Copy TLS certificate to the newly added nodes

vitabaks · Dec 18, 2024 · 3097f7a · 3097f7a
1 parent 4412bd1
commit 3097f7a
Show file tree

Hide file tree

Showing 2 changed files with 63 additions and 0 deletions.
diff --git a/automation/add_pgnode.yml b/automation/add_pgnode.yml
@@ -105,6 +105,14 @@
         - firewall_enabled_at_boot | bool
       tags: firewall
 
+    - name: Fetch TLS certificate
+      ansible.builtin.include_role:
+        name: tls_certificate
+        tasks_from: copy_certificate
+      vars:
+        tls_job: fetch
+      when: tls_cert_generate|bool
+
   roles:
     - role: ansible-role-firewall
       environment: "{{ proxy_env | default({}) }}"
@@ -228,6 +236,14 @@
       ansible.builtin.include_vars: "vars/{{ ansible_os_family }}.yml"
       tags: always
 
+    - name: Copy TLS certificate
+      ansible.builtin.include_role:
+        name: tls_certificate
+        tasks_from: copy_certificate
+      vars:
+        tls_job: copy
+      when: tls_cert_generate|bool
+
   roles:
     - role: wal-g
       when: wal_g_install|bool

diff --git a/automation/roles/tls_certificate/tasks/copy_certificate.yml b/automation/roles/tls_certificate/tasks/copy_certificate.yml
@@ -0,0 +1,47 @@
+---
+- name: Fetch TLS certificate and key
+  run_once: true
+  ansible.builtin.fetch:
+    src: "{{ item }}"
+    dest: "/tmp/tls/"
+    flat: yes
+  loop:
+    - "{{ tls_privatekey_path | default('/etc/tls/server.key') }}"
+    - "{{ tls_cert_path | default('/etc/tls/server.crt') }}"
+  when:
+    - tls_job is defined
+    - tls_job == 'fetch'
+
+- block:
+  - name: Ensure TLS directories exist
+    ansible.builtin.file:
+      path: "{{ item }}"
+      state: directory
+      owner: "{{ tls_owner | default('postgres') }}"
+      group: "{{ tls_owner | default('postgres') }}"
+      mode: "0750"
+    loop:
+      - "{{ tls_privatekey_path | default('/etc/tls/server.key') | dirname }}"
+      - "{{ tls_cert_path | default('/etc/tls/server.crt') | dirname }}"
+
+  - name: Copy TLS certificate and key to the new node
+    ansible.builtin.copy:
+      src: "/tmp/tls/{{ item | basename }}"
+      dest: "{{ item }}"
+    loop:
+      - "{{ tls_privatekey_path | default('/etc/tls/server.key') }}"
+      - "{{ tls_cert_path | default('/etc/tls/server.crt') }}"
+
+  - name: Set proper permissions for TLS files
+    ansible.builtin.file:
+      path: "{{ item.path }}"
+      owner: "{{ tls_owner | default('postgres') }}"
+      group: "{{ tls_owner | default('postgres') }}"
+      mode: "{{ item.mode }}"
+      state: file
+    loop:
+      - { path: "{{ tls_privatekey_path | default('/etc/tls/server.key') }}", mode: "0400" }
+      - { path: "{{ tls_cert_path | default('/etc/tls/server.crt') }}", mode: "0644" }
+  when:
+    - tls_job is defined
+    - tls_job == 'copy'