feat: rollout new tokens/passwords for dev stage

4 years ago · 9c7cdfd24b
parent 7bd1a1436b
commit 9c7cdfd24b
17 changed files with 616 additions and 606 deletions
--- a/create-server.yml
+++ b/create-server.yml
@ -60,7 +60,7 @@
        url: "https://api.hetzner.cloud/v1/firewalls"
        headers:
          accept: application/json
-          authorization: Bearer {{ hetzner_authentication_token }}
+          authorization: Bearer {{ hetzner_authentication_ansible }}
        return_content: yes
      register: hetzner_firewalls_response
      delegate_to: 127.0.0.1
--- a/group_vars/stage_dev/plain.yml
+++ b/group_vars/stage_dev/plain.yml
@ -343,3 +343,7 @@ management_oidc_client_secret: "{{ management_oidc_client_secret_vault }}"
 # smardigo automation DEV gpg key
 # pub part => https://dev-gitea-01.smardigo.digital/gitea-admin/communication-keys/
 gpg_key_smardigo_automation__private: '{{ gpg_key_smardigo_automation__private__vault }}'
+
+hetzner_authentication_ansible: "{{ hetzner_authentication_ansible_vault }}"
+hetzner_authentication_ccm: "{{ hetzner_authentication_ccm_vault }}"
+hetzner_authentication_csi: "{{ hetzner_authentication_csi_vault }}"
--- a/group_vars/stage_dev/vault.yml
+++ b/group_vars/stage_dev/vault.yml
--- a/provisioning.yml
+++ b/provisioning.yml
@ -19,7 +19,7 @@
        url: "https://api.hetzner.cloud/v1/firewalls"
        headers:
          accept: application/json
-          authorization: Bearer {{ hetzner_authentication_token }}
+          authorization: Bearer {{ hetzner_authentication_ansible }}
        return_content: yes
      register: hetzner_firewalls_response
      delegate_to: 127.0.0.1
--- a/roles/hcloud/tasks/_read_server_infos.yml
+++ b/roles/hcloud/tasks/_read_server_infos.yml
@ -2,7 +2,7 @@

 - name: "Gathering current server infos for group {{ current_server_group.name }} from hetzner"
  hcloud_server_info:
-    api_token: "{{ hetzner_authentication_token }}"
+    api_token: "{{ hetzner_authentication_ansible }}"
    label_selector: "{{ current_server_group.label_selector }}"
  register: current_server_infos
  delegate_to: 127.0.0.1
--- a/roles/hcloud/tasks/_read_server_names.yml
+++ b/roles/hcloud/tasks/_read_server_names.yml
@ -2,7 +2,7 @@

 - name: "Gathering current server infos for group {{ current_server_group.name }} from hetzner"
  hcloud_server_info:
-    api_token: "{{ hetzner_authentication_token }}"
+    api_token: "{{ hetzner_authentication_ansible }}"
    label_selector: "{{ current_server_group.label_selector }}"
  register: current_server_infos
  delegate_to: 127.0.0.1
--- a/roles/hcloud/tasks/_set_server_state.yml
+++ b/roles/hcloud/tasks/_set_server_state.yml
@ -2,7 +2,7 @@

