OPSEXP-2948 Prepare for v25 release (#1019)

Author: gionn

.github/actions/setup-workspace/action.yml

@@ -3,8 +3,8 @@ description: 'Do some clever stuff on the workspace before running tests'
 runs:
   using: "composite"
   steps:
-    - name: Use internal nexus repository when branch is a future release
-      if: startsWith(github.ref_name, 'next/') || startsWith(github.head_ref, 'next/') || contains(github.event.pull_request.labels.*.name, 'ci-prerelease')
+    - name: Switch to internal repository when current or base branch is a next release branch
+      if: startsWith(github.ref_name, 'next/') || startsWith(github.head_ref, 'next/') || startsWith(github.base_ref, 'next/') || contains(github.event.pull_request.labels.*.name, 'ci-prerelease')
       run: |
         yq -i '.artifacts_repositories.enterprise.repository = "groups/internal"' playbooks/group_vars/all.yml
         echo "::warning title=pre-release branch::Nexus enterprise repository override enabled, using groups/internal as main repository"

.github/updatecli/updatecli_maven_roles_values.yml

@@ -38,10 +38,10 @@ artifacts:
     ansible_version_file: roles/transformers/defaults/main.yml
     updatecli_matrix_component_key: tengine-aio
   alfresco-transform-router:
-    artifact_name_file: roles/transformers/defaults/main.yml
-    artifact_name_key: $.transformers_aio_artifact_name
-    artifact_version_key: $.transformers_aio_version
-    ansible_version_file: roles/transformers/defaults/main.yml
+    artifact_name_file: roles/trouter/defaults/main.yml
+    artifact_name_key: $.trouter_artifact_name
+    artifact_version_key: $.trouter_version
+    ansible_version_file: roles/trouter/defaults/main.yml
     updatecli_matrix_component_key: trouter
   alfresco-shared-file-store-controller:
     artifact_name_file: roles/sfs/defaults/main.yml

.github/updatecli/updatecli_maven_v23_values.yml

@@ -1,8 +1,3 @@
-updatecli_matrix_version: current
+updatecli_matrix_version: 23.N
 updatecli_amps_release_branch: "release/23.N"
 ansible_version_file: vars/acs23.yml
-artifacts:
-  alfresco-googledrive-repo-community:
-    updatecli_scm_id: acsComRepo
-    updatecli_xml_target: "/project/properties/alfresco.googledrive.version"
-    artifact_version_key: "$.acs_play_community_repository_amp_googledrive_repo_version"

.github/updatecli/updatecli_maven_v25_values.yml

@@ -0,0 +1,8 @@
+updatecli_matrix_version: current
+updatecli_amps_release_branch: "release/25.1"
+ansible_version_file: vars/acs25.yml
+artifacts:
+  alfresco-googledrive-repo-community:
+    updatecli_scm_id: acsComRepo
+    updatecli_xml_target: "/project/properties/alfresco.googledrive.version"
+    artifact_version_key: "$.acs_play_community_repository_amp_googledrive_repo_version"

.github/updatecli/updatecli_maven_values.yml

@@ -27,6 +27,11 @@ artifacts:
     artifact_name_key: $.acs_play_repository_acs_artifact_name
     artifact_version_key: $.acs_play_repository_acs_version
     updatecli_matrix_component_key: acs
+  alfresco-api-explorer:
+    artifact_name_file: playbooks/group_vars/repository.yml
+    artifact_name_key: $.acs_play_repository_api_explorer_artifact_name
+    artifact_version_key: $.acs_play_repository_api_explorer_version
+    updatecli_matrix_component_key: acs
   alfresco-search-enterprise:
     artifact_name_file: playbooks/group_vars/search_enterprise.yml
     artifact_name_key: $.acs_play_search_enterprise_artifact_name

