Skip to content

ipa: add environment fallback support for validate_certs #10753

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 4 commits into
base: main
Choose a base branch
from
Open

ipa: add environment fallback support for validate_certs #10753

wants to merge 4 commits into from

Conversation

zjpeterson
Copy link
Contributor

SUMMARY

Add an environment fallback IPA_VALIDATE_CERTS for the validate_certs parameter in the ipa module utils. Currently you can set all connection-related parameters via the environment, except for this one.

ISSUE TYPE
  • Feature Pull Request
COMPONENT NAME

ipa

ADDITIONAL INFORMATION

@ansibullbot
Copy link
Collaborator

cc @Akasurde @Nosmoht @justchris1
click here for bot help

@ansibullbot ansibullbot added docs_fragments docs_fragments plugin (shared docs) feature This issue/PR relates to a feature request module_utils module_utils plugins plugin (any type) labels Aug 28, 2025
@ansibullbot

This comment was marked as outdated.

Sign in to view
@ansibullbot ansibullbot added the needs_revision This PR fails CI tests or a maintainer has requested a review/revision of the PR label Aug 28, 2025
@felixfontein felixfontein added check-before-release PR will be looked at again shortly before release and merged if possible. backport-11 Automatically create a backport for the stable-10 branch labels Aug 28, 2025
@felixfontein
Copy link
Collaborator

Please ignore that sanity error failures, #10755 is adding the necessary ignores.

felixfontein
felixfontein reviewed Aug 28, 2025
View reviewed changes
Copy link
Collaborator

@felixfontein felixfontein left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for your contribution!

I would change the environment variable's name to ANSIBLE_IPA_VALIDATE_CERTS, since we prefer to prefix all environment variables with ANSIBLE_ unless these variables are also interpreted in the same sense by the software that the module manages (which very likely isn't the case here).

russoz
russoz reviewed Aug 31, 2025
View reviewed changes
Copy link
Collaborator

@russoz russoz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Other than the comments by @felixfontein , looks good to me

felixfontein
felixfontein reviewed Sep 4, 2025
View reviewed changes
plugins/doc_fragments/ipa.py
Comment on lines +65 to +66
- If the value is not specified in the task, the value of environment variable E(IPA_VALIDATE_CERTS) is used instead.
If both the environment variable E(IPA_VALIDATE_CERTS) and the value are not specified in the task, then default value is used.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
- If the value is not specified in the task, the value of environment variable E(IPA_VALIDATE_CERTS) is used instead.
If both the environment variable E(IPA_VALIDATE_CERTS) and the value are not specified in the task, then default value is used.
- If the value is not specified in the task, the value of environment variable E(ANSIBLE_IPA_VALIDATE_CERTS) is used instead.
If both the environment variable E(ANSIBLE_IPA_VALIDATE_CERTS) and the value are not specified in the task, then default value is used.

plugins/module_utils/ipa.py
ipa_pass=dict(type='str', no_log=True, fallback=(env_fallback, ['IPA_PASS'])),
ipa_timeout=dict(type='int', default=10, fallback=(env_fallback, ['IPA_TIMEOUT'])),
validate_certs=dict(type='bool', default=True),
validate_certs=dict(type='bool', default=True, fallback=(env_fallback, ['IPA_VALIDATE_CERTS'])),
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
validate_certs=dict(type='bool', default=True, fallback=(env_fallback, ['IPA_VALIDATE_CERTS'])),
validate_certs=dict(type='bool', default=True, fallback=(env_fallback, ['ANSIBLE_IPA_VALIDATE_CERTS'])),

@ansibullbot ansibullbot removed the needs_revision This PR fails CI tests or a maintainer has requested a review/revision of the PR label Sep 4, 2025
@zjpeterson
Copy link
Contributor Author

zjpeterson commented Sep 10, 2025
edited
Loading

@felixfontein The other environment vars already start with IPA_ so I just matched it. It would be mismatched to use ANSIBLE_ unless the rest of them change too.

Anecdotally, it has been my experience that module-specific environment variables use a custom prefix matching the module names, such as the use of SN_ in servicenow.itsm, ACI_ in cisco.aci, and MIQ_ for the manageiq modules in this collection.

@felixfontein
Copy link
Collaborator

@felixfontein The other environment vars already start with IPA_ so I just matched it.

These have been grandfathered in, since they were added before the ANSIBLE_ prefix rule.

It would be mismatched to use ANSIBLE_ unless the rest of them change too.

True, but that doesn't change that the prefix should be used for new environment variables. (Also it's possible to add additional env variable fallbacks for the existing options that have a prefix.)

@ansibullbot ansibullbot added the stale_ci CI is older than 7 days, rerun before merging label Sep 12, 2025
@felixfontein felixfontein removed the backport-11 Automatically create a backport for the stable-10 branch label Oct 13, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@russoz russoz russoz left review comments

@felixfontein felixfontein felixfontein left review comments

Assignees

No one assigned

Labels

check-before-release PR will be looked at again shortly before release and merged if possible. docs_fragments docs_fragments plugin (shared docs) feature This issue/PR relates to a feature request module_utils module_utils plugins plugin (any type) stale_ci CI is older than 7 days, rerun before merging

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@zjpeterson @ansibullbot @felixfontein @russoz