Dynamically collect secrets for backup & restore roles

- This prevents us from overwriting vars unintentionally at restore time - This will make it easier to add secrets to be backed up in the future - Add generated secret names to awx spec backup - Fail early if secret status doesn't exist - Skip if secret is not in spec for non-generated secrets - Secret values must be b64 decoded before secret is created - Cleanup temp files
2026-05-08 06:12:54 +00:00 · 2021-06-11 11:54:06 -04:00
parent 1bb6ada3a2
commit bfec61ad8d
15 changed files with 153 additions and 161 deletions
--- a/roles/backup/tasks/awx-cro.yml
+++ b/roles/backup/tasks/awx-cro.yml
@@ -16,6 +16,15 @@
  set_fact:
    awx_spec: "{{ _awx['spec'] }}"

+- name: Set names of backed up secrets in the CR spec
+  set_fact:
+    awx_spec: "{{ awx_spec | combine ({ item.key : item.value }) }}"
+  with_items:
+    - {"key": "secret_key_secret", "value": "{{ this_awx['resources'][0]['status']['secretKeySecret'] }}"}
+    - {"key": "admin_password_secret", "value": "{{ this_awx['resources'][0]['status']['adminPasswordSecret'] }}"}
+    - {"key": "broadcast_websocket_secret", "value": "{{ this_awx['resources'][0]['status']['broadcastWebsocketSecret'] }}"}
+    - {"key": "postgres_configuration_secret", "value": "{{ this_awx['resources'][0]['status']['postgresConfigurationSecret'] }} "}
+
 - name: Write awx object to pvc
  k8s_exec:
    namespace: "{{ backup_pvc_namespace }}"
--- a/roles/backup/tasks/dump_generated_secret.yml
+++ b/roles/backup/tasks/dump_generated_secret.yml
@@ -0,0 +1,35 @@
+---
+
+- name: Get secret name
+  set_fact:
+      _name: "{{ this_awx['resources'][0]['status'][item] }}"
+
+- name: Fail if status is not set on AWX CR
+  block:
+      - name: Set error message
+        set_fact:
+            error_msg: "{{ item }} status is not set on AWX object yet"
+
+      - name: Handle error
+        import_tasks: error_handling.yml
+
+      - name: Fail early if secret name status is not set
+        fail:
+            msg: "{{ error_msg }}"
+  when: _name is not defined or _name == ''
+
+- name: Get secret
+  k8s_info:
+      version: v1
+      kind: Secret
+      namespace: '{{ meta.namespace }}'
+      name: "{{ _name }}"
+  register: _secret
+
+- name: Set secret data
+  set_fact:
+      _data: "{{ _secret['resources'][0]['data'] }}"
+
+- name: Create and Add secret names and data to dictionary
+  set_fact:
+      secret_dict: "{{ secret_dict | default({}) | combine({ item: {'name': _name, 'data': _data }}) }}"
--- a/roles/backup/tasks/dump_secret.yml
+++ b/roles/backup/tasks/dump_secret.yml
@@ -0,0 +1,24 @@
+---
+
+- name: Get Secret Name
+  set_fact:
+      _name: "{{ awx_spec[item] | default('') }}"
+
+- name: Skip if secret name not defined
+  block:
+      - name: Get secret
+        k8s_info:
+            version: v1
+            kind: Secret
+            namespace: '{{ meta.namespace }}'
+            name: "{{ _name }}"
+        register: _secret
+
+      - name: Set secret key
+        set_fact:
+            _data: "{{ _secret['resources'][0]['data'] }}"
+
+      - name: Create and Add secret names and data to dictionary
+        set_fact:
+            secret_dict: "{{ secret_dict | default({}) | combine({item: { 'name': _name, 'data': _data }}) }}"
+  when: _name != ''
--- a/roles/backup/tasks/main.yml
+++ b/roles/backup/tasks/main.yml
@@ -30,10 +30,10 @@

    - include_tasks: postgres.yml

-    - include_tasks: secrets.yml
-
    - include_tasks: awx-cro.yml

+    - include_tasks: secrets.yml
+
    - name: Set flag signifying this backup was successful
      set_fact:
        backup_complete: true
@@ -45,5 +45,3 @@

 - name: Update status variables
  include_tasks: update_status.yml
-
-# TODO: backup tower settings or make sure that users only specify settings/config changes via AWX object.  See ticket
--- a/roles/backup/tasks/secrets.yml
+++ b/roles/backup/tasks/secrets.yml
@@ -1,65 +1,33 @@
 ---

