2714b4fe1a
When ansible_vault_in_place_copy is supploed as extra var it is not always treated a False properly, still messing up with conditions Using bool filter help to eliminate such behaviour. Also reduce verbosity of blockinfile loop by using loop label. Change-Id: Iafaf53c77288d8f45b0bf0ddd99fe242a9f6e7cb
Encrypting secrets
This document describes the supported operations for encrypting secrets and explains how to perform them using the appropriate tooling.
Ansible-Vault
OpenStack-Ansible provides tooling to encrypt and rotate secret files and keypairs using Ansible Vault.
Role Defaults
../../encrypt_secrets/roles/ansible_vault/defaults/main.yml
Installing the Collection
To install the collection, define it in your region deployment configuration file, located at /etc/openstack_deploy/user-collection-requirements.yml, as shown below:
- name: osa_ops.encrypt_secrets
type: git
version: master
source: https://opendev.org/openstack/openstack-ansible-ops#/encrypt_secretsThen, run ./scripts/bootstrap-ansible.sh to install the collection.
Initial Encryption of Secret Files
When initializing a region for the first time, you should encrypt secrets and generated private keys before storing them in Git. You can perform this process locally or on the deployment host.
Note
You must re-run the encryption process whenever new services or keypairs are generated, which may occur at later deployment stages.
Encrypting Secrets Locally
The process for encrypting secrets locally is similar to running it on the deploy host, but some context-specific variables required by OpenStack-Ansible may be unavailable and must be supplied manually.
Ensure you have a Python virtual environment with Ansible installed before proceeding.
- Generate a password for the Ansible Vault and store it securely:
pwgen 36 1 > /tmp/vault.secret- Run the encryption playbook:
ansible-playbook osa_ops.encrypt_secrets.ansible_vault -e ansible_vault_region=${REGION_NAME} -e ansible_vault_pw=/tmp/vault.secret- Copy the contents of /tmp/vault.secret to the deployment host, for example to /etc/openstack/vault.secret.
- Define the vault secret path in `/etc/openstack_deploy/user.rc`:
export ANSIBLE_VAULT_PASSWORD_FILE=/etc/openstack/vault.secret- Store the password securely in your preferred password manager.
- Push the changes to your Git repository.
- Ensure that the deploy host decrypts any required secrets.
Encrypting Secrets on the Deployment Host
Follow these steps to encrypt secrets directly on the deployment host:
- Generate a password and store it securely:
pwgen 36 1 > /etc/openstack/vault.secret- Define the vault secret path in `/etc/openstack_deploy/user.rc`:
export ANSIBLE_VAULT_PASSWORD_FILE=/etc/openstack/vault.secret- Run the encryption playbook:
openstack-ansible osa_ops.encrypt_secrets.ansible_vault- Commit and push changes to /etc/openstack_deploy in your Git repository.
- Save the vault password (/etc/openstack/vault.secret) in a secure password manager.
- Decrypt any necessary secrets before running OpenStack playbooks.
Decrypting Keypairs on the Deploy Host
The OpenStack-Ansible PKI role does not support storing private keys in encrypted format on the deployment host. Instead, configure a pipeline that decrypts the keys after placing them on the deploy host.
Encrypted keypairs should be committed to the Git repository, but stored unencrypted on the deployment host.
To decrypt them, run the following playbook:
openstack-ansible osa_ops.encrypt_secrets.ansible_vault -e ansible_vault_action=decryptRotating the Ansible Vault Secret
Rotating the Ansible Vault password requires re-encrypting all secrets in the repository. Assuming the original password is stored in /tmp/vault.secret, follow these steps:
- Generate a new vault password/encryption key:
pwgen 45 1 > /tmp/vault.secret.new- Re-encrypt all secrets using the new password:
ANSIBLE_VAULT_PASSWORD_FILE=/tmp/vault.secret ansible-playbook osa_ops.encrypt_secrets.ansible_vault -e ansible_vault_action=rotate- Transfer the new password to the deployment host and store it securely in a password manager.