Always update NGINX dependencies to the latest available version (#452)

alessfg · web-flow · commit 5dbbe39ca4a9 · 2021-10-06T00:20:23.000+02:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,16 @@
 # Changelog
 
+## 0.21.2 (Unreleased)
+
+ENHANCEMENTS:
+
+* Change Ansible Lint exceptions from using an ID identifier to a text identifier.
+* Move non NGINX specific dependencies from the role into the Molecule Dockerfile.
+
+BUG FIXES:
+
+Always update NGINX dependencies to the latest available version to avoid outdated dependency issues (e.g. outdated CA certificates).
+
 ## 0.21.1 (September 29, 2021)
 
 FEATURES:
diff --git a/molecule/common/Dockerfile.j2 b/molecule/common/Dockerfile.j2
@@ -17,7 +17,7 @@ ENV {{ var }} {{ value }}
 RUN \
   if [ $(command -v apt-get) ]; then \
     apt-get update \
-    && DEBIAN_FRONTEND=noninteractive apt-get install -y aptitude bash ca-certificates curl iproute2 python3 python3-apt procps sudo systemd systemd-sysv vim \
+    && DEBIAN_FRONTEND=noninteractive apt-get install -y aptitude bash curl dirmngr iproute2 python3 python3-apt procps sudo systemd systemd-sysv vim \
     && apt-get clean; \
   elif [ $(command -v dnf) ]; then \
     dnf makecache \
@@ -34,10 +34,10 @@ RUN \
     && zypper clean -a; \
   elif [ $(command -v apk) ]; then \
     apk update \
-    && apk add --no-cache bash ca-certificates curl openrc python3 sudo vim; \
+    && apk add --no-cache bash curl openrc python3 sudo vim; \
     echo 'rc_provide="loopback net"' >> /etc/rc.conf; \
   elif [ $(command -v xbps-install) ]; then \
     xbps-install -Syu \
-    && xbps-install -y bash ca-certificates iproute2 python3 sudo vim \
+    && xbps-install -y bash iproute2 python3 sudo vim \
     && xbps-remove -O; \
   fi
diff --git a/molecule/default/converge.yml b/molecule/default/converge.yml
@@ -17,7 +17,7 @@
     - name: Enable NGINX @CentOS-AppStream dnf modules
       shell:
       args:
-        cmd: dnf module info nginx | grep -q 'Stream.*\[e\]' && echo -n ENABLED || dnf module enable -y nginx  # noqa 204 303
+        cmd: dnf module info nginx | grep -q 'Stream.*\[e\]' && echo -n ENABLED || dnf module enable -y nginx  # noqa command-instead-of-module
       register: dnf_module_enable
       changed_when: dnf_module_enable.stdout != 'ENABLED'
       when: ansible_facts['os_family'] == "RedHat" and ansible_facts['distribution_major_version'] is version('8', '==')
diff --git a/tasks/prerequisites/install-dependencies.yml b/tasks/prerequisites/install-dependencies.yml
@@ -3,35 +3,43 @@
   apk:
     name: "{{ nginx_alpine_dependencies }}"
     update_cache: true
+    state: latest  # noqa package-latest
   when: ansible_facts['os_family'] == "Alpine"
 
 - name: (Debian/Ubuntu) Install dependencies
   apt:
     name: "{{ nginx_debian_dependencies }}"
     update_cache: true
+    state: latest  # noqa package-latest
   when: ansible_facts['os_family'] == "Debian"
 
 - name: (Amazon Linux/CentOS/Oracle Linux/RHEL) Install dependencies
   yum:
     name: "{{ nginx_redhat_dependencies }}"
+    update_cache: true
+    state: latest  # noqa package-latest
   when: ansible_facts['os_family'] == "RedHat"
 
 - name: (SLES) Install dependencies
   zypper:
     name: "{{ nginx_sles_dependencies }}"
+    update_cache: true
+    state: latest  # noqa package-latest
   when: ansible_facts['os_family'] == "Suse"
 
 - name: (FreeBSD) Install dependencies
   block:
     - name: (FreeBSD) Install dependencies using package(s)
       pkgng:
         name: "{{ nginx_freebsd_dependencies }}"
+        state: latest  # noqa package-latest
       when: nginx_bsd_install_packages | bool
 
     - name: (FreeBSD) Install dependencies using port(s)
       portinstall:
         name: "{{ item }}"
         use_packages: "{{ nginx_bsd_portinstall_use_packages | default(omit) }}"
+        state: latest  # noqa package-latest
       loop: "{{ nginx_freebsd_dependencies }}"
       when: not nginx_bsd_install_packages | bool
   when: ansible_facts['distribution'] == "FreeBSD"
diff --git a/tasks/prerequisites/setup-selinux.yml b/tasks/prerequisites/setup-selinux.yml
@@ -86,7 +86,7 @@
   changed_when: false
 
 - name: Import SELinux NGINX Plus module
-  command: "semodule -i {{ nginx_selinux_tempdir }}/nginx-plus-module.pp"  # noqa 503
+  command: "semodule -i {{ nginx_selinux_tempdir }}/nginx-plus-module.pp"  # noqa no-handler
   changed_when: false
   when: nginx_selinux_module.changed | bool
 
diff --git a/vars/main.yml b/vars/main.yml
@@ -44,17 +44,17 @@ nginx_plus_default_repository_suse: "https://pkgs.nginx.com/plus/sles/{{ ansible
 
 # Alpine dependencies
 nginx_alpine_dependencies: [
-  'coreutils', 'openssl', 'pcre',
+  'ca-certificates', 'coreutils', 'openssl', 'pcre',
 ]
 
 # Debian dependencies
 nginx_debian_dependencies: [
-  'apt-transport-https', 'ca-certificates', 'dirmngr',
+  'apt-transport-https', 'ca-certificates',
 ]
 
 # Red Hat dependencies
 nginx_redhat_dependencies: [
-  'ca-certificates', 'openssl', 'yum-utils',
+  'ca-certificates',
 ]
 
 # SLES dependencies

Original file line number	Diff line number	Diff line change
`@@ -44,17 +44,17 @@ nginx_plus_default_repository_suse: "https://pkgs.nginx.com/plus/sles/{{ ansible`
`44`	`44`
`45`	`45`	`# Alpine dependencies`
`46`	`46`	`nginx_alpine_dependencies: [`
`47`		`- 'coreutils', 'openssl', 'pcre',`
	`47`	`+ 'ca-certificates', 'coreutils', 'openssl', 'pcre',`
`48`	`48`	`]`
`49`	`49`
`50`	`50`	`# Debian dependencies`
`51`	`51`	`nginx_debian_dependencies: [`
`52`		`- 'apt-transport-https', 'ca-certificates', 'dirmngr',`
	`52`	`+ 'apt-transport-https', 'ca-certificates',`
`53`	`53`	`]`
`54`	`54`
`55`	`55`	`# Red Hat dependencies`
`56`	`56`	`nginx_redhat_dependencies: [`
`57`		`- 'ca-certificates', 'openssl', 'yum-utils',`
	`57`	`+ 'ca-certificates',`
`58`	`58`	`]`
`59`	`59`
`60`	`60`	`# SLES dependencies`