From 072fc56050fd3cd733219cdd5e9a17fd387be319 Mon Sep 17 00:00:00 2001
From: Danny Bessems
Date: Sat, 15 Jul 2023 19:08:33 +0200
Subject: [PATCH] fix: Refactor to make step-ca initialization idempotent

---
 .../roles/metacluster/tasks/certauthority.yml | 19 ++++---------------
 .../roles/metacluster/tasks/init.yml | 15 ++++++++++++---
 2 files changed, 16 insertions(+), 18 deletions(-)

diff --git a/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/certauthority.yml b/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/certauthority.yml
index 2ca6d18..f4cc70a 100644
--- a/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/certauthority.yml
+++ b/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/certauthority.yml
@@ -1,14 +1,9 @@
 - block:
- - name: Initialize tempfile
- ansible.builtin.tempfile:
- state: file
- register: values_file
-
- - name: Write chart values w/ password to tempfile
+ - name: Inject password into values file
 ansible.builtin.copy:
- dest: "{{ values_file.path }}"
- content: "{{ stepca_values.stdout | regex_replace('(ca_password|provisioner_password): ', '\\1: ' ~ (vapp['metacluster.password'] | b64encode)) }}"
+ dest: "{{ stepconfig.path }}"
+ content: "{{ lookup('ansible.builtin.file', stepconfig.path) | regex_replace('(ca_password|provisioner_password): ', '\\1: ' ~ (vapp['metacluster.password'] | b64encode)) }}"
 no_log: true
 - name: Install step-ca chart
@@ -21,13 +16,7 @@
 wait: true
 kubeconfig: "{{ kubeconfig.path }}"
 values_files:
- - "{{ values_file.path }}"
-
- - name: Cleanup tempfile
- ansible.builtin.file:
- path: "{{ values_file.path }}"
- state: absent
- when: values_file.path is defined
+ - "{{ stepconfig.path }}"
 - name: Retrieve configmap w/ root certificate
 kubernetes.core.k8s_info:
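Review bot: The pattern `(ca_password|provisioner_password): ` in the new `content:` line matches the key even when a value already follows it, and since the file is now read from and written back to the same `stepconfig.path`, a second run turns `ca_password: <b64>` into `ca_password: <b64><b64>`, which defeats the idempotency this commit is after. Anchor the match to an empty value, e.g. `regex_replace('(ca_password|provisioner_password): *$', '\\1: ' ~ (vapp['metacluster.password'] | b64encode), multiline=True)`, or guard the task with a `when:` that checks the value is still empty. The copy also now writes a file that permanently holds the base64-encoded CA and provisioner passwords (the tempfile and its cleanup task are removed in the second hunk) without a `mode:`, so add `mode: "0600"` to it. The enclosing `block:` continues past this hunk.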
diff --git a/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/init.yml b/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/init.yml
index ddbcd7e..89696da 100644
--- a/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/init.yml
+++ b/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/init.yml
@@ -12,6 +12,15 @@
 - registry
 - storage
+- name: Create step-ca config dictionary
+ ansible.builtin.set_fact:
+ stepconfig: "{{ { 'path': ansible_env.HOME ~ '/.step/config/values.yaml' } }}"
+
+- name: Create step-ca target folder
+ ansible.builtin.file:
+ path: "{{ stepconfig.path | dirname }}"
+ state: directory
+
 - name: Initialize tempfile
 ansible.builtin.tempfile:
 state: file
@@ -36,8 +45,8 @@
 --address=:9000 \
 --provisioner=admin \
 --acme \
- --password-file={{ stepca_password.path }}
- register: stepca_values
+ --password-file={{ stepca_password.path }} | tee {{ stepconfig.path }}
+ creates: "{{ stepconfig.path }}"
 - name: Cleanup tempfile
 ansible.builtin.file:
@@ -48,7 +57,7 @@
 - name: Store root CA certificate
 ansible.builtin.copy:
 dest: /usr/local/share/ca-certificates/root_ca.crt
- content: "{{ (stepca_values.stdout | from_yaml).inject.certificates.root_ca }}"
+ content: "{{ (lookup('ansible.builtin.file', stepconfig.path) | from_yaml).inject.certificates.root_ca }}"
 - name: Update certificate truststore
 ansible.builtin.command:
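Review bot: `Create step-ca target folder` creates the `.step/config` directory with `state: directory` but no `mode:`, so it gets whatever the umask yields, even though the values file that `tee` writes into it later in this patch is the one that ends up carrying the CA and provisioner passwords; add `mode: "0700"` to the `file:` task. As a matter of style, the `set_fact` value `"{{ { 'path': ... } }}"` builds a one-key dict inside a Jinja expression where a plain nested mapping with a `path` key under `stepconfig:` would read more naturally and avoid the quoting.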
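Review bot: With `| tee {{ stepconfig.path }}` the task's exit status is tee's rather than `step ca init`'s, so a failed init still leaves an empty or partial values file that satisfies the new `creates:` guard and silently skips initialization on every later run. Prefix the command with `set -o pipefail; umask 077;` (pipefail needs `args: executable: /bin/bash`) so a failure propagates and the values file, which given the `inject.certificates` keys read later looks like `step ca init --helm` output and may carry key material, is not created world-readable; alternatively keep `register:` and write the file with `copy` plus `mode: "0600"`. This assumes the task is `ansible.builtin.shell`, since a plain `command:` would not interpret the pipe at all; the module line and the start of the command are above the hunk.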
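Review bot: `lookup('ansible.builtin.file', stepconfig.path)` in the new `content:` line is evaluated on the controller, while `stepconfig.path` is derived from the target's `ansible_env.HOME` and the file itself is written on the target by `tee`; this only lines up while the play runs over a local connection, which seems to be the case for a firstboot payload but is not visible here. Worth a comment above the task, `# lookup() reads on the controller; relies on the bootstrap play running locally`, or replacing the lookup with `ansible.builtin.slurp` and `b64decode` so the read happens where the file was written. The same applies to the lookup added in the `Inject password into values file` task in certauthority.yml.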