* Replace FreeBSD 14.3 with 14.4, and macOS 15.3 with 26.3.
* FreeBSD 14.4 seems to have the same problem as FreeBSD 15.0, disabling for now.
(cherry picked from commit b4336659f6)
CI: Replace apt_repository and apt_key with deb822_repository (#11625)
Replace apt_repository and apt_key with deb822_repository.
(cherry picked from commit bc22fbcaa0)
Co-authored-by: Felix Fontein <felix@fontein.de>
merge_variables: extended merge capabilities added (#11536)
* merge_variables: extended merge capabilities added
This extension gives you more control over the variable merging process of the lookup plugin `merge_variables`. It closes the gap between Puppet's Hiera merging capabilities and the limitations of Ansible's default variable plugin `host_group_vars` regarding fragment-based value definition. You can now decide which merge strategy should be applied to dicts, lists, and other types. Furthermore, you can specify a merge strategy that should be applied in case of type conflicts.
The default behavior of the plugin has been preserved so that it is fully backward-compatible with the already implemented state.
* Update changelogs/fragments/11536-merge-variables-extended-merging-capabilities.yml
* Update plugins/lookup/merge_variables.py
* Periods added at the end of each choice description
* Update plugins/lookup/merge_variables.py
* ref: follow project standard for choice descriptions
* ref: more examples added and refactoring
* Update plugins/lookup/merge_variables.py
* ref: some more comments to examples added
* fix: unused import removed
* ref: re-add "merge" to strategy map
* Update comments
* Specification of transformations solely as string
* Comments updated
* ref: `append_rp` and `prepend_rp` removed
feat: options dict for list transformations re-added
feat: allow setting `keep` for dedup transformation with possible values: `first` (default) and `last`
* ref: improve options documentation
* ref: documentation improved, avoiding words like newer or older in merge description
* Update plugins/lookup/merge_variables.py
* ref: "prio" replaced by "dict"
* feat: two integration tests added
---------
(cherry picked from commit dae2157bb7)
Signed-off-by: Fiehe Christoph <c.fiehe@eurodata.de>
Co-authored-by: Christoph Fiehe <cfiehe@users.noreply.github.com>
Co-authored-by: Fiehe Christoph <c.fiehe@eurodata.de>
Co-authored-by: Felix Fontein <felix@fontein.de>
Co-authored-by: Mark <40321020+m-a-r-k-e@users.noreply.github.com>
nictagadm: don't call is_valid_mac when etherstub is true (#11589)
* nictagadm: don't call is_valid_mac when etherstub is true
* Add changelog fragment
* update changelog fragment
* Shorten changelog fragement
* Update changelogs/fragments/nictagadm-etherstub-nonetype-bugfix.yml
---------
(cherry picked from commit d8bb637cba)
Co-authored-by: Adam D <44533090+emptyDir@users.noreply.github.com>
Co-authored-by: Felix Fontein <felix@fontein.de>
github_secrets_info: new module (#11586)
* github_secrets_info: new module
* clean tests
* remove pynacl dep
* fqcn
* remove excess output
* just return result as sample
* only print secrets, adapt tests
* Update plugins/modules/github_secrets_info.py
* Update plugins/modules/github_secrets_info.py
* Update plugins/modules/github_secrets_info.py
* t is for typing, and typing is what we did
* add info_module attributes
---------
(cherry picked from commit df9b30448a)
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
Co-authored-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
Co-authored-by: Felix Fontein <felix@fontein.de>
github_secrets: new module (#11514)
* add support for managing GitHub secrets
* fix tab
* update for sanity
* more sanity fixes
* update botmeta
* formating
* remove list function
* remove docstring, format text strings and return codes
* switch to deps
* black and ruff doesnt get along
* initial unit tests
* update non-existing secret test
* update description and details
* handle when a secret cant be deleted
* fail if not acceptable error codes
* add test for non-acceptable status codes
* remove local ruff config
* allow empty strings
* set required_
* extend tests
* cleanup
* cover all, got a git urlopen error
* cover all, got a git urlopen error
* ensure value cant be None
* check_mode
* bump to 12.5.0
* Update plugins/modules/github_secrets.py
