Add ansible-lint CI

This commit includes a properly configured ansible-lint CI job and a large amount of changes to the existing playbooks so that the new CI passes. Some fixes were applied automatically with the --fix argument, many were made manually. There is some risk that the changes have altered the behaviour of the playbooks.
stackhpc · Nov 7, 2024 · 0be7a56 · 0be7a56
1 parent 161fbd7
commit 0be7a56
Show file tree

Hide file tree

Showing 70 changed files with 625 additions and 568 deletions.
diff --git a/.ansible-lint-ignore b/.ansible-lint-ignore
@@ -0,0 +1,7 @@
+# This file contains ignores rule violations for ansible-lint
+etc/kayobe/ansible/vault-deploy-barbican.yml fqcn[action-core]
+etc/kayobe/ansible/vault-generate-backend-tls.yml fqcn[action-core]
+etc/kayobe/ansible/vault-generate-internal-tls.yml fqcn[action-core]
+etc/kayobe/ansible/vault-generate-test-external-tls.yml fqcn[action-core]
+etc/kayobe/ansible/rabbitmq-reset.yml command-instead-of-module
+etc/kayobe/ansible/ubuntu-upgrade.yml syntax-check[missing-file]
diff --git a/.github/workflows/stackhpc-pull-request.yml b/.github/workflows/stackhpc-pull-request.yml
@@ -69,12 +69,9 @@ jobs:
       matrix:
         include:
           # NOTE(upgrade): Keep these in sync with Kayobe's supported Ansible and Python versions (see release notes).
-          - ansible: "2.12"
-            # ansible-lint 6+ is not supported on Python 3.8.
-            ansible-lint: "5"
-            python: "3.8"
-          - ansible: "2.13"
-            ansible-lint: "6"
+          - ansible: "2.16"
+            python: "3.12"
+          - ansible: "2.15"
             python: "3.10"
     name: Ansible ${{ matrix.ansible }} lint with Python ${{ matrix.python }}
     if: github.repository == 'stackhpc/stackhpc-kayobe-config'
@@ -90,7 +87,7 @@ jobs:
       - name: Install dependencies 📦
         run: |
           python -m pip install --upgrade pip
-          pip install ansible-core==${{ matrix.ansible }}.* ansible-lint==${{ matrix.ansible-lint }}.* -r requirements.txt
+          pip install ansible-core==${{ matrix.ansible }}.* ansible-lint -r requirements.txt
 
       - name: Install Ansible Galaxy collections and roles
         run: |
@@ -99,7 +96,7 @@ jobs:
 
       - name: Linting code 🧪
         run: |
-          ansible-lint -v --force-color etc/kayobe/ansible/
+          ansible-lint -v --force-color -x no-changed-when,risky-file-permissions,run-once,name[template],package-latest,yaml,role-name[path] etc/kayobe/ansible/.
 
   # A skipped job is treated as success when used as a required status check.
   # The registered required status checks refer to the name of the job in the

diff --git a/etc/kayobe/ansible/advise-run.yml b/etc/kayobe/ansible/advise-run.yml
@@ -1,47 +1,47 @@
 ---
 - name: ADVise run
   hosts: localhost
-  gather_facts: no
+  gather_facts: false
   tags:
     - advise
   vars:
-    venv: "~/venvs/advise-review"
+    venv: ~/venvs/advise-review
     input_dir: "{{ lookup('env', 'PWD') }}/overcloud-introspection-data"
     output_dir: "{{ lookup('env', 'PWD') }}/review"
-    advise_pattern: ".*.eval"  # Uses regex
+    advise_pattern: .*.eval # Uses regex
   tasks:
     - name: Install dependencies
-      pip:
+      ansible.builtin.pip:
         virtualenv: "{{ venv }}"
         name:
           - git+https://github.com/stackhpc/ADVise
         state: latest
-        virtualenv_command: "python3 -m venv"
+        virtualenv_command: python3 -m venv
 
