From db863c9089f851ebd27798cb80eccb3fb8544366 Mon Sep 17 00:00:00 2001 From: Mandar Kulkarni Date: Wed, 21 May 2025 05:45:53 -0700 Subject: [PATCH] [backport/stable-4] Add ansible-lint to tox linters (#258) and Update tests for newer version of openshift (#254) (#259) * Add ansible-lint to tox linters (#258) * Add ansible-lint to tox linters * Bump black * Black formatting * fix linting (cherry picked from commit f54297c2ac50e53bbd113d83578d8342472ca2f9) * Update tests for newer version of openshift (#254) * Update tests for newer version of openshift More recent versions of ocp no longer automatically create tokens for service accounts. This updates the tests to manually create the tokens. * Update nginx template version The old image was EOL and the deployment was failing to deploy. * Fix nginx version for all tasks * Add missing var (cherry picked from commit a3c3a69bbfc608ec1f21df34d7d12f1557b8bdca) --------- Co-authored-by: Mike Graves --- .../242-fix-failed-token-deletion.yml | 2 +- molecule/default/files/nginx.env | 1 + .../openshift_adm_prune_auth_clusterroles.yml | 34 ++++++++----------- .../tasks/openshift_adm_prune_auth_roles.yml | 32 +++++++---------- molecule/default/tasks/openshift_process.yml | 4 +++ molecule/default/verify.yml | 1 + ...penshift_adm_migrate_template_instances.py | 6 ++-- plugins/modules/openshift_auth.py | 2 +- plugins/modules/openshift_route.py | 6 ++-- tests/sanity/ignore-2.18.txt | 3 ++ tests/sanity/ignore-2.19.txt | 3 ++ tox.ini | 4 ++- 12 files changed, 50 insertions(+), 48 deletions(-) create mode 100644 tests/sanity/ignore-2.18.txt create mode 100644 tests/sanity/ignore-2.19.txt diff --git a/changelogs/fragments/242-fix-failed-token-deletion.yml b/changelogs/fragments/242-fix-failed-token-deletion.yml index a0b770d..9aad842 100644 --- a/changelogs/fragments/242-fix-failed-token-deletion.yml +++ b/changelogs/fragments/242-fix-failed-token-deletion.yml 
@@ -1,2 +1,2 @@ bugfixes: - - openshift_auth - fix issue where openshift_auth module sometimes does not delete the auth token. Based on stale PR (https://github.com/openshift/community.okd/pull/194). \ No newline at end of file + - openshift_auth - fix issue where openshift_auth module sometimes does not delete the auth token. Based on stale PR (https://github.com/openshift/community.okd/pull/194). diff --git a/molecule/default/files/nginx.env b/molecule/default/files/nginx.env index 939ad0d..e6bcb3a 100644 --- a/molecule/default/files/nginx.env +++ b/molecule/default/files/nginx.env @@ -1,6 +1,7 @@ # Want to make sure comments don't break it export NAME=test123 NAMESPACE=openshift +NGINX_VERSION=1.22-ubi8 diff --git a/molecule/default/tasks/openshift_adm_prune_auth_clusterroles.yml b/molecule/default/tasks/openshift_adm_prune_auth_clusterroles.yml index bac18bf..e46ec40 100644 --- a/molecule/default/tasks/openshift_adm_prune_auth_clusterroles.yml +++ b/molecule/default/tasks/openshift_adm_prune_auth_clusterroles.yml @@ -3,6 +3,7 @@ - set_fact: test_sa: "clusterrole-sa" test_ns: "clusterrole-ns" + test_tn: "clusterrole-tn" - name: Ensure namespace kubernetes.core.k8s: 
@@ -26,34 +27,27 @@ name: "{{ test_sa }}" namespace: "{{ test_ns }}" - - name: Read Service Account - kubernetes.core.k8s_info: - kind: ServiceAccount - namespace: "{{ test_ns }}" - name: "{{ test_sa }}" - register: result - - - set_fact: - secret_token: "{{ result.resources[0]['secrets'][0]['name'] }}" + - name: Create SA token + kubernetes.core.k8s: + definition: + apiVersion: v1 + kind: Secret + metadata: + name: "{{ test_tn }}" + namespace: "{{ test_ns }}" + annotations: + kubernetes.io/service-account.name: "{{ test_sa }}" + type: kubernetes.io/service-account-token - name: Get secret details kubernetes.core.k8s_info: kind: Secret - namespace: '{{ test_ns }}' - name: '{{ secret_token }}' + namespace: "{{ test_ns }}" + name: "{{ test_tn }}" register: _secret - retries: 10 - delay: 10 - until: - - ("'openshift.io/token-secret.value' in _secret.resources[0]['metadata']['annotations']") or ("'token' in _secret.resources[0]['data']") - - - set_fact: - api_token: "{{ _secret.resources[0]['metadata']['annotations']['openshift.io/token-secret.value'] }}" - when: "'openshift.io/token-secret.value' in _secret.resources[0]['metadata']['annotations']" - set_fact: api_token: "{{ _secret.resources[0]['data']['token'] | b64decode }}" - when: "'token' in _secret.resources[0]['data']" - name: list Node should failed (forbidden user) kubernetes.core.k8s_info: diff --git a/molecule/default/tasks/openshift_adm_prune_auth_roles.yml b/molecule/default/tasks/openshift_adm_prune_auth_roles.yml index 652c423..c9913f1 100644 --- a/molecule/default/tasks/openshift_adm_prune_auth_roles.yml +++ b/molecule/default/tasks/openshift_adm_prune_auth_roles.yml @@ -4,6 +4,7 @@ test_ns: "prune-roles" sa_name: "roles-sa" pod_name: "pod-prune" + tn_name: "roles-sa-token" role_definition: - name: pod-list labels: 
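Review bot: The `Get secret details` task in openshift_adm_prune_auth_clusterroles.yml lost its `retries`/`delay`/`until` loop, but the `token` key of a manually created `kubernetes.io/service-account-token` Secret is filled in asynchronously by the cluster. The `set_fact` that follows can therefore read a Secret that has no `data.token` yet and fail intermittently. I would keep a wait on the new lookup, for example `retries: 10`, `delay: 10` and `until: "'token' in (_secret.resources[0].data | default({}))"`. The second hunk of openshift_adm_prune_auth_roles.yml (`r_secret`) has the same gap. Because the decoded value is a non-expiring service account token, `no_log: true` on the `set_fact` would also keep it out of verbose test output.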
@@ -50,34 +51,27 @@ name: '{{ sa_name }}' namespace: '{{ test_ns }}' - - name: Read Service Account - kubernetes.core.k8s_info: - kind: ServiceAccount - namespace: '{{ test_ns }}' - name: '{{ sa_name }}' - register: sa_out - - - set_fact: - secret_token: "{{ sa_out.resources[0]['secrets'][0]['name'] }}" + - name: Create SA secret + kubernetes.core.k8s: + definition: + apiVersion: v1 + kind: Secret + metadata: + name: "{{ tn_name }}" + namespace: "{{ test_ns }}" + annotations: + kubernetes.io/service-account.name: "{{ sa_name }}" + type: kubernetes.io/service-account-token - name: Get secret details kubernetes.core.k8s_info: kind: Secret namespace: '{{ test_ns }}' - name: '{{ secret_token }}' + name: '{{ tn_name }}' register: r_secret - retries: 10 - delay: 10 - until: - - ("'openshift.io/token-secret.value' in r_secret.resources[0]['metadata']['annotations']") or ("'token' in r_secret.resources[0]['data']") - - - set_fact: - api_token: "{{ r_secret.resources[0]['metadata']['annotations']['openshift.io/token-secret.value'] }}" - when: "'openshift.io/token-secret.value' in r_secret.resources[0]['metadata']['annotations']" - set_fact: api_token: "{{ r_secret.resources[0]['data']['token'] | b64decode }}" - when: "'token' in r_secret.resources[0]['data']" - name: list resources using service account kubernetes.core.k8s_info: diff --git a/molecule/default/tasks/openshift_process.yml b/molecule/default/tasks/openshift_process.yml index 4341bf2..feb1208 100644 --- a/molecule/default/tasks/openshift_process.yml +++ b/molecule/default/tasks/openshift_process.yml @@ -7,6 +7,7 @@ parameters: NAMESPACE: openshift NAME: test123 + NGINX_VERSION: "{{ nginx_version }}" register: result - name: Create the rendered resources @@ -32,6 +33,7 @@ parameters: NAMESPACE: openshift NAME: test123 + NGINX_VERSION: "{{ nginx_version }}" state: present namespace_target: process-test register: result 
@@ -44,6 +46,7 @@ NAMESPACE: openshift NAME: test123 MEMORY_LIMIT: 1Gi + NGINX_VERSION: "{{ nginx_version }}" state: present namespace_target: process-test register: result @@ -55,6 +58,7 @@ parameters: NAMESPACE: openshift NAME: test123 + NGINX_VERSION: "{{ nginx_version }}" state: absent namespace_target: process-test register: result diff --git a/molecule/default/verify.yml b/molecule/default/verify.yml index b787062..f714183 100644 --- a/molecule/default/verify.yml +++ b/molecule/default/verify.yml @@ -77,6 +77,7 @@ - import_tasks: tasks/openshift_process.yml vars: files_dir: '{{ playbook_dir }}/files' + nginx_version: 1.22-ubi8 always: - name: Delete namespace community.okd.k8s: diff --git a/plugins/modules/openshift_adm_migrate_template_instances.py b/plugins/modules/openshift_adm_migrate_template_instances.py index ba3039d..0033e14 100644 --- a/plugins/modules/openshift_adm_migrate_template_instances.py +++ b/plugins/modules/openshift_adm_migrate_template_instances.py @@ -295,9 +295,9 @@ class OpenShiftMigrateTemplateInstances(AnsibleOpenshiftModule): object_type in transforms.keys() and obj["ref"].get("apiVersion") != transforms[object_type] ): - ti_elem["status"]["objects"][i]["ref"][ - "apiVersion" - ] = transforms[object_type] + ti_elem["status"]["objects"][i]["ref"]["apiVersion"] = ( + transforms[object_type] + ) ti_to_be_migrated.append(ti_elem) return ti_to_be_migrated diff --git a/plugins/modules/openshift_auth.py b/plugins/modules/openshift_auth.py index 6e213ab..62db3f7 100644 --- a/plugins/modules/openshift_auth.py +++ b/plugins/modules/openshift_auth.py @@ -225,7 +225,7 @@ def get_oauthaccesstoken_objectname_from_token(token_name): sha256Prefix = "sha256~" if token_name.startswith(sha256Prefix): - content = token_name[len(sha256Prefix):] + content = token_name[len(sha256Prefix) :] else: content = token_name b64encoded = urlsafe_b64encode(hashlib.sha256(content.encode()).digest()).rstrip( 
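Review bot: `nginx_version: 1.22-ubi8` in verify.yml is an unquoted scalar that parses as a string only because of the `-ubi8` suffix; a later bump to a purely numeric tag would be read as a float (for instance `1.20` would become `1.2`). Quoting it as `nginx_version: "1.22-ubi8"` avoids that. The same tag is written separately as `NGINX_VERSION=1.22-ubi8` in molecule/default/files/nginx.env, so the two values have to be bumped together. A short comment next to either one pointing at the other would help. The enclosing block in verify.yml starts and ends outside the hunk.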
diff --git a/plugins/modules/openshift_route.py b/plugins/modules/openshift_route.py index ea73db7..8e95b43 100644 --- a/plugins/modules/openshift_route.py +++ b/plugins/modules/openshift_route.py @@ -421,9 +421,9 @@ class OpenShiftRoute(AnsibleOpenshiftModule): if tls_insecure_policy == "disallow": tls_insecure_policy = None else: - tls_ca_cert = ( - tls_cert - ) = tls_dest_ca_cert = tls_key = tls_insecure_policy = None + tls_ca_cert = tls_cert = tls_dest_ca_cert = tls_key = ( + tls_insecure_policy + ) = None route = { "apiVersion": "route.openshift.io/v1", diff --git a/tests/sanity/ignore-2.18.txt b/tests/sanity/ignore-2.18.txt new file mode 100644 index 0000000..2fd2bdc --- /dev/null +++ b/tests/sanity/ignore-2.18.txt @@ -0,0 +1,3 @@ +plugins/modules/k8s.py validate-modules:parameter-type-not-in-doc +plugins/modules/k8s.py validate-modules:return-syntax-error +plugins/modules/openshift_process.py validate-modules:parameter-type-not-in-doc \ No newline at end of file diff --git a/tests/sanity/ignore-2.19.txt b/tests/sanity/ignore-2.19.txt new file mode 100644 index 0000000..2fd2bdc --- /dev/null +++ b/tests/sanity/ignore-2.19.txt @@ -0,0 +1,3 @@ +plugins/modules/k8s.py validate-modules:parameter-type-not-in-doc +plugins/modules/k8s.py validate-modules:return-syntax-error +plugins/modules/openshift_process.py validate-modules:parameter-type-not-in-doc \ No newline at end of file diff --git a/tox.ini b/tox.ini index 57fd1d9..b880c46 100644 --- a/tox.ini +++ b/tox.ini @@ -8,7 +8,7 @@ install_command = pip install {opts} {packages} [testenv:black] deps = - black >= 23.0, < 24.0 + black >= 25.0, < 26.0 commands = black {toxinidir}/plugins {toxinidir}/tests @@ -24,10 +24,12 @@ commands = deps = flake8 {[testenv:black]deps} + {[testenv:ansible-lint]deps} commands = black -v --check --diff {toxinidir}/plugins {toxinidir}/tests flake8 {toxinidir} + ansible-lint [flake8] # E123, E125 skipped as they are invalid PEP-8.
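Review bot: The reformatted reset in the `else:` branch of openshift_route.py, `tls_ca_cert = tls_cert = tls_dest_ca_cert = tls_key = (tls_insecure_policy) = None`, is hard to read because one assignment target is parenthesised and split across lines. It is easy to miss that `tls_insecure_policy` is cleared along with the certificate and key values. Writing it as two statements, `tls_ca_cert = tls_cert = tls_dest_ca_cert = tls_key = None` followed by `tls_insecure_policy = None`, behaves the same and should stay within the line length, so black would leave it alone. The enclosing method starts and ends outside the hunk.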
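Review bot: The deps list in the second tox.ini hunk now substitutes `{[testenv:ansible-lint]deps}`, but this patch adds no `[testenv:ansible-lint]` section (the diffstat shows only four changed lines in tox.ini). The reference resolves only if that section already exists on stable-4, which is worth confirming for a backport. Separately, the black-formatted slice `token_name[len(sha256Prefix) :]` in openshift_auth.py is reported by flake8 as E203 unless that code is ignored; the `[flake8]` section continues outside the hunk, so check that `E203` is in its ignore list. `flake8` is listed without a version bound, unlike `black`, and giving it one would keep the lint job reproducible.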