Add 'common/' from commit '4d0774c9ae9a76b13f0c51135bb625a26389cd99'

git-subtree-dir: common
git-subtree-mainline: f0abca4
git-subtree-split: 4d0774c

Author: Martin Jackson

common/.ansible-lint

@@ -0,0 +1,20 @@
+# Vim filetype=yaml
+---
+offline: false
+skip_list:
+  - name[template] # Allow Jinja templating inside task and play names
+  - template-instead-of-copy # Templated files should use template instead of copy
+  - yaml[line-length] # too long lines
+  - yaml[indentation] # Forcing lists to be always indented by 2 chars is silly IMO
+  - var-naming[no-role-prefix] # This would be too much churn for very little gain
+  - no-changed-when
+  - var-naming[no-role-prefix] # There are too many changes now and it would be too risky
+
+# ansible-lint gh workflow cannot find ansible.cfg hence fails to import vault_utils role
+exclude_paths:
+  - ./ansible/playbooks/vault/vault.yaml
+  - ./ansible/playbooks/iib-ci/iib-ci.yaml
+  - ./ansible/playbooks/k8s_secrets/k8s_secrets.yml
+  - ./ansible/playbooks/process_secrets/process_secrets.yml
+  - ./ansible/playbooks/process_secrets/display_secrets_info.yml
+  - ./ansible/roles/vault_utils/tests/test.yml

common/.github/dependabot.yml

@@ -0,0 +1,9 @@
+---
+version: 2
+updates:
+  # Check for updates to GitHub Actions every week
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+

common/.github/linters/.gitleaks.toml

@@ -0,0 +1,8 @@
+[whitelist]
+# As of v4, gitleaks only matches against filename, not path in the
+# files directive.  Leaving content for backwards compatibility.
+files = [
+  "ansible/plugins/modules/*.py",
+  "ansible/tests/unit/test_*.py",
+  "ansible/tests/unit/v1/*.yaml",
+]

common/.github/linters/.markdown-lint.yml

@@ -0,0 +1,6 @@
+{
+    "default": true,
+    "MD003": false,
+    "MD013": false,
+    "MD033": false
+}

common/.github/workflows/ansible-lint.yml

@@ -0,0 +1,17 @@
+name: Ansible Lint # feel free to pick your own name
+
+on: [push, pull_request]
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+      # Important: This sets up your GITHUB_WORKSPACE environment variable
+      - uses: actions/checkout@v4
+
+      - name: Lint Ansible Playbook
+        uses: ansible/ansible-lint-action@v6
+        # Let's point it to the path
+        with:
+          path: "ansible/"

common/.github/workflows/ansible-unittest.yml

@@ -0,0 +1,52 @@
+---
+name: Ansible unit tests
+
+#
+# Documentation:
+# https://help.github.com/en/articles/workflow-syntax-for-github-actions
+#
+
+#############################
+# Start the job on all push #
+#############################
+on: [push, pull_request]
+
+###############
+# Set the Job #
+###############
+jobs:
+  ansible_unittests:
+    # Name the Job
+    name: Ansible unit tests
+    strategy:
+      matrix:
+        python-version: [3.11.3]
+    # Set the agent to run on
+    runs-on: ubuntu-latest
+
+    ##################
+    # Load all steps #
+    ##################
+    steps:
+      ##########################
+      # Checkout the code base #
+      ##########################
+      - name: Checkout Code
+        uses: actions/checkout@v4
+        with:
+          # Full git history is needed to get a proper list of changed files within `super-linter`
+          fetch-depth: 0
+
+      - name: Set up Python ${{ matrix.python-version }}
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ matrix.python-version }}
+
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install pytest ansible
+
+      - name: Run make ansible-unittest
+        run: |
+          make ansible-unittest

