1

我正在尝试将我的 group_vars 拆分为未加密的“vars”和加密的“Vault”。由于官方文档很短,我按照这里给出的非常详尽的教程进行操作。通过他们的示例设置,我可以使其工作。vars 文件引用拱形部分,如下所示:

mysql_port: 3306
mysql_host: 10.0.0.3
mysql_user: fred
mysql_password: "{{ vault_mysql_password }}"

现在我的真实用例在这些文件中有字典,如下所示:

---
vhosts:
    vhost1:
      mysql_user: fred
      mysql_password: "{{ vault_mysql_password }}"
    vhost2:
      mysql_user: frida
      mysql_password: "{{ vault_mysql_password }}"

我的保管库文件以类似的方式组织,这就是行不通的:

---
vhosts:
    vhost1:
      vault_mysql_password: secret1
    vhost2:
      vault_mysql_password: secret2

我得到的结果是:Ansible 确实找到了所有加密的变量。但它声称常规的未定义。这是调试输出中缺少 mysql_user 的调试命令的输出:

ansible --ask-vault-pass -m debug -a 'var=hostvars[inventory_hostname]' database
Vault password: 
localhost | SUCCESS => {
    "hostvars[inventory_hostname]": {
        "ansible_check_mode": false, 
        "ansible_connection": "local", 
        "ansible_playbook_python": "/usr/bin/python", 
        "ansible_version": {
            "full": "2.4.1.0", 
            "major": 2, 
            "minor": 4, 
            "revision": 1, 
            "string": "2.4.1.0"
        }, 
        "group_names": [
            "database"
        ], 
        "groups": {
            "all": [
                "localhost"
            ], 
            "database": [
                "localhost"
            ], 
            "ungrouped": []
        }, 
        "inventory_dir": "/home/user/ansible/vault-test", 
        "inventory_file": "/home/user/ansible/vault-test/hosts", 
        "inventory_hostname": "localhost", 
        "inventory_hostname_short": "localhost", 
        "omit": "__omit_place_holder__2aa3b7d59a4009e07f27cf11ffabda560533de17", 
        "playbook_dir": "/home/user/ansible/vault-test", 
        "vhosts": {
            "vhost1": {
                "vault_mysql_password": "secret1"
            }, 
            "vhost2": {
                "vault_mysql_password": "secret2"
            }
        }
    }
}

非常感谢我必须做的任何提示!还是我试图做一件不可能的事情?

4

1 回答 1

3

加密变量的行为方式与未加密变量相同。在您的情况下,您只需用来自 vaulted 文件的普通 vars 文件覆盖vhostsvar vhosts

这将起作用:

---
vhosts:
    vhost1:
      mysql_user: fred
      mysql_password: "{{ vault_vhosts.host1.vault_mysql_password }}"
    vhost2:
      mysql_user: frida
      mysql_password: "{{ vault_vhosts.host2.vault_mysql_password }}"

---
vault_vhosts:
    vhost1:
      vault_mysql_password: secret1
    vhost2:
      vault_mysql_password: secret2

或这个:

---
vhosts:
    vhost1:
      mysql_user: fred
      mysql_password: "{{ vault_vhost1_mysql_password }}"
    vhost2:
      mysql_user: frida
      mysql_password: "{{ vault_vhost2_mysql_password }}"

---
vault_vhost1_mysql_password: secret1
vault_vhost2_mysql_password: secret2
于 2017-11-02T10:56:01.020 回答