feat: Improve Ansible/Jinja2 validation (#752)

Author: alessfg

.github/workflows/f5-cla.yml

@@ -1,40 +1,40 @@
 ---
-  name: F5 CLA
-  on:
-    issue_comment:
-      types: [created]
-    pull_request_target:
-      types: [opened, closed, synchronize]
-  permissions: read-all
-  jobs:
-    f5-cla:
-      name: F5 CLA
-      runs-on: ubuntu-24.04
-      permissions:
-        actions: write
-        pull-requests: write
-        statuses: write
-      steps:
-        - name: Run F5 Contributor License Agreement (CLA) assistant
-          if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have hereby read the F5 CLA and agree to its terms') || github.event_name == 'pull_request_target'
-          uses: contributor-assistant/github-action@9340315624c6e16cef1f2c63bdeb0f0c49c6f474 # v2.4.0
-          with:
-            # Any pull request targeting the following branch will trigger a CLA check.
-            branch: main
-            # Path to the CLA document.
-            path-to-document: https://github.com/f5/.github/blob/main/CLA/cla-markdown.md
-            # Custom CLA messages.
-            custom-notsigned-prcomment: '🎉 Thank you for your contribution! It appears you have not yet signed the F5 Contributor License Agreement (CLA), which is required for your changes to be incorporated into an F5 Open Source Software (OSS) project. Please kindly read the [F5 CLA](https://github.com/f5/.github/blob/main/CLA/cla-markdown.md) and reply on a new comment with the following text to agree:'
-            custom-pr-sign-comment: 'I have hereby read the F5 CLA and agree to its terms'
-            custom-allsigned-prcomment: '✅ All required contributors have signed the F5 CLA for this PR. Thank you!'
-            # Remote repository storing CLA signatures.
-            remote-organization-name: f5
-            remote-repository-name: f5-cla-data
-            path-to-signatures: signatures/signatures.json
-            # Comma separated list of usernames for maintainers or any other individuals who should not be prompted for a CLA.
-            allowlist: alessfg, oxpa, bot*
-            # Do not lock PRs after a merge.
-            lock-pullrequest-aftermerge: false
-          env:
-            GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-            PERSONAL_ACCESS_TOKEN: ${{ secrets.F5_CLA_TOKEN }}
+name: F5 CLA
+on:
+  issue_comment:
+    types: [created]
+  pull_request_target:
+    types: [opened, closed, synchronize]
+permissions: read-all
+jobs:
+  f5-cla:
+    name: F5 CLA
+    runs-on: ubuntu-24.04
+    permissions:
+      actions: write
+      pull-requests: write
+      statuses: write
+    steps:
+      - name: Run F5 Contributor License Agreement (CLA) assistant
+        if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have hereby read the F5 CLA and agree to its terms') || github.event_name == 'pull_request_target'
+        uses: contributor-assistant/github-action@9340315624c6e16cef1f2c63bdeb0f0c49c6f474 # v2.4.0
+        with:
+          # Any pull request targeting the following branch will trigger a CLA check.
+          branch: main
+          # Path to the CLA document.
+          path-to-document: https://github.com/f5/.github/blob/main/CLA/cla-markdown.md
+          # Custom CLA messages.
+          custom-notsigned-prcomment: '🎉 Thank you for your contribution! It appears you have not yet signed the F5 Contributor License Agreement (CLA), which is required for your changes to be incorporated into an F5 Open Source Software (OSS) project. Please kindly read the [F5 CLA](https://github.com/f5/.github/blob/main/CLA/cla-markdown.md) and reply on a new comment with the following text to agree:'
+          custom-pr-sign-comment: 'I have hereby read the F5 CLA and agree to its terms'
+          custom-allsigned-prcomment: '✅ All required contributors have signed the F5 CLA for this PR. Thank you!'
+          # Remote repository storing CLA signatures.
+          remote-organization-name: f5
+          remote-repository-name: f5-cla-data
+          path-to-signatures: signatures/signatures.json
+          # Comma separated list of usernames for maintainers or any other individuals who should not be prompted for a CLA.
+          allowlist: alessfg, oxpa, bot*
+          # Do not lock PRs after a merge.
+          lock-pullrequest-aftermerge: false
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PERSONAL_ACCESS_TOKEN: ${{ secrets.F5_CLA_TOKEN }}

.github/workflows/release.yml

@@ -1,20 +1,20 @@
 ---
-  name: Release Drafter
-  on:
-    push:
-      branches: [main]
-    pull_request_target:
-      types: [opened, reopened, synchronize]
-  permissions: read-all
-  jobs:
-    release-draft:
-      name: Update release draft
-      runs-on: ubuntu-24.04
-      permissions:
-        contents: write
-        pull-requests: write
-      steps:
-        - name: Run release drafter
-          uses: release-drafter/release-drafter@3f0f87098bd6b5c5b9a36d49c41d998ea58f9348 # v6.0.0
-          env:
-            GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+name: Release Drafter
+on:
+  push:
+    branches: [main]
+  pull_request_target:
+    types: [opened, reopened, synchronize]
+permissions: read-all
+jobs:
+  release-draft:
+    name: Update release draft
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: write
+      pull-requests: write
+    steps:
+      - name: Run release drafter
+        uses: release-drafter/release-drafter@3f0f87098bd6b5c5b9a36d49c41d998ea58f9348 # v6.0.0
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

CHANGELOG.md

@@ -12,6 +12,7 @@ FEATURES:
 - Add support for installing NGINX Open Source on Alpine Linux 3.20.
 - Add support for installing NGINX Agent on Ubuntu noble.
 - Add validation tasks to check the Ansible version, the Jinja2 version, and whether the required Ansible collections for this role are installed.
+- Bump the minimum version of Ansible supported to `2.16`, whilst clarifying that Ansible `2.18` is not supported at this stage.
 - Bump the Ansible `community.general` collection to `9.2.0`, `community.crypto` collection to `2.21.1` and `community.docker` collection to `3.11.0`.
 
