SSH_KEY Not passed through #481

Open
mighty-services opened this issue Oct 29, 2024 · 1 comment
Labels: question (User's question)

@mighty-services
Issue Reporting

Dear Christian,

thank you for your tutorial on Kestra and for putting the templates into your boilerplates. Unfortunately, I can't get the passing of the secrets to work properly.

I have set up Kestra with docker compose, like you did, and added the SSH variable in the environment part:

....
  kestra:
    image: kestra/kestra:latest
    pull_policy: always
    user: root
    command: server standalone
    volumes:
      - /data/kestra/data:/app/storage
      - /var/run/docker.sock:/var/run/docker.sock
      - /data/kestra/kestra-wd/:/tmp/kestra-wd
    environment:
      SECRET_SSH_KEY: ${SECRET_SSH_KEY}
      KESTRA_CONFIGURATION: |
        datasources:
          postgres:
            url: jdbc:postgresql://postgres:5432/kestra
            driverClassName: org.postgresql.Driver
....

I created a keypair, created an Ansible user on the target system, copied the keypair and made sure it's logging in and executing commands with sudo (without any warnings or prompts).

I encoded my private keyfile with base64 -w 0 ~/.ssh/id_ed25519 > ssh_key_base64.txt.

I copied the content of the file to .env, so it looks like

SECRET_SSH_KEY="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"

When I access the kestra container and do echo $SECRET_SSH_KEY, it displays the key.

But when I use your flow-example and simply put in one host like this:

id: linux-server-updates
namespace: homelab

tasks:
  - id: ansible
    type: io.kestra.plugin.core.flow.WorkingDirectory
    tasks:
      - id: local_files
        type: io.kestra.core.tasks.storages.LocalFiles
        inputs:
          inventory.ini: |
            [servers]
            10.0.9.20
          myplaybook.yaml: |
            ---
            - hosts: servers
              tasks:
                - name: upgrade apt packages
                  become: true
                  ansible.builtin.apt:
                    upgrade: true
                    update_cache: true
          id_rsa: "{{ secret('SSH_KEY') }}"
      - id: ansible_task
        type: io.kestra.plugin.ansible.cli.AnsibleCLI
        docker:
          image: docker.io/cytopia/ansible:latest-tools
          user: "1000"  # required to set ssh key permissions
        env:
          "ANSIBLE_HOST_KEY_CHECKING": "false"
          "ANSIBLE_REMOTE_USER": "ansible"
        commands:
          - ansible-playbook -i inventory.ini --key-file id_rsa myplaybook.yaml

it's giving me the error
fatal: [10.0.9.20]: UNREACHABLE! => {"changed": false, "msg": "Failed to connect to the host via ssh: Warning: Permanently added '10.0.9.20' (ED25519) to the list of known hosts.\r\nLoad key \"/tmp/kestra-wd/tmp/sJsPGfZTeENFMrMMcE6ov/id_rsa\": invalid format\r\nansible@10.0.9.20: Permission denied (publickey,password).", "unreachable": true}

@mighty-services (Author)

I tried several things and have found a workaround thanks to your example playbook-ssh-key.

I import the hosts file, playbook AND the SSH private key with this:

      - id: ansible_task
        namespaceFiles:
          enabled: true
          include:
            - hosts.yml
            - 'playbooks/linux_maintenance.yml'
            - id_ed25519

In the end I tell Ansible to use this key:

        commands:
          - ansible-playbook -i hosts.yml 'playbooks/linux_maintenance.yml' --private-key id_ed25519

My full test flow looks like this now:

id: linux-server-updates
namespace: homelab

tasks:
  - id: ansible
    type: io.kestra.plugin.core.flow.WorkingDirectory
    tasks:
      - id: ansible_task
        namespaceFiles:
          enabled: true
          include:
            - hosts.yml
            - 'playbooks/linux_maintenance.yml'
            - id_ed25519
        type: io.kestra.plugin.ansible.cli.AnsibleCLI
        docker:
          image: docker.io/cytopia/ansible:latest-tools
          user: "1000"  # required to set ssh key permissions
        env:
          "ANSIBLE_HOST_KEY_CHECKING": "false"
          "ANSIBLE_REMOTE_USER": "ansible"
        commands:
          - ansible-playbook -i hosts.yml 'playbooks/linux_maintenance.yml' --private-key id_ed25519

I'm sure this is not a perfect solution, so I'm open to any tips and improvements :)
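As an added example (not code from the issue or from the boilerplates repository), a small preflight script for the key hand-off in both posts above: the SECRET_SSH_KEY round trip through .env and secret('SSH_KEY') in the first post, and the id_ed25519 namespace file in the second. It assumes, as the base64 step in the issue does, that secret() returns the base64-decoded value of the matching SECRET_* variable; SAMPLE_KEY is a constructed placeholder with only the framing of an OpenSSH key, not real key material. Whichever way the file reaches the working directory, ssh reports "invalid format" when it cannot parse it and ignores a key that is readable by group or others, so the checks cover exactly those conditions.

```shell
#!/bin/sh
# Added example, not code from the issue or the boilerplates repo.
# Preflight for the SSH key hand-off used in the flows above:
#   encode_for_env         -> the one-line base64 value that goes into .env
#   decode_from_env        -> what secret('SSH_KEY') is assumed to return
#   check_private_key_file -> what ssh / ansible-playbook require of the file
set -u

# Constructed placeholder with the right framing; NOT a real key.
SAMPLE_KEY='-----BEGIN OPENSSH PRIVATE KEY-----
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
-----END OPENSSH PRIVATE KEY-----
'

# Same output as `base64 -w 0 FILE`, written so it also works where
# base64 has no -w flag (BSD/macOS).
encode_for_env() {
  base64 < "$1" | tr -d '\n'
}

# Reverse of encode_for_env: turn the SECRET_* value back into key text.
decode_from_env() {
  printf '%s' "$1" | base64 -d
}

# Exit 0 if FILE looks like a private key ssh will load; otherwise print
# one line per problem and exit 1. Each problem is a known cause of
# "Load key ...: invalid format" or "UNPROTECTED PRIVATE KEY FILE".
check_private_key_file() {
  _f=$1
  _rc=0
  [ -s "$_f" ] || { echo "$_f: missing or empty"; return 1; }
  if ! head -n 1 "$_f" | grep -q '^-----BEGIN .*PRIVATE KEY-----$'; then
    echo "$_f: first line is not a PRIVATE KEY header (still base64, or wrong secret?)"
    _rc=1
  fi
  if ! tail -n 1 "$_f" | grep -q '^-----END .*PRIVATE KEY-----$'; then
    echo "$_f: last line is not a PRIVATE KEY footer (truncated?)"
    _rc=1
  fi
  if grep -q "$(printf '\r')" "$_f"; then
    echo "$_f: CRLF line endings; ssh wants LF only"
    _rc=1
  fi
  if [ "$(tail -c 1 "$_f" | wc -l | tr -d ' ')" -ne 1 ]; then
    echo "$_f: missing trailing newline"
    _rc=1
  fi
  # ssh ignores keys readable by group/other; ls output is portable
  # where stat(1) flags differ between GNU and BSD.
  if [ "$(ls -ld "$_f" | cut -c5-10)" != "------" ]; then
    echo "$_f: permissions too open, chmod 600 it"
    _rc=1
  fi
  return $_rc
}

# Stand-alone walk-through of the round trip described in the issue.
demo() {
  d=$(mktemp -d)
  printf '%s' "$SAMPLE_KEY" > "$d/id_ed25519"
  chmod 600 "$d/id_ed25519"
  v=$(encode_for_env "$d/id_ed25519")      # what goes into .env
  decode_from_env "$v" > "$d/decoded"       # what LocalFiles should write
  chmod 600 "$d/decoded"
  printf '%s' "$v" > "$d/undecoded"         # the base64 text written as-is
  chmod 600 "$d/undecoded"
  for k in id_ed25519 decoded undecoded; do
    if check_private_key_file "$d/$k"; then echo "$k: OK"; fi
  done
  rm -rf "$d"
}
demo
```

Running check_private_key_file as a command ahead of ansible-playbook in the flow turns a bare UNREACHABLE into a named reason. The `undecoded` case in demo is what a key file that still holds the base64 text looks like to these checks: no header, no footer, no trailing newline, which is one way to end up with `invalid format` from ssh.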

@ChristianLempa ChristianLempa self-assigned this Oct 30, 2024
@ChristianLempa ChristianLempa added the question User's question label Oct 30, 2024