From 276c4507591195529785181a2a30df9a4aa3d4e5 Mon Sep 17 00:00:00 2001
From: bozzo
Date: Thu, 25 Jun 2020 17:14:38 +0200
Subject: [PATCH] Use `connection: local` when `delegate_to: localhost` (#6322)
This will avoid SSH connection on the local host
---
 roles/bastion-ssh-config/tasks/main.yml | 2 ++
 roles/download/tasks/download_container.yml | 1 +
 roles/download/tasks/download_file.yml | 1 +
 roles/download/tasks/prep_download.yml | 3 +++
 roles/kubernetes/client/tasks/main.yml | 3 +++
 roles/kubernetes/preinstall/tasks/0030-pre_upgrade.yml | 3 +++
 roles/kubernetes/preinstall/tasks/0090-etchosts.yml | 1 +
 roles/kubespray-defaults/tasks/fallback_ips.yml | 1 +
 roles/kubespray-defaults/tasks/fallback_ips_gather.yml | 1 +
 roles/kubespray-defaults/tasks/no_proxy.yml | 1 +
 scripts/collect-info.yaml | 1 +
 tests/cloud_playbooks/delete-aws.yml | 1 +
 12 files changed, 19 insertions(+)
diff --git a/roles/bastion-ssh-config/tasks/main.yml b/roles/bastion-ssh-config/tasks/main.yml
index 7ea39bbd8..cf558087c 100644
--- a/roles/bastion-ssh-config/tasks/main.yml
+++ b/roles/bastion-ssh-config/tasks/main.yml
@@ -3,6 +3,7 @@
 set_fact:
 bastion_ip: "{{ hostvars[groups['bastion'][0]]['ansible_host'] | d(hostvars[groups['bastion'][0]]['ansible_ssh_host']) }}"
 delegate_to: localhost
+ connection: local
 # As we are actually running on localhost, the ansible_ssh_user is your local user when you try to use it directly
 # To figure out the real ssh user, we delegate this task to the bastion and store the ansible_user in real_user
@@ -13,6 +14,7 @@
 - name: create ssh bastion conf
 become: false
 delegate_to: localhost
+ connection: local
 template:
 src: ssh-bastion.conf
 dest: "{{ playbook_dir }}/ssh-bastion.conf"
diff --git a/roles/download/tasks/download_container.yml b/roles/download/tasks/download_container.yml
index fbf0831d2..234bf1f95 100644
--- a/roles/download/tasks/download_container.yml
+++ b/roles/download/tasks/download_container.yml
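Review bot: The `connection: local` added in the first hunk of roles/bastion-ssh-config/tasks/main.yml, and repeated in every other hunk of this patch, is a task keyword, and Ansible gives connection variables precedence over keywords, so an inventory that sets `ansible_connection` for `localhost` still decides the transport. A short comment at the first occurrence would record that, for example `# keyword only; an inventory-level ansible_connection on localhost still wins`. The same comment could mention that a local connection runs the task as the user who started the playbook, which determines the owner of the `ssh-bastion.conf` written in the second hunk with `become: false`. The first task starts above its hunk and the second continues below it.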
@@ -25,6 +25,7 @@
 stat:
 path: "{{ image_path_cached }}"
 delegate_to: localhost
+ connection: local
 delegate_facts: no
 register: cache_image
 changed_when: false
diff --git a/roles/download/tasks/download_file.yml b/roles/download/tasks/download_file.yml
index 86727dafc..648f43353 100644
--- a/roles/download/tasks/download_file.yml
+++ b/roles/download/tasks/download_file.yml
@@ -25,6 +25,7 @@
 state: directory
 recurse: yes
 delegate_to: localhost
+ connection: local
 delegate_facts: false
 run_once: true
 become: false
diff --git a/roles/download/tasks/prep_download.yml b/roles/download/tasks/prep_download.yml
index 34bcaa2b9..8e1d131ca 100644
--- a/roles/download/tasks/prep_download.yml
+++ b/roles/download/tasks/prep_download.yml
@@ -20,6 +20,7 @@
 - name: prep_download | On localhost, check if passwordless root is possible
 command: "true"
 delegate_to: localhost
+ connection: local
 run_once: true
 register: test_become
 changed_when: false
@@ -34,6 +35,7 @@
 - name: prep_download | On localhost, check if user has access to docker without using sudo
 shell: "{{ image_info_command_on_localhost }}"
 delegate_to: localhost
+ connection: local
 run_once: true
 register: test_docker
 changed_when: false
@@ -92,6 +94,7 @@
 recurse: yes
 mode: 0755
 delegate_to: localhost
+ connection: local
 delegate_facts: no
 run_once: true
 become: false
diff --git a/roles/kubernetes/client/tasks/main.yml b/roles/kubernetes/client/tasks/main.yml
index 663415475..bbb1ce0e0 100644
--- a/roles/kubernetes/client/tasks/main.yml
+++ b/roles/kubernetes/client/tasks/main.yml
@@ -36,6 +36,7 @@
 mode: "0750"
 state: directory
 delegate_to: localhost
+ connection: local
 become: no
 run_once: yes
 when: kubeconfig_localhost
@@ -88,6 +89,7 @@
 dest: "{{ artifacts_dir }}/admin.conf"
 mode: 0640
 delegate_to: localhost
+ connection: local
 become: no
 run_once: yes
 when: kubeconfig_localhost
@@ -112,4 +114,5 @@
 become: no
 run_once: yes
 delegate_to: localhost
+ connection: local
 when: kubectl_localhost and kubeconfig_localhost
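Review bot: The task in the second hunk of roles/kubernetes/client/tasks/main.yml writes `{{ artifacts_dir }}/admin.conf` with `mode: 0640` on the machine running the playbook, and with `become: no` plus the local connection the file is owned by whoever started the run and is group-readable. The file name suggests a cluster-admin kubeconfig, so unless group read is relied on, `mode: "0600"` would be the tighter choice. The mode is also an unquoted octal here and in the third hunk of roles/download/tasks/prep_download.yml (`mode: 0755`), while the first hunk of this file already uses the quoted form `mode: "0750"`; quoting all three keeps the value a string whatever the YAML loader does with leading zeros. These tasks start above their hunks.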
diff --git a/roles/kubernetes/preinstall/tasks/0030-pre_upgrade.yml b/roles/kubernetes/preinstall/tasks/0030-pre_upgrade.yml
index 9bace42dc..62a863808 100644
--- a/roles/kubernetes/preinstall/tasks/0030-pre_upgrade.yml
+++ b/roles/kubernetes/preinstall/tasks/0030-pre_upgrade.yml
@@ -3,6 +3,7 @@
 stat:
 path: "{{ inventory_dir }}/../credentials"
 delegate_to: localhost
+ connection: local
 register: old_credential_dir
 become: no
@@ -10,6 +11,7 @@
 stat:
 path: "{{ inventory_dir }}/credentials"
 delegate_to: localhost
+ connection: local
 register: new_credential_dir
 become: no
 when: old_credential_dir.stat.exists
@@ -19,6 +21,7 @@
 args:
 creates: "{{ inventory_dir }}/credentials"
 delegate_to: localhost
+ connection: local
 become: no
 when:
 - old_credential_dir.stat.exists
diff --git a/roles/kubernetes/preinstall/tasks/0090-etchosts.yml b/roles/kubernetes/preinstall/tasks/0090-etchosts.yml
index 9edab21f5..5b34d2d75 100644
--- a/roles/kubernetes/preinstall/tasks/0090-etchosts.yml
+++ b/roles/kubernetes/preinstall/tasks/0090-etchosts.yml
@@ -9,6 +9,7 @@
 {% endif %}
 {% endfor %}
 delegate_to: localhost
+ connection: local
 delegate_facts: yes
 run_once: yes
diff --git a/roles/kubespray-defaults/tasks/fallback_ips.yml b/roles/kubespray-defaults/tasks/fallback_ips.yml
index 930885a6a..ad8523db8 100644
--- a/roles/kubespray-defaults/tasks/fallback_ips.yml
+++ b/roles/kubespray-defaults/tasks/fallback_ips.yml
@@ -21,6 +21,7 @@
 {{ item }}: "{{ found.get('address', '127.0.0.1') }}"
 {% endfor %}
 delegate_to: localhost
+ connection: local
 delegate_facts: yes
 become: no
 run_once: yes
diff --git a/roles/kubespray-defaults/tasks/fallback_ips_gather.yml b/roles/kubespray-defaults/tasks/fallback_ips_gather.yml
index c5f5b7427..2d2d000d6 100644
--- a/roles/kubespray-defaults/tasks/fallback_ips_gather.yml
+++ b/roles/kubespray-defaults/tasks/fallback_ips_gather.yml
@@ -7,4 +7,5 @@
 gather_subset: '!all,network'
 filter: "ansible_default_ipv4"
 delegate_to: "{{ delegate_host_to_gather_facts }}"
+ connection: "{{ (delegate_host_to_gather_facts == 'localhost') | ternary('local', omit) }}"
 delegate_facts: yes
diff --git a/roles/kubespray-defaults/tasks/no_proxy.yml b/roles/kubespray-defaults/tasks/no_proxy.yml
index 82613882d..01c6e9ddf 100644
--- a/roles/kubespray-defaults/tasks/no_proxy.yml
+++ b/roles/kubespray-defaults/tasks/no_proxy.yml
@@ -19,6 +19,7 @@
 {%- endif -%}
 127.0.0.1,localhost,{{ kube_service_addresses }},{{ kube_pods_subnet }}
 delegate_to: localhost
+ connection: local
 delegate_facts: yes
 become: no
 run_once: yes
diff --git a/scripts/collect-info.yaml b/scripts/collect-info.yaml
index 15f1c627f..4c203648e 100644
--- a/scripts/collect-info.yaml
+++ b/scripts/collect-info.yaml
@@ -133,6 +133,7 @@
 dest: "{{ dir|default('.') }}/logs.tar.gz"
 remove: true
 delegate_to: localhost
+ connection: local
 become: false
 run_once: true
diff --git a/tests/cloud_playbooks/delete-aws.yml b/tests/cloud_playbooks/delete-aws.yml
index bffb8c60f..b72caf0ee 100644
--- a/tests/cloud_playbooks/delete-aws.yml
+++ b/tests/cloud_playbooks/delete-aws.yml
@@ -15,3 +15,4 @@
 region: "{{ ansible_ec2_placement_region }}"
 wait: True
 delegate_to: localhost
+ connection: local
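Review bot: In roles/kubespray-defaults/tasks/fallback_ips_gather.yml the new `connection` expression selects the local transport only when `delegate_host_to_gather_facts` is the literal string `localhost`; a control node listed under another inventory name or as `127.0.0.1` falls through to `omit` and keeps its inventory transport. Where that variable is set is not visible in this hunk, so this may be intended, but a comment above the line would make it explicit: `# local transport only for the literal name 'localhost'; other hosts keep their inventory connection`. The task starts above the hunk.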