Only update acme.sh if necessary

We install acme.sh into /opt on our servers. Some of our servers rely on /opt for data intensive activities and we can run out of disk space on /opt/. When our daily Ansible runs fire and hit servers in this situation we end up with corrupted acme.sh repos on those servers. Then acme.sh roles fail. Avoid this problem by only updating the git repo for acme.sh if it isn't already up to date on the versions we expect. We can still fill the disk but this won't affect acme.sh only server operations that rely on /opt disk space. This is an alternative to https://review.opendev.org/c/opendev/system-config/+/934247 which will try to force updates to occur regardless of git repo corruption. Change-Id: Ib0ad55de833a2c2d9e8cacec0493b8422e486789
2024-11-06 08:29:42 -08:00 · 2024-11-06 08:29:42 -08:00 · 2066403ed1
commit 2066403ed1
parent c94c6f8f82
1 changed files with 32 additions and 16 deletions
--- a/playbooks/roles/letsencrypt-acme-sh-install/tasks/main.yaml
+++ b/playbooks/roles/letsencrypt-acme-sh-install/tasks/main.yaml
@ -1,20 +1,33 @@
- name: Install acme.sh client
-  git:
-    repo: https://github.com/acmesh-official/acme.sh
-    dest: /opt/acme.sh
-    # Pinned due to https://github.com/acmesh-official/acme.sh/issues/4416
-    version: 3.0.5
-  register: clone_acmesh_result
-  until: clone_acmesh_result is not failed
-  retries: 3
-  delay: 2
+- name: Check status of acme.sh script
+  stat:
+    path: /opt/acme.sh/acme.sh
+    get_checksum: true
+    checksum_algorithm: sha256
+  register: acme_sh_stat

-# Temporary https://github.com/acmesh-official/acme.sh/issues/4659 fix
-# until we can upgrade to 3.0.6 or later
- name: Patch for issue 4659
-  shell: |
-    git -C /opt/acme.sh cherry-pick 4c30250
-    git -C /opt/acme.sh cherry-pick 327e2fb
+- name: Install acme.sh if not already up to date
+  when: not acme_sh_stat.stat.exists or acme_sh_stat.stat.checksum != "5c298a2bd5f90635aef8d013b02b25f34027ad0cb2cef2bdca68f3d13b931216"
+  block:
+    # We only want to update the clone and checkout if things are not already
+    # in place or at the expected versions. This avoids unnecessary daily
+    # git operations and makes us more resilient to full disks.
+    - name: Install acme.sh client
+      git:
+        repo: https://github.com/acmesh-official/acme.sh
+        dest: /opt/acme.sh
+        # Pinned due to https://github.com/acmesh-official/acme.sh/issues/4416
+        version: 3.0.5
+      register: clone_acmesh_result
+      until: clone_acmesh_result is not failed
+      retries: 3
+      delay: 2
+
+    # Temporary https://github.com/acmesh-official/acme.sh/issues/4659 fix
+    # until we can upgrade to 3.0.6 or later
+    - name: Patch for issue 4659
+      shell: |
+        git -C /opt/acme.sh cherry-pick 4c30250
+        git -C /opt/acme.sh cherry-pick 327e2fb

 - name: Install letsencrypt group
  group:
@ -24,6 +37,9 @@

 - name: Install driver script
  copy:
+    # Because this is a fily copy and not git operations with multiple states
+    # Ansible should successfully determine that the file doesn't need to be
+    # copied after the initial copy unless the file changes.
    src: driver.sh
    dest: /opt/acme.sh/driver.sh
    mode: 0755