feat: Secure credential management with automatic vault encryption#442
Open
balajikumaran-c-s wants to merge 17 commits into
Conversation
- Add omnia_test_credentials.yml to gitignore (contains passwords)
- Add .backups/ directory to gitignore (contains sensitive backups)

- Create omnia_test_credentials.yml for sensitive data (passwords)
- Clean omnia_test_config.yml with no sensitive information
- Add proper documentation for LDAP credentials usage

- Update provision module to load LDAP bind credentials from credentials file
- Update apptainer module to load LDAP user credentials from credentials file
- Fix setup_inventory.yml with better error handling for missing vault keys
- Fix sync_project_default.yml to use omnia_core_password from credentials
- All LDAP sensitive data now properly separated from config

- Clear all password fields in omnia_test_credentials.yml
- File ready for users to fill with their actual credentials
- Should be encrypted with ansible-vault before use
Signed-off-by: balajikumaran.cs <balajikumaran.cs@dellteam.com>
Signed-off-by: balajikumaran.cs <balajikumaran.cs@dellteam.com>
- Add logic to encrypt plain text omnia_test_credentials.yml files
- Create vault key automatically if it doesn't exist
- Complete encrypt/decrypt cycle: detect → decrypt → use → re-encrypt
- Handle both encrypted and plain text credentials seamlessly
- All molecule tests now automatically encrypt credentials on first run

- Fix ansible-lint risky-shell-pipe error in setup_inventory.yml
- Update README.md with credentials file documentation
- Update rules.md with load_omnia_test_credentials function
- Document automatic vault encryption for credentials

Files using sync_project_default.yml require omnia_test_credentials to be passed from localhost play to oim_server play for rsync auth. Updated files:
- molecule/build_image_aarch64/converge.yml
- molecule/build_image_x86_64/converge.yml
- molecule/discovery/converge.yml
- molecule/local_repo/converge.yml
- molecule/one_shot_log_extraction/converge.yml
- molecule/prepare_oim/converge.yml
- molecule/provision/converge.yml
- molecule/telemetry/converge.yml

- Add auto-encryption of omnia_test_credentials.yml in pytest_sessionstart
- Ensures credentials are encrypted when running 'verify' only
- Remove verbose pytest options (-v --tb=short -s) from run_molecule.sh
- Fix omnia_test_credentials passthrough in all converge.yml files
Files changed:
- molecule/conftest.py: Add auto-encryption hook
- run_molecule.sh: Remove verbose options
- molecule/*/converge.yml: Add credentials passthrough

- Remove --delete flag from rsync in sync_project_default.yml
- Prevents deletion of config/ folder and other container-generated files
- Now only syncs/updates files from dataset to container
- Preserves: config/, secret.yaml, values.yaml, vault keys
- More scalable approach - any new dataset files sync automatically
Signed-off-by: balajikumaran.cs <balajikumaran.cs@dellteam.com>
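The "detect plain text, create a vault key if missing, encrypt on first run" flow that the commits above describe, written out as an added Python example. This is not the PR's own conftest.py or any code from the project; the file name omnia_test_credentials.yml comes from the PR, but the key path `.vault_key`, the helper names, the sample credential line and the reliance on the real `ansible-vault` CLI being on PATH are assumptions made here. Detection uses the `$ANSIBLE_VAULT;` header that every vault-encrypted file begins with; the key file is created with O_EXCL and mode 0600 so a concurrent run cannot race it and other local users cannot read it.

```python
"""Encrypt a plaintext credentials file with Ansible Vault on first run.

Added illustration, not the PR's conftest.py. Assumed (not from the PR):
the vault key path, helper names, and that `ansible-vault` is installed.
"""
import os
import secrets
import shutil
import subprocess
import tempfile
from pathlib import Path

# Every file written by `ansible-vault encrypt` starts with this header line.
VAULT_HEADER = "$ANSIBLE_VAULT;"


def is_vault_header(line: str) -> bool:
    """True if a first line marks an ansible-vault encrypted file."""
    return line.startswith(VAULT_HEADER)


def is_vault_encrypted(path: Path) -> bool:
    """True if the file on disk is already vault-encrypted (missing file -> False)."""
    try:
        with path.open("r", encoding="utf-8", errors="replace") as f:
            return is_vault_header(f.readline())
    except FileNotFoundError:
        return False


def ensure_vault_key(key_path: Path) -> bool:
    """Create a random vault password file if absent. Returns True if created.

    O_EXCL refuses to clobber a key another run just wrote; mode 0600 keeps
    the key readable only by the owner.
    """
    if key_path.exists():
        return False
    key_path.parent.mkdir(parents=True, exist_ok=True)
    fd = os.open(key_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(secrets.token_urlsafe(32) + "\n")
    return True


def encrypt_command(creds: Path, key_path: Path) -> list:
    """Argument vector for the real `ansible-vault encrypt` invocation."""
    return ["ansible-vault", "encrypt",
            "--vault-password-file", str(key_path), str(creds)]


def encrypt_if_plaintext(creds: Path, key_path: Path) -> str:
    """detect -> (create key) -> encrypt; returns a short status word."""
    if not creds.exists():
        return "missing"
    if is_vault_encrypted(creds):
        return "already-encrypted"
    ensure_vault_key(key_path)
    if shutil.which("ansible-vault") is None:
        return "ansible-vault-not-found"
    subprocess.run(encrypt_command(creds, key_path), check=True)
    return "encrypted"


# Constructed sample content; not a real credential.
SAMPLE_PLAINTEXT = "ldap_bind_password: example-not-a-real-secret\n"


def run_demo() -> dict:
    """Exercise the flow in a scratch directory and report what happened."""
    with tempfile.TemporaryDirectory() as d:
        creds = Path(d) / "omnia_test_credentials.yml"
        key = Path(d) / ".vault_key"
        creds.write_text(SAMPLE_PLAINTEXT)
        was_plaintext = not is_vault_encrypted(creds)
        key_created = ensure_vault_key(key)
        key_mode = oct(key.stat().st_mode & 0o777)
        result = encrypt_if_plaintext(creds, key)
        encrypted_now = is_vault_encrypted(creds)
        second_key = ensure_vault_key(key)  # existing key must be left alone
    return {"was_plaintext": was_plaintext, "key_created": key_created,
            "key_mode": key_mode, "result": result,
            "encrypted_now": encrypted_now, "second_key": second_key}


if __name__ == "__main__":
    print(run_demo())
```

Running the script with `ansible-vault` installed rewrites the sample file in place and reports `result: encrypted`; without it the key is still created and the status is `ansible-vault-not-found`, so a hook like this should fail loudly rather than silently leave the plaintext file behind.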
🎯 Overview
This PR implements comprehensive secure credential management by separating sensitive data from configuration files and providing automatic Ansible Vault encryption.
🔧 Key Features
1. 🔐 Credential Separation
2. 🔒 Automatic Vault Encryption
3. 📁 Credentials File Structure