
Jenkins pipeline - referring to SSH keys in Ansible and Terraform

I have an Ansible playbook which refers to SSH key data for adding the public key to the authorized_host file when it is created; here is an extract.

  vars:
    vm1: 
      ssh_key_var: '{{ ssh_key_data }}'

  tasks:
      - name: Create VM
        azure_rm_virtualmachine:
          resource_group: '{{ resource_group1.name }}'
          name: '{{ vm1.name }}'
          vm_size: '{{ vm1.size }}'
          admin_username: '{{ vm1.admin_username }}'
          ssh_password_enabled: false
          ssh_public_keys:
            - path: '/home/{{ vm1.admin_username }}/.ssh/authorized_keys'
              key_data: '{{ vm1.ssh_key_var }}'
          network_interfaces: '{{ network_interface1.name }}'
          image: '{{ vm1.image }}'

Normally this is pretty straightforward - I'd run it on my laptop and have the key locally, maybe get the data referred to as a file.

I tried running the playbook with secret text in a Jenkins pipeline, using an environment variable from the secret text "AZURE_AUTHORIZED_KEY" for the public key, which I store in credentials:

   stage('Deploy server') {
        agent {
            docker { image 'my_ansible_container:latest' }
        }
        environment {
            AZURE_CLIENT_ID         = credentials('AZURE_CLIENT_ID_ANSIBLE')
            AZURE_SECRET            = credentials('AZURE_SECRET_ANSIBLE')
            AZURE_SUBSCRIPTION_ID   = credentials('AZURE_SUBSCRIPTION_ID_ANSIBLE')
            AZURE_TENANT            = credentials('AZURE_TENANT_ANSIBLE')
            AUTHORIZED_KEY          = credentials('AZURE_AUTHORIZED_KEY')
        }
        steps {
            // deploy server
            sh "ansible-playbook playbook.yml --extravars \"ssh_key_data=${AUTHORIZED_KEY}\""
        }
    }

When I add the public key as a var in the playbook it all works fine, but I don't want to store keys in the repo, even if they are public keys and it's a private repo.

When I import it as an env var it does not seem to take the value and 'cascade' it into the vars as expected. Anyone have a solution to this kind of problem - is my approach wrong?

Thanks

There was nothing wrong, except typing errors, and a bit with closing quotes also. Here is the syntax for those who may be interested. Note I am using this as an intermediate solution, as I want to move secrets out of Jenkins and into something like HashiCorp Vault.

I also renamed some of my env vars to be a bit more representative:

         }
        environment {
            AZURE_CLIENT_ID         = credentials('AZURE_CLIENT_ID_ANSIBLE')
            AZURE_SECRET            = credentials('AZURE_SECRET_ANSIBLE')
            AZURE_SUBSCRIPTION_ID   = credentials('AZURE_SUBSCRIPTION_ID_ANSIBLE')
            AZURE_TENANT            = credentials('AZURE_TENANT_ANSIBLE')
            AUTHORIZED_KEY          = credentials('AZURE_AUTHORIZED_KEY')
            AUTHORIZED_PASSWORD     = credentials('AZURE_AUTHORIZED_PASSWORD')
        }
        steps {
            // deploy a boot strap server
            sh "ansible-playbook playbook.yml \
                    --extra-var 'admin_password_var=${AUTHORIZED_PASSWORD}' \
                    --extra-var 'ssh_public_key_var=${AUTHORIZED_KEY}'"
        }

and an extract of the playbook

     vars: 
       vm1: 
         admin_password: '{{ admin_password_var }}'
         ssh_public_key: '{{ ssh_public_key_var }}'  

      - name: Create VM
        azure_rm_virtualmachine:
          resource_group: '{{ resource_group1.name }}'
          name: '{{ vm1.name }}'
          vm_size: '{{ vm1.size }}'
          admin_username: '{{ vm1.admin_username }}'
          admin_password: '{{ vm1.admin_password }}'
          ssh_password_enabled: false
          ssh_public_keys:
            - path: '/home/{{ vm1.admin_username }}/.ssh/authorized_keys'
              key_data: '{{ vm1.ssh_public_key }}'
          network_interfaces: '{{ network_interface1.name }}'
          image: '{{ vm1.image }}'

Note I have chosen variables that may appear duplicative, but I prefer the approach given it allows me to trace back the source and not get confused about which one is being used.

There may be other approaches, but this is a working one, and simple as well; which strikes me as an attractive combination!
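As an added example, not the poster's code: a POSIX sh script (deploy.sh, a name assumed here) that takes the same AUTHORIZED_KEY and AUTHORIZED_PASSWORD environment variables from the `environment {}` block and hands them to ansible-playbook through a mode-0600 extra-vars file rather than on the command line. That keeps the values out of `ps` output on the agent and out of the Groovy string itself (Jenkins warns when a credential is interpolated into a `"..."` sh step); the pipeline would call it as `sh './deploy.sh'` with single quotes so the shell, not Groovy, reads the variables.

```sh
#!/bin/sh
# Added example, not the poster's code. Writes the Ansible extra-vars file from
# the Jenkins credential environment variables, so the key and password are
# read from a private file instead of appearing in the ansible-playbook argv.

yaml_quote() {
    # Emit $1 as a YAML single-quoted scalar; the only escape needed is ' -> ''.
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/''/g")"
}

write_extra_vars() {
    # $1: output path. Reads AUTHORIZED_KEY and AUTHORIZED_PASSWORD from the
    # environment, the names used in the answer's environment {} block.
    out="$1"
    [ -n "$AUTHORIZED_KEY" ] || { echo "AUTHORIZED_KEY is not set" >&2; return 1; }
    [ -n "$AUTHORIZED_PASSWORD" ] || { echo "AUTHORIZED_PASSWORD is not set" >&2; return 1; }
    (
        umask 077          # new file gets mode 0600: build user only
        rm -f "$out"       # never reuse a file created with looser permissions
        {
            printf 'ssh_public_key_var: %s\n' "$(yaml_quote "$AUTHORIZED_KEY")"
            printf 'admin_password_var: %s\n' "$(yaml_quote "$AUTHORIZED_PASSWORD")"
        } > "$out"
    )
}

deploy() {
    # Write the vars file in the workspace, run the playbook, and remove the
    # file again even if ansible-playbook fails. The variable names match the
    # playbook extract above (ssh_public_key_var, admin_password_var).
    vars_file="${WORKSPACE:-.}/extra_vars.$$.yml"
    trap 'rm -f "$vars_file"' EXIT INT TERM
    write_extra_vars "$vars_file" || return 1
    ansible-playbook playbook.yml --extra-vars "@$vars_file"
}
```

`--extra-vars @file` accepts YAML or JSON, so nothing in the playbook changes; only the way the values reach it does.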
