From 2066403ed1756e5765186f4e80e502628340d063 Mon Sep 17 00:00:00 2001
From: Clark Boylan
Date: Wed, 6 Nov 2024 08:29:42 -0800
Subject: [PATCH] Only update acme.sh if necessary

We install acme.sh into /opt on our servers. Some of our servers rely on /opt for data intensive activities and we can run out of disk space on /opt/. When our daily Ansible runs fire and hit servers in this situation we end up with corrupted acme.sh repos on those servers. Then acme.sh roles fail.

Avoid this problem by only updating the git repo for acme.sh if it isn't already up to date on the versions we expect. We can still fill the disk but this won't affect acme.sh only server operations that rely on /opt disk space.

This is an alternative to https://review.opendev.org/c/opendev/system-config/+/934247 which will try to force updates to occur regardless of git repo corruption.

Change-Id: Ib0ad55de833a2c2d9e8cacec0493b8422e486789
---
 .../tasks/main.yaml | 48 ++++++++++++-------
 1 file changed, 32 insertions(+), 16 deletions(-)

diff --git a/playbooks/roles/letsencrypt-acme-sh-install/tasks/main.yaml b/playbooks/roles/letsencrypt-acme-sh-install/tasks/main.yaml
index c441f8b629..7ea6aaa175 100644
--- a/playbooks/roles/letsencrypt-acme-sh-install/tasks/main.yaml
+++ b/playbooks/roles/letsencrypt-acme-sh-install/tasks/main.yaml
@@ -1,20 +1,33 @@
-- name: Install acme.sh client
-  git:
-    repo: https://github.com/acmesh-official/acme.sh
-    dest: /opt/acme.sh
-    # Pinned due to https://github.com/acmesh-official/acme.sh/issues/4416
-    version: 3.0.5
-  register: clone_acmesh_result
-  until: clone_acmesh_result is not failed
-  retries: 3
-  delay: 2
+- name: Check status of acme.sh script
+  stat:
+    path: /opt/acme.sh/acme.sh
+    get_checksum: true
+    checksum_algorithm: sha256
+  register: acme_sh_stat
 
-# Temporary https://github.com/acmesh-official/acme.sh/issues/4659 fix
-# until we can upgrade to 3.0.6 or later
-- name: Patch for issue 4659
-  shell: |
-    git -C /opt/acme.sh cherry-pick 4c30250
-    git -C /opt/acme.sh cherry-pick 327e2fb
+- name: Install acme.sh if not already up to date
+  when: not acme_sh_stat.stat.exists or acme_sh_stat.stat.checksum != "5c298a2bd5f90635aef8d013b02b25f34027ad0cb2cef2bdca68f3d13b931216"
+  block:
+    # We only want to update the clone and checkout if things are not already
+    # in place or at the expected versions. This avoids unnecessary daily
+    # git operations and makes us more resilient to full disks.
+    - name: Install acme.sh client
+      git:
+        repo: https://github.com/acmesh-official/acme.sh
+        dest: /opt/acme.sh
+        # Pinned due to https://github.com/acmesh-official/acme.sh/issues/4416
+        version: 3.0.5
+      register: clone_acmesh_result
+      until: clone_acmesh_result is not failed
+      retries: 3
+      delay: 2
+
+    # Temporary https://github.com/acmesh-official/acme.sh/issues/4659 fix
+    # until we can upgrade to 3.0.6 or later
+    - name: Patch for issue 4659
+      shell: |
+        git -C /opt/acme.sh cherry-pick 4c30250
+        git -C /opt/acme.sh cherry-pick 327e2fb
 
 - name: Install letsencrypt group
   group:
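Review bot: The sha256 in the new `when:` condition is an unexplained constant and is used only as a skip gate, never as a verification after the block runs, so if the `Patch for issue 4659` shell task fails partway (it has no `until`/`retries`, unlike the `git` task above it) the script on disk silently mismatches and the whole block is re-run on every daily pass. Add a comment above `when:` recording what the value covers, e.g. `# Expected sha256 of /opt/acme.sh/acme.sh after the tasks below (tag 3.0.5 plus the issue-4659 cherry-picks); recompute when either changes`, and consider a `stat` plus `assert` after the block so a mismatch fails the play rather than being retried indefinitely. `clone_acmesh_result` is now registered only when the block executes; any later task that reads it (not visible in this hunk) would need a default or a matching `when:`. The `when:` line is also well over 120 characters; a `>-` folded scalar would keep it readable without changing the expression.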
@@ -24,6 +37,9 @@
 
 - name: Install driver script
   copy:
+    # Because this is a fily copy and not git operations with multiple states
+    # Ansible should successfully determine that the file doesn't need to be
+    # copied after the initial copy unless the file changes.
     src: driver.sh
     dest: /opt/acme.sh/driver.sh
     mode: 0755
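Review bot: The added comment has a typo, `fily copy` should read `file copy`. The remainder is phrased as a hope ("should successfully determine") rather than a statement of why this task is left outside the checksum gate; `# Plain file copy: the copy module compares content and only rewrites driver.sh when src changes, so unlike the git tasks above it needs no guard.` says the same thing directly.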