Initial concept of boostrap secrets

Martin Jackson · Martin Jackson · commit 3f0e3d840c0d · 2026-05-12T09:12:16.000-05:00
diff --git a/README.md b/README.md
@@ -8,3 +8,63 @@ The main purpose of this collections are to:
 loading local secrets files into VP secrets stores.
 
 2. Help manage imperative and other utility functions of the cluster
+
+## Secrets loading
+
+The collection distinguishes **primary** values-secret files (the usual pattern secrets) from optional **bootstrap** values-secret files (extra content loaded with the `none` backing store into the cluster, independent of `values-global.yaml` `secretStore.backend`).
+
+### Primary values-secret (standard load)
+
+- **Backing store** comes from `values-global.yaml`: `.global.secretStore.backend` (default `vault`). That drives parsing and whether secrets go to Vault or Kubernetes.
+- **Discovery order** when `VALUES_SECRET` is unset (first existing file wins):  
+  `~/.config/hybrid-cloud-patterns/values-secret-<pattern>.yaml`,  
+  `~/.config/validated-patterns/values-secret-<pattern>.yaml`,  
+  `~/values-secret-<pattern>.yaml`,  
+  `~/values-secret.yaml`,  
+  then `<pattern_dir>/values-secret.yaml.template`.
+- When `VALUES_SECRET` is set to an existing path, that file is used for the **primary** load. If bootstrap loading already consumed that same path because it was a bootstrap-named file, the primary pass temporarily ignores `VALUES_SECRET` so the primary search can fall back to the paths above.
+
+Files may be plain YAML or `ansible-vault` encrypted.
+
+### Bootstrap values-secret (optional)
+
+Bootstrap files are **never** read from `<pattern_dir>/` (no `values-secret-*-bootstrap.yaml` under the pattern tree).
+
+When not using `VALUES_SECRET` for bootstrap, candidates are checked in order (first existing file wins):
+
+- `~/.config/hybrid-cloud-patterns/values-secret-<pattern>-bootstrap.yaml`
+- `~/.config/validated-patterns/values-secret-<pattern>-bootstrap.yaml`
+- `~/values-secret-<pattern>-bootstrap.yaml`
+- `~/values-secret-bootstrap.yaml`
+
+Alternatively, set `VALUES_SECRET` to an **existing** file whose name ends with `-bootstrap.yaml` (or `-bootstrap.yml`) to use that path for bootstrap discovery in flows that support it.
+
+**Bootstrap is always parsed and applied with backing store `none`** (Kubernetes secret injection path), which requires schema version 2.0 or newer in the bootstrap file.
+
+### Playbooks and flows
+
+| Playbook | What it runs |
+|----------|----------------|
+| `playbooks/load_secrets.yml` | Respects `.global.secretLoader.disabled` in `values-global.yaml`. When enabled: `cluster_pre_check`, optional **bootstrap** load (if a bootstrap file exists; **not** an error if missing), then **primary** discovery, parse, and load using the configured backend. |
+| `playbooks/load_bootstrap_secrets.yml` | Convenience wrapper: `determine_pattern_dir`, `determine_pattern_name`, then imports `load_secrets.yml` (same combined bootstrap-then-primary behavior as install). |
+| `playbooks/load_bootstrap_secrets_only.yml` | **Bootstrap only**: same pattern discovery plays and `pattern_settings`, then only bootstrap inject (with retries). **Fails** if no bootstrap file is found. Does **not** read `secretLoader.disabled` or load the primary file. |
+| `playbooks/display_secrets_info.yml` | Loads and displays parsed primary secrets (using the backend from `values-global`). If a bootstrap file exists, also parses and displays it with backing store `none`. Missing bootstrap is not an error. |
+
+Typical usage sets `-e pattern_dir=...` to the pattern checkout (and relies on `values-global.yaml` there via `pattern_settings`).
+
+`playbooks/install.yml` imports `load_secrets.yml` after the pattern install playbook, so the combined bootstrap-then-primary flow runs during install when secret loading is enabled.
+
+### Bootstrap retries
+
+Bootstrap **inject** retries (parse plus Kubernetes apply) are controlled on the role defaults / extra-vars:
+
+- `vp_secrets_bootstrap_retry_max` (default `5`)
+- `vp_secrets_bootstrap_retry_delay` (seconds between attempts, default `30`)
+
+These apply to the optional bootstrap phase inside `load_secrets` and to `load_bootstrap_secrets_only.yml`.
