There are two safer ways to store this kind of data:

1. Ansible's command-line tool ansible-vault, which can encrypt and decrypt any file Ansible uses.
2. A third-party key-management service that keeps the data outside the repository.

ansible-vault can create, edit, encrypt, decrypt and view files. It can encrypt any file Ansible reads: inventory variables, variable files loaded by a playbook, variable files passed to a playbook on the command line, and the variable files defined in roles.

The encryption itself is done by an external Python cryptography library rather than by Ansible's own code. Files are encrypted with AES-256, and you supply a password from which the encryption key is derived. Vault only protects the data at rest: anyone who can read both an encrypted file and the password (or the password file used below) can decrypt it, so the password file needs the same protection as the secrets themselves.
Interactive use:

```bash
[root@ansible-server ansible]# ansible-vault create test.yml      # create a new encrypted file
New Vault password:
Confirm New Vault password:
[root@ansible-server ansible]# cat test.yml
$ANSIBLE_VAULT;1.1;AES256
35323132396639386132393132373663326664316466333863666136623661333863666365633938
3134356261396233323532633732386235343463656334300a383862323435613132366330666134
37613065613833633832633565653133643334313439373339663934653437383536653430656166
3435323165623962640a383933393738613330396334323438303965633666343531336236626431
3866
[root@ansible-server ansible]# ansible-vault view test.yml        # view an encrypted file
Vault password:
---
[root@ansible-server ansible]# ansible-vault edit test.yml        # edit an encrypted file
Vault password:
```

Non-interactive use, reading the password from a file:

```bash
[root@ansible-server ansible]# echo redhat >> vault.pass
[root@ansible-server ansible]# ansible-vault create test2.yml --vault-password-file=vault.pass
[root@ansible-server ansible]# ansible-vault rekey test2.yml --vault-password-file=vault.pass
New Vault password:
Confirm New Vault password:
Rekey successful
```

Encrypting an existing YAML file in place:

```bash
[root@ansible-server ansible]# ansible-vault encrypt del-local.yml
New Vault password:
Confirm New Vault password:
Encryption successful
[root@ansible-server ansible]# cat del-local.yml
$ANSIBLE_VAULT;1.1;AES256
32646664306332383564613237373231323262386630336330313839353164386462633831376362
6364306130356131643039366561663065633831343630340a623133383132313331323231373734
35643435633139626131663837626266353139303236396532343434386133303962666165663330
3637616461336364650a333938343539323063643364383334653361393661643233636133633363
65386537623536313466343263333034643636376562373562663535363537396430653062656137
62616465623633333036303831613238393939363563663137663830386461383865323965393732
66396233363833666561383235646236343930396533636131643035636437343766326633316336
32616230343030386462396537383730316566396566383461383766646561303936303939353838
33666634393363316538323137303464363265383562666161306461623664303332346662363439
34323165653336613736356635653964363638646364383365613230613735666663626134323939
63363635353634333963373363383264356633656637623131373865353164323433643630613935
33633039363461646331393032333535393339666562353231633266306463346166366233306162
36343035353935336431636434666139346531643230643933393634373562303161616562333335
36393636303763336463383630633937393332333630626666303239643534323162303765303033
61336366646566313331343533613566353261643638633235376635343362636632636132343233
35353131623238633933326330643263303032326233323362303533306262626135633832626264
32626431623139613938346633653834366438306663393635396635366330303130383565633966
30653364653936393163616130386638313166346265613834626538643961356139363563616666
38353931323465316666333434393964643265383239626632323863613165346539663538663238
34653930653263326134383731653337626437663736653762343731616333363238336435653933
66653664323937653666656337376439373731333839616663306335313832353266363631393231
3161636532643435623961376630386562613533363039376261
```

Decrypting an encrypted file. With --output the plaintext goes to a new file and the encrypted original is left untouched:

```bash
[root@ansible-server ansible]# ansible-vault decrypt del-local.yml --output=del-local-1.yml
Vault password:
Decryption successful
[root@ansible-server ansible]# cat del-local-1.yml
- name: dele to local
  hosts: 172.16.216.181
  tasks:
    - command: ps
      register: a_ps
      changed_when: false
    - debug:
        msg: "{{ a_ps.stdout }}"
    - local_action: command ps
      #command: ps
      #delegate_to: localhost
      register: local_ps
      changed_when: false
    - debug:
        msg: "{{ local_ps.stdout }}"
[root@ansible-server ansible]# cat del-local.yml
$ANSIBLE_VAULT;1.1;AES256
32646664306332383564613237373231323262386630336330313839353164386462633831376362
6364306130356131643039366561663065633831343630340a623133383132313331323231373734
35643435633139626131663837626266353139303236396532343434386133303962666165663330
3637616461336364650a
# (remaining ciphertext lines are the same as in the listing above: the file is still encrypted)
```
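To show what the `$ANSIBLE_VAULT;1.1;AES256` blobs above actually contain, here is an added example (written for this page, not Ansible's own code) that re-implements the 1.1 envelope parsing, the PBKDF2 key derivation and the HMAC check. That is exactly enough to test candidate passwords offline without decrypting anything, which is why a weak vault password such as the `redhat` used on this page is a problem: anyone holding a copy of the file can run a dictionary attack against it. The AES-256-CTR decryption of the payload needs a third-party AES implementation (for example the `cryptography` package) and is deliberately left out. `PAGE_TEST_YML` is copied from the `cat test.yml` listing above (its password is not shown on the page, so only its structure is checked); `SAMPLE_VAULT` is a constructed envelope whose ciphertext bytes merely stand in for real AES output.

```python
"""Offline password check for Ansible Vault 1.1 files (added example, not Ansible code).

Format of a $ANSIBLE_VAULT;1.1;AES256 file, as produced by ansible-vault:
  header line, then hex( hex(salt) "\n" hex(hmac) "\n" hex(ciphertext) ) wrapped at 80 columns
  key material = PBKDF2-HMAC-SHA256(password, salt, 10000 iterations, 80 bytes)
               = aes_key[32] || hmac_key[32] || iv[16]
  hmac = HMAC-SHA256(hmac_key, ciphertext); ciphertext = AES-256-CTR(aes_key, iv, PKCS7(plaintext))
"""
import binascii
import hashlib
import hmac
import os

HEADER = "$ANSIBLE_VAULT;1.1;AES256"
ITERATIONS = 10000   # fixed by the 1.1 format
KEY_LEN = 32         # AES-256 key and HMAC-SHA256 key
IV_LEN = 16          # AES block size, used as the CTR initial counter


def derive_keys(password: bytes, salt: bytes):
    """PBKDF2-HMAC-SHA256 -> (aes_key, hmac_key, iv), split the way Ansible does."""
    derived = hashlib.pbkdf2_hmac("sha256", password, salt, ITERATIONS,
                                  dklen=2 * KEY_LEN + IV_LEN)
    return derived[:KEY_LEN], derived[KEY_LEN:2 * KEY_LEN], derived[2 * KEY_LEN:]


def parse_envelope(vaulttext: str):
    """Split a vault file into (salt, hmac_tag, ciphertext); raises on a foreign header."""
    header, _, body = vaulttext.strip().partition("\n")
    if header != HEADER:
        raise ValueError("unsupported vault header: %r" % header)
    payload = binascii.unhexlify("".join(body.split()))      # outer hex layer
    salt_hex, hmac_hex, ct_hex = payload.split(b"\n", 2)     # inner hex layer
    return (binascii.unhexlify(salt_hex),
            binascii.unhexlify(hmac_hex),
            binascii.unhexlify(ct_hex))


def check_password(vaulttext: str, password: str) -> bool:
    """True when `password` reproduces the HMAC stored in the envelope (no decryption needed)."""
    salt, tag, ciphertext = parse_envelope(vaulttext)
    _, hmac_key, _ = derive_keys(password.encode(), salt)
    expected = hmac.new(hmac_key, ciphertext, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def dictionary_attack(vaulttext: str, candidates):
    """Return the first candidate password that passes the HMAC check, or None."""
    for cand in candidates:
        if check_password(vaulttext, cand):
            return cand
    return None


def build_envelope(password: str, ciphertext: bytes, salt: bytes = None) -> str:
    """Wrap an already-encrypted payload in a structurally valid 1.1 envelope.

    Only used to construct test input here: `ciphertext` stands in for the
    AES-256-CTR output that ansible-vault would have produced.
    """
    salt = salt or os.urandom(32)
    _, hmac_key, _ = derive_keys(password.encode(), salt)
    tag = hmac.new(hmac_key, ciphertext, hashlib.sha256).digest()
    inner = b"\n".join(binascii.hexlify(x) for x in (salt, tag, ciphertext))
    outer = binascii.hexlify(inner).decode()
    lines = [outer[i:i + 80] for i in range(0, len(outer), 80)]
    return HEADER + "\n" + "\n".join(lines) + "\n"


# Copied from the page's `cat test.yml` listing (content "---\n", password unknown).
PAGE_TEST_YML = "\n".join([
    HEADER,
    "35323132396639386132393132373663326664316466333863666136623661333863666365633938",
    "3134356261396233323532633732386235343463656334300a383862323435613132366330666134",
    "37613065613833633832633565653133643334313439373339663934653437383536653430656166",
    "3435323165623962640a383933393738613330396334323438303965633666343531336236626431",
    "3866",
])

# Constructed sample: the page's weak password "redhat" guarding 32 bytes of
# stand-in ciphertext, with a fixed salt so the envelope is reproducible.
SAMPLE_SALT = bytes(range(32))
SAMPLE_VAULT = build_envelope("redhat", b"\xaa" * 32, SAMPLE_SALT)

if __name__ == "__main__":
    salt, tag, ct = parse_envelope(PAGE_TEST_YML)
    print("page test.yml: salt %d bytes, hmac %d bytes, ciphertext %d bytes" % (len(salt), len(tag), len(ct)))
    print("recovered password:", dictionary_attack(SAMPLE_VAULT, ["password", "ansible", "redhat", "vault"]))
```

Each candidate costs one PBKDF2 run of 10000 iterations, which slows guessing down but does not stop it: a short dictionary word falls in milliseconds, so the vault password should be long and random, and the file that holds it (`vault.pass` below) must be unreadable to other users.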
An encrypted playbook can be run directly. The vault password is supplied either interactively with --ask-vault-pass or from a file with --vault-password-file:

```bash
[root@ansible-server ansible]# cat j2.yml
- name: test j2
  hosts: all
  tasks:
    - name: first use template module
      template:
        src: motd.j2
        dest: /etc/motd
        owner: root
        group: root
        mode: 0644
[root@ansible-server ansible]# ansible-vault encrypt j2.yml
New Vault password:
Confirm New Vault password:
Encryption successful
[root@ansible-server ansible]# ansible-playbook j2.yml --ask-vault-pass
Vault password:

PLAY [test j2] *****************************************************************

TASK [Gathering Facts] *********************************************************
ok: [172.16.216.181]
ok: [172.16.216.182]

TASK [first use template module] ***********************************************
changed: [172.16.216.182]
changed: [172.16.216.181]

PLAY RECAP *********************************************************************
172.16.216.181             : ok=2    changed=1    unreachable=0    failed=0
172.16.216.182             : ok=2    changed=1    unreachable=0    failed=0

[root@ansible-server ansible]# ansible-playbook j2.yml --vault-password-file=vault.pass

PLAY [test j2] *****************************************************************

TASK [Gathering Facts] *********************************************************
ok: [172.16.216.182]
ok: [172.16.216.181]

TASK [first use template module] ***********************************************
ok: [172.16.216.182]
ok: [172.16.216.181]

PLAY RECAP *********************************************************************
172.16.216.181             : ok=2    changed=0    unreachable=0    failed=0
172.16.216.182             : ok=2    changed=0    unreachable=0    failed=0
```

The second run reports changed=0 because /etc/motd was already in the desired state.

To avoid passing the option on every run, point the ANSIBLE_VAULT_PASSWORD_FILE environment variable at the password file. Setting it in /etc/profile makes it visible to every login shell, so the file it points to must be readable only by the user that runs Ansible (mode 0600, as done with vault.pass further down):

```bash
[root@ansible-server ansible]# vim /etc/profile
export ANSIBLE_VAULT_PASSWORD_FILE=/etc/ansible/vault.pass
[root@ansible-server ansible]# . /etc/profile
[root@ansible-server ansible]# ansible-playbook j2.yml

PLAY [test j2] *****************************************************************

TASK [Gathering Facts] *********************************************************
ok: [172.16.216.182]
ok: [172.16.216.181]

TASK [first use template module] ***********************************************
ok: [172.16.216.182]
ok: [172.16.216.181]

PLAY RECAP *********************************************************************
172.16.216.181             : ok=2    changed=0    unreachable=0    failed=0
172.16.216.182             : ok=2    changed=0    unreachable=0    failed=0

[root@ansible-server ~]# yum install python2-cryptography    # faster vault encryption/decryption
```
A more realistic use: keep the users' passwords in an encrypted variables file and load it with vars_files, so the plaintext passwords are never stored in the playbook. Two caveats apply to the play below. password_hash('sha512') generates a fresh random salt on every run, so the user module reports changed each time; pass a fixed salt as the filter's second argument if the play must be idempotent. And the loop output prints every item, including the plaintext password, to the terminal and to any log that captures it; in a real playbook set no_log: true on such a task.

```bash
[root@ansible-server ~]# ansible-vault create secret.yml
newusers:
  - name: ansibleuser1
    pw: redhat
  - name: ansibleuser2
    pw: $Re4H1t@
[root@ansible-server ansible]# cat create_users.yml
- name: create user accounts for all our servers
  hosts: client
  vars_files:
    - secret.yml
  tasks:
    - name: create users
      user:
        name: "{{ item.name }}"
        password: "{{ item.pw | password_hash('sha512') }}"
      with_items: "{{ newusers }}"
[root@ansible-server ansible]# ansible-playbook --syntax-check --ask-vault-pass create_users.yml
Vault password:

playbook: create_users.yml
[root@ansible-server ansible]# echo redhat > vault.pass
[root@ansible-server ansible]# chmod 0600 vault.pass
[root@ansible-server ansible]# ansible-playbook --syntax-check --vault-password-file=vault.pass create_users.yml

playbook: create_users.yml
[root@ansible-server ansible]# ansible-playbook --vault-password-file=vault.pass create_users.yml

PLAY [create user accounts for all our servers] ********************************

TASK [Gathering Facts] *********************************************************
ok: [172.16.216.182]
ok: [172.16.216.181]

TASK [create users] ************************************************************
changed: [172.16.216.182] => (item={u'name': u'ansibleuser1', u'pw': u'redhat'})
changed: [172.16.216.181] => (item={u'name': u'ansibleuser1', u'pw': u'redhat'})
changed: [172.16.216.182] => (item={u'name': u'ansibleuser2', u'pw': u'$Re4H1t@'})
changed: [172.16.216.181] => (item={u'name': u'ansibleuser2', u'pw': u'$Re4H1t@'})

PLAY RECAP *********************************************************************
172.16.216.181             : ok=2    changed=1    unreachable=0    failed=0
172.16.216.182             : ok=2    changed=1    unreachable=0    failed=0
```

Verifying that the accounts were created by logging in to each client with the passwords from secret.yml (the greeting comes from the /etc/motd template installed earlier):

```bash
[root@ansible-server ansible]# ssh ansibleuser1@172.16.216.181
ansibleuser1@172.16.216.181's password:
the hostname is ansible-client1.liuxplus.com
today's date is 2018-10-11
[ansibleuser1@ansible-client1 ~]$ exit
logout
Connection to 172.16.216.181 closed.
[root@ansible-server ansible]# ssh ansibleuser1@172.16.216.182
ansibleuser1@172.16.216.182's password:
the hostname is ansible-client2.linuxplust.com
today's date is 2018-10-11
[ansibleuser1@ansible-client2 ~]$ exit
logout
Connection to 172.16.216.182 closed.
[root@ansible-server ansible]# ssh ansibleuser2@172.16.216.181
ansibleuser2@172.16.216.181's password:
the hostname is ansible-client1.liuxplus.com
today's date is 2018-10-11
[ansibleuser2@ansible-client1 ~]$ exit
logout
Connection to 172.16.216.181 closed.
[root@ansible-server ansible]# ssh ansibleuser2@172.16.216.182
ansibleuser2@172.16.216.182's password:
the hostname is ansible-client2.linuxplust.com
today's date is 2018-10-11
[ansibleuser2@ansible-client2 ~]$ exit
logout
Connection to 172.16.216.182 closed.
```