Merge branch 'main' into dependabot/npm_and_yarn/ts-node-dev-2.0.0

Author: CasLubbers

.env.sample

@@ -8,24 +8,11 @@ DISABLE_SYNC=1
 # ENV_DIR=''
 
 # KMS access from here on
-# Google (paste json key here without newlines nor spaces and double quotes escaped)
-GCLOUD_SERVICE_KEY="\"some\":\"key\""
-# Azure:
-AZURE_TENANT_ID=''
-AZURE_CLIENT_ID=''
-AZURE_CLIENT_SECRET=''
-# AWS:
-AWS_DEFAULT_REGION=''
-AWS_REGION=''
-AWS_ACCESS_KEY_ID=''
-AWS_SECRET_ACCESS_KEY=''
-# AGE:
 SOPS_AGE_KEY=''
 
 OTOMI_CHARTS_URL='https://github.com/linode/apl-charts.git'
 
-
 RETRIES=6
 RANDOM=false
 MIN_TIMEOUT=10000
-FACTOR=1
+FACTOR=1

.github/workflows/Releases.yml

@@ -0,0 +1,26 @@
+name: Release
+
+on:
+  workflow_dispatch:
+    inputs:
+      dry-run:
+        type: boolean
+        description: 'Dry run: Uncheck if you want to publish a release'
+        default: true
+
+jobs:
+  release-please:
+    permissions:
+      contents: write
+      pull-requests: write
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+      - name: Install dependencies
+        run: |
+          npm install semantic-release@24 @semantic-release/git @semantic-release/changelog  -D
+      - name: Release
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: npx semantic-release --dry-run=${{ github.event.inputs.dry-run }}

.github/workflows/integration.yml

@@ -2,6 +2,10 @@ name: Deploy APL
 on:
   workflow_call:
     inputs:
+      linode_types:
+        description: 'Linode instance types'
+        type: string
+        default: g6-dedicated-8
       kubernetes_versions:
         description: 'Kubernetes version'
         type: string
@@ -28,14 +32,26 @@ on:
         default: 'false'
   workflow_dispatch:
     inputs:
+      linode_types:
+        description: 'Linode instance types'
+        type: choice
+        options:
+          - g6-dedicated-4
+          - g6-dedicated-8
+          - g6-dedicated-16
+          - g6-dedicated-32
+          - g6-dedicated-48
+          - g6-dedicated-50
+          - g6-dedicated-56
+        default: g6-dedicated-4
       kubernetes_versions:
         description: 'Kubernetes version'
         type: choice
         options:
-          - "['1.29']"
           - "['1.30']"
           - "['1.31']"
-        default: "['1.31']"
+          - "['1.32']"
+        default: "['1.32']"
       install_profile:
         description: APL installation profile
         default: minimal-with-team
@@ -198,7 +214,7 @@ jobs:
             --region nl-ams \
             --k8s_version ${{ env.LINODE_K8S_VERSION }} \
             --control_plane.high_availability true \
-            --node_pools.type g6-dedicated-8 --node_pools.count 3 \
+            --node_pools.type ${{ inputs.linode_types }} --node_pools.count 3 \
             --node_pools.autoscaler.enabled true \
             --node_pools.autoscaler.max 3 \
             --node_pools.autoscaler.min 3 \
@@ -223,24 +239,15 @@ jobs:
             
             sleep 30
           done
-      - name: Save kubectl config with auth token and Get kubectl environment and create docker secret
+      - name: Save kubectl config with auth token
         if: ${{ inputs.install_profile != 'no-apl' }}
         run: |
-          # Get the kubeconfig from linode-cli
-          kubeconfig=$(linode-cli lke kubeconfig-view ${{ env.LINODE_CLUSTER_ID }} --text | sed 1d | base64 --decode)
-
-          # Save the kubeconfig to a file
-          kubeconfigDir="$HOME/.kube"
-          kubeconfigPath="$HOME/.kube/config"
-          mkdir -p "$kubeconfigDir"  # Create the directory if it doesn't exist
-          echo "$kubeconfig" > "$kubeconfigPath"
-          echo "Kubeconfig saved to $kubeconfigPath"
-              
-          # Set the kubectl context to use the new kubeconfig
-          export KUBECONFIG="$kubeconfigPath"
-          contextName=$(kubectl config get-contexts -o name | head -n 1)
-          kubectl config use-context "$contextName"
-          echo "Kubectl context set to linode"
+          echo "Waiting for kubeconfig..."
+          while :; do
+            linode-cli get-kubeconfig --label "${{ env.LINODE_CLUSTER_NAME }}" 2> /dev/null && break
+            echo "still waiting..."
+            sleep 10
+          done
           echo LINODE_CLUSTER_CONTEXT=`kubectl config current-context` >> $GITHUB_ENV
       - name: Create image pull secret on test cluster
         if: ${{ inputs.install_profile != 'no-apl' }}

