mumoshu / sopsed

Spawning and storage of secure environments powered by sops, inspired by vaulted. Out-of-box support for kubectl, kube-aws, helm, helmfile

Vault auto-selection according to any customizable condition like envvars, cmd, etc. #2

Open mumoshu opened 6 years ago

mumoshu commented 6 years ago

Suppose that a "vault" is a "set of credentials to be decrypted".

Probably with .sopsed.yaml like:

vaults:
  test:
    enabled_if:
      envvars:
        ENV: test
    # - sopsed searches for `credentials/*-key.pem` for encryption
    # - sopsed searches for `credentials/*-key.pem.enc` to decryption
    files: clusters/test/credentials/*-key.pem

whereas decrypted .sopsed/test.yaml is:

env:
  KUBECONFIG: ./kubeconfig
files:
  clusters/test/credentials/foo-key.pem: |
    <content>

so that e.g. ENV=test helmfile sync only triggers decryption necessary to work on the test env.

mumoshu commented 6 years ago

For more versatility, maybe:

.sopsed.yaml:

vaults:
  # Vault containing KUBECONFIG=clusters/test/kubeconfig and the encrypted version of kubeconfig
  kube-test:
    # With SOPSED_COMMAND envvar populated and visible to the script
    enabled_if:
    - ./scripts/env_is test
    - '[ "$SOPSED_COMMAND" == "kubectl" ]'   # quoted so YAML keeps the shell test as one string
    files:
    - clusters/test/credentials/*-key.pem
    # Run maybe `sops set KUBECONFIG=clusters/test/kubeconfig --vault kube-test` to set the envvar
  # Vault containing KUBECONFIG=clusters/prod/kubeconfig and the encrypted version of kubeconfig
  # corresponds to the encrypted vault at .sopsed/kube-prod.yaml
  kube-prod:
    enabled_if:
    - ./scripts/env_is prod
    - '[ "$SOPSED_COMMAND" == "kubectl" ]'   # quoted so YAML keeps the shell test as one string
    files:
    - clusters/prod/credentials/*-key.pem

Usage:

# This runs the kubectl command inside the "test" vault in which KUBECONFIG envvar is populated and the kubeconfig file is there decrypted
$ ENV=test sopsed kubectl get po

# This runs the kubectl command inside the "prod" vault in which KUBECONFIG envvar is populated and the kubeconfig file is there decrypted
$ ENV=prod sopsed kubectl get po

mumoshu commented 6 years ago

.sopsed.yaml should just be:

vaults:
  kube-test:
    enabled_if:
    - ./scripts/env_is test
    - '[ "$SOPSED_COMMAND" == "kubectl" ]'   # quoted so YAML keeps the shell test as one string
  kube-prod:
    enabled_if:
    - ./scripts/env_is prod
    - '[ "$SOPSED_COMMAND" == "kubectl" ]'   # quoted so YAML keeps the shell test as one string

without the files: keys after #5
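The selection logic sketched across the three comments above (an `envvars` map in the first proposal, a list of shell tests with `SOPSED_COMMAND` exported in the later ones), written out as a small added example. This is not sopsed's own code: the config is embedded as a Python dict (constructed here, mirroring the `.sopsed.yaml` drafts) so it runs without a YAML library, `./scripts/env_is` is replaced by an inline `[ "$ENV" = ... ]` test because that hypothetical script does not exist outside the author's repo, and the comparisons use POSIX `=` rather than the bash-only `==` so they hold under `/bin/sh`.

```python
"""Vault auto-selection: decide which sops vaults a command should see.

Every condition of a vault must hold for the vault to be enabled, so a
command run under ENV=test never triggers decryption of the prod vault
(least exposure of long-lived credentials).  Conditions come in two shapes:
  * {"envvars": {NAME: VALUE, ...}}  -> each variable must equal VALUE
  * "shell snippet"                  -> run under /bin/sh, exit 0 == true
The shell form executes text from a repo-checked-in file, so it carries the
same trust as running the tool itself from that checkout.
"""
import os
import subprocess

# Constructed config mirroring the .sopsed.yaml proposals in the thread.
CONFIG = {
    "vaults": {
        # First proposal: declarative envvar match.
        "test": {
            "enabled_if": {"envvars": {"ENV": "test"}},
        },
        # Later proposals: shell tests, with SOPSED_COMMAND exported by the tool.
        # (The thread uses ./scripts/env_is; an inline test stands in for it here.)
        "kube-test": {
            "enabled_if": [
                '[ "$ENV" = "test" ]',
                '[ "$SOPSED_COMMAND" = "kubectl" ]',
            ],
        },
        "kube-prod": {
            "enabled_if": [
                '[ "$ENV" = "prod" ]',
                '[ "$SOPSED_COMMAND" = "kubectl" ]',
            ],
        },
    }
}


def evaluate_condition(cond, env):
    """Return True when a single enabled_if condition holds under `env`."""
    if isinstance(cond, dict):
        wanted = cond.get("envvars", {})
        return all(env.get(name) == value for name, value in wanted.items())
    if isinstance(cond, str):
        # Shell test: only the exit status matters; output is discarded.
        result = subprocess.run(
            ["sh", "-c", cond],
            env=env,
            stdout=subprocess.DEVNULL,
            stderr=subprocess.DEVNULL,
        )
        return result.returncode == 0
    raise TypeError(f"unsupported enabled_if entry: {cond!r}")


def enabled_vaults(config, command, base_env=None):
    """Names of vaults whose conditions all hold for `command` under `base_env`.

    `base_env` defaults to the process environment; SOPSED_COMMAND is set to
    the command being wrapped, as the thread proposes.
    """
    env = dict(os.environ if base_env is None else base_env)
    env["SOPSED_COMMAND"] = command
    env.setdefault("PATH", os.defpath)  # so `sh` is found even with a minimal env
    selected = []
    for name, vault in config["vaults"].items():
        conds = vault.get("enabled_if", [])
        if isinstance(conds, dict):
            conds = [conds]  # single envvars map, as in the first proposal
        if all(evaluate_condition(c, env) for c in conds):
            selected.append(name)
    return selected


if __name__ == "__main__":
    for env_name, cmd in [("test", "kubectl"), ("test", "helmfile"), ("prod", "kubectl")]:
        print(f"ENV={env_name} sopsed {cmd} -> {enabled_vaults(CONFIG, cmd, {'ENV': env_name})}")
```

With the constructed config, `ENV=test sopsed kubectl` enables `test` and `kube-test`, `ENV=test sopsed helmfile` enables only `test`, and `ENV=prod sopsed kubectl` enables only `kube-prod`; an unset `ENV` enables nothing, which is the safe default when the condition cannot be decided.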