Ansible Vault for User Logins

Shenzhen, China

I am using the following playbook to run an update on a Docker cluster - nano /opt/ansible/playbooks/update_wikis.yml:

---
- hosts: Wiki_Virtual
  gather_facts: no

  vars_prompt:

    - name: "gitlabuser"
      prompt: "Enter your INSTAR Gitlab Username"
      private: no
    - name: "gitlabpassword"
      prompt: "Enter your INSTAR Gitlab Password"
      private: yes

  tasks:

    - name: Log into Docker Registry and force re-authorization
      docker_login:
        registry: my.gitlab.com:12345
        username: "{{ gitlabuser }}"
        password: "{{ gitlabpassword }}"
        reauthorize: yes

    - name: Download the latest Wiki build images
      shell: docker pull my.gitlab.com:12345/wiki/{{ item }}
      with_items:
        - wiki_en_container
        - wiki_de_container
        - wiki_fr_container

    - name: Remove the EN Wiki Container
      docker_container:
        name: wiki_en
        state: absent

    - name: Rebuild the EN Wiki Container
      docker_container:
        name: wiki_en
        image: my.gitlab.com:12345/wiki/wiki_en_container
        state: started
        restart_policy: unless-stopped
        networks:
          - name: gateway
        networks_cli_compatible: yes

    - name: Remove the DE Wiki Container
      docker_container:
        name: wiki_de
        state: absent

    - name: Rebuild the DE Wiki Container
      docker_container:
        name: wiki_de
        image: my.gitlab.com:12345/wiki/wiki_de_container
        state: started
        restart_policy: unless-stopped
        networks:
          - name: gateway
        networks_cli_compatible: yes

    - name: Remove the FR Wiki Container
      docker_container:
        name: wiki_fr
        state: absent

    - name: Run the FR Wiki Container
      docker_container:
        name: wiki_fr
        image: my.gitlab.com:12345/wiki/wiki_fr_container
        state: started
        restart_policy: unless-stopped
        networks:
          - name: gateway
        networks_cli_compatible: yes

This downloads the newest Docker images from a private Docker registry, removes the old containers and replaces them with new ones built from the updated images.

I am using a prompt to ask for the user login for the private registry before running any of the tasks. I want to replace my personal login here with an Ansible user login that I can share with my coworkers. And preferably it should be hidden inside a vault - so that I only have to forward a simple vault password and the credentials for my registry remain hidden from other users.

Creating the Vault

I will place the Ansible user login inside a file nano /opt/ansible/playbooks/login_vault.yml:

---
ansible_gitlab_user: m.polinowski@gmail.com
ansible_gitlab_pass: verysecretpassword

Include it into your Playbook

Now I need to include this file in my playbook and read the variables from it:

---
- hosts: Wiki_Virtual
  gather_facts: no

  tasks:

    - name: Include vault for registry login
      include_vars:
        file: login_vault.yml

    - name: Log into Docker Registry and force re-authorization
      docker_login:
        registry: my.gitlab.com:12345
        username: "{{ ansible_gitlab_user }}"
        password: "{{ ansible_gitlab_pass }}"
        reauthorize: yes

Encrypt your Logins with Ansible Vault

To access the file you will need a password that you have to forward to your co-workers. I chose to store this password in a password file. Don't forget to add this file to your .gitignore, so that it is never committed and unauthorized users cannot run your playbook:

touch /opt/ansible/playbooks/vault_pass
nano /opt/ansible/playbooks/vault_pass
mysecretvaultpass

I can now use the ansible-vault command to encrypt my vault:

ansible-vault encrypt /opt/ansible/playbooks/login_vault.yml --vault-password-file /opt/ansible/playbooks/vault_pass
Encryption successful

Verify that your vault was encrypted by running:

cat /opt/ansible/playbooks/login_vault.yml
$ANSIBLE_VAULT;1.1;AES256
64323732356632353638316337313632326233373339366665356433346633626463653064363362
6635646....

If you need to check the content of your vault run the following command:

ansible-vault view /opt/ansible/playbooks/login_vault.yml --vault-password-file /opt/ansible/playbooks/vault_pass
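Before handing the playbook to co-workers it is worth checking that the vault file really carries the $ANSIBLE_VAULT header, that vault_pass is readable only by its owner, and that vault_pass is git-ignored. The following POSIX shell script is an added example and not part of the original post; it assumes the file names used above and builds a constructed demo directory (no real secrets) so it can run stand-alone:

```shell
#!/bin/sh
# Added example (not part of the original post): pre-flight checks to run
# before ansible-playbook, verifying that login_vault.yml is encrypted, that
# vault_pass is only readable by its owner, and that vault_pass is listed in
# .gitignore. File names follow the post; the demo files below are constructed.

# 0 if the file starts with an Ansible Vault header, 1 otherwise.
is_vault_encrypted() {
    head -n 1 "$1" 2>/dev/null | grep -q '^\$ANSIBLE_VAULT;1\.[0-9];AES256'
}

# 0 if the password file mode is 600 or 400 (GNU stat, BSD stat as fallback).
vault_pass_is_private() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null)
    case "$mode" in
        600|400) return 0 ;;
        *) return 1 ;;
    esac
}

# 0 if the password file's name appears as a whole line in <dir>/.gitignore.
vault_pass_is_ignored() {
    grep -qxF "$(basename "$1")" "$2/.gitignore" 2>/dev/null
}

# Runs all three checks on a playbook directory; prints each failure, returns 1 on any.
preflight() {
    dir="$1"; rc=0
    is_vault_encrypted "$dir/login_vault.yml" || { echo "FAIL: login_vault.yml is not encrypted"; rc=1; }
    vault_pass_is_private "$dir/vault_pass" || { echo "FAIL: vault_pass is readable by other users"; rc=1; }
    vault_pass_is_ignored "$dir/vault_pass" "$dir" || { echo "FAIL: vault_pass is not in .gitignore"; rc=1; }
    return $rc
}

# Builds a constructed playbook directory (fake vault body, fake password) and prints its path.
make_demo_dir() {
    d=$(mktemp -d)
    printf '%s\n' '$ANSIBLE_VAULT;1.1;AES256' '64323732356632353638313337313632' > "$d/login_vault.yml"
    printf 'mysecretvaultpass\n' > "$d/vault_pass"
    chmod 600 "$d/vault_pass"
    printf 'vault_pass\n' > "$d/.gitignore"
    echo "$d"
}

demo=$(make_demo_dir)
preflight "$demo" && echo "pre-flight checks passed for $demo"
```

Run it against /opt/ansible/playbooks with `preflight /opt/ansible/playbooks` before the ansible-playbook call; a non-zero exit means a secret would be exposed.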

Running your Playbook

You can first do a dry run by adding the --check flag to the command:

ansible-playbook /opt/ansible/playbooks/update_wikis.yml --vault-password-file /opt/ansible/playbooks/vault_pass --check

PLAY [Wiki_Virtual] *********************************************************************
TASK [Include vault for registry login] *************************************************
ok: [Wiki_Virtual]

TASK [Log into Docker Registry and force re-authorization] ******************************
ok: [Wiki_Virtual]

TASK [Download the latest Wiki build images] ********************************************
skipping: [Wiki_Virtual] => (item=wiki_en_container)
skipping: [Wiki_Virtual] => (item=wiki_de_container)
skipping: [Wiki_Virtual] => (item=wiki_fr_container)

TASK [Remove the EN Wiki Container] *****************************************************
changed: [Wiki_Virtual]

TASK [Rebuild the EN Wiki Container] ****************************************************
ok: [Wiki_Virtual]

TASK [Remove the DE Wiki Container] *****************************************************
changed: [Wiki_Virtual]

TASK [Rebuild the DE Wiki Container] ****************************************************
ok: [Wiki_Virtual]

TASK [Remove the FR Wiki Container] *****************************************************
changed: [Wiki_Virtual]

TASK [Run the FR Wiki Container] ********************************************************
ok: [Wiki_Virtual]

PLAY RECAP ******************************************************************************
Wiki_Virtual : ok=8 changed=3 unreachable=0 failed=0 skipped=1