From 53a524183518d0edb8b59d24d8aae3c2803a0715 Mon Sep 17 00:00:00 2001
From: Pierre Riteau <pierre@stackhpc.com>
Date: Mon, 13 Jan 2025 21:45:12 +0100
Subject: [PATCH 1/4] Fix release note link

Change-Id: I31bc776b2cd7f6543705c44609fbcf22d9259be5
(cherry picked from commit b4f63447c9f8662b74b2a0a3579e0a84fdba92ad)
---
 releasenotes/notes/pin-ipa-requirements-f9566011b2400e6c.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/releasenotes/notes/pin-ipa-requirements-f9566011b2400e6c.yaml b/releasenotes/notes/pin-ipa-requirements-f9566011b2400e6c.yaml
index 9f64be344..5b3b9a52c 100644
--- a/releasenotes/notes/pin-ipa-requirements-f9566011b2400e6c.yaml
+++ b/releasenotes/notes/pin-ipa-requirements-f9566011b2400e6c.yaml
@@ -3,4 +3,4 @@ fixes:
   - |
     Pin requirements for IPA image build to ensure that the ``ironic-lib``
     version matches ``ironic-python-agent``.
-    LP#2089263 <https://bugs.launchpad.net/kayobe/+bug/2089263>`__
+    `LP#2089263 <https://bugs.launchpad.net/kayobe/+bug/2089263>`__

From badebdcfba692a5059acdb92059380280427290c Mon Sep 17 00:00:00 2001
From: Pierre Riteau <pierre@stackhpc.com>
Date: Mon, 13 Jan 2025 22:28:24 +0100
Subject: [PATCH 2/4] Fix release note markup

Change-Id: I134bcbece0f28bf5234f0afd8349b602ce2940a1
(cherry picked from commit 51b54d547bae1b1ef6680b06f9820dc5b8ff33b4)
---
 ...vercloud-deprovision-prompt-host-lists-cfb701162c114c60.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/releasenotes/notes/fix-overcloud-deprovision-prompt-host-lists-cfb701162c114c60.yaml b/releasenotes/notes/fix-overcloud-deprovision-prompt-host-lists-cfb701162c114c60.yaml
index b2571fa9b..8add3af56 100644
--- a/releasenotes/notes/fix-overcloud-deprovision-prompt-host-lists-cfb701162c114c60.yaml
+++ b/releasenotes/notes/fix-overcloud-deprovision-prompt-host-lists-cfb701162c114c60.yaml
@@ -2,5 +2,5 @@
 fixes:
   - |
     Fixes a bug where non-overcloud hosts would show up in the confirmation
-    prompt for `kayobe overcloud deprovision`
+    prompt for ``kayobe overcloud deprovision``
     `LP#2091703 <https://bugs.launchpad.net/kayobe/+bug/2091621>`__

From e5f46b847df653a2571e751ca7abe325ed9c1f9a Mon Sep 17 00:00:00 2001
From: Pierre Riteau <pierre@stackhpc.com>
Date: Tue, 14 Jan 2025 10:33:43 +0100
Subject: [PATCH 3/4] Support IPA download with authenticated requests

This commit adds variables to configure authentication parameters in the
image-download role, which is used to download IPA images.

The new variables are image_download_url_username,
image_download_url_password, image_download_force_basic_auth and
image_download_unredirected_headers.

See Ansible documentation for more details about these variables [1,2].

[1] https://docs.ansible.com/ansible/latest/collections/ansible/builtin/get_url_module.html
[2] https://docs.ansible.com/ansible/latest/collections/ansible/builtin/uri_module.html

Change-Id: Ib149e97d42ca46b96b5c05030ba2cf871a63cde9
(cherry picked from commit 344008d8b022fa7883494730a22c30b404a1c025)
---
 .../roles/image-download/defaults/main.yml    | 20 +++++++++++++++++++
 ansible/roles/image-download/tasks/main.yml   |  8 ++++++++
 .../image-download-auth-e9fd02b71e26dd52.yaml | 12 +++++++++++
 3 files changed, 40 insertions(+)
 create mode 100644 releasenotes/notes/image-download-auth-e9fd02b71e26dd52.yaml

