Adding yamllinter to ci steps (kubernetes-sigs#1556)

* Adding yaml linter to ci check

* Minor linting fixes from yamllint

* Changing CI to install python pkgs from requirements.txt

- adding in a secondary requirements.txt for tests
- moving yamllint to tests requirements

.gitlab-ci.yml

@@ -18,10 +18,7 @@ variables:
 # us-west1-a
 
 before_script:
-    - pip install ansible==2.3.0
-    - pip install netaddr
-    - pip install apache-libcloud==0.20.1
-    - pip install boto==2.9.0
+    - pip install -r tests/requirements.txt
     - mkdir -p /.ssh
     - cp tests/ansible.cfg .
 
@@ -75,10 +72,7 @@ before_script:
       - $HOME/.cache
   before_script:
     - docker info
-    - pip install ansible==2.3.0
-    - pip install netaddr
-    - pip install apache-libcloud==0.20.1
-    - pip install boto==2.9.0
+    - pip install -r tests/requirements.txt
     - mkdir -p /.ssh
     - mkdir -p $HOME/.ssh
     - echo $PRIVATE_KEY | base64 -d > $HOME/.ssh/id_rsa
@@ -642,6 +636,13 @@ syntax-check:
     - ansible-playbook -i inventory/local-tests.cfg -u root -e ansible_ssh_user=root  -b --become-user=root extra_playbooks/upgrade-only-k8s.yml -vvv  --syntax-check
   except: ['triggers', 'master']
 
+yamllint:
+  <<: *job
+  stage: unit-tests
+  script:
+    - yamllint roles
+  except: ['triggers', 'master']
+
 tox-inventory-builder:
   stage: unit-tests
   <<: *job

.yamllint

@@ -0,0 +1,16 @@
+---
+extends: default
+
+rules:
+  braces:
+    min-spaces-inside: 0
+    max-spaces-inside: 1
+  brackets:
+    min-spaces-inside: 0
+    max-spaces-inside: 1
+  indentation:
+    spaces: 2
+    indent-sequences: consistent
+  line-length: disable
+  new-line-at-end-of-file: disable
+  truthy: disable

roles/bootstrap-os/tasks/bootstrap-coreos.yml

@@ -49,4 +49,3 @@
   pip:
     name: "{{ item }}"
   with_items: "{{pip_python_modules}}"
-

roles/bootstrap-os/tasks/main.yml

@@ -27,4 +27,3 @@
   hostname:
     name: "{{inventory_hostname}}"
   when: ansible_hostname == 'localhost'
-

roles/bootstrap-os/tasks/setup-pipelining.yml

@@ -6,4 +6,3 @@
     regexp: '^\w+\s+requiretty'
     dest: /etc/sudoers
     state: absent
-

roles/dnsmasq/defaults/main.yml

@@ -4,12 +4,12 @@
 
 # Max of 4 names is allowed and no more than 256 - 17 chars total
 # (a 2 is reserved for the 'default.svc.' and'svc.')
-#searchdomains:
-#  - foo.bar.lc
+# searchdomains:
+#   - foo.bar.lc
 
 # Max of 2 is allowed here (a 1 is reserved for the dns_server)
-#nameservers:
-#  - 127.0.0.1
+# nameservers:
+#   - 127.0.0.1
 
 dns_forward_max: 150
 cache_size: 1000

roles/dnsmasq/tasks/main.yml

@@ -86,4 +86,3 @@
     port: 53
     timeout: 180
   when: inventory_hostname == groups['kube-node'][0] and groups['kube-node'][0] in ansible_play_hosts
-

roles/dnsmasq/templates/dnsmasq-autoscaler.yml

@@ -1,3 +1,4 @@
+---
 # Copyright 2016 The Kubernetes Authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -34,17 +35,16 @@ spec:
       - name: autoscaler
         image: gcr.io/google_containers/cluster-proportional-autoscaler-amd64:1.1.1
         resources:
-            requests:
-                cpu: "20m"
-                memory: "10Mi"
+          requests:
+            cpu: "20m"
+            memory: "10Mi"
         command:
-          - /cluster-proportional-autoscaler
-          - --namespace=kube-system
-          - --configmap=dnsmasq-autoscaler
-          - --target=Deployment/dnsmasq
-          # When cluster is using large nodes(with more cores), "coresPerReplica" should dominate.
-          # If using small nodes, "nodesPerReplica" should dominate.
-          - --default-params={"linear":{"nodesPerReplica":{{ dnsmasq_nodes_per_replica }},"preventSinglePointFailure":true}}
-          - --logtostderr=true
-          - --v={{ kube_log_level }}
-
+        - /cluster-proportional-autoscaler
+        - --namespace=kube-system
+        - --configmap=dnsmasq-autoscaler
+        - --target=Deployment/dnsmasq
+        # When cluster is using large nodes(with more cores), "coresPerReplica" should dominate.
+        # If using small nodes, "nodesPerReplica" should dominate.
+        - --default-params={"linear":{"nodesPerReplica":{{ dnsmasq_nodes_per_replica }},"preventSinglePointFailure":true}}
+        - --logtostderr=true
+        - --v={{ kube_log_level }}

