
Ansible plugin vault key


Alexandre Castel

Jan 13, 2025, 3:52:50 AM
to rundeck-discuss
Hello,

We're currently testing an upgrade of Rundeck Community 4.16 to 5.7.
The upgrade went well except for one thing: the Ansible plugin.

With the new version, the vault key defined in the job is not passed.
I have this simple job:

[image: simple_job.png] (extra vars: nodenames: ${option.Host})

My playbook has a token and the job must decrypt it with Ansible Vault.

When I launch it in debug mode, I see that the vault key is not passed:

procArgs: [ansible-playbook, /etc/rundeck/ansible-playbook/awx_pm_simple_launch.yml, -l, localhost, -vvv, --extra-vars=@/var/lib/rundeck/var/tmp/ansible-runner18244828759173027225extra-vars]
waiting for vault password prompt (None)...
waiting for vault password prompt (None)...
Enter Password (None):

and later in the log:
task path: /etc/rundeck/ansible-playbook/awx_pm_simple_launch.yml:18
fatal: [localhost]: FAILED! => {
    "msg": "Decryption failed (no vault secrets were found that could decrypt)"
}

keys/ansible-vault exists; I recreated it 2-3 times (and of course, it's the right password :) )
This job works fine in my prod environment (running Rundeck Community 4.16).
I tested 2 versions of ansible-plugins:
- 4.0.4, provided by Rundeck 5.7
- 4.0.7, the latest version

I was expecting an argument like this to be passed (log from my working job):
procArgs: [ansible-playbook, /etc/rundeck/ansible-playbook/awx_pm_simple_launch.yml, -l, localhost, -vvv, --extra-vars=@/tmp/rundeck/ansible-runner16022651087442681634extra-vars, --vault-password-file=/tmp/rundeck/ansible-runner16202939694114564451vault]

Did I miss something?

rac...@rundeck.com

Jan 13, 2025, 6:38:53 AM
to rundeck-discuss
Hi,

Can you test the latest plugin version (4.0.7)? To do so, please update the plugin. The latest Rundeck version includes the Ansible plugin 4.0.5.

Regards!

Alexandre Castel

Jan 14, 2025, 8:46:34 AM
to rundeck-discuss
Hi,

I already tested 4.0.7 but no luck, still no key-vault sent.
[image: ansibleplugin.png]

rac...@rundeck.com

Jan 14, 2025, 11:04:26 AM
to rundeck-discuss

Hi Alexandre,

I see. I’ve tested on my end (Rundeck 5.8.0 / Ansible plugin 4.0.5) as follows:

Ansible side config and test

1.- My ansible.cfg:

    [defaults]
    inventory=/home/reideianto/Deployments/ansible/config/hosts
    nocows=1

2.- My inventory file; the USER_NAME variable is encrypted by ansible-vault in a file called main.yml:

    [the_farm]
    192.168.56.20
    192.168.56.21
    192.168.56.22

    [the_farm:vars]
    use_extra_vars=true
    ansible_user= {{ USER_NAME }}

3.- A basic/example playbook (ping_vault.yml) that uses that vault password:

    - hosts: all
      vars_files:
        - /home/reideianto/Deployments/ansible/config/vaults/main.yml
      tasks:
        - name: Ping
          ping:

4.- Now, I’ve tested directly from Ansible (not via Rundeck) with the following command:

    ansible-playbook ping_vault.yml --ask-vault-pass

Obtaining the following result:

    Vault password:
    PLAY [all] ***********************************************************************************************************************************************************************
    TASK [Gathering Facts] ***********************************************************************************************************************************************************
    ok: [192.168.56.20]
    ok: [192.168.56.22]
    ok: [192.168.56.21]
    TASK [Ping] **********************************************************************************************************************************************************************
    ok: [192.168.56.20]
    ok: [192.168.56.22]
    ok: [192.168.56.21]
    PLAY RECAP ***********************************************************************************************************************************************************************
    192.168.56.20 : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
    192.168.56.21 : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
    192.168.56.22 : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0

5.- Passing the wrong password, the result is as expected (it fails):

    Vault password:
    ERROR! Decryption failed (no vault secrets were found that could decrypt) on /home/reideianto/Deployments/ansible/config/vaults/main.yml

Now let’s integrate Ansible and Rundeck

1.- My Ansible model source config (take a look). Check your settings carefully here.

2.- My Node executor config (take a look).

3.- My Job definition (contains the same playbook tested in the “only ansible test” as an inline playbook):

    - defaultTab: nodes
      description: ''
      executionEnabled: true
      id: c2c64069-2ac8-4857-b872-87e3191539ce
      loglevel: INFO
      name: VaultTest
      nodeFilterEditable: false
      nodefilters:
        dispatch:
          excludePrecedence: true
          keepgoing: false
          rankOrder: ascending
          successOnEmptyNodeFilter: false
          threadcount: '1'
        filter: 192.*
      nodesSelectedByDefault: true
      plugins:
        ExecutionLifecycle: {}
      scheduleEnabled: true
      sequence:
        commands:
        - configuration:
            ansible-base-dir-path: /home/reideianto/Deployments/ansible/config/
            ansible-become: 'false'
            ansible-binaries-dir-path: /home/reideianto/.local/bin/
            ansible-encrypt-extra-vars: 'false'
            ansible-playbook-inline: |-
              - hosts: all
                vars_files:
                  - /home/reideianto/Deployments/ansible/config/vaults/main.yml
                tasks:
                  - name: Ping
                    ping:
            ansible-ssh-passphrase-option: option.password
            ansible-ssh-use-agent: 'false'
            ansible-vault-storage-path: keys/vaultpasswd
          nodeStep: true
          type: com.batix.rundeck.plugins.AnsiblePlaybookInlineWorkflowNodeStep
        keepgoing: false
        strategy: node-first
      uuid: c2c64069-2ac8-4857-b872-87e3191539ce

4.- The vault password is stored on the keys/vaultpasswd Key Storage path (Rundeck).

5.- With the right password (take a look).

6.- With the wrong password (take a look).

Could you test your environment in this way? Probably I’m missing something.

Regards!

Alexandre Castel

Jan 17, 2025, 3:46:58 AM
to rundeck-discuss
Hi,

Thanks to all your information, I recreated a project to test everything.
It seems like the user (me) was the problem again: the vault password was wrong ...
Damn special character inside; it didn't display correctly!

Nevertheless, something is off with the debug mode.
When you run a Rundeck job in debug mode, it doesn't display the vault password sent like before:
ansible-plugins-3.2.5 => procArgs: [ansible-playbook, /etc/rundeck/ansible-playbook/awx_pm_simple_launch.yml, -l, localhost, -vvv, --extra-vars=@/tmp/rundeck/ansible-runner3036298140453214118extra-vars, --vault-password-file=/tmp/rundeck/ansible-runner2796122056635081851vault]

ansible-plugins-4.0.7 => procArgs: [ansible-playbook, /etc/rundeck/ansible-playbook/awx_pm_simple_launch.yml, -l, localhost, -vvv, --extra-vars=@/var/lib/rundeck/var/tmp/ansible-runner10626938259769063478extra-vars]

Did they change the way the vault password is sent?


Thank you for your time!
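The following Python script is an added example, not code from this thread, from Rundeck or from the Ansible plugin. It illustrates two things the thread turns on: the two procArgs shapes (the 3.2.5 line carries --vault-password-file=<tmpfile>, the 4.0.7 run instead waits for the "vault password prompt"), and the root cause found above, a vault password with a special character that did not display correctly. It also approximates the offline "only ansible" test from the Rundeck reply (right password succeeds, wrong password fails with the same error text). A constructed stand-in replaces ansible-playbook so it runs without Ansible; that the newer plugin answers the prompt over stdin is an assumption of the example, not something the thread confirms.

```python
# Added example (not from the thread, not Rundeck or Ansible plugin code).
# Two ways of handing a vault password to a child process, mirroring the two
# procArgs shapes in the thread, plus a lint for passwords that look fine in a
# key-storage UI but are not what you think they are.
import os
import subprocess
import sys
import tempfile
import unicodedata

# Constructed stand-in for ansible-playbook. argv[1] is the password that would
# decrypt the vault. It accepts --vault-password-file=<path> like the real tool and
# otherwise prompts on stdout and reads one line from stdin.
FAKE_PLAYBOOK = r"""
import sys
expected = sys.argv[1]
files = [a for a in sys.argv[2:] if a.startswith("--vault-password-file=")]
if files:
    with open(files[0].split("=", 1)[1]) as fh:
        given = fh.read().rstrip("\n")
else:
    sys.stdout.write("Vault password: ")
    sys.stdout.flush()
    given = sys.stdin.readline().rstrip("\n")
if given != expected:
    sys.stderr.write("ERROR! Decryption failed (no vault secrets were found that could decrypt)\n")
    sys.exit(1)
sys.stdout.write("PLAY RECAP: ok\n")
"""


def fake_playbook_cmd(expected: str) -> list:
    """Command line for the constructed stand-in (hypothetical helper)."""
    return [sys.executable, "-c", FAKE_PLAYBOOK, expected]


def lint_vault_password(secret: str) -> list:
    """Flag what a key-storage UI will not show you: surrounding whitespace (a
    trailing newline from a file upload is the classic case), control or
    zero-width characters, and non-ASCII characters that may not survive a
    copy/paste or an encoding change."""
    findings = []
    if secret != secret.strip():
        findings.append("leading/trailing whitespace")
    for ch in secret:
        if unicodedata.category(ch).startswith("C"):
            findings.append(f"invisible character U+{ord(ch):04X} ({unicodedata.name(ch, 'control')})")
        elif ord(ch) > 0x7F:
            findings.append(f"non-ASCII character {ch!r} (U+{ord(ch):04X})")
    return findings


def run_with_password_file(cmd: list, secret: str) -> int:
    """Older-plugin style: the secret is written to a temp file (mkstemp gives
    mode 0600) and the path is put on the command line, so it shows up in
    procArgs / ps output and sits on disk until the file is removed."""
    fd, path = tempfile.mkstemp(prefix="vault-")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(secret + "\n")
        return subprocess.run(cmd + [f"--vault-password-file={path}"],
                              capture_output=True).returncode
    finally:
        os.unlink(path)


def run_with_prompt(cmd: list, secret: str, marker: bytes = b"password") -> int:
    """Newer-plugin style (assumed): start the command, wait until its stdout
    shows the vault prompt, then answer on stdin. Nothing about the secret
    appears in the argument list or on the filesystem, which is also why a
    debug log of procArgs no longer shows a --vault-password-file entry."""
    proc = subprocess.Popen(cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE,
                            stderr=subprocess.PIPE, bufsize=0)
    seen = b""
    while marker not in seen.lower():
        byte = proc.stdout.read(1)
        if not byte:            # child exited without ever asking
            proc.communicate()
            return proc.returncode
        seen += byte
    proc.stdin.write(secret.encode() + b"\n")
    proc.communicate()          # drains stdout/stderr and closes stdin
    return proc.returncode


if __name__ == "__main__":
    cmd = fake_playbook_cmd("correct-horse")
    print("lint:", lint_vault_password("c0rrect-h\u00f6rse\n"))
    print("temp file, right password:", run_with_password_file(cmd, "correct-horse"))
    print("prompt,    wrong password:", run_with_prompt(cmd, "wrong"))
```

Run the lint on a vault password before storing it in Key Storage: anything it reports is a character the UI may render wrongly or not at all. The prompt route is the one to prefer for the password itself; the temp-file route leaves the secret on disk and the path in process listings for the lifetime of the run.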
