I usually use encrypt_string to encrypt secrets in my ansible roles, but I have a new boss who insists on encrypting whole files, and I can't seem to get that to work with ansible roles.
Here is a simple example that shows what my problem is.
bash-3.2$ tree
.
├── playbooks
│   └── run_foo.yml
└── roles
    └── foo
        ├── tasks
        │   └── main.yml
        └── vars
            ├── main.yml
            └── vault.yml

5 directories, 4 files
Here is a playbook that uses this role.
bash-3.2$ cat playbooks/run_foo.yml
---
- name: Run Foo
  hosts: all
  roles:
    - role: ../roles/foo
The role:
bash-3.2$ cat roles/foo/tasks/main.yml
---
# tasks file for foo
- name: Show us debug clear_text
  debug:
    var: clear_text
- name: Show us debug password
  debug:
    var: password
Here is my vars/main.yml file:
bash-3.2$ cat roles/foo/vars/main.yml
---
# vars file for foo
include_vars: vault.yml
clear_text: 12345
Here is my encrypted vault.yml file:
bash-3.2$ cat roles/foo/vars/vault.yml
$ANSIBLE_VAULT;1.1;AES256
64653334323939303461653839353634666162383130326533306234636232656162306661383761
6339376233366638643331373831316638373263663830350a333733653039353939656633376333
31323232666633373633393032396232613830393735396139376333353035633566376465636536
3930633964633861620a633735343066313938633733303538333864353665393062626338356665
63363666636638623964336461346366323565323563316434323439626239633734
Here is what it looks like decrypted:
bash-3.2$ ansible-vault view roles/foo/vars/vault.yml
Vault password:
password: hovercraft
And here is what happens when I run the playbook:
bash-3.2$ ansible-playbook -i,localhost playbooks/run_foo.yml --connection=local --ask-vault-pass
Vault password:
PLAY [Run Foo] ******************************************************************************************************************************************************************************
TASK [Gathering Facts] **********************************************************************************************************************************************************************
[WARNING]: error loading fact - please check content
[WARNING]: Platform darwin on host localhost is using the discovered Python interpreter at /Library/Frameworks/Python.framework/Versions/3.6/bin/python3.6, but future installation of
another Python interpreter could change the meaning of that path. See https://docs.ansible.com/ansible/2.10/reference_appendices/interpreter_discovery.html for more information.
ok: [localhost]
TASK [../roles/foo : Show us debug clear_text] **********************************************************************************************************************************************
ok: [localhost] => {
    "clear_text": 12345
}
TASK [../roles/foo : Show us debug password] ************************************************************************************************************************************************
ok: [localhost] => {
    "password": "VARIABLE IS NOT DEFINED!"
}
PLAY RECAP **********************************************************************************************************************************************************************************
localhost : ok=3 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
Is it possible to use an encrypted vault.yml file the way my new manager wants?
Put both files into the directory vars/main. All files in vars/main are included automatically. For example,
shell> tree .
.
├── ansible.cfg
├── hosts
├── roles
│   └── foo
│       ├── tasks
│       │   └── main.yml
│       └── vars
│           └── main
│               ├── main.yml
│               └── vault.yml
└── run_foo.yml
shell> cat roles/foo/tasks/main.yml
- debug:
    var: clear_text
- debug:
    var: password
shell> cat roles/foo/vars/main/main.yml
clear_text: 12345
shell> cat roles/foo/vars/main/vault.yml
password: hovercraft
shell> cat run_foo.yml
- hosts: all
  roles:
    - foo
gives
shell> cat hosts
localhost
shell> ansible-playbook run_foo.yml
PLAY [all] ***********************************************************************************
TASK [foo : debug] ***************************************************************************
ok: [localhost] =>
clear_text: 12345
TASK [foo : debug] ***************************************************************************
ok: [localhost] =>
password: hovercraft
PLAY RECAP ***********************************************************************************
localhost: ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
Using an encrypted vault.yml gives the same result. Encrypting the whole file is simpler and safer. Instead of the code, you update and encrypt this file only. Besides that, there is the use case where each user maps their own vault.yml override.
Notes
- Use the role's directory defaults
Do not put assignments into the role's directory vars/main or file vars/main.yml. The purpose of the role's vars is to override the role's defaults. See Understanding variable precedence. An update of the role would overwrite a user's potential customizations in vars if you distribute it. In development, ignore vars/main in version control.
Put vault.yml into the directory defaults
shell> cat roles/foo/defaults/main/vault.yml
password: hovercraft
and test the password
shell> cat roles/foo/tasks/main.yml
- assert:
    that: password != 'hovercraft'
    fail_msg: Change and encrypt password!
  when: assert_password|d(true)|bool
- debug:
    var: clear_text
- debug:
    var: password
By default, a user will see
shell> ansible-playbook run_foo.yml
PLAY [all] ***********************************************************************************
TASK [foo : assert] **************************************************************************
fatal: [localhost]: FAILED! => changed=false
  assertion: password != 'hovercraft'
  evaluated_to: false
  msg: Change and encrypt password!
Turn off the assert for testing
shell> ansible-playbook run_foo.yml -e assert_password=false
- Limit the scope of the secret
You can limit the scope of the secrets to the tasks that need them. For example, put the password into a file
shell> cat vars/password.yml
my secret password
Read it in the tasks
shell> cat roles/foo/tasks/main.yml
- assert:
    that: password != 'hovercraft'
    fail_msg: Change and encrypt password!
  when: assert_password|d(true)|bool
  vars:
    password: "{{ lookup('file', password_path) }}"
- debug:
    var: clear_text
- debug:
    var: password
  vars:
    password: "{{ lookup('file', password_path) }}"
Provide the path to the file, e.g. in the playbook
shell> cat run_foo.yml
- hosts: all
  vars:
    password_path: "{{ playbook_dir }}/vars/password.yml"
  roles:
    - foo
gives
shell> ansible-playbook run_foo.yml
PLAY [all] ***********************************************************************************
TASK [foo : assert] **************************************************************************
ok: [localhost] => changed=false
msg: All assertions passed
TASK [foo : debug] ***************************************************************************
ok: [localhost] =>
clear_text: 12345
TASK [foo : debug] ***************************************************************************
ok: [localhost] =>
password: my secret password
PLAY RECAP ***********************************************************************************
localhost: ok=3 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
The encryption of the file is transparent to the file lookup. This also solves your other question about "use grep to find things in the code"
shell> grep -r password: roles/
roles/foo/defaults/main/vault.yml:password: hovercraft
roles/foo/tasks/main.yml: password: "{{ lookup('file', password_path) }}"
roles/foo/tasks/main.yml: password: "{{ lookup('file', password_path) }}"
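A repository-side companion to the `assert` check above, added here as an example in Python and not part of the answer: it parses the ansible-vault envelope from the question without the vault password, sanity-checks its structure, and flags any file named vault.yml whose content is still plaintext. The field layout (hex of "salt\nhmac\nciphertext" after the header line) is assumed from ansible-vault's 1.1/1.2 AES256 format; the file mapping passed to audit_vault_files is constructed.

```python
import binascii
from typing import Dict, List

VAULT_MAGIC = "$ANSIBLE_VAULT"

# Envelope copied from the question's roles/foo/vars/vault.yml; it decrypts to
# "password: hovercraft", but nothing below needs the vault password.
SAMPLE_VAULT = """$ANSIBLE_VAULT;1.1;AES256
64653334323939303461653839353634666162383130326533306234636232656162306661383761
6339376233366638643331373831316638373263663830350a333733653039353939656633376333
31323232666633373633393032396232613830393735396139376333353035633566376465636536
3930633964633861620a633735343066313938633733303538333864353665393062626338356665
63363666636638623964336461346366323565323563316434323439626239633734
"""

def is_vault_encrypted(text: str) -> bool:
    return text.lstrip().startswith(VAULT_MAGIC + ";")

def parse_vault_envelope(text: str) -> Dict[str, object]:
    """Split a 1.1/1.2 AES256 envelope into its fields without decrypting it."""
    lines = text.strip().splitlines()
    header = lines[0].strip().split(";")
    if header[0] != VAULT_MAGIC or len(header) < 3:
        raise ValueError("not an ansible-vault envelope")
    # Body is hex of "salt_hex\nhmac_hex\nciphertext_hex", wrapped at 80 columns.
    body = binascii.unhexlify("".join(l.strip() for l in lines[1:]))
    salt_hex, hmac_hex, ct_hex = body.split(b"\n")
    return {"version": header[1], "cipher": header[2],
            "vault_id": header[3] if len(header) > 3 else None,  # only in format 1.2
            "salt": binascii.unhexlify(salt_hex), "hmac": binascii.unhexlify(hmac_hex),
            "ciphertext": binascii.unhexlify(ct_hex)}

def envelope_problems(env: Dict[str, object]) -> List[str]:
    """Structural sanity checks; wrong sizes point to a hand-edited or corrupted file."""
    problems = [] if env["cipher"] == "AES256" else [f"unexpected cipher {env['cipher']}"]
    for name, expected in (("salt", 32), ("hmac", 32)):  # 32-byte salt, HMAC-SHA256 tag
        if len(env[name]) != expected:
            problems.append(f"{name} is {len(env[name])} bytes, expected {expected}")
    if len(env["ciphertext"]) % 16:  # plaintext is PKCS7-padded to the AES block size
        problems.append("ciphertext length is not a multiple of the AES block size")
    return problems

def audit_vault_files(files: Dict[str, str]) -> List[str]:
    """Paths of files named vault.yml/vault.yaml whose content is not vault-encrypted."""
    return sorted(path for path, content in files.items()
                  if path.rsplit("/", 1)[-1] in ("vault.yml", "vault.yaml")
                  and not is_vault_encrypted(content))
```

Run audit_vault_files over the role tree in a pre-commit hook; a non-empty result means a vault.yml was committed in the clear, the same failure the `assert` task catches at run time.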
It looks like you're trying to use include_vars in a vars file. That won't work; include_vars is an Ansible module, and it only works in a task list (i.e., a playbook, a role, or similar). So you could write roles/foo/tasks/main.yaml like this:
- name: load encrypted vars
  include_vars:
    file: vault.yaml
- name: show us debug clear_text
  debug:
    var: clear_text
- name: show us debug password
  debug:
    var: password
Assuming you have roles/foo/vars/main.yaml that looks like this:
clear_text: this is clear text
and roles/foo/vars/vault.yaml created like this:
echo 'password: hovercraft' |
  ansible-vault encrypt > roles/foo/vars/vault.yaml
We could write the playbook like this:
- hosts: localhost
  gather_facts: false
  roles:
    - foo
And then run it like this:
$ ansible-playbook playbook.yaml --ask-vault-password
And get the following output:
PLAY [localhost] **************************************************************************************************************************************************************************************************
TASK [foo : load encrypted vars] **********************************************************************************************************************************************************************************
ok: [localhost]
TASK [foo : show us debug clear_text] *****************************************************************************************************************************************************************************
ok: [localhost] => {
"clear_text": "this is clear text"
}
TASK [foo : show us debug password] *******************************************************************************************************************************************************************************
ok: [localhost] => {
"password": "hovercraft"
}
PLAY RECAP ********************************************************************************************************************************************************************************************************
localhost : ok=3 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
You can find the complete example in this repository.
If you want the encrypted file to be loaded automatically without an explicit include_vars, move it out of the role and into group_vars or host_vars.