Merge branch 'main' into ci-update-external-dns-to-8.7.8

Author: merll

.env.sample

@@ -8,24 +8,11 @@ DISABLE_SYNC=1
 # ENV_DIR=''
 
 # KMS access from here on
-# Google (paste json key here without newlines nor spaces and double quotes escaped)
-GCLOUD_SERVICE_KEY="\"some\":\"key\""
-# Azure:
-AZURE_TENANT_ID=''
-AZURE_CLIENT_ID=''
-AZURE_CLIENT_SECRET=''
-# AWS:
-AWS_DEFAULT_REGION=''
-AWS_REGION=''
-AWS_ACCESS_KEY_ID=''
-AWS_SECRET_ACCESS_KEY=''
-# AGE:
 SOPS_AGE_KEY=''
 
 OTOMI_CHARTS_URL='https://github.com/linode/apl-charts.git'
 
-
 RETRIES=6
 RANDOM=false
 MIN_TIMEOUT=10000
-FACTOR=1
+FACTOR=1

charts/team-ns/templates/rbac.yaml

@@ -220,6 +220,18 @@ rules:
   resources: ["secrets"]
   verbs: ["get", "watch", "list", "delete", "create", "update"]
 ---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: apl-gitea-operator-team-{{ $v.teamId }}-trigger-template-pipeline-watcher
+rules:
+  - apiGroups: ["tekton.dev"]
+    resources: ["pipelines"]
+    verbs: ["watch", "list", "get"]
+  - apiGroups: ["triggers.tekton.dev"]
+    resources: ["triggertemplates"]
+    verbs: ["watch", "list", "get"]
+---
 # RoleBinding for the above Role in team namespace
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
@@ -234,4 +246,17 @@ roleRef:
   kind: Role
   name: apl-gitea-operator-service-account
   apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: apl-gitea-operator-team-{{ $v.teamId }}-trigger-template-pipeline-binding
+subjects:
+  - kind: ServiceAccount
+    namespace: apl-gitea-operator
+    name: apl-gitea-operator
+roleRef:
+  kind: ClusterRole
+  name: apl-gitea-operator-team-{{ $v.teamId }}-trigger-template-pipeline-watcher
+  apiGroup: rbac.authorization.k8s.io
 ---

src/cmd/bootstrap.ts

@@ -117,8 +117,8 @@ export const bootstrapSops = async (
       }
     }
     // now do a round of encryption and decryption to make sure we have all the files in place for later
-    await deps.encrypt()
-    await deps.decrypt()
+    await deps.encrypt(envDir)
+    await deps.decrypt(envDir)
   }
 }
 

src/cmd/validate-values.ts

@@ -19,7 +19,7 @@ export const validateValues = async (envDir = env.ENV_DIR): Promise<void> => {
   // TODO: Make this return true or error tree
   // Create an end point function (when running otomi validate-values) to print current messages.
   const argv: HelmArguments = getParsedArgs()
-  d.log('Values validation STARTED')
+  d.log('Values validation STARTED on ', envDir)
 
   if (argv.l || argv.label) {
     const labelOpts = [...new Set([...(argv.l ?? []), ...(argv.label ?? [])])]

src/common/crypt.ts

@@ -42,9 +42,10 @@ const preCrypt = async (path): Promise<void> => {
 
 const getAllSecretFiles = async (path) => {
   const d = terminal(`common:crypt:getAllSecretFiles`)
-  const files = (await readdirRecurse(`${path}/env`, { skipHidden: true }))
-    .filter((file) => file.endsWith('.yaml') && file.includes('/secrets.'))
-    .map((file) => file.replace(`${path}/`, ''))
+  const files = (await readdirRecurse(`${path}/env`, { skipHidden: true })).filter(
+    (file) => file.endsWith('.yaml') && file.includes('/secrets.'),
+  )
+
   d.debug('getAllSecretFiles: ', files)
   return files
 }
@@ -92,8 +93,6 @@ const runOnSecretFiles = async (path: string, crypt: CR, filesArgs: string[] = [
   const d = terminal(`common:crypt:runOnSecretFiles`)
   let files: string[] = filesArgs
 
