Failure when adding service, idempotency #1295

Open

p3lim opened this issue Sep 26, 2024 · 1 comment

Comments


p3lim commented Sep 26, 2024

On an already managed host (e.g. host/$FQDN is already managed) I try to add a host, service and certificate for an alternate CNAME for this host using this collection:

- name: Create host for cname
  freeipa.ansible_freeipa.ipahost:
    name: '{{ service_cname }}.{{ service_domain }}'
    ip_address: '{{ ansible_host }}'
    ipaadmin_principal: '{{ ipaadmin_principal }}'
    ipaadmin_password: '{{ ipaadmin_password }}'

- name: Create service for cname
  freeipa.ansible_freeipa.ipaservice:
    name: 'HTTP/{{ service_cname }}.{{ service_domain }}'
    principal: 'host/{{ service_cname }}.{{ service_domain }}'
    ipaadmin_principal: '{{ ipaadmin_principal }}'
    ipaadmin_password: '{{ ipaadmin_password }}'

# here goes some private key and CSR, omitted for brevity; it outputs task_csr used below

- name: Sign certificate
  become: true
  freeipa.ansible_freeipa.ipacert:
    state: requested
    csr: '{{ task_csr.csr }}'
    principal: 'HTTP/{{ service_cname }}.{{ service_domain }}'
    certificate_out: '/etc/pki/service/{{ service_cname }}.{{ service_domain }}.crt'
    ipaadmin_principal: '{{ ipaadmin_principal }}'
    ipaadmin_password: '{{ ipaadmin_password }}'

Using this, the 2nd task (ipaservice) fails with this error:

fatal: [myhost]: FAILED => changed=false
  msg: 'service_add_principal: HTTP/mycname.mydomain: This entry already exists'

If I check IdM, the service was created correctly.
If I start fresh (delete the host, service etc. from IdM manually) and omit the 2nd task, the 3rd task (signing the certificate) fails because the service principal doesn't exist.

The service is made correctly, but the task fails by its own creation (e.g. it creates the service first, then checks if it already exists, then fails because it already exists). There's some major idempotency and/or order-of-execution issues here.

Using version 1.13.2 of the collection against IdM on RHEL9.

@t-woerner t-woerner added the bug label Oct 4, 2024
@t-woerner (Member)

This is a bug. Currently CNAMEs are not used for the verification if an entry already exists.
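The maintainer's comment above locates the problem in the existence check, which does not take CNAMEs into account. The following is an added example, not code from ansible-freeipa or FreeIPA: it models the check-before-add pattern with a constructed in-memory stand-in (FakeIdm, CNAME_RECORDS and every function name here are assumptions made for the illustration) and contrasts a lookup on the literal principal name, which retries the add and trips the "already exists" error on a second run, with one that canonicalises the principal's host through its CNAME first and so stays idempotent.

```python
"""Added illustration for this issue; it is not ansible-freeipa or FreeIPA
code.  It models the difference between an existence check that ignores
CNAMEs and one that canonicalises the principal's host first.  FakeIdm is a
constructed stand-in for the IdM API and CNAME_RECORDS is constructed DNS
data; both are assumptions made for the example."""
from __future__ import annotations


# Constructed DNS data: alias -> canonical name.  Chains are allowed.
CNAME_RECORDS: dict[str, str] = {
    "mycname.mydomain": "myhost.mydomain",
}


class EntryAlreadyExists(Exception):
    """Stands in for IdM's 'This entry already exists' failure."""


def canonical_host(host: str, cnames: dict[str, str]) -> str:
    """Follow CNAME records to the canonical FQDN, refusing to loop forever."""
    seen: set[str] = set()
    while host in cnames:
        if host in seen:
            raise ValueError(f"CNAME loop involving {host}")
        seen.add(host)
        host = cnames[host]
    return host


def canonical_principal(principal: str, cnames: dict[str, str]) -> str:
    """'HTTP/mycname.mydomain' -> 'HTTP/myhost.mydomain'."""
    service, sep, host = principal.partition("/")
    if not sep or not service or not host:
        raise ValueError(f"malformed service principal: {principal!r}")
    return f"{service}/{canonical_host(host, cnames)}"


class FakeIdm:
    """Constructed model of a directory that keeps one entry per canonical
    service principal (with the requested name recorded as an alias) and
    rejects a second add of the same entry."""

    def __init__(self, cnames: dict[str, str]) -> None:
        self.cnames = cnames
        self.services: dict[str, set[str]] = {}  # canonical -> aliases

    def service_add(self, principal: str) -> None:
        key = canonical_principal(principal, self.cnames)
        if key in self.services:
            raise EntryAlreadyExists(
                f"service_add: {principal}: This entry already exists"
            )
        self.services[key] = {key, principal}


def ensure_service_naive(idm: FakeIdm, principal: str) -> bool:
    """Non-idempotent: the check looks only for the literal principal name,
    so a service reached through a CNAME is never recognised as existing and
    the add is retried, which the directory rejects."""
    if principal in idm.services:
        return False
    idm.service_add(principal)
    return True


def ensure_service(idm: FakeIdm, principal: str) -> bool:
    """Idempotent: canonicalise first, then add only if the entry is missing.
    Returns True when a change was made, False when nothing had to be done."""
    key = canonical_principal(principal, idm.cnames)
    if key in idm.services:
        return False
    idm.service_add(principal)
    return True


if __name__ == "__main__":
    cname_principal = "HTTP/mycname.mydomain"

    naive = FakeIdm(CNAME_RECORDS)
    ensure_service_naive(naive, cname_principal)
    try:
        ensure_service_naive(naive, cname_principal)
    except EntryAlreadyExists as exc:
        print("naive second run:", exc)

    good = FakeIdm(CNAME_RECORDS)
    print("first run changed:", ensure_service(good, cname_principal))
    print("second run changed:", ensure_service(good, cname_principal))
    print("canonical name changed:", ensure_service(good, "HTTP/myhost.mydomain"))
```

The lookup key is the canonical principal, so asking for the service under either the CNAME or the real hostname reports "nothing to do" once it exists; only that second property makes a module safe to re-run against a host that is already managed.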
