Merge remote-tracking branch 'common-upstream/main' into common-autom…

…atic-update

common/.github/workflows/superlinter.yml

@@ -21,7 +21,7 @@ jobs:
       # Run Linter against code base #
       ################################
       - name: Lint Code Base
-        uses: github/super-linter/slim@v6
+        uses: super-linter/super-linter/slim@v7
         env:
           VALIDATE_ALL_CODEBASE: true
           DEFAULT_BRANCH: main
@@ -31,10 +31,13 @@ jobs:
           VALIDATE_BASH: false
           VALIDATE_CHECKOV: false
           VALIDATE_JSCPD: false
+          VALIDATE_JSON_PRETTIER: false
+          VALIDATE_MARKDOWN_PRETTIER: false
           VALIDATE_KUBERNETES_KUBECONFORM: false
           VALIDATE_PYTHON_PYLINT: false
           VALIDATE_SHELL_SHFMT: false
           VALIDATE_YAML: false
+          VALIDATE_YAML_PRETTIER: false
           # VALIDATE_DOCKERFILE_HADOLINT: false
           # VALIDATE_MARKDOWN: false
           # VALIDATE_NATURAL_LANGUAGE: false

common/Changes.md

@@ -124,7 +124,7 @@
 ## October 3, 2022
 
 * Restore the ability to install a non-default site: `make TARGET_SITE=mysite install`
-* Revised tests (new output and filenames, requires adding new result files to git)
+* Revised tests (new output and filenames, requires adding new result files to Git)
 * ACM 2.6 required for ACM-based managed sites
 * Introduced global.clusterDomain template variable (without the `apps.` prefix)
 * Removed the ability to send specific charts to another cluster, use hosted argo sites instead

common/Makefile

@@ -238,15 +238,18 @@ super-linter: ## Runs super linter locally
 					-e VALIDATE_CHECKOV=false \
 					-e VALIDATE_DOCKERFILE_HADOLINT=false \
 					-e VALIDATE_JSCPD=false \
+					-e VALIDATE_JSON_PRETTIER=false \
+					-e VALIDATE_MARKDOWN_PRETTIER=false \
 					-e VALIDATE_KUBERNETES_KUBECONFORM=false \
 					-e VALIDATE_PYTHON_PYLINT=false \
 					-e VALIDATE_SHELL_SHFMT=false \
 					-e VALIDATE_TEKTON=false \
 					-e VALIDATE_YAML=false \
+					-e VALIDATE_YAML_PRETTIER=false \
 					$(DISABLE_LINTERS) \
 					-v $(PWD):/tmp/lint:rw,z \
 					-w /tmp/lint \
-					ghcr.io/super-linter/super-linter:slim-v6
+					ghcr.io/super-linter/super-linter:slim-v7
 
 .PHONY: ansible-lint
 ansible-lint: ## run ansible lint on ansible/ folder

common/acm/Chart.yaml

@@ -3,4 +3,4 @@ description: A Helm chart to configure Advanced Cluster Manager for OpenShift.
 keywords:
 - pattern
 name: acm
-version: 0.1.0
+version: 0.1.1

common/acm/templates/policies/ocp-gitops-policy.yaml

@@ -35,10 +35,10 @@ spec:
                   labels:
                     operators.coreos.com/openshift-gitops-operator.openshift-operators: ''
                 spec:
-                  channel: {{ default "gitops-1.12" .Values.main.gitops.channel }}
+                  channel: {{ default "gitops-1.13" .Values.main.gitops.channel }}
                   installPlanApproval: Automatic
                   name: openshift-gitops-operator
-                  source: redhat-operators
+                  source: {{ default "redhat-operators" .Values.main.gitops.operatorSource }}
                   sourceNamespace: openshift-marketplace
                   config:
                     env:

common/acm/values.yaml

@@ -1,6 +1,6 @@
 main:
   gitops:
-    channel: "gitops-1.12"
+    channel: "gitops-1.13"
 
 global:
   extraValueFiles: []

common/ansible/plugins/filter/parse_acm_secrets.py

@@ -79,5 +79,6 @@ def parse_acm_secrets(secrets):
 
 
 class FilterModule:
+
     def filters(self):
         return {"parse_acm_secrets": parse_acm_secrets}

common/ansible/plugins/module_utils/load_secrets_v1.py

@@ -26,6 +26,7 @@
 
 
 class LoadSecretsV1:
+
     def __init__(
         self,
         module,

common/ansible/plugins/module_utils/load_secrets_v2.py

@@ -40,6 +40,7 @@
 
 
 class LoadSecretsV2:
+
     def __init__(self, module, syaml, namespace, pod):
         self.module = module
         self.namespace = namespace

