Multiline environment variables are not passed correctly to EE #1980

Open
RobinR1 opened this issue May 5, 2025 · 1 comment
Labels
bug Researched, reproducible, committed to fix new New issues and PRs to triaged

RobinR1 commented May 5, 2025
ISSUE TYPE
  • Bug Report
SUMMARY

When a multiline environment variable is passed or set in the ansible-navigator config file, the env file generated by ansible-navigator for use in the EE is invalid, resulting in an error parsing the file during initialization of ansible-navigator similar to:

Error: parsing file "/tmp/ansible-navigator_vttp8ri6/artifacts/86240bdd-fec7-4110-9d05-89a631ccceaf/env.list": invalid variable: =hzV4
ANSIBLE-NAVIGATOR VERSION
ansible-navigator 25.4.0
CONFIGURATION
ansible-navigator:
  execution-environment:
    enabled: true
    environment-variables:
      set:
        PASSBOLT_BASE_URL: https://passbolt/
        PASSBOLT_PASSPHRASE: ********
        ANSIBLE_VAULT_PASSWORD: *******
      pass:
        - PASSBOLT_PRIVATE_KEY
    image: registry/systems/ansible/awx/execution-environments/awx-community-ee:latest
    pull:
      arguments:
        - "--creds ******:*****"
      policy: 'missing'
    volume-mounts:
      - src: '~/src/ansible/roles/'
        dest: '/home/runner/.ansible/roles'
        options: 'z'
      - src: '~/.ssh_ansible/'
        dest: '/home/runner/.ssh/'
        options: 'O'
  ansible:
    inventory:
      entries:
        - '~/src/ansible/inventory/'
        - '~/src/inventory_scripts/vmware_inventory_script.py'
        - '~/src/inventory_scripts/ovm_inventory_script.py'
  time-zone: 'Europe/Brussels'
LOG FILE
2025-05-05T11:57:57.519726+02:00 CRITICAL 'ansible_navigator.actions.run_0930._handle_message' Unhandled message from runner queue, discarded: {'event': 'verbose', 'uuid': 'c9f1fb72-79ef-45ec-ac7a-a89e65e99c17', 'counter': 1, 'stdout': 'Error: parsing file "/tmp/ansible-navigator_0atmecb6/artifacts/c9dc06c2-a9a7-4da2-ac94-80fc0948a36e/env.list": invalid variable: "=hzV4"', 'start_line': 0, 'end_line': 1, 'runner_ident': 'c9dc06c2-a9a7-4da2-ac94-80fc0948a36e', 'created': '2025-05-05T09:57:57.519289+00:00'}
STEPS TO REPRODUCE

Define an environment variable containing newlines. For example (in my case) a PGP private key:

export PASSBOLT_PRIVATE_KEY=$(cat ~/.passbolt/private_key.asc)
echo "$PASSBOLT_PRIVATE_KEY"
-----BEGIN PGP PRIVATE KEY BLOCK-----

xcTGBGWf4YcBDAC7K0EcP+GwXNaF9YDZdjKr/+fUPnn5Q0rB25svfEjU7yqr
hEA6cQVgl2eTssI9uolHXlupbzOPbLaILNwh0JLtEp7BMX50VMp0WmwE1av6
JMZf656mw1Z8NqVz53hNOG+J588BIL9ksZ1SKGaV+E9ATd7TpUnUG8fC9+vs
Tx0nNCd876QERFNp5g/EXY16ycvpQK8Oofh1tV88YF05v0qxhy7RQNnlsNDA
....
=hzV4
-----END PGP PRIVATE KEY BLOCK-----

and set ansible-navigator to pass the PASSBOLT_PRIVATE_KEY:

ansible-navigator:
  execution-environment:
    environment-variables:
      pass:
        - PASSBOLT_PRIVATE_KEY

or define the environment-variable in the yaml config similar to:

ansible-navigator:
  execution-environment:
    environment-variables:
      set:
        PASSBOLT_PRIVATE_KEY: |
          -----BEGIN PGP PRIVATE KEY BLOCK-----
          
          xcTGBGWf4YcBDAC7K0EcP+GwXNaF9YDZdjKr/+fUPnn5Q0rB25svfEjU7yqr
          hEA6cQVgl2eTssI9uolHXlupbzOPbLaILNwh0JLtEp7BMX50VMp0WmwE1av6
          JMZf656mw1Z8NqVz53hNOG+J588BIL9ksZ1SKGaV+E9ATd7TpUnUG8fC9+vs
          Tx0nNCd876QERFNp5g/EXY16ycvpQK8Oofh1tV88YF05v0qxhy7RQNnlsNDA
          ....
          =hzV4
          -----END PGP PRIVATE KEY BLOCK-----
EXPECTED RESULTS

ansible-navigator passing the environment variable as is, including the newlines, to the execution environment.

ACTUAL RESULTS

ansible-navigator fails on parsing the generated env-file

ADDITIONAL INFORMATION

The content of the generated env file is similar to:

ANSIBLE_UNSAFE_WRITES=1
AWX_ISOLATED_DATA_DIR=/runner/artifacts/86240bdd-fec7-4110-9d05-89a631ccceaf
ANSIBLE_CACHE_PLUGIN_CONNECTION=/runner/artifacts/86240bdd-fec7-4110-9d05-89a631ccceaf/fact_cache
PASSBOLT_BASE_URL=https://passbolt/
PASSBOLT_PASSPHRASE=********
ANSIBLE_VAULT_PASSWORD=*******
PASSBOLT_PRIVATE_KEY=-----BEGIN PGP PRIVATE KEY BLOCK-----

xcTGBGWf4YcBDAC7K0EcP+GwXNaF9YDZdjKr/+fUPnn5Q0rB25svfEjU7yqr
hEA6cQVgl2eTssI9uolHXlupbzOPbLaILNwh0JLtEp7BMX50VMp0WmwE1av6
JMZf656mw1Z8NqVz53hNOG+J588BIL9ksZ1SKGaV+E9ATd7TpUnUG8fC9+vs
Tx0nNCd876QERFNp5g/EXY16ycvpQK8Oofh1tV88YF05v0qxhy7RQNnlsNDA
...
=hzV4
-----END PGP PRIVATE KEY BLOCK-----
ANSIBLE_CALLBACK_PLUGINS=/runner/artifacts/86240bdd-fec7-4110-9d05-89a631ccceaf/callback
ANSIBLE_STDOUT_CALLBACK=awx_display
ANSIBLE_RETRY_FILES_ENABLED=False
ANSIBLE_HOST_KEY_CHECKING=False
RobinR1 commented May 5, 2025

On a side note, in AWX, when configuring a new credential type with this config:

fields:
  - id: passbolt_url
    type: string
    label: Passbolt Base URL
  - id: passbolt_private_key
    type: string
    label: Passbolt Private GPG Key
    secret: true
    multiline: true
  - id: passbolt_passphrase
    type: string
    label: Passbolt Private GPG Key Passphrase
    secret: true
required:
  - passbolt_url
  - passbolt_private_key
  - passbolt_passphrase

and this config injector:

env:
  PASSBOLT_BASE_URL: '{{ passbolt_url }}'
  PASSBOLT_PASSPHRASE: '{{ passbolt_passphrase }}'
  PASSBOLT_PRIVATE_KEY: '{{ passbolt_private_key }}'

and then creating a new credential with this new type, where the GPG key is pasted plainly into the passbolt_private_key field, it is correctly passed through to the EE by AWX.

This should be possible too somehow when using ansible-navigator, but I have yet to find a way that actually works. I have been experimenting with \n and \\\n, which makes ansible-navigator and/or podman parse the env file successfully, but the GPG key is not recognised by the passbolt lookup plugin that uses this environment variable.

 msg: 'An unhandled exception occurred while running the lookup plugin ''anatomicjc.passbolt.cached''.
    Error was a <class ''ValueError''>, original message: Expected: ASCII-armored                      
    PGP data. Expected: ASCII-armored PGP data'                                                        
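
Added example (not code from ansible-navigator, ansible-runner or podman): a simplified model of a line-oriented env-file reader, written to match the error reported above, showing why the failure surfaces at `=hzV4` rather than at the first key line, and why `\n`-escaping parses cleanly but delivers a different value. The parser rules, the function names and the shortened sample key are assumptions made for illustration.

```python
import os

# Constructed sample: a shortened stand-in for the armored key (not a real key).
KEY = ("-----BEGIN PGP PRIVATE KEY BLOCK-----\n\nxcTGBGWf4Yc\n=hzV4\n"
       "-----END PGP PRIVATE KEY BLOCK-----")


def write_env_list(env):
    """Naive writer: one NAME=value entry per variable, value emitted verbatim."""
    return "".join(f"{name}={value}\n" for name, value in env.items())


def parse_env_list(text, host_env=None):
    """Simplified line-oriented env-file reader (assumed model, not podman's code).

    NAME=value sets a variable, a bare NAME is copied from the host environment
    if it exists there, and a line whose name part is empty is rejected.
    No escape sequences are interpreted.
    """
    host_env = os.environ if host_env is None else host_env
    parsed = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if not name:
            raise ValueError(f'invalid variable: "{line}"')
        if sep:
            parsed[name.lstrip()] = value
        elif name in host_env:
            parsed[name] = host_env[name]
    return parsed


def unsafe_for_env_file(env):
    """Names whose values cannot be stored in a one-entry-per-line file."""
    return sorted(n for n, v in env.items() if "\n" in v or "\r" in v)


def first_failure(env):
    """Return the reader's error for the naively written file, or None."""
    try:
        parse_env_list(write_env_list(env), host_env={})
    except ValueError as exc:
        return str(exc)
    return None
```

In this model the armor header and base64 lines contain no `=` and are silently treated as variable names, so the checksum line is the first one rejected; running `unsafe_for_env_file` before the file is written catches the problem before any part of the secret lands in `env.list`.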
