Change in 'copy' behavior breaking v4_cfg_tls_trusted_ca_certs #580

Open
ajeffowens opened this issue Nov 15, 2024 · 3 comments · Fixed by #581

ajeffowens commented Nov 15, 2024

Prior to commit 8830916, this copy module would look like this (note the "src"):

TASK [vdm : TLS - copy customer provided ca certs] *****************************
task path: /viya4-deployment/roles/vdm/tasks/tls.yaml:158
changed: [localhost] => changed=true 
  checksum: d307182290fa7568b2fa34afb53b89328a546811
  dest: /data/client8-rs8f-eks/viya/site-config/vdm/security/cacerts/source
  diff: []
  gid: 100
  group: users
  invocation:
    module_args:
      _original_basename: ''
      attributes: null
      backup: false
      checksum: d307182290fa7568b2fa34afb53b89328a546811
      content: null
      dest: /data/client8-rs8f-eks/viya/site-config/vdm/security/cacerts/
      directory_mode: null
      follow: false
      force: true
      group: null
      local_follow: null
      mode: '0660'
      owner: null
      remote_src: null
      selevel: null
      serole: null
      setype: null
      seuser: null
      src: /viya4-deployment/.ansible/tmp/ansible-tmp-1731612887.6607933-905-140955707363933/source
      unsafe_writes: false
      validate: null

Following ansible update to 10.5, the behavior has changed:

TASK [vdm : TLS - copy customer provided ca certs] *****************************
task path: /viya4-deployment/roles/vdm/tasks/tls.yaml:158
changed: [localhost] => changed=true 
  checksum: 92c5a91a95af4a4959e3343087b08b0548c36cab
  dest: /data/jopg-awstest6-eks/viya/site-config/vdm/security/cacerts/.source
  diff: []
  gid: 100
  group: users
  invocation:
    module_args:
      _original_basename: ''
      attributes: null
      backup: false
      checksum: 92c5a91a95af4a4959e3343087b08b0548c36cab
      content: null
      dest: /data/jopg-awstest6-eks/viya/site-config/vdm/security/cacerts/
      directory_mode: null
      follow: false
      force: true
      group: null
      local_follow: null
      mode: '0660'
      owner: null
      remote_src: null
      selevel: null
      serole: null
      setype: null
      seuser: null
      src: /viya4-deployment/.ansible/tmp/ansible-tmp-1731638963.5694757-903-278039363195638/.source
      unsafe_writes: false
      validate: null

And then the file is not found ("matched: 0"):

ok: [localhost] => changed=false 
  examined: 1
  files: []
  invocation:
    module_args:
      age: null
      age_stamp: mtime
      contains: null
      depth: 2
      encoding: null
      exact_mode: true
      excludes: null
      file_type: file
      follow: false
      get_checksum: false
      hidden: false
      mode: null
      paths:
      - /data/jopg-awstest6-eks/viya/site-config/vdm/security/cacerts/
      patterns:
      - '*'
      read_whole_file: false
      recurse: false
      size: null
      use_regex: false
  matched: 0
  msg: All paths examined
  skipped_paths: {}

In both cases this is running in a docker container with the following docker parameter:

--volume=/jopg/awstest6/dac/aws-rds-ca.crt:/config/v4_cfg_tls_trusted_ca_certs

This seems related to this note from ansible v10 changelog:

copy action now also generates temporary files as hidden ('.' prefixed) to avoid accidental pickup by running services that glob by extension.

@ajeffowens
Author

Perhaps adding "hidden" = true to the ensuing find module would resolve this

@ajeffowens ajeffowens linked a pull request Nov 16, 2024 that will close this issue
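
The `hidden` behavior discussed above, as an added example that is not the project's code or the change in PR #581: a stand-alone playbook that places a dot-prefixed file in a scratch directory, runs `find` with `hidden` off and on, and fails the play when no CA file is found instead of continuing with an empty list. The scratch directory, file content, task names and registered variable names are constructed for the demonstration.

```yaml
# Added example; run with: ansible-playbook demo.yaml
# All paths, names and file content are constructed for the demonstration.
- name: Dot-prefixed CA file versus the find module's hidden option
  hosts: localhost
  connection: local
  gather_facts: false
  tasks:
    - name: Create a scratch directory standing in for the cacerts directory
      ansible.builtin.tempfile:
        state: directory
        suffix: cacerts
      register: cacerts_dir

    - name: Place a constructed file named .source, as in the second log
      ansible.builtin.copy:
        content: "constructed placeholder, not a real certificate\n"
        dest: "{{ cacerts_dir.path }}/.source"
        mode: "0660"

    - name: Search with hidden false, as in the find invocation in the issue
      ansible.builtin.find:
        paths: "{{ cacerts_dir.path }}"
        patterns: "*"
        file_type: file
        hidden: false
      register: found_default

    - name: Same search with dot-prefixed files included
      ansible.builtin.find:
        paths: "{{ cacerts_dir.path }}"
        patterns: "*"
        file_type: file
        hidden: true
      register: found_hidden

    - name: Show that only the hidden-aware search sees the file
      ansible.builtin.assert:
        that:
          - found_default.matched == 0
          - found_hidden.matched == 1

    - name: Guard - stop when a CA path was supplied but nothing was found
      ansible.builtin.assert:
        that: found_hidden.matched > 0
        fail_msg: "No CA certificate files found in {{ cacerts_dir.path }}"

    - name: Remove the scratch directory
      ansible.builtin.file:
        path: "{{ cacerts_dir.path }}"
        state: absent
```
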
@dhoucgitter
Member

@ajeffowens, thanks for entering this issue along with the PR to address it. I'm expecting that your PR will be included in the upcoming release.

@saschjmil
Contributor

@ajeffowens, thanks for bringing this to our attention. I've opened an internal ticket for investigation.

I'm having trouble replicating the issue. When I run the docker container, it's able to copy and find my certs. I'm assuming it's due to a difference in our configurations, so I'll reach out for some additional info.
