Skip to content

feat: Support key and keyfile for authentication#357

Open
richm wants to merge 1 commit into
linux-system-roles:mainfrom
richm:feat-key-and-keyfile
Open

feat: Support key and keyfile for authentication#357
richm wants to merge 1 commit into
linux-system-roles:mainfrom
richm:feat-key-and-keyfile

Conversation

@richm

@richm richm commented Jul 14, 2026

Copy link
Copy Markdown
Collaborator

Feature: Allow users to specify an authentication key for a server using the
new key parameter for items in the timesync_ntp_servers list. The key
value is as described at https://chrony-project.org/doc/latest/chrony.conf.html#keyfile
and includes the key ID, the optional type, and the key string. Users are strongly
encouraged to use Ansible Vault to encrypt the key.

Reason: Users need to be able to specify authentication keys for secure
time synchronization.

Result: Users can configure secure time synchronization.

Assisted-by: Cursor using models Cursor Grok 4.5, Composer 2.5, Sonnet 5.

Signed-off-by: Rich Megginson rmeggins@redhat.com

Summary by CodeRabbit

  • New Features
    • Added Chrony authentication support with per-server key values, automatically applied to generated pool/server entries.
    • Added configurable secure logging and an option to remove the Chrony keyfile when no keys are configured.
    • Added support for customizing the Chrony keyfile path.
  • Documentation
    • Updated role documentation for the key format and new configuration options, including related error cases.
  • Bug Fixes
    • Improved Chrony configuration rendering for keyfile placement and key handling.
  • Tests
    • Expanded Chrony key generation/configuration test coverage, including failure scenarios and keyfile retention/removal behavior.

@coderabbitai

coderabbitai Bot commented Jul 14, 2026

Copy link
Copy Markdown

Review Change Stack

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

  • ▶️ Resume reviews
  • 🔍 Trigger review
📝 Walkthrough

Walkthrough

Changes

Chrony NTP authentication keys are configurable per server, rendered into a keyfile, referenced from chrony.conf, and covered by integration tests. Secure logging, keyfile removal, platform-specific paths, and ownership settings are also added.

🚥 Pre-merge checks | ✅ 6
✅ Passed checks (6 passed)
Check name Status Explanation
Title check ✅ Passed The title follows Conventional Commits and accurately summarizes authentication key and keyfile support.
Description check ✅ Passed The description covers the feature, reason, and result, but it uses 'Feature' instead of 'Enhancement' and omits issue tracker tickets.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Description Format ✅ Passed PR description includes Feature, Reason, Result, optional Assisted-by, and Signed-off-by; this satisfies the repo template requirements.

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 6

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@README.md`:
- Around line 62-72: Update the README configuration entry for key so the
description states that the key type is required and the value contains the key
type followed by key contents, excluding the numeric ID. Replace the
placeholder-only `key: !vault ...` example with a concrete redacted vaulted
value that demonstrates the expected format while preserving the existing
encryption guidance.

In `@tasks/main.yml`:
- Around line 179-181: Add a safe empty-list fallback to
__timesync_ntp_unique_keys before applying the length check in the
timesync_ntp_provider condition, matching the existing pattern elsewhere such as
line 197. Preserve the current requirement that the resulting list length must
be greater than zero.
- Around line 187-188: Update the chrony key file task’s group setting near the
existing owner declaration to use the role’s OS-specific internal variable for
the chrony group instead of the hardcoded `chrony` value, ensuring Debian/Ubuntu
resolve `_chrony` while other platforms retain their configured group.

In `@tests/tasks/cleanup.yml`:
- Line 16: Update the condition near the cleanup task’s package check to provide
a default empty mapping when ansible_facts.packages is undefined, while
preserving the existing other_provider membership test when package facts are
available.

In `@vars/Debian.yml`:
- Line 7: Rename the platform-specific variable to
__timesync_chrony_keyfile_path in vars/Debian.yml:7-7, vars/Fedora.yml:7-7,
vars/RedHat_10.yml:7-7, and vars/RedHat_6.yml:7-7, preserving each existing path
value; update every consumer of timesync_chrony_keyfile_path to use the new
internal variable name.

