kestra

Author: ildoc

ansible/tasks/vault/load-secrets-category.yaml

@@ -0,0 +1,22 @@
+---
+- name: Initialize category storage
+  ansible.builtin.set_fact:
+    category_secrets: {}
+
+- name: Load each secret in category {{ category.key }}
+  ansible.builtin.set_fact:
+    category_secrets: >-
+      {{
+        category_secrets | combine({
+          secret_item.key: lookup('community.hashi_vault.hashi_vault', secret_item.value)
+        })
+      }}
+  loop: "{{ category.value | dict2items }}"
+  loop_control:
+    loop_var: secret_item
+    label: "{{ category.key }}.{{ secret_item.key }}"
+  no_log: true
+
+- name: Store category in vault_secrets_loaded
+  ansible.builtin.set_fact:
+    vault_secrets_loaded: "{{ vault_secrets_loaded | combine({category.key: category_secrets}) }}"

ansible/tasks/vault/load-secrets.yaml

@@ -0,0 +1,27 @@
+---
+# Task riutilizzabile per caricare segreti da Vault
+# Usa vault_secrets_map definito nel playbook chiamante
+
+- name: Validate vault_secrets_map is defined
+  ansible.builtin.assert:
+    that:
+      - vault_secrets_map is defined
+      - vault_secrets_map | length > 0
+    fail_msg: "vault_secrets_map must be defined and not empty"
+
+- name: Initialize vault secrets storage
+  ansible.builtin.set_fact:
+    vault_secrets_loaded: {}
+  run_once: true
+
+- name: Load secrets from Vault for each category
+  ansible.builtin.include_tasks: load-secrets-category.yaml
+  loop: "{{ vault_secrets_map | dict2items }}"
+  loop_control:
+    loop_var: category
+  run_once: true
+
+- name: Display loaded categories
+  ansible.builtin.debug:
+    msg: "✓ Loaded {{ vault_secrets_loaded.keys() | list | length }} secret categories: {{ vault_secrets_loaded.keys() | list }}"
+  run_once: true

kubernetes/infra/manifests/infra-secrets/kestra-secrets.yaml

@@ -55,7 +55,3 @@ spec:
         key: kubernetes/data/apps/kestra
         property: gitlab_token
 
-    - secretKey: SLACK_WEBHOOK
-      remoteRef:
-        key: kubernetes/data/apps/kestra
-        property: slack_webhook