Dynamically collect secrets for backup & restore roles

- This prevents us from overwriting vars unintentionally at restore time - This will make it easier to add secrets to be backed up in the future - Add generated secret names to awx spec backup - Fail early if secret status doesn't exist - Skip if secret is not in spec for non-generated secrets - Secret values must be b64 decoded before secret is created - Cleanup temp files
2026-05-08 14:22:49 +00:00 · 2021-06-11 11:54:06 -04:00
parent 1bb6ada3a2
commit bfec61ad8d
15 changed files with 153 additions and 161 deletions
--- a/roles/restore/tasks/cleanup.yml
+++ b/roles/restore/tasks/cleanup.yml
@@ -18,7 +18,19 @@
        namespace: '{{ meta.namespace }}'
        ownerReferences: null
  loop:
-    - '{{ secret_key_secret_name }}'
-    - '{{ admin_password_secret_name }}'
-    - '{{ broadcast_websocket_secret_name }}'
-    - '{{ postgres_configuration_secret_name }}'
+    - '{{ secret_key_secret }}'
+    - '{{ admin_password_secret }}'
+    - '{{ broadcast_websocket_secret }}'
+    - '{{ postgres_configuration_secret }}'
+
+- name: Cleanup temp spec file
+  file:
+    path: "{{ tmp_spec.path }}"
+    state: absent
+  when: tmp_spec.path is defined
+
+- name: Cleanup temp secret vars file
+  file:
+    path: "{{ secret_vars.path }}"
+    state: absent
+  when: secret_vars.path is defined
--- a/roles/restore/tasks/deploy_awx.yml
+++ b/roles/restore/tasks/deploy_awx.yml
@@ -31,15 +31,6 @@
  set_fact:
    awx_spec: "{{ spec.ansible_facts }}"

- name: Set names of backed up secrets in the CR spec
-  set_fact:
-    awx_spec: "{{ awx_spec | combine ({ item.key : item.value }) }}"
-  with_items:
-    - {'key': 'secret_key_secret', 'value': '{{ secret_key_secret_name }}'}
-    - {'key': 'admin_password_secret', 'value': '{{ admin_password_secret_name }}'}
-    - {'key': 'broadcast_websocket_secret', 'value': '{{ broadcast_websocket_secret_name }}'}
-    - {'key': 'postgres_configuration_secret', 'value': '{{ postgres_configuration_secret_name }}'}
-
 - name: Restore kind
  set_fact:
    kind: "{{ _kind }}"
--- a/roles/restore/tasks/postgres.yml
+++ b/roles/restore/tasks/postgres.yml
@@ -4,7 +4,7 @@
  k8s_info:
    kind: Secret
    namespace: '{{ meta.namespace }}'
-    name: '{{ postgres_configuration_secret_name }}'
+    name: '{{ postgres_configuration_secret }}'
  register: pg_config

 - name: Store Database Configuration
--- a/roles/restore/tasks/secrets.yml
+++ b/roles/restore/tasks/secrets.yml
@@ -6,27 +6,45 @@
    pod: "{{ meta.name }}-db-management"
    command: >-
      bash -c "cat '{{ backup_dir }}/secrets.yml'"
-  register: secrets
+  register: _secrets

- name: Create temp vars file
+- name: Create Temporary secrets file
  tempfile:
-    prefix: secret_vars-
-  register: secret_vars
+    state: file
+    suffix: .json
+  register: tmp_secrets

 - name: Write vars to file locally
  copy:
-    dest: "{{ secret_vars.path }}"
-    content: "{{ secrets.stdout }}"
+    dest: "{{ tmp_secrets.path }}"
+    content: "{{ _secrets.stdout }}"
    mode: 0640

 - name: Include secret vars from backup
-  include_vars: "{{ secret_vars.path }}"
+  include_vars: "{{ tmp_secrets.path }}"

- name: Set new database host based on supplied deployment_name
-  set_fact:
-    database_host: "{{ deployment_name }}-postgres"
-  when:
-    - database_type == 'managed'
+- name: If deployment is managed, set the database_host in the pg config secret
+  block:
+    - name: Set new database host
+      set_fact:
+        database_host: "{{ deployment_name }}-postgres"
+
+    - name: Set tmp postgres secret dict
+      set_fact:
+        _pg_secret: "{{ secrets['postgresConfigurationSecret'] }}"
+
+    - name: Change postgres host value
+      set_fact:
+        _pg_data: "{{ _pg_secret['data'] | combine({'host': database_host | b64encode }) }}"
+
+    - name: Create a postgres secret with the new host value
+      set_fact:
+        _pg_secret: "{{ _pg_secret | combine({'data': _pg_data}) }}"
+
+    - name: Create a new dict of secrets with the new postgres secret
+      set_fact:
+        secrets: "{{ secrets | combine({'postgresConfigurationSecret': _pg_secret}) }}"
+  when: secrets['postgresConfigurationSecret']['data']['type'] | b64decode == 'managed'