common/ansible/plugins/module_utils/parse_secrets_v2.py

@@ -42,6 +42,7 @@
 
 
 class ParseSecretsV2:
+
     def __init__(self, module, syaml, secrets_backing_store):
         self.module = module
         self.syaml = syaml

common/ansible/plugins/modules/vault_load_parsed_secrets.py

@@ -82,6 +82,7 @@
 
 
 class VaultSecretLoader:
+
     def __init__(
         self,
         module,

common/ansible/roles/iib_ci/README.md

@@ -1,6 +1,6 @@
 # IIB Utilities
 
-A set of ansible plays to fetch an IIB (Image Index Bundle, aka a container created by the operator sdk
+A set of ansible plays to fetch an IIB (Image Index Bundle, aka a container created by the operator SDK
 that contains a bunch of references to operators that can be installed in an OpenShift cluster)
 
 Run `ansible-playbook common/ansible/playbooks/iib-ci/lookup.yml` to see which IIBs are available (defaults to

common/ansible/roles/vault_utils/README.md

@@ -40,6 +40,17 @@ unseal_namespace: "imperative"
 
 This relies on [kubernetes.core](https://docs.ansible.com/ansible/latest/collections/kubernetes/core/k8s_module.html)
 
+## Vault out of the box configuration
+
+This role configures four secret paths in vault:
+
+1. `secret/global` - Any secret under this path is accessible in read-only only to all clusters known to ACM (hub and spokes)
+2. `secret/hub` - Any secret under this path is accessible in read-only only to the ACM hub cluster
+3. `secret/<fqdn.of.spoke.cluster>` - Any secret under this path is accessible in read-only only to the spoke cluster
+4. `secret/pushsecrets` - Any secret here can be accessed in read and write mode to all clusters known to ACM. This area can
+   be used with ESO's `PushSecrets` so you can push an existing secret from one namespace, to the vault under this path and
+   then it can be retrieved by an `ExternalSecret` either in a different namespace *or* from an entirely different cluster.
+
 ## Values secret file format
 
 Currently this role supports two formats: version 1.0 (which is the assumed
@@ -55,49 +66,9 @@ By default, the first file that will looked up is
 The paths can be overridden by setting the environment variable `VALUES_SECRET` to the path of the
 secret file.
 
-The values secret yaml files can be encrypted with `ansible-vault`. If the role detects they are encrypted, the password to
+The values secret YAML files can be encrypted with `ansible-vault`. If the role detects they are encrypted, the password to
 decrypt them will be prompted when needed.
 
-### Version 1.0
-
-Here is a well-commented example of a version 1.0 file:
-
-```yaml
----
-# By default when a top-level 'version: 1.0' is missing it is assumed to be '1.0'
-# NEVER COMMIT THESE VALUES TO GIT
-
-secrets:
-  # These secrets will be pushed in the vault at secret/hub/test The vault will
-  # have secret/hub/test with secret1 and secret2 as keys with their associated
-  # values (secrets)
-  test:
-    secret1: foo
-    secret2: bar
-
-  # This ends up as the s3Secret attribute to the path secret/hub/aws
-  aws:
-    s3Secret: test-secret
-
-# This will create the vault key secret/hub/testfoo which will have two
-# properties 'b64content' and 'content' which will be the base64-encoded
-# content and the normal content respectively
-files:
-  testfoo: ~/ca.crt
-# These secrets will be pushed in the vault at secret/region1/test The vault will
-# have secret/region1/test with secret1 and secret2 as keys with their associated
-# values (secrets)
-secrets.region1:
-  test:
-    secret1: foo1
-    secret2: bar1
-# This will create the vault key secret/region2/testbar which will have two
-# properties 'b64content' and 'content' which will be the base64-encoded
-# content and the normal content respectively
-files.region2:
-  testbar: ~/ca.crt
-```
-
 ### Version 2.0
 
