telekom-mms · beechesII · Aug 18, 2022 · Aug 16, 2022 · Aug 16, 2022 · Aug 16, 2022
diff --git a/.ansible-lint b/.ansible-lint
diff --git a/.config/ansible-lint.yml b/.config/ansible-lint.yml
@@ -0,0 +1,13 @@
+---
+# .ansible-lint
+# exclude_paths included in this file are parsed relative to this file's location
+# and not relative to the CWD of execution. CLI arguments passed to the --exclude
+# option will be parsed relative to the CWD of execution.
+exclude_paths:
+  - .cache/  # implicit unless exclude_paths is defined in config
+  - .yamllint
+  - ../molecule/
+  - ../.github/
+
+warn_list:
+  - fqcn-builtins
diff --git a/.github/workflows/CI.yml b/.github/workflows/CI.yml
@@ -43,24 +43,14 @@ jobs:
     steps:
       - name: Check out code
         uses: actions/checkout@v3
-        with:
-          path: ansible_collections/t_systems_mms/ansible_collection_icinga
-
-      - name: Run Linting - icinga_agent
-        uses: ansible/ansible-lint-action@master
-        with:
-          targets: ansible_collections/t_systems_mms/ansible_collection_icinga/roles/icinga_agent
-          args: "-c ansible_collections/t_systems_mms/ansible_collection_icinga/.ansible-lint"
-          override-deps: |
-            ansible-lint==5.3.2
 
-      - name: Run Linting - icinga_plugins
-        uses: ansible/ansible-lint-action@master
+      - name: Run Linting
+        uses: ansible/ansible-lint-action@v6
         with:
-          targets: ansible_collections/t_systems_mms/ansible_collection_icinga/roles/icinga_plugins
-          args: "-c ansible_collections/t_systems_mms/ansible_collection_icinga/.ansible-lint"
+          targets: "roles/"
           override-deps: |
-            ansible-lint==5.3.2
+            rich>=9.5.1,<11.0.0
+          args: ""
 
   molecule:
       name: Molecule

diff --git a/roles/icinga_agent/molecule/default/converge.yml b/roles/icinga_agent/molecule/default/converge.yml
@@ -12,13 +12,17 @@
         - molecule-idempotence-notest
 
     - name: import icinga2 key
-      command: "rpm --import https://packages.icinga.com/icinga.key"
+      ansible.builtin.rpm_key:
+        state: present
+        key: "https://packages.icinga.com/icinga.key"
       when: ansible_os_family == 'RedHat'
       tags:
         - molecule-idempotence-notest
 
     - name: install icinga2 repo
-      command: "yum install https://packages.icinga.com/epel/icinga-rpm-release-7-latest.noarch.rpm -y"
+      ansible.builtin.yum:
+        name: https://packages.icinga.com/epel/icinga-rpm-release-7-latest.noarch.rpm
+        state: present
       when: ansible_os_family == 'RedHat'
       tags:
         - molecule-idempotence-notest

diff --git a/roles/icinga_agent/tasks/main.yml b/roles/icinga_agent/tasks/main.yml
@@ -9,6 +9,7 @@
 - name: create /etc/icinga2/repository.d
   ansible.builtin.file:
     dest: "/etc/icinga2/repository.d"
+    mode: 0750
     owner: "{{ icinga2_user[ansible_os_family] }}"
     group: "{{ icinga2_group[ansible_os_family] }}"
     state: directory
@@ -76,7 +77,8 @@
     - icinga_agent_enable_features is defined
     - icinga_agent_enable_features | length > 0
 
-- block:
+- name: start icinga agent registration
+  block:
     - name: create certs folder in case it is missing
       ansible.builtin.file:
         path: /var/lib/icinga2/certs/
@@ -86,29 +88,38 @@
         group: "{{ icinga2_group[ansible_os_family] }}"
 
     - name: generate ticket and save it as a variable
-      ansible.builtin.shell: /usr/sbin/icinga2 pki ticket --cn {{ ansible_hostname }} --salt {{ icinga_agent_salt }}
+      ansible.builtin.command: >
+        /usr/sbin/icinga2 pki ticket --cn {{ ansible_hostname }} --salt {{ icinga_agent_salt }}
       environment:
         LD_LIBRARY_PATH: "/usr/lib64"
       register: ticket
+      changed_when: false
+      failed_when: ticket.rc != 0
 
     - name: create certificate
-      ansible.builtin.command: "/usr/sbin/icinga2 pki new-cert --cn {{ ansible_hostname }} --key /var/lib/icinga2/certs/{{ ansible_hostname }}.key --cert /var/lib/icinga2/certs/{{ ansible_hostname }}.crt"
+      ansible.builtin.command: >
+        /usr/sbin/icinga2 pki new-cert --cn {{ ansible_hostname }}
+        --key /var/lib/icinga2/certs/{{ ansible_hostname }}.key
+        --cert /var/lib/icinga2/certs/{{ ansible_hostname }}.crt
       args:
         creates: "/var/lib/icinga2/certs/{{ ansible_hostname }}.crt"
 
     - name: save the icinga master's certificate to the host
-      ansible.builtin.command: "/usr/sbin/icinga2 pki save-cert --key /var/lib/icinga2/certs/{{ ansible_hostname }}.key --cert /var/lib/icinga2/certs/{{ ansible_hostname }}.crt --trustedcert /var/lib/icinga2/certs/trusted-master.crt --host {{ icinga_agent_ca_host }}"
+      ansible.builtin.command: >
+        /usr/sbin/icinga2 pki save-cert --key /var/lib/icinga2/certs/{{ ansible_hostname }}.key
+        --cert /var/lib/icinga2/certs/{{ ansible_hostname }}.crt
+        --trustedcert /var/lib/icinga2/certs/trusted-master.crt
+        --host {{ icinga_agent_ca_host }}
       args:
         creates: "/var/lib/icinga2/certs/trusted-master.crt"
 
