Feature enable gitea runner on preprod (#1356)

* New syntax for SMTP gateway (#1342)

New syntax for SMTP gateway

Add SMTP_PORT key for new syntax

Reviewed-by: Vladimir Hasko <[email protected]>

* Update helm-dependency-bot.yml (#1343)

Update helm-dependency-bot.yml

Fix path to helm-charts dir
Change peter-evans/create-pull-reques version from 5 to 7

Reviewed-by: Vladimir Hasko <[email protected]>

* Update helm-dependency-bot.yml (#1344)

Update helm-dependency-bot.yml

Path to YAMLs changed

Reviewed-by: Vladimir Hasko <[email protected]>

* Update helm-dependency-bot.yml (#1345)

Update helm-dependency-bot.yml

Reviewed-by: Vladimir Hasko <[email protected]>

* Handling quotation marks (#1348)

Handling quotation marks

Fix script for work with double, single or no quotation marks at all

Reviewed-by: SebastianGode
Reviewed-by: Tino Schr

* new redirections for internal HC portal (#1349)

new redirections for internal HC portal

Reviewed-by: Tino Schr

* Unbound fix (#1350)

Unbound fix

Set up the unbound service to run only with ipv4 and on the localhost.

Reviewed-by: Vladimir Hasko <[email protected]>

* Remove Vova from codowners (#1352)

Remove Vova from codowners

Remove Vladimir Vshivkov from codowners for this repo

Reviewed-by: LukasCuperDT

* EoD release 0.1.37 (#1353)

EoD release 0.1.37

Fix regex in eod_7
Change auth in eod_7 from basic to header

Reviewed-by: Anton Sidelnikov
Reviewed-by: Vladimir Hasko <[email protected]>

* Remove inactive users from bridge (#1366)

Remove inactive users from bridge

Remove (enrrou) from bridge and other hosts
Remove (gtema) from bridge and other hosts

Reviewed-by: Tino Schr

* Update Gitea app.ini.j2 to block access through direct IP (#1371)

Update Gitea app.ini.j2 to block access through direct IP

Reviewed-by: LukasCuperDT

* Disable internal metrics for the influx (#1370)

Disable internal metrics for the influx

Reviewed-by: SebastianGode
Reviewed-by: Tino Schr

* Adding gitea behind proxy (#1372)

Adding gitea behind proxy

Reviewed-by: Tino Schr

* Adding gitea behind proxy (#1373)

Adding gitea behind proxy

Reviewed-by: Tino Schr

* Adding gitea behind proxy (#1374)

Adding gitea behind proxy

Reviewed-by: Tino Schr

* Update nginx-site.conf in swiss int to not allow unsafe URL characters (#1377)

Update nginx-site.conf in swiss int to not allow unsafe URL characters

Reviewed-by: Tino Schr

* Fix SSRF possibility on all helpcenter websites (#1378)

Fix SSRF possibility on all helpcenter websites

Reviewed-by: Tino Schr

* updating public key for user (#1381)

updating public key for user

Reviewed-by: Tino Schr

* Gitea3 setup (#1382)

Gitea3 setup

Reviewed-by: Vladimir Hasko <[email protected]>
Reviewed-by: Tino Schr

* Add Ubuntu noble to sources list (#1384)

Add Ubuntu noble to sources list

Reviewed-by: Vladimir Hasko <[email protected]>

* Ubuntu noble (#1385)

Ubuntu noble

Reviewed-by: Vladimir Hasko <[email protected]>

* Enabling gitea runner in k8s

* Enabling persistance

---------

Co-authored-by: Yustina Kvrivishvili <[email protected]>
Co-authored-by: Vladimir Hasko <[email protected]>
Co-authored-by: Sergei Martynov <[email protected]>
Co-authored-by: SebastianGode <[email protected]>

Author: 5 people

.github/CODEOWNERS

@@ -1,2 +1,2 @@
 # Admins must approve changes to systems configuration
-* @otcbot @vladimirhasko @vladimirvshivkov @tischrei @LukasCuperDT
+* @otcbot @vladimirhasko @tischrei @LukasCuperDT

