diff --git a/molecule/gitlab/converge.yml b/molecule/gitlab/converge.yml index c4f8daa0..f39afeb0 100644 --- a/molecule/gitlab/converge.yml +++ b/molecule/gitlab/converge.yml @@ -6,6 +6,7 @@ --- - name: "Converge" hosts: "all" + become: false tasks: - name: "Include gitlab role" ansible.builtin.include_role: diff --git a/molecule/gitlab/molecule.yml b/molecule/gitlab/molecule.yml index 45706afe..bae7239e 100644 --- a/molecule/gitlab/molecule.yml +++ b/molecule/gitlab/molecule.yml @@ -13,7 +13,7 @@ platforms: image: "${MOLECULE_IMAGE:-ghcr.io/hifis-net/ubuntu-systemd:24.04}" pre_build_image: true privileged: true - systemd: "always" + systemd: true tty: true override_command: false provisioner: @@ -29,6 +29,7 @@ provisioner: inventory: host_vars: instancegitlab: + ansible_user: "ansible" gitlab_edition: "gitlab-ce" gitlab_ip_range: "0.0.0.0/0" gitlab_additional_configurations: diff --git a/molecule/gitlab/prepare.yml b/molecule/gitlab/prepare.yml index 762bffe9..3812ab1d 100644 --- a/molecule/gitlab/prepare.yml +++ b/molecule/gitlab/prepare.yml @@ -13,6 +13,7 @@ - "ansible_facts.distribution_major_version | int >= 7" block: - name: "Install missing dependencies" + become: true ansible.builtin.dnf: name: - "sudo" @@ -21,24 +22,11 @@ state: "present" update_cache: true - # Workaround to prevent "sudo: PAM account management error" because of non-readable shadows file on AlmaLinux - - name: "Get file stats for /etc/shadow" - ansible.builtin.stat: - path: "/etc/shadow" - register: "shadow" - - - name: "Fix permissions for /etc/shadow" - ansible.builtin.file: - path: "/etc/shadow" - owner: "root" - group: "{{ shadow.stat.gr_name }}" - mode: "0640" - when: "not shadow.stat.rusr" - - name: "Install depenencies for OS family Debian" when: "ansible_facts.os_family == 'Debian'" block: - name: "Install missing dependencies" + become: true ansible.builtin.apt: name: - "sudo" # for `become` privilege escalation 
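Review bot: `become: true` on the two "Install missing dependencies" tasks in prepare.yml (the dnf task in the first hunk, the apt task at the end of the second) presupposes the package they list first, `sudo`, because an unprivileged connection user cannot escalate to run the package manager without it. If prepare.yml connects as the `ansible` user that molecule.yml now sets, the images must already ship sudo and a sudoers entry for that user, which makes the `"sudo"` list entry a safeguard rather than a bootstrap. A comment above the package list such as `# sudo must already be in the image; become depends on it` would record that. The second hunk also deletes the /etc/shadow workaround for "sudo: PAM account management error" in the same change that starts depending on sudo, so it is worth confirming the AlmaLinux image no longer hits that error. Both blocks continue outside the hunks.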
diff --git a/molecule/gitlab/verify.yml b/molecule/gitlab/verify.yml index 9c814ac5..0fe9d2e0 100644 --- a/molecule/gitlab/verify.yml +++ b/molecule/gitlab/verify.yml @@ -54,12 +54,14 @@ failed_when: "liveness_check.status == 503" - name: "Check the output of gitlab status" + become: true ansible.builtin.command: "gitlab-ctl status" register: "gitlab_ctl_status" changed_when: "gitlab_ctl_status.rc != 0" failed_when: "gitlab_ctl_status.rc != 0" - name: "Check GitLab configuration via Rake task" + become: true ansible.builtin.command: "gitlab-rake gitlab:check" register: "gitlab_rake_check" changed_when: "gitlab_rake_check.rc != 0" diff --git a/roles/gitlab/tasks/configure.yml b/roles/gitlab/tasks/configure.yml index 9ced53c4..cf6e736b 100644 --- a/roles/gitlab/tasks/configure.yml +++ b/roles/gitlab/tasks/configure.yml @@ -6,6 +6,7 @@ --- - name: "Copy gitlab-secrets.json" + become: true ansible.builtin.copy: src: "{{ gitlab_secrets_file }}" dest: "/etc/gitlab/gitlab-secrets.json" @@ -60,6 +61,7 @@ - "Reconfigure Non Primary GitLab" - name: "Create file to prevent Gitlab to restart before migrations" + become: true ansible.builtin.copy: content: "" dest: "/etc/gitlab/skip-auto-reconfigure" @@ -70,6 +72,7 @@ when: "gitlab_is_primary" - name: "Create file to prevent Gitlab to backup database" + become: true ansible.builtin.copy: content: "" dest: "/etc/gitlab/skip-auto-backup" diff --git a/roles/gitlab/tasks/feature-flag.yml b/roles/gitlab/tasks/feature-flag.yml index 8737e3bb..de3d8036 100644 --- a/roles/gitlab/tasks/feature-flag.yml +++ b/roles/gitlab/tasks/feature-flag.yml 
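Review bot: The "Copy gitlab-secrets.json" task in the first configure.yml hunk writes secret material as root, and nothing visible keeps that content out of Ansible output: a run with `--diff` prints the content change for `ansible.builtin.copy`. Adding `no_log: true` (or at least `diff: false`) next to the new `become: true` would close that. The task's owner and mode lines fall outside the hunk, so please confirm the destination is written root-only, for example `mode: "0600"`.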
@@ -6,12 +6,14 @@ --- - name: "Check if feature flag is already enabled for {{ gitlab_feature_flag.name }}" + become: true ansible.builtin.command: cmd: "gitlab-rails runner 'is_feature_enabled = Feature.enabled?(:{{ gitlab_feature_flag.name }}); puts is_feature_enabled'" register: "__gitlab_is_feature_enabled" changed_when: false - name: "Enable or disable feature flag {{ gitlab_feature_flag.name }}" + become: true ansible.builtin.command: cmd: "gitlab-rails runner 'Feature.{{ 'enable' if gitlab_feature_flag.enabled else 'disable' }}(:{{ gitlab_feature_flag.name }})'" changed_when: true diff --git a/roles/gitlab/tasks/install.yml b/roles/gitlab/tasks/install.yml index 18039b27..388402c3 100644 --- a/roles/gitlab/tasks/install.yml +++ b/roles/gitlab/tasks/install.yml @@ -16,6 +16,7 @@ when: "ansible_facts.os_family == 'Debian'" block: - name: "Remove GitLab APT GPG key from legacy trusted.gpg keyring" + become: true ansible.builtin.apt_key: url: "{{ gitlab_gpg_key_url }}" id: "{{ gitlab_gpg_key_id }}" @@ -23,6 +24,7 @@ when: "not __gitlab_is_initial_dryrun" - name: "Remove GitLab APT repository from sources.list" + become: true ansible.builtin.apt_repository: repo: "deb {{ gitlab_repo_url }} {{ ansible_facts.distribution_release }} main" state: "absent" @@ -30,6 +32,7 @@ update_cache: false - name: "Remove GitLab source APT repository from sources.list" + become: true ansible.builtin.apt_repository: repo: "deb-src {{ gitlab_repo_url }} {{ ansible_facts.distribution_release }} main" state: "absent" @@ -37,6 +40,7 @@ update_cache: false - name: "Add GitLab APT repository" + become: true ansible.builtin.deb822_repository: name: "{{ gitlab_edition }}" types: @@ -52,6 +56,7 @@ enabled: true - name: "Update APT package cache" + become: true ansible.builtin.apt: update_cache: true check_mode: false 
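Review bot: Both tasks in the feature-flag.yml hunk template `gitlab_feature_flag.name` directly into Ruby source handed to `gitlab-rails runner`, and with the added `become: true` that source is now explicitly executed with root privileges. Nothing in the hunk constrains the value, so a name containing a quote or parenthesis changes the statement that runs instead of the flag that is looked up. An `ansible.builtin.assert` placed before the first task with `that: "gitlab_feature_flag.name is match('^[a-z0-9_]+$')"` would pin it to a symbol-safe form. Where the variable is populated is not visible here, so treat this as hardening unless it can come from outside the inventory.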
@@ -61,6 +66,7 @@ when: "ansible_facts.os_family == 'RedHat'" block: - name: "Add GitLab yum repository" + become: true ansible.builtin.yum_repository: name: "gitlab_{{ gitlab_edition }}" description: "GitLab yum repo" @@ -78,6 +84,7 @@ metadata_expire: "300" - name: "Add GitLab source yum repository" + become: true ansible.builtin.yum_repository: name: "gitlab_{{ gitlab_edition }}-source" description: "GitLab source yum repo" @@ -95,6 +102,7 @@ metadata_expire: "300" - name: "Update yum package cache" + become: true ansible.builtin.dnf: update_cache: true check_mode: false @@ -112,6 +120,7 @@ - "__gitlab_rails_binary.stat.executable" block: - name: "Get the currently installed GitLab version" + become: true ansible.builtin.slurp: path: "/var/opt/gitlab/gitlab-rails/VERSION" register: "__gitlab_version_base64" @@ -147,6 +156,7 @@ rescue: - name: "Ensure GitLab directory exists" + become: true ansible.builtin.file: path: "/etc/gitlab" state: "directory" @@ -155,6 +165,7 @@ mode: "0775" - name: "Create file to detect a failed reconfigure" + become: true ansible.builtin.copy: content: "This file is managed by Ansible." dest: "/etc/gitlab/reconfigure_failed" diff --git a/roles/gitlab/tasks/main.yml b/roles/gitlab/tasks/main.yml index e05c57b2..800b94e8 100644 --- a/roles/gitlab/tasks/main.yml +++ b/roles/gitlab/tasks/main.yml @@ -13,16 +13,13 @@ - name: "Reconfigure GitLab" ansible.builtin.import_tasks: "reconfigure.yml" - become: true when: "__gitlab_reconfigure_failed.stat.exists" - name: "Install GitLab" ansible.builtin.import_tasks: "install.yml" - become: true - name: "Configure GitLab" ansible.builtin.import_tasks: "configure.yml" - become: true - name: "Check if GitLab is already configured" ansible.builtin.stat: diff --git a/roles/gitlab/tasks/reconfigure.yml b/roles/gitlab/tasks/reconfigure.yml index 94385a05..4e7b2142 100644 --- a/roles/gitlab/tasks/reconfigure.yml +++ b/roles/gitlab/tasks/reconfigure.yml 
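Review bot: Removing `become: true` from the three `import_tasks` entries in main.yml means every task in reconfigure.yml, install.yml and configure.yml that did not receive its own `become: true` now runs as the connection user. The hunks in this commit show only part of those files, so tasks outside them cannot be checked from here and should be verified against an unprivileged run. Handlers notified from configure.yml, such as "Reconfigure Non Primary GitLab", do not take `become` from the notifying task, and the handlers file is not part of this diff. A short comment at the top of main.yml, for example `# Privilege escalation is requested per task; imports deliberately carry no become`, would keep a later edit from putting the blanket setting back.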
@@ -30,6 +30,7 @@ - "gitlab_is_primary" - name: "Remove file that indicates a failed reconfigure" + become: true ansible.builtin.file: path: "/etc/gitlab/reconfigure_failed" state: "absent"