I want to use Hashicorp Vault with Ansible to retrieve a username/password that will be used in an Ansible playbook.

Vault is set up and I have created a secret. What are the steps to integrate the two? The documentation on the plugin is not very good. I tried the lookup file from Ansible, which works, but how do I use the 3rd-party plugin? Can someone help me with the following steps?

  • Install the plugin: pip install ansible-modules-hashivault
  • What is the difference between it and https://github.com/jhaals/ansible-vault?
    2.a Where do I put the environment variables (VAULT_ADDR and VAULT_TOKEN)?
  • Change ansible.cfg to point to the vault.py located in the "plugins" folder of the Ansible project
  • To test basic integration, can I use the following playbook?
    https://pypi.python.org/pypi/ansible-modules-hashivault
    - hosts: localhost
      tasks:
        - hashivault_status:
          register: 'vault_status'
    

  • I tried this, but I get:
    An exception occurred during task execution. The full traceback is:
    Traceback (most recent call last):
      File "/usr/lib/python2.7/site-packages/ansible/executor/task_executor.py", line 119, in run
        res = self._execute()
      File "/usr/lib/python2.7/site-packages/ansible/executor/task_executor.py", line 431, in _execute
        self._task.post_validate(templar=templar)
      File "/usr/lib/python2.7/site-packages/ansible/playbook/task.py", line 248, in post_validate
        super(Task, self).post_validate(templar)
      File "/usr/lib/python2.7/site-packages/ansible/playbook/base.py", line 371, in post_validate
        value = templar.template(getattr(self, name))
      File "/usr/lib/python2.7/site-packages/ansible/template/__init__.py", line 359, in template
        d[k] = self.template(variable[k], preserve_trailing_newlines=preserve_trailing_newlines, fail_on_undefined=fail_on_undefined, overrides=overrides)
      File "/usr/lib/python2.7/site-packages/ansible/template/__init__.py", line 331, in template
        result = self._do_template(variable, preserve_trailing_newlines=preserve_trailing_newlines, escape_backslashes=escape_backslashes, fail_on_undefined=fail_on_undefined, overrides=overrides)
      File "/usr/lib/python2.7/site-packages/ansible/template/__init__.py", line 507, in _do_template
        res = j2_concat(rf)
      File "<template>", line 8, in root
      File "/usr/lib/python2.7/site-packages/jinja2/runtime.py", line 193, in call
        return __obj(*args, **kwargs)
      File "/usr/lib/python2.7/site-packages/ansible/template/__init__.py", line 420, in _lookup
        instance = self._lookup_loader.get(name.lower(), loader=self._loader, templar=self)
      File "/usr/lib/python2.7/site-packages/ansible/plugins/__init__.py", line 339, in get
        self._module_cache[path] = self._load_module_source('.'.join([self.package, name]), path)
      File "/usr/lib/python2.7/site-packages/ansible/plugins/__init__.py", line 324, in _load_module_source
        module = imp.load_source(name, path, module_file)
      File "/etc/ansible/ProjectA/lookup_plugins/vault.py", line 5
        <!DOCTYPE html>
        ^
    SyntaxError: invalid syntax
    
    fatal: [win01]: FAILED! => {
        "failed": true,
        "msg": "Unexpected failure during module execution.",
        "stdout": ""
    

    Best answer

    Since you have put a lot of things into your post, I don't know where the actual problem lies, so here is how it can be done with the native lookup plugin and with jhaals/ansible-vault.

  • You can create lookup_plugins in the current directory and save vault.py in it;
  • the VAULT_ADDR and VAULT_TOKEN environment variables are as you see in the script.

  • The Bash script below (it uses screen and jq, which you may need to install) runs Vault in dev mode, sets a secret, and then runs an Ansible playbook that queries the secret using both lookup plugins:
    #!/bin/bash
    set -euo pipefail
    
    export VAULT_ADDR=http://127.0.0.1:8200
    
    if [[ ! $(pgrep -f "vault server -dev") ]]; then
        echo \"vault server -dev\" not running, starting...
        screen -S vault -d -m vault server -dev
        printf "sleeping for 3 seconds\n"
        sleep 3
    else
        echo \"vault server -dev\" already running, leaving as is...
    fi
    
    vault write secret/hello value=world excited=yes
    export VAULT_TOKEN=$(vault token-create -format=json | jq -r .auth.client_token)
    ansible-playbook playbook.yml --extra-vars="vault_token=${VAULT_TOKEN}"
    

    playbook.yml:
    ---
    - hosts: localhost
      connection: local
      tasks:
        - name: Retrieve secret/hello using native hashi_vault plugin
          debug: msg="{{ lookup('hashi_vault', 'secret=secret/hello token={{ vault_token }} url=http://127.0.0.1:8200') }}"
    
        - name: Retrieve secret/hello using jhaals vault lookup
          debug: msg="{{ lookup('vault', 'secret/hello') }}"
    

    In the end you should get:
    TASK [Retrieve secret/hello using native hashi_vault plugin] *******************
    ok: [localhost] => {
        "msg": "world"
    }
    
    TASK [Retrieve secret/hello using jhaals vault lookup] *************************
    ok: [localhost] => {
        "msg": {
            "excited": "yes",
            "value": "world"
        }
    }
    

    The word world is retrieved from Vault.
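Added example, not code from the question or from the answer above: a plain-Python version of what the two lookups do on the wire (a GET to Vault's KV v1 read endpoint with the token sent in the X-Vault-Token header, taken from VAULT_TOKEN rather than from --extra-vars on the command line, where it would be visible in the process list and shell history), run against a constructed in-process mock of `vault server -dev`, plus a check for the question's SyntaxError, which is what you get when the GitHub page for vault.py is saved instead of the raw file. The mock server, MOCK_TOKEN, and the helper names read_secret, check_plugin_source and demo are constructed for this example; the KV v1 response shape (`{"data": {...}}`) is assumed from the answer's `vault write secret/hello` and its playbook output.

```python
"""Added example: what lookup('hashi_vault') / lookup('vault') do on the
wire, against a constructed mock of 'vault server -dev', plus a sanity
check for a plugin file that is really an HTML page (the question's error).
"""
import json
import os
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Constructed sample data, standing in for "vault write secret/hello value=world excited=yes".
MOCK_SECRETS = {"secret/hello": {"value": "world", "excited": "yes"}}
MOCK_TOKEN = "s.constructed-example-token"  # constructed; not a real Vault token


class VaultError(Exception):
    """Raised when Vault refuses or cannot serve the request."""


def read_secret(path, addr=None, token=None):
    """Read a KV v1 secret the way the lookups above do (assumed API shape).

    addr/token default to VAULT_ADDR / VAULT_TOKEN, so the token never has to
    be passed on the ansible-playbook command line.
    """
    addr = addr or os.environ.get("VAULT_ADDR", "http://127.0.0.1:8200")
    token = token or os.environ.get("VAULT_TOKEN")
    if not token:
        raise VaultError("no Vault token: set VAULT_TOKEN or pass token=")
    req = Request(f"{addr.rstrip('/')}/v1/{path.strip('/')}",
                  headers={"X-Vault-Token": token})
    try:
        with urlopen(req, timeout=5) as resp:
            body = json.load(resp)
    except HTTPError as exc:
        # 403: bad or expired token / missing policy; 404: nothing at that path.
        raise VaultError(f"Vault returned HTTP {exc.code} for {path}") from None
    return body["data"]


def check_plugin_source(data, name="vault.py"):
    """Return None if `data` looks like a Python plugin, else a reason string.

    Saving the GitHub *page* instead of the raw file leaves HTML in vault.py;
    Ansible then imports it and fails with SyntaxError at '<!DOCTYPE html>'.
    """
    head = data[:512].lstrip()
    if head[:1] == b"<" or b"<!DOCTYPE" in head[:64].upper():
        return "file is HTML, not Python (download the raw file instead)"
    try:
        compile(data, name, "exec")
    except SyntaxError as exc:
        return f"not valid Python: {exc}"
    return None


def check_plugin_file(path):
    """Same check, applied to a file on disk (e.g. lookup_plugins/vault.py)."""
    with open(path, "rb") as fh:
        return check_plugin_source(fh.read(), path)


class _MockVault(BaseHTTPRequestHandler):
    """Minimal constructed stand-in for the KV v1 read endpoint of a dev server."""

    def do_GET(self):
        if self.headers.get("X-Vault-Token") != MOCK_TOKEN:
            return self._send(403, {"errors": ["permission denied"]})
        key = self.path[len("/v1/"):] if self.path.startswith("/v1/") else self.path
        if key not in MOCK_SECRETS:
            return self._send(404, {"errors": []})
        self._send(200, {"data": MOCK_SECRETS[key]})

    def _send(self, status, payload):
        data = json.dumps(payload).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the example quiet
        pass


def start_mock_vault():
    """Start the mock on an ephemeral localhost port; returns (address, server)."""
    server = HTTPServer(("127.0.0.1", 0), _MockVault)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{server.server_address[1]}", server


def demo():
    """Run the playbook's two lookups against the mock and return the results."""
    addr, server = start_mock_vault()
    try:
        full = read_secret("secret/hello", addr=addr, token=MOCK_TOKEN)
        # lookup('vault', 'secret/hello') returns the whole dict; the answer's
        # hashi_vault lookup (no ':field' given) yields just the 'value' key.
        value = full["value"]
        try:
            read_secret("secret/hello", addr=addr, token="wrong-token")
            denied = False
        except VaultError:
            denied = True
    finally:
        server.shutdown()
    return {"value": value, "full": full, "bad_token_rejected": denied}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the file prints "world" for the value, the full dict for the jhaals-style lookup, and confirms that a wrong token is refused with 403 rather than silently returning nothing; check_plugin_file("lookup_plugins/vault.py") is the quick test to run before the playbook when you see the SyntaxError from the question.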

    Regarding "ansible - Using Hashicorp Vault with Ansible - plugin setup", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/41376918/

    10-15 08:40