
Harvest and Secrets Management with SOPs

Chris Grindstaff edited this page Aug 18, 2023 · 3 revisions

This is most applicable to 7-mode filers. When using cDOT, it's better to use ONTAP certificate authentication, which keeps passwords out of harvest.yml entirely.

The idea outlined below is:

  • Set up your harvest.yml as normal, with usernames and passwords in the clear. Make sure everything works.
  • Use sops to encrypt your harvest.yml file. Let's say the encrypted file is named harvest.enc.yml. Delete the in-the-clear file, harvest.yml.
  • Use sops to start Harvest from harvest.enc.yml, so the decrypted configuration only exists for the lifetime of the Harvest process.

Setup

  1. Install age
  2. Install sops
  3. Create a key pair with age:
     age-keygen -o keys.txt
  4. Print the public key (the line starting with age1):
     grep public keys.txt
  5. Move keys.txt to the location sops requires. On Linux, sops looks in $XDG_CONFIG_HOME/sops/age/keys.txt and falls back to ~/.config/sops/age/keys.txt when XDG_CONFIG_HOME is unset, so use the same fallback when creating the directory:
     # Linux
     mkdir -p "${XDG_CONFIG_HOME:-$HOME/.config}/sops/age/"
     mv keys.txt "${XDG_CONFIG_HOME:-$HOME/.config}/sops/age/"

     # Mac
     mkdir -p ~/Library/Application\ Support/sops/age/
     mv keys.txt ~/Library/Application\ Support/sops/age/
  6. Encrypt harvest.yml with the public key from step 4, then delete the in-the-clear harvest.yml:
     sops --encrypt --age public-key-from-step-4 harvest.yml > harvest.enc.yml
  7. Start Harvest via sops

There are several ways to use the encrypted file. sops exec-file hands the decrypted content to the command through a placeholder ({}), either as an in-memory FIFO (the default) or as a temporary file that sops removes when the command exits. Both of the examples below use --no-fifo, i.e. the temporary-file form.

# Point Harvest at the decrypted file via the HARVEST_CONFIG environment variable
sops exec-file --no-fifo harvest.enc.yml 'HARVEST_CONFIG={} bin/harvest start'

# Launch a shell with the TMPFILE variable pointing to the decrypted harvest.yml
sops exec-file --no-fifo harvest.enc.yml 'TMPFILE={} bash'
# now inside the exec-ed shell you can use harvest as normal with --config
bin/harvest --config "$TMPFILE" start   # or stop, or status
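Once the steps above are done, it is worth verifying that nothing secret was left behind. The script below is an added example, not part of Harvest or sops: it checks that the plaintext harvest.yml is gone, that harvest.enc.yml carries sops metadata with an age recipient and contains no unencrypted password values, and that the age private key file is readable only by its owner. It assumes the file names used on this page (harvest.yml, harvest.enc.yml, keys.txt) and the layout of sops' YAML output (an ENC[AES256_GCM,...] blob per value plus a top-level sops: block). The sample encrypted file it writes is constructed for the demonstration, with placeholder ciphertext, and the Pollers/username/password layout is assumed.

```shell
#!/bin/sh
# Post-setup check for a sops/age-protected harvest.yml.
# Added example; assumes file names from this page and sops' YAML output format.

# check_harvest_secrets DIR KEYFILE
# DIR holds harvest.enc.yml (and must not hold harvest.yml); KEYFILE is the age key.
# Returns 0 when every check passes, 1 otherwise, printing each failure.
check_harvest_secrets() {
  dir=$1
  keyfile=$2
  rc=0

  # 1. The in-the-clear configuration must have been deleted.
  if [ -e "$dir/harvest.yml" ]; then
    echo "FAIL: plaintext $dir/harvest.yml still exists"; rc=1
  fi

  # 2. The encrypted file must exist and carry sops metadata with an age recipient.
  enc="$dir/harvest.enc.yml"
  if [ ! -f "$enc" ]; then
    echo "FAIL: $enc is missing"; rc=1
  else
    grep -q '^sops:' "$enc" || { echo "FAIL: no sops metadata in $enc"; rc=1; }
    grep -q 'recipient: age1' "$enc" || { echo "FAIL: no age recipient in $enc"; rc=1; }
    # 3. Every password value must be a sops ENC[...] blob, never a literal.
    if grep -E '^[[:space:]]*password:' "$enc" | grep -vq 'ENC\[AES256_GCM'; then
      echo "FAIL: a password in $enc is stored in the clear"; rc=1
    fi
  fi

  # 4. The age private key must be readable only by its owner (600 or 400).
  if [ -f "$keyfile" ]; then
    # GNU stat first, BSD/macOS stat as fallback
    mode=$(stat -c '%a' "$keyfile" 2>/dev/null || stat -f '%Lp' "$keyfile")
    case "$mode" in
      600|400) ;;
      *) echo "FAIL: $keyfile has mode $mode, expected 600"; rc=1 ;;
    esac
  else
    echo "FAIL: age key file $keyfile is missing"; rc=1
  fi

  return $rc
}

# write_sample_enc DIR
# Writes a constructed harvest.enc.yml shaped like sops output (placeholder ciphertext).
write_sample_enc() {
  cat > "$1/harvest.enc.yml" <<'EOF'
Pollers:
    infinity:
        addr: 10.0.1.2
        username: ENC[AES256_GCM,data:PLACEHOLDER,iv:PLACEHOLDER,tag:PLACEHOLDER,type:str]
        password: ENC[AES256_GCM,data:PLACEHOLDER,iv:PLACEHOLDER,tag:PLACEHOLDER,type:str]
sops:
    age:
        - recipient: age1PLACEHOLDERPUBLICKEY
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            PLACEHOLDER
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2023-08-18T00:00:00Z"
    mac: ENC[AES256_GCM,data:PLACEHOLDER,iv:PLACEHOLDER,tag:PLACEHOLDER,type:str]
    version: 3.7.3
EOF
}

# Usage: sh check.sh <dir-with-harvest.enc.yml> <path-to-age-keys.txt>
if [ $# -eq 2 ]; then
  check_harvest_secrets "$1" "$2"
fi
```

Run it against the real directory and key path after step 7, for example `sh check.sh . "${XDG_CONFIG_HOME:-$HOME/.config}/sops/age/keys.txt"`; a non-zero exit means at least one of the four conditions failed and names which one.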