* extend check_mode and related tests
* split constants and return dict when checking secret
* switch to HTTPStatus
* replace DELETE and UPDATE with NO_CONTENT
* Update plugins/modules/github_secrets.py
* Update plugins/modules/github_secrets.py
* update tests
* Update plugins/modules/github_secrets.py
* Update plugins/modules/github_secrets.py
* Update plugins/modules/github_secrets.py
* Update plugins/modules/github_secrets.py
* Update plugins/modules/github_secrets.py
---------
(cherry picked from commit 46ffec6f0e)
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
Co-authored-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
Co-authored-by: Felix Fontein <felix@fontein.de>
ipa_dnsrecord fix error when using dnsttl and nothing to change (#11559)
* ipa_dnsrecord fix error when using dnsttl and nothing to change
* Add changelog and bump version
* ipa_dnsrecord list comp in dnsrecord_find
* 11559 changelog fragment fix capitalization
* ipa_dnsrecord dnsrecord_find ttl transform to integer always
* ipa_dnsrecord dnsrecord_find method refactor
---------
(cherry picked from commit 3194ed9d36)
Co-authored-by: Dor Breger <75537576+DorBreger@users.noreply.github.com>
Co-authored-by: Felix Fontein <felix@fontein.de>
New module: `logrotate` (#11424)
* add module logrotate
* add values for start
* fix docs
* version 12.5.0 and fix test
---------
(cherry picked from commit f0e3edc892)
Co-authored-by: Aleksandr Gabidullin <101321307+a-gabidullin@users.noreply.github.com>
Co-authored-by: Александр Габидуллин <agabidullin@astralinux.ru>
Binary attribute support for `ldap_attrs` and `ldap_entry` (#11558)
* Binary attribute support for `ldap_attrs` and `ldap_entry`
This commit implements binary attribute support for the `ldap_attrs` and
`ldap_entry` plugins. This used to be "supported" before, because it was
possible to simply load arbitrary binary data into the attributes, but
no longer functions on recent Ansible versions.
In order to support binary attributes, this commit introduces two new
options to both plugins:
* `binary_attributes`, a list of attribute names which will be
considered as being binary,
* `honor_binary_option`, a flag which is true by default and will
handle all attributes that include the binary option (see RFC 4522)
as binary automatically.
When an attribute is determined to be binary through either of these
means, the plugin will assume that the attribute's value is in fact
base64-encoded. It will proceed to decode it and handle it accordingly.
While changes to `ldap_entry` are pretty straightforward, more work was
required on `ldap_attrs`.
* First, because both `present` and `absent` state require checking
the attribute's current values and normally do that using LDAP search
queries for each value, a specific path for binary attributes was
added that loads and caches all values for the attribute and compares
the values in the Python code.
* In addition, generating both the modlist and the diff output require
re-encoding binary attributes' values into base64 so it can be
transmitted back to Ansible.
* Various fixes on `ldap_attrs`/`ldap_entry` from PR 11558 discussion
* Rename `honor_binary_option` to `honor_binary`
* Add some general documentation about binary attributes
* Fix changelog fragment after renaming one of the new options
* Add examples of `honor_binary` and `binary_attributes`
* Add note that indicates that binary values are supported from 12.5.0+
* Fix punctuation
* Add links to RFC 4522 to `ldap_attrs` and `ldap_entry`
* Catch base64 decoding errors
* Rephrase changelog fragment
* Use f-string to format the encoding error message
(cherry picked from commit 0e4783dcc3)
Co-authored-by: Emmanuel Benoît <tseeker@nocternity.net>
nmcli: fix idempotency issue with macvlan (#11551)
* nmcli: fix idempotency issue with macvlan
The nmcli module is not idempotent for macvlan interfaces.
Ansible running in diff mode for a case where the interface in question
already exists:
```
TASK [nm_macvlan : Check macvlan connection] *********************************************************************************
--- before
+++ after
@@ -11,5 +11,5 @@
"ipv6.method": "disabled",
"macvlan.mode": "2",
"macvlan.parent": "eth0",
- "macvlan.tap": "no"
+ "macvlan.tap": "False"
}
```
The problem is that `macvlan.tap` isn't treated as boolean option. Fix it.
