
I am executing some ansible playbooks via gitlab-ci, and what I see is:

  1. The Ansible playbook executes successfully through the pipeline, but it doesn't produce the output it is intended to produce.

  2. When I retry the gitlab job, it produces the output I needed.

This is one of the many playbooks I am executing through gitlab:

1_ca.yaml

```yaml
---
- hosts: 127.0.0.1
  connection: local
  tasks:
    - name: Create ca-csr.json
      become: true
      copy:
        dest: ca-csr.json
        content: '{"CN":"Kubernetes","key":{"algo":"rsa","size":2048},"names":[{"C":"US","L":"Portland","O":"Kubernetes","OU":"CA","ST":"Oregon"}]}'

    - name: Create ca-config.json
      become: true
      copy:
        dest: ca-config.json
        content: '{"signing":{"default":{"expiry":"8760h"},"profiles":{"kubernetes":{"usages":["signing","key encipherment","server auth","client auth"],"expiry":"8760h"}}}}'

    - name: Create the ca.pem & ca-key.pem
      # become: true
      shell: |
        cfssl gencert -initca ca-csr.json | cfssljson -bare ca
```

Basically, what this does is create some certs I needed.

But in the first attempt, even though the pipeline passes, it doesn't generate these certs. When I restart that particular job in gitlab (running the same job for the second time), it generates these certs.

Why is this happening?

This is what my .gitlab-ci.yaml looks like:

```yaml
Create-Certificates:
  stage: ansible-play-books-create-certs
  retry:
    max: 2
    when:
      - always
  script:
    - echo "Executing ansible playbooks for generating certficates"
    - ansible-playbook ./ansible-playbooks/1_ca/1_ca.yaml
    - ansible-playbook ./ansible-playbooks/1_ca/2_admin.yaml
    - ansible-playbook ./ansible-playbooks/1_ca/3_kubelet.yaml
    - ansible-playbook ./ansible-playbooks/1_ca/4_kube-controller.yaml
    - ansible-playbook ./ansible-playbooks/1_ca/5_kube-proxy.yaml
    - ansible-playbook ./ansible-playbooks/1_ca/6_kube-scheduler.yaml
    - ansible-playbook ./ansible-playbooks/1_ca/7_kube-api-server.yaml
    - ansible-playbook ./ansible-playbooks/1_ca/8_service-account.yaml
    - ansible-playbook ./ansible-playbooks/1_ca/9_distribute-client-server-cert.yaml
  # when: delayed
  # start_in: 1 minutes
  tags:
    - banuka-gcp-k8s-hard-way
```

PS: These ansible playbooks are executing in the ansible host itself, not in remote servers. So I can log into the ansible master server and check if these files are created or not.

DV82XL
Jananath Banuka
  • If you run the gitlab job once, what do you see in the Ansible log files? Do the playbooks run? Any errors? – DV82XL Aug 16 '20 at 20:19
  • There are no errors. In the `gitlab` pipeline it shows success; the tasks have been executed successfully, but in the first attempt the files are not created (even though the task succeeded, its intended work is not done) – Jananath Banuka Aug 16 '20 at 20:44
  • You need more information. Add `-v` to your `ansible-playbook` calls and enable logging as described in https://stackoverflow.com/a/18807711/5752730. Once you have more information, post the log contents to your question. – DV82XL Aug 16 '20 at 21:17

1 Answer


Running your playbook without the last shell module produces the following output:

```
[WARNING]: provided hosts list is empty, only localhost is available. Note that the implicit localhost does not match 'all'

PLAY [127.0.0.1] **************************************************************************************************************************************************************************************************

TASK [Gathering Facts] ********************************************************************************************************************************************************************************************
ok: [127.0.0.1]

TASK [Create ca-csr.json] *****************************************************************************************************************************************************************************************
[WARNING]: File './ca-csr.json' created with default permissions '600'. The previous default was '666'. Specify 'mode' to avoid this warning.
changed: [127.0.0.1]

TASK [Create ca-config.json] **************************************************************************************************************************************************************************************
[WARNING]: File './ca-config.json' created with default permissions '600'. The previous default was '666'. Specify 'mode' to avoid this warning.
changed: [127.0.0.1]

PLAY RECAP ********************************************************************************************************************************************************************************************************
127.0.0.1                  : ok=3    changed=2    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
```

and checking the existence:

```
$ ls ca* -al
-rw------- 1 root root 155 Aug 17 02:48 ca-config.json
-rw------- 1 root root 129 Aug 17 02:48 ca-csr.json
```

So although it's quite a dirty way of writing a playbook, it works. Why is it dirty?

  • you're not using any inventory
  • you should use `local_action` and not `connection: local` for local tasks
  • you are misusing ansible, which is multi-node configuration management, to do a bash script task

So in conclusion: there's nothing wrong with your ansible playbook (or maybe the file permissions?), and if it does not run, you should look more in the gitlab-ci direction.

You need to provide more details on the Gitlab-CI setup, but maybe the stage is not correct?

Roman Spiak
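Because the job reports success while the certificates are absent, the job can be made to verify its own output. The following is an added example, not part of the original question or answer: a shell function (the name `check_ca_artifacts` and its directory argument are assumptions) that a `script:` step could call after `1_ca.yaml`. It fails when `ca.pem` or `ca-key.pem` is missing or empty, or when the CA private key is accessible to group or others.

```shell
#!/bin/sh
# Added example: post-condition check for the CA step of the pipeline.
# ca.pem and ca-key.pem are the file names given in the playbook's task name.

# check_ca_artifacts DIR
# Returns 0 only if both files exist in DIR, are non-empty, and the private
# key carries no group/other permission bits. Problems are reported on stderr.
check_ca_artifacts() {
    dir=$1
    rc=0

    for f in ca.pem ca-key.pem; do
        if [ ! -s "$dir/$f" ]; then
            echo "missing or empty: $dir/$f" >&2
            rc=1
        fi
    done

    key="$dir/ca-key.pem"
    if [ -f "$key" ]; then
        # Characters 5-10 of the ls mode string are the group and other bits,
        # e.g. "-rw-------" gives "------".
        go_bits=$(ls -ld "$key" | cut -c5-10)
        if [ "$go_bits" != "------" ]; then
            echo "private key too permissive: $key ($go_bits)" >&2
            rc=1
        fi
    fi

    return "$rc"
}

# Hypothetical use in the job's script section, run from the directory where
# the playbook is expected to write its files (an assumption):
#   ansible-playbook ./ansible-playbooks/1_ca/1_ca.yaml
#   check_ca_artifacts .
```

A non-zero return from the function fails the GitLab job, so a run that wrote no certificates no longer shows as passed.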