Hi,

The problem we're facing is that we'd like to assign a minion multiple roles (via a merged pillar list) like the following:

```yaml
roles:
  - roleA
  - roleB
  - roleC
```

Having salt-master configured like...

```yaml
vault:
  metadata:
    entity:
      minion-id: '{minion}'
      role: '{pillar[roles]}'
```

... leads to a vault entity metadata entry of

Currently we kinda 'workaround' with having salt-master configured like...

```yaml
vault:
  metadata:
    entity:
      minion-id: '{minion}'
      role0: '{pillar[roles][0]}'
      role1: '{pillar[roles][1]}'
      role2: '{pillar[roles][2]}'
      role3: '{pillar[roles][3]}'
      roleN: '{pillar[roles][N]}'
```

... and extending the vault policy accordingly...

saltext-vault/src/saltext/vault/runners/vault.py, line 1041 in f7204c9:

--- vault.py.org 2024-12-06 18:32:35.055564665 +0000
+++ vault.py 2024-12-06 18:31:58.256113406 +0000
@@ -1038,7 +1038,7 @@ def _get_metadata(minion_id, metadata_pa
try:
for expanded_pattern in helpers.expand_pattern_lists(pattern, **mappings):
metadata[key].append(expanded_pattern.format(**mappings))
- except KeyError:
+ except (KeyError, IndexError):
log.warning(
"Could not resolve metadata pattern %s for minion %s",
pattern,

... and also leads to having metadata role0-N set, even with empty values - which I actually don't know if this might lead to any unknown side effects/issues. The question that arises is, how to properly use the comma-separated value from vault's metadata to have pillars set correctly, if possible?

I hope I was able to describe the problem thoroughly enough,

Kind Regards,
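Review bot: catching `IndexError` alongside `KeyError` in the `except` clause makes an out-of-range `{pillar[roles][N]}` pattern skip the `metadata[key].append(...)` line with only a warning, so if `metadata[key]` is created before the loop (not shown in the hunk) the key survives with an empty list, which matches the empty `role0`..`roleN` values described in the post; consider dropping keys for which no pattern resolved. Both exceptions now share the single message "Could not resolve metadata pattern %s for minion %s", so including the exception type in the log call (or `exc_info=True`) would let an operator tell an out-of-range index apart from an unknown pillar key, and since the per-index workaround triggers this once per missing index on every lookup, a lower log level for the `IndexError` case may be appropriate.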
Replies: 2 comments 1 reply
Thanks for the thorough explanation! This is an issue that has itched me for a long time with no clear answer so far. I really wish Vault supported composite values for templates, but it does not seem likely this will exist at some point.

Joining the entity metadata into a sorted comma-separated list is a very poor ~~workaround~~ bandaid for this missing functionality and I'm open to any suggestions for improving the situation, e.g. assigning `role_0` etc. instead (or in addition). It's still not ideal, but (on first glance!) seems like a much better compromise.

I use multiple minion roles myself, but template the assigned Vault roles instead:

```yaml
vault:
  # ...
  policies:
    assign:
      - salt_minions
      - salt_minion_{minion}
      - salt_role_{pillar[roles]}
  # ...
```

This sadly removes the benefits of templated policies, necessitating management of the corresponding (regular) role policies some other way (e.g. the state module or Terraform).

Edit: I investigated another solution to this via identity groups, but it seems policy templates can only reference a specific group (see the available parameters), which defeats this idea.

Edit 2: I implemented a draft of your proposal in #105 (sorry for including minor unrelated changes :]). Atm I think it's an acceptable workaround for an annoying situation and should work as expected.
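An added illustration of the two behaviours discussed in this thread (not saltext-vault's code and not the draft in #105): a list-valued `{pillar[roles]}` is stringified whole by `str.format`, a per-index pattern past the end of the list raises `IndexError`, and deriving `role_0..N` keys from the actual list length avoids the empty leftover values. The function names `render_metadata` and `indexed_role_metadata` and the sample pillar are assumptions constructed here.

```python
"""Added illustration, not saltext-vault's code: how str.format treats a
list-valued pillar entry in an entity-metadata pattern, and the per-index
workaround from the thread. All names and sample data are constructed."""
from __future__ import annotations


def render_metadata(patterns: dict[str, str], minion: str, pillar: dict) -> dict[str, str]:
    """Format each pattern against the minion's mappings.

    A pattern that hits a missing pillar key (KeyError) or an index past the
    end of a list (IndexError) is skipped rather than stored with an empty
    value; the runner in the diff above logs a warning at that point.
    """
    mappings = {"minion": minion, "pillar": pillar}
    rendered: dict[str, str] = {}
    for key, pattern in patterns.items():
        try:
            rendered[key] = pattern.format(**mappings)
        except (KeyError, IndexError):
            continue
    return rendered


def indexed_role_metadata(minion: str, pillar: dict, prefix: str = "role_") -> dict[str, str]:
    """Workaround discussed in the thread: one key per list element plus the
    sorted, comma-joined form. Keys are derived from the actual list length,
    so a fixed role0..roleN template and its empty leftovers are unnecessary."""
    roles = sorted(pillar.get("roles", []))
    metadata = {"minion-id": minion, "roles": ",".join(roles)}
    metadata.update({f"{prefix}{i}": role for i, role in enumerate(roles)})
    return metadata


# Constructed sample: a minion holding three roles via a merged pillar list.
PILLAR = {"roles": ["roleC", "roleA", "roleB"]}
TEMPLATE = {
    "minion-id": "{minion}",
    "role": "{pillar[roles]}",       # the whole list is stringified, not expanded
    "role0": "{pillar[roles][0]}",   # resolves to the first element
    "role3": "{pillar[roles][3]}",   # out of range -> IndexError, skipped
    "env": "{pillar[environment]}",  # unknown pillar key -> KeyError, skipped
}

if __name__ == "__main__":
    print(render_metadata(TEMPLATE, "web01", PILLAR))
    print(indexed_role_metadata("web01", PILLAR))
```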
Thanks @lkubb for all the effort you put in there.