From 0500adadfa69a6f1c68813d5fbdafb9e1d494386 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Fri, 22 Jun 2018 19:33:23 -0500
Subject: [PATCH] ci: zabbix: Use multiple sudo-pass files

The `zabbix.yml` playbook applies to hosts that are not members of the *pyrocufflink.blue* domain, and thus have different passwords for `sudo`. Using the `-e` argument to `ansible-playbook` and specifying a single Vault-encrypted file that defines the `ansible_become_password` variable effectively forces Ansible to try to use that password on every host. This is because variables defined on the command line, or read from a file specified on the command line, have the highest precedence. To use different passwords on different hosts, the normal variable scoping rules have to be used. To that end, one `sudo-pass` file is created in the `group_vars/pyrocufflink` directory, so it will apply to all machines that are members of the *pyrocufflink.blue* domain. Additionally, another `sudo-pass` file is created in the `host_vars/gw0` directory; it will only apply to the gateway device.

---
 ci/zabbix.jenkinsfile | 63 +++++++++++++++++++++----------------------
 1 file changed, 31 insertions(+), 32 deletions(-)

diff --git a/ci/zabbix.jenkinsfile b/ci/zabbix.jenkinsfile
index 7fc27b5..fa65bca 100644
--- a/ci/zabbix.jenkinsfile
+++ b/ci/zabbix.jenkinsfile
@@ -17,53 +17,51 @@ pipeline {
 variable: 'KEYTAB')]) {
 sh 'kinit -kt "${KEYTAB}" jenkins@PYROCUFFLINK.BLUE'
 }
+ withCredentials([file(
+ credentialsId: 'vault-jenkins@pyrocufflink.blue',
+ variable: 'SUDO_PASS_FILE'
+ )]) {
+ sh 'cp "${SUDO_PASS_FILE}" group_vars/pyrocufflink/sudo-pass'
+ }
+ withCredentials([file(
+ credentialsId: 'vault-jenkins@gw0',
+ variable: 'SUDO_PASS_FILE'
+ )]) {
+ sh 'cp -f "${SUDO_PASS_FILE}" host_vars/gw0/sudo-pass'
+ }
 }
 }
 stage('Remount R/W') {
 steps {
- withCredentials([file(
- credentialsId: 'vault-jenkins@pyrocufflink.blue',
- variable: 'SUDO_PASS_FILE')]) {
- ansiblePlaybook \
- playbook: 'remount.yml',
- limit: 'zabbix',
- become: true,
- vaultCredentialsId: 'ansible-vault',
- extraVars: [
- remount_state: 'rw',
- ],
- extras: '-e@"${SUDO_PASS_FILE}"'
- }
+ ansiblePlaybook \
+ playbook: 'remount.yml',
+ limit: 'zabbix',
+ become: true,
+ vaultCredentialsId: 'ansible-vault',
+ extraVars: [
+ remount_state: 'rw',
+ ]
 }
 }
 stage('Zabbix') {
 steps {
- withCredentials([file(
- credentialsId: 'vault-jenkins@pyrocufflink.blue',
- variable: 'SUDO_PASS_FILE')]) {
- ansiblePlaybook \
- playbook: 'zabbix.yml',
- become: true,
- vaultCredentialsId: 'ansible-vault',
- extras: '-e@"${SUDO_PASS_FILE}" --diff'
- }
+ ansiblePlaybook \
+ playbook: 'zabbix.yml',
+ become: true,
+ vaultCredentialsId: 'ansible-vault',
+ extras: '--diff'
 }
 }
 stage('Remount R/O') {
 steps {
- withCredentials([file(
- credentialsId: 'vault-jenkins@pyrocufflink.blue',
- variable: 'SUDO_PASS_FILE')]) {
- ansiblePlaybook \
- playbook: 'remount.yml',
- limit: 'zabbix',
- become: true,
- vaultCredentialsId: 'ansible-vault',
- extras: '-e@"${SUDO_PASS_FILE}"'
- }
+ ansiblePlaybook \
+ playbook: 'remount.yml',
+ limit: 'zabbix',
+ become: true,
+ vaultCredentialsId: 'ansible-vault'
 }
 }
@@ -72,6 +70,7 @@ pipeline {
 post {
 always {
 sh 'kdestroy'
+ sh 'find . -name sudo-pass -delete'
 }
 failure {
 emailext \
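Review bot: The two new `cp` lines write the sudo-password files into the checked-out workspace with whatever mode the agent's umask gives a fresh copy, and they remain there for the rest of the run; `install -m 0600 "${SUDO_PASS_FILE}" group_vars/pyrocufflink/sudo-pass` (and the same for `host_vars/gw0/sudo-pass`) would keep the copies owner-readable only regardless of umask. The commit message describes the original file as Vault-encrypted, which bounds the exposure to the `ansible-vault` password if that still holds for both new credentials — worth confirming rather than assuming. The first copy uses `cp` and the second `cp -f`, so a stale `sudo-pass` that survived an earlier run would only be reliably overwritten in `host_vars/gw0`; use the same form for both. Neither `cp` creates the target directory, so the stage fails outright if `group_vars/pyrocufflink/` or `host_vars/gw0/` is not already tracked in the repository, which cannot be seen from here. The stage containing the new `withCredentials` blocks starts before the hunk.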
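Review bot: The new `find . -name sudo-pass -delete` runs after `sh 'kdestroy'`, so if `kdestroy` exits non-zero — for example when no credential cache exists because the earlier `kinit` failed — the preceding `sh` step throws and the secret files copied into the workspace are never removed, which is precisely the failure path they should not outlive. Run the cleanup first and make the ticket teardown best-effort: `sh 'find . -name sudo-pass -delete'` followed by `sh 'kdestroy || true'`. Deleting by name also covers only files called exactly `sudo-pass`, so any other copy of a credential file left behind by a future stage would be missed; if the Workspace Cleanup plugin is available on this controller, a `cleanWs()` in the same `always` block is the more robust option. The `post` block continues past the end of the hunk.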