Add necessary roles/playbooks for make show and make install functionality (#40)

Author: dminnear-rh

.github/workflows/ansible-lint.yml

@@ -1,19 +1,20 @@
-name: Ansible Lint # feel free to pick your own name
+name: Ansible Lint
 
 on: [push, pull_request]
 
 jobs:
   build:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
 
     steps:
-      # Important: This sets up your GITHUB_WORKSPACE environment variable
-      - uses: actions/checkout@v5
+      - name: Checkout Code
+        uses: actions/checkout@v5
+        with:
+          persist-credentials: false
 
       - name: Lint Ansible Playbook
-        uses: ansible/ansible-lint@main
-        # Let's point it to the path
+        uses: ansible/ansible-lint@50373efb440dd3b524956c075af715cd00eaf20b
         with:
           setup_python: "true"
-          # args: ""
-          # working_directory: ""

.github/workflows/ansible-sanitytest.yml

@@ -1,11 +1,6 @@
 ---
 name: Ansible collection sanity tests
 
-#
-# Documentation:
-# https://help.github.com/en/articles/workflow-syntax-for-github-actions
-#
-
 on: [push, pull_request]
 
 jobs:
@@ -16,12 +11,15 @@ jobs:
         python-version: [3.11.3, 3.12.6]
         ansible-core: ["2.16.*"]
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
 
     steps:
       - name: Checkout Code
         uses: actions/checkout@v5
         with:
           path: ansible_collections/rhvp/cluster_utils
+          persist-credentials: false
 
       - name: Set up Python ${{ matrix.python-version }}
         uses: actions/setup-python@v5

.github/workflows/ansible-unittest.yml

@@ -1,11 +1,6 @@
 ---
 name: Ansible unit tests
 
-#
-# Documentation:
-# https://help.github.com/en/articles/workflow-syntax-for-github-actions
-#
-
 on: [push, pull_request]
 
 jobs:
@@ -16,12 +11,15 @@ jobs:
         python-version: [3.11.3, 3.12.6]
         ansible-core: ["2.16.*"]
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
 
     steps:
       - name: Checkout Code
         uses: actions/checkout@v5
         with:
           path: ansible_collections/rhvp/cluster_utils
+          persist-credentials: false
 
       - name: Set up Python ${{ matrix.python-version }}
         uses: actions/setup-python@v5

.github/workflows/jsonschema.yaml

@@ -10,10 +10,14 @@ jobs:
       matrix:
         python-version: [3.11.3]
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
 
     steps:
       - name: Checkout Code
         uses: actions/checkout@v5
+        with:
+          persist-credentials: false
 
       - name: Set up Python ${{ matrix.python-version }}
         uses: actions/setup-python@v5

.github/workflows/superlinter.yml

@@ -5,23 +5,24 @@ on: [push, pull_request]
 
 jobs:
   build:
-    # Name the Job
     name: Super linter
-    # Set the agent to run on
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
 
     steps:
       - name: Checkout Code
         uses: actions/checkout@v5
         with:
           # Full git history is needed to get a proper list of changed files within `super-linter`
           fetch-depth: 0
+          persist-credentials: false
 
       ################################
       # Run Linter against code base #
       ################################
       - name: Lint Code Base
-        uses: super-linter/super-linter/slim@v8
+        uses: super-linter/super-linter/slim@ffde3b2b33b745cb612d787f669ef9442b1339a6
         env:
           VALIDATE_ALL_CODEBASE: true
           DEFAULT_BRANCH: main

playbooks/install.yml

@@ -0,0 +1,6 @@
+---
+- name: Install the pattern via pattern-install chart
+  ansible.builtin.import_playbook: operator_deploy.yml
+
+- name: Load secrets (if not explicity disabled in values-global.yaml)
+  ansible.builtin.import_playbook: load_secrets.yml

