Does the thought of storing plain text passwords in configuration files make you feel uneasy? If you'd like to use ansible-vault, a minor update to the ceph-validate role will be required for the time being.

Afterwards you can proceed to create a vault-encrypted value for the required variable:

ansible-vault encrypt_string --stdin-name 'ceph_docker_registry_password'
New Vault password: **************** # create a password for vault itself from stdin
Confirm New Vault password: **************** # create a password for vault itself from stdin
Reading plaintext input from stdin. (ctrl-d to end input)
<password_stdin> # Do not press enter; you must hit ctrl+d after the last char

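Paste the vault output sent to stdout into your all.yml (the trailing "Encryption successful" line is a status message from ansible-vault, not part of the value):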

ceph_docker_registry_password: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          <REDACTED>
          <REDACTED>
          <REDACTED>
          <REDACTED>
          <REDACTED>
Encryption successful

Here's a partial example of what I put in the all.yml to deploy RHCS 4 from their new-ish authenticated registry:

ceph_docker_image: "rhceph/rhceph-4"
ceph_docker_image_tag: "latest"
ceph_docker_registry: "registry.redhat.io"
ceph_docker_registry_auth: true
ceph_docker_registry_username: username
ceph_docker_registry_password: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          <REDACTED>
          <REDACTED>
          <REDACTED>
          <REDACTED>
          <REDACTED>

Last but not least, you'll need to select one of the following options to unlock your variable on each playbook run:

  • a). update /usr/share/ceph-ansible/ansible.cfg:
ask_vault_pass = True

or,

  • b). invoke playbook runs by using the --ask-vault-pass flag to prompt for your unlock password:
[root@tower-osd4 ceph-ansible]# ansible-playbook site-docker.yml.sample --ask-vault-pass
Vault password:
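
To confirm the paste step left all.yml in the form shown above, the following check (an added example, not part of the original post or of ceph-ansible) flags any top-level *_password key that is not an inline !vault value, and a pasted "Encryption successful" line. The function names and sample file contents are constructed for illustration; it assumes the inline encrypt_string form used here, so a password supplied through a variable reference would also be flagged.

```sh
#!/bin/sh
# Added example (not from ceph-ansible): lint a vars file such as all.yml.
# check_vaulted FILE: print findings, return 1 if any *_password key is not
# an inline !vault value, or if the encrypt_string status line was pasted in.
check_vaulted() {
    awk '
    want {   # line right after "key: !vault |" must be the vault header
        if ($0 !~ /^[ \t]+\$ANSIBLE_VAULT;[0-9.]+;AES256/) {
            printf "%d: %s lacks the $ANSIBLE_VAULT header\n", NR, key; bad = 1
        }
        want = 0
    }
    /^[A-Za-z0-9_]*password[ \t]*:/ {
        key = $0; sub(/[ \t]*:.*/, "", key)
        val = $0; sub(/^[^:]*:[ \t]*/, "", val)
        if (val ~ /^!vault[ \t]*\|[ \t]*$/) { want = 1 }
        else { printf "%d: %s is not an inline !vault value\n", NR, key; bad = 1 }
    }
    /^Encryption successful/ {
        printf "%d: stray encrypt_string status line\n", NR; bad = 1
    }
    END { if (want) { printf "EOF: %s has no ciphertext\n", key; bad = 1 }
          exit bad }
    ' "$1"
}

# Constructed sample files; the ciphertext lines are placeholders, not real data.
write_samples() {
    cat > "$1/good.yml" <<'EOF'
ceph_docker_registry_auth: true
ceph_docker_registry_username: username
ceph_docker_registry_password: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          <REDACTED>
EOF
    cat > "$1/plain.yml" <<'EOF'
ceph_docker_registry_username: username
ceph_docker_registry_password: hunter2-constructed
EOF
    cat > "$1/pasted.yml" <<'EOF'
ceph_docker_registry_password: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          <REDACTED>
Encryption successful
EOF
}

# Usage: sh check_vaulted.sh /path/to/all.yml
if [ -f "${1:-}" ]; then check_vaulted "$1"; fi
```

A non-zero exit status makes it usable as a pre-commit or CI gate on the vars file before it is committed.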