What would be the way to load vaulted variables for Ansible roles #605
I am trying to organize our Ansible-Container repository so that we can share common ansible roles across different teams (in order to keep things DRY). A couple of our roles rely on Ansible-Vault to encrypt secrets. My question is about how to make use of Ansible Vault within Ansible-Container?
In a classic Ansible world, we leverage the
Thanks to this convention we know where we can find vaulted vars for a specific role and rekey the secret as needed.
Back to Ansible-container. Our project layout looks like this:
Let's take for example a role which installs a log collector (Like
Does ansible-container offer a way to do such a thing? Can ansible-container make use of
I have been able to load variables using a command like this, but as you can see, if I need to add a
I am interested in your thoughts on this?
Thanks for using Ansible Container, and for taking the time to post such a detailed question.
As far as decrypting the vault files, you would need to use a password file. You can pass in
You can also set an environment variable in the conductor container
Of course, you will also need to mount the password file to the conductor container, which you can do using
Setting volumes and variables for the conductor in
We're going to add Ansible Vault support. In fact, it's on my short list of things to get done in the next day or three. You'll be able to pass in a password, a password file, environment variable, or even be prompted for a password. The decryption will take place in the conductor, and the unencrypted variables will be available for use in
As far as making it easier to access all your variable files, I'm wondering if you could simply mount them to the conductor container using
The other option is to maybe add some additional attributes to
Having the vault support you described would be awesome.
I'm not sure I agree with having to use
It almost seems like we need an include_vars in
I'm also not fond of declaring my vars twice. Once for the conductor and again for the playbooks. Seems repetitive, especially since most of my vars can be stored in the same files.
Hi guys, couldn't we consider deploying a
I think right now there is no way to provide a custom ansible.cfg file or override this ansible-playbook command so that we can add an inventory using -i.
To @awiddersheim's point, it is a bit less convenient to not have at least a glue playbook—almost every project I work on, there are a bunch of roles, but there are always at least two or three other tasks that I need to run before the roles (or to clean up or kick something off after), and it's annoying to have to build a new role for one or two of these maintenance-y tasks.
@Lowess from what I can tell everything in your current ansible-container directory does get mounted on the conductor as a volume under
If you run
This also means that any
There are a couple of problems though. The first is the playbook that ansible-conductor generates has no groups associated with it so nothing will likely happen unless you have an
You can see the hosts file generation happening here.
The second problem is when
This means even if you did
You can access them by doing
I really like Ansible's inventory directory ability. Been pretty successful with the following pattern and was hoping to continue applying it here:
This doesn't really seem possible now. Closest thing would be doing
Almost seems like having