Review #687

encrypt ansible vault password (locally)

Added by Pierre-Louis Bonicoli about 1 month ago. Updated 1 day ago.

Status: In Progress
Priority: Normal
Category: -
Start date: 2020-03-10
Branch: duckcorp/admin:encrypt_vault_password and duckcorp/duckcorp-infra:decrypt_vault_password

Description

  1. duckcorp/admin:encrypt_vault_password branch: encrypt Ansible Vault password
  2. duckcorp/duckcorp-infra:decrypt_vault_password branch: decrypt Ansible Vault password when needed

History

#1

Updated by Pierre-Louis Bonicoli about 1 month ago

  • Description updated (diff)
  • Status changed from New to In Progress

#2

Updated by Marc Dequènes 28 days ago

Quack,

I tested the use of ansible-playbook and it works fine. The setup too is very easy. Nevertheless I cannot anymore do any git show/diff/grep with automatic decryption. I suppose that the operation changes the workdir because setting ANSIBLE_VAULT_PASSWORD_FILE with the absolute path of the script solves all these problems. Thus I would be in favor of documenting this too (the setting in ansible.cfg can be kept or not, your choice).

#3

Updated by Pierre-Louis Bonicoli 20 days ago

Marc Dequènes wrote:

Nevertheless I cannot anymore do any git show/diff/grep with automatic decryption. I suppose that the operation changes the workdir because setting ANSIBLE_VAULT_PASSWORD_FILE with the absolute path of the script solves all these problems. Thus I would be in favor of documenting this too (the setting in ansible.cfg can be kept or not, your choice).

Does that work with the Git configuration below?

[diff "ansible-vault"]
    textconv = ANSIBLE_VAULT_PASSWORD_FILE=ansible/decrypt-vault-password.sh ansible-vault view
    cachetextconv = false

What do you prefer:
- to define ANSIBLE_VAULT_PASSWORD_FILE environment variable
- or to use the configuration above - in this case, should this configuration be committed in $GIT_DIR/config?

#4

Updated by Marc Dequènes 17 days ago

  • Assignee changed from Marc Dequènes to Pierre-Louis Bonicoli

It works.

I would like things that are mechanism and not really settings to be centralized in my ~/.gitconfig, so I prefer to set ANSIBLE_VAULT_PASSWORD_FILE (as before but different value).

The config in ansible.cfg may stay but since we have encrypted files outside ansible/ that may not be very practical in the end. If you use it yourself and are fine with it, then you can keep it.

#5

Updated by Marc Dequènes 1 day ago

Any news?
Since this is almost done, it would be nice to have it merged.