.github/scripts/check_helm_dependencies.py

@@ -163,27 +163,55 @@ def update_chart_dependencies_for_app(app_data):
 
     for dep in updates:
         file_path = dep['file_path']
-        current_version = dep['current_version']
-        latest_version = dep['latest_version']
+        current_version = str(dep['current_version']).strip('"\'')
+        latest_version = str(dep['latest_version']).strip('"\'')
 
         try:
             with open(file_path, 'r') as f:
-                lines = f.readlines()
-
-            updated_lines = []
-            for line in lines:
-                if f'name: {dep["name"]}' in line:
-                    updated_lines.append(line)
-                elif 'version:' in line and len(updated_lines) > 0 and f'name: {dep["name"]}' in updated_lines[-1]:
-                    updated_line = line.replace(f'"{current_version}"', f'"{latest_version}"')
-                    updated_lines.append(updated_line)
-                else:
-                    updated_lines.append(line)
-
-            with open(file_path, 'w') as f:
-                f.writelines(updated_lines)
-
-            logging.info("Version has been updated for %s in %s", dep['name'], file_path)
+                content = f.read()
+
+            logging.info("Updating %s from %s to %s in %s", dep['name'], current_version, latest_version, file_path)
+
+            updated = False
+            pattern_used = ""
+
+            # Double quotes
+            old_pattern = f'version: "{current_version}"'
+            new_pattern = f'version: "{latest_version}"'
+            if old_pattern in content:
+                content = content.replace(old_pattern, new_pattern)
+                updated = True
+                pattern_used = "double quotes"
+
+            # Single quotes
+            if not updated:
+                old_pattern = f"version: '{current_version}'"
+                new_pattern = f"version: '{latest_version}'"
+                if old_pattern in content:
+                    content = content.replace(old_pattern, new_pattern)
+                    updated = True
+                    pattern_used = "single quotes"
+
+            # No quotes
+            if not updated:
+                lines = content.split('\n')
+                for i, line in enumerate(lines):
+                    if f'version: {current_version}' in line and line.strip().endswith(current_version):
+                        lines[i] = line.replace(f'version: {current_version}', f'version: {latest_version}')
+                        updated = True
+                        pattern_used = "no quotes"
+                        break
+
+                if updated:
+                    content = '\n'.join(lines)
+
+            if updated:
+                with open(file_path, 'w') as f:
+                    f.write(content)
+                logging.info("Version has been updated for %s in %s (used pattern: %s)",
+                             dep['name'], file_path, pattern_used)
+            else:
+                logging.error("Error during update %s in %s: could not find version pattern", dep['name'], file_path)
 
         except Exception as e:
             logging.error("Error during update %s in %s: %s", dep['name'], file_path, str(e))

.github/workflows/helm-dependency-bot.yml

@@ -7,7 +7,7 @@ on:
   push:
     branches: [ main ]
     paths:
-      - 'kubernetes/argocd-apps/system/**/Chart.yaml'
+      - 'kubernetes/helm_charts/**/Chart.yaml'
 
 jobs:
   check-helm-dependencies:
@@ -40,11 +40,11 @@ jobs:
         run: python .github/scripts/check_helm_dependencies.py
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          CHART_PATH: "kubernetes/argocd-apps/system"
+          CHART_PATH: "kubernetes/helm_charts"
 
       - name: Create Pull Request
         if: steps.dependency-check.outputs.has_updates == 'true'
-        uses: peter-evans/create-pull-request@v5 # don't update this action version!!!
+        uses: peter-evans/create-pull-request@v7
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           commit-message: "chore: update helm chart dependencies"
@@ -53,5 +53,5 @@ jobs:
           branch: helm-dep-updates
           delete-branch: true
           add-paths: |
-            kubernetes/argocd-apps/system/**/*
+            kubernetes/helm_charts/**/*
           labels: dependencies, helm-charts

inventory/base/group_vars/all.yaml

@@ -38,26 +38,13 @@ unbound_forward_zones: []
 # When adding new users, always pick a UID larger than the last UID, do not
 # fill in holes in the middle of the range.
 all_users:
-  gtema:
-    comment: A. G.
-    key: |
-      ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDBBVL8LJ14SfFPK2zNeuO8rglURUJ32LFQXn0IzinZ7Y3ic8vtmF+UBvg+h8th56GZ3/DR9b+zcXfbA+0cdfTr+BWlDCYwcLab2vgU/S9FyQBzYr7ZWxtEFOmb5ztVp2b5wFt/DD7YBfyJNzM9SpVQDO4furwNZDq5af0+D67KOsV2BPLXL4/zMGkLR3TSFNzdJCSLrWML96NWK1FvpEjDroyKXFTVVcLBTgtBnFtpjpUzmlJSntaUxTQq1htiWLTGQL3ApLqx7YYctxDDkeBrWGSQPZgFppqhk5U8sWE9ieGztGuVyYzAhvz8YO9nm8M26izVebjwe+9u1hqa3Pk9 artem.goncharov
-      [email protected] AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIFhfujbhx20AzKf2okw9WnduPe2keIWkFDhsSLNlvMd6AAAABHNzaDo= gtema@yubikey
-    uid: 2000
-    gid: 2000
 