In `@vars/RedHat_9.yml`:
- Line 7: Rename timesync_chrony_keyfile_path to __timesync_chrony_keyfile_path
in vars/RedHat_9.yml and any other introduced vars/*.yml platform files. Update
all references consistently: templates/chrony.conf.j2 lines 64-66,
tests/tests_keys.yml lines 43-47 and 93-97, and the search strings in
tests/tests_keys.yml lines 52-63 and 64-76.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 0cca7cb7-2f6c-4641-bd5a-2cc386bc12ba

📥 Commits

Reviewing files that changed from the base of the PR and between b48f052 and 4016699.

📒 Files selected for processing (18)
  • README.md
  • defaults/main.yml
  • tasks/main.yml
  • templates/chrony.conf.j2
  • templates/chrony.keys.j2
  • tests/tasks/cleanup.yml
  • tests/tests_keys.yml
  • tests/vars/vault-variables.yml
  • tests/vault_pwd
  • vars/Debian.yml
  • vars/Fedora.yml
  • vars/RedHat_10.yml
  • vars/RedHat_6.yml
  • vars/RedHat_7.yml
  • vars/RedHat_8.yml
  • vars/RedHat_9.yml
  • vars/SL-Micro.yml
  • vars/default.yml

Comment thread README.md Outdated
Comment thread tasks/main.yml Outdated
Comment thread tasks/main.yml Outdated
Comment thread tests/tasks/cleanup.yml Outdated
Comment thread vars/Debian.yml
Comment thread vars/RedHat_9.yml
@richm
richm force-pushed the feat-key-and-keyfile branch 2 times, most recently from cce5201 to 25550c4 Compare July 14, 2026 22:45
@richm

richm commented Jul 14, 2026

Copy link
Copy Markdown
Collaborator Author

[citest]

@richm
richm requested review from mlichvar and spetrosi July 14, 2026 22:49
@richm
richm force-pushed the feat-key-and-keyfile branch from 25550c4 to e6eb494 Compare July 15, 2026 00:18
@richm

richm commented Jul 15, 2026

Copy link
Copy Markdown
Collaborator Author

[citest]

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🧹 Nitpick comments (1)
tests/tests_keys.yml (1)

43-50: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Mask sensitive key material in test logs.

Even though these are test keys, applying no_log: true to tasks that read and decode sensitive files prevents the raw key material from leaking into CI console output and establishes a secure pattern for anyone reusing this code.

🔒️ Proposed fix
         - name: Fetch chrony key file
-          slurp:
+          ansible.builtin.slurp:
             src: "{{ timesync_chrony_keyfile_path }}"
           register: __keys_chrony_keys_encoded
+          no_log: true
 
         - name: Decode chrony key file
-          set_fact:
+          ansible.builtin.set_fact:
             __keys_chrony_keys: "{{ __keys_chrony_keys_encoded.content | b64decode }}"
+          no_log: true
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@tests/tests_keys.yml` around lines 43 - 50, Apply no_log: true to both the
“Fetch chrony key file” slurp task and the “Decode chrony key file” set_fact
task so raw key material is masked from CI logs while preserving their existing
registration and decoding behavior.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@tests/tests_keys.yml`:
- Around line 26-27: Update the task module invocations throughout
tests_keys.yml to use their fully qualified Ansible names, including
ansible.builtin.include_tasks for the shown Run the role task and the
corresponding ansible.builtin prefixes for slurp, assert, stat, set_fact,
command, and meta, while preserving existing task behavior.
- Around line 111-114: Update the command in the chrony journal task registering
__keys_chrony_journal to query the wildcard unit pattern 'chrony*' instead of
the hardcoded chronyd unit name, preserving the existing task behavior and
assertions.

---

Nitpick comments:
In `@tests/tests_keys.yml`:
- Around line 43-50: Apply no_log: true to both the “Fetch chrony key file”
slurp task and the “Decode chrony key file” set_fact task so raw key material is
masked from CI logs while preserving their existing registration and decoding
behavior.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 9a188d6c-097c-406e-82ca-7c18d6b788ad

📥 Commits

Reviewing files that changed from the base of the PR and between 4016699 and e6eb494.

