Prepare release 4.9.0

CHANGELOG.md

@@ -6,11 +6,17 @@
 
 
 ### Changed
-
+- Nexus storage change ([#1341](https://github.com/opendevstack/ods-core/issues/1341))
+- Update Aqua cli to 760 ([#1344](https://github.com/opendevstack/ods-core/pull/1344))
 
 ### Fixed
 
 
+## [4.9.0] - 2025-8-06
+
+- Security improvements ([#1328](https://github.com/opendevstack/ods-core/pull/1328))
+- Added Helm Opentelemetry Collector Infrastructure configuration (([#1339](https://github.com/opendevstack/ods-core/issues/1339))
+
 ## [4.8.0] - 2025-4-10
 
 ### Added

Makefile

@@ -163,6 +163,22 @@ configure-nexus:
 ### configure-nexus is not part of install-nexus because it is not idempotent yet.
 
 
+# OPENTELEMETRY COLLECTOR
+## Install or update Opentelemetry Collector.
+install-opentelemetry-collector: apply-opentelemetry-collector-chart start-opentelemetry-collector-build
+.PHONY: opentelemetry-collector
+
+## Apply OpenShift resources related to the Opentelemetry Collector.
+apply-opentelemetry-collector-chart:
+	cd opentelemetry-collector/chart && envsubst < values.yaml.template > values.yaml && helm upgrade --install --namespace $(ODS_NAMESPACE) opentelemetry-collector . && rm values.yaml
+.PHONY: apply-opentelemetry-collector-chart
+
+## Start build of BuildConfig "Opentelemetry Collector".
+start-opentelemetry-collector-build:
+	ocp-scripts/start-and-follow-build.sh --namespace $(ODS_NAMESPACE) --build-config opentelemetry-collector
+.PHONY: start-opentelemetry-collector-build
+
+
 # BACKUP
 ## Create a backup of the current state.
 backup: backup-sonarqube backup-ocp-config

configuration-sample/ods-core.env.sample

@@ -409,3 +409,31 @@ AQUA_ALERT_EMAILS=
 
 # The name of a Nexus repository to store the reports generated by Aqua
 AQUA_NEXUS_REPOSITORY=leva-documentation
+
+##########################
+# Opentelemety Collector #
+##########################
+# The docker image used to build the Opentelemetry Collector
+OPENTELEMETRY_COLLECTOR_IMAGE=otel/opentelemetry-collector-k8s
+
+# The docker image tag used to build the Opentelemetry Collector
+OPENTELEMETRY_COLLECTOR_IMAGE_TAG=0.123.0-amd64
+
+# The Go memory limit for the Opentelemetry Collector
+OPENTELEMETRY_COLLECTOR_GOMEMLIMIT=128MiB
+
+# The endpoint to send telemetry data using the OpenTelemetry Protocol (OTLP)
+OPENTELEMETRY_COLLECTOR_OTLP_API_ENDPOINT=https://fake-jaeger/v1/traces
+
+# The Authorization Token used to authenticate requests sent to the OTLP_API_ENDPOINT
+OPENTELEMETRY_COLLECTOR_OTLP_API_TOKEN=Api-Token fakeJaegerIDToken
+
+# The Host of the Opentelemetry Collector
+OPENTELEMETRY_COLLECTOR_INGRESS_HOST=fake.opentelemetry-collector.com
+
+# Resource requests and limits for the Opentelemetry Collector
+OPENTELEMETRY_COLLECTOR_CPU_REQUEST=200m
+OPENTELEMETRY_COLLECTOR_MEMORY_REQUEST=128Mi
+OPENTELEMETRY_COLLECTOR_CPU_LIMIT=1
+OPENTELEMETRY_COLLECTOR_MEMORY_LIMIT=256Mi
+

create-projects/Jenkinsfile

@@ -80,7 +80,6 @@ podTemplate(
         sh(
           script: """./create-projects/create-projects.sh --verbose \
             --project=${projectId} \
-            --admins=${projectAdmins} \
             --groups=${projectGroups}""",
           label: 'Create OpenShift projects'
         )

create-projects/create-projects.sh

@@ -84,14 +84,16 @@ fi
 
 if [ -n "${PROJECT_GROUPS}" ]; then
   echo "Seeding special permission groups (${PROJECT_GROUPS}) ..."
+
+  cd_usergroup_role="edit-atlassian-team"
+  usergroup_role="edit"
+  admingroup_role="admin"
+  readonlygroup_role="view"
+
   for group in ${PROJECT_GROUPS//,/ }; do
     groupName=$(echo "${group}" | cut -d "=" -f1)
     groupValue=$(echo "${group}" | cut -d "=" -f2)
 
