awx-operator/roles/restore/tasks/secrets.yml

---

- name: Create Temporary secrets file
  tempfile:
    state: file
    suffix: .json
  register: tmp_secrets

- name: Get secret definition from pvc
  k8s_cp:
    namespace: "{{ backup_pvc_namespace }}"
    pod: "{{ ansible_operator_meta.name }}-db-management"
    container: "{{ ansible_operator_meta.name }}-db-management"
    remote_path: "{{ backup_dir  }}/secrets.yml"
    local_path: "{{ tmp_secrets.path }}"
    state: from_pod
  no_log: "{{ no_log }}"

- name: Include secret vars from backup
  include_vars: "{{ tmp_secrets.path }}"
  no_log: "{{ no_log }}"

- name: If deployment is managed, set the new postgres_configuration_secret name
  block:
  - name: Set new postgres_configuration_secret name
    set_fact:
      _generated_pg_secret_name: "{{ deployment_name }}-postgres-configuration"

  - name: Override postgres_configuration_secret
    set_fact:
      spec:
        "{{ spec | combine({'postgres_configuration_secret': _generated_pg_secret_name}, recursive=True) }}"
  when: secrets['postgresConfigurationSecret']['data']['type'] | b64decode == 'managed'

- name: If deployment is managed, set the database_host in the pg config secret
  block:
    - name: Set new database host
      set_fact:
        database_host: "{{ deployment_name }}-postgres-{{ supported_pg_version }}"
      no_log: "{{ no_log }}"

    - name: Set tmp postgres secret dict
      set_fact:
        _pg_secret: "{{ secrets['postgresConfigurationSecret'] }}"
      no_log: "{{ no_log }}"

    - name: Change postgres host and name value
      set_fact:
        _pg_data: "{{ _pg_secret['data'] | combine({'host': database_host | b64encode }) }}"
        _pg_secret_name: "{{ deployment_name }}-postgres-configuration"
      no_log: "{{ no_log }}"

    - name: Override postgres secret name
      set_fact:
        _pg_secret: "{{ _pg_secret | combine({'name': _pg_secret_name}) }}"
      no_log: "{{ no_log }}"

    - name: Override postgres secret host with new Postgres service
      set_fact:
        _pg_secret: "{{ _pg_secret | combine({'data': _pg_data}) }}"
      no_log: "{{ no_log }}"

    - name: Create a new dict of secrets with the new postgres secret
      set_fact:
        secrets: "{{ secrets | combine({'postgresConfigurationSecret': _pg_secret}) }}"
      no_log: "{{ no_log }}"
  when: secrets['postgresConfigurationSecret']['data']['type'] | b64decode == 'managed'

- name: Set new receptor secret names
  set_fact:
    previous_receptor_ca_name: "{{ previous_deployment_name }}-receptor-ca"
    previous_receptor_tls_name: "{{ previous_deployment_name }}-receptor-work-signing"
  no_log: "{{ no_log }}"

- name: Set new name for receptor secrets using deployment_name
  block:
    - name: Set new receptor secret names
      set_fact:
        receptor_ca_name: "{{ deployment_name }}-receptor-ca"
        receptor_work_signing_name: "{{ deployment_name }}-receptor-work-signing"
      no_log: "{{ no_log }}"

    - name: Set tmp dict for receptor secrets
      set_fact:
        _ca_secret: "{{ secrets[previous_receptor_ca_name] }}"
        _work_signing_secret: "{{ secrets[previous_receptor_tls_name] }}"
      no_log: "{{ no_log }}"

    - name: Change receptor secret names in tmp dict
      set_fact:
        _ca_secret_name: "{{ _ca_secret | combine({ 'name': receptor_ca_name }) }}"
        _work_signing_secret_name: "{{ _work_signing_secret | combine({ 'name': receptor_work_signing_name}) }}"
      no_log: "{{ no_log }}"

    - name: Create a new dict of receptor secrets with updated names
      set_fact:
        secrets: "{{ secrets | combine({previous_receptor_ca_name: _ca_secret_name, previous_receptor_tls_name: _work_signing_secret_name}) }}"
      no_log: "{{ no_log }}"

- name: Apply secret
  k8s:
    state: present
    namespace: "{{ ansible_operator_meta.namespace }}"
    apply: yes
    wait: yes
    definition: "{{ lookup('template', 'secrets.yml.j2') }}"
  no_log: "{{ no_log }}"

- name: Remove ownerReference on restored secrets
  k8s:
    definition:
      apiVersion: v1
      kind: Secret
      metadata:
        name: "{{ item.value.name }}"
        namespace: '{{ ansible_operator_meta.namespace }}'
        ownerReferences: null
  loop: "{{ secrets | dict2items }}"
  no_log: "{{ no_log }}"