Merge branch 'main' into DMED-119-integration-of-search-environment

.github/workflows/clean_workflow.yml

@@ -126,6 +126,8 @@ jobs:
           kubectl --kubeconfig=files/config --namespace $branch_identifier patch job/pg-deletion-job -p '{"spec":{"suspend":false}}' || echo "::warning::Couldn't clean up the postgres databases "
           kubectl --kubeconfig=files/config --namespace $branch_identifier delete --ignore-not-found=true --all=true ScaledObject
           kubectl --kubeconfig=files/config --namespace $branch_identifier delete --ignore-not-found=true --all=true TriggerAuthentication
+          kubectl --kubeconfig=files/config --namespace $branch_identifier delete --ignore-not-found=true --all=true ExternalSecret
+          kubectl --kubeconfig=files/config --namespace $branch_identifier delete --ignore-not-found=true --all=true SecretStore
           kubectl --kubeconfig=files/config --namespace $branch_identifier wait --for=delete pod/pg-deletion-job --timeout=180s || echo "::warning::Couldn't clean up the postgres databases "
           kubectl --kubeconfig=files/config --namespace $branch_identifier delete --ignore-not-found=true --all=true OnePasswordItem
           kubectl --kubeconfig=files/config delete --ignore-not-found=true ns $branch_identifier

README.md

@@ -55,6 +55,8 @@ namespace _lifecycle_:
 - you may also get more than 2 days, but don't make that your default action, think about the trees 🌳
 
 ### extend activation time by adding a label to your pr:
+⚠️ **Important: The auto-extend-activation-time label should only be used when absolutely necessary, such as when you need to activate the namespace for e2e tests.** Avoid using it as a precautionary measure to prevent unnecessary rollouts and resource consumption.
+
 This method is effective for each unique PR. If you have multiple PRs from the same branch across various repositories, you only need to apply this setting once.
 1. Navigate to the PR you wish to automatically extend its namespace's activation time.
 2. Apply the `auto-extend-activation-time` label to the PR. This action will also initiate a new rollout.

ansible/group_vars/all/external-secrets.yml

@@ -0,0 +1,6 @@
+EXTERNAL_SECRETS_OPERATOR: false
+EXTERNAL_SECRETS_K8S_STORE: k8s-store
+EXTERNAL_SECRETS_POSTFIX: ""
+EXTERNAL_SECRETS_REFRESH_INTERVAL: "1m"
+EXTERNAL_SECRETS_NAMESPACE: external-secrets
+EXTERNAL_SECRETS_TOKEN_SECRET: external-secrets-k8s-store-token

ansible/group_vars/all/instance_config_all.yml

@@ -3,7 +3,7 @@
 
 ROCKET_CHAT_URI: "http://rocketchat-svc:5000"
 CALENDAR_URI: "http://calendar-svc:3000"
-NEST_LOG_LEVEL: "info"
+NEST_LOG_LEVEL: "error"
 
 # Identity Management
 FEATURE_IDENTITY_MANAGEMENT_ENABLED: "true"

ansible/group_vars/all/mongodb.yml

@@ -0,0 +1 @@
+MONGO_MANAGEMENT_PREFIX: ""

ansible/group_vars/all/with.yml

@@ -5,6 +5,7 @@ WITH_TSP: false
 WITH_MONGO_DATABASES: false
 WITH_POSTGRES_DATABASES: false
 WITH_BRANCH_POSTGRES_DB_MANAGEMENT: false
+WITH_BRANCH_MONGO_DB_MANAGEMENT: false
 WITH_SCHULCLOUD_INIT: false
 WITH_CALENDAR_INIT: false
 WITH_OIDCMOCK: false

ansible/group_vars/develop/mongodb.yml

@@ -0,0 +1,2 @@
+# Add prefix if namespace begins with number (consitent with postgres), replace - with _ and trim
+MONGO_MANAGEMENT_PREFIX: "{{ (NAMESPACE | regex_replace('^(\\d.+)', 'release_\\1') | replace('-','_'))[:40] }}__"

ansible/group_vars/develop/mongodb_query_exporter.yaml

@@ -1 +1 @@
-mongodb_query_exporter_mongodb_sc_db_name: "scapp"
+mongodb_query_exporter_mongodb_sc_db_name: "{{ MONGO_MANAGEMENT_PREFIX if WITH_BRANCH_MONGO_DB_MANAGEMENT else '' }}scapp"

ansible/group_vars/infra/mongodb_query_exporter.yaml

@@ -1 +1 @@
-mongodb_query_exporter_mongodb_sc_db_name: "scapp"
+mongodb_query_exporter_mongodb_sc_db_name: "schulcloud"

ansible/group_vars/infra/with.yml

@@ -1,4 +1,3 @@
-WITH_MONGO_DATABASES: true
 WITH_SCHULCLOUD_INIT: true
 WITH_CALENDAR_INIT: true
 WITH_STORAGE: true

ansible/host_vars/prod-thr/cfg.yml

@@ -14,3 +14,5 @@ NEXTCLOUD_REDIRECT_URL: https://nextcloud.schulcloud-thueringen.de/apps/files/?d
 NEXTCLOUD_BASE_URL: https://nextcloud.schulcloud-thueringen.de
 