.github/workflows/community.yml

@@ -2,7 +2,9 @@ name: "community"
 
 on:
   pull_request:
-    branches: [master]
+    branches:
+      - master
+      - 'next/**'
     paths-ignore:
       - "docs/**"
       - "*.md"
@@ -54,7 +56,7 @@ jobs:
         molecule_distro:
           - image: ubuntu:24.04
           - image: ubuntu:22.04
-          - image: rockylinux/rockylinux:9.4
+          - image: rockylinux/rockylinux:9.5
         role:
           - name: activemq
           - name: common
@@ -114,7 +116,7 @@ jobs:
       matrix:
         molecule_distro:
           - image: ubuntu:22.04
-          - image: rockylinux/rockylinux:9.4
+          - image: rockylinux/rockylinux:9.5
         scenario:
           - name: docker_community
     uses: ./.github/workflows/docker.yml

.github/workflows/enteprise.yml

@@ -2,7 +2,9 @@ name: "enterprise"
 
 on:
   pull_request:
-    branches: [master]
+    branches:
+      - master
+      - 'next/**'
     types: [labeled, opened, synchronize, reopened]
     paths-ignore:
       - "docs/**"
@@ -72,8 +74,8 @@ jobs:
       fail-fast: false
       matrix:
         molecule_distro:
-          - image: ubuntu:22.04
-          - image: rockylinux/rockylinux:9.4
+          - image: ubuntu:24.04
+          - image: rockylinux/rockylinux:9.5
         role:
           - name: adf_app
           - name: search_enterprise
@@ -132,8 +134,8 @@ jobs:
       fail-fast: false
       matrix:
         molecule_distro:
-          - image: ubuntu:22.04
-          - image: rockylinux/rockylinux:9.4
+          - image: ubuntu:24.04
+          - image: rockylinux/rockylinux:9.5
         scenario:
           - name: pki
           - name: elasticsearch
@@ -145,12 +147,7 @@ jobs:
           - scenario:
               name: docker_enterprise
             molecule_distro:
-              image: rockylinux/rockylinux:9.4
-            runner: ubuntu-24.04-arm
-          - scenario:
-              name: docker_enterprise
-            molecule_distro:
-              image: ubuntu:22.04
+              image: rockylinux/rockylinux:9.5
             runner: ubuntu-24.04-arm
           - scenario:
               name: docker_enterprise
@@ -188,22 +185,22 @@ jobs:
             desc: EC2 ACS 7.3 (Ubuntu 22.04)
           - name: default
             vars: vars-rocky8.yml
-            desc: EC2 ACS 7.4 (Rocky Linux 8.9)
+            desc: EC2 ACS 7.4 (Rocky Linux 8.10)
           - name: default
             vars: vars-rhel8.yml
-            desc: EC2 ACS 7.4 (RHEL 8.9)
+            desc: EC2 ACS 7.4 (RHEL 8.10)
           - name: default
             vars: vars-ubuntu-community.yml
-            desc: EC2 ACS 23.x Community (Ubuntu 24.04)
+            desc: EC2 ACS 25.x Community (Ubuntu 24.04)
           - name: default
             vars: vars-rocky9.yml
-            desc: EC2 ACS 23.x (Rocky Linux 9.4)
+            desc: EC2 ACS 23.x (Rocky Linux 9.5)
           - name: multimachine
             vars: vars.yml
-            desc: EC2 ACS 23.x clustered (RHEL 9.4)
+            desc: EC2 ACS 25.x clustered (RHEL 9.5)
           - name: opensearch
             vars: vars.yml
-            desc: EC2 ACS 23.x opensearch (RHEL 9.4)
+            desc: EC2 ACS 25.x opensearch (RHEL 9.5)
     env:
       AWS_REGION: eu-west-1
       MOLECULE_IT_AWS_VPC_SUBNET_ID: subnet-6bdd4223

.github/workflows/kics.yml

@@ -2,7 +2,9 @@ name: kics
 
 on:
   pull_request:
-    branches: [master]
+    branches:
+      - master
+      - 'next/**'
     paths:
       - 'playbooks/**'
       - 'roles/**'