     - name: Create data directory
-      file:
-        path: '{{ output_dir }}/data'
+      ansible.builtin.file:
+        path: "{{ output_dir }}/data"
         state: directory
 
     - name: Extract data
-      shell:
+      ansible.builtin.shell:
         cmd: >
           {{ venv }}/bin/m2-extract {{ input_dir }}/*.json --output_dir {{ output_dir }}/data
 
     - name: Create review directory
-      file:
-        path: '{{ output_dir }}/results'
+      ansible.builtin.file:
+        path: "{{ output_dir }}/results"
         state: directory
 
     - name: Process data
-      shell:
+      ansible.builtin.shell:
         cmd: >
           {{ venv }}/bin/advise-process
           -I ipmi
           -p '{{ output_dir }}/data/extra-hardware/{{ advise_pattern }}'
           -o '{{ output_dir }}'
 
     - name: Visualise data
-      command: >
+      ansible.builtin.command: >
         {{ venv }}/bin/advise-visualise
         --output_dir '{{ output_dir }}'
diff --git a/etc/kayobe/ansible/build-ofed-rocky.yml b/etc/kayobe/ansible/build-ofed-rocky.yml
@@ -6,8 +6,8 @@
   tasks:
     - name: Check whether noexec is enabled for /var/tmp
       ansible.builtin.lineinfile:
-        path: "/etc/fstab"
-        regexp: "noexec"
+        path: /etc/fstab
+        regexp: noexec
         state: absent
       changed_when: false
       check_mode: true
@@ -42,7 +42,8 @@
 
     - name: Add DOCA host repository package
       ansible.builtin.dnf:
-        name: https://developer.nvidia.com/downloads/networking/secure/doca-sdk/DOCA_2.8/doca-host-2.8.0-204000_{{ stackhpc_pulp_doca_ofed_version }}_rhel9{{ stackhpc_pulp_repo_rocky_9_minor_version }}.x86_64.rpm
+        name: "https://developer.nvidia.com/downloads/networking/secure/doca-sdk/DOCA_2.8/doca-host-2.8.0-204000_\
+              {{ stackhpc_pulp_doca_ofed_version }}_rhel9{{ stackhpc_pulp_repo_rocky_9_minor_version }}.x86_64.rpm"
         disable_gpg_check: true
 
     - name: Install DOCA extra packages
@@ -53,13 +54,13 @@
       ansible.builtin.file:
         path: /home/cloud-user/ofed
         state: directory
-        mode: 0777
+        mode: "0777"
 
     - name: Set build directory
       ansible.builtin.replace:
         path: /opt/mellanox/doca/tools/doca-kernel-support
-        regexp: 'TMP_DIR=\$1'
-        replace: 'TMP_DIR=/home/cloud-user/ofed'
+        regexp: TMP_DIR=\$1
+        replace: TMP_DIR=/home/cloud-user/ofed
 
     - name: Build OFED kernel modules
       ansible.builtin.shell:

