Failed to run a schema template deployment to NDO with HTTPAPI Plugin (DCNE-297)

[noppanut15]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

• It failed when I tried to deploy a schema template to a site using ndo_schema_template_deploy with HTTPAPI Plugin, even though the NDO version is 3.7 or higher.
• It can only be deployed with mso_schema_template_deploy module without HTTPAPI Plugin. It works, but it isn't a good idea to keep using this module with NDO 3.7+, as upgrading to NDO 4.x will break this workaround.

Affected Module Name(s):

• ndo_schema_template_deploy

MSO version and MSO Platform

• NDO 3.7(1g)

APIC version and APIC Platform for Site Level Resources

• APIC 5.2(4d)

Collection versions

• cisco.mso 2.9.0
• cisco.nd 1.2.0
• ansible.netcommon 7.1.0

Output/ Error message

The full traceback is:
  File "/var/folders/9z/c_rnn2y110dd4wpd7nxhs7kc0000gn/T/ansible_cisco.mso.ndo_schema_template_deploy_payload_g_wvtifn/ansible_cisco.mso.ndo_schema_template_deploy_payload.zip/ansible_collections/cisco/mso/plugins/module_utils/mso.py", line 658, in request
    info = self.connection.send_request(method, uri, json.dumps(data))
  File "/var/folders/9z/c_rnn2y110dd4wpd7nxhs7kc0000gn/T/ansible_cisco.mso.ndo_schema_template_deploy_payload_g_wvtifn/ansible_cisco.mso.ndo_schema_template_deploy_payload.zip/ansible/module_utils/connection.py", line 199, in __rpc__
    raise ConnectionError(to_text(msg, errors='surrogate_then_replace'), code=code)
fatal: [nd-lab.example.com]: FAILED! => {
    "changed": false,
    "current": {},
    "invocation": {
        "module_args": {
            "host": "nd-lab.example.com",
            "login_domain": null,
            "output_level": "normal",
            "password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "port": null,
            "schema": "noppanut-test-schema-01",
            "sites": null,
            "state": "deploy",
            "template": "noppanut-test-template-01",
            "timeout": null,
            "use_proxy": false,
            "use_ssl": true,
            "username": "admin",
            "validate_certs": false
        }
    },
    "msg": null
}

Expected Behavior

• The schema template should be able to be deployed by using ndo_schema_template_deploy module with HTTPAPI Plugin

• This is the output when I use my workaround. (mso_schema_template_deploy module without HTTPAPI Plugin):

ok: [nd-lab.example.com] => {
    "changed": false,
    "current": {},
    "invocation": {
        "module_args": {
            "host": "nd-lab.example.com",
            "login_domain": null,
            "output_level": "normal",
            "password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "port": null,
            "protocol": "https",
            "schema": "noppanut-test-schema-01",
            "site": null,
            "state": "deploy",
            "template": "noppanut-test-template-01",
            "timeout": 30,
            "use_proxy": false,
            "use_ssl": true,
            "username": "admin",
            "validate_certs": false
        }
    },
    "msg": "Successfully deployed"
}

Actual Behavior

• I cannot use ndo_schema_template_deploy module with HTTPAPI Plugin as per the error message above.
• I need to use mso_schema_template_deploy module without HTTPAPI Plugin instead as a workaround for NDO 3.7.

Playbook tasks to Reproduce

• .ansible.cfg

[defaults]
interpreter_python=/usr/local/bin/python3.10

• deployer.yaml

---
- name: Deploy a schema template
  hosts: mso
  connection: local
  gather_facts: false
  tasks:
  - name: Deploy a schema template
    cisco.mso.ndo_schema_template_deploy:
      host: "nd-lab.example.com"
      username: "changeme"
      password: "changeme"
      use_proxy: False
      use_ssl: True
      validate_certs: False
      schema: "noppanut-test-schema-01"
      template: "noppanut-test-template-01"
      state: deploy

• inventory.ini

[mso:vars]
ansible_connection=ansible.netcommon.httpapi
ansible_network_os=cisco.nd.nd
ansible_httpapi_use_ssl=True
ansible_httpapi_validate_certs=True

[mso]
nd-lab.example.com

• Run the playbook:

ansible-playbook deployer.yml  -i inventory.ini -vvvv            

Important Factoids

• MacOS 15.1.1
• python 3.10.15
• ansible-core 2.17.7 (installed by pipx install ansible-core --python /usr/local/bin/python3.10)

References

N/A

[akinross]

Hi @noppanut15,

I tried to reproduce your issue but am not able to. Could you provide some more details from the logs besides the traceback. If you do not want to do this via github you can email them to me directly to email address attached to this github profile.

[noppanut15]

Hi @akinross,

Thanks for helping on this so promptly!

I sent the debug logs to your email along with the credentials to my lab and the schema/template I used, as I think it may save our time investigating this. :)

[noppanut15]

Hi @akinross,

Just to update you regarding this issue.

Based on my findings, I believe this is a special case that only occurs with the NDO behind Cloudflare.
When leveraging the ansible.netcommon.httpapi connection plugin, I found "raw": "error code: 1010", in the HTTP response by Cloudflare in Ansible debug log.

Cloudflare documentation regarding this error:
Error 1010: The owner of this website has banned your access based on your browser's signature

It appears that requests from the connection plugin are being blocked by Cloudflare due to the HTTP client/browser signature.

The current workaround is to create a rule to bypass the Browser Integrity Check for the domain hosting the NDO. This has resolved the issue!