Generate TLS cert only on PGBouncer role

vitabaks · Dec 17, 2024 · 2c84108 · 2c84108
1 parent a641891
commit 2c84108
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 29 deletions.
diff --git a/automation/roles/patroni/tasks/main.yml b/automation/roles/patroni/tasks/main.yml
@@ -816,27 +816,6 @@
         (existing_pgcluster is not defined or not existing_pgcluster|bool)
   tags: patroni
 
-# Generating TLS Certificates
-- block:
-    - name: Generate a private key for TLS (if not exist)
-      become: true
-      become_user: postgres
-      community.crypto.openssl_privatekey:
-        path: "{{ postgresql_conf_dir }}/server.key"
-        size: '4096'
-        mode: '0400'
-
-    - name: Generate a self-signed certificate for Postgres (if not exist)
-      community.crypto.x509_certificate:
-        path: "{{ postgresql_conf_dir }}/server.crt"
-        privatekey_path: "{{ postgresql_conf_dir }}/server.key"
-        owner: postgres
-        group: postgres
-        mode: '0644'
-        provider: selfsigned
-        entrust_not_after: "+1000d"
-  when: (postgresql_parameters | selectattr('option', 'equalto', 'ssl') | map(attribute='value') | first | default('off')) == 'on'
-
 - block:  # start patroni on master
     - name: Start patroni service on the Master server
       ansible.builtin.systemd:

diff --git a/automation/roles/pgbouncer/tasks/main.yml b/automation/roles/pgbouncer/tasks/main.yml
@@ -126,24 +126,24 @@
 
 # Generating TLS Certificates
 - block:
-    - name: Generate a private key for TLS
+    - name: Generate a private TLS key for PostgreSQL & PGBouncer
       become: true
       become_user: postgres
       community.crypto.openssl_privatekey:
         path: "{{ pgbouncer_conf_dir }}/server.key"
-        size: '4096'
-        mode: '0400'
+        size: "4096"
+        mode: "0400"
 
-    - name: Generate a self-signed certificate for PGBouncer
+    - name: Generate a self-signed TLS certificate for PostgreSQL & PGBouncer
       community.crypto.x509_certificate:
         path: "{{ pgbouncer_conf_dir }}/server.crt"
         privatekey_path: "{{ pgbouncer_conf_dir }}/server.key"
         owner: postgres
         group: postgres
-        mode: '0644'
+        mode: "0644"
         provider: selfsigned
         entrust_not_after: "+1000d"
-  when: pgbouncer_server_tls_sslmode | default('disable') != 'disable'
+  when: (pgbouncer_server_tls_sslmode | default('disable') != 'disable') or ((postgresql_parameters | selectattr('option', 'equalto', 'ssl') | map(attribute='value') | first | default('off')) == 'on')
 
 - name: Configure pgbouncer.ini
   ansible.builtin.template:

diff --git a/automation/vars/main.yml b/automation/vars/main.yml
@@ -236,8 +236,8 @@ postgresql_parameters:
   - { option: "superuser_reserved_connections", value: "5" }
   - { option: "password_encryption", value: "{{ postgresql_password_encryption_algorithm }}" }
   - { option: "ssl", value: "on"}
-  - { option: "ssl_cert_file", value: "{{ postgresql_conf_dir }}/server.crt"}
-  - { option: "ssl_key_file", value: "{{ postgresql_conf_dir }}/server.key"}
+  - { option: "ssl_cert_file", value: "{{ pgbouncer_conf_dir }}/server.crt"}
+  - { option: "ssl_key_file", value: "{{ pgbouncer_conf_dir }}/server.key"}
   - { option: "ssl_min_protocol_version", value: "TLSv1.2"}
   - { option: "max_locks_per_transaction", value: "512" }
   - { option: "max_prepared_transactions", value: "0" }