feat: add audit event_query support

CHANGELOG.md

@@ -1,5 +1,14 @@
 # CHANGELOG
 
+## v1.0.4 (2026-05-18)
+
+### Security
+
+- Change SSL verify default from `false` to `true` in all 5 playbooks
+- Add `no_log: true` to all tasks that handle `api_key` or Bearer tokens
+  across vm_backup_restore, vm_hot_plug, vm_lifecycle, vm_collect, and
+  vm_storage_labeling roles
+
 ## v1.0.3 (2026-05-05)
 
 ### Bug Fixes

extensions/audit/event_query.yml

@@ -0,0 +1,118 @@
+---
+infra.openshift_virtualization_ops.*:
+  query: >-
+    (
+      {
+        "virtualmachine": "Virtual Machine",
+        "virtualmachineinstance": "VM Instance",
+        "backup": "VM Backup",
+        "restore": "VM Restore",
+        "snapshot": "VM Snapshot",
+        "datavolumetemplate": "Data Volume",
+        "network": "VM Network",
+        "storage": "VM Storage",
+        "migration": "Live Migration"
+      } as $mapping |
+      (.vm // .resources // .) |
+      (if type=="array" then .[] else if type=="object" then . else empty end end) as $data |
+      select($data.metadata != null or $data.name != null) |
+      (
+        if $data | has("kind") then
+          (
+            if $data.kind == "VirtualMachine" then "virtualmachine"
+            elif $data.kind == "VirtualMachineInstance" then "virtualmachineinstance"
+            elif $data.kind == "VirtualMachineInstanceMigration" then "migration"
+            elif $data.kind | test("Backup") then "backup"
+            elif $data.kind | test("Restore") then "restore"
+            elif $data.kind | test("Snapshot") then "snapshot"
+            elif $data.kind | test("DataVolume") then "datavolumetemplate"
+            elif $data.kind | test("NetworkAttachmentDefinition") then "network"
+            elif $data.kind | test("PersistentVolumeClaim") then "storage"
+            else "unknown"
+            end
+          )
+        elif $data.metadata.labels then
+          (
+            if $data.metadata.labels | has("kubevirt.io/vm") then "virtualmachine"
+            elif $data.metadata.labels | has("vm.kubevirt.io/name") then "virtualmachineinstance"
+            else "unknown"
+            end
+          )
+        else "unknown"
+        end
+      ) as $node_type |
+      (
+        if $node_type == "virtualmachine" or $node_type == "virtualmachineinstance" then
+          (
+            if $data.status.printableStatus then $data.status.printableStatus
+            else "vm"
+            end
+          )
+        elif $node_type == "migration" then "live-migration"
+        elif $node_type == "backup" then "backup"
+        elif $node_type == "restore" then "restore"
+        elif $node_type == "snapshot" then "snapshot"
+        elif $node_type == "datavolumetemplate" then "volume"
+        elif $node_type == "network" then "network"
+        elif $node_type == "storage" then "disk"
+        else "unknown"
+        end
+      ) as $sub_node_type |
+      {
+        name: (
+          if $data.metadata then ($data.metadata.name // $data.metadata.uid)
+          else ($data.name // "UNKNOWN")
+          end
+        ),
+        canonical_facts: {
+          name: (
+            if $data.metadata then ($data.metadata.name // "UNKNOWN")
+            else ($data.name // "UNKNOWN")
+            end
+          ),
+          id: (
+            if $data.metadata then ($data.metadata.uid // $data.metadata.name)
+            else ($data.id // $data.name)
+            end
+          ),
+          node_type: $node_type
+        },
+        facts: {
+          infra_type: "openshift_virtualization",
+          infra_bucket: ($mapping[$node_type] // "UNKNOWN"),
+          device_type: $sub_node_type,
+          namespace: (
+            if $data.metadata then ($data.metadata.namespace // "")
+            else ""
+            end
+          ),
+          status: (
+            if $data.status then
+              (
+                if $data.status.printableStatus then $data.status.printableStatus
+                elif $data.status.phase then $data.status.phase
+                elif $data.status.conditions then
+                  (
+                    $data.status.conditions |
+                    map(select(.status == "True")) |
+                    .[0].type // "unknown"
+                  )
+                else "unknown"
+                end
+              )
+            else "unknown"
+            end
+          ),
+          operation: (
+            if $data.operation then $data.operation
+            else ""
+            end
+          ),
+          labels: (
+            if $data.metadata and $data.metadata.labels then $data.metadata.labels
+            else {}
+            end
+          )
+        }
+      }
+    )