* Update changelogs/fragments/11551-fix-nmcli-idempotency-for-macvlan.yml
---------
(cherry picked from commit 1554f23bfb)
Co-authored-by: Martin Wilck <mwilck@suse.com>
Co-authored-by: Felix Fontein <felix@fontein.de>
keycloak_authentication: fix TypeError when flow has no authenticationExecutions (#11548)
* TIAAS-12174: fix(keycloak_authentication): handle None authenticationExecutions
When a flow is defined without authenticationExecutions, module.params.get()
returns None but the key still exists in the config dict. The 'in' check
passes but iterating over None raises TypeError.
Guard the iteration with an explicit None check.
* keycloak_authentication: add changelog fragment for NoneType fix
* keycloak_authentication: update changelog fragment with PR link
* Update plugins/modules/keycloak_authentication.py
* Changelog polishing
---------
(cherry picked from commit 2f33ff1041)
Co-authored-by: Ivan Kokalovic <67540157+koke1997@users.noreply.github.com>
Co-authored-by: Ivan Kokalovic <ivan.kokalovic@example.com>
Co-authored-by: Felix Fontein <felix@fontein.de>
Allow setting of independent custom domain for incus inventory (#11555)
Allowing the domain suffix to be appended independent of the `host_fqdn`
setting enables the inventory plugin to construct proper FQDNs if a
network has the `dns.domain` property set. Otherwise you would always
end up with something like `host01.project.local.example.net` despite
`host01.example.net` being the expected result.
(cherry picked from commit 71f8c15d2e)
Co-authored-by: Roland Sommer <rol@ndsommer.de>
Update links to iocage. Current iocage documentation is at freebsd.gi… (#11552)
Update links to iocage. Current iocage documentation is at freebsd.github.io/iocage/
(cherry picked from commit aaef821f60)
Co-authored-by: Vladimir Botka <vbotka@gmail.com>
Fix description error in CONTRIBUTING.md (#11538)
Fix text error in CONTRIBUTING.md.
Updated instructions for running format tests.
(cherry picked from commit 8929caece6)
Co-authored-by: IamLunchbox <56757745+IamLunchbox@users.noreply.github.com>
Simplify and extend from_ini tests (#11534)
Simplify and extend from_ini tests.
(cherry picked from commit e118b23ba0)
Co-authored-by: Felix Fontein <felix@fontein.de>
New module icinga2_downtime (#11462)
* feat: Icinga 2 downtime module added allowing to schedule and remove downtimes through its REST API.
* ensure compatibility with ModuleTestCase
feat: errors raised from MH now contain the changed flag
ref: move module exit out of the decorated run method
* revised module
ref: module refactored using StateModuleHelper now
ref: suggested changes by reviewer added
* revert change regarding changed flag in MH
* refactoring and set changed flag explicitly on error
* Check whether there was a state change on module failure removed.
* ref: test cases migrated to the new feature that allows passing through exceptions
* Update plugins/module_utils/icinga2.py
* Update plugins/module_utils/icinga2.py
* Update plugins/modules/icinga2_downtime.py
* ref: make module helper private
* fix: ensure that all non-null values are added to the request otherwise a `false` value is dropped
* ref: module description extended with the note that check mode is not supported
* Update plugins/modules/icinga2_downtime.py
* fix: documentation updated
* ref: documentation updated
ref: doc fragment added
* Update plugins/doc_fragments/icinga2_api.py
* ref: doc fragment renamed to `_icinga2_api.py`
* ref: maintainer to doc fragment in BOTMETA.yml added
* Update plugins/modules/icinga2_downtime.py
* Update plugins/modules/icinga2_downtime.py
* Update plugins/modules/icinga2_downtime.py
---------
(cherry picked from commit ce7cb4e914)
Signed-off-by: Fiehe Christoph <c.fiehe@eurodata.de>
Co-authored-by: Christoph Fiehe <cfiehe@users.noreply.github.com>
Co-authored-by: Fiehe Christoph <c.fiehe@eurodata.de>
Co-authored-by: Felix Fontein <felix@fontein.de>
Co-authored-by: Alexei Znamensky <103110+russoz@users.noreply.github.com>
adds parameter delimiters to from_ini filter (#11512)
* adds parameter delimiters to from_ini filter
fixes issue #11506
* adds changelog fragment
* fixes pylint dangerous-default-value / W0102
* does not assume default delimiters
let that be decided in the super class
