297dfb1d50
This adds a new type of vault-password script (a 'client') that takes advantage of and enhances the multiple vault password support.

If a vault password script basename ends with the name '-client', consider it a vault password script client.

A vault password script 'client' just means that the script will take a '--vault-id' command line arg.

The previous vault password script (as invoked by --vault-password-file pointing to an executable) takes no args and returns the password on stdout. But it doesn't know anything about --vault-id or multiple vault passwords.

The new 'protocol' of the vault password script takes a cli arg ('--vault-id') so that it can look up that specific vault-id and return its password.

Since existing vault password scripts don't know the new 'protocol', a way to distinguish password scripts that do understand the protocol was needed. The convention now is to consider password scripts that are named like 'something-client.py' (and executable) to be vault password client scripts.

The new client scripts get invoked with the '--vault-id' they were requested for. An example:

    ansible-playbook --vault-id my_vault_id@contrib/vault/vault-keyring-client.py some_playbook.yml

That will cause the 'contrib/vault/vault-keyring-client.py' script to be invoked as:

    contrib/vault/vault-keyring-client.py --vault-id my_vault_id

The previous vault-keyring.py password script was extended to become vault-keyring-client.py. It uses the python 'keyring' module to request secrets from various backends. The plain 'vault-keyring.py' script would determine which key id and keyring name to use based on values that had to be set in ansible.cfg. So it was also limited to one keyring name.

The new vault-keyring-client.py will request the secret for the vault id provided via the '--vault-id' option. The script can be used without config and can be used for multiple keyring ids (and keyrings).

On success, a vault password client script will print the password to stdout and exit with a return code of 0. If the 'client' script can't find a secret for the --vault-id, the script will exit with a return code of 2 and print an error to stderr.
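The client-script protocol from the commit message above (a '--vault-id' argument, password on stdout with return code 0, return code 2 with an error on stderr when no secret is found), shown from both sides as an added example that is not Ansible's own code. The demo-client.py script, its SECRETS table and the helper names are constructed for illustration, and is_client_script assumes the file extension is ignored when matching '-client'.

```python
import os
import subprocess
import sys
import tempfile

# Constructed client script: a stand-in secret store keyed by vault id.
CLIENT_SOURCE = '''\
import argparse, sys
SECRETS = {"dev": "dev-pass", "prod": "prod-pass"}  # constructed sample data
parser = argparse.ArgumentParser()
parser.add_argument("--vault-id", required=True)
args = parser.parse_args()
if args.vault_id not in SECRETS:
    sys.stderr.write("no secret found for vault id %r\\n" % args.vault_id)
    sys.exit(2)  # protocol: 2 means "no secret for this vault id"
sys.stdout.write(SECRETS[args.vault_id] + "\\n")  # password on stdout, rc 0
'''

def is_client_script(path):
    """Convention from the commit message: executable, basename ends in '-client'."""
    base = os.path.splitext(os.path.basename(path))[0]  # assumption: drop '.py'
    return base.endswith("-client") and os.access(path, os.X_OK)

def get_vault_password(script, vault_id):
    """Run a password script; only client scripts are passed --vault-id."""
    client = is_client_script(script)
    cmd = [sys.executable, script] + (["--vault-id", vault_id] if client else [])
    proc = subprocess.run(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    if client and proc.returncode == 2:
        raise KeyError("vault id %r: %s" % (vault_id, proc.stderr.decode().strip()))
    if proc.returncode != 0:
        raise RuntimeError("password script failed with rc %d" % proc.returncode)
    return proc.stdout.rstrip(b"\r\n")  # secret stays bytes; trailing newline dropped

def write_demo_client(directory):
    """Write the constructed client to disk, readable and executable by owner only."""
    path = os.path.join(directory, "demo-client.py")
    with open(path, "w") as handle:
        handle.write(CLIENT_SOURCE)
    os.chmod(path, 0o700)
    return path

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        demo = write_demo_client(tmp)
        print(len(get_vault_password(demo, "dev")), "byte secret returned")
```

The caller reports only the length of the secret; the password itself is never written to a log or terminal.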
Ansible
Ansible is a radically simple IT automation system. It handles configuration-management, application deployment, cloud provisioning, ad-hoc task-execution, and multinode orchestration - including trivializing things like zero downtime rolling updates with load balancers.
Read the documentation and more at https://ansible.com/
You can find installation instructions here for a variety of platforms. Most users should probably install a released version of Ansible from pip, a package manager or our release repository. Officially supported builds of Ansible are also available. Some power users run directly from the development branch - while significant efforts are made to ensure that devel is reasonably stable, you're more likely to encounter breaking changes when running Ansible this way.
Design Principles
- Have a dead simple setup process and a minimal learning curve
- Manage machines very quickly and in parallel
- Avoid custom-agents and additional open ports, be agentless by leveraging the existing SSH daemon
- Describe infrastructure in a language that is both machine and human friendly
- Focus on security and easy auditability/review/rewriting of content
- Manage new remote machines instantly, without bootstrapping any software
- Allow module development in any dynamic language, not just Python
- Be usable as non-root
- Be the easiest IT automation system to use, ever.
Get Involved
- Read Community Information for all kinds of ways to contribute to and interact with the project, including mailing list information and how to submit bug reports and code to Ansible.
- All code submissions are done through pull requests. Take care to make sure no merge commits are in the submission, and use git rebase vs git merge for this reason. If submitting a large code change (other than modules), it's probably a good idea to join ansible-devel and talk about what you would like to do or add first and to avoid duplicate efforts. This not only helps everyone know what's going on, it also helps save time and effort if we decide some changes are needed.
- Users list: ansible-project
- Development list: ansible-devel
- Announcement list: ansible-announce - read only
- irc.freenode.net: #ansible
Branch Info
- Releases are named after Led Zeppelin songs. (Releases prior to 2.0 were named after Van Halen songs.)
- The devel branch corresponds to the release actively under development.
- Various release-X.Y branches exist for previous releases.
- We'd love to have your contributions, read Community Information for notes on how to get started.
Authors
Ansible was created by Michael DeHaan (michael.dehaan/gmail/com) and has contributions from over 1000 users (and growing). Thanks everyone!
Ansible is sponsored by Ansible, Inc
License
GNU General Public License v3.0
See COPYING to see the full text.