Merge branch 'main' into feat/noble

Author: m-bull

.ansible-lint.yml

@@ -0,0 +1,14 @@
+---
+skip_list:
+  - role-name
+  # Unresolved issues with parsing jinja in multiline strings
+  # https://github.com/ansible/ansible-lint/issues/3935
+  - jinja[spacing]
+  - galaxy[no-changelog]
+
+warn_list:
+  - var-naming
+
+exclude_paths:
+  - .ansible/**
+  - .github/**

.checkov.yaml

@@ -0,0 +1,4 @@
+---
+skip-check:
+  # Requires all blocks to have rescue: - not considered appropriate
+  - CKV2_ANSIBLE_3

.github/linters/.checkov.yaml

@@ -0,0 +1 @@
+../../.checkov.yaml

.github/linters/.yamllint.yml

@@ -0,0 +1 @@
+../../.yamllint.yml

.github/workflows/lint.yml

@@ -0,0 +1,47 @@
+---
+name: Lint
+
+on:  # yamllint disable-line rule:truthy
+  workflow_call:
+
+permissions:
+  contents: read
+  packages: write
+  # To report GitHub Actions status checks
+  statuses: write
+
+jobs:
+  lint:
+    name: Lint
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: read
+      # To report GitHub Actions status checks
+      statuses: write
+
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          # super-linter needs the full git history to get the
+          # list of files that changed across commits
+          fetch-depth: 0
+          submodules: true
+
+      - name: Run ansible-lint
+        uses: ansible/[email protected]
+
+      - name: Load super-linter configuration
+        # Use grep inverse matching to exclude eventual comments in the .env file
+        # because the GitHub Actions command to set environment variables doesn't
+        # support comments.
+        # yamllint disable-line rule:line-length
+        # Ref: https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/workflow-commands-for-github-actions#setting-an-environment-variable
+        run: grep -v '^#' super-linter.env >> "$GITHUB_ENV"
+        if: always()
+
+      - name: Run super-linter
+        uses: super-linter/[email protected]
+        if: always()
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/test-azimuth.yml

@@ -0,0 +1,42 @@
+---
+name: Test Azimuth
+
+permissions:
+  contents: read
+  packages: write
+  # To report GitHub Actions status checks
+  statuses: write
+  id-token: write
+
+on:
+  workflow_call:
+
+jobs:
+  test_azimuth:
+    runs-on: ubuntu-latest
+    steps:
+      # Check out the configuration repository
+      - name: Set up Azimuth environment
+        uses: azimuth-cloud/azimuth-config/.github/actions/setup@devel
+        with:
+          os-clouds: ${{ secrets.OS_CLOUDS }}
+          environment-prefix: ops-ci
+          azimuth-ops-version: ${{ github.event.pull_request.head.sha }}
+          target-cloud: ${{ vars.TARGET_CLOUD }}
+        # GitHub terminates jobs after 6 hours
+        # We don't want jobs to acquire the lock then get timed out before they can finish
+        # So wait a maximum of 3 hours to acquire the lock, leaving 3 hours for other tasks in the job
+        timeout-minutes: 180
+
+      # Provision Azimuth using the azimuth-ops version under test
+      - name: Provision Azimuth
+        uses: azimuth-cloud/azimuth-config/.github/actions/provision@devel
+
+      # # Run the tests
+      - name: Run Azimuth tests
+        uses: azimuth-cloud/azimuth-config/.github/actions/test@devel
+
+      # Tear down the environment
+      - name: Destroy Azimuth
+        uses: azimuth-cloud/azimuth-config/.github/actions/destroy@devel
+        if: ${{ always() }}

.github/workflows/test-pr.yml

@@ -1,6 +1,13 @@
 name: Test Azimuth deployment
 
-on:
+permissions:
+  contents: read
+  packages: write
+  # To report GitHub Actions status checks
+  statuses: write
+  id-token: write
+
+on:  # yamllint disable-line rule:truthy
   pull_request:
     types:
       - opened
@@ -9,20 +16,6 @@ on:
       - reopened
     branches:
       - main
-    paths-ignore:
-      # Ignore any changes that are not actually code changes
-      - .gitignore
-      - CODEOWNERS
-      - LICENSE
-      - README.md
-      - .github/release.yml
-      - .github/workflows/update-dependencies.yml
-      # Ignore any changes that only affect the HA install
-      - playbooks/deploy_capi_mgmt.yml
-      - playbooks/provision_capi_mgmt.yml
-      - playbooks/restore.yml
-      - roles/capi_cluster/**
-      - roles/velero/**
 
