Secret Management with Ansible Vault and docker-compose
ฝัง
- เผยแพร่เมื่อ 16 มี.ค. 2023
- Secret management with docker-compose doesn't have to be an enigma. This video shows how I use Ansible and Ansible Vault in conjunction with docker-compose to keep my secrets safe and encrypted whilst still being able to push my repos to Github publicly.
github.com/ironicbadger/secre...
blog.ktz.me/secret-management...
===
🎙️ selfhosted.show podcast
📱 twitter @ironicbadger
🦣 mastondon techhub.social/@ironicbadger
📓 blog.ktz.me
💾 perfectmediaserver.com
🧑🏽💻 github.com/ironicbadger
![ป่ะป๊าเลอา ชื่อ ??? [ดูคลิปเต็มหน้าช่อง] #Short | PANG ORNHIRA](http://i.ytimg.com/vi/ssxX0VkJCTo/mqdefault.jpg)
This is like a podcast, but with the visual element. Nice work
You mean like the SelfHosted-Podcast ;)
You mean, like a podcast? Lmao
Some say he has a face for radio… all we know, is he’s called ironicbadger.
@@ktzsystems This time on Chris and the Badger :D That was just great
This "just" tool is just awesome, maybe you could elaborate on this in a future episode
For sure.
Just stumbled upon this video after searching for Ansible Molecule topics but saw this and started watching. As soon as I heard your voice I knew it was you. Great video and thanks for the great podcasts, Self-Hosted is one of my favs!
More of this kind of videos please! The is the best introduction to Ansible and Ansible-Vault I've found, by far. And finally by someone who clearly knows how those tools should be used.
really great, don't hesitate to share this kind of content, it's extremely interesting
This is a great video. Thank you
Just getting into Ansible. Originally found out about this when I was in the search of automation&monitoring of certificate&key distribution via SCP. Stumbled upon Ansible, fell down the rabbit hole of actually setting this up securely. As soon as I get this thing rolling, I can say goodbye to my cronjobs and badly crafted service tasks!
That´s realy awesome! Very helpful video, thanks a lot.
Nice to see a face with the voice I know do well 😊
Nice entertaining video. Can’t wait for more
Thank you! 😁
Alex thank you for video. Please keep it going :)
Great video! I'll definitely check out ansible vault in the future :-)
Great video, appreciated!
Great stuff. Very much appreciated. If you wanted to, you could do several more videos explaining various parts of this for folks like me who have less experience with portions of this. I’ve never heard you mention some of them on self-hosted. Like Just. Pretty amazing.
Just is new to me as well, rest assured when I'm a bit deeper into it I'll make a video about it. It's replaced make completely for me as my infrastructure command wrapper.
Thanks for this, made me think of a word oft used, what is it - ah yes, awesome.
Also, your building infra here with Ansible, as well it is intended but in my little head I had a thought. It could also be other things, like a code checkout. So this could also be a 'just' ( I like that pattern your using ) checkout some git repository or other and create within it a bunch of files not controlled at all by git, such as `.env` files and the like, making a complete separation between publicly controlled application files and the credential files that are used to make them work. The Ansible vault could even be held in a separate, privately hosted Git, whilst the public opensource git code remains, well public.
But I get what your saying about the encryption of ansible vault and potential for various agencies out there with their ability to maybe at some time be able to read them. But like the Borg, we can also 'rotate shields' ( change passwords regularly ) 😃
awesome video! recently started using just, its amazing!
It is! I’ve been using make for so long but just has the flexibility needed for optional params and stuff. It’s so slick.
@@ktzsystems learning about things like just (or even being prompted to check out vscode again) is one way that videos like this are superior to written content. It's fun to see how everything's coming together in a complete experience, even if it is just one person's experience.
Great video!
Glad you enjoyed it. Plenty more planned
A full ansible tutorial would be great!
Definitely going to be more Ansible content coming soon!
@@ktzsystems just a small reminder for you, that you made that comment ;-P
Great video, this could be big! I see a whole how to build (your) perfect media server series ;-) this way!
Me too ;)
It's weird seeing your face. Thanks for the video, subscribed.
what theme are you using in vscode? and great video! great content and it looks amazing in 4k
Bearded theme and icons
🔥
I prefer inline vault vscode plugin... The files remain human readable with context.
Also love the hash merging option in Ansible so that you can define and override complex variable objects vs ugly flat variables.
I use YAML inventory and store most of my non-default host/group vars there as it's much easier to manage in one central place.
Would love to see an example of the hash vars thing please! 😮
We the people need to see this!
Down in OBX for spring break.... Will see if I can whip up an example
Hi Alex did you hear about containerd and nerdctl? Nerdctl is docker compose compatible but it talks to containerd directly without relaying on docker and the docker daemon
Looks super interesting!
@@ktzsystemsI switched all my containers to pure containerd and nerdctl and I can't be happier.
Ah the justfile is not in the git repo. Wanted to see your examples there.
Sure it is! Here you go
github.com/ironicbadger/infra/blob/master/justfile
i like this video. i have a question.
despite using the ansible-vault, isn't it an insecure way to write the decrypted secrets directly into the generated docker-compose file ?
when a attacker exploits a machine and takes over. its easy to obtaine the secrets, docker inspect etc.
If the attacker has access to your box itself it’s probably only a small concern in the grand scheme.
Good video. What vs code theme is that?
bearded theme and icons. you know, for the discerning beard wearing gentleman.
Alex! What's your stance on docker-compose over the community.docker Ansible modules? If you're in the ecosystem, why the extra steps?
Portability and compatibility. When I first wrote this Ansible role the community docker module was in its infancy and lacked a lot of the dials I needed to fully customise my plays as required. Over the years I've really come to value the fact that all my role really does is create a .yaml file and from there I use standard compose tooling to manage the containers on the host.
@@ktzsystems Fair enough, thanks!
Great video - re:Ansible stuff, I heard the words you were saying, but since I got stuck in Chapter 2 of Jeff Geerling's book when he started using Vagrant & VirtualBox, all I could do is nod and say "Get me summa that" ¯\_(ツ)_/¯
It'd be great if you could translate his book into Debian and Proxmox, while keeping the Vagrant dialect ;)
Cheers!
I have lots of content planned around using Ansible never fear!
You didn't actually explain the bit where you gave the vault password when you ran the playbooks, or I missed it