playbooks/vm_backup.yml

@@ -12,5 +12,5 @@
       vars:
         openshift_host: "{{ lookup('ansible.builtin.env', 'K8S_AUTH_HOST', default=Undefined) | default('', True) }}"
         openshift_api_key: "{{ lookup('ansible.builtin.env', 'K8S_AUTH_API_KEY', default=Undefined) | default('', True) }}" # noqa: yaml[line-length]
-        openshift_verify_ssl: "{{ lookup('ansible.builtin.env', 'K8S_AUTH_VERIFY_SSL', default='') | default(false) | bool }}" # noqa: yaml[line-length]
+        openshift_verify_ssl: "{{ lookup('ansible.builtin.env', 'K8S_AUTH_VERIFY_SSL', default='') | default(true) | bool }}" # noqa: yaml[line-length]
 ...

playbooks/vm_hot_plug.yml

@@ -11,5 +11,5 @@
       vars:
         openshift_host: "{{ lookup('ansible.builtin.env', 'K8S_AUTH_HOST', default=Undefined) | default('', True) }}"
         openshift_api_key: "{{ lookup('ansible.builtin.env', 'K8S_AUTH_API_KEY', default=Undefined) | default('', True) }}" # noqa: yaml[line-length]
-        openshift_verify_ssl: "{{ lookup('ansible.builtin.env', 'K8S_AUTH_VERIFY_SSL', default='') | default(false) | bool }}" # noqa: yaml[line-length]
+        openshift_verify_ssl: "{{ lookup('ansible.builtin.env', 'K8S_AUTH_VERIFY_SSL', default='') | default(true) | bool }}" # noqa: yaml[line-length]
 ...

playbooks/vm_operations.yml

@@ -11,5 +11,5 @@
       vars:
         openshift_host: "{{ lookup('ansible.builtin.env', 'K8S_AUTH_HOST', default=Undefined) | default('', True) }}"
         openshift_api_key: "{{ lookup('ansible.builtin.env', 'K8S_AUTH_API_KEY', default=Undefined) | default('', True) }}" # noqa: yaml[line-length]
-        openshift_verify_ssl: "{{ lookup('ansible.builtin.env', 'K8S_AUTH_VERIFY_SSL', default='') | default(false) | bool }}" # noqa: yaml[line-length]
+        openshift_verify_ssl: "{{ lookup('ansible.builtin.env', 'K8S_AUTH_VERIFY_SSL', default='') | default(true) | bool }}" # noqa: yaml[line-length]
 ...

playbooks/vm_restore.yml

@@ -12,5 +12,5 @@
       vars:
         openshift_host: "{{ lookup('ansible.builtin.env', 'K8S_AUTH_HOST', default=Undefined) | default('', True) }}"
         openshift_api_key: "{{ lookup('ansible.builtin.env', 'K8S_AUTH_API_KEY', default=Undefined) | default('', True) }}" # noqa: yaml[line-length]
-        openshift_verify_ssl: "{{ lookup('ansible.builtin.env', 'K8S_AUTH_VERIFY_SSL', default='') | default(false) | bool }}" # noqa: yaml[line-length]
+        openshift_verify_ssl: "{{ lookup('ansible.builtin.env', 'K8S_AUTH_VERIFY_SSL', default='') | default(true) | bool }}" # noqa: yaml[line-length]
 ...

