时间戳

首页 > 解决方案 > 如何从 CLI 打印包含 Kubernetes 机密的 Ansible 保管变量?

kubernetes - 如何从 CLI 打印包含 Kubernetes 机密的 Ansible 保管变量?

问题描述

我有一个 Ansiblegroup_vars目录,其中包含以下文件:

$ cat inventory/group_vars/env1
...
...
ldap_config: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          31636161623166323039356163363432336566356165633232643932623133643764343134613064
          6563346430393264643432636434356334313065653537300a353431376264333463333238383833
          31633664303532356635303336383361386165613431346565373239643431303235323132633331
          3561343765383538340a373436653232326632316133623935333739323165303532353830386532
          39616232633436333238396139323631633966333635393431373565643339313031393031313836
          61306163333539616264353163353535366537356662333833653634393963663838303230386362
          31396431636630393439306663313762313531633130326633383164393938363165333866626438
...
...

这个 Ansible 加密字符串中封装了一个 Kubernetes 机密。一个看起来像这样的 base64 blob:

IyMKIyBIb3N0IERhdGFiYXNlCiMKIyBsb2NhbGhvc3QgaXMgdXNlZCB0byBjb25maWd1cmUgdGhlIGxvb3BiYWNrIGludGVyZmFjZQojIHdoZW4gdGhlIHN5c3RlbSBpcyBib290aW5nLiAgRG8gbm90IGNoYW5nZSB0aGlzIGVudHJ5LgojIwoxMjcuMC4wLjEJbG9jYWxob3N0CjI1NS4yNTUuMjU1LjI1NQlicm9hZGNhc3Rob3N0Cjo6MSAgICAgICAgICAgICBsb2NhbGhvc3QKIyBBZGRlZCBieSBEb2NrZXIgRGVza3RvcAojIFRvIGFsbG93IHRoZSBzYW1lIGt1YmUgY29udGV4dCB0byB3b3JrIG9uIHRoZSBob3N0IGFuZCB0aGUgY29udGFpbmVyOgoxMjcuMC4wLjEga3ViZXJuZXRlcy5kb2NrZXIuaW50ZXJuYWwKIyBFbmQgb2Ygc2VjdGlvbgo=

如何在单个 CLI 中解密?

标签: kubernetesansiblekubernetes-secrets

解决方案

我们可以使用 Ansible adhoc 命令来检索感兴趣的变量ldap_config。首先,我们将使用这个 adhoc 来检索 Ansible 加密的保险库字符串:

$ ansible -i "localhost," all               \
    -m debug                                \
    -a 'msg="{{ ldap_config }}"'            \
    --vault-password-file=~/.vault_pass.txt \
    -e@inventory/group_vars/env1
localhost | SUCCESS => {
    "msg": "ABCD......."

请注意,我们是:

  • 使用debug模块并让它打印变量,msg={{ ldap_config }}
  • 给出ansible解密加密字符串的秘密路径
  • 使用符号-e@< ...path to file...>传递带有加密保险库变量的文件

现在我们可以使用 Jinja2 过滤器来完成剩下的解析:

$ ansible -i "localhost," all                             \
     -m debug                                             \
     -a 'msg="{{ ldap_config | b64decode | from_yaml }}"' \
     --vault-password-file=~/.vault_pass.txt              \
     -e@inventory/group_vars/env1
localhost | SUCCESS => {
    "msg": {
        "apiVersion": "v1",
        "bindDN": "uid=readonly,cn=users,cn=accounts,dc=mydom,dc=com",
        "bindPassword": "my secret password to ldap",
        "ca": "",
        "insecure": true,
        "kind": "LDAPSyncConfig",
        "rfc2307": {
            "groupMembershipAttributes": [
                "member"
            ],
            "groupNameAttributes": [
                "cn"
            ],
            "groupUIDAttribute": "dn",
            "groupsQuery": {
                "baseDN": "cn=groups,cn=accounts,dc=mydom,dc=com",
                "derefAliases": "never",
                "filter": "(objectclass=groupOfNames)",
                "scope": "sub"
            },
            "tolerateMemberNotFoundErrors": false,
            "tolerateMemberOutOfScopeErrors": false,
            "userNameAttributes": [
                "uid"
            ],
            "userUIDAttribute": "dn",
            "usersQuery": {
                "baseDN": "cn=users,cn=accounts,dc=mydom,dc=com",
                "derefAliases": "never",
                "scope": "sub"
            }
        },
        "url": "ldap://192.168.1.10:389"
    }
}

注意:以上部分-a 'msg="{{ ldap_config | b64decode | from_yaml }}"是从 Base64 转换为 YAML 方面的繁重工作。

参考

推荐阅读