Ansible: Move vault credentials into passage

2023-09-14 09:22:54 +02:00 · 2023-09-14 09:22:54 +02:00 · 8576c4b0e4
commit 8576c4b0e4
parent 5e2bedf89f
3 changed files with 5 additions and 151 deletions
--- a/.drone.yml
+++ b/.drone.yml
@ -14,7 +14,6 @@ trigger:
 environment:
  ANSIBLE_FORCE_COLOR: true
  ANSIBLE_HOME: /drone/src/.ansible
-  ANSIBLE_VAULT_PASSWORD_FILE: "/drone/src/vault_pass"
  SUMMON_PROVIDER: /drone/src/summon-wrapper
  PASSAGE_DIR: /drone/src/.passage/store
  PASSAGE_IDENTITIES_FILE: /drone/src/ssh_key
@ -27,16 +26,12 @@ steps:
    image: registry.tobiasmanske.de/ansible-runner:latest
    pull: always
    environment:
-      VAULT_PASS:
-        from_secret: vault_pass
      SSH_KEY:
        from_secret: ssh_key
      GIT_SSH_COMMAND: ssh -i /drone/src/ssh_key -o StrictHostKeyChecking=no
    commands:
-      - echo $${VAULT_PASS} > /drone/src/vault_pass
      - echo $${SSH_KEY} | base64 -d > /drone/src/ssh_key
      - chmod 600 /drone/src/ssh_key
-      - chmod 600 /drone/src/vault_pass
      - git clone ssh://git@git.tobiasmanske.de:7779/tobias/infrastructure-vault.git $${PASSAGE_DIR}
  - name: Prepare Runner
    image: registry.tobiasmanske.de/ansible-runner:latest
@ -45,7 +40,7 @@ steps:
      - cd ansible
      - mkdir $ANSIBLE_HOME
      - ansible-galaxy install -r requirements.yaml
-      - ansible-playbook --private-key ../ssh_key --inventory=inventory.yaml runner-pre.yaml
+      - summon ansible-playbook --private-key ../ssh_key --inventory=inventory.yaml runner-pre.yaml
  - name: Run Terraform
    image: registry.tobiasmanske.de/terraform-runner:latest
    pull: always
@ -58,7 +53,7 @@ steps:
    pull: always
    commands:
      - cd ansible
-      - ansible-playbook --private-key ../ssh_key --inventory=inventory.yaml playbook.yaml
+      - summon ansible-playbook --private-key ../ssh_key --inventory=inventory.yaml playbook.yaml
  - name: Validate Ansible
    image: registry.tobiasmanske.de/ansible-runner:latest
    pull: always
@ -68,7 +63,7 @@ steps:
    commands:
      - cd ansible
      - ansible-galaxy install -r requirements.yaml
-      - ansible-playbook --check --private-key ../ssh_key --inventory=inventory.yaml playbook.yaml
+      - summon ansible-playbook --check --private-key ../ssh_key --inventory=inventory.yaml playbook.yaml

 image_pull_secrets:
  - registry
--- a/ansible/secrets.yml
+++ b/ansible/secrets.yml
@ -0,0 +1,2 @@
+---
+ANSIBLE_VAULT_PASSWORD_FILE: !file:var ansible/vault
--- a/ansible/vault-keyring-client
+++ b/ansible/vault-keyring-client
@ -1,143 +0,0 @@
-#!/usr/bin/env python
-# -*- coding: utf-8 -*-
-# (c) 2014, Matt Martz <matt@sivel.net>
-# (c) 2016, Justin Mayer <https://justinmayer.com/>
-#
-# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
-#
-# =============================================================================
-#
-# This script is to be used with ansible-vault's --vault-id arg
-# to retrieve the vault password via your OS's native keyring application.
