diff --git a/roles/installer/defaults/main.yml b/roles/installer/defaults/main.yml index e03df54d..41fa3cba 100644 --- a/roles/installer/defaults/main.yml +++ b/roles/installer/defaults/main.yml @@ -23,6 +23,10 @@ tower_admin_password: changeme tower_broadcast_websocket_secret: changeme +# Secret to lookup that provide the secret key +# +tower_secret_key_secret: '' + # Add extra volumes to the AWX pod. Specify as literal block. E.g.: # tower_extra_volumes: | # - name: my-volume diff --git a/roles/installer/tasks/main.yml b/roles/installer/tasks/main.yml index 2ef5e4aa..30fad4a0 100644 --- a/roles/installer/tasks/main.yml +++ b/roles/installer/tasks/main.yml @@ -1,17 +1,6 @@ --- -- name: Check for existing secret key - k8s_info: - kind: Secret - namespace: '{{ meta.namespace }}' - name: '{{ meta.name }}-secret-key' - register: secret_key_resources - -- name: Deploy Tower Secret Key if needed - k8s: - apply: yes - definition: "{{ lookup('template', 'tower_secret.yaml.j2') }}" - register: k8s_tower_secret_result - when: secret_key_resources['resources'] | length < 1 +- name: Include secret key configuration tasks + include_tasks: secret_key_configuration.yml - name: Include database configuration tasks include_tasks: database_configuration.yml diff --git a/roles/installer/tasks/secret_key_configuration.yml b/roles/installer/tasks/secret_key_configuration.yml new file mode 100644 index 00000000..2188068c --- /dev/null +++ b/roles/installer/tasks/secret_key_configuration.yml 
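Review bot: The comment added above `tower_secret_key_secret` does not tell the operator what the referenced Secret must contain, yet the rest of this patch mounts it with `items: - key: secret_key`, so a Secret without that data key will not work. I would replace the two comment lines with `# Name of an existing Secret in the operator's namespace that provides the Tower SECRET_KEY.` and `# It must carry the key under data.secret_key; leave empty to have the operator generate one.` The current wording "Secret to lookup that provide" is also ungrammatical.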
@@ -0,0 +1,42 @@ +--- +- name: Check for specified secret key configuration + k8s_info: + kind: Secret + namespace: '{{ meta.namespace }}' + name: '{{ tower_secret_key_secret }}' + register: _custom_secret_key + when: tower_secret_key_secret | length + +- name: Check for default secret key configuration + k8s_info: + kind: Secret + namespace: '{{ meta.namespace }}' + name: '{{ meta.name }}-secret-key' + register: _default_secret_key + +- name: Set secret key secret + set_fact: + _secret_key_secret: '{{ _custom_secret_key["resources"] | default([]) | length | ternary(_custom_secret_key, _default_secret_key) }}' + +- block: + - name: Create secret key secret + k8s: + apply: true + definition: "{{ lookup('template', 'tower_secret.yaml.j2') }}" + + - name: Read secret key secret + k8s_info: + kind: Secret + namespace: '{{ meta.namespace }}' + name: '{{ meta.name }}-secret-key' + register: _generated_secret_key + + when: not _secret_key_secret['resources'] | default([]) | length + +- name: Set secret key secret + set_fact: + secret_key_secret: '{{ _generated_secret_key["resources"] | default([]) | length | ternary(_generated_secret_key, _secret_key_secret) }}' + +- name: Store secret key secret name + set_fact: + secret_key_secret_name: "{{ secret_key_secret['resources'][0]['metadata']['name'] }}" diff --git a/roles/installer/templates/tower.yaml.j2 b/roles/installer/templates/tower.yaml.j2 index 8f7a4314..bbc47300 100644 --- a/roles/installer/templates/tower.yaml.j2 +++ b/roles/installer/templates/tower.yaml.j2 @@ -54,7 +54,7 @@ spec: - name: "{{ meta.name }}-application-credentials" mountPath: "/etc/tower/conf.d/" readOnly: true - - name: {{ meta.name }}-secret-key + - name: "{{ secret_key_secret_name }}" mountPath: /etc/tower/SECRET_KEY subPath: SECRET_KEY readOnly: true 
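Review bot: When `tower_secret_key_secret` names a Secret that does not exist in `{{ meta.namespace }}`, the first `k8s_info` registers an empty `resources` list and the `ternary` in the first "Set secret key secret" task silently falls back to the default lookup, so a typo in the variable ends with the operator generating its own key and the pod being handed a SECRET_KEY the operator never chose. The same silent path is taken when the Secret exists but lacks the `secret_key` data key that tower.yaml.j2 mounts, which then surfaces only later as a pod volume failure. I would fail fast right after the custom lookup, as below; the whole new file is visible in this hunk. Separately, two tasks share the name "Set secret key secret", which makes play output ambiguous; `Select custom or default secret key secret` and `Select generated or existing secret key secret` would distinguish them.
```yaml
  register: _custom_secret_key
  when: tower_secret_key_secret | length

- name: Fail when the specified secret key Secret is unusable
  fail:
    msg: >-
      Secret '{{ tower_secret_key_secret }}' in namespace '{{ meta.namespace }}'
      was not found or has no 'secret_key' data key; refusing to fall back
      to a generated SECRET_KEY.
  when:
    - tower_secret_key_secret | length
    - >-
      (_custom_secret_key.resources | default([]) | length == 0)
      or ('secret_key' not in (_custom_secret_key.resources[0].data | default({})))

# … unchanged: default Secret lookup, generation block, secret_key_secret_name fact …
```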
@@ -112,7 +112,7 @@ spec: - name: "{{ meta.name }}-application-credentials" mountPath: "/etc/tower/conf.d/" readOnly: true - - name: {{ meta.name }}-secret-key + - name: "{{ secret_key_secret_name }}" mountPath: /etc/tower/SECRET_KEY subPath: SECRET_KEY readOnly: true @@ -168,9 +168,9 @@ spec: path: 'credentials.py' - key: environment_sh path: 'environment.sh' - - name: {{ meta.name }}-secret-key + - name: "{{ secret_key_secret_name }}" secret: - secretName: '{{ meta.name }}-secret-key' + secretName: '{{ secret_key_secret_name }}' items: - key: secret_key path: SECRET_KEY
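Review bot: In the @@ -168 hunk the volume `name` is now the raw Secret name, but Kubernetes requires a volume name to be a DNS-1123 label (at most 63 characters, no dots) while a Secret name may be a DNS subdomain of up to 253 characters containing dots, so a user-supplied `tower_secret_key_secret` such as `awx.prod.secret-key` renders a pod spec the API server rejects. Only `secretName` needs the variable; I would keep the volume name fixed, `- name: "{{ meta.name }}-secret-key"` here and at the two volumeMounts earlier in the file, with `secretName: '{{ secret_key_secret_name }}'` as the only templated field. This assumes no validation of the variable happens before templating, which the patch does not show.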