Fix SSL cert distribution tasks

The 'galera_cluster_members' variable has been added, matching the
default value from the galera_server role and used by the
'galera_ssl_ca_cert' variable to find a galera node within the inventory
to attempt to pull cert files from.

Since the slurp task that checks for an existing CA cert file is set to
never fail, the debug message should check if any content was found. The
changed_when can also be removed since slurp tasks only return 'ok'
when a file is found.

The task copying an existing cert from a server was using a 'src'
argument where it should be 'dest'.

Change-Id: I95cc994df5118fce7ce588fc0bff979bc283a6f3
Jimmy McCrory 2017-12-12 22:31:16 -08:00
parent 9a8302cbba
commit 5d2988c938
2 changed files with 9 additions and 8 deletions

View File

@ -13,6 +13,8 @@
# See the License for the specific language governing permissions and
# limitations under the License.
galera_cluster_members: "{{ groups['galera_all'] }}"
# Default galera connection address
galera_address: 127.0.0.1
galera_root_user: root
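Review bot: the new `galera_cluster_members` default is the only variable in this block without an explanatory comment, and it hard-codes `groups['galera_all']` with no `default(...)` fallback, unlike the `galera_ssl_server` expression it feeds. Consider a comment line above it such as `# Group of galera nodes to pull an existing SSL CA cert from` and confirm that every inventory this role targets actually defines a `galera_all` group, since the previous code looked up `galera_server`.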
@ -58,7 +60,7 @@ galera_use_ssl: false
# This server is used when pulling an ssl cert onto a given host when a user
# defined key is not present. By default this will try and pull from the
# "galera_server" group and fall back to localhost.
galera_ssl_server: "{{ (groups['galera_server'] | default(['localhost']))[0] }}"
galera_ssl_server: "{{ (galera_cluster_members | default(['localhost']))[0] }}"
# The path where to store the database server CA certificate
galera_ssl_ca_cert: /etc/ssl/certs/galera-ca.pem
# The path to Galera CA certificate file on the deployment host
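Review bot: the comment above `galera_ssl_server` is now stale; it still says the cert is pulled from the `"galera_server"` group, while the new expression reads `galera_cluster_members`. Update it to name the new variable. Also verify that `default(['localhost'])` still takes effect when `galera_cluster_members` resolves to an undefined group lookup rather than to an undefined variable, otherwise the documented localhost fallback is lost on inventories without that group.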

View File

@ -13,29 +13,28 @@
# See the License for the specific language governing permissions and
# limitations under the License.
- name: Get ca key contents
- name: Get Galera ssl CA cert contents
slurp:
src: "{{ galera_ssl_ca_cert }}"
register: galera_ca
changed_when: false
failed_when: false
delegate_to: "{{ galera_ssl_server }}"
when:
- galera_user_ssl_ca_cert is not defined
- name: Check for ca key get failure
- name: Check for Galera ssl CA cert get failure
debug:
msg: >
The key retrieval task failed or no CA key was found. Check the file
The cert retrieval task failed or no CA cert was found. Check the file
"{{ galera_ssl_ca_cert }}" on server "{{ galera_ssl_server }}" before
trying again.
when:
- not galera_ca | success
- galera_ca.content is not defined
- name: Distribute Galera ssl CA cert (SERVER)
copy:
content: "{{ galera_ca.content | b64decode }}"
src: "{{ galera_ssl_ca_cert }}"
dest: "{{ galera_ssl_ca_cert }}"
owner: "root"
group: "root"
mode: "0644"
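Review bot: the debug task's new condition `galera_ca.content is not defined` will also be true on hosts where the slurp task was skipped because `galera_user_ssl_ca_cert` is defined (the skipped result carries no `content` key), so the "no CA cert was found" message fires exactly when a user-supplied cert is in use. The old `not galera_ca | success` did not have this problem because a skipped result counts as successful. Add `- galera_user_ssl_ca_cert is not defined` to the debug task's `when:` list alongside the `content` check; the same guard should apply to the SERVER copy task if it is not already present in the unshown context, since `galera_ca.content | b64decode` would otherwise error on those hosts.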
@ -45,8 +44,8 @@
- name: Distribute Galera ssl CA cert (USER)
copy:
dest: "{{ galera_ssl_ca_cert }}"
src: "{{ galera_user_ssl_ca_cert }}"
dest: "{{ galera_ssl_ca_cert }}"
owner: "root"
group: "root"
mode: "0644"