* Update plugins/filter/from_ini.py
verbose description
* Update changelogs/fragments/11512-from_ini-delimiters.yaml
* adds input validation
* adss check for delimiters not None
* adds missing import
* removes the negation
* adds suggestions from russoz
* adds ruff format suggestion
---------
(cherry picked from commit aec0e61ba1)
Co-authored-by: Robert Sander <github@gurubert.de>
Co-authored-by: Felix Fontein <felix@fontein.de>
add support for localizationTexts in keycloak_realm.py (#11513)
* add support for localizationTexts in keycloak_realm.py
* add changelog fragment
* change version added to next minor release
* Update changelogs/fragments/11513-keycloak-realm-localizationTexts-support.yml
* Update plugins/modules/keycloak_realm.py
---------
(cherry picked from commit 0e184d24cf)
Co-authored-by: nwintering <33374766+nwintering@users.noreply.github.com>
Co-authored-by: Alexei Znamensky <103110+russoz@users.noreply.github.com>
reduce collection build time with build_ignore (#11523)
* reduce build time with build_ignore
* just ignore .nox
---------
(cherry picked from commit 1ae058db63)
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
Co-authored-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
New Callback plugin: `loganalytics_ingestion` adding Azure Log Analytics Ingestion (#10306)
* Add Azure Log Analytics Ingestion API plugin
The Ingestion API allows sending data to a Log Analytics workspace in
Azure Monitor.
* Fix LogAnalytics Ingestion shebang
* Fix Log Analytics Ingestion pep8 tests
* Fix Log Analytics Ingestion pylint tests
* Fix Log Analytics Ingestion import tests
* Fix Log Analytics Ingestion pylint test
* Add Log Analytics Ingestion auth timeout
Previous behavior was to use the 'request' module's default timeout;
this makes auth timeout value consistent with the task submission
timeout value.
* Display Log Analytics Ingestion event data as JSON
Previous behavior was to display the data as a Python dictionary.
The new behavior makes it easier to generate a sample JSON file in order
to import into Azure when creating the table.
* Add Azure Log Analytics Ingestion timeout param
This parameter controls how long the plugin will wait for an HTTP response
from the Azure Log Analytics API before considering the request a failure.
Previous behavior was hardcoded to 2 seconds.
* Fix Azure Log Ingestion unit test
The class instantiation was missing an additional argument that was added
in a previous patch; add it. Converting to JSON also caused the Mock
TaskResult object to throw a serialization error; override the function
for JSON conversion to just return bogus data instead.
* Fix loganalytics_ingestion linter errors
* Fix LogAnalytics Ingestion env vars
Prefix the LogAnalytics Ingestion plugin's environment variable names
with 'ANSIBLE_' in order to align with plugin best practices.
* Remove LogAnalytics 'requests' dep from docs
The LogAnalytics callback plugin does not actually require 'requests',
so remove it from the documented dependencies.
* Refactor LogAnalytics Ingestion to use URL utils
This replaces the previous behavior of depending on the external
'requests' library.
* Simplify LogAnalytics Ingestion token valid check
* Remove LogAnalytics Ingestion extra arg validation
Argument validation should be handled by ansible-core, so remove the
extra argument validation in the plugin itself.
* Update LogAnalytics Ingestion version added
* Remove LogAnalytics Ingestion coding marker
The marker is no longer needed as Python2 is no longer supported.
* Fix some LogAnalytics Ingestion grammar errors
* Refactor LogAnalytics Ingestion plugin messages
Consistently use "plugin" instead of module, and refer to the module by
its FQCN instead of its prose name.
* Remove LogAnalytics Ingestion extra logic
A few unused vars were being set; stop setting them.
* Fix LogAnalytics Ingestion nox sanity tests
* Fix LogAnalytics Ingestion unit tests
The refactor to move away from the 'requests' dependency to use
module_utils broke the plugin's unit tests; re-write the plugin's unit
tests for module_utils.
* Add nox formatting to LogAnalytics Ingestion
* Fix Log Analytics Ingestion urllib import
Remove the compatibility import via 'six' for 'urllib' since Python 2
support is no longer supported.