common/.github/workflows/chart-branches.yml

@@ -0,0 +1,118 @@
+---
+name: Create per-chart branches
+
+# We only run this job on the charts that will be later moved to full blown charts
+# We also want to run the subtree comand only for the charts that have been actually changed
+# because git subtree split is a bit of an expensive operation
+# github actions do not support yaml anchors so there is more duplication than usual
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - 'acm/**'
+      - 'golang-external-secrets/**'
+      - 'hashicorp-vault/**'
+      - 'letsencrypt/**'
+      - 'clustergroup/**'
+
+jobs:
+  changes:
+    name: Figure out per-chart changes
+    if: github.repository == 'validatedpatterns/common'
+    runs-on: ubuntu-latest
+    permissions: read-all
+    outputs:
+      acm: ${{ steps.filter.outputs.acm }}
+      golang-external-secrets: ${{ steps.filter.outputs.golang-external-secrets }}
+      hashicorp-vault: ${{ steps.filter.outputs.hashicorp-vault }}
+      letsencrypt: ${{ steps.filter.outputs.letsencrypt }}
+      clustergroup: ${{ steps.filter.outputs.clustergroup }}
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v4
+
+      - uses: dorny/paths-filter@v3
+        id: filter
+        with:
+          filters: |
+            acm:
+              - 'acm/**'
+            golang-external-secrets:
+              - 'golang-external-secrets/**'
+            hashicorp-vault:
+              - 'hashicorp-vault/**'
+            letsencrypt:
+              - 'letsencrypt/**'
+            clustergroup:
+              - 'clustergroup/**'
+
+  acm:
+    needs: changes
+    if: |
+      ${{ needs.changes.outputs.acm == 'true' }} &&
+      github.repository == 'validatedpatterns/common'
+    uses: validatedpatterns/common/.github/workflows/chart-split.yml@main
+    permissions:
+      actions: write
+      contents: write
+    with:
+      chart_name: acm
+      target_repository: validatedpatterns/acm-chart
+    secrets: inherit
+
+  golang-external-secrets:
+    needs: changes
+    if: |
+      ${{ needs.changes.outputs.golang-external-secrets == 'true' }} &&
+      github.repository == 'validatedpatterns/common'
+    uses: validatedpatterns/common/.github/workflows/chart-split.yml@main
+    permissions:
+      actions: write
+      contents: write
+    with:
+      chart_name: golang-external-secrets
+      target_repository: validatedpatterns/golang-external-secrets-chart
+    secrets: inherit
+
+  hashicorp-vault:
+    needs: changes
+    if: |
+      ${{ needs.changes.outputs.hashicorp-vault == 'true' }} &&
+      github.repository == 'validatedpatterns/common'
+    uses: validatedpatterns/common/.github/workflows/chart-split.yml@main
+    permissions:
+      actions: write
+      contents: write
+    with:
+      chart_name: hashicorp-vault
+      target_repository: validatedpatterns/hashicorp-vault-chart
+    secrets: inherit
+
+  letsencrypt:
+    needs: changes
+    if: |
+      ${{ needs.changes.outputs.letsencrypt == 'true' }} &&
+      github.repository == 'validatedpatterns/common'
+    uses: validatedpatterns/common/.github/workflows/chart-split.yml@main
+    permissions:
+      actions: write
+      contents: write
+    with:
+      chart_name: letsencrypt
+      target_repository: validatedpatterns/letsencrypt-chart
+    secrets: inherit
+
+  clustergroup:
+    needs: changes
+    if: |
+      ${{ needs.changes.outputs.clustergroup == 'true' }} &&
+      github.repository == 'validatedpatterns/common'
+    uses: validatedpatterns/common/.github/workflows/chart-split.yml@main
+    permissions:
+      actions: write
+      contents: write
+    with:
+      chart_name: clustergroup
+      target_repository: validatedpatterns/clustergroup-chart
+    secrets: inherit

common/.github/workflows/chart-split.yml

@@ -0,0 +1,38 @@
+---
+name: Split into chart repo branches
+
+on:
+  workflow_call:
+    inputs:
+      chart_name:
+        required: true
+        type: string
+      target_repository:
+        required: true
+        type: string
+
+jobs:
+  split_chart:
+    runs-on: ubuntu-latest
+    permissions:
+      actions: write
+      contents: write
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          token: ${{ secrets.CHARTS_REPOS_TOKEN }}
+
+      - name: Run git subtree split and push
+        env:
+          GITHUB_TOKEN: ${{ secrets.CHARTS_REPOS_TOKEN }}
+        run: |
+          set -e
+          N="${{ inputs.chart_name }}"
+          B="${N}-main-single-chart"
+          git push origin -d "${B}" || /bin/true
+          git subtree split -P "${N}" -b "${B}"
+          git push -f -u origin "${B}"
+          #git clone https://validatedpatterns:${GITHUB_TOKEN}@github.com/validatedpatterns/common.git -b "acm-main-single-chart" --single-branch
+          git push --force https://validatedpatterns:"${GITHUB_TOKEN}"@github.com/${{ inputs.target_repository }}.git "${B}:main"

common/.github/workflows/jsonschema.yaml

@@ -0,0 +1,57 @@
+---
+name: Verify json schema
+
+#
+# Documentation:
+# https://help.github.com/en/articles/workflow-syntax-for-github-actions
+#
+
+#############################
+# Start the job on all push #
+#############################
+on: [push, pull_request]
+
+###############
+# Set the Job #
+###############
+jobs:
+  jsonschema_tests:
+    # Name the Job
+    name: Json Schema tests
+    strategy:
+      matrix:
+        python-version: [3.11.3]
+    # Set the agent to run on
+    runs-on: ubuntu-latest
+
+    ##################
+    # Load all steps #
+    ##################
+    steps:
+      ##########################
+      # Checkout the code base #
+      ##########################
+      - name: Checkout Code
+        uses: actions/checkout@v4
+        with:
+          # Full git history is needed to get a proper list of changed files within `super-linter`
+          fetch-depth: 0
+
+      - name: Set up Python ${{ matrix.python-version }}
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ matrix.python-version }}
+
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install check-jsonschema
+
+      - name: Verify secrets json schema
+        run: |
+          check-jsonschema --schemafile ./ansible/roles/vault_utils/values-secrets.v1.schema.json examples/secrets/values-secret.v1.yaml
+          check-jsonschema --schemafile ./ansible/roles/vault_utils/values-secrets.v2.schema.json examples/secrets/values-secret.v2.yaml
+
+      - name: Verify ClusterGroup values.schema.json
+        run: |
+          set -e; for i in examples/*yaml; do echo "$i"; check-jsonschema --schemafile ./clustergroup/values.schema.json "$i"; done