From a5f6eb6ed494d6161d0c4b3a76c1f7311094c112 Mon Sep 17 00:00:00 2001
From: Vladimir Kozhukalov <kozhukalov@gmail.com>
Date: Fri, 19 Jul 2024 12:58:39 -0500
Subject: [PATCH] Update deploy-env role

When generating keys and sharing them between nodes
in a multinode env, it is important that the task which
generates the keys has finished before these keys are
used on another node.

The PR splits the Ansible block into two blocks and
makes sure the playbook deploy-env is run with the linear
strategy. Thus we can be sure that keys are first generated
on all affected nodes and only then are used to setup
tunnels and passwordless ssh.

Change-Id: I9985855d7909aa5365876a24e2a806ab6be1dd7c
---
 playbooks/deploy-env.yaml                     |  1 +
 .../deploy-env/tasks/client_cluster_ssh.yaml  | 44 ++++++++++---------
 .../tasks/client_cluster_tunnel.yaml          |  5 ++-
 3 files changed, 28 insertions(+), 22 deletions(-)

diff --git a/playbooks/deploy-env.yaml b/playbooks/deploy-env.yaml
index 3efab3564..dd26203b2 100644
--- a/playbooks/deploy-env.yaml
+++ b/playbooks/deploy-env.yaml
@@ -12,6 +12,7 @@
 
 ---
 - hosts: all
+  strategy: linear
   become: true
   gather_facts: true
   roles:
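Review bot: `strategy: linear` is already Ansible's default, so as far as I can tell the added line pins intent against an `ansible.cfg` or environment override rather than changing behavior in a default setup, and nothing on the line says why it matters here. A comment above it would keep a future cleanup from dropping it, e.g. `# linear (the default) is required: key-generation tasks in deploy-env must finish on every host before the tasks that read those keys via hostvars run`. The play's `roles:` list continues past the end of the hunk.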
diff --git a/roles/deploy-env/tasks/client_cluster_ssh.yaml b/roles/deploy-env/tasks/client_cluster_ssh.yaml
index 7bbf3ea85..7fcee1076 100644
--- a/roles/deploy-env/tasks/client_cluster_ssh.yaml
+++ b/roles/deploy-env/tasks/client_cluster_ssh.yaml
@@ -11,28 +11,28 @@
 # limitations under the License.
 
 ---
-- name: Setup passwordless ssh from primary and cluster nodes
+- name: Set client user home directory
+  set_fact:
+    client_user_home_directory: /home/{{ client_ssh_user }}
+  when: client_ssh_user != "root"
+
+- name: Set client user home directory
+  set_fact:
+    client_user_home_directory: /root
+  when: client_ssh_user == "root"
+
+- name: Set cluster user home directory
+  set_fact:
+    cluster_user_home_directory: /home/{{ cluster_ssh_user }}
+  when: cluster_ssh_user != "root"
+
+- name: Set cluster user home directory
+  set_fact:
+    cluster_user_home_directory: /root
+  when: cluster_ssh_user == "root"
+
+- name: Setup ssh keys
   block:
-    - name: Set client user home directory
-      set_fact:
-        client_user_home_directory: /home/{{ client_ssh_user }}
-      when: client_ssh_user != "root"
-
-    - name: Set client user home directory
-      set_fact:
-        client_user_home_directory: /root
-      when: client_ssh_user == "root"
-
-    - name: Set cluster user home directory
-      set_fact:
-        cluster_user_home_directory: /home/{{ cluster_ssh_user }}
-      when: cluster_ssh_user != "root"
-
-    - name: Set cluster user home directory
-      set_fact:
-        cluster_user_home_directory: /root
-      when: cluster_ssh_user == "root"
-
     - name: Generate ssh key pair
       shell: |
         ssh-keygen -t ed25519 -q -N "" -f {{ client_user_home_directory }}/.ssh/id_ed25519
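Review bot: The new top-level block `Setup ssh keys` is a deliberate ordering boundary, but nothing in the file records that, so a later tidy-up could merge it back into the `Setup passwordless ssh from primary and cluster nodes` block and silently reintroduce the race the commit message describes. Add above `- name: Setup ssh keys` a comment such as `# Kept separate from 'Setup passwordless ssh ...' on purpose: with the linear strategy every host must finish key generation before any host reads ssh_public_key from hostvars`; the same applies to the `Setup wireguard keys` / `Setup wireguard tunnel between primary and cluster control-plane node` split in client_cluster_tunnel.yaml. As a point of style, the four `Set ... home directory` tasks moved to top level reuse each task name twice, which hampers `--start-at-task` and task-name-based filtering; each pair collapses to a single fact, e.g. `client_user_home_directory: "{{ '/root' if client_ssh_user == 'root' else '/home/' ~ client_ssh_user }}"`. The `Generate ssh key pair` task continues past the end of the hunk.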
@@ -45,6 +45,8 @@
       register: ssh_public_key
       when: (inventory_hostname in (groups['primary'] | default([])))
 
+- name: Setup passwordless ssh from primary and cluster nodes
+  block:
     - name: Set primary ssh public key
       set_fact:
         client_ssh_public_key: "{{ (groups['primary'] | map('extract', hostvars, ['ssh_public_key', 'stdout']))[0] }}"
diff --git a/roles/deploy-env/tasks/client_cluster_tunnel.yaml b/roles/deploy-env/tasks/client_cluster_tunnel.yaml
index 8a39f4ab6..31d3118b3 100644
--- a/roles/deploy-env/tasks/client_cluster_tunnel.yaml
+++ b/roles/deploy-env/tasks/client_cluster_tunnel.yaml
@@ -19,7 +19,7 @@
   set_fact:
     client_default_ip: "{{ (groups['primary'] | map('extract', hostvars, ['ansible_default_ipv4', 'address']))[0] }}"
 
-- name: Setup wireguard tunnel between primary and cluster control-plane node
+- name: Setup wireguard keys
   when: (groups['primary'] | difference(groups['k8s_control_plane']) | length > 0)
   block:
     - name: Generate wireguard key pair
@@ -33,6 +33,9 @@
       register: wg_public_key
       when: (inventory_hostname in (groups['primary'] | default([]))) or (inventory_hostname in (groups['k8s_control_plane'] | default([])))
 
+- name: Setup wireguard tunnel between primary and cluster control-plane node
+  when: (groups['primary'] | difference(groups['k8s_control_plane']) | length > 0)
+  block:
     - name: Set primary wireguard public key
       set_fact:
         client_wg_public_key: "{{ (groups['primary'] | map('extract', hostvars, ['wg_public_key', 'stdout']))[0] }}"
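Review bot: The `when` copied onto the new `Setup wireguard tunnel between primary and cluster control-plane node` block looks up `groups['k8s_control_plane']` with no default, while the task-level condition two lines above guards the same group with `| default([])`; if an inventory lacks that group, the block-level condition would presumably fail on the undefined lookup before the task-level guard is ever evaluated. Make the block header consistent with the task it wraps: `when: (groups['primary'] | default([]) | difference(groups['k8s_control_plane'] | default([])) | length > 0)`, and apply the same change to the identical expression on the `Setup wireguard keys` block in the previous hunk. Since the expression now appears twice, a single fact set once (for example `wg_tunnel_needed`) and referenced from both blocks would keep the two conditions from drifting apart. The block body continues past the end of the hunk.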