added new var name for traefik cf

2026-01-12 00:27:47 +00:00
parent 7d35a68590
commit 47870c4f24
1 changed files with 31 additions and 2 deletions
--- a/infrastructure/ansible/deploy_logic_push.yml
+++ b/infrastructure/ansible/deploy_logic_push.yml
@@ -39,21 +39,50 @@
    app_secrets: {}
  when: app_secrets is undefined

+- name: "Lade Cloudflare Secrets (für Traefik Edge)"
+  set_fact:
+    cf_secrets: "{{ lookup('community.hashi_vault.vault_kv2_get', 'infrastructure/cloudflare', engine_mount_point='secret', url=lookup('env', 'VAULT_ADDR') | default('https://10.100.30.11:8200'), token=(vault_token | default(lookup('env', 'VAULT_TOKEN'))), validate_certs=false) | default({}) }}"
+  delegate_to: localhost
+  when: app_item.name == 'traefik-edge'
+  ignore_errors: true
+
+- name: "Merge Cloudflare Secrets in App Secrets"
+  set_fact:
+    # Wir mergen cf_secrets in app_secrets. Da app_secrets eine verschachtelte Struktur von hvac ist (manchmal), 
+    # müssen wir vorsichtig sein. Wir extrahieren die 'data'/'secret' payloads und mergen die.
+    # Einfacher: Wir schreiben beide in die .env loop.
+    cf_secrets_payload: "{{ cf_secrets.secret | default(cf_secrets.data | default(cf_secrets)) | default({}) }}"
+  when: app_item.name == 'traefik-edge' and cf_secrets is defined
+
 - name: "Erstelle .env Datei auf Remote"
  copy:
    dest: "{{ target_dir }}/.env"
    content: |
-      {# Fallback: Wenn app_secrets direkt die Daten sind oder in 'secret'/'data' stecken #}
+      {# App Secrets #}
      {% set final_secrets = app_secrets.secret | default(app_secrets.data | default(app_secrets)) %}
      {% if final_secrets is mapping %}
      {% for key, value in final_secrets.items() %}
-      {# Filtere Meta-Daten raus #}
      {% if key not in ['data', 'metadata', 'auth', 'lease_id', 'lease_duration', 'renewable', 'request_id', 'wrap_info', 'warnings', 'raw'] %}
      {{ key | trim }}={{ value }}
      {% endif %}
      {% endfor %}
      {% endif %}
+      
+      {# Cloudflare Secrets (Zusatz) #}
+      {% if cf_secrets_payload is defined and cf_secrets_payload is mapping %}
+      {% for key, value in cf_secrets_payload.items() %}
+      {% if key not in ['data', 'metadata', 'auth', 'lease_id', 'lease_duration', 'renewable', 'request_id', 'wrap_info', 'warnings', 'raw'] %}
+      # Mappe keys falls nötig: dns_api_token -> CF_DNS_API_TOKEN
+      {% if key == 'dns_api_token' %}CF_DNS_API_TOKEN={{ value }}{% endif %}
+      {% if key == 'dns_api_token' %}CF_ZONE_API_TOKEN={{ value }}{% endif %}
+      {% if key == 'email' %}CF_API_EMAIL={{ value }}{% endif %}
+      # Original auch schreiben
+      {{ key | trim }}={{ value }}
+      {% endif %}
+      {% endfor %}
+      {% endif %}
    mode: '0600'
+
  when: app_item.has_secrets | default(false) and app_secrets | length > 0

 # 4. Sync Dateien (Lokal -> Remote)