 DOCUMENTATION:
@@ -28,6 +29,7 @@ CI/CD:
 - Update GitHub Actions to Ubuntu 24.04.
 - Switch GitHub Actions from using tags to release hashes.
 - Remove commented out Molecule platforms and GitHub Actions QEMU step for the time being. These changes will be reverted if multi-arch testing can be reinstated in GitHub Actions.
+- Bump the minimum version of Ansible supported on Ansible Galaxy to `2.16`.
 - Remove platform metadata from the Ansible Galaxy role metadata since platforms are no longer supported in Ansible Galaxy NG.
 - Implement OSSF Scorecard.
 
@@ -62,7 +64,7 @@ CI/CD:
 - Add Molecule tests for NGINX Amplify.
 - Update the RHEL based tests to use the latest UBI release.
 - Use the local role name (`ansible-role-nginx`) instead of the fully qualified role name (`nginxinc.nginx`) in Molecule to ensure tests always work as intended in environments where the role has been already installed beforehand.
-- Implement F5 CLA signatures.
+- Implement F5 CLA.
 - Hardcode version of Python requests module given its propensity to break the Docker Python SDK.
 
 ## 0.24.2 (October 3rd, 2023)

CONTRIBUTING.md

@@ -21,7 +21,7 @@ Follow this project's [Installation Guide](/README.md#Installation) to install A
 
 ### Project Structure
 
-- The NGINX Ansible role is written in `yaml` and supports NGINX Open Source, NGINX Plus, NGINX Agent and NGINX Amplify.
+- The NGINX Ansible role is written in [`yaml`](https://yaml.org) and supports NGINX Open Source, NGINX Plus, NGINX Agent and NGINX Amplify.
 - The project follows the standard [Ansible role directory structure](https://docs.ansible.com/ansible/latest/user_guide/playbooks_reuse_roles.html):
   - The main "codebase" is found in the [`tasks/`](/tasks/) directory.
   - Variables can be found in [`defaults/main/`](/defaults/main/). The filenames in this directory highlight which variables are contained in each file.

README.md

@@ -45,6 +45,8 @@ This will also ensure you are deploying/running this role with a fully tested ve
 #### Ansible core
 
 - This role is developed and tested with [maintained](https://docs.ansible.com/ansible/devel/reference_appendices/release_and_maintenance.html) versions of Ansible core and Python.
+
+  ***Note:** Ansible `2.18` does no longer support the `yum` module and as such, is not supported by this role until Amazon Linux 2 reaches EoL.*
 - When using Ansible core, you will also need to install the following Ansible collections:
 
   ```yaml

tasks/validate/validate.yml

@@ -1,9 +1,11 @@
 ---
 - name: Verify you are using a supported Ansible version on your Ansible host
   ansible.builtin.assert:
-    that: ansible_version['full'] is version('2.16', '>=')
+    that:
+      - ansible_version['full'] is version(nginx_ansible_version, '>=')
+      - ansible_version['full'] is version('2.18', '<')
     success_msg: Ansible {{ ansible_version['full'] }} is supported.
-    fail_msg: Ansible {{ ansible_version['full'] }} has reached End of Life (EoL). Please upgrade to a supported Ansible release. Check the README for more details.
+    fail_msg: ({{ ansible_version['full'] is version('2.18', '>=') }} | ternary('Ansible {{ ansible_version['full'] }} is not yet supported. Please downgrade to a supported Ansible release', 'Ansible {{ ansible_version['full'] }} has reached End of Life (EoL). Please upgrade to a supported Ansible release.') Check the README for more details.
   delegate_to: localhost
   ignore_errors: true # noqa ignore-errors
 
@@ -16,7 +18,7 @@
 
 - name: Verify that you are using a supported Jinja2 version on your Ansible host
   ansible.builtin.assert:
-    that: (jinja2_version['stdout'] | regex_search('jinja version = ([\\d.]+)', '\\1') | first) is version('3.1', '>=')
+    that: (jinja2_version['stdout'] | regex_search('jinja version = ([\\d.]+)', '\\1') | first) is version(nginx_jinja2_version, '>=')
     success_msg: Jinja2 {{ jinja2_version['stdout'] | regex_search('jinja version = ([\d.]+)', '\1') | first }} is supported.
     fail_msg: Jinja2 {{ jinja2_version['stdout'] | regex_search('jinja version = ([\d.]+)', '\1') | first }} is not supported. Please upgrade to Jinja2 3.1. Check the README for more details.
   delegate_to: localhost

vars/main.yml

@@ -1,4 +1,8 @@
 ---
+# Set the minimum version required for Ansible and Jinja2
+nginx_ansible_version: 2.16
+nginx_jinja2_version: 3.1
+
 # Set the values allowed for various variables
 nginx_setup_vars: [install, uninstall, upgrade]