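---
# =============================================================================
# CONVERGE - build and run the test scenarios
# =============================================================================
# Molecule converge play. It loads the selected preset, makes sure every file
# listed in vault_targets is vault-encrypted, temporarily decrypts those files
# inside the ansible-controller container, and collects their contents into a
# single vars file that is then loaded back into this play.
#
# All container scripts receive their inputs through the exec `env` option
# instead of interpolating `to_json` into a double-quoted shell string (the
# JSON quotes would otherwise be eaten by the shell and break jq).
- hosts: localhost
  gather_facts: false
  vars:
    # Preset from the MOLECULE_PRESET environment variable; an unset variable
    # comes back as "" from the env lookup, so the second argument of default()
    # is needed to also fall back on an empty value
    preset_name: "{{ lookup('env', 'MOLECULE_PRESET') | default('default', true) }}"
    preset_file: "/workspace/molecule/presets/{{ preset_name }}.yml"
    # Vault password file as seen inside the ansible-controller container
    vault_password_file: /workspace/vault/.vault
    # Files / globs to temporarily decrypt (paths as seen inside the container).
    # Globs are expanded by bash inside the container with globstar enabled, so
    # '**' patterns work. Paths containing whitespace are not supported.
    vault_targets:
      - /workspace/vault/secrets.yml
      - /workspace/vault/secret.yml
      # - /workspace/files/playbooks/group_vars/*/vault.yml
      # - /workspace/files/playbooks/host_vars/*/vault.yml
      # - /workspace/roles/**/vars/vault.yml
      # - /workspace/roles/*/defaults/*.yml
      # - /workspace/files/**/*secret*.yml

  tasks:
    # =========================================================================
    # SETUP - load configuration and prepare
    # =========================================================================
    - name: Configuration setup
      debug:
        msg: |
          ================================================================================
          НАСТРОЙКА - Загрузка конфигурации и подготовка
          ================================================================================
          Preset: {{ preset_name }}
          ================================================================================

    # A missing preset file is not an error: the play then runs with defaults
    - name: Load preset configuration
      include_vars: "{{ preset_file }}"
      when: preset_file is file
      ignore_errors: true

    # =========================================================================
    # VAULT - handling of encrypted files
    # =========================================================================
    - name: Vault operations
      debug:
        msg: |
          ================================================================================
          VAULT - Работа с зашифрованными файлами
          ================================================================================
          Files: {{ vault_targets | length }} targets
          ================================================================================

    # Report-only pass: prints ENCRYPTED / PLAINTEXT / NOT_FOUND per target.
    # `$VAULT_TARGETS` is expanded unquoted on purpose: bash expands globs and
    # leaves a literal path untouched when nothing matches.
    - name: Check vault files encryption status
      community.docker.docker_container_exec:
        container: ansible-controller
        env:
          VAULT_TARGETS: "{{ vault_targets | join(' ') }}"
        command: |
          bash -c '
          shopt -s globstar
          echo "=== CHECKING VAULT FILES ENCRYPTION STATUS ==="
          for file in $VAULT_TARGETS; do
            echo "Checking target: $file"
            if [ ! -f "$file" ]; then
              echo "NOT_FOUND: $file"
            elif grep -q "ANSIBLE_VAULT" "$file"; then
              echo "ENCRYPTED: $file"
            else
              echo "PLAINTEXT: $file"
            fi
          done
          '
      register: vault_status_check
      ignore_errors: true

    # Any plaintext target is encrypted in place so that the workspace never
    # keeps an unencrypted vault file after this play
    - name: Encrypt plaintext vault files
      community.docker.docker_container_exec:
        container: ansible-controller
        env:
          VAULT_TARGETS: "{{ vault_targets | join(' ') }}"
          VAULT_PASSWORD_FILE: "{{ vault_password_file }}"
        command: |
          bash -c '
          shopt -s globstar
          echo "=== ENCRYPTING PLAINTEXT VAULT FILES ==="
          if [ ! -f "$VAULT_PASSWORD_FILE" ]; then
            echo "Vault password file not found: $VAULT_PASSWORD_FILE"
            exit 0
          fi
          for file in $VAULT_TARGETS; do
            echo "Processing target: $file"
            if [ -f "$file" ] && ! grep -q "ANSIBLE_VAULT" "$file"; then
              echo "Encrypting plaintext file: $file"
              ansible-vault encrypt --encrypt-vault-id default --vault-password-file "$VAULT_PASSWORD_FILE" "$file"
            fi
          done
          '
      ignore_errors: true

    # Decrypts the targets in place for the duration of the scenario.
    # NOTE(review): nothing in this play re-encrypts them; presumably a later
    # stage (cleanup/destroy) does - confirm, otherwise plaintext secrets stay
    # in the workspace.
    - name: Decrypt vault files for processing
      community.docker.docker_container_exec:
        container: ansible-controller
        env:
          VAULT_TARGETS: "{{ vault_targets | join(' ') }}"
          VAULT_PASSWORD_FILE: "{{ vault_password_file }}"
        command: |
          bash -c '
          shopt -s globstar
          echo "=== DECRYPTING VAULT FILES FOR PROCESSING ==="
          if [ ! -f "$VAULT_PASSWORD_FILE" ]; then
            echo "Vault password file not found: $VAULT_PASSWORD_FILE"
            exit 0
          fi
          for file in $VAULT_TARGETS; do
            echo "Processing target: $file"
            if [ -f "$file" ] && grep -q "ANSIBLE_VAULT" "$file"; then
              echo "Decrypting encrypted file: $file"
              ansible-vault decrypt --vault-password-file "$VAULT_PASSWORD_FILE" "$file"
            fi
          done
          '
      ignore_errors: true

    # =========================================================================
    # VAULT LOADING - collect the vault variables from vault_targets
    # =========================================================================
    # Builds /tmp/vault_files/<name>.decrypted per target and a single
    # combined /tmp/vault_vars.yml. The combined file must stay ONE YAML
    # document (include_vars rejects multi-document files), so per-file "---"
    # separators are not written and a leading "---" in a source file is
    # dropped. Keys repeated across files resolve last-wins; the "# From:"
    # comments record where each section came from.
    - name: Load vault variables from vault_targets
      community.docker.docker_container_exec:
        container: ansible-controller
        env:
          VAULT_TARGETS: "{{ vault_targets | join(' ') }}"
          VAULT_PASSWORD_FILE: "{{ vault_password_file }}"
        command: |
          bash -c '
          shopt -s globstar
          # Decrypted secrets land on disk below: make new files owner-only
          umask 077
          echo "=== VAULT LOADING ==="
          echo "Vault password file: $VAULT_PASSWORD_FILE"
          echo "Vault targets from Ansible: $VAULT_TARGETS"
          mkdir -p /tmp/vault_files
          echo "---" > /tmp/vault_vars.yml
          for file in $VAULT_TARGETS; do
            echo "Processing target: $file"
            [ -f "$file" ] || continue
            echo "Found vault file: $file"
            filename=$(basename "$file")
            cp "$file" "/tmp/vault_files/$filename"
            decrypted="/tmp/vault_files/${filename}.decrypted"
            # A file may be encrypted or plain at this point (e.g. when the
            # decrypt step was skipped); pick the matching reader
            if grep -q "ANSIBLE_VAULT" "$file"; then
              if [ ! -f "$VAULT_PASSWORD_FILE" ]; then
                echo "Skipping encrypted file, no vault password file: $file"
                continue
              fi
              echo "Loading encrypted vault file: $file"
              ansible-vault view --vault-password-file "$VAULT_PASSWORD_FILE" "$file" > "$decrypted"
            else
              echo "Loading plain vault file: $file"
              cp "$file" "$decrypted"
            fi
            echo "# From: $file" >> /tmp/vault_vars.yml
            # Drop a leading document marker so the combined file stays one document
            sed "1{/^---[[:space:]]*$/d;}" "$decrypted" >> /tmp/vault_vars.yml
            echo "" >> /tmp/vault_vars.yml
          done
          echo "=== VAULT VARIABLES LOADED ==="
          # The combined file holds plaintext secrets: list its sources, not its content
          echo "Combined vault variables written to /tmp/vault_vars.yml from:"
          grep "^# From:" /tmp/vault_vars.yml || echo "(none)"
          echo ""
          echo "Individual vault files available at:"
          ls -la /tmp/vault_files/
          '
      ignore_errors: true

    # =========================================================================
    # LOAD VAULT VARIABLES - load the vault variables into Ansible
    # =========================================================================
    # NOTE(review): /tmp/vault_vars.yml was written inside the
    # ansible-controller container but is read here on localhost; this only
    # works if /tmp is shared between the two - confirm.
    # no_log keeps the loaded secrets out of verbose task output.
    - name: Load vault variables into Ansible
      include_vars:
        file: /tmp/vault_vars.yml
      no_log: true
      ignore_errors: true

    # Default location of the per-file copies; a preset may override it
    - name: Set vault files path
      set_fact:
        vault_files_path: /tmp/vault_files
      when: vault_files_path is not defined

    # =========================================================================
    # CONVERGE DONE - the playbooks themselves are run via the Makefile
    # =========================================================================
    - name: Converge completed
      debug:
        msg: |
          ================================================================================
          CONVERGE ЗАВЕРШЕН
          ================================================================================
          Vault переменные загружены и готовы к использованию
          Playbook'и run.yml и roles/deploy.yml будут выполнены через Makefile
          ================================================================================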