 Here is a version 2.0 example file (specifying `version: 2.0` is mandatory in this case):
@@ -210,6 +181,46 @@ secrets:
       ini_key: aws_secret_access_key
 ```
 
+### Version 1.0
+
+Here is a well-commented example of a version 1.0 file:
+
+```yaml
+---
+# By default when a top-level 'version: 1.0' is missing it is assumed to be '1.0'
+# NEVER COMMIT THESE VALUES TO GIT
+
+secrets:
+  # These secrets will be pushed in the vault at secret/hub/test The vault will
+  # have secret/hub/test with secret1 and secret2 as keys with their associated
+  # values (secrets)
+  test:
+    secret1: foo
+    secret2: bar
+
+  # This ends up as the s3Secret attribute to the path secret/hub/aws
+  aws:
+    s3Secret: test-secret
+
+# This will create the vault key secret/hub/testfoo which will have two
+# properties 'b64content' and 'content' which will be the base64-encoded
+# content and the normal content respectively
+files:
+  testfoo: ~/ca.crt
+# These secrets will be pushed in the vault at secret/region1/test The vault will
+# have secret/region1/test with secret1 and secret2 as keys with their associated
+# values (secrets)
+secrets.region1:
+  test:
+    secret1: foo1
+    secret2: bar1
+# This will create the vault key secret/region2/testbar which will have two
+# properties 'b64content' and 'content' which will be the base64-encoded
+# content and the normal content respectively
+files.region2:
+  testbar: ~/ca.crt
+```
+
 Internals
 ---------
 

common/ansible/roles/vault_utils/defaults/main.yml

@@ -17,6 +17,8 @@ vault_spoke_capabilities: '[\\\"read\\\"]'
 vault_spoke_ttl: "15m"
 vault_global_policy: global
 vault_global_capabilities: '[\\\"read\\\"]'
+vault_pushsecrets_policy: pushsecrets
+vault_pushsecrets_capabilities: '[\\\"create\\\",\\\"read\\\",\\\"update\\\",\\\"delete\\\"]'
 external_secrets_ns: golang-external-secrets
 external_secrets_sa: golang-external-secrets
 external_secrets_secret: golang-external-secrets

common/ansible/roles/vault_utils/tasks/vault_secrets_init.yaml

@@ -71,6 +71,28 @@
     pod: "{{ vault_pod }}"
     command: "vault policy write {{ vault_global_policy }}-secret /tmp/policy-{{ vault_global_policy }}.hcl"
 
+- name: Configure VP pushsecrets policy template
+  kubernetes.core.k8s_exec:
+    namespace: "{{ vault_ns }}"
+    pod: "{{ vault_pod }}"
+    command: >
+      bash -e -c "echo \"path \\\"secret/data/{{ vault_pushsecrets_policy }}/*\\\" {
+        capabilities = {{ vault_pushsecrets_capabilities }} }\" > /tmp/policy-{{ vault_pushsecrets_policy }}.hcl"
+
+- name: Add metadata path to the pushsecrets policy
+  kubernetes.core.k8s_exec:
+      namespace: "{{ vault_ns }}"
+      pod: "{{ vault_pod }}"
+      command: >
+        bash -e -c "echo \"path \\\"secret/metadata/{{ vault_pushsecrets_policy }}/*\\\" {
+          capabilities = {{ vault_pushsecrets_capabilities }} }\" >> /tmp/policy-{{ vault_pushsecrets_policy }}.hcl"
+
+- name: Configure VP pushsecrets policy
+  kubernetes.core.k8s_exec:
+    namespace: "{{ vault_ns }}"
+    pod: "{{ vault_pod }}"
+    command: "vault policy write {{ vault_pushsecrets_policy }}-secret /tmp/policy-{{ vault_pushsecrets_policy }}.hcl"
+
 - name: Configure policy template for hub
   kubernetes.core.k8s_exec:
     namespace: "{{ vault_ns }}"
@@ -93,4 +115,4 @@
       vault write auth/"{{ vault_hub }}"/role/"{{ vault_hub }}"-role
         bound_service_account_names="{{ external_secrets_sa }}"
         bound_service_account_namespaces="{{ external_secrets_ns }}"
-        policies="default,{{ vault_global_policy }}-secret,{{ vault_hub }}-secret" ttl="{{ vault_hub_ttl }}"
+        policies="default,{{ vault_global_policy }}-secret,{{ vault_pushsecrets_policy }}-secret,{{ vault_hub }}-secret" ttl="{{ vault_hub_ttl }}"

common/ansible/roles/vault_utils/tasks/vault_spokes_init.yaml

@@ -157,7 +157,7 @@
   loop_control:
     label: "{{ item.key }}"
 
-- name: Configure policy template
