import ansible rules from ocp

mvk · mvk · commit 649f81962dbb · 2025-08-21T17:02:05.000+03:00
- from repository: [ansible-collection-redhatci-ocp](https://github.com/redhatci/ansible-collection-redhatci-ocp/) paths: - `hack/rules/*.py` - `.ansible-lint` - upd metadata + filenames - disable some rules Signed-off-by: Maxim Kovgan <makovgan@redhat.com>
diff --git a/.ansible-lint b/.ansible-lint
@@ -2,7 +2,20 @@
 skip_list:
   - var-naming[no-role-prefix]
 
+# rulesdir:
+#   - hack/rules
+
+use_default_rules: true
+
+display_relative_path: true
+
 # Define paths or files to ignore
 exclude_paths:
-  - "tests/dast"
-  - "*collections*"
+  - collections
+  - .git*
+  - .venv*
+  - hack
+  - plugins
+  - roles/**/molecule
+  - tests
+  - tests/dast
diff --git a/hack/rules/openshift_kni.md b/hack/rules/openshift_kni.md
@@ -0,0 +1,124 @@
+# openshift-kni rules
+
+This rule checks for compliance with some coding conventions in the OCP
+collection
+
+The `openshift-kni` rule has the following checks:
+
+- `openshift-kni[no-role-prefix]` - Variables used within a role should have a
+  prefix related to the role. This includes:
+  1. Variables passed to `{include,import}_role` and `{include_import}_tasks`
+     should be named `$prefix_$var`
+  1. Facts saved from within roles should be named `$prefix_$fact`
+  1. Variables registered from tasks to use in subsequent tasks should be named
+     `_$prefix_$var` - notice the extra underscore to signal this variable is
+     "private"
+
+  The rules to figure out the prefix are:
+  1. If the role name is $SHORT (where $SHORT is < 6 characters) use the whole
+     name
+  1. If not, split the role name by underscores into words
+  1. If there's a single word:
+     - Check for digits pattern `<prefix><digits><suffix>` (e.g., `junit2json`)
+       and create acronym using first letter of prefix + digits + first letter
+       of suffix
+     - Otherwise, use the first $SHORT characters
+  1. Finally, if there are 2 or more words, build an acronym from the split
+     words
+  1. It is also possible to specify the full prefix of the role (doesn't matter
+     if it's "too long") or prefix it with `global_` if the variable is
+     intended for global scope.
+
+  Examples of valid prefixes:
+
+  | Role Name               | Computed Prefix | Full Prefix              | Global Prefix |
+  |-------------------------|-----------------|--------------------------|---------------|
+  | `sno`                   | `sno_`          | `sno_`                   | `global_`     |
+  | `installer`             | `instal_`       | `installer_`             | `global_`     |
+  | `junit2json`            | `j2j_`          | `junit2json_`            | `global_`     |
+  | `web3server`            | `w3s_`          | `web3server_`            | `global_`     |
+  | `validate_http_store`   | `vhs_`          | `validate_http_store_`   | `global_`     |
+  | `oc_client_install`     | `oci_`          | `oc_client_install_`     | `global_`     |
+
+!!! note
+
+This rule overlaps with the `var-naming[no-role-prefix]` stock rule, disable
+it in your `.ansible-lint` config file or by passing a -x flag
+
+## Problematic Code
+
+```yaml
+---
+- name: Example playbook with bad variable naming
+  hosts: all
+  tasks:
+    - name: Include the OC Client Install role
+      ansible.builtin.include_role:
+        name: oc_client_install
+        vars:
+          version: "4.15.0"  # <-- Bad: no prefix
+          install_dir: "/usr/local/bin"  # <-- Bad: no prefix
+    
+    - name: Include role with digits in name
+      ansible.builtin.include_role:
+        name: junit2json
+        vars:
+          config_file: "config.xml"  # <-- Bad: no prefix
+    
+    - name: Set facts without prefix
+      ansible.builtin.set_fact:
+        ocp_version: "4.15.0"  # <-- Bad: no prefix for role context
+    
+    - name: Command with bad register
+      ansible.builtin.command: echo "test"
+      register: result  # <-- Bad: private var without prefix
+...
