Doing a git pull with Ansible without typing a username and password, and without saving any secrets on the system
I guess this question is simple for some of you. However, for me, it was not as straightforward as I expected.
Let me briefly describe the problem.
We have a code folder on a server. To deploy the application, we need to log in to the deploy server and do a git pull to update to the latest code from the origin.
Every time we type the command, it prompts for the username and password.
It's a waste of time to type the username and password every time, so I needed a solution to the issue. I'm quite familiar with Ansible, so I will use Ansible to automate the task.
Fortunately, Ansible has a git module which can update to the latest code from a specific branch.
- name: Update Code
  git:
    repo: https://{{ git_username }}:{{ git_password }}@github.com/private-repo.git
    dest: /tmp/git
    version: master
This Ansible task is simple, isn't it? Yes, it is simple, but there is a problem: it saves git_username and git_password in the .git/config file.
So we can try another method. I will no longer use the Ansible git module and will use a shell command instead.
- name: Update Code
  shell: |
    git pull https://{{ git_username }}:{{ git_password }}@github.com/private-repo.git master
This method does not save the username and password in the .git/config file. However, it writes logs to the audit.log.
Another method is to use credential.helper:
git config --global credential.helper 'cache --timeout 7200'
However, this method will save the username and password in plaintext on the local disk (~/.git-credentials).
After searching for a while on the Internet, I discovered the Ansible expect module.
It can do exactly what I want. Moreover, it doesn't save any logs in the log files.
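A post-deployment check for the two on-disk locations named above (.git/config and ~/.git-credentials), as an added example that is not part of the original post. The function names find_url_creds and audit_checkout are hypothetical, and the checkout and home directories are passed in as arguments.

```shell
#!/usr/bin/env bash
# Added example: did a git pull leave credentials behind on disk?
# find_url_creds and audit_checkout are hypothetical names for illustration.

# Print the lines of FILE that contain an http(s) URL with userinfo
# (user:password@ or token@), with the userinfo redacted so the report
# itself does not leak the secret.
# Exit status: 0 if at least one such URL was found, 1 otherwise.
find_url_creds() {
    local file="$1" hits
    [ -r "$file" ] || return 1
    hits=$(grep -E 'https?://[^/@[:space:]]+@' "$file") || return 1
    printf '%s\n' "$hits" | sed -E 's#(https?://)[^/@[:space:]]+@#\1<redacted>@#g'
}

# Check one checkout plus the deploy user's home directory.
# Prints one finding per line; exit status 0 means clean, 1 means findings.
audit_checkout() {
    local repo="$1" home="$2" findings=0 out
    if out=$(find_url_creds "$repo/.git/config"); then
        printf 'credentials in %s:\n%s\n' "$repo/.git/config" "$out"
        findings=$((findings + 1))
    fi
    if [ -s "$home/.git-credentials" ]; then
        printf 'plaintext credential file present: %s\n' "$home/.git-credentials"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Usage: script.sh <checkout-dir> <home-dir>, e.g. script.sh /tmp/git "$HOME"
if [ "$#" -eq 2 ]; then
    audit_checkout "$1" "$2"
fi
```

Run it after each deployment method to see which of them leaves a secret in the checkout or in the home directory.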
- name: Git Pull
  expect:
    command: git pull
    responses:
      (.*)Username(.*): "{{ git_username }}"
      (.*)Password(.*): "{{ git_password }}"
  no_log: true  # you don't want to show passwords in your logs
Yes, that's a solution. It took me a couple of hours to investigate. I hope my solution can help someone tackle the issue quickly.
If you have any questions, please let me know.