Unpin ansible-lint
This patch unpins ansible-lint to fix the failing gate. All lint
errors have been fixed.
Change-Id: I2f8c90db5add09e27f71cf8aecca8d0e108a3de3
(cherry picked from commit 45081528b1)
This commit is contained in:
parent
f7494ce7dd
commit
5b26d929b4
@ -1,5 +1,5 @@
|
|||||||
---
|
---
|
||||||
- name: legacy vars warning
|
- name: Legacy vars warning
|
||||||
debug:
|
ansible.builtin.debug:
|
||||||
msg: "WARNING: Using legacy thales_hsm_ip_address and
|
msg: "WARNING: Using legacy thales_hsm_ip_address and
|
||||||
thales_hsm_config_location variables. Please udpate your vars file."
|
thales_hsm_config_location variables. Please udpate your vars file."
|
||||||
|
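Review bot: The warning text on the debug task still reads `Please udpate your vars file.` on both sides of the hunk; since the task is already being rewritten for the FQCN, fix the spelling to `Please update your vars file.` so the message operators see is correct. The handler rename to `Legacy vars warning` is matched by the `notify:` in the tasks/main.yaml hunk, so that part is consistent.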
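--- a/meta/main.yaml
+++ b/meta/main.yaml
@@ -0,0 +1,7 @@
+---
+galaxy_info:
+  role_name: thales_hsm
+  author: OpenStack Community
+  license: Apache-2.0
+  description: Manages Entrust nShield Connect HSMs and clients.
+  min_ansible_version: '2.8'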
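Review bot: `min_ansible_version: '2.8'` understates what the role now needs: the `ansible.builtin.*` module names introduced across this commit only resolve on ansible-core 2.10 and later, and `ansible.posix.seboolean` in the client tasks hunk additionally needs the ansible.posix collection, which this file does not declare. Raise it to `min_ansible_version: '2.10'`, add a top-level `collections:` list naming `ansible.posix`, and move the requirements hunk's new `ansible>=2.8.0` floor in step so the declared minimum matches the syntax actually used.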
@ -1,2 +1,2 @@
|
|||||||
pbr>=1.6
|
pbr>=1.6
|
||||||
ansible
|
ansible>=2.8.0
|
||||||
|
@ -1,117 +1,120 @@
|
|||||||
---
|
---
|
||||||
- name: Create working directory
|
- name: Create working directory
|
||||||
file:
|
ansible.builtin.file:
|
||||||
path: "{{ thales_client_working_dir }}"
|
path: "{{ thales_client_working_dir }}"
|
||||||
state: directory
|
state: directory
|
||||||
mode: 0755
|
mode: '755'
|
||||||
|
|
||||||
- name: create thales group
|
- name: Create thales group
|
||||||
group:
|
ansible.builtin.group:
|
||||||
name: nfast
|
name: nfast
|
||||||
gid: "{{ thales_client_gid }}"
|
gid: "{{ thales_client_gid }}"
|
||||||
|
|
||||||
- name: create thales user
|
- name: Create thales user
|
||||||
user:
|
ansible.builtin.user:
|
||||||
name: nfast
|
name: nfast
|
||||||
uid: "{{ thales_client_uid }}"
|
uid: "{{ thales_client_uid }}"
|
||||||
group: "{{ thales_client_gid }}"
|
group: "{{ thales_client_gid }}"
|
||||||
create_home: true
|
create_home: true
|
||||||
home: /opt/nfast
|
home: /opt/nfast
|
||||||
|
|
||||||
- name: set selinux bool to allow barbican containers to access /opt/nfast
|
- name: Set selinux bool to allow barbican containers to access /opt/nfast
|
||||||
seboolean:
|
ansible.posix.seboolean:
|
||||||
name: os_barbican_write_pki
|
name: os_barbican_write_pki
|
||||||
state: yes
|
state: true
|
||||||
persistent: yes
|
persistent: true
|
||||||
when: ansible_os_family | lower == 'redhat'
|
when: ansible_os_family | lower == 'redhat'
|
||||||
|
|
||||||
- name: Download Thales client tarball
|
- name: Download Thales client tarball
|
||||||
get_url:
|
ansible.builtin.get_url:
|
||||||
url: "{{ thales_client_tarball_location }}"
|
url: "{{ thales_client_tarball_location }}"
|
||||||
dest: "{{ thales_client_working_dir }}/{{ thales_client_tarball_name }}"
|
dest: "{{ thales_client_working_dir }}/{{ thales_client_tarball_name }}"
|
||||||
force: no
|
mode: '644'
|
||||||
|
force: false
|
||||||
|
|
||||||
- name: Unpack tarball to working directory
|
- name: Unpack tarball to working directory
|
||||||
unarchive:
|
ansible.builtin.unarchive:
|
||||||
src: "{{ thales_client_working_dir }}/{{ thales_client_tarball_name }}"
|
src: "{{ thales_client_working_dir }}/{{ thales_client_tarball_name }}"
|
||||||
dest: "{{ thales_client_working_dir }}"
|
dest: "{{ thales_client_working_dir }}"
|
||||||
creates: "{{ thales_client_working_dir }}/{{ thales_client_path }}"
|
creates: "{{ thales_client_working_dir }}/{{ thales_client_path }}"
|
||||||
remote_src: yes
|
remote_src: true
|
||||||
|
|
||||||
- name: Unpack tarball to /opt/nfast
|
- name: Unpack tarball to /opt/nfast
|
||||||
shell: |
|
ansible.builtin.shell: |
|
||||||
for i in `find "{{ thales_client_working_dir }}/{{ thales_client_path }}" -name *.tar` ; do
|
for i in `find "{{ thales_client_working_dir }}/{{ thales_client_path }}" -name *.tar` ; do
|
||||||
tar -C / -xvf $i ;
|
tar -C / -xvf $i ;
|
||||||
done
|
done
|
||||||
args:
|
args:
|
||||||
creates: /opt/nfast/sbin/install
|
creates: /opt/nfast/sbin/install
|
||||||
|
|
||||||
- name: check for libnsl dependency
|
- name: Check for libnsl dependency
|
||||||
stat:
|
ansible.builtin.stat:
|
||||||
path: /lib64/libnsl.so.1
|
path: /lib64/libnsl.so.1
|
||||||
register: st
|
register: st
|
||||||
|
|
||||||
- name: ensure libnsl dependency is installed
|
- name: Ensure libnsl dependency is installed
|
||||||
package:
|
ansible.builtin.package:
|
||||||
name: libnsl
|
name: libnsl
|
||||||
state: present
|
state: present
|
||||||
when: not st.stat.exists
|
when: not st.stat.exists
|
||||||
|
|
||||||
- name: run installer # noqa 306
|
- name: Run installer
|
||||||
shell: echo "1" | /opt/nfast/sbin/install
|
ansbile.builtin.shell: set -o pipefail && echo "1" | /opt/nfast/sbin/install
|
||||||
args:
|
args:
|
||||||
creates: /opt/nfast/kmdata
|
creates: /opt/nfast/kmdata
|
||||||
|
|
||||||
- name: Get the security world data
|
- name: Get the security world data
|
||||||
get_url:
|
ansible.builtin.get_url:
|
||||||
url: "{{ thales_km_data_location }}"
|
url: "{{ thales_km_data_location }}"
|
||||||
dest: "/root/{{ thales_km_data_tarball_name }}"
|
dest: "/root/{{ thales_km_data_tarball_name }}"
|
||||||
force: no
|
mode: '644'
|
||||||
|
force: false
|
||||||
|
|
||||||
- name: remove the old km_data
|
- name: Remove the old km_data
|
||||||
file:
|
ansible.builtin.file:
|
||||||
path: /opt/nfast/kmdata
|
path: /opt/nfast/kmdata
|
||||||
state: absent
|
state: absent
|
||||||
|
|
||||||
- name: replace kmdata
|
- name: Replace kmdata
|
||||||
unarchive:
|
ansible.builtin.unarchive:
|
||||||
src: "/root/{{ thales_km_data_tarball_name }}"
|
src: "/root/{{ thales_km_data_tarball_name }}"
|
||||||
dest: /opt/nfast
|
dest: /opt/nfast
|
||||||
remote_src: yes
|
remote_src: true
|
||||||
|
|
||||||
- name: create cknfastrc
|
- name: Create cknfastrc
|
||||||
template:
|
ansible.builtin.template:
|
||||||
src: cknfastrc.j2
|
src: cknfastrc.j2
|
||||||
dest: /opt/nfast/cknfastrc
|
dest: /opt/nfast/cknfastrc
|
||||||
mode: 0644
|
mode: '644'
|
||||||
|
|
||||||
- name: create snmp.conf
|
- name: Create snmp.conf
|
||||||
copy:
|
ansible.builtin.copy:
|
||||||
dest: /opt/nfast/etc/snmp/snmp.conf
|
dest: /opt/nfast/etc/snmp/snmp.conf
|
||||||
content: |
|
content: |
|
||||||
defaultPort 21161
|
defaultPort 21161
|
||||||
force: yes
|
force: true
|
||||||
mode: 0644
|
mode: '644'
|
||||||
|
|
||||||
- name: enroll client to hsms
|
- name: Enroll client to hsms
|
||||||
include_tasks: client_enroll.yaml
|
ansible.builtin.include_tasks: client_enroll.yaml
|
||||||
loop: "{{ nshield_hsms }}"
|
loop: "{{ nshield_hsms }}"
|
||||||
|
|
||||||
- name: set selinux contexts for /opt/nfast
|
- name: Set selinux contexts for /opt/nfast
|
||||||
command: restorecon -R /opt/nfast
|
ansible.builtin.command: restorecon -R /opt/nfast
|
||||||
|
|
||||||
- name: restart hardserver
|
- name: Restart hardserver
|
||||||
command: /opt/nfast/sbin/init.d-ncipher restart
|
ansible.builtin.command: /opt/nfast/sbin/init.d-ncipher restart
|
||||||
|
|
||||||
- name: do an enquiry to confirm connection
|
- name: Do an enquiry to confirm connection
|
||||||
command: /opt/nfast/bin/enquiry
|
ansible.builtin.command: /opt/nfast/bin/enquiry
|
||||||
register: enquiry
|
register: enquiry
|
||||||
|
|
||||||
- name: enquiry result
|
- name: Enquiry result
|
||||||
debug: var=enquiry
|
ansible.builtin.debug:
|
||||||
|
var: enquiry
|
||||||
|
|
||||||
- name: set up rfs_sync
|
- name: Set up rfs_sync
|
||||||
command: /opt/nfast/bin/rfs-sync --setup --no-authenticate {{ thales_rfs_server_ip_address }}
|
ansible.builtin.command: /opt/nfast/bin/rfs-sync --setup --no-authenticate {{ thales_rfs_server_ip_address }}
|
||||||
|
|
||||||
- name: get keys from rfs server
|
- name: Get keys from rfs server
|
||||||
command: /opt/nfast/bin/rfs-sync --update
|
ansible.builtin.command: /opt/nfast/bin/rfs-sync --update
|
||||||
|
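Review bot: The module name on the `Run installer` task is misspelled, `ansbile.builtin.shell:`, so the task cannot be resolved at run time; the same typo appears in the rfs.yaml hunk as `ansbile.builtin.include_tasks:`. The newly added `set -o pipefail` also only works if the task runs under bash, and `ansible.builtin.shell` defaults to /bin/sh, so add `executable: /bin/bash` beside the existing `creates:` under `args:`. Separately, the two `ansible.builtin.get_url` tasks still download tarballs with no `checksum:`, and the client tarball's contents are later extracted into `/` as root; a `checksum: "sha256:{{ thales_client_tarball_checksum }}"` line (variable name constructed here) would pin what gets installed.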
@ -1,10 +1,11 @@
|
|||||||
---
|
---
|
||||||
- name: run anonkneti to get hash for "{{ item.ip }}"
|
- name: Run anonkneti to get hash for "{{ item.ip }}"
|
||||||
command: /opt/nfast/bin/anonkneti "{{ item.ip }}"
|
ansible.builtin.command: /opt/nfast/bin/anonkneti "{{ item.ip }}"
|
||||||
register: anonkneti
|
register: anonkneti
|
||||||
|
|
||||||
- name: output of anonkneti
|
- name: Output of anonkneti
|
||||||
debug: var=anonkneti.stdout_lines
|
ansible.builtin.debug:
|
||||||
|
var: anonkneti.stdout_lines
|
||||||
|
|
||||||
- name: enroll client to HSM "{{ item.ip }}"
|
- name: Enroll client to HSM "{{ item.ip }}"
|
||||||
command: /opt/nfast/bin/nethsmenroll --force {{ item.ip }} {{ anonkneti.stdout_lines[0] }}
|
ansible.builtin.command: /opt/nfast/bin/nethsmenroll --force {{ item.ip }} {{ anonkneti.stdout_lines[0] }}
|
||||||
|
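Review bot: The enrollment step takes the HSM identity hash from `anonkneti` run against the same `{{ item.ip }}` it then enrolls with `--force`, so what is verified appears to be only that the address answered, not that it is the expected HSM. If a per-HSM expected hash can be carried in the `nshield_hsms` entries (for example an `item.kneti_hash` field, name constructed here), comparing `anonkneti.stdout_lines[0]` against it before `nethsmenroll` runs would turn trust-on-first-use into an actual check. This is pre-existing behaviour rather than something the commit introduces, and I have not confirmed the tooling's exact output format, so treat the field name and comparison as a sketch.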
@ -1,17 +1,16 @@
|
|||||||
---
|
---
|
||||||
- name: allow using legacy variables for backwards compatibility
|
- name: Allow using legacy variables for backwards compatibility
|
||||||
set_fact:
|
ansible.builtin.set_fact:
|
||||||
args:
|
nshield_hsms:
|
||||||
nshield_hsms:
|
- name: Legacy variables HSM
|
||||||
- name: Legacy variables HSM
|
ip: "{{ thales_hsm_ip_address }}"
|
||||||
ip: "{{ thales_hsm_ip_address }}"
|
|
||||||
when: nshield_hsms is not defined and thales_hsm_ip_address is defined
|
when: nshield_hsms is not defined and thales_hsm_ip_address is defined
|
||||||
notify: legacy vars warning
|
notify: Legacy vars warning
|
||||||
|
|
||||||
- name: Include RFS tasks
|
- name: Include RFS tasks
|
||||||
include_tasks: rfs.yaml
|
ansible.builtin.include_tasks: rfs.yaml
|
||||||
when: thales_configure_rfs
|
when: thales_configure_rfs
|
||||||
|
|
||||||
- name: Include client installation tasks
|
- name: Include client installation tasks
|
||||||
include_tasks: client.yaml
|
ansible.builtin.include_tasks: client.yaml
|
||||||
when: thales_install_client
|
when: thales_install_client
|
||||||
|
@ -1,9 +1,9 @@
|
|||||||
---
|
---
|
||||||
# This role adds a new IP address to the RFS conf file
|
# This role adds a new IP address to the RFS conf file
|
||||||
|
|
||||||
- name: add client ips to hsms
|
- name: Add client ips to hsms
|
||||||
include_tasks: rfs_register_client.yaml
|
ansbile.builtin.include_tasks: rfs_register_client.yaml
|
||||||
loop: "{{ nshield_hsms }}"
|
loop: "{{ nshield_hsms }}"
|
||||||
|
|
||||||
- name: allow bootstrap server to update the RFS server
|
- name: Allow bootstrap server to update the RFS server
|
||||||
command: "/opt/nfast/bin/rfs-setup --gang-client --write-noauth {{ thales_bootstrap_client_ip }}"
|
ansible.builtin.command: "/opt/nfast/bin/rfs-setup --gang-client --write-noauth {{ thales_bootstrap_client_ip }}"
|
||||||
|
@ -1,21 +1,24 @@
|
|||||||
---
|
---
|
||||||
- name: run anonkneti to get esn for "{{ item.ip }}"
|
- name: Run anonkneti to get esn for "{{ item.ip }}"
|
||||||
command: /opt/nfast/bin/anonkneti "{{ item.ip }}"
|
ansible.builtin.command: /opt/nfast/bin/anonkneti "{{ item.ip }}"
|
||||||
register: anonkneti
|
register: anonkneti
|
||||||
|
|
||||||
- name: output of anonkneti
|
- name: Output of anonkneti
|
||||||
debug: var=anonkneti.stdout_lines
|
ansible.builtin.debug:
|
||||||
|
var: anonkneti.stdout_lines
|
||||||
|
|
||||||
- name: get the esn
|
- name: Get the esn
|
||||||
set_fact:
|
ansible.builtin.set_fact:
|
||||||
esn: "{{ anonkneti.stdout_lines[0].split()[0] }}"
|
esn: "{{ anonkneti.stdout_lines[0].split()[0] }}"
|
||||||
|
|
||||||
- name: run script to add {{ thales_client_ips }} to config.new on "{{ item.ip }}" esn "{{ esn }}"
|
- name: "Adding client IPs to config for HSM {{ esn }}"
|
||||||
script: "{{ role_path }}/files/add_ips.py --config-dir /opt/nfast/kmdata/hsm-{{ esn }}/config --ips {{ thales_client_ips }}"
|
ansible.builtin.script: "{{ role_path }}/files/add_ips.py --config-dir /opt/nfast/kmdata/hsm-{{ esn }}/config --ips {{ thales_client_ips }}"
|
||||||
|
|
||||||
- name: push new config to the HSM and check that it was successful
|
- name: Push new config to the HSM and check that it was successful
|
||||||
shell: "/opt/nfast/bin/cfg-pushnethsm -a {{ item.ip }} /opt/nfast/kmdata/hsm-{{ esn }}/config/config.new && sleep 5 && diff /opt/nfast/kmdata/hsm-{{ esn }}/config/config /opt/nfast/kmdata/hsm-{{ esn }}/config/config.new" # noqa 204
|
ansible.builtin.shell: |
|
||||||
|
/opt/nfast/bin/cfg-pushnethsm -a {{ item.ip }} /opt/nfast/kmdata/hsm-{{ esn }}/config/config.new && \
|
||||||
|
sleep 5 && \
|
||||||
|
diff /opt/nfast/kmdata/hsm-{{ esn }}/config/config /opt/nfast/kmdata/hsm-{{ esn }}/config/config.new
|
||||||
register: result
|
register: result
|
||||||
until: result.rc == 0
|
until: result.rc == 0
|
||||||
retries: 10
|
retries: 10
|
||||||
|
|
||||||
|
@ -1,5 +1 @@
|
|||||||
# NOTE(elod.illes): ansible 6.0.0 introduced new rules that needs to be
|
ansible-lint
|
||||||
# fixed, like fqcn-builtins, etc. Due to Yoga release happens soon
|
|
||||||
# let's just cap ansible-lint. This needs a separate fix in the future
|
|
||||||
# to be able to remove the cap.
|
|
||||||
ansible-lint<6.0.0
|
|
||||||
|