[switchboard] Ansible role to load secrets.
For now the only secret contained is the password for the skolo machines.
Each role is a subdirectory of switchboard/roles
and each directory under that has special meaning,
in this case we just have tasks and a handler for
this role.
See also: https://docs.ansible.com/ansible/latest/user_guide/playbooks_reuse_roles.html#role-directory-structure
Bug: skia:12063
Change-Id: I6e14b83384563790b5865584b3f77141eaaeb843
Reviewed-on: https://skia-review.googlesource.com/c/buildbot/+/433716
Reviewed-by: Kevin Lubick <kjlubick@google.com>
Commit-Queue: Joe Gregorio <jcgregorio@google.com>
diff --git a/skolo/ansible/switchboard/roles/load_secret_vars/README.md b/skolo/ansible/switchboard/roles/load_secret_vars/README.md
new file mode 100644
index 0000000..0b99b56
--- /dev/null
+++ b/skolo/ansible/switchboard/roles/load_secret_vars/README.md
@@ -0,0 +1,45 @@
+# Role Name
+
+Loads secrets from berglas and makes them available as a variable.
+
+The secrets are stored as a single file, `secrets.yml`, in berglas secrets for
+the cluster `etc` and the secret name `ansible-secret-vars`.
+
+You can see this secret in the list of all secrets for the `etc` cluster:
+
+ $ ./kube/secrets/list-secrets-by-cluster.sh etc
+ k3s-node-token
+ authorized_keys
+ ansible-secret-vars
+
+## Editing
+
+To edit the secrets run:
+
+ kube/secrets/edit-secret.sh etc ansible-secret-vars
+
+You can now edit the secrets stored in the file at `/tmp/ramdisk/secrets.yml`.
+
+Add new secrets as `key: value` pairs of the top level `secrets` dictionary.
+
+The only secret in the file today is `skolo_password`.
+
+## Security
+
+The `secrets.yml` is only put in a temp file long enough to be loaded into an
+Ansible variable, then the temp file is removed by the `clean_up_tempfile`
+handler.
+
+## Example Playbook
+
+ - hosts: '{{ variable_hosts }}'
+ gather_facts: False
+
+ roles:
+ - load-secret-vars
+
+ tasks:
+ - name: Debug
+ delegate_to: 127.0.0.1
+ debug:
+ msg: 'Password: {{ secrets.skolo_password }}'
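Review bot: The example playbook references the role as `load-secret-vars` (hyphen) while the directory added in this change is `roles/load_secret_vars` (underscore), so `roles: - load-secret-vars` will not resolve to this role; make the README match the directory name. The `# Role Name` heading is also the generator placeholder and should read `# load_secret_vars`. Finally, the example `debug` task prints `{{ secrets.skolo_password }}` to the play output, which puts the secret into console logs and CI logs; a better example would show the variable being consumed by a task with `no_log: true` rather than echoed.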
diff --git a/skolo/ansible/switchboard/roles/load_secret_vars/handlers/main.yml b/skolo/ansible/switchboard/roles/load_secret_vars/handlers/main.yml
new file mode 100644
index 0000000..669301a
--- /dev/null
+++ b/skolo/ansible/switchboard/roles/load_secret_vars/handlers/main.yml
@@ -0,0 +1,7 @@
+---
+# handlers file for load-secret-vars
+- name: clean_up_tempfile
+ delegate_to: 127.0.0.1
+ file:
+ path: '{{ secrets_dir.path }}'
+ state: absent
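Review bot: The handler only runs if the play reaches the handler phase, so a failed task anywhere after `mktemp` leaves `{{ secrets_dir.path }}/secrets.yml` on the controller in plaintext. Consider setting `force_handlers: true` on the play (or running ansible with `--force-handlers`) so cleanup still happens on failure, or restructure the role tasks as a `block:` with an `always:` section that removes the directory instead of relying on a notified handler.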
diff --git a/skolo/ansible/switchboard/roles/load_secret_vars/tasks/main.yml b/skolo/ansible/switchboard/roles/load_secret_vars/tasks/main.yml
new file mode 100644
index 0000000..349f3ed
--- /dev/null
+++ b/skolo/ansible/switchboard/roles/load_secret_vars/tasks/main.yml
@@ -0,0 +1,23 @@
+---
+# tasks file for load-secret-vars
+- name: mktemp
+ delegate_to: 127.0.0.1
+ tempfile:
+ state: directory
+ register: secrets_dir
+
+- name: Extract secrets and trigger `clean_up_tempfile` handler for cleanup.
+ delegate_to: 127.0.0.1
+ command:
+ argv:
+ - '{{ role_path }}/../../../../../kube/secrets/get-secret-at-path.sh'
+ - etc
+ - ansible-secret-vars
+ - '.data."secrets.yml"'
+ - '{{ secrets_dir.path }}/secrets.yml'
+ creates: '{{ secrets_dir.path }}/secrets.yml'
+ notify: clean_up_tempfile
+
+- name: Import secrets as vars
+ include_vars:
+ file: '{{ secrets_dir.path }}/secrets.yml'
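Review bot: The `include_vars` task loads the secrets into Ansible facts without `no_log: true`, so with `-v` or higher the loaded `secrets` dictionary (including `skolo_password`) is printed in the task result; add `no_log: true` to this task and to the `command` task above it. The notified `clean_up_tempfile` handler does not run until the end of the play, so the plaintext file stays on disk for the whole run; adding a `- meta: flush_handlers` task immediately after `include_vars` shortens that window to just the extraction step. The `creates:` guard on the `command` task is also redundant here, since `tempfile` creates a fresh directory every run and the file can never pre-exist; it could be dropped to keep the task easier to read. The six-level `{{ role_path }}/../../../../../kube/secrets/get-secret-at-path.sh` path is fragile if the role is ever moved; a variable for the repository root (e.g. `{{ playbook_dir }}`-relative) would be easier to maintain.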