Question

我有一个Ansible group_vars目录，其中包含以下文件：

$ cat inventory/group_vars/env1
...
...
ldap_config: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          31636161623166323039356163363432336566356165633232643932623133643764343134613064
          6563346430393264643432636434356334313065653537300a353431376264333463333238383833
          31633664303532356635303336383361386165613431346565373239643431303235323132633331
          3561343765383538340a373436653232326632316133623935333739323165303532353830386532
          39616232633436333238396139323631633966333635393431373565643339313031393031313836
          61306163333539616264353163353535366537356662333833653634393963663838303230386362
          31396431636630393439306663313762313531633130326633383164393938363165333866626438
...
...

此Ansible加密字符串中封装了一个Kubernetes机密。一个看起来像这样的base64 blob：

IyMKIyBIb3N0IERhdGFiYXNlCiMKIyBsb2NhbGhvc3QgaXMgdXNlZCB0byBjb25maWd1cmUgdGhlIGxvb3BiYWNrIGludGVyZmFjZQojIHdoZW4gdGhlIHN5c3RlbSBpcyBib290aW5nLiAgRG8gbm90IGNoYW5nZSB0aGlzIGVudHJ5LgojIwoxMjcuMC4wLjEJbG9jYWxob3N0CjI1NS4yNTUuMjU1LjI1NQlicm9hZGNhc3Rob3N0Cjo6MSAgICAgICAgICAgICBsb2NhbGhvc3QKIyBBZGRlZCBieSBEb2NrZXIgRGVza3RvcAojIFRvIGFsbG93IHRoZSBzYW1lIGt1YmUgY29udGV4dCB0byB3b3JrIG9uIHRoZSBob3N0IGFuZCB0aGUgY29udGFpbmVyOgoxMjcuMC4wLjEga3ViZXJuZXRlcy5kb2NrZXIuaW50ZXJuYWwKIyBFbmQgb2Ygc2VjdGlvbgo=

如何在单个CLI中对此解密？

Answer 1

我们可以使用Ansible adhoc命令来检索目标变量ldap_config。首先，我们将使用以下临时命令来检索Ansible加密文件库字符串：

$ ansible -i "localhost," all               \
    -m debug                                \
    -a 'msg="{{ ldap_config }}"'            \
    --vault-password-file=~/.vault_pass.txt \
    -e@inventory/group_vars/env1
localhost | SUCCESS => {
    "msg": "ABCD......."

请注意我们是：

使用debug模块并让其打印变量msg={{ ldap_config }}
提供ansible用来解密加密字符串的秘密路径
使用符号-e@< ...path to file...>传递带有加密文件库变量的文件

现在，我们可以使用Jinja2过滤器进行其余的解析：

$ ansible -i "localhost," all                             \
     -m debug                                             \
     -a 'msg="{{ ldap_config | b64decode | from_yaml }}"' \
     --vault-password-file=~/.vault_pass.txt              \
     -e@inventory/group_vars/env1
localhost | SUCCESS => {
    "msg": {
        "apiVersion": "v1",
        "bindDN": "uid=readonly,cn=users,cn=accounts,dc=mydom,dc=com",
        "bindPassword": "my secret password to ldap",
        "ca": "",
        "insecure": true,
        "kind": "LDAPSyncConfig",
        "rfc2307": {
            "groupMembershipAttributes": [
                "member"
            ],
            "groupNameAttributes": [
                "cn"
            ],
            "groupUIDAttribute": "dn",
            "groupsQuery": {
                "baseDN": "cn=groups,cn=accounts,dc=mydom,dc=com",
                "derefAliases": "never",
                "filter": "(objectclass=groupOfNames)",
                "scope": "sub"
            },
            "tolerateMemberNotFoundErrors": false,
            "tolerateMemberOutOfScopeErrors": false,
            "userNameAttributes": [
                "uid"
            ],
            "userUIDAttribute": "dn",
            "usersQuery": {
                "baseDN": "cn=users,cn=accounts,dc=mydom,dc=com",
                "derefAliases": "never",
                "scope": "sub"
            }
        },
        "url": "ldap://192.168.1.10:389"
    }
}

注意：：从-a 'msg="{{ ldap_config | b64decode | from_yaml }}"开始，从Base64转换为YAML的工作量很大。

参考文献

Answer 2

如果您需要一个衬纸来处理包含内联保管库变量的任何yaml文件（不仅在库存中），并且准备好为此安装pip软件包，则可以使用yq解决方案，建立在jq

上的Yaml处理器

必备软件：安装yq

pip install yq

用法

您可以使用以下命令获得结果：

yq .ldapconfig inventory/group_vars/env1 | ansible_vault decrypt

如果您需要交互输入保险柜密码，请不要忘记添加相关选项

yq .ldapconfig inventory/group_vars/env1 | ansible_vault --ask-vault-pass decrypt

如何打印包含CLI中的Kubernetes机密的Ansible Vault变量？

2 个答案:

参考文献