common automatic update

.github/workflows/linter.yml

@@ -29,10 +29,11 @@ jobs:
       # Checkout the code base #
       ##########################
       - name: Checkout Code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           # Full git history is needed to get a proper list of changed files within `super-linter`
           fetch-depth: 0
+
       - name: Setup helm
         uses: azure/setup-helm@v3
         # with:

.github/workflows/superlinter.yml

@@ -12,7 +12,7 @@ jobs:
 
     steps:
       - name: Checkout Code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           # Full git history is needed to get a proper list of changed files within `super-linter`
           fetch-depth: 0

common/.github/workflows/ansible-lint.yml

@@ -8,7 +8,7 @@ jobs:
 
     steps:
       # Important: This sets up your GITHUB_WORKSPACE environment variable
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
       - name: Lint Ansible Playbook
         uses: ansible/ansible-lint-action@v6

common/.github/workflows/ansible-unittest.yml

@@ -32,7 +32,7 @@ jobs:
       # Checkout the code base #
       ##########################
       - name: Checkout Code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           # Full git history is needed to get a proper list of changed files within `super-linter`
           fetch-depth: 0

common/.github/workflows/chart-branches.yml

@@ -0,0 +1,118 @@
+---
+name: Create per-chart branches
+
+# We only run this job on the charts that will be later moved to full blown charts
+# We also want to run the subtree comand only for the charts that have been actually changed
+# because git subtree split is a bit of an expensive operation
+# github actions do not support yaml anchors so there is more duplication than usual
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - 'acm/**'
+      - 'golang-external-secrets/**'
+      - 'hashicorp-vault/**'
+      - 'letsencrypt/**'
+      - 'clustergroup/**'
+
+jobs:
+  changes:
+    name: Figure out per-chart changes
+    if: github.repository == 'validatedpatterns/common'
+    runs-on: ubuntu-latest
+    permissions: read-all
+    outputs:
+      acm: ${{ steps.filter.outputs.acm }}
+      golang-external-secrets: ${{ steps.filter.outputs.golang-external-secrets }}
+      hashicorp-vault: ${{ steps.filter.outputs.hashicorp-vault }}
+      letsencrypt: ${{ steps.filter.outputs.letsencrypt }}
+      clustergroup: ${{ steps.filter.outputs.clustergroup }}
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v4
+
+      - uses: dorny/paths-filter@v2
+        id: filter
+        with:
+          filters: |
+            acm:
+              - 'acm/**'
+            golang-external-secrets:
+              - 'golang-external-secrets/**'
+            hashicorp-vault:
+              - 'hashicorp-vault/**'
+            letsencrypt:
+              - 'letsencrypt/**'
+            clustergroup:
+              - 'clustergroup/**'
+
+  acm:
+    needs: changes
+    if: |
+      ${{ needs.changes.outputs.acm == 'true' }} &&
+      github.repository == 'validatedpatterns/common'
+    uses: validatedpatterns/common/.github/workflows/chart-split.yml@main
+    permissions:
+      actions: write
+      contents: write
+    with:
+      chart_name: acm
+      target_repository: validatedpatterns/acm-chart
+    secrets: inherit
+
+  golang-external-secrets:
+    needs: changes
+    if: |
+      ${{ needs.changes.outputs.golang-external-secrets == 'true' }} &&
+      github.repository == 'validatedpatterns/common'
+    uses: validatedpatterns/common/.github/workflows/chart-split.yml@main
+    permissions:
+      actions: write
+      contents: write
+    with:
+      chart_name: golang-external-secrets
+      target_repository: validatedpatterns/golang-external-secrets-chart
+    secrets: inherit
+
+  hashicorp-vault:
+    needs: changes
+    if: |
+      ${{ needs.changes.outputs.hashicorp-vault == 'true' }} &&
+      github.repository == 'validatedpatterns/common'
+    uses: validatedpatterns/common/.github/workflows/chart-split.yml@main
+    permissions:
+      actions: write
+      contents: write
+    with:
+      chart_name: hashicorp-vault
+      target_repository: validatedpatterns/hashicorp-vault-chart
+    secrets: inherit
+
+  letsencrypt:
+    needs: changes
+    if: |
+      ${{ needs.changes.outputs.letsencrypt == 'true' }} &&
+      github.repository == 'validatedpatterns/common'
+    uses: validatedpatterns/common/.github/workflows/chart-split.yml@main
+    permissions:
+      actions: write
+      contents: write
+    with:
+      chart_name: letsencrypt
+      target_repository: validatedpatterns/letsencrypt-chart
+    secrets: inherit
+
+  clustergroup:
+    needs: changes
+    if: |
+      ${{ needs.changes.outputs.clustergroup == 'true' }} &&
+      github.repository == 'validatedpatterns/common'
+    uses: validatedpatterns/common/.github/workflows/chart-split.yml@main
+    permissions:
+      actions: write
+      contents: write
+    with:
+      chart_name: clustergroup
+      target_repository: validatedpatterns/clustergroup-chart
+    secrets: inherit

common/.github/workflows/chart-split.yml

@@ -0,0 +1,38 @@
+---
+name: Split into chart repo branches
+
+on:
+  workflow_call:
+    inputs:
+      chart_name:
+        required: true
+        type: string
+      target_repository:
+        required: true
+        type: string
+
+jobs:
+  split_chart:
+    runs-on: ubuntu-latest
+    permissions:
+      actions: write
+      contents: write
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          token: ${{ secrets.CHARTS_REPOS_TOKEN }}
+
+      - name: Run git subtree split and push
+        env:
+          GITHUB_TOKEN: ${{ secrets.CHARTS_REPOS_TOKEN }}
+        run: |
+          set -e
+          N="${{ inputs.chart_name }}"
+          B="${N}-main-single-chart"
+          git push origin -d "${B}" || /bin/true
+          git subtree split -P "${N}" -b "${B}"
+          git push -f -u origin "${B}"
+          #git clone https://validatedpatterns:${GITHUB_TOKEN}@github.com/validatedpatterns/common.git -b "acm-main-single-chart" --single-branch
+          git push --force https://validatedpatterns:"${GITHUB_TOKEN}"@github.com/${{ inputs.target_repository }}.git "${B}:main"

common/.github/workflows/jsonschema.yaml

@@ -32,7 +32,7 @@ jobs:
       # Checkout the code base #
       ##########################
       - name: Checkout Code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           # Full git history is needed to get a proper list of changed files within `super-linter`
           fetch-depth: 0

common/.github/workflows/linter.yml

@@ -29,15 +29,15 @@ jobs:
       # Checkout the code base #
       ##########################
       - name: Checkout Code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           # Full git history is needed to get a proper list of changed files within `super-linter`
           fetch-depth: 0
       - name: Setup helm
         uses: azure/setup-helm@v3
-        # with:
-        #   version: '<version>' # default is latest stable
-        id: install
+        with:
+          version: 'v3.12.3'
+
 
       ################################
       # Run Linter against code base #
@@ -56,9 +56,10 @@ jobs:
         run: |
           make helmlint
 
-      - name: Run make helm kubeconform
-        run: |
-          curl -L -O https://github.com/yannh/kubeconform/releases/download/v0.4.13/kubeconform-linux-amd64.tar.gz
-          tar xf kubeconform-linux-amd64.tar.gz
-          sudo mv -v kubeconform /usr/local/bin
-          make kubeconform
+      # For now disable this until we have a nice and simple process to update the schemas in our repo
+      # - name: Run make helm kubeconform
+      #   run: |
+      #     curl -L -O https://github.com/yannh/kubeconform/releases/download/v0.4.13/kubeconform-linux-amd64.tar.gz
+      #     tar xf kubeconform-linux-amd64.tar.gz
+      #     sudo mv -v kubeconform /usr/local/bin
+      #     make kubeconform

common/.github/workflows/superlinter.yml

@@ -12,7 +12,7 @@ jobs:
 
     steps:
       - name: Checkout Code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           # Full git history is needed to get a proper list of changed files within `super-linter`
           fetch-depth: 0

common/Changes.md

@@ -1,5 +1,9 @@
 # Changes
 
+## Aug 17, 2023
+
+* Introduced support for multisource applications via .chart + .chartVersion
+
 ## Jul 8, 2023
 
 * Introduced a default of 20 for sync failures retries in argo applications (global override via global.options.applicationRetryLimit

common/Makefile

@@ -19,8 +19,17 @@ TARGET_REPO=$(shell git ls-remote --get-url --symref $(TARGET_ORIGIN) | sed -e '
 # git branch --show-current is also available as of git 2.22, but we will use this for compatibility
 TARGET_BRANCH=$(shell git rev-parse --abbrev-ref HEAD)
 
+UUID_FILE ?= ~/.config/validated-patterns/pattern-uuid
+UUID_HELM_OPTS ?=
+
 # --set values always take precedence over the contents of -f
-HELM_OPTS=-f values-global.yaml --set main.git.repoURL="$(TARGET_REPO)" --set main.git.revision=$(TARGET_BRANCH) $(TARGET_SITE_OPT) $(EXTRA_HELM_OPTS)
+ifneq ("$(wildcard $(UUID_FILE))","")
+	UUID := $(shell cat $(UUID_FILE))
+	UUID_HELM_OPTS := --set main.analyticsUUID=$(UUID)
+endif
+
+HELM_OPTS=-f values-global.yaml --set main.git.repoURL="$(TARGET_REPO)" --set main.git.revision=$(TARGET_BRANCH) $(TARGET_SITE_OPT) $(UUID_HELM_OPTS) $(EXTRA_HELM_OPTS)
+
 
 ##@ Pattern Common Tasks
 

common/README.md

@@ -6,17 +6,17 @@
 
 This repository is never used as standalone. It is usually imported in each pattern as a subtree.
 In order to import the common/ the very first time you can use
-`https://github.com/hybrid-cloud-patterns/multicloud-gitops/blob/main/common/scripts/make_common_subtree.sh`
+`https://github.com/validatedpatterns/multicloud-gitops/blob/main/common/scripts/make_common_subtree.sh`
 
