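---
# Interactive helper play for the vault-encrypted secrets used by the cluster
# roles. It runs on the control host only and offers three actions: list the
# current secret values, encrypt a single new value, or re-encrypt every
# secret under a new vault password.
- name: Ansible Vault
  hosts: localhost
  connection: local
  gather_facts: false
  # Role defaults are loaded so the vault-encrypted values referenced below
  # resolve to their decrypted form.
  vars_files:
    - ./roles/argocd/defaults/main.yaml
    - ./roles/cloudflare/defaults/main.yaml
    - ./roles/cluster/defaults/main.yaml
    - ./roles/kured/defaults/main.yaml
    - ./roles/longhorn/defaults/main.yaml
    - ./roles/prometheus/defaults/main.yaml
  vars_prompt:
    - name: playbook_action
      # Literal block keeps the menu readable; the leading space on the
      # numbered lines is part of the prompt text.
      prompt: |
        Select an action to perform:
         1) List encrypted role variables
         2) Encrypt role variable
         3) Update global password
      private: false
  tasks:
    - name: Encrypted Role Variables
      when: playbook_action in ['1', '1)']
      block:
        - name: Set encrypted role variables fact
          ansible.builtin.set_fact:
            encrypted_variables:
              - ansible_password: '{{ ansible_password }}'
              - argocd_vars:
                  kubernetes:
                    server:
                      admin:
                        password: '{{ argocd_vars.kubernetes.server.admin.password }}'
                      user:
                        password: '{{ argocd_vars.kubernetes.server.user.password }}'
              - cloudflare_vars:
                  kubernetes:
                    api:
                      token:
                        value: '{{ cloudflare_vars.kubernetes.api.token.value }}'
              - cluster_vars:
                  service:
                    postfix:
                      user:
                        alias: '{{ cluster_vars.service.postfix.user.alias }}'
                        name: '{{ cluster_vars.service.postfix.user.name }}'
                        password: '{{ cluster_vars.service.postfix.user.password }}'
              - kured_vars:
                  kubernetes:
                    configuration:
                      slack:
                        notify_url: '{{ kured_vars.kubernetes.configuration.slack.notify_url }}'
              - longhorn_vars:
                  kubernetes:
                    default_settings:
                      backup:
                        user:
                          password: '{{ longhorn_vars.kubernetes.default_settings.backup.user.password }}'
              - prometheus_vars:
                  kubernetes:
                    grafana:
                      user:
                        password: '{{ prometheus_vars.kubernetes.grafana.user.password }}'
          no_log: true
        # Prints the decrypted secret values in the clear. Anything shown here
        # is also written to the Ansible log file when log_path is configured.
        - name: List encrypted role variables
          ansible.builtin.debug:
            var: encrypted_variables
    - name: Encrypt Role Variable
      when: playbook_action in ['2', '2)']
      block:
        # The typed input is echoed back by pause, so the plaintext value is
        # visible on the terminal at this point.
        - name: Set role variable key and value
          ansible.builtin.pause:
            prompt: Set variable with a 'key|value' format
          register: variable
        # Without a separator both "key" and "value" would resolve to the
        # whole input, silently encrypting the wrong thing.
        - name: Fail on input without a 'key|value' separator
          ansible.builtin.fail:
            msg: Input must use the 'key|value' format
          when: "'|' not in variable.user_input"
        # Split on the first '|' only, so a value that itself contains '|'
        # survives intact. The plaintext is handed to ansible-vault on stdin
        # rather than as a command-line argument, so it never appears in the
        # process list; stdin_add_newline is off to keep the value byte-exact.
        - name: Encrypt role variable
          ansible.builtin.command:
            cmd: ansible-vault encrypt_string --stdin-name {{ variable.user_input | split('|', 1) | first | quote }}
            stdin: "{{ variable.user_input | split('|', 1) | last }}"
            stdin_add_newline: false
          register: encrypted_variable
          changed_when: true
          no_log: true
        # Only the vault ciphertext is printed here.
        - name: List encrypted role variable
          ansible.builtin.debug:
            var: encrypted_variable.stdout
    - name: Global Password
      when: playbook_action in ['3', '3)']
      block:
        - name: Set new global password
          ansible.builtin.pause:
            prompt: Password
            echo: false
          register: password
        # The vault password file must be private to the invoking user
        # (0600, not 0644). copy overwrites any stale ./password left behind
        # by an earlier run instead of appending a second line to it.
        - name: Create password file
          ansible.builtin.copy:
            content: '{{ password.user_input }}'
            dest: ./password
            mode: '0600'
          no_log: true
        # Each item carries the variable name and its current decrypted value;
        # the value is what gets re-encrypted under the new vault password
        # (previously the loop passed the variable name itself as plaintext).
        # The plaintext goes to ansible-vault on stdin, not on the command line.
        - name: Update global password
          ansible.builtin.command:
            cmd: ansible-vault encrypt_string --stdin-name {{ item.name | quote }} --vault-pass-file ./password
            stdin: '{{ item.value }}'
            stdin_add_newline: false
          loop:
            - name: ansible_password
              value: '{{ ansible_password }}'
            - name: argocd_vars.kubernetes.server.admin.password
              value: '{{ argocd_vars.kubernetes.server.admin.password }}'
            - name: argocd_vars.kubernetes.server.user.password
              value: '{{ argocd_vars.kubernetes.server.user.password }}'
            - name: cloudflare_vars.kubernetes.api.token.value
              value: '{{ cloudflare_vars.kubernetes.api.token.value }}'
            - name: cluster_vars.service.postfix.user.alias
              value: '{{ cluster_vars.service.postfix.user.alias }}'
            - name: cluster_vars.service.postfix.user.name
              value: '{{ cluster_vars.service.postfix.user.name }}'
            - name: cluster_vars.service.postfix.user.password
              value: '{{ cluster_vars.service.postfix.user.password }}'
            - name: kured_vars.kubernetes.configuration.slack.notify_url
              value: '{{ kured_vars.kubernetes.configuration.slack.notify_url }}'
            - name: longhorn_vars.kubernetes.default_settings.backup.user.password
              value: '{{ longhorn_vars.kubernetes.default_settings.backup.user.password }}'
            - name: prometheus_vars.kubernetes.grafana.user.password
              value: '{{ prometheus_vars.kubernetes.grafana.user.password }}'
          register: encrypted_variables
          changed_when: true
          no_log: true
        # Only the vault ciphertexts are printed here.
        - name: List encrypted role variables
          ansible.builtin.debug:
            var: encrypted_variables.results | map(attribute='stdout')
      # Runs even when a task in the block fails, so the plaintext vault
      # password file is never left on disk.
      always:
        - name: Remove password file
          ansible.builtin.file:
            path: ./password
            state: absent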