cb5045fb79
- Убрана подстановка значений по умолчанию для devops_password и devops_ssh_public_key - Добавлена строгая валидация секретов из vault/secrets.yml с детальными сообщениями об ошибках - Убран подробный вывод установки пакетов в тасках - Исправлена проблема с созданием симлинков в vault/ при тестировании - Обновлена логика загрузки vault переменных в molecule тестах - Добавлена очистка симлинков в destroy.yml для дополнительной безопасности Автор: Сергей Антропов Сайт: https://devops.org.ru
299 lines
14 KiB
YAML
299 lines
14 KiB
YAML
---
|
||
# =============================================================================
|
||
# CONVERGE - Сборка и запуск тестовых сценариев
|
||
# =============================================================================
|
||
- hosts: localhost
|
||
gather_facts: false
|
||
vars:
|
||
# Получаем preset из переменной окружения или используем default
|
||
preset_name: "{{ lookup('env', 'MOLECULE_PRESET') | default('default') }}"
|
||
preset_file: "/workspace/molecule/presets/{{ preset_name }}.yml"
|
||
|
||
# перечисли файлы/глобы, которые нужно временно расшифровать
|
||
vault_targets:
|
||
- /workspace/vault/secrets.yml
|
||
- /workspace/vault/secret.yml
|
||
# - /workspace/files/playbooks/group_vars/*/vault.yml
|
||
# - /workspace/files/playbooks/host_vars/*/vault.yml
|
||
# - /workspace/roles/**/vars/vault.yml
|
||
# - /workspace/roles/*/defaults/*.yml
|
||
# - /workspace/files/**/*secret*.yml
|
||
|
||
tasks:
|
||
# =============================================================================
|
||
# НАСТРОЙКА - Загрузка конфигурации и подготовка
|
||
# =============================================================================
|
||
- name: Configuration setup
|
||
debug:
|
||
msg: |
|
||
================================================================================
|
||
НАСТРОЙКА - Загрузка конфигурации и подготовка
|
||
================================================================================
|
||
Preset: {{ preset_name }}
|
||
================================================================================
|
||
|
||
- name: Load preset configuration
|
||
include_vars: "{{ preset_file }}"
|
||
when: preset_file is file
|
||
ignore_errors: true
|
||
|
||
|
||
# =============================================================================
|
||
# VAULT - Работа с зашифрованными файлами
|
||
# =============================================================================
|
||
- name: Vault operations
|
||
debug:
|
||
msg: |
|
||
================================================================================
|
||
VAULT - Работа с зашифрованными файлами
|
||
================================================================================
|
||
Files: {{ vault_targets | length }} targets
|
||
================================================================================
|
||
|
||
- name: Check vault files encryption status
|
||
community.docker.docker_container_exec:
|
||
container: ansible-controller
|
||
command: |
|
||
bash -c '
|
||
VAULT_TARGETS_JSON="{{ vault_targets | to_json }}"
|
||
VAULT_PASSWORD_FILE="/workspace/vault/.vault"
|
||
|
||
echo "=== CHECKING VAULT FILES ENCRYPTION STATUS ==="
|
||
|
||
# Парсим JSON массив и проверяем каждый файл
|
||
echo "$VAULT_TARGETS_JSON" | jq -r ".[]" | while read -r target; do
|
||
echo "Checking target: $target"
|
||
|
||
# Если это glob паттерн, находим файлы
|
||
if [[ "$target" == *"*"* ]]; then
|
||
for file in $target; do
|
||
if [ -f "$file" ]; then
|
||
echo "Found file: $file"
|
||
if grep -q "ANSIBLE_VAULT" "$file"; then
|
||
echo "ENCRYPTED: $file"
|
||
else
|
||
echo "PLAINTEXT: $file"
|
||
fi
|
||
fi
|
||
done
|
||
else
|
||
# Обычный файл
|
||
if [ -f "$target" ]; then
|
||
echo "Found file: $target"
|
||
if grep -q "ANSIBLE_VAULT" "$target"; then
|
||
echo "ENCRYPTED: $target"
