DevOpsTools/DevOpsLab
Template
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Обновление проекта

Browse Source
This commit is contained in:
Сергей Антропов
2025-10-30 01:10:35 +03:00
parent 2ce450215b
commit 981ede5c94
15 changed files with 440 additions and 1064 deletions
Download Patch File Download Diff File Expand all files Collapse all files

443
molecule/default/converge.yml
View File

@@ -8,16 +8,6 @@
# Получаем preset из переменной окружения или используем default
preset_name: "{{ lookup('env', 'MOLECULE_PRESET') | default('default') }}"
preset_file: "/workspace/molecule/presets/{{ preset_name }}.yml"
# перечисли файлы/глобы, которые нужно временно расшифровать
vault_targets:
- /workspace/vault/secrets.yml
- /workspace/vault/secret.yml
# - /workspace/files/playbooks/group_vars/*/vault.yml
# - /workspace/files/playbooks/host_vars/*/vault.yml
# - /workspace/roles/**/vars/vault.yml
# - /workspace/roles/*/defaults/*.yml
# - /workspace/files/**/*secret*.yml
tasks:
# =============================================================================
@@ -38,262 +28,197 @@
ignore_errors: true
# =============================================================================
# VAULT - Работа с зашифрованными файлами
# НАСТРОЙКА ЗАВЕРШЕНА - Переходим к подготовке контейнеров
# =============================================================================
- name: Vault operations
- name: Configuration loaded and proceed to container preparation
debug:
msg: |
================================================================================
VAULT - Работа с зашифрованными файлами
НАСТРОЙКА ЗАВЕРШЕНА
================================================================================
Files: {{ vault_targets | length }} targets
Конфигурация загружена. Далее выполняется подготовка контейнеров (ранее была в run.yml)
================================================================================
- name: Check vault files encryption status
community.docker.docker_container_exec:
container: ansible-controller
command: |
bash -c '
VAULT_TARGETS_JSON="{{ vault_targets | to_json }}"
VAULT_PASSWORD_FILE="/workspace/vault/.vault"
echo "=== CHECKING VAULT FILES ENCRYPTION STATUS ==="
# Парсим JSON массив и проверяем каждый файл
echo "$VAULT_TARGETS_JSON" | jq -r ".[]" | while read -r target; do
echo "Checking target: $target"
# Если это glob паттерн, находим файлы
if [[ "$target" == *"*"* ]]; then
for file in $target; do
if [ -f "$file" ]; then
echo "Found file: $file"
if grep -q "ANSIBLE_VAULT" "$file"; then
echo "ENCRYPTED: $file"
else
echo "PLAINTEXT: $file"
fi
fi
done
else
# Обычный файл
if [ -f "$target" ]; then
echo "Found file: $target"
if grep -q "ANSIBLE_VAULT" "$target"; then
echo "ENCRYPTED: $target"
else
echo "PLAINTEXT: $target"
fi
else
echo "NOT_FOUND: $target"
fi
fi
done
'
register: vault_status_check
ignore_errors: true
- name: Encrypt plaintext vault files
community.docker.docker_container_exec:
container: ansible-controller
command: |
bash -c '
VAULT_TARGETS_JSON="{{ vault_targets | to_json }}"
VAULT_PASSWORD_FILE="/workspace/vault/.vault"
echo "=== ENCRYPTING PLAINTEXT VAULT FILES ==="
if [ ! -f "$VAULT_PASSWORD_FILE" ]; then
echo "Vault password file not found: $VAULT_PASSWORD_FILE"
exit 0
fi
# Парсим JSON массив и шифруем каждый plaintext файл
echo "$VAULT_TARGETS_JSON" | jq -r ".[]" | while read -r target; do
echo "Processing target: $target"
# Если это glob паттерн, находим файлы
if [[ "$target" == *"*"* ]]; then
for file in $target; do
if [ -f "$file" ] && ! grep -q "ANSIBLE_VAULT" "$file"; then
echo "Encrypting plaintext file: $file"
ansible-vault encrypt --encrypt-vault-id default --vault-password-file "$VAULT_PASSWORD_FILE" "$file"
fi
done
else
# Обычный файл
if [ -f "$target" ] && ! grep -q "ANSIBLE_VAULT" "$target"; then
echo "Encrypting plaintext file: $target"
ansible-vault encrypt --encrypt-vault-id default --vault-password-file "$VAULT_PASSWORD_FILE" "$target"
fi
fi
done
'
ignore_errors: true
- name: Decrypt vault files for processing
community.docker.docker_container_exec:
container: ansible-controller
command: |
bash -c '
VAULT_TARGETS_JSON="{{ vault_targets | to_json }}"
VAULT_PASSWORD_FILE="/workspace/vault/.vault"
echo "=== DECRYPTING VAULT FILES FOR PROCESSING ==="
