Nginx playbook does not correctly remove config files #5603

Open
acozine opened this issue Dec 5, 2024 · 3 comments
acozine commented Dec 5, 2024

Expected behavior

When I run the nginxplus.yml playbook with -e nginx_cleanup_config=true, Ansible should remove any configs that no longer exist in the config directory. Here's the comment that describes this.

Actual behavior

Today we moved the catalog-staging site to the dev load balancers with #5600. Running the nginxplus.yml playbook against the production load balancers with -e nginx_cleanup_config=true should have removed the catalog-staging config, but it did not. Since the SSL certificates had already been removed, this caused nginx -t to fail with

Error messages

nginx: [emerg] cannot load certificate \"/etc/letsencrypt/live/catalog-staging/fullchain.pem\": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/catalog-staging/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)", "nginx: configuration file /etc/nginx/nginx.conf test failed"]

Steps to replicate

Move or remove a configuration file from the nginx role, remove the certificates from the load balancers, run the nginxplus.yml playbook.

Impact of this bug

We have to manually update the load balancers when we migrate or remove sites.

@acozine acozine added the bug label Dec 5, 2024
acozine commented Dec 5, 2024

I think this was caused by our use of tags - when I ran the playbook, I passed -e nginx_cleanup_config=true AND -t update_conf. But the include task for the config cleanup isn't tagged . . . not sure how to make this work the way I expected. The fix may be to change the documentation/hint in the playbook.

@acozine acozine self-assigned this Dec 6, 2024
kayiwa commented Dec 7, 2024

When you left the ensemble, we removed the catalog-staging certificates. So it seems to me the error correctly said the files were not on the prod load balancers.

acozine commented Dec 9, 2024

Yes, the error was correct, but we should have removed the config file when we removed the certificates. The way it was left, we couldn't run the regular config-update playbook because it failed nginx -t.

@Beck-Davis Beck-Davis self-assigned this Dec 13, 2024
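
The state this thread describes (a site config left on a load balancer after its certificates were removed) can be detected before `nginx -t` runs. The following is an added example, not code from this repository: the function name `find_stale_confs` and the directory argument are assumptions, and it assumes absolute certificate paths, one directive per line, and no whitespace in paths.

```shell
#!/bin/sh
# Added example: report nginx config files whose ssl_certificate or
# ssl_certificate_key directives point at files that no longer exist.

# find_stale_confs DIR
#   Prints one "conf_file: missing_path" line per missing file.
#   Returns 0 when every referenced file exists, 1 otherwise.
find_stale_confs() {
  conf_dir=$1
  stale=""
  for conf in "$conf_dir"/*.conf; do
    [ -f "$conf" ] || continue
    # Drop comments first so disabled directives are ignored, then
    # extract the (optionally double-quoted) path argument.
    paths=$(sed -e 's/#.*//' "$conf" |
      sed -n -E 's/^[[:space:]]*ssl_certificate(_key)?[[:space:]]+"?([^;"[:space:]]+)"?[[:space:]]*;.*/\2/p')
    for path in $paths; do
      # Paths built from nginx variables cannot be resolved here.
      case $path in
        *'$'*) continue ;;
      esac
      if [ ! -e "$path" ]; then
        stale="${stale}${conf}: ${path}
"
      fi
    done
  done
  printf '%s' "$stale"
  [ -z "$stale" ]
}

# Stand-alone use: pass the config directory as the first argument,
# for example the directory the playbook deploys site configs into.
if [ "$#" -gt 0 ]; then
  find_stale_confs "$1"
fi
```

A non-zero exit status means at least one config would make `nginx -t` fail for a missing certificate or key, so the config can be removed or the certificate restored before the regular config-update run.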