refs #8025 Passbolt integration, README improved, ansible vault deleted, EE fixes

This commit is contained in:
Juan Ferrer 2024-10-02 13:20:37 +02:00
parent 8184838a8d
commit 5f7041dfbf
9 changed files with 112 additions and 57 deletions

4
.gitignore vendored
View File

@ -1,4 +1,6 @@
.vscode/ .vscode/
.vaultpass .vault-pass
.vault.yml
.passbolt.yml
venv venv
context/_build context/_build

View File

@ -2,24 +2,30 @@
Collection of Ansible playbooks used in the Verdnatura server farm. Collection of Ansible playbooks used in the Verdnatura server farm.
## Install Ansible ## Setup Ansible
Instal Ansible on Debian. Install Ansible on Debian.
``` ```
apt install ansible apt install ansible
``` ```
Install dependencies.
```
ansible-galaxy collection install -r collections/requirements.yml
```
Create Python virtual environment. Create Python virtual environment.
``` ```
python3 -m venv venv python3 -m venv venv
source venv/bin/activate source venv/bin/activate
pip install --upgrade pip ansible==10.1.0 ansible-builder==3.1.0 pip install --upgrade pip ansible==10.1.0 ansible-builder==3.1.0
pip install -r requirements.txt pip install -r requirements.txt
deactivate
```
Install dependencies.
```
ansible-galaxy collection install -r collections/requirements.yml
```
Before running any Ansible command, activate the Python virtual environment.
```
source venv/bin/activate
``` ```
## Run playbook ## Run playbook
@ -27,30 +33,52 @@ pip install -r requirements.txt
Before merging changes into protected branches, playbooks should be tested Before merging changes into protected branches, playbooks should be tested
locally to ensure they work properly. locally to ensure they work properly.
Launch playbook on the fly on a host not declared in the inventory. Run playbook on inventory host.
``` ```
ansible-playbook -i <ip_or_hostname>, [-t tag1,tag2] playbooks/test.yml ansible-playbook -i inventories/lab -l <host> [-t tag1,tag2...] playbooks/ping.yml
```
Run playbook on the fly on a host not declared in the inventory.
```
ansible-playbook -i <ip_or_hostname>, playbooks/ping.yml
``` ```
*Note the comma at the end of the hostname or IP.* *Note the comma at the end of the hostname or IP.*
## Manage vault ## Manage secrets
To manage Ansible vault place the password into *.vaultpass* file. Secrets can be managed by using Ansible vault or an external keystore, Passbolt
is used in this case. It is recommended to use an external keystore to avoid
publicly exposing the secrets, even if they are encrypted.
View or edit the vault file. When running playbooks that use any of the keystores mentioned above, the
*run-playbook.sh* script can be used, it is an ovelay over the original
*ansible-playbook* command which injects the necessary parameters.
### Ansible vault
To manage Ansible vault place the encryption password into *.vault-pass* file.
Manage the vault.
``` ```
ansible-vault {view,edit} --vault-pass-file .vaultpass vault.yml ansible-vault {view,edit,create} --vault-pass-file .vault-pass .vault.yml
``` ```
When running playbooks that use the vault the *vault-playbook.sh* script can > [!CAUTION]
be used, it is ovelay over the original *ansible-playbook* command. > The files used for the vault must only be used locally and
> under **no** circumstances can they be uploaded to the repository.
## Create execution environment ### Passbolt
Add the necessary environment variables to the *.passbolt.yml* file:
* https://galaxy.ansible.com/ui/repo/published/anatomicjc/passbolt/docs/
## Build execution environment for AWX
Create an image with *ansible-builder* and upload it to registry. Create an image with *ansible-builder* and upload it to registry.
``` ```
ansible-builder build --tag ansible-runner:vn1 ansible-builder build --tag awx-ee:vn1
``` ```
## Common playbooks ## Common playbooks
@ -65,6 +93,7 @@ ansible-builder build --tag ansible-runner:vn1
* https://docs.ansible.com/ansible/latest/reference_appendices/config.html * https://docs.ansible.com/ansible/latest/reference_appendices/config.html
* https://docs.ansible.com/ansible/latest/collections/ansible/builtin/gather_facts_module.html * https://docs.ansible.com/ansible/latest/collections/ansible/builtin/gather_facts_module.html
* https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_vars_facts.html * https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_vars_facts.html
* https://www.passbolt.com/blog/managing-secrets-in-ansible-using-passbolt * https://ansible.readthedocs.io/projects/builder/en/latest/
* https://galaxy.ansible.com/ui/repo/published/anatomicjc/passbolt/
* https://www.ansible.com/blog/introduction-to-ansible-builder/ * https://www.ansible.com/blog/introduction-to-ansible-builder/
* https://github.com/ansible/awx-ee/tree/devel
* https://www.passbolt.com/blog/managing-secrets-in-ansible-using-passbolt

