Add extravar handling for pattern_dir if needed

Author: Martin Jackson

README.md

@@ -47,3 +47,14 @@ Provide CA distribution using a separate chart or platform mechanism.
 
 For the complete flow and task ordering, see
 `secrets-initialization-and-vault-unseal.md`.
+
+## Pattern repository directory (`pattern_dir`)
+
+Playbooks need the path to your pattern Git checkout (where `values-global.yaml`
+and related files live). Resolution order: extra var `pattern_dir`, environment
+variable `PATTERN_DIR`, then `PWD` and `pwd`.
+
+When running from the imperative container or another fixed working directory,
+pass the repo root explicitly, for example `-e pattern_dir=/git/repo` (or add
+equivalent extra vars via `clusterGroup.imperative.extraPlaybookArgs` in the
+clustergroup chart).

playbooks/vault.yml

@@ -4,7 +4,7 @@
   connection: local
   gather_facts: false
   roles:
-   # Resolves pattern_dir (PATTERN_DIR / PWD) and loads main.clusterGroupName as main_clustergroup.
+   # Resolves pattern_dir (extra var / PATTERN_DIR / PWD) and loads main.clusterGroupName as main_clustergroup.
    # vault_ss_csi_workload_auth prefers merged clustergroup YAML from an in-cluster ConfigMap, then file fallback.
    - pattern_settings
    - find_vp_secrets

roles/pattern_settings/tasks/resolve_overrides.yml

@@ -9,35 +9,3 @@
           | default(lookup("pipe","pwd"), true)
           | trim
       }}
-
-# When playbooks run from a collection install (e.g. .../cluster_utils/playbooks), PWD points at
-# that directory while values-global.yaml lives at the pattern Git repo root. Walk upward from the
-# initial guess until values-global.yaml is found; if none, keep the guess (fail later as before).
-- name: Canonicalize pattern_dir to directory containing values-global.yaml
-  ansible.builtin.command:
-    argv:
-      - python3
-      - -c
-      - |
-        import os
-        import sys
-
-        start = os.path.abspath(os.environ["RHVP_PATTERN_DIR_GUESS"])
-        d = start
-        while True:
-            if os.path.isfile(os.path.join(d, "values-global.yaml")):
-                sys.stdout.write(d)
-                break
-            parent = os.path.dirname(d)
-            if parent == d:
-                sys.stdout.write(start)
-                break
-            d = parent
-  environment:
-    RHVP_PATTERN_DIR_GUESS: "{{ pattern_dir }}"
-  register: _rhvp_pattern_dir_canonical
-  changed_when: false
-
-- name: Apply canonical pattern_dir
-  ansible.builtin.set_fact:
-    pattern_dir: "{{ _rhvp_pattern_dir_canonical.stdout | trim }}"

roles/vault_utils/tasks/vault_ss_csi_workload_auth.yaml

@@ -13,9 +13,8 @@
     _ss_csi_all_entries: []
   when: vault_ss_csi_from_applications | default(true) | bool
 
-# Many jobs run only vault_utils (no pattern_settings role). Reuse the same pattern_dir
-# resolution as pattern_settings (PATTERN_DIR, else PWD, else pwd) so values-global and
-# values-<clustergroup>.yaml resolve without exporting PATTERN_DIR when CWD is the repo root.
+# Many playbooks run vault_utils without pattern_settings. Align pattern_dir with pattern_settings
+# (extra var, PATTERN_DIR, PWD, pwd), then derive main clustergroup name from values-global when unset.
 - name: Resolve pattern_dir for SS CSI (align with pattern_settings)
   ansible.builtin.include_tasks: ../pattern_settings/tasks/resolve_overrides.yml
   when: vault_ss_csi_from_applications | default(true) | bool
@@ -29,7 +28,6 @@
     - (pattern_dir | string | trim | length) > 0
     - (main_clustergroup is not defined) or ((main_clustergroup | default('', true) | string | trim) | length == 0)
 
-# pattern_settings sets main_clustergroup; other playbooks use main_clustergroupname — align.
 - name: Alias main_clustergroupname from main_clustergroup for SS CSI
   ansible.builtin.set_fact:
     main_clustergroupname: "{{ main_clustergroup | string | trim }}"
@@ -143,7 +141,7 @@
       ssCsiWorkloadAuth identities={{ _ss_csi_all_entries | default([]) | length }},
       hub roles to configure={{ _ss_csi_hub_entries | default([]) | length }}.
       If identities is 0, define ssCsiWorkloadAuth under clusterGroup.applications or under clusterGroup.managedClusterGroups.*.applications in the merged clustergroup values (in-cluster ConfigMap or values-{{ main_clustergroupname | default('hub') }}.yaml).
-      If nothing loads, check vault_ss_csi_clustergroup_configmap_* settings, run from the pattern repo for file fallback, set vault_ss_csi_cluster_values_file, or set vault_ss_csi_fallback_local_clustergroup_file; ensure main.clusterGroupName in values-global.
+      If nothing loads, check vault_ss_csi_clustergroup_configmap_* settings, pass pattern_dir (and optionally main_clustergroup / main_clustergroupname) via extra vars, set vault_ss_csi_cluster_values_file, or set vault_ss_csi_fallback_local_clustergroup_file; ensure main.clusterGroupName in values-global when resolving from pattern_dir.
   when: vault_ss_csi_from_applications | default(true) | bool
 
 - name: Configure hub Vault Kubernetes auth role per SS CSI workload identity

secrets-initialization-and-vault-unseal.md

@@ -7,7 +7,7 @@ This document describes how Vault and application secrets are bootstrapped when
 - **Playbook:** `playbooks/vault.yml`
 - **Hosts:** `localhost`, `connection: local`, `gather_facts: false`
 - **Roles (order):**
-  1. **`pattern_settings`** — Resolves `pattern_dir` and loads `main.clusterGroupName` as `main_clustergroup` (used later, e.g. SS CSI workload auth reading `values-<clustergroup>.yaml`).
+  1. **`pattern_settings`** — Resolves `pattern_dir` (extra var, `PATTERN_DIR`, then `PWD` / `pwd`) and loads `values-global.yaml` (including `main.clusterGroupName` as `main_clustergroup`). When `pattern_settings` is not in the play, **`vault_ss_csi_workload_auth`** repeats the same `pattern_dir` resolution and, if needed, reads `values-global.yaml` under that directory to set `main_clustergroup` / `main_clustergroupname` before loading merged clustergroup values.
   2. **`find_vp_secrets`** — Locates pattern secrets inputs as used elsewhere in the repository.
   3. **`cluster_pre_check`** — Verifies Python `kubernetes` import, kubeconfig (`KUBECONFIG` or `~/.kube/config`), or in-cluster operation via `KUBERNETES_SERVICE_HOST`.
   4. **`vault_utils`** — Performs Vault init, unseal, backends/policies, spokes, and pushing secrets from `values-secret` files.