carvel-dev / kapp-controller

Continuous delivery and package management for Kubernetes.
https://carvel.dev/kapp-controller
Apache License 2.0

Hashicorp Vault Templating #81

Open braunsonm opened 3 years ago

braunsonm commented 3 years ago

Describe the problem/challenge you have

I would like to use Vault to provide my secrets for my YTT templates. To achieve this, one can encrypt the secrets YAML with the Vault Transit engine and store in their repository.

Describe the solution you'd like

A templater in kapp controller that supports Hashicorp Vault's transit engine to decrypt files similar to the SOPS templater. This way I can decrypt secrets, template with ytt, and deploy with kapp.

Additional Details

It is also possible to use Vault to inject secrets, you just would not be able to use those secrets with ytt. See here and examples

cppforlife commented 3 years ago

@braunsonm i think we would be open to such enhancement if this could be encapsulated into a small binary that does the heavy lifting (similar to sops binary).

braunsonm commented 3 years ago

Interesting, I wasn't aware the sops binary was separated from the rest of the controller code. Do you think you could link me to where that lives in the source of the kapp controller so I could get a better understanding?

danielhelfand commented 3 years ago

The sops binary is made available via the container image for kapp-controller: https://github.com/vmware-tanzu/carvel-kapp-controller/blob/dee8a5beacd13c97423213dc7381917577d8505c/Dockerfile#L51

It’s then called directly using the os/exec package: https://github.com/vmware-tanzu/carvel-kapp-controller/blob/b58896522e15360f571f03c1a3f122e7f9dd44f7/pkg/template/sops.go#L138

Obviously more to it than just that as far as some of the design around it, but this is how sops is currently used.

cppforlife commented 3 years ago

> Interesting, I wasn't aware the sops binary was separated from the rest of the controller code. Do you think you could link me to where that lives in the source of the kapp controller so I could get a better understanding?

kapp-controller actually calls out to all of the tools (vendir, ytt, kapp, kbld, imgpkg, etc.).

braunsonm commented 3 years ago

This should be pretty easily doable with the Vault cli. For instance to decrypt (assuming logged in):

vault write -field=plaintext transit/decrypt/my-role ciphertext="$(cat encrypted-values.yml.vault)" | base64 --decode

Decrypted yaml is output to stdout.

danielhelfand commented 3 years ago

As a note, I would prefer using a go module as opposed to the binary for this case if possible.
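To show what the `vault write ... transit/decrypt/...` command above does on the wire, and what a go-module approach (rather than shelling out to a binary, as the sops templater does via os/exec) would have to implement, here is an added example that is not kapp-controller's code and not from anyone in this thread. It uses only the Go standard library: `TransitDecrypt` issues Vault's transit decrypt request (`POST /v1/transit/decrypt/<key>` with a `ciphertext` field, token in `X-Vault-Token`, base64 `data.plaintext` in the reply) and decodes the result, and `NewFakeTransit` is a constructed stand-in server so the example runs offline. The Vault address, token value, key name `my-role` and the sample ciphertext are all assumptions; the real Vault Go client (`github.com/hashicorp/vault/api`) wraps this same call.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// TransitDecrypt performs the request the CLI command above makes:
// POST /v1/transit/decrypt/<key> with {"ciphertext": ...}, then base64-decodes
// data.plaintext. vaultAddr, token and keyName are caller-supplied assumptions.
func TransitDecrypt(client *http.Client, vaultAddr, token, keyName, ciphertext string) ([]byte, error) {
	// Transit ciphertext always reads "vault:v<N>:<base64>"; refuse anything else
	// before it leaves the process, so a stray plaintext file is never sent out.
	if !strings.HasPrefix(ciphertext, "vault:v") {
		return nil, fmt.Errorf("input is not transit ciphertext")
	}
	body, err := json.Marshal(map[string]string{"ciphertext": ciphertext})
	if err != nil {
		return nil, err
	}
	req, err := http.NewRequest(http.MethodPost, vaultAddr+"/v1/transit/decrypt/"+keyName, bytes.NewReader(body))
	if err != nil {
		return nil, err
	}
	req.Header.Set("X-Vault-Token", token)
	req.Header.Set("Content-Type", "application/json")
	resp, err := client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		// Vault reports problems as {"errors":[...]}; surface them, bounded in size.
		msg, _ := io.ReadAll(io.LimitReader(resp.Body, 4096))
		return nil, fmt.Errorf("vault returned %d: %s", resp.StatusCode, strings.TrimSpace(string(msg)))
	}
	var parsed struct {
		Data struct {
			Plaintext string `json:"plaintext"`
		} `json:"data"`
	}
	if err := json.NewDecoder(resp.Body).Decode(&parsed); err != nil {
		return nil, err
	}
	if parsed.Data.Plaintext == "" {
		return nil, fmt.Errorf("response carries no data.plaintext")
	}
	return base64.StdEncoding.DecodeString(parsed.Data.Plaintext)
}

// NewFakeTransit is a constructed stand-in for a Vault server so the example
// runs offline: it checks the token, accepts only the decrypt path, and maps
// known ciphertexts to plaintext using Vault's response shape.
func NewFakeTransit(wantToken string, store map[string]string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("X-Vault-Token") != wantToken {
			http.Error(w, `{"errors":["permission denied"]}`, http.StatusForbidden)
			return
		}
		if r.Method != http.MethodPost || !strings.HasPrefix(r.URL.Path, "/v1/transit/decrypt/") {
			http.Error(w, `{"errors":["unsupported path"]}`, http.StatusNotFound)
			return
		}
		var in struct {
			Ciphertext string `json:"ciphertext"`
		}
		if err := json.NewDecoder(r.Body).Decode(&in); err != nil {
			http.Error(w, `{"errors":["bad request"]}`, http.StatusBadRequest)
			return
		}
		plain, ok := store[in.Ciphertext]
		if !ok {
			http.Error(w, `{"errors":["invalid ciphertext"]}`, http.StatusBadRequest)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode(map[string]interface{}{
			"data": map[string]string{"plaintext": base64.StdEncoding.EncodeToString([]byte(plain))},
		})
	}))
}

func main() {
	// Constructed sample: one encrypted values file and the token the fake expects.
	srv := NewFakeTransit("s.constructed-token", map[string]string{
		"vault:v1:Y29uc3RydWN0ZWQ=": "password: hunter2\n",
	})
	defer srv.Close()
	out, err := TransitDecrypt(srv.Client(), srv.URL, "s.constructed-token", "my-role", "vault:v1:Y29uc3RydWN0ZWQ=")
	if err != nil {
		fmt.Println("decrypt failed:", err)
		return
	}
	fmt.Print(string(out))
}
```

The decrypted bytes are exactly what the CLI pipeline writes to stdout after `base64 --decode`, so a templater would hand them to ytt the same way the sops templater hands over its output. Two points matter for a controller: the token never appears on a command line or in process arguments, and a non-200 reply (wrong token, wrong key, tampered ciphertext) fails closed with Vault's error text instead of yielding an empty values file.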

aaronshurley commented 3 years ago

It sounds like we're open to contributions for this enhancement but it's currently not prioritized in our backlog.