fix: various fixes for add_pgnode playbook (#1202)

Author: pat-s

automation/roles/pgbackrest/tasks/ssh_keys.yml

@@ -73,54 +73,68 @@
   ansible.posix.authorized_key:
     user: postgres
     state: present
-    key: "{{ hostvars[item].pgbackrest_server_sshkey['content'] | b64decode }}"
+    key: "{{ hostvars[item].get('pgbackrest_server_sshkey', {}).get('content', '') | b64decode }}"
   loop: "{{ groups['pgbackrest'] | default([]) }}"
-  when: "'postgres_cluster' in group_names"
+  when:
+    - "'postgres_cluster' in group_names"
+    - hostvars[item].get('pgbackrest_server_sshkey') is not none
+    - hostvars[item].get('pgbackrest_server_sshkey', {}).get('content', '') | length > 0
 
 - name: ssh_keys | Add database ssh keys in "~{{ pgbackrest_repo_user }}/.ssh/authorized_keys" on pgbackrest server
   ansible.posix.authorized_key:
     user: "{{ pgbackrest_repo_user }}"
     state: present
-    key: "{{ hostvars[item].postgres_cluster_sshkey['content'] | b64decode }}"
+    key: "{{ hostvars[item].get('postgres_cluster_sshkey', {}).get('content', '') | b64decode }}"
   loop: "{{ groups['postgres_cluster'] }}"
-  when: "'pgbackrest' in group_names"
+  when:
+    - "'pgbackrest' in group_names"
+    - hostvars[item].get('postgres_cluster_sshkey') is not none
+    - hostvars[item].get('postgres_cluster_sshkey', {}).get('content', '') | length > 0
 
 # if 'backup-standby' are specified in pgbackrest_conf.global
 - name: ssh_keys | Add ssh keys in "~postgres/.ssh/authorized_keys" on database servers
   ansible.posix.authorized_key:
     user: postgres
     state: present
-    key: "{{ hostvars[item].postgres_cluster_sshkey['content'] | b64decode }}"
+    key: "{{ hostvars[item].get('postgres_cluster_sshkey', {}).get('content', '') | b64decode }}"
   loop: "{{ groups['postgres_cluster'] }}"
   when:
     - "'postgres_cluster' in group_names"
     - pgbackrest_conf.global | selectattr('option', 'equalto', 'backup-standby') | map(attribute='value') | list | last | default('') == 'y'
+    - hostvars[item].get('postgres_cluster_sshkey') is not none
+    - hostvars[item].get('postgres_cluster_sshkey', {}).get('content', '') | length > 0
 
-- name: known_hosts | Get public ssh keys of hosts (ssh-keyscan)
-  ansible.builtin.command: >
-    ssh-keyscan -trsa -p {{ hostvars[item].ansible_ssh_port | default(hostvars[item].ansible_port) | default(22) }} {{ hostvars[item]['bind_address'] }}
-  loop: "{{ groups['postgres_cluster'] }}"
+- name: known_hosts | Get public ssh host keys (ssh-keyscan)
+  ansible.builtin.command: ssh-keyscan -p {{ target_port }} {{ target_host }}
+  loop: "{{ (groups['postgres_cluster']) + (groups['pgbackrest'] | default([])) }}"
+  vars:
+    target_host: "{{ hostvars[item].get('bind_address') if (item in (groups['postgres_cluster'])) else pgbackrest_repo_host }}"
+    target_port: "{{ hostvars[item].get('ansible_ssh_port') or hostvars[item].get('ansible_port') or 22 }}"
   register: ssh_known_host_keyscan
   changed_when: false
 
-- name: known_hosts | add ssh public keys in "~postgres/.ssh/known_hosts" on database servers
+- name: known_hosts | Add ssh host keys in "~postgres/.ssh/known_hosts" on database servers
   become: true
   become_user: postgres
   ansible.builtin.known_hosts:
-    host: "{{ item.stdout.split(' ')[0] }}"
-    key: "{{ item.stdout }}"
+    host: "{{ item.stdout_lines | select('match', '^[^#].*') | first | split(' ') | first }}"
+    key: "{{ item.stdout_lines | select('match', '^[^#].*') | first }}"
     path: "~postgres/.ssh/known_hosts"
   no_log: true
   loop: "{{ ssh_known_host_keyscan.results }}"
-  when: "'postgres_cluster' in group_names"
+  when:
+    - "'postgres_cluster' in group_names"
+    - item.stdout_lines | select('match', '^[^#].*') | list | length > 0
 
