
In this example we are going to encrypt an application secrets file with Ansible Vault and use Ansible from a Jenkins pipeline to deploy it to a remote server.


Jenkins server


Create an application-specific folder mini in which the vault-encrypted secret files will be stored.


jenkins@server:~$ mkdir -p ~/app-secrets/mini

Create a secrets file .env and encrypt it at the same time.


jenkins@server:~$ ansible-vault create ~/app-secrets/mini/.env
New Vault password: # type secret here (vault)
Confirm New Vault password: # type secret here again (vault)

# Place this into the editor and save it
DB_USER=inanzzz
DB_PASS=123123

Confirm that the file is stored encrypted (only the vault header and the ciphertext are visible on disk).


jenkins@server:~$ cat ~/app-secrets/mini/.env
$ANSIBLE_VAULT;1.1;AES256

Jenkins UI


Install the "Ansible" Jenkins plugin and then add a new "Credential" of kind "Secret text". Set the value to vault (the vault password chosen above) and the ID to AnsibleVault, then save it.


Structure


└── cicd
    ├── merge
    │   └── develop
    │       └── Jenkinsfile
    └── provision
        └── stag
            ├── hosts.yml
            └── site.yml

Files


Jenkinsfile


pipeline {
    agent any

    options {
        skipDefaultCheckout(true)
    }

    stages {
        stage('Git') {
            steps {
                echo '> Checking out the Git version control ...'
                checkout scm
            }
        }
        stage('Deploy') {
            steps {
                echo '> Deploying the application ...'
                ansiblePlaybook(
                    vaultCredentialsId: 'AnsibleVault',
                    inventory: 'cicd/provision/stag/hosts.yml',
                    playbook: 'cicd/provision/stag/site.yml'
                )
            }
        }
    }
}

hosts.yml


all:
  hosts:
    staging:
      ansible_connection: ssh
      ansible_user: vagrant
      ansible_host: 192.168.99.30
      ansible_port: 22

site.yml


---

- name: Deploy the application secrets to the "staging" server
  hosts: staging
  remote_user: vagrant
  become: yes
  tasks:
    - name: Create the application directory
      file:
        path: /home/vagrant/mini
        state: directory
        owner: vagrant
        group: vagrant
    - name: Copy secret .env file over
      copy:
        src: /var/lib/jenkins/app-secrets/mini/.env
        dest: /home/vagrant/mini/.env
        owner: vagrant
        group: vagrant
      no_log: true

Result


Jenkins console output


> Checking out the Git version control ...
using GIT_SSH to set credentials
...
> Deploying the application ...
$ ansible-playbook cicd/provision/stag/site.yml -i cicd/provision/stag/hosts.yml --vault-password-file /var/lib/jenkins/workspace/mini-push-feature/vault6204200521041546377.password

PLAY [Deploy the application to the "staging" server] **************************

TASK [Gathering Facts] *********************************************************
ok: [staging]

TASK [Create the application directory] ****************************************
ok: [staging]

TASK [Copy docker files over] **************************************************
ok: [staging]

TASK [Copy secret .env file over] **********************************************
ok: [staging]

PLAY RECAP *********************************************************************
staging : ok=4 changed=0 unreachable=0 failed=0

Finished: SUCCESS

Staging server


vagrant@staging:~$ ls -la mini/
-rw-r--r-- 1 vagrant vagrant 2 May 12 21:49 .env
vagrant@staging:~$ cat mini/.env
DB_USER=inanzzz
DB_PASS=123123
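The console output above shows the plugin handing the vault password to ansible-playbook through a temporary --vault-password-file, and the staging listing shows the deployed .env landed as -rw-r--r--. The guard script below is an added example, not part of the original post: it refuses to deploy a secrets file that is still plaintext or readable by others, and shows how to materialise the password file with owner-only permissions; the script name vault_guard.sh and the ANSIBLE_VAULT_PASSWORD variable are assumptions.

```shell
#!/bin/sh
# Pre-deploy guard for the vault files under ~/app-secrets (added example).
# Assumes the file layout from the article; ANSIBLE_VAULT_PASSWORD is an
# assumed environment variable carrying the Jenkins "AnsibleVault" secret.
set -eu

# True when the file starts with an Ansible Vault header (format 1.1 or 1.2),
# i.e. it was actually produced by "ansible-vault create" or "encrypt".
is_vault_encrypted() {
    [ -f "$1" ] || return 1
    head -n 1 "$1" | grep -q '^\$ANSIBLE_VAULT;1\.[12];AES256'
}

# True when only the owner can read the file. The article's copy task sets
# owner/group but no mode, which is why the deployed .env ended up 0644.
is_owner_only() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    [ "$mode" = "600" ]
}

# Walk every file (dotfiles included) in a secrets directory and fail if any
# is still plaintext or readable by group/others.
check_secrets_dir() {
    dir=$1; rc=0
    for f in "$dir"/.[!.]* "$dir"/*; do
        [ -f "$f" ] || continue
        if ! is_vault_encrypted "$f"; then
            echo "NOT ENCRYPTED: $f" >&2; rc=1
        elif ! is_owner_only "$f"; then
            echo "TOO PERMISSIVE: $f" >&2; rc=1
        fi
    done
    return "$rc"
}

# Materialise the vault password into a 0600 temporary file, the form that
# "ansible-playbook --vault-password-file" (seen in the console output)
# expects. Prints the path; the caller must delete it after the play.
write_vault_password_file() {
    pw_file=$(mktemp "${TMPDIR:-/tmp}/vault.XXXXXX")
    chmod 600 "$pw_file"
    printf '%s' "${ANSIBLE_VAULT_PASSWORD:?set the vault password first}" > "$pw_file"
    echo "$pw_file"
}

# Usage on the Jenkins server before triggering the pipeline:
#   sh vault_guard.sh ~/app-secrets/mini
if [ "$#" -gt 0 ]; then
    check_secrets_dir "$1"
fi
```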