chore: Update capabilities and tools

defenseunicorns · Dec 15, 2023 · 28fa005 · 28fa005
1 parent fdc018c
commit 28fa005
Show file tree

Hide file tree

Showing 7 changed files with 133 additions and 69 deletions.
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -71,19 +71,19 @@ jobs:
         uses: supplypike/setup-bin@v3
         with:
           # renovate: zarf-uri datasource=github-tags depName=defenseunicorns/zarf
-          uri: 'https://github.com/defenseunicorns/zarf/releases/download/v0.31.3/zarf_v0.31.3_Linux_amd64'
+          uri: 'https://github.com/defenseunicorns/zarf/releases/download/v0.31.4/zarf_v0.31.4_Linux_amd64'
           name: 'zarf'
           # renovate: datasource=github-tags depName=defenseunicorns/zarf versioning=semver
-          version: 'v0.31.3'
+          version: 'v0.31.4'
 
       - name: Install uds-cli
         uses: supplypike/setup-bin@v3
         with:
           # renovate: uds-cli-uri datasource=github-tags depName=defenseunicorns/uds-cli
-          uri: 'https://github.com/defenseunicorns/uds-cli/releases/download/v0.3.1/uds-cli_v0.3.1_Linux_amd64 '
+          uri: 'https://github.com/defenseunicorns/uds-cli/releases/download/v0.5.0/uds-cli_v0.5.0_Linux_amd64 '
           name: 'uds'
           # renovate: datasource=github-tags depName=defenseunicorns/uds-cli versioning=semver
-          version: 'v0.3.1'
+          version: 'v0.5.0'
 
       - name: Login to GHCR
         uses: docker/login-action@v2

diff --git a/Makefile b/Makefile
@@ -1,14 +1,14 @@
 # The version of Zarf to use. To keep this repo as portable as possible the Zarf binary will be downloaded and added to
 # the build folder.
 # renovate: datasource=github-tags depName=defenseunicorns/zarf
-UDS_CLI_VERSION := v0.4.0
+UDS_CLI_VERSION := v0.5.1
 
-ZARF_VERSION := v0.31.3
+ZARF_VERSION := v0.31.4
 
 # The version of the build harness container to use
 BUILD_HARNESS_REPO := ghcr.io/defenseunicorns/build-harness/build-harness
 # renovate: datasource=docker depName=ghcr.io/defenseunicorns/build-harness/build-harness
-BUILD_HARNESS_VERSION := 1.14.2
+BUILD_HARNESS_VERSION := 1.14.8
 
 # Figure out which Zarf binary we should use based on the operating system we are on
 ZARF_BIN := zarf
@@ -140,7 +140,7 @@ cluster/destroy: ## Destroy the k3d cluster
 ########################################################################
 
 .PHONY: build/all
-build/all: build build/zarf build/uds build/software-factory-namespaces build/idam-dns build/idam-realm build/idam-postgres build/idam-gitlab build/idam-sonarqube build/uds-bundle-software-factory ## Build everything
+build/all: build build/zarf build/uds build/software-factory-namespaces build/idam-dns build/idam-realm build/idam-postgres build/idam-gitlab build/idam-sonarqube build/additional-kyverno-exceptions build/uds-bundle-software-factory ## Build everything
 
 build: ## Create build directory
 	mkdir -p build
@@ -181,6 +181,9 @@ build/idam-realm: | build ## Build idam-realm package
 build/idam-postgres: | build ## Build idam-postgres package
 	cd build && ./zarf package create --skip-sbom ../packages/idam-postgres/ --confirm --output-directory .
 
+build/additional-kyverno-exceptions: | build ## Build additional-kyverno-exceptions package
+	cd build && ./zarf package create --skip-sbom ../packages/additional-kyverno-exceptions/ --confirm --output-directory .
+
 build/uds-bundle-software-factory: | build ## Build the software factory
 	cd build && ./uds create ../ --confirm
 	mv uds-bundle-software-factory-demo-*.tar.zst build/

