[backport/stable-4] Add ansible-lint to tox linters (#258) and Update tests for newer version of openshift (#254) (#259)

* Add ansible-lint to tox linters (#258) * Add ansible-lint to tox linters * Bump black * Black formatting * fix linting (cherry picked from commit f54297c2ac) * Update tests for newer version of openshift (#254) * Update tests for newer version of openshift More recent versions of ocp no longer automatically create tokens for service accounts. This updates the tests to manually create the tokens. * Update nginx template version The old image was EOL and the deployment was failing to deploy. * Fix nginx version for all tasks * Add missing var (cherry picked from commit a3c3a69bbf) --------- Co-authored-by: Mike Graves <mgraves@redhat.com>
2026-03-27 03:13:08 +00:00 · 2025-05-21 05:45:53 -07:00
parent a890d14253
commit db863c9089
12 changed files with 50 additions and 48 deletions
--- a/changelogs/fragments/242-fix-failed-token-deletion.yml
+++ b/changelogs/fragments/242-fix-failed-token-deletion.yml
@@ -1,2 +1,2 @@
 bugfixes:
-  - openshift_auth - fix issue where openshift_auth module sometimes does not delete the auth token. Based on stale PR (https://github.com/openshift/community.okd/pull/194).
+  - openshift_auth - fix issue where openshift_auth module sometimes does not delete the auth token. Based on stale PR (https://github.com/openshift/community.okd/pull/194).
--- a/molecule/default/files/nginx.env
+++ b/molecule/default/files/nginx.env
@@ -1,6 +1,7 @@
 # Want to make sure comments don't break it
 export NAME=test123
 NAMESPACE=openshift
+NGINX_VERSION=1.22-ubi8



--- a/molecule/default/tasks/openshift_adm_prune_auth_clusterroles.yml
+++ b/molecule/default/tasks/openshift_adm_prune_auth_clusterroles.yml
@@ -3,6 +3,7 @@
    - set_fact:
        test_sa: "clusterrole-sa"
        test_ns: "clusterrole-ns"
+        test_tn: "clusterrole-tn"

    - name: Ensure namespace
      kubernetes.core.k8s:
@@ -26,34 +27,27 @@
            name: "{{ test_sa }}"
            namespace: "{{ test_ns }}"

-    - name: Read Service Account
-      kubernetes.core.k8s_info:
-        kind: ServiceAccount
-        namespace: "{{ test_ns }}"
-        name: "{{ test_sa }}"
-      register: result
-
-    - set_fact:
-        secret_token: "{{ result.resources[0]['secrets'][0]['name'] }}"
+    - name: Create SA token
+      kubernetes.core.k8s:
+        definition:
+          apiVersion: v1
+          kind: Secret
+          metadata:
+            name: "{{ test_tn }}"
+            namespace: "{{ test_ns }}"
+            annotations:
+              kubernetes.io/service-account.name: "{{ test_sa }}"
+          type: kubernetes.io/service-account-token

    - name: Get secret details
      kubernetes.core.k8s_info:
        kind: Secret
-        namespace: '{{ test_ns }}'
-        name: '{{ secret_token }}'
+        namespace: "{{ test_ns }}"
+        name: "{{ test_tn }}"
      register: _secret
-      retries: 10
-      delay: 10
-      until:
-        - ("'openshift.io/token-secret.value' in _secret.resources[0]['metadata']['annotations']") or ("'token' in _secret.resources[0]['data']")
-
-    - set_fact:
-        api_token: "{{ _secret.resources[0]['metadata']['annotations']['openshift.io/token-secret.value'] }}"
-      when: "'openshift.io/token-secret.value' in _secret.resources[0]['metadata']['annotations']"

    - set_fact:
        api_token: "{{ _secret.resources[0]['data']['token'] | b64decode }}"
-      when: "'token' in _secret.resources[0]['data']"

    - name: list Node should failed (forbidden user)
      kubernetes.core.k8s_info:
--- a/molecule/default/tasks/openshift_adm_prune_auth_roles.yml
+++ b/molecule/default/tasks/openshift_adm_prune_auth_roles.yml
@@ -4,6 +4,7 @@
        test_ns: "prune-roles"
        sa_name: "roles-sa"
        pod_name: "pod-prune"
+        tn_name: "roles-sa-token"
        role_definition:
          - name: pod-list
            labels:
@@ -50,34 +51,27 @@
            name: '{{ sa_name }}'
            namespace: '{{ test_ns }}'

-    - name: Read Service Account
-      kubernetes.core.k8s_info:
-        kind: ServiceAccount
-        namespace: '{{ test_ns }}'
-        name: '{{ sa_name }}'
-      register: sa_out
-
-    - set_fact:
-        secret_token: "{{ sa_out.resources[0]['secrets'][0]['name'] }}"
+    - name: Create SA secret
+      kubernetes.core.k8s:
+        definition:
+          apiVersion: v1
+          kind: Secret
+          metadata:
+            name: "{{ tn_name }}"
+            namespace: "{{ test_ns }}"
+            annotations:
+              kubernetes.io/service-account.name: "{{ sa_name }}"
+          type: kubernetes.io/service-account-token

