Update common

.github/workflows/linter.yml

@@ -52,17 +52,12 @@ jobs:
  run: |
  make common-test
 
- - name: Run make test
- run: |
- make test
+ # Disable tests for now, as it needs quite some love
+ # - name: Run make test
+ # run: |
+ # make test
 
  - name: Run make helmlint
  run: |
  make helmlint
 
- - name: Run make helm kubeconform
- run: |
- curl -L -O https://github.com/yannh/kubeconform/releases/download/v0.4.13/kubeconform-linux-amd64.tar.gz
- tar xf kubeconform-linux-amd64.tar.gz
- sudo mv -v kubeconform /usr/local/bin
- make kubeconform

common/.ansible-lint

@@ -1,3 +1,21 @@
 # Vim filetype=yaml
 ---
 offline: false
+skip_list:
+ - name[template] # Allow Jinja templating inside task and play names
+ - template-instead-of-copy # Templated files should use template instead of copy
+ - yaml[line-length] # too long lines
+ - yaml[indentation] # Forcing lists to be always indented by 2 chars is silly IMO
+ - var-naming[no-role-prefix] # This would be too much churn for very little gain
+ - no-changed-when
+ - var-naming[no-role-prefix] # There are too many changes now and it would be too risky
+
+# ansible-lint gh workflow cannot find ansible.cfg hence fails to import vault_utils role
+exclude_paths:
+ - ./ansible/playbooks/vault/vault.yaml
+ - ./ansible/playbooks/iib-ci/iib-ci.yaml
+ - ./ansible/playbooks/k8s_secrets/k8s_secrets.yml
+ - ./ansible/playbooks/process_secrets/process_secrets.yml
+ - ./ansible/playbooks/write-token-kubeconfig/write-token-kubeconfig.yml
+ - ./ansible/playbooks/process_secrets/display_secrets_info.yml
+ - ./ansible/roles/vault_utils/tests/test.yml

common/.github/dependabot.yml

@@ -0,0 +1,9 @@
+---
+version: 2
+updates:
+ # Check for updates to GitHub Actions every week
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+

common/.github/linters/.gitleaks.toml

@@ -0,0 +1,8 @@
+[whitelist]
+# As of v4, gitleaks only matches against filename, not path in the
+# files directive. Leaving content for backwards compatibility.
+files = [
+ "ansible/plugins/modules/*.py",
+ "ansible/tests/unit/test_*.py",
+ "ansible/tests/unit/v1/*.yaml",
+]

common/.github/workflows/ansible-lint.yml

@@ -8,11 +8,10 @@ jobs:
 
  steps:
  # Important: This sets up your GITHUB_WORKSPACE environment variable
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v4
 
  - name: Lint Ansible Playbook
- # Using the latest as of today (2022-06-23) v6.2.1
- uses: ansible/[email protected]
+ uses: ansible/ansible-lint-action@v6
  # Let's point it to the path
  with:
  path: "ansible/"

common/.github/workflows/ansible-unittest.yml

@@ -0,0 +1,52 @@
+---
+name: Ansible unit tests
+
+#
+# Documentation:
+# https://help.github.com/en/articles/workflow-syntax-for-github-actions
+#
+
+#############################
+# Start the job on all push #
+#############################
+on: [push, pull_request]
+
+###############
+# Set the Job #
+###############
+jobs:
+ ansible_unittests:
+ # Name the Job
+ name: Ansible unit tests
+ strategy:
+ matrix:
+ python-version: [3.11.3]
+ # Set the agent to run on
+ runs-on: ubuntu-latest
+
+ ##################
+ # Load all steps #
+ ##################
+ steps:
+ ##########################
+ # Checkout the code base #
+ ##########################
+ - name: Checkout Code
+ uses: actions/checkout@v4
+ with:
+ # Full git history is needed to get a proper list of changed files within `super-linter`
+ fetch-depth: 0
+
+ - name: Set up Python ${{ matrix.python-version }}
+ uses: actions/setup-python@v5
+ with:
+ python-version: ${{ matrix.python-version }}
+
+ - name: Install dependencies
+ run: |
+ python -m pip install --upgrade pip
+ pip install pytest ansible
+
+ - name: Run make ansible-unittest
+ run: |
+ make ansible-unittest

