|
|
@ -52,6 +52,10 @@ DOCUMENTATION = """
|
|
|
|
description: controls verification and validation of SSL certificates, mostly you only want to turn off with self signed ones.
|
|
|
|
description: controls verification and validation of SSL certificates, mostly you only want to turn off with self signed ones.
|
|
|
|
type: boolean
|
|
|
|
type: boolean
|
|
|
|
default: True
|
|
|
|
default: True
|
|
|
|
|
|
|
|
namespace:
|
|
|
|
|
|
|
|
version_added: "2.8"
|
|
|
|
|
|
|
|
description: namespace where secrets reside. requires HVAC 0.7.0+ and Vault 0.11+
|
|
|
|
|
|
|
|
default: None
|
|
|
|
"""
|
|
|
|
"""
|
|
|
|
|
|
|
|
|
|
|
|
EXAMPLES = """
|
|
|
|
EXAMPLES = """
|
|
|
@ -77,6 +81,10 @@ EXAMPLES = """
|
|
|
|
- name: authenticate with a Vault app role
|
|
|
|
- name: authenticate with a Vault app role
|
|
|
|
debug:
|
|
|
|
debug:
|
|
|
|
msg: "{{ lookup('hashi_vault', 'secret=secret/hello:value auth_method=approle role_id=myroleid secret_id=mysecretid url=http://myvault:8200')}}"
|
|
|
|
msg: "{{ lookup('hashi_vault', 'secret=secret/hello:value auth_method=approle role_id=myroleid secret_id=mysecretid url=http://myvault:8200')}}"
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
- name: Return all secrets from a path in a namespace
|
|
|
|
|
|
|
|
debug:
|
|
|
|
|
|
|
|
msg: "{{ lookup('hashi_vault', 'secret=secret/hello token=c975b780-d1be-8016-866b-01d0f9b688a5 url=http://myvault:8200 namespace=teama/admins')}}"
|
|
|
|
"""
|
|
|
|
"""
|
|
|
|
|
|
|
|
|
|
|
|
RETURN = """
|
|
|
|
RETURN = """
|
|
|
@ -109,6 +117,7 @@ class HashiVault:
|
|
|
|
def __init__(self, **kwargs):
|
|
|
|
def __init__(self, **kwargs):
|
|
|
|
|
|
|
|
|
|
|
|
self.url = kwargs.get('url', ANSIBLE_HASHI_VAULT_ADDR)
|
|
|
|
self.url = kwargs.get('url', ANSIBLE_HASHI_VAULT_ADDR)
|
|
|
|
|
|
|
|
self.namespace = kwargs.get('namespace', None)
|
|
|
|
|
|
|
|
|
|
|
|
# split secret arg, which has format 'secret/hello:value' into secret='secret/hello' and secret_field='value'
|
|
|
|
# split secret arg, which has format 'secret/hello:value' into secret='secret/hello' and secret_field='value'
|
|
|
|
s = kwargs.get('secret')
|
|
|
|
s = kwargs.get('secret')
|
|
|
@ -134,6 +143,9 @@ class HashiVault:
|
|
|
|
self.verify = self.boolean_or_cacert(kwargs.get('validate_certs', True), kwargs.get('cacert', ''))
|
|
|
|
self.verify = self.boolean_or_cacert(kwargs.get('validate_certs', True), kwargs.get('cacert', ''))
|
|
|
|
if self.auth_method and self.auth_method != 'token':
|
|
|
|
if self.auth_method and self.auth_method != 'token':
|
|
|
|
try:
|
|
|
|
try:
|
|
|
|
|
|
|
|
if self.namespace is not None:
|
|
|
|
|
|
|
|
self.client = hvac.Client(url=self.url, verify=self.verify, namespace=self.namespace)
|
|
|
|
|
|
|
|
else:
|
|
|
|
self.client = hvac.Client(url=self.url, verify=self.verify)
|
|
|
|
self.client = hvac.Client(url=self.url, verify=self.verify)
|
|
|
|
# prefixing with auth_ to limit which methods can be accessed
|
|
|
|
# prefixing with auth_ to limit which methods can be accessed
|
|
|
|
getattr(self, 'auth_' + self.auth_method)(**kwargs)
|
|
|
|
getattr(self, 'auth_' + self.auth_method)(**kwargs)
|
|
|
@ -153,6 +165,9 @@ class HashiVault:
|
|
|
|
if self.token is None:
|
|
|
|
if self.token is None:
|
|
|
|
raise AnsibleError("No Vault Token specified")
|
|
|
|
raise AnsibleError("No Vault Token specified")
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
if self.namespace is not None:
|
|
|
|
|
|
|
|
self.client = hvac.Client(url=self.url, token=self.token, verify=self.verify, namespace=self.namespace)
|
|
|
|
|
|
|
|
else:
|
|
|
|
self.client = hvac.Client(url=self.url, token=self.token, verify=self.verify)
|
|
|
|
self.client = hvac.Client(url=self.url, token=self.token, verify=self.verify)
|
|
|
|
|
|
|
|
|
|
|
|
if not self.client.is_authenticated():
|
|
|
|
if not self.client.is_authenticated():
|
|
|
|