Tosin Akinosho
Posted on • Edited on

Ansible Vault Secrets Documentation

This post outlines the secrets required by the Ansible playbooks. It also explains how to use the ansiblesafe tool to manage those secrets securely.

Red Hat Subscription Manager (RHSM) Variables

These variables are used to register the Ansible Automation Platform instance with Red Hat Subscription Manager and attach the necessary subscriptions.

  • rhsm_username: The username for your Red Hat account. (More info)
  • rhsm_password: The password for your Red Hat account. (More info)
  • rhsm_org: The ID of the organization to register the system to. (More info)
  • rhsm_activationkey: The activation key used to register the system. (More info)

Admin User Variables

  • admin_user_password: The password for the admin user in Virtual Machines using kcli-pipelines. (More info)

Offline Token Variables

  • offline_token: The offline token used for Red Hat Subscription Manager. (More info)
  • automation_hub_offline_token: The offline token used for Automation Hub. (More info)

OpenShift Pull Secret

  • openshift_pull_secret: The pull secret used to deploy OpenShift Clusters. (More info)

FreeIPA Server Admin Password

  • freeipa_server_admin_password: The password for the FreeIPA server admin user using the freeipa-workshop-deployer. (More info)
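The following shell script is an added example, not part of the post or the ansiblesafe project. It generates a plaintext vault.yml template containing every variable listed above, and checks a plaintext file before it is handed to ansiblesafe for encryption: all keys present, no placeholder values left, and the file not already vault-encrypted (which would otherwise be encrypted a second time). The function names, the CHANGEME placeholder and the sample values are assumptions made here; the key names are the ones documented above.

```shell
#!/usr/bin/env bash
# Added example (not from the post or the ansiblesafe project): build a
# vault.yml template and validate a plaintext vault file before encryption.
set -u

# Required keys, taken from the variable list in the post.
REQUIRED_KEYS="rhsm_username rhsm_password rhsm_org rhsm_activationkey \
admin_user_password offline_token automation_hub_offline_token \
openshift_pull_secret freeipa_server_admin_password"

# Write a template to the given path. CHANGEME is a constructed placeholder
# that must be replaced before the file is encrypted.
vault_template() {
  local out="$1" key
  : > "$out"
  chmod 600 "$out"          # plaintext secrets: owner-only from the first byte
  for key in $REQUIRED_KEYS; do
    printf '%s: CHANGEME\n' "$key" >> "$out"
  done
}

# Validate a plaintext vault file. Returns 0 when every required key has a
# non-empty value, no CHANGEME placeholder remains, and the file does not
# already carry the Ansible Vault header; otherwise prints why and returns 1.
vault_check() {
  local file="$1" key rc=0
  if [ ! -f "$file" ]; then
    echo "missing file: $file" >&2; return 1
  fi
  if head -n 1 "$file" | grep -q '^\$ANSIBLE_VAULT;'; then
    echo "$file is already encrypted; decrypt it (-o 2) before editing" >&2; return 1
  fi
  for key in $REQUIRED_KEYS; do
    if ! grep -Eq "^${key}:[[:space:]]*[^[:space:]]" "$file"; then
      echo "missing or empty key: $key" >&2; rc=1
    fi
  done
  if grep -Eq ':[[:space:]]*CHANGEME[[:space:]]*$' "$file"; then
    echo "placeholder values still present" >&2; rc=1
  fi
  return $rc
}

# Typical use (hypothetical path):
#   vault_template ./vault.yml      # then edit the file and fill in real values
#   vault_check ./vault.yml && ansiblesafe -f ./vault.yml -o 1
```

Running `vault_check` before `-o 1` catches the two mistakes that are hardest to notice afterwards: a key that is silently missing from an encrypted file, and a file encrypted twice, which decrypts to ciphertext rather than YAML.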

Managing Secrets with Ansiblesafe

ansiblesafe is a Go script that facilitates the encryption and decryption of YAML files using the Ansible Vault CLI. It supports various operations such as encrypting, decrypting, and syncing secrets with HashiCorp Vault.

Installation

  dnf install ansible-core -y
  curl -OL https://github.com/tosin2013/ansiblesafe/releases/download/v0.0.8/ansiblesafe-v0.0.8-linux-amd64.tar.gz
  tar -zxvf ansiblesafe-v0.0.8-linux-amd64.tar.gz
  chmod +x ansiblesafe-linux-amd64
  sudo mv ansiblesafe-linux-amd64 /usr/local/bin/ansiblesafe

Usage

If you do not pass any flags, everything will be auto-generated for you.

  $ ansiblesafe -h
  Usage of /tmp/go-build1657505477/b001/exe/ansiblesafe:
    -f, --file string     Path to YAML file (default: $HOME/vault.yml)
    -o, --operation int   Operation to perform (1: encrypt, 2: decrypt, 3: Write secrets to HashiCorp Vault, 4: Read secrets from HashiCorp Vault, 5: skip encrypting/decrypting)

To use ansiblesafe, navigate to the cloned directory and run the following commands, depending on what you need:

  • Encrypt a YAML file:
  ./ansiblesafe -f path_to_your_file -o 1
  • Decrypt a YAML file:
  ./ansiblesafe -f path_to_your_file -o 2

HashiCorp Vault Examples

Write secrets to HashiCorp Vault

  $ export VAULT_ADDRESS=http://127.0.0.1:8200/
  $ export VAULT_TOKEN=token
  $ export SECRET_PATH=ansiblesafe/example
  $ ansiblesafe -o 3

Read secrets from HashiCorp Vault and save them to vault.yml

  $ export VAULT_ADDRESS=http://127.0.0.1:8200/
  $ export VAULT_TOKEN=token
  $ export SECRET_PATH=ansiblesafe/example
  $ ansiblesafe -o 4
  $ ansiblesafe -o 1 # Optional: encrypt the file
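As an added example (not code from the post or from ansiblesafe), the script below checks the environment that operations 3 and 4 depend on before ansiblesafe is invoked. It uses the same VAULT_ADDRESS, VAULT_TOKEN and SECRET_PATH variables as the post; the function names and the rule that plain http is accepted only for a loopback address (the post's own 127.0.0.1 example) are assumptions made here. Keeping the token in the environment rather than on the command line, as the post does, keeps it out of process listings and shell history.

```shell
#!/usr/bin/env bash
# Added example (not from the post or the ansiblesafe project): validate the
# HashiCorp Vault environment before running ansiblesafe -o 3 / -o 4.

# Returns 0 if VAULT_ADDRESS, VAULT_TOKEN and SECRET_PATH are set and sane,
# 1 otherwise, with the reason on stderr. A plain-http address is accepted
# only for loopback, so the token is never sent in clear across a network.
vault_env_check() {
  local rc=0 host val v
  for v in VAULT_ADDRESS VAULT_TOKEN SECRET_PATH; do
    eval "val=\${$v:-}"
    if [ -z "$val" ]; then
      echo "$v is not set" >&2; rc=1
    fi
  done
  [ $rc -eq 0 ] || return 1
  case "$VAULT_ADDRESS" in
    https://*) ;;
    http://*)
      host="${VAULT_ADDRESS#http://}"
      host="${host%%[:/]*}"
      case "$host" in
        127.0.0.1|localhost) ;;
        *) echo "refusing plain http to non-loopback host $host" >&2; rc=1 ;;
      esac ;;
    *) echo "VAULT_ADDRESS must start with http:// or https://" >&2; rc=1 ;;
  esac
  case "$SECRET_PATH" in
    /*|*..*) echo "SECRET_PATH should be a relative path without '..'" >&2; rc=1 ;;
  esac
  return $rc
}

# Run ansiblesafe operation 3 (write) or 4 (read) only after the checks pass.
vault_sync() {
  local op="$1"
  case "$op" in
    3|4) ;;
    *) echo "op must be 3 (write to Vault) or 4 (read from Vault)" >&2; return 1 ;;
  esac
  vault_env_check || return 1
  ansiblesafe -o "$op"
}

# Typical use, with the post's example values:
#   export VAULT_ADDRESS=http://127.0.0.1:8200/ VAULT_TOKEN=token SECRET_PATH=ansiblesafe/example
#   vault_sync 4 && ansiblesafe -o 1
```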

Security Considerations

Instructions to use ansiblesafe without a password prompt

  $ touch ~/.vault_password
  $ chmod 600 ~/.vault_password
  # The leading space here is necessary to keep the command out of the command history
  $  echo password >> ~/.vault_password
  # Link the password file into the current working directory
  $ ln ~/.vault_password .
  # Set the environment variable to the location of the file
  $ export ANSIBLE_VAULT_PASSWORD_FILE=.vault_password

Remember to keep your vault password and tokens secure and limit access to authorized users only.
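The script below is an added example, not part of the post, of the checks worth running before pointing ANSIBLE_VAULT_PASSWORD_FILE at a password file: the file is a regular, non-empty file, its mode is 600, and it is not tracked by git in the current working directory (the post links the file into the working tree, which is also where a stray git add would pick it up). The function names are assumptions made here. One caveat on the post's history trick: the leading space keeps a command out of bash history only when HISTCONTROL includes ignorespace or ignoreboth.

```shell
#!/usr/bin/env bash
# Added example (not from the post): sanity checks for the vault password
# file before it is used through ANSIBLE_VAULT_PASSWORD_FILE.

# Octal permission bits of a file; GNU stat first, BSD stat as a fallback.
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Returns 0 if the password file is safe to use: a regular, non-empty file
# with mode 600 that git does not track (when the cwd is inside a repo).
# Otherwise prints the problem to stderr and returns 1.
vault_password_file_check() {
  local file="$1" mode
  [ -f "$file" ] || { echo "$file: not a regular file" >&2; return 1; }
  [ -s "$file" ] || { echo "$file: empty" >&2; return 1; }
  mode="$(file_mode "$file")"
  [ "$mode" = "600" ] || { echo "$file: mode is $mode, expected 600" >&2; return 1; }
  if git rev-parse --is-inside-work-tree >/dev/null 2>&1 \
     && git ls-files --error-unmatch -- "$file" >/dev/null 2>&1; then
    echo "$file: tracked by git; remove it from the index and add it to .gitignore" >&2
    return 1
  fi
  return 0
}

# Export ANSIBLE_VAULT_PASSWORD_FILE only after the checks pass.
use_vault_password_file() {
  vault_password_file_check "$1" || return 1
  export ANSIBLE_VAULT_PASSWORD_FILE="$1"
}

# Typical use, following the post's setup:
#   use_vault_password_file .vault_password && ansiblesafe -o 2
```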

More Information

For more details on ansiblesafe and its capabilities, visit the GitHub repository.

Associate Principal Solution Architect RedHat. Enthusiast in Cloud, DevOps, and AI. Specializing in AWS, GCP, Azure, Docker, Kubernetes, and Terraform.