.github/workflows/main.yml

@@ -105,7 +105,7 @@ jobs:
           #Cut the CHANGELOG.md file up to the first occurence of the "### \[[0-9]*" (meaning three #, a space,a square bracket and any number after it)
           sed -n '/### \[[0-9]*/q;p' CHANGELOG.md > NEW_CHANGELOG.md
       - name: Create GitHub release
-        uses: ncipollo/release-action@v1.14.0
+        uses: ncipollo/release-action@v1.16.0
         env:
           token: ${{ secrets.GITHUB_TOKEN }}
         with:
@@ -177,7 +177,7 @@ jobs:
         run: git config --global --add safe.directory /__w/apl-core/apl-core
       - name: Create and publish otomi chart release
         id: chart_release
-        uses: helm/chart-releaser-action@v1.6.0
+        uses: helm/chart-releaser-action@v1.7.0
         with:
           charts_dir: chart
           skip_existing: true

.gitignore

@@ -17,4 +17,5 @@ workflow/
 .envrc
 otomi.cpuprofile
 /.idea/
-tmp
+tmp
+**values-repo.yaml

.releaserc.json

@@ -0,0 +1,21 @@
+{
+  "branches": ["releases/rel-*", "main"],
+  "plugins": [
+    "@semantic-release/commit-analyzer",
+    "@semantic-release/release-notes-generator",
+    [
+      "@semantic-release/changelog",
+      {
+        "changelogFile": "CHANGELOG.md"
+      }
+    ],
+    [
+      "@semantic-release/git",
+      {
+        "assets": ["CHANGELOG.md"],
+        "message": "chore(release): ${nextRelease.version} CHANGELOG.md update [ci skip]\n\n${nextRelease.notes}"
+      }
+    ],
+    "@semantic-release/github"
+  ]
+}

.values/.gitignore

@@ -12,3 +12,4 @@ core.yaml
 .env
 env/status.yaml
 env/bootstrap.yaml
+values-repo.yaml

.values/env/apps/.gitkeep

@@ -50,6 +50,7 @@
     },
     {
       "name": "Debug current test",
+      "envFile": ".env",
       "type": "node",
       "request": "launch",
       "program": "${workspaceRoot}/node_modules/.bin/jest",
@@ -67,6 +68,16 @@
       "console": "integratedTerminal",
       "cwd": "${workspaceRoot}"
     },
+    {
+      "name": "Bootstrap-dev-with-repo",
+      "request": "launch",
+      "runtimeArgs": ["run", "bootstrap-dev-with-repo"],
+      "runtimeExecutable": "npm",
+      "type": "node",
+      "envFile": ".env",
+      "console": "integratedTerminal",
+      "cwd": "${workspaceRoot}"
+    },
     {
       "name": "Migrate values",
       "request": "launch",

