awx-operator/roles/backup/tasks/secrets.yml
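---
# Back up the AWX secret key and admin password so they can be recreated as
# Kubernetes Secrets (possibly under a different name/namespace) on restore.
#
# TODO: Get Secret_key value/s
# TODO: Store Secret_key value/s in a way that can be made into another secret upon restore
# The general idea here is that the user provides the name for the current deployment,
# we grab secrets based on that, then when it is restored, we restore to whatever
# name/namespace is specified at the time of restore
#
# Handling notes:
#  - The decoded values are written only into a 0700 scratch directory under
#    playbook_dir, with 0600 files.
#  - Every task that registers, sets or templates a secret value runs with
#    `no_log: true`, otherwise the raw values show up in task output at -v and
#    the rendered files show up in `--diff` output.
#  - The scratch directory is removed in an `always` section so decoded secrets
#    do not linger on disk when an earlier task fails.
- name: Back up deployment secrets
  block:
    - name: Make _secrets directory
      ansible.builtin.file:
        path: "{{ playbook_dir }}/_secrets"
        state: directory
        mode: '0700'

    - name: Get secret_key
      k8s_info:
        kind: Secret
        namespace: '{{ meta.namespace }}'
        name: '{{ tower_secret_key_secret }}'
      register: _secret_key
      no_log: true

    # Fail with a clear message instead of an opaque "list index out of range"
    # when the named secret is missing or has no secret_key entry.
    - name: Check that the secret_key secret was found
      ansible.builtin.assert:
        that:
          - _secret_key.resources | length > 0
          - "'secret_key' in (_secret_key.resources[0].data | default({}))"
        fail_msg: "Secret '{{ tower_secret_key_secret }}' in namespace '{{ meta.namespace }}' was not found or has no 'secret_key' entry"

    - name: Set secret key
      ansible.builtin.set_fact:
        secret_key: "{{ _secret_key['resources'][0]['data']['secret_key'] | b64decode }}"
      no_log: true

    - name: Template secret_key definition
      ansible.builtin.template:
        src: secret_key.yml.j2
        dest: "{{ playbook_dir }}/_secrets/secrets.yml"
        mode: '0600'
      no_log: true
      # dest: pvc # potentially just do a copy task, loop through definition files

    - name: Get admin_password
      k8s_info:
        kind: Secret
        namespace: '{{ meta.namespace }}'
        name: '{{ tower_admin_password_secret }}'
      register: _admin_password
      no_log: true
      # TODO: check if admin_password secret name is provided, and check for that? use defaults.yml

    - name: Check that the admin_password secret was found
      ansible.builtin.assert:
        that:
          - _admin_password.resources | length > 0
          - "'password' in (_admin_password.resources[0].data | default({}))"
        fail_msg: "Secret '{{ tower_admin_password_secret }}' in namespace '{{ meta.namespace }}' was not found or has no 'password' entry"

    - name: Set admin_password
      ansible.builtin.set_fact:
        admin_password: "{{ _admin_password['resources'][0]['data']['password'] | b64decode }}"
      no_log: true

    - name: Template admin_password definition
      ansible.builtin.template:
        src: admin_password.yml.j2
        dest: "{{ playbook_dir }}/_secrets/admin_password.yml"
        mode: '0600'
      no_log: true

    # TODO: Secrets to back up: tower-secret-key, tower1-admin-password, tower1-app-credentials, tower1-broadcast-websocket, tower1-dockercfg-q8qd2, tower1-postgres-configuration
    # Do we need the service-account-token? probably? `tower1-token-hn2hm`, tower1-token-slllw

  always:
    # After copying secret files to the PVC, delete the local tmp copies.
    # Runs even if a task above failed so decoded secrets are not left behind.
    - name: Clean up _secrets directory
      ansible.builtin.file:
        path: "{{ playbook_dir }}/_secrets"
        state: absent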