ansible-collections / ansible-consul

:satellite: Ansible role for Hashicorp Consul clusters

Home Page:https://galaxy.ansible.com/ansible-community/consul/

ACL Master Token not generated automatically

guillaumesmo opened this issue · comments

SUMMARY

When provisioning a multi-server cluster with a bootstrap server and one or more servers, the ACL master token is not generated automatically

ISSUE TYPE
  • Bug Report
COMPONENT NAME

?

ANSIBLE VERSION
ansible [core 2.16.1]
  config file = None
  configured module search path = ['/Users/guillaumesmo/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /opt/homebrew/Cellar/ansible/9.1.0/libexec/lib/python3.12/site-packages/ansible
  ansible collection location = /Users/guillaumesmo/.ansible/collections:/usr/share/ansible/collections
  executable location = /opt/homebrew/bin/ansible
  python version = 3.12.1 (main, Dec  7 2023, 20:45:44) [Clang 15.0.0 (clang-1500.0.40.1)] (/opt/homebrew/Cellar/ansible/9.1.0/libexec/bin/python)
  jinja version = 3.1.2
  libyaml = True
COLLECTION VERSION
?
CONFIGURATION
CONFIG_FILE() = None
OS / ENVIRONMENT

Mac OS X Sonoma 14.0
Apple M2 Pro

STEPS TO REPRODUCE

Create a 3-server inventory as below:

[consul_instances]
consul1 consul_node_role=bootstrap
consul2 consul_node_role=server
consul3 consul_node_role=client

---
- hosts: consul_instances
  become: true
  roles:
    - role: consul
      vars:
        consul_acl_master_token_display: true
        consul_acl_enable: true
        consul_acl_default_policy: deny
        consul_acl_token_persistence: true
        consul_version: 1.18.0
EXPECTED RESULTS

3 servers provisioned, ACL token displayed in the output and usable in the Consul UI

ACTUAL RESULTS

The "Generate ACL master token" task is configured with run_once: true; however, it is run once on the bootstrap server. Since the task has the consul_node_role == 'server' condition, it is always skipped.
Since the token is not generated, it cannot be saved on the other servers, and the task fails with an error.

TASK [consul : Generate ACL master token] **************************************
task path: .../roles/consul/tasks/acl.yml:35
skipping: [consul1] => {"changed": false, "false_condition": "consul_node_role == 'server'", "skip_reason": "Conditional result was False"}

TASK [consul : Save ACL master token] ******************************************
task path: .../roles/consul/tasks/acl.yml:40
skipping: [consul1] => {"changed": false, "false_condition": "consul_node_role == 'server'", "skip_reason": "Conditional result was False"}
fatal: [consul2]: FAILED! => {"msg": "The task includes an option with an undefined variable. The error was: 'dict object' has no attribute 'stdout'. 'dict object' has no attribute 'stdout'\n\nThe error appears to be in '.../roles/consul/tasks/acl.yml': line 40, column 7, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n    - name: Save ACL master token\n      ^ here\n"}
skipping: [consul3] => {"changed": false, "false_condition": "consul_node_role == 'server'", "skip_reason": "Conditional result was False"}

TASK [consul : Display ACL Master Token] ***************************************
task path: .../roles/consul/tasks/acl.yml:49
skipping: [consul1] => {"false_condition": "consul_node_role == 'server'"}

TASK [consul : Read ACL master token from previously boostrapped server] *******
task path: .../roles/consul/tasks/acl.yml:59
skipping: [consul1] => {"censored": "the output has been hidden due to the fact that 'no_log: true' was specified for this result", "changed": false}

TASK [consul : Save acl_replication_token from existing configuration] *********
task path: .../roles/consul/tasks/acl.yml:66
skipping: [consul1] => {"censored": "the output has been hidden due to the fact that 'no_log: true' was specified for this result", "changed": false}
skipping: [consul3] => {"censored": "the output has been hidden due to the fact that 'no_log: true' was specified for this result", "changed": false}

Please note I removed a few "no_log" attributes in acl.yml to have plain error messages.

I was able to provision the cluster successfully by replacing all the consul_node_role == 'server' conditions in acl.yml with consul_node_role == 'server' or consul_node_role == 'bootstrap'.
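The interaction the report describes, and one way to resolve it, as an added example. This is not the role's own acl.yml and not the reporter's patch; it is a stand-alone playbook written to illustrate the point. Host names and consul_node_role values are taken from the inventory above. The consul_bootstrap_host variable, the use of `consul acl bootstrap -format=json` as the token source, its JSON SecretID field, and the "ACL bootstrap no longer allowed" error text used for the idempotency guard are assumptions of this example, not facts from the issue.

```yaml
# Added example (not the ansible-community/consul role's acl.yml).
# Assumptions: every host in consul_instances defines consul_node_role
# (bootstrap/server/client) as in the inventory above, the consul binary is
# on PATH on the bootstrap host, and `consul acl bootstrap -format=json`
# prints a JSON object whose SecretID is the master (initial management) token.
- hosts: consul_instances
  become: true
  vars:
    # Select the bootstrap host by its role instead of relying on play order.
    consul_bootstrap_host: >-
      {{ groups['consul_instances']
         | map('extract', hostvars)
         | selectattr('consul_node_role', 'equalto', 'bootstrap')
         | map(attribute='inventory_hostname')
         | first }}
  tasks:
    # Broken pattern (mirrors the failure in the report): with run_once, the
    # 'when' is evaluated against the FIRST host in the batch only. That host
    # is consul1, whose role is 'bootstrap', so the condition is false, the task
    # is skipped, and the registered result (propagated to every host) carries
    # no .stdout, which is what the "Save ACL master token" task then trips over.
    - name: Generate ACL master token (broken, skipped because consul1 is first)
      ansible.builtin.command: consul acl bootstrap -format=json
      register: consul_acl_bootstrap_broken
      run_once: true
      when: consul_node_role == 'server'

    # Fixed pattern: run once, delegated to the host chosen by role, and base
    # the condition on that host's role rather than on the first host's.
    # failed_when treats "already bootstrapped" as success so re-runs stay
    # idempotent (assumed error text; adjust to the Consul version in use).
    - name: Generate ACL master token on the bootstrap host
      ansible.builtin.command: consul acl bootstrap -format=json
      register: consul_acl_bootstrap
      run_once: true
      delegate_to: "{{ consul_bootstrap_host }}"
      when: hostvars[consul_bootstrap_host].consul_node_role in ['bootstrap', 'server']
      changed_when: consul_acl_bootstrap.rc == 0
      failed_when:
        - consul_acl_bootstrap.rc != 0
        - "'ACL bootstrap no longer allowed' not in consul_acl_bootstrap.stderr"
      no_log: true

    # A registered variable from a run_once task is visible on all hosts in the
    # play, and set_fact under run_once sets the fact on all hosts too, so
    # consul2 and consul3 receive the same token value. The 'is not skipped'
    # guard avoids dereferencing .stdout on a skipped result.
    - name: Save ACL master token as a fact on every host
      ansible.builtin.set_fact:
        consul_acl_master_token: "{{ (consul_acl_bootstrap.stdout | from_json).SecretID }}"
      run_once: true
      when:
        - consul_acl_bootstrap is not skipped
        - consul_acl_bootstrap.rc == 0
      no_log: true

    # Only print the secret when explicitly asked, and only once.
    - name: Display ACL master token
      ansible.builtin.debug:
        msg: "ACL master token: {{ consul_acl_master_token }}"
      run_once: true
      when:
        - consul_acl_master_token_display | default(false) | bool
        - consul_acl_master_token is defined
```

Run it with the inventory from the report (`ansible-playbook -i inventory acl-example.yml -e consul_acl_master_token_display=true`). The first task is left in deliberately to show the skip; remove it in real use. The security-relevant detail is the combination of `no_log: true` on every task that touches the token and the `is not skipped` guard, so that a skipped bootstrap neither leaks a token in output nor aborts the play with an undefined-variable error on the other servers.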