From 8917df176acc4085493aa47c131ba76b6a343e56 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Franti=C5=A1ek=20Dvo=C5=99=C3=A1k?= <valtri@civ.zcu.cz>
Date: Wed, 28 Aug 2024 14:06:00 +0000
Subject: [PATCH] Move asset management secrets in vault to site-specific path
---
 common/playbooks/security-assets.yaml | 17 +++++++++++------
 .../etc/glpi-agent/conf.d/01-eosc.cfg.j2 | 4 ++--
 2 files changed, 13 insertions(+), 8 deletions(-)
diff --git a/common/playbooks/security-assets.yaml b/common/playbooks/security-assets.yaml
index 0ae2fe8..bd55142 100644
--- a/common/playbooks/security-assets.yaml
+++ b/common/playbooks/security-assets.yaml
@@ -1,11 +1,16 @@
 ---
 #
-# Secrets in "/glpi-agent":
+# Secrets in "/{{ site_name }}":
 #
-# * server (or local)
-# * user
-# * password
-# * tag
+# Anything starting "glpi_" will be propagated to the confiugration.
+#
+# Expected secrets:
+#
+# * glpi_local (for debugging)
+# * glpi_server (for remote assets management integration)
+# * glpi_user
+# * glpi_password
+# * glpi_tag
 #
 - name: GLPI Agent Configuration
 hosts: allnodes
@@ -13,7 +18,7 @@
 tasks:
 - name: Get Secrets From Vault
 set_fact:
- secret: "{{ lookup('community.hashi_vault.hashi_vault', vault_mount_point + '/glpi-agent', token_validate=false) }}"
+ secret: "{{ lookup('community.hashi_vault.hashi_vault', vault_mount_point + '/site-' + site_name, token_validate=false) }}"
 - name: Debug Secrets
 debug:
 msg: "{{ item.key }} = {{ item.value }}"
diff --git a/common/playbooks/templates/etc/glpi-agent/conf.d/01-eosc.cfg.j2 b/common/playbooks/templates/etc/glpi-agent/conf.d/01-eosc.cfg.j2
index 49dc79c..87a8d42 100644
--- a/common/playbooks/templates/etc/glpi-agent/conf.d/01-eosc.cfg.j2
+++ b/common/playbooks/templates/etc/glpi-agent/conf.d/01-eosc.cfg.j2
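Review bot: The new header comment documents the secrets as living in `"/{{ site_name }}"`, but the lookup in the second hunk of this file reads `vault_mount_point + '/site-' + site_name`, so the comment is missing the `site-` prefix an operator would need when creating the Vault entry; suggest `# Secrets in "/site-{{ site_name }}":`. The same comment block misspells "configuration" as `confiugration`. Since the site path is now shared with other consumers, it would also help to state that keys without the `glpi_` prefix are ignored by the template, not only that `glpi_` keys are propagated.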
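Review bot: After the path change the `secret` fact holds every key stored under the site-wide Vault path, and the `Debug Secrets` task visible as context right below the changed line still prints each `item.key = item.value` in clear text, so unrelated site secrets (not just the GLPI ones) now land in the playbook output and any collected logs. Consider narrowing the fact at the source, e.g. `secret: "{{ lookup('community.hashi_vault.hashi_vault', vault_mount_point + '/site-' + site_name, token_validate=false) | dict2items | selectattr('key', 'match', '^glpi_') | items2dict }}"`, and marking the `set_fact` task `no_log: true` so the fetched values do not appear in verbose runs. The `Debug Secrets` loop and the rest of the tasks continue outside the hunk.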
@@ -1,7 +1,7 @@ {{ ansible_managed | comment }} {% for key, value in secret.items() -%} -{% if value|length -%} -{{ key }} = {{ value }} +{% if key | regex_search('^glpi_') -%} +{{ key | regex_replace('^glpi_', '') }} = {{ value }} {% endif -%} {% endfor -%} -- GitLab
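Review bot: Replacing `{% if value|length -%}` with `{% if key | regex_search('^glpi_') -%}` drops the empty-value guard, so a `glpi_*` secret stored with an empty value now renders a bare `server = ` (or `local = `) line instead of being skipped as before; suggest `{% if key | regex_search('^glpi_') and value | length -%}`. Nothing else in the template filters values, so this condition is the only thing standing between the raw Vault entry and the agent configuration. The old hunk count suggests a blank line was lost in the collapsed listing, so the exact placement may need checking against the file.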