fix: Set Patroni TLS vars only when HTTPS is enabled (#1286)

vitabaks · web-flow · commit 1351b5fd59de · 2025-10-01T23:12:46.000+07:00
diff --git a/automation/molecule/tests/patroni/patroni.yml b/automation/molecule/tests/patroni/patroni.yml
@@ -7,7 +7,7 @@
         | default('8008') }}/leader
     method: GET
     return_content: true
-    ca_path: "{{ patroni_restapi_cafile | default('/etc/tls/ca.crt') }}"
+    ca_path: "{{ patroni_restapi_cafile | default(omit, true) }}"
   register: patroni_response
   failed_when: "'running' not in patroni_response.json.state"
 
diff --git a/automation/playbooks/add_node.yml b/automation/playbooks/add_node.yml
@@ -329,7 +329,7 @@
       when: pg_probackup_install | default(false) | bool
 
     - role: vitabaks.autobase.pgbouncer
-      when: pgbouncer_install | default(false) | bool
+      when: pgbouncer_install | default(true) | bool
 
     - role: vitabaks.autobase.pgpass
 
diff --git a/automation/playbooks/config_pgcluster.yml b/automation/playbooks/config_pgcluster.yml
@@ -40,6 +40,11 @@
         name: vitabaks.autobase.bind_address
       tags: always
 
+    - name: Set default variables
+      ansible.builtin.import_role:
+        name: vitabaks.autobase.common
+      tags: always
+
     - name: "[Prepare] Set maintenance variable"
       ansible.builtin.set_fact:
         postgresql_cluster_maintenance: true
@@ -52,7 +57,7 @@
             | default(patroni_bind_address | default(bind_address, true), true) }}:{{ patroni_restapi_port
             | default('8008') }}/leader
         status_code: 200
-        ca_path: "{{ patroni_restapi_cafile | default('/etc/tls/ca.crt') }}"
+        ca_path: "{{ patroni_restapi_cafile | default(omit, true) }}"
       register: patroni_leader_result
       changed_when: false
       failed_when: false
diff --git a/automation/playbooks/deploy_pgcluster.yml b/automation/playbooks/deploy_pgcluster.yml
@@ -314,7 +314,7 @@
     - role: vitabaks.autobase.cron
 
     - role: vitabaks.autobase.pgbouncer
-      when: pgbouncer_install | default(false) | bool
+      when: pgbouncer_install | default(true) | bool
 
     - role: vitabaks.autobase.pgpass
 
diff --git a/automation/playbooks/pg_upgrade.yml b/automation/playbooks/pg_upgrade.yml
@@ -15,14 +15,18 @@
       ansible.builtin.include_role:
         name: vitabaks.autobase.bind_address
 
+    - name: Set default variables
+      ansible.builtin.import_role:
+        name: vitabaks.autobase.common
+
     - name: "[Prepare] Get Patroni Cluster Leader Node"
       ansible.builtin.uri:
         url: >-
           {{ patroni_restapi_protocol | default('https') }}://{{ patroni_restapi_connect_addr
             | default(patroni_bind_address | default(bind_address, true), true) }}:{{ patroni_restapi_port
             | default('8008') }}/leader
         status_code: 200
-        ca_path: "{{ patroni_restapi_cafile | default('/etc/tls/ca.crt') }}"
+        ca_path: "{{ patroni_restapi_cafile | default(omit, true) }}"
       register: patroni_leader_result
       changed_when: false
       failed_when: false
diff --git a/automation/playbooks/update_pgcluster.yml b/automation/playbooks/update_pgcluster.yml
@@ -6,10 +6,6 @@
   become_method: sudo
   any_errors_fatal: true
   tasks:
-    - name: Set default variables
-      ansible.builtin.import_role:
-        name: vitabaks.autobase.common
-
     - name: Gather package facts
       ansible.builtin.package_facts:
         manager: auto
@@ -21,14 +17,19 @@
         name: vitabaks.autobase.bind_address
       tags: always
 
