Add 'common/' from commit '842d13f4d53e83600bfd33d274cfc51e0527c7f9'

git-subtree-dir: common
git-subtree-mainline: 506c3b5
git-subtree-split: 842d13f

common/.ansible-lint

@@ -0,0 +1,21 @@
+# Vim filetype=yaml
+---
+offline: false
+skip_list:
+  - name[template] # Allow Jinja templating inside task and play names
+  - template-instead-of-copy # Templated files should use template instead of copy
+  - yaml[line-length] # too long lines
+  - yaml[indentation] # Forcing lists to be always indented by 2 chars is silly IMO
+  - var-naming[no-role-prefix] # This would be too much churn for very little gain
+  - no-changed-when
+  - var-naming[no-role-prefix] # There are too many changes now and it would be too risky
+
+# ansible-lint gh workflow cannot find ansible.cfg hence fails to import vault_utils role
+exclude_paths:
+  - ./ansible/playbooks/vault/vault.yaml
+  - ./ansible/playbooks/iib-ci/iib-ci.yaml
+  - ./ansible/playbooks/k8s_secrets/k8s_secrets.yml
+  - ./ansible/playbooks/process_secrets/process_secrets.yml
+  - ./ansible/playbooks/write-token-kubeconfig/write-token-kubeconfig.yml
+  - ./ansible/playbooks/process_secrets/display_secrets_info.yml
+  - ./ansible/roles/vault_utils/tests/test.yml

common/.github/dependabot.yml

@@ -0,0 +1,9 @@
+---
+version: 2
+updates:
+  # Check for updates to GitHub Actions every week
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+

common/.github/linters/.gitleaks.toml

@@ -0,0 +1,4 @@
+[whitelist]
+# As of v4, gitleaks only matches against filename, not path in the
+# files directive.  Leaving content for backwards compatibility.
+files = [ ]

common/.github/linters/.markdown-lint.yml

@@ -0,0 +1,6 @@
+{
+    "default": true,
+    "MD003": false,
+    "MD013": false,
+    "MD033": false
+}

common/.github/workflows/linter.yml

@@ -0,0 +1,65 @@
+---
+name: Unit test common
+
+#
+# Documentation:
+# https://help.github.com/en/articles/workflow-syntax-for-github-actions
+#
+
+#############################
+# Start the job on all push #
+#############################
+on: [push, pull_request]
+
+###############
+# Set the Job #
+###############
+jobs:
+  build:
+    # Name the Job
+    name: Unit common/ Code Base
+    # Set the agent to run on
+    runs-on: ubuntu-latest
+
+    ##################
+    # Load all steps #
+    ##################
+    steps:
+      ##########################
+      # Checkout the code base #
+      ##########################
+      - name: Checkout Code
+        uses: actions/checkout@v4
+        with:
+          # Full git history is needed to get a proper list of changed files within `super-linter`
+          fetch-depth: 0
+      - name: Setup helm
+        uses: azure/setup-helm@v4
+        with:
+          version: 'v3.14.0'
+
+
+      ################################
+      # Run Linter against code base #
+      ################################
+      # - name: Lint Code Base
+      #   uses: github/super-linter@v4
+      #   env:
+      #     VALIDATE_ALL_CODEBASE: false
+      #     DEFAULT_BRANCH: main
+      #     GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Run make test
+        run: |
+          make test
+
+      - name: Run make helmlint
+        run: |
+          make helmlint
+
+      # For now disable this until we have a nice and simple process to update the schemas in our repo
+      # - name: Run make helm kubeconform
+      #   run: |
+      #     curl -L -O https://github.com/yannh/kubeconform/releases/download/v0.4.13/kubeconform-linux-amd64.tar.gz
+      #     tar xf kubeconform-linux-amd64.tar.gz
+      #     sudo mv -v kubeconform /usr/local/bin
+      #     make kubeconform

common/.github/workflows/superlinter.yml

@@ -0,0 +1,44 @@
+---
+name: Super linter
+
+on: [push, pull_request]
+
+jobs:
+  build:
+    # Name the Job
+    name: Super linter
+    # Set the agent to run on
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v4
+        with:
+          # Full git history is needed to get a proper list of changed files within `super-linter`
+          fetch-depth: 0
+
+      ################################
+      # Run Linter against code base #
+      ################################
+      - name: Lint Code Base
+        uses: super-linter/super-linter/slim@v7
+        env:
+          VALIDATE_ALL_CODEBASE: true
+          DEFAULT_BRANCH: main
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          # These are the validation we disable atm
+          VALIDATE_ANSIBLE: false
+          VALIDATE_BASH: false
+          VALIDATE_CHECKOV: false
+          VALIDATE_JSCPD: false
+          VALIDATE_JSON_PRETTIER: false
+          VALIDATE_MARKDOWN_PRETTIER: false
+          VALIDATE_KUBERNETES_KUBECONFORM: false
+          VALIDATE_PYTHON_PYLINT: false
+          VALIDATE_SHELL_SHFMT: false
+          VALIDATE_YAML: false
+          VALIDATE_YAML_PRETTIER: false
+          # VALIDATE_DOCKERFILE_HADOLINT: false
+          # VALIDATE_MARKDOWN: false
+          # VALIDATE_NATURAL_LANGUAGE: false
+          # VALIDATE_TEKTON: false

common/.gitignore

@@ -0,0 +1,13 @@
+__pycache__/
+*.py[cod]
+*~
+*.swp
+*.swo
+values-secret.yaml
+.*.expected.yaml
+.vscode
+pattern-vault.init
+pattern-vault.init.bak
+super-linter.log
+golang-external-secrets/Chart.lock
+hashicorp-vault/Chart.lock

