[Bug] If no password is set for patroni then update cluster ansible fails from 401

[snoby]

Bug description

If you update a cluster created by default and do not set a password for the patroni user the url call to switch from leader to follower will fail.

Expected behavior

I would expect that the api call to work without a password, however this seems like an api problem, but our playbook needs a work around.

Steps to reproduce

...

Installation method

Command line

System info

Postgres 16, ansible install. ubnuntu 24.04 tip of master.

Additional info

The work around is to let the api call fail and if it falies with a 4xx then fall back to using the patronictl command

replace the contents of switchover.yml with this:

---
- name: Set Patroni switchover URL
  set_fact:
    patroni_switchover_url: "http://{{ inventory_hostname }}:{{ patroni_restapi_port }}/switchover"

- name: Perform Patroni switchover using REST API
  ansible.builtin.uri:
    url: "{{ patroni_switchover_url }}"
    method: POST
    body: '{"leader":"{{ ansible_hostname }}"}'
    body_format: json
    headers:
      Content-Type: application/json
    status_code: 200
    user: "{{ patroni_restapi_username }}"
    password: "{{ patroni_restapi_password }}"
  register: patroni_switchover_result
  when: patroni_restapi_password is defined and patroni_restapi_password | length > 0
  retries: 10
  delay: 2
  until: patroni_switchover_result.status == 200
  failed_when: patroni_switchover_result.status is defined and (patroni_switchover_result.status >= 400 and patroni_switchover_result.status < 500)
  environment:
    no_proxy: "{{ inventory_hostname }}"

- name: Perform Patroni switchover using patronictl fallback (no password)
  ansible.builtin.shell: |
    PATRONICTL_CONFIG=/etc/patroni.yml \
    patronictl switchover --force --candidate ""
  register: patroni_switchover_result
  when: patroni_restapi_password is not defined or patroni_restapi_password | length == 0
  become: true
  changed_when: "'Switched over' in patroni_switchover_result.stdout"



- name: Make sure that the Patroni is healthy and is a replica
  ansible.builtin.uri:
    url: http://{{ inventory_hostname }}:{{ patroni_restapi_port }}/replica
    status_code: 200
  register: patroni_replica_result
  until: patroni_replica_result.status == 200
  retries: 300
  delay: 2
  environment:
    no_proxy: "{{ inventory_hostname }}"

[vitabaks]

Thanks, that’s a good find. I haven’t encountered this issue myself since I’ve always filled in the password variables.

In this case, it should be sufficient to add a pre-check task that retrieves the current password values if they’re not explicitly set. Code: https://github.com/vitabaks/autobase/blob/2.2.0/automation/roles/pre-checks/tasks/passwords.yml#L24

I'll take care of it.

[vitabaks]

PR #1027