Managing secrets
We need a way to effectively manage secrets in this repository.

I've looked at sops, which is an interesting tool. There is support for sops (via a plugin) in kustomize, but not in the oc apply command, and the plugin support required only works when specifying --enable_alpha_plugins on the command line, which is (a) a PITA to type every time, and (b) a strong signal that the feature isn't ready yet.

There exists a community sops collection for Ansible, but the out-of-the-box integration only works with Ansible 2.10, which was only recently released and isn't generally available yet.
Given the current state of sops integration with our chosen tooling, we've put together an alternative solution using GPG and ansible-vault. The vault key is stored in the repository, but is encrypted using gpg (to the identities listed in .vault_pgp_keys). By pointing Ansible's vault_password_file option at a script, we can have Ansible decrypt the files on the fly when they are required.

You can find the implementation in the feature/gpg branch of this repository.
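As an added illustration of the scheme just described (this is example code, not the contents of the feature/gpg branch): a vault_password_file helper that decrypts the gpg-encrypted vault password on demand and re-encrypts it to the identities in .vault_pgp_keys. The file names .vault_key.gpg and vault-pass.py, and the one-identity-per-line format of .vault_pgp_keys, are assumptions.

```python
#!/usr/bin/env python3
# Added example of the GPG + ansible-vault scheme (not the feature/gpg branch).
# Assumed file names (not taken from the repository):
#   .vault_pgp_keys  GPG key ids/fingerprints, one per line, '#' comments
#   .vault_key.gpg   the ansible-vault password, gpg-encrypted to those keys
# ansible.cfg: vault_password_file = ./vault-pass.py (executable; no arguments)
import subprocess
import sys
from pathlib import Path

KEYS_FILE = Path(".vault_pgp_keys")
ENC_KEY = Path(".vault_key.gpg")

def read_recipients(text):
    """Parse .vault_pgp_keys: drop comments and blanks, dedupe, keep order."""
    recipients = []
    for line in text.splitlines():
        ident = line.split("#", 1)[0].strip()
        if ident and ident not in recipients:
            recipients.append(ident)
    return recipients

def encrypt_command(recipients, out=ENC_KEY):
    """gpg invocation that encrypts stdin to every listed identity."""
    if not recipients:
        raise ValueError("no recipients listed; refusing to encrypt to nobody")
    cmd = ["gpg", "--batch", "--yes", "--armor", "--encrypt", "-o", str(out)]
    for ident in recipients:
        cmd += ["--recipient", ident]
    return cmd

def decrypt_command(enc=ENC_KEY):
    return ["gpg", "--batch", "--quiet", "--decrypt", str(enc)]

def reencrypt(password):
    """Run after editing .vault_pgp_keys; if a key was removed, rotate too."""
    recipients = read_recipients(KEYS_FILE.read_text())
    subprocess.run(encrypt_command(recipients), input=password.encode(), check=True)

def main():
    # Ansible takes stdout as the password, so diagnostics go to stderr only.
    result = subprocess.run(decrypt_command(), stdout=subprocess.PIPE)
    if result.returncode != 0:
        sys.stderr.write("vault-pass: gpg could not decrypt %s\n" % ENC_KEY)
        return 1
    sys.stdout.buffer.write(result.stdout)
    return 0

if __name__ == "__main__":
    sys.exit(main())
```

Re-encrypting after removing an identity from .vault_pgp_keys only stops that person reading future versions of the key file; they already knew the vault password, so it (and the vault contents) should be rotated as well.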