service: Support setting container secrets

2024-11-19 20:00:27 +02:00
parent 64606707d4
commit ab4b6b7825
3 changed files with 28 additions and 0 deletions
--- a/roles/service/defaults/main.yaml
+++ b/roles/service/defaults/main.yaml
@@ -4,6 +4,7 @@ service_domains: []
 service_container_user: ""
 service_container_publish_ports: []
 service_container_mounts: []
+service_container_secrets: []
 service_container_env: {}

 service_database_type: none
--- a/roles/service/meta/argument_specs.yaml
+++ b/roles/service/meta/argument_specs.yaml
@@ -66,6 +66,23 @@ argument_specs:
            type: bool
            required: false
            default: false
+      service_container_secrets:
+        description: A list of secrets available to the service container in /run/secrets/<service name>-<secret name>
+        type: list
+        required: false
+        default: []
+        elements: dict
+        options:
+          name:
+            description: Name of the secret
+            type: str
+            required: true
+          value:
+            description:
+              - Value of the secret. Defaults to a 128-character random string containing alphanumeric characters.
+              - If the value is not explicitly set, it will not be changed if the secret already exists.
+            type: str
+            required: false
      service_container_env:
        description: A dict of environment variables for the service container(s)
        type: dict
--- a/roles/service/tasks/main.yaml
+++ b/roles/service/tasks/main.yaml
@@ -6,6 +6,15 @@
  ansible.builtin.set_fact:
    _service_container_mounts: []
    _service_container_requires: "{{ service_requires }}"
+    _service_container_secrets: []
+
+- name: Secrets definition for {{ service_name }}
+  ansible.builtin.set_fact:
+    _service_container_secrets: "{{ _service_container_secrets + [secret | combine({'name': service_name ~ '-' ~ secret.name})] }}"
+  no_log: true
+  loop: "{{ service_container_secrets }}"
+  loop_control:
+    loop_var: secret

 - name: Databse for {{ service_name }}
  ansible.builtin.include_tasks: database.yaml
@@ -26,6 +35,7 @@
    container_publish_ports: "{{ service_container_publish_ports }}"
    container_networks:
      - "{{ service_name }}"
+    container_secrets: "{{ _service_container_secrets }}"
    container_env: "{{ service_container_env }}"
    container_requires: "{{ _service_container_requires }}"
    container_wants: "{{ [service_name + '-socat.socket'] if service_domains | length > 0 else [] }}"