diff --git a/etc/kayobe/ansible/cephadm-commands-post.yml b/etc/kayobe/ansible/cephadm-commands-post.yml
@@ -7,7 +7,8 @@
     - cephadm
     - cephadm-commands
   tasks:
-    - import_role:
+    - name: Apply Cephadm role
+      ansible.builtin.import_role:
         name: stackhpc.cephadm.commands
       vars:
         cephadm_commands: "{{ cephadm_commands_post | default([]) }}"
diff --git a/etc/kayobe/ansible/cephadm-commands-pre.yml b/etc/kayobe/ansible/cephadm-commands-pre.yml
@@ -7,7 +7,8 @@
     - cephadm
     - cephadm-commands
   tasks:
-    - import_role:
+    - name: Apply Cephadm role
+      ansible.builtin.import_role:
         name: stackhpc.cephadm.commands
       vars:
         cephadm_commands: "{{ cephadm_commands_pre | default([]) }}"
diff --git a/etc/kayobe/ansible/cephadm-crush-rules.yml b/etc/kayobe/ansible/cephadm-crush-rules.yml
@@ -7,5 +7,6 @@
     - cephadm
     - cephadm-crush-rules
   tasks:
-    - import_role:
+    - name: Apply Cephadm crush rule role
+      ansible.builtin.import_role:
         name: stackhpc.cephadm.crush_rules
diff --git a/etc/kayobe/ansible/cephadm-deploy.yml b/etc/kayobe/ansible/cephadm-deploy.yml
@@ -7,5 +7,6 @@
     - cephadm
     - cephadm-deploy
   tasks:
-    - import_role:
+    - name: Apply Cephadm role
+      ansible.builtin.import_role:
         name: stackhpc.cephadm.cephadm
diff --git a/etc/kayobe/ansible/cephadm-ec-profiles.yml b/etc/kayobe/ansible/cephadm-ec-profiles.yml
@@ -7,5 +7,6 @@
     - cephadm
     - cephadm-ec-profiles
   tasks:
-    - import_role:
+    - name: Apply Cephadm EC profiles role
+      ansible.builtin.import_role:
         name: stackhpc.cephadm.ec_profiles
diff --git a/etc/kayobe/ansible/cephadm-gather-keys.yml b/etc/kayobe/ansible/cephadm-gather-keys.yml
@@ -32,13 +32,13 @@
       loop: "{{ kolla_ceph_services | selectattr('required') | map(attribute='keys') | flatten | unique }}"
 
     - name: Generate ceph.conf
-      command: "cephadm shell -- ceph config generate-minimal-conf"
+      ansible.builtin.command: cephadm shell -- ceph config generate-minimal-conf
       become: true
       register: cephadm_ceph_conf
       changed_when: false
 
     - name: Ensure Kolla config directories are present
-      file:
+      ansible.builtin.file:
         state: directory
         path: "{{ kayobe_env_config_path }}/kolla/config/{{ kolla_service_to_key_dir[item.name] }}"
       loop: "{{ kolla_ceph_services | selectattr('required') }}"
@@ -51,7 +51,7 @@
         key_info: "{{ cephadm_key_info.results | selectattr('item', 'equalto', item.1) | first }}"
         cephadm_key: "{{ key_info.stdout }}"
         cephadm_user: "{{ item.1 }}"
-      copy:
+      ansible.builtin.copy:
         # Include a trailing newline.
         content: |
           {{ cephadm_key }}
@@ -63,7 +63,7 @@
       notify: Please add and commit the Kayobe configuration
 
     - name: Save ceph.conf to Kayobe configuration
-      copy:
+      ansible.builtin.copy:
         # Include a trailing newline.
         # Kolla Ansible's merge_configs module does not like the leading tabs in ceph.conf.
         content: |
@@ -77,7 +77,7 @@
 
