Add ansible-lint CI

Author: Alex-Welsh

.ansible-lint-ignore

@@ -0,0 +1,28 @@
+# This file contains ignores rule violations for ansible-lint
+etc/kayobe/ansible/ceph-enter-maintenance.yml syntax-check[specific]
+etc/kayobe/ansible/ceph-exit-maintenance.yml syntax-check[specific]
+etc/kayobe/ansible/cephadm-commands-post.yml syntax-check[specific]
+etc/kayobe/ansible/cephadm-commands-pre.yml syntax-check[specific]
+etc/kayobe/ansible/cephadm-crush-rules.yml syntax-check[specific]
+etc/kayobe/ansible/cephadm-deploy.yml syntax-check[specific]
+etc/kayobe/ansible/cephadm-ec-profiles.yml syntax-check[specific]
+etc/kayobe/ansible/cephadm-gather-keys.yml syntax-check[unknown-module]
+etc/kayobe/ansible/cephadm-keys.yml syntax-check[specific]
+etc/kayobe/ansible/cephadm-pools.yml syntax-check[specific]
+etc/kayobe/ansible/cephadm.yml name[play]
+etc/kayobe/ansible/configure-vxlan.yml syntax-check[specific]
+etc/kayobe/ansible/deploy-github-runner.yml syntax-check[specific]
+etc/kayobe/ansible/fix-houston.yml command-instead-of-module
+etc/kayobe/ansible/rabbitmq-reset.yml command-instead-of-module
+etc/kayobe/ansible/ubuntu-upgrade.yml syntax-check[missing-file]
+etc/kayobe/ansible/vault-deploy-barbican.yml syntax-check[unknown-module]
+etc/kayobe/ansible/vault-deploy-overcloud.yml syntax-check[specific]
+etc/kayobe/ansible/vault-deploy-seed.yml syntax-check[specific]
+etc/kayobe/ansible/vault-generate-backend-tls.yml syntax-check[unknown-module]
+etc/kayobe/ansible/vault-generate-internal-tls.yml syntax-check[unknown-module]
+etc/kayobe/ansible/vault-generate-test-external-tls.yml syntax-check[unknown-module]
+etc/kayobe/ansible/vault-unseal-overcloud.yml syntax-check[specific]
+etc/kayobe/ansible/vault-unseal-seed.yml syntax-check[specific]
+etc/kayobe/ansible/wazuh-agent.yml syntax-check[specific]
+etc/kayobe/ansible/wazuh-manager.yml syntax-check[specific]
+etc/kayobe/ansible/write-github-workflows.yml syntax-check[specific]

.github/workflows/stackhpc-pull-request.yml

@@ -69,12 +69,9 @@ jobs:
       matrix:
         include:
           # NOTE(upgrade): Keep these in sync with Kayobe's supported Ansible and Python versions (see release notes).
-          - ansible: "2.12"
-            # ansible-lint 6+ is not supported on Python 3.8.
-            ansible-lint: "5"
-            python: "3.8"
-          - ansible: "2.13"
-            ansible-lint: "6"
+          - ansible: "2.16"
+            python: "3.12"
+          - ansible: "2.15"
             python: "3.10"
     name: Ansible ${{ matrix.ansible }} lint with Python ${{ matrix.python }}
     if: github.repository == 'stackhpc/stackhpc-kayobe-config'
@@ -90,7 +87,7 @@ jobs:
       - name: Install dependencies 📦
         run: |
           python -m pip install --upgrade pip
-          pip install ansible-core==${{ matrix.ansible }}.* ansible-lint==${{ matrix.ansible-lint }}.* -r requirements.txt
+          pip install ansible-core==${{ matrix.ansible }}.* ansible-lint -r requirements.txt
 
       - name: Install Ansible Galaxy collections and roles
         run: |
@@ -99,7 +96,7 @@ jobs:
 
       - name: Linting code 🧪
         run: |
-          ansible-lint -v --force-color etc/kayobe/ansible/
+          ansible-lint -v --force-color -x no-changed-when,risky-file-permissions,unknown-module,run-once,name[template],package-latest etc/kayobe/ansible/.
 