|
||
else
|
||
echo "PLAINTEXT: $target"
|
||
fi
|
||
else
|
||
echo "NOT_FOUND: $target"
|
||
fi
|
||
fi
|
||
done
|
||
'
|
||
register: vault_status_check
|
||
ignore_errors: true
|
||
|
||
- name: Encrypt plaintext vault files
|
||
community.docker.docker_container_exec:
|
||
container: ansible-controller
|
||
command: |
|
||
bash -c '
|
||
VAULT_TARGETS_JSON="{{ vault_targets | to_json }}"
|
||
VAULT_PASSWORD_FILE="/workspace/vault/.vault"
|
||
|
||
echo "=== ENCRYPTING PLAINTEXT VAULT FILES ==="
|
||
|
||
if [ ! -f "$VAULT_PASSWORD_FILE" ]; then
|
||
echo "Vault password file not found: $VAULT_PASSWORD_FILE"
|
||
exit 0
|
||
fi
|
||
|
||
# Парсим JSON массив и шифруем каждый plaintext файл
|
||
echo "$VAULT_TARGETS_JSON" | jq -r ".[]" | while read -r target; do
|
||
echo "Processing target: $target"
|
||
|
||
# Если это glob паттерн, находим файлы
|
||
if [[ "$target" == *"*"* ]]; then
|
||
for file in $target; do
|
||
if [ -f "$file" ] && ! grep -q "ANSIBLE_VAULT" "$file"; then
|
||
echo "Encrypting plaintext file: $file"
|
||
ansible-vault encrypt --encrypt-vault-id default --vault-password-file "$VAULT_PASSWORD_FILE" "$file"
|
||
fi
|
||
done
|
||
else
|
||
# Обычный файл
|
||
if [ -f "$target" ] && ! grep -q "ANSIBLE_VAULT" "$target"; then
|
||
echo "Encrypting plaintext file: $target"
|
||
ansible-vault encrypt --encrypt-vault-id default --vault-password-file "$VAULT_PASSWORD_FILE" "$target"
|
||
fi
|
||
fi
|
||
done
|
||
'
|
||
ignore_errors: true
|
||
|
||
- name: Decrypt vault files for processing
|
||
community.docker.docker_container_exec:
|
||
container: ansible-controller
|
||
command: |
|
||
bash -c '
|
||
VAULT_TARGETS_JSON="{{ vault_targets | to_json }}"
|
||
VAULT_PASSWORD_FILE="/workspace/vault/.vault"
|
||
|
||
echo "=== DECRYPTING VAULT FILES FOR PROCESSING ==="
|
||
|
||
if [ ! -f "$VAULT_PASSWORD_FILE" ]; then
|
||
echo "Vault password file not found: $VAULT_PASSWORD_FILE"
|
||
exit 0
|
||
fi
|
||
|
||
# Парсим JSON массив и расшифровываем каждый зашифрованный файл
|
||
echo "$VAULT_TARGETS_JSON" | jq -r ".[]" | while read -r target; do
|
||
echo "Processing target: $target"
|
||
|
||
# Если это glob паттерн, находим файлы
|
||
if [[ "$target" == *"*"* ]]; then
|
||
for file in $target; do
|
||
if [ -f "$file" ] && grep -q "ANSIBLE_VAULT" "$file"; then
|
||
echo "Decrypting encrypted file: $file"
|
||
ansible-vault decrypt --vault-password-file "$VAULT_PASSWORD_FILE" "$file"
|
||
fi
|
||
done
|
||
else
|
||
# Обычный файл
|
||
if [ -f "$target" ] && grep -q "ANSIBLE_VAULT" "$target"; then
|
||
echo "Decrypting encrypted file: $target"
|
||
ansible-vault decrypt --vault-password-file "$VAULT_PASSWORD_FILE" "$target"
|
||
fi
|
||
fi
|
||
done
|
||
'
|
||
ignore_errors: true
|
||
|
||
# =============================================================================
|
||
# VAULT LOADING - Загрузка vault переменных из vault_targets
|
||
# =============================================================================
|
||
- name: Load vault variables from vault_targets
|
||
community.docker.docker_container_exec:
|
||
container: ansible-controller
|
||
command: |
|
||
bash -c '
|
||
VAULT_PASSWORD_FILE="/workspace/vault/.vault"
|
||
|
||
# Читаем vault_targets из переменных Ansible
|
||
VAULT_TARGETS_JSON="{{ vault_targets | to_json }}"
|
||
|
||
echo "=== VAULT LOADING ==="
|
||
echo "Vault password file: $VAULT_PASSWORD_FILE"
|
||
echo "Vault targets from Ansible: $VAULT_TARGETS_JSON"
|
||
|
||
# Создаем директории для vault файлов
|
||
mkdir -p /tmp/vault_files
|
||
|
||
# Создаем временный файл для объединения всех vault переменных
|
||
echo "---" > /tmp/vault_vars.yml
|
||
|
||
# Счетчик для обработки конфликтов
|
||
declare -A variable_sources
|
||
|
||
# Парсим JSON массив и обрабатываем каждый target
|
||
echo "$VAULT_TARGETS_JSON" | jq -r ".[]" | while read -r target; do
