backup secrets to YAML files

ansible/templates/role.yml.j2

@@ -79,5 +79,6 @@ rules:
       - awx.ansible.com
     resources:
       - '*'
+      - backups
     verbs:
       - '*'

roles/backup/defaults/main.yml

@@ -1,8 +1,3 @@
 ---
 deployment_type: "awx"
 tower_postgres_image: postgres:12
-
-# Secret Names
-tower_secret_key_secret: "{{ meta.name }}-secret-key"
-tower_admin_password_secret: "{{ meta.name }}-admin-password"
-# tower_postgres_configuration_secret: "{{ meta.name }}-postgres-configuration"

roles/backup/tasks/cleanup.yml

@@ -1,5 +1,12 @@
 ---
 
+# After copying secret files to the PVC, delete the local tmp copies
+- name: Clean up _secrets directory
+  ansible.builtin.file:
+    path: "{{ playbook_dir }}/_secrets"
+    state: absent
+
+
 - name: Delete any existing management pod
   community.kubernetes.k8s:
     name: "{{ meta.name }}-db-management"

roles/backup/tasks/main.yml

@@ -1,14 +1,15 @@
 ---
 
-# - include_tasks: init.yml
+- include_tasks: init.yml
+
+- include_tasks: postgres.yml
 
 - include_tasks: secrets.yml
 
-# - include_tasks: postgres.yml
+# TODO: Add task to change the status on the backup CR when this runs successfully
+- name: Set flag signifying this backup was successful
+  set_fact:
+    tower_backup_complete: "{{ _backup_dir }}"
 
-#
-## - include_tasks: conf.yml
-#
-## - include_tasks: download.yml
 
 - include_tasks: cleanup.yml

roles/backup/tasks/secrets.yml

@@ -8,7 +8,7 @@
 
 - name: Make _secrets directory
   file:
-    path: "{{ playbook_dir }}/_secrets"
+    path: "_secrets"
     state: directory
 
 - name: Get secret_key
@@ -24,10 +24,19 @@
 
 - name: Template secret_key definition
   template:
-    src: secret_key.yml.j2
-    dest: "{{ playbook_dir }}/_secrets/secrets.yml"
+    src: secret_key_secret.yml.j2
+    dest: "_secrets/secret_key_secret.yml"
     mode: '0600'
-    # dest: pvc # potentially just do a copy task, loop through definition files
+
+- set_fact:
+    secret_key_template: "{{ lookup('file', '_secrets/secret_key_secret.yml')}}"
+
+- name: Write secret_key to pvc
+  community.kubernetes.k8s_exec:
+    namespace: "{{ meta.namespace }}"
+    pod: "{{ meta.name }}-db-management"
+    command: >-
+      bash -c "echo '{{ secret_key_template }}' > {{ _backup_dir }}/secret_key_secret.yml"
 
 - name: Get admin_password
   k8s_info:
@@ -43,17 +52,75 @@
 
 - name: Template admin_password definition
   template:
-    src: admin_password.yml.j2
-    dest: "{{ playbook_dir }}/_secrets/admin_password.yml"
+    src: admin_password_secret.yml.j2
+    dest: "_secrets/admin_password_secret.yml"
     mode: '0600'
 
+- set_fact:
+    admin_password_template: "{{ lookup('file', '_secrets/admin_password_secret.yml')}}"
 
-# TODO: Secrets to back up: tower-secret-key, tower1-admin-password, tower1-app-credentials, tower1-broadcast-websocket, tower1-dockercfg-q8qd2, tower1-postgres-configuration
-# Do we need the service-account-token? probably? `tower1-token-hn2hm`, tower1-token-slllw
+- name: Write secret_key to pvc
+  community.kubernetes.k8s_exec:
+    namespace: "{{ meta.namespace }}"
+    pod: "{{ meta.name }}-db-management"
+    command: >-
+      bash -c "echo '{{ admin_password_template }}' > {{ _backup_dir }}/admin_password_secret.yml"
 
+- name: Get broadcast_websocket
+  k8s_info:
+    kind: Secret
+    namespace: '{{ meta.namespace }}'
+    name: '{{ tower_broadcast_websocket_secret }}'
+  register: _broadcast_websocket
 