 BLOCKLIST_OF_EMAIL_DOMAINS: "schul-cloud.org"
+
+FEATURE_IDENTITY_MANAGEMENT_STORE_ENABLED: "false"

ansible/host_vars/ref-thr/cfg.yml

@@ -12,3 +12,5 @@ NEXTCLOUD_BASE_URL: https://nextcloud.test.schulcloud-thueringen.de
 FEATURE_H5P_EDITOR_ENABLED: "true"
 
 BLOCKLIST_OF_EMAIL_DOMAINS: "schul-cloud.org"
+
+FEATURE_IDENTITY_MANAGEMENT_STORE_ENABLED: "false"

ansible/playbook.yml

@@ -8,7 +8,9 @@
     - pre_deployment
     - keda
     - namespace-activator-scaled-objects
+    - external-secrets
     - dof_mongo
+    - dof_mongo_management
     - dof_postgresql
     - dof_postgresql_management
     - dof_rabbitmq

ansible/roles/dof_etherpad/tasks/main.yml

@@ -14,7 +14,17 @@
       apply: yes
     tags:
       - configmap
-
+
+  - name: External Secret (namespace specific)
+    kubernetes.core.k8s:
+      kubeconfig: ~/.kube/config
+      namespace: "{{ NAMESPACE }}"
+      template: external-secret.yml.j2
+      state: "{{ 'present' if WITH_BRANCH_MONGO_DB_MANAGEMENT else 'absent'}}"
+    when: EXTERNAL_SECRETS_OPERATOR
+    tags:
+      - 1password
+
   - name: Secret by 1Password
     kubernetes.core.k8s:
       kubeconfig: ~/.kube/config 
@@ -23,7 +33,7 @@
     when: ONEPASSWORD_OPERATOR is defined and ONEPASSWORD_OPERATOR|bool
     tags:
       - 1password
-      
+
   - name: Deployment
     kubernetes.core.k8s:
       kubeconfig: ~/.kube/config 

ansible/roles/dof_etherpad/templates/external-secret.yml.j2

@@ -0,0 +1,27 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: etherpad-secret
+  namespace: {{ NAMESPACE }}
+  labels:
+    app: etherpad
+spec:
+  refreshInterval: {{ EXTERNAL_SECRETS_REFRESH_INTERVAL }}
+  secretStoreRef:
+    kind: SecretStore
+    name: {{ EXTERNAL_SECRETS_K8S_STORE }}
+  target:
+    name: etherpad-secret
+    template:
+      engineVersion: v2
+      mergePolicy: Merge
+      data:
+        DB_URL:  "{{ '{{ .MONGO_MANAGEMENT_TEMPLATE_URL }}/' ~ MONGO_MANAGEMENT_PREFIX ~ 'etherpad' }}"
+  dataFrom:
+  - extract:
+      key: etherpad-secret{{ EXTERNAL_SECRETS_POSTFIX }}
+  data:
+  - secretKey: MONGO_MANAGEMENT_TEMPLATE_URL
+    remoteRef:
+      key: mongo-cluster-readwrite-secret
+      property: credentials-url

ansible/roles/dof_etherpad/templates/onepassword.yml.j2

@@ -1,7 +1,7 @@
 apiVersion: onepassword.com/v1
 kind: OnePasswordItem
 metadata:
-  name: etherpad-secret
+  name: etherpad-secret{{ EXTERNAL_SECRETS_POSTFIX }}
   namespace: {{ NAMESPACE }}
   labels:
     app: etherpad

ansible/roles/dof_mongo_management/meta/main.yml

@@ -0,0 +1,9 @@
+galaxy_info:
+  role_name: dof_mongo_management
+  author: Schul-Cloud Verbund
+  description: Helper role for creating the MongoDB Secret
+  company: Schul-Cloud Verbund
+  license: license (AGPLv3)
+  min_ansible_version: 2.8
+  galaxy_tags: []
+dependencies: []

