community.hashi_vault.vault_ansible_settings lookup – returns plugin settings (options)
Note
This lookup plugin is part of the community.hashi_vault collection (version 6.2.0).
If you are using the ansible package, this collection may already be installed. It is not included in ansible-core.
To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install community.hashi_vault.
To use it in a playbook, specify: community.hashi_vault.vault_ansible_settings.
New in community.hashi_vault 2.5.0
Synopsis
Returns a dictionary of options and their values for a given plugin.
This is useful for using plugin settings in modules and module_defaults, especially when common settings are set in ansible.cfg, in Ansible variables, or in environment variables on the controller. Options can be filtered by name, and default values, unset options and private options can be included or excluded.
Terms

Parameter | Comments
---|---
Terms (string, list of strings) | The names of the options to load. Supports fnmatch-style wildcards. Prepend any name or pattern with `!` to invert the match. Default: `["*"]` (all options)

Keyword parameters
This describes the keyword parameters of the lookup. These are the values key1=value1, key2=value2 and so on in the following examples: lookup('community.hashi_vault.vault_ansible_settings', key1=value1, key2=value2, ...) and query('community.hashi_vault.vault_ansible_settings', key1=value1, key2=value2, ...)

Parameter | Comments
---|---
include_default (boolean) | Include options whose value comes from a default. Choices: false (default), true
include_none (boolean) | Include options whose value is None (unset). Choices: false (default), true
include_private (boolean) | Include options that begin with an underscore (`_`). Choices: false (default), true
plugin (string) | The name of the plugin whose options will be returned. Only lookups are supported. Short names (without a dot `.`) are assumed to be in the community.hashi_vault collection. Default: "community.hashi_vault.vault_login"
Notes
Note
When keyword and positional parameters are used together, positional parameters must be listed before keyword parameters:
lookup('community.hashi_vault.vault_ansible_settings', term1, term2, key1=value1, key2=value2)
and query('community.hashi_vault.vault_ansible_settings', term1, term2, key1=value1, key2=value2)
This collection supports some "low precedence" environment variables that are loaded after all other sources, such as VAULT_ADDR. This plugin does **not** support those environment variables.
If you want to use them, load them directly with the ansible.builtin.env lookup when calling a module or setting module_defaults. Similarly, any option that relies on additional processing to populate its value will not have that processing performed.
For example, a token will not be loaded from the token sink file, and auth methods will not have their validate method called. See the examples for workarounds, but consider using Ansible-specific ways of setting these values instead.
See Also
- Module defaults
Using the module_defaults keyword.
Examples
```yaml
### In these examples, we assume an ansible.cfg like this:
# [hashi_vault_collection]
# url = https://config-based-vault.example.com
# retries = 5
### end ansible.cfg

### We assume some environment variables set as well
# ANSIBLE_HASHI_VAULT_URL: https://env-based-vault.example.com
# ANSIBLE_HASHI_VAULT_TOKEN: s.123456789
### end environment variables

# playbook - ansible-core 2.12 and higher
## set defaults for the collection group
- hosts: all
  vars:
    ansible_hashi_vault_auth_method: token
  module_defaults:
    group/community.hashi_vault.vault: "{{ lookup('community.hashi_vault.vault_ansible_settings') }}"
  tasks:
    - name: Get a secret from the remote host with settings from the controller
      community.hashi_vault.vault_kv2_get:
        path: app/some/secret

######
# playbook - ansible any version
## set defaults for a specific module
- hosts: all
  vars:
    ansible_hashi_vault_auth_method: token
  module_defaults:
    community.hashi_vault.vault_kv2_get: "{{ lookup('community.hashi_vault.vault_ansible_settings') }}"
  tasks:
    - name: Get a secret from the remote host with settings from the controller
      community.hashi_vault.vault_kv2_get:
        path: app/some/secret

######
# playbook - ansible any version
## set defaults for several modules
## do not use controller's auth
- hosts: all
  vars:
    ansible_hashi_vault_auth_method: aws_iam
    settings: "{{ lookup('community.hashi_vault.vault_ansible_settings', '*', '!*token*') }}"
  module_defaults:
    community.hashi_vault.vault_kv2_get: '{{ settings }}'
    community.hashi_vault.vault_kv1_get: '{{ settings }}'
  tasks:
    - name: Get a secret from the remote host with some settings from the controller, auth from remote
      community.hashi_vault.vault_kv2_get:
        path: app/some/secret
    - name: Same with kv1
      community.hashi_vault.vault_kv1_get:
        path: app/some/secret

######
# playbook - ansible any version
## set defaults for several modules
## do not use controller's auth
## override returned settings
- hosts: all
  vars:
    ansible_hashi_vault_auth_method: userpass
    plugin_settings: "{{ lookup('community.hashi_vault.vault_ansible_settings', '*', '!*token*') }}"
    overrides:
      auth_method: aws_iam
      retries: '{{ (plugin_settings.retries | int) + 2 }}'
    settings: >-
      {{
        plugin_settings
        | combine(overrides)
      }}
  module_defaults:
    community.hashi_vault.vault_kv2_get: '{{ settings }}'
    community.hashi_vault.vault_kv1_get: '{{ settings }}'
  tasks:
    - name: Get a secret from the remote host with some settings from the controller, auth from remote
      community.hashi_vault.vault_kv2_get:
        path: app/some/secret
    - name: Same with kv1
      community.hashi_vault.vault_kv1_get:
        path: app/some/secret

######
# using a block is similar
- name: Settings
  vars:
    ansible_hashi_vault_auth_method: aws_iam
    settings: "{{ lookup('community.hashi_vault.vault_ansible_settings', '*', '!*token*') }}"
  module_defaults:
    community.hashi_vault.vault_kv2_get: '{{ settings }}'
    community.hashi_vault.vault_kv1_get: '{{ settings }}'
  block:
    - name: Get a secret from the remote host with some settings from the controller, auth from remote
      community.hashi_vault.vault_kv2_get:
        path: app/some/secret
    - name: Same with kv1
      community.hashi_vault.vault_kv1_get:
        path: app/some/secret

#####
# use settings from a different plugin
## when you need settings that are not in the default plugin (vault_login)
- name: Settings
  vars:
    ansible_hashi_vault_engine_mount_point: dept-secrets
    settings: "{{ lookup('community.hashi_vault.vault_ansible_settings', plugin='community.hashi_vault.vault_kv2_get') }}"
  module_defaults:
    community.hashi_vault.vault_kv2_get: '{{ settings }}'
  block:
    - name: Get a secret from the remote host with some settings from the controller, auth from remote
      community.hashi_vault.vault_kv2_get:
        path: app/some/secret

#####
# use settings from a different plugin (on an individual call)
## short names assume community.hashi_vault
- name: Settings
  vars:
    ansible_hashi_vault_engine_mount_point: dept-secrets
    settings: "{{ lookup('community.hashi_vault.vault_ansible_settings') }}"
  module_defaults:
    community.hashi_vault.vault_kv2_get: '{{ settings }}'
  block:
    - name: Get a secret from the remote host with some settings from the controller, auth from remote
      community.hashi_vault.vault_kv2_get:
        engine_mount_point: "{{ lookup('community.hashi_vault.vault_ansible_settings', plugin='vault_kv2_get') }}"
        path: app/some/secret

#####
# normally, options with default values are not returned, but can be
- name: Settings
  vars:
    settings: "{{ lookup('community.hashi_vault.vault_ansible_settings') }}"
  module_defaults:
    # we usually want to use the remote host's IAM auth
    # (the value must be quoted, otherwise Jinja treats aws_iam as an undefined variable)
    community.hashi_vault.vault_kv2_get: >-
      {{
        settings
        | combine({'auth_method': 'aws_iam'})
      }}
  block:
    - name: Use the plugin auth method instead, even if it is the default method
      community.hashi_vault.vault_kv2_get:
        auth_method: "{{ lookup('community.hashi_vault.vault_ansible_settings', 'auth_method', include_default=True) }}"
        path: app/some/secret

#####
# normally, options with None/null values are not returned,
# nor are private options (names begin with underscore _),
# but they can be returned too if desired
- name: Show all plugin settings
  ansible.builtin.debug:
    msg: "{{ lookup('community.hashi_vault.vault_ansible_settings', include_none=True, include_private=True, include_default=True) }}"

#####
# dealing with low-precedence env vars and token sink loading
## here, VAULT_ADDR is usually used with plugins, but that will not work with vault_ansible_settings.
## additionally, the CLI `vault login` is used before running Ansible, so the token sink is usually used, which also will not work.
- hosts: all
  vars:
    plugin_settings: "{{ lookup('community.hashi_vault.vault_ansible_settings', 'url', 'token*', include_default=True) }}"
    overrides:
      url: "{{ plugin_settings.url | default(lookup('ansible.builtin.env', 'VAULT_ADDR')) }}"
      # fall back to the token sink file (~/.vault-token by default) written by `vault login`
      token: >-
        {{
          plugin_settings.token
          | default(
            lookup(
              'ansible.builtin.file',
              (
                plugin_settings.token_path | default(lookup('ansible.builtin.env', 'HOME')),
                plugin_settings.token_file
              ) | path_join
            )
          )
        }}
      auth_method: token
    settings: >-
      {{
        plugin_settings
        | combine(overrides)
      }}
  module_defaults:
    # use the merged settings, not the raw lookup, so the env var and token sink fallbacks apply
    community.hashi_vault.vault_kv2_get: '{{ settings }}'
  tasks:
    - name: Get a secret from the remote host with settings from the controller
      community.hashi_vault.vault_kv2_get:
        path: app/some/secret
#####
```
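The filtering described in the synopsis (name patterns, `!` negation, and the include_default / include_none / include_private switches) is modelled below so the effect of patterns such as `'*', '!*token*'` can be checked offline. This is an added example, not the plugin's own code; the OPTIONS table is a constructed sample mirroring the ansible.cfg and environment assumed above, and the rule that a name is kept when it matches a plain pattern and no `!` pattern is an assumption about the plugin's matching order.

```python
from fnmatch import fnmatchcase

# Constructed sample of the vault_login plugin's resolved options, mirroring the
# ansible.cfg and environment assumed in the examples above (env wins over ini).
# "is_default" marks values that come from the option's declared default.
OPTIONS = {
    "url": {"value": "https://env-based-vault.example.com", "is_default": False},
    "retries": {"value": 5, "is_default": False},
    "token": {"value": "s.123456789", "is_default": False},
    "token_file": {"value": ".vault-token", "is_default": True},
    "token_path": {"value": None, "is_default": True},
    "auth_method": {"value": "token", "is_default": True},
    "_terms": {"value": None, "is_default": False},
}


def name_selected(name, terms):
    """Assumed matching rule: a name is kept when it matches at least one plain
    fnmatch pattern and no pattern prefixed with '!' (the inverted match)."""
    positive = [t for t in terms if not t.startswith("!")] or ["*"]
    negative = [t[1:] for t in terms if t.startswith("!")]
    if any(fnmatchcase(name, pat) for pat in negative):
        return False
    return any(fnmatchcase(name, pat) for pat in positive)


def vault_ansible_settings(options, *terms, include_default=False,
                           include_none=False, include_private=False):
    """Model of lookup('community.hashi_vault.vault_ansible_settings', *terms, ...)."""
    terms = terms or ("*",)
    result = {}
    for name, opt in options.items():
        if name.startswith("_") and not include_private:
            continue  # private options are dropped unless asked for
        if opt["value"] is None and not include_none:
            continue  # unset options are dropped unless asked for
        if opt["is_default"] and not include_default:
            continue  # defaulted options are dropped unless asked for
        if name_selected(name, terms):
            result[name] = opt["value"]
    return result


def module_defaults_without_controller_auth(options):
    """The '*', '!*token*' pattern from the examples: share connection settings
    with the remote host, but never the controller's Vault token."""
    return vault_ansible_settings(options, "*", "!*token*")


if __name__ == "__main__":
    print(vault_ansible_settings(OPTIONS))
    print(module_defaults_without_controller_auth(OPTIONS))
```

Running the block shows that the unfiltered lookup would push the controller's token into module_defaults, while the negated pattern keeps only url and retries.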
Return Values

Key | Description
---|---
Return value (dictionary) | A dictionary of the options and their values. Only a single dictionary is returned, even with multiple terms. Returned: success