Fix CIS play skipping kolla user on non-Kolla hosts

bbezak · bbezak · commit 3f9c6f7aae35 · 2025-11-28T09:28:25.000+01:00
Signed-off-by: Bartosz Bezak &lt;bartosz@stackhpc.com&gt;
diff --git a/etc/kayobe/ansible/maintenance/cis.yml b/etc/kayobe/ansible/maintenance/cis.yml
@@ -24,12 +24,17 @@
       # This is to workaround an issue where we set the expiry to 365 days on kayobe
       # service accounts in a previous iteration of the CIS benchmark hardening
       # defaults. This should restore the defaults and can eventually be removed.
+      vars:
+        hosts_in_kolla_inventory: >-
+          {{ kolla_overcloud_inventory_top_level_group_map.values() |
+             map(attribute='groups') | flatten | unique | union(['seed']) | join(':') }}
       ansible.builtin.command: chage -m 0 -M 99999 -W 7 -I -1 {{ item }}
       become: true
       changed_when: false
       with_items:
         - "{{ kayobe_ansible_user }}"
         - "{{ kolla_ansible_user }}"
+      when: item == kayobe_ansible_user or inventory_hostname in query('inventory_hostnames', hosts_in_kolla_inventory)
 
 - name: Security hardening
   hosts: cis-hardening
diff --git a/releasenotes/notes/cis-overcloud-non-kolla-hosts-62a00002451e9f4d.yaml b/releasenotes/notes/cis-overcloud-non-kolla-hosts-62a00002451e9f4d.yaml
@@ -0,0 +1,5 @@
+---
+fixes:
+  - |
+    CIS hardening playbook skips the kolla user on hosts not in the Kolla
+    inventory (e.g. Ceph-only) to avoid errors.

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +---
 +fixes:
 +  - |
 +    CIS hardening playbook skips the kolla user on hosts not in the Kolla
 +    inventory (e.g. Ceph-only) to avoid errors.