Merge pull request #2 from mhjacks/update_tests

Update tests

.ansible-lint

@@ -9,13 +9,3 @@ skip_list:
   - var-naming[no-role-prefix] # This would be too much churn for very little gain
   - no-changed-when
   - var-naming[no-role-prefix] # There are too many changes now and it would be too risky
-
-# ansible-lint gh workflow cannot find ansible.cfg hence fails to import vault_utils role
-exclude_paths:
-  - ./ansible/playbooks/vault/vault.yaml
-  - ./ansible/playbooks/iib-ci/iib-ci.yaml
-  - ./ansible/playbooks/k8s_secrets/k8s_secrets.yml
-  - ./ansible/playbooks/process_secrets/process_secrets.yml
-  - ./ansible/playbooks/write-token-kubeconfig/write-token-kubeconfig.yml
-  - ./ansible/playbooks/process_secrets/display_secrets_info.yml
-  - ./ansible/roles/vault_utils/tests/test.yml

.github/dependabot.yml

@@ -0,0 +1,8 @@
+---
+version: 2
+updates:
+  # Check for updates to GitHub Actions every week
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"

.github/linters/.gitleaks.toml

@@ -0,0 +1,8 @@
+[whitelist]
+# As of v4, gitleaks only matches against filename, not path in the
+# files directive.  Leaving content for backwards compatibility.
+files = [
+  "ansible/plugins/modules/*.py",
+  "ansible/tests/unit/test_*.py",
+  "ansible/tests/unit/v1/*.yaml",
+]

.github/linters/.markdown-lint.yml

@@ -0,0 +1,6 @@
+{
+    "default": true,
+    "MD003": false,
+    "MD013": false,
+    "MD033": false
+}

.github/workflows/ansible-lint.yml

@@ -0,0 +1,17 @@
+name: Ansible Lint # feel free to pick your own name
+
+on: [push, pull_request]
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+      # Important: This sets up your GITHUB_WORKSPACE environment variable
+      - uses: actions/checkout@v4
+
+      - name: Lint Ansible Playbook
+        uses: ansible/ansible-lint-action@v6
+        # Let's point it to the path
+        with:
+          path: "/"

.github/workflows/ansible-unittest.yml

@@ -0,0 +1,57 @@
+---
+name: Ansible unit tests
+
+#
+# Documentation:
+# https://help.github.com/en/articles/workflow-syntax-for-github-actions
+#
+
+#############################
+# Start the job on all push #
+#############################
+on: [push, pull_request]
+
+###############
+# Set the Job #
+###############
+jobs:
+  ansible_unittests:
+    # Name the Job
+    name: Ansible unit tests
+    strategy:
+      matrix:
+        python-version: [3.11.3]
+    # Set the agent to run on
+    runs-on: ubuntu-latest
+
+    ##################
+    # Load all steps #
+    ##################
+    steps:
+      ##########################
+      # Checkout the code base #
+      ##########################
+      - name: Checkout Code
+        uses: actions/checkout@v4
+        with:
+          # Full git history is needed to get a proper list of changed files within `super-linter`
+          fetch-depth: 0
+          path: ansible_collections/rhvp/cluster_utils
+
+      - name: Set up Python ${{ matrix.python-version }}
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ matrix.python-version }}
+
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install pytest ansible
+
+      - name: Run make ansible-sanitytest
+        run: |
+          make ansible-sanitytest
+
+      - name: Run make ansible-unittest
+        run: |
+          make ansible-unittest

.github/workflows/superlinter.yml

@@ -0,0 +1,44 @@
+---
+name: Super linter
+
+on: [push, pull_request]
+
+jobs:
+  build:
+    # Name the Job
+    name: Super linter
+    # Set the agent to run on
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v4
+        with:
+          # Full git history is needed to get a proper list of changed files within `super-linter`
+          fetch-depth: 0
+
+      ################################
+      # Run Linter against code base #
+      ################################
+      - name: Lint Code Base
+        uses: super-linter/super-linter/slim@v7
+        env:
+          VALIDATE_ALL_CODEBASE: true
+          DEFAULT_BRANCH: main
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          # These are the validation we disable atm
+          VALIDATE_ANSIBLE: false
+          VALIDATE_BASH: false
+          VALIDATE_CHECKOV: false
+          VALIDATE_JSCPD: false
+          VALIDATE_JSON_PRETTIER: false
+          VALIDATE_MARKDOWN_PRETTIER: false
+          VALIDATE_KUBERNETES_KUBECONFORM: false
+          VALIDATE_PYTHON_PYLINT: false
+          VALIDATE_SHELL_SHFMT: false
+          VALIDATE_YAML: false
+          VALIDATE_YAML_PRETTIER: false
+          # VALIDATE_DOCKERFILE_HADOLINT: false
+          # VALIDATE_MARKDOWN: false
+          # VALIDATE_NATURAL_LANGUAGE: false
+          # VALIDATE_TEKTON: false

