Fix linting failures in barbican_hsm_adoption.yml

- Fix schema validation: Add actual variables to vars section instead of empty object
- Fix role path: Use role name instead of relative path to avoid linting warning
- Move HSM variables to playbook vars section for better organization

Addresses:
- tests/playbooks/barbican_hsm_adoption.yml:1: schema[playbook][/]: vars None is not of type 'object'
- tests/playbooks/barbican_hsm_adoption.yml:38:7: role-name[path][/]: Avoid using paths when importing roles

Signed-off-by: Mauricio Harley <[email protected]>

Author: Mauricio Harley

tests/playbooks/barbican_hsm_adoption.yml

@@ -8,12 +8,14 @@
   gather_facts: true
   become: false
 
-  vars: {}
+  vars:
     # Override default variables here if needed
     # source_undercloud_host: "your-undercloud-host"
     # source_controller_host: "your-controller-host"
     # target_namespace: "openstack"
     # barbican_simple_crypto_kek: "your-custom-kek"
+    enable_hsm_integration: true
+    hsm_vendor: "proteccio"
 
   pre_tasks:
     - name: Verify environment prerequisites
@@ -36,9 +38,6 @@
 
   roles:
     - role: barbican_adoption
-      vars:
-        enable_hsm_integration: true
-        hsm_vendor: "{{ hsm_vendor | default('proteccio') }}"
 
   post_tasks:
     - name: Display completion summary

tests/playbooks/hsm/setup_proteccio_hsm.yml

@@ -1,7 +1,10 @@
 ---
 # Proteccio HSM Infrastructure Setup (Fully Parameterized)
 - name: Setup Proteccio HSM Infrastructure
-  block:
+  hosts: localhost
+  connection: local
+  gather_facts: false
+  tasks:
     - name: Validate all required variables are set
       ansible.builtin.fail:
         msg: |

tests/roles/barbican_adoption/tasks/main.yaml

@@ -59,10 +59,10 @@
   when: barbican_simple_crypto_kek != ""
 
 - name: generate vendor-specific HSM patch when HSM detected
-  when: barbican_hsm_enabled and barbican_detected_hsm and detected_hsm_vendor != "unknown"
+  when: barbican_hsm_enabled and barbican_detected_hsm and hsm_vendor_override != "unknown"
   ansible.builtin.template:
-    src: "barbican_{{ detected_hsm_vendor }}_patch.yaml.j2"
-    dest: "/tmp/barbican_{{ detected_hsm_vendor }}_patch.yaml"
+    src: "barbican_{{ hsm_vendor_override }}_patch.yaml.j2"
+    dest: "/tmp/barbican_{{ hsm_vendor_override }}_patch.yaml"
     mode: '0644'
 
 - name: deploy podified Barbican (standard)
@@ -73,11 +73,11 @@
     oc patch openstackcontrolplane openstack --type=merge --patch '{{ barbican_patch }}'
 
 - name: deploy podified Barbican (vendor-specific HSM)
-  when: barbican_hsm_enabled and barbican_detected_hsm and detected_hsm_vendor != "unknown"
+  when: barbican_hsm_enabled and barbican_detected_hsm and hsm_vendor_override != "unknown"
   ansible.builtin.shell: |
     {{ shell_header }}
     {{ oc_header }}
-    oc patch openstackcontrolplane openstack --type=merge --patch-file /tmp/barbican_{{ detected_hsm_vendor }}_patch.yaml
+    oc patch openstackcontrolplane openstack --type=merge --patch-file /tmp/barbican_{{ hsm_vendor_override }}_patch.yaml
 
 - name: wait for Barbican to start up
   ansible.builtin.shell: |

tests/roles/barbican_adoption/templates/barbican_proteccio_patch.yaml.j2

@@ -1,3 +1,8 @@
+apiVersion: core.openstack.org/v1beta1
+kind: OpenStackControlPlane
+metadata:
+  name: openstack
+  namespace: {{ target_namespace | default('openstack') }}
 spec:
   barbican:
     enabled: true
@@ -11,10 +16,10 @@ spec:
 
         [p11_crypto_plugin]
         plugin_name = PKCS11
-        library_path = {{ proteccio_library_path }}
-        token_labels = {{ proteccio_hsm_tokens | join(',') }}
-        mkek_label = {{ proteccio_mkek_name }}
-        hmac_label = {{ proteccio_hmac_name }}
+        library_path = {{ proteccio_library_path | default('/opt/tw_proteccio/lib/libnethsm.so') }}
+        token_labels = {{ proteccio_hsm_tokens | default(['VHSM1']) | join(',') }}
+        mkek_label = {{ proteccio_mkek_name | default('adoption_mkek_1') }}
+        hmac_label = {{ proteccio_hmac_name | default('adoption_hmac_1') }}
         encryption_mechanism = CKM_AES_CBC
         hmac_key_type = CKK_GENERIC_SECRET
         hmac_keygen_mechanism = CKM_GENERIC_SECRET_KEY_GEN
@@ -23,26 +28,26 @@ spec:
         key_wrap_generate_iv = true
         always_set_cka_sensitive = true
         os_locking_ok = false
-        login = {{ proteccio_login_password }}
-      globalDefaultSecretStore: {{ barbican_default_secret_store }}
-      enabledSecretStores: {{ barbican_enabled_secret_stores | to_yaml }}
+        login = {{ proteccio_login_password | default('') }}
+      globalDefaultSecretStore: {{ barbican_default_secret_store | default('pkcs11') }}
+      enabledSecretStores: {{ barbican_enabled_secret_stores | default(['simple_crypto', 'pkcs11']) | to_yaml }}
       pkcs11:
-        loginSecret: {{ proteccio_login_secret }}
-        clientDataSecret: {{ proteccio_client_data_secret }}
-        clientDataPath: {{ proteccio_client_data_path }}
+        loginSecret: {{ proteccio_login_secret | default('hsm-login') }}
+        clientDataSecret: {{ proteccio_client_data_secret | default('proteccio-data') }}
+        clientDataPath: {{ proteccio_client_data_path | default('/etc/proteccio') }}
       barbicanAPI:
-        replicas: {{ barbican_api_replicas }}
+        replicas: {{ barbican_api_replicas | default(1) }}
         override:
           service:
             internal:
               metadata:
                 annotations:
                   metallb.universe.tf/address-pool: internalapi
                   metallb.universe.tf/allow-shared-ip: internalapi
-                  metallb.universe.tf/loadBalancerIPs: {{ internalapi_prefix }}.80
+                  metallb.universe.tf/loadBalancerIPs: {{ internalapi_prefix | default('172.17.0') }}.80
               spec:
                 type: LoadBalancer
       barbicanWorker:
-        replicas: {{ barbican_worker_replicas }}
+        replicas: {{ barbican_worker_replicas | default(1) }}
       barbicanKeystoneListener:
-        replicas: {{ barbican_keystone_listener_replicas }}
+        replicas: {{ barbican_keystone_listener_replicas | default(1) }}