From 3097f7ae1bd4bc4cffd043d06839dd7cba59a4ea Mon Sep 17 00:00:00 2001 From: klention Date: Wed, 18 Dec 2024 19:55:14 +0100 Subject: [PATCH] Copy TLS certificate to the newly added nodes --- automation/add_pgnode.yml | 16 +++++++ .../tasks/copy_certificate.yml | 47 +++++++++++++++++++ 2 files changed, 63 insertions(+) create mode 100644 automation/roles/tls_certificate/tasks/copy_certificate.yml diff --git a/automation/add_pgnode.yml b/automation/add_pgnode.yml index 08127325c..b3095a22a 100644 --- a/automation/add_pgnode.yml +++ b/automation/add_pgnode.yml @@ -105,6 +105,14 @@ - firewall_enabled_at_boot | bool tags: firewall + - name: Fetch TLS certificate + ansible.builtin.include_role: + name: tls_certificate + tasks_from: copy_certificate + vars: + tls_job: fetch + when: tls_cert_generate|bool + roles: - role: ansible-role-firewall environment: "{{ proxy_env | default({}) }}" @@ -228,6 +236,14 @@ ansible.builtin.include_vars: "vars/{{ ansible_os_family }}.yml" tags: always + - name: Copy TLS certificate + ansible.builtin.include_role: + name: tls_certificate + tasks_from: copy_certificate + vars: + tls_job: copy + when: tls_cert_generate|bool + roles: - role: wal-g when: wal_g_install|bool diff --git a/automation/roles/tls_certificate/tasks/copy_certificate.yml b/automation/roles/tls_certificate/tasks/copy_certificate.yml new file mode 100644 index 000000000..e42bd60d1 --- /dev/null +++ b/automation/roles/tls_certificate/tasks/copy_certificate.yml 
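Review bot: The `Fetch TLS certificate` include added in the first hunk (`@@ -105,6 +105,14 @@`) relies on the included fetch task's `run_once: true`, so the certificate and key are pulled from whichever host happens to be first in this play's batch; if that play's host list also contains the node being added, which has no certificate yet, the fetch either fails on the missing file or silently uses an unintended source. The play header is outside the hunk, so I cannot tell from here which hosts it targets; if it is not already restricted to existing members, pin the source host on the fetch task (for example with `delegate_to` pointing at a known existing member such as `"{{ groups['<existing-members-group>'][0] }}"`) or guard the include with a `when` on group membership so the source is deterministic. A short comment above the include, `# Pulls the cluster TLS material from an existing member; the new node must not be the source`, would record that assumption for the next maintainer.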
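Review bot: After the `Copy TLS certificate` include in the second hunk (`@@ -228,6 +236,14 @@`) nothing removes the private key that the fetch step left in `/tmp/tls/` on the control node, so it persists in a shared temp directory on the controller after the run completes. A cleanup task directly after the include, delegated to localhost and run once, keeps the key's lifetime on the controller limited to the play; the play's surrounding `roles:` list continues outside the hunk.
```yaml
      - name: Copy TLS certificate
        # … unchanged: include_role tls_certificate, tasks_from copy_certificate …

      - name: Remove fetched TLS material from the controller
        ansible.builtin.file:
          path: "/tmp/tls/"
          state: absent
        delegate_to: localhost
        run_once: true
        when: tls_cert_generate|bool
```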
@@ -0,0 +1,47 @@
+---
+- name: Fetch TLS certificate and key
+ run_once: true
+ ansible.builtin.fetch:
+ src: "{{ item }}"
+ dest: "/tmp/tls/"
+ flat: yes
+ loop:
+ - "{{ tls_privatekey_path | default('/etc/tls/server.key') }}"
+ - "{{ tls_cert_path | default('/etc/tls/server.crt') }}"
+ when:
+ - tls_job is defined
+ - tls_job == 'fetch'
+
+- block:
+ - name: Ensure TLS directories exist
+ ansible.builtin.file:
+ path: "{{ item }}"
+ state: directory
+ owner: "{{ tls_owner | default('postgres') }}"
+ group: "{{ tls_owner | default('postgres') }}"
+ mode: "0750"
+ loop:
+ - "{{ tls_privatekey_path | default('/etc/tls/server.key') | dirname }}"
+ - "{{ tls_cert_path | default('/etc/tls/server.crt') | dirname }}"
+
+ - name: Copy TLS certificate and key to the new node
+ ansible.builtin.copy:
+ src: "/tmp/tls/{{ item | basename }}"
+ dest: "{{ item }}"
+ loop:
+ - "{{ tls_privatekey_path | default('/etc/tls/server.key') }}"
+ - "{{ tls_cert_path | default('/etc/tls/server.crt') }}"
+
+ - name: Set proper permissions for TLS files
+ ansible.builtin.file:
+ path: "{{ item.path }}"
+ owner: "{{ tls_owner | default('postgres') }}"
+ group: "{{ tls_owner | default('postgres') }}"
+ mode: "{{ item.mode }}"
+ state: file
+ loop:
+ - { path: "{{ tls_privatekey_path | default('/etc/tls/server.key') }}", mode: "0400" }
+ - { path: "{{ tls_cert_path | default('/etc/tls/server.crt') }}", mode: "0644" }
+ when:
+ - tls_job is defined
+ - tls_job == 'copy'
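Review bot: The `Copy TLS certificate and key to the new node` task writes the private key with `ansible.builtin.copy`'s default owner and mode, so until the following `Set proper permissions for TLS files` task runs the key sits on the new node with whatever the remote umask yields, and a failure between the two tasks leaves it in that state. Setting `owner`, `group` and `mode` on the copy task itself closes that window and makes the third task redundant; the rewrite below does that by looping over the same path/mode pairs the third task already uses. The fetch side has the same shape: `dest: "/tmp/tls/"` on the controller is created with default permissions in a shared location, so creating that directory beforehand with `mode: "0700"` (or via `ansible.builtin.tempfile` with `state: directory`) is preferable. Also `flat: yes` should be `flat: true`, since `yes` is a YAML 1.1 boolean that yamllint's truthy rule flags.
```yaml
  - name: Copy TLS certificate and key to the new node
    ansible.builtin.copy:
      src: "/tmp/tls/{{ item.path | basename }}"
      dest: "{{ item.path }}"
      owner: "{{ tls_owner | default('postgres') }}"
      group: "{{ tls_owner | default('postgres') }}"
      mode: "{{ item.mode }}"
    loop:
      - { path: "{{ tls_privatekey_path | default('/etc/tls/server.key') }}", mode: "0400" }
      - { path: "{{ tls_cert_path | default('/etc/tls/server.crt') }}", mode: "0644" }
  # … unchanged: Ensure TLS directories exist task above; the Set proper permissions task becomes redundant and can be dropped …
```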