I have a Kubernetes secrets manifest in the form of a secret.j2 file which has a password key. This password key is supposed to be assigned a value from an ansible-vault encrypted string present in a dev.yml file. The dev.yml looks like this:
dev_db_password: !vault |
  $ANSIBLE_VAULT;1.1;AES256
  XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
I am passing "dev" as a runtime parameter "namespace=dev" to my playbook. The stringData of secret.j2 looks like this:
stringData:
  consoleadminpassword: "{{'{{'}} {{ namespace + '_console_password' }} {{'}}'}}"
  consolenonadminpassword: "{{'{{'}} {{ namespace + '_console_password' }} {{'}}'}}"
  dbpassword: "{{'{{'}} {{ namespace + '_db_password' }} {{'}}'}}"
When I template secret.j2 to secret.yml, the resulting stringData looks like this:
stringData:
  consoleadminpassword: "{{ dev_console_password }}"
  consolenonadminpassword: "{{ dev_console_password }}"
  dbpassword: "{{ dev_db_password }}"
Now I want it to further evaluate "dev_db_password" so that the "dbpassword" key is set to the decrypted value from dev.yml while Ansible templates secret.j2 to secret.yml. Is there a way to achieve this in the same line by modifying dbpassword: "{{'{{'}} {{ namespace + '_db_password' }} {{'}}'}}" ?
Upvotes: 0
Views: 970
Q: "evaluate the dev_db_password ... while ansible templates secret.j2. Is there a way to achieve this in the same line by modifying dbpassword: ... ?"
A: Yes, there is. Try the lookup plugin vars. See ansible-doc -t lookup vars
dbpassword: "{{'{{'}} {{ lookup('vars', namespace + '_db_password') }} {{'}}'}}"
For example, the template
shell> cat secret.j2
stringData:
  consoleadminpassword: "{{'{{'}} {{ lookup('vars', namespace + '_console_password') }} {{'}}'}}"
  consolenonadminpassword: "{{'{{'}} {{ lookup('vars', namespace + '_console_password') }} {{'}}'}}"
  dbpassword: "{{'{{'}} {{ lookup('vars', namespace + '_db_password') }} {{'}}'}}"
and the playbook
- hosts: localhost
  tasks:
    - template:
        src: secret.j2
        dest: secret.yml
      vars:
        namespace: dev
        dev_console_password: passwd_console
        dev_db_password: passwd_db
gives
shell> cat secret.yml
stringData:
  consoleadminpassword: "{{ passwd_console }}"
  consolenonadminpassword: "{{ passwd_console }}"
  dbpassword: "{{ passwd_db }}"
If you don't need the next evaluation of the variables (passwords) in the dictionary, the template below
shell> cat secret.j2
stringData:
  consoleadminpassword: {{ lookup('vars', namespace + '_console_password') }}
  consolenonadminpassword: {{ lookup('vars', namespace + '_console_password') }}
  dbpassword: {{ lookup('vars', namespace + '_db_password') }}
will give
shell> cat secret.yml
stringData:
  consoleadminpassword: passwd_console
  consolenonadminpassword: passwd_console
  dbpassword: passwd_db
If you put the passwords into an encrypted file
shell> cat dev.yml
dev_console_password: passwd_console
dev_db_password: passwd_db
shell> ansible-vault encrypt dev.yml
Encryption successful
shell> cat dev.yml
$ANSIBLE_VAULT;1.1;AES256
30663636653963333864346339303034356463356234383035363561356365376130396465323736
...
the playbook will give the same results
- hosts: localhost
  vars:
    namespace: dev
  tasks:
    - include_vars: "{{ namespace }}.yml"
    - template:
        src: secret.j2
        dest: secret.yml
Upvotes: 3
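The rendering behaviour described in the answer above, as an added example that is not part of the original post: it drives Jinja2 directly from Python with a stand-in `vars_lookup` function (an assumption standing in for Ansible's real lookup plugin) and constructed variable values, to show why the escaped form yields a literal `{{ passwd_db }}` while the plain form writes the resolved value itself into secret.yml.

```python
from jinja2 import Environment, StrictUndefined

# Constructed stand-in for the decrypted dev.yml contents plus the
# `namespace` extra var (in Ansible these come from include_vars and -e).
PLAY_VARS = {
    "namespace": "dev",
    "dev_console_password": "passwd_console",
    "dev_db_password": "passwd_db",
}

# Template text as in the answer: {{'{{'}} and {{'}}'}} emit literal braces,
# so the first render leaves "{{ <value> }}" in secret.yml.
ESCAPED_TEMPLATE = (
    "stringData:\n"
    "  dbpassword: \"{{'{{'}} {{ lookup('vars', namespace + '_db_password') }} {{'}}'}}\"\n"
)

# Variant without the escapes: the resolved value itself lands in secret.yml,
# i.e. the vault-decrypted secret is now plaintext on disk and needs protecting.
PLAIN_TEMPLATE = (
    "stringData:\n"
    "  dbpassword: {{ lookup('vars', namespace + '_db_password') }}\n"
)


def render(template_text: str, variables: dict) -> str:
    """One templating pass, as the template module performs it."""
    env = Environment(undefined=StrictUndefined)  # unknown names fail loudly

    def vars_lookup(plugin: str, name: str) -> str:
        # Stand-in (assumption) for lookup('vars', name): resolve a variable
        # whose name is only built at render time (namespace + '_db_password').
        if plugin != "vars":
            raise ValueError(f"unsupported lookup plugin: {plugin}")
        return variables[name]  # KeyError, like Ansible's undefined-variable error

    env.globals["lookup"] = vars_lookup
    return env.from_string(template_text).render(**variables)


def render_escaped() -> str:
    return render(ESCAPED_TEMPLATE, PLAY_VARS)


def render_plain() -> str:
    return render(PLAIN_TEMPLATE, PLAY_VARS)


if __name__ == "__main__":
    print(render_escaped())  # dbpassword: "{{ passwd_db }}"
    print(render_plain())    # dbpassword: passwd_db
```

Passing a namespace for which no `<namespace>_db_password` variable exists raises an error instead of silently templating an empty secret.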