📒 Files selected for processing (19)
  • README.md
  • defaults/main.yml
  • tasks/main.yml
  • templates/chrony.conf.j2
  • templates/chrony.keys.j2
  • tests/tasks/cleanup.yml
  • tests/tests_keys.yml
  • tests/vars/vault-variables.yml
  • tests/vault_pwd
  • vars/Debian.yml
  • vars/Fedora.yml
  • vars/RedHat_10.yml
  • vars/RedHat_6.yml
  • vars/RedHat_7.yml
  • vars/RedHat_8.yml
  • vars/RedHat_9.yml
  • vars/SL-Micro.yml
  • vars/default.yml
  • vars/main.yml
🚧 Files skipped from review as they are similar to previous changes (16)
  • vars/Debian.yml
  • vars/SL-Micro.yml
  • vars/default.yml
  • vars/RedHat_10.yml
  • vars/RedHat_6.yml
  • tests/vars/vault-variables.yml
  • vars/RedHat_7.yml
  • tests/vault_pwd
  • tests/tasks/cleanup.yml
  • vars/RedHat_9.yml
  • defaults/main.yml
  • vars/RedHat_8.yml
  • vars/Fedora.yml
  • templates/chrony.keys.j2
  • tasks/main.yml
  • README.md

Comment thread tests/tests_keys.yml
Comment on lines +26 to +27
- name: Run the role
include_tasks: tasks/run_role_with_clear_facts.yml

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win

Use FQCN for module invocations.

As per path instructions, you must ALWAYS use the centrally managed wrapper with its Fully Qualified Collection Name (ansible.builtin.include_tasks). Please apply the ansible.builtin. prefix to this task and all other module invocations (slurp, assert, stat, set_fact, command, meta) throughout this test file.

♻️ Proposed fix
-        - name: Run the role
-          include_tasks: tasks/run_role_with_clear_facts.yml
+        - name: Run the role
+          ansible.builtin.include_tasks: tasks/run_role_with_clear_facts.yml
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- name: Run the role
include_tasks: tasks/run_role_with_clear_facts.yml
- name: Run the role
ansible.builtin.include_tasks: tasks/run_role_with_clear_facts.yml
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@tests/tests_keys.yml` around lines 26 - 27, Update the task module
invocations throughout tests_keys.yml to use their fully qualified Ansible
names, including ansible.builtin.include_tasks for the shown Run the role task
and the corresponding ansible.builtin prefixes for slurp, assert, stat,
set_fact, command, and meta, while preserving existing task behavior.

Source: Path instructions

Comment thread tests/tests_keys.yml
Comment on lines +111 to +114
- name: Grab the journal for chronyd
command: journalctl -u chronyd
register: __keys_chrony_journal
changed_when: false

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check how the chrony service is defined across platforms
rg -i "service.*chrony" vars/ defaults/

Repository: linux-system-roles/timesync

Length of output: 165


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== files =="
git ls-files | rg '(^|/)(tests/tests_keys\.yml|defaults/|vars/|tasks/|README\.md)$' || true

echo "== chrony references =="
rg -n -i 'chrony|chronyd|timesync_.*service' .

echo "== tests/tests_keys.yml excerpt =="
cat -n tests/tests_keys.yml | sed -n '90,140p'

Repository: linux-system-roles/timesync

Length of output: 27076


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== file map for repo root =="
find . -maxdepth 2 \( -path './.git' -o -path './.venv' \) -prune -o -type f | sed 's#^\./##' | sort | head -200

echo "== chrony variables in likely files =="
for f in $(git ls-files | rg '^(defaults|vars|tasks|tests)/'); do
  rg -n -i 'chrony|chronyd|service' "$f" || true
done

Repository: linux-system-roles/timesync

Length of output: 40644


🏁 Script executed:

#!/bin/bash
set -euo pipefail

python3 - <<'PY'
from pathlib import Path
p = Path('tests/tests_keys.yml')
for start,end in [(1,220)]:
    print(p)
    with p.open() as f:
        for i,line in enumerate(f,1):
            if start <= i <= end:
                print(f"{i:4d}: {line.rstrip()}")
PY

Repository: linux-system-roles/timesync

Length of output: 7992


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== tests/tests_keys.yml around the journal command =="
nl -ba tests/tests_keys.yml | sed -n '100,130p'

echo "== search for journalctl use in tests =="
rg -n 'journalctl -u|journalctl' tests

echo "== search for chrony service variable names anywhere =="
rg -n 'timesync_.*service|chrony.*service|service.*chrony|chronyd|chrony' .