 - name: Apply secret
  k8s:
--- a/roles/restore/templates/secrets.yml.j2
+++ b/roles/restore/templates/secrets.yml.j2
@@ -1,9 +1,9 @@
-# Postgres Secret
+{% for secret in secrets %}
 ---
 apiVersion: v1
 kind: Secret
 metadata:
-  name: '{{ postgres_configuration_secret_name }}'
+  name: '{{ secrets[secret]['name'] }}'
  namespace: '{{ meta.namespace }}'
  labels:
    app.kubernetes.io/name: '{{ meta.name }}'
@@ -12,57 +12,8 @@ metadata:
    app.kubernetes.io/component: '{{ deployment_type }}'
    app.kubernetes.io/operator-version: '{{ lookup("env", "OPERATOR_VERSION") }}'
 stringData:
-  password: '{{ database_password }}'
-  username: '{{ database_username }}'
-  database: '{{ database_name }}'
-  port: '{{ database_port }}'
-  host: '{{ database_host }}'
-  type: '{{ database_type }}'
+  {% for key, value in secrets[secret]['data'].items() %}
+    '{{ key }}': '{{ value | b64decode }}'
+  {% endfor %}

-# Secret Key Secret
---
-apiVersion: v1
-kind: Secret
-metadata:
-  name: '{{ secret_key_secret_name }}'
-  namespace: '{{ meta.namespace }}'
-  labels:
-    app.kubernetes.io/name: '{{ meta.name }}'
-    app.kubernetes.io/part-of: '{{ meta.name }}'
-    app.kubernetes.io/managed-by: '{{ deployment_type }}-operator'
-    app.kubernetes.io/component: '{{ deployment_type }}'
-    app.kubernetes.io/operator-version: '{{ lookup("env", "OPERATOR_VERSION") }}'
-stringData:
-  secret_key: '{{ secret_key }}'
-
-# Admin Password Secret
---
-apiVersion: v1
-kind: Secret
-metadata:
-  name: '{{ admin_password_secret_name }}'
-  namespace: '{{ meta.namespace }}'
-  labels:
-    app.kubernetes.io/name: '{{ meta.name }}'
-    app.kubernetes.io/part-of: '{{ meta.name }}'
-    app.kubernetes.io/managed-by: '{{ deployment_type }}-operator'
-    app.kubernetes.io/component: '{{ deployment_type }}'
-    app.kubernetes.io/operator-version: '{{ lookup("env", "OPERATOR_VERSION") }}'
-stringData:
-  password: '{{ admin_password }}'
-
-# Broadcast Websocket Secret
---
-apiVersion: v1
-kind: Secret
-metadata:
-  name: '{{ broadcast_websocket_secret_name }}'
-  namespace: '{{ meta.namespace }}'
-  labels:
-    app.kubernetes.io/name: '{{ meta.name }}'
-    app.kubernetes.io/part-of: '{{ meta.name }}'
-    app.kubernetes.io/managed-by: '{{ deployment_type }}-operator'
-    app.kubernetes.io/component: '{{ deployment_type }}'
-    app.kubernetes.io/operator-version: '{{ lookup("env", "OPERATOR_VERSION") }}'
-stringData:
-  secret: '{{ broadcast_websocket }}'
+{% endfor %}
--- a/roles/restore/vars/main.yml
+++ b/roles/restore/vars/main.yml
@@ -8,7 +8,7 @@ backup_api_version: '{{ deployment_type }}.ansible.com/v1beta1'
 backup_kind: 'AWXBackup'

 # set default secret names to be used if a backup dir and claim are provided (not a backup_name)
-secret_key_secret_name: '{{ deployment_name }}-secret-key'
-admin_password_secret_name: '{{ deployment_name }}-admin-password'
-broadcast_websocket_secret_name: '{{ deployment_name }}-broadcast-websocket'
-postgres_configuration_secret_name: '{{ deployment_name }}-postgres-configuration'
+secret_key_secret: '{{ deployment_name }}-secret-key'
+admin_password_secret: '{{ deployment_name }}-admin-password'
+broadcast_websocket_secret: '{{ deployment_name }}-broadcast-websocket'
+postgres_configuration_secret: '{{ deployment_name }}-postgres-configuration'