   vhasko:
     comment: V. H.
     key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCvurvAWz7ourNA8rGKFK94qP4qNtSGO28hd5mx76LdbFoNAj0vMj+Uwsxjz00zQjGvWWoL8aRVP/It5P/eAz4C/kzhQcB5s+mOSKcwus5bZMtefyusEN1jr2035bOVpdrV5h8OpNUZ4WJRxfUNb46sz89Y/C49dUPsWY+ZpwDFk4xrYmihPQQyogEJ5PDXvdtNbcW/QA2gj4U+HFWY7vnmiC7tfViX1d3Ne0d4pb1XKiTMiFyQH0jRAF4ydIku4kIG7sqw9HAKoDeOzIbh+LYBO6qbefpH8jF/VVJyc+jmBx49VFAfiNfOg58QwrnKmXWF640O5J1UhDrvoAT8A2y1 vladimir.hasko
     uid: 2002
     gid: 2002
 
-  enrrou:
-    comment: V. V.
-    key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDF0YWXjTSh8DOgVH8nZPEP+9ZaTvRP3TF4qTUxZ7knHM1H6Rx0IROHa60l19J4+X7Cmu7dsNtSVslXAAVCEO5Wcrm5cU8IbczBPQKoGYpAvGaYqneuzl9Yp8MH3HpPs6nJ1REA3lwB1TcmuyDJklb2sG86Iug4+D3EnovMnzrv+75ypuEOTMxQzj2h7f3twSKX5DFulrKsHW0+HWRhTXMD/k/HnJrXsbm/H9KAg+916zbykUitggRl1pznlUzjD5zm1cvg6bO0mnb8dE9KoE28cXJacMOV/8/KKIpL0EU4WAIcRKmjZ3k/gNSrl6ONvP2OxyeESyjN0BSobspsu71V [email protected]
-    uid: 2003
-    gid: 2003
-
   ibakhter:
     comment: I. B.
     key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPcpgCsi22OOoMNuzQG04YFU3pb2W0ZU/iLsFCWbrtkH ibakhter
@@ -92,7 +79,7 @@ all_users:
     key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCpHyuVlTQDcE+YBqHj40ci7kBXMI7qnytu3kv2KhlUqAa/nrl1rSz52bY1ON+3e+rUNL+qtPHTfd9ryQHXviYZ20atxeP9yx4OmAtvf8QiBbCO8C+LPDWU9TGSl1RB4AiArZbS3y9lQI+7OooI4zGeqvfed00sqVDgCKrbqdUqWofz56Cqst587KJfZlXjl7YGfU6W3JmpynyIH3krxwFtqyfPxBuo0iR5FSP82SdAcka0PR5Dcji9QQ5fA7BSjnGZPDg9esBGmGnaXQB/6E9G78utenQ6uHeOoH+qAgkAbZxjGuJcuLmXjXPQQD7IEsTdkMGvQbs8wAJ08JQDVKbj smartynov
     uid: 2034
     gid: 2034
-  
+
   magnus:
     comment: N. M.
     key: ssh-rsa AAAAB3NzaC1yc2EAAAAEQAAAgQAAAQEAosSxGuQH2SWqZugOMGiw4F3HzdORT9ZO1m+9p48IjQVzf57N6o08NLJFvRWTFHR8VxI1Y5o2w1fsCEPL3njtKl6MpIDSbvBDXugEK9pHcVZDMUllbKYtD8v6UHSJ70FqeE9VpAVHN/+/RklpsfPfmfxdScqJsrCSmFGCSYPj1bl6SVlYefKfu7NXYBK8seWp4l+iiVbX0M1D0R90xq2oPRkdlW5TntvTW5TJDPwxhd6y/qfQsSOmPUTHMc7XnzqcdPaHalzU3Uuvo+1PXeap9b6q3EA1/Jnu+QnNrZ6K0aCDrfIVtpB8ZtuLWUR2IcyTAN/gQLwHv5U7zn2O7/HRzw==
@@ -113,15 +100,13 @@ all_users:
 
   lcuper:
     comment: L. C.
-    key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBrioFxInmU3lhbsOTTHJieHZ7h4G+dR6/OJNHyQv+3m
+    key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAao5SSjPTNQeH+fXaqzH56VrW/8/loNLFys35zXvCI3 A200014817@T00248c62a
     uid: 2037
     gid: 2037
 
