
Add 'env_var_' prefix option for handling secrets#775

Open
marehler wants to merge 1 commit into netascode:develop from marehler:env_var_issue720

Conversation

@marehler
Contributor

Related Issue(s)

Fixes #720

Related Collection Role

  • cisco.nac_dc_vxlan.validate
  • cisco.nac_dc_vxlan.dtc.create
  • cisco.nac_dc_vxlan.dtc.deploy
  • cisco.nac_dc_vxlan.dtc.remove
  • other

Related Data Model Element

  • vxlan.fabric
  • vxlan.global
  • vxlan.topology
  • vxlan.underlay
  • vxlan.overlay
  • vxlan.overlay_extensions
  • vxlan.policy
  • vxlan.multisite
  • defaults.vxlan
  • other

Proposed Changes

Add plugin to look up secrets starting with the 'env_var_' prefix. Same functionality as already supported for switch credentials. Example:

```yaml
---
vxlan:
  underlay:
    bgp:
      authentication_enable: true
      authentication_key_type: 3
      authentication_key: env_var_bgp_auth_key
```

  • Created plugins/action/common/prepare_plugins/prep_005_resolve_env_vars.py
  • Runs as prepare plugin 005 in the prepare_service_model pipeline — after fabric/global setup and list defaults (001–004), before any topology processing (104+)
  • Recursively walks the entire model_extended data model
  • Any string value starting with env_var_ is resolved via os.getenv()
  • If the env var isn't set, a warning is emitted and the original string is kept unchanged
  • Verbose logging (-v) shows how many variables were resolved; -vvv shows each individually with its data model path
  • No impact on existing switch credential flow: get_credentials.py operates on the rendered inv_list (after templates), not the raw data model. The two mechanisms are complementary and don't interfere.

Test Notes

  1. BGP Fabric

```
TASK [cisco.nac_dc_vxlan.validate : Prepare Service Model] ***************************************************************************************************
task path: /Users/marehler/Git/sac-ndfc/nac-ndfc/collections/ansible_collections/cisco/nac_dc_vxlan/roles/validate/tasks/sub_main.yml:110
Resolved 'env_var_mcast_auth_key' from environment variable at 'vxlan.underlay.multicast.ipv4.authentication_key'
Resolved 'env_var_bgp_auth_key' from environment variable at 'vxlan.underlay.bgp.authentication_key'
Resolved 'env_var_tacacs_key' from environment variable at 'vxlan.global.ebgp.aaa_freeform'
Resolved 3 environment variable(s) in the data model
```

  2. MSD Fabric

```
TASK [cisco.nac_dc_vxlan.validate : Prepare Service Model] ***************************************************************************************************
task path: /Users/marehler/Git/sac-ndfc/nac-ndfc/collections/ansible_collections/cisco/nac_dc_vxlan/roles/validate/tasks/sub_main.yml:110
Resolved 'env_var_dci_password' from environment variable at 'vxlan.multisite.overlay_dci.ebgp_password'
Resolved 1 environment variable(s) in the data model
```

Cisco Nexus Dashboard Version

3.2.2

Checklist

  • Latest commit is rebased from develop with merge conflicts resolved
  • New documentation or updates to existing documentation have been made accordingly
  • Assigned the proper reviewers
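The recursive walk described under Proposed Changes, written out as an added example. This is not the PR's own prep_005_resolve_env_vars.py and does not use Ansible; it is a stand-alone Python sketch of the same behaviour: walk nested dicts and lists, replace any string beginning with env_var_ by the matching environment variable, keep the original string and record a warning when the variable is unset, and emit log lines that carry only the variable name and the data-model path. Assumptions: the whole marker string, prefix included, is used as the environment-variable name (the real plugin's naming convention may differ), the sample model and the env dictionary are constructed here, and the `switches`/`snmp_community` keys are made up to exercise list handling rather than taken from the collection's schema.

```python
import os
from typing import Any, Dict, List, Mapping, Optional, Tuple

# Prefix that marks a data-model string as an environment-variable reference
# (from the PR description).
ENV_PREFIX = "env_var_"

# Assumption: the whole marker string, prefix included, is the variable name,
# e.g. 'env_var_bgp_auth_key' is read from $env_var_bgp_auth_key.
Pair = Tuple[str, str]  # (variable name, dotted data-model path)


def resolve_env_vars(model: Any,
                     env: Optional[Mapping[str, str]] = None,
                     path: str = "") -> Tuple[Any, List[Pair], List[Pair]]:
    """Return a copy of `model` with every 'env_var_' string replaced by the
    matching environment variable, plus the lists of resolved and unresolved
    references. An unset variable leaves the original marker string in place."""
    if env is None:
        env = os.environ
    resolved: List[Pair] = []
    unresolved: List[Pair] = []

    if isinstance(model, dict):
        out: Dict[Any, Any] = {}
        for key, value in model.items():
            child = f"{path}.{key}" if path else str(key)
            new_value, r, u = resolve_env_vars(value, env, child)
            out[key] = new_value
            resolved += r
            unresolved += u
        return out, resolved, unresolved

    if isinstance(model, list):
        items: List[Any] = []
        for index, value in enumerate(model):
            new_value, r, u = resolve_env_vars(value, env, f"{path}[{index}]")
            items.append(new_value)
            resolved += r
            unresolved += u
        return items, resolved, unresolved

    if isinstance(model, str) and model.startswith(ENV_PREFIX):
        value = env.get(model)
        if value is None:
            unresolved.append((model, path))
            return model, resolved, unresolved  # keep the marker, warn later
        resolved.append((model, path))
        return value, resolved, unresolved

    # ints, bools, None and plain strings pass through untouched
    return model, resolved, unresolved


def log_lines(resolved: List[Pair], unresolved: List[Pair]) -> List[str]:
    """Build log messages naming the variable and its model path but never the
    secret value, in the shape of the lines quoted in the PR's test notes."""
    lines = [f"Resolved '{name}' from environment variable at '{where}'"
             for name, where in resolved]
    lines += [f"WARNING: environment variable '{name}' referenced at '{where}' "
              f"is not set; value left unchanged" for name, where in unresolved]
    lines.append(f"Resolved {len(resolved)} environment variable(s) in the data model")
    return lines


# Constructed sample model shaped like the PR's YAML example; the 'switches'
# list and 'snmp_community' key are made up to exercise list handling.
SAMPLE_MODEL = {
    "vxlan": {
        "underlay": {
            "bgp": {
                "authentication_enable": True,
                "authentication_key_type": 3,
                "authentication_key": "env_var_bgp_auth_key",
            },
            "multicast": {"ipv4": {"authentication_key": "env_var_mcast_auth_key"}},
        },
        "global": {"ebgp": {"aaa_freeform": "env_var_tacacs_key"}},
        "topology": {"switches": [{"name": "leaf1", "snmp_community": "env_var_snmp"}]},
    }
}

# Constructed stand-in for os.environ; 'env_var_tacacs_key' is deliberately unset.
SAMPLE_ENV = {
    "env_var_bgp_auth_key": "bgp-example-key",
    "env_var_mcast_auth_key": "mcast-example-key",
    "env_var_snmp": "snmp-example-community",
}


def demo(env: Mapping[str, str] = SAMPLE_ENV):
    """Resolve the sample model and return (model, resolved, unresolved, log lines)."""
    model, resolved, unresolved = resolve_env_vars(SAMPLE_MODEL, env)
    return model, resolved, unresolved, log_lines(resolved, unresolved)


if __name__ == "__main__":
    print("\n".join(demo()[3]))
```

Two points a reviewer of the real plugin would check against this sketch: the walk returns a new structure rather than mutating its input, so the unresolved data model can still be compared or re-run safely, and the log lines carry variable names and paths only, so -vvv output can be pasted into a ticket without leaking the resolved secret.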

@marehler marehler requested a review from a team as a code owner April 17, 2026 07:39
@marehler marehler added the enhancement New feature or request label Apr 17, 2026

Development

Successfully merging this pull request may close these issues.

Support for 'env_var_' prefix option to secure any data model secret

1 participant