diff --git a/.github/workflows/f5-cla.yml b/.github/workflows/f5-cla.yml
index 643853c42..df37a618f 100644
--- a/.github/workflows/f5-cla.yml
+++ b/.github/workflows/f5-cla.yml
@@ -1,40 +1,40 @@ --- - name: F5 CLA - on: - issue_comment: - types: [created] - pull_request_target: - types: [opened, closed, synchronize] - permissions: read-all - jobs: - f5-cla: - name: F5 CLA - runs-on: ubuntu-24.04 - permissions: - actions: write - pull-requests: write - statuses: write - steps: - - name: Run F5 Contributor License Agreement (CLA) assistant - if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have hereby read the F5 CLA and agree to its terms') || github.event_name == 'pull_request_target' - uses: contributor-assistant/github-action@9340315624c6e16cef1f2c63bdeb0f0c49c6f474 # v2.4.0 - with: - # Any pull request targeting the following branch will trigger a CLA check. - branch: main - # Path to the CLA document. - path-to-document: https://github.com/f5/.github/blob/main/CLA/cla-markdown.md - # Custom CLA messages. - custom-notsigned-prcomment: '🎉 Thank you for your contribution! It appears you have not yet signed the F5 Contributor License Agreement (CLA), which is required for your changes to be incorporated into an F5 Open Source Software (OSS) project. Please kindly read the [F5 CLA](https://github.com/f5/.github/blob/main/CLA/cla-markdown.md) and reply on a new comment with the following text to agree:' - custom-pr-sign-comment: 'I have hereby read the F5 CLA and agree to its terms' - custom-allsigned-prcomment: '✅ All required contributors have signed the F5 CLA for this PR. Thank you!' - # Remote repository storing CLA signatures. - remote-organization-name: f5 - remote-repository-name: f5-cla-data - path-to-signatures: signatures/signatures.json - # Comma separated list of usernames for maintainers or any other individuals who should not be prompted for a CLA. - allowlist: alessfg, oxpa, bot* - # Do not lock PRs after a merge. 
- lock-pullrequest-aftermerge: false - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - PERSONAL_ACCESS_TOKEN: ${{ secrets.F5_CLA_TOKEN }} +name: F5 CLA +on: + issue_comment: + types: [created] + pull_request_target: + types: [opened, closed, synchronize] +permissions: read-all +jobs: + f5-cla: + name: F5 CLA + runs-on: ubuntu-24.04 + permissions: + actions: write + pull-requests: write + statuses: write + steps: + - name: Run F5 Contributor License Agreement (CLA) assistant + if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have hereby read the F5 CLA and agree to its terms') || github.event_name == 'pull_request_target' + uses: contributor-assistant/github-action@9340315624c6e16cef1f2c63bdeb0f0c49c6f474 # v2.4.0 + with: + # Any pull request targeting the following branch will trigger a CLA check. + branch: main + # Path to the CLA document. + path-to-document: https://github.com/f5/.github/blob/main/CLA/cla-markdown.md + # Custom CLA messages. + custom-notsigned-prcomment: '🎉 Thank you for your contribution! It appears you have not yet signed the F5 Contributor License Agreement (CLA), which is required for your changes to be incorporated into an F5 Open Source Software (OSS) project. Please kindly read the [F5 CLA](https://github.com/f5/.github/blob/main/CLA/cla-markdown.md) and reply on a new comment with the following text to agree:' + custom-pr-sign-comment: 'I have hereby read the F5 CLA and agree to its terms' + custom-allsigned-prcomment: '✅ All required contributors have signed the F5 CLA for this PR. Thank you!' + # Remote repository storing CLA signatures. + remote-organization-name: f5 + remote-repository-name: f5-cla-data + path-to-signatures: signatures/signatures.json + # Comma separated list of usernames for maintainers or any other individuals who should not be prompted for a CLA. + allowlist: alessfg, oxpa, bot* + # Do not lock PRs after a merge. 
+ lock-pullrequest-aftermerge: false + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + PERSONAL_ACCESS_TOKEN: ${{ secrets.F5_CLA_TOKEN }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 6eea2a3d1..60d5dcfd8 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -1,20 +1,20 @@ --- - name: Release Drafter - on: - push: - branches: [main] - pull_request_target: - types: [opened, reopened, synchronize] - permissions: read-all - jobs: - release-draft: - name: Update release draft - runs-on: ubuntu-24.04 - permissions: - contents: write - pull-requests: write - steps: - - name: Run release drafter - uses: release-drafter/release-drafter@3f0f87098bd6b5c5b9a36d49c41d998ea58f9348 # v6.0.0 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} +name: Release Drafter +on: + push: + branches: [main] + pull_request_target: + types: [opened, reopened, synchronize] +permissions: read-all +jobs: + release-draft: + name: Update release draft + runs-on: ubuntu-24.04 + permissions: + contents: write + pull-requests: write + steps: + - name: Run release drafter + uses: release-drafter/release-drafter@3f0f87098bd6b5c5b9a36d49c41d998ea58f9348 # v6.0.0 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/CHANGELOG.md b/CHANGELOG.md index 891f7139b..f6b843913 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,6 +12,7 @@ FEATURES: - Add support for installing NGINX Open Source on Alpine Linux 3.20. - Add support for installing NGINX Agent on Ubuntu noble. - Add validation tasks to check the Ansible version, the Jinja2 version, and whether the required Ansible collections for this role are installed. +- Bump the minimum version of Ansible supported to `2.16`, whilst clarifying that Ansible `2.18` is not supported at this stage. - Bump the Ansible `community.general` collection to `9.2.0`, `community.crypto` collection to `2.21.1` and `community.docker` collection to `3.11.0`. DOCUMENTATION: 
@@ -28,6 +29,7 @@ CI/CD: - Update GitHub Actions to Ubuntu 24.04. - Switch GitHub Actions from using tags to release hashes. - Remove commented out Molecule platforms and GitHub Actions QEMU step for the time being. These changes will be reverted if multi-arch testing can be reinstated in GitHub Actions. +- Bump the minimum version of Ansible supported on Ansible Galaxy to `2.16`. - Remove platform metadata from the Ansible Galaxy role metadata since platforms are no longer supported in Ansible Galaxy NG. - Implement OSSF Scorecard. @@ -62,7 +64,7 @@ CI/CD: - Add Molecule tests for NGINX Amplify. - Update the RHEL based tests to use the latest UBI release. - Use the local role name (`ansible-role-nginx`) instead of the fully qualified role name (`nginxinc.nginx`) in Molecule to ensure tests always work as intended in environments where the role has been already installed beforehand. -- Implement F5 CLA signatures. +- Implement F5 CLA. - Hardcode version of Python requests module given its propensity to break the Docker Python SDK. ## 0.24.2 (October 3rd, 2023) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 431633b62..cba1bc537 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -21,7 +21,7 @@ Follow this project's [Installation Guide](/README.md#Installation) to install A ### Project Structure -- The NGINX Ansible role is written in `yaml` and supports NGINX Open Source, NGINX Plus, NGINX Agent and NGINX Amplify. +- The NGINX Ansible role is written in [`yaml`](https://yaml.org) and supports NGINX Open Source, NGINX Plus, NGINX Agent and NGINX Amplify. - The project follows the standard [Ansible role directory structure](https://docs.ansible.com/ansible/latest/user_guide/playbooks_reuse_roles.html): - The main "codebase" is found in the [`tasks/`](/tasks/) directory. - Variables can be found in [`defaults/main/`](/defaults/main/). The filenames in this directory highlight which variables are contained in each file. 
diff --git a/README.md b/README.md index 735e1cd10..680b29ad5 100644 --- a/README.md +++ b/README.md @@ -45,6 +45,8 @@ This will also ensure you are deploying/running this role with a fully tested ve #### Ansible core - This role is developed and tested with [maintained](https://docs.ansible.com/ansible/devel/reference_appendices/release_and_maintenance.html) versions of Ansible core and Python. + + ***Note:** Ansible `2.18` does no longer support the `yum` module and as such, is not supported by this role until Amazon Linux 2 reaches EoL.* - When using Ansible core, you will also need to install the following Ansible collections: ```yaml @@ -96,7 +98,7 @@ If you want to contribute to this role, you will also need to install Ansible Li - Molecule is used to test the various functionalities of the role. - Instructions on how to install Molecule can be found in the [Molecule website](https://molecule.readthedocs.io/en/latest/installation.html). *You will also need to install the Molecule plugins package and the Docker Python SDK.* -- To run any of the NGINX Plus Molecule tests, you must first copy your NGINX Plus license to the role's [`files/license`](https://github.com/nginxinc/ansible-role-nginx/blob/main/files/license/) directory. +- To run any of the NGINX Plus Molecule tests, you must first copy your NGINX Plus license to the role's [`files/license`](/files/license/) directory. You can alternatively add your NGINX Plus repository certificate and key to the local environment. Run the following commands to export these files as base64-encoded variables and execute the Molecule tests: 
@@ -292,44 +294,44 @@ Ubuntu: ## Role Variables -This role has multiple variables. The descriptions and defaults for all these variables can be found in the **[`defaults/main/`](https://github.com/nginxinc/ansible-role-nginx/blob/main/defaults/main/)** directory in the following files: +This role has multiple variables. The descriptions and defaults for all these variables can be found in the **[`defaults/main/`](/defaults/main/)** directory in the following files: | Name | Description | | ---- | ----------- | -| **[`main.yml`](https://github.com/nginxinc/ansible-role-nginx/blob/main/defaults/main/main.yml)** | NGINX installation variables | -| **[`agent.yml`](https://github.com/nginxinc/ansible-role-nginx/blob/main/defaults/main/agent.yml)** | NGINX Agent installation variables | -| **[`amplify.yml`](https://github.com/nginxinc/ansible-role-nginx/blob/main/defaults/main/amplify.yml)** | NGINX Amplify agent installation variables | -| **[`bsd.yml`](https://github.com/nginxinc/ansible-role-nginx/blob/main/defaults/main/bsd.yml)** | BSD installation variables | -| **[`logrotate.yml`](https://github.com/nginxinc/ansible-role-nginx/blob/main/defaults/main/logrotate.yml)** | Logrotate configuration variables | -| **[`selinux.yml`](https://github.com/nginxinc/ansible-role-nginx/blob/main/defaults/main/selinux.yml)** | SELinux configuration variables | -| **[`systemd.yml`](https://github.com/nginxinc/ansible-role-nginx/blob/main/defaults/main/systemd.yml)** | Systemd configuration variables | +| **[`main.yml`](/defaults/main/main.yml)** | NGINX installation variables | +| **[`agent.yml`](/defaults/main/agent.yml)** | NGINX Agent installation variables | +| **[`amplify.yml`](/defaults/main/amplify.yml)** | NGINX Amplify agent installation variables | +| **[`bsd.yml`](/defaults/main/bsd.yml)** | BSD installation variables | +| **[`logrotate.yml`](/defaults/main/logrotate.yml)** | Logrotate configuration variables | +| **[`selinux.yml`](/defaults/main/selinux.yml)** | 
SELinux configuration variables | +| **[`systemd.yml`](/defaults/main/systemd.yml)** | Systemd configuration variables | -Similarly, descriptions and defaults for preset variables can be found in the **[`vars/`](https://github.com/nginxinc/ansible-role-nginx/blob/main/vars/)** directory in the following files: +Similarly, descriptions and defaults for preset variables can be found in the **[`vars/`](/vars/)** directory in the following files: | Name | Description | | ---- | ----------- | -| **[`main.yml`](https://github.com/nginxinc/ansible-role-nginx/blob/main/vars/main.yml)** | List of supported NGINX platforms, modules, and Linux installation variables | +| **[`main.yml`](/vars/main.yml)** | List of supported NGINX platforms, modules, and Linux installation variables | ## Example Playbooks -Working functional playbook examples can be found in the **[`molecule/`](https://github.com/nginxinc/ansible-role-nginx/blob/main/molecule/)** folder in the following files: +Working functional playbook examples can be found in the **[`molecule/`](/molecule/)** folder in the following files: | Name | Description | | ---- | ----------- | -| **[`agent/converge.yml`](https://github.com/nginxinc/ansible-role-nginx/blob/main/molecule/agent/converge.yml)** | Install and configure NGINX Agent to connect to the NGINX One SaaS control plane on F5 Distributed Cloud | -| **[`amplify/converge.yml`](https://github.com/nginxinc/ansible-role-nginx/blob/main/molecule/amplify/converge.yml)** | Install and configure the NGINX Amplify agent | -| **[`default/converge.yml`](https://github.com/nginxinc/ansible-role-nginx/blob/main/molecule/default/converge.yml)** | Install a specific version of NGINX, install various NGINX supported modules, tweak systemd and set up logrotate | -| **[`distribution/converge.yml`](https://github.com/nginxinc/ansible-role-nginx/blob/main/molecule/distribution/converge.yml)** | Install NGINX from the distribution's package repository instead of NGINX's package 
repository | -| **[`downgrade/converge.yml`](https://github.com/nginxinc/ansible-role-nginx/blob/main/molecule/downgrade/converge.yml)** | Downgrade to a specific version of NGINX | -| **[`downgrade-plus/converge.yml`](https://github.com/nginxinc/ansible-role-nginx/blob/main/molecule/downgrade-plus/converge.yml)** | Downgrade to a specific version of NGINX Plus | -| **[`plus/converge.yml`](https://github.com/nginxinc/ansible-role-nginx/blob/main/molecule/plus/converge.yml)** | Install NGINX Plus and various NGINX Plus supported modules | -| **[`source/converge.yml`](https://github.com/nginxinc/ansible-role-nginx/blob/main/molecule/source/converge.yml)** | Install NGINX from source | -| **[`stable/converge.yml`](https://github.com/nginxinc/ansible-role-nginx/blob/main/molecule/stable/converge.yml)** | Install NGINX using the latest stable release | -| **[`uninstall/converge.yml`](https://github.com/nginxinc/ansible-role-nginx/blob/main/molecule/uninstall/converge.yml)** | Uninstall NGINX | -| **[`uninstall-plus/converge.yml`](https://github.com/nginxinc/ansible-role-nginx/blob/main/molecule/uninstall-plus/converge.yml)** | Uninstall NGINX Plus | -| **[`upgrade/converge.yml`](https://github.com/nginxinc/ansible-role-nginx/blob/main/molecule/upgrade/converge.yml)** | Upgrade NGINX | -| **[`upgrade-plus/converge.yml`](https://github.com/nginxinc/ansible-role-nginx/blob/main/molecule/upgrade-plus/converge.yml)** | Upgrade NGINX Plus | -| **[`version/converge.yml`](https://github.com/nginxinc/ansible-role-nginx/blob/main/molecule/version/converge.yml)** | Install a specific version of NGINX and various NGINX modules | +| **[`agent/converge.yml`](/molecule/agent/converge.yml)** | Install and configure NGINX Agent to connect to the NGINX One SaaS control plane on F5 Distributed Cloud | +| **[`amplify/converge.yml`](/molecule/amplify/converge.yml)** | Install and configure the NGINX Amplify agent | +| **[`default/converge.yml`](/molecule/default/converge.yml)** | Install a 
specific version of NGINX, install various NGINX supported modules, tweak systemd and set up logrotate | +| **[`distribution/converge.yml`](/molecule/distribution/converge.yml)** | Install NGINX from the distribution's package repository instead of NGINX's package repository | +| **[`downgrade/converge.yml`](/molecule/downgrade/converge.yml)** | Downgrade to a specific version of NGINX | +| **[`downgrade-plus/converge.yml`](/molecule/downgrade-plus/converge.yml)** | Downgrade to a specific version of NGINX Plus | +| **[`plus/converge.yml`](/molecule/plus/converge.yml)** | Install NGINX Plus and various NGINX Plus supported modules | +| **[`source/converge.yml`](/molecule/source/converge.yml)** | Install NGINX from source | +| **[`stable/converge.yml`](/molecule/stable/converge.yml)** | Install NGINX using the latest stable release | +| **[`uninstall/converge.yml`](/molecule/uninstall/converge.yml)** | Uninstall NGINX | +| **[`uninstall-plus/converge.yml`](/molecule/uninstall-plus/converge.yml)** | Uninstall NGINX Plus | +| **[`upgrade/converge.yml`](/molecule/upgrade/converge.yml)** | Upgrade NGINX | +| **[`upgrade-plus/converge.yml`](/molecule/upgrade-plus/converge.yml)** | Upgrade NGINX Plus | +| **[`version/converge.yml`](/molecule/version/converge.yml)** | Install a specific version of NGINX and various NGINX modules | > [!NOTE] > If you install this repository via Ansible Galaxy, you will need to replace the `include_role` variable in the example playbooks from `ansible-role-nginx` to `nginxinc.nginx`. @@ -346,7 +348,7 @@ You can find the Ansible NGINX Unit role to install NGINX Unit [here](https://gi ## License -[Apache License, Version 2.0](https://github.com/nginxinc/ansible-role-nginx/blob/main/LICENSE) +[Apache License, Version 2.0](/LICENSE) ## Author Information diff --git a/tasks/main.yml b/tasks/main.yml index 3f82430f2..92b38bdf7 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
@@ -1,5 +1,5 @@ --- -- name: Validate distribution and role variables +- name: Validate Ansible/Jinja2 version, Ansible collections, role variables, and supported distributions ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate/validate.yml" tags: nginx_validate diff --git a/tasks/validate/validate.yml b/tasks/validate/validate.yml index 2571cd4c2..07199726f 100644 --- a/tasks/validate/validate.yml +++ b/tasks/validate/validate.yml @@ -1,9 +1,11 @@ --- - name: Verify you are using a supported Ansible version on your Ansible host ansible.builtin.assert: - that: ansible_version['full'] is version('2.16', '>=') + that: + - ansible_version['full'] is version(nginx_ansible_version, '>=') + - ansible_version['full'] is version('2.18', '<') success_msg: Ansible {{ ansible_version['full'] }} is supported. - fail_msg: Ansible {{ ansible_version['full'] }} has reached End of Life (EoL). Please upgrade to a supported Ansible release. Check the README for more details. + fail_msg: ({{ ansible_version['full'] is version('2.18', '>=') }} | ternary('Ansible {{ ansible_version['full'] }} is not yet supported. Please downgrade to a supported Ansible release', 'Ansible {{ ansible_version['full'] }} has reached End of Life (EoL). Please upgrade to a supported Ansible release.') Check the README for more details. delegate_to: localhost ignore_errors: true # noqa ignore-errors 
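Review bot: The new `fail_msg` on the Ansible version assert in `tasks/validate/validate.yml` is not a working conditional: `| ternary(...)` sits outside the `{{ }}` delimiters, each branch string nests its own `{{ ansible_version['full'] }}`, and the opening `(` is never closed. As written it would presumably print the boolean, the raw filter text and both the "not yet supported" and "End of Life" wordings at once. Put the whole choice inside one expression and join the version with `~`, for example `fail_msg: "{{ 'Ansible ' ~ ansible_version['full'] ~ ((ansible_version['full'] is version('2.18', '>=')) | ternary(' is not yet supported. Please downgrade to a supported Ansible release.', ' has reached End of Life (EoL). Please upgrade to a supported Ansible release.')) }} Check the README for more details."`. The task keeps `ignore_errors: true`, so this message is the only signal an operator gets about running an unsupported Ansible release. The upper bound `'2.18'` is also a literal in two places while the lower bound comes from `nginx_ansible_version`.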
@@ -16,7 +18,7 @@ - name: Verify that you are using a supported Jinja2 version on your Ansible host ansible.builtin.assert: - that: (jinja2_version['stdout'] | regex_search('jinja version = ([\\d.]+)', '\\1') | first) is version('3.1', '>=') + that: (jinja2_version['stdout'] | regex_search('jinja version = ([\\d.]+)', '\\1') | first) is version(nginx_jinja2_version, '>=') success_msg: Jinja2 {{ jinja2_version['stdout'] | regex_search('jinja version = ([\d.]+)', '\1') | first }} is supported. fail_msg: Jinja2 {{ jinja2_version['stdout'] | regex_search('jinja version = ([\d.]+)', '\1') | first }} is not supported. Please upgrade to Jinja2 3.1. Check the README for more details. delegate_to: localhost @@ -34,7 +36,6 @@ that: collection_list is search('community.general') success_msg: The 'community.general' Ansible collection is installed. fail_msg: The 'community.general' Ansible collection is not installed. Please install the 'community.general' Ansible collection. Check the README for more details. - changed_when: false delegate_to: localhost become: false 
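Review bot: The `fail_msg` of the Jinja2 assert still hard-codes `Please upgrade to Jinja2 3.1`, although the comparison in `that:` now reads its threshold from `nginx_jinja2_version`. The message will go stale the first time the variable is bumped and would then point operators at a version the check rejects. Suggest ending that message with `Please upgrade to Jinja2 {{ nginx_jinja2_version }} or later. Check the README for more details.`. The task continues past the end of this hunk.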
@@ -43,27 +44,27 @@ that: lookup('community.general.collection_version', 'ansible.posix') != 'none' success_msg: The 'ansible.posix' Ansible collection is installed. fail_msg: The 'ansible.posix' Ansible collection is not installed. Please install the 'ansible.posix' Ansible collection. Check the README for more details. + when: nginx_selinux | bool delegate_to: localhost become: false - when: nginx_selinux | bool - name: Verify that the 'community.crypto' Ansible collection is installed on your Ansible host ansible.builtin.assert: that: lookup('community.general.collection_version', 'community.crypto') != 'none' success_msg: The 'community.crypto' Ansible collection is installed. fail_msg: The 'community.crypto' Ansible collection is not installed. Please install the 'community.crypto' Ansible collection. Check the README for more details. + when: nginx_type == 'plus' delegate_to: localhost become: false - when: nginx_type == 'plus' - name: Verify that 'nginx_setup' parameter is a valid value ansible.builtin.assert: that: nginx_setup in nginx_setup_vars success_msg: The value you used for 'nginx_setup', {{ nginx_setup }}, is valid. fail_msg: The value you used for 'nginx_setup', {{ nginx_setup }}, is not valid. The valid values are [{{ nginx_setup_vars | join(', ') }}]. + when: nginx_enable | bool delegate_to: localhost become: false - when: nginx_enable | bool ignore_errors: true # noqa ignore-errors - name: Verify that 'nginx_branch' parameter is a valid value @@ -71,9 +72,9 @@ that: nginx_branch in nginx_branch_vars success_msg: The value you used for 'nginx_branch', {{ nginx_branch }}, is valid. fail_msg: The value you used for 'nginx_branch', {{ nginx_branch }}, is not allowed. The valid values are [{{ nginx_branch_vars | join(', ') }}]. + when: nginx_enable | bool delegate_to: localhost become: false - when: nginx_enable | bool ignore_errors: true # noqa ignore-errors - name: Verify that 'nginx_install_from' parameter is a valid value 
@@ -81,9 +82,9 @@ that: nginx_install_from in nginx_install_from_vars success_msg: The value you used for 'nginx_install_from', {{ nginx_install_from }} is valid. fail_msg: The value you used for 'nginx_install_from', {{ nginx_install_from }}, is not valid. The valid values are [{{ nginx_install_from_vars | join(', ') }}]. + when: nginx_enable | bool delegate_to: localhost become: false - when: nginx_enable | bool ignore_errors: true # noqa ignore-errors - name: Verify whether you are using a supported NGINX distribution diff --git a/vars/main.yml b/vars/main.yml index dc9b2633c..b457ed7ab 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -1,4 +1,8 @@ --- +# Set the minimum version required for Ansible and Jinja2 +nginx_ansible_version: 2.16 +nginx_jinja2_version: 3.1 + # Set the values allowed for various variables nginx_setup_vars: [install, uninstall, upgrade]
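Review bot: `nginx_ansible_version: 2.16` and `nginx_jinja2_version: 3.1` in `vars/main.yml` are unquoted, so YAML loads them as floats rather than version strings. That happens to work for these two values, but a later bump to something like `2.20` would load as `2.2` and quietly lower the minimum that the validation tasks enforce. Quote both: `nginx_ansible_version: "2.16"` and `nginx_jinja2_version: "3.1"`.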