From c51f441de33980470b9c724363aed2458b3b5ca9 Mon Sep 17 00:00:00 2001
From: Ubuntu
Date: Fri, 9 Jan 2026 14:38:10 +0000
Subject: [PATCH] modified: infrastructure/ansible/deploy_logic_pull.yml
 modified: infrastructure/ansible/deploy_logic_push.yml

---
 infrastructure/ansible/deploy_logic_pull.yml | 13 ++++++++---
 infrastructure/ansible/deploy_logic_push.yml | 23 ++++++++++++++++----
 2 files changed, 29 insertions(+), 7 deletions(-)

diff --git a/infrastructure/ansible/deploy_logic_pull.yml b/infrastructure/ansible/deploy_logic_pull.yml
index c85e2bd..1fcccba 100644
--- a/infrastructure/ansible/deploy_logic_pull.yml
+++ b/infrastructure/ansible/deploy_logic_pull.yml
@@ -38,9 +38,16 @@
 copy:
 dest: "{{ target_dir }}/.env"
 content: |
- {% for key, value in app_secrets.items() %}
- {{ key }}={{ value }}
- {% endfor %}
+ {# Fallback: Wenn app_secrets direkt die Daten sind oder in 'secret'/'data' stecken #}
+ {% set final_secrets = app_secrets.secret | default(app_secrets.data | default(app_secrets)) %}
+ {% if final_secrets is mapping %}
+ {% for key, value in final_secrets.items() %}
+ {# Filtere Meta-Daten raus, falls wir doch das falsche Level erwischt haben #}
+ {% if key not in ['data', 'metadata', 'auth', 'lease_id', 'lease_duration', 'renewable', 'request_id', 'wrap_info', 'warnings', 'raw'] %}
+ {{ key | trim }}={{ value }}
+ {% endif %}
+ {% endfor %}
+ {% endif %}
 mode: '0600'
 when: catalog_entry.stat.exists and app_item.has_secrets | default(false) and app_secrets is defined and app_secrets | length > 0
diff --git a/infrastructure/ansible/deploy_logic_push.yml b/infrastructure/ansible/deploy_logic_push.yml
index 8d07363..747feca 100644
--- a/infrastructure/ansible/deploy_logic_push.yml
+++ b/infrastructure/ansible/deploy_logic_push.yml
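Review bot: The task's `when` still checks only `app_secrets | length > 0`, so whenever the resolved `final_secrets` is not a mapping the new template renders nothing and the task silently overwrites the existing `.env` with an empty file, while the key blacklist in the inner `{% if %}` silently drops any application secret that happens to be named `data`, `auth`, `metadata` or one of the other listed words. Both are avoided by pinning the level and guarding on it instead of filtering: extend the condition with `and (app_secrets.secret | default(app_secrets.data | default(app_secrets))) is mapping` so a malformed response skips the task rather than blanking the file, and drop the blacklist once the level is known. The `vault_kv2_get` lookup used in deploy_logic_push.yml returns the user data under `secret`, so `app_secrets.secret` is the intended level there; how deploy_logic_pull.yml obtains `app_secrets` is not visible in this hunk. The same template change appears in the second hunk of deploy_logic_push.yml. The enclosing copy task starts before this hunk.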
@@ -27,9 +27,17 @@
 # 3. Secrets aus Vault (Lokal lookup, Remote copy)
 # Nur ausführen, wenn has_secrets: true
+- name: "Debug Vault Info"
+ debug:
+ msg:
+ - "Token vorhanden: {{ (vault_token | default(lookup('env', 'VAULT_TOKEN'))) | length > 0 }}"
+ - "Adresse: {{ lookup('env', 'VAULT_ADDR') }}"
+ delegate_to: localhost
+ when: app_item.has_secrets | default(false)
+
 - name: "Lade Secrets aus Vault (Lokal lookup)"
 set_fact:
- app_secrets: "{{ lookup('community.hashi_vault.vault_kv2_get', 'apps/' + app_item.name, engine_mount_point='secret', url=lookup('env', 'VAULT_ADDR') | default('https://10.100.30.11:8200'), token=lookup('env', 'VAULT_TOKEN'), validate_certs=false) | default({}) }}"
+ app_secrets: "{{ lookup('community.hashi_vault.vault_kv2_get', 'apps/' + app_item.name, engine_mount_point='secret', url=lookup('env', 'VAULT_ADDR') | default('https://10.100.30.11:8200'), token=(vault_token | default(lookup('env', 'VAULT_TOKEN'))), validate_certs=false) | default({}) }}"
 delegate_to: localhost
 when: app_item.has_secrets | default(false)
 ignore_errors: true # Trotzdem ignorieren, falls Vault down ist oder Secret fehlt
@@ -43,9 +51,16 @@
 copy:
 dest: "{{ target_dir }}/.env"
 content: |
- {% for key, value in app_secrets.items() %}
- {{ key }}={{ value }}
- {% endfor %}
+ {# Fallback: Wenn app_secrets direkt die Daten sind oder in 'secret'/'data' stecken #}
+ {% set final_secrets = app_secrets.secret | default(app_secrets.data | default(app_secrets)) %}
+ {% if final_secrets is mapping %}
+ {% for key, value in final_secrets.items() %}
+ {# Filtere Meta-Daten raus, falls wir doch das falsche Level erwischt haben #}
+ {% if key not in ['data', 'metadata', 'auth', 'lease_id', 'lease_duration', 'renewable', 'request_id', 'wrap_info', 'warnings', 'raw'] %}
+ {{ key | trim }}={{ value }}
+ {% endif %}
+ {% endfor %}
+ {% endif %}
 mode: '0600'
 when: app_item.has_secrets | default(false) and app_secrets | length > 0
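Review bot: On the rewritten `app_secrets` line, `lookup('env', 'VAULT_ADDR') | default('https://10.100.30.11:8200')` never falls back, because the `env` lookup returns an empty string for an unset variable and `default` only replaces undefined values, so an unset environment passes `url=''` to the lookup and the task then fails into `ignore_errors`. Use the second argument of `default` to treat the empty string as missing: `url=lookup('env', 'VAULT_ADDR') | default('https://10.100.30.11:8200', true)`. The fact holds the complete secret map but no `no_log: true` is visible in the hunk, so a verbose run prints every value; if it is not set on a line outside the hunk, add it to this task and to the copy task that renders the `.env`. The line also keeps `validate_certs=false`, which sends the Vault token to an unverified TLS endpoint; prefer `validate_certs=true` with `ca_cert` pointing at the internal CA.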