Merge pull request #151 from axivo/doc/playbook

Update playbooks documentation
axivo · Jun 15, 2024 · 48cf817 · 48cf817
2 parents 5cb8662 + 31c7b6b
commit 48cf817
Show file tree

Hide file tree

Showing 2 changed files with 68 additions and 31 deletions.
diff --git a/k3s-cluster/content/tutorials/handbook/ansible/_index.md b/k3s-cluster/content/tutorials/handbook/ansible/_index.md
@@ -21,7 +21,7 @@ This repository uses a global password for all encrypted settings, allowing the
 
 ### Encryption
 
-Example of `ansible_password` variable encryption, with `ansible-vault` command:
+Example of `ansible_password` variable encryption:
 
 ```shell
 ansible-vault encrypt_string 'this-Is-Som3-paSsw0rd' --name 'ansible_password'
@@ -34,12 +34,12 @@ New Vault password: my-Gl0bal-Passw0rd
 Confirm New Vault password: my-Gl0bal-Passw0rd
 Encryption successful
 ansible_password: !vault |
-  $ANSIBLE_VAULT;1.1;AES256
-  32313062343462356565373964653464623266323538373864383063333232393833336163343436
-  3631326537313236613737353037393564623230353936380a643161633533626236376630353864
-  35323639343039386465363233303239386535376630656637346333643563613536366631373466
-  3461636432363861610a336232313535333433643737636236376236313334656138336335616262
-  36613833363662323261373266333565633430643639366435303061313039643637
+          $ANSIBLE_VAULT;1.1;AES256
+          32313062343462356565373964653464623266323538373864383063333232393833336163343436
+          3631326537313236613737353037393564623230353936380a643161633533626236376630353864
+          35323639343039386465363233303239386535376630656637346333643563613536366631373466
+          3461636432363861610a336232313535333433643737636236376236313334656138336335616262
+          36613833363662323261373266333565633430643639366435303061313039643637
 ```
 
 {{< callout type="warning" >}}
@@ -48,44 +48,56 @@ ansible_password: !vault |
 
 Insert the `ansible_password` encrypted output into [`all.yaml`](https://{{< param variables.repository.cluster >}}/blob/main/inventory/cluster/group_vars/all.yaml) configuration file, while respecting the output indentation.
 
-### Decryption
-
-{{< callout type="info" >}}
-  The `@` symbol defined into `-e` (short definition for `--extra-vars`) option represents the `filename` root location.
-{{< /callout >}}
-
-Example of `ansible_password` variable decryption, with `ansible` command:
+Once all variables have been initially encrypted with the same global password, they can be updated with the [Vault](/k3s-cluster/wiki/guide/playbooks/vault) playbook:
 
 ```shell
-ansible localhost --ask-vault-pass -m debug \
-  -a 'var=ansible_password' \
-  -e '@inventory/cluster/group_vars/all.yaml'
+ansible-playbook --ask-vault-pass vault.yaml
+Vault password: my-Gl0bal-Passw0rd
+Select an action to perform:
+ 1) List encrypted role variables
+ 2) Encrypt role variable
+ 3) Update global password
+: 2
+Set variable with a 'key:value' format:
+ansible_password:this-Is-An0th3r-paSsw0rd
 ```
 
-Ansible Vault decrypted variable output:
+Ansible Vault encrypted variable output:
 
 ```shell
-Vault password: my-Gl0bal-Passw0rd
-localhost | SUCCESS => {
-    "ansible_password": "this-Is-Som3-paSsw0rd"
-}
+New Vault password: my-Gl0bal-Passw0rd
+Confirm New Vault password: my-Gl0bal-Passw0rd
+ok: [localhost] =>
+  encrypted_variable.stdout: |-
+    ansible_password: !vault |
+              $ANSIBLE_VAULT;1.1;AES256
+              62623461303137663165333062663339623431353335396633623538353136336263366638666665
+              6432626166383863396434303330356136366231623337350a336538336438373834343836643630
+              66353062303735316639313962666661323266613165313865393163386534656165393333306632
+              3630366333363764380a626339363632306438333063646238336634323535393233366539643662
+              36323730346430623433373034623734383766316330333138633862353530366238
 ```
 
-Example of `notify_url` variable decryption, with `ansible` command:
+### Decryption
+
+The variables can be decrypted and visualized with the [Vault](/k3s-cluster/wiki/guide/playbooks/vault) playbook:
 
 ```shell
-ansible localhost --ask-vault-pass -m debug \
-  -a 'var=kured_vars.kubernetes.configuration.slack.notify_url' \
-  -e '@roles/kured/defaults/main.yaml'
+ansible-playbook --ask-vault-pass vault.yaml
+Vault password: my-Gl0bal-Passw0rd
+Select an action to perform:
+ 1) List encrypted role variables
+ 2) Encrypt role variable
+ 3) Update global password
+: 1
 ```
 
-Ansible Vault decrypted variable output:
+Ansible Vault decrypted variables output:
 
 ```shell
-Vault password: my-Gl0bal-Passw0rd
-localhost | SUCCESS => {
-    "kured_vars.kubernetes.configuration.slack.notify_url": "slack://token"
-}
+ok: [localhost] =>
+  encrypted_variables:
+  - ansible_password: this-Is-An0th3r-paSsw0rd
 ```
 
 ### Playbook Usage

diff --git a/k3s-cluster/content/wiki/guide/playbooks/vault.md b/k3s-cluster/content/wiki/guide/playbooks/vault.md
@@ -0,0 +1,25 @@
+---
+title: Vault
+prev: /wiki/guide/playbooks
+---
+
+The playbook allows the end-user to perform various Ansible Vault related tasks, like listing currently encrypted role variables, encryption of a specific role variable and update of Ansible Vault global password.
+
+<!--more-->
+
+{{< callout type="info" >}}
+  Refer to the Ansible [tutorial](/k3s-cluster/tutorials/handbook/ansible), for usage of encrypted variables and files.
+{{< /callout >}}
+
+## Execution
+
+Example of playbook execution, using the Ansible Vault global password:
+
+```shell
+ansible-playbook --ask-vault-pass vault.yaml
+```
+
+Ansible Vault global password prompt:
+
+```shell
+Vault password: my-Gl0bal-Passw0rd