Merge branch 'master' into OPS-7491-Adapt-cron-tools-container-for-ba…

…ckups
hpi-schul-cloud · Feb 6, 2025 · 4e841b8 · 4e841b8
2 parents 21ae0d7 + 5d23a71
commit 4e841b8
Show file tree

Hide file tree

Showing 10 changed files with 82 additions and 8 deletions.
diff --git a/.github/workflows/ansible-count-hosts.yaml b/.github/workflows/ansible-count-hosts.yaml
@@ -27,9 +27,15 @@ jobs:
       count: ${{ steps.count_hosts.outputs.count }}
     steps:
       - uses: actions/checkout@v4
-      - name: Count hosts in limit
-        id: count_hosts
+      - name: Create virtual environment and install ansible
         run: |
+          python -m venv .venv
+          source .venv/bin/activate
           # Only keep Ansible in the pip requirements
           pip3 install $(grep ansible $GITHUB_WORKSPACE/${{ inputs.requirements_file }})
+          echo "$VIRTUAL_ENV/bin" >> $GITHUB_PATH
+          echo "VIRTUAL_ENV=$VIRTUAL_ENV" >> $GITHUB_ENV
+      - name: Count hosts in limit
+        id: count_hosts
+        run: |
           echo "count=$(ansible-inventory -i $GITHUB_WORKSPACE/${{ inputs.inventory_file }} --list -l ${{ inputs.limit }} | jq -e '._meta.hostvars | keys | length')" >> $GITHUB_OUTPUT
diff --git a/.github/workflows/docopstoghcr-on-push.yaml b/.github/workflows/docopstoghcr-on-push.yaml
@@ -0,0 +1,21 @@
+---
+name: docops Docker Image on Push to GHCR
+
+on:
+  push:
+    branches-ignore:
+      - master
+    paths:
+      - 'docops/**'
+
+jobs:
+  build_image_on_push:
+    permissions:
+      packages: write
+      security-events: write
+      actions: read
+      contents: read
+    uses: ./.github/workflows/imagetoghcr-on-push.yaml
+    with:
+      image_name: "docops"
+      context: "./docops/"
diff --git a/.github/workflows/imagetoghcr-on-push.yaml b/.github/workflows/imagetoghcr-on-push.yaml
@@ -84,6 +84,6 @@ jobs:
 
       - name: Upload Trivy scan results to GitHub Security tab
         if: ${{ always() }}
-        uses: github/codeql-action/upload-sarif@v2
+        uses: github/codeql-action/upload-sarif@ece8414c725e29de2e18c0859fda9e7280df9488
         with:
           sarif_file: 'trivy-results.sarif'
diff --git a/.github/workflows/trigger-awx.yaml b/.github/workflows/trigger-awx.yaml
@@ -48,9 +48,13 @@ jobs:
   run_awx:
     runs-on: ubuntu-latest
     steps:
-      - name: Pip install awxkit
+      - name: Create venv and install awxkit
         run: |
-          pip3 install awxkit==${{ inputs.awxkit_version }}
+          python -m venv .venv
+          source .venv/bin/activate
+          pip3 install awxkit==${{ inputs.awxkit_version }} setuptools
+          echo "$VIRTUAL_ENV/bin" >> $GITHUB_PATH
+          echo "VIRTUAL_ENV=$VIRTUAL_ENV" >> $GITHUB_ENV
       - name: Set limit flag env
         run: echo "LIMIT_FLAG=--limit ${{ inputs.limit }}" >> $GITHUB_ENV
         if: ${{ inputs.limit != '' }}

diff --git a/.github/workflows/trivy-scan.yaml b/.github/workflows/trivy-scan.yaml
@@ -33,7 +33,7 @@ jobs:
           ignore-unfixed: true
 
       - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v2
+        uses: github/codeql-action/upload-sarif@ece8414c725e29de2e18c0859fda9e7280df9488
         if: always()
         with:
           sarif_file: 'trivy-results.sarif'
diff --git a/awx-ee/Dockerfile b/awx-ee/Dockerfile
@@ -75,7 +75,7 @@ ARG ANSIBLE_GALAXY_CLI_ROLE_OPTS
 ARG ANSIBLE_INSTALL_REFS
 ARG PKGMGR
 
