From 2984292dca33d4fa2b76af289c41cc7254e17fe9 Mon Sep 17 00:00:00 2001
From: bertiethorpe
Date: Fri, 5 Sep 2025 09:18:26 +0000
Subject: [PATCH 1/4] temp fix: add alertmanager passwd to persist_openhpc_secrets template

---
 .../roles/persist_openhpc_secrets/templates/openhpc_secrets.fact | 1 +
 1 file changed, 1 insertion(+)

diff --git a/ansible/roles/persist_openhpc_secrets/templates/openhpc_secrets.fact b/ansible/roles/persist_openhpc_secrets/templates/openhpc_secrets.fact
index 9d6de37d8..ca1742ce0 100644
--- a/ansible/roles/persist_openhpc_secrets/templates/openhpc_secrets.fact
+++ b/ansible/roles/persist_openhpc_secrets/templates/openhpc_secrets.fact
@@ -6,4 +6,5 @@
 "vault_mysql_root_password": "{{ lookup('password', '/dev/null') }}",
 "vault_mysql_slurm_password": "{{ lookup('password', '/dev/null') }}",
 "vault_openhpc_mungekey": "{{ lookup('pipe', 'dd if=/dev/urandom bs=1 count=1024 2>/dev/null | base64') | regex_replace('\s+', '') }}"
+ "vault_alertmanager_admin_password": "{{ lookup('password', '/dev/null') }}"
 }

From a3be3c9474977f6f818d5edcac15725e9c385fb3 Mon Sep 17 00:00:00 2001
From: bertiethorpe
Date: Fri, 5 Sep 2025 12:10:13 +0000
Subject: [PATCH 2/4] missing ','

---
 .../persist_openhpc_secrets/templates/openhpc_secrets.fact | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ansible/roles/persist_openhpc_secrets/templates/openhpc_secrets.fact b/ansible/roles/persist_openhpc_secrets/templates/openhpc_secrets.fact
index ca1742ce0..e049951e5 100644
--- a/ansible/roles/persist_openhpc_secrets/templates/openhpc_secrets.fact
+++ b/ansible/roles/persist_openhpc_secrets/templates/openhpc_secrets.fact
@@ -5,6 +5,6 @@
 "vault_elasticsearch_kibana_password": "{{ lookup('password', '/dev/null') }}",
 "vault_mysql_root_password": "{{ lookup('password', '/dev/null') }}",
 "vault_mysql_slurm_password": "{{ lookup('password', '/dev/null') }}",
- "vault_openhpc_mungekey": "{{ lookup('pipe', 'dd if=/dev/urandom bs=1 count=1024 2>/dev/null | base64') | regex_replace('\s+', '') }}"
+ "vault_openhpc_mungekey": "{{ lookup('pipe', 'dd if=/dev/urandom bs=1 count=1024 2>/dev/null | base64') | regex_replace('\s+', '') }}",
 "vault_alertmanager_admin_password": "{{ lookup('password', '/dev/null') }}"
 }

From 32e983803598386609fa2cb7f286663d2ae311dc Mon Sep 17 00:00:00 2001
From: bertiethorpe
Date: Fri, 5 Sep 2025 12:52:14 +0000
Subject: [PATCH 3/4] alertmanager admin passwd group_var

---
 environments/.caas/inventory/group_vars/all/cluster.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/environments/.caas/inventory/group_vars/all/cluster.yml b/environments/.caas/inventory/group_vars/all/cluster.yml
index b06314c03..14633c837 100644
--- a/environments/.caas/inventory/group_vars/all/cluster.yml
+++ b/environments/.caas/inventory/group_vars/all/cluster.yml
@@ -11,6 +11,7 @@ vault_elasticsearch_kibana_password: "{{ hostvars[groups['control'][0]].ansible_
 vault_mysql_root_password: "{{ hostvars[groups['control'][0]].ansible_local.openhpc_secrets.vault_mysql_root_password }}"
 vault_mysql_slurm_password: "{{ hostvars[groups['control'][0]].ansible_local.openhpc_secrets.vault_mysql_slurm_password }}"
 vault_openhpc_mungekey: "{{ hostvars[groups['control'][0]].ansible_local.openhpc_secrets.vault_openhpc_mungekey }}"
+vault_alertmanager_admin_password: "{{ hostvars[groups['control'][0]].ansible_local.openhpc_secrets.vault_alertmanager_admin_password }}"
 
 # Override this to cope with the case where the podman group just doesn't exist
 appliances_local_users_podman_enable: "{{ groups.get('podman', []) | length > 0 }}"

From 109f58497141adc031608fe68930699cc6c24c98 Mon Sep 17 00:00:00 2001
From: bertiethorpe
Date: Mon, 8 Sep 2025 13:47:48 +0000
Subject: [PATCH 4/4] make caas persist secrets idempotent

---
 .../roles/persist_openhpc_secrets/tasks/main.yml | 10 +++++++---
 .../templates/openhpc_secrets.fact | 16 ++++++++--------
 2 files changed, 15 insertions(+), 11 deletions(-)

diff --git a/ansible/roles/persist_openhpc_secrets/tasks/main.yml b/ansible/roles/persist_openhpc_secrets/tasks/main.yml
index 6ae9bcd59..e0f5865bf 100644
--- a/ansible/roles/persist_openhpc_secrets/tasks/main.yml
+++ b/ansible/roles/persist_openhpc_secrets/tasks/main.yml
@@ -14,14 +14,18 @@
 loop:
 - "{{ appliances_state_dir }}/ansible.facts.d"
 - "/etc/ansible/facts.d"
-
+
+- name: Load existing OpenHPC secrets if present
+ ansible.builtin.setup:
+ filter: ansible_local
+ when: openhpc_secrets_stat.stat.exists
+
 - name: Write OpenHPC secrets
 template:
 src: openhpc_secrets.fact
 dest: "{{ appliances_state_dir }}/ansible.facts.d/openhpc_secrets.fact"
 owner: root
 mode: 0600
- when: "not openhpc_secrets_stat.stat.exists"
 
 - name: Symlink persistent facts to facts_path
 file:
@@ -30,6 +34,6 @@
 dest: /etc/ansible/facts.d/openhpc_secrets.fact
 owner: root
 
-- name: Read facts
+- name: Refresh facts to pick up any new secrets
 ansible.builtin.setup:
 filter: ansible_local
diff --git a/ansible/roles/persist_openhpc_secrets/templates/openhpc_secrets.fact b/ansible/roles/persist_openhpc_secrets/templates/openhpc_secrets.fact
index e049951e5..5c6c5e64e 100644
--- a/ansible/roles/persist_openhpc_secrets/templates/openhpc_secrets.fact
+++ b/ansible/roles/persist_openhpc_secrets/templates/openhpc_secrets.fact
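Review bot: The `Write OpenHPC secrets` template task in the first hunk is now unconditional, so whenever the new `Load existing OpenHPC secrets` step does not actually surface `ansible_local.openhpc_secrets`, every `default(...)` in the template fires and the persisted fact file is overwritten with fresh random values, silently rotating credentials that MySQL, Grafana and munge are already configured with. That is reachable from the visible ordering: the load is gated on `openhpc_secrets_stat.stat.exists` (the stat task is outside the hunk and presumably checks the state-dir file), but `setup` reads `/etc/ansible/facts.d`, and the symlink into it is only created by the later `Symlink persistent facts to facts_path` task, so a host that has the state file but not yet the symlink loads nothing. Fail closed instead of regenerating: after the load add `- ansible.builtin.assert:` / `    that: ansible_local.openhpc_secrets is defined` / `  when: openhpc_secrets_stat.stat.exists`, or move the symlink task ahead of the load. Because the template is now rendered on every run, `no_log: true` on the write task is also worth adding so `--diff` output cannot print the secret values. The `openhpc_secrets.fact` hunk in this same commit shares the regeneration failure mode through its `default()` fallbacks.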
@@ -1,10 +1,10 @@
 {
- "vault_azimuth_user_password": "{{ lookup('password', '/dev/null') }}",
- "vault_grafana_admin_password": "{{ lookup('password', '/dev/null') }}",
- "vault_elasticsearch_admin_password": "{{ lookup('password', '/dev/null') }}",
- "vault_elasticsearch_kibana_password": "{{ lookup('password', '/dev/null') }}",
- "vault_mysql_root_password": "{{ lookup('password', '/dev/null') }}",
- "vault_mysql_slurm_password": "{{ lookup('password', '/dev/null') }}",
- "vault_openhpc_mungekey": "{{ lookup('pipe', 'dd if=/dev/urandom bs=1 count=1024 2>/dev/null | base64') | regex_replace('\s+', '') }}",
- "vault_alertmanager_admin_password": "{{ lookup('password', '/dev/null') }}"
+ "vault_azimuth_user_password": "{{ ansible_local.openhpc_secrets.vault_azimuth_user_password | default(lookup('password', '/dev/null')) }}",
+ "vault_grafana_admin_password": "{{ ansible_local.openhpc_secrets.vault_grafana_admin_password | default(lookup('password', '/dev/null')) }}",
+ "vault_elasticsearch_admin_password": "{{ ansible_local.openhpc_secrets.vault_elasticsearch_admin_password | default(lookup('password', '/dev/null')) }}",
+ "vault_elasticsearch_kibana_password": "{{ ansible_local.openhpc_secrets.vault_elasticsearch_kibana_password | default(lookup('password', '/dev/null')) }}",
+ "vault_mysql_root_password": "{{ ansible_local.openhpc_secrets.vault_mysql_root_password | default(lookup('password', '/dev/null')) }}",
+ "vault_mysql_slurm_password": "{{ ansible_local.openhpc_secrets.vault_mysql_slurm_password | default(lookup('password', '/dev/null')) }}",
+ "vault_openhpc_mungekey": "{{ ansible_local.openhpc_secrets.vault_openhpc_mungekey | default(lookup('pipe', 'dd if=/dev/urandom bs=1 count=1024 2>/dev/null | base64') | regex_replace('\\s+', '')) }}",
+ "vault_alertmanager_admin_password": "{{ ansible_local.openhpc_secrets.vault_alertmanager_admin_password | default(lookup('password', '/dev/null')) }}"
 }
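Review bot: The rewritten template in this hunk now has two behaviours per key (keep the persisted value, otherwise generate one), but nothing in the file states that or that it depends on `ansible_local.openhpc_secrets` having been loaded before rendering; a Jinja comment above the opening brace, which does not survive into the rendered JSON, would make the contract explicit. Something like `{# Preserve any secret already persisted in local facts; only keys that are missing get a freshly generated value. Requires ansible_local.openhpc_secrets to be loaded before rendering, otherwise every key below is regenerated. #}`. Note also that `default()` evaluates its argument eagerly, so the `lookup('password', ...)` calls and the `dd if=/dev/urandom` pipe run on every render even when the persisted value wins; that is harmless here but worth a line in the same comment so nobody reads the pipe invocation as proof that a new munge key was produced.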