From 9683dc23a49eb43c5c17b5edf1bcc5909510e702 Mon Sep 17 00:00:00 2001
From: Yanis Guenane
Date: Thu, 4 Mar 2021 10:22:46 +0100
Subject: [PATCH] Move tower_broadcast_websocket_secret to a Secret
---
 deploy/crds/awx_v1beta1_cr.yaml | 1 -
 deploy/crds/awx_v1beta1_molecule.yaml | 2 -
 .../awx-operator.clusterserviceversion.yaml | 5 +++
 roles/finalizer/defaults/main.yml | 4 ++
 roles/finalizer/tasks/main.yml | 3 ++
 roles/installer/defaults/main.yml | 4 +-
 .../broadcast_websocket_configuration.yml | 44 +++++++++++++++++++
 roles/installer/tasks/main.yml | 3 ++
 roles/installer/templates/credentials.py.j2 | 2 +-
 .../tower_broadcast_websocket_secret.yaml.j2 | 8 ++++
 10 files changed, 71 insertions(+), 5 deletions(-)
 create mode 100644 roles/installer/tasks/broadcast_websocket_configuration.yml
 create mode 100644 roles/installer/templates/tower_broadcast_websocket_secret.yaml.j2
diff --git a/deploy/crds/awx_v1beta1_cr.yaml b/deploy/crds/awx_v1beta1_cr.yaml
index e2102cbf..bc1ae23c 100644
--- a/deploy/crds/awx_v1beta1_cr.yaml
+++ b/deploy/crds/awx_v1beta1_cr.yaml
@@ -9,7 +9,6 @@ spec:
 tower_task_privileged: false
 tower_hostname: example-awx.test
- tower_broadcast_websocket_secret: changeme
 tower_admin_user: test
 tower_admin_email: test@example.com
diff --git a/deploy/crds/awx_v1beta1_molecule.yaml b/deploy/crds/awx_v1beta1_molecule.yaml
index 8719e7c0..7ba58551 100644
--- a/deploy/crds/awx_v1beta1_molecule.yaml
+++ b/deploy/crds/awx_v1beta1_molecule.yaml
@@ -9,8 +9,6 @@ spec:
 tower_ingress_type: ingress
 tower_task_privileged: false
- tower_broadcast_websocket_secret: changeme
- tower_admin_email: test@example.com tower_image: quay.io/ansible/awx:execution-environments
diff --git a/deploy/olm-catalog/awx-operator/manifests/awx-operator.clusterserviceversion.yaml b/deploy/olm-catalog/awx-operator/manifests/awx-operator.clusterserviceversion.yaml
index 3f005782..f4ff94d9 100644
--- a/deploy/olm-catalog/awx-operator/manifests/awx-operator.clusterserviceversion.yaml
+++ b/deploy/olm-catalog/awx-operator/manifests/awx-operator.clusterserviceversion.yaml
@@ -103,6 +103,11 @@ spec:
 x-descriptors:
 - urn:alm:descriptor:com.tectonic.ui:advanced
 - urn:alm:descriptor:io.kubernetes:Secret
+ - displayName: Broadcast Websocket Secret
+ path: tower_broadcast_websocket_secret
+ x-descriptors:
+ - urn:alm:descriptor:com.tectonic.ui:advanced
+ - urn:alm:descriptor:io.kubernetes:Secret
 - displayName: Ingress Type
 path: tower_ingress_type
 x-descriptors:
diff --git a/roles/finalizer/defaults/main.yml b/roles/finalizer/defaults/main.yml
index d729ba0d..6bf1bc52 100644
--- a/roles/finalizer/defaults/main.yml
+++ b/roles/finalizer/defaults/main.yml
@@ -15,3 +15,7 @@ tower_secret_key_secret: ''
 # Secret to lookup that provide the PostgreSQL configuration
 #
 tower_postgres_configuration_secret: ''
+
+# Secret to lookup that provide the broadcast websocket key
+#
+tower_broadcast_websocket_secret: ''
diff --git a/roles/finalizer/tasks/main.yml b/roles/finalizer/tasks/main.yml
index a01f713e..9f6fdc86 100644
--- a/roles/finalizer/tasks/main.yml
+++ b/roles/finalizer/tasks/main.yml
@@ -5,6 +5,8 @@
 _admin_password: '{{ tower_admin_password_secret | length | ternary(tower_admin_password_secret, meta.name + "-admin-password") }}'
 _secret_key: '{{ tower_secret_key_secret | length | ternary(tower_secret_key_secret, meta.name + "-secret-key") }}'
 # yamllint disable-line rule:line-length
+ _broadcast_websocket_secret: '{{ tower_broadcast_websocket_secret | length | ternary(tower_broadcast_websocket_secret, meta.name + "-broadcast-websocket") }}' # noqa 204
+ # yamllint disable-line rule:line-length
 _postgres_configuration: '{{ tower_postgres_configuration_secret | length | ternary(tower_postgres_configuration_secret, meta.name + "-postgres-configuration") }}' # noqa 204
 - name: Remove ownerReferences reference
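Review bot: The new comment in roles/finalizer/defaults/main.yml says what the variable is but not what an empty value means, and the same comment is repeated in roles/installer/defaults/main.yml, where the empty string now replaces the old `changeme` default. The finalizer hunk below resolves an empty value to `meta.name + "-broadcast-websocket"` and the installer's new broadcast_websocket_configuration.yml creates a Secret of that name, so a reader needs that rule to understand what the default does. I would extend both comments, e.g. `# Secret to lookup that provides the broadcast websocket key.` followed by `# Leave empty to use (and, in the installer, generate) '<meta.name>-broadcast-websocket'.`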
@@ -20,5 +22,6 @@
 - '{{ _admin_password }}'
 - '{{ _secret_key }}'
 - '{{ _postgres_configuration }}'
+ - '{{ _broadcast_websocket_secret }}'
 when: not tower_garbage_collect_secrets | bool
diff --git a/roles/installer/defaults/main.yml b/roles/installer/defaults/main.yml
index accf98b2..f92a19e2 100644
--- a/roles/installer/defaults/main.yml
+++ b/roles/installer/defaults/main.yml
@@ -39,7 +39,9 @@ tower_admin_email: test@example.com
 #
 tower_admin_password_secret: ''
-tower_broadcast_websocket_secret: changeme
+# Secret to lookup that provide the broadcast websocket key
+#
+tower_broadcast_websocket_secret: ''
 # Secret to lookup that provide the secret key
 #
diff --git a/roles/installer/tasks/broadcast_websocket_configuration.yml b/roles/installer/tasks/broadcast_websocket_configuration.yml
new file mode 100644
index 00000000..e4b387ce
--- /dev/null
+++ b/roles/installer/tasks/broadcast_websocket_configuration.yml
@@ -0,0 +1,44 @@
+---
+- name: Check for specified broadcast websocket secret configuration
+ k8s_info:
+ kind: Secret
+ namespace: '{{ meta.namespace }}'
+ name: '{{ tower_broadcast_websocket_secret }}'
+ register: _custom_broadcast_websocket
+ when: tower_broadcast_websocket_secret | length
+
+- name: Check for default broadcast websocket secret configuration
+ k8s_info:
+ kind: Secret
+ namespace: '{{ meta.namespace }}'
+ name: '{{ meta.name }}-broadcast-websocket'
+ register: _default_broadcast_websocket
+
+- name: Set broadcast websocket secret
+ set_fact:
+ # yamllint disable-line rule:line-length
+ _broadcast_websocket_secret: '{{ _custom_broadcast_websocket["resources"] | default([]) | length | ternary(_custom_broadcast_websocket, _default_broadcast_websocket) }}' # noqa 204
+
+- block:
+ - name: Create broadcast websocket secret
+ k8s:
+ apply: true
+ definition: "{{ lookup('template', 'tower_broadcast_websocket_secret.yaml.j2') }}"
+
+ - name: Read broadcast websocket secret
+ k8s_info:
+ kind: Secret
+ namespace: '{{ meta.namespace }}'
+ name: '{{ meta.name }}-broadcast-websocket'
+ register: _generated_broadcast_websocket
+
+ when: not _broadcast_websocket_secret['resources'] | default([]) | length
+
+- name: Set broadcast websocket secret
+ set_fact:
+ # yamllint disable-line rule:line-length
+ broadcast_websocket_secret: '{{ _generated_broadcast_websocket["resources"] | default([]) | length | ternary(_generated_broadcast_websocket, _broadcast_websocket_secret) }}' # noqa 204
+
+- name: Store broadcast websocket secret name
+ set_fact:
+ broadcast_websocket_secret_value: "{{ broadcast_websocket_secret['resources'][0]['data']['secret'] | b64decode }}"
diff --git a/roles/installer/tasks/main.yml b/roles/installer/tasks/main.yml
index 5848d4c1..22e68471 100644
--- a/roles/installer/tasks/main.yml
+++ b/roles/installer/tasks/main.yml
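Review bot: A `tower_broadcast_websocket_secret` that names a Secret which does not exist in `meta.namespace` is silently ignored: the first k8s_info registers an empty `resources` list, the `Set broadcast websocket secret` fact then falls through to the default lookup, and the `block` generates `{{ meta.name }}-broadcast-websocket` instead, so AWX runs with a secret other than the one the operator was told to use and the only symptom is a mismatch with whatever else was given that Secret. A fail task between the custom and the default lookup turns the typo into an error; the same kind of guard is worth considering for a user-supplied Secret that lacks the `secret` key, since the last task indexes `['data']['secret']` and would fail with an unhelpful key error. Separately, `Store broadcast websocket secret name` stores the decoded value, not the name; `Store broadcast websocket secret value` describes what the task does.
```yaml
- name: Check for specified broadcast websocket secret configuration
  # … unchanged: k8s_info lookup registered as _custom_broadcast_websocket …

- name: Fail when the specified broadcast websocket secret does not exist
  fail:
    msg: "Secret '{{ tower_broadcast_websocket_secret }}' not found in namespace '{{ meta.namespace }}'"
  when:
    - tower_broadcast_websocket_secret | length
    - not _custom_broadcast_websocket['resources'] | default([]) | length
# … unchanged: default lookup, set_fact, create block, value extraction …
```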
@@ -5,6 +5,9 @@
 - name: Include admin password configuration tasks
 include_tasks: admin_password_configuration.yml
+- name: Include broadcast websocket configuration tasks
+ include_tasks: broadcast_websocket_configuration.yml
+
 - name: Include database configuration tasks
 include_tasks: database_configuration.yml
diff --git a/roles/installer/templates/credentials.py.j2 b/roles/installer/templates/credentials.py.j2
index 3df41d4f..986ebe65 100644
--- a/roles/installer/templates/credentials.py.j2
+++ b/roles/installer/templates/credentials.py.j2
@@ -13,4 +13,4 @@ DATABASES = {
 }
 }
-BROADCAST_WEBSOCKET_SECRET = "{{ tower_broadcast_websocket_secret | b64encode }}"
+BROADCAST_WEBSOCKET_SECRET = "{{ broadcast_websocket_secret_value }}"
diff --git a/roles/installer/templates/tower_broadcast_websocket_secret.yaml.j2 b/roles/installer/templates/tower_broadcast_websocket_secret.yaml.j2
new file mode 100644
index 00000000..e9ed6ff3
--- /dev/null
+++ b/roles/installer/templates/tower_broadcast_websocket_secret.yaml.j2
@@ -0,0 +1,8 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: '{{ meta.name }}-broadcast-websocket'
+ namespace: '{{ meta.namespace }}'
+stringData:
+ secret: '{{ lookup('password', 'ts' + meta.name + 'pg length=32 chars=ascii_letters,digits') }}'
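Review bot: The rendered Python literal is no longer guaranteed to be well-formed: the removed line interpolated a base64 string, whose alphabet cannot contain `"` or `\`, whereas `broadcast_websocket_secret_value` is the decoded Secret contents, so a user-supplied Secret whose `secret` value contains a double quote or a backslash yields an unparsable credentials.py. The operator-generated value is limited to `ascii_letters,digits` by the new template, so only the custom-secret path is exposed. The smallest fix keeps the previous form of the setting, `BROADCAST_WEBSOCKET_SECRET = "{{ broadcast_websocket_secret_value | b64encode }}"`; if the decoded value is what AWX must see, render it as `BROADCAST_WEBSOCKET_SECRET = {{ broadcast_websocket_secret_value | to_json }}`, which produces a quoted literal with escapes Python also accepts. I cannot tell from this diff which form AWX expects, so check the consumer before choosing.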
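Review bot: The first argument of `lookup('password', ...)` is the file in which Ansible persists and later re-reads the generated value, and `'ts' + meta.name + 'pg'` reads like the path used for the PostgreSQL password rather than one for this secret. If the postgres template in this role uses the same path (not visible here), the broadcast websocket secret will be the already generated database password instead of an independent 32-character value, which defeats the purpose of a separate secret. A purpose-specific path, e.g. `'ts' + meta.name + 'bws'` (any distinct suffix will do), keeps the two lookups independent.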