added docs for vault and made trigger shorter: !vault (#20985)
* added docs for vault and made trigger shorter: !vault * added single var vaulting * Update playbooks_vault.rst Edit pass for spelling and grammar. Ship it! * Update playbooks_vault.rst Typo fixes.
This commit is contained in:
parent
9703b0ff39
commit
a2c38c47aa
7 changed files with 31 additions and 8 deletions
|
@ -4,6 +4,7 @@ Ansible Changes By Release
|
||||||
## 2.3 TBD - ACTIVE DEVELOPMENT
|
## 2.3 TBD - ACTIVE DEVELOPMENT
|
||||||
|
|
||||||
###Major Changes:
|
###Major Changes:
|
||||||
|
* Documented and renamed the previously released 'single var vaulting' feature, allowing user to use vault encryption for single variables in a normal YAML vars file.
|
||||||
|
|
||||||
###Minor Changes:
|
###Minor Changes:
|
||||||
* The version and release facts for OpenBSD hosts were reversed. This has been
|
* The version and release facts for OpenBSD hosts were reversed. This has been
|
||||||
|
|
|
@ -20,6 +20,8 @@ Ansible tasks, handlers, and so on are also data so these can be encrypted with
|
||||||
|
|
||||||
The vault feature can also encrypt arbitrary files, even binary files. If a vault-encrypted file is given as the `src` argument to the `copy` module, the file will be placed at the destination on the target host decrypted (assuming a valid vault password is supplied when running the play).
|
The vault feature can also encrypt arbitrary files, even binary files. If a vault-encrypted file is given as the `src` argument to the `copy` module, the file will be placed at the destination on the target host decrypted (assuming a valid vault password is supplied when running the play).
|
||||||
|
|
||||||
|
As of version 2.3, Ansible also supports encrypting single values inside a YAML file, using the `!vault` tag to let YAML and Ansible know it uses special processing. This feature is covered in more details below.
|
||||||
|
|
||||||
.. _creating_files:
|
.. _creating_files:
|
||||||
|
|
||||||
Creating Encrypted Files
|
Creating Encrypted Files
|
||||||
|
@ -115,6 +117,28 @@ This is something you may wish to do if using Ansible from a continuous integrat
|
||||||
|
|
||||||
(The `--vault-password-file` option can also be used with the :ref:`ansible-pull` command if you wish, though this would require distributing the keys to your nodes, so understand the implications -- vault is more intended for push mode).
|
(The `--vault-password-file` option can also be used with the :ref:`ansible-pull` command if you wish, though this would require distributing the keys to your nodes, so understand the implications -- vault is more intended for push mode).
|
||||||
|
|
||||||
|
|
||||||
|
.. _single_encryptd_variable:
|
||||||
|
|
||||||
|
Single Encrypted Variable
|
||||||
|
`````````````````````````
|
||||||
|
|
||||||
|
As of version 2.3, Ansible can now use a vaulted variable that lives in an otherwise 'clear text' YAML file::
|
||||||
|
|
||||||
|
notsecret: myvalue
|
||||||
|
mysecret: !vault |
|
||||||
|
$ANSIBLE_VAULT;1.1;AES256
|
||||||
|
66386439653236336462626566653063336164663966303231363934653561363964363833313662
|
||||||
|
6431626536303530376336343832656537303632313433360a626438346336353331386135323734
|
||||||
|
62656361653630373231613662633962316233633936396165386439616533353965373339616234
|
||||||
|
3430613539666330390a313736323265656432366236633330313963326365653937323833366536
|
||||||
|
34623731376664623134383463316265643436343438623266623965636363326136
|
||||||
|
other_plain_text: othervalue
|
||||||
|
|
||||||
|
|
||||||
|
This vaulted variable be decrypted with the supplied vault secret and used as a normal variable. The `ansible-vault` command line supports stdin and stdout for encrypting data on the fly, which can be used from your favorite editor to create these vaulted variables; you just have to be sure to add the `!vault` tag so both Ansible and YAML are aware of the need to decrypt. The `|` is also required, as vault encryption results in a multi-line string.
|
||||||
|
|
||||||
|
|
||||||
.. _speeding_up_vault:
|
.. _speeding_up_vault:
|
||||||
|
|
||||||
Speeding Up Vault Operations
|
Speeding Up Vault Operations
|
||||||
|
|
|
@ -156,6 +156,4 @@ AnsibleConstructor.add_constructor(
|
||||||
u'!unsafe',
|
u'!unsafe',
|
||||||
AnsibleConstructor.construct_yaml_unsafe)
|
AnsibleConstructor.construct_yaml_unsafe)
|
||||||
|
|
||||||
AnsibleConstructor.add_constructor(
|
AnsibleConstructor.add_constructor(u'!vault', AnsibleConstructor.construct_vault_encrypted_unicode)
|
||||||
u'!vault-encrypted',
|
|
||||||
AnsibleConstructor.construct_vault_encrypted_unicode)
|
|
||||||
|
|
|
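Review bot: Registering only `!vault` in the new add_constructor line drops the `!vault-encrypted` tag that the changelog hunk itself describes as "previously released", so any existing vars file written with the old tag stops loading rather than being decrypted; a YAML loader normally rejects a tag with no registered constructor. Keeping the old registration as an alias beside the new one is a one-line addition: `AnsibleConstructor.add_constructor(u'!vault-encrypted', AnsibleConstructor.construct_vault_encrypted_unicode)`. The matching dumper change further down makes newly written files use `!vault`, so files round-tripped by this version will not load on the prior release either, which the changelog entry should state. The test helper at the end of the page now only builds `!vault |` streams, so the legacy tag would be untested unless a case for it is added.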
@ -40,7 +40,7 @@ def represent_hostvars(self, data):
|
||||||
|
|
||||||
# Note: only want to represent the encrypted data
|
# Note: only want to represent the encrypted data
|
||||||
def represent_vault_encrypted_unicode(self, data):
|
def represent_vault_encrypted_unicode(self, data):
|
||||||
return self.represent_scalar(u'!vault-encrypted', data._ciphertext.decode(), style='|')
|
return self.represent_scalar(u'!vault', data._ciphertext.decode(), style='|')
|
||||||
|
|
||||||
if PY3:
|
if PY3:
|
||||||
represent_unicode = yaml.representer.SafeRepresenter.represent_str
|
represent_unicode = yaml.representer.SafeRepresenter.represent_str
|
||||||
|
|
|
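Review bot: The tag string `u'!vault'` is now spelled out as a literal in represent_vault_encrypted_unicode, again in the constructor registration above, and a third time as `yaml_tag` on AnsibleVaultEncryptedUnicode below, so the three can drift apart on the next rename with no error until a file fails to load. The representer could emit the class attribute instead, `return self.represent_scalar(data.yaml_tag, data._ciphertext.decode(), style='|')`, assuming `data` here is always an AnsibleVaultEncryptedUnicode — the class is not visible in this hunk, so confirm that before relying on it. The constructor registration could likewise reference `AnsibleVaultEncryptedUnicode.yaml_tag` if that import does not introduce a cycle.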
@ -73,7 +73,7 @@ class AnsibleSequence(AnsibleBaseYAMLObject, list):
|
||||||
class AnsibleVaultEncryptedUnicode(yaml.YAMLObject, AnsibleUnicode):
|
class AnsibleVaultEncryptedUnicode(yaml.YAMLObject, AnsibleUnicode):
|
||||||
__UNSAFE__ = True
|
__UNSAFE__ = True
|
||||||
__ENCRYPTED__ = True
|
__ENCRYPTED__ = True
|
||||||
yaml_tag = u'!vault-encrypted'
|
yaml_tag = u'!vault'
|
||||||
|
|
||||||
@classmethod
|
@classmethod
|
||||||
def from_plaintext(cls, seq, vault):
|
def from_plaintext(cls, seq, vault):
|
||||||
|
|
|
@ -1,14 +1,14 @@
|
||||||
# If you use normal 'ansible-vault create' or edit, files always have at least one new line
|
# If you use normal 'ansible-vault create' or edit, files always have at least one new line
|
||||||
# so c&p from a vault encrypted that wasn't specifically created sans new line ends up with one.
|
# so c&p from a vault encrypted that wasn't specifically created sans new line ends up with one.
|
||||||
# (specifically created, as in 'echo -n "just one line" > my_secret.yml'
|
# (specifically created, as in 'echo -n "just one line" > my_secret.yml'
|
||||||
vault_encrypted_var: !vault-encrypted |
|
vault_encrypted_var: !vault |
|
||||||
$ANSIBLE_VAULT;1.1;AES256
|
$ANSIBLE_VAULT;1.1;AES256
|
||||||
66386439653236336462626566653063336164663966303231363934653561363964363833313662
|
66386439653236336462626566653063336164663966303231363934653561363964363833313662
|
||||||
6431626536303530376336343832656537303632313433360a626438346336353331386135323734
|
6431626536303530376336343832656537303632313433360a626438346336353331386135323734
|
||||||
62656361653630373231613662633962316233633936396165386439616533353965373339616234
|
62656361653630373231613662633962316233633936396165386439616533353965373339616234
|
||||||
3430613539666330390a313736323265656432366236633330313963326365653937323833366536
|
3430613539666330390a313736323265656432366236633330313963326365653937323833366536
|
||||||
34623731376664623134383463316265643436343438623266623965636363326136
|
34623731376664623134383463316265643436343438623266623965636363326136
|
||||||
vault_encrypted_one_line_var: !vault-encrypted |
|
vault_encrypted_one_line_var: !vault |
|
||||||
$ANSIBLE_VAULT;1.1;AES256
|
$ANSIBLE_VAULT;1.1;AES256
|
||||||
33363965326261303234626463623963633531343539616138316433353830356566396130353436
|
33363965326261303234626463623963633531343539616138316433353830356566396130353436
|
||||||
3562643163366231316662386565383735653432386435610a306664636137376132643732393835
|
3562643163366231316662386565383735653432386435610a306664636137376132643732393835
|
||||||
|
|
|
@ -204,7 +204,7 @@ class TestAnsibleLoaderVault(unittest.TestCase, YamlTestUtils):
|
||||||
lines2.append(' %s' % line)
|
lines2.append(' %s' % line)
|
||||||
|
|
||||||
vaulted_var = '\n'.join(lines2)
|
vaulted_var = '\n'.join(lines2)
|
||||||
tagged_vaulted_var = u"""!vault-encrypted |\n%s""" % vaulted_var
|
tagged_vaulted_var = u"""!vault |\n%s""" % vaulted_var
|
||||||
return tagged_vaulted_var
|
return tagged_vaulted_var
|
||||||
|
|
||||||
def _build_stream(self, yaml_text):
|
def _build_stream(self, yaml_text):
|
||||||
|
|