openstack/openstack-ansible-ops
Code Issues Proposed changes
Files
6a600eb981aeda03fb558efa2ba3f38af0fd6b20
openstack-ansible-ops/encrypt_secrets/roles/ansible_vault/defaults/main.yml
Dmitriy Rabotyagov 6a600eb981 Add a collection for managing encryption of secret data 
Best practices should referring to at least basic encryption of data
including SSH keypairs, PKI certificates, user_secrets, etc.

This collection aims to help/assist with managing data in encrypted
state, in case ansuble_vault is used as an encryption mechanism.

The collection should allow adding more supproted mechanism,
like SOPS for managing data encryption in the future.

Change-Id: I8af3118946682af4ec31bb1d4f6bea93be34f68c
2025-05-02 08:03:24 +00:00

40 lines
2.0 KiB
YAML
Raw Blame History

---
# Copyright 2025, Advanced Hosters B.V.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Allowed values: "encrypt", "decrypt" and "rotate"
ansible_vault_action: encrypt
# Path to the OpenStack-Ansible configuration (openstack_deploy) folder
ansible_vault_repo_path: "{{ lookup('ansible.builtin.env', 'OSA_CONFIG_DIR') | default(lookup('ansible.builtin.env', 'PWD') ~ '/openstack_deploy', True) }}"
# Name of the region, which will be used as vault id
ansible_vault_region: "{{ service_region | default('RegionOne') }}"
# Path to the ansible-vault password file
ansible_vault_pw: "{{ lookup('ansible.builtin.env', 'ANSIBLE_VAULT_PASSWORD_FILE') }}"
# Path to the freshly generated ansible-vault password file. Used for rotation only
ansible_vault_new_pw: "{{ ansible_vault_pw ~ '.new' }}"
# If in-place copy is enabled, role will completely override the resulting file
# When disabled, Ansible will produce a managed block for each managed variable
ansible_vault_in_place_copy: true
# Paths to files, where individual variables needs to be encrypted
ansible_vault_secrets_paths:
- "{{ ansible_vault_repo_path }}/user_secrets.yml"
- "{{ ansible_vault_repo_path }}/group_vars/all/secrets.yml"
# Instead of defining paths to files explicitly, you can search filesystem for
# files with individually encrypted secrets. Results will be combined with
# `ansible_vault_secrets_paths`
ansible_vault_secrets_search_paths: []
ansible_vault_secrets_search_pattern: "secrets.yml"
# Can be overriden to a specific destination in case venv is not activated
ansible_vault_binary: ansible-vault
View Git Blame Copy Permalink