Ajouter inject_vault_secrets.yml

2025-05-05 14:10:56 +00:00 · 2025-05-05 14:10:56 +00:00 · 3d1bab1ece
commit 3d1bab1ece
parent ae18659edd
1 changed files with 53 additions and 0 deletions
--- a/inject_vault_secrets.yml
+++ b/inject_vault_secrets.yml
@ -0,0 +1,53 @@
+---
+- name: Injecter Secrets Vault dans group_vars/ctl.yml
+  hosts: localhost
+  connection: local
+  gather_facts: no
+
+  vars:
+    target_group_vars_file: "/etc/ansible/group_vars/ctl"
+
+    vault_secrets_map:
+      openstack_admin_project_passwd: { path: "services/openstack_admin_project", key: "passwd" }
+      git_token:                      { path: "services/git", key: "token" }
+      console_database_passwd:        { path: "services/console_db", key: "passwd" } # Assurez-vous que ce secret existe
+      smtp_passwd:                    { path: "services/smtp_noreply", key: "passwd" }
+      smtp_support_email_passwd:    { path: "services/smtp_support", key: "passwd" }
+      authentik_bear_token:           { path: "services/authentik_bear", key: "token" }
+      oidc_client_id:                 { path: "services/oidc_client", key: "id" } # Exemple si clé est 'id'
+      oidc_client_secret:             { path: "services/oidc_client", key: "secret" }
+      flouci_public_token:            { path: "services/flouci_public", key: "token" }
+      flouci_private_token:           { path: "services/flouci_private", key: "token" }
+      konnect_api_key:                { path: "services/konnect_api", key: "key" }
+      stripe_api_key:                 { path: "services/stripe_api", key: "key" }
+      stripe_test_api_key:            { path: "services/stripe_test_api", key: "key" }
+      stripe_front_api_key:           { path: "services/stripe_front_api", key: "key" }
+      stripe_front_test_api_key:    { path: "services/stripe_front_test_api", key: "key" }
+
+    vault_kv_mount_point: "secret"
+
+  tasks:
+    - name: Vérifier l'accès/authentification à Vault
+      vars:
+        first_secret_info: "{{ vault_secrets_map.values() | first }}"
+        test_lookup_string: "{{ vault_kv_mount_point }}/data/{{ first_secret_info.path }}:{{ first_secret_info.key }}"
+      ansible.builtin.assert:
+        that: lookup('community.hashi_vault.hashi_vault', test_lookup_string) is defined
+        fail_msg: "Échec de la connexion/authentification à Vault ou le premier secret test est inaccessible. Vérifiez VAULT_ADDR et l'authentification (login/token)."
+        quiet: yes
+
+    - name: Injecter chaque secret dans {{ target_group_vars_file }}
+      vars:
+        ctl_variable_name: "{{ item.key }}"
+        vault_lookup_string: "{{ vault_kv_mount_point }}/data/{{ item.value.path }}:{{ item.value.key }}"
+        secret_value: "{{ lookup('community.hashi_vault.hashi_vault', vault_lookup_string) }}"
+      ansible.builtin.lineinfile:
+        path: "{{ target_group_vars_file }}"
+        regexp: '^\s*{{ ctl_variable_name }}:\s*.*?$'
+        line: "{{ ctl_variable_name }}: '{{ secret_value }}'"
+        backrefs: no
+        state: present
+      loop: "{{ vault_secrets_map | dict2items }}"
+      when: secret_value is defined and secret_value not in [none, '']
+      loop_control:
+        label: "{{ item.key }}"