 - name: "Checking state for server <{{ inventory_hostname }}> is <{{ server_state }}>"
  hetzner.hcloud.hcloud_server:
-    api_token: "{{ hetzner_authentication_token }}"
+    api_token: "{{ hetzner_authentication_ansible }}"
    name: "{{ inventory_hostname }}"
    server_type: "{{ hetzner_server_type }}"
    image: "{{ hetzner_server_image }}"
--- a/roles/hcloud/tasks/configure-firewall.yml
+++ b/roles/hcloud/tasks/configure-firewall.yml
@ -25,7 +25,7 @@
    body: "{{ lookup('template',firewall_template) }}"
    headers:
      accept: application/json
-      authorization: Bearer {{ hetzner_authentication_token }}
+      authorization: Bearer {{ hetzner_authentication_ansible }}
    return_content: yes
    status_code: 201
  when: firewall_records | selectattr("name", "equalto", current_firewall_name) | list | length == 0
@ -43,7 +43,7 @@
    body: "{{ lookup('template',firewall_template) }}"
    headers:
      accept: application/json
-      authorization: Bearer {{ hetzner_authentication_token }}
+      authorization: Bearer {{ hetzner_authentication_ansible }}
    return_content: yes
    status_code: 200
  when: firewall_records | selectattr("name", "equalto", current_firewall_name) | list | length == 1
--- a/roles/hcloud/tasks/configure-firewall2.yml
+++ b/roles/hcloud/tasks/configure-firewall2.yml
@ -6,7 +6,7 @@
    body_format: json
    headers:
      accept: application/json
-      authorization: Bearer {{ hetzner_authentication_token }}
+      authorization: Bearer {{ hetzner_authentication_ansible }}
    status_code: [200]
  register: hcloud_firewalls_all
  delegate_to: 127.0.0.1
@ -40,7 +40,7 @@
      body_format: json
      headers:
        accept: application/json
-        authorization: Bearer {{ hetzner_authentication_token }}
+        authorization: Bearer {{ hetzner_authentication_ansible }}
      status_code: [200]
    register: hcloud_firewalls_all
    delegate_to: 127.0.0.1
@ -63,7 +63,7 @@
    body_format: json
    headers:
      Content-Type:  application/json
-      authorization: Bearer {{ hetzner_authentication_token }}
+      authorization: Bearer {{ hetzner_authentication_ansible }}
    body: "{{ firewall_object | to_json }}"
    return_content: yes
    status_code: [201]
@ -80,7 +80,7 @@
    body_format: json
    headers:
      Content-Type:  application/json
-      authorization: Bearer {{ hetzner_authentication_token }}
+      authorization: Bearer {{ hetzner_authentication_ansible }}
    body: "{{ firewall_object | to_json }}"
    return_content: yes
    status_code: [200]
@ -105,7 +105,7 @@
      body_format: json
      headers:
        Content-Type:  application/json
-        authorization: Bearer {{ hetzner_authentication_token }}
+        authorization: Bearer {{ hetzner_authentication_ansible }}
      body: "{{ deactivate_fw_obj | to_json }}"
      return_content: yes
      status_code: [201]
@ -119,7 +119,7 @@
      body_format: json
      headers:
        Content-Type:  application/json
-        authorization: Bearer {{ hetzner_authentication_token }}
+        authorization: Bearer {{ hetzner_authentication_ansible }}
      return_content: yes
      status_code: [204]
    register: cleanup_firewall
--- a/roles/hcloud/tasks/configure-network.yml
+++ b/roles/hcloud/tasks/configure-network.yml
@ -2,7 +2,7 @@

 - name: "Checking present state for network <{{ current_network_name }}>"
  hcloud_network:
-    api_token: "{{ hetzner_authentication_token }}"
+    api_token: "{{ hetzner_authentication_ansible }}"
    name: "{{ current_network_name }}"
    labels: "{{ current_network_labels }}"
    ip_range: "{{ shared_service_network }}"
@ -16,7 +16,7 @@

 - name: "Checking present state for subnetwork for <{{ current_network_name }}>"
  hcloud_subnetwork:
-    api_token: "{{ hetzner_authentication_token }}"
+    api_token: "{{ hetzner_authentication_ansible }}"
    network: "{{ current_network_name }}"
    ip_range: "{{ shared_service_network }}"
    network_zone: eu-central
@ -31,7 +31,7 @@

 - name: "Checking present state for server network <{{ current_network_name }}> on <{{ inventory_hostname }}>"
  hcloud_server_network:
-    api_token: "{{ hetzner_authentication_token }}"
+    api_token: "{{ hetzner_authentication_ansible }}"
    network: "{{ current_network_name }}"
    server: "{{ inventory_hostname }}"
    state: present
--- a/roles/hcloud/tasks/main.yml
+++ b/roles/hcloud/tasks/main.yml
@ -11,7 +11,7 @@

 - name: "Gathering current server infos from hetzner"
  hcloud_server_info:
-    api_token: "{{ hetzner_authentication_token }}"
+    api_token: "{{ hetzner_authentication_ansible }}"
  register: hetzner_server_infos
  delegate_to: 127.0.0.1
  become: false
--- a/roles/hetzner_state/tasks/main.yml
+++ b/roles/hetzner_state/tasks/main.yml
@ -4,7 +4,7 @@

