Move tower_broadcast_websocket_secret to a Secret

deploy/crds/awx_v1beta1_cr.yaml

@@ -9,7 +9,6 @@ spec:
   tower_task_privileged: false
 
   tower_hostname: example-awx.test
-  tower_broadcast_websocket_secret: changeme
 
   tower_admin_user: test
   tower_admin_email: test@example.com

deploy/crds/awx_v1beta1_molecule.yaml

@@ -9,8 +9,6 @@ spec:
   tower_ingress_type: ingress
   tower_task_privileged: false
 
-  tower_broadcast_websocket_secret: changeme
-
   tower_admin_email: test@example.com
 
   tower_image: quay.io/ansible/awx:execution-environments

deploy/olm-catalog/awx-operator/manifests/awx-operator.clusterserviceversion.yaml

@@ -103,6 +103,11 @@ spec:
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:advanced
         - urn:alm:descriptor:io.kubernetes:Secret
+      - displayName: Broadcast Websocket Secret
+        path: tower_broadcast_websocket_secret
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:io.kubernetes:Secret
       - displayName: Ingress Type
         path: tower_ingress_type
         x-descriptors:

roles/finalizer/defaults/main.yml

@@ -15,3 +15,7 @@ tower_secret_key_secret: ''
 # Secret to lookup that provide the PostgreSQL configuration
 #
 tower_postgres_configuration_secret: ''
+
+# Secret to lookup that provide the broadcast websocket key
+#
+tower_broadcast_websocket_secret: ''

roles/finalizer/tasks/main.yml

@@ -5,6 +5,8 @@
         _admin_password: '{{ tower_admin_password_secret | length | ternary(tower_admin_password_secret, meta.name + "-admin-password") }}'
         _secret_key: '{{ tower_secret_key_secret | length | ternary(tower_secret_key_secret, meta.name + "-secret-key") }}'
         # yamllint disable-line rule:line-length
+        _broadcast_websocket_secret: '{{ tower_broadcast_websocket_secret | length | ternary(tower_broadcast_websocket_secret, meta.name + "-broadcast-websocket") }}'  # noqa 204
+        # yamllint disable-line rule:line-length
         _postgres_configuration: '{{ tower_postgres_configuration_secret | length | ternary(tower_postgres_configuration_secret, meta.name + "-postgres-configuration") }}'  # noqa 204
 
     - name: Remove ownerReferences reference
@@ -20,5 +22,6 @@
         - '{{ _admin_password }}'
         - '{{ _secret_key }}'
         - '{{ _postgres_configuration }}'
+        - '{{ _broadcast_websocket_secret }}'
 
   when: not tower_garbage_collect_secrets | bool

roles/installer/defaults/main.yml

@@ -39,7 +39,9 @@ tower_admin_email: test@example.com
 #
 tower_admin_password_secret: ''
 
-tower_broadcast_websocket_secret: changeme
+# Secret to lookup that provide the broadcast websocket key
+#
+tower_broadcast_websocket_secret: ''
 
 # Secret to lookup that provide the secret key
 #

roles/installer/tasks/broadcast_websocket_configuration.yml

@@ -0,0 +1,44 @@
+---
+- name: Check for specified broadcast websocket secret configuration
+  k8s_info:
+    kind: Secret
+    namespace: '{{ meta.namespace }}'
+    name: '{{ tower_broadcast_websocket_secret }}'
+  register: _custom_broadcast_websocket
+  when: tower_broadcast_websocket_secret | length
+
+- name: Check for default broadcast websocket secret configuration
+  k8s_info:
+    kind: Secret
+    namespace: '{{ meta.namespace }}'
+    name: '{{ meta.name }}-broadcast-websocket'
+  register: _default_broadcast_websocket
+
+- name: Set broadcast websocket secret
+  set_fact:
+    # yamllint disable-line rule:line-length
+    _broadcast_websocket_secret: '{{ _custom_broadcast_websocket["resources"] | default([]) | length | ternary(_custom_broadcast_websocket, _default_broadcast_websocket) }}'  # noqa 204
+
+- block:
+    - name: Create broadcast websocket secret
+      k8s:
+        apply: true
+        definition: "{{ lookup('template', 'tower_broadcast_websocket_secret.yaml.j2') }}"
+
+    - name: Read broadcast websocket secret
+      k8s_info:
+        kind: Secret
+        namespace: '{{ meta.namespace }}'
+        name: '{{ meta.name }}-broadcast-websocket'
+      register: _generated_broadcast_websocket
+
+  when: not _broadcast_websocket_secret['resources'] | default([]) | length
+
+- name: Set broadcast websocket secret
+  set_fact:
+    # yamllint disable-line rule:line-length
+    broadcast_websocket_secret: '{{ _generated_broadcast_websocket["resources"] | default([]) | length | ternary(_generated_broadcast_websocket, _broadcast_websocket_secret)  }}'  # noqa 204
+
+- name: Store broadcast websocket secret name
+  set_fact:
+    broadcast_websocket_secret_value: "{{ broadcast_websocket_secret['resources'][0]['data']['secret'] | b64decode }}"

roles/installer/tasks/main.yml

@@ -5,6 +5,9 @@
 - name: Include admin password configuration tasks
   include_tasks: admin_password_configuration.yml
 
+- name: Include broadcast websocket configuration tasks
+  include_tasks: broadcast_websocket_configuration.yml
+
 - name: Include database configuration tasks
   include_tasks: database_configuration.yml
 

roles/installer/templates/credentials.py.j2

@@ -13,4 +13,4 @@ DATABASES = {
     }
 }
 
-BROADCAST_WEBSOCKET_SECRET = "{{ tower_broadcast_websocket_secret | b64encode }}"
+BROADCAST_WEBSOCKET_SECRET = "{{ broadcast_websocket_secret_value }}"

roles/installer/templates/tower_broadcast_websocket_secret.yaml.j2

@@ -0,0 +1,8 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: '{{ meta.name }}-broadcast-websocket'
+  namespace: '{{ meta.namespace }}'
+stringData:
+  secret: '{{ lookup('password', 'ts' + meta.name + 'pg length=32 chars=ascii_letters,digits') }}'