How should I pass an ssh password using a gitlab ci-cd variable for my ansible-playbook?
Question
I would like to practice automation with ansible and a ci-cd pipeline and my only problem is that I'm not sure how to reference the password for the user. If possible I would like to avoid using passwords in my inventory.yml since it would be visible in my Gitlab project.
I'm testing out the CI_CD environment variables so I can reference them easier.
My .gitlab-ci.yml:
stages:
  - deploy

deploy-job:
  stage: deploy
  script:
    - apk add ansible -v
    - apk add sshpass -v
    - ls -lah
    - mkdir /etc/ansible/
    - touch /etc/ansible/ansible.cfg
    - touch ~/.ansible.cfg
    - echo "[defaults]" >> /etc/ansible/ansible.cfg
    - echo "host_key_checking = False" >> /etc/ansible/ansible.cfg
    - echo "[defaults]" >> ~/.ansible.cfg
    - echo "host_key_checking = False" >> ~/.ansible.cfg
    - ansible-playbook ansible_roles.yml -i inventory.yml --extra-vars=$CONTABO_PASSWORD
My inventory.yml file:
all:
  children:
    webservers:
      hosts:
        Contabo:
          ansible_ssh_port: xxx
          ansible_host: xxx.xxx.xxx.xxx
          ansible_password: $CONTABO_PASSWORD
      vars:
        became: yes
        become_method: sudo
        ansible_user: test
What should I change in the code?
Answer 1
Score: 1
You can use ansible-vault to encrypt your file inventory.yml using a password or a password file.
Create a file, vault_pass.txt, that contains your Vault password.
Encrypt your inventory.yml file using the ansible-vault command with the --vault-password-file option:
> ansible-vault encrypt inventory.yml --vault-password-file=/path/to/vault_pass.txt
Push your encrypted inventory.yml file into your GitLab project.
To run a playbook that uses the encrypted file just add the following:
> ansible-playbook ansible_roles.yml -i inventory.yml --vault-password-file=/path/to/vaultkeyfile
Or you can do the same with --ask-vault-pass, which asks you for the password when executing the playbook:
> ansible-playbook ansible_roles.yml -i inventory.yml --ask-vault-pass
And finally, if you want to decrypt it:
> ansible-vault decrypt inventory.yml --vault-password-file=/path/to/vault_pass.txt
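
One way to use the vault approach above inside the GitLab job, as an added example that is not part of the original answer: the vault password comes from a masked CI/CD variable, is written to a private temporary file, and that file is passed to --vault-password-file, so the password appears neither in the repository nor on the command line. The variable name ANSIBLE_VAULT_PASSWORD and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example: deploy helper called from the .gitlab-ci.yml script section.
# ANSIBLE_VAULT_PASSWORD is an assumed name for a masked CI/CD variable.

# Write the vault password to a file only the current user can read and
# print the file's path. Fails if the variable is unset or empty.
write_vault_pass_file() {
    if [ -z "${ANSIBLE_VAULT_PASSWORD:-}" ]; then
        echo "ANSIBLE_VAULT_PASSWORD is not set" >&2
        return 1
    fi
    _old_umask=$(umask)
    umask 077    # files created from here on get mode 0600 at most
    _file=$(mktemp "${TMPDIR:-/tmp}/vault_pass.XXXXXX") || {
        umask "$_old_umask"
        return 1
    }
    umask "$_old_umask"
    # printf is a builtin in bash, dash and busybox ash, so the secret is
    # not passed as an argument to an external process.
    printf '%s\n' "$ANSIBLE_VAULT_PASSWORD" > "$_file"
    printf '%s\n' "$_file"
}

# Run the playbook from the question against the vault-encrypted inventory
# and remove the password file afterwards, whether or not the run succeeds.
run_playbook() {
    _pass_file=$(write_vault_pass_file) || return 1
    ansible-playbook ansible_roles.yml -i inventory.yml \
        --vault-password-file="$_pass_file"
    _rc=$?
    rm -f "$_pass_file"
    return "$_rc"
}

# Deploy only when called as "sh deploy.sh deploy", so the file can also be
# sourced for its functions without starting a run.
if [ "${1:-}" = "deploy" ]; then
    run_playbook
fi
```

In the job, the last script line would then call this file (for example as deploy.sh, a hypothetical name) with the argument deploy instead of invoking ansible-playbook directly.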