store secrets & definitions in a tempfile dir, fix postgres label

2026-03-31 15:53:11 +00:00 · 2021-04-08 15:18:03 -04:00
parent 2cbf60fa17
commit 82efe05343
9 changed files with 34 additions and 39 deletions
--- a/roles/backup/tasks/awx-cro.yml
+++ b/roles/backup/tasks/awx-cro.yml
@@ -23,12 +23,12 @@
 - name: Template AWX object definition
  template:
    src: awx_object.yml.j2
-    dest: "_secrets/awx_object.yml"
+    dest: "{{ secrets_dir.path }}/awx_object.yml"
    mode: '0600'

 - name: Set AWX object template file as var
  set_fact:
-    awx_object_template: "{{ lookup('file', '_secrets/awx_object.yml') }}"
+    awx_object_template: "{{ lookup('file', '{{ secrets_dir.path }}/awx_object.yml') }}"

 - name: Write awx object to pvc
  k8s_exec:
--- a/roles/backup/tasks/cleanup.yml
+++ b/roles/backup/tasks/cleanup.yml
@@ -1,11 +1,5 @@
 ---

-# After copying secret files to the PVC, delete the local tmp copies
- name: Clean up _secrets directory
-  file:
-    path: "_secrets"
-    state: absent
-
 - name: Delete any existing management pod
  k8s:
    name: "{{ meta.name }}-db-management"
--- a/roles/backup/tasks/postgres.yml
+++ b/roles/backup/tasks/postgres.yml
@@ -32,7 +32,7 @@
    kind: Pod
    namespace: '{{ meta.namespace }}'
    label_selectors:
-      - "app={{ tower_name }}-{{ deployment_type }}-postgres"
+      - "app.kubernetes.io/name={{ tower_name }}-postgres"
  register: postgres_pod
  until: "postgres_pod['resources'][0]['status']['phase'] == 'Running'"
  delay: 5
--- a/roles/backup/tasks/secrets.yml
+++ b/roles/backup/tasks/secrets.yml
@@ -1,10 +1,10 @@
 ---

- name: Make _secrets directory
-  file:
-    path: "_secrets"
+- name: Make temp secrets directory
+  tempfile:
+    prefix: "secrets-"
    state: directory
-    mode: '0700'
+  register: secrets_dir

 - name: Get secret_key
  k8s_info:
@@ -20,12 +20,12 @@
 - name: Template secret_key definition
  template:
    src: secret_key_secret.yml.j2
-    dest: "_secrets/secret_key_secret.yml"
+    dest: "{{ secrets_dir.path }}/secret_key_secret.yml"
    mode: '0700'

 - name: Set secret key template
  set_fact:
-    secret_key_template: "{{ lookup('file', '_secrets/secret_key_secret.yml') }}"
+    secret_key_template: "{{ lookup('file', '{{ secrets_dir.path }}/secret_key_secret.yml') }}"

 - name: Write secret_key to pvc
  k8s_exec:
@@ -48,12 +48,12 @@
 - name: Template admin_password definition
  template:
    src: admin_password_secret.yml.j2
-    dest: "_secrets/admin_password_secret.yml"
+    dest: "{{ secrets_dir.path }}/admin_password_secret.yml"
    mode: '0700'

 - name: Set admin_password template
  set_fact:
-    admin_password_template: "{{ lookup('file', '_secrets/admin_password_secret.yml') }}"
+    admin_password_template: "{{ lookup('file', '{{ secrets_dir.path }}/admin_password_secret.yml') }}"

 - name: Write secret_key to pvc
  k8s_exec:
@@ -76,12 +76,12 @@
 - name: Template broadcast_websocket definition
  template:
    src: broadcast_websocket_secret.yml.j2
-    dest: "_secrets/broadcast_websocket_secret.yml"
+    dest: "{{ secrets_dir.path }}/broadcast_websocket_secret.yml"
    mode: '0700'

 - name: Set broadcast_websocket template
  set_fact:
-    broadcast_websocket_template: "{{ lookup('file', '_secrets/broadcast_websocket_secret.yml') }}"
+    broadcast_websocket_template: "{{ lookup('file', '{{ secrets_dir.path }}/broadcast_websocket_secret.yml') }}"

 - name: Write broadcast_websocket definition to pvc
  k8s_exec:
@@ -109,12 +109,12 @@
 - name: Template postgres configuration definition
  template:
    src: postgres_secret.yml.j2
-    dest: "_secrets/postgres_secret.yml"
+    dest: "{{ secrets_dir.path }}/postgres_secret.yml"
    mode: '0700'