.gitignore

@@ -11,3 +11,4 @@ pattern-vault.init.bak
 super-linter.log
 golang-external-secrets/Chart.lock
 hashicorp-vault/Chart.lock
+tests/output

Makefile

@@ -0,0 +1,16 @@
+.PHONY: ansible-lint
+ansible-lint: ## run ansible lint on ansible/ folder
+	podman run -it -v $(PWD):/workspace:rw,z --workdir /workspace \
+		--entrypoint "/usr/local/bin/ansible-lint" quay.io/ansible/creator-ee:latest  "-vvv" "roles" "plugins" "playbooks"
+
+.PHONY: ansible-sanitytest
+ansible-sanitytest: ## run ansible unit tests
+	ansible-test sanity --docker default
+
+.PHONY: ansible-unittest
+ansible-unittest: ## run ansible unit tests
+	rm -rf tests/output
+	ansible-test units --docker
+
+.PHONY: test
+test: ansible-sanitytest ansible-unittest

galaxy.yml

@@ -8,7 +8,7 @@ namespace: rhvp
 name: cluster_utils
 
 # The version of the collection. Must be compatible with semantic versioning
-version: 1.0.0
+version: 1.0.1
 
 # The path to the Markdown (.md) readme file. This path is relative to the root of the collection
 readme: README.md
@@ -67,4 +67,3 @@ build_ignore: []
 # 'omit_default_directives' is a boolean that controls whether the default directives are used. Mutually exclusive
 # with 'build_ignore'
 # manifest: null
-

playbooks/write_token_kubeconfig.yml

@@ -37,7 +37,7 @@
       when: not k8s_api_key
       block:
         - name: Login explicitly to get token
-          kubernetes.core.k8s_auth:
+          community.okd.openshift_auth:
             host: '{{ k8s_host }}'
             validate_certs: '{{ k8s_validate_certs }}'
             username: '{{ k8s_username }}'

plugins/module_utils/load_secrets_common.py

@@ -16,6 +16,9 @@
 """
 Module that implements some common functions
 """
+from __future__ import (absolute_import, division, print_function)
+
+__metaclass__ = type
 
 import configparser
 from collections.abc import MutableMapping
@@ -122,3 +125,27 @@ def stringify_dict(input_dict):
         output_dict[str(key)] = str(value)
 
     return output_dict
+
+
+def filter_module_args(arg_spec):
+    """
+    Return a dict that is suitable as an Ansible Module argument spec based on a DOCUMENTATION string from
+    the options section.
+    Specific changes that are made to options include removing the description key, if it exists
+    and adding a no_log setting. 'parsed_secrets' actually contains secrets but the other fields do not.
+
+    Without this function, sanity tests throw numerous errors because of improper argument specs.
+    """
+    for arg in arg_spec:
+        # We only deal with meta-secrets in this module
+        if arg == 'parsed_secrets':
+            arg_spec[arg]['no_log'] = True
+        elif 'secret' in arg:
+            arg_spec[arg]['no_log'] = False
+
+        try:
+            del arg_spec[arg]['description']
+        except KeyError:
+            pass
+
+    return arg_spec

plugins/module_utils/load_secrets_v1.py

@@ -16,13 +16,21 @@
 """
 Module that implements V1 of the values-secret.yaml spec
 """
+from __future__ import (absolute_import, division, print_function)
+
+__metaclass__ = type
 