if [ ! -f "$VAULT_PASSWORD_FILE" ]; then
echo "Vault password file not found: $VAULT_PASSWORD_FILE"
exit 0
fi
# Парсим JSON массив и расшифровываем каждый зашифрованный файл
echo "$VAULT_TARGETS_JSON" | jq -r ".[]" | while read -r target; do
echo "Processing target: $target"
# Если это glob паттерн, находим файлы
if [[ "$target" == *"*"* ]]; then
for file in $target; do
if [ -f "$file" ] && grep -q "ANSIBLE_VAULT" "$file"; then
echo "Decrypting encrypted file: $file"
ansible-vault decrypt --vault-password-file "$VAULT_PASSWORD_FILE" "$file"
fi
done
else
# Обычный файл
if [ -f "$target" ] && grep -q "ANSIBLE_VAULT" "$target"; then
echo "Decrypting encrypted file: $target"
ansible-vault decrypt --vault-password-file "$VAULT_PASSWORD_FILE" "$target"
fi
fi
done
'
ignore_errors: true
# =============================================================================
# VAULT LOADING - Загрузка vault переменных из vault_targets
# =============================================================================
- name: Load vault variables from vault_targets
community.docker.docker_container_exec:
container: ansible-controller
command: |
bash -c '
VAULT_PASSWORD_FILE="/workspace/vault/.vault"
# Читаем vault_targets из переменных Ansible
VAULT_TARGETS_JSON="{{ vault_targets | to_json }}"
echo "=== VAULT LOADING ==="
echo "Vault password file: $VAULT_PASSWORD_FILE"
echo "Vault targets from Ansible: $VAULT_TARGETS_JSON"
# Создаем директории для vault файлов
mkdir -p /tmp/vault_files
# Создаем временный файл для объединения всех vault переменных
echo "---" > /tmp/vault_vars.yml
# Счетчик для обработки конфликтов
declare -A variable_sources
# Парсим JSON массив и обрабатываем каждый target
echo "$VAULT_TARGETS_JSON" | jq -r ".[]" | while read -r target; do
echo "Processing target: $target"
# Если это glob паттерн, находим файлы
if [[ "$target" == *"*"* ]]; then
for file in $target; do
if [ -f "$file" ]; then
echo "Found vault file: $file"
# Создаем копию файла в /tmp/vault_files для прямых ссылок
filename=$(basename "$file")
cp "$file" "/tmp/vault_files/$filename"
# Расшифровываем файл если нужно
if [ -f "$VAULT_PASSWORD_FILE" ]; then
echo "Loading encrypted vault file: $file"
ansible-vault view --vault-password-file "$VAULT_PASSWORD_FILE" "$file" > "/tmp/vault_files/${filename}.decrypted"
# Добавляем в объединенный файл с проверкой конфликтов
echo "---" >> /tmp/vault_vars.yml
echo "# From: $file" >> /tmp/vault_vars.yml
ansible-vault view --vault-password-file "$VAULT_PASSWORD_FILE" "$file" >> /tmp/vault_vars.yml
else
echo "Loading plain vault file: $file"
cp "$file" "/tmp/vault_files/${filename}.decrypted"
# Добавляем в объединенный файл с проверкой конфликтов
echo "---" >> /tmp/vault_vars.yml
echo "# From: $file" >> /tmp/vault_vars.yml
cat "$file" >> /tmp/vault_vars.yml
fi
fi
done
else
# Обычный файл
if [ -f "$target" ]; then
echo "Found vault file: $target"
# Создаем копию файла в /tmp/vault_files для прямых ссылок
filename=$(basename "$target")
cp "$target" "/tmp/vault_files/$filename"
# Расшифровываем файл если нужно
if [ -f "$VAULT_PASSWORD_FILE" ]; then
echo "Loading encrypted vault file: $target"
ansible-vault view --vault-password-file "$VAULT_PASSWORD_FILE" "$target" > "/tmp/vault_files/${filename}.decrypted"
# Добавляем в объединенный файл с проверкой конфликтов
echo "---" >> /tmp/vault_vars.yml
echo "# From: $target" >> /tmp/vault_vars.yml
ansible-vault view --vault-password-file "$VAULT_PASSWORD_FILE" "$target" >> /tmp/vault_vars.yml
else
echo "Loading plain vault file: $target"
cp "$target" "/tmp/vault_files/${filename}.decrypted"
# Добавляем в объединенный файл с проверкой конфликтов
echo "---" >> /tmp/vault_vars.yml
echo "# From: $target" >> /tmp/vault_vars.yml
cat "$target" >> /tmp/vault_vars.yml
fi
fi
fi
done
# Символические ссылки не нужны для работы, убираем их создание
echo "=== VAULT VARIABLES LOADED ==="
echo "Combined vault variables:"
cat /tmp/vault_vars.yml
echo ""
echo "Individual vault files available at:"
ls -la /tmp/vault_files/
'
ignore_errors: true
# =============================================================================
# LOAD VAULT VARIABLES - Загрузка vault переменных в Ansible
# =============================================================================
- name: Load vault variables into Ansible
