Container image providing an Ansible environment for the controller
- Supports `pass`
- Dynamically generate and persist secret values
- Obtain the ansible vault password via a vault client script (`vault/pass-client.sh`)
- Supports ansible kubernetes tasks
- The working directory is `/project`
Ensure the local mount directories are present and sufficiently restrictive (only the owning user may access them):

```sh
for d in .ssh .gnupg .password-store
do
    if [ ! -d "$d" ]
    then
        mkdir "$d"
        # owner gets rwx; group and others get nothing, regardless of umask
        chmod u=rwx,go= "$d"
    fi
done
```
The directories are used for SSH, GnuPG and pass. Mounting them as volumes allows the configuration to persist across container lifetimes.
It is possible to mount existing directories, but the uid and gid of their contents must match those of the container user (`ansible`) in order to meet the security requirements.
The default uid and gid are both 1000.
If different ids are required, it may be necessary to build a custom container image. The `Dockerfile` supports the optional build arguments `USER_ID` and `GROUP_ID` for this purpose.
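A pre-flight check that applies both rules above before the container is started: it verifies that each of the three mount directories exists, is owned by the expected uid/gid (1000/1000 by default) and grants no access to group or others. This is an added example, not part of the image; it assumes GNU coreutils (`stat -c`).

```shell
# Check one bind-mounted secret directory.
# $1 = directory, $2 = expected owner uid, $3 = expected owner gid
# Returns 0 when the directory is safe to mount, 1 (with a reason on stderr) otherwise.
check_mount_dir() {
    dir=$1; want_uid=$2; want_gid=$3
    if [ ! -d "$dir" ]; then
        echo "$dir: missing (create it with mkdir and chmod 700)" >&2
        return 1
    fi
    # owner uid, owner gid and octal mode of the directory itself (GNU stat)
    set -- $(stat -c '%u %g %a' "$dir")
    uid=$1; gid=$2; mode=$3
    if [ "$uid" != "$want_uid" ] || [ "$gid" != "$want_gid" ]; then
        echo "$dir: owned by $uid:$gid, but the container user is $want_uid:$want_gid" >&2
        return 1
    fi
    # The last two octal digits are the group and other bits; both must be 0.
    case "$mode" in
        *00) ;;
        *) echo "$dir: mode $mode grants access to group or others" >&2; return 1 ;;
    esac
    return 0
}

# Check the three directories the image expects below a base directory.
# $1 = base directory (e.g. "$PWD"), $2 = expected uid, $3 = expected gid
check_all_mount_dirs() {
    base=$1; want_uid=$2; want_gid=$3
    status=0
    for d in .ssh .gnupg .password-store; do
        check_mount_dir "$base/$d" "$want_uid" "$want_gid" || status=1
    done
    return $status
}
```

Run `check_all_mount_dirs "$PWD" 1000 1000` before the `docker run`/`ctr run` commands; a non-zero exit means a mount would be rejected or left readable by other local users.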
Run a containerized bash with docker:

```sh
sudo docker run \
    -it \
    --rm \
    -e ANSIBLE_VAULT_IDENTITY_LIST="dev@/project/vault/pass-client.sh,prod@/project/vault/pass-client.sh" \
    -v "$PWD/requirements.yml:/project/requirements.yml:ro" \
    -v "$PWD/inventories:/project/inventories:ro" \
    -v "$PWD/roles:/project/roles:ro" \
    -v "$PWD/sshservers.yml:/project/sshservers.yml:ro" \
    -v "$PWD/k8s.yml:/project/k8s.yml:ro" \
    -v "$PWD/common.yml:/project/common.yml:ro" \
    -v "$PWD/.ssh:/home/ansible/.ssh:rw" \
    -v "$PWD/.gnupg:/home/ansible/.gnupg:rw" \
    -v "$PWD/.password-store:/home/ansible/.password-store:rw" \
    --network=host \
    capybara1/ansible
```
... or with containerd:
```sh
sudo ctr run \
    -t \
    --rm \
    --env ANSIBLE_VAULT_IDENTITY_LIST="dev@/project/vault/pass-client.sh,prod@/project/vault/pass-client.sh" \
    --mount "type=bind,src=$PWD/requirements.yml,dst=/project/requirements.yml,options=rbind:ro" \
    --mount "type=bind,src=$PWD/inventories,dst=/project/inventories,options=rbind:ro" \
    --mount "type=bind,src=$PWD/roles,dst=/project/roles,options=rbind:ro" \
    --mount "type=bind,src=$PWD/sshservers.yml,dst=/project/sshservers.yml,options=rbind:ro" \
    --mount "type=bind,src=$PWD/k8s.yml,dst=/project/k8s.yml,options=rbind:ro" \
    --mount "type=bind,src=$PWD/common.yml,dst=/project/common.yml,options=rbind:ro" \
    --mount "type=bind,src=$PWD/.ssh,dst=/home/ansible/.ssh,options=rbind:rw" \
    --mount "type=bind,src=$PWD/.gnupg,dst=/home/ansible/.gnupg,options=rbind:rw" \
    --mount "type=bind,src=$PWD/.password-store,dst=/home/ansible/.password-store,options=rbind:rw" \
    --net-host \
    docker.io/capybara1/ansible:latest ansible
```
Things to do next:
- Add the target node(s) to `known_hosts` for SSH
- Add an SSH key pair
- Add a GPG key
- Initialise a password store