From 28fa0054104494927811aa35872379388aea180e Mon Sep 17 00:00:00 2001
From: Anthony
Date: Fri, 15 Dec 2023 21:57:14 +0000
Subject: [PATCH] chore: Update capabilities and tools
---
.github/workflows/publish.yml | 8 +-
Makefile | 11 ++-
.../jira/non-root-user.yaml | 22 +++++
.../sonarqube/non-root-user.yaml | 22 +++++
.../additional-kyverno-exceptions/zarf.yaml | 22 +++++
uds-bundle.yaml | 35 ++++----
uds-config.yaml | 82 ++++++++-----
7 files changed, 133 insertions(+), 69 deletions(-)
create mode 100644 packages/additional-kyverno-exceptions/jira/non-root-user.yaml
create mode 100644 packages/additional-kyverno-exceptions/sonarqube/non-root-user.yaml
create mode 100644 packages/additional-kyverno-exceptions/zarf.yaml
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 92397fb..875f7c7 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -71,19 +71,19 @@ jobs: uses: supplypike/setup-bin@v3 with: # renovate: zarf-uri datasource=github-tags depName=defenseunicorns/zarf - uri: 'https://github.com/defenseunicorns/zarf/releases/download/v0.31.3/zarf_v0.31.3_Linux_amd64' + uri: 'https://github.com/defenseunicorns/zarf/releases/download/v0.31.4/zarf_v0.31.4_Linux_amd64' name: 'zarf' # renovate: datasource=github-tags depName=defenseunicorns/zarf versioning=semver - version: 'v0.31.3' + version: 'v0.31.4' - name: Install uds-cli uses: supplypike/setup-bin@v3 with: # renovate: uds-cli-uri datasource=github-tags depName=defenseunicorns/uds-cli - uri: 'https://github.com/defenseunicorns/uds-cli/releases/download/v0.3.1/uds-cli_v0.3.1_Linux_amd64 ' + uri: 'https://github.com/defenseunicorns/uds-cli/releases/download/v0.5.0/uds-cli_v0.5.0_Linux_amd64 ' name: 'uds' # renovate: datasource=github-tags depName=defenseunicorns/uds-cli versioning=semver - version: 'v0.3.1' + version: 'v0.5.0' - name: Login to GHCR uses: docker/login-action@v2
diff --git a/Makefile b/Makefile
index f80b449..4f46551 100755
--- a/Makefile
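Review bot: The new uds-cli `uri` value keeps the trailing space inside the quotes (`..._Linux_amd64 '`), so the URL handed to setup-bin still ends in a space; it should read `uri: 'https://github.com/defenseunicorns/uds-cli/releases/download/v0.5.0/uds-cli_v0.5.0_Linux_amd64'`. The uds-cli pin here is v0.5.0 while the Makefile in this same patch moves `UDS_CLI_VERSION` to v0.5.1, so CI and local builds run different CLI versions against the renamed `packages:` bundle schema. Neither download in this hunk is checked against a published checksum or pinned by digest, which is worth adding if setup-bin supports it (the hunk does not show whether it does); the enclosing `jobs:` block continues outside the hunk.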
+++ b/Makefile
@@ -1,14 +1,14 @@
# The version of Zarf to use. To keep this repo as portable as possible the Zarf binary will be downloaded and added to # the build folder. # renovate: datasource=github-tags depName=defenseunicorns/zarf -UDS_CLI_VERSION := v0.4.0 +UDS_CLI_VERSION := v0.5.1 -ZARF_VERSION := v0.31.3 +ZARF_VERSION := v0.31.4 # The version of the build harness container to use BUILD_HARNESS_REPO := ghcr.io/defenseunicorns/build-harness/build-harness # renovate: datasource=docker depName=ghcr.io/defenseunicorns/build-harness/build-harness -BUILD_HARNESS_VERSION := 1.14.2 +BUILD_HARNESS_VERSION := 1.14.8 # Figure out which Zarf binary we should use based on the operating system we are on ZARF_BIN := zarf
@@ -140,7 +140,7 @@ cluster/destroy: ## Destroy the k3d cluster ######################################################################## .PHONY: build/all -build/all: build build/zarf build/uds build/software-factory-namespaces build/idam-dns build/idam-realm build/idam-postgres build/idam-gitlab build/idam-sonarqube build/uds-bundle-software-factory ## Build everything +build/all: build build/zarf build/uds build/software-factory-namespaces build/idam-dns build/idam-realm build/idam-postgres build/idam-gitlab build/idam-sonarqube build/additional-kyverno-exceptions build/uds-bundle-software-factory ## Build everything build: ## Create build directory mkdir -p build
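Review bot: The `# renovate: datasource=github-tags depName=defenseunicorns/zarf` comment now sits directly above `UDS_CLI_VERSION := v0.5.1`, so renovate will treat it as the annotation for the uds-cli pin and propose zarf tags for it, while `ZARF_VERSION := v0.31.4` carries no annotation at all; move that comment above `ZARF_VERSION` and add `# renovate: datasource=github-tags depName=defenseunicorns/uds-cli` above `UDS_CLI_VERSION`. The uds-cli pin also disagrees with `.github/workflows/publish.yml` in this same patch, which installs v0.5.0, so local builds and CI exercise different CLI versions. The header comment still says only "The version of Zarf to use" although the block now pins three tools; a one-line mention of uds-cli would keep it accurate.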
@@ -181,6 +181,9 @@ build/idam-realm: | build ## Build idam-realm package build/idam-postgres: | build ## Build idam-postgres package cd build && ./zarf package create --skip-sbom ../packages/idam-postgres/ --confirm --output-directory . +build/additional-kyverno-exceptions: | build ## Build additional-kyverno-exceptions package + cd build && ./zarf package create --skip-sbom ../packages/additional-kyverno-exceptions/ --confirm --output-directory . + build/uds-bundle-software-factory: | build ## Build the software factory cd build && ./uds create ../ --confirm mv uds-bundle-software-factory-demo-*.tar.zst build/
diff --git a/packages/additional-kyverno-exceptions/jira/non-root-user.yaml b/packages/additional-kyverno-exceptions/jira/non-root-user.yaml
new file mode 100644
index 0000000..1034a79
--- /dev/null
+++ b/packages/additional-kyverno-exceptions/jira/non-root-user.yaml
@@ -0,0 +1,22 @@
+apiVersion: kyverno.io/v2alpha1
+kind: PolicyException
+metadata:
+ name: jira-non-root-exceptions
+ namespace: jira
+spec:
+ exceptions:
+ - policyName: require-non-root-user
+ ruleNames:
+ - non-root-user
+ - policyName: restrict-host-path-write
+ ruleNames:
+ - require-readonly-hostpath
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ namespaces:
+ - jira
+ names:
+ - jira-0
diff --git a/packages/additional-kyverno-exceptions/sonarqube/non-root-user.yaml b/packages/additional-kyverno-exceptions/sonarqube/non-root-user.yaml
new file mode 100644
index 0000000..07e94d1
--- /dev/null
+++ b/packages/additional-kyverno-exceptions/sonarqube/non-root-user.yaml
@@ -0,0 +1,22 @@
+apiVersion: kyverno.io/v2alpha1
+kind: PolicyException
+metadata:
+ name: sonarqube-idam-exceptions
+ namespace: keycloak
+spec:
+ exceptions:
+ - policyName: require-non-root-user
+ ruleNames:
+ - non-root-user
+ - policyName: restrict-host-path-write
+ ruleNames:
+ - require-readonly-hostpath
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ namespaces:
+ - keycloak
+ names:
+ - saml-cert
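Review bot: `jira-non-root-exceptions` exempts pod `jira-0` from `restrict-host-path-write`/`require-readonly-hostpath` as well as from `require-non-root-user`, but the file name and the exception name only mention the non-root part, and nothing records why Jira needs root or a writable hostPath; a header comment such as `# Jira <VERSION> runs as root and writes to <HOSTPATH>; remove once the chart supports runAsNonRoot` (placeholders to fill in) keeps the widened exception reviewable. Matching the literal pod name `jira-0` is tightly scoped, which is good, though it only holds while Jira stays a single-replica StatefulSet; a second replica would be blocked rather than exempted. `kyverno.io/v2alpha1` PolicyException is an alpha API and, as far as I know, requires policy exceptions to be enabled on the Kyverno install, so it is worth confirming the cluster's Kyverno is configured for it.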
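Review bot: This file is named `sonarqube/non-root-user.yaml`, but the exception it defines, `sonarqube-idam-exceptions`, lives in namespace `keycloak`, matches a pod named `saml-cert`, and also waives `restrict-host-path-write`; the path and name hide both the namespace and the second rule, so either rename the file (e.g. `keycloak/saml-cert-exceptions.yaml`) or add a comment stating what `saml-cert` is and why it needs root and a writable hostPath. If `saml-cert` is created by a Job (the name reads like a certificate-generation task, but the patch does not show it), its pods carry a generated suffix and the exact `names: - saml-cert` entry will never match; `saml-cert-*` would, at the cost of a slightly wider match. The same missing-rationale point applies to the jira exception in this patch.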
diff --git a/packages/additional-kyverno-exceptions/zarf.yaml b/packages/additional-kyverno-exceptions/zarf.yaml
new file mode 100644
index 0000000..e809c91
--- /dev/null
+++ b/packages/additional-kyverno-exceptions/zarf.yaml
@@ -0,0 +1,22 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/defenseunicorns/zarf/main/zarf.schema.json
+kind: ZarfPackageConfig
+metadata:
+ name: additional-kyverno-exceptions
+ version: "0.0.1"
+ architecture: amd64
+
+components:
+ - name: sonarqube-idam-kyverno-policy-exception
+ required: true
+ manifests:
+ - name: sonarqube-idam-kyverno-policy-exception
+ namespace: keycloak
+ files:
+ - sonarqube/non-root-user.yaml
+ - name: jira-kyverno-policy-exception
+ required: true
+ manifests:
+ - name: jira-kyverno-policy-exception
+ namespace: jira
+ files:
+ - jira/non-root-user.yaml
diff --git a/uds-bundle.yaml b/uds-bundle.yaml
index 8c0a831..244702d 100644
--- a/uds-bundle.yaml
+++ b/uds-bundle.yaml
@@ -6,18 +6,23 @@ metadata: version: 0.0.9 architecture: amd64 -zarf-packages: +packages: # Zarf init - name: init repository: ghcr.io/defenseunicorns/packages/init - ref: v0.31.3 + ref: v0.31.4 optional-components: - git-server # Defense Unicorns Big Bang Distro - name: dubbd-k3d repository: ghcr.io/defenseunicorns/packages/dubbd-k3d - ref: 0.14.0 + ref: 0.15.0 + + # Additional Kyverno Exceptions + - name: additional-kyverno-exceptions + path: build + ref: 0.0.1 # Namespace pre-reqs for swf capabilities - name: software-factory-namespaces
@@ -42,7 +47,7 @@ zarf-packages: - name: uds-idam repository: ghcr.io/defenseunicorns/uds-capability/uds-idam - ref: 0.1.14 + ref: 0.1.15 imports: - name: REALM_IMPORT_FILE package: software-factory-idam-realm
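Review bot: The new `additional-kyverno-exceptions` entry is placed before `software-factory-namespaces`, yet its manifests target namespaces `jira` and `keycloak` (per `packages/additional-kyverno-exceptions/zarf.yaml` in this patch); if the namespaces package is what creates those namespaces with their labels, this order either fails on a missing namespace or, if Zarf creates them on the fly, leaves them without the labels the later package would have applied — I cannot confirm Zarf's behaviour here, so the order should be tested or the entry moved below the namespaces package. The package is referenced by `path: build` with `ref: 0.0.1`, so the bundle only builds after `make build/additional-kyverno-exceptions` has run; a comment like `# built locally by make build/additional-kyverno-exceptions` next to the entry would save the next person a failed `uds create`. The bundle's `version: 0.0.9` is unchanged even though the package set grew, which may be intentional but is worth a second look.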
@@ -74,19 +79,19 @@ zarf-packages: # Gitlab - name: gitlab-redis repository: ghcr.io/defenseunicorns/uds-capability/gitlab/dev-dependency/gitlab-redis - ref: 0.1.8 + ref: 0.1.10 - name: gitlab-minio repository: ghcr.io/defenseunicorns/uds-capability/gitlab/dev-dependency/gitlab-minio - ref: 0.1.8 + ref: 0.1.10 - name: gitlab-postgres repository: ghcr.io/defenseunicorns/uds-capability/gitlab/dev-dependency/gitlab-postgres - ref: 0.1.8 + ref: 0.1.10 - name: gitlab repository: ghcr.io/defenseunicorns/uds-capability/gitlab - ref: 0.1.8 + ref: 0.1.10 imports: - name: GITLAB_IDAM_ENABLED package: software-factory-idam-gitlab
@@ -98,11 +103,11 @@ zarf-packages: # Gitlab Runner - name: gitlab-runner-rbac repository: ghcr.io/defenseunicorns/uds-capability/gitlab-runner/dev-dependency/gitlab-runner-rbac - ref: 0.1.2 + ref: 0.1.3 - name: gitlab-runner repository: ghcr.io/defenseunicorns/uds-capability/gitlab-runner - ref: 0.1.2 + ref: 0.1.3 # Sonarqube - name: sonarqube-postgres
@@ -149,24 +154,24 @@ zarf-packages: # Mattermost Operator with a Mattermost instance - name: mattermost-minio repository: ghcr.io/defenseunicorns/uds-capability/mattermost/dev-dependency/mattermost-minio - ref: 0.1.2 + ref: 0.1.6 - name: mattermost-postgres repository: ghcr.io/defenseunicorns/uds-capability/mattermost/dev-dependency/mattermost-postgres - ref: 0.1.2 + ref: 0.1.6 - name: mattermost repository: ghcr.io/defenseunicorns/uds-capability/mattermost - ref: 0.1.2 + ref: 0.1.6 # Nexus - name: nexus-postgres repository: ghcr.io/defenseunicorns/uds-capability/nexus/dev-dependency/nexus-postgres - ref: 0.1.2 + ref: 0.1.3 - name: nexus repository: ghcr.io/defenseunicorns/uds-capability/nexus - ref: 0.1.2 + ref: 0.1.3 # Add all virtualservices as internal dns entries for auth callbacks - name: software-factory-idam-dns
diff --git a/uds-config.yaml b/uds-config.yaml
index 9f9c110..0d97e5a 100644
--- a/uds-config.yaml
+++ b/uds-config.yaml
@@ -1,46 +1,36 @@
-bundle:
- deploy:
- zarf-packages:
- dubbd-k3d:
- set:
- DOMAIN: "bigbang.dev"
- software-factory-idam-gitlab:
- set:
- DOMAIN: "bigbang.dev"
- software-factory-idam-realm:
- set:
- DOMAIN: "bigbang.dev"
- uds-idam:
- set:
- DOMAIN: "bigbang.dev"
- gitlab:
- set:
- DOMAIN: "bigbang.dev"
- GITLAB_DB_NAME: "gitlabdb"
- GITLAB_DB_USERNAME: "gitlab"
- GITLAB_PAGES_ENABLED: "false"
- GITLAB_SIGNUP_ENABLED: "true"
- sonarqube:
- set:
- DOMAIN: "bigbang.dev"
- SONARQUBE_IDAM_REALM_URL: "https://keycloak.bigbang.dev/auth/realms/baby-yoda"
- SONARQUBE_DB_NAME: "sonarqubedb"
- SONARQUBE_DB_USERNAME: "sonarqube"
- jira:
- set:
- DOMAIN: "bigbang.dev"
- JIRA_DB_NAME: "jiradb"
- JIRA_DB_USERNAME: "jira"
- confluence:
- set:
- DOMAIN: "bigbang.dev"
- CONFLUENCE_DB_NAME: "confluencedb"
- CONFLUENCE_DB_USERNAME: "confluence"
- mattermost:
- set:
- DOMAIN: "bigbang.dev"
- nexus:
- set:
- DOMAIN: "bigbang.dev"
- NEXUS_DB_NAME: "nexusdb"
- NEXUS_DB_USERNAME: "nexus"
+options:
+ log_level: info
+variables:
+ dubbd-k3d:
+ DOMAIN: "bigbang.dev"
+ software-factory-idam-gitlab:
+ DOMAIN: "bigbang.dev"
+ software-factory-idam-realm:
+ DOMAIN: "bigbang.dev"
+ uds-idam:
+ DOMAIN: "bigbang.dev"
+ gitlab:
+ DOMAIN: "bigbang.dev"
+ GITLAB_DB_NAME: "gitlabdb"
+ GITLAB_DB_USERNAME: "gitlab"
+ GITLAB_PAGES_ENABLED: "false"
+ GITLAB_SIGNUP_ENABLED: "true"
+ sonarqube:
+ DOMAIN: "bigbang.dev"
+ SONARQUBE_IDAM_REALM_URL: "https://keycloak.bigbang.dev/auth/realms/baby-yoda"
+ SONARQUBE_DB_NAME: "sonarqubedb"
+ SONARQUBE_DB_USERNAME: "sonarqube"
+ jira:
+ DOMAIN: "bigbang.dev"
+ JIRA_DB_NAME: "jiradb"
+ JIRA_DB_USERNAME: "jira"
+ confluence:
+ DOMAIN: "bigbang.dev"
+ CONFLUENCE_DB_NAME: "confluencedb"
+ CONFLUENCE_DB_USERNAME: "confluence"
+ mattermost:
+ DOMAIN: "bigbang.dev"
+ nexus:
+ DOMAIN: "bigbang.dev"
+ NEXUS_DB_NAME: "nexusdb"
+ NEXUS_DB_USERNAME: "nexus"
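Review bot: `GITLAB_SIGNUP_ENABLED: "true"` is carried into the new `variables:` layout unchanged, so the bundle still deploys GitLab with open self-registration behind `DOMAIN: "bigbang.dev"`, and nothing in the file marks this as demo-only; a comment such as `# demo setting: open signup, do not reuse for a real deployment` above that line (or `"false"` as the default) would stop it being copied into a non-demo config. The restructure replaces the per-package `set:` nesting with `variables.<package>`, which presumably follows the uds-cli schema change picked up by the Makefile and workflow bumps in this patch; since those two pin different uds-cli versions (v0.5.1 and v0.5.0), both should be checked against this layout. `SONARQUBE_IDAM_REALM_URL` hard-codes `keycloak.bigbang.dev` separately from `DOMAIN`, so changing `DOMAIN` alone leaves the realm URL pointing at the old host.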