Move tower_broadcast_websocket_secret to a Secret

2026-05-08 22:33:35 +00:00 · 2021-03-04 10:22:46 +01:00
parent e4fd5aeb32
commit 9683dc23a4
10 changed files with 71 additions and 5 deletions
--- a/roles/finalizer/defaults/main.yml
+++ b/roles/finalizer/defaults/main.yml
@@ -15,3 +15,7 @@ tower_secret_key_secret: ''
 # Secret to lookup that provide the PostgreSQL configuration
 #
 tower_postgres_configuration_secret: ''
+
+# Secret to lookup that provide the broadcast websocket key
+#
+tower_broadcast_websocket_secret: ''
--- a/roles/finalizer/tasks/main.yml
+++ b/roles/finalizer/tasks/main.yml
@@ -5,6 +5,8 @@
        _admin_password: '{{ tower_admin_password_secret | length | ternary(tower_admin_password_secret, meta.name + "-admin-password") }}'
        _secret_key: '{{ tower_secret_key_secret | length | ternary(tower_secret_key_secret, meta.name + "-secret-key") }}'
        # yamllint disable-line rule:line-length
+        _broadcast_websocket_secret: '{{ tower_broadcast_websocket_secret | length | ternary(tower_broadcast_websocket_secret, meta.name + "-broadcast-websocket") }}'  # noqa 204
+        # yamllint disable-line rule:line-length
        _postgres_configuration: '{{ tower_postgres_configuration_secret | length | ternary(tower_postgres_configuration_secret, meta.name + "-postgres-configuration") }}'  # noqa 204

    - name: Remove ownerReferences reference
@@ -20,5 +22,6 @@
        - '{{ _admin_password }}'
        - '{{ _secret_key }}'
        - '{{ _postgres_configuration }}'
+        - '{{ _broadcast_websocket_secret }}'

  when: not tower_garbage_collect_secrets | bool
--- a/roles/installer/defaults/main.yml
+++ b/roles/installer/defaults/main.yml
@@ -39,7 +39,9 @@ tower_admin_email: test@example.com
 #
 tower_admin_password_secret: ''

-tower_broadcast_websocket_secret: changeme
+# Secret to lookup that provide the broadcast websocket key
+#
+tower_broadcast_websocket_secret: ''

 # Secret to lookup that provide the secret key
 #
--- a/roles/installer/tasks/broadcast_websocket_configuration.yml
+++ b/roles/installer/tasks/broadcast_websocket_configuration.yml
@@ -0,0 +1,44 @@
+---
+- name: Check for specified broadcast websocket secret configuration
+  k8s_info:
+    kind: Secret
+    namespace: '{{ meta.namespace }}'
+    name: '{{ tower_broadcast_websocket_secret }}'
+  register: _custom_broadcast_websocket
+  when: tower_broadcast_websocket_secret | length
+
+- name: Check for default broadcast websocket secret configuration
+  k8s_info:
+    kind: Secret
+    namespace: '{{ meta.namespace }}'
+    name: '{{ meta.name }}-broadcast-websocket'
+  register: _default_broadcast_websocket
+
+- name: Set broadcast websocket secret
+  set_fact:
+    # yamllint disable-line rule:line-length
+    _broadcast_websocket_secret: '{{ _custom_broadcast_websocket["resources"] | default([]) | length | ternary(_custom_broadcast_websocket, _default_broadcast_websocket) }}'  # noqa 204
+
+- block:
+    - name: Create broadcast websocket secret
+      k8s:
+        apply: true
+        definition: "{{ lookup('template', 'tower_broadcast_websocket_secret.yaml.j2') }}"
+
+    - name: Read broadcast websocket secret
+      k8s_info:
+        kind: Secret
+        namespace: '{{ meta.namespace }}'
+        name: '{{ meta.name }}-broadcast-websocket'
+      register: _generated_broadcast_websocket
+
+  when: not _broadcast_websocket_secret['resources'] | default([]) | length
+
+- name: Set broadcast websocket secret
+  set_fact:
+    # yamllint disable-line rule:line-length
+    broadcast_websocket_secret: '{{ _generated_broadcast_websocket["resources"] | default([]) | length | ternary(_generated_broadcast_websocket, _broadcast_websocket_secret)  }}'  # noqa 204
+
+- name: Store broadcast websocket secret name
+  set_fact:
+    broadcast_websocket_secret_value: "{{ broadcast_websocket_secret['resources'][0]['data']['secret'] | b64decode }}"
--- a/roles/installer/tasks/main.yml
+++ b/roles/installer/tasks/main.yml
@@ -5,6 +5,9 @@
 - name: Include admin password configuration tasks
  include_tasks: admin_password_configuration.yml

+- name: Include broadcast websocket configuration tasks
+  include_tasks: broadcast_websocket_configuration.yml
+
 - name: Include database configuration tasks
  include_tasks: database_configuration.yml

--- a/roles/installer/templates/credentials.py.j2
+++ b/roles/installer/templates/credentials.py.j2
@@ -13,4 +13,4 @@ DATABASES = {
    }
 }

-BROADCAST_WEBSOCKET_SECRET = "{{ tower_broadcast_websocket_secret | b64encode }}"
+BROADCAST_WEBSOCKET_SECRET = "{{ broadcast_websocket_secret_value }}"
--- a/roles/installer/templates/tower_broadcast_websocket_secret.yaml.j2
+++ b/roles/installer/templates/tower_broadcast_websocket_secret.yaml.j2
@@ -0,0 +1,8 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: '{{ meta.name }}-broadcast-websocket'
+  namespace: '{{ meta.namespace }}'
+stringData:
+  secret: '{{ lookup('password', 'ts' + meta.name + 'pg length=32 chars=ascii_letters,digits') }}'