   # A skipped job is treated as success when used as a required status check.
   # The registered required status checks refer to the name of the job in the

etc/kayobe/ansible/advise-run.yml

@@ -1,47 +1,47 @@
 ---
 - name: ADVise run
   hosts: localhost
-  gather_facts: no
+  gather_facts: false
   tags:
     - advise
   vars:
-    venv: "~/venvs/advise-review"
+    venv: ~/venvs/advise-review
     input_dir: "{{ lookup('env', 'PWD') }}/overcloud-introspection-data"
     output_dir: "{{ lookup('env', 'PWD') }}/review"
-    advise_pattern: ".*.eval"  # Uses regex
+    advise_pattern: .*.eval # Uses regex
   tasks:
     - name: Install dependencies
-      pip:
+      ansible.builtin.pip:
         virtualenv: "{{ venv }}"
         name:
           - git+https://github.com/stackhpc/ADVise
         state: latest
-        virtualenv_command: "python3 -m venv"
+        virtualenv_command: python3 -m venv
 
     - name: Create data directory
-      file:
-        path: '{{ output_dir }}/data'
+      ansible.builtin.file:
+        path: "{{ output_dir }}/data"
         state: directory
 
     - name: Extract data
-      shell:
+      ansible.builtin.shell:
         cmd: >
           {{ venv }}/bin/m2-extract {{ input_dir }}/*.json --output_dir {{ output_dir }}/data
 
     - name: Create review directory
-      file:
-        path: '{{ output_dir }}/results'
+      ansible.builtin.file:
+        path: "{{ output_dir }}/results"
         state: directory
 
     - name: Process data
-      shell:
+      ansible.builtin.shell:
         cmd: >
           {{ venv }}/bin/advise-process
           -I ipmi
           -p '{{ output_dir }}/data/extra-hardware/{{ advise_pattern }}'
           -o '{{ output_dir }}'
 
     - name: Visualise data
-      command: >
+      ansible.builtin.command: >
         {{ venv }}/bin/advise-visualise
         --output_dir '{{ output_dir }}'

etc/kayobe/ansible/build-ofed-rocky.yml

@@ -6,8 +6,8 @@
   tasks:
     - name: Check whether noexec is enabled for /var/tmp
       ansible.builtin.lineinfile:
-        path: "/etc/fstab"
-        regexp: "noexec"
+        path: /etc/fstab
+        regexp: noexec
         state: absent
       changed_when: false
       check_mode: true
@@ -42,7 +42,8 @@
 
     - name: Add DOCA host repository package
       ansible.builtin.dnf:
-        name: https://developer.nvidia.com/downloads/networking/secure/doca-sdk/DOCA_2.8/doca-host-2.8.0-204000_{{ stackhpc_pulp_doca_ofed_version }}_rhel9{{ stackhpc_pulp_repo_rocky_9_minor_version }}.x86_64.rpm
+        name: "https://developer.nvidia.com/downloads/networking/secure/doca-sdk/DOCA_2.8/doca-host-2.8.0-204000_\
+              {{ stackhpc_pulp_doca_ofed_version }}_rhel9{{ stackhpc_pulp_repo_rocky_9_minor_version }}.x86_64.rpm"
         disable_gpg_check: true
 
     - name: Install DOCA extra packages
@@ -53,13 +54,13 @@
       ansible.builtin.file:
         path: /home/cloud-user/ofed
         state: directory
-        mode: 0777
+        mode: "0777"
 
     - name: Set build directory
       ansible.builtin.replace:
         path: /opt/mellanox/doca/tools/doca-kernel-support
-        regexp: 'TMP_DIR=\$1'
-        replace: 'TMP_DIR=/home/cloud-user/ofed'
+        regexp: TMP_DIR=\$1
+        replace: TMP_DIR=/home/cloud-user/ofed
 
     - name: Build OFED kernel modules
       ansible.builtin.shell:

etc/kayobe/ansible/cephadm-gather-keys.yml

@@ -32,7 +32,7 @@
       loop: "{{ kolla_ceph_services | selectattr('required') | map(attribute='keys') | flatten | unique }}"
 
