Overview: This 风哥教程 article draws on the official Linux, Red Hat Enterprise Linux, Ansible Automation Platform, Docker, Kubernetes and Podman documentation and describes in detail how to configure and use the related technologies.
Note from 风哥:
This document describes how to use the Ansible Vault encryption feature.
Part01-Vault Basics
1.1 Create an encrypted file
[root@ansible ~]# ansible-vault create /fglinux/ansible/vars/secrets.yml
New Vault password:
Confirm New Vault password:
# Enter the content in the editor that opens
db_root_password: RootPassword@123
app_secret_key: SecretKey@456
api_token: ApiToken@789
smtp_password: SmtpPass@abc
# View the encrypted file (header line, then the hex-encoded payload)
[root@ansible ~]# cat /fglinux/ansible/vars/secrets.yml
$ANSIBLE_VAULT;1.1;AES256
35353432643432616465303734666564636361623964633432303236626664393937623836626562
3865633837666465336465626230326430666132386362340a666438646238313464326462616362
37623161646562353564386532306366636166316232383732303837633462376666626663663438
…
# Encrypt an existing file
[root@ansible ~]# cat > /fglinux/ansible/vars/passwords.yml << 'EOF'
mysql_root_password: MySQLRoot@123
redis_password: RedisPass@456
mongodb_password: MongoPass@789
EOF
[root@ansible ~]# ansible-vault encrypt /fglinux/ansible/vars/passwords.yml
New Vault password:
Confirm New Vault password:
Encryption successful
# View the decrypted content without writing it to disk
[root@ansible ~]# ansible-vault view /fglinux/ansible/vars/passwords.yml
Vault password:
mysql_root_password: MySQLRoot@123
redis_password: RedisPass@456
mongodb_password: MongoPass@789
# Edit the encrypted file (decrypted only in a temporary editor buffer)
[root@ansible ~]# ansible-vault edit /fglinux/ansible/vars/secrets.yml
Vault password:
# Decrypt the file to a separate plaintext copy
# Note: the output file is plaintext on disk; prefer `ansible-vault view` for a quick look and delete the copy when done
[root@ansible ~]# ansible-vault decrypt /fglinux/ansible/vars/passwords.yml --output=/fglinux/ansible/vars/passwords_plain.yml
Vault password:
Decryption successful
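The `$ANSIBLE_VAULT;1.1;AES256` header and hex body shown above have a fixed layout, and the same payload appears inside `!vault |` strings and in 1.2-format files that carry a vault ID. The following is an added example, not part of this tutorial and not Ansible's own code. It re-implements the envelope format and the password check of Ansible's VaultAES256 scheme with the standard library only: PBKDF2-HMAC-SHA256 (10000 iterations, 80 derived bytes split into AES key, HMAC key and CTR IV) and an HMAC-SHA256 over the ciphertext. The AES-256-CTR step is deliberately left out, so `build_envelope` wraps a caller-supplied ciphertext and the sample payload in `main` is a constructed stand-in, not real encrypted data; the point shown is that a wrong password or a tampered payload is rejected by the MAC before any decryption happens.

```python
"""Parse an Ansible Vault 1.1/1.2 envelope and verify a password against it."""
import binascii
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 10000     # Ansible VaultAES256 default
KEY_LEN = 32                  # AES-256 key length
IV_LEN = 16                   # CTR nonce length
HEADER_PREFIX = "$ANSIBLE_VAULT;"


def parse_envelope(text):
    """Split vault text into its parts.

    Layout: '$ANSIBLE_VAULT;<version>;AES256[;<vault_id>]' on the first line,
    then the hex encoding of 'salt_hex\\nhmac_hex\\nciphertext_hex' wrapped at
    80 columns. Leading whitespace is tolerated so '!vault |' block scalars
    can be passed in as-is.
    """
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    if not lines or not lines[0].startswith(HEADER_PREFIX):
        raise ValueError("not an Ansible Vault envelope")
    fields = lines[0].split(";")
    version, cipher = fields[1], fields[2]
    if cipher != "AES256":
        raise ValueError("unsupported cipher %s" % cipher)
    vault_id = fields[3] if version == "1.2" and len(fields) > 3 else None
    body = binascii.unhexlify("".join(lines[1:]))
    parts = body.split(b"\n", 2)
    if len(parts) != 3:
        raise ValueError("malformed vault body")
    salt_hex, mac_hex, ct_hex = parts
    return {
        "version": version,
        "vault_id": vault_id,
        "salt": binascii.unhexlify(salt_hex),
        "mac": binascii.unhexlify(mac_hex),
        "ciphertext": binascii.unhexlify(ct_hex),
    }


def derive_keys(password, salt):
    """PBKDF2-HMAC-SHA256 -> (aes_key, hmac_key, iv); 32 + 32 + 16 bytes."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             PBKDF2_ITERATIONS, dklen=2 * KEY_LEN + IV_LEN)
    return dk[:KEY_LEN], dk[KEY_LEN:2 * KEY_LEN], dk[2 * KEY_LEN:]


def mac_valid(env, password):
    """Encrypt-then-MAC check: HMAC-SHA256(hmac_key, ciphertext) == stored MAC."""
    _, hmac_key, _ = derive_keys(password, env["salt"])
    expected = hmac.new(hmac_key, env["ciphertext"], hashlib.sha256).digest()
    return hmac.compare_digest(expected, env["mac"])   # constant-time compare


def password_matches(text, password):
    """True iff `password` is the one the envelope was sealed with."""
    return mac_valid(parse_envelope(text), password)


def build_envelope(ciphertext, password, vault_id=None, salt=None):
    """Wrap an already-encrypted payload: fresh salt, MAC, header, 80-col wrap."""
    if salt is None:
        salt = os.urandom(32)
    _, hmac_key, _ = derive_keys(password, salt)
    mac_hex = hmac.new(hmac_key, ciphertext, hashlib.sha256).hexdigest()
    inner = b"\n".join([binascii.hexlify(salt), mac_hex.encode("ascii"),
                        binascii.hexlify(ciphertext)])
    hexed = binascii.hexlify(inner).decode("ascii")
    header = HEADER_PREFIX + ("1.2;AES256;%s" % vault_id if vault_id
                              else "1.1;AES256")
    wrapped = [hexed[i:i + 80] for i in range(0, len(hexed), 80)]
    return "\n".join([header] + wrapped) + "\n"


if __name__ == "__main__":
    fake_ct = bytes(range(48))          # constructed stand-in, not AES output
    text = build_envelope(fake_ct, "MyVaultPassword123", vault_id="dev")
    print(text)
    print("right password:", password_matches(text, "MyVaultPassword123"))
    print("wrong password:", password_matches(text, "Wrong"))
```

Because the MAC key comes from the password through PBKDF2, this check is what `ansible-vault view` and `ansible-playbook` perform first; it is also why a rekey (`ansible-vault rekey`) must rewrite the salt and MAC, not just the header.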
Part02-Using Vault
2.1 Use encrypted variables in a Playbook
[root@ansible ~]# cat > /fglinux/ansible/playbooks/with_vault.yml << 'EOF'
---
- name: Use Vault-encrypted variables
  hosts: dbservers
  become: yes
  vars_files:
    - ../vars/secrets.yml
    - ../vars/passwords.yml
  tasks:
    # Short module names resolve to community.mysql / ansible.builtin on
    # Ansible 2.10+ when the collection is installed.
    - name: Set MySQL root password
      mysql_user:
        name: root
        # Must be the same variable every later login_password uses
        password: "{{ mysql_root_password }}"
        login_unix_socket: /var/lib/mysql/mysql.sock
    - name: Create application database
      mysql_db:
        name: fgedudb
        state: present
        login_user: root
        login_password: "{{ mysql_root_password }}"
    - name: Create application user
      mysql_user:
        name: fgedu
        # A separate value from secrets.yml; the application user must never
        # share root's secret, so give it a clearly named variable of its own
        password: "{{ db_root_password }}"
        priv: 'fgedudb.*:ALL'
        state: present
        login_user: root
        login_password: "{{ mysql_root_password }}"
    - name: Configure Redis password
      lineinfile:
        path: /etc/redis/redis.conf
        regexp: '^requirepass'
        line: "requirepass {{ redis_password }}"
      notify: Restart Redis
  handlers:
    - name: Restart Redis
      service:
        name: redis
        state: restarted
EOF
# Run with a password file
# Note: an inline echo records the Vault password in the shell history; on a
# shared control node write the file from a prompt or a secrets manager instead
[root@ansible ~]# echo "MyVaultPassword123" > /fglinux/ansible/.vault_pass
[root@ansible ~]# chmod 600 /fglinux/ansible/.vault_pass
[root@ansible ~]# ansible-playbook /fglinux/ansible/playbooks/with_vault.yml --vault-password-file /fglinux/ansible/.vault_pass
PLAY [Use Vault-encrypted variables] ****************************************
TASK [Gathering Facts] ******************************************************
ok: [db1.fgedu.net.cn]
TASK [Set MySQL root password] **********************************************
changed: [db1.fgedu.net.cn]
TASK [Create application database] ******************************************
changed: [db1.fgedu.net.cn]
TASK [Create application user] **********************************************
changed: [db1.fgedu.net.cn]
TASK [Configure Redis password] *********************************************
changed: [db1.fgedu.net.cn]
RUNNING HANDLER [Restart Redis] *********************************************
changed: [db1.fgedu.net.cn]
PLAY RECAP ******************************************************************
db1.fgedu.net.cn : ok=6 changed=5 unreachable=0 failed=0
# Point Ansible at the password file through an environment variable instead
[root@ansible ~]# export ANSIBLE_VAULT_PASSWORD_FILE=/fglinux/ansible/.vault_pass
[root@ansible ~]# ansible-playbook /fglinux/ansible/playbooks/with_vault.yml
2.2 Encrypt a single string
# Note: a secret given on the command line lands in the shell history and is
# visible in the process list; `--stdin-name` reads it from standard input instead
[root@ansible ~]# ansible-vault encrypt_string 'MySecretPassword123' --name 'app_password'
New Vault password:
Confirm New Vault password:
app_password: !vault |
$ANSIBLE_VAULT;1.1;AES256
35353432643432616465303734666564636361623964633432303236626664393937623836626562
3865633837666465336465626230326430666132386362340a666438646238313464326462616362
…
# Use the encrypted string in a Playbook (paste the !vault block under vars, indented)
[root@ansible ~]# cat > /fglinux/ansible/playbooks/encrypted_string.yml << 'EOF'
---
- name: Use an encrypted string
  hosts: webservers
  become: yes
  vars:
    app_password: !vault |
      $ANSIBLE_VAULT;1.1;AES256
      35353432643432616465303734666564636361623964633432303236626664393937623836626562
      3865633837666465336465626230326430666132386362340a666438646238313464326462616362
      ...
  tasks:
    - name: Write the application password
      copy:
        content: "PASSWORD={{ app_password }}"
        dest: /opt/fgedu/config/.env
        mode: '0600'
      no_log: true   # keep the rendered secret out of logs and --diff output
EOF
# Change the Vault password (rekey); repeat for every file sealed with the old password
[root@ansible ~]# ansible-vault rekey /fglinux/ansible/vars/secrets.yml
Vault password:
New Vault password:
Confirm New Vault password:
Rekey successful
- Protect Vault files with a strong password
- Set the password file's permissions to 600
- Never commit the password file to version control
- Rotate the Vault password regularly (ansible-vault rekey)
- Keep separate encrypted files for each environment (for example one vault ID per environment)
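The rules above are easy to state and easy to violate by accident: a `passwords.yml` that was never encrypted, a `password:` key pasted in plaintext next to `!vault` strings, or a `.vault_pass` left world-readable and untracked by `.gitignore`. The following is an added example, not part of this tutorial and not an Ansible feature. It is a pre-commit style scanner written with the standard library only; the file-name patterns, the sensitive key names, the password-file names and the exact-entry `.gitignore` handling are all simplifying assumptions, and `build_sample_tree` creates a constructed repository (not real data) so the scanner can be tried offline.

```python
"""Scan an Ansible tree for secrets that should be vault-protected."""
import os
import re
import stat
import tempfile

VAULT_HEADER = "$ANSIBLE_VAULT;"
# Assumed naming conventions; extend to match your repository.
SECRET_FILE_RE = re.compile(r"secret|password|passwd|credential", re.I)
SENSITIVE_KEY_RE = re.compile(
    r"^\s*-?\s*([A-Za-z0-9_]*(?:password|passwd|secret|token|api_key)"
    r"[A-Za-z0-9_]*)\s*:\s*(.*)$", re.I)
PASSWORD_FILE_NAMES = {".vault_pass", ".vault_password", "vault_pass.txt"}


def is_vault_envelope(text):
    """Whole-file encryption: the file starts with the vault header line."""
    return text.lstrip().startswith(VAULT_HEADER)


def gitignored_names(root):
    """Exact entries of <root>/.gitignore, leading '/' stripped (simplified)."""
    path = os.path.join(root, ".gitignore")
    if not os.path.exists(path):
        return set()
    with open(path, encoding="utf-8") as fh:
        return {ln.strip().lstrip("/") for ln in fh
                if ln.strip() and not ln.startswith("#")}


def scan_tree(root):
    """Return sorted (relative_path, problem) tuples; an empty list is clean."""
    findings = []
    ignored = gitignored_names(root)
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if name in PASSWORD_FILE_NAMES:
                mode = stat.S_IMODE(os.stat(path).st_mode)
                if mode & 0o077:   # group/other bits set
                    findings.append((rel, "vault password file is mode %o, expected 600" % mode))
                if name not in ignored:
                    findings.append((rel, "vault password file is not listed in .gitignore"))
                continue
            if not name.endswith((".yml", ".yaml")):
                continue
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            if is_vault_envelope(text):
                continue   # encrypted as a whole; nothing readable to inspect
            if SECRET_FILE_RE.search(name):
                findings.append((rel, "file name suggests secrets but it is not vault-encrypted"))
            for lineno, line in enumerate(text.splitlines(), 1):
                m = SENSITIVE_KEY_RE.match(line)
                if not m:
                    continue
                value = m.group(2).strip().strip("\"'")
                # '!vault |' inline strings and '{{ var }}' references are fine
                if value and not value.startswith(("!vault", "{{")):
                    findings.append((rel, "line %d: %s has a plaintext value"
                                     % (lineno, m.group(1))))
    return sorted(findings)


def remediate_password_file(root, name=".vault_pass"):
    """Apply the two fixes for a password file: chmod 600 and add it to .gitignore."""
    os.chmod(os.path.join(root, name), 0o600)
    if name not in gitignored_names(root):
        with open(os.path.join(root, ".gitignore"), "a", encoding="utf-8") as fh:
            fh.write(name + "\n")


def build_sample_tree():
    """Constructed sample repository (not real data) exercising each rule."""
    root = tempfile.mkdtemp(prefix="vault_scan_")
    files = {
        ".vault_pass": "MyVaultPassword123\n",
        "vars/secrets.yml": "$ANSIBLE_VAULT;1.1;AES256\n3535343264343261646530373466\n",
        "vars/passwords.yml": "mysql_root_password: MySQLRoot@123\nredis_password: RedisPass@456\n",
        "group_vars/all.yml": "smtp_host: mail.example.com\napi_token: !vault |\n"
                              "          $ANSIBLE_VAULT;1.1;AES256\n          3535343264\n",
        "playbooks/site.yml": "- hosts: dbservers\n  tasks:\n    - mysql_user:\n"
                              "        name: root\n        password: \"{{ db_root_password }}\"\n",
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    os.chmod(os.path.join(root, ".vault_pass"), 0o644)   # the mistake to catch
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for rel, problem in scan_tree(sample):
        print("%s: %s" % (rel, problem))
```

Run it from a pre-commit hook or a CI job on the playbook repository and fail the build when `scan_tree` returns anything; the password-file findings disappear after `remediate_password_file`, while a plaintext `passwords.yml` still has to be fixed with `ansible-vault encrypt`.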
This article was compiled and published by 风哥教程 for learning and testing purposes only; when reposting, cite the source: http://www.fgedu.net.cn/10327.html
