Merge "Bump up Ansible supported versions to 11.x/12.x"

Author: Zuul

ansible/action_plugins/template_content.py

@@ -0,0 +1,19 @@
+# Copyright (c) 2025 StackHPC Ltd.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+__metaclass__ = type
+
+import kayobe.plugins.action.template_content
+
+ActionModule = kayobe.plugins.action.template_content.ActionModule

ansible/kolla-ansible.yml

@@ -93,7 +93,7 @@
         kolla_ansible_passwords_path: "{{ kayobe_env_config_path }}/kolla/passwords.yml"
         kolla_overcloud_inventory_search_paths_static:
           - "{{ kayobe_config_path }}"
-        kolla_overcloud_inventory_search_paths: "{{ kolla_overcloud_inventory_search_paths_static + kayobe_env_search_paths }}"
+        kolla_overcloud_inventory_search_paths: "{{ kolla_overcloud_inventory_search_paths_static + kayobe_env_search_paths | default([]) }}"
         kolla_ansible_certificates_path: "{{ kayobe_env_config_path }}/kolla/certificates"
         kolla_inspector_dhcp_pool_start: "{{ inspection_net_name | net_inspection_allocation_pool_start }}"
         kolla_inspector_dhcp_pool_end: "{{ inspection_net_name | net_inspection_allocation_pool_end }}"
@@ -103,7 +103,7 @@
         kolla_libvirt_tls: "{{ compute_libvirt_enable_tls | bool }}"
         kolla_globals_paths_static:
           - "{{ kayobe_config_path }}"
-        kolla_globals_paths_extra: "{{ kolla_globals_paths_static + kayobe_env_search_paths }}"
+        kolla_globals_paths_extra: "{{ kolla_globals_paths_static + kayobe_env_search_paths | default([]) }}"
         kolla_ironic_inspector_host: "{{ groups[controller_ironic_inspector_group][0] if groups[controller_ironic_inspector_group] | length > 0 else '' }}"
 
 - name: Generate Kolla Ansible host vars for the seed host

ansible/roles/kolla-ansible/defaults/main.yml

@@ -26,7 +26,7 @@ kolla_ansible_venv_extra_requirements: []
 # tested code. Changes to this limit should be tested. It is possible to only
 # install ansible-core by setting kolla_ansible_venv_ansible to None.
 kolla_ansible_venv_ansible:
-kolla_ansible_venv_ansible_core: 'ansible-core>=2.17,<2.19'
+kolla_ansible_venv_ansible_core: 'ansible-core>=2.18,<2.20'
 
 # Path to a requirements.yml file for Ansible collections.
 kolla_ansible_requirements_yml: "{{ kolla_ansible_venv }}/share/kolla-ansible/requirements.yml"

ansible/roles/kolla-ansible/tasks/install.yml

@@ -141,7 +141,7 @@
       - "{{ kolla_ansible_venv_ansible_core }}"
       - "{{ kolla_ansible_venv_ansible }}"
   pip:
-    name: "{{ (kolla_ansible_packages + kolla_ansible_venv_extra_requirements) | select | list }}"
+    name: "{{ (kolla_ansible_packages | default([]) + kolla_ansible_venv_extra_requirements | default([])) | select | list }}"
     state: latest
     extra_args: "{% if kolla_upper_constraints_file %}-c {{ kolla_upper_constraints_file }}{% endif %}"
     virtualenv: "{{ kolla_ansible_venv }}"

ansible/roles/kolla-ansible/tests/test-defaults.yml

@@ -11,7 +11,7 @@
     - block:
         - name: Test the kolla-ansible role with default values
           include_role:
-            name: ../../kolla-ansible
+            name: "{{ playbook_dir }}/.."
           vars:
             kolla_ansible_source_path: "{{ temp_path }}/src"
             kolla_ansible_ctl_install_type: "source"

ansible/roles/kolla-openstack/tasks/config.yml

@@ -119,11 +119,11 @@
     params:
       content: |
         {%- for path in item.sources -%}
-        {{ lookup('template', path) }}
+        {{ lookup('file', path) }}
         {%- endfor -%}
       dest: "{{ item.dest }}"
       mode: 0640
-  copy: "{{ params | combine(item.params) }}"
+  template_content: "{{ params | combine(item.params) }}"
   with_items: "{{ kolla_custom_config_info.concat }}"
 