.secrets.baseline

@@ -144,7 +144,7 @@
         "filename": "playbooks/acs.yml",
         "hashed_secret": "0ca8f28152882e5edb182fc3f7d4ae10a5b10dc5",
         "is_verified": false,
-        "line_number": 608
+        "line_number": 612
       }
     ],
     "roles/activemq/molecule/default/tests/test_activemq.py": [
@@ -188,5 +188,5 @@
       }
     ]
   },
-  "generated_at": "2025-03-13T09:39:39Z"
+  "generated_at": "2025-03-17T11:58:32Z"
 }

molecule/default/vars-rocky9.yml

@@ -1,4 +1,4 @@
-MOLECULE_IT_IMAGE_ID: ami-0230bf6b41b114fef # Rocky-9-EC2-Base-9.4-20240523.0.x86_64
+MOLECULE_IT_IMAGE_ID: ami-0272534a8a639b9f1 # Rocky-9-EC2-Base-9.5-20241118.0.x86_64
 MOLECULE_IT_EXTRA_VARS: acs_play_major_version=23
-MOLECULE_IT_TEST_CONFIG: tests/test-config.json
+MOLECULE_IT_TEST_CONFIG: tests/test-config-23.json
 MOLECULE_IT_PLATFORM: rocky9

molecule/default/verify.yml

@@ -49,6 +49,9 @@
         - name: Print multiline pytest stdout as best as we can
           debug:
             msg: "{{ ansible_failed_result.stdout_lines }}"
+        - name: Exit with failure
+          ansible.builtin.fail:
+            msg: "pytest failed"
 
 - name: Verify adw plugins state
   hosts: adw

molecule/multimachine/vars.yml

@@ -1,4 +1,4 @@
 MOLECULE_IT_IMAGE_ID: ami-02e145cba2d8ae80e # RHEL-9.4.0_HVM-20250218-x86_64-0-Hourly2-GP3
-MOLECULE_IT_EXTRA_VARS: acs_play_major_version=23
+MOLECULE_IT_EXTRA_VARS: acs_play_major_version=25
 MOLECULE_IT_TEST_CONFIG: tests/test-config.json
 MOLECULE_IT_PLATFORM: multimachine

molecule/pki/verify.yml

@@ -44,27 +44,33 @@
     - name: Populate services facts
       ansible.builtin.service_facts:
 
-    - name: Check in logs a client did connect
-      ansible.builtin.slurp:
-        src: /var/log/alfresco/{{ item.file }}.log
-      register: ats_log
+    - name: Check ATS Router logs for client access signal
       become: true
-      until:
-        - item.pattern in ats_log.content | b64decode
+      ansible.builtin.slurp:
+        src: /var/log/alfresco/ats-atr.log
+      register: ats_router_log
+      until: >-
+        "GET Transform Config version" in ats_router_log.content | b64decode
       retries: 10
       delay: 3
-      loop:
-        - file: ats-atr
-          pattern: GET Transform Config version
-          edition: Enterprise
-        - file: ats-shared-fs
-          pattern: TLS virtual host
-          edition: Enterprise
+      no_log: true
+
+    - name: Check Shared File Store logs for client access signal
+      become: true
+      ansible.builtin.slurp:
+        src: /var/log/alfresco/ats-shared-fs.log
+      register: ats_fs_log
+      until: >-
+        "TLS virtual host" in ats_fs_log.content | b64decode
+      retries: 3
+      delay: 1
+      no_log: true
 
     - name: Copy cert as PEM
       ansible.builtin.copy:
         src: /tmp/{{ inventory_hostname }}.crt
         dest: /tmp
+
     - name: Check certificates requires auth
       ansible.builtin.uri:
         url: https://localhost:8090

