From 91dda5cb16e2e0327b4a17b60abee21d365c75d8 Mon Sep 17 00:00:00 2001 From: "Christian M. Adams" Date: Fri, 26 Mar 2021 13:42:33 -0400 Subject: [PATCH] backup secrets to YAML files --- ansible/templates/role.yml.j2 | 1 + roles/backup/defaults/main.yml | 5 - roles/backup/tasks/cleanup.yml | 7 ++ roles/backup/tasks/main.yml | 13 +-- roles/backup/tasks/secrets.yml | 93 ++++++++++++++++--- ...rd.yml.j2 => admin_password_secret.yml.j2} | 0 .../broadcast_websocket_secret.yml.j2 | 10 ++ roles/backup/templates/postgres_secret.yml.j2 | 16 ++++ ...et_key.yml.j2 => secret_key_secret.yml.j2} | 0 roles/backup/vars/main.yml | 7 +- roles/installer/tasks/update_status.yml | 10 ++ 11 files changed, 136 insertions(+), 26 deletions(-) rename roles/backup/templates/{admin_password.yml.j2 => admin_password_secret.yml.j2} (100%) create mode 100644 roles/backup/templates/broadcast_websocket_secret.yml.j2 create mode 100644 roles/backup/templates/postgres_secret.yml.j2 rename roles/backup/templates/{secret_key.yml.j2 => secret_key_secret.yml.j2} (100%) diff --git a/ansible/templates/role.yml.j2 b/ansible/templates/role.yml.j2 index 1b1263b3..ce13ebc3 100644 --- a/ansible/templates/role.yml.j2 +++ b/ansible/templates/role.yml.j2 @@ -79,5 +79,6 @@ rules: - awx.ansible.com resources: - '*' + - backups verbs: - '*' diff --git a/roles/backup/defaults/main.yml b/roles/backup/defaults/main.yml index 046fd48a..dbb48bf8 100644 --- a/roles/backup/defaults/main.yml +++ b/roles/backup/defaults/main.yml @@ -1,8 +1,3 @@ --- deployment_type: "awx" tower_postgres_image: postgres:12 - -# Secret Names -tower_secret_key_secret: "{{ meta.name }}-secret-key" -tower_admin_password_secret: "{{ meta.name }}-admin-password" -# tower_postgres_configuration_secret: "{{ meta.name }}-postgres-configuration" diff --git a/roles/backup/tasks/cleanup.yml b/roles/backup/tasks/cleanup.yml index 9976a8c9..e20e8718 100644 --- a/roles/backup/tasks/cleanup.yml +++ b/roles/backup/tasks/cleanup.yml 
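Review bot: The added `- backups` entry in ansible/templates/role.yml.j2 is redundant: the same `resources:` list already holds `'*'`, so the rule grants nothing new and the extra line only hides that the grant is still a wildcard. If the intent is least privilege for the awx.ansible.com group, replace `- '*'` with the enumerated CRD plurals this operator manages (`backups` among them); otherwise drop the added line. Either way the `verbs: - '*'` that follows keeps full write access on whatever is listed, so narrowing `resources` is where the gain is.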
@@ -1,5 +1,12 @@ --- +# After copying secret files to the PVC, delete the local tmp copies +- name: Clean up _secrets directory + ansible.builtin.file: + path: "{{ playbook_dir }}/_secrets" + state: absent + + - name: Delete any existing management pod community.kubernetes.k8s: name: "{{ meta.name }}-db-management" diff --git a/roles/backup/tasks/main.yml b/roles/backup/tasks/main.yml index 52852290..2dcfb230 100644 --- a/roles/backup/tasks/main.yml +++ b/roles/backup/tasks/main.yml @@ -1,14 +1,15 @@ --- -# - include_tasks: init.yml +- include_tasks: init.yml + +- include_tasks: postgres.yml - include_tasks: secrets.yml -# - include_tasks: postgres.yml +# TODO: Add task to change the status on the backup CR when this runs successfully +- name: Set flag signifying this backup was successful + set_fact: + tower_backup_complete: "{{ _backup_dir }}" -# -## - include_tasks: conf.yml -# -## - include_tasks: download.yml - include_tasks: cleanup.yml diff --git a/roles/backup/tasks/secrets.yml b/roles/backup/tasks/secrets.yml index 98506dbc..ee30e690 100644 --- a/roles/backup/tasks/secrets.yml +++ b/roles/backup/tasks/secrets.yml @@ -8,7 +8,7 @@ - name: Make _secrets directory file: - path: "{{ playbook_dir }}/_secrets" + path: "_secrets" state: directory - name: Get secret_key @@ -24,10 +24,19 @@ - name: Template secret_key definition template: - src: secret_key.yml.j2 - dest: "{{ playbook_dir }}/_secrets/secrets.yml" + src: secret_key_secret.yml.j2 + dest: "_secrets/secret_key_secret.yml" mode: '0600' - # dest: pvc # potentially just do a copy task, loop through definition files + +- set_fact: + secret_key_template: "{{ lookup('file', '_secrets/secret_key_secret.yml')}}" + +- name: Write secret_key to pvc + community.kubernetes.k8s_exec: + namespace: "{{ meta.namespace }}" + pod: "{{ meta.name }}-db-management" + command: >- + bash -c "echo '{{ secret_key_template }}' > {{ _backup_dir }}/secret_key_secret.yml" - name: Get admin_password k8s_info: 
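Review bot: The cleanup path no longer matches where the files are written: this hunk removes `{{ playbook_dir }}/_secrets`, while the secrets.yml hunks in this commit create the directory and its files with the relative paths `_secrets` and `_secrets/<name>_secret.yml`, which resolve against the process working directory. Whenever that differs from `playbook_dir`, the decoded secret_key, admin password and database credentials stay on the controller filesystem after the backup. Define the location once (for example a role var such as `_secrets_dir: "{{ playbook_dir }}/_secrets"`, name constructed for this note) and use it in both cleanup.yml and secrets.yml. Since main.yml only reaches cleanup.yml after every earlier include succeeds, a failure in secrets.yml also leaves the files behind; running the secrets tasks in a `block:` whose `always:` removes the directory closes that gap.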
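Review bot: The `# TODO: Add task to change the status on the backup CR` comment added above the `set_fact` is already stale in this commit: the status task is added to roles/installer/tasks/update_status.yml, keyed on `tower_backup_complete`, so the comment should either go or say where the flag is consumed, e.g. `# Read by roles/installer/tasks/update_status.yml to set status.towerBackupComplete`. From what is visible, nothing in the backup role includes update_status.yml, so unless the backup play also runs the installer's status tasks the fact set here is never read; worth confirming. Storing a path in a variable named `tower_backup_complete` also reads oddly when only its definedness is tested; if the path is not needed downstream, `tower_backup_complete: true` makes the guard self-explanatory.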
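Review bot: Writing the rendered secret through `bash -c "echo '{{ secret_key_template }}' > ..."` places the decoded secret on a shell command line, where it is visible in the pod's process table while the exec runs and in any verbose Ansible output, and the content is not shell-safe. The new templates in this commit wrap the `{% raw %}` names in single quotes (`name: '{{ meta.name }}-...'`), so if secret_key_secret.yml.j2 does the same those quotes terminate the outer quoting and are stripped from the file written to the PVC, and a key value containing `'` breaks the command outright. The file also lands on the PVC with the pod's default umask, while the local copy gets `mode: '0600'`. Copying the already-rendered file into the pod avoids all three problems (`community.kubernetes.k8s_cp`, if the collection version in use provides it), followed by a separate exec to tighten permissions; the three echo tasks in the next secrets.yml hunk have the same issue. The `Get admin_password` task at the end of this hunk continues outside it.
```yaml
- name: Write secret_key to pvc
  community.kubernetes.k8s_cp:
    namespace: "{{ meta.namespace }}"
    pod: "{{ meta.name }}-db-management"
    local_path: "_secrets/secret_key_secret.yml"
    remote_path: "{{ _backup_dir }}/secret_key_secret.yml"
# … unchanged: Get admin_password task …
```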
@@ -43,17 +52,75 @@ - name: Template admin_password definition template: - src: admin_password.yml.j2 - dest: "{{ playbook_dir }}/_secrets/admin_password.yml" + src: admin_password_secret.yml.j2 + dest: "_secrets/admin_password_secret.yml" mode: '0600' +- set_fact: + admin_password_template: "{{ lookup('file', '_secrets/admin_password_secret.yml')}}" -# TODO: Secrets to back up: tower-secret-key, tower1-admin-password, tower1-app-credentials, tower1-broadcast-websocket, tower1-dockercfg-q8qd2, tower1-postgres-configuration -# Do we need the service-account-token? probably? `tower1-token-hn2hm`, tower1-token-slllw +- name: Write secret_key to pvc + community.kubernetes.k8s_exec: + namespace: "{{ meta.namespace }}" + pod: "{{ meta.name }}-db-management" + command: >- + bash -c "echo '{{ admin_password_template }}' > {{ _backup_dir }}/admin_password_secret.yml" +- name: Get broadcast_websocket + k8s_info: + kind: Secret + namespace: '{{ meta.namespace }}' + name: '{{ tower_broadcast_websocket_secret }}' + register: _broadcast_websocket -# After copying secret files to the PVC, delete the local tmp copies -- name: Clean up _secrets directory - ansible.builtin.file: - path: "{{ playbook_dir }}/_secrets" - state: absent +- name: Set broadcast_websocket key + set_fact: + secret_key: "{{ _broadcast_websocket['resources'][0]['data']['secret'] | b64decode }}" + +- name: Template broadcast_websocket definition + template: + src: broadcast_websocket_secret.yml.j2 + dest: "_secrets/broadcast_websocket_secret.yml" + mode: '0600' + +- set_fact: + broadcast_websocket_template: "{{ lookup('file', '_secrets/broadcast_websocket_secret.yml')}}" + +- name: Write secret_key to pvc + community.kubernetes.k8s_exec: + namespace: "{{ meta.namespace }}" + pod: "{{ meta.name }}-db-management" + command: >- + bash -c "echo '{{ broadcast_websocket_template }}' > {{ _backup_dir }}/broadcast_websocket_secret.yml" + +- name: Get postgres configuration + k8s_info: + kind: Secret + namespace: '{{ 
meta.namespace }}' + name: '{{ tower_postgres_configuration_secret }}' + register: _postgres_configuration + +- name: Set postgres configuration + set_fact: + database_password: "{{ _postgres_configuration['resources'][0]['data']['password'] | b64decode }}" + database_username: "{{ _postgres_configuration['resources'][0]['data']['username'] | b64decode }}" + database_name: "{{ _postgres_configuration['resources'][0]['data']['database'] | b64decode }}" + database_port: "{{ _postgres_configuration['resources'][0]['data']['port'] | b64decode }}" + database_host: "{{ _postgres_configuration['resources'][0]['data']['host'] | b64decode }}" + database_type: "{{ _postgres_configuration['resources'][0]['data']['type'] | b64decode }}" + +- name: Template postgres configuration definition + template: + src: postgres_secret.yml.j2 + dest: "_secrets/postgres_secret.yml" + mode: '0600' + +- set_fact: + postgres_secret_template: "{{ lookup('file', '_secrets/postgres_secret.yml')}}" + +- name: Write secret_key to pvc + community.kubernetes.k8s_exec: + namespace: "{{ meta.namespace }}" + pod: "{{ meta.name }}-db-management" + command: >- + bash -c "echo '{{ postgres_secret_template }}' > {{ _backup_dir }}/postgres_secret.yml" diff --git a/roles/backup/templates/admin_password.yml.j2 b/roles/backup/templates/admin_password_secret.yml.j2 similarity index 100% rename from roles/backup/templates/admin_password.yml.j2 rename to roles/backup/templates/admin_password_secret.yml.j2 diff --git a/roles/backup/templates/broadcast_websocket_secret.yml.j2 b/roles/backup/templates/broadcast_websocket_secret.yml.j2 new file mode 100644 index 00000000..c8d4cc2f --- /dev/null +++ b/roles/backup/templates/broadcast_websocket_secret.yml.j2 
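Review bot: The `Set broadcast_websocket key` task stores the websocket secret in `secret_key`, presumably the same fact the secret_key section earlier in this file renders its template from, so from this point on `secret_key` silently names a different secret; a distinct fact such as `broadcast_websocket_value` (constructed name) avoids that and makes the template side unambiguous. All four `community.kubernetes.k8s_exec` tasks, including the three added here, are named `Write secret_key to pvc`; naming each after the secret it writes (`Write admin_password to pvc`, `Write broadcast_websocket to pvc`, `Write postgres configuration to pvc`) makes play output and failures traceable. The `_postgres_configuration['resources'][0]['data'][...]` indexing fails with an index error when the named Secret does not exist; an `ansible.builtin.fail` task guarded by `when: _postgres_configuration.resources | length == 0` with a message naming `tower_postgres_configuration_secret` makes a missing secret obvious. The echo-based writes here carry the same quoting and process-visibility concern raised on the earlier secrets.yml hunk.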
@@ -0,0 +1,10 @@ +--- +apiVersion: v1 +kind: Secret +metadata: +{% raw %} + name: '{{ meta.name }}-broadcast-websocket' + namespace: '{{ meta.namespace }}' +{% endraw %} +stringData: + secret: '{{ lookup('password', '/dev/null length=32 chars=ascii_letters,digits') }}' diff --git a/roles/backup/templates/postgres_secret.yml.j2 b/roles/backup/templates/postgres_secret.yml.j2 new file mode 100644 index 00000000..b1ad1f6b --- /dev/null +++ b/roles/backup/templates/postgres_secret.yml.j2 @@ -0,0 +1,16 @@ +# Postgres Secret. +--- +apiVersion: v1 +kind: Secret +metadata: +{% raw %} + name: '{{ meta.name }}-postgres-configuration' + namespace: '{{ meta.namespace }}' +{% endraw %} +stringData: + password: '{{ database_password }}' + username: '{{ database_username }}' + database: '{{ database_name }}' + port: '{{ database_port }}' + host: '{{ database_host }}' + type: '{{ database_type }}' diff --git a/roles/backup/templates/secret_key.yml.j2 b/roles/backup/templates/secret_key_secret.yml.j2 similarity index 100% rename from roles/backup/templates/secret_key.yml.j2 rename to roles/backup/templates/secret_key_secret.yml.j2 diff --git a/roles/backup/vars/main.yml b/roles/backup/vars/main.yml index 7ee44aa6..0c33617d 100644 --- a/roles/backup/vars/main.yml +++ b/roles/backup/vars/main.yml @@ -9,5 +9,8 @@ tower_backup_size: '' # Specify storage class to determine how to dynamically create PVC's with tower_backup_storage_class: '' -# Secret to lookup that provide the PostgreSQL configuration -tower_postgres_configuration_secret: '' +# Secret Names +tower_secret_key_secret: "{{ meta.name }}-secret-key" +tower_admin_password_secret: "{{ meta.name }}-admin-password" +tower_broadcast_websocket_secret: "{{ meta.name }}-broadcast-websocket" +tower_postgres_configuration_secret: "{{ meta.name }}-postgres-configuration" diff --git a/roles/installer/tasks/update_status.yml b/roles/installer/tasks/update_status.yml index ec4b3d54..93068f1c 100644 
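Review bot: The new broadcast_websocket_secret.yml.j2 never writes the value fetched from the cluster: `secret: '{{ lookup('password', '/dev/null length=32 chars=ascii_letters,digits') }}'` generates a fresh random string at render time, so the file stored on the PVC carries a new websocket secret rather than the one being backed up, and a restore from it would silently rotate the secret. The `Set broadcast_websocket key` task in secrets.yml decodes the real value into `secret_key`, which nothing in this template reads. Use the decoded value, `secret: {{ secret_key | to_json }}`, which also produces a correctly escaped scalar if the value contains a quote.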
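Review bot: In postgres_secret.yml.j2 every `stringData` value is emitted as a YAML single-quoted scalar, `password: '{{ database_password }}'`, so a database password containing `'` renders an unparseable Secret and the backup cannot be applied on restore. Emitting each value with `to_json` (`password: {{ database_password | to_json }}`, and likewise for username, database, port, host and type) yields a properly escaped double-quoted scalar that YAML accepts. The leading `# Postgres Secret.` line before `---` is harmless, but the other new template puts nothing before the document marker; keep the two consistent.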
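Review bot: Moving `tower_secret_key_secret` and `tower_admin_password_secret` from defaults/main.yml into vars/main.yml raises them from role defaults to role vars, so inventory- or play-level values can no longer override them; only extra vars and include parameters can. If users should be able to back up an instance whose secrets use non-default names, these belong in defaults/main.yml together with the new `tower_broadcast_websocket_secret` and `tower_postgres_configuration_secret` entries. The removed `# Secret to lookup that provide the PostgreSQL configuration` comment was the only explanation of what these names are; a replacement such as `# Names of the Secrets read from the AWX namespace and written to the backup PVC` keeps that documented.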
--- a/roles/installer/tasks/update_status.yml +++ b/roles/installer/tasks/update_status.yml @@ -73,3 +73,13 @@ status: towerMigratedFromSecret: "{{ tower_migrated_from_secret }}" when: tower_migrated_from_secret is defined + +- name: Update Tower Backup status + operator_sdk.util.k8s_status: + api_version: '{{ api_version }}' + kind: "{{ kind }}" + name: "{{ meta.name }}" + namespace: "{{ meta.namespace }}" + status: + towerBackupComplete: "{{ _backup_dir }}" + when: tower_backup_complete is defined
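Review bot: The new status value is read from `_backup_dir` while the guard tests `tower_backup_complete`, even though main.yml in this commit sets `tower_backup_complete` to exactly `{{ _backup_dir }}`; using `towerBackupComplete: "{{ tower_backup_complete }}"` ties the value to the same variable as the condition, so the task cannot fail on an undefined `_backup_dir` if the flag is ever set elsewhere. This task lives in the installer role, so it only updates the backup CR if the installer's status tasks run during the backup reconcile; that is not visible here and worth confirming. A comment above the task, `# tower_backup_complete is set by roles/backup/tasks/main.yml after the backup tasks finish`, would record the cross-role dependency.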