Appendix H. Encrypting Ansible password variables with ansible-vault

You can use ansible-vault to encrypt the Ansible variables that store passwords so they are not readable as plaintext. For example, in group_vars/all.yml the ceph_docker_registry_username and ceph_docker_registry_password variables can be set to Service Account credentials or to Customer Portal credentials. The Service Account is designed to be shared, but the Customer Portal password should be secured. In addition to encrypting ceph_docker_registry_password, you may also want to encrypt dashboard_admin_password and grafana_admin_password.
Prerequisites
- A running Red Hat Ceph Storage cluster.
- Access to the Ansible administration node.
Procedure
1. Log in to the Ansible administration node.
2. Change to the /usr/share/ceph-ansible/ directory:
   [admin@admin ~]$ cd /usr/share/ceph-ansible/
3. Run ansible-vault and create a new vault password:
   Example
   [admin@admin ceph-ansible]$ ansible-vault encrypt_string --stdin-name 'ceph_docker_registry_password_vault'
   New Vault password:
4. Re-enter the vault password to confirm it:
   Example
   [admin@admin ceph-ansible]$ ansible-vault encrypt_string --stdin-name 'ceph_docker_registry_password_vault'
   New Vault password:
   Confirm New Vault password:
5. Enter the password to encrypt, then press CTRL+D twice to complete the entry:
   Syntax
   ansible-vault encrypt_string --stdin-name 'ceph_docker_registry_password_vault'
   New Vault password:
   Confirm New Vault password:
   Reading plaintext input from stdin. (ctrl-d to end input)
   PASSWORD
   Replace PASSWORD with the password:
   Example
   [admin@admin ceph-ansible]$ ansible-vault encrypt_string --stdin-name 'ceph_docker_registry_password_vault'
   New Vault password:
   Confirm New Vault password:
   Reading plaintext input from stdin. (ctrl-d to end input)
   SecurePassword
   Do not press Enter after typing the password, or the encrypted string will include a newline as part of the password.
6. Take note of the output that begins with ceph_docker_registry_password_vault: !vault | and ends with a few lines of numbers, as it will be used in the next step:
   Example
   [admin@admin ceph-ansible]$ ansible-vault encrypt_string --stdin-name 'ceph_docker_registry_password_vault'
   New Vault password:
   Confirm New Vault password:
   Reading plaintext input from stdin. (ctrl-d to end input)
   SecurePasswordceph_docker_registry_password_vault: !vault |
             $ANSIBLE_VAULT;1.1;AES256
             38383639646166656130326666633262643836343930373836376331326437353032376165306234
             3161386334616632653530383231316631636462363761660a373338373334663434363865356633
             66383963323033303662333765383938353630623433346565363534636434643634336430643438
             6134306662646365370a343135316633303830653565633736303466636261326361333766613462
             39353365343137323163343937636464663534383234326531666139376561663532
   Encryption successful
   The output you need begins immediately after the password, without spaces or new lines.
7. Open group_vars/all.yml for editing and paste the output from above into the file:
   Example
   ceph_docker_registry_password_vault: !vault |
             $ANSIBLE_VAULT;1.1;AES256
             38383639646166656130326666633262643836343930373836376331326437353032376165306234
             3161386334616632653530383231316631636462363761660a373338373334663434363865356633
             66383963323033303662333765383938353630623433346565363534636434643634336430643438
             6134306662646365370a343135316633303830653565633736303466636261326361333766613462
             39353365343137323163343937636464663534383234326531666139376561663532
   Add a line below the encrypted password with the following:
   Example
   ceph_docker_registry_password: "{{ ceph_docker_registry_password_vault }}"
   Note: Using two variables as seen above is required due to a bug in Ansible that breaks the string type when assigning the vault value directly to the Ansible variable.
8. Configure Ansible to ask for the vault password when running ansible-playbook. Open /usr/share/ceph-ansible/ansible.cfg for editing and add the following line in the [defaults] section:
   ask_vault_pass = True
   Optionally, you can pass --ask-vault-pass every time you run ansible-playbook:
   Example
   [admin@admin ceph-ansible]$ ansible-playbook -v site.yml --ask-vault-pass
9. Re-run site.yml or site-container.yml to ensure there are no errors related to the encrypted password:
   Example
   [admin@admin ceph-ansible]$ ansible-playbook -v site.yml -i hosts --ask-vault-pass
   The -i hosts option is only needed if you are not using the default Ansible inventory location of /etc/ansible/hosts.
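As an added illustration, not part of the Red Hat documentation or of ceph-ansible, the following Python (standard library only) parses the envelope that ansible-vault encrypt_string produces, using the encrypted string shown in steps 6 and 7. It decrypts nothing, so no vault password is needed; it only shows what the block is made of and how the block layout lets a reviewer sanity-check a pasted value before re-running the playbook.

```python
from binascii import unhexlify

# The encrypted string from this appendix, as it looks once pasted into
# group_vars/all.yml (copied from the page above; not re-encrypted here).
PAGE_VAULT_STRING = """ceph_docker_registry_password_vault: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          38383639646166656130326666633262643836343930373836376331326437353032376165306234
          3161386334616632653530383231316631636462363761660a373338373334663434363865356633
          66383963323033303662333765383938353630623433346565363534636434643634336430643438
          6134306662646365370a343135316633303830653565633736303466636261326361333766613462
          39353365343137323163343937636464663534383234326531666139376561663532
"""


def parse_vault_string(text):
    """Split an ansible-vault 1.1 AES256 envelope into its parts.

    Layout: "$ANSIBLE_VAULT;<version>;<cipher>[;<vault-id>]" on the first
    line, then hex( hex(salt) + "\\n" + hex(hmac_sha256) + "\\n" + hex(ct) ).
    The salt feeds PBKDF2-HMAC-SHA256, the tag authenticates the ciphertext
    (encrypt-then-MAC), and ct is AES-256-CTR over PKCS7-padded plaintext,
    so its length is always a whole number of 16-byte blocks.
    """
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if lines and not lines[0].startswith("$ANSIBLE_VAULT"):
        lines = lines[1:]  # drop the "name: !vault |" YAML key line
    if not lines or not lines[0].startswith("$ANSIBLE_VAULT;"):
        raise ValueError("not an ansible-vault envelope")
    header = lines[0].split(";")
    version, cipher = header[1], header[2]
    vault_id = header[3] if len(header) > 3 else None
    inner = unhexlify("".join(lines[1:])).decode("ascii")
    parts = inner.split("\n")
    if len(parts) != 3:
        raise ValueError("expected salt, hmac and ciphertext fields")
    salt, tag, ct = (unhexlify(p) for p in parts)
    if cipher == "AES256":
        if len(salt) != 32 or len(tag) != 32:
            raise ValueError("salt and HMAC-SHA256 tag must be 32 bytes each")
        if len(ct) == 0 or len(ct) % 16:
            raise ValueError("AES ciphertext must be whole 16-byte blocks")
    return {"version": version, "cipher": cipher, "vault_id": vault_id,
            "salt": salt, "hmac": tag, "ciphertext": ct}


def plaintext_length_range(ciphertext):
    """Bounds on the secret's length implied by PKCS7 padding: the envelope
    hides the password but not its size to within one block, and a stray
    trailing newline (see step 5) is one more byte inside that block."""
    n = len(ciphertext)
    return (n - 16, n - 1)
```

A parse error on a value pasted into group_vars/all.yml usually means a line was lost or re-wrapped during copying; the playbook would fail later with a much less specific message.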
Additional Resources
- See Service Account information in Red Hat Container Registry Authentication