是否有办法使用ansible. build .uri模块发布/放置加密文件,同时无缝地从保险库解密它?还是有一个安全的解决方案(即一个安全的任务序列?)。
这个用例是上传一个许可证文件,该文件在项目的roles/the_role/files文件夹中加密存储。
ansible. build .uri模块能够找到加密的文件,但是在上传之前它不会解密它。
- name: "Nexus Update License: Uploading new License file"
ansible.builtin.uri:
url: "http://{{ inventory_hostname }}:{{ nexus_default_port }}{{ nexus_default_context_path | regex_replace('\/$', '')}}/service/rest/v1/system/license"
user: "{{ nexus_admin_account }}"
password: "{{ nexus_admin_password }}"
headers:
Content-Type: application/octet-stream
method: POST
force_basic_auth: yes
status_code: 200,204
src: "license.lic.enc" # this uploads the license still encrypted...
这个问题是类似的,但我不能使用复制模块:如何上传加密文件使用ansible保险库?
我无法找到一种方法来上传文件,同时从保险库中解密它。
一种解决方法是将文件上传到远程主机,使用它,然后确保它在任何情况下都被删除。
这比在运行ansible的主机上解密文件要好,因为其他用户可能可以访问它,而ansible执行的任务应该非常快。
# The following is slightly better as it will remove the license after use
- name: "Deploy new license"
block:
- name: "Copy license file"
ansible.builtin.copy:
src: "{{ nexus_license_file }}"
dest: "/tmp/license"
owner: "{{ nexus_os_user }}"
group: "{{ nexus_os_group }}"
mode: 0400
- name: "Nexus Update License ({{ ansible_hostname }}): Uploading new License file"
ansible.builtin.uri:
url: "http://{{ inventory_hostname }}:{{ nexus_default_port }}{{ nexus_default_context_path | regex_replace('\/$', '')}}/service/rest/v1/system/license"
user: "{{ nexus_admin_account }}"
password: "{{ nexus_admin_password }}"
headers:
Content-Type: application/octet-stream
method: POST
force_basic_auth: yes
status_code: 200,204
src: "/tmp/license"
remote_src: true
always: # Always remove the license file
- name: "Remove license file"
ansible.builtin.file:
path: "/tmp/license"
state: absent