+
+### Roles (implementation notes)
+
+- `roles/load_secrets/tasks/main.yml` implements the **combined** flow (optional bootstrap, then primary).
+- `roles/load_secrets/tasks/bootstrap_only.yml` is used only when you invoke the `load_secrets` role with `tasks_from: bootstrap_only.yml` (as `load_bootstrap_secrets_only.yml` does).
+- `roles/find_vp_secrets` resolves primary files (`tasks/main.yml`) and optional bootstrap discovery (`tasks/find_optional_bootstrap.yml`).
diff --git a/playbooks/display_secrets_info.yml b/playbooks/display_secrets_info.yml
@@ -36,6 +36,28 @@
         secrets_backing_store: "{{ secrets_backing_store }}"
       register: secrets_results
 
-    - name: Display secrets data
+    - name: Display primary secrets data
       ansible.builtin.debug:
         var: secrets_results
+
+    - name: Snapshot primary secrets for optional bootstrap display
+      ansible.builtin.set_fact:
+        _primary_values_secrets_data_snapshot: "{{ values_secrets_data }}"
+
+    - name: Discover optional bootstrap values-secret file
+      ansible.builtin.include_role:
+        name: find_vp_secrets
+        tasks_from: find_optional_bootstrap.yml
+
+    - name: Parse bootstrap secrets data (none backend)
+      no_log: '{{ hide_sensitive_output }}'
+      parse_secrets_info:
+        values_secrets_plaintext: "{{ values_secrets_bootstrap_data }}"
+        secrets_backing_store: none
+      register: bootstrap_secrets_results
+      when: vp_bootstrap_secrets_present | default(false) | bool
+
+    - name: Display bootstrap secrets data
+      ansible.builtin.debug:
+        var: bootstrap_secrets_results
+      when: vp_bootstrap_secrets_present | default(false) | bool
diff --git a/playbooks/load_bootstrap_secrets.yml b/playbooks/load_bootstrap_secrets.yml
@@ -0,0 +1,11 @@
+---
+# Post-install alias: runs the same secrets load as load_secrets.yml (optional bootstrap, then primary).
+# Optional extra-vars: vp_secrets_bootstrap_retry_max, vp_secrets_bootstrap_retry_delay (seconds).
+- name: Determine pattern directory
+  ansible.builtin.import_playbook: ./determine_pattern_dir.yml
+
+- name: Determine pattern name
+  ansible.builtin.import_playbook: ./determine_pattern_name.yml
+
+- name: Load secrets (optional bootstrap then standard)
+  ansible.builtin.import_playbook: ./load_secrets.yml
diff --git a/playbooks/load_bootstrap_secrets_only.yml b/playbooks/load_bootstrap_secrets_only.yml
@@ -0,0 +1,23 @@
+---
+# Load only bootstrap values-secret files (none backend). Does not load the primary values-secret
+# or honor secretLoader.disabled from values-global. Fails if no bootstrap file exists.
+# Optional extra-vars: vp_secrets_bootstrap_retry_max, vp_secrets_bootstrap_retry_delay (seconds).
+- name: Determine pattern directory
+  ansible.builtin.import_playbook: ./determine_pattern_dir.yml
+
+- name: Determine pattern name
+  ansible.builtin.import_playbook: ./determine_pattern_name.yml
+
+- name: Load bootstrap secrets only
+  hosts: localhost
+  connection: local
+  gather_facts: false
+  become: false
+  roles:
+    - pattern_settings
+
+  tasks:
+    - name: Run bootstrap-only secrets load
+      ansible.builtin.include_role:
+        name: load_secrets
+        tasks_from: bootstrap_only.yml
diff --git a/roles/find_vp_secrets/tasks/find_optional_bootstrap.yml b/roles/find_vp_secrets/tasks/find_optional_bootstrap.yml
@@ -0,0 +1,80 @@
+---
+# Sets values_secrets_bootstrap_data when a bootstrap values-secret file exists; otherwise no-op.
+# Expects: pattern_name, and _primary_values_secrets_data_snapshot when restoring after read.