playbooks/vm_storage_labeling.yml

@@ -0,0 +1,15 @@
+---
+
+- name: VM Storage Volume Labeling
+  hosts: localhost
+  connection: local
+  gather_facts: false
+  tasks:
+    - name: Invoke VM Storage Volume Labeling
+      ansible.builtin.include_role:
+        name: infra.openshift_virtualization_ops.vm_storage_labeling
+      vars:
+        openshift_host: "{{ lookup('ansible.builtin.env', 'K8S_AUTH_HOST', default=Undefined) | default('', True) }}"
+        openshift_api_key: "{{ lookup('ansible.builtin.env', 'K8S_AUTH_API_KEY', default=Undefined) | default('', True) }}" # noqa: yaml[line-length]
+        openshift_verify_ssl: "{{ lookup('ansible.builtin.env', 'K8S_AUTH_VERIFY_SSL', default='') | default(true) | bool }}" # noqa: yaml[line-length]
+...

roles/vm_backup_restore/tasks/_restore_vm.yml

@@ -1,6 +1,7 @@
 ---
 
 - name: _restore_vm | Stop Virtual Machine
+  no_log: true
   redhat.openshift_virtualization.kubevirt_vm:
     api_key: "{{ vm_backup_restore_openshift_api_key }}"
     host: "{{ vm_backup_restore_openshift_host }}"
@@ -12,6 +13,7 @@
     wait_timeout: "{{ vm_backup_restore_vm_wait_timeout }}"
 
 - name: _restore_vm | Create Restore
+  no_log: true
   redhat.openshift.k8s:
     state: present
     api_key: "{{ vm_backup_restore_openshift_api_key }}"
@@ -41,6 +43,7 @@
       type: Ready
 
 - name: _restore_vm | Start Virtual Machine
+  no_log: true
   redhat.openshift_virtualization.kubevirt_vm:
     api_key: "{{ vm_backup_restore_openshift_api_key }}"
     host: "{{ vm_backup_restore_openshift_host }}"

roles/vm_backup_restore/tasks/_snapshot_vm.yml

@@ -1,6 +1,7 @@
 ---
 
 - name: _snapshot_vm | Create Snapshot
+  no_log: true
   redhat.openshift.k8s:
     state: present
     api_key: "{{ vm_backup_restore_openshift_api_key }}"

roles/vm_collect/tasks/main.yml

@@ -25,6 +25,7 @@
   when: "'label_selectors' not in vm_collect_request_instance"
   block:
     - name: "Query Without Label Selector {{ vm_collect_obj | default(vm_collect_obj_default_kind) }}"
+      no_log: true
       kubernetes.core.k8s_info:
         api_key: "{{ vm_collect_openshift_api_key }}"
         host: "{{ vm_collect_openshift_host }}"
@@ -49,6 +50,7 @@
   when: "'label_selectors' in vm_collect_request_instance"
   block:
     - name: "Query (With Label Selector) - {{ vm_collect_obj | default(vm_collect_obj_default_kind) }}"
+      no_log: true
       kubernetes.core.k8s_info:
         api_key: "{{ vm_collect_openshift_api_key }}"
         host: "{{ vm_collect_openshift_host }}"

roles/vm_hot_plug/tasks/_compute.yml

@@ -20,6 +20,7 @@
     quiet: true
 
 - name: _compute | Patch VM with Compute Modifications
+  no_log: true
   kubernetes.core.k8s_json_patch:
     api_key: "{{ vm_hot_plug_api_key }}"
     host: "{{ vm_hot_plug_openshift_host }}"

roles/vm_hot_plug/tasks/_process_vm.yml

@@ -14,6 +14,7 @@
   when: "'restartIfRequired' in vm_hot_plug_vm and vm_hot_plug_vm.restartIfRequired | bool"
   block:
     - name: _process_vm | Query VM for Updated Configuration
+      no_log: true
       kubernetes.core.k8s_info:
         api_key: "{{ vm_hot_plug_api_key }}"
         host: "{{ vm_hot_plug_openshift_host }}"

roles/vm_hot_plug/tasks/_storage.yml

@@ -19,6 +19,7 @@
       default([]) |
       selectattr('name', 'equalto', vm_hot_plug_storage_instance.name) | list | length == 0
     )
+  no_log: true
   ansible.builtin.uri:
     url:
       "{{ vm_hot_plug_openshift_host }}/apis/subresources.{{ vm_hot_plug_kubevirt_api_version }}\

