Deployment with Ansible from Gitlab CI, dealing with passwords

I'm trying to achieve a "password-free" deployment workflow using Gitlab CI and Ansible. Some steps do require a password (I'm already using SSH keys whenever I can), so I've stored those passwords inside an Ansible Vault. Next, I would just need to provide the Vault password when running the playbook.

But how could I integrate this nicely with Gitlab CI?

May I register a gitlab-ci job (or are jobs suitable for builds only?), which just runs the playbook providing the vault password somehow?! Can this be achieved without a password lying around in plain text?!

Also, I would be really happy if someone could point me to some material that shows how we can deploy builds using Ansible. As you can notice, I've definitively found nothing about that.

asked Sep 15 '15 14:09 by kbtz


People also ask

How do you pass an encrypted password in Ansible?

You can use the ansible-vault encrypt_string command for this. You'll be prompted to insert and then confirm the vault password. You can then start inserting the string value that you wish to encrypt. Press ctrl-d to end input.

How do I use Ansible passwords?

To enable this feature, a command line tool, ansible-vault, is used to edit files, and a command line flag --ask-vault-pass or --vault-password-file is used. You can also modify your ansible.cfg file to specify the location of a password file or configure Ansible to always prompt for the password.

How do I store passwords in Ansible vault?

You can store your vault passwords on the system keyring, in a database, or in a secret manager and retrieve them from within Ansible using a vault password client script. Enter the password as a string on a single line. If your password has a vault ID, store it in a way that works with your password storage tool.


1 Answer

You can set an environment variable in GitLab CI which would hold the Ansible Vault password. In my example I called it $ANSIBLE_VAULT_PASSWORD.

Here is the example for .gitlab-ci.yml:

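deploy:
  only:
    - master
  script:
    # Write the vault password from the CI variable to a file (quoted so the shell keeps it intact)
    - echo "$ANSIBLE_VAULT_PASSWORD" > .vault_password.txt
    # Point ansible-playbook at that file instead of prompting for the password
    - ansible-playbook -i ansible/staging.yml --vault-password-file .vault_password.txt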

Hope this trick helps you out.

answered Sep 22 '22 05:09 by Laurynas Mališauskas
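
A variation on the answer above that keeps the password out of the workspace: when the file given to --vault-password-file is executable, Ansible runs it and takes the password from its stdout. This is an added example, not part of the original answer; the function names, the helper file name and the `<playbook.yml>` placeholder are assumptions, and `ANSIBLE_VAULT_PASSWORD` is the CI variable from the answer.

```shell
#!/bin/sh
# Added example: helper and function names are assumptions, not from the answer.

# Write an executable helper that prints the vault password from the environment.
# The helper holds no secret itself; Ansible runs it and reads the password from stdout.
make_vault_pass_helper() {
    helper="$1"
    cat > "$helper" <<'EOF'
#!/bin/sh
# GitLab debug tracing prints every job variable to the job log: refuse to continue.
if [ "${CI_DEBUG_TRACE:-false}" = "true" ]; then
    echo "CI_DEBUG_TRACE is enabled; refusing to hand out the vault password" >&2
    exit 1
fi
if [ -z "${ANSIBLE_VAULT_PASSWORD:-}" ]; then
    echo "ANSIBLE_VAULT_PASSWORD is not set" >&2
    exit 1
fi
printf '%s\n' "$ANSIBLE_VAULT_PASSWORD"
EOF
    chmod 700 "$helper"
}

# Run ansible-playbook with the helper, then remove the helper again.
# Usage in the job script: run_playbook_with_vault -i ansible/staging.yml <playbook.yml>
run_playbook_with_vault() {
    helper_dir=$(mktemp -d) || return 1
    make_vault_pass_helper "$helper_dir/vault-pass.sh" || return 1
    ansible-playbook --vault-password-file "$helper_dir/vault-pass.sh" "$@"
    status=$?
    rm -rf "$helper_dir"
    return "$status"
}
```

Marking the variable as masked and protected in the GitLab CI/CD settings keeps it out of job logs and away from unprotected branches.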