roles/dnsmasq/templates/dnsmasq-deploy.yml

@@ -35,7 +35,6 @@ spec:
             capabilities:
               add:
                 - NET_ADMIN
-          imagePullPolicy: IfNotPresent
           resources:
             limits:
               cpu: {{ dns_cpu_limit }}
@@ -64,4 +63,3 @@ spec:
           hostPath:
             path: /etc/dnsmasq.d-available
       dnsPolicy: Default  # Don't use cluster DNS.
-

roles/docker/defaults/main.yml

@@ -1,3 +1,4 @@
+---
 docker_version: '1.13'
 
 docker_package_info:

roles/docker/handlers/main.yml

@@ -8,7 +8,7 @@
     - Docker | pause while Docker restarts
     - Docker | wait for docker
 
-- name : Docker | reload systemd
+- name: Docker | reload systemd
   shell: systemctl daemon-reload
 
 - name: Docker | reload docker.socket

roles/docker/tasks/main.yml

@@ -3,14 +3,14 @@
   include_vars: "{{ item }}"
   with_first_found:
     - files:
-      - "{{ ansible_distribution|lower }}-{{ ansible_distribution_version|lower|replace('/', '_') }}.yml"
-      - "{{ ansible_distribution|lower }}-{{ ansible_distribution_release }}.yml"
-      - "{{ ansible_distribution|lower }}-{{ ansible_distribution_major_version|lower|replace('/', '_') }}.yml"
-      - "{{ ansible_distribution|lower }}.yml"
-      - "{{ ansible_os_family|lower }}.yml"
-      - defaults.yml
+        - "{{ ansible_distribution|lower }}-{{ ansible_distribution_version|lower|replace('/', '_') }}.yml"
+        - "{{ ansible_distribution|lower }}-{{ ansible_distribution_release }}.yml"
+        - "{{ ansible_distribution|lower }}-{{ ansible_distribution_major_version|lower|replace('/', '_') }}.yml"
+        - "{{ ansible_distribution|lower }}.yml"
+        - "{{ ansible_os_family|lower }}.yml"
+        - defaults.yml
       paths:
-      - ../vars
+        - ../vars
       skip: true
   tags: facts
 

roles/docker/tasks/set_facts_dns.yml

@@ -48,7 +48,7 @@
 - name: add system search domains to docker options
   set_fact:
     docker_dns_search_domains: "{{ docker_dns_search_domains | union(system_search_domains.stdout.split(' ')|default([])) | unique }}"
-  when: system_search_domains.stdout != "" 
+  when: system_search_domains.stdout != ""
 
 - name: check number of nameservers
   fail:

roles/docker/vars/debian.yml

@@ -1,3 +1,4 @@
+---
 docker_kernel_min_version: '3.10'
 
 # https://apt.dockerproject.org/repo/dists/debian-wheezy/main/filelist

roles/docker/vars/fedora-20.yml

@@ -1,3 +1,4 @@
+---
 docker_kernel_min_version: '0'
 
 # versioning: docker-io itself is pinned at docker 1.5

roles/docker/vars/fedora.yml

@@ -1,3 +1,4 @@
+---
 docker_kernel_min_version: '0'
 
 # https://docs.docker.com/engine/installation/linux/fedora/#install-from-a-package

roles/docker/vars/redhat.yml

@@ -1,3 +1,4 @@
+---
 docker_kernel_min_version: '0'
 
 # https://yum.dockerproject.org/repo/main/centos/7/Packages/
@@ -8,7 +9,7 @@ docker_versioned_pkg:
   '1.12': docker-engine-1.12.6-1.el7.centos
   '1.13': docker-engine-1.13.1-1.el7.centos
   'stable': docker-engine-17.03.0.ce-1.el7.centos
-  'edge':  docker-engine-17.03.0.ce-1.el7.centos
+  'edge': docker-engine-17.03.0.ce-1.el7.centos
 