-  cd(path)
-
   if (files.length === 0) {
     files = await getAllSecretFiles(path)
   }

src/server.ts

@@ -3,7 +3,6 @@ import $RefParser, { JSONSchema } from '@apidevtools/json-schema-ref-parser'
 import express, { Request, Response } from 'express'
 import { Server } from 'http'
 import { bootstrapSops } from 'src/cmd/bootstrap'
-import { validateValues } from 'src/cmd/validate-values'
 import { decrypt, encrypt } from 'src/common/crypt'
 import { terminal } from 'src/common/debug'
 import { hfValues } from './common/hf'
@@ -25,12 +24,13 @@ app.get('/', async (req: Request, res: Response): Promise<Response<any>> => {
 
 type QueryParams = {
   envDir: string
+  files?: string[]
 }
 
 app.get('/init', async (req: Request, res: Response) => {
   const { envDir } = req.query as QueryParams
   try {
-    d.log('Request to initialize values repo')
+    d.log('Request to initialize values repo on', envDir)
     await decrypt(envDir)
     res.status(200).send('ok')
   } catch (error) {
@@ -40,21 +40,20 @@ app.get('/init', async (req: Request, res: Response) => {
 })
 
 app.get('/prepare', async (req: Request, res: Response) => {
-  const { envDir } = req.query as QueryParams
+  const { envDir, files } = req.query as QueryParams
   try {
-    d.log('Request to prepare values repo')
+    d.log('Request to prepare values repo on', envDir)
     await bootstrapSops(envDir)
     await setValuesFile(envDir)
     // Encrypt ensures that a brand new secret file is encrypted in place
-    await encrypt(envDir)
+    await encrypt(envDir, ...(files ?? []))
     // Decrypt ensures that a brand new encrypted secret file is decrypted to the .dec file
-    await decrypt(envDir)
-    await validateValues(envDir)
+    await decrypt(envDir, ...(files ?? []))
     res.status(200).send('ok')
   } catch (error) {
     const err = `${error}`
     let status = 500
-    d.error(err)
+    d.error(`Request to prepare values went wrong: ${err}`)
     if (err.includes('Values validation FAILED')) {
       status = 422
     }

tests/integration/minimal-with-team.yaml

@@ -97,12 +97,12 @@ teamConfig:
         path: chart/hello-world
         revision: HEAD
 files:
-  env/teams/demo/workloadsValues/nodejs-helloworld.yaml: |
+  env/teams/demo/workloadValues/nodejs-helloworld.yaml: |
     values: |
       image:
         repository: otomi/nodejs-helloworld
         tag: v1.2.13
-  env/teams/demo/workloadsValues/nginx-deployment.yaml: |
+  env/teams/demo/workloadValues/nginx-deployment.yaml: |
     values: |
       fullnameOverride: nginx-deployment
       image:
@@ -119,7 +119,7 @@ files:
       autoscaling:
         minReplicas: 2
         maxReplicas: 10
-  env/teams/demo/workloadsValues/nginx-ksvc.yaml: |
+  env/teams/demo/workloadValues/nginx-ksvc.yaml: |
     values: |
       fullnameOverride: nginx-ksvc
       image:
@@ -140,10 +140,10 @@ files:
       autoscaling:
         minReplicas: 0
         maxReplicas: 10
-  env/teams/demo/workloadsValues/httpbin.yaml: |
+  env/teams/demo/workloadValues/httpbin.yaml: |
     values: |
       {}
-  env/teams/admin/workloadsValues/nodejs-helloworld.yaml: |
+  env/teams/admin/workloadValues/nodejs-helloworld.yaml: |
     values: |
       image:
         repository: otomi/nodejs-helloworld

tests/integration/monitoring-with-team.yaml

@@ -75,7 +75,7 @@ teamConfig:
     workloads: []
 
 files:
-  env/teams/demo/workloadsValues/petclinic.yaml: |
+  env/teams/demo/workloadValues/petclinic.yaml: |
     values: |
       image:
           repository: springcommunity/spring-framework-petclinic

values/otomi-api/otomi-api.gotmpl

@@ -5,7 +5,7 @@
 {{- $cm := $v.apps | get "cert-manager" }}
 {{- $d := $v.apps.drone }}
 {{- $sops := $v | get "kms.sops" dict }}
-{{- $giteaValuesUrl := printf "gitea.%s/otomi/values" $v.cluster.domainSuffix }}
+{{- $giteaValuesUrl := "http://gitea-http.gitea.svc.cluster.local:3000/otomi/values" }}
 {{- $helmChartCatalog := printf "https://gitea.%s/otomi/charts.git" $v.cluster.domainSuffix }}
 {{- $defaultPlatformAdminEmail := printf "platform-admin@%s" $v.cluster.domainSuffix }}
 {{- $sopsEnv := tpl (readFile "../../helmfile.d/snippets/sops-env.gotmpl") $sops }}

versions.yaml

@@ -1,5 +1,5 @@
-api: 4.0.0
-console: 4.0.0
+api: 4.0.1
+console: 4.0.1
 consoleLogin: v3.5.0
-tasks: 3.7.0
+tasks: 3.8.0
 tools: 2.8.7