ansible/roles/dof_mongo_management/tasks/main.yml

@@ -0,0 +1,8 @@
+- name: Add or Update MongoDB Read/Write Secret by 1Password
+  kubernetes.core.k8s:
+    kubeconfig: ~/.kube/config 
+    namespace: "{{ NAMESPACE }}"
+    template: onepassword-mongo-readwrite.yml.j2
+  when: WITH_BRANCH_MONGO_DB_MANAGEMENT and ONEPASSWORD_OPERATOR is defined and ONEPASSWORD_OPERATOR|bool
+  tags:
+    - 1password

ansible/roles/dof_mongo_management/templates/onepassword-mongo-readwrite.yml.j2

@@ -0,0 +1,9 @@
+apiVersion: onepassword.com/v1
+kind: OnePasswordItem
+metadata:
+  name: mongo-cluster-readwrite-secret
+  namespace: {{ NAMESPACE }}
+  labels:
+    app: mongo-management
+spec:
+  itemPath: "vaults/{{ ONEPASSWORD_OPERATOR_VAULT }}/items/mongo-cluster-schulcloud-anydatabase-rw"

ansible/roles/external-secrets/meta/main.yml

@@ -0,0 +1,9 @@
+galaxy_info:
+  role_name: external-secrets
+  author: Schul-Cloud Verbund
+  description: Configures the SecretStore of external-secrets for the namespace
+  company: Schul-Cloud Verbund
+  license: license (AGPLv3)
+  min_ansible_version: 2.8
+  galaxy_tags: []
+dependencies: []

ansible/roles/external-secrets/tasks/main.yml

@@ -0,0 +1,40 @@
+---
+  - name: Get ServiceAccount Token for SecretStore
+    kubernetes.core.k8s_info:
+      kubeconfig: ~/.kube/config
+      kind: Secret
+      name: "{{ EXTERNAL_SECRETS_TOKEN_SECRET }}"
+      namespace: "{{ EXTERNAL_SECRETS_NAMESPACE }}"
+    register: secretstore_token
+    when: EXTERNAL_SECRETS_OPERATOR
+    tags:
+      - 1password
+
+  - name: Save the Token for SecretStore in a secret in this namespace
+    vars:
+      token: "{{ secretstore_token.resources[0].data.token }}"
+    kubernetes.core.k8s:
+      kubeconfig: ~/.kube/config
+      template: secret-token.yml.j2
+    when: EXTERNAL_SECRETS_OPERATOR
+    tags:
+      - 1password
+
+  - name: Delete Secret with Token for SecretStore
+    kubernetes.core.k8s:
+      kubeconfig: ~/.kube/config
+      namespace: "{{ NAMESPACE }}"
+      kind: Secret
+      name: external-secrets-secretstore-token
+      state: absent
+    when: not EXTERNAL_SECRETS_OPERATOR
+    tags:
+      - 1password
+
+  - name: Create Secret Store
+    kubernetes.core.k8s:
+      kubeconfig: ~/.kube/config
+      template: secretstore.yml.j2
+    when: EXTERNAL_SECRETS_OPERATOR
+    tags:
+      - 1password

ansible/roles/external-secrets/templates/secret-token.yml.j2

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: external-secrets-secretstore-token
+  namespace: {{ NAMESPACE }}
+  labels:
+    app: external-secrets
+type: Opaque
+data:
+    token: "{{ token }}"

ansible/roles/external-secrets/templates/secretstore.yml.j2

@@ -0,0 +1,19 @@
+apiVersion: external-secrets.io/v1beta1
+kind: SecretStore
+metadata:
+  name: {{ EXTERNAL_SECRETS_K8S_STORE }}
+  namespace: {{ NAMESPACE }}
+spec:
+  provider:
+    kubernetes:
+      auth:
+        token:
+          bearerToken:
+            name: external-secrets-secretstore-token
+            key: token
+      remoteNamespace: {{ NAMESPACE }}
+      server:
+        caProvider:
+          key: ca.crt
+          name: kube-root-ca.crt
+          type: ConfigMap

ansible/roles/mongodb_query_exporter/tasks/main.yml

@@ -1,3 +1,13 @@
+  - name: External Secret (namespace specific)
+    kubernetes.core.k8s:
+      kubeconfig: ~/.kube/config
+      namespace: "{{ NAMESPACE }}"
+      template: external-secret.yml.j2
+      state: "{{ 'present' if WITH_BRANCH_MONGO_DB_MANAGEMENT else 'absent'}}"
+    when: EXTERNAL_SECRETS_OPERATOR
+    tags:
+      - 1password
+
   - name: Secret for mongodb-query-exporter
     kubernetes.core.k8s:
       kubeconfig: ~/.kube/config