playbooks/load_secrets.yml

@@ -0,0 +1,28 @@
+---
+- name: Decide whether to load secrets
+  hosts: localhost
+  connection: local
+  gather_facts: false
+  roles:
+    - role: pattern_settings
+
+  tasks:
+    - name: Check values-global to see if secret loading is explicity disabled
+      ansible.builtin.set_fact:
+        secret_loader_disabled: "{{ values_global.global.secretLoader.disabled | default(false) | bool }}"
+
+    - name: Load secrets (when enabled)
+      when: not secret_loader_disabled
+      block:
+        - name: Announce secrets loading
+          ansible.builtin.shell: |
+            printf "==> Loading secrets (this may take several minutes)...\n" > /dev/tty
+
+        - name: Process secrets via role
+          ansible.builtin.include_role:
+            name: load_secrets
+
+    - name: Print secret loading disabled message
+      ansible.builtin.shell: |
+        printf "==> Secrets loading is currently disabled. To enable, update the value of .global.secretLoader.disabled in your values-global.yaml to false.\n" > /dev/tty
+      when: secret_loader_disabled

playbooks/manage_secret_app.yml

@@ -53,7 +53,7 @@
       block:
         - name: Add application '{{ application }}'
           ansible.builtin.command: |
-            yq -i '.clusterGroup.applications.{{ app_def.name }} = {{ app_def | to_json  }}' {{ yq_file }}
+            yq -i '.clusterGroup.applications.{{ app_def.name }} = {{ app_def | to_json }}' {{ yq_file }}
 
     - name: Manage application '{{ application }}' to be absent
       when: application_state == 'absent' and app_found

playbooks/operator_deploy.yml

@@ -0,0 +1,58 @@
+---
+- name: Install pattern (using pattern-install chart)
+  hosts: localhost
+  connection: local
+  gather_facts: false
+
+  roles:
+    - role: pattern_settings # set general pattern vars
+    - role: install_settings # set pattern-install specific vars
+    - role: validate_prereq # ensure installation depencies are present
+    - role: validate_cluster # ensure a cluster is connected and has a default storage class
+    - role: pattern_install_template # render the pattern-install helm chart
+
+  tasks:
+    - name: Origin validation (optional, controlled by DISABLE_VALIDATE_ORIGIN / disable_validate_origin)
+      block:
+        - name: Resolve disable_validate_origin flag
+          ansible.builtin.set_fact:
+            disable_validate_origin: >-
+              {{
+                (
+                  disable_validate_origin
+                  | default(lookup('env', 'DISABLE_VALIDATE_ORIGIN'), true)
+                  | default('false', false)
+                ) | bool
+              }}
+
+        - name: Validate origin (remote/branch must exist)
+          ansible.builtin.include_role:
+            name: validate_origin
+          when: not disable_validate_origin
+
+    - name: Apply rendered pattern-install chart manifests (with retry)
+      block:
+        - name: Preview manifest that will be applied
+          ansible.builtin.shell: |
+            printf "==> Applying the following manifest to the cluster:\n\n" > /dev/tty
+            printf "%s\n" "{{ pattern_install_rendered_yaml }}" > /dev/tty
+
+        - name: Apply via oc with retry
+          ansible.builtin.command: oc apply -f -
+          args:
+            stdin: "{{ pattern_install_rendered_yaml }}"
+            stdin_add_newline: false
+          register: _apply
+          retries: 10
+          delay: 15
+          until: _apply.rc == 0
+
+        - name: Print success message
+          ansible.builtin.shell: printf "==> Installation succeeded!\n" > /dev/tty
+
+      rescue:
+        - name: Print failure summary and abort
+          ansible.builtin.shell: |
+            printf "==> Installation failed. Error:\n" > /dev/tty
+            printf "%s\n" "{{ _apply.stderr | default(_apply.stdout) | default('') }}" > /dev/tty
+            exit 1

playbooks/show.yml

@@ -0,0 +1,14 @@
+---
+- name: Template patttern-install chart
+  hosts: localhost
+  connection: local
+  gather_facts: false
+  roles:
+    - role: pattern_settings # set general pattern vars
+    - role: install_settings # set pattern-install specific vars
+    - role: pattern_install_template # render the pattern-install helm chart
+
+  tasks:
+    - name: Print rendered pattern-install chart manifests
+      ansible.builtin.shell: |
+        printf "\n%s\n" "{{ pattern_install_rendered_yaml }}" > /dev/tty