eda-server's Introduction

Event Driven Ansible Controller

This repository contains the source code for the Event Driven Ansible Controller, aka EDA-Controller.

Licensed under Apache Software License 2.0

How to install

Refer to the deployment guide for further information if you want to install and run the application.

Development environment

Refer to the development guide for further information if you want to set up a development environment.

Contributing

We ask all of our community members and contributors to adhere to the Ansible code of conduct. If you have questions or need assistance, please reach out to our community team at [email protected]

Refer to the Contributing guide for further information.

Communication

See the Communication section of the Contributing guide to find out how to get help and contact us.

For more information about getting in touch, see the Ansible communication guide.

Credits

EDA-Controller is sponsored by Red Hat, Inc.

eda-server's People

Contributors

akira6592, alancoding, alex-izquierdo, benthomasson, bzwei, chrismeyersfsu, cutwater, ddonahue007, dhaustein, dostonbek1, hsong-rh, jainnikhil30, jamesmarshall24, jamestalton, jshimkus-rh, kurokobo, mkanoor, msmagnanijr, oranod, rcarrillocruz, red-hap, reidliu41, rooftopcellist, shannon-donahue, slemrmartin, ttuffin, zkayyali812

eda-server's Issues

Unable to sync Gitlab repo to projects due to self signed cert

Please confirm the following

  • I agree to follow this project's code of conduct.
  • I have checked the current issues for duplicates.
  • I understand that EDA-Controller is open source software provided for free and that I might not receive a timely response.

Bug Summary

I have a lab with AAP 2.4 and Gitlab. I am trying to sync a rulebook repo so I can work with the EDA controller. I am getting an SSL error because of a self signed cert on my Gitlab server.

I've tried adding the below.
git config http.sslVerify false
git config --global http.sslVerify false
export GIT_SSL_NO_VERIFY=true

Environment

Rhel9

Steps to reproduce

Sync a project repo with a gitlab server that has a self signed cert

Actual results

Jul 21 08:46:58 aap-eda automation-eda-controller-worker-1[373378]: 2023-07-21 13:46:58,762 INFO default: aap_eda.tasks.project.sync_project(project_id=4) (e502c624-06b3-4b5a-8f0a-bd11d4debcb3)
Jul 21 08:46:58 aap-eda automation-eda-controller-worker-1[427478]: 2023-07-21 13:46:58,776 INFO Task started: Sync project ( project_id=4 )
Jul 21 08:46:58 aap-eda automation-eda-controller-worker-1[427478]: 2023-07-21 13:46:58,914 WARNING Command returned non-zero exit status 128:
Jul 21 08:46:58 aap-eda automation-eda-controller-worker-1[427478]: #011command: ['/usr/bin/git', 'clone', '--quiet', '--depth', '1', 'https://root:[email protected]/root/rulebooks.git', '/tmp/eda-project-tyd62sso/src']
Jul 21 08:46:58 aap-eda automation-eda-controller-worker-1[427478]: #011stderr: fatal: unable to access 'https://192.168.0.13/root/rulebooks.git/': SSL certificate problem: self-signed certificate
Jul 21 08:46:58 aap-eda automation-eda-controller-worker-1[427478]: 2023-07-21 13:46:58,924 ERROR Traceback (most recent call last):
Jul 21 08:46:58 aap-eda automation-eda-controller-worker-1[427478]: File "/usr/lib/python3.9/site-packages/aap_eda/services/project/git.py", line 159, in call
Jul 21 08:46:58 aap-eda automation-eda-controller-worker-1[427478]: try:
Jul 21 08:46:58 aap-eda automation-eda-controller-worker-1[427478]: File "/usr/lib64/python3.9/subprocess.py", line 528, in run
Jul 21 08:46:58 aap-eda automation-eda-controller-worker-1[427478]: raise CalledProcessError(retcode, process.args,
Jul 21 08:46:58 aap-eda automation-eda-controller-worker-1[427478]: subprocess.CalledProcessError: Command '['/usr/bin/git', 'clone', '--quiet', '--depth', '1', 'https://root:[email protected]/root/rulebooks.git', '/tmp/eda-project-tyd62sso/src']' returned non-zero exit status 128.
Jul 21 08:46:58 aap-eda automation-eda-controller-worker-1[427478]: During handling of the above exception, another exception occurred:
Jul 21 08:46:58 aap-eda automation-eda-controller-worker-1[427478]: Traceback (most recent call last):
Jul 21 08:46:58 aap-eda automation-eda-controller-worker-1[427478]: File "/usr/lib/python3.9/site-packages/rq/worker.py", line 1061, in perform_job
Jul 21 08:46:58 aap-eda automation-eda-controller-worker-1[427478]: rv = job.perform()
Jul 21 08:46:58 aap-eda automation-eda-controller-worker-1[427478]: File "/usr/lib/python3.9/site-packages/rq/job.py", line 821, in perform
Jul 21 08:46:58 aap-eda automation-eda-controller-worker-1[427478]: self._result = self._execute()
Jul 21 08:46:58 aap-eda automation-eda-controller-worker-1[427478]: File "/usr/lib/python3.9/site-packages/rq/job.py", line 844, in _execute
Jul 21 08:46:58 aap-eda automation-eda-controller-worker-1[427478]: result = self.func(*self.args, **self.kwargs)
Jul 21 08:46:58 aap-eda automation-eda-controller-worker-1[427478]: File "/usr/lib/python3.9/site-packages/aap_eda/tasks/project.py", line 39, in sync_project
Jul 21 08:46:58 aap-eda automation-eda-controller-worker-1[427478]: ProjectImportService().sync_project(project)
Jul 21 08:46:58 aap-eda automation-eda-controller-worker-1[427478]: File "/usr/lib/python3.9/site-packages/aap_eda/services/project/imports.py", line 57, in wrapper
Jul 21 08:46:58 aap-eda automation-eda-controller-worker-1[427478]: func(self, project)
Jul 21 08:46:58 aap-eda automation-eda-controller-worker-1[427478]: File "/usr/lib/python3.9/site-packages/aap_eda/services/project/imports.py", line 100, in sync_project
Jul 21 08:46:58 aap-eda automation-eda-controller-worker-1[427478]: repo = self._git_cls.clone(
Jul 21 08:46:58 aap-eda automation-eda-controller-worker-1[427478]: File "/usr/lib/python3.9/site-packages/aap_eda/services/project/git.py", line 132, in clone
Jul 21 08:46:58 aap-eda automation-eda-controller-worker-1[427478]: _executor(cmd)
Jul 21 08:46:58 aap-eda automation-eda-controller-worker-1[427478]: File "/usr/lib/python3.9/site-packages/aap_eda/services/project/git.py", line 179, in call
Jul 21 08:46:58 aap-eda automation-eda-controller-worker-1[427478]: logger.warning(message, e.returncode, e.cmd, e.stderr)
Jul 21 08:46:58 aap-eda automation-eda-controller-worker-1[427478]: aap_eda.services.project.git.GitError: Command '['/usr/bin/git', 'clone', '--quiet', '--depth', '1', 'https://root:[email protected]/root/rulebooks.git', '/tmp/eda-project-tyd62sso/src']' returned non-zero exit status 128.
[root@aap-eda ~]#

Expected results

Project sync

Additional information

No response

More Authentication Options for UI access

Feature type

New Feature

Feature Summary

Hello!

I am really enjoying this event driven automation controller now - however an immediate requirement I see us needing is the ability to leverage more authentication options for the UI login as opposed to just using local users. Similar to what's available in AAP (AWX in our case). AAD or even LDAP would be helpful to show our internal security departments that the application meets their requirements/standardization.

Thanks for the consideration!

Steps to reproduce

User Login - only local available

Current results

Only available to use local accounts as opposed to something like AAD which provides MFA in our case

Suggested feature result

Provide the ability to use Azure AD settings or LDAP for UI access

Additional information

No response

Service selectors don't select activation pod

Bug Summary

The service created after entering a service name in EDA uses the incorrect selectors, which cause the service not to select the pod. The additional selector on the service is created-by: eda, which does not exist on the pod.

Environment

K3s 1.29, EDA Operator deployed

Steps to reproduce

start/restart an activation

Actual results

service definition

:~# kubectl get svc -n eda-server-operator-system debug -o yaml
apiVersion: v1
kind: Service
metadata:
  creationTimestamp: "2024-04-25T11:44:32Z"
  labels:
    app: eda
    created-by: eda
    job-name: activation-job-3-15
  name: debug
  namespace: eda-server-operator-system
  resourceVersion: "504260"
  uid: 26f3d1ef-baf8-453e-aa65-8bbebbd6f71f
spec:
  clusterIP: 172.17.100.209
  clusterIPs:
  - 172.17.100.209
  internalTrafficPolicy: Cluster
  ipFamilies:
  - IPv4
  ipFamilyPolicy: SingleStack
  ports:
  - name: debug-5000
    port: 5000
    protocol: TCP
    targetPort: 5000
  selector:
    app: eda
    created-by: eda
    job-name: activation-job-3-15
  sessionAffinity: None
  type: ClusterIP
status:
  loadBalancer: {}
:~#

pod definition

:~# kubectl describe po -n eda-server-operator-system activation-job-3-15-kzxn4
Name:             activation-job-3-15-kzxn4
Namespace:        eda-server-operator-system
Priority:         0
Service Account:  default
Node:             e4c5619fc6451fc6/172.16.10.73
Start Time:       Thu, 25 Apr 2024 11:44:27 +0000
Labels:           app=eda
                  batch.kubernetes.io/controller-uid=19fbce92-dd2d-4949-9cd4-c23aa063fb63
                  batch.kubernetes.io/job-name=activation-job-3-15
                  controller-uid=19fbce92-dd2d-4949-9cd4-c23aa063fb63
                  job-name=activation-job-3-15
Annotations:      cni.projectcalico.org/containerID: 467e7f7bbbf75fe5313ae350ec0f43faec089669e4a6305c306ad666a938dac2
                  cni.projectcalico.org/podIP: 172.17.82.127/32
                  cni.projectcalico.org/podIPs: 172.17.82.127/32
Status:           Running
IP:               172.17.82.127
IPs:
  IP:           172.17.82.127
Controlled By:  Job/activation-job-3-15
Containers:
  eda-15-e3513340-5abe-4271-a8d6-9e542face962:
    Container ID:  containerd://0aac4ddc4fe8bbb0e82157210f34433addf3db3f7c83c6bb4b8695c1179f2949
    Image:         quay.io/ansible/ansible-rulebook:latest
    Image ID:      quay.io/ansible/ansible-rulebook@sha256:e12d9ef9205156bba2b03f044792dba52375844dbdcfb0e26d0c53e0695982ee
    Port:          5000/TCP
    Host Port:     0/TCP
    Command:
      ansible-rulebook
    Args:
      --worker
      --websocket-ssl-verify
      False
      --websocket-url
      ws://eda-daphne:8001/api/eda/ws/ansible-rulebook
      --websocket-access-token
      eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0b2tlbl90eXBlIjoiYWNjZXNzIiwiZXhwIjoxNzE0MDQ5MDY3LCJpYXQiOjE3MTQwNDU0NjcsImp0aSI6ImNiOWE2YTgzZWRmMDQ0OTM4NjI2OWE2ZjhjODk3ODk3IiwidXNlcl9pZCI6Mn0.evpw7A-PmdvtedJkoIm55C8YyhtZM02oIfmU5HJDqec
      --websocket-refresh-token
      eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0b2tlbl90eXBlIjoicmVmcmVzaCIsImV4cCI6MTc0NTU4MTQ2NywiaWF0IjoxNzE0MDQ1NDY3LCJqdGkiOiIxMzUyMjBjNzQ5YTg0MjM2OTlkYmE5MjEwMmE5NGRiYyIsInVzZXJfaWQiOjJ9.M9YgcZV6E42kaWA4A1n8UuJhG2SZnOizQJDRS4sZRWY
      --websocket-token-url
      http://eda-daphne:8001/api/eda/v1/auth/token/refresh/
      --id
      15
      --heartbeat
      300
      -v
    State:          Running
      Started:      Thu, 25 Apr 2024 11:44:32 +0000
    Ready:          True
    Restart Count:  0
    Environment:
      ANSIBLE_LOCAL_TEMP:  /tmp
    Mounts:
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-flnt2 (ro)
Conditions:
  Type                        Status
  PodReadyToStartContainers   True 
  Initialized                 True 
  Ready                       True 
  ContainersReady             True 
  PodScheduled                True 
Volumes:
  kube-api-access-flnt2:
    Type:                    Projected (a volume that contains injected data from multiple sources)
    TokenExpirationSeconds:  3607
    ConfigMapName:           kube-root-ca.crt
    ConfigMapOptional:       <nil>
    DownwardAPI:             true
QoS Class:                   BestEffort
Node-Selectors:              <none>
Tolerations:                 node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
                             node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:
  Type    Reason     Age   From               Message
  ----    ------     ----  ----               -------
  Normal  Scheduled  31s   default-scheduler  Successfully assigned eda-server-operator-system/activation-job-3-15-kzxn4 to e4c5619fc6451fc6
  Normal  Pulling    31s   kubelet            Pulling image "quay.io/ansible/ansible-rulebook:latest"
  Normal  Pulled     27s   kubelet            Successfully pulled image "quay.io/ansible/ansible-rulebook:latest" in 3.425s (3.425s including waiting)
  Normal  Created    27s   kubelet            Created container eda-15-e3513340-5abe-4271-a8d6-9e542face962
  Normal  Started    27s   kubelet            Started container eda-15-e3513340-5abe-4271-a8d6-9e542face962
:~#

firewall and endpoints

# iptables -nvL KUBE-SERVICES
Chain KUBE-SERVICES (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            172.17.100.209       /* eda-server-operator-system/debug:debug-5000 has no endpoints */ tcp dpt:5000 reject-with icmp-port-unreachable
:~# 
:~# 
:~# kubectl get endpoints -n eda-server-operator-system
NAME                                                     ENDPOINTS            AGE
eda-ui                                                   172.17.82.81:8080    28h
eda-server-operator-controller-manager-metrics-service   172.17.82.116:8443   31h
eda-redis-svc                                            172.17.82.114:6379   28h
eda-daphne                                               172.17.82.118:8001   28h
eda-api                                                  172.17.82.118:8000   28h
debug                                                    <none>               6m35s
:~# 

Expected results

The service contains the correct selectors for the pod it is using as an endpoint

Additional information

deploy pod details quay.io/ansible/eda-server:sha-2a1ae92b45586892fcdb9e57c22cb67a4a54acf7 2a1ae92

Publish images on quay.io that are tagged with CalVer

Feature type

Enhancement to Existing Feature

Feature Summary

Currently, only sha-*, edge, and main tags are available on quay.io: https://quay.io/repository/ansible/eda-server?tab=tags

EDA Server seems to have been tagged and released with CalVer since v2024.2.22, but there are no images that have these CalVer versions as tags.

We can find the images by referring to the commit hashes for each release, but I think it would be helpful for users if there were images that have CalVer based tags.

Steps to reproduce

See the available tags on quay.io: https://quay.io/repository/ansible/eda-server?tab=tags

Current results

No CalVer based tags

Suggested feature result

CalVer based tags are published with the releases on GitHub

Additional information

No response

Adding other SCM authentication methods

Feature type

New Feature

Feature Summary

EDA-Server should support the same authentication mechanisms to SCM (Github) as AWX, Tower, AAP, etc. The limitation of only a non-SSO Personal Access Token is a breaking item for me and my company. Since we use a Github Enterprise account with security restrictions that include direct SSO ties to Okta, I am unable to use the same Github repos for EDA content as I do for controller content.
My options are either to divide things and use a repo source outside my org, or to set up a GH action to copy content from within to outside the org.
Neither of which my boss nor InfoSec would approve of.

Steps to reproduce

Create repository, create personal access token from service account, create Project and add repo as source.

Current results

Project sync fails, in the webgui the error is:

Command '['/usr/bin/git', 'clone', '--quiet', '--depth', '1', 'https://user value here:token value [email protected]/company/aap.git', '/tmp/eda-project-4_1pndwz/src']' returned non-zero exit status 128.

Attempting to run the same command on the EDA host itself results in:

[root@aapedap01 eda]# git clone --depth 1 https://user value here:token value [email protected]/company/aap.git /tmp/eda11122
Cloning into '/tmp/eda11122'...
remote: The 'company' organization has enabled or enforced SAML SSO.
remote: To access this repository, visit https://github.com/orgs/company/sso?authorization_request=auth request string and try your request again.

Suggested feature result

Adding SCM Private key would be the silver-bullet to this issue

Additional information

No response

unable to create local directories (/.ansible/tmp) in okd

Bug Summary

Currently our github enterprise repository cannot sync with eda-server. The error we get is: Failed to clone the project: ERROR: Unable to create local directories(/.ansible/tmp): [Errno 13] Permission denied: b'/.ansible'

Environment

eda-server is deployed using eda-server-operator on okd cluster (OpenShift version 4.15.0-0.okd-2024-03-10-010116) which is running in vmware.

Steps to reproduce

See environment.
Create source control credentials first and then source control github repository.

Actual results

eda server cannot sync the github repository.
Error: Failed to clone the project: ERROR: Unable to create local directories(/.ansible/tmp): [Errno 13] Permission denied: b'/.ansible

Expected results

eda-server should be able to sync with the github repo.

Additional information

This seems to be related to the container security context in openshift environment where container is not able to create local directories(/.ansible/tmp). Is there some way to fix this?

   securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
        - ALL
      runAsNonRoot: true
      runAsUser: 1000490000
    terminationMessagePath: /dev/termination-log
    terminationMessagePolicy: File
    volumeMounts:
    - mountPath: /var/lib/eda/files
      name: eda-server-media-data
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: kube-api-access-9gvrx
      readOnly: true
  dnsPolicy: ClusterFirst
  enableServiceLinks: true
  nodeName: tst-okd-6.<>.<>
  preemptionPolicy: PreemptLowerPriority
  priority: 0
  restartPolicy: Always
  schedulerName: default-scheduler
  securityContext:
    fsGroup: 1000490000
    seLinuxOptions:
      level: s0:c22,c14
    seccompProfile:
      type: RuntimeDefault

Allow disabling SSL verification to clone project from private repository over HTTPS with self-signed certificate

Feature type

Enhancement to Existing Feature

Feature Summary

Currently, there is no feature to disable SSL verification for a remote git repository when cloning a project.

Of course, disabling SSL verification is not recommended from a security perspective, and I understand that adding certificates to the worker container's certificate store would be ideal, but disabling SSL verification for development and testing EDA/EDA Controller purposes is in demand.

For git command, an environment variable GIT_SSL_NO_VERIFY can be used to disable SSL verification.
But in the current implementation, even if we add this environment variable to the worker container, it is ignored due to the explicit env args for subprocess.run:

ENVIRON: dict = {
    "GIT_TERMINAL_PROMPT": "0",
}

return subprocess.run(
    f"{GIT_COMMAND} {args}",
    shell=True,
    check=True,
    encoding="utf-8",
    env=self.ENVIRON,
    stdout=stdout,
    stderr=stderr,
    timeout=timeout,
    cwd=cwd,
)

Steps to reproduce

  1. Deploy EDA Controller with worker that has GIT_SSL_NO_VERIFY=1 as its environment variable
  2. Push rulebooks to the remote repository that uses self-signed certificate over HTTPS
  3. Add project with the remote repository in EDA Controller
  4. Try to sync project

Current results

The project is marked as Failed with following error:

Command '/usr/bin/git clone --quiet --depth 1 https://git.example.com/gitea/example.git /tmp/eda-project-77tmgvb0/src' returned non-zero exit status 128.

The logs from worker pod:

2023-08-03 13:15:17,947 WARNING  Command returned non-zero exit status 128:
        command: /usr/bin/git clone --quiet --depth 1 https://git.example.com/gitea/example.git /tmp/eda-project-77tmgvb0/src
        stderr: fatal: unable to access 'https://git.example.com/gitea/example.git/': SSL certificate problem: self-signed certificate

I can confirm the worker container has the env and the env takes effect for invoking git clone manually in the container.

$ kubectl -n eda exec -it eda-worker-69b97bc457-pbjbf -- bash

[eda@eda-worker-69b97bc457-pbjbf src]$ env | grep GIT_SSL_NO_VERIFY
GIT_SSL_NO_VERIFY=1

[eda@eda-worker-69b97bc457-pbjbf src]$ git clone https://git.example.com/gitea/example.git
Cloning into 'example'...
remote: Enumerating objects: 1417, done.
remote: Counting objects: 100% (1417/1417), done.
remote: Compressing objects: 100% (485/485), done.
remote: Total 1417 (delta 903), reused 1407 (delta 899), pack-reused 0
Receiving objects: 100% (1417/1417), 279.88 KiB | 31.10 MiB/s, done.
Resolving deltas: 100% (903/903), done.

[eda@eda-worker-69b97bc457-pbjbf src]$ rm -rf example

# Remove env and ensure git clone is failed
[eda@eda-worker-69b97bc457-pbjbf src]$ unset GIT_SSL_NO_VERIFY
[eda@eda-worker-69b97bc457-pbjbf src]$ git clone https://git.example.com/gitea/example.git
Cloning into 'example'...
fatal: unable to access 'https://git.example.com/gitea/example.git/': SSL certificate problem: self-signed certificate

Suggested feature result

The environment variable GIT_SSL_NO_VERIFY on the worker container can take effect to clone project from the remote repository that uses self-signed certificate over HTTPS.

Additional information

While it would be best to be able to disable SSL verification on a per-project basis via the GUI, it seems easier to improve the project service to respect the environment variable GIT_SSL_NO_VERIFY if it is specified.
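
An added example, not eda-server code, of the behaviour this issue describes: an explicit env= argument to subprocess.run replaces the child's environment, so the worker's GIT_SSL_NO_VERIFY never reaches git. The names build_git_env, child_sees, TRUST_VARS and the allow_insecure switch are assumptions for illustration; the helper forwards a CA bundle through git's GIT_SSL_CAINFO / GIT_SSL_CAPATH by default and forwards GIT_SSL_NO_VERIFY only on explicit opt-in.

```python
import os
import subprocess
import sys
import tempfile

# The fixed environment quoted in the issue: nothing else reaches git.
BASE_ENV = {"GIT_TERMINAL_PROMPT": "0"}

# Hypothetical allowlist: TLS trust settings that git itself reads.
TRUST_VARS = ("GIT_SSL_CAINFO", "GIT_SSL_CAPATH")
INSECURE_VAR = "GIT_SSL_NO_VERIFY"


def build_git_env(parent_env, allow_insecure=False):
    """Return the environment for the git child process.

    Starts from the fixed base, forwards CA trust settings that point at
    an existing path, and forwards GIT_SSL_NO_VERIFY only when the caller
    opts in. Every other variable of the worker is dropped.
    """
    env = dict(BASE_ENV)
    for name in TRUST_VARS:
        path = parent_env.get(name)
        # Skip paths that do not exist so a typo cannot change git's trust store.
        if path and os.path.exists(path):
            env[name] = path
    # Verification is switched off only if the operator set the variable
    # on the worker AND the calling code asked for it (for example per project).
    if allow_insecure and INSECURE_VAR in parent_env:
        env[INSECURE_VAR] = parent_env[INSECURE_VAR]
    return env


def child_sees(name, env):
    """Run a child process with exactly `env` and return its value of `name`."""
    code = "import os, sys; sys.stdout.write(os.environ.get(sys.argv[1], '<unset>'))"
    result = subprocess.run(
        [sys.executable, "-c", code, name],
        env=env,  # replaces the inherited environment, as in the quoted code
        check=True,
        encoding="utf-8",
        stdout=subprocess.PIPE,
    )
    return result.stdout


if __name__ == "__main__":
    # Constructed worker environment: an empty temp file stands in for a CA bundle.
    with tempfile.NamedTemporaryFile(suffix=".pem") as ca:
        worker_env = {
            "GIT_SSL_NO_VERIFY": "1",
            "GIT_SSL_CAINFO": ca.name,
            "UNRELATED_SECRET": "constructed-value",
        }
        strict = build_git_env(worker_env)
        loose = build_git_env(worker_env, allow_insecure=True)
        print("fixed env      :", child_sees(INSECURE_VAR, BASE_ENV))
        print("strict, no-vrfy:", child_sees(INSECURE_VAR, strict))
        print("strict, cainfo :", child_sees("GIT_SSL_CAINFO", strict))
        print("opt-in, no-vrfy:", child_sees(INSECURE_VAR, loose))
        print("secret leaked  :", "UNRELATED_SECRET" in loose)
```

With the CA bundle forwarded, a clone from a host with a self-signed certificate can succeed while verification stays on, which is the preferred setup the issue itself mentions.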

Option to use a Proxy when connecting to Github - Looking for more ways to source rulebooks

Feature type

Enhancement to Existing Feature

Feature Summary

A field/option (either in the UI, or a parameter offered via the inventory file) to use a proxy to fetch/source Github projects. We use similar functionality with AAP already, however after setting up an instance of EDA we are unable to source projects outside of our internal infrastructure due to firewall rulings.

Steps to reproduce

Trying to source rulebooks from Github results in a timeout due to firewall rules that we're unable to work around without the use of a proxy.

Current results

We're unable to use EDA due to limited options to source rulebooks.

Suggested feature result

The ability for us to use rulebooks :)

Additional information

No response

Rulebook Activation failing with - Unclosed client session

Bug Summary

After deploying the eda server with k8s eda-server-operator, there are no issues, I am able to configure the token, credentials, project, etc.
But the Rulebook Activation fails with the error:

ansible_rulebook.cli - ERROR - Terminating Expecting value: line 1 column 1 (char 0)

Environment

Deployed on microk8s:

kubectl version
Client Version: v1.28.3
Server Version: v1.28.3

Steps to reproduce

Using Single-Command Installation Guide from https://github.com/ansible/eda-server-operator.

Actual results

2024-02-06 13:48:47,189 Creating Job
2024-02-06 13:48:47,197 Image URL is registry.redhat.io/ansible-automation-platform-24/de-supported-rhel8:1.0.3-27
2024-02-06 13:48:47,202 Container args ['--worker', '--websocket-ssl-verify', 'False', '--websocket-address', 'ws://eda-daphne:8001/api/eda/ws/ansible-rulebook', '--id', '11', '--heartbeat', '300', '-v']
2024-02-06 13:49:21,503 Job activation-job-4-11 is running
2024-02-06 13:49:15,410 - ansible_rulebook.app - INFO - Starting worker mode
2024-02-06 13:49:15,410 - ansible_rulebook.websocket - INFO - websocket ws://eda-daphne:8001/api/eda/ws/ansible-rulebook connecting
2024-02-06 13:49:15,457 - ansible_rulebook.websocket - INFO - websocket ws://eda-daphne:8001/api/eda/ws/ansible-rulebook connected
2024-02-06 13:49:15,536 - ansible_rulebook.job_template_runner - INFO - Attempting to connect to Controller https://eda.mydevenvironment.test.com
2024-02-06 13:49:15,618 - ansible_rulebook.cli - ERROR - Terminating Expecting value: line 1 column 1 (char 0)
2024-02-06 13:49:15,668 - asyncio - ERROR - Unclosed client session
client_session: <aiohttp.client.ClientSession object at 0x7fd1c87524f0>
2024-02-06 13:49:15,668 - asyncio - ERROR - Unclosed connector
connections: ['[(<aiohttp.client_proto.ResponseHandler object at 0x7fd1c76410a0>, 603289.689777)]']
connector: <aiohttp.connector.TCPConnector object at 0x7fd1c8489310>
2024-02-06 13:49:38,908 Secret activation-secret-4 is deleted.
2024-02-06 13:49:39,950 Service activation-job-4-11-9092 is deleted.
2024-02-06 13:49:40,012 Job activation-job-4-11 is cleaned up.
2024-02-06 13:49:40,016 Activation failed. It will attempt to restart (1/5) in 60 seconds according to the restart policy on-failure.It may take longer if there is no capacity available.
2024-02-06 13:49:40,075 Job for activation-job-4-11 has been removed.
2024-02-06 13:49:40,080 Job activation-job-4-11 is cleaned up.

Expected results

Rulebook Activation success.

Additional information

No response

EDA-server doesn't parse conditions the same exact way as ansible-rulebook

Bug Summary

When writing conditions that use mixed notation in the form of dot notation and bracket notation, the eda-server parser will throw an error and fail to start the rulebook activation, while the ansible-rulebook CLI interface will accept and parse the condition, and start the rulebook activation.

Environment

Server and Workstation: RHEL 8.8

ansible-rulebook: 1.0.5

Automation Platform: 2.4

Steps to reproduce

Create a rulebook that contains a condition that uses mixed notation and run it through ansible-rulebook and eda-server. An example of mixed notation would look like, event.payload.changes[0].ref.displayId == 'dev'

Actual results

The eda-server parser identifies an error at the start of the bracket notation and doesn't start the rulebook activation.

ansible_rulebook.cli - ERROR - Terminating Error parsing: event.payload.changes[0].ref.displayId == 'dev'. Expected end of text, found '[' (at char 21), (line:1, col:22)

Expected results

The rulebook should start in eda-server like it does for ansible-rulebook.

Additional information

No response
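As an added illustration (not eda-server or ansible-rulebook code), here is a small stand-alone parser that accepts dot and bracket notation mixed in one operand and resolves it against an event. The function names and the sample event are constructed for this example.

```python
import re

_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
# [0]  or  ['key']  or  ["key"]
_BRACKET = re.compile(r"""\[(?:(?P<index>\d+)|(?P<q>['"])(?P<key>[^'"\]]+)(?P=q))\]""")
MISSING = object()  # sentinel: the path does not exist in the event


def parse_path(path):
    """Split an operand such as event.a.b[0].c into ['event', 'a', 'b', 0, 'c']."""
    first = _NAME.match(path)
    if not first:
        raise ValueError(f"expected a name at char 0 in {path!r}")
    segments, pos = [first.group(0)], first.end()
    while pos < len(path):
        m = None
        if path[pos] == ".":                      # dot notation: .name
            m = _NAME.match(path, pos + 1)
            if m:
                segments.append(m.group(0))
        elif path[pos] == "[":                    # bracket notation: [0] / ['key']
            m = _BRACKET.match(path, pos)
            if m:
                idx = m.group("index")
                segments.append(int(idx) if idx is not None else m.group("key"))
        if not m:                                 # anything else is malformed
            raise ValueError(f"unexpected input at char {pos} in {path!r}")
        pos = m.end()
    return segments


def resolve(context, path):
    """Walk the parsed path; return MISSING instead of raising on absent data."""
    node = context
    for seg in parse_path(path):
        if isinstance(seg, int):
            if not isinstance(node, list) or seg >= len(node):
                return MISSING
        elif not isinstance(node, dict) or seg not in node:
            return MISSING
        node = node[seg]
    return node


# Constructed sample event shaped like the condition in the report.
SAMPLE = {"event": {"payload": {"changes": [{"ref": {"displayId": "dev"}}]}}}

if __name__ == "__main__":
    print(resolve(SAMPLE, "event.payload.changes[0].ref.displayId") == "dev")
```

Running the same operand list through every component that parses conditions, in CI, catches this kind of parser disagreement before a rulebook reaches the server.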

Test quality of life change - show traceback for 500 server errors

Please confirm the following

  • I agree to follow this project's code of conduct.
  • I have checked the current issues for duplicates.
  • I understand that EDA-Controller is open source software provided for free and that I might not receive a timely response.

Feature type

Enhancement to Existing Feature

Feature Summary

Make it easier to debug the source of errors when running tests.

Steps to reproduce

Force a python exception to be thrown inside of a request, like when using the user_client fixture or other similar fixtures. Then run it, get the failure, and observe that a 500 server error happened.

Current results

We can observe a 500 response code, but we do not get a traceback.

Suggested feature result

Tests print the traceback.

Additional information

The source of the issue has been identified that the DEBUG setting is True during tests. This is uncommon, and undesirable.

We have been occasionally hacking this by applying @override_settings(DEBUG=True) to individual tests.

It would be better to change this globally, specific to whenever tests are being run. I struggled to do this, because eda-server seems to be using some extra settings libraries that I don't follow the mechanics of.

Rulebook restart within kubernetes causes rulebooks to become unavailable

Please confirm the following

  • I agree to follow this project's code of conduct.
  • I have checked the current issues for duplicates.
  • I understand that EDA-Controller is open source software provided for free and that I might not receive a timely response.

Bug Summary

Restarting a rulebook activation has two issues:

  • if using kubernetes ingress, you must re-deploy the ingress as the service name has changed

  • cluster-internal traffic that uses the service name for rulebook access will also lose access to the rulebook as the address has changed, specifically in this case the service name.

Environment

Kubernetes

Steps to reproduce

  1. start a rulebook activation
  2. check service name kubectl get svc -n <namespace>
  3. note name
  4. restart rulebook activation
  5. check service name kubectl get svc -n <namespace>
  6. bam!!! service name different

Actual results

Service details before restart

root@7dd5f0bf32b32b93:/home/deploy# kubectl get svc -n eda
NAME                                                     TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)    AGE
activation-job-6-16-5003                                 ClusterIP   172.16.41.108   <none>        5003/TCP   6m40s
eda-api                                                  ClusterIP   172.16.41.45    <none>        8000/TCP   3d
eda-daphne                                               ClusterIP   172.16.41.171   <none>        8001/TCP   3d
eda-postgres-13                                          ClusterIP   None            <none>        5432/TCP   3d
eda-redis-svc                                            ClusterIP   172.16.40.199   <none>        6379/TCP   3d
eda-server-operator-controller-manager-metrics-service   ClusterIP   172.16.40.153   <none>        8443/TCP   11d
eda-ui                                                   ClusterIP   172.16.41.34    <none>        80/TCP     3d
root@7dd5f0bf32b32b93:/home/deploy# 
root@7dd5f0bf32b32b93:/home/deploy# 
root@7dd5f0bf32b32b93:/home/deploy# kubectl get svc -n eda activation-job-6-16-5003 -o yaml
apiVersion: v1
kind: Service
metadata:
  creationTimestamp: "2024-01-19T18:09:20Z"
  labels:
    app: eda
    job-name: activation-job-6-16
  name: activation-job-6-16-5003
  namespace: eda
  resourceVersion: "5870150"
  uid: 780deb98-8f1a-4f15-b843-2437bfddf2b6
spec:
  clusterIP: 172.16.41.108
  clusterIPs:
  - 172.16.41.108
  internalTrafficPolicy: Cluster
  ipFamilies:
  - IPv4
  ipFamilyPolicy: SingleStack
  ports:
  - port: 5003
    protocol: TCP
    targetPort: 5003
  selector:
    app: eda
    job-name: activation-job-6-16
  sessionAffinity: None
  type: ClusterIP
status:
  loadBalancer: {}

Service details post restart

root@7dd5f0bf32b32b93:/home/deploy# kubectl get svc -n eda
NAME                                                     TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)    AGE
activation-job-6-17-5003                                 ClusterIP   172.16.41.68    <none>        5003/TCP   11s
eda-api                                                  ClusterIP   172.16.41.45    <none>        8000/TCP   3d
eda-daphne                                               ClusterIP   172.16.41.171   <none>        8001/TCP   3d
eda-postgres-13                                          ClusterIP   None            <none>        5432/TCP   3d
eda-redis-svc                                            ClusterIP   172.16.40.199   <none>        6379/TCP   3d
eda-server-operator-controller-manager-metrics-service   ClusterIP   172.16.40.153   <none>        8443/TCP   11d
eda-ui                                                   ClusterIP   172.16.41.34    <none>        80/TCP     3d
root@7dd5f0bf32b32b93:/home/deploy# kubectl get svc -n eda activation-job-6-17-5003 -o yaml
apiVersion: v1
kind: Service
metadata:
  creationTimestamp: "2024-01-19T18:39:58Z"
  labels:
    app: eda
    job-name: activation-job-6-17
  name: activation-job-6-17-5003
  namespace: eda
  resourceVersion: "5886550"
  uid: 5acb12fa-6799-406d-8716-b77c8b7b1c37
spec:
  clusterIP: 172.16.41.68
  clusterIPs:
  - 172.16.41.68
  internalTrafficPolicy: Cluster
  ipFamilies:
  - IPv4
  ipFamilyPolicy: SingleStack
  ports:
  - port: 5003
    protocol: TCP
    targetPort: 5003
  selector:
    app: eda
    job-name: activation-job-6-17
  sessionAffinity: None
  type: ClusterIP
status:
  loadBalancer: {}
root@7dd5f0bf32b32b93:/home/deploy# 

Expected results

That the service name used for the rulebook activation remains the same. In addition that there also be service labels that remain the same for the service per rulebook so that kubernetes label selectors work.

Additional information

Service name appears to use the format activation-job-<job-id>-<activation number>-<port>, i.e. activation-job-6-16-5003. Dropping the information that is not relevant, <activation number> and <port>, would fix 99% of the crux of this issue. This useless "service name" information is better suited to an annotation.

discover rulebooks from both paths (or document first path found and implications)

Please confirm the following

  • I agree to follow this project's code of conduct.
  • I have checked the current issues for duplicates.
  • I understand that EDA-Controller is open source software provided for free and that I might not receive a timely response.

Feature type

Enhancement to Existing Feature

Feature Summary

When importing a project into EDA server, your project may contain the following paths

  • ./extensions/eda/rulebooks
  • ./rulebooks

On import, if EDA server detects the first path, it attempts to import rulebooks in that path but then ignores the second path. Hence, if the first path was empty (e.g. a placeholder), EDA would fail to import any rulebooks defined in ./rulebooks

Steps to reproduce

  1. Create a rulebook project with these paths present, ensuring the first path is absent of any rulebooks.
  2. Place rulebooks in the second path (e.g. ./rulebooks).
  3. Import the project to EDA server
  4. Try to create an Activation
  5. Discover that none of the rulebooks defined in ./rulebooks are present
  6. Delete the ./extensions/eda/rulebooks path in your project
  7. Commit/push your project
  8. Sync the project in EDA
  9. Try to create an Activation
  10. Discover that the rulebooks defined in ./rulebooks are now available

Current results

./rulebooks directory is ignored if ./extensions/eda/rulebooks directory is present.

Suggested feature result

Either import rulebooks from both paths or provide concise documentation explaining this situation.

Additional information

No response

HTTP for websocket instead of HTTPS?

Please confirm the following

  • I agree to follow this project's code of conduct.
  • I have checked the current issues for duplicates.
  • I understand that EDA-Controller is open source software provided for free and that I might not receive a timely response.

Bug Summary

Possibly a bug, but definitely a question:
If eda-server makes use of SSL on the websocket, is it possible to specify the websocket SSL cert file? Or perhaps give the option to remove SSL from the websocket entirely?

Environment

RHEL9
AAP 2.4
EDA (from 2.4-6 installer)

Steps to reproduce

During rulebook activations, if using any cert other than the built-in self-signed ones (/etc/ansible-automation-platform/eda/server.cert), the underlying ansible-rulebook process breaks due to an SSL name mismatch.

Actual results

Rulebook activation fails with:

2024-03-26 18:35:30,773 Pulling image registry.redhat.io/ansible-automation-platform-24/de-supported-rhel8:latest

2024-03-26 18:35:32,808 Starting Container

2024-03-26 18:35:32,818 Container args ['ansible-rulebook', '--worker', '--websocket-ssl-verify', 'yes', '--websocket-url', 'wss://host.containers.internal:443/api/eda/ws/ansible-rulebook', '--websocket-access-token', '******', '--websocket-refresh-token', '******', '--websocket-token-url', 'https://host.containers.internal:443/api/eda/v1/auth/token/refresh/', '--id', '1105', '--heartbeat', '300', '-v']

2024-03-26 18:35:33,026 Container 2f46ac6d107c5a10bdc677a56d037ab6dc616feb48e0e731b5d98757d724c309 is started.

2024-03-26 18:35:33,810 - ansible_rulebook.app - INFO - Starting worker mode

2024-03-26 18:35:33,810 - ansible_rulebook.websocket - INFO - websocket wss://host.containers.internal:443/api/eda/ws/ansible-rulebook connecting

2024-03-26 18:35:33,827 - ansible_rulebook.cli - ERROR - Terminating [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Hostname mismatch, certificate is not valid for 'host.containers.internal'. (_ssl.c:1129)

2024-03-26 18:35:35,129 Container 2f46ac6d107c5a10bdc677a56d037ab6dc616feb48e0e731b5d98757d724c309 is cleaned up.

2024-03-26 18:35:35,141 Pod 2f46ac6d107c5a10bdc677a56d037ab6dc616feb48e0e731b5d98757d724c309 exited with code 1. Activation failed. It will attempt to restart (1/5) in 60 seconds according to the restart policy on-failure.It may take longer if there is no capacity available.

2024-03-26 18:39:05,653 Restart requested by user. 

Expected results

Rulebook activates successfully.

Additional information

Something has changed between AAP installed 2.4-1 and 2.4-6 in that the former created self-signed certs for the websocket (/etc/ansible-automation-platform/eda/websocket.cert). Now, however, it seems the url 'host.containers.internal' was added as an Alt name to the server.cert file.
This effectively breaks any usage of a public certificate on the EDA host.
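The hostname mismatch reported above can be checked before deployment. The following added example (not part of the report or of the EDA code base) tests whether a certificate's subjectAltName entries cover every host the worker is told to connect to, with verification left enabled. The certificate dictionaries are constructed, in the shape Python's `ssl.SSLSocket.getpeercert()` returns, and `eda.example.com` is a placeholder name.

```python
import ipaddress
from urllib.parse import urlsplit


def _dns_match(pattern, hostname):
    """RFC 6125 style match: '*' is honoured only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or not h[0]:
        return False
    if p[0] == "*":
        # A wildcard covers exactly one label and needs two labels after it.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def san_covers(cert, hostname):
    """True if any subjectAltName entry in `cert` is valid for `hostname`."""
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    for kind, value in cert.get("subjectAltName", ()):
        if ip is not None:
            if kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return True
        elif kind == "DNS" and _dns_match(value, hostname):
            return True
    return False


def uncovered_endpoints(cert, urls):
    """Hostnames taken from `urls` that the certificate is not valid for."""
    hosts = {urlsplit(u).hostname for u in urls}
    return sorted(h for h in hosts if h and not san_covers(cert, h))


# URLs copied from the "Container args" log line in the report.
WORKER_URLS = [
    "wss://host.containers.internal:443/api/eda/ws/ansible-rulebook",
    "https://host.containers.internal:443/api/eda/v1/auth/token/refresh/",
]
# Constructed certificates: one with only a public name, one that also
# lists the container-internal name as a SAN.
PUBLIC_CERT = {"subjectAltName": (("DNS", "eda.example.com"),)}
COMBINED_CERT = {"subjectAltName": (("DNS", "eda.example.com"),
                                    ("DNS", "host.containers.internal"))}

if __name__ == "__main__":
    print("public cert misses:", uncovered_endpoints(PUBLIC_CERT, WORKER_URLS))
    print("combined cert misses:", uncovered_endpoints(COMBINED_CERT, WORKER_URLS))
```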

Question \ FR - Ability to assign static Pod\Service\Job names to RuleBook Activations (K8s)

Please confirm the following

  • I agree to follow this project's code of conduct.
  • I have checked the current issues for duplicates.
  • I understand that EDA-Controller is open source software provided for free and that I might not receive a timely response.

Feature type

Enhancement to Existing Feature

Feature Summary

Currently when a RuleBook Activation is created and enabled a default name is generated based on its internal ID and given to the created Pod, Service and Job Objects inside a K8s clusters.

When there is a use-case where a user wants to have a central, long-lived and unique RuleBook Activation, it would be nice if it could have some control over the generated Service Object name. This would make it much easier to create default Ingress\Mappings to expose the RuleBook endpoint.

Currently the RuleBook Activation always needs to be manually created first, and then we can see the generated name for the service so they can be later exposed outside of the cluster.

Steps to reproduce

Create a RuleBook Activation.
See the generated Pod, Service and Job names.

Current results

Pod, Service and Job Names follow the following naming convention:

  • Pod: activation-job-<ID>-XXX
  • Service: activation-job-<ID>-<PORT>
  • Job: activation-job-<ID>

Suggested feature result

Add the ability to statically define the generated resource names (at least Service) in the RuleBook Activation page, and have that name be used for the generated Service Object instead.

Additional information

No response

Publish contents of /docs folder to Read The Docs as an Ansible ecosystem project

Please confirm the following

  • I agree to follow this project's code of conduct.
  • I have checked the current issues for duplicates.
  • I understand that EDA-Controller is open source software provided for free and that I might not receive a timely response.

Feature type

Enhancement to Existing Feature

Feature Summary

There are multiple files in the /docs folder but no docsite to publish them for users :-)

Would like to see this published to ReadTheDocs (and I volunteer to give it a try if y'all are okay with that)

Steps to reproduce

none

Current results

All docs must be read from GitHub source

Suggested feature result

Docs will be visible from a link on https://docs.ansible.com/ecosystem.html.

Additional information

No response

Add Organizations and ContainerGroups to EDA Server

Please confirm the following

  • I agree to follow this project's code of conduct.
  • I have checked the current issues for duplicates.
  • I understand that EDA-Controller is open source software provided for free and that I might not receive a timely response.

Feature type

New Feature

Feature Summary

Add Organizations to the EDAServer to allow multiple teams to use the tool.
Add the option to specify Container Groups for each organization, a resource which, like in AWX, will allow us to specify the namespace and resources for the decision environment pods.

Steps to reproduce

You will be able to create via the UI the organizations and instance/container groups as an admin user

Current results

Currently all the decision environment pods are created with built in resources and in the namespace the eda server is deployed in.

Suggested feature result

You can specify for users in a certain organization which namespaces/resources the decision environment pods they create are created in.

Additional information

No response
