Support pulling certs from alternative sources #461
Comments
So instead of get_url on each host we think it would be a nice feature to be able to This would be a relatively quick and also backward compatible way, easily manageable with a new variable or even with a fallback block scenario. Edit: for example our modified pkg-redhat.yml
👋 hi, so this is an interesting problem and I understand that you need to solve it. I've actually recently merged #475 which is technically going against the solution you propose here. I'll take a closer look at what we might be able to do and post a proposal here.
After taking a closer look, we can definitely still implement this even after merging #475 - we can just add a block (like the one that you showed in your example) that will fetch the keys with the condition Just a small question here to make sure I properly understand - IIUC you have intermediary repositories set up somewhere in your infrastructure that these "offline" servers can access for package downloads. Would it be possible for you to create a simple intermediary storage where you would also put the keys and override the I'm happy to implement the functionality if the answer to the above question is "we can't do that", I'm just curious if you've considered it. Thanks!
@rockaut Did you find a way to make it work for you? Can we close this? EDIT: Renamed the issue to give it a possibly more representative name.
Just a quick answer because I'm on vacation currently :D
Yes this can be closed. Sorry, I wasn't aware it's still open. In fact this was solved some releases of the role ago with another change.
…________________________________
From: Alex Lopez ***@***.***>
Sent: Monday, July 22, 2024 12:04:50 PM
To: DataDog/ansible-datadog ***@***.***>
Cc: Markus Fischbacher ***@***.***>; Mention ***@***.***>
Subject: Re: [DataDog/ansible-datadog] Agent installation fails on pulling certs (Issue #461)
@rockaut<https://github.com/rockaut> Did you find a way to make it work for you? Can we close this?
Thanks for the update! I'll close it, then.
We already have a case (Nr. 1022982) open for this one.
We have a lot of servers which aren't allowed to have direct access to "the interwebs". For package installations we have intermediate repositories to work around this, which works great in combination with the role. But not for the certificates. Currently the role always tries to pull the certs from Amazon S3 (or keys.datadog.com which is still S3) - and it's just not viable to whitelist those addresses!
We thought that setting the variables:
would help but the just the yum/dnf repo options to false. The role will still try to fetch the certs which in turn then fails and the whole role/installation fails.
So it would be great if the role might skip the cert-fetch maybe with a new variable or respecting the already present variables.
Or even better: if the role would not only accept URLs from where to pull the certs but instead:
Edit: the problem for us as we currently use RHEL lies in the four tasks starting from (
ansible-datadog/tasks/pkg-redhat.yml
Line 28 in 3bb392d