-# After copying secret files to the PVC, delete the local tmp copies
-- name: Clean up _secrets directory
-  ansible.builtin.file:
-    path: "{{ playbook_dir }}/_secrets"
-    state: absent
+- name: Set broadcast_websocket key
+  set_fact:
+    secret_key: "{{ _broadcast_websocket['resources'][0]['data']['secret'] | b64decode }}"
+
+- name: Template broadcast_websocket definition
+  template:
+    src: broadcast_websocket_secret.yml.j2
+    dest: "_secrets/broadcast_websocket_secret.yml"
+    mode: '0600'
+
+- set_fact:
+    broadcast_websocket_template: "{{ lookup('file', '_secrets/broadcast_websocket_secret.yml')}}"
+
+- name: Write secret_key to pvc
+  community.kubernetes.k8s_exec:
+    namespace: "{{ meta.namespace }}"
+    pod: "{{ meta.name }}-db-management"
+    command: >-
+      bash -c "echo '{{ broadcast_websocket_template }}' > {{ _backup_dir }}/broadcast_websocket_secret.yml"
+
+- name: Get postgres configuration
+  k8s_info:
+    kind: Secret
+    namespace: '{{ meta.namespace }}'
+    name: '{{ tower_postgres_configuration_secret }}'
+  register: _postgres_configuration
+
+- name: Set postgres configuration
+  set_fact:
+    database_password: "{{ _postgres_configuration['resources'][0]['data']['password'] | b64decode }}"
+    database_username: "{{ _postgres_configuration['resources'][0]['data']['username'] | b64decode }}"
+    database_name: "{{ _postgres_configuration['resources'][0]['data']['database'] | b64decode }}"
+    database_port: "{{ _postgres_configuration['resources'][0]['data']['port'] | b64decode }}"
+    database_host: "{{ _postgres_configuration['resources'][0]['data']['host'] | b64decode }}"
+    database_type: "{{ _postgres_configuration['resources'][0]['data']['type'] | b64decode }}"
+
+- name: Template postgres configuration definition
+  template:
+    src: postgres_secret.yml.j2
+    dest: "_secrets/postgres_secret.yml"
+    mode: '0600'
+
+- set_fact:
+    postgres_secret_template: "{{ lookup('file', '_secrets/postgres_secret.yml')}}"
+
+- name: Write secret_key to pvc
+  community.kubernetes.k8s_exec:
+    namespace: "{{ meta.namespace }}"
+    pod: "{{ meta.name }}-db-management"
+    command: >-
+      bash -c "echo '{{ postgres_secret_template }}' > {{ _backup_dir }}/postgres_secret.yml"

roles/backup/templates/broadcast_websocket_secret.yml.j2

@@ -0,0 +1,10 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+{% raw %}
+  name: '{{ meta.name }}-broadcast-websocket'
+  namespace: '{{ meta.namespace }}'
+{% endraw %}
+stringData:
+  secret: '{{ lookup('password', '/dev/null length=32 chars=ascii_letters,digits') }}'

roles/backup/templates/postgres_secret.yml.j2

@@ -0,0 +1,16 @@
+# Postgres Secret.
+---
+apiVersion: v1
+kind: Secret
+metadata:
+{% raw %}
+  name: '{{ meta.name }}-postgres-configuration'
+  namespace: '{{ meta.namespace }}'
+{% endraw %}
+stringData:
+  password: '{{ database_password }}'
+  username: '{{ database_username }}'
+  database: '{{ database_name }}'
+  port: '{{ database_port }}'
+  host: '{{ database_host }}'
+  type: '{{ database_type }}'

roles/backup/vars/main.yml

@@ -9,5 +9,8 @@ tower_backup_size: ''
 # Specify storage class to determine how to dynamically create PVC's with
 tower_backup_storage_class: ''
 
-# Secret to lookup that provide the PostgreSQL configuration
-tower_postgres_configuration_secret: ''
+# Secret Names
+tower_secret_key_secret: "{{ meta.name }}-secret-key"
+tower_admin_password_secret: "{{ meta.name }}-admin-password"
+tower_broadcast_websocket_secret: "{{ meta.name }}-broadcast-websocket"
+tower_postgres_configuration_secret: "{{ meta.name }}-postgres-configuration"

roles/installer/tasks/update_status.yml

@@ -73,3 +73,13 @@
     status:
       towerMigratedFromSecret: "{{ tower_migrated_from_secret }}"
   when: tower_migrated_from_secret is defined
+
+- name: Update Tower Backup status
+  operator_sdk.util.k8s_status:
+    api_version: '{{ api_version }}'
+    kind: "{{ kind }}"
+    name: "{{ meta.name }}"
+    namespace: "{{ meta.namespace }}"
+    status:
+      towerBackupComplete: "{{ _backup_dir }}"
+  when: tower_backup_complete is defined