Merge pull request #48 from stackhpc/master-workflows

markgoddard · web-flow · commit f37e350830d9 · 2023-08-03T16:35:54.000+01:00
feat: automatic update of workflows master
diff --git a/.ansible-lint b/.ansible-lint
@@ -1,3 +1,7 @@
 ---
 skip_list:
-  - '701'  # meta/main.yml should contain relevant info
+  - var-naming[no-role-prefix]
+  - galaxy[no-changelog]
+  - meta-runtime[unsupported-version]
+  - fqcn[action-core]
+  - fqcn[action]
diff --git a/.github/workflows/lint-collection.yml b/.github/workflows/lint-collection.yml
@@ -0,0 +1,9 @@
+---
+name: Ansible collection linters
+'on':
+  pull_request:
+jobs:
+  lint:
+    uses: stackhpc/.github/.github/workflows/lint-collection.yml@main
+    with:
+      lint_pip_dependencies: "git+https://github.com/stackhpc/ansible-modules-hashivault@stackhpc"
diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml
@@ -1,44 +1,13 @@
-
 name: Tests
 
 # Controls when the action will run.
-on:
+'on':
   pull_request:
   push:
     branches:
       - master
 
 jobs:
-  lint:
-    runs-on: ubuntu-latest
-    strategy:
-      fail-fast: false
-      matrix:
-        ansible:
-          - "2.9"
-          - "2.10"
-          - "2.12"
-    steps:
-      # Checks-out the repository under $GITHUB_WORKSPACE, so it's accessible to the job
-      - uses: actions/checkout@v3
-
-      - name: Install dependencies
-        run: |
-          pipx uninstall ansible-core
-          python3 -m pip install --upgrade pip
-          if [[ "${{ matrix.ansible }}" = "2.9" ]]; then
-              ansible_package=ansible
-          elif [[ "${{ matrix.ansible }}" = "2.10" ]]; then
-              ansible_package=ansible
-          else
-              ansible_package=ansible-core
-          fi
-          pip3 install $ansible_package==${{ matrix.ansible }}.* 'ansible-lint==5.*'
-
-      - name: Linting code
-        run: |
-          ansible-lint -v --force-color
-
   integration:
     runs-on: ubuntu-latest
     strategy:
diff --git a/galaxy.yml b/galaxy.yml
@@ -1,5 +1,7 @@
-namespace: "stackhpc"
-name: "hashicorp"
+namespace: stackhpc
+name: hashicorp
+description: >
+  Hashicorp Vault/Consul deployment and configuration
 version: "2.4.0"
 readme: "README.md"
 authors:
@@ -9,7 +11,9 @@ dependencies:
 license:
   - "Apache-2.0"
 tags:
+  - consul
   - hashicorp
+  - infrastructure
+  - security
   - vault
-  - consul
 repository: "https://github.com/stackhpc/ansible-collection-hashicorp"
diff --git a/roles/vault/tasks/vault.yml b/roles/vault/tasks/vault.yml
@@ -26,6 +26,9 @@
   until: vault_init_status.status == 200
 
 - name: "Initialize vault"
+  run_once: true
+  when:
+    - not vault_init_status.json.initialized
   block:
     - name: Initialize vault
       hashivault_init:
@@ -50,10 +53,7 @@
       copy:
         content: "{{ vault_keys_result | to_nice_json }}"
         dest: "{{ vault_write_keys_file_path }}"
-        mode: 0600
+        mode: "0600"
       delegate_to: "{{ vault_write_keys_file_host }}"
       when:
         - vault_write_keys_file | bool
-  run_once: true
-  when:
-    - not vault_init_status.json.initialized
diff --git a/roles/vault_pki/tasks/create_cert.yml b/roles/vault_pki/tasks/create_cert.yml
@@ -33,7 +33,7 @@
       {{ item.data.issuing_ca }}
       {{ item.data.private_key }}
     dest: "{{ vault_pki_certificates_directory }}/{{ cert_name | replace(' ', '-') }}.pem"
-    mode: 0600
+    mode: "0600"
   delegate_to: "{{ vault_pki_write_certificates_host }}"
   loop: "{{ cert_data.results }}"
   loop_control:
@@ -52,7 +52,7 @@
       {{ item.data.certificate }}
       {{ item.data.issuing_ca }}
     dest: "{{ vault_pki_certificates_directory }}/{{ cert_name | replace(' ', '-') }}.crt"
-    mode: 0600
+    mode: "0600"
   delegate_to: "{{ vault_pki_write_certificates_host }}"
   loop: "{{ cert_data.results }}"
   loop_control:
@@ -61,7 +61,7 @@
     - not vault_pki_write_pem_bundle | bool
     - vault_pki_write_certificate_files | bool
     - not cert_file.stat.exists or vault_pki_overwrite_certificates | bool
-    
+
 - name: "Write out key"
   vars:
     cert_name: "{{ item.item.common_name if item.item.common_name | default() | length > 0 else item.item.extra_params.ip_sans | default() }}"
@@ -70,7 +70,7 @@
     content: |
       {{ item.data.private_key }}
     dest: "{{ vault_pki_certificates_directory }}/{{ cert_name | replace(' ', '-') }}.key"
-    mode: 0600
+    mode: "0600"
   delegate_to: "{{ vault_pki_write_certificates_host }}"
   loop: "{{ cert_data.results }}"
   loop_control:
diff --git a/roles/vault_pki/tasks/intermediate.yml b/roles/vault_pki/tasks/intermediate.yml
@@ -12,6 +12,7 @@
       max_lease_ttl: "{{ vault_pki_intermediate_max_lease_ttl }}"
 
