modified: infrastructure/ansible/deploy_logic_pull.yml

modified:   infrastructure/ansible/deploy_logic_push.yml
This commit is contained in:
Ubuntu
2026-01-09 14:38:10 +00:00
parent 318c4da270
commit c51f441de3
2 changed files with 29 additions and 7 deletions


@@ -38,9 +38,16 @@
copy: copy:
dest: "{{ target_dir }}/.env" dest: "{{ target_dir }}/.env"
content: | content: |
{% for key, value in app_secrets.items() %} {# Fallback: Wenn app_secrets direkt die Daten sind oder in 'secret'/'data' stecken #}
{{ key }}={{ value }} {% set final_secrets = app_secrets.secret | default(app_secrets.data | default(app_secrets)) %}
{% if final_secrets is mapping %}
{% for key, value in final_secrets.items() %}
{# Filtere Meta-Daten raus, falls wir doch das falsche Level erwischt haben #}
{% if key not in ['data', 'metadata', 'auth', 'lease_id', 'lease_duration', 'renewable', 'request_id', 'wrap_info', 'warnings', 'raw'] %}
{{ key | trim }}={{ value }}
{% endif %}
{% endfor %} {% endfor %}
{% endif %}
mode: '0600' mode: '0600'
when: catalog_entry.stat.exists and app_item.has_secrets | default(false) and app_secrets is defined and app_secrets | length > 0 when: catalog_entry.stat.exists and app_item.has_secrets | default(false) and app_secrets is defined and app_secrets | length > 0
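Review bot: The key filter at the `{% if key not in ['data', 'metadata', ...] %}` line also drops legitimate secrets whose name happens to be `data`, `auth`, `raw` or another listed word, because it runs even when `final_secrets` was already taken from `app_secrets.secret`; restrict it to the raw-fallback path, e.g. `{% set from_raw = app_secrets.secret is not defined and app_secrets.data is not defined %}` and `{% if not from_raw or key not in [...] %}`. The `copy` task renders every secret value into its task result and `--diff` output, so add `no_log: true` next to `mode: '0600'`. `{{ value }}` is written unquoted while only the key is trimmed, so a value containing a newline, ` #` or surrounding whitespace would presumably break the `.env` line format — worth either rejecting such values or quoting them in whatever form the consumer of `.env` accepts. The same template change appears in the second hunk of deploy_logic_push.yml and needs the same treatment. The `copy` task's `- name:` line starts before this hunk.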


@@ -27,9 +27,17 @@
# 3. Secrets aus Vault (Lokal lookup, Remote copy) # 3. Secrets aus Vault (Lokal lookup, Remote copy)
# Nur ausführen, wenn has_secrets: true # Nur ausführen, wenn has_secrets: true
- name: "Debug Vault Info"
debug:
msg:
- "Token vorhanden: {{ (vault_token | default(lookup('env', 'VAULT_TOKEN'))) | length > 0 }}"
- "Adresse: {{ lookup('env', 'VAULT_ADDR') }}"
delegate_to: localhost
when: app_item.has_secrets | default(false)
- name: "Lade Secrets aus Vault (Lokal lookup)" - name: "Lade Secrets aus Vault (Lokal lookup)"
set_fact: set_fact:
app_secrets: "{{ lookup('community.hashi_vault.vault_kv2_get', 'apps/' + app_item.name, engine_mount_point='secret', url=lookup('env', 'VAULT_ADDR') | default('https://10.100.30.11:8200'), token=lookup('env', 'VAULT_TOKEN'), validate_certs=false) | default({}) }}" app_secrets: "{{ lookup('community.hashi_vault.vault_kv2_get', 'apps/' + app_item.name, engine_mount_point='secret', url=lookup('env', 'VAULT_ADDR') | default('https://10.100.30.11:8200'), token=(vault_token | default(lookup('env', 'VAULT_TOKEN'))), validate_certs=false) | default({}) }}"
delegate_to: localhost delegate_to: localhost
when: app_item.has_secrets | default(false) when: app_item.has_secrets | default(false)
ignore_errors: true # Trotzdem ignorieren, falls Vault down ist oder Secret fehlt ignore_errors: true # Trotzdem ignorieren, falls Vault down ist oder Secret fehlt
@@ -43,9 +51,16 @@
copy: copy:
dest: "{{ target_dir }}/.env" dest: "{{ target_dir }}/.env"
content: | content: |
{% for key, value in app_secrets.items() %} {# Fallback: Wenn app_secrets direkt die Daten sind oder in 'secret'/'data' stecken #}
{{ key }}={{ value }} {% set final_secrets = app_secrets.secret | default(app_secrets.data | default(app_secrets)) %}
{% if final_secrets is mapping %}
{% for key, value in final_secrets.items() %}
{# Filtere Meta-Daten raus, falls wir doch das falsche Level erwischt haben #}
{% if key not in ['data', 'metadata', 'auth', 'lease_id', 'lease_duration', 'renewable', 'request_id', 'wrap_info', 'warnings', 'raw'] %}
{{ key | trim }}={{ value }}
{% endif %}
{% endfor %} {% endfor %}
{% endif %}
mode: '0600' mode: '0600'
when: app_item.has_secrets | default(false) and app_secrets | length > 0 when: app_item.has_secrets | default(false) and app_secrets | length > 0
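Review bot: On the rewritten `app_secrets:` lookup line, the `url=` fallback can never apply: `lookup('env', 'VAULT_ADDR')` returns an empty string when the variable is unset and `default()` only replaces undefined values, so the lookup would run with `url=''`; use `default('https://10.100.30.11:8200', true)` to cover the empty string, or drop the hard-coded address and fail early. The same line keeps `validate_certs=false`, which disables TLS verification on the request that carries the Vault token; pass `validate_certs=true` with a `ca_cert=` path instead, or document why verification is off. This `set_fact` stores every secret in a fact that is printed under `-v`, so add `no_log: true` alongside `ignore_errors: true`. The new Debug task prints only token presence and the address, which is fine, but with `ignore_errors: true` a failed lookup presumably leaves `app_secrets` undefined and the later `when: ... app_secrets | length > 0` in this file errors on the undefined variable rather than skipping; mirror the `app_secrets is defined` guard used in deploy_logic_pull.yml.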