Fix Ansible for rsyslog_encrypt_offload_*

[Mab879]

Description:

Escaped the $ in rsyslog_encrypt_offload_*

Rationale:

• Fixes rules rsyslog_encrypt_offload_* have wrong regex #7741

[vojtapolasek]

The fix won't be that simple unfortunately. It needs to be fixed within one of macros. Ideally it would be nice to use the regex_escape filter.
http://ansible-docs.readthedocs.io/zh/stable-2.0/rst/playbooks_filters.html

[Mab879]

/retest-required

[vojtapolasek]

Just a thought, is there actually a case where we would NOT want the regex to be escaped? Would it make sense to do this implicitly?

[yuumasato]

Just a thought, is there actually a case where we would NOT want the regex to be escaped? Would it make sense to do this implicitly?

I think it makes sense to always escape the parameter.
The ansible_set_config_file_dir macro docs doesn't make it clear that parameter can be a regex.
And although it is used to construct a line_regex for ansible_lineinfile macro, the parameter is not expected to be a regular expression.

Also, the escape_regex argument is not clear about what regex it is escaping.
If we go the way of explicit option, I'd suggest to change it to escape_parameter, and rename parameter to parameter_regex.

[yuumasato]

Also, could having parameter as a regular expression have unintended consequences such as adding a value to multiple parameters?

[yuumasato]

LGTM, I have just a few nitpicks, :P

[yuumasato]

/retest

[Mab879]

I'm having a hard time getting regexp: '{{ {{{ regex }}} | regex_escape }}' to play nice with build system and Ansible lint. Not sure how best to make it work.

[yuumasato]

Another thing I also noticed is that the OVAL checks for rsyslog_encrypt_offload_defaultnetstreamdriver and related don't handle cases when /etc/rsyslog.conf has the parameter witt correct, but /etc/rsyslog.d/somefile.conf` has the parameter with wrong value.

I guess we want to fail in these cases? As the Ansible remediation always removes configurations in /etc/rsyslog.d/.
And unfortunately the Bash remediation is a bit behind and only checks for /etc/rsyslog.conf.

But I think these are out of the original scope of this PR and can be handled later...

The isuse pointed out by Jan has been addressed.

[yuumasato]

/retest

[yuumasato]

@Mab879 LGTM, before I merge, could you address the ansible-lint issues?

[openshift-ci]

@Mab879: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-aws-ocp4-e8	c29550e	link	true	/test e2e-aws-ocp4-e8
ci/prow/e2e-aws-ocp4-cis-node	c29550e	link	true	/test e2e-aws-ocp4-cis-node

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.