build: add option for masked config builds (w/o secrets)

dd-ix · Feb 25, 2024 · fd0eacf · fd0eacf
1 parent b850c68
commit fd0eacf
Show file tree

Hide file tree

Showing 5 changed files with 22 additions and 3 deletions.
diff --git a/hosts/host_vars/localhost/ixp.yml b/hosts/host_vars/localhost/ixp.yml
@@ -0,0 +1,9 @@
+build_masked: false
+
+secrets_masked:
+  eos:
+    admin_hash: "{MASKED}"
+    deploy_hash: "{MASKED}"
+    snmp_community: "{MASKED}"
+    radius_key: "{MASKED}"
+    root_pubkey: "{MASKED}"
diff --git a/roles/bird_build/tasks/client.yml b/roles/bird_build/tasks/client.yml
@@ -14,7 +14,12 @@
 - name: set md5 secret
   ansible.builtin.set_fact:
     client2: "{{ client2|combine({ 'password': peer[family + 'bgpmd5secret']}, recursive=true) }}"
-  when: peer[family + 'bgpmd5secret'] != None
+  when: peer[family + 'bgpmd5secret'] != None and not build_masked
+
+- name: mask md5 secret
+  ansible.builtin.set_fact:
+    client2: "{{ client2|combine({ 'password': '{MASKED}'}, recursive=true) }}"
+  when: peer[family + 'bgpmd5secret'] != None and build_masked
 
 - ansible.builtin.set_fact:
     ddix_peers: "{{ ddix_peers + [client2] }}"
diff --git a/roles/bird_build/tasks/main.yml b/roles/bird_build/tasks/main.yml
@@ -23,7 +23,7 @@
     dest: "{{ arouteserver_workdir }}/dist/clients.yml"
 
 - name: run arouteserver bird
-  ansible.builtin.shell: arouteserver bird --cfg arouteserver/arouteserver.yml --clients "{{ arouteserver_workdir }}/dist/clients.yml" -o "{{ arouteserver_workdir }}/dist/bird.conf" --cache-dir "{{ arouteserver_workdir }}/cache" --use-local-files logging
+  ansible.builtin.shell: arouteserver bird --cfg arouteserver/arouteserver.yml --clients "{{ arouteserver_workdir }}/dist/clients.yml" -o "{{ arouteserver_workdir }}/dist/bird{% if build_masked %}.masked{% endif %}.conf" --cache-dir "{{ arouteserver_workdir }}/cache" --use-local-files logging
   args:
     chdir: "{{ playbook_dir }}/.."
   environment:

diff --git a/roles/com_secrets/tasks/main.yml b/roles/com_secrets/tasks/main.yml
@@ -1,3 +1,8 @@
 - name: parse secrets
   ansible.builtin.set_fact:
     secrets: "{{ lookup('ansible.builtin.file', lookup('ansible.builtin.env', 'AROUTESERVER_SECRETS_FILE', default=(playbook_dir + '/../secrets.yml')))|from_yaml }}"
+
+- name: mask secrets
+  ansible.builtin.set_fact:
+    secrets: "{{ secrets|combine(secrets_masked) }}"
+  when: build_masked
diff --git a/roles/eos_build/tasks/eos.yml b/roles/eos_build/tasks/eos.yml
@@ -1,4 +1,4 @@
 - name: build eos config
   ansible.builtin.template:
     src: "{{ playbook_dir }}/../templates/eos/{{ switch_fqdn }}.conf.j2"
-    dest: "{{ arouteserver_workdir }}/eos/{{ switch_fqdn }}.conf"
+    dest: "{{ arouteserver_workdir }}/eos/{{ switch_fqdn }}{% if build_masked %}.masked{% endif %}.conf"