nmcli: use get_best_parsable_locale() to support UTF-8 connection names (#11742)
* nmcli: start locale fix - normalize run_command environ to LANGUAGE=C, LC_ALL=C
Work in progress - issue #10384 (UTF-8 conn_name support) requires deeper
investigation beyond simple locale variable normalization.
* nmcli: use get_best_parsable_locale() to support UTF-8 connection names
Fixes issue where UTF-8 connection names (e.g. Chinese characters) were
corrupted to '????' when LC_ALL=C forced ASCII encoding, causing
connection_exists() to always return False for non-ASCII names.
* add changelog fragment for PR #11742
---------
(cherry picked from commit bdd3174563)
Co-authored-by: Alexei Znamensky <103110+russoz@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
integration tests: remove CentOS conditionals (#11715)
* test(integration): remove CentOS references
* further simplification
* more removals
* rollback systemd_info for now
* ufw: not trivially used with RHEL9 and RHEL10, simplifying tests
* remove tasks for setup_epel where unused
* adjustments from review
(cherry picked from commit 79431c36b5)
Co-authored-by: Alexei Znamensky <103110+russoz@users.noreply.github.com>
consul integration tests: re-enable on macOS (#11697)
* consul integration tests: re-enable on macOS
- Update consul version to 1.22.6
- Add arm64/aarch64 architecture support
- Fix macOS Gatekeeper quarantine on downloaded binary
- Add wait_for before ACL bootstrap (race condition fix)
- Update HCL config to use tls stanza (required in 1.22)
- Disable gRPC port (conflicts with tls stanza when not configured)
- Remove skip/macos from aliases
Fixes: https://github.com/ansible-collections/community.general/issues/1016
* changelogs/fragments: add PR number for consul tests fix
* remove changelog fragment (test-only PR)
---------
(cherry picked from commit 8b114e999e)
Co-authored-by: Alexei Znamensky <103110+russoz@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
composer - make `create-project` idempotent, add `force` parameter (#11689)
* composer - make create-project idempotent, add force parameter
Adds a check for an existing composer.json in working_dir before running
create-project, so the task is skipped rather than failing on second run.
A new force parameter allows bypassing this check when needed.
Fixes#725.
* changelog fragment: rename to PR number, add PR URL
---------
(cherry picked from commit a4bba99203)
Co-authored-by: Alexei Znamensky <103110+russoz@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
nsupdate: add unit tests (#11677)
* nsupdate: add unit tests
* fix var name to regain sanity
* remove unneeded typing from test file
* formatting
---------
(cherry picked from commit ef700b116a)
Co-authored-by: Alexei Znamensky <103110+russoz@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
pacman: add root, cachedir, and config options (#11681)
* pacman: add root, cachedir, and config options
Add three dedicated options -- O(root), O(cachedir), and O(config) --
so that all pacman commands get the corresponding global flags
(--root, --cachedir, --config) prepended, enabling use cases such as
installing packages into a chroot or alternative root directory
(similar to pacstrap).
* add changelog frag
---------
(cherry picked from commit e2c06f2d12)
Co-authored-by: Alexei Znamensky <103110+russoz@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
etcd3: re-enable and fix tests, add unit tests (#11678)
* etcd3: re-enable and fix tests, add unit tests
- Add unit tests for community.general.etcd3 module (12 tests covering
state=present/absent, idempotency, check mode, and error paths)
- Fix integration test setup: update etcd binary to v3.6.9 (from v3.2.14),
download from GitHub releases, add health-check retry loop after start
- Work around etcd3 Python library incompatibility with protobuf >= 4.x
by setting PROTOCOL_BUFFERS_PYTHON_IMPLEMENTATION=python
- Update to FQCNs throughout integration tests
- Re-enable both etcd3 and lookup_etcd3 integration targets
Fixes https://github.com/ansible-collections/community.general/issues/322
* improve use of multiple context managers
---------
(cherry picked from commit d06c83eb68)
Co-authored-by: Alexei Znamensky <103110+russoz@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
nmcli: fix setting_types() to properly handle routing_rules as a list type (#11635)
* Fix setting_types() to properly handle routing_rules as a list type
* Add changelog fragment for ipv6.routing-rules bugfix
* Update changelogs/fragments/11630-nmcli-ipv6-routing-rules.yml
* Add PR URL to changelog fragment
---------
(cherry picked from commit 3c21ac961b)
Co-authored-by: Ted W. <ted.l.wood@gmail.com>
Co-authored-by: Alexei Znamensky <103110+russoz@users.noreply.github.com>
osx_defaults: add dict support (#11659)
* osx_defaults: add dict support
* add changelog frag
* osx_defaults: fix dict idempotency by using plutil -extract for type-preserving read
The previous approach piped `defaults read` output (old-style plist text)
through `plutil -convert json`. Old-style plist loses boolean type info
(booleans appear as 1/0, indistinguishable from integers), causing the
comparison to fail and reporting changed=True on every run.
