fix: Refactor to make step-ca initialization idempotent

2023-07-15 19:08:33 +02:00
parent 5363eba1a3
commit 072fc56050
2 changed files with 16 additions and 18 deletions
--- a/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/certauthority.yml
+++ b/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/certauthority.yml
@@ -1,14 +1,9 @@
 - block:

-    - name: Initialize tempfile
-      ansible.builtin.tempfile:
-        state: file
-      register: values_file
-
-    - name: Write chart values w/ password to tempfile
+    - name: Inject password into values file
      ansible.builtin.copy:
-        dest: "{{ values_file.path }}"
-        content: "{{ stepca_values.stdout | regex_replace('(ca_password|provisioner_password): ', '\\1: ' ~ (vapp['metacluster.password'] | b64encode)) }}"
+        dest: "{{ stepconfig.path }}"
+        content: "{{ lookup('ansible.builtin.file', stepconfig.path) | regex_replace('(ca_password|provisioner_password): ', '\\1: ' ~ (vapp['metacluster.password'] | b64encode)) }}"
      no_log: true

    - name: Install step-ca chart
@@ -21,13 +16,7 @@
        wait: true
        kubeconfig: "{{ kubeconfig.path }}"
        values_files:
-          - "{{ values_file.path }}"
-
-    - name: Cleanup tempfile
-      ansible.builtin.file:
-        path: "{{ values_file.path }}"
-        state: absent
-      when: values_file.path is defined
+          - "{{ stepconfig.path }}"

    - name: Retrieve configmap w/ root certificate
      kubernetes.core.k8s_info:
--- a/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/init.yml
+++ b/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/init.yml
@@ -12,6 +12,15 @@
    - registry
    - storage

+- name: Create step-ca config dictionary
+  ansible.builtin.set_fact:
+    stepconfig: "{{ { 'path': ansible_env.HOME ~ '/.step/config/values.yaml' } }}"
+
+- name: Create step-ca target folder
+  ansible.builtin.file:
+    path: "{{ stepconfig.path | dirname }}"
+    state: directory
+
 - name: Initialize tempfile
  ansible.builtin.tempfile:
    state: file
@@ -36,8 +45,8 @@
        --address=:9000 \
        --provisioner=admin \
        --acme \
-        --password-file={{ stepca_password.path }}
-  register: stepca_values
+        --password-file={{ stepca_password.path }} | tee {{ stepconfig.path }}
+    creates: "{{ stepconfig.path }}"

 - name: Cleanup tempfile
  ansible.builtin.file:
@@ -48,7 +57,7 @@
 - name: Store root CA certificate
  ansible.builtin.copy:
    dest: /usr/local/share/ca-certificates/root_ca.crt
-    content: "{{ (stepca_values.stdout | from_yaml).inject.certificates.root_ca }}"
+    content: "{{ (lookup('ansible.builtin.file', stepconfig.path) | from_yaml).inject.certificates.root_ca }}"

 - name: Update certificate truststore
  ansible.builtin.command: