Fixes #5907: gitlab_runner is not idempotent on first run after runner creation #5908
Conversation
ansibullbot
added
bug
plugins/modules/gitlab_runner.py
Outdated
| @@ -216,6 +216,7 @@ def create_or_update_runner(self, description, options): | |||
| 'locked': options['locked'], | |||
| 'run_untagged': options['run_untagged'], | |||
| 'maximum_timeout': options['maximum_timeout'], | |||
| 'access_level': options['access_level'], | |||
There was a problem hiding this comment.
This looks ok to me, but I think it has a slight change in runner registration behavior: this module defines ref_protected as the default for creation, which I think is not the real default in GitLab's API if the attribute is not provided*.
But I guess this happens anyway after the first run with the current approach, since the update method will then change it, and that is the reason you opened the issue in the first place I assume.
Just wanted to point this out but will let @felixfontein decide on the best approach.
*See https://docs.gitlab.com/ee/api/runners.html#register-a-new-runner and https://docs.gitlab.com/runner/register/
For a protected runner, use the --access-level="ref_protected" parameter. For an unprotected runner, use --access-level="not_protected" instead or leave the value undefined.
There was a problem hiding this comment.
A little side note: Not sure about the history behind this, but I think selecting ref_protected as the default here was a bit of an exotic choice. Of course that's more secure as it limits the runner to being available on protected branches only, but I'm not sure that's the more common use case for GitLab runners.
There was a problem hiding this comment.
That is good remark. I was not aware of that fact. From that point of view, it would be the best to also change the default value of access_level to not_protected. Because the access_level was not passed to the runner creation call before, people actually got an unprotected runner. That is not what you would expect from the documentation. But it is inline with the default behavior of the GitLab API.
There was a problem hiding this comment.
@cfiehe I agree that makes more sense and I see you've already incorporated it. The only thing now is that this is technically a breaking change so I'm eager to hear feedback from the collection maintainers (I'm only involved in the GitLab module here :))
There was a problem hiding this comment.
Changing the default value is a breaking change and cannot be merged (see also #582). Changing the default requires a longer deprecation period.
Generally I would avoid having a default at all though, then the default on creation would be "use whatever GitLab thinks is the default", and the default for updating would be "don't update that value". Whether you prefer to force a specific value for this option if none is provided, or whether not specifying a value means "I don't care / don't change", that's something for the module maintainers to decide. But it's nothing this bugfix PR should touch/change.
There was a problem hiding this comment.
@felixfontein the issue is that the bugfix, without removing the default, would also be a breaking change.
So maybe removing the default here is the easiest transition, but then the code will need to ensure that it's not sending null values to the API if no attribute is present, as GitLab sometimes doesn't like that.
There was a problem hiding this comment.
That's true, but at least it's restoring the documented behavior, and not changing the documented behavior and the implementation.
But yeah, it's also not helping that the current behavior has been there for quite a few years (it has always been like this since it was migrated to this repository). That's also (in part) why I didn't add the backport-5 label.
So maybe the best way forward is:
- Add a new option
access_level_on_creationof type boolean with no explicit default, but implicit defaultfalse. - If that option is not specified, a deprecation warning will be triggered that this option will switch to
truefor the next major release (community.general 7.0.0). - Only set the access level on creation when
access_level_on_creation=trueis passed to the module.
It would be a rather short deprecation period, but at least users would know that something is changing, and (most importantly) can get the module to use the new behavior already now. What do you think about this approach?
(Deprecating the default value of access_level is something that should probably happen in a separate PR, as it's not strictly related to this problem.)
cfiehe
force-pushed
the
fix_gitlab_runner_not_idempotent
branch
2 times, most recently
from
5f8fe38 to
448a583
Compare
Docs Build 📝Thank you for contribution!✨ This PR has been merged and your docs changes will be incorporated when they are next published. |
felixfontein
added
check-before-release
cfiehe
force-pushed
the
fix_gitlab_runner_not_idempotent
branch
3 times, most recently
from
00b36d2 to
82d899d
Compare
This comment was marked as outdated.