Repository: linux-system-roles/timesync

Length of output: 259


🌐 Web query:

Debian chrony service unit name chrony.service chronyd.service journalctl -u

💡 Result:

On Debian, the official systemd service unit name for the chrony package is chrony.service [1][2]. While the underlying daemon itself is named chronyd [1][3], the service management unit provided by the Debian package is named chrony.service [1][2]. When interacting with systemd, you should use the unit name chrony.service. For example, to check the status or view logs with journalctl, you can use the following commands: Check service status: systemctl status chrony.service View logs for the service: journalctl -u chrony.service If you prefer to view the most recent logs for the service, you can combine this with standard journalctl flags: journalctl -u chrony.service -e Some third-party distributions or custom configurations may sometimes use chronyd.service [3][4][5], but for standard Debian installations, chrony.service is the correct unit name [1][2].

Citations:


🌐 Web query:

Debian chrony package service unit name chrony.service or chronyd.service journalctl -u supports glob patterns

💡 Result:

In Debian, the chrony package provides the primary systemd service unit named chrony.service [1][2]. While historical versions or custom configurations may sometimes refer to it as chronyd.service [3][4], the standard unit file provided in current Debian packages is chrony.service [1][2]. Regarding journalctl, the --unit (or -u) flag supports shell-style glob patterns [5]. When you provide a pattern to --unit, systemd generates a match for that pattern [6]. For example, running the command: journalctl -u 'chrony*' will return logs for any unit starting with "chrony", effectively capturing both chrony.service and other related units like chrony-wait.service [1][5]. Note that it is recommended to wrap the pattern in quotes (e.g., 'chrony*') to prevent the shell from expanding the glob before it reaches journalctl [5].

Citations:


🌐 Web query:

site:manpages.debian.org chrony service unit name Debian chrony.service

💡 Result:

On Debian systems, the systemd service unit name for the chrony daemon is chrony.service [1]. The chrony daemon itself is managed by this unit, which ensures that the chronyd process starts correctly [1][2]. When managing the service using systemctl, you would use the following command structure: systemctl status chrony.service systemctl restart chrony.service Additionally, in configurations involving systemd-timedated, the unit may be referenced as chronyd.service in certain contexts [1].

Citations:


Avoid hardcoding the journal unit name. Debian/Ubuntu use chrony.service, so journalctl -u chronyd can miss key-related errors and let the negative assertions pass. Use journalctl -u 'chrony*' here.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@tests/tests_keys.yml` around lines 111 - 114, Update the command in the
chrony journal task registering __keys_chrony_journal to query the wildcard unit
pattern 'chrony*' instead of the hardcoded chronyd unit name, preserving the
existing task behavior and assertions.

@richm
richm force-pushed the feat-key-and-keyfile branch from e6eb494 to 348af4f Compare July 15, 2026 00:51
@richm

richm commented Jul 15, 2026

Copy link
Copy Markdown
Collaborator Author

[citest]

Comment thread tests/tests_keys.yml Outdated
@richm

richm commented Jul 15, 2026

Copy link
Copy Markdown
Collaborator Author

Fixes #321

@mlichvar mlichvar left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The key IDs need to be specified by the user, so they match the server configuration. This seems quite a lot of code for such a minor feature.

@richm

richm commented Jul 15, 2026

Copy link
Copy Markdown
Collaborator Author

The key IDs need to be specified by the user, so they match the server configuration.

Ah, ok. I thought the key ID was just used as an index into the chrony.keys "table". That is, I thought the use case was this: As an administrator configuring the client side of secure timesync, I need to configure the client to use the same authentication key as used by the server, which is just the "[type ]keystring". So I figured "hey, the user doesn't care about the key ID since it is just an index into the chrony.keys table - they just want to associate a key with a server, so the role can auto-generate the key IDs".

So the key ID is significant? That will definitely change the implementation, and possibly simplify somewhat.

This seems quite a lot of code for such a minor feature.

It may be "minor" but it is security related, which invokes several considerations.

