[DO-1600] Change to manually deploy gitea-sonarqube-bot (!67)

[DO-1600]

Co-authored-by: denis.patrakeev <denis.patrakeev@avroid.tech>
Reviewed-on: https://git.avroid.tech/K8s/k8s-configs/pulls/67

clusters/k8s-avroid-office.prod.local/namespaces/avroid-staging/security/gitea-sonarqube-bot-staging/README.md

@@ -0,0 +1,68 @@
+# Install [Gitea SonarQube Bot](https://codeberg.org/justusbunsi/gitea-sonarqube-bot/src/branch/main/helm) with [custom container](https://git.avroid.tech/andrey.danin/gitea-sonarqube-bot)
+
+## Create from version
+| Project             | Version    |
+|---------------------|------------|
+| Gitea SonarQube Bot | 0.3.4      |
+| Custom container    | avr-v0.3.4 |
+
+## Install
+Настраиваем для работы файл конфигурации kubectl для подключения к кластеру Kubernetes
+
+Готовим служебную УЗ для vault (ЭТО АВТОМАТИЗИРОВАНО через ArgoCD):
+```bash
+kubectl apply -f .rbac/vault-service-account.yaml
+kubectl apply -f .rbac/harbor-registry-secret.yaml
+```
+
+Получаем из Vault секреты с паролями/токенами/сертификатами и выгружаем в окружение оболочки:
+```bash
+./gitea_sonarqube_bot_staging_values_secrets_init.sh
+
+source .creds
+```
+
+Применяем сетевые политики:
+```bash
+kubectl -n avroid-staging apply -f gitea-sonarqube-bot-staging-network-policy.yaml
+```
+
+И производим непосредственную установку:
+
+```bash
+helm repo add gitea-sonarqube-bot https://codeberg.org/justusbunsi/gitea-sonarqube-bot/raw/branch/charts/
+helm repo update
+
+helm install -n avroid-staging gitea-sonarqube-bot gitea-sonarqube-bot/gitea-sonarqube-bot -f values-override.yaml \
+  --set app.configuration.gitea.token.value=$GSB_GITEA_TOKEN_VALUE \
+  --set app.configuration.gitea.webhook.secret=$GSB_GITEA_WEBHOOK_SECRET \
+  --set app.configuration.sonarqube.token.value=$GSB_SONARQUBE_TOKEN_VALUE \
+  --set app.configuration.sonarqube.webhook.secret=$GSB_SONARQUBE_WEBHOOK_SECRET \
+  --set app.configuration.bitbucket.webhook.secret=$GSB_BITBUCKET_WEBHOOK_SECRET
+```
+
+
+## Upgrade/Changes
+Обновление настроек и чарта делаем так:
+
+В начале сравниваем содержимое `values-override.yaml` с исходным файлом `values.yaml`
+(ссылка на исходную версию зафиксирована в заголовке `values-override.yaml`) через diff (IDE лучше).
+Или с новой версией `values.yaml` в Helm-чарте.
+Вносим необходимые правки, новые опции или добавляем секреты.
+
+Получаем из Vault секреты с паролями/токенами/сертификатами и выгружаем в окружение оболочки:
+```bash
+./gitea_sonarqube_bot_staging_values_secrets_init.sh
+
+source .creds
+```
+
+Затем применяем:
+```bash
+helm upgrade -n avroid-staging gitea-sonarqube-bot gitea-sonarqube-bot/gitea-sonarqube-bot -f values-override.yaml \
+  --set app.configuration.gitea.token.value=$GSB_GITEA_TOKEN_VALUE \
+  --set app.configuration.gitea.webhook.secret=$GSB_GITEA_WEBHOOK_SECRET \
+  --set app.configuration.sonarqube.token.value=$GSB_SONARQUBE_TOKEN_VALUE \
+  --set app.configuration.sonarqube.webhook.secret=$GSB_SONARQUBE_WEBHOOK_SECRET \
+  --set app.configuration.bitbucket.webhook.secret=$GSB_BITBUCKET_WEBHOOK_SECRET
+```

clusters/k8s-avroid-office.prod.local/namespaces/avroid-staging/security/gitea-sonarqube-bot-staging/argocd-apps-gitea-sonarqube-bot-staging-app.yaml

