Questions:
- How do you interact with this feature within the inventory?
- Should you be able to have a single file with encrypted data in it that can be used by multiple users, or is it on a per-user basis? Do you need to be able to share the data with multiple people? *The easiest solution seems to be that encrypted data should be on a per-user basis.*
- Does the sensitive data live in the inventory or in an external file?

TODO:
- Look at Ansible Vault: how does that work?

Out of scope:
- Connecting to third-party encrypted data stores, i.e. Vault.
Bolt should support eyaml data in the inventory file.

Users should be able to embed eyaml data in the inventory file, similar to how the prompt plugin works. The plugin should be called eyaml. It should have a single key, "encrypted-value", that holds the ciphertext, for example:

{noformat}
nodes:
  - uri: my_node
    config:
      winrm:
        password:
          _plugin: eyaml
          encrypted-value: >
            ENC[PKCS7,Y22exl+OvjDe+drmik2XEeD3VQtl1uZJXFFF2NnrMXDWx0csyqLB/2NOWefv
            NBTZfOlPvMlAesyr4bUY4I5XeVbVk38XKxeriH69EFAD4CahIZlC8lkE/uDh
            jJGQfh052eonkungHIcuGKY/5sEbbZl/qufjAtp/ufor15VBJtsXt17tXP4y
            l5ZP119Fwq8xiREGOL0lVvFYJz2hZc1ppPCNG5lwuLnTekXN/OazNYpf4CMd
            /HjZFXwcXRtTlzewJLc+/gox2IfByQRhsI/AgogRfYQKocZgFb/DOZoXR7wm
            IZGeunzwhqfmEtGiqpvJJQ5wVRdzJVpTnANBA5qxeA==]
{noformat}

Users should configure the eyaml plugin in {{bolt.yaml}} under the {{plugins:eyaml}} section. Relative paths to keys should be resolved relative to the {{Boltdir}}.

Questions:
- What should the {{encrypted-value}} key be called?
- Can bolt expose the "eyaml" command directly, or do we need {{bolt eyaml encrypt}} and {{bolt eyaml create-keys}}? The latter seems out of scope unless documenting how to use eyaml proves difficult. Can we put eyaml in {{/opt/puppetlabs/bin/eyaml}}, or does it need to be {{/opt/puppetlabs/bolt/bin/eyaml}}?
- Should we leverage hiera-eyaml's gem plugins or just support pkcs7? If we're not going to leverage eyaml plugins we should probably just call this the pkcs7 plugin.

Decisions:
- The user should not have to run the eyaml command to encrypt a value.
- Do we need bolt eyaml commands? Yes. They behave like the {{hiera eyaml}} command and use the hiera CLI class.
- {{bolt eyaml createkeys}} calls hiera's create keys.
- {{bolt eyaml encrypt}} with the f, s and p options.
- {{bolt eyaml decrypt}} with the f and s options.

Out of scope:
- Connecting to third-party encrypted data stores, i.e. Vault. These should be separate plugins.
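As an added example (not Bolt's or hiera-eyaml's own code), the Ruby below sketches what the eyaml plugin has to do end to end with hiera-eyaml's PKCS7 token format: generate a throwaway key pair in the shape createkeys produces, encrypt a value into an ENC[PKCS7,...] token, and walk a parsed inventory replacing every `_plugin: eyaml` reference with its plaintext. The function names, the self-signed certificate, and the constructed sample inventory are assumptions for the illustration; only the token format and the OpenSSL PKCS7 calls mirror what hiera-eyaml does.

```ruby
# Added example, not Bolt's or hiera-eyaml's code: resolve `_plugin: eyaml`
# references in a parsed inventory using hiera-eyaml's PKCS7 token format.
require 'openssl'
require 'base64'
require 'yaml'

ENC_RE = /\AENC\[PKCS7,([A-Za-z0-9+\/=]+)\]\z/

# Throwaway key pair in the shape `eyaml createkeys` produces: an RSA private
# key plus a self-signed certificate carrying the public key. (Constructed for
# this example; real keys would be read from paths relative to the Boltdir.)
def create_keys(bits = 2048)
  key  = OpenSSL::PKey::RSA.new(bits)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse('/CN=eyaml')
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 365 * 24 * 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [key, cert]
end

# Encrypt to the certificate and wrap the DER in the ENC[PKCS7,...] token
# that eyaml writes (PKCS7 EnvelopedData, base64 without line breaks).
def eyaml_encrypt(cert, plaintext)
  cipher = OpenSSL::Cipher.new('aes-256-cbc')
  der = OpenSSL::PKCS7.encrypt([cert], plaintext, cipher, OpenSSL::PKCS7::BINARY).to_der
  "ENC[PKCS7,#{Base64.strict_encode64(der)}]"
end

# Unwrap a token and decrypt it with the private key. A YAML folded scalar
# (`>`) joins the wrapped base64 lines with spaces, so whitespace is dropped
# first, and anything that is not an ENC[PKCS7,...] token is rejected rather
# than silently passed through as if it were a password.
def eyaml_decrypt(key, cert, token)
  m = ENC_RE.match(token.to_s.gsub(/\s+/, ''))
  raise ArgumentError, 'value is not an ENC[PKCS7,...] token' unless m
  OpenSSL::PKCS7.new(Base64.strict_decode64(m[1])).decrypt(key, cert)
end

# Walk the inventory; every hash with `_plugin: eyaml` is replaced by the
# plaintext of its encrypted-value, everything else is copied unchanged.
def resolve_eyaml(data, key, cert)
  case data
  when Hash
    if data['_plugin'] == 'eyaml'
      raise ArgumentError, 'eyaml plugin needs an encrypted-value key' unless data.key?('encrypted-value')
      eyaml_decrypt(key, cert, data['encrypted-value'])
    else
      data.transform_values { |v| resolve_eyaml(v, key, cert) }
    end
  when Array
    data.map { |v| resolve_eyaml(v, key, cert) }
  else
    data
  end
end

# Build an inventory like the one above with a freshly encrypted winrm password
# (token folded across lines), resolve it, and return the recovered password.
def demo(secret = 's3cret')
  key, cert = create_keys
  token = eyaml_encrypt(cert, secret)
  lines = ['nodes:', '  - uri: my_node', '    config:', '      winrm:',
           '        password:', '          _plugin: eyaml',
           '          encrypted-value: >']
  lines += token.scan(/.{1,64}/).map { |chunk| "            #{chunk}" }
  inventory = YAML.safe_load(lines.join("\n") + "\n")
  resolved = resolve_eyaml(inventory, key, cert)
  resolved.dig('nodes', 0, 'config', 'winrm', 'password')
end

puts demo if $PROGRAM_NAME == __FILE__
```

Two points worth keeping when this becomes a real plugin: the private key never leaves the Boltdir (only the certificate is needed to encrypt, which is why `bolt eyaml encrypt` can be run by people who cannot decrypt), and a value under `_plugin: eyaml` that does not parse as a token should be an error, not a fallback to plaintext.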