 In order to update your common subtree inside your pattern repository you can either use
-`https://github.com/hybrid-cloud-patterns/utilities/blob/main/scripts/update-common-everywhere.sh` or
+`https://github.com/validatedpatterns/utilities/blob/main/scripts/update-common-everywhere.sh` or
 do it manually by doing the following:
 
 ```sh
-git remote add -f upstream-common https://github.com/hybrid-cloud-patterns/common.git
+git remote add -f upstream-common https://github.com/validatedpatterns/common.git
 git merge -s subtree -Xtheirs -Xsubtree=common upstream-common/ha-vault
 ```
 
 ## Secrets
 
-There are two different secret formats parsed by the ansible bits. Both are documented [here](https://github.com/hybrid-cloud-patterns/common/tree/main/ansible/roles/vault_utils/README.md)
+There are two different secret formats parsed by the ansible bits. Both are documented [here](https://github.com/validatedpatterns/common/tree/main/ansible/roles/vault_utils/README.md)

common/acm/.github/workflows/update-helm-repo.yml

@@ -0,0 +1,29 @@
+# This invokes the workflow named 'publish-charts' in the umbrella repo
+# It expects to have a secret called CHARTS_REPOS_TOKEN which contains
+# the GitHub token that has permissions to invoke workflows and commit code
+# inside the umbrella-repo.
+# The following fine-grained permissions were used in testing and were limited
+# to the umbrella repo only:
+# - Actions: r/w
+# - Commit statuses: r/w
+# - Contents: r/w
+# - Deployments: r/w
+# - Pages: r/w
+
+name: vp-patterns/update-helm-repo
+on:
+  push:
+    tags:
+      - 'v[0-9]+.[0-9]+.[0-9]+'
+
+jobs:
+  helmlint:
+    uses: validatedpatterns/helm-charts/.github/workflows/helmlint.yml@main
+    permissions:
+      contents: read
+
+  update-helm-repo:
+    needs: [helmlint]
+    uses: validatedpatterns/helm-charts/.github/workflows/update-helm-repo.yml@main
+    permissions: read-all
+    secrets: inherit

common/acm/Chart.yaml

@@ -1,5 +1,5 @@
 apiVersion: v2
-description: A Helm chart to configure Advanced Cluster Manager for OpenShift
+description: A Helm chart to configure Advanced Cluster Manager for OpenShift.
 keywords:
 - pattern
 name: acm

common/acm/templates/policies/application-policies.yaml

@@ -44,6 +44,9 @@ spec:
                       ignoreMissingValueFiles: true
                       valueFiles:
                       {{- include "acm.app.policies.valuefiles" . | nindent 24 }}
+                      {{- range $valueFile := $.Values.global.extraValueFiles }}
+                      - {{ $valueFile | quote }}
+                      {{- end }}
                       {{- range $valueFile := .extraValueFiles }}
                       - {{ $valueFile | quote }}
                       {{- end }}

common/acm/values.yaml

@@ -3,6 +3,7 @@ main:
     channel: "gitops-1.8"
 
 global:
+  extraValueFiles: []
   pattern: none
   repoURL: none
   targetRevision: main

common/ansible/roles/vault_utils/README.md

@@ -42,10 +42,16 @@ This relies on [kubernetes.core](https://docs.ansible.com/ansible/latest/collect
 
 ## Values secret file format
 
-Currently this role supports two formats: version 1.0 (which is the assumed default when not specified) and version 2.0.
-The latter is more fatureful and supports generating secrets directly into the vault and also prompting the user for a secret.
-By default, the first file that will looked up is `~/.config/hybrid-cloud-patterns/values-secret-<patternname>.yaml`, then
-`~/values-secret-<patternname>.yaml` and should that not exist it will look for `~/values-secret.yaml`.
+Currently this role supports two formats: version 1.0 (which is the assumed
+default when not specified) and version 2.0. The latter is more fatureful and
+supports generating secrets directly into the vault and also prompting the user
+for a secret.
+
+By default, the first file that will looked up is
+`~/.config/hybrid-cloud-patterns/values-secret-<patternname>.yaml`, then
+`~/.config/validated-patterns/values-secret-<patternname>.yaml`,
+`~/values-secret-<patternname>.yaml` and should that not exist it will look for
+`~/values-secret.yaml`.
 The paths can be overridden by setting the environment variable `VALUES_SECRET` to the path of the
 secret file.
 

common/ansible/roles/vault_utils/tasks/push_secrets.yaml

@@ -66,6 +66,7 @@
   vars:
     findme:
       - "~/.config/hybrid-cloud-patterns/values-secret-{{ pattern_name }}.yaml"
+      - "~/.config/validated-patterns/values-secret-{{ pattern_name }}.yaml"
       - "~/values-secret-{{ pattern_name }}.yaml"
       - "~/values-secret.yaml"
       - "{{ pattern_dir }}/values-secret.yaml.template"