
Ansible: Encrypt passwords and keys used in playbooks with Ansible Vault #77

Closed
ricsanfre opened this issue Sep 17, 2022 · 1 comment · Fixed by #78
Labels
enhancement New feature or request

Comments

ricsanfre (Owner) commented Sep 17, 2022

Enhancement Request

Encrypt all passwords/keys that are currently stored in plain text within Ansible variables.

Use the Ansible Vault capability for that.

@ricsanfre ricsanfre added the enhancement New feature or request label Sep 17, 2022
@ricsanfre ricsanfre changed the title Ansible: Encrypt passwords and keys used in playbooks using Ansible Vault Ansible: Encrypt passwords and keys used in playbooks with Ansible Vault Sep 17, 2022
ricsanfre (Owner, Author) commented Sep 18, 2022

Solution implemented

1. Include all secrets and keys in a specific vars YAML file, `vault.yml`, located in the `vars` directory:

   ```yaml
   ---
   # Encrypted variables - Ansible Vault
   vault:
     # SAN
     san:
       iscsi:
         node_pass: s1cret0
         password_mutual: 0tr0s1cret0
     # K3s secrets
     k3s:
       k3s_token: s1cret0
     # traefik secrets
     traefik:
       basic_auth_passwd: s1cret0
     # Minio S3 secrets
     minio:
       root_password: supers1cret0
       longhorn_key: supers1cret0
       velero_key: supers1cret0
       restic_key: supers1cret0
     # elastic search
     elasticsearch:
       admin_password: s1cret0
     # Fluentd
     fluentd:
       shared_key: s1cret0
     # Grafana
     grafana:
       admin_password: s1cret0
   ```

2. Encrypt the file with Ansible Vault:

   ```shell
   ansible-vault encrypt vault.yml
   ```

   Provide the Ansible Vault password to encrypt the file.

   The file can be decrypted using the following command:

   ```shell
   ansible-vault decrypt vault.yml
   ```

3. Reference the vault variables in playbooks, group_vars, etc.

   For example, in the `k3s_cluster` group variables:

   ```yaml
   # k3s shared token
   k3s_token: "{{ vault.k3s.k3s_token }}"
   ```

   All referenced variables that are encrypted by Ansible Vault belong to the `vault` YAML dictionary, so they can be clearly identified and their values located in the `vault.yml` file.

4. Include a task to load the vault variables file in each playbook's `pre_tasks` section:

   ```yaml
   - name: my_playbook
     hosts: my_server
     pre_tasks:
       - name: Include vault variables
         include_vars: "vars/vault.yml"
         tags: ["always"]
     roles:
       ....
   ```

5. Execute Ansible playbooks with the `--ask-vault-pass` argument, so the password used to encrypt the vault file can be provided when starting the playbook:

   ```shell
   ansible-playbook my-playbook.yml --ask-vault-pass
   ```
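The layout above relies on two conventions holding over time: `vault.yml` is committed only in its encrypted form, and every credential-bearing variable in group_vars or role vars is a `{{ vault.* }}` reference rather than a literal. Neither is enforced by Ansible itself, so a check that runs as a pre-commit hook or in CI is worth having. The following is an added example, not code from this repository or from Ansible; the credential key-name heuristic and the sample file tree it scans are assumptions, and the "encrypted" sample body is a fake envelope with placeholder hex (the `$ANSIBLE_VAULT;` prefix is the real, fixed header `ansible-vault encrypt` writes).

```python
"""Repository hygiene check for the Ansible Vault layout described above.

Added example, not code from the ricsanfre repository or from Ansible. It
enforces two rules before a commit or in CI:
  1. any file named vault.yml carries the Ansible Vault envelope header
     ("$ANSIBLE_VAULT;" is the fixed prefix ansible-vault writes);
  2. no other vars file assigns a literal to a credential-looking key
     instead of a "{{ vault.* }}" reference.
The key-name heuristic and the sample file tree are assumptions.
"""
import re
import sys
from typing import Dict, List, Tuple

VAULT_HEADER = "$ANSIBLE_VAULT;"

# Keys that usually carry credentials (assumed naming, tune per repository).
SECRET_KEY_RE = re.compile(r"pass|token|secret|key", re.IGNORECASE)

# Accepted value: a Jinja reference into the `vault` dictionary.
VAULT_REF_RE = re.compile(r"\{\{\s*vault\.[\w.]+\s*\}\}")


def is_vault_encrypted(text: str) -> bool:
    """True if the file body starts with the Ansible Vault envelope header."""
    return text.startswith(VAULT_HEADER)


def find_plaintext_secrets(text: str) -> List[Tuple[int, str]]:
    """Return (line_no, line) for 'key: value' lines whose key looks
    credential-bearing and whose value is a literal, not {{ vault.* }}.
    Deliberately line-based: no YAML library needed, works on fragments."""
    hits = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("- "):            # list item such as "- name: ..."
            line = line[2:].lstrip()
        key, sep, value = line.partition(":")
        value = value.strip()
        if not sep or not value:             # "minio:" opens a nested mapping
            continue
        if SECRET_KEY_RE.search(key) and not VAULT_REF_RE.search(value):
            hits.append((lineno, line))
    return hits


def check_repo(files: Dict[str, str]) -> List[str]:
    """Apply both rules to a path -> content mapping; return findings."""
    findings = []
    for path, text in sorted(files.items()):
        if path.endswith("vault.yml"):
            if not is_vault_encrypted(text):
                findings.append(f"{path}: vault file is not encrypted")
            continue                         # encrypted body: nothing to scan
        for lineno, line in find_plaintext_secrets(text):
            findings.append(f"{path}:{lineno}: plaintext secret: {line}")
    return findings


# Constructed sample tree (not real repository content). The encrypted body
# is a fake envelope with placeholder hex, enough to exercise the header rule.
SAMPLE_REPO = {
    "vars/vault.yml": "$ANSIBLE_VAULT;1.1;AES256\n"
                      "6162636465666768696a6b6c6d6e6f70\n",
    "group_vars/k3s_cluster.yml": "---\n"
                                  "# k3s shared token\n"
                                  'k3s_token: "{{ vault.k3s.k3s_token }}"\n',
    "group_vars/minio.yml": "---\n"
                            "minio:\n"
                            "  root_password: supers1cret0\n"   # literal: flagged
                            '  velero_key: "{{ vault.minio.velero_key }}"\n',
    # a decrypted copy left behind by `ansible-vault decrypt` and committed
    "roles/longhorn/vars/vault.yml": "---\nvault:\n  grafana:\n"
                                     "    admin_password: s1cret0\n",
}


if __name__ == "__main__":
    problems = check_repo(SAMPLE_REPO)
    for problem in problems:
        print(problem)
    sys.exit(1 if problems else 0)
```

Run as a script it exits non-zero when anything is flagged, so it drops straight into a pre-commit hook or a CI step. The header rule is aimed at the `ansible-vault decrypt` step above, which rewrites `vault.yml` as plaintext on disk and is easy to commit by accident; `ansible-vault view` and `ansible-vault edit` read or change the file without leaving a decrypted copy behind. For unattended runs, `--vault-password-file` on the command line (or `vault_password_file` in `ansible.cfg`) replaces the `--ask-vault-pass` prompt, and that password file must itself stay out of the repository.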
