diff --git a/roles/load_secrets/tasks/main.yml b/roles/load_secrets/tasks/main.yml
index b7a0f2f..7d79b09 100644
--- a/roles/load_secrets/tasks/main.yml
+++ b/roles/load_secrets/tasks/main.yml
@@ -46,3 +46,4 @@
kubernetes_secret_objects: "{{ secrets_results.kubernetes_secret_objects }}"
vault_policies: "{{ secrets_results.vault_policies }}"
parsed_secrets: "{{ secrets_results.parsed_secrets }}"
+ unique_vault_prefixes: "{{ secrets_results.unique_vault_prefixes }}"
diff --git a/roles/vault_utils/tasks/vault_spokes_init.yaml b/roles/vault_utils/tasks/vault_spokes_init.yaml
index ae0215c..613236b 100644
--- a/roles/vault_utils/tasks/vault_spokes_init.yaml
+++ b/roles/vault_utils/tasks/vault_spokes_init.yaml
@@ -10,7 +10,8 @@
resources: "{{ managed_clusters['resources'] }}"
- name: Do nothing when no managed clusters are found
- ansible.builtin.meta: end_play
+ ansible.builtin.set_fact:
+ have_managed_clusters: false
when: resources | length == 0 or managed_clusters.failed or not managed_clusters.api_found
# These three loops are not done in one pass because sometimes the managedCluster is not fully
@@ -21,14 +22,18 @@
{'caBundle': item.spec.managedClusterClientConfigs[0].caBundle | b64decode, 'name': item.metadata.name}}) }}"
loop: "{{ resources }}"
- when: item.spec.managedClusterClientConfigs[0].caBundle is defined
+ when:
+ - have_managed_clusters
+ - item.spec.managedClusterClientConfigs[0].caBundle is defined
loop_control:
label: "{{ item.metadata.name }}"
- name: Extract ClusterGroup
ansible.builtin.set_fact:
clusters: "{{ clusters | default({}) | combine({item.metadata.name: {'clusterGroup': item.metadata.labels.clusterGroup}}, recursive=True) }}"
- when: "'clusterGroup' in item.metadata.labels"
+ when:
+ - have_managed_clusters
+ - "'clusterGroup' in item.metadata.labels"
loop: "{{ resources }}"
loop_control:
label: "{{ item.metadata.name }}"
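Review bot: `have_managed_clusters` is only ever assigned `false`, in the guarded task of the `@@ -10,7 +10,8 @@` hunk, and no line in this diff sets it to `true`; unless a role default outside the diff declares it, the normal path (clusters found) leaves the variable undefined and every later `when: - have_managed_clusters` aborts with an undefined-variable error instead of running. Setting it unconditionally removes the dependency on a default: `ansible.builtin.set_fact:` / `have_managed_clusters: "{{ not (resources | length == 0 or managed_clusters.failed or not managed_clusters.api_found) }}"` with the task's `when:` dropped. The task also deserves a comment that swapping `meta: end_play` for a fact means the calling play, not just this task file, now continues when there are no managed clusters.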
@@ -43,7 +48,9 @@
_cluster_fqdn: "{{ item.status.clusterClaims | selectattr('name', 'equalto', 'consoleurl.cluster.open-cluster-management.io') | map(attribute='value') | first | ansible.builtin.urlsplit('hostname') | regex_replace('console-openshift-console\\.apps\\.', '') }}"
- when: item.spec.managedClusterClientConfigs[0].url is defined
+ when:
+ - have_managed_clusters
+ - item.spec.managedClusterClientConfigs[0].url is defined
loop_control:
label: "{{ item.metadata.name }}"
@@ -55,6 +62,8 @@
loop: "{{ clusters | dict2items }}"
loop_control:
label: "{{ item.key }}"
+ when:
+ - have_managed_clusters
# These three steps will only work on ACM 2.12 which uses these secrets to connect to the spokes
- name: Fetch all ACM secrets
@@ -63,21 +72,28 @@
label_selectors:
- "apps.open-cluster-management.io/secret-type=acm-cluster"
register: acm_secrets_raw
+ when:
+ - have_managed_clusters
- name: Set acm secrets fact
ansible.builtin.set_fact:
acm_secrets: "{{ acm_secrets_raw.resources }}"
+ when:
+ - have_managed_clusters
- name: Set cleaned_acm_secrets fact
ansible.builtin.set_fact:
cleaned_acm_secrets: "{{ acm_secrets | rhvp.cluster_utils.parse_acm_secrets }}"
- when: acm_secrets | length > 0
+ when:
+ - have_managed_clusters
+ - acm_secrets | length > 0
- name: Merge the two dicts together
ansible.builtin.set_fact:
clusters_info: "{{ clusters | default({}) | combine(cleaned_acm_secrets, recursive=True) }}"
- when: acm_secrets | length > 0
-
+ when:
+ - have_managed_clusters
+ - acm_secrets | length > 0
# These steps will only work on ACM >= 2.13 which uses managed service accounts to connect to remote spokes
# ACM creates a namespace named like the remote cluster and we loop those
- name: Get the ACM secrets when on ACM >=2.13
@@ -87,7 +103,9 @@
name: application-manager
register: msa_secrets
loop: "{{ resources }}"
- when: acm_secrets | length == 0
+ when:
+ - have_managed_clusters
+ - acm_secrets | length == 0
loop_control:
label: "{{ item.metadata.name }}"
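Review bot: The `when: - have_managed_clusters` added under `label: "{{ item.key }}"` in the `@@ -55,6 +62,8 @@` hunk does not protect that task when there are no managed clusters, because Ansible templates `loop: "{{ clusters | dict2items }}"` before it evaluates the per-item conditional, and `clusters` is never set once both `Extract` tasks are skipped, so `dict2items` on an undefined variable fails the task instead of skipping it. The loop expression needs its own guard, `loop: "{{ clusters | default({}) | dict2items }}"`. The task's name and module lines are above this hunk.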
@@ -98,6 +116,7 @@
clusters: "{{ clusters | default({}) | combine({item.item.metadata.name: {'bearerToken': item.resources[0].data.token | b64decode}}, recursive=True) }}"
loop: "{{ msa_secrets.results }}"
when:
+ - have_managed_clusters
- acm_secrets | length == 0
- msa_secrets.results | length > 0
loop_control:
@@ -106,7 +125,9 @@
- name: Set cluster_info fact
ansible.builtin.set_fact:
clusters_info: "{{ clusters }}"
- when: acm_secrets | length == 0
+ when:
+ - have_managed_clusters
+ - acm_secrets | length == 0
- name: Write out CAs
ansible.builtin.copy:
@@ -114,7 +135,9 @@
dest: "/tmp/{{ item.key }}.ca"
mode: "0640"
loop: "{{ clusters_info | dict2items }}"
- when: item.value['caBundle'] is defined
+ when:
+ - have_managed_clusters
+ - item.value['caBundle'] is defined
loop_control:
label: "{{ item.key }}"
@@ -124,6 +147,8 @@
- name: If we are using letsencrypt on the API endpoints we cannot use the validate_certs later
ansible.builtin.set_fact:
validate_certs_api_endpoint: "{{ not letsencrypt.api_endpoint | default(True) | bool }}"
+ when:
+ - have_managed_clusters
- name: Fetch remote external secrets from remote cluster
kubernetes.core.k8s_info:
@@ -147,6 +172,7 @@
# https://serverfault.com/questions/1059530/how-to-not-print-items-in-an-ansible-loop-error-without-no-log)
no_log: '{{ hide_sensitive_output | default(true) }}'
when:
+ - have_managed_clusters
- clusters_info[item.key]['bearerToken'] is defined
- clusters_info[item.key]['server_api'] is defined
- clusters_info[item.key]['caBundle'] is defined
@@ -176,6 +202,7 @@
# https://serverfault.com/questions/1059530/how-to-not-print-items-in-an-ansible-loop-error-without-no-log)
no_log: '{{ hide_sensitive_output | default(true) }}'
when:
+ - have_managed_clusters
- clusters_info[item.key]['bearerToken'] is defined
- clusters_info[item.key]['server_api'] is defined
- clusters_info[item.key]['caBundle'] is defined
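Review bot: The `- have_managed_clusters` condition added to `Write out CAs` in the `@@ -114,7 +135,9 @@` hunk runs too late to protect the task: Ansible templates `loop: "{{ clusters_info | dict2items }}"` before it evaluates the per-item `when`, and `clusters_info` is only assigned by the `Merge the two dicts together` / `Set cluster_info fact` tasks that this diff now skips, so with no managed clusters the task errors on an undefined variable rather than being skipped. Use `loop: "{{ clusters_info | default({}) | dict2items }}"` here, and apply the same guard to every later task in this file that loops over `clusters_info | dict2items` (the CA write, vault auth, policy and role tasks). Keeping `have_managed_clusters` as the first list entry, as the hunks do, is correct, since list conditions are evaluated in order and the later entries index into `clusters_info`.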
@@ -189,7 +216,9 @@
ansible.builtin.set_fact:
clusters_info: "{{ clusters_info | default({}) | combine({item['item']['key']: {'esoToken': item['resources'][0]['data']['token'] | b64decode, 'activeExternalSecretsNs': external_secrets_ns, 'activeExternalSecretsSa': external_secrets_sa}}, recursive=True) }}"
loop: "{{ remote_external_secrets_sa.results }}"
- when: item['resources'][0]['data']['token'] is defined
+ when:
+ - have_managed_clusters
+ - item['resources'][0]['data']['token'] is defined
loop_control:
label: "{{ item['item']['key'] }}"
@@ -200,6 +229,7 @@
clusters_info: "{{ clusters_info | default({}) | combine({item['item']['key']: {'esoToken': item['resources'][0]['data']['token'] | b64decode, 'activeExternalSecretsNs': legacy_external_secrets_ns, 'activeExternalSecretsSa': legacy_external_secrets_sa}}, recursive=True) }}"
loop: "{{ remote_legacy_external_secrets_sa.results }}"
when:
+ - have_managed_clusters
- item['resources'][0]['data']['token'] is defined
- clusters_info[item['item']['key']]['esoToken'] is not defined
loop_control:
@@ -223,6 +253,7 @@
command: bash -e -c "echo '{{ item.value['caBundle'] }}' > /tmp/{{ item.value['vault_path'] }}.ca"
loop: "{{ clusters_info | dict2items }}"
when:
+ - have_managed_clusters
- item.value['esoToken'] is defined
- item.key != "local-cluster"
loop_control:
@@ -238,6 +269,7 @@
vault auth enable -path='{{ item.value['vault_path'] }}' kubernetes; fi"
loop: "{{ clusters_info | dict2items }}"
when:
+ - have_managed_clusters
- item.value['esoToken'] is defined
- item.key != "local-cluster"
loop_control:
@@ -254,6 +286,7 @@
kubernetes_ca_cert=@/tmp/{{ item.value['vault_path'] }}.ca"
loop: "{{ clusters_info | dict2items }}"
when:
+ - have_managed_clusters
- item.value['esoToken'] is defined
- item.key != "local-cluster"
loop_control:
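Review bot: The task guarded in the `@@ -223,6 +253,7 @@` hunk still builds a shell command from cluster-supplied data: `bash -e -c "echo '{{ item.value['caBundle'] }}' > /tmp/{{ item.value['vault_path'] }}.ca"` interpolates the decoded CA bundle (taken from the ManagedCluster spec in the earlier `Extract` task) and `vault_path` (origin not visible here) straight into the command string, so a single quote or shell metacharacter in either breaks out of the `echo`, and the redirect creates the file with the default umask rather than the `0640` the `Write out CAs` task uses. This predates the commit, but since the task is being touched it is worth replacing the shell with `ansible.builtin.copy`, which is already how `/tmp/{{ item.key }}.ca` is written; the same rewrite also lets the loop expression carry the `default({})` guard that the new `when` cannot provide, because `loop` is templated before the conditional is evaluated. The task's name and module lines are above this hunk.
```yaml
    # … unchanged: task name (above this hunk) …
      ansible.builtin.copy:
        content: "{{ item.value['caBundle'] }}"
        dest: "/tmp/{{ item.value['vault_path'] }}.ca"
        mode: "0640"
      loop: "{{ clusters_info | default({}) | dict2items }}"
    # … unchanged: when / loop_control …
```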
@@ -268,6 +301,7 @@
capabilities = {{ vault_spoke_capabilities }} }\" > /tmp/policy-{{ item.value['vault_path'] }}.hcl"
loop: "{{ clusters_info | dict2items }}"
when:
+ - have_managed_clusters
- item.value['esoToken'] is defined
- item.key != "local-cluster"
loop_control:
@@ -282,6 +316,7 @@
capabilities = {{ vault_pushsecrets_capabilities }} }\" >> /tmp/policy-{{ item.value['vault_path'] }}.hcl"
loop: "{{ clusters_info | dict2items }}"
when:
+ - have_managed_clusters
- item.value['esoToken'] is defined
- item.key != "local-cluster"
loop_control:
@@ -296,6 +331,7 @@
capabilities = {{ vault_pushsecrets_capabilities }} }\" >> /tmp/policy-{{ item.value['vault_path'] }}.hcl"
loop: "{{ clusters_info | dict2items }}"
when:
+ - have_managed_clusters
- item.value['esoToken'] is defined
- item.key != "local-cluster"
loop_control:
@@ -308,6 +344,7 @@
command: "vault policy write {{ item.value['vault_path'] }}-secret /tmp/policy-{{ item.value['vault_path'] }}.hcl"
loop: "{{ clusters_info | dict2items }}"
when:
+ - have_managed_clusters
- item.value['esoToken'] is defined
- item.key != "local-cluster"
loop_control:
@@ -324,6 +361,7 @@
policies="default,{{ vault_global_policy }}-secret,{{ vault_pushsecrets_policy }}-secret,{{ item.value['vault_path'] }}-secret" ttl="{{ vault_spoke_ttl }}"
loop: "{{ clusters_info | dict2items }}"
when:
+ - have_managed_clusters
- item.value['esoToken'] is defined
- item.key != "local-cluster"
loop_control: