Render a Kubernetes Secret from an IdM vault
When To Use This
Use this to render review-first Kubernetes Secret manifests from IdM vault material.
Required Authority
IdM owns the payload. Kubernetes enforces only if the rendered manifest is applied.
Safety Boundary
This workflow is render-only. Confirm that this is the intended boundary before placing it in a scheduled job or AAP workflow.
Secret Handling
Do not print payload material. Use no_log: true on payload-bearing tasks. Review artifacts should redact secret values, and payload manifest rendering should be opt-in.
Inputs
- Named target objects
- Credentials with the required IdM or platform authority
- A reviewed output path or downstream task
Steps
- Confirm the target objects and authority before running.
- Run the command or task with review-friendly output.
- Inspect the returned evidence before continuing to any mutating step.
ansible-playbook playbooks/render-kubernetes-secret-from-idm-vault.yml
Example Review Manifest
This vars file drives the packaged wrapper playbook. It retrieves vault material only when live lookup is enabled and renders a redacted Kubernetes Secret review manifest by default.
render-vault-secret-vars.yml
---
eigenstate_k8s_secret_name: app-config
eigenstate_k8s_secret_namespace: payments
eigenstate_k8s_secret_output_dir: ./artifacts
eigenstate_k8s_secret_render_only: true
eigenstate_k8s_secret_apply: false
eigenstate_k8s_secret_render_review_manifest: true
eigenstate_k8s_secret_write_payload_manifest: false
eigenstate_k8s_secret_live_lookup_enabled: true
eigenstate_k8s_secret_vault_name: app-config
eigenstate_k8s_secret_vault_scope: shared
eigenstate_k8s_secret_server: idm-01.example.com
eigenstate_k8s_secret_kerberos_keytab: /runner/env/ipa/automation.keytab
Run It
ansible-playbook playbooks/render-kubernetes-secret-from-idm-vault.yml \
-e @render-vault-secret-vars.yml
Expected Evidence
The role renders a review-only Kubernetes Secret manifest with payload fields redacted. A captured wrapper run with static payload inputs produced the output below; note that this run used the role's default secret name and namespace (idm-vault-secret in default), not the app-config/payments values from the vars file above, so expect those two fields to differ when you run it with your own vars.
PLAY [Render Kubernetes Secret manifest from IdM vault material] ********
TASK [eigenstate.ipa.kubernetes_secret_from_idm_vault : Validate Kubernetes Secret delivery variables] ***
ok: [localhost] => {
"changed": false,
"msg": "All assertions passed"
}
TASK [kubernetes_secret_from_idm_vault : Render reviewable Kubernetes Secret manifest]
changed: [localhost]
PLAY RECAP ************************************************************
localhost : ok=6 changed=2 unreachable=0 failed=0 skipped=10 rescued=0 ignored=0
The rendered review artifact contains redacted data, not the vault payload:
apiVersion: v1
kind: Secret
metadata:
  name: "idm-vault-secret"
  namespace: "default"
  annotations:
    eigenstate.ipa/payload: "redacted-in-review-manifest"
    eigenstate.ipa/source: "idm-vault"
type: "Opaque"
stringData:
  artifact: "REDACTED"
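The redaction and inspection steps above are worth making concrete. The following is an added example, not code from the eigenstate.ipa role: it renders a Secret manifest in the same shape as the review artifact (redacted stringData by default; an opt-in payload manifest with base64-encoded data), and it includes a leak check you can run over any rendered review artifact before continuing to a mutating step. The sample vault payload, the function names and the review_only flag are assumptions for illustration; they do not correspond to variables in the role.

```python
import base64
import json

# Constructed sample vault material (example data, not from the original page);
# stands in for what the IdM vault lookup would return.
SAMPLE_PAYLOAD = {"artifact": "db-password-hunter2"}

REDACTED_VALUE = "REDACTED"
PAYLOAD_ANNOTATION = "eigenstate.ipa/payload"
SOURCE_ANNOTATION = "eigenstate.ipa/source"


def _scalar(value):
    # JSON string literals are valid YAML double-quoted scalars, so json.dumps
    # gives safe quoting without pulling in a YAML library.
    return json.dumps(value)


def render_secret_manifest(name, namespace, payload, review_only=True):
    """Render a Kubernetes Secret manifest as YAML text.

    review_only=True mirrors the review-first default: every payload field is
    replaced with REDACTED and the manifest is annotated as redacted.
    review_only=False is the opt-in payload manifest: values go into `data`
    base64-encoded, which is what kubectl expects for a Secret.
    """
    lines = [
        "apiVersion: v1",
        "kind: Secret",
        "metadata:",
        f"  name: {_scalar(name)}",
        f"  namespace: {_scalar(namespace)}",
        "  annotations:",
    ]
    if review_only:
        lines.append(f"    {PAYLOAD_ANNOTATION}: {_scalar('redacted-in-review-manifest')}")
    lines.append(f"    {SOURCE_ANNOTATION}: {_scalar('idm-vault')}")
    lines.append(f"type: {_scalar('Opaque')}")
    if review_only:
        lines.append("stringData:")
        for key in sorted(payload):
            lines.append(f"  {key}: {_scalar(REDACTED_VALUE)}")
    else:
        lines.append("data:")
        for key in sorted(payload):
            encoded = base64.b64encode(payload[key].encode()).decode()
            lines.append(f"  {key}: {_scalar(encoded)}")
    return "\n".join(lines) + "\n"


def find_payload_leaks(manifest_text, payload):
    """Return the payload keys whose value appears in manifest_text, either raw
    or base64-encoded. A review artifact should yield an empty list; the
    opt-in payload manifest will (by design) list every key."""
    leaks = []
    for key, value in payload.items():
        encoded = base64.b64encode(value.encode()).decode()
        if value in manifest_text or encoded in manifest_text:
            leaks.append(key)
    return leaks


if __name__ == "__main__":
    review = render_secret_manifest("app-config", "payments", SAMPLE_PAYLOAD)
    print(review)
    print("leaks in review manifest:", find_payload_leaks(review, SAMPLE_PAYLOAD))
```

Run find_payload_leaks against the artifact the role wrote to eigenstate_k8s_secret_output_dir before any apply step; a non-empty result means the review artifact is carrying payload and must not be attached to a ticket or log. The check is a substring match, so very short payload values can produce false positives, but it will not miss a value that was merely base64-encoded rather than redacted.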
Troubleshooting
- Permission failure: verify the account and delegated authority.
- Unexpected empty result: verify target names and source records.
- Unsafe output: redact payloads in every artifact and add no_log: true to each task that handles secret material.