+    - name: Set default variables
+      ansible.builtin.import_role:
+        name: vitabaks.autobase.common
+      tags: always
+
     - name: "[Prepare] Get Patroni Cluster Leader Node"
       ansible.builtin.uri:
         url: >-
           {{ patroni_restapi_protocol | default('https') }}://{{ patroni_restapi_connect_addr
             | default(patroni_bind_address | default(bind_address, true), true) }}:{{ patroni_restapi_port
             | default('8008') }}/leader
         status_code: 200
-        ca_path: "{{ patroni_restapi_cafile | default('/etc/tls/ca.crt') }}"
+        ca_path: "{{ patroni_restapi_cafile | default(omit, true) }}"
       register: patroni_leader_result
       changed_when: false
       failed_when: false
diff --git a/automation/roles/common/defaults/main.yml b/automation/roles/common/defaults/main.yml
@@ -16,12 +16,12 @@ patroni_superuser_username: "postgres"
 patroni_superuser_password: "" # Please specify a password. If not defined, will be generated automatically during deployment.
 patroni_superuser_auth_options:
   - { option: "sslmode", value: "{{ 'require' if tls_cert_generate | bool else 'disable' }}" } # or 'verify-ca', 'verify-full'
-  - { option: "sslrootcert", value: "{{ tls_dir }}/{{ tls_ca_cert }}" } # or 'system'
+  - { option: "sslrootcert", value: "{{ tls_dir ~ '/' ~ tls_ca_cert if tls_cert_generate | bool else '' }}" } # or 'system'
 patroni_replication_username: "replicator"
 patroni_replication_password: "" # Please specify a password. If not defined, will be generated automatically during deployment.
 patroni_replication_auth_options:
   - { option: "sslmode", value: "{{ 'require' if tls_cert_generate | bool else 'disable' }}" } # or 'verify-ca', 'verify-full'
-  - { option: "sslrootcert", value: "{{ tls_dir }}/{{ tls_ca_cert }}" } # or 'system'
+  - { option: "sslrootcert", value: "{{ tls_dir ~ '/' ~ tls_ca_cert if tls_cert_generate | bool else '' }}" } # or 'system'
 # Note: if sslmode: verify-full, and your certificate doesn't have IP address in the SAN,
 # set also the option postgresql_connect_addr to ensure TLS certificate validation is successful.
 
@@ -508,9 +508,9 @@ pgbouncer_pools:
 ############################################################
 
 patroni_restapi_protocol: "{{ 'https' if tls_cert_generate | bool else 'http' }}"
-patroni_restapi_certfile: "{{ tls_dir }}/{{ tls_cert }}"
-patroni_restapi_keyfile: "{{ tls_dir }}/{{ tls_privatekey }}"
-patroni_restapi_cafile: "{{ tls_dir }}/{{ tls_ca_cert }}"
+patroni_restapi_certfile: "{{ tls_dir ~ '/' ~ tls_cert if patroni_restapi_protocol == 'https' else omit }}"
+patroni_restapi_keyfile: "{{ tls_dir ~ '/' ~ tls_privatekey if patroni_restapi_protocol == 'https' else omit }}"
+patroni_restapi_cafile: "{{ tls_dir ~ '/' ~ tls_ca_cert if patroni_restapi_protocol == 'https' else omit }}"
 # patroni_restapi_connect_addr: "{{ ansible_hostname }}" # or 'ansible_fqdn'. Set if you need connection to be established by domain name, not IP.
 patroni_restapi_listen_addr: "0.0.0.0" # Listen on all interfaces. Or use "{{ bind_address }}" to listen on a specific IP address.
 patroni_restapi_port: 8008
diff --git a/automation/roles/patroni/templates/patroni.yml.j2 b/automation/roles/patroni/templates/patroni.yml.j2
@@ -169,13 +169,21 @@ postgresql:
       username: {{ patroni_replication_username }}
       password: {{ patroni_replication_password }}
 {% for parameter in patroni_replication_auth_options %}
+{%   if parameter.option == 'sslrootcert' and parameter.value | length > 0 %}
       {{ parameter.option }}: {{ parameter.value }}
+{%   elif parameter.option != 'sslrootcert' %}
+      {{ parameter.option }}: {{ parameter.value }}
+{%   endif %}
 {% endfor %}
     superuser:
       username: {{ patroni_superuser_username }}
       password: {{ patroni_superuser_password }}
 {% for parameter in patroni_superuser_auth_options %}
+{%   if parameter.option == 'sslrootcert' and parameter.value | length > 0 %}
+      {{ parameter.option }}: {{ parameter.value }}
+{%   elif parameter.option != 'sslrootcert' %}
       {{ parameter.option }}: {{ parameter.value }}
+{%   endif %}
 {% endfor %}
 #    rewind:  # Has no effect on postgres 10 and lower
 #      username: rewind_user
