Merge pull request #159 from nautobot/release-3.2.0

Release 3.2.0

.cookiecutter.json

@@ -21,15 +21,16 @@
         "_drift_manager": {
             "template": "https://github.com/nautobot/cookiecutter-nautobot-app.git",
             "template_dir": "nautobot-app",
-            "template_ref": "refs/tags/nautobot-app-v2.3.0",
+            "template_ref": "refs/tags/nautobot-app-v2.4.0",
             "cookie_dir": "",
             "branch_prefix": "drift-manager",
             "pull_request_strategy": "create",
             "post_actions": [
-                "black"
+                "ruff",
+                "poetry"
             ],
-            "draft": true,
-            "baked_commit_ref": "f75687d1998767d0385ff1eb722abf2044208871"
+            "draft": false,
+            "baked_commit_ref": "80e244d924aa91275b03caec727d96451357bf45"
         }
     }
 }

.github/workflows/ci.yml

@@ -14,7 +14,7 @@ on: # yamllint disable-line rule:truthy rule:comments
   pull_request: ~
 
 env:
-  APP_NAME: "nautobot-app-secrets-providers"
+  APP_NAME: "nautobot-secrets-providers"
 
 jobs:
   ruff-format:
@@ -38,7 +38,7 @@ jobs:
       - name: "Setup environment"
         uses: "networktocode/gh-action-setup-poetry-environment@v6"
       - name: "Linting: ruff"
-        run: "poetry run invoke ruff"
+        run: "poetry run invoke ruff --action lint"
   check-docs-build:
     runs-on: "ubuntu-22.04"
     env:
@@ -92,6 +92,10 @@ jobs:
         uses: "actions/checkout@v4"
       - name: "Setup environment"
         uses: "networktocode/gh-action-setup-poetry-environment@v6"
+      - name: "Constrain Nautobot version and regenerate lock file"
+        env:
+          INVOKE_NAUTOBOT_SECRETS_PROVIDERS_LOCAL: "true"
+        run: "poetry run invoke lock --constrain-nautobot-ver --constrain-python-ver"
       - name: "Set up Docker Buildx"
         id: "buildx"
         uses: "docker/setup-buildx-action@v3"
@@ -109,6 +113,7 @@ jobs:
           build-args: |
             NAUTOBOT_VER=${{ matrix.nautobot-version }}
             PYTHON_VER=${{ matrix.python-version }}
+            CI=true
       - name: "Copy credentials"
         run: "cp development/creds.example.env development/creds.env"
       - name: "Linting: pylint"
@@ -123,14 +128,14 @@ jobs:
     strategy:
       fail-fast: true
       matrix:
-        python-version: ["3.8", "3.11"]
+        python-version: ["3.8", "3.12"]
         db-backend: ["postgresql"]
         nautobot-version: ["stable"]
         include:
           - python-version: "3.11"
             db-backend: "postgresql"
             nautobot-version: "2.0.0"
-          - python-version: "3.11"
+          - python-version: "3.12"
             db-backend: "mysql"
             nautobot-version: "stable"
     runs-on: "ubuntu-22.04"
@@ -142,6 +147,10 @@ jobs:
         uses: "actions/checkout@v4"
       - name: "Setup environment"
         uses: "networktocode/gh-action-setup-poetry-environment@v6"
+      - name: "Constrain Nautobot version and regenerate lock file"
+        env:
+          INVOKE_NAUTOBOT_SECRETS_PROVIDERS_LOCAL: "true"
+        run: "poetry run invoke lock --constrain-nautobot-ver --constrain-python-ver"
       - name: "Set up Docker Buildx"
         id: "buildx"
         uses: "docker/setup-buildx-action@v3"
@@ -159,6 +168,7 @@ jobs:
           build-args: |
             NAUTOBOT_VER=${{ matrix.nautobot-version }}
             PYTHON_VER=${{ matrix.python-version }}
+            CI=true
       - name: "Copy credentials"
         run: "cp development/creds.example.env development/creds.env"
       - name: "Use Mysql invoke settings when needed"
@@ -167,9 +177,9 @@ jobs:
       - name: "Run Tests"
         run: "poetry run invoke unittest"
   changelog:
-    if: |
+    if: >
       contains(fromJson('["develop","ltm-1.6"]'), github.base_ref) &&
-      (github.head_ref != 'main')
+      (github.head_ref != 'main') && (!startsWith(github.head_ref, 'release'))
     runs-on: "ubuntu-22.04"
     steps:
       - name: "Check out repository code"
@@ -196,7 +206,7 @@ jobs:
       - name: "Set up Python"
         uses: "actions/setup-python@v5"
         with:
-          python-version: "3.11"
+          python-version: "3.12"
       - name: "Install Python Packages"
         run: "pip install poetry"
       - name: "Set env"
@@ -231,7 +241,7 @@ jobs:
       - name: "Set up Python"
         uses: "actions/setup-python@v5"
         with:
-          python-version: "3.11"
+          python-version: "3.12"
       - name: "Install Python Packages"
         run: "pip install poetry"
       - name: "Set env"

