--- - name: Create Temporary secrets file tempfile: state: file suffix: .json register: tmp_secrets - name: Get secret definition from pvc k8s_cp: namespace: "{{ backup_pvc_namespace }}" pod: "{{ ansible_operator_meta.name }}-db-management" container: "{{ ansible_operator_meta.name }}-db-management" remote_path: "{{ backup_dir }}/secrets.yml" local_path: "{{ tmp_secrets.path }}" state: from_pod no_log: "{{ no_log }}" - name: Include secret vars from backup include_vars: "{{ tmp_secrets.path }}" no_log: "{{ no_log }}" - name: If deployment is managed, set the new postgres_configuration_secret name block: - name: Set new postgres_configuration_secret name set_fact: _generated_pg_secret_name: "{{ deployment_name }}-postgres-configuration" - name: Override postgres_configuration_secret set_fact: spec: "{{ spec | combine({'postgres_configuration_secret': _generated_pg_secret_name}, recursive=True) }}" when: secrets['postgresConfigurationSecret']['data']['type'] | b64decode == 'managed' - name: If deployment is managed, set the database_host in the pg config secret block: - name: Set new database host set_fact: database_host: "{{ deployment_name }}-postgres-{{ supported_pg_version }}" no_log: "{{ no_log }}" - name: Set tmp postgres secret dict set_fact: _pg_secret: "{{ secrets['postgresConfigurationSecret'] }}" no_log: "{{ no_log }}" - name: Change postgres host and name value set_fact: _pg_data: "{{ _pg_secret['data'] | combine({'host': database_host | b64encode }) }}" _pg_secret_name: "{{ deployment_name }}-postgres-configuration" no_log: "{{ no_log }}" - name: Override postgres secret name set_fact: _pg_secret: "{{ _pg_secret | combine({'name': _pg_secret_name}) }}" no_log: "{{ no_log }}" - name: Override postgres secret host with new Postgres service set_fact: _pg_secret: "{{ _pg_secret | combine({'data': _pg_data}) }}" no_log: "{{ no_log }}" - name: Create a new dict of secrets with the new postgres secret set_fact: secrets: "{{ secrets | combine({'postgresConfigurationSecret': _pg_secret}) }}" no_log: "{{ no_log }}" when: secrets['postgresConfigurationSecret']['data']['type'] | b64decode == 'managed' - name: Set new receptor secret names set_fact: previous_receptor_ca_name: "{{ previous_deployment_name }}-receptor-ca" previous_receptor_tls_name: "{{ previous_deployment_name }}-receptor-work-signing" no_log: "{{ no_log }}" - name: Set new name for receptor secrets using deployment_name block: - name: Set new receptor secret names set_fact: receptor_ca_name: "{{ deployment_name }}-receptor-ca" receptor_work_signing_name: "{{ deployment_name }}-receptor-work-signing" no_log: "{{ no_log }}" - name: Set tmp dict for receptor secrets set_fact: _ca_secret: "{{ secrets[previous_receptor_ca_name] }}" _work_signing_secret: "{{ secrets[previous_receptor_tls_name] }}" no_log: "{{ no_log }}" - name: Change receptor secret names in tmp dict set_fact: _ca_secret_name: "{{ _ca_secret | combine({ 'name': receptor_ca_name }) }}" _work_signing_secret_name: "{{ _work_signing_secret | combine({ 'name': receptor_work_signing_name}) }}" no_log: "{{ no_log }}" - name: Create a new dict of receptor secrets with updated names set_fact: secrets: "{{ secrets | combine({previous_receptor_ca_name: _ca_secret_name, previous_receptor_tls_name: _work_signing_secret_name}) }}" no_log: "{{ no_log }}" - name: Apply secret k8s: state: present namespace: "{{ ansible_operator_meta.namespace }}" apply: yes wait: yes definition: "{{ lookup('template', 'secrets.yml.j2') }}" no_log: "{{ no_log }}" - name: Remove ownerReference on restored secrets k8s: definition: apiVersion: v1 kind: Secret metadata: name: "{{ item.value.name }}" namespace: '{{ ansible_operator_meta.namespace }}' ownerReferences: null loop: "{{ secrets | dict2items }}" no_log: "{{ no_log }}"