feat(pre-flight-checks): enable pre-flight-checks in ee (#127)

## 📝 Description

- Enables pre-flight checks in EE.  
- (for testing) Installs the agent controller with the necessary image
(including Erlang, required by `when`) and modifies the pre-job hook to
support running the init job, which installs required packages for the
toolbox. Potentially, a long-term solution is described
[here](renderedtext/project-tasks#2282).

For more details, see: [project
task](renderedtext/project-tasks#2274)

## ✅ Checklist
- [x] I have tested this change.  
- [x] ~This change requires a documentation update~ – No changes to the
Community Edition (CE) version.

Author: dexyk

Makefile

@@ -70,7 +70,7 @@ endif
 
 DOCKER_BUILD_PATH=.
 EX_CATCH_WARRNINGS_FLAG=--warnings-as-errors
-CHECK_DEPS_EXTRA_OPTS?=-w feature_provider,grpc_health_check,tentacat,util,watchman,fun_registry,sentry_grpc,traceman,cacheman,log_tee,spec,proto,sys2app,looper,job_matrix,definition_validator,gofer_client,open_api_spex,when,uuid,esaml,openid_connect
+CHECK_DEPS_EXTRA_OPTS?=-w feature_provider,grpc_health_check,tentacat,util,watchman,fun_registry,sentry_grpc,traceman,cacheman,log_tee,spec,proto,sys2app,looper,job_matrix,definition_validator,gofer_client,open_api_spex,when,uuid,esaml,openid_connect,block
 ROOT_MAKEFILE_PATH := $(shell dirname $(abspath $(lastword $(MAKEFILE_LIST))))
 
 #

ephemeral_environment/scripts/install.sh

@@ -46,6 +46,17 @@ args=(
   "global.edition=${SEMAPHORE_EDITION}"
 )
 
+# if edition is ee, add arguments for agent to support pre-flight-checks
+cp resources/agent-pre-job-hook.sh agent-pre-job-hook.sh
+if [ "$SEMAPHORE_EDITION" = "ee" ]; then
+  args+=(
+    "--set"
+    "controller.agent.defaultImage=hexpm/elixir:1.12.3-erlang-24.3.4.13-ubuntu-focal-20230126"
+    "--set"
+    "controller.agent.defaultPodSpec.preJobHook.customScript=$(cat agent-pre-job-hook.sh | base64 -w 0)"
+  )
+fi
+
 # Provider-specific base args
 
 if [ "$CLOUD_TEST_ENVIRONMENT_TYPE" = "eks" ]; then
@@ -126,6 +137,7 @@ if [[ "$CLOUD_TEST_ENVIRONMENT_TYPE" == "single-vm" ]]; then
     "bitbucket-app-secret.yaml"
     "gitlab-app-secret.yaml"
     "vm-install.sh"
+    "agent-pre-job-hook.sh"
   )
 
   for file in "${files[@]}"; do

ephemeral_environment/scripts/resources/agent-pre-job-hook.sh

@@ -0,0 +1,56 @@
+apt-get update
+apt-get install -y --no-install-recommends curl bash make git wget locales openssh-client
+
+# Install the Semaphore toolbox in the job
+rm -rf ~/.toolbox
+
+downloadPath="https://github.com/semaphoreci/toolbox/releases/latest/download/self-hosted-linux.tar"
+if [ ! -z "${SEMAPHORE_TOOLBOX_VERSION}" ]; then
+  downloadPath="https://github.com/semaphoreci/toolbox/releases/download/$SEMAPHORE_TOOLBOX_VERSION/self-hosted-linux.tar"
+fi
+
+echo "Downloading Semaphore toolbox from $downloadPath..."
+curl -sL --retry 5 --connect-timeout 3 $downloadPath -o /tmp/toolbox.tar
+tar -xvf /tmp/toolbox.tar
+mv toolbox ~/.toolbox
+if [ ! -d ~/.toolbox ]; then
+  echo "Failed to download toolbox."
+  return 1
+fi
+
+echo "Installing..."
+bash ~/.toolbox/install-toolbox
+if [ "$?" -ne "0" ]; then
+  echo "Failed to install toolbox."
+  rm -rf $SEMAPHORE_GIT_DIR
+fi
+
+source ~/.toolbox/toolbox
+if [ "$?" -ne "0" ]; then
+  echo "Failed to source toolbox."
+  rm -rf $SEMAPHORE_GIT_DIR
+fi
+
+echo "Semaphore toolbox successfully installed."
+
+# Create SSH configuration.
+# This is required to avoid manually accepting the Server SSH key fingerprints on checkout.
+mkdir -p ~/.ssh
+
+#
+# Do it for GitHub for backwards compatibility
+#
+echo 'Host github.com' | tee -a ~/.ssh/config
+echo '  StrictHostKeyChecking no' | tee -a ~/.ssh/config
+echo '  UserKnownHostsFile=/dev/null' | tee -a ~/.ssh/config
+
+#
+# Do it for currently used one
+#
+url="${SEMAPHORE_GIT_URL#ssh://}"  # Remove the "ssh://" scheme if present
+url="${url#*@}"                    # Remove everything up to (and including) the '@' if present
+host="${url%%[:/]*}"               # Now extract the host: it's the substring until the first occurrence of either ':' (port separator) or '/' (path separator)
+
+echo "Host ${host}" | tee -a ~/.ssh/config
+echo '  StrictHostKeyChecking no' | tee -a ~/.ssh/config
+echo '  UserKnownHostsFile=/dev/null' | tee -a ~/.ssh/config

