Comments (5)
I'm experiencing this too with Ansible's Kubernetes plugin. They do mention there is a validation bug. But I am hitting the same problem with validation turned off.
https://docs.ansible.com/ansible/kubernetes_module.html
from ansible-vault.
root cause
via IRC:
the virtualenv we install ansible in to is constructed with system python, which uses apple's bad openssl; pyopenssl is installed and configured against homebrew's openssl but doesn't automatically replace the stdlib ssl module. requests should be using it; things in the stdlib probably are not.
Sadly ansible & therefore `vault.py` is at the mercy of this arcane mess, and effectively pulls in the crippled OSX OpenSSL, `OpenSSL 0.9.8zh 14 Jan 2016`, instead of the desired brewed version `OpenSSL 1.0.2h 3 May 2016` that we need to have TLS1.2 support.
solution
- in `/usr/local/Library/Taps/homebrew/homebrew-core/Formula/ansible.rb` L20 change to depend on brewed python 100% of the time: `depends_on :python` and not just for snow leopard
- rebuild the dependencies from source

```
brew update
brew upgrade openssl
brew cleanup
brew rm --force python ansible
brew install --build-from-source python
brew install --build-from-source ansible
```
In `vault.py` we need a single change, just after generating the context in https://github.com/jhaals/ansible-vault/blob/master/vault.py#L66 :

```
# homebrew's ansible setup is quirky so let's lock to TLS1.2 only
# https://docs.python.org/dev/library/ssl.html
context.options = ssl.PROTOCOL_TLSv1_2
```

The issue is that for users with a different SSL, this might actually be `ssl.PROTOCOL_TLS` or `ssl.PROTOCOL_SSLv23` instead for older ones. I don't know if using `ssl.OPENSSL_VERSION` as a string to check against is sensible, any better suggestions?
from ansible-vault.
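One way to handle the version question raised in the comment above, as an added example that is not code from the thread or from ansible-vault: detect TLS 1.2 capability from the `ssl` module itself instead of matching the `ssl.OPENSSL_VERSION` string, and enforce the floor through `minimum_version` or the `OP_NO_*` option bits (`context.options` is a bitmask of `ssl.OP_*` flags). The function names and the use of `ssl.create_default_context()` are assumptions; `vault.py` may build its context differently.

```python
import ssl

# Option bits that switch off every protocol older than TLS 1.2.
LEGACY_OFF = ("OP_NO_SSLv2", "OP_NO_SSLv3", "OP_NO_TLSv1", "OP_NO_TLSv1_1")


def supports_tls12():
    """Report whether the OpenSSL this interpreter is linked against has TLS 1.2."""
    # HAS_TLSv1_2 exists on Python 3.7+; older interpreters only define
    # PROTOCOL_TLSv1_2 when the linked library offers it.
    has_flag = getattr(ssl, "HAS_TLSv1_2", hasattr(ssl, "PROTOCOL_TLSv1_2"))
    # TLS 1.2 arrived in OpenSSL 1.0.1, so 0.9.8zh fails this tuple comparison.
    return bool(has_flag) and ssl.OPENSSL_VERSION_INFO >= (1, 0, 1)


def tls12_context(cafile=None):
    """Build a verifying client context that refuses anything below TLS 1.2."""
    if not supports_tls12():
        raise RuntimeError("%s cannot negotiate TLS 1.2" % ssl.OPENSSL_VERSION)
    context = ssl.create_default_context(cafile=cafile)
    if hasattr(context, "minimum_version"):
        # Newer Python/OpenSSL builds: set the protocol floor directly.
        context.minimum_version = ssl.TLSVersion.TLSv1_2
    else:
        # Older builds: OR in the OP_NO_* bits that this ssl module defines.
        for name in LEGACY_OFF:
            context.options |= getattr(ssl, name, 0)
    return context


if __name__ == "__main__":
    # Quick diagnostic for the "which OpenSSL did my virtualenv pick up" case.
    print(ssl.OPENSSL_VERSION, "TLS 1.2 capable:", supports_tls12())
```

Running the file directly inside the virtualenv that hosts ansible shows which OpenSSL the stdlib `ssl` module is really linked against.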
@bernielomax I am pretty sure your certificate validation issue in kubernetes is unrelated BTW
from ansible-vault.
https://github.com/Homebrew/brew-evolution/pull/12 hopefully should resolve this in future
from ansible-vault.
I've installed python via brew, then installed pip via sudo easy_install:

```
sudo easy_install pip
```
from ansible-vault.