manage_secrets

Copy secret content such as pull-secret and ci-token to a known location with appropriate rights.

Privilege escalation

None

Parameters

General parameters

  • cifmw_manage_secrets_basedir: (String) Base directory for the directory tree. Default to cifmw_basedir which defaults to ~/ci-framework-data.

  • cifmw_manage_secrets_owner: (String) User name owning the directory and secrets. Defaults to ansible_user_id.

Pull-secret parameters

  • cifmw_manage_secrets_pullsecret_dest: (String) Destination file for pull-secret.json. Defaults to {{ cifmw_manage_secrets_basedir }}/secrets/pull_secret.json.

  • cifmw_manage_secrets_pullsecret_file: (String) Absolute path to the source pull-secret. Defaults to null.

  • cifmw_manage_secrets_pullsecret_content: (String) Content of the source pull-secret. Defaults to null.

CI Token parameters

  • cifmw_manage_secrets_citoken_dest: (String) Destination file for ci-token. Defaults to {{ cifmw_manage_secrets_basedir }}/secrets/ci_token.

  • cifmw_manage_secrets_citoken_file: (String) Absolute path to the source ci-token. Defaults to null.

  • cifmw_manage_secrets_citoken_content: (String) Content of the source ci-token. Defaults to null.

K8s configuration parameters

  • cifmw_manage_secrets_kube_dest: (String) Destination directory for kube configuration files. Defaults to ~/.kube.

  • cifmw_manage_secrets_kube_type: (String) Type of kube configuration file. Must be either config or kubeadmin-password. Defaults to null.

  • cifmw_manage_secrets_kube_file: (String) Absolute path to the source kube configuration file. Defaults to null.

  • cifmw_manage_secrets_kube_content: (String) Content of the kube configuration file. Defaults to null.

SSH keypair secrets

  • cifmw_manage_secrets_ssh_type: SSH keypair algorithm, as listed by community.crypto.openssh_keypair. Defaults to cifmw_ssh_keytype which default to ecdsa.

  • cifmw_manage_secrets_ssh_size: SSH private key size, as listed by community.crypto.openssh_keypair. Defaults to cifmw_ssh_keysize which defaults to 512.

  • cifmw_manage_secrets_dataplane_ssh_name: File name for the dataplane SSH keypair. Defaults to ansibleee-ssh-key-id_ecdsa.

  • cifmw_manage_secrets_dataplane_ssh_metaname: Metadata for the dataplane ssh keypair. Defaults to dataplane-ansible-ssh-private-key-secret.

OSP secrets

  • cifmw_manage_secrets_ospsecrets_manifests_dest: (String) Destination directory for OSP secrets manifest

  • cifmw_manage_secrets_ospsecrets_list: (List) Secrets parameter definitions. See molecule test for example.

Reproducer secrets

Those tasks are mostly for the reproducer use-case, where you may need to push secrets on the controller-0 node.

  • cifmw_manage_secrets_reproducer_secrets: (List[map]) Secrets you want to push on controller-0

File versus Content

You can set either a file OR a content for the pull-secret and ci-token secrets. You can’t set both.

Examples

- name: Initialize manage_secrets
  ansible.builtin.import_role:
    name: manage_secrets

- name: Push my local pull-secret
  vars:
    cifmw_manage_secrets_pullsecret_file: "{{ lookup('env', 'HOME') }}/pull-secret.txt"
  ansible.builtin.include_role:
    name: manage_secrets
    tasks_from: pull_secret.yml

- name: Create a ci-token with inline content
  vars:
    cifmw_manage_secrets_citoken_content: "sha256~AAABBCC123"
  ansible.builtin.include_role:
    name: manage_secrets
    tasks_from: ci_token.yml

In some cases, you may want to copy some content from the hypervisor to a virtual machine - this is especially true for the kubeconfig and kubeadmin-password files. In such a case, the “easiest” way is to slurp the content and pass it down:

- name: Get kubeaconfig content
  register: _kubeconfig
  ansible.builtin.slurp:
    path: "{{ ansible_user_dir }}/ci-framework-data/artifacts/kubeconfig"

- name: Delegate block to controller-0
  delegate_to: controller-0
  remote_user: zuul
  vars:
    cifmw_manage_secrets_basedir: "/home/zuul/ci-framework-data"
  block:
    - name: Initialize manage_secrets
      ansible.builtin.import_role:
        name: manage_secrets

    - name: Inject kubeconfig
      vars:
        cifmw_manage_secrets_kube_type: "config"
        cifmw_manage_secrets_kube_content: "{{ _kubeconfig.content | b64decode }}"
      ansible.builtin.include_role:
        name: manage_secrets
        tasks_from: kube.yml

Using the reproducer tasks

- name: Delegate tasks to controller-0
  delegate_to: controller-0
  vars:
    cifmw_manage_secrets_reproducer_secrets:
      - src: "{{ lookup('env', 'HOME') }}/ipmi-password.txt"
        dest: "/home/zuul/ipmi-password.txt"
      - content: "fooBar: StarWar"
        dest: "/home/zuul/my-foo.yml"
  block:
    - name: Initialize secrets
      ansible.builtin.import_role:
        name: manage_secrets

    - name: Push some secrets
      ansible.builtin.import_role:
        name: manage_secrets
        tasks_from: reproducer.yml