 import base64
 import os
 import time
 
-import yaml
-from ..module_utils.load_secrets_common import flatten, get_version
+try:
+    import yaml
+    YAML_IMPORT_EXCEPTION = None
+except ImportError as imp_err:
+    YAML_IMPORT_EXCEPTION = imp_err
+
+from ansible_collections.rhvp.cluster_utils.plugins.module_utils.load_secrets_common import flatten, get_version
 
 
 class LoadSecretsV1:
@@ -248,6 +256,9 @@ def inject_secrets(self):
         return counter
 
     def check_for_missing_secrets(self):
+        if YAML_IMPORT_EXCEPTION:
+            self.module.fail_json("Missing yaml module")
+
         with open(self.values_secret_template, "r", encoding="utf-8") as file:
             template_yaml = yaml.safe_load(file.read())
         if template_yaml is None:

plugins/module_utils/load_secrets_v2.py

@@ -16,13 +16,16 @@
 """
 Module that implements V2 of the values-secret.yaml spec
 """
+from __future__ import (absolute_import, division, print_function)
+
+__metaclass__ = type
 
 import base64
 import getpass
 import os
 import time
 
-from ..module_utils.load_secrets_common import (
+from ansible_collections.rhvp.cluster_utils.plugins.module_utils.load_secrets_common import (
     find_dupes,
     get_ini_value,
     get_version,
@@ -139,7 +142,7 @@ def _get_field_override(self, f):
     def _validate_field(self, f):
         # These fields are mandatory
         try:
-            _ = f["name"]
+            unused = f["name"]
         except KeyError:
             return (False, f"Field {f} is missing name")
 
@@ -162,8 +165,8 @@ def _validate_field(self, f):
                 )
 
         # Test if base64 is a correct boolean (defaults to False)
-        _ = self._get_field_base64(f)
-        _ = self._get_field_override(f)
+        unused = self._get_field_base64(f)
+        unused = self._get_field_override(f)
 
         vault_policy = f.get("vaultPolicy", None)
         if vault_policy is not None and vault_policy not in self._get_vault_policies():
@@ -243,7 +246,7 @@ def _validate_secrets(self):
             # These fields are mandatory
             for i in ["name"]:
                 try:
-                    _ = s[i]
+                    unused = s[i]
                 except KeyError:
                     return (False, f"Secret {s['name']} is missing {i}")
             names.append(s["name"])
@@ -353,7 +356,7 @@ def _vault_secret_attr_exists(self, mount, prefix, secret_name, attribute):
             f'"vault kv get -mount={mount} -field={attribute} {prefix}/{secret_name}"'
         )
         # we ignore stdout and stderr
-        (ret, _, _) = self._run_command(cmd, attempts=1, checkrc=False)
+        (ret, *unused) = self._run_command(cmd, attempts=1, checkrc=False)
         if ret == 0:
             return True
 

plugins/module_utils/parse_secrets_v2.py

@@ -16,12 +16,15 @@
 """
 Module that implements V2 of the values-secret.yaml spec
 """
+from __future__ import (absolute_import, division, print_function)
+
+__metaclass__ = type
 
 import base64
 import getpass
 import os
 
-from ..module_utils.load_secrets_common import (
+from ansible_collections.rhvp.cluster_utils.plugins.module_utils.load_secrets_common import (
     find_dupes,
     get_ini_value,
     get_version,
@@ -245,7 +248,7 @@ def parse(self):
     def _validate_field(self, f):
         # These fields are mandatory
         try:
-            _ = f["name"]
+            unused = f["name"]
         except KeyError:
             return (False, f"Field {f} is missing name")
 
@@ -268,8 +271,8 @@ def _validate_field(self, f):
                 )
 
         # Test if base64 is a correct boolean (defaults to False)
-        _ = self._get_field_base64(f)
-        _ = self._get_field_override(f)
+        unused = self._get_field_base64(f)
+        unused = self._get_field_override(f)
 
         vault_policy = f.get("vaultPolicy", None)
         if vault_policy is not None and vault_policy not in self._get_vault_policies():
@@ -327,7 +330,7 @@ def _validate_secrets(self):
             # These fields are mandatory
             for i in ["name"]:
                 try:
-                    _ = s[i]
+                    unused = s[i]
                 except KeyError:
                     return (False, f"Secret {s['name']} is missing {i}")
             names.append(s["name"])