2 small fixes

tpurschke · tpurschke · commit a8bfaf240e0c · 2026-04-01T19:18:03.000+02:00
diff --git a/roles/api/tasks/hasura-install.yml b/roles/api/tasks/hasura-install.yml
@@ -52,15 +52,21 @@
   when:
     - installation_mode == "upgrade"
     - hasura_admin_secret_file.stat.exists
-    - api_use_existing_hasura_on_upgrade | default(false) | bool
 
-- name: set hasura admin secret from existing file
+- name: cache existing hasura admin secret during upgrade
   set_fact:
-    api_hasura_admin_secret: "{{ existing_hasura_admin_secret['content'] | b64decode | trim }}"
+    api_existing_hasura_admin_secret: "{{ existing_hasura_admin_secret['content'] | b64decode | trim }}"
   when:
     - installation_mode == "upgrade"
     - hasura_admin_secret_file.stat.exists
+
+- name: set hasura admin secret from existing file
+  set_fact:
+    api_hasura_admin_secret: "{{ api_existing_hasura_admin_secret }}"
+  when:
+    - installation_mode == "upgrade"
     - api_use_existing_hasura_on_upgrade | default(false) | bool
+    - api_existing_hasura_admin_secret is defined
 
 - name: set static hasura admin pwd for test purposes only
   set_fact:
@@ -76,17 +82,6 @@
   when:
     - api_hasura_admin_secret is not defined
 
-- name: write hasura admin password to secrets directory
-  copy:
-    content: "{{ api_hasura_admin_secret }}\n"
-    dest: "{{ fworch_secrets_dir }}/hasura_admin_pwd"
-    mode: "0600"
-    owner: "{{ fworch_user }}"
-    group: "{{ fworch_group }}"
-  become: true
-  when:
-    - installation_mode != "upgrade" or not (api_use_existing_hasura_on_upgrade | default(false) | bool) or not hasura_admin_secret_file.stat.exists
-
 - name: check for existing hasura cli file
   stat:
     path: "{{ api_hasura_cli_bin }}"
@@ -98,8 +93,19 @@
       {{
         installation_mode == "upgrade"
         and (api_existing_service_name | default('') | length > 0)
+        and hasura_admin_secret_file.stat.exists
       }}
 
+- name: fail when Hasura upgrade reuse was requested without reusable state
+  fail:
+    msg: >-
+      Hasura upgrade fallback requires both an installed Hasura service unit and the existing
+      {{ fworch_secrets_dir }}/hasura_admin_pwd secret file.
+  when:
+    - installation_mode == "upgrade"
+    - api_use_existing_hasura_on_upgrade | default(false) | bool
+    - not api_hasura_upgrade_reuse_possible | bool
+
 - name: build GitHub auth header
   set_fact:
     api_github_auth_header: "{{ {'Authorization': 'Bearer ' ~ api_github_token} if api_github_token is defined else {} }}"
@@ -177,6 +183,8 @@
         - name: fall back to existing Hasura after CLI download failure during upgrade
           set_fact:
             api_use_existing_hasura_on_upgrade: true
+            api_service_name: "{{ api_existing_service_name }}"
+            api_hasura_admin_secret: "{{ api_existing_hasura_admin_secret }}"
           when: api_hasura_upgrade_reuse_possible | bool
 
         - name: show Hasura CLI upgrade fallback decision
@@ -217,6 +225,8 @@
     - name: fall back to existing Hasura after direct CLI download failure during upgrade
       set_fact:
         api_use_existing_hasura_on_upgrade: true
+        api_service_name: "{{ api_existing_service_name }}"
+        api_hasura_admin_secret: "{{ api_existing_hasura_admin_secret }}"
       when: api_hasura_upgrade_reuse_possible | bool
 
     - name: show Hasura direct CLI upgrade fallback decision
@@ -249,34 +259,6 @@
     - not api_cli_check.stat.exists
     - not api_use_existing_hasura_on_upgrade | default(false) | bool
 