- name: Get secret_key
-  k8s_info:
-    kind: Secret
-    namespace: '{{ meta.namespace }}'
-    name: "{{ this_awx['resources'][0]['status']['secretKeySecret'] }}"
-  register: _secret_key
+- name: Create Temporary secrets file
+  tempfile:
+    state: file
+    suffix: .json
+  register: tmp_secrets

- name: Set secret key
+- name: Dump (generated) secret names from statuses and data into file
+  include_tasks: dump_generated_secret.yml
+  with_items:
+    - secretKeySecret
+    - adminPasswordSecret
+    - broadcastWebsocketSecret
+    - postgresConfigurationSecret
+
+- name: Dump secret names from awx spec and data into file
+  include_tasks: dump_secret.yml
+  loop:
+    - route_tls_secret
+    - ldap_cacert_secret
+    - image_pull_secret
+
+- name: Nest secrets under a single variable
  set_fact:
-    secret_key: "{{ _secret_key['resources'][0]['data']['secret_key'] | b64decode }}"
-
- name: Get admin_password
-  k8s_info:
-    kind: Secret
-    namespace: '{{ meta.namespace }}'
-    name: "{{ this_awx['resources'][0]['status']['adminPasswordSecret'] }}"
-  register: _admin_password
-
- name: Set admin_password
-  set_fact:
-    admin_password: "{{ _admin_password['resources'][0]['data']['password'] | b64decode }}"
-
- name: Get broadcast_websocket
-  k8s_info:
-    kind: Secret
-    namespace: '{{ meta.namespace }}'
-    name: "{{ this_awx['resources'][0]['status']['broadcastWebsocketSecret'] }}"
-  register: _broadcast_websocket
-
- name: Set broadcast_websocket key
-  set_fact:
-    broadcast_websocket: "{{ _broadcast_websocket['resources'][0]['data']['secret'] | b64decode }}"
-
- name: Get postgres configuration
-  k8s_info:
-    kind: Secret
-    namespace: '{{ meta.namespace }}'
-    name: "{{ this_awx['resources'][0]['status']['postgresConfigurationSecret'] }}"
-  register: _postgres_configuration
-
- name: Set postgres type
-  set_fact:
-    database_type: "{{ _postgres_configuration['resources'][0]['data']['type'] | b64decode }}"
-  when: _postgres_configuration['resources'][0]['data']['type'] is defined
-
- name: Set postgres configuration
-  set_fact:
-    database_password: "{{ _postgres_configuration['resources'][0]['data']['password'] | b64decode }}"
-    database_username: "{{ _postgres_configuration['resources'][0]['data']['username'] | b64decode }}"
-    database_name: "{{ _postgres_configuration['resources'][0]['data']['database'] | b64decode }}"
-    database_port: "{{ _postgres_configuration['resources'][0]['data']['port'] | b64decode }}"
-    database_host: "{{ _postgres_configuration['resources'][0]['data']['host'] | b64decode }}"
-
- name: Template secrets into yaml
-  set_fact:
-    secrets_file: "{{ lookup('template', 'secrets.yml.j2') }}"
+    secrets: {"secrets": '{{ secret_dict }}'}

 - name: Write postgres configuration to pvc
  k8s_exec:
    namespace: "{{ backup_pvc_namespace }}"
    pod: "{{ meta.name }}-db-management"
    command: >-
-      bash -c "echo '{{ secrets_file }}' > {{ backup_dir }}/secrets.yml"
+      bash -c "echo '{{ secrets | to_yaml }}' > {{ backup_dir }}/secrets.yml"
--- a/roles/backup/templates/secrets.yml.j2
+++ b/roles/backup/templates/secrets.yml.j2
@@ -1,14 +0,0 @@
---
-secret_key_secret_name: "{{ _secret_key['resources'][0]['metadata']['name'] }}"
-admin_password_secret_name: "{{ _admin_password['resources'][0]['metadata']['name'] }}"
-broadcast_websocket_secret_name: "{{ _broadcast_websocket['resources'][0]['metadata']['name'] }}"
-postgres_configuration_secret_name: "{{ _postgres_configuration['resources'][0]['metadata']['name'] }}"
-secret_key: {{ secret_key }}
-admin_password: {{ admin_password }}
-broadcast_websocket: {{ broadcast_websocket }}
-database_password: {{ database_password }}
-database_username: {{ database_username }}
-database_name: {{ database_name }}
-database_port: {{ database_port }}
-database_host: {{ database_host }}
-database_type: {{ database_type }}