Deploying to production with Ansible
Concept - Single key to all credentials
Harbor 2.0 standardizes deployment to production servers, introducing a simplified deployment from a single repository with one passphrase for all secrets.
The deployment mechanism installs Harbor and its dependencies from requirements.txt, clones the repository, sets permissions, adds autostart with systemd and starts the project.
Please note that all changes must be committed to the git repository before running the harbor :deployment:apply command.
The encrypted deployment.yml file can contain SSH passwords and an SSH private key. It is safe to store in the repository, because Ansible Vault uses strong AES encryption.
    deploy_user: my-deployment-user
    deploy_group: my-deployment-user

    # Directory, where the project will be installed
    remote_dir: /home/my-deployment-user/project

    # Target repository to clone (in most cases it should be the same repository as current one)
    # leave commented for automatic detection
    #git_url: firstname.lastname@example.org:your-org/your-repo.git

    # Secret url is helpful, when you cannot setup working ssh-agent. Secret url is used only at deployment time, later
    # a regular URL (without credentials) is left on the machine
    #git_secret_url: https://user:email@example.com/your-org/your-repo.git

    # Will make a file in /etc/sudoers.d/ to allow ssh-agent passing into sudo session
    configure_sudoers: true

    nodes:
        production:
            - host: remote-host.org
              port: 2222
              user: my-deployment-user
              sudo_password: my-sudo-password

              # select between password or key-based authentication
              password: my-password
              private_key: |
                  -----BEGIN OPENSSH PRIVATE KEY-----
                  (................................)
                  -----END OPENSSH PRIVATE KEY-----
Getting started with Harbor deployments
The first time, you need to download the required Ansible role and optionally generate an example deployment.yml file:

    harbor :deployment:files:update :deployment:create-example

Now fill in the deployment.yml file, then perform a test deployment.
    # tip: use --ask-vault-pass if you encrypt .env file
    # tip: you need to have all changes (except deployment.yml, which can stay uncommitted for now) committed to repository before running deployment
    harbor :deployment:apply
When the deployment has run smoothly and you are sure that is all, encrypt deployment.yml:
    # tip: Use same key as in .env file to make it simpler
    harbor :vault:encrypt deployment.yml
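deployment.yml is only safe to keep in the repository once it is encrypted, so it helps to check it at commit time. The pre-commit hook below is an added example, not part of Harbor: it assumes that harbor :vault:encrypt writes the standard Ansible Vault header, and the names SECRET_FILES, is_vault_header and check_staged_secrets are chosen here for illustration.

```shell
#!/bin/sh
# Added example (not part of Harbor): block commits of a plaintext deployment.yml.
# Assumption: `harbor :vault:encrypt` writes the standard Ansible Vault envelope,
# whose first line is "$ANSIBLE_VAULT;<version>;AES256[;<vault-id>]".

# Files that must only be committed encrypted. Add .env if you encrypt it too.
SECRET_FILES="${SECRET_FILES:-deployment.yml}"

# Succeeds when the content on stdin starts with an Ansible Vault header.
is_vault_header() {
    first_line=""
    # read fails on a last line without newline; accept it if something was read
    IFS= read -r first_line || [ -n "$first_line" ] || return 1
    case "$first_line" in
        '$ANSIBLE_VAULT;'[0-9].[0-9]';AES256'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Inspects the staged copy of each file (the bytes the commit will contain),
# not the working tree, which may already be encrypted while the index is not.
check_staged_secrets() {
    rc=0
    for f in $SECRET_FILES; do
        # skip files that are not in the index at all
        git ls-files --error-unmatch -- "$f" >/dev/null 2>&1 || continue
        if ! git show ":$f" | is_vault_header; then
            echo "refusing commit: $f is staged unencrypted" >&2
            rc=1
        fi
    done
    return $rc
}

# Runs the check only when installed as .git/hooks/pre-commit.
case "$0" in
    *pre-commit) check_staged_secrets || exit 1 ;;
esac
```

Save it as .git/hooks/pre-commit in the project repository and make it executable.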
Use switches and environment variables to customize the playbook name and inventory name, to pass the Ansible Vault password, and to ask for the user's SSH login or SSH password.
    # ask interactively for sudo password
    harbor :deployment:apply --ask-sudo-pass

    # provide a vault password in alternative way
    VAULT_PASSWORDS="oh-thats-secret" harbor :deployment:apply

    # another way to provide vault password
    # (the variable is exported so that the harbor process can see it after sourcing)
    echo 'export VAULT_PASSWORDS="oh-thats-secret"' > /mnt/secret-encrypted-storage/.secret-env
    source /mnt/secret-encrypted-storage/.secret-env && harbor :deployment:apply

    # run with a custom playbook (place it in .rkd/deployment/)
    PLAYBOOK="my-playbook.yml" harbor :deployment:apply

    # deploying from a custom branch instead of "master"
    harbor :deployment:apply --branch primary

    # providing a key for GIT clone used to setup project repository on target machine
    harbor :deployment:apply --git-key="~/.ssh/id_rsa"