common automatic update

common/.ansible-lint

@@ -16,5 +16,6 @@ exclude_paths:
   - ./ansible/playbooks/iib-ci/iib-ci.yaml
   - ./ansible/playbooks/k8s_secrets/k8s_secrets.yml
   - ./ansible/playbooks/process_secrets/process_secrets.yml
+  - ./ansible/playbooks/write-token-kubeconfig/write-token-kubeconfig.yml
   - ./ansible/playbooks/process_secrets/display_secrets_info.yml
   - ./ansible/roles/vault_utils/tests/test.yml

common/.github/workflows/chart-branches.yml

@@ -49,9 +49,7 @@ jobs:
 
   acm:
     needs: changes
-    if: |
-      ${{ needs.changes.outputs.acm == 'true' }} &&
-      github.repository == 'validatedpatterns/common'
+    if: ${{ (needs.changes.outputs.acm == 'true') && (github.repository == 'validatedpatterns/common') }}
     uses: validatedpatterns/common/.github/workflows/chart-split.yml@main
     permissions:
       actions: write
@@ -63,9 +61,7 @@ jobs:
 
   golang-external-secrets:
     needs: changes
-    if: |
-      ${{ needs.changes.outputs.golang-external-secrets == 'true' }} &&
-      github.repository == 'validatedpatterns/common'
+    if: ${{ (needs.changes.outputs.golang-external-secrets == 'true') && (github.repository == 'validatedpatterns/common') }}
     uses: validatedpatterns/common/.github/workflows/chart-split.yml@main
     permissions:
       actions: write
@@ -77,9 +73,7 @@ jobs:
 
   hashicorp-vault:
     needs: changes
-    if: |
-      ${{ needs.changes.outputs.hashicorp-vault == 'true' }} &&
-      github.repository == 'validatedpatterns/common'
+    if: ${{ (needs.changes.outputs.hashicorp-vault == 'true') && (github.repository == 'validatedpatterns/common') }}
     uses: validatedpatterns/common/.github/workflows/chart-split.yml@main
     permissions:
       actions: write
@@ -91,9 +85,7 @@ jobs:
 
   letsencrypt:
     needs: changes
-    if: |
-      ${{ needs.changes.outputs.letsencrypt == 'true' }} &&
-      github.repository == 'validatedpatterns/common'
+    if: ${{ (needs.changes.outputs.letsencrypt == 'true') && (github.repository == 'validatedpatterns/common') }}
     uses: validatedpatterns/common/.github/workflows/chart-split.yml@main
     permissions:
       actions: write
@@ -105,9 +97,7 @@ jobs:
 
   clustergroup:
     needs: changes
-    if: |
-      ${{ needs.changes.outputs.clustergroup == 'true' }} &&
-      github.repository == 'validatedpatterns/common'
+    if: ${{ (needs.changes.outputs.clustergroup == 'true') && (github.repository == 'validatedpatterns/common') }}
     uses: validatedpatterns/common/.github/workflows/chart-split.yml@main
     permissions:
       actions: write

common/.github/workflows/chart-split.yml

@@ -31,8 +31,12 @@ jobs:
           set -e
           N="${{ inputs.chart_name }}"
           B="${N}-main-single-chart"
+          GITIMG="quay.io/hybridcloudpatterns/gitsubtree-container:2.40.1"
+          sudo apt-get update -y && sudo apt-get install -y podman
+          echo "Running subtree split for ${B}"
+          podman pull "${GITIMG}"
           git push origin -d "${B}" || /bin/true
-          git subtree split -P "${N}" -b "${B}"
-          git push -f -u origin "${B}"
+          # Git subtree got broken on recent versions of git hence this container
+          podman run --net=host --rm -t -v .:/git "${GITIMG}" subtree split -P "${N}" -b "${B}"
           #git clone https://validatedpatterns:${GITHUB_TOKEN}@github.com/validatedpatterns/common.git -b "acm-main-single-chart" --single-branch
           git push --force https://validatedpatterns:"${GITHUB_TOKEN}"@github.com/${{ inputs.target_repository }}.git "${B}:main"

common/.github/workflows/linter.yml

@@ -36,7 +36,7 @@ jobs:
       - name: Setup helm
         uses: azure/setup-helm@v4
         with:
-          version: 'v3.13.2'
+          version: 'v3.14.0'
 
