Update maintainers and members of CAS devops team

TL;DR

Topics greatly improve the discoverability of repos; please add the short code from the table below to the topics of your repo so that ministries can use GitHub's search to find out what repos belong to them and other visitors can find useful content (and reuse it!).

Why Topic

In short order we'll add our 800th repo. This large number clearly demonstrates the success of using GitHub and our Open Source initiative. This huge success means its critical that we work to make our content as discoverable as possible; Through discoverability, we promote code reuse across a large decentralized organization like the Government of British Columbia as well as allow ministries to find the repos they own.

What to do

Below is a table of abbreviation a.k.a short codes for each ministry; they're the ones used in all @gov.bc.ca email addresses. Please add the short codes of the ministry or organization that "owns" this repo as a topic.

That's in, you're done!!!

How to use

Once topics are added, you can use them in GitHub's search. For example, enter something like org:bcgov topic:citz to find all the repos that belong to Citizens' Services. You can refine this search by adding key words specific to a subject you're interested in. To learn more about searching through repos check out GitHub's doc on searching.

Pro Tip 🤓

• If your org is not in the list below, or the table contains errors, please create an issue here.

• While you're doing this, add additional topics that would help someone searching for "something". These can be the language used javascript or R; something like opendata or data for data only repos; or any other key words that are useful.

• Add a meaningful description to your repo. This is hugely valuable to people looking through our repositories.

• If your application is live, add the production URL.

Ministry Short Codes

NOTE See an error or omission? Please create an issue here to get it remedied.

We use two service account permission templates for the service accounts we use to work with cloud storage in GCP, storage-admin and storage-viewer. These templates should be reviewed to ensure we only allow access to permissions required, especially the admin which can be overly permissive.

Acceptance Criteria

In Our cas storage Google cloud project:

• Audit the Storage Viewer role template and make changes where needed
• Audit the Storage Admin role template and make changes where needed (creating a new one if required)

Assess the CIIP repo's documentation.
Things to consider:

• What is outdated
• What is missing
• Is it organised in a way that makes sense and is discoverable

Todo:

• Remove or update outdated documentation
• Create a list of suggestions for documentation that should be added
• Re-organise documentation if it is not discoverable following our documentation organisation strategy

Documentation organisation strategy:

• A docs directory at the root of a repo
• Separate doc files with names that clearly describe what the doc file contains
• Appropriately named sub-directories where there are several related individual doc files

Description

To reduce the costs and time of downloading images from gcr.io, we should use Artifactory as a cache.
The artifactory documentation can be found here: https://github.com/BCDevOps/developer-experience/blob/master/apps/artifactory/DEVHUB-README.md

The first step to be able to download images through artifactory is to create an account per namespace.

This issue is a kind reminder that your repository has been inactive for 180 days. Some repositories are maintained in accordance with business requirements that infrequently change thus appearing inactive, and some repositories are inactive because they are unmaintained.

To help differentiate products that are unmaintained from products that do not require frequent maintenance, repomountie will open an issue whenever a repository has not been updated in 180 days.

• If this product is being actively maintained, please close this issue.
• If this repository isn't being actively maintained anymore, please archive this repository. Also, for bonus points, please add a dormant or retired life cycle badge.

Thank you for your help ensuring effective governance of our open-source ecosystem!

It seems that Helm will always try to patch the ArtifactoryServiceAccount object, even if there are not actual changes. Patching of ArtifactoryServiceAccount is not permitted as it can lead to undesirable behaviour in the operator. Unless we can find how to avoid Helm attempting to patch the ArtifactoryServiceAccount for no reason, the solution will be to move it to a different helm chart, and to create a make provision_artifactory target that we only use once.

The new service account must keep the same name, so that helm chart using artifactory don't need updating

However, deleting and re-creating the service account will lead to a new randomly-named pull secret being generated, which means that we will need to redeploy the last deployment of all of the applications using artifactory (airflow and cif), so that Helm can find the name of the new pull secrets.

The list of people to be alerted by our crunchy monitoring is hardcoded in the .values file. It would be better to get these values from a github team. (There is an example of this in the same makefile for make authorize. This would make it less manual to add/remove people from the alert list.

No Project Lifecycle Badge found in your readme!

