feat: honor ANSIBLE_VAULT_PASSWORD_FILE for vault decryption #5019
Open
JohnLahr wants to merge 1 commit into ansible:main from
Delegate vault secret initialization to Ansible's own CLI.setup_vault_secrets(), which reads:

- ANSIBLE_VAULT_PASSWORD_FILE environment variable
- vault_password_file in ansible.cfg
- ANSIBLE_VAULT_IDENTITY_LIST / vault_identity_list

Previously, all DataLoader instances were initialized with a hardcoded dummy vault password "x", causing decryption failures for fully encrypted vault files (e.g., group_vars/*/vault.yaml). This meant JinjaRule and VariableNamingRule silently skipped vault files.

The fix centralizes vault secret loading in _get_vault_secrets() which caches the result and falls back to the dummy password when no vault configuration is found. All three DataLoader creation sites (parse_yaml_from_file, path_dwim, ansible_templar) now use the shared _make_dataloader() factory. Interactive prompts are disabled (ask_vault_pass=False, auto_prompt=False).

Fixes ansible#2889, ansible#2506, ansible#2443, ansible#3718
Supersedes ansible#4069

Signed-off-by: John Lahr <john@johnlahr.me>
ansible-lint creates DataLoader instances with a hardcoded dummy vault password, so ANSIBLE_VAULT_PASSWORD_FILE, vault_password_file in ansible.cfg, and vault_identity_list are all silently ignored. This causes JinjaRule and VariableNamingRule to skip fully encrypted vault files with "Decryption failed (no vault secrets were found that could decrypt)".

This delegates vault initialization to Ansible's own CLI.setup_vault_secrets() (the same function that ansible-playbook uses) and caches the result for all DataLoader instances. Interactive prompts are disabled. When no vault configuration is found, the existing dummy password fallback is preserved.
Fixes #2889
Fixes #2443
Related to #3718
Testing:

- python -m pytest test/test_vault.py -v
- python -m pytest test/test_examples.py::test_vault_full test/test_examples.py::test_vault_partial -v
- ANSIBLE_VAULT_PASSWORD_FILE=.vault_pass ansible-lint against a project with vault-encrypted group_vars
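The pattern the commit message and PR description outline (one cached secret list built by Ansible's own CLI.setup_vault_secrets() with prompting off, a dummy-password fallback when nothing is configured, and a single DataLoader factory) written out as an added example. This is not the PR's or ansible-lint's code: the functions are named after the PR's _get_vault_secrets()/_make_dataloader() without the leading underscore; the injectable setup/make_secret parameters are this example's own device so the cache and fallback can be exercised without ansible-core or a vault file; and the claim that setup_vault_secrets() itself appends C.DEFAULT_VAULT_PASSWORD_FILE while the caller passes C.DEFAULT_VAULT_IDENTITY_LIST is an assumption about ansible-core's CLI, not something the PR states.

```python
"""Added example (not the PR's own code): a shared DataLoader factory whose
vault secrets come from ansible-core's CLI.setup_vault_secrets() and fall
back to the historical dummy password when no vault configuration exists."""
from __future__ import annotations

from typing import Any, Callable, List, Optional, Tuple

# The hard-coded fallback password the PR description says is preserved.
DUMMY_VAULT_PASSWORD = b"x"

# Secret list shared by every DataLoader; filled on first use so the password
# file is read (or a password script run) exactly once per lint run.
_VAULT_SECRETS: Optional[List[Tuple[str, Any]]] = None

SetupFn = Callable[[], List[Tuple[str, Any]]]
SecretFactory = Callable[[bytes], Any]


def ansible_setup_vault_secrets() -> List[Tuple[str, Any]]:
    """Delegate to ansible-core (imported lazily so this module loads without it).

    Assumption about ansible-core's CLI: setup_vault_secrets() appends
    C.DEFAULT_VAULT_PASSWORD_FILE (ANSIBLE_VAULT_PASSWORD_FILE or ansible.cfg's
    vault_password_file) to the password-file list itself, while the identity
    list (ANSIBLE_VAULT_IDENTITY_LIST / vault_identity_list) is passed in by
    the caller the way ansible-playbook does. Prompting is disabled on both
    paths so a lint run never blocks waiting for a tty.
    """
    from ansible import constants as C
    from ansible.cli import CLI
    from ansible.parsing.dataloader import DataLoader

    return CLI.setup_vault_secrets(
        DataLoader(),
        vault_ids=list(C.DEFAULT_VAULT_IDENTITY_LIST),
        vault_password_files=None,
        ask_vault_pass=False,
        auto_prompt=False,
    )


def ansible_vault_secret(password: bytes) -> Any:
    """Wrap raw bytes in ansible-core's VaultSecret (lazy import, as above)."""
    from ansible.parsing.vault import VaultSecret

    return VaultSecret(_bytes=password)


def get_vault_secrets(
    setup: SetupFn = ansible_setup_vault_secrets,
    make_secret: SecretFactory = ansible_vault_secret,
) -> List[Tuple[str, Any]]:
    """Return the cached vault secrets, loading them on the first call.

    `setup` and `make_secret` are injectable only so the fallback and caching
    behaviour can be tested without ansible-core; the defaults are the real
    delegation described in the PR.
    """
    global _VAULT_SECRETS
    if _VAULT_SECRETS is None:
        secrets = setup()
        if not secrets:
            # No password file and no identity list: keep the old dummy secret
            # so projects without vaults behave exactly as before.
            secrets = [("default", make_secret(DUMMY_VAULT_PASSWORD))]
        _VAULT_SECRETS = secrets
    return _VAULT_SECRETS


def reset_vault_secrets_cache() -> None:
    """Drop the cache (for tests, or if ansible.cfg changes between runs)."""
    global _VAULT_SECRETS
    _VAULT_SECRETS = None


def make_dataloader(basedir: Optional[str] = None) -> Any:
    """Single factory for every DataLoader the linter creates.

    Routing all creation sites through one function prevents them drifting
    apart, with one site using real secrets and another still the dummy one.
    """
    from ansible.parsing.dataloader import DataLoader

    loader = DataLoader()
    loader.set_vault_secrets(get_vault_secrets())
    if basedir:
        loader.set_basedir(basedir)
    return loader
```

With ansible-core installed, `make_dataloader(".")` gives a loader whose `load_from_file()` can decrypt a fully encrypted group_vars file when ANSIBLE_VAULT_PASSWORD_FILE (or the ansible.cfg equivalents) points at the right secret; with nothing configured it behaves exactly like the old dummy-password loader. Keeping the ansible imports inside the functions is what lets the cache and fallback logic be unit-tested in isolation.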