 - name: Set postgres configuration
  set_fact:
-    postgres_secret_template: "{{ lookup('file', '_secrets/postgres_secret.yml') }}"
+    postgres_secret_template: "{{ lookup('file', '{{ secrets_dir.path }}/postgres_secret.yml') }}"

 - name: Write postgres configuration to pvc
  k8s_exec:
--- a/roles/restore/tasks/apply_secret.yml
+++ b/roles/restore/tasks/apply_secret.yml
@@ -10,7 +10,7 @@

 - name: Write temp secret definition template file
  copy:
-    dest: "_definitions/{{ item }}.yml.j2"
+    dest: "{{ definitions_dir.path }}/{{ item }}.yml.j2"
    content: |
      {{ awx_object.stdout }}
    mode: '0600'
@@ -21,4 +21,4 @@
    namespace: "{{ namespace | default('default') }}"
    apply: yes
    wait: yes
-    template: "_definitions/{{ item }}.yml.j2"
+    template: "{{ definitions_dir.path }}/{{ item }}.yml.j2"
--- a/roles/restore/tasks/cleanup.yml
+++ b/roles/restore/tasks/cleanup.yml
@@ -1,10 +1,5 @@
 ---

- name: Clean up _secrets directory
-  file:
-    path: "_definitions"
-    state: absent
-
 - name: Delete any existing management pod
  k8s:
    name: "{{ meta.name }}-db-management"
--- a/roles/restore/tasks/init.yml
+++ b/roles/restore/tasks/init.yml
@@ -75,8 +75,8 @@
    - tower_backup_dir != ''
    - stat_backup_dir.return_code != 0

- name: Make _definitions directory
-  file:
-    path: "_definitions"
+- name: Make temp definitions directory
+  tempfile:
+    prefix: "definitions-"
    state: directory
-    mode: '0700'
+  register: definitions_dir
--- a/roles/restore/tasks/init_awx.yml
+++ b/roles/restore/tasks/init_awx.yml
@@ -10,7 +10,7 @@

 - name: Write temp AWX definition template file
  copy:
-    dest: "_definitions/awx_object.yml.j2"
+    dest: "{{ definitions_dir.path }}/awx_object.yml.j2"
    content: |
      {{ awx_object.stdout }}
    mode: '0600'
@@ -18,10 +18,10 @@
 - name: Deploy AWX
  k8s:
    state: "{{ state | default('present') }}"
-    namespace: "{{ namespace | default('default') }}"
+    namespace: "{{ meta.namespace | default('default') }}"
    apply: yes
    wait: yes
-    template: "_definitions/awx_object.yml.j2"
+    template: "{{ definitions_dir.path }}/awx_object.yml.j2"


 # TODO: The awx object and secrets need to be applied from the awx-operator, because that is where the service account is?
--- a/roles/restore/tasks/postgres.yml
+++ b/roles/restore/tasks/postgres.yml
@@ -32,7 +32,7 @@
    kind: Pod
    namespace: '{{ meta.namespace }}'
    label_selectors:
-      - "app={{ tower_name }}-{{ deployment_type }}-postgres"
+      - "app.kubernetes.io/name={{ tower_name }}-postgres"
  register: postgres_pod
  until: "postgres_pod['resources'][0]['status']['phase'] == 'Running'"
  delay: 5
@@ -59,17 +59,23 @@
    replicas: 0
  when: this_deployment['resources'] | length

+- name: Get the postgres pod information
+  set_fact:
+    resolvable_db_host: "{{ awx_postgres_host }}.{{ meta.namespace }}.svc.cluster.local"
+
 - name: Set pg_restore command
  set_fact:
    psql_restore: >-
      psql -U {{ awx_postgres_user }}
-      -d template1
+      -h {{ resolvable_db_host }}
+      -U {{ awx_postgres_user }}
+      -d {{ awx_postgres_database }}
      -p {{ awx_postgres_port }}

 - name: Restore database dump to the new postgresql container
  k8s_exec:
-    namespace: "{{ meta.namespace }}"
-    pod: "{{ postgres_pod_name }}"
+    namespace: "{{ tower_backup_pvc_namespace }}"
+    pod: "{{ meta.name }}-db-management"
    command: |
      bash -c """
      set -e -o pipefail