.values/env/cluster.yaml

@@ -2,6 +2,60 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+## [4.4.0](https://github.com/linode/apl-core/compare/v4.3.0...v4.4.0) (2025-03-14)
+
+
+### Features
+
+* add coderepository schema & fixtures ([#1945](https://github.com/linode/apl-core/issues/1945)) ([0382ee1](https://github.com/linode/apl-core/commit/0382ee1ecef527cd9b813299a96964fcf9df85fd))
+* added semantic-release gh-actions ([#1933](https://github.com/linode/apl-core/issues/1933)) ([8b379fa](https://github.com/linode/apl-core/commit/8b379fae329bc16b046d92291a479c2591ad32c8))
+* added upgrade script for secrets ([#1967](https://github.com/linode/apl-core/issues/1967)) ([86b8ae0](https://github.com/linode/apl-core/commit/86b8ae05cac57b44239f444ca58cb4f55fbe5e8f))
+* api endpoint ([#1982](https://github.com/linode/apl-core/issues/1982)) ([24b45e9](https://github.com/linode/apl-core/commit/24b45e934b07e1ddf10ad9419e7e50fb8f29cf61))
+* Add self-service option for admins to add external helm charts to the catalog ([#1979](https://github.com/linode/apl-core/issues/1979)) ([fb993e1](https://github.com/linode/apl-core/commit/fb993e10f05d0ee0d85fa17223c46c4e836ae490))
+* create service accounts for gitea organizations ([#1929](https://github.com/linode/apl-core/issues/1929)) ([40a3d20](https://github.com/linode/apl-core/commit/40a3d2004b63e6565adb36013b1140b6b5a85984))
+* deploy sealed secrets from the values repo ([#1924](https://github.com/linode/apl-core/issues/1924)) ([f70c855](https://github.com/linode/apl-core/commit/f70c855071e97d5ff4d8c71b3019259c182c1862))
+* update versions.yaml ([#1989](https://github.com/linode/apl-core/issues/1989)) ([69224d6](https://github.com/linode/apl-core/commit/69224d63759866442c9ce459a65d8f5751ce7fc0))
+
+
+### Bug Fixes
+
+* check for helm secrets version and update it ([#1927](https://github.com/linode/apl-core/issues/1927)) ([b74377c](https://github.com/linode/apl-core/commit/b74377cf6cc3ed25f5652f1b17f99a09d366472a))
+* checking if gitea is ready in git-clone tasks ([#1936](https://github.com/linode/apl-core/issues/1936)) ([a3dfb4a](https://github.com/linode/apl-core/commit/a3dfb4a3a4a969677ab96954a47407e5077b05a2))
+* falco dashboard title ([#1928](https://github.com/linode/apl-core/issues/1928)) ([d0fb19c](https://github.com/linode/apl-core/commit/d0fb19cb7bdcc4c0c4b2d2457ef90b0a595b31ac))
+* generate password with special characters ([#1938](https://github.com/linode/apl-core/issues/1938)) ([f16ce6b](https://github.com/linode/apl-core/commit/f16ce6bd00459d769a466a04dccc2de122ea1167))
+* ignoreDifferences for apps created by team-admin ([#1995](https://github.com/linode/apl-core/issues/1995)) ([80e260e](https://github.com/linode/apl-core/commit/80e260e353914b74b1b2d4dd2f5c0bda8771195b))
+* removed git error which can expose credentials ([#1944](https://github.com/linode/apl-core/issues/1944)) ([4c00fa1](https://github.com/linode/apl-core/commit/4c00fa19abbe7277796273e7bcb5e87912f61ed2))
+* unique admin password for gitea ([#1910](https://github.com/linode/apl-core/issues/1910)) ([a2f1349](https://github.com/linode/apl-core/commit/a2f1349b02ab309fa6c20f869964ab09347c4b13))
+* unique admin password for gitea ([#1940](https://github.com/linode/apl-core/issues/1940)) ([eea8299](https://github.com/linode/apl-core/commit/eea82990099125b83c8434b26254acd5d0f14914))