+```
+
+## Correct Code
+
+```yaml
+---
+- name: Example playbook with correct variable naming
+  hosts: all
+  tasks:
+    - name: Include the OC Client Install role
+      ansible.builtin.include_role:
+        name: oc_client_install
+        vars:
+          oci_version: "4.15.0"  # <-- Good: computed prefix
+          oc_client_install_install_dir: "/usr/local/bin"  # <-- Good: full prefix
+          global_cleanup: true  # <-- Good: global variable
+    
+    - name: Include role with digits in name
+      ansible.builtin.include_role:
+        name: junit2json
+        vars:
+          j2j_config_file: "config.xml"  # <-- Good: computed prefix with digits
+          junit2json_output_dir: "/tmp"  # <-- Good: full prefix
+    
+    - name: Set facts with proper prefix
+      ansible.builtin.set_fact:
+        oci_ocp_version: "4.15.0"  # <-- Good: role context prefix
+        global_cluster_info: "some_value"  # <-- Good: global scope
+    
+    - name: Command with good register
+      ansible.builtin.command: echo "test"
+      register: _oci_command_result  # <-- Good: private var with prefix
+...
+```
+
+## Private Variables for Registered Tasks
+
+Variables registered from tasks should use a leading underscore to indicate they are private to the role:
+
+```yaml
+- name: Get cluster version
+  ansible.builtin.command: oc version
+  register: _oci_version_output  # <-- Good: private with computed prefix
+
+- name: Check installation status  
+  ansible.builtin.stat:
+    path: /usr/local/bin/oc
+  register: _oc_client_install_binary_stat  # <-- Good: private with full prefix
+```
diff --git a/hack/rules/openshift_kni.py b/hack/rules/openshift_kni.py
@@ -0,0 +1,200 @@
+# Copyright (C) 2024 Red Hat, Inc.
+#
+# Author: Jorge A Gallegos <jgallego@redhat.com>
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+"""
+Specific rule definitions for coding conventions in Redhat OCP KNI
+"""
+
+import logging
+import re
+
+from ansiblelint.constants import ANNOTATION_KEYS, LINE_NUMBER_KEY
+from ansiblelint.errors import MatchError
+from ansiblelint.rules import AnsibleLintRule
+from ansiblelint.text import has_jinja
+from ansiblelint.file_utils import Lintable
+from ansiblelint.utils import Task
+
+_logger = logging.getLogger(__name__)
+
+
+class CollectionNamingConvention(AnsibleLintRule):
+    """Rules for the RedHat OCP KNI naming convention"""
+
+    id = "openshift-kni"
+    description = "RedHat OCP KNI naming convention"
+    severity = "MEDIUM"
+    tags = ["experimental", "idiom", "redhat", "openshift", "openshift-kni"]
+    version_added = "historic"
+    needs_raw_task = True
+    # These special variables are used by Ansible but we allow users to set
+    # them as they might need it in certain cases.
+    allowed_special_names = {
+        "ansible_facts",
+        "ansible_become_user",
+        "ansible_connection",
+        "ansible_host",
+        "ansible_python_interpreter",
+        "ansible_user",
+        "ansible_remote_tmp",  # no included in docs
+    }
+
+    def get_var_naming_matcherror(
+        self, ident: str, *, role: str, private: bool = False
+    ) -> MatchError | None:
+        """Return a MatchError if the variable name doesn't match prefix."""
