Create secrets or configs from files already on remote #64

Closed
Zialus opened this issue Jan 2, 2021 · 7 comments · Fixed by #203
Labels
docker-swarm Docker Swarm

Zialus commented Jan 2, 2021

SUMMARY

Would it be possible to create secrets and/or configs from files already on the remote?
This would be especially useful for a GitOps workflow. One would use the git module to clone a repo with all the configs/secrets and use the docker_config/docker_secret module to add them to swarm.

ISSUE TYPE
  • Feature Idea
COMPONENT NAME
  • community.general.docker_secret
  • community.general.docker_config
ADDITIONAL INFORMATION

These are the current examples in the documentation:

- name: Create secret foo (from a file on the control machine)
  community.general.docker_secret:
    name: foo
    # If the file is JSON or binary, Ansible might modify it (because
    # it is first decoded and later re-encoded). Base64-encoding the
    # file directly after reading it prevents this from happening.
    data: "{{ lookup('file', '/path/to/secret/file') | b64encode }}"
    data_is_b64: true
    state: present

- name: Create config foo (from a file on the control machine)
  community.general.docker_config:
    name: foo
    # If the file is JSON or binary, Ansible might modify it (because
    # it is first decoded and later re-encoded). Base64-encoding the
    # file directly after reading it prevents this from happening.
    data: "{{ lookup('file', '/path/to/config/file') | b64encode }}"
    data_is_b64: true
    state: present

Possibly a new flag could be added to indicate whether the source of the data is the machine running ansible or the target server.

@Zialus Zialus changed the title Create Secrets or configs from files already on remote Create secrets or configs from files already on remote Jan 2, 2021
@felixfontein
Collaborator

What would make sense is to add a data_src parameter, mutually exclusive with data, which allows reading from a file on the remote. Modules can only read data from the remote machine, not from the controller (only action plugins can do that), so a flag doesn't really make sense.

@Zialus
Author

Zialus commented Jan 2, 2021

Sure, that would be great!

@WojciechowskiPiotr
Collaborator

Why exclusive? The data points to the file location; the data_src may take the values local (by default) or remote, depending on whether the file is located on a local or remote host. But we need to exclude a situation where you connect to Docker Engine via API, not the local socket. In such a case, only the local value can be permitted.

@felixfontein
Collaborator

@WojciechowskiPiotr data_src would be a path on the system where the module is executed (i.e. the remote host). The module cannot access files on the controller, except if it is executed there (or in case we add an accompanying action module - but I don't think that's necessary, since there's already a way more flexible mechanism when the data parameter is combined with lookups).

@felixfontein felixfontein added the docker-swarm Docker Swarm label Jan 2, 2021
@WojciechowskiPiotr
Collaborator

Ok, I forgot we cannot send data to a remote host the way I wanted to send it :)

@felixfontein
Collaborator

Yes, that requires an accompanying action plugin :) It's definitely possible to do that, but I don't think it's worth the effort here, since using lookups is a lot more flexible.

@felixfontein
Collaborator

resolved_by_pr #203
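
The request in this thread can also be met with the existing data parameter by reading the remote file with ansible.builtin.slurp. The playbook below is an added example, not code from the issue, its participants or the collection's documentation; the host group, file path and the commented data_src task (the parameter proposed above, assumed to behave as described in the thread) are assumptions.

```yaml
# Added example. Host group, paths and secret name are constructed placeholders.
- name: Create a swarm secret from a file that already exists on the remote
  hosts: swarm_managers            # assumed inventory group
  tasks:
    - name: Read the secret file on the remote host
      ansible.builtin.slurp:
        src: /srv/gitops/secrets/db_password   # assumed path, e.g. from a git checkout
      register: remote_secret
      # slurp returns the file base64-encoded in the task result, so keep
      # that result out of console output and log files.
      no_log: true

    - name: Create secret foo from the slurped content
      community.general.docker_secret:
        name: foo
        # Already base64, so no decode/re-encode step can alter JSON or
        # binary content.
        data: "{{ remote_secret.content }}"
        data_is_b64: true
        state: present
      no_log: true

    # With the data_src parameter proposed in this thread (mutually
    # exclusive with data), the module would read the file itself on the
    # remote host. Assumption: parameter name and semantics as described
    # in the comments above; check the module documentation of the
    # installed collection version before relying on it.
    # - name: Create secret foo directly from the remote file
    #   community.general.docker_secret:
    #     name: foo
    #     data_src: /srv/gitops/secrets/db_password
    #     state: present
```

With slurp the secret content travels to the controller and back inside task data, which is why both tasks set no_log; a module-side read such as data_src keeps the content on the remote host.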