 
       ################################

common/.github/workflows/superlinter.yml

@@ -21,16 +21,19 @@ jobs:
       # Run Linter against code base #
       ################################
       - name: Lint Code Base
-        uses: github/super-linter/slim@v5
+        uses: github/super-linter/slim@v6
         env:
           VALIDATE_ALL_CODEBASE: true
           DEFAULT_BRANCH: main
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           # These are the validation we disable atm
           VALIDATE_ANSIBLE: false
           VALIDATE_BASH: false
+          VALIDATE_CHECKOV: false
           VALIDATE_JSCPD: false
           VALIDATE_KUBERNETES_KUBECONFORM: false
+          VALIDATE_PYTHON_PYLINT: false
+          VALIDATE_SHELL_SHFMT: false
           VALIDATE_YAML: false
           # VALIDATE_DOCKERFILE_HADOLINT: false
           # VALIDATE_MARKDOWN: false

common/Makefile

@@ -119,6 +119,9 @@ load-iib: ## CI target to install Index Image Bundles
 		exit 1; \
 	fi
 
+.PHONY: token-kubeconfig
+token-kubeconfig: ## Create a local ~/.kube/config with password (not usually needed)
+	common/scripts/write-token-kubeconfig.sh
 
 ##@ Validation Tasks
 
@@ -230,17 +233,20 @@ kubeconform: ## run helm kubeconform
 super-linter: ## Runs super linter locally
 	rm -rf .mypy_cache
 	podman run -e RUN_LOCAL=true -e USE_FIND_ALGORITHM=true	\
+					-e VALIDATE_ANSIBLE=false \
 					-e VALIDATE_BASH=false \
+					-e VALIDATE_CHECKOV=false \
+					-e VALIDATE_DOCKERFILE_HADOLINT=false \
 					-e VALIDATE_JSCPD=false \
 					-e VALIDATE_KUBERNETES_KUBECONFORM=false \
-					-e VALIDATE_YAML=false \
-					-e VALIDATE_ANSIBLE=false \
-					-e VALIDATE_DOCKERFILE_HADOLINT=false \
+					-e VALIDATE_PYTHON_PYLINT=false \
+					-e VALIDATE_SHELL_SHFMT=false \
 					-e VALIDATE_TEKTON=false \
+					-e VALIDATE_YAML=false \
 					$(DISABLE_LINTERS) \
 					-v $(PWD):/tmp/lint:rw,z \
 					-w /tmp/lint \
-					docker.io/github/super-linter:slim-v5
+					ghcr.io/super-linter/super-linter:slim-v6
 
 .PHONY: ansible-lint
 ansible-lint: ## run ansible lint on ansible/ folder

common/acm/Chart.yaml

@@ -3,4 +3,4 @@ description: A Helm chart to configure Advanced Cluster Manager for OpenShift.
 keywords:
 - pattern
 name: acm
-version: 0.0.1
+version: 0.1.0

common/acm/README.md

@@ -0,0 +1,5 @@
+# Validated Patterns ACM chart
+
+This chart is used to set up ACM in [Validated Patterns](https://validatedpatterns.io)
+
+Please send PRs [here](https://github.com/validatedpatterns/common)

