您的位置: 首页  >  技术问答  >  使用Hashicorp Vault with Ansible - 插件安装

使用Hashicorp Vault with Ansible - 插件安装

分类: 技术问答 2022-09-01 16:55:53
问题描述:

我想用Ansible的Hashicorp Vault来检索我将在Ansible playbook中使用的用户名/密码。使用Hashicorp Vault with Ansible - 插件安装

保险柜设置 - 我创建了一个秘密。整合两者的步骤是什么?围绕插件的文档并不是那么好。我尝试从ansible和这个作品的文件查找,但如何使用第三方插件?有人可以帮助我遵循以下步骤吗?

  1. 安装插件,pip install ansible-modules-hashivault
  2. 有什么用https://github.com/jhaals/ansible-vault
    2.a的环境变量(VAULT ADDR & VAULT TOKEN)我把区别在哪里?
  3. 变化ansible.cfg指向vault.py这是位于我Ansible项目

  4. 的“插件”文件夹,测试基本的整合,我可以使用下面的剧本? https://pypi.python.org/pypi/ansible-modules-hashivault

    - hosts: localhost 
    -tasks: 
     - hashivault_status: 
     register: 'vault_status'

试过,但我得到:

An exception occurred during task execution. The full traceback is: 
Traceback (most recent call last): 
    File "/usr/lib/python2.7/site-packages/ansible/executor/task_executor.py", line 119, in run 
    res = self._execute() 
    File "/usr/lib/python2.7/site-packages/ansible/executor/task_executor.py", line 431, in _execute 
    self._task.post_validate(templar=templar) 
    File "/usr/lib/python2.7/site-packages/ansible/playbook/task.py", line 248, in post_validate 
    super(Task, self).post_validate(templar) 
    File "/usr/lib/python2.7/site-packages/ansible/playbook/base.py", line 371, in post_validate 
    value = templar.template(getattr(self, name)) 
    File "/usr/lib/python2.7/site-packages/ansible/template/__init__.py", line 359, in template 
    d[k] = self.template(variable[k], preserve_trailing_newlines=preserve_trailing_newlines, fail_on_undefined=fail_on_undefined, overrides=overrides) 
    File "/usr/lib/python2.7/site-packages/ansible/template/__init__.py", line 331, in template 
    result = self._do_template(variable, preserve_trailing_newlines=preserve_trailing_newlines, escape_backslashes=escape_backslashes, fail_on_undefined=fail_on_undefined, overrides=overrides) 
    File "/usr/lib/python2.7/site-packages/ansible/template/__init__.py", line 507, in _do_template 
    res = j2_concat(rf) 
    File "<template>", line 8, in root 
    File "/usr/lib/python2.7/site-packages/jinja2/runtime.py", line 193, in call 
    return __obj(*args, **kwargs) 
    File "/usr/lib/python2.7/site-packages/ansible/template/__init__.py", line 420, in _lookup 
    instance = self._lookup_loader.get(name.lower(), loader=self._loader, templar=self) 
    File "/usr/lib/python2.7/site-packages/ansible/plugins/__init__.py", line 339, in get 
    self._module_cache[path] = self._load_module_source('.'.join([self.package, name]), path) 
    File "/usr/lib/python2.7/site-packages/ansible/plugins/__init__.py", line 324, in _load_module_source 
    module = imp.load_source(name, path, module_file) 
    File "/etc/ansible/ProjectA/lookup_plugins/vault.py", line 5 
    <!DOCTYPE html> 
    ^
SyntaxError: invalid syntax 

fatal: [win01]: FAILED! => { 
    "failed": true, 
    "msg": "Unexpected failure during module execution.", 
    "stdout": ""
+1

你介意先修复你的剧本的语法吗?缩进被打破,“任务”是一个关键,而不是另一个项目。 – techraf

+0

Vault提供了一个简单的REST API - 您甚至可以使用[uri](https://docs.ansible.com/ansible/uri_module.html)模块。令人惊讶的是Ansible提供了许多查找插件,尽管它应该很简单,但找到一个适用于所有这些插件的工具却非常困难 - [您已经找到的那个插件](https://github.com/jhaals/ansible-vault)作品。 – techraf

+0

我真的不明白你在这里问的问题。该插件的README非常清晰,并提供了很好的示例。你问什么[环境变量](https://en.wikipedia.org/wiki/Environment_variablehttps://en.wikipedia.org/wiki/Environment_variable)是什么? – techraf

既然你把这么多鸡蛋进入后,我不知道这个问题是关于什么的,这里的东西让你用本机查找插件和jhaals/ansible-vault

  • ,你可以在当前目录下创建lookup_plugins并保存vault.py内;

  • VAULT_ADDRVAULT_TOKEN环境变量如同您在脚本中看到的那样;

以下(它使用screenjq,你可能需要安装它们)运行库的开发模式下,bash脚本设置了秘密,并运行Ansible剧本与两个查找插件查询秘密:

#!/bin/bash 
set -euo pipefail 

export VAULT_ADDR=http://127.0.0.1:8200 

if [[ ! $(pgrep -f "vault server -dev") ]]; then 
    echo \"vault server -dev\" not running, starting... 
    screen -S vault -d -m vault server -dev 
    printf "sleeping for 3 seconds\n" 
    sleep 3 
else 
    echo \"vault server -dev\" already running, leaving as is... 
fi 

vault write secret/hello value=world excited=yes 
export VAULT_TOKEN=$(vault token-create -format=json | jq -r .auth.client_token) 
ansible-playbook playbook.yml --extra-vars="vault_token=${VAULT_TOKEN}"

playbook.yml

--- 
- hosts: localhost 
    connection: local 
    tasks: 
    - name: Retrieve secret/hello using native hashi_vault plugin 
     debug: msg="{{ lookup('hashi_vault', 'secret=secret/hello token={{ vault_token }} url=http://127.0.0.1:8200') }}" 

    - name: Retrieve secret/hello using jhaals vault lookup 
     debug: msg="{{ lookup('vault', 'secret/hello') }}"

你到底应该得到:

TASK [Retrieve secret/hello using native hashi_vault plugin] ******************* 
ok: [localhost] => { 
    "msg": "world" 
} 

TASK [Retrieve secret/hello using jhaals vault lookup] ************************* 
ok: [localhost] => { 
    "msg": { 
     "excited": "yes", 
     "value": "world" 
    } 
}

单词world是从保险柜中提取的。

+0

Thx techraf,我现在就得到了两个插件和运行! – RedAnsible

相关推荐