diff --git a/roles/backup/tasks/dump_generated_secret.yml b/roles/backup/tasks/dump_generated_secret.yml index cc25ae23..6d262af1 100644 --- a/roles/backup/tasks/dump_generated_secret.yml +++ b/roles/backup/tasks/dump_generated_secret.yml @@ -25,12 +25,15 @@ namespace: '{{ meta.namespace }}' name: "{{ _name }}" register: _secret + no_log: true - name: Set secret data set_fact: _data: "{{ _secret['resources'][0]['data'] }}" _type: "{{ _secret['resources'][0]['type'] }}" + no_log: true - name: Create and Add secret names and data to dictionary set_fact: secret_dict: "{{ secret_dict | default({}) | combine({ item: {'name': _name, 'data': _data, 'type': _type }}) }}" + no_log: true diff --git a/roles/backup/tasks/dump_secret.yml b/roles/backup/tasks/dump_secret.yml index 6b62ffac..76f845d1 100644 --- a/roles/backup/tasks/dump_secret.yml +++ b/roles/backup/tasks/dump_secret.yml @@ -4,7 +4,7 @@ set_fact: _name: "{{ awx_spec.spec[item] | default('') }}" -- name: Skip if secret name not defined +- name: Backup secret if defined block: - name: Get secret k8s_info: @@ -13,13 +13,16 @@ namespace: '{{ meta.namespace }}' name: "{{ _name }}" register: _secret + no_log: true - name: Set secret key set_fact: _data: "{{ _secret['resources'][0]['data'] }}" _type: "{{ _secret['resources'][0]['type'] }}" + no_log: true - name: Create and Add secret names and data to dictionary set_fact: secret_dict: "{{ secret_dict | default({}) | combine({item: { 'name': _name, 'data': _data, 'type': _type }}) }}" + no_log: true when: _name != '' diff --git a/roles/backup/tasks/postgres.yml b/roles/backup/tasks/postgres.yml index c9d74d0c..28dac9b6 100644 --- a/roles/backup/tasks/postgres.yml +++ b/roles/backup/tasks/postgres.yml @@ -6,6 +6,7 @@ namespace: '{{ meta.namespace }}' name: "{{ this_awx['resources'][0]['status']['postgresConfigurationSecret'] }}" register: pg_config + no_log: true - name: Fail if postgres configuration secret status does not exist fail: 
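Review bot: The `Set secret data` task indexes `_secret['resources'][0]` with no check that the lookup returned a resource, and now that `no_log: true` sits on both it and the preceding `Get secret` task, a misnamed or missing secret surfaces only as the censored placeholder rather than an error naming the secret. A `fail` task between the two whose message carries only the secret name and namespace keeps the run diagnosable without exposing data. The same unguarded `[0]` is repeated in dump_secret.yml in this commit and in the load_bundle_cacert / load_ldap_cacert / load_route_tls task files further down, where it sits inside the `when:` expression. The `Get secret` task begins before the hunk.
```yaml
- name: Fail if secret is missing
  fail:
    msg: "Secret {{ _name }} not found in namespace {{ meta.namespace }}"
  when: not _secret.resources | length

# … unchanged: Set secret data / Create and Add secret names and data to dictionary …
```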
@@ -20,6 +21,7 @@ awx_postgres_port: "{{ pg_config['resources'][0]['data']['port'] | b64decode }}" awx_postgres_host: "{{ pg_config['resources'][0]['data']['host'] | b64decode }}" awx_postgres_type: "{{ pg_config['resources'][0]['data']['type'] | default('unmanaged'|b64encode) | b64decode }}" + no_log: true - block: - name: Delete pod to reload a resource configuration @@ -77,6 +79,7 @@ - name: Set full resolvable host name for postgres pod set_fact: resolvable_db_host: '{{ (awx_postgres_type == "managed") | ternary(awx_postgres_host + "." + meta.namespace + ".svc.cluster.local", awx_postgres_host) }}' # noqa 204 + no_log: true - name: Set pg_dump command set_fact: @@ -87,6 +90,7 @@ -d {{ awx_postgres_database }} -p {{ awx_postgres_port }} -F custom + no_log: true - name: Write pg_dump to backup on PVC k8s_exec: @@ -99,4 +103,5 @@ echo 'Successful' """ register: data_migration + no_log: true failed_when: "'Successful' not in data_migration.stdout" diff --git a/roles/backup/tasks/secrets.yml b/roles/backup/tasks/secrets.yml index b7f39e95..e45d1ef8 100644 --- a/roles/backup/tasks/secrets.yml +++ b/roles/backup/tasks/secrets.yml @@ -27,6 +27,7 @@ - name: Nest secrets under a single variable set_fact: secrets: {"secrets": '{{ secret_dict }}'} + no_log: true - name: Write postgres configuration to pvc k8s_exec: @@ -34,3 +35,4 @@ pod: "{{ meta.name }}-db-management" command: >- bash -c "echo '{{ secrets | to_yaml }}' > {{ backup_dir }}/secrets.yml" + no_log: true diff --git a/roles/installer/tasks/admin_password_configuration.yml b/roles/installer/tasks/admin_password_configuration.yml index 7de3c0fa..c38300a2 100644 --- a/roles/installer/tasks/admin_password_configuration.yml +++ b/roles/installer/tasks/admin_password_configuration.yml @@ -5,6 +5,7 @@ namespace: '{{ meta.namespace }}' name: '{{ admin_password_secret }}' register: _custom_admin_password + no_log: true when: admin_password_secret | length - name: Check for default admin password configuration 
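Review bot: With `no_log: true` on `Write pg_dump to backup on PVC`, a failure raised by `failed_when: "'Successful' not in data_migration.stdout"` now reports only the censored placeholder, so a backup that fails for a non-secret reason (unreachable host, permission denied on the PVC path) cannot be diagnosed from the operator log. If, as in migrate_data.yml, the credential is passed through `PGPASSWORD` inside the command rather than echoed, the stdout of this exec holds pg_dump diagnostics rather than secrets, and the suppression could be made switchable with a role-level variable, `no_log: "{{ <debug_toggle_var> | default(true) }}"`, defaulting to hidden. The same applies to `Stream backup from pg_dump` in migrate_data.yml and `Restore database dump` in restore/tasks/postgres.yml. The exec command itself starts before the hunk.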
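Review bot: `no_log: true` on `Write postgres configuration to pvc` hides the task result from Ansible output, but the whole secret dump is still interpolated into the `k8s_exec` command (`echo '{{ secrets | to_yaml }}' > …`), which travels as the exec request's command arguments and can be recorded by anything that logs exec command lines — API-server audit logging of the exec subresource, or a process listing inside the pod while the shell runs. The same limitation applies to the passwords in the exec commands of initialize_django.yml, migrate_data.yml and restore/tasks/postgres.yml below. If a transport that keeps the payload out of the command line is available, it would make `no_log` a complete control here; otherwise a comment on the task such as `# no_log hides Ansible output only; the payload is still part of the exec command` keeps the gap visible. The file on the PVC is also created under the shell's default umask, so `bash -c "umask 077; echo …"` would restrict it to the owner.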
@@ -13,16 +14,19 @@ namespace: '{{ meta.namespace }}' name: '{{ meta.name }}-admin-password' register: _default_admin_password + no_log: true - name: Set admin password secret set_fact: _admin_password_secret: '{{ _custom_admin_password["resources"] | default([]) | length | ternary(_custom_admin_password, _default_admin_password) }}' + no_log: true - block: - name: Create admin password secret k8s: apply: true definition: "{{ lookup('template', 'admin_password_secret.yaml.j2') }}" + no_log: true - name: Read admin password secret k8s_info: @@ -30,13 +34,16 @@ namespace: '{{ meta.namespace }}' name: '{{ meta.name }}-admin-password' register: _generated_admin_password + no_log: true when: not _admin_password_secret['resources'] | default([]) | length - name: Set admin password secret set_fact: __admin_password_secret: '{{ _generated_admin_password["resources"] | default([]) | length | ternary(_generated_admin_password, _admin_password_secret) }}' + no_log: true - name: Store admin password set_fact: admin_password: "{{ __admin_password_secret['resources'][0]['data']['password'] | b64decode }}" + no_log: true diff --git a/roles/installer/tasks/broadcast_websocket_configuration.yml b/roles/installer/tasks/broadcast_websocket_configuration.yml index 4060a382..d40f1cc5 100644 --- a/roles/installer/tasks/broadcast_websocket_configuration.yml +++ b/roles/installer/tasks/broadcast_websocket_configuration.yml @@ -5,6 +5,7 @@ namespace: '{{ meta.namespace }}' name: '{{ broadcast_websocket_secret }}' register: _custom_broadcast_websocket + no_log: true when: broadcast_websocket_secret | length - name: Check for default broadcast websocket secret configuration 
@@ -13,17 +14,20 @@ namespace: '{{ meta.namespace }}' name: '{{ meta.name }}-broadcast-websocket' register: _default_broadcast_websocket + no_log: true - name: Set broadcast websocket secret set_fact: # yamllint disable-line rule:line-length _broadcast_websocket_secret: '{{ _custom_broadcast_websocket["resources"] | default([]) | length | ternary(_custom_broadcast_websocket, _default_broadcast_websocket) }}' # noqa 204 + no_log: true - block: - name: Create broadcast websocket secret k8s: apply: true definition: "{{ lookup('template', 'broadcast_websocket_secret.yaml.j2') }}" + no_log: true - name: Read broadcast websocket secret k8s_info: @@ -31,6 +35,7 @@ namespace: '{{ meta.namespace }}' name: '{{ meta.name }}-broadcast-websocket' register: _generated_broadcast_websocket + no_log: true when: not _broadcast_websocket_secret['resources'] | default([]) | length @@ -38,7 +43,9 @@ set_fact: # yamllint disable-line rule:line-length __broadcast_websocket_secret: '{{ _generated_broadcast_websocket["resources"] | default([]) | length | ternary(_generated_broadcast_websocket, _broadcast_websocket_secret) }}' # noqa 204 + no_log: true - name: Store broadcast websocket secret name set_fact: broadcast_websocket_secret_value: "{{ __broadcast_websocket_secret['resources'][0]['data']['secret'] | b64decode }}" + no_log: true diff --git a/roles/installer/tasks/cleanup.yml b/roles/installer/tasks/cleanup.yml index f4bffe37..7fb5084a 100644 --- a/roles/installer/tasks/cleanup.yml +++ b/roles/installer/tasks/cleanup.yml @@ -23,5 +23,6 @@ - '{{ _secret_key }}' - '{{ _postgres_configuration }}' - '{{ _broadcast_websocket_secret }}' + no_log: true when: not garbage_collect_secrets | bool diff --git a/roles/installer/tasks/database_configuration.yml b/roles/installer/tasks/database_configuration.yml index 2b028f26..2e99be55 100644 --- a/roles/installer/tasks/database_configuration.yml +++ b/roles/installer/tasks/database_configuration.yml 
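Review bot: The loop items of the cleanup task in the installer/cleanup.yml hunk are secret names (`_secret_key`, `_postgres_configuration`, `_broadcast_websocket_secret`), not secret contents, so unless the module invoked (outside the hunk) returns the secret body in its result, `no_log: true` here removes the per-item record of which secrets were touched on teardown without hiding anything sensitive — and that record is exactly what an operator wants when investigating a deletion. If the module result does carry data, a comment such as `# no_log: module result echoes the secret body` would justify it; otherwise drop the `no_log` on this task and on the matching task in restore/tasks/cleanup.yml. The task's module and the start of its loop lie before the hunk.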
@@ -6,6 +6,7 @@ name: '{{ postgres_configuration_secret }}' register: _custom_pg_config_resources when: postgres_configuration_secret | length + no_log: true - name: Check for default PostgreSQL configuration k8s_info: @@ -13,6 +14,7 @@ namespace: '{{ meta.namespace }}' name: '{{ meta.name }}-postgres-configuration' register: _default_pg_config_resources + no_log: true - name: Check for specified old PostgreSQL configuration secret k8s_info: @@ -21,6 +23,7 @@ name: '{{ old_postgres_configuration_secret }}' register: _custom_old_pg_config_resources when: old_postgres_configuration_secret | length + no_log: true - name: Check for default old PostgreSQL configuration k8s_info: @@ -28,6 +31,7 @@ namespace: '{{ meta.namespace }}' name: '{{ meta.name }}-old-postgres-configuration' register: _default_old_pg_config_resources + no_log: true - name: Set old PostgreSQL configuration set_fact: @@ -41,16 +45,19 @@ when: - old_pg_config['resources'] is defined - old_pg_config['resources'] | length + no_log: true - name: Set PostgreSQL configuration set_fact: _pg_config: '{{ _custom_pg_config_resources["resources"] | default([]) | length | ternary(_custom_pg_config_resources, _default_pg_config_resources) }}' + no_log: true - block: - name: Create Database configuration k8s: apply: true definition: "{{ lookup('template', 'postgres_secret.yaml.j2') }}" + no_log: true - name: Read Database Configuration k8s_info: @@ -58,11 +65,13 @@ namespace: '{{ meta.namespace }}' name: '{{ meta.name }}-postgres-configuration' register: _generated_pg_config_resources + no_log: true when: not _pg_config['resources'] | default([]) | length - name: Set PostgreSQL Configuration set_fact: pg_config: '{{ _generated_pg_config_resources["resources"] | default([]) | length | ternary(_generated_pg_config_resources, _pg_config) }}' + no_log: true - name: Set actual postgres configuration secret used set_fact: 
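Review bot: Placement of the new `no_log: true` is inconsistent: in the first and third hunks of database_configuration.yml it follows `when:`, while in admin_password_configuration.yml, broadcast_websocket_configuration.yml and secret_key_configuration.yml it sits between `register:` and `when:`, and in migrate_data.yml it precedes `register:`. Ansible does not care about key order, but a fixed order (`register`, `no_log`, `when`, say) makes a missing `no_log` easy to spot in review, which is the failure mode this commit guards against. Worth normalising in the same change.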
@@ -112,6 +121,7 @@ awx_postgres_port: "{{ pg_config['resources'][0]['data']['port'] | b64decode }}" awx_postgres_host: "{{ pg_config['resources'][0]['data']['host'] | b64decode }}" awx_postgres_sslmode: "{{ pg_config['resources'][0]['data']['sslmode'] | default('prefer'|b64encode) | b64decode }}" + no_log: true - name: Look up details for this deployment k8s_info: diff --git a/roles/installer/tasks/initialize_django.yml b/roles/installer/tasks/initialize_django.yml index cdfc03ae..924e77b0 100644 --- a/roles/installer/tasks/initialize_django.yml +++ b/roles/installer/tasks/initialize_django.yml @@ -22,6 +22,7 @@ bash -c "awx-manage update_password --username '{{ admin_user }}' --password '{{ admin_password }}'" register: update_pw_result changed_when: users_result.stdout == 'Password not updated' + no_log: true when: users_result.return_code == 0 - name: Create super user via Django if it doesn't exist. @@ -33,6 +34,7 @@ bash -c "echo \"from django.contrib.auth.models import User; User.objects.create_superuser('{{ admin_user }}', '{{ admin_email }}', '{{ admin_password }}')\" | awx-manage shell" + no_log: true when: users_result.return_code > 0 - name: Create preload data if necessary. # noqa 305 @@ -78,6 +80,7 @@ _execution_environments_pull_credentials: >- {{ _custom_execution_environments_pull_credentials["resources"] | default([]) | length | ternary(_custom_execution_environments_pull_credentials, []) }} + no_log: true - name: Register default execution environments (without authentication) k8s_exec: 
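Review bot: `changed_when: users_result.stdout == 'Password not updated'` on the `update_password` task compares a different task's output than the one it registers (`update_pw_result`), so this task's change status is decided by the earlier user-lookup result; if that is not deliberate it was probably meant to read `changed_when: update_pw_result.stdout != 'Password not updated'`. With `no_log: true` now on the task the mismatch is harder to notice at run time, because the registered result is censored. The exec command and the task header lie before the hunk.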
@@ -98,6 +101,8 @@ default_execution_environment_pull_credentials_url: "{{ _execution_environments_pull_credentials['resources'][0]['data']['url'] | b64decode }}" default_execution_environment_pull_credentials_url_verify: >- {{ _execution_environments_pull_credentials['resources'][0]['data']['ssl_verify'] | default("True"|b64encode) | b64decode }} + no_log: true + - name: Register default execution environments (with authentication) k8s_exec: namespace: "{{ meta.namespace }}" @@ -111,4 +116,5 @@ --verify-ssl='{{ default_execution_environment_pull_credentials_url_verify }}'" register: ree changed_when: "'changed: True' in ree.stdout" + no_log: true when: _execution_environments_pull_credentials['resources'] | default([]) | length diff --git a/roles/installer/tasks/load_bundle_cacert_secret.yml b/roles/installer/tasks/load_bundle_cacert_secret.yml index 686242ed..d1803d00 100644 --- a/roles/installer/tasks/load_bundle_cacert_secret.yml +++ b/roles/installer/tasks/load_bundle_cacert_secret.yml @@ -5,8 +5,10 @@ namespace: '{{ meta.namespace }}' name: '{{ bundle_cacert_secret }}' register: bundle_cacert + no_log: true - name: Load bundle Certificate Authority Secret content set_fact: bundle_ca_crt: '{{ bundle_cacert["resources"][0]["data"]["bundle-ca.crt"] | b64decode }}' + no_log: true when: '"bundle-ca.crt" in bundle_cacert["resources"][0]["data"]' diff --git a/roles/installer/tasks/load_ldap_cacert_secret.yml b/roles/installer/tasks/load_ldap_cacert_secret.yml index ebf5fcc2..c1ff67c3 100644 --- a/roles/installer/tasks/load_ldap_cacert_secret.yml +++ b/roles/installer/tasks/load_ldap_cacert_secret.yml @@ -5,8 +5,10 @@ namespace: '{{ meta.namespace }}' name: '{{ ldap_cacert_secret }}' register: ldap_cacert + no_log: true - name: Load LDAP CA Certificate Secret content set_fact: ldap_cacert_ca_crt: '{{ ldap_cacert["resources"][0]["data"]["ldap-ca.crt"] | b64decode }}' + no_log: true when: '"ldap-ca.crt" in ldap_cacert["resources"][0]["data"]' 
diff --git a/roles/installer/tasks/load_route_tls_secret.yml b/roles/installer/tasks/load_route_tls_secret.yml index 07d54d9c..0abc1371 100644 --- a/roles/installer/tasks/load_route_tls_secret.yml +++ b/roles/installer/tasks/load_route_tls_secret.yml @@ -5,13 +5,16 @@ namespace: '{{ meta.namespace }}' name: '{{ route_tls_secret }}' register: route_tls + no_log: true - name: Load Route TLS Secret content set_fact: route_tls_key: '{{ route_tls["resources"][0]["data"]["tls.key"] | b64decode }}' route_tls_crt: '{{ route_tls["resources"][0]["data"]["tls.crt"] | b64decode }}' + no_log: true - name: Load Route TLS Secret content set_fact: route_ca_crt: '{{ route_tls["resources"][0]["data"]["ca.crt"] | b64decode }}' + no_log: true when: '"ca.crt" in route_tls["resources"][0]["data"]' diff --git a/roles/installer/tasks/migrate_data.yml b/roles/installer/tasks/migrate_data.yml index 2e341402..735002d0 100644 --- a/roles/installer/tasks/migrate_data.yml +++ b/roles/installer/tasks/migrate_data.yml @@ -11,6 +11,7 @@ awx_old_postgres_database: "{{ old_pg_config['resources'][0]['data']['database'] | b64decode }}" awx_old_postgres_port: "{{ old_pg_config['resources'][0]['data']['port'] | b64decode }}" awx_old_postgres_host: "{{ old_pg_config['resources'][0]['data']['host'] | b64decode }}" + no_log: true - name: Default label selector to custom resource generated postgres set_fact: @@ -47,6 +48,7 @@ -d {{ awx_old_postgres_database }} -p {{ awx_old_postgres_port }} -F custom + no_log: true - name: Set pg_restore command set_fact: @@ -54,6 +56,7 @@ pg_restore --clean --if-exists -U {{ database_username }} -d {{ database_name }} + no_log: true - name: Stream backup from pg_dump to the new postgresql container k8s_exec: @@ -65,6 +68,7 @@ PGPASSWORD={{ awx_old_postgres_pass }} {{ pgdump }} | PGPASSWORD={{ awx_postgres_pass }} {{ pg_restore }} echo 'Successful' """ + no_log: true register: data_migration failed_when: "'Successful' not in data_migration.stdout" 
diff --git a/roles/installer/tasks/resources_configuration.yml b/roles/installer/tasks/resources_configuration.yml index f8e7294e..778646ed 100644 --- a/roles/installer/tasks/resources_configuration.yml +++ b/roles/installer/tasks/resources_configuration.yml @@ -30,6 +30,7 @@ - 'persistent' - 'service' - 'ingress' + no_log: true - name: Apply deployment resources k8s: diff --git a/roles/installer/tasks/secret_key_configuration.yml b/roles/installer/tasks/secret_key_configuration.yml index eeefa8eb..593f3a21 100644 --- a/roles/installer/tasks/secret_key_configuration.yml +++ b/roles/installer/tasks/secret_key_configuration.yml @@ -5,6 +5,7 @@ namespace: '{{ meta.namespace }}' name: '{{ secret_key_secret }}' register: _custom_secret_key + no_log: true when: secret_key_secret | length - name: Check for default secret key configuration @@ -13,16 +14,19 @@ namespace: '{{ meta.namespace }}' name: '{{ meta.name }}-secret-key' register: _default_secret_key + no_log: true - name: Set secret key secret set_fact: _secret_key_secret: '{{ _custom_secret_key["resources"] | default([]) | length | ternary(_custom_secret_key, _default_secret_key) }}' + no_log: true - block: - name: Create secret key secret k8s: apply: true definition: "{{ lookup('template', 'secret_key.yaml.j2') }}" + no_log: true - name: Read secret key secret k8s_info: @@ -30,13 +34,16 @@ namespace: '{{ meta.namespace }}' name: '{{ meta.name }}-secret-key' register: _generated_secret_key + no_log: true when: not _secret_key_secret['resources'] | default([]) | length - name: Set secret key secret set_fact: __secret_key_secret: '{{ _generated_secret_key["resources"] | default([]) | length | ternary(_generated_secret_key, _secret_key_secret) }}' + no_log: true - name: Store secret key secret name set_fact: secret_key_secret_name: "{{ __secret_key_secret['resources'][0]['metadata']['name'] }}" + no_log: true diff --git a/roles/restore/tasks/cleanup.yml b/roles/restore/tasks/cleanup.yml index f80ad691..8d7345d6 100644 
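Review bot: The loop values in the resources_configuration.yml hunk (`persistent`, `service`, `ingress`) are template names for non-secret deployment resources, so `no_log: true` on this task suppresses the module's error detail (the API server's reason for a rejected manifest) while protecting nothing, unless the rendered templates outside the hunk embed secret values. If they do not, the `no_log` is better removed from this task; if they do, a comment such as `# no_log: rendered templates include secret values` records why an apply failure here is opaque. The task header and module are before the hunk.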
--- a/roles/restore/tasks/cleanup.yml +++ b/roles/restore/tasks/cleanup.yml @@ -22,6 +22,7 @@ - '{{ admin_password_secret }}' - '{{ broadcast_websocket_secret }}' - '{{ postgres_configuration_secret }}' + no_log: true - name: Cleanup temp spec file file: diff --git a/roles/restore/tasks/postgres.yml b/roles/restore/tasks/postgres.yml index d498277d..a9c17fda 100644 --- a/roles/restore/tasks/postgres.yml +++ b/roles/restore/tasks/postgres.yml @@ -10,6 +10,7 @@ namespace: '{{ meta.namespace }}' name: '{{ postgres_configuration_secret }}' register: pg_config + no_log: true - name: Store Database Configuration set_fact: @@ -19,6 +20,7 @@ awx_postgres_port: "{{ pg_config['resources'][0]['data']['port'] | b64decode }}" awx_postgres_host: "{{ pg_config['resources'][0]['data']['host'] | b64decode }}" awx_postgres_type: "{{ pg_config['resources'][0]['data']['type'] | b64decode | default('unmanaged') }}" + no_log: true - name: Default label selector to custom resource generated postgres set_fact: @@ -63,6 +65,7 @@ - name: Set full resolvable host name for postgres pod set_fact: resolvable_db_host: "{{ awx_postgres_host }}.{{ meta.namespace }}.svc.cluster.local" + no_log: true when: awx_postgres_type == 'managed' - name: Set pg_restore command @@ -74,6 +77,7 @@ -U {{ awx_postgres_user }} -d {{ awx_postgres_database }} -p {{ awx_postgres_port }} + no_log: true - name: Restore database dump to the new postgresql container k8s_exec: @@ -86,4 +90,5 @@ echo 'Successful' """ register: data_migration + no_log: true failed_when: "'Successful' not in data_migration.stdout" diff --git a/roles/restore/tasks/secrets.yml b/roles/restore/tasks/secrets.yml index 53b25821..644aea28 100644 --- a/roles/restore/tasks/secrets.yml +++ b/roles/restore/tasks/secrets.yml @@ -7,6 +7,7 @@ command: >- bash -c "cat '{{ backup_dir }}/secrets.yml'" register: _secrets + no_log: true - name: Create Temporary secrets file tempfile: 
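Review bot: In the restore/tasks/postgres.yml `Store Database Configuration` hunk, `awx_postgres_type: "{{ … ['data']['type'] | b64decode | default('unmanaged') }}"` applies `default` after `b64decode`, so a backup whose secret lacks a `type` key is likely to fail on the decode before the default is reached; the backup counterpart in backup/tasks/postgres.yml orders it as `default('unmanaged'|b64encode) | b64decode`, which does fall back. With `no_log: true` now on this task, that failure is reported as the censored placeholder rather than an undefined-key message. Aligning this line with the backup role's form would restore the fallback; the task's other keys start before the hunk.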
@@ -19,31 +20,38 @@ dest: "{{ tmp_secrets.path }}" content: "{{ _secrets.stdout }}" mode: 0640 + no_log: true - name: Include secret vars from backup include_vars: "{{ tmp_secrets.path }}" + no_log: true - name: If deployment is managed, set the database_host in the pg config secret block: - name: Set new database host set_fact: database_host: "{{ deployment_name }}-postgres" + no_log: true - name: Set tmp postgres secret dict set_fact: _pg_secret: "{{ secrets['postgresConfigurationSecret'] }}" + no_log: true - name: Change postgres host value set_fact: _pg_data: "{{ _pg_secret['data'] | combine({'host': database_host | b64encode }) }}" + no_log: true - name: Create a postgres secret with the new host value set_fact: _pg_secret: "{{ _pg_secret | combine({'data': _pg_data}) }}" + no_log: true - name: Create a new dict of secrets with the new postgres secret set_fact: secrets: "{{ secrets | combine({'postgresConfigurationSecret': _pg_secret}) }}" + no_log: true when: secrets['postgresConfigurationSecret']['data']['type'] | b64decode == 'managed' - name: Apply secret @@ -53,6 +61,7 @@ apply: yes wait: yes template: "secrets.yml.j2" + no_log: true - name: Remove ownerReference on restored secrets k8s: @@ -64,3 +73,4 @@ namespace: '{{ meta.namespace }}' ownerReferences: null loop: "{{ secrets | dict2items }}" + no_log: true
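Review bot: The temporary secrets file is written with `mode: 0640`; nothing in this flow needs group access to the plaintext of every restored secret, so `mode: "0600"` (quoted — ansible-lint flags unquoted octal modes) is the safer setting for it. Separately, `no_log: true` is applied to `Set new database host`, whose only value is `{{ deployment_name }}-postgres`; hiding it buys nothing and removes one of the few checkpoints left in this file for verifying a managed restore. The copy task that owns the `mode` key begins before the hunk.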