Fixes #36971 - GUI to allow cloning of Ansible roles from VCS

[Thorben-D]

This feature adds a new modal to /ansible/ansible_roles, which allows the user to clone a git-repo with roles to a specified SmartProxy.

RedMine-Ticket

Depends on theforeman/foreman_ansible#676

[theforeman-bot]

Can one of the admins verify this patch?

[Thorben-D]

I just pushed a commit that:

• Moves all Git-functionality to this plugin, letting me remove the git dependency from the foreman plugin.
• Improves code readability by splitting up big functions into a helper-file
• Improves the tests

[ekohl]

In smart-proxy plugins you can also use load_programmable_settings to dynamically perform logic on it. https://github.com/theforeman/smart-proxy/blob/2fb6db34f8726df3e8b276c4ced0542fd296bc6a/modules/httpboot/httpboot_plugin.rb#L7-L11 is one example.

What you can do with that is define one path which contains the mutable roles. Then you have another setting which contains all the paths that are loaded.

You can expose this to the user in two ways.

One is explicit: there are 2 settings and in the plugin definition you make sure the mutable roles path is in the readable roles path list.

The other is implicit: you only have a single list of role paths and take the first item of that list as the mutable roles path.

On start up you can make sure the mutable roles directory exists or can be created. You can even only expose the vcs_clone capability if it's working, but I'd be cautious with that because we don't refresh features all the time so you can easily end up with a hard to debug situation. theforeman/smart-proxy#847 is IMHO the better way to go with such health checks.

[ekohl]

Similar to my comments on the Foreman PR side (theforeman/foreman_ansible#676), I'd make it a bit more REST. So:

• GET /vcs_clone/roles to list
• POST /vcs_clone/roles to install
• PUT /vcs_clone/roles/:name to update
• DELETE /vcs_clone/roles/:name to delete

[Thorben-D]

Again, thank you very much for the detailed feedback. Very sorry I forgot to cross-link MRs. Glad you found it anyways!
I added settings for the roles paths am not using plain strings anymore.
Currently, an exception is thrown if the mutable-roles path does not exist or is not writable (and the feature is enabled), effectively disabling the plugin.
I do however think the verification-API is a good idea. Maybe we could integrate this into the existing /features route? Somethink like /features/active might be a good idea...

[ekohl]

Suggested change

	%w[vcs_url name ref].each do |param|
	return false unless repo_info.key?(param)
	end
	%w[vcs_url name ref].all? { |param| repo_info.key?(param) }

[ekohl]

I'd think this should read first from the mutable directory so VCS cloned repos can override system wide repos. See the overall review for more on settings.

[ekohl]

I'd prefer settings. In lib/smart_proxy_ansible/plugin.rb you see a list of default_settings and you can provide it there. See the overall review for more on settings.

[ekohl]

Not a complete review, just focusing on one item.

[ekohl]

These should be settings because in development environments or containers you may want to use different paths.

I've been thinking about some constants in the Proxy module, but the other day I realized that the Proxy::Plugin API is an even better place. That can combine those constants with the specific plugin name. So you could get a state_dir(path) method that would evaluate state_dir('roles') to /var/lib/foreman-proxy/ansible/roles in production. I thought I had some PR for that, but can't find the code I wrote. Essentially, I'd base it on the table in https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#RuntimeDirectory=

I'd very much welcome PRs that implement this. It's a recurring problem in plugins.

[Thorben-D]

I have now added these fields as arguments that may be passed in the configuration file.
The mutable_roles_path is constructed like this: StateDirectory/plugin_name/roles
I also added runtime_, state_, cache_, logs_ and config_dir methods. Those just construct the respective paths from an environment-variable and the plugin name. The env-variables conform to the systemd table you linked, so they can be passed easily.
If this is what you had in mind, I could create a merge-request to merge the xxxx_dir-methods into smart-proxy/lib/proxy/plugin.rb for reusability.

[nofaralfasi]

I'm getting the following error:
Disabling all modules in the group ['ansible'] due to a failure in one of them: /var/lib/foreman-proxy/ansible/roles is not writable. Check permissions or disable vcs_integration
Maybe that's something we need to address in the documentation?

[nofaralfasi]

When setting :vcs_integration: false, I can still trigger the role cloning from the GUI. However, the task remains stuck in the pending status.
I believe the intended behavior here is to restrict access to the new form, correct?

[Thorben-D]

Yes, that would be ideal but iirc, the functionality to inform Foreman of enabled/disabled features is not yet a thing as described in the last paragraph of @ekohl's comment here:
#85 (review)

[nofaralfasi]

Does this work for you?
I have a different location where I store my Ansible roles, and setting it here doesn't work for me.

[Thorben-D]

Are your paths relative perhaps? I just tested it and it works fine with absolute paths, but not relative ones.

[nofaralfasi]

My path is /home/nalfassi/playbooks. It's also configured in my /etc/ansible/ansible.cfg as follows:
roles_path = /home/nalfassi/playbooks.

[nofaralfasi]

And I'm using my localhost as my smart-proxy.

[nofaralfasi]

Since this PR has been inactive for a while, we’re closing it to keep the repository organized. If you’d like to continue working on it, please feel free to reopen or create a new PR.