Draft: Add support for segmented vault access (!382) · Merge requests · Arch Linux / infrastructure

Kristian Klausen requested to merge klausenbusk/infrastructure:segmented-vault into master May 10, 2021

All-or-nothing access to the vault is a bit annoying (to say it mildly). Even with SSH access to a few hosts, I can't run the playbooks without first:

Run find -name vault_* -delete
Remove vault_password_file = misc/get-vault-pass.sh from ansible.cfg
Copy all the secrets from the hosts to the playbook

This is not enough to make everything works without hacks (all the group_vars/all/vault_* files need to be moved somewhere more specific, ex: vars/<role>.yml).

More vaults!

monitoring vault
Hetzner vault for hcloud_inventory.py (should be a read-only key)
Move all group_vars/all/vault_* to vars/<role> (use symlink if it is required by multiple roles)

Edited May 12, 2021 by Kristian Klausen

Admin message

Draft: Add support for segmented vault access

Merge request reports