|
||
echo "Processing target: $target"
|
||
|
||
# Если это glob паттерн, находим файлы
|
||
if [[ "$target" == *"*"* ]]; then
|
||
for file in $target; do
|
||
if [ -f "$file" ]; then
|
||
echo "Found vault file: $file"
|
||
|
||
# Создаем копию файла в /tmp/vault_files для прямых ссылок
|
||
filename=$(basename "$file")
|
||
cp "$file" "/tmp/vault_files/$filename"
|
||
|
||
# Расшифровываем файл если нужно
|
||
if [ -f "$VAULT_PASSWORD_FILE" ]; then
|
||
echo "Loading encrypted vault file: $file"
|
||
ansible-vault view --vault-password-file "$VAULT_PASSWORD_FILE" "$file" > "/tmp/vault_files/${filename}.decrypted"
|
||
|
||
# Добавляем в объединенный файл с проверкой конфликтов
|
||
echo "---" >> /tmp/vault_vars.yml
|
||
echo "# From: $file" >> /tmp/vault_vars.yml
|
||
ansible-vault view --vault-password-file "$VAULT_PASSWORD_FILE" "$file" >> /tmp/vault_vars.yml
|
||
else
|
||
echo "Loading plain vault file: $file"
|
||
cp "$file" "/tmp/vault_files/${filename}.decrypted"
|
||
|
||
# Добавляем в объединенный файл с проверкой конфликтов
|
||
echo "---" >> /tmp/vault_vars.yml
|
||
echo "# From: $file" >> /tmp/vault_vars.yml
|
||
cat "$file" >> /tmp/vault_vars.yml
|
||
fi
|
||
fi
|
||
done
|
||
else
|
||
# Обычный файл
|
||
if [ -f "$target" ]; then
|
||
echo "Found vault file: $target"
|
||
|
||
# Создаем копию файла в /tmp/vault_files для прямых ссылок
|
||
filename=$(basename "$target")
|
||
cp "$target" "/tmp/vault_files/$filename"
|
||
|
||
# Расшифровываем файл если нужно
|
||
if [ -f "$VAULT_PASSWORD_FILE" ]; then
|
||
echo "Loading encrypted vault file: $target"
|
||
ansible-vault view --vault-password-file "$VAULT_PASSWORD_FILE" "$target" > "/tmp/vault_files/${filename}.decrypted"
|
||
|
||
# Добавляем в объединенный файл с проверкой конфликтов
|
||
echo "---" >> /tmp/vault_vars.yml
|
||
echo "# From: $target" >> /tmp/vault_vars.yml
|
||
ansible-vault view --vault-password-file "$VAULT_PASSWORD_FILE" "$target" >> /tmp/vault_vars.yml
|
||
else
|
||
echo "Loading plain vault file: $target"
|
||
cp "$target" "/tmp/vault_files/${filename}.decrypted"
|
||
|
||
# Добавляем в объединенный файл с проверкой конфликтов
|
||
echo "---" >> /tmp/vault_vars.yml
|
||
echo "# From: $target" >> /tmp/vault_vars.yml
|
||
cat "$target" >> /tmp/vault_vars.yml
|
||
fi
|
||
fi
|
||
fi
|
||
done
|
||
|
||
# Символические ссылки не нужны для работы, убираем их создание
|
||
|
||
echo "=== VAULT VARIABLES LOADED ==="
|
||
echo "Combined vault variables:"
|
||
cat /tmp/vault_vars.yml
|
||
echo ""
|
||
echo "Individual vault files available at:"
|
||
ls -la /tmp/vault_files/
|
||
'
|
||
ignore_errors: true
|
||
|
||
# =============================================================================
|
||
# LOAD VAULT VARIABLES - Загрузка vault переменных в Ansible
|
||
# =============================================================================
|
||
- name: Load vault variables into Ansible
|
||
include_vars:
|
||
file: /tmp/vault_vars.yml
|
||
ignore_errors: true
|
||
|
||
- name: Set vault files path
|
||
set_fact:
|
||
vault_files_path: /tmp/vault_files
|
||
when: vault_files_path is not defined
|
||
|
||
# =============================================================================
|
||
# CONVERGE ЗАВЕРШЕН - Playbook'и выполняются через Makefile
|
||
# =============================================================================
|
||
- name: Converge completed
|
||
debug:
|
||
msg: |
|
||
================================================================================
|
||
CONVERGE ЗАВЕРШЕН
|
||
================================================================================
|
||
Vault переменные загружены и готовы к использованию
|
||
Playbook'и run.yml и roles/deploy.yml будут выполнены через Makefile
|
||
================================================================================ |