Hello! I scanned your readme and could not find a project lifecycle badge. A project lifecycle badge will provide contributors to your project as well as other stakeholders (platform services, executive) insight into the lifecycle of your repository.

What is a Project Lifecycle Badge?

It is a simple image that neatly describes your project's stage in its lifecycle. More information can be found in the project lifecycle badges documentation.

What do I need to do?

I suggest you make a PR into your README.md and add a project lifecycle badge near the top where it is easy for your users to pick it up :). Once it is merged feel free to close this issue. I will not open up a new one :)

Right now there is no documentation about the helm chart we created and how it's used by the make provision target.
We need some documentation that lists:

• provide a .env and .values.yaml files (download from 1password or create)
• list what it does where, roughly
• when to call it

The Terraform-job-based chart that provisions storage buckets and accounts could be refactored to accommodate terraform broadly. It currently contains the terraform scripts that are used, but we could expand it to include values that would supply these files instead, if we want to have more use cases for terraform. As all of our projects currently use terraform in the same way, this is not needed, but could be useful for the future.

right now we only fetch job logs while the pod is running
https://github.com/bcgov/cas-pipeline/blob/master/lib/oc_run_job.sh#L50

if it never ran, we should still fetch the job logs

For instance, the following template currently passes oc_validate, but it should fail as the ${FOO} parameter is undefined:

apiVersion: template.openshift.io/v1
kind: Template

objects:
- apiVersion: image.openshift.io/v1
  kind: ImageStream
  metadata:
    name: ${FOO}
  spec:
    lookupPolicy:
      local: true

since jq was introduced in #7 it was not given its own environment detection variable and error like eg. awk

When calling make authorize, the first step is to revoke all rolebindings created by the cas-pipeline helm chart. This includes the user calling the script, which results in their permissions being revoked. Once their permissions are revoked, the script cannot continue and crashes.

To fix:

• Exclude the user calling the script when executing the delete rolebinding command

Dev Story:
I want a helm chart for the Terraform job
because it currently exists as templates across multiple jobs
and this will help me to DRY up the code and keep it in a single repo for maintainability.

Acceptance criteria:

1. Terraform job templates unified into a chart
   • terraform-apply.yaml
   • terraform-modules.yaml
   • terraform-role-binding.yaml
   • terraform-service-account.yaml
   • terraform-role.yaml
2. Replace the existing templates in cas-registration, cas-reporting, cif, ciip, ggircs, and airflow with the above chart imported.

Tech debt

This card will be used to track any potential improvements that can be made to the terraform-bucket-provision chart. This chart is identified in the readme at the Terraform in CAS repos header.

Actions

• Note character limit of 13 for each namespace-app value.
• Note name of the helm chart needing import (terraform-provision-storage), as there are multiple charts in the repo.

Now that the ubi8 images are publicly published, we don't need the io-redhat-registry secret at all times, so there should be a way for us to provision a new project on our local cluster without configuring the private registry credentials for this project.

This issue is a kind reminder that your repository has been inactive for 368 days. Some repositories are maintained in accordance with business requirements that infrequently change thus appearing inactive, and some repositories are inactive because they are unmaintained.

To help differentiate products that are unmaintained from products that do not require frequent maintenance, repomountie will open an issue whenever a repository has not been updated in 180 days.

• If this product is being actively maintained, please close this issue.
• If this repository isn't being actively maintained anymore, please archive this repository. Also, for bonus points, please add a dormant or retired life cycle badge.

Thank you for your help ensuring effective governance of our open-source ecosystem!

Currently, the default workspace is default, so if someone uses the chart in a namespace where another release is already using this chart, the terraform state will be overridden, unless the workspace value is changed.

This would make the default behaviour fool proof to that mistake, but requires all the existing releases to be switched over

I want move the migration script used in cas-cif to cas-pipeline along with it's directions
because we will be reusing the same pattern and script on other repos
and this will help me to remove our reliance on Terraform Cloud.

Acceptance criteria:

• migration script removed from cas-cif.
• migration script added to cas-pipeline.
• directions for use added to cas-pipeline.

Consideration and notes

If the time allows, it would be better to have a make file to preform all (or as many) of the steps required. But only if the time spent in that is less than just following the directions for each subsequent repo.