From 09666ac1423ee3fea01f4587cca56baa6bd662ab Mon Sep 17 00:00:00 2001 From: Wolfgang Medina-Erhardt Date: Wed, 25 Oct 2023 15:58:03 +0200 Subject: [PATCH 1/2] Add linting configuration --- .ansible-lint | 10 ++++++++++ .pre-commit-config.yaml | 6 ++++++ .yamllint | 33 +++++++++++++++++++++++++++++++++ handlers/main.yaml | 24 +++++++++++++----------- meta/main.yaml | 8 ++++++++ tasks/config.yaml | 12 ++++++++---- tasks/install.yaml | 25 ++++++++++++------------- tasks/main.yaml | 18 ++++++++++++++---- tasks/supervisord.yaml | 8 +++++--- tasks/systemd.yaml | 14 +++++--------- 10 files changed, 114 insertions(+), 44 deletions(-) create mode 100644 .ansible-lint create mode 100644 .pre-commit-config.yaml create mode 100644 .yamllint diff --git a/.ansible-lint b/.ansible-lint new file mode 100644 index 0000000..09987cd --- /dev/null +++ b/.ansible-lint @@ -0,0 +1,10 @@ +--- +skip_list: + - 'risky-shell-pipe' + - 'role-name' + +warn_list: + - package-latest + - unnamed-task + - command-instead-of-shell + - no-handler diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml new file mode 100644 index 0000000..53611d0 --- /dev/null +++ b/.pre-commit-config.yaml @@ -0,0 +1,6 @@ +--- +repos: + - repo: https://github.com/ansible/ansible-lint.git + rev: v6.17.2 + hooks: + - id: ansible-lint diff --git a/.yamllint b/.yamllint new file mode 100644 index 0000000..8827676 --- /dev/null +++ b/.yamllint 
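Review bot: `skip_list` silences `risky-shell-pipe` for the whole role, although the only shell task in this patch series (the Restart handler) already runs under `set -e -u -o pipefail`, so the rule would not fire there anyway. Dropping the skip keeps the check active for any shell task added later; likewise moving `command-instead-of-shell` and `no-handler` to `warn_list` turns two rules that catch real mistakes into noise that nobody fails a build on. If one task genuinely needs an exception, an inline `# noqa: risky-shell-pipe` on that task is narrower than a repository-wide skip.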
@@ -0,0 +1,33 @@ +--- +# Based on ansible-lint config +extends: default + +rules: + braces: + max-spaces-inside: 1 + level: error + brackets: + max-spaces-inside: 1 + level: error + colons: + max-spaces-after: -1 + level: error + commas: + max-spaces-after: -1 + level: error + comments: disable + comments-indentation: disable + document-start: disable + empty-lines: + max: 3 + level: error + hyphens: + level: error + indentation: disable + key-duplicates: enable + line-length: disable + new-line-at-end-of-file: disable + new-lines: + type: unix + trailing-spaces: disable + truthy: disable diff --git a/handlers/main.yaml b/handlers/main.yaml index f190ce2..d5ae093 100644 --- a/handlers/main.yaml +++ b/handlers/main.yaml @@ -1,14 +1,16 @@ - name: Restart oauth2_proxy - shell: | - set -e -u -o pipefail - {% if ansible_system == 'Linux' %} - systemctl daemon-reload - systemctl enable oauth2-proxy@{{ item }} - systemctl restart oauth2-proxy@{{ item }} - {% else %} - supervisorctl update OAuth2Proxy{{ item|title }} - supervisorctl restart OAuth2Proxy{{ item|title }} - {% endif %} + changed_when: yes + ansible.builtin.shell: + cmd: | + set -e -u -o pipefail + {% if ansible_system == 'Linux' %} + systemctl daemon-reload + systemctl enable oauth2-proxy@{{ item }} + systemctl restart oauth2-proxy@{{ item }} + {% else %} + supervisorctl update OAuth2Proxy{{ item | title }} + supervisorctl restart OAuth2Proxy{{ item | title }} + {% endif %} args: executable: >- {%- if ansible_system == 'Linux' -%} @@ -32,4 +34,4 @@ {%- set _ = services.append(item.item.key) -%} {%- endif -%} {%- endfor -%} - {{- services|sort|unique -}} + {{- services |sort | unique -}} diff --git a/meta/main.yaml b/meta/main.yaml index 5076d11..5c3d515 100644 --- a/meta/main.yaml +++ b/meta/main.yaml 
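Review bot: The `Restart oauth2_proxy` handler still drives `systemctl` and `supervisorctl` through `ansible.builtin.shell` with the service name interpolated unquoted, and `changed_when: yes` is added only to satisfy the linter; on Linux the `ansible.builtin.systemd` module does `daemon_reload`/`enabled`/`state: restarted` natively and reports change correctly, which removes the shell and the forced `changed_when` there. For the FreeBSD branch, where no supervisor module is installed by this role's CI, keep the shell but quote the interpolated program name with `| quote` so a service key containing shell metacharacters cannot alter the command. Splitting into two handlers that both `listen: Restart oauth2_proxy` keeps every existing `notify:` working; the handler's `args.executable` and `loop` lines lie outside this hunk and would need the same split.
```yaml
- name: Restart oauth2_proxy (systemd)
  listen: Restart oauth2_proxy
  when: ansible_system == 'Linux'
  ansible.builtin.systemd:
    name: "oauth2-proxy@{{ item }}"
    daemon_reload: true
    enabled: true
    state: restarted
  # … unchanged: loop over the notified service names …

- name: Restart oauth2_proxy (supervisord)
  listen: Restart oauth2_proxy
  when: ansible_system != 'Linux'
  changed_when: true
  ansible.builtin.shell:
    cmd: |
      set -e -u -o pipefail
      supervisorctl update {{ ('OAuth2Proxy' ~ (item | title)) | quote }}
      supervisorctl restart {{ ('OAuth2Proxy' ~ (item | title)) | quote }}
  # … unchanged: args.executable and loop …
```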
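Review bot: The rewritten `loop` expression is spaced inconsistently — `{{- services |sort | unique -}}` has no space after the first pipe, while the rest of this commit normalises every filter chain to ` | `. Change it to `{{- services | sort | unique -}}` so the linting pass this commit introduces does not leave one odd form behind. The handler this `loop` belongs to starts outside the hunk.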
@@ -1,4 +1,12 @@ --- +galaxy_info: + author: "Punkt.de" + license: "" + description: "oauth2-proxy role for Proserver" + role_name: "proserver_oauth2_proxy" + namespace: "punktde" + min_ansible_version: "2.15" + dependencies: - role: supervisord when: ansible_system != 'Linux' diff --git a/tasks/config.yaml b/tasks/config.yaml index f1cc49b..a0774f9 100644 --- a/tasks/config.yaml +++ b/tasks/config.yaml @@ -1,19 +1,23 @@ - name: Create directories for oauth2_proxy config - file: + ansible.builtin.file: state: directory path: "{{ config_dir }}" + owner: root + mode: "0755" loop_control: label: "{{ config_dir }}" vars: config_dir: "{{ oauth2_proxy.prefix.opt }}/etc/{{ item }}" - with_items: "{{ oauth2_proxy.config|dict2items|selectattr('value', 'mapping')|map(attribute='key')|list }}" + with_items: "{{ oauth2_proxy.config | dict2items | selectattr('value', 'mapping') | map(attribute='key') | list }}" - name: Template oauth2_proxy config - template: + ansible.builtin.template: src: "{{ item.src }}" dest: "{{ item.dest }}" + owner: root + mode: "0644" loop_control: label: "{{ item.dest }}" - with_items: "{{ oauth2_proxy|oauth2_proxy_templates }}" + with_items: "{{ oauth2_proxy | oauth2_proxy_templates }}" register: oauth2_proxy_template_config_result notify: Restart oauth2_proxy diff --git a/tasks/install.yaml b/tasks/install.yaml index 506e311..3f4a2b2 100644 --- a/tasks/install.yaml +++ b/tasks/install.yaml 
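Review bot: `license: ""` in the new `galaxy_info` is an empty placeholder; Galaxy and ansible-lint's meta checks expect an SPDX identifier here, and an empty string reads as "not decided" to anyone consuming the role. Fill it with the identifier that matches the repository's LICENSE file, or leave the key out rather than commit an empty value.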
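Review bot: The new `mode: "0644"` on `Template oauth2_proxy config` makes every rendered config world-readable, and oauth2-proxy config files normally carry the OIDC client secret and the cookie secret (the templates themselves are not in this hunk, so confirm against `oauth2_proxy_templates`). If that is the case here, tighten to `mode: "0640"` with `group` set to the group the service runs as, or `"0600"` if oauth2-proxy runs as root. `owner: root` is set without a matching `group:`, so the group stays at whatever the target's default is — set it explicitly for the same reason; the `"0755"` on the directories is fine.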
@@ -1,46 +1,45 @@ --- - name: Set URL variables - set_fact: - oauth2_proxy_download_url: >- + ansible.builtin.set_fact: + oauth2_proxy_download_url: >- https://github.com/oauth2-proxy/oauth2-proxy/releases/download/v{{ oauth2_proxy.version }}/oauth2-proxy-v{{ oauth2_proxy.version }}.{{ ansible_system | lower }}-{{ 'arm64' if ansible_architecture == 'aarch64' else 'amd64' }}.tar.gz oauth2_proxy_download_checksum: >- https://github.com/oauth2-proxy/oauth2-proxy/releases/download/v{{ oauth2_proxy.version }}/oauth2-proxy-v{{ oauth2_proxy.version }}.{{ ansible_system | lower }}-{{ 'arm64' if ansible_architecture == 'aarch64' else 'amd64' }}-sha256sum.txt -- name: Create directories for oauth2_proxy - file: +- name: Create directory for oauth2_proxy binary + ansible.builtin.file: state: directory path: "{{ item }}" + owner: root + mode: "0755" with_items: - "{{ oauth2_proxy.prefix.opt }}/bin" - - "{{ oauth2_proxy.prefix.opt }}/etc" - when: oauth2_proxy.install == true - name: Download oauth2_proxy binary register: oauth2_proxy_download check_mode: no - unarchive: + ansible.builtin.unarchive: src: "{{ oauth2_proxy_download_url }}" dest: "/tmp" remote_src: yes mode: a+x list_files: true notify: Restart oauth2_proxy - when: oauth2_proxy.install == true - name: Verify the new binary checksum register: oauth2_proxy_binary_new - failed_when: >- - lookup('ansible.builtin.url', oauth2_proxy_download_checksum) | - split(' ') | first != oauth2_proxy_binary_new.stat.checksum - stat: + ansible.builtin.stat: path: "/tmp/{{ oauth2_proxy_download.files[0] }}oauth2-proxy" checksum_algorithm: sha256 get_checksum: yes + failed_when: >- + lookup('ansible.builtin.url', oauth2_proxy_download_checksum) | + split(' ') | first != oauth2_proxy_binary_new.stat.checksum - name: Verify the old binary checksum check_mode: no register: oauth2_proxy_binary_old - stat: + ansible.builtin.stat: path: "{{ oauth2_proxy.prefix.opt }}/bin/oauth2_proxy" checksum_algorithm: sha256 get_checksum: yes 
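Review bot: `Download oauth2_proxy binary` extracts into the shared, world-writable `/tmp`, and the later `Copy the new binary in place` task (outside this hunk) copies from the predictable path `/tmp/{{ oauth2_proxy_download.files[0] }}oauth2-proxy`; between the `Verify the new binary checksum` stat and that copy, a local user who pre-created or owns that directory can swap the file, so the sha256 check can be bypassed on a multi-user host. Extract into a private directory from `ansible.builtin.tempfile` (created 0700 by default) and point the stat and copy at it, or stage under `{{ oauth2_proxy.prefix.opt }}`. Separately, the checksum file is fetched from the same GitHub release as the archive, so the check detects a corrupt download but not a compromised release — an expected digest pinned in role vars next to `oauth2_proxy.version` would close that gap. `check_mode: no` on the download also means a `--check` run still writes to the target.
```yaml
- name: Create private staging directory for the download
  register: oauth2_proxy_tmpdir
  check_mode: no
  ansible.builtin.tempfile:
    state: directory
    suffix: oauth2_proxy

- name: Download oauth2_proxy binary
  register: oauth2_proxy_download
  check_mode: no
  ansible.builtin.unarchive:
    src: "{{ oauth2_proxy_download_url }}"
    dest: "{{ oauth2_proxy_tmpdir.path }}"
    # … unchanged: remote_src, mode, list_files …
  notify: Restart oauth2_proxy

- name: Verify the new binary checksum
  register: oauth2_proxy_binary_new
  ansible.builtin.stat:
    path: "{{ oauth2_proxy_tmpdir.path }}/{{ oauth2_proxy_download.files[0] }}oauth2-proxy"
    # … unchanged: checksum_algorithm, get_checksum, failed_when …
```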
diff --git a/tasks/main.yaml b/tasks/main.yaml index f7d84a4..7303506 100644 --- a/tasks/main.yaml +++ b/tasks/main.yaml @@ -1,5 +1,15 @@ --- -- import_tasks: install.yaml -- import_tasks: config.yaml -- import_tasks: supervisord.yaml -- import_tasks: systemd.yaml +- name: Install the oauth2-proxy binary + ansible.builtin.import_tasks: install.yaml + when: oauth2_proxy.install | default(True) + +- name: Configure oauth2-proxy + ansible.builtin.import_tasks: config.yaml + +- name: Manage the oauth2_proxy service (supervisord) + ansible.builtin.import_tasks: supervisord.yaml + when: ansible_system != 'Linux' + +- name: Manage the oauth2_proxy service (systemd) + ansible.builtin.import_tasks: systemd.yaml + when: ansible_system == 'Linux' diff --git a/tasks/supervisord.yaml b/tasks/supervisord.yaml index e190b85..404e991 100644 --- a/tasks/supervisord.yaml +++ b/tasks/supervisord.yaml @@ -1,12 +1,14 @@ - name: Template supervisord config for oauth2_proxy - template: + ansible.builtin.template: src: "supervisord.d/oauth2_proxy.conf.j2" dest: "{{ config_path }}" + owner: root + mode: "0644" loop_control: label: "{{ config_path }}" - when: ansible_system != 'Linux' and item.value + when: item.value vars: config_name: "{{ item.key }}" - config_path: "{{ supervisord.prefix.config }}/OAuth2Proxy{{ config_name|title }}.conf" + config_path: "{{ supervisord.prefix.config }}/OAuth2Proxy{{ config_name | title }}.conf" with_dict: "{{ oauth2_proxy.config }}" register: oauth2_proxy_template_supervisord_config_result diff --git a/tasks/systemd.yaml b/tasks/systemd.yaml index b7e857b..22bc62f 100644 --- a/tasks/systemd.yaml +++ b/tasks/systemd.yaml 
@@ -1,12 +1,8 @@ - name: Template systemd service for oauth2_proxy - when: ansible_system == 'Linux' - loop: - - src: systemd/oauth2-proxy@.service - dest: /etc/systemd/system/oauth2-proxy@.service - loop_control: - label: "{{ item.dest }}" - template: - src: "{{ item.src }}" - dest: "{{ item.dest }}" + ansible.builtin.template: + src: systemd/oauth2-proxy@.service + dest: /etc/systemd/system/oauth2-proxy@.service + owner: root + mode: "0644" register: oauth2_proxy_template_systemd_service_result notify: Restart oauth2_proxy From 8a1326f157da5cab1473423a4789efb14bb828d6 Mon Sep 17 00:00:00 2001 From: Wolfgang Medina-Erhardt Date: Wed, 25 Oct 2023 16:12:58 +0200 Subject: [PATCH 2/2] Add molecule testing --- .github/workflows/test.yml | 47 +++++++++++++++++++++++++++++++++++ meta/main.yaml | 2 +- molecule/default/converge.yml | 7 ++++++ molecule/default/molecule.yml | 27 ++++++++++++++++++++ molecule/default/verify.yml | 10 ++++++++ requirements.yml | 6 +++++ tasks/install.yaml | 2 +- tasks/main.yaml | 2 +- 8 files changed, 100 insertions(+), 3 deletions(-) create mode 100644 .github/workflows/test.yml create mode 100644 molecule/default/converge.yml create mode 100644 molecule/default/molecule.yml create mode 100644 molecule/default/verify.yml create mode 100644 requirements.yml diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml new file mode 100644 index 0000000..3429c27 --- /dev/null +++ b/.github/workflows/test.yml 
@@ -0,0 +1,47 @@ +--- +name: Test +run-name: Run molecule tests on the role +on: + push: + workflow_dispatch: + +jobs: + lint: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v3 + + - name: Set up Python + uses: actions/setup-python@v2 + with: + python-version: '3.x' + + - name: Install dependencies. + run: pip install yamllint ansible-lint ansible + + - name: Run ansible-lint + run: "ansible-lint" + + molecule: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v3 + + - name: Set up Python + uses: actions/setup-python@v2 + with: + python-version: '3.x' + + - name: Install dependencies. + run: | + python -m pip install --upgrade pip + pip install ansible docker molecule molecule-plugins + sudo apt install rsync + + - name: Install Galaxy dependencies. + run: ansible-galaxy collection install community.docker community.mysql + + - name: Run molecule + run: "molecule test" diff --git a/meta/main.yaml b/meta/main.yaml index 5c3d515..c84ad7a 100644 --- a/meta/main.yaml +++ b/meta/main.yaml @@ -9,4 +9,4 @@ galaxy_info: dependencies: - role: supervisord - when: ansible_system != 'Linux' + when: ansible_system == 'FreeBSD' diff --git a/molecule/default/converge.yml b/molecule/default/converge.yml new file mode 100644 index 0000000..173ad5d --- /dev/null +++ b/molecule/default/converge.yml @@ -0,0 +1,7 @@ +--- +- name: Converge + hosts: all + tasks: + - name: "Include ansible-proserver-oauth2-proxy" + ansible.builtin.include_role: + name: "ansible-proserver-oauth2-proxy" diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml new file mode 100644 index 0000000..c549054 --- /dev/null +++ b/molecule/default/molecule.yml 
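Review bot: The workflow declares no `permissions:` block, so both jobs run with the repository's default `GITHUB_TOKEN` scope on every `push`; neither job writes anything, so add `permissions:` / `  contents: read` at the top level. `actions/checkout@v3` and `actions/setup-python@v2` are pinned to moving tags rather than commit SHAs, and `pip install yamllint ansible-lint ansible` and `pip install ansible docker molecule molecule-plugins` pull unpinned latest releases, so the lint verdict and the molecule run can change — or be tampered with upstream — without any change in this repository; pin the actions to full SHAs and the Python tools to versions (the pre-commit config in the previous commit already pins ansible-lint to `v6.17.2`, so use the same one here). `community.mysql` in the galaxy install step is not used by this role and can be dropped.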
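Review bot: The `supervisord` dependency is now applied only when `ansible_system == 'FreeBSD'`, but the same patch flips the supervisord tasks in `tasks/main.yaml` to run when `ansible_system != 'FreeBSD'` (the `+when` line is visible in the last hunk), so on Linux `supervisord.yaml` now templates into `supervisord.prefix.config` without the role that presumably defines that variable having run, and both the supervisord and the systemd tasks execute on the same host. The dependency and the task gate should use the same predicate — `when: ansible_system == 'FreeBSD'` in both places — or both should stay at the original `!= 'Linux'`.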
@@ -0,0 +1,27 @@ +--- +dependency: + name: galaxy +driver: + name: docker +platforms: + - name: instance + image: geerlingguy/docker-ubuntu2204-ansible + command: /lib/systemd/systemd + pre_build_image: true + privileged: true + cgroupns_mode: host + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw +provisioner: + name: ansible + playbooks: + converge: ${MOLECULE_PLAYBOOK:-converge.yml} +verifier: + name: ansible +scenario: + name: default + test_sequence: + - destroy + - create + - converge + - verify diff --git a/molecule/default/verify.yml b/molecule/default/verify.yml new file mode 100644 index 0000000..a5cfa75 --- /dev/null +++ b/molecule/default/verify.yml @@ -0,0 +1,10 @@ +--- +# This is an example playbook to execute Ansible tests. + +- name: Verify + hosts: all + gather_facts: false + tasks: + - name: Example assertion + ansible.builtin.assert: + that: true diff --git a/requirements.yml b/requirements.yml new file mode 100644 index 0000000..35ac43c --- /dev/null +++ b/requirements.yml @@ -0,0 +1,6 @@ +--- +roles: + - src: https://github.com/punktDe/ansible-proserver-supervisord + name: supervisord + version: master + scm: git diff --git a/tasks/install.yaml b/tasks/install.yaml index 3f4a2b2..c718ebd 100644 --- a/tasks/install.yaml +++ b/tasks/install.yaml @@ -45,7 +45,7 @@ get_checksum: yes - name: Copy the new binary in place - when: "oauth2_proxy_binary_old.stat.checksum not in oauth2_proxy_binary_new.stat.checksum" + when: "not oauth2_proxy_binary_old.stat.exists or oauth2_proxy_binary_old.stat.checksum not in oauth2_proxy_binary_new.stat.checksum" register: oauth2_proxy_install_binary_result ansible.builtin.copy: remote_src: yes diff --git a/tasks/main.yaml b/tasks/main.yaml index 7303506..17d2729 100644 --- a/tasks/main.yaml +++ b/tasks/main.yaml 
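Review bot: The `instance` platform runs `privileged: true` with `cgroupns_mode: host` and the host's `/sys/fs/cgroup` mounted `rw`, which gives the converged container effective control over the runner's cgroup tree; that is the usual price of systemd-in-Docker, but it deserves a comment so the scenario is not reused on a shared host, e.g. `# privileged + host cgroups are required for systemd inside Docker; run only on throwaway CI runners`. `test_sequence` also ends at `verify` with no trailing `destroy`, so a failed or interrupted run leaves that privileged container running; append `- destroy` to the sequence.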
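Review bot: `Example assertion` asserts `that: true`, so the verify step passes without checking anything the role did, and the first-line comment says as much; the "Add molecule testing" commit therefore tests only that converge does not error. At minimum stat the systemd unit the role templates to `/etc/systemd/system/oauth2-proxy@.service` and fail if it is missing; add the installed binary path under `oauth2_proxy.prefix.opt` once the role's defaults are loaded in this play, since that prefix is not visible here.
```yaml
- name: Verify
  hosts: all
  gather_facts: false
  tasks:
    - name: Stat the files the role is expected to produce
      ansible.builtin.stat:
        path: "{{ item }}"
      loop:
        - /etc/systemd/system/oauth2-proxy@.service
      register: oauth2_proxy_verify_files

    - name: Assert the role produced its artefacts
      ansible.builtin.assert:
        that: item.stat.exists
        fail_msg: "{{ item.item }} is missing"
      loop: "{{ oauth2_proxy_verify_files.results }}"
      loop_control:
        label: "{{ item.item }}"
```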
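Review bot: `version: master` for the `supervisord` role pulls whatever is at the head of that branch at install time, so the molecule run (which fetches this via `dependency: galaxy`) and any consumer of `requirements.yml` can change behaviour — or be hijacked — without a change in this repository. Pin `version:` to a release tag or a full commit SHA from that repository and bump it deliberately.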
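Review bot: The rewritten `when` on `Copy the new binary in place` compares the two sha256 digests with `not in`, which is a substring test rather than an equality test; it happens to work only because both digests are the same length, and `!=` states the intent directly: `when: not oauth2_proxy_binary_old.stat.exists or oauth2_proxy_binary_old.stat.checksum != oauth2_proxy_binary_new.stat.checksum`. The copy still reads the staged binary from the shared `/tmp` extraction directory set up earlier in this file, so a local user who can write there can replace the file between the verification stat and this copy; staging in a private `ansible.builtin.tempfile` directory closes that window.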
@@ -8,7 +8,7 @@ - name: Manage the oauth2_proxy service (supervisord) ansible.builtin.import_tasks: supervisord.yaml - when: ansible_system != 'Linux' + when: ansible_system != 'FreeBSD' - name: Manage the oauth2_proxy service (systemd) ansible.builtin.import_tasks: systemd.yaml