This is Kobra, a DevOps deployment Swiss-army-knife utility. It provides a convenient wrapper over OpenTofu, Ansible and Helmfile with proper secrets management, removing the hassle of a complex deployment strategy.
Register Kowabunga APT repository and then simply:

```sh
$ sudo apt-get install kobra
```

macOS can install Kobra through Homebrew. Simply do:

```sh
$ brew tap kowabunga/cloud https://github.com/kowabunga-cloud/homebrew-tap.git
$ brew update
$ brew install kobra
```

Kobra can be manually installed through released binaries.
Just download and extract the tarball for your target.
Kobra-managed platforms require a specific kobra.yml file to exist at the root of your platform. This YAML-formatted file contains several important pieces of configuration, e.g.:
```yaml
git:  # optional
  method: string  # optional, accepts 'ssh' (default) and 'http'
  ssh:  # optional
    user: string  # optional, 'git' if unspecified
    private_key_file: string  # optional, guessed from ~/.ssh/config if unspecified
    password: string  # optional, password used to decrypt private key file, if any
  http:  # optional
    username: string  # optional, basic auth username
    password: string  # optional, basic auth password
    token: string  # optional, e.g GitHub PAT (Personal Access Token)
secrets:
  provider: string  # aws, env, file, hcp, input, keyring
  aws:  # optional, aws-provider specific
    region: string
    role_arn: string
    id: string
  env:  # optional, env-provider specific
    var: string  # optional, defaults to KOBRA_MASTER_KEY
  file:  # optional, file-provider specific
    path: string
  hcp:  # optional, hcp-provider specific
    endpoint: string  # optional, default to "http://127.0.0.1:8200" if unspecified
    mount: string  # optional, default to "secret" if unspecified
    token_env: string  # optional, default to "VAULT_TOKEN" if unspecified
    token_file: string  # optional, default to "$HOME/.vault-token" if unspecified
  master_key_id: string
ssh:  # optional
  remote:  # remote servers SSH connection parameters
    user: string  # username to be used
    key_file: string  # path to associated SSH private key file
  bootstrap:  # optional, remote servers SSH connection parameters for first-deployment
    user: string  # username to be used
    key_file: string  # path to associated SSH private key file
toolchain:  # optional
  use_system: bool  # optional, 'false' if unspecified
  tf:  # optional
    provider: string  # optional, accepts 'opentofu' (default) and 'terraform'
    version: string  # optional, 'latest' if unspecified
  helm:  # optional
    version: string  # optional, 'latest' if unspecified
  helmfile:  # optional
    version: string  # optional, 'latest' if unspecified
  ansible:  # optional
    version: string  # optional, 'latest' if unspecified
    packages:  # optional, list of extra Python packages from PyPI to be added to toolchain
      freename: version  # key/value tuple with key being PyPI package name
                         # and value being package version (use 'latest' if unpinned).
```

Kobra supports different secrets management providers:
- aws: AWS Secrets Manager (TODO)
- env: master-key stored in an environment variable
- file: local plain text master-key file (not recommended for production)
- hcp: HashiCorp Vault
- input: interactive command-line input prompt for master-key
- keyring: local OS keyring (macOS Keychain, Windows Credentials Manager, Linux Gnome Keyring/KWallet)

WARNING: it is highly recommended not to use local secret management backends if the secret is to be used by other contributors. When working as a team, always rely on distributed secret management backends.
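
The provider guidance above can be checked mechanically before a platform is shared. The following is an added example, not part of Kobra: the `dig` and `audit` helpers and the sample values are hypothetical, and it assumes kobra.yml is committed with the platform repository, so it also flags inline Git credentials, a non-TLS remote Vault endpoint and unpinned toolchain versions.

```python
from urllib.parse import urlparse

LOCAL_PROVIDERS = {"env", "file", "input", "keyring"}  # per-user backends
LOOPBACK = {"127.0.0.1", "localhost", "::1"}
INLINE_CREDS = [("git", "ssh", "password"), ("git", "http", "password"),
                ("git", "http", "token")]


def dig(cfg, *keys):
    """Walk nested mappings, returning None when any level is missing."""
    for key in keys:
        cfg = cfg.get(key) if isinstance(cfg, dict) else None
    return cfg


def audit(cfg, team=True):
    """Return (path, message) findings for a parsed kobra.yml mapping."""
    findings = []
    provider = dig(cfg, "secrets", "provider")
    if provider == "file":
        findings.append(("secrets.provider", "plain text master-key file, not for production"))
    if team and provider in LOCAL_PROVIDERS:
        findings.append(("secrets.provider", f"'{provider}' is local; use a distributed backend"))
    for path in INLINE_CREDS:
        if dig(cfg, *path):
            findings.append((".".join(path), "credential stored inline in kobra.yml"))
    if provider == "hcp":
        # An unspecified endpoint falls back to the documented loopback default.
        url = urlparse(dig(cfg, "secrets", "hcp", "endpoint") or "http://127.0.0.1:8200")
        if url.scheme != "https" and url.hostname not in LOOPBACK:
            findings.append(("secrets.hcp.endpoint", "Vault token sent over plain HTTP"))
    # A tool section without 'version' resolves to 'latest', i.e. unpinned.
    for tool, spec in (dig(cfg, "toolchain") or {}).items():
        if isinstance(spec, dict) and spec.get("version", "latest") == "latest":
            findings.append((f"toolchain.{tool}.version", "unpinned, resolves to 'latest'"))
    return findings


# Constructed sample, equivalent to what a YAML loader would return.
SAMPLE = {
    "git": {"method": "http", "http": {"username": "ci", "token": "EXAMPLE-TOKEN"}},
    "secrets": {"provider": "hcp", "master_key_id": "demo",
                "hcp": {"endpoint": "http://vault.example.internal:8200"}},
    "toolchain": {"use_system": False, "ansible": {},
                  "tf": {"provider": "opentofu", "version": "1.8.0"}},
}

if __name__ == "__main__":
    for path, message in audit(SAMPLE):
        print(f"{path}: {message}")
```

Pass `team=False` to skip the local-backend finding for a single-operator platform.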
Licensed under Apache License, Version 2.0, see LICENSE.