 - name: Ensure the server {{ inventory_hostname }} is {{ hetzner_state }}
  hcloud_server:
-    api_token: "{{ hetzner_authentication_token }}"
+    api_token: "{{ hetzner_authentication_ansible }}"
    image: "{{ hetzner_server_image }}"
    name: "{{ inventory_hostname }}"
    state: "{{ hetzner_state }}"
--- a/roles/kubernetes/cloud-controller-manager/tasks/main.yml
+++ b/roles/kubernetes/cloud-controller-manager/tasks/main.yml
@ -17,7 +17,7 @@
      type: Opaque
      data:
        network: "{{ stage | string | b64encode }}"
-        token: "{{ hetzner_authentication_token | string | b64encode }}"
+        token: "{{ hetzner_authentication_ccm | string | b64encode }}"
  when:
    - inventory_hostname == groups['kube_control_plane'][0]
  tags:
--- a/roles/kubernetes/container-storage-interface/tasks/main.yml
+++ b/roles/kubernetes/container-storage-interface/tasks/main.yml
@ -16,7 +16,7 @@
          provider: hcloud
      type: Opaque
      data:
-        token: "{{ hetzner_hcloud_csi_token | string | b64encode }}"
+        token: "{{ hetzner_authentication_csi | string | b64encode }}"
  when:
    - inventory_hostname == groups['kube_control_plane'][0]
  tags:
--- a/roles/postgres/tasks/base-requirements_backup.yml
+++ b/roles/postgres/tasks/base-requirements_backup.yml
@ -1,7 +1,7 @@
 ---
 - name: "Creating some hcloud volumes for backup purpose"
  hcloud_volume:
-    api_token: "{{ hetzner_authentication_token }}" 
+    api_token: "{{ hetzner_authentication_ansible }}" 
    name: "postgres-backup--{{ inventory_hostname }}--vol{{ item }}"
    server: "{{ inventory_hostname }}"
    labels:
@ -17,7 +17,7 @@

 - name: "Getting all hcloud volumes for"
  hcloud_volume_info:
-    api_token: "{{ hetzner_authentication_token }}" 
+    api_token: "{{ hetzner_authentication_ansible }}" 
    label_selector: "stage={{ stage }},used_for={{ inventory_hostname }}"
  register: hcloud_volumes_found 
  delegate_to: localhost
--- a/stage-netgo-hcloud.yml
+++ b/stage-netgo-hcloud.yml
@ -13,11 +13,11 @@ plugin: netgo-hcloud

 api_token: !vault |
          $ANSIBLE_VAULT;1.1;AES256
-          61353364633862333333623664376666363464386461646131616465356534393935383132653730
-          3166333033326265356565646431326431336533656434620a626336333234303062323930363562
-          39656365663139343863646466343938313064653935646462333163343363656438656334316263
-          6132653139313530630a613037643634326231623733393432633163666139306138623837646231
-          61316362396566656430363539333137356464663038313334306634633431363237303736356134
-          61393836656634336231616338633265393638633763626632633066313461333736666436373338
-          39653732393838643261343730323666373736386662623236343133373762663630653735613130
-          36636230623930336465
+          31303065663564373265333132646634653566653234396232343765623232363964343231643663
+          3835363666633435373336656530323966653062336536320a653364393835313130383363633339
+          34303066646133336530313339386662363933636137363761616532653336396437643761346338
+          3036313364326534650a653333326539333462636430333838633965336538646132303262346365
+          65656237386630376262646637666237383864333436383063373834663438306231346262666662
+          64666665353434623139373563653131306437616636316236326537303532626266356530643966
+          31343633343639306138656262313330623165326531356239383739623065633930663234343265
+          33343035363263613035
--- a/tasks/autodiscover_pre_tasks.yml
+++ b/tasks/autodiscover_pre_tasks.yml
@ -5,7 +5,7 @@
    url: "https://api.hetzner.cloud/v1/servers?label_selector=stage={{ stage }}"
    method: GET
    headers:
-      authorization: Bearer {{ hetzner_authentication_token }}
+      authorization: Bearer {{ hetzner_authentication_ansible }}
  register: hetzner_servers_result
  delegate_to: 127.0.0.1
  become: false
@ -35,7 +35,7 @@
      url: "https://api.hetzner.cloud/v1/servers?label_selector=stage={{ stage }}&page={{ item }}"
      method: GET
      headers:
-        authorization: Bearer {{ hetzner_authentication_token }}
+        authorization: Bearer {{ hetzner_authentication_ansible }}
    register: hetzner_servers_results
    with_sequence: start=1 end={{ total_server_pages }}
    delegate_to: 127.0.0.1
@ -69,7 +69,7 @@
    url: "https://api.hetzner.cloud/v1/networks?label_selector=stage={{ stage }}"
    method: GET
    headers:
-      authorization: Bearer {{ hetzner_authentication_token }}
+      authorization: Bearer {{ hetzner_authentication_ansible }}
  register: hetzner_networks
  delegate_to: 127.0.0.1
  become: false