Tags: kerberos, interactive, salt-project

Saltstack states requiring interactive entry


I am seeking answers on whether or how it is possible within saltstack to run a state which would require input, or whether there is an existing way for salt to interactively perform a kinit.

Specifically, I have states in which I seek to run tests across all our nodes, some of which require a valid kerberos ticket.

  • the 'ipa' tool, for validating IPA policy settings
  • NFS4 kerberised filesystem access
  • other tests which require a valid kerberos ticket

At the moment, we have a script which prompts for the login (runs kinit), then initiates the tests using salt if the login succeeded, then destroys the ticket afterwards.

I would like to improve this because:

  1. we'd like our entire configuration to be within salt; aside from a minimal bootstrap to configure the initial salt cluster, we'd prefer not to maintain separate scripts outside of the salt state/pillar tree.
  2. this solution only works for one host, and we would like to run many tests across many nodes
  3. with the wrapper script, we then have to have extra states to install the wrapper script on at least one host

We can probably solve 2, by creating a salt state to copy the kerberos ticket to all nodes first, and call that state first before calling the test states, but this doesn't solve 1.

While we only require the facility for running tests at the moment, with an admin account, we can foresee in the future the desire to run other states requiring other kerberos tickets, potentially run by a user who is permitted to the state by the configured salt ACLs.

Existing code is in a bash script that looks something like this, and needs to be run on each individual node, to get the ticket locally:

```bash
# Prompt for the admin password; only run the tests if a ticket was obtained
if kinit <adminaccount>
then
  # state.sls applies the SLS that holds the test suites
  salt-call state.sls state.test.suites
  # remove the ticket from the credential cache afterwards
  kdestroy
fi
```

To solve 2: I thought we could use something like this but would still require the extra wrapper script:

```bash
# Use a dedicated credential cache so the ticket can be found and copied
export KRB5CCNAME="/path/to/test/ticket"
if kinit <adminaccount>
then
  # copy the ticket cache to every node, passing its path as pillar data
  salt-call state.sls state.test.util.distribute_ticket pillar="{ticket: '${KRB5CCNAME}'}"
  # run the test suites on the targeted minions with the distributed ticket
  salt <hostpattern> state.sls state.test.suites
  # remove the local ticket afterwards
  kdestroy
fi
```

Ideally there would be a method by which we could define, within the salt master configuration or within a salt state itself, that the state requires interactive input, can only be called with a terminal (for example salt-call), and which connects the terminal to the salt process where it's available, for example for a cmd.run which calls kinit.

Or, perhaps there is a kerberos support module which can require a ticket at the time of executing salt, before distributing the highstate to minions (and perhaps make the ticket available somehow in pillar data)?

I have looked through the salt documentation and not found anything; however, I could have missed something, hence my question.

Thanks for your time.

If you have a better way of automating/implementing this, please consider answering and if it is acceptable I'll mark it as Accepted, unless someone else has a solution using salt (if it's still useful I'll still upvote it even if there is a salt-specific solution as the accepted answer).

If you are a salt expert and believe that I'm correct that there is currently no way of doing this, please let me know, and if there are no other answers that help me out, I'll mark yours as Accepted after waiting 1 week for answers, because the information that it's not possible is also useful so I don't spend more time searching.
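The kinit / run states / kdestroy procedure from the question, as an added example that is not the question's or the answer's code: a bash wrapper that keeps the ticket in a private, freshly created credential cache instead of the user's default one, obtains it non-interactively from a keytab when one is available (the usual way to take the password prompt out of automation) and falls back to the interactive prompt otherwise, and destroys the ticket on every exit path. The principal admin@EXAMPLE.COM, the ADMIN_KEYTAB variable and the state id state.test.suites are placeholders; the KINIT and KDESTROY overrides are an assumption added so the control flow can be exercised on a host without a KDC.

```bash
#!/usr/bin/env bash
# Added example, not code from the question or the answer: run Salt under a
# short-lived, private Kerberos credential cache and always destroy the ticket
# afterwards, whether the tests pass, fail or are interrupted.
set -eu

# The Kerberos binaries are overridable (assumption: lets the control flow be
# exercised without a KDC; the defaults are the real tools).
KINIT="${KINIT:-kinit}"
KDESTROY="${KDESTROY:-kdestroy}"

# A private 0700 directory holding a FILE: credential cache, so the ticket is
# never written to the user's default cache where other sessions could use it.
make_private_ccache() {
    local dir
    dir="$(mktemp -d)"
    chmod 700 "$dir"
    printf 'FILE:%s/krb5cc\n' "$dir"
}

# Obtain a ticket into $KRB5CCNAME. With a keytab this is non-interactive;
# without one it falls back to the password prompt the original script uses.
get_ticket() {
    local principal="$1" keytab="${2:-}"
    if [ -n "$keytab" ]; then
        "$KINIT" -k -t "$keytab" "$principal"
    else
        "$KINIT" "$principal"
    fi
}

# Run a command with a fresh ticket for PRINCIPAL. The subshell's EXIT trap
# destroys the ticket and removes the cache directory on every exit path, and
# the command is not run at all if kinit fails.
# Usage: with_ticket PRINCIPAL KEYTAB_OR_EMPTY COMMAND [ARGS...]
with_ticket() {
    local principal="$1" keytab="$2"
    shift 2
    (
        KRB5CCNAME="$(make_private_ccache)"
        export KRB5CCNAME
        cache_dir="${KRB5CCNAME#FILE:}"
        cache_dir="${cache_dir%/krb5cc}"
        trap '"$KDESTROY" >/dev/null 2>&1 || true; rm -rf "$cache_dir"' EXIT
        get_ticket "$principal" "$keytab" || exit $?
        "$@"
    )
}

# Example usage with placeholder values: run the test-suite state under the
# ticket. Guarded so that sourcing the file does not start a salt run.
if [ "${RUN_EXAMPLE:-0}" = 1 ]; then
    with_ticket "admin@EXAMPLE.COM" "${ADMIN_KEYTAB:-}" \
        salt-call state.sls state.test.suites
fi
```

If the keytab path is used, the keytab file is the long-lived secret and should be readable only by the account that runs salt-call; the ticket itself only ever exists in the temporary cache directory for the duration of the run.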


Solution

  • I'm not a true expert in Salt, but it appears there is no such possibility in states for now. A wrapper script inside a Salt state is one of a few workaround options; another one would be calling the cmdmod.run module (which has a stdin parameter). But then you will likely end up with another wrapper script for the Salt launch itself.

    There has been an open issue since 2014 about adding the ability to send some input to the cmd.run state.