From c56e1a98134badfd403790be034e249fa4288aeb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alexander=20K=C3=A4b?= <alexander.kaeb@h-da.de>
Date: Mon, 27 Mar 2023 17:43:16 +0200
Subject: [PATCH] fix: Fix conditionals for task file includes

---
 defaults/main.yml |  1 +
 tasks/main.yml    | 68 ++++++++++++++++++++++++++++++++---------------
 tasks/sidecar.yml |  1 +
 3 files changed, 49 insertions(+), 21 deletions(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index 3910655..465dc33 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -16,6 +16,7 @@ generate_node_certs: true
 gl_sidecar_ca_path: "/etc/graylog/sidecar"
 sidecar_cert_dir: "/etc/graylog/sidecar"
 cert_valid_days: 1095
+gl_node_ca_path: {{ gl_sidecar_ca_path }}
 
 # Cert SAN settings
 node_cert_sans: "{{ lookup('template', 'node-cert-sans.j2') | replace('\n', '') | split(',') | map('trim') | list }}"
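Review bot: The added default `gl_node_ca_path: {{ gl_sidecar_ca_path }}` is read by the YAML parser before Jinja sees it, and a plain scalar beginning with `{` is a flow mapping, so loading defaults/main.yml will fail (a mapping ends up as a key) instead of yielding the intended string. It needs quoting like the other templated default in this hunk: `gl_node_ca_path: "{{ gl_sidecar_ca_path }}"`. Quoting also keeps the value a string under every loader, which matters for a path that presumably points at CA material.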
diff --git a/tasks/main.yml b/tasks/main.yml
index a372e10..3086528 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -12,19 +12,19 @@
       ansible.builtin.fail:
         msg: "Please add a host group 'sidecar-ca' with the host(s) storing the CA file first"
       run_once: true
-      when: "not (groups['sidecar-ca'] is defined)"
+      when: "not ('sidecar-ca' in groups)"
 
     - name: Fail if 'graylog-nodes' host group is missing # noqa: run_once[task]
       ansible.builtin.fail:
         msg: "Please add a host group 'graylog-nodes' with the host(s) storing the log node CA file first"
       run_once: true
-      when: "not (groups['graylog-nodes'] is defined)"
+      when: "not ('graylog-nodes' in groups)"
 
 - name: Fail if 'ca-store' host group is missing while using opetion 'use_central_ca_host' # noqa: run_once[task]
   ansible.builtin.fail:
     msg: "Please add a host group 'sidecar-ca' with the host(s) storing the CA file first"
   run_once: true
-  when: "(not (groups['ca-store'] is defined)) and use_central_ca_host"
+  when: "(not ('ca-store' in groups)) and use_central_ca_host"
 
 - name: Include tasks when not using single ca-host
   when: not use_central_ca_host
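Review bot: The rewritten guard `when: "(not ('ca-store' in groups)) and use_central_ca_host"` is correct, but the `msg` two lines above it still tells the operator to add a host group 'sidecar-ca', so the failure message names the wrong group; change it to `msg: "Please add a host group 'ca-store' with the host(s) storing the CA file first"`. The first two fail tasks in this hunk sit inside a block whose header and `when` are outside the hunk, so whether they also run in the central-CA case cannot be confirmed from here. Minor: the task name spells "option" as "opetion", and the block at the end of the hunk continues beyond it.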
@@ -45,24 +45,34 @@
 - name: Include tasks when using single ca-host
   when: use_central_ca_host
   block:
-    - name: Include sidecar tasks (when using a single ca store)
-      ansible.builtin.include_tasks: sidecar.yml
-      when: >
-        ((groups['sidecar-ca'] is defined) and (groups['graylog-nodes'] is defined) | ternary(
-          (inventory_hostname not in groups['sidecar-ca']) and
-          (inventory_hostname not in groups['graylog-nodes'])
-        , true)) and
-        (inventory_hostname not in groups['ca-store'])
+    - name: Include sidecar tasks (when using a single ca store and gl-groups defined)
+      when: (('sidecar-ca' in groups) and ('graylog-nodes' in groups))
+      block:
+        - name: Include sidecar tasks (when using a single ca store and gl-groups defined)
+          ansible.builtin.include_tasks: sidecar.yml
+          when: >
+            (inventory_hostname not in groups['sidecar-ca']) and
+            (inventory_hostname not in groups['graylog-nodes']) and
+            (inventory_hostname not in groups['ca-store'])
 
-    - name: Include filebeat tasks
-      ansible.builtin.include_tasks: filebeat.yml
-      when: >
-        install_filebeat and
-        ((groups['sidecar-ca'] is defined) and (groups['graylog-nodes'] is defined) | ternary(
-          (inventory_hostname not in groups['sidecar-ca']) and
-          (inventory_hostname not in groups['graylog-nodes'])
-        , true)) and
-        (inventory_hostname not in groups['ca-store'])
+        - name: Include filebeat tasks (when using a single ca store and gl-groups defined)
+          ansible.builtin.include_tasks: filebeat.yml
+          when: >
+            install_filebeat and
+            (inventory_hostname not in groups['sidecar-ca']) and
+            (inventory_hostname not in groups['graylog-nodes']) and
+            (inventory_hostname not in groups['ca-store'])
+
+    - name: Include sidecar tasks (when using a single ca store without gl-groups defined)
+      when: not (('sidecar-ca' in groups) and ('graylog-nodes' in groups))
+      block:
+        - name: Include sidecar tasks (when using a single ca store without gl-groups defined)
+          ansible.builtin.include_tasks: sidecar.yml
+          when: (inventory_hostname not in groups['ca-store'])
+
+        - name: Include filebeat tasks  (when using a single ca store without gl-groups defined)
+          ansible.builtin.include_tasks: filebeat.yml
+          when: (inventory_hostname not in groups['ca-store'])
 
 - name: Switch back to default policy
   ansible.builtin.command:
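Review bot: The "without gl-groups defined" filebeat include uses `when: (inventory_hostname not in groups['ca-store'])` and drops the `install_filebeat` guard that both the removed condition and the sibling "with gl-groups" include carry, so filebeat.yml is now included on every non-ca-store host whenever 'sidecar-ca' or 'graylog-nodes' is absent, even with `install_filebeat: false`; it should read `when: install_filebeat and (inventory_hostname not in groups['ca-store'])`. The two mutually exclusive blocks also duplicate each include; one include per file with `('sidecar-ca' not in groups or inventory_hostname not in groups['sidecar-ca'])` (and the same for 'graylog-nodes') would state the logic once and avoid the guard drifting between copies as it did here. There is a double space in the task name "Include filebeat tasks  (when ...".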
@@ -71,5 +81,21 @@
   become: true
 
 - name: Generate Node certificates
-  ansible.builtin.import_tasks: node-certs.yml
   when: generate_node_certs
+  block:
+    - name: Include cert tasks (with gl-groups defined)
+      when: (('sidecar-ca' in groups) and ('graylog-nodes' in groups))
+      block:
+        - name: Include Node Cert tasks (with gl-groups defined)
+          ansible.builtin.include_tasks: node-certs.yml
+          when: >
+            (inventory_hostname not in groups['sidecar-ca']) and
+            (inventory_hostname not in groups['graylog-nodes']) and
+            (inventory_hostname not in groups['ca-store'])
+
+    - name: Include cert tasks (without gl-groups defined)
+      when: not (('sidecar-ca' in groups) and ('graylog-nodes' in groups))
+      block:
+        - name: Include Node Cert tasks (without gl-groups defined)
+          ansible.builtin.include_tasks: node-certs.yml
+          when: (inventory_hostname not in groups['ca-store'])
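Review bot: Both new `when` expressions index `groups['ca-store']` unconditionally, yet this "Generate Node certificates" task is top-level and not gated on `use_central_ca_host`, and the fail-fast check for the 'ca-store' group earlier in the file only fires when `use_central_ca_host` is true; on an inventory without that group the conditional raises an undefined-attribute error instead of evaluating. Guard the lookup in both places, e.g. `when: ('ca-store' not in groups or inventory_hostname not in groups['ca-store'])`, or gate the whole block on `use_central_ca_host` if the CA-store host only exists in that mode. Switching from `import_tasks` to `include_tasks` also makes the include dynamic, so tags applied to the parent no longer reach the tasks in node-certs.yml automatically; that is worth a sentence in the commit message.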
diff --git a/tasks/sidecar.yml b/tasks/sidecar.yml
index fce15a4..b6d30ad 100644
--- a/tasks/sidecar.yml
+++ b/tasks/sidecar.yml
@@ -45,6 +45,7 @@
       ansible.builtin.yum:
         name: /tmp/graylog-sidecar.rpm
         state: present
+        disable_gpg_check: true # Github rpm is not signed, may replace true with actual check if signed or not
 
 - name: Run install command
   ansible.builtin.command:
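Review bot: `disable_gpg_check: true` removes the only integrity and origin check the yum module performs on /tmp/graylog-sidecar.rpm, and the trailing comment makes it a permanent setting rather than a stopgap. If the package really is unsigned, compensate by pinning the download to a known digest on the task that fetches the file (outside this hunk, presumably `get_url`), e.g. `checksum: "sha256:<expected-digest>"`, so a tampered or truncated artifact is refused before it is installed. Expose the switch as a role default such as `sidecar_disable_gpg_check: false` and reference it here as `disable_gpg_check: "{{ sidecar_disable_gpg_check }}"` so operators opt out of verification explicitly. Style: yamllint expects two spaces before the inline `#`, and the comment should state the condition for removing the override rather than "may replace".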
-- 
GitLab