 # List of users to install on all hosts
 base_users:
-  - gtema
   - vhasko
-  - enrrou
   - smartynov
   - magnus
   - yustina

inventory/base/hosts.yaml

@@ -337,6 +337,16 @@ all:
         region: "eu-de"
       host_keys:
         - 'ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMwpqYLQ4fhqdGm6NHsDuQIjwpXUJJOSqDRCoPBA4hzwGD67q+2YnSLnxHk78WhFEEhERaA0U4Rpxpt9hkjoG38='
+    gitea3.eco.tsi-dev.otc-service.com:
+      ansible_host: 192.168.170.201
+      ansible_user: automation
+      public_v4: 192.168.170.201
+      location:
+        cloud: "otc_vault_448_de_eco_infra"
+        az: "eu-de-03"
+        region: "eu-de"
+      host_keys:
+        - 'ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKmIa77z0yhdJj4aXvF0T78spnOYxqhimAhfTzMy2mK8TPycf3ICzsIivooOPtjz9y2LsuOGe+S5bX42QQJh8bo='
     keycloak1.eco.tsi-dev.otc-service.com:
       ansible_host: 192.168.170.90
       ansible_user: automation

inventory/service/group_vars/proxy.yaml

@@ -238,6 +238,31 @@ proxy_backends:
         address: "192.168.171.6:443"
         opts: "ssl verify none"
 
+  - name: "gitea"
+    options:
+      - "http-check send hdr Host gitea.eco.tsi-dev.otc-service.com"
+      - "option forwardfor"
+      - "default-server check inter 5s fall 5 rise 1"
+      # Block access by IP address, only allow domain name
+      - "acl valid_host hdr(host) -i gitea.eco.tsi-dev.otc-service.com"
+      - "acl valid_host hdr(host) -i gitea.eco.tsi-dev.otc-service.com:443"
+      - "acl valid_host hdr(host) -i gitea.eco.tsi-dev.otc-service.com:2222"
+      - "http-request deny if !valid_host"
+      # Set proper host header for backend
+      - "http-request set-header Host gitea.eco.tsi-dev.otc-service.com"
+    domain_names:
+      - "gitea.eco.tsi-dev.otc-service.com"
+    servers:
+      - name: "gitea1"
+        address: "192.168.170.200:3000"
+        opts: "check cookie gitea1 ssl verify none"
+      - name: "gitea2"
+        address: "192.168.150.200:3000"
+        opts: "check cookie gitea2 ssl verify none"
+      - name: "gitea3"
+        address: "192.168.170.201:3000"
+        opts: "check cookie gitea3 ssl verify none"
+
 proxy_frontends:
   - name: "influx"
     bind: "*:8086 ssl crt /etc/ssl/{{ inventory_hostname }}/haproxy"
@@ -251,7 +276,11 @@ proxy_frontends:
     bind: "*:8200 ssl crt /etc/ssl/{{ inventory_hostname }}/haproxy"
     backend: "vault"
 
+  - name: "gitea-ssh"
+    bind: "*:2222"
+    backend: "gitea"
+
 statsd_host: "192.168.14.12"
 statsd_port: "8125"
 
-haproxy_expose_ports: ['80', '443', '8086', '8200', '8448']
+haproxy_expose_ports: ['80', '443', '2222', '8086', '8200', '8448']

inventory/service/groups.yaml

@@ -182,6 +182,7 @@ groups:
     - vault3.eco.tsi-dev.otc-service.com
     - gitea1.eco.tsi-dev.otc-service.com
     - gitea2.eco.tsi-dev.otc-service.com
+    - gitea3.eco.tsi-dev.otc-service.com
     - keycloak1.eco.tsi-dev.otc-service.com
     - db1.cloudmon.eco.tsi-dev.otc-service.com
     - db2.cloudmon.eco.tsi-dev.otc-service.com
@@ -253,6 +254,7 @@ groups:
   gitea:
     - gitea1.eco.tsi-dev.otc-service.com
     - gitea2.eco.tsi-dev.otc-service.com
+    - gitea3.eco.tsi-dev.otc-service.com
 
