feat: allow EDA credential fields to link to external Secret Management Systems (SMS) by hsong-rh · Pull Request #1361 · ansible/eda-server

hsong-rh · 2025-07-10T20:18:50Z

This RP is regenerated from #1349

AAP allows text fields in a Credential to be connected to an external Secret Management System like Hashicorp Vault.
EDA was lacking this feature, this fix tries to address that by providing

Test External SMS for connectivity and existence of secrets
Optionally link text fields to External SMS
Uses the awx-plugins-core to manage the connections to external SMS

New API end points added

/api/eda/v1/credential-types/nnn/test/ (POST)
/api/eda/v1/eda-credentials/nnn/test/ (POST)
/api/eda/v1/eda-credentials/nnn/input_sources/ (GET)
/api/eda/v1/credential_input_sources/ (CRUD)

The awx-plugins-core supports 10 different external systems, for parity we have added the schema for all 10 of them

CyberArk Central Credential Provider Lookup
AWS Secrets Manager lookup
Microsoft Azure Key Vault
Centrify Vault Credential Provider Lookup
CyberArk Conjur Secrets Manager Lookup
HashiCorp Vault Secret Lookup
HashiCorp Vault Signed SSH
Thycotic DevOps Secrets Vault
Thycotic Secret Server
GitHub App Installation Access Token Lookup

https://issues.redhat.com/browse/AAP-46900

flowchart TD;
    A[EDA UI] -->|Create Credential| B(EDA API);
    B --> C{AWX Plugins};
    C -->|Fetch/Test| D[fa:fa-vault Hashicorp];
    C -->|Fetch/Test| E[fa:fa-vault CyberArk];
    C -->|Fetch/Text| F[fa:fa-vault Azure];

codecov-commenter · 2025-07-10T20:28:37Z

Codecov Report

❌ Patch coverage is 99.67638% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 94.14%. Comparing base (2b9eddb) to head (d2804c2).
⚠️ Report is 122 commits behind head on main.

Files with missing lines	Patch %	Lines
src/aap_eda/core/utils/credentials.py	97.29%	1 Missing ⚠️
src/aap_eda/services/project/scm.py	50.00%	1 Missing ⚠️

@@            Coverage Diff             @@
##             main    #1361      +/-   ##
==========================================
+ Coverage   93.94%   94.14%   +0.20%     
==========================================
  Files         324      335      +11     
  Lines       18951    19537     +586     
==========================================
+ Hits        17804    18394     +590     
+ Misses       1147     1143       -4

Flag	Coverage Δ
unit-int-tests-3.11	`94.09% <99.67%> (+0.20%)`	⬆️
unit-int-tests-3.12	`94.14% <99.67%> (+0.20%)`	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines	Coverage Δ
src/aap_eda/analytics/utils.py	`100.00% <100.00%> (ø)`
src/aap_eda/api/exceptions.py	`100.00% <100.00%> (ø)`
src/aap_eda/api/filters/__init__.py	`100.00% <100.00%> (ø)`
src/aap_eda/api/filters/credential_input_source.py	`100.00% <100.00%> (ø)`
src/aap_eda/api/serializers/__init__.py	`100.00% <100.00%> (ø)`
src/aap_eda/api/serializers/activation.py	`96.20% <100.00%> (+0.02%)`	⬆️
...aap_eda/api/serializers/credential_input_source.py	`100.00% <100.00%> (ø)`
src/aap_eda/api/serializers/credential_type.py	`100.00% <100.00%> (ø)`
src/aap_eda/api/serializers/eda_credential.py	`99.13% <100.00%> (+0.09%)`	⬆️
src/aap_eda/api/urls.py	`100.00% <100.00%> (ø)`
... and 32 more

... and 1 file with indirect coverage changes

🚀 New features to boost your workflow:

❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

sonarqubecloud · 2025-07-21T17:27:30Z

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

hsong-rh · 2025-07-21T18:34:40Z

The e2e test failure will be handled by updating the API client on the eda-qa side after this has been merged.