-    usergroup_role="edit"
-    admingroup_role="admin"
-    readonlygroup_role="view"
-
     if [ "${groupValue}" == "" ]; then
       continue
     fi
@@ -101,7 +103,7 @@ if [ -n "${PROJECT_GROUPS}" ]; then
     if [[ "${groupName}" == *USERGROUP* ]]; then
       oc policy add-role-to-group "${usergroup_role}" "${groupValue}" -n "${PROJECT_ID}-dev"
       oc policy add-role-to-group "${usergroup_role}" "${groupValue}" -n "${PROJECT_ID}-test"
-      oc policy add-role-to-group "${usergroup_role}" "${groupValue}" -n "${PROJECT_ID}-cd"
+      oc policy add-role-to-group "${cd_usergroup_role}" "${groupValue}" -n "${PROJECT_ID}-cd"
     elif [[ "${groupName}" == *ADMINGROUP* ]]; then
       oc policy add-role-to-group "${admingroup_role}" "${groupValue}" -n "${PROJECT_ID}-dev"
       oc policy add-role-to-group "${admingroup_role}" "${groupValue}" -n "${PROJECT_ID}-test"

create-projects/tests/run.sh

@@ -52,20 +52,16 @@ oc mock --receive 'policy add-role-to-group view system:authenticated -n foo-cd'
 oc mock --verify
 
 echo ""
-echo "=== create-projects: With admins but no groups ==="
+echo "=== create-projects: Without admins and no groups ==="
 
 oc mock --receive='new-project' --times 3
 
-# Expect admins
-oc mock --receive 'policy add-role-to-user admin foo.bar@example.com -n foo-cd' --times 1
-oc mock --receive 'policy add-role-to-user admin baz.qux@example.com -n foo-cd' --times 1
-
 # Expect default view/edit setup
 oc mock --receive 'policy add-role-to-group view system:authenticated -n foo-dev' --times 1
 oc mock --receive 'policy add-role-to-group view system:authenticated -n foo-test' --times 1
 oc mock --receive 'policy add-role-to-group view system:authenticated -n foo-cd' --times 1
 
-../create-projects.sh --project foo --admins foo.bar@example.com,baz.qux@example.com --groups=
+../create-projects.sh --project foo --groups=
 
 oc mock --verify
 
@@ -81,7 +77,7 @@ oc mock --receive 'policy add-role-to-group view baz -n foo-cd' --times 1
 
 oc mock --receive 'policy add-role-to-group edit foo -n foo-dev' --times 1
 oc mock --receive 'policy add-role-to-group edit foo -n foo-test' --times 1
-oc mock --receive 'policy add-role-to-group edit foo -n foo-cd' --times 1
+oc mock --receive 'policy add-role-to-group edit-atlassian-team foo -n foo-cd' --times 1
 
 oc mock --receive 'policy add-role-to-group admin bar -n foo-dev' --times 1
 oc mock --receive 'policy add-role-to-group admin bar -n foo-test' --times 1

jenkins/ocp-config/deploy/jenkins-master.yml

@@ -267,18 +267,6 @@ objects:
     name: '${JENKINS_SERVICE_NAME}'
     labels:
       template: ods-jenkins-template
-- apiVersion: authorization.openshift.io/v1
-  kind: RoleBinding
-  metadata:
-    name: '${JENKINS_SERVICE_NAME}_edit'
-    labels:
-      template: ods-jenkins-template
-  roleRef:
-    name: edit
-  subjects:
-    - kind: ServiceAccount
-      name: '${JENKINS_SERVICE_NAME}'
-      namespace: '${TAILOR_NAMESPACE}'
 - apiVersion: v1
   kind: Service
   metadata:

ods-setup/setup-ods-project.sh

@@ -69,6 +69,141 @@ if ! oc adm policy add-cluster-role-to-user self-provisioner system:serviceaccou
   exit 1
 fi
 
