Merge pull request #329 from stackhpc/fix/73

sjpb · web-flow · commit 27b6e3b201f4 · 2023-12-01T09:39:41.000Z
Fix #73: Fails late if no secrets defined
diff --git a/ansible/roles/passwords/tasks/validate.yml b/ansible/roles/passwords/tasks/validate.yml
@@ -0,0 +1,4 @@
+- name: Assert secrets created
+  assert:
+    that: (hostvars[inventory_hostname].keys() | select('contains', 'vault_') | length) > 1 # 1 as may have vault_testuser_password defined in dev
+    fail_msg: "No inventory variables 'vault_*' found: Has ansible/adhoc/generate-passwords.yml been run?"
diff --git a/ansible/site.yml b/ansible/site.yml
@@ -9,7 +9,7 @@
   when: hook_path | exists
 
 - import_playbook: validate.yml
-  when: "{{ appliances_validate | default(true) }}"
+  when: appliances_validate | default(true)
 
 - import_playbook: bootstrap.yml
 
diff --git a/ansible/validate.yml b/ansible/validate.yml
@@ -2,6 +2,14 @@
 
 # Fail early if configuration is invalid
 
+- name: Validate secrets created
+  hosts: localhost
+  gather_facts: false
+  tasks:
+    - import_role:
+        name: passwords
+        tasks_from: validate.yml
+
 - name: Ensure control node is in inventory
   hosts: all
   gather_facts: false
diff --git a/environments/common/layouts/everything b/environments/common/layouts/everything
@@ -25,7 +25,7 @@ control
 [filebeat:children]
 slurm_stats
 
-# NB: [rebuild] not defined here as this template is used in CI, which does not run in openstack
+# NB: [rebuild] not defined here as this template is used in CI
 
 [update:children]
 cluster
