openssh_keypair and openssl_privatekey: make idempotence configurable #65639
Comments
I would prefer if it is possible to configure the behavior of I can think of the following cases (which would correspond to values for that option):
I think this covers the most important choices people would want. To make this proposal more concrete, how about naming the option
Why would we need all those behaviors? I can only see 2 behaviors:
A trivial 3rd behavior would be to just return "ok" if everything is ok. ;-)
So we have:
So current default is 4), and either 2) or 3) would be a potential new default. 1) is for people who want to have a key, but don't want errors / regenerations if they ever adjust the task/playbook parameters (except for wrong password / broken key). What do you think?
```yaml
- name: generate openssl private key
  openssl_privatekey:
    path: "/opt/netdata/etc/netdata/ssl/key.pem"
    owner: root
    group: netdata
    mode: "0640"
```

(this task returns changed every time and effectively renews the key which is unexpected - in addition

```text
TASK [generate openssl private key]
ok: [my.host] => {
    "changed": false,
    "filename": "/opt/netdata/etc/netdata/ssl/key.pem",
    "fingerprint": {},
    "size": 4096,
    "type": "RSA"
}
```

In practice it would be good to see something like a
This is definitely not expected - calling the module twice with the same parameters should not result in a change (assuming you're not specifying
For
Ok, here's an updated (and expanded) proposal:

```yaml
regenerate:
  description:
    - Allows to configure in which situations the module is allowed to regenerate private keys.
      The module will always generate a new key if the destination file does not exist.
    - By default, the key will be regenerated when it doesn't match the module's options,
      except when the key cannot be read or the passphrase does not match. Please note that
      this B(changed) for Ansible 2.10. For Ansible 2.9, the behavior was as if C(full_idempotence)
      is specified.
    - If set to C(never), the module will fail if the key cannot be read or the passphrase
      isn't matching, and will never regenerate an existing key.
    - If set to C(fail), the module will fail if the key does not correspond to the module's
      options.
    - If set to C(partial_idempotence), the key will be regenerated if it does not conform to
      the module's options. The key is B(not) regenerated if it cannot be read (broken file),
      the key is protected by an unknown passphrase, or when the key is not protected by a
      passphrase, but a passphrase is specified.
    - If set to C(full_idempotence), the key will be regenerated if it does not conform to the
      module's options. This is also the case if the key cannot be read (broken file), the key
      is protected by an unknown passphrase, or when the key is not protected by a passphrase,
      but a passphrase is specified. Make sure you have a B(backup) when using this option!
    - If set to C(always), the module will always regenerate the key. This is equivalent to
      setting I(force) to C(yes).
  type: str
  choices:
    - never
    - fail
    - partial_idempotence
    - full_idempotence
    - always
  default: partial_idempotence
```

Any naming suggestions, or other suggestions?
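To make the five proposed `regenerate` values concrete, here is the decision table from the proposal above written out as a small Python function. This is an added example for this thread, not code from the ansible modules or from the PR; the `KeyState` probe fields (`exists`, `readable`, `passphrase_ok`, `matches_options`) are assumptions about what the module can observe, while the mode names and their outcomes follow the proposal text. It also covers the "changed" reporting that the earlier comment about `changed: false` touches on.

```python
"""Decision logic for the proposed `regenerate` option (illustration only).

Added example written for this thread; the real modules do not contain this
code. `KeyState` and its fields are assumed names for what the module can
observe about the file at `path`.
"""
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    CREATE = "create"          # destination file does not exist: always generate
    KEEP = "keep"              # existing key left untouched (changed=false)
    REGENERATE = "regenerate"  # existing key overwritten (changed=true)
    FAIL = "fail"              # module errors out, nothing is written


@dataclass
class KeyState:
    """Assumed probe result for the key file."""
    exists: bool
    readable: bool         # False for a broken / unparsable file
    passphrase_ok: bool    # False for an unknown passphrase, or an unprotected
                           # key when a passphrase was specified
    matches_options: bool  # size, type, ... agree with the task parameters


REGENERATE_CHOICES = ("never", "fail", "partial_idempotence",
                      "full_idempotence", "always")


def decide(state: KeyState, regenerate: str = "partial_idempotence") -> Action:
    """Map an observed key state and a `regenerate` mode to the module action."""
    if regenerate not in REGENERATE_CHOICES:
        raise ValueError(f"unknown regenerate value: {regenerate!r}")
    if not state.exists:
        return Action.CREATE              # all modes generate a missing key
    if regenerate == "always":
        return Action.REGENERATE          # same as force=yes
    # The modes differ mainly on a key that cannot be read or unlocked:
    # only full_idempotence replaces it, every other mode refuses.
    if not state.readable or not state.passphrase_ok:
        return Action.REGENERATE if regenerate == "full_idempotence" else Action.FAIL
    if state.matches_options:
        return Action.KEEP                # idempotent second run
    if regenerate == "never":
        return Action.KEEP                # tolerate drift, never touch the key
    if regenerate == "fail":
        return Action.FAIL                # report drift instead of fixing it
    return Action.REGENERATE              # partial_ and full_idempotence


def changed(action: Action) -> bool:
    """What the module would report as `changed` for a given action."""
    return action in (Action.CREATE, Action.REGENERATE)


if __name__ == "__main__":
    # Constructed sample states, one per interesting row of the table.
    samples = {
        "missing": KeyState(False, False, False, False),
        "ok": KeyState(True, True, True, True),
        "wrong size": KeyState(True, True, True, False),
        "unknown passphrase": KeyState(True, True, False, True),
        "broken file": KeyState(True, False, True, True),
    }
    for mode in REGENERATE_CHOICES:
        for label, st in samples.items():
            print(f"{mode:20s} {label:20s} -> {decide(st, mode).value}")
```

Running the block prints the full mode-by-state table; the interesting rows are the "broken file" and "unknown passphrase" ones, where `partial_idempotence` fails while `full_idempotence` silently replaces the key, which is why the proposal asks for a backup before using the latter.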
I've started a PR implementing such an option: #67038
Sorry, false alarm, another task in the playbook was changing the key file.
SUMMARY
We had several discussions in the past about the behavior modules like openssh_keypair and openssl_privatekey should have when they encounter something not meeting the specified module options. (References: #53535, #32038, #65638 resp. the meeting log.)
The current state (until #65638) was that modules should make sure that the object in question does conform to its options, i.e. if a private key is found which is invalid, (not) passphrase protected (or with the wrong one), has the wrong size, type, ..., it will be regenerated.
There are also other approaches: `recreate` is set to `always` (also known as `force=yes`) or `options-changed` (also known as classic Ansible behavior). Let's use this issue for discussing how this could be configured for these modules.
CC @MaxBab @samdoran @nitzmahone
ISSUE TYPE
COMPONENT NAME
openssh_keypair
openssl_privatekey