问题描述

如果我用ansible-vault加密host_vars/*文件，除了清单文件中的主机变量外，我似乎没有机会获得未加密的主机变量.我想念什么吗?

If I encrypt host_vars/* files with ansible-vault, I don't seem to have a chance to have nonencrypted host vars other than those residing in the inventory file. Am I missing something?

推荐答案

事实证明，host_vars-和group_vars文件实际上可能是目录.即，可以创建host_vars/example.com/vault和host_vars/example.com/vars而不是创建host_vars/example.com.读取目录中的所有文件.哪个解决了.

As it turns out, host_vars- and group_vars-files might be directories in actuality. That is, instead of creating host_vars/example.com one might create host_vars/example.com/vault and host_vars/example.com/vars. All the files residing in the directory are read. Which settles it.

此外，最佳做法是存储敏感变量在vault文件中以vault_为前缀，然后将它们重新分配给vars文件中的非前缀变量.像这样:

Additionally, the best practice is to store sensitive variables prefixed with vault_ in the vault file, and reassign them to non-prefixed variables in the vars file. Like so:

vault:

vault_mysql_password: '...'

vars:

mysql_password: '{{ vault_mysql_password }}'

这样，您就可以使用grep或任何类似工具找到加密的变量.

That way, you'll be able to find encrypted variables with grep, or any similar tool.

这篇关于有没有办法同时拥有加密和未加密的主机变量?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！