+* workload with validatingwebhookcfg ([#1942](https://github.com/linode/apl-core/issues/1942)) ([70d6aee](https://github.com/linode/apl-core/commit/70d6aee6ff09d4bb9c76fb09ba004693d96b3ff3))
+
+
+### Reverts
+
+* fix - unique admin password for gitea ([#1939](https://github.com/linode/apl-core/issues/1939)) ([7d8bf90](https://github.com/linode/apl-core/commit/7d8bf908d2d5e55a718bc4eef292c6cc9fb3e977))
+
+
+### CI
+
+* add charts and alias ([#1931](https://github.com/linode/apl-core/issues/1931)) ([57c74ec](https://github.com/linode/apl-core/commit/57c74ec67890cb205d23c89a6c6671aeac9cb6da))
+* added alias for rabbitmq operator ([#1966](https://github.com/linode/apl-core/issues/1966)) ([c557cbf](https://github.com/linode/apl-core/commit/c557cbfd6f915a30432d1b3c4db1fb6cab733d42))
+* added more linode types to the integration workflow ([#1976](https://github.com/linode/apl-core/issues/1976)) ([2c6e084](https://github.com/linode/apl-core/commit/2c6e084bcca9a309597c6e018273cd15733bdfd6))
+* update chart index and improve checks ([#1963](https://github.com/linode/apl-core/issues/1963)) ([0ee8cd2](https://github.com/linode/apl-core/commit/0ee8cd27b1d9c47a47145254dc301fca1736bb0e))
+* update chart references ([#1937](https://github.com/linode/apl-core/issues/1937)) ([fea5c4c](https://github.com/linode/apl-core/commit/fea5c4c2c29443c75217d5068b85ec298ae8d079))
+* update workflow to support k8s 1.32 and wait for kubeconfig ([#1943](https://github.com/linode/apl-core/issues/1943)) ([ab7b631](https://github.com/linode/apl-core/commit/ab7b6311dac8eee3a72dc2c7632829df04b021b1))
+
+
+### Others
+
+* **chart-deps:** update cert-manager to version v1.17.1 ([#1941](https://github.com/linode/apl-core/issues/1941)) ([e634d34](https://github.com/linode/apl-core/commit/e634d3468c4c0e86eb9451eee1906932e958d89d))
+* **chart-deps:** update harbor to version 1.16.2 ([#1903](https://github.com/linode/apl-core/issues/1903)) ([af1a3a0](https://github.com/linode/apl-core/commit/af1a3a02a1137df6e7922ff76ffd04c0b5e98efd))
+* **chart-deps:** update rabbitmq-cluster-operator to version 3.20.1 ([#1969](https://github.com/linode/apl-core/issues/1969)) ([d3f8a2f](https://github.com/linode/apl-core/commit/d3f8a2f923f51eb52e35c23942c3ff5414100495))
+* **deps:** bump helm/chart-releaser-action from 1.6.0 to 1.7.0 ([#1901](https://github.com/linode/apl-core/issues/1901)) ([d759673](https://github.com/linode/apl-core/commit/d75967368303bb72626ddbb399fd790f30b7d837))
+* **deps:** bump ncipollo/release-action from 1.14.0 to 1.15.0 ([#1893](https://github.com/linode/apl-core/issues/1893)) ([abdee3d](https://github.com/linode/apl-core/commit/abdee3d9c187d456849cf99e6e9fd6e73b4b20db))
+* tasks version to 3.7.0 ([#1977](https://github.com/linode/apl-core/issues/1977)) ([cfa5608](https://github.com/linode/apl-core/commit/cfa5608c8060a641cee08b50fc05e38198b5a101))
+* updated api and console versions ([#1999](https://github.com/linode/apl-core/issues/1999)) ([753e480](https://github.com/linode/apl-core/commit/753e480388c650e1114f7f062cfbb5e47c731284))
+* versions ([#1970](https://github.com/linode/apl-core/issues/1970)) ([40ef843](https://github.com/linode/apl-core/commit/40ef843a930683215ce271571dfcad8a601caf0e))
+
 ## [4.3.0](https://github.com/linode/apl-core/compare/v4.2.0...v4.3.0) (2025-02-10)
 
