HAdeploy allow most of the variable to be encrypted. This feature rely on the Ansible Vault mechanism.

All encrypted values must be set under one or several encrypted_vars token, and their usage must follow a specific pattern. See the example below.


Attributes are variables name.


A typical use case of encryption is to protect thessh_password in a host definition. Encryption can be achieved by provided the values as in the following sample:

  john_password: |

- name: sr
  ssh_host: sr.cluster1.mydomain.com
  ssh_user: root
  ssh_password: "{{john_password}}"

Note the way the variable is provided to the ranger_password attribute: "{{john_password}}" (And not the usual ${john_password}). This form is mandatory, as the variable resolution must be performed by Ansible, not by HADeploy. See Variables for more info.

NB: As the encrypted value is directly provided to Ansible, which will decrypt it in memory, HADeploy itself does not perform any decryption. So, there is no risk to have a decrypted, clear value in some intermediate file.

Using this pattern, most of the values of type string can be encrypted in the deployment file.

Another use case of encryption is to protect the ranger admin password in the ranger_relay definition:

  ranger_password: |

  host: en1
  ranger_url:  https://ranger.mycluster.mycompany.com:6182
  ranger_username: admin
  ranger_password: "{{ranger_password}}"  
  ca_bundle_local_file: cert/ranger_mycluster_cert.pem
  ca_bundle_relay_file: /etc/security/certs/ranger_mycluster_cert.pem

Encrypting a value

HADeploy encryption rely on the Ansible Vault capability. So, the encryption will be performed using ansible-vault command.

Here is a simple approach to achieve this:

First, create a temporary file containing only the password (Here, the password is admin):

echo -n admin >/tmp/data.txt

It is important to ensure there is no leading or trailing control character, or white space:

hexdump -C /tmp/data.txt
00000000  61 64 6d 69 6e                                    |admin|

Then, you can encrypt it, using the following command:

ansible-vault encrypt </tmp/data.txt
New Vault password:
Confirm New Vault password:
Encryption successful

You will need to provide a Vault password. This is the password you will have to provided later, on each launch of HADeploy.

Now, you may cut and paste the result as your encrypted_vars.ranger_password value, as shown on the top of this page. And be sure:

If you don't follow these recommendation, we may have some cryptic error messages, such as:

fatal: [en1]: FAILED! => {"failed": true, "msg": "Unexpected templating type error occurred on ({{ rangerPassword }}): Non-hexadecimal digit found"}

And, of course, don't forget to cleanup the file which contains the password in clear text.

rm /tmp/data.txt

Launching HADeploy with encrypted values

Do not mistake this feature with the vault password you may need to provide when accessing an Ansible inventory (see here). There is no relationshipt between these two passwords. They act at different level.

If you launch HADeploy on file containing encrypted value, you will need to provide a password. Otherwise you will have an error like the following:

The offending line appears to be:

      rangerPassword: !vault |
                      ^ here

First approach is to enter this password on each launch. For this, simply add the option --askVaultPassword on the command line.

hadeploy --src infra/mycluster.yml --src app.yml --askVaultPassword  --action DEPLOY
Vault password:

Another approach is to provide this password in a file. The password must be a string stored as a single line of the file.

Then use the option --vaultPasswordFile to provide the path on this file:

hadeploy --src infra/mycluster.yml --src app.yml --vaultPasswordFile infra/vault_password.txt  --action DEPLOY

Ensure permissions on the file are such that no one else can access your key and do not add this file to source control.