.github/workflows/upstream_testing.yml

@@ -4,10 +4,11 @@ name: "Nautobot Upstream Monitor"
 on:  # yamllint disable-line rule:truthy rule:comments
   schedule:
     - cron: "0 4 */2 * *"  # every other day at midnight
+  workflow_dispatch:
 
 jobs:
   upstream-test:
     uses: "nautobot/nautobot/.github/workflows/plugin_upstream_testing_base.yml@develop"
     with:  # Below could potentially be collapsed into a single argument if a concrete relationship between both is enforced
       invoke_context_name: "NAUTOBOT_SECRETS_PROVIDERS"
-      plugin_name: "nautobot-app-secrets-providers"
+      plugin_name: "nautobot-secrets-providers"

README.md

@@ -23,6 +23,7 @@ This app supports the following popular secrets backends:
 
 | Secrets Backend                                                                | Supported Secret Types                                                                                                                                                                        | Supported Authentication Methods                                                                                                                                                                                                                                                                           |
 | ------------------------------------------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| [1Password](https://1password.com) | [Hosted Password Management](https://1password.com/password-management) | [Service Account Token](https://developer.1password.com/docs/service-accounts/) |
 | [AWS Secrets Manager](https://aws.amazon.com/secrets-manager/)                 | [Other: Key/value pairs](https://docs.aws.amazon.com/secretsmanager/latest/userguide/manage_create-basic-secret.html)                                                                         | [AWS credentials](https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html) (see Usage section below)                                                                                                                                                                                         |
 | [AWS Systems Manager Parameter Store](https://aws.amazon.com/secrets-manager/) | [Other: Key/value pairs](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-parameter-store.html)                                                                   | [AWS credentials](https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html) (see Usage section below)                                                                                                                                                                                         |
 | [Azure Key Vault](https://learn.microsoft.com/en-us/azure/key-vault/)          | [Key Vault Secrets](https://learn.microsoft.com/en-us/azure/key-vault/secrets/about-secrets)                                                                                                  | [Entra ID Service Principal](https://learn.microsoft.com/en-us/python/api/azure-identity/azure.identity.environmentcredential?view=azure-python)                                                                                                                                                           |

development/Dockerfile

@@ -53,29 +53,20 @@ RUN which poetry || curl -sSL https://install.python-poetry.org | python3 - && \
 WORKDIR /source
 COPY . /source
 
-# Get container's installed Nautobot version as a forced constraint
-# NAUTOBOT_VER may be a branch name and not a published release therefor we need to get the installed version
-#  so pip can use it to recognize local constraints.
-RUN pip show nautobot | grep "^Version: " | sed -e 's/Version: /nautobot==/' > constraints.txt
+# Build args must be declared in each stage
+ARG NAUTOBOT_VER
+ARG PYTHON_VER
 
-# Use Poetry to grab dev dependencies from the lock file
-# Can be improved in Poetry 1.2 which allows `poetry install --only dev`
-#
-# We can't use the entire freeze as it takes forever to resolve with rigidly fixed non-direct dependencies,
-#   especially those that are only direct to Nautobot but the container included versions slightly mismatch
-RUN poetry export -f requirements.txt --without-hashes --extras all --output poetry_freeze_base.txt
-RUN poetry export -f requirements.txt --without-hashes --extras all --with dev --output poetry_freeze_all.txt
-RUN sort poetry_freeze_base.txt poetry_freeze_all.txt | uniq -u > poetry_freeze_dev.txt
-
-# Install all local project as editable, constrained on Nautobot version, to get any additional
-#   direct dependencies of the app
-RUN --mount=type=cache,target="/root/.cache/pip",sharing=locked \
-    pip install -c constraints.txt -e .[all]
+# Constrain the Nautobot version to NAUTOBOT_VER, fall back to installing from git branch if not available on PyPi
+# In CI, this should be done outside of the Dockerfile to prevent cross-compile build failures
+ARG CI
+RUN if [ -z "${CI+x}" ]; then \
+    INSTALLED_NAUTOBOT_VER=$(pip show nautobot | grep "^Version" | sed "s/Version: //"); \
+    poetry add --lock nautobot@${INSTALLED_NAUTOBOT_VER} --python ${PYTHON_VER} || \
+    poetry add --lock git+https://github.com/nautobot/nautobot.git#${NAUTOBOT_VER} --python ${PYTHON_VER}; fi
 
