Extend the CI pipeline with bandit, safety and pdm check

These 3 tools have been added to the tox CI pipeline and bunch of yaml lint violation have been fixed.
redhat-openshift-ecosystem · Aug 28, 2023 · 704eb70 · 704eb70
1 parent 9c7e08e
commit 704eb70
Show file tree

Hide file tree

Showing 32 changed files with 944 additions and 528 deletions.
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -1,3 +1,4 @@
+---
 repos:
   - repo: https://github.com/zricethezav/gitleaks
     rev: v8.16.0

diff --git a/.yamllint b/.yamllint
@@ -5,3 +5,10 @@ rules:
   line-length:
     level: warning
     max: 180
+  document-start:
+    level: error
+
+ignore:
+  - .tox/
+  - ansible/vaults/
+  - .venv
diff --git a/ansible/inventory/group_vars/clusters.yml b/ansible/inventory/group_vars/clusters.yml
@@ -1,3 +1,4 @@
+---
 ansible_connection: local
 
 # Index signature verification vars

diff --git a/ansible/inventory/host_vars/crc-cluster.yml b/ansible/inventory/host_vars/crc-cluster.yml
@@ -1 +1,2 @@
+---
 ocp_host: https://api.crc.testing:6443
diff --git a/ansible/inventory/host_vars/prod-cluster.yml b/ansible/inventory/host_vars/prod-cluster.yml
@@ -1 +1,2 @@
+---
 ocp_host: https://api.pipelines-prod.ijdb.p1.openshiftapps.com:6443
diff --git a/ansible/inventory/host_vars/stage-cluster.yml b/ansible/inventory/host_vars/stage-cluster.yml
@@ -1 +1,2 @@
+---
 ocp_host: https://api.pipelines-stage.0ce8.p1.openshiftapps.com:6443
diff --git a/ansible/roles/config-ocp-cluster/defaults/main.yml b/ansible/roles/config-ocp-cluster/defaults/main.yml
@@ -1,2 +1,3 @@
-k8s_validate_certs: yes
+---
+k8s_validate_certs: true
 pipelinerun_listener_namespace: pipelinerun-listener
diff --git a/ansible/roles/config-ocp-cluster/tasks/main.yml b/ansible/roles/config-ocp-cluster/tasks/main.yml
@@ -1,3 +1,4 @@
+---
 - name: Customize TektonConfig
   k8s:
     state: present

diff --git a/ansible/roles/config-ocp-cluster/tasks/pipelinerun-listener.yml b/ansible/roles/config-ocp-cluster/tasks/pipelinerun-listener.yml
@@ -1,11 +1,12 @@
+---
 - name: Create PipelineRun listener resources
   tags:
     - pipelinerun-listener
   block:
     - name: Create Namespace
       k8s:
         state: present
-        apply: yes
+        apply: true
         validate_certs: "{{ k8s_validate_certs }}"
         definition:
           kind: Namespace
@@ -20,18 +21,18 @@
     - name: Create Tasks
       k8s:
         state: present
-        apply: yes
+        apply: true
         validate_certs: "{{ k8s_validate_certs }}"
         namespace: "{{ pipelinerun_listener_namespace }}"
         definition: "{{ lookup('file', '{{ item }}') }}"
       with_fileglob:
         - ../files/tasks/*
 
     - name: Create Google Chat webhook Secret
-      no_log: yes
+      no_log: true
       k8s:
         state: present
-        force: yes
+        force: true
         validate_certs: "{{ k8s_validate_certs }}"
         namespace: "{{ pipelinerun_listener_namespace }}"
         definition:
@@ -46,7 +47,7 @@
     - name: Create TriggerBinding
       k8s:
         state: present
-        apply: yes
+        apply: true
         namespace: "{{ pipelinerun_listener_namespace }}"
         validate_certs: "{{ k8s_validate_certs }}"
         definition:
@@ -66,7 +67,7 @@
     - name: Create TriggerTemplate
       k8s:
         state: present
-        apply: yes
+        apply: true
         namespace: "{{ pipelinerun_listener_namespace }}"
         validate_certs: "{{ k8s_validate_certs }}"
         definition:
@@ -102,7 +103,7 @@
     - name: Create EventListener
       k8s:
         state: present
-        apply: yes
+        apply: true
         namespace: "{{ pipelinerun_listener_namespace }}"
         validate_certs: "{{ k8s_validate_certs }}"
         definition:
@@ -135,7 +136,7 @@
     - name: Create ClusterRoleBinding
       k8s:
         state: present
-        apply: yes
+        apply: true
         namespace: "{{ pipelinerun_listener_namespace }}"
         validate_certs: "{{ k8s_validate_certs }}"
         definition:

diff --git a/ansible/roles/index-signature-verification/defaults/main.yml b/ansible/roles/index-signature-verification/defaults/main.yml
@@ -1,2 +1,3 @@
-k8s_validate_certs: yes
+---
+k8s_validate_certs: true
 k8s_namespace: index-signature-verification
diff --git a/...les/index-signature-verification/files/configmaps/index-signature-verification-config.yml b/...les/index-signature-verification/files/configmaps/index-signature-verification-config.yml
@@ -1,3 +1,4 @@
+---
 apiVersion: v1
 kind: ConfigMap
 metadata:

diff --git a/ansible/roles/index-signature-verification/tasks/main.yml b/ansible/roles/index-signature-verification/tasks/main.yml
@@ -1,7 +1,8 @@
+---
 - name: Create Namespace
   k8s:
     state: present
-    apply: yes
+    apply: true
     validate_certs: "{{ k8s_validate_certs }}"
     definition:
       kind: Namespace
@@ -12,7 +13,7 @@
 - name: Create ConfigMaps
   k8s:
     state: present
-    apply: yes
+    apply: true
     validate_certs: "{{ k8s_validate_certs }}"
     namespace: "{{ k8s_namespace }}"
     definition: "{{ lookup('file', '{{ item }}') }}"
@@ -22,7 +23,7 @@
 - name: Create Tasks
   k8s:
     state: present
-    apply: yes
+    apply: true
     validate_certs: "{{ k8s_validate_certs }}"
     namespace: "{{ k8s_namespace }}"
     definition: "{{ lookup('file', '{{ item }}') }}"
@@ -32,7 +33,7 @@
 - name: Create Pipelines
   k8s:
     state: present
-    apply: yes
+    apply: true
     validate_certs: "{{ k8s_validate_certs }}"
     namespace: "{{ k8s_namespace }}"
     definition: "{{ lookup('file', '{{ item }}') }}"
@@ -42,7 +43,7 @@
 - name: Create EventListener
   k8s:
     state: present
-    apply: yes
+    apply: true
     validate_certs: "{{ k8s_validate_certs }}"
     namespace: "{{ k8s_namespace }}"
     definition:
@@ -61,7 +62,7 @@
 - name: Create TriggerBinding
   k8s:
     state: present
-    apply: yes
+    apply: true
     validate_certs: "{{ k8s_validate_certs }}"
     namespace: "{{ k8s_namespace }}"
     definition:
@@ -73,7 +74,7 @@
 - name: Create TriggerTemplate
   k8s:
     state: present
-    apply: yes
+    apply: true
     validate_certs: "{{ k8s_validate_certs }}"
     namespace: "{{ k8s_namespace }}"
     definition:
@@ -97,10 +98,10 @@
                     secretName: registry-auth-secret
 
 - name: Create registry auth Secret
-  no_log: yes
+  no_log: true
   k8s:
     state: present
-    force: yes
+    force: true
     validate_certs: "{{ k8s_validate_certs }}"
     namespace: "{{ k8s_namespace }}"
     definition:
@@ -115,7 +116,7 @@
 - name: Create CronJob
   k8s:
     state: present
-    apply: yes
+    apply: true
     validate_certs: "{{ k8s_validate_certs }}"
     namespace: "{{ k8s_namespace }}"
     definition:

diff --git a/ansible/roles/integration-tests/tasks/tools.yml b/ansible/roles/integration-tests/tasks/tools.yml
@@ -12,6 +12,6 @@
       unarchive:
         src: https://mirror.openshift.com/pub/openshift-v4/clients/pipeline/0.17.2/tkn-linux-amd64-0.17.2.tar.gz
         dest: "{{ temp_tools_dir.path }}"
-        remote_src: yes
+        remote_src: true
         include:
           - tkn
diff --git a/ansible/roles/nginx-proxy/tasks/main.yml b/ansible/roles/nginx-proxy/tasks/main.yml
@@ -5,7 +5,7 @@
 - name: Create nginx config
   k8s:
     state: present
-    apply: yes
+    apply: true
     namespace: "{{ oc_namespace }}"
     definition: "{{ lookup('template', '{{ item }}') }}"
   with_items:
@@ -14,7 +14,7 @@
 - name: Deploy nginx
   k8s:
     state: present
-    apply: yes
+    apply: true
     namespace: "{{ oc_namespace }}"
     definition: "{{ lookup('template', '{{ item }}') }}"
   with_items:
@@ -24,7 +24,7 @@
 - name: Create service
   k8s:
     state: present
-    apply: yes
+    apply: true
     namespace: "{{ oc_namespace }}"
     definition: "{{ lookup('template', '{{ item }}') }}"
   with_items:
@@ -33,7 +33,7 @@
 - name: Create route
   k8s:
     state: present
-    apply: yes
+    apply: true
     namespace: "{{ oc_namespace }}"
     definition: "{{ lookup('template', '{{ item }}') }}"
   with_items:

diff --git a/ansible/roles/nginx-proxy/tasks/secrets.yml b/ansible/roles/nginx-proxy/tasks/secrets.yml
@@ -1,11 +1,11 @@
 ---
 - name: Create htpasswd nginx secret file
-  no_log: yes
+  no_log: true
   tags:
     - secrets
   k8s:
     state: present
-    force: yes
+    force: true
     namespace: "{{ oc_namespace }}"
     definition:
       apiVersion: v1

diff --git a/ansible/roles/nginx-proxy/templates/openshift/nginx-deployment.yml b/ansible/roles/nginx-proxy/templates/openshift/nginx-deployment.yml
@@ -40,21 +40,21 @@ spec:
           args:
             - 'nginx -g "daemon off;error_log /dev/stdout debug;" -c /etc/nginx/nginx-config/nginx.conf'
           ports:
-            - containerPort: {{ nginx_port | int }} # yamllint disable-line rule:braces
+            - containerPort: {{ nginx_port | int }}  # yamllint disable-line rule:braces
               protocol: TCP
           livenessProbe:
             failureThreshold: 3
             httpGet:
               path: /_proxy/ping
-              port: {{ nginx_port | int }} # yamllint disable-line rule:braces
+              port: {{ nginx_port | int }}  # yamllint disable-line rule:braces
             initialDelaySeconds: 60
             periodSeconds: 30
             successThreshold: 1
             timeoutSeconds: 10
           readinessProbe:
             httpGet:
               path: /_proxy/ping
-              port: {{ nginx_port | int }} # yamllint disable-line rule:braces
+              port: {{ nginx_port | int }}  # yamllint disable-line rule:braces
             initialDelaySeconds: 15
             timeoutSeconds: 20
           volumeMounts:

diff --git a/ansible/roles/nginx-proxy/templates/openshift/nginx-service.yml b/ansible/roles/nginx-proxy/templates/openshift/nginx-service.yml
@@ -11,7 +11,7 @@ spec:
   ports:
     - name: http
       port: 80
-      targetPort: {{ nginx_port | int }} # yamllint disable-line rule:braces
+      targetPort: {{ nginx_port | int }}  # yamllint disable-line rule:braces
   selector:
     app: "{{ nginx_proxy_name }}"
     env: "{{ env }}"

diff --git a/ansible/roles/operator-pipeline/tasks/community-signing-secrets.yml b/ansible/roles/operator-pipeline/tasks/community-signing-secrets.yml
@@ -1,10 +1,10 @@
 ---
 
 - name: Create Community pipeline cert secret
-  no_log: yes
+  no_log: true
   k8s:
     state: present
-    force: yes
+    force: true
     namespace: "{{ oc_namespace }}"
     definition:
       apiVersion: v1
@@ -21,12 +21,12 @@
         community-operator-signing-pipeline.pem: "{{ lookup('file', community_signing_pipeline_private_cert_local_path, rstrip=False) | b64encode }}"
 
 - name: Create signing pub key secret
-  no_log: yes
+  no_log: true
   tags:
     - secrets
   k8s:
     state: present
-    force: yes
+    force: true
     namespace: "{{ oc_namespace }}"
     definition:
       apiVersion: v1

diff --git a/ansible/roles/operator-pipeline/tasks/community-signing.yml b/ansible/roles/operator-pipeline/tasks/community-signing.yml
@@ -7,7 +7,7 @@
     - community-signing
   k8s:
     state: present
-    apply: yes
+    apply: true
     namespace: "{{ oc_namespace }}"
     definition: "{{ lookup('template', '{{ item }}') }}"
   with_items:

diff --git a/ansible/roles/operator-pipeline/tasks/operator-pipeline-import-index-images.yml b/ansible/roles/operator-pipeline/tasks/operator-pipeline-import-index-images.yml
@@ -4,7 +4,7 @@
 - name: Import certified-operator-index imagestream
   tags:
     - import-index-images
-  no_log: yes
+  no_log: true
   uri:
     url: "{{ ocp_host }}/apis/image.openshift.io/v1/namespaces/{{ oc_namespace }}/imagestreamimports"
     method: POST

diff --git a/ansible/roles/operator-pipeline/tasks/operator-pipeline-webhooks.yml b/ansible/roles/operator-pipeline/tasks/operator-pipeline-webhooks.yml
@@ -1,3 +1,4 @@
+---
 - name: Configure GitHub webhooks
   loop: "{{ operator_pipeline_github_webhook_repos }}"
   when: operator_pipeline_github_webhook_repos is defined
Original file line number	Diff line number	Diff line change
		@@ -1 +1,2 @@
		---
		ocp_host: https://api.pipelines-prod.ijdb.p1.openshiftapps.com:6443
Original file line number	Diff line number	Diff line change
		@@ -1 +1,2 @@
		---
		ocp_host: https://api.pipelines-stage.0ce8.p1.openshiftapps.com:6443