我正在尝试将我的 group_vars 拆分为未加密的“vars”和加密的“Vault”。由于官方文档很短,我按照这里给出的非常详尽的教程进行操作。通过他们的示例设置,我可以使其工作。vars 文件引用拱形部分,如下所示:
mysql_port: 3306
mysql_host: 10.0.0.3
mysql_user: fred
mysql_password: "{{ vault_mysql_password }}"
现在我的真实用例在这些文件中有字典,如下所示:
---
vhosts:
vhost1:
mysql_user: fred
mysql_password: "{{ vault_mysql_password }}"
vhost2:
mysql_user: frida
mysql_password: "{{ vault_mysql_password }}"
我的保管库文件以类似的方式组织,这就是行不通的:
---
vhosts:
vhost1:
vault_mysql_password: secret1
vhost2:
vault_mysql_password: secret2
我得到的结果是:Ansible 确实找到了所有加密的变量。但它声称常规的未定义。这是调试输出中缺少 mysql_user 的调试命令的输出:
ansible --ask-vault-pass -m debug -a 'var=hostvars[inventory_hostname]' database
Vault password:
localhost | SUCCESS => {
"hostvars[inventory_hostname]": {
"ansible_check_mode": false,
"ansible_connection": "local",
"ansible_playbook_python": "/usr/bin/python",
"ansible_version": {
"full": "2.4.1.0",
"major": 2,
"minor": 4,
"revision": 1,
"string": "2.4.1.0"
},
"group_names": [
"database"
],
"groups": {
"all": [
"localhost"
],
"database": [
"localhost"
],
"ungrouped": []
},
"inventory_dir": "/home/user/ansible/vault-test",
"inventory_file": "/home/user/ansible/vault-test/hosts",
"inventory_hostname": "localhost",
"inventory_hostname_short": "localhost",
"omit": "__omit_place_holder__2aa3b7d59a4009e07f27cf11ffabda560533de17",
"playbook_dir": "/home/user/ansible/vault-test",
"vhosts": {
"vhost1": {
"vault_mysql_password": "secret1"
},
"vhost2": {
"vault_mysql_password": "secret2"
}
}
}
}
非常感谢我必须做的任何提示!还是我试图做一件不可能的事情?