infra/ansible
23
2
Fork 44
Code Pull requests 13 Activity Actions

feat: Make the sysadmin-opensift-readonly group deploy in production #3188

Merged
kevin merged 2 commits from smoliicek/ansible:readonly-openshift-prod into main 2026-03-11 21:32:52 +00:00
Conversation 2 Commits 2 Files changed 1 +1 -1
smoliicek commented 2026-03-03 19:17:50 +00:00
Member
Copy link

this isn't something that is urgently needed, so we can merge this after the freeze ends

Signed-off-by: Vít Smolík me@smoliicek.cz

this isn't something that is urgently needed, so we can merge this after the freeze ends Signed-off-by: Vít Smolík <me@smoliicek.cz>
feat: Make the sysadmin-opensift-readonly group deploy in production
All checks were successful
Linter / yamllint (pull_request) Successful in 24s
Details
Linter / ansible-lint (pull_request) Successful in 40s
Details
AI Code Review / ai-review (pull_request_target) Successful in 31s
Details
1b50e4ceb4
 
Signed-off-by: Vít Smolík <me@smoliicek.cz>
smoliicek 2026-03-11 18:59:18 +00:00
forgejo-actions commented 2026-03-11 19:11:28 +00:00
Copy link

AI Code Review

📋 MR Summary

This MR promotes the sysadmin-openshift-readonly role, group, and rolebinding templates from staging to production by moving them to the main templates list.

  • Key Changes:
    • Moved sysadmin-openshift-readonly-* files out of the stg_templates section to the main template list.
  • Impact: roles/openshift/cluster/tasks/main.yaml
  • Risk Level: 🟢 Low - This is a straightforward promotion of existing staging configuration to production. The primary risk is Ansible parsing an empty YAML key as null.

Detailed Code Review

The change correctly moves the templates to the main deployment list as intended. However, leaving the stg_templates key empty in YAML evaluates to null rather than an empty list. If any downstream tasks iterate over this variable without a default filter (e.g., loop: "{{ stg_templates | default([]) }}"), it will cause an Ansible runtime error. It is recommended to either remove the key entirely or explicitly set it to an empty list.

📂 File Reviews

📄 `roles/openshift/cluster/tasks/main.yaml` - Moves read-only templates to the main template list.
  • Major [Bug]: Leaving stg_templates: empty evaluates to null in YAML. If later tasks attempt to iterate over stg_templates, Ansible will throw a runtime error.
    • Suggestion: Explicitly set stg_templates to an empty list or remove the key entirely if it is no longer needed.
    stg_templates: []

Summary

  • Overall Assessment: The intent is clear and correct, but there is a potential Ansible runtime issue due to an empty YAML key. Addressing the empty variable will ensure a smooth deployment after the freeze.
  • Priority Issues:
    • Ensure stg_templates does not evaluate to null by either assigning an empty list [] or removing the key entirely, to prevent Ansible iteration errors.

🤖 AI Code Review | Generated with ai-code-review | Model: gemini-3.1-pro-preview

⚠️ AI-generated suggestions may be incorrect. Verify before applying. Not a replacement for human review.

## AI Code Review ### 📋 MR Summary This MR promotes the `sysadmin-openshift-readonly` role, group, and rolebinding templates from staging to production by moving them to the main templates list. - **Key Changes:** - Moved `sysadmin-openshift-readonly-*` files out of the `stg_templates` section to the main template list. - **Impact:** roles/openshift/cluster/tasks/main.yaml - **Risk Level:** 🟢 Low - This is a straightforward promotion of existing staging configuration to production. The primary risk is Ansible parsing an empty YAML key as null. ### Detailed Code Review The change correctly moves the templates to the main deployment list as intended. However, leaving the `stg_templates` key empty in YAML evaluates to `null` rather than an empty list. If any downstream tasks iterate over this variable without a default filter (e.g., `loop: "{{ stg_templates | default([]) }}"`), it will cause an Ansible runtime error. It is recommended to either remove the key entirely or explicitly set it to an empty list. #### 📂 File Reviews <details> <summary><strong>📄 `roles/openshift/cluster/tasks/main.yaml`</strong> - Moves read-only templates to the main template list.</summary> - **Major** [Bug]: Leaving `stg_templates:` empty evaluates to `null` in YAML. If later tasks attempt to iterate over `stg_templates`, Ansible will throw a runtime error. - *Suggestion:* Explicitly set `stg_templates` to an empty list or remove the key entirely if it is no longer needed. ```` stg_templates: [] ```` </details> ### ✅ Summary - **Overall Assessment:** The intent is clear and correct, but there is a potential Ansible runtime issue due to an empty YAML key. Addressing the empty variable will ensure a smooth deployment after the freeze. - **Priority Issues:** - Ensure `stg_templates` does not evaluate to `null` by either assigning an empty list `[]` or removing the key entirely, to prevent Ansible iteration errors. --- 🤖 **AI Code Review** | Generated with [ai-code-review](https://gitlab.com/redhat/edge/ci-cd/ai-code-review) | **Model:** `gemini-3.1-pro-preview` ⚠️ *AI-generated suggestions may be incorrect. Verify before applying. Not a replacement for human review.*
fix bug: set stg_template as empty list, so ansible doesn't fail
All checks were successful
Linter / yamllint (pull_request) Successful in 25s
Details
Linter / ansible-lint (pull_request) Successful in 39s
Details
AI Code Review / ai-review (pull_request_target) Successful in 26s
Details
7a8164e124
 
