ansible/examples/builder.yml: use secret for jenkins_api_token
authorDan Mick <dmick@redhat.com>
Thu, 8 Jun 2023 08:59:28 +0000 (01:59 -0700)
committerDan Mick <dmick@redhat.com>
Mon, 10 Jul 2023 23:17:39 +0000 (16:17 -0700)
Put it into variable 'token' for all the other tasks.

Signed-off-by: Dan Mick <dmick@redhat.com>
ansible/ansible.cfg
ansible/examples/builder.yml

index 8ac5e420e0cdd7866136062adcb8bfefca7066f8..585ae0350be1e6b7f76a80812aa580a3a512390b 100644 (file)
@@ -1,6 +1,7 @@
 [defaults]
 callback_plugins = callbacks
 retry_files_enabled = False
+vault_password_file = ~/.vault_pass.txt
 
 [ssh_connection]
 pipelining=True
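Review bot: With `vault_password_file = ~/.vault_pass.txt` in the shared `[defaults]`, every run that picks up this ansible.cfg now depends on a file in the operator's home directory, and Ansible normally aborts when a configured vault password file is missing. That file unlocks every vaulted secret, so the requirement should be documented next to the setting, for example `# vault password for the encrypted secrets files; create with mode 0600, keep out of git`. If a plaintext password on disk is not acceptable, Ansible also accepts an executable script at this path that fetches the password from a keyring or secret store.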
index 8ed95543f8908691efdf7dc997e7d4fcdb47b987..2ecad6ef23245298f80263621a658f430fa6719f 100644 (file)
     - libvirt: false # Should vagrant be installed?
     - permanent: false # Is this a permanent builder?  Since the ephemeral (non-permanent) tasks get run more often, we'll default to false.
     - jenkins_user: 'jenkins-build'
-    #- jenkins_key: This gets defined below now.
-    # jenkins API credentials:
     - api_user: 'ceph-jenkins'
-    - token: '{{ token }}'
     - api_uri: 'https://jenkins.ceph.com'
     - jenkins_credentials_uuid: 'jenkins-build'
     - nodename: '{{ nodename }}'
     - osc_user: 'username'
     - osc_pass: 'password'
     - container_mirror: 'docker-mirror.front.sepia.ceph.com:5000'
+    - secrets_path: "{{ lookup('env', 'ANSIBLE_SECRETS_PATH') | default('/etc/ansible/secrets', true) }}"
+
 
   tasks:
+    - name: "Include secrets"
+      include_vars: "{{ secrets_path | mandatory }}/jenkins_api_token.yml"
+      no_log: true
+      tags:
+        always
+
+    - set_fact:
+        token: "{{ jenkins_api_token }}"
+      no_log: true
+      tags:
+        always
+
     ## DEFINE PACKAGE LISTS BELOW
     # Universal DEBs
     - set_fact:
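Review bot: The `no_log: true` on the two added tasks only covers loading the token; any later task that interpolates `{{ token }}` will still print it in task output or under `-v` unless it sets `no_log: true` as well. Those tasks are outside this hunk, so this could not be checked here. The `| mandatory` filter on `secrets_path` can never fire, because `default('/etc/ansible/secrets', true)` always yields a non-empty value. A missing or unencrypted secrets file will instead surface as an `include_vars` failure whose details `no_log` hides. I would also name the second task, e.g. `- name: "Set token from jenkins_api_token"`, and write the tags inline as `tags: always`.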