feat(proxmox): add hosts config
Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>
74
issues/001_fix_vault_security_issue.md
Normal file
@@ -0,0 +1,74 @@
# Issue: Fix Vault Security Risk in Proxmox Role

**Status**: Open
**Priority**: High
**Component**: proxmox/15_create_secret.yaml
**Assignee**: Junior Dev

## Description
The current vault handling in `roles/proxmox/tasks/15_create_secret.yaml` uses insecure shell commands to decrypt/encrypt vault files, creating temporary plaintext files that pose a security risk.

## Current Problematic Code
```yaml
- name: Decrypt vm vault file
ansible.builtin.shell: cd ../; ansible-vault decrypt "./playbooks/{{ proxmox_vault_file }}"
no_log: true

- name: Encrypt vm vault file
ansible.builtin.shell: cd ../; ansible-vault encrypt "./playbooks/{{ proxmox_vault_file }}"
no_log: true
```

## Required Changes

### Step 1: Replace shell commands with Ansible vault module
Replace the shell-based decryption/encryption with `ansible.builtin.ansible_vault` module.

### Step 2: Remove temporary plaintext file operations
Eliminate the need for temporary plaintext files by using in-memory operations.

### Step 3: Add proper error handling
Include error handling for vault operations (missing files, decryption failures).

## Implementation Steps

1. **Read the current vault file securely**:
```yaml
- name: Load vault content securely
ansible.builtin.include_vars:
file: "{{ proxmox_vault_file }}"
name: vault_data
no_log: true
```

2. **Use ansible_vault module for operations**:
```yaml
- name: Update vault data securely
ansible.builtin.set_fact:
new_vault_data: "{{ vault_data | combine({vm_name_secret: cipassword}) }}"
when: not variable_exists
no_log: true
```

3. **Write encrypted vault directly**:
```yaml
- name: Write encrypted vault
ansible.builtin.copy:
content: "{{ new_vault_data | ansible.builtin.ansible_vault.encrypt('vault_password') }}"
dest: "{{ proxmox_vault_file }}"
mode: "0600"
when: not variable_exists
no_log: true
```

## Testing Requirements
- Test with existing vault files
- Verify no plaintext files are created during operation
- Confirm vault can be decrypted properly after updates

## Acceptance Criteria
- [ ] No shell commands used for vault operations
- [ ] No temporary plaintext files created
- [ ] All vault operations use Ansible built-in modules
- [ ] Existing functionality preserved
- [ ] Proper error handling implemented
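Review bot: Step 1 under "Required Changes" and step 3 under "Implementation Steps" name Ansible pieces that do not exist, so the plan cannot be carried out as written: ansible-core has no `ansible.builtin.ansible_vault` module, and `ansible.builtin.ansible_vault.encrypt('vault_password')` is not a filter. What does exist is the `ansible.builtin.vault` filter (ansible-core 2.12 and later, taking the vault secret as its first argument) together with `include_vars`, which already decrypts a vault-encrypted file transparently when a vault password source is configured, so the "Load vault content securely" task in step 1 is fine as is. For step 3, `new_vault_data` is a dict, so it has to be serialised before encryption or the written file will not round-trip through `include_vars`; something like `content: "{{ new_vault_data | to_nice_yaml | ansible.builtin.vault(vault_secret) }}"`, with `vault_secret` coming from a variable or lookup rather than the literal `'vault_password'` string shown, which would hard-code a password into the role. The acceptance criterion "Proper error handling implemented" has no matching task in the plan either; the vault tasks should be wrapped in a `block`/`rescue` or given explicit `failed_when` conditions for the missing-file and decryption-failure cases that Step 3 under "Required Changes" calls out.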