Signed-off-by: Vít Smolík <me@smoliicek.cz>
forgejo-actions commented 2026-03-11 19:15:53 +00:00
Copy link

AI Code Review

📋 MR Summary

This MR deploys the sysadmin-openshift-readonly group to the production environment by moving its associated templates to the main templates list in the Ansible task.

  • Key Changes:
    • Moved sysadmin-openshift-readonly-* templates from stg_templates to the default template list.
    • Initialized stg_templates as an empty list to prevent Ansible execution failures.
  • Impact: roles/openshift/cluster/tasks/main.yaml
  • Risk Level: 🟢 Low - The changes only alter the scope of deployment for read-only roles and bindings in OpenShift. The initialization of the stg_templates array resolves an existing Ansible bug without introducing complex logic.

Detailed Code Review

The changes are straightforward and accurately reflect the PR description. Moving the sysadmin-openshift-readonly resources out of the staging-only list ensures they are deployed in production as intended. Initializing stg_templates: [] is a correct and safe approach to fix the undefined variable issue in Ansible.

No security, performance, or logic issues were found. As noted by the author, merging should be deferred until after the current freeze period.

📂 File Reviews

📄 `roles/openshift/cluster/tasks/main.yaml` - Updated template lists to include read-only resources in production and initialized staging templates as an empty list.
  • Suggestion [Style]: The logic is correct, but depending on how stg_templates is used downstream in the playbook, you could consider omitting it entirely if empty lists are handled correctly by the with_items or loop module. However, explicitly defining it as an empty list as done here is perfectly safe and prevents the 'undefined variable' error.
    • Suggestion: No changes needed; current implementation is safe.

Summary

  • Overall Assessment: The review identified no critical issues. The logic is sound, correctly addressing both the feature request and the Ansible bug. Review is complete.
  • Minor Suggestions:
    • Ensure deployment occurs only after the freeze period has ended, as noted in the PR description.

🤖 AI Code Review | Generated with ai-code-review | Model: gemini-3.1-pro-preview

⚠️ AI-generated suggestions may be incorrect. Verify before applying. Not a replacement for human review.

## AI Code Review ### 📋 MR Summary This MR deploys the `sysadmin-openshift-readonly` group to the production environment by moving its associated templates to the main templates list in the Ansible task. - **Key Changes:** - Moved `sysadmin-openshift-readonly-*` templates from `stg_templates` to the default template list. - Initialized `stg_templates` as an empty list to prevent Ansible execution failures. - **Impact:** roles/openshift/cluster/tasks/main.yaml - **Risk Level:** 🟢 Low - The changes only alter the scope of deployment for read-only roles and bindings in OpenShift. The initialization of the `stg_templates` array resolves an existing Ansible bug without introducing complex logic. ### Detailed Code Review The changes are straightforward and accurately reflect the PR description. Moving the `sysadmin-openshift-readonly` resources out of the staging-only list ensures they are deployed in production as intended. Initializing `stg_templates: []` is a correct and safe approach to fix the undefined variable issue in Ansible. No security, performance, or logic issues were found. As noted by the author, merging should be deferred until after the current freeze period. #### 📂 File Reviews <details> <summary><strong>📄 `roles/openshift/cluster/tasks/main.yaml`</strong> - Updated template lists to include read-only resources in production and initialized staging templates as an empty list.</summary> - **Suggestion** [Style]: The logic is correct, but depending on how `stg_templates` is used downstream in the playbook, you could consider omitting it entirely if empty lists are handled correctly by the `with_items` or loop module. However, explicitly defining it as an empty list as done here is perfectly safe and prevents the 'undefined variable' error. - *Suggestion:* No changes needed; current implementation is safe. </details> ### ✅ Summary - **Overall Assessment:** The review identified no critical issues. The logic is sound, correctly addressing both the feature request and the Ansible bug. Review is complete. - **Minor Suggestions:** - Ensure deployment occurs only after the freeze period has ended, as noted in the PR description. --- 🤖 **AI Code Review** | Generated with [ai-code-review](https://gitlab.com/redhat/edge/ci-cd/ai-code-review) | **Model:** `gemini-3.1-pro-preview` ⚠️ *AI-generated suggestions may be incorrect. Verify before applying. Not a replacement for human review.*
kevin merged commit ba480436d7 into main 2026-03-11 21:32:52 +00:00
Sign in to join this conversation.
Reviewers
No reviewers
kevin
Labels
Clear labels   
ai-review-please