+- name: Configure spoke policy template
   kubernetes.core.k8s_exec:
     namespace: "{{ vault_ns }}"
     pod: "{{ vault_pod }}"
@@ -171,6 +171,34 @@
   loop_control:
     label: "{{ item.key }}"
 
+- name: Configure spoke pushsecrets policy template
+  kubernetes.core.k8s_exec:
+    namespace: "{{ vault_ns }}"
+    pod: "{{ vault_pod }}"
+    command: >
+      bash -e -c "echo \"path \\\"secret/data/{{ vault_pushsecrets_policy }}/*\\\" {
+        capabilities = {{ vault_pushsecrets_capabilities }} }\" >> /tmp/policy-{{ item.value['vault_path'] }}.hcl"
+  loop: "{{ clusters_info | dict2items }}"
+  when:
+    - item.value['esoToken'] is defined
+    - item.key != "local-cluster"
+  loop_control:
+    label: "{{ item.key }}"
+
+- name: Configure spoke pushsecrets metadata policy template
+  kubernetes.core.k8s_exec:
+    namespace: "{{ vault_ns }}"
+    pod: "{{ vault_pod }}"
+    command: >
+      bash -e -c "echo \"path \\\"secret/metadata/{{ vault_pushsecrets_policy }}/*\\\" {
+        capabilities = {{ vault_pushsecrets_capabilities }} }\" >> /tmp/policy-{{ item.value['vault_path'] }}.hcl"
+  loop: "{{ clusters_info | dict2items }}"
+  when:
+    - item.value['esoToken'] is defined
+    - item.key != "local-cluster"
+  loop_control:
+    label: "{{ item.key }}"
+
 - name: Configure policy for spokes
   kubernetes.core.k8s_exec:
     namespace: "{{ vault_ns }}"
@@ -191,7 +219,7 @@
       vault write auth/"{{ item.value['vault_path'] }}"/role/"{{ item.value['vault_path'] }}"-role
         bound_service_account_names="{{ external_secrets_sa }}"
         bound_service_account_namespaces="{{ external_secrets_ns }}"
-        policies="default,{{ vault_global_policy }}-secret,{{ item.value['vault_path'] }}-secret" ttl="{{ vault_spoke_ttl }}"
+        policies="default,{{ vault_global_policy }}-secret,{{ vault_pushsecrets_policy }}-secret,{{ item.value['vault_path'] }}-secret" ttl="{{ vault_spoke_ttl }}"
   loop: "{{ clusters_info | dict2items }}"
   when:
     - item.value['esoToken'] is defined

common/ansible/tests/unit/test_ini_file.py

@@ -29,6 +29,7 @@
 
 
 class TestMyModule(unittest.TestCase):
+
     def setUp(self):
         self.testdir_v2 = os.path.join(os.path.dirname(os.path.abspath(__file__)), "v2")
 

common/ansible/tests/unit/test_parse_secrets.py

@@ -62,6 +62,7 @@ def set_module_args(args):
 
 
 class BytesEncoder(json.JSONEncoder):
+
     def default(self, o):
         if isinstance(o, bytes):
             return base64.b64encode(o).decode("ascii")
@@ -113,6 +114,7 @@ def fail_json(*args, **kwargs):
 
 @mock.patch("getpass.getpass")
 class TestMyModule(unittest.TestCase):
+
     def create_inifile(self):
         self.inifile = open("/tmp/awscredentials", "w")
         config = configparser.ConfigParser()

common/ansible/tests/unit/test_vault_load_parsed_secrets.py

@@ -70,6 +70,7 @@ def fail_json(*args, **kwargs):
 
 
 class TestMyModule(unittest.TestCase):
+
     def setUp(self):
         self.mock_module_helper = patch.multiple(
             basic.AnsibleModule, exit_json=exit_json, fail_json=fail_json

common/ansible/tests/unit/test_vault_load_secrets.py

@@ -74,6 +74,7 @@ def fail_json(*args, **kwargs):
 
 
 class TestMyModule(unittest.TestCase):
+
     def setUp(self):
         self.mock_module_helper = patch.multiple(
             basic.AnsibleModule, exit_json=exit_json, fail_json=fail_json

common/ansible/tests/unit/test_vault_load_secrets_v2.py

@@ -77,6 +77,7 @@ def fail_json(*args, **kwargs):
 
 @mock.patch("getpass.getpass")
 class TestMyModule(unittest.TestCase):
+
     def create_inifile(self):
         self.inifile = open("/tmp/awscredentials", "w")
         config = configparser.ConfigParser()

common/clustergroup/Chart.yaml

@@ -3,4 +3,4 @@ description: A Helm chart to create per-clustergroup ArgoCD applications and any
 keywords:
 - pattern
 name: clustergroup
-version: 0.8.10
+version: 0.8.12