
Ansible Vault

An Ansible Vault is a secure (albeit rudimentary) way for us to handle passwords. We will need it to help secure our cluster. It is already installed, since it ships with Ansible, and we already configured it with our script at the very beginning of the guide. Later, we will be able to migrate passwords to even more secure locations.

Run this command:

touch ~/.HAB/vault-hosts && ansible-vault encrypt ~/.HAB/vault-hosts

This will create the vault (an empty file named vault-hosts) and encrypt it with the password found at ~/HAB/.ansible_vault_access (check ansible.cfg to see the mapping).

You should see this response:

% touch ~/.HAB/vault-hosts && ansible-vault encrypt ~/.HAB/vault-hosts
Encryption successful

You should also view the file you just encrypted to see what it looks like in clear text:

cat ~/.HAB/vault-hosts

Voilà! No need to worry about these files hitting the terminal from basic commands: they cannot be read. To view the decrypted contents, you can run (though the file is empty, so you won't see anything yet):

ansible-vault view ~/.HAB/vault-hosts

We will keep secrets in encrypted files like this whenever possible. To edit one, you would simply use

ansible-vault edit ~/.HAB/vault-hosts

To quit the editor type :q.
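The point of the cat check above is that a vault file should only ever show the encrypted envelope. As an added example (not part of this guide or of Ansible), here is a small Python check you can run over ~/.HAB before copying or committing files, to catch a vault file that was accidentally saved in clear text. The sample texts are constructed; the hex body is filler, not real vault output.

```python
import re
from pathlib import Path
from typing import Dict, Iterable, List, Optional

# Envelope written by `ansible-vault encrypt`: one header line, then the
# hex-encoded payload (salt, HMAC, ciphertext) wrapped onto 80-column lines.
# Format 1.2 appends a vault id, e.g. "$ANSIBLE_VAULT;1.2;AES256;dev".
HEADER_RE = re.compile(
    r"^\$ANSIBLE_VAULT;(?P<version>1\.[12]);(?P<cipher>AES256)"
    r"(?:;(?P<vault_id>[^\s;]+))?$"
)
HEX_LINE_RE = re.compile(r"^[0-9a-fA-F]+$")


def parse_vault_header(text: str) -> Optional[dict]:
    """Return header fields if `text` is a well-formed vault envelope, else None.

    Stricter than Ansible's own is_encrypted(), which only looks at the
    '$ANSIBLE_VAULT;' prefix: here the body must also be non-empty hex.
    """
    lines = text.splitlines()
    if not lines:
        return None
    match = HEADER_RE.match(lines[0].strip())
    if match is None:
        return None
    body = [line.strip() for line in lines[1:] if line.strip()]
    if not body or not all(HEX_LINE_RE.match(line) for line in body):
        return None
    return {**match.groupdict(), "body_lines": len(body)}


def is_vault_encrypted(text: str) -> bool:
    return parse_vault_header(text) is not None


def unencrypted_entries(entries: Dict[str, str]) -> List[str]:
    """Names of entries (name -> file text) that are NOT vault-encrypted."""
    return sorted(n for n, t in entries.items() if not is_vault_encrypted(t))


def scan_files(paths: Iterable[str]) -> List[str]:
    """Same check over real files, e.g. the vault-* files under ~/.HAB."""
    return unencrypted_entries({p: Path(p).read_text(errors="replace") for p in paths})


# Constructed samples (filler hex, not a real ciphertext) for a quick run.
SAMPLE_VAULT = "$ANSIBLE_VAULT;1.1;AES256\n" + "ab" * 40 + "\n" + "3f" * 10 + "\n"
SAMPLE_PLAINTEXT = "db_password: hunter2\n"

if __name__ == "__main__":
    hab = Path.home() / ".HAB"
    print(scan_files(str(p) for p in hab.glob("vault-*")) if hab.is_dir() else
          unencrypted_entries({"vault-hosts": SAMPLE_VAULT, "hosts.yml": SAMPLE_PLAINTEXT}))
```

Anything the scan lists is sitting on disk in clear text and should be re-encrypted with ansible-vault encrypt before it goes anywhere.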

Word To The Wise

Ansible Vault can get really finicky with regard to finding the config files needed to map to your password, so be sure you are executing commands in the top level hab-plays folder at all times.

To be clear, we could put all of these steps in Ansible and abstract this layer away entirely, but it's instructive to keep them outside the automation: these files hold the keys to much of the castle we are building, and if you are ever locked out, it's important to know how to regain access.

Caution: You will be unable to build any live hosts without first following the Ansible Vault steps in this section. This is by design.

Speaking of Security...

If you don't have any ssh RSA keys, you should create some before moving on.

Ready to get some live hosts? Let's do it!