From 69a5105ca2db0a222f803efc668b7d847df83e12 Mon Sep 17 00:00:00 2001 From: awendt Date: Fri, 3 Nov 2023 12:13:03 -0600 Subject: [PATCH] Updates (#114) * Upgrade idam and dubbd * Update idam realm, gitlab, and sonarqube configs * Cleanup * Cleanup * Add more capabilities and upgrades * Update e2e tests to include new capabilities * Update README --- Makefile | 6 +- README.md | 4 + packages/idam-gitlab/gitlab-sso-demo.json | 6 +- packages/idam-gitlab/zarf.yaml | 4 +- .../policy-exceptions/externalName.yaml | 19 ++++ .../policy-exceptions/registry.yaml | 20 +++++ packages/idam-postgres/service.yaml | 8 ++ packages/idam-postgres/values.yaml | 3 + packages/idam-postgres/zarf.yaml | 53 +++++++++++ packages/idam-realm/files/baby-yoda.json | 82 ++++++++--------- packages/idam-realm/zarf.yaml | 6 +- packages/idam-sonarqube/zarf.yaml | 6 +- packages/namespaces/values.yaml | 33 +++++++ test/e2e/e2e_basic_smoke_test.go | 88 +++++++++++++++++++ uds-bundle.yaml | 67 +++++++++++--- uds-config.yaml | 44 ++++++++++ 16 files changed, 386 insertions(+), 63 deletions(-) create mode 100644 packages/idam-postgres/policy-exceptions/externalName.yaml create mode 100644 packages/idam-postgres/policy-exceptions/registry.yaml create mode 100644 packages/idam-postgres/service.yaml create mode 100644 packages/idam-postgres/values.yaml create mode 100644 packages/idam-postgres/zarf.yaml create mode 100644 uds-config.yaml diff --git a/Makefile b/Makefile index 0c14167..fabf9d3 100755 --- a/Makefile +++ b/Makefile 
@@ -142,7 +142,7 @@ cluster/destroy: ## Destroy the k3d cluster ######################################################################## .PHONY: build/all -build/all: build build/zarf build/uds build/software-factory-namespaces build/idam-dns build/idam-realm build/idam-gitlab build/idam-sonarqube build/uds-bundle-software-factory ## Build everything +build/all: build build/zarf build/uds build/software-factory-namespaces build/idam-dns build/idam-realm build/idam-postgres build/idam-gitlab build/idam-sonarqube build/uds-bundle-software-factory ## Build everything build: ## Create build directory mkdir -p build @@ -180,6 +180,9 @@ build/idam-dns: | build ## Build idam-dns package build/idam-realm: | build ## Build idam-realm package cd build && ./zarf package create ../packages/idam-realm/ --confirm --output-directory . +build/idam-postgres: | build ## Build idam-postgres package + cd build && ./zarf package create ../packages/idam-postgres/ --confirm --output-directory . + build/uds-bundle-software-factory: | build ## Build the software factory cd build && ./uds bundle create ../ --confirm mv uds-bundle-software-factory-demo-*.tar.zst build/ @@ -189,6 +192,7 @@ build/uds-bundle-software-factory: | build ## Build the software factory ######################################################################## deploy: ## Deploy the software factory package + cp uds-config.yaml ./build/ cd ./build && ./uds bundle deploy uds-bundle-software-factory-demo-*.tar.zst --confirm ######################################################################## diff --git a/README.md b/README.md index 55f8a3f..177f7ba 100644 --- a/README.md +++ b/README.md 
@@ -19,6 +19,10 @@ This is the early stages of a UDS Bundle we call the UDS Software Factory. This | [Gitlab](https://github.com/defenseunicorns/uds-capability-gitlab) | Alpha | | [Gitlab-Runner](https://github.com/defenseunicorns/uds-capability-gitlab-runner) | Alpha | | [SonarQube](https://github.com/defenseunicorns/uds-capability-sonarqube) | Alpha | +| [Jira](https://github.com/defenseunicorns/uds-capability-jira) | Alpha | +| [Confluence](https://github.com/defenseunicorns/uds-capability-confluence) | Alpha | +| [Mattermost](https://github.com/defenseunicorns/uds-capability-mattermost-operator) | Alpha | +| [Nexus](https://github.com/defenseunicorns/uds-capability-nexus) | Alpha | ## Prerequisites diff --git a/packages/idam-gitlab/gitlab-sso-demo.json b/packages/idam-gitlab/gitlab-sso-demo.json index 36b079c..ce4ca21 100644 --- a/packages/idam-gitlab/gitlab-sso-demo.json +++ b/packages/idam-gitlab/gitlab-sso-demo.json @@ -7,15 +7,15 @@ "Gitlab" ], "response_type": "code", - "issuer": "https://keycloak.bigbang.dev/auth/realms/baby-yoda", + "issuer": "https://keycloak.###ZARF_VAR_DOMAIN###/auth/realms/baby-yoda", "client_auth_method": "query", "discovery": true, "uid_field": "preferred_username", "client_options": { "identifier": "dev_00eb8904-5b88-4c68-ad67-cec0d2e07aa6_gitlab", "secret": "", - "redirect_uri": "https://gitlab.bigbang.dev/users/auth/openid_connect/callback", - "end_session_endpoint": "https://keycloak.bigbang.dev/auth/realms/baby-yoda/protocol/openid-connect/logout" + "redirect_uri": "https://gitlab.###ZARF_VAR_DOMAIN###/users/auth/openid_connect/callback", + "end_session_endpoint": "https://keycloak.###ZARF_VAR_DOMAIN###/auth/realms/baby-yoda/protocol/openid-connect/logout" } } } diff --git a/packages/idam-gitlab/zarf.yaml b/packages/idam-gitlab/zarf.yaml index d675ebd..9a5cfcc 100644 --- a/packages/idam-gitlab/zarf.yaml +++ b/packages/idam-gitlab/zarf.yaml 
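Review bot: The `###ZARF_VAR_DOMAIN###` placeholders now in `issuer`, `redirect_uri` and `end_session_endpoint` are only substituted if Zarf actually templates this file, which the diff does not let me confirm: packages/idam-gitlab/zarf.yaml refers to it only through the `GITLAB_SSO_JSON` variable default. If the file is not in a component `files:` entry (or otherwise passed through Zarf templating), the literal placeholder becomes the OIDC issuer and discovery fails when GitLab starts. Since JSON has no comment syntax, a comment on the consuming component in zarf.yaml — `# gitlab-sso-demo.json contains ###ZARF_VAR_DOMAIN### and must stay in a templated files entry` — would make the dependency explicit; the same applies to packages/idam-realm/files/baby-yoda.json.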
@@ -3,10 +3,12 @@ kind: ZarfPackageConfig metadata: name: software-factory-idam-gitlab description: "The IDAM/SSO manifest and variables for the GitLab Capability" - version: "1.0.0" + version: "1.0.1" architecture: amd64 variables: + - name: DOMAIN + default: "test.dev" - name: GITLAB_SSO_JSON default: gitlab-sso-demo.json prompt: false diff --git a/packages/idam-postgres/policy-exceptions/externalName.yaml b/packages/idam-postgres/policy-exceptions/externalName.yaml new file mode 100644 index 0000000..3873b5d --- /dev/null +++ b/packages/idam-postgres/policy-exceptions/externalName.yaml @@ -0,0 +1,19 @@ +apiVersion: kyverno.io/v2alpha1 +kind: PolicyException +metadata: + name: keycloak-postgres-external-names-exception + namespace: keycloak +spec: + exceptions: + - policyName: restrict-external-names + ruleNames: + - external-names + match: + any: + - resources: + kinds: + - Service + namespaces: + - keycloak + names: + - keycloak-postgresql diff --git a/packages/idam-postgres/policy-exceptions/registry.yaml b/packages/idam-postgres/policy-exceptions/registry.yaml new file mode 100644 index 0000000..ab82a2d --- /dev/null +++ b/packages/idam-postgres/policy-exceptions/registry.yaml @@ -0,0 +1,20 @@ +apiVersion: kyverno.io/v2alpha1 +kind: PolicyException +metadata: + name: keycloak-postgres-registry-exception + namespace: keycloak +spec: + exceptions: + - policyName: restrict-image-registries + ruleNames: + - validate-registries + - autogen-validate-registries + match: + any: + - resources: + kinds: + - StatefulSet + namespaces: + - keycloak + names: + - postgresql diff --git a/packages/idam-postgres/service.yaml b/packages/idam-postgres/service.yaml new file mode 100644 index 0000000..ba853ff --- /dev/null +++ b/packages/idam-postgres/service.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +kind: Service +metadata: + name: keycloak-postgresql + namespace: keycloak +spec: + type: ExternalName + externalName: postgresql.keycloak.svc.cluster.local 
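Review bot: `default: "test.dev"` for `DOMAIN` makes this package point the GitLab OIDC issuer and redirect URI at a hostname nothing in this bundle serves unless uds-config.yaml overrides it, and because `.dev` is a public TLD the fallback is a domain a third party could register, which is a poor default for an SSO callback. Either use the default the rest of the repository assumes (uds-config.yaml and the e2e tests use `bigbang.dev`) or document the choice with `# Overridden per deployment via uds-config.yaml; the default is deliberately not a host this bundle serves`. The same default is introduced in packages/idam-realm/zarf.yaml.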
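Review bot: Both PolicyExceptions are scoped to one named resource in the keycloak namespace, which is the right shape, but neither file records why the carve-out exists, and the image the registry exception admits (`docker.io/bitnami/postgresql:15.3.0-debian-11-r24` in packages/idam-postgres/zarf.yaml) is pinned by tag only. Add a header comment to each, e.g. `# Dev-only: the bitnami postgresql chart pulls from docker.io and is fronted by an ExternalName service; scoped to the single named resource so the cluster-wide policy otherwise stays in force`, and consider pinning the image by digest so the exception cannot be satisfied by a retagged image. The `restrict-external-names` exception covers only the `keycloak-postgresql` Service, whose target in service.yaml (`postgresql.keycloak.svc.cluster.local`) stays in-cluster; that is what justifies the exception and is worth stating in the comment.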
diff --git a/packages/idam-postgres/values.yaml b/packages/idam-postgres/values.yaml new file mode 100644 index 0000000..54038fe --- /dev/null +++ b/packages/idam-postgres/values.yaml @@ -0,0 +1,3 @@ +auth: + username: kcadmin + database: keycloak \ No newline at end of file diff --git a/packages/idam-postgres/zarf.yaml b/packages/idam-postgres/zarf.yaml new file mode 100644 index 0000000..027a1cc --- /dev/null +++ b/packages/idam-postgres/zarf.yaml @@ -0,0 +1,53 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/defenseunicorns/zarf/main/zarf.schema.json +kind: ZarfPackageConfig +metadata: + name: keycloak-postgres + version: "0.0.1" + architecture: amd64 + +components: + - name: postgres-kyverno-exceptions + required: true + manifests: + - name: kyverno-exceptions + files: + - policy-exceptions/externalName.yaml + - policy-exceptions/registry.yaml + - name: postgres + required: true + charts: + - name: postgresql + version: 12.6.6 + namespace: keycloak + url: https://charts.bitnami.com/bitnami + valuesFiles: + - "values.yaml" + images: + - docker.io/bitnami/postgresql:15.3.0-debian-11-r24 + actions: + onDeploy: + after: + - wait: + cluster: + kind: Pod + name: postgresql-0 + condition: Ready + namespace: keycloak + - name: postgres-secret + required: true + actions: + onDeploy: + before: + - cmd: kubectl get secret -n keycloak postgresql --template={{.data.password}} | base64 -d + mute: true + setVariables: + - name: KEYCLOAK_DB_PASSWORD + sensitive: true + after: + - cmd: kubectl create secret generic keycloak-postgres -n keycloak --from-literal=password=${ZARF_VAR_KEYCLOAK_DB_PASSWORD} --dry-run=client -o yaml | kubectl apply -f - + - name: postgres-service + required: true + manifests: + - name: service for keycloak + files: + - service.yaml diff --git a/packages/idam-realm/files/baby-yoda.json b/packages/idam-realm/files/baby-yoda.json index debacd6..d2cb511 100644 --- a/packages/idam-realm/files/baby-yoda.json 
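Review bot: In the `postgres-secret` component the recovered password is re-injected with `--from-literal=password=${ZARF_VAR_KEYCLOAK_DB_PASSWORD}`, which places the secret on a process command line (visible in `ps`, shell history and any command logging on the deploying host) and is unquoted, so a chart-generated password containing shell metacharacters would break the command. Feed it on stdin instead: `- cmd: printf '%s' "${ZARF_VAR_KEYCLOAK_DB_PASSWORD}" | kubectl create secret generic keycloak-postgres -n keycloak --from-file=password=/dev/stdin --dry-run=client -o yaml | kubectl apply -f -`. values.yaml sets no `auth.password`, so the value read back in the `before` action is the one the chart generated on install; a comment saying so above that `cmd` would save the next reader a trip to the chart docs. The other packages in this repository call `./zarf tools kubectl` rather than bare `kubectl`; using one form consistently avoids depending on the deploying host's PATH.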
+++ b/packages/idam-realm/files/baby-yoda.json @@ -317,7 +317,7 @@ "dev_00eb8904-5b88-4c68-ad67-cec0d2e07aa6_twistlock-saml": [], "dev_00eb8904-5b88-4c68-ad67-cec0d2e07aa6_kibana": [], "dev_00eb8904-5b88-4c68-ad67-cec0d2e07aa6_saml-sonarqube": [], - "https://nexus.bigbang.dev/service/rest/v1/security/saml/metadata": [], + "https://nexus.###ZARF_VAR_DOMAIN###/service/rest/v1/security/saml/metadata": [], "dev_00eb8904-5b88-4c68-ad67-cec0d2e07aa6_jaeger": [], "admin-cli": [], "dev_00eb8904-5b88-4c68-ad67-cec0d2e07aa6_argocd": [], @@ -662,8 +662,8 @@ "alwaysDisplayInConsole": false, "clientAuthenticatorType": "client-secret", "redirectUris": [ - "https://alertmanager.bigbang.dev/login/generic_oauth", - "https://alertmanager.dogfood.bigbang.dev/login/generic_oauth" + "https://alertmanager.###ZARF_VAR_DOMAIN###/login/generic_oauth", + "https://alertmanager.dogfood.###ZARF_VAR_DOMAIN###/login/generic_oauth" ], "webOrigins": [], "notBefore": 0, @@ -709,15 +709,15 @@ "id": "ec39f333-e4ce-434e-9cf1-f39651915b37", "clientId": "dev_00eb8904-5b88-4c68-ad67-cec0d2e07aa6_anchore", "name": "BigBang Dev Anchore", - "adminUrl": "https://anchore.bigbang.dev/service/sso/auth/keycloak", + "adminUrl": "https://anchore.###ZARF_VAR_DOMAIN###/service/sso/auth/keycloak", "baseUrl": "", "surrogateAuthRequired": false, "enabled": true, "alwaysDisplayInConsole": false, "clientAuthenticatorType": "client-secret", "redirectUris": [ - "https://anchore.dogfood.bigbang.dev/service/sso/auth/keycloak", - "https://anchore.bigbang.dev/service/sso/auth/keycloak" + "https://anchore.dogfood.###ZARF_VAR_DOMAIN###/service/sso/auth/keycloak", + "https://anchore.###ZARF_VAR_DOMAIN###/service/sso/auth/keycloak" ], "webOrigins": [], "notBefore": 0, 
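Review bot: The templated `redirectUris` keep both `https://alertmanager.###ZARF_VAR_DOMAIN###/login/generic_oauth` and the `dogfood.` variant, so each client accepts callbacks on two hostnames under whatever DOMAIN is deployed, and the `dogfood.` entries look like leftovers from the upstream Big Bang dev realm rather than anything this bundle serves. Every entry in `redirectUris` widens where an authorization code or SAML response may be sent, so trim each list to the hostnames the bundle actually deploys; the same pattern recurs in the anchore, argocd, gitlab, grafana, kiali, kibana, chat, prometheus, sonarqube and twistlock clients in the later hunks. Whether any `dogfood.` host is still in use is not visible from the diff, so confirm with the realm's owners before removing.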
@@ -731,7 +731,7 @@ "frontchannelLogout": true, "protocol": "saml", "attributes": { - "saml_assertion_consumer_url_redirect": "https://anchore.bigbang.dev/service/sso/auth/keycloak", + "saml_assertion_consumer_url_redirect": "https://anchore.###ZARF_VAR_DOMAIN###/service/sso/auth/keycloak", "saml.multivalued.roles": "false", "saml.force.post.binding": "true", "oauth2.device.authorization.grant.enabled": "false", @@ -747,7 +747,7 @@ "saml.assertion.signature": "true", "id.token.as.detached.signature": "false", "saml.encrypt": "false", - "saml_assertion_consumer_url_post": "https://anchore.bigbang.dev/service/sso/auth/keycloak", + "saml_assertion_consumer_url_post": "https://anchore.###ZARF_VAR_DOMAIN###/service/sso/auth/keycloak", "saml.server.signature": "true", "exclude.session.state.from.auth.response": "false", "saml.artifact.binding.identifier": "7CotOBSAei1i2frOht5AFaONGy0=", @@ -778,8 +778,8 @@ "alwaysDisplayInConsole": false, "clientAuthenticatorType": "client-secret", "redirectUris": [ - "https://argocd.dogfood.bigbang.dev/auth/callback", - "https://argocd.bigbang.dev/auth/callback" + "https://argocd.dogfood.###ZARF_VAR_DOMAIN###/auth/callback", + "https://argocd.###ZARF_VAR_DOMAIN###/auth/callback" ], "webOrigins": [], "notBefore": 0, 
@@ -834,10 +834,10 @@ "alwaysDisplayInConsole": false, "clientAuthenticatorType": "client-secret", "redirectUris": [ - "https://code.bigbang.dev/users/auth/openid_connect/callback*", - "https://code.dogfood.bigbang.dev/users/auth/openid_connect/callback*", - "https://gitlab.bigbang.dev/users/auth/openid_connect/callback*", - "https://gitlab.dogfood.bigbang.dev/users/auth/openid_connect/callback*" + "https://code.###ZARF_VAR_DOMAIN###/users/auth/openid_connect/callback*", + "https://code.dogfood.###ZARF_VAR_DOMAIN###/users/auth/openid_connect/callback*", + "https://gitlab.###ZARF_VAR_DOMAIN###/users/auth/openid_connect/callback*", + "https://gitlab.dogfood.###ZARF_VAR_DOMAIN###/users/auth/openid_connect/callback*" ], "webOrigins": [], "notBefore": 0, @@ -892,8 +892,8 @@ "alwaysDisplayInConsole": false, "clientAuthenticatorType": "client-secret", "redirectUris": [ - "https://grafana.dogfood.bigbang.dev/login/generic_oauth", - "https://grafana.bigbang.dev/login/generic_oauth" + "https://grafana.dogfood.###ZARF_VAR_DOMAIN###/login/generic_oauth", + "https://grafana.###ZARF_VAR_DOMAIN###/login/generic_oauth" ], "webOrigins": [], "notBefore": 0, @@ -946,7 +946,7 @@ "alwaysDisplayInConsole": false, "clientAuthenticatorType": "client-secret", "redirectUris": [ - "https://tracing.bigbang.dev/login" + "https://tracing.###ZARF_VAR_DOMAIN###/login" ], "webOrigins": [], "notBefore": 0, 
@@ -1002,16 +1002,16 @@ "id": "fb41d5e6-dc17-4c88-90d3-adfdaa08d1b8", "clientId": "dev_00eb8904-5b88-4c68-ad67-cec0d2e07aa6_kiali", "name": "BigBang Dev Kiali", - "rootUrl": "https://kiali.bigbang.dev/kiali", - "adminUrl": "https://kiali.bigbang.dev/kiali", + "rootUrl": "https://kiali.###ZARF_VAR_DOMAIN###/kiali", + "adminUrl": "https://kiali.###ZARF_VAR_DOMAIN###/kiali", "baseUrl": "", "surrogateAuthRequired": false, "enabled": true, "alwaysDisplayInConsole": false, "clientAuthenticatorType": "client-secret", "redirectUris": [ - "https://kiali.bigbang.dev/kiali/*", - "https://kiali.dogfood.bigbang.dev/kiali/*" + "https://kiali.###ZARF_VAR_DOMAIN###/kiali/*", + "https://kiali.dogfood.###ZARF_VAR_DOMAIN###/kiali/*" ], "webOrigins": [], "notBefore": 0, @@ -1074,8 +1074,8 @@ "alwaysDisplayInConsole": false, "clientAuthenticatorType": "client-secret", "redirectUris": [ - "https://kibana.dogfood.bigbang.dev/*", - "https://kibana.bigbang.dev/*" + "https://kibana.dogfood.###ZARF_VAR_DOMAIN###/*", + "https://kibana.###ZARF_VAR_DOMAIN###/*" ], "webOrigins": [], "notBefore": 0, @@ -1129,10 +1129,10 @@ "alwaysDisplayInConsole": false, "clientAuthenticatorType": "client-secret", "redirectUris": [ - "https://chat.dogfood.bigbang.dev/signup/gitlab/complete", - "https://chat.bigbang.dev/login/gitlab/complete", - "https://chat.bigbang.dev/signup/gitlab/complete", - "https://chat.dogfood.bigbang.dev/login/gitlab/complete" + "https://chat.dogfood.###ZARF_VAR_DOMAIN###/signup/gitlab/complete", + "https://chat.###ZARF_VAR_DOMAIN###/login/gitlab/complete", + "https://chat.###ZARF_VAR_DOMAIN###/signup/gitlab/complete", + "https://chat.dogfood.###ZARF_VAR_DOMAIN###/login/gitlab/complete" ], "webOrigins": [], "notBefore": 0, 
@@ -1232,8 +1232,8 @@ "alwaysDisplayInConsole": false, "clientAuthenticatorType": "client-secret", "redirectUris": [ - "https://prometheus.bigbang.dev/login/generic_oauth", - "https://prometheus.dogfood.bigbang.dev/login/generic_oauth" + "https://prometheus.###ZARF_VAR_DOMAIN###/login/generic_oauth", + "https://prometheus.dogfood.###ZARF_VAR_DOMAIN###/login/generic_oauth" ], "webOrigins": [], "notBefore": 0, @@ -1291,8 +1291,8 @@ "clientAuthenticatorType": "client-secret", "secret": "**********", "redirectUris": [ - "https://sonarqube.dogfood.bigbang.dev/oauth2/callback/saml*", - "https://sonarqube.bigbang.dev/oauth2/callback/saml*" + "https://sonarqube.dogfood.###ZARF_VAR_DOMAIN###/oauth2/callback/saml*", + "https://sonarqube.###ZARF_VAR_DOMAIN###/oauth2/callback/saml*" ], "webOrigins": [], "notBefore": 0, @@ -1401,7 +1401,7 @@ "alwaysDisplayInConsole": false, "clientAuthenticatorType": "client-secret", "redirectUris": [ - "https://twistlock.bigbang.dev/api/v1/authenticate/callback/oidc" + "https://twistlock.###ZARF_VAR_DOMAIN###/api/v1/authenticate/callback/oidc" ], "webOrigins": [], "notBefore": 0, @@ -1460,8 +1460,8 @@ "alwaysDisplayInConsole": false, "clientAuthenticatorType": "client-secret", "redirectUris": [ - "https://twistlock.bigbang.dev*", - "https://twistlock.dogfood.bigbang.dev*" + "https://twistlock.###ZARF_VAR_DOMAIN###*", + "https://twistlock.dogfood.###ZARF_VAR_DOMAIN###*" ], "webOrigins": [], "notBefore": 0, @@ -1520,8 +1520,8 @@ "alwaysDisplayInConsole": false, "clientAuthenticatorType": "client-secret", "redirectUris": [ - "https://vault.bigbang.dev/ui/vault/auth/oidc/oidc/callback", - "https://vault.bigbang.dev/oidc/callback" + "https://vault.###ZARF_VAR_DOMAIN###/ui/vault/auth/oidc/oidc/callback", + "https://vault.###ZARF_VAR_DOMAIN###/oidc/callback" ], "webOrigins": [], "notBefore": 0, 
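Review bot: `https://twistlock.###ZARF_VAR_DOMAIN###*` and `https://twistlock.dogfood.###ZARF_VAR_DOMAIN###*` place the wildcard immediately after the hostname with no path separator; as far as I know Keycloak treats a trailing `*` as a prefix match, so any hostname that merely begins with the templated one would also pass redirect validation. The templating does not change that, but it is the natural moment to tighten it: anchor the pattern to a path, e.g. `https://twistlock.###ZARF_VAR_DOMAIN###/*`, as the kiali client already does with `/kiali/*`. The gitlab `callback*` and sonarqube `oauth2/callback/saml*` entries at least end inside a path and are less exposed.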
@@ -1592,16 +1592,16 @@ }, { "id": "f975a475-89c7-43bc-bddb-c9d974ff5ac3", - "clientId": "https://nexus.bigbang.dev/service/rest/v1/security/saml/metadata", + "clientId": "https://nexus.###ZARF_VAR_DOMAIN###/service/rest/v1/security/saml/metadata", "surrogateAuthRequired": false, "enabled": true, "alwaysDisplayInConsole": false, "clientAuthenticatorType": "client-secret", "redirectUris": [ - "https://nexus.bigbang.dev/saml" + "https://nexus.###ZARF_VAR_DOMAIN###/saml" ], "webOrigins": [ - "https://nexus.bigbang.dev" + "https://nexus.###ZARF_VAR_DOMAIN###" ], "notBefore": 0, "bearerOnly": false, @@ -1615,10 +1615,10 @@ "protocol": "saml", "attributes": { "saml.assertion.signature": "true", - "saml_single_logout_service_url_post": "https://nexus.bigbang.dev/saml", + "saml_single_logout_service_url_post": "https://nexus.###ZARF_VAR_DOMAIN###/saml", "saml.force.post.binding": "true", "saml.encrypt": "true", - "saml_assertion_consumer_url_post": "https://nexus.bigbang.dev/saml", + "saml_assertion_consumer_url_post": "https://nexus.###ZARF_VAR_DOMAIN###/saml", "saml.server.signature": "true", "saml.server.signature.keyinfo.ext": "false", "saml.signing.certificate": "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", diff --git a/packages/idam-realm/zarf.yaml b/packages/idam-realm/zarf.yaml index 0edb161..8a19cbc 100644 --- a/packages/idam-realm/zarf.yaml +++ b/packages/idam-realm/zarf.yaml @@ -3,9 +3,13 @@ kind: ZarfPackageConfig metadata: name: software-factory-idam-realm description: "Brings realm for keycloak to import" - version: "1.0.0" + version: "1.0.1" architecture: amd64 +variables: + - name: DOMAIN + default: "test.dev" + components: - name: realm-file required: true diff --git a/packages/idam-sonarqube/zarf.yaml b/packages/idam-sonarqube/zarf.yaml index 5c20f04..e977cca 100644 --- a/packages/idam-sonarqube/zarf.yaml +++ b/packages/idam-sonarqube/zarf.yaml 
@@ -3,7 +3,7 @@ kind: ZarfPackageConfig metadata: name: software-factory-idam-sonarqube description: "The IDAM/SSO manifest and variables for the SonarQube Capability" - version: "1.0.0" + version: "1.0.1" architecture: amd64 components: @@ -26,10 +26,6 @@ components: - cmd: echo saml setVariables: - name: SONARQUBE_IDAM_PROVIDER_NAME - # Get the URL for the realm used for auth - - cmd: echo https://keycloak.bigbang.dev/auth/realms/baby-yoda - setVariables: - - name: SONARQUBE_IDAM_REALM_URL # Get the SAML certificate from keycloak - cmd: ./zarf tools kubectl run saml-cert -n keycloak --image=registry1.dso.mil/ironbank/big-bang/base:2.0.0 -- sleep infinity - wait: diff --git a/packages/namespaces/values.yaml b/packages/namespaces/values.yaml index ec25cc1..6440108 100644 --- a/packages/namespaces/values.yaml +++ b/packages/namespaces/values.yaml @@ -24,3 +24,36 @@ namespaces: - name: sonarqube-db labels: istio-injection: enabled + - name: confluence + labels: + istio-injection: enabled + - name: confluence-db + labels: + istio-injection: enabled + - name: jira + labels: + istio-injection: enabled + - name: jira-db + labels: + istio-injection: enabled + - name: mattermost + labels: + istio-injection: enabled + - name: mattermost-db + labels: + istio-injection: enabled + - name: mattermost-minio + labels: + istio-injection: enabled + - name: mattermost-operator + labels: + istio-injection: enabled + - name: nexus + labels: + istio-injection: enabled + - name: nexus-db + labels: + istio-injection: enabled + - name: keycloak + labels: + istio-injection: enabled diff --git a/test/e2e/e2e_basic_smoke_test.go b/test/e2e/e2e_basic_smoke_test.go index 8065809..26b1593 100644 --- a/test/e2e/e2e_basic_smoke_test.go +++ b/test/e2e/e2e_basic_smoke_test.go 
@@ -76,5 +76,93 @@ func TestAllServicesRunning(t *testing.T) { //nolint:funlen // Ensure that Sonarqube is available outside of the cluster. output, err = platform.RunSSHCommandAsSudo(`timeout 1200 bash -c "while ! curl -L -s --fail --show-error https://sonarqube.bigbang.dev/login > /dev/null; do sleep 5; done"`) require.NoError(t, err, output) + + // Wait for the jira statefulset to exist. + output, err = platform.RunSSHCommandAsSudo(`timeout 1200 bash -c "while ! kubectl get statefulset jira -n jira; do sleep 5; done"`) + require.NoError(t, err, output) + + // Wait for the jira statefulset to report that it is ready + output, err = platform.RunSSHCommandAsSudo(`kubectl rollout status statefulset/jira -n jira --watch --timeout=1200s`) + require.NoError(t, err, output) + + // Ensure that the services do not accept discontinued TLS versions. If they reject TLSv1.1 it is assumed that they also reject anything below TLSv1.1. + // Ensure that jira does not accept TLSv1.1 + output, err = platform.RunSSHCommandAsSudo(`sslscan jira.bigbang.dev | grep "TLSv1.1" | grep "disabled"`) + require.NoError(t, err, output) + + // Setup DNS records for cluster services + output, err = platform.RunSSHCommandAsSudo(`cd ~/app && utils/metallb/dns.sh && utils/metallb/hosts-write.sh`) + require.NoError(t, err, output) + + // Ensure that jira is available outside of the cluster. + output, err = platform.RunSSHCommandAsSudo(`timeout 1200 bash -c "while ! curl -L -s --fail --show-error https://jira.bigbang.dev/status > /dev/null; do sleep 5; done"`) + require.NoError(t, err, output) + + // Wait for the confluence statefulset to exist. + output, err = platform.RunSSHCommandAsSudo(`timeout 1200 bash -c "while ! 
kubectl get statefulset confluence -n confluence; do sleep 5; done"`) + require.NoError(t, err, output) + + // Wait for the confluence statefulset to report that it is ready + output, err = platform.RunSSHCommandAsSudo(`kubectl rollout status statefulset/confluence -n confluence --watch --timeout=1200s`) + require.NoError(t, err, output) + + // Ensure that the services do not accept discontinued TLS versions. If they reject TLSv1.1 it is assumed that they also reject anything below TLSv1.1. + // Ensure that confluence does not accept TLSv1.1 + output, err = platform.RunSSHCommandAsSudo(`sslscan confluence.bigbang.dev | grep "TLSv1.1" | grep "disabled"`) + require.NoError(t, err, output) + + // Setup DNS records for cluster services + output, err = platform.RunSSHCommandAsSudo(`cd ~/app && utils/metallb/dns.sh && utils/metallb/hosts-write.sh`) + require.NoError(t, err, output) + + // Ensure that confluence is available outside of the cluster. + output, err = platform.RunSSHCommandAsSudo(`timeout 1200 bash -c "while ! curl -L -s --fail --show-error https://confluence.bigbang.dev/status > /dev/null; do sleep 5; done"`) + require.NoError(t, err, output) + + // Wait for the mattermost-operator Deployment to exist. + output, err = platform.RunSSHCommandAsSudo(`timeout 1200 bash -c "while ! kubectl get deployment mattermost-operator -n mattermost-operator; do sleep 5; done"`) + require.NoError(t, err, output) + + // Wait for the mattermost-operator Deployment to report that it is ready + output, err = platform.RunSSHCommandAsSudo(`kubectl rollout status deployment/mattermost-operator -n mattermost-operator --watch --timeout=1200s`) + require.NoError(t, err, output) + + // Wait for the mattermost Deployment to exist. + output, err = platform.RunSSHCommandAsSudo(`timeout 1200 bash -c "while ! 
kubectl get deployment mattermost -n mattermost; do sleep 5; done"`) + require.NoError(t, err, output) + + // Setup DNS records for cluster services + output, err = platform.RunSSHCommandAsSudo(`cd ~/app && utils/metallb/dns.sh && utils/metallb/hosts-write.sh`) + require.NoError(t, err, output) + + // Ensure that Mattermost does not accept TLSv1.1 + output, err = platform.RunSSHCommandAsSudo(`sslscan chat.bigbang.dev | grep "TLSv1.1" | grep "disabled"`) + require.NoError(t, err, output) + + // Ensure that Mattermost is available outside of the cluster. + output, err = platform.RunSSHCommandAsSudo(`timeout 1200 bash -c "while ! curl -L -s --fail --show-error https://chat.bigbang.dev/login > /dev/null; do sleep 5; done"`) + require.NoError(t, err, output) + + // Wait for the nexus Deployment to exist. + output, err = platform.RunSSHCommandAsSudo(`timeout 1200 bash -c "while ! kubectl get deployment nexus-nexus-repository-manager -n nexus; do sleep 5; done"`) + require.NoError(t, err, output) + + // Wait for the nexus Deployment to report that it is ready + output, err = platform.RunSSHCommandAsSudo(`kubectl rollout status deployment/nexus-nexus-repository-manager -n nexus --watch --timeout=1200s`) + require.NoError(t, err, output) + + // Ensure that the services do not accept discontinued TLS versions. If they reject TLSv1.1 it is assumed that they also reject anything below TLSv1.1. + // Ensure that nexus does not accept TLSv1.1 + output, err = platform.RunSSHCommandAsSudo(`sslscan nexus.bigbang.dev | grep "TLSv1.1" | grep "disabled"`) + require.NoError(t, err, output) + + // Setup DNS records for cluster services + output, err = platform.RunSSHCommandAsSudo(`cd ~/app && utils/metallb/dns.sh && utils/metallb/hosts-write.sh`) + require.NoError(t, err, output) + + // Ensure that nexus is available outside of the cluster. + output, err = platform.RunSSHCommandAsSudo(`timeout 1200 bash -c "while ! 
curl -L -s --fail --show-error https://nexus.bigbang.dev > /dev/null; do sleep 5; done"`) + require.NoError(t, err, output) + }) } diff --git a/uds-bundle.yaml b/uds-bundle.yaml index 0842f08..b5acb57 100644 --- a/uds-bundle.yaml +++ b/uds-bundle.yaml @@ -3,7 +3,7 @@ kind: UDSBundle metadata: name: software-factory-demo description: A UDS bundle for deploying a software factory to k3d for demonstration purposes NOT FOR PRODUCTION - version: 0.0.5 + version: 0.0.6 architecture: amd64 zarf-packages: @@ -17,7 +17,7 @@ zarf-packages: # Defense Unicorns Big Bang Distro - name: dubbd-k3d repository: ghcr.io/defenseunicorns/packages/dubbd-k3d - ref: 0.8.1 + ref: 0.10.1 # Namespace pre-reqs for swf capabilities - name: software-factory-namespaces @@ -27,24 +27,32 @@ zarf-packages: # Change the realm file keycloak imports from - name: software-factory-idam-realm path: build - ref: 1.0.0 + ref: 1.0.1 optional-components: - exported-variables exports: - name: REALM_IMPORT_FILE # Identity and Access Management + - name: keycloak-postgres + path: build + ref: 0.0.1 + exports: + - name: KEYCLOAK_DB_PASSWORD + - name: uds-idam repository: ghcr.io/defenseunicorns/uds-capability/uds-idam - ref: 0.1.9 + ref: 0.1.12 imports: - name: REALM_IMPORT_FILE package: software-factory-idam-realm + - name: KEYCLOAK_DB_PASSWORD + package: keycloak-postgres # GitLab SSO secret and variables - name: software-factory-idam-gitlab path: build - ref: 1.0.0 + ref: 1.0.1 exports: - name: GITLAB_IDAM_ENABLED - name: GITLAB_IDAM_ALLOWED_SSOS @@ -53,12 +61,11 @@ zarf-packages: # SonarQube SSO secret and variables - name: software-factory-idam-sonarqube path: build - ref: 1.0.0 + ref: 1.0.1 exports: - name: SONARQUBE_IDAM_ENABLED - name: SONARQUBE_IDAM_CLIENT_ID - name: SONARQUBE_IDAM_PROVIDER_NAME - - name: SONARQUBE_IDAM_REALM_URL - name: SONARQUBE_IDAM_SAML_CERT - name: SONARQUBE_IDAM_ATTR_LOGIN - name: SONARQUBE_IDAM_ATTR_NAME 
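Review bot: The jira, confluence and nexus sections run `sslscan <host>` before the `utils/metallb/dns.sh && utils/metallb/hosts-write.sh` step that writes the host entries, whereas the mattermost section runs the DNS step first; if the new hostname is not resolvable until that step (which the re-run after each rollout suggests), the `sslscan | grep "TLSv1.1" | grep "disabled"` pipeline fails on name resolution rather than proving anything about TLS. The mattermost section also never waits on `kubectl rollout status deployment/mattermost`, unlike every other workload, so its checks start against a possibly half-rolled deployment. The DNS → sslscan → curl sequence is now copied four times; folding it into a closure over the `platform` already in scope fixes the ordering once and keeps the comments in one place. `TestAllServicesRunning` begins before this hunk, so the closure below assumes `t` and `platform` are the ones the hunk already uses.
```go
	// checkExternal refreshes the hosts entries for the cluster's virtualservices,
	// verifies the host rejects TLSv1.1 and then polls url until it answers.
	// Call it only after the workload's rollout has completed.
	checkExternal := func(host, url string) {
		// Setup DNS records for cluster services; must precede sslscan so host resolves
		out, e := platform.RunSSHCommandAsSudo(`cd ~/app && utils/metallb/dns.sh && utils/metallb/hosts-write.sh`)
		require.NoError(t, e, out)

		// Ensure the service does not accept TLSv1.1 (assumed to imply older versions are rejected too)
		out, e = platform.RunSSHCommandAsSudo(`sslscan ` + host + ` | grep "TLSv1.1" | grep "disabled"`)
		require.NoError(t, e, out)

		// Ensure the service is available outside of the cluster
		out, e = platform.RunSSHCommandAsSudo(`timeout 1200 bash -c "while ! curl -L -s --fail --show-error ` + url + ` > /dev/null; do sleep 5; done"`)
		require.NoError(t, e, out)
	}

	// … unchanged: jira statefulset exists / rollout status waits …
	checkExternal("jira.bigbang.dev", "https://jira.bigbang.dev/status")

	// … unchanged: confluence statefulset exists / rollout status waits …
	checkExternal("confluence.bigbang.dev", "https://confluence.bigbang.dev/status")

	// … unchanged: mattermost-operator waits, mattermost deployment exists wait …
	// Wait for the mattermost Deployment to report that it is ready
	output, err = platform.RunSSHCommandAsSudo(`kubectl rollout status deployment/mattermost -n mattermost --watch --timeout=1200s`)
	require.NoError(t, err, output)
	checkExternal("chat.bigbang.dev", "https://chat.bigbang.dev/login")

	// … unchanged: nexus deployment exists / rollout status waits …
	checkExternal("nexus.bigbang.dev", "https://nexus.bigbang.dev")
```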
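Review bot: `keycloak-postgres` exports `KEYCLOAK_DB_PASSWORD` and `uds-idam` imports it, so a database credential now travels between packages as a bundle variable; the Zarf side marks it `sensitive: true`, but whether the bundle layer keeps it out of deploy logs and on-cluster state is not visible here and is worth confirming before this pattern spreads to the other `*-postgres` packages. The `# Identity and Access Management` comment now sits above the postgres entry; a line such as `# Dev-only PostgreSQL for Keycloak; its chart-generated password is exported to uds-idam, so it must be listed before it` would record the ordering constraint the list silently relies on.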
@@ -79,7 +86,7 @@ zarf-packages: - name: gitlab repository: ghcr.io/defenseunicorns/uds-capability/gitlab - ref: 0.1.1 + ref: 0.1.2 imports: - name: GITLAB_IDAM_ENABLED package: software-factory-idam-gitlab @@ -104,7 +111,7 @@ zarf-packages: - name: sonarqube repository: ghcr.io/defenseunicorns/uds-capability/sonarqube - ref: 0.0.10 + ref: 0.0.11 imports: - name: SONARQUBE_IDAM_ENABLED package: software-factory-idam-sonarqube @@ -112,8 +119,6 @@ zarf-packages: package: software-factory-idam-sonarqube - name: SONARQUBE_IDAM_PROVIDER_NAME package: software-factory-idam-sonarqube - - name: SONARQUBE_IDAM_REALM_URL - package: software-factory-idam-sonarqube - name: SONARQUBE_IDAM_SAML_CERT package: software-factory-idam-sonarqube - name: SONARQUBE_IDAM_ATTR_LOGIN 
@@ -123,6 +128,46 @@ zarf-packages: - name: SONARQUBE_IDAM_PROVIDER_EMAIL package: software-factory-idam-sonarqube + # Jira + - name: jira-postgres + repository: ghcr.io/defenseunicorns/uds-capability/jira/dev-dependency/jira-postgres + ref: 0.0.1 + + - name: jira + repository: ghcr.io/defenseunicorns/uds-capability/jira + ref: 0.0.5 + + # Confluence + - name: confluence-postgres + repository: ghcr.io/defenseunicorns/uds-capability/confluence/dev-dependency/confluence-postgres + ref: 0.0.1 + + - name: confluence + repository: ghcr.io/defenseunicorns/uds-capability/confluence + ref: 0.0.4 + + # Mattermost Operator with a Mattermost instance + - name: mattermost-minio + repository: ghcr.io/defenseunicorns/uds-capability/mattermost/dev-dependency/mattermost-minio + ref: 0.0.1 + + - name: mattermost-postgres + repository: ghcr.io/defenseunicorns/uds-capability/mattermost/dev-dependency/mattermost-postgres + ref: 0.0.2 + + - name: mattermost + repository: ghcr.io/defenseunicorns/uds-capability/mattermost + ref: 0.0.2 + + # Nexus + - name: nexus-postgres + repository: ghcr.io/defenseunicorns/uds-capability/nexus/dev-dependency/nexus-postgres + ref: 0.0.1 + + - name: nexus + repository: ghcr.io/defenseunicorns/uds-capability/nexus + ref: 0.0.4 + # Add all virtualservices as internal dns entries for auth callbacks - name: software-factory-idam-dns path: build diff --git a/uds-config.yaml b/uds-config.yaml new file mode 100644 index 0000000..d8ad211 --- /dev/null +++ b/uds-config.yaml 
@@ -0,0 +1,44 @@ +bundle: + deploy: + zarf-packages: + dubbd-k3d: + set: + DOMAIN: "bigbang.dev" + software-factory-idam-gitlab: + set: + DOMAIN: "bigbang.dev" + software-factory-idam-realm: + set: + DOMAIN: "bigbang.dev" + uds-idam: + set: + DOMAIN: "bigbang.dev" + gitlab: + set: + DOMAIN: "bigbang.dev" + GITLAB_DB_NAME: "gitlabdb" + GITLAB_DB_USERNAME: "gitlab" + sonarqube: + set: + DOMAIN: "bigbang.dev" + SONARQUBE_IDAM_REALM_URL: "https://keycloak.bigbang.dev/auth/realms/baby-yoda" + SONARQUBE_DB_NAME: "sonarqubedb" + SONARQUBE_DB_USERNAME: "sonarqube" + jira: + set: + DOMAIN: "bigbang.dev" + JIRA_DB_NAME: "jiradb" + JIRA_DB_USERNAME: "jira" + confluence: + set: + DOMAIN: "bigbang.dev" + CONFLUENCE_DB_NAME: "confluencedb" + CONFLUENCE_DB_USERNAME: "confluence" + mattermost: + set: + DOMAIN: "bigbang.dev" + nexus: + set: + DOMAIN: "bigbang.dev" + NEXUS_DB_NAME: "nexusdb" + NEXUS_DB_USERNAME: "nexus"
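Review bot: `SONARQUBE_IDAM_REALM_URL: "https://keycloak.bigbang.dev/auth/realms/baby-yoda"` hard-codes the domain that every other entry sets through `DOMAIN`, so changing the deployment domain in one place silently leaves SonarQube pointed at the old realm; the derivation that used to live in packages/idam-sonarqube/zarf.yaml is removed in this same commit, so nothing else keeps the two in step. Unless the sonarqube capability can build the URL from `DOMAIN` itself, add `# Must match DOMAIN above; SonarQube does not derive the realm URL` beside it. Because the Makefile now copies this committed file into `build/` on every deploy, a top-of-file comment stating that it carries non-secret settings only (DB names and usernames, never passwords) would set the expectation for whoever extends it next.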