Introduce Bootstrap Secrets #127
Open
mhjacks wants to merge 23 commits into
Introduce a role that derives main and managed clustergroup stems from values-global.yaml and the main values file, exposes load order and local file paths, and optionally parses each file. Add list_clustergroups and parse_clustergroup_values playbooks for local debugging. Document pattern_dir and discovery usage in the collection README. Co-authored-by: Cursor <cursoragent@cursor.com>
…or install and allow bootstrap secrets to create namespaces
Co-authored-by: Cursor <cursoragent@cursor.com>
…sabled Co-authored-by: Cursor <cursoragent@cursor.com>
Bootstrap targets early Kubernetes injection; Vault is not used for that path. vault_load_secrets validates bootstrap_secrets but only writes secrets[] to Vault. Relax none-phase vault prefix validation, update schema and module docs, tighten k8s inject naming/loop labels, and extend unit tests and fixtures. Co-authored-by: Cursor <cursoragent@cursor.com>
…aces Vault injector never materializes kubernetes_secret_objects from targetNamespaces. Document behavior in parse_secrets_info, schema, and add a unit test. Co-authored-by: Cursor <cursoragent@cursor.com>
A prior edit left _create_k8s_secret under else without for tns, causing NameError. Co-authored-by: Cursor <cursoragent@cursor.com>
Coerce values-secret dict to YAML text for parse_secrets_info, resolve backing store from values-global when unset, harden assembled debug structure, and drop pattern_dir override that forced wrong values-global paths. Co-authored-by: Cursor <cursoragent@cursor.com>
Avoid hard failure when -e pattern_dir is omitted; extra-vars still override. Typical use is running from the pattern repo root. Co-authored-by: Cursor <cursoragent@cursor.com>
…ault '.' is the ansible-playbook cwd, not the playbook dir; collection installs are not the pattern repo. Accept PATTERN_DIR env or -e pattern_dir and fail with guidance when neither is set. Co-authored-by: Cursor <cursoragent@cursor.com>
Reuse pattern_settings resolve_overrides (extra var, PATTERN_DIR, PWD, pwd) so determine_pattern_dir matches list_clustergroups and README; fail only if still empty after that chain. Co-authored-by: Cursor <cursoragent@cursor.com>
Canonical usage:

```yaml
---
version: "2.0"
bootstrap_secrets:
  - name: private-repo
    targetNamespaces:
      - patterns-operator
    fields:
      - name: type
        value: git
      - name: sshPrivateKey
        path: ~/.ssh/id_ed25519
      - name: url
        value: git@github.com:mhjacks/private-pattern-test.git
secrets:
  # As before; no intersection between bootstrap and "regular" secrets
```

for:

```yaml
---
global:
  pattern: private-pattern-test
  # secretLoader:
  #   disabled: true
  options:
    useCSV: false
    syncPolicy: Automatic
    installPlanApproval: Automatic
  # secretStore:
  #   backend: kubernetes
main:
  git:
    repoURL: git@github.com:mhjacks/private-pattern-test.git
    revision: main
    tokenSecret: private-repo
    tokenSecretNamespace: patterns-operator
  clusterGroupName: hub
  multiSourceConfig:
    enabled: true
    clusterGroupChartVersion: "0.9.*"
```

Note: Blog post here: validatedpatterns/docs#682
- none backend rejects generate in _validate_one_secret_entry with a distinct message.
- invalid secrets_phase is rejected by AnsibleModule choices; use msg (args[1] is absent).
Co-authored-by: Cursor <cursoragent@cursor.com>
Remove list_clustergroups.yml, parse_clustergroup_values.yml, and roles/clustergroup_discovery; strip README clustergroup discovery section. These paths did not exist on main. Co-authored-by: Cursor <cursoragent@cursor.com>
ansible-galaxy collection install can raise KeyError 'results' against Galaxy on recent ansible-core (e.g. uv-installed lint in GitHub Actions). offline: true skips requirements.yml installs; lint still passes. Co-authored-by: Cursor <cursoragent@cursor.com>
Drop ansible-lint action uv stack (latest ansible-core breaks Galaxy install). Install ansible-lint with ansible-core<2.19, pre-install requirements.yml collections, then lint. Revert .ansible-lint offline so modules resolve. Co-authored-by: Cursor <cursoragent@cursor.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
- Set bootstrap_secrets_loaded_this_run after successful early-phase inject.
- Before late parse, if that fact is unset and bootstrap_secrets exist (v2), parse/inject bootstrap once then set the fact.
- Mirror the preflight in process_secrets.yml; document in load_secrets defaults and load_secrets playbook header.
Co-authored-by: Cursor <cursoragent@cursor.com>
set_fact from bootstrap k8s selection persisted on localhost so late phase kept k8s_secret_utils instead of vault_utils when backend is vault. Co-authored-by: Cursor <cursoragent@cursor.com>
Per early-phase inject run: reset counters, increment on real k8s namespace/secret changes, then debug counts only (no secret values). kubernetes.core.k8s tasks stay no_log; recap still reflects module changed state. Co-authored-by: Cursor <cursoragent@cursor.com>
Introduces an optional bootstrap_secrets section in the secrets file. These secrets are always injected as "none" (direct Kubernetes secret injection) type secrets by the backend.
These secrets are allowed to create their target namespaces if the namespaces do not currently exist.
Bootstrap secrets are installed with make install. make load-secrets keeps track of whether bootstrap secrets have already been injected in this run, and attempts to install them if not (in the ordinary pattern install case bootstrap secrets will not be injected twice). Bootstrap secrets (only) can be loaded on demand with the rhvp.cluster_utils.load_bootstrap_secrets playbook. The existing secrets loading path is visibly the same (the underlying Python implementation is more selective and somewhat clearer now).
Fixed the "display_secrets_info" playbook and updated it to show both classes of secrets.
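The following is an added example, not code from this PR or from the rhvp.cluster_utils collection. It models the rules stated in the canonical-usage comment and in the description above: a bootstrap secret entry names its targetNamespaces and fields, every field carries exactly one of value or path, the none backend rejects generate, bootstrap and regular secret names do not overlap, and the early-phase inject runs at most once per run (the bootstrap_secrets_loaded_this_run fact). The sample document is the parsed form of the canonical values-secret file with a hypothetical regular secret added; the create_secret callback standing in for the kubernetes.core.k8s tasks, the onMissingValue: generate spelling, and the function names are assumptions of this example.

```python
"""Validate and plan a v2.0 values-secret file that carries bootstrap_secrets.

Added example for this PR's bootstrap_secrets behaviour; not the
rhvp.cluster_utils implementation. It assumes the file has already been
loaded with yaml.safe_load into plain dicts and lists.
"""
from __future__ import annotations

import os
from typing import Any, Callable

# Constructed sample: the parsed form of the canonical values-secret file from
# the PR discussion, plus one hypothetical regular secret ("config-demo").
SAMPLE_DOC: dict[str, Any] = {
    "version": "2.0",
    "bootstrap_secrets": [
        {
            "name": "private-repo",
            "targetNamespaces": ["patterns-operator"],
            "fields": [
                {"name": "type", "value": "git"},
                {"name": "sshPrivateKey", "path": "~/.ssh/id_ed25519"},
                {"name": "url", "value": "git@github.com:mhjacks/private-pattern-test.git"},
            ],
        }
    ],
    "secrets": [{"name": "config-demo", "fields": [{"name": "secret", "value": "hello"}]}],
}


class SecretsValidationError(ValueError):
    """Raised when bootstrap_secrets is malformed or overlaps secrets[]."""


def validate_bootstrap_entry(entry: dict[str, Any]) -> None:
    """Check one entry against the rules of the direct-Kubernetes ("none") path.

    Each field needs exactly one of value/path. The none backend cannot generate
    values, so onMissingValue: generate (assumed v2.0 spelling) is rejected.
    """
    name = entry.get("name")
    if not isinstance(name, str) or not name:
        raise SecretsValidationError("bootstrap secret entry has no name")
    if not isinstance(entry.get("targetNamespaces"), list) or not entry["targetNamespaces"]:
        raise SecretsValidationError(f"{name}: targetNamespaces must be a non-empty list")
    fields = entry.get("fields")
    if not isinstance(fields, list) or not fields:
        raise SecretsValidationError(f"{name}: at least one field is required")
    for field in fields:
        fname = field.get("name")
        if not fname:
            raise SecretsValidationError(f"{name}: every field needs a name")
        if field.get("onMissingValue") == "generate":
            raise SecretsValidationError(f"{name}/{fname}: generate is not supported by the none backend")
        if sum(k in field for k in ("value", "path")) != 1:
            raise SecretsValidationError(f"{name}/{fname}: set exactly one of value or path")


def validate_document(doc: dict[str, Any]) -> list[str]:
    """Validate the whole file; return bootstrap secret names in load order."""
    if str(doc.get("version")) != "2.0":
        raise SecretsValidationError("bootstrap_secrets requires version 2.0")
    bootstrap = doc.get("bootstrap_secrets") or []
    for entry in bootstrap:
        validate_bootstrap_entry(entry)
    names = [e["name"] for e in bootstrap]
    overlap = set(names) & {e.get("name") for e in doc.get("secrets") or []}
    if overlap:
        raise SecretsValidationError(f"names in both sections: {sorted(overlap)}")
    return names


def plan_bootstrap_objects(doc: dict[str, Any]) -> list[tuple[str, str, tuple[str, ...]]]:
    """List the (namespace, secret name, field names) objects the early phase creates.

    Secret values never enter the plan, so it is safe to print in a recap.
    """
    return [
        (ns, e["name"], tuple(f["name"] for f in e["fields"]))
        for e in doc.get("bootstrap_secrets") or []
        for ns in e["targetNamespaces"]
    ]


def resolve_field(field: dict[str, Any], read_file: Callable[[str], str] | None = None) -> str:
    """Return a field's secret material: the inline value, or the file at path."""
    if "value" in field:
        return str(field["value"])
    reader = read_file or (lambda p: open(p, encoding="utf-8").read())
    return reader(os.path.expanduser(field["path"]))


class BootstrapInjector:
    """Inject bootstrap secrets at most once per run.

    create_secret(namespace, name, data) -> bool is a hypothetical stand-in for
    the kubernetes.core.k8s tasks; True means the object was created or changed.
    loaded_this_run mirrors the bootstrap_secrets_loaded_this_run fact.
    """

    def __init__(self, create_secret: Callable[[str, str, dict[str, str]], bool]) -> None:
        self.create_secret = create_secret
        self.loaded_this_run = False

    def inject(self, doc: dict[str, Any], read_file=None) -> int:
        """Return the number of changed secret objects (0 on a repeat call)."""
        if self.loaded_this_run:
            return 0
        validate_document(doc)
        changed = 0
        for entry in doc.get("bootstrap_secrets") or []:
            data = {f["name"]: resolve_field(f, read_file) for f in entry["fields"]}
            for ns in entry["targetNamespaces"]:
                if self.create_secret(ns, entry["name"], data):
                    changed += 1
        self.loaded_this_run = True
        return changed


if __name__ == "__main__":
    # The plan carries names only, so it can be logged without leaking values.
    print(validate_document(SAMPLE_DOC), plan_bootstrap_objects(SAMPLE_DOC))
```

Run it from a checkout after loading values-secret.yaml with yaml.safe_load and pass the result in place of SAMPLE_DOC; the injector's read_file hook lets a dry run inspect the plan without reading ~/.ssh.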