diff --git a/packages/additional-kyverno-exceptions/jira/non-root-user.yaml b/packages/additional-kyverno-exceptions/jira/non-root-user.yaml
@@ -0,0 +1,22 @@
+apiVersion: kyverno.io/v2alpha1
+kind: PolicyException
+metadata:
+  name: jira-non-root-exceptions
+  namespace: jira
+spec:
+  exceptions:
+  - policyName: require-non-root-user
+    ruleNames:
+    - non-root-user
+  - policyName: restrict-host-path-write
+    ruleNames:
+    - require-readonly-hostpath
+  match:
+    any:
+    - resources:
+        kinds:
+        - Pod
+        namespaces:
+        - jira
+        names:
+        - jira-0
diff --git a/packages/additional-kyverno-exceptions/sonarqube/non-root-user.yaml b/packages/additional-kyverno-exceptions/sonarqube/non-root-user.yaml
@@ -0,0 +1,22 @@
+apiVersion: kyverno.io/v2alpha1
+kind: PolicyException
+metadata:
+  name: sonarqube-idam-exceptions
+  namespace: keycloak
+spec:
+  exceptions:
+  - policyName: require-non-root-user
+    ruleNames:
+    - non-root-user
+  - policyName: restrict-host-path-write
+    ruleNames:
+    - require-readonly-hostpath
+  match:
+    any:
+    - resources:
+        kinds:
+        - Pod
+        namespaces:
+        - keycloak
+        names:
+        - saml-cert
diff --git a/packages/additional-kyverno-exceptions/zarf.yaml b/packages/additional-kyverno-exceptions/zarf.yaml
@@ -0,0 +1,22 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/defenseunicorns/zarf/main/zarf.schema.json
+kind: ZarfPackageConfig
+metadata:
+  name: additional-kyverno-exceptions
+  version: "0.0.1"
+  architecture: amd64
+
+components:
+  - name: sonarqube-idam-kyverno-policy-exception
+    required: true
+    manifests:
+      - name: sonarqube-idam-kyverno-policy-exception
+        namespace: keycloak
+        files:
+          - sonarqube/non-root-user.yaml
+  - name: jira-kyverno-policy-exception
+    required: true
+    manifests:
+      - name: jira-kyverno-policy-exception
+        namespace: jira
+        files:
+          - jira/non-root-user.yaml
diff --git a/uds-bundle.yaml b/uds-bundle.yaml
@@ -6,18 +6,23 @@ metadata:
   version: 0.0.9
   architecture: amd64
 
-zarf-packages:
+packages:
   # Zarf init
   - name: init
     repository: ghcr.io/defenseunicorns/packages/init
-    ref: v0.31.3
+    ref: v0.31.4
     optional-components:
       - git-server
 
   # Defense Unicorns Big Bang Distro
   - name: dubbd-k3d
     repository: ghcr.io/defenseunicorns/packages/dubbd-k3d
-    ref: 0.14.0
+    ref: 0.15.0
+
+  # Additional Kyverno Exceptions
+  - name: additional-kyverno-exceptions
+    path: build
+    ref: 0.0.1
 
   # Namespace pre-reqs for swf capabilities
   - name: software-factory-namespaces
@@ -42,7 +47,7 @@ zarf-packages:
 
   - name: uds-idam
     repository: ghcr.io/defenseunicorns/uds-capability/uds-idam
-    ref: 0.1.14
+    ref: 0.1.15
     imports:
       - name: REALM_IMPORT_FILE
         package: software-factory-idam-realm
@@ -74,19 +79,19 @@ zarf-packages:
   # Gitlab
   - name: gitlab-redis
     repository: ghcr.io/defenseunicorns/uds-capability/gitlab/dev-dependency/gitlab-redis
-    ref: 0.1.8
+    ref: 0.1.10
 
   - name: gitlab-minio
     repository: ghcr.io/defenseunicorns/uds-capability/gitlab/dev-dependency/gitlab-minio
-    ref: 0.1.8
+    ref: 0.1.10
 
   - name: gitlab-postgres
     repository: ghcr.io/defenseunicorns/uds-capability/gitlab/dev-dependency/gitlab-postgres
-    ref: 0.1.8
+    ref: 0.1.10
 
   - name: gitlab
     repository: ghcr.io/defenseunicorns/uds-capability/gitlab
-    ref: 0.1.8
+    ref: 0.1.10
     imports:
       - name: GITLAB_IDAM_ENABLED
         package: software-factory-idam-gitlab
@@ -98,11 +103,11 @@ zarf-packages:
   # Gitlab Runner
   - name: gitlab-runner-rbac
     repository: ghcr.io/defenseunicorns/uds-capability/gitlab-runner/dev-dependency/gitlab-runner-rbac
-    ref: 0.1.2
+    ref: 0.1.3
 
   - name: gitlab-runner
     repository: ghcr.io/defenseunicorns/uds-capability/gitlab-runner
-    ref: 0.1.2
+    ref: 0.1.3
 