  • The vars files changes are to add variables for the keyfile path and group. The reason why so many files have to change for this is because the set_vars implementation uses the first_found method https://github.com/linux-system-roles/timesync/blob/main/tasks/set_vars.yml#L38 instead of the more flexible method used in newer roles https://github.com/linux-system-roles/podman/blob/main/tasks/set_vars.yml#L39
  • vault is used because we really want to emphasize that customers should use vault to encrypt the key values
  • timesync_secure_logging and no_log was added because the role must not leak key data into the logs
  • the code to parse the keys and generate the key IDs is because of the reasons listed above
  • the main.yml code that uses the keys was moved into a block so that we can ensure the variables holding the key material are cleared and not leaked into the global namespace/scope

If you can suggest a better way to do this, I would appreciate it

@richm

richm commented Jul 15, 2026

Copy link
Copy Markdown
Collaborator Author
  • added timesync_remove_keyfile_if_no_keys because otherwise there is no way to remove a chrony.keys file that is no longer used, and it seems unsafe to just always remove it if there are no keys specified in the timesync_ntp_servers list without user authorization

@richm
richm force-pushed the feat-key-and-keyfile branch from 348af4f to 0ec98dd Compare July 15, 2026 17:31
@richm

richm commented Jul 15, 2026

Copy link
Copy Markdown
Collaborator Author

@mlichvar the new implementation takes a key as the entire string including the key ID

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@tasks/main.yml`:
- Line 164: Update the regex string in the item.key search condition to use YAML
single-quote delimiters, preserving the backslash in \s so the regex continues
matching digits followed by whitespace.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: a96a74fe-fc8f-4fd6-9b7c-31d4cd0fab22

📥 Commits

Reviewing files that changed from the base of the PR and between e6eb494 and 0ec98dd.

📒 Files selected for processing (18)
  • README.md
  • defaults/main.yml
  • tasks/main.yml
  • templates/chrony.conf.j2
  • templates/chrony.keys.j2
  • tests/tests_keys.yml
  • tests/vars/vault-variables.yml
  • tests/vault_pwd
  • vars/Debian.yml
  • vars/Fedora.yml
  • vars/RedHat_10.yml
  • vars/RedHat_6.yml
  • vars/RedHat_7.yml
  • vars/RedHat_8.yml
  • vars/RedHat_9.yml
  • vars/SL-Micro.yml
  • vars/default.yml
  • vars/main.yml
🚧 Files skipped from review as they are similar to previous changes (15)
  • vars/default.yml
  • vars/RedHat_9.yml
  • vars/RedHat_6.yml
  • templates/chrony.conf.j2
  • tests/vars/vault-variables.yml
  • vars/RedHat_10.yml
  • vars/Fedora.yml
  • vars/Debian.yml
  • templates/chrony.keys.j2
  • vars/SL-Micro.yml
  • defaults/main.yml
  • tests/vault_pwd
  • vars/RedHat_8.yml
  • vars/RedHat_7.yml
  • README.md

Comment thread tasks/main.yml Outdated
@richm
richm force-pushed the feat-key-and-keyfile branch from 0ec98dd to 3d7a021 Compare July 15, 2026 17:52
@richm

richm commented Jul 15, 2026

Copy link
Copy Markdown
Collaborator Author

[citest]

@richm

richm commented Jul 15, 2026

Copy link
Copy Markdown
Collaborator Author

[citest_bad]

@richm
richm force-pushed the feat-key-and-keyfile branch from 3d7a021 to 1d53232 Compare July 15, 2026 21:10
@richm

richm commented Jul 15, 2026

Copy link
Copy Markdown
Collaborator Author

[citest]

@richm

richm commented Jul 15, 2026

Copy link
Copy Markdown
Collaborator Author

[citest_bad]

@mlichvar

mlichvar commented Jul 16, 2026

Copy link
Copy Markdown
Collaborator

@mlichvar the new implementation takes a key as the entire string including the key ID

Looks good to me. Thanks.

What will happen if there are two servers using the same key ID but different key?

@richm
richm force-pushed the feat-key-and-keyfile branch from 1d53232 to 7d4cf4d Compare July 16, 2026 13:17
@richm

richm commented Jul 16, 2026

Copy link
Copy Markdown
Collaborator Author

@mlichvar the new implementation takes a key as the entire string including the key ID

Looks good to me. Thanks.

What will happen if there are two servers using the same key ID but different key?

