Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Local task fails on realm creation due to missing dirs #78

Open
antoineco opened this issue Aug 9, 2016 · 7 comments
Open

Local task fails on realm creation due to missing dirs #78

antoineco opened this issue Aug 9, 2016 · 7 comments

Comments

@antoineco
Copy link

When I declare a new realm in a playbook, the task Sign certificate requests for current hosts fails with the following error:

fatal: [noah.host -> localhost]: FAILED! =>
{
  "changed": false,
  "cmd": [
    "./lib/pki-authority",
    "sign-by-host",
    "noah.host"
  ],
  "delta": "0:00:00.760960",
  "end": "2016-08-09 12:58:03.344391",
  "failed": true,
  "rc": 1,
  "start": "2016-08-09 12:58:02.583431",
  "stderr": "pki-authority: Error: failed to run ca -batch -notext -in /ansible/ansible/secret/pki/requests/domain/noah.host/k8s/request.pem -out /ansible/ansible/secret/pki/realms/by-host/noah.host/k8s/internal/cert.pem.tmp -config config/openssl-sign.conf (Exitcode: 1)\n\nDetails:\nUsing configuration from config/openssl-sign.conf\n/ansible/ansible/secret/pki/realms/by-host/noah.host/k8s/internal/cert.pem.tmp: No such file or directory\n140100935210648:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('/ansible/ansible/secret/pki/realms/by-host/noah.host/k8s/internal/cert.pem.tmp','w')\n140100935210648:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:",
  "stdout": "",
  "stdout_lines": [],
  "warnings": []
}

It looks like some directory creations are missing, since the playbooks runs perfectly when I create the following empty directory structure locally:

ansible/secret/pki/realms/by-host/noah.host/
`-- k8s
    |-- external
    `-- internal

Extract from the playbook:

  vars:

    kubernetes_pki_dependent_realms:
      - name: 'k8s'
        subject_alt_names:
          - 'ip:{{ ansible_default_ipv4.address }}'
          - 'ip:10.200.0.1'
          - 'dns:kubernetes.default.svc.gini.cluster'
          - 'dns:kubernetes.default.svc'
          - 'dns:kubernetes.default'
          - 'dns:kubernetes'

  roles:

    - role: debops.pki
      tags: [ 'role::pki' ]
      pki_dependent_realms:
        - '{{ kubernetes_pki_dependent_realms }}'
@drybjed
Copy link
Member

drybjed commented Aug 9, 2016

You need to include debops.pki/env and debops.secret roles in your playbook. Check the example debops.pki playbook to see how they are used.

@antoineco
Copy link
Author

Oh, I see, thanks for the quick answer @drybjed !

@antoineco
Copy link
Author

@drybjed for some reason it doesn't work with the following addition:

  roles:

    - role: debops.pki/env
      tags: [ 'role::pki' ]
      pki_dependent_realms:
        - '{{ kubernetes_pki_dependent_realms }}'

    - role: debops.secret
      tags: [ 'role::pki' ]
      secret_directories:
        - '{{ pki_env_secret_directories }}'

    - role: debops.pki
      tags: [ 'role::pki' ]
      pki_dependent_realms:
        - '{{ kubernetes_pki_dependent_realms }}'

But it should according to this template: pki_env_secret_directories.j2.

I added 2 debug tasks to env/tasks/main.yml:

---

- name: DEBUG
  debug:
    var: pki_dependent_realms

- name: Prepare debops.pki environment
  set_fact:
    pki_env_secret_directories: '{{ lookup("template", "lookup/pki_env_secret_directories.j2") | from_yaml }}'

- name: DEBUG
  debug:
    var: pki_env_secret_directories

The result is surprising me:

Running Ansible playbook from:
/ansible/ansible/playbooks/kubernetes.yml ...

PLAY [Kubernetes] **************************************************************

TASK [setup] *******************************************************************
ok: [noah.host]

TASK [debops.pki/env : DEBUG] **************************************************
ok: [noah.host] => {
    "pki_dependent_realms": [
        [
            {
                "name": "k8s", 
                "subject_alt_names": [
                    "ip:192.168.3.2", 
                    "ip:10.200.0.1", 
                    "dns:kubernetes.default.svc.gini.cluster", 
                    "dns:kubernetes.default.svc", 
                    "dns:kubernetes.default", 
                    "dns:kubernetes"
                ]
            }
        ]
    ]
}

TASK [debops.pki/env : Prepare debops.pki environment] *************************
ok: [noah.host]

TASK [debops.pki/env : DEBUG] **************************************************
ok: [noah.host] => {
    "pki_env_secret_directories": [
        "pki/lib", 
        "pki/ca-certificates/by-host/noah.host", 
        "pki/ca-certificates/by-group/all", 
        "pki/ca-certificates/by-group/debops_service_pki", 
        "pki/realms/by-group/all/domain/external", 
        "pki/realms/by-group/all/domain/private", 
        "pki/realms/by-group/debops_service_pki/domain/external", 
        "pki/realms/by-group/debops_service_pki/domain/private", 
        "pki/realms/by-host/noah.host/domain/external", 
        "pki/realms/by-host/noah.host/domain/internal", 
        "pki/realms/by-host/noah.host/domain/private"
    ]
}

Am I missing something?

@antoineco antoineco reopened this Aug 9, 2016
@drybjed
Copy link
Member

drybjed commented Aug 9, 2016

@antoineco Your playbook looks correct. I'm not sure why it doesn't want to work this way. Can you try and debug the variables inside the template? Perhaps add another task that saves the result in a temporary file to see what's happening there.

@antoineco
Copy link
Author

antoineco commented Aug 9, 2016
edited
Loading

@drybjed: Got it. That's because I'm passing my variable as a list like this:

    - role: debops.pki/env
      tags: [ 'role::pki' ]
      pki_dependent_realms:
        - '{{ kubernetes_pki_dependent_realms }}'

However kubernetes_pki_dependent_realms is already a list, so printing the value of each realm in pki_dependent_realms results in:

- {u'name': u'domain', u'acme': False}
- [{u'subject_alt_names': [u'ip:192.168.3.2', u'ip:10.200.0.1', u'dns:kubernetes.default.svc.gini.cluster', u'dns:kubernetes.default.svc', u'dns:kubernetes.default', u'dns:kubernetes'], u'name': u'k8s'}]

That's why the template doesn't catch it.

A quick workaround is to pass the variable as a string to the debops.pki/env role, but in that case I can not express dependencies like I do with your other ferm role, something like:

    - role: debops.pki/env
      tags: [ 'role::pki' ]
      pki_dependent_realms:
        - '{{ kubernetes_pki_dependent_realms }}'
        - '{{ etcd_pki_dependent_realms }}'

@drybjed
Copy link
Member

drybjed commented Aug 9, 2016

@antoineco Right. The template in 1debops.pki/env` would need to flatten the list to work around it. I'll get to it when I have the time, for now try something like this:

- role: debops.pki/env
  pki_dependent_realms: '{{ kubernetes_pki_dependent_realms + etcd_pki_dependent_realms }}'

That should make the role work correctly.

@antoineco
Copy link
Author

@drybjed: Sure, on my side it's easy to work around that. What I was pointing out is that the behavior of the debops.pki/env role is not what the user might expect at first. At least people who have familiarity with the rest of the DebOps framework.

Thanks again for responding so quickly 👌

@antoineco antoineco mentioned this issue Aug 12, 2016
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@drybjed @antoineco