Add ansible-lint CI (#1368)

CI: Add Ansible lint job

Co-authored-by: Mark Goddard <[email protected]>
Co-authored-by: Matt Crees <[email protected]>
Co-authored-by: Pierre Riteau <[email protected]>

Author: 4 people

.ansible-lint

@@ -0,0 +1,10 @@
+---
+skip_list:
+  - no-changed-when
+  - risky-file-permissions
+  - run-once
+  - name[template]
+  - package-latest
+  - yaml
+  - role-name[path]
+  - yaml[line-length]

.ansible-lint-ignore

@@ -0,0 +1,7 @@
+# This file contains ignores to rule violations for ansible-lint
+etc/kayobe/ansible/vault-deploy-barbican.yml fqcn[action-core]
+etc/kayobe/ansible/vault-generate-backend-tls.yml fqcn[action-core]
+etc/kayobe/ansible/vault-generate-internal-tls.yml fqcn[action-core]
+etc/kayobe/ansible/vault-generate-test-external-tls.yml fqcn[action-core]
+etc/kayobe/ansible/rabbitmq-reset.yml command-instead-of-module
+etc/kayobe/ansible/ubuntu-upgrade.yml syntax-check[missing-file]

.github/workflows/stackhpc-pull-request.yml

@@ -61,6 +61,43 @@ jobs:
       - name: Run Tox ${{ matrix.environment }} 🧪
         run: tox -e ${{ matrix.environment }}
 
+  lint:
+    runs-on: ubuntu-22.04
+    permissions: {}
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          # NOTE(upgrade): Keep these in sync with Kayobe's supported Ansible and Python versions (see release notes).
+          - ansible: "2.16"
+            python: "3.12"
+          - ansible: "2.15"
+            python: "3.10"
+    name: Ansible ${{ matrix.ansible }} lint with Python ${{ matrix.python }}
+    if: github.repository == 'stackhpc/stackhpc-kayobe-config'
+    steps:
+      - name: GitHub Checkout 🛎
+        uses: actions/checkout@v3
+
+      - name: Setup Python ${{ matrix.python-version }} 🐍
+        uses: actions/setup-python@v4
+        with:
+          python-version: ${{ matrix.python }}
+
+      - name: Install dependencies 📦
+        run: |
+          python -m pip install --upgrade pip
+          pip install ansible-core==${{ matrix.ansible }}.* ansible-lint -r requirements.txt
+
+      - name: Install Ansible Galaxy collections and roles
+        run: |
+          ansible-galaxy collection install -r etc/kayobe/ansible/requirements.yml
+          ansible-galaxy role install -r etc/kayobe/ansible/requirements.yml
+
+      - name: Linting code 🧪
+        run: |
+          ansible-lint -v --force-color etc/kayobe/ansible/.
+
   # A skipped job is treated as success when used as a required status check.
   # The registered required status checks refer to the name of the job in the
   # called reusable workflow rather than the jobs in this file.  The following

etc/kayobe/ansible/advise-run.yml

@@ -1,47 +1,47 @@
 ---
 - name: ADVise run
   hosts: localhost
-  gather_facts: no
+  gather_facts: false
   tags:
     - advise
   vars:
-    venv: "~/venvs/advise-review"
+    venv: ~/venvs/advise-review
     input_dir: "{{ lookup('env', 'PWD') }}/overcloud-introspection-data"
     output_dir: "{{ lookup('env', 'PWD') }}/review"
-    advise_pattern: ".*.eval"  # Uses regex
+    advise_pattern: .*.eval # Uses regex
   tasks:
     - name: Install dependencies
-      pip:
+      ansible.builtin.pip:
         virtualenv: "{{ venv }}"
         name:
           - git+https://github.com/stackhpc/ADVise
         state: latest
-        virtualenv_command: "python3 -m venv"
+        virtualenv_command: python3 -m venv
 
     - name: Create data directory
-      file:
-        path: '{{ output_dir }}/data'
+      ansible.builtin.file:
+        path: "{{ output_dir }}/data"
         state: directory
 
     - name: Extract data
-      shell:
+      ansible.builtin.shell:
         cmd: >
           {{ venv }}/bin/m2-extract {{ input_dir }}/*.json --output_dir {{ output_dir }}/data
 
     - name: Create review directory
-      file:
-        path: '{{ output_dir }}/results'
+      ansible.builtin.file:
+        path: "{{ output_dir }}/results"
         state: directory
 
     - name: Process data
-      shell:
+      ansible.builtin.shell:
         cmd: >
           {{ venv }}/bin/advise-process
           -I ipmi
           -p '{{ output_dir }}/data/extra-hardware/{{ advise_pattern }}'
           -o '{{ output_dir }}'
 
