Draft: Add support for segmented vault access

All-or-nothing access to the vault is a bit annoying (to say it mildly). Even with SSH access to a few hosts, I can't run the playbooks without first:

  1. Run `find -name 'vault_*' -delete`
  2. Remove `vault_password_file = misc/get-vault-pass.sh` from `ansible.cfg`
  3. Copy all the secrets from the hosts to the playbook

This is not enough to make everything work without hacks (all the `group_vars/all/vault_*` files need to be moved somewhere more specific, e.g. `vars/<role>.yml`).

More vaults!

  • monitoring vault
  • Hetzner vault for `hcloud_inventory.py` (should be a read-only key)
  • Move all `group_vars/all/vault_*` to `vars/<role>` (use a symlink if it is required by multiple roles)
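As an added example (not part of this merge request or the project's own tooling), the script below audits a playbook checkout for the segmentation this MR is after: every vault file is reported with its vault-id label, and files that are still all-or-nothing are flagged, either because they were encrypted without a vault-id (an `$ANSIBLE_VAULT;1.1;` header, openable only with the single global password) or because they still live under `group_vars/all/`. It assumes vault files are recognised by their first line, that the 1.2 header carries the label as its last `;`-separated field, that paths contain no whitespace, and that `make_sample_repo` builds a constructed tree (stand-in hex bodies, not real ciphertext) purely so the audit can be run offline.

```shell
#!/bin/sh
# Added example, not code from the merge request.
# Assumption: a vault file is any file whose first line starts with "$ANSIBLE_VAULT".
# Format 1.2 headers carry a vault-id label as the last field
# ("$ANSIBLE_VAULT;1.2;AES256;<label>"); format 1.1 headers carry none.

# vault_label FILE -> prints the vault-id label ("default" for unlabelled files);
# returns 1 when FILE is not a vault file at all.
vault_label() {
    header=$(head -n 1 "$1")
    case "$header" in
        '$ANSIBLE_VAULT;1.2;'*) printf '%s\n' "${header##*;}" ;;
        '$ANSIBLE_VAULT;1.1;'*) printf 'default\n' ;;
        *) return 1 ;;
    esac
}

# audit_vaults DIR -> one line per vault file: "FLAG LABEL RELATIVE_PATH".
# A file is UNSEGMENTED when it has no vault-id or still sits in group_vars/all/,
# i.e. when it can only be opened by whoever holds the global password.
# Assumption: no whitespace in paths (the for loop word-splits find's output).
audit_vaults() {
    dir=$1
    for f in $(find "$dir" -type f -print | sort); do
        label=$(vault_label "$f") || continue
        rel=${f#"$dir"/}
        case "$label:$rel" in
            default:*|*:group_vars/all/*) flag=UNSEGMENTED ;;
            *) flag=ok ;;
        esac
        printf '%-12s %-10s %s\n' "$flag" "$label" "$rel"
    done
}

# count_unsegmented DIR -> prints how many vault files are still all-or-nothing.
count_unsegmented() {
    audit_vaults "$1" | awk '$1 == "UNSEGMENTED" { n++ } END { print n + 0 }'
}

# make_sample_repo DIR -> constructed sample tree; bodies are placeholder hex,
# only the headers matter to the audit.
make_sample_repo() {
    dir=$1
    mkdir -p "$dir/group_vars/all" "$dir/vars"
    printf '$ANSIBLE_VAULT;1.1;AES256\n3030303030\n' > "$dir/group_vars/all/vault_monitoring.yml"
    printf '$ANSIBLE_VAULT;1.2;AES256;hetzner\n3030303030\n' > "$dir/group_vars/all/vault_hetzner.yml"
    printf '$ANSIBLE_VAULT;1.2;AES256;monitoring\n3030303030\n' > "$dir/vars/monitoring.yml"
    printf '$ANSIBLE_VAULT;1.2;AES256;hetzner\n3030303030\n' > "$dir/vars/hetzner.yml"
    printf 'all:\n  hosts:\n    example:\n' > "$dir/hosts.yml"
}

# Usage: sh audit.sh /path/to/playbook-checkout
if [ "$#" -gt 0 ]; then
    audit_vaults "$1"
    printf 'unsegmented vault files: %s\n' "$(count_unsegmented "$1")"
fi
```

Run against the sample tree, the two files under `group_vars/all/` are flagged (one for the missing vault-id, one for its location) while `vars/monitoring.yml` and `vars/hetzner.yml` pass, which is the end state the task list above describes.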
Edited by Kristian Klausen