fix(step_acme_cert): don't fail when the user doesn't proide a path

fixes #97
maxhoesel-ansible · Aug 25, 2021 · ecc0606 · ecc0606
1 parent d1f82fc
commit ecc0606
Show file tree

Hide file tree

Showing 4 changed files with 16 additions and 9 deletions.
diff --git a/roles/step_acme_cert/molecule/default/converge.yml b/roles/step_acme_cert/molecule/default/converge.yml
@@ -28,12 +28,13 @@
         step_acme_cert_webroot_path: "{{ webroots[ansible_os_family] }}"
         step_acme_cert_duration: 1h
         step_acme_cert_certfile:
-          path: /etc/ssl/step.crt
+          # Lazy evaluation testing
+          #path: /etc/ssl/step.crt
           mode: "644"
           owner: root
           group: "{{ webgroup[ansible_os_family] }}"
         step_acme_cert_keyfile:
-          path: /etc/ssl/step.key
+          #path: /etc/ssl/step.key
           mode: "640"
           owner: root
           group: "{{ webgroup[ansible_os_family] }}"

diff --git a/roles/step_acme_cert/tasks/get_cert.yml b/roles/step_acme_cert/tasks/get_cert.yml
@@ -2,8 +2,8 @@
   maxhoesel.smallstep.step_ca_certificate:
     provisioner: "{{ step_acme_cert_ca_provisioner }}"
     contact: "{{ step_acme_cert_contact }}"
-    crt_file: "{{ step_acme_cert_certfile.path }}"
-    key_file: "{{ step_acme_cert_keyfile.path }}"
+    crt_file: "{{ step_acme_cert_certfile_full.path }}"
+    key_file: "{{ step_acme_cert_keyfile_full.path }}"
     force: yes
     name: "{{ step_acme_cert_name }}"
     not_after: "{{ step_acme_cert_duration|default(omit) }}"
@@ -22,5 +22,5 @@
     owner: "{{ item.owner }}"
     group: "{{ item.group }}"
   loop:
-    - "{{ step_acme_cert_keyfile_defaults | combine(step_acme_cert_keyfile) }}"
-    - "{{ step_acme_cert_certfile_defaults | combine(step_acme_cert_certfile) }}"
+    - "{{ step_acme_cert_keyfile_full }}"
+    - "{{ step_acme_cert_certfile_full }}"
diff --git a/roles/step_acme_cert/tasks/main.yml b/roles/step_acme_cert/tasks/main.yml
@@ -2,13 +2,19 @@
 # tasks file for step_acme_cert
 - include: check.yml
 
+- name: Update cert/keyfile dicts with defaults
+  set_fact:
+    # Role params take precedence over set_fact, so we need to declare a new private variable
+    step_acme_cert_keyfile_full: "{{ step_acme_cert_keyfile_defaults | combine(step_acme_cert_keyfile) }}"
+    step_acme_cert_certfile_full: "{{ step_acme_cert_certfile_defaults | combine(step_acme_cert_certfile) }}"
+
 - name: Look for existing certificate
   stat:
-    path: "{{ step_acme_cert_certfile.path }}"
+    path: "{{ step_acme_cert_certfile_full.path }}"
   register: step_acme_cert_current_cert
 
 - name: Check if certificate is valid
-  command: "step-cli certificate verify {{ step_acme_cert_certfile.path }}"
+  command: "step-cli certificate verify {{ step_acme_cert_certfile_full.path }}"
   changed_when: no
   check_mode: no
   ignore_errors: true

diff --git a/roles/step_acme_cert/templates/step-renew.service.j2 b/roles/step_acme_cert/templates/step-renew.service.j2
@@ -8,7 +8,7 @@ Type=simple
 Restart=always
 RestartSec=1
 Environment=STEPPATH={{ step_cli_steppath }}
-ExecStart={{ step_cli_executable_absolute.stdout }} ca renew {{ step_acme_cert_certfile.path }} {{ step_acme_cert_keyfile.path }} --daemon --force{% if step_acme_cert_renewal_when is defined %} --expires-in {{ step_acme_cert_renewal_when }}{% endif %}{% if step_acme_cert_renewal_reload_services %} --exec "systemctl try-reload-or-restart {{ step_acme_cert_renewal_reload_services | join(' ') }}"{% endif %}
+ExecStart={{ step_cli_executable_absolute.stdout }} ca renew {{ step_acme_cert_certfile_full.path }} {{ step_acme_cert_keyfile_full.path }} --daemon --force{% if step_acme_cert_renewal_when is defined %} --expires-in {{ step_acme_cert_renewal_when }}{% endif %}{% if step_acme_cert_renewal_reload_services %} --exec "systemctl try-reload-or-restart {{ step_acme_cert_renewal_reload_services | join(' ') }}"{% endif %}
 
 [Install]
 WantedBy=multi-user.target