From: Dan Mick Date: Thu, 8 Jun 2023 08:59:28 +0000 (-0700) Subject: ansible/examples/builder.yml: use secret for jenkins_api_token X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=b1290b4d4e2c9585646e1ccba2e28f4fcd72b101;p=ceph-build.git ansible/examples/builder.yml: use secret for jenkins_api_token Put it into variable 'token' for all the other tasks. Signed-off-by: Dan Mick --- diff --git a/ansible/ansible.cfg b/ansible/ansible.cfg index 8ac5e420..585ae035 100644 --- a/ansible/ansible.cfg +++ b/ansible/ansible.cfg @@ -1,6 +1,7 @@ [defaults] callback_plugins = callbacks retry_files_enabled = False +vault_password_file = ~/.vault_pass.txt [ssh_connection] pipelining=True diff --git a/ansible/examples/builder.yml b/ansible/examples/builder.yml index 8ed95543..2ecad6ef 100644 --- a/ansible/examples/builder.yml +++ b/ansible/examples/builder.yml @@ -13,10 +13,7 @@ - libvirt: false # Should vagrant be installed? - permanent: false # Is this a permanent builder? Since the ephemeral (non-permanent) tasks get run more often, we'll default to false. - jenkins_user: 'jenkins-build' - #- jenkins_key: This gets defined below now. - # jenkins API credentials: - api_user: 'ceph-jenkins' - - token: '{{ token }}' - api_uri: 'https://jenkins.ceph.com' - jenkins_credentials_uuid: 'jenkins-build' - nodename: '{{ nodename }}' @@ -25,8 +22,22 @@ - osc_user: 'username' - osc_pass: 'password' - container_mirror: 'docker-mirror.front.sepia.ceph.com:5000' + - secrets_path: "{{ lookup('env', 'ANSIBLE_SECRETS_PATH') | default('/etc/ansible/secrets', true) }}" + tasks: + - name: "Include secrets" + include_vars: "{{ secrets_path | mandatory }}/jenkins_api_token.yml" + no_log: true + tags: + always + + - set_fact: + token: "{{ jenkins_api_token }}" + no_log: true + tags: + always + ## DEFINE PACKAGE LISTS BELOW # Universal DEBs - set_fact:
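Review bot: The added `vault_password_file = ~/.vault_pass.txt` in `[defaults]` of ansible/ansible.cfg applies to every playbook run from this directory, yet nothing says what the file is for or how it must be protected. As far as I know, Ansible aborts when the configured file is missing and runs it as a script when it is executable, so anyone without that file may find unrelated playbooks failing. I would add a comment above the setting, e.g. `# Vault password for the files under secrets_path; keep it outside the repo, mode 0600, not executable. Override with ANSIBLE_VAULT_PASSWORD_FILE.`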
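Review bot: In the `@@ -25,8 +22,22 @@` hunk of ansible/examples/builder.yml, `secrets_path | mandatory` can never fire, because `default('/etc/ansible/secrets', true)` on the vars line always supplies a value. Nothing checks that the included file defines a non-empty `jenkins_api_token` either. With `no_log: true` on the unnamed `set_fact`, a missing or empty token will probably show up only as a censored failure, or later as a Jenkins authentication error. I would drop the `| mandatory`, give the `set_fact` a name, and add a check between the two tasks that reports the path but never the value, as sketched below. The `tasks:` list continues outside the hunk, so it is worth confirming that later tasks which interpolate `token` also set `no_log: true`.

```yaml
# … unchanged: "Include secrets" include_vars task …

    - name: "Verify the Jenkins API token was loaded"
      assert:
        that:
          - jenkins_api_token is defined
          - jenkins_api_token | length > 0
        fail_msg: "jenkins_api_token missing or empty in {{ secrets_path }}/jenkins_api_token.yml"
        quiet: true
      tags:
        always

    - name: "Expose the Jenkins API token as 'token'"
      set_fact:
        token: "{{ jenkins_api_token }}"
      # … unchanged: no_log and tags …
```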