added secret encryption script and check, incl pre-commit hook
53
bin/encryptkeys
Executable file
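--- /dev/null
+++ b/bin/encryptkeys
@@ -0,0 +1,53 @@
+#!/bin/bash
+
+# encrypt unencrypted secrets or warn if a secret is unencrypted in check mode
+
+keydir=$1
+secret=$2
+mode=$3
+
+if test -z "$mode"; then
+echo "Usage: $0 keydir vault-password-file (check|encrypt)"
+exit 1
+fi
+
+err=""
+
+for key in "$keydir"/*; do
+filetype=$(file "$key")
+
+case "$filetype" in
+*OpenSSH*)
+case "$mode" in
+encrypt)
+ansible-vault encrypt --vault-password-file "$secret" --vault-id default "$key"
+;;
+check)
+echo "$key is unencrypted!"
+err=1
+;;
+esac
+;;
+*Ansible*Vault*)
+case "$mode" in
+check)
+:
+;;
+esac
+;;
+*)
+case "$mode" in
+check)
+echo "$key is an unknown clear text file!"
+err=1
+;;
+esac
+;;
+
+
+esac
+done
+
+if test -n "$err"; then
+exit 1
+fi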
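Review bot: An unrecognised value of $mode (a typo in the pre-commit hook invocation, say) passes the `if test -z "$mode"` usage test, matches no arm in any of the inner `case "$mode"` blocks and exits 0, so the hook silently passes without checking anything; the same fail-open happens when $keydir is empty, because `"$keydir"/*` then expands to `/*`. Validating the arguments up front closes both gaps: `case "$mode" in check|encrypt) ;; *) echo "Usage: $0 keydir vault-password-file (check|encrypt)" >&2; exit 1 ;; esac` and `[ -d "$keydir" ] || { echo "$keydir is not a directory" >&2; exit 1; }`. On the `*OpenSSH*` arm the exit status of `ansible-vault encrypt` is not checked, so a failed encryption (for instance an unreadable password file) leaves the key in clear while the script still exits 0; `ansible-vault encrypt --vault-password-file "$secret" --vault-id default "$key" || err=1` would surface it. Only files that `file` reports as OpenSSH are encrypted; a PEM-formatted private key falls through to the `*)` arm, which check mode flags but encrypt mode leaves untouched, and that limitation deserves a comment next to the `*OpenSSH*` pattern.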