Creating Docker secrets from file system #35119
Comments
This can be accomplished by using I'll however leave this open as a feature idea as there may be some reason why lookup won't suffice, where the file you are trying to use has non-ASCII characters that could cause trouble.
@sivel Thank you for the info. I'll try that pattern and I expect that it should work for me.
I was able to use
@sivel Will lookup modify the data it reads in? I've seen some weird behavior that I'm tracking down where JSON loaded through this method appears to be modified when viewing it inside the running service container. Here are some of the changes that I've observed so far:
The modification of JSON data is likely very closely related to the info provided in #34595 (comment). Trying to pipe JSON through Jinja2 in Ansible currently will end up converting the JSON to a Python dictionary.
@sgtpanic I think it would be good to have the option to create secrets from binary data (which currently doesn't really work). There are two options:
Both options have advantages and disadvantages:
@ushuz since you added the
For However, if the module itself or
@sgtpanic Could you provide more details? Is it
@ushuz That JSON didn't really work is not that much of a surprise, since Ansible tries (and has to try, for a lot of things to work!) at different places to interpret strings as YAML (which is a super-set of JSON), and re-encodes them when a string is needed. That's why keeping stuff base64 encoded is a good thing (as Ansible then won't modify it). It helps both for JSON and for binary data :) I had some trouble with binary data when playing with TLS ALPN authentication for ACME (there, the ACME server returns a binary blob which needs to be inserted into an x509 certificate); it didn't work very well (there were some less/more problems with Python 2 or 3, I don't remember which), and I asked on the ansible-devel mailing list how to handle binary data, and it was suggested to move it around base64 encoded. (That's also how the slurp module returns it.) I guess the easiest will be to add an option to (And for
The option you proposed seems applicable to any modules that potentially accept binary data. As the root causes are some Ansible design decisions and Python 2 / 3, IMO it would be better to handle this at a higher level, instead of dealing with it in each module affected. For JSON,
I created a PR for this (#49688), which adds an option to Base64-decode
With the PR just merged (which will be included in Ansible 2.8, to be released this spring/summer), you can do
This only works for files on the control node; for files on the remote node, you need to |
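Putting the merged option to use, as an added example that is not from the issue thread or the Ansible project's own documentation: one playbook that creates a secret from a control-node file and one from a remote-node file, keeping the payload base64-encoded end to end so Ansible's YAML/Jinja handling never re-interprets it. It assumes the option added by the PR is named data_is_b64, that the file lookup accepts rstrip=False, and uses constructed host and path names.

```yaml
# Added example (not from the issue or the Ansible docs). Assumes the
# Ansible 2.8 docker_secret module with the data_is_b64 option.
- name: Create Docker secrets from files (control node and remote node)
  hosts: swarm_manager            # constructed inventory group
  vars:
    local_key_path: files/app.key             # constructed path on the control node
    remote_props_path: /opt/app/app.properties  # constructed path on the remote node
  tasks:
    - name: Secret from a file on the control node
      docker_secret:
        name: app_tls_key
        # lookup('file') reads on the control node; rstrip=False keeps the
        # trailing newline so the secret is byte-for-byte the file content.
        # b64encode wraps it before Ansible can parse it as YAML/JSON.
        data: "{{ lookup('file', local_key_path, rstrip=False) | b64encode }}"
        data_is_b64: true
        state: present
      no_log: true                # keep key material out of task output

    - name: Read a file on the remote node (slurp already returns base64)
      slurp:
        src: "{{ remote_props_path }}"
      register: props_file
      no_log: true

    - name: Secret from the remote file
      docker_secret:
        name: app_properties
        data: "{{ props_file.content }}"   # already base64, pass through untouched
        data_is_b64: true
        state: present
      no_log: true
```

For non-UTF-8 binary files, lookup('file') decodes the content as text and can fail or alter bytes; slurp (delegated to localhost for control-node files) reads raw bytes and is the safer path.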
ISSUE TYPE
COMPONENT NAME
docker_secret
ANSIBLE VERSION
CONFIGURATION
NA
OS / ENVIRONMENT
N/A
SUMMARY
I think that docker_secret is an excellent addition to Ansible and I am interested to use it to manage infrastructure. I looked at it today but it appears that I can only create secrets from strings, not directly from files (e.g. I have a property file that I would like to turn into a secret or convert an SSL private key into a secret). I considered cat-ing the file into a variable but I was hoping for something more direct. Is this correct and I'm limited to only strings? I understand it's only in preview so it's not the final iteration. If I can't create secrets from files, I'd be glad to add functionality to the module with some guidance.
STEPS TO REPRODUCE
I was hoping to do something like the below.
EXPECTED RESULTS
ACTUAL RESULTS