The latest commit addresses this:

  • the role will issue an error if the user attempts to use multiple keys which have different key IDs but the same key value, or the same key ID for different key values
  • there are tests for these cases
  • the README explains this

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@tests/tests_keys.yml`:
- Around line 3-21: Load tests/vars/vault-variables.yml in the Test NTP server
authentication keys play so the __timesync_test_key_simple,
__timesync_test_key_md5, and __timesync_test_key_sha1 variables used by
timesync_ntp_servers are defined before the role runs.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: de10553b-7cda-413b-94a3-3e65add869ca

📥 Commits

Reviewing files that changed from the base of the PR and between 1d53232 and 7d4cf4d.

📒 Files selected for processing (18)
  • README.md
  • defaults/main.yml
  • tasks/main.yml
  • templates/chrony.conf.j2
  • templates/chrony.keys.j2
  • tests/tests_keys.yml
  • tests/vars/vault-variables.yml
  • tests/vault_pwd
  • vars/Debian.yml
  • vars/Fedora.yml
  • vars/RedHat_10.yml
  • vars/RedHat_6.yml
  • vars/RedHat_7.yml
  • vars/RedHat_8.yml
  • vars/RedHat_9.yml
  • vars/SL-Micro.yml
  • vars/default.yml
  • vars/main.yml
🚧 Files skipped from review as they are similar to previous changes (16)
  • defaults/main.yml
  • vars/RedHat_8.yml
  • vars/RedHat_10.yml
  • vars/default.yml
  • tests/vault_pwd
  • vars/RedHat_9.yml
  • vars/SL-Micro.yml
  • vars/Debian.yml
  • vars/Fedora.yml
  • tests/vars/vault-variables.yml
  • templates/chrony.keys.j2
  • vars/main.yml
  • vars/RedHat_6.yml
  • templates/chrony.conf.j2
  • vars/RedHat_7.yml
  • tasks/main.yml

Comment thread tests/tests_keys.yml
@richm

richm commented Jul 16, 2026

Copy link
Copy Markdown
Collaborator Author

[citest]

@mlichvar

Copy link
Copy Markdown
Collaborator

The new "Ensure the same key value is not used with different IDs" check doesn't seem right to me. It might not make much sense to use different IDs for the same key, but I think it should not cause the role to fail.

@richm

richm commented Jul 16, 2026

Copy link
Copy Markdown
Collaborator Author

The new "Ensure the same key value is not used with different IDs" check doesn't seem right to me. It might not make much sense to use different IDs for the same key, but I think it should not cause the role to fail.

How about a warning in that case?

@mlichvar

Copy link
Copy Markdown
Collaborator

Yes, that would be fine I think.

@richm
richm force-pushed the feat-key-and-keyfile branch from 7d4cf4d to 929217b Compare July 16, 2026 14:40
@richm

richm commented Jul 16, 2026

Copy link
Copy Markdown
Collaborator Author

[citest]

@richm

richm commented Jul 16, 2026

Copy link
Copy Markdown
Collaborator Author

Yes, that would be fine I think.

ok - check the latest commit - ok to merge?

@mlichvar

Copy link
Copy Markdown
Collaborator

"Each unique key value should have a unique ID." in the warning seems wrong. I think the warning should just hint it might be a misconfiguration, possibly also on the server side (two different servers using same key).

Also the new text in documentation should be fixed to not say it's an error.

Feature: Allow users to specify an authentication key for a server using the
new `key` parameter for items in the `timesync_ntp_servers` list.  The `key`
value is as described at https://chrony-project.org/doc/latest/chrony.conf.html#keyfile
and includes the key ID, the optional type, and the key string.  Users are strongly
encouraged to use Ansible Vault to encrypt the key.

Reason: Users need to be able to specify authentication keys for secure
time synchronization.

Result: Users can configure secure time synchronization.

Assisted-by: Cursor using models Cursor Grok 4.5, Composer 2.5, Sonnet 5.

Signed-off-by: Rich Megginson <rmeggins@redhat.com>
@richm
richm force-pushed the feat-key-and-keyfile branch from 929217b to b9d9263 Compare July 16, 2026 16:09
@richm

richm commented Jul 16, 2026

Copy link
Copy Markdown
Collaborator Author

"Each unique key value should have a unique ID." in the warning seems wrong. I think the warning should just hint it might be a misconfiguration, possibly also on the server side (two different servers using same key).

Also the new text in documentation should be fixed to not say it's an error.

Done.

@richm

richm commented Jul 16, 2026

Copy link
Copy Markdown
Collaborator Author

[citest]

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants