* Add a toggle to control the number of signatures required to verify the authenticity of a collection
* Make the default number of required valid signatures 1
* Add option to make signature verification strict and fail if there are no valid signatures (e.g. "+1")
* Use a regex to validate --required-valid-signature-count
* Add a toggle to limit the gpg status codes that are considered a failure
* Update documentation and changelog
* Add unit and integration tests for the new options
* Fixes #77146
Fix using user-provided signatures when running 'ansible-galaxy collection verify ns.coll --offline'
Add a test for a user-provided signature when running ansible-galaxy collection verify with --offline
Fix displaying overall gpg failure without extra verbosity
Add a test for displaying gpg failure without verbosity
Improve documentation to be more clear that signature verification only currently applies to collections directly sourced from Galaxy servers
Describe difference between targeting a single host using -i vs. --limit. In particular, pointing out the behavior difference that -i will not read inventory variables.
* initial merge of maintainer guide
* Apply suggestions from code review
Co-authored-by: Aine Riordan <44700011+ariordan-redhat@users.noreply.github.com>
* ansible-galaxy collection install|verify:
- Support verifying the origin of the MANIFEST.json when the Galaxy server has provided signatures.
- Allow supplemental signatures to use during verification on the CLI/requirements file.
* ansible-galaxy collection install:
- Support disabling signature verification. This silences the warning provided by ansible-galaxy if the Galaxy server provided signatures it cannot use because no keyring is configured.
- Store Galaxy server metadata alongside installed collections for provenance. This is used by 'ansible-galaxy collection verify --offline'.
* Add unit tests for method that gets signatures from a Galaxy server
* Add integration tests for user-provided signature sources
- Test CLI option combinations
- Test installing collections with valid/invalid signature sources
- Test disabling GPG verification when installing collections
- Test verifying collections with valid/invalid signature sources
* Make signature verification advisory-by-default if signatures are provided by the Galaxy server
- Make the default keyring None
- Warn if the keyring is None but the Galaxy server provided signatures
- Error if the keyring is None but the user supplied signatures
- Error if the keyring is not None but is invalid
* changelog
* add ansible-galaxy user documentation for new options
Co-authored-by: Matt Martz <matt@sivel.net>
Co-authored-by: Sviatoslav Sydorenko <wk.cvs.github@sydorenko.org.ua>
Co-authored-by: Martin Krizek <martin.krizek@gmail.com>
Co-authored-by: Sandra McCann <samccann@redhat.com>
Co-authored-by: Andy Mott <amott@redhat.com>
Co-authored-by: John R Barker <john@johnrbarker.com>
* Add script to freeze sanity requirements.
* Declare sanity test requirements and freeze
* Use pinned requirements for import.plugin test.
* Expand scope of import test for ansible-core.
* Add ignores for galaxy import errors.
* Update test-constraints sanity test.
* Hashing is not encrypting
All encryption systems have a formal inverse function to decrypt
A hash is a one way function without inverse by definition
* Update docs/docsite/rst/user_guide/playbooks_filters.rst
Co-authored-by: Sandra McCann <samccann@redhat.com>
Clarify that the `requires_ansible` field in meta/runtime.yml refers to the version of Ansible Core (ansible-core), not any package called "ansible" e.g. https://pypi.org/project/ansible/
* Use NativeEnvironment for all templating
ci_complete
* Keep Templar.copy_with_new_env for backwards compat
* Mention that AnsibleUndefined.__repr__ changed in the porting guide
* Templar.copy_with_new_env backwards compat
* ci_complete
* Update network_resources.rst
I am not sure a fully qualified URL should be here... but teach me great documentation gods
* Change platform index external link to internal ref
Co-authored-by: Aine Riordan <44700011+ariordan-redhat@users.noreply.github.com>
Unofficial packaging should be maintained externally since
it is not tested in CI or used in the official release process.
Maintainers of unofficial packages are better equipped with the necessary
expertise and testing resources to support alternative packaging.
* removes AWS scenario guide, moving to collection
* first attempt to replace TOC entries
* not sure what I did, but saving it
* updates TOCs to reflect new location of aws guide
* reinstates original page as a stub
* adds links to new location for AWS guide, updates header
Co-authored-by: Alicia Cozine <acozine@users.noreply.github.com>
* Removed translatable words from code blocks
##### SUMMARY
Removed translatable words from codeblocks as per #59449
##### ISSUE TYPE
- Docs Pull Request
+label: docsite_pr
* Maintaining intend as well as clarity
* Preserving "save_as" as the key
* showing equivalence and keeping same context
* docs - add some info on plugin option source precedence
##### SUMMARY
Add some clarity on precedence, especially from sources of the same type.
##### ISSUE TYPE
- Docs Pull Request
+label: docsite_pr
* update RST formatting
* Update docs/docsite/rst/dev_guide/developing_plugins.rst
Apply review suggestions
Co-authored-by: Aine Riordan <44700011+ariordan-redhat@users.noreply.github.com>
* add tests for fail filter
also tests that fail does not block inspectability
* add fail filter
fallback message is a bit clunky,
since you can't invoke a filter without specifying an input.