common/.gitleaks.toml

@@ -0,0 +1 @@
+.github/linters/.gitleaks.toml

common/Changes.md

@@ -0,0 +1,153 @@
+# Changes
+
+## Sep 24, 2024
+
+* Ansible has been moved out of the common code tree, you must use a clustergroup chart that is >= 0.9.1
+
+## Sep 6, 2024
+
+* Most charts have been removed from the tree. To get the charts you now have to point to them
+
+## Sep 25, 2023
+
+* Upgraded ESO to v0.9.5
+
+## Aug 17, 2023
+
+* Introduced support for multisource applications via .chart + .chartVersion
+
+## Jul 8, 2023
+
+* Introduced a default of 20 for sync failures retries in argo applications (global override via global.options.applicationRetryLimit
+  and per-app override via .syncPolicy)
+
+## May 22, 2023
+
+* Upgraded ESO to 0.8.2
+* *Important* we now use the newly blessed sso config for argo. This means that gitops < 1.8 are *unsupported*
+
+## May 18, 2023
+
+* Introduce a EXTRA_HELM_OPTS env variable that will be passed to the helm invocations
+
+## April 21, 2023
+
+* Added labels and annotation support to namespaces.yaml template
+
+## Apr 11, 2023
+
+* Apply the ACM ocp-gitops-policy everywhere but the hub
+
+## Apr 7, 2023
+
+* Moved to gitops-1.8 channel by default (stable is unmaintained and will be dropped starting with ocp-4.13)
+
+## March 20, 2023
+
+* Upgraded ESO to 0.8.1
+
+## February 9, 2023
+
+* Add support for /values-<platform>.yaml and for /values-<platform>-<clusterversion>.yaml
+
+## January 29, 2023
+
+* Stop extracting the HUB's CA via an imperative job running on the imported cluster.
+  Just use ACM to push the HUB's CA out to the managed clusters.
+
+## January 23, 2023
+
+* Add initial support for running ESO on ACM-imported clusters
+
+## January 18, 2023
+
+* Add validate-schema target
+
+## January 13, 2023
+
+* Simplify the secrets paths when using argo hosted sites
+
+## January 10, 2023
+
+* vaultPrefixes is now optional in the v2 secret spec and defaults to ["hub"]
+
+## December 9, 2022
+
+* Dropped insecureUnsealVaultInsideCluster (and file_unseal) entirely. Now
+  vault is always unsealed via a cronjob in the cluster. It is recommended to
+  store the imperative/vaultkeys secret offline securely and then delete it.
+
+## December 8, 2022
+
+* Removed the legacy installation targets:
+  `deploy upgrade legacy-deploy legacy-upgrade`
+  Patterns must now use the operator-based installation
+
+## November 29, 2022
+
+* Upgraded vault-helm to 0.23.0
+* Enable vault-ssl by default
+
+## November 22, 2022
+
+* Implemented a new format for the values-secret.yaml. Example can be found in examples/ folder
+* Now the order of values-secret file lookup is the following:
+  1. ~/values-secret-<patternname>.yaml
+  2. ~/values-secret.yaml
+  3. <patterngitrepo>/values-secret.yaml.template
+* Add support for ansible vault encrypted values-secret files. You can now encrypt your values-secret file
+  at rest with `ansible-vault encrypt ~/values-secret.yaml`. When running `make load-secrets` if an encrypted
+  file is encountered the user will be prompted automatically for the password to decrypt it.
+
+## November 6, 2022
+
+* Add support for /values-<CloudPlatform>-<clusterGroup>.yaml (e.g. /values-AWS-group-one.yaml)
+
+## October 28, 2022
+
+* Updated vault helm chart to v0.22.1 and vault containers to 1.12.0
+
+## October 25, 2022
+
+* Updated External Secrets Operator to v0.6.0
+* Moved to -UBI based ESO containers
+
+## October 13, 2022
+
+* Added global.clusterVersion as a new helm variable which represents the OCP
+  Major.Minor cluster version. By default now a user can add a
+  values-<ocpversion>-<clustergroup>.yaml file to have specific cluster version
+  overrides (e.g. values-4.10-hub.yaml). Will need Validated Patterns Operator >= 0.0.6
+  when deploying with the operator. Note: When using the ArgoCD Hub and spoke model,
+  you cannot have spokes with a different version of OCP than the hub.
+
+## October 4, 2022
+
+* Extended the values-secret.yaml file to support multiple vault paths and re-wrote
+  the push_secrets feature as python module plugin. This requires the following line
+  in a pattern's ansible.cfg's '[defaults]' stanza:
+
+  `library=~/.ansible/plugins/modules:./ansible/plugins/modules:./common/ansible/plugins/modules:/usr/share/ansible/plugins/modules`
+
+## October 3, 2022
+
+* Restore the ability to install a non-default site: `make TARGET_SITE=mysite install`
+* Revised tests (new output and filenames, requires adding new result files to Git)
+* ACM 2.6 required for ACM-based managed sites
+* Introduced global.clusterDomain template variable (without the `apps.` prefix)
+* Removed the ability to send specific charts to another cluster, use hosted argo sites instead
+* Added the ability to have the hub host `values-{site}.yaml` for spoke clusters.
+
+  The following example would deploy the namespaces, subscriptions, and
+  applications defined in `values-group-one.yaml` to the `perth` cluster
+  directly from ArgoCD on the hub.
+
+  ```yaml
+  managedClusterGroups:
+  - name: group-one
+    hostedArgoSites:
+    - name: perth
+      domain: perth1.beekhof.net
+      bearerKeyPath: secret/data/hub/cluster_perth
+      caKeyPath: secret/data/hub/cluster_perth_ca
+  ```