From 73130afad5a69536713438f7048ec202ca9050f3 Mon Sep 17 00:00:00 2001
From: Ade Lee
Date: Mon, 8 Dec 2025 19:12:08 -0500
Subject: [PATCH] Separate the kustomization from the image creation

When we do adoption, we need to do the image creation and kustomization at different times. Its easiest just to separate into two playbooks.
---
hooks/playbooks/barbican-enable-proteccio.yml | 45 -------------------
.../playbooks/barbican-prepare-proteccio.yml | 45 +++++++++++++++++++
2 files changed, 45 insertions(+), 45 deletions(-)
create mode 100644 hooks/playbooks/barbican-prepare-proteccio.yml

diff --git a/hooks/playbooks/barbican-enable-proteccio.yml b/hooks/playbooks/barbican-enable-proteccio.yml
index 5bd6ff4fcb..3f5f27abdc 100644
--- a/hooks/playbooks/barbican-enable-proteccio.yml
+++ b/hooks/playbooks/barbican-enable-proteccio.yml
@@ -1,49 +1,4 @@
 ---
-- name: Create modified barbican image and get secrets
- hosts: "{{ cifmw_target_hook_host | default('localhost') }}"
- tasks:
- - name: Check out the role Git repository
- ansible.builtin.git:
- dest: "./rhoso_proteccio_hsm"
- repo: "{{ cifmw_hsm_proteccio_ansible_role_repo | default('https://github.com/openstack-k8s-operators/ansible-role-rhoso-proteccio-hsm.git', true) }}"
- version: "{{ cifmw_hsm_proteccio_ansible_role_version| default('main', true) }}"
-
- - name: Create and upload the new Barbican images
- ansible.builtin.include_role:
- name: rhoso_proteccio_hsm
- tasks_from: create_image
- vars:
- barbican_src_api_image_name: "{{ cifmw_barbican_src_api_image_name }}"
- barbican_src_worker_image_name: "{{ cifmw_barbican_src_worker_image_name }}"
- barbican_src_image_registry: "{{ content_provider_registry_ip }}:5001"
- barbican_src_image_namespace: "{{ cifmw_update_containers_org | default('podified-antelope-centos9') }}"
- barbican_src_image_tag: "{{ cifmw_update_containers_tag | default('component-ci-testing') }}"
- barbican_dest_api_image_name: "{{ cifmw_barbican_dest_api_image_name }}"
- barbican_dest_worker_image_name: "{{ cifmw_barbican_dest_worker_image_name }}"
- barbican_dest_image_registry: "{{ content_provider_registry_ip }}:5001"
- barbican_dest_image_namespace: "{{ cifmw_update_containers_org | default('podified-antelope-centos9') }}"
- barbican_dest_image_tag: "{{ cifmw_update_containers_barbican_custom_tag }}"
- image_registry_verify_tls: "{{ cifmw_image_registry_verify_tls | default('false', true) }}"
- proteccio_client_src: "{{ cifmw_hsm_proteccio_client_src }}"
- proteccio_client_iso: "{{ cifmw_hsm_proteccio_client_iso | default('Proteccio3.06.05.iso') }}"
-
- - name: Create secrets with the HSM certificates and hsm-login credentials
- ansible.builtin.include_role:
- name: rhoso_proteccio_hsm
- tasks_from: create_secrets
- vars:
- proteccio_conf_src: "{{ cifmw_hsm_proteccio_conf_src }}"
- proteccio_client_crt_src: "{{ cifmw_hsm_proteccio_client_crt_src }}"
- proteccio_client_key_src: "{{ cifmw_hsm_proteccio_client_key_src }}"
- proteccio_server_crt_src: "{{ cifmw_hsm_proteccio_server_crt_src }}"
- proteccio_password: "{{ cifmw_hsm_password }}"
- kubeconfig_path: "{{ cifmw_openshift_kubeconfig }}"
- oc_dir: "{{ cifmw_path }}"
- proteccio_data_secret: "{{ cifmw_hsm_proteccio_client_data_secret | default('barbican-proteccio-client-data', true) }}"
- proteccio_data_secret_namespace: "{{ cifmw_hsm_proteccio_client_data_secret_namespace }}"
- login_secret: "{{ cifmw_hsm_login_secret | default('barbican-proteccio-login', true) }}"
- login_secret_field: "{{ cifmw_hsm_login_secret_field | default('PKCS11Pin') }}"
-
 - name: Create kustomization to update Barbican to use proteccio
  hosts: "{{ cifmw_target_hook_host | default('localhost') }}"
  tasks:
diff --git a/hooks/playbooks/barbican-prepare-proteccio.yml b/hooks/playbooks/barbican-prepare-proteccio.yml
new file mode 100644
index 0000000000..6d8caec3f4
--- /dev/null
+++ b/hooks/playbooks/barbican-prepare-proteccio.yml
@@ -0,0 +1,45 @@
+---
+- name: Create modified barbican image and get secrets
+ hosts: "{{ cifmw_target_hook_host | default('localhost') }}"
+ tasks:
+ - name: Check out the role Git repository
+ ansible.builtin.git:
+ dest: "./rhoso_proteccio_hsm"
+ repo: "{{ cifmw_hsm_proteccio_ansible_role_repo | default('https://github.com/openstack-k8s-operators/ansible-role-rhoso-proteccio-hsm.git', true) }}"
+ version: "{{ cifmw_hsm_proteccio_ansible_role_version| default('main', true) }}"
+
+ - name: Create and upload the new Barbican images
+ ansible.builtin.include_role:
+ name: rhoso_proteccio_hsm
+ tasks_from: create_image
+ vars:
+ barbican_src_api_image_name: "{{ cifmw_barbican_src_api_image_name }}"
+ barbican_src_worker_image_name: "{{ cifmw_barbican_src_worker_image_name }}"
+ barbican_src_image_registry: "{{ content_provider_registry_ip }}:5001"
+ barbican_src_image_namespace: "{{ cifmw_update_containers_org | default('podified-antelope-centos9') }}"
+ barbican_src_image_tag: "{{ cifmw_update_containers_tag | default('component-ci-testing') }}"
+ barbican_dest_api_image_name: "{{ cifmw_barbican_dest_api_image_name }}"
+ barbican_dest_worker_image_name: "{{ cifmw_barbican_dest_worker_image_name }}"
+ barbican_dest_image_registry: "{{ content_provider_registry_ip }}:5001"
+ barbican_dest_image_namespace: "{{ cifmw_update_containers_org | default('podified-antelope-centos9') }}"
+ barbican_dest_image_tag: "{{ cifmw_update_containers_barbican_custom_tag }}"
+ image_registry_verify_tls: "{{ cifmw_image_registry_verify_tls | default('false', true) }}"
+ proteccio_client_src: "{{ cifmw_hsm_proteccio_client_src }}"
+ proteccio_client_iso: "{{ cifmw_hsm_proteccio_client_iso | default('Proteccio3.06.05.iso') }}"
+
+ - name: Create secrets with the HSM certificates and hsm-login credentials
+ ansible.builtin.include_role:
+ name: rhoso_proteccio_hsm
+ tasks_from: create_secrets
+ vars:
+ proteccio_conf_src: "{{ cifmw_hsm_proteccio_conf_src }}"
+ proteccio_client_crt_src: "{{ cifmw_hsm_proteccio_client_crt_src }}"
+ proteccio_client_key_src: "{{ cifmw_hsm_proteccio_client_key_src }}"
+ proteccio_server_crt_src: "{{ cifmw_hsm_proteccio_server_crt_src }}"
+ proteccio_password: "{{ cifmw_hsm_password }}"
+ kubeconfig_path: "{{ cifmw_openshift_kubeconfig }}"
+ oc_dir: "{{ cifmw_path }}"
+ proteccio_data_secret: "{{ cifmw_hsm_proteccio_client_data_secret | default('barbican-proteccio-client-data', true) }}"
+ proteccio_data_secret_namespace: "{{ cifmw_hsm_proteccio_client_data_secret_namespace }}"
+ login_secret: "{{ cifmw_hsm_login_secret | default('barbican-proteccio-login', true) }}"
+ login_secret_field: "{{ cifmw_hsm_login_secret_field | default('PKCS11Pin') }}"
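Review bot: The `version:` line of the "Check out the role Git repository" task still defaults to the mutable branch `main`, and the role fetched that way is then handed `cifmw_hsm_password`, the client key source and the kubeconfig path in the `create_secrets` include, so whatever is on that branch at run time executes with those credentials. Default to a reviewed tag or commit instead, e.g. `version: "{{ cifmw_hsm_proteccio_ansible_role_version | default('<PINNED_COMMIT_SHA>', true) }}"` (placeholder, not a real id), and bump it deliberately. Separately, `image_registry_verify_tls` falls back to `'false'`, which presumably disables certificate verification for the registry on port 5001 unless a job overrides it; if that is intended only for the CI content-provider registry, a comment saying so, or a default of `true` with an explicit CI override, would keep it from being copied elsewhere. Both lines are moved unchanged from barbican-enable-proteccio.yml, and the role's own tasks are not visible here, so whether it sets `no_log` around `proteccio_password` should be confirmed in that repository.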