feat: add automatic reload of nomad service for certificate reloading

This feature adds logic to automatically reload the nomad service if tls is enbabled and the certificates have changed. This only tracks certificates copied by the extra_files logic.
2024-11-10 13:32:45 +01:00 · 2024-11-10 13:32:45 +01:00 · 63f22bb1f9
commit 63f22bb1f9
parent bcbfd39285
4 changed files with 94 additions and 3 deletions
--- a/roles/nomad/tasks/configure.yml
+++ b/roles/nomad/tasks/configure.yml
@ -24,6 +24,31 @@
  when: _nomad_env_file.changed or
    _nomad_config_file.changed

+- name: "Nomad | Gather initial checksums for certificate files"
+  ansible.builtin.stat:
+    path: "{{ item }}"
+    checksum_algorithm: sha1
+  loop: "{{ nomad_certificates_reload_watchlist }}"
+  when: nomad_enable_tls
+  register: _nomad_initial_cert_checksums
+
+- name: "Nomad | Normalize initial checksums"
+  ansible.builtin.set_fact:
+    # This needs to be optimized, but I have spent so much time on it not
+    # working that I will keep it as is for now, and we'll see later.
+    _nomad_initial_checksums_normalized: >-
+      {% filter trim %}
+      {% set checksums = [] %}
+      {% for item in _nomad_initial_cert_checksums.results %}
+        {% set _ = checksums.append({
+          'item': item.item,
+          'initial_checksum': (item.stat.checksum | default('absent'))
+        }) %}
+      {% endfor %}
+      {{ checksums }}
+      {% endfilter %}
+  when: nomad_enable_tls
+
 - name: "Nomad | Copy extra configuration files"
  when: nomad_extra_files
  block:
@ -72,3 +97,44 @@
      loop_control:
        loop_var: dir_source_item
      when: _nomad_dir_sources is defined
+
+- name: "Nomad | Gather final checksums for certificate files"
+  ansible.builtin.stat:
+    path: "{{ item }}"
+    checksum_algorithm: sha1
+  loop: "{{ nomad_certificates_reload_watchlist }}"
+  when: nomad_enable_tls
+  register: _nomad_final_cert_checksums
+
+- name: "Consul | Normalize final checksums"
+  ansible.builtin.set_fact:
+    # This needs to be optimized, but I have spent so much time on it not
+    # working that I will keep it as is for now, and we'll see later.
+    _nomad_final_checksums_normalized: >-
+      {% filter trim %}
+      {% set checksums = [] %}
+      {% for item in _nomad_final_cert_checksums.results %}
+        {% set _ = checksums.append({
+          'item': item.item,
+          'final_checksum': (item.stat.checksum | default('absent'))
+        }) %}
+      {% endfor %}
+      {{ checksums }}
+      {% endfilter %}
+  when: nomad_enable_tls
+
+- name: "Consul | Merge initial and final checksum lists"
+  ansible.builtin.set_fact:
+    _nomad_checksums_list: >-
+      {{
+        _nomad_initial_checksums_normalized |
+        community.general.lists_mergeby(_nomad_final_checksums_normalized, 'item')
+      }}
+  when: nomad_enable_tls
+
+- name: "Consul | Determine if certificates have changed or were newly added"
+  ansible.builtin.set_fact:
+    _nomad_service_need_reload: true
+  when:
+    - nomad_enable_tls
+    - _nomad_checksums_list | json_query('[?initial_checksum!=final_checksum]') | list| length > 0
--- a/roles/nomad/tasks/install.yml
+++ b/roles/nomad/tasks/install.yml
@ -136,6 +136,6 @@

 - name: "Nomad | Set reload-check & restart-check variable"
  ansible.builtin.set_fact:
-    _nomad_service_need_reload: true
+    _nomad_service_need_daemon_reload: true
    _nomad_service_need_restart: true
  when: _nomad_unit_file.changed # noqa: no-handler
--- a/roles/nomad/tasks/main.yml
+++ b/roles/nomad/tasks/main.yml
@ -2,6 +2,7 @@
 # task/main file for nomad
 - name: "Nomad | Set reload-check & restart-check variable"
  ansible.builtin.set_fact:
+    _nomad_service_need_daemon_reload: false
    _nomad_service_need_reload: false
    _nomad_service_need_restart: false

@ -33,11 +34,23 @@
 - name: "Nomad | Reload systemd daemon"
  ansible.builtin.systemd:
    daemon_reload: true
-  when: _nomad_service_need_reload
+  when: _nomad_service_need_daemon_reload

 - name: "Nomad | Start service: {{ nomad_service_name }}"
  ansible.builtin.service:
    name: "{{ nomad_service_name }}"
    state: restarted
  throttle: 1
-  when: _nomad_service_need_restart
+  when:
+    - nomad_start_service
+    - _nomad_service_need_restart
+
+- name: "Nomad | Reload service: {{ nomad_service_name }}"
+  ansible.builtin.service:
+    name: "{{ nomad_service_name }}"
+    state: reloaded
+  throttle: 1
+  when:
+    - nomad_start_service
+    - _nomad_service_need_reload
+    - not _nomad_service_need_restart
--- a/roles/nomad/vars/main.yml
+++ b/roles/nomad/vars/main.yml
@ -15,6 +15,18 @@ nomad_github_project: hashicorp/nomad
 nomad_github_url: https://github.com
 nomad_repository_url: https://releases.hashicorp.com/nomad

+nomad_certificates_reload_watchlist: |
+  {% filter trim %}
+  {% set watchlist = [] %}
+  {% set config = nomad_configuration.get('tls', {}) %}
+  {% for key in ['ca_file', 'cert_file', 'key_file'] %}
+    {% if config.get(key) %}
+      {{ watchlist.append(config[key]) }}
+    {% endif %}
+  {% endfor %}
+  {{ watchlist | unique }}
+  {% endfilter %}
+
 nomad_configuration:
  datacenter: "{{ nomad_datacenter }}"
  region: "{{ nomad_region }}"