refactor: ♻️ installation Sonarqube via helm chart Bitnami

refactor de l'installation via helm chart, utilisation de l'opérateur CNPG pour la BDD, mise à jour CRD.

docs: 📝 mise à jour du README sur  partie SonarQube

refactor: 🔥 mise à jour des values PostgreSQL

fix: 🐛 correction déploiement helm + ajout plugin

le déploiement helm nécessite le MDP admin de SonarQube lors d'un redéploiement (corrigé) + test d'ajout d'un plugin dans les values du Helm

feat: ✨ installation via helm chart officiel

https://github.com/SonarSource/helm-chart-sonarqube

fix: 🐛 installation de Community Branch Plugin

via utilisation de paramètres documentés de manière équivoque

fix: 🐛 fix ingress, pgcluster et deploiement helm

feat: 🎨 creation token selon branches de SonarQube

adaptation de la creation du token liée à évolution BDD + suppression déclaration de PV inutiles

fix: 🐛 fix import ca from secret

fix: 👽 gitlab token needs expiration date

refactor: ⚡ avoid bad response from proxy when vault is down

fix: 🐛 keycloak tlsSecret support

refactor: 🎨 manage tls.type == none

fix: 🎨 finish variabilize argo

fix: 🐛 couldn't remove proxy vars gitlab ci

fix: 🎨 can provide harbor pvc size

refactor: 🔥 remove unuseful lines

admin-tools/get-credentials.yaml

@@ -86,6 +86,17 @@
       tags:
         - always
 
+    - ansible.builtin.set_fact:
+        dsc_default_config: "{{ lookup('ansible.builtin.file', '../roles/socle-config/files/config.yaml') | from_yaml }}"
+        dsc_default_releases: "{{ lookup('ansible.builtin.file', '../roles/socle-config/files/releases.yaml') | from_yaml }}"
+      tags:
+        - always
+
+    - ansible.builtin.set_fact:
+        dsc: "{{ dsc | combine(dsc_default_config.spec, recursive=True) | combine(dsc_default_releases.spec, recursive=True)}}"
+      tags:
+        - always
+
     - name: Get DSO config ConfigMap from DSO console namespace
       kubernetes.core.k8s_info:
         kind: ConfigMap

install.yaml

@@ -18,7 +18,6 @@
     - name: cert-manager
       tags:
         - cert-manager
-        - always
 
     - name: confSyncer
       tags:

roles/argocd/templates/values.yaml.j2

@@ -4,8 +4,10 @@ openshift:
 image:
   PullPolicy: IfNotPresent
 config:
+{% if dsc.argocd.admin.enabled %}
   secret:
     argocdServerAdminPassword: "{{ dsc.argocd.admin.password }}"
+{% endif %}
 {% if dsc.exposedCA != 'none' %}
   tlsCerts:
     {{ gitlab_domain }}: |
@@ -29,7 +31,7 @@ server:
         {{ exposed_ca_pem | indent(width=8, first=False) }}
 {% endif %}
     users.anonymous.enabled: "false"
-    admin.enabled: "false" # TODO variabilize
+    admin.enabled: "{{ dsc.argocd.admin.enabled }}"
     kustomize.buildOptions: "--enable-helm"
     resource.exclusions: |
       - apiGroups:

roles/ca/tasks/exposed_ca.yaml

@@ -22,14 +22,14 @@
   block:
     - name: Get secret
       kubernetes.core.k8s_info:
-        name: "{{ dsc.exposedCA.configmap.name }}"
-        namespace: "{{ dsc.exposedCA.configmap.namespace }}"
+        name: "{{ dsc.exposedCA.secret.name }}"
+        namespace: "{{ dsc.exposedCA.secret.namespace }}"
         kind: Secret
       register: exposed_ca_resource
 
     - name: Extract key
       ansible.builtin.set_fact:
-        exposed_ca_pem: "{{ exposed_ca_resource.resources[0].data[dsc.exposedCA.configmap.key] | b64decode }}"
+        exposed_ca_pem: "{{ exposed_ca_resource.resources[0].data[dsc.exposedCA.secret.key] | b64decode }}"
 
 - name: Exposed_ca (certmanager)
   when: dsc.exposedCA.type == 'certmanager'

roles/console-dso/templates/app.yaml.j2

@@ -64,6 +64,10 @@ spec:
 {% if dsc.ingress.tls.type == 'tlsSecret' %}
         - name: ingress.tls.secretName
           value: {{ dsc.ingress.tls.tlsSecret.name }}
+{% endif %}
+{% if dsc.ingress.tls.type == 'none' %}
+        - name: ingress.tls.enabled
+          value: "false"
 {% endif %}
   syncPolicy:
     automated: {}

roles/gitlab/tasks/main.yaml

@@ -149,7 +149,8 @@
         command: >
           bash -c "echo 'PersonalAccessToken.create!(user_id: 1
           , name: \"ANSIBLE-DSO\"
-          , scopes: [:api, :read_repository, :write_repository]).token' | gitlab-rails console"
+          , scopes: [:api, :read_repository, :write_repository]
+          , expires_at: 365.days.from_now).token' | gitlab-rails console"
       register: token
 
