Merge branch 'main' into feature/configure_iag_http_server_threads

docs/vault_guide.md

@@ -28,6 +28,19 @@ The variables in this section may be overridden in the inventory in the `all` gr
 | Variable | Group | Type | Description | Default Value
 | :------- | :---- | :--- | :---------- | :------------
 | `configure_vault` | `all` | Boolean | Flag to configure Vault. When set to to `true`, the Vault Unseal role will be executed. | `false`
+| `vault_read_only` | `all` | Boolean | Flag to manage how secret data is written to Vault with IAP version 2021.2 and later. | `false`
+
+
+Beginning with the 2021.2 release, a `readOnly` property was added to vaultProps in the properties.json file. This property allows developers to denote fields that contain sensitive data and manage how secret data is written to Vault. This configurable property defaults to false.
+
+When set as readOnly: true, the following will occur:
+
+ - Masking in the UI will be disabled (turned off).
+ - Clear text will be shown.
+ - All custom user decorations will be ignored.
+ - IAP will not write data to Vault.
+
+⚠ WARNING: If there are passwords stored within Vault and the readOnly property is initially set to false, and then later changed to true, all passwords will be lost and have to be set manually.
 
 ## Common Variables
 

roles/gateway/tasks/download-packages.yml

@@ -23,8 +23,8 @@
 
 - name: Check for valid IAG release
   ansible.builtin.fail:
-    msg: "missing or invalid iag_release"
-  when: iag_release == "UNDEFINED"
+    msg: "Deployer does not support installing Gateway version {{ iag_release }} on {{ ansible_distribution }}-{{ ansible_distribution_major_version }}"
+  when: invalid_iag_release is defined
 
 - name: Download Gateway OS rpms
   ansible.builtin.import_role:

roles/gateway/tasks/main.yaml

@@ -10,8 +10,8 @@
 
 - name: Check for valid IAG release
   ansible.builtin.fail:
-    msg: "missing or invalid iag_release"
-  when: iag_release == "UNDEFINED"
+    msg: "Deployer does not support installing Gateway version {{ iag_release }} on {{ ansible_distribution }}-{{ ansible_distribution_major_version }}"
+  when: invalid_iag_release is defined
 
 - name: Install base OS packages
   ansible.builtin.include_role:

roles/gateway/vars/release-undefined.yaml

@@ -1,4 +1,4 @@
 # Copyright (c) 2024, Itential, Inc
 # GNU General Public License v3.0+ (see LICENSE or https://www.gnu.org/licenses/gpl-3.0.txt)
 ---
-iag_release: UNDEFINED
+invalid_iag_release: true

roles/gateway_haproxy/tasks/main.yaml

@@ -10,8 +10,8 @@
 
 - name: Check for valid IAG release
   ansible.builtin.fail:
-    msg: "missing or invalid iag_release"
-  when: iag_release == "UNDEFINED"
+    msg: "Deployer does not support installing HAProxy on {{ iag_release }}"
+  when: invalid_iag_release is defined  
 
 - name: Install HAProxy
   ansible.builtin.package:

roles/gateway_haproxy/vars/release-undefined.yaml

@@ -1,4 +1,4 @@
 # Copyright (c) 2024, Itential, Inc
 # GNU General Public License v3.0+ (see LICENSE or https://www.gnu.org/licenses/gpl-3.0.txt)
 ---
-iag_release: UNDEFINED
+invalid_iag_release: true

roles/mongodb/tasks/download-packages.yml

@@ -22,8 +22,8 @@
 
 - name: Check for valid MongoDB release
   ansible.builtin.fail:
-    msg: "missing or invalid mongodb_release_url"
-  when: mongodb_release_url == "UNDEFINED"
+    msg: "Deployer does not support installing MongoDB for IAP version {{ iap_release }} on {{ ansible_distribution | lower }}-{{ ansible_distribution_major_version }}"
+  when: invalid_mongodb_release is defined
 
 - name: Install MongoDB repo
   ansible.builtin.yum_repository:

roles/mongodb/tasks/main.yaml

@@ -11,8 +11,8 @@
 
 - name: Check for valid MongoDB release
   ansible.builtin.fail:
-    msg: "missing or invalid mongodb_version"
-  when: mongodb_version == "UNDEFINED"
+    msg: "Deployer does not support installing MongoDB for IAP version {{ iap_release }} on {{ ansible_distribution }}-{{ ansible_distribution_major_version }}"
+  when: invalid_iag_release is defined
   tags: always
 