* Bump LogAnalytics Ingestion plugin version added
* Remove LogAnalytics Ingestion required: false docs
Required being false is the default, so no need to explicitly add it.
* Simplify LogAnalytics Ingestion role name logic
* Clean LogAnalytics Ingestion redundant comments
* Clean LogAnalytics Ingestion unit test code
Rename all Mock objects to use snake_case and consistently use '_mock'
as a suffix instead of sometimes using it as a prefix and sometimes
using it as a suffix.
* Refactor LogAnalytics Ingestion unit tests
Move all of the tests outside of the 'setUp' method.
* Refactor LogAnalytics Ingestion test
Add a test to validate that part of the contents sent match what was
supposed to be sent.
* Refactor LogAnalytics Ingestion test
Make the names consistent again.
* Add LogAnalytics Ingestion sample data docs
* Apply suggestions from code review
---------
(cherry picked from commit 38f93c80f1)
Co-authored-by: wtcline-intc <wade.cline@intel.com>
Co-authored-by: Felix Fontein <felix@fontein.de>
keycloak_user_rolemapping: handle None response for client role lookup (#11471)
* fix(keycloak_user_rolemapping): handle None response for client role lookup
When adding a client role to a user who has no existing roles for that
client, get_client_user_rolemapping_by_id() returns None. The existing
code indexed directly into the result causing a TypeError. Add the same
None check that already existed for realm roles since PR #11256.
Fixes#10960
* fix(tests): use dict format for task vars in keycloak_user_rolemapping tests
Task-level vars requires a YAML mapping, not a sequence. The leading
dash (- roles:) produced a list instead of a dict, which ansible-core
2.20 rejects with "Vars in a Task must be specified as a dictionary".
* Update changelogs/fragments/keycloak-user-rolemapping-client-none-check.yml
---------
(cherry picked from commit 34938ca1ef)
Co-authored-by: Ivan Kokalovic <67540157+koke1997@users.noreply.github.com>
Co-authored-by: Felix Fontein <felix@fontein.de>
keycloak_realm_key: add full support for all Keycloak key providers (#11468)
* feat(keycloak_realm_key): add support for auto-generated key providers
Add support for Keycloak's auto-generated key providers where Keycloak
manages the key material automatically:
- rsa-generated: Auto-generates RSA signing keys
- hmac-generated: Auto-generates HMAC signing keys
- aes-generated: Auto-generates AES encryption keys
- ecdsa-generated: Auto-generates ECDSA signing keys
New algorithms:
- HMAC: HS256, HS384, HS512
- ECDSA: ES256, ES384, ES512
- AES: AES (no algorithm parameter needed)
New config options:
- secret_size: For HMAC/AES providers (key size in bytes)
- key_size: For RSA-generated provider (key size in bits)
- elliptic_curve: For ECDSA-generated provider (P-256, P-384, P-521)
Changes:
- Make private_key/certificate optional (only required for rsa/rsa-enc)
- Add provider-algorithm validation with clear error messages
- Fix KeyError when managing default realm keys (issue #11459)
- Maintain backward compatibility: RS256 default works for rsa/rsa-generated
Fixes: #11459
* fix: address sanity test failures
- Add 'default: RS256' to algorithm documentation to match spec
- Add no_log=True to secret_size parameter per sanity check
* feat(keycloak_realm_key): extend support for all Keycloak key providers
Add support for remaining auto-generated key providers:
- rsa-enc-generated (RSA encryption keys with RSA1_5, RSA-OAEP, RSA-OAEP-256)
- ecdh-generated (ECDH key exchange with ECDH_ES, ECDH_ES_A128KW/A192KW/A256KW)
- eddsa-generated (EdDSA signing with Ed25519, Ed448 curves)
Changes:
- Add provider-specific elliptic curve config key mapping
(ecdsaEllipticCurveKey, ecdhEllipticCurveKey, eddsaEllipticCurveKey)
- Add PROVIDERS_WITHOUT_ALGORITHM constant for providers that don't need algorithm
- Add elliptic curve validation per provider type
- Update documentation with all supported algorithms and examples
- Add comprehensive integration tests for all new providers
This completes full coverage of all Keycloak key provider types.
