Ansible Vault & GPG

There are numerous ways to encrypt and share sensitive information. Projects such as BlackBox, Pass and Ansible Vault do similar things. BlackBox has the added benefit that several people can decrypt the same files, because each file is GPG-encrypted to every public key on the project's keyring.

As Ansible is the main configuration management tool here, and is the tool that will actually be handling the secret / sensitive information, it makes sense to try and leverage Vault. The issue is that Vault still relies on a shared secret (the vault password) that has to be distributed and protected somehow. Thanks to John Knight, the following post covers how to combine Ansible, GPG and Git to provide a similar but more integrated solution than BlackBox.

This post builds on that information and adds extra background reading.

Secrets

The rationale for this work is to build a Docker container that acts as a Jenkins slave. It needs sensitive information baked in so that it can authenticate to CVS, Subversion and Git, and that information has to live in the project repository encrypted:

  • cvspass auth information
  • svn auth information
  • builder private key

All of this is stored in vault-encrypted files inside the Ansible project. I'm using the following structure:

vars/
└── vault
    ├── cvs.yml
    ├── keys.yml
    └── subversion.yml

The files are encrypted in place, with the vault password read from a file rather than typed at a prompt:

ansible-vault encrypt vars/vault/* --vault-password-file ./vault-password.txt
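To make concrete what that vault password actually protects once the files are committed, here is an added example (my own Go code, not from the original post, John Knight's post or the Ansible project) that implements the `$ANSIBLE_VAULT;1.1;AES256` envelope with only the Go standard library, following the construction in Ansible's VaultAES256 class as I understand it: a 32-byte random salt, PBKDF2-HMAC-SHA256 with 10000 iterations stretching the vault password into an AES-256 key, an HMAC-SHA256 key and a 16-byte CTR counter, PKCS#7 padding, and an HMAC over the ciphertext that is verified before anything is decrypted. The sample plaintext and the password `hunter2` are constructed for the demo and are not real credentials.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"strings"
)

const vaultHeader = "$ANSIBLE_VAULT;1.1;AES256" // header ansible-vault writes when no vault-id is used

// pbkdf2SHA256 is a minimal PBKDF2-HMAC-SHA256 (RFC 8018), inlined to stay inside the standard library.
func pbkdf2SHA256(password, salt []byte, iter, keyLen int) []byte {
	var out []byte
	for blk := uint32(1); len(out) < keyLen; blk++ {
		mac := hmac.New(sha256.New, password)
		mac.Write(binary.BigEndian.AppendUint32(append([]byte(nil), salt...), blk)) // U1 = PRF(P, S || INT(i))
		u := mac.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ {
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// deriveKeys mirrors Ansible's VaultAES256: 10000 iterations, 80 bytes = AES-256 key | HMAC key | CTR counter.
func deriveKeys(password string, salt []byte) (key1, key2, iv []byte) {
	dk := pbkdf2SHA256([]byte(password), salt, 10000, 80)
	return dk[:32], dk[32:64], dk[64:]
}

// VaultEncrypt builds a 1.1 envelope: header, then hex(hex(salt)+"\n"+hex(hmac)+"\n"+hex(ct)) wrapped at 80 columns.
func VaultEncrypt(plaintext []byte, password string) (string, error) {
	salt := make([]byte, 32)
	if _, err := rand.Read(salt); err != nil {
		return "", err
	}
	key1, key2, iv := deriveKeys(password, salt)
	block, _ := aes.NewCipher(key1)                     // key1 is always 32 bytes, so this cannot fail
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize // PKCS#7, as Ansible does even though CTR needs none
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(padded))
	cipher.NewCTR(block, iv).XORKeyStream(ct, padded)
	mac := hmac.New(sha256.New, key2) // encrypt-then-MAC: the tag covers the ciphertext only
	mac.Write(ct)
	inner := hex.EncodeToString(salt) + "\n" + hex.EncodeToString(mac.Sum(nil)) + "\n" + hex.EncodeToString(ct)
	body, out := hex.EncodeToString([]byte(inner)), vaultHeader+"\n"
	for ; len(body) > 80; body = body[80:] {
		out += body[:80] + "\n"
	}
	return out + body + "\n", nil
}

// VaultDecrypt checks the HMAC before decrypting, so a wrong password or an edited file fails closed.
func VaultDecrypt(vaulttext, password string) ([]byte, error) {
	lines := strings.Split(strings.TrimSpace(vaulttext), "\n")
	inner, err := hex.DecodeString(strings.Join(strings.Fields(strings.Join(lines[1:], "\n")), ""))
	parts := strings.Split(string(inner), "\n")
	if strings.TrimSpace(lines[0]) != vaultHeader || err != nil || len(parts) != 3 {
		return nil, fmt.Errorf("not a well-formed %s envelope", vaultHeader)
	}
	salt, errS := hex.DecodeString(parts[0])
	tag, errT := hex.DecodeString(parts[1])
	ct, errC := hex.DecodeString(parts[2])
	if errS != nil || errT != nil || errC != nil || len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("malformed vault body")
	}
	key1, key2, iv := deriveKeys(password, salt)
	mac := hmac.New(sha256.New, key2)
	mac.Write(ct)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return nil, fmt.Errorf("HMAC mismatch: wrong vault password or tampered ciphertext")
	}
	block, _ := aes.NewCipher(key1)
	pt := make([]byte, len(ct))
	cipher.NewCTR(block, iv).XORKeyStream(pt, ct)
	if pad := int(pt[len(pt)-1]); pad >= 1 && pad <= aes.BlockSize {
		return pt[:len(pt)-pad], nil
	}
	return nil, fmt.Errorf("bad PKCS#7 padding")
}

func main() {
	env, err := VaultEncrypt([]byte("builder_private_key: not-a-real-key\n"), "hunter2") // constructed sample
	pt, err2 := VaultDecrypt(env, "hunter2")
	fmt.Printf("%sencrypt err=%v decrypt err=%v plaintext=%q\n", env, err, err2, pt)
}
```

Two things are worth taking from it. The format is authenticated, so a bad password or a modified file is rejected rather than yielding silently corrupted YAML. And all of the protection rests on the entropy of the vault password: 10000 PBKDF2 iterations only slow an offline guess by a constant factor, which is why keeping that password itself out of the repository and off disk, as the GPG step later in this post does, matters.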

Because the playbook is run with the vault password supplied, the decrypted content can simply be copied into place by a normal task. Note that the playbook runs with -v here; it is worth adding no_log: true to tasks that handle vault material so that the values cannot be echoed in the run output.

sudo docker run \
    -h centos-slave \
    --name=building base_image \
    ansible-playbook \
        --vault-password-file /srv/ansible/vault-password.txt \
        -c local \
        -s -v /srv/ansible/site.yml

- name: Add builder private key from vault to .ssh
  copy:
    content: ""      # the builder private key, templated from the vault variable in keys.yml
    dest: "/.ssh/id_rsa"   # .ssh directory of the build user
    owner: ""        # build user
    group: ""        # build user's group
    mode: '0600'     # private key must not be group/world readable

Makefile

The Docker container is built with Make, which wraps up all the Docker commands and handles decrypting the vault password with GPG. Note that vault-password.txt sits decrypted on disk from the gpg step until the final rm; if mvn or docker fails part way, Make stops and the plaintext password is left behind, so it is worth removing it in a separate clean target or from a shell trap rather than relying on the last recipe line.

SHELL := /bin/bash
img:
    @echo -------------------------------------------------------
    @echo Cleaning up previous containers
    @echo -------------------------------------------------------

    CONTAINER="$(shell sudo docker ps -a  | grep building | awk '{ print $$1 }')" ; \
        if [[ -n "$$CONTAINER" ]]; then \
            sudo docker rm $$CONTAINER; \
        fi

    # Decrypt the vault password
    gpg --batch --yes --decrypt-files vault-password.txt.gpg;

    mvn -U clean package

    @echo  -------------------------------------------------------
    @echo  Building docker container via Ansible
    @echo  -------------------------------------------------------

    sudo docker build -t base_key_ansible target/build/jenkins_slave
    sudo docker run \
        -h centos-slave \
        --name=building base_key_ansible \
        ansible-playbook \
            --vault-password-file /srv/ansible/vault-password.txt \
            -c local \
            -s -v /srv/ansible/site.yml

    @echo  -------------------------------------------------------
    @echo  Built docker container
    @echo  -------------------------------------------------------
    sudo docker commit building centos-slave

    @echo  -------------------------------------------------------
    @echo  Cleaning up
    @echo  -------------------------------------------------------
    sudo docker rm building
    sudo docker ps -a
    sudo docker images
    sudo docker rmi base_key_ansible

    mvn clean

    rm vault-password.txt

    @echo  -------------------------------------------------------
    @echo  Complete
    @echo  -------------------------------------------------------