-    - name: generate ticket and save it as a variable
-      ansible.builtin.command: "/usr/sbin/icinga2 pki ticket --cn {{ ansible_hostname }} --salt {{ icinga_agent_salt }}"
-      register: ticket
-      args:
-        creates: "/var/lib/icinga2/certs/ca.crt"
-
     - name: send a pki request to the icinga master
-      ansible.builtin.command: "/usr/sbin/icinga2 pki request --host {{ icinga_agent_ca_host }} --port {{ icinga_agent_ca_host_icinga_port }} --ticket {{ ticket.stdout }} --key /var/lib/icinga2/certs/{{ ansible_hostname }}.key --cert /var/lib/icinga2/certs/{{ ansible_hostname }}.crt --trustedcert /var/lib/icinga2/certs/trusted-master.crt --ca /var/lib/icinga2/certs/ca.crt"
+      ansible.builtin.command: >
+        /usr/sbin/icinga2 pki request --host {{ icinga_agent_ca_host }}
+        --port {{ icinga_agent_ca_host_icinga_port }}
+        --ticket {{ ticket.stdout }} --key /var/lib/icinga2/certs/{{ ansible_hostname }}.key
+        --cert /var/lib/icinga2/certs/{{ ansible_hostname }}.crt
+        --trustedcert /var/lib/icinga2/certs/trusted-master.crt --ca /var/lib/icinga2/certs/ca.crt
       args:
         creates: "/var/lib/icinga2/certs/ca.crt"
       notify:

diff --git a/roles/icinga_plugins/molecule/default/prepare.yml b/roles/icinga_plugins/molecule/default/prepare.yml
@@ -9,17 +9,23 @@
       when: ansible_os_family == 'RedHat'
 
     - name: import icinga2 key
-      command: "rpm --import https://packages.icinga.com/icinga.key"
+      ansible.builtin.rpm_key:
+        state: present
+        key: "https://packages.icinga.com/icinga.key"
       when: ansible_os_family == 'RedHat'
 
     - name: install icinga2 repo
-      command: "yum install https://packages.icinga.com/epel/icinga-rpm-release-7-latest.noarch.rpm -y"
+      ansible.builtin.yum:
+        name: https://packages.icinga.com/epel/icinga-rpm-release-7-latest.noarch.rpm
+        state: present
       when:
         - ansible_os_family == 'RedHat'
         - ansible_facts.distribution_major_version | int is version('7', '=')
 
     - name: install icinga2 repo
-      command: "yum install https://packages.icinga.com/epel/icinga-rpm-release-8-latest.noarch.rpm -y"
+      ansible.builtin.yum:
+        name: https://packages.icinga.com/epel/icinga-rpm-release-7-latest.noarch.rpm
+        state: present
       when:
         - ansible_os_family == 'RedHat'
         - ansible_facts.distribution_major_version | int is version('8', '=')

diff --git a/roles/icinga_plugins/molecule/default/verify.yml b/roles/icinga_plugins/molecule/default/verify.yml
@@ -23,6 +23,7 @@
     - name: verify that plugin dir exists
       file:
         path: "{{ icinga2_plugins_pluginsdir }}"
+        mode: 0755
         state: directory
       register: result_plugin_dir
 
@@ -37,10 +38,10 @@
     - name: search for all files in plugins directory
       ansible.builtin.find:
         paths: "{{ icinga2_plugins_pluginsdir }}"
-        recurse: yes
+        recurse: true
         file_type: file
       register: files_in_plugins_dir
-      check_mode: no
+      check_mode: false
 
     - name: validate plugins belongs to the right user for Redhat based systems
       assert:

diff --git a/roles/icinga_plugins/tasks/main.yml b/roles/icinga_plugins/tasks/main.yml
@@ -6,8 +6,8 @@
     state: present
   loop: "{{ dependency_packages }}"
   when:
-   - dependency_packages is defined
-   - dependency_packages | length > 0
+    - dependency_packages is defined
+    - dependency_packages | length > 0
   tags:
     - install_dependencies
 
@@ -37,7 +37,7 @@
     - icinga_install_plugins | length > 0
     - (ansible_facts.os_family == "RedHat" and ansible_facts.distribution_major_version | int is version('7', "=")) or ansible_facts.os_family == "Debian"
 
-- name: copy icinga plugins to target node
+- name: copy icinga plugins to target node # noqa risky-file-permissions
   ansible.builtin.copy:
     src: "{{ item }}"
     dest: "{{ icinga2_plugins_pluginsdir }}/"
@@ -50,10 +50,10 @@
 - name: "search for all files in plugins directory"
   ansible.builtin.find:
     paths: "{{ icinga2_plugins_pluginsdir }}"
-    recurse: yes
+    recurse: true
     file_type: any
   register: files_in_plugins_dir
-  check_mode: no
+  check_mode: false
 
 - name: set plugins ownership
   ansible.builtin.file:

diff --git a/tests/integration/targets/icinga/icinga_plugins.yml b/tests/integration/targets/icinga/icinga_plugins.yml
@@ -20,7 +20,7 @@
     - name: verfiy that plugin files belong to icinga
       ansible.builtin.find:
         paths: "/usr/lib64/nagios/plugins"
-        recurse: yes
+        recurse: true
         file_type: any
       register: files_in_plugins_dir