refactor: ♻️ installation Sonarqube via helm chart Bitnami

fix: 🐛 fix import ca from secret

fix: 👽 gitlab token needs expiration date

refactor: ⚡ avoid bad response from proxy when vault is down

fix: 🐛 keycloak tlsSecret support

refactor: 🎨 manage tls.type == none

fix: 🎨 finish variabilize argo

fix: 🐛 couldn't remove proxy vars gitlab ci

fix: 🎨 can provide harbor pvc size

fix: ⚡ remove fsGroup and runAsUser values from argocd

fix: ⚡ set sonar pg cluster replicas to 2

fix: 🐛 fix proxy vars for harbor

fix: 🐛 maven_config_file should not be configured in CI

admin-tools/get-credentials.yaml

@@ -86,6 +86,17 @@
       tags:
         - always
 
+    - ansible.builtin.set_fact:
+        dsc_default_config: "{{ lookup('ansible.builtin.file', '../roles/socle-config/files/config.yaml') | from_yaml }}"
+        dsc_default_releases: "{{ lookup('ansible.builtin.file', '../roles/socle-config/files/releases.yaml') | from_yaml }}"
+      tags:
+        - always
+
+    - ansible.builtin.set_fact:
+        dsc: "{{ dsc | combine(dsc_default_config.spec, recursive=True) | combine(dsc_default_releases.spec, recursive=True)}}"
+      tags:
+        - always
+
     - name: Get DSO config ConfigMap from DSO console namespace
       kubernetes.core.k8s_info:
         kind: ConfigMap

filter_plugins/debug.py

@@ -0,0 +1,16 @@
+def get_debug_messages(dsc):
+    messages = [
+        "--- General ---",
+        "Please ensure you have changed Nexus admin account and save it by yourself",
+    ]
+    if dsc['proxy']['enabled']:
+        messages.append("--- Proxy ---")
+        messages.append("Nexus Proxy paramaters cannot be set via API, please configure it with local admin account")
+        messages.append("(Parameter Icon) => HTTP => Proxy Settings")
+    return messages
+
+class FilterModule(object):  
+    def filters(self):    
+        return {
+            'get_debug_messages': get_debug_messages,
+        }

install.yaml

@@ -18,7 +18,7 @@
     - name: cert-manager
       tags:
         - cert-manager
-        - always
+        - cm
 
     - name: confSyncer
       tags:
@@ -28,11 +28,12 @@
     - name: cloudnativepg
       tags:
         - cloudnativepg
-        - always
+        - cnpg
 
     - name: keycloak
       tags:
         - keycloak
+        - sso
 
     - name: nexus
       tags:
@@ -41,6 +42,7 @@
     - name: sonarqube
       tags:
         - sonarqube
+        - sonar
 
     - name: gitlab
       tags:
@@ -49,9 +51,11 @@
     - name: gitlab-catalog
       tags:
         - catalog
+        - gitlab-catalog
 
     - name: gitlab-runner
       tags:
+        - runner
         - gitlab-runner
 
     - name: vault
@@ -66,6 +70,7 @@
       tags:
         - gitops
         - argocd
+        - argo
 
     - name: harbor
       tags:
@@ -76,3 +81,9 @@
       tags:
         - console
         - console-dso
+
+  post_tasks:
+    - debug:
+        msg: "{{ dsc | get_debug_messages }}"
+      tags:
+        - always

