+44 20 3287 1023
support@nicktailor.com
My Git Repos

How to pass an API key with Ansible

| May 19, 2022

https://chronosphere.io/ – Third Party Cloud Monitoring Solution

Chronocollector: – https://github.com/Perfect10NickTailor/chronocollector

This role deploys the chronocollector management service which sends the data to domain.chronosphere.io For those of you who don’t know what it is. Its basically a cloud monitoring tool that scrapes data on your instances and then you can create dashboards or even export the data to promethus to make it look pretty and easy to read. You will likely pay for subscription, they will give you a subdomain which becomes your gateway address (domain.chronosphere.io)

Special note: You then need to deploy the node_exporter to push to the hosts you want scraped. That is a separate playbook and stupid easy.

This role will download the latest collector
It will install the latest collector
It will check to see if the ‘service’ its added to systemd, if nots.. adds it, if the service is there, it will move on and simply start the service.

#nowthatsjustfunny: So its debatable on how to approach passing {{ api_keys }} in a scalable and secure way. A lot of people create an “ansible vault encrypted variable”. This is so that when they push their code to their git repos. The {{ api_key }} isn’t exposed to someone simply glancing by the code. The issue with this approach is now you have to remember a vault password to pass to ansible, so it can decrypt the {{ api_key }} to pass, inorder for it to work when you run the playbook.(LAME)

.

#nowthatsjustcool: So just for the purposes of this post and for fun. I wrote it so that you can simply pass the {{ api_key }} during runtime. This way instead of being prompted for the vault-pass, you are prompted for the api_key to pass as a variable when you run the book. This gets rid of the need to setup a encrypted variable in your code entirely. Everyone has their own way of doing things, but I tend to think outside the box, so it always way more fun to be different in how you think.

.

Ansible Operational Documentation

How to use this role:

1.You must first download the git repository
a.git clone git@github.com:Perfect10NickTailor/chronocollector.git
2.Under your user you will see a directory called chronocollector cd into this directory here you will see the defaults/main.yml where you can see what you can pass to groups_vars & host_vars
b.cd chronocollector

.

3.Next you want edit the hosts.client inside your ansible/inventory/dev/hosts.client

Example file: hosts.dev or hosts.staging

c.Put your server under the appropriate group inside the file and save
i.Testmachine1 ansible_host=192.168.60.10

Running your playbook:

1.You must run your play book from inside parent ansible directory

.

2.Now there is a playbook called chronocollector.yml in the ansible directory which simply calls the chronocollector role inside the ansible/roles/chronocollector directory, where the role should be living.

Example: of ansible/chronocollector.yml

hosts: all

  gather_facts: no

  vars_prompt:

  – name: api_key

    prompt: Enter the API key

  roles:

    – role: chronocollector

.

Command:

ansible-playbook -i inventory/dev/hosts.dev chronocollector.yml -u nickadmin -Kkb –ask-become –limit=’testmachine3′

-i : This flag tells ansibe-playbook command which hosts file to use, these are always defined by customer like hosts.dev or hosts.staging
-u : this is the ssh_user you will be connecting to the servers with
-Kkb : this tells ansible that you will be using sudo su – for the ssh_user when running all role/tasks
-ask-beocme : is saying become root
-limit=’server’ : this allows you to segement which server you want to run the playbook against.

.

Successful run:

.

Notice: It asks you for the API key at runtime.

ntailor@jumphost:~/ansible2$ ansible-playbook -i ansible/inventory/dev/hosts.dev chronocollector.yml -u nicktadmin -Kkb –ask-become –limit=’testmachine3′

SSH password:

BECOME password[defaults to SSH password]:

Enter the API key:

.

PLAY [all] ***************************************************************************************************************************************************************************************************************

.

TASK [chronocollector : download node collector] *************************************************************************************************************************************************************************

ok: [testmachine3]

.

TASK [chronocollector : move collector to /usr/local/bin] ****************************************************************************************************************************************************************

ok: [testmachine3]

.

TASK [chronocollector : mkdir directory /etc/chronocollector] ************************************************************************************************************************************************************

ok: [testmachine3]

.

TASK [chronocollector : Copy default config.yml to /etc/chronocollector/] ************************************************************************************************************************************************

ok: [testmachine3]

.

TASK [chronocollector : Touch again the same file, but do not change times this makes the task idempotent] ***************************************************************************************************************

changed: [testmachine3]

.

TASK [chronocollector : Ensure API key is present in config file] ********************************************************************************************************************************************************

changed: [testmachine3]

.

TASK [chronocollector : Change file ownership, group and permissions apitoken file to secure it from prying eyes other than root] ****************************************************************************************

changed: [testmachine3]

.

TASK [chronocollector : Check that the service file /etc/systemd/system/collector.service exists] ************************************************************************************************************************

ok: [testmachine3]

.

TASK [chronocollector : Include add systemd task if service file does not exist] *****************************************************************************************************************************************

included: ansible/roles/chronocollector/tasks/systemd.yml for testmachine3

.

TASK [chronocollector : Create startup file for collector in systemd] ****************************************************************************************************************************************************

changed: [testmachine3]

.

TASK [chronocollector : Create systemd collector.service] ****************************************************************************************************************************************************************

changed: [testmachine3]

.

TASK [chronocollector : check whether custom line exists] ****************************************************************************************************************************************************************

changed: [testmachine3]

.

TASK [chronocollector : Start Collector Service via systemd] *************************************************************************************************************************************************************

changed: [testmachine3]

.

TASK [chronocollector : Show status of collector from systemd] ***********************************************************************************************************************************************************

changed: [testmachine3]

.

TASK [chronocollector : debug] *******************************************************************************************************************************************************************************************

ok: [testmachine3] => {

“status.stdout”: ” Active: failed (Result: exit-code) since Thu 2022-05-19 10:31:49 BST; 315ms ago”

}

.

PLAY RECAP ***************************************************************************************************************************************************************************************************************

testmachine3 : ok=15 changed=8 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0

May 19, 2022 Ansible, API's, LinuxNo Comments »

Leave a Reply

Your email address will not be published. Required fields are marked *

0