Merge remote-tracking branch 'origin/main' into ci/enable-linting

Author: maxstack

ansible/roles/freeipa/README.md

@@ -38,6 +38,7 @@ Support FreeIPA in the appliance. In production use it is expected the FreeIPA s
 
 - `freeipa_host_password`. Required for initial enrolment only, FreeIPA host password as described above.
 - `freeipa_setup_dns`: Optional, whether to use the FreeIPA server as the client's nameserver. Defaults to `true` when `freeipa_server` contains a host, otherwise `false`.
+- `freeipa_ca_cert_file`: Optional, path **on the ansible deploy host** to FreeIPA server cert. Else this will be downloaded (insecurely) from the FreeIPA server over http.
 
 See also use of `appliances_state_dir` on the control node as described above.
 

ansible/roles/freeipa/defaults/main.yml

@@ -11,5 +11,5 @@ freeipa_user_defaults:
   ipa_pass: "{{ freeipa_admin_password | quote }}"
   ipa_user: admin
 freeipa_users: [] # see community.general.ipa_user
-
+freeipa_ca_cert_file: ''
 _freeipa_keytab_backup_path: "{{ hostvars[groups['control'].0].appliances_state_dir  }}/freeipa/{{ inventory_hostname }}/krb5.keytab"

ansible/roles/freeipa/tasks/enrol.yml

@@ -18,6 +18,15 @@
     mode: ug=rw,o=
   when: '"content" in _slurp_persisted_keytab'
 
+- name: Copy CA Cert to host
+  ansible.builtin.copy:
+    src: "{{ freeipa_ca_cert_file }}"
+    dest: /etc/ipa/ca.crt
+    mode: u=rw,go=r
+    owner: root
+    group: root
+  when: freeipa_ca_cert_file != ''
+
 - name: Re-enrol with FreeIPA using backed-up keytab
   # Re-enrolment requires --force-join and --password, or --keytab
   # Re-rolement means:
@@ -33,6 +42,9 @@
         --mkhomedir
         --enable-dns-updates
         --keytab /tmp/krb5.keytab
+        {% if freeipa_ca_cert_file != '' %}
+        --ca-cert-file=/etc/ipa/ca.crt
+        {% endif %}
   when: '"content" in _slurp_persisted_keytab'
   register: ipa_client_install_keytab
   changed_when: ipa_client_install_keytab.rc == 0
@@ -49,6 +61,9 @@
         --mkhomedir
         --enable-dns-updates
         --password '{{ freeipa_host_password }}'
+        {% if freeipa_ca_cert_file != '' %}
+        --ca-cert-file=/etc/ipa/ca.crt
+        {% endif %}
   when:
     - '"content" not in _slurp_persisted_keytab'
     - freeipa_host_password is defined

ansible/roles/ofed/README.md

@@ -1,5 +1,10 @@
 # ofed
 
+> [!IMPORTANT]
+> This role is deprecated - it is not regularly maintained and StackHPC CI
+> does not test that it works. Consider using [ansible/roles/doca](../doca/README.md)
+> instead.
+
 This role installs Mellanox OFED:
 
 - It checks that the running kernel is the latest installed one, and errors if not.

docs/upgrades.md

@@ -63,10 +63,10 @@ git push
 Make changes as necessary.
 
 1. Identify image(s) from the relevant [Slurm appliance release](https://github.com/stackhpc/ansible-slurm-appliance/releases), and download
-   using the link on the release plus the image name, e.g. for an image `openhpc-ofed-RL8-240906-1042-32568dbb`:
+   using the link on the release plus the image name, e.g. for an image `openhpc-RL9-250708-1547-1494192e`:
 
 ```shell
-wget https://object.arcus.openstack.hpc.cam.ac.uk/swift/v1/AUTH_3a06571936a0424bb40bc5c672c4ccb1/openhpc-images/openhpc-ofed-RL8-240906-1042-32568dbb
+wget https://object.arcus.openstack.hpc.cam.ac.uk/swift/v1/AUTH_3a06571936a0424bb40bc5c672c4ccb1/openhpc-images/openhpc-RL9-250708-1547-1494192e
 ```
 
 Note that some releases may not include new images. In this case use the image from the latest previous release with new images.

requirements.txt

@@ -1,6 +1,6 @@
 ansible==6.7.0 # cloudalchemy.prometheus uses ansible.builtin.include, removed in ansible-core==2.16 => ansible==9
 openstacksdk
-python-openstackclient==6.6.1 # v7.0.0 has a bug re. rebuild
+python-openstackclient==8.0.0
 python-manilaclient
 python-ironicclient
 jmespath