Dynatrace · tobigremmer-dt · Oct 4, 2023 · Oct 3, 2023 · Oct 4, 2023
@@ -1,5 +1,4 @@
 ---
-
 - include_role:
     name: microk8s
 
@@ -18,10 +17,25 @@
     name: dt-access-token
   vars:
     access_token_var_name: "monaco_cleanup_api_token"
-    access_token_scope: ["slo.read","slo.write","CaptureRequestData","credentialVault.read","credentialVault.write","DataExport","DataPrivacy","ExternalSyntheticIntegration","ReadConfig","WriteConfig","events.ingest","settings.read","settings.write"]
+    access_token_scope:
+      [
+        "slo.read",
+        "slo.write",
+        "CaptureRequestData",
+        "credentialVault.read",
+        "credentialVault.write",
+        "DataExport",
+        "DataPrivacy",
+        "ExternalSyntheticIntegration",
+        "ReadConfig",
+        "WriteConfig",
+        "events.ingest",
+        "settings.read",
+        "settings.write",
+      ]
 
 - name: Monaco - Cleanup potential conflicting Monaco resources
-  shell:      
+  shell:
     cmd: |
       sed -e "s/\$RELEASE_STAGE/$RELEASE_STAGE_STAGING/g" -e "s/\$DEMO_IDENTIFIER/$DEMO_IDENTIFIER/g" -e "s/\$RELEASE_PRODUCT/$RELEASE_PRODUCT/g" {{ role_path }}/files/monaco/delete-app.yaml > {{ role_path }}/files/monaco/delete-app-staging-optimized.yaml
       sed -e "s/\$RELEASE_STAGE/$RELEASE_STAGE_PROD/g" -e "s/\$DEMO_IDENTIFIER/$DEMO_IDENTIFIER/g" -e "s/\$RELEASE_PRODUCT/$RELEASE_PRODUCT/g" {{ role_path }}/files/monaco/delete-app.yaml > {{ role_path }}/files/monaco/delete-app-prod-optimized.yaml
@@ -32,15 +46,15 @@
       MONACO_FEAT_AUTOMATION_RESOURCES=1 monaco delete --manifest {{ role_path }}/files/monaco/manifest.yaml --file {{ role_path }}/files/monaco/delete-infra-optimized.yaml --group production
       MONACO_FEAT_AUTOMATION_RESOURCES=1 monaco delete --manifest {{ role_path }}/files/monaco/manifest.yaml --file {{ role_path }}/files/monaco/delete-infra-optimized.yaml --group staging
   environment:
-      DT_PLATFORM_TENANT_URL: "{{ extra_vars.dt_environment_url_gen3.rstrip('/') }}"
-      DT_API_TOKEN: "{{ monaco_cleanup_api_token }}"
-      DT_OAUTH_CLIENT_ID: "{{ extra_vars.dt_oauth_client_id }}"
-      DT_OAUTH_CLIENT_SECRET: "{{ extra_vars.dt_oauth_client_secret }}"
-      DT_OAUTH_SSO_ENDPOINT: "{{ extra_vars.dt_oauth_sso_endpoint.rstrip('/') }}"
-      DEMO_IDENTIFIER: "{{ demo_identifier }}"
-      RELEASE_STAGE_STAGING: "simplenode-gitlab-staging"
-      RELEASE_STAGE_PROD: "simplenode-gitlab-prod"
-      RELEASE_PRODUCT: "simplenodeservice"
+    DT_PLATFORM_TENANT_URL: "{{ extra_vars.dt_environment_url_gen3.rstrip('/') }}"
+    DT_API_TOKEN: "{{ monaco_cleanup_api_token }}"
+    DT_OAUTH_CLIENT_ID: "{{ extra_vars.dt_oauth_client_id }}"
+    DT_OAUTH_CLIENT_SECRET: "{{ extra_vars.dt_oauth_client_secret }}"
+    DT_OAUTH_SSO_ENDPOINT: "{{ extra_vars.dt_oauth_sso_endpoint.rstrip('/') }}"
+    DEMO_IDENTIFIER: "{{ demo_identifier }}"
+    RELEASE_STAGE_STAGING: "simplenode-gitlab-staging"
+    RELEASE_STAGE_PROD: "simplenode-gitlab-prod"
+    RELEASE_PRODUCT: "simplenodeservice"
 