     - name: Generate ceph.conf
-      command: "cephadm shell -- ceph config generate-minimal-conf"
+      command: cephadm shell -- ceph config generate-minimal-conf
       become: true
       register: cephadm_ceph_conf
       changed_when: false

etc/kayobe/ansible/check-tags.yml

@@ -7,18 +7,19 @@
   gather_facts: false
   tasks:
     - name: Query images and tags
-      command:
+      ansible.builtin.command:
         cmd: >-
           {{ kayobe_config_path }}/../../tools/kolla-images.py list-tags
       register: kolla_images_result
       changed_when: false
 
     - name: Set a fact about images and tags
-      set_fact:
+      ansible.builtin.set_fact:
         kolla_images: "{{ kolla_images_result.stdout | from_yaml }}"
 
     # Use state=read and allow_missing=false to check for missing tags in test pulp.
-    - import_role:
+    - name: Check for missing tags
+      ansible.builtin.import_role:
         name: stackhpc.pulp.pulp_container_content
       vars:
         pulp_container_content: >-

etc/kayobe/ansible/cis.yml

@@ -1,5 +1,4 @@
 ---
-
 - name: Security hardening
   hosts: cis-hardening
   become: true
@@ -9,14 +8,14 @@
     # TODO: Remove this when Red Hat FIPS policy has been updated to allow ed25519 keys.
     # https://gitlab.com/gitlab-org/gitlab/-/issues/367429#note_1840422075
     - name: Assert that we are using a supported SSH key
-      assert:
+      ansible.builtin.assert:
         that:
           - ssh_key_type != 'ed25519'
         fail_msg: FIPS policy does not currently support ed25519 SSH keys on RHEL family systems
       when: ansible_facts.os_family == 'RedHat'
 
     - name: Ensure the cron package is installed on ubuntu
-      package:
+      ansible.builtin.package:
         name: cron
         state: present
       when: ansible_facts.distribution == 'Ubuntu'
@@ -25,17 +24,19 @@
       # This is to workaround an issue where we set the expiry to 365 days on kayobe
       # service accounts in a previous iteration of the CIS benchmark hardening
       # defaults. This should restore the defaults and can eventually be removed.
-      command: chage -m 0 -M 99999 -W 7 -I -1 {{ item }}
+      ansible.builtin.command: chage -m 0 -M 99999 -W 7 -I -1 {{ item }}
       become: true
       changed_when: false
       with_items:
         - "{{ kayobe_ansible_user }}"
         - "{{ kolla_ansible_user }}"
 
-    - include_role:
+    - name: Run CIS hardening role (RHEL 9)
+      ansible.builtin.include_role:
         name: ansible-lockdown.rhel9_cis
       when: ansible_facts.os_family == 'RedHat' and ansible_facts.distribution_major_version == '9'
 
-    - include_role:
+    - name: Run CIS hardening role (Ubuntu 22)
+      ansible.builtin.include_role:
         name: ansible-lockdown.ubuntu22_cis
       when: ansible_facts.distribution == 'Ubuntu' and ansible_facts.distribution_major_version == '22'

etc/kayobe/ansible/configure-aio-resources.yml

@@ -1,13 +1,12 @@
 ---
-
 - name: Ensure dependencies are installed
   hosts: controllers[0]
   gather_facts: true
   vars:
-    venv: '{{ virtualenv_path }}/openstack'
+    venv: "{{ virtualenv_path }}/openstack"
   tasks:
     - name: Install python build dependencies
-      package:
+      ansible.builtin.package:
         name: "{{ packages | select | list }}"
         cache_valid_time: "{{ apt_cache_valid_time if ansible_facts.os_family == 'Debian' else omit }}"
         update_cache: "{{ True if ansible_facts.os_family == 'Debian' else omit }}"
@@ -16,56 +15,53 @@
       vars:
         packages:
           - "{% if ansible_facts.os_family == 'RedHat' %}gcc{% else %}build-essential{% endif %}"
-          - "python3-dev{% if ansible_facts.os_family == 'RedHat' %}el{% endif %}"
+          - python3-dev{% if ansible_facts.os_family == 'RedHat' %}el{% endif %}
           - "{% if ansible_facts.os_family == 'Debian' %}python3-venv{% endif %}"
 
     - name: Ensure latest version of pip is installed
-      pip:
+      ansible.builtin.pip:
         name: pip
         state: latest
-        virtualenv: '{{ venv }}'
-        virtualenv_command: "/usr/bin/python3 -m venv"
+        virtualenv: "{{ venv }}"
+        virtualenv_command: /usr/bin/python3 -m venv
 
