Apply an vault encrypted secret.yaml on a k3s cluster

Lance_Lyons · May 23, 2024, 4:01pm

I have a kubernetes secret that has been encrypted by ansible-vault such that secret.yml is encrypted so if checked in, it wont be in plain text.

I would like to do a command on the k3s node to apply the decrypted secret.yml but the ansible-vault tool only exists on the machine with the playbook scripts

kubectl apply -f (decrypted secret.yml)

for other instances of doing kubectl apply -f someyamlfile.yaml, I would first copy that file over to the node and do the kubectl apply -f on the node

how would i decrypt on the server with ansible-vault / runbooks but do the kubectl apply -f decryptedsecret.yaml

thanks in advance

Lance_Lyons · May 28, 2024, 10:00pm

Is there a way to unencrypt the secret.yml on the server side and then apply the unencrypted secret during the playbook run where the unencrypted secret is never directly stored on disk space?

ptn · May 29, 2024, 6:27am

Hi,

Sure, you can delegate tasks to localhost.

You could also use unvault lookup plugin (for instance) to get your encrypted file content that you could pass to kubectl, k8s module or else.

Topic		Replies	Views
References for using Ansible-Vault's APIs in a Python script Get Help ansible-vault	4	176	May 8, 2024
Facilitate ansible-vaulting of variables from within text editors Project Discussions ansible-vault , yaml	0	233	November 22, 2023
Accessing encrypted configuration values with a plugin Get Help config , plugin , ansible-vault	5	36	November 1, 2024
Get kv secret from the vault with playbook Get Help ansible-core , ssl , hashi-vault	7	612	December 8, 2023
Ansible-vault encrypt; return value if already encrypted Get Help ansible-vault	3	33	August 6, 2024

Apply an vault encrypted secret.yaml on a k3s cluster

Related topics