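---
# =============================================================================
# CONVERGE - Build and run test scenarios
# =============================================================================
- hosts: localhost
  gather_facts: false
  vars:
    # Preset name from the environment, or "default".
    # The second argument to default() (true) makes the fallback apply to an
    # empty value as well: lookup('env') returns "" (not undefined) when
    # MOLECULE_PRESET is unset, so without it preset_file resolved to
    # "/workspace/molecule/presets/.yml".
    preset_name: "{{ lookup('env', 'MOLECULE_PRESET') | default('default', true) }}"
    preset_file: "/workspace/molecule/presets/{{ preset_name }}.yml"
    # Files/globs that are meant to be temporarily decrypted.
    # NOTE(review): only /workspace/vault/secrets.yml is handled by the tasks
    # below; the remaining entries are listed but never acted on, so the
    # "targets" count printed in the VAULT banner overstates what happens.
    vault_targets:
      - /workspace/vault/secrets.yml
      - /workspace/vault/secret.yml
      - /workspace/files/playbooks/group_vars/*/vault.yml
      - /workspace/files/playbooks/host_vars/*/vault.yml
      - /workspace/roles/**/vars/vault.yml

  tasks:
    # =========================================================================
    # SETUP - load configuration and prepare
    # =========================================================================
    - name: Configuration setup
      debug:
        msg: |
          ================================================================================
          НАСТРОЙКА - Загрузка конфигурации и подготовка
          ================================================================================
          Preset: {{ preset_name }}
          ================================================================================

    # The preset is optional: skipped when the file is absent; a malformed
    # preset is reported but does not stop the run.
    - name: Load preset configuration
      include_vars: "{{ preset_file }}"
      when: preset_file is file
      ignore_errors: true

    # - name: Install collections
    #   community.docker.docker_container_exec:
    #     container: ansible-controller
    #     command: bash -lc "ansible-galaxy collection install -r /workspace/requirements.yml --force --no-deps --upgrade >/dev/null 2>&1 || true"

    # =========================================================================
    # VAULT - handling encrypted files
    # =========================================================================
    - name: Vault operations
      debug:
        msg: |
          ================================================================================
          VAULT - Работа с зашифрованными файлами
          ================================================================================
          Files: {{ vault_targets | length }} targets
          ================================================================================

    # Reports ENCRYPTED / PLAINTEXT / NOT_FOUND for secrets.yml by grepping for
    # the ANSIBLE_VAULT marker. Registered as vault_status for the next task.
    - name: Check if vault file is encrypted
      community.docker.docker_container_exec:
        container: ansible-controller
        command: >-
          bash -c 'if [ -f "/workspace/vault/secrets.yml" ]; then
          grep -q "ANSIBLE_VAULT" /workspace/vault/secrets.yml && echo "ENCRYPTED" || echo "PLAINTEXT";
          else echo "NOT_FOUND"; fi'
      register: vault_status
      changed_when: false
      ignore_errors: true

    # Normalise a plaintext secrets.yml to encrypted before the run so that the
    # post-run state is always "encrypted". The `when` is the only guard: the
    # shell string no longer re-checks a templated vault_status value, and
    # default('') keeps the condition defined if the check task itself failed
    # and left no stdout.
    - name: Encrypt vault file if plaintext
      community.docker.docker_container_exec:
        container: ansible-controller
        command: >-
          bash -c 'VAULT_PASSWORD_FILE="/workspace/vault/.vault";
          if [ -f "$VAULT_PASSWORD_FILE" ] && [ -f "/workspace/vault/secrets.yml" ]; then
          ansible-vault encrypt --encrypt-vault-id default --vault-password-file "$VAULT_PASSWORD_FILE" /workspace/vault/secrets.yml;
          fi'
      when: vault_status.stdout | default('') == "PLAINTEXT"
      ignore_errors: true

    # secrets.yml is decrypted in place inside the container's /workspace for
    # the duration of the run. Everything that needs the plaintext lives in
    # this block; the `always` section re-encrypts the file even when a task in
    # the block fails, which the previous flat task list did not guarantee.
    - name: Run with vault temporarily decrypted
      block:
        # Best-effort as before: a decrypt failure (e.g. wrong password file)
        # is reported but the run continues; `always` still runs afterwards.
        - name: Preflight vault — decrypt secrets for the run
          community.docker.docker_container_exec:
            container: ansible-controller
            command: >-
              bash -c 'VAULT_PASSWORD_FILE="/workspace/vault/.vault";
              if [ -f "$VAULT_PASSWORD_FILE" ] && [ -f "/workspace/vault/secrets.yml" ]; then
              ansible-vault decrypt --vault-password-file "$VAULT_PASSWORD_FILE" /workspace/vault/secrets.yml;
              fi'
          ignore_errors: true

        # =====================================================================
        # PLAYBOOK - run the main playbook
        # =====================================================================
        - name: Playbook execution
          debug:
            msg: |
              ================================================================================
              PLAYBOOK - Запуск основного playbook
              ================================================================================
              File: /workspace/molecule/default/site.yml
              ================================================================================

        # Prints paths, existence checks, directory listings and the inventory
        # file; it does not print the contents of the vault password or secrets.
        - name: Debug - Check files in container
          community.docker.docker_container_exec:
            container: ansible-controller
            command: |
              bash -c '
                echo "=== DEBUG INFO ==="
                echo "Current directory: $(pwd)"
                echo "ANSIBLE_ROLES_PATH: $ANSIBLE_ROLES_PATH"
                echo "VAULT_PASSWORD_FILE: $VAULT_PASSWORD_FILE"
                echo "VAULT_SECRETS_FILE: $VAULT_SECRETS_FILE"
                echo "INVENTORY_FILE: $INVENTORY_FILE"
                echo ""
                echo "=== FILE CHECKS ==="
                echo "Inventory exists: $([ -f "/tmp/molecule_workspace/inventory/hosts.ini" ] && echo "YES" || echo "NO")"
                echo "Vault password exists: $([ -f "/workspace/vault/.vault" ] && echo "YES" || echo "NO")"
                echo "Vault secrets exists: $([ -f "/workspace/vault/secrets.yml" ] && echo "YES" || echo "NO")"
                echo "Site.yml exists: $([ -f "/workspace/molecule/default/site.yml" ] && echo "YES" || echo "NO")"
                echo ""
                echo "=== DIRECTORY LISTING ==="
                ls -la /tmp/molecule_workspace/ || echo "No molecule_workspace dir"
                ls -la /workspace/vault/ || echo "No vault dir"
                echo ""
                echo "=== INVENTORY CONTENT ==="
                cat /tmp/molecule_workspace/inventory/hosts.ini || echo "Cannot read inventory"
              '

        # NOTE(review): the commented run passes --vault-password-file to
        # ansible-playbook, so it would presumably read secrets.yml while still
        # encrypted; if it is reinstated, the in-place decrypt/re-encrypt may
        # become unnecessary — verify against site.yml. Its `set -e` means a
        # failing play aborts the command; being inside this block, the
        # `always` re-encryption below still runs in that case.
        # - name: Run lab playbook
        #   community.docker.docker_container_exec:
        #     container: ansible-controller
        #     command: |
        #       bash -c '
        #         set -e
        #         export ANSIBLE_ROLES_PATH=/workspace/roles
        #         export VAULT_PASSWORD_FILE="/workspace/vault/.vault"
        #         export VAULT_SECRETS_FILE="/workspace/vault/secrets.yml"
        #         export INVENTORY_FILE="/tmp/molecule_workspace/inventory/hosts.ini"
        #         echo "Starting playbook execution..."
        #         if [ -f "$VAULT_PASSWORD_FILE" ] && [ -f "$VAULT_SECRETS_FILE" ]; then
        #           echo "Running with vault..."
        #           ansible-playbook -i "$INVENTORY_FILE" /workspace/molecule/default/site.yml --vault-password-file "$VAULT_PASSWORD_FILE" -e "vault_file_path=$VAULT_SECRETS_FILE" -v
        #         else
        #           echo "Running without vault..."
        #           ansible-playbook -i "$INVENTORY_FILE" /workspace/molecule/default/site.yml -v
        #         fi
        #         echo "Playbook completed successfully"
        #       '

      always:
        # =====================================================================
        # CLEANUP - re-encrypt files after the run
        # =====================================================================
        - name: Cleanup operations
          debug:
            msg: |
              ================================================================================
              CLEANUP - Перешифровка файлов после выполнения
              ================================================================================
              Re-encrypting vault files
              ================================================================================

        # Kept best-effort as before (ansible-vault errors if the file is
        # already encrypted, e.g. when the decrypt above was skipped); the
        # verification task below is what catches a file left in plaintext.
        - name: Post-run — re-encrypt secrets
          community.docker.docker_container_exec:
            container: ansible-controller
            command: >-
              bash -c 'VAULT_PASSWORD_FILE="/workspace/vault/.vault";
              if [ -f "$VAULT_PASSWORD_FILE" ] && [ -f "/workspace/vault/secrets.yml" ]; then
              ansible-vault encrypt --encrypt-vault-id default --vault-password-file "$VAULT_PASSWORD_FILE" /workspace/vault/secrets.yml;
              fi'
          ignore_errors: true

        # Fail the play rather than leave secrets.yml in plaintext on disk.
        # failed_when replaces the module's own failure decision, so the exec
        # rc is checked explicitly as well; NOT_FOUND and ENCRYPTED both pass.
        - name: Verify secrets are not left in plaintext
          community.docker.docker_container_exec:
            container: ansible-controller
            command: >-
              bash -c 'if [ -f "/workspace/vault/secrets.yml" ]; then
              grep -q "ANSIBLE_VAULT" /workspace/vault/secrets.yml && echo "ENCRYPTED" || echo "PLAINTEXT";
              else echo "NOT_FOUND"; fi'
          register: post_vault_status
          changed_when: false
          failed_when: >-
            post_vault_status.rc | default(1) != 0
            or post_vault_status.stdout | default('') == "PLAINTEXT"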