Fix LDAP secret retrieval #1887

Open. Wants to merge 1 commit into base: devel

Conversation

lorenzo-maffeo-SAP

Update load_ldap_password_secret.yml to fix LDAP secret retrieval

SUMMARY

When deploying Tower via the Operator and configuring LDAP binding at deployment time, the LDAP secret cannot be retrieved by the playbook despite following the instructions in the documentation.

Fixed file /roles/installer/tasks/load_ldap_password_secret.yml to allow correct retrieval of the LDAP secret by removing [0] in lines 12 and 14.

ISSUE TYPE

Bug fix

ADDITIONAL INFORMATION

Reproduction steps:

  1. Clone repo and configure a deployment with LDAP binding on deployment
  2. Create the ldap secret with the instructions available here
  3. Confirm password is correctly set in the secret
  4. Start deployment and watch logs of awx-operator-controller-manager
  5. Deployment will fail with the following error:

    task path: /opt/ansible/roles/installer/tasks/load_ldap_password_secret.yml:10
    fatal: [localhost]: FAILED! => {"msg": "The conditional check '"ldap-password" in ldap_password["resources"][0]["data"]' failed. The error was: error while evaluating conditional ("ldap-password" in ldap_password["resources"][0]["data"]): list object has no element 0. list object has no element 0

    The error appears to be in '/opt/ansible/roles/installer/tasks/load_ldap_password_secret.yml': line 10, column 3, but may
    be elsewhere in the file depending on the exact syntax problem.

    The offending line appears to be:


    - name: Load LDAP bind password Secret content
     ^ here
    "}

Update load_ldap_password_secret.yml to fix LDAP secret retrieval
@fosterseth (Member)

needs manual testing from developer

@rooftopcellist (Member)

@lorenzo-maffeo-SAP the preceding task which sets ldap_password will always return a list; that is why that [0] index is there, to return only the first entry in the list (because in this case, since "name" is specified rather than a label, we can guarantee that there is only 1 item in the list, or 0).

In the case of your error, there are 0 secrets in the list. Can you confirm that the spec.ldap_password_secret specified is the name of a k8s secret that matches a secret in your k8s namespace?

Docs here:

@lorenzo-maffeo-SAP (Author)

@rooftopcellist the secret is correctly present with the right name, it has a single entry containing the password.
I have followed, step by step, the instructions at https://ansible.readthedocs.io/projects/awx-operator/en/latest/user-guide/advanced-configuration/trusting-a-custom-certificate-authority.html?h=ldap#trusting-a-custom-certificate-authority to create the LDAP secret password and add it to the specs; the deployment kept failing until I modified the code as per this PR.
I have experienced this behaviour on 2 different Kubernetes clusters where I attempted deployment.
At this point, if the code is correct, it seems the documentation is wrong: can you please try on your side to follow the steps in the documentation (without any deviation) and see if you can reproduce it?

@kurokobo (Contributor)

kurokobo commented Jun 9, 2024

@lorenzo-maffeo-SAP
Does your Secret exist in the same namespace as AWX Operator and AWX?

@lorenzo-maffeo-SAP (Author)

lorenzo-maffeo-SAP commented Jun 11, 2024

> @lorenzo-maffeo-SAP Does your Secret exist in the same namespace as AWX Operator and AWX?

Yes, correct. I have tried a complete new deployment on a local minikube cluster and still experience the same behaviour.

user@minikube-test [22:06:47] [~/code/awx-k8s] [master *]
-> % k get all -n awx
NAME                                                  READY   STATUS    RESTARTS      AGE
pod/awx-demo-postgres-13-0                            1/1     Running   0             4m29s
pod/awx-demo-task-856bf67c94-n2zsh                    4/4     Running   0             3m29s
pod/awx-demo-web-755dcfd8c4-p5vg7                     3/3     Running   1 (27s ago)   66s
pod/awx-operator-controller-manager-85c949b69-4926g   2/2     Running   0             4m37s

NAME                                                      TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)        AGE
service/awx-demo-postgres-13                              ClusterIP   None             <none>        5432/TCP       4m29s
service/awx-demo-service                                  NodePort    10.99.58.121     <none>        80:30834/TCP   3m31s
service/awx-operator-controller-manager-metrics-service   ClusterIP   10.106.238.199   <none>        8443/TCP       8m58s

NAME                                              READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/awx-demo-task                     1/1     1            1           3m29s
deployment.apps/awx-demo-web                      1/1     1            1           3m22s
deployment.apps/awx-operator-controller-manager   1/1     1            1           8m58s

NAME                                                        DESIRED   CURRENT   READY   AGE
replicaset.apps/awx-demo-task-856bf67c94                    1         1         1       3m29s
replicaset.apps/awx-demo-web-755dcfd8c4                     1         1         1       3m22s
replicaset.apps/awx-operator-controller-manager-85c949b69   1         1         1       8m58s

NAME                                    READY   AGE
statefulset.apps/awx-demo-postgres-13   1/1     4m29s

user@minikube-test [22:06:52] [~/code/awx-k8s] [master *]
-> % k get secrets -n awx
NAME                              TYPE                DATA   AGE
awx-demo-admin-password           Opaque              1      4m47s
awx-demo-app-credentials          Opaque              3      3m41s
awx-demo-broadcast-websocket      Opaque              1      4m44s
awx-demo-ldap-password            Opaque              1      8m32s
awx-demo-postgres-configuration   Opaque              6      4m39s
awx-demo-receptor-ca              kubernetes.io/tls   2      3m51s
awx-demo-receptor-work-signing    Opaque              2      3m45s
awx-demo-secret-key               Opaque              1      8m52s
redhat-operators-pull-secret      Opaque              1      8m59s

user@minikube-test [22:08:10] [~/code/awx-k8s] [master *]
-> % k -n awx get secret awx-demo-ldap-password -o jsonpath="{.data.ldap-password}" | base64 -d
MySuperSecurePassword%

user@minikube-test [22:08:41] [~/code/awx-k8s] [master *]
-> % grep -v ^# kustomization.yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  # Find the latest tag here: https://github.com/ansible/awx-operator/releases
  - github.com/ansible/awx-operator/config/default?ref=2.9.0
  - awx-demo.yml
images:
  - name: quay.io/ansible/awx-operator
    newTag: 2.9.0
namespace: awx

user@minikube-test [22:08:52] [~/code/awx-k8s] [master *]
-> % grep -v ^# awx-demo.yml
---
apiVersion: awx.ansible.com/v1beta1
kind: AWX
metadata:
  name: awx-demo
spec:
  no_log: false
  service_type: nodeport
  ldap_password_secret: awx-ldap-password
  extra_settings:
    - setting: AUTH_LDAP_SERVER_URI
      value: >-
        "ldap://ldap.test.local:389"

    - setting: AUTH_LDAP_BIND_DN
      value: >-
        "CN=Userxxx,CN=Users,DC=test,DC=local"

user@minikube-test [22:09:04] [~/code/awx-k8s] [master *]
-> % k apply -k .
namespace/awx unchanged
customresourcedefinition.apiextensions.k8s.io/awxbackups.awx.ansible.com unchanged
customresourcedefinition.apiextensions.k8s.io/awxrestores.awx.ansible.com unchanged
customresourcedefinition.apiextensions.k8s.io/awxs.awx.ansible.com unchanged
serviceaccount/awx-operator-controller-manager unchanged
role.rbac.authorization.k8s.io/awx-operator-awx-manager-role configured
role.rbac.authorization.k8s.io/awx-operator-leader-election-role unchanged
clusterrole.rbac.authorization.k8s.io/awx-operator-metrics-reader unchanged
clusterrole.rbac.authorization.k8s.io/awx-operator-proxy-role unchanged
rolebinding.rbac.authorization.k8s.io/awx-operator-awx-manager-rolebinding unchanged
rolebinding.rbac.authorization.k8s.io/awx-operator-leader-election-rolebinding unchanged
clusterrolebinding.rbac.authorization.k8s.io/awx-operator-proxy-rolebinding unchanged
configmap/awx-operator-awx-manager-config unchanged
service/awx-operator-controller-manager-metrics-service unchanged
deployment.apps/awx-operator-controller-manager unchanged
awx.awx.ansible.com/awx-demo configured

user@minikube-test [22:09:39] [~/code/awx-k8s] [master *]
-> % k delete pod/awx-demo-task-856bf67c94-2qcjt pod/awx-demo-web-755dcfd8c4-xpnz5 deployment.apps/awx-demo-task deployment.apps/awx-demo-web
pod "awx-demo-task-856bf67c94-2qcjt" deleted
pod "awx-demo-web-755dcfd8c4-xpnz5" deleted
deployment.apps "awx-demo-task" deleted
deployment.apps "awx-demo-web" deleted

user@minikube-test [22:10:06] [~/code/awx-k8s] [master *]
-> % k logs -f pod/awx-operator-controller-manager-85c949b69-56l92
[...]
TASK [installer : Load LDAP bind password Secret content] **********************
task path: /opt/ansible/roles/installer/tasks/load_ldap_password_secret.yml:10
fatal: [localhost]: FAILED! => {"msg": "The conditional check '"ldap-password" in ldap_password["resources"][0]["data"]' failed. The error was: error while evaluating conditional ("ldap-password" in ldap_password["resources"][0]["data"]): list object has no element 0. list object has no element 0

edit: I just noticed after posting this that the secret name is not the same; I copied the files from the system where I originally found the issue and most likely carried the same mistake along with it. Once I fixed the secret name, the deployment worked fine.

--------------------------- Ansible Task StdOut -------------------------------

TASK [installer : Load ldap bind password] *************************************
task path: /opt/ansible/roles/installer/tasks/install.yml:52

-------------------------------------------------------------------------------
{"level":"info","ts":"2024-06-11T20:29:50Z","logger":"logging_event_handler","msg":"[playbook task start]","name":"awx-demo","namespace":"awx","gvk":"awx.ansible.com/v1beta1, Kind=AWX","event_type":"playbook_on_task_start","job":"5267741342915667530","EventData.Name":"installer : Retrieve LDAP bind password Secret"}

--------------------------- Ansible Task StdOut -------------------------------

TASK [installer : Retrieve LDAP bind password Secret] **************************
task path: /opt/ansible/roles/installer/tasks/load_ldap_password_secret.yml:2

-------------------------------------------------------------------------------
{"level":"info","ts":"2024-06-11T20:29:50Z","logger":"proxy","msg":"Read object from cache","resource":{"IsResourceRequest":true,"Path":"/api/v1/namespaces/awx/secrets/awx-demo-ldap-password","Verb":"get","APIPrefix":"api","APIGroup":"","APIVersion":"v1","Namespace":"awx","Resource":"secrets","Subresource":"","Name":"awx-demo-ldap-password","Parts":["secrets","awx-demo-ldap-password"]}}
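A pre-flight check for the failure mode discussed in this thread: the lookup by name returns an empty list when spec.ldap_password_secret does not match a Secret in the AWX namespace, so the operator's unconditional [0] index fails with "list object has no element 0", and the root cause found above was a near-miss Secret name (awx-ldap-password in the spec versus awx-demo-ldap-password in the namespace). This is an added example, not the operator's code or any participant's; it runs offline on constructed Secret and AWX objects that reuse the names from the thread. The lookup helper mimics only the result shape of the kubernetes.core.k8s lookup ({"resources": [...]}), which is an assumption about that lookup, not its implementation, and the close-match hint is this example's own addition.

```python
"""Pre-flight check for the AWX Operator's LDAP bind-password Secret lookup.

Added example for this thread, not the operator's own code. It mirrors the data
the operator's playbook handles: the AWX resource's spec.ldap_password_secret and
what the k8s lookup returns when queried by name ({"resources": [...]} with zero
or one entries; assumed shape). The objects below are constructed for the example
and reuse the names from the thread.
"""
import base64
import difflib

LDAP_KEY = "ldap-password"  # key the operator expects inside the Secret's data

# Constructed sample of what `kubectl get secret -n awx -o json` would list.
SECRETS_IN_AWX_NS = [
    {"metadata": {"name": "awx-demo-ldap-password", "namespace": "awx"},
     "type": "Opaque",
     "data": {LDAP_KEY: base64.b64encode(b"MySuperSecurePassword").decode()}},
    {"metadata": {"name": "awx-demo-admin-password", "namespace": "awx"},
     "type": "Opaque",
     "data": {"password": base64.b64encode(b"not-the-ldap-secret").decode()}},
]


def awx_cr(secret_name, namespace="awx"):
    """Constructed AWX resource carrying only the fields this check reads."""
    return {"apiVersion": "awx.ansible.com/v1beta1", "kind": "AWX",
            "metadata": {"name": "awx-demo", "namespace": namespace},
            "spec": {"ldap_password_secret": secret_name}}


def k8s_lookup_by_name(secrets, name, namespace):
    """Assumed shape of the kubernetes.core.k8s lookup result: a dict whose
    'resources' is always a list; filtering by name yields zero or one entries."""
    return {"resources": [s for s in secrets
                          if s["metadata"]["name"] == name
                          and s["metadata"]["namespace"] == namespace]}


def operator_style_conditional(lookup_result):
    """The conditional quoted in the thread, indexing [0] unconditionally.
    On an empty list this raises IndexError, which Ansible reports as
    'list object has no element 0'."""
    return LDAP_KEY in lookup_result["resources"][0]["data"]


def operator_style_fails(lookup_result):
    """True when the operator's [0] conditional blows up on this lookup result."""
    try:
        operator_style_conditional(lookup_result)
        return False
    except IndexError:
        return True


def preflight_ldap_secret(cr, secrets):
    """Return (ok, message). Checks the points raised in the thread, in order:
    the Secret named in spec exists in the AWX namespace, carries the
    ldap-password key, and decodes to a non-empty value."""
    namespace = cr["metadata"]["namespace"]
    name = cr["spec"].get("ldap_password_secret")
    if not name:
        return True, "spec.ldap_password_secret unset; LDAP bind password not loaded"
    found = k8s_lookup_by_name(secrets, name, namespace)["resources"]
    if not found:
        # The thread's root cause was a near-miss name, so offer close matches
        # from the same namespace (this hint is the example's own addition).
        names = [s["metadata"]["name"] for s in secrets
                 if s["metadata"]["namespace"] == namespace]
        close = difflib.get_close_matches(name, names, n=3, cutoff=0.6)
        hint = f"; close matches: {', '.join(close)}" if close else ""
        return False, f"Secret {name!r} not found in namespace {namespace!r}{hint}"
    data = found[0].get("data") or {}
    if LDAP_KEY not in data:
        return False, (f"Secret {name!r} lacks key {LDAP_KEY!r} "
                       f"(present: {', '.join(sorted(data)) or 'none'})")
    if not base64.b64decode(data[LDAP_KEY]).strip():
        return False, f"Secret {name!r} key {LDAP_KEY!r} is empty"
    return True, f"Secret {name!r} in {namespace!r} provides {LDAP_KEY!r}"


def ldap_bind_password(cr, secrets):
    """Decoded bind password, or None when the pre-flight check fails."""
    ok, _ = preflight_ldap_secret(cr, secrets)
    if not ok:
        return None
    found = k8s_lookup_by_name(secrets, cr["spec"]["ldap_password_secret"],
                               cr["metadata"]["namespace"])["resources"]
    return base64.b64decode(found[0]["data"][LDAP_KEY]).decode()


if __name__ == "__main__":
    for spec_name in ("awx-ldap-password", "awx-demo-ldap-password"):
        print(spec_name, "->", preflight_ldap_secret(awx_cr(spec_name), SECRETS_IN_AWX_NS))
```

Run against the thread's values, the first spec name fails with a "not found" message that suggests awx-demo-ldap-password, and the corrected name passes; the same check also catches a Secret in the wrong namespace and a Secret without the ldap-password key, the two other questions raised in the thread.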