-- name: set hasura env variable
-  set_fact:
-    hasura_env:
-      HASURA_GRAPHQL_DATABASE_URL: "postgres://{{ api_user }}:{{ api_user_password }}@{{ fworch_db_host }}:{{ fworch_db_port }}/{{ fworch_db_name }}"
-      HASURA_GRAPHQL_ENABLE_CONSOLE: "true"
-      HASURA_GRAPHQL_ENABLE_TELEMETRY: "false"
-      HASURA_GRAPHQL_ADMIN_SECRET: "{{ api_hasura_admin_secret }}"
-      HASURA_GRAPHQL_SERVER_HOST: "127.0.0.1"
-      HASURA_GRAPHQL_SERVER_PORT: "8080"
-      HASURA_GRAPHQL_LOG_LEVEL: "{{ api_log_level }}"
-      HASURA_GRAPHQL_ENABLED_LOG_TYPES: "{{ api_HASURA_GRAPHQL_ENABLED_LOG_TYPES }}"
-      HASURA_GRAPHQL_CONSOLE_ASSETS_DIR: "/srv/console-assets"
-      HASURA_GRAPHQL_V1_BOOLEAN_NULL_COLLAPSE: "true"
-      HASURA_GRAPHQL_CORS_DOMAIN: "*"
-      HASURA_GRAPHQL_INFER_FUNCTION_PERMISSIONS: "{{ api_HASURA_GRAPHQL_INFER_FUNCTION_PERMISSIONS }}"
-      HASURA_GRAPHQL_JWT_SECRET: "{{ {'type': api_hasura_jwt_alg, 'key': api_hasura_jwt_secret | regex_replace('\n', '\\n'), 'claims_namespace_path': '$'} | to_json }}"
-      HTTP_PROXY: "{{ http_proxy }}"
-      HTTPS_PROXY: "{{ https_proxy }}"
-      http_proxy: "{{ http_proxy }}"
-      https_proxy: "{{ https_proxy }}"
-      no_proxy: "{{ no_proxy }}"
-      NO_PROXY: "{{ no_proxy }}"
-
-- name: show hasura env for debugging
-  debug:
-    var: hasura_env
-  when: debug_level > '1'
-
 - name: set Hasura image reuse mode
   set_fact:
     api_reuse_existing_hasura_image: >-
@@ -307,6 +289,8 @@
       set_fact:
         api_use_existing_hasura_on_upgrade: true
         api_reuse_existing_hasura_image: true
+        api_service_name: "{{ api_existing_service_name }}"
+        api_hasura_admin_secret: "{{ api_existing_hasura_admin_secret }}"
       when: api_hasura_upgrade_reuse_possible | bool
 
     - name: show Hasura image upgrade fallback decision
@@ -327,6 +311,45 @@
     - not api_reuse_existing_hasura_image | bool
     - api_rollback_is_running | default(false) | bool == false
 
+- name: write hasura admin password to secrets directory
+  copy:
+    content: "{{ api_hasura_admin_secret }}\n"
+    dest: "{{ fworch_secrets_dir }}/hasura_admin_pwd"
+    mode: "0600"
+    owner: "{{ fworch_user }}"
+    group: "{{ fworch_group }}"
+  become: true
+  when:
+    - installation_mode != "upgrade" or not (api_use_existing_hasura_on_upgrade | default(false) | bool) or not hasura_admin_secret_file.stat.exists
+
+- name: set hasura env variable
+  set_fact:
+    hasura_env:
+      HASURA_GRAPHQL_DATABASE_URL: "postgres://{{ api_user }}:{{ api_user_password }}@{{ fworch_db_host }}:{{ fworch_db_port }}/{{ fworch_db_name }}"
+      HASURA_GRAPHQL_ENABLE_CONSOLE: "true"
+      HASURA_GRAPHQL_ENABLE_TELEMETRY: "false"
+      HASURA_GRAPHQL_ADMIN_SECRET: "{{ api_hasura_admin_secret }}"
+      HASURA_GRAPHQL_SERVER_HOST: "127.0.0.1"
+      HASURA_GRAPHQL_SERVER_PORT: "8080"
+      HASURA_GRAPHQL_LOG_LEVEL: "{{ api_log_level }}"
+      HASURA_GRAPHQL_ENABLED_LOG_TYPES: "{{ api_HASURA_GRAPHQL_ENABLED_LOG_TYPES }}"
+      HASURA_GRAPHQL_CONSOLE_ASSETS_DIR: "/srv/console-assets"
+      HASURA_GRAPHQL_V1_BOOLEAN_NULL_COLLAPSE: "true"
+      HASURA_GRAPHQL_CORS_DOMAIN: "*"
+      HASURA_GRAPHQL_INFER_FUNCTION_PERMISSIONS: "{{ api_HASURA_GRAPHQL_INFER_FUNCTION_PERMISSIONS }}"
+      HASURA_GRAPHQL_JWT_SECRET: "{{ {'type': api_hasura_jwt_alg, 'key': api_hasura_jwt_secret | regex_replace('\n', '\\n'), 'claims_namespace_path': '$'} | to_json }}"
+      HTTP_PROXY: "{{ http_proxy }}"
+      HTTPS_PROXY: "{{ https_proxy }}"
+      http_proxy: "{{ http_proxy }}"
+      https_proxy: "{{ https_proxy }}"
+      no_proxy: "{{ no_proxy }}"
+      NO_PROXY: "{{ no_proxy }}"
+
+- name: show hasura env for debugging
+  debug:
+    var: hasura_env
+  when: debug_level > '1'
+
 - name: write Hasura env file for Podman
   copy:
     dest: "{{ api_env_file }}"