Fix by exporting the domain binary plist to a temp file and using
`plutil -extract key json` which correctly preserves all plist types
(booleans stay true/false, integers stay integers, etc.).
* change param from bool to str
* Apply suggestion from review
* Update plugins/modules/osx_defaults.py
---------
(cherry picked from commit d6cb56c022)
Co-authored-by: Alexei Znamensky <103110+russoz@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: Felix Fontein <felix@fontein.de>
CI: Remove FreeBSD 14.3 for devel, and replace macOS 15.3 with 26.3 (#11631)
* Replace FreeBSD 14.3 with 14.4, and macOS 15.3 with 26.3.
* FreeBSD 14.4 seems to have the same problem as FreeBSD 15.0, disabling for now.
(cherry picked from commit b4336659f6)
Co-authored-by: Felix Fontein <felix@fontein.de>
CI: Replace apt_repository and apt_key with deb822_repository (#11625)
Replace apt_repository and apt_key with deb822_repository.
(cherry picked from commit bc22fbcaa0)
Co-authored-by: Felix Fontein <felix@fontein.de>
merge_variables: extended merge capabilities added (#11536)
* merge_variables: extended merge capabilities added
This extension gives you more control over the variable merging process of the lookup plugin `merge_variables`. It closes the gap between Puppet's Hiera merging capabilities and the limitations of Ansible's default variable plugin `host_group_vars` regarding fragment-based value definition. You can now decide which merge strategy should be applied to dicts, lists, and other types. Furthermore, you can specify a merge strategy that should be applied in case of type conflicts.
The default behavior of the plugin has been preserved so that it is fully backward-compatible with the already implemented state.
* Update changelogs/fragments/11536-merge-variables-extended-merging-capabilities.yml
* Update plugins/lookup/merge_variables.py
* Periods added at the end of each choice description
* Update plugins/lookup/merge_variables.py
* ref: follow project standard for choice descriptions
* ref: more examples added and refactoring
* Update plugins/lookup/merge_variables.py
* ref: some more comments to examples added
* fix: unused import removed
* ref: re-add "merge" to strategy map
* Update comments
* Specification of transformations solely as string
* Comments updated
* ref: `append_rp` and `prepend_rp` removed
feat: options dict for list transformations re-added
feat: allow setting `keep` for dedup transformation with possible values: `first` (default) and `last`
* ref: improve options documentation
* ref: documentation improved, avoiding words like newer or older in merge description
* Update plugins/lookup/merge_variables.py
* ref: "prio" replaced by "dict"
* feat: two integration tests added
---------
(cherry picked from commit dae2157bb7)
Signed-off-by: Fiehe Christoph <c.fiehe@eurodata.de>
Co-authored-by: Christoph Fiehe <cfiehe@users.noreply.github.com>
Co-authored-by: Fiehe Christoph <c.fiehe@eurodata.de>
Co-authored-by: Felix Fontein <felix@fontein.de>
Co-authored-by: Mark <40321020+m-a-r-k-e@users.noreply.github.com>
github_secrets_info: new module (#11586)
* github_secrets_info: new module
* clean tests
* remove pynacl dep
* fqcn
* remove excess output
* just return result as sample
* only print secrets, adapt tests
* Update plugins/modules/github_secrets_info.py
* Update plugins/modules/github_secrets_info.py
* Update plugins/modules/github_secrets_info.py
* t is for typing, and typing is what we did
* add info_module attributes
---------
(cherry picked from commit df9b30448a)
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
Co-authored-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
Co-authored-by: Felix Fontein <felix@fontein.de>
github_secrets: new module (#11514)
* add support for managing GitHub secrets
* fix tab
* update for sanity
* more sanity fixes
* update botmeta
* formating
* remove list function
* remove docstring, format text strings and return codes
* switch to deps
* black and ruff doesnt get along
* initial unit tests
* update non-existing secret test
* update description and details
* handle when a secret cant be deleted
* fail if not acceptable error codes
* add test for non-acceptable status codes
* remove local ruff config
* allow empty strings