View File

@ -1,8 +1,10 @@
ARG EE_BASE_IMAGE="quay.io/ansible/ansible-runner:latest" ARG EE_BASE_IMAGE="quay.io/centos/centos:stream9"
ARG PYCMD="/usr/bin/python3" ARG PYCMD="/usr/bin/python3.12"
ARG PYPKG="python3.12"
ARG PKGMGR_PRESERVE_CACHE="" ARG PKGMGR_PRESERVE_CACHE=""
ARG ANSIBLE_GALAXY_CLI_COLLECTION_OPTS="" ARG ANSIBLE_GALAXY_CLI_COLLECTION_OPTS=""
ARG ANSIBLE_GALAXY_CLI_ROLE_OPTS="" ARG ANSIBLE_GALAXY_CLI_ROLE_OPTS=""
ARG ANSIBLE_INSTALL_REFS="ansible-core>=2.17.0 ansible-runner==2.4.0"
ARG PKGMGR="/usr/bin/dnf" ARG PKGMGR="/usr/bin/dnf"
# Base build stage # Base build stage
@ -11,22 +13,28 @@ USER root
ENV PIP_BREAK_SYSTEM_PACKAGES=1 ENV PIP_BREAK_SYSTEM_PACKAGES=1
ARG EE_BASE_IMAGE ARG EE_BASE_IMAGE
ARG PYCMD ARG PYCMD
ARG PYPKG
ARG PKGMGR_PRESERVE_CACHE ARG PKGMGR_PRESERVE_CACHE
ARG ANSIBLE_GALAXY_CLI_COLLECTION_OPTS ARG ANSIBLE_GALAXY_CLI_COLLECTION_OPTS
ARG ANSIBLE_GALAXY_CLI_ROLE_OPTS ARG ANSIBLE_GALAXY_CLI_ROLE_OPTS
ARG ANSIBLE_INSTALL_REFS
ARG PKGMGR ARG PKGMGR
COPY _build/scripts/ /output/scripts/ COPY _build/scripts/ /output/scripts/
COPY _build/scripts/entrypoint /opt/builder/bin/entrypoint COPY _build/scripts/entrypoint /opt/builder/bin/entrypoint
RUN $PKGMGR install $PYPKG -y ; if [ -z $PKGMGR_PRESERVE_CACHE ]; then $PKGMGR clean all; fi
RUN /output/scripts/pip_install $PYCMD RUN /output/scripts/pip_install $PYCMD
RUN $PYCMD -m pip install --no-cache-dir $ANSIBLE_INSTALL_REFS
# Galaxy build stage # Galaxy build stage
FROM base as galaxy FROM base as galaxy
ARG EE_BASE_IMAGE ARG EE_BASE_IMAGE
ARG PYCMD ARG PYCMD
ARG PYPKG
ARG PKGMGR_PRESERVE_CACHE ARG PKGMGR_PRESERVE_CACHE
ARG ANSIBLE_GALAXY_CLI_COLLECTION_OPTS ARG ANSIBLE_GALAXY_CLI_COLLECTION_OPTS
ARG ANSIBLE_GALAXY_CLI_ROLE_OPTS ARG ANSIBLE_GALAXY_CLI_ROLE_OPTS
ARG ANSIBLE_INSTALL_REFS
ARG PKGMGR ARG PKGMGR
RUN /output/scripts/check_galaxy RUN /output/scripts/check_galaxy
@ -43,9 +51,11 @@ ENV PIP_BREAK_SYSTEM_PACKAGES=1
WORKDIR /build WORKDIR /build
ARG EE_BASE_IMAGE ARG EE_BASE_IMAGE
ARG PYCMD ARG PYCMD
ARG PYPKG
ARG PKGMGR_PRESERVE_CACHE ARG PKGMGR_PRESERVE_CACHE
ARG ANSIBLE_GALAXY_CLI_COLLECTION_OPTS ARG ANSIBLE_GALAXY_CLI_COLLECTION_OPTS
ARG ANSIBLE_GALAXY_CLI_ROLE_OPTS ARG ANSIBLE_GALAXY_CLI_ROLE_OPTS
ARG ANSIBLE_INSTALL_REFS
ARG PKGMGR ARG PKGMGR
