awx-operator/roles/backup/tasks/secrets.yml

---

- name: Dump (generated) secret names from statuses and data into file
  include_tasks: dump_generated_secret.yml
  with_items:
    - secretKeySecret
    - adminPasswordSecret
    - broadcastWebsocketSecret
    - postgresConfigurationSecret

- name: Dump secret names from awx spec and data into file
  include_tasks: dump_secret.yml
  loop:
    - route_tls_secret
    # ingress_tls_secret is deprecated in favor of ingress_hosts.tls_secret
    - ingress_tls_secret
    # LDAP is deprecated
    - ldap_cacert_secret
    - bundle_cacert_secret
    - ee_pull_credentials_secret

- name: Dump ingress tls secret names from awx spec and data into file
  include_tasks: dump_ingress_tls_secrets.yml
  with_items: "{{ awx_spec.spec['ingress_hosts'] | default([]) | selectattr('tls_secret', 'defined') | map(attribute='tls_secret') | list }}"

- name: Dump receptor secret names and data into file
  include_tasks: dump_receptor_secrets.yml
  loop:
    - '{{ deployment_name }}-receptor-ca'
    - '{{ deployment_name }}-receptor-work-signing'

# image_pull_secret is deprecated in favor of image_pull_secrets
- name: Dump image_pull_secret into file
  include_tasks: dump_secret.yml
  with_items:
    - image_pull_secret
  when: image_pull_secret is defined

- name: Dump image_pull_secrets into file
  include_tasks: dump_secret.yml
  with_items:
    - image_pull_secrets
  when: image_pull_secrets | default([]) | length

- name: Nest secrets under a single variable
  set_fact:
    secrets: {"secrets": '{{ secret_dict }}'}
  no_log: "{{ no_log }}"

- name: Write postgres configuration to pvc
  k8s_cp:
    namespace: "{{ backup_pvc_namespace }}"
    pod: "{{ ansible_operator_meta.name }}-db-management"
    container: "{{ ansible_operator_meta.name }}-db-management"
    remote_path: "{{ backup_dir }}/secrets.yml"
    content: "{{ secrets | to_yaml }}"
  no_log: "{{ no_log }}"