roles/vm_lifecycle/tasks/_collect_vms.yml

@@ -20,6 +20,7 @@
   when: "'label_selectors' not in vm_operations_request_instance"
   block:
     - name: "_collect_vms | Query VM's (Without Label Selector)"
+      no_log: true
       kubernetes.core.k8s_info:
         api_key: "{{ vm_lifecycle_openshift_api_key }}"
         host: "{{ vm_lifecycle_openshift_host }}"
@@ -45,6 +46,7 @@
   when: "'label_selectors' in vm_operations_request_instance"
   block:
     - name: "_collect_vms | Query VM's (With Label Selector)"
+      no_log: true
       kubernetes.core.k8s_info:
         api_key: "{{ vm_lifecycle_openshift_api_key }}"
         host: "{{ vm_lifecycle_openshift_host }}"

roles/vm_lifecycle/tasks/_perform_operation.yml

@@ -1,6 +1,7 @@
 ---
 
 - name: _perform_operation | Perform VM Operation
+  no_log: true
   ansible.builtin.uri:
     url: "{{ vm_lifecycle_openshift_host }}/apis/subresources.{{ vm_lifecycle_kubevirt_api_version }}/namespaces/{{ vm_operations_vm.vm.metadata.namespace }}/virtualmachines/{{ vm_operations_vm.vm.metadata.name }}/{{ vm_lifecycle_valid_vm_operations[vm_operations_vm['operation']].endpoint }}" # noqa: yaml[line-length]
     validate_certs: "{{ vm_lifecycle_openshift_verify_ssl }}"

roles/vm_lifecycle/tasks/_verify_operation.yml

@@ -1,6 +1,7 @@
 ---
 
 - name: _verify_operation | Verify VMs
+  no_log: true
   kubernetes.core.k8s_info:
     api_key: "{{ vm_lifecycle_openshift_api_key }}"
     host: "{{ vm_lifecycle_openshift_host }}"

roles/vm_storage_labeling/README.md

@@ -0,0 +1,17 @@
+# vm_storage_labeling
+
+Add labels, annotations, and descriptive names to storage volumes (PVCs and DataVolumes) in OpenShift Virtualization.
+
+## Requirements
+
+- `redhat.openshift_virtualization` collection
+- `kubernetes.core` collection
+- OpenShift cluster with Virtualization operator installed
+
+## Role Variables
+
+See `defaults/main.yml` for available variables.
+
+## License
+
+Apache-2.0

roles/vm_storage_labeling/defaults/main.yml

@@ -0,0 +1,33 @@
+---
+# defaults file for vm_storage_labeling
+
+# title: Storage Volume Labeling Request
+# required: True
+# description: List of Storage Volume Labeling Requests
+vm_storage_labeling_request: []
+# -  namespace: <namespace> # Namespace to scope volumes. \
+#      Required when names are specified. Omit to query all namespaces.
+#    names: # List of PVC/DataVolume names within a namespace. \
+#      Requires namespace. Optional when using label_selectors.
+#    label_selectors: # Label selectors to match volumes. \
+#      Cannot be used with list of volume names.
+#      - <key>=<value>
+#    labels: # Labels to apply to matched volumes.
+#      <key>: <value>
+#    annotations: # Annotations to apply to matched volumes.
+#      <key>: <value>
+
+# title: OpenShift Host
+# required: True
+# description: OpenShift Host
+vm_storage_labeling_openshift_host: "{{ openshift_host }}"
+# title: OpenShift API Key
+# required: True
+# description: OpenShift API Key
+vm_storage_labeling_api_key: "{{ openshift_api_key }}"
+# title: Verify SSL Certificate
+# required: True
+# description: Verify SSL Certificate
+vm_storage_labeling_openshift_verify_ssl: "{{ openshift_verify_ssl }}"
+
+...

roles/vm_storage_labeling/meta/main.yml

@@ -0,0 +1,10 @@
+---
+galaxy_info:
+  author: ""
+  description: Add labels, annotations, and descriptive names to storage volumes (PVCs and DataVolumes).
+  company: Red Hat
+  license: GPL-3.0-only
+  min_ansible_version: 2.15.0
+  galaxy_tags: []
+dependencies: []
+...