ci: zabbix: Use multiple sudo-pass files
The `zabbix.yml` playbook applies to hosts that are not members of the *pyrocufflink.blue* domain, and thus have different passwords for `sudo`. Using the `-e` argument to `ansible-playbook` and specifying a single Vault-encrypted file that defines the `ansible_become_password` variable effectively forces Ansible to try to use that password on every host. This is because variables defined on the command line, or read from a file specified on the command line, have the highest precedence. To use different passwords on different hosts, the normal variable scoping rules have to be used. To that end, one `sudo-pass` file is created in the `group_vars/pyrocufflink` directory, so it will apply to all machines that are members of the *pyrocufflink.blue* domain. Additionally, another `sudo-pass` file is created in the `host_vars/gw0` directory; it will only apply to the gateway device.
jenkins-master
parent
b809d4294f
commit
0500adadfa
|
@ -17,53 +17,51 @@ pipeline {
|
||||||
variable: 'KEYTAB')]) {
|
variable: 'KEYTAB')]) {
|
||||||
sh 'kinit -kt "${KEYTAB}" jenkins@PYROCUFFLINK.BLUE'
|
sh 'kinit -kt "${KEYTAB}" jenkins@PYROCUFFLINK.BLUE'
|
||||||
}
|
}
|
||||||
|
withCredentials([file(
|
||||||
|
credentialsId: 'vault-jenkins@pyrocufflink.blue',
|
||||||
|
variable: 'SUDO_PASS_FILE'
|
||||||
|
)]) {
|
||||||
|
sh 'cp "${SUDO_PASS_FILE}" group_vars/pyrocufflink/sudo-pass'
|
||||||
|
}
|
||||||
|
withCredentials([file(
|
||||||
|
credentialsId: 'vault-jenkins@gw0',
|
||||||
|
variable: 'SUDO_PASS_FILE'
|
||||||
|
)]) {
|
||||||
|
sh 'cp -f "${SUDO_PASS_FILE}" host_vars/gw0/sudo-pass'
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
stage('Remount R/W') {
|
stage('Remount R/W') {
|
||||||
steps {
|
steps {
|
||||||
withCredentials([file(
|
ansiblePlaybook \
|
||||||
credentialsId: 'vault-jenkins@pyrocufflink.blue',
|
playbook: 'remount.yml',
|
||||||
variable: 'SUDO_PASS_FILE')]) {
|
limit: 'zabbix',
|
||||||
ansiblePlaybook \
|
become: true,
|
||||||
playbook: 'remount.yml',
|
vaultCredentialsId: 'ansible-vault',
|
||||||
limit: 'zabbix',
|
extraVars: [
|
||||||
become: true,
|
remount_state: 'rw',
|
||||||
vaultCredentialsId: 'ansible-vault',
|
]
|
||||||
extraVars: [
|
|
||||||
remount_state: 'rw',
|
|
||||||
],
|
|
||||||
extras: '-e@"${SUDO_PASS_FILE}"'
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
stage('Zabbix') {
|
stage('Zabbix') {
|
||||||
steps {
|
steps {
|
||||||
withCredentials([file(
|
ansiblePlaybook \
|
||||||
credentialsId: 'vault-jenkins@pyrocufflink.blue',
|
playbook: 'zabbix.yml',
|
||||||
variable: 'SUDO_PASS_FILE')]) {
|
become: true,
|
||||||
ansiblePlaybook \
|
vaultCredentialsId: 'ansible-vault',
|
||||||
playbook: 'zabbix.yml',
|
extras: '--diff'
|
||||||
become: true,
|
|
||||||
vaultCredentialsId: 'ansible-vault',
|
|
||||||
extras: '-e@"${SUDO_PASS_FILE}" --diff'
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
stage('Remount R/O') {
|
stage('Remount R/O') {
|
||||||
steps {
|
steps {
|
||||||
withCredentials([file(
|
ansiblePlaybook \
|
||||||
credentialsId: 'vault-jenkins@pyrocufflink.blue',
|
playbook: 'remount.yml',
|
||||||
variable: 'SUDO_PASS_FILE')]) {
|
limit: 'zabbix',
|
||||||
ansiblePlaybook \
|
become: true,
|
||||||
playbook: 'remount.yml',
|
vaultCredentialsId: 'ansible-vault'
|
||||||
limit: 'zabbix',
|
|
||||||
become: true,
|
|
||||||
vaultCredentialsId: 'ansible-vault',
|
|
||||||
extras: '-e@"${SUDO_PASS_FILE}"'
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -72,6 +70,7 @@ pipeline {
|
||||||
post {
|
post {
|
||||||
always {
|
always {
|
||||||
sh 'kdestroy'
|
sh 'kdestroy'
|
||||||
|
sh 'find . -name sudo-pass -delete'
|
||||||
}
|
}
|
||||||
failure {
|
failure {
|
||||||
emailext \
|
emailext \
|
||||||
|
|
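Review bot: The `cp "${SUDO_PASS_FILE}" group_vars/pyrocufflink/sudo-pass` step near the top of the first hunk has no guard against a stale `sudo-pass` left behind by an earlier run that never reached `post { always }` (agent loss, hard abort), so the playbooks could pick up a previous build's file, and the two copies are also inconsistent with each other (`cp` here versus `cp -f` for `host_vars/gw0/sudo-pass`). I would run the same cleanup before copying, `sh 'find . -name sudo-pass -delete'` as the first step of that stage, and use `cp -f` for both copies. A short comment above the copies would also help readers who do not have the commit message: `// sudo-pass files go in group_vars/host_vars (not -e@) so normal variable precedence selects the right password per host`. As far as the credential ids and the description indicate, the files stay Vault-encrypted in the workspace, so the concern is stale-file and working-tree hygiene rather than plaintext on disk; a `.gitignore` entry for `sudo-pass` would make that intent explicit. The enclosing stage and its `steps` block begin before the start of the first hunk.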