feat(ansible): per-variable fields in the playbook run form
When you click Run, Steward now parses the playbook and renders a field for each declared variable instead of a blank extra-vars textarea. The form loads on demand via HTMX (/ansible/run-form/<source>/<playbook>). - sources.discover_playbook_variables: parse vars: defaults + vars_prompt: (vars_prompt wins on name collision; non-scalar vars skipped; role/include vars not traversed). Flags secret-looking names + vars_prompt private. - Run-time values flow through a JSON extra-vars file (-e @file), which is space/quote-safe — fixes a latent shlex-split bug in the old -e key=value textarea path. executor.build_extra_vars_file (pure) + start_run merge. - Secret-flagged fields are masked AND routed through an unpersisted secret_vars channel (runner.trigger_run → start_run), so passwords entered at run time never land in the DB / run history. - Defaults shown as placeholders (not prefilled): an untouched field falls through to the inventory/play default instead of overriding it. - routes: run_form HTMX endpoint; _parse_run_params now returns (params, secret_vars, err) and reads var__/secret__ fields. Schedules drop secret vars (can't prompt unattended). - templates: ansible/_run_form.html fragment; browse.html rewired to HTMX, static JS run-form removed. Advanced section keeps limit/tags/check + a free-form extra-vars escape hatch. - tests: test_playbook_variables.py (discovery + extra-vars file). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -26,6 +26,7 @@ async def trigger_run(
|
||||
triggered_by: str | None = None,
|
||||
inventory_content: str | None = None,
|
||||
connection: dict | None = None,
|
||||
secret_vars: dict | None = None,
|
||||
):
|
||||
"""Resolve inventory for the scope, persist an AnsibleRun, and launch it.
|
||||
|
||||
@@ -36,6 +37,8 @@ async def trigger_run(
|
||||
connection is an optional per-run SSH override (user/password) for
|
||||
first-contact provisioning — passed to the executor but deliberately NOT
|
||||
stored on the AnsibleRun row (params), so the password never lands in the DB.
|
||||
secret_vars (sensitive run-time playbook variables) are likewise passed
|
||||
through to the executor but never persisted.
|
||||
Returns (run, source, error): on success error is None; on failure run is
|
||||
None and error is a short human-readable reason.
|
||||
"""
|
||||
@@ -77,7 +80,7 @@ async def trigger_run(
|
||||
executor.start_run(
|
||||
app, run_id, playbook_path, inventory_path or "",
|
||||
source["path"], params or None, inventory_content,
|
||||
connection=connection,
|
||||
connection=connection, secret_vars=secret_vars,
|
||||
)
|
||||
)
|
||||
task.add_done_callback(
|
||||
|
||||
Reference in New Issue
Block a user