-# Install any dev dependencies frozen from Poetry
-# Can be improved in Poetry 1.2 which allows `poetry install --only dev`
-RUN --mount=type=cache,target="/root/.cache/pip",sharing=locked \
-    pip install -c constraints.txt -r poetry_freeze_dev.txt
+# Install the app
+RUN poetry install --extras all --with dev
 
 COPY development/nautobot_config.py ${NAUTOBOT_ROOT}/nautobot_config.py
 # !!! USE CAUTION WHEN MODIFYING LINES ABOVE

development/development.env

@@ -7,6 +7,7 @@ NAUTOBOT_BANNER_TOP="Local"
 NAUTOBOT_CHANGELOG_RETENTION=0
 
 NAUTOBOT_DEBUG=True
+NAUTOBOT_LOG_DEPRECATION_WARNINGS=True
 NAUTOBOT_LOG_LEVEL=DEBUG
 NAUTOBOT_METRICS_ENABLED=True
 NAUTOBOT_NAPALM_TIMEOUT=5

development/nautobot_config.py

@@ -163,5 +163,11 @@
                 },
             }
         },
+        "one_password": {
+            "vaults": {},
+            "token": os.getenv(
+                "OP_SERVICE_ACCOUNT_TOKEN",
+            ),
+        },
     },
 }

development/towncrier_template.j2

@@ -1,4 +1,15 @@
 
+# v{{ versiondata.version.split(".")[:2] | join(".") }} Release Notes
+
+This document describes all new features and changes in the release. The format is based on [Keep a
+Changelog](https://keepachangelog.com/en/1.0.0/) and this project adheres to [Semantic
+Versioning](https://semver.org/spec/v2.0.0.html).
+
+## Release Overview
+
+- Major features or milestones
+- Changes to compatibility with Nautobot and/or other apps, libraries etc.
+
 {% if render_title %}
 ## [v{{ versiondata.version }} ({{ versiondata.date }})](https://github.com/nautobot/nautobot-app-secrets-providers/releases/tag/v{{ versiondata.version}})
 
@@ -12,7 +23,11 @@
 {% if definitions[category]['showcontent'] %}
 {% for text, values in sections[section][category].items() %}
 {% for item in text.split('\n') %}
+{% if values %}
 - {{ values|join(', ') }} - {{ item.strip() }}
+{% else %}
+- {{ item.strip() }}
+{% endif %}
 {% endfor %}
 {% endfor %}
 

docs/admin/compatibility_matrix.md

@@ -7,3 +7,4 @@
 | 2.0.X                                  | 2.0.0                          | 2.99.99                       |
 | 3.0.X                                  | 2.0.0                          | 2.99.99                       |
 | 3.1.X                                  | 2.0.0                          | 2.99.99                       |
+| 3.2.X                                  | 2.0.0                          | 2.99.99                       |

