How to check whether an encrypted variable has been decrypted



I have an Ansible-encrypted variable. Now I want to be able to run my playbook even when I have not unlocked the variable (with --ask-vault-pass), and simply skip the tasks that depend on it. Ideally there would be a warning saying that the task was skipped.

Right now, when I run my playbook without --ask-vault-pass, it fails with the error:

fatal: […]: FAILED! => {"changed": false, "msg": "AnsibleError: templating '{{ (samba_passwords|string|from_yaml)[samba_username] }}'. Error was <class 'ansible.parsing.vault.AnsibleVaultError'>, original message: Attempting to decrypt but no vault secrets found"}

Is there a way to check, in a when: clause, whether an encrypted variable has not been decrypted and is therefore not accessible?

Q: "Check whether an encrypted variable has been decrypted. Skip the tasks that depend on it. Ideally with a warning saying that the task was skipped."

A: For example, given a file with a variable

shell> cat vars-test.yml
test_var1: test var1

Encrypt the file

shell> ansible-vault encrypt vars-test.yml
New Vault password: 
Confirm New Vault password: 
Encryption successful
shell> cat vars-test.yml
$ANSIBLE_VAULT;1.1;AES256
61373230346437306135303463393166323063656561623863306333313837666561653466393835
3738666532303836376139613766343930346263633032330a323336643061373039613330653237
30666364376266396633613162626536383161306262613062373239343232663935376364383431
6335623366613834360a336531656537626662376166323766376433653232633139383636613963
64356632633863353534323636313231633866613635343962383463636565303032

Then the playbook

shell> cat pb.yml
- hosts: test_01
  tasks:
    - include_vars: vars-test.yml
      ignore_errors: true
    - set_fact:
        test_var1: "{{ test_var1|default('default') }}"
    - name: Execute tasks if test_var1 was decrypted
      block:
        - debug:
            msg: Execute task1
        - debug:
            msg: Execute task2
      when: test_var1 != 'default'

gives (abridged)

shell> ansible-playbook pb.yml --ask-vault-pass
TASK [include_vars] ****
ok: [test_01]
TASK [set_fact] ****
ok: [test_01]
TASK [debug] ****
ok: [test_01] => 
  msg: Execute task1
TASK [debug] ****
ok: [test_01] => 
  msg: Execute task2

If you do not provide the password to the command, the playbook gives (abridged)

shell> ansible-playbook pb.yml
PLAY [test_01] ****
TASK [include_vars] ****
fatal: [test_01]: FAILED! => changed=false 
  ansible_facts: {}
  ansible_included_var_files: []
  message: Attempting to decrypt but no vault secrets found
...ignoring
TASK [set_fact] ****
ok: [test_01]
TASK [debug] ****
skipping: [test_01]
TASK [debug] ****
skipping: [test_01]

I have looked into this but have not found any way. The simple way to handle this situation is to use ignore_errors: yes in the task.
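The answer above covers a vault-encrypted file loaded with include_vars. The question, however, uses an inline !vault variable (samba_passwords), where the decryption error only surfaces when the variable is templated. The same pattern still applies: attempt the templating in a throwaway set_fact with ignore_errors, register the result, and branch on it. The playbook below is an added example, not code from the original post; it assumes a host group test_01, a samba_username variable, and a placeholder in place of the real ciphertext, and it adds the explicit skip warning the question asked for.

```yaml
# Added example (not from the original post). Assumptions: host group test_01
# exists; the !vault body is a constructed placeholder, replace it with the
# output of: ansible-vault encrypt_string --name samba_passwords
- hosts: test_01
  vars:
    samba_username: alice
    samba_passwords: !vault |
      $ANSIBLE_VAULT;1.1;AES256
      <placeholder ciphertext, constructed for this example>
  tasks:
    # Templating the vaulted value forces decryption. Without a vault secret
    # this task fails with "Attempting to decrypt but no vault secrets found";
    # ignore_errors lets the play continue and register records the failure.
    - name: Try to decrypt samba_passwords
      set_fact:
        samba_password_plain: "{{ (samba_passwords | string | from_yaml)[samba_username] }}"
      register: vault_check
      ignore_errors: true
      no_log: true   # keep the decrypted secret out of the play output

    # The warning the question asked for: printed only when decryption failed.
    - name: Warn that vault-dependent tasks are skipped
      debug:
        msg: "WARNING: no vault secret could decrypt samba_passwords; skipping Samba tasks"
      when: vault_check is failed

    # Everything that needs the secret is gated on the registered result,
    # so nothing here is ever templated against an undecryptable value.
    - name: Tasks that need the decrypted variable
      block:
        - debug:
            msg: "Would configure Samba password for {{ samba_username }}"
      when: vault_check is not failed
```

Run with --ask-vault-pass (or --vault-password-file) to execute the block; run without it to see the warning and the skipped tasks.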