 # https://docs.docker.com/engine/installation/linux/centos/#install-from-a-package
 # https://download.docker.com/linux/centos/7/x86_64/stable/Packages/

roles/download/defaults/main.yml

@@ -20,7 +20,7 @@ download_always_pull: False
 # Versions
 kube_version: v1.7.3
 etcd_version: v3.2.4
-#TODO(mattymo): Move calico versions to roles/network_plugins/calico/defaults
+# TODO(mattymo): Move calico versions to roles/network_plugins/calico/defaults
 # after migration to container download
 calico_version: "v1.1.3"
 calico_cni_version: "v1.8.0"

roles/download/tasks/main.yml

@@ -111,7 +111,7 @@
     - download.enabled|bool
     - download.container|bool
 
-#NOTE(bogdando) this brings no docker-py deps for nodes
+# NOTE(bogdando) this brings no docker-py deps for nodes
 - name: Download containers if pull is required or told to always pull
   command: "{{ docker_bin_dir }}/docker pull {{ pull_args }}"
   register: pull_task_result

roles/etcd/defaults/main.yml

@@ -21,7 +21,7 @@ etcd_metrics: "basic"
 etcd_memory_limit: 512M
 
 # Uncomment to set CPU share for etcd
-#etcd_cpu_limit: 300m
+# etcd_cpu_limit: 300m
 
 etcd_node_cert_hosts: "{{ groups['k8s-cluster'] | union(groups.get('calico-rr', [])) }}"
 

roles/etcd/handlers/backup.yml

@@ -43,4 +43,3 @@
     ETCDCTL_API: 3
   retries: 3
   delay: "{{ retry_stagger | random + 3 }}"
-

roles/etcd/handlers/main.yml

@@ -30,4 +30,3 @@
 - name: set etcd_secret_changed
   set_fact:
     etcd_secret_changed: true
-

roles/etcd/tasks/check_certs.yml

@@ -66,4 +66,3 @@
               {%- set _ = certs.update({'sync': True}) -%}
       {% endif %}
       {{ certs.sync }}
-

roles/etcd/tasks/gen_certs_script.yml

@@ -73,11 +73,10 @@
                       'member-{{ node }}-key.pem',
                       {% endfor %}]"
     my_master_certs: ['ca-key.pem',
-                     'admin-{{ inventory_hostname }}.pem',
-                     'admin-{{ inventory_hostname }}-key.pem',
-                     'member-{{ inventory_hostname }}.pem',
-                     'member-{{ inventory_hostname }}-key.pem'
-                     ]
+                      'admin-{{ inventory_hostname }}.pem',
+                      'admin-{{ inventory_hostname }}-key.pem',
+                      'member-{{ inventory_hostname }}.pem',
+                      'member-{{ inventory_hostname }}-key.pem']
     all_node_certs: "['ca.pem',
                     {% for node in (groups['k8s-cluster'] + groups['calico-rr']|default([]))|unique %}
                     'node-{{ node }}.pem',
@@ -111,22 +110,22 @@
         sync_certs|default(false) and inventory_hostname not in groups['etcd']
   notify: set etcd_secret_changed
 
-#NOTE(mattymo): Use temporary file to copy master certs because we have a ~200k 
-#char limit when using shell command                                            
-                                                                                
-#FIXME(mattymo): Use tempfile module in ansible 2.3                             
-- name: Gen_certs | Prepare tempfile for unpacking certs                        
-  shell: mktemp /tmp/certsXXXXX.tar.gz                                          
-  register: cert_tempfile                                                       
+# NOTE(mattymo): Use temporary file to copy master certs because we have a ~200k
+# char limit when using shell command
+
+# FIXME(mattymo): Use tempfile module in ansible 2.3
+- name: Gen_certs | Prepare tempfile for unpacking certs
+  shell: mktemp /tmp/certsXXXXX.tar.gz
+  register: cert_tempfile
   when: inventory_hostname in groups['etcd'] and sync_certs|default(false) and
-        inventory_hostname != groups['etcd'][0]                          
-
-- name: Gen_certs | Write master certs to tempfile                              
-  copy:                                                                         
-    content: "{{etcd_master_cert_data.stdout}}"                                      
-    dest: "{{cert_tempfile.stdout}}"                                            
-    owner: root                                                                 
-    mode: "0600"                                                                
+        inventory_hostname != groups['etcd'][0]
+
+- name: Gen_certs | Write master certs to tempfile
+  copy:
+    content: "{{etcd_master_cert_data.stdout}}"
+    dest: "{{cert_tempfile.stdout}}"
+    owner: root
+    mode: "0600"
   when: inventory_hostname in groups['etcd'] and sync_certs|default(false) and
         inventory_hostname != groups['etcd'][0]
 

roles/etcd/tasks/gen_certs_vault.yml

@@ -7,7 +7,6 @@
   when: inventory_hostname in etcd_node_cert_hosts
   tags: etcd-secrets
 
