[multiple] Refactor inline Python/shell patterns to cleaner alternatives

vakwetu · claude · openshift-merge-bot[bot] · commit 5fdbfd7cf0af · 2026-03-27T19:41:09.000Z
Replace python3 -c JSON parsing in wait_for_cluster.yml with jq expressions.
Move the inline python3 heredoc for OSDPD renaming in execute_step.yml to a
standalone script (roles/kustomize_deploy/files/uniquify_osdpd.py) invoked via
ansible.builtin.script. Replace the shell+openssl+python fingerprint loop in
update-central-ca-bundle.yaml with a kubernetes.core.k8s_info until task that
checks for the leaf cert PEM as a substring of the combined bundle using Jinja2.

Signed-off-by: Ade Lee &lt;alee@redhat.com&gt;
Co-Authored-By: Claude &lt;noreply@anthropic.com&gt;
Made-with: Cursor
diff --git a/hooks/playbooks/skmo/update-central-ca-bundle.yaml b/hooks/playbooks/skmo/update-central-ca-bundle.yaml
@@ -121,42 +121,19 @@
     # every cert in combined-ca-bundle, retrying until it appears.
     # -------------------------------------------------------------------------
     - name: Wait for leaf region CA to appear in combined-ca-bundle
-      ansible.builtin.shell: |
-        set -euo pipefail
-        TMPDIR=$(mktemp -d)
-        trap "rm -rf $TMPDIR" EXIT
-
-        echo "{{ _leaf_certs.results[0].resources[0].data['tls.crt'] }}" | \
-          base64 -d > "$TMPDIR/leaf-ca.crt"
-        FINGERPRINT=$(openssl x509 -noout -fingerprint -in "$TMPDIR/leaf-ca.crt" \
-          | cut -d= -f2)
-
-        oc get secret combined-ca-bundle \
-          -n {{ central_namespace }} \
-          -o jsonpath='{.data.tls-ca-bundle\.pem}' \
-          | base64 -d > "$TMPDIR/bundle.pem"
-
-        python3 - "$FINGERPRINT" "$TMPDIR/bundle.pem" <<'PYEOF'
-        import sys, subprocess, re
-        target, bundle_file = sys.argv[1], sys.argv[2]
-        bundle = open(bundle_file).read()
-        certs = re.findall(
-            r'-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----',
-            bundle, re.DOTALL
+      kubernetes.core.k8s_info:
+        api_version: v1
+        kind: Secret
+        namespace: "{{ central_namespace }}"
+        name: combined-ca-bundle
+      register: _combined_bundle
+      until: >-
+        (_combined_bundle.resources | length > 0) and
+        (
+          _leaf_certs.results[0].resources[0].data['tls.crt'] | b64decode
+          in
+          (_combined_bundle.resources | first).data['tls-ca-bundle.pem'] | b64decode
         )
-        for cert in certs:
-            r = subprocess.run(
-                ['openssl', 'x509', '-noout', '-fingerprint'],
-                input=cert.encode(), capture_output=True
-            )
-            if target in r.stdout.decode():
-                sys.exit(0)
-        sys.exit(1)
-        PYEOF
-      args:
-        executable: /bin/bash
-      register: _ca_reconciled
-      until: _ca_reconciled.rc == 0
       retries: 30
       delay: 10
       changed_when: false
diff --git a/roles/kustomize_deploy/files/uniquify_osdpd.py b/roles/kustomize_deploy/files/uniquify_osdpd.py
@@ -0,0 +1,28 @@
+#!/usr/bin/env python3
+"""Append a run suffix to OpenStackDataPlaneDeployment resource names.
+
+Usage: uniquify_osdpd.py <manifest_path> <suffix>
+
+Reads the multi-document YAML file at <manifest_path>, appends <suffix>
+to the metadata.name of every OpenStackDataPlaneDeployment resource that
+does not already end with that suffix, and writes the result back in place.
+Prints a "Renamed: <old> -> <new>" line for each renamed resource so that
+the calling Ansible task can use changed_when on stdout.
+"""
+import sys
+import yaml
+
+path, suffix = sys.argv[1], sys.argv[2]
+
+with open(path) as f:
+    docs = [d for d in yaml.safe_load_all(f) if d is not None]
+
+for doc in docs:
+    if doc.get("kind") == "OpenStackDataPlaneDeployment":
+        name = doc["metadata"]["name"]
+        if not name.endswith("-" + suffix):
+            doc["metadata"]["name"] = name + "-" + suffix
+            print("Renamed: {} -> {}".format(name, doc["metadata"]["name"]))
+
+with open(path, "w") as f:
+    yaml.dump_all(docs, f, default_flow_style=False)
diff --git a/roles/kustomize_deploy/tasks/execute_step.yml b/roles/kustomize_deploy/tasks/execute_step.yml
@@ -254,26 +254,14 @@
 