 - name: Install base OS packages
@@ -148,7 +148,7 @@
   ansible.builtin.template:
     src: mongod.conf.j2
     dest: "{{ mongo_conf_file }}"
-    owner: "{{ mongo_owner}}"
+    owner: "{{ mongo_owner }}"
     group: "{{ mongo_group }}"
     mode: "0644"
   tags: configure_mongo

roles/mongodb/vars/release-undefined.yaml

@@ -1,4 +1,4 @@
 # Copyright (c) 2024, Itential, Inc
 # GNU General Public License v3.0+ (see LICENSE or https://www.gnu.org/licenses/gpl-3.0.txt)
 ---
-mongodb_version: UNDEFINED
+invalid_mongodb_release: true

roles/os/tasks/download-packages.yml

@@ -23,11 +23,12 @@
     file: "{{ item }}"
   with_first_found:
     - "release-{{ ansible_distribution_major_version }}.yaml"
+    - "release-undefined.yaml"
 
 - name: Check supported OS
   ansible.builtin.fail:
-    msg: "Unsupported OS version!"
-  when: os_packages is undefined
+    msg: "Deployer does not support installing on {{ ansible_distribution }} {{ ansible_distribution_major_version }}!"
+  when: invalid_os_release is defined
 
 - name: Download OS rpms
   ansible.builtin.import_role:

roles/os/tasks/redhat.yaml

@@ -6,11 +6,12 @@
     file: "{{ item }}"
   with_first_found:
     - "release-{{ ansible_distribution_major_version }}.yaml"
+    - "release-undefined.yaml"
 
 - name: Check supported OS
   ansible.builtin.fail:
-    msg: "Unsupported OS version!"
-  when: os_packages is undefined
+    msg: "Deployer does not support installing on OS version {{ ansible_distribution_major_version }}!"
+  when: invalid_os_release is defined
 
 - name: Include OS specific tasks (online)
   ansible.builtin.include_tasks: "{{ ansible_os_family.lower() }}-online.yaml"

roles/os/vars/release-undefined.yaml

@@ -0,0 +1,3 @@
+# Copyright (c) 2024, Itential, Inc
+# GNU General Public License v3.0+ (see LICENSE or https://www.gnu.org/licenses/gpl-3.0.txt)
+invalid_os_release: true

roles/platform/tasks/determine-release-vars.yml

@@ -29,5 +29,5 @@
 
 - name: Check for valid IAP release
   ansible.builtin.fail:
-    msg: "missing or invalid iap_release"
-  when: iap_release == "UNDEFINED"
+    msg: "Deployer installer does not support installing IAP version {{ iap_release }} on {{ ansible_distribution | lower }}-{{ ansible_distribution_major_version }}"
+  when: invalid_iap_release is defined

roles/platform/templates/2021.2-properties.j2

@@ -16,7 +16,10 @@
 {# Build Vault props #}
 {% set vaultProps = None %}
 {% if configure_vault | bool %}
-  {% set vaultProps = dict(url = "http://" ~ hostvars[groups['vault'][0]].inventory_hostname ~ ":" ~ vault_port, token = vault_install_dir ~ "/token.txt", endpoint = "kv-v2/data" ) %}
+  {% set vaultProps = dict(url = "http://" ~ hostvars[groups['vault'][0]].inventory_hostname ~ ":" ~ vault_port, token = vault_install_dir ~ "/token.txt", endpoint = "kv-v2/data", readOnly = "false" | bool) %}
+  {% if vault_read_only | bool %}
+    {% set vaultProps = dict(vaultProps, **{'readOnly': vault_read_only}) %}
+  {% endif %}
 {% endif %}
 {# Build SSL props #}
 {% set acceptInvalidCerts = True %}

roles/platform/templates/2022.1-properties.j2

@@ -16,7 +16,10 @@
 {# Build Vault props #}
 {% set vaultProps = None %}
 {% if configure_vault | bool %}
-  {% set vaultProps = dict(url = "http://" ~ hostvars[groups['vault'][0]].inventory_hostname ~ ":" ~ vault_port, token = vault_install_dir ~ "/token.txt", endpoint = "kv-v2/data" ) %}
+  {% set vaultProps = dict(url = "http://" ~ hostvars[groups['vault'][0]].inventory_hostname ~ ":" ~ vault_port, token = vault_install_dir ~ "/token.txt", endpoint = "kv-v2/data", readOnly = "false" | bool) %}
+  {% if vault_read_only | bool %}
+    {% set vaultProps = dict(vaultProps, **{'readOnly': vault_read_only}) %}
+  {% endif %}
 {% endif %}
 {# Build SSL props #}
 {% set acceptInvalidCerts = True %}

