# Can cert_filepath and key_filepath be enhanced to take the content of certificate content?


vale steppe

I am using certificate-based authentication in netapp.ontap modules, love it. However, to make certificates secure, I have to encrypt the certificate files in ansible-vault, and when running the Ansible playbook, decrypt them to temporary files and supply them to "cert_filepath" and "key_filepath", then remove them. It's cumbersome and can be insecure.

Is there a way for netapp.ontap modules to accept the decrypted content directly? We are also exploring a solution to use a remote CyberArk vault for storing certificates. This will help.

vale steppe

@short loom do you have any ideas how this can be done?

short loom

I haven't used ansible-vault before, so I'm not 100% sure this works. But I think something like this:

    - name: Manage NetApp volume
      hosts: localhost
      gather_facts: no
      vars:
        netapp_username: "{{ lookup('ansible.parsing.vault', 'vault_netapp_username') }}"
        netapp_password: "{{ lookup('ansible.parsing.vault', 'vault_netapp_password') }}"
      tasks:
        - name: Create volume
          na_ontap_volume:
            state: present
            name: my_volume
            vserver: my_vserver
            aggregate_name: my_aggregate
            size: 20
            size_unit: gb
            username: "{{ netapp_username }}"
            password: "{{ netapp_password }}"
            hostname: "{{ netapp_hostname }}"

and then run something like

    ansible-playbook playbook.yml --ask-vault-pass

vale steppe

Thanks for the example. My understanding is that setting a variable to a file's content works, but certificate-based authentication requires a path to a file. For example:

        - name: run ontap info module to check connectivity
          connection: local
          netapp.ontap.na_ontap_rest_info:
              hostname: "{{ inventory_hostname }}"
              https: true
              validate_certs: false
              cert_filepath: "/path/to/cert_file"
              key_filepath: "/path/to/key_file"
              gather_subset: cluster
              fields: "name"
          tags: always

If cert_filepath can accept content like a variable, that would be great, as well as "key_filepath".

vale steppe

Or maybe a different param, like:

    cert: "{{ cert_content }}"
    key: "{{ key_content }}"

vale steppe

@short loom Does the NetApp REST library support the content of a certificate? If not, can it be added? I don't understand why it can support a file path but not the content itself.

short loom
vale steppe

@short loom Just to be clear, you want me to ask this in the ontap-api forum?
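
The temporary-file workflow described in the first post, as an added example that is not part of the thread or the netapp.ontap project: vaulted PEM text is written to an owner-only temporary directory, passed to cert_filepath and key_filepath, and removed in an always section even when a task fails. The variable names vault_ontap_cert and vault_ontap_key and the ontap_clusters inventory group are assumptions.

```yaml
# Added example, not code from the thread.
# Assumed: vault_ontap_cert / vault_ontap_key hold PEM text and come from an
# ansible-vault encrypted vars file; ontap_clusters is a hypothetical group.
- name: ONTAP certificate auth from vaulted PEM content
  hosts: ontap_clusters
  connection: local            # every task below runs on the control node
  gather_facts: false
  tasks:
    - name: Use short-lived key material
      block:
        - name: Create a private temporary directory (created with mode 0700)
          ansible.builtin.tempfile:
            state: directory
            suffix: .ontap
          register: pem_dir

        - name: Write certificate and key with owner-only permissions
          ansible.builtin.copy:
            content: "{{ item.content }}"
            dest: "{{ pem_dir.path }}/{{ item.name }}"
            mode: "0600"
          loop:
            - { name: cert.pem, content: "{{ vault_ontap_cert }}" }
            - { name: key.pem, content: "{{ vault_ontap_key }}" }
          no_log: true         # keep PEM text out of task output and logs

        - name: Run ontap info module to check connectivity
          netapp.ontap.na_ontap_rest_info:
            hostname: "{{ inventory_hostname }}"
            https: true
            validate_certs: false   # kept from the thread's example
            cert_filepath: "{{ pem_dir.path }}/cert.pem"
            key_filepath: "{{ pem_dir.path }}/key.pem"
            gather_subset: cluster
            fields: "name"

      always:
        - name: Remove the temporary directory even if a task failed
          ansible.builtin.file:
            path: "{{ pem_dir.path }}"
            state: absent
          when: pem_dir.path is defined
```

The decrypted key still exists on the control node's disk for the duration of the block, so this narrows the exposure window and file permissions but does not replace a module parameter that accepts content directly.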