common/.github/workflows/chart-branches.yml

@@ -0,0 +1,108 @@
+---
+name: Create per-chart branches
+
+# We only run this job on the charts that will be later moved to full blown charts
+# We also want to run the subtree comand only for the charts that have been actually changed
+# because git subtree split is a bit of an expensive operation
+# github actions do not support yaml anchors so there is more duplication than usual
+on:
+ push:
+ branches:
+ - main
+ paths:
+ - 'acm/**'
+ - 'golang-external-secrets/**'
+ - 'hashicorp-vault/**'
+ - 'letsencrypt/**'
+ - 'clustergroup/**'
+
+jobs:
+ changes:
+ name: Figure out per-chart changes
+ if: github.repository == 'validatedpatterns/common'
+ runs-on: ubuntu-latest
+ permissions: read-all
+ outputs:
+ acm: ${{ steps.filter.outputs.acm }}
+ golang-external-secrets: ${{ steps.filter.outputs.golang-external-secrets }}
+ hashicorp-vault: ${{ steps.filter.outputs.hashicorp-vault }}
+ letsencrypt: ${{ steps.filter.outputs.letsencrypt }}
+ clustergroup: ${{ steps.filter.outputs.clustergroup }}
+ steps:
+ - name: Checkout Code
+ uses: actions/checkout@v4
+
+ - uses: dorny/paths-filter@v3
+ id: filter
+ with:
+ filters: |
+ acm:
+ - 'acm/**'
+ golang-external-secrets:
+ - 'golang-external-secrets/**'
+ hashicorp-vault:
+ - 'hashicorp-vault/**'
+ letsencrypt:
+ - 'letsencrypt/**'
+ clustergroup:
+ - 'clustergroup/**'
+
+ acm:
+ needs: changes
+ if: ${{ (needs.changes.outputs.acm == 'true') && (github.repository == 'validatedpatterns/common') }}
+ uses: validatedpatterns/common/.github/workflows/chart-split.yml@main
+ permissions:
+ actions: write
+ contents: write
+ with:
+ chart_name: acm
+ target_repository: validatedpatterns/acm-chart
+ secrets: inherit
+
+ golang-external-secrets:
+ needs: changes
+ if: ${{ (needs.changes.outputs.golang-external-secrets == 'true') && (github.repository == 'validatedpatterns/common') }}
+ uses: validatedpatterns/common/.github/workflows/chart-split.yml@main
+ permissions:
+ actions: write
+ contents: write
+ with:
+ chart_name: golang-external-secrets
+ target_repository: validatedpatterns/golang-external-secrets-chart
+ secrets: inherit
+
+ hashicorp-vault:
+ needs: changes
+ if: ${{ (needs.changes.outputs.hashicorp-vault == 'true') && (github.repository == 'validatedpatterns/common') }}
+ uses: validatedpatterns/common/.github/workflows/chart-split.yml@main
+ permissions:
+ actions: write
+ contents: write
+ with:
+ chart_name: hashicorp-vault
+ target_repository: validatedpatterns/hashicorp-vault-chart
+ secrets: inherit
+
+ letsencrypt:
+ needs: changes
+ if: ${{ (needs.changes.outputs.letsencrypt == 'true') && (github.repository == 'validatedpatterns/common') }}
+ uses: validatedpatterns/common/.github/workflows/chart-split.yml@main
+ permissions:
+ actions: write
+ contents: write
+ with:
+ chart_name: letsencrypt
+ target_repository: validatedpatterns/letsencrypt-chart
+ secrets: inherit
+
+ clustergroup:
+ needs: changes
+ if: ${{ (needs.changes.outputs.clustergroup == 'true') && (github.repository == 'validatedpatterns/common') }}
+ uses: validatedpatterns/common/.github/workflows/chart-split.yml@main
+ permissions:
+ actions: write
+ contents: write
+ with:
+ chart_name: clustergroup
+ target_repository: validatedpatterns/clustergroup-chart
+ secrets: inherit