@@ -1,51 +0,0 @@
----
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: gitea-sonarqube-bot-staging
-  namespace: argocd
-  finalizers:
-    - resources-finalizer.argocd.argoproj.io
-spec:
-  project: gitea-sonarqube-bot-staging
-  destination:
-    server: https://kubernetes.default.svc
-    namespace: avroid-staging
-  sources:
-    - repoURL: https://git.avroid.tech/K8s/k8s-configs.git
-      targetRevision: master
-      ref: values
-    - repoURL: https://nexus.avroid.tech/repository/devops-helm-proxy-helm/
-      chart: "justusbunsi/gitea-sonarqube-bot/gitea-sonarqube-bot"
-      targetRevision: 0.3.4
-      helm:
-        valueFiles:
-          - $values/clusters/k8s-avroid-office.prod.local/namespaces/avroid-staging/security/gitea-sonarqube-bot-staging/values-ovveride.yaml
-  syncPolicy:
-    automated:
-      prune: true
-      selfHeal: true
-    syncOptions:
-      - ApplyOutOfSyncOnly=true
-      - CreateNamespace=true
----
-apiVersion: argoproj.io/v1alpha1
-kind: AppProject
-metadata:
-  name: gitea-sonarqube-bot-staging
-  namespace: argocd
-  # Finalizer that ensures that project is not deleted until it is not referenced by any application
-  finalizers:
-    - resources-finalizer.argocd.argoproj.io
-spec:
-  sourceRepos:
-    - https://git.avroid.tech/K8s/k8s-configs.git
-    - https://nexus.avroid.tech/repository/devops-helm-proxy-helm/
-  # Only permit applications to deploy to the guestbook namespace in the same cluster
-  destinations:
-    - namespace: avroid-staging
-      server: https://kubernetes.default.svc
-  # Deny all cluster-scoped resources from being created, except for Namespace
-  clusterResourceWhitelist:
-    - group: ''
-      kind: Namespace

clusters/k8s-avroid-office.prod.local/namespaces/avroid-staging/security/gitea-sonarqube-bot-staging/argocd-apps-gitea-sonarqube-bot-staging-secret-from-vault.yaml

@@ -1,20 +0,0 @@
----
-apiVersion: v1
-kind: Secret
-metadata:
-  labels:
-    app.kubernetes.io/managed-by: argocd
-  name: gitea-sonarqube-bot-staging-secret-from-vault
-  namespace: avroid-staging
-  annotations:
-    vault.security.banzaicloud.io/vault-addr: "https://vault.avroid.tech"
-    vault.security.banzaicloud.io/vault-role: "avroid-staging"
-    vault.security.banzaicloud.io/vault-skip-verify: "false"
-    vault.security.banzaicloud.io/vault-path: "avroid-office"
-type: Opaque
-data:
-  .gitea_token_value: dmF1bHQ6dGVhbS1kZXZvcHMvZGF0YS9hY2NvdW50cy9ib3RzL3NvbmFycXViZS9hdnJvaWQudGVjaC9naXRlYS1zb25hcnF1YmUtYm90LXN0YWdpbmcjYXBwLmNvbmZpZ3VyYXRpb24uZ2l0ZWEudG9rZW4udmFsdWU=
-  .gitea_webhook_secret: dmF1bHQ6dGVhbS1kZXZvcHMvZGF0YS9hY2NvdW50cy9ib3RzL3NvbmFycXViZS9hdnJvaWQudGVjaC9naXRlYS1zb25hcnF1YmUtYm90LXN0YWdpbmcjYXBwLmNvbmZpZ3VyYXRpb24uZ2l0ZWEud2ViaG9vay5zZWNyZXQ=
-  .sonarqube_token_value: dmF1bHQ6dGVhbS1kZXZvcHMvZGF0YS9hY2NvdW50cy9ib3RzL3NvbmFycXViZS9hdnJvaWQudGVjaC9naXRlYS1zb25hcnF1YmUtYm90LXN0YWdpbmcjYXBwLmNvbmZpZ3VyYXRpb24uc29uYXJxdWJlLnRva2VuLnZhbHVl
-  .sonarqube_webhook_secret: dmF1bHQ6dGVhbS1kZXZvcHMvZGF0YS9hY2NvdW50cy9ib3RzL3NvbmFycXViZS9hdnJvaWQudGVjaC9naXRlYS1zb25hcnF1YmUtYm90LXN0YWdpbmcjYXBwLmNvbmZpZ3VyYXRpb24uc29uYXJxdWJlLndlYmhvb2suc2VjcmV0
-  .bitbucket_webhook_secret: dmF1bHQ6dGVhbS1kZXZvcHMvZGF0YS9hY2NvdW50cy9ib3RzL3NvbmFycXViZS9hdnJvaWQudGVjaC9naXRlYS1zb25hcnF1YmUtYm90LXN0YWdpbmcjYXBwLmNvbmZpZ3VyYXRpb24uYml0YnVja2V0LndlYmhvb2suc2VjcmV0

clusters/k8s-avroid-office.prod.local/namespaces/avroid-staging/security/gitea-sonarqube-bot-staging/gitea_sonarqube_bot_staging_values_secrets_init.sh