include_vars:
file: /tmp/vault_vars.yml
ignore_errors: true
- name: Set vault files path
set_fact:
vault_files_path: /tmp/vault_files
when: vault_files_path is not defined
# =============================================================================
# CONVERGE ЗАВЕРШЕН - Playbook'и выполняются через Makefile
# =============================================================================
- name: Converge completed
# =============================================================================
# ПОДГОТОВКА КОНТЕЙНЕРОВ (бывший run.yml)
# =============================================================================
- name: Подготовка окружения для тестирования
hosts: all
become: true
tasks:
# Сброс цветовых кодов ANSI для корректного отображения
- name: Reset ANSI color codes
debug:
msg: |
================================================================================
CONVERGE ЗАВЕРШЕН
================================================================================
Vault переменные загружены и готовы к использованию
Playbook'и run.yml и roles/deploy.yml будут выполнены через Makefile
================================================================================
msg: "\033[0m"
changed_when: false
tags:
- setup
- color-reset
# Создание tmp директории для Ansible
- name: Create Ansible tmp directory
file:
path: /tmp/.ansible-tmp
state: directory
mode: '0755'
owner: root
group: root
tags:
- setup
- tmp
# Обновление кеша пакетов для Debian/Ubuntu
- name: Update package cache (Debian/Ubuntu)
apt:
update_cache: true
cache_valid_time: 3600
when: ansible_os_family == 'Debian'
changed_when: false
tags:
- setup
- update
# Обновление кеша пакетов для RHEL/CentOS/AlmaLinux/Rocky
- name: Update package cache (RHEL/CentOS/AlmaLinux/Rocky)
yum:
update_cache: true
when: ansible_os_family == 'RedHat'
changed_when: false
tags:
- setup
- update
# Обновление кеша пакетов для Alt Linux
- name: Update package cache (Alt Linux)
command: apt-get update
when: ansible_os_family == 'Altlinux'
changed_when: false
failed_when: false
tags:
- setup
- update
# Обновление кеша пакетов для Astra Linux
- name: Update package cache (Astra Linux)
command: apt-get update
when: ansible_os_family == 'Astra Linux'
changed_when: false
failed_when: false
tags:
- setup
- update
# Установка common tools для всех ОС
- name: Install common tools (Debian/Ubuntu)
apt:
name:
- curl
- jq
- ca-certificates
- iproute2
- iputils-ping
- procps
- net-tools
- vim
- wget
- unzip
- git
- sudo
state: present
update_cache: false
when: ansible_os_family == 'Debian'
no_log: true
tags:
- setup
- tools
- name: Install common tools (RHEL/CentOS/AlmaLinux/Rocky)
yum:
name:
- curl
- jq
- ca-certificates
- iproute
- iputils
- procps-ng
- net-tools
- vim
- wget
- unzip
- git
- sudo
state: present
when: ansible_os_family == 'RedHat'
no_log: true
tags:
- setup
- tools
- name: Install common tools (Alt Linux)
command: apt-get install -y curl jq ca-certificates iproute2 iputils procps net-tools vim wget unzip git sudo
when: ansible_os_family == 'Altlinux'
changed_when: false
failed_when: false
no_log: true
tags:
- setup
- tools
- name: Install common tools (Astra Linux)
command: apt-get install -y curl jq ca-certificates iproute2 iputils procps net-tools vim wget unzip git sudo
when: ansible_os_family == 'Astra Linux'
changed_when: false
failed_when: false
no_log: true
tags:
- setup
- tools
# Установка Python для Ansible (если не установлен)
- name: Install Python (Debian/Ubuntu)
apt:
name:
- python3
- python3-pip
- python3-venv
state: present
when: ansible_os_family == 'Debian'
no_log: true
tags:
- setup
- python
- name: Install Python (RHEL/CentOS/AlmaLinux/Rocky)
yum:
name:
- python3
- python3-pip
state: present
when: ansible_os_family == 'RedHat'
no_log: true
tags:
- setup
- python
- name: Install Python (Alt Linux)
command: apt-get install -y python3 python3-pip
when: ansible_os_family == 'Altlinux'
changed_when: false
failed_when: false
no_log: true
tags:
- setup
- python
- name: Install Python (Astra Linux)
command: apt-get install -y python3 python3-pip
when: ansible_os_family == 'Astra Linux'
changed_when: false
failed_when: false
no_log: true
tags:
- setup
- python