
Add Support for Ansible Vault Decryptor

Open oxr463 opened this issue 1 year ago • 5 comments

Reference(s):

  • https://github.com/sosedoff/ansible-vault-go
  • https://github.com/fluxcd/kustomize-controller/blob/main/internal/decryptor/decryptor.go

oxr463, Mar 31 '23 12:03

At the moment we do not accept any new decryptors that are not supported by SOPS itself.

At present, we are working hard (in the background) to make the Mozilla SOPS project healthy again, and with a diverse group of maintainers. After we have succeeded in this, the request should go to the SOPS project first.

hiddeco, Mar 31 '23 12:03

Sounds like I need to work with SOPS upstream first and then come back here.

oxr463, Mar 31 '23 12:03

Can you please also provide more details on how you envision the decryption to work within the kustomize-controller? My initial thought was the desire to store the data key of SOPS in Ansible Vault, but based on your comment in the SOPS issue, it seems that individual values are put into the vault.

How would the kustomize-controller know how and what to decrypt?

hiddeco, Mar 31 '23 13:03

That ansible-vault-go seems abandoned? The crypto package it uses is from 2018 and contains major CVEs. I would not want such a thing in Flux source code.

stefanprodan, Mar 31 '23 13:03

> Can you please also provide more details on how you envision the decryption to work within the kustomize-controller? My initial thought was the desire to store the data key of SOPS in Ansible Vault, but based on your comment in the SOPS issue, it seems that individual values are put into the vault.

Here is what I had in mind:

```yaml
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
  name: my-secrets
  namespace: flux-system
spec:
  interval: 10m0s
  sourceRef:
    kind: GitRepository
    name: my-secrets
  path: ./
  prune: true
  decryption:
    provider: sops # this would stay the same
    secretRef:
      name: sops-ansible-vault # vault password goes in here
```

Reference(s):

  • https://fluxcd.io/flux/guides/mozilla-sops/#gitops-workflow

> How would the kustomize-controller know how and what to decrypt?

Haven't figured that out yet. Any suggestions appreciated!

> That ansible-vault-go seems abandoned? The crypto package it uses is from 2018 and contains major CVEs. I would not want such a thing in Flux source code.

Yeah, it definitely looks old. But since Ansible is written in Python, this project looks like a good starting point. I don't think we should use it as-is. I'm assuming we'll need a complete rewrite to integrate with SOPS.

oxr463, Mar 31 '23 14:03
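The thread leaves two things open: how a decryptor would recognise vaulted content, and whether Ansible Vault support needs ansible-vault-go or its old crypto dependency at all. The block below is an added example, not code from kustomize-controller, SOPS or ansible-vault-go; it implements the Ansible Vault AES256 envelope (format 1.1, and the 1.2 header that carries a vault id) with only the Go standard library, including its own PBKDF2 so no module is pulled in. The function names (`ParseHeader`, `Encrypt`, `Decrypt`, `pbkdf2SHA256`) and the sample password and plaintext in the usage note are assumptions made for this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"strings"
)

// Ansible Vault AES256 envelope: a "$ANSIBLE_VAULT;1.1;AES256" header line (1.2 adds ";<vault id>"),
// then hex("salt_hex\nhmac_hex\nciphertext_hex") wrapped at 80 columns. PBKDF2-HMAC-SHA256 over the
// password (32-byte salt, 10000 iterations) yields 80 bytes: AES-256-CTR key | HMAC-SHA256 key | IV.
const vaultMagic = "$ANSIBLE_VAULT"

// pbkdf2SHA256 is a stdlib-only PBKDF2 (RFC 8018) so this example file needs no extra modules.
func pbkdf2SHA256(password, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	var out []byte
	for block := uint32(1); len(out) < keyLen; block++ {
		prf.Reset()
		prf.Write(binary.BigEndian.AppendUint32(append([]byte{}, salt...), block))
		u := prf.Sum(nil)
		t := append([]byte{}, u...)
		for n := 1; n < iter; n++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for i := range t {
				t[i] ^= u[i]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

func deriveKeys(password, salt []byte) (key1, key2, iv []byte) {
	km := pbkdf2SHA256(password, salt, 10000, 80)
	return km[:32], km[32:64], km[64:80]
}

// ParseHeader is how a decryptor tells vaulted content from plain data, and which vault id
// (and therefore which password in the referenced Secret) a 1.2-format payload belongs to.
func ParseHeader(vaultText string) (version, vaultID string, err error) {
	h := strings.Split(strings.Split(strings.TrimSpace(vaultText), "\n")[0], ";")
	if len(h) < 3 || h[0] != vaultMagic || h[2] != "AES256" {
		return "", "", errors.New("not an Ansible Vault AES256 payload")
	}
	return h[1], strings.Join(h[3:], ";"), nil
}

func Encrypt(plaintext, password []byte) (string, error) {
	salt := make([]byte, 32)
	if _, err := rand.Read(salt); err != nil {
		return "", err
	}
	key1, key2, iv := deriveKeys(password, salt)
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize // Ansible PKCS7-pads even though CTR needs none
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	blk, _ := aes.NewCipher(key1) // key1 is 32 bytes by construction, so this cannot fail
	ct := make([]byte, len(padded))
	cipher.NewCTR(blk, iv).XORKeyStream(ct, padded)
	mac := hmac.New(sha256.New, key2)
	mac.Write(ct)
	inner := hex.EncodeToString(salt) + "\n" + hex.EncodeToString(mac.Sum(nil)) + "\n" + hex.EncodeToString(ct)
	body := hex.EncodeToString([]byte(inner))
	var b strings.Builder
	b.WriteString(vaultMagic + ";1.1;AES256\n")
	for ; len(body) > 80; body = body[80:] {
		b.WriteString(body[:80] + "\n")
	}
	b.WriteString(body + "\n")
	return b.String(), nil
}

func Decrypt(vaultText string, password []byte) ([]byte, error) {
	if _, _, err := ParseHeader(vaultText); err != nil {
		return nil, err
	}
	f := strings.Fields(vaultText) // header, then the wrapped (possibly indented) hex body
	outer, err := hex.DecodeString(strings.Join(f[1:], ""))
	parts := bytes.Split(outer, []byte("\n"))
	if err != nil || len(parts) != 3 {
		return nil, errors.New("malformed vault body")
	}
	salt, e1 := hex.DecodeString(string(parts[0]))
	wantMAC, e2 := hex.DecodeString(string(parts[1]))
	ct, e3 := hex.DecodeString(string(parts[2]))
	if e1 != nil || e2 != nil || e3 != nil {
		return nil, errors.New("malformed vault body")
	}
	key1, key2, iv := deriveKeys(password, salt)
	mac := hmac.New(sha256.New, key2) // verify first: a wrong password or edited ciphertext stops here
	mac.Write(ct)
	if !hmac.Equal(mac.Sum(nil), wantMAC) {
		return nil, errors.New("HMAC mismatch: wrong password or modified ciphertext")
	}
	blk, _ := aes.NewCipher(key1)
	pt := make([]byte, len(ct))
	cipher.NewCTR(blk, iv).XORKeyStream(pt, ct)
	if n := len(pt); n > 0 && n%aes.BlockSize == 0 && pt[n-1] > 0 && int(pt[n-1]) <= aes.BlockSize {
		return pt[:n-int(pt[n-1])], nil
	}
	return nil, errors.New("bad PKCS7 padding")
}
```

With a constructed input such as `Encrypt([]byte("db_password: s3cr3t\n"), []byte("hunter2"))`, `Decrypt` returns the original bytes for the right password and an error for a wrong password, a flipped ciphertext nibble, or content that has no `$ANSIBLE_VAULT` header. A controller-side decryptor could walk the string values of the manifests it renders, call `ParseHeader` on each, and look up the password for the returned vault id in the `decryption.secretRef` Secret from the YAML above; the MAC is checked before any decryption, so a mismatched password fails loudly rather than producing garbage.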