Ahh sorry

> > - cat ~/.ssh/infrastructure
>
> What is the idea behind this ^^ step?

I only used it for debugging, will be removed

> - ./setup.sh -c 
>
> Obviously what happens here is unknown. 
>

This does the cloudflared client setup:

ansible-playbook playbooks/bootstrap/cloudflared-client.yml

# Playbook installs cloudflared locally
---
- hosts: localhost
  vars:
    install_only: True
    ssh_client_config: True
    ssh_client_config_group: servers
  roles:
    - papanito.cloudflared

I use cloudflared to set up an ssh tunnel, thus on the machine from which I 
connect I have to configure the ssh client accordingly:
https://developers.cloudflare.com/access/ssh/ssh-guide/#2-authenticate-the-cloudflare-daemon

> I don't see any "--vault-id", "--vault-password-file", or other 
> related parameters. 
> Also, we don't know what your ansible.cfg file above contains. 
>

Yeah, I have configured the password file in ansible.cfg:
vault_password_file = ~/.ssh/infrastructure
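
As an added example for this thread (not code from the posts above or from Ansible), here is what the `echo ... > ~/.ssh/infrastructure` and `cat ~/.ssh/infrastructure` steps of the job could be replaced with: the password file is written with a restrictive mode and stripped of carriage returns, then checked for the usual CI pitfalls, and optionally proven to work with a round trip through `ansible-vault`, all without the secret ever reaching the job log. The variable name `ANSIBLE_VAULT_PASSWORD` and the path `~/.ssh/infrastructure` are taken from the thread; the function names and the canary string are constructed for this example.

```shell
#!/bin/sh
# vault-pw-check.sh: write and sanity-check an Ansible Vault password file in CI
# without printing the secret into the job log.
# Added example for this thread; not code from the original posts or from
# Ansible. Assumed from the thread: the password arrives in the CI variable
# ANSIBLE_VAULT_PASSWORD and ansible.cfg points at ~/.ssh/infrastructure.

# write_vault_password_file VALUE DEST
# Strips carriage returns (the CRLF pitfall the job already guards against
# for its SSH key with "tr -d '\r'") and creates DEST with mode 0600.
write_vault_password_file() {
  _value=$1
  _dest=$2
  (umask 077 && printf '%s' "$_value" | tr -d '\r' > "$_dest") || return 1
  chmod 600 "$_dest"
}

# check_vault_password_file FILE
# Returns 0 when FILE looks usable; otherwise reports *what* is wrong on
# stderr (never the content) and returns 1.
check_vault_password_file() {
  _f=$1
  if [ ! -s "$_f" ]; then
    echo "vault password file $_f is missing or empty" >&2
    return 1
  fi
  if grep -q "$(printf '\r')" "$_f"; then
    echo "vault password file $_f contains carriage returns (CRLF variable?)" >&2
    return 1
  fi
  # GNU find: any group/other permission bit means other users on the
  # runner can read the secret.
  if [ -n "$(find "$_f" -perm /077)" ]; then
    echo "vault password file $_f is readable by group/others" >&2
    return 1
  fi
  echo "vault password file $_f: present, CR-free, mode OK" >&2
  return 0
}

# vault_roundtrip_check FILE
# If ansible-vault is installed, encrypts a constructed canary string with
# FILE and decrypts it again, proving the file works as a vault password
# before any playbook runs. Returns 2 when ansible-vault is not on PATH.
vault_roundtrip_check() {
  _f=$1
  command -v ansible-vault >/dev/null 2>&1 || return 2
  _tmp=$(mktemp -d) || return 1
  printf 'canary-%s\n' "$$" > "$_tmp/plain"
  ansible-vault encrypt --vault-password-file "$_f" \
      --output "$_tmp/enc" "$_tmp/plain" >/dev/null 2>&1 || { rm -rf "$_tmp"; return 1; }
  _out=$(ansible-vault view --vault-password-file "$_f" "$_tmp/enc" 2>/dev/null)
  _rc=1
  [ "$_out" = "canary-$$" ] && _rc=0
  rm -rf "$_tmp"
  return $_rc
}

# Script usage (one argument: the password file path), e.g. in before_script:
#   sh vault-pw-check.sh ~/.ssh/infrastructure
if [ "$#" -gt 0 ]; then
  write_vault_password_file "${ANSIBLE_VAULT_PASSWORD:-}" "$1" &&
  check_vault_password_file "$1" &&
  vault_roundtrip_check "$1"
fi
```

The check names the failure (missing, empty, CR-contaminated, or readable by others) without echoing the file, so the log stays useful for debugging while the vault password stays out of it. The round trip passes `--vault-password-file` explicitly, so it tells you whether the file itself is good independently of whether ansible.cfg is being picked up in the job.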



On Friday, 14 August 2020 13:43:10 UTC+2, Dick Visser wrote:
>
> On Fri, 14 Aug 2020 at 08:37, Papanito <papa...@wyssmann.com> wrote: 
> > 
> > Here is my .gitlab-ci.yml
> >
> > variables:
> >   SITE: "site.yml"
> >   PLAYBOOKS: "playbooks/**/*.yml"
> >   ANSIBLE_CONFIG: "./ansible.cfg"
> >
> > stages:
> >   - verify
> >   - deploy
> >
> > before_script:
> >   - chmod 740 $CI_PROJECT_DIR
> >   - whoami
> >   - apt-get update -qy # update system
> >   - apt-get install python3.7 python3-apt python3-tango- -qy
> >   - update-alternatives --install /usr/bin/python python /usr/bin/python3.7 1
> >   - update-alternatives --set python /usr/bin/python3.7
> >   - python --version
> >   - mkdir ~/.ssh
> >   - chmod 700 ~/.ssh
> >   - eval "$(ssh-agent -s)"
> >   - cat $SSH_KNOWN_HOSTS | tr -d '\r' > ~/.ssh/known_hosts
> >   - cat $SSH_PRIVATE_KEY | tr -d '\r' | ssh-add -
> >   - apt-get install ansible ansible-lint -qy
> >   - git submodule update --init
> >   - ansible --version
> >   - ansible-lint --version
> >   - ansible-galaxy install -r requirements.yml
> >   - echo "$ANSIBLE_VAULT_PASSWORD" > ~/.ssh/infrastructure
>
> >   - cat ~/.ssh/infrastructure
>
> What is the idea behind this ^^ step? 
>
> >   - ./setup.sh -c
>
> Obviously what happens here is unknown. 
>
>
>
>
> >
> > ansible-verify:
> >   stage: verify
> >   script:
> >     - ansible-lint -v $SITE
> >     - ansible-lint -v $PLAYBOOKS
> >     - ansible-playbook --syntax-check $SITE
> >     - ansible-playbook --syntax-check $PLAYBOOKS -e target=servers
>
> I don't see any "--vault-id", "--vault-password-file", or other 
> related parameters. 
> Also, we don't know what your ansible.cfg file above contains. 
>
> You need to make sure that ansible-playbook knows where to find the 
> vault password. 
> Either by command parameters, or through a configuration file. 
>
>
>
> >
> > ansible-dry-run:
> >   stage: deploy
> >   script:
> >     - ansible-playbook --check $SITE -vvvv
> >
> > ansible-apply:
> >   stage: deploy
> >   script:
> >     - ansible-playbook $SITE
> >   rules:
> >     - if: '$CI_COMMIT_BRANCH == "master"'
> > 
> > 
> > 
> > On Thursday, August 13, 2020 at 3:52:01 PM UTC+2 dick....@geant.org 
> wrote: 
> >> 
> >> The problem might be in the way you invoke ansible-playbook in the 
> gitlab CI. 
> >> So, what does your .gitlab-ci.yml look like? 
> >> 
> >> On Thu, 13 Aug 2020 at 13:09, Papanito <papa...@wyssmann.com> wrote: 
> >> > 
> >> > I already checked 
> https://docs.ansible.com/ansible/latest/user_guide/vault.html but I don't 
> see where the problem is. 
> >> > 
> >> > I use a shared gitlab runner: 
> https://docs.gitlab.com/ee/ci/runners/README.html 
> >> > 
> >> > Well, in the end it's a docker image, so do you think it is still a CI issue 
> or can it be related to python/ansible versions? 
> >> > 
> >> > On Thursday, August 13, 2020 at 12:17:29 PM UTC+2 dick....@geant.org 
> wrote: 
> >> >> 
> >> >> This seems to be a problem specific to your CI tool, so a logical 
> >> >> place would be to consult the support channels of that CI tool 
> >> >> (whichever it was - you didn't tell). 
> >> >> Either way, how ansible-vault works is explained here: 
> >> >> https://docs.ansible.com/ansible/latest/user_guide/vault.html. 
> >> >> Fix your CI so that it uses ansible-vault using those instructions. 
> >> >> 
> >> >> On Thu, 13 Aug 2020 at 12:07, Papanito <papa...@wyssmann.com> 
> wrote: 
> >> >> > 
> >> >> > Even though I explicitly set python3 as default, I still get the same 
> error as mentioned. This is what I do on my ci-server: 
> >> >> > 
> >> >> > - apt-get install python3.7 python3-apt -qy 
> >> >> > - update-alternatives --install /usr/bin/python python /usr/bin/python3.7 1 
> >> >> > - update-alternatives --set python /usr/bin/python3.7 
> >> >> > 
> >> >> > I can confirm that on my ci-server python 3.7 is installed as 
> default 
> >> >> > 
> >> >> > python --version 
> >> >> > Python 3.7.3 
> >> >> > On Thursday, August 13, 2020 at 10:13:07 AM UTC+2 Papanito wrote: 
> >> >> >> 
> >> >> >> Ok got it, the ci-machine runs on python 2 whereas on my 
> dev-machine I have python 3. 
> >> >> >> 
> >> >> >> On Thursday, August 13, 2020 at 9:35:59 AM UTC+2 Papanito wrote: 
> >> >> >>> 
> >> >> >>> I am using ansible 2.9.11 on my dev machine (arch linux) where I 
> encrypted ./resources/cloudflare/cert.pem using ansible-vault with a 
> password file. I have committed the file to source control. 
> >> >> >>> 
> >> >> >>> I can run the playbook without issues on my dev-machine i.e. 
> decryption works 
> >> >> >>> 
> >> >> >>> Now on my ci machine - which is running ubuntu and ansible 2.7.7 
> - the run of the playbook fails with 
> >> >> >>> 
> >> >> >>> 
> >> >> >>> Tried to use the vault secret (default) to decrypt 
> (/builds/papanito/infrastructure/resources/cloudflare/cert.pem) but it 
> failed. Error: HMAC verification failed: Signature did not match digest. 
> >> >> >>> fatal: [node003]: FAILED! => { 
> >> >> >>> "msg": "Decryption failed (no vault secrets were found that 
> could decrypt) on 
> /builds/papanito/infrastructure/resources/cloudflare/cert.pem" 
> >> >> >>> 
> >> >> >>> I can confirm that I have the password file on the ci-machine 
> and the password in it is correct. So what's going on here? Why does 
> decryption not work? 
> >> >> > 
> >> >> > -- 
> >> >> > You received this message because you are subscribed to the Google 
> Groups "Ansible Project" group. 
> >> >> > To unsubscribe from this group and stop receiving emails from it, 
> send an email to ansible-proje...@googlegroups.com. 
> >> >> > To view this discussion on the web visit 
> https://groups.google.com/d/msgid/ansible-project/1f3fc51e-4e93-4b16-9233-099274f6e1c5n%40googlegroups.com.
>  
>
> >> >> 
> >> >> 
> >> >> 
> >> >> -- 
> >> >> Dick Visser 
> >> >> Trust & Identity Service Operations Manager 
> >> >> GÉANT 
> >> > 
> >> 
> >> 
> >> 
> >> -- 
> >> Dick Visser 
> >> Trust & Identity Service Operations Manager 
> >> GÉANT 
> > 
>
>
>
> -- 
> Dick Visser 
> Trust & Identity Service Operations Manager 
> GÉANT 
>
