Fix TLS cert mismatch and constrained-Docker volume failures

- Remove /var/lib/docker/volumes mount (fails on nested Docker hosts) - Add AGENT_HOST env var so agent cert is valid for host's real IP - Add TLSSkipVerify/TLSSkipClientVerify to Portainer endpoint registration to handle existing agents with bridge-IP certs - Remove final delegate_to: localhost (wait_for now runs on remote host) - Add ignore_errors: true to agent deploy and enrollment tasks - Guard existing_endpoints.json with | default([]) for failed API calls Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-01 01:12:27 -07:00 · 2026-03-01 01:12:27 -07:00 · d2cf626bee
commit d2cf626bee
parent 6db20117fd
1 changed files with 15 additions and 9 deletions
--- a/playbooks/find_docker_enroll_portainer.yml
+++ b/playbooks/find_docker_enroll_portainer.yml
@ -120,20 +120,21 @@
          - "{{ portainer_agent_port }}:9001"
        volumes:
          - /var/run/docker.sock:/var/run/docker.sock
-          - /var/lib/docker/volumes:/var/lib/docker/volumes
        env:
          AGENT_PORT: "9001"
+          # Ensures the agent's self-signed TLS cert covers the host's real IP,
+          # not just the Docker bridge (172.17.0.x) IP.
+          AGENT_HOST: "{{ ansible_host }}"
      when: "'Up' not in (agent_status.stdout | default(''))"
      register: agent_deployed
+      ignore_errors: true

    - name: Wait for Portainer Agent to be ready
      ansible.builtin.wait_for:
        port: "{{ portainer_agent_port }}"
-        host: "{{ ansible_host }}"
+        host: "127.0.0.1"
        delay: 3
        timeout: 30
-      delegate_to: localhost
-      become: false
      when: agent_deployed is changed


@ -166,12 +167,13 @@
        status_code: 200
        validate_certs: false
      register: existing_endpoints
+      ignore_errors: true

    - name: Determine if this host is already enrolled
      ansible.builtin.set_fact:
        already_enrolled: >-
          {{
-            existing_endpoints.json
+            (existing_endpoints.json | default([]))
            | selectattr('Name', 'equalto', inventory_hostname)
            | list | length > 0
          }}
@ -187,25 +189,29 @@
          Name: "{{ inventory_hostname }}"
          EndpointCreationType: "2"
          URL: "tcp://{{ ansible_host }}:{{ portainer_agent_port }}"
+          TLS: "true"
+          TLSSkipVerify: "true"
+          TLSSkipClientVerify: "true"
        status_code: [200, 201]
        return_content: true
        validate_certs: false
      register: portainer_enroll
      when: not already_enrolled
+      ignore_errors: true

    - name: Store enrollment result
      ansible.builtin.set_fact:
        portainer_endpoint_id: >-
          {{
            (portainer_enroll.json.Id | string)
-            if (portainer_enroll is not skipped and portainer_enroll.json is defined)
+            if (portainer_enroll is not skipped and portainer_enroll is not failed and portainer_enroll.json is defined)
            else (
-              existing_endpoints.json
+              (existing_endpoints.json | default([]))
              | selectattr('Name', 'equalto', inventory_hostname)
-              | map(attribute='Id') | list | first | string
+              | map(attribute='Id') | list | first | default('unknown') | string
            )
          }}
-        portainer_enrolled_now: "{{ portainer_enroll is changed }}"
+        portainer_enrolled_now: "{{ portainer_enroll is changed and portainer_enroll is not failed }}"


 # ---------------------------------------------------------------------------