 - name: Ensure unnecessary extra configuration files are absent

kayobe/ansible.py

@@ -21,7 +21,14 @@
 import sys
 import tempfile
 
-from ansible.parsing.yaml.objects import AnsibleVaultEncryptedUnicode
+# TODO(dougszu): Backwards compatibility for Ansible 11. This exception
+# handler can be removed in the G cycle.
+try:
+    from ansible.parsing.vault import EncryptedString
+except ImportError:
+    # Ansible 11
+    from ansible.parsing.yaml.objects import AnsibleVaultEncryptedUnicode
+    EncryptedString = AnsibleVaultEncryptedUnicode
 
 from kayobe import exception
 from kayobe import utils
@@ -222,6 +229,9 @@ def _get_environment(parsed_args, external_playbook=False):
     """Return an environment dict for executing an Ansible playbook."""
     env = os.environ.copy()
     vault.update_environment(parsed_args, env)
+    # TODO(wszusmki): Kayobe still uses broken conditions. Work on fixing these
+    # and remove when that work is complete.
+    env.setdefault("ANSIBLE_ALLOW_BROKEN_CONDITIONALS", "true")
     # If the configuration path has been specified via --config-path, ensure
     # the environment variable is set, so that it can be referenced by
     # playbooks.
@@ -340,7 +350,7 @@ def run_playbook(parsed_args, playbook, *args, **kwargs):
 
 def _sanitise_hostvar(var):
     """Sanitise a host variable."""
-    if isinstance(var, AnsibleVaultEncryptedUnicode):
+    if isinstance(var, EncryptedString):
         return "******"
     # Recursively sanitise dicts and lists.
     if isinstance(var, dict):

kayobe/plugins/action/kolla_ansible_host_vars.py

@@ -14,6 +14,16 @@
 
 from ansible.plugins.action import ActionBase
 
+# TODO(dougszu): From Ansible 12 onwards we must explicitly trust templates.
+# Since this feature is not supported in previous releases, we define a
+# noop method here for backwards compatibility. This can be removed in the
+# G cycle.
+try:
+    from ansible.template import trust_as_template
+except ImportError:
+    def trust_as_template(template):
+        return template
+
 
 class ConfigError(Exception):
     pass
@@ -28,6 +38,11 @@ class ActionModule(ActionBase):
 
     TRANSFERS_FILES = False
 
+    def trusted_template(self, input):
+        # Mark all input as trusted.
+        trusted_input = trust_as_template(input)
+        return self._templar.template(trusted_input)
+
     def run(self, tmp=None, task_vars=None):
         if task_vars is None:
             task_vars = dict()
@@ -97,11 +112,11 @@ def _run(self, interfaces, external_networks):
     def _get_interface_fact(self, net_name, required, description):
         # Check whether the network is mapped to this host.
         condition = "{{ '%s' in network_interfaces }}" % net_name
-        condition = self._templar.template(condition)
+        condition = self.trusted_template(condition)
         if condition:
             # Get the network interface for this network.
             iface = ("{{ '%s' | net_interface }}" % net_name)
-            iface = self._templar.template(iface)
+            iface = self.trusted_template(iface)
             if required and not iface:
                 msg = ("Required network '%s' (%s) does not have an interface "
                        "configured for this host" % (net_name, description))
@@ -114,20 +129,20 @@ def _get_interface_fact(self, net_name, required, description):
 
