# robertdebock.vault_snapshot

Ansible role vault_snapshot

Configure vault_snapshot on Vault.
## Example Playbook

This example is taken from `molecule/default/converge.yml` and is tested on each push, pull request and release.

```yaml
---
- name: 汇聚
  hosts: all
  become: true
  gather_facts: true

  pre_tasks:
    - name: 从远程机器读取令牌
      ansible.builtin.slurp:
        src: /root/.vault-token
      register: token_raw

  roles:
    - role: robertdebock.vault_snapshot
      vault_snapshot_token: "{{ token_raw['content'] | b64decode }}"
      vault_snapshot_ssl_verify: false
      vault_snapshot_schedules:
        - name: 每小时
          interval_seconds: 3600
          retain: 24
          path_prefix: /opt/vault/snapshots/
          storage_type: local
          local_max_space: 1073741824
        - name: 每小时-aws
          interval_seconds: 3600
          retain: 24
          path_prefix: /hourly
          storage_type: aws-s3
          aws_s3_bucket: my-bucket
          aws_s3_region: eu-central-1
          aws_access_key_id: some_key
          aws_secret_access_key: some_secret
          aws_s3_enable_kms: false
        - name: 每小时-azure
          interval_seconds: 3600
          retain: 24
          path_prefix: /hourly/
          storage_type: azure-blob
          azure_container_name: my-blob
          azure_account_name: some_account
          azure_account_key: some_key
```
The machine needs to be prepared. In CI this is done using `molecule/default/prepare.yml`:

```yaml
---
- name: 准备
  hosts: all
  become: true
  gather_facts: false

  roles:
    - role: robertdebock.bootstrap
    - role: robertdebock.core_dependencies
    - role: robertdebock.hashicorp
    - role: robertdebock.vault
      vault_type: ent
      vault_hardening_disable_swap: false
    - role: robertdebock.vault_configuration
      vault_configuration_license: "{{ lookup('ansible.builtin.env', 'VAULT_LICENSE') }}"
      vault_configuration_listener_tcp:
        address: "127.0.0.1:8200"
        cluster_address: "127.0.0.1:8201"
        tls_disable: true
      vault_configuration_storage_raft:
        path: "/opt/vault/data"
        node_id: "{{ ansible_hostname }}"

  tasks:
    - name: 刷新处理程序
      ansible.builtin.meta: flush_handlers

    - name: 启动Vault
      ansible.builtin.service:
        name: vault
        state: started

    - name: 初始化Vault
      ansible.builtin.command:
        cmd: vault operator init -format=yaml
      register: vault_init_raw
      environment:
        VAULT_ADDR: "https://localhost:8200"
        VAULT_SKIP_VERIFY: "true"
      changed_when: true

    - name: 将vault_init_raw输出保存为YAML
      ansible.builtin.set_fact:
        vault_init: "{{ vault_init_raw.stdout | from_yaml }}"

    - name: 存储root_token
      ansible.builtin.copy:
        content: "{{ vault_init.root_token }}"
        dest: /root/.vault-token
        owner: root
        group: root
        mode: "0640"

    - name: 解封Vault
      ansible.builtin.command:
        cmd: vault operator unseal {{ item }}
      loop: "{{ vault_init.unseal_keys_b64 }}"
      environment:
        VAULT_ADDR: "https://localhost:8200"
        VAULT_SKIP_VERIFY: "true"
      changed_when: true
```

Note that `vault operator init` returns the root token and the unseal keys, and the task above registers that output without `no_log: true`, so both end up in the play output; that is acceptable for a throwaway CI instance, not for a real deployment.
Also see a full explanation and example on how to use these roles.
## Role Variables

The default values for the variables are set in `defaults/main.yml`:

```yaml
---
# defaults file for vault_snapshot

# Set the address of the Vault instance. Similar to `VAULT_ADDR`.
vault_snapshot_address: "https://localhost:8200"

# Set the token used to connect to Vault. Similar to `VAULT_TOKEN`.
vault_snapshot_token: ""

# A list of snapshots to configure. See `molecule/default/converge.yml` for a full example.
vault_snapshot_schedules: []

# Verify the SSL certificate of the Vault server? Set to false to disable verification.
vault_snapshot_ssl_verify: true
```
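A pre-flight check over these variables, as an added example that is not part of the role (the role ships no validator): it verifies that each entry of `vault_snapshot_schedules` carries the keys its `storage_type` needs, that intervals and retention counts are sane, and it flags the settings the `converge.yml` example leaves weak for a real deployment, namely cloud credentials written into the playbook as literals and `vault_snapshot_ssl_verify: false`. The required-key sets per storage type are assumptions read from the example above, not a documented schema; the sample schedules are constructed to mirror that example.

```python
"""Pre-flight linter for vault_snapshot role variables (hypothetical helper, not part of the role).

Run it over the values you intend to pass to the role before executing the playbook.
"""
from __future__ import annotations

# Keys every schedule entry needs, and the storage-specific keys shown in the
# role's converge.yml example (assumed from the example, not a documented schema).
COMMON_KEYS = {"name", "interval_seconds", "retain", "path_prefix", "storage_type"}
STORAGE_KEYS = {
    "local": {"local_max_space"},
    "aws-s3": {"aws_s3_bucket", "aws_s3_region", "aws_access_key_id", "aws_secret_access_key"},
    "azure-blob": {"azure_container_name", "azure_account_name", "azure_account_key"},
}
# Values that should never be written into a playbook as plaintext literals.
SECRET_KEYS = {"aws_access_key_id", "aws_secret_access_key", "azure_account_key"}


def is_literal_secret(value) -> bool:
    """True when a secret is a non-empty string rather than a Jinja expression (lookup, vaulted var)."""
    return isinstance(value, str) and value != "" and "{{" not in value


def lint_schedule(schedule: dict) -> list[str]:
    """Return the problems found in one vault_snapshot_schedules entry (empty list when clean)."""
    name = schedule.get("name", "<unnamed>")
    problems: list[str] = []

    missing = COMMON_KEYS - schedule.keys()
    if missing:
        problems.append(f"{name}: missing keys {sorted(missing)}")

    storage = schedule.get("storage_type")
    if storage not in STORAGE_KEYS:
        problems.append(f"{name}: unknown storage_type {storage!r}")
        return problems
    missing = STORAGE_KEYS[storage] - schedule.keys()
    if missing:
        problems.append(f"{name}: storage_type {storage} needs {sorted(missing)}")

    interval = schedule.get("interval_seconds")
    if not isinstance(interval, int) or isinstance(interval, bool) or interval <= 0:
        problems.append(f"{name}: interval_seconds must be a positive integer")
    retain = schedule.get("retain")
    if not isinstance(retain, int) or isinstance(retain, bool) or retain < 1:
        problems.append(f"{name}: retain must be at least 1")

    if storage == "local":
        if not str(schedule.get("path_prefix", "")).startswith("/"):
            problems.append(f"{name}: local path_prefix must be an absolute directory")
        space = schedule.get("local_max_space")
        if isinstance(space, int) and space <= 0:
            problems.append(f"{name}: local_max_space must be positive")

    for key in sorted(SECRET_KEYS & schedule.keys()):
        if is_literal_secret(schedule[key]):
            problems.append(f"{name}: {key} is a plaintext literal; use a lookup or an ansible-vault encrypted variable")
    return problems


def lint_config(ssl_verify: bool, token, schedules: list[dict]) -> list[str]:
    """Lint the role variables together: TLS verification, the token, and every schedule."""
    problems: list[str] = []
    if not ssl_verify:
        problems.append("vault_snapshot_ssl_verify is false: the Vault server certificate is not checked")
    if is_literal_secret(token):
        problems.append("vault_snapshot_token is a plaintext literal; read it with slurp or a lookup instead")
    seen: set = set()
    for schedule in schedules:
        name = schedule.get("name")
        if name in seen:
            problems.append(f"duplicate schedule name {name!r}")
        seen.add(name)
        problems.extend(lint_schedule(schedule))
    return problems


# Constructed sample that mirrors the converge.yml example in this README.
SAMPLE_TOKEN = "{{ token_raw['content'] | b64decode }}"
SAMPLE_SCHEDULES = [
    {"name": "hourly", "interval_seconds": 3600, "retain": 24,
     "path_prefix": "/opt/vault/snapshots/", "storage_type": "local", "local_max_space": 1073741824},
    {"name": "hourly-aws", "interval_seconds": 3600, "retain": 24, "path_prefix": "/hourly",
     "storage_type": "aws-s3", "aws_s3_bucket": "my-bucket", "aws_s3_region": "eu-central-1",
     "aws_access_key_id": "some_key", "aws_secret_access_key": "some_secret", "aws_s3_enable_kms": False},
    {"name": "hourly-azure", "interval_seconds": 3600, "retain": 24, "path_prefix": "/hourly/",
     "storage_type": "azure-blob", "azure_container_name": "my-blob",
     "azure_account_name": "some_account", "azure_account_key": "some_key"},
]

if __name__ == "__main__":
    # Against the sample this reports the disabled TLS check and three literal credentials.
    for line in lint_config(ssl_verify=False, token=SAMPLE_TOKEN, schedules=SAMPLE_SCHEDULES):
        print(line)
```

The token check passes for the example because it is a Jinja expression that reads `/root/.vault-token` at run time; the same pattern (a `lookup`, or a variable from an ansible-vault encrypted file) is what the linter expects for the cloud keys, since anything that is a bare string in the playbook ends up in version control and in the play output.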
## Requirements

- pip packages listed in requirements.txt.
## State of used roles

The following roles are used to prepare a system. You can prepare your system in another way.

Requirement | GitHub | GitLab |
---|---|---|
robertdebock.bootstrap | | |
robertdebock.core_dependencies | | |
robertdebock.hashicorp | | |
robertdebock.vault | | |
robertdebock.vault_configuration | | |
## Context

This role is a part of many compatible roles. Have a look at the documentation of these roles for further information.

Here is an overview of related roles:
## Compatibility

This role has been tested on these container images:

Container | Tag |
---|---|
Amazon | Candidate |
Debian | all |
EL | 9 |
Fedora | 39 |
Ubuntu | all |

The minimum version of Ansible required is 2.12; tests have been done against:

- The previous version.
- The current version.
- The development version.

If you find issues, please register them in GitHub.
## License

## Author Information

Please consider sponsoring me.
## Installation

```shell
ansible-galaxy install robertdebock.vault_snapshot
```

License: apache-2.0

Downloads: 78

Owner
I know my way around (Linux) infrastructure, have a passion for automation, Docker, Ansible, Molecule and ci/cd.