* set required_
* extend tests
* cleanup
* cover all, got a git urlopen error
* cover all, got a git urlopen error
* ensure value cant be None
* check_mode
* bump to 12.5.0
* Update plugins/modules/github_secrets.py
* extend check_mode and related tests
* split constants and return dict when checking secret
* switch to HTTPStatus
* replace DELETE and UPDATE with NO_CONTENT
* Update plugins/modules/github_secrets.py
* Update plugins/modules/github_secrets.py
* update tests
* Update plugins/modules/github_secrets.py
* Update plugins/modules/github_secrets.py
* Update plugins/modules/github_secrets.py
* Update plugins/modules/github_secrets.py
* Update plugins/modules/github_secrets.py
---------
(cherry picked from commit 46ffec6f0e)
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
Co-authored-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
Co-authored-by: Felix Fontein <felix@fontein.de>
Allow setting of independent custom domain for incus inventory (#11555)
Allowing the domain suffix to be appended independent of the `host_fqdn`
setting enables the inventory plugin to construct proper FQDNs if a
network has the `dns.domain` property set. Otherwise you would always
end up with something like `host01.project.local.example.net` despite
`host01.example.net` being the expected result.
(cherry picked from commit 71f8c15d2e)
Co-authored-by: Roland Sommer <rol@ndsommer.de>
Simplify and extend from_ini tests (#11534)
Simplify and extend from_ini tests.
(cherry picked from commit e118b23ba0)
Co-authored-by: Felix Fontein <felix@fontein.de>
New module icinga2_downtime (#11462)
* feat: Icinga 2 downtime module added allowing to schedule and remove downtimes through its REST API.
* ensure compatibility with ModuleTestCase
feat: errors raised from MH now contain the changed flag
ref: move module exit out of the decorated run method
* revised module
ref: module refactored using StateModuleHelper now
ref: suggested changes by reviewer added
* revert change regarding changed flag in MH
* refactoring and set changed flag explicitly on error
* Check whether there was a state change on module failure removed.
* ref: test cases migrated to the new feature that allows passing through exceptions
* Update plugins/module_utils/icinga2.py
* Update plugins/module_utils/icinga2.py
* Update plugins/modules/icinga2_downtime.py
* ref: make module helper private
* fix: ensure that all non-null values are added to the request otherwise a `false` value is dropped
* ref: module description extended with the note that check mode is not supported
* Update plugins/modules/icinga2_downtime.py
* fix: documentation updated
* ref: documentation updated
ref: doc fragment added
* Update plugins/doc_fragments/icinga2_api.py
* ref: doc fragment renamed to `_icinga2_api.py`
* ref: maintainer to doc fragment in BOTMETA.yml added
* Update plugins/modules/icinga2_downtime.py
* Update plugins/modules/icinga2_downtime.py
* Update plugins/modules/icinga2_downtime.py
---------
(cherry picked from commit ce7cb4e914)
Signed-off-by: Fiehe Christoph <c.fiehe@eurodata.de>
Co-authored-by: Christoph Fiehe <cfiehe@users.noreply.github.com>
Co-authored-by: Fiehe Christoph <c.fiehe@eurodata.de>
Co-authored-by: Felix Fontein <felix@fontein.de>
Co-authored-by: Alexei Znamensky <103110+russoz@users.noreply.github.com>
adds parameter delimiters to from_ini filter (#11512)
* adds parameter delimiters to from_ini filter
fixes issue #11506
* adds changelog fragment
* fixes pylint dangerous-default-value / W0102
* does not assume default delimiters
let that be decided in the super class
* Update plugins/filter/from_ini.py
verbose description
* Update changelogs/fragments/11512-from_ini-delimiters.yaml
* adds input validation
* adss check for delimiters not None
* adds missing import
* removes the negation
* adds suggestions from russoz
* adds ruff format suggestion
---------
(cherry picked from commit aec0e61ba1)
Co-authored-by: Robert Sander <github@gurubert.de>
Co-authored-by: Felix Fontein <felix@fontein.de>
New Callback plugin: `loganalytics_ingestion` adding Azure Log Analytics Ingestion (#10306)
* Add Azure Log Analytics Ingestion API plugin
The Ingestion API allows sending data to a Log Analytics workspace in
Azure Monitor.
