From 1c6e273b5249f56daee5438d89336d0df88f6a12 Mon Sep 17 00:00:00 2001 From: Bas Date: Thu, 26 Oct 2023 17:50:34 +0200 Subject: [PATCH] [ansible/artifactory] Configure admin credentials (#335) * Setup admin credentials - credits: @eugene-krivosheyev * README.md * CHANGELOG.md Signed-off-by: Bas Meijer * Revert directory creation. * artifactory_admin_password was not used before, define it to manage it with Ansible. * Stay secure! --------- Signed-off-by: Bas Meijer --- .../jfrog/platform/CHANGELOG.md | 4 ++ .../jfrog/platform/README.md | 56 +++++++++++-------- .../roles/artifactory/defaults/main.yml | 7 +-- .../roles/artifactory/tasks/install.yml | 16 +++++- .../artifactory/templates/bootstrap.creds.j2 | 2 + 5 files changed, 55 insertions(+), 30 deletions(-) create mode 100644 Ansible/ansible_collections/jfrog/platform/roles/artifactory/templates/bootstrap.creds.j2 diff --git a/Ansible/ansible_collections/jfrog/platform/CHANGELOG.md b/Ansible/ansible_collections/jfrog/platform/CHANGELOG.md index 1ccf17a5..0847904a 100644 --- a/Ansible/ansible_collections/jfrog/platform/CHANGELOG.md +++ b/Ansible/ansible_collections/jfrog/platform/CHANGELOG.md @@ -1,6 +1,10 @@ # JFrog Platform Ansible Collection Changelog All changes to this collection will be documented in this file. +## [10.15.4] - Oct 2, 2023 +* Configure admin password +* Formatting README.md + ## [10.15.3] - Oct 16, 2023 * Product Updates/fixes diff --git a/Ansible/ansible_collections/jfrog/platform/README.md b/Ansible/ansible_collections/jfrog/platform/README.md index 79b06932..9ea560e8 100644 --- a/Ansible/ansible_collections/jfrog/platform/README.md +++ b/Ansible/ansible_collections/jfrog/platform/README.md 
@@ -1,29 +1,29 @@ # JFrog Platform Ansible Collection This Ansible directory consists of the following directories that support the JFrog Platform collection. - + * ansible_collections directory - This directory contains the Ansible collection package that has the Ansible roles for Artifactory, Distribution, Insight and Xray. See the roles README for details on the product roles and variables. * examples directory - This directory contains example playbooks for various architectures. - + ## Getting Started ## Prerequisites From 10.11.x collection and above, Using fully qualified collection name (FQCN) , This is required for installing collection dependencies -``` +```bash ansible-galaxy collection install community.postgresql community.general ansible.posix ``` - + 1. Install this collection from Ansible Galaxy. - + ``` ansible-galaxy collection install jfrog.platform ``` - + Ensure you reference the collection in your playbook when using these roles. - - ``` + + ```yaml --- - hosts: artifactory_servers collections: 
@@ -31,18 +31,18 @@ ansible-galaxy collection install community.postgresql community.general ansible - community.general roles: - artifactory - + ``` - - 2. Ansible uses SSH to connect to hosts. Ensure that your SSH private key is on your client and the public keys are installed on your Ansible hosts. - + + 2. Ansible uses SSH to connect to hosts. Ensure that your SSH private key is on your client and the public keys are installed on your Ansible hosts. + 3. Create your inventory file. Use one of the examples from the examples directory to construct an inventory file (hosts.ini) with the host addresses - + 4. Create your playbook. Use one of the examples from the examples directory to construct a playbook using the JFrog Ansible roles. These roles will be applied to your inventory and provision software. - + 5. Then execute with the following command to provision the JFrog Platform with Ansible. - -``` + +```bash ansible-playbook -vv platform.yml -i hosts.ini" ``` @@ -51,7 +51,7 @@ ansible-playbook -vv platform.yml -i hosts.ini" For production deployments,You may want to generate your master and join keys and apply it to all the nodes. **IMPORTANT** : Save below generated master and join keys for future upgrades -``` +```bash MASTER_KEY_VALUE=$(openssl rand -hex 32) JOIN_KEY_VALUE=$(openssl rand -hex 32) ansible-playbook -vv platform.yml -i hosts.ini --extra-vars "master_key=$MASTER_KEY_VALUE join_key=$JOIN_KEY_VALUE" 
@@ -60,13 +60,21 @@ ansible-playbook -vv platform.yml -i hosts.ini --extra-vars "master_key=$MASTER_ ## Using [Ansible Vault](https://docs.ansible.com/ansible/latest/user_guide/vault.html) to Encrypt Vars Some vars you may want to keep secret. You may put these vars into a separate file and encrypt them using [Ansible Vault](https://docs.ansible.com/ansible/latest/user_guide/vault.html). +For example, you will probably change the default password for the admin user using an encrypted file. + +```yaml +# Default password +artifactory_admin_password: password ``` + + +```bash ansible-vault encrypt secret-vars.yml --vault-password-file ~/.vault_pass.txt ``` then in your playbook include the secret vars file. -``` +```yaml - hosts: artifactory_servers collections: - community.general @@ -81,7 +89,7 @@ then in your playbook include the secret vars file. ## Upgrades All JFrog product roles support software updates. To use a role to perform a software update only, use the __upgrade_only_ variable and specify the version. See the following example. -``` +```yaml - hosts: artifactory_servers collections: - community.general @@ -108,7 +116,7 @@ Create an external database as documented [here](https://www.jfrog.com/confluenc For example, for artifactory, these below values needs to be set for using external postgresql -``` +```yaml postgres_enabled: false artifactory_db_type: postgresql @@ -124,11 +132,11 @@ artifactory_db_url: jdbc:postgresql://:5432/{{ artifactory_ 1. Go to the ansible_collections/jfrog/platform directory. 2. Update the galaxy.yml meta file as needed. Update the version. 3. Build the archive. (Requires Ansible 2.9+) -``` +```bash ansible-galaxy collection build ``` -## OS support +## OS support The JFrog Platform Ansible Collection can be installed on the following operating systems: * Ubuntu LTS versions (18.04/20.4/22.04) 
@@ -139,6 +147,6 @@ The JFrog Platform Ansible Collection can be installed on the following operatin ## Known issues * Refer [here](https://github.com/jfrog/JFrog-Cloud-Installers/issues?q=is%3Aopen+is%3Aissue+label%3AAnsible) * By default, ansible_python_interpreter: "/usr/bin/python3" used , For Centos/RHEL-7, Set this to "/usr/bin/python" . For example -``` +```bash ansible-playbook -vv platform.yml -i hosts.ini -e 'ansible_python_interpreter=/usr/bin/python' -``` \ No newline at end of file +``` diff --git a/Ansible/ansible_collections/jfrog/platform/roles/artifactory/defaults/main.yml b/Ansible/ansible_collections/jfrog/platform/roles/artifactory/defaults/main.yml index 3b776a30..0d33fcad 100644 --- a/Ansible/ansible_collections/jfrog/platform/roles/artifactory/defaults/main.yml +++ b/Ansible/ansible_collections/jfrog/platform/roles/artifactory/defaults/main.yml @@ -64,10 +64,9 @@ artifactory_gid: 1030 # If this is an upgrade artifactory_upgrade_only: false -# Default username and password -artifactory_admin_username: admin -artifactory_admin_password: password - +# Default username and password, uncomment and change to manage with ansible +# artifactory_admin_username: admin +# artifactory_admin_password: password artifactory_service_file: /lib/systemd/system/artifactory.service # Provide systemyaml content below with 2-space indentation diff --git a/Ansible/ansible_collections/jfrog/platform/roles/artifactory/tasks/install.yml b/Ansible/ansible_collections/jfrog/platform/roles/artifactory/tasks/install.yml index dcef9660..20566972 100644 --- a/Ansible/ansible_collections/jfrog/platform/roles/artifactory/tasks/install.yml +++ b/Ansible/ansible_collections/jfrog/platform/roles/artifactory/tasks/install.yml 
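Review bot: With both defaults commented out in `roles/artifactory/defaults/main.yml`, `artifactory_admin_username` is no longer defined by the role, so any task or template outside this diff that still reads it would fail with an undefined-variable error; worth a grep across the collection before merging. The new comment also invites editing role defaults in place and keeps `password` as the sample value, which tends to be uncommented unchanged. I would reword it to `# Admin credentials are only managed when both variables are set, e.g. in a vaulted vars file` and show the sample as `# artifactory_admin_password: <your-admin-password>`. The hunk also drops the blank line before `artifactory_service_file`, which looks unintentional.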
@@ -110,7 +110,7 @@ group: "{{ artifactory_group }}" loop: - "{{ artifactory_home }}/var/data" - - "{{ artifactory_home }}/var/etc" + - "{{ artifactory_home }}/var/etc/" - "{{ artifactory_home }}/var/etc/security/" - "{{ artifactory_home }}/var/etc/artifactory/info/" @@ -168,6 +168,18 @@ - artifactory_licenses | length > 0 notify: Restart artifactory +- name: Set up Artifactory admin account + ansible.builtin.template: + src: bootstrap.creds + dest: "{{ artifactory_home }}/var/etc/access/" + owner: "{{ artifactory_user }}" + group: "{{ artifactory_group }}" + mode: 0600 + when: + - artifactory_admin_username is defined + - artifactory_admin_password is defined + notify: Restart artifactory + - name: Check if included database driver is the correct version become: true ansible.builtin.stat: @@ -222,4 +234,4 @@ delay: 5 when: - not ansible_check_mode - - artifactory_start_service | bool \ No newline at end of file + - artifactory_start_service | bool diff --git a/Ansible/ansible_collections/jfrog/platform/roles/artifactory/templates/bootstrap.creds.j2 b/Ansible/ansible_collections/jfrog/platform/roles/artifactory/templates/bootstrap.creds.j2 new file mode 100644 index 00000000..49e4139e --- /dev/null +++ b/Ansible/ansible_collections/jfrog/platform/roles/artifactory/templates/bootstrap.creds.j2 @@ -0,0 +1,2 @@ +{{ artifactory_admin_username }}@*={{ artifactory_admin_password }} +
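Review bot: `src: bootstrap.creds` in the new "Set up Artifactory admin account" task does not match the template this commit adds (`templates/bootstrap.creds.j2`), so the template lookup will most likely fail whenever both variables are set. The task also renders the admin password without `no_log: true`, so a run with `--diff` can print the rendered credential, and unlike the neighbouring stat task it carries no `become: true`. `dest` is a bare directory that the directory loop visible in the first hunk does not list, so naming the target file explicitly and confirming that `var/etc/access/` is created earlier in the file would make the task deterministic. The fence shows the task with those lines changed; `mode` is quoted so it is not parsed as a YAML integer.

```yaml
- name: Set up Artifactory admin account
  become: true
  ansible.builtin.template:
    src: bootstrap.creds.j2
    dest: "{{ artifactory_home }}/var/etc/access/bootstrap.creds"
    # … unchanged: owner, group …
    mode: "0600"
  no_log: true
  # … unchanged: when, notify …
```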
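Review bot: The address part of the entry in `bootstrap.creds.j2` is hard-coded to `*`, which, if I read the bootstrap.creds format correctly, lets the bootstrap credential be used from any source address. Consider exposing it as a role variable that operators can tighten, for example `{{ artifactory_admin_username }}@{{ artifactory_admin_allowed_ip | default('*') }}={{ artifactory_admin_password }}` (the variable name is only a suggestion), and documenting it next to the password in the README. The task that renders this template guards only on `is defined`, so an empty password would produce an entry with no secret; adding `artifactory_admin_password | length > 0` to its `when` list would prevent that.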