-- name: known_hosts | add ssh public keys in "~{{ pgbackrest_repo_user }}/.ssh/known_hosts" on pgbackrest server
+- name: known_hosts | Add ssh host keys in "~{{ pgbackrest_repo_user }}/.ssh/known_hosts" on pgbackrest server
   become: true
   become_user: "{{ pgbackrest_repo_user }}"
   ansible.builtin.known_hosts:
-    host: "{{ item.stdout.split(' ')[0] }}"
-    key: "{{ item.stdout }}"
+    host: "{{ item.stdout_lines | select('match', '^[^#].*') | first | split(' ') | first }}"
+    key: "{{ item.stdout_lines | select('match', '^[^#].*') | first }}"
     path: "~{{ pgbackrest_repo_user }}/.ssh/known_hosts"
   no_log: true
   loop: "{{ ssh_known_host_keyscan.results }}"
-  when: "'pgbackrest' in group_names"
+  when:
+    - "'pgbackrest' in group_names"
+    - item.stdout_lines | select('match', '^[^#].*') | list | length > 0

automation/roles/pgbackrest/templates/pgbackrest.server.stanza.conf.j2

@@ -1,6 +1,6 @@
 [{{ pgbackrest_stanza }}]
 {% for host in groups['postgres_cluster'] %}
-pg{{ loop.index }}-host={{ host }}
+pg{{ loop.index }}-host={{ hostvars[host].bind_address }}
 pg{{ loop.index }}-port={{ postgresql_port }}
 pg{{ loop.index }}-socket-path={{ postgresql_unix_socket_dir }}
 pg{{ loop.index }}-path={{ postgresql_data_dir }}

automation/roles/tls_certificate/tasks/copy.yml

@@ -1,13 +1,14 @@
 ---
-- name: "Fetch TLS certificate, key and CA from {{ inventory_hostname }}"
+- name: "Fetch TLS certificate, key and CA from master node"
   ansible.builtin.slurp:
     src: "{{ fetch_tls_dir | default(tls_dir | default('/etc/tls')) }}/{{ item }}"
   register: tls_files_raw
   loop:
     - "{{ fetch_tls_privatekey | default(tls_privatekey | default('server.key')) }}"
     - "{{ fetch_tls_cert | default(tls_cert | default('server.crt')) }}"
     - "{{ fetch_tls_ca_cert | default(tls_ca_cert | default('ca.crt')) }}"
-  when: inventory_hostname == (groups[tls_group_name | default('master')][0])
+  delegate_to: "{{ groups[tls_group_name | default('master')][0] }}"
+  run_once: true
   tags: tls, tls_cert_copy
 
 - name: "Set variable: tls_files"
@@ -16,7 +17,7 @@
       server_key: "{{ tls_files_raw.results[0].content }}"
       server_crt: "{{ tls_files_raw.results[1].content }}"
       ca_crt: "{{ tls_files_raw.results[2].content }}"
-  when: inventory_hostname == (groups[tls_group_name | default('master')][0])
+  run_once: true
   tags: tls, tls_cert_copy
 
 - name: Create directory {{ copy_tls_dir | default(tls_dir | default('/etc/tls')) }}
@@ -30,7 +31,7 @@
 
 - name: Copy TLS certificate, key and CA to all nodes
   ansible.builtin.copy:
-    content: "{{ (hostvars[groups[tls_group_name | default('master')][0]].tls_files[item.key] | b64decode) }}"
+    content: "{{ (tls_files[item.key] | b64decode) }}"
     dest: "{{ copy_tls_dir | default(tls_dir | default('/etc/tls')) }}/{{ item.filename }}"
     owner: "{{ copy_tls_owner | default(tls_owner | default('postgres')) }}"
     group: "{{ copy_tls_owner | default(tls_owner | default('postgres')) }}"