common/acm/templates/_helpers.tpl

@@ -11,3 +11,47 @@ Default always defined valueFiles to be included when pushing the cluster wide a
 # hub's cluster version, whereas we want to include the spoke cluster version
 - '/values-{{ `{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}` }}.yaml'
 {{- end }} {{- /*acm.app.policies.valuefiles */}}
+
+{{- define "acm.app.policies.multisourcevaluefiles" -}}
+- "$patternref/values-global.yaml"
+- "$patternref/values-{{ .name }}.yaml"
+- '$patternref/values-{{ `{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}` }}.yaml'
+- '$patternref/values-{{ `{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}` }}-{{ `{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}` }}.yaml'
+- '$patternref/values-{{ `{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}` }}-{{ .name }}.yaml'
+# We cannot use $.Values.global.clusterVersion because that gets resolved to the
+# hub's cluster version, whereas we want to include the spoke cluster version
+- '$patternref/values-{{ `{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}` }}.yaml'
+{{- end }} {{- /*acm.app.policies.multisourcevaluefiles */}}
+
+{{- define "acm.app.policies.helmparameters" -}}
+- name: global.repoURL
+  value: {{ $.Values.global.repoURL }}
+- name: global.targetRevision
+  value: {{ $.Values.global.targetRevision }}
+- name: global.namespace
+  value: $ARGOCD_APP_NAMESPACE
+- name: global.pattern
+  value: {{ $.Values.global.pattern }}
+- name: global.hubClusterDomain
+  value: {{ $.Values.global.hubClusterDomain }}
+- name: global.localClusterDomain
+  value: '{{ `{{ (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain }}` }}'
+- name: global.clusterDomain
+  value: '{{ `{{ (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain | replace "apps." "" }}` }}'
+- name: global.clusterVersion
+  value: '{{ `{{ printf "%d.%d" ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Major) ((semver (index (lookup "config.openshift.io/v1" "ClusterVersion" "" "version").status.history 0).version).Minor) }}` }}'
+- name: global.localClusterName
+  value: '{{ `{{ (split "." (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain)._1 }}` }}'
+- name: global.clusterPlatform
+  value: {{ $.Values.global.clusterPlatform }}
+- name: global.multiSourceSupport
+  value: {{ $.Values.global.multiSourceSupport | quote }}
+- name: global.multiSourceRepoUrl
+  value: {{ $.Values.global.multiSourceRepoUrl }}
+- name: global.multiSourceTargetRevision
+  value: {{ $.Values.global.multiSourceTargetRevision }}
+- name: global.privateRepo
+  value: {{ $.Values.global.privateRepo | quote }}
+- name: global.experimentalCapabilities
+  value: {{ $.Values.global.experimentalCapabilities }}
+{{- end }} {{- /*acm.app.policies.helmparameters */}}

common/acm/templates/policies/acm-hub-ca-policy.yaml

@@ -1,5 +1,6 @@
 # This pushes out the HUB's Certificate Authorities on to the imported clusters
-{{ if .Values.clusterGroup.isHubCluster }}
+{{- if .Values.clusterGroup.isHubCluster }}
+{{- if (eq (((.Values.global).secretStore).backend) "vault") }}
 ---
 apiVersion: policy.open-cluster-management.io/v1
 kind: Policy
@@ -31,10 +32,22 @@ spec:
                 type: Opaque
                 metadata:
                   name: hub-ca
-                  namespace: imperative
+                  namespace: golang-external-secrets
                 data:
                   hub-kube-root-ca.crt: '{{ `{{hub fromConfigMap "" "kube-root-ca.crt" "ca.crt" | base64enc hub}}` }}'
                   hub-openshift-service-ca.crt: '{{ `{{hub fromConfigMap "" "openshift-service-ca.crt" "service-ca.crt" | base64enc hub}}` }}'
+            - complianceType: mustonlyhave
+              objectDefinition:
+                kind: ConfigMap
+                apiVersion: v1
+                metadata:
+                  name: trusted-hub-bundle
+                  namespace: imperative
+                data:
+                  hub-kube-root-ca.crt: |
+                    {{ `{{hub fromConfigMap "" "kube-root-ca.crt" "ca.crt" | autoindent hub}}` }}
+                  hub-openshift-service-ca.crt: |
+                    {{ `{{hub fromConfigMap "" "openshift-service-ca.crt" "service-ca.crt" | autoindent hub}}` }}
 ---
 apiVersion: policy.open-cluster-management.io/v1
 kind: PlacementBinding
@@ -67,5 +80,147 @@ spec:
         operator: NotIn
         values:
           - 'true'
-{{ end }}
+---
+apiVersion: policy.open-cluster-management.io/v1
+kind: Policy
+metadata:
+  name: hub-argo-ca-openshift-gitops-policy
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+    argocd.argoproj.io/compare-options: IgnoreExtraneous
+spec:
+  remediationAction: enforce
+  disabled: false
+  policy-templates:
+    - objectDefinition:
+        apiVersion: policy.open-cluster-management.io/v1
+        kind: ConfigurationPolicy
+        metadata:
+          name: hub-argo-ca-openshift-gitops-config
+        spec:
+          remediationAction: enforce
+          severity: medium
+          namespaceSelector:
+            include:
+              - default
+          object-templates:
+            - complianceType: mustonlyhave
+              objectDefinition:
+                kind: ConfigMap
+                apiVersion: v1
+                metadata:
+                  name: trusted-hub-bundle
+                  namespace: openshift-gitops
+                data:
+                  hub-kube-root-ca.crt: |
+                    {{ `{{hub fromConfigMap "" "kube-root-ca.crt" "ca.crt" | autoindent hub}}` }}
+                  hub-openshift-service-ca.crt: |
+                    {{ `{{hub fromConfigMap "" "openshift-service-ca.crt" "service-ca.crt" | autoindent hub}}` }}
+---
+apiVersion: policy.open-cluster-management.io/v1
+kind: PlacementBinding
+metadata:
+  name: hub-argo-ca-openshift-gitops-policy-binding
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+placementRef:
+  name: hub-argo-ca-openshift-gitops-policy-placement
+  kind: PlacementRule
+  apiGroup: apps.open-cluster-management.io
+subjects:
+  - name: hub-argo-ca-openshift-gitops-policy
+    kind: Policy
+    apiGroup: policy.open-cluster-management.io
+---
+apiVersion: apps.open-cluster-management.io/v1
+kind: PlacementRule
+metadata:
+  name: hub-argo-ca-openshift-gitops-policy-placement
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+spec:
+  clusterConditions:
+    - status: 'True'
+      type: ManagedClusterConditionAvailable
+  clusterSelector:
+    matchExpressions:
+      - key: local-cluster
+        operator: NotIn
+        values:
+          - 'true'
 
