ansistrano / deploy

Ansible role to deploy scripting applications like PHP, Python, Ruby, etc. in a capistrano style
https://ansistrano.com
MIT License

Copy SSH Key with copy rather than template module #203

Closed bobbyshaw closed 7 years ago

bobbyshaw commented 7 years ago

Doing so adds support for copying encrypted keys files directly.

This was added to ansible in 2.1 to the copy command but seemingly not to template.

I tried a workaround with a before-setup script but in order to update git by ssh key a source file is required to be defined. When doing so, it overwrites the valid SSH key that was placed via custom task with the encrypted file.

ricardclau commented 7 years ago

Hi

The idea behind using template at https://github.com/ansistrano/deploy/commit/fcbc5d42694d1f8c062be5efdab45780dc32ef01 was to allow these keys to be stored in ansible vault safely.

Also, I am a bit confused with this, there is no mention of anything new added in Ansible 2.1 at http://docs.ansible.com/ansible/copy_module.html. What is the problem with template? Is it because if the key is encrypted it appears as a binary file and then the template module gets confused?

bobbyshaw commented 7 years ago

Hi,

I was finding that my encrypted key file was being copied over to the server as-is without being decrypted. Was I perhaps doing something wrong, if this was meant to work?

ansistrano_git_identity_key_path: ansible-includes/ssh.key.encrypted

The change to copy isn't well documented but was in the release notes of 2.1 (https://github.com/ansible/ansible/issues/7298#issuecomment-222700139)

ricardclau commented 7 years ago

Well, the key is copied "as-is", used in git and we use shred after that.

If you use ansible-vault to encrypt it, that should work as well (haven't used it TBH, we deploy the keys to a known location with some other process and use the files), provided you supply the vault password to your playbook.

bobbyshaw commented 7 years ago

How do you move the files in place with another process and still do a key based checkout? At the moment this is based on declaring the ansistrano_git_identity_key_path but if I wish to put this in place myself with a before task to manage it myself then it either gets overwritten if I declare the path, or uses non-key-based checkout if it's not declared.

As it's not working for me, what do you suggest?

An alternative contribution would be to add another flag variable that indicates whether to use SSH key based git checkout or not rather than deciding this based on whether you're copying a key into place or not.

ricardclau commented 7 years ago

Well, we have a "control / deployment" machine and we copy the keys there when we build the AMI

Then, our playbooks use that key that has been installed in the image baking

bobbyshaw commented 7 years ago

For users that don't use that kind of setup, what can I do? As the PR and my previous comments suggest, I'm happy to contribute code so that it does work.

What's the advantage of template over copy?

ricardclau commented 7 years ago

Well, unless I am missing something the machine that deploys needs to have a valid git ssh key in plain text, right? I still don't understand why you need to upload a crypted key, why is that?

Anyway, the idea behind using template was to be able to add these keys in the git repo, crypted with ansible-vault and then you also push your keys in a crypted format

bobbyshaw commented 7 years ago

I have a separate repository that handles the deployments via git for projects. It contains exclusively a playbook written with ansistrano and so needs to contain deployment keys that are encrypted and are able to clone my other repository containing my project.

My problem is I have vault encrypted an entire SSH key file. My SSH key is not in a variable. Can we find a way to support ssh keys in variables and files?

ricardclau commented 7 years ago

Ah, I understand now! Maybe the feature is actually broken; we are not testing it, as I am using plain text keys.

Will have to investigate a bit though, thanks for the explanations!

ricardclau commented 7 years ago

Sorry about the delay here @bobbyshaw

This seems a much better way to use vault encrypted keys and I am not even sure adding template was useful in the first place

Merging and tagging!
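As an added illustration of what this PR amounts to (example tasks, not ansistrano's own code): the key file is placed with `copy`, which decrypts a vault-encrypted source when the vault password is supplied, where `template` would ship the ciphertext as-is; the key is then used for the checkout and shredded, as the thread describes. Only `ansistrano_git_identity_key_path` is from the page; the destination path and the repo/branch variables are assumptions.

```yaml
# Added example, not part of the ansistrano role. Assumes
# ansistrano_git_identity_key_path points at a file encrypted with
# `ansible-vault encrypt` and that the play is run with a vault password.
- name: Place the deploy key (copy decrypts vault-encrypted files, template does not)
  copy:
    src: "{{ ansistrano_git_identity_key_path }}"
    dest: "{{ deploy_key_dest }}"   # assumed, e.g. "{{ ansistrano_deploy_to }}/deploy.key"
    mode: "0600"                    # readable by the deploying user only
  no_log: true                      # keep key material out of task output

# The pre-PR equivalent that left the ciphertext on the server:
# - template:
#     src: "{{ ansistrano_git_identity_key_path }}"
#     dest: "{{ deploy_key_dest }}"

- name: Clone with the copied key
  git:
    repo: "{{ ansistrano_git_repo }}"       # assumed role variable
    dest: "{{ release_path }}"              # assumed
    version: "{{ ansistrano_git_branch }}"  # assumed role variable
    key_file: "{{ deploy_key_dest }}"
    accept_hostkey: yes

- name: Shred the key once the checkout is done
  command: shred -u "{{ deploy_key_dest }}"
```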