Unpin ansible-lint
This patch unpins ansible-lint to fix the failing gate. All lint
errors have been fixed.
Change-Id: I2f8c90db5add09e27f71cf8aecca8d0e108a3de3
(cherry picked from commit 45081528b1
)
This commit is contained in:
parent
f7494ce7dd
commit
5b26d929b4
@ -1,5 +1,5 @@
|
||||
---
|
||||
- name: legacy vars warning
|
||||
debug:
|
||||
- name: Legacy vars warning
|
||||
ansible.builtin.debug:
|
||||
msg: "WARNING: Using legacy thales_hsm_ip_address and
|
||||
thales_hsm_config_location variables. Please udpate your vars file."
|
||||
|
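Review bot: The warning text on the new side still reads `Please udpate your vars file.`; since this line is being touched anyway, the operator-facing message should be corrected to `thales_hsm_config_location variables. Please update your vars file."`. The double-quoted scalar spans two lines and is folded into one string by YAML, so the fix is the single word only.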
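--- /dev/null
+++ b/meta/main.yaml
@@ -0,0 +1,7 @@
+---
+galaxy_info:
+  role_name: thales_hsm
+  author: OpenStack Community
+  license: Apache-2.0
+  description: Manages Entrust nShield Connect HSMs and clients.
+  min_ansible_version: '2.8'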
@ -1,2 +1,2 @@
|
||||
pbr>=1.6
|
||||
ansible
|
||||
ansible>=2.8.0
|
||||
|
@ -1,117 +1,120 @@
|
||||
---
|
||||
- name: Create working directory
|
||||
file:
|
||||
path: "{{ thales_client_working_dir }}"
|
||||
state: directory
|
||||
mode: 0755
|
||||
ansible.builtin.file:
|
||||
path: "{{ thales_client_working_dir }}"
|
||||
state: directory
|
||||
mode: '755'
|
||||
|
||||
- name: create thales group
|
||||
group:
|
||||
name: nfast
|
||||
gid: "{{ thales_client_gid }}"
|
||||
- name: Create thales group
|
||||
ansible.builtin.group:
|
||||
name: nfast
|
||||
gid: "{{ thales_client_gid }}"
|
||||
|
||||
- name: create thales user
|
||||
user:
|
||||
name: nfast
|
||||
uid: "{{ thales_client_uid }}"
|
||||
group: "{{ thales_client_gid }}"
|
||||
create_home: true
|
||||
home: /opt/nfast
|
||||
- name: Create thales user
|
||||
ansible.builtin.user:
|
||||
name: nfast
|
||||
uid: "{{ thales_client_uid }}"
|
||||
group: "{{ thales_client_gid }}"
|
||||
create_home: true
|
||||
home: /opt/nfast
|
||||
|
||||
- name: set selinux bool to allow barbican containers to access /opt/nfast
|
||||
seboolean:
|
||||
name: os_barbican_write_pki
|
||||
state: yes
|
||||
persistent: yes
|
||||
- name: Set selinux bool to allow barbican containers to access /opt/nfast
|
||||
ansible.posix.seboolean:
|
||||
name: os_barbican_write_pki
|
||||
state: true
|
||||
persistent: true
|
||||
when: ansible_os_family | lower == 'redhat'
|
||||
|
||||
- name: Download Thales client tarball
|
||||
get_url:
|
||||
url: "{{ thales_client_tarball_location }}"
|
||||
dest: "{{ thales_client_working_dir }}/{{ thales_client_tarball_name }}"
|
||||
force: no
|
||||
ansible.builtin.get_url:
|
||||
url: "{{ thales_client_tarball_location }}"
|
||||
dest: "{{ thales_client_working_dir }}/{{ thales_client_tarball_name }}"
|
||||
mode: '644'
|
||||
force: false
|
||||
|
||||
- name: Unpack tarball to working directory
|
||||
unarchive:
|
||||
src: "{{ thales_client_working_dir }}/{{ thales_client_tarball_name }}"
|
||||
dest: "{{ thales_client_working_dir }}"
|
||||
creates: "{{ thales_client_working_dir }}/{{ thales_client_path }}"
|
||||
remote_src: yes
|
||||
ansible.builtin.unarchive:
|
||||
src: "{{ thales_client_working_dir }}/{{ thales_client_tarball_name }}"
|
||||
dest: "{{ thales_client_working_dir }}"
|
||||
creates: "{{ thales_client_working_dir }}/{{ thales_client_path }}"
|
||||
remote_src: true
|
||||
|
||||
- name: Unpack tarball to /opt/nfast
|
||||
shell: |
|
||||
for i in `find "{{ thales_client_working_dir }}/{{ thales_client_path }}" -name *.tar` ; do
|
||||
tar -C / -xvf $i ;
|
||||
done
|
||||
ansible.builtin.shell: |
|
||||
for i in `find "{{ thales_client_working_dir }}/{{ thales_client_path }}" -name *.tar` ; do
|
||||
tar -C / -xvf $i ;
|
||||
done
|
||||
args:
|
||||
creates: /opt/nfast/sbin/install
|
||||
creates: /opt/nfast/sbin/install
|
||||
|
||||
- name: check for libnsl dependency
|
||||
stat:
|
||||
- name: Check for libnsl dependency
|
||||
ansible.builtin.stat:
|
||||
path: /lib64/libnsl.so.1
|
||||
register: st
|
||||
|
||||
- name: ensure libnsl dependency is installed
|
||||
package:
|
||||
- name: Ensure libnsl dependency is installed
|
||||
ansible.builtin.package:
|
||||
name: libnsl
|
||||
state: present
|
||||
when: not st.stat.exists
|
||||
|
||||
- name: run installer # noqa 306
|
||||
shell: echo "1" | /opt/nfast/sbin/install
|
||||
- name: Run installer
|
||||
ansbile.builtin.shell: set -o pipefail && echo "1" | /opt/nfast/sbin/install
|
||||
args:
|
||||
creates: /opt/nfast/kmdata
|
||||
creates: /opt/nfast/kmdata
|
||||
|
||||
- name: Get the security world data
|
||||
get_url:
|
||||
url: "{{ thales_km_data_location }}"
|
||||
dest: "/root/{{ thales_km_data_tarball_name }}"
|
||||
force: no
|
||||
ansible.builtin.get_url:
|
||||
url: "{{ thales_km_data_location }}"
|
||||
dest: "/root/{{ thales_km_data_tarball_name }}"
|
||||
mode: '644'
|
||||
force: false
|
||||
|
||||
- name: remove the old km_data
|
||||
file:
|
||||
path: /opt/nfast/kmdata
|
||||
state: absent
|
||||
- name: Remove the old km_data
|
||||
ansible.builtin.file:
|
||||
path: /opt/nfast/kmdata
|
||||
state: absent
|
||||
|
||||
- name: replace kmdata
|
||||
unarchive:
|
||||
src: "/root/{{ thales_km_data_tarball_name }}"
|
||||
dest: /opt/nfast
|
||||
remote_src: yes
|
||||
- name: Replace kmdata
|
||||
ansible.builtin.unarchive:
|
||||
src: "/root/{{ thales_km_data_tarball_name }}"
|
||||
dest: /opt/nfast
|
||||
remote_src: true
|
||||
|
||||
- name: create cknfastrc
|
||||
template:
|
||||
src: cknfastrc.j2
|
||||
dest: /opt/nfast/cknfastrc
|
||||
mode: 0644
|
||||
- name: Create cknfastrc
|
||||
ansible.builtin.template:
|
||||
src: cknfastrc.j2
|
||||
dest: /opt/nfast/cknfastrc
|
||||
mode: '644'
|
||||
|
||||
- name: create snmp.conf
|
||||
copy:
|
||||
dest: /opt/nfast/etc/snmp/snmp.conf
|
||||
content: |
|
||||
defaultPort 21161
|
||||
force: yes
|
||||
mode: 0644
|
||||
- name: Create snmp.conf
|
||||
ansible.builtin.copy:
|
||||
dest: /opt/nfast/etc/snmp/snmp.conf
|
||||
content: |
|
||||
defaultPort 21161
|
||||
force: true
|
||||
mode: '644'
|
||||
|
||||
- name: enroll client to hsms
|
||||
include_tasks: client_enroll.yaml
|
||||
- name: Enroll client to hsms
|
||||
ansible.builtin.include_tasks: client_enroll.yaml
|
||||
loop: "{{ nshield_hsms }}"
|
||||
|
||||
- name: set selinux contexts for /opt/nfast
|
||||
command: restorecon -R /opt/nfast
|
||||
- name: Set selinux contexts for /opt/nfast
|
||||
ansible.builtin.command: restorecon -R /opt/nfast
|
||||
|
||||
- name: restart hardserver
|
||||
command: /opt/nfast/sbin/init.d-ncipher restart
|
||||
- name: Restart hardserver
|
||||
ansible.builtin.command: /opt/nfast/sbin/init.d-ncipher restart
|
||||
|
||||
- name: do an enquiry to confirm connection
|
||||
command: /opt/nfast/bin/enquiry
|
||||
- name: Do an enquiry to confirm connection
|
||||
ansible.builtin.command: /opt/nfast/bin/enquiry
|
||||
register: enquiry
|
||||
|
||||
- name: enquiry result
|
||||
debug: var=enquiry
|
||||
- name: Enquiry result
|
||||
ansible.builtin.debug:
|
||||
var: enquiry
|
||||
|
||||
- name: set up rfs_sync
|
||||
command: /opt/nfast/bin/rfs-sync --setup --no-authenticate {{ thales_rfs_server_ip_address }}
|
||||
- name: Set up rfs_sync
|
||||
ansible.builtin.command: /opt/nfast/bin/rfs-sync --setup --no-authenticate {{ thales_rfs_server_ip_address }}
|
||||
|
||||
- name: get keys from rfs server
|
||||
command: /opt/nfast/bin/rfs-sync --update
|
||||
- name: Get keys from rfs server
|
||||
ansible.builtin.command: /opt/nfast/bin/rfs-sync --update
|
||||
|
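Review bot: The "Run installer" task's action key is misspelled `ansbile.builtin.shell`, so Ansible cannot resolve the module and the play fails at that task; it should be `ansible.builtin.shell: set -o pipefail && echo "1" | /opt/nfast/sbin/install`. The rfs.yaml hunk carries the same typo in `ansbile.builtin.include_tasks: rfs_register_client.yaml`. The newly added `set -o pipefail` is a bash feature while ansible.builtin.shell runs /bin/sh by default, so on hosts where /bin/sh is not bash the command errors before the installer is reached; pinning the interpreter with `executable: /bin/bash` under the task's `args:` alongside `creates:` avoids that. Both `ansible.builtin.get_url` tasks in this hunk still fetch the client tarball and the security-world data without a `checksum:` argument, and the tarball is then unpacked into `/` as root, so adding `checksum: "sha256:<expected-digest>"` from a trusted source would make a corrupted or tampered download fail before extraction.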
@ -1,10 +1,11 @@
|
||||
---
|
||||
- name: run anonkneti to get hash for "{{ item.ip }}"
|
||||
command: /opt/nfast/bin/anonkneti "{{ item.ip }}"
|
||||
- name: Run anonkneti to get hash for "{{ item.ip }}"
|
||||
ansible.builtin.command: /opt/nfast/bin/anonkneti "{{ item.ip }}"
|
||||
register: anonkneti
|
||||
|
||||
- name: output of anonkneti
|
||||
debug: var=anonkneti.stdout_lines
|
||||
- name: Output of anonkneti
|
||||
ansible.builtin.debug:
|
||||
var: anonkneti.stdout_lines
|
||||
|
||||
- name: enroll client to HSM "{{ item.ip }}"
|
||||
command: /opt/nfast/bin/nethsmenroll --force {{ item.ip }} {{ anonkneti.stdout_lines[0] }}
|
||||
- name: Enroll client to HSM "{{ item.ip }}"
|
||||
ansible.builtin.command: /opt/nfast/bin/nethsmenroll --force {{ item.ip }} {{ anonkneti.stdout_lines[0] }}
|
||||
|
@ -1,17 +1,16 @@
|
||||
---
|
||||
- name: allow using legacy variables for backwards compatibility
|
||||
set_fact:
|
||||
args:
|
||||
nshield_hsms:
|
||||
- name: Legacy variables HSM
|
||||
ip: "{{ thales_hsm_ip_address }}"
|
||||
- name: Allow using legacy variables for backwards compatibility
|
||||
ansible.builtin.set_fact:
|
||||
nshield_hsms:
|
||||
- name: Legacy variables HSM
|
||||
ip: "{{ thales_hsm_ip_address }}"
|
||||
when: nshield_hsms is not defined and thales_hsm_ip_address is defined
|
||||
notify: legacy vars warning
|
||||
notify: Legacy vars warning
|
||||
|
||||
- name: Include RFS tasks
|
||||
include_tasks: rfs.yaml
|
||||
ansible.builtin.include_tasks: rfs.yaml
|
||||
when: thales_configure_rfs
|
||||
|
||||
- name: Include client installation tasks
|
||||
include_tasks: client.yaml
|
||||
ansible.builtin.include_tasks: client.yaml
|
||||
when: thales_install_client
|
||||
|
@ -1,9 +1,9 @@
|
||||
---
|
||||
# This role adds a new IP address to the RFS conf file
|
||||
|
||||
- name: add client ips to hsms
|
||||
include_tasks: rfs_register_client.yaml
|
||||
- name: Add client ips to hsms
|
||||
ansbile.builtin.include_tasks: rfs_register_client.yaml
|
||||
loop: "{{ nshield_hsms }}"
|
||||
|
||||
- name: allow bootstrap server to update the RFS server
|
||||
command: "/opt/nfast/bin/rfs-setup --gang-client --write-noauth {{ thales_bootstrap_client_ip }}"
|
||||
- name: Allow bootstrap server to update the RFS server
|
||||
ansible.builtin.command: "/opt/nfast/bin/rfs-setup --gang-client --write-noauth {{ thales_bootstrap_client_ip }}"
|
||||
|
@ -1,21 +1,24 @@
|
||||
---
|
||||
- name: run anonkneti to get esn for "{{ item.ip }}"
|
||||
command: /opt/nfast/bin/anonkneti "{{ item.ip }}"
|
||||
- name: Run anonkneti to get esn for "{{ item.ip }}"
|
||||
ansible.builtin.command: /opt/nfast/bin/anonkneti "{{ item.ip }}"
|
||||
register: anonkneti
|
||||
|
||||
- name: output of anonkneti
|
||||
debug: var=anonkneti.stdout_lines
|
||||
- name: Output of anonkneti
|
||||
ansible.builtin.debug:
|
||||
var: anonkneti.stdout_lines
|
||||
|
||||
- name: get the esn
|
||||
set_fact:
|
||||
esn: "{{ anonkneti.stdout_lines[0].split()[0] }}"
|
||||
- name: Get the esn
|
||||
ansible.builtin.set_fact:
|
||||
esn: "{{ anonkneti.stdout_lines[0].split()[0] }}"
|
||||
|
||||
- name: run script to add {{ thales_client_ips }} to config.new on "{{ item.ip }}" esn "{{ esn }}"
|
||||
script: "{{ role_path }}/files/add_ips.py --config-dir /opt/nfast/kmdata/hsm-{{ esn }}/config --ips {{ thales_client_ips }}"
|
||||
- name: "Adding client IPs to config for HSM {{ esn }}"
|
||||
ansible.builtin.script: "{{ role_path }}/files/add_ips.py --config-dir /opt/nfast/kmdata/hsm-{{ esn }}/config --ips {{ thales_client_ips }}"
|
||||
|
||||
- name: push new config to the HSM and check that it was successful
|
||||
shell: "/opt/nfast/bin/cfg-pushnethsm -a {{ item.ip }} /opt/nfast/kmdata/hsm-{{ esn }}/config/config.new && sleep 5 && diff /opt/nfast/kmdata/hsm-{{ esn }}/config/config /opt/nfast/kmdata/hsm-{{ esn }}/config/config.new" # noqa 204
|
||||
- name: Push new config to the HSM and check that it was successful
|
||||
ansible.builtin.shell: |
|
||||
/opt/nfast/bin/cfg-pushnethsm -a {{ item.ip }} /opt/nfast/kmdata/hsm-{{ esn }}/config/config.new && \
|
||||
sleep 5 && \
|
||||
diff /opt/nfast/kmdata/hsm-{{ esn }}/config/config /opt/nfast/kmdata/hsm-{{ esn }}/config/config.new
|
||||
register: result
|
||||
until: result.rc == 0
|
||||
retries: 10
|
||||
|
||||
|
@ -1,5 +1 @@
|
||||
# NOTE(elod.illes): ansible 6.0.0 introduced new rules that needs to be
|
||||
# fixed, like fqcn-builtins, etc. Due to Yoga release happens soon
|
||||
# let's just cap ansible-lint. This needs a separate fix in the future
|
||||
# to be able to remove the cap.
|
||||
ansible-lint<6.0.0
|
||||
ansible-lint
|
||||
|