Fix self-signed certs distribution

With multinode Octavia setup self and octavia_generate_certs is True, role fails with distributing certificates. While correct approach would be to replace that with PKI role, right now we just patching current approach, by ensuring that facts are set for octavia_cert_setup_host so we could reliable gain them. Change-Id: I0dc2488b9e8e33847c9a2646032ac5f926d09133 Closes-Bug: #1936646
2021-07-20 18:41:15 +03:00 · 2021-07-20 18:41:15 +03:00 · 799f003b85
commit 799f003b85
parent a2de42c7bb
3 changed files with 21 additions and 25 deletions
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -82,8 +82,9 @@
    apply:
      tags:
        - octavia-config
-  run_once: true
-  when: octavia_generate_certs | bool
+  when:
+    - octavia_generate_certs | bool
+    - _octavia_is_first_play_host
  tags:
    - always

--- a/tasks/octavia_certs.yml
+++ b/tasks/octavia_certs.yml
@ -20,6 +20,7 @@
 # system python instead.
 - name: Prepare octavia_cert_setup_host for certificate generation
  delegate_to: "{{ octavia_cert_setup_host }}"
+  delegate_facts: true
  vars:
    ansible_python_interpreter: >-
      {{ (octavia_cert_setup_host == 'localhost') | ternary(ansible_playbook_python, ansible_facts['python']['executable']) }}
@ -94,6 +95,12 @@
      register: _octavia_server_ca
      changed_when: false

+    - name: Register a fact for the CA cert and key
+      set_fact:
+        octavia_ca_private_key_fact: "{{ _octavia_ca_private_key['content'] | b64decode }}"
+        octavia_ca_certificate_fact: "{{ _octavia_ca_certificate['content'] | b64decode }}"
+        octavia_server_ca_fact: "{{ _octavia_server_ca['content'] | b64decode }}"
+
 # These are run at the very first installation of Octavia
 # While Octavia acts as a CA for the server certificates,
 # for the amphora it only needs a client certificate and
@ -105,6 +112,7 @@

 - name: Generate keys/certificates on octavia_cert_setup_host
  delegate_to: "{{ octavia_cert_setup_host }}"
+  delegate_facts: true
  vars:
    ansible_python_interpreter: >-
      {{ (octavia_cert_setup_host == 'localhost') | ternary(ansible_playbook_python, ansible_facts['python']['executable']) }}
@ -171,3 +179,8 @@
        src: "{{ octavia_client_cert }}"
      register: _octavia_client_cert
      changed_when: false
+
+    - name: Register a fact for the cert and key
+      set_fact:
+        octavia_client_ca_fact: "{{ _octavia_client_ca['content'] | b64decode }}"
+        octavia_client_cert_fact: "{{ _octavia_client_cert['content'] | b64decode }}"
--- a/tasks/octavia_certs_distribute.yml
+++ b/tasks/octavia_certs_distribute.yml
@ -5,24 +5,6 @@
    path: /etc/octavia/certs/
    state: directory

- name: Register a fact for the cert and key
-  set_fact:
-    octavia_ca_private_key_fact: "{{ hostvars[octavia_cert_setup_host]['_octavia_ca_private_key']['content'] | b64decode }}"
-    octavia_ca_certificate_fact: "{{ hostvars[octavia_cert_setup_host]['_octavia_ca_certificate']['content'] | b64decode }}"
-    octavia_server_ca_fact: "{{ hostvars[octavia_cert_setup_host]['_octavia_server_ca']['content'] | b64decode }}"
-    octavia_client_ca_fact: "{{ hostvars[octavia_cert_setup_host]['_octavia_client_ca']['content'] | b64decode }}"
-    octavia_client_cert_fact: "{{ hostvars[octavia_cert_setup_host]['_octavia_client_cert']['content'] | b64decode }}"
-  when: octavia_cert_setup_host != 'localhost'
-
- name: Register a fact for the cert and key
-  set_fact:
-    octavia_ca_private_key_fact: "{{ _octavia_ca_private_key['content'] | b64decode }}"
-    octavia_ca_certificate_fact: "{{ _octavia_ca_certificate['content'] | b64decode }}"
-    octavia_server_ca_fact:      "{{ _octavia_server_ca['content'] | b64decode }}"
-    octavia_client_ca_fact:      "{{ _octavia_client_ca['content'] | b64decode }}"
-    octavia_client_cert_fact:    "{{ _octavia_client_cert['content'] | b64decode }}"
-  when: octavia_cert_setup_host == 'localhost'
-
 - name: Copy certificates
  copy:
    content: "{{ item.content }}"
@ -31,15 +13,15 @@
    group: "{{ octavia_system_group_name }}"
    mode: "0640"
  with_items:
-    - content: "{{ octavia_ca_private_key_fact }}"
+    - content: "{{ hostvars[octavia_cert_setup_host]['octavia_ca_private_key_fact'] }}"
      dest: "/etc/octavia/certs/ca_key.pem"
-    - content: "{{ octavia_ca_certificate_fact }}"
+    - content: "{{ hostvars[octavia_cert_setup_host]['octavia_ca_certificate_fact'] }}"
      dest: "/etc/octavia/certs/ca.pem"
-    - content: "{{ octavia_server_ca_fact }}"
+    - content: "{{ hostvars[octavia_cert_setup_host]['octavia_server_ca_fact'] }}"
      dest: "/etc/octavia/certs/server_ca.pem"
-    - content: "{{ octavia_client_ca_fact }}"
+    - content: "{{ hostvars[octavia_cert_setup_host]['octavia_client_ca_fact'] }}"
      dest: "/etc/octavia/certs/client_ca.pem"
-    - content: "{{ octavia_client_cert_fact }}"
+    - content: "{{ hostvars[octavia_cert_setup_host]['octavia_client_cert_fact'] }}"
      dest: "/etc/octavia/certs/client.pem"
  notify:
    - Restart octavia services