From 494181736c7a4cf257db22d9386d4df05ceff586 Mon Sep 17 00:00:00 2001 From: Tobi Gremmer Date: Tue, 3 Oct 2023 14:30:39 +0200 Subject: [PATCH 1/2] Change short-lived OAuth token to personal access token --- .../ace_box/roles/gitlab/defaults/main.yml | 1 + .../ace_box/roles/gitlab/tasks/configure.yml | 2 + .../tasks/create-personal-access-token.yml | 40 +++++++++++++++++++ .../roles/gitlab/tasks/create-secret.yml | 1 + .../roles/gitlab/tasks/source-secret.yml | 14 ++++++- .../gitlab/templates/gitlab-dashboard.yml.j2 | 4 +- 6 files changed, 59 insertions(+), 3 deletions(-) create mode 100644 user-skel/ansible_collections/ace_box/ace_box/roles/gitlab/tasks/create-personal-access-token.yml diff --git a/user-skel/ansible_collections/ace_box/ace_box/roles/gitlab/defaults/main.yml b/user-skel/ansible_collections/ace_box/ace_box/roles/gitlab/defaults/main.yml index 039667185..c101c920e 100644 --- a/user-skel/ansible_collections/ace_box/ace_box/roles/gitlab/defaults/main.yml +++ b/user-skel/ansible_collections/ace_box/ace_box/roles/gitlab/defaults/main.yml @@ -8,4 +8,5 @@ gitlab_domain: "gitlab.{{ ingress_domain }}" gitlab_gcpe_helm_chart_version: "0.2.15" gitlab_gcpe_tag: "v0.5.3" gitlab_root_creds_secret_name: "ace-gitlab-initial-root-password" +gitlab_root_pat_secret_name: "ace-gitlab-root-pat" gitlab_dt_access_token_name: "ace_box_gitlab_api_token" diff --git a/user-skel/ansible_collections/ace_box/ace_box/roles/gitlab/tasks/configure.yml b/user-skel/ansible_collections/ace_box/ace_box/roles/gitlab/tasks/configure.yml index af1280f30..7dd3fb94e 100644 --- a/user-skel/ansible_collections/ace_box/ace_box/roles/gitlab/tasks/configure.yml +++ b/user-skel/ansible_collections/ace_box/ace_box/roles/gitlab/tasks/configure.yml 
@@ -5,6 +5,8 @@ access_token_var_name: "{{ gitlab_dt_access_token_name }}" access_token_scope: ["slo.read","slo.write","CaptureRequestData","credentialVault.read","credentialVault.write","DataExport","DataPrivacy","ExternalSyntheticIntegration","ReadConfig","WriteConfig","events.ingest","settings.read","settings.write"] +- include_tasks: create-personal-access-token.yml + - include_tasks: source-secret.yml - include_tasks: ensure-group.yml diff --git a/user-skel/ansible_collections/ace_box/ace_box/roles/gitlab/tasks/create-personal-access-token.yml b/user-skel/ansible_collections/ace_box/ace_box/roles/gitlab/tasks/create-personal-access-token.yml new file mode 100644 index 000000000..cf9ce5128 --- /dev/null +++ b/user-skel/ansible_collections/ace_box/ace_box/roles/gitlab/tasks/create-personal-access-token.yml @@ -0,0 +1,40 @@ +--- +- include_tasks: source-endpoints.yml + when: gitlab_internal_endpoint is not defined + +- include_tasks: source-secret.yml + when: gitlab_oauth_token is not defined + +- name: Ensure namespace + kubernetes.core.k8s: + name: "{{ gitlab_namespace }}" + api_version: v1 + kind: Namespace + state: present + +- name: Gitlab - Create a Personal Access Token + uri: + url: "{{ gitlab_internal_endpoint }}/api/v4/users/1/personal_access_tokens" + validate_certs: false + method: POST + status_code: [200, 201] + headers: + Content-Type: "application/json" + Authorization: "Bearer {{ gitlab_oauth_token }}" + body: + name: "ace-box-pat" + scopes: ["api"] + body_format: json + register: gitlab_personal_access_token_result + +- name: Persist Gitlab root PAT + kubernetes.core.k8s: + name: "{{ gitlab_root_pat_secret_name }}" + api_version: v1 + kind: Secret + state: present + namespace: "{{ gitlab_namespace }}" + resource_definition: + type: Opaque + data: + personalAccessToken: "{{ gitlab_personal_access_token_result.json.token | b64encode }}" 
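Review bot: The new `- include_tasks: create-personal-access-token.yml` runs unconditionally on every configure pass, and the included file (in this same patch) always POSTs a fresh token and overwrites the `ace-gitlab-root-pat` secret, so each rerun mints another api-scope root PAT while the earlier ones stay valid in GitLab. Guard the include so it only runs when no PAT has been sourced yet, for example by moving `- include_tasks: source-secret.yml` above it and adding `when: gitlab_personal_access_token is not defined` to the create include, or revoke the previous token before creating a new one. As written the secret is created and then immediately read back by the following `source-secret.yml` include, which is fine but worth a one-line comment so the ordering is not "fixed" later.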
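Review bot: The `Gitlab - Create a Personal Access Token` task registers a response whose `json.token` is the plaintext PAT, and neither it nor `Persist Gitlab root PAT` sets `no_log: true`, so the token is printed in verbose (`-v`) output and in the k8s module's returned resource; add `no_log: true` to both tasks, since this token carries the `api` scope on user 1 (the instance admin). The request body also omits `expires_at`, so unless the GitLab instance enforces a default lifetime the token never expires; given the commit deliberately replaces a short-lived OAuth token, add an explicit horizon such as `expires_at: "{{ '%Y-%m-%d' | strftime(now().timestamp() + 30*86400) }}"` and check whether `scopes: ["api"]` can be narrowed for the consumers of `GITLAB_PRIVATE_TOKEN`. The hard-coded `users/1` presumes root is the first user, and `validate_certs: false` is presumably acceptable for the internal endpoint, but both deserve a short comment stating the assumption.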
diff --git a/user-skel/ansible_collections/ace_box/ace_box/roles/gitlab/tasks/create-secret.yml b/user-skel/ansible_collections/ace_box/ace_box/roles/gitlab/tasks/create-secret.yml index 78dbf736b..eab4b4086 100644 --- a/user-skel/ansible_collections/ace_box/ace_box/roles/gitlab/tasks/create-secret.yml +++ b/user-skel/ansible_collections/ace_box/ace_box/roles/gitlab/tasks/create-secret.yml @@ -25,4 +25,5 @@ resource_definition: type: Opaque data: + username: "{{ 'root' | b64encode }}" password: "{{ gitlab_password | b64encode }}" diff --git a/user-skel/ansible_collections/ace_box/ace_box/roles/gitlab/tasks/source-secret.yml b/user-skel/ansible_collections/ace_box/ace_box/roles/gitlab/tasks/source-secret.yml index 45fe61b6f..dc2c7b584 100644 --- a/user-skel/ansible_collections/ace_box/ace_box/roles/gitlab/tasks/source-secret.yml +++ b/user-skel/ansible_collections/ace_box/ace_box/roles/gitlab/tasks/source-secret.yml @@ -11,10 +11,22 @@ - name: Set secrets facts set_fact: - gitlab_username: "root" + gitlab_username: "{{ gitlab_secret_data.resources[0].data.username | b64decode }}" gitlab_password: "{{ gitlab_secret_data.resources[0].data.password | b64decode }}" when: gitlab_secret_data is defined and gitlab_secret_data.resources[0] is defined +- name: Source Gitlab PAT + kubernetes.core.k8s_info: + kind: Secret + name: "{{ gitlab_root_pat_secret_name }}" + namespace: "{{ gitlab_namespace }}" + register: gitlab_root_pat_data + +- name: Set secrets facts + set_fact: + gitlab_personal_access_token: "{{ gitlab_root_pat_data.resources[0].data.personalAccessToken | b64decode }}" + when: gitlab_root_pat_data is defined and gitlab_root_pat_data.resources[0] is defined + - name: Gitlab - Get new OAuth token uri: url: "{{ gitlab_internal_endpoint }}/oauth/token" 
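Review bot: `gitlab_username: "{{ gitlab_secret_data.resources[0].data.username | b64decode }}"` assumes the root-creds secret carries a `username` key, but that key is only written by the `create-secret.yml` change in this same patch, so on an environment whose secret predates it the lookup fails on an undefined attribute instead of falling back to `root` as the removed line did. A fallback keeps existing installs working: `gitlab_username: "{{ (gitlab_secret_data.resources[0].data.username | default('root' | b64encode)) | b64decode }}"`. The new PAT fact task reuses the task name `Set secrets facts`, which makes `--start-at-task` and log reading ambiguous; name it `Set PAT fact`. Both `k8s_info` results and the `set_fact` tasks carry secret material, so `no_log: true` on them is worth adding; the `Get new OAuth token` task starting at the end of this hunk continues outside it.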
diff --git a/user-skel/ansible_collections/ace_box/ace_box/roles/gitlab/templates/gitlab-dashboard.yml.j2 b/user-skel/ansible_collections/ace_box/ace_box/roles/gitlab/templates/gitlab-dashboard.yml.j2 index 0f849ade0..f2632cd7c 100644 --- a/user-skel/ansible_collections/ace_box/ace_box/roles/gitlab/templates/gitlab-dashboard.yml.j2 +++ b/user-skel/ansible_collections/ace_box/ace_box/roles/gitlab/templates/gitlab-dashboard.yml.j2 @@ -9,6 +9,6 @@ extRefs: - description: Password type: password value: "{{ gitlab_password }}" - - description: Token + - description: Personal Access Token type: password - value: "{{ gitlab_oauth_token | default(None) }}" + value: "{{ gitlab_personal_access_token | default(None) }}" From 989e94c90326f2a867e799fb4e9ec057bbce8564 Mon Sep 17 00:00:00 2001 From: Tobi Gremmer Date: Wed, 4 Oct 2023 09:57:42 +0200 Subject: [PATCH 2/2] Use gitlab_personal_access_token --- .../tasks/main.yml | 97 +++++++++++++------ 1 file changed, 69 insertions(+), 28 deletions(-) diff --git a/user-skel/ansible_collections/ace_box/ace_box/roles/demo-release-validation-srg-gitlab/tasks/main.yml b/user-skel/ansible_collections/ace_box/ace_box/roles/demo-release-validation-srg-gitlab/tasks/main.yml index 6eb954cf0..6d8756ec1 100644 --- a/user-skel/ansible_collections/ace_box/ace_box/roles/demo-release-validation-srg-gitlab/tasks/main.yml +++ b/user-skel/ansible_collections/ace_box/ace_box/roles/demo-release-validation-srg-gitlab/tasks/main.yml @@ -1,5 +1,4 @@ --- - - include_role: name: microk8s 
@@ -18,10 +17,25 @@ name: dt-access-token vars: access_token_var_name: "monaco_cleanup_api_token" - access_token_scope: ["slo.read","slo.write","CaptureRequestData","credentialVault.read","credentialVault.write","DataExport","DataPrivacy","ExternalSyntheticIntegration","ReadConfig","WriteConfig","events.ingest","settings.read","settings.write"] + access_token_scope: + [ + "slo.read", + "slo.write", + "CaptureRequestData", + "credentialVault.read", + "credentialVault.write", + "DataExport", + "DataPrivacy", + "ExternalSyntheticIntegration", + "ReadConfig", + "WriteConfig", + "events.ingest", + "settings.read", + "settings.write", + ] - name: Monaco - Cleanup potential conflicting Monaco resources - shell: + shell: cmd: | sed -e "s/\$RELEASE_STAGE/$RELEASE_STAGE_STAGING/g" -e "s/\$DEMO_IDENTIFIER/$DEMO_IDENTIFIER/g" -e "s/\$RELEASE_PRODUCT/$RELEASE_PRODUCT/g" {{ role_path }}/files/monaco/delete-app.yaml > {{ role_path }}/files/monaco/delete-app-staging-optimized.yaml sed -e "s/\$RELEASE_STAGE/$RELEASE_STAGE_PROD/g" -e "s/\$DEMO_IDENTIFIER/$DEMO_IDENTIFIER/g" -e "s/\$RELEASE_PRODUCT/$RELEASE_PRODUCT/g" {{ role_path }}/files/monaco/delete-app.yaml > {{ role_path }}/files/monaco/delete-app-prod-optimized.yaml 
@@ -32,15 +46,15 @@ MONACO_FEAT_AUTOMATION_RESOURCES=1 monaco delete --manifest {{ role_path }}/files/monaco/manifest.yaml --file {{ role_path }}/files/monaco/delete-infra-optimized.yaml --group production MONACO_FEAT_AUTOMATION_RESOURCES=1 monaco delete --manifest {{ role_path }}/files/monaco/manifest.yaml --file {{ role_path }}/files/monaco/delete-infra-optimized.yaml --group staging environment: - DT_PLATFORM_TENANT_URL: "{{ extra_vars.dt_environment_url_gen3.rstrip('/') }}" - DT_API_TOKEN: "{{ monaco_cleanup_api_token }}" - DT_OAUTH_CLIENT_ID: "{{ extra_vars.dt_oauth_client_id }}" - DT_OAUTH_CLIENT_SECRET: "{{ extra_vars.dt_oauth_client_secret }}" - DT_OAUTH_SSO_ENDPOINT: "{{ extra_vars.dt_oauth_sso_endpoint.rstrip('/') }}" - DEMO_IDENTIFIER: "{{ demo_identifier }}" - RELEASE_STAGE_STAGING: "simplenode-gitlab-staging" - RELEASE_STAGE_PROD: "simplenode-gitlab-prod" - RELEASE_PRODUCT: "simplenodeservice" + DT_PLATFORM_TENANT_URL: "{{ extra_vars.dt_environment_url_gen3.rstrip('/') }}" + DT_API_TOKEN: "{{ monaco_cleanup_api_token }}" + DT_OAUTH_CLIENT_ID: "{{ extra_vars.dt_oauth_client_id }}" + DT_OAUTH_CLIENT_SECRET: "{{ extra_vars.dt_oauth_client_secret }}" + DT_OAUTH_SSO_ENDPOINT: "{{ extra_vars.dt_oauth_sso_endpoint.rstrip('/') }}" + DEMO_IDENTIFIER: "{{ demo_identifier }}" + RELEASE_STAGE_STAGING: "simplenode-gitlab-staging" + RELEASE_STAGE_PROD: "simplenode-gitlab-prod" + RELEASE_PRODUCT: "simplenodeservice" - include_role: name: gitlab @@ -63,6 +77,12 @@ - include_role: name: gitlab tasks_from: source-endpoints-external + when: gitlab_external_endpoint is not defined + +- include_role: + name: gitlab + tasks_from: source-secret + when: gitlab_personal_access_token is not defined - name: Gitlab - Additional Environment Variables include_role: 
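Review bot: The conditional `include_role: gitlab` / `tasks_from: source-secret` only sets `gitlab_personal_access_token` when the `ace-gitlab-root-pat` secret already exists (the fact task in that file is guarded by `resources[0] is defined`), so if it does not the variable stays undefined and the play fails later at the `GITLAB_PRIVATE_TOKEN` loop item with a generic undefined-variable error. Add an explicit check right after the include so the failure is diagnosable: `- assert:` / `that: gitlab_personal_access_token is defined` / `fail_msg: "GitLab root PAT secret not found; run the gitlab role configure tasks first"`. The `when: gitlab_external_endpoint is not defined` guard means a value left over from an earlier play is silently reused, which is presumably intended but worth a comment.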
@@ -72,16 +92,37 @@ gitlab_var_key: "{{ item.key }}" gitlab_var_value: "{{ item.value }}" loop: - - { key: "DT_PLATFORM_TENANT_URL", value: "{{ extra_vars.dt_environment_url_gen3.rstrip('/') }}" } - - { key: 'DT_OAUTH_CLIENT_ID', value: '{{ extra_vars.dt_oauth_client_id }}' } - - { key: 'DT_OAUTH_CLIENT_SECRET', value: '{{ extra_vars.dt_oauth_client_secret }}' } - - { key: "DT_OAUTH_SSO_ENDPOINT", value: "{{ extra_vars.dt_oauth_sso_endpoint.rstrip('/') }}" } - - { key: 'DT_OAUTH_ACCOUNT_URN', value: '{{ extra_vars.dt_oauth_account_urn }}' } - - { key: 'GITLAB_USERNAME', value: '{{ gitlab_username }}' } - - { key: 'GITLAB_PASSWORD', value: '{{ gitlab_password }}' } - - { key: 'GITLAB_PRIVATE_TOKEN', value: '{{ gitlab_oauth_token }}' } - - { key: 'GITLAB_EXTERNAL_ENDPOINT', value: '{{ gitlab_external_endpoint }}' } - - { key: 'DEMO_IDENTIFIER', value: '{{ demo_identifier }}' } + - { + key: "DT_PLATFORM_TENANT_URL", + value: "{{ extra_vars.dt_environment_url_gen3.rstrip('/') }}", + } + - { + key: "DT_OAUTH_CLIENT_ID", + value: "{{ extra_vars.dt_oauth_client_id }}", + } + - { + key: "DT_OAUTH_CLIENT_SECRET", + value: "{{ extra_vars.dt_oauth_client_secret }}", + } + - { + key: "DT_OAUTH_SSO_ENDPOINT", + value: "{{ extra_vars.dt_oauth_sso_endpoint.rstrip('/') }}", + } + - { + key: "DT_OAUTH_ACCOUNT_URN", + value: "{{ extra_vars.dt_oauth_account_urn }}", + } + - { key: "GITLAB_USERNAME", value: "{{ gitlab_username }}" } + - { key: "GITLAB_PASSWORD", value: "{{ gitlab_password }}" } + - { + key: "GITLAB_PRIVATE_TOKEN", + value: "{{ gitlab_personal_access_token }}", + } + - { + key: "GITLAB_EXTERNAL_ENDPOINT", + value: "{{ gitlab_external_endpoint }}", + } + - { key: "DEMO_IDENTIFIER", value: "{{ demo_identifier }}" } - name: Source Gitlab endpoint include_role: 
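Review bot: `include_role` with `loop:` echoes each loop item in the task output, so the root password, the api-scope PAT (`GITLAB_PRIVATE_TOKEN`) and `DT_OAUTH_CLIENT_SECRET` in this list land in plain text in the Ansible log, and `no_log` is not honored on includes. Add `loop_control:` / `label: "{{ item.key }}"` to the task so only the variable name is printed. Whether the included role marks these variables `masked`/`protected` in GitLab is outside this hunk; if it does not, the same values will also surface in CI job logs of the demo project, so that is worth confirming. The task's opening lines (`name`, `include_role`) sit above this hunk.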
@@ -97,7 +138,7 @@ git_username: "root" git_password: "{{ gitlab_password }}" git_domain: "{{ gitlab_domain }}" - git_endpoint: "{{ gitlab_internal_endpoint | regex_replace(\"http://\") }}" + git_endpoint: '{{ gitlab_internal_endpoint | regex_replace("http://") }}' git_org_name: "{{ gitlab_demo_srg_group }}" repo_name: "{{ gitlab_demo_srg_repo_name }}" app_simplenode_overwrites: @@ -109,16 +150,16 @@ - dest: cloudautomation/ # Overwrites folders in the repo: - dest: monaco/ - src: '{{ role_path_abs }}/files/monaco/' + src: "{{ role_path_abs }}/files/monaco/" - dest: locust/ - src: '{{ role_path_abs }}/files/locust/' + src: "{{ role_path_abs }}/files/locust/" - dest: docs/ - src: '{{ role_path_abs }}/files/docs/' + src: "{{ role_path_abs }}/files/docs/" # Overwrites files in the repo: - dest: .gitlab-ci.yml - src: '{{ role_path_abs }}/files/.gitlab-ci.yml' + src: "{{ role_path_abs }}/files/.gitlab-ci.yml" - dest: dynatrace/dynatrace.attachrules.yaml - src: '{{ role_path_abs }}/files/dynatrace.attachrules.yaml' + src: "{{ role_path_abs }}/files/dynatrace.attachrules.yaml" - include_role: name: dashboard