From 09474aafadfd30927ee3f00f340c67b6ff51d8e0 Mon Sep 17 00:00:00 2001
From: Hemanth Nakkina
Date: Fri, 13 Jan 2023 10:12:00 +0530
Subject: [PATCH] [microk8s-cloud] support strict confinement for snaps

Parameterize microk8s snap installation to choose channel and confinement. In case of strict confinement, change the group and escalate the privileges to run microk8s command. Ensure ~/.local/share directory exists that allows running juju commands in strict confinement mode. Fix linting issues.
Change-Id: Iba52349df9c6d077cd33a4786359fc2d54182068
---
 playbooks/charmbuild.yaml | 2 +-
 playbooks/collect-run-data.yaml | 2 +-
 playbooks/zaza-smoke-test.yaml | 6 +++---
 roles/microk8s-cloud/tasks/main.yaml | 23 +++++++++++++++++++----
 tox.ini | 4 +++-
 5 files changed, 27 insertions(+), 10 deletions(-)

diff --git a/playbooks/charmbuild.yaml b/playbooks/charmbuild.yaml
index 32f28c5..15f957d 100644
--- a/playbooks/charmbuild.yaml
+++ b/playbooks/charmbuild.yaml
@@ -1,3 +1,3 @@ - hosts: all roles: - - charmbuild + - charmbuild
diff --git a/playbooks/collect-run-data.yaml b/playbooks/collect-run-data.yaml
index 88260c7..cf81022 100644
--- a/playbooks/collect-run-data.yaml
+++ b/playbooks/collect-run-data.yaml
@@ -1,3 +1,3 @@ - hosts: all roles: - - collect-run-data + - collect-run-data
diff --git a/playbooks/zaza-smoke-test.yaml b/playbooks/zaza-smoke-test.yaml
index c3fdbee..a90329b 100644
--- a/playbooks/zaza-smoke-test.yaml
+++ b/playbooks/zaza-smoke-test.yaml
@@ -1,5 +1,5 @@ - hosts: all roles: - - use-docker-mirror - - microk8s-cloud - - zaza-smoke-test + - use-docker-mirror + - microk8s-cloud + - zaza-smoke-test
diff --git a/roles/microk8s-cloud/tasks/main.yaml b/roles/microk8s-cloud/tasks/main.yaml
index 7532a1a..1d25e46 100644
--- a/roles/microk8s-cloud/tasks/main.yaml
+++ b/roles/microk8s-cloud/tasks/main.yaml
@@ -3,16 +3,22 @@ name: snapd become: true +- name: set microk8s related variables + set_fact: + microk8s_group: "{{ 'microk8s' if microk8s_classic_mode | default(true) else 'snap_microk8s' }}" + microk8s_command_escalation: "{{ false if microk8s_classic_mode | default(true) else true }}" + - name: microk8s is installed snap: name: microk8s - classic: true + classic: "{{ microk8s_classic_mode | default(true) }}" + channel: "{{ microk8s_channel | default('latest/stable') }}" become: true - name: current user is in microk8s group user: name: "{{ ansible_user }}" - groups: microk8s + groups: "{{ microk8s_group }}" append: true become: true
@@ -30,7 +36,7 @@ path: /var/snap/microk8s/current/args/certs.d/docker.io state: directory owner: root - group: microk8s + group: "{{ microk8s_group }}" mode: '0770' - name: Render microk8s registry mirror template
@@ -39,7 +45,7 @@ template: src: hosts.j2 dest: /var/snap/microk8s/current/args/certs.d/docker.io/hosts.toml - group: microk8s + group: "{{ microk8s_group }}" vars: mirror_location: "{{ docker_mirror }}" server: https://docker.io
@@ -53,6 +59,7 @@ - name: microk8s is started command: cmd: microk8s start + become: "{{ microk8s_command_escalation }}" - name: microk8s is running and ready command:
@@ -65,12 +72,14 @@ cmd: microk8s enable dns register: res changed_when: '"already enabled" not in res.stdout' + become: "{{ microk8s_command_escalation }}" - name: microk8s hostpath storage addon is enabled command: cmd: microk8s enable hostpath-storage register: res changed_when: '"already enabled" not in res.stdout' + become: "{{ microk8s_command_escalation }}" - name: microk8s metallb addon is enabled command:
@@ -78,6 +87,7 @@ cmd: microk8s enable metallb:10.170.0.1-10.170.0.100 register: res changed_when: '"already enabled" not in res.stdout' + become: "{{ microk8s_command_escalation }}" - name: microk8s addons are ready command:
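Review bot: The default for `microk8s_classic_mode` is written out three times in this hunk (twice inside the new `set_fact` task and once in `classic:`), plus `microk8s_channel` once, so a caller who overrides one occurrence but not the others ends up with a confinement mode that does not match the group the later tasks chown to; declare both variables once in the role's defaults (`defaults/main.yaml` is the Ansible convention) and drop the inline `| default()` filters. The escalation fact also reads more directly as `microk8s_command_escalation: "{{ not (microk8s_classic_mode | default(true)) }}"`. Because a classic-confined snap runs without the snap sandbox and is installed here as root, pinning a specific track in that default instead of `latest/stable` would make what the role installs reproducible across CI runs; that is a preference rather than a defect. The task list continues outside the hunk on both sides.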
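Review bot: `become: "{{ microk8s_command_escalation }}"` on `microk8s start` runs the microk8s CLI as root whenever strict mode is selected, even though the user was added to `snap_microk8s` a few tasks earlier in this file; the reason is presumably that a group added with `append: true` is not active in the already-open Ansible session, and nothing in the hunk says so, which invites a later reader to either drop the escalation or keep it after a re-login step makes it unnecessary. I would put `# group added in 'current user is in microk8s group' is not active in this session; run as root in strict mode` above the first `become:` line. The same applies to the three `become:` lines added in hunks @@ -65 and @@ -78; since the escalation is needed only in one mode and on every microk8s call, a `block:` carrying a single `become:` would be less error-prone than per-task lines. The next task in this hunk, 'microk8s is running and ready', runs past the hunk, so I cannot see whether it received the same treatment; if it invokes microk8s it needs it too under strict confinement.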
@@ -98,6 +108,11 @@ channel: "{{ juju_channel | default('latest/stable') }}" become: true +- name: Ensure ~/.local/share directory exist + file: + path: ~/.local/share + state: directory + - name: juju is bootstrapped on microk8s command: cmd: juju bootstrap microk8s microk8s
diff --git a/tox.ini b/tox.ini
index 08c6996..9d382d8 100644
--- a/tox.ini
+++ b/tox.ini
@@ -8,7 +8,9 @@ basepython = python3 deps = -r{toxinidir}/test-requirements.txt [testenv:linters] -whitelist_externals = bash +allowlist_externals = + bash + {toxinidir}/tools/ansible-lint-roles-cache.sh setenv = ANSIBLE_ROLES_PATH={env:ANSIBLE_ROLES_PATH:{toxinidir}/.cache/ansible-lint/opendev/base-jobs/roles:{toxinidir}/.cache/ansible-lint/opendev/system-config/roles:{toxinidir}/.cache/ansible-lint/zuul/zuul-jobs/roles:{toxinidir}/.cache/ansible-lint/openstack/openstack-zuul-jobs/roles} commands =
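Review bot: The new `~/.local/share` task creates the directory with whatever permissions the remote user's umask yields and gives no hint why it exists; the commit message explains it is what lets the juju snap run under strict confinement, and that rationale belongs in the playbook, e.g. `# the strictly confined juju snap expects ~/.local/share to exist; juju keeps its client data (including controller credentials) under it` above the task. Given what juju stores there, an explicit `mode:` on the task would make the permission independent of the umask rather than leaving it to chance. The task runs without `become`, which is correct since `~` must expand to `ansible_user`'s home, but the name should read `Ensure ~/.local/share directory exists`. Whether the juju snap is strict depends on the `juju_channel` chosen two lines above, so the comment should say the directory is needed for strict channels rather than for juju in general.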
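Review bot: `allowlist_externals` replaced `whitelist_externals` in tox 3.18; older tox does not recognise the new key, so on such a runner `bash` and the new script are no longer allowed externals for the linters env. Unless `[tox] minversion` already pins a version at or above 3.18 (that section is outside the hunk), add `minversion = 3.18` to `[tox]` so the failure is a clear version error rather than a not-allowed-external warning. The added entry `{toxinidir}/tools/ansible-lint-roles-cache.sh` does not appear in the diffstat, so I assume it already exists in the tree; allowing it is only useful if `commands` below, which is cut off here, actually invokes it.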