RUN $PYCMD -m pip install --no-cache-dir bindep pyyaml packaging RUN $PYCMD -m pip install --no-cache-dir bindep pyyaml packaging
@ -53,7 +63,8 @@ RUN $PYCMD -m pip install --no-cache-dir bindep pyyaml packaging
COPY --from=galaxy /usr/share/ansible /usr/share/ansible COPY --from=galaxy /usr/share/ansible /usr/share/ansible
COPY _build/requirements.txt requirements.txt COPY _build/requirements.txt requirements.txt
RUN $PYCMD /output/scripts/introspect.py introspect --user-pip=requirements.txt --write-bindep=/tmp/src/bindep.txt --write-pip=/tmp/src/requirements.txt COPY _build/bindep.txt bindep.txt
RUN $PYCMD /output/scripts/introspect.py introspect --user-pip=requirements.txt --user-bindep=bindep.txt --write-bindep=/tmp/src/bindep.txt --write-pip=/tmp/src/requirements.txt
RUN /output/scripts/assemble RUN /output/scripts/assemble
# Final build stage # Final build stage
@ -61,9 +72,11 @@ FROM base as final
ENV PIP_BREAK_SYSTEM_PACKAGES=1 ENV PIP_BREAK_SYSTEM_PACKAGES=1
ARG EE_BASE_IMAGE ARG EE_BASE_IMAGE
ARG PYCMD ARG PYCMD
ARG PYPKG
ARG PKGMGR_PRESERVE_CACHE ARG PKGMGR_PRESERVE_CACHE
ARG ANSIBLE_GALAXY_CLI_COLLECTION_OPTS ARG ANSIBLE_GALAXY_CLI_COLLECTION_OPTS
ARG ANSIBLE_GALAXY_CLI_ROLE_OPTS ARG ANSIBLE_GALAXY_CLI_ROLE_OPTS
ARG ANSIBLE_INSTALL_REFS
ARG PKGMGR ARG PKGMGR
RUN /output/scripts/check_ansible $PYCMD RUN /output/scripts/check_ansible $PYCMD

View File

@ -1,4 +1,33 @@
version: 3 version: 3
images:
base_image:
name: quay.io/centos/centos:stream9
dependencies: dependencies:
galaxy: collections/requirements.yml
python: requirements.txt python: requirements.txt
galaxy: collections/requirements.yml
python_interpreter:
package_system: python3.12
python_path: /usr/bin/python3.12
ansible_core:
package_pip: ansible-core>=2.17.0
ansible_runner:
package_pip: ansible-runner==2.4.0
system: |
git-core [platform:rpm]
python3.11-devel [platform:rpm compile]
libcurl-devel [platform:rpm compile]
krb5-devel [platform:rpm compile]
krb5-workstation [platform:rpm]
subversion [platform:rpm]
subversion [platform:dpkg]
git-lfs [platform:rpm]
sshpass [platform:rpm]
rsync [platform:rpm]
epel-release [platform:rpm]
unzip [platform:rpm]
podman-remote [platform:rpm]
cmake [platform:rpm compile]
gcc [platform:rpm compile]
gcc-c++ [platform:rpm compile]
make [platform:rpm compile]
openssl-devel [platform:rpm compile]

