This is an external pillar for salt that offers pass as storage for pillar data.
To use salt-pillar-pass, put this in your salt-master configuration (/etc/salt/master):
extension_modules: modules
ext_pillar:
- salt-pillar-pass:
prefix: saltYou need to put the salt-pillar-pass.py file to <root_dir>/<extension_modules>/pillar/salt-pillar-pass.py, with <root_dir> and <extension_modules> as configured in the salt-master configuration.
Adjust the prefix value as needed. It will be prepended to all paths fetched from pass.
You don't need to include something in your top.sls at your pillar_roots.
edit/create a secret: pass edit <prefix>/<minon_id>
check, what the minion sees: salt <minion_id> pillar.get pass --out=yaml
This external pillar uses a dedicated path for each minion, comprised of a configurable prefix and the minion_id. The content is interpreded as yaml and made available to the minion under the pass pillar item.
# create the secrets
pass insert -m salt/minion1 << EOF
my_secret1: secret_value1
my_secret2:
- item1
- item2
EOF
# print the yaml entered before
salt minion1 pillar.get pass --out=yamluse in salt files:
{{ salt['pillar.get']('pass:my_secret1', 'my_default_value') }}