Actualiser inject_vault_secrets.yml

2025-05-06 14:16:56 +00:00 · 2025-05-06 14:16:56 +00:00 · 65416b2589
commit 65416b2589
parent 3d1bab1ece
1 changed files with 21 additions and 17 deletions
--- a/inject_vault_secrets.yml
+++ b/inject_vault_secrets.yml
@ -6,23 +6,24 @@

  vars:
    target_group_vars_file: "/etc/ansible/group_vars/ctl"
+    env: "{{ lookup('env', 'ENV') }}"

    vault_secrets_map:
-      openstack_admin_project_passwd: { path: "services/openstack_admin_project", key: "passwd" }
-      git_token:                      { path: "services/git", key: "token" }
-      console_database_passwd:        { path: "services/console_db", key: "passwd" } # Assurez-vous que ce secret existe
-      smtp_passwd:                    { path: "services/smtp_noreply", key: "passwd" }
-      smtp_support_email_passwd:    { path: "services/smtp_support", key: "passwd" }
-      authentik_bear_token:           { path: "services/authentik_bear", key: "token" }
-      oidc_client_id:                 { path: "services/oidc_client", key: "id" } # Exemple si clé est 'id'
-      oidc_client_secret:             { path: "services/oidc_client", key: "secret" }
-      flouci_public_token:            { path: "services/flouci_public", key: "token" }
-      flouci_private_token:           { path: "services/flouci_private", key: "token" }
-      konnect_api_key:                { path: "services/konnect_api", key: "key" }
-      stripe_api_key:                 { path: "services/stripe_api", key: "key" }
-      stripe_test_api_key:            { path: "services/stripe_test_api", key: "key" }
-      stripe_front_api_key:           { path: "services/stripe_front_api", key: "key" }
-      stripe_front_test_api_key:    { path: "services/stripe_front_test_api", key: "key" }
+      openstack_admin_project_passwd: { path: "environnement/{{ env }}/openstack_admin_project", key: "passwd" }
+      git_token:                      { path: "environnement/{{ env }}/git", key: "token" }
+      console_database_passwd:        { path: "environnement/{{ env }}/console_db", key: "passwd" }
+      smtp_passwd:                    { path: "environnement/{{ env }}/smtp_noreply", key: "passwd" }
+      smtp_support_email_passwd:    { path: "environnement/{{ env }}/smtp_support", key: "passwd" }
+      authentik_bear_token:           { path: "environnement/{{ env }}/authentik_bear", key: "token" }
+      oidc_client_id:                 { path: "environnement/{{ env }}/oidc_client", key: "id" }
+      oidc_client_secret:             { path: "environnement/{{ env }}/oidc_client", key: "secret" }
+      flouci_public_token:            { path: "environnement/{{ env }}/flouci_public", key: "token" }
+      flouci_private_token:           { path: "environnement/{{ env }}/flouci_private", key: "token" }
+      konnect_api_key:                { path: "environnement/{{ env }}/konnect_api", key: "key" }
+      stripe_api_key:                 { path: "environnement/{{ env }}/stripe_api", key: "key" }
+      stripe_test_api_key:            { path: "environnement/{{ env }}/stripe_test_api", key: "key" }
+      stripe_front_api_key:           { path: "environnement/{{ env }}/stripe_front_api", key: "key" }
+      stripe_front_test_api_key:    { path: "environnement/{{ env }}/stripe_front_test_api", key: "key" }

    vault_kv_mount_point: "secret"

@ -30,15 +31,17 @@
    - name: Vérifier l'accès/authentification à Vault
      vars:
        first_secret_info: "{{ vault_secrets_map.values() | first }}"
+        # Construit maintenant: secret/data/environnement/demo/openstack_admin_project:passwd
        test_lookup_string: "{{ vault_kv_mount_point }}/data/{{ first_secret_info.path }}:{{ first_secret_info.key }}"
      ansible.builtin.assert:
        that: lookup('community.hashi_vault.hashi_vault', test_lookup_string) is defined
-        fail_msg: "Échec de la connexion/authentification à Vault ou le premier secret test est inaccessible. Vérifiez VAULT_ADDR et l'authentification (login/token)."
+        fail_msg: "Échec de la connexion/authentification à Vault ou le premier secret test '{{ test_lookup_string }}' est inaccessible. Vérifiez VAULT_ADDR et l'authentification."
        quiet: yes

    - name: Injecter chaque secret dans {{ target_group_vars_file }}
      vars:
        ctl_variable_name: "{{ item.key }}"
+        # Construit maintenant: secret/data/environnement/demo/git:token (par exemple)
        vault_lookup_string: "{{ vault_kv_mount_point }}/data/{{ item.value.path }}:{{ item.value.key }}"
        secret_value: "{{ lookup('community.hashi_vault.hashi_vault', vault_lookup_string) }}"
      ansible.builtin.lineinfile:
@ -50,4 +53,5 @@
      loop: "{{ vault_secrets_map | dict2items }}"
      when: secret_value is defined and secret_value not in [none, '']
      loop_control:
-        label: "{{ item.key }}"
+        label: "{{ item.key }}"
+      no_log: true # Remis pour la sécurité