@@ -0,0 +1,24 @@
+#!/bin/sh
+set -e
+
+rm -rf .creds
+
+gitea_sonarqube_bot_config_gitea_token_value=$(vault kv get team-devops/data/accounts/bots/sonarqube/avroid.tech/gitea-sonarqube-bot-staging | grep app.configuration.gitea.token.value | awk '{print $2}')
+gitea_sonarqube_bot_config_gitea_webhook_secret=$(vault kv get team-devops/data/accounts/bots/sonarqube/avroid.tech/gitea-sonarqube-bot-staging | grep app.configuration.gitea.webhook.secret | awk '{print $2}')
+
+gitea_sonarqube_bot_config_sonarqube_token_value=$(vault kv get team-devops/data/accounts/bots/sonarqube/avroid.tech/gitea-sonarqube-bot-staging | grep app.configuration.sonarqube.token.value | awk '{print $2}')
+gitea_sonarqube_bot_config_sonarqube_webhook_secret=$(vault kv get team-devops/data/accounts/bots/sonarqube/avroid.tech/gitea-sonarqube-bot-staging | grep app.configuration.sonarqube.webhook.secret | awk '{print $2}')
+
+gitea_sonarqube_bot_config_bitbucket_webhook_secret=$(vault kv get team-devops/data/accounts/bots/sonarqube/avroid.tech/gitea-sonarqube-bot-staging | grep app.configuration.bitbucket.webhook.secret | awk '{print $2}')
+
+cat > .creds << EOF
+export GSB_GITEA_TOKEN_VALUE='${gitea_sonarqube_bot_config_gitea_token_value}'
+export GSB_GITEA_WEBHOOK_SECRET='${gitea_sonarqube_bot_config_gitea_webhook_secret}'
+export GSB_SONARQUBE_TOKEN_VALUE='${gitea_sonarqube_bot_config_sonarqube_token_value}'
+export GSB_SONARQUBE_WEBHOOK_SECRET='${gitea_sonarqube_bot_config_sonarqube_webhook_secret}'
+export GSB_BITBUCKET_WEBHOOK_SECRET='${gitea_sonarqube_bot_config_bitbucket_webhook_secret}'
+EOF
+
+echo "Run:"
+echo '  1. source .creds'
+echo '  2. kubectl -n avroid-staging apply -f gitea-sonarqube-bot-staging-network-policy.yaml'

clusters/k8s-avroid-office.prod.local/namespaces/avroid-staging/security/gitea-sonarqube-bot-staging/values-ovveride.yaml

@@ -59,9 +59,7 @@ app:
       ## User needs "Read project" permissions with access to "Pull Requests"
       ## @param app.configuration.gitea.token.value Gitea token as plain text. Can be replaced with `file` key containing path to file.
       token:
-        # value: ""
+        value: ""
-        # # or path to file containing the plain text secret
-        file: /bot/secrets/.gitea_token_value
 
       ## If the sent webhook has a signature header, the bot validates the request payload. If the value does not match, the
       ## request will be ignored.
@@ -70,9 +68,7 @@ app:
       ## @param app.configuration.gitea.webhook.secret Secret for signature header (in plaintext)
       ## @extra app.configuration.gitea.webhook.secretFile Path to file containing the plain text secret. Alternative to inline `app.configuration.gitea.webhook.secret`
       webhook:
-        # secret: ""
+        secret: ""
-        # # or path to file containing the plain text secret
-        secretFile: /bot/secrets/.gitea_webhook_secret
 
     ## SonarQube related configuration. Necessary for requesting data from the API and processing the webhook.
     sonarqube:
@@ -83,9 +79,7 @@ app:
       ## User needs "Browse on project" permissions
       ## @param app.configuration.sonarqube.token.value SonarQube token as plain text. Can be replaced with `file` key containing path to file.
       token:
-        # value: ""
+        value: ""
-        # # or path to file containing the plain text secret
-        file: /bot/secrets/.sonarqube_token_value
 
       ## If the sent webhook has a signature header, the bot validates the request payload. If the value does not match, the
       ## request will be ignored.
@@ -95,9 +89,7 @@ app:
       ## @param app.configuration.sonarqube.webhook.secret Secret for signature header (in plaintext)
       ## @extra app.configuration.sonarqube.webhook.secretFile Path to file containing the plain text secret. Alternative to inline `app.configuration.sonarqube.webhook.secret`
       webhook:
-        # secret: ""
+        secret: ""
-        # # or path to file containing the plain text secret
-        secretFile: /bot/secrets/.sonarqube_webhook_secret
 
     ## List of project mappings to take care of. Webhooks for other projects will be ignored.
     ## At least one must be configured. Otherwise, all webhooks (no matter which source) because the bot cannot map on its own.
@@ -123,20 +115,7 @@ app:
 
     bitbucket:
       webhook:
-        secretFile: /bot/secrets/.bitbucket_webhook_secret
+        secret: ""
-
-
-## @param volumes If token and webhook secrets shall be provided via file, volumes and volume mounts can be configured to setup the environment accordingly
-volumes:
-  - name: gitea-sonarqube-bot-staging-secrets
-    secret:
-      secretName: gitea-sonarqube-bot-staging-secret-from-vault
-
-## @param volumeMounts If token and webhook secrets shall be provided via file, volumes and volume mounts can be configured to setup the environment accordingly
-volumeMounts:
-  - name: gitea-sonarqube-bot-staging-secrets
-    readOnly: true
-    mountPath: "/bot/secrets"
 
 ## @section Security parameters