common/.github/workflows/chart-split.yml

@@ -0,0 +1,42 @@
+---
+name: Split into chart repo branches
+
+on:
+ workflow_call:
+ inputs:
+ chart_name:
+ required: true
+ type: string
+ target_repository:
+ required: true
+ type: string
+
+jobs:
+ split_chart:
+ runs-on: ubuntu-latest
+ permissions:
+ actions: write
+ contents: write
+ steps:
+ - name: Checkout Code
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+ token: ${{ secrets.CHARTS_REPOS_TOKEN }}
+
+ - name: Run git subtree split and push
+ env:
+ GITHUB_TOKEN: ${{ secrets.CHARTS_REPOS_TOKEN }}
+ run: |
+ set -e
+ N="${{ inputs.chart_name }}"
+ B="${N}-main-single-chart"
+ GITIMG="quay.io/hybridcloudpatterns/gitsubtree-container:2.40.1"
+ sudo apt-get update -y && sudo apt-get install -y podman
+ echo "Running subtree split for ${B}"
+ podman pull "${GITIMG}"
+ git push origin -d "${B}" || /bin/true
+ # Git subtree got broken on recent versions of git hence this container
+ podman run --net=host --rm -t -v .:/git "${GITIMG}" subtree split -P "${N}" -b "${B}"
+ #git clone https://validatedpatterns:${GITHUB_TOKEN}@github.com/validatedpatterns/common.git -b "acm-main-single-chart" --single-branch
+ git push --force https://validatedpatterns:"${GITHUB_TOKEN}"@github.com/${{ inputs.target_repository }}.git "${B}:main"

common/.github/workflows/jsonschema.yaml

@@ -0,0 +1,57 @@
+---
+name: Verify json schema
+
+#
+# Documentation:
+# https://help.github.com/en/articles/workflow-syntax-for-github-actions
+#
+
+#############################
+# Start the job on all push #
+#############################
+on: [push, pull_request]
+
+###############
+# Set the Job #
+###############
+jobs:
+ jsonschema_tests:
+ # Name the Job
+ name: Json Schema tests
+ strategy:
+ matrix:
+ python-version: [3.11.3]
+ # Set the agent to run on
+ runs-on: ubuntu-latest
+
+ ##################
+ # Load all steps #
+ ##################
+ steps:
+ ##########################
+ # Checkout the code base #
+ ##########################
+ - name: Checkout Code
+ uses: actions/checkout@v4
+ with:
+ # Full git history is needed to get a proper list of changed files within `super-linter`
+ fetch-depth: 0
+
+ - name: Set up Python ${{ matrix.python-version }}
+ uses: actions/setup-python@v5
+ with:
+ python-version: ${{ matrix.python-version }}
+
+ - name: Install dependencies
+ run: |
+ python -m pip install --upgrade pip
+ pip install check-jsonschema
+
+ - name: Verify secrets json schema
+ run: |
+ check-jsonschema --schemafile ./ansible/roles/vault_utils/values-secrets.v1.schema.json examples/secrets/values-secret.v1.yaml
+ check-jsonschema --schemafile ./ansible/roles/vault_utils/values-secrets.v2.schema.json examples/secrets/values-secret.v2.yaml
+
+ - name: Verify ClusterGroup values.schema.json
+ run: |
+ set -e; for i in examples/*yaml; do echo "$i"; check-jsonschema --schemafile ./clustergroup/values.schema.json "$i"; done

common/.github/workflows/linter.yml

@@ -29,15 +29,15 @@ jobs:
  # Checkout the code base #
  ##########################
  - name: Checkout Code
- uses: actions/checkout@v2
+ uses: actions/checkout@v4
  with:
  # Full git history is needed to get a proper list of changed files within `super-linter`
  fetch-depth: 0
  - name: Setup helm
- uses: azure/setup-helm@v1
- # with:
- # version: '<version>' # default is latest stable
- id: install
+ uses: azure/setup-helm@v4
+ with:
+  version: 'v3.14.0'
+
 
  ################################
  # Run Linter against code base #
@@ -56,9 +56,10 @@ jobs:
  run: |
  make helmlint
 
- - name: Run make helm kubeconform
- run: |
- curl -L -O https://github.com/yannh/kubeconform/releases/download/v0.4.13/kubeconform-linux-amd64.tar.gz
- tar xf kubeconform-linux-amd64.tar.gz
- sudo mv -v kubeconform /usr/local/bin
- make kubeconform
+ # For now disable this until we have a nice and simple process to update the schemas in our repo
+ # - name: Run make helm kubeconform
+ # run: |
+ # curl -L -O https://github.com/yannh/kubeconform/releases/download/v0.4.13/kubeconform-linux-amd64.tar.gz
+ # tar xf kubeconform-linux-amd64.tar.gz
+ # sudo mv -v kubeconform /usr/local/bin
+ # make kubeconform