rhedsord / openshift-devsecops

The merger of the CI/CD demos, provisioning, and DevSecOps workshop content into a single repo, built on OCP 4.x
BSD 2-Clause "Simplified" License

Lookup passwords should be put in secrets #22

Open jflowers opened 4 years ago

jflowers commented 4 years ago

Everywhere we do this:

```
roles/gitea/tasks/gitea_rhsso.yml:5:    rhsso_gitea_secret: "{{ lookup('password', '/dev/null length=15 chars=ascii_letters') }}"
roles/quay/tasks/quay_rhsso.yml:5:    rhsso_quay_secret: "{{ lookup('password', tmp_dir +'/rhsso_quay.secret length=15 chars=ascii_letters') }}"
roles/rhsso/defaults/main.yml:16:postgresql_password: "{{ lookup('password', '/dev/null length=15 chars=ascii_letters') }}"
roles/sonarqube/defaults/main.yml:4:sonarqube_password: '{{ lookup("password", tmp_dir + "/sonarqube.password chars=ascii_letters,digits") }}'
```

We should be putting this in a secret and looking for it in that secret:

  1. lookup password from file and put in a trash var solely for use in the next step
  2. put it in a secret unless the secret already exists
  3. pull value from secret into var that other tasks use

This will enable more than one person to run Ansible playbooks against a cluster.

jharmison-redhat commented 4 years ago

Lacking a better secret management tool/workflow, I think this is better than locally stashed copies for this use case. Would be good to implement specifically as a reusable role/task list/something to feed vars into rather than recoding that workflow over and over.
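One way to implement the three-step workflow from the issue as the reusable task list suggested in the reply. This is an added example, not code from the openshift-devsecops repo; it assumes the `kubernetes.core` collection (`k8s_info` and `k8s` modules) is installed and that the playbook runs with a kubeconfig that can read and create Secrets in the target namespace. The variable names (`mp_namespace`, `mp_secret`, `mp_key`, `mp_length`, `managed_password`) and the file path are hypothetical.

```yaml
# roles/managed_password/tasks/main.yml  (hypothetical reusable task list, added example)
#
# Inputs (caller-supplied vars, names assumed):
#   mp_namespace - namespace that holds the Secret
#   mp_secret    - name of the Secret
#   mp_key       - key inside the Secret (default: password)
#   mp_length    - length of a newly generated password (default: 20)
# Output fact:
#   managed_password - the value stored in the Secret, whether created on
#                      this run or by someone else on an earlier run

# Step 1: generate a throwaway candidate. /dev/null means nothing is stashed
# on the local machine; the value only matters if the Secret does not exist yet.
- name: Generate a candidate password (never written to disk)
  set_fact:
    mp_candidate: "{{ lookup('password', '/dev/null length=' ~ (mp_length | default(20)) ~ ' chars=ascii_letters,digits') }}"
  no_log: true

- name: Check whether the Secret already exists
  kubernetes.core.k8s_info:
    api_version: v1
    kind: Secret
    namespace: "{{ mp_namespace }}"
    name: "{{ mp_secret }}"
  register: mp_existing
  no_log: true   # an existing Secret's data would otherwise land in the log

# Step 2: create the Secret only when absent, so a second operator's run
# never rotates a password that running services already depend on.
- name: Create the Secret with the candidate password (only when absent)
  kubernetes.core.k8s:
    state: present
    definition:
      apiVersion: v1
      kind: Secret
      metadata:
        name: "{{ mp_secret }}"
        namespace: "{{ mp_namespace }}"
      type: Opaque
      stringData:
        "{{ mp_key | default('password') }}": "{{ mp_candidate }}"
  when: mp_existing.resources | length == 0
  no_log: true

# Step 3: the Secret is the single source of truth; read the value back from
# it rather than trusting the candidate, and expose it as a fact for later tasks.
- name: Read the stored value back from the Secret
  kubernetes.core.k8s_info:
    api_version: v1
    kind: Secret
    namespace: "{{ mp_namespace }}"
    name: "{{ mp_secret }}"
  register: mp_stored
  no_log: true

- name: Expose the stored value as managed_password
  set_fact:
    managed_password: "{{ mp_stored.resources[0].data[mp_key | default('password')] | b64decode }}"
  no_log: true
```

A role such as `rhsso` would then replace its inline `lookup('password', ...)` default with an `include_tasks: roles/managed_password/tasks/main.yml` call (passing `mp_namespace` and `mp_secret` via `vars:`) followed by `set_fact: postgresql_password: "{{ managed_password }}"`. The `no_log: true` on every task that touches the value keeps it out of playbook output, and reading the value back from the Secret in the last step is what lets two people run the playbook against the same cluster and end up with the same password.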