docs/admin/install.md

@@ -52,6 +52,17 @@ The HashiCorp Vault provider requires the `hvac` library. This can easily be ins
 pip install nautobot-secrets-providers[hashicorp]
 ```
 
+#### 1Password Vault
+
+The 1Password Vault provider requires the `onepassword-sdk` library. This can easily be installed along with the app using the following command.
+
+```no-highlight
+pip install nautobot-secrets-providers[onepassword]
+```
+
+!!! note
+    The 1Password Vault requires a minimum version of Python 3.9.
+
 ### Access Requirements
 
 There are no special access requirements to install the app.

docs/admin/providers/index.md

@@ -6,3 +6,4 @@ This Nautobot app supports the following secrets providers:
 - [Azure](./azure_setup.md)
 - [Delinea/Thycotic](./delinea_setup.md)
 - [HashiCorp](./hashicorp_setup.md)
+- [1Password](onepassword_setup.md)

docs/admin/providers/onepassword_setup.md

@@ -0,0 +1,34 @@
+# 1Password Vault
+
+Requires a minimum of Python3.9
+
+## Prerequisites
+
+You must create a Service Account for the 1Password vault/vaults you are trying to access. You can follow the [Getting Started with Service Accounts](https://developer.1password.com/docs/service-accounts/get-started/) to assist with creating the Service Account.
+
+!!! note
+    The Service Account token needs to have access to the Vault that it is configured for. Per 1Password policy "You can't grant a service account access to your built-in Personal, Private, or Employee vault, or your default Shared vault."
+
+## Configuration
+
+You must provide a mapping in `PLUGINS_CONFIG` within your `nautobot_config.py`, for example:
+
+```python
+PLUGINS_CONFIG = {
+    "nautobot_secrets_providers": {
+        "one_password": {
+            "token": os.environ.get("OP_SERVICE_ACCOUNT_TOKEN"),
+            "vaults": {
+                "MyVault": {
+                    "token": os.environ.get("OP_SERVICE_ACCOUNT_TOKEN"),
+                },
+            },
+        },
+    },
+}
+```
+
+- `token` - (required) The 1Password Service Account Token to be used globally when it is not specified by a vault.
+- `vaults` (required) Each 1Password Vault that is supported by this app will be listed inside this dictionary.
+  - `<vault_name>` (required) The name of the vault needs to be placed as a key inside the `vaults` dictionary.
+    - `token` (optional) The 1Password Service Account Token to be used by the above vault, if overriding the global `token`.

docs/admin/release_notes/version_3.2.md

@@ -0,0 +1,23 @@
+
+# v3.2 Release Notes
+
+This document describes all new features and changes in the release. The format is based on [Keep a
+Changelog](https://keepachangelog.com/en/1.0.0/) and this project adheres to [Semantic
+Versioning](https://semver.org/spec/v2.0.0.html).
+
+## Release Overview
+
+- Added Python 3.12 support
+- Added 1Password secrets provider (Python 3.9 and later only)
+
+## [v3.2.0 (2024-11-07)](https://github.com/nautobot/nautobot-app-secrets-providers/releases/tag/v3.2.0)
+
+### Added
+
+- [#88](https://github.com/nautobot/nautobot-app-secrets-providers/issues/88) - Added 1Password as a Secrets Provider.
+- [#150](https://github.com/nautobot/nautobot-app-secrets-providers/issues/150) - Added support for Python 3.12.
+
+### Housekeeping
+
+- Rebaked from the cookie `nautobot-app-v2.4.0`.
+- [#150](https://github.com/nautobot/nautobot-app-secrets-providers/issues/150) - Rebaked from the cookie `nautobot-app-v2.3.2`.

docs/dev/contributing.md

@@ -49,24 +49,14 @@ The branching policy includes the following tenets:
 
 Secrets Providers will observe semantic versioning, as of 1.0. This may result in a quick turnaround in minor versions to keep pace with an ever-growing feature set.
 
+### Backporting to Older Releases
+
+If you are backporting any fixes to a prior major or minor version of this app, please open an issue, comment on an existing issue, or post in the [Network to Code Slack](https://networktocode.slack.com/) (channel `#nautobot`).
+
+We will create a `release-X.Y` branch for you to open your PR against and cut a new release once the PR is successfully merged.
+
 ## Release Policy
 
 Secrets Providers has currently no intended scheduled release schedule, and will release new features in minor versions.
 
-When a new release, from `develop` to `main`, is created the following should happen.
-
-- A release PR is created from `develop` with:
-    - Update the release notes in `docs/admin/release_notes/version_<major>.<minor>.md` file to reflect the changes.
-    - Change the version from `<major>.<minor>.<patch>-beta` to `<major>.<minor>.<patch>` in `pyproject.toml`.
-    - Set the PR to the `main` branch.
-- Ensure the tests for the PR pass.
-- Merge the PR.
-- Create a new tag:
-    - The tag should be in the form of `v<major>.<minor>.<patch>`.
-    - The title should be in the form of `v<major>.<minor>.<patch>`.
-    - The description should be the changes that were added to the `version_<major>.<minor>.md` document.
-- If merged into `main`, then push from `main` to `develop`, in order to retain the merge commit created when the PR was merged
-- A post release PR is created with:
-    - Change the version from `<major>.<minor>.<patch>` to `<major>.<minor>.<patch + 1>-beta` in both `pyproject.toml` and `nautobot.__init__.__version__`.
-    - Set the PR to the proper branch, `develop`.
-    - Once tests pass, merge.
+The steps taken by maintainers when creating a new release are documented in the [release checklist](./release_checklist.md).