...
|
...
|
@@ -47,16 +47,24 @@ DOCUMENTATION = """
|
47
|
47
|
"""
|
48
|
48
|
|
49
|
49
|
EXAMPLES = """
|
50
|
|
-- debug: msg="{{ lookup('hashi_vault', 'secret=secret/hello:value token=c975b780-d1be-8016-866b-01d0f9b688a5 url=http://myvault:8200')}}"
|
|
50
|
+- debug:
|
|
51
|
+ msg: "{{ lookup('hashi_vault', 'secret=secret/hello:value token=c975b780-d1be-8016-866b-01d0f9b688a5 url=http://myvault:8200')}}"
|
51
|
52
|
|
52
|
|
-- name: Vault that requires authentication via ldap
|
53
|
|
- debug: msg="{{ lookup('hashi_vault', 'secret=secret/hello:value auth_method=ldap mount_point=ldap username=myuser password=mypas url=http://myvault:8200')}}"
|
|
53
|
+- name: Return all secrets from a path
|
|
54
|
+ debug:
|
|
55
|
+ msg: "{{ lookup('hashi_vault', 'secret=secret/hello token=c975b780-d1be-8016-866b-01d0f9b688a5 url=http://myvault:8200')}}"
|
|
56
|
+
|
|
57
|
+- name: Vault that requires authentication via LDAP
|
|
58
|
+ debug:
|
|
59
|
+ msg: "{{ lookup('hashi_vault', 'secret=secret/hello:value auth_method=ldap mount_point=ldap username=myuser password=mypas url=http://myvault:8200')}}"
|
54
|
60
|
|
55
|
61
|
- name: Using an ssl vault
|
56
|
|
- debug: msg="{{ lookup('hashi_vault', 'secret=secret/hola:value token=c975b780-d1be-8016-866b-01d0f9b688a5 url=https://myvault:8200 validate_certs=False')}}"
|
|
62
|
+ debug:
|
|
63
|
+ msg: "{{ lookup('hashi_vault', 'secret=secret/hola:value token=c975b780-d1be-8016-866b-01d0f9b688a5 url=https://myvault:8200 validate_certs=False')}}"
|
57
|
64
|
|
58
|
65
|
- name: using certificate auth
|
59
|
|
- debug: msg="{{ lookup('hashi_vault', 'secret=secret/hi:value token=xxxx-xxx-xxx url=https://myvault:8200 validate_certs=True cacert=/cacert/path/ca.pem')}}"
|
|
66
|
+ debug:
|
|
67
|
+ msg: "{{ lookup('hashi_vault', 'secret=secret/hi:value token=xxxx-xxx-xxx url=https://myvault:8200 validate_certs=True cacert=/cacert/path/ca.pem')}}"
|
60
|
68
|
"""
|
61
|
69
|
|
62
|
70
|
RETURN = """
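Review bot: The new "Return all secrets from a path" example (the `secret=secret/hello` lookup with no `:field`) prints the entire secret map through `debug`, and the neighbouring examples embed a literal Vault token and a plaintext LDAP `password=mypas` in the playbook text, so anyone copying them checks credentials into source and dumps secret values into job output. I would add `no_log: true` to the debug tasks that render secret values and a one-line comment above the token examples such as `# Prefer supplying the token via an environment variable or an Ansible Vault-encrypted variable rather than inline` — whether this plugin falls back to an environment token is not visible in this hunk, so confirm before wording it that way. The "Using an ssl vault" example keeps `validate_certs=False`; a comment like `# validate_certs=False disables TLS verification; only for test setups` would stop it being copied into production playbooks unchanged.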
|
...
|
...
|
@@ -100,10 +108,10 @@ class HashiVault:
|
100
|
100
|
if len(s_f) >= 2:
|
101
|
101
|
self.secret_field = s_f[1]
|
102
|
102
|
else:
|
103
|
|
- self.secret_field = 'value'
|
|
103
|
+ self.secret_field = ''
|
104
|
104
|
|
105
|
|
- # if a particular backend is asked for (and its method exists) we call it, otherwise drop through to using
|
106
|
|
- # token auth. this means if a particular auth backend is requested and a token is also given, then we
|
|
105
|
+ # If a particular backend is asked for (and its method exists) we call it, otherwise drop through to using
|
|
106
|
+ # token auth. This means if a particular auth backend is requested and a token is also given, then we
|
107
|
107
|
# ignore the token and attempt authentication against the specified backend.
|
108
|
108
|
#
|
109
|
109
|
# to enable a new auth backend, simply add a new 'def auth_<type>' method below.
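Review bot: Changing the default `self.secret_field` from `'value'` to `''` silently changes what existing playbooks get back: a lookup written as `secret=secret/hello` used to yield only the `value` field and now yields the whole data dict, which a template or debug task will render with every key of the secret in it. The new line carries no comment explaining that, so I would write `self.secret_field = ''  # no ':field' suffix: return the whole secret dict, not just 'value'` and make sure the DOCUMENTATION change (outside this hunk) calls the behaviour change out. If backward compatibility matters to users, a deprecation warning when no field is given would ease the transition. The enclosing method starts above this hunk.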
|
...
|
...
|
@@ -143,7 +151,7 @@ class HashiVault:
|
143
|
143
|
if data is None:
|
144
|
144
|
raise AnsibleError("The secret %s doesn't seem to exist for hashi_vault lookup" % self.secret)
|
145
|
145
|
|
146
|
|
- if self.secret_field == '': # secret was specified with trailing ':'
|
|
146
|
+ if self.secret_field == '':
|
147
|
147
|
return data['data']
|
148
|
148
|
|
149
|
149
|
if self.secret_field not in data['data']:
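Review bot: Dropping the `# secret was specified with trailing ':'` comment leaves the `self.secret_field == ''` branch unexplained, and it now covers two cases (`path:` and plain `path`), so a maintainer will not see why an empty field means "everything". I would restore it as `if self.secret_field == '':  # no field requested ('path' or 'path:'): return every key in the secret`. Because this branch hands back the full `data['data']` mapping, callers rendering it into templates or logs expose every key of the secret, which is worth a sentence in the plugin's documentation. The enclosing method begins above this hunk.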
|