debops / ansible-pki

Bootstrap and manage internal PKI, Certificate Authorities and OpenSSL/GnuTLS certificates
GNU General Public License v3.0

File download doesn't work for default realm for inventory groups #48

Closed carlalexander closed 8 years ago

carlalexander commented 8 years ago

I'm not sure if it's a configuration issue on my part or not. Let's say I have a webserver inventory group and I have this in my configuration file:

pki_inventory_groups: [ 'webserver' ]

If I put files in secret/pki/realms/by-group/webserver/domain/external, I'd expect them to be uploaded. They're not. I think it's because pki_group_realms is empty and doesn't have the pki_default_realms in it.

You can fix the issue if you do this:

pki_group_realms: '{{ pki_default_realms }}'

That said, I'm not sure that's the best solution. It should be handled by the task itself I think. What do you think?

drybjed commented 8 years ago

The pki_group_realms is the same as other pki_*_realms variables, so in this case it shouldn't matter if you have something in there. Actually, pki_default_realms and pki_group_realms are processed in the same tasks (example).

However, there's a different issue with debops.pki - in order to have global and group certificates not overwrite host certificates and create endless idempotency loops, the files from secret/pki/realms/by-group/ directories are not copied if something exists on the remote host. The easiest way to handle this is to delete the /etc/pki/realms/domain/ realm entirely and re-run the role. It should copy the files correctly, including the private key. Try it and let me know if it works.

carlalexander commented 8 years ago

I'll try this in a bit. That said, I'm not sure how it will work or why. If you look here, it only uses pki_group_realms. It doesn't process all of them like in your task.

drybjed commented 8 years ago

You're right. I suppose that the default realm needs to be present in the group realms as well. I have some other change in the role, so I'll look into it. Thanks for the heads up.
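The two behaviours discussed in this thread (the by-group copy step iterating only pki_group_realms, and by-group files never overwriting something already present on the host) can be modelled in a few lines. The Python below is an added illustration written for this page, not code from the debops.pki role; the directory layout, variable names and the 'webserver' / 'domain' values come from the comments above, while the function names, the one-element PKI_DEFAULT_REALMS list and the sample files are assumptions made for the example.

```python
"""Model of the debops.pki by-group certificate lookup, as discussed in issue #48.
Added example, not the role's own code. Assumptions: PKI_DEFAULT_REALMS is
just ['domain'], and the role's copy step only checks whether the destination
file already exists on the remote host."""
import os
import tempfile

# Values taken from the thread; the role's real defaults may differ (assumption).
PKI_DEFAULT_REALMS = ["domain"]
SECRET_BASE = "secret/pki/realms"  # inside the Ansible secret/ directory
REMOTE_BASE = "etc/pki/realms"     # /etc/pki/realms on the managed host


def group_realm_dirs(inventory_groups, group_realms, default_realms, merge_default=False):
    """Yield (realm, relative source dir) pairs the by-group copy step would consider.

    merge_default=False models the behaviour reported in the issue: only
    pki_group_realms is iterated, so an empty pki_group_realms means no
    by-group directory is ever looked at, even for the 'domain' default realm.
    merge_default=True models the agreed fix: default realms are included too.
    """
    realms = list(group_realms)
    if merge_default:
        realms = list(dict.fromkeys(list(default_realms) + realms))  # ordered union, no duplicates
    for group in inventory_groups:
        for realm in realms:
            yield realm, f"{SECRET_BASE}/by-group/{group}/{realm}/external"


def plan_copies(secret_root, remote_root, inventory_groups, group_realms,
                default_realms, merge_default=False):
    """Return (copied, skipped) destination paths relative to the host root.

    'skipped' models the guard drybjed describes: a by-group file is not copied
    when that file already exists on the remote host, so global/group material
    never overwrites per-host material and the role does not loop on idempotency.
    """
    copied, skipped = [], []
    for realm, rel_dir in group_realm_dirs(inventory_groups, group_realms,
                                           default_realms, merge_default):
        src_dir = os.path.join(secret_root, rel_dir)
        if not os.path.isdir(src_dir):
            continue
        for name in sorted(os.listdir(src_dir)):
            dest = os.path.join(remote_root, REMOTE_BASE, realm, "external", name)
            (skipped if os.path.exists(dest) else copied).append(
                os.path.relpath(dest, remote_root))
    return copied, skipped


def _touch(path):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    open(path, "w").close()


def demo():
    """Constructed scenario from the issue: a 'webserver' group with a certificate and
    key under by-group/webserver/domain/external, and a host that already has the cert."""
    with tempfile.TemporaryDirectory() as tmp:
        secret_root = os.path.join(tmp, "ansible")
        remote_root = os.path.join(tmp, "host")
        for name in ("cert.crt", "cert.key"):
            _touch(os.path.join(secret_root, SECRET_BASE,
                                "by-group/webserver/domain/external", name))
        _touch(os.path.join(remote_root, REMOTE_BASE, "domain/external/cert.crt"))

        groups = ["webserver"]   # pki_inventory_groups
        empty_group_realms = []  # pki_group_realms left at its empty default
        results = {
            # What carlalexander saw: nothing uploaded.
            "as_reported": plan_copies(secret_root, remote_root, groups,
                                       empty_group_realms, PKI_DEFAULT_REALMS),
            # The workaround: pki_group_realms: '{{ pki_default_realms }}'.
            "workaround": plan_copies(secret_root, remote_root, groups,
                                      PKI_DEFAULT_REALMS, PKI_DEFAULT_REALMS),
            # The fix: default realms merged into the by-group iteration.
            "fixed": plan_copies(secret_root, remote_root, groups,
                                 empty_group_realms, PKI_DEFAULT_REALMS, merge_default=True),
        }
        # drybjed's other advice: wipe the realm on the host and re-run the role.
        os.remove(os.path.join(remote_root, REMOTE_BASE, "domain/external/cert.crt"))
        results["fixed_after_wipe"] = plan_copies(secret_root, remote_root, groups,
                                                  empty_group_realms, PKI_DEFAULT_REALMS,
                                                  merge_default=True)
    return results


if __name__ == "__main__":
    for label, (copied, skipped) in demo().items():
        print(f"{label:17s} copied={copied} skipped={skipped}")
```

Running it shows the three states side by side: with an empty pki_group_realms nothing is considered at all, the workaround and the fix both pick up the key but leave the pre-existing cert.crt alone, and only after removing the realm on the host does the full set get copied, which is why "delete the realm and re-run" is the practical recovery step even once the realm list is fixed.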

carlalexander commented 8 years ago

No worries! I figured it was an oversight. :wink:

drybjed commented 8 years ago

This should be fixed in https://github.com/debops/ansible-pki/pull/57/commits/4785085c35107a1d87d760cddd64f3ca24db3147

carlalexander commented 8 years ago

This looks good!