@@ -49,6 +49,6 @@ jobs:
|
||||
- name: Validate DAGs
|
||||
run: |
|
||||
for dag in $(find ${DAGS_PATH} -type f -name "*.yaml" -a ! -name "*example*"); do
|
||||
echo "=========Validating ${dag}========="
|
||||
echo "==========Validating ${dag}=========="
|
||||
dagu dry "${dag}"
|
||||
done
|
||||
|
||||
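Review bot: The loop on the `for dag in $(find ${DAGS_PATH} …)` line word-splits and glob-expands find's output and leaves `${DAGS_PATH}` unquoted, so a DAG file whose path contains whitespace reaches `dagu dry` as fragments instead of being validated as one file. Reading the names NUL-delimited avoids that: `find "${DAGS_PATH}" -type f -name "*.yaml" ! -name "*example*" -print0 | while IFS= read -r -d '' dag; do`. It is also worth confirming that the step's shell runs with `-e`, which is not visible in this hunk; without it only the last iteration's `dagu dry` status decides the step result, so an earlier invalid DAG could pass this validation gate. The changed `echo` banner itself needs nothing further.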
@@ -19,38 +19,6 @@
|
||||
| default([])
|
||||
}}
|
||||
|
||||
- name: Pre-check Vault secrets in templates
|
||||
when: dag_templates | length > 0
|
||||
block:
|
||||
- name: Read each DAG template safely
|
||||
ansible.builtin.slurp:
|
||||
src: "{{ item }}"
|
||||
loop: "{{ dag_templates }}"
|
||||
register: slurped_templates
|
||||
|
||||
- name: Extract Vault keys from DAG templates
|
||||
ansible.builtin.set_fact:
|
||||
vault_keys: >-
|
||||
{{
|
||||
slurped_templates.results
|
||||
| map(attribute='content')
|
||||
| map('b64decode')
|
||||
| map('regex_findall',
|
||||
"lookup\\('community.hashi_vault.vault_kv2_get',\\s*'[^']+',\\s*engine_mount_point='[^']+',\\s*url=[^,]+,\\s*token=[^\\)]+\\)\\['secret'\\]\\['([^']+)'\\]")
|
||||
| sum(start=[])
|
||||
}}
|
||||
|
||||
- name: Warn if any Vault keys might be missing
|
||||
loop: "{{ vault_keys }}"
|
||||
ansible.builtin.debug:
|
||||
msg: "Vault key '{{ item }}' will be required by templates"
|
||||
|
||||
|
||||
- name: Warn if any Vault keys might be missing
|
||||
loop: "{{ vault_keys }}"
|
||||
ansible.builtin.debug:
|
||||
msg: "Vault key '{{ item }}' will be required by templates"
|
||||
|
||||
- name: Render DAG templates in-place (guarded)
|
||||
when: dag_templates | length > 0
|
||||
ansible.builtin.template:
|
||||
|
||||