From 2528e2605c64d2ac8f2d8f489ee300ccfb951988 Mon Sep 17 00:00:00 2001
From: uumas
Date: Sat, 22 Mar 2025 01:42:03 +0200
Subject: [PATCH] service: Make secrets available in a variable

---
 roles/service/meta/argument_specs.yaml | 6 +++++-
 roles/service/tasks/main.yaml | 4 ++++
 roles/service/tasks/secrets.yaml | 25 +++++++++++++++++++++++++
 3 files changed, 34 insertions(+), 1 deletion(-)
 create mode 100644 roles/service/tasks/secrets.yaml

diff --git a/roles/service/meta/argument_specs.yaml b/roles/service/meta/argument_specs.yaml
index cddd6a4..5f040c9 100644
--- a/roles/service/meta/argument_specs.yaml
+++ b/roles/service/meta/argument_specs.yaml
@@ -80,7 +80,11 @@ argument_specs:
 required: false
 default: ""
 service_container_secrets:
- description: A list of secrets available to the service container in /run/secrets/-
+ description:
+ - A list of secrets available to the service container in /run/secrets/-
+ - >
+ A dict of secrets and their values (including autogenerated values) is available as `_service_podman_secrets` for use
+ in tepmlates or environment variables. This should only be used if the container doesn't support reading the secret from file
 type: list
 required: false
 default: []
diff --git a/roles/service/tasks/main.yaml b/roles/service/tasks/main.yaml
index 5e523f4..b4d0df5 100644
--- a/roles/service/tasks/main.yaml
+++ b/roles/service/tasks/main.yaml
@@ -11,6 +11,10 @@
 ansible.builtin.include_tasks: database.yaml
 when: "service_database_type != 'none'"
 
+- name: Secrets for {{ service_name }}
+ ansible.builtin.include_tasks: secrets.yaml
+ when: service_container_secrets | length > 0
+
 - name: Mounts for {{ service_name }}
 ansible.builtin.include_tasks: mounts.yaml
 when: service_container_mounts | length > 0
diff --git a/roles/service/tasks/secrets.yaml b/roles/service/tasks/secrets.yaml
new file mode 100644
index 0000000..ae67a76
--- /dev/null
+++ b/roles/service/tasks/secrets.yaml
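Review bot: The second description item has a typo, `tepmlates` → `templates`, and advertising a leading-underscore name (`_service_podman_secrets`) in the public argument spec conflicts with the usual Ansible reading of that prefix as role-private; either give the fact a public name or state in the description that it is an internal fact whose name may change. Since main.yaml only includes secrets.yaml when `service_container_secrets` is non-empty, the description should also say the variable is undefined for services without secrets and that templates should read it as `_service_podman_secrets | default({})`.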
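Review bot: `_service_podman_secrets` is only defined when this conditional include runs, so a template that references it unconditionally fails with an undefined variable on a service that has no secrets; set an empty default ahead of the include, e.g. `_service_podman_secrets: {}` in the role defaults (a later `set_fact` still overrides it), or require consumers to use `| default({})`. The guard tests `service_container_secrets` while secrets.yaml hands `_service_container_secrets` to the container role; if the underscored list is derived from the public one earlier in main.yaml (outside this hunk) that is fine, otherwise the guard and the payload disagree.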
@@ -0,0 +1,25 @@
+---
+- name: Create secrets
+ ansible.builtin.include_role:
+ name: container
+ tasks_from: secrets.yaml
+ rolespec_validate: false # FIXME make proper validation possible
+ vars:
+ container_name: "{{ service_name }}"
+ container_secrets: "{{ _service_container_secrets }}"
+
+- name: Gather secrets information
+ containers.podman.podman_secret_info:
+ showsecret: true
+ register: _service_podman_secret_info
+ no_log: true
+
+- name: Store secrets in a variable for later
+ ansible.builtin.set_fact:
+ _service_podman_secrets: >
+ {{ _service_podman_secret_info.secrets
+ | map(attribute='Spec.Name')
+ | zip(_service_podman_secret_info.secrets | map(attribute='SecretData'))
+ | community.general.dict
+ }}
+ no_log: true
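Review bot: `podman_secret_info` with `showsecret: true` and no `name` returns every podman secret on the host, so the `set_fact` in the last task stores the plaintext of secrets belonging to other services, not just this one; narrow the list before building the dict, e.g. add `| selectattr('Spec.Name', 'in', <names of this service's secrets>)` right after `_service_podman_secret_info.secrets` (how to derive that name list depends on the shape of `_service_container_secrets`, which is not visible here), or query each of this service's secrets by `name` in a loop. `no_log: true` protects only these two tasks; any later `template` or `podman_container` task that consumes `_service_podman_secrets` needs its own `no_log: true` (and `diff: false` on template tasks) or the values surface in verbose and diff output. Consider `>-` rather than `>` on the `set_fact` value so the rendered result is the bare Jinja output without a trailing newline, unless Ansible's result conversion is known to strip it.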