In this example we are going to encrypt an application secrets file with Ansible Vault and use Ansible in a Jenkins pipeline to deploy it to a remote server. The encrypted file lives on the Jenkins server, outside the Git repository, and the vault password is held as a Jenkins credential, so neither the plaintext secret nor the password ever lands in version control.


Jenkins server


Create an application-specific folder mini where the vault-encrypted secret files will be stored.


jenkins@server:~$ mkdir -p ~/app-secrets/mini

Create the secrets file .env and encrypt it at the same time. The password you type here is the vault password; it is all that protects the file at rest, so use a long random value in practice (the short value "vault" below is only to keep the example readable).


jenkins@server:~$ ansible-vault create ~/app-secrets/mini/.env
New Vault password: # type secret here (vault)
Confirm New Vault password: # type secret here again (vault)

# Place this into the editor and save it
DB_USER=inanzzz
DB_PASS=123123

Confirm that the file on disk is encrypted. The first line is the vault header (format version and cipher); the rest is the hex-encoded payload.


jenkins@server:~$ cat ~/app-secrets/mini/.env
$ANSIBLE_VAULT;1.1;AES256
30343063633063643337346233353332323433653736653437316139626438653936393137393735
6436623965666331333331646563386365383363656464310a326162336565356439623037353934
38656438393562623636666638396438623165323464303762336162616338376133636536323465
6337623135396536610a373333323936376230376534366630383536656234356663656165386130
65613434386632346631663937333965373137393666643637323331343661613362
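The blob above is a standard Ansible Vault 1.1 AES256 envelope. The following Python script is an added example, not part of the original post or of Ansible itself: using only the standard library it parses the envelope, reproduces the key derivation Ansible's VaultAES256 cipher uses (PBKDF2-HMAC-SHA256, 10000 iterations, 80 derived bytes split into AES key, HMAC key and IV) and verifies the HMAC over the ciphertext, which is exactly the password check ansible-vault performs before it decrypts. It does not implement the AES-CTR step, so build_envelope only wraps already-encrypted bytes; the fixture salt and ciphertext used with it are constructed placeholders, while SAMPLE is the file printed above. The point for this page: the same HMAC check is what an offline guessing attack runs against a leaked vault file, and 10000 PBKDF2 iterations do not make a password like "vault" expensive to guess, so the Jenkins credential must be a strong one.

```python
"""Inspect an Ansible Vault 1.1/1.2 AES256 envelope and check a password without decrypting.

Added example (not from the original post). Standard library only.
"""
import binascii
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple

# Copied from the encrypted ~/app-secrets/mini/.env shown in the post (vault password "vault").
SAMPLE = """$ANSIBLE_VAULT;1.1;AES256
30343063633063643337346233353332323433653736653437316139626438653936393137393735
6436623965666331333331646563386365383363656464310a326162336565356439623037353934
38656438393562623636666638396438623165323464303762336162616338376133636536323465
6337623135396536610a373333323936376230376534366630383536656234356663656165386130
65613434386632346631663937333965373137393666643637323331343661613362
"""

PBKDF2_ITERATIONS = 10_000  # iteration count used by Ansible's VaultAES256
KEY_LEN = 32                # AES-256 key, and HMAC-SHA256 key
IV_LEN = 16                 # AES block size; used as the CTR nonce/IV


@dataclass
class VaultEnvelope:
    version: str
    cipher: str
    vault_id: Optional[str]   # only present in 1.2 headers
    salt: bytes
    mac: bytes
    ciphertext: bytes


def parse_vault(text: str) -> VaultEnvelope:
    """Split a vault file into header fields and the three hex-encoded parts."""
    lines = text.strip().splitlines()
    header = lines[0].split(";")
    if header[0] != "$ANSIBLE_VAULT" or header[1] not in ("1.1", "1.2") or header[2] != "AES256":
        raise ValueError("not an $ANSIBLE_VAULT 1.1/1.2 AES256 file")
    vault_id = header[3] if len(header) > 3 else None
    # The body is one hex string wrapped at 80 columns. Decoded, it is
    # "<salt hex>\n<hmac hex>\n<ciphertext hex>"; hex digits never contain 0x0a,
    # so splitting on newline is unambiguous.
    payload = binascii.unhexlify("".join(lines[1:]))
    salt_hex, mac_hex, ct_hex = payload.split(b"\n")
    return VaultEnvelope(header[1], header[2], vault_id,
                         binascii.unhexlify(salt_hex),
                         binascii.unhexlify(mac_hex),
                         binascii.unhexlify(ct_hex))


def derive_keys(password: str, salt: bytes) -> Tuple[bytes, bytes, bytes]:
    """PBKDF2-HMAC-SHA256 -> (AES key, HMAC key, IV), split the way VaultAES256 does."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             PBKDF2_ITERATIONS, 2 * KEY_LEN + IV_LEN)
    return dk[:KEY_LEN], dk[KEY_LEN:2 * KEY_LEN], dk[2 * KEY_LEN:]


def check_password(text: str, password: str) -> bool:
    """True if HMAC-SHA256(hmac_key, ciphertext) matches the stored MAC.

    This is the integrity/password check done before any decryption; it is also
    the primitive an offline guessing attack evaluates per candidate password.
    """
    env = parse_vault(text)
    _, hmac_key, _ = derive_keys(password, env.salt)
    expected = hmac.new(hmac_key, env.ciphertext, hashlib.sha256).digest()
    return hmac.compare_digest(expected, env.mac)


def build_envelope(password: str, ciphertext: bytes, salt: bytes) -> str:
    """Wrap already-encrypted bytes in a 1.1 envelope (fixture helper; no AES here)."""
    _, hmac_key, _ = derive_keys(password, salt)
    mac = hmac.new(hmac_key, ciphertext, hashlib.sha256).digest()
    inner = b"\n".join(binascii.hexlify(part) for part in (salt, mac, ciphertext))
    body = binascii.hexlify(inner).decode("ascii")
    wrapped = "\n".join(body[i:i + 80] for i in range(0, len(body), 80))
    return "$ANSIBLE_VAULT;1.1;AES256\n" + wrapped + "\n"


if __name__ == "__main__":
    env = parse_vault(SAMPLE)
    print("format %s, cipher %s, salt %d B, hmac %d B, ciphertext %d B"
          % (env.version, env.cipher, len(env.salt), len(env.mac), len(env.ciphertext)))
    print("password 'vault' verifies:", check_password(SAMPLE, "vault"))
```

Run it against any vault file you hold: a 32-byte ciphertext tells you the plaintext was at most 32 bytes (the two-line .env above, padded), and check_password with a wordlist is all an attacker needs once the file leaves the Jenkins host.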

Jenkins UI


Install the "Ansible" Jenkins plugin, then add a new Credential of kind "Secret text". Set its value to the vault password (vault) and its ID to AnsibleVault, then save it. The plugin passes this secret to ansible-playbook through a temporary --vault-password-file written into the job workspace for the duration of the step; its path is visible in the console output below.


Structure


└── cicd
    ├── merge
    │   └── develop
    │       └── Jenkinsfile
    └── provision
        └── stag
            ├── hosts.yml
            └── site.yml

Files


Jenkinsfile


pipeline {
    agent any

    options {
        skipDefaultCheckout(true)
    }

    stages {
        stage('Git') {
            steps {
                echo '> Checking out the Git version control ...'
                checkout scm
            }
        }
        stage('Deploy') {
            steps {
                echo '> Deploying the application ...'
                ansiblePlaybook(
                    vaultCredentialsId: 'AnsibleVault',
                    inventory: 'cicd/provision/stag/hosts.yml',
                    playbook: 'cicd/provision/stag/site.yml'
                )
            }
        }
    }
}

hosts.yml


all:
  hosts:
    staging:
      ansible_connection: ssh
      ansible_user: vagrant
      ansible_host: 192.168.99.30
      ansible_port: 22

site.yml


---

- name: Deploy the application secrets to the "staging" server
  hosts: staging
  remote_user: vagrant
  become: yes
  tasks:
    - name: Create the application directory
      file:
        path: /home/vagrant/mini
        state: directory
        owner: vagrant
        group: vagrant
    # The copy module detects a vault-encrypted src and decrypts it with the
    # supplied vault password before sending it (decrypt: yes is the default),
    # so the plaintext only exists on the controller for the duration of the task.
    - name: Copy secret .env file over
      copy:
        src: /var/lib/jenkins/app-secrets/mini/.env
        dest: /home/vagrant/mini/.env
        owner: vagrant
        group: vagrant
      # Keep the file contents out of the task output, even under -vvv.
      no_log: true

Result


Jenkins console output


> Checking out the Git version control ...
using GIT_SSH to set credentials
...
> Deploying the application ...
$ ansible-playbook cicd/provision/stag/site.yml -i cicd/provision/stag/hosts.yml --vault-password-file /var/lib/jenkins/workspace/mini-push-feature/vault6204200521041546377.password

PLAY [Deploy the application to the "staging" server] **************************

TASK [Gathering Facts] *********************************************************
ok: [staging]

TASK [Create the application directory] ****************************************
ok: [staging]

TASK [Copy docker files over] **************************************************
ok: [staging]

TASK [Copy secret .env file over] **********************************************
ok: [staging]

PLAY RECAP *********************************************************************
staging : ok=4 changed=0 unreachable=0 failed=0

Finished: SUCCESS

Staging server


vagrant@staging:~$ ls -la mini/
-rw-r--r-- 1 vagrant vagrant 2 May 12 21:49 .env
vagrant@staging:~$ cat mini/.env
DB_USER=inanzzz
DB_PASS=123123

Note the mode: the copy task sets no mode, so the decrypted file lands with the default 0644 and is readable by every account on the staging host. Add mode: '0600' to the copy task if anyone other than the application user can log in to that machine.