Tosin Akinosho

Posted on • Updated on

Ansible Vault Secrets Documentation

This post lists the secrets the Ansible playbooks in this workflow need and shows how to manage them with the ansiblesafe tool so they never sit in a repository in plaintext.

Red Hat Subscription Manager (RHSM) Variables

These variables register the Ansible Automation Platform instance with Red Hat Subscription Manager and attach the necessary subscriptions. subscription-manager accepts either a username and password or an organization ID plus activation key, so set whichever pair your playbook uses.

  • rhsm_username: The username for your Red Hat account.
  • rhsm_password: The password for your Red Hat account.
  • rhsm_org: The ID of the organization to register the system to.
  • rhsm_activationkey: The activation key used to register the system.

Admin User Variables

  • admin_user_password: The password for the admin user on virtual machines created with kcli-pipelines.

Offline Token Variables

  • offline_token: The offline token used for Red Hat Subscription Manager.
  • automation_hub_offline_token: The offline token used for Automation Hub.

OpenShift Pull Secret

  • openshift_pull_secret: The pull secret used to deploy OpenShift clusters.

FreeIPA Server Admin Password

  • freeipa_server_admin_password: The password for the FreeIPA server admin user, used by the freeipa-workshop-deployer.
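The following shell script is an added example, not code from this post or from the ansiblesafe project. It checks a plaintext vault.yml against the key list above before the file is encrypted or committed, and recognises a file that is already encrypted by its Ansible Vault header, so it can run as a pre-commit hook. The key list in REQUIRED_KEYS and the layout of one `key: value` per line are assumptions about your playbooks; the exit codes (0 encrypted, 1 keys missing or empty, 2 complete but still plaintext) are this example's own convention.

```shell
#!/usr/bin/env sh
# Added example, not part of the original post or the ansiblesafe project.
# Checks a vault.yml before it is encrypted with ansiblesafe or committed.

# Keys the post lists as required (assumption: one "key: value" per line).
REQUIRED_KEYS="rhsm_username rhsm_password rhsm_org rhsm_activationkey \
admin_user_password offline_token automation_hub_offline_token \
openshift_pull_secret freeipa_server_admin_password"

# is_vault_encrypted FILE -> 0 if the first line is an Ansible Vault header
is_vault_encrypted() {
  head -n 1 "$1" | grep -q '^\$ANSIBLE_VAULT;1\.[12];AES256'
}

# missing_keys FILE -> prints one line per required key that is absent or
# has an empty value
missing_keys() {
  file="$1"
  for key in $REQUIRED_KEYS; do
    # "key:" followed by at least one non-blank character (quotes and the
    # YAML block indicator "|" count as a value)
    if ! grep -Eq "^${key}:[[:space:]]*[^[:space:]]" "$file"; then
      echo "$key"
    fi
  done
}

# check_vault_file FILE
#   0 -> already encrypted, contents not inspected
#   1 -> plaintext with required keys missing or empty (or file not found)
#   2 -> plaintext and complete, still needs "ansiblesafe -f FILE -o 1"
check_vault_file() {
  file="$1"
  [ -f "$file" ] || { echo "$file: not found" >&2; return 1; }
  if is_vault_encrypted "$file"; then
    echo "$file: encrypted with Ansible Vault"
    return 0
  fi
  missing=$(missing_keys "$file")
  if [ -n "$missing" ]; then
    echo "$file: missing or empty keys:" $missing >&2
    return 1
  fi
  echo "$file: plaintext with all keys set; encrypt it: ansiblesafe -f $file -o 1" >&2
  return 2
}

# Usage: ./check_vault.sh path/to/vault.yml
if [ $# -gt 0 ]; then
  check_vault_file "$1"
fi
```

Wired into a pre-commit hook, any non-zero status blocks the commit, so both an incomplete file and a complete-but-unencrypted one are caught; only a file ansiblesafe has already encrypted passes.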

Managing Secrets with Ansiblesafe

ansiblesafe is a Go program that encrypts and decrypts YAML secret files by driving the Ansible Vault CLI. It supports encrypting, decrypting, and syncing the secrets to and from HashiCorp Vault.

Installation

dnf install ansible-core -y
# Pinned release archive; check it against whatever checksum or signature the release page publishes before installing
curl -OL https://github.com/tosin2013/ansiblesafe/releases/download/v0.0.8/ansiblesafe-v0.0.8-linux-amd64.tar.gz
tar -zxvf ansiblesafe-v0.0.8-linux-amd64.tar.gz
chmod +x ansiblesafe-linux-amd64
sudo mv ansiblesafe-linux-amd64 /usr/local/bin/ansiblesafe

Usage

If you pass no flags, ansiblesafe falls back to its defaults (the file path defaults to $HOME/vault.yml) and generates the file for you.

$ ansiblesafe -h
Usage of /tmp/go-build1657505477/b001/exe/ansiblesafe:
  -f, --file string     Path to YAML file (default: $HOME/vault.yml)
  -o, --operation int   Operation to perform (1: encrypt, 2: decrypt, 3: Write secrets to HashiCorp Vault, 4: Read secrets from HashiCorp Vault, 5: skip encrypting/decrypting)

If you installed the binary to /usr/local/bin as above, call it as ansiblesafe; if you built it from a clone of the repository, run ./ansiblesafe from that directory. Then pick the operation you need:

  • Encrypt a YAML file:
  ansiblesafe -f path_to_your_file -o 1
  • Decrypt a YAML file:
  ansiblesafe -f path_to_your_file -o 2

HashiCorp Vault Examples

Write secrets to HashiCorp Vault

$ export VAULT_ADDRESS=http://127.0.0.1:8200/
$ export VAULT_TOKEN=token
$ export SECRET_PATH=ansiblesafe/example
$ ansiblesafe -o 3

A plain-http address is only acceptable for a local dev server; against any other Vault use https, otherwise the token and every secret cross the network in clear. Use a short-lived token whose policy is scoped to SECRET_PATH, and keep the export out of shell history (a leading space with HISTCONTROL=ignorespace, or read the token from a mode-600 file).

Read secrets from HashiCorp Vault and save them to vault.yml

$ export VAULT_ADDRESS=http://127.0.0.1:8200/
$ export VAULT_TOKEN=token
$ export SECRET_PATH=ansiblesafe/example
$ ansiblesafe -o 4
$ ansiblesafe -o 1 # Optional: encrypt the file; until you do, the secrets sit on disk in plaintext

Security Considerations

Instructions to use ansiblesafe without a password prompt

$ touch ~/.vault_password
$ chmod 600 ~/.vault_password
# The leading space keeps the command out of bash history only when HISTCONTROL
# contains ignorespace or ignoreboth (zsh: setopt HIST_IGNORE_SPACE); check it first
$  echo password > ~/.vault_password
# Link the password file into the current working directory
$ ln ~/.vault_password .
# Set the environment variable to the location of the file
$ export ANSIBLE_VAULT_PASSWORD_FILE=.vault_password

Write the file once with > rather than appending with >>: a second line changes the password Ansible reads from the file and every decrypt fails. The hard link makes the password file appear inside the playbook directory, so add .vault_password to that directory's .gitignore, or skip the link and point ANSIBLE_VAULT_PASSWORD_FILE at ~/.vault_password directly. Because ansiblesafe drives the Ansible Vault CLI, the same variable also serves ansible-vault and ansible-playbook.
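As an added example (not the post's own commands, and not part of the ansiblesafe project), the following shell functions perform the same setup with the password read from standard input instead of typed on the command line, so it never reaches shell history regardless of HISTCONTROL, and then verify the result: the file must be mode 0600 and hold exactly one line. The helper that adds the file to .gitignore assumes the playbook directory is a git checkout; the function names, the use of the `pass` password manager in the usage comment, and the file paths are this example's own.

```shell
#!/usr/bin/env sh
# Added example, not part of the original post or the ansiblesafe project.
# Creates and verifies the Ansible Vault password file without putting the
# password on a command line, so it never lands in shell history.

# check_vault_password_file FILE -> 0 only if FILE is mode 0600 and holds
# exactly one line (a stray second line from a repeated append changes the
# effective password and every decrypt fails)
check_vault_password_file() {
  file="$1"
  [ -f "$file" ] || { echo "$file: not found" >&2; return 1; }
  # GNU stat first, BSD/macOS stat as fallback
  mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
  [ "$mode" = "600" ] || { echo "$file: mode $mode, expected 600" >&2; return 1; }
  lines=$(wc -l < "$file" | tr -d ' ')
  [ "$lines" -eq 1 ] || { echo "$file: expected 1 line, found $lines" >&2; return 1; }
}

# write_vault_password FILE -> reads the password from standard input
# (pipe it from a password manager) and writes it once, mode 0600
write_vault_password() {
  file="$1"
  IFS= read -r password || return 1
  [ -n "$password" ] || { echo "refusing to write an empty password" >&2; return 1; }
  # subshell umask so the file is born 0600; '>' not '>>' so reruns overwrite
  (umask 077; printf '%s\n' "$password" > "$file")
  unset password
  chmod 600 "$file"                # also fixes a pre-existing, looser file
  check_vault_password_file "$file"
}

# ensure_gitignored FILE REPO_DIR -> add FILE's basename to .gitignore once,
# so a copy or link of it inside the playbook checkout is never committed
ensure_gitignored() {
  name=$(basename "$1")
  ignore="$2/.gitignore"
  grep -qxF "$name" "$ignore" 2>/dev/null || echo "$name" >> "$ignore"
}

# Usage (example; 'pass' is one possible source of the password):
#   pass show ansible/vault | write_vault_password ~/.vault_password
#   ensure_gitignored ~/.vault_password .
#   export ANSIBLE_VAULT_PASSWORD_FILE=~/.vault_password
```

Pointing ANSIBLE_VAULT_PASSWORD_FILE at the home-directory file avoids the hard link altogether; if you do keep a link in the checkout, run ensure_gitignored before the first commit. For interactive entry, wrap the call in stty -echo / stty echo so the terminal does not display the password.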

Remember to keep your vault password and tokens secure and limit access to authorized users only.

More Information

For more details on ansiblesafe and its capabilities, visit the GitHub repository at https://github.com/tosin2013/ansiblesafe.