-ARG HELM_VERSION=3.13.3
+ARG HELM_VERSION=3.16.4
 ARG TERRAFORM_VERSION=1.5.4
 ARG KUBECTL_VERSION=1.27.10
 ARG OP_VERSION=2.24.0

diff --git a/cron-tools/Dockerfile b/cron-tools/Dockerfile
@@ -6,6 +6,7 @@ ENV TZ=Europe/Berlin
 RUN set -x \
     && apt-get -y update \
     && apt-get -y install wget \
+    && apt-get -y install bsdextrautils \
     && wget https://dl.k8s.io/release/v1.28.7/bin/linux/amd64/kubectl \
     && chmod +x kubectl \
     && mv ./kubectl /usr/local/bin/kubectl \

diff --git a/docops/Dockerfile b/docops/Dockerfile
@@ -0,0 +1,36 @@
+FROM quay.io/ansible/awx-ee:24.1.0
+
+USER root
+
+RUN \
+    # Add non-privileged user
+    adduser docops --uid 1000 --gid 0 && \
+    # Install drawio
+    dnf install -y wget && \
+    mkdir /home/docops/drawio && \
+    cd /home/docops/drawio && \
+    curl -s https://api.github.com/repos/jgraph/drawio-desktop/releases/latest | grep browser_download_url | grep '.*drawio-x86_64-.*\.rpm' | cut -d '"' -f 4 | wget -i -  && \
+    dnf install -y ./drawio-x86_64-*.rpm && \
+    dnf remove -y wget && \
+    rm -rf /home/docops/drawio && \
+    # Install X Virtual Framebuffer as an X server because it's needed to execute drawio in a headless mode
+    # Later execute drawio with xvfb as the following.
+    # Remember to append the options '--disable-gpu --headless --no-sandbox' as the last options of the command.
+    # Examples:
+    # xvfb-run -a drawio --version --disable-gpu --headless --no-sandbox
+    # xvfb-run -a drawio --export --format png --output ./test.png ./test.drawio --disable-gpu --headless --no-sandbox
+    dnf install -y xorg-x11-server-Xvfb;
+
+USER docops
+
+RUN \
+    # Install doctoolchain
+    cd /home/docops && \
+    curl -Lo dtcw https://doctoolchain.org/dtcw && \
+    chmod +x ./dtcw && \
+    ./dtcw install doctoolchain; \
+    ./dtcw install java; \
+    # Install community.general collection, it contains the 'archive' module used in the doctoolchain playbook
+    ansible-galaxy collection install community.general;
+
+CMD ["/bin/bash"]
diff --git a/infra-tools/Dockerfile b/infra-tools/Dockerfile
@@ -47,6 +47,8 @@ RUN set -x \
         gettext \
         librsync-dev \
         python3-pip \
+        ldap-utils \
+        jq \
     && curl -fsSL https://deb.nodesource.com/setup_lts.x | bash - \
     && apt-get install -y nodejs \
     && apt-get clean -y \

diff --git a/onepwd/plugins/action/item.py b/onepwd/plugins/action/item.py
@@ -49,6 +49,8 @@ def run(self, tmp=None, task_vars=None, **kwargs):
 
     def run_present(self, op:onepwd.OnePwd, category, name, vault, fields, generate_password, overwrite, check):
         assignment_statements = ""
+        # Dry-run doesn't recognize changes in files so we always update items containing files
+        overwrite_file_fields = False
         for field in fields:
             if 'overwrite' in field and field['overwrite'] is False:
                 labels = op.get('item', item_name=name, vault=vault)
@@ -59,14 +61,16 @@ def run_present(self, op:onepwd.OnePwd, category, name, vault, fields, generate_
                 if not label_existing:
                     assignment_statements += " " + onepwd.build_assignment_statement(field)
             else:
+                if field['type'].lower() == 'file':
+                    overwrite_file_fields = True
                 assignment_statements += " " + onepwd.build_assignment_statement(field)
 
         result = {}
         diff = {}
         try:
             get_result = op.get('item', item_name=name, vault=vault)
             edit_result = op.edit_item(name, assignment_statements, vault=vault, generate_password=generate_password, dry_run=True)
-            changed = not items_equal(get_result, edit_result) and overwrite
+            changed = (not items_equal(get_result, edit_result) or overwrite_file_fields) and overwrite
             if changed:
                 if not check:
                     edit_result = op.edit_item(name, assignment_statements, vault=vault, generate_password=generate_password)