From 3a2862ea19508e9c29a8d46fa8c2c81c55f69fcd Mon Sep 17 00:00:00 2001
From: Max Gautier
Date: Sun, 18 May 2025 23:13:14 +0000
Subject: [PATCH] Move checksums to kubespray_defaults/vars (#12234)

The checksums are not a defaults and are not meant to be changed from the inventories. Furthermore, role defaults have a lower priority that hosts facts, which technically means a rogue hosts could hijack the hashes for its variables.
---
 roles/kubespray_defaults/{defaults => vars}/main/checksums.yml | 0
 roles/kubespray_defaults/vars/{ => main}/main.yml | 0
 .../component_hash_update/src/component_hash_update/download.py | 2 +-
 3 files changed, 1 insertion(+), 1 deletion(-)
 rename roles/kubespray_defaults/{defaults => vars}/main/checksums.yml (100%)
 rename roles/kubespray_defaults/vars/{ => main}/main.yml (100%)
diff --git a/roles/kubespray_defaults/defaults/main/checksums.yml b/roles/kubespray_defaults/vars/main/checksums.yml
similarity index 100%
rename from roles/kubespray_defaults/defaults/main/checksums.yml
rename to roles/kubespray_defaults/vars/main/checksums.yml
diff --git a/roles/kubespray_defaults/vars/main.yml b/roles/kubespray_defaults/vars/main/main.yml
similarity index 100%
rename from roles/kubespray_defaults/vars/main.yml
rename to roles/kubespray_defaults/vars/main/main.yml
diff --git a/scripts/component_hash_update/src/component_hash_update/download.py b/scripts/component_hash_update/src/component_hash_update/download.py
index 21d2bfb1e..15bacc047 100644
--- a/scripts/component_hash_update/src/component_hash_update/download.py
+++ b/scripts/component_hash_update/src/component_hash_update/download.py
@@ -25,7 +25,7 @@ from typing import Optional, Any
 from . import components
-CHECKSUMS_YML = Path("roles/kubespray_defaults/defaults/main/checksums.yml")
+CHECKSUMS_YML = Path("roles/kubespray_defaults/vars/main/checksums.yml")
 logger = logging.getLogger(__name__)
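Review bot: The new `CHECKSUMS_YML` path carries no comment recording why the file lives under `vars/` rather than `defaults/`, and that reason is the security point of the commit: per the description, role defaults rank below host facts, so a managed host could override the pinned hashes. I would add above the constant `# Kept under vars/ (not defaults/): role vars outrank host facts, so a host cannot override the pinned checksums.` so that a later tidy-up does not move it back. The path is also relative to the working directory, so the updater presumably has to be run from the repository root, and the same comment could say so. Only three files change here, so any other reference to the old `defaults/main/checksums.yml` location (docs, CI, other scripts) is not visible in this patch and is worth a grep. The rest of download.py lies outside the hunk.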