Question
If I encrypt host_vars/* files with ansible-vault, I don't seem to have a chance to have nonencrypted host vars other than those residing in the inventory file. Am I missing something?
Answer
As it turns out, host_vars- and group_vars-files might be directories in actuality. That is, instead of creating host_vars/example.com one might create host_vars/example.com/vault and host_vars/example.com/vars. All the files residing in the directory are read. Which settles it.
Additionally, the best practice is to store sensitive variables prefixed with vault_ in the vault file, and reassign them to non-prefixed variables in the vars file. Like so:

vault:
    vault_mysql_password: '...'

vars:
    mysql_password: '{{ vault_mysql_password }}'

That way, you'll be able to find encrypted variables with grep, or any similar tool.
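The layout above is easy to get wrong in a repository (a vault file committed before it was encrypted, or a vault_ variable defined directly in vars). Below is an added example, not code from the original answer or from Ansible, of a small pre-commit style check over host_vars/<host>/{vault,vars}; it assumes an encrypted vault file starts with the "$ANSIBLE_VAULT;" header and that any vault_-prefixed key defined in a plain vars file is a plaintext secret.

```python
# Added example (not from the original answer): lint the host_vars/<host>/{vault,vars}
# layout. Assumption: an ansible-vault encrypted file starts with "$ANSIBLE_VAULT;".
import os
import re
import tempfile

VAULT_HEADER = "$ANSIBLE_VAULT;"
KEY_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*):")  # top-level YAML key


def check_host_dir(host_dir):
    """Return findings for one host_vars/<host>/ directory (empty list = OK)."""
    findings = []
    vault_path = os.path.join(host_dir, "vault")
    vars_path = os.path.join(host_dir, "vars")
    if os.path.exists(vault_path):
        with open(vault_path) as fh:
            if not fh.readline().startswith(VAULT_HEADER):
                findings.append(f"{vault_path}: vault file is not encrypted")
    if os.path.exists(vars_path):
        with open(vars_path) as fh:
            for line in fh:
                m = KEY_RE.match(line)
                if m and m.group(1).startswith("vault_"):  # secret outside the vault
                    findings.append(f"{vars_path}: defines {m.group(1)} in plaintext")
    return findings


def check_host_vars(root):
    """Walk root/host_vars/ and collect findings for every host directory."""
    base = os.path.join(root, "host_vars")
    return [f for name in sorted(os.listdir(base))
            if os.path.isdir(os.path.join(base, name))
            for f in check_host_dir(os.path.join(base, name))]


def build_sample_tree():
    """Constructed sample: example.com follows the pattern, bad.example.com does not."""
    root = tempfile.mkdtemp()
    files = {
        "example.com/vault": "$ANSIBLE_VAULT;1.1;AES256\n3030303030\n",  # constructed dummy body
        "example.com/vars": "mysql_password: '{{ vault_mysql_password }}'\n",
        "bad.example.com/vault": "vault_mysql_password: 'hunter2'\n",  # never encrypted
        "bad.example.com/vars": "vault_api_token: 'abc123'\n",  # secret defined in plain vars
    }
    for rel, body in files.items():
        path = os.path.join(root, "host_vars", rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return root
```

Running check_host_vars(build_sample_tree()) reports two findings, both for bad.example.com, and none for example.com.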