* Fix LogAnalytics Ingestion shebang
* Fix Log Analytics Ingestion pep8 tests
* Fix Log Analytics Ingestion pylint tests
* Fix Log Analytics Ingestion import tests
* Fix Log Analytics Ingestion pylint test
* Add Log Analytics Ingestion auth timeout
Previous behavior was to use the 'request' module's default timeout;
this makes auth timeout value consistent with the task submission
timeout value.
* Display Log Analytics Ingestion event data as JSON
Previous behavior was to display the data as a Python dictionary.
The new behavior makes it easier to generate a sample JSON file in order
to import into Azure when creating the table.
* Add Azure Log Analytics Ingestion timeout param
This parameter controls how long the plugin will wait for an HTTP response
from the Azure Log Analytics API before considering the request a failure.
Previous behavior was hardcoded to 2 seconds.
* Fix Azure Log Ingestion unit test
The class instantiation was missing an additional argument that was added
in a previous patch; add it. Converting to JSON also caused the Mock
TaskResult object to throw a serialization error; override the function
for JSON conversion to just return bogus data instead.
* Fix loganalytics_ingestion linter errors
* Fix LogAnalytics Ingestion env vars
Prefix the LogAnalytics Ingestion plugin's environment variable names
with 'ANSIBLE_' in order to align with plugin best practices.
* Remove LogAnalytics 'requests' dep from docs
The LogAnalytics callback plugin does not actually require 'requests',
so remove it from the documented dependencies.
* Refactor LogAnalytics Ingestion to use URL utils
This replaces the previous behavior of depending on the external
'requests' library.
* Simplify LogAnalytics Ingestion token valid check
* Remove LogAnalytics Ingestion extra arg validation
Argument validation should be handled by ansible-core, so remove the
extra argument validation in the plugin itself.
* Update LogAnalytics Ingestion version added
* Remove LogAnalytics Ingestion coding marker
The marker is no longer needed as Python2 is no longer supported.
* Fix some LogAnalytics Ingestion grammar errors
* Refactor LogAnalytics Ingestion plugin messages
Consistently use "plugin" instead of module, and refer to the module by
its FQCN instead of its prose name.
* Remove LogAnalytics Ingestion extra logic
A few unused vars were being set; stop setting them.
* Fix LogAnalytics Ingestion nox sanity tests
* Fix LogAnalytics Ingestion unit tests
The refactor to move away from the 'requests' dependency to use
module_utils broke the plugin's unit tests; re-write the plugin's unit
tests for module_utils.
* Add nox formatting to LogAnalytics Ingestion
* Fix Log Analytics Ingestion urllib import
Remove the compatibility import via 'six' for 'urllib' since Python 2
support is no longer supported.
* Bump LogAnalytics Ingestion plugin version added
* Remove LogAnalytics Ingestion required: false docs
Required being false is the default, so no need to explicitly add it.
* Simplify LogAnalytics Ingestion role name logic
* Clean LogAnalytics Ingestion redundant comments
* Clean LogAnalytics Ingestion unit test code
Rename all Mock objects to use snake_case and consistently use '_mock'
as a suffix instead of sometimes using it as a prefix and sometimes
using it as a suffix.
* Refactor LogAnalytics Ingestion unit tests
Move all of the tests outside of the 'setUp' method.
* Refactor LogAnalytics Ingestion test
Add a test to validate that part of the contents sent match what was
supposed to be sent.
* Refactor LogAnalytics Ingestion test
Make the names consistent again.
* Add LogAnalytics Ingestion sample data docs
* Apply suggestions from code review
---------
(cherry picked from commit 38f93c80f1)
Co-authored-by: wtcline-intc <wade.cline@intel.com>
Co-authored-by: Felix Fontein <felix@fontein.de>
keycloak_user_rolemapping: handle None response for client role lookup (#11471)
* fix(keycloak_user_rolemapping): handle None response for client role lookup
When adding a client role to a user who has no existing roles for that
client, get_client_user_rolemapping_by_id() returns None. The existing
code indexed directly into the result causing a TypeError. Add the same
None check that already existed for realm roles since PR #11256.
Fixes#10960
* fix(tests): use dict format for task vars in keycloak_user_rolemapping tests
Task-level vars requires a YAML mapping, not a sequence. The leading
dash (- roles:) produced a list instead of a dict, which ansible-core
2.20 rejects with "Vars in a Task must be specified as a dictionary".