   handlers:
     - name: Please add and commit the Kayobe configuration
-      debug:
+      ansible.builtin.debug:
         msg: >-
           Please add and commit the Ceph configuration files and keys in Kayobe
           configuration. Remember to encrypt the keys using Ansible Vault.
diff --git a/etc/kayobe/ansible/cephadm-keys.yml b/etc/kayobe/ansible/cephadm-keys.yml
@@ -7,5 +7,6 @@
     - cephadm
     - cephadm-keys
   tasks:
-    - import_role:
+    - name: Apply Cephadm keys role
+      ansible.builtin.import_role:
         name: stackhpc.cephadm.keys
diff --git a/etc/kayobe/ansible/cephadm-pools.yml b/etc/kayobe/ansible/cephadm-pools.yml
@@ -7,5 +7,6 @@
     - cephadm
     - cephadm-keys
   tasks:
-    - import_role:
+    - name: Apply Cephadm pools role
+      ansible.builtin.import_role:
         name: stackhpc.cephadm.pools
diff --git a/etc/kayobe/ansible/cephadm.yml b/etc/kayobe/ansible/cephadm.yml
@@ -1,9 +1,16 @@
 ---
 # Deploy Ceph via Cephadm. Create EC profiles, CRUSH rules, pools and keys.
-- import_playbook: cephadm-deploy.yml
-- import_playbook: cephadm-commands-pre.yml
-- import_playbook: cephadm-ec-profiles.yml
-- import_playbook: cephadm-crush-rules.yml
-- import_playbook: cephadm-pools.yml
-- import_playbook: cephadm-keys.yml
-- import_playbook: cephadm-commands-post.yml
+- name: Import Cephadm deploy playbook
+  import_playbook: cephadm-deploy.yml
+- name: Import Cephadm commands pre playbook
+  import_playbook: cephadm-commands-pre.yml
+- name: Import Cephadm ec profiles playbook
+  import_playbook: cephadm-ec-profiles.yml
+- name: Import Cephadm crush rules playbook
+  import_playbook: cephadm-crush-rules.yml
+- name: Import Cephadm pools playbook
+  import_playbook: cephadm-pools.yml
+- name: Import Cephadm keys playbook
+  import_playbook: cephadm-keys.yml
+- name: Import Cephadm commands post playbook
+  import_playbook: cephadm-commands-post.yml
diff --git a/etc/kayobe/ansible/check-tags.yml b/etc/kayobe/ansible/check-tags.yml
@@ -7,18 +7,19 @@
   gather_facts: false
   tasks:
     - name: Query images and tags
-      command:
+      ansible.builtin.command:
         cmd: >-
           {{ kayobe_config_path }}/../../tools/kolla-images.py list-tags
       register: kolla_images_result
       changed_when: false
 
     - name: Set a fact about images and tags
-      set_fact:
+      ansible.builtin.set_fact:
         kolla_images: "{{ kolla_images_result.stdout | from_yaml }}"
 
     # Use state=read and allow_missing=false to check for missing tags in test pulp.
-    - import_role:
+    - name: Check for missing tags
+      ansible.builtin.import_role:
         name: stackhpc.pulp.pulp_container_content
       vars:
         pulp_container_content: >-

diff --git a/etc/kayobe/ansible/cis.yml b/etc/kayobe/ansible/cis.yml
@@ -1,5 +1,4 @@
 ---
-
 - name: Security hardening
   hosts: cis-hardening
   become: true
@@ -9,14 +8,14 @@
     # TODO: Remove this when Red Hat FIPS policy has been updated to allow ed25519 keys.
     # https://gitlab.com/gitlab-org/gitlab/-/issues/367429#note_1840422075
     - name: Assert that we are using a supported SSH key
-      assert:
+      ansible.builtin.assert:
         that:
           - ssh_key_type != 'ed25519'
         fail_msg: FIPS policy does not currently support ed25519 SSH keys on RHEL family systems
       when: ansible_facts.os_family == 'RedHat'
 
     - name: Ensure the cron package is installed on ubuntu
-      package:
+      ansible.builtin.package:
         name: cron
         state: present
       when: ansible_facts.distribution == 'Ubuntu'
@@ -25,17 +24,19 @@
       # This is to workaround an issue where we set the expiry to 365 days on kayobe
       # service accounts in a previous iteration of the CIS benchmark hardening
       # defaults. This should restore the defaults and can eventually be removed.
-      command: chage -m 0 -M 99999 -W 7 -I -1 {{ item }}
+      ansible.builtin.command: chage -m 0 -M 99999 -W 7 -I -1 {{ item }}
       become: true
       changed_when: false
       with_items:
         - "{{ kayobe_ansible_user }}"
         - "{{ kolla_ansible_user }}"
 
-    - include_role:
+    - name: Run CIS hardening role (RHEL 9)
+      ansible.builtin.include_role:
         name: ansible-lockdown.rhel9_cis
       when: ansible_facts.os_family == 'RedHat' and ansible_facts.distribution_major_version == '9'
 
-    - include_role:
+    - name: Run CIS hardening role (Ubuntu 22)
+      ansible.builtin.include_role:
         name: ansible-lockdown.ubuntu22_cis
       when: ansible_facts.distribution == 'Ubuntu' and ansible_facts.distribution_major_version == '22'