 

.values/env/databases/.gitkeep

@@ -17,7 +17,7 @@ fi
 LOG_LEVEL='--log-level warn'
 
 # Common vars
-readonly otomi_settings="$ENV_DIR/env/settings.yaml"
+readonly otomi_settings="$ENV_DIR/env/settings/otomi.yaml"
 readonly otomi_tools_image="linode/apl-core:latest"
 [ $(uname -s) == 'Linux' ] && readonly LINUX_WORKAROUND='--user=root:root'
 
@@ -148,7 +148,7 @@ function get_k8s_version() {
 
 function otomi_image_tag() {
   local otomi_version=$OTOMI_VERSION
-  [ -z "$otomi_version" ] && [ -f $otomi_settings ] && otomi_version=$(yq '.otomi.version' $otomi_settings)
+  [ -z "$otomi_version" ] && [ -f $otomi_settings ] && otomi_version=$(yq '.spec.version' $otomi_settings)
   [ -z "$otomi_version" ] && otomi_version=$(cat $PWD/package.json | jq -r .version)
   [ -z "$otomi_version" ] && otomi_version='main'
   echo $otomi_version
@@ -211,7 +211,7 @@ function crypt() {
         [ -n "$VERBOSE" ] && echo "Skipping encryption for $file as it is not changed."
       fi
     else
-      if helm secrets decrypt "$file" > "${file}.dec"; then
+      if helm secrets decrypt "$file" >"${file}.dec"; then
         # we correct timestamp of decrypted file to match source file,
         # in order to detect changes for conditional encryption
         [ -n "$VERBOSE" ] && echo "Setting timestamp of decrypted file to that of source file."

.values/env/settings.yaml

@@ -14,8 +14,9 @@ targetDirA="tmp/${branchA}"
 targetDirB="tmp/${branchB}"
 
 export NODE_ENV=test
+otomi values
 helmfile template $templateArgs --output-dir-template="../$targetDirB/{{.Release.Namespace}}-{{.Release.Name }}"
-
+rm tests/fixtures/values-repo.yaml
 git checkout $branchA
 # we remove previously rendered manifests so they are not mixed up with newly rendered
 rm -rf $targetDirA

.values/env/teams.yaml

@@ -4,8 +4,26 @@ go install github.com/noqcks/gucci@latest
 go install github.com/plexsystems/konstraint@latest
 npm install -g json-dereference-cli
 
+# Desired version
+helm_secrets_target_version="4.6.2"
+
+# Get the installed version of helm-secrets
+helm_secrets_installed_version=$(helm plugin list | awk '/secrets/ {print $2}')
+
+# Compare versions and update if necessary
+if [ -z "$helm_secrets_installed_version" ]; then
+  echo "helm-secrets is not installed. Installing version $helm_secrets_target_version..."
+  helm plugin install https://github.com/jkroepke/helm-secrets --version "$helm_secrets_target_version"
+elif [ "$(printf '%s\n' "$helm_secrets_installed_version" "$helm_secrets_target_version" | sort -V | head -n1)" != "$helm_secrets_target_version" ]; then
+  echo "Updating helm-secrets from version $helm_secrets_installed_version to $helm_secrets_target_version..."
+  helm plugin uninstall secrets
+  helm plugin install https://github.com/jkroepke/helm-secrets --version "$helm_secrets_target_version"
+else
+  echo "helm-secrets is up-to-date (version $helm_secrets_installed_version)."
+fi
+
 helm plugin install https://github.com/databus23/helm-diff.git || echo "Skipping helm-diff"
-helm plugin install https://github.com/jkroepke/helm-secrets.git --version v3.15.0 || echo "Skipping helm-secret"
+
 
 echo "Set shell rc file:"
 echo 'echo  export PATH="$HOME/go/bin:$PATH" >> $HOME/.zshrc'

.values/env/teams/.gitkeep

@@ -77,12 +77,12 @@ function parse_yaml {
 fallback_otomi_version='latest'
 if [ -n "$in_core" ]; then
   otomi_version='main'
-elif [ -f "${ENV_DIR}/env/settings.yaml" ]; then
-  otomi_version_rec=$(parse_yaml $ENV_DIR/env/settings.yaml | grep 'otomi__version=')
+elif [ -f "${ENV_DIR}/env/settings/otomi.yaml" ]; then
+  otomi_version_rec=$(parse_yaml $ENV_DIR/env/settings/otomi.yaml | grep 'otomi__version=')
   if [[ "$otomi_version_rec" =~ otomi__version=\"(.*)\" ]]; then
     otomi_version=${BASH_REMATCH[1]}
   else
-    # If the settings.yaml doesn't contain otomi.version, we fall back to latest
+    # If the otomi.yaml doesn't contain otomi.version, we fall back to latest
     otomi_version=$fallback_otomi_version
   fi
 else