From bf28880ed52ac85cfeaa477ed432e5ed1d9bfede Mon Sep 17 00:00:00 2001
From: tomashek
Date: Thu, 4 Dec 2025 14:54:11 -0600
Subject: [PATCH 1/2] For sudo that requires a password, this PR takes the pw from a file
---
core/lib/add-node.sh | 4 ++--
core/lib/cluster/config/cluster-config-init.sh | 4 ++--
core/lib/cluster/deployment/cluster-purge.sh | 2 +-
core/lib/cluster/deployment/fresh-install.sh | 4 ++--
core/lib/cluster/nodes/add-node.sh | 2 +-
core/lib/cluster/nodes/remove-node.sh | 4 ++--
core/lib/cluster/state/cluster-state-check.sh | 4 ++--
core/lib/components/intel-base-operator.sh | 4 ++--
.../lib/components/observability-controller.sh | 4 ++--
core/lib/system/config-vars.sh | 1 +
core/lib/system/precheck/prereq-check.sh | 18 +++++++++---------
core/lib/system/precheck/readiness-check.sh | 4 ++--
12 files changed, 28 insertions(+), 27 deletions(-)
diff --git a/core/lib/add-node.sh b/core/lib/add-node.sh
index 819241a..2443d79 100644
--- a/core/lib/add-node.sh
+++ b/core/lib/add-node.sh
@@ -17,7 +17,7 @@ add_inference_nodes_playbook() {
 invoke_prereq_workflows "$@"
- ansible-playbook -i "${INVENTORY_PATH}" playbooks/cluster.yml --become --become-user=root
+ ansible-playbook -i "${INVENTORY_PATH}" playbooks/cluster.yml --become --become-user=root --become-password-file="${BECOME_PASSWORD_FILE}"
 }
@@ -55,4 +55,4 @@ add_worker_node() {
 echo -e "${GREEN}| Please stand by while the NRI CPU Balloons are being re-applied... |${NC}"
 echo -e "${BLUE}------------------------------------------------------------------------------${NC}"
 fi
-}
\ No newline at end of file
+}
diff --git a/core/lib/cluster/config/cluster-config-init.sh b/core/lib/cluster/config/cluster-config-init.sh
index bdc8af6..2b86b66 100644
--- a/core/lib/cluster/config/cluster-config-init.sh
+++ b/core/lib/cluster/config/cluster-config-init.sh
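Review bot: The added `--become-password-file="${BECOME_PASSWORD_FILE}"` is passed unconditionally, so every playbook run now depends on that file existing and being readable, and no hunk in this patch checks for it; as far as I recall Ansible refuses to start when the file cannot be read, so a missing or mis-permissioned file surfaces only as an Ansible error, and hosts that use passwordless sudo still need the file to be present. A single guard before the first privileged call would make the failure explicit, e.g. `[[ -r "${BECOME_PASSWORD_FILE}" ]] || { echo -e "${RED}Become password file not readable: ${BECOME_PASSWORD_FILE}${NC}" >&2; return 1; }`, or the option could be appended only when the file exists so NOPASSWD setups keep working without it. The same unconditional flag is added in cluster-config-init.sh, cluster-purge.sh, fresh-install.sh, nodes/add-node.sh, remove-node.sh, cluster-state-check.sh, intel-base-operator.sh, observability-controller.sh and readiness-check.sh. add_inference_nodes_playbook starts before this hunk and its remaining lines are not all visible here.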
@@ -8,5 +8,5 @@ deploy_cluster_config_playbook() {
 tags=""
 fi
- ansible-playbook -i "${INVENTORY_PATH}" playbooks/deploy-cluster-config.yml --become --become-user=root --extra-vars "secret_name=${cluster_url} cert_file=${cert_file} key_file=${key_file}" --tags "$tags"
-}
\ No newline at end of file
+ ansible-playbook -i "${INVENTORY_PATH}" playbooks/deploy-cluster-config.yml --become --become-user=root --become-password-file="${BECOME_PASSWORD_FILE}" --extra-vars "secret_name=${cluster_url} cert_file=${cert_file} key_file=${key_file}" --tags "$tags"
+}
diff --git a/core/lib/cluster/deployment/cluster-purge.sh b/core/lib/cluster/deployment/cluster-purge.sh
index f377f9c..bffdd8e 100644
--- a/core/lib/cluster/deployment/cluster-purge.sh
+++ b/core/lib/cluster/deployment/cluster-purge.sh
@@ -11,7 +11,7 @@ run_reset_playbook() {
 fi
 ansible-playbook -i "${INVENTORY_PATH}" playbooks/deploy-keycloak-controller.yml --extra-vars "delete_pv_on_purge=${delete_pv_on_purge}"
- ansible-playbook -i "${INVENTORY_PATH}" --become --become-user=root reset.yml -e "confirm_reset=yes reset_nodes=false"
+ ansible-playbook -i "${INVENTORY_PATH}" --become --become-user=root --become-password-file="${BECOME_PASSWORD_FILE}" reset.yml -e "confirm_reset=yes reset_nodes=false"
 # Check the exit status of the Ansible playbook command
 if [ $? -eq 0 ]; then
 echo "Cluster reset playbook execution completed successfully."
diff --git a/core/lib/cluster/deployment/fresh-install.sh b/core/lib/cluster/deployment/fresh-install.sh
index f4901f1..2a22c40 100644
--- a/core/lib/cluster/deployment/fresh-install.sh
+++ b/core/lib/cluster/deployment/fresh-install.sh
@@ -190,5 +190,5 @@ fresh_installation() {
 run_fresh_install_playbook() {
 echo "Running the cluster.yml playbook to set up the Kubernetes cluster..."
- ansible-playbook -i "${INVENTORY_PATH}" --become --become-user=root cluster.yml
-}
\ No newline at end of file
+ ansible-playbook -i "${INVENTORY_PATH}" --become --become-user=root --become-password-file="${BECOME_PASSWORD_FILE}" cluster.yml
+}
diff --git a/core/lib/cluster/nodes/add-node.sh b/core/lib/cluster/nodes/add-node.sh
index 8ce9dd5..341846f 100644
--- a/core/lib/cluster/nodes/add-node.sh
+++ b/core/lib/cluster/nodes/add-node.sh
@@ -16,7 +16,7 @@ add_inference_nodes_playbook() {
 invoke_prereq_workflows "$@"
- ansible-playbook -i "${INVENTORY_PATH}" playbooks/cluster.yml --become --become-user=root
+ ansible-playbook -i "${INVENTORY_PATH}" playbooks/cluster.yml --become --become-user=root --become-password-file="${BECOME_PASSWORD_FILE}"
 }
diff --git a/core/lib/cluster/nodes/remove-node.sh b/core/lib/cluster/nodes/remove-node.sh
index c385ab7..f310386 100644
--- a/core/lib/cluster/nodes/remove-node.sh
+++ b/core/lib/cluster/nodes/remove-node.sh
@@ -15,7 +15,7 @@ remove_inference_nodes_playbook() {
 return 1
 fi
 invoke_prereq_workflows "$@"
- ansible-playbook -i "${INVENTORY_PATH}" playbooks/remove_node.yml --become --become-user=root -e node="$worker_nodes_to_remove" -e allow_ungraceful_removal=true
+ ansible-playbook -i "${INVENTORY_PATH}" playbooks/remove_node.yml --become --become-user=root --become-password-file="${BECOME_PASSWORD_FILE}" -e node="$worker_nodes_to_remove" -e allow_ungraceful_removal=true
 }
 remove_worker_node() {
@@ -35,4 +35,4 @@ remove_worker_node() {
 echo "| Node is being removed from Intel AI for Enterprise Inference! |"
 echo "------------------------------------------------------------------------"
-}
\ No newline at end of file
+}
diff --git a/core/lib/cluster/state/cluster-state-check.sh b/core/lib/cluster/state/cluster-state-check.sh
index 90fafd2..e971e2c 100644
--- a/core/lib/cluster/state/cluster-state-check.sh
+++ b/core/lib/cluster/state/cluster-state-check.sh
@@ -3,7 +3,7 @@ check_cluster_state() {
 echo "Checking the state of the Kubernetes cluster..."
- ansible-playbook -i inventory/mycluster/hosts.yaml --become --become-user=root upgrade-cluster.yml --check
+ ansible-playbook -i inventory/mycluster/hosts.yaml --become --become-user=root --become-password-file="${BECOME_PASSWORD_FILE}" upgrade-cluster.yml --check
 # Check the exit status of the Ansible playbook command
 if [ $? -eq 0 ]; then
 echo "Kubernetes cluster state check completed successfully."
@@ -15,6 +15,6 @@ check_cluster_state() {
 run_k8s_cluster_wait() {
 echo "Waiting for Kubernetes control plane to become ready..."
- ansible -i "${INVENTORY_PATH}" kube_control_plane -m wait_for -a "port=6443 timeout=600" --become --become-user=root
+ ansible -i "${INVENTORY_PATH}" kube_control_plane -m wait_for -a "port=6443 timeout=600" --become --become-user=root --become-password-file="${BECOME_PASSWORD_FILE}"
 return $?
 }
diff --git a/core/lib/components/intel-base-operator.sh b/core/lib/components/intel-base-operator.sh
index 6fab02a..aa4d47b 100644
--- a/core/lib/components/intel-base-operator.sh
+++ b/core/lib/components/intel-base-operator.sh
@@ -11,11 +11,11 @@ run_deploy_habana_ai_operator_playbook() {
 else
 gaudi_operator=""
 fi
- ansible-playbook -i "${INVENTORY_PATH}" --become --become-user=root playbooks/deploy-habana-ai-operator.yml --extra-vars "gaudi_operator=${gaudi_operator}"
+ ansible-playbook -i "${INVENTORY_PATH}" --become --become-user=root --become-password-file="${BECOME_PASSWORD_FILE}" playbooks/deploy-habana-ai-operator.yml --extra-vars "gaudi_operator=${gaudi_operator}"
 if [ $? -eq 0 ]; then
 echo "The deploy-habana-ai-operator.yml playbook ran successfully."
 else
 echo "The deploy-habana-ai-operator.yml playbook encountered an error."
 exit 1
 fi
-}
\ No newline at end of file
+}
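Review bot: The rewritten line in check_cluster_state still passes the relative `-i inventory/mycluster/hosts.yaml`, while every other hunk in this patch uses the absolute `"${INVENTORY_PATH}"`; since the become password file is now read alongside it, a wrong working directory makes this call fail in a different place than the others and is harder to diagnose. I would change it to `ansible-playbook -i "${INVENTORY_PATH}" --become --become-user=root --become-password-file="${BECOME_PASSWORD_FILE}" upgrade-cluster.yml --check` for consistency. The rest of check_cluster_state lies outside the hunk.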
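Review bot: run_k8s_cluster_wait now feeds the become password to an ad-hoc `wait_for` on `port=6443`, which is a plain TCP readiness probe and does not appear to need root; `--become --become-user=root` predate this change, but wiring the secret into the call widens where it is consumed without a visible benefit. Unless the inventory relies on become for connectivity in a way not shown here, dropping `--become --become-user=root --become-password-file="${BECOME_PASSWORD_FILE}"` from the `ansible ... -m wait_for` line keeps this step unprivileged, and the `return $?` that follows is then the only thing the function depends on.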
diff --git a/core/lib/components/observability-controller.sh b/core/lib/components/observability-controller.sh
index 94730ff..e8454c6 100644
--- a/core/lib/components/observability-controller.sh
+++ b/core/lib/components/observability-controller.sh
@@ -10,6 +10,6 @@ deploy_observability_playbook() {
 tags+="deploy_logging,"
 fi
 tags="${tags%,}"
- ansible-playbook -i "${INVENTORY_PATH}" playbooks/deploy-observability.yml --become --become-user=root --extra-vars "secret_name=${cluster_url} cert_file=${cert_file} key_file=${key_file} deploy_observability=${deploy_observability} deploy_logging=${deploy_logging} observability_stack_chart_version=${observability_stack_chart_version}" --tags "$tags" --vault-password-file "$vault_pass_file"
+ ansible-playbook -i "${INVENTORY_PATH}" playbooks/deploy-observability.yml --become --become-user=root --become-password-file="${BECOME_PASSWORD_FILE}" --extra-vars "secret_name=${cluster_url} cert_file=${cert_file} key_file=${key_file} deploy_observability=${deploy_observability} deploy_logging=${deploy_logging} observability_stack_chart_version=${observability_stack_chart_version}" --tags "$tags" --vault-password-file "$vault_pass_file"
-}
\ No newline at end of file
+}
diff --git a/core/lib/system/config-vars.sh b/core/lib/system/config-vars.sh
index 77bb2d7..fc6ba89 100644
--- a/core/lib/system/config-vars.sh
+++ b/core/lib/system/config-vars.sh
@@ -5,6 +5,7 @@ HOMEDIR="$(pwd)"
 KUBESPRAYDIR="$(dirname "$(realpath "$0")")/kubespray"
 VENVDIR="$(dirname "$(realpath "$0")")/kubespray225-venv"
 INVENTORY_PATH="${KUBESPRAYDIR}/inventory/mycluster/hosts.yaml"
+BECOME_PASSWORD_FILE="$(dirname "$(realpath "$0")")/inventory/.become-passfile"
 # Set the default values for the parameters
 cluster_url=""
 cert_file=""
diff --git a/core/lib/system/precheck/prereq-check.sh b/core/lib/system/precheck/prereq-check.sh
index be80ceb..4497eda 100644
--- a/core/lib/system/precheck/prereq-check.sh
+++ b/core/lib/system/precheck/prereq-check.sh
@@ -120,14 +120,14 @@ run_system_prerequisites_check() {
 echo "Updating system package lists..."
 if command -v apt &> /dev/null; then
 echo "Updating package lists using apt Ubuntu..."
- if sudo apt update; then
+ if sudo -S apt update < "${BECOME_PASSWORD_FILE}"; then
 echo -e "${GREEN}Package lists updated successfully${NC}"
 else
 echo -e "${YELLOW}Package list update failed, continuing anyway${NC}"
 fi
 elif command -v dnf &> /dev/null; then
 echo "Updating package lists using dnf (RHEL/CentOS)..."
- if sudo dnf check-update || [ $? -eq 100 ]; then
+ if sudo -S dnf check-update < "${BECOME_PASSWORD_FILE}" || [ $? -eq 100 ]; then
 echo -e "${GREEN} Package lists updated successfully${NC}"
 else
 echo -e "${YELLOW} Package list update failed, continuing anyway${NC}"
@@ -217,10 +217,10 @@ run_system_prerequisites_check() {
 if [ ${#other_deps[@]} -gt 0 ]; then
 if command -v dnf &> /dev/null; then
 echo "Installing dependencies using dnf RHEL..."
- sudo dnf install -y "${other_deps[@]}"
+ sudo -S dnf install -y "${other_deps[@]}" < "${BECOME_PASSWORD_FILE}"
 elif command -v apt &> /dev/null; then
 echo "Installing dependencies using apt Ubuntu..."
- sudo apt update && sudo apt install -y "${other_deps[@]}"
+ sudo -S apt update < "${BECOME_PASSWORD_FILE}" && sudo -S apt install -y "${other_deps[@]}" < "${BECOME_PASSWORD_FILE}"
 else
 echo -e "${RED}Unsupported package manager. This script supports RHEL (dnf) and Ubuntu (apt) only.${NC}"
 echo -e "${YELLOW}Please install manually:${NC}"
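Review bot: `sudo -S apt update < "${BECOME_PASSWORD_FILE}"` redirects the password file onto the whole command's stdin, so whatever sudo does not consume — or the entire file, when the credential is already cached or the sudoers rule is NOPASSWD and sudo never reads it — is handed to apt/dnf as their input, and `-S` still prints its password prompt to stderr on every call. Using `sudo -S -p '' ...` silences the prompt, and validating once at the top of run_system_prerequisites_check with `sudo -S -p '' -v < "${BECOME_PASSWORD_FILE}" || return 1` would let the later calls rely on sudo's cached timestamp (within its timeout) instead of re-reading the secret on each of the ten invocations. If the file is missing, the failed redirect is reported here as "Package list update failed, continuing anyway", which hides the real cause; a readability check before the first privileged call, `[[ -r "${BECOME_PASSWORD_FILE}" ]] || { echo -e "${RED}Become password file not readable: ${BECOME_PASSWORD_FILE}${NC}" >&2; return 1; }`, makes it explicit. The same pattern recurs in the `@@ -217,10` hunk and the `@@ -237,26` hunk of this file. run_system_prerequisites_check starts before and ends after this hunk.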
@@ -237,26 +237,26 @@ run_system_prerequisites_check() {
 python_version=$($python3_interpreter -c "import sys; print(f'{sys.version_info.major}.{sys.version_info.minor}')")
 if [[ "$python_version" == "3.11" ]]; then
 echo "Installing python3.11-pip using dnf (RHEL 9)..."
- if ! sudo dnf install -y python3.11-pip; then
+ if ! sudo -S dnf install -y python3.11-pip < "${BECOME_PASSWORD_FILE}"; then
 echo -e "${RED}Failed to install python3.11-pip using dnf${NC}"
 exit 1
 fi
 elif [[ "$python_version" == "3.12" ]]; then
 echo "Installing python3.12-pip using dnf (RHEL 9)..."
- if ! sudo dnf install -y python3.12-pip; then
+ if ! sudo -S dnf install -y python3.12-pip < "${BECOME_PASSWORD_FILE}"; then
 echo -e "${RED}Failed to install python3.12-pip using dnf${NC}"
 exit 1
 fi
 else
 echo "Installing python3-pip using dnf (RHEL 9)..."
- if ! sudo dnf install -y python3-pip; then
+ if ! sudo -S dnf install -y python3-pip < "${BECOME_PASSWORD_FILE}"; then
 echo -e "${RED}Failed to install python3-pip using dnf${NC}"
 exit 1
 fi
 fi
 elif command -v apt &> /dev/null; then
 echo "Installing python3-pip using apt (Ubuntu 22/24)..."
- if ! sudo apt install -y python3-pip; then
+ if ! sudo -S apt install -y python3-pip < "${BECOME_PASSWORD_FILE}"; then
 echo -e "${RED}Failed to install python3-pip using apt${NC}"
 exit 1
 fi
@@ -298,4 +298,4 @@ run_system_prerequisites_check() {
 echo -e "${GREEN}System prerequisites check completed successfully.${NC}"
 return 0
-}
\ No newline at end of file
+}
diff --git a/core/lib/system/precheck/readiness-check.sh b/core/lib/system/precheck/readiness-check.sh
index 4a5cf5c..ac7d3fa 100644
--- a/core/lib/system/precheck/readiness-check.sh
+++ b/core/lib/system/precheck/readiness-check.sh
@@ -10,11 +10,11 @@ run_infrastructure_readiness_check() {
 echo -e "${YELLOW}Please ensure the inventory file exists and contains the correct host information.${NC}"
 return 1
 fi
- if ansible-playbook -i "${INVENTORY_PATH}" --become --become-user=root --extra-vars "brownfield_deployment=true" playbooks/inference-precheck.yml; then
+ if ansible-playbook -i "${INVENTORY_PATH}" --become --become-user=root --become-password-file="${BECOME_PASSWORD_FILE}" --extra-vars "brownfield_deployment=true" playbooks/inference-precheck.yml; then
 echo -e "${GREEN}Infrastructure readiness check completed successfully.${NC}"
 return 0
 else
 echo -e "${RED}Infrastructure readiness check failed. Please resolve the issues before proceeding.${NC}"
 return 1
 fi
-}
\ No newline at end of file
+}
From 1099a411559359c91b002c8f03dc1bc34b16a29d Mon Sep 17 00:00:00 2001
From: toddtomashek-c2l
Date: Tue, 23 Dec 2025 12:21:53 -0600
Subject: [PATCH 2/2] Update core/lib/system/config-vars.sh
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
core/lib/system/config-vars.sh | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/core/lib/system/config-vars.sh b/core/lib/system/config-vars.sh
index fc6ba89..ce24cf5 100644
--- a/core/lib/system/config-vars.sh
+++ b/core/lib/system/config-vars.sh
@@ -5,6 +5,11 @@ HOMEDIR="$(pwd)"
 KUBESPRAYDIR="$(dirname "$(realpath "$0")")/kubespray"
 VENVDIR="$(dirname "$(realpath "$0")")/kubespray225-venv"
 INVENTORY_PATH="${KUBESPRAYDIR}/inventory/mycluster/hosts.yaml"
+# Path to the file containing the sudo (become) password for automation.
+# The file should contain the password in plain text (no extra whitespace or newlines).
+# For security, set file permissions to 600 (read/write for owner only):
+# chmod 600
+# IMPORTANT: Add this file to .gitignore to prevent accidental commits to version control.
+BECOME_PASSWORD_FILE="$(dirname "$(realpath "$0")")/inventory/.become-passfile"
 # Set the default values for the parameters
 cluster_url=""
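Review bot: The new comment block asks for `chmod 600` but never names the file, and nothing in either patch enforces the file's existence or mode at runtime even though it now gates every privileged step; a check right after the assignment, `[[ -r "${BECOME_PASSWORD_FILE}" ]] || { echo "become password file not readable: ${BECOME_PASSWORD_FILE}" >&2; exit 1; }`, plus a `stat -c '%a'` comparison against 600 (GNU stat; hedge or skip it on non-GNU systems), would catch a missing or world-readable secret before it is used. The chosen path sits under the script directory's `inventory/`, whereas `INVENTORY_PATH` two lines above lives under `${KUBESPRAYDIR}/inventory/`; if the same directory was intended, `${KUBESPRAYDIR}/inventory/.become-passfile` keeps them together, and the `.gitignore` advice should then name that location. The "no extra whitespace or newlines" wording is also stricter than needed as far as I can tell, since both Ansible's `--become-password-file` and `sudo -S` tolerate a trailing newline, so I would write `#   chmod 600 "${BECOME_PASSWORD_FILE}"` and note that a single trailing newline is fine.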