Comments (11)
drybjed
commented on July 19, 2024
1
@antoineco So when you move the custom_pki_realms variable in the playbook it works? I guess that confirms the issue, these lists need to be flattened by templates in specific places.
from ansible-pki.
drybjed
commented on July 19, 2024
Sounds like one of the kubernetes_* variables is a dictionary instead of a string. Check all of them to see their value during the role execution by setting some debug tasks in the debops.pki role.
from ansible-pki.
antoineco
commented on July 19, 2024
@drybjed I don't think the issue is related to these variables, they are both explicitly set to a string value:
TASK [DEBUG kubernetes_services_net] *******************************************
ok: [nemo] => {
"kubernetes_services_net": "10.0.0.0/16"
}
TASK [DEBUG kubernetes_cluster_domain] *******************************************************************
ok: [nemo] => {
"kubernetes_cluster_domain": "my.cluster"
}from ansible-pki.
drybjed
commented on July 19, 2024
Can you show the debug value of custom_pki_realms variable?
from ansible-pki.
antoineco
commented on July 19, 2024
Sure thing:
TASK [Print 'custom_pki_realms' on each node] **********************************
ok: [nemo] => {
"custom_pki_realms": [
{
"name": "k8s",
"subject_alt_names": [
"ip:192.168.3.1",
"ip:10.0.0.1",
"dns:kubernetes.default.svc.my.cluster",
"dns:kubernetes.default.svc",
"dns:kubernetes.default",
"dns:kubernetes"
]
},
{
"name": "etcd",
"subject_alt_names": [
"ip:192.168.3.1",
"ip:10.0.0.3",
"dns:etcd.kube-system.svc.my.cluster",
"dns:etcd.kube-system.svc",
"dns:etcd.kube-system",
"dns:etcd"
]
}
]
}from ansible-pki.
drybjed
commented on July 19, 2024
Well, hmm, they look ok... How about this - can you remove all subject_alt_names that contain any variables and see if the result works? Just to eliminate any other issues elsewhere.
from ansible-pki.
antoineco
commented on July 19, 2024
Done, I left only the 3 last dns: entries, without success.
from ansible-pki.
antoineco
commented on July 19, 2024
It works when custom_pki_realms contains a single entry (single dictionary).
from ansible-pki.
drybjed
commented on July 19, 2024
And the normal debops.pki role runs fine?
If yes then I'm out of ideas... How about this, before that problematic task, add:
- name: Show all the things
debug:
msg: '{{ pki_realms + pki_group_realms + pki_host_realms + pki_default_realms + pki_dependent_realms }}'Let's see whats templated just before it.
from ansible-pki.
drybjed
commented on July 19, 2024
Hmm, OK - it might be the same problem that with debops.pki/env because this specific task is nested, and not flattened. Try moving the variable the same way as with debops.pki/env.
I guess it's time for a custom lookup for these tasks.
from ansible-pki.
antoineco
commented on July 19, 2024
It also works with multiple entries (see first post) if I call the role as follows:
- role: debops.pki
tags: [ 'role::pki' ]
pki_dependent_realms: '{{ custom_pki_realms }}'This definitely reminds me of #78, as you mentioned.
The normal debops.pki role runs fine.
The debug you asked me to post, just in case it helps:
TASK [Show all the things] *****************************************************
ok: [noah] => {
"msg": [
{
"acme": false,
"name": "domain"
}
]
}from ansible-pki.
Related Issues (20)
- Role breaks without warning (and continues on "normally") if SAN misconfigured HOT 9
- Fail: No module named debops HOT 12
- [Security] debops.pki does not validate CSRs allowing certificate mis-issuance by compromised remote host
- tiny-acme suddenly causes errors HOT 20
- First PKI run fails to create ACME certificates HOT 4
- Changing config parameters has not effect HOT 2
- Changing pki_acme_ca does not reload the nginx server
- Improve docs visibility of `name_constraints` variable
- Remove the pain points when managing ACME certificates HOT 12
- Replaced external certificates are not copied to host HOT 1
- Failure on task: Sign certificate requests for current hosts HOT 3
- ./lib/pki-authority: line 164: declare: -g: invalid option error HOT 3
- debops.pki fails when 1 of the hosts is unreachable HOT 1
- Errors during creation of new LetsEncrypt account via acme. HOT 6
- Error every second pki run HOT 9
- KeyError: 'newAccount' when attempting to generate ACME certificate HOT 5
- Role debops.pki/env fails to resolve after Ansible 2.4 HOT 10
- No wildcard/domain in the 'domain' realm certificates HOT 2
- pki role generates invalid certificate with "permitted subtree violation"
- ing
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from ansible-pki.