* style: apply ruff formatting
* feat(keycloak_realm_key): add java-keystore provider and update_password
Add support for java-keystore provider to import keys from Java
Keystore (JKS or PKCS12) files on the Keycloak server filesystem.
Add update_password parameter to control password handling for
java-keystore provider:
- always (default): Always send passwords to Keycloak
- on_create: Only send passwords when creating, preserve existing
passwords when updating (enables idempotent playbooks)
The on_create mode sends the masked value ("**********") that Keycloak
recognizes as "preserve existing password", matching the behavior when
re-importing an exported realm.
Replace password_checksum with update_password - the checksum approach
was complex and error-prone. The update_password parameter is simpler
and follows the pattern used by ansible.builtin.user module.
Also adds key_info return value containing kid, certificate fingerprint,
status, and expiration for java-keystore keys.
* address PR review feedback
- Remove no_log=True from secret_size (just an int, not sensitive)
- Add version_added: 12.4.0 to new parameters and return values
- Remove "Added in community.general 12.4.0" from description text
- Consolidate changelog entries into 4 focused entries
- Remove bugfix from changelog (now in separate PR #11470)
* address review feedback from russoz and felixfontein
- remove docstrings from module-local helpers
- remove line-by-line comments and unnecessary null guard
- use specific exceptions instead of bare except Exception
- use module.params["key"] instead of .get("key")
- consolidate changelog into single entry
- avoid "complete set" claim, reference Keycloak 26 instead
* address round 2 review feedback
- Extract remove_sensitive_config_keys() helper (DRY refactor)
- Simplify RS256 validation to single code path
- Add TypeError to inner except in compute_certificate_fingerprint()
- Remove redundant comments (L812, L1031)
- Switch .get() to direct dict access for module.params
(cherry picked from commit 80d21f2a0d)
Co-authored-by: Ivan Kokalovic <67540157+koke1997@users.noreply.github.com>
keycloak_realm_localization: new module - realm localization control (#10841)
* add support for management of keycloak localizations
* unit test for keycloak localization support
* keycloak_realm_localization botmeta record
* rev: improvements after code review
(cherry picked from commit 986118c0af)
Co-authored-by: Jakub Danek <danekja@users.noreply.github.com>
ModuleHelper: ensure compatibility with `ModuleTestCase` (#11488)
* ModuleHelper: ensure compatibility with `ModuleTestCase`.
This change allows to configure the `module_fails_on_exception` decorator by passing a tuple of exception types that should not be handled by the decorator itself. In the context of `ModuleTestCase`, use `(AnsibleExitJson, AnsibleFailJson)` to let them pass through the decorator without modification.
* Another approach allowing user-defined exception types to pass through the decorator. When the decorator should have no arguments at all, we must hard code the name of the attribute that is looked up on self.
* Approach that removes decorator parametrization and relies on an object/class variable named `unhandled_exceptions`.
* context manager implemented that allows to pass through some exception types
* Update changelogs/fragments/11488-mh-ensure-compatibiliy-with-module-tests.yml
* Exception placeholder added
---------
(cherry picked from commit 5e0fd1201c)
Signed-off-by: Fiehe Christoph <c.fiehe@eurodata.de>
Co-authored-by: Christoph Fiehe <cfiehe@users.noreply.github.com>
Co-authored-by: Fiehe Christoph <c.fiehe@eurodata.de>
Co-authored-by: Felix Fontein <felix@fontein.de>
keycloak module utils: group search optimization (#11503)
* Updated get_group_by_name with a query based lookup for improved speed
* Add changelog fragment for keycloak group search optimization
* Address review feedback: update changelog text and reformat code with ruff
* improved changelog fragment
* Update changelogs/fragments/11503-keycloak-group-search-optimization.yml
---------
(cherry picked from commit 85a0deeeba)
Co-authored-by: Andreas Wegmann <andreas.we9mann@gmail.com>
Co-authored-by: Felix Fontein <felix@fontein.de>
seport: Add support for dccp and sctp protocols (#11486)
Support for dccp and sctp protocols were added to SELinux userspace
python libraries in 3.0 version release in November 2019.
(cherry picked from commit c05c31334b)
Co-authored-by: Petr Lautrbach <lautrbach@redhat.com>
