Merge pull request #89 from Spredzy/secret_key

Secret Key: Allow one to specify a secret key else generate it

roles/installer/defaults/main.yml

@@ -23,6 +23,10 @@ tower_admin_password: changeme
 
 tower_broadcast_websocket_secret: changeme
 
+# Secret to lookup that provide the secret key
+#
+tower_secret_key_secret: ''
+
 # Add extra volumes to the AWX pod. Specify as literal block. E.g.:
 # tower_extra_volumes: |
 #   - name: my-volume

roles/installer/tasks/main.yml

@@ -1,17 +1,6 @@
 ---
-- name: Check for existing secret key
-  k8s_info:
-    kind: Secret
-    namespace: '{{ meta.namespace }}'
-    name: '{{ meta.name }}-secret-key'
-  register: secret_key_resources
-
-- name: Deploy Tower Secret Key if needed
-  k8s:
-    apply: yes
-    definition: "{{ lookup('template', 'tower_secret.yaml.j2') }}"
-  register: k8s_tower_secret_result
-  when: secret_key_resources['resources'] | length < 1
+- name: Include secret key configuration tasks
+  include_tasks: secret_key_configuration.yml
 
 - name: Include database configuration tasks
   include_tasks: database_configuration.yml

roles/installer/tasks/secret_key_configuration.yml

@@ -0,0 +1,42 @@
+---
+- name: Check for specified secret key configuration
+  k8s_info:
+    kind: Secret
+    namespace: '{{ meta.namespace }}'
+    name: '{{ tower_secret_key_secret }}'
+  register: _custom_secret_key
+  when: tower_secret_key_secret | length
+
+- name: Check for default secret key configuration
+  k8s_info:
+    kind: Secret
+    namespace: '{{ meta.namespace }}'
+    name: '{{ meta.name }}-secret-key'
+  register: _default_secret_key
+
+- name: Set secret key secret
+  set_fact:
+    _secret_key_secret: '{{ _custom_secret_key["resources"] | default([]) | length | ternary(_custom_secret_key, _default_secret_key) }}'
+
+- block:
+    - name: Create secret key secret
+      k8s:
+        apply: true
+        definition: "{{ lookup('template', 'tower_secret.yaml.j2') }}"
+
+    - name: Read secret key secret
+      k8s_info:
+        kind: Secret
+        namespace: '{{ meta.namespace }}'
+        name: '{{ meta.name }}-secret-key'
+      register: _generated_secret_key
+
+  when: not _secret_key_secret['resources'] | default([]) | length
+
+- name: Set secret key secret
+  set_fact:
+    secret_key_secret: '{{ _generated_secret_key["resources"] | default([]) | length | ternary(_generated_secret_key, _secret_key_secret)  }}'
+
+- name: Store secret key secret name
+  set_fact:
+    secret_key_secret_name: "{{ secret_key_secret['resources'][0]['metadata']['name'] }}"

roles/installer/templates/tower.yaml.j2

@@ -54,7 +54,7 @@ spec:
             - name: "{{ meta.name }}-application-credentials"
               mountPath: "/etc/tower/conf.d/"
               readOnly: true
-            - name: {{ meta.name }}-secret-key
+            - name: "{{ secret_key_secret_name }}"
               mountPath: /etc/tower/SECRET_KEY
               subPath: SECRET_KEY
               readOnly: true
@@ -112,7 +112,7 @@ spec:
             - name: "{{ meta.name }}-application-credentials"
               mountPath: "/etc/tower/conf.d/"
               readOnly: true
-            - name: {{ meta.name }}-secret-key
+            - name: "{{ secret_key_secret_name }}"
               mountPath: /etc/tower/SECRET_KEY
               subPath: SECRET_KEY
               readOnly: true
@@ -168,9 +168,9 @@ spec:
                 path: 'credentials.py'
               - key: environment_sh
                 path: 'environment.sh'
-        - name: {{ meta.name }}-secret-key
+        - name: "{{ secret_key_secret_name }}"
           secret:
-            secretName: '{{ meta.name }}-secret-key'
+            secretName: '{{ secret_key_secret_name }}'
             items:
               - key: secret_key
                 path: SECRET_KEY