     - name: Set new gitlab token
@@ -244,21 +245,21 @@
     state: "{{ dsc.proxy.enabled | ternary('present', 'absent') }}"
     variables:
       - name: "HTTP_PROXY"
-        value: "{{ dsc.proxy.http_proxy }}"
+        value: "{{ dsc.proxy.http_proxy | default ('') }}"
       - name: "HTTPS_PROXY"
-        value: "{{ dsc.proxy.https_proxy }}"
+        value: "{{ dsc.proxy.https_proxy | default ('') }}"
       - name: "NO_PROXY"
-        value: "{{ dsc.proxy.no_proxy }}"
+        value: "{{ dsc.proxy.no_proxy | default ('') }}"
       - name: "PROXY_HOST"
-        value: "{{ dsc.proxy.host }}"
+        value: "{{ dsc.proxy.host | default ('') }}"
       - name: "PROXY_PORT"
-        value: "{{ dsc.proxy.port }}"
+        value: "{{ dsc.proxy.port | default ('') }}"
       - name: "http_proxy"
-        value: "{{ dsc.proxy.http_proxy }}"
+        value: "{{ dsc.proxy.http_proxy | default ('') }}"
       - name: "https_proxy"
-        value: "{{ dsc.proxy.https_proxy }}"
+        value: "{{ dsc.proxy.https_proxy | default ('') }}"
       - name: "no_proxy"
-        value: "{{ dsc.proxy.no_proxy }}"
+        value: "{{ dsc.proxy.no_proxy | default ('') }}"
 
 - name: "Set or update CA_BUNDLE variable"
   community.general.gitlab_group_variable:

roles/gitlab/templates/gitlab-instance.yaml.j2

@@ -80,10 +80,15 @@ global:
 {% endfor %}
     class: none
     configureCertmanager: false
+{% if dsc.ingress.tls.type == 'none' %}
+    tls:
+      enabled: false
+{% else %}
     tls:
       enabled: true
 {% if dsc.ingress.tls.type == 'tlsSecret' %}
       secretName: {{ dsc.ingress.tls.tlsSecret.name }}
+{% endif %}
 {% endif %}
   extraEnv:
 {% if dsc.proxy.enabled %}

roles/harbor/templates/values.yaml.j2

@@ -2,17 +2,21 @@ expose:
   imagePullPolicy: IfNotPresent
   type: ingress
   tls:
+  {% if dsc.ingress.tls.type != 'none' %}
     enabled: true
-{% if dsc.ingress.tls.type == 'tlsSecret' %}
+  {% else %}
+    enabled: false
+    {% if dsc.ingress.tls.type == 'tlsSecret' %}
     certSource: secret
     secret:
       secretName: {{ dsc.ingress.tls.tlsSecret.name }}
       notarySecretName: {{ dsc.ingress.tls.tlsSecret.name }}-notary
-{% else %}
+    {% else %}
     certSource: secret
     secret:
       secretName: harbor-ingress
       notarySecretName: harbor-ingress-notary
+    {% endif %}
 {% endif %}
   ingress:
     hosts:
@@ -40,6 +44,9 @@ externalURL: https://{{ harbor_domain }}
 persistence:
   enabled: true
   resourcePolicy: keep
+  persistentVolumeClaim:
+    registry:
+      size: "{{ dsc.harbor.pvcRegistrySize }}"
 harborAdminPassword: "{{ dsc.harbor.adminPassword }}"
 {% if dsc.proxy.enabled %}
 proxy:

roles/keycloak/tasks/client.yaml

@@ -29,7 +29,6 @@
     clientId: "{{ item.clientId }}"
   register: kc_clients_secrets
 
-- debug: var=kc_clients_secrets
 - name: Set Keycloak clients secrets in Keycloak namespace
   when: item.clientAuthenticatorType is defined and item.clientAuthenticatorType == 'client-secret'
   kubernetes.core.k8s:
@@ -57,4 +56,4 @@
       metadata:
         name: "keycloak-client-secret-{{ item.clientId }}"
         namespace: "{{ dsc.keycloak.namespace }}"
-      type: Opaque
+      type: Opaque

roles/keycloak/tasks/main.yml

@@ -42,7 +42,6 @@
   delay: 5
 
 - name: Get Keycloak admin password secret
-  no_log: true
   kubernetes.core.k8s_info:
     namespace: "{{ dsc.keycloak.namespace }}"
     kind: Secret
@@ -51,7 +50,6 @@
 
 - name: Set Keycloak admin password secret
   when: kc_adm_pass_secret.resources | length == 0
-  no_log: true
   kubernetes.core.k8s:
     state: present
     definition:
@@ -98,21 +96,18 @@
   delay: 5
 
 - name: Get Keycloak admin password
-  no_log: true
   kubernetes.core.k8s_info:
     namespace: "{{ dsc.keycloak.namespace }}"
     kind: Secret
     name: "keycloak"
   register: kc_adm_pass
 
