Load vault passwords from local password store, then cache them

Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>

Load vault passwords from local password store, then cache them
Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
cb8f5b15 · ynerant · ynerant · 6026f8d8 · cb8f5b15 · 6026f8d8
Commit cb8f5b15 authored 4 years ago by ynerant Committed by ynerant 4 years ago
--- a/ansible.cfg
+++ b/ansible.cfg
@@ -6,6 +6,7 @@
 roles_path = ./roles
 action_plugins = ./action_plugins
 lookup_plugins = ./lookup_plugins
+vars_plugins = ./vars_plugins

 # Do not create .retry files
 retry_files_enabled = False

--- a/group_vars/all/vault.yml
+++ b/group_vars/all/vault.yml
-vault: "{{ lookup('pipe', 'pass show crans/ansible_vault') | from_yaml }}"
--- a/vars_plugins/pass.py
+++ b/vars_plugins/pass.py
+#!/usr/bin/env python
+from functools import lru_cache
+from os import getenv
+from pathlib import Path
+import subprocess
+import sys
+
+from ansible.plugins.vars import BaseVarsPlugin
+
+
+DOCUMENTATION = """
+    module: pass
+    vars: vault
+    version_added: 2.9
+    short_description: Load vault passwords from pass
+    description:
+        - Works exactly as a vault, loading variables from pass.
+        - Decrypts the YAML file `ansible_vault` from cranspasswords.
+        - Loads the secret variables.
+        - Makes use of data caching in order to avoid calling cranspasswords multiple times.
+        - Uses the local gpg key from the user running ansible on the Control node.
+"""
+
+
+
+class VarsModule(BaseVarsPlugin):
+    @staticmethod
+    @lru_cache
+    def vault_passwords():
+        """
+        Passwords are decrypted from the local password store, then are cached.
+        By that way, we don't decrypt these passwords everytime.
+        """
+        password_store = Path(getenv('PASSWORD_STORE_DIR', Path.home() / '.password-store'))
+        full_command = ['gpg', '-d', password_store / getenv('CRANS_PASSWORD_STORE_SUBMODULE', 'crans') / 'ansible_vault.gpg']
+        proc = subprocess.run(full_command, capture_output=True, close_fds=True)
+        clear_text = proc.stdout.decode('UTF-8')
+        sys.stderr.write(proc.stderr.decode('UTF-8'))
+        return clear_text
+
+    def get_vars(self, loader, path, entities):
+        """
+        Get all vars for entities, called by Ansible.
+
+        loader: Ansible's DataLoader.
+        path: Current play's playbook directory.
+        entities: Host or group names pertinent to the variables needed.
+        """
+        # VarsModule objects are called every time you need host vars, per host,
+        # and per group the host is part of.
+        # It is about 6 times per host per task in current state
+        # of Ansible Crans configuration.
+
+        # It is way to much.
+        # So we cache the data into the DataLoader (see parsing/DataLoader).
+
+        return {'vault': loader.load(VarsModule.vault_passwords())}