[microk8s-cloud] support strict confinement for snaps

Parameterize microk8s snap installation to choose
channel and confinement.
In case of strict confinement, change the group
and escalate the privileges to run microk8s command.

Ensure ~/.local/share directory exists that allows
running juju commands in strict confinement mode.

Fix linting issues.

Change-Id: Iba52349df9c6d077cd33a4786359fc2d54182068

playbooks/charmbuild.yaml

@@ -1,3 +1,3 @@
 - hosts: all
   roles:
-  - charmbuild
+    - charmbuild

playbooks/collect-run-data.yaml

@@ -1,3 +1,3 @@
 - hosts: all
   roles:
-  - collect-run-data
+    - collect-run-data

playbooks/zaza-smoke-test.yaml

@@ -1,5 +1,5 @@
 - hosts: all
   roles:
-  - use-docker-mirror
-  - microk8s-cloud
-  - zaza-smoke-test
+    - use-docker-mirror
+    - microk8s-cloud
+    - zaza-smoke-test

roles/microk8s-cloud/tasks/main.yaml

@@ -3,16 +3,22 @@
     name: snapd
   become: true
 
+- name: set microk8s related variables
+  set_fact:
+    microk8s_group: "{{ 'microk8s' if microk8s_classic_mode | default(true) else 'snap_microk8s' }}"
+    microk8s_command_escalation: "{{ false if microk8s_classic_mode | default(true) else true }}"
+
 - name: microk8s is installed
   snap:
     name: microk8s
-    classic: true
+    classic: "{{ microk8s_classic_mode | default(true) }}"
+    channel: "{{ microk8s_channel | default('latest/stable') }}"
   become: true
 
 - name: current user is in microk8s group
   user:
     name: "{{ ansible_user }}"
-    groups: microk8s
+    groups: "{{ microk8s_group }}"
     append: true
   become: true
 
@@ -30,7 +36,7 @@
     path: /var/snap/microk8s/current/args/certs.d/docker.io
     state: directory
     owner: root
-    group: microk8s
+    group: "{{ microk8s_group }}"
     mode: '0770'
 
 - name: Render microk8s registry mirror template
@@ -39,7 +45,7 @@
   template:
     src: hosts.j2
     dest: /var/snap/microk8s/current/args/certs.d/docker.io/hosts.toml
-    group: microk8s
+    group: "{{ microk8s_group }}"
   vars:
     mirror_location: "{{ docker_mirror }}"
     server: https://docker.io
@@ -53,6 +59,7 @@
 - name: microk8s is started
   command:
     cmd: microk8s start
+  become: "{{ microk8s_command_escalation }}"
 
 - name: microk8s is running and ready
   command:
@@ -65,12 +72,14 @@
     cmd: microk8s enable dns
   register: res
   changed_when: '"already enabled" not in res.stdout'
+  become: "{{ microk8s_command_escalation }}"
 
 - name: microk8s hostpath storage addon is enabled
   command:
     cmd: microk8s enable hostpath-storage
   register: res
   changed_when: '"already enabled" not in res.stdout'
+  become: "{{ microk8s_command_escalation }}"
 
 - name: microk8s metallb addon is enabled
   command:
@@ -78,6 +87,7 @@
     cmd: microk8s enable metallb:10.170.0.1-10.170.0.100
   register: res
   changed_when: '"already enabled" not in res.stdout'
+  become: "{{ microk8s_command_escalation }}"
 
 - name: microk8s addons are ready
   command:
@@ -98,6 +108,11 @@
     channel: "{{ juju_channel | default('latest/stable') }}"
   become: true
 
+- name: Ensure ~/.local/share directory exist
+  file:
+    path: ~/.local/share
+    state: directory
+
 - name: juju is bootstrapped on microk8s
   command:
     cmd: juju bootstrap microk8s microk8s

tox.ini

@@ -8,7 +8,9 @@ basepython = python3
 deps = -r{toxinidir}/test-requirements.txt
 
 [testenv:linters]
-whitelist_externals = bash
+allowlist_externals =
+  bash
+  {toxinidir}/tools/ansible-lint-roles-cache.sh
 setenv =
   ANSIBLE_ROLES_PATH={env:ANSIBLE_ROLES_PATH:{toxinidir}/.cache/ansible-lint/opendev/base-jobs/roles:{toxinidir}/.cache/ansible-lint/opendev/system-config/roles:{toxinidir}/.cache/ansible-lint/zuul/zuul-jobs/roles:{toxinidir}/.cache/ansible-lint/openstack/openstack-zuul-jobs/roles}
 commands =