label for requesting AI code review

  
freeze-break-request

   
post-freeze
  
Backlog Status
Needs Review
Work items that have been created or updated but need review, refinement, or approval before they can be considered ready for sprint planning.

  
Backlog Status
Ready
Work items that have been reviewed, refined, and are ready to be committed to a sprint. These items have clear requirements and can be worked on immediately when capacity is available.

  
chore

Work that needs to be done but doesn't add new functionality or fix bugs. Maintenance tasks that keep the system running smoothly and the codebase clean.

  
documentation

Work focused on creating, updating, or improving documentation for users, developers, or system administrators.

  
points
01
A task that is simple, small, and has very little uncertainty. It should be easy enough for any team member to pick up and complete quickly, without a lot of discussion or research.

  
points
02
This is a task that is slightly more complex or larger than a "1." It might involve two or three simple steps, but the outcome is still very clear and there's little uncertainty.

  
points
03
Medium-sized task with some noticeable complexity. It might require a bit more thought or collaboration. The steps are well-defined, but it's not a trivial change.

  
points
05
A significant piece of work. It has more complexity and a higher degree of uncertainty than smaller tasks. It might require some research, a design discussion, or collaboration across multiple teams.

  
points
08
Complex task with a lot of uncertainty. It's often the largest size that a team will consider for a single sprint. It likely requires a detailed breakdown and multiple team members to complete.

  
points
13
Any task that feels like it's a "13" or more is considered an Epic. These are too large and uncertain to be worked on in a single sprint and should be broken down.

  
Priority
High
This is for work that is critical and needs to be addressed in the next sprint. It's often for urgent bugs, important features, or a major piece of technical debt that is blocking other work.

  
Priority
Low
This is for work that is good to do but not urgent. It's a candidate for being worked on when there's extra time or when it rises in importance. It can stay in the backlog for a longer period.

  
Priority
Medium
This is for important work that should be done soon, but isn't as urgent as a high-priority item. It will likely be considered for the next 1-2 sprints.

  
Sprint Status
Blocked
Work items that cannot progress due to external dependencies, blockers, or issues that need resolution.

  
Sprint Status
Done
Work items that have been completed, reviewed, and integrated. No further work is needed within the current sprint.

  
Sprint Status
In Progress
Work items currently being worked on by a team member. Active development, research, or implementation is happening.

  
Sprint Status
Review
Work items that are complete but need review, testing, or approval before being marked as done.

  
Sprint Status
To Do
Work items that are committed to the sprint but haven't been started yet. These items are ready to be picked up by team members.

  
Technical Debt

Work that addresses shortcuts, workarounds, or suboptimal implementations that were done previously to meet deadlines. These items improve code quality, maintainability, or performance without adding new features.

  
Work Item
Bug
Issues where the system is not working as intended or designed. Bugs represent deviations from expected behavior.

  
Work Item
Epic
Large initiatives that are broken down into multiple smaller work items (user stories, tasks, bugs). Epics represent significant features or projects that span multiple sprints.

  
Work Item
Spike
Time-boxed research, investigation, or proof-of-concept work to reduce uncertainty or explore solutions. Spikes help inform future development decisions.

  
Work Item
Task
Used to break down larger user stories into smaller, manageable implementation pieces. They focus on the specific technical steps needed to deliver the user story's value.

  
Work Item
User Story
User-facing features or functionality that can be framed from a user perspective, describing what someone wants to accomplish and why.

No labels
ai-review-please
freeze-break-request
post-freeze
Backlog Status
Needs Review
Backlog Status
Ready
chore
documentation
points
01
points
02
points
03
points
05
points
08
points
13
Priority
High
Priority
Low
Priority
Medium
Sprint Status
Blocked
Sprint Status
Done
Sprint Status
In Progress
Sprint Status
Review
Sprint Status
To Do
Technical Debt
Work Item
Bug
Work Item
Epic
Work Item
Spike
Work Item
Task
Work Item
User Story
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
2 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
infra/ansible!3188
No description provided.