Gossip encrypt secret for Consul make ansible deployments annoying #18

New Issue

Open

opened 2020-07-13 18:22:42 +00:00 by quentin · 1 comment

quentin commented

2020-07-13 18:22:42 +00:00

Owner

File roles/consul/vars/main.yml.sample must be copied to roles/consul/vars/main.yml
Secret must be filled either by dumping it from the live system or by creating a new one

We should find a better alternative or at least document it...

- File `roles/consul/vars/main.yml.sample` must be copied to `roles/consul/vars/main.yml` - Secret must be filled either by dumping it from the live system or by creating a new one We should find a better alternative or at least document it...

adrien commented

2020-07-14 07:01:16 +00:00

Owner

I use ansible-vault to encrypt a file in group_vars/all in my repo, it's a fine solution.

It's a YAML vars file you would fill like any other:

mysql_root_password: blablabla
nuke_password: lolilol

To encrypt it (ensure you do it before any commit):

ansible-vault encrypt group_vars/all/vault.yml
[...]
# You can also decrypt the file for edition
ansible-vault decrypt group_vars/all/vault.yml

When calling ansible-playbook, you need to add the --ask-vault-pass parameter. I admit that having to enter the vault password at each run is a pain in the ass, but it's safe and you can commit the secrets file.

I use `ansible-vault` to encrypt a file in `group_vars/all` in my repo, it's a fine solution. It's a YAML vars file you would fill like any other: ```YAML mysql_root_password: blablabla nuke_password: lolilol ``` To encrypt it (ensure you do it before any commit): ansible-vault encrypt group_vars/all/vault.yml [...] # You can also decrypt the file for edition ansible-vault decrypt group_vars/all/vault.yml When calling `ansible-playbook`, you need to add the `--ask-vault-pass` parameter. I admit that having to enter the vault password at each run is a pain in the ass, but it's safe and you can commit the secrets file.