The populate_tower Rake task creates a bunch of objects in Tower, whose IDs are then used in the specs to test the API.

Unfortunately, these object references are sprinkled around the specs. The IDs of the created objects are at least printed out as manager_ref/ems_ref= 123 by the Rake task. It is however still uncomfortable and error-prone to replace them in the specs when re-populating Tower and re-recording VCR cassettes.

I’d write out these references during the population to a YAML/JSON/Ruby/whatever file. This file would be then parsed in spec_helper.rb and made accessible to the specs. Then, instead of matching by a hard-coded magic number like :manager_ref => "24",, something like :manager_ref => REFS[:hello_vm], could be used in the examples.

This applies to object counts too. These are tested to match in the examples and are already collected and printed by the Rake task.

What do you think, @jameswnl?

There are PRs that solve this issue:

• #92 Rake task
• #93 Specs

Description:
Creating authentications via REST fails for ansible tower 3.6 that only supports API version v2.

POST /api/authentications
{
	"action": "create",
	"resources": [
		{
			"description": "TestDescription",
			"name": "test_credentials_36",
			"related": {},
			"user": 1,
			"userid": "foo",
			"password": "foo",
			"host": "baz_36",
			"type": "ManageIQ::Providers::AnsibleTower::AutomationManager::VmwareCredential",
			"manager_resource": {
				"href": "https://192.168.122.33/api/providers/6"
			}
		}
	]
}
Response:
{
  "results": [
    {
      "success": true,
      "message": "Creating Authentication",
      "task_id": "35",
      "task_href": "https://192.168.122.33/api/tasks/35"
    }
  ]
}

GET /api/tasks/35
Reponse : 
{
  "href": "https://192.168.122.33/api/tasks/35",
  "id": "35",
  "name": "Creating Ansible Tower Credential (name=test_credentials_36)",
  "state": "Finished",
  "status": "Error",
  "message": "{\"credential_type\":[\"This field is required.\"]}",
  "userid": "system",
  ...
  ...
  ...
  "actions": [
    ...
    ...
  ]
}

1. Is there an existing issue already reported or any related bugzilla?
   https://bugzilla.redhat.com/show_bug.cgi?id=1794047

2. Severity: High

3. Version: 5.11.8.0
   Note: I believe this issue has existed since the beginning. We started testing with ansible tower 3.6 recently and discovered this bug and for other tower providers that we have, we use v1.

Credentials

Major Changes

• Tower 3.2.x upgrade will split up a machine credential which has vault_password value and both will remain associated to job_templates (if any)
  ** For us, we'll create/update accordingly (have to test and confirm if the new machine credential will keep the original ID.
• Tower 3.2.x upgrade will drop azure_classic and rackspace credentials (and previously associated job_templates will just lose them
  ** ManageIQ/manageiq#16936 and #58
  ** After upgrade, refresh will destroy them
• Other newly added:
  ** Vault
  ** Ansible Tower
  ** Insights
  ** rhev
  ** custom credential type (Custom credentials will not be managed by the V1 API)

Todo

• UI changes for embedded Ansible items will need a new credential drop-down for Vault. (
  • Services Template: ManageIQ/manageiq-ui-classic#3468
  • Automate Method Type: (Same as above)
• Add Vault credential in Service summary screen
  • ManageIQ/manageiq#17207
  • #70
• Back-end: Add vault credential support to Ansible playbook service template ManageIQ/manageiq#17184
• Back-end: Add vault credential support to Ansible Automate Method Type ManageIQ/manageiq#17192
• Clarify if upgrade and split machine credential will keep the original ID
  • Test the upgrade scenario
• Provider code changes
  • vault credential type
    • PR ManageIQ/manageiq#16825
    • PR #54
  • rhev credential type
    • this can be only partially supported through the Tower API V1
    • The support for the optional field ca file location can only be done when move to consume from API V2
    • PR #62
    • PR ManageIQ/manageiq#17044
    • PR #69
  • drop Rackspace/Azure Classic credential types
    • PR ManageIQ/manageiq#16936
    • PR #58

Others

• Investigate usage of custom credential (e.g. supporting Azure classic?)

Recording VCR cassettes for the specs using a non-empty Tower instance may result in sensitive data leakage. Recorded data contains not only the populated test records, but everything that the API returns.

