keystore size changed #17

Closed
ozbillwang opened this issue Sep 27, 2016 · 2 comments

ozbillwang commented Sep 27, 2016

Generate the keystore file with the command below:

keytool -keystore keystore -import -alias cert -file cert.crt -trustcacerts

But after writing it to Vault and reading it again, I found the file had changed.

# original
$ md5sum keystore
2a8231bf6b87d4f49615625d420e5894  keystore

# export from vault read
$ md5sum keystore
9151fd3262a8773f8cfc2d1790d37e52  keystore

I got an error in Java:

java.io.IOException: Invalid keystore format

After reading the comments in hashicorp/vault#1286, I encoded the keystore content with the commands below to avoid this issue, and it works.

$ base64 keystore | vault write secret/keystore value=-
$ vault read -field=value secret/keystore | base64 -d > keystore.out

$ md5sum keystore*
2a8231bf6b87d4f49615625d420e5894  keystore
2a8231bf6b87d4f49615625d420e5894  keystore.out

But when reading the content with ansible-vault:

$ cat default/main.yml
keystore: "{{ lookup('vault','secret/keystore', 'vault') | b64decode }}"

$ cat tasks/main.yml
- name: copy keystore files
  copy: content="{{ keystore }}" dest="/etc/ssl/keystore"

It is changed:

$ md5sum keystore
de81adbb412edba3a630ba6f1bcb5d34  keystore

ozbillwang commented Sep 27, 2016

OK, I confirm the problem is not in ansible-vault. I tried not piping the lookup result to the jinja2 filter, and it is still the same issue.

It is something else, maybe in the jinja2 filter b64decode.

keystore_base64: "{{ lookup('vault','secret/keystore', 'vault') }}" 
keystore: "{{ keystore_base64 | b64decode }}"

But this works:

keystore_base64: "{{ lookup('vault','secret/keystore', 'vault') }}" 

- name: copy keystore files
  copy: content="{{ keystore_base64 }}" dest="/etc/ssl/keystore.base64"

- name: decode
  shell: "base64 -d /etc/ssl/keystore.base64  > /etc/ssl/keystore"

@ozbillwang

Something to do with an existing known issue:

ansible/ansible#13794
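
An added illustration, not part of the issue thread or of the project's code: a Python sketch of why a binary keystore can change when its decoded bytes pass through a text string, while keeping it base64-encoded until the final write (the workaround above) preserves it. The text round trip in `via_text` is an assumed model of the templating path, and `SAMPLE_KEYSTORE` is constructed data.

```python
import base64
import hashlib

# Constructed sample: the JKS magic number (0xFEEDFEED) and version 2,
# followed by bytes that are not valid UTF-8, standing in for a real keystore.
SAMPLE_KEYSTORE = bytes.fromhex("feedfeed00000002") + bytes(range(0x80, 0xA0))


def md5(data: bytes) -> str:
    """Hex digest comparable to the md5sum output used in the thread."""
    return hashlib.md5(data).hexdigest()


def via_text(b64_text: str) -> bytes:
    """Decode base64, then force the result through a text string.

    Assumption: models a pipeline that can only carry text values.
    """
    raw = base64.b64decode(b64_text)
    as_text = raw.decode("utf-8", errors="replace")  # invalid bytes become U+FFFD
    return as_text.encode("utf-8")


def via_bytes(b64_text: str) -> bytes:
    """Keep the value as base64 text until the last step, then decode
    straight to bytes (what `base64 -d` does on the target host)."""
    return base64.b64decode(b64_text)


def survives(data: bytes, transport) -> bool:
    """True when the payload leaves `transport` byte-for-byte identical."""
    b64_text = base64.b64encode(data).decode("ascii")
    return md5(transport(b64_text)) == md5(data)


if __name__ == "__main__":
    encoded = base64.b64encode(SAMPLE_KEYSTORE).decode("ascii")
    for name, fn in (("text round trip", via_text), ("bytes only", via_bytes)):
        out = fn(encoded)
        print(f"{name:16} md5={md5(out)} len={len(out)} "
              f"intact={survives(SAMPLE_KEYSTORE, fn)}")
```

A plain ASCII payload passes through `via_text` unchanged, so a check of this kind only fails on binary content such as a keystore.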