 - include_role:
     name: gitlab
@@ -63,6 +77,12 @@
 - include_role:
     name: gitlab
     tasks_from: source-endpoints-external
+  when: gitlab_external_endpoint is not defined
+
+- include_role:
+    name: gitlab
+    tasks_from: source-secret
+  when: gitlab_personal_access_token is not defined
 
 - name: Gitlab - Additional Environment Variables
   include_role:
@@ -72,16 +92,37 @@
     gitlab_var_key: "{{ item.key }}"
     gitlab_var_value: "{{ item.value }}"
   loop:
-    - { key: "DT_PLATFORM_TENANT_URL", value: "{{ extra_vars.dt_environment_url_gen3.rstrip('/') }}" }
-    - { key: 'DT_OAUTH_CLIENT_ID', value: '{{ extra_vars.dt_oauth_client_id }}' }
-    - { key: 'DT_OAUTH_CLIENT_SECRET', value: '{{ extra_vars.dt_oauth_client_secret }}' }
-    - { key: "DT_OAUTH_SSO_ENDPOINT", value: "{{ extra_vars.dt_oauth_sso_endpoint.rstrip('/') }}" }
-    - { key: 'DT_OAUTH_ACCOUNT_URN', value: '{{ extra_vars.dt_oauth_account_urn }}' }
-    - { key: 'GITLAB_USERNAME', value: '{{ gitlab_username }}' }
-    - { key: 'GITLAB_PASSWORD', value: '{{ gitlab_password }}' }
-    - { key: 'GITLAB_PRIVATE_TOKEN', value: '{{ gitlab_oauth_token }}' }
-    - { key: 'GITLAB_EXTERNAL_ENDPOINT', value: '{{ gitlab_external_endpoint }}' }
-    - { key: 'DEMO_IDENTIFIER', value: '{{ demo_identifier }}' }
+    - {
+        key: "DT_PLATFORM_TENANT_URL",
+        value: "{{ extra_vars.dt_environment_url_gen3.rstrip('/') }}",
+      }
+    - {
+        key: "DT_OAUTH_CLIENT_ID",
+        value: "{{ extra_vars.dt_oauth_client_id }}",
+      }
+    - {
+        key: "DT_OAUTH_CLIENT_SECRET",
+        value: "{{ extra_vars.dt_oauth_client_secret }}",
+      }
+    - {
+        key: "DT_OAUTH_SSO_ENDPOINT",
+        value: "{{ extra_vars.dt_oauth_sso_endpoint.rstrip('/') }}",
+      }
+    - {
+        key: "DT_OAUTH_ACCOUNT_URN",
+        value: "{{ extra_vars.dt_oauth_account_urn }}",
+      }
+    - { key: "GITLAB_USERNAME", value: "{{ gitlab_username }}" }
+    - { key: "GITLAB_PASSWORD", value: "{{ gitlab_password }}" }
+    - {
+        key: "GITLAB_PRIVATE_TOKEN",
+        value: "{{ gitlab_personal_access_token }}",
+      }
+    - {
+        key: "GITLAB_EXTERNAL_ENDPOINT",
+        value: "{{ gitlab_external_endpoint }}",
+      }
+    - { key: "DEMO_IDENTIFIER", value: "{{ demo_identifier }}" }
 
 - name: Source Gitlab endpoint
   include_role:
@@ -97,7 +138,7 @@
     git_username: "root"
     git_password: "{{ gitlab_password }}"
     git_domain: "{{ gitlab_domain }}"
-    git_endpoint: "{{ gitlab_internal_endpoint | regex_replace(\"http://\") }}"
+    git_endpoint: '{{ gitlab_internal_endpoint | regex_replace("http://") }}'
     git_org_name: "{{ gitlab_demo_srg_group }}"
     repo_name: "{{ gitlab_demo_srg_repo_name }}"
     app_simplenode_overwrites:
@@ -109,16 +150,16 @@
       - dest: cloudautomation/
       # Overwrites folders in the repo:
       - dest: monaco/
-        src: '{{ role_path_abs }}/files/monaco/'
+        src: "{{ role_path_abs }}/files/monaco/"
       - dest: locust/
-        src: '{{ role_path_abs }}/files/locust/'
+        src: "{{ role_path_abs }}/files/locust/"
       - dest: docs/
-        src: '{{ role_path_abs }}/files/docs/'
+        src: "{{ role_path_abs }}/files/docs/"
       # Overwrites files in the repo:
       - dest: .gitlab-ci.yml
-        src: '{{ role_path_abs }}/files/.gitlab-ci.yml'
+        src: "{{ role_path_abs }}/files/.gitlab-ci.yml"
       - dest: dynatrace/dynatrace.attachrules.yaml
-        src: '{{ role_path_abs }}/files/dynatrace.attachrules.yaml'
+        src: "{{ role_path_abs }}/files/dynatrace.attachrules.yaml"
 