     - name: Visualise data
-      command: >
+      ansible.builtin.command: >
         {{ venv }}/bin/advise-visualise
         --output_dir '{{ output_dir }}'

etc/kayobe/ansible/build-ofed-rocky.yml

@@ -6,8 +6,8 @@
   tasks:
     - name: Check whether noexec is enabled for /var/tmp
       ansible.builtin.lineinfile:
-        path: "/etc/fstab"
-        regexp: "noexec"
+        path: /etc/fstab
+        regexp: noexec
         state: absent
       changed_when: false
       check_mode: true
@@ -42,7 +42,7 @@
 
     - name: Add DOCA host repository package
       ansible.builtin.dnf:
-        name: https://developer.nvidia.com/downloads/networking/secure/doca-sdk/DOCA_2.8/doca-host-2.8.0-204000_{{ stackhpc_pulp_doca_ofed_version }}_rhel9{{ stackhpc_pulp_repo_rocky_9_minor_version }}.x86_64.rpm
+        name: "https://developer.nvidia.com/downloads/networking/secure/doca-sdk/DOCA_2.8/doca-host-2.8.0-204000_{{ stackhpc_pulp_doca_ofed_version }}_rhel9{{ stackhpc_pulp_repo_rocky_9_minor_version }}.x86_64.rpm"
         disable_gpg_check: true
 
     - name: Install DOCA extra packages
@@ -53,13 +53,13 @@
       ansible.builtin.file:
         path: /home/cloud-user/ofed
         state: directory
-        mode: 0777
+        mode: "0777"
 
     - name: Set build directory
       ansible.builtin.replace:
         path: /opt/mellanox/doca/tools/doca-kernel-support
-        regexp: 'TMP_DIR=\$1'
-        replace: 'TMP_DIR=/home/cloud-user/ofed'
+        regexp: TMP_DIR=\$1
+        replace: TMP_DIR=/home/cloud-user/ofed
 
     - name: Build OFED kernel modules
       ansible.builtin.shell:

etc/kayobe/ansible/cephadm-commands-post.yml

@@ -7,7 +7,8 @@
     - cephadm
     - cephadm-commands
   tasks:
-    - import_role:
+    - name: Apply Cephadm commands role
+      ansible.builtin.import_role:
         name: stackhpc.cephadm.commands
       vars:
         cephadm_commands: "{{ cephadm_commands_post | default([]) }}"

etc/kayobe/ansible/cephadm-commands-pre.yml

@@ -7,7 +7,8 @@
     - cephadm
     - cephadm-commands
   tasks:
-    - import_role:
+    - name: Apply Cephadm commands role
+      ansible.builtin.import_role:
         name: stackhpc.cephadm.commands
       vars:
         cephadm_commands: "{{ cephadm_commands_pre | default([]) }}"

etc/kayobe/ansible/cephadm-crush-rules.yml

@@ -7,5 +7,6 @@
     - cephadm
     - cephadm-crush-rules
   tasks:
-    - import_role:
+    - name: Apply Cephadm crush rule role
+      ansible.builtin.import_role:
         name: stackhpc.cephadm.crush_rules

etc/kayobe/ansible/cephadm-deploy.yml

@@ -7,5 +7,6 @@
     - cephadm
     - cephadm-deploy
   tasks:
-    - import_role:
+    - name: Apply Cephadm role
+      ansible.builtin.import_role:
         name: stackhpc.cephadm.cephadm

etc/kayobe/ansible/cephadm-ec-profiles.yml

@@ -7,5 +7,6 @@
     - cephadm
     - cephadm-ec-profiles
   tasks:
-    - import_role:
+    - name: Apply Cephadm EC profiles role
+      ansible.builtin.import_role:
         name: stackhpc.cephadm.ec_profiles

etc/kayobe/ansible/cephadm-gather-keys.yml

@@ -32,13 +32,13 @@
       loop: "{{ kolla_ceph_services | selectattr('required') | map(attribute='keys') | flatten | unique }}"
 
     - name: Generate ceph.conf
-      command: "cephadm shell -- ceph config generate-minimal-conf"
+      ansible.builtin.command: cephadm shell -- ceph config generate-minimal-conf
       become: true
       register: cephadm_ceph_conf
       changed_when: false
 
     - name: Ensure Kolla config directories are present
-      file:
+      ansible.builtin.file:
         state: directory
         path: "{{ kayobe_env_config_path }}/kolla/config/{{ kolla_service_to_key_dir[item.name] }}"
       loop: "{{ kolla_ceph_services | selectattr('required') }}"
@@ -51,7 +51,7 @@
         key_info: "{{ cephadm_key_info.results | selectattr('item', 'equalto', item.1) | first }}"
         cephadm_key: "{{ key_info.stdout }}"
         cephadm_user: "{{ item.1 }}"
-      copy:
+      ansible.builtin.copy:
         # Include a trailing newline.
         content: |
           {{ cephadm_key }}
@@ -63,7 +63,7 @@
       notify: Please add and commit the Kayobe configuration
 