playbooks/acs.yml

@@ -209,6 +209,7 @@
         transformers_aio_version: "{{ acs_play_transformers_aio_version }}"
         transformers_aio_archive_url: "{{ acs_play_transformers_aio_archive_url }}"
         transformers_aio_archive_checksum: "{{ acs_play_transformers_aio_archive_checksum }}"
+        transformers_truststore_type: "{{ acs_play_default_truststore_type }}"
   post_tasks:
     - name: Update installation status file with Transformers
       become: true
@@ -350,6 +351,7 @@
         repository_amp_downloads: "{{ acs_play_repository_amp_downloads }}"
         repository_extra_war_downloads: "{{ acs_play_repository_extra_war_downloads }}"
         repository_extra_amp_downloads: "{{ acs_play_repository_extra_amp_downloads }}"
+        repository_truststore_type: "{{ acs_play_default_truststore_type }}"
   post_tasks:
     - name: Initialize evaluation of currently installed amps
       ansible.builtin.set_fact:
@@ -437,6 +439,7 @@
         trouter_archive_checksum: "{{ acs_play_trouter_archive_checksum }}"
         trouter_archive_username: "{{ nexus_user }}"
         trouter_archive_password: "{{ nexus_password }}"
+        trouter_ats_truststore_type: "{{ acs_play_default_truststore_type }}"
       when: acs_is_enterprise
   post_tasks:
     - name: Update installation status file with Trouter
@@ -487,6 +490,7 @@
         sfs_archive_username: "{{ nexus_user }}"
         sfs_archive_password: "{{ nexus_password }}"
         sfs_ats_keystore: "{{ acs_play_sfs_keystore | default({}) }}"
+        sfs_ats_truststore_type: "{{ acs_play_default_truststore_type }}"
       when: acs_is_enterprise
   post_tasks:
     - name: Update installation status file with SFS

playbooks/group_vars/all.yml

@@ -3,7 +3,7 @@
 # For more information please have a look at the
 # [security_doc](https://github.com/Alfresco/alfresco-ansible-deployment/blob/master/docs/SECURITY.md#specify-trustworthy-applications)
 acs_play_known_urls: []
-acs_play_major_version: 23
+acs_play_major_version: 25
 
 artifacts_repositories:
   enterprise:
@@ -24,8 +24,10 @@ nexus_repository:
   development_releases: >-
     {{ artifacts_repositories.enterprise.base_url }}/{{ artifacts_repositories.development.repository }}/{{ artifacts_repositories.enterprise.group_id }}
 
-default_java_version: 17.0.14+7
-acs_play_java_core: "{{ default_java_version.split('+')[0] }}"
+acs_play_java_core: "{{ acs_play_java_version.split('+')[0] }}"
+acs_play_java_major: "{{ acs_play_java_core.split('.')[0] }}"
+acs_play_default_truststore_type: "{% if acs_play_java_major | int >= 21 %}pkcs12{% else %}JCEKS{% endif %}"
+
 acs_play_repository_acs_edition: Enterprise
 
 acs_play_skip_upgrade_checks: false

roles/audit_storage/defaults/main.yml

@@ -1,6 +1,6 @@
 ---
 # defaults file for audit_storage
-audit_storage_version: "1.0.0"
+audit_storage_version: 1.1.0
 audit_storage_zip_url: https://nexus.alfresco.com/nexus/repository/enterprise-releases/org/alfresco/alfresco-audit-storage-distribution/{{ audit_storage_version }}/alfresco-audit-storage-distribution-{{ audit_storage_version }}.zip
 audit_storage_zip_checksum: sha1:{{ audit_storage_zip_url }}.sha1
 

roles/java/tasks/main.yml

@@ -1,6 +1,6 @@
 ---
 # tasks file for roles/java
-- name: Download openjdk archive
+- name: Download openjdk archive for version {{ java_version }}
   ansible.builtin.get_url:
     url: "{{ java_url }}"
     dest: "{{ download_location }}/{{ java_tar_file }}"
@@ -11,7 +11,7 @@
 - name: Install OpenJDK
   become: true
   block:
-    - name: Extract OpenJDK archive
+    - name: Extract OpenJDK archive {{ java_tar_file }}
       ansible.builtin.unarchive:
         src: "{{ download_location }}/{{ java_tar_file }}"
         dest: "{{ java_home | dirname }}"

roles/repository/defaults/main.yml

@@ -22,7 +22,7 @@ repository_acs_is_enterprise: true
 repository_acs_artifact_name: alfresco-content-services-distribution
 repository_acs_repository: https://artifacts.alfresco.com/nexus/content/groups/private/org/alfresco
 
