Rekey individually encrypted ansible vault variables?

Posted 2024-04-30 02:42:09


From reading the documentation:

You cannot rekey encrypted variables

For example, if this is the content of group_vars/all.yaml and I want to rekey all the encrypted variables:

key_tab: !vault |
  $ANSIBLE_VAULT;1.1;AES256
  30333939663734636530386263663437343431353539643366633534366239643763326138653232
  3562383132623937346138613833396563653038646165300a623061363063663132373739373031
  66623133393239376366383235353332366336386532643637343438653634633734346639636334
  3633363032376339340a663531346633623466643163353638303534313937663931633962383637
  3637
certs:
  - file: client.cert
    password: !vault |
      $ANSIBLE_VAULT;1.1;AES256
      35626163653930386265393064326330393433343763626534373330393432373231633365656534
      6237626631326634333963313733356531623239653161370a356666326631663565396633396139
      32303962343064343530383364616235343130373935313161353135613539653061363735336337
      3636633036313565640a663736613065396262336433653564373161393431636661666134643761
      3639

I have tried to do this with some bash commands, but the indentation makes it complicated.

Is there an automated way to do this rekeying?


Tags: you, yaml, documentation, group, key, ansible, vars, variables
1 answer
User
#1 · Posted 2024-04-30 02:42:09

Following Gaël's suggestion, I wrote a python tool that uses the ansible libs to do the rekey.

It preserves indentation and updates the files in place. It works for vault variables and for regular vault files.

Script

#!/usr/bin/env python3
"""Rekey every inline `!vault |` value (and whole vault files) in place, keeping
indentation, by handing each blob to ansible's own VaultEditor."""
import os
import re
import sys
import textwrap
from tempfile import NamedTemporaryFile

from ansible.constants import DEFAULT_VAULT_IDENTITY
from ansible.parsing.vault import VaultEditor, VaultLib, VaultSecret

# A vault block: the $ANSIBLE_VAULT header line plus hex body lines at the same
# indentation. [ \t]* (not \s*) keeps a blank line, and whatever follows it, out
# of the match; the backreference keeps the match inside one YAML block scalar.
VAULT_REGEX = re.compile(
    r'^(?P<indent>[ \t]*)\$ANSIBLE_VAULT;[^\n]*\n(?:(?P=indent)[0-9a-fA-F]+\n)*',
    re.MULTILINE)


def rekey(content, old_secret, new_secret):
    editor = VaultEditor(VaultLib([(DEFAULT_VAULT_IDENTITY, old_secret)]))
    # The dict keeps each distinct blob once; str.replace below updates all copies of it.
    vaults = {m.group(0): m.group('indent') for m in VAULT_REGEX.finditer(content)}
    for old_vault, indentation in vaults.items():
        # rekey_file works on a path, so round-trip the dedented blob through a temp file.
        with NamedTemporaryFile(mode='w', delete=False) as f:
            f.write(textwrap.dedent(old_vault))
        path = f.name
        try:
            editor.rekey_file(path, new_secret)
            with open(path) as f:
                new_vault = textwrap.indent(f.read(), indentation)
        finally:
            os.unlink(path)  # do not leave vault material lying around in the temp dir
        content = content.replace(old_vault, new_vault)
    return content


def main(old_password, new_password, files):
    old_secret = VaultSecret(old_password.encode())
    new_secret = VaultSecret(new_password.encode())
    for file_name in files:
        with open(file_name) as f:
            content = f.read()
        with open(file_name, 'w') as f:
            f.write(rekey(content, old_secret, new_secret))


if __name__ == '__main__':
    # Passwords passed as arguments are visible to other local users via `ps`.
    main(sys.argv[1], sys.argv[2], sys.argv[3:])

Usage

./rekey.py my-old-pass my-new-pass $(find . -type f -name "*.yaml") another-file.vault

Explanation

For each input file:

  1. Read the input file and extract the sequences that match the vault regex
  2. Save each extracted vault to a temporary file
  3. Rekey the temporary file
  4. Substitute the content of the rekeyed file back into the input file
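
The envelope layer the script above hands to ansible, as an added example that is not part of the original answer: it locates inline `!vault |` blocks with an indentation-anchored regex, unwraps the Ansible Vault AES256 envelope with the standard library only, derives the HMAC key the way ansible's VaultAES256 does (PBKDF2-HMAC-SHA256, 10000 rounds, 80 bytes split into AES key, HMAC key and IV) and checks which password a blob was written with, so every blob a rekey rewrote can be verified (fresh salt, only the new password verifies) without decrypting anything. All function names are mine; `PAGE_BLOB` is the `key_tab` value from the question; `make_blob`, `stand_in_rekey` and `demo` are constructed for the example, and the stand-in re-wraps dummy ciphertext under a new salt and password instead of re-encrypting, since real AES-CTR would need the third-party cryptography package.

```python
"""Added example (not code from the original answer): find inline `!vault |` blocks,
unwrap the Ansible Vault envelope with the standard library only, and check which
password a blob was written with, so an inline rekey can be verified offline."""
import hashlib
import hmac
import os
import re
import textwrap
from binascii import hexlify, unhexlify

# One block: the $ANSIBLE_VAULT header plus hex body lines at the same indentation.
# [ \t]* (not \s*) keeps blank lines out of the match; the last line may lack '\n'.
VAULT_BLOCK = re.compile(
    r'^(?P<indent>[ \t]*)(?P<header>\$ANSIBLE_VAULT;[^\n]*)\n'
    r'(?P<body>(?:(?P=indent)[0-9a-fA-F]+(?:\n|$))+)', re.MULTILINE)

# The key_tab value from the question, used as a real-world parse sample.
PAGE_BLOB = (
    '$ANSIBLE_VAULT;1.1;AES256\n'
    '30333939663734636530386263663437343431353539643366633534366239643763326138653232\n'
    '3562383132623937346138613833396563653038646165300a623061363063663132373739373031\n'
    '66623133393239376366383235353332366336386532643637343438653634633734346639636334\n'
    '3633363032376339340a663531346633623466643163353638303534313937663931633962383637\n'
    '3637\n')

def _blocks(content):
    # Yield (match, indent, dedented blob ending in '\n') for each inline block.
    for m in VAULT_BLOCK.finditer(content):
        indent = m.group('indent')
        body = [line[len(indent):] for line in m.group('body').splitlines()]
        yield m, indent, '\n'.join([m.group('header')] + body) + '\n'

def find_inline_vaults(content):
    return [(indent, blob) for _, indent, blob in _blocks(content)]

def rewrite_inline_vaults(content, rekey_fn):
    """Replace each blob with rekey_fn(blob) at its original indentation. Positional
    substitution means two identical blobs are each rekeyed once, not twice."""
    out, pos = [], 0
    for m, indent, blob in _blocks(content):
        new = '\n'.join(indent + line for line in rekey_fn(blob).strip().splitlines())
        out += [content[pos:m.start()], new + ('\n' if m.group('body').endswith('\n') else '')]
        pos = m.end()
    return ''.join(out) + content[pos:]

def parse_vaulttext(blob):
    """Unwrap an AES256 blob: body is hex(hex(salt) \\n hex(hmac) \\n hex(ct)), 80 cols/line."""
    header, _, hexbody = blob.strip().partition('\n')
    fields = header.split(';')
    if fields[:1] != ['$ANSIBLE_VAULT'] or fields[2:3] != ['AES256']:
        raise ValueError('not an AES256 Ansible Vault blob: %r' % header)
    salt_hex, hmac_hex, ct_hex = unhexlify(''.join(hexbody.split())).split(b'\n', 2)
    return {'version': fields[1], 'vault_id': fields[3] if len(fields) > 3 else None,
            'salt': unhexlify(salt_hex), 'hmac': unhexlify(hmac_hex), 'ciphertext': unhexlify(ct_hex)}

def format_vaulttext(salt, mac, ciphertext, vault_id=None):
    """Inverse of parse_vaulttext; a vault id switches the header to version 1.2."""
    header = '$ANSIBLE_VAULT;1.2;AES256;' + vault_id if vault_id else '$ANSIBLE_VAULT;1.1;AES256'
    outer = hexlify(b'\n'.join([hexlify(salt), hexlify(mac), hexlify(ciphertext)])).decode()
    return '\n'.join([header] + [outer[i:i + 80] for i in range(0, len(outer), 80)]) + '\n'

def derive_keys(password, salt):
    """Ansible's KDF: PBKDF2-HMAC-SHA256, 10000 rounds, 80 bytes = AES key | HMAC key | IV."""
    dk = hashlib.pbkdf2_hmac('sha256', password, salt, 10000, dklen=80)
    return dk[:32], dk[32:64], dk[64:]

def password_matches(blob, password):
    """True if password wrote blob: HMAC-SHA256(key2, ciphertext) is checkable without any AES."""
    v = parse_vaulttext(blob)
    _, hmac_key, _ = derive_keys(password, v['salt'])
    return hmac.compare_digest(hmac.new(hmac_key, v['ciphertext'], hashlib.sha256).digest(), v['hmac'])

def check_rekey(old_blob, new_blob, old_password, new_password):
    """Post-rekey check: fresh salt, same ciphertext length, only the new password verifies."""
    old, new = parse_vaulttext(old_blob), parse_vaulttext(new_blob)
    return (old['salt'] != new['salt'] and len(old['ciphertext']) == len(new['ciphertext'])
            and password_matches(new_blob, new_password) and not password_matches(new_blob, old_password))

def make_blob(password, ciphertext, vault_id=None):
    """Constructed blob with a known password. Salt, KDF and HMAC are done as ansible does;
    the ciphertext is caller-supplied dummy bytes (real AES-CTR needs the cryptography package)."""
    salt = os.urandom(32)
    _, hmac_key, _ = derive_keys(password, salt)
    return format_vaulttext(salt, hmac.new(hmac_key, ciphertext, hashlib.sha256).digest(), ciphertext, vault_id)

def stand_in_rekey(blob, old_password, new_password):
    """Stand-in for VaultEditor.rekey_file: verify the old password, then re-wrap the
    same bytes under a fresh salt and the new password (a real rekey also re-encrypts)."""
    if not password_matches(blob, old_password):
        raise ValueError('old password does not verify against this blob')
    v = parse_vaulttext(blob)
    return make_blob(new_password, v['ciphertext'], v['vault_id'])

def demo(old=b'my-old-pass', new=b'my-new-pass'):
    """Constructed group_vars-style input at two depths; returns (all checks passed, new YAML)."""
    yaml_in = ('key_tab: !vault |\n' + textwrap.indent(make_blob(old, b'A' * 16), '  ')
               + 'certs:\n  - file: client.cert\n    password: !vault |\n'
               + textwrap.indent(make_blob(old, b'B' * 32, 'dev'), '      ') + '\n')
    yaml_out = rewrite_inline_vaults(yaml_in, lambda b: stand_in_rekey(b, old, new))
    pairs = list(zip(find_inline_vaults(yaml_in), find_inline_vaults(yaml_out)))
    ok = len(pairs) == 2 and all(oi == ni and check_rekey(ob, nb, old, new) for (oi, ob), (ni, nb) in pairs)
    return ok and yaml_out.count('!vault |') == 2, yaml_out
```

Because `password_matches` only recomputes PBKDF2 and the HMAC, it makes a cheap guard around the rekey script: call it with the old password on every blob before rewriting a file, and `check_rekey` with both passwords afterwards, and refuse to write the file if any blob fails, so a partial rekey (one blob under a different password, say) cannot silently leave a file half-migrated. The `[ \t]*` indentation group and the `(?P=indent)` backreference are the part worth copying into the script above: with `\s*`, a blank line after a blob followed by a bare word on the next line would be swallowed into the blob and break decryption. Also note that the passwords in the usage line above are visible in `ps` to every local user; reading them from files (as ansible's `--vault-password-file` does) avoids that.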
