我设置了一个动态清单,从MySQL数据库中提取主机及其变量。动态库存本身运行良好。
库存中的一些变量是敏感的,所以我不希望将它们存储为纯文本。
因此,作为测试,我使用加密了一个值
ansible-vault encrypt_string 'foobar'
结果是:
!vault |
$ANSIBLE_VAULT;1.1;AES256
39653264643032353830336333356665663638353839356162386462303338363661333564633737
3737356131303563626564376634313865613433346438630a343534363066393431633366393863
30333636386536333166363533373239303864633830653566316663616432633336393936656233
6633666134306530380a356664333834353265663563656162396435353030663833623166363466
6436
Encryption successful
我决定将加密后的值作为一个变量存储在MySQL中。为避免疑义,经过一些测试后,您可以将加密字符串规范化为:
$ANSIBLE_VAULT;1.1;AES256
363635393063363466313636633166356562396562336633373239333630643032646637383866656463366137623232653531613135623464353932653665300a376461666332626538386263343732333039356663363132333533663339313466346435373064343931383536393736303731393834323964613063323362370a3361313132396239336130643839623939346438616363383932616639656463
你可以用一个简单的剧本来测试这种格式:
---
- hosts: all
gather_facts: no
vars:
final_var: !vault "$ANSIBLE_VAULT;1.1;AES256n363635393063363466313636633166356562396562336633373239333630643032646637383866656463366137623232653531613135623464353932653665300a376461666332626538386263343732333039356663363132333533663339313466346435373064343931383536393736303731393834323964613063323362370a3361313132396239336130643839623939346438616363383932616639656463"
tasks:
- name: Display variable
debug:
msg: "{{ final_var }}"
当执行剧本时,会观察到以下输出:
ok: [target] => {
"msg": "foobar"
}
当试图从库存中获取变量(my_secret(而不是直接在文件中引用它时,就会出现困难。
---
- hosts: all
gather_facts: no
vars:
final_var: !vault "{{ my_secret }}"
tasks:
- name: Display variable
debug:
msg: "{{ final_var }}"
这导致:
fatal: [target]: FAILED! => {"msg": "input is not vault encrypted data"}
现在,虽然我已经讲了很多关于MySQL中动态清单中存储的值,但如果我们从等式中删除它,我们可以得到类似的行为。
---
- hosts: all
gather_facts: no
vars:
secret: "$ANSIBLE_VAULT;1.1;AES256n363635393063363466313636633166356562396562336633373239333630643032646637383866656463366137623232653531613135623464353932653665300a376461666332626538386263343732333039356663363132333533663339313466346435373064343931383536393736303731393834323964613063323362370a3361313132396239336130643839623939346438616363383932616639656463"
final_var: !vault "{{ secret }}"
tasks:
- name: Display variable
debug:
msg: "{{ final_var }}"
这与工作示例几乎相同,但加密字符串不是内联编写的,而是来自另一个变量。
这导致了相同的错误:
fatal: [target]: FAILED! => {"msg": "input is not vault encrypted data"}
这可能表明更广泛的问题是,由于某种原因,Ansible无法解析作为变量存储的加密数据。也许在解析YAML时,它实际上是在尝试解密"{{ my_secret }}"而不是$ANSIBLE_VAULT;1.1;AES256 ...。
这是有道理的,但我想从你们身边跑过去,问问是否有办法解决这个问题,或者你是否建议完全不同的方法。谢谢
最好将变量放入加密文件中。将加密的文件存储在MySQL中,而不是加密的变量。如果你已经"建立了一个动态清单,从MySQL数据库中提取主机及其变量">修改设置应该没有问题。从数据库中提取加密的文件,并将其存储在host_var(和/或group_var、play-vars、role-vars…(中,而不是将加密的变量存储在清单中(和/或者playbook、role…的代码中(。这样,在代码中,您就不在乎变量是否加密。
例如
shell> tree host_vars/
host_vars/
├── test_01
│ └── final_var.yml
├── test_02
│ └── final_var.yml
└── test_03
└── final_var.yml
shell> cat host_vars/test_01/final_var.yml
final_var: final_var for test_01
shell> cat host_vars/test_02/final_var.yml
final_var: final_var for test_02
shell> cat host_vars/test_03/final_var.yml
final_var: final_var for test_03
对文件进行加密。例如
shell> ansible-vault encrypt host_vars/test_01/final_var.yml
Encryption successful
shell> cat host_vars/test_01/final_var.yml
$ANSIBLE_VAULT;1.1;AES256
37363965336263366466336236336466323033353763656262633836323062626135613834396435
3665356363396132356131663336396138663962646434330a346433353039383864333638633462
35623034363338356362346133303262393233346439363264353036386337356236336135626434
6533333864623132330a346566656630376439643533373263303338313063373239343463333431
62353230323336383263376335613635616339383934313164323938363066616136373036326461
3538613937663530326364376335343438366139366639303230
然后是下面的剧本
- hosts: test_01,test_02,test_03
tasks:
- debug:
msg: "{{ inventory_hostname }}: {{ final_var }}"
给出(节略(
"msg": "test_02: final_var for test_02"
"msg": "test_01: final_var for test_01"
"msg": "test_03: final_var for test_03"