kustomize-controller
Add Support for Ansible Vault Decryptor
Reference(s):
- https://github.com/sosedoff/ansible-vault-go
- https://github.com/fluxcd/kustomize-controller/blob/main/internal/decryptor/decryptor.go
At the moment we do not accept any new decryptors that are not supported by SOPS itself.
At present, we are working hard (in the background) to make the Mozilla SOPS project healthy again, and with a diverse group of maintainers. After we have succeeded in this, the request should go to the SOPS project first.
Sounds like I need to work with SOPS upstream first and then come back here.
Can you please also provide more details on how you envision the decryption to work within the kustomize-controller? My initial thought was the desire to store the data key of SOPS in Ansible Vault, but based on your comment in the SOPS issue, it seems that individual values are put into the vault.
How would the kustomize-controller know how and what to decrypt?
That ansible-vault-go seems abandoned? The crypto package it uses is from 2018 and contains major CVEs. I would not want such a thing in Flux source code.
> Can you please also provide more details on how you envision the decryption to work within the kustomize-controller? My initial thought was the desire to store the data key of SOPS in Ansible Vault, but based on your comment in the SOPS issue, it seems that individual values are put into the vault.
Here is what I had in mind:

```yaml
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
  name: my-secrets
  namespace: flux-system
spec:
  interval: 10m0s
  sourceRef:
    kind: GitRepository
    name: my-secrets
  path: ./
  prune: true
  decryption:
    provider: sops # this would stay the same
    secretRef:
      name: sops-ansible-vault # vault password goes in here
```
Reference(s):
- https://fluxcd.io/flux/guides/mozilla-sops/#gitops-workflow
> How would the kustomize-controller know how and what to decrypt?
Haven't figured that out yet. Any suggestions appreciated!
> That ansible-vault-go seems abandoned? The crypto package it uses is from 2018 and contains major CVEs. I would not want such a thing in Flux source code.
Yeah, it definitely looks old. But since Ansible is written in Python, this project looks like a good starting point. I don't think we should use it as-is. I'm assuming we'll need a complete rewrite to integrate with SOPS.