DevOpsTools/DevOpsLab
Template
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
304a5e4ebf951dd81fb43f390041e194c3ba41bd
DevOpsLab/molecule/default/converge.yml
Сергей Антропов 1bed3740b1 fix: исправлен путь к vault паролю vault-password.txt → vault/.vault 
- В converge.yml заменены все /workspace/vault-password.txt на /workspace/vault/.vault
- В docker-compose.yml обновлен ANSIBLE_VAULT_PASSWORD_FILE на /ansible/vault/.vault
- Теперь используется правильный файл vault/.vault согласно структуре проекта

Автор: Сергей Антропов
Сайт: https://devops.org.ru
2025-10-25 17:37:57 +03:00

75 lines
3.0 KiB
YAML
Raw Blame History

---
- hosts: localhost
gather_facts: false
vars:
# Получаем preset из переменной окружения или используем default
preset_name: "{{ lookup('env', 'MOLECULE_PRESET') | default('default') }}"
preset_file: "/workspace/molecule/presets/{{ preset_name }}.yml"
# перечисли файлы/глобы, которые нужно временно расшифровать
vault_targets:
- /workspace/vault/secrets.yml
- /workspace/files/playbooks/group_vars/*/vault.yml
- /workspace/files/playbooks/host_vars/*/vault.yml
- /workspace/roles/**/vars/vault.yml
tasks:
- name: Load preset configuration
include_vars: "{{ preset_file }}"
when: preset_file is file
ignore_errors: true
# - name: Install collections
# community.docker.docker_container_exec:
# container: ansible-controller
# command: bash -lc "ansible-galaxy collection install -r /workspace/requirements.yml --force --no-deps --upgrade >/dev/null 2>&1 || true"
- name: Preflight vault — normalize state (encrypt if plaintext, then decrypt)
community.docker.docker_container_exec:
container: ansible-controller
command: >
bash -lc '
set -euo pipefail; shopt -s nullglob globstar;
for p in {{ vault_targets | map('quote') | join(' ') }}; do
for f in $p; do
[ -f "$f" ] || continue;
if head -n1 "$f" | grep -q "^\$ANSIBLE_VAULT;"; then
echo "[vault] already encrypted: $f";
else
echo "[vault] plaintext -> encrypt: $f";
ansible-vault encrypt --encrypt-vault-id default --vault-password-file /workspace/vault/.vault "$f";
fi
echo "[vault] decrypt for run: $f";
ansible-vault decrypt --vault-password-file /workspace/vault/.vault "$f";
done
done
'
- name: Run lab playbook
community.docker.docker_container_exec:
container: ansible-controller
command: >
bash -lc "
ANSIBLE_ROLES_PATH=/workspace/roles
ansible-playbook -i {{ lookup('env','MOLECULE_EPHEMERAL_DIRECTORY') }}/inventory/hosts.ini /workspace/molecule/default/site.yml
"
- name: Post-run — re-encrypt secrets
community.docker.docker_container_exec:
container: ansible-controller
command: >
bash -lc '
set -euo pipefail; shopt -s nullglob globstar;
for p in {{ vault_targets | map('quote') | join(' ') }}; do
for f in $p; do
[ -f "$f" ] || continue;
if head -n1 "$f" | grep -q "^\$ANSIBLE_VAULT;"; then
echo "[vault] ok (encrypted): $f";
else
echo "[vault] encrypt back: $f";
ansible-vault encrypt --encrypt-vault-id default --vault-password-file /workspace/vault/.vault "$f" || true;
fi
done
done
'
ignore_errors: true
Reference in New Issue View Git Blame Copy Permalink