+- name: Clear bootstrap secrets facts from any prior play
+  ansible.builtin.set_fact:
+    values_secrets_bootstrap_data: ''
+    vp_bootstrap_secrets_present: false
+    found_bootstrap_file: ''
+    vp_bootstrap_loaded_via_values_secret_env: false
+
+- name: Read VALUES_SECRET for optional bootstrap discovery
+  ansible.builtin.set_fact:
+    bootstrap_custom_env_values_secret: "{{ lookup('ansible.builtin.env', 'VALUES_SECRET') }}"
+
+- name: Decide if VALUES_SECRET names a bootstrap file
+  ansible.builtin.set_fact:
+    _bootstrap_env_is_bootstrap_named: >-
+      {{
+        (bootstrap_custom_env_values_secret | default('') | string | length > 0)
+        and (bootstrap_custom_env_values_secret | regex_search('-bootstrap\.ya?ml$') is not none)
+      }}
+
+- name: Check if VALUES_SECRET points to an existing file (bootstrap)
+  ansible.builtin.stat:
+    path: "{{ bootstrap_custom_env_values_secret }}"
+  register: bootstrap_custom_file_values_secret
+  when:
+    - bootstrap_custom_env_values_secret | default('') | length > 0
+    - _bootstrap_env_is_bootstrap_named | default(false) | bool
+
+- name: Use VALUES_SECRET as bootstrap secrets file
+  ansible.builtin.set_fact:
+    found_bootstrap_file: "{{ bootstrap_custom_file_values_secret.stat.path }}"
+    vp_bootstrap_loaded_via_values_secret_env: true
+  when:
+    - bootstrap_custom_env_values_secret | default('') | length > 0
+    - _bootstrap_env_is_bootstrap_named | default(false) | bool
+    - bootstrap_custom_file_values_secret.stat is defined
+    - bootstrap_custom_file_values_secret.stat.exists
+
+- name: Build bootstrap values-secret candidate paths
+  ansible.builtin.set_fact:
+    _vp_bootstrap_secret_candidates:
+      - "~/.config/hybrid-cloud-patterns/values-secret-{{ pattern_name }}-bootstrap.yaml"
+      - "~/.config/validated-patterns/values-secret-{{ pattern_name }}-bootstrap.yaml"
+      - "~/values-secret-{{ pattern_name }}-bootstrap.yaml"
+      - "~/values-secret-bootstrap.yaml"
+  when: (found_bootstrap_file | default('') | string | length) == 0
+
+- name: Stat bootstrap candidate paths
+  ansible.builtin.stat:
+    path: "{{ item }}"
+  loop: "{{ _vp_bootstrap_secret_candidates }}"
+  register: _vp_bootstrap_stat_results
+  when: (found_bootstrap_file | default('') | string | length) == 0
+
+- name: Pick first existing bootstrap secrets file from candidates
+  ansible.builtin.set_fact:
+    found_bootstrap_file: "{{ (_vp_bootstrap_stat_results.results | default([]) | selectattr('stat.exists') | map(attribute='item') | list | first) | default('') }}"
+  when:
+    - (found_bootstrap_file | default('') | string | length) == 0
+    - _vp_bootstrap_stat_results.results is defined
+
+- name: Read bootstrap secrets when a bootstrap file was found
+  when: (found_bootstrap_file | default('') | string | length) > 0
+  block:
+    - name: Load bootstrap secrets from file
+      ansible.builtin.include_tasks: read_secret_from_path.yml
+      vars:
+        found_file: "{{ found_bootstrap_file }}"
+
+    - name: Publish bootstrap secrets data for display
+      ansible.builtin.set_fact:
+        values_secrets_bootstrap_data: "{{ values_secrets_data }}"
+        vp_bootstrap_secrets_present: true
+
+    - name: Restore primary values_secrets_data after bootstrap read
+      ansible.builtin.set_fact:
+        values_secrets_data: "{{ _primary_values_secrets_data_snapshot }}"
+      when: _primary_values_secrets_data_snapshot is defined
diff --git a/roles/find_vp_secrets/tasks/main.yml b/roles/find_vp_secrets/tasks/main.yml
@@ -5,9 +5,14 @@
   ansible.builtin.set_fact:
     secret_template: "{{ pattern_dir }}/values-secret.yaml.template"
 
-- name: Is a VALUES_SECRET env variable set?
