Bug
Resolution: Unresolved
rhel-system-roles-1.90.0-0.1.el9
Low
rhel-sst-system-roles
Dev ack
Unspecified Release Note Type - Unknown
Steps to reproduce:
1. Create the following playbook:

    ---
    - name: Installing and configuring PostgreSQL
      hosts: rhel9.example.com
      tasks:
        - name: Create
          ansible.builtin.file:
            path: /etc/postgresql/
            state: directory
            # quoted octal: an unquoted 755 is parsed as decimal by YAML and sets the wrong permissions
            mode: "0755"
        - name: Copy CA certificate
          ansible.builtin.copy:
            src: "~/{{ inventory_hostname }}.crt"
            dest: "/etc/postgresql/server.crt"
            owner: postgres
        - name: Copy private key
          ansible.builtin.copy:
            src: "~/{{ inventory_hostname }}.key"
            dest: "/etc/postgresql/server.key"
            mode: "0600"
            owner: postgres
        - name: PostgreSQL with an existing private key and certificate
          ansible.builtin.include_role:
            name: rhel-system-roles.postgresql
          vars:
            postgresql_version: "16"
            postgresql_ssl_enable: true
            postgresql_cert_name: "/etc/postgresql/server"
2. Run the playbook:
$ ansible-playbook --verbose ~/playbook.yml
Actual results:

    TASK [rhel-system-roles.postgresql : Install certificate file] ****************************
    fatal: [rhel9.example.com]: FAILED! => {"msg": "The task includes an option with an undefined variable. The error was: '__pg_server_crt' is undefined. '__pg_server_crt' is undefined\n\nThe error appears to be in '/usr/share/ansible/roles/rhel-system-roles.postgresql/tasks/certificate.yml': line 56, column 7, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n block:\n - name: Install certificate file\n ^ here\n"}
Expected results:
The playbook should succeed.
Workaround/Fix:
Add the following "vars" block to /usr/share/ansible/roles/rhel-system-roles.postgresql/tasks/certificate.yml:

    - name: Install user provided TLS certificates for postgresql
      when:
        - __postgresql_cert.stat.exists
        - __postgresql_key.stat.exists
        - postgresql_certificates | length < 1
      vars:
        __pg_server_crt: "{{ __postgresql_data_dir }}/server.crt"
        __pg_server_key: "{{ __postgresql_data_dir }}/server.key"
      ...
Additional information:
When you fix this, please also update the postgresql_cert_name variable description in the readme (it cost me some time to figure out how it works because the description misses some important details):
- It should mention that the key/cert files must exist on the managed node (or be copied by the playbook). They are not copied automatically (which would be a nice enhancement and improvement of the user experience)
- The value must be an absolute path.
- The role changes the owner of the key/cert files to "postgres".
- The role creates symbolic links /var/lib/pgsql/data/server.key|.crt that link to the key/crt path you specify in postgresql_cert_name. Therefore, you can't directly copy the files to /var/lib/pgsql/data/server.key|.crt (because then the role fails when it tries to create the symlinks)
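As an added example (not part of this bug report or of the rhel-system-roles project), the following pre-flight playbook turns the undocumented preconditions listed above into explicit checks that fail with a clear message before the role is included: the path must be absolute, the .crt and .key must already exist on the managed node, the key should not be group/world readable, and the data-directory server.crt/server.key must not already exist as regular files because the role wants to create symlinks there. It reuses the variable names from the reproducer; the data directory /var/lib/pgsql/data is taken from the last bullet and is an assumption for other layouts.

```yaml
---
# Added example: pre-flight validation for postgresql_cert_name.
# Not the role's own code; assumes the default data directory.
- name: Validate user-provided TLS material before including the postgresql role
  hosts: rhel9.example.com
  vars:
    postgresql_ssl_enable: true
    postgresql_cert_name: "/etc/postgresql/server"
    # Assumption: default PostgreSQL data directory on RHEL
    pg_data_dir: /var/lib/pgsql/data
  tasks:
    - name: Check the postgresql_cert_name preconditions
      when: postgresql_ssl_enable | bool
      block:
        - name: postgresql_cert_name must be an absolute path
          ansible.builtin.assert:
            that:
              - postgresql_cert_name is match('^/')
            fail_msg: "postgresql_cert_name must be absolute, got '{{ postgresql_cert_name }}'"

        - name: Stat the certificate and key on the managed node
          ansible.builtin.stat:
            path: "{{ postgresql_cert_name }}{{ item }}"
          loop: [".crt", ".key"]
          register: pg_tls_files

        - name: Both files must already exist (the role does not copy them)
          ansible.builtin.assert:
            that:
              - item.stat.exists
              - item.stat.isreg
            fail_msg: "{{ postgresql_cert_name }}{{ item.item }} is missing on {{ inventory_hostname }}"
          loop: "{{ pg_tls_files.results }}"
          loop_control:
            label: "{{ item.item }}"

        - name: Private key must not be group/world readable
          ansible.builtin.assert:
            that:
              - pg_tls_files.results[1].stat.mode in ['0600', '0400']
            fail_msg: "{{ postgresql_cert_name }}.key has mode {{ pg_tls_files.results[1].stat.mode }}, expected 0600"

        - name: Stat the symlink targets the role will create in the data directory
          ansible.builtin.stat:
            path: "{{ pg_data_dir }}/server{{ item }}"
          loop: [".crt", ".key"]
          register: pg_data_links

        - name: Data-directory server.crt/server.key must not be regular files
          ansible.builtin.assert:
            that:
              - (not item.stat.exists) or item.stat.islnk
            fail_msg: "{{ pg_data_dir }}/server{{ item.item }} is a regular file; the role needs to create a symlink there"
          loop: "{{ pg_data_links.results }}"
          loop_control:
            label: "{{ item.item }}"

    - name: PostgreSQL with an existing private key and certificate
      ansible.builtin.include_role:
        name: rhel-system-roles.postgresql
      vars:
        postgresql_version: "16"
```

Running this before the role reproduces the failure modes from the bullets above as assertion failures with the offending path in the message, instead of an undefined-variable error deep inside certificate.yml.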
Relates to:
  RHEL-67267 [Epic] work for postgresql role: The postgresql_cert_name variable doesn't work with existing certificates (In Progress)
  RHEL-67269 QE work for postgresql role: The postgresql_cert_name variable doesn't work with existing certificates (New)
  RHEL-67275 upstream work for postgresql role: The postgresql_cert_name variable doesn't work with existing certificates (Closed)
  RHEL-67281 packaging work for postgresql role: The postgresql_cert_name variable doesn't work with existing certificates (Closed)
Links to:
  RHEA-2024:143087 rhel-system-roles bug fix and enhancement update