|
|
@@ -13,7 +13,8 @@
|
|
|
# limitations under the License.
|
|
|
---
|
|
|
|
|
|
-- name: Check login_vars.yml file is encrypted
|
|
|
+# Include telemetry/login_vars.yml
|
|
|
+- name: Check login_vars file is encrypted
|
|
|
command: cat {{ login_vars_file }}
|
|
|
changed_when: false
|
|
|
register: config_content
|
|
|
@@ -26,7 +27,7 @@
|
|
|
changed_when: false
|
|
|
when: "'$ANSIBLE_VAULT;' in config_content.stdout"
|
|
|
|
|
|
-- name: Include variable file login_vars.yml
|
|
|
+- name: Include variable file telemetry/login_vars.yml
|
|
|
include_vars: "{{ login_vars_file }}"
|
|
|
no_log: true
|
|
|
|
|
|
@@ -34,27 +35,52 @@
|
|
|
block:
|
|
|
- name: Assert timescaledb user name
|
|
|
assert:
|
|
|
- that: timescaledb_user | length > 1
|
|
|
+ that:
|
|
|
+ - timescaledb_user | length > 1
|
|
|
+ - '"-" not in timescaledb_user '
|
|
|
+ - '"\\" not in timescaledb_user '
|
|
|
+ - '"\"" not in timescaledb_user '
|
|
|
+ - " \"'\" not in timescaledb_user "
|
|
|
no_log: true
|
|
|
|
|
|
- name: Assert timescaledb user password
|
|
|
assert:
|
|
|
- that: timescaledb_password | length > 1
|
|
|
+ that:
|
|
|
+ - timescaledb_password | length > 1
|
|
|
+ - '"-" not in timescaledb_password '
|
|
|
+ - '"\\" not in timescaledb_password '
|
|
|
+ - '"\"" not in timescaledb_password '
|
|
|
+ - " \"'\" not in timescaledb_password "
|
|
|
no_log: true
|
|
|
|
|
|
- name: Assert mysqldb user name
|
|
|
assert:
|
|
|
- that: mysqldb_user | length > 1
|
|
|
+ that:
|
|
|
+ - mysqldb_user | length > 1
|
|
|
+ - '"-" not in mysqldb_user '
|
|
|
+ - '"\\" not in mysqldb_user '
|
|
|
+ - '"\"" not in mysqldb_user '
|
|
|
+ - " \"'\" not in mysqldb_user "
|
|
|
no_log: true
|
|
|
|
|
|
- name: Assert mysqldb user password
|
|
|
assert:
|
|
|
- that: mysqldb_password | length > 1
|
|
|
+ that:
|
|
|
+ - mysqldb_password | length > 1
|
|
|
+ - '"-" not in mysqldb_password '
|
|
|
+ - '"\\" not in mysqldb_password '
|
|
|
+ - '"\"" not in mysqldb_password '
|
|
|
+ - " \"'\" not in mysqldb_password "
|
|
|
no_log: true
|
|
|
|
|
|
- name: Assert mysqldb root user password
|
|
|
assert:
|
|
|
- that: mysqldb_root_password | length > 1
|
|
|
+ that:
|
|
|
+ - mysqldb_root_password | length > 1
|
|
|
+ - '"-" not in mysqldb_root_password '
|
|
|
+ - '"\\" not in mysqldb_root_password '
|
|
|
+ - '"\"" not in mysqldb_root_password '
|
|
|
+ - " \"'\" not in mysqldb_root_password "
|
|
|
no_log: true
|
|
|
|
|
|
rescue:
|
|
|
@@ -82,3 +108,66 @@
|
|
|
ansible-vault encrypt {{ login_vars_file }}
|
|
|
--vault-password-file {{ vault_filename }}
|
|
|
changed_when: false
|
|
|
+
|
|
|
+# Include control_plane/login_vars.yml
|
|
|
+- name: Check login_vars file is encrypted
|
|
|
+ command: cat {{ ctrl_plane_login_vars_filename }}
|
|
|
+ changed_when: false
|
|
|
+ register: config_content
|
|
|
+ no_log: true
|
|
|
+
|
|
|
+- name: Decrpyt login_vars.yml
|
|
|
+ command: >-
|
|
|
+ ansible-vault decrypt {{ ctrl_plane_login_vars_filename }}
|
|
|
+ --vault-password-file {{ ctrl_plane_login_vault_filename }}
|
|
|
+ changed_when: false
|
|
|
+ when: "'$ANSIBLE_VAULT;' in config_content.stdout"
|
|
|
+
|
|
|
+- name: Include variable file control_plane/login_vars.yml
|
|
|
+ include_vars: "{{ ctrl_plane_login_vars_filename }}"
|
|
|
+ no_log: true
|
|
|
+
|
|
|
+- name: Assert grafana credentials
|
|
|
+ block:
|
|
|
+ - name: Assert grafana_username and grafana_username
|
|
|
+ assert:
|
|
|
+ that:
|
|
|
+ - grafana_username | length >= min_length_grafana
|
|
|
+ - grafana_username | length <= max_length
|
|
|
+ - '"-" not in grafana_username '
|
|
|
+ - '"\\" not in grafana_username '
|
|
|
+ - '"\"" not in grafana_username '
|
|
|
+ - " \"'\" not in grafana_username "
|
|
|
+ - grafana_password | length >= min_length_grafana
|
|
|
+ - grafana_password | length <= max_length
|
|
|
+ - '"-" not in grafana_password '
|
|
|
+ - '"\\" not in grafana_password '
|
|
|
+ - '"\"" not in grafana_password '
|
|
|
+ - " \"'\" not in grafana_password "
|
|
|
+ no_log: true
|
|
|
+
|
|
|
+ rescue:
|
|
|
+ - name: Validation issue in control_plane/login_vars.yml
|
|
|
+ fail:
|
|
|
+ msg: "{{ ctrl_plane_login_vars_fail_msg }}"
|
|
|
+
|
|
|
+- name: Create ansible vault key
|
|
|
+ set_fact:
|
|
|
+ vault_key: "{{ lookup('password', '/dev/null chars=ascii_letters') }}"
|
|
|
+ when: "'$ANSIBLE_VAULT;' not in config_content.stdout"
|
|
|
+
|
|
|
+- name: Save vault key
|
|
|
+ copy:
|
|
|
+ dest: "{{ ctrl_plane_login_vault_filename }}"
|
|
|
+ content: |
|
|
|
+ {{ vault_key }}
|
|
|
+ owner: root
|
|
|
+ force: yes
|
|
|
+ mode: "{{ vault_file_perm }}"
|
|
|
+ when: "'$ANSIBLE_VAULT;' not in config_content.stdout"
|
|
|
+
|
|
|
+- name: Encrypt input config file
|
|
|
+ command: >-
|
|
|
+ ansible-vault encrypt {{ ctrl_plane_login_vars_filename }}
|
|
|
+ --vault-password-file {{ ctrl_plane_login_vault_filename }}
|
|
|
+ changed_when: false
|
sakshiarora13