Stop using end_play as we will want the later vault_jwt task as well in unsealVault

Author: mbaldessari

roles/vault_utils/tasks/vault_spokes_init.yaml

@@ -10,7 +10,8 @@
     resources: "{{ managed_clusters['resources'] }}"
 
 - name: Do nothing when no managed clusters are found
-  ansible.builtin.meta: end_play
+  ansible.builtin.set_fact:
+    have_managed_clusters: false
   when: resources | length == 0 or managed_clusters.failed or not managed_clusters.api_found
 
 # These three loops are not done in one pass because sometimes the managedCluster is not fully
@@ -21,14 +22,18 @@
       {'caBundle': item.spec.managedClusterClientConfigs[0].caBundle | b64decode,
        'name': item.metadata.name}}) }}"
   loop: "{{ resources }}"
-  when: item.spec.managedClusterClientConfigs[0].caBundle is defined
+  when:
+    - have_managed_clusters
+    - item.spec.managedClusterClientConfigs[0].caBundle is defined
   loop_control:
     label: "{{ item.metadata.name }}"
 
 - name: Extract ClusterGroup
   ansible.builtin.set_fact:
     clusters: "{{ clusters | default({}) | combine({item.metadata.name: {'clusterGroup': item.metadata.labels.clusterGroup}}, recursive=True) }}"
-  when: "'clusterGroup' in item.metadata.labels"
+  when:
+    - have_managed_clusters
+    - "'clusterGroup' in item.metadata.labels"
   loop: "{{ resources }}"
   loop_control:
     label: "{{ item.metadata.name }}"
@@ -43,7 +48,9 @@
     _cluster_fqdn: "{{ item.status.clusterClaims | selectattr('name', 'equalto', 'consoleurl.cluster.open-cluster-management.io')
         | map(attribute='value')
         | first | ansible.builtin.urlsplit('hostname') | regex_replace('console-openshift-console\\.apps\\.', '') }}"
-  when: item.spec.managedClusterClientConfigs[0].url is defined
+  when:
+    - have_managed_clusters
+    - item.spec.managedClusterClientConfigs[0].url is defined
   loop_control:
     label: "{{ item.metadata.name }}"
 
@@ -55,6 +62,8 @@
   loop: "{{ clusters | dict2items }}"
   loop_control:
     label: "{{ item.key }}"
+  when:
+    - have_managed_clusters
 
 # These three steps will only work on ACM 2.12 which uses these secrets to connect to the spokes
 - name: Fetch all ACM secrets
@@ -63,21 +72,28 @@
     label_selectors:
     - "apps.open-cluster-management.io/secret-type=acm-cluster"
   register: acm_secrets_raw
+  when:
+    - have_managed_clusters
 
 - name: Set acm secrets fact
   ansible.builtin.set_fact:
     acm_secrets: "{{ acm_secrets_raw.resources }}"
+  when:
+    - have_managed_clusters
 
 - name: Set cleaned_acm_secrets fact
   ansible.builtin.set_fact:
     cleaned_acm_secrets: "{{ acm_secrets | rhvp.cluster_utils.parse_acm_secrets }}"
-  when: acm_secrets | length > 0
+  when:
+    - have_managed_clusters
+    - acm_secrets | length > 0
 
 - name: Merge the two dicts together
   ansible.builtin.set_fact:
     clusters_info: "{{ clusters | default({}) | combine(cleaned_acm_secrets, recursive=True) }}"
-  when: acm_secrets | length > 0
-
+  when:
+    - have_managed_clusters
+    - acm_secrets | length > 0
 # These steps will only work on ACM >= 2.13 which uses managed service accounts to connect to remote spokes
 # ACM creates a namespace named like the remote cluster and we loop those
 - name: Get the ACM secrets when on ACM >=2.13
@@ -87,7 +103,9 @@
     name: application-manager
   register: msa_secrets
   loop: "{{ resources }}"
-  when: acm_secrets | length == 0
+  when:
+    - have_managed_clusters
+    - acm_secrets | length == 0
   loop_control:
     label: "{{ item.metadata.name }}"
 
@@ -98,6 +116,7 @@
     clusters: "{{ clusters | default({}) | combine({item.item.metadata.name: {'bearerToken': item.resources[0].data.token | b64decode}}, recursive=True) }}"
   loop: "{{ msa_secrets.results }}"
   when:
+    - have_managed_clusters
     - acm_secrets | length == 0
     - msa_secrets.results | length > 0
   loop_control:
@@ -106,15 +125,19 @@
 - name: Set cluster_info fact
   ansible.builtin.set_fact:
     clusters_info: "{{ clusters }}"
-  when: acm_secrets | length == 0
+  when:
+    - have_managed_clusters
+    - acm_secrets | length == 0
 
 - name: Write out CAs
   ansible.builtin.copy:
     content: "{{ item.value['caBundle'] }}"
     dest: "/tmp/{{ item.key }}.ca"
     mode: "0640"
   loop: "{{ clusters_info | dict2items }}"
-  when: item.value['caBundle'] is defined
+  when:
+    - have_managed_clusters
+    - item.value['caBundle'] is defined
   loop_control:
     label: "{{ item.key }}"
 
@@ -124,6 +147,8 @@
 - name: If we are using letsencrypt on the API endpoints we cannot use the validate_certs later
   ansible.builtin.set_fact:
     validate_certs_api_endpoint: "{{ not letsencrypt.api_endpoint | default(True) | bool }}"
+  when:
+    - have_managed_clusters
 
