Move asset management secrets in vault to site-specific path

8917df17 · František Dvořák · feab494a · 8917df17 · 8917df17
Commit 8917df17 authored 6 months ago by František Dvořák
--- a/common/playbooks/security-assets.yaml
+++ b/common/playbooks/security-assets.yaml
 ---
 #
-# Secrets in "/glpi-agent":
+# Secrets in "/{{ site_name }}":
 #
-# * server (or local)
-# * user
-# * password
-# * tag
+# Anything starting "glpi_" will be propagated to the confiugration.
+#
+# Expected secrets:
+#
+# * glpi_local (for debugging)
+# * glpi_server (for remote assets management integration)
+# * glpi_user
+# * glpi_password
+# * glpi_tag
 #
 - name: GLPI Agent Configuration
  hosts: allnodes
@@ -13,7 +18,7 @@
  tasks:
    - name: Get Secrets From Vault
      set_fact:
-        secret: "{{ lookup('community.hashi_vault.hashi_vault', vault_mount_point + '/glpi-agent', token_validate=false) }}"
+        secret: "{{ lookup('community.hashi_vault.hashi_vault', vault_mount_point + '/site-' + site_name, token_validate=false) }}"
    - name: Debug Secrets
      debug:
        msg: "{{ item.key }} = {{ item.value }}"

--- a/common/playbooks/templates/etc/glpi-agent/conf.d/01-eosc.cfg.j2
+++ b/common/playbooks/templates/etc/glpi-agent/conf.d/01-eosc.cfg.j2
 {{ ansible_managed | comment }}

 {% for key, value in secret.items() -%}
-{% if value|length -%}
-{{ key }} = {{ value }}
+{% if key | regex_search('^glpi_') -%}
+{{ key | regex_replace('^glpi_', '') }} = {{ value }}
 {% endif -%}
 {% endfor -%}