roles/argocd/templates/values.yaml.j2

@@ -1,19 +1,30 @@
+securityContext: &securityContext
+  containerSecurityContext:
+    runAsUser: null
+  podSecurityContext:
+    fsGroup: null
 # TODO variabilize openshift boolean
 openshift:
   enabled: true
 image:
   PullPolicy: IfNotPresent
 config:
+{% if dsc.argocd.admin.enabled %}
   secret:
     argocdServerAdminPassword: "{{ dsc.argocd.admin.password }}"
+{% endif %}
 {% if dsc.exposedCA != 'none' %}
   tlsCerts:
     {{ gitlab_domain }}: |
       {{ exposed_ca_pem | indent(width=6, first=False) }}
 {% endif %}
+controller:
+  <<: *securityContext
 dex:
+  <<: *securityContext
   enabled: true
 server:
+  <<: *securityContext
   insecure: true
   config:
     clusterResources: "true"
@@ -29,7 +40,7 @@ server:
         {{ exposed_ca_pem | indent(width=8, first=False) }}
 {% endif %}
     users.anonymous.enabled: "false"
-    admin.enabled: "false" # TODO variabilize
+    admin.enabled: "{{ dsc.argocd.admin.enabled }}"
     kustomize.buildOptions: "--enable-helm"
     resource.exclusions: |
       - apiGroups:
@@ -49,6 +60,7 @@ server:
       value: "{{ dsc.proxy.no_proxy }},argo-argo-cd-repo-server"
 {% endif %}
 repoServer:
+  <<: *securityContext
   extraEnvVars:
 {% if dsc.proxy.enabled %}
     - name: HTTP_PROXY

roles/ca/tasks/exposed_ca.yaml

@@ -22,14 +22,14 @@
   block:
     - name: Get secret
       kubernetes.core.k8s_info:
-        name: "{{ dsc.exposedCA.configmap.name }}"
-        namespace: "{{ dsc.exposedCA.configmap.namespace }}"
+        name: "{{ dsc.exposedCA.secret.name }}"
+        namespace: "{{ dsc.exposedCA.secret.namespace }}"
         kind: Secret
       register: exposed_ca_resource
 
     - name: Extract key
       ansible.builtin.set_fact:
-        exposed_ca_pem: "{{ exposed_ca_resource.resources[0].data[dsc.exposedCA.configmap.key] | b64decode }}"
+        exposed_ca_pem: "{{ exposed_ca_resource.resources[0].data[dsc.exposedCA.secret.key] | b64decode }}"
 
 - name: Exposed_ca (certmanager)
   when: dsc.exposedCA.type == 'certmanager'

roles/console-dso/templates/app.yaml.j2

@@ -64,6 +64,10 @@ spec:
 {% if dsc.ingress.tls.type == 'tlsSecret' %}
         - name: ingress.tls.secretName
           value: {{ dsc.ingress.tls.tlsSecret.name }}
+{% endif %}
+{% if dsc.ingress.tls.type == 'none' %}
+        - name: ingress.tls.enabled
+          value: "false"
 {% endif %}
   syncPolicy:
     automated: {}

roles/gitlab/tasks/main.yaml

@@ -1,3 +1,9 @@
+- ansible.builtin.set_fact:
+    vault_auth_path: "jwt"
+    vault_auth_role: "default-ci"
+    npm_file: "{{ lookup('file', '{{ playbook_dir }}/roles/gitlab/npm_file') }}"
+    mvn_config_file: "{{ lookup('ansible.builtin.template', 'mvn_conf_file.j2') }}"
+
 - name: Install gitlab subscription
   kubernetes.core.k8s:
     template: "{{ item }}"
@@ -149,7 +155,8 @@
         command: >
           bash -c "echo 'PersonalAccessToken.create!(user_id: 1
           , name: \"ANSIBLE-DSO\"
-          , scopes: [:api, :read_repository, :write_repository]).token' | gitlab-rails console"
+          , scopes: [:api, :read_repository, :write_repository]
+          , expires_at: 365.days.from_now).token' | gitlab-rails console"
       register: token
 
