From 329f740d109b87105eac36fade70c69c15781a38 Mon Sep 17 00:00:00 2001
From: Francesco Pantano <fpantano@redhat.com>
Date: Mon, 9 Dec 2019 20:12:37 +0100
Subject: [PATCH] Add an additional validation to check ceph-ansible repository

In order to address the ceph-ansible potential cross-shipping,
this change adds an extra task to validate the repository that
should be used to install ceph-ansible in the undercloud.
If ceph-ansible is not installed or the repo doesn't match the
specified one, this validation raise an error.

Change-Id: Ib80b55cbd0d4b4dd83d8dbc9dc2afe1d6df2ede5
---
 playbooks/ceph-ansible-installed.yaml        |  1 +
 roles/ceph/defaults/main.yml                 |  1 +
 roles/ceph/tasks/ceph-ansible-installed.yaml | 13 +++++++++++++
 3 files changed, 15 insertions(+)

diff --git a/playbooks/ceph-ansible-installed.yaml b/playbooks/ceph-ansible-installed.yaml
index e25283464..5cdd66c18 100644
--- a/playbooks/ceph-ansible-installed.yaml
+++ b/playbooks/ceph-ansible-installed.yaml
@@ -8,6 +8,7 @@
       groups:
         - pre-deployment
     fail_without_ceph_ansible: false
+    ceph_ansible_repo: "centos-ceph-nautilus"
   tasks:
     - include_role:
         name: ceph
diff --git a/roles/ceph/defaults/main.yml b/roles/ceph/defaults/main.yml
index f6a719edf..d255751b0 100644
--- a/roles/ceph/defaults/main.yml
+++ b/roles/ceph/defaults/main.yml
@@ -2,4 +2,5 @@
 fail_without_ceph_ansible: false
 fail_on_ceph_health_err: false
 osd_percentage_min: 0
+ceph_ansible_repo: "centos-ceph-nautilus"
 
diff --git a/roles/ceph/tasks/ceph-ansible-installed.yaml b/roles/ceph/tasks/ceph-ansible-installed.yaml
index e39124722..988824f7e 100644
--- a/roles/ceph/tasks/ceph-ansible-installed.yaml
+++ b/roles/ceph/tasks/ceph-ansible-installed.yaml
@@ -20,3 +20,16 @@
   when:
     - ceph_ansible_installed.stdout.find('is not installed') != -1
     - fail_without_ceph_ansible|default(false)|bool
+
+- name: Get ceph-ansible repository
+  shell: "yum info ceph-ansible | awk '/From repo/ {print $4}'"
+  register: repo
+  changed_when: False
+
+- name: Fail if ceph-ansible doesn't belong to the specified repo
+  fail:
+    msg: "Make sure ceph-ansible package is installed from {{ ceph_ansible_repo }}"
+  when:
+    - fail_without_ceph_ansible|default(false)|bool
+    - (repo.stdout | length > 0 or repo.stdout != "{{ ceph_ansible_repo }}")
+