That is, "{{ fail }}" doesn't work,
so you have to do "{{ None | fail }}"
* document 'fail' filter
* add changelog fragment
* fail filter uses default message on Undefined or empty string
makes it slightly easier to use the default message:
```diff
- "{{ None | fail }}"
+ "{{ '' | fail }}"
```
and the user sees a slightly more relevant message
if the message itself is undefined:
```diff
- The error was: {{ failmsg | fail }}: 'failmsg' is undefined
+ The error was: {{ failmsg | fail }}: Mandatory variable has not been overridden
```
* rebuild as the builtin `Undefined`
* harmonise `hint` parameter for make_undefined with jinja
* use code block for documentation item
[ref](https://github.com/ansible/ansible/pull/75435#discussion_r707661035)
* rename to `undef` to expose less Python into the Jinja
[ref](https://github.com/ansible/ansible/pull/75435#pullrequestreview-757799031)
* explicitly instantiate undefined value now that it's possible
see I knew we would break something with reflection
* preserve test coverage of undefined variable
Co-authored-by: Matt Davis <nitzmahone@users.noreply.github.com>
Change:
- Remove only user-facing use of ANSIBLE_ASYNC_DIR.
- Remove two comments saying to change things that, apparently, we
aren't going to change...
Test Plan:
- ci_complete
Tickets:
- Fixes #74139
- Fixes #74138
- Refs #74226
Signed-off-by: Rick Elrod <rick@elrod.me>
* Enable ansible-galaxy to specify client id override with Keycloak Token
* Specify ability to provide override of client_id
* Test client_id can be configured for individual servers
* Add issue link to changelog
* Document client_id as a config option and add an example
Co-authored-by: s-hertel <19572925+s-hertel@users.noreply.github.com>
* pip - Use pip from the current Python interpreter.
If `executable` and `virtualenv` were not specified, and
the `pip` Python module is available for the current interpreter,
use that `pip` module instead of searching for a `pip` command.
* Add comment about needing `__main__` to run `pip`.
* Fix unit test.
* Add porting guide entry.
* Update changelog to match porting guide description.
ci_complete
* Refs #75478 - On the communicating page, add Matrix links to first 4 chat spaces, improve introduction, update working groups with Matrix and IRC locations, add a link to the community FAQ, add localised community translations, and remove Lightbulb room, the GitHub project has been archived
Co-authored-by: Alicia Cozine <879121+acozine@users.noreply.github.com>
* Support templating _from_files with --extra-vars for imported roles
* Add tests for templating the filenames for import_role, import_playbook, and import_tasks
* Add documentation
Co-authored-by: Alicia Cozine <879121+acozine@users.noreply.github.com>
Co-authored-by: Martin Krizek <martin.krizek@gmail.com>
##### SUMMARY
When I used this example it complains with:
```
ERROR! The tasks/main.yml file for role 'myrole' must contain a list of tasks
The error appears to be in 'ansible/roles/myrole/tasks/main.yml': line 2, column 1, but may
be elsewhere in the file depending on the exact syntax problem.
The offending line appears to be:
---
tasks:
^ here
```
Removing "tasks:" fixes it.
##### ISSUE TYPE
- Docs Pull Request
+label: docsite_pr
Push /usr/bin/python to almost the bottom of the barrel. This makes the strategy to prefer
specific versions of the "mystery meat" version.
* Change INTERPRETER_PYTHON default to 'auto'
Change description to match change in behavior.
Change deprecation message to a warning.
* Update docs
* Add porting guide entry
* Update unit tests
* Update integration test
* Allow INTERPRETER_PYTHON_FALLBACK to be configured using a variable
* Prefer platform-python above other Python 2 interpreters
* Add Python 3.10 to the list of interpreters
* updates Tower page to talk about RHAAP
* updates scenario guide Tower references
* updates Tower references to use AWX and/or RHAAP
* more scenario guides fixes
* fix CI failures
* Update docs/docsite/rst/porting_guides/porting_guide_2.8.rst
* removes tower link
* for 2.8, still mention Tower along with AWX and RHAAP
* aws guides should be updated in the collection, where they now exist
Co-authored-by: Alicia Cozine <acozine@users.noreply.github.com>
* Update network user guide to point to ansible.utils.cli_parse module as ansible.netcommon.cli_parse is deprecated from ansible.netcommon 2.0.0 release
* Canonicalize module_defaults actions and action_groups pre-fork and cache them on the play
* Call get_action_args_with_defaults with the resolved FQCN plugin and don't pass the redirect list
* Add validation for action_group metadata and a toggle to disable the warnings
* Handle groups recursively referring to each other
* Remove special-casing for non-fqcn actions in module_defaults groups
* Error for actions and groups in module_defaults that can't be resolved
* Error for fully templated module_defaults
* Add integration tests for action_groups
* Changelog
While implementing basic Ansible module testing I realised that the `self.module` used in some places is not actually a thing, and I changed to `my_module` to make it work as I understand it was expected.