diff --git a/CHANGELOG.md b/CHANGELOG.md index 0849992..a843459 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,14 @@ # CHANGELOG +## v1.0.4 (2026-05-18) + +### Security + +- Change SSL verify default from `false` to `true` in all 5 playbooks +- Add `no_log: true` to all tasks that handle `api_key` or Bearer tokens + across vm_backup_restore, vm_hot_plug, vm_lifecycle, vm_collect, and + vm_storage_labeling roles + ## v1.0.3 (2026-05-05) ### Bug Fixes diff --git a/extensions/audit/event_query.yml b/extensions/audit/event_query.yml new file mode 100644 index 0000000..49972de --- /dev/null +++ b/extensions/audit/event_query.yml 
@@ -0,0 +1,118 @@ +--- +infra.openshift_virtualization_ops.*: + query: >- + ( + { + "virtualmachine": "Virtual Machine", + "virtualmachineinstance": "VM Instance", + "backup": "VM Backup", + "restore": "VM Restore", + "snapshot": "VM Snapshot", + "datavolumetemplate": "Data Volume", + "network": "VM Network", + "storage": "VM Storage", + "migration": "Live Migration" + } as $mapping | + (.vm // .resources // .) | + (if type=="array" then .[] else if type=="object" then . else empty end end) as $data | + select($data.metadata != null or $data.name != null) | + ( + if $data | has("kind") then + ( + if $data.kind == "VirtualMachine" then "virtualmachine" + elif $data.kind == "VirtualMachineInstance" then "virtualmachineinstance" + elif $data.kind == "VirtualMachineInstanceMigration" then "migration" + elif $data.kind | test("Backup") then "backup" + elif $data.kind | test("Restore") then "restore" + elif $data.kind | test("Snapshot") then "snapshot" + elif $data.kind | test("DataVolume") then "datavolumetemplate" + elif $data.kind | test("NetworkAttachmentDefinition") then "network" + elif $data.kind | test("PersistentVolumeClaim") then "storage" + else "unknown" + end + ) + elif $data.metadata.labels then + ( + if $data.metadata.labels | has("kubevirt.io/vm") then "virtualmachine" + elif $data.metadata.labels | has("vm.kubevirt.io/name") then "virtualmachineinstance" + else "unknown" + end + ) + else "unknown" + end + ) as $node_type | + ( + if $node_type == "virtualmachine" or $node_type == "virtualmachineinstance" then + ( + if $data.status.printableStatus then $data.status.printableStatus + else "vm" + end + ) + elif $node_type == "migration" then "live-migration" + elif $node_type == "backup" then "backup" + elif $node_type == "restore" then "restore" + elif $node_type == "snapshot" then "snapshot" + elif $node_type == "datavolumetemplate" then "volume" + elif $node_type == "network" then "network" + elif $node_type == "storage" then "disk" + else "unknown" + end 
+ ) as $sub_node_type | + { + name: ( + if $data.metadata then ($data.metadata.name // $data.metadata.uid) + else ($data.name // "UNKNOWN") + end + ), + canonical_facts: { + name: ( + if $data.metadata then ($data.metadata.name // "UNKNOWN") + else ($data.name // "UNKNOWN") + end + ), + id: ( + if $data.metadata then ($data.metadata.uid // $data.metadata.name) + else ($data.id // $data.name) + end + ), + node_type: $node_type + }, + facts: { + infra_type: "openshift_virtualization", + infra_bucket: ($mapping[$node_type] // "UNKNOWN"), + device_type: $sub_node_type, + namespace: ( + if $data.metadata then ($data.metadata.namespace // "") + else "" + end + ), + status: ( + if $data.status then + ( + if $data.status.printableStatus then $data.status.printableStatus + elif $data.status.phase then $data.status.phase + elif $data.status.conditions then + ( + $data.status.conditions | + map(select(.status == "True")) | + .[0].type // "unknown" + ) + else "unknown" + end + ) + else "unknown" + end + ), + operation: ( + if $data.operation then $data.operation + else "" + end + ), + labels: ( + if $data.metadata and $data.metadata.labels then $data.metadata.labels + else {} + end + ) + } + } + ) diff --git a/playbooks/vm_backup.yml b/playbooks/vm_backup.yml index 666fbd7..c0578ca 100644 --- a/playbooks/vm_backup.yml +++ b/playbooks/vm_backup.yml @@ -12,5 +12,5 @@ vars: openshift_host: "{{ lookup('ansible.builtin.env', 'K8S_AUTH_HOST', default=Undefined) | default('', True) }}" openshift_api_key: "{{ lookup('ansible.builtin.env', 'K8S_AUTH_API_KEY', default=Undefined) | default('', True) }}" # noqa: yaml[line-length] - openshift_verify_ssl: "{{ lookup('ansible.builtin.env', 'K8S_AUTH_VERIFY_SSL', default='') | default(false) | bool }}" # noqa: yaml[line-length] + openshift_verify_ssl: "{{ lookup('ansible.builtin.env', 'K8S_AUTH_VERIFY_SSL', default='') | default(true) | bool }}" # noqa: yaml[line-length] ... 
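Review bot: The top-level `name` of the emitted object can still be null when a resource has `metadata` but neither `metadata.name` nor `metadata.uid`, while `canonical_facts.name` in the same object falls back to `"UNKNOWN"`; the two branches should agree, e.g. `if $data.metadata then ($data.metadata.name // $data.metadata.uid // "UNKNOWN")`. `canonical_facts.id` has the same gap, `$data.metadata.uid // $data.metadata.name` with no final default, so a record can be emitted with a null identifier. The file also has no header comment saying what this query feeds; a one-liner such as `# jq query: maps results of infra.openshift_virtualization_ops.* modules to audit event facts (name, canonical_facts, facts)` would save the next reader from reverse-engineering the `$mapping` table.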
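Review bot: The new `default(true)` does not change the effective default: the lookup already returns `''` when `K8S_AUTH_VERIFY_SSL` is unset, Jinja's `default()` without its second argument only replaces undefined values, and `'' | bool` is still false, so certificate verification remains off unless the variable is set explicitly. The `openshift_api_key` line two lines above uses `default('', True)` for exactly this reason. Either pass the boolean flag, `| default(true, True) | bool`, or let the lookup carry the default, `lookup('ansible.builtin.env', 'K8S_AUTH_VERIFY_SSL', default=true) | bool`. The same line appears in playbooks/vm_hot_plug.yml, playbooks/vm_operations.yml, playbooks/vm_restore.yml and the new playbooks/vm_storage_labeling.yml, and the CHANGELOG entry stating the default is now `true` is only accurate once this is fixed.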
diff --git a/playbooks/vm_hot_plug.yml b/playbooks/vm_hot_plug.yml index 94476f4..4414421 100644 --- a/playbooks/vm_hot_plug.yml +++ b/playbooks/vm_hot_plug.yml @@ -11,5 +11,5 @@ vars: openshift_host: "{{ lookup('ansible.builtin.env', 'K8S_AUTH_HOST', default=Undefined) | default('', True) }}" openshift_api_key: "{{ lookup('ansible.builtin.env', 'K8S_AUTH_API_KEY', default=Undefined) | default('', True) }}" # noqa: yaml[line-length] - openshift_verify_ssl: "{{ lookup('ansible.builtin.env', 'K8S_AUTH_VERIFY_SSL', default='') | default(false) | bool }}" # noqa: yaml[line-length] + openshift_verify_ssl: "{{ lookup('ansible.builtin.env', 'K8S_AUTH_VERIFY_SSL', default='') | default(true) | bool }}" # noqa: yaml[line-length] ... diff --git a/playbooks/vm_operations.yml b/playbooks/vm_operations.yml index 3a41371..3db5d5a 100644 --- a/playbooks/vm_operations.yml +++ b/playbooks/vm_operations.yml @@ -11,5 +11,5 @@ vars: openshift_host: "{{ lookup('ansible.builtin.env', 'K8S_AUTH_HOST', default=Undefined) | default('', True) }}" openshift_api_key: "{{ lookup('ansible.builtin.env', 'K8S_AUTH_API_KEY', default=Undefined) | default('', True) }}" # noqa: yaml[line-length] - openshift_verify_ssl: "{{ lookup('ansible.builtin.env', 'K8S_AUTH_VERIFY_SSL', default='') | default(false) | bool }}" # noqa: yaml[line-length] + openshift_verify_ssl: "{{ lookup('ansible.builtin.env', 'K8S_AUTH_VERIFY_SSL', default='') | default(true) | bool }}" # noqa: yaml[line-length] ... diff --git a/playbooks/vm_restore.yml b/playbooks/vm_restore.yml index eadc3aa..f0a6e6f 100644 --- a/playbooks/vm_restore.yml +++ b/playbooks/vm_restore.yml 
@@ -12,5 +12,5 @@ vars: openshift_host: "{{ lookup('ansible.builtin.env', 'K8S_AUTH_HOST', default=Undefined) | default('', True) }}" openshift_api_key: "{{ lookup('ansible.builtin.env', 'K8S_AUTH_API_KEY', default=Undefined) | default('', True) }}" # noqa: yaml[line-length] - openshift_verify_ssl: "{{ lookup('ansible.builtin.env', 'K8S_AUTH_VERIFY_SSL', default='') | default(false) | bool }}" # noqa: yaml[line-length] + openshift_verify_ssl: "{{ lookup('ansible.builtin.env', 'K8S_AUTH_VERIFY_SSL', default='') | default(true) | bool }}" # noqa: yaml[line-length] ... diff --git a/playbooks/vm_storage_labeling.yml b/playbooks/vm_storage_labeling.yml new file mode 100644 index 0000000..ea4a9d6 --- /dev/null +++ b/playbooks/vm_storage_labeling.yml @@ -0,0 +1,15 @@ +--- + +- name: VM Storage Volume Labeling + hosts: localhost + connection: local + gather_facts: false + tasks: + - name: Invoke VM Storage Volume Labeling + ansible.builtin.include_role: + name: infra.openshift_virtualization_ops.vm_storage_labeling + vars: + openshift_host: "{{ lookup('ansible.builtin.env', 'K8S_AUTH_HOST', default=Undefined) | default('', True) }}" + openshift_api_key: "{{ lookup('ansible.builtin.env', 'K8S_AUTH_API_KEY', default=Undefined) | default('', True) }}" # noqa: yaml[line-length] + openshift_verify_ssl: "{{ lookup('ansible.builtin.env', 'K8S_AUTH_VERIFY_SSL', default='') | default(true) | bool }}" # noqa: yaml[line-length] +... diff --git a/roles/vm_backup_restore/tasks/_restore_vm.yml b/roles/vm_backup_restore/tasks/_restore_vm.yml index 9b6f80f..4e58527 100644 --- a/roles/vm_backup_restore/tasks/_restore_vm.yml +++ b/roles/vm_backup_restore/tasks/_restore_vm.yml @@ -1,6 +1,7 @@ --- - name: _restore_vm | Stop Virtual Machine + no_log: true redhat.openshift_virtualization.kubevirt_vm: api_key: "{{ vm_backup_restore_openshift_api_key }}" host: "{{ vm_backup_restore_openshift_host }}" 
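Review bot: `no_log: true` on the whole task also suppresses the module's failure output, so when this `kubevirt_vm` call fails an operator only sees that the output was hidden, which makes a wrong host, an expired token or a TLS failure hard to diagnose. Consider gating it on a role variable, `no_log: "{{ vm_backup_restore_no_log | default(true) }}"`, so it can be switched off for troubleshooting without editing the role. As far as I recall the `api_key` option of the kubernetes.core and redhat.openshift modules is already marked no_log in the module argument spec, so for those tasks the blanket setting mainly hides the registered result; the `ansible.builtin.uri` tasks in vm_hot_plug/tasks/_storage.yml and vm_lifecycle/tasks/_perform_operation.yml, which per the CHANGELOG carry Bearer tokens in headers, are the ones that genuinely need it. The same remark applies to every other `no_log: true` hunk in this commit (_restore_vm.yml's two later hunks, _snapshot_vm.yml, vm_collect/tasks/main.yml, vm_hot_plug _compute.yml and _process_vm.yml, vm_lifecycle _collect_vms.yml and _verify_operation.yml).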
@@ -12,6 +13,7 @@ wait_timeout: "{{ vm_backup_restore_vm_wait_timeout }}" - name: _restore_vm | Create Restore + no_log: true redhat.openshift.k8s: state: present api_key: "{{ vm_backup_restore_openshift_api_key }}" @@ -41,6 +43,7 @@ type: Ready - name: _restore_vm | Start Virtual Machine + no_log: true redhat.openshift_virtualization.kubevirt_vm: api_key: "{{ vm_backup_restore_openshift_api_key }}" host: "{{ vm_backup_restore_openshift_host }}" diff --git a/roles/vm_backup_restore/tasks/_snapshot_vm.yml b/roles/vm_backup_restore/tasks/_snapshot_vm.yml index f1f873b..19c5aee 100644 --- a/roles/vm_backup_restore/tasks/_snapshot_vm.yml +++ b/roles/vm_backup_restore/tasks/_snapshot_vm.yml @@ -1,6 +1,7 @@ --- - name: _snapshot_vm | Create Snapshot + no_log: true redhat.openshift.k8s: state: present api_key: "{{ vm_backup_restore_openshift_api_key }}" diff --git a/roles/vm_collect/tasks/main.yml b/roles/vm_collect/tasks/main.yml index 0a3dfcb..ded89b0 100644 --- a/roles/vm_collect/tasks/main.yml +++ b/roles/vm_collect/tasks/main.yml @@ -25,6 +25,7 @@ when: "'label_selectors' not in vm_collect_request_instance" block: - name: "Query Without Label Selector {{ vm_collect_obj | default(vm_collect_obj_default_kind) }}" + no_log: true kubernetes.core.k8s_info: api_key: "{{ vm_collect_openshift_api_key }}" host: "{{ vm_collect_openshift_host }}" @@ -49,6 +50,7 @@ when: "'label_selectors' in vm_collect_request_instance" block: - name: "Query (With Label Selector) - {{ vm_collect_obj | default(vm_collect_obj_default_kind) }}" + no_log: true kubernetes.core.k8s_info: api_key: "{{ vm_collect_openshift_api_key }}" host: "{{ vm_collect_openshift_host }}" diff --git a/roles/vm_hot_plug/tasks/_compute.yml b/roles/vm_hot_plug/tasks/_compute.yml index 9d30f94..7698dcc 100644 --- a/roles/vm_hot_plug/tasks/_compute.yml +++ b/roles/vm_hot_plug/tasks/_compute.yml 
@@ -20,6 +20,7 @@ quiet: true - name: _compute | Patch VM with Compute Modifications + no_log: true kubernetes.core.k8s_json_patch: api_key: "{{ vm_hot_plug_api_key }}" host: "{{ vm_hot_plug_openshift_host }}" diff --git a/roles/vm_hot_plug/tasks/_process_vm.yml b/roles/vm_hot_plug/tasks/_process_vm.yml index 3e5c843..d17470d 100644 --- a/roles/vm_hot_plug/tasks/_process_vm.yml +++ b/roles/vm_hot_plug/tasks/_process_vm.yml @@ -14,6 +14,7 @@ when: "'restartIfRequired' in vm_hot_plug_vm and vm_hot_plug_vm.restartIfRequired | bool" block: - name: _process_vm | Query VM for Updated Configuration + no_log: true kubernetes.core.k8s_info: api_key: "{{ vm_hot_plug_api_key }}" host: "{{ vm_hot_plug_openshift_host }}" diff --git a/roles/vm_hot_plug/tasks/_storage.yml b/roles/vm_hot_plug/tasks/_storage.yml index 8060e3d..d9846b5 100644 --- a/roles/vm_hot_plug/tasks/_storage.yml +++ b/roles/vm_hot_plug/tasks/_storage.yml @@ -19,6 +19,7 @@ default([]) | selectattr('name', 'equalto', vm_hot_plug_storage_instance.name) | list | length == 0 ) + no_log: true ansible.builtin.uri: url: "{{ vm_hot_plug_openshift_host }}/apis/subresources.{{ vm_hot_plug_kubevirt_api_version }}\ diff --git a/roles/vm_lifecycle/tasks/_collect_vms.yml b/roles/vm_lifecycle/tasks/_collect_vms.yml index 0289b9e..e64446a 100644 --- a/roles/vm_lifecycle/tasks/_collect_vms.yml +++ b/roles/vm_lifecycle/tasks/_collect_vms.yml @@ -20,6 +20,7 @@ when: "'label_selectors' not in vm_operations_request_instance" block: - name: "_collect_vms | Query VM's (Without Label Selector)" + no_log: true kubernetes.core.k8s_info: api_key: "{{ vm_lifecycle_openshift_api_key }}" host: "{{ vm_lifecycle_openshift_host }}" @@ -45,6 +46,7 @@ when: "'label_selectors' in vm_operations_request_instance" block: - name: "_collect_vms | Query VM's (With Label Selector)" + no_log: true kubernetes.core.k8s_info: api_key: "{{ vm_lifecycle_openshift_api_key }}" host: "{{ vm_lifecycle_openshift_host }}" 
diff --git a/roles/vm_lifecycle/tasks/_perform_operation.yml b/roles/vm_lifecycle/tasks/_perform_operation.yml index cedb815..2926258 100644 --- a/roles/vm_lifecycle/tasks/_perform_operation.yml +++ b/roles/vm_lifecycle/tasks/_perform_operation.yml @@ -1,6 +1,7 @@ --- - name: _perform_operation | Perform VM Operation + no_log: true ansible.builtin.uri: url: "{{ vm_lifecycle_openshift_host }}/apis/subresources.{{ vm_lifecycle_kubevirt_api_version }}/namespaces/{{ vm_operations_vm.vm.metadata.namespace }}/virtualmachines/{{ vm_operations_vm.vm.metadata.name }}/{{ vm_lifecycle_valid_vm_operations[vm_operations_vm['operation']].endpoint }}" # noqa: yaml[line-length] validate_certs: "{{ vm_lifecycle_openshift_verify_ssl }}" diff --git a/roles/vm_lifecycle/tasks/_verify_operation.yml b/roles/vm_lifecycle/tasks/_verify_operation.yml index d94e557..7fc3b3b 100644 --- a/roles/vm_lifecycle/tasks/_verify_operation.yml +++ b/roles/vm_lifecycle/tasks/_verify_operation.yml @@ -1,6 +1,7 @@ --- - name: _verify_operation | Verify VMs + no_log: true kubernetes.core.k8s_info: api_key: "{{ vm_lifecycle_openshift_api_key }}" host: "{{ vm_lifecycle_openshift_host }}" diff --git a/roles/vm_storage_labeling/README.md b/roles/vm_storage_labeling/README.md new file mode 100644 index 0000000..b8ea4cc --- /dev/null +++ b/roles/vm_storage_labeling/README.md @@ -0,0 +1,17 @@ +# vm_storage_labeling + +Add labels, annotations, and descriptive names to storage volumes (PVCs and DataVolumes) in OpenShift Virtualization. + +## Requirements + +- `redhat.openshift_virtualization` collection +- `kubernetes.core` collection +- OpenShift cluster with Virtualization operator installed + +## Role Variables + +See `defaults/main.yml` for available variables. + +## License + +Apache-2.0 diff --git a/roles/vm_storage_labeling/defaults/main.yml b/roles/vm_storage_labeling/defaults/main.yml new file mode 100644 index 0000000..18646bd --- /dev/null +++ b/roles/vm_storage_labeling/defaults/main.yml 
@@ -0,0 +1,33 @@ +--- +# defaults file for vm_storage_labeling + +# title: Storage Volume Labeling Request +# required: True +# description: List of Storage Volume Labeling Requests +vm_storage_labeling_request: [] +# - namespace: # Namespace to scope volumes. \ +# Required when names are specified. Omit to query all namespaces. +# names: # List of PVC/DataVolume names within a namespace. \ +# Requires namespace. Optional when using label_selectors. +# label_selectors: # Label selectors to match volumes. \ +# Cannot be used with list of volume names. +# - = +# labels: # Labels to apply to matched volumes. +# : +# annotations: # Annotations to apply to matched volumes. +# : + +# title: OpenShift Host +# required: True +# description: OpenShift Host +vm_storage_labeling_openshift_host: "{{ openshift_host }}" +# title: OpenShift API Key +# required: True +# description: OpenShift API Key +vm_storage_labeling_api_key: "{{ openshift_api_key }}" +# title: Verify SSL Certificate +# required: True +# description: Verify SSL Certificate +vm_storage_labeling_openshift_verify_ssl: "{{ openshift_verify_ssl }}" + +... diff --git a/roles/vm_storage_labeling/meta/main.yml b/roles/vm_storage_labeling/meta/main.yml new file mode 100644 index 0000000..1ff34cd --- /dev/null +++ b/roles/vm_storage_labeling/meta/main.yml @@ -0,0 +1,10 @@ +--- +galaxy_info: + author: "" + description: Add labels, annotations, and descriptive names to storage volumes (PVCs and DataVolumes). + company: Red Hat + license: GPL-3.0-only + min_ansible_version: 2.15.0 + galaxy_tags: [] +dependencies: [] +... diff --git a/roles/vm_storage_labeling/tasks/_apply_metadata.yml b/roles/vm_storage_labeling/tasks/_apply_metadata.yml new file mode 100644 index 0000000..c254384 --- /dev/null +++ b/roles/vm_storage_labeling/tasks/_apply_metadata.yml 
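Review bot: The example request in the comment block has lost its placeholders — the lines read `# - =` and `# :` — presumably angle-bracket tokens such as `<key>=<value>` that were stripped somewhere between editor and commit; restore them so the documented shape of `label_selectors`, `labels` and `annotations` is readable. The variable name `vm_storage_labeling_api_key` also departs from the `<role>_openshift_api_key` convention used by vm_backup_restore, vm_collect and vm_lifecycle in this same commit (vm_hot_plug is the other exception), which is cheapest to align while the role is new.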
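Review bot: `license: GPL-3.0-only` contradicts the `Apache-2.0` stated in roles/vm_storage_labeling/README.md added in the same commit; one of the two is wrong, and the galaxy metadata is the one tooling reads. `author: ""` and `galaxy_tags: []` are still scaffold values and should be filled in before release.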
@@ -0,0 +1,77 @@ +--- + +- name: _apply_metadata | Initialize Patch Operations + ansible.builtin.set_fact: + vm_storage_labeling_patch: [] + +- name: _apply_metadata | Build Label Patch Operations + when: vm_storage_labeling_current_request.labels | default({}, true) | length > 0 + ansible.builtin.set_fact: + vm_storage_labeling_patch: >- + {{ vm_storage_labeling_patch + [ + { + 'op': ('replace' + if (vm_storage_labeling_volume.metadata.labels | default({}) | dict2items + | selectattr('key', 'equalto', vm_storage_labeling_label.key) | list | length > 0) + else 'add'), + 'path': '/metadata/labels/' + (vm_storage_labeling_label.key | regex_replace('/', '~1')), + 'value': vm_storage_labeling_label.value + } + ] }} + loop: "{{ vm_storage_labeling_current_request.labels | dict2items }}" + loop_control: + loop_var: vm_storage_labeling_label + label: "{{ vm_storage_labeling_label.key }}" + +- name: _apply_metadata | Build Annotation Patch Operations + when: vm_storage_labeling_current_request.annotations | default({}, true) | length > 0 + ansible.builtin.set_fact: + vm_storage_labeling_patch: >- + {{ vm_storage_labeling_patch + [ + { + 'op': ('replace' + if (vm_storage_labeling_volume.metadata.annotations | default({}) | dict2items + | selectattr('key', 'equalto', vm_storage_labeling_annotation.key) | list | length > 0) + else 'add'), + 'path': '/metadata/annotations/' + (vm_storage_labeling_annotation.key | regex_replace('/', '~1')), + 'value': vm_storage_labeling_annotation.value + } + ] }} + loop: "{{ vm_storage_labeling_current_request.annotations | dict2items }}" + loop_control: + loop_var: vm_storage_labeling_annotation + label: "{{ vm_storage_labeling_annotation.key }}" + +- name: _apply_metadata | Apply Patch to PersistentVolumeClaim + when: vm_storage_labeling_patch | length > 0 + no_log: true + kubernetes.core.k8s_json_patch: + api_key: "{{ vm_storage_labeling_api_key }}" + host: "{{ vm_storage_labeling_openshift_host }}" + api_version: v1 + kind: 
PersistentVolumeClaim + namespace: "{{ vm_storage_labeling_volume.metadata.namespace }}" + name: "{{ vm_storage_labeling_volume.metadata.name }}" + validate_certs: "{{ vm_storage_labeling_openshift_verify_ssl }}" + patch: "{{ vm_storage_labeling_patch }}" + register: vm_storage_labeling_patch_result + +- name: _apply_metadata | Apply Patch to DataVolume + when: + - vm_storage_labeling_patch | length > 0 + - vm_storage_labeling_volume.metadata.ownerReferences | default([]) + | selectattr('kind', 'equalto', 'DataVolume') | list | length > 0 + no_log: true + kubernetes.core.k8s_json_patch: + api_key: "{{ vm_storage_labeling_api_key }}" + host: "{{ vm_storage_labeling_openshift_host }}" + api_version: cdi.kubevirt.io/v1beta1 + kind: DataVolume + namespace: "{{ vm_storage_labeling_volume.metadata.namespace }}" + name: "{{ vm_storage_labeling_volume.metadata.name }}" + validate_certs: "{{ vm_storage_labeling_openshift_verify_ssl }}" + patch: "{{ vm_storage_labeling_patch }}" + register: vm_storage_labeling_dv_patch_result + failed_when: false + +... diff --git a/roles/vm_storage_labeling/tasks/_process_request.yml b/roles/vm_storage_labeling/tasks/_process_request.yml new file mode 100644 index 0000000..68e10bb --- /dev/null +++ b/roles/vm_storage_labeling/tasks/_process_request.yml 
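Review bot: A JSON Patch `add` at `/metadata/labels/<key>` fails when the volume has no `metadata.labels` map at all, because RFC 6902 requires the parent of the target path to exist; the op builder only decides between `add` and `replace` for the key and never creates the map, so the first label applied to an unlabeled PVC errors out (annotations have the same gap). Prepend an op that creates the map when it is absent, as below. The DataVolume patch reuses the op list computed against the PVC's labels, so a `replace` can target a key the DataVolume does not carry, and `failed_when: false` together with `no_log: true` then hides that the DataVolume was never updated; it would be safer to compute the ops per target, take the DataVolume name from the matching ownerReference's `.name` rather than assuming it equals the PVC name, and replace `failed_when: false` with a condition on the specific error you mean to tolerate.
```yaml
- name: _apply_metadata | Ensure Labels Map Exists on Volume
  when:
    - vm_storage_labeling_current_request.labels | default({}, true) | length > 0
    - vm_storage_labeling_volume.metadata.labels is not defined
  ansible.builtin.set_fact:
    vm_storage_labeling_patch: "{{ vm_storage_labeling_patch + [{'op': 'add', 'path': '/metadata/labels', 'value': {}}] }}"

# … unchanged: Build Label Patch Operations …

- name: _apply_metadata | Ensure Annotations Map Exists on Volume
  when:
    - vm_storage_labeling_current_request.annotations | default({}, true) | length > 0
    - vm_storage_labeling_volume.metadata.annotations is not defined
  ansible.builtin.set_fact:
    vm_storage_labeling_patch: "{{ vm_storage_labeling_patch + [{'op': 'add', 'path': '/metadata/annotations', 'value': {}}] }}"

# … unchanged: Build Annotation Patch Operations, Apply Patch to PersistentVolumeClaim, Apply Patch to DataVolume …
```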
@@ -0,0 +1,86 @@ +--- + +- name: _process_request | Query PVCs by Name + when: vm_storage_labeling_current_request.names | default([], true) | length > 0 + no_log: true + kubernetes.core.k8s_info: + api_key: "{{ vm_storage_labeling_api_key }}" + host: "{{ vm_storage_labeling_openshift_host }}" + api_version: v1 + kind: PersistentVolumeClaim + namespace: "{{ vm_storage_labeling_current_request.namespace | default(omit) }}" + name: "{{ vm_storage_labeling_pvc_name }}" + validate_certs: "{{ vm_storage_labeling_openshift_verify_ssl }}" + register: vm_storage_labeling_pvc_by_name + loop: "{{ vm_storage_labeling_current_request.names }}" + loop_control: + loop_var: vm_storage_labeling_pvc_name + label: "{{ vm_storage_labeling_pvc_name }}" + +- name: _process_request | Query PVCs by Label Selector + when: vm_storage_labeling_current_request.label_selectors | default([], true) | length > 0 + no_log: true + kubernetes.core.k8s_info: + api_key: "{{ vm_storage_labeling_api_key }}" + host: "{{ vm_storage_labeling_openshift_host }}" + api_version: v1 + kind: PersistentVolumeClaim + namespace: "{{ vm_storage_labeling_current_request.namespace | default(omit) }}" + label_selectors: "{{ vm_storage_labeling_current_request.label_selectors }}" + validate_certs: "{{ vm_storage_labeling_openshift_verify_ssl }}" + register: vm_storage_labeling_pvc_by_selector + +- name: _process_request | Query All PVCs in Namespace + when: + - vm_storage_labeling_current_request.names | default([], true) | length == 0 + - vm_storage_labeling_current_request.label_selectors | default([], true) | length == 0 + no_log: true + kubernetes.core.k8s_info: + api_key: "{{ vm_storage_labeling_api_key }}" + host: "{{ vm_storage_labeling_openshift_host }}" + api_version: v1 + kind: PersistentVolumeClaim + namespace: "{{ vm_storage_labeling_current_request.namespace | default(omit) }}" + validate_certs: "{{ vm_storage_labeling_openshift_verify_ssl }}" + register: vm_storage_labeling_pvc_all + +- name: 
_process_request | Build Volume List from Named PVCs + when: vm_storage_labeling_pvc_by_name is not skipped + ansible.builtin.set_fact: + vm_storage_labeling_volumes: >- + {{ vm_storage_labeling_pvc_by_name.results + | selectattr('resources', 'defined') + | map(attribute='resources') + | flatten }} + +- name: _process_request | Build Volume List from Selector PVCs + when: vm_storage_labeling_pvc_by_selector is not skipped + ansible.builtin.set_fact: + vm_storage_labeling_volumes: "{{ vm_storage_labeling_pvc_by_selector.resources | default([]) }}" + +- name: _process_request | Build Volume List from All PVCs + when: vm_storage_labeling_pvc_all is not skipped + ansible.builtin.set_fact: + vm_storage_labeling_volumes: "{{ vm_storage_labeling_pvc_all.resources | default([]) }}" + +- name: _process_request | Verify Volumes Found + ansible.builtin.assert: + that: + - vm_storage_labeling_volumes | default([], true) | length > 0 + fail_msg: >- + No PersistentVolumeClaims found in + {{ vm_storage_labeling_current_request.namespace | default('all namespaces') }} + matching the provided criteria + quiet: true + +- name: _process_request | Apply Labels and Annotations to Volumes + ansible.builtin.include_tasks: + file: _apply_metadata.yml + loop: "{{ vm_storage_labeling_volumes }}" + loop_control: + loop_var: vm_storage_labeling_volume + label: >- + Namespace: {{ vm_storage_labeling_volume.metadata.namespace }} + - Name: {{ vm_storage_labeling_volume.metadata.name }} + +... diff --git a/roles/vm_storage_labeling/tasks/main.yml b/roles/vm_storage_labeling/tasks/main.yml new file mode 100644 index 0000000..5b2b0f0 --- /dev/null +++ b/roles/vm_storage_labeling/tasks/main.yml 
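Review bot: `loop: "{{ vm_storage_labeling_current_request.names }}"` on the first task is evaluated before its `when`, so a request that only carries `label_selectors` (or neither key) fails with an undefined-attribute error instead of being skipped; use `loop: "{{ vm_storage_labeling_current_request.names | default([], true) }}"` so the empty loop yields the skipped result that the later `is not skipped` check relies on. Separately, nothing prevents a request from carrying both `names` and `label_selectors`: both queries run and the selector result silently overwrites `vm_storage_labeling_volumes`, even though defaults/main.yml documents the two as mutually exclusive; tasks/main.yml is the place to reject that combination.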
@@ -0,0 +1,45 @@ +--- + +- name: Verify vm_storage_labeling_request Variable Provided + ansible.builtin.assert: + that: + - vm_storage_labeling_request | default("", true) | length > 0 + fail_msg: "'vm_storage_labeling_request' Variable Not Provided" + quiet: true + +- name: Verify Namespace Provided When Names Specified + ansible.builtin.assert: + that: + - "'namespace' in vm_storage_labeling_item" + fail_msg: "Must provide a namespace when 'names' are specified" + quiet: true + loop: "{{ vm_storage_labeling_request }}" + loop_control: + loop_var: vm_storage_labeling_item + label: "{{ vm_storage_labeling_item.namespace | default('all-namespaces') }}" + when: vm_storage_labeling_item.names | default([], true) | length > 0 + +- name: Verify Labels or Annotations Provided + ansible.builtin.assert: + that: + - >- + (vm_storage_labeling_item.labels | default({}, true) | length > 0) or + (vm_storage_labeling_item.annotations | default({}, true) | length > 0) + fail_msg: >- + Either 'labels' or 'annotations' must be provided for + namespace '{{ vm_storage_labeling_item.namespace }}' + quiet: true + loop: "{{ vm_storage_labeling_request }}" + loop_control: + loop_var: vm_storage_labeling_item + label: "{{ vm_storage_labeling_item.namespace | default('all-namespaces') }}" + +- name: Process Storage Volume Labeling Request + ansible.builtin.include_tasks: + file: _process_request.yml + loop: "{{ vm_storage_labeling_request }}" + loop_control: + loop_var: vm_storage_labeling_current_request + label: "{{ vm_storage_labeling_current_request.namespace | default('all-namespaces') }}" + +... diff --git a/roles/vm_storage_labeling/tests/inventory b/roles/vm_storage_labeling/tests/inventory new file mode 100644 index 0000000..2fbb50c --- /dev/null +++ b/roles/vm_storage_labeling/tests/inventory @@ -0,0 +1 @@ +localhost diff --git a/roles/vm_storage_labeling/tests/test.yml b/roles/vm_storage_labeling/tests/test.yml new file mode 100644 index 0000000..fc12bcc --- /dev/null 
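Review bot: The validation block enforces the namespace-with-names rule but not the `names`/`label_selectors` exclusion that defaults/main.yml documents, so a request carrying both passes validation and is processed ambiguously downstream; an assert like the one below closes that. In "Verify Labels or Annotations Provided", `fail_msg` reads `vm_storage_labeling_item.namespace` without a default, so for a request without a namespace the failure message itself raises an undefined-variable error instead of the intended text; use `namespace '{{ vm_storage_labeling_item.namespace | default('all-namespaces') }}'` as the loop label already does.
```yaml
- name: Verify Names and Label Selectors Are Not Combined
  ansible.builtin.assert:
    that:
      - >-
        not ((vm_storage_labeling_item.names | default([], true) | length > 0) and
             (vm_storage_labeling_item.label_selectors | default([], true) | length > 0))
    fail_msg: "'names' and 'label_selectors' cannot be combined in the same request"
    quiet: true
  loop: "{{ vm_storage_labeling_request }}"
  loop_control:
    loop_var: vm_storage_labeling_item
    label: "{{ vm_storage_labeling_item.namespace | default('all-namespaces') }}"

# … unchanged: Verify Labels or Annotations Provided, Process Storage Volume Labeling Request …
```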
+++ b/roles/vm_storage_labeling/tests/test.yml @@ -0,0 +1,7 @@ +--- +- name: Test + hosts: localhost + remote_user: root + roles: + - vm_storage_labeling +...
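Review bot: The test playbook applies the role without a `vm_storage_labeling_request`, so the first assert in tasks/main.yml fails immediately and the file cannot serve as a smoke test; give it a minimal request under `vars:` or note in a comment that it is scaffold only. `remote_user: root` is unnecessary for `hosts: localhost`, and the playbook omits the `connection: local` and `gather_facts: false` that playbooks/vm_storage_labeling.yml sets, so it should at least mirror that play header.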