Apply a vault-encrypted secret.yaml on a k3s cluster

I have a Kubernetes secret that has been encrypted by ansible-vault, so secret.yml is encrypted and, if checked in, it won't be in plain text.

I would like to run a command on the k3s node to apply the decrypted secret.yml, but the ansible-vault tool only exists on the machine with the playbook scripts:

kubectl apply -f (decrypted secret.yml)

For other instances of doing kubectl apply -f someyamlfile.yaml, I would first copy that file over to the node and do the kubectl apply -f on the node.

How would I decrypt on the server with ansible-vault / runbooks but do the kubectl apply -f decryptedsecret.yaml?

Thanks in advance.

Is there a way to unencrypt the secret.yml on the server side and then apply the unencrypted secret during the playbook run where the unencrypted secret is never directly stored on disk space?

Hi,

Sure, you can delegate tasks to localhost.

You could also use the unvault lookup plugin (for instance) to get your encrypted file content, which you could pass to kubectl, the k8s module or something else.

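The unvault approach from the reply, written out as a playbook. This is an added example, not code from the thread; the inventory group k3s_nodes and the location of secret.yml beside the playbook are assumptions. Lookups run on the control machine, so ansible-vault is never needed on the node, and the decrypted manifest reaches kubectl over stdin instead of a copied file.

```yaml
# Added example (not from the thread).
# Assumed names: inventory group "k3s_nodes"; vaulted file "secret.yml"
# stored beside this playbook (or in its files/ directory).
# Run from the control machine:
#   ansible-playbook apply-secret.yml --ask-vault-pass
- name: Apply a vault-encrypted Secret without copying plaintext to the node
  hosts: k3s_nodes
  become: true
  gather_facts: false
  tasks:
    - name: Decrypt on the controller and stream the manifest to kubectl on the node
      ansible.builtin.command:
        cmd: k3s kubectl apply -f -          # "-f -" reads the manifest from stdin
        # The lookup is evaluated on the controller using the vault password
        # supplied at run time; only the result is sent to the node.
        stdin: "{{ lookup('ansible.builtin.unvault', 'secret.yml') | string }}"
      no_log: true                           # keep the decrypted manifest out of task output and logs
      register: apply_result
      # kubectl prints "... unchanged" when the Secret already matches
      changed_when: "'unchanged' not in apply_result.stdout"
```

Without pipelining, Ansible stages the module payload, arguments included, in a temporary file on the node for the duration of the task; setting ANSIBLE_PIPELINING=true avoids that staging file.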