From 45081528b194261cb948f05538e643c6ac7d869b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Douglas=20Mendiz=C3=A1bal?=
Date: Thu, 21 Sep 2023 17:10:19 -0400
Subject: [PATCH] Unpin ansible-lint
This patch unpins ansible-lint to fix the failing gate. All lint errors have been fixed.
Change-Id: I2f8c90db5add09e27f71cf8aecca8d0e108a3de3
---
handlers/main.yaml | 4 +-
meta/main.yaml | 7 ++
requirements.txt | 2 +-
tasks/client.yaml | 163 +++++++++++++++++----------------
tasks/client_enroll.yaml | 13 +-
tasks/main.yaml | 17 ++-
tasks/rfs.yaml | 8 +-
tasks/rfs_register_client.yaml | 27 +++---
test-requirements.txt | 6 +-
9 files changed, 128 insertions(+), 119 deletions(-)
create mode 100644 meta/main.yaml
diff --git a/handlers/main.yaml b/handlers/main.yaml
index d2b1d0b..beda678 100644
--- a/handlers/main.yaml
+++ b/handlers/main.yaml
@@ -1,5 +1,5 @@
 ---
-- name: legacy vars warning
- debug:
+- name: Legacy vars warning
+ ansible.builtin.debug:
 msg: "WARNING: Using legacy thales_hsm_ip_address and thales_hsm_config_location variables. Please udpate your vars file."
diff --git a/meta/main.yaml b/meta/main.yaml
new file mode 100644
index 0000000..e2e0d13
--- /dev/null
+++ b/meta/main.yaml
@@ -0,0 +1,7 @@
+---
+galaxy_info:
+ role_name: thales_hsm
+ author: OpenStack Community
+ license: Apache-2.0
+ description: Manages Entrust nShield Connect HSMs and clients.
+ min_ansible_version: '2.8'
diff --git a/requirements.txt b/requirements.txt
index 885c2cb..cb41d93 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,2 +1,2 @@
 pbr>=1.6
-ansible
+ansible>=2.8.0
diff --git a/tasks/client.yaml b/tasks/client.yaml
index 996c6d5..a6cd5d2 100644
--- a/tasks/client.yaml
+++ b/tasks/client.yaml
@@ -1,117 +1,120 @@
 ---
 - name: Create working directory
- file:
- path: "{{ thales_client_working_dir }}"
- state: directory
- mode: 0755
+ ansible.builtin.file:
+ path: "{{ thales_client_working_dir }}"
+ state: directory
+ mode: '755'
-- name: create thales group
- group:
- name: nfast
- gid: "{{ thales_client_gid }}"
+- name: Create thales group
+ ansible.builtin.group:
+ name: nfast
+ gid: "{{ thales_client_gid }}"
-- name: create thales user
- user:
- name: nfast
- uid: "{{ thales_client_uid }}"
- group: "{{ thales_client_gid }}"
- create_home: true
- home: /opt/nfast
+- name: Create thales user
+ ansible.builtin.user:
+ name: nfast
+ uid: "{{ thales_client_uid }}"
+ group: "{{ thales_client_gid }}"
+ create_home: true
+ home: /opt/nfast
-- name: set selinux bool to allow barbican containers to access /opt/nfast
- seboolean:
- name: os_barbican_write_pki
- state: yes
- persistent: yes
+- name: Set selinux bool to allow barbican containers to access /opt/nfast
+ ansible.posix.seboolean:
+ name: os_barbican_write_pki
+ state: true
+ persistent: true
 when: ansible_os_family | lower == 'redhat'
 - name: Download Thales client tarball
- get_url:
- url: "{{ thales_client_tarball_location }}"
- dest: "{{ thales_client_working_dir }}/{{ thales_client_tarball_name }}"
- force: no
+ ansible.builtin.get_url:
+ url: "{{ thales_client_tarball_location }}"
+ dest: "{{ thales_client_working_dir }}/{{ thales_client_tarball_name }}"
+ mode: '644'
+ force: false
 - name: Unpack tarball to working directory
- unarchive:
- src: "{{ thales_client_working_dir }}/{{ thales_client_tarball_name }}"
- dest: "{{ thales_client_working_dir }}"
- creates: "{{ thales_client_working_dir }}/{{ thales_client_path }}"
- remote_src: yes
+ ansible.builtin.unarchive:
+ src: "{{ thales_client_working_dir }}/{{ thales_client_tarball_name }}"
+ dest: "{{ thales_client_working_dir }}"
+ creates: "{{ thales_client_working_dir }}/{{ thales_client_path }}"
+ remote_src: true
 - name: Unpack tarball to /opt/nfast
- shell: |
- for i in `find "{{ thales_client_working_dir }}/{{ thales_client_path }}" -name *.tar` ; do
- tar -C / -xvf $i ;
- done
+ ansible.builtin.shell: |
+ for i in `find "{{ thales_client_working_dir }}/{{ thales_client_path }}" -name *.tar` ; do
+ tar -C / -xvf $i ;
+ done
 args:
- creates: /opt/nfast/sbin/install
+ creates: /opt/nfast/sbin/install
-- name: check for libnsl dependency
- stat:
+- name: Check for libnsl dependency
+ ansible.builtin.stat:
 path: /lib64/libnsl.so.1
 register: st
-- name: ensure libnsl dependency is installed
- package:
+- name: Ensure libnsl dependency is installed
+ ansible.builtin.package:
 name: libnsl
 state: present
 when: not st.stat.exists
-- name: run installer # noqa 306
- shell: echo "1" | /opt/nfast/sbin/install
+- name: Run installer
+ ansbile.builtin.shell: set -o pipefail && echo "1" | /opt/nfast/sbin/install
 args:
- creates: /opt/nfast/kmdata
+ creates: /opt/nfast/kmdata
 - name: Get the security world data
- get_url:
- url: "{{ thales_km_data_location }}"
- dest: "/root/{{ thales_km_data_tarball_name }}"
- force: no
+ ansible.builtin.get_url:
+ url: "{{ thales_km_data_location }}"
+ dest: "/root/{{ thales_km_data_tarball_name }}"
+ mode: '644'
+ force: false
-- name: remove the old km_data
- file:
- path: /opt/nfast/kmdata
- state: absent
+- name: Remove the old km_data
+ ansible.builtin.file:
+ path: /opt/nfast/kmdata
+ state: absent
-- name: replace kmdata
- unarchive:
- src: "/root/{{ thales_km_data_tarball_name }}"
- dest: /opt/nfast
- remote_src: yes
+- name: Replace kmdata
+ ansible.builtin.unarchive:
+ src: "/root/{{ thales_km_data_tarball_name }}"
+ dest: /opt/nfast
+ remote_src: true
-- name: create cknfastrc
- template:
- src: cknfastrc.j2
- dest: /opt/nfast/cknfastrc
- mode: 0644
+- name: Create cknfastrc
+ ansible.builtin.template:
+ src: cknfastrc.j2
+ dest: /opt/nfast/cknfastrc
+ mode: '644'
-- name: create snmp.conf
- copy:
- dest: /opt/nfast/etc/snmp/snmp.conf
- content: |
- defaultPort 21161
- force: yes
- mode: 0644
+- name: Create snmp.conf
+ ansible.builtin.copy:
+ dest: /opt/nfast/etc/snmp/snmp.conf
+ content: |
+ defaultPort 21161
+ force: true
+ mode: '644'
-- name: enroll client to hsms
- include_tasks: client_enroll.yaml
+- name: Enroll client to hsms
+ ansible.builtin.include_tasks: client_enroll.yaml
 loop: "{{ nshield_hsms }}"
-- name: set selinux contexts for /opt/nfast
- command: restorecon -R /opt/nfast
+- name: Set selinux contexts for /opt/nfast
+ ansible.builtin.command: restorecon -R /opt/nfast
-- name: restart hardserver
- command: /opt/nfast/sbin/init.d-ncipher restart
+- name: Restart hardserver
+ ansible.builtin.command: /opt/nfast/sbin/init.d-ncipher restart
-- name: do an enquiry to confirm connection
- command: /opt/nfast/bin/enquiry
+- name: Do an enquiry to confirm connection
+ ansible.builtin.command: /opt/nfast/bin/enquiry
 register: enquiry
-- name: enquiry result
- debug: var=enquiry
+- name: Enquiry result
+ ansible.builtin.debug:
+ var: enquiry
-- name: set up rfs_sync
- command: /opt/nfast/bin/rfs-sync --setup --no-authenticate {{ thales_rfs_server_ip_address }}
+- name: Set up rfs_sync
+ ansible.builtin.command: /opt/nfast/bin/rfs-sync --setup --no-authenticate {{ thales_rfs_server_ip_address }}
-- name: get keys from rfs server
- command: /opt/nfast/bin/rfs-sync --update
+- name: Get keys from rfs server
+ ansible.builtin.command: /opt/nfast/bin/rfs-sync --update
diff --git a/tasks/client_enroll.yaml b/tasks/client_enroll.yaml
index 94abcf1..86dc319 100644
--- a/tasks/client_enroll.yaml
+++ b/tasks/client_enroll.yaml
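Review bot: The Run installer task's new action line is misspelled, `+ ansbile.builtin.shell: set -o pipefail && echo "1" | /opt/nfast/sbin/install` — `ansbile` instead of `ansible` — so Ansible will fail to resolve the action when the role runs even though the lint gate now passes; the same typo is on the new side of tasks/rfs.yaml (`ansbile.builtin.include_tasks: rfs_register_client.yaml`), and both should read `ansible.builtin.…`. Separately, `set -o pipefail` is only accepted where the remote /bin/sh is bash (or another shell that implements it); on a target whose default shell lacks it the `&&` chain stops before the installer runs, so adding `executable: /bin/bash` under that task's existing `args:` makes the requirement explicit. While here, both `ansible.builtin.get_url` tasks in this hunk fetch the client tarball and the security-world data with no `checksum:`, so the integrity of what is later unpacked into / and /opt/nfast rests entirely on the URL source; a pinned value such as `checksum: "sha256:{{ thales_client_tarball_sha256 }}"` (variable name constructed) would let the play refuse a tampered or truncated download.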
@@ -1,10 +1,11 @@
 ---
-- name: run anonkneti to get hash for "{{ item.ip }}"
- command: /opt/nfast/bin/anonkneti "{{ item.ip }}"
+- name: Run anonkneti to get hash for "{{ item.ip }}"
+ ansible.builtin.command: /opt/nfast/bin/anonkneti "{{ item.ip }}"
 register: anonkneti
-- name: output of anonkneti
- debug: var=anonkneti.stdout_lines
+- name: Output of anonkneti
+ ansible.builtin.debug:
+ var: anonkneti.stdout_lines
-- name: enroll client to HSM "{{ item.ip }}"
- command: /opt/nfast/bin/nethsmenroll --force {{ item.ip }} {{ anonkneti.stdout_lines[0] }}
+- name: Enroll client to HSM "{{ item.ip }}"
+ ansible.builtin.command: /opt/nfast/bin/nethsmenroll --force {{ item.ip }} {{ anonkneti.stdout_lines[0] }}
diff --git a/tasks/main.yaml b/tasks/main.yaml
index 405572a..e0ea755 100644
--- a/tasks/main.yaml
+++ b/tasks/main.yaml
@@ -1,17 +1,16 @@
 ---
-- name: allow using legacy variables for backwards compatibility
- set_fact:
- args:
- nshield_hsms:
- - name: Legacy variables HSM
- ip: "{{ thales_hsm_ip_address }}"
+- name: Allow using legacy variables for backwards compatibility
+ ansible.builtin.set_fact:
+ nshield_hsms:
+ - name: Legacy variables HSM
+ ip: "{{ thales_hsm_ip_address }}"
 when: nshield_hsms is not defined and thales_hsm_ip_address is defined
- notify: legacy vars warning
+ notify: Legacy vars warning
 - name: Include RFS tasks
- include_tasks: rfs.yaml
+ ansible.builtin.include_tasks: rfs.yaml
 when: thales_configure_rfs
 - name: Include client installation tasks
- include_tasks: client.yaml
+ ansible.builtin.include_tasks: client.yaml
 when: thales_install_client
diff --git a/tasks/rfs.yaml b/tasks/rfs.yaml
index 3e6b083..b3cfb60 100644
--- a/tasks/rfs.yaml
+++ b/tasks/rfs.yaml
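Review bot: The last added line passes whatever anonkneti just printed straight into `nethsmenroll --force {{ item.ip }} {{ anonkneti.stdout_lines[0] }}`, so the client accepts the HSM identity line (the ESN and hash anonkneti returns) it learned over the network with no independent check, and `--force` overwrites any existing enrolment for that address; this is trust-on-first-use of the HSM at `item.ip`. If the inventory can carry the expected identity per HSM, comparing it before enrolling makes a wrong or substituted peer fail the play rather than get enrolled. A task like the one below, placed before the enrol task, keeps today's behaviour when no expected value is supplied (`item.kneti` is a constructed key name; use whatever the `nshield_hsms` entries actually provide).
```yaml
- name: Verify HSM identity reported by anonkneti
  ansible.builtin.assert:
    that:
      - anonkneti.stdout_lines[0] == item.kneti
    fail_msg: "HSM {{ item.ip }} reported an unexpected identity"
  when: item.kneti is defined

# … unchanged: Enroll client to HSM task …
```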
@@ -1,9 +1,9 @@
 ---
 # This role adds a new IP address to the RFS conf file
-- name: add client ips to hsms
- include_tasks: rfs_register_client.yaml
+- name: Add client ips to hsms
+ ansbile.builtin.include_tasks: rfs_register_client.yaml
 loop: "{{ nshield_hsms }}"
-- name: allow bootstrap server to update the RFS server
- command: "/opt/nfast/bin/rfs-setup --gang-client --write-noauth {{ thales_bootstrap_client_ip }}"
+- name: Allow bootstrap server to update the RFS server
+ ansible.builtin.command: "/opt/nfast/bin/rfs-setup --gang-client --write-noauth {{ thales_bootstrap_client_ip }}"
diff --git a/tasks/rfs_register_client.yaml b/tasks/rfs_register_client.yaml
index 59d897f..de09c8f 100644
--- a/tasks/rfs_register_client.yaml
+++ b/tasks/rfs_register_client.yaml
@@ -1,21 +1,24 @@
 ---
-- name: run anonkneti to get esn for "{{ item.ip }}"
- command: /opt/nfast/bin/anonkneti "{{ item.ip }}"
+- name: Run anonkneti to get esn for "{{ item.ip }}"
+ ansible.builtin.command: /opt/nfast/bin/anonkneti "{{ item.ip }}"
 register: anonkneti
-- name: output of anonkneti
- debug: var=anonkneti.stdout_lines
+- name: Output of anonkneti
+ ansible.builtin.debug:
+ var: anonkneti.stdout_lines
-- name: get the esn
- set_fact:
- esn: "{{ anonkneti.stdout_lines[0].split()[0] }}"
+- name: Get the esn
+ ansible.builtin.set_fact:
+ esn: "{{ anonkneti.stdout_lines[0].split()[0] }}"
-- name: run script to add {{ thales_client_ips }} to config.new on "{{ item.ip }}" esn "{{ esn }}"
- script: "{{ role_path }}/files/add_ips.py --config-dir /opt/nfast/kmdata/hsm-{{ esn }}/config --ips {{ thales_client_ips }}"
+- name: "Adding client IPs to config for HSM {{ esn }}"
+ ansible.builtin.script: "{{ role_path }}/files/add_ips.py --config-dir /opt/nfast/kmdata/hsm-{{ esn }}/config --ips {{ thales_client_ips }}"
-- name: push new config to the HSM and check that it was successful
- shell: "/opt/nfast/bin/cfg-pushnethsm -a {{ item.ip }} /opt/nfast/kmdata/hsm-{{ esn }}/config/config.new && sleep 5 && diff /opt/nfast/kmdata/hsm-{{ esn }}/config/config /opt/nfast/kmdata/hsm-{{ esn }}/config/config.new" # noqa 204
+- name: Push new config to the HSM and check that it was successful
+ ansible.builtin.shell: |
+ /opt/nfast/bin/cfg-pushnethsm -a {{ item.ip }} /opt/nfast/kmdata/hsm-{{ esn }}/config/config.new && \
+ sleep 5 && \
+ diff /opt/nfast/kmdata/hsm-{{ esn }}/config/config /opt/nfast/kmdata/hsm-{{ esn }}/config/config.new
 register: result
 until: result.rc == 0
 retries: 10
-
diff --git a/test-requirements.txt b/test-requirements.txt
index d3f9dee..6dd128e 100644
--- a/test-requirements.txt
+++ b/test-requirements.txt
@@ -1,5 +1 @@
-# NOTE(elod.illes): ansible 6.0.0 introduced new rules that needs to be
-# fixed, like fqcn-builtins, etc. Due to Yoga release happens soon
-# let's just cap ansible-lint. This needs a separate fix in the future
-# to be able to remove the cap.
-ansible-lint<6.0.0
+ansible-lint