Merge branch 'develop' into feature/2768

.devcontainer/Dockerfile

@@ -5,7 +5,7 @@ ARG USER_UID=1000
 ARG USER_GID=$USER_UID
 
 ARG HELM_VERSION=3.3.1
-ARG KUBECTL_VERSION=1.20.12
+ARG KUBECTL_VERSION=1.22.4
 ARG ISTIOCTL_VERSION=1.8.1
 
 RUN : INSTALL APT REQUIREMENTS \

Dockerfile

@@ -5,7 +5,7 @@ ARG USER_UID=1000
 ARG USER_GID=$USER_UID
 
 ARG HELM_VERSION=3.3.1
-ARG KUBECTL_VERSION=1.20.12
+ARG KUBECTL_VERSION=1.22.4
 ARG ISTIOCTL_VERSION=1.8.1
 
 ENV EPICLI_DOCKER_SHARED_DIR=/shared

README.md

@@ -32,7 +32,7 @@ We currently use Terraform and Ansible for our automation orchestration. All aut
 
 ### Epicli
 
-Use the following command to see a full run-down of all commands and flags:
+Use the following command to see a full run-down of all [epicli](https://github.com/epiphany-platform/epiphany/blob/develop/docs/home/howto/PREREQUISITES.md#run-epicli-from-docker-image) commands and flags:
 
 ```shell
 epicli --help
@@ -44,20 +44,21 @@ Generate a new minimum cluster definition:
 epicli init -p aws -n demo
 ```
 
-This minimum file definition is fine to start with, if you need more control over the infrastructure created you can also create a full definition:
+This minimum file definition is fine to start with, however if you need more control over the infrastructure created you can also create a full definition:
 
 ```shell
 epicli init -p aws -n demo --full
 ```
+and this will create a cluster definition with all available in Epiphany components.
 
 You will need to modify a few values (like your AWS secrets, directory path for SSH keys). Once you are done with `demo.yml` you can start cluster deployment by executing:
 
 ```shell
 epicli apply -f demo.yml
 ```
-You will be asked for a password that will be used for encryption of some of build artifacts. More information [here](docs/home/howto/SECURITY.md#how-to-run-epicli-with-password)
+You will be asked for a password that will be used for encryption of some of build artifacts. More information [here](docs/home/howto/SECURITY.md#how-to-run-epicli-with-password).
 