Even though encrypted credential secrets are never visible via the API, some non-key/password information may be still considered sensitive. This applies namely to the internal hostnames and URL’s as well as anything that @miq-bot may spot and warn about, e.g. strings containing the cloudforms keyword.

VCR’s filter_sensitive_data[1][2] configuration option would not be a good fit, but the before_record[3][4] hook may serve this purpose well. For the beginning it can match and replace internal hostnames. Later on, if such a need emerges, it will be easy to extend this matching e.g. to raise an error if something the @miq-bot might not like would be recorded.

I’d like to ask @jameswnl or @bdunne for consideration.

AFAICT this provider only supports turning verify_ssl off, and indeed some users are resorting to that:
http://talk.manageiq.org/t/how-to-create-ansible-tower-provider-via-api/2142 (though they have problems doing it via API)

This is suboptimal from security perspective; ideally if Tower has self-signed certificate, ManageIQ could be configured to trust the specific internal CA that generated it.
It's probably doable now by editing the machine's CA bundle — but that's not friendly (esp. on multi-appliance install). Ideally there should be a way to configure a CA to trust per-provider, from the UI (and API).

(I've added similar support in openshift provider, and assisted for ovirt provider, happy to help if you want to work on this...)

A guide covering “Maintaining cassettes for new specs” is located in /spec/support/ansible_shared/automation_manager/refresher.rb. However, there are currently more specs that use VCR cassettes: namely refresher_v2.rb, refresh_configuartion_script_source.rb, refresh_configuartion_script_source_v2.rb and event_catcher/stream.rb.

Because of that I’d like to see the guide somewhere else. Either there can be a document somewhere like /spec/support/vcr_guide.md, or it can be included the way it is now as a huge block comment in /spec/support/vcr_helper.rb instead. It the particular spec files, there can be only a short reference to the guide.

Do you agree with this change, @jameswnl?

CloudForms integration with Ansible tower works with the local tower admin credentials, this request is for the ability to use an AD service account.

Related Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1715978

We would like to use Embedded Ansible for one of the providers (Nuage) and would like to make use of Automation -> Ansible -> Credentials feature so that user doesn't always need to input credentials.

Embedded Ansible is implemented through AWX meaning that AWX needs to be aware of Nuage credentials type, which it isn't the case. Now, AWX offers a simple way to dynamically register custom credentials type, but it has to be done via API v2, which isn't yet supported by ManageIQ.

Q1: Is integrating Nuage credential type into AWX setting really the only way to go?
Q2: What if AWX maintainer refuses to accept the PR?
Q3: Is there no "local" way where miq would store the credentials locally and forcibly use them when running playbooks? I mean, it feels odd that we need to modify AWX upstream even if we only want to use Embedded Ansible.

/cc @jameswnl @carbonin @himdel I kindly ask for a suggestion on how to proceed.

The ansible tower provider has a url= override which defaults to https for the scheme and /api/v2 for the path [ref]. This isn't being invoked for some reason and the bare IP/DNS name is being saved causing authentication failures once the provider is added.

When you destroy an AnsibleTower AutomationManager through the API or the UI its Provider record gets orphaned.

>> ManageIQ::Providers::AnsibleTower::AutomationManager.count
=> 0
>> ManageIQ::Providers::AnsibleTower::Provider.count
=> 1
>> ManageIQ::Providers::AnsibleTower::Provider.first
=> #<ManageIQ::Providers::AnsibleTower::Provider id: 4, type: "ManageIQ::Providers::AnsibleTower::Provider", name: "Ansible Tower", guid: "7730b493-08eb-4c4d-bc9f-f767d31ab6b5", zone_id: 2, created_at: "2020-06-25 13:55:21", updated_at: "2020-06-25 13:55:21", tenant_id: 1>

While supporting an embedded automation manager and an ansible tower provider, most of the functionality was done in shared modules that were then included in those two classes.

Now that embedded ansible has moved to use ansible-runner not embedded tower we can remove all of this complexity.

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

This repository currently has no open or pending branches.

Detected dependencies

• Check this box to trigger a request for Renovate to run again on this repository

The caller must currently pass /api/v2 to the end of the URL, but that feels unnecessary. We should default to /api/v2 if it is not present in the URL.