         - name: "Uniquify OpenStackDataPlaneDeployment names in {{ stage.path }}"
           when: _cifmw_kustomize_deploy_run_suffix | default('') | string | length > 0
-          changed_when: "'Renamed:' in _rename_osdpd.stdout"
+          ansible.builtin.script:
+            executable: python3
+            cmd: >-
+              {{ role_path }}/files/uniquify_osdpd.py
+              {{ _output | quote }}
+              {{ _cifmw_kustomize_deploy_run_suffix | string | quote }}
           register: _rename_osdpd
-          ansible.builtin.shell:
-            executable: /bin/bash
-            cmd: |
-              python3 - << 'PYEOF'
-              import yaml, sys
-              path = "{{ _output }}"
-              suffix = "{{ _cifmw_kustomize_deploy_run_suffix }}"
-              with open(path) as f:
-                  docs = [d for d in yaml.safe_load_all(f) if d is not None]
-              for doc in docs:
-                  if doc.get('kind') == 'OpenStackDataPlaneDeployment':
-                      name = doc['metadata']['name']
-                      if not name.endswith('-' + suffix):
-                          doc['metadata']['name'] = name + '-' + suffix
-                          print('Renamed: ' + name + ' -> ' + doc['metadata']['name'])
-              with open(path, 'w') as f:
-                  yaml.dump_all(docs, f, default_flow_style=False)
-              PYEOF
+          changed_when: "'Renamed:' in _rename_osdpd.stdout"
 
         - name: "Store kustomized content in artifacts for {{ stage.path }}"
           ansible.builtin.copy:
diff --git a/roles/openshift_adm/tasks/wait_for_cluster.yml b/roles/openshift_adm/tasks/wait_for_cluster.yml
@@ -70,17 +70,15 @@
     set -eo pipefail
     MCP_JSON=$(oc get mcp -o json)
 
-    UPDATING=$(echo "$MCP_JSON" | \
-      python3 -c "
-    import json, sys
-    data = json.load(sys.stdin)
-    updating = [
-        i['metadata']['name'] for i in data['items']
-        if next((c['status'] for c in i['status'].get('conditions', [])
-                  if c['type'] == 'Updating'), 'False') == 'True'
-    ]
-    print('\n'.join(updating))
-    ")
+    UPDATING=$(echo "$MCP_JSON" | jq -r '
+      .items[] |
+      select(
+        .status.conditions // [] |
+        map(select(.type == "Updating" and .status == "True")) |
+        length > 0
+      ) |
+      .metadata.name
+    ')
 
     if [ -z "$UPDATING" ]; then
       echo "All MCPs are up to date."
@@ -89,19 +87,15 @@
 
     # At least one MCP is still Updating.  Check for the stuck-uncordon case:
     # updatedMachineCount == machineCount but readyMachineCount == 0.
-    STUCK=$(echo "$MCP_JSON" | \
-      python3 -c "
-    import json, sys
-    data = json.load(sys.stdin)
-    stuck = [
-        i['metadata']['name'] for i in data['items']
-        if (i['status'].get('updatedMachineCount', 0) ==
-            i['status'].get('machineCount', 0) and
-            i['status'].get('readyMachineCount', 0) == 0 and
-            i['status'].get('machineCount', 0) > 0)
-    ]
-    print('\n'.join(stuck))
-    ")
+    STUCK=$(echo "$MCP_JSON" | jq -r '
+      .items[] |
+      select(
+        .status.updatedMachineCount == .status.machineCount and
+        .status.readyMachineCount == 0 and
+        .status.machineCount > 0
+      ) |
+      .metadata.name
+    ')
 
     if [ -n "$STUCK" ]; then
       echo "Stuck MCPs detected: $STUCK -- uncordoning all nodes to break deadlock."