ansible/roles/mongodb_query_exporter/templates/external-secret.yml.j2

@@ -0,0 +1,27 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: {{ mongodb_query_exporter_secret_name }}
+  namespace: {{ NAMESPACE }}
+  labels:
+    app: mongodb-query-exporter
+spec:
+  refreshInterval: {{ EXTERNAL_SECRETS_REFRESH_INTERVAL }}
+  secretStoreRef:
+    kind: SecretStore
+    name: {{ EXTERNAL_SECRETS_K8S_STORE }}
+  target:
+    name: {{ mongodb_query_exporter_secret_name }}
+    template:
+      engineVersion: v2
+      mergePolicy: Merge
+      data:
+        MDBEXPORTER_SERVER_0_MONGODB_URI:  "{{ '{{ .MONGO_MANAGEMENT_TEMPLATE_URL }}/' ~ mongodb_query_exporter_mongodb_sc_db_name }}"
+  dataFrom:
+  - extract:
+      key: {{ mongodb_query_exporter_secret_name }}{{ EXTERNAL_SECRETS_POSTFIX }}
+  data:
+  - secretKey: MONGO_MANAGEMENT_TEMPLATE_URL
+    remoteRef:
+      key: mongo-cluster-readwrite-secret
+      property: credentials-url

ansible/roles/mongodb_query_exporter/templates/onepassword.yml.j2

@@ -1,7 +1,7 @@
 apiVersion: onepassword.com/v1
 kind: OnePasswordItem
 metadata:
-  name: {{ mongodb_query_exporter_secret_name }}
+  name: {{ mongodb_query_exporter_secret_name }}{{ EXTERNAL_SECRETS_POSTFIX }}
   namespace: {{ NAMESPACE }}
   labels:
     app: mongodb-query-exporter

ansible/roles/namespace-activator-scaled-objects/defaults/main.yml

@@ -1,36 +1,41 @@
 deployments_for_scaled_objects:
-  - api-deployment
-  - admin-api-deployment
-  - client-deployment
-  - amqp-files-deployment
-  - api-h5p-proxy-deployment
-  - api-h5p-deployment
-  - h5p-staticfiles-server-deployment
-  - antivirus-webserver-deployment
-  - antivirus-scanfile-deployment
-  - api-files-deployment
-  - api-migration-systems-deployment
-  - preview-generator-deployment
-  - api-fwu-deployment
-  - calendar-deployment
-  - clamav-deployment
-  - default-backend-404-deployment
-  - erwinidm-deployment
-  - etherpad-deployment
-  - etherpad-nginx-deployment
-  - hydra-deployment
-  - libreoffice-deployment
-  - management-deployment
-  - nuxtclient-deployment
-  - oidcmock-deployment
-  - rocketchat-deployment
-  - shd-deployment
-  - shd-client-deployment
-  - version-aggregator-deployment
-#  - tldraw-deployment
-#  - tldraw-worker-deployment
-  - tldraw-client-deployment
-  - mailcatcher-deployment
-  - maildrop-deployment
-  - board-collaboration-deployment
-  - common-cartridge-deployment
+  - name: api-deployment
+  - name: admin-api-deployment
+  - name: client-deployment
+  - name: amqp-files-deployment
+  - name: api-h5p-proxy-deployment
+  - name: api-h5p-deployment
+  - name: h5p-staticfiles-server-deployment
+  - name: antivirus-webserver-deployment
+  - name: antivirus-scanfile-deployment
+  - name: api-files-deployment
+  - name: api-migration-systems-deployment
+  - name: preview-generator-deployment
+  - name: api-fwu-deployment
+  - name: calendar-deployment
+  - name: clamav-deployment
+  - name: default-backend-404-deployment
+  - name: erwinidm-deployment
+  - name: etherpad-deployment
+  - name: etherpad-nginx-deployment
+  - name: hydra-deployment
+  - name: libreoffice-deployment
+  - name: management-deployment
+  - name: nuxtclient-deployment
+  - name: oidcmock-deployment
+  - name: rocketchat-deployment
+  - name: shd-deployment
+  - name: shd-client-deployment
+  - name: version-aggregator-deployment
+  - name: mailcatcher-deployment
+  - name: maildrop-deployment
+  - name: board-collaboration-deployment
+  - name: common-cartridge-deployment
+  - name: clammit-deployment
+  # those 2 will be re-added when new tldraw stuff is enabled by default
+  #  - tldraw-deployment
+  #  - tldraw-worker-deployment
+  - name: tldraw-client-deployment
+  - name: valkey-node
+    kind: StatefulSet
+    replicaCount: "{{TLDRAW_VALKEY_REPLICAS}}"