How should I pass an ssh password using a gitlab ci-cd variable for my ansible-playbook?

Question

I would like to practice automation with ansible and a ci-cd pipeline and my only problem is that I'm not sure how to reference the password for the user. If possible I would like to avoid using passwords in my inventory.yml since it would be visible in my Gitlab project.
I'm testing out the CI_CD environment variables so I can reference them easier.

My .gitlab-ci.yml:

stages:
  - deploy

deploy-job:
  stage: deploy
  script:
    - apk add ansible -v
    - apk add sshpass -v
    - ls -lah
    - mkdir /etc/ansible/
    - touch /etc/ansible/ansible.cfg
    - touch ~/.ansible.cfg
    - echo "[defaults]" >> /etc/ansible/ansible.cfg
    - echo "host_key_checking = False" >> /etc/ansible/ansible.cfg
    - echo "[defaults]" >> ~/.ansible.cfg
    - echo "host_key_checking = False" >> ~/.ansible.cfg
    - ansible-playbook ansible_roles.yml -i inventory.yml --extra-vars=$CONTABO_PASSWORD

My inventory.yml file:

all:
  children:
    webservers:
      hosts:
        Contabo:
          ansible_ssh_port: xxx
          ansible_host: xxx.xxx.xxx.xxx
          ansible_password: $CONTABO_PASSWORD
      vars:
        became: yes
        become_method: sudo
        ansible_user: test

What should I change in the code?

Answer 1

Score: 1

You can use ansible-vault to encrypt your file inventory.yml using a password or a password file.

Create a file that contains your Vault password vault_pass.txt

Encrypt your inventory.yml file using the ansible-vault command with the --vault-password-file option:

> ansible-vault encrypt inventory.yml --vault-password-file=/path/to/vault_pass.txt

Push your encrypted inventory.yml file into your project Gitlab.

To run a playbook that uses the encrypted file just add the following:

> ansible-playbook ansible_roles.yml -i inventory.yml --vault-password-file=/path/to/vaultkeyfile

Or you can do the same with --ask-vault-pass which asks you for the password when executing the playbook:

> ansible-playbook ansible_roles.yml -i inventory.yml --ask-vault-pass

And finally if you want to decrypt it:

> ansible-vault decrypt inventory.yml --vault-password-file=/path/to/vault_pass.txt
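
The `--vault-password-file` step above needs the vault password inside the CI job without committing `vault_pass.txt`, and `--ask-vault-pass` cannot be answered in a non-interactive pipeline. As an added example (not part of the original answer), this shell helper for the job's `script:` section takes the password from a masked CI/CD variable and refuses to run if `inventory.yml` was committed unencrypted; the variable name `VAULT_PASSWORD` and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Assumption: a masked GitLab
# CI/CD variable named VAULT_PASSWORD (hypothetical name) holds the vault
# password that was used to encrypt inventory.yml.

# Succeed only if the file starts with the ansible-vault header, so a
# plaintext inventory committed by mistake stops the job.
is_vault_encrypted() {
    [ -f "$1" ] || return 1
    first_line=''
    IFS= read -r first_line < "$1" || [ -n "$first_line" ] || return 1
    case "$first_line" in
        '$ANSIBLE_VAULT;'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Write the vault password to a private temp file and print its path.
# The password itself is never echoed to the job log.
make_vault_pass_file() {
    if [ -z "${VAULT_PASSWORD:-}" ]; then
        echo "VAULT_PASSWORD is not set" >&2
        return 1
    fi
    pass_file=$(mktemp) || return 1   # mktemp creates the file with mode 0600
    chmod 600 "$pass_file"
    printf '%s' "$VAULT_PASSWORD" > "$pass_file"
    printf '%s\n' "$pass_file"
}

# Run the playbook from the question, then remove the password file
# whether or not the playbook succeeded.
run_playbook() {
    if ! is_vault_encrypted inventory.yml; then
        echo "inventory.yml is not vault-encrypted; refusing to run" >&2
        return 1
    fi
    vault_file=$(make_vault_pass_file) || return 1
    status=0
    ansible-playbook ansible_roles.yml -i inventory.yml \
        --vault-password-file="$vault_file" || status=$?
    rm -f "$vault_file"
    return "$status"
}
```

Source the file in the job and call `run_playbook` as the last `script:` line.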

huangapple
  • Published on February 8, 2023, 18:07:14
  • When reposting, please keep the link to this article: https://go.coder-hub.com/75384174.html