Load vault passwords from local password store, then cache them
Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>certbot_on_virtu
parent
6026f8d84e
commit
cb8f5b1537
@ -6,6 +6,7 @@
|
||||||
roles_path = ./roles
|
roles_path = ./roles
|
||||||
action_plugins = ./action_plugins
|
action_plugins = ./action_plugins
|
||||||
lookup_plugins = ./lookup_plugins
|
lookup_plugins = ./lookup_plugins
|
||||||
|
vars_plugins = ./vars_plugins
|
||||||
|
|
||||||
# Do not create .retry files
|
# Do not create .retry files
|
||||||
retry_files_enabled = False
|
retry_files_enabled = False
|
||||||
|
|
|
@ -1 +0,0 @@
|
||||||
vault: "{{ lookup('pipe', 'pass show crans/ansible_vault') | from_yaml }}"
|
|
|
@ -0,0 +1,57 @@
|
||||||
|
#!/usr/bin/env python
|
||||||
|
from functools import lru_cache
|
||||||
|
from os import getenv
|
||||||
|
from pathlib import Path
|
||||||
|
import subprocess
|
||||||
|
import sys
|
||||||
|
|
||||||
|
from ansible.plugins.vars import BaseVarsPlugin
|
||||||
|
|
||||||
|
|
||||||
|
DOCUMENTATION = """
|
||||||
|
module: pass
|
||||||
|
vars: vault
|
||||||
|
version_added: 2.9
|
||||||
|
short_description: Load vault passwords from pass
|
||||||
|
description:
|
||||||
|
- Works exactly as a vault, loading variables from pass.
|
||||||
|
- Decrypts the YAML file `ansible_vault` from cranspasswords.
|
||||||
|
- Loads the secret variables.
|
||||||
|
- Makes use of data caching in order to avoid calling cranspasswords multiple times.
|
||||||
|
- Uses the local gpg key from the user running ansible on the Control node.
|
||||||
|
"""
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
class VarsModule(BaseVarsPlugin):
|
||||||
|
@staticmethod
|
||||||
|
@lru_cache
|
||||||
|
def vault_passwords():
|
||||||
|
"""
|
||||||
|
Passwords are decrypted from the local password store, then are cached.
|
||||||
|
By that way, we don't decrypt these passwords everytime.
|
||||||
|
"""
|
||||||
|
password_store = Path(getenv('PASSWORD_STORE_DIR', Path.home() / '.password-store'))
|
||||||
|
full_command = ['gpg', '-d', password_store / getenv('CRANS_PASSWORD_STORE_SUBMODULE', 'crans') / 'ansible_vault.gpg']
|
||||||
|
proc = subprocess.run(full_command, capture_output=True, close_fds=True)
|
||||||
|
clear_text = proc.stdout.decode('UTF-8')
|
||||||
|
sys.stderr.write(proc.stderr.decode('UTF-8'))
|
||||||
|
return clear_text
|
||||||
|
|
||||||
|
def get_vars(self, loader, path, entities):
|
||||||
|
"""
|
||||||
|
Get all vars for entities, called by Ansible.
|
||||||
|
|
||||||
|
loader: Ansible's DataLoader.
|
||||||
|
path: Current play's playbook directory.
|
||||||
|
entities: Host or group names pertinent to the variables needed.
|
||||||
|
"""
|
||||||
|
# VarsModule objects are called every time you need host vars, per host,
|
||||||
|
# and per group the host is part of.
|
||||||
|
# It is about 6 times per host per task in current state
|
||||||
|
# of Ansible Crans configuration.
|
||||||
|
|
||||||
|
# It is way to much.
|
||||||
|
# So we cache the data into the DataLoader (see parsing/DataLoader).
|
||||||
|
|
||||||
|
return {'vault': loader.load(VarsModule.vault_passwords())}
|
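Review bot: `vault_passwords` never checks `proc.returncode`, so when gpg cannot decrypt `ansible_vault.gpg` (missing key, no agent, wrong store path) `clear_text` is `''`, the `lru_cache` pins that empty result for the rest of the run, and `get_vars` hands Ansible an empty `vault` (presumably `None` from `loader.load('')`) instead of aborting — a decryption failure here should fail closed. After the `sys.stderr.write(...)` line add `if proc.returncode != 0: raise AnsibleError('gpg failed to decrypt ansible_vault.gpg')` with `from ansible.errors import AnsibleError` among the imports. The comment in `get_vars` saying the data is cached "into the DataLoader" does not match the code: the only cache is the `lru_cache` on the decrypted text, and `loader.load()` still re-parses the YAML on every call, so reword it to `# So we cache the decrypted text (see vault_passwords); loader.load() still parses it on each call.`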