-Since version 0.7 epicli has an option to backup/recovery some of its components. More information [here](https://github.com/epiphany-platform/epiphany/blob/develop/docs/home/howto/BACKUP.md)
+Since version 0.7 epicli has an option to backup/recovery some of its components. More information [here](https://github.com/epiphany-platform/epiphany/blob/develop/docs/home/howto/BACKUP.md).
 ```shell
 epicli backup -f <file.yml> -b <build_folder>
 epicli recovery -f <file.yml> -b <build_folder>

ansible/playbooks/postflight.yml

@@ -6,7 +6,7 @@
   roles:
     - postflight
 
-- name: Update status in epicli execution history file
+- name: Update status in epicli execution history file and set login message
   hosts: all
   gather_facts: false
   become: true
@@ -33,3 +33,10 @@
       vars:
         _new_content:
           deployments: "{{ [history_latest_entry] + history_other_entries }}"
+
+    - name: Set login messgae
+      include_role:
+        name: common
+        tasks_from: login-message.yml
+      vars:
+        _version: "{{ history_latest_entry.version }}"

ansible/playbooks/roles/applications/templates/auth-service/00-auth-service.yml.j2

@@ -209,6 +209,10 @@ spec:
               name: "{{ auth_service_name }}-db"
         - name: X509_CA_BUNDLE
           value: "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
+{% if data.service.proxy_address_forwarding is defined and data.service.proxy_address_forwarding %}
+        - name: PROXY_ADDRESS_FORWARDING
+          value: "true"
+{% endif %}
       containers:
       - command:
         - /scripts/keycloak.sh
@@ -241,6 +245,10 @@ spec:
               name: "{{ auth_service_name }}-db"
         - name: X509_CA_BUNDLE
           value: "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
+{% if data.service.proxy_address_forwarding is defined and data.service.proxy_address_forwarding %}
+        - name: PROXY_ADDRESS_FORWARDING
+          value: "true"
+{% endif %}
 {% if use_epiphany_image_registry %}
         image: {{ image_registry_address }}/{{ data.image_path }}
 {% else %}

ansible/playbooks/roles/applications/templates/ignite-stateless/01-rbac.yml.j2

@@ -6,7 +6,7 @@ metadata:
   namespace: {{ data.namespace }}
 
 ---
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: ignite
@@ -24,7 +24,7 @@ rules:
 
 ---
 kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: ignite
 roleRef:
@@ -34,4 +34,4 @@ roleRef:
 subjects:
 - kind: ServiceAccount
   name: ignite
-  namespace: {{ data.namespace }}
+  namespace: {{ data.namespace }}

ansible/playbooks/roles/applications/templates/rabbitmq/01-rbac.yml.j2

@@ -7,7 +7,7 @@ metadata:
 
 ---
 kind: Role
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: {{ rabbitmq_service_name }}-endpoint-reader
   namespace: {{ namespace_name }}
@@ -18,7 +18,7 @@ rules:
 
 ---
 kind: RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: {{ rabbitmq_service_name }}-endpoint-reader
   namespace: {{ namespace_name }}

ansible/playbooks/roles/common/handlers/main.yml

@@ -1,3 +1,4 @@
+---
 - name: restart ssh
   systemd:
     name: sshd
@@ -6,4 +7,4 @@
 - name: restart waagent
   systemd:
     name: waagent
-    state: restarted
+    state: restarted

ansible/playbooks/roles/common/tasks/configure-logrotate.yml

@@ -15,13 +15,13 @@
         block: |
           # to have multiple unique filenames per day when dateext option is set
           dateformat -%Y%m%dH%H
-        backup: yes
+        backup: true
 
     - name: Copy logrotate script from /etc/cron.daily to /etc/cron.hourly
       copy:
         src: /etc/cron.daily/logrotate
         dest: /etc/cron.hourly/logrotate
-        remote_src: yes
+        remote_src: true
         mode: preserve
       register: copy_logrotate_script
 

ansible/playbooks/roles/common/tasks/epiuser.yml

@@ -1,4 +1,5 @@
-- name: ensure group {{ admin_user.name }} exists
+---
+- name: Ensure group {{ admin_user.name }} exists
   group:
     name: "{{ admin_user.name }}"
     state: present
@@ -8,15 +9,15 @@
     name: "{{ admin_user.name }}"
     shell: /bin/bash
     groups: "{{ admin_user.name }},wheel"
-    append: yes
+    append: true
   when: ansible_os_family == "RedHat"
 
 - name: Ensure user {{ admin_user.name }} exists, has correct shell, and groups, and no password
   user:
     name: "{{ admin_user.name }}"
     shell: /bin/bash
     groups: "{{ admin_user.name }},sudo"
-    append: yes
+    append: true
   when: ansible_os_family == "Debian"
 
 - name: Set NOPASSWD in /etc/sudoers for wheel group