+- name: Resolve VALUES_SECRET for primary secrets search
   ansible.builtin.set_fact:
-    custom_env_values_secret: "{{ lookup('ansible.builtin.env', 'VALUES_SECRET') }}"
+    custom_env_values_secret: >-
+      {{
+        ''
+        if (vp_skip_values_secret_env_for_primary | default(false) | bool)
+        else (lookup('ansible.builtin.env', 'VALUES_SECRET') | default('', true))
+      }}
 
 - name: Check if VALUES_SECRET file exists
   ansible.builtin.stat:
@@ -37,52 +42,5 @@
       - "{{ pattern_dir }}/values-secret.yaml.template"
   when: custom_env_values_secret | default('') | length == 0
 
-- name: Is found values secret file encrypted
-  no_log: "{{ hide_sensitive_output | default(true) }}"
-  ansible.builtin.shell: |
-    set -o pipefail
-    head -1 "{{ found_file }}" | grep -q \$ANSIBLE_VAULT
-  changed_when: false
-  register: encrypted
-  failed_when: (encrypted.rc not in [0, 1])
-
-# When HOME is set we replace it with '~' in this debug message
-# because when run from inside the container the HOME is /pattern-home
-# which is confusing for users
-- name: Is found values secret file encrypted
-  ansible.builtin.debug:
-    msg: "Using {{ (lookup('env', 'HOME') | length > 0) | ternary(found_file | regex_replace('^' + lookup('env', 'HOME'), '~'), found_file) }} to parse secrets"
-
-- name: Set encryption bool fact
-  no_log: "{{ hide_sensitive_output | default(true) }}"
-  ansible.builtin.set_fact:
-    is_encrypted: "{{ encrypted.rc == 0 | bool }}"
-
-- name: Get password for "{{ found_file }}"
-  ansible.builtin.pause:
-    prompt: "Input the password for {{ found_file }}"
-    echo: false
-  when: is_encrypted
-  register: vault_pass
-
-- name: Get decrypted content if {{ found_file }} was encrypted
-  no_log: "{{ hide_sensitive_output | default(true) }}"
-  ansible.builtin.shell:
-    ansible-vault view --vault-password-file <(cat <<<"{{ vault_pass.user_input }}") "{{ found_file }}"
-  register: values_secret_plaintext
-  when: is_encrypted
-  changed_when: false
-
-- name: Normalize secrets format (un-encrypted)
-  no_log: '{{ hide_sensitive_output | default(true) }}'
-  ansible.builtin.set_fact:
-    values_secrets_data: "{{ lookup('file', found_file) | from_yaml }}"
-  when: not is_encrypted
-  changed_when: false
-
-- name: Normalize secrets format (encrypted)
-  no_log: '{{ hide_sensitive_output | default(true) }}'
-  ansible.builtin.set_fact:
-    values_secrets_data: "{{ values_secret_plaintext.stdout | from_yaml }}"
-  when: is_encrypted
-  changed_when: false
+- name: Read secrets from discovered file
+  ansible.builtin.include_tasks: read_secret_from_path.yml
diff --git a/roles/find_vp_secrets/tasks/read_secret_from_path.yml b/roles/find_vp_secrets/tasks/read_secret_from_path.yml
@@ -0,0 +1,52 @@
+---
+# Reads YAML from found_file (vault-encrypted or plain) into values_secrets_data.
+# Expects: found_file, hide_sensitive_output (optional)
+- name: Is found values secret file encrypted
+  no_log: "{{ hide_sensitive_output | default(true) }}"
+  ansible.builtin.shell: |
+    set -o pipefail
+    head -1 "{{ found_file }}" | grep -q \$ANSIBLE_VAULT
+  changed_when: false
+  register: encrypted
+  failed_when: (encrypted.rc not in [0, 1])
+
+# When HOME is set we replace it with '~' in this debug message
+# because when run from inside the container the HOME is /pattern-home
+# which is confusing for users
+- name: Is found values secret file encrypted
+  ansible.builtin.debug:
+    msg: "Using {{ (lookup('env', 'HOME') | length > 0) | ternary(found_file | regex_replace('^' + lookup('env', 'HOME'), '~'), found_file) }} to parse secrets"
+
+- name: Set encryption bool fact
+  no_log: "{{ hide_sensitive_output | default(true) }}"
+  ansible.builtin.set_fact:
+    is_encrypted: "{{ encrypted.rc == 0 | bool }}"
+
+- name: Get password for "{{ found_file }}"
+  ansible.builtin.pause:
+    prompt: "Input the password for {{ found_file }}"
+    echo: false
+  when: is_encrypted
+  register: vault_pass
+
+- name: Get decrypted content if {{ found_file }} was encrypted
