ansible-concourse-vault

Ansible playbook to bootstrap a single-node Concourse CI server, backed by Vault and PostgreSQL

TL;DR

Prerequisites:

  • Ubuntu 18.04 LTS

git clone https://github.com/imulab/ansible-concourse-vault.git
cd ansible-concourse-vault
sudo -s
chmod +x install
./install

If you encounter an error complaining that the Ansible dependency sshpass is not met, update your /etc/apt/sources.list with this.

Downloading Concourse executable may take some time. After the installation finishes:

# absorb the VAULT_ADDR environment variable
source /etc/environment

# you should see that vault is unsealed now
vault status

# check out the vault seal key and root token
cat /opt/deployment-secrets/secrets.json

# login to vault
vault login <your_vault_root_token>

# write some secret
vault write concourse/main/foo value=bar
vault write concourse/main/key value=@my_key

What it does

This playbook installs and configures Concourse CI in an opinionated fashion to allow personal/lab use of a continuous integration server that can manage secrets using Vault in a minimal way.

Some of the opinions this playbook takes:

  • Vault is installed and enabled on localhost with no TLS.
  • Vault uses a local file backend, which is placed by default at /mnt/vault/data.
  • Vault issues only one seal key.
  • Vault places seal key and root token at /opt/deployment-secrets.
  • After the installation, Vault is unsealed.
  • Concourse is enabled on the external IP address specified by the user during installation, on the default port 8080.
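
A post-install check for the choices listed above, as an added example that is not part of the playbook: it verifies that the file holding the seal key and root token is accessible only to its owner, and that VAULT_ADDR either uses TLS or uses plain HTTP to a loopback address. The function names are hypothetical and GNU stat (as on Ubuntu) is assumed.

```shell
#!/bin/sh
# Added example, not part of the playbook. Paths and VAULT_ADDR come from the
# README; function names are hypothetical. Assumes GNU stat (Ubuntu).

# Succeed when PATH has none of the permission bits in octal MASK set.
mode_lacks_bits() {
  mb_path="$1"; mb_mask="$2"
  [ -e "$mb_path" ] || { echo "missing: $mb_path" >&2; return 2; }
  mb_mode=$(stat -c '%a' "$mb_path") || return 2
  if [ $(( 0$mb_mode & 0$mb_mask )) -ne 0 ]; then
    echo "$mb_path: mode $mb_mode sets bits in mask $mb_mask" >&2
    return 1
  fi
  return 0
}

# Succeed when ADDR uses TLS, or uses plain HTTP to a loopback address only.
vault_addr_is_local_or_tls() {
  va_addr="$1"
  case "$va_addr" in
    https://*) return 0 ;;
    http://*)  va_host="${va_addr#http://}" ;;
    *) echo "unrecognised VAULT_ADDR: '$va_addr'" >&2; return 2 ;;
  esac
  va_host="${va_host%%/*}"                 # drop any path
  case "$va_host" in
    "["*) va_host="${va_host%%]*}]" ;;     # bracketed IPv6 literal
    *)    va_host="${va_host%%:*}" ;;      # drop :port
  esac
  case "$va_host" in
    localhost|"[::1]") return 0 ;;
    127.*[!0-9.]*) ;;                      # a hostname that only starts with "127."
    127.*) return 0 ;;
  esac
  echo "VAULT_ADDR $va_addr sends tokens in cleartext to $va_host" >&2
  return 1
}

# Run all three checks against the locations this README names.
audit_install() {
  ai_rc=0
  mode_lacks_bits /opt/deployment-secrets 022 || ai_rc=1
  mode_lacks_bits /opt/deployment-secrets/secrets.json 077 || ai_rc=1
  vault_addr_is_local_or_tls "${VAULT_ADDR:-}" || ai_rc=1
  return "$ai_rc"
}

# Usage: sh audit.sh run   (as root, after: . /etc/environment)
if [ "${1:-}" = "run" ]; then audit_install && echo "ok"; fi
```

A non-zero exit means at least one check failed; the reason is printed on stderr.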

Resources