@ehelms ehelms commented May 13, 2025

Taking an initial tactic on using handler to handle changes to certificate secrets. I know there are more secrets that should trigger a change. I am keeping this focused to start with as I think the "things changed and services need to restart" paradigm is the part to get right to start with.

@evgeni I recall you had some reservations about handlers.

I am also wondering what if anything happens with the initial service start we have and the "wait for" task in a handler based setup:

```yaml
- name: Start the Foreman Service
  ansible.builtin.systemd:
    name: foreman
    enabled: true
    state: started

# Poll the ping endpoint until it answers 200; the registered result is what
# the until condition is evaluated against on every retry.
- name: Wait for Foreman service to be accessible
  ansible.builtin.uri:
    url: 'http://{{ ansible_hostname }}:3000/api/v2/ping'
  register: foreman_status
  until: foreman_status.status == 200
  retries: 60
  delay: 5
```


ekohl commented May 14, 2025

> I am also wondering what if anything happens with the initial service start we have and the "wait for" task in a handler based setup:

I still think #118 is a better solution for it. Then just drop the whole waiting.


evgeni commented May 14, 2025

I had to use GitHub search (it's better than Jira…) and found my comment in #92 (comment), which still applies.


ehelms commented May 14, 2025

> I had to use GitHub search (it's better than Jira…) and found my comment in #92 (comment), which still applies.

Quoting that here:

> In general, yes.
> There are two "problems" with that (well, gotchas, really):
>
> - handlers by default run at the end of the play, that means that if you updated a secret and want the app to use it "in the next step", you need to "flush handlers" yourself
> - handlers often produce "needless" restarts on the initial deployment, as the service is started after a secret has been defined the first time and thus already uses it.

That does not read to me as we shouldn't use them, just things to be mindful of as we build things out. The alternative to handlers would be a homegrown mechanism?
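One way to build a handler-based certificate deployment that works around both gotchas quoted above, as an added example play that is not code from this PR or the project; the host group, the `/etc/foreman/certs` path, the `foreman_server_cert` / `foreman_server_key` variables and the ping URL are assumptions:

```yaml
- name: Deploy Foreman certificates with handler-driven restarts
  hosts: foreman          # assumed inventory group
  become: true
  handlers:
    - name: Restart foreman
      ansible.builtin.systemd:
        name: foreman
        state: restarted
      # Gotcha 2: on the initial deployment the service is not running yet and
      # the "started" task below already picks up the new secret, so skip it.
      when: foreman_was_running
  tasks:
    - name: Gather service facts
      ansible.builtin.service_facts:

    - name: Remember whether foreman was running before the secrets changed
      ansible.builtin.set_fact:
        foreman_was_running: "{{ (ansible_facts.services['foreman.service'] | default({})).get('state') == 'running' }}"

    - name: Install server certificate and private key (assumed paths)
      ansible.builtin.copy:
        content: "{{ item.content }}"
        dest: "/etc/foreman/certs/{{ item.name }}"
        owner: root
        group: foreman
        mode: "{{ item.mode }}"
      loop:
        - { name: server.crt, content: "{{ foreman_server_cert }}", mode: "0644" }
        - { name: server.key, content: "{{ foreman_server_key }}", mode: "0640" }
      no_log: true   # keep the private key out of task output
      notify: Restart foreman

    # Gotcha 1: handlers run at the end of the play by default; flush them here
    # so the restart happens before the health check that follows.
    - name: Apply pending restarts now
      ansible.builtin.meta: flush_handlers

    - name: Ensure foreman is started (covers the first deployment)
      ansible.builtin.systemd:
        name: foreman
        state: started

    # Assumes the issuing CA is trusted on the host; otherwise set validate_certs.
    - name: Wait for Foreman to answer over the new certificate
      ansible.builtin.uri:
        url: "https://{{ ansible_fqdn }}/api/v2/ping"
      register: foreman_status
      until: foreman_status.status == 200
      retries: 60
      delay: 5
```

A second run with unchanged certificate content notifies nothing, so the handler and its restart are skipped and only the idempotent start and health check run.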


ekohl commented May 14, 2025

> That does not read to me as we shouldn't use them, just things to be mindful of as we build things out. The alternative to handlers would be a homegrown mechanism?

I had been thinking about using systemd to notify if something changes, but I don't think you can trigger that. I know systemd can trigger on files changing (https://www.freedesktop.org/software/systemd/man/latest/systemd.path.html) but that isn't a secret.

I would like a solution where you can easily swap out certificates without using the whole installer, but I struggle to see how to do that easily. For example, if we would adopt certbot or a similar tool to request certificates from a CA then they take ownership of rotation. They have hooks to restart services. Ansible doesn't feel like it's very good at having those triggers so I'm looking at simpler mechanisms.

@ehelms ehelms closed this Nov 2, 2025