Saltstack: use environment variables in an external pillar
I have a salt external pillar that is designed to connect to a remote resource and fetch secrets, then inject them into my minion's pillar data. To connect to the remote resource I need to pass the credentials securely to the external pillar. I have tried doing this from environment variables, and I would prefer not writing the credentials to disk. My issue is that salt is not able to access the environment variables I export before execution.

My external pillar looks something like this:
```python
import os

# Read once, when the module is imported, from the process environment.
access_key = os.environ.get('ACCESS_KEY', None)
secret_key = os.environ.get('SECRET_KEY', None)

def __virtual__():
    # Disable the module when either credential is missing.
    if access_key is None or secret_key is None:
        return False
    return 'my_pillar_module'
```
Then I would like to execute this code like this:
```sh
# ACCESS_KEY and SECRET_KEY are already set in this shell; mark them for export
export ACCESS_KEY
export SECRET_KEY
salt 'my.minion' pillar.data   # or any other salt invocation
```
The above execution does not work because the os.environ object does not see the exported env vars. I can get around this by writing a temporary file out and reading from it, but I was wondering if there is a better way to do this. Open to suggestions; I prefer not writing out my credentials.
I was able to set my credentials as environment variables, then pass them to the salt command via pillar data. By doing this I never write the credentials to disk. External CI/CD systems like Jenkins or GitHub Actions can call it the same way and never store creds on the box! Example below:
```sh
export MY_TOKEN
export MY_SECRET
# salt needs a function name; pillar.items is shown, any function that accepts a pillar override works
salt 'my.minion' pillar.items pillar='{"TOKEN": "'$MY_TOKEN'", "SECRET": "'$MY_SECRET'"}'
```
Then inside the external pillar I used the ext_method's pillar data to set the variables as needed.
```python
def ext_pillar(minion_id, pillar, **kwargs):
    # Credentials arrive in the pillar override passed on the command line.
    token, secret = pillar.get('TOKEN', None), pillar.get('SECRET', None)
    if not token or not secret:
        # Fail closed: contribute nothing when credentials are absent.
        return {}
    # Use credentials and return pillar data
    pillar_data = {}  # build this dict from the secrets fetched with token/secret
    return pillar_data
```
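As an added example that is not part of the question or answer above: building the `pillar=` override with `json.dumps` instead of splicing values into a shell-quoted JSON literal, and consuming it in an `ext_pillar` that fails closed. `naive_pillar_arg`, `safe_pillar_arg`, `salt_argv`, `parse_pillar_arg`, `round_trips`, `fetch_remote_secrets` and the token/secret values are assumptions; `json.loads` stands in for Salt's own parsing of the `pillar=` value, and `_REMOTE` is a constructed stand-in for the remote secret store.

```python
import hmac
import json

# Constructed stand-in for the remote secret store: token -> (secret, data).
_REMOTE = {"tok-123": ('ab"c\\d', {"db_password": "s3cr3t"})}

def naive_pillar_arg(token, secret):
    # The answer's construction: values spliced into a JSON literal. A secret
    # containing a double quote or backslash produces invalid JSON.
    return 'pillar={"TOKEN": "' + token + '", "SECRET": "' + secret + '"}'

def safe_pillar_arg(token, secret):
    # json.dumps escapes quotes and backslashes, so any secret round-trips.
    return "pillar=" + json.dumps({"TOKEN": token, "SECRET": secret})

def salt_argv(minion, function, token, secret):
    # One argv element for the override and no shell, so quoting cannot split it.
    return ["salt", minion, function, safe_pillar_arg(token, secret)]

def parse_pillar_arg(arg):
    # Stand-in for Salt's parsing of the pillar= value (JSON is valid YAML).
    if not arg.startswith("pillar="):
        raise ValueError("not a pillar override")
    return json.loads(arg[len("pillar="):])

def round_trips(build, token, secret):
    # True when the built argument parses back to the original values.
    try:
        return parse_pillar_arg(build(token, secret)) == {"TOKEN": token, "SECRET": secret}
    except ValueError:  # json.JSONDecodeError is a ValueError
        return False

def fetch_remote_secrets(token, secret):
    # Constant-time secret comparison against the stand-in store.
    entry = _REMOTE.get(token)
    if entry is None or not hmac.compare_digest(secret.encode(), entry[0].encode()):
        raise PermissionError("remote rejected credentials")
    return dict(entry[1])

def ext_pillar(minion_id, pillar, **kwargs):
    # Salt calls this on the master; credentials come from the CLI override.
    token, secret = pillar.get("TOKEN"), pillar.get("SECRET")
    if not token or not secret:
        return {}  # fail closed: contribute nothing without credentials
    try:
        data = fetch_remote_secrets(token, secret)
    except PermissionError:
        return {}
    return {"remote": data}  # fetched data only; never echo the credentials
```

Note that the override still appears in the salt process's argument list on the master, so it is visible to anyone who can list processes there.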