ansible/playbooks/roles/common/tasks/login-message.yml

@@ -0,0 +1,18 @@
+---
+# Before version 1.3 Epiphany updated /etc/motd file, so this task is necessary for upgrades
+# Can be removed after 1.2 deprecation
+- name: Truncate /etc/motd file
+  copy:
+    dest: /etc/motd
+    content: ""
+    force: true
+
+# motd is not used as Ubuntu has its own update-motd framework for dynamic motd generation
+# while for RedHat there is only /etc/motd that doesn't support simple configuration for colored output
+- name: Configure login message
+  template:
+    src: login-message.sh.j2
+    dest: /etc/profile.d/login-message.sh
+    mode: u=rwx,go=rx
+    owner: root
+    group: root

ansible/playbooks/roles/common/tasks/main.yml

@@ -1,5 +1,4 @@
 ---
-
 - name: Print admin_user.name
   debug:
     msg: "{{ admin_user.name }}"
@@ -27,7 +26,7 @@
 
 - name: Remove swap from /etc/fstab
   mount:
-    backup: yes
+    backup: true
     fstype: swap
     path: swap
     state: absent
@@ -72,7 +71,7 @@
 - name: Disable SELinux at next reboot
   selinux:
     state: disabled
-  ignore_errors: yes
+  ignore_errors: true
   when: ansible_selinux is defined and ansible_selinux != False and ansible_selinux.status == 'enabled'
 
 - name: Set SELinux in permissive mode until the machine is rebooted
@@ -81,24 +80,6 @@
   changed_when: false
   when: ansible_selinux is defined and ansible_selinux != False and ansible_selinux.status == 'enabled'
 
-# Before version 1.3 Epiphany updated /etc/motd file, so this task is necessary for upgrades
-# Can be removed after 1.2 deprecation
-- name: Truncate /etc/motd file
-  copy:
-    dest: /etc/motd
-    content: ""
-    force: true
-
-# motd is not used as Ubuntu has its own update-motd framework for dynamic motd generation
-# while for RedHat there is only /etc/motd that doesn't support simple configuration for colored output
-- name: Configure login message
-  template:
-    src: motd.j2
-    dest: /etc/profile.d/motd.sh
-    mode: u=rwx,go=rx
-    owner: root
-    group: root
-
 - name: Prompt colors
   copy:
     src: operations.sh
@@ -110,19 +91,19 @@
   template:
     src: hosts.j2
     dest: /etc/hosts
-    mode: 0644
+    mode: u=rw,o=r
     owner: root
     group: root
 
 - include_tasks: epiuser.yml
   tags:
     - epiuser
 
-- include_tasks: os_users.yml
+- include_tasks: os-users.yml
   when:
     - specification.users is defined and specification.users | list | length > 0
   tags:
-    - os_users
+    - os-users
 
 - include_tasks: security.yml
   tags:

ansible/playbooks/roles/common/tasks/os_users.yml → ansible/playbooks/roles/common/tasks/os-users.yml

@@ -1,5 +1,4 @@
 ---
-
 # Add users block
 - name: Add user group
   group:

ansible/playbooks/roles/common/tasks/security.yml

@@ -14,7 +14,7 @@
     dest: /etc/ssh/sshd_config
     owner: root
     group: root
-    mode: '0644'
+    mode: u=rw,o=r
     backup: true
 
 # Ansible's replace module hangs without an error,

ansible/playbooks/roles/common/templates/login-message.sh.j2

@@ -0,0 +1,6 @@
+#!/bin/sh
+
+YELLOW='\033[1;33m'
+NC='\033[0m'
+
+echo -e "${YELLOW}Current epicli version: {{ _version }}, see details: /var/lib/epiphany/history.yml${NC}\n"

ansible/playbooks/roles/grafana/defaults/main.yml

@@ -1,15 +1,4 @@
 ---
-grafana_version: 7.3.5
-
-grafana_package:
-  filename:
-    Debian:
-      aarch64: null
-      x86_64: grafana_7.3.5_amd64.deb
-    RedHat:
-      aarch64: grafana-7.3.5-1.aarch64.rpm
-      x86_64: grafana-7.3.5-1.x86_64.rpm
-
 # Should the provisioning be kept synced. If true, previous provisioned objects will be removed if not referenced anymore.
 grafana_provisioning_synced: "{{ specification.grafana_provisioning_synced }}"
 

ansible/playbooks/roles/grafana/defaults/upgrade.yml

@@ -0,0 +1,2 @@
+---
+state_file_path: /var/lib/epiphany/upgrade/state/grafana.uncompleted

ansible/playbooks/roles/grafana/defaults/versions.yml

@@ -0,0 +1,11 @@
+---
+grafana_version: 8.3.2
+
+grafana_package:
+  filename:
+    Debian:
+      aarch64: null
+      x86_64: grafana_8.3.2_amd64.deb
+    RedHat:
+      aarch64: grafana-8.3.2-1.aarch64.rpm
+      x86_64: grafana-8.3.2-1.x86_64.rpm

ansible/playbooks/roles/grafana/tasks/install.yml

@@ -1,4 +1,13 @@
 ---
+- name: Load Grafana version vars
+  include_vars:
+    file: roles/grafana/defaults/versions.yml
+    name: grafana_version_vars
+
+- name: Set Grafana package facts
+  set_fact:
+    grafana_package: "{{ grafana_version_vars.grafana_package }}"
+
 - name: Remove conflicting grafana packages
   package:
     name: grafana-data