This is Kobra, a DevOps deployment Swiss-army-knife utility. It provides a convenient wrapper over OpenTofu, Ansible and Helmfile with proper secrets management, removing the hassle of complex deployment strategies.
Register the Kowabunga APT repository and then simply:

```shell
$ sudo apt-get install kobra
```

macOS users can install Kobra through Homebrew. Simply do:

```shell
$ brew tap kowabunga/cloud https://github.com/kowabunga-cloud/homebrew-tap.git
$ brew update
$ brew install kobra
```

Kobra can also be installed manually from released binaries. Just download and extract the tarball for your target.
Kobra-managed platforms require a specific kobra.yml file to exist at the root of your platform. This YAML-formatted file contains several important pieces of configuration, e.g.:
```yaml
git: # optional
  method: string # optional, accepts 'ssh' (default) and 'http'
  ssh: # optional
    user: string # optional, 'git' if unspecified
    private_key_file: string # optional, guessed from ~/.ssh/config if unspecified
    password: string # optional, password used to decrypt private key file, if any
  http: # optional
    username: string # optional, basic auth username
    password: string # optional, basic auth password
    token: string # optional, e.g. GitHub PAT (Personal Access Token)
secrets:
  provider: string # aws, env, file, hcp, input, keyring
  aws: # optional, aws-provider specific
    region: string
    role_arn: string
    id: string
  env: # optional, env-provider specific
    var: string # optional, defaults to KOBRA_MASTER_KEY
  file: # optional, file-provider specific
    path: string
  hcp: # optional, hcp-provider specific
    endpoint: string # optional, defaults to "http://127.0.0.1:8200" if unspecified
    mount: string # optional, defaults to "secret" if unspecified
    token_env: string # optional, defaults to "VAULT_TOKEN" if unspecified
    token_file: string # optional, defaults to "$HOME/.vault-token" if unspecified
    master_key_id: string
ssh: # optional
  remote: # remote servers SSH connection parameters
    user: string # username to be used
    key_file: string # path to associated SSH private key file
  bootstrap: # optional, remote servers SSH connection parameters for first deployment
    user: string # username to be used
    key_file: string # path to associated SSH private key file
toolchain: # optional
  use_system: bool # optional, 'false' if unspecified
  tf: # optional
    provider: string # optional, accepts 'opentofu' (default) and 'terraform'
    version: string # optional, 'latest' if unspecified
  helm: # optional
    version: string # optional, 'latest' if unspecified
  helmfile: # optional
    version: string # optional, 'latest' if unspecified
  sops: # optional
    version: string # optional, 'latest' if unspecified
  kubeseal: # optional
    version: string # optional, 'latest' if unspecified
    controller: # optional
      namespace: string # optional, 'kube-system' if unspecified
      name: string # optional, 'sealed-secrets' if unspecified
  ansible: # optional
    version: string # optional, 'latest' if unspecified
    packages: # optional, list of extra Python packages from PyPI to be added to toolchain
      freename: version # key/value tuple with key being PyPI package name
                        # and value being package version (use 'latest' if unpinned).
```

While global SSH connection settings (either to Git or to managed instances, through Ansible) can be set in the kobra.yml file, it is highly recommended to keep them properly managed at OS level.
A good approach is to ensure you have a $HOME/.ssh/config file with global (i.e. fallback) User and/or IdentityFile definitions and optional per-host or per-subnet overrides. Because ssh keeps the first value it obtains for each option, the host-specific blocks must come before the global fallback, e.g.:

```
Host 10.*
    User ubuntu
    IdentityFile /home/jdoe/.ssh/priv-key

Host *
    User jdoe
    IdentityFile /home/jdoe/.ssh/id_ecdsa
```
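The ordering rule matters in practice: with the fallback listed first, every 10.* host would be contacted as jdoe, and the wrong key would be offered first. The following added example (not part of the Kobra project) resolves the effective User and IdentityFile for a host from a constructed ssh_config text, applying OpenSSH's first-obtained-value rule for User and the accumulating rule for IdentityFile, so the two orderings can be compared side by side. The helper names and sample configs are assumptions made here.

```python
import fnmatch

# Constructed ssh_config: override first, fallback last (the recommended layout).
CONFIG_OVERRIDE_FIRST = """\
Host 10.*
    User ubuntu
    IdentityFile /home/jdoe/.ssh/priv-key

Host *
    User jdoe
    IdentityFile /home/jdoe/.ssh/id_ecdsa
"""

# Constructed ssh_config with the fallback placed before the override.
CONFIG_FALLBACK_FIRST = """\
User jdoe
IdentityFile /home/jdoe/.ssh/id_ecdsa

Host 10.*
    User ubuntu
    IdentityFile /home/jdoe/.ssh/priv-key
"""


def parse_ssh_config(text):
    """Return (patterns, {option: [values]}) blocks in file order.
    Options that appear before any Host line belong to an implicit 'Host *' block."""
    blocks = [(["*"], {})]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip()
        if key == "host":
            blocks.append((value.split(), {}))
        else:
            blocks[-1][1].setdefault(key, []).append(value)
    return blocks


def host_matches(patterns, host):
    """OpenSSH semantics: a negated pattern (!pat) vetoes the block,
    otherwise any matching pattern selects it."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(host, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(host, pat):
            matched = True
    return matched


def resolve(text, host):
    """Effective settings for host: 'user' keeps the first value obtained,
    'identityfile' entries accumulate in the order they are read."""
    effective = {"user": None, "identityfile": []}
    for patterns, opts in parse_ssh_config(text):
        if not host_matches(patterns, host):
            continue
        if effective["user"] is None and "user" in opts:
            effective["user"] = opts["user"][0]
        effective["identityfile"].extend(opts.get("identityfile", []))
    return effective


if __name__ == "__main__":
    for name, cfg in (("override first", CONFIG_OVERRIDE_FIRST),
                      ("fallback first", CONFIG_FALLBACK_FIRST)):
        print(name, "10.0.0.5 ->", resolve(cfg, "10.0.0.5"))
        print(name, "git.example.com ->", resolve(cfg, "git.example.com"))
```

Running it shows that only the override-first layout connects to 10.0.0.5 as ubuntu; the fallback-first layout silently uses jdoe for every host, which is exactly the kind of mismatch that makes Ansible runs fail against the bootstrap user.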
Alternatively, one can also set per-host settings and overrides and let Ansible address hosts by itself, e.g. with ansible/inventories/hosts.txt:

```ini
[all]
host-1 ansible_host=192.168.0.1 ansible_ssh_user=root ansible_ssh_private_key_file=/path/to/file
host-2 ansible_host=192.168.0.2 ansible_ssh_user=ubuntu ansible_ssh_private_key_file=/path/to/another/file
```

Kobra supports different secrets management providers:
- aws: AWS Secrets Manager (TODO)
- env: Environment variable stored master-key
- file: local plain text master-key file (not recommended for production)
- hcp: Hashicorp Vault
- input: interactive command-line input prompt for master-key
- keyring: local OS keyring (macOS Keychain, Windows Credentials Manager, Linux Gnome Keyring/KWallet)
WARNING: it is highly recommended not to use local secret management backends if the secret is to be used by other contributors. When working as a team, always rely on distributed secret management backends.
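The kobra.yml layout above and this provider list together define what a sane secrets section looks like. The following added example (not part of the Kobra project) is a small pre-deployment checker: it parses the key/value subset of YAML that kobra.yml uses (nested maps of scalars, no lists) and reports the settings a reviewer would flag, namely an unknown provider, a local-only provider in a shared platform, the plain-text file backend, missing required keys, and a Vault endpoint reached over plain HTTP off the loopback interface. The sample file, the `parse_simple_yaml` helper, the finding levels and the required-key table (derived from the keys the layout does not mark optional) are assumptions made here.

```python
import re
from urllib.parse import urlparse

# Constructed kobra.yml excerpt (a real file carries more sections).
SAMPLE_KOBRA_YML = """\
secrets:
  provider: hcp
  hcp:
    endpoint: http://vault.internal:8200   # plain HTTP to a remote host
    mount: secret
    master_key_id: platform-master
ssh:
  remote:
    user: ubuntu
    key_file: /home/jdoe/.ssh/priv-key
"""

KNOWN_PROVIDERS = {"aws", "env", "file", "hcp", "input", "keyring"}
# Backends that live on one contributor's machine and cannot be shared.
LOCAL_ONLY = {"env", "file", "input", "keyring"}
# Keys the layout lists without an 'optional' note (assumption: treated as required).
REQUIRED = {"aws": ("region", "role_arn", "id"), "file": ("path",), "hcp": ("master_key_id",)}
LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def parse_simple_yaml(text):
    """Parse nested 'key: value' maps; indentation gives nesting, '#' starts a comment."""
    root, stack = {}, [(-1, {})]
    stack[0] = (-1, root)
    for raw in text.splitlines():
        line = re.sub(r"\s+#.*$", "", raw).rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, sep, value = line.strip().partition(":")
        if not sep:
            raise ValueError(f"not a 'key: value' line: {raw!r}")
        while indent <= stack[-1][0]:  # climb back out to the enclosing map
            stack.pop()
        parent, value = stack[-1][1], value.strip()
        if value == "":
            child = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value.strip("'\"")
    return root


def check_secrets(config):
    """Return a list of (level, message) findings for the secrets section."""
    findings = []
    secrets = config.get("secrets")
    if not isinstance(secrets, dict):
        return [("error", "secrets section missing")]
    provider = secrets.get("provider")
    if provider not in KNOWN_PROVIDERS:
        return [("error", f"unknown secrets provider {provider!r}")]
    if provider in LOCAL_ONLY:
        findings.append(("warn", f"provider {provider!r} is local to one machine; "
                                 "use a distributed backend when working as a team"))
    if provider == "file":
        findings.append(("warn", "plain-text master-key file is not recommended for production"))
    block = secrets.get(provider) or {}
    for key in REQUIRED.get(provider, ()):
        if key not in block:
            findings.append(("error", f"secrets.{provider}.{key} is required"))
    if provider == "hcp":
        endpoint = block.get("endpoint", "http://127.0.0.1:8200")  # layout default
        url = urlparse(endpoint)
        if url.scheme == "http" and url.hostname not in LOOPBACK:
            findings.append(("warn", f"Vault endpoint {endpoint} uses plain HTTP to a "
                                     "non-loopback host; token and secrets cross the network unencrypted"))
    return findings


if __name__ == "__main__":
    for level, message in check_secrets(parse_simple_yaml(SAMPLE_KOBRA_YML)):
        print(f"[{level}] {message}")
```

The default endpoint in the layout is loopback-only, so it passes silently; the check fires only when someone points the client at a remote Vault without switching to HTTPS. Run the checker from the platform root before a first deployment, or wire it into CI so the file is reviewed on every change.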
Licensed under Apache License, Version 2.0, see LICENSE.