Fix SSL cert distribution tasks
The 'galera_cluster_members' variable has been added, matching the default value from the galera_server role and used by the 'galera_ssl_ca_cert' variable to find a galera node within the inventory to attempt to pull cert files from. Since the slurp task that checks for an existing CA cert file is set to never fail, the debug message should check if any content was found. The changed_when can also be removed since slurp tasks only return 'ok' when a file is found. The task copying an existing cert from a server was using a 'src' argument where it should be 'dest'. Change-Id: I95cc994df5118fce7ce588fc0bff979bc283a6f3
This commit is contained in:
parent
9a8302cbba
commit
5d2988c938
|
@ -13,6 +13,8 @@
|
|||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
galera_cluster_members: "{{ groups['galera_all'] }}"
|
||||
|
||||
# Default galera connection address
|
||||
galera_address: 127.0.0.1
|
||||
galera_root_user: root
|
||||
|
@ -58,7 +60,7 @@ galera_use_ssl: false
|
|||
# This server is used when pulling an ssl cert onto a given host when a user
|
||||
# defined key is not present. By default this will try and pull from the
|
||||
# "galera_server" group and fall back to localhost.
|
||||
galera_ssl_server: "{{ (groups['galera_server'] | default(['localhost']))[0] }}"
|
||||
galera_ssl_server: "{{ (galera_cluster_members | default(['localhost']))[0] }}"
|
||||
# The path where to store the database server CA certificate
|
||||
galera_ssl_ca_cert: /etc/ssl/certs/galera-ca.pem
|
||||
# The path to Galera CA certificate file on the deployment host
|
||||
|
|
|
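Review bot: The comment above the galera_ssl_server default still says the cert is pulled from the "galera_server" group, but the new expression derives it from galera_cluster_members, which defaults to groups['galera_all']; the comment should follow, e.g. `# "galera_all" group (via galera_cluster_members) and fall back to localhost.` The localhost fallback also looks weaker than before: previously default() wrapped groups['galera_server'] itself, whereas it now wraps galera_cluster_members, which is always defined as a template string, so an inventory without a galera_all group would probably raise an undefined-variable error from groups['galera_all'] instead of falling back. Moving the default into the new variable, `galera_cluster_members: "{{ groups['galera_all'] | default(['localhost']) }}"`, would keep the documented behaviour.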
@ -13,29 +13,28 @@
|
|||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
- name: Get ca key contents
|
||||
- name: Get Galera ssl CA cert contents
|
||||
slurp:
|
||||
src: "{{ galera_ssl_ca_cert }}"
|
||||
register: galera_ca
|
||||
changed_when: false
|
||||
failed_when: false
|
||||
delegate_to: "{{ galera_ssl_server }}"
|
||||
when:
|
||||
- galera_user_ssl_ca_cert is not defined
|
||||
|
||||
- name: Check for ca key get failure
|
||||
- name: Check for Galera ssl CA cert get failure
|
||||
debug:
|
||||
msg: >
|
||||
The key retrieval task failed or no CA key was found. Check the file
|
||||
The cert retrieval task failed or no CA cert was found. Check the file
|
||||
"{{ galera_ssl_ca_cert }}" on server "{{ galera_ssl_server }}" before
|
||||
trying again.
|
||||
when:
|
||||
- not galera_ca | success
|
||||
- galera_ca.content is not defined
|
||||
|
||||
- name: Distribute Galera ssl CA cert (SERVER)
|
||||
copy:
|
||||
content: "{{ galera_ca.content | b64decode }}"
|
||||
src: "{{ galera_ssl_ca_cert }}"
|
||||
dest: "{{ galera_ssl_ca_cert }}"
|
||||
owner: "root"
|
||||
group: "root"
|
||||
mode: "0644"
|
||||
|
@ -45,8 +44,8 @@
|
|||
|
||||
- name: Distribute Galera ssl CA cert (USER)
|
||||
copy:
|
||||
dest: "{{ galera_ssl_ca_cert }}"
|
||||
src: "{{ galera_user_ssl_ca_cert }}"
|
||||
dest: "{{ galera_ssl_ca_cert }}"
|
||||
owner: "root"
|
||||
group: "root"
|
||||
mode: "0644"
|
||||
|
|
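Review bot: The new condition on "Check for Galera ssl CA cert get failure", `galera_ca.content is not defined`, is also true when the slurp task was skipped because galera_user_ssl_ca_cert is defined, so deployments that supply their own CA cert will print the retrieval-failure message on every run; the debug task needs the same guard as the slurp, `- galera_user_ssl_ca_cert is not defined`, or alternatively `- galera_ca is not skipped`. Because the task is only a debug, the play also continues after a genuine retrieval failure and the following "Distribute Galera ssl CA cert (SERVER)" copy then evaluates `galera_ca.content | b64decode` on an undefined value; unless that task carries a `when` on the lines between the two hunks, using `fail:` (or `assert`) in place of `debug:` would stop at the message instead of failing later with a less clear error. Minor: the message uses `>`, which keeps a trailing newline in the output; `>-` is the usual choice for a single-line message.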