+{{- end }}{{/* if (eq (((.Values.global).secretStore).backend) "vault") */}}
+{{- range .Values.clusterGroup.managedClusterGroups }}
+{{- $group := . }}
+{{- if not .hostedArgoSites }}
+---
+apiVersion: policy.open-cluster-management.io/v1
+kind: Policy
+metadata:
+  name: hub-argo-ca-{{ .name }}-policy
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+    argocd.argoproj.io/compare-options: IgnoreExtraneous
+spec:
+  remediationAction: enforce
+  disabled: false
+  policy-templates:
+    - objectDefinition:
+        apiVersion: policy.open-cluster-management.io/v1
+        kind: ConfigurationPolicy
+        metadata:
+          name: hub-argo-ca-{{ .name }}-config
+        spec:
+          remediationAction: enforce
+          severity: medium
+          namespaceSelector:
+            include:
+              - default
+          object-templates:
+            - complianceType: mustonlyhave
+              objectDefinition:
+                kind: ConfigMap
+                apiVersion: v1
+                metadata:
+                  name: trusted-hub-bundle
+                  namespace: {{ $.Values.global.pattern }}-{{ .name }}
+                data:
+                  hub-kube-root-ca.crt: |
+                    {{ `{{hub fromConfigMap "" "kube-root-ca.crt" "ca.crt" | autoindent hub}}` }}
+                  hub-openshift-service-ca.crt: |
+                    {{ `{{hub fromConfigMap "" "openshift-service-ca.crt" "service-ca.crt" | autoindent hub}}` }}
+---
+apiVersion: policy.open-cluster-management.io/v1
+kind: PlacementBinding
+metadata:
+  name: hub-argo-ca-{{ .name }}-placement-binding
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+placementRef:
+  name: hub-argo-ca-{{ .name }}-placement
+  kind: PlacementRule
+  apiGroup: apps.open-cluster-management.io
+subjects:
+  - name: hub-argo-ca-{{ .name }}-policy
+    kind: Policy
+    apiGroup: policy.open-cluster-management.io
+---
+apiVersion: apps.open-cluster-management.io/v1
+kind: PlacementRule
+metadata:
+  name: hub-argo-ca-{{ .name }}-placement
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+spec:
+  clusterConditions:
+    - status: 'True'
+      type: ManagedClusterConditionAvailable
+  clusterSelector:
+    matchExpressions:
+      - key: local-cluster
+        operator: NotIn
+        values:
+          - 'true'
+{{- end }}{{/* if not .hostedArgoSites */}}
+{{- end }}{{/* range .Values.clusterGroup.managedClusterGroups */}}
+{{- end }}{{/* isHubCluster */}}