Does the thought of storing plain text passwords in configuration files make you feel uneasy? If you'd like to take advantage of ansible-vault, a minor update to the ceph-validate role will be required for the time being.
Afterwards you can proceed to create a vault password for the required variable:
ansible-vault encrypt_string --stdin-name 'ceph_docker_registry_password'
New Vault password: **************** # create a password for vault itself from stdin
Confirm New Vault password: **************** # create a password for vault itself from stdin
Reading plaintext input from stdin. (ctrl-d to end input)
<password_stdin> # Do not press enter; you must hit ctrl+d after the last char
Paste the vault output sent to stdout in your all.yml:
ceph_docker_registry_password: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          <REDACTED>
          <REDACTED>
          <REDACTED>
          <REDACTED>
          <REDACTED>
Encryption successful
Here's a partial example of what I put in the all.yml to deploy RHCS 4 from their new-ish authenticated registry:
ceph_docker_image: "rhceph/rhceph-4"
ceph_docker_image_tag: "latest"
ceph_docker_registry: "registry.redhat.io"
ceph_docker_registry_auth: true
ceph_docker_registry_username: username
ceph_docker_registry_password: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          <REDACTED>
          <REDACTED>
          <REDACTED>
          <REDACTED>
          <REDACTED>
Last but not least, you'll need to select one of the following options to unlock your variable on each playbook run:
- a). update /usr/share/ceph-ansible/ansible.cfg:
ask_vault_pass = True
or,
- b). invoke playbook runs by using the --ask-vault-pass flag to prompt for your unlock password:
[root@tower-osd4 ceph-ansible]# ansible-playbook site-docker.yml.sample --ask-vault-pass
Vault password:
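A check you could run over all.yml before committing it, to confirm that every credential-like variable is actually vault-encrypted and that the pasted block kept its header and indentation. This is an added example, not part of the original post or of ceph-ansible; the keys example_service_password and example_api_token and the hex payloads are constructed for illustration.

```python
import re

# Key names that suggest a credential (assumption: adjust to your own naming).
SENSITIVE = re.compile(r"(password|passwd|secret|token)", re.I)
# Vault envelope header: 1.1 has no label, 1.2 carries a vault-id label.
HEADER = re.compile(r"^\$ANSIBLE_VAULT;(1\.1;AES256|1\.2;AES256;[\w.-]+)$")
KEY_LINE = re.compile(r"^([A-Za-z_]\w*):\s*(.*)$")  # top-level "key: value"

def audit_vars(text):
    """Return [(key, status)] for top-level credential-like keys.

    status is "vaulted", "not-vaulted" (any value without !vault),
    or "malformed-vault" (tag present but header or hex payload broken).
    """
    findings = []
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = KEY_LINE.match(line)
        if not m or not SENSITIVE.search(m.group(1)):
            continue
        key, value = m.group(1), m.group(2).strip()
        if not value.startswith("!vault"):
            findings.append((key, "not-vaulted"))
            continue
        # Collect the indented block scalar that follows the key.
        block = []
        for nxt in lines[i + 1:]:
            if nxt.strip() and not nxt.startswith(" "):
                break
            if nxt.strip():
                block.append(nxt.strip())
        ok = (len(block) >= 2 and HEADER.match(block[0])
              and all(re.fullmatch(r"[0-9a-f]+", b) for b in block[1:]))
        findings.append((key, "vaulted" if ok else "malformed-vault"))
    return findings

# Constructed sample; the payload is dummy hex, not real ciphertext.
SAMPLE = """\
ceph_docker_registry: "registry.redhat.io"
ceph_docker_registry_username: username
ceph_docker_registry_password: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          6162636465666768
          3031323334353637
example_service_password: changeme
example_api_token: !vault |
          6162636465666768
"""

if __name__ == "__main__":
    for key, status in audit_vars(SAMPLE):
        print(f"{status:16} {key}")
```

Values that use a lookup or template instead of a literal are also reported as "not-vaulted", so review those by hand.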