The "Missing Guide" on using Ansible to protect your secrets

Dan Tehranian, DevOps Lead here at Delphix, recently published an excellent "missing guide" on using Ansible, an automation tool used in DevOps, and how to keep your organization's secrets secret.

Once you've started using Ansible to codify the configuration of your infrastructure, you will undoubtedly run into a situation where you need to manage some of your infrastructure's "secrets". Examples of such secrets include SSH private keys, SSL certificates, or passwords. How do you codify and automate the distribution of these secrets?

By checking these secrets into a source control system or posting them for review in a code review tool in plain text, you'd be instantly making them visible to a large number of people within your organization. Luckily Ansible has created a tool to address this: Ansible Vault. ... Unfortunately the documentation provides little information on best practices for how to use Ansible Vault to deploy those secrets via a playbook, how to prevent the contents of those secrets from being echoed in plain text to STDOUT when run with "-verbose" mode (ouch!), how to test your playbooks when they contain such encrypted secrets, and how to integrate this into Jenkins.

Having recently spent time writing an Ansible role for deploying an OpenVPN server and having had to figure out the answer to a lot of these issues, I'm now happy to present "The Missing Guide to Managing Secrets with Ansible Vault." 

Read the rest here: