Is there a way to have both encrypted and nonencrypted host vars?


Question

If I encrypt host_vars/* files with ansible-vault, I don't seem to have a chance to have nonencrypted host vars other than those residing in the inventory file. Am I missing something?

Recommended answer

As it turns out, host_vars- and group_vars-files might be directories in actuality. That is, instead of creating host_vars/example.com one might create host_vars/example.com/vault and host_vars/example.com/vars. All the files residing in the directory are read. Which settles it.

Additionally, the best practice is to store sensitive variables prefixed with vault_ in the vault file, and reassign them to non-prefixed variables in the vars file. Like so:

vault:

vault_mysql_password: '...'

vars:

mysql_password: '{{ vault_mysql_password }}'

That way, you'll be able to find encrypted variables with grep, or any similar tool.
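
The layout and naming convention from the answer can be checked without the vault password. The following is an added example, not part of the original answer: it audits one host_vars/<host>/ directory, flags a vault file that lacks the ansible-vault header or a vault_ variable defined in plaintext, and lists where vault_ variables are referenced. The function names, the rule that files named vault* must be encrypted, and the sample hosts and values are assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path

VAULT_HEADER = "$ANSIBLE_VAULT;"                    # first bytes of an ansible-vault file
VAULT_KEY = re.compile(r"^(vault_\w+)\s*:", re.M)   # a vault_ variable being defined
VAULT_REF = re.compile(r"\{\{\s*(vault_\w+)")       # a vault_ variable being referenced


def audit_host_dir(host_dir):
    """Return (findings, refs) for one host_vars/<host>/ directory, without decrypting."""
    findings, refs = [], {}
    for path in sorted(Path(host_dir).iterdir()):
        if not path.is_file():
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        if text.startswith(VAULT_HEADER):
            continue  # encrypted: nothing readable, nothing to flag
        if path.name.startswith("vault"):
            findings.append(f"{path.name}: vault file is not encrypted")
        for key in VAULT_KEY.findall(text):
            findings.append(f"{path.name}: {key} defined in plaintext")
        for name in VAULT_REF.findall(text):
            refs.setdefault(name, []).append(path.name)
    return findings, refs


def build_sample(root):
    """Constructed layout: one host done as the answer describes, one with a mistake."""
    good, bad = Path(root, "host_vars/example.com"), Path(root, "host_vars/db.example.com")
    for d in (good, bad):
        d.mkdir(parents=True)
    # Placeholder body, not real ciphertext.
    (good / "vault").write_text("$ANSIBLE_VAULT;1.1;AES256\n3031323334353637\n")
    (good / "vars").write_text("mysql_port: 3306\nmysql_password: '{{ vault_mysql_password }}'\n")
    (bad / "vault").write_text("vault_mysql_password: 'constructed-sample'\n")
    (bad / "vars").write_text("mysql_password: '{{ vault_mysql_password }}'\n")
    return good, bad


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for host in build_sample(tmp):
            findings, refs = audit_host_dir(host)
            print(host.name, findings or "ok", refs)
```

Run as a pre-commit or CI step, a non-empty findings list is the signal that a secret was committed unencrypted.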
