
Commit f28d786

authored
Allow the use of unencrypted secrets.yml files (#1764)
AI-assisted: Claude Code Signed-off-by: Christian Berendt <[email protected]>
1 parent ea885fb commit f28d786


1 file changed

+42
-11
lines changed


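--- a/osism/tasks/openstack.py
+++ b/osism/tasks/openstack.py
@@ -165,7 +165,11 @@ def baremetal_port_delete(self, port_or_id):
 def get_cloud_password(cloud):
 """
 Load and decrypt the OpenStack password for a specific cloud profile
-from the Ansible Vault encrypted secrets.yml file.
+from the secrets.yml file.
+
+This function supports both encrypted (Ansible Vault) and unencrypted
+secrets files. Encrypted files are decrypted using the vault password,
+while unencrypted files are read directly (development mode fallback).
 
 Args:
 cloud (str): The cloud profile name
@@ -191,21 +195,48 @@ def get_cloud_password(cloud):
 # Get vault instance for decryption
 vault = get_vault()
 
-# Load and decrypt the entire Ansible Vault encrypted file
+# Load the secrets file
 with open(secrets_path, "rb") as f:
-encrypted_data = f.read()
+file_data = f.read()
 
-# Decrypt the entire file content
-decrypted_data = vault.decrypt(encrypted_data).decode()
+decrypted_secrets = None
 
-# Parse the decrypted YAML content safely
+# Try to decrypt the file if it's vault encrypted
 try:
-decrypted_secrets = yaml.safe_load(decrypted_data)
-except yaml.YAMLError as yaml_exc:
-logger.error(
-f"Failed to parse YAML content from decrypted secrets file: {yaml_exc}"
+if vault.is_encrypted(file_data):
+# File is encrypted, decrypt it
+decrypted_data = vault.decrypt(file_data).decode()
+logger.debug(f"Successfully decrypted secrets file: {secrets_path}")
+else:
+# File is not encrypted, use as-is
+decrypted_data = file_data.decode()
+logger.info(
+f"Secrets file is not encrypted (development mode): {secrets_path}"
+)
+
+# Parse the YAML content safely
+try:
+decrypted_secrets = yaml.safe_load(decrypted_data)
+except yaml.YAMLError as yaml_exc:
+logger.error(
+f"Failed to parse YAML content from secrets file: {yaml_exc}"
+)
+return None
+
+except Exception as decrypt_exc:
+# If decryption fails, try reading as plain YAML (development fallback)
+logger.warning(
+f"Failed to decrypt secrets file, attempting to read as plain YAML: {decrypt_exc}"
 )
-return None
+try:
+with open(secrets_path, "r") as f:
+decrypted_secrets = yaml.safe_load(f)
+logger.info(
+f"Successfully loaded unencrypted secrets file (development mode): {secrets_path}"
+)
+except Exception as plain_exc:
+logger.error(f"Failed to read secrets file as plain YAML: {plain_exc}")
+return None
 
 if not decrypted_secrets or not isinstance(decrypted_secrets, dict):
 logger.warning(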
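Review bot: The outer `except Exception as decrypt_exc:` turns any decryption failure (wrong vault password, corrupted or altered file) into a second read of the same file as plain YAML, and that path can then log "Successfully loaded unencrypted secrets file (development mode)" for a file that `vault.is_encrypted` had already identified as encrypted; a vault file that cannot be decrypted should log an error and return None instead. The plaintext branch is also reached unconditionally and logged only at `info`, so a production host with an unencrypted secrets.yml gives no louder signal than a development one; logging it at `warning` and, ideally, requiring an explicit opt-in setting before accepting plaintext would keep the fallback out of production. The handler is also wider than the decrypt call needs, since it covers `.decode()` and everything else in the block. get_cloud_password starts before and continues after this hunk, so the final checks on `decrypted_secrets` are only partly visible here.

```python
    # … unchanged: open(secrets_path, "rb") and file_data = f.read() …
    if vault.is_encrypted(file_data):
        try:
            decrypted_data = vault.decrypt(file_data).decode()
        except Exception as decrypt_exc:
            # An encrypted file that cannot be decrypted is an error, not plaintext.
            logger.error(f"Failed to decrypt secrets file: {decrypt_exc}")
            return None
        logger.debug(f"Successfully decrypted secrets file: {secrets_path}")
    else:
        decrypted_data = file_data.decode()
        logger.warning(
            f"Secrets file is not encrypted (development mode): {secrets_path}"
        )
    # … unchanged: yaml.safe_load(decrypted_data) with the yaml.YAMLError handler …
```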
