podman_login: why are tlsverify certdir mutually exclusive? #723
Comments
I believe that if you use certdir it assumes you use tls verifying, and if you don't want to use tls then it doesn't make sense to set a certdir. But probably @jthiatt has a better explanation.

```yaml
---
- name: Test podman_login
  hosts: all
  gather_facts: false
  tasks:
    - name: Test
      containers.podman.podman_login:
        certdir: "{{ certdir | default(omit, true) }}"
        registry: ghcr.io
        tlsverify: "{{ tlsverify | default(omit, true) }}"
```

And you can set either
I don't have a strong objection to remove mutual exclusiveness, but it's firstly wrong settings in a playbook.
Thanks for the quick response!
That actually helps for my use case! Can't believe I didn't know about that, thanks a bunch. :) However, I still wonder about this:
If it assumes you're using tls, doesn't it make sense to be able to say so explicitly? The following playbook also throws the error:

```yaml
---
- name: Test podman_login
  hosts: all
  gather_facts: false
  tasks:
    - name: Test
      containers.podman.podman_login:
        certdir: /foo
        registry: ghcr.io
        tlsverify: true
```

Perhaps that was the better example of the (perceived) issue -- sorry!
Yeah, it's because
Happy to open a PR if it's generally felt that decoupling exclusiveness is the nicest. Alternatively, I think this could also be seen as a documentation issue: if you feel it's nicer to keep the exclusiveness, I think this should just be mentioned in the docs for certdir/tlsverify.
I'm fine with either. Exclusiveness is actually protecting from shooting to legs, but it has an issue with setting both vars as you showed.
I guess I was under the impression if you were providing cert(s) you wouldn't want to skip TLS verification. Seems like this is not the case since the args can be passed to podman without any issue. I'm fine with removing the exclusiveness. I won't be able to get to this PR for a few days, if someone wants to pick it up that would be appreciated.
BUG REPORT
Using the `podman_login` module with the `tlsverify` and `certdir` arguments set results in an error.
Description
The `tlsverify` and `certdir` arguments are explicitly defined as mutually exclusive here. I fail to see the reason for this, as it looks as if I can use the two options with podman:
However, perhaps I'm missing something about the underlying mechanics that's making it necessary to set these options as exclusive?
If not, I would like to request that these options are made not exclusive, as this is currently leading to problems when using this module with molecule. A Molecule YAML config like this one currently throws errors:
...as the `tlsverify` and `certdir` parameters are set to an empty string (and thus are both defined) when the environment variables are empty. Also see: ansible-community/molecule-plugins#248
Steps to reproduce the issue:
Run the following playbook
Describe the results you received:
Describe the results you expected:
`tlsverify` and `certdir` should be able to be set together.
Version of the `containers.podman` collection: 1.12.0
Output of `podman version`:
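
The behaviour discussed in this thread, as an added example that is not part of the original issue or the collection's code: a simplified Python model of a mutually exclusive argument check and of the `default(omit, true)` workaround. It assumes a parameter counts as set whenever its key is present in the task arguments, as the issue describes for empty strings; `OMIT`, `default`, `render_task_args`, `mutually_exclusive_conflict` and `login_args` are hypothetical names.

```python
# Added illustration: a simplified model of a "mutually exclusive" argument
# check. Assumption: a parameter counts as set whenever its key is present in
# the task arguments, whatever its value (as the issue describes).

OMIT = object()  # stand-in for Ansible's `omit` placeholder


def default(value, fallback, boolean=False):
    """Model of the Jinja2 `default` filter: with boolean=True, any falsy
    value (such as an empty string) is replaced by the fallback."""
    if value is None or (boolean and not value):
        return fallback
    return value


def render_task_args(args):
    """Drop every argument whose rendered value is the omit placeholder."""
    return {k: v for k, v in args.items() if v is not OMIT}


def mutually_exclusive_conflict(args, group=("certdir", "tlsverify")):
    """Return the parameters from `group` that are present together, or []."""
    present = [name for name in group if name in args]
    return present if len(present) > 1 else []


def login_args(certdir, tlsverify, use_omit):
    """Build podman_login arguments from (constructed) environment values."""
    if use_omit:
        certdir = default(certdir, OMIT, boolean=True)
        tlsverify = default(tlsverify, OMIT, boolean=True)
    return render_task_args(
        {"registry": "ghcr.io", "certdir": certdir, "tlsverify": tlsverify}
    )


if __name__ == "__main__":
    cases = {
        "empty env vars, no omit": login_args("", "", use_omit=False),
        "empty env vars, default(omit, true)": login_args("", "", use_omit=True),
        "only certdir set, default(omit, true)": login_args("/foo", "", use_omit=True),
        "certdir and tlsverify: true": login_args("/foo", True, use_omit=True),
    }
    for label, args in cases.items():
        print(f"{label}: args={args} conflict={mutually_exclusive_conflict(args)}")
```

The last case is the one raised in the second playbook: stating `tlsverify: true` alongside a `certdir` still trips the check, even though that combination asks for verification.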