#9, #14: Implemented :env:encrypt

src/harbor/__init__.py

@@ -25,6 +25,7 @@
 from .tasks.deployment import ManageVagrantTask
 from .tasks.deployment import EditVaultTask
 from .tasks.deployment import EncryptVaultTask
+from .tasks.deployment import EnvEncryptTask
 from .tasks.diagnostic import DumpComposeArguments
 from .tasks.diagnostic import DumpComposeConfigTask
 from .tasks.gateway import ReloadGatewayTask
@@ -77,6 +78,7 @@ def imports():
         TaskDeclaration(ManageVagrantTask()),
         TaskDeclaration(EditVaultTask()),
         TaskDeclaration(EncryptVaultTask()),
+        TaskDeclaration(EnvEncryptTask()),
 
         # git
         TaskDeclaration(FetchRepositoryTask()),

src/harbor/tasks/deployment.py

@@ -413,10 +413,13 @@ class EditVaultTask(BaseDeploymentTask):
     # usage of environment variable (NOTICE: paths to password files must begin with "/" or "./")
     VAULT_PASSWORDS="./.vault-password-file||second-some-plaintext-password-there" harbor :vault:edit .env-prod
 
+    # use a different text editor (you can also put EDITOR variable to your .env file)
+    EDITOR=vim harbor :vault:edit deployment.yml
+
 HINT: You can avoid writing the path in commandline each time by putting `VAULT_PASSWORDS=./path-to-password-file.txt` to the .env file
 HINT: You can store vault password file on encrypted flash drive, and make a symbolic link. Every time when you mount an encrypted drive you will gain access to the project
 NOTICE: When at least one of vault password files does not exist, then there will be a password prompt
-    """
+"""
 
     def get_group_name(self) -> str:
         return ':harbor:vault'
@@ -481,3 +484,56 @@ def run(self, context: ExecutionContext) -> bool:
             self._clear_old_vault_temporary_files()
 
         return True
+
+
+class EnvEncryptTask(BaseDeploymentTask):
+    """Manages the encryption of .env-prod file
+
+The .env-prod file is a file that could be kept securely in GIT repository while containing passwords
+required for services to work.
+"""
+
+    def get_group_name(self) -> str:
+        return ':harbor:env'
+
+    def get_name(self) -> str:
+        return ':encrypt'
+
+    def format_task_name(self, name) -> str:
+        return development_formatting(name)
+
+    def get_declared_envs(self) -> Dict[str, str]:
+        envs = super(BaseDeploymentTask, self).get_declared_envs()
+        envs['VAULT_PASSWORDS'] = ''
+
+        return envs
+
+    def configure_argparse(self, parser: ArgumentParser):
+        parser.add_argument('--decrypt', '-d', action='store_true', help='Decrypt instead of encrypting')
+        self._add_vault_arguments_to_argparse(parser)
+
+    def run(self, context: ExecutionContext) -> bool:
+        vault_opts = self._get_vault_opts(context)
+        mode = 'decrypt' if context.get_arg('--decrypt') else 'encrypt'
+
+        src = '.env'
+        dst = '.env-prod'
+
+        if mode == 'decrypt':
+            src = '.env-prod'
+            dst = '.env'
+
+        try:
+            self.sh('cp %s %s-tmp' % (src, dst))
+            self.sh('ansible-vault %s %s %s-tmp' % (mode, vault_opts, dst), capture=False)
+            self.sh('mv %s-tmp %s' % (dst, dst))
+        finally:
+            self._clear_old_vault_temporary_files()
+
+        if mode == 'encrypt':
+            try:
+                self.sh('git add %s' % dst)
+            except:
+                pass
+
+        return True