Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
785 views
in Technique[技术] by (71.8m points)

templates - How to evaluate a yaml key using jinja and then evaluate its value using jinja in .j2 file using ansible?

I have a kubernetes secrets manifest in the form of secret.j2 file which has a password key. This password key is supposed assigned a value from an ansible-vault encrypted string present in a dev.yml file. This dev.yml looks like below:-

dev_db_password: !vault |
    $ANSIBLE_VAULT;1.1;AES256
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

I am passing "dev" as a runtime parameter "namespace=dev" to my playbook. The stringData of secret.j2 looks like this:-

stringData:
 consoleadminpassword: "{{'{{'}} {{ namespace + '_console_password' }} {{'}}'}}"
 consolenonadminpassword: "{{'{{'}} {{ namespace + '_console_password' }} {{'}}'}}"
 dbpassword: "{{'{{'}} {{ namespace + '_console_password' }} {{'}}'}}"

When I am templating secret.j2 to secret.yml, the resulting output of stringData looks like this:-

stringData:
  consoleadminpassword: "{{ dev_console_password }}"
  consolenonadminpassword: "{{ dev_console_password }}"
  dbpassword: "{{ dev_db_password }}"

Now I want it to further evaluate the "dev_db_password" to set "dbpassword" key to the decrypted value from dev.yml while ansible templates secret.j2 to secret.yml. Is there a way to achieve this in the same line by modifying dbpassword: "{{'{{'}} {{ namespace + '_db_password' }} {{'}}'}}" ?

question from:https://stackoverflow.com/questions/65863662/how-to-evaluate-a-yaml-key-using-jinja-and-then-evaluate-its-value-using-jinja-i

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Answer

0 votes
by (71.8m points)

Q: "evaluate the dev_db_password ... while ansible templates secret.j2. Is there a way to achieve this in the same line by modifying dbpassword: ... ?"

A: Yes. There is. Try lookup plugin vars. See ansible-doc -t lookup vars

dbpassword: "{{'{{'}} {{ lookup('vars', namespace + '_db_password') }} {{'}}'}}"

For example, the template

shell> cat secret.j2
stringData:
  consoleadminpassword: "{{'{{'}} {{ lookup('vars', namespace + '_console_password') }} {{'}}'}}"
  consolenonadminpassword: "{{'{{'}} {{ lookup('vars', namespace + '_console_password') }} {{'}}'}}"
  dbpassword: "{{'{{'}} {{ lookup('vars', namespace + '_db_password') }} {{'}}'}}"

and the playbook

- hosts: localhost
  tasks:
    - template:
        src: secret.j2
        dest: secret.yml
      vars:
        namespace: dev
        dev_console_password: passwd_console
        dev_db_password: passwd_db

give

shell> cat secret.yml 
stringData:
  consoleadminpassword: "{{ passwd_console }}"
  consolenonadminpassword: "{{ passwd_console }}"
  dbpassword: "{{ passwd_db }}"

If you don't need the next evaluation of the variables (passwords) in the dictionary the template below

shell> cat secret.j2
stringData:
  consoleadminpassword: {{ lookup('vars', namespace + '_console_password') }}
  consolenonadminpassword: {{ lookup('vars', namespace + '_console_password') }}
  dbpassword: {{ lookup('vars', namespace + '_db_password') }}

will give

shell> cat secret.yml 
stringData:
  consoleadminpassword: passwd_console
  consolenonadminpassword: passwd_console
  dbpassword: passwd_db

If you put the passwords into an encrypted file

shell> cat dev.yml 
dev_console_password: passwd_console
dev_db_password: passwd_db
shell> ansible-vault encrypt dev.yml
Encryption successful
shell> cat dev.yml
$ANSIBLE_VAULT;1.1;AES256
30663636653963333864346339303034356463356234383035363561356365376130396465323736
...

the playbook will give the same results

- hosts: localhost
  vars:
    namespace: dev
  tasks:
    - include_vars: "{{ namespace }}.yml"
    - template:
        src: secret.j2
        dest: secret.yml

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...