added new var name for traefik cf

This commit is contained in:
Ubuntu
2026-01-12 00:33:40 +00:00
parent 120db39bc1
commit c12c7182bf


@@ -29,7 +29,7 @@
# Nur ausführen, wenn has_secrets: true
- name: "Lade Secrets aus Vault (Lokal lookup)"
set_fact:
app_secrets: "{{ lookup('community.hashi_vault.vault_kv2_get', 'apps/' + app_item.name, engine_mount_point='secret', url=lookup('env', 'VAULT_ADDR') | default('https://10.100.30.11:8200'), token=(vault_token | default(lookup('env', 'VAULT_TOKEN'))), validate_certs=true) | default({}) }}"
app_secrets: "{{ lookup('community.hashi_vault.vault_kv2_get', 'apps/' + app_item.name, engine_mount_point='secret', url=lookup('env', 'VAULT_ADDR') | default('https://10.100.30.11:8200'), token=(vault_token | default(lookup('env', 'VAULT_TOKEN'))), validate_certs=false) | default({}) }}"
delegate_to: localhost
when: app_item.has_secrets | default(false)
ignore_errors: true # Trotzdem ignorieren, falls Vault down ist oder Secret fehlt
@@ -46,11 +46,8 @@
when: app_item.name == 'traefik-edge'
ignore_errors: true
- name: "Merge Cloudflare Secrets in App Secrets"
- name: "Merge Cloudflare Secrets in App Secrets Payload"
set_fact:
# Wir mergen cf_secrets in app_secrets. Da app_secrets eine verschachtelte Struktur von hvac ist (manchmal),
# müssen wir vorsichtig sein. Wir extrahieren die 'data'/'secret' payloads und mergen die.
# Einfacher: Wir schreiben beide in die .env loop.
cf_secrets_payload: "{{ cf_secrets.secret | default(cf_secrets.data | default(cf_secrets)) | default({}) }}"
when: app_item.name == 'traefik-edge' and cf_secrets is defined
@@ -58,37 +55,48 @@
copy:
dest: "{{ target_dir }}/.env"
content: |
{# App Secrets #}
{% set final_secrets = app_secrets.secret | default(app_secrets.data | default(app_secrets)) %}
{% if final_secrets is mapping %}
{% for key, value in final_secrets.items() %}
{% if key not in ['data', 'metadata', 'auth', 'lease_id', 'lease_duration', 'renewable', 'request_id', 'wrap_info', 'warnings', 'raw'] %}
{{ key | trim }}={{ value }}
{% endif %}
{% endfor %}
{% endif %}
{# App Secrets & Cloudflare Secrets zusammenführen #}
{% set all_secrets = {} %}
{# Cloudflare Secrets (Zusatz) #}
{# 1. App Secrets laden #}
{% set app_sec_data = app_secrets.secret | default(app_secrets.data | default(app_secrets)) %}
{% if app_sec_data is mapping %}
{% set _ = all_secrets.update(app_sec_data) %}
{% endif %}
{# 2. Cloudflare Secrets (für Traefik Edge) laden #}
{% if cf_secrets_payload is defined and cf_secrets_payload is mapping %}
{% for key, value in cf_secrets_payload.items() %}
{% if key not in ['data', 'metadata', 'auth', 'lease_id', 'lease_duration', 'renewable', 'request_id', 'wrap_info', 'warnings', 'raw'] %}
{% if key == 'api_token' %}
{% set _ = all_secrets.update(cf_secrets_payload) %}
{% endif %}
{# 3. Ausgabe #}
{% for key, value in all_secrets.items() %}
{% if key not in ['data', 'metadata', 'auth', 'lease_id', 'lease_duration', 'renewable', 'request_id', 'wrap_info', 'warnings', 'raw'] %}
{# Spezifisches Mapping für Traefik Edge #}
{% if app_item.name == 'traefik-edge' %}
{# Mapping Regeln #}
{% if key == 'api_token' %}
CF_DNS_API_TOKEN={{ value }}
CF_ZONE_API_TOKEN={{ value }}
{% endif %}
{% if key == 'email' %}
{% elif key == 'email' %}
CF_API_EMAIL={{ value }}
{% endif %}
{% elif key in ['CLOUDFLARE_API_KEY', 'CLOUDFLARE_EMAIL'] %}
{# Alte Keys ignorieren #}
{% else %}
{# Alle anderen Keys 1:1 übernehmen #}
{{ key | trim }}={{ value }}
{% endif %}
{% endfor %}
{% endif %}
mode: '0600'
{% endif %}
when: app_item.has_secrets | default(false) and app_secrets | length > 0
{% else %}
{# Für alle anderen Apps: 1:1 übernehmen #}
{{ key | trim }}={{ value }}
{% endif %}
{% endif %}
{% endfor %}
mode: '0600'
when: (app_item.has_secrets | default(false) and app_secrets | length > 0) or (app_item.name == 'traefik-edge' and cf_secrets_payload is defined)
# 4. Sync Dateien (Lokal -> Remote)
# Hinweis: 'copy' Modul unterstützt kein 'exclude'.
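Review bot: The set_fact for app_secrets in the first hunk changes validate_certs from true to false, which disables TLS certificate verification for the Vault lookup that carries the Vault token and returns the application secrets; if L16 is the new side (the rendered page drops the +/- markers), this is a security regression that the commit title does not mention and that the task's ignore_errors: true will keep silent about. Instead of turning verification off, keep `validate_certs=true` and trust the server's CA explicitly, e.g. `ca_cert='<PATH_TO_VAULT_CA_BUNDLE>'` in the same lookup (or the VAULT_CACERT environment variable), so neither the token nor the secrets are sent to an unauthenticated endpoint. If this is deliberate for a lab Vault with a self-signed certificate, a comment next to the lookup such as `# TODO: validate_certs=false only for lab Vault; restore true before production` would at least make the trade-off visible to the next reader. The enclosing task list starts before the first hunk and continues past the last one.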