-
-
Save lae/14ae450d4bfd56525d00 to your computer and use it in GitHub Desktop.
Ansible vault transparent encryption revisited
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # Just print out the secrets file as-is if the password file doesn't exist | |
| if [ ! -r '.vault_password' ]; then | |
| cat | |
| exit | |
| fi | |
| CONTENT="$(cat)" | |
| # Store vault's stderr in RESULT and redirect encrypted stdout back to stdout | |
| { | |
| RESULT="$(echo "$CONTENT" | ansible-vault encrypt - --vault-password-file=.vault_password 2>&1 1>&$OUT)"; | |
| } {OUT}>&1 | |
| if echo "$RESULT" | grep -qP "Encryption successful|^$"; then | |
| exit | |
| elif echo "$RESULT" | grep -q "ERROR! input is already encrypted"; then | |
| echo "$CONTENT" | |
| else | |
| # This should be unreachable, but just in case. | |
| echo "RESULT=$RESULT" >> .gitdebug | |
| echo "CONTENT=$CONTENT" >> .gitdebug | |
| exit 1 | |
| fi |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # Just print out the secrets file as-is if the password file doesn't exist | |
| if [ ! -r '.vault_password' ]; then | |
| cat "$1" | |
| exit | |
| fi | |
| export PAGER='cat' | |
| CONTENT="$(ansible-vault view "$1" --vault-password-file=.vault_password 2>&1)" | |
| if echo "$CONTENT" | grep -q 'ERROR! input is not encrypted'; then | |
| cat "$1" | |
| else | |
| echo "$CONTENT" | |
| fi |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # Just print out the secrets file as-is if the password file doesn't exist | |
| if [ ! -r '.vault_password' ]; then | |
| cat | |
| exit | |
| fi | |
| CONTENT="$(cat)" | |
| # Store vault's stderr in RESULT and redirect decrypted stdout back to stdout | |
| { | |
| RESULT="$(echo "$CONTENT" | ansible-vault decrypt - --vault-password-file=.vault_password 2>&1 1>&$OUT)"; | |
| } {OUT}>&1 | |
| if echo "$RESULT" | grep -qP "Decryption successful|^$"; then | |
| exit | |
| elif echo "$RESULT" | grep -q "ERROR! input is not encrypted"; then | |
| echo "A secrets.yml file was committed in cleartext." | |
| echo "Please fix this before continuing." | |
| exit 1 | |
| else | |
| # This should be unreachable, but just in case. | |
| echo "RESULT=$RESULT" >> .gitdebug | |
| echo "CONTENT=$CONTENT" >> .gitdebug | |
| exit 1 | |
| fi |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment