ansible-collections / netapp.ontap

Ansible collection to support NetApp ONTAP configuration.
https://galaxy.ansible.com/netapp/ontap
GNU General Public License v3.0

netapp.ontap.na_ontap_security_certificates not idempotent #127

Closed fdalrymple-hp closed 1 year ago

fdalrymple-hp commented 1 year ago

Summary

Module works to initially install server_ca and server certificates. When running again I get an error indicating the certificate is a duplicate.

Component Name

na_ontap_security_certificates

Ansible Version

ansible 2.10.8
  config file = None
  configured module search path = ['~/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3/dist-packages/ansible
  executable location = /usr/bin/ansible

ONTAP Collection Version

$ ansible-galaxy collection list | grep netapp
netapp.aws                20.9.0
netapp.elementsw          20.11.0
netapp.ontap              22.0.1
netapp_eseries.santricity 1.1.0
netapp.ontap     22.0.1

ONTAP Version

::> version
NetApp Release 9.10.1P6: Fri Jul 01 12:06:33 UTC 2022

Playbook

---
- hosts: all
  vars:
    certs:
    - name: cert1
      data: |
        -----BEGIN CERTIFICATE-----
        MIIFCTCCAvGgAwIBAgIQNxiPHXbCEJxEGY17/71ixDANBgkqhkiG9w0BAQsFADAW
        ...
        XrJkw/wRgN8JdMN6tTfmVYROtO07pV9cA5in2A2SYFNRRht+rf8oaDmnDcGO
        -----END CERTIFICATE-----
  tasks:
  - name: Install interception certificates - cluster
    netapp.ontap.na_ontap_security_certificates:
      common_name: "COMPANYCA"
      hostname: "{{ cluster_name }}"
      https: yes
      name: "{{ item.name }}"
      username: "admin"
      password: "{{ admin_pw }}"
      validate_certs: "no"
      svm: "{{ cluster_name }}"
      type: "server_ca"
      public_certificate: "{{ item.data }}"
    loop: "{{ certs }}"
    delegate_to: localhost
    tags:
    - certificates

Steps to Reproduce

Fill out the below playbook with valid cert data and run against NetApp filer. First run will install the certificate as expected. Second run will error on the task.

---
- hosts: all
  vars:
    certs:
    - name: cert1
      data: |
        -----BEGIN CERTIFICATE-----
        MIIFCTCCAvGgAwIBAgIQNxiPHXbCEJxEGY17/71ixDANBgkqhkiG9w0BAQsFADAW
        ...
        XrJkw/wRgN8JdMN6tTfmVYROtO07pV9cA5in2A2SYFNRRht+rf8oaDmnDcGO
        -----END CERTIFICATE-----
  tasks:
  - name: Install interception certificates - cluster
    netapp.ontap.na_ontap_security_certificates:
      common_name: "COMPANYCA"
      hostname: "{{ cluster_name }}"
      https: yes
      name: "{{ item.name }}"
      username: "admin"
      password: "{{ admin_pw }}"
      validate_certs: "no"
      svm: "{{ cluster_name }}"
      type: "server_ca"
      public_certificate: "{{ item.data }}"
    loop: "{{ certs }}"
    delegate_to: localhost
    tags:
    - certificates

Expected Results

I expect idempotency: the task should identify that the certificate is already installed with the static CN, name and PEM payload, and I should get an "OK" result at the end of the playbook.

Actual Results

failed: [clu1] (item={'name': 'cert1', 'data': '-----BEGIN CERTIFICATE-----\nMIIFCTCCAvGgAwIBAgIQNxiPHXbCEJxEGY17/71ixDANBgkqhkiG9w0BAQsFADAW\n...\nXrJkw/wRgN8JdMN6tTfmVYROtO07pV9cA5in2A2SYFNRRht+rf8oaDmnDcGO\n-----END CERTIFICATE-----\n'}) => {"ansible_loop_var": "item", "changed": false, "item": {"data": "-----BEGIN CERTIFICATE-----\nMIIFCTCCAvGgAwIBAgIQNxiPHXbCEJxEGY17/71ixDANBgkqhkiG9w0BAQsFADAW\n...\nXrJkw/wRgN8JdMN6tTfmVYROtO07pV9cA5in2A2SYFNRRht+rf8oaDmnDcGO\n-----END CERTIFICATE-----\n", "name": "cert1"}, "msg": "Error creating or installing certificate: {'message': 'duplicate entry.  Same certificate may already exist under a different name.', 'code': '1', 'target': 'uuid'}"}
lonico commented 1 year ago

The issue is because of

svm: "{{ cluster_name }}"

For a cluster-scoped certificate, we are expecting svm: to be absent or to be set to null, as in

svm:

I'm a little surprised ONTAP did not report an error the first time and correctly installed the certificate. On my system, with a more recent version of ONTAP, the first run fails with

"Error creating or installing certificate: {'message': 'invalid operation', 'code': '3'}"

But even if ONTAP installs it successfully, it fails to query the certificate when using the cluster vserver name, hence what appears as an idempotency issue.

Anyway, we should detect that svm is set to the cluster name, and either ignore it or report a better error.

Work-around

Remove svm: or set it to null

Long term fix

Detect a cluster name in svm
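
The lookup logic lonico describes, as an added example that is not code from the netapp.ontap collection or from either commenter: it treats an absent, empty, or cluster-name `svm` as cluster scope when building the query for `GET /api/security/certificates` (the field names `name`, `type`, `scope` and `svm.name` are assumed to follow the ONTAP REST API), and it matches an existing certificate by the DER content of its PEM rather than by its name, which is what ONTAP's "duplicate entry. Same certificate may already exist under a different name." error is pointing at. The helper names (`certificate_query`, `find_existing`, `plan`), the sample record name and the PEM payload are all constructed for this example; the PEM is not a real certificate.

```python
# Added example (not code from the netapp.ontap collection): how a module could
# look up a certificate so that a repeat run is idempotent, covering the two
# pitfalls in this thread: `svm:` set to the cluster name, and a certificate
# that already exists under a different name.
import base64
import hashlib
import re
from typing import Optional

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def pem_fingerprint(pem: str) -> str:
    """SHA-256 over the DER bytes inside a PEM block.

    Hashing the decoded bytes rather than the text makes the comparison
    insensitive to line wrapping, trailing newlines and CRLF differences,
    which matters when comparing a playbook variable with what ONTAP returns.
    """
    match = _PEM_RE.search(pem)
    if not match:
        raise ValueError("no CERTIFICATE block found")
    der = base64.b64decode("".join(match.group(1).split()), validate=True)
    return hashlib.sha256(der).hexdigest()


def certificate_query(name: str, cert_type: str, cluster_name: str,
                      svm: Optional[str] = None) -> dict:
    """Query parameters for GET /api/security/certificates.

    Assumption: the field names (name, type, scope, svm.name) follow the
    ONTAP REST API. A missing/empty svm, or an svm equal to the cluster
    name, is treated as cluster scope; a real module could instead report
    the cluster-name case as a clearer error, as suggested in the thread.
    """
    params = {
        "name": name,
        "type": cert_type,
        "fields": "name,common_name,type,scope,svm.name,public_certificate",
    }
    if not svm or svm == cluster_name:
        params["scope"] = "cluster"
    else:
        params["scope"] = "svm"
        params["svm.name"] = svm
    return params


def find_existing(records: list, wanted_pem: str) -> Optional[dict]:
    """Return the record whose public_certificate matches wanted_pem by content.

    Matching on content rather than on `name` turns ONTAP's "duplicate entry"
    response into a clean 'ok' instead of a task failure.
    """
    wanted = pem_fingerprint(wanted_pem)
    for rec in records:
        try:
            if pem_fingerprint(rec.get("public_certificate", "")) == wanted:
                return rec
        except ValueError:
            continue
    return None


# Constructed sample: arbitrary bytes wrapped as PEM, NOT a real X.509 certificate.
_SAMPLE_DER = b"constructed sample, not a real X.509 certificate" * 3
_B64 = base64.b64encode(_SAMPLE_DER).decode()
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\n" + "\n".join(
    _B64[i:i + 64] for i in range(0, len(_B64), 64)
) + "\n-----END CERTIFICATE-----\n"
# The same payload as ONTAP might hand it back: one line, CRLF, no trailing newline.
SAMPLE_PEM_ONTAP = "-----BEGIN CERTIFICATE-----\r\n" + _B64 + "\r\n-----END CERTIFICATE-----"
# Constructed record: the certificate already installed under a different name.
SAMPLE_RECORDS = [
    {"name": "COMPANYCA_1A2B", "type": "server_ca", "scope": "cluster",
     "public_certificate": SAMPLE_PEM_ONTAP},
]


def plan(name: str, cert_type: str, cluster_name: str, svm: Optional[str],
         pem: str, records: list) -> dict:
    """Decide whether an install is needed, the way an idempotent task would."""
    query = certificate_query(name, cert_type, cluster_name, svm)
    existing = find_existing(records, pem)
    return {
        "query": query,
        "changed": existing is None,
        "existing_name": existing["name"] if existing else None,
    }


if __name__ == "__main__":
    # The thread's failing input: svm set to the cluster name, cert already present.
    print(plan("cert1", "server_ca", "clu1", "clu1", SAMPLE_PEM, SAMPLE_RECORDS))
```

With `svm` equal to the cluster name the query is built with `scope=cluster` and no `svm.name`, so the existing certificate is found and `changed` comes back false; the same input with `svm: vs1` is routed to SVM scope. Comparing DER fingerprints also means a playbook that re-wraps or re-indents the PEM still matches what ONTAP stores.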

fdalrymple-hp commented 1 year ago

That was it. Simply by deleting that line, my problem immediately went away and it recognized the previously installed certificates. Thank you.