New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Execute ScriptVaultSecret on demand instead of on load #82418
base: devel
Are you sure you want to change the base?
Conversation
c960e54
to
c9dc0d3
Compare
A vault secret script can do whatever is needed to return a vault password. This can mean loading something from a local password store or accessing a remote password storage solution. When combining the password script with multiple vault_identity_list entries this adds a lot of unneeded loading of vault indentity passwords. Most of which may not be required to complete the ansible run. This commit delays executing for Script and ClientScriptVaultSecret classes until the bytes password is accessed.
c9dc0d3
to
4ef61dc
Compare
This is relevant for us, too. When can we expect this to be merged? |
This could have some unintended side-effects that work against the desired behavior. The gnarliest one off the top of my head: deferring the script execution until first secret access optimizes for "nothing runs", but when the first encounter with an encrypted file/value occurs post-fork (eg, an This also likely clashes with some upcoming changes around how undecryptable vaulted values are tracked, where we need to know if a value is decryptable before the first fork occurs (for the same reasons as above). That change would basically defeat this one anyway, at least the first time a vaulted value is encountered pre-fork. It seems like you have some use cases for vault access that aren't handled well by its original design assumptions. Are you using multiple |
Relevant for me too. As we are talking about secrets, I do not like the idea of returning "all the secrets" (or just multiple) or having them in memory just-in-case they are needed. That sounds like a big change, but ansible could handle all the secrets/credentials in a separate instance/process and accessing them is communicating with this separate instance anyway. |
Yes, we have multiple vault id's and they all map to the same script. Giving the script access to N wouldn't help much since we don't know which will be used and have to check all of them. What would help is if ansible could preprocess the secrets and collect the vault-id's that will be used and only request those. |
SUMMARY
A vault secret script can do whatever is needed to return a vault password. This can mean loading something from a local password store or accessing a remote password storage solution. When combining the password script with multiple vault_identity_list entries this adds a lot of unneeded loading of vault indentity passwords. Most of which may not be required to complete the ansible run.
This commit delays executing for Script and ClientScriptVaultSecret classes until the bytes password is accessed.
We currently have a
vault_identity_list
with 35 different entries. Each entry requires authorization and loading them takes a while making the startup time for ansible significant. Executing the password scripts on demand would solve 2 problems:ISSUE TYPE
ADDITIONAL INFORMATION