Unpin ansible-lint

This patch unpins ansible-lint to fix the failing gate.  All lint
errors have been fixed.

Change-Id: I2f8c90db5add09e27f71cf8aecca8d0e108a3de3
Douglas Mendizábal 2023-09-21 17:10:19 -04:00
parent 49970b3ceb
commit 45081528b1
9 changed files with 128 additions and 119 deletions


@ -1,5 +1,5 @@
---
- name: legacy vars warning
debug:
- name: Legacy vars warning
ansible.builtin.debug:
msg: "WARNING: Using legacy thales_hsm_ip_address and
thales_hsm_config_location variables. Please udpate your vars file."

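--- /dev/null
+++ b/meta/main.yaml
@@ -0,0 +1,7 @@
+---
+galaxy_info:
+role_name: thales_hsm
+author: OpenStack Community
+license: Apache-2.0
+description: Manages Entrust nShield Connect HSMs and clients.
+min_ansible_version: '2.8'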


@ -1,2 +1,2 @@
pbr>=1.6
ansible
ansible>=2.8.0
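Review bot: The floor `ansible>=2.8.0` looks too low for what the rest of this commit does: every task is rewritten to `ansible.builtin.*` names, and as far as I know that namespace only resolves from the 2.10 series onward. The client tasks also now call `ansible.posix.seboolean`, which lives in a separate collection that has to be installed alongside the core engine. Consider raising this bound and the `min_ansible_version: '2.8'` in `meta/main.yaml` to the lowest release the gate actually tests, and declaring the `ansible.posix` dependency.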


@ -1,117 +1,120 @@
---
- name: Create working directory
file:
ansible.builtin.file:
path: "{{ thales_client_working_dir }}"
state: directory
mode: 0755
mode: '755'
- name: create thales group
group:
- name: Create thales group
ansible.builtin.group:
name: nfast
gid: "{{ thales_client_gid }}"
- name: create thales user
user:
- name: Create thales user
ansible.builtin.user:
name: nfast
uid: "{{ thales_client_uid }}"
group: "{{ thales_client_gid }}"
create_home: true
home: /opt/nfast
- name: set selinux bool to allow barbican containers to access /opt/nfast
seboolean:
- name: Set selinux bool to allow barbican containers to access /opt/nfast
ansible.posix.seboolean:
name: os_barbican_write_pki
state: yes
persistent: yes
state: true
persistent: true
when: ansible_os_family | lower == 'redhat'
- name: Download Thales client tarball
get_url:
ansible.builtin.get_url:
url: "{{ thales_client_tarball_location }}"
dest: "{{ thales_client_working_dir }}/{{ thales_client_tarball_name }}"
force: no
mode: '644'
force: false
- name: Unpack tarball to working directory
unarchive:
ansible.builtin.unarchive:
src: "{{ thales_client_working_dir }}/{{ thales_client_tarball_name }}"
dest: "{{ thales_client_working_dir }}"
creates: "{{ thales_client_working_dir }}/{{ thales_client_path }}"
remote_src: yes
remote_src: true
- name: Unpack tarball to /opt/nfast
shell: |
ansible.builtin.shell: |
for i in `find "{{ thales_client_working_dir }}/{{ thales_client_path }}" -name *.tar` ; do
tar -C / -xvf $i ;
done
args:
creates: /opt/nfast/sbin/install
- name: check for libnsl dependency
stat:
- name: Check for libnsl dependency
ansible.builtin.stat:
path: /lib64/libnsl.so.1
register: st
- name: ensure libnsl dependency is installed
package:
- name: Ensure libnsl dependency is installed
ansible.builtin.package:
name: libnsl
state: present
when: not st.stat.exists
- name: run installer # noqa 306
shell: echo "1" | /opt/nfast/sbin/install
- name: Run installer
ansbile.builtin.shell: set -o pipefail && echo "1" | /opt/nfast/sbin/install
args:
creates: /opt/nfast/kmdata
- name: Get the security world data
get_url:
ansible.builtin.get_url:
url: "{{ thales_km_data_location }}"
dest: "/root/{{ thales_km_data_tarball_name }}"
force: no
mode: '644'
force: false
- name: remove the old km_data
file:
- name: Remove the old km_data
ansible.builtin.file:
path: /opt/nfast/kmdata
state: absent
- name: replace kmdata
unarchive:
- name: Replace kmdata
ansible.builtin.unarchive:
src: "/root/{{ thales_km_data_tarball_name }}"
dest: /opt/nfast
remote_src: yes
remote_src: true
- name: create cknfastrc
template:
- name: Create cknfastrc
ansible.builtin.template:
src: cknfastrc.j2
dest: /opt/nfast/cknfastrc
mode: 0644
mode: '644'
- name: create snmp.conf
copy:
- name: Create snmp.conf
ansible.builtin.copy:
dest: /opt/nfast/etc/snmp/snmp.conf
content: |
defaultPort 21161
force: yes
mode: 0644
force: true
mode: '644'
- name: enroll client to hsms
include_tasks: client_enroll.yaml
- name: Enroll client to hsms
ansible.builtin.include_tasks: client_enroll.yaml
loop: "{{ nshield_hsms }}"
- name: set selinux contexts for /opt/nfast
command: restorecon -R /opt/nfast
- name: Set selinux contexts for /opt/nfast
ansible.builtin.command: restorecon -R /opt/nfast
- name: restart hardserver
command: /opt/nfast/sbin/init.d-ncipher restart
- name: Restart hardserver
ansible.builtin.command: /opt/nfast/sbin/init.d-ncipher restart
- name: do an enquiry to confirm connection
command: /opt/nfast/bin/enquiry
- name: Do an enquiry to confirm connection
ansible.builtin.command: /opt/nfast/bin/enquiry
register: enquiry
- name: enquiry result
debug: var=enquiry
- name: Enquiry result
ansible.builtin.debug:
var: enquiry
- name: set up rfs_sync
command: /opt/nfast/bin/rfs-sync --setup --no-authenticate {{ thales_rfs_server_ip_address }}
- name: Set up rfs_sync
ansible.builtin.command: /opt/nfast/bin/rfs-sync --setup --no-authenticate {{ thales_rfs_server_ip_address }}
- name: get keys from rfs server
command: /opt/nfast/bin/rfs-sync --update
- name: Get keys from rfs server
ansible.builtin.command: /opt/nfast/bin/rfs-sync --update
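Review bot: The `Run installer` task names its module `ansbile.builtin.shell`, a misspelling of `ansible.builtin.shell`, so the task cannot resolve to a module and the play will stop there; the same misspelling appears as `ansbile.builtin.include_tasks` in the `Add client ips to hsms` task of the RFS tasks file further down. The new `set -o pipefail` also depends on the shell: Ansible's shell module runs `/bin/sh` by default, which is not bash on every distribution, so add `executable: /bin/bash` under `args:`. Separately, the two `get_url` tasks now set `mode: '644'` but still pass no `checksum:`, and the first download is then unpacked into `/` and its installer run, presumably as root. A `checksum: "sha256:<expected-digest>"` value supplied from the vars file would pin what gets installed, and `mode: '600'` looks more appropriate for the security world tarball.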


@ -1,10 +1,11 @@
---
- name: run anonkneti to get hash for "{{ item.ip }}"
command: /opt/nfast/bin/anonkneti "{{ item.ip }}"
- name: Run anonkneti to get hash for "{{ item.ip }}"
ansible.builtin.command: /opt/nfast/bin/anonkneti "{{ item.ip }}"
register: anonkneti
- name: output of anonkneti
debug: var=anonkneti.stdout_lines
- name: Output of anonkneti
ansible.builtin.debug:
var: anonkneti.stdout_lines
- name: enroll client to HSM "{{ item.ip }}"
command: /opt/nfast/bin/nethsmenroll --force {{ item.ip }} {{ anonkneti.stdout_lines[0] }}
- name: Enroll client to HSM "{{ item.ip }}"
ansible.builtin.command: /opt/nfast/bin/nethsmenroll --force {{ item.ip }} {{ anonkneti.stdout_lines[0] }}
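Review bot: The enrol task passes `anonkneti.stdout_lines[0]` straight to `nethsmenroll --force`, so the ESN and key hash the client pins are whatever the address in `item.ip` reported a moment earlier; nothing compares them with a value obtained out of band. For an HSM client that is trust-on-first-use, and a host answering on that address at deploy time would be enrolled as the HSM. Consider letting each `nshield_hsms` entry carry the expected value (placeholder key `expected_esn_and_hash`) and adding an `ansible.builtin.assert` with `that: anonkneti.stdout_lines[0] == item.expected_esn_and_hash` before the enrol task. The same lookup-then-use pattern is in the RFS client-registration tasks below.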


@ -1,17 +1,16 @@
---
- name: allow using legacy variables for backwards compatibility
set_fact:
args:
- name: Allow using legacy variables for backwards compatibility
ansible.builtin.set_fact:
nshield_hsms:
- name: Legacy variables HSM
ip: "{{ thales_hsm_ip_address }}"
when: nshield_hsms is not defined and thales_hsm_ip_address is defined
notify: legacy vars warning
notify: Legacy vars warning
- name: Include RFS tasks
include_tasks: rfs.yaml
ansible.builtin.include_tasks: rfs.yaml
when: thales_configure_rfs
- name: Include client installation tasks
include_tasks: client.yaml
ansible.builtin.include_tasks: client.yaml
when: thales_install_client
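Review bot: `notify: Legacy vars warning` hangs off an `ansible.builtin.set_fact` task, and as far as I know `set_fact` always reports `ok` rather than `changed`, so the renamed handler would never be triggered and the deprecation warning never shown. If that is confirmed, replace the handler with an `ansible.builtin.debug` task in this file guarded by the same `when:` condition.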


@ -1,9 +1,9 @@
---
# This role adds a new IP address to the RFS conf file
- name: add client ips to hsms
include_tasks: rfs_register_client.yaml
- name: Add client ips to hsms
ansbile.builtin.include_tasks: rfs_register_client.yaml
loop: "{{ nshield_hsms }}"
- name: allow bootstrap server to update the RFS server
command: "/opt/nfast/bin/rfs-setup --gang-client --write-noauth {{ thales_bootstrap_client_ip }}"
- name: Allow bootstrap server to update the RFS server
ansible.builtin.command: "/opt/nfast/bin/rfs-setup --gang-client --write-noauth {{ thales_bootstrap_client_ip }}"


@ -1,21 +1,24 @@
---
- name: run anonkneti to get esn for "{{ item.ip }}"
command: /opt/nfast/bin/anonkneti "{{ item.ip }}"
- name: Run anonkneti to get esn for "{{ item.ip }}"
ansible.builtin.command: /opt/nfast/bin/anonkneti "{{ item.ip }}"
register: anonkneti
- name: output of anonkneti
debug: var=anonkneti.stdout_lines
- name: Output of anonkneti
ansible.builtin.debug:
var: anonkneti.stdout_lines
- name: get the esn
set_fact:
- name: Get the esn
ansible.builtin.set_fact:
esn: "{{ anonkneti.stdout_lines[0].split()[0] }}"
- name: run script to add {{ thales_client_ips }} to config.new on "{{ item.ip }}" esn "{{ esn }}"
script: "{{ role_path }}/files/add_ips.py --config-dir /opt/nfast/kmdata/hsm-{{ esn }}/config --ips {{ thales_client_ips }}"
- name: "Adding client IPs to config for HSM {{ esn }}"
ansible.builtin.script: "{{ role_path }}/files/add_ips.py --config-dir /opt/nfast/kmdata/hsm-{{ esn }}/config --ips {{ thales_client_ips }}"
- name: push new config to the HSM and check that it was successful
shell: "/opt/nfast/bin/cfg-pushnethsm -a {{ item.ip }} /opt/nfast/kmdata/hsm-{{ esn }}/config/config.new && sleep 5 && diff /opt/nfast/kmdata/hsm-{{ esn }}/config/config /opt/nfast/kmdata/hsm-{{ esn }}/config/config.new" # noqa 204
- name: Push new config to the HSM and check that it was successful
ansible.builtin.shell: |
/opt/nfast/bin/cfg-pushnethsm -a {{ item.ip }} /opt/nfast/kmdata/hsm-{{ esn }}/config/config.new && \
sleep 5 && \
diff /opt/nfast/kmdata/hsm-{{ esn }}/config/config /opt/nfast/kmdata/hsm-{{ esn }}/config/config.new
register: result
until: result.rc == 0
retries: 10
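Review bot: In the rewritten `Push new config to the HSM` task, `{{ item.ip }}` and `{{ esn }}` are expanded into the shell script unquoted, and `esn` is taken from the first line of `anonkneti` output, i.e. from data returned by the remote device. Pass them through the `quote` filter, e.g. `/opt/nfast/bin/cfg-pushnethsm -a {{ item.ip | quote }} /opt/nfast/kmdata/hsm-{{ esn | quote }}/config/config.new`, and do the same for the `diff` operands and for `--ips {{ thales_client_ips }}` in the `ansible.builtin.script` line. The new task name also drops `item.ip`, so adding it back would keep the play log showing which HSM each loop iteration touched.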


@ -1,5 +1 @@
# NOTE(elod.illes): ansible 6.0.0 introduced new rules that needs to be
# fixed, like fqcn-builtins, etc. Due to Yoga release happens soon
# let's just cap ansible-lint. This needs a separate fix in the future
# to be able to remove the cap.
ansible-lint<6.0.0
ansible-lint