* Update changelogs/fragments/keycloak-user-rolemapping-client-none-check.yml
---------
(cherry picked from commit 34938ca1ef)
Co-authored-by: Ivan Kokalovic <67540157+koke1997@users.noreply.github.com>
Co-authored-by: Felix Fontein <felix@fontein.de>
keycloak_realm_key: add full support for all Keycloak key providers (#11468)
* feat(keycloak_realm_key): add support for auto-generated key providers
Add support for Keycloak's auto-generated key providers where Keycloak
manages the key material automatically:
- rsa-generated: Auto-generates RSA signing keys
- hmac-generated: Auto-generates HMAC signing keys
- aes-generated: Auto-generates AES encryption keys
- ecdsa-generated: Auto-generates ECDSA signing keys
New algorithms:
- HMAC: HS256, HS384, HS512
- ECDSA: ES256, ES384, ES512
- AES: AES (no algorithm parameter needed)
New config options:
- secret_size: For HMAC/AES providers (key size in bytes)
- key_size: For RSA-generated provider (key size in bits)
- elliptic_curve: For ECDSA-generated provider (P-256, P-384, P-521)
Changes:
- Make private_key/certificate optional (only required for rsa/rsa-enc)
- Add provider-algorithm validation with clear error messages
- Fix KeyError when managing default realm keys (issue #11459)
- Maintain backward compatibility: RS256 default works for rsa/rsa-generated
Fixes: #11459
* fix: address sanity test failures
- Add 'default: RS256' to algorithm documentation to match spec
- Add no_log=True to secret_size parameter per sanity check
* feat(keycloak_realm_key): extend support for all Keycloak key providers
Add support for remaining auto-generated key providers:
- rsa-enc-generated (RSA encryption keys with RSA1_5, RSA-OAEP, RSA-OAEP-256)
- ecdh-generated (ECDH key exchange with ECDH_ES, ECDH_ES_A128KW/A192KW/A256KW)
- eddsa-generated (EdDSA signing with Ed25519, Ed448 curves)
Changes:
- Add provider-specific elliptic curve config key mapping
(ecdsaEllipticCurveKey, ecdhEllipticCurveKey, eddsaEllipticCurveKey)
- Add PROVIDERS_WITHOUT_ALGORITHM constant for providers that don't need algorithm
- Add elliptic curve validation per provider type
- Update documentation with all supported algorithms and examples
- Add comprehensive integration tests for all new providers
This completes full coverage of all Keycloak key provider types.
* style: apply ruff formatting
* feat(keycloak_realm_key): add java-keystore provider and update_password
Add support for java-keystore provider to import keys from Java
Keystore (JKS or PKCS12) files on the Keycloak server filesystem.
Add update_password parameter to control password handling for
java-keystore provider:
- always (default): Always send passwords to Keycloak
- on_create: Only send passwords when creating, preserve existing
passwords when updating (enables idempotent playbooks)
The on_create mode sends the masked value ("**********") that Keycloak
recognizes as "preserve existing password", matching the behavior when
re-importing an exported realm.
Replace password_checksum with update_password - the checksum approach
was complex and error-prone. The update_password parameter is simpler
and follows the pattern used by ansible.builtin.user module.
Also adds key_info return value containing kid, certificate fingerprint,
status, and expiration for java-keystore keys.
* address PR review feedback
- Remove no_log=True from secret_size (just an int, not sensitive)
- Add version_added: 12.4.0 to new parameters and return values
- Remove "Added in community.general 12.4.0" from description text
- Consolidate changelog entries into 4 focused entries
- Remove bugfix from changelog (now in separate PR #11470)
* address review feedback from russoz and felixfontein
- remove docstrings from module-local helpers
- remove line-by-line comments and unnecessary null guard
- use specific exceptions instead of bare except Exception
- use module.params["key"] instead of .get("key")
- consolidate changelog into single entry
- avoid "complete set" claim, reference Keycloak 26 instead
* address round 2 review feedback
- Extract remove_sensitive_config_keys() helper (DRY refactor)
- Simplify RS256 validation to single code path
- Add TypeError to inner except in compute_certificate_fingerprint()
- Remove redundant comments (L812, L1031)
- Switch .get() to direct dict access for module.params
(cherry picked from commit 80d21f2a0d)
Co-authored-by: Ivan Kokalovic <67540157+koke1997@users.noreply.github.com>
