repos now controlled by groups + possible during configure + guarded against cred leaks

wtripp180901 · wtripp180901 · commit 6c74a1e15fcf · 2024-12-16T15:51:29.000Z
diff --git a/ansible/bootstrap.yml b/ansible/bootstrap.yml
@@ -110,6 +110,20 @@
         policy: "{{ selinux_policy }}"
       register: sestatus
 
+- hosts: dnf_repos
+  become: yes
+  tasks:
+  - name: Check that creds won't be leaked to users
+    ansible.builtin.assert:
+      that: dnf_repos_password is undefined
+      fail_msg: Passwords should not be templated into repofiles during configure, unset 'dnf_repos_password'
+    when: appliances_mode == 'configure'
+  - name: Replace system repos with pulp repos 
+    ansible.builtin.include_role:
+      name: dnf_repos
+      tasks_from: set_repos.yml
+    when: ansible_distribution_major_version == "9" #TODO update role once RL8 config decided
+
 # --- tasks after here require access to package repos ---
 - hosts: squid
   tags: squid
diff --git a/ansible/disable-repos.yml b/ansible/disable-repos.yml
@@ -0,0 +1,8 @@
+- hosts: dnf_repos
+  become: yes
+  tasks:
+    - name: Disable pulp repos
+      ansible.builtin.include_role:
+        name: dnf_repos
+        tasks_from: disable_repos.yml
+      when: ansible_distribution_major_version == "9" #TODO update role once RL8 config decided
diff --git a/ansible/fatimage.yml b/ansible/fatimage.yml
@@ -27,15 +27,6 @@
         delegate_to: localhost
     when: appliances_mode != 'configure'
 
-- hosts: dnf_repos
-  become: yes
-  tasks:
-  - name: Replace system repos with pulp repos 
-    ansible.builtin.include_role:
-      name: dnf_repos
-      tasks_from: set_repos.yml
-    when: appliances_mode != 'configure' and ansible_distribution_major_version == "9" #TODO update role once RL8 config decided
-
 - import_playbook: bootstrap.yml
 
 - name: Run post-bootstrap.yml hook
@@ -229,14 +220,7 @@
       import_role:
         name: doca
 
-- hosts: dnf_repos
-  become: yes
-  tasks:
-    - name: Disable pulp repos
-      ansible.builtin.include_role:
-        name: dnf_repos
-        tasks_from: disable_repos.yml
-      when: appliances_mode != 'configure' and ansible_distribution_major_version == "9" #TODO update role once RL8 config decided
+- import_playbook: disable_repos.yml
 
 - name: Run post.yml hook
   vars:
diff --git a/ansible/site.yml b/ansible/site.yml
@@ -27,6 +27,7 @@
 - import_playbook: slurm.yml
 - import_playbook: portal.yml
 - import_playbook: monitoring.yml
+- import_playbook: disable_repos.yml
 
 - name: Run post.yml hook
   vars:
diff --git a/environments/common/inventory/groups b/environments/common/inventory/groups
@@ -147,8 +147,8 @@ freeipa_client
 
 [dnf_repos:children]
 # Hosts to replace system repos with Pulp repos
+# Warning: when using Ark directly rather than a local Pulp server, adding hosts other than `builder` will leak Ark creds to users
 builder
 
 [pulp]
 # Add builder to this group to enable automatically syncing of pulp during image build
-# Warning: when using Ark directly rather than a local Pulp server, adding hosts other than `builder` risks leaking Ark creds
