Latest ansible-lint version (6.16.1) started to raise an error when
variable names from within roles are not prefixed with the role name.
Error: var-naming[no-role-prefix].
As Ansible sanity check does not enforce this, it will be disabled, for
now on ansible-freeipa's upstream CI.
A future effort to reduce the checks that are not being evaluated should
be done as preparation for future Ansible Galaxy and Automation Hub
requirements.
The tests under 'tests/pytests' were a POC to bring tests that evaluate
the result of playbook execution on the IPA environment. This is
currently only implemented for dnszone tests, and similar test coverage
is obtained with other tests.
As there is an ongoing issue with Ansible's docker pluging
("the connection plugin 'docker' was not found"), which is stil under
investigation, by removing the pytest tests we'll remove the consistent
failures currently seen on upstream CI, and will not loose test
coverage, specially if we take into account downstream tests.
Also, a new version for the pytests will be available once multihost
testing is implemented for upstream.
The version requirement for requests need to be quoted not to lead into
a pip install command issue.
This is related to PR #1089 (Pin requests to < 2.29 temporarily)
The function exit_raw_json is a replacement for AnsibleModule.exit_json
without flterting out values for no_log parameters.
Ansible added checks for pylint to forbid print and also sys.exit and
fails with ansible-bad-function. As the check is not known outside of
ansible-test, the disable line needed also W0012:
# pylint: disable=W0012,ansible-bad-function
The old ignore file ignore-2.12.txt is not needed and used anymore. The
new files ignore-2.13.txt and ignore-2.14.txt are empty after
ansible-lint made nearly all ignores disallowed.
All the newly disallowed ignores need to be fixed.
See https://github.com/ansible/ansible-lint/pull/3102
The usage of module_defaults allows to reduce the size of the tests and
to have the needed information in the tasks only. The default values for the
parameters are automatically passed to the module by Ansible.
It is not possible to use a module group for module_defaults as this could
only be done with Ansible Collections. The tests are also used upstream and
downstream without a collection.
Without groups of a collection it is needed to add the defaults for all
modules separately.
Simple example:
module_defaults:
ipahost:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
Several module example using YAML anchors and aliases:
module_defaults:
ipahost: &ipa_module_defaults
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
ipauser: *ipa_module_defaults
ipagroup: *ipa_module_defaults
The documentation for "become" and "gather_facts" has been updated to
make sure that these parameters are enabled only in new tests if it is
really needed.
The module action group <collection-prefix>.modules is created
automatically while building the galaxy release.
The action group can be used for module_defaults in this way:
module_defauls:
group/<collection-prefix>.modules:
ipaadmin_password: SomeADMINpassword
Example:
module_defaults:
group/freeipa.ansible_freeipa.modules:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
collections:
- freeipa.ansible_freeipa
The section module_defaults was not handled by utils/galaxyfy.py, also
there was no verification that only roles and modules provided by
ansible-freeipa are matched for prepending the collection prefix.
The list of modules and roles is needed in several scripts now,
therefore it makes sense to have one place for this.
Here are the current variables:
BASE_DIR: Base directory of the repo
ROLES: List of roles in the roles folder
MANAGEMENT_MODULES: List of management modules in the plugins/modules
folder
ROLES_MODULES: List of modules in the roles/*/library folders
ALL_MODULES: List of all modules, the management and the roles
modules
All lists are sorted.
ipaserver_random_serial_numbers was enabled by default in
roles/ipaserver/defaults/main.yml. This should not be the default and
also resulted in issues in all IPA versions that do not support RSN.
The parameter now defaults to false.
Since FreeIPA version 4.10 it is possible to deploy servers that use
Random Serial Number v3 support for certificates.
This patch exposes the 'random_serial_numbers' parameter, as
'ipaserver_random_serial_numbers', allowing a user to have random serial
numbers enabled for the domain.
The use of random serial numbers is allowed on new installations only.
Ensuring (adding) several groups with mixed types external, nonposix
and posix require to have a fix in IPA:
FreeIPA issue: https://pagure.io/freeipa/issue/9349
FreeIPA fix: https://github.com/freeipa/freeipa/pull/6741
The simple solution is to switch to client context for ensuring several
groups simply if the user was not explicitly asking for the server context
no matter if mixed types are used.
Adding an option `groups` to create multiple groups in one operation.
Adding tests (present/absent/external/nonposix) with server and
client context.
Simple example of `groups` option:
```
tasks:
- name: Ensure 2 groups are present
ipagroup:
ipaadmin_password: SomeADMINpassword
groups:
- name: group1
- name: group2
```
Signed-off-by: Denis Karpelevich <dkarpele@redhat.com>
Due to an API misbehaviour in FreeIPA, ipaexternalmembers need to be
treated differently than other group members parameters. Even an empty
array triggers all tests for external members, including the check for
installed dcerpc bindings.
Therefore ipagroup module has been changed to not set ipaexternalmember
to an empty list if there are no external members to be added or
removed.
New variables have been added to ipareplica and ipaserver role to enable
the removal from the domein with the undeployment.
`ipaserver_remove_from_domain`
This enables the removal of the server from the domain additionally to the
undeployment.
`ipaserver_remove_on_server`
The value defines the server/replica in the domain that will to be used to
remove the server/replica from the domain if
`ipaserver_ignore_topology_disconnect` and `ipaserver_remove_from_domain`
are enabled. Without the need to enable
`ipaserver_ignore_topology_disconnect`, the value will be automatically
detected using the replication agreements of the server/replica.
For the replica role it is possible to use the server variables, but
also the replica versions: `ipareplica_remove_from_domain` and
`ipareplica_remove_on_server`.
The already existing parameters `ipaserver_ignore_topology_disconnect` and
`ipaserver_ignore_last_of_role` have been added to the README files for
server and replica with descriptions. The same for the replica versions
of the parameters.
The ipareplica role is not calling the `ipa-server-install` anymore, it
is instead using (including) the server role for the task.
The new module `ipaserver_get_connected_server` has been added to the
server role to be able to get a connected server using the replication
agreements. This module is only used if
`ipaserver_ignore_topology_disconnect` is not needed.
The latest ansible-lint failes for the tasks that are using
"when: sid_disabled.changed" with the error
"Tasks that run when changed should likely be handlers.". As
these tasks are tests and it would not make sense to use handlers here,
the tasks have been marked as noqa 503.
The cleanup of the root IPA cache was depending on the result of the
ipaserver_enable_ipa and ipareplica_enable_ipa tasks. Instead of
"when: something.changed" a handler should be used instead. As
"/root/.ipa_cache" should be removed always (same in command line) the
removal of the file has been moded into the always section and does not
need a when anymore.
With the fix to defer creating the final krb5.conf on clients a bug has
been introduced with ipaclient_fix_ca: The krb_name parameter that
points to the temporary krb5 configuration was not added to the module
Without this the server affinity is broken for allow_repair and additionally
ipaclient_fix_ca could fail if krb5 configuration needs to be repraied
and also CA needs to be fixed.
The krb_name parameter has been added to ipaclient_fix_ca and is also
properly set in tasks/install.yml.
With the fix to defer creating the final krb5.conf on clients a bug has
been introduced with ipaclient_setup_nss: The krb_name parameter that
points to the temporary krb5 configuration was not added to the module.
With a properly configured DNS (like for example IPA DNS) the krb TXT
records have been present in the DNS configuration. These have been used
automatically as a fallback and broke server affinity for the client.
Without the TXT records creating the IPA NSS database failed with
"Cannot find KDC for realm ..".
The krb_name parameter has been added to ipaclient_setup_nss and is also
properly set in tasks/install.yml.