ephemeral_environment/scripts/vm-install.sh

@@ -59,6 +59,16 @@ args=(
   "global.edition=${SEMAPHORE_EDITION}"
 )
 
+# if edition is ee, add arguments for agent to support pre-flight-checks
+if [ "$SEMAPHORE_EDITION" = "ee" ]; then
+  args+=(
+    "--set"
+    "controller.agent.defaultImage=hexpm/elixir:1.12.3-erlang-24.3.4.13-ubuntu-focal-20230126"
+    "--set"
+    "controller.agent.defaultPodSpec.preJobHook.customScript=$(cat agent-pre-job-hook.sh | base64 -w 0)"
+  )
+fi
+
 #
 # Generate diff of chart being applied
 #

helm-chart/templates/configmaps/features.yaml

@@ -4,6 +4,7 @@ metadata:
   name: features
   namespace: {{ .Release.Namespace }}
 data:
+{{- if eq .Values.global.edition "ce" }}
   features.yml: |-
     activity_monitor:
       enabled: true
@@ -99,3 +100,100 @@ data:
       enabled: true
     new_project_onboarding:
       enabled: true
+{{- else }}
+  features.yml: |-
+    activity_monitor:
+      enabled: true
+    advanced_deployment_targets:
+      enabled: false
+    artifacts:
+      enabled: true
+    audit_logs:
+      enabled: false
+    audit_streaming:
+      enabled: false
+    badges:
+      enabled: true
+    billing:
+      enabled: false
+    bitbucket:
+      enabled: true
+    gitlab:
+      enabled: true
+    github_oauth_token:
+      enabled: false
+    deployment_targets:
+      enabled: false
+    expose_cloud_agent_types:
+      enabled: false
+    feedback:
+      enabled: false
+    help:
+      enabled: false
+    ip_allow_list:
+      enabled: false
+    just_run:
+      enabled: true
+    max_paralellism_in_org:
+      quantity: 500
+    max_people_in_organization:
+      quantity: 600
+    max_projects_in_org:
+      quantity: 10000
+    multiple_organizations:
+      enabled: false
+    okta:
+      enabled: false
+    open_id_connect:
+      enabled: false
+    open_id_connect_aws_tags:
+      enabled: false
+    organization_health:
+      enabled: false
+    parameterized_promotions:
+      enabled: true
+    permission_patrol:
+      enabled: false
+    pipeline_summaries:
+      enabled: false
+    pre_flight_checks:
+      enabled: true
+    project_level_roles:
+      enabled: false
+    project_level_secrets:
+      enabled: true
+    rbac__groups:
+      enabled: false
+    rbac__saml:
+      enabled: false
+    rbac__project_roles:
+      enabled: false
+    restrict_job_ssh_access:
+      enabled: false
+    scheduler_hook:
+      enabled: true
+    secrets_access_policy:
+      enabled: false
+    secrets_exposed_content:
+      enabled: false
+    self_hosted_agents:
+      quantity: 1000
+    superjerry_tests:
+      enabled: false
+    test_explorer:
+      enabled: false
+    test_results:
+      enabled: false
+    tmp_rbac_test:
+      enabled: false
+    toggle_skipped_blocks:
+      enabled: true
+    instance_git_integration:
+      enabled: true
+    get_started:
+      enabled: true
+    ui_agent_page:
+      enabled: true
+    new_project_onboarding:
+      enabled: true
+{{- end }}

plumber/ppl/helm/templates/plumber-dpl.yml

@@ -48,8 +48,10 @@ spec:
             - configMapRef:
                 name: {{ .Values.global.internalApi.configMapName }}
           env:
+{{- if eq .Values.global.edition "ce" }}
             - name: SKIP_PFC
               value: "true"
+{{- end }}
             - name: SKIP_PROMOTIONS
               value: "true"
             - name: REPO_PROXY_NEW_GRPC_URL