diff --git a/ansible/roles/image-download/defaults/main.yml b/ansible/roles/image-download/defaults/main.yml
index 52bec6ddd..00b079f37 100644
--- a/ansible/roles/image-download/defaults/main.yml
+++ b/ansible/roles/image-download/defaults/main.yml
@@ -21,3 +21,23 @@ image_download_dest:
 # Host from which to fetch the image.
 # Only used when image_download_path is set.
 image_download_host: "{{ inventory_hostname }}"
+
+# Username for Digest, Basic or WSSE authentication. Default is unset, in which
+# case the parameter is omitted.
+image_download_url_username:
+
+# Password for Digest, Basic or WSSE authentication. Default is unset, in which
+# case the parameter is omitted.
+image_download_url_password:
+
+# Force sending the Basic authentication header upon initial request. Useful if
+# the remote endpoint does not respond with HTTP 401 to the initial
+# unauthenticated request. Must be a boolean. Default is unset, in which case
+# the parameter is omitted.
+image_download_force_basic_auth:
+
+# List of header names that will not be sent on subsequent redirected requests.
+# Set to ['Authorization'] if being redirected from an authenticated endpoint
+# to an unauthenticated endpoint. Default is unset, in which case the parameter
+# is omitted.
+image_download_unredirected_headers:
diff --git a/ansible/roles/image-download/tasks/main.yml b/ansible/roles/image-download/tasks/main.yml
index 3a4dc4ba0..c1d799fdd 100644
--- a/ansible/roles/image-download/tasks/main.yml
+++ b/ansible/roles/image-download/tasks/main.yml
@@ -15,6 +15,10 @@
           uri:
             url: "{{ image_download_checksum_url }}"
             return_content: true
+            url_username: "{{ image_download_url_username or omit }}"
+            url_password: "{{ image_download_url_password or omit }}"
+            force_basic_auth: "{{ image_download_force_basic_auth or omit }}"
+            unredirected_headers: "{{ image_download_unredirected_headers or omit }}"
           register: expected_checksum
           until: expected_checksum is successful
           retries: 3
@@ -35,6 +39,10 @@
         # Always download the image if we have no checksum to compare with.
         force: "{{ expected_checksum is skipped }}"
         backup: true
+        url_username: "{{ image_download_url_username or omit }}"
+        url_password: "{{ image_download_url_password or omit }}"
+        force_basic_auth: "{{ image_download_force_basic_auth or omit }}"
+        unredirected_headers: "{{ image_download_unredirected_headers or omit }}"
       register: result
       until: result is successful
       retries: 3
diff --git a/releasenotes/notes/image-download-auth-e9fd02b71e26dd52.yaml b/releasenotes/notes/image-download-auth-e9fd02b71e26dd52.yaml
new file mode 100644
index 000000000..7bb5c7e4d
--- /dev/null
+++ b/releasenotes/notes/image-download-auth-e9fd02b71e26dd52.yaml
@@ -0,0 +1,12 @@
+---
+features:
+  - |
+    Adds variables to configure authentication parameters in the
+    ``image-download`` role, which is used to download IPA images. The new
+    variables are ``image_download_url_username``,
+    ``image_download_url_password``, ``image_download_force_basic_auth`` and
+    ``image_download_unredirected_headers``. See documentation of the `get_url
+    <https://docs.ansible.com/ansible/latest/collections/ansible/builtin/get_url_module.html>`__
+    and `uri
+    <https://docs.ansible.com/ansible/latest/collections/ansible/builtin/uri_module.html>`__
+    Ansible modules for more details on how to use these variables.

From 47994922fdb00a6cbcafd5de7295f8b6a92b98ea Mon Sep 17 00:00:00 2001
From: Matt Crees <mattc@stackhpc.com>
Date: Wed, 15 Jan 2025 10:37:55 +0000
Subject: [PATCH 4/4] CI: pin to ansible-compat<25.0.0

The new release of ansible-compat[1] has broken our tox molecule
jobs:

```
'Invalid plugin FQCN (community.molecule.from_yaml): unable to locate collection community.molecule'
```

Pins to the previous version.

[1] https://github.com/ansible/ansible-compat/releases/tag/v25.0.0

Change-Id: Ib7f9884c89437d645645ae48825c62c7680566ad
(cherry picked from commit 70af189ae2c115b6d1d98cdfb54a1ebeceba32d4)
---
 molecule-requirements.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/molecule-requirements.txt b/molecule-requirements.txt
index 794a7bf57..60ecf7351 100644
--- a/molecule-requirements.txt
+++ b/molecule-requirements.txt
@@ -3,7 +3,7 @@
 # process, which may cause wedges in the gate later.
 
 ansible-lint>=3.0.0,<6.0.0,!=4.3.0 # MIT
-ansible-compat # MIT
+ansible-compat<25.0.0 # MIT
 docker # Apache-2.0
 molecule # MIT
 molecule-plugins[docker] # MIT