+
+        # don't try to match private keys
+        if ident.startswith("__") and ident.endswith("__"):
+            return None
+
+        # don't try to match special names either
+        if ident in ANNOTATION_KEYS or ident in self.allowed_special_names:
+            return None
+
+        # if the role is templated, we can't possibly know what prefix to use
+        if has_jinja(role):
+            _logger.warning(f"Role name is templated, can't analyze (role: {role})")
+            return None
+
+        # finally, if we can't figure out the role name we can't figure out the
+        # prefix
+        if role.strip() == "":
+            _logger.debug(f"Passed empty role name for {ident}")
+            return None
+
+        #####################
+        # PREFIX HEURISTICS #
+        # vvvvvvvvvvvvvvvvv #
+        #####################
+        possible_prefix = set()
+        # https://www.researchgate.net/figure/Average-word-length-in-the-English-language-Different-colours-indicate-the-results-for_fig1_230764201
+        SHORT = 6
+        # compute the prefix
+        # if the role name is really short, just use the role name as prefix
+        if len(role) < SHORT:
+            computed_prefix = role
+        else:
+            parts = role.split("_")
+            if len(parts) == 1:
+                # if it's a single word, check for digits pattern first
+                digits_match = re.search(r'^([a-zA-Z]+)(\d+)([a-zA-Z]+)$', role)
+                if digits_match:
+                    # Special case: role contains digits in format <prefix><digits><suffix>
+                    prefix_part, digits_part, suffix_part = digits_match.groups()
+                    computed_prefix = f"{prefix_part[0] if prefix_part else ''}{digits_part}{suffix_part[0] if suffix_part else ''}"
+                else:
+                    # Default: use the first few chars from it
+                    computed_prefix = parts[0][:SHORT]
+            else:
+                # else, use an acronym
+                computed_prefix = "".join(_[0] for _ in parts)
+
+        # registering within roles should require "privatizing" variables
+        if private:
+            possible_prefix.add(f"_{role}")
+            possible_prefix.add(f"_{computed_prefix}")
+        else:
+            possible_prefix.add("global")
+            possible_prefix.add(f"{role}")
+            possible_prefix.add(f"{computed_prefix}")
+
+        #####################
+        # ^^^^^^^^^^^^^^^^^ #
+        # PREFIX HEURISTICS #
+        #####################
+
+        # If variable starts with any of the allowed prefixes, this is a valid
+        # variable name
+        for prefix in possible_prefix:
+            if ident.startswith(f"{prefix}_"):
+                return None
+
+        # fail if the task didnt' start with any of the allowed prefixes
+        return MatchError(
+            tag="openshift-kni[no-role-prefix]",
+            message="Variable names should use a prefix related to the role. "
+            + f"({possible_prefix} are possible)",
+            rule=self,
+        )
+
+    def matchtask(
+        self,
+        task: Task,
+        file: Lintable | None = None,
+    ) -> list[MatchError]:
+        """Return matches for task based variables."""
+        results: list[MatchError] = []
+        ansible_module = task["action"]["__ansible_module__"]
+
+        filename = "" if file is None else str(file.path)
+        role_name = ""
+        if file and file.parent and file.parent.kind == "role":
+            role_name = file.parent.path.name
+
+        # If we're importing tasks
+        if ansible_module in ("include_tasks", "import_tasks"):
+            # If the task uses the 'vars' section to set variables
+            our_vars = task.get("vars", {})
+            for key in our_vars:
+                match_error = self.get_var_naming_matcherror(key, role=role_name)
+                if match_error:
+                    match_error.filename = filename
+                    match_error.lineno = our_vars[LINE_NUMBER_KEY]
+                    match_error.message += f" (vars: {key})"
+                    results.append(match_error)
+
+        # if the task imports a role, then prefix should match the target role
+        elif ansible_module in ("include_role", "import_role"):
+            ext_role = task.get("action")["name"].split(".")[-1]
+            our_vars = task.get("vars", {})
+            for key in our_vars:
+                match_error = self.get_var_naming_matcherror(key, role=ext_role)
+                if match_error:
+                    match_error.filename = filename
+                    match_error.lineno = our_vars[LINE_NUMBER_KEY]
+                    match_error.message += f" (vars: {key})"
+                    results.append(match_error)
+
+        # If the task uses the 'set_fact' module
+        elif ansible_module == "set_fact":
+            for key in filter(
+                lambda x: isinstance(x, str)
+                and not x.startswith("__")
+                and x != "cacheable",
+                task["action"].keys(),
+            ):
+                match_error = self.get_var_naming_matcherror(key, role=role_name)
+                if match_error:
+                    match_error.filename = filename
+                    match_error.lineno = task["action"][LINE_NUMBER_KEY]
+                    match_error.message += f" (set_fact: {key})"
+                    results.append(match_error)
+        else:
+            pass
+
+        # If the task registers a variable
+        registered_var = task.get("register", None)
+        if registered_var:
+            match_error = self.get_var_naming_matcherror(
+                registered_var, role=role_name, private=True
+            )
+            if match_error:
+                match_error.message += f" (register: {registered_var})"
+                match_error.filename = filename
+                match_error.lineno = task[LINE_NUMBER_KEY]
+                results.append(match_error)
+
+        return results