 - include_role:
     name: dashboard

@@ -8,4 +8,5 @@ gitlab_domain: "gitlab.{{ ingress_domain }}"
 gitlab_gcpe_helm_chart_version: "0.2.15"
 gitlab_gcpe_tag: "v0.5.3"
 gitlab_root_creds_secret_name: "ace-gitlab-initial-root-password"
+gitlab_root_pat_secret_name: "ace-gitlab-root-pat"
 gitlab_dt_access_token_name: "ace_box_gitlab_api_token"
@@ -5,6 +5,8 @@
     access_token_var_name: "{{ gitlab_dt_access_token_name }}"
     access_token_scope: ["slo.read","slo.write","CaptureRequestData","credentialVault.read","credentialVault.write","DataExport","DataPrivacy","ExternalSyntheticIntegration","ReadConfig","WriteConfig","events.ingest","settings.read","settings.write"]
 
+- include_tasks: create-personal-access-token.yml
+
 - include_tasks: source-secret.yml
 
 - include_tasks: ensure-group.yml

@@ -0,0 +1,40 @@
+---
+- include_tasks: source-endpoints.yml
+  when: gitlab_internal_endpoint is not defined
+
+- include_tasks: source-secret.yml
+  when: gitlab_oauth_token is not defined
+
+- name: Ensure namespace
+  kubernetes.core.k8s:
+    name: "{{ gitlab_namespace }}"
+    api_version: v1
+    kind: Namespace
+    state: present
+
+- name: Gitlab - Create a Personal Access Token
+  uri:
+    url: "{{ gitlab_internal_endpoint }}/api/v4/users/1/personal_access_tokens"
+    validate_certs: false
+    method: POST
+    status_code: [200, 201]
+    headers:
+      Content-Type: "application/json"
+      Authorization: "Bearer {{ gitlab_oauth_token }}"
+    body:
+      name: "ace-box-pat"
+      scopes: ["api"]
+    body_format: json
+  register: gitlab_personal_access_token_result
+
+- name: Persist Gitlab root PAT
+  kubernetes.core.k8s:
+    name: "{{ gitlab_root_pat_secret_name }}"
+    api_version: v1
+    kind: Secret
+    state: present
+    namespace: "{{ gitlab_namespace }}"
+    resource_definition:
+      type: Opaque
+      data:
+        personalAccessToken: "{{ gitlab_personal_access_token_result.json.token | b64encode }}"
@@ -25,4 +25,5 @@
     resource_definition:
       type: Opaque
       data:
+        username: "{{ 'root' | b64encode }}"
         password: "{{ gitlab_password | b64encode }}"
@@ -11,10 +11,22 @@
 
 - name: Set secrets facts
   set_fact:
-    gitlab_username: "root"
+    gitlab_username: "{{ gitlab_secret_data.resources[0].data.username | b64decode }}"
     gitlab_password: "{{ gitlab_secret_data.resources[0].data.password | b64decode }}"
   when: gitlab_secret_data is defined and gitlab_secret_data.resources[0] is defined
 
+- name: Source Gitlab PAT
+  kubernetes.core.k8s_info:
+    kind: Secret
+    name: "{{ gitlab_root_pat_secret_name }}"
+    namespace: "{{ gitlab_namespace }}"
+  register: gitlab_root_pat_data
+
+- name: Set secrets facts
+  set_fact:
+    gitlab_personal_access_token: "{{ gitlab_root_pat_data.resources[0].data.personalAccessToken | b64decode }}"
+  when: gitlab_root_pat_data is defined and gitlab_root_pat_data.resources[0] is defined
+
 - name: Gitlab - Get new OAuth token
   uri:
     url: "{{ gitlab_internal_endpoint }}/oauth/token"

@@ -9,6 +9,6 @@ extRefs:
     - description: Password
       type: password
       value: "{{ gitlab_password }}"
-    - description: Token
+    - description: Personal Access Token
       type: password
-      value: "{{ gitlab_oauth_token | default(None) }}"
+      value: "{{ gitlab_personal_access_token | default(None) }}"