-repository_acs_version: 23.4.1
+repository_acs_version: 25.1.0
 repository_acs_archive_url: "{{ repository_acs_repository }}/{{ repository_acs_artifact_name }}/{{ repository_acs_version }}/{{ repository_acs_artifact_name }}-{{ repository_acs_version }}.zip"
 repository_acs_archive_checksum: "sha1:{{ repository_acs_archive_url }}.sha1"
 repository_acs_nexus_username: "{{ repository_nexus_username }}"
@@ -35,7 +35,7 @@ repository_api_explorer_enabled: true
 repository_api_explorer_artifact_name: api-explorer
 repository_api_explorer_repository: https://artifacts.alfresco.com/nexus/content/groups/public/org/alfresco
 
-repository_api_explorer_version: 23.4.0
+repository_api_explorer_version: 25.1.0
 repository_api_explorer_archive_url: "{{ repository_api_explorer_repository }}/{{ repository_api_explorer_artifact_name }}/{{ repository_api_explorer_version }}/{{ repository_api_explorer_artifact_name }}-{{ repository_api_explorer_version }}.war"
 repository_api_explorer_archive_checksum: "sha1:{{ repository_api_explorer_archive_url }}.sha1"
 repository_api_explorer_nexus_username: "{{ repository_nexus_username }}"
@@ -139,3 +139,5 @@ repository_amp_downloads: []
 
 # Additional list of amp downloads. Same structure as repository_amp_downloads
 repository_extra_amp_downloads: []
+
+repository_truststore_type: JCEKS

roles/repository/templates/alfresco-global.properties.j2

@@ -33,6 +33,8 @@ encryption.keystore.backup.type=JCEKS
 {% endif %}
 
 encryption.ssl.truststore.location={{ java_truststore | default(java_home + '/lib/security/cacerts') }}
+encryption.ssl.truststore.type={{ repository_truststore_type }}
+
 {% if repository_default_keystore %}
 encryption.ssl.keystore.location={{ repository_default_keystore.path }}
 httpclient.config.transform.mTLSEnabled=true

roles/search/defaults/main.yml

@@ -5,12 +5,12 @@ search_repository:
   port: 80
   port_ssl: 443
 
-search_flavor: alfresco-search-services  # set to alfresco-insight-engine for IE
-search_version: 2.0.14
+search_flavor: alfresco-search-services # set to alfresco-insight-engine for IE
+search_version: 2.0.15
 search_artifact_repository: https://artifacts.alfresco.com/nexus/content/groups/public/org/alfresco
 search_zip_url: "{{ search_artifact_repository }}/{{ search_flavor }}/{{ search_version }}/{{ search_flavor }}-{{ search_version }}.zip"
 search_zip_checksum: "sha1:{{ search_zip_url }}.sha1"
-search_environment:  # This will add extra vars at the end of the solr.in.sh file
+search_environment: # This will add extra vars at the end of the solr.in.sh file
   SOLR_JAVA_MEM: "-Xms1g -Xmx1g"
 search_cores:
   - alfresco

roles/search_enterprise/defaults/main.yml

@@ -7,7 +7,7 @@ search_enterprise_reindex_options: ''
 search_enterprise_artifact_name: alfresco-elasticsearch-connector-distribution
 search_enterprise_repository: https://artifacts.alfresco.com/nexus/content/groups/private/org/alfresco
 
-search_enterprise_version: 4.2.0
+search_enterprise_version: 5.0.0
 search_enterprise_zip_url: "{{ search_enterprise_repository }}/{{ search_enterprise_artifact_name }}/{{ search_enterprise_version }}/{{ search_enterprise_artifact_name }}-{{ search_enterprise_version }}.zip"
 search_enterprise_zip_checksum: "sha1:{{ search_enterprise_zip_url }}.sha1"