
feat: Secure credential management with automatic vault encryption#442

Open
balajikumaran-c-s wants to merge 17 commits into dell:automation-v2.2.0.0 from balajikumaran-c-s:automation-v2.2.0.0

Conversation

@balajikumaran-c-s balajikumaran-c-s commented Jun 23, 2026

Contributor

🎯 Overview

This PR implements comprehensive secure credential management by separating sensitive data from configuration files and providing automatic Ansible Vault encryption.

🔧 Key Features

1. 🔐 Credential Separation

  • omnia_test_config.yml: Non-sensitive settings (IPs, paths, options)
  • omnia_test_credentials.yml: Sensitive passwords (SSH, container, LDAP)
  • Clear separation prevents accidental exposure of credentials

2. 🔒 Automatic Vault Encryption

  • Plain text credentials are automatically encrypted on first Molecule run
  • Vault key is auto-generated if missing (.omnia_test_credentials.key)
  • Smart decrypt → use → re-encrypt cycle during test execution
  • All credential operations use no_log: true for security

3. 📁 Credentials File Structure

```yaml
# SSH Credentials
oim_ssh_password: ""          # OIM server SSH (remote mode)
omnia_core_password: ""       # Container SSH (port 2222)

# LDAP Credentials
ldap_credentials: ""                    # Cluster login tests
external_ldap_bind_username: ""        # External LDAP auth
external_ldap_bind_password: ""        # External LDAP auth
```



4. 🔄 Module Updates

- Provision module: LDAP bind credentials from credentials file
- Apptainer module: LDAP user credentials from credentials file
- Slurm module: Already compliant (reference implementation)

5. 🚀 omnia.sh Install/Uninstall via pytest

- Moved omnia.sh installation from converge.yml to pytest test cases
- Supports both Local and NFS storage options
- Internal NFS server setup for testing
- Background execution with progress tracking

6. 📚 Documentation Updates

- README.md: Added credentials file documentation, updated Quick Start
- rules.md: Added load_omnia_test_credentials() to core function catalog

7. 🛠️ Bug Fixes

- Fixed ansible-lint risky-shell-pipe error with set -o pipefail
- Fixed credential loading in setup_inventory.yml
- Fixed sync_project_default.yml password references

- Add omnia_test_credentials.yml to gitignore (contains passwords)
- Add .backups/ directory to gitignore (contains sensitive backups)
- Create omnia_test_credentials.yml for sensitive data (passwords)
- Clean omnia_test_config.yml with no sensitive information
- Add proper documentation for LDAP credentials usage
- Update provision module to load LDAP bind credentials from credentials file
- Update apptainer module to load LDAP user credentials from credentials file
- Fix setup_inventory.yml with better error handling for missing vault keys
- Fix sync_project_default.yml to use omnia_core_password from credentials
- All LDAP sensitive data now properly separated from config
- Clear all password fields in omnia_test_credentials.yml
- File ready for users to fill with their actual credentials
- Should be encrypted with ansible-vault before use
Signed-off-by: balajikumaran.cs <balajikumaran.cs@dellteam.com>
Signed-off-by: balajikumaran.cs <balajikumaran.cs@dellteam.com>
- Add logic to encrypt plain text omnia_test_credentials.yml files
- Create vault key automatically if it doesn't exist
- Complete encrypt/decrypt cycle: detect → decrypt → use → re-encrypt
- Handle both encrypted and plain text credentials seamlessly
- All molecule tests now automatically encrypt credentials on first run
- Fix ansible-lint risky-shell-pipe error in setup_inventory.yml
- Update README.md with credentials file documentation
- Update rules.md with load_omnia_test_credentials function
- Document automatic vault encryption for credentials
@balajikumaran-c-s balajikumaran-c-s changed the title Automation v2.2.0.0 feat: Secure credential management with automatic vault encryption Jun 25, 2026
Files using sync_project_default.yml require omnia_test_credentials
to be passed from localhost play to oim_server play for rsync auth.

Updated files:
- molecule/build_image_aarch64/converge.yml
- molecule/build_image_x86_64/converge.yml
- molecule/discovery/converge.yml
- molecule/local_repo/converge.yml
- molecule/one_shot_log_extraction/converge.yml
- molecule/prepare_oim/converge.yml
- molecule/provision/converge.yml
- molecule/telemetry/converge.yml
@balajikumaran-c-s balajikumaran-c-s marked this pull request as ready for review June 29, 2026 10:52
- Add auto-encryption of omnia_test_credentials.yml in pytest_sessionstart
- Ensures credentials are encrypted when running 'verify' only
- Remove verbose pytest options (-v --tb=short -s) from run_molecule.sh
- Fix omnia_test_credentials passthrough in all converge.yml files

Files changed:
- molecule/conftest.py: Add auto-encryption hook
- run_molecule.sh: Remove verbose options
- molecule/*/converge.yml: Add credentials passthrough
- Remove --delete flag from rsync in sync_project_default.yml
- Prevents deletion of config/ folder and other container-generated files
- Now only syncs/updates files from dataset to container
- Preserves: config/, secret.yaml, values.yaml, vault keys
- More scalable approach - any new dataset files sync automatically
Signed-off-by: balajikumaran.cs <balajikumaran.cs@dellteam.com>
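The detect → encrypt → use cycle and the `pytest_sessionstart` auto-encryption hook described above, written out as an added example. This is not code from the PR or from the Omnia project; it reuses only the file names the PR mentions (`omnia_test_credentials.yml`, `.omnia_test_credentials.key`). It assumes the `ansible-vault` CLI is on PATH (used only by `encrypt_in_place` and `read_decrypted`), POSIX file modes, and pytest's `session.config.rootpath` (pytest 6.1 or later); the sample credentials file and vault envelope in `offline_self_check` are constructed. It deliberately goes one step beyond the PR's decrypt → use → re-encrypt cycle: the key file is created atomically with `O_EXCL` and mode 0600, and the plaintext is read into memory with `ansible-vault view` instead of being decrypted onto disk, so an aborted run cannot leave a plaintext credentials file behind.

```python
"""Vault-at-rest helpers for a Molecule/pytest credentials file.

Added example, not code from the PR under discussion. `ansible-vault` on
PATH is assumed only by encrypt_in_place() and read_decrypted(); the
detection, key-generation and state logic are pure Python and run offline.
"""
import os
import secrets
import shutil
import subprocess
import tempfile
from pathlib import Path

VAULT_MAGIC = b"$ANSIBLE_VAULT;"   # first bytes of every vault envelope, any version/cipher


def is_vault_encrypted(data: bytes) -> bool:
    """Same test ansible itself applies: the stripped payload starts with the magic header."""
    return data.strip().startswith(VAULT_MAGIC)


def vault_state(path: Path) -> str:
    """Classify a credentials file as 'missing', 'encrypted' or 'plaintext'."""
    if not path.is_file():
        return "missing"
    return "encrypted" if is_vault_encrypted(path.read_bytes()) else "plaintext"


def ensure_vault_key(key_path: Path) -> bytes:
    """Return the vault password, creating it (mode 0600, O_EXCL) if absent.

    O_EXCL makes creation atomic: two parallel Molecule runs cannot each mint
    a different key and leave the file encrypted with one the other cannot
    open. An existing key is never overwritten.
    """
    try:
        fd = os.open(key_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except FileExistsError:
        return key_path.read_bytes().strip()
    token = secrets.token_hex(32).encode()   # 256 bits of entropy, hex-encoded
    with os.fdopen(fd, "wb") as fh:
        fh.write(token + b"\n")
    return token


def encrypt_in_place(cred_path: Path, key_path: Path) -> None:
    """Encrypt a plaintext credentials file on first run; no-op if already encrypted."""
    if vault_state(cred_path) != "plaintext":
        return
    subprocess.run(
        ["ansible-vault", "encrypt", "--vault-password-file", str(key_path), str(cred_path)],
        check=True, capture_output=True,
    )


def read_decrypted(cred_path: Path, key_path: Path) -> bytes:
    """Return the plaintext YAML in memory via `ansible-vault view`.

    Unlike a decrypt -> use -> re-encrypt cycle, nothing plaintext is written
    to disk, so a crashed or interrupted test session leaves no secrets behind.
    """
    if vault_state(cred_path) == "plaintext":
        return cred_path.read_bytes()
    out = subprocess.run(
        ["ansible-vault", "view", "--vault-password-file", str(key_path), str(cred_path)],
        check=True, capture_output=True,
    )
    return out.stdout


def pytest_sessionstart(session):
    """conftest.py hook (hypothetical placement): encrypt before any test reads the file."""
    root = Path(str(session.config.rootpath))          # assumes pytest >= 6.1
    cred = root / "omnia_test_credentials.yml"
    if cred.is_file():
        encrypt_in_place(cred, ensure_vault_key(root / ".omnia_test_credentials.key"))


def offline_self_check() -> dict:
    """Exercise the pure-Python parts on constructed files in a temp dir (no ansible needed)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        cred = root / "omnia_test_credentials.yml"
        key = root / ".omnia_test_credentials.key"
        before = vault_state(cred)                                            # 'missing'
        cred.write_bytes(b'oim_ssh_password: ""\nomnia_core_password: ""\n')  # constructed
        plain = vault_state(cred)                                             # 'plaintext'
        k1, k2 = ensure_vault_key(key), ensure_vault_key(key)                 # 2nd call reuses
        mode = oct(key.stat().st_mode & 0o777)
        cred.write_bytes(b"$ANSIBLE_VAULT;1.1;AES256\n30363531\n")            # constructed envelope
        return {"before": before, "plain": plain, "encrypted": vault_state(cred),
                "same_key": k1 == k2, "key_len": len(k1), "mode": mode,
                "tool_present": shutil.which("ansible-vault") is not None}


if __name__ == "__main__":
    print(offline_self_check())
```

The key file must stay out of version control alongside the credentials file (the PR already gitignores the latter); with this layout a fresh clone gets a new key on first run and the old encrypted file will not open, which is the expected signal that the key, not the credentials, has to be provisioned out of band.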
