From 49432e16d9619e07268d188378517cf92c3584fe Mon Sep 17 00:00:00 2001
From: "Trez.One"
Date: Sat, 13 Sep 2025 22:10:05 -0400
Subject: [PATCH] Tweaks for DAG-related items.
---
 .gitea/workflows/dag-config-check.yml | 2 +-
 playbooks/rinoa-render-dags.yml | 20 +++++++++++++++-----
 2 files changed, 16 insertions(+), 6 deletions(-)
diff --git a/.gitea/workflows/dag-config-check.yml b/.gitea/workflows/dag-config-check.yml
index 04d42f3..bb586cb 100644
--- a/.gitea/workflows/dag-config-check.yml
+++ b/.gitea/workflows/dag-config-check.yml
@@ -49,6 +49,6 @@ jobs:
 - name: Validate DAGs
 run: |
 for dag in $(find ${DAGS_PATH} -type f -name "*.yaml" -a ! -name "*example*"); do
- echo "========Validating ${dag}========"
+ echo "=========Validating ${dag}========="
 dagu dry "${dag}"
 done
diff --git a/playbooks/rinoa-render-dags.yml b/playbooks/rinoa-render-dags.yml
index 4391bce..e5fc224 100644
--- a/playbooks/rinoa-render-dags.yml
+++ b/playbooks/rinoa-render-dags.yml
@@ -22,18 +22,28 @@
 - name: Pre-check Vault secrets in templates
 when: dag_templates | length > 0
 block:
- - name: Find all Vault lookup expressions in templates
+ - name: Read each DAG template safely
+ ansible.builtin.slurp:
+ src: "{{ item }}"
+ loop: "{{ dag_templates }}"
+ register: slurped_templates
+
+ - name: Extract Vault keys from DAG templates
 ansible.builtin.set_fact:
 vault_keys: >-
 {{
- dag_templates
- | map('file', 'r')
- | select('string')
+ slurped_templates.results
+ | map(attribute='content')
+ | map('b64decode')
 | map('regex_findall', "lookup\\('community.hashi_vault.vault_kv2_get',\\s*'[^']+',\\s*engine_mount_point='[^']+',\\s*url=[^,]+,\\s*token=[^\\)]+\\)\\['secret'\\]\\['([^']+)'\\]")
 | sum(start=[])
 }}
- when: dag_templates | length > 0
+
+ - name: Warn if any Vault keys might be missing
+ loop: "{{ vault_keys }}"
+ ansible.builtin.debug:
+ msg: "Vault key '{{ item }}' will be required by templates"
 - name: Warn if any Vault keys might be missing