service: Make secrets available in a variable

2025-03-22 01:42:03 +02:00
parent d5cd823e5a
commit 2528e2605c
3 changed files with 34 additions and 1 deletions
--- a/roles/service/meta/argument_specs.yaml
+++ b/roles/service/meta/argument_specs.yaml
@@ -80,7 +80,11 @@ argument_specs:
            required: false
            default: ""
      service_container_secrets:
-        description: A list of secrets available to the service container in /run/secrets/<service name>-<secret name>
+        description:
          - A list of secrets available to the service container in /run/secrets/<service name>-<secret name>
          - >
            A dict of secrets and their values (including autogenerated values) is available as `_service_podman_secrets` for use
            in tepmlates or environment variables. This should only be used if the container doesn't support reading the secret from file
        type: list
        required: false
        default: []
--- a/roles/service/tasks/main.yaml
+++ b/roles/service/tasks/main.yaml
@@ -11,6 +11,10 @@
  ansible.builtin.include_tasks: database.yaml
  when: "service_database_type != 'none'"
 - name: Secrets for {{ service_name }}
  ansible.builtin.include_tasks: secrets.yaml
  when: service_container_secrets | length > 0
 - name: Mounts for {{ service_name }}
  ansible.builtin.include_tasks: mounts.yaml
  when: service_container_mounts | length > 0
--- a/roles/service/tasks/secrets.yaml
+++ b/roles/service/tasks/secrets.yaml
@@ -0,0 +1,25 @@
 ---
 - name: Create secrets
  ansible.builtin.include_role:
    name: container
    tasks_from: secrets.yaml
    rolespec_validate: false # FIXME make proper validation possible
  vars:
    container_name: "{{ service_name }}"
    container_secrets: "{{ _service_container_secrets }}"
 - name: Gather secrets information
  containers.podman.podman_secret_info:
    showsecret: true
  register: _service_podman_secret_info
  no_log: true
 - name: Store secrets in a variable for later
  ansible.builtin.set_fact:
    _service_podman_secrets: >
      {{ _service_podman_secret_info.secrets
        | map(attribute='Spec.Name')
        | zip(_service_podman_secret_info.secrets | map(attribute='SecretData'))
        | community.general.dict 
    }}
  no_log: true