Can ansible vault encrypt values in plugin configuration files? - ansible

I'm writing a dynamic inventory plugin for ansible which pulls off device info from an API and adds it to the inventory. To configure my plugin, I need a username and password for the service which I retrieve from my plugin configuration yaml file
plugin_conf.yaml:
plugin: my_inventory_plugin
host_location: api.example.com
port: 443
user: some_user
password: some_pass
Since storing credentials in a file under version control is bad, does ansible vault support capabilities to encrypt values stored in a plugin configuration file?
i.e can the user of my plugin do something like
plugin: my_inventory_plugin
host_location: api.example.com
port: 443
user: !vault|
$FOO;1.1;AES256
blah blah
password: !vault|
$BAR;1.1;AES256
something else
and regardless if they use insecure plaintext or the ansible vault, my plugin can still get the values using the self.get_option('user') method?

I tested it out myself and the answer is yes.
If the user encrypts a string using ansible vault setting the name of the secret using -n, they can use the variable name into my config file. There are no special handling cases required in my plugin to handle plaintext credentials or ansible vault credentials.

Related

How to build Ansible Playbook without username/password

I am new to Ansible and started learning and working on Ansible Playboks especially on network automation. Part of our hosting infra, inorder to login to any device we have default script runs to ssh into the device, something like goto . Hence no need to give any username and password, it directly logs into the device.
How we can include this customization in Ansible playbook without using any username or password.
Ansible supports using ssh keys.
Confirm that you can connect using SSH to all the nodes in your inventory using the same username. If necessary, add your public SSH key to the authorized_keys file on those systems.
Refer to documentation here
Also, it is a good idea to read the 'getting started' page
You will still need to supply a Username, that the SSH Key belongs to:
Guide on Setting up an SSH key for a Linux User: Here
Once SSH Key is configured and Copied over to your Ansible Server:
Edit the Sudoers File on the Slave Node and set NOPASSWD for the user, that way your user won't be prompted for a password when you are duing Sudo Commands: Reference Here

USERAUTH fail with private key file for Github and Spring cloud config

I tried to use the method for using private key (that has passphrase and is added to ssh-agent from file) (according to this stack post):
spring:
cloud:
config:
server:
git:
uri: git#github.com-forApp:myorg/myrepo.git
search-paths: '{application}'
clone-on-start: true
private_key_file: ~/.ssh/id_rsa
but I keep getting
org.eclipse.jgit.api.errors.TransportException:
git#github.com:myorg/myrepo.git: USERAUTH fail
Do I have to do it exactly as doc says with pasting the key into config file or can one just point to the key file somehow?
EDIT
Actually it turns out that the private_key_file is not needed at all or ignored by Spring. But you need the ~/.ssh/config section pointing to private key to use:
Host github.com-forApp # used in spring uri
HostName github.com
User git
IdentityFile ~/.ssh/gitHubKey
I was able to replicate your behavior and resolved it with following. Let me know your thoughts.
USERAUTH fail is happening because you are not providing the passphrase for the RSA private key.(password for Basic Auth and passphrase for ssh private key)
spring:
cloud:
config:
server:
git:
uri: git#github.com:myorg/myrepo.git
search-paths: '{application}'
clone-on-start: true
passphrase: myprivatekeypassword
By default ~/.ssh/id_rsa is sent during GIT SSH Authentication(Test with command ssh -vT git#github.com. You don't need to specify it in configuration. Also, I am not sure whether private_key_file works or not, since I don't see any official documentation for it.
If you have different named RSA file under .ssh then I would advise to create config file under ~/.ssh/config with github host details and identify file.
Here is one example.
Host github.com
IdentityFile ~/.ssh/mygitid_rsa
Check this stack answer for more details which desired the configuration providing private key file path within config.

Ansible connectivity from Control Host to Remote Host : Alternate to Passwordless SSH

We are in the midway of implementing Ansible CI for app deployment. For connecting the Remote host from Control Host , we used passwordless SSH authentication (by adding SSH key to authorized_keys).
But with recent changes, Unix team not allowing this any more on higher env as corporate unix policy. So have to use the password way.
The user with which Ansible running & connecting to Remote machine is a sudo user & does not have a password for itself.
So in this case, how do we connect from Control Host to Remote host, without the SSH key?
while running the ansible playbook we get an option to provide the user using which we can do ssh --user . Also the same configuration can be achieved by providing the configuration in the inventory file.
ansible_user=<user_name>
For password you can use vault
I am editing the answer to provide info that we can use other user than the one with which ansible is installed. You can create a new user which has password or passwordless authentication setup.
Hope so this helps.
Cheers,
Yash

Unable to connect to AWS instance even after manually adding in public key to authorized_keys

I am unable to run an ansible-playbook or use ansible ping on a AWS instance. However, I can ssh into the instance with no problem. My hosts file is this:
[instance]
xx.xx.xxx.xxx ansible_ssh_user=ubuntu ansible_ssh_private_key_file=/home/josh/Ansible/Amazon/AWS.pem
Should I not use a direct path. I am trying to use ansible to install apache onto the server. In my security group in the AWS console, I allowed all incoming ssh traffic in port 22, and ansi
service: name=apache2 state=started`ble tries to ssh through port 22 so that should not be the problem. Is there some crucial idea behind sshing into instances that I didn't catch onto to. I tried following this post: Ansible AWS: Unable to connect to EC2 instance but to no avail.
make sure inside ansible.cfg ***
private_key_file = path of private key(server-private-key)
and in host machine don't change default authorized_keys file ,better way is create one user, for that user create .ssh directory and then inside create a file called authorized_keys & paste your server-public key
$~/.ssh/authorized_keys
try: ansible-playbook yourplaybookname.yml --connection=local
ansible defaults to ssh

In Elasticsearch where to generate keystore and add authentication in readonlyrest plugin?

I am trying to add password authentication in my elasticsearch cluster using readonlyrest plugin. I installed the plugin successfully now i am trying to configure my configuration file(.yml file) but there In case 0 they are using a keystore see below
http.type: ssl_netty4
readonlyrest:
enable: true
ssl:
enable: true
keystore_file: "/elasticsearch/plugins/readonlyrest/keystore.jks"
keystore_pass: readonlyrest
key_pass: readonlyrest
Can anyone please tell me from where i can generate this keystore and also where is the username and password authentication parameters set in this plugin.
You can use Letsencrypt to generate a valid SSL certificate for free.
Use Letsencrypt's own tool called certbot
A Letsencrypt certificate works just fine in ReadonlyREST, but first you have to convert it into a JKS keystore.
Obtaining a JKS keystore from Letsencrypt certs is a common procedure: you would do the same if you want to use Letsencrypt with Tomcat. A very common, googleable use case.
PS: I will progressively release some detailed documentation in the following weeks on the official website.

Resources