-#
-# This file *MUST* be saved with executable permissions. Otherwise, Ansible
-# will try to parse as a password file and display: "ERROR! Decryption failed"
-#
-# The `keyring` Python module is required: https://pypi.org/project/keyring/
-#
-# By default, this script will store the specified password in the keyring of
-# the user that invokes the script. To specify a user keyring, add a [vault]
-# section to your ansible.cfg file with a 'username' option. Example:
-#
-# [vault]
-# username = 'ansible-vault'
-#
-# In useage like:
-#
-#    ansible-vault --vault-id keyring_id@contrib/vault/vault-keyring-client.py view some_encrypted_file
-#
-#  --vault-id will call this script like:
-#
-#     contrib/vault/vault-keyring-client.py --vault-id keyring_id
-#
-# That will retrieve the password from users keyring for the
-# keyring service 'keyring_id'. The equivalent of:
-#
-#      keyring get keyring_id $USER
-#
-# If no vault-id name is specified to ansible command line, the vault-keyring-client.py
-# script will be called without a '--vault-id' and will default to the keyring service 'ansible'
-# This is equivalent to:
-#
-#    keyring get ansible $USER
-#
-# You can configure the `vault_password_file` option in ansible.cfg:
-#
-# [defaults]
-# ...
-# vault_password_file = /path/to/vault-keyring-client.py
-# ...
-#
-# To set your password, `cd` to your project directory and run:
-#
-#   # will use default keyring service / vault-id of 'ansible'
-#   /path/to/vault-keyring-client.py --set
-#
-# or to specify the keyring service / vault-id of 'my_ansible_secret':
-#
-#  /path/to/vault-keyring-client.py --vault-id my_ansible_secret --set
-#
-# If you choose not to configure the path to `vault_password_file` in
-# ansible.cfg, your `ansible-playbook` command might look like:
-#
-# ansible-playbook --vault-id=keyring_id@/path/to/vault-keyring-client.py site.yml
-
-from __future__ import (absolute_import, division, print_function)
-__metaclass__ = type
-
-import argparse
-import sys
-import getpass
-import keyring
-from keyring.backends import SecretService
-
-from ansible.config.manager import ConfigManager, get_ini_config_value
-
-KEYNAME_UNKNOWN_RC = 2
-
-
-def build_arg_parser():
-    parser = argparse.ArgumentParser(description='Get a vault password from user keyring')
-
-    parser.add_argument('--vault-id', action='store', default=None,
-                        dest='vault_id',
-                        help='name of the vault secret to get from keyring')
-    parser.add_argument('--username', action='store', default=None,
-                        help='the username whose keyring is queried')
-    parser.add_argument('--set', action='store_true', default=False,
-                        dest='set_password',
-                        help='set the password instead of getting it')
-    return parser
-
-
-def main():
-    keyring.set_keyring(SecretService.Keyring())
-    # Set default values
-    username = getpass.getuser()
-    keyname = 'ansible'
-
-    # Try to load values from config if one exists
-    config = ConfigManager()
-    if config._config_file:
-        username = get_ini_config_value(
-            config._parsers[config._config_file],
-            dict(section='vault', key='username')
-        ) or username
-
-        keyname = get_ini_config_value(
-            config._parsers[config._config_file],
-            dict(section='vault', key='keyname')
-        ) or keyname
-
-    # Read values from command line (which override the previous if given)
-    arg_parser = build_arg_parser()
-    args = arg_parser.parse_args()
-
-    username = args.username or username
-    keyname = args.vault_id or keyname
-
-    if args.set_password:
-        intro = 'Storing password in "{}" user keyring using key name: {}\n'
-        sys.stdout.write(intro.format(username, keyname))
-        password = getpass.getpass()
-        confirm = getpass.getpass('Confirm password: ')
-        if password == confirm:
-            keyring.set_password(keyname, username, password)
-        else:
-            sys.stderr.write('Passwords do not match\n')
-            sys.exit(1)
-    else:
-        secret = keyring.get_password(keyname, username)
-        if secret is None:
-            sys.stderr.write('vault-keyring-client could not find key="%s" for user="%s" via backend="%s"\n' %
-                             (keyname, username, keyring.get_keyring().name))
-            sys.exit(KEYNAME_UNKNOWN_RC)
-
-        # print('secret: %s' % secret)
-        sys.stdout.write('%s\n' % secret)
-
-    sys.exit(0)
-
-
-if __name__ == '__main__':
-    main()