     - name: Ensure python openstack client is installed
-      pip:
+      ansible.builtin.pip:
         name: python-openstackclient
-        virtualenv: '{{ venv }}'
+        virtualenv: "{{ venv }}"
         extra_args: -c "{{ pip_upper_constraints_file }}"
 
     - name: Include kolla secrets
-      include_vars:
-        dir: '{{ kayobe_env_config_path }}/kolla/'
+      ansible.builtin.include_vars:
+        dir: "{{ kayobe_env_config_path }}/kolla/"
         files_matching: passwords.yml
         name: kolla_passwords
 
     - name: Add an IP to connect to the instances
       # FIXME: host configure will have bounced the bridge
       # and removed the IP
-      command: ip a add 10.0.2.1/24 dev breth1
+      ansible.builtin.command: ip a add 10.0.2.1/24 dev breth1
       register: result
-      failed_when: 'result.rc !=0 and "RTNETLINK answers: File exists" not in
-        result.stderr'
+      failed_when: 'result.rc != 0 and "RTNETLINK answers: File exists" not in result.stderr'
       changed_when: result.rc == 0
       become: true
 
     - name: Run init-run-once
-      script:
+      ansible.builtin.script:
         cmd: scripts/aio-init.sh
         creates: /tmp/.init-runonce
       environment:
-        KOLLA_OPENSTACK_COMMAND: '{{ venv }}/bin/openstack'
+        KOLLA_OPENSTACK_COMMAND: "{{ venv }}/bin/openstack"
         OS_PROJECT_DOMAIN_NAME: Default
         OS_USER_DOMAIN_NAME: Default
         OS_PROJECT_NAME: admin
         OS_TENANT_NAME: admin
         OS_USERNAME: admin
-        OS_PASSWORD: "{{ kolla_passwords.keystone_admin_password | mandatory('Could\
-          \ not find keystone_admin_password in passwords.yml') }}"
+        OS_PASSWORD: "{{ kolla_passwords.keystone_admin_password | mandatory('Could not find keystone_admin_password in passwords.yml') }}"
         # Use kolla_external_fqdn in wallaby
-        OS_AUTH_URL: http://{{ kolla_external_fqdn | default(public_net_name
-          | net_fqdn) | default(public_net_name | net_vip_address, true) }}:5000
+        OS_AUTH_URL: http://{{ kolla_external_fqdn | default(public_net_name | net_fqdn) | default(public_net_name | net_vip_address, true) }}:5000
         OS_INTERFACE: public
         OS_ENDPOINT_TYPE: publicURL
-        OS_IDENTITY_API_VERSION: 3
+        OS_IDENTITY_API_VERSION: "3"
         OS_REGION_NAME: RegionOne
         OS_AUTH_PLUGIN: password

etc/kayobe/ansible/configure-vxlan.yml

@@ -8,6 +8,6 @@
     # python interpreter.
     ansible_python_interpreter: /usr/bin/python3
     # Work around no known_hosts entry on first boot.
-    ansible_ssh_common_args: "-o StrictHostKeyChecking=no"
+    ansible_ssh_common_args: -o StrictHostKeyChecking=no
   roles:
     - role: stackhpc.vxlan

etc/kayobe/ansible/deploy-github-runner.yml

@@ -1,7 +1,7 @@
 ---
 - name: Deploy GitHub Runner
   hosts: github-runners
-  become: yes
+  become: true
   roles:
     - role: geerlingguy.pip
     - role: geerlingguy.docker
@@ -14,8 +14,7 @@
         runner_dir: "{{ base_runner_dir }}/{{ runner.key }}"
         runner_labels: "{{ runner.value.labels | default(default_runner_labels) }}"
         runner_state: "{{ runner.value.state | default('started') }}"
-      with_dict:
-        "{{ github_runners }}"
+      with_dict: "{{ github_runners }}"
       loop_control:
         loop_var: runner
 
@@ -28,7 +27,6 @@
         enabled: true
       become: true
       when: runner_state | default('started') == 'started'
-      with_dict:
-        "{{ github_runners }}"
+      with_dict: "{{ github_runners }}"
       loop_control:
         loop_var: runner