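---
# =============================================================================
# CONVERGE - build and run the test scenarios
# =============================================================================
# Runs on the molecule host (localhost) and drives the `ansible-controller`
# container via community.docker.docker_container_exec. The vault secrets file
# is decrypted in place under the container's /workspace for the duration of
# the run, so everything after the decrypt sits in a block whose `always:`
# section re-encrypts it even when an intermediate task fails.
- hosts: localhost
  gather_facts: false
  vars:
    # Preset from the MOLECULE_PRESET environment variable, or "default".
    # lookup('env') yields '' (not undefined) when the variable is unset, so
    # default() needs its second argument to also replace empty values;
    # without it preset_file would become ".../presets/.yml".
    preset_name: "{{ lookup('env', 'MOLECULE_PRESET') | default('default', true) }}"
    preset_file: "/workspace/molecule/presets/{{ preset_name }}.yml"

    # Paths as seen inside the ansible-controller container.
    vault_password_file: /workspace/vault/.vault
    vault_secrets_file: /workspace/vault/secrets.yml

    # Files/globs that need to be temporarily decrypted.
    # NOTE: only vault_secrets_file is encrypted/decrypted by the tasks below;
    # the remaining entries are currently reported in the summary only.
    vault_targets:
      - /workspace/vault/secrets.yml
      - /workspace/vault/secret.yml
      - /workspace/files/playbooks/group_vars/*/vault.yml
      - /workspace/files/playbooks/host_vars/*/vault.yml
      - /workspace/roles/**/vars/vault.yml

    # Shell snippet that classifies the secrets file as ENCRYPTED, PLAINTEXT
    # or NOT_FOUND. Only the first line is inspected: an ansible-vault file
    # starts with the "$ANSIBLE_VAULT;" header, and grepping the whole file
    # would misreport a plaintext file that merely mentions the string.
    vault_state_script: |
      if [ -f "{{ vault_secrets_file }}" ]; then
        if head -n 1 "{{ vault_secrets_file }}" | grep -qF "ANSIBLE_VAULT;"; then
          echo "ENCRYPTED"
        else
          echo "PLAINTEXT"
        fi
      else
        echo "NOT_FOUND"
      fi

  tasks:
    # =========================================================================
    # SETUP - load configuration and prepare
    # =========================================================================
    - name: Configuration setup
      ansible.builtin.debug:
        msg: |
          ================================================================================
          НАСТРОЙКА - Загрузка конфигурации и подготовка
          ================================================================================
          Preset: {{ preset_name }}
          ================================================================================

    # NOTE(review): the `is file` test is evaluated on the molecule host, not
    # inside the container — confirm /workspace/molecule/presets is visible there.
    - name: Load preset configuration
      ansible.builtin.include_vars: "{{ preset_file }}"
      when: preset_file is file
      ignore_errors: true

    # - name: Install collections
    #   community.docker.docker_container_exec:
    #     container: ansible-controller
    #     command: bash -lc "ansible-galaxy collection install -r /workspace/requirements.yml --force --no-deps --upgrade >/dev/null 2>&1 || true"

    # =========================================================================
    # VAULT - work with the encrypted files
    # =========================================================================
    - name: Vault operations
      ansible.builtin.debug:
        msg: |
          ================================================================================
          VAULT - Работа с зашифрованными файлами
          ================================================================================
          Files: {{ vault_targets | length }} targets
          ================================================================================

    # The block/always pairing guarantees the re-encryption below runs no
    # matter how the tasks in between end; a plaintext secrets.yml must not
    # outlive this play in the (bind-mounted) workspace.
    - name: Vault-protected section
      block:
        - name: Check if vault file is encrypted
          community.docker.docker_container_exec:
            container: ansible-controller
            command: "bash -c '{{ vault_state_script }}'"
          register: vault_status
          ignore_errors: true

        # default('') keeps the condition defined when the check above failed:
        # with ignore_errors the registered result may carry no stdout.
        - name: Encrypt vault file if plaintext
          community.docker.docker_container_exec:
            container: ansible-controller
            command: |
              bash -c '
              if [ -f "{{ vault_password_file }}" ] && [ -f "{{ vault_secrets_file }}" ]; then
                ansible-vault encrypt --encrypt-vault-id default \
                  --vault-password-file "{{ vault_password_file }}" "{{ vault_secrets_file }}"
              fi
              '
          when: vault_status.stdout | default('') == "PLAINTEXT"
          ignore_errors: true

        # From here on a plaintext secrets.yml exists in /workspace until the
        # `always:` section re-encrypts it.
        - name: Preflight vault — normalize state (encrypt if plaintext, then decrypt)
          community.docker.docker_container_exec:
            container: ansible-controller
            command: |
              bash -c '
              if [ -f "{{ vault_password_file }}" ] && [ -f "{{ vault_secrets_file }}" ]; then
                ansible-vault decrypt --vault-password-file "{{ vault_password_file }}" "{{ vault_secrets_file }}"
              fi
              '
          ignore_errors: true

        # =====================================================================
        # PLAYBOOK - run the main playbook
        # =====================================================================
        - name: Playbook execution
          ansible.builtin.debug:
            msg: |
              ================================================================================
              PLAYBOOK - Запуск основного playbook
              ================================================================================
              File: /workspace/molecule/default/site.yml
              ================================================================================

        # The inventory content is echoed into the job log; keep credentials
        # out of hosts.ini (vault them) so they do not end up in CI output.
        - name: Debug - Check files in container
          community.docker.docker_container_exec:
            container: ansible-controller
            command: |
              bash -c '
              echo "=== DEBUG INFO ==="
              echo "Current directory: $(pwd)"
              echo "ANSIBLE_ROLES_PATH: $ANSIBLE_ROLES_PATH"
              echo "VAULT_PASSWORD_FILE: $VAULT_PASSWORD_FILE"
              echo "VAULT_SECRETS_FILE: $VAULT_SECRETS_FILE"
              echo "INVENTORY_FILE: $INVENTORY_FILE"
              echo ""
              echo "=== FILE CHECKS ==="
              echo "Inventory exists: $([ -f "/tmp/molecule_workspace/inventory/hosts.ini" ] && echo "YES" || echo "NO")"
              echo "Vault password exists: $([ -f "/workspace/vault/.vault" ] && echo "YES" || echo "NO")"
              echo "Vault secrets exists: $([ -f "/workspace/vault/secrets.yml" ] && echo "YES" || echo "NO")"
              echo "Site.yml exists: $([ -f "/workspace/molecule/default/site.yml" ] && echo "YES" || echo "NO")"
              echo ""
              echo "=== DIRECTORY LISTING ==="
              ls -la /tmp/molecule_workspace/ || echo "No molecule_workspace dir"
              ls -la /workspace/vault/ || echo "No vault dir"
              echo ""
              echo "=== INVENTORY CONTENT ==="
              cat /tmp/molecule_workspace/inventory/hosts.ini || echo "Cannot read inventory"
              '

        # - name: Run lab playbook
        #   community.docker.docker_container_exec:
        #     container: ansible-controller
        #     command: |
        #       bash -c '
        #       set -e
        #       export ANSIBLE_ROLES_PATH=/workspace/roles
        #       export VAULT_PASSWORD_FILE="/workspace/vault/.vault"
        #       export VAULT_SECRETS_FILE="/workspace/vault/secrets.yml"
        #       export INVENTORY_FILE="/tmp/molecule_workspace/inventory/hosts.ini"
        #       echo "Starting playbook execution..."
        #       if [ -f "$VAULT_PASSWORD_FILE" ] && [ -f "$VAULT_SECRETS_FILE" ]; then
        #         echo "Running with vault..."
        #         ansible-playbook -i "$INVENTORY_FILE" /workspace/molecule/default/site.yml --vault-password-file "$VAULT_PASSWORD_FILE" -e "vault_file_path=$VAULT_SECRETS_FILE" -v
        #       else
        #         echo "Running without vault..."
        #         ansible-playbook -i "$INVENTORY_FILE" /workspace/molecule/default/site.yml -v
        #       fi
        #       echo "Playbook completed successfully"
        #       '

      always:
        # =====================================================================
        # CLEANUP - re-encrypt the files after the run
        # =====================================================================
        - name: Cleanup operations
          ansible.builtin.debug:
            msg: |
              ================================================================================
              CLEANUP - Перешифровка файлов после выполнения
              ================================================================================
              Re-encrypting vault files
              ================================================================================

        - name: Post-run — re-encrypt secrets
          community.docker.docker_container_exec:
            container: ansible-controller
            command: |
              bash -c '
              if [ -f "{{ vault_password_file }}" ] && [ -f "{{ vault_secrets_file }}" ]; then
                ansible-vault encrypt --encrypt-vault-id default \
                  --vault-password-file "{{ vault_password_file }}" "{{ vault_secrets_file }}"
              fi
              '
          ignore_errors: true

        # The re-encrypt above stays best-effort; this pair turns a leftover
        # plaintext secrets file into a loud failure instead of a silent one.
        - name: Post-run — check secrets file state
          community.docker.docker_container_exec:
            container: ansible-controller
            command: "bash -c '{{ vault_state_script }}'"
          register: vault_final_status
          ignore_errors: true

        - name: Post-run — fail if secrets file is still plaintext
          ansible.builtin.fail:
            msg: "{{ vault_secrets_file }} is still PLAINTEXT after cleanup — re-encrypt it before committing."
          when: vault_final_status.stdout | default('') == "PLAINTEXT"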