Add file encrypting functionality "yaml.j2" --> "yaml.j2.enc" files via a wrapper #126
#125 - Related to this issue, but this PR is technically not happening in-memory. That requires closer integration with k8t, but this still works.
What is this?
This lets you use encrypted "yaml.j2" files with the "k8t" tool.
Encrypted files stay encrypted while the data is at rest.
This is helpful for pushing your k8t project on GitHub while including all your encrypted secrets.
How it works
"./k8tsecure" is a wrapper for "k8t".
It takes the same arguments as k8t.
Before running the actual k8t command, it decrypts all encrypted YAML files using "ansible-vault".
Then it runs the k8t command with those temporarily decrypted files.
When the k8t command has completed, it discards the temporarily decrypted YAML files.
That keeps your git working tree clean.
None of the decrypted files end up being accidentally committed to the git repository.
Requirements
This utilizes the "ansible-vault" command for encryption and decryption:
https://docs.ansible.com/ansible/latest/vault_guide/index.html
It requires one of the following installations:
Link: https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html
Link: https://pypi.org/project/ansible-vault/
How to use this
Create an empty "ansible.cfg" file in the same directory as this script (root of the k8t project).
Add the following two lines without the "#"s in that config file and update the password file's location based on your needs. Preferably, it should be outside of the git repository directory. You could use your home directory, etc.
Open that ./some_directory/.vault_password.txt file and add the desired password (e.g. 16 characters).
Rename any file that you want to encrypt by following the naming convention below:
some-secret.yaml.j2 --> some-secret.yaml.j2.enc
another.yaml.j2 --> another.yaml.j2.enc
Run "./k8tsecure encrypt_all" once to encrypt all the .enc files for first-time setup.
From that point, every time you want to use the "k8t" tool,
use "./k8tsecure" instead. k8tsecure encapsulates k8t behind the scenes while handling the encrypted files.
The arguments/flags are the same as the "k8t" tool's original command set due to the encapsulation, e.g.
"k8t gen --environment development > compiled_dev_environment.yaml"
becomes
"./k8tsecure gen --environment development > compiled_dev_environment.yaml"
Any time you need to edit those ".enc" files,
run the standard "ansible-vault" commands from the directory where you have the "ansible.cfg" file,
e.g. "ansible-vault edit some-secret.yaml.j2.enc"
Available options for k8tsecure
"./k8tsecure encrypt_all" -- Encrypts all files containing ".enc" in the filename
"./k8tsecure decrypt_all" -- Decrypts all files containing ".enc" in the filename
"./k8tsecure any k8t flag option etc." -- Passes through all the arguments to k8t after temporarily decrypting the ".enc" files.
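The wrapper's safety relies on two things the description leaves to the user: that "encrypt_all" was actually run once, so a ".enc" file is never plaintext under an encrypted-looking name, and that no temporarily decrypted "yaml.j2" twin survives into a commit. The following is an added example (not code from this PR or from k8t) of a pre-commit style check for both conditions; it assumes only that ansible-vault output begins with the "$ANSIBLE_VAULT;" header line.

```shell
#!/usr/bin/env sh
# Added example, not part of PR #126: sanity check for a k8t tree that uses the
# "*.yaml.j2.enc" convention. Assumption: ansible-vault files start with the
# "$ANSIBLE_VAULT;" header line (e.g. "$ANSIBLE_VAULT;1.1;AES256").

# Print one line per problem found under <project_dir>; prints nothing when clean.
list_enc_problems() {
    find "$1" -type f -name '*.yaml.j2.enc' | while IFS= read -r enc; do
        # 1. An ".enc" file must carry the ansible-vault header; otherwise it is
        #    plaintext that was never run through "./k8tsecure encrypt_all".
        case "$(head -n 1 "$enc")" in
            '$ANSIBLE_VAULT;'*) ;;
            *) printf 'not-encrypted: %s\n' "$enc" ;;
        esac
        # 2. A plaintext twin ("foo.yaml.j2" beside "foo.yaml.j2.enc") means a
        #    temporarily decrypted file survived a k8tsecure run; block it.
        plain=${enc%.enc}
        if [ -f "$plain" ]; then
            printf 'plaintext-twin: %s\n' "$plain"
        fi
    done
}

# Exit status 0 when the tree is clean, 1 otherwise (usable as a pre-commit hook).
check_enc_tree() {
    out=$(list_enc_problems "$1")
    if [ -n "$out" ]; then
        printf '%s\n' "$out" >&2
        return 1
    fi
    return 0
}
```

Run it as `check_enc_tree .` from the project root, or wire it into `.git/hooks/pre-commit`, so a tree with an unencrypted ".enc" file or a leftover decrypted twin cannot be committed.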