 # Use the head ref for workflow concurrency, with cancellation
 # This should mean that any previous workflows for a PR get cancelled when a new commit is pushed
@@ -33,50 +26,66 @@ concurrency:
 jobs:
   # This job exists so that PRs from outside the main repo are rejected
   fail_on_remote:
+    name: Fail on Remote
     runs-on: ubuntu-latest
     steps:
       - name: PR must be from a branch in the azimuth-cloud/ansible-collection-azimuth-ops repo
-        run: exit ${{ github.repository == 'azimuth-cloud/ansible-collection-azimuth-ops' && '0' || '1' }}
+        run: |
+          if [ "${{ github.repository }}" != "azimuth-cloud/ansible-collection-azimuth-ops" ]; then
+            exit 1
+          fi
+  lint:
+    name: Lint
+    uses: ./.github/workflows/lint.yml
+    needs:
+      - fail_on_remote
 
-  run_azimuth_tests:
-    needs: [fail_on_remote]
+  files_changed:
+    name: Detect Files Changed
+    needs:
+      - fail_on_remote
+      - lint
     runs-on: ubuntu-latest
+    # Map a step output to a job output, this allows other jobs to be gated on the filter results
+    outputs:
+      paths: ${{ steps.filter.outputs.paths }}
     steps:
-      # Check out the configuration repository
-      - name: Set up Azimuth environment
-        uses: azimuth-cloud/azimuth-config/.github/actions/setup@devel
-        with:
-          os-clouds: ${{ secrets.OS_CLOUDS }}
-          environment-prefix: ops-ci
-          azimuth-ops-version: ${{ github.event.pull_request.head.sha }}
-          target-cloud: ${{ vars.TARGET_CLOUD }}
-          # Remove when https://github.com/stackhpc/azimuth-config/pull/129 merges
-          extra-vars: |
-            generate_tests_caas_default_test_case_enabled: false
-            generate_tests_caas_test_case_workstation_enabled: true
-            generate_tests_caas_test_case_slurm_enabled: true
-            generate_tests_caas_test_case_repo2docker_enabled: true
-            generate_tests_caas_test_case_rstudio_enabled: true
-            generate_tests_kubernetes_test_cases_latest_only: true
-            generate_tests_kubernetes_apps_default_test_case_enabled: false
-            generate_tests_kubernetes_apps_test_case_jupyterhub_enabled: true
-            generate_tests_kubernetes_apps_test_case_daskhub_enabled: true
-            # Test Flux install in CI even when disabled in default config
-            flux_enabled: true
-        # GitHub terminates jobs after 6 hours
-        # We don't want jobs to acquire the lock then get timed out before they can finish
-        # So wait a maximum of 3 hours to acquire the lock, leaving 3 hours for other tasks in the job
-        timeout-minutes: 180
+      - name: Checkout
+        uses: actions/checkout@v4
 
-      # Provision Azimuth using the azimuth-ops version under test
-      - name: Provision Azimuth
-        uses: azimuth-cloud/azimuth-config/.github/actions/provision@devel
-
-      # # Run the tests
-      - name: Run Azimuth tests
-        uses: azimuth-cloud/azimuth-config/.github/actions/test@devel
+      - name: Paths Filter
+        # For safety using commit of dorny/paths-filter@v3
+        uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36
+        id: filter
+        with:
+          # Default predicate is 'some' which gives a match if any one filter matches.
+          # Change the predicate to 'every' so the file has to match all filters,
+          # to model 'paths-ignore' we match only if we've exluded all unwanted files.
+          predicate-quantifier: 'every'
+          filters: |
+            paths:
+              # Ignore any changes that are not actually code changes
+              - "!.gitignore"
+              - "!CODEOWNERS"
+              - "!LICENSE"
+              - "!README.md"
+              - "!.github/release.yml"
+              - "!.github/workflows/update-dependencies.yml"
+              # Ignore any changes that only affect the HA install
+              - "!playbooks/deploy_capi_mgmt.yml"
+              - "!playbooks/provision_capi_mgmt.yml"
+              - "!playbooks/restore.yml"
+              - "!roles/capi_cluster/**"
+              - "!roles/velero/**"
 
