Using vault in an ansible playbook

  • 1. Using vault in ansible core
    • 1.1 Encrypting the sensitive variable file
    • 1.2 Contents of the ansible playbook
    • 1.3 Running the playbook
  • 2. Using vault in ansible tower
    • 2.1 Creating a credential of type vault
    • 2.2 Creating an ansible tower template
    • 2.3 Running the template

Today we take ansible connecting to a Windows server as the example and explain how to use ansible vault. Sometimes the parameters we pass are sensitive and we worry about them leaking; in that case we can use ansible vault to encrypt the playbook's variable file. The decryption password is then configured in ansible tower as a credential, the ansible tower template is associated with that credential, and when the template runs it automatically uses the credential to decrypt the encrypted file and use it.

1. Using vault in ansible core

1.1 Encrypting the sensitive variable file

[root@iZj6cj20vqe3q7vt49zoxdZ ansible-best-practice]# ansible-vault encrypt ./ansible-vault/group_vars/all
New Vault password:
Confirm New Vault password:
Encryption successful
[root@iZj6cj20vqe3q7vt49zoxdZ ansible-best-practice]#

1.2 Contents of the ansible playbook

[root@iZj6cj20vqe3q7vt49zoxdZ ansible-best-practice]# cat ./ansible-vault/ansible-windows.yml
- hosts: "{{ hosts_group }}"
  remote_user: root

  tasks:
    - set_fact:
        env_name: 'china'
      when: env_name_alias=='zhonguo'

    - set_fact:
        env_name: 'china'
      when: env_name_alias=='cn'

    - set_fact:
        env_name: "{{ env_name_alias }}"
      when: env_name_alias not in ['zhonguo','cn']

    - debug:
        msg: "env_name is {{ env_name }}"

    - debug:
        msg: "env_name_alias is {{ env_name_alias }}"
        
[root@iZj6cj20vqe3q7vt49zoxdZ ansible-best-practice]# cat ./ansible-vault/group_vars/all
$ANSIBLE_VAULT;1.1;AES256
63386462363563386562393434366334643937353836366131313531343936633935623437386262
3930366332643764323230373234386163396234306336300a316535656432376430373933353436
31366430333464343465643432313834303866646235663231613664653534613262623766663436
6461353236613538340a366463666236306661653763653537616666633366356164353561346139
33323737666564383539663631633866306132386239623438646131353861613763323463643438
33343935323738306666396430373433373737623038343930646331346562613332363761376163
316531646261376430363230356637383039
[root@iZj6cj20vqe3q7vt49zoxdZ ansible-best-practice]#

1.3 Running the playbook

[root@iZj6cj20vqe3q7vt49zoxdZ ansible-best-practice]# ansible-playbook -i "ec2-18-163-55-107.ap-east-1.compute.amazonaws.com," ./ansible-vault/ansible-windows.yml -e "hosts_group=all ansible_user='Administrator' ansible_port='5986' ansible_connection='winrm' ansible_winrm_transport=ntlm ansible_winrm_server_cert_validation=ignore ansible_winrm_read_timeout_sec=180 remote_user=Administrator env_name_alias=cn" --ask-vault-pass
Vault password:
 [WARNING]: Found variable using reserved name: remote_user


PLAY [all] ********************************************************************************************************************************************************

TASK [Gathering Facts] ********************************************************************************************************************************************
ok: [ec2-18-163-55-107.ap-east-1.compute.amazonaws.com]

TASK [set_fact] ***************************************************************************************************************************************************
skipping: [ec2-18-163-55-107.ap-east-1.compute.amazonaws.com]

TASK [set_fact] ***************************************************************************************************************************************************
ok: [ec2-18-163-55-107.ap-east-1.compute.amazonaws.com]

TASK [set_fact] ***************************************************************************************************************************************************
skipping: [ec2-18-163-55-107.ap-east-1.compute.amazonaws.com]

TASK [debug] ******************************************************************************************************************************************************
ok: [ec2-18-163-55-107.ap-east-1.compute.amazonaws.com] => {
    "msg": "env_name is china"
}

TASK [debug] ******************************************************************************************************************************************************
ok: [ec2-18-163-55-107.ap-east-1.compute.amazonaws.com] => {
    "msg": "env_name_alias is cn"
}

PLAY RECAP ********************************************************************************************************************************************************
ec2-18-163-55-107.ap-east-1.compute.amazonaws.com : ok=4    changed=0    unreachable=0    failed=0

[root@iZj6cj20vqe3q7vt49zoxdZ ansible-best-practice]#
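As an added example (not part of the original post), the following Python script checks the structure of the encrypted file shown in 1.2 without needing the vault password: it confirms the `$ANSIBLE_VAULT` header and splits the hex body into the salt, HMAC and ciphertext that ansible-vault's AES256 format stores. The same header check is what a pre-commit hook in the repository that tower pulls as its PROJECT can use to refuse a group_vars file committed in clear; the sample data is the page's own vault file, and the `plaintext_files` helper is a hypothetical name chosen here.

```python
import binascii
from dataclasses import dataclass

# The encrypted group_vars/all exactly as printed by `cat` in section 1.2 above.
PAGE_VAULT = """$ANSIBLE_VAULT;1.1;AES256
63386462363563386562393434366334643937353836366131313531343936633935623437386262
3930366332643764323230373234386163396234306336300a316535656432376430373933353436
31366430333464343465643432313834303866646235663231613664653534613262623766663436
6461353236613538340a366463666236306661653763653537616666633366356164353561346139
33323737666564383539663631633866306132386239623438646131353861613763323463643438
33343935323738306666396430373433373737623038343930646331346562613332363761376163
316531646261376430363230356637383039
"""

@dataclass
class VaultEnvelope:
    version: str        # "1.1", or "1.2" when a vault-id label is present
    cipher: str         # AES256 is the only cipher ansible-vault writes
    salt: bytes         # 32 random bytes fed to PBKDF2 together with the vault password
    hmac: bytes         # HMAC-SHA256 over the ciphertext, verified before decrypting
    ciphertext: bytes   # AES-256-CTR output, PKCS7-padded to 16-byte blocks
    vault_id: str = ""  # label from a 1.2 header; empty for 1.1 files like the page's

def is_vault_encrypted(text: str) -> bool:
    """Header check only: enough for a pre-commit hook to refuse plaintext group_vars."""
    return text.lstrip().startswith("$ANSIBLE_VAULT;")

def plaintext_files(files: dict) -> list:
    """Given {path: contents} for files that must be vaulted, return those still in clear."""
    return sorted(p for p, text in files.items() if not is_vault_encrypted(text))

def parse_vault_envelope(text: str) -> VaultEnvelope:
    """Split a vault file into header fields plus salt, hmac and ciphertext. The body is
    hex of the inner text "hex(salt)\\nhex(hmac)\\nhex(ciphertext)"; no password needed."""
    if not is_vault_encrypted(text):
        raise ValueError("missing $ANSIBLE_VAULT header: file is not encrypted")
    lines = text.strip().splitlines()
    fields = lines[0].split(";")
    if len(fields) not in (3, 4) or fields[2] != "AES256":
        raise ValueError(f"unsupported vault header: {lines[0]!r}")
    inner = binascii.unhexlify("".join(l.strip() for l in lines[1:])).decode("ascii")
    parts = inner.split("\n")  # the 80-column wrapping is gone after the join above
    if len(parts) != 3:
        raise ValueError("vault body must hold salt, hmac and ciphertext")
    salt, mac, ct = (binascii.unhexlify(p) for p in parts)
    if len(salt) != 32 or len(mac) != 32 or not ct or len(ct) % 16:
        raise ValueError("vault body segments have unexpected lengths")
    return VaultEnvelope(fields[1], fields[2], salt, mac, ct, fields[3] if len(fields) == 4 else "")
```

Running `parse_vault_envelope(PAGE_VAULT)` on the page's file yields a 64-byte ciphertext, so the plaintext variable file was between 49 and 64 bytes; the header and lengths are all an attacker reading the repository learns.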

2. Using vault in ansible tower

2.1 Creating a credential of type vault

[Image 1: Using vault in an ansible playbook]

The password entered here should be the password used for the vault encryption; it will be used automatically to decrypt when the playbook runs.

2.2 Creating an ansible tower template

[Image 2: Using vault in an ansible playbook]

For the credential, select the vault-type credential just created; tower will use it automatically to decrypt when the template runs.

2.3 Running the template

[Image 3: Using vault in an ansible playbook]

The PROJECT and INVENTORY associated with the template are not the focus of this article and are omitted.