 - name: Fetch remote external secrets from remote cluster
   kubernetes.core.k8s_info:
@@ -147,6 +172,7 @@
   # https://serverfault.com/questions/1059530/how-to-not-print-items-in-an-ansible-loop-error-without-no-log)
   no_log: '{{ hide_sensitive_output | default(true) }}'
   when:
+    - have_managed_clusters
     - clusters_info[item.key]['bearerToken'] is defined
     - clusters_info[item.key]['server_api'] is defined
     - clusters_info[item.key]['caBundle'] is defined
@@ -176,6 +202,7 @@
   # https://serverfault.com/questions/1059530/how-to-not-print-items-in-an-ansible-loop-error-without-no-log)
   no_log: '{{ hide_sensitive_output | default(true) }}'
   when:
+    - have_managed_clusters
     - clusters_info[item.key]['bearerToken'] is defined
     - clusters_info[item.key]['server_api'] is defined
     - clusters_info[item.key]['caBundle'] is defined
@@ -189,7 +216,9 @@
   ansible.builtin.set_fact:
     clusters_info: "{{ clusters_info | default({}) | combine({item['item']['key']: {'esoToken': item['resources'][0]['data']['token'] | b64decode, 'activeExternalSecretsNs': external_secrets_ns, 'activeExternalSecretsSa': external_secrets_sa}}, recursive=True) }}"
   loop: "{{ remote_external_secrets_sa.results }}"
-  when: item['resources'][0]['data']['token'] is defined
+  when:
+    - have_managed_clusters
+    - item['resources'][0]['data']['token'] is defined
   loop_control:
     label: "{{ item['item']['key'] }}"
 
@@ -200,6 +229,7 @@
     clusters_info: "{{ clusters_info | default({}) | combine({item['item']['key']: {'esoToken': item['resources'][0]['data']['token'] | b64decode, 'activeExternalSecretsNs': legacy_external_secrets_ns, 'activeExternalSecretsSa': legacy_external_secrets_sa}}, recursive=True) }}"
   loop: "{{ remote_legacy_external_secrets_sa.results }}"
   when:
+    - have_managed_clusters
     - item['resources'][0]['data']['token'] is defined
     - clusters_info[item['item']['key']]['esoToken'] is not defined
   loop_control:
@@ -223,6 +253,7 @@
     command: bash -e -c "echo '{{ item.value['caBundle'] }}' > /tmp/{{ item.value['vault_path'] }}.ca"
   loop: "{{ clusters_info | dict2items }}"
   when:
+    - have_managed_clusters
     - item.value['esoToken'] is defined
     - item.key != "local-cluster"
   loop_control:
@@ -238,6 +269,7 @@
         vault auth enable -path='{{ item.value['vault_path'] }}' kubernetes; fi"
   loop: "{{ clusters_info | dict2items }}"
   when:
+    - have_managed_clusters
     - item.value['esoToken'] is defined
     - item.key != "local-cluster"
   loop_control:
@@ -254,6 +286,7 @@
         kubernetes_ca_cert=@/tmp/{{ item.value['vault_path'] }}.ca"
   loop: "{{ clusters_info | dict2items }}"
   when:
+    - have_managed_clusters
     - item.value['esoToken'] is defined
     - item.key != "local-cluster"
   loop_control:
@@ -268,6 +301,7 @@
         capabilities = {{ vault_spoke_capabilities }} }\" > /tmp/policy-{{ item.value['vault_path'] }}.hcl"
   loop: "{{ clusters_info | dict2items }}"
   when:
+    - have_managed_clusters
     - item.value['esoToken'] is defined
     - item.key != "local-cluster"
   loop_control:
@@ -282,6 +316,7 @@
         capabilities = {{ vault_pushsecrets_capabilities }} }\" >> /tmp/policy-{{ item.value['vault_path'] }}.hcl"
   loop: "{{ clusters_info | dict2items }}"
   when:
+    - have_managed_clusters
     - item.value['esoToken'] is defined
     - item.key != "local-cluster"
   loop_control:
@@ -296,6 +331,7 @@
         capabilities = {{ vault_pushsecrets_capabilities }} }\" >> /tmp/policy-{{ item.value['vault_path'] }}.hcl"
   loop: "{{ clusters_info | dict2items }}"
   when:
+    - have_managed_clusters
     - item.value['esoToken'] is defined
     - item.key != "local-cluster"
   loop_control:
@@ -308,6 +344,7 @@
     command: "vault policy write {{ item.value['vault_path'] }}-secret /tmp/policy-{{ item.value['vault_path'] }}.hcl"
   loop: "{{ clusters_info | dict2items }}"
   when:
+    - have_managed_clusters
     - item.value['esoToken'] is defined
     - item.key != "local-cluster"
   loop_control:
@@ -324,6 +361,7 @@
         policies="default,{{ vault_global_policy }}-secret,{{ vault_pushsecrets_policy }}-secret,{{ item.value['vault_path'] }}-secret" ttl="{{ vault_spoke_ttl }}"
   loop: "{{ clusters_info | dict2items }}"
   when:
+    - have_managed_clusters
     - item.value['esoToken'] is defined
     - item.key != "local-cluster"
   loop_control: