In this example we encrypt an application's secret file with Ansible Vault and deploy it to a remote server with Ansible from inside a Jenkins pipeline. The vault password lives only in a Jenkins credential; the encrypted file is the only copy of the secret on the Jenkins server.
Jenkins server
Create an application-specific folder mini to hold the vault-encrypted secret file:
jenkins@server:~$ mkdir -p ~/app-secrets/mini
Create the secret file .env and encrypt it in the same step (the editor opens on plaintext, the file is written encrypted):
jenkins@server:~$ ansible-vault create ~/app-secrets/mini/.env
New Vault password: # type secret here (vault)
Confirm New Vault password: # type secret here again (vault)
# Place this into the editor and save it
DB_USER=inanzzz
DB_PASS=123123
Confirm that the file on disk is ciphertext, not plaintext:
jenkins@server:~$ cat ~/app-secrets/mini/.env
$ANSIBLE_VAULT;1.1;AES256
30343063633063643337346233353332323433653736653437316139626438653936393137393735
6436623965666331333331646563386365383363656464310a326162336565356439623037353934
38656438393562623636666638396438623165323464303762336162616338376133636536323465
6337623135396536610a373333323936376230376534366630383536656234356663656165386130
65613434386632346631663937333965373137393666643637323331343661613362
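The cat above is a manual check that the file really is ciphertext. Nothing else in this setup enforces that: the copy module accepts a plaintext .env just as happily, and so does git. The following shell guard, an added example that is not part of the original post, parses the Ansible Vault file format (one header line, then a hex-encoded body) and refuses files that are not encrypted. It needs no ansible binary, so it can run as a git pre-commit hook on a developer machine. The file names, the hook wiring in the comment and the sample files it creates are assumptions; the two hex lines are copied from the output above.

```shell
#!/bin/sh
# Added example (not from the original post): refuse to accept a secrets
# file unless it is Ansible Vault encrypted. Only the file format is checked,
# so this runs without ansible installed. Paths and names are assumptions.

# is_vault_encrypted FILE -> returns 0 if FILE is a vault-encrypted file, 1 otherwise.
# A 1.1 file starts with "$ANSIBLE_VAULT;1.1;AES256"; format 1.2 appends ";<vault-id>".
# Every following line is lowercase hex (salt, HMAC and ciphertext, hex-encoded).
is_vault_encrypted() {
    f="$1"
    [ -f "$f" ] || return 1
    # header line
    head -n 1 "$f" | grep -Eq '^[$]ANSIBLE_VAULT;1\.[12];AES256(;[^;[:space:]]+)?$' || return 1
    # body: at least one line, and every line is pure lowercase hex
    [ "$(tail -n +2 "$f" | grep -c .)" -gt 0 ] || return 1
    if tail -n +2 "$f" | grep -Evq '^[0-9a-f]+$'; then
        return 1
    fi
    return 0
}

# check_secret_files FILE... -> 0 if every FILE is vault-encrypted; otherwise
# names the plaintext offenders on stderr and returns 1.
# Assumed hook wiring in .git/hooks/pre-commit (hypothetical):
#   check_secret_files $(git diff --cached --name-only --diff-filter=AM | grep -E '(^|/)\.env$')
check_secret_files() {
    rc=0
    for f in "$@"; do
        if is_vault_encrypted "$f"; then
            echo "ok:        $f"
        else
            echo "PLAINTEXT: $f (refusing; encrypt it first with: ansible-vault encrypt $f)" >&2
            rc=1
        fi
    done
    return $rc
}

# Self-contained demo on two constructed files: one with the vault header and
# two hex lines taken from the post, one plaintext .env with the same values.
demo_dir=$(mktemp -d)
printf '%s\n' '$ANSIBLE_VAULT;1.1;AES256' \
    '30343063633063643337346233353332323433653736653437316139626438653936393137393735' \
    '6436623965666331333331646563386365383363656464310a326162336565356439623037353934' \
    > "$demo_dir/encrypted.env"
printf 'DB_USER=inanzzz\nDB_PASS=123123\n' > "$demo_dir/plain.env"
check_secret_files "$demo_dir/encrypted.env" "$demo_dir/plain.env" \
    || echo "demo: plaintext secret detected, commit would be refused"
rm -rf "$demo_dir"
```

The check is deliberately strict: a file with the right header but a non-hex body (someone pasted plaintext under a copied header) is rejected too. It says nothing about whether the password is right; for that you still need ansible-vault view with the real password, which is what the Jenkins job does implicitly when the copy task decrypts the file.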
Jenkins UI
Install the "Ansible" Jenkins plugin, then add a new "Credential" of kind "Secret text". Set the value to vault (the vault password typed above) and the ID to AnsibleVault, then save it. The pipeline refers to the credential only by this ID, so the password itself never appears in the Jenkinsfile or the repository.
Structure
└── cicd
    ├── merge
    │   └── develop
    │       └── Jenkinsfile
    └── provision
        └── stag
            ├── hosts.yml
            └── site.yml
Files
Jenkinsfile
pipeline {
    agent any
    options {
        skipDefaultCheckout(true)
    }
    stages {
        stage('Git') {
            steps {
                echo '> Checking out the Git version control ...'
                checkout scm
            }
        }
        stage('Deploy') {
            steps {
                echo '> Deploying the application ...'
                ansiblePlaybook(
                    // "Secret text" credential created above; the plugin writes it to a
                    // temporary file and passes it as --vault-password-file (see console output)
                    vaultCredentialsId: 'AnsibleVault',
                    inventory: 'cicd/provision/stag/hosts.yml',
                    playbook: 'cicd/provision/stag/site.yml'
                )
            }
        }
    }
}
hosts.yml
all:
  hosts:
    staging:
      ansible_connection: ssh
      ansible_user: vagrant
      ansible_host: 192.168.99.30
      ansible_port: 22
site.yml
---
- name: Deploy the application secrets to the "staging" server
  hosts: staging
  remote_user: vagrant
  become: yes
  tasks:
    - name: Create the application directory
      file:
        path: /home/vagrant/mini
        state: directory
        owner: vagrant
        group: vagrant
    # copy decrypts a vault-encrypted src on the controller by default (decrypt: yes),
    # so the file that lands on the remote host is plaintext.
    # No mode is set here, so the file gets the remote umask (0644 in the result
    # below, i.e. world-readable); for a secrets file set mode: '0600'.
    - name: Copy secret .env file over
      copy:
        src: /var/lib/jenkins/app-secrets/mini/.env
        dest: /home/vagrant/mini/.env
        owner: vagrant
        group: vagrant
      # keep the decrypted contents out of the Jenkins console log
      no_log: true
Result
Jenkins console output
> Checking out the Git version control ...
using GIT_SSH to set credentials
...
> Deploying the application ...
$ ansible-playbook cicd/provision/stag/site.yml -i cicd/provision/stag/hosts.yml --vault-password-file /var/lib/jenkins/workspace/mini-push-feature/vault6204200521041546377.password
PLAY [Deploy the application to the "staging" server] **************************
TASK [Gathering Facts] *********************************************************
ok: [staging]
TASK [Create the application directory] ****************************************
ok: [staging]
TASK [Copy docker files over] **************************************************
ok: [staging]
TASK [Copy secret .env file over] **********************************************
ok: [staging]
PLAY RECAP *********************************************************************
staging : ok=4 changed=0 unreachable=0 failed=0
Finished: SUCCESS
Staging server
vagrant@staging:~$ ls -la mini/
-rw-r--r-- 1 vagrant vagrant 2 May 12 21:49 .env
vagrant@staging:~$ cat mini/.env
DB_USER=inanzzz
DB_PASS=123123