+  no_log: "{{ hide_sensitive_output | default(true) }}"
+  ansible.builtin.shell:
+    ansible-vault view --vault-password-file <(cat <<<"{{ vault_pass.user_input }}") "{{ found_file }}"
+  register: values_secret_plaintext
+  when: is_encrypted
+  changed_when: false
+
+- name: Normalize secrets format (un-encrypted)
+  no_log: "{{ hide_sensitive_output | default(true) }}"
+  ansible.builtin.set_fact:
+    values_secrets_data: "{{ lookup('file', found_file) | from_yaml }}"
+  when: not is_encrypted
+  changed_when: false
+
+- name: Normalize secrets format (encrypted)
+  no_log: "{{ hide_sensitive_output | default(true) }}"
+  ansible.builtin.set_fact:
+    values_secrets_data: "{{ values_secret_plaintext.stdout | from_yaml }}"
+  when: is_encrypted
+  changed_when: false
diff --git a/roles/load_secrets/defaults/main.yml b/roles/load_secrets/defaults/main.yml
@@ -1,3 +1,5 @@
-secrets_role: "vault_utils"
-tasks_from: "push_parsed_secrets"
-hide_sensitive_output: true
+---
+vp_secrets_bootstrap_retry_max: 5
+vp_secrets_bootstrap_retry_delay: 30
+secrets_role: vault_utils
+tasks_from: push_parsed_secrets
diff --git a/roles/load_secrets/tasks/bootstrap_inject_retry.yml b/roles/load_secrets/tasks/bootstrap_inject_retry.yml
@@ -0,0 +1,50 @@
+---
+- name: Ensure bootstrap inject attempt counter
+  ansible.builtin.set_fact:
+    _bootstrap_inject_attempt: "{{ _bootstrap_inject_attempt | default(1) | int }}"
+
+- name: Determine bootstrap secrets YAML shape
+  ansible.builtin.set_fact:
+    secrets_bootstrap_yaml: "{{ values_secrets_bootstrap_data if values_secrets_bootstrap_data is not string else values_secrets_bootstrap_data | from_yaml }}"
+
+- name: Fail when bootstrap schema is too old for none backend loading
+  ansible.builtin.fail:
+    msg: Bootstrap secrets require values-secret schema version 2.0 or higher when using the none backend.
+  when: (secrets_bootstrap_yaml.version | default('2.0')) is version('2.0', '<')
+
+- name: Parse and inject bootstrap secrets (attempt {{ _bootstrap_inject_attempt }}/{{ vp_secrets_bootstrap_retry_max | default(5) }})
+  block:
+    - name: Parse bootstrap secrets data
+      no_log: "{{ hide_sensitive_output | default(true) }}"
+      parse_secrets_info:
+        values_secrets_plaintext: "{{ values_secrets_bootstrap_data }}"
+        secrets_backing_store: none
+      register: bootstrap_secrets_results
+
+    - name: Inject bootstrap secrets into the cluster
+      ansible.builtin.include_role:
+        name: k8s_secret_utils
+        tasks_from: inject_k8s_secrets
+      vars:
+        kubernetes_secret_objects: "{{ bootstrap_secrets_results.kubernetes_secret_objects }}"
+        vault_policies: "{{ bootstrap_secrets_results.vault_policies }}"
+        parsed_secrets: "{{ bootstrap_secrets_results.parsed_secrets }}"
+        unique_vault_prefixes: "{{ bootstrap_secrets_results.unique_vault_prefixes | default([]) }}"
+
+  rescue:
+    - name: Fail when bootstrap secrets inject retries are exhausted
+      ansible.builtin.fail:
+        msg: |
+          Bootstrap secrets loading failed after {{ vp_secrets_bootstrap_retry_max | default(5) }} attempt(s).
+      when: (_bootstrap_inject_attempt | int) >= (vp_secrets_bootstrap_retry_max | default(5) | int)
+
+    - name: Wait before retrying bootstrap secrets inject
+      ansible.builtin.pause:
+        seconds: "{{ vp_secrets_bootstrap_retry_delay | default(30) | int }}"
+
+    - name: Bump bootstrap secrets inject attempt counter
+      ansible.builtin.set_fact:
+        _bootstrap_inject_attempt: "{{ (_bootstrap_inject_attempt | int) + 1 }}"
+
+    - name: Retry bootstrap secrets inject
+      ansible.builtin.include_tasks: bootstrap_inject_retry.yml
diff --git a/roles/load_secrets/tasks/bootstrap_only.yml b/roles/load_secrets/tasks/bootstrap_only.yml
diff --git a/roles/load_secrets/tasks/main.yml b/roles/load_secrets/tasks/main.yml
diff --git a/roles/load_secrets/tasks/optional_bootstrap_load.yml b/roles/load_secrets/tasks/optional_bootstrap_load.yml
diff --git a/roles/vault_utils/README.md b/roles/vault_utils/README.md