 - name: Set Keycloak admin credentials facts
-  no_log: true
   ansible.builtin.set_fact:
     keycloak_admin_password: "{{ kc_adm_pass.resources[0].data['admin-password']|b64decode }}"
     keycloak_admin: "admin"
 
 - name: Update console inventory
-  no_log: true
   kubernetes.core.k8s:
     kind: ConfigMap
     name: dso-config
@@ -124,7 +119,6 @@
         KEYCLOAK_ADMIN: "{{ keycloak_admin }}"
 
 - name: Get Keycloak API token
-  no_log: true
   ansible.builtin.uri:
     url: "https://{{ keycloak_domain }}/realms/master/protocol/openid-connect/token"
     method: POST
@@ -135,12 +129,10 @@
   register: kc_token
 
 - name: Set kc_access_token fact
-  no_log: true
   ansible.builtin.set_fact:
     kc_access_token: "{{ kc_token.json.access_token }}"
 
 - name: Get keycloak realms from API
-  no_log: true
   ansible.builtin.uri:
     url: "https://{{ keycloak_domain }}/admin/realms"
     method: GET
@@ -154,7 +146,6 @@
 
 - name: Create dso realm
   when: kc_realms.json | selectattr('realm', 'equalto', 'dso') | length == 0
-  no_log: true
   community.general.keycloak_realm:
     validate_certs: "{{ dsc.exposedCA.type == 'none' }}"
     auth_client_id: admin-cli
@@ -169,7 +160,6 @@
     enabled: true
 
 - name: Get keycloak dso realm users from API
-  no_log: true
   ansible.builtin.uri:
     url: "https://{{ keycloak_domain }}/admin/realms/dso/users"
     method: GET
@@ -182,7 +172,6 @@
   register: kc_dso_users
 
 - name: Find dso admin secret
-  no_log: true
   kubernetes.core.k8s_info:
     namespace: "{{ dsc.keycloak.namespace }}"
     kind: Secret
@@ -191,7 +180,6 @@
 
 - name: Create dso admin secret and user
   when: (dso_admin_secret.resources | length == 0) or (kc_dso_users.json | selectattr('username', 'equalto', dso_admin_secret.resources[0].data.ADMIN_USER|b64decode) | length == 0)
-  no_log: true
   block:
     - name: Generate admin user password
       ansible.builtin.set_fact:
@@ -244,7 +232,6 @@
 #        force: true  ## Ne fontionne pas quand user supprimé via la GUI et tâche relancée.
 
 - name: Get dso keycloak client scopes from API
-  no_log: true
   ansible.builtin.uri:
     url: "https://{{ keycloak_domain }}/admin/realms/dso/client-scopes"
     method: GET
@@ -258,7 +245,6 @@
 
 - name: Create generic keycloak client scope
   when: kc_client_scopes.json | selectattr('name', 'equalto', 'generic') | length == 0
-  no_log: true
   community.general.keycloak_clientscope:
     validate_certs: "{{ dsc.exposedCA.type == 'none' }}"
     auth_client_id: admin-cli
@@ -282,7 +268,6 @@
   with_items: "{{ keycloak_clients }}"
 
 - name: Create base admins groups
-  no_log: true
   community.general.keycloak_group:
     validate_certs: "{{ dsc.exposedCA.type == 'none' }}"
     auth_client_id: admin-cli

roles/keycloak/templates/values.yaml.j2

@@ -1,4 +1,5 @@
 image:
+  registry: docker.io
   pullPolicy: "IfNotPresent"
 
 auth:
@@ -15,16 +16,12 @@ proxy: "edge"
 
 httpRelativePath: "/"
 
-initContainers: "[]"
-
 configuration: ""
 
 existingConfigmap: ""
 
 extraStartupArgs: ""
 
-initdbScripts: ""
-
 initdbScriptsConfigMap: ""
 
 command: []
@@ -60,7 +57,7 @@ podSecurityContext:
 containerSecurityContext:
   enabled: false
 
-  resources:
+resources:
   limits:
     memory: "2048Mi"
   requests:
@@ -123,19 +120,21 @@ ingress:
   servicePort: "http"
   annotations:
     route.openshift.io/termination: "edge"
-{% for key, val in dsc.ingress.annotations.items() %}
-    {{ key }}: "{{ val }}"
-{% endfor %}
   labels: 
     app: "keycloak"
 {% for key, val in dsc.ingress.labels.items() %}
     {{ key }}: "{{ val }}"
 {% endfor %}
   tls: true
+{% if dsc.ingress.tls.type == "tlsSecret" %}
   selfSigned: false
   extraHosts: []
   extraPaths: []
-  extraTls: []
+  extraTls:
+    - hosts:
+       - "{{ keycloak_domain }}"
+      secretName: "{{ dsc.ingress.tls.tlsSecret.name }}"
+{% endif %}
   secrets: []
   extraRules: []
 
@@ -211,4 +210,4 @@ cache:
 
 logging:
   output: "default"
-  level: "INFO"
+  level: "INFO"