ci: update linter settings, fix new linter issues

.ansible-lint

@@ -21,19 +21,20 @@ warn_list:
   - experimental
   - ignore-errors
   - no-handler
-  - fqcn-builtins
   - no-log-password
   - jinja[spacing]
   - jinja[invalid]
   - meta-no-tags
-  - name[template]
   - name[casing]
   - fqcn[action]
   - schema[meta]
+  - var-naming[no-role-prefix]
+  - key-order[task]
 
 skip_list:
   - vars_should_not_be_used
   - file_is_small_enough
+  - name[template]
 
 use_default_rules: true
 parseable: true

molecule/default/verify.yml

@@ -15,8 +15,11 @@
           - ansible_facts.services["keycloak.service"]["state"] == "running"
           - ansible_facts.services["keycloak.service"]["status"] == "enabled"
     - name: Verify we are running on requested jvm
-      shell: |
+      ansible.builtin.shell: |
+        set -o pipefail
         ps -ef | grep /usr/lib/jvm/java-11 | grep -v grep
+      args:
+        executable: /bin/bash
       changed_when: no
     - name: Verify token api call
       ansible.builtin.uri:
@@ -48,8 +51,6 @@
         headers:
           Authorization: "Bearer {{ keycloak_auth_response.json.access_token }}"
       register: keycloak_query_clients
-    - debug:
-        msg: "{{ keycloak_query_clients.json | selectattr('clientId','equalto','TestClient') }}"
     - name: Verify expected config
       ansible.builtin.assert:
         that:

molecule/quarkus/prepare.yml

@@ -11,25 +11,30 @@
       ansible.builtin.set_fact:
         hera_home: "{{ lookup('env', 'HERA_HOME') }}"
 
-    - ansible.builtin.command: openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 365 -nodes -subj '/CN=instance'
+    - name: Create certificate request
+      ansible.builtin.command: openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 365 -nodes -subj '/CN=instance'
       delegate_to: localhost
+      changed_when: False
 
-    - block:
-        - ansible.builtin.lineinfile:
-            dest: /etc/hosts
-            line: "127.0.0.1 instance"
-            state: present
-          delegate_to: localhost
-          become: yes
+    - name: Set /etc/hosts
+      ansible.builtin.lineinfile:
+        dest: /etc/hosts
+        line: "127.0.0.1 instance"
+        state: present
+      delegate_to: localhost
+      become: yes
       when:
         - hera_home is defined
         - hera_home | length == 0
 
-    - ansible.builtin.file:
+    - name: Create conf directory # risky-file-permissions in test user account does not exist yet
+      ansible.builtin.file:
         state: directory
         path: /opt/keycloak/keycloak-18.0.0/conf/
+        mode: 0755
 
-    - ansible.builtin.copy:
+    - name: Copy certificates
+      ansible.builtin.copy:
         src: "{{ item }}"
         dest: "/opt/keycloak/keycloak-18.0.0/conf/{{ item }}"
         mode: 0444

molecule/quarkus/verify.yml

@@ -4,26 +4,30 @@
   tasks:
     - name: Populate service facts
       ansible.builtin.service_facts:
+
     - name: Check if keycloak service started
       ansible.builtin.assert:
         that:
           - ansible_facts.services["keycloak.service"]["state"] == "running"
           - ansible_facts.services["keycloak.service"]["status"] == "enabled"
 
-    - set_fact:
+    - name: Set internal envvar
+      ansible.builtin.set_fact:
         hera_home: "{{ lookup('env', 'HERA_HOME') }}"
 
-    - block:
-        - name: Fetch openID config
-          shell: |
+    - name: Verify openid config
+      block:
+        - name: Fetch openID config # noqa command-instead-of-module
+          ansible.builtin.shell: |
+            set -o pipefail
             curl https://instance:8443/realms/master/.well-known/openid-configuration -k | jq .
+          args:
+            executable: /bin/bash
           delegate_to: localhost
           register: openid_config
-        - debug:
-            msg: " {{ openid_config.stdout | from_json }}"
-          delegate_to: localhost
+          changed_when: False
         - name: Verify endpoint URLs
-          assert:
+          ansible.builtin.assert:
             that:
               - (openid_config.stdout | from_json)["backchannel_authentication_endpoint"] == 'https://instance/realms/master/protocol/openid-connect/ext/ciba/auth'
               - (openid_config.stdout | from_json)['issuer'] == 'https://instance/realms/master'

roles/keycloak/tasks/rhsso_patch.yml

@@ -35,14 +35,14 @@
       run_once: yes
 
     - name: Determine patch versions list
-      set_fact:
+      ansible.builtin.set_fact:
         filtered_versions: "{{ rhn_products.results | map(attribute='file_path') | select('match', '^[^/]*/rh-sso-.*[0-9]*[.][0-9]*[.][0-9]*.*$') | map('regex_replace','[^/]*/rh-sso-([0-9]*[.][0-9]*[.][0-9]*)-.*','\\1' ) | list | unique }}"
       when: sso_patch_version is not defined or sso_patch_version | length == 0
       delegate_to: localhost
       run_once: yes
 
     - name: Determine latest version
-      set_fact:
+      ansible.builtin.set_fact:
          sso_latest_version: "{{ filtered_versions | middleware_automation.keycloak.version_sort | last }}"
       when: sso_patch_version is not defined or sso_patch_version | length == 0
       delegate_to: localhost
@@ -58,7 +58,7 @@
       run_once: yes
 
     - name: "Determine selected patch from supplied version: {{ sso_patch_version }}"
-      set_fact:
+      ansible.builtin.set_fact:
         rhn_filtered_products: "{{ rhn_products.results | selectattr('file_path', 'match', '[^/]*/' + sso_patch_bundle + '$') }}"
         patch_bundle: "{{ sso_patch_bundle }}"
         patch_version: "{{ sso_patch_version }}"