+# Create a new role 'edit-atlassian-team' without secret-related resources access
+if ! oc get clusterrole edit-atlassian-team > /dev/null 2>&1; then
+  echo "You might not have enough rights to create the new role 'edit-atlassian-team'."
+  echo "This script needs to be run by a cluster admin."
+
+  # Create a temporary file
+  TEMP_FILE=$(mktemp 2>/dev/null || echo "/tmp/tempfile_$$")
+
+  # Get the edit role YAML and rename it
+  oc get clusterrole edit -o yaml | sed 's/name: edit/name: edit-atlassian-team/' > $TEMP_FILE
+
+  # Process the YAML to remove secret-related resources, empty sections, and metadata fields
+  PROCESSED_FILE=$(mktemp 2>/dev/null || echo "/tmp/tempfile_$$")
+
+  awk '
+  BEGIN { 
+    skip_current_group = 0; 
+    inside_api_group = 0;
+    api_group_buffer = "";
+    skip_section = 0;
+    in_metadata = 0;
+    contains_secret = 0;
+  }
+
+  # Skip metadata fields and sections
+  /creationTimestamp:/ || /resourceVersion:/ || /uid:/ {
+    next;
+  }
+
+  # Detect start of aggregationRule section and skip it
+  /^aggregationRule:/ {
+    skip_section = 1;
+    next;
+  }
+
+  # Detect end of aggregationRule section (when we see apiVersion)
+  /^apiVersion:/ {
+    skip_section = 0;
+    print $0;
+    next;
+  }
+
+  # Track if we are in metadata section
+  /^metadata:/ {
+    in_metadata = 1;
+    print $0;
+    next;
+  }
+
+  # Detect start of annotations or labels in metadata and skip them
+  /^  annotations:/ || /^  labels:/ {
+    if (in_metadata) {
+      skip_section = 1;
+      next;
+    }
+  }
+
+  # Detect when we leave annotations or labels section (any line with single indent level)
+  /^  [a-zA-Z]/ {
+    if (skip_section && in_metadata && $0 !~ /^  annotations:/ && $0 !~ /^  labels:/) {
+      skip_section = 0;
+    }
+  }
+
+  # Detect end of metadata section
+  /^[a-zA-Z]/ && in_metadata && $0 !~ /^metadata:/ {
+    in_metadata = 0;
+  }
+
+  # Skip lines while in a section we want to skip
+  {
+    if (skip_section) {
+      next;
+    }
+  }
+
+  # Detect API Groups line
+  /^- apiGroups:/ {
+    # If we were previously in an API group, print it if it wasnt being skipped and has no secrets
+    if (inside_api_group && !skip_current_group && !contains_secret && api_group_buffer != "") {
+      print api_group_buffer;
+    }
+
+    # Reset variables for new group
+    inside_api_group = 1;
+    api_group_buffer = $0;
+    skip_current_group = 0;
+    contains_secret = 0;
+
+    # Check if this apiGroup itself contains "secret"
+    if ($0 ~ /secret/ || $0 ~ /external-secrets\.io/) {
+      skip_current_group = 1;
+    }
+    next;
+  }
+
+  # Look for resources section that might contain secrets
+  /^  resources:/ {
+    api_group_buffer = api_group_buffer "\n" $0;
+    next;
+  }
+
+  # Check for secret in resource names
+  /^  - / && inside_api_group {
+    # If this resource contains "secret", mark the group for skipping
+    if ($0 ~ /secret/) {
+      contains_secret = 1;
+    }
+    api_group_buffer = api_group_buffer "\n" $0;
+    next;
+  }
+
+  # Process all other lines
+  {
+    if (inside_api_group) {
+      # Add to buffer
+      api_group_buffer = api_group_buffer "\n" $0;
+    } else {
+      # Not in an API group, print directly
+      print $0;
+    }
+  }
+
+  END {
+    # Print the last API group if it wasnt being skipped and has no secrets
+    if (inside_api_group && !skip_current_group && !contains_secret && api_group_buffer != "") {
+      print api_group_buffer;
+    }
+  }' $TEMP_FILE > $PROCESSED_FILE
+
+  # Create the role and clean up
+  oc create -f $PROCESSED_FILE
+  rm $TEMP_FILE $PROCESSED_FILE
+fi
+
 # Create cd-user secret
 cd ${SCRIPT_DIR}/ocp-config/cd-user
 ${TAILOR} -n ${NAMESPACE} apply ${NON_INTERACTIVE} ${REVEAL_SECRETS}

opentelemetry-collector/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

opentelemetry-collector/README.md

@@ -0,0 +1,22 @@
+# Opentelemetry Collector
+
+The OpenTelemetry Collector is a vendor-agnostic way to receive, process, and export telemetry data. It supports various data formats and protocols, making it easy to collect and distribute your observability data.
+
+## Setup
+
+The OpenShift templates are located in the chart directory and can be compared with the OC cluster using Helm. For example, run cd chart && helm secrets diff upgrade to see if there is any drift between the current and desired state.
+
+To install the OpenTelemetry Collector, run:
+
+`helm install opentelemetry-collector .`
+
+## Configuration
+
+All the relevant configuration of the Opentelemetry Collector is store in the config map named collector-config in the same namespace where is running the pod.
+
+## Building a new image
+
+Push to this repository, then go to the build config in OC and start a new build.
+
+Aditionally you can run `make start-opentelemetry-collector-build`.
+

opentelemetry-collector/chart/Chart.yaml

@@ -0,0 +1,25 @@
+apiVersion: v2
+name: opentelemetry-collector
+description: A Helm chart for Kubernetes that defines a Opentelemetry Collector
+icon: https://opentelemetry.io/img/logos/opentelemetry-horizontal-color.svg
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "0.123.0-amd64"