ansible-collections / community.hashi_vault

Ansible collection for managing and working with HashiCorp Vault.
https://docs.ansible.com/ansible/devel/collections/community/hashi_vault/index.html
GNU General Public License v3.0

[env] Support reading a ca certificate path from VAULT_CACERT #75

Closed Laikulo closed 3 years ago

Laikulo commented 3 years ago
SUMMARY

Make ca_cert default to env:VAULT_CACERT

ISSUE TYPE
COMPONENT NAME

hashi_vault lookup plugin

ADDITIONAL INFORMATION

Presently, when using hashi_vault with a non-public CA, the user must specify the CA certificate as part of the lookup parameters.
It would be nice if hashi_vault matched the vault client's behavior, and used a CA from VAULT_CACERT if available.

Currently, I am using the following workaround:

#inventory.yaml
all:
  vars:
    some_secret_thing: "{{ lookup('hashi_vault', 'secret=secret/data/somesecret:somevalue', ca_cert=lookup('env','VAULT_CACERT'))}}"

briantist commented 3 years ago

Hi @ArchLayperson, thanks for submitting. This seems like a reasonable change, and should be possible for v1.2.0.

In following #10, we'll probably also introduce an ANSIBLE_HASHI_VAULT_-prefixed version, and INI file support, with the VAULT_CACERT version having the lowest priority.
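The precedence chain proposed above (lookup parameter, then an ANSIBLE_HASHI_VAULT_-prefixed variable, then INI, then VAULT_CACERT last), written out as an added illustration rather than the collection's own code. The names ANSIBLE_HASHI_VAULT_CA_CERT and the [hashi_vault_collection] INI section are assumptions for this example; the second function adds the check a practitioner wants, so that a mistyped CA path fails instead of silently weakening TLS verification.

```python
import configparser
import os
from typing import Mapping, Optional

# Assumed names for this example (not taken from the thread).
ENV_PREFIXED = "ANSIBLE_HASHI_VAULT_CA_CERT"
ENV_VAULT_CLIENT = "VAULT_CACERT"
INI_SECTION = "hashi_vault_collection"
INI_KEY = "ca_cert"


def resolve_ca_cert(
    explicit: Optional[str],
    env: Mapping[str, str],
    ini_text: str = "",
) -> Optional[str]:
    """Return the CA bundle path to use, or None if nothing is configured.

    Order (highest first): lookup parameter > ANSIBLE_HASHI_VAULT_CA_CERT
    > INI file > VAULT_CACERT. An empty string is treated as unset, so it
    cannot mask a value configured at a lower level.
    """
    ini = configparser.ConfigParser()
    ini.read_string(ini_text)
    ini_value = ini.get(INI_SECTION, INI_KEY, fallback=None)

    candidates = (
        explicit,
        env.get(ENV_PREFIXED),
        ini_value,
        env.get(ENV_VAULT_CLIENT),
    )
    for value in candidates:
        if value:  # skips both None and ""
            return value
    return None


def checked_ca_cert(path: Optional[str]) -> Optional[str]:
    """Fail loudly if a configured CA path is not a readable file.

    A typo in VAULT_CACERT must surface as an error, not as a connection
    that quietly falls back to the system trust store or to no verification.
    """
    if path is None:
        return None
    if not os.path.isfile(path) or not os.access(path, os.R_OK):
        raise FileNotFoundError(f"CA certificate not readable: {path}")
    return path
```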

briantist commented 3 years ago

@ArchLayperson The changes referenced above have been released in v1.2.0.