cp-ansible
When ssl_custom_certs_remote_src is true, task "Retrieve SSL key hash" and "Retrieve SSL cert hash" should execute on the remote host
Describe the issue: When ssl_custom_certs_remote_src is true, task "Retrieve SSL key hash" should execute on the remote host(s). The task is delegated to localhost, but the certs don't reside there. They are on the remote hosts, as designated by the var ssl_custom_certs_remote_src: true.
roles/common/tasks/host_validations.yml
To Reproduce: Configure inventory per https://docs.confluent.io/ansible/current/ansible-encrypt.html#ansible-use-existing-certs. Run playbook without certs existing on executing system and without config for local sudo.
Expected behaviour: If ssl_custom_certs_remote_src is set to true, then any certificate validation should occur on the remote hosts. Delegating to localhost is not appropriate when this is the case.
Inventory File:
all:
  vars:
    ansible_user: redacted
    ansible_become: yes
    ansible_become_method: sudo
    jmxexporter_enabled: true
    zookeeper_jmxexporter_enabled: true
    deployment_strategy: rolling
    confluent_server_enabled: false
    control_center_health_checks_enabled: false
    zookeeper_log_dir: /mnt/resource/kafka
    kafka_broker_log_dir: /mnt/resource/kafka
    schema_registry_log_dir: /mnt/resource/confluent/schema-registry
    kafka_rest_log_dir: /mnt/resource/confluent/kafka-rest
    kafka_connect_log_dir: /mnt/resource/kafka
    ksql_log_dir: /mnt/resource/confluent/ksql
    kafka_connect_replicator_log_dir: /mnt/resource/confluent/kafka-connect-replicator
    ssl_enabled: true
    ssl_custom_certs: true
    ssl_custom_certs_remote_src: true
    ssl_ca_cert_filepath: "/etc/soteria_certs/{{ inventory_hostname_short }}/chain.pem"
    ssl_signed_cert_filepath: "/etc/soteria_certs/{{ inventory_hostname_short }}/cert.pem"
    ssl_key_filepath: "/etc/soteria_certs/{{ inventory_hostname_short }}/privkey.pem"
Logs: Failing task:
TASK [confluent.platform.common : Retrieve SSL key hash] *******************************************************************************************************************************************************
fatal: [redacted1 -> localhost]: FAILED! => {"changed": false, "module_stderr": "sudo: a password is required\n", "module_stdout": "", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1}
fatal: [redacted2 -> localhost]: FAILED! => {"changed": false, "module_stderr": "sudo: a password is required\n", "module_stdout": "", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1}
fatal: [redacted3 -> localhost]: FAILED! => {"changed": false, "module_stderr": "sudo: a password is required\n", "module_stdout": "", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1}
Environment (please complete the following information):
- OS: Ubuntu 20.04
- CP-Ansible Branch: [7.2.0-post]
- Ansible Version 2.12.3
Additional context: The Ansible playbook comes from the Galaxy collection, therefore no changes. However, it is wrapped in a custom playbook to set up our VMs according to company policy and Azure constraints. This playbook has worked well until attempting a switch to custom TLS certs.
As a follow-up, adding --skip-tags validate_ssl_keys_certs allows me to work around the issue. The full playbook, aside from those tags, then runs successfully to completion.
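The delegation pattern the report asks for, as an added example that is not cp-ansible's own host_validations.yml: the key/cert hash tasks run on the managed host when ssl_custom_certs_remote_src is true and are delegated to localhost only when the files live on the controller. The variable names ssl_custom_certs_remote_src, ssl_key_filepath and ssl_signed_cert_filepath come from the inventory above; the play name, register names and the openssl pipelines are assumptions, not the project's code. It also drops privilege escalation on the localhost branch, which is what produced the "sudo: a password is required" failures in the logs when the inventory's ansible_become: yes was inherited by the delegated task.

```yaml
# Added example (not cp-ansible's task file). Assumes the inventory variables
# ssl_custom_certs_remote_src, ssl_key_filepath and ssl_signed_cert_filepath
# shown in the issue; task and register names are hypothetical.
- name: Validate that the custom TLS private key matches the signed certificate
  hosts: all
  become: true              # matches the inventory's ansible_become: yes
  tasks:
    - name: Retrieve SSL key hash
      ansible.builtin.shell: >-
        set -o pipefail;
        openssl pkey -in {{ ssl_key_filepath | quote }} -pubout -outform DER
        | openssl sha256
      args:
        executable: /bin/bash
      register: ssl_key_hash
      changed_when: false
      # Files are on the managed host when remote_src is true, so run there;
      # only delegate to the controller when the certs were staged locally.
      delegate_to: "{{ inventory_hostname if ssl_custom_certs_remote_src | bool else 'localhost' }}"
      # Never escalate on the controller: a delegated task otherwise inherits
      # ansible_become from the inventory and demands a local sudo password.
      become: "{{ ssl_custom_certs_remote_src | bool }}"
      tags: validate_ssl_keys_certs

    - name: Retrieve SSL cert hash
      ansible.builtin.shell: >-
        set -o pipefail;
        openssl x509 -in {{ ssl_signed_cert_filepath | quote }} -pubkey -noout
        | openssl pkey -pubin -outform DER
        | openssl sha256
      args:
        executable: /bin/bash
      register: ssl_cert_hash
      changed_when: false
      delegate_to: "{{ inventory_hostname if ssl_custom_certs_remote_src | bool else 'localhost' }}"
      become: "{{ ssl_custom_certs_remote_src | bool }}"
      tags: validate_ssl_keys_certs

    # Both pipelines hash the DER-encoded public key, so a mismatch means the
    # private key in ssl_key_filepath does not belong to the certificate.
    - name: Fail if the private key does not match the certificate
      ansible.builtin.assert:
        that: ssl_key_hash.stdout == ssl_cert_hash.stdout
        fail_msg: >-
          {{ ssl_key_filepath }} does not match {{ ssl_signed_cert_filepath }}
          on {{ inventory_hostname }}
      tags: validate_ssl_keys_certs
```

Comparing the SHA-256 of the DER public key on both sides works for RSA and EC keys alike, and the task-level become keyword overrides the play and inventory setting only for the localhost branch, so the remote branch still escalates to read a root-owned private key.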
This issue also breaks the Ansible training chapter in Confluent's Kafka Admin training path: https://html.cdn.contentraven.com/crcloud/uploads/confluent_11192/encryptedfile/199682/v4.0/module-2.html
Adding skip-tags like @36roentgen suggests works around this issue.
This has been resolved and merged, will close the issue now.