This comment was marked as outdated.
ansibullbot
added
merge_commit
cfiehe
force-pushed
the
fix_gitlab_runner_not_idempotent
branch
from
4849dd5 to
6f50b3d
Compare
ansibullbot
removed
merge_commit
cfiehe
force-pushed
the
fix_gitlab_runner_not_idempotent
branch
2 times, most recently
from
d61c655 to
a238592
Compare
|
Thanks for the review. I have added the requested changes and rebased the branch. |
cfiehe
force-pushed
the
fix_gitlab_runner_not_idempotent
branch
from
a238592 to
f3bfb21
Compare
…rst run after runner creation This fix introduces the new boolean option 'access_level_on_creation'. It controls, whether the value of 'access_level' is used for runner registration or not. The option 'access_level' has been ignored on registration so far and was only used on updates. The user is informed by a deprecation warning, if the option is unspecified. For reasons of compatibility 'false' is assumed in that case. The option 'access_level_on_creation' will switch to 'true' for the next major release (community.general 7.0.0) Signed-off-by: Christoph Fiehe <[email protected]>
cfiehe
force-pushed
the
fix_gitlab_runner_not_idempotent
branch
from
f3bfb21 to
4b12d51
Compare
There was a problem hiding this comment.
Besides this looks good to me! @nejch what do you think?
@felixfontein @cfiehe LGTM like this! It might make sense to track the access_level default in a follow-up to align with GitLab eventually, or @cfiehe if you're willing to open another PR for that :)
Backport to stable-6: 💚 backport PR created✅ Backport PR branch: Backported as #5922 🤖 @patchback |
…r creation (#5908) This fix introduces the new boolean option 'access_level_on_creation'. It controls, whether the value of 'access_level' is used for runner registration or not. The option 'access_level' has been ignored on registration so far and was only used on updates. The user is informed by a deprecation warning, if the option is unspecified. For reasons of compatibility 'false' is assumed in that case. The option 'access_level_on_creation' will switch to 'true' for the next major release (community.general 7.0.0) Signed-off-by: Christoph Fiehe <[email protected]> Co-authored-by: Christoph Fiehe <[email protected]> (cherry picked from commit 31ff3f6)
|
@cfiehe thanks a lot for your contribution! Creating a follow-up issue or PR sounds good to me. The first step will be removing the current default and documenting it manually, and using a similar mechanism as for the new option in this PR (if the default is not set, call |
felixfontein
removed
the
check-before-release
…not idempotent on first run after runner creation (#5922) Fixes #5907: gitlab_runner is not idempotent on first run after runner creation (#5908) This fix introduces the new boolean option 'access_level_on_creation'. It controls, whether the value of 'access_level' is used for runner registration or not. The option 'access_level' has been ignored on registration so far and was only used on updates. The user is informed by a deprecation warning, if the option is unspecified. For reasons of compatibility 'false' is assumed in that case. The option 'access_level_on_creation' will switch to 'true' for the next major release (community.general 7.0.0) Signed-off-by: Christoph Fiehe <[email protected]> Co-authored-by: Christoph Fiehe <[email protected]> (cherry picked from commit 31ff3f6) Co-authored-by: cfiehe <[email protected]>
SUMMARY
This fix introduces the new boolean option
access_level_on_creation. It controls, whether the value ofaccess_levelis used for runner registration or not. The optionaccess_levelhas been ignored on registration so far and was only used on updates. The user is informed by a deprecation warning, if the option is unspecified. For reasons of compatibilityfalseis assumed in that case. The optionaccess_level_on_creationwill switch totruein community.general 7.0.0.Signed-off-by: Christoph Fiehe [email protected]
ISSUE TYPE
COMPONENT NAME
gitlab_runner