
Add Support for Ansible Vault Decryptor #827

Open
oxr463 opened this issue Mar 31, 2023 · 5 comments
Labels
enhancement New feature or request

Comments

@oxr463

oxr463 commented Mar 31, 2023

Reference(s):

@hiddeco
Member

hiddeco commented Mar 31, 2023

At the moment we do not accept any new decryptors that are not supported by SOPS itself.

At present, we are working hard (in the background) to make the Mozilla SOPS project healthy again, and with a diverse group of maintainers. After we have succeeded in this, the request should go to the SOPS project first.

@oxr463
Author

oxr463 commented Mar 31, 2023

Sounds like I need to work with SOPS upstream first and then come back here.

@hiddeco
Member

hiddeco commented Mar 31, 2023

Can you please also provide more details on how you envision the decryption to work within the kustomize-controller? My initial thought was the desire to store the data key of SOPS in Ansible Vault, but based on your comment in the SOPS issue, it seems that individual values are put into the vault.

How would the kustomize-controller know how and what to decrypt?

@stefanprodan
Member

That ansible-vault-go seems abandoned? The crypto package it uses is from 2018 and contains major CVEs. I would not want such a thing in Flux source code.

@oxr463
Author

oxr463 commented Mar 31, 2023

> Can you please also provide more details on how you envision the decryption to work within the kustomize-controller? My initial thought was the desire to store the data key of SOPS in Ansible Vault, but based on your comment in the SOPS issue, it seems that individual values are put into the vault.

Here is what I had in mind:

apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
  name: my-secrets
  namespace: flux-system
spec:
  interval: 10m0s
  sourceRef:
    kind: GitRepository
    name: my-secrets
  path: ./
  prune: true
  decryption:
    provider: sops # this would stay the same
    secretRef:
      name: sops-ansible-vault # vault password goes in here

Reference(s):

> How would the kustomize-controller know how and what to decrypt?

Haven't figured that out yet. Any suggestions appreciated!

> That ansible-vault-go seems abandoned? The crypto package it uses is from 2018 and contains major CVEs. I would not want such a thing in Flux source code.

Yeah, it definitely looks old. But since Ansible is written in Python, this project looks like a good starting point. I don't think we should use it as-is. I'm assuming we'll need a complete rewrite to integrate with SOPS.
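
The envelope format being discussed, as an added example that is not code from this issue, from Flux, or from ansible-vault-go: a Go implementation of the Ansible Vault 1.1 payload that uses only the standard library, i.e. the dependency-free route that the concern about a stale third-party crypto package points toward. It assumes the Vault 1.1 layout as I know it (PBKDF2-HMAC-SHA256 with 10000 iterations over a 32-byte random salt, 80 bytes of derived material split into an AES-256 key, an HMAC-SHA256 key and a CTR IV, PKCS#7 padding, HMAC computed over the ciphertext); the function names `Encrypt`, `Decrypt`, `pbkdf2SHA256`, `deriveKeys` and `tagOf`, and the sample secret and password, are mine. The `$ANSIBLE_VAULT;1.1;AES256` header line is the only thing that marks a value as vault-encrypted, which is relevant to the question of how a controller would know what to decrypt.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"strings"
)

// Assumed Vault 1.1 parameters: PBKDF2-HMAC-SHA256, 10000 iterations, 80 bytes out = AES-256 key | HMAC key | CTR IV.
const vaultHeader = "$ANSIBLE_VAULT;1.1;AES256"
const kdfIter = 10000
const saltLen = 32

// pbkdf2SHA256 is a minimal RFC 8018 PBKDF2 so that no non-stdlib crypto package is needed.
func pbkdf2SHA256(password, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	var out []byte
	for block := 1; len(out) < keyLen; block++ {
		idx := []byte{byte(block >> 24), byte(block >> 16), byte(block >> 8), byte(block)} // INT(block), big-endian
		prf.Reset()
		prf.Write(salt)
		prf.Write(idx)
		u := prf.Sum(nil)              // U_1
		t := append([]byte(nil), u...) // T = U_1 xor U_2 xor ... xor U_iter
		for n := 1; n < iter; n++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for i := range t {
				t[i] ^= u[i]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// deriveKeys splits the 80 derived bytes into the AES key, the HMAC key and the IV.
func deriveKeys(password, salt []byte) (aesKey, hmacKey, iv []byte) {
	dk := pbkdf2SHA256(password, salt, kdfIter, 80)
	return dk[:32], dk[32:64], dk[64:80]
}

func tagOf(hmacKey, ct []byte) []byte {
	h := hmac.New(sha256.New, hmacKey)
	h.Write(ct)
	return h.Sum(nil)
}

// Encrypt emits the header line, then hex("salt_hex\nhmac_hex\nciphertext_hex"); Ansible wraps that at 80 columns, Decrypt accepts both.
func Encrypt(plaintext, password []byte) (string, error) {
	salt := make([]byte, saltLen)
	if _, err := rand.Read(salt); err != nil {
		return "", err
	}
	aesKey, hmacKey, iv := deriveKeys(password, salt)
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize // PKCS#7: always 1..16 bytes
	ct := append(append([]byte(nil), plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	block, _ := aes.NewCipher(aesKey) // 32-byte key: cannot fail
	cipher.NewCTR(block, iv).XORKeyStream(ct, ct)
	inner := hex.EncodeToString(salt) + "\n" + hex.EncodeToString(tagOf(hmacKey, ct)) + "\n" + hex.EncodeToString(ct)
	return vaultHeader + "\n" + hex.EncodeToString([]byte(inner)) + "\n", nil
}

// Decrypt parses the payload and verifies the HMAC in constant time before decrypting anything.
func Decrypt(vaultText string, password []byte) ([]byte, error) {
	header, body, ok := strings.Cut(strings.TrimSpace(vaultText), "\n")
	if !ok || strings.TrimSpace(header) != vaultHeader {
		return nil, errors.New("not a " + vaultHeader + " payload")
	}
	outer, err := hex.DecodeString(strings.Join(strings.Fields(body), "")) // tolerates 80-column wrapping
	parts := strings.Split(string(outer), "\n")
	if err != nil || len(parts) != 3 {
		return nil, errors.New("malformed payload: expected hex(salt\\nhmac\\nciphertext)")
	}
	var f [3][]byte // salt, tag, ciphertext
	for i := range f {
		if f[i], err = hex.DecodeString(parts[i]); err != nil {
			return nil, errors.New("malformed payload: " + err.Error())
		}
	}
	aesKey, hmacKey, iv := deriveKeys(password, f[0])
	if !hmac.Equal(tagOf(hmacKey, f[2]), f[1]) { // constant-time; never decrypt unauthenticated data
		return nil, errors.New("HMAC mismatch: wrong password or tampered payload")
	}
	block, _ := aes.NewCipher(aesKey)
	pt := f[2] // decrypt in place; the HMAC check above already authenticated these bytes
	cipher.NewCTR(block, iv).XORKeyStream(pt, pt)
	if n := len(pt); n == 0 || n%aes.BlockSize != 0 || pt[n-1] == 0 || int(pt[n-1]) > aes.BlockSize {
		return nil, errors.New("bad PKCS#7 padding")
	}
	return pt[:len(pt)-int(pt[len(pt)-1])], nil
}
```

In the Kustomization sketched above, the `password` argument would be the value read from the referenced Secret. `Decrypt` refuses to touch the ciphertext or its padding until the HMAC matches, so a wrong password and a modified payload both fail with the same error rather than producing garbage or a padding-dependent error path; only the 1.1 header is handled, the 1.2 variant with a vault id suffix would need its own header parsing.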

@kingdonb added the "enhancement" label Apr 5, 2023
4 participants