Backup failed due to unsafe conditionals in 2.12.2 #1734

@kurokobo

Please confirm the following

  • I agree to follow this project's code of conduct.
  • I have checked the current issues for duplicates.
  • I understand that the AWX Operator is open source software provided for free and that I might not receive a timely response.

Bug Summary

Reconciliation for AWXBackup CR fails due to unsafe conditionals.

Logs (replaced \n with line breaks):

TASK [Dump ingress tls secret names from awx spec and data into file] ******************************** 
fatal: [localhost]: FAILED! => {"msg": "
The conditional check '{{ awx_spec.spec['ingress_hosts'] | default('') | map(attribute='tls_secret', default='') | select() | list | length }}' failed. The error was: Conditional is marked as unsafe, and cannot be evaluated.

The error appears to be in '/opt/ansible/roles/backup/tasks/secrets.yml': line 21, column 3, but may
be elsewhere in the file depending on the exact syntax problem.

The offending line appears to be:

- name: Dump ingress tls secret names from awx spec and data into file
  ^ here
"}

AWX Operator version

2.12.2

AWX version

23.9.0

Kubernetes platform

kubernetes

Kubernetes/Platform version

k3s version v1.28.6+k3s2

Modifications

no

Steps to reproduce

Create any AWXBackup CR.

Expected results

Reconciliation for AWXBackup completes.

Actual results

Failed in the "Dump ingress tls secret names from awx spec and data into file" task with the above logs.

Additional information

I believe this is introduced with #1714.
That PR upgrades the SDK and causes Ansible to be upgraded to 2.15.8, so the following topic about CVE-2023-5764 in the porting guide applies:

Conditionals - due to mitigation of security issue CVE-2023-5764 in ansible-core 2.15.7, conditional expressions with embedded template blocks can fail with the message “Conditional is marked as unsafe, and cannot be evaluated.” when an embedded template consults data from untrusted sources like module results or vars marked !unsafe.
https://docs.ansible.com/ansible/latest/porting_guides/porting_guide_8.html#playbook

So the task that causes this issue should not use {{ ... }} in when:

when: "{{ awx_spec.spec['ingress_hosts'] | default('') | map(attribute='tls_secret', default='') | select() | list | length }}"

Operator Logs

No response
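
A small scanner for the pattern identified in this report, as an added example that is not part of the original issue or of the AWX Operator code: it flags when, changed_when, failed_when and until values that embed template blocks, the construct the quoted porting-guide note describes. The sample tasks are constructed (only the first task name and its when: line come from the issue), and multi-line YAML scalars are assumed not to occur.

```python
import re

KEYS = "when|changed_when|failed_when|until"  # evaluated as bare Jinja2 expressions
KEY_RE = re.compile(r"^\s*(?:-\s+)?(%s):\s*(.*)$" % KEYS)
ITEM_RE = re.compile(r"^(\s*)-\s+(.*)$")
TEMPLATE_RE = re.compile(r"\{\{.*?\}\}|\{%.*?%\}")

# Constructed task file: the first name/when pair is from the issue, the rest is made up.
SAMPLE = """\
- name: Dump ingress tls secret names from awx spec and data into file
  ansible.builtin.debug: msg="constructed task body"
  when: "{{ awx_spec.spec['ingress_hosts'] | default('') | map(attribute='tls_secret', default='') | select() | list | length }}"
- name: Same check written as a bare expression
  ansible.builtin.debug: msg="constructed task body"
  when: awx_spec.spec['ingress_hosts'] | default('') | map(attribute='tls_secret', default='') | select() | list | length
- name: List form of a conditional
  ansible.builtin.command: /bin/true
  register: result
  changed_when:
    - result.rc == 0
    - "{{ result.stdout }}"
"""


def find_templated_conditionals(text):
    """Return (line, keyword, expression) for conditionals embedding {{ }} or {% %}."""
    findings, key, key_indent = [], None, 0
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = KEY_RE.match(line)
        if m:
            key, key_indent, value = m.group(1), m.start(1), m.group(2).strip()
            if value:  # inline form; a bare `when:` opens a YAML list instead
                if TEMPLATE_RE.search(value):
                    findings.append((lineno, key, value))
                key = None
            continue
        item = ITEM_RE.match(line)
        if key and item and len(item.group(1)) >= key_indent:
            if TEMPLATE_RE.search(item.group(2)):
                findings.append((lineno, key, item.group(2)))
            continue
        key = None  # any other line ends the list
    return findings

if __name__ == "__main__":
    for lineno, key, expr in find_templated_conditionals(SAMPLE):
        print(f"line {lineno}: {key} embeds a template block: {expr}")
```

Run against the constructed sample, it reports the quoted when: from the issue and the templated list item, and leaves the bare-expression form alone.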
