kubernetes - How do I print an Ansible vault variable that contains a Kubernetes secret from the CLI?

Reposted. Author: 行者123. Updated: 2023-12-02 12:14:54

I have an Ansible group_vars directory containing the following file:

    $ cat inventory/group_vars/env1
    ...
    ...
    ldap_config: !vault |
      $ANSIBLE_VAULT;1.1;AES256
      31636161623166323039356163363432336566356165633232643932623133643764343134613064
      6563346430393264643432636434356334313065653537300a353431376264333463333238383833
      31633664303532356635303336383361386165613431346565373239643431303235323132633331
      3561343765383538340a373436653232326632316133623935333739323165303532353830386532
      39616232633436333238396139323631633966333635393431373565643339313031393031313836
      61306163333539616264353163353535366537356662333833653634393963663838303230386362
      31396431636630393439306663313762313531633130326633383164393938363165333866626438
    ...
    ...

This Ansible-encrypted string wraps a Kubernetes secret: a base64 blob that looks like this:
    IyMKIyBIb3N0IERhdGFiYXNlCiMKIyBsb2NhbGhvc3QgaXMgdXNlZCB0byBjb25maWd1cmUgdGhlIGxvb3BiYWNrIGludGVyZmFjZQojIHdoZW4gdGhlIHN5c3RlbSBpcyBib290aW5nLiAgRG8gbm90IGNoYW5nZSB0aGlzIGVudHJ5LgojIwoxMjcuMC4wLjEJbG9jYWxob3N0CjI1NS4yNTUuMjU1LjI1NQlicm9hZGNhc3Rob3N0Cjo6MSAgICAgICAgICAgICBsb2NhbGhvc3QKIyBBZGRlZCBieSBEb2NrZXIgRGVza3RvcAojIFRvIGFsbG93IHRoZSBzYW1lIGt1YmUgY29udGV4dCB0byB3b3JrIG9uIHRoZSBob3N0IGFuZCB0aGUgY29udGFpbmVyOgoxMjcuMC4wLjEga3ViZXJuZXRlcy5kb2NrZXIuaW50ZXJuYWwKIyBFbmQgb2Ygc2VjdGlvbgo=

How can I decrypt it with a single CLI command?

Best answer

We can use an Ansible ad hoc command to retrieve the variable of interest, ldap_config. First, we use this ad hoc command to retrieve the Ansible-encrypted vault string:

    $ ansible -i "localhost," all               \
        -m debug \
        -a 'msg="{{ ldap_config }}"' \
        --vault-password-file=~/.vault_pass.txt \
        -e@inventory/group_vars/env1
    localhost | SUCCESS => {
        "msg": "ABCD......."
    }

Note that we are:
  • using the debug module and having it print the variable msg={{ ldap_config }}
  • passing the path to the secret that ansible uses to decrypt the encrypted string
  • passing the file containing the encrypted vault variable using the -e@<...path to file...> notation

Now we can use Jinja2 filters to do the rest of the parsing:

    $ ansible -i "localhost," all                             \
        -m debug \
        -a 'msg="{{ ldap_config | b64decode | from_yaml }}"' \
        --vault-password-file=~/.vault_pass.txt \
        -e@inventory/group_vars/env1
    localhost | SUCCESS => {
    "msg": {
    "apiVersion": "v1",
    "bindDN": "uid=readonly,cn=users,cn=accounts,dc=mydom,dc=com",
    "bindPassword": "my secret password to ldap",
    "ca": "",
    "insecure": true,
    "kind": "LDAPSyncConfig",
    "rfc2307": {
    "groupMembershipAttributes": [
    "member"
    ],
    "groupNameAttributes": [
    "cn"
    ],
    "groupUIDAttribute": "dn",
    "groupsQuery": {
    "baseDN": "cn=groups,cn=accounts,dc=mydom,dc=com",
    "derefAliases": "never",
    "filter": "(objectclass=groupOfNames)",
    "scope": "sub"
    },
    "tolerateMemberNotFoundErrors": false,
    "tolerateMemberOutOfScopeErrors": false,
    "userNameAttributes": [
    "uid"
    ],
    "userUIDAttribute": "dn",
    "usersQuery": {
    "baseDN": "cn=users,cn=accounts,dc=mydom,dc=com",
    "derefAliases": "never",
    "scope": "sub"
    }
    },
    "url": "ldap://192.168.1.10:389"
    }
    }

Note: the part -a 'msg="{{ ldap_config | b64decode | from_yaml }}"' above is what does the heavy lifting of converting from Base64 to YAML.

References
  • How to run Ansible without hosts file
  • https://docs.ansible.com/ansible/latest/user_guide/playbooks_filters.html#filters-for-formatting-data
  • Base64 Decode String in jinja
  • How to decrypt string with ansible-vault 2.3.0
  • On "kubernetes - How do I print an Ansible vault variable that contains a Kubernetes secret from the CLI?", a similar question was found on Stack Overflow: https://stackoverflow.com/questions/58071737/
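As an added example (not code from the original question, the answer, or Ansible itself): a standard-library Python parser for the $ANSIBLE_VAULT;1.1;AES256 envelope shown in the question. It splits the envelope into salt, HMAC and ciphertext, derives keys the way Ansible's VaultAES256 does (PBKDF2-HMAC-SHA256, 10000 iterations, 80 bytes = AES key, HMAC key, IV), and checks whether a candidate vault password reproduces the envelope's HMAC. Those layout and KDF details are stated here from Ansible's implementation as I know it, not from the page. The function names, the sample password, the salt and the ciphertext bytes are all constructed for the demo; the ciphertext is not real AES output, so only the format and the integrity check are exercised, and the AES-CTR decryption itself is left to ansible.

```python
"""Inspect an Ansible Vault 1.1/AES256 envelope and test a vault password
against its HMAC using only the standard library (added example)."""
import binascii
import hashlib
import hmac

HEADER_PREFIX = "$ANSIBLE_VAULT"
KEY_LEN = 32        # AES-256 key length
IV_LEN = 16         # AES block size
PBKDF2_ROUNDS = 10000  # iteration count Ansible's VaultAES256 uses (assumption)


def parse_envelope(text: str) -> dict:
    """Split a vault envelope into header fields and raw byte parts.

    Layout (per Ansible's VaultAES256): a header line, then a hex body wrapped
    at 80 columns; the decoded body is hex(salt) + "\\n" + hex(hmac) + "\\n" +
    hex(ciphertext).
    """
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    if not lines or not lines[0].startswith(HEADER_PREFIX):
        raise ValueError("not an Ansible Vault envelope")
    fields = lines[0].split(";")
    if len(fields) < 3:
        raise ValueError("malformed vault header")
    version, cipher = fields[1], fields[2]
    if cipher != "AES256":
        raise ValueError(f"unsupported cipher {cipher!r}")
    body = binascii.unhexlify("".join(lines[1:]))
    parts = body.split(b"\n")
    if len(parts) != 3:
        raise ValueError("vault body does not contain salt/hmac/ciphertext")
    salt_hex, hmac_hex, ct_hex = parts
    return {
        "version": version,
        "cipher": cipher,
        "salt": binascii.unhexlify(salt_hex),
        "hmac": binascii.unhexlify(hmac_hex),
        "ciphertext": binascii.unhexlify(ct_hex),
    }


def derive_keys(password: bytes, salt: bytes):
    """PBKDF2-HMAC-SHA256 -> (aes_key, hmac_key, iv), in Ansible's order."""
    derived = hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ROUNDS,
                                  dklen=2 * KEY_LEN + IV_LEN)
    return derived[:KEY_LEN], derived[KEY_LEN:2 * KEY_LEN], derived[2 * KEY_LEN:]


def verify_vault_password(text: str, password: bytes) -> bool:
    """True if `password` reproduces the envelope's HMAC (so it would decrypt).

    Constant-time comparison and no plaintext is produced or printed, so this
    can confirm that a vault password file matches a vault without exposing
    the secret the way the debug module does.
    """
    parts = parse_envelope(text)
    _, hmac_key, _ = derive_keys(password, parts["salt"])
    expected = hmac.new(hmac_key, parts["ciphertext"], hashlib.sha256).digest()
    return hmac.compare_digest(expected, parts["hmac"])


def build_demo_envelope(password: bytes, salt: bytes, ciphertext: bytes) -> str:
    """Constructed fixture: wrap arbitrary `ciphertext` bytes in a 1.1/AES256
    envelope with a valid HMAC. The bytes are NOT real AES output; this only
    exercises the format and HMAC path, not decryption."""
    _, hmac_key, _ = derive_keys(password, salt)
    mac = hmac.new(hmac_key, ciphertext, hashlib.sha256).digest()
    body = b"\n".join(binascii.hexlify(x) for x in (salt, mac, ciphertext))
    hex_body = binascii.hexlify(body).decode()
    wrapped = "\n".join(hex_body[i:i + 80] for i in range(0, len(hex_body), 80))
    return f"{HEADER_PREFIX};1.1;AES256\n{wrapped}\n"


# Constructed sample values (not from the original post).
DEMO_PASSWORD = b"correct horse battery staple"
DEMO_SALT = bytes(range(32))
DEMO_CIPHERTEXT = b"\x00" * 16 + b"\xff" * 16
DEMO_ENVELOPE = build_demo_envelope(DEMO_PASSWORD, DEMO_SALT, DEMO_CIPHERTEXT)

if __name__ == "__main__":
    print(parse_envelope(DEMO_ENVELOPE)["version"], "envelope parsed")
    print("right password:", verify_vault_password(DEMO_ENVELOPE, DEMO_PASSWORD))
    print("wrong password:", verify_vault_password(DEMO_ENVELOPE, b"nope"))
```

Run it with the contents of the `!vault |` block (header line plus the hex lines, without the `ldap_config:` key) as `text` and the contents of ~/.vault_pass.txt as `password`; a False result before the debug command above saves a failed run, and a True result confirms the password file without echoing the LDAP bind password to the terminal or to any log that captures the ansible output.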