-      # Tear down the environment
-      - name: Destroy Azimuth
-        uses: azimuth-cloud/azimuth-config/.github/actions/destroy@devel
-        if: ${{ always() }}
+  run_azimuth_tests:
+    # Use the output of the above filter to check if the files listed under "paths" have changed.
+    # We can negate this check to run an alternative job,
+    # we can add additional filters like "paths" and action on those.
+    # Example: https://github.com/getsentry/sentry/blob/2ebe01feab863d89aa7564e6d243b6d80c230ddc/.github/workflows/backend.yml#L36
+    name: Run Azimuth Tests
+    needs:
+      - files_changed
+    if: needs.files_changed.outputs.paths == 'true'
+    uses: ./.github/workflows/test-azimuth.yml
+    secrets: inherit

.github/workflows/update-dependencies.yml

@@ -1,7 +1,12 @@
 # This workflow proposes updates to the dependencies that dependabot cannot
 name: Update dependencies
 
-on:
+permissions:
+  contents: write
+  id-token: write
+  pull-requests: write
+
+on:  # yamllint disable-line rule:truthy
   # Allow manual executions
   workflow_dispatch:
   # Run nightly
@@ -57,6 +62,12 @@ jobs:
             prereleases: "yes"
             version_jsonpath: azimuth_apps_operator_chart_version
 
+          - key: azimuth-authorization-webhook
+            path: ./roles/azimuth_authorization_webhook/defaults/main.yaml
+            repository: azimuth-cloud/azimuth-authorization-webhook
+            prereleases: "yes"
+            version_jsonpath: azimuth_authorization_webhook_chart_version
+
           - key: azimuth-caas-operator
             path: ./roles/azimuth_caas_operator/defaults/main.yml
             repository: azimuth-cloud/azimuth-caas-operator
@@ -165,6 +176,11 @@ jobs:
             repository: kubernetes-sigs/kustomize
             version_jsonpath: kustomize_version
 
+          - key: provider-keycloak
+            path: ./roles/crossplane/defaults/main.yml
+            repository: crossplane-contrib/provider-keycloak
+            version_jsonpath: crossplane_keycloak_provider_version
+
           - key: velero-cli
             path: ./roles/velero/defaults/main.yml
             repository: vmware-tanzu/velero
@@ -244,6 +260,12 @@ jobs:
             chart_name_jsonpath: cloud_metrics_grafana_chart_name
             chart_version_jsonpath: cloud_metrics_grafana_chart_version
 
+          - key: crossplane
+            path: ./roles/crossplane/defaults/main.yml
+            chart_repo_jsonpath: crossplane_chart_repo
+            chart_name_jsonpath: crossplane_chart_name
+            chart_version_jsonpath: crossplane_chart_version
+
           - key: flux
             path: ./roles/flux/defaults/main.yml
             chart_repo_jsonpath: flux_chart_repo

.gitignore

@@ -1,3 +1,4 @@
+.ansible
 .python-version
 .bin
 .terraform

.yamllint.yml

@@ -0,0 +1,24 @@
+---
+extends: default
+
+rules:
+  brackets:
+    forbid: non-empty
+  comments:
+    # https://github.com/prettier/prettier/issues/6780
+    min-spaces-from-content: 1
+  # https://github.com/adrienverge/yamllint/issues/384
+  comments-indentation: false
+  document-start: disable
+  # 160 chars was the default used by old E204 rule, but
+  # you can easily change it or disable in your .yamllint file.
+  line-length:
+    max: 160
+  # We are adding an extra space inside braces as that's how prettier does it
+  # and we are trying not to fight other linters.
+  braces:
+    min-spaces-inside: 0 # yamllint defaults to 0
+    max-spaces-inside: 1 # yamllint defaults to 0
+  octal-values:
+    forbid-implicit-octal: true # yamllint defaults to false
+    forbid-explicit-octal: true # yamllint defaults to false