refs #8025 Passbolt integration, README improved, ansible vault deleted, EE fixes
parent 8184838a8d
commit 5f7041dfbf
@ -1,4 +1,6 @@
|
||||||
.vscode/
|
.vscode/
|
||||||
.vaultpass
|
.vault-pass
|
||||||
|
.vault.yml
|
||||||
|
.passbolt.yml
|
||||||
venv
|
venv
|
||||||
context/_build
|
context/_build
|
||||||
|
|
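Review bot: `.vaultpass` is dropped from the ignore list in favour of `.vault-pass`, but the new run-playbook.sh added in this same commit still tests for and passes `.vaultpass`, so a password file created under the name the script expects is no longer ignored and can be committed by accident. Keep both patterns, or better, rename the two references in the script to `.vault-pass` so the README, the ignore list and the script agree on one name.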
67
README.md
67
README.md
|
@ -2,24 +2,30 @@
|
||||||
|
|
||||||
Collection of Ansible playbooks used in the Verdnatura server farm.
|
Collection of Ansible playbooks used in the Verdnatura server farm.
|
||||||
|
|
||||||
## Install Ansible
|
## Setup Ansible
|
||||||
|
|
||||||
Instal Ansible on Debian.
|
Install Ansible on Debian.
|
||||||
```
|
```
|
||||||
apt install ansible
|
apt install ansible
|
||||||
```
|
```
|
||||||
|
|
||||||
Install dependencies.
|
|
||||||
```
|
|
||||||
ansible-galaxy collection install -r collections/requirements.yml
|
|
||||||
```
|
|
||||||
|
|
||||||
Create Python virtual environment.
|
Create Python virtual environment.
|
||||||
```
|
```
|
||||||
python3 -m venv venv
|
python3 -m venv venv
|
||||||
source venv/bin/activate
|
source venv/bin/activate
|
||||||
pip install --upgrade pip ansible==10.1.0 ansible-builder==3.1.0
|
pip install --upgrade pip ansible==10.1.0 ansible-builder==3.1.0
|
||||||
pip install -r requirements.txt
|
pip install -r requirements.txt
|
||||||
|
deactivate
|
||||||
|
```
|
||||||
|
|
||||||
|
Install dependencies.
|
||||||
|
```
|
||||||
|
ansible-galaxy collection install -r collections/requirements.yml
|
||||||
|
```
|
||||||
|
|
||||||
|
Before running any Ansible command, activate the Python virtual environment.
|
||||||
|
```
|
||||||
|
source venv/bin/activate
|
||||||
```
|
```
|
||||||
|
|
||||||
## Run playbook
|
## Run playbook
|
||||||
|
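Review bot: the section now installs Ansible twice, `apt install ansible` at system level and then `ansible==10.1.0` into the venv. Once the venv is activated the pip build shadows the apt one, and the two are unlikely to be the same release, so readers may test playbooks with a different core than the one pinned for the EE. Drop the apt step, or state that it is only needed for `ansible-galaxy` before the venv exists. The `deactivate` added at the end of the venv block, followed immediately by "Before running any Ansible command, activate the Python virtual environment", also reads oddly; leaving the environment active after creation is simpler.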
@ -27,30 +33,52 @@ pip install -r requirements.txt
|
||||||
Before merging changes into protected branches, playbooks should be tested
|
Before merging changes into protected branches, playbooks should be tested
|
||||||
locally to ensure they work properly.
|
locally to ensure they work properly.
|
||||||
|
|
||||||
Launch playbook on the fly on a host not declared in the inventory.
|
Run playbook on inventory host.
|
||||||
```
|
```
|
||||||
ansible-playbook -i <ip_or_hostname>, [-t tag1,tag2] playbooks/test.yml
|
ansible-playbook -i inventories/lab -l <host> [-t tag1,tag2...] playbooks/ping.yml
|
||||||
|
```
|
||||||
|
|
||||||
|
Run playbook on the fly on a host not declared in the inventory.
|
||||||
|
```
|
||||||
|
ansible-playbook -i <ip_or_hostname>, playbooks/ping.yml
|
||||||
```
|
```
|
||||||
|
|
||||||
*Note the comma at the end of the hostname or IP.*
|
*Note the comma at the end of the hostname or IP.*
|
||||||
|
|
||||||
## Manage vault
|
## Manage secrets
|
||||||
|
|
||||||
To manage Ansible vault place the password into *.vaultpass* file.
|
Secrets can be managed by using Ansible vault or an external keystore, Passbolt
|
||||||
|
is used in this case. It is recommended to use an external keystore to avoid
|
||||||
|
publicly exposing the secrets, even if they are encrypted.
|
||||||
|
|
||||||
View or edit the vault file.
|
When running playbooks that use any of the keystores mentioned above, the
|
||||||
|
*run-playbook.sh* script can be used, it is an ovelay over the original
|
||||||
|
*ansible-playbook* command which injects the necessary parameters.
|
||||||
|
|
||||||
|
### Ansible vault
|
||||||
|
|
||||||
|
To manage Ansible vault place the encryption password into *.vault-pass* file.
|
||||||
|
|
||||||
|
Manage the vault.
|
||||||
```
|
```
|
||||||
ansible-vault {view,edit} --vault-pass-file .vaultpass vault.yml
|
ansible-vault {view,edit,create} --vault-pass-file .vault-pass .vault.yml
|
||||||
```
|
```
|
||||||
|
|
||||||
When running playbooks that use the vault the *vault-playbook.sh* script can
|
> [!CAUTION]
|
||||||
be used, it is ovelay over the original *ansible-playbook* command.
|
> The files used for the vault must only be used locally and
|
||||||
|
> under **no** circumstances can they be uploaded to the repository.
|
||||||
|
|
||||||
## Create execution environment
|
### Passbolt
|
||||||
|
|
||||||
|
Add the necessary environment variables to the *.passbolt.yml* file:
|
||||||
|
|
||||||
|
* https://galaxy.ansible.com/ui/repo/published/anatomicjc/passbolt/docs/
|
||||||
|
|
||||||
|
## Build execution environment for AWX
|
||||||
|
|
||||||
Create an image with *ansible-builder* and upload it to registry.
|
Create an image with *ansible-builder* and upload it to registry.
|
||||||
```
|
```
|
||||||
ansible-builder build --tag ansible-runner:vn1
|
ansible-builder build --tag awx-ee:vn1
|
||||||
```
|
```
|
||||||
|
|
||||||
## Common playbooks
|
## Common playbooks
|
||||||
|
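Review bot: the new CAUTION covers only the vault files, but `.passbolt.yml` is a credential file as well (it is what run-playbook.sh feeds to `--extra-vars`, and whatever lets the lookup authenticate to Passbolt lives in it), so it needs the same "never commit" warning, ideally right under the Passbolt heading. Two smaller points in the same region: the Passbolt section says to put "environment variables" in `.passbolt.yml`, while the script passes the file as extra vars, so say which mechanism the collection is expected to read them from; and "ovelay" in the run-playbook.sh paragraph should read "overlay".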
@ -65,6 +93,7 @@ ansible-builder build --tag ansible-runner:vn1
|
||||||
* https://docs.ansible.com/ansible/latest/reference_appendices/config.html
|
* https://docs.ansible.com/ansible/latest/reference_appendices/config.html
|
||||||
* https://docs.ansible.com/ansible/latest/collections/ansible/builtin/gather_facts_module.html
|
* https://docs.ansible.com/ansible/latest/collections/ansible/builtin/gather_facts_module.html
|
||||||
* https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_vars_facts.html
|
* https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_vars_facts.html
|
||||||
* https://www.passbolt.com/blog/managing-secrets-in-ansible-using-passbolt
|
* https://ansible.readthedocs.io/projects/builder/en/latest/
|
||||||
* https://galaxy.ansible.com/ui/repo/published/anatomicjc/passbolt/
|
|
||||||
* https://www.ansible.com/blog/introduction-to-ansible-builder/
|
* https://www.ansible.com/blog/introduction-to-ansible-builder/
|
||||||
|
* https://github.com/ansible/awx-ee/tree/devel
|
||||||
|
* https://www.passbolt.com/blog/managing-secrets-in-ansible-using-passbolt
|
||||||
|
|
|
@ -1,8 +1,10 @@
|
||||||
ARG EE_BASE_IMAGE="quay.io/ansible/ansible-runner:latest"
|
ARG EE_BASE_IMAGE="quay.io/centos/centos:stream9"
|
||||||
ARG PYCMD="/usr/bin/python3"
|
ARG PYCMD="/usr/bin/python3.12"
|
||||||
|
ARG PYPKG="python3.12"
|
||||||
ARG PKGMGR_PRESERVE_CACHE=""
|
ARG PKGMGR_PRESERVE_CACHE=""
|
||||||
ARG ANSIBLE_GALAXY_CLI_COLLECTION_OPTS=""
|
ARG ANSIBLE_GALAXY_CLI_COLLECTION_OPTS=""
|
||||||
ARG ANSIBLE_GALAXY_CLI_ROLE_OPTS=""
|
ARG ANSIBLE_GALAXY_CLI_ROLE_OPTS=""
|
||||||
|
ARG ANSIBLE_INSTALL_REFS="ansible-core>=2.17.0 ansible-runner==2.4.0"
|
||||||
ARG PKGMGR="/usr/bin/dnf"
|
ARG PKGMGR="/usr/bin/dnf"
|
||||||
|
|
||||||
# Base build stage
|
# Base build stage
|
||||||
|
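Review bot: `quay.io/centos/centos:stream9` is a floating tag just like the `ansible-runner:latest` it replaces, so two builds of the same commit can yield different images; pin the base by digest (`quay.io/centos/centos@sha256:<digest>`) in execution-environment.yml, or at least record the resolved digest with the build. The same applies to `ansible-core>=2.17.0` in `ANSIBLE_INSTALL_REFS`: an open lower bound means the EE gets whatever core is current on the day it is built, while `ansible-runner==2.4.0` on the same line is pinned exactly. Pin both.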
@ -11,22 +13,28 @@ USER root
|
||||||
ENV PIP_BREAK_SYSTEM_PACKAGES=1
|
ENV PIP_BREAK_SYSTEM_PACKAGES=1
|
||||||
ARG EE_BASE_IMAGE
|
ARG EE_BASE_IMAGE
|
||||||
ARG PYCMD
|
ARG PYCMD
|
||||||
|
ARG PYPKG
|
||||||
ARG PKGMGR_PRESERVE_CACHE
|
ARG PKGMGR_PRESERVE_CACHE
|
||||||
ARG ANSIBLE_GALAXY_CLI_COLLECTION_OPTS
|
ARG ANSIBLE_GALAXY_CLI_COLLECTION_OPTS
|
||||||
ARG ANSIBLE_GALAXY_CLI_ROLE_OPTS
|
ARG ANSIBLE_GALAXY_CLI_ROLE_OPTS
|
||||||
|
ARG ANSIBLE_INSTALL_REFS
|
||||||
ARG PKGMGR
|
ARG PKGMGR
|
||||||
|
|
||||||
COPY _build/scripts/ /output/scripts/
|
COPY _build/scripts/ /output/scripts/
|
||||||
COPY _build/scripts/entrypoint /opt/builder/bin/entrypoint
|
COPY _build/scripts/entrypoint /opt/builder/bin/entrypoint
|
||||||
|
RUN $PKGMGR install $PYPKG -y ; if [ -z $PKGMGR_PRESERVE_CACHE ]; then $PKGMGR clean all; fi
|
||||||
RUN /output/scripts/pip_install $PYCMD
|
RUN /output/scripts/pip_install $PYCMD
|
||||||
|
RUN $PYCMD -m pip install --no-cache-dir $ANSIBLE_INSTALL_REFS
|
||||||
|
|
||||||
# Galaxy build stage
|
# Galaxy build stage
|
||||||
FROM base as galaxy
|
FROM base as galaxy
|
||||||
ARG EE_BASE_IMAGE
|
ARG EE_BASE_IMAGE
|
||||||
ARG PYCMD
|
ARG PYCMD
|
||||||
|
ARG PYPKG
|
||||||
ARG PKGMGR_PRESERVE_CACHE
|
ARG PKGMGR_PRESERVE_CACHE
|
||||||
ARG ANSIBLE_GALAXY_CLI_COLLECTION_OPTS
|
ARG ANSIBLE_GALAXY_CLI_COLLECTION_OPTS
|
||||||
ARG ANSIBLE_GALAXY_CLI_ROLE_OPTS
|
ARG ANSIBLE_GALAXY_CLI_ROLE_OPTS
|
||||||
|
ARG ANSIBLE_INSTALL_REFS
|
||||||
ARG PKGMGR
|
ARG PKGMGR
|
||||||
|
|
||||||
RUN /output/scripts/check_galaxy
|
RUN /output/scripts/check_galaxy
|
||||||
|
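Review bot: in `RUN $PKGMGR install $PYPKG -y ; if [ -z $PKGMGR_PRESERVE_CACHE ]; then $PKGMGR clean all; fi` the `;` means a failed `dnf install` does not fail the layer: the RUN exits with the status of `dnf clean all`, so the build carries on and dies later at `pip_install $PYCMD` with no interpreter present, which is harder to diagnose. Use `&&` and quote `"$PKGMGR_PRESERVE_CACHE"` (the unquoted form only works because `[ -z ]` with a single argument happens to evaluate true). Note that this line matches what ansible-builder generates; if context/Containerfile is committed as the tool's output rather than maintained by hand, any fix here is overwritten on the next `ansible-builder build`, so decide which file is the source of truth and say so in the README.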
@ -43,9 +51,11 @@ ENV PIP_BREAK_SYSTEM_PACKAGES=1
|
||||||
WORKDIR /build
|
WORKDIR /build
|
||||||
ARG EE_BASE_IMAGE
|
ARG EE_BASE_IMAGE
|
||||||
ARG PYCMD
|
ARG PYCMD
|
||||||
|
ARG PYPKG
|
||||||
ARG PKGMGR_PRESERVE_CACHE
|
ARG PKGMGR_PRESERVE_CACHE
|
||||||
ARG ANSIBLE_GALAXY_CLI_COLLECTION_OPTS
|
ARG ANSIBLE_GALAXY_CLI_COLLECTION_OPTS
|
||||||
ARG ANSIBLE_GALAXY_CLI_ROLE_OPTS
|
ARG ANSIBLE_GALAXY_CLI_ROLE_OPTS
|
||||||
|
ARG ANSIBLE_INSTALL_REFS
|
||||||
ARG PKGMGR
|
ARG PKGMGR
|
||||||
|
|
||||||
RUN $PYCMD -m pip install --no-cache-dir bindep pyyaml packaging
|
RUN $PYCMD -m pip install --no-cache-dir bindep pyyaml packaging
|
||||||
|
@ -53,7 +63,8 @@ RUN $PYCMD -m pip install --no-cache-dir bindep pyyaml packaging
|
||||||
COPY --from=galaxy /usr/share/ansible /usr/share/ansible
|
COPY --from=galaxy /usr/share/ansible /usr/share/ansible
|
||||||
|
|
||||||
COPY _build/requirements.txt requirements.txt
|
COPY _build/requirements.txt requirements.txt
|
||||||
RUN $PYCMD /output/scripts/introspect.py introspect --user-pip=requirements.txt --write-bindep=/tmp/src/bindep.txt --write-pip=/tmp/src/requirements.txt
|
COPY _build/bindep.txt bindep.txt
|
||||||
|
RUN $PYCMD /output/scripts/introspect.py introspect --user-pip=requirements.txt --user-bindep=bindep.txt --write-bindep=/tmp/src/bindep.txt --write-pip=/tmp/src/requirements.txt
|
||||||
RUN /output/scripts/assemble
|
RUN /output/scripts/assemble
|
||||||
|
|
||||||
# Final build stage
|
# Final build stage
|
||||||
|
@ -61,9 +72,11 @@ FROM base as final
|
||||||
ENV PIP_BREAK_SYSTEM_PACKAGES=1
|
ENV PIP_BREAK_SYSTEM_PACKAGES=1
|
||||||
ARG EE_BASE_IMAGE
|
ARG EE_BASE_IMAGE
|
||||||
ARG PYCMD
|
ARG PYCMD
|
||||||
|
ARG PYPKG
|
||||||
ARG PKGMGR_PRESERVE_CACHE
|
ARG PKGMGR_PRESERVE_CACHE
|
||||||
ARG ANSIBLE_GALAXY_CLI_COLLECTION_OPTS
|
ARG ANSIBLE_GALAXY_CLI_COLLECTION_OPTS
|
||||||
ARG ANSIBLE_GALAXY_CLI_ROLE_OPTS
|
ARG ANSIBLE_GALAXY_CLI_ROLE_OPTS
|
||||||
|
ARG ANSIBLE_INSTALL_REFS
|
||||||
ARG PKGMGR
|
ARG PKGMGR
|
||||||
|
|
||||||
RUN /output/scripts/check_ansible $PYCMD
|
RUN /output/scripts/check_ansible $PYCMD
|
||||||
|
|
|
@ -1,4 +1,33 @@
|
||||||
version: 3
|
version: 3
|
||||||
|
images:
|
||||||
|
base_image:
|
||||||
|
name: quay.io/centos/centos:stream9
|
||||||
dependencies:
|
dependencies:
|
||||||
galaxy: collections/requirements.yml
|
|
||||||
python: requirements.txt
|
python: requirements.txt
|
||||||
|
galaxy: collections/requirements.yml
|
||||||
|
python_interpreter:
|
||||||
|
package_system: python3.12
|
||||||
|
python_path: /usr/bin/python3.12
|
||||||
|
ansible_core:
|
||||||
|
package_pip: ansible-core>=2.17.0
|
||||||
|
ansible_runner:
|
||||||
|
package_pip: ansible-runner==2.4.0
|
||||||
|
system: |
|
||||||
|
git-core [platform:rpm]
|
||||||
|
python3.11-devel [platform:rpm compile]
|
||||||
|
libcurl-devel [platform:rpm compile]
|
||||||
|
krb5-devel [platform:rpm compile]
|
||||||
|
krb5-workstation [platform:rpm]
|
||||||
|
subversion [platform:rpm]
|
||||||
|
subversion [platform:dpkg]
|
||||||
|
git-lfs [platform:rpm]
|
||||||
|
sshpass [platform:rpm]
|
||||||
|
rsync [platform:rpm]
|
||||||
|
epel-release [platform:rpm]
|
||||||
|
unzip [platform:rpm]
|
||||||
|
podman-remote [platform:rpm]
|
||||||
|
cmake [platform:rpm compile]
|
||||||
|
gcc [platform:rpm compile]
|
||||||
|
gcc-c++ [platform:rpm compile]
|
||||||
|
make [platform:rpm compile]
|
||||||
|
openssl-devel [platform:rpm compile]
|
||||||
|
|
|
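Review bot: `python3.11-devel [platform:rpm compile]` does not match the interpreter selected a few lines up (`package_system: python3.12`, `python_path: /usr/bin/python3.12`), so any requirement that compiles a C extension builds against the wrong headers or fails to find `Python.h` for 3.12; change it to `python3.12-devel`. Two smaller points: `subversion [platform:dpkg]` never applies on a CentOS Stream base and can go, and `epel-release` sits in the same `system:` list as everything else, so it is installed in the same `dnf` transaction and cannot enable EPEL for the other packages in this pass; if any of them is only in EPEL, it needs an earlier build step.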
@ -1,6 +1,5 @@
|
||||||
- name: Configure base Debian host
|
- name: Configure base Debian host
|
||||||
hosts: all
|
hosts: all
|
||||||
vars_files: ../vault.yml
|
|
||||||
tasks:
|
tasks:
|
||||||
- name: Configure virtual machine or host
|
- name: Configure virtual machine or host
|
||||||
import_role:
|
import_role:
|
||||||
|
|
|
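Review bot: dropping `vars_files: ../vault.yml` leaves nothing in this play, and nothing in run-playbook.sh (which only injects the vault password and `.passbolt.yml`), that loads the renamed `.vault.yml`, so any variable the imported role took from the vault is now undefined at run time. Either have run-playbook.sh add `--extra-vars @.vault.yml` when the file exists, or reference it from the play, and document the chosen path in the README's Ansible vault section.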
@ -5,6 +5,5 @@
|
||||||
passbolt: 'anatomicjc.passbolt.passbolt'
|
passbolt: 'anatomicjc.passbolt.passbolt'
|
||||||
passbolt_inventory: 'anatomicjc.passbolt.passbolt_inventory'
|
passbolt_inventory: 'anatomicjc.passbolt.passbolt_inventory'
|
||||||
tasks:
|
tasks:
|
||||||
- name: Print password
|
- debug:
|
||||||
debug:
|
msg: "Password: {{ lookup(passbolt, 'test').password }}"
|
||||||
msg: "Variable: {{ lookup(passbolt, 'test') }}"
|
|
||||||
|
|
|
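Review bot: `msg: "Password: {{ lookup(passbolt, 'test').password }}"` writes the Passbolt secret into the job output, which under AWX is stored and readable by anyone with job view rights; if this play is a connectivity test, print a non-secret field of the lookup result instead, or keep the task with `no_log: true`. The task also lost its `name:` (`- name: Print password` became a bare `- debug:`), which makes the run log harder to follow.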
@ -0,0 +1,13 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
EXTRA_ARGS=()
|
||||||
|
|
||||||
|
if [ -f .passbolt.yml ]; then
|
||||||
|
EXTRA_ARGS+=("--extra-vars" "@.passbolt.yml")
|
||||||
|
fi
|
||||||
|
if [ -f .vaultpass ]; then
|
||||||
|
EXTRA_ARGS+=("--vault-password-file" ".vaultpass")
|
||||||
|
fi
|
||||||
|
|
||||||
|
export PYTHONPATH=./venv/lib/python3.12/site-packages/
|
||||||
|
ansible-playbook ${EXTRA_ARGS[@]} $@
|
|
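Review bot: the script still looks for `.vaultpass` (`if [ -f .vaultpass ]` and `--vault-password-file ".vaultpass"`) while this same commit renames the file to `.vault-pass` in the README and the ignore list, so a user following the README never triggers the vault branch and `ansible-playbook` prompts or fails on encrypted vars. Rename both occurrences. Also quote the expansions, `ansible-playbook "${EXTRA_ARGS[@]}" "$@"`, otherwise arguments containing spaces (`-e 'key=some value'`, `-l 'host a,host b'`) are split into separate words. The hard-coded `export PYTHONPATH=./venv/lib/python3.12/site-packages/` assumes a 3.12 venv in the current directory and is redundant once the venv is activated as the README now instructs; drop it.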
@ -1,3 +0,0 @@
|
||||||
#!/bin/bash
|
|
||||||
export PYTHONPATH=./venv/lib/python3.12/site-packages/
|
|
||||||
ansible-playbook --vault-password-file .vaultpass $@
|
|
26
vault.yml
26
vault.yml
|
@ -1,26 +0,0 @@
|
||||||
$ANSIBLE_VAULT;1.1;AES256
|
|
||||||
37396535616365346266643936343463336564303066356131363064633436353763343735666563
|
|
||||||
3234623639383039393735346632636163623435313965660a363363386637666261626661336333
|
|
||||||
39643436663965383239323435613339323766623630633430343465313038643235636666343938
|
|
||||||
3531636532613661650a336631666138306166346363333534613436396565343161623838363132
|
|
||||||
30643532636332356630306563336165663266663237326262336533363665653230393332623134
|
|
||||||
63626333303134346435666231386361643137636132383236373937636235326132666230306362
|
|
||||||
36363136653963366235626239656339663736393636663136656164393031323663623463393438
|
|
||||||
63646635343462363332636531323634623930643737333430613666366335303362323764363533
|
|
||||||
39336533366466633132383438633063616564623862366263376638323138623363656164343635
|
|
||||||
64346437646435383137313162656237303436343839366261633935613735316166376466616635
|
|
||||||
61616132626539656633353032663932653730633365633331313330323932653465656634383334
|
|
||||||
64633634326462316164316130373334666365643936646634333032326465373131656161646234
|
|
||||||
30376135613534303533326133383661353235343034356466333961396237373937353137373735
|
|
||||||
32373633396438313133663839373663656139346163386336373265356265613038646633386334
|
|
||||||
37353331373332373636346166333639343936633464663335653762386431376632613430363666
|
|
||||||
66636139663662633861643733306238646335353664636265623464393163343462326239613662
|
|
||||||
63633236326161643838353931646566323236326636376331663463333664636566666462303063
|
|
||||||
31303436356164623234346362386633633633623230366366393839376239636533636564666663
|
|
||||||
39663034373664663063656561306132383734646263656464626432633963396638363362396664
|
|
||||||
37303038373038346536613235333237613435663632656334643334326232396336653035326162
|
|
||||||
63663637306531373030643962386339393263653262363037626538386132353363663761363138
|
|
||||||
62663532313862396339653364306533326639333139336636343762373038333838313762393431
|
|
||||||
34386239303765653930306334393339383234303137346461633231353637326137353964613832
|
|
||||||
61353035353539633334333337346665383937346566396438306465336337366661323435616133
|
|
||||||
37643932306265633465643430636662653865313661663331316662303861356466
|
|
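Review bot: deleting vault.yml from the tree does not remove it from history: the `$ANSIBLE_VAULT;1.1;AES256` blob remains in parent 8184838a8d and in every existing clone, so anyone who has, or later obtains, the old `.vaultpass` can still decrypt it. Treat every value it held as exposed: rotate those secrets and the vault password now that they have moved to Passbolt, and, given the README's own rationale that an encrypted vault in the repository still exposes the secrets, consider rewriting history as well. A line in the commit message recording that rotation was done would close the loop.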