target secret functions support #78
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Too late, are you aware of NaCL / libsodium instead of gpg? It's bit more simple and native in python. GPG depends on some setup. I wrote short article about how it works under Salt - http://apealive.net/post/2017-09-salt-nacl-ext-pillar/ |
|
Well aware of NaCL/libsodium indeed! I did some experimentation a while ago with it, but at the time (and as you state in your article), there was no builtin key management functionality . I do like NaCL/libsodium, but GPG just leaves the key management out of kapitan which we prefer. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This introduces support for creating a target secret on compile time, if the secret does not already exist.
Target secrets have been introduced a few commits ago and have proven to work well. However when using reclass inventory interpolation for target secret tags, you will be forced to create all of the interpolated target secrets manually as compilation will fail.
To solve this problem, this PR proposes the following new (optional) form of secret tags:
?{gpg:path/to/new_secret|randomstr:32}Or interpolating
${target_name}:?{gpg:targets/${target_name}/new_secret|randomstr:16}If
path/to/new_secretdoes not exist undersecrets_pathit evaluatesrandomstr:32, a function supported in this PR, which returns a 32 (as parameterised) byte-log random string generated by https://docs.python.org/3/library/secrets.html#secrets.token_urlsafe and creates the secret with its content.randomstrcan also be evaluated without a parameter and a base64 encoded version of it is also available asrandomstrb64(which mimics the --base64 flag inkapitan secretscommand line).Note that this only supports target secrets and requires the recipients to be set in the inventory for the target being compiled. Once the target secret is created from a function, it will not be recreated.