View File

@ -1,6 +1,5 @@
- name: Configure base Debian host - name: Configure base Debian host
hosts: all hosts: all
vars_files: ../vault.yml
tasks: tasks:
- name: Configure virtual machine or host - name: Configure virtual machine or host
import_role: import_role:

View File

@ -5,6 +5,5 @@
passbolt: 'anatomicjc.passbolt.passbolt' passbolt: 'anatomicjc.passbolt.passbolt'
passbolt_inventory: 'anatomicjc.passbolt.passbolt_inventory' passbolt_inventory: 'anatomicjc.passbolt.passbolt_inventory'
tasks: tasks:
- name: Print password - debug:
debug: msg: "Password: {{ lookup(passbolt, 'test').password }}"
msg: "Variable: {{ lookup(passbolt, 'test') }}"

13
run-playbook.sh Executable file
View File

@ -0,0 +1,13 @@
#!/bin/bash
EXTRA_ARGS=()
if [ -f .passbolt.yml ]; then
EXTRA_ARGS+=("--extra-vars" "@.passbolt.yml")
fi
if [ -f .vaultpass ]; then
EXTRA_ARGS+=("--vault-password-file" ".vaultpass")
fi
export PYTHONPATH=./venv/lib/python3.12/site-packages/
ansible-playbook ${EXTRA_ARGS[@]} $@

View File

@ -1,3 +0,0 @@
#!/bin/bash
export PYTHONPATH=./venv/lib/python3.12/site-packages/
ansible-playbook --vault-password-file .vaultpass $@

View File

@ -1,26 +0,0 @@
$ANSIBLE_VAULT;1.1;AES256
37396535616365346266643936343463336564303066356131363064633436353763343735666563
3234623639383039393735346632636163623435313965660a363363386637666261626661336333
39643436663965383239323435613339323766623630633430343465313038643235636666343938
3531636532613661650a336631666138306166346363333534613436396565343161623838363132
30643532636332356630306563336165663266663237326262336533363665653230393332623134
63626333303134346435666231386361643137636132383236373937636235326132666230306362
36363136653963366235626239656339663736393636663136656164393031323663623463393438
63646635343462363332636531323634623930643737333430613666366335303362323764363533
39336533366466633132383438633063616564623862366263376638323138623363656164343635
64346437646435383137313162656237303436343839366261633935613735316166376466616635
61616132626539656633353032663932653730633365633331313330323932653465656634383334
64633634326462316164316130373334666365643936646634333032326465373131656161646234
30376135613534303533326133383661353235343034356466333961396237373937353137373735
32373633396438313133663839373663656139346163386336373265356265613038646633386334
37353331373332373636346166333639343936633464663335653762386431376632613430363666
66636139663662633861643733306238646335353664636265623464393163343462326239613662
63633236326161643838353931646566323236326636376331663463333664636566666462303063
31303436356164623234346362386633633633623230366366393839376239636533636564666663
39663034373664663063656561306132383734646263656464626432633963396638363362396664
37303038373038346536613235333237613435663632656334643334326232396336653035326162
63663637306531373030643962386339393263653262363037626538386132353363663761363138
62663532313862396339653364306533326639333139336636343762373038333838313762393431
34386239303765653930306334393339383234303137346461633231353637326137353964613832
61353035353539633334333337346665383937346566396438306465336337366661323435616133
37643932306265633465643430636662653865313661663331316662303861356466