I want to see the actual changes from git commits in ansible-vault files.
Is there an easy way to achieve this?
You can do this very neatly, so that the ordinary git tools `git log` and `git diff` work, by using a custom git diff driver and `.gitattributes`.
Store the vault password in a file `.vault_password`, which is not committed; you should also add it to `.gitignore`.
Add a `.gitattributes` file that matches any file in the repository encrypted with ansible-vault and gives it the attribute `diff=ansible-vault`. For example, I have:
env_vars/production.yml diff=ansible-vault merge=binary
env_vars/staging.yml diff=ansible-vault merge=binary
You can also use wildcard patterns; the first element of each line, the pattern, follows the same rules as `.gitignore`. The `merge=binary` option tells git not to attempt a three-way merge of these files.
Then you have to set the diff driver for files with the attribute `diff=ansible-vault` to `ansible-vault view`:
git config --global diff.ansible-vault.textconv "ansible-vault view"
That should be it: when git computes the diff of files matching your pattern, it will decrypt them first.
So, after some digging, I built a non-trivial solution.
First store your vault password in a (.gitignored) `.vault_password` file.
In the following example, the `HEAD` and `HEAD~2` versions of the file `inventory/group_vars/xyz/vault.yml` are opened in vimdiff:
vimdiff \
<(ansible-vault view --vault-password-file=.vault_password \
<(git show HEAD:inventory/group_vars/xyz/vault.yml)) \
<(ansible-vault view --vault-password-file=.vault_password \
<(git show HEAD~2:inventory/group_vars/xyz/vault.yml))
For completeness, it's worth mentioning how to configure the diff for ansible-vaulted files globally. For example, I work with a lot of ansible repositories over here and almost all of them have some vaulted secrets. So what I want is for my configuration to be global and portable from one machine to another.
In your `~/.gitconfig` add these sections:
[core]
# The following line defines a global .gitattributes file
attributesfile = ~/.gitattributes
[diff "ansible-vault"]
textconv = "ansible-vault view"
For this to work, you need some naming pattern for ansible-vaulted files, which is something good that you should do anyway. In my case, I like to name them with the extension `.vault.yml`. So my `~/.gitattributes` file looks like this:
*.vault.yml diff=ansible-vault merge=binary
Finally, to avoid typing the password all the time, make sure you have a file in a convenient place in each repository (normally something like `.vault`, placed at the root). This file must contain the password in plain text (properly `.gitignore`d, of course) or an executable script that produces such a password.
Having that in place, go ahead and tell ansible to use the `.vault` file, by adding the following line to the global or local `ansible.cfg`:
vault_password_file = .vault
Done. Now running `git diff` will produce the readable diff that you would expect from non-vaulted files :)
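As an added example that is not part of any answer above: a small wrapper that the `textconv` setting from the first answer and from this one can point to instead of calling `ansible-vault view` directly. It passes files through unchanged when they are not actually vault-encrypted (a broad `.gitattributes` pattern can match plaintext files, and `ansible-vault view` errors on those) and refuses a password file that is readable by other users. It assumes the password file path is `.vault_password` in the repository root unless `VAULT_PASSWORD_FILE` says otherwise, and that `ansible-vault` is on PATH (`ANSIBLE_VAULT` overrides the command, which is an assumption for testing, not an ansible feature).

```shell
# Git textconv driver for ansible-vault files (added example, not from the
# answers above). In ~/.gitconfig:
#   [diff "ansible-vault"]
#       textconv = /path/to/vault-textconv
# git invokes it as: vault-textconv <path-to-file>

vault_textconv() {
    file=$1
    pw=${VAULT_PASSWORD_FILE:-.vault_password}      # assumed default location
    vault_cmd=${ANSIBLE_VAULT:-ansible-vault}        # override only for tests

    # Not vault-encrypted (no "$ANSIBLE_VAULT;" header): show it as-is so a
    # pattern like **/vault.yml that also matches plaintext never breaks diff.
    if ! head -n 1 "$file" | grep -q '^\$ANSIBLE_VAULT;'; then
        cat "$file"
        return 0
    fi

    # No password available: fall back to the ciphertext rather than failing.
    if [ ! -r "$pw" ]; then
        echo "vault-textconv: password file '$pw' not readable; showing ciphertext" >&2
        cat "$file"
        return 0
    fi

    # The password file is a plaintext secret; refuse it if group/other bits
    # are set (columns 5-10 of `ls -ld` are the group and other permissions).
    perms=$(ls -ld "$pw" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "vault-textconv: '$pw' must be mode 0600; refusing to use it" >&2
        return 1
    fi

    "$vault_cmd" view --vault-password-file="$pw" "$file"
}
```

Install it with `chmod 0755` somewhere on PATH and point `diff.ansible-vault.textconv` at it; `git check-attr diff path/to/file` confirms which files get the driver.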
Tip for Windows users:
When running on Windows you will hit the problem that ansible-vault is not available. But you can install it in your WSL.
After installing ansible-vault in WSL, the following worked for me.
.gitattributes
**/vault.yml diff=ansible-vault
.gitconfig
[core]
attributesfile = ~/.gitattributes
[diff "ansible-vault"]
textconv = sh -c 'cat $0 | wsl ansible-vault decrypt --output - --vault-password-file=~/.vault_pass'
The vault password must be in WSL at ~/.vault_pass