#harvest, vault and ansible
hi @mild barn if you list the credentials_file section in your poller, Harvest will read it as describe here https://netapp.github.io/harvest/23.02/configure-harvest-basic/#credentials-file
We also documented an example last week that may be helpful https://github.com/NetApp/harvest/discussions/1780
I'd like to go beyond the credentials-files and have it point to a script that fetches the credentials from somewhere else. For example, we use Password Manager Pro. At run-time, I'd like Harvest to run a script which fetches the current password from PMP. If the password changes, we won't have to touch Harvest at all. As long as a script call-out is in place, it shouldn't matter what password management system the customer has.
Thanks @leaden zinc, so in the credential file I can have an ansible playbook to fetch credentials?
Hi Ed, can you create a github issue for that request? I'll create one later today if you don't get to it
@mild barn the Ansible playbook would fetch the credentials and update your credentials_file. The fetching happens outside Harvest and only involves Ansible and Vault. Alternatively, vault agent templates might be a good solution too https://developer.hashicorp.com/vault/tutorials/vault-agent/agent-templates
I would be interested in this solution, since we don't have access to create hcl files in vault, ansible would work for us too.
@cloud loom and others, captured request in https://github.com/NetApp/harvest/issues/1805
@cloud loom about your auth script request. Are you asking for a script that runs before each cluster auth or only once at startup? Does execing a script pass your corporate security gauntlet? In the past, customers have expressed concern about locking down an external script. The user that runs the Harvest poller will need read/exec permissions to execute the script. Any thoughts on the API? Maybe something like:
credential_script: /path/to/script
Harvest execs the script passing two arguments via stdin: 1. address of the cluster 2. username (both read from harvest.yaml). After execing the process, Harvest reads the password on stdout of the execed process and uses that password
@low grove I wasn't sure about your reply - are you saying you'd also like something like Ed requested? If so, does the rough idea outlined above cover your use case? Or were you saying that Ansible works fine and you don't need/want anything more?
The way PMP works is that a host gets a key to get a specific password. The script on the nabox host then has the rights to go retrieve it. What you've proposed looks like it should work.
I think having it run during every poll is probably overkill and I can afford to lose some samples. At startup is a minimum, but a daily retrieval would be self-correcting if somebody forgets to restart the pollers - at worst, we lose a day of data and I could live with that.
thanks Ed, I'll update the issue with these details and come back with any questions. Makes sense and is something we'll add
@leaden zinc something like Ed stated could possibly work for us as well.
hi @cloud loom and @low grove We've added support for credential scripts. Please give it a try in nightly and let us know if it covers your use-case.
Documentation https://netapp.github.io/harvest/23.05/configure-harvest-basic/#credentials-script
Nightly build https://github.com/NetApp/harvest/releases/tag/nightly
Thanks @leaden zinc! I don't have time to write my script right now but did go through the documentation and it definitely addresses my asks.
thanks Ed!