roles/platform/templates/2023.1-properties.j2

@@ -43,7 +43,10 @@ defined in the host file.
 {# Build Vault props #}
 {% set vaultProps = None %}
 {% if configure_vault | bool %}
-  {% set vaultProps = dict(url = "http://" ~ hostvars[groups['vault'][0]].inventory_hostname ~ ":" ~ vault_port, token = vault_install_dir ~ "/token.txt", endpoint = "kv-v2/data" ) %}
+  {% set vaultProps = dict(url = "http://" ~ hostvars[groups['vault'][0]].inventory_hostname ~ ":" ~ vault_port, token = vault_install_dir ~ "/token.txt", endpoint = "kv-v2/data", readOnly = "false" | bool) %}
+  {% if vault_read_only | bool %}
+    {% set vaultProps = dict(vaultProps, **{'readOnly': vault_read_only}) %}
+  {% endif %}
 {% endif %}
 {
   "id": "{{ profile_name }}",

roles/platform/templates/2023.2-properties.j2

@@ -43,7 +43,10 @@ defined in the host file.
 {# Build Vault props #}
 {% set vaultProps = None %}
 {% if configure_vault | bool %}
-  {% set vaultProps = dict(url = "http://" ~ hostvars[groups['vault'][0]].inventory_hostname ~ ":" ~ vault_port, token = vault_install_dir ~ "/token.txt", endpoint = "kv-v2/data" ) %}
+  {% set vaultProps = dict(url = "http://" ~ hostvars[groups['vault'][0]].inventory_hostname ~ ":" ~ vault_port, token = vault_install_dir ~ "/token.txt", endpoint = "kv-v2/data", readOnly = "false" | bool) %}
+  {% if vault_read_only | bool %}
+    {% set vaultProps = dict(vaultProps, **{'readOnly': vault_read_only}) %}
+  {% endif %}
 {% endif %}
 {
   "id": "{{ profile_name }}",

roles/platform/vars/release-undefined.yaml

@@ -1,4 +1,4 @@
 # Copyright (c) 2024, Itential, Inc
 # GNU General Public License v3.0+ (see LICENSE or https://www.gnu.org/licenses/gpl-3.0.txt)
 ---
-iap_release: UNDEFINED
+invalid_iap_release: true

roles/rabbitmq/tasks/download-packages.yml

@@ -22,8 +22,8 @@
 
 - name: Check for valid RabbitMQ release
   ansible.builtin.fail:
-    msg: "missing or invalid rabbitmq_packages"
-  when: rabbitmq_packages == "UNDEFINED"
+    msg: "Deployer installer does not support installing RabbitMQ on IAP version {{ iap_release }}"
+  when: invalid_rabbitmq_packages is defined
 
 - name: Import PackageCloud signing key
   ansible.builtin.rpm_key:

roles/rabbitmq/tasks/main.yaml

@@ -10,8 +10,8 @@
 
 - name: Check for valid RabbitMQ release
   ansible.builtin.fail:
-    msg: "missing or invalid rabbitmq_packages"
-  when: rabbitmq_packages == "UNDEFINED"
+    msg: "Deployer installer does not support installing RabbitMQ on IAP version {{ iap_release }}"
+  when: invalid_rabbitmq_packages is defined
 
 - name: Install base OS packages
   ansible.builtin.include_role:

roles/rabbitmq/vars/release-undefined.yaml

@@ -1,4 +1,4 @@
 # Copyright (c) 2024, Itential, Inc
 # GNU General Public License v3.0+ (see LICENSE or https://www.gnu.org/licenses/gpl-3.0.txt)
 ---
-rabbitmq_packages: UNDEFINED
+invalid_rabbitmq_packages: true

roles/redis/tasks/download-packages.yml

@@ -22,8 +22,8 @@
 
 - name: Check for valid Redis release
   ansible.builtin.fail:
-    msg: "missing or invalid redis_packages"
-  when: redis_packages == "UNDEFINED"
+    msg: "Deployer does not support installing Redis on IAP version {{ iap_release }}"
+  when: invalid_redis_release is defined
 
 - name: Download package from Remi repo
   when: redis_install_method == "remi_repo"

roles/redis/tasks/main.yaml

@@ -10,8 +10,8 @@
 
 - name: Check for valid Redis release
   ansible.builtin.fail:
-    msg: "missing or invalid redis_packages"
-  when: redis_packages == "UNDEFINED"
+    msg: "Deployer does not support installing Redis on IAP version {{ iap_release }}"
+  when: invalid_redis_release is defined
 
 - name: Install base OS packages
   ansible.builtin.include_role:

roles/redis/vars/release-undefined.yaml

@@ -1,4 +1,4 @@
 # Copyright (c) 2024, Itential, Inc
 # GNU General Public License v3.0+ (see LICENSE or https://www.gnu.org/licenses/gpl-3.0.txt)
 ---
-redis_packages: UNDEFINED
+invalid_redis_release: true