Merge pull request #12496 from barbacbd/update-ipsec

OCPBUGS-30802: ipsec: Update the ipsec tasks to ensure that they are idempotent
2026-02-05 06:46:04 +01:00 · 2024-04-10 13:04:11 +00:00
parent aec1964a5b 938528fbb2
commit 78065326c7
5 changed files with 28 additions and 4 deletions
--- a/.travis.yml
+++ b/.travis.yml
@@ -9,7 +9,7 @@ before_cache:

 language: python
 python:
-  - "3.7"
+  - "3.9"

 before_install:
  - python -m pip install --upgrade virtualenv
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,3 +1,3 @@
 # Versions are pinned to prevent pypi releases arbitrarily breaking
 # tests with new APIs/semantics. We want to update versions deliberately.
-ansible-core<2.14
+ansible-core
--- a/roles/openshift_node/tasks/ipsec.yml
+++ b/roles/openshift_node/tasks/ipsec.yml
@@ -15,14 +15,27 @@
    path: /var/lib/ipsec/nss
    state: directory

+- name: check if ipsec dir is empty
+  find:
+    paths: /var/lib/ipsec/nss
+    file_type: any
+    hidden: true
+  register: findFiles
+
+- name: determine if selinux context is set
+  shell: semanage fcontext -l ipsec_key_file_t | grep "/var/lib/ipsec/nss" | wc -l
+  register: numContextEntries
+
 - name: set nss selinux context
-  command: semanage fcontext -a -t ipsec_key_file_t /var/lib/ipsec/nss
+  shell: semanage fcontext -a -t ipsec_key_file_t /var/lib/ipsec/nss
+  when: numContextEntries.stdout | int < 1

 - name: restore nss selinux context so it will be active
  command: restorecon -r /var/lib/ipsec/nss

 - name: initialize nss db
  command: ipsec initnss --nssdir /var/lib/ipsec/nss
+  when: findFiles.matched == 0

 - name: make sure proper selinux label on nss db
  command: chcon -R -t ipsec_key_file_t /var/lib/ipsec/nss
--- a/roles/openshift_node/tasks/upgrade.yml
+++ b/roles/openshift_node/tasks/upgrade.yml
@@ -25,6 +25,17 @@
  - include_tasks: "{{ openshift_node_pre_upgrade_hook }}"
  when: openshift_node_pre_upgrade_hook is defined

+- name: Gather the package facts
+  ansible.builtin.package_facts:
+    manager: auto
+
+- name: Remove conflicts from openshift-hyperkube
+  dnf:
+    name: openshift-hyperkube
+    state: absent
+  when:
+  - "'openshift-hyperkube' in ansible_facts.packages"
+
 # Upgrade Node Packages
 - import_tasks: install.yml

--- a/tox.ini
+++ b/tox.ini
@@ -1,6 +1,6 @@
 [tox]
 envlist =
-    py37-{unit,flake8,pylint,yamllint,ansible_syntax}
+    py39-{unit,flake8,pylint,yamllint,ansible_syntax}
 skipsdist=True
 skip_missing_interpreters=True