
fix(examples): prevent play vars from overriding inventory variables #1

Open
lexfrei wants to merge 1 commit into main from fix/variable-precedence-in-examples

Conversation

@lexfrei (Contributor) commented Mar 13, 2026

Summary

  • Remove cozystack_k3s_extra_args and cozystack_flush_iptables from play vars in all three prepare playbooks (ubuntu, rhel, suse)
  • Use | default("") and | default(false) for safe fallbacks when variables are not set
  • Add a note to README about variable customization and Ansible precedence

Problem

Ansible play vars have higher precedence than inventory variables. When cozystack_k3s_extra_args: "" was defined in the play vars section, any value set in the inventory (e.g., --tls-san=<public_ip>) was silently ignored. This caused k3s to generate TLS certificates without the user-specified SANs.

Test plan

  • Verify cozystack_k3s_extra_args from inventory is applied to k3s service args
  • Verify cozystack_flush_iptables: true from inventory triggers iptables flush
  • Verify playbooks work without these variables set (defaults kick in)

Summary by CodeRabbit

Release Notes

  • Documentation

    • Added guidance on configuring variables in the inventory rather than playbooks, including variable precedence rules to prevent silent failures.
  • Improvements

    • Enhanced playbook resilience by adding default values for optional configuration variables, gracefully handling cases where they are undefined.

Remove `cozystack_k3s_extra_args` and `cozystack_flush_iptables` from
play `vars` in all prepare playbooks. Play vars have higher precedence
than inventory vars in Ansible, so setting them in both places caused
inventory values to be silently ignored.

Use `| default("")` and `| default(false)` in templates and conditions
to provide safe fallbacks when the variables are not set.

Add a note to README about variable customization and precedence.

Assisted-By: Claude <noreply@anthropic.com>
Signed-off-by: Aleksei Sviridkin <f@lex.la>
@gemini-code-assist bot commented

Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request resolves a critical issue where Ansible's variable precedence mechanism caused user-defined inventory variables for K3s extra arguments and iptables flushing to be silently ignored. By refactoring the playbooks to remove these variables from the play vars section and introducing default filters, the system now correctly prioritizes and applies values provided in the inventory. This ensures that custom K3s TLS certificates and network configurations are properly honored, improving the reliability and configurability of the deployment process.

Highlights

  • Variable Precedence Fix: Removed cozystack_k3s_extra_args and cozystack_flush_iptables from play vars in all three prepare playbooks (ubuntu, rhel, suse) to prevent them from overriding inventory variables.
  • Safe Variable Fallbacks: Implemented | default("") and | default(false) filters for cozystack_k3s_extra_args and cozystack_flush_iptables to ensure safe fallbacks when these variables are not explicitly set.
  • Documentation Update: Added a new section to the README.md explaining Ansible variable customization and precedence, guiding users on where to correctly set user-facing variables.

Changelog
  • README.md
    • Added a new section titled 'Customizing variables' to clarify Ansible variable precedence and guide users on setting variables in the inventory.
  • examples/rhel/prepare-rhel.yml
    • Removed cozystack_flush_iptables and cozystack_k3s_extra_args from the play's vars section.
    • Updated the set_fact task for extra_server_args to use cozystack_k3s_extra_args | default("").
    • Modified when conditions for firewall and iptables tasks to use cozystack_flush_iptables | default(false).
  • examples/suse/prepare-suse.yml
    • Removed cozystack_flush_iptables and cozystack_k3s_extra_args from the play's vars section.
    • Updated the set_fact task for extra_server_args to use cozystack_k3s_extra_args | default("").
    • Modified when conditions for firewall and iptables tasks to use cozystack_flush_iptables | default(false).
  • examples/ubuntu/prepare-ubuntu.yml
    • Removed cozystack_flush_iptables and cozystack_k3s_extra_args from the play's vars section.
    • Updated the set_fact task for extra_server_args to use cozystack_k3s_extra_args | default("").
    • Modified when conditions for firewall and iptables tasks to use cozystack_flush_iptables | default(false).
Activity
  • Verified that cozystack_k3s_extra_args from inventory is correctly applied to k3s service arguments.
  • Verified that cozystack_flush_iptables: true from inventory successfully triggers iptables flush.
  • Verified that playbooks function as expected when these variables are not explicitly set, relying on defaults.
lexfrei self-assigned this Mar 13, 2026

@gemini-code-assist bot left a comment

Code Review

This pull request correctly addresses an Ansible variable precedence issue by removing user-facing variables from the play's vars section and using default filters for safe fallbacks. The accompanying README update clearly explains the change to users. I've suggested a minor improvement to the Jinja2 templating in the example playbooks to make the argument string construction more robust by avoiding a potential trailing space. Overall, the changes are solid and improve the usability of the example playbooks.

Comment on lines 54 to +56
extra_server_args: >-
{{ cozystack_k3s_server_args }}
{{ cozystack_k3s_extra_args }}
{{ cozystack_k3s_extra_args | default("") }}
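
Review bot: `default("")` on the added line only covers the undefined case; a value explicitly set to null in the inventory (`cozystack_k3s_extra_args: ~`) is still defined, so the `>-` folded scalar renders it as the literal string `None` appended to `extra_server_args`, and k3s is handed `None` as an argument. `default("", true)` replaces any falsy value (null and the empty string alike); combined with the `{% if %}` guard suggested in this thread it also avoids the dangling space that the plain fold leaves when no extra args are set. The same two lines are changed in all three prepare playbooks, so the fix belongs in each of them.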

medium

While the default("") filter prevents an error when cozystack_k3s_extra_args is not defined, this implementation adds a trailing space to extra_server_args if cozystack_k3s_extra_args is empty or not set. This is usually harmless for command-line arguments, but it's cleaner to avoid it. You can conditionally add the space and arguments only when cozystack_k3s_extra_args has a value.

        extra_server_args: "{{ cozystack_k3s_server_args }}{% if cozystack_k3s_extra_args | default('') %} {{ cozystack_k3s_extra_args }}{% endif %}"

Comment on lines 57 to +59
extra_server_args: >-
{{ cozystack_k3s_server_args }}
{{ cozystack_k3s_extra_args }}
{{ cozystack_k3s_extra_args | default("") }}

medium

While the default("") filter prevents an error when cozystack_k3s_extra_args is not defined, this implementation adds a trailing space to extra_server_args if cozystack_k3s_extra_args is empty or not set. This is usually harmless for command-line arguments, but it's cleaner to avoid it. You can conditionally add the space and arguments only when cozystack_k3s_extra_args has a value.

        extra_server_args: "{{ cozystack_k3s_server_args }}{% if cozystack_k3s_extra_args | default('') %} {{ cozystack_k3s_extra_args }}{% endif %}"

Comment on lines 56 to +58
extra_server_args: >-
{{ cozystack_k3s_server_args }}
{{ cozystack_k3s_extra_args }}
{{ cozystack_k3s_extra_args | default("") }}

medium

While the default("") filter prevents an error when cozystack_k3s_extra_args is not defined, this implementation adds a trailing space to extra_server_args if cozystack_k3s_extra_args is empty or not set. This is usually harmless for command-line arguments, but it's cleaner to avoid it. You can conditionally add the space and arguments only when cozystack_k3s_extra_args has a value.

        extra_server_args: "{{ cozystack_k3s_server_args }}{% if cozystack_k3s_extra_args | default('') %} {{ cozystack_k3s_extra_args }}{% endif %}"

lexfrei marked this pull request as ready for review March 13, 2026 17:26

@coderabbitai bot commented Mar 13, 2026

Walkthrough

Documentation expanded with variable scope guidance, and three Ansible playbooks refactored to remove hardcoded variable declarations, replacing them with safe Jinja2 default filters to handle undefined inventory variables gracefully.

Changes

  • Documentation (README.md)
    Added section "Customizing variables" explaining that user-facing variables should be set in inventory, describing play variable precedence over inventory variables, and clarifying when definitions can be silently ignored.
  • Playbook Refactoring (examples/rhel/prepare-rhel.yml, examples/suse/prepare-suse.yml, examples/ubuntu/prepare-ubuntu.yml)
    Removed explicit vars: declarations for cozystack_flush_iptables and cozystack_k3s_extra_args. Updated iptables-related task conditions and k3s argument assignments to use default() filters for safe undefined variable handling.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 Variables now flow from inventory's keep,
No hardcoded declarations to sweep,
Default filters guard against the unknown,
Documentation grows where precedence is shown,
A cleaner playbook, more robust than before! ✨

Pre-merge checks: 3 passed

  • Title check: Passed. The pull request title accurately describes the main change, removing play vars that override inventory variables to fix precedence issues.
  • Description check: Passed. The pull request description provides a clear summary of changes, problem statement, and test plan, matching the repository's template structure.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

@coderabbitai bot left a comment

🧹 Nitpick comments (1)
examples/rhel/prepare-rhel.yml (1)

84-97: Harden when guards with explicit boolean coercion.

All three iptables task guards at lines 84, 91, and 97 lack the | bool filter. When cozystack_flush_iptables is passed as a string from CLI or environment (e.g., -e cozystack_flush_iptables=false), the string "false" evaluates as truthy, causing tasks to run unexpectedly. Append | bool to each guard:

when: cozystack_flush_iptables | default(false) | bool
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@examples/rhel/prepare-rhel.yml` around lines 84 - 97, The when guards for the
iptables tasks use cozystack_flush_iptables | default(false) which can treat
string values like "false" as truthy; for each iptables-related task (e.g., the
task named "Flush iptables INPUT chain", the subsequent iptables flush task, and
"Set iptables INPUT policy to ACCEPT") update their when expressions to
cozystack_flush_iptables | default(false) | bool so the variable is explicitly
coerced to a boolean and string "false"/"true" values behave correctly.
ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 7260e41f-0192-4505-85b2-33e3ccc1a4c7

📥 Commits

Reviewing files that changed from the base of the PR and between 6034606 and aec8e31.

📒 Files selected for processing (4)
  • README.md
  • examples/rhel/prepare-rhel.yml
  • examples/suse/prepare-suse.yml
  • examples/ubuntu/prepare-ubuntu.yml
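
The two reviewer points in this thread (Gemini's trailing-space remark on the `>-` folded `extra_server_args`, and CodeRabbit's `| bool` nitpick on the `when:` guards) both come down to how Jinja2's `default` filter and plain truthiness behave on undefined, null and string values. The following Python is an added example written for this page, not code from the cozystack repository or from either bot: it reimplements those two filter expressions in plain Python so the failure modes can be exercised without Ansible, and adds a small check that a `--tls-san=<ip>` supplied through inventory actually ends up in the server argument string, which is the first item of the PR's test plan. `UNDEFINED`, the helper names, the sample flags and the address 203.0.113.10 are all constructed for the example; the accepted boolean spellings are modelled on Ansible's documented yes/no/on/off set, and unknown strings raise rather than being guessed.

```python
"""Plain-Python stand-in for the Jinja2 expressions discussed in this PR.

Added example for this page; not the cozystack playbooks' own code.
Models:
  1. `cozystack_k3s_extra_args | default("")` folded into extra_server_args,
     including the null case that default("") does not replace;
  2. `cozystack_flush_iptables | default(false)` with and without `| bool`;
  3. a check that a --tls-san value reached the k3s server argument string.
"""
from __future__ import annotations

import shlex
from typing import Any

UNDEFINED = object()  # sentinel: variable set neither in inventory nor in play vars

# Spellings modelled on Ansible's boolean conversion table (reproduced, not imported).
_TRUE = {"y", "yes", "on", "1", "true", "t"}
_FALSE = {"n", "no", "off", "0", "false", "f"}


def jinja_default(value: Any, fallback: Any, boolean: bool = False) -> Any:
    """Jinja2 `default(fallback, boolean)`: only an undefined value is replaced,
    unless boolean=True, in which case any falsy value (None, "") is replaced too."""
    if value is UNDEFINED:
        return fallback
    if boolean and not value:
        return fallback
    return value


def ansible_bool(value: Any) -> bool:
    """Strict coercion in the spirit of Ansible's `bool` filter (reimplemented here)."""
    if isinstance(value, bool):
        return value
    if isinstance(value, (int, float)):
        return value != 0
    if isinstance(value, str):
        s = value.strip().lower()
        if s in _TRUE:
            return True
        if s in _FALSE:
            return False
    raise TypeError(f"{value!r} is not a valid boolean")


def server_args_as_in_pr(base: str, extra: Any) -> str:
    """The `>-` fold joins the two template lines with one space: an undefined or
    empty extra leaves a trailing space, and a null extra renders as 'None'."""
    rendered = jinja_default(extra, "")
    return f"{base} {rendered}"


def server_args_hardened(base: str, extra: Any) -> str:
    """Treat undefined, null and "" alike and never emit a dangling space."""
    rendered = jinja_default(extra, "", boolean=True)
    return " ".join(part for part in (base, str(rendered)) if part)


def tls_sans(args: str) -> list[str]:
    """Collect every --tls-san value from a k3s server argument string,
    accepting both `--tls-san=value` and `--tls-san value`."""
    tokens = shlex.split(args)
    found: list[str] = []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("--tls-san="):
            found.append(tok.split("=", 1)[1])
        elif tok == "--tls-san" and i + 1 < len(tokens):
            found.append(tokens[i + 1])
            i += 1
        i += 1
    return found


def flush_iptables_as_in_pr(value: Any) -> bool:
    """`when: cozystack_flush_iptables | default(false)` under plain truthiness:
    a non-empty string such as "false" (as passed by -e name=false) is true."""
    return bool(jinja_default(value, False))


def flush_iptables_hardened(value: Any) -> bool:
    """`when: cozystack_flush_iptables | default(false) | bool`."""
    return ansible_bool(jinja_default(value, False))


if __name__ == "__main__":
    base = "--disable=traefik --write-kubeconfig-mode=644"  # constructed sample
    extra = "--tls-san=203.0.113.10"                         # constructed sample
    for value in (UNDEFINED, None, "", extra):
        print(repr(server_args_as_in_pr(base, value)), "->",
              repr(server_args_hardened(base, value)))
    print("SANs found:", tls_sans(server_args_hardened(base, extra)))
    for label, value in (("unset", UNDEFINED), ("True", True),
                         ('"false"', "false"), ('"no"', "no")):
        print(label, flush_iptables_as_in_pr(value), flush_iptables_hardened(value))
```

Running the block prints, for each guard input, what the PR's expression and the `| bool` variant evaluate to; the string "false" is the case that flips between them, and it is the case in which the iptables flush and the ACCEPT policy would run against the operator's stated intent. The argument-string lines show the trailing space and the literal `None` that `default("")` lets through. On a real host the counterpart of `tls_sans` is reading back whatever the playbook wrote the arguments into and then confirming the SAN on the served API certificate with openssl, which this offline example does not attempt.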
