Is there a way to have both encrypted and unencrypted host variables?

Problem description

If I encrypt host_vars/* files with ansible-vault, I don't seem to have a chance to have nonencrypted host vars other than those residing in the inventory file. Am I missing something?

Recommended answer

As it turns out, host_vars- and group_vars-files might be directories in actuality. That is, instead of creating host_vars/example.com one might create host_vars/example.com/vault and host_vars/example.com/vars. All the files residing in the directory are read. Which settles it.

Additionally, the best practice is to store sensitive variables prefixed with vault_ in the vault file, and reassign them to non-prefixed variables in the vars file. Like so:

vault:

vault_mysql_password: '...'

vars:

mysql_password: '{{ vault_mysql_password }}'

That way, you'll be able to find encrypted variables with grep, or any similar tool.
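
An added example, not part of the original answer: a Python check for the directory layout described above. It flags a vault file that is stored unencrypted and a vault_-prefixed variable defined in a plaintext file. The hosts other than example.com, the group_vars/all directory, vault_api_token and all file contents are constructed for illustration; the check assumes ansible-vault output begins with `$ANSIBLE_VAULT;`.

```python
import re
import tempfile
from pathlib import Path

VAULT_HEADER = "$ANSIBLE_VAULT;"                   # start of every ansible-vault encrypted file
KEY_DEF = re.compile(r"^\s*(vault_\w+)\s*:", re.M)  # a vault_-prefixed key being defined


def audit_vars_tree(root):
    """Return (relative_path, problem) findings for host_vars/ and group_vars/ directories."""
    root = Path(root)
    findings = []
    for top in ("host_vars", "group_vars"):
        for entry in sorted((root / top).glob("*")):
            if not entry.is_dir():
                continue  # single-file form: nothing to split into vault/vars
            for f in sorted(p for p in entry.iterdir() if p.is_file()):
                text = f.read_text(errors="replace")
                rel = f.relative_to(root).as_posix()
                if text.startswith(VAULT_HEADER):
                    continue  # encrypted, contents cannot be inspected without the password
                if f.stem == "vault":
                    findings.append((rel, "vault file is not encrypted"))
                    continue
                # Plaintext vars files may reference vault_ variables, not define them.
                for name in KEY_DEF.findall(text):
                    findings.append((rel, f"{name} defined in plaintext file"))
    return findings


def build_sample_tree():
    """Create a constructed inventory tree in a temporary directory and return its path."""
    root = Path(tempfile.mkdtemp())
    files = {
        # Constructed ciphertext body; only the header line matters to the check.
        "host_vars/example.com/vault": "$ANSIBLE_VAULT;1.1;AES256\n6162636465660a\n",
        "host_vars/example.com/vars": "mysql_password: '{{ vault_mysql_password }}'\n",
        "host_vars/db.example.com/vault": "vault_mysql_password: 'constructed-placeholder'\n",
        "group_vars/all/vars": "vault_api_token: 'constructed-placeholder'\n",
    }
    for rel, body in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)
    return root


if __name__ == "__main__":
    for rel, problem in audit_vars_tree(build_sample_tree()):
        print(f"{rel}: {problem}")
```

Run against a real repository root, this works as a pre-commit or CI check, since it needs no vault password.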

10-29 03:13