Unverified Commit a13d6e7f authored by micah's avatar micah :speech_balloon:

re-order roles to account for potential ordering failures

parent 9191c53d
......@@ -9,12 +9,6 @@
ca: "{{ credentials_dir }}/common/api_ca.crt"
ca_key: "{{ credentials_dir }}/common/api_ca.key"
- name: Restart openvpn because gateway certificate has changed
systemd:
name: docker-openvpn-openvpn.service
state: restarted
when: sspki_sign.changed
- name: Add the docker-openvpn user to the openvpn-sspki group
user:
name: docker-openvpn
......@@ -46,8 +40,14 @@
- name: Install client certificate generating and API endpoint CA bundle
copy:
content: "{{ lookup('file', '{{ credentials_dir }}/common/api_ca.crt') }}\n{{ lookup('file', '{{ credentials_dir }}/common/client_ca.crt') }}\n"
content: "{{ lookup('file', '{{ credentials_dir }}/common/old_client_ca.crt') }}\n{{lookup('file', '{{ credentials_dir }}/common/api_ca.crt') }}\n{{ lookup('file', '{{ credentials_dir }}/common/client_ca.crt') }}\n"
  • Owner

    @micah why did you add the old_client_ca.crt file here? I don't see it generated anywhere/existing in the init-credentials playbook? https://0xacab.org/leap/container-platform/lilypad/-/blob/main/playbooks/init-credentials.yml

  • Author Owner

    @maxb indeed, this was added for transition from the old platform to the new one, it would not be generated, but rather copied in to the location by hand. Does this fail if the file doesn't exist? If so, then we would need to make a more robust test here.

    edit: i see that you added that in !65 (merged) great!

    Edited by micah
  • Owner

    Thanks!!

dest: /etc/leap/ca/leap_ca_bundle.crt
mode: 0444
notify:
- "restart docker-openvpn-openvpn"
- name: Restart openvpn because gateway certificate has changed
systemd:
name: docker-openvpn-openvpn.service
state: restarted
when: sspki_sign.changed
- import_tasks: "secondary_gateway.yml"
- import_tasks: "credentials.yml"
- import_tasks: "openvpn.yml"
- import_tasks: "shapeshifter.yml"
- import_tasks: "openvpn.yml"
- import_tasks: "credentials.yml"
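Review bot: With the immediate restart task now placed below the CA-bundle copy, a re-signed gateway certificate restarts `docker-openvpn-openvpn.service` twice in one run — once inline through the `systemd` task guarded by `sspki_sign.changed`, and again when the `notify` on the copy task flushes handlers — while a change to the bundle alone (for example the newly added `old_client_ca.crt`) still only takes effect at the end of the play, after `openvpn.yml` has already been imported. Replacing the explicit `systemd` task with `- meta: flush_handlers` (and, if the signing task does not already carry `notify: "restart docker-openvpn-openvpn"`, adding that to it) gives a single restart that fires before the following imports on either change. The `lookup('file', '{{ credentials_dir }}/...')` calls nest Jinja delimiters inside an expression; `lookup('file', credentials_dir ~ '/common/api_ca.crt')` is the supported form, and `mode: 0444` should be quoted as `mode: "0444"` so YAML does not parse it as an integer. Since `old_client_ca.crt` extends client trust to certificates issued by the previous platform's CA, a comment such as `# transition only: drop old_client_ca.crt once all clients have re-enrolled` would record when that trust anchor is meant to go away.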
......@@ -12,5 +12,3 @@
ca_public_crt: "{{ credentials_dir }}/common/api_ca.crt"
run_once: true
register: simplevpn_result
notify:
- "restart docker-vpnweb-vpnweb"
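Review bot: Dropping the `notify` leaves no visible trigger that restarts `docker-vpnweb-vpnweb` when the task registering `simplevpn_result` reports a change, so a renewed `api_ca.crt` may not be picked up by vpnweb until someone restarts it by hand. If the restart is now driven from another task or role after the reorder, a comment on this task naming it (`# restart of docker-vpnweb-vpnweb is handled in <role/task>`) would make that dependency visible; otherwise the `notify` looks like it should stay. The task's opening lines are outside the hunk.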
upstream be_vpnweb {
{% for host in groups['vpnweb']|sort %}
server {{ host }}.vpnweb.{{ domain }}:{{ services['vpnweb'].public_endpoints[0].port }};
{% endfor %}
server vpnweb.{{ domain }}:{{ services['vpnweb'].public_endpoints[0].port }};
}
server {