
Comments (11)

TerryHowe commented on July 28, 2024

I thought there was a way to do this, but I'll have to investigate.

from ansible-modules-hashivault.

TerryHowe commented on July 28, 2024

This should do it https://github.com/TerryHowe/ansible-modules-hashivault/blob/master/ansible/modules/hashivault/hashivault_read.py#L14

rattermeyer commented on July 28, 2024

The verify = False removes the error, but does not resolve the problem.
Especially as this is a security-related module, I would not like to turn off verification, but rather be able to specify / whitelist the CA cert. This could be done using VAULT_CACERT or _CAPATH (see https://www.vaultproject.io/docs/commands/environment.html).
Haven't tested the lookup module, but it seems you are already using VAULT_CAPATH there.

TerryHowe commented on July 28, 2024

Okay, maybe it isn't documented clearly enough, but this module uses hvac to access vault and hvac uses requests. Requests takes verify as a boolean or a string to the capath. I haven't tested it, but it should work:

http://docs.python-requests.org/en/master/user/advanced/#ssl-cert-verification

TerryHowe commented on July 28, 2024

The lookup plugin is a little nicer about defaulting verify: https://github.com/TerryHowe/ansible-modules-hashivault/blob/master/ansible/plugins/lookup/hashivault.py#L37

Maybe a good enhancement here would be to use, in the regular module, logic similar to what the lookup plugin uses.

rattermeyer commented on July 28, 2024

Hi,
that's what I understood as well, so I tried:

hashivault_status:
  verify: /etc/ssl/certs/cluster-ca.pem

But this results in "/etc/ssl/certs/cluster-ca.pem is not a valid boolean. Valid booleans include: y,yes,on,1,true,1,True,n,no,off,0,false,0,False"

which might come from hashivault_argspec / _init:
verify = dict(required=False, default=(not os.environ.get('VAULT_SKIP_VERIFY', '')), type='bool'),

or maybe I am missing something.

TerryHowe commented on July 28, 2024

Could you do me a favor and remove the type specified in that line from within your venv and let me know if it works. If that doesn't work, try type='str'. I don't have anything to test that right now and setting up a system to test that would be time consuming.

rattermeyer commented on July 28, 2024

Hi,
will give it a try. Need to understand how to "develop" an ansible module. Might take some days until I find time...

TerryHowe commented on July 28, 2024

No need to do real development, just edit the file in your venv directly, most likely something like editing the file $VIRTUAL_ENV/lib/python2.7/site-packages/ansible/module_utils/hashivault.py and editing line 12, I think:
verify = dict(required=False, default=(not os.environ.get('VAULT_SKIP_VERIFY', '')), type='str'),

dizzler commented on July 28, 2024

Improved support for TLS via hvac is in PR #32 https://github.com/TerryHowe/ansible-modules-hashivault/pull/32

TerryHowe commented on July 28, 2024

https://pypi.python.org/pypi/ansible-modules-hashivault it is live

from ansible-modules-hashivault.
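
The handling this thread converges on (verify accepted either as a boolean or as a CA path, with the Vault environment variables as fallback), as an added example that is not code from ansible-modules-hashivault or PR #32. The names resolve_verify and _checked_path and the precedence order are assumptions of the example; unlike the argspec line quoted above, it treats only true-like VAULT_SKIP_VERIFY values as an opt-out.

```python
import os

# Boolean spellings taken from the Ansible error message quoted in the thread.
_TRUE = {"y", "yes", "on", "1", "true"}
_FALSE = {"n", "no", "off", "0", "false"}


def _checked_path(path):
    # Fail closed: a mistyped CA path must not degrade to "no verification".
    if not os.path.exists(path):
        raise ValueError("CA path does not exist: %s" % path)
    return path


def resolve_verify(param=None, environ=None):
    """Return a value usable as requests' `verify`: True, False or a CA path.

    Precedence (an assumption of this example): explicit module parameter,
    then VAULT_CACERT / VAULT_CAPATH, then VAULT_SKIP_VERIFY, else True.
    """
    environ = os.environ if environ is None else environ

    if param is None or param == "":
        ca = environ.get("VAULT_CACERT") or environ.get("VAULT_CAPATH")
        if ca:
            return _checked_path(ca)
        # Verification stays on unless the operator explicitly opted out.
        skip = environ.get("VAULT_SKIP_VERIFY", "").strip().lower()
        return skip not in _TRUE

    if isinstance(param, bool):
        return param

    text = str(param).strip()
    if text.lower() in _TRUE:
        return True
    if text.lower() in _FALSE:
        return False
    # Anything that is not a boolean spelling is a CA bundle file or directory.
    return _checked_path(text)
```

The returned value can be handed unchanged to anything that follows the requests convention for verify, which is what the thread says hvac does.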
