I'm using Ansible to clone / update a Git repository that I'm accessing via
HTTP, using username & password. Except that the "git" task really doesn't
help me.
I can't put those credentials in the URL, because they then end up stashed
in the config of the git repository. That causes problems downstream,
including disclosure of the password to anyone else who has access to the
box, and if the password changes, failures in the Ansible script.
One work-around I came up with was the following:
# set up the Git credential cache...
- name: Set up credential cache
command: git config --global credential.helper cache
# shove credentials into it...
- name: Fetch git repositories
shell: printf 'protocol=http\nhost=git.example.com\nusername={{ username
}}\npassword={{ password }}\n' | git credential approve ; if [ -d reponame.git
]; then (cd reponame.git && git pull); else git clone http://{{ username
}}@git.example.com/git/reponame reponame.git ; fi
This works, but doesn't take care of various corner cases that the Ansible
"git" task does take care of. Also potentially puts the password in the log
file. Next approximation is to write the input to git credential approve to a
file, using the "template" task, but that leaves behind a file I have to
delete. So at that point, rather than using credential "cache", use the "store".
So I ended up with this:
- name: Install temp file with personal git credentials
template: src="git_creds.txt.j2" dest="{{ ansible_env.HOME }}/git_creds.txt"
mode=0600
- name: Approve credentials for Git.
command: /bin/bash -c "git config --global credential.helper store; cat
git_creds.txt | git credential approve"
- name: Fetch Git repository
git: dest={{ ansible_env.HOME }}/reponame
repo=http://git.example.com/git/reponame
- name: remove stored creds
command: /bin/bash -c "cat git_creds.txt | git credential reject ; rm
git_creds.txt"
This has a bad failure mode, though - if the script fails, then the
credentials get left behind on the box.
Is there any better way to do this?!?!
Should I file a bug to have the "git" task take username and password, and
perform the steps that I'm going through above, but then also able to do
the cleanup if the Git command fails? Or should the "git" task be able to
push the password on stdin?
Thanks for any help!
Eric.
--
You received this message because you are subscribed to the Google Groups
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To post to this group, send email to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/ansible-project/b086e2fc-0978-43e7-ba4f-bc154b428e88%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