-
 - name: gen_certs_vault | Read in the local credentials
   command: cat /etc/vault/roles/etcd/userpass
   register: etcd_vault_creds_cat
@@ -33,15 +32,15 @@
 
 - name: gen_certs_vault | Set fact for vault_client_token
   set_fact:
-    vault_client_token:  "{{ etcd_vault_login_result.get('json', {}).get('auth', {}).get('client_token') }}"
+    vault_client_token: "{{ etcd_vault_login_result.get('json', {}).get('auth', {}).get('client_token') }}"
   run_once: true
 
 - name: gen_certs_vault | Set fact for Vault API token
   set_fact:
     etcd_vault_headers:
-        Accept: application/json
-        Content-Type: application/json
-        X-Vault-Token: "{{ vault_client_token }}"
+      Accept: application/json
+      Content-Type: application/json
+      X-Vault-Token: "{{ vault_client_token }}"
   run_once: true
   when: vault_client_token != ""
 
@@ -96,5 +95,3 @@
   with_items: "{{ etcd_node_certs_needed|d([]) }}"
   when: inventory_hostname in etcd_node_cert_hosts
   notify: set etcd_secret_changed
-
-

roles/etcd/tasks/install_docker.yml

@@ -1,5 +1,5 @@
 ---
-#Plan A: no docker-py deps
+# Plan A: no docker-py deps
 - name: Install | Copy etcdctl binary from docker container
   command: sh -c "{{ docker_bin_dir }}/docker rm -f etcdctl-binarycopy;
            {{ docker_bin_dir }}/docker create --name etcdctl-binarycopy {{ etcd_image_repo }}:{{ etcd_image_tag }} &&
@@ -12,21 +12,21 @@
   delay: "{{ retry_stagger | random + 3 }}"
   changed_when: false
 
-#Plan B: looks nicer, but requires docker-py on all hosts:
-#- name: Install | Set up etcd-binarycopy container
-#  docker:
-#    name: etcd-binarycopy
-#    state: present
-#    image: "{{ etcd_image_repo }}:{{ etcd_image_tag }}"
-#  when: etcd_deployment_type == "docker"
+# Plan B: looks nicer, but requires docker-py on all hosts:
+# - name: Install | Set up etcd-binarycopy container
+#   docker:
+#     name: etcd-binarycopy
+#     state: present
+#     image: "{{ etcd_image_repo }}:{{ etcd_image_tag }}"
+#   when: etcd_deployment_type == "docker"
 #
-#- name: Install | Copy etcdctl from etcd-binarycopy container
-#  command: /usr/bin/docker cp "etcd-binarycopy:{{ etcd_container_bin_dir }}etcdctl" "{{ bin_dir }}/etcdctl"
-#  when: etcd_deployment_type == "docker"
+# - name: Install | Copy etcdctl from etcd-binarycopy container
+#   command: /usr/bin/docker cp "etcd-binarycopy:{{ etcd_container_bin_dir }}etcdctl" "{{ bin_dir }}/etcdctl"
+#   when: etcd_deployment_type == "docker"
 #
-#- name: Install | Clean up etcd-binarycopy container
-#  docker:
-#    name: etcd-binarycopy
-#    state: absent
-#    image: "{{ etcd_image_repo }}:{{ etcd_image_tag }}"
-#  when: etcd_deployment_type == "docker"
+# - name: Install | Clean up etcd-binarycopy container
+#   docker:
+#     name: etcd-binarycopy
+#     state: absent
+#     image: "{{ etcd_image_repo }}:{{ etcd_image_tag }}"
+#   when: etcd_deployment_type == "docker"

roles/etcd/tasks/pre_upgrade.yml

@@ -1,3 +1,4 @@
+---
 - name: "Pre-upgrade | check for etcd-proxy unit file"
   stat:
     path: /etc/systemd/system/etcd-proxy.service