 - name: "Generate Intermediate CA cert, key and sign CSR"
+  when: not vault_pki_intermediate_import | bool
   block:
     - name: "Generate Vault Intermediate CA cert and key"
       hashivault_pki_ca:
@@ -73,7 +74,7 @@
         content: |
           {{ intermediate_ca_csr_signed.data.certificate }}
         dest: "{{ vault_pki_certificates_directory }}/{{ vault_pki_intermediate_ca_name | replace(' ', '-') }}.crt"
-        mode: 0600
+        mode: "0600"
       delegate_to: "{{ vault_pki_write_certificates_host }}"
       when:
         - vault_pki_write_int_ca_to_file | bool
@@ -85,17 +86,17 @@
           {{ intermediate_ca_csr_signed.data.issuing_ca }}
           {{ intermediate_ca_csr.data.private_key }}
         dest: "{{ vault_pki_certificates_directory }}/{{ vault_pki_intermediate_ca_name |replace(' ', '-') }}.pem"
-        mode: 0600
+        mode: "0600"
       delegate_to: "{{ vault_pki_write_certificates_host }}"
       when:
         - vault_pki_intermediate_export | bool
         - intermediate_ca_csr.changed
         - intermediate_ca_csr.data is defined
         - intermediate_ca_csr_signed.data is defined
 
-  when: not vault_pki_intermediate_import | bool
 
 - name: "Import Intermediate CA cert and key"
+  when: vault_pki_intermediate_import | bool
   block:
     - name: "Import Intermediate CA cert and key"
       hashivault_pki_ca_set:
@@ -104,5 +105,3 @@
         ca_cert: "{{ vault_ca_cert | default(omit) }}"
         mount_point: "{{ vault_pki_intermediate_ca_name }}"
         pem_bundle: "{{ vault_pki_intermediate_ca_bundle }}"
-
-  when: vault_pki_intermediate_import | bool
diff --git a/roles/vault_pki/tasks/root.yml b/roles/vault_pki/tasks/root.yml
@@ -30,7 +30,7 @@
     content: |
       {{ root_ca_data.data.certificate }}
     dest: "{{ vault_pki_certificates_directory }}/{{ vault_pki_root_ca_name | replace(' ', '-') }}.pem"
-    mode: 0600
+    mode: "0600"
   delegate_to: "{{ vault_pki_write_certificates_host }}"
   when:
     - root_ca_data.data.certificate is defined
diff --git a/tests/test_vault.yml b/tests/test_vault.yml
@@ -13,13 +13,15 @@
       file:
         path: /etc/vault
         state: directory
+        mode: "0700"
       become: true
 
-    - include_role:
+    - name: Include vault role
+      include_role:
         name: vault
 
-    # Idempotence test
-    - include_role:
+    - name: Include vault role (idemoptence test)
+      include_role:
         name: vault
 
     - name: Unseal vault
@@ -97,14 +99,15 @@
         - OS-CERT-TEST.crt
         - OS-CERT-TEST2.pem
 
-    - name: concatenate CAs
+    - name: Concatenate CAs
       shell: |
         cat /tmp/OS-TLS-ROOT.pem /tmp/OS-TLS-INT.crt > /tmp/CA-CHAIN.pem
       args:
         executable: /bin/bash
       become: true
+      changed_when: true
 
-    - name: verify certificate chain
+    - name: Verify certificate chain
       command: |
         openssl verify -CAfile /tmp/CA-CHAIN.pem
         /tmp/{{ item }}
@@ -113,4 +116,4 @@
       loop:
         - OS-CERT-TEST.crt
         - OS-CERT-TEST2.pem
-
+      changed_when: false
