Migrating V1 to V2

Version 2 of the ansible-playbooks brings a number of improvements, including improved secrets management support. Follow these docs to help with the migration.

jwks.json

Older portal setups stored the Skynet Accounts JWKS JSON config file at a different location than later/latest v1 playbooks.
Check if you have a file named cluster-{cluster-id}-jwks.json stored in the cluster config directory in LastPass.
It should be stored in one of these locations: Shared-Ansible/portal-cluster-configs/cluster-{cluster-id}-jwks.json or Ansible\portal-cluster-configs\cluster-{cluster-id}-jwks.json
If you have it stored in one of these locations instead: Shared-Ansible/jwks.json or Ansible\jwks.json
then move and rename the JWKS record to the appropriate location mentioned above.
Also make sure that the content of the JSON file is the same as the file the Skynet Accounts module is actually using. You will find the file in use on your portal server at the location: /home/user/skynet-webportal/docker/accounts/conf/jwks.json
Note that the JSON formatting might differ, but the content should be the same. If it is not, most probably the file on your server is up to date and the LastPass record is outdated and should be updated.
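One way to do the comparison above without being misled by formatting differences, as an added example that is not part of the ansible-playbooks repo: it goes slightly beyond a whole-file check by also reporting which key ids differ, and it prints only key ids and a verdict, never key material. It assumes the standard JWKS layout (a top-level "keys" array); the function names, the sample data and the exported-record file argument are hypothetical.

```python
import hashlib
import json
import sys

# Constructed sample data (not real key material): same content, different formatting.
SAMPLE_SERVER = '{"keys":[{"kid":"k1","kty":"RSA","n":"AAA","e":"AQAB"}]}'
SAMPLE_RECORD = '{\n  "keys": [ {"e": "AQAB", "kty": "RSA", "n": "AAA", "kid": "k1"} ]\n}'


def canonical_digest(obj):
    """SHA-256 over a canonical serialization: sorted member names, no whitespace."""
    blob = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()


def index_keys(jwks):
    """Map each JWK to its digest, keyed by 'kid' (or by position if 'kid' is absent)."""
    keys = jwks.get("keys", [])
    return {str(k.get("kid", f"#{i}")): canonical_digest(k) for i, k in enumerate(keys)}


def compare_jwks(server_text, record_text):
    """Compare two JWKS documents by content, ignoring JSON formatting.

    The result holds a verdict and key ids only, so it is safe to paste into a ticket.
    """
    server, record = json.loads(server_text), json.loads(record_text)
    a, b = index_keys(server), index_keys(record)
    return {
        # Strict check: member order and whitespace are ignored, "keys" array order is not.
        "identical": canonical_digest(server) == canonical_digest(record),
        "only_on_server": sorted(set(a) - set(b)),
        "only_in_record": sorted(set(b) - set(a)),
        "changed": sorted(k for k in set(a) & set(b) if a[k] != b[k]),
    }


if __name__ == "__main__":
    # With two paths: <jwks.json from the server> <JWKS exported from the secrets record>.
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f1, open(sys.argv[2]) as f2:
            texts = f1.read(), f2.read()
    else:
        texts = SAMPLE_SERVER, SAMPLE_RECORD
    result = compare_jwks(*texts)
    print(json.dumps(result, indent=2))
    sys.exit(0 if result["identical"] else 1)
```

A non-zero exit status means the record and the server file differ; per the note above, the server copy is most probably the current one.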

Ansible-Playbooks

Step 1 is to update your ansible-playbooks to v2. You can do this by pulling the v2 tag from the repo.

Hosts.ini

In your hosts.ini file, you can now define the secrets manager you want to use. You do this by defining a secrets_storage variable in your [<group>:vars] sections. Here is an example:
[webportals:vars]
secrets_storage="plaintext"
You should also delete this outdated code:
# ansible_become_pass is required to execute playbooks without root access
# using (become=True). It is Ansible internal variable and it is not lazy
# evaluated as user defined variables. We need to set default value for
# playbooks not requiring this var and not having active LastPass session. For
# portal-setup-initial we allow this password to be missing and we create it in
# LastPass (if missing).
#
# Condition:
# Check for user password if (LastPass is required and not (allow missing password and password is missing))
#
# lastpass_required|default(False): Ask for LastPass password when requied
# lastpass_allow_missing_user_credentials|default(False): Flag to allow for missing LastPass password
# lookup('pipe', 'lpass ls ' + lastpass_portal_credentials_server) == '': Password is missing in LastPass
ansible_become_pass="{{ lookup('community.general.lastpass', lastpass_portal_credentials_server, field='password') if (lastpass_required|default(False) and not (lastpass_allow_missing_user_credentials|default(False) and lookup('pipe', 'lpass ls ' + lastpass_portal_credentials_server) == '')) else '' }}"
webportal_user_pass_hash="{{ ansible_become_pass | password_hash('sha512', 65534 | random(seed=inventory_hostname) | string) }}"

Migration Wizard

If you want to migrate your secrets from LastPass to one of the new secrets manager options (plaintext or HashiCorp Vault), you can use the migration wizard script we provide.