This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

This repository currently has no open or pending branches.

Detected dependencies

Summary

As an engineer
I want to use up-to-date version of tools
So that I can take advantage of the latest improvements

Context

The latest stable Terraform version is v1.0.5 (as of 2021-08-19). However, the component still defaults to Terraform v0.14.8. We should update the component to default to v1.0.5 after verifying that the OCP4 modules (https://github.com/appuio/terraform-openshift4-cloudscale and https://github.com/appuio/terraform-openshift4-exoscale) work with v1.0.5.

I'd propose that we switch to the registry.gitlab.com/gitlab-org/terraform-images/releases/terraform, which has tags that actually correspond to a Terraform version in contrast to the registry.gitlab.com/gitlab-org/terraform-images/releases/0.14 image which we currently use, where tag v0.10.0 doesn't correspond to the Terraform 0.14 patch version (actual Terraform version in registry.gitlab.com/gitlab-org/terraform-images/releases/0.14:v0.10.0 is v0.14.8).

Out of Scope

• Large-scale refactoring of Terraform modules

Further links

• Current latest Terraform version can be seen on https://www.terraform.io/downloads.html
• Available GitLab Terraform image versions can be checked on https://gitlab.com/gitlab-org/terraform-images/container_registry/1803074

Acceptance criteria

• Given that I include this component for my cluster, I'm using Terraform v1.0.x unless I override the Terraform image.

Implementation Ideas

• Update default image version

GitLab CI linting PR check fails (see details below)

Possible actions:

• Remove GitLab ci linting step
• Keep the GitLab CI linting step, but use authentication
  • Use git.vshn.net with a token
  • Use gitlab.com with a token
  • However, this check cannot be done in PR checks, since GitHub won't expose Secrets in PRs for security reasons (leaking etc.)

Steps to Reproduce the Problem

1. make test-cloudscale

Actual Behavior

See logs in https://github.com/appuio/component-openshift4-terraform/runs/2802667905?check_suite_focus=true, e.g.

cat compiled/openshift4-terraform/openshift4-terraform/gitlab-ci.yml | docker run --rm -u "$(id -u)" -w /openshift4-terraform -v "${PWD}/compiled/openshift4-terraform/openshift4-terraform:/openshift4-terraform" -i docker.io/gableroux/gitlab-ci-lint:latest
...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed

  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100  1957  100    30  100  1927    241  15540 --:--:-- --:--:-- --:--:-- 15782
configuration is invalid, unknown status 'null'
make: *** [Makefile:58: .test] Error 254

Reverse-engineering https://www.github.com/GabLeRoux/docker-gitlab-ci-lint showed that the Linting is done with the live API on gitlab.com. The request fails silently with HTTP status 400 from now on.

Turns out GitLab has put the CI-lint API behind authentication: https://about.gitlab.com/releases/2021/06/01/security-release-gitlab-13-12-2-released/#unauthenticated-ci-lint-api-may-lead-to-information-disclosure-and-ssrf

Action points

1. Introduce a simple yaml lint for testing locally
2. Create a restricted token on git.vshn.net
3. Create GH secret so that the check works when linting with git.vshn.net API (set GITLAB_API_URL with user:token@https://... in workflow)
4. Separate the live CI linting from local make targets

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

This repository currently has no open or pending branches.

Detected dependencies

• Check this box to trigger a request for Renovate to run again on this repository