Skip to content

Latest commit

 

History

History
101 lines (79 loc) · 2.87 KB

README.md

File metadata and controls

101 lines (79 loc) · 2.87 KB

This OCurrent pipeline will monitor a GitHub repository and deploy the Ansible Playbooks that it finds there.

The repository must contain a file configuration.sexp, which the pipeline reads. The minimal configuration file is given below:

((playbooks(((name playbook.yml)))))

In this example, a single playbook called playbook.yml is monitored for changes and deployed with ansible-playbook playbook.yml. In this minimal case, an ansible.cfg file should be present in the repository to give the location of the host inventory file.

Alternatively, an inventory can be specified as shown below, resulting in ansible-playbook -i hosts playbook.yml.

((playbooks(((name playbook.yml)(inventory hosts)))))

In this more complete example, deps indicates a list of files which the playbook depends upon. The playbook and all the dependencies are hashed and if there is any change the playbook is redeployed. Recurrent deployments can be specified using validity, which indicates the number of days between deployments. The hosts targeted can be limited with the limit directive.

((playbooks (
  (
   (name update-something-else.yml)
   (deps (roles/apt/tasks/main.yml))
  )
  (
   (name update.yml)
  )
  (
   (name playbook.yml)
   (validity 7)
   (inventory hosts)
   (limit (host1 host2))
   (deps (roles/ubuntu/tasks/main.yml))
  )
)))

Secrets can be handled using encrypted variables in docker secrets.

((playbooks (
  (
   (name playbook.yml)
   (vars /run/secrets/my-secret-vars.yml)
  )
)))

This translates into the following command line:

ansible-playbook -e @/run/secrets/my-secret-vars.yml --vault-password-file /run/secrets/vault-password playbook.yml

Create my-secret-vars.yml using ansible-vault create my-secret-vars.yml with the variables you need:

my-var: foo

my-long-var: |
  foo
  bar

Within the playbook these variables can be used as any other {{ my-var }}, however a typical use might be to create Docker secrets. b64encode is advised for any JSON files to prevent Ansible from decoding/recoding them.

- name: Create Docker secrets
  docker_secret:
    name: "{{ item }}"
    data: "{{ lookup('vars', item) | b64encode }}"
    data_is_b64: true
  loop:
    - my-var
    - my-long-var

Deployment

Create the GitHub application using this link.

Add a webhook secret: e.g. openssl rand -base64 32

Use the Makefile to build a Docker image. The docker-compose.yml gives a sample deployment, which can be deployed using make up.