Can't specify parameter: _valid_extensions in ansible.cfg #183

Closed
ZzenlD opened this issue Jun 14, 2024 · 8 comments · Fixed by #186

Comments

@ZzenlD commented Jun 14, 2024

Hello :)

In my Ansible inventory I encrypt only some of the variables with the command:

sops --set '["foo_password"] "password_value"' host_vars/example_host.yml

My .sops.yml looks like:

creation_rules:
  - age: <my-age-key>
    encrypted_regex: _(password|apikey)$
    mac_only_encrypted: true

The encryption works fine and as expected, but the decryption is not working.
In Ansible I use the community.sops.sops vars plugin and my ansible.cfg looks like:

[defaults]
vars_plugins_enabled = host_group_vars,community.sops.sops

[community.sops]
age_keyfile = <path to key-file>
config_file = <path to config-file>
_valid_extensions = [".sops.yml", ".sops.yaml", ".sops.json", ".yml"]

If I understood correctly, I can tell the community.sops.sops vars plugin with the parameter _valid_extensions that it should also read my normal YAML files. But it does not work.

Thanks for your help; maybe I misunderstood something.

@felixfontein (Collaborator)

The _valid_extensions option is (currently) not user-configurable. You can only use keys in the INI file that are explicitly specified, like age_keyfile or config_file (they have Configuration: entries in https://docs.ansible.com/ansible/devel/collections/community/sops/sops_vars.html#parameters which list how they can actually be set).

@ZzenlD (Author) commented Jun 14, 2024

So this means it's impossible that Ansible will automatically decrypt host_vars without the .sops.yml ending?

@felixfontein (Collaborator)

Right now, yes, it's impossible.

@felixfontein (Collaborator)

#186 makes this configurable.

@ZzenlD (Author) commented Jul 26, 2024

Thank you very much for that.
I have now configured it as follows:

ansible.cfg:

[defaults]
vars_plugins_enabled = host_group_vars, community.sops.sops

[community.sops]
age_keyfile = <path to key-file>
config_path = <path to config-file>
valid_extensions = [".sops.yml", ".sops.yaml", ".sops.json", ".yml"]

If I now create a host_vars/host1.sops.yml with the following content:

test_password: ENC[AES256_GCM,data:5537Sw==,iv:GTV5rBdB2p5ecBC688WtQmYiqny7V3S+JIRjfpAgsvU=,tag:HwJ4UgzceVguua7zmuMo5A==,type:str]
sops:
  <sops-specific content here>

And then execute the following playbook:

- hosts: all
  gather_facts: false
  tasks:
    - debug:
        msg: "test_password: {{ test_password }}"

I receive the following (correct) output:

PLAY [host1] ******************************************************************************************************

TASK [debug] *********************************************************************************************************
ok: [host1] => 
  msg: 'test_password: <clear-text-password>'

PLAY RECAP ***********************************************************************************************************
host1                   : ok=1    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0 

If I rename the host_vars/host1.sops.yml to host_vars/host1.yml, I get the following (incorrect) output:

PLAY [host1] ******************************************************************************************************

TASK [debug] *********************************************************************************************************
ok: [host1] => 
  msg: 'test_password: ENC[AES256_GCM,data:5537Sw==,iv:GTV5rBdB2p5ecBC688WtQmYiqny7V3S+JIRjfpAgsvU=,tag:HwJ4UgzceVguua7zmuMo5A==,type:str]'

PLAY RECAP ***********************************************************************************************************
host1                   : ok=1    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

So it is not being decrypted correctly; have I overlooked something, or is this a bug? Thanks for your help.

@ZzenlD (Author) commented Jul 26, 2024

I found the error myself and would like to provide the solution here so that it helps others who also encounter it.

The error is in the ansible.cfg, it must look like this:

[defaults]
vars_plugins_enabled = host_group_vars, community.sops.sops

[community.sops]
age_keyfile = <path to key-file>
config_path = <path to config-file>
valid_extensions = .sops.yml, .sops.yaml, .sops.json, .yml

@felixfontein (Collaborator)

You can also see the syntax when checking out the INI entry part of the documentation: https://docs.ansible.com/ansible/devel/collections/community/sops/sops_vars.html#parameter-valid_extensions

@felixfontein (Collaborator)

(Also you can remove .sops.yml from the extension list if you have .yml on it :) )
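Added here as a worked check of the INI syntax discussed in the last few comments (the bracketed list that silently misbehaved versus the comma-separated form that works). This is illustration code written for this page, not code from community.sops or ansible-core. It reads both ansible.cfg variants posted above with configparser, coerces valid_extensions the way Ansible's ensure_type() treats list-typed INI options (split on commas, strip each item, drop one layer of matching quotes; this model of ansible-core's internals is an assumption to verify against your installed version), and flags any entry that can never match a file name. The key-file and config paths are placeholders.

```python
"""Lint the valid_extensions entry of an ansible.cfg before running a playbook.

Illustration for this issue, not code from community.sops or ansible-core.
The list coercion below is modelled on Ansible's ensure_type(value, 'list')
and ansible.parsing.quoting.unquote (assumption about the internals: verify
against the ansible-core version you run).
"""
import configparser

# Two ansible.cfg variants, constructed from the configs posted in this issue.
# Paths are placeholders.
CFG_BRACKETED = """\
[defaults]
vars_plugins_enabled = host_group_vars, community.sops.sops

[community.sops]
age_keyfile = /path/to/age-keys.txt
config_path = /path/to/.sops.yaml
valid_extensions = [".sops.yml", ".sops.yaml", ".sops.json", ".yml"]
"""

CFG_COMMA = """\
[defaults]
vars_plugins_enabled = host_group_vars, community.sops.sops

[community.sops]
age_keyfile = /path/to/age-keys.txt
config_path = /path/to/.sops.yaml
valid_extensions = .sops.yml, .sops.yaml, .sops.json, .yml
"""


def unquote(value: str) -> str:
    """Strip one pair of matching surrounding quotes (modelled on Ansible's unquote)."""
    if len(value) > 1 and value[0] == value[-1] and value[0] in ('"', "'") and value[-2] != "\\":
        return value[1:-1]
    return value


def ini_list(raw: str) -> list[str]:
    """Coerce a raw INI value to a list: comma-separated, items stripped and unquoted."""
    return [unquote(item.strip()) for item in raw.split(",")]


def read_valid_extensions(cfg_text: str) -> list[str]:
    """Return the list the sops vars plugin would receive for valid_extensions."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(cfg_text)
    return ini_list(parser.get("community.sops", "valid_extensions"))


def bad_extensions(extensions: list[str]) -> list[str]:
    """Entries that can never match host_vars/<host><ext>: an extension must start
    with '.' and must not carry quote or bracket characters left over from a
    JSON/YAML-style list literal."""
    return [e for e in extensions if not e.startswith(".") or any(c in e for c in "\"'[]")]


def lint(cfg_text: str) -> tuple[list[str], list[str]]:
    """Parse valid_extensions and return (parsed list, entries that look broken)."""
    exts = read_valid_extensions(cfg_text)
    return exts, bad_extensions(exts)


if __name__ == "__main__":
    for label, cfg in (("bracketed list", CFG_BRACKETED), ("comma-separated", CFG_COMMA)):
        exts, bad = lint(cfg)
        print(f"{label}: parsed as {exts}")
        if bad:
            print(f"  WARNING: entries that will never match a file: {bad}")
        else:
            print("  ok")
```

configparser itself accepts both forms without complaint, which is why the mistake is invisible until a playbook prints ENC[...] instead of the secret; the check has to be made on the coerced list, not on the raw INI value.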