     - name: Save ceph.conf to Kayobe configuration
-      copy:
+      ansible.builtin.copy:
         # Include a trailing newline.
         # Kolla Ansible's merge_configs module does not like the leading tabs in ceph.conf.
         content: |
@@ -77,7 +77,7 @@
 
   handlers:
     - name: Please add and commit the Kayobe configuration
-      debug:
+      ansible.builtin.debug:
         msg: >-
           Please add and commit the Ceph configuration files and keys in Kayobe
           configuration. Remember to encrypt the keys using Ansible Vault.

etc/kayobe/ansible/cephadm-keys.yml

@@ -7,5 +7,6 @@
     - cephadm
     - cephadm-keys
   tasks:
-    - import_role:
+    - name: Apply Cephadm keys role
+      ansible.builtin.import_role:
         name: stackhpc.cephadm.keys

etc/kayobe/ansible/cephadm-pools.yml

@@ -7,5 +7,6 @@
     - cephadm
     - cephadm-keys
   tasks:
-    - import_role:
+    - name: Apply Cephadm pools role
+      ansible.builtin.import_role:
         name: stackhpc.cephadm.pools

etc/kayobe/ansible/cephadm.yml

@@ -1,9 +1,22 @@
 ---
 # Deploy Ceph via Cephadm. Create EC profiles, CRUSH rules, pools and keys.
-- import_playbook: cephadm-deploy.yml
-- import_playbook: cephadm-commands-pre.yml
-- import_playbook: cephadm-ec-profiles.yml
-- import_playbook: cephadm-crush-rules.yml
-- import_playbook: cephadm-pools.yml
-- import_playbook: cephadm-keys.yml
-- import_playbook: cephadm-commands-post.yml
+- name: Import Cephadm deploy playbook
+  import_playbook: cephadm-deploy.yml
+
+- name: Import Cephadm commands pre playbook
+  import_playbook: cephadm-commands-pre.yml
+
+- name: Import Cephadm EC profiles playbook
+  import_playbook: cephadm-ec-profiles.yml
+
+- name: Import Cephadm crush rules playbook
+  import_playbook: cephadm-crush-rules.yml
+
+- name: Import Cephadm pools playbook
+  import_playbook: cephadm-pools.yml
+
+- name: Import Cephadm keys playbook
+  import_playbook: cephadm-keys.yml
+
+- name: Import Cephadm commands post playbook
+  import_playbook: cephadm-commands-post.yml

etc/kayobe/ansible/check-tags.yml

@@ -7,18 +7,19 @@
   gather_facts: false
   tasks:
     - name: Query images and tags
-      command:
+      ansible.builtin.command:
         cmd: >-
           {{ kayobe_config_path }}/../../tools/kolla-images.py list-tags
       register: kolla_images_result
       changed_when: false
 
     - name: Set a fact about images and tags
-      set_fact:
+      ansible.builtin.set_fact:
         kolla_images: "{{ kolla_images_result.stdout | from_yaml }}"
 
     # Use state=read and allow_missing=false to check for missing tags in test pulp.
-    - import_role:
+    - name: Check for missing tags
+      ansible.builtin.import_role:
         name: stackhpc.pulp.pulp_container_content
       vars:
         pulp_container_content: >-

etc/kayobe/ansible/cis.yml

@@ -1,5 +1,4 @@
 ---
-
 - name: Security hardening
   hosts: cis-hardening
   become: true
@@ -9,14 +8,14 @@
     # TODO: Remove this when Red Hat FIPS policy has been updated to allow ed25519 keys.
     # https://gitlab.com/gitlab-org/gitlab/-/issues/367429#note_1840422075
     - name: Assert that we are using a supported SSH key
-      assert:
+      ansible.builtin.assert:
         that:
           - ssh_key_type != 'ed25519'
         fail_msg: FIPS policy does not currently support ed25519 SSH keys on RHEL family systems
       when: ansible_facts.os_family == 'RedHat'
 
     - name: Ensure the cron package is installed on ubuntu
-      package:
+      ansible.builtin.package:
         name: cron
         state: present
       when: ansible_facts.distribution == 'Ubuntu'
@@ -25,17 +24,19 @@
       # This is to workaround an issue where we set the expiry to 365 days on kayobe
       # service accounts in a previous iteration of the CIS benchmark hardening
       # defaults. This should restore the defaults and can eventually be removed.
-      command: chage -m 0 -M 99999 -W 7 -I -1 {{ item }}
+      ansible.builtin.command: chage -m 0 -M 99999 -W 7 -I -1 {{ item }}
       become: true
       changed_when: false
       with_items:
         - "{{ kayobe_ansible_user }}"
         - "{{ kolla_ansible_user }}"
 
-    - include_role:
+    - name: Run CIS hardening role (RHEL 9)
+      ansible.builtin.include_role:
         name: ansible-lockdown.rhel9_cis
       when: ansible_facts.os_family == 'RedHat' and ansible_facts.distribution_major_version == '9'
 
-    - include_role:
+    - name: Run CIS hardening role (Ubuntu 22)
+      ansible.builtin.include_role:
         name: ansible-lockdown.ubuntu22_cis
       when: ansible_facts.distribution == 'Ubuntu' and ansible_facts.distribution_major_version == '22'