From d99fc2941b365f0a0efd17ee4d70b20cc0cb95ed Mon Sep 17 00:00:00 2001 From: Floren Munteanu Date: Sat, 15 Jun 2024 07:04:13 -0400 Subject: [PATCH 1/2] App vault playbook --- .../content/wiki/guide/playbooks/vault.md | 25 +++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 k3s-cluster/content/wiki/guide/playbooks/vault.md diff --git a/k3s-cluster/content/wiki/guide/playbooks/vault.md b/k3s-cluster/content/wiki/guide/playbooks/vault.md new file mode 100644 index 0000000..12d10ab --- /dev/null +++ b/k3s-cluster/content/wiki/guide/playbooks/vault.md @@ -0,0 +1,25 @@ +--- +title: Vault +prev: /wiki/guide/playbooks +--- + +The playbook allows the end-user to perform various Ansible Vault related tasks, like listing currently encrypted role variables, encryption of a specific role variable and update of Ansible Vault global password. + + + +{{< callout type="info" >}} + Refer to the Ansible [tutorial](/k3s-cluster/tutorials/handbook/ansible), for usage of encrypted variables and files. +{{< /callout >}} + +## Execution + +Example of playbook execution, using the Ansible Vault global password: + +```shell +ansible-playbook --ask-vault-pass vault.yaml +``` + +Ansible Vault global password prompt: + +```shell +Vault password: my-Gl0bal-Passw0rd From 31c7b6be3836cf995965be9c0c729e095b0ebf42 Mon Sep 17 00:00:00 2001 From: Floren Munteanu Date: Sat, 15 Jun 2024 07:04:36 -0400 Subject: [PATCH 2/2] Update vault documentation --- .../tutorials/handbook/ansible/_index.md | 74 +++++++++++-------- 1 file changed, 43 insertions(+), 31 deletions(-) diff --git a/k3s-cluster/content/tutorials/handbook/ansible/_index.md b/k3s-cluster/content/tutorials/handbook/ansible/_index.md index b6bf547..442f64b 100644 --- a/k3s-cluster/content/tutorials/handbook/ansible/_index.md +++ b/k3s-cluster/content/tutorials/handbook/ansible/_index.md 
@@ -21,7 +21,7 @@ This repository uses a global password for all encrypted settings, allowing the ### Encryption -Example of `ansible_password` variable encryption, with `ansible-vault` command: +Example of `ansible_password` variable encryption: ```shell ansible-vault encrypt_string 'this-Is-Som3-paSsw0rd' --name 'ansible_password' @@ -34,12 +34,12 @@ New Vault password: my-Gl0bal-Passw0rd Confirm New Vault password: my-Gl0bal-Passw0rd Encryption successful ansible_password: !vault | - $ANSIBLE_VAULT;1.1;AES256 - 32313062343462356565373964653464623266323538373864383063333232393833336163343436 - 3631326537313236613737353037393564623230353936380a643161633533626236376630353864 - 35323639343039386465363233303239386535376630656637346333643563613536366631373466 - 3461636432363861610a336232313535333433643737636236376236313334656138336335616262 - 36613833363662323261373266333565633430643639366435303061313039643637 + $ANSIBLE_VAULT;1.1;AES256 + 32313062343462356565373964653464623266323538373864383063333232393833336163343436 + 3631326537313236613737353037393564623230353936380a643161633533626236376630353864 + 35323639343039386465363233303239386535376630656637346333643563613536366631373466 + 3461636432363861610a336232313535333433643737636236376236313334656138336335616262 + 36613833363662323261373266333565633430643639366435303061313039643637 ``` {{< callout type="warning" >}} 
@@ -48,44 +48,56 @@ ansible_password: !vault | Insert the `ansible_password` encrypted output into [`all.yaml`](https://{{< param variables.repository.cluster >}}/blob/main/inventory/cluster/group_vars/all.yaml) configuration file, while respecting the output indentation. -### Decryption - -{{< callout type="info" >}} - The `@` symbol defined into `-e` (short definition for `--extra-vars`) option represents the `filename` root location. -{{< /callout >}} - -Example of `ansible_password` variable decryption, with `ansible` command: +Once all variables have been initially encrypted with the same global password, they can be updated with the [Vault](/k3s-cluster/wiki/guide/playbooks/vault) playbook: ```shell -ansible localhost --ask-vault-pass -m debug \ - -a 'var=ansible_password' \ - -e '@inventory/cluster/group_vars/all.yaml' +ansible-playbook --ask-vault-pass vault.yaml +Vault password: my-Gl0bal-Passw0rd +Select an action to perform: + 1) List encrypted role variables + 2) Encrypt role variable + 3) Update global password +: 2 +Set variable with a 'key:value' format: +ansible_password:this-Is-An0th3r-paSsw0rd ``` -Ansible Vault decrypted variable output: +Ansible Vault encrypted variable output: ```shell -Vault password: my-Gl0bal-Passw0rd -localhost | SUCCESS => { - "ansible_password": "this-Is-Som3-paSsw0rd" -} +New Vault password: my-Gl0bal-Passw0rd +Confirm New Vault password: my-Gl0bal-Passw0rd +ok: [localhost] => + encrypted_variable.stdout: |- + ansible_password: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 62623461303137663165333062663339623431353335396633623538353136336263366638666665 + 6432626166383863396434303330356136366231623337350a336538336438373834343836643630 + 66353062303735316639313962666661323266613165313865393163386534656165393333306632 + 3630366333363764380a626339363632306438333063646238336634323535393233366539643662 + 36323730346430623433373034623734383766316330333138633862353530366238 ``` -Example of `notify_url` variable decryption, with 
`ansible` command: +### Decryption + +The variables can be decrypted and visualized with the [Vault](/k3s-cluster/wiki/guide/playbooks/vault) playbook: ```shell -ansible localhost --ask-vault-pass -m debug \ - -a 'var=kured_vars.kubernetes.configuration.slack.notify_url' \ - -e '@roles/kured/defaults/main.yaml' +ansible-playbook --ask-vault-pass vault.yaml +Vault password: my-Gl0bal-Passw0rd +Select an action to perform: + 1) List encrypted role variables + 2) Encrypt role variable + 3) Update global password +: 1 ``` -Ansible Vault decrypted variable output: +Ansible Vault decrypted variables output: ```shell -Vault password: my-Gl0bal-Passw0rd -localhost | SUCCESS => { - "kured_vars.kubernetes.configuration.slack.notify_url": "slack://token" -} +ok: [localhost] => + encrypted_variables: + - ansible_password: this-Is-An0th3r-paSsw0rd ``` ### Playbook Usage
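Review bot: In patch 1/2 (`vault.md`, hunk `@@ -0,0 +1,25 @@`) the page names three capabilities (listing encrypted role variables, encrypting a variable, updating the global password) but never documents the interactive menu or what each action does; the only place the `1) List encrypted role variables` / `2) Encrypt role variable` / `3) Update global password` prompt appears is the handbook change in patch 2/2. Suggest adding a short "Actions" list to `vault.md` itself, stating for action 3 that re-keying only works when every variable was encrypted with the same global password (the handbook states this as a precondition), and noting the working directory `ansible-playbook --ask-vault-pass vault.yaml` is expected to be run from, since the path is relative. The double blank line before the `{{< callout type="info" >}}` block also looks unintended.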
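Review bot: Hunk `@@ -34,12 +34,12 @@` of patch 2/2 is a whitespace-only re-indentation of the `$ANSIBLE_VAULT;1.1;AES256` block, and the surrounding prose tells the reader to insert this output into `all.yaml` "while respecting the output indentation", so the new indentation must match what `ansible-vault encrypt_string ... --name 'ansible_password'` actually prints. Please confirm the block was pasted from real command output rather than hand-indented, otherwise readers copying it will produce a `!vault |` scalar whose continuation lines do not line up.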
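Review bot: In hunk `@@ -48,44 +48,56 @@` of patch 2/2 the new "Encrypt role variable" transcript shows the secret echoed in clear after the `Set variable with a 'key:value' format:` prompt (`ansible_password:this-Is-An0th3r-paSsw0rd`), and the "List encrypted role variables" output prints the decrypted value (`- ansible_password: this-Is-An0th3r-paSsw0rd`) to stdout. If the playbook uses `vars_prompt`, the secret prompt should be non-echoing (`private: yes`), and the listing action deserves a `{{< callout type="warning" >}}` that it writes plaintext secrets to the terminal and to any CI job log. Two further documentation gaps in the same hunk: the reader sees `Vault password:` followed later by `New Vault password:` / `Confirm New Vault password:` without an explanation that the first is `--ask-vault-pass` and the second pair comes from the encryption step, and the `encrypted_variable.stdout: |-` block does not say whether the playbook writes the result into `all.yaml` or the reader must still paste it in manually as the earlier paragraph instructs.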
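Review bot: The same hunk (`@@ -48,44 +48,56 @@`) drops the `ansible localhost --ask-vault-pass -m debug -a 'var=...' -e '@...'` examples, including the explanation of the `@` prefix in `-e` and the nested-variable case `kured_vars.kubernetes.configuration.slack.notify_url` from `roles/kured/defaults/main.yaml`. The replacement listing output only shows a top-level `ansible_password`, so it is no longer stated whether action 1 also surfaces nested role variables such as the `notify_url` one. Suggest either keeping one direct `ansible -m debug` example as a fallback for checking a single variable without the playbook, or adding a nested variable to the new listing output so the scope of "encrypted role variables" is clear.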