    - name: Get secret details
      kubernetes.core.k8s_info:
        kind: Secret
        namespace: '{{ test_ns }}'
-        name: '{{ secret_token }}'
+        name: '{{ tn_name }}'
      register: r_secret
-      retries: 10
-      delay: 10
-      until:
-        - ("'openshift.io/token-secret.value' in r_secret.resources[0]['metadata']['annotations']") or ("'token' in r_secret.resources[0]['data']")
-
-    - set_fact:
-        api_token: "{{ r_secret.resources[0]['metadata']['annotations']['openshift.io/token-secret.value'] }}"
-      when: "'openshift.io/token-secret.value' in r_secret.resources[0]['metadata']['annotations']"

    - set_fact:
        api_token: "{{ r_secret.resources[0]['data']['token'] | b64decode }}"
-      when: "'token' in r_secret.resources[0]['data']"

    - name: list resources using service account
      kubernetes.core.k8s_info:
--- a/molecule/default/tasks/openshift_process.yml
+++ b/molecule/default/tasks/openshift_process.yml
@@ -7,6 +7,7 @@
    parameters:
      NAMESPACE: openshift
      NAME: test123
+      NGINX_VERSION: "{{ nginx_version }}"
  register: result

 - name: Create the rendered resources
@@ -32,6 +33,7 @@
    parameters:
      NAMESPACE: openshift
      NAME: test123
+      NGINX_VERSION: "{{ nginx_version }}"
    state: present
    namespace_target: process-test
  register: result
@@ -44,6 +46,7 @@
      NAMESPACE: openshift
      NAME: test123
      MEMORY_LIMIT: 1Gi
+      NGINX_VERSION: "{{ nginx_version }}"
    state: present
    namespace_target: process-test
  register: result
@@ -55,6 +58,7 @@
    parameters:
      NAMESPACE: openshift
      NAME: test123
+      NGINX_VERSION: "{{ nginx_version }}"
    state: absent
    namespace_target: process-test
  register: result
--- a/molecule/default/verify.yml
+++ b/molecule/default/verify.yml
@@ -77,6 +77,7 @@
        - import_tasks: tasks/openshift_process.yml
          vars:
            files_dir: '{{ playbook_dir }}/files'
+            nginx_version: 1.22-ubi8
      always:
        - name: Delete namespace
          community.okd.k8s:
--- a/plugins/modules/openshift_adm_migrate_template_instances.py
+++ b/plugins/modules/openshift_adm_migrate_template_instances.py
@@ -295,9 +295,9 @@ class OpenShiftMigrateTemplateInstances(AnsibleOpenshiftModule):
                        object_type in transforms.keys()
                        and obj["ref"].get("apiVersion") != transforms[object_type]
                    ):
-                        ti_elem["status"]["objects"][i]["ref"][
-                            "apiVersion"
-                        ] = transforms[object_type]
+                        ti_elem["status"]["objects"][i]["ref"]["apiVersion"] = (
+                            transforms[object_type]
+                        )
                        ti_to_be_migrated.append(ti_elem)

        return ti_to_be_migrated
--- a/plugins/modules/openshift_auth.py
+++ b/plugins/modules/openshift_auth.py
@@ -225,7 +225,7 @@ def get_oauthaccesstoken_objectname_from_token(token_name):

    sha256Prefix = "sha256~"
    if token_name.startswith(sha256Prefix):
-        content = token_name[len(sha256Prefix):]
+        content = token_name[len(sha256Prefix) :]
    else:
        content = token_name
    b64encoded = urlsafe_b64encode(hashlib.sha256(content.encode()).digest()).rstrip(
--- a/plugins/modules/openshift_route.py
+++ b/plugins/modules/openshift_route.py
@@ -421,9 +421,9 @@ class OpenShiftRoute(AnsibleOpenshiftModule):
            if tls_insecure_policy == "disallow":
                tls_insecure_policy = None
        else:
-            tls_ca_cert = (
-                tls_cert
-            ) = tls_dest_ca_cert = tls_key = tls_insecure_policy = None
+            tls_ca_cert = tls_cert = tls_dest_ca_cert = tls_key = (
+                tls_insecure_policy
+            ) = None

        route = {
            "apiVersion": "route.openshift.io/v1",
--- a/tests/sanity/ignore-2.18.txt
+++ b/tests/sanity/ignore-2.18.txt
@@ -0,0 +1,3 @@
+plugins/modules/k8s.py validate-modules:parameter-type-not-in-doc
+plugins/modules/k8s.py validate-modules:return-syntax-error
+plugins/modules/openshift_process.py validate-modules:parameter-type-not-in-doc
--- a/tests/sanity/ignore-2.19.txt
+++ b/tests/sanity/ignore-2.19.txt
@@ -0,0 +1,3 @@
+plugins/modules/k8s.py validate-modules:parameter-type-not-in-doc
+plugins/modules/k8s.py validate-modules:return-syntax-error
+plugins/modules/openshift_process.py validate-modules:parameter-type-not-in-doc
--- a/tox.ini
+++ b/tox.ini
@@ -8,7 +8,7 @@ install_command = pip install {opts} {packages}

 [testenv:black]
 deps =
-  black >= 23.0, < 24.0
+  black >= 25.0, < 26.0

 commands =
  black {toxinidir}/plugins {toxinidir}/tests
@@ -24,10 +24,12 @@ commands =
 deps =
  flake8
  {[testenv:black]deps}
+  {[testenv:ansible-lint]deps}

 commands =
  black -v --check --diff {toxinidir}/plugins {toxinidir}/tests
  flake8 {toxinidir}
+  ansible-lint

 [flake8]
 # E123, E125 skipped as they are invalid PEP-8.