project: fix var-spacing ansible rule (#10266)

* project: fix var-spacing ansible rule

Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch>

* project: fix spacing on the beginning/end of jinja template

Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch>

* project: fix spacing of default filter

Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch>

* project: fix spacing between filter arguments

Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch>

* project: fix double space at beginning/end of jinja

Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch>

* project: fix remaining jinja[spacing] ansible-lint warning

Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch>

---------

Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch>
Arthur Outhenin-Chalandre
2023-07-05 05:36:54 +02:00
committed by GitHub
parent f8b93fa88a
commit 5d00b851ce
178 changed files with 767 additions and 733 deletions


@@ -111,4 +111,4 @@ kube_proxy_oom_score_adj: -999
# portRange is the range of host ports (beginPort-endPort, inclusive) that may be consumed
# in order to proxy service traffic. If unspecified, 0, or (0-0) then ports will be randomly chosen.
kube_proxy_port_range: ''
kube_proxy_port_range: ''


@@ -5,7 +5,7 @@ upgrade_cluster_setup: false
# By default the external API listens on all interfaces, this can be changed to
# listen on a specific address/interface.
# NOTE: If you specific address/interface and use loadbalancer_apiserver_localhost
# loadbalancer_apiserver_localhost (nginx/haproxy) will deploy on masters on 127.0.0.1:{{ loadbalancer_apiserver_port|default(kube_apiserver_port) }} too.
# loadbalancer_apiserver_localhost (nginx/haproxy) will deploy on masters on 127.0.0.1:{{ loadbalancer_apiserver_port | default(kube_apiserver_port) }} too.
kube_apiserver_bind_address: 0.0.0.0
# A port range to reserve for services with NodePort visibility.
@@ -181,12 +181,12 @@ kube_encryption_resources: [secrets]
# If non-empty, will use this string as identification instead of the actual hostname
kube_override_hostname: >-
{%- if cloud_provider is defined and cloud_provider in [ 'aws' ] -%}
{%- if cloud_provider is defined and cloud_provider in ['aws'] -%}
{%- else -%}
{{ inventory_hostname }}
{%- endif -%}
secrets_encryption_query: "resources[*].providers[0].{{kube_encryption_algorithm}}.keys[0].secret"
secrets_encryption_query: "resources[*].providers[0].{{ kube_encryption_algorithm }}.keys[0].secret"
## Support tls min version, Possible values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13.
# tls_min_version: ""


@@ -8,7 +8,7 @@
- name: Set fact joined_control_panes
set_fact:
joined_control_planes: "{{ ((kube_control_planes_raw.stdout| from_json)['items'])| default([]) | map (attribute='metadata') | map (attribute='name') | list }}"
joined_control_planes: "{{ ((kube_control_planes_raw.stdout | from_json)['items']) | default([]) | map(attribute='metadata') | map(attribute='name') | list }}"
delegate_to: item
loop: "{{ groups['kube_control_plane'] }}"
when: kube_control_planes_raw is succeeded
@@ -16,4 +16,4 @@
- name: Set fact first_kube_control_plane
set_fact:
first_kube_control_plane: "{{ joined_control_planes|default([]) | first | default(groups['kube_control_plane']|first) }}"
first_kube_control_plane: "{{ joined_control_planes | default([]) | first | default(groups['kube_control_plane'] | first) }}"
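Review bot: `delegate_to: item` in the first hunk is a literal host name rather than the loop variable; it looks like `delegate_to: "{{ item }}"` was intended. Since `set_fact` without `delegate_facts: true` stores the fact on the current host either way, the delegation and the `loop` may not be needed at all, which is worth confirming against the rest of the task, part of which may lie outside the hunk. The task name also reads `joined_control_panes` while the fact it sets is `joined_control_planes`.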


@@ -1,6 +1,7 @@
---
- name: Set kubeadm_discovery_address
set_fact:
# noqa: jinja[spacing]
kubeadm_discovery_address: >-
{%- if "127.0.0.1" in kube_apiserver_endpoint or "localhost" in kube_apiserver_endpoint -%}
{{ first_kube_control_plane_address }}:{{ kube_apiserver_port }}
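Review bot: The `# noqa: jinja[spacing]` line inside `set_fact` gives no reason for the suppression, so a later reader cannot tell whether the rule is disabled on purpose for the folded block below or left over by accident. A one-line reason above it would help, along the lines of `# jinja[spacing] is suppressed here because the linter cannot reformat the multi-line {%- if -%} block` (adjust to the actual reason). The `kubeadm_discovery_address` block scalar continues outside the hunk.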


@@ -52,26 +52,26 @@
path: "{{ audit_policy_file | dirname }}"
state: directory
mode: 0640
when: kubernetes_audit|default(false) or kubernetes_audit_webhook|default(false)
when: kubernetes_audit | default(false) or kubernetes_audit_webhook | default(false)
- name: Write api audit policy yaml
template:
src: apiserver-audit-policy.yaml.j2
dest: "{{ audit_policy_file }}"
mode: 0640
when: kubernetes_audit|default(false) or kubernetes_audit_webhook|default(false)
when: kubernetes_audit | default(false) or kubernetes_audit_webhook | default(false)
- name: Write api audit webhook config yaml
template:
src: apiserver-audit-webhook-config.yaml.j2
dest: "{{ audit_webhook_config_file }}"
mode: 0640
when: kubernetes_audit_webhook|default(false)
when: kubernetes_audit_webhook | default(false)
# Nginx LB(default), If kubeadm_config_api_fqdn is defined, use other LB by kubeadm controlPlaneEndpoint.
- name: set kubeadm_config_api_fqdn define
set_fact:
kubeadm_config_api_fqdn: "{{ apiserver_loadbalancer_domain_name|default('lb-apiserver.kubernetes.local') }}"
kubeadm_config_api_fqdn: "{{ apiserver_loadbalancer_domain_name | default('lb-apiserver.kubernetes.local') }}"
when: loadbalancer_apiserver is defined
- name: Set kubeadm api version to v1beta3
@@ -100,8 +100,8 @@
- name: kubeadm | Push admission control config files
template:
src: "{{ item|lower }}.yaml.j2"
dest: "{{ kube_config_dir }}/admission-controls/{{ item|lower }}.yaml"
src: "{{ item | lower }}.yaml.j2"
dest: "{{ kube_config_dir }}/admission-controls/{{ item | lower }}.yaml"
mode: 0640
when:
- kube_apiserver_admission_control_config_file
@@ -123,8 +123,8 @@
register: apiserver_sans_host_check
changed_when: apiserver_sans_host_check.stdout is not search('does match certificate')
vars:
apiserver_ips: "{{ apiserver_sans|map('ipaddr')|reject('equalto', False)|list }}"
apiserver_hosts: "{{ apiserver_sans|difference(apiserver_ips) }}"
apiserver_ips: "{{ apiserver_sans | map('ipaddr') | reject('equalto', False) | list }}"
apiserver_hosts: "{{ apiserver_sans | difference(apiserver_ips) }}"
when:
- kubeadm_already_run.stat.exists
- not kube_external_ca_mode
@@ -186,7 +186,7 @@
- name: set kubeadm certificate key
set_fact:
kubeadm_certificate_key: "{{ item | regex_search('--certificate-key ([^ ]+)','\\1') | first }}"
kubeadm_certificate_key: "{{ item | regex_search('--certificate-key ([^ ]+)', '\\1') | first }}"
with_items: "{{ hostvars[groups['kube_control_plane'][0]]['kubeadm_init'].stdout_lines | default([]) }}"
when:
- kubeadm_certificate_key is not defined
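Review bot: The `set kubeadm certificate key` task in the last hunk loops over the raw `kubeadm_init` stdout lines to extract the `--certificate-key` value, so the line carrying the key can show up as the loop item label in Ansible's output and in any log that captures it. Unless the part of the task outside this hunk already does so, add `no_log: true` (or a `loop_control` with a neutral `label`) to keep the key out of run logs. Separately, the audit policy directory in the first hunk is created with `mode: 0640`, which leaves a directory without a search bit; `0750` looks intended, though that task starts outside the hunk.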


@@ -8,14 +8,14 @@
src: webhook-token-auth-config.yaml.j2
dest: "{{ kube_config_dir }}/webhook-token-auth-config.yaml"
mode: 0640
when: kube_webhook_token_auth|default(false)
when: kube_webhook_token_auth | default(false)
- name: Create webhook authorization config
template:
src: webhook-authorization-config.yaml.j2
dest: "{{ kube_config_dir }}/webhook-authorization-config.yaml"
mode: 0640
when: kube_webhook_authorization|default(false)
when: kube_webhook_authorization | default(false)
- name: Create kube-scheduler config
template:


@@ -6,7 +6,7 @@
with_items:
- ["kube-apiserver", "kube-controller-manager", "kube-scheduler"]
register: kube_apiserver_manifest_replaced
when: etcd_secret_changed|default(false)
when: etcd_secret_changed | default(false)
- name: "Pre-upgrade | Delete master containers forcefully" # noqa no-handler
shell: "set -o pipefail && docker ps -af name=k8s_{{ item }}* -q | xargs --no-run-if-empty docker rm -f"


@@ -4,6 +4,6 @@ plugins:
{% for plugin in kube_apiserver_enable_admission_plugins %}
{% if plugin in kube_apiserver_admission_plugins_needs_configuration %}
- name: {{ plugin }}
path: {{ kube_config_dir }}/{{ plugin|lower }}.yaml
path: {{ kube_config_dir }}/{{ plugin | lower }}.yaml
{% endif %}
{% endfor %}


@@ -13,7 +13,7 @@ localAPIEndpoint:
certificateKey: {{ kubeadm_certificate_key }}
{% endif %}
nodeRegistration:
{% if kube_override_hostname|default('') %}
{% if kube_override_hostname | default('') %}
name: {{ kube_override_hostname }}
{% endif %}
{% if inventory_hostname in groups['kube_control_plane'] and inventory_hostname not in groups['kube_node'] %}
@@ -89,7 +89,7 @@ etcd:
{% endfor %}
{% endif %}
dns:
imageRepository: {{ coredns_image_repo | regex_replace('/coredns(?!/coredns).*$','') }}
imageRepository: {{ coredns_image_repo | regex_replace('/coredns(?!/coredns).*$', '') }}
imageTag: {{ coredns_image_tag }}
networking:
dnsDomain: {{ dns_domain }}
@@ -100,7 +100,7 @@ networking:
{% if kubeadm_feature_gates %}
featureGates:
{% for feature in kubeadm_feature_gates %}
{{ feature|replace("=", ": ") }}
{{ feature | replace("=", ": ") }}
{% endfor %}
{% endif %}
kubernetesVersion: {{ kube_version }}
@@ -124,13 +124,13 @@ apiServer:
{% endif %}
authorization-mode: {{ authorization_modes | join(',') }}
bind-address: {{ kube_apiserver_bind_address }}
{% if kube_apiserver_enable_admission_plugins|length > 0 %}
{% if kube_apiserver_enable_admission_plugins | length > 0 %}
enable-admission-plugins: {{ kube_apiserver_enable_admission_plugins | join(',') }}
{% endif %}
{% if kube_apiserver_admission_control_config_file %}
admission-control-config-file: {{ kube_config_dir }}/admission-controls.yaml
{% endif %}
{% if kube_apiserver_disable_admission_plugins|length > 0 %}
{% if kube_apiserver_disable_admission_plugins | length > 0 %}
disable-admission-plugins: {{ kube_apiserver_disable_admission_plugins | join(',') }}
{% endif %}
apiserver-count: "{{ kube_apiserver_count }}"
@@ -144,13 +144,13 @@ apiServer:
profiling: "{{ kube_profiling }}"
request-timeout: "{{ kube_apiserver_request_timeout }}"
enable-aggregator-routing: "{{ kube_api_aggregator_routing }}"
{% if kube_token_auth|default(true) %}
{% if kube_token_auth | default(true) %}
token-auth-file: {{ kube_token_dir }}/known_tokens.csv
{% endif %}
{% if kube_apiserver_service_account_lookup %}
service-account-lookup: "{{ kube_apiserver_service_account_lookup }}"
{% endif %}
{% if kube_oidc_auth|default(false) and kube_oidc_url is defined and kube_oidc_client_id is defined %}
{% if kube_oidc_auth | default(false) and kube_oidc_url is defined and kube_oidc_client_id is defined %}
oidc-issuer-url: "{{ kube_oidc_url }}"
oidc-client-id: "{{ kube_oidc_client_id }}"
{% if kube_oidc_ca_file is defined %}
@@ -169,17 +169,17 @@ apiServer:
oidc-groups-prefix: "{{ kube_oidc_groups_prefix }}"
{% endif %}
{% endif %}
{% if kube_webhook_token_auth|default(false) %}
{% if kube_webhook_token_auth | default(false) %}
authentication-token-webhook-config-file: {{ kube_config_dir }}/webhook-token-auth-config.yaml
{% endif %}
{% if kube_webhook_authorization|default(false) %}
{% if kube_webhook_authorization | default(false) %}
authorization-webhook-config-file: {{ kube_config_dir }}/webhook-authorization-config.yaml
{% endif %}
{% if kube_encrypt_secret_data %}
encryption-provider-config: {{ kube_cert_dir }}/secrets_encryption.yaml
{% endif %}
storage-backend: {{ kube_apiserver_storage_backend }}
{% if kube_api_runtime_config|length > 0 %}
{% if kube_api_runtime_config | length > 0 %}
runtime-config: {{ kube_api_runtime_config | join(',') }}
{% endif %}
allow-privileged: "true"
@@ -223,24 +223,24 @@ apiServer:
{% if kubelet_rotate_server_certificates %}
kubelet-certificate-authority: {{ kube_cert_dir }}/ca.crt
{% endif %}
{% if kubernetes_audit or kube_token_auth|default(true) or kube_webhook_token_auth|default(false) or ( cloud_provider is defined and cloud_provider in ["openstack", "azure", "vsphere", "aws", "gce"] ) or apiserver_extra_volumes or ssl_ca_dirs|length %}
{% if kubernetes_audit or kube_token_auth | default(true) or kube_webhook_token_auth | default(false) or ( cloud_provider is defined and cloud_provider in ["openstack", "azure", "vsphere", "aws", "gce"] ) or apiserver_extra_volumes or ssl_ca_dirs | length %}
extraVolumes:
{% if cloud_provider is defined and cloud_provider in ["openstack", "azure", "vsphere", "aws", "gce"] %}
- name: cloud-config
hostPath: {{ kube_config_dir }}/cloud_config
mountPath: {{ kube_config_dir }}/cloud_config
{% endif %}
{% if kube_token_auth|default(true) %}
{% if kube_token_auth | default(true) %}
- name: token-auth-config
hostPath: {{ kube_token_dir }}
mountPath: {{ kube_token_dir }}
{% endif %}
{% if kube_webhook_token_auth|default(false) %}
{% if kube_webhook_token_auth | default(false) %}
- name: webhook-token-auth-config
hostPath: {{ kube_config_dir }}/webhook-token-auth-config.yaml
mountPath: {{ kube_config_dir }}/webhook-token-auth-config.yaml
{% endif %}
{% if kube_webhook_authorization|default(false) %}
{% if kube_webhook_authorization | default(false) %}
- name: webhook-authorization-config
hostPath: {{ kube_config_dir }}/webhook-authorization-config.yaml
mountPath: {{ kube_config_dir }}/webhook-authorization-config.yaml
@@ -269,7 +269,7 @@ apiServer:
mountPath: {{ volume.mountPath }}
readOnly: {{ volume.readOnly | d(not (volume.writable | d(false))) }}
{% endfor %}
{% if ssl_ca_dirs|length %}
{% if ssl_ca_dirs | length %}
{% for dir in ssl_ca_dirs %}
- name: {{ dir | regex_replace('^/(.*)$', '\\1' ) | regex_replace('/', '-') }}
hostPath: {{ dir }}
@@ -316,7 +316,7 @@ controllerManager:
configure-cloud-routes: "false"
{% endif %}
{% if kubelet_flexvolumes_plugins_dir is defined %}
flex-volume-plugin-dir: {{kubelet_flexvolumes_plugins_dir}}
flex-volume-plugin-dir: {{ kubelet_flexvolumes_plugins_dir }}
{% endif %}
{% if tls_min_version is defined %}
tls-min-version: {{ tls_min_version }}
@@ -352,7 +352,7 @@ scheduler:
feature-gates: "{{ kube_scheduler_feature_gates | default(kube_feature_gates, true) | join(',') }}"
{% endif %}
profiling: "{{ kube_profiling }}"
{% if kube_kubeadm_scheduler_extra_args|length > 0 %}
{% if kube_kubeadm_scheduler_extra_args | length > 0 %}
{% for key in kube_kubeadm_scheduler_extra_args %}
{{ key }}: "{{ kube_kubeadm_scheduler_extra_args[key] }}"
{% endfor %}
@@ -422,7 +422,7 @@ portRange: {{ kube_proxy_port_range }}
{% set feature_gates = ( kube_proxy_feature_gates | default(kube_feature_gates, true) ) %}
featureGates:
{% for feature in feature_gates %}
{{ feature|replace("=", ": ") }}
{{ feature | replace("=", ": ") }}
{% endfor %}
{% endif %}
{# DNS settings for kubelet #}
@@ -448,6 +448,6 @@ clusterDNS:
{% set feature_gates = ( kubelet_feature_gates | default(kube_feature_gates, true) ) %}
featureGates:
{% for feature in feature_gates %}
{{ feature|replace("=", ": ") }}
{{ feature | replace("=", ": ") }}
{% endfor %}
{% endif %}
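Review bot: `kube_token_auth | default(true)` in the apiServer hunks (the `token-auth-file` condition, the `extraVolumes` guard and the `token-auth-config` volume) fails open: if the variable is ever undefined, the template turns on static token-file authentication and mounts the token directory into the API server. If the role defaults always define `kube_token_auth` the inline fallback is dead code and can go; otherwise `kube_token_auth | default(false)` would be the safer value, matching `kube_webhook_token_auth | default(false)` beside it. The `extraVolumes` guard also keeps the padded `( cloud_provider is defined and ... )` parentheses, which is inconsistent with the spacing normalised on the rest of that line.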


@@ -17,7 +17,7 @@ controlPlane:
bindPort: {{ kube_apiserver_port }}
certificateKey: {{ kubeadm_certificate_key }}
nodeRegistration:
name: {{ kube_override_hostname|default(inventory_hostname) }}
name: {{ kube_override_hostname | default(inventory_hostname) }}
criSocket: {{ cri_socket }}
{% if inventory_hostname in groups['kube_control_plane'] and inventory_hostname not in groups['kube_node'] %}
taints:


@@ -1,5 +1,5 @@
{% set kubescheduler_config_api_version = "v1beta3" %}
apiVersion: kubescheduler.config.k8s.io/{{ kubescheduler_config_api_version|d('v1') }}
apiVersion: kubescheduler.config.k8s.io/{{ kubescheduler_config_api_version | d('v1') }}
kind: KubeSchedulerConfiguration
clientConnection:
kubeconfig: "{{ kube_config_dir }}/scheduler.conf"
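Review bot: The `| d('v1')` fallback on the `apiVersion` line can never take effect, because `kubescheduler_config_api_version` is set unconditionally to `"v1beta3"` on the line directly above it. Either drop the filter, `apiVersion: kubescheduler.config.k8s.io/{{ kubescheduler_config_api_version }}`, or remove the `set` if the version is meant to be overridable from inventory.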


@@ -9,9 +9,9 @@ defaults:
warn: "{{ kube_pod_security_default_warn }}"
warn-version: "{{ kube_pod_security_default_warn_version }}"
exemptions:
usernames: {{ kube_pod_security_exemptions_usernames|to_json }}
runtimeClasses: {{ kube_pod_security_exemptions_runtime_class_names|to_json }}
namespaces: {{ kube_pod_security_exemptions_namespaces|to_json }}
usernames: {{ kube_pod_security_exemptions_usernames | to_json }}
runtimeClasses: {{ kube_pod_security_exemptions_runtime_class_names | to_json }}
namespaces: {{ kube_pod_security_exemptions_namespaces | to_json }}
{% else %}
# This file is intentinally left empty as kube_pod_security_use_default={{ kube_pod_security_use_default }}
{% endif %}


@@ -2,7 +2,7 @@ apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
- resources:
{{ kube_encryption_resources|to_nice_yaml|indent(4, True) }}
{{ kube_encryption_resources | to_nice_yaml | indent(4, True) }}
providers:
- {{ kube_encryption_algorithm }}:
keys: