Deploying to production with Ansible

Concept - Single key to all credentials

Harbor 2.0 standardizes the way of deploying itself to production servers, introducing a simplified deployment from single repository with one passphrase for all secrets.

Deployment mechanism is installing Harbor + dependencies from requirements.txt, cloning the repository, setting permissions, adding autostart with systemd and starting the project. Please note, that it requires all changes to be committed to git repository before starting harbor :deployment:apply command.

Encrypted deployment.yml file can contain ssh passwords, ssh private key. It’s safe to store it in repository - Ansible Vault is using strong AES encryption

deploy_user: my-deployment-user
deploy_group: my-deployment-user

# Directory, where the project will be installed
remote_dir: /home/my-deployment-user/project

# Target repository to clone (in most cases it should be the same repository as current one)
# leave commented for automatic detection

# Secret url is helpful, when you cannot setup working ssh-agent. Secret url is used only at deployment time, later
# a regular URL (without credentials) is leaved on the machine

# Will make a file in /etc/sudoers.d/ to allow ssh-agent passing into sudo session
configure_sudoers: true

        - host:
          port: 2222
          user: my-deployment-user
          sudo_password: my-sudo-password

          # select between password or key-based authentication
          password: my-password
          private_key: |
              -----BEGIN OPENSSH PRIVATE KEY-----
              -----END OPENSSH PRIVATE KEY-----

Getting started with Harbor deployments

First time you need to download a required Ansible role and optionally generate an example deployment.yml file

harbor :deployment:files:update :deployment:create-example

Now fill up deployment.yml file, then perform a test deployment.

# tip: use --ask-vault-pass if you encrypt .env file
# tip: you need to have all changes (except deployment.yml - you can hold with this file) committed to repository before running deployment
harbor :deployment:apply

When deployment ran smoothly and you are sure that’s pretty all, then encrypt deployment.yml

# tip: Use same key as in .env file to make it simpler
harbor :vault:encrypt deployment.yml

Advanced usage

Use switches and environment variables to customize playbook name, inventory name, to pass Ansible Vault password, to ask for user ssh login or ssh password.

# ask interactively for sudo password
harbor :deployment:apply --ask-sudo-pass

# provide a vault password in alternative way
VAULT_PASSWORDS="oh-thats-secret" harbor :deployment:apply

# another way to provide vault password
echo 'VAULT_PASSWORDS="oh-thats-secret"' > /mnt/secret-encrypted-storage/.secret-env
source .secret-env && harbor :deployment:apply

# run witha custom playbook (place it in .rkd/deployment/
PLAYBOOK="my-playbook.yml"  harbor :deployment:apply

# deploying from a custom branch instead of "master"
harbor :deployment:apply --branch primary

# providing a key for GIT clone used to setup project repository on target machine
harbor :deployment:apply --git-key="~/.ssh/id_rsa"