getsops / sops

Simple and flexible tool for managing secrets
https://getsops.io/
Mozilla Public License 2.0

Ansible integration #303

Closed conorsch closed 3 years ago

conorsch commented 6 years ago

Has anyone tried integrating SOPS with Ansible? At a high level, looks like a custom vars_plugin would support automatic decryption of SOPS vars files. As the SOPS docs state, all SOPS-encrypted vars files will have a top-level key sops. That should be good enough to trigger safely shelling out to the sops CLI and adding the decrypted vars to the play run.

The case would be a single Ansible site config repository that's shared across a team, so that YAML vars files can be encrypted to various team members' GPG keys, and safely stored in version control.

I'm happy to tackle prototyping the integration, but wanted to take the time to open an issue here in case others are interested in same. Feel free to comment here, otherwise I'll report back with progress when and if some is made.
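The detection-then-decrypt flow described above (a vars file is treated as SOPS-managed only if it carries a top-level `sops` key, in which case the plugin shells out to the `sops` CLI and merges the decrypted result into the play) can be prototyped without any Ansible plugin scaffolding. The following is an added example, not code from the issue author or from the sops project. It assumes the real `sops` binary is on `PATH` and that `sops --decrypt --output-type json` is used so the result can be parsed with the standard library; the sample vars files and the fake decrypt function used in `demo()` are constructed here for illustration.

```python
"""Minimal SOPS-aware vars loader: detect, shell out, merge (added example)."""
import json
import re
import subprocess
import tempfile
from pathlib import Path
from typing import Callable, Optional

# A SOPS-encrypted YAML file stores its metadata under a top-level "sops" key,
# so we only look for that key at column 0 (nested keys named "sops" are ignored).
TOP_LEVEL_SOPS_KEY = re.compile(r"^sops:", re.MULTILINE)


def is_sops_encrypted(text: str) -> bool:
    """Return True if the YAML text has a top-level 'sops' metadata key."""
    return TOP_LEVEL_SOPS_KEY.search(text) is not None


def run_sops_decrypt(path: str) -> str:
    """Shell out to the real sops CLI (assumed installed) and return JSON text.

    Arguments are passed as a list, so the path is never interpreted by a shell.
    A non-zero exit (wrong key, tampered MAC, or a plain file that merely has a
    variable named 'sops') is surfaced as an error instead of silently ignored.
    """
    result = subprocess.run(
        ["sops", "--decrypt", "--output-type", "json", path],
        capture_output=True, text=True, check=False,
    )
    if result.returncode != 0:
        raise RuntimeError(f"sops failed to decrypt {path}: {result.stderr.strip()}")
    return result.stdout


def load_sops_vars(path: str,
                   decrypt: Callable[[str], str] = run_sops_decrypt) -> Optional[dict]:
    """Return decrypted vars for a SOPS file, or None if the file is not SOPS-managed.

    Returning None lets the caller fall back to Ansible's normal YAML loading
    for plaintext vars files, so nothing is shelled out for ordinary files.
    """
    text = Path(path).read_text(encoding="utf-8")
    if not is_sops_encrypted(text):
        return None
    data = json.loads(decrypt(path))
    if not isinstance(data, dict):
        raise ValueError(f"{path}: decrypted vars must be a mapping, got {type(data).__name__}")
    # sops strips its own metadata on decrypt; drop it defensively so it can
    # never leak into play variables.
    data.pop("sops", None)
    return data


# --- constructed sample input (placeholders, not real ciphertext or fingerprints) ---
ENCRYPTED_SAMPLE = """\
db_password: ENC[AES256_GCM,data:PLACEHOLDER,iv:PLACEHOLDER,tag:PLACEHOLDER,type:str]
sops:
    mac: ENC[AES256_GCM,data:PLACEHOLDER,type:str]
    pgp:
        - fp: 0000000000000000000000000000000000000000
"""
PLAIN_SAMPLE = "ntp_server: pool.example.org\n"


def fake_decrypt(path: str) -> str:
    """Stand-in for the sops CLI so the example runs offline (constructed)."""
    return json.dumps({"db_password": "hunter2"})


def demo():
    """Load one encrypted and one plaintext vars file; return both results."""
    with tempfile.TemporaryDirectory() as tmp:
        enc = Path(tmp, "prod.sops.yml")
        enc.write_text(ENCRYPTED_SAMPLE, encoding="utf-8")
        plain = Path(tmp, "all.yml")
        plain.write_text(PLAIN_SAMPLE, encoding="utf-8")
        return (load_sops_vars(str(enc), decrypt=fake_decrypt),
                load_sops_vars(str(plain), decrypt=fake_decrypt))


if __name__ == "__main__":
    print(demo())
```

The key-detection check is deliberately narrow: a variable file that happens to define a top-level variable literally named `sops` will be handed to the CLI, which then fails because the metadata block is malformed, and that failure is raised rather than swallowed, so a mis-named variable never silently yields an empty vars set.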

conorsch commented 6 years ago

Here's a working prototype that handles host/group vars encrypted with SOPS: https://gist.github.com/conorsch/1556c634b1b65598bc766737d9e76fc6 It will not decrypt vars in other locations, e.g. vars/. For that, a custom parser must be written for Ansible, which involves a patch (and therefore a fork) of Ansible itself to work.

musicformellons commented 6 years ago

@conorsch I am looking around for a key/secret solution and stumbled onto sops, which, as far as I understand things right now, I like for being versatile, supporting aws kms, google kms, gpg, and supported by mozilla etc. Integration with Ansible is a requirement for me as well. Before, I was going in the direction of Credstash (aws kms) and noticed that it is supported by Ansible as a lookup.

Probably I am wrong, new as I am in this field, but my impression is that sops as a vars_plugin can only be used for setting up host keys, whereas as a lookup it would be more versatile. Could you maybe shed some light on this? E.g.:

endorama commented 5 years ago

Hello, I provided two more ansible plugins for supporting all sops features in Ansible.

You can check out the PRs here:

Both are being used by our operations team at my company since late 2018.

MarkusTeufelberger commented 4 years ago

Work seems to be progressing in https://github.com/ansible-collections/community.sops

endorama commented 4 years ago

Indeed it is! Testers are welcome, consider we are working towards the first release so you should install it via git (ansible-galaxy collection install https://github.com/ansible-collections/community.sops.git)

endorama commented 3 years ago

Hello, an update on the Ansible Sops community collection.

We released version 1.0.0 and added more capabilities:

Feel free to open an issue with feature requests or bug reports!

The collection is available from Ansible Galaxy and we are working to have it included in Ansible 2.11.

I think this issue can be closed and I would be happy to follow up in #337 to update the sops documentation.

felixfontein commented 3 years ago

Heh, I didn't know there was an Ansible issue in this repo :)

It will be Ansible 3.0.0 BTW and not 2.11; there will be no Ansible 2.11, the next major Ansible release will be 3.0.0. (Not to be confused with ansible-base/ansible-core; they will continue with 2.x.y versions, i.e. the next release will be ansible-core 2.11. Ansible is ansible-base/ansible-core + a set of collections.)

ajvb commented 3 years ago

Awesome, thank you @endorama!

duckie commented 1 year ago

We use an in-house vars plugin at my company. It is similar to the community one but with additional tricks to decrypt on many different cloud accounts in the same run, based on discoverable env vars files along the secrets files. Works like a charm.