     def _get_external_interface(self, net_name, required):
         condition = "{{ '%s' in network_interfaces }}" % net_name
-        condition = self._templar.template(condition)
+        condition = self.trusted_template(condition)
         if condition:
-            iface = self._templar.template("{{ '%s' | net_interface }}" %
-                                           net_name)
+            iface = self.trusted_template("{{ '%s' | net_interface }}" %
+                                          net_name)
             if iface:
                 # When these networks are VLANs, we need to use the
                 # underlying tagged bridge interface rather than the
                 # untagged interface. We therefore strip the .<vlan> suffix
                 # of the interface name. We use a union here as a single
                 # tagged interface may be shared between these networks.
-                vlan = self._templar.template("{{ '%s' | net_vlan }}" %
-                                              net_name)
-                parent = self._templar.template("{{ '%s' | net_parent }}" %
-                                                net_name)
+                vlan = self.trusted_template("{{ '%s' | net_vlan }}" %
+                                             net_name)
+                parent = self.trusted_template("{{ '%s' | net_parent }}" %
+                                               net_name)
                 if vlan and parent:
                     iface = parent
                 elif vlan and iface.endswith(".%s" % vlan):
@@ -146,15 +161,15 @@ def _get_external_interface_facts(self, external_interfaces):
         neutron_external_interfaces = []
         neutron_physical_networks = []
         missing_physical_networks = []
-        bridge_suffix = self._templar.template(
+        bridge_suffix = self.trusted_template(
             "{{ network_bridge_suffix_ovs }}")
-        patch_prefix = self._templar.template("{{ network_patch_prefix }}")
-        patch_suffix = self._templar.template("{{ network_patch_suffix_ovs }}")
+        patch_prefix = self.trusted_template("{{ network_patch_prefix }}")
+        patch_suffix = self.trusted_template("{{ network_patch_suffix_ovs }}")
         for interface, iface_networks in external_interfaces.items():
             is_bridge = ("{{ '%s' in (network_interfaces |"
                          "net_select_bridges |"
                          "map('net_interface')) }}" % interface)
-            is_bridge = self._templar.template(is_bridge)
+            is_bridge = self.trusted_template(is_bridge)
             neutron_bridge_names.append(interface + bridge_suffix)
             # For a bridge, use a veth pair connected to the bridge. Otherwise
             # use the interface directly.
@@ -171,7 +186,7 @@ def _get_external_interface_facts(self, external_interfaces):
             # attribute set, and if so, whether they are consistent.
             iface_physical_networks = []
             for iface_network in iface_networks:
-                physical_network = self._templar.template(
+                physical_network = self.trusted_template(
                     "{{ '%s' | net_physical_network }}" % iface_network)
                 if (physical_network and
                         physical_network not in iface_physical_networks):

kayobe/plugins/action/merge_configs.py

@@ -24,10 +24,21 @@
 
 from ansible import constants
 from ansible.plugins import action
+# TODO(dougszu): From Ansible 12 onwards we must explicitly trust templates.
+# Since this feature is not supported in previous releases, we define a
+# noop method here for backwards compatibility. This can be removed in the
+# G cycle.
+try:
+    from ansible.template import trust_as_template
+except ImportError:
+    def trust_as_template(template):
+        return template
+
 from io import StringIO
 
 from oslo_config import iniparser
 
+
 _ORPHAN_SECTION = 'TEMPORARY_ORPHAN_VARIABLE_SECTION'
 
 DOCUMENTATION = '''
@@ -154,7 +165,7 @@ def read_config(self, source, config):
         # Only use config if present
         if os.access(source, os.R_OK):
             with open(source, 'r') as f:
-                template_data = f.read()
+                template_data = trust_as_template(f.read())
 
             # set search path to mimic 'template' module behavior
             searchpath = [

kayobe/plugins/action/merge_yaml.py

@@ -27,6 +27,16 @@
 from ansible import errors as ansible_errors
 from ansible.plugins import action
 
+# TODO(dougszu): From Ansible 12 onwards we must explicitly trust templates.
+# Since this feature is not supported in previous releases, we define a
+# noop method here for backwards compatibility. This can be removed in the
+# G cycle.
+try:
+    from ansible.template import trust_as_template
+except ImportError:
+    def trust_as_template(template):
+        return template
+
 DOCUMENTATION = '''
 ---
 module: merge_yaml
@@ -95,7 +105,7 @@ def read_config(self, source):
         # Only use config if present
         if source and os.access(source, os.R_OK):
             with open(source, 'r') as f:
-                template_data = f.read()
+                template_data = trust_as_template(f.read())
 
             # set search path to mimic 'template' module behavior
             searchpath = [