     - name: Set new gitlab token
@@ -244,21 +251,21 @@
     state: "{{ dsc.proxy.enabled | ternary('present', 'absent') }}"
     variables:
       - name: "HTTP_PROXY"
-        value: "{{ dsc.proxy.http_proxy }}"
+        value: "{{ dsc.proxy.http_proxy | default ('') }}"
       - name: "HTTPS_PROXY"
-        value: "{{ dsc.proxy.https_proxy }}"
+        value: "{{ dsc.proxy.https_proxy | default ('') }}"
       - name: "NO_PROXY"
-        value: "{{ dsc.proxy.no_proxy }}"
+        value: "{{ dsc.proxy.no_proxy | default ('') }}"
       - name: "PROXY_HOST"
-        value: "{{ dsc.proxy.host }}"
+        value: "{{ dsc.proxy.host | default ('') }}"
       - name: "PROXY_PORT"
-        value: "{{ dsc.proxy.port }}"
+        value: "{{ dsc.proxy.port | default ('') }}"
       - name: "http_proxy"
-        value: "{{ dsc.proxy.http_proxy }}"
+        value: "{{ dsc.proxy.http_proxy | default ('') }}"
       - name: "https_proxy"
-        value: "{{ dsc.proxy.https_proxy }}"
+        value: "{{ dsc.proxy.https_proxy | default ('') }}"
       - name: "no_proxy"
-        value: "{{ dsc.proxy.no_proxy }}"
+        value: "{{ dsc.proxy.no_proxy | default ('') }}"
 
 - name: "Set or update CA_BUNDLE variable"
   community.general.gitlab_group_variable:

roles/gitlab/templates/gitlab-instance.yaml.j2

@@ -80,10 +80,15 @@ global:
 {% endfor %}
     class: none
     configureCertmanager: false
+{% if dsc.ingress.tls.type == 'none' %}
+    tls:
+      enabled: false
+{% else %}
     tls:
       enabled: true
 {% if dsc.ingress.tls.type == 'tlsSecret' %}
       secretName: {{ dsc.ingress.tls.tlsSecret.name }}
+{% endif %}
 {% endif %}
   extraEnv:
 {% if dsc.proxy.enabled %}

roles/gitlab/templates/mvn_conf_file.j2

@@ -0,0 +1,64 @@
+<settings>
+  <servers>
+    <server>
+      <id>mirror-dso</id>
+      <username>$${env.NEXUS_USERNAME}</username>
+      <password>$${env.NEXUS_PASSWORD}</password>
+    </server>
+    <server>
+      <id>nexus</id>
+      <username>$${env.NEXUS_USERNAME}</username>
+      <password>$${env.NEXUS_PASSWORD}</password>
+    </server>
+  </servers>
+  <mirrors>
+    <mirror>
+      <id>mirror-dso</id>
+      <name>mirror-dso</name>
+      <url>https://{{ nexus_domain }}/repository/$${env.PROJECT_PATH}-repository-group/</url>
+      <mirrorOf>*</mirrorOf>
+    </mirror>
+    <mirror>
+      <id>nexus</id>
+      <name>nexus</name>
+      <url>https://{{ nexus_domain }}/repository/maven-public/</url>
+      <mirrorOf>*</mirrorOf>
+    </mirror>
+    <mirror>
+      <id>mirror-dso</id>
+      <name>mirror-dso</name>
+      <url>https://{{ nexus_domain }}/repository/public/</url>
+      <mirrorOf>*</mirrorOf>
+    </mirror>
+  </mirrors>
+  <profiles>
+    <profile>
+      <id>generic-user</id>
+      <repositories>
+        <repository>
+          <id>nexus</id>
+          <url>https://{{ nexus_domain }}/repository/$${env.PROJECT_PATH}-repository-group/</url>
+          <releases>
+            <enabled>true</enabled>
+          </releases>
+          <snapshots>
+            <enabled>true</enabled>
+          </snapshots>
+        </repository>
+      </repositories>
+    </profile>
+  </profiles>
+{% if dsc.proxy.enabled %}
+  <proxies>
+    <proxy>
+      <id>default</id>
+      <active>true</active>
+      <host>{{ dsc.proxy.host }}</host>
+      <port>{{ dsc.proxy.port }}</port>
+    </proxy>
+  </proxies>
+{% endif %}
+  <activeProfiles>
+    <activeProfile>generic-user</activeProfile>
+  </activeProfiles>
+</settings>