   keycloak:
     - keycloak1.eco.tsi-dev.otc-service.com

inventory/service/host_vars/gitea3.eco.tsi-dev.otc-service.com.yaml

@@ -0,0 +1,83 @@
+image: "Standard_Ubuntu_24.04_amd64_uefi_latest"
+flavor: "c4.xlarge.4"
+security_groups: ["common_sg", "gitea_sg"]
+nics:
+  - fixed_ip: "192.168.170.201"
+    net-name: "infra-net"
+root_volume:
+  size: 20
+  type: "SSD"
+  encrypted: true
+  kms_id: "49602830-d588-4d66-bd86-e57ea29eaed2"
+auto_ip: false
+
+data_volumes:
+  - name: "var"
+    size: 100
+    type: "SSD"
+    encrypted: true
+    kms_id: "49602830-d588-4d66-bd86-e57ea29eaed2"
+  - name: "home"
+    size: 20
+    type: "SSD"
+    encrypted: true
+    kms_id: "49602830-d588-4d66-bd86-e57ea29eaed2"
+  - name: "gitea3"
+    size: 1024
+    type: "SSD"
+    encrypted: true
+    kms_id: "49602830-d588-4d66-bd86-e57ea29eaed2"
+userdata: |
+  #cloud-config
+  disk_setup:
+    /dev/vdb:
+      table_type: 'mbr'
+      layout:
+        - 100
+    /dev/vdc:
+      table_type: 'mbr'
+      layout:
+        - 100
+    /dev/vdd:
+      table_type: 'mbr'
+      layout:
+        - 100
+  fs_setup:
+    - label: var
+      filesystem: ext4
+      device: '/dev/vdb1'
+    - label: home
+      filesystem: ext4
+      device: '/dev/vdc1'
+    - label: gitea3
+      filesystem: ext4
+      device: '/dev/vdd1'
+  mounts:
+    - [ "LABEL=home", "/home", "auto", "defaults", "0", "2" ]
+  groups:
+    - automation
+  users:
+    - default
+    - name: automation
+      primary_group: automation
+      ssh_authorized_keys:
+        - "{{ bastion_public_key }}"
+      sudo: ALL=(ALL) NOPASSWD:ALL
+  runcmd:
+    - mkdir /mnt/vdb && mount /dev/vdb1 /mnt/vdb
+    - cp -a /var/* /mnt/vdb/
+    - umount /mnt/vdb && rmdir /mnt/vdb
+    - echo "LABEL=var   /var   auto   defaults,comment=cloudconfig  0 2" >> /etc/fstab
+    - echo "LABEL=gitea3   /var/lib/gitea   auto   defaults  0 2" >> /etc/fstab
+    - mount /var
+    - mkdir -p /var/lib/gitea
+    - mount /var/lib/gitea
+
+ssl_certs:
+  gitea:
+    - "gitea3.eco.tsi-dev.otc-service.com"
+    - "gitea.eco.tsi-dev.otc-service.com"
+gitea_cert: "gitea"
+
+firewalld_extra_services_enable: ['https']
+firewalld_extra_ports_enable: ['2222/tcp']

inventory/service/host_vars/proxy1.eco.tsi-dev.otc-service.com.yaml

@@ -28,6 +28,7 @@ ssl_certs:
     - "opensearch-stg.eco.tsi-dev.otc-service.com"
     - "opensearch-stg-dashboard.eco.tsi-dev.otc-service.com"
     - "keycloak.eco.tsi-dev.otc-service.com"
+    - "gitea.eco.tsi-dev.otc-service.com"
   matrix:
     - "matrix.otc-service.com"
   docs:

inventory/service/host_vars/proxy2.eco.tsi-dev.otc-service.com.yaml

@@ -29,6 +29,7 @@ ssl_certs:
     - "opensearch-stg.eco.tsi-dev.otc-service.com"
     - "opensearch-stg-dashboard.eco.tsi-dev.otc-service.com"
     - "keycloak.eco.tsi-dev.otc-service.com"
+    - "gitea.eco.tsi-dev.otc-service.com"
   matrix:
     - "matrix.otc-service.com"
   docs: