Add --sops mode to encrypt harvest and manifest data at rest (especially useful if using --dangerous)
This commit is contained in:
parent
6a36a9d2d5
commit
33b1176800
GPG key ID:
59B3F0C24135C6A9
12 changed files with 760 additions and 117 deletions
66
README.md
66
README.md
|
|
@ -90,9 +90,6 @@ This uploads a self-contained `enroll` zipapp to a temporary directory on the re
|
|||
|
||||
**Privilege note:** A "full" harvest typically needs root access. Remote harvesting assumes the remote user can run `sudo` **without a password prompt** (NOPASSWD) so the harvest can run non-interactively. If you don't want this, pass `--no-sudo` as well.
|
||||
|
||||
**JinjaTurtle note:** If you want to take advantage of JinjaTurtle to turn configs into templates (see below note on JinjaTurtle integration), you'll still need to install JinjaTurtle on the remote host first.
|
||||
|
||||
|
||||
## Sensitive data
|
||||
|
||||
**enroll** doesn't make any assumptions about how you might handle sensitive data from your config files, in Ansible. Some people might use SOPS, others might use Vault, others might do something else entirely.
|
||||
|
|
@ -121,6 +118,49 @@ ansible-galaxy collection install community.sops
|
|||
|
||||
Then you can use the collection's lookup/vars plugins or modules to decrypt or load SOPS-encrypted vars at runtime.
|
||||
|
||||
Note the section below **also** talks about SOPS, but this is in the context of simply encrypting the data generated by `enroll` at rest for safe-keeping, **not** for direct integration with Ansible.
|
||||
|
||||
|
||||
### Encrypting harvest/manifests at rest with `--sops`
|
||||
|
||||
If you want to use `--dangerous` (or you simply want to keep the harvested artifacts private when they're sitting on disk, in git, etc), you can pass `--sops` to `harvest`, `manifest`, or `single-shot`.
|
||||
|
||||
To use `--sops`, you will need to have [sops](https://github.com/getsops/sops) installed on your `$PATH`.
|
||||
|
||||
- `--sops` expects one or more **GPG key fingerprints**. If `sops` is not on the `$PATH`, **enroll** will error.
|
||||
- `harvest --sops ...` writes a *single* encrypted file (`harvest.tar.gz.sops`) instead of a plaintext directory.
|
||||
- `manifest --sops ...` (and `single-shot --sops ...`) will:
|
||||
- decrypt the harvest bundle with `sops -d` (if the `--harvest` input is an encrypted file), then generate manifests as normal
|
||||
- bundle the entire generated Ansible output into a *single* encrypted file (`manifest.tar.gz.sops`)
|
||||
|
||||
⚠️ **Important:** `manifest --sops` (and `single-shot --sops`) produces **one encrypted file**. It is **not** an Ansible repo you can point `ansible-playbook` at directly. It is **not** the same as using SOPS inventory with the Ansible SOPS collection.
|
||||
|
||||
To use the encrypted SOPS manifest, decrypt and extract it first, then run Ansible from inside the extracted `manifest/` directory:
|
||||
|
||||
```bash
|
||||
sops -d /path/to/manifest.tar.gz.sops | tar -xzvf -
|
||||
cd manifest
|
||||
ansible-playbook ...
|
||||
```
|
||||
|
||||
Example:
|
||||
|
||||
```bash
|
||||
# Harvest (encrypted-at-rest)
|
||||
enroll harvest --out /tmp/enroll-harvest --dangerous --sops <FINGERPRINT(s)>
|
||||
|
||||
# Manifest (encrypted-at-rest)
|
||||
enroll manifest --harvest /tmp/enroll-harvest/harvest.tar.gz.sops --out /tmp/enroll-ansible --sops <FINGERPRINT(s)>
|
||||
|
||||
# Decrypt/extract manifest output for inspection / ansible runs
|
||||
cd /tmp/enroll-ansible
|
||||
sops -d manifest.tar.gz.sops | tar -xzvf -
|
||||
cd manifest
|
||||
```
|
||||
|
||||
(If you want to manually inspect an encrypted harvest bundle, extract it into its own directory, e.g. `mkdir -p harvest && sops -d harvest.tar.gz.sops | tar -xzvf - -C harvest`.)
|
||||
|
||||
|
||||
|
||||
## Manifest
|
||||
|
||||
|
|
@ -151,8 +191,6 @@ JinjaTurtle will be used automatically if it is detected on the `$PATH`. You can
|
|||
|
||||
If you *do* have JinjaTurtle installed, but *don't* wish to make use of it, you can use `--no-jinjaturtle`, in which case all config files will be kept as 'raw' files.
|
||||
|
||||
**Remote mode**: if you are using the `--remote-xxx` flags for `manifest` or `single-shot` subcommands, and want to take advantage of the JinjaTurtle integration, you'll still need to install JinjaTurtle on the remote host *in advance*.
|
||||
|
||||
---
|
||||
|
||||
# How multi-site avoids "shared role breaks a host"
|
||||
|
|
@ -239,6 +277,24 @@ Remote + dangerous:
|
|||
enroll harvest --remote-host myhost.example.com --remote-user myuser --out /tmp/enroll-harvest --dangerous
|
||||
```
|
||||
|
||||
### `--sops` (encrypt bundles at rest)
|
||||
|
||||
`--sops` bundles and encrypts the output as a single SOPS-encrypted `.tar.gz.sops` file (GPG). This is particularly useful if you're using `--dangerous`.
|
||||
|
||||
```bash
|
||||
# Encrypted harvest bundle (writes /tmp/enroll-harvest/harvest.tar.gz.sops)
|
||||
enroll harvest --out /tmp/enroll-harvest --dangerous --sops <FINGERPRINT(s)>
|
||||
|
||||
# Encrypted manifest bundle (writes /tmp/enroll-ansible/manifest.tar.gz.sops)
|
||||
enroll manifest --harvest /tmp/enroll-harvest/harvest.tar.gz.sops --out /tmp/enroll-ansible --sops <FINGERPRINT(s)>
|
||||
|
||||
# Decrypt/extract the manifest bundle, then run Ansible from inside ./manifest/
|
||||
cd /tmp/enroll-ansible
|
||||
sops -d manifest.tar.gz.sops | tar -xzvf -
|
||||
cd manifest
|
||||
ansible-playbook ./playbook.yml
|
||||
```
|
||||
|
||||
|
||||
## 2. Generate Ansible manifests (roles/playbook) from that harvest
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue