Appendix H. Encrypting Ansible password variables with ansible-vault

You can use ansible-vault to encrypt Ansible variables used to store passwords so they are not readable as plaintext. For example, in group_vars/all.yml the ceph_docker_registry_username and ceph_docker_registry_password variables can be set to Service Account credentials, or Customer Portal credentials. The Service Account is designed to be shared, but the Customer Portal password should be secured. In addition to encrypting ceph_docker_registry_password, you may also want to encrypt dashboard_admin_password and grafana_admin_password.

Prerequisites

  • A running Red Hat Ceph Storage cluster.
  • Access to the Ansible administration node.

Procedure

  1. Log in to the Ansible administration node.
  2. Change to the /usr/share/ceph-ansible/ directory:

    [admin@admin ~]$ cd /usr/share/ceph-ansible/
  3. Run ansible-vault and create a new vault password:

    Example

    [admin@admin ceph-ansible]$ ansible-vault encrypt_string --stdin-name 'ceph_docker_registry_password_vault'
    New Vault password:

  4. Re-enter the vault password to confirm it:

    Example

    [admin@admin ceph-ansible]$ ansible-vault encrypt_string --stdin-name 'ceph_docker_registry_password_vault'
    New Vault password:
    Confirm New Vault password:

  5. Enter the password to encrypt, then enter CTRL+D twice to complete the entry:

    Syntax

    ansible-vault encrypt_string --stdin-name 'ceph_docker_registry_password_vault'
    New Vault password:
    Confirm New Vault password:
    Reading plaintext input from stdin. (ctrl-d to end input)
    PASSWORD

    Replace PASSWORD with the password:

    Example

    [admin@admin ceph-ansible]$ ansible-vault encrypt_string --stdin-name 'ceph_docker_registry_password_vault'
    New Vault password:
    Confirm New Vault password:
    Reading plaintext input from stdin. (ctrl-d to end input)
    SecurePassword

    Do not hit enter after typing the password or it will include a new-line as a part of the password in the encrypted string.

  6. Take note of the output that begins with ceph_docker_registry_password_vault: !vault | and ends with a few lines of numbers, as it will be used in the next step:

    Example

    [admin@admin ceph-ansible]$ ansible-vault encrypt_string --stdin-name 'ceph_docker_registry_password_vault'
    New Vault password:
    Confirm New Vault password:
    Reading plaintext input from stdin. (ctrl-d to end input)
    SecurePasswordceph_docker_registry_password_vault: !vault |
              $ANSIBLE_VAULT;1.1;AES256
              38383639646166656130326666633262643836343930373836376331326437353032376165306234
              3161386334616632653530383231316631636462363761660a373338373334663434363865356633
              66383963323033303662333765383938353630623433346565363534636434643634336430643438
              6134306662646365370a343135316633303830653565633736303466636261326361333766613462
              39353365343137323163343937636464663534383234326531666139376561663532
    Encryption successful

    The output you need begins immediately after the password, without spaces or new lines.

  7. Open group_vars/all.yml for editing and paste the output from the previous step into the file:

    Example

    ceph_docker_registry_password_vault: !vault |
              $ANSIBLE_VAULT;1.1;AES256
              38383639646166656130326666633262643836343930373836376331326437353032376165306234
              3161386334616632653530383231316631636462363761660a373338373334663434363865356633
              66383963323033303662333765383938353630623433346565363534636434643634336430643438
              6134306662646365370a343135316633303830653565633736303466636261326361333766613462
              39353365343137323163343937636464663534383234326531666139376561663532

  8. Add a line below the encrypted password with the following:

    Example

    ceph_docker_registry_password: "{{ ceph_docker_registry_password_vault }}"

    Note

    Using two variables as seen above is required due to a bug in Ansible that breaks the string type when assigning the vault value directly to the Ansible variable.

  9. Configure Ansible to ask for the vault password when running ansible-playbook.

    1. Open /usr/share/ceph-ansible/ansible.cfg for editing and add the following line to the [defaults] section:

      ask_vault_pass = True
    2. Optionally, you can pass --ask-vault-pass every time you run ansible-playbook:

      Example

      [admin@admin ceph-ansible]$ ansible-playbook -v site.yml --ask-vault-pass

  10. Re-run site.yml or site-container.yml to ensure there are no errors related to the encrypted password.

    Example

    [admin@admin ceph-ansible]$ ansible-playbook -v site.yml -i hosts --ask-vault-pass

    The -i hosts option is only needed if you are not using the default Ansible inventory location of /etc/ansible/hosts.
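The vault string produced in step 6 and pasted in step 7 can be checked offline before the playbook is re-run. The following Python script is an added example and is not part of the Red Hat documentation or of ceph-ansible. It relies on the published layout of the Ansible Vault 1.1 format (a hex envelope holding the hex-encoded salt, HMAC-SHA256 and AES-256-CTR ciphertext, with keys derived by PBKDF2-HMAC-SHA256 over 10,000 iterations) and uses only the standard library, so it can parse a pasted blob and verify its HMAC against a candidate vault password without decrypting the secret. The sample blob is the one shown in step 6; the envelope built by build_envelope wraps constructed bytes rather than a real ciphertext (it exists only to exercise the check); the variable names scanned by plaintext_password_lines are the four named at the top of this appendix.

```python
"""Offline checks for Ansible Vault 1.1 strings in group_vars/all.yml (stdlib only)."""
import hashlib
import hmac
import re

HEADER = "$ANSIBLE_VAULT;1.1;AES256"
PBKDF2_ITERATIONS = 10000  # iteration count used by Ansible's VaultAES256
KEY_LEN, IV_LEN = 32, 16   # 80 derived bytes: AES key, HMAC key, CTR IV

# The blob printed in step 6 of this appendix (copied from the page, not re-encrypted here).
PAGE_BLOB = """
ceph_docker_registry_password_vault: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          38383639646166656130326666633262643836343930373836376331326437353032376165306234
          3161386334616632653530383231316631636462363761660a373338373334663434363865356633
          66383963323033303662333765383938353630623433346565363534636434643634336430643438
          6134306662646365370a343135316633303830653565633736303466636261326361333766613462
          39353365343137323163343937636464663534383234326531666139376561663532
"""


def parse_vault_string(text: str) -> dict:
    """Split a pasted !vault block into its salt, HMAC and ciphertext bytes."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    if lines and lines[0].endswith("!vault |"):   # tolerate the "name: !vault |" line
        lines = lines[1:]
    if not lines or lines[0] != HEADER:
        raise ValueError("not an Ansible Vault 1.1 AES256 string")
    # Body is hex of "salt_hex\nhmac_hex\nciphertext_hex".
    inner = bytes.fromhex("".join(lines[1:]))
    parts = inner.split(b"\n")
    if len(parts) != 3:
        raise ValueError("vault body does not contain salt/hmac/ciphertext")
    salt, mac, ct = (bytes.fromhex(p.decode("ascii")) for p in parts)
    if len(salt) != 32 or len(mac) != 32:
        raise ValueError("unexpected salt or HMAC length")
    return {"salt": salt, "hmac": mac, "ciphertext": ct}


def derive_hmac_key(password: str, salt: bytes) -> bytes:
    """The second 32-byte slice of the 80-byte PBKDF2 output is the HMAC key."""
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                  PBKDF2_ITERATIONS, dklen=2 * KEY_LEN + IV_LEN)
    return derived[KEY_LEN:2 * KEY_LEN]


def vault_password_matches(text: str, password: str) -> bool:
    """True when the envelope's HMAC verifies under `password`: intact and right password."""
    v = parse_vault_string(text)
    expected = hmac.new(derive_hmac_key(password, v["salt"]), v["ciphertext"],
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, v["hmac"])


def build_envelope(salt: bytes, ciphertext: bytes, password: str) -> str:
    """Wrap an already-encrypted ciphertext in a 1.1 envelope (used here with constructed bytes)."""
    mac = hmac.new(derive_hmac_key(password, salt), ciphertext, hashlib.sha256).digest()
    inner = b"\n".join(p.hex().encode() for p in (salt, mac, ciphertext)).hex()
    body = "\n".join(inner[i:i + 80] for i in range(0, len(inner), 80))  # 80-column lines
    return HEADER + "\n" + body


# The password variables this appendix says should not remain in plaintext.
PLAINTEXT_RE = re.compile(
    r"^\s*(ceph_docker_registry_password|dashboard_admin_password|grafana_admin_password)\s*:\s*(.*)$")


def plaintext_password_lines(group_vars_text: str) -> list:
    """Return (line_no, name) for password variables set to a literal instead of a vault reference."""
    findings = []
    for n, line in enumerate(group_vars_text.splitlines(), 1):
        m = PLAINTEXT_RE.match(line)
        if not m:
            continue
        value = m.group(2).strip()
        if value.startswith("!vault") or "{{" in value:   # vault tag or "{{ ..._vault }}" reference
            continue
        findings.append((n, m.group(1)))
    return findings


if __name__ == "__main__":
    v = parse_vault_string(PAGE_BLOB)
    print("salt %d bytes, hmac %d bytes, ciphertext %d bytes" % (len(v["salt"]), len(v["hmac"]), len(v["ciphertext"])))
    env = build_envelope(bytes(range(32)), bytes(range(100, 132)), "constructed-vault-pass")
    print("verifies with right password:", vault_password_matches(env, "constructed-vault-pass"))
    print("verifies with wrong password:", vault_password_matches(env, "wrong"))
```

Run it against the real vault password to confirm that the blob pasted into group_vars/all.yml survived the copy intact (a dropped hex digit or a stray space will fail in parse_vault_string, and a wrong password fails the HMAC check); the plaintext_password_lines scan is a quick way to catch a password variable that was left as a literal after the vaulted one was added.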

Additional Resources