
Ansible: how do I use regular and encrypted variables inside a dictionary in group_vars?


I am trying to split my group_vars into unencrypted "vars" and encrypted "vault" files. Since the official documentation is rather short, I followed a very thorough tutorial here. With their example setup I can get it to work. The vars file references the vaulted part like this:

mysql_port: 3306
mysql_host: 10.0.0.3
mysql_user: fred
mysql_password: "{{ vault_mysql_password }}"

Now, my real use case has dictionaries like this in those files:

---
vhosts:
    vhost1:
      mysql_user: fred
      mysql_password: "{{ vault_mysql_password }}"
    vhost2:
      mysql_user: frida
      mysql_password: "{{ vault_mysql_password }}"

My vault file is organised the same way, and this is what does not work:

---
vhosts:
    vhost1:
      vault_mysql_password: secret1
    vhost2:
      vault_mysql_password: secret2

What I get is this: Ansible does find all the encrypted variables, but it claims the regular ones are undefined. Here is the output of the debug command, where mysql_user is missing from the debug output:

ansible --ask-vault-pass -m debug -a 'var=hostvars[inventory_hostname]' database
Vault password: 
localhost | SUCCESS => {
    "hostvars[inventory_hostname]": {
        "ansible_check_mode": false, 
        "ansible_connection": "local", 
        "ansible_playbook_python": "/usr/bin/python", 
        "ansible_version": {
            "full": "2.4.1.0", 
            "major": 2, 
            "minor": 4, 
            "revision": 1, 
            "string": "2.4.1.0"
        }, 
        "group_names": [
            "database"
        ], 
        "groups": {
            "all": [
                "localhost"
            ], 
            "database": [
                "localhost"
            ], 
            "ungrouped": []
        }, 
        "inventory_dir": "/home/user/ansible/vault-test", 
        "inventory_file": "/home/user/ansible/vault-test/hosts", 
        "inventory_hostname": "localhost", 
        "inventory_hostname_short": "localhost", 
        "omit": "__omit_place_holder__2aa3b7d59a4009e07f27cf11ffabda560533de17", 
        "playbook_dir": "/home/user/ansible/vault-test", 
        "vhosts": {
            "vhost1": {
                "vault_mysql_password": "secret1"
            }, 
            "vhost2": {
                "vault_mysql_password": "secret2"
            }
        }
    }
}

Any hint as to what I have to do is very much appreciated! Or am I trying to do something impossible?

1 Answer

  • 1

    Encrypted variables behave exactly the same as unencrypted ones. In your case you simply override the vhosts var from the plain vars file with the vhosts that comes from the vault file.

    This will work:

    ---
    vhosts:
        vhost1:
          mysql_user: fred
          mysql_password: "{{ vault_vhosts.vhost1.vault_mysql_password }}"
        vhost2:
          mysql_user: frida
          mysql_password: "{{ vault_vhosts.vhost2.vault_mysql_password }}"
    
    ---
    vault_vhosts:
        vhost1:
          vault_mysql_password: secret1
        vhost2:
          vault_mysql_password: secret2
    

    Or this:

    ---
    vhosts:
        vhost1:
          mysql_user: fred
          mysql_password: "{{ vault_vhost1_mysql_password }}"
        vhost2:
          mysql_user: frida
          mysql_password: "{{ vault_vhost2_mysql_password }}"
    
    ---
    vault_vhost1_mysql_password: secret1
    vault_vhost2_mysql_password: secret2
    
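As an added illustration (not part of the question or the answer above), the following Python script reproduces the behaviour the answer describes without needing Ansible installed. It assumes two things about Ansible that the script emulates rather than calls: the default `hash_behaviour=replace`, under which a top-level key defined in a later group_vars file replaces the earlier one wholesale instead of being merged, and alphabetical loading of files in a `group_vars/<group>/` directory, so that `vault` is loaded after `vars`. The dicts are the constructed, already-parsed content of the files shown on this page; the `{{ ... }}` resolver is a hypothetical minimal stand-in for Jinja that only handles a single bare dotted reference. The `unresolved_vault_refs` function is the check a practitioner would want to run before committing: it reports every reference in the plain file that points at a vault name that does not exist, which catches key mismatches such as `host1` versus `vhost1`.

```python
import re
from typing import Any, Dict, List

# Constructed sample data: parsed content of the question's colliding files.
# Both define the same top-level key "vhosts".
VARS_COLLIDING = {
    "vhosts": {
        "vhost1": {"mysql_user": "fred", "mysql_password": "{{ vault_mysql_password }}"},
        "vhost2": {"mysql_user": "frida", "mysql_password": "{{ vault_mysql_password }}"},
    }
}
VAULT_COLLIDING = {
    "vhosts": {
        "vhost1": {"vault_mysql_password": "secret1"},
        "vhost2": {"vault_mysql_password": "secret2"},
    }
}

# Constructed sample data: the answer's layout, vault values under their own
# top-level key "vault_vhosts" so nothing collides.
VARS_SEPARATE = {
    "vhosts": {
        "vhost1": {"mysql_user": "fred",
                   "mysql_password": "{{ vault_vhosts.vhost1.vault_mysql_password }}"},
        "vhost2": {"mysql_user": "frida",
                   "mysql_password": "{{ vault_vhosts.vhost2.vault_mysql_password }}"},
    }
}
VAULT_SEPARATE = {
    "vault_vhosts": {
        "vhost1": {"vault_mysql_password": "secret1"},
        "vhost2": {"vault_mysql_password": "secret2"},
    }
}

# Constructed variant with a key typo ("host1" instead of "vhost1") in the reference.
VARS_TYPO = {
    "vhosts": {
        "vhost1": {"mysql_user": "fred",
                   "mysql_password": "{{ vault_vhosts.host1.vault_mysql_password }}"},
    }
}


def load_group_vars(*files: Dict[str, Any]) -> Dict[str, Any]:
    """Emulate Ansible's default hash_behaviour=replace (assumption, see lead-in):
    each later file's top-level keys overwrite earlier ones; nested dicts are not merged."""
    merged: Dict[str, Any] = {}
    for f in files:  # pass files in alphabetical order: vars, then vault
        merged.update(f)
    return merged


# Matches a value that is exactly one bare reference like "{{ a.b.c }}".
REF = re.compile(r"^\{\{\s*([A-Za-z_][\w.]*)\s*\}\}$")


def lookup(hostvars: Dict[str, Any], dotted: str) -> Any:
    """Follow a dotted path through nested dicts; KeyError if any step is missing."""
    cur: Any = hostvars
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            raise KeyError(dotted)
        cur = cur[part]
    return cur


def resolve(hostvars: Dict[str, Any], value: Any) -> Any:
    """Hypothetical mini-resolver (not Jinja): replace bare references with their targets."""
    if isinstance(value, dict):
        return {k: resolve(hostvars, v) for k, v in value.items()}
    if isinstance(value, str):
        m = REF.match(value)
        if m:
            return lookup(hostvars, m.group(1))
    return value


def unresolved_vault_refs(hostvars: Dict[str, Any]) -> List[str]:
    """Lint: list every reference in hostvars whose dotted target does not exist."""
    missing: List[str] = []

    def walk(v: Any) -> None:
        if isinstance(v, dict):
            for x in v.values():
                walk(x)
        elif isinstance(v, str):
            m = REF.match(v)
            if m:
                try:
                    lookup(hostvars, m.group(1))
                except KeyError:
                    missing.append(m.group(1))

    walk(hostvars)
    return sorted(set(missing))


if __name__ == "__main__":
    collided = load_group_vars(VARS_COLLIDING, VAULT_COLLIDING)
    print("colliding layout, vhost1:", collided["vhosts"]["vhost1"])   # no mysql_user, as in the debug output
    separate = load_group_vars(VARS_SEPARATE, VAULT_SEPARATE)
    print("separate layout, resolved:", resolve(separate, separate["vhosts"]))
    print("typo check:", unresolved_vault_refs(load_group_vars(VARS_TYPO, VAULT_SEPARATE)))
```

Running it shows the three things the thread turns on: with the colliding layout `vhost1` ends up holding only `vault_mysql_password`, exactly as in the question's debug output; with the answer's layout every `mysql_password` resolves to its secret while `mysql_user` survives; and a mistyped path is reported by the lint instead of surfacing as an undefined variable at play time.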
