diff --git a/README.md b/README.md index ec1a65ee9..b4d2cdb2e 100644 --- a/README.md +++ b/README.md @@ -44,6 +44,7 @@ An [Ansible AWX](https://github.com/ansible/awx) operator for Kubernetes built w * [CSRF Cookie Secure Setting](#csrf-cookie-secure-setting) * [Session Cookie Secure Setting](#session-cookie-secure-setting) * [Extra Settings](#extra-settings) + * [Configure no_log](#no-log) * [Service Account](#service-account) * [Uninstall](#uninstall) * [Upgrading](#upgrading) @@ -1019,6 +1020,21 @@ Example configuration of `extra_settings` parameter value: "cn=admin,dc=example,dc=com" ``` +#### No Log +Configure no_log for tasks with no_log + +| Name | Description | Default | +| ------ | -------------------- | ------- | +| no_log | No log configuration | 'true' | + +Example configuration of `no_log` parameter + +```yaml + spec: + no_log: 'true' +``` + + #### Service Account If you need to modify some `ServiceAccount` proprieties diff --git a/config/crd/bases/awx.ansible.com_awxs.yaml b/config/crd/bases/awx.ansible.com_awxs.yaml index 55e829917..33936cfdf 100644 --- a/config/crd/bases/awx.ansible.com_awxs.yaml +++ b/config/crd/bases/awx.ansible.com_awxs.yaml @@ -482,6 +482,9 @@ spec: x-kubernetes-preserve-unknown-fields: true type: object type: array + no_log: + description: Configure no_log for no_log tasks + type: string security_context_settings: description: Key/values that will be set under the pod-level securityContext field type: object diff --git a/config/crd/bases/awxbackup.ansible.com_awxbackups.yaml b/config/crd/bases/awxbackup.ansible.com_awxbackups.yaml index 607ec2450..e64b5c3bf 100644 --- a/config/crd/bases/awxbackup.ansible.com_awxbackups.yaml +++ b/config/crd/bases/awxbackup.ansible.com_awxbackups.yaml @@ -52,6 +52,9 @@ spec: postgres_image_version: description: PostgreSQL container image version to use type: string + no_log: + description: Configure no_log for no_log tasks + type: string status: type: object properties: 
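Review bot: The `no_log` property added to `config/crd/bases/awx.ansible.com_awxs.yaml` is an unconstrained `type: string`, so any value passes schema validation and whether secret-handling tasks are redacted depends on how Ansible later coerces that string. Because this field gates log redaction, I would constrain it in the schema, for example `enum: ['true', 'false']` under the existing `type: string`, so a typo is rejected when the resource is created rather than reaching the playbook. The description `Configure no_log for no_log tasks` does not say what the field does; `description: Hide output of tasks that handle secrets; set to 'false' only while debugging` would be clearer. The awxbackup and awxrestore CRD hunks add the same three lines and need the same change.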
diff --git a/config/crd/bases/awxrestore.ansible.com_awxrestores.yaml b/config/crd/bases/awxrestore.ansible.com_awxrestores.yaml index 67caefffa..f7f040471 100644 --- a/config/crd/bases/awxrestore.ansible.com_awxrestores.yaml +++ b/config/crd/bases/awxrestore.ansible.com_awxrestores.yaml @@ -56,6 +56,9 @@ spec: postgres_image_version: description: PostgreSQL container image version to use type: string + no_log: + description: Configure no_log for no_log tasks + type: string status: type: object properties: diff --git a/config/manifests/bases/awx-operator.clusterserviceversion.yaml b/config/manifests/bases/awx-operator.clusterserviceversion.yaml index 5a90e3e23..f7cc4ff5e 100644 --- a/config/manifests/bases/awx-operator.clusterserviceversion.yaml +++ b/config/manifests/bases/awx-operator.clusterserviceversion.yaml @@ -574,6 +574,11 @@ spec: x-descriptors: - urn:alm:descriptor:com.tectonic.ui:advanced - urn:alm:descriptor:com.tectonic.ui:hidden + - displayName: No Log Configuration + path: no_log + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:advanced + - urn:alm:descriptor:com.tectonic.ui:hidden - displayName: Security Context Settings path: security_context_settings x-descriptors: diff --git a/roles/backup/defaults/main.yml b/roles/backup/defaults/main.yml index 8a609fd2c..faf7f72fb 100644 --- a/roles/backup/defaults/main.yml +++ b/roles/backup/defaults/main.yml @@ -10,3 +10,6 @@ backup_pvc_namespace: "{{ ansible_operator_meta.namespace }}" # Size of backup PVC if created dynamically backup_storage_requirements: '' + +# Set no_log settings on certain tasks +no_log: 'true' diff --git a/roles/backup/tasks/dump_generated_secret.yml b/roles/backup/tasks/dump_generated_secret.yml index 71b3a4257..aba8a81c9 100644 --- a/roles/backup/tasks/dump_generated_secret.yml +++ b/roles/backup/tasks/dump_generated_secret.yml 
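Review bot: The comment above the new default in `roles/backup/defaults/main.yml`, `# Set no_log settings on certain tasks`, does not tell an operator what they give up by changing it. I would state the consequence next to the default, e.g. `# Keep 'true' outside of debugging: 'false' lets task arguments and results, which may include decoded Secret data, reach the operator log`. The variable also shares its name with the task keyword it feeds, which makes `no_log: "{{ no_log }}"` harder to read than a distinct name would, though renaming changes the CR field and is a judgement call. The installer and restore defaults hunks add the same two lines.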
@@ -25,15 +25,15 @@ namespace: '{{ ansible_operator_meta.namespace }}' name: "{{ _name }}" register: _secret - no_log: true + no_log: "{{ no_log }}" - name: Set secret data set_fact: _data: "{{ _secret['resources'][0]['data'] }}" _type: "{{ _secret['resources'][0]['type'] }}" - no_log: true + no_log: "{{ no_log }}" - name: Create and Add secret names and data to dictionary set_fact: secret_dict: "{{ secret_dict | default({}) | combine({ item: {'name': _name, 'data': _data, 'type': _type }}) }}" - no_log: true + no_log: "{{ no_log }}" diff --git a/roles/backup/tasks/dump_secret.yml b/roles/backup/tasks/dump_secret.yml index e927cac85..d6b05bb71 100644 --- a/roles/backup/tasks/dump_secret.yml +++ b/roles/backup/tasks/dump_secret.yml @@ -13,16 +13,16 @@ namespace: '{{ ansible_operator_meta.namespace }}' name: "{{ _name }}" register: _secret - no_log: true + no_log: "{{ no_log }}" - name: Set secret key set_fact: _data: "{{ _secret['resources'][0]['data'] }}" _type: "{{ _secret['resources'][0]['type'] }}" - no_log: true + no_log: "{{ no_log }}" - name: Create and Add secret names and data to dictionary set_fact: secret_dict: "{{ secret_dict | default({}) | combine({item: { 'name': _name, 'data': _data, 'type': _type }}) }}" - no_log: true + no_log: "{{ no_log }}" when: _name != '' diff --git a/roles/backup/tasks/postgres.yml b/roles/backup/tasks/postgres.yml index c9f9e6ceb..2a293f1d7 100644 --- a/roles/backup/tasks/postgres.yml +++ b/roles/backup/tasks/postgres.yml @@ -6,7 +6,7 @@ namespace: '{{ ansible_operator_meta.namespace }}' name: "{{ this_awx['resources'][0]['status']['postgresConfigurationSecret'] }}" register: pg_config - no_log: true + no_log: "{{ no_log }}" - name: Fail if postgres configuration secret status does not exist fail: 
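Review bot: The three `no_log: "{{ no_log }}"` lines in `roles/backup/tasks/dump_generated_secret.yml` rely on Ansible turning a user-supplied string into a boolean, and nothing visible in this diff ensures that an unexpected value (empty string, misspelling) ends up with redaction on. These tasks read Secret objects and copy their `data` into facts, so I would make the expression fail closed, e.g. `no_log: "{{ (no_log | string | lower) != 'false' }}"`, so that only an explicit 'false' turns redaction off. The same substitution is repeated in every task file this commit touches, so whichever form is chosen should be applied uniformly.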
@@ -21,7 +21,7 @@ awx_postgres_port: "{{ pg_config['resources'][0]['data']['port'] | b64decode }}" awx_postgres_host: "{{ pg_config['resources'][0]['data']['host'] | b64decode }}" awx_postgres_type: "{{ pg_config['resources'][0]['data']['type'] | default('unmanaged'|b64encode) | b64decode }}" - no_log: true + no_log: "{{ no_log }}" - block: - name: Delete pod to reload a resource configuration @@ -80,7 +80,7 @@ - name: Set full resolvable host name for postgres pod set_fact: resolvable_db_host: '{{ (awx_postgres_type == "managed") | ternary(awx_postgres_host + "." + ansible_operator_meta.namespace + ".svc.cluster.local", awx_postgres_host) }}' # yamllint disable-line rule:line-length - no_log: true + no_log: "{{ no_log }}" - name: Set pg_dump command set_fact: @@ -91,7 +91,7 @@ -d {{ awx_postgres_database }} -p {{ awx_postgres_port }} -F custom - no_log: true + no_log: "{{ no_log }}" - name: Write pg_dump to backup on PVC k8s_exec: @@ -104,5 +104,5 @@ echo 'Successful' """ register: data_migration - no_log: true + no_log: "{{ no_log }}" failed_when: "'Successful' not in data_migration.stdout" diff --git a/roles/backup/tasks/secrets.yml b/roles/backup/tasks/secrets.yml index b8302bfc1..0a6c095ae 100644 --- a/roles/backup/tasks/secrets.yml +++ b/roles/backup/tasks/secrets.yml @@ -39,7 +39,7 @@ - name: Nest secrets under a single variable set_fact: secrets: {"secrets": '{{ secret_dict }}'} - no_log: true + no_log: "{{ no_log }}" - name: Write postgres configuration to pvc k8s_exec: @@ -47,4 +47,4 @@ pod: "{{ ansible_operator_meta.name }}-db-management" command: >- bash -c "echo '{{ secrets | to_yaml }}' > {{ backup_dir }}/secrets.yml" - no_log: true + no_log: "{{ no_log }}" diff --git a/roles/installer/defaults/main.yml b/roles/installer/defaults/main.yml index e55caf6e2..b528c7421 100644 --- a/roles/installer/defaults/main.yml +++ b/roles/installer/defaults/main.yml 
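Review bot: In the last hunk of `roles/backup/tasks/secrets.yml` the `command` interpolates the whole `secrets` dictionary into `bash -c "echo '{{ secrets | to_yaml }}' > …"`, so with `no_log` set to 'false' the task's own arguments can carry every backed-up secret into the operator log. For tasks whose arguments are secret material, as opposed to tasks that only look an object up, I would keep `no_log: true` hard-coded or put them behind a separate, explicitly named switch. The same applies to the `create_superuser(…, '{{ admin_password }}')` task in `initialize_django.yml` and the `PGPASSWORD='{{ awx_old_postgres_pass }}'` task in `migrate_data.yml`. This task's opening lines are in the preceding hunk.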
@@ -281,3 +281,6 @@ garbage_collect_secrets: false development_mode: false security_context_settings: {} + +# Set no_log settings on certain tasks +no_log: 'true' diff --git a/roles/installer/tasks/admin_password_configuration.yml b/roles/installer/tasks/admin_password_configuration.yml index 551f68f30..00214e602 100644 --- a/roles/installer/tasks/admin_password_configuration.yml +++ b/roles/installer/tasks/admin_password_configuration.yml @@ -5,7 +5,7 @@ namespace: '{{ ansible_operator_meta.namespace }}' name: '{{ admin_password_secret }}' register: _custom_admin_password - no_log: true + no_log: "{{ no_log }}" when: admin_password_secret | length - name: Check for default admin password configuration @@ -14,19 +14,19 @@ namespace: '{{ ansible_operator_meta.namespace }}' name: '{{ ansible_operator_meta.name }}-admin-password' register: _default_admin_password - no_log: true + no_log: "{{ no_log }}" - name: Set admin password secret set_fact: _admin_password_secret: '{{ _custom_admin_password["resources"] | default([]) | length | ternary(_custom_admin_password, _default_admin_password) }}' - no_log: true + no_log: "{{ no_log }}" - block: - name: Create admin password secret k8s: apply: true definition: "{{ lookup('template', 'admin_password_secret.yaml.j2') }}" - no_log: true + no_log: "{{ no_log }}" - name: Read admin password secret k8s_info: 
@@ -34,16 +34,16 @@ namespace: '{{ ansible_operator_meta.namespace }}' name: '{{ ansible_operator_meta.name }}-admin-password' register: _generated_admin_password - no_log: true + no_log: "{{ no_log }}" when: not _admin_password_secret['resources'] | default([]) | length - name: Set admin password secret set_fact: __admin_password_secret: '{{ _generated_admin_password["resources"] | default([]) | length | ternary(_generated_admin_password, _admin_password_secret) }}' - no_log: true + no_log: "{{ no_log }}" - name: Store admin password set_fact: admin_password: "{{ __admin_password_secret['resources'][0]['data']['password'] | b64decode }}" - no_log: true + no_log: "{{ no_log }}" diff --git a/roles/installer/tasks/broadcast_websocket_configuration.yml b/roles/installer/tasks/broadcast_websocket_configuration.yml index b417aed00..90da32aa7 100644 --- a/roles/installer/tasks/broadcast_websocket_configuration.yml +++ b/roles/installer/tasks/broadcast_websocket_configuration.yml @@ -5,7 +5,7 @@ namespace: '{{ ansible_operator_meta.namespace }}' name: '{{ broadcast_websocket_secret }}' register: _custom_broadcast_websocket - no_log: true + no_log: "{{ no_log }}" when: broadcast_websocket_secret | length - name: Check for default broadcast websocket secret configuration 
@@ -14,20 +14,20 @@ namespace: '{{ ansible_operator_meta.namespace }}' name: '{{ ansible_operator_meta.name }}-broadcast-websocket' register: _default_broadcast_websocket - no_log: true + no_log: "{{ no_log }}" - name: Set broadcast websocket secret set_fact: # yamllint disable-line rule:line-length _broadcast_websocket_secret: '{{ _custom_broadcast_websocket["resources"] | default([]) | length | ternary(_custom_broadcast_websocket, _default_broadcast_websocket) }}' # noqa 204 - no_log: true + no_log: "{{ no_log }}" - block: - name: Create broadcast websocket secret k8s: apply: true definition: "{{ lookup('template', 'broadcast_websocket_secret.yaml.j2') }}" - no_log: true + no_log: "{{ no_log }}" - name: Read broadcast websocket secret k8s_info: @@ -35,7 +35,7 @@ namespace: '{{ ansible_operator_meta.namespace }}' name: '{{ ansible_operator_meta.name }}-broadcast-websocket' register: _generated_broadcast_websocket - no_log: true + no_log: "{{ no_log }}" when: not _broadcast_websocket_secret['resources'] | default([]) | length @@ -43,9 +43,9 @@ set_fact: # yamllint disable-line rule:line-length __broadcast_websocket_secret: '{{ _generated_broadcast_websocket["resources"] | default([]) | length | ternary(_generated_broadcast_websocket, _broadcast_websocket_secret) }}' # noqa 204 - no_log: true + no_log: "{{ no_log }}" - name: Store broadcast websocket secret name set_fact: broadcast_websocket_secret_value: "{{ __broadcast_websocket_secret['resources'][0]['data']['secret'] | b64decode }}" - no_log: true + no_log: "{{ no_log }}" diff --git a/roles/installer/tasks/cleanup.yml b/roles/installer/tasks/cleanup.yml index 2efaf8ea0..a5f8ebdaa 100644 --- a/roles/installer/tasks/cleanup.yml +++ b/roles/installer/tasks/cleanup.yml @@ -23,6 +23,6 @@ - '{{ _secret_key }}' - '{{ _postgres_configuration }}' - '{{ _broadcast_websocket_secret }}' - no_log: true + no_log: "{{ no_log }}" when: not garbage_collect_secrets | bool 
diff --git a/roles/installer/tasks/database_configuration.yml b/roles/installer/tasks/database_configuration.yml index c120e86b7..dc327da8c 100644 --- a/roles/installer/tasks/database_configuration.yml +++ b/roles/installer/tasks/database_configuration.yml @@ -6,7 +6,7 @@ name: '{{ postgres_configuration_secret }}' register: _custom_pg_config_resources when: postgres_configuration_secret | length - no_log: true + no_log: "{{ no_log }}" - name: Check for default PostgreSQL configuration k8s_info: @@ -14,7 +14,7 @@ namespace: '{{ ansible_operator_meta.namespace }}' name: '{{ ansible_operator_meta.name }}-postgres-configuration' register: _default_pg_config_resources - no_log: true + no_log: "{{ no_log }}" - name: Check for specified old PostgreSQL configuration secret k8s_info: @@ -23,7 +23,7 @@ name: '{{ old_postgres_configuration_secret }}' register: _custom_old_pg_config_resources when: old_postgres_configuration_secret | length - no_log: true + no_log: "{{ no_log }}" - name: Check for default old PostgreSQL configuration k8s_info: @@ -31,7 +31,7 @@ namespace: '{{ ansible_operator_meta.namespace }}' name: '{{ ansible_operator_meta.name }}-old-postgres-configuration' register: _default_old_pg_config_resources - no_log: true + no_log: "{{ no_log }}" - name: Set old PostgreSQL configuration set_fact: @@ -45,7 +45,7 @@ when: - old_pg_config['resources'] is defined - old_pg_config['resources'] | length - no_log: true + no_log: "{{ no_log }}" - name: Set default postgres image set_fact: @@ -54,7 +54,7 @@ - name: Set PostgreSQL configuration set_fact: _pg_config: '{{ _custom_pg_config_resources["resources"] | default([]) | length | ternary(_custom_pg_config_resources, _default_pg_config_resources) }}' - no_log: true + no_log: "{{ no_log }}" - name: Set user provided postgres image set_fact: 
@@ -72,7 +72,7 @@ k8s: apply: true definition: "{{ lookup('template', 'postgres_secret.yaml.j2') }}" - no_log: true + no_log: "{{ no_log }}" - name: Read Database Configuration k8s_info: @@ -80,13 +80,13 @@ namespace: '{{ ansible_operator_meta.namespace }}' name: '{{ ansible_operator_meta.name }}-postgres-configuration' register: _generated_pg_config_resources - no_log: true + no_log: "{{ no_log }}" when: not _pg_config['resources'] | default([]) | length - name: Set PostgreSQL Configuration set_fact: pg_config: '{{ _generated_pg_config_resources["resources"] | default([]) | length | ternary(_generated_pg_config_resources, _pg_config) }}' - no_log: true + no_log: "{{ no_log }}" - name: Set actual postgres configuration secret used set_fact: @@ -140,7 +140,7 @@ awx_postgres_port: "{{ pg_config['resources'][0]['data']['port'] | b64decode }}" awx_postgres_host: "{{ pg_config['resources'][0]['data']['host'] | b64decode }}" awx_postgres_sslmode: "{{ pg_config['resources'][0]['data']['sslmode'] | default('prefer'|b64encode) | b64decode }}" - no_log: true + no_log: "{{ no_log }}" - name: Wait for Database to initialize if managed DB k8s_info: diff --git a/roles/installer/tasks/initialize_django.yml b/roles/installer/tasks/initialize_django.yml index 1428dbda8..85c2fa434 100644 --- a/roles/installer/tasks/initialize_django.yml +++ b/roles/installer/tasks/initialize_django.yml @@ -22,7 +22,7 @@ bash -c "echo \"from django.contrib.auth.models import User; User.objects.create_superuser('{{ admin_user }}', '{{ admin_email }}', '{{ admin_password }}')\" | awx-manage shell" - no_log: true + no_log: "{{ no_log }}" when: users_result.return_code > 0 - name: Check if legacy queue is present 
@@ -57,7 +57,7 @@ _execution_environments_pull_credentials: >- {{ _custom_execution_environments_pull_credentials["resources"] | default([]) | length | ternary(_custom_execution_environments_pull_credentials, []) }} - no_log: true + no_log: "{{ no_log }}" - name: Register default execution environments (without authentication) k8s_exec: @@ -78,7 +78,7 @@ default_execution_environment_pull_credentials_url: "{{ _execution_environments_pull_credentials['resources'][0]['data']['url'] | b64decode }}" default_execution_environment_pull_credentials_url_verify: >- {{ _execution_environments_pull_credentials['resources'][0]['data']['ssl_verify'] | default("True"|b64encode) | b64decode }} - no_log: true + no_log: "{{ no_log }}" - name: Register default execution environments (with authentication) k8s_exec: @@ -93,7 +93,7 @@ --verify-ssl='{{ default_execution_environment_pull_credentials_url_verify }}'" register: ree changed_when: "'changed: True' in ree.stdout" - no_log: true + no_log: "{{ no_log }}" when: _execution_environments_pull_credentials['resources'] | default([]) | length - name: Create preload data if necessary. # noqa 305 diff --git a/roles/installer/tasks/load_bundle_cacert_secret.yml b/roles/installer/tasks/load_bundle_cacert_secret.yml index 96d46f2d6..95c129465 100644 --- a/roles/installer/tasks/load_bundle_cacert_secret.yml +++ b/roles/installer/tasks/load_bundle_cacert_secret.yml @@ -5,10 +5,10 @@ namespace: '{{ ansible_operator_meta.namespace }}' name: '{{ bundle_cacert_secret }}' register: bundle_cacert - no_log: true + no_log: "{{ no_log }}" - name: Load bundle Certificate Authority Secret content set_fact: bundle_ca_crt: '{{ bundle_cacert["resources"][0]["data"]["bundle-ca.crt"] | b64decode }}' - no_log: true + no_log: "{{ no_log }}" when: '"bundle-ca.crt" in bundle_cacert["resources"][0]["data"]' diff --git a/roles/installer/tasks/load_ldap_cacert_secret.yml b/roles/installer/tasks/load_ldap_cacert_secret.yml index a384cfd63..55818f4f0 100644 
--- a/roles/installer/tasks/load_ldap_cacert_secret.yml +++ b/roles/installer/tasks/load_ldap_cacert_secret.yml @@ -5,10 +5,10 @@ namespace: '{{ ansible_operator_meta.namespace }}' name: '{{ ldap_cacert_secret }}' register: ldap_cacert - no_log: true + no_log: "{{ no_log }}" - name: Load LDAP CA Certificate Secret content set_fact: ldap_cacert_ca_crt: '{{ ldap_cacert["resources"][0]["data"]["ldap-ca.crt"] | b64decode }}' - no_log: true + no_log: "{{ no_log }}" when: '"ldap-ca.crt" in ldap_cacert["resources"][0]["data"]' diff --git a/roles/installer/tasks/load_ldap_password_secret.yml b/roles/installer/tasks/load_ldap_password_secret.yml index 5b1418523..2692dfecb 100644 --- a/roles/installer/tasks/load_ldap_password_secret.yml +++ b/roles/installer/tasks/load_ldap_password_secret.yml @@ -5,10 +5,10 @@ namespace: '{{ ansible_operator_meta.namespace }}' name: '{{ ldap_password_secret }}' register: ldap_password - no_log: true + no_log: "{{ no_log }}" - name: Load LDAP bind password Secret content set_fact: ldap_bind_password: '{{ ldap_password["resources"][0]["data"]["ldap-password"] | b64decode }}' - no_log: true + no_log: "{{ no_log }}" when: '"ldap-password" in ldap_password["resources"][0]["data"]' diff --git a/roles/installer/tasks/load_route_tls_secret.yml b/roles/installer/tasks/load_route_tls_secret.yml index 912c12e60..120f4543f 100644 --- a/roles/installer/tasks/load_route_tls_secret.yml +++ b/roles/installer/tasks/load_route_tls_secret.yml 
@@ -5,16 +5,16 @@ namespace: '{{ ansible_operator_meta.namespace }}' name: '{{ route_tls_secret }}' register: route_tls - no_log: true + no_log: "{{ no_log }}" - name: Load Route TLS Secret content set_fact: route_tls_key: '{{ route_tls["resources"][0]["data"]["tls.key"] | b64decode }}' route_tls_crt: '{{ route_tls["resources"][0]["data"]["tls.crt"] | b64decode }}' - no_log: true + no_log: "{{ no_log }}" - name: Load Route TLS Secret content set_fact: route_ca_crt: '{{ route_tls["resources"][0]["data"]["ca.crt"] | b64decode }}' - no_log: true + no_log: "{{ no_log }}" when: '"ca.crt" in route_tls["resources"][0]["data"]' diff --git a/roles/installer/tasks/migrate_data.yml b/roles/installer/tasks/migrate_data.yml index 019616a49..b12b825c6 100644 --- a/roles/installer/tasks/migrate_data.yml +++ b/roles/installer/tasks/migrate_data.yml @@ -11,7 +11,7 @@ awx_old_postgres_database: "{{ old_pg_config['resources'][0]['data']['database'] | b64decode }}" awx_old_postgres_port: "{{ old_pg_config['resources'][0]['data']['port'] | b64decode }}" awx_old_postgres_host: "{{ old_pg_config['resources'][0]['data']['host'] | b64decode }}" - no_log: true + no_log: "{{ no_log }}" - name: Default label selector to custom resource generated postgres set_fact: @@ -49,7 +49,7 @@ -d {{ awx_old_postgres_database }} -p {{ awx_old_postgres_port }} -F custom - no_log: true + no_log: "{{ no_log }}" - name: Set pg_restore command set_fact: @@ -57,7 +57,7 @@ pg_restore --clean --if-exists -U {{ database_username }} -d {{ database_name }} - no_log: true + no_log: "{{ no_log }}" - name: Stream backup from pg_dump to the new postgresql container k8s_exec: @@ -69,7 +69,7 @@ PGPASSWORD='{{ awx_old_postgres_pass }}' {{ pgdump }} | PGPASSWORD='{{ awx_postgres_pass }}' {{ pg_restore }} echo 'Successful' """ - no_log: true + no_log: "{{ no_log }}" register: data_migration failed_when: "'Successful' not in data_migration.stdout" 
diff --git a/roles/installer/tasks/resources_configuration.yml b/roles/installer/tasks/resources_configuration.yml index 0a3be76ca..e4f5e5af1 100644 --- a/roles/installer/tasks/resources_configuration.yml +++ b/roles/installer/tasks/resources_configuration.yml @@ -40,7 +40,7 @@ - 'persistent' - 'service' - 'ingress' - no_log: true + no_log: "{{ no_log }}" - name: Set default awx app image set_fact: diff --git a/roles/installer/tasks/secret_key_configuration.yml b/roles/installer/tasks/secret_key_configuration.yml index 96a6fa37c..9c8a3cab8 100644 --- a/roles/installer/tasks/secret_key_configuration.yml +++ b/roles/installer/tasks/secret_key_configuration.yml @@ -5,7 +5,7 @@ namespace: '{{ ansible_operator_meta.namespace }}' name: '{{ secret_key_secret }}' register: _custom_secret_key - no_log: true + no_log: "{{ no_log }}" when: secret_key_secret | length - name: Check for default secret key configuration @@ -14,19 +14,19 @@ namespace: '{{ ansible_operator_meta.namespace }}' name: '{{ ansible_operator_meta.name }}-secret-key' register: _default_secret_key - no_log: true + no_log: "{{ no_log }}" - name: Set secret key secret set_fact: _secret_key_secret: '{{ _custom_secret_key["resources"] | default([]) | length | ternary(_custom_secret_key, _default_secret_key) }}' - no_log: true + no_log: "{{ no_log }}" - block: - name: Create secret key secret k8s: apply: true definition: "{{ lookup('template', 'secret_key.yaml.j2') }}" - no_log: true + no_log: "{{ no_log }}" - name: Read secret key secret k8s_info: 
@@ -34,16 +34,16 @@ namespace: '{{ ansible_operator_meta.namespace }}' name: '{{ ansible_operator_meta.name }}-secret-key' register: _generated_secret_key - no_log: true + no_log: "{{ no_log }}" when: not _secret_key_secret['resources'] | default([]) | length - name: Set secret key secret set_fact: __secret_key_secret: '{{ _generated_secret_key["resources"] | default([]) | length | ternary(_generated_secret_key, _secret_key_secret) }}' - no_log: true + no_log: "{{ no_log }}" - name: Store secret key secret name set_fact: secret_key_secret_name: "{{ __secret_key_secret['resources'][0]['metadata']['name'] }}" - no_log: true + no_log: "{{ no_log }}" diff --git a/roles/restore/defaults/main.yml b/roles/restore/defaults/main.yml index 4b4258357..1d1a1a14a 100644 --- a/roles/restore/defaults/main.yml +++ b/roles/restore/defaults/main.yml @@ -10,3 +10,6 @@ backup_pvc_namespace: '{{ ansible_operator_meta.namespace }}' # Required: backup name, found on the awxbackup object backup_dir: '' + +# Set no_log settings on certain tasks +no_log: 'true' diff --git a/roles/restore/tasks/cleanup.yml b/roles/restore/tasks/cleanup.yml index aceefd050..59770ee79 100644 --- a/roles/restore/tasks/cleanup.yml +++ b/roles/restore/tasks/cleanup.yml @@ -22,7 +22,7 @@ - '{{ admin_password_secret }}' - '{{ broadcast_websocket_secret }}' - '{{ postgres_configuration_secret }}' - no_log: true + no_log: "{{ no_log }}" - name: Cleanup temp spec file file: diff --git a/roles/restore/tasks/postgres.yml b/roles/restore/tasks/postgres.yml index b9ff40d82..bbf91b723 100644 --- a/roles/restore/tasks/postgres.yml +++ b/roles/restore/tasks/postgres.yml @@ -10,7 +10,7 @@ namespace: '{{ ansible_operator_meta.namespace }}' name: '{{ postgres_configuration_secret }}' register: pg_config - no_log: true + no_log: "{{ no_log }}" - name: Store Database Configuration set_fact: 
@@ -20,7 +20,7 @@ awx_postgres_port: "{{ pg_config['resources'][0]['data']['port'] | b64decode }}" awx_postgres_host: "{{ pg_config['resources'][0]['data']['host'] | b64decode }}" awx_postgres_type: "{{ pg_config['resources'][0]['data']['type'] | b64decode | default('unmanaged') }}" - no_log: true + no_log: "{{ no_log }}" - name: Default label selector to custom resource generated postgres set_fact: @@ -66,7 +66,7 @@ - name: Set full resolvable host name for postgres pod set_fact: resolvable_db_host: "{{ awx_postgres_host }}.{{ ansible_operator_meta.namespace }}.svc.cluster.local" - no_log: true + no_log: "{{ no_log }}" when: awx_postgres_type == 'managed' - name: Set pg_restore command @@ -78,7 +78,7 @@ -U {{ awx_postgres_user }} -d {{ awx_postgres_database }} -p {{ awx_postgres_port }} - no_log: true + no_log: "{{ no_log }}" - name: Restore database dump to the new postgresql container k8s_exec: @@ -91,5 +91,5 @@ echo 'Successful' """ register: data_migration - no_log: true + no_log: "{{ no_log }}" failed_when: "'Successful' not in data_migration.stdout" diff --git a/roles/restore/tasks/secrets.yml b/roles/restore/tasks/secrets.yml index 942b8b6f3..7b550a0b4 100644 --- a/roles/restore/tasks/secrets.yml +++ b/roles/restore/tasks/secrets.yml @@ -7,7 +7,7 @@ command: >- bash -c "cat '{{ backup_dir }}/secrets.yml'" register: _secrets - no_log: true + no_log: "{{ no_log }}" - name: Create Temporary secrets file tempfile: 
@@ -20,38 +20,38 @@ dest: "{{ tmp_secrets.path }}" content: "{{ _secrets.stdout }}" mode: 0640 - no_log: true + no_log: "{{ no_log }}" - name: Include secret vars from backup include_vars: "{{ tmp_secrets.path }}" - no_log: true + no_log: "{{ no_log }}" - name: If deployment is managed, set the database_host in the pg config secret block: - name: Set new database host set_fact: database_host: "{{ deployment_name }}-postgres" - no_log: true + no_log: "{{ no_log }}" - name: Set tmp postgres secret dict set_fact: _pg_secret: "{{ secrets['postgresConfigurationSecret'] }}" - no_log: true + no_log: "{{ no_log }}" - name: Change postgres host value set_fact: _pg_data: "{{ _pg_secret['data'] | combine({'host': database_host | b64encode }) }}" - no_log: true + no_log: "{{ no_log }}" - name: Create a postgres secret with the new host value set_fact: _pg_secret: "{{ _pg_secret | combine({'data': _pg_data}) }}" - no_log: true + no_log: "{{ no_log }}" - name: Create a new dict of secrets with the new postgres secret set_fact: secrets: "{{ secrets | combine({'postgresConfigurationSecret': _pg_secret}) }}" - no_log: true + no_log: "{{ no_log }}" when: secrets['postgresConfigurationSecret']['data']['type'] | b64decode == 'managed' - name: Apply secret @@ -61,7 +61,7 @@ apply: yes wait: yes definition: "{{ lookup('template', 'secrets.yml.j2') }}" - no_log: true + no_log: "{{ no_log }}" - name: Remove ownerReference on restored secrets k8s: @@ -73,4 +73,4 @@ namespace: '{{ ansible_operator_meta.namespace }}' ownerReferences: null loop: "{{ secrets | dict2items }}" - no_log: true + no_log: "{{ no_log }}"
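Review bot: The `Remove ownerReference on restored secrets` task in the final hunk loops over `secrets | dict2items` without a loop label, so once `no_log` is 'false' each iteration's item, which holds the full secret entry, is likely to be shown in the task output. Adding `loop_control:` with `label: "{{ item.key }}"` would keep the per-item display down to the secret's key; the full result may still appear at higher verbosity, so this reduces the exposure rather than removing it. The task begins outside this hunk, so the placement needs checking against the full file.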