Based on eda-server PR 1361[1], now EDA allows credentials to link to external Secret Management Systems (SMS), like Hashicorp Vault and others. To comply with the back-end functionality, this PR adds 4 new modules to the collection: - credential_input_source - credential_input_source_info - credential_test - credential_type_test [1] ansible/eda-server#1361

Based on eda-server PR 1361[1], now EDA allows credentials to link to external Secret Management Systems (SMS), like Hashicorp Vault and others. To comply with the back-end functionality, this PR adds 2 new modules to the collection: - credential_input_source - credential_input_source_info As a bonus feature, we also implement the "test" functionality to credential and credential_type, which essentially adds the support to reach the test credential endpoints to check if a credential is working as expected before actually creating the credential. [1] ansible/eda-server#1361

Based on eda-server PR 1361[1], now EDA allows credentials to link to external Secret Management Systems (SMS), like Hashicorp Vault and others. To comply with the back-end functionality, this PR adds 2 new modules to the collection: - credential_input_source - credential_input_source_info We also implement the "test" functionality to credential and credential_type, which essentially adds the support to reach the test credential endpoints to check if a credential is working as expected before actually creating the credential. [1] ansible/eda-server#1361 Co-authored-by: Madhu Kanoor <mkanoor@redhat.com>

We missed this file when working on PR ansible#1361 https://issues.redhat.com/browse/AAP-51904

We missed this file when working on PR #1361 https://issues.redhat.com/browse/AAP-51904 We are adding an ATF test to do the real integration test https://issues.redhat.com/browse/AAP-51905

hsong-rh requested a review from a team as a code owner July 10, 2025 20:18

hsong-rh added the run-e2e label Jul 10, 2025

hsong-rh force-pushed the aap-46900 branch from 11e4d3e to a1b58b8 Compare July 21, 2025 16:57

allow EDA credential fields to link to external SMS

d2804c2

hsong-rh force-pushed the aap-46900 branch from a1b58b8 to d2804c2 Compare July 21, 2025 17:26

Alex-Izquierdo approved these changes Jul 21, 2025

View reviewed changes

mkanoor approved these changes Jul 21, 2025

View reviewed changes

hsong-rh merged commit 1766604 into ansible:main Jul 21, 2025
6 of 7 checks passed

kaiokmo mentioned this pull request Aug 3, 2025

feat: [AAP-47707] allow credentials to link to external SMS ansible/event-driven-ansible#459

Merged

mkanoor added a commit to mkanoor/eda-server that referenced this pull request Aug 20, 2025

fix: allow for RHAPP, file content and env vars from SMS

cfb2d48

We missed this file when working on PR ansible#1361 https://issues.redhat.com/browse/AAP-51904

mkanoor mentioned this pull request Aug 20, 2025

fix: allow for RHAAP, file content and env vars from SMS #1383

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat: allow EDA credential fields to link to external Secret Management Systems (SMS)#1361

feat: allow EDA credential fields to link to external Secret Management Systems (SMS)#1361
hsong-rh merged 1 commit into
ansible:mainfrom
hsong-rh:aap-46900

hsong-rh commented Jul 10, 2025 •

edited

Loading

Uh oh!

codecov-commenter commented Jul 10, 2025 •

edited

Loading

Uh oh!

sonarqubecloud Bot commented Jul 21, 2025

Uh oh!

hsong-rh commented Jul 21, 2025

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

Conversation

hsong-rh commented Jul 10, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

codecov-commenter commented Jul 10, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Codecov Report

Uh oh!

sonarqubecloud Bot commented Jul 21, 2025

Quality Gate passed

Uh oh!

hsong-rh commented Jul 21, 2025

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

hsong-rh commented Jul 10, 2025 •

edited

Loading

codecov-commenter commented Jul 10, 2025 •

edited

Loading