Open gaudenz opened 6 years ago
Current `debops.pki` role is designed around Ansible inventory, specifically `all` host group, one custom group and specific hosts. My thinking at the time was this:
`force: False`). So, if a user has a global set of certificates, and for some reason he/she wanted a per-host override, that would be possible. But I suppose the extra granularity isn't really that useful. You can easily create multiple PKI realms which should help with separate certificates for a group of hosts. Perhaps the "group level" should be removed and leave only global (`all`) and per-host case, both with `force: True`. Although that might result in role overwriting the global certificates by per-host which are overwritten by global, etc. So an idempotency loop.

Any ideas how to solve this? I guess the per-host `force: True` could be conditional per PKI realm.

If an external certificate expires and gets renewed and replaced on the controller, the new certificate does not get copied to the host. This is because the relevant copy task has `force: False`. In the current role whether `force: False` is set on a copy task in the pki role is rather inconsistent. Or in other words it's not clear to me what the rules are. IMHO all these tasks should either use `force: True` or at least have this configurable. Would you accept a pull request for this?
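
The behaviour reported in this issue, modelled as an added example (not code from `debops.pki` or from anyone in the thread): with `force: False` a copy only happens when the destination is missing, so a certificate renewed on the controller never reaches the host, and a digest comparison exposes the stale copy. The function names, directory layout and certificate contents are constructed for illustration.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def copy_file(src: Path, dest: Path, force: bool) -> bool:
    """Model of Ansible copy semantics: with force=False the file is only
    transferred when the destination does not exist. Returns True if written."""
    if dest.exists():
        if not force or dest.read_bytes() == src.read_bytes():
            return False
    dest.parent.mkdir(parents=True, exist_ok=True)
    shutil.copyfile(src, dest)
    return True


def sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def stale_files(controller_dir: Path, host_dir: Path) -> list[str]:
    """Names of files whose host copy is missing or differs from the controller copy."""
    stale = []
    for src in sorted(controller_dir.iterdir()):
        dest = host_dir / src.name
        if not dest.exists() or sha256(dest) != sha256(src):
            stale.append(src.name)
    return stale


def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        controller, host = Path(tmp, "controller"), Path(tmp, "host")
        controller.mkdir()
        host.mkdir()
        cert = controller / "cert.pem"
        cert.write_text("CONSTRUCTED-CERT-v1\n")       # constructed sample, not a real certificate
        first = copy_file(cert, host / "cert.pem", force=False)
        cert.write_text("CONSTRUCTED-CERT-v2\n")       # renewal replaces the file on the controller
        second = copy_file(cert, host / "cert.pem", force=False)
        drift = stale_files(controller, host)          # host still holds v1
        forced = copy_file(cert, host / "cert.pem", force=True)
        return {"first": first, "second": second, "drift": drift,
                "forced": forced, "after": stale_files(controller, host)}


if __name__ == "__main__":
    print(demo())
```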