   # Sonarqube
   - name: sonarqube-postgres
@@ -149,24 +154,24 @@ zarf-packages:
    # Mattermost Operator with a Mattermost instance
   - name: mattermost-minio
     repository: ghcr.io/defenseunicorns/uds-capability/mattermost/dev-dependency/mattermost-minio
-    ref: 0.1.2
+    ref: 0.1.6
 
   - name: mattermost-postgres
     repository: ghcr.io/defenseunicorns/uds-capability/mattermost/dev-dependency/mattermost-postgres
-    ref: 0.1.2
+    ref: 0.1.6
 
   - name: mattermost
     repository: ghcr.io/defenseunicorns/uds-capability/mattermost
-    ref: 0.1.2
+    ref: 0.1.6
 
   # Nexus
   - name: nexus-postgres
     repository: ghcr.io/defenseunicorns/uds-capability/nexus/dev-dependency/nexus-postgres
-    ref: 0.1.2
+    ref: 0.1.3
 
   - name: nexus
     repository: ghcr.io/defenseunicorns/uds-capability/nexus
-    ref: 0.1.2
+    ref: 0.1.3
 
   # Add all virtualservices as internal dns entries for auth callbacks
   - name: software-factory-idam-dns

diff --git a/uds-config.yaml b/uds-config.yaml
@@ -1,46 +1,36 @@
-bundle:
-  deploy:
-    zarf-packages:
-      dubbd-k3d:
-        set:
-          DOMAIN: "bigbang.dev"
-      software-factory-idam-gitlab:
-        set:
-          DOMAIN: "bigbang.dev"
-      software-factory-idam-realm:
-        set:
-          DOMAIN: "bigbang.dev"
-      uds-idam:
-        set:
-          DOMAIN: "bigbang.dev"
-      gitlab:
-        set:
-          DOMAIN: "bigbang.dev"
-          GITLAB_DB_NAME: "gitlabdb"
-          GITLAB_DB_USERNAME: "gitlab"
-          GITLAB_PAGES_ENABLED: "false"
-          GITLAB_SIGNUP_ENABLED: "true"
-      sonarqube:
-        set:
-          DOMAIN: "bigbang.dev"
-          SONARQUBE_IDAM_REALM_URL: "https://keycloak.bigbang.dev/auth/realms/baby-yoda"
-          SONARQUBE_DB_NAME: "sonarqubedb"
-          SONARQUBE_DB_USERNAME: "sonarqube"
-      jira:
-        set:
-          DOMAIN: "bigbang.dev"
-          JIRA_DB_NAME: "jiradb"
-          JIRA_DB_USERNAME: "jira"
-      confluence:
-        set:
-          DOMAIN: "bigbang.dev"
-          CONFLUENCE_DB_NAME: "confluencedb"
-          CONFLUENCE_DB_USERNAME: "confluence"
-      mattermost:
-        set:
-          DOMAIN: "bigbang.dev"
-      nexus:
-        set:
-          DOMAIN: "bigbang.dev"
-          NEXUS_DB_NAME: "nexusdb"
-          NEXUS_DB_USERNAME: "nexus"
+options:
+  log_level: info
+variables:
+  dubbd-k3d:
+    DOMAIN: "bigbang.dev"
+  software-factory-idam-gitlab:
+    DOMAIN: "bigbang.dev"
+  software-factory-idam-realm:
+    DOMAIN: "bigbang.dev"
+  uds-idam:
+    DOMAIN: "bigbang.dev"
+  gitlab:
+    DOMAIN: "bigbang.dev"
+    GITLAB_DB_NAME: "gitlabdb"
+    GITLAB_DB_USERNAME: "gitlab"
+    GITLAB_PAGES_ENABLED: "false"
+    GITLAB_SIGNUP_ENABLED: "true"
+  sonarqube:
+    DOMAIN: "bigbang.dev"
+    SONARQUBE_IDAM_REALM_URL: "https://keycloak.bigbang.dev/auth/realms/baby-yoda"
+    SONARQUBE_DB_NAME: "sonarqubedb"
+    SONARQUBE_DB_USERNAME: "sonarqube"
+  jira:
+    DOMAIN: "bigbang.dev"
+    JIRA_DB_NAME: "jiradb"
+    JIRA_DB_USERNAME: "jira"
+  confluence:
+    DOMAIN: "bigbang.dev"
+    CONFLUENCE_DB_NAME: "confluencedb"
+    CONFLUENCE_DB_USERNAME: "confluence"
+  mattermost:
+    DOMAIN: "bigbang.dev"
+  nexus:
+    DOMAIN: "bigbang.dev"
+    NEXUS_DB_NAME: "nexusdb"
+    NEXUS_DB_USERNAME: "nexus"