From c17641b4f0456b7157a428610e05f10864b4e018 Mon Sep 17 00:00:00 2001 From: Noah Birrer Date: Wed, 5 Feb 2025 14:57:24 -0500 Subject: [PATCH 001/118] chore: add e2e tests for cloud distros --- .github/workflows/test-aks.yaml | 3 +++ .github/workflows/test-eks.yaml | 3 +++ .github/workflows/test-rke2.yaml | 3 +++ tasks/utils.yaml | 16 ++++++++++++++++ 4 files changed, 25 insertions(+) diff --git a/.github/workflows/test-aks.yaml b/.github/workflows/test-aks.yaml index b293f04061..d94dc974be 100644 --- a/.github/workflows/test-aks.yaml +++ b/.github/workflows/test-aks.yaml @@ -90,6 +90,9 @@ jobs: run: uds deploy .github/bundles/aks/uds-bundle-uds-core-aks-nightly-*.tar.zst --confirm timeout-minutes: 30 + - name: Test UDS Core + run: uds run -f tasks/utils.yaml setup-hosts && uds run -f tasks/test.yaml e2e-tests + - name: Debug Output if: ${{ always() }} uses: ./.github/actions/debug-output diff --git a/.github/workflows/test-eks.yaml b/.github/workflows/test-eks.yaml index c2e4cadf49..2265d6f156 100644 --- a/.github/workflows/test-eks.yaml +++ b/.github/workflows/test-eks.yaml @@ -95,6 +95,9 @@ jobs: run: uds deploy .github/bundles/eks/uds-bundle-uds-core-eks-nightly-*.tar.zst --confirm timeout-minutes: 30 + - name: Test UDS Core + run: uds run -f tasks/utils.yaml setup-hosts && uds run -f tasks/test.yaml e2e-tests + - name: Debug Output if: ${{ always() }} uses: ./.github/actions/debug-output diff --git a/.github/workflows/test-rke2.yaml b/.github/workflows/test-rke2.yaml index 00a7f64499..a197c3f25c 100644 --- a/.github/workflows/test-rke2.yaml +++ b/.github/workflows/test-rke2.yaml @@ -99,6 +99,9 @@ jobs: run: uds deploy .github/bundles/rke2/uds-bundle-uds-core-rke2-nightly-*.tar.zst --confirm timeout-minutes: 30 + - name: Test UDS Core + run: uds run -f tasks/utils.yaml setup-hosts && uds run -f tasks/test.yaml e2e-tests + - name: Debug Output if: ${{ always() }} uses: ./.github/actions/debug-output 
diff --git a/tasks/utils.yaml b/tasks/utils.yaml index 8ca6899d16..bfe873bd75 100644 --- a/tasks/utils.yaml +++ b/tasks/utils.yaml @@ -64,3 +64,19 @@ tasks: --from-literal=password=${PASSWORD} \ -n keycloak fi + + - name: setup-hosts + actions: + - description: Fetch Admin Gateway IP Address + cmd: uds zarf tools kubectl get service -n istio-admin-gateway admin-ingressgateway -o=jsonpath='{.status.loadBalancer.ingress[0].ip}' 2>/dev/null + mute: true + setVariables: + - name: ADMIN_GW_IP + - description: Fetch Tenant Gateway IP Address + cmd: uds zarf tools kubectl get service -n istio-tenant-gateway tenant-ingressgateway -o=jsonpath='{.status.loadBalancer.ingress[0].ip}' 2>/dev/null + mute: true + setVariables: + - name: TENANT_GW_IP + - description: Adds Cluster LoadBalancer IP Addresses to match appropriate hosts names in /etc/hosts + cmd: | + echo "$ADMIN_GW_IP keycloak.admin.uds.dev neuvector.admin.uds.dev grafana.admin.uds.dev\n$TENANT_GW_IP sso.uds.dev" | sudo tee --append /etc/hosts From 4025736537ee3ba54261cc62007b33fa2ab119ce Mon Sep 17 00:00:00 2001 From: Noah Birrer Date: Wed, 5 Feb 2025 15:01:12 -0500 Subject: [PATCH 002/118] lint fix --- tasks/utils.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/utils.yaml b/tasks/utils.yaml index bfe873bd75..e75a1071f2 100644 --- a/tasks/utils.yaml +++ b/tasks/utils.yaml @@ -76,7 +76,7 @@ tasks: cmd: uds zarf tools kubectl get service -n istio-tenant-gateway tenant-ingressgateway -o=jsonpath='{.status.loadBalancer.ingress[0].ip}' 2>/dev/null mute: true setVariables: - - name: TENANT_GW_IP + - name: TENANT_GW_IP - description: Adds Cluster LoadBalancer IP Addresses to match appropriate hosts names in /etc/hosts cmd: | echo "$ADMIN_GW_IP keycloak.admin.uds.dev neuvector.admin.uds.dev grafana.admin.uds.dev\n$TENANT_GW_IP sso.uds.dev" | sudo tee --append /etc/hosts From 5ba76b000ec41532b01f8e37bd6819a3edcbec82 Mon Sep 17 00:00:00 2001 
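Review bot: The `\n` inside the echo string on the last added line is only turned into a newline by shells whose echo interprets escapes (dash does, bash's builtin does not by default), so depending on which shell `cmd` runs under both host groups can land on a single `/etc/hosts` line and `sso.uds.dev` would then resolve to the admin gateway address; `printf` is unambiguous: `printf '%s keycloak.admin.uds.dev neuvector.admin.uds.dev grafana.admin.uds.dev\n%s sso.uds.dev\n' "$ADMIN_GW_IP" "$TENANT_GW_IP" | sudo tee -a /etc/hosts`. The two lookups above it discard stderr and are muted, so a load balancer that has no address yet makes the task silently append hostnames with an empty address; guard first with `[ -n "$ADMIN_GW_IP" ] && [ -n "$TENANT_GW_IP" ] || { echo "gateway address not available" >&2; exit 1; }`. The same echo line is carried forward unchanged in the tasks/utils.yaml hunks of PATCH 005, 013 and 016.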
From: Noah Birrer Date: Wed, 5 Feb 2025 15:23:00 -0500 Subject: [PATCH 003/118] add validate task --- .github/workflows/test-aks.yaml | 2 +- .github/workflows/test-eks.yaml | 2 +- .github/workflows/test-rke2.yaml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/test-aks.yaml b/.github/workflows/test-aks.yaml index d94dc974be..2c0dfe98fe 100644 --- a/.github/workflows/test-aks.yaml +++ b/.github/workflows/test-aks.yaml @@ -91,7 +91,7 @@ jobs: timeout-minutes: 30 - name: Test UDS Core - run: uds run -f tasks/utils.yaml setup-hosts && uds run -f tasks/test.yaml e2e-tests + run: uds run -f tasks/utils.yaml setup-hosts && uds run -f tasks/test.yaml validate-packages && uds run -f tasks/test.yaml e2e-tests - name: Debug Output if: ${{ always() }} diff --git a/.github/workflows/test-eks.yaml b/.github/workflows/test-eks.yaml index 2265d6f156..0a2b7b069a 100644 --- a/.github/workflows/test-eks.yaml +++ b/.github/workflows/test-eks.yaml @@ -96,7 +96,7 @@ jobs: timeout-minutes: 30 - name: Test UDS Core - run: uds run -f tasks/utils.yaml setup-hosts && uds run -f tasks/test.yaml e2e-tests + run: uds run -f tasks/utils.yaml setup-hosts && uds run -f tasks/test.yaml validate-packages && uds run -f tasks/test.yaml e2e-tests - name: Debug Output if: ${{ always() }} diff --git a/.github/workflows/test-rke2.yaml b/.github/workflows/test-rke2.yaml index a197c3f25c..5d4fed315f 100644 --- a/.github/workflows/test-rke2.yaml +++ b/.github/workflows/test-rke2.yaml @@ -100,7 +100,7 @@ jobs: timeout-minutes: 30 - name: Test UDS Core - run: uds run -f tasks/utils.yaml setup-hosts && uds run -f tasks/test.yaml e2e-tests + run: uds run -f tasks/utils.yaml setup-hosts && uds run -f tasks/test.yaml validate-packages && uds run -f tasks/test.yaml e2e-tests - name: Debug Output if: ${{ always() }} From aa1c4d7ec0034d717859a6ccea11d7bc8d294cf8 Mon Sep 17 00:00:00 2001 
From: Noah Birrer Date: Wed, 5 Feb 2025 15:31:29 -0500 Subject: [PATCH 004/118] trigger workflow --- .github/workflows/test-aks.yaml | 1 + .github/workflows/test-eks.yaml | 1 + .github/workflows/test-rke2.yaml | 1 + 3 files changed, 3 insertions(+) diff --git a/.github/workflows/test-aks.yaml b/.github/workflows/test-aks.yaml index 2c0dfe98fe..1e03c0af1a 100644 --- a/.github/workflows/test-aks.yaml +++ b/.github/workflows/test-aks.yaml @@ -14,6 +14,7 @@ on: - tasks/iac.yaml - .github/bundles/aks/* - .github/test-infra/azure/aks/* + - .github/workflows/test-aks.yaml permissions: id-token: write diff --git a/.github/workflows/test-eks.yaml b/.github/workflows/test-eks.yaml index 0a2b7b069a..54cbabdb81 100644 --- a/.github/workflows/test-eks.yaml +++ b/.github/workflows/test-eks.yaml @@ -14,6 +14,7 @@ on: - tasks/iac.yaml - .github/bundles/eks/* - .github/test-infra/aws/eks/* + - .github/workflows/test-eks.yaml permissions: id-token: write diff --git a/.github/workflows/test-rke2.yaml b/.github/workflows/test-rke2.yaml index 5d4fed315f..9a2466c4fe 100644 --- a/.github/workflows/test-rke2.yaml +++ b/.github/workflows/test-rke2.yaml @@ -14,6 +14,7 @@ on: - tasks/iac.yaml - .github/bundles/rke2/* - .github/test-infra/aws/rke2/* + - .github/workflows/test-rke2.yaml permissions: id-token: write From 9fca24c2d073bd2a634f73ed9643a08fb016e58a Mon Sep 17 00:00:00 2001 From: Noah Birrer Date: Wed, 5 Feb 2025 16:24:05 -0500 Subject: [PATCH 005/118] mute task, make passthrough gw validation default to false --- src/istio/tasks.yaml | 2 +- tasks/utils.yaml | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/src/istio/tasks.yaml b/src/istio/tasks.yaml index ab7f2ec080..3f28024a3a 100644 --- a/src/istio/tasks.yaml +++ b/src/istio/tasks.yaml @@ -6,7 +6,7 @@ tasks: inputs: validate_passthrough: description: Whether to validate the passthrough gateway - default: "true" + default: "false" actions: - description: Validate the Istio Admin Gateway wait: 
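Review bot: Flipping the `validate_passthrough` default to "false" switches the passthrough-gateway check off for every caller of this validate task, including the existing k3d flows, rather than only for the cloud distros this series targets. Keeping `default: "true"` and passing `validate_passthrough: "false"` via `with:` from the non-k3d path would leave the default coverage intact. The task definition continues beyond this hunk.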
diff --git a/tasks/utils.yaml b/tasks/utils.yaml index e75a1071f2..93f0ea2aff 100644 --- a/tasks/utils.yaml +++ b/tasks/utils.yaml @@ -78,5 +78,6 @@ tasks: setVariables: - name: TENANT_GW_IP - description: Adds Cluster LoadBalancer IP Addresses to match appropriate hosts names in /etc/hosts + mute: true cmd: | echo "$ADMIN_GW_IP keycloak.admin.uds.dev neuvector.admin.uds.dev grafana.admin.uds.dev\n$TENANT_GW_IP sso.uds.dev" | sudo tee --append /etc/hosts From f3235e5e5b60134b4b084faf269bdc84148bacfd Mon Sep 17 00:00:00 2001 From: Noah Birrer Date: Wed, 5 Feb 2025 17:17:23 -0500 Subject: [PATCH 006/118] add metrics-server --- .github/bundles/aks/uds-bundle.yaml | 5 +++-- .github/bundles/eks/uds-bundle.yaml | 1 + 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/bundles/aks/uds-bundle.yaml b/.github/bundles/aks/uds-bundle.yaml index eb1e994606..370aa00e53 100644 --- a/.github/bundles/aks/uds-bundle.yaml +++ b/.github/bundles/aks/uds-bundle.yaml @@ -20,8 +20,9 @@ packages: ref: 0.35.0 # x-release-please-end # https://github.com/defenseunicorns/uds-core/issues/1222 - # optionalComponents: - # - istio-ambient + optionalComponents: + - metrics-server + #- istio-ambient overrides: istio-admin-gateway: gateway: diff --git a/.github/bundles/eks/uds-bundle.yaml b/.github/bundles/eks/uds-bundle.yaml index acefc76cdf..3e843d0df6 100644 --- a/.github/bundles/eks/uds-bundle.yaml +++ b/.github/bundles/eks/uds-bundle.yaml @@ -20,6 +20,7 @@ packages: ref: 0.35.0 # x-release-please-end optionalComponents: + - metrics-server - istio-ambient overrides: velero: From ec770f52eff90f3ca83e7e2ac44aa59b61b8fe04 Mon Sep 17 00:00:00 2001 
From: Noah Birrer Date: Thu, 6 Feb 2025 11:33:43 -0500 Subject: [PATCH 007/118] exclude metrics-server on aks, group into one task --- .github/bundles/aks/uds-bundle.yaml | 3 +-- .github/workflows/test-aks.yaml | 2 +- .github/workflows/test-eks.yaml | 2 +- .github/workflows/test-rke2.yaml | 2 +- tasks/test.yaml | 18 ++++++++++++++++-- 5 files changed, 20 insertions(+), 7 deletions(-) diff --git a/.github/bundles/aks/uds-bundle.yaml b/.github/bundles/aks/uds-bundle.yaml index 370aa00e53..226ad9b190 100644 --- a/.github/bundles/aks/uds-bundle.yaml +++ b/.github/bundles/aks/uds-bundle.yaml @@ -20,8 +20,7 @@ packages: ref: 0.35.0 # x-release-please-end # https://github.com/defenseunicorns/uds-core/issues/1222 - optionalComponents: - - metrics-server + #optionalComponents: #- istio-ambient overrides: istio-admin-gateway: diff --git a/.github/workflows/test-aks.yaml b/.github/workflows/test-aks.yaml index 1e03c0af1a..8b40034315 100644 --- a/.github/workflows/test-aks.yaml +++ b/.github/workflows/test-aks.yaml @@ -92,7 +92,7 @@ jobs: timeout-minutes: 30 - name: Test UDS Core - run: uds run -f tasks/utils.yaml setup-hosts && uds run -f tasks/test.yaml validate-packages && uds run -f tasks/test.yaml e2e-tests + run: uds run -f tasks/test.yaml uds-core-non-k3d --set EXCLUDED_PACKAGES="metrics-server" - name: Debug Output if: ${{ always() }} diff --git a/.github/workflows/test-eks.yaml b/.github/workflows/test-eks.yaml index 54cbabdb81..be165bbf63 100644 --- a/.github/workflows/test-eks.yaml +++ b/.github/workflows/test-eks.yaml @@ -97,7 +97,7 @@ jobs: timeout-minutes: 30 - name: Test UDS Core - run: uds run -f tasks/utils.yaml setup-hosts && uds run -f tasks/test.yaml validate-packages && uds run -f tasks/test.yaml e2e-tests + run: uds run -f tasks/test.yaml uds-core-non-k3d - name: Debug Output if: ${{ always() }} diff --git a/.github/workflows/test-rke2.yaml b/.github/workflows/test-rke2.yaml index 9a2466c4fe..688da8975b 100644 --- a/.github/workflows/test-rke2.yaml 
+++ b/.github/workflows/test-rke2.yaml @@ -101,7 +101,7 @@ jobs: timeout-minutes: 30 - name: Test UDS Core - run: uds run -f tasks/utils.yaml setup-hosts && uds run -f tasks/test.yaml validate-packages && uds run -f tasks/test.yaml e2e-tests + run: uds run -f tasks/test.yaml uds-core-non-k3d - name: Debug Output if: ${{ always() }} diff --git a/tasks/test.yaml b/tasks/test.yaml index 054d1e2812..b8e4703ca5 100644 --- a/tasks/test.yaml +++ b/tasks/test.yaml @@ -1,6 +1,11 @@ # Copyright 2024 Defense Unicorns # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial +variables: + - name: EXCLUDED_PACKAGES + description: A comma separated string of packages to be excluded from validation and e2e tests. + default: "" + includes: - create: ./create.yaml - setup: ./setup.yaml @@ -49,8 +54,10 @@ tasks: # loop through each src/* package and run the validate.yaml task actions: - cmd: | - for package in src/*; do - uds run -f ${package}/tasks.yaml validate --no-progress + for package in $(ls src); do + if [[ ! "${EXCLUDED_PACKAGES[*]}" =~ ${package} ]]; then + uds run -f src/${package}/tasks.yaml validate --no-progress + fi done set +e @@ -91,6 +98,13 @@ tasks: - task: uds-core - task: e2e-tests + - name: uds-core-non-k3d + description: "Validate and Test UDS Core deployment on a non K3D Cluster" + actions: + - task: util:setup-hosts + - task: validate-packages + - task: e2e-tests + - name: uds-core-ha description: "Build and test UDS Core" actions: From a80d8fc173fc04823df25a6b6cf934f219e28ed2 Mon Sep 17 00:00:00 2001 From: Noah Birrer Date: Thu, 6 Feb 2025 12:18:21 -0500 Subject: [PATCH 008/118] syntax fix maybe? --- tasks/test.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/test.yaml b/tasks/test.yaml index b8e4703ca5..b0fe8a3a65 100644 --- a/tasks/test.yaml +++ b/tasks/test.yaml 
@@ -55,7 +55,7 @@ tasks: actions: - cmd: | for package in $(ls src); do - if [[ ! "${EXCLUDED_PACKAGES[*]}" =~ ${package} ]]; then + if [[ ! ${EXCLUDED_PACKAGES[*]} =~ ${package} ]]; then uds run -f src/${package}/tasks.yaml validate --no-progress fi done From 27cb7fdc964ad0277dd592f04a911cf017105f9a Mon Sep 17 00:00:00 2001 From: Noah Birrer Date: Thu, 6 Feb 2025 12:19:24 -0500 Subject: [PATCH 009/118] no metrics server on eks --- .github/bundles/eks/uds-bundle.yaml | 1 - .github/workflows/test-eks.yaml | 2 +- 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/bundles/eks/uds-bundle.yaml b/.github/bundles/eks/uds-bundle.yaml index 3e843d0df6..acefc76cdf 100644 --- a/.github/bundles/eks/uds-bundle.yaml +++ b/.github/bundles/eks/uds-bundle.yaml @@ -20,7 +20,6 @@ packages: ref: 0.35.0 # x-release-please-end optionalComponents: - - metrics-server - istio-ambient overrides: velero: diff --git a/.github/workflows/test-eks.yaml b/.github/workflows/test-eks.yaml index be165bbf63..a4d36304a6 100644 --- a/.github/workflows/test-eks.yaml +++ b/.github/workflows/test-eks.yaml @@ -97,7 +97,7 @@ jobs: timeout-minutes: 30 - name: Test UDS Core - run: uds run -f tasks/test.yaml uds-core-non-k3d + run: uds run -f tasks/test.yaml uds-core-non-k3d --set EXCLUDED_PACKAGES="metrics-server" - name: Debug Output if: ${{ always() }} From 391dbc0eee9120e1c8fdfe8a9fdf6037df1bec4e Mon Sep 17 00:00:00 2001 From: Noah Birrer Date: Thu, 6 Feb 2025 13:06:14 -0500 Subject: [PATCH 010/118] more syntax fun --- tasks/test.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/test.yaml b/tasks/test.yaml index b0fe8a3a65..6c17f89106 100644 --- a/tasks/test.yaml +++ b/tasks/test.yaml @@ -55,7 +55,7 @@ tasks: actions: - cmd: | for package in $(ls src); do - if [[ ! ${EXCLUDED_PACKAGES[*]} =~ ${package} ]]; then + if [[ ! $EXCLUDED_PACKAGES =~ ${package} ]]; then uds run -f src/${package}/tasks.yaml validate --no-progress fi done 
From 8ae0ab89bf7760e584eecb317bc5f20c5bff6cac Mon Sep 17 00:00:00 2001 From: Noah Birrer Date: Thu, 6 Feb 2025 13:55:59 -0500 Subject: [PATCH 011/118] try differnt syntax --- tasks/test.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/test.yaml b/tasks/test.yaml index 6c17f89106..8d3f7c8d64 100644 --- a/tasks/test.yaml +++ b/tasks/test.yaml @@ -55,7 +55,7 @@ tasks: actions: - cmd: | for package in $(ls src); do - if [[ ! $EXCLUDED_PACKAGES =~ ${package} ]]; then + if [ ! ${EXCLUDED_PACKAGES} =~ ${package} ]; then uds run -f src/${package}/tasks.yaml validate --no-progress fi done From 5871a119075c96ca9edd21c16dae78573f7946aa Mon Sep 17 00:00:00 2001 From: Noah Birrer Date: Thu, 6 Feb 2025 14:30:52 -0500 Subject: [PATCH 012/118] change logic in if statement --- tasks/test.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/test.yaml b/tasks/test.yaml index 8d3f7c8d64..ac078426c4 100644 --- a/tasks/test.yaml +++ b/tasks/test.yaml @@ -55,7 +55,7 @@ tasks: actions: - cmd: | for package in $(ls src); do - if [ ! ${EXCLUDED_PACKAGES} =~ ${package} ]; then + if [ ! $(echo ${EXCLUDED_PACKAGES} | grep ${package}) ]; then uds run -f src/${package}/tasks.yaml validate --no-progress fi done From 6bba45008a151a8ad20dae8d5ad5abf65b5341a9 Mon Sep 17 00:00:00 2001 From: Noah Birrer Date: Thu, 6 Feb 2025 17:39:23 -0500 Subject: [PATCH 013/118] add additional entries to hosts file --- tasks/utils.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/utils.yaml b/tasks/utils.yaml index 93f0ea2aff..8744188963 100644 --- a/tasks/utils.yaml +++ b/tasks/utils.yaml 
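Review bot: `if [ ! $(echo ${EXCLUDED_PACKAGES} | grep ${package}) ]; then` only works by accident: with no match the substitution is empty and `[ ! ]` is true because `[` sees the single non-empty string "!", while a match on a value containing whitespace expands to several words and makes `[` error out, which skips the package. It is also a substring/regex match, so excluding `istio` would exclude every package whose name contains that text. A POSIX `case` on the comma-delimited value is exact and has no word-splitting problem: `case ",${EXCLUDED_PACKAGES}," in *",${package},"*) continue ;; esac` placed before an unconditional `uds run -f src/${package}/tasks.yaml validate --no-progress`, and `for package in src/*` with `package=$(basename "$package")` avoids parsing `ls` output. The validate-packages action continues past this hunk.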
@@ -80,4 +80,4 @@ tasks: - description: Adds Cluster LoadBalancer IP Addresses to match appropriate hosts names in /etc/hosts mute: true cmd: | - echo "$ADMIN_GW_IP keycloak.admin.uds.dev neuvector.admin.uds.dev grafana.admin.uds.dev\n$TENANT_GW_IP sso.uds.dev" | sudo tee --append /etc/hosts + echo "$ADMIN_GW_IP keycloak.admin.uds.dev neuvector.admin.uds.dev grafana.admin.uds.dev demo.admin.uds.dev\n$TENANT_GW_IP sso.uds.dev demo-8080.uds.dev demo-8081.uds.dev protected.uds.dev" | sudo tee --append /etc/hosts From 3a4d424deef923aa27f5d3416d32478f6c1963de Mon Sep 17 00:00:00 2001 From: Noah Birrer Date: Thu, 13 Feb 2025 17:21:13 -0500 Subject: [PATCH 014/118] query for hostname --- tasks/utils.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/utils.yaml b/tasks/utils.yaml index 8744188963..b6e75d13d2 100644 --- a/tasks/utils.yaml +++ b/tasks/utils.yaml @@ -68,12 +68,12 @@ tasks: - name: setup-hosts actions: - description: Fetch Admin Gateway IP Address - cmd: uds zarf tools kubectl get service -n istio-admin-gateway admin-ingressgateway -o=jsonpath='{.status.loadBalancer.ingress[0].ip}' 2>/dev/null + cmd: uds zarf tools kubectl get service -n istio-admin-gateway admin-ingressgateway -o=jsonpath='{.status.loadBalancer.ingress[0].ip}{.status.loadBalancer.ingress[0].hostname}' 2>/dev/null mute: true setVariables: - name: ADMIN_GW_IP - description: Fetch Tenant Gateway IP Address - cmd: uds zarf tools kubectl get service -n istio-tenant-gateway tenant-ingressgateway -o=jsonpath='{.status.loadBalancer.ingress[0].ip}' 2>/dev/null + cmd: uds zarf tools kubectl get service -n istio-tenant-gateway tenant-ingressgateway -o=jsonpath='{.status.loadBalancer.ingress[0].ip}{.status.loadBalancer.ingress[0].hostname}' 2>/dev/null mute: true setVariables: - name: TENANT_GW_IP From 1900b7b43ac5b7a14f86f528ec7fcc902b2f6866 Mon Sep 17 00:00:00 2001 
From: Noah Birrer Date: Fri, 14 Feb 2025 12:15:41 -0500 Subject: [PATCH 015/118] get ip from hostname, lint --- .github/bundles/aks/uds-bundle.yaml | 2 +- .github/workflows/test-rke2.yaml | 4 ++-- tasks/test.yaml | 2 +- tasks/utils.yaml | 14 ++++++++++++-- 4 files changed, 16 insertions(+), 6 deletions(-) diff --git a/.github/bundles/aks/uds-bundle.yaml b/.github/bundles/aks/uds-bundle.yaml index a5cb312512..819b758dd0 100644 --- a/.github/bundles/aks/uds-bundle.yaml +++ b/.github/bundles/aks/uds-bundle.yaml @@ -21,7 +21,7 @@ packages: # x-release-please-end # https://github.com/defenseunicorns/uds-core/issues/1222 #optionalComponents: - #- istio-ambient + #- istio-ambient overrides: istio-admin-gateway: gateway: diff --git a/.github/workflows/test-rke2.yaml b/.github/workflows/test-rke2.yaml index 688da8975b..3602d2d428 100644 --- a/.github/workflows/test-rke2.yaml +++ b/.github/workflows/test-rke2.yaml @@ -14,7 +14,7 @@ on: - tasks/iac.yaml - .github/bundles/rke2/* - .github/test-infra/aws/rke2/* - - .github/workflows/test-rke2.yaml + - .github/workflows/test-rke2.yaml permissions: id-token: write @@ -101,7 +101,7 @@ jobs: timeout-minutes: 30 - name: Test UDS Core - run: uds run -f tasks/test.yaml uds-core-non-k3d + run: uds run -f tasks/test.yaml uds-core-non-k3d - name: Debug Output if: ${{ always() }} diff --git a/tasks/test.yaml b/tasks/test.yaml index db437ba7fd..e999881f3d 100644 --- a/tasks/test.yaml +++ b/tasks/test.yaml @@ -124,7 +124,7 @@ tasks: - name: uds-core-non-k3d description: "Validate and Test UDS Core deployment on a non K3D Cluster" actions: - - task: util:setup-hosts + - task: util:setup-hosts - task: validate-packages - task: e2e-tests diff --git a/tasks/utils.yaml b/tasks/utils.yaml index b6e75d13d2..744ad1d738 100644 --- a/tasks/utils.yaml +++ b/tasks/utils.yaml 
@@ -68,12 +68,22 @@ tasks: - name: setup-hosts actions: - description: Fetch Admin Gateway IP Address - cmd: uds zarf tools kubectl get service -n istio-admin-gateway admin-ingressgateway -o=jsonpath='{.status.loadBalancer.ingress[0].ip}{.status.loadBalancer.ingress[0].hostname}' 2>/dev/null + cmd: | + IP_ADDR=$(uds zarf tools kubectl get service -n istio-admin-gateway admin-ingressgateway -o=jsonpath='{.status.loadBalancer.ingress[0].ip}' 2>/dev/null) + if [ -z $IP_ADDR ]; then + HOSTNAME=$(uds zarf tools kubectl get service -n istio-admin-gateway admin-ingressgateway -o=jsonpath='{.status.loadBalancer.ingress[0].hostname}' 2>/dev/null) + IP_ADDR=$(curl -isS $HOSTNAME --output /dev/null -w '%{remote_ip}') + fi; echo $IP_ADDR mute: true setVariables: - name: ADMIN_GW_IP - description: Fetch Tenant Gateway IP Address - cmd: uds zarf tools kubectl get service -n istio-tenant-gateway tenant-ingressgateway -o=jsonpath='{.status.loadBalancer.ingress[0].ip}{.status.loadBalancer.ingress[0].hostname}' 2>/dev/null + cmd: | + IP_ADDR=$(uds zarf tools kubectl get service -n istio-tenant-gateway tenant-ingressgateway -o=jsonpath='{.status.loadBalancer.ingress[0].ip}' 2>/dev/null) + if [ -z $IP_ADDR ]; then + HOSTNAME=$(uds zarf tools kubectl get service -n istio-tenant-gateway tenant-ingressgateway -o=jsonpath='{.status.loadBalancer.ingress[0].hostname}' 2>/dev/null) + IP_ADDR=$(curl -isS $HOSTNAME --output /dev/null -w '%{remote_ip}') + fi; echo $IP_ADDR mute: true setVariables: - name: TENANT_GW_IP From 3cf1f9a40b6c057322a5851c2fbf6f1d1f6a1eb5 Mon Sep 17 00:00:00 2001 From: Noah Birrer Date: Tue, 18 Feb 2025 12:15:19 -0500 Subject: [PATCH 016/118] allow e2e test to be built for multiple archs --- src/test/tasks.yaml | 12 ++++++++++-- tasks/test.yaml | 11 ++++++++++- tasks/utils.yaml | 8 +++++++- 3 files changed, 27 insertions(+), 4 deletions(-) diff --git a/src/test/tasks.yaml b/src/test/tasks.yaml index 68ea95e161..8ee21389f0 100644 --- a/src/test/tasks.yaml 
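Review bot: `if [ -z $IP_ADDR ]; then` in both new cmd blocks is unquoted; when the variable is empty the test passes only because `[ -z ]` happens to treat the lone "-z" as a non-empty string, and any unexpected multi-word output would make `[` fail instead. Quote it, `if [ -z "$IP_ADDR" ]; then`, and likewise `curl -isS "$HOSTNAME"`. Nothing checks the fallback result either: with kubectl errors sent to /dev/null and `mute: true`, a load balancer that has not yet been assigned an address leaves `IP_ADDR` empty and the task exports an empty ADMIN_GW_IP/TENANT_GW_IP, so add `[ -n "$IP_ADDR" ] || { echo "no address for admin-ingressgateway" >&2; exit 1; }` before the final echo. `HOSTNAME` also shadows the shell's own variable of that name (`LB_HOSTNAME` avoids the confusion), and the two blocks differ only in namespace and service name, so they could be one parameterised task.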
+++ b/src/test/tasks.yaml @@ -1,6 +1,9 @@ # Copyright 2024 Defense Unicorns # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial +includes: + - utils: ../../tasks/utils.yaml + tasks: - name: validate actions: @@ -20,9 +23,13 @@ tasks: - name: create-deploy description: Test app used for UDS Core validation + inputs: + architecture: + description: "System architecture that the test-apps package should be built for." + actions: - description: Create zarf package for the test resources - cmd: "uds zarf package create src/test --confirm --no-progress --skip-sbom" + cmd: uds zarf package create src/test --confirm --no-progress --skip-sbom -a ${{ index .inputs "architecture" }} - description: Deploy the test resources cmd: "uds zarf package deploy build/zarf-package-uds-core-test-apps-*.zst --confirm --no-progress" @@ -116,9 +123,10 @@ tasks: - description: Verify the authservice tenant app is protected by checking redirect maxRetries: 3 + task: utils:tenant-gw-ip cmd: | set -e - SSO_REDIRECT=$(uds zarf tools kubectl run curl-test --image=cgr.dev/chainguard/curl:latest -q --restart=Never --rm -i -- -Ls -o /dev/null -w %{url_effective} "https://protected.uds.dev") + SSO_REDIRECT=$(uds zarf tools kubectl run curl-test --image=cgr.dev/chainguard/curl:latest -q --restart=Never --rm -i -- --resolve 'protected.uds.dev:$TENANT_GW_IP:443' -Ls -o /dev/null -w %{url_effective} "https://protected.uds.dev") case "${SSO_REDIRECT}" in "https://sso.uds.dev"*) diff --git a/tasks/test.yaml b/tasks/test.yaml index e999881f3d..3c03c66371 100644 --- a/tasks/test.yaml +++ b/tasks/test.yaml @@ -80,6 +80,11 @@ tasks: - name: e2e-tests description: "E2E Test all packages" + inputs: + architecture: + description: "System architecture that the test-apps package should be built for." + required: true + default: "amd64" # Run each e2e test type from the e2e folder actions: - description: "Setup the Keycloak admin user if needed" 
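Review bot: The new `architecture` input on create-deploy has neither `required: true` nor a default, so a direct `uds run -f src/test/tasks.yaml create-deploy` passes `-a` with an empty value to `zarf package create`. Give it `default: "amd64"` (or mark it required) so the task still works standalone, matching how e2e-tests in tasks/test.yaml declares the same input in this commit. The create-deploy task continues beyond this hunk.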
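Review bot: `--resolve 'protected.uds.dev:$TENANT_GW_IP:443'` is inside single quotes, so the shell never expands `$TENANT_GW_IP`; unless the task runner templates the bare `$NAME` form before the shell sees it (not verifiable from this hunk), curl in the pod receives the literal text and the resolve entry is ignored or rejected. Double quotes fix it: `--resolve "protected.uds.dev:${TENANT_GW_IP}:443"`. The same action now carries both `task: utils:tenant-gw-ip` and `cmd:`; if the runner treats those as mutually exclusive one of them is silently dropped, so the dependency is safer as its own preceding `- task: utils:tenant-gw-ip` action. The enclosing action list continues beyond the hunk.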
@@ -89,6 +94,8 @@ tasks: cmd: uds run -f tasks/test.yaml common-setup:create-doug-user --set KEYCLOAK_GROUP="/UDS Core/Admin" # Adds the test doug user - description: "Create and Deploy Test App Package" task: test-resources:create-deploy + with: + architecture: ${{ .inputs.architecture }} - description: "Run Playwright E2E tests for all packages" dir: test/playwright cmd: | @@ -122,11 +129,13 @@ tasks: - task: e2e-tests - name: uds-core-non-k3d - description: "Validate and Test UDS Core deployment on a non K3D Cluster" + description: "Validate and Test UDS Core deployment on a non K3d Cluster" actions: - task: util:setup-hosts - task: validate-packages - task: e2e-tests + with: + architecture: "arm64" - name: uds-core-ha description: "Build and test UDS Core" diff --git a/tasks/utils.yaml b/tasks/utils.yaml index 744ad1d738..bfc306e46b 100644 --- a/tasks/utils.yaml +++ b/tasks/utils.yaml @@ -65,7 +65,7 @@ tasks: -n keycloak fi - - name: setup-hosts + - name: admin-gw-ip actions: - description: Fetch Admin Gateway IP Address cmd: | @@ -77,6 +77,8 @@ tasks: mute: true setVariables: - name: ADMIN_GW_IP + - name: tenant-gw-ip + actions: - description: Fetch Tenant Gateway IP Address cmd: | IP_ADDR=$(uds zarf tools kubectl get service -n istio-tenant-gateway tenant-ingressgateway -o=jsonpath='{.status.loadBalancer.ingress[0].ip}' 2>/dev/null) @@ -87,6 +89,10 @@ tasks: mute: true setVariables: - name: TENANT_GW_IP + - name: setup-hosts + actions: + - task: admin-gw-ip + - task: tenant-gw-ip - description: Adds Cluster LoadBalancer IP Addresses to match appropriate hosts names in /etc/hosts mute: true cmd: | From a2f043216a4328e78c09d74a8c383cafbeb70b93 Mon Sep 17 00:00:00 2001 From: Noah Birrer Date: Tue, 18 Feb 2025 13:02:05 -0500 Subject: [PATCH 017/118] fix arch value --- tasks/test.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/test.yaml b/tasks/test.yaml index 3c03c66371..5b4dc7040b 100644 --- a/tasks/test.yaml +++ b/tasks/test.yaml 
@@ -135,7 +135,7 @@ tasks: - task: validate-packages - task: e2e-tests with: - architecture: "arm64" + architecture: "amd64" - name: uds-core-ha description: "Build and test UDS Core" From edb4d699e3cc92eb1f97924189fa3bae0b5f8e96 Mon Sep 17 00:00:00 2001 From: Noah Birrer Date: Tue, 18 Feb 2025 13:13:53 -0500 Subject: [PATCH 018/118] switch arch default --- tasks/test.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/test.yaml b/tasks/test.yaml index 5b4dc7040b..b4e2ed1273 100644 --- a/tasks/test.yaml +++ b/tasks/test.yaml @@ -84,7 +84,7 @@ tasks: architecture: description: "System architecture that the test-apps package should be built for." required: true - default: "amd64" + default: "arm64" # Run each e2e test type from the e2e folder actions: - description: "Setup the Keycloak admin user if needed" From f4c1e4c31ae8d3244826675454f97573345e2487 Mon Sep 17 00:00:00 2001 From: Noah Birrer Date: Wed, 19 Feb 2025 12:22:24 -0500 Subject: [PATCH 019/118] workaround for eks e2e tests --- tasks/iac.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/tasks/iac.yaml b/tasks/iac.yaml index 9fceb280f9..552fb2ee68 100644 --- a/tasks/iac.yaml +++ b/tasks/iac.yaml @@ -83,6 +83,8 @@ tasks: - cmd: sleep 5 - cmd: eksctl create cluster -f cluster-config.yaml - cmd: eksctl utils write-kubeconfig -c ${CLUSTER_NAME} + # temp workaround + - cmd: sudo mkdir -p /var/run/secrets/kubernetes.io/serviceaccount/ && aws-iam-authenticator token -i ${CLUSTER_NAME} --token-only | sudo tee /var/run/secrets/kubernetes.io/serviceaccount/token > /dev/null - name: rke2-get-kubeconfig actions: @@ -130,6 +132,7 @@ tasks: - name: destroy-cluster actions: - cmd: eksctl delete cluster -f cluster-config.yaml --disable-nodegroup-eviction --wait + - cmd: sudo rm -rf /var/run/secrets/kubernetes.io - name: create-iac actions: From 9cd4b6582bc5e97ce15a6f5b393a356efefd572a Mon Sep 17 00:00:00 2001 
From: Noah Birrer Date: Wed, 19 Feb 2025 13:44:24 -0500 Subject: [PATCH 020/118] rm temp workaround --- .github/workflows/test-eks.yaml | 4 ++-- tasks/iac.yaml | 3 --- 2 files changed, 2 insertions(+), 5 deletions(-) diff --git a/.github/workflows/test-eks.yaml b/.github/workflows/test-eks.yaml index a4d36304a6..6afa3df7ba 100644 --- a/.github/workflows/test-eks.yaml +++ b/.github/workflows/test-eks.yaml @@ -96,8 +96,8 @@ jobs: run: uds deploy .github/bundles/eks/uds-bundle-uds-core-eks-nightly-*.tar.zst --confirm timeout-minutes: 30 - - name: Test UDS Core - run: uds run -f tasks/test.yaml uds-core-non-k3d --set EXCLUDED_PACKAGES="metrics-server" + # - name: Test UDS Core + # run: uds run -f tasks/test.yaml uds-core-non-k3d --set EXCLUDED_PACKAGES="metrics-server" - name: Debug Output if: ${{ always() }} diff --git a/tasks/iac.yaml b/tasks/iac.yaml index 552fb2ee68..9fceb280f9 100644 --- a/tasks/iac.yaml +++ b/tasks/iac.yaml @@ -83,8 +83,6 @@ tasks: - cmd: sleep 5 - cmd: eksctl create cluster -f cluster-config.yaml - cmd: eksctl utils write-kubeconfig -c ${CLUSTER_NAME} - # temp workaround - - cmd: sudo mkdir -p /var/run/secrets/kubernetes.io/serviceaccount/ && aws-iam-authenticator token -i ${CLUSTER_NAME} --token-only | sudo tee /var/run/secrets/kubernetes.io/serviceaccount/token > /dev/null - name: rke2-get-kubeconfig actions: @@ -132,7 +130,6 @@ tasks: - name: destroy-cluster actions: - cmd: eksctl delete cluster -f cluster-config.yaml --disable-nodegroup-eviction --wait - - cmd: sudo rm -rf /var/run/secrets/kubernetes.io - name: create-iac actions: From b1c910326b7fdb42a87051aa3d880d44ec19be93 Mon Sep 17 00:00:00 2001 
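Review bot: The Test UDS Core step is commented out rather than removed or conditionally disabled, leaving no indication in the workflow of why EKS e2e is switched off or what re-enables it. Prefer a `# TODO(<issue-placeholder>): re-enable once <blocker> is resolved` comment on the step, or keep the step and gate it with `if: false`, so the disabled coverage stays visible in the run log rather than silently absent. The job definition continues outside the hunk.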
From: Noah Birrer Date: Thu, 20 Feb 2025 17:25:37 -0500 Subject: [PATCH 021/118] add aws-lb-controller to rke2, cleanup --- .github/bundles/rke2/uds-bundle.yaml | 14 ++++++++ .github/test-infra/aws/rke2/iam.tf | 10 ++++++ .github/test-infra/aws/rke2/main.tf | 3 +- .../aws/rke2/scripts/get-kubeconfig.sh | 2 +- .../test-infra/aws/rke2/scripts/user_data.sh | 33 ++++++++++++------- tasks/iac.yaml | 2 +- 6 files changed, 50 insertions(+), 14 deletions(-) mode change 100644 => 100755 .github/test-infra/aws/rke2/scripts/get-kubeconfig.sh diff --git a/.github/bundles/rke2/uds-bundle.yaml b/.github/bundles/rke2/uds-bundle.yaml index f84a258b72..a35f951ece 100644 --- a/.github/bundles/rke2/uds-bundle.yaml +++ b/.github/bundles/rke2/uds-bundle.yaml @@ -45,6 +45,20 @@ packages: # - istio-ambient - metrics-server overrides: + istio-admin-gateway: + gateway: + values: + - path: service.annotations + value: + service.beta.kubernetes.io/aws-load-balancer-scheme: "internet-facing" + service.beta.kubernetes.io/aws-load-balancer-target-node-labels: "kubernetes.io/os=linux" + istio-tenant-gateway: + gateway: + values: + - path: service.annotations + value: + service.beta.kubernetes.io/aws-load-balancer-scheme: "internet-facing" + service.beta.kubernetes.io/aws-load-balancer-target-node-labels: "kubernetes.io/os=linux" velero: velero: variables: diff --git a/.github/test-infra/aws/rke2/iam.tf b/.github/test-infra/aws/rke2/iam.tf index c07666942e..ec14ebb8a5 100644 --- a/.github/test-infra/aws/rke2/iam.tf +++ b/.github/test-infra/aws/rke2/iam.tf 
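Review bot: Both gateway Services are annotated `service.beta.kubernetes.io/aws-load-balancer-scheme: "internet-facing"`, which puts the admin gateway (keycloak/grafana/neuvector admin hosts, per the hosts entries elsewhere in this series) on a public NLB for the lifetime of the nightly cluster with no source restriction. If the runner must reach it from outside the VPC, at least add `loadBalancerSourceRanges` (or the controller's `service.beta.kubernetes.io/load-balancer-source-ranges` annotation) limited to the runner's egress address, and keep the admin gateway `internal` wherever the test path allows it. The two override blocks are identical and could share one value. The packages entry continues beyond this hunk.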
@@ -77,6 +77,16 @@ data "aws_iam_policy_document" "aws_ccm" { } } +data "http" "aws-lb-controller-iam" { + url = "https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.11.0/docs/install/iam_policy.json" +} + +resource "aws_iam_role_policy" "aws-lb-controller" { + name = "${local.cluster_name}-lb-controller" + role = aws_iam_role.rke2_server.id + policy = data.http.aws-lb-controller-iam.response_body +} + resource "aws_iam_role_policy" "s3_token" { name = "${local.cluster_name}-server-token" role = aws_iam_role.rke2_server.id diff --git a/.github/test-infra/aws/rke2/main.tf b/.github/test-infra/aws/rke2/main.tf index 9fb44ef06f..d28b345385 100644 --- a/.github/test-infra/aws/rke2/main.tf +++ b/.github/test-infra/aws/rke2/main.tf @@ -26,6 +26,7 @@ locals { ccm_external = true, token_bucket = module.statestore.bucket, token_object = module.statestore.token_object + cluster_name = local.tags.cluster_name } } @@ -107,7 +108,7 @@ resource "aws_instance" "rke2_ci_agent_node" { ami = data.aws_ami.rhel_rke2.image_id instance_type = var.agent_instance_type key_name = aws_key_pair.control_plane_key_pair.key_name - user_data = templatefile("${path.module}/scripts/user_data.sh", merge(local.userdata, { BOOTSTRAP_IP = aws_instance.rke2_ci_bootstrap_node.private_ip })) + user_data = templatefile("${path.module}/scripts/user_data.sh", merge(local.userdata, { BOOTSTRAP_IP = aws_instance.rke2_ci_bootstrap_node.private_ip, AGENT_NODE = true })) subnet_id = data.aws_subnet.rke2_ci_subnet.id user_data_replace_on_change = true iam_instance_profile = aws_iam_instance_profile.rke2_server.name diff --git a/.github/test-infra/aws/rke2/scripts/get-kubeconfig.sh b/.github/test-infra/aws/rke2/scripts/get-kubeconfig.sh old mode 100644 new mode 100755 index 472a816695..967a44af00 --- a/.github/test-infra/aws/rke2/scripts/get-kubeconfig.sh +++ b/.github/test-infra/aws/rke2/scripts/get-kubeconfig.sh 
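Review bot: `data "http" "aws-lb-controller-iam"` fetches the IAM policy from raw.githubusercontent.com on every plan/apply and attaches whatever comes back; the URL is pinned to the `v2.11.0` tag, which is movable, and nothing verifies the content, so the permissions granted depend on a network fetch at apply time. Vendoring the JSON into the module and loading it with `policy = file("${path.module}/aws-lb-controller-iam-policy.json")` (constructed path) makes the grant reviewable in the diff; pinning the URL to a commit SHA would be the minimum. The policy is attached to `aws_iam_role.rke2_server`, which main.tf in this same commit also uses as the agent node's instance profile, so every node — and any pod that can reach the instance metadata endpoint — gains the controller's EC2/ELB permissions; a dedicated role bound to the controller's service account would be tighter if the rke2 setup supports it. The rest of iam.tf is outside this hunk.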
@@ -27,7 +27,7 @@ done mkdir -p ~/.kube # Copy kubectl from cluster node -ssh -o StrictHostKeyChecking=no -i key.pem ${node_user}@${bootstrap_ip} "mkdir -p /home/${node_user}/.kube && sudo cp /etc/rancher/rke2/rke2.yaml /home/${node_user}/.kube/config && sudo chown ${node_user} /home/${node_user}/.kube/config" > /dev/null +ssh -o StrictHostKeyChecking=no -i key.pem ${node_user}@${bootstrap_ip} "mkdir -p /home/${node_user}/.kube && sudo cp /etc/rancher/rke2/rke2.yaml /home/${node_user}/.kube/config && sudo chown ${node_user} /home/${node_user}/.kube/config" > /dev/null scp -o StrictHostKeyChecking=no -i key.pem ${node_user}@${bootstrap_ip}:/home/${node_user}/.kube/config ./rke2-config > /dev/null # Replace the loopback address with the cluster hostname diff --git a/.github/test-infra/aws/rke2/scripts/user_data.sh b/.github/test-infra/aws/rke2/scripts/user_data.sh index 82b9b7cc6a..f4f4469ca1 100644 --- a/.github/test-infra/aws/rke2/scripts/user_data.sh +++ b/.github/test-infra/aws/rke2/scripts/user_data.sh @@ -2,8 +2,6 @@ # Copyright 2024 Defense Unicorns # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial - - info() { echo "[INFO] " "$@" } 
@@ -56,18 +54,34 @@ spec: targetNamespace: kube-system EOM -#metallb helm values: https://github.com/metallb/metallb/tree/main/charts/metallb -cat > /var/lib/rancher/rke2/server/manifests/02-metallb.yaml << EOM +# #metallb helm values: https://github.com/metallb/metallb/tree/main/charts/metallb +# cat > /var/lib/rancher/rke2/server/manifests/02-metallb.yaml << EOM +# apiVersion: helm.cattle.io/v1 +# kind: HelmChart +# metadata: +# name: metallb +# namespace: kube-system +# spec: +# chart: metallb +# repo: https://metallb.github.io/metallb +# version: 0.14.9 +# targetNamespace: kube-system +# EOM + +# aws lb controller helm values: https://github.com/kubernetes-sigs/aws-load-balancer-controller/tree/main/helm/aws-load-balancer-controller#configuration +cat > /var/lib/rancher/rke2/server/manifests/02-lb-controller.yaml << EOM apiVersion: helm.cattle.io/v1 kind: HelmChart metadata: - name: metallb + name: aws-load-balancer-controller namespace: kube-system spec: - chart: metallb - repo: https://metallb.github.io/metallb - version: 0.14.8 + chart: aws-load-balancer-controller + repo: https://aws.github.io/eks-charts + version: 1.11.0 targetNamespace: kube-system + valuesContent: |- + clusterName: ${cluster_name} EOM info "Installing awscli" 
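Review bot: The metallb HelmChart is kept as a 13-line commented-out block in the `-56,18 +54,34` hunk rather than deleted; git history already preserves it, and because this script is rendered through `templatefile()` any `${` that later ends up inside one of those commented lines would still be interpolated and break the render, so removing the block is both cleaner and safer. The replacement manifest pins `version: 1.11.0` but `valuesContent` only sets `clusterName`; on self-managed EC2 nodes the controller has to discover region and VPC through instance metadata, which fails when the IMDS hop limit is 1 (a common hardening setting), so if the template already carries them consider `region: ${region}` and `vpcId: ${vpc_id}` as well — I cannot see the full variable set passed to this template from here. The function that writes these manifests starts before and continues after this hunk.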
@@ -89,14 +103,11 @@ chmod +x yq ./yq -i '.cloud-provider-name += "external"' /etc/rancher/rke2/config.yaml ./yq -i '.disable-cloud-controller += "true"' /etc/rancher/rke2/config.yaml ./yq -i '.kube-apiserver-arg += "service-account-key-file=/irsa/signer.key.pub"' /etc/rancher/rke2/config.yaml -./yq -i '.kube-apiserver-arg += "service-account-key-file=/irsa/signer.key.pub"' /etc/rancher/rke2/config.yaml ./yq -i '.kube-apiserver-arg += "service-account-signing-key-file=/irsa/signer.key"' /etc/rancher/rke2/config.yaml ./yq -i '.kube-apiserver-arg += "api-audiences=kubernetes.svc.default"' /etc/rancher/rke2/config.yaml ./yq -i '.kube-apiserver-arg += "service-account-issuer=https://${BUCKET_REGIONAL_DOMAIN_NAME}"' /etc/rancher/rke2/config.yaml ./yq -i '.kube-apiserver-arg += "audit-log-path=/var/log/kubernetes/audit/audit.log"' /etc/rancher/rke2/config.yaml rm -rf ./yq - - } pre_userdata diff --git a/tasks/iac.yaml b/tasks/iac.yaml index 9fceb280f9..df8fbc8aed 100644 --- a/tasks/iac.yaml +++ b/tasks/iac.yaml @@ -123,7 +123,7 @@ tasks: break fi done - uds zarf tools kubectl apply -f ./metallb.yaml + #uds zarf tools kubectl apply -f ./metallb.yaml dir: .github/test-infra/aws/rke2/ maxTotalSeconds: 600 From c4794d26c0d51631578be35c3bb06f3d85bac59a Mon Sep 17 00:00:00 2001 From: Noah Birrer Date: Fri, 21 Feb 2025 09:43:48 -0500 Subject: [PATCH 022/118] debugging --- tasks/utils.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/utils.yaml b/tasks/utils.yaml index bfc306e46b..a11732da0a 100644 --- a/tasks/utils.yaml +++ b/tasks/utils.yaml @@ -74,7 +74,7 @@ tasks: HOSTNAME=$(uds zarf tools kubectl get service -n istio-admin-gateway admin-ingressgateway -o=jsonpath='{.status.loadBalancer.ingress[0].hostname}' 2>/dev/null) IP_ADDR=$(curl -isS $HOSTNAME --output /dev/null -w '%{remote_ip}') fi; echo $IP_ADDR - mute: true + mute: false setVariables: - name: ADMIN_GW_IP - name: tenant-gw-ip 
@@ -86,7 +86,7 @@ tasks: HOSTNAME=$(uds zarf tools kubectl get service -n istio-tenant-gateway tenant-ingressgateway -o=jsonpath='{.status.loadBalancer.ingress[0].hostname}' 2>/dev/null) IP_ADDR=$(curl -isS $HOSTNAME --output /dev/null -w '%{remote_ip}') fi; echo $IP_ADDR - mute: true + mute: false setVariables: - name: TENANT_GW_IP - name: setup-hosts From 770b80576419ef993bfb91d70f2659a6b7419747 Mon Sep 17 00:00:00 2001 From: Noah Birrer Date: Fri, 21 Feb 2025 12:14:08 -0500 Subject: [PATCH 023/118] use `dig` instead of `curl` for ipv4 lookup --- tasks/utils.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/utils.yaml b/tasks/utils.yaml index a11732da0a..2371b5df50 100644 --- a/tasks/utils.yaml +++ b/tasks/utils.yaml @@ -72,7 +72,7 @@ tasks: IP_ADDR=$(uds zarf tools kubectl get service -n istio-admin-gateway admin-ingressgateway -o=jsonpath='{.status.loadBalancer.ingress[0].ip}' 2>/dev/null) if [ -z $IP_ADDR ]; then HOSTNAME=$(uds zarf tools kubectl get service -n istio-admin-gateway admin-ingressgateway -o=jsonpath='{.status.loadBalancer.ingress[0].hostname}' 2>/dev/null) - IP_ADDR=$(curl -isS $HOSTNAME --output /dev/null -w '%{remote_ip}') + IP_ADDR=$(dig +short $HOSTNAME) fi; echo $IP_ADDR mute: false setVariables: @@ -84,7 +84,7 @@ tasks: IP_ADDR=$(uds zarf tools kubectl get service -n istio-tenant-gateway tenant-ingressgateway -o=jsonpath='{.status.loadBalancer.ingress[0].ip}' 2>/dev/null) if [ -z $IP_ADDR ]; then HOSTNAME=$(uds zarf tools kubectl get service -n istio-tenant-gateway tenant-ingressgateway -o=jsonpath='{.status.loadBalancer.ingress[0].hostname}' 2>/dev/null) - IP_ADDR=$(curl -isS $HOSTNAME --output /dev/null -w '%{remote_ip}') + IP_ADDR=$(dig +short $HOSTNAME) fi; echo $IP_ADDR mute: false setVariables: From 71398c815a3268e94b8c5ff896278b5eec96b532 Mon Sep 17 00:00:00 2001 
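Review bot: `IP_ADDR=$(dig +short $HOSTNAME)` in both hunks of this patch can return more than one address — an AWS load balancer hostname normally resolves to one A record per availability zone — so `ADMIN_GW_IP`/`TENANT_GW_IP` become a multi-line value rather than a single IP, and `$HOSTNAME` is unquoted, so an empty hostname turns the command into a bare `dig +short`. Take the first IPv4 answer explicitly, `IP_ADDR=$(dig +short "$HOSTNAME" A | grep -m1 -E '^[0-9.]+$')`, and quote the guard above it as `if [ -z "$IP_ADDR" ]; then`, which otherwise only works by accident of `[ -z ]` with no operand evaluating true. Apply the same change to the `tenant-gw-ip` action, which is identical.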
From: Noah Birrer Date: Fri, 21 Feb 2025 12:14:19 -0500 Subject: [PATCH 024/118] switch to azure gov --- .github/workflows/test-aks.yaml | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/.github/workflows/test-aks.yaml b/.github/workflows/test-aks.yaml index 6f1b61d654..8ddbc537ef 100644 --- a/.github/workflows/test-aks.yaml +++ b/.github/workflows/test-aks.yaml @@ -31,9 +31,9 @@ jobs: env: SHA: ${{ github.sha }} UDS_REGION: centralus - UDS_RESOURCE_GROUP_NAME: ${{ secrets.AZURE_RESOURCE_GROUP }} - UDS_STORAGE_ACCOUNT_NAME: ${{ secrets.AZURE_STORAGE_ACCOUNT_NAME }} - UDS_CONTAINER_NAME: ${{ secrets.AZURE_STORAGE_CONTAINER_NAME }} + UDS_RESOURCE_GROUP_NAME: ${{ secrets.AZURE_GOV_RESOURCE_GROUP }} + UDS_STORAGE_ACCOUNT_NAME: ${{ secrets.AZURE_GOV_STORAGE_ACCOUNT_NAME }} + UDS_CONTAINER_NAME: ${{ secrets.AZURE_GOV_STORAGE_CONTAINER_NAME }} steps: - name: Set ENV @@ -43,9 +43,9 @@ jobs: echo "TF_VAR_location=${UDS_REGION}" >> $GITHUB_ENV echo "TF_VAR_cluster_name=uds-ci-${{ matrix.flavor }}-${SHA:0:7}" >> $GITHUB_ENV echo "TF_VAR_resource_group_name=uds-ci-${{ matrix.flavor }}" >> $GITHUB_ENV - echo "ARM_SUBSCRIPTION_ID=${{ secrets.AZURE_SUBSCRIPTION_ID }}" >> $GITHUB_ENV - echo "ARM_CLIENT_ID=${{ secrets.AZURE_CLIENT_ID }}" >> $GITHUB_ENV - echo "ARM_TENANT_ID=${{ secrets.AZURE_TENANT_ID }}" >> $GITHUB_ENV + echo "ARM_SUBSCRIPTION_ID=${{ secrets.AZURE_GOV_SUBSCRIPTION_ID }}" >> $GITHUB_ENV + echo "ARM_CLIENT_ID=${{ secrets.AZURE_GOV_CLIENT_ID }}" >> $GITHUB_ENV + echo "ARM_TENANT_ID=${{ secrets.AZURE_GOV_TENANT_ID }}" >> $GITHUB_ENV echo "ARM_USE_OIDC=true" >> $GITHUB_ENV echo "ARM_STORAGE_USE_AZUREAD=true" >> $GITHUB_ENV 
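Review bot: The `-43,9 +43,9` hunk keeps expanding `${{ secrets.AZURE_GOV_CLIENT_ID }}`, `..._TENANT_ID` and `..._SUBSCRIPTION_ID` inside a `run:` script body and appending them to `$GITHUB_ENV`; these values are identifiers rather than credentials, but `${{ }}` expansion inside shell is the injection-prone pattern GitHub's hardening guidance warns about, and `$GITHUB_ENV` is unquoted. The job already has a job-level `env:` block (the `-31,9` hunk directly above), so `ARM_CLIENT_ID: ${{ secrets.AZURE_GOV_CLIENT_ID }}` and friends fit there alongside the `UDS_*` variables, which also removes the dependency on the `Set ENV` step running first. Only `TF_VAR_cluster_name`, which needs `${SHA:0:7}`, genuinely has to stay in the script.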
@@ -59,9 +59,9 @@ jobs: - name: Azure login uses: azure/login@a65d910e8af852a8061c627c456678983e180302 # v2 with: - client-id: ${{ secrets.AZURE_CLIENT_ID }} - tenant-id: ${{ secrets.AZURE_TENANT_ID }} - subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + client-id: ${{ secrets.AZURE_GOV_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_GOV_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_GOV_SUBSCRIPTION_ID }} - name: Environment setup uses: ./.github/actions/setup From 38206c77bfc0e2d926ba4069b72ff9f7fe7cecc3 Mon Sep 17 00:00:00 2001 From: Noah Birrer Date: Fri, 21 Feb 2025 12:16:15 -0500 Subject: [PATCH 025/118] set azure gov env --- .github/workflows/test-aks.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/test-aks.yaml b/.github/workflows/test-aks.yaml index 8ddbc537ef..b7ae2d3acc 100644 --- a/.github/workflows/test-aks.yaml +++ b/.github/workflows/test-aks.yaml @@ -62,6 +62,7 @@ jobs: client-id: ${{ secrets.AZURE_GOV_CLIENT_ID }} tenant-id: ${{ secrets.AZURE_GOV_TENANT_ID }} subscription-id: ${{ secrets.AZURE_GOV_SUBSCRIPTION_ID }} + environment: 'AzureUSGovernment' - name: Environment setup uses: ./.github/actions/setup From ce92ce4d0674f856af1a38be307227226a5c0091 Mon Sep 17 00:00:00 2001 From: Noah Birrer Date: Fri, 21 Feb 2025 12:21:01 -0500 Subject: [PATCH 026/118] set audience and arm env --- .github/workflows/test-aks.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/test-aks.yaml b/.github/workflows/test-aks.yaml index b7ae2d3acc..bfa516660d 100644 --- a/.github/workflows/test-aks.yaml +++ b/.github/workflows/test-aks.yaml @@ -48,6 +48,7 @@ jobs: echo "ARM_TENANT_ID=${{ secrets.AZURE_GOV_TENANT_ID }}" >> $GITHUB_ENV echo "ARM_USE_OIDC=true" >> $GITHUB_ENV echo "ARM_STORAGE_USE_AZUREAD=true" >> $GITHUB_ENV + echo "ARM_ENVIRONMENT=usgovernment" >> $GITHUB_ENV - name: Checkout repository uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 
@@ -63,6 +64,7 @@ jobs: tenant-id: ${{ secrets.AZURE_GOV_TENANT_ID }} subscription-id: ${{ secrets.AZURE_GOV_SUBSCRIPTION_ID }} environment: 'AzureUSGovernment' + audience: "api://AzureADTokenExchangeUSGov" - name: Environment setup uses: ./.github/actions/setup From 19af81a4ef6466c476d7e162d08ca9da10dbafa6 Mon Sep 17 00:00:00 2001 From: Noah Birrer Date: Fri, 21 Feb 2025 13:51:39 -0500 Subject: [PATCH 027/118] set environment in config block --- .github/test-infra/azure/aks/versions.tf | 1 + .github/workflows/test-aks.yaml | 1 - 2 files changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/test-infra/azure/aks/versions.tf b/.github/test-infra/azure/aks/versions.tf index a0caac408d..906f002fe0 100644 --- a/.github/test-infra/azure/aks/versions.tf +++ b/.github/test-infra/azure/aks/versions.tf @@ -3,6 +3,7 @@ terraform { backend "azurerm" { + environment = "usgovernment" } required_providers { azapi = { diff --git a/.github/workflows/test-aks.yaml b/.github/workflows/test-aks.yaml index bfa516660d..538c164d21 100644 --- a/.github/workflows/test-aks.yaml +++ b/.github/workflows/test-aks.yaml @@ -48,7 +48,6 @@ jobs: echo "ARM_TENANT_ID=${{ secrets.AZURE_GOV_TENANT_ID }}" >> $GITHUB_ENV echo "ARM_USE_OIDC=true" >> $GITHUB_ENV echo "ARM_STORAGE_USE_AZUREAD=true" >> $GITHUB_ENV - echo "ARM_ENVIRONMENT=usgovernment" >> $GITHUB_ENV - name: Checkout repository uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 From 9766662b45cc4d4908012647a3d1539fa6da485e Mon Sep 17 00:00:00 2001 From: Noah Birrer Date: Fri, 21 Feb 2025 14:25:09 -0500 Subject: [PATCH 028/118] try access key --- .github/test-infra/azure/aks/versions.tf | 1 - .github/workflows/test-aks.yaml | 3 ++- tasks/iac.yaml | 3 +++ 3 files changed, 5 insertions(+), 2 deletions(-) diff --git a/.github/test-infra/azure/aks/versions.tf b/.github/test-infra/azure/aks/versions.tf index 906f002fe0..a0caac408d 100644 --- a/.github/test-infra/azure/aks/versions.tf 
+++ b/.github/test-infra/azure/aks/versions.tf @@ -3,7 +3,6 @@ terraform { backend "azurerm" { - environment = "usgovernment" } required_providers { azapi = { diff --git a/.github/workflows/test-aks.yaml b/.github/workflows/test-aks.yaml index 538c164d21..b86b6d68ce 100644 --- a/.github/workflows/test-aks.yaml +++ b/.github/workflows/test-aks.yaml @@ -47,7 +47,8 @@ jobs: echo "ARM_CLIENT_ID=${{ secrets.AZURE_GOV_CLIENT_ID }}" >> $GITHUB_ENV echo "ARM_TENANT_ID=${{ secrets.AZURE_GOV_TENANT_ID }}" >> $GITHUB_ENV echo "ARM_USE_OIDC=true" >> $GITHUB_ENV - echo "ARM_STORAGE_USE_AZUREAD=true" >> $GITHUB_ENV + echo "ARM_ENVIRONMENT=usgovernment" >> $GITHUB_ENV + #echo "ARM_STORAGE_USE_AZUREAD=true" >> $GITHUB_ENV - name: Checkout repository uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 diff --git a/tasks/iac.yaml b/tasks/iac.yaml index df8fbc8aed..1f748e3ba8 100644 --- a/tasks/iac.yaml +++ b/tasks/iac.yaml @@ -150,12 +150,15 @@ tasks: -backend-config="region=${REGION}" \ -backend-config="dynamodb_table=${STATE_DYNAMODB_TABLE_NAME}" elif [ ${CLOUD} = "azure" ]; then + curl -L https://aka.ms/InstallAzureCli | bash + ACCOUNT_KEY=$(az storage account keys list --resource-group $RESOURCE_GROUP_NAME --account-name $STORAGE_ACCOUNT_NAME --query '[0].value' --output tsv) tofu init -force-copy \ -backend=true \ -backend-config="resource_group_name=$RESOURCE_GROUP_NAME" \ -backend-config="storage_account_name=$STORAGE_ACCOUNT_NAME" \ -backend-config="container_name=$CONTAINER_NAME" \ -backend-config="key=${STATE_KEY}" + -backend-config="access_key=${ACCOUNT_KEY}" else echo "Invalid cloud provider specified."; return 1; fi dir: .github/test-infra/${CLOUD}/${K8S_DISTRO} From 852973023fe2cd8a96edc11efea92ef2a7dbc811 Mon Sep 17 00:00:00 2001 From: Noah Birrer Date: Mon, 24 Feb 2025 09:26:34 -0500 Subject: [PATCH 029/118] add logic for fetching az token --- tasks/iac.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
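Review bot: In the `-150,12 +150,15` hunk of tasks/iac.yaml the added `-backend-config="access_key=${ACCOUNT_KEY}"` line follows `-backend-config="key=${STATE_KEY}"`, which has no trailing `\`, so `tofu init` runs without the access key and the shell then tries to execute `-backend-config=...` as a command. Beyond the syntax, this replaces the Entra ID path (`ARM_STORAGE_USE_AZUREAD`, now commented out in the workflow hunk above) with a listed storage-account key passed on the command line, where it is visible in the runner's process table and any `set -x` output, and `curl -L https://aka.ms/InstallAzureCli | bash` runs an unpinned remote script on the runner. PATCH 030 in this series reverts the key-based path, which is the right outcome; this is for the record so the OIDC configuration is the one that stays.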
diff --git a/tasks/iac.yaml b/tasks/iac.yaml index 1f748e3ba8..189cf4da78 100644 --- a/tasks/iac.yaml +++ b/tasks/iac.yaml @@ -142,6 +142,7 @@ tasks: - name: apply-tofu actions: + - cmd: if [ ${CLOUD} = "azure" ]; then ACCOUNT_KEY=$(az storage account keys list --resource-group $RESOURCE_GROUP_NAME --account-name $STORAGE_ACCOUNT_NAME --query '[0].value' --output tsv); fi - cmd: | if [ ${CLOUD} = "aws" ]; then tofu init -force-copy \ @@ -150,7 +151,6 @@ tasks: -backend-config="region=${REGION}" \ -backend-config="dynamodb_table=${STATE_DYNAMODB_TABLE_NAME}" elif [ ${CLOUD} = "azure" ]; then - curl -L https://aka.ms/InstallAzureCli | bash ACCOUNT_KEY=$(az storage account keys list --resource-group $RESOURCE_GROUP_NAME --account-name $STORAGE_ACCOUNT_NAME --query '[0].value' --output tsv) tofu init -force-copy \ -backend=true \ From 1350d44e45581fe70b1d5b06136579f11d2ecdd0 Mon Sep 17 00:00:00 2001 From: Noah Birrer Date: Mon, 24 Feb 2025 09:55:46 -0500 Subject: [PATCH 030/118] revert using key --- .github/workflows/test-aks.yaml | 4 ++-- tasks/iac.yaml | 3 --- 2 files changed, 2 insertions(+), 5 deletions(-) diff --git a/.github/workflows/test-aks.yaml b/.github/workflows/test-aks.yaml index b86b6d68ce..4340711c8c 100644 --- a/.github/workflows/test-aks.yaml +++ b/.github/workflows/test-aks.yaml @@ -48,7 +48,7 @@ jobs: echo "ARM_TENANT_ID=${{ secrets.AZURE_GOV_TENANT_ID }}" >> $GITHUB_ENV echo "ARM_USE_OIDC=true" >> $GITHUB_ENV echo "ARM_ENVIRONMENT=usgovernment" >> $GITHUB_ENV - #echo "ARM_STORAGE_USE_AZUREAD=true" >> $GITHUB_ENV + echo "ARM_STORAGE_USE_AZUREAD=true" >> $GITHUB_ENV - name: Checkout repository uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 
@@ -64,7 +64,7 @@ jobs: tenant-id: ${{ secrets.AZURE_GOV_TENANT_ID }} subscription-id: ${{ secrets.AZURE_GOV_SUBSCRIPTION_ID }} environment: 'AzureUSGovernment' - audience: "api://AzureADTokenExchangeUSGov" + #audience: "api://AzureADTokenExchangeUSGov" - name: Environment setup uses: ./.github/actions/setup diff --git a/tasks/iac.yaml b/tasks/iac.yaml index 189cf4da78..df8fbc8aed 100644 --- a/tasks/iac.yaml +++ b/tasks/iac.yaml @@ -142,7 +142,6 @@ tasks: - name: apply-tofu actions: - - cmd: if [ ${CLOUD} = "azure" ]; then ACCOUNT_KEY=$(az storage account keys list --resource-group $RESOURCE_GROUP_NAME --account-name $STORAGE_ACCOUNT_NAME --query '[0].value' --output tsv); fi - cmd: | if [ ${CLOUD} = "aws" ]; then tofu init -force-copy \ @@ -151,14 +150,12 @@ tasks: -backend-config="region=${REGION}" \ -backend-config="dynamodb_table=${STATE_DYNAMODB_TABLE_NAME}" elif [ ${CLOUD} = "azure" ]; then - ACCOUNT_KEY=$(az storage account keys list --resource-group $RESOURCE_GROUP_NAME --account-name $STORAGE_ACCOUNT_NAME --query '[0].value' --output tsv) tofu init -force-copy \ -backend=true \ -backend-config="resource_group_name=$RESOURCE_GROUP_NAME" \ -backend-config="storage_account_name=$STORAGE_ACCOUNT_NAME" \ -backend-config="container_name=$CONTAINER_NAME" \ -backend-config="key=${STATE_KEY}" - -backend-config="access_key=${ACCOUNT_KEY}" else echo "Invalid cloud provider specified."; return 1; fi dir: .github/test-infra/${CLOUD}/${K8S_DISTRO} From 510c15daf2af6052ca46f55f22c8a84a98fe1420 Mon Sep 17 00:00:00 2001 From: Noah Birrer Date: Mon, 24 Feb 2025 10:06:57 -0500 Subject: [PATCH 031/118] update region --- .github/test-infra/azure/aks/terraform.tfvars | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 .github/test-infra/azure/aks/terraform.tfvars diff --git a/.github/test-infra/azure/aks/terraform.tfvars b/.github/test-infra/azure/aks/terraform.tfvars new file mode 100644 index 0000000000..719a9361c3 --- /dev/null 
+++ b/.github/test-infra/azure/aks/terraform.tfvars @@ -0,0 +1,2 @@ +location = "usgovvirginia" +resource_group_name = "noah-dev" \ No newline at end of file From 38a74549700d204aa73355b82e00dc67a3efb37e Mon Sep 17 00:00:00 2001 From: Noah Birrer Date: Mon, 24 Feb 2025 10:10:32 -0500 Subject: [PATCH 032/118] add `availability_zone` for rke2 agent node(s) --- .github/test-infra/aws/rke2/main.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/test-infra/aws/rke2/main.tf b/.github/test-infra/aws/rke2/main.tf index d28b345385..e93ca9dece 100644 --- a/.github/test-infra/aws/rke2/main.tf +++ b/.github/test-infra/aws/rke2/main.tf @@ -114,6 +114,7 @@ resource "aws_instance" "rke2_ci_agent_node" { iam_instance_profile = aws_iam_instance_profile.rke2_server.name vpc_security_group_ids = [aws_security_group.rke2_ci_node_sg.id] associate_public_ip_address = true + availability_zone = "${var.region}a" root_block_device { volume_size = 100 From 8fbfb08c3e25043c5e6ab2e329dcef6511903bef Mon Sep 17 00:00:00 2001 From: Noah Birrer Date: Mon, 24 Feb 2025 10:46:34 -0500 Subject: [PATCH 033/118] switch availability zone --- .github/test-infra/aws/rke2/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/test-infra/aws/rke2/main.tf b/.github/test-infra/aws/rke2/main.tf index e93ca9dece..a02b07c30a 100644 --- a/.github/test-infra/aws/rke2/main.tf +++ b/.github/test-infra/aws/rke2/main.tf @@ -114,7 +114,7 @@ resource "aws_instance" "rke2_ci_agent_node" { iam_instance_profile = aws_iam_instance_profile.rke2_server.name vpc_security_group_ids = [aws_security_group.rke2_ci_node_sg.id] associate_public_ip_address = true - availability_zone = "${var.region}a" + availability_zone = "${var.region}c" root_block_device { volume_size = 100 From a657f9e6710c23aca7d5f02097d2c0861fece8a4 Mon Sep 17 00:00:00 2001 
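Review bot: The new `terraform.tfvars` hard-codes `resource_group_name = "noah-dev"` and `location = "usgovvirginia"`, and because a file with this exact name is loaded automatically and takes precedence over `TF_VAR_*` environment variables, it silently overrides the `TF_VAR_resource_group_name` and `TF_VAR_location` values the AKS workflow exports and points every CI run at a personal resource group. PATCH 040 deletes the file again; to keep it from coming back, add `*.tfvars` (or this path) to the repository's `.gitignore`, and use `-var-file=` or an ignored `*.auto.tfvars` for local overrides. The file is also missing its trailing newline.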
From: Noah Birrer Date: Mon, 24 Feb 2025 11:30:31 -0500 Subject: [PATCH 034/118] sku and psql dns fix --- .github/test-infra/azure/aks/networking.tf | 2 +- .github/test-infra/azure/aks/variables.tf | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/test-infra/azure/aks/networking.tf b/.github/test-infra/azure/aks/networking.tf index 58b07bf37d..05f889d15b 100644 --- a/.github/test-infra/azure/aks/networking.tf +++ b/.github/test-infra/azure/aks/networking.tf @@ -60,7 +60,7 @@ resource "azurerm_subnet" "cluster_api_subnet" { } resource "azurerm_private_dns_zone" "cluster_dns_zone" { - name = "${local.cluster_name}.postgres.database.azure.com" + name = "${local.cluster_name}.postgres.database.usgovcloudapi.com" resource_group_name = azurerm_resource_group.this.name } diff --git a/.github/test-infra/azure/aks/variables.tf b/.github/test-infra/azure/aks/variables.tf index d9d4a61c06..623979d51b 100644 --- a/.github/test-infra/azure/aks/variables.tf +++ b/.github/test-infra/azure/aks/variables.tf @@ -72,7 +72,7 @@ variable "autoscaling_min_node_count_worker" { variable "default_node_pool_vm_size" { description = "Specifies the vm size of the default node pool" - default = "Standard_F8s_v2" + default = "Standard_A8_v2" type = string } @@ -84,7 +84,7 @@ variable "worker_node_pool_count" { variable "worker_pool_vm_size" { description = "Specifies the vm size of the worker node pool" - default = "Standard_F8s_v2" + default = "Standard_A8_v2" type = string } From 8aaa050635519ef09b4652eeb3f87aa1f8a8fd3f Mon Sep 17 00:00:00 2001 From: Noah Birrer Date: Mon, 24 Feb 2025 11:41:40 -0500 Subject: [PATCH 035/118] buy time to debug --- .github/workflows/test-rke2.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test-rke2.yaml b/.github/workflows/test-rke2.yaml index 7ee5cdd0f5..14659ee8b5 100644 --- a/.github/workflows/test-rke2.yaml +++ b/.github/workflows/test-rke2.yaml 
@@ -102,7 +102,7 @@ jobs: timeout-minutes: 30 - name: Test UDS Core - run: uds run -f tasks/test.yaml uds-core-non-k3d + run: sleep 1200; uds run -f tasks/test.yaml uds-core-non-k3d - name: Debug Output if: ${{ always() }} From ef7c0e289af341ac966d57db0e3b63b8e529e252 Mon Sep 17 00:00:00 2001 From: Noah Birrer Date: Mon, 24 Feb 2025 11:44:58 -0500 Subject: [PATCH 036/118] dns fix and os disk type --- .github/test-infra/azure/aks/networking.tf | 2 +- .github/test-infra/azure/aks/variables.tf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/test-infra/azure/aks/networking.tf b/.github/test-infra/azure/aks/networking.tf index 05f889d15b..d7f4af1c09 100644 --- a/.github/test-infra/azure/aks/networking.tf +++ b/.github/test-infra/azure/aks/networking.tf @@ -60,7 +60,7 @@ resource "azurerm_subnet" "cluster_api_subnet" { } resource "azurerm_private_dns_zone" "cluster_dns_zone" { - name = "${local.cluster_name}.postgres.database.usgovcloudapi.com" + name = "${local.cluster_name}.postgres.database.usgovcloudapi.net" resource_group_name = azurerm_resource_group.this.name } diff --git a/.github/test-infra/azure/aks/variables.tf b/.github/test-infra/azure/aks/variables.tf index 623979d51b..a6d436d9be 100644 --- a/.github/test-infra/azure/aks/variables.tf +++ b/.github/test-infra/azure/aks/variables.tf @@ -150,7 +150,7 @@ variable "default_node_pool_node_labels" { variable "default_node_pool_os_disk_type" { description = "(Optional) The type of disk which should be used for the Operating System. Possible values are Ephemeral and Managed. Defaults to Managed. Changing this forces a new resource to be created." type = string - default = "Ephemeral" + default = "Managed" } variable "default_node_pool_node_count" { From 3da3c7421d48d2331074327787db77a9249f2f63 Mon Sep 17 00:00:00 2001 
From: Noah Birrer Date: Mon, 24 Feb 2025 12:12:12 -0500 Subject: [PATCH 037/118] switch to zone a --- .github/test-infra/aws/rke2/data.tf | 2 +- .github/test-infra/aws/rke2/main.tf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/test-infra/aws/rke2/data.tf b/.github/test-infra/aws/rke2/data.tf index 80518887f4..53c394c7af 100644 --- a/.github/test-infra/aws/rke2/data.tf +++ b/.github/test-infra/aws/rke2/data.tf @@ -10,7 +10,7 @@ data "aws_vpc" "vpc" { data "aws_subnet" "rke2_ci_subnet" { vpc_id = data.aws_vpc.vpc.id - availability_zone = "${var.region}c" + availability_zone = "${var.region}a" filter { name = "tag:Name" diff --git a/.github/test-infra/aws/rke2/main.tf b/.github/test-infra/aws/rke2/main.tf index a02b07c30a..e93ca9dece 100644 --- a/.github/test-infra/aws/rke2/main.tf +++ b/.github/test-infra/aws/rke2/main.tf @@ -114,7 +114,7 @@ resource "aws_instance" "rke2_ci_agent_node" { iam_instance_profile = aws_iam_instance_profile.rke2_server.name vpc_security_group_ids = [aws_security_group.rke2_ci_node_sg.id] associate_public_ip_address = true - availability_zone = "${var.region}c" + availability_zone = "${var.region}a" root_block_device { volume_size = 100 From b33f8bf9625e955b0fb3b44d86b1ed56fd386bb1 Mon Sep 17 00:00:00 2001 From: Noah Birrer Date: Mon, 24 Feb 2025 12:40:43 -0500 Subject: [PATCH 038/118] update velero credentials override --- .github/bundles/aks/uds-bundle.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/bundles/aks/uds-bundle.yaml b/.github/bundles/aks/uds-bundle.yaml index 2d94052c28..2378ab1d21 100644 --- a/.github/bundles/aks/uds-bundle.yaml +++ b/.github/bundles/aks/uds-bundle.yaml @@ -139,4 +139,4 @@ packages: secretContents: cloud: | AZURE_STORAGE_ACCOUNT_ACCESS_KEY=${AZURE_VELERO_STORAGE_ACCOUNT_ACCESS_KEY} - AZURE_CLOUD_NAME=AzurePublicCloud + AZURE_CLOUD_NAME=AzureUSGovernmentCloud From 77a216d5328e97a06537747e04d0f2b8265f71fe Mon Sep 17 00:00:00 2001 
From: Noah Birrer Date: Mon, 24 Feb 2025 13:25:54 -0500 Subject: [PATCH 039/118] rm temp debug changes --- .github/workflows/test-eks.yaml | 4 ++-- .github/workflows/test-rke2.yaml | 2 +- tasks/utils.yaml | 4 ++-- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/test-eks.yaml b/.github/workflows/test-eks.yaml index 62df9738d1..88819669a3 100644 --- a/.github/workflows/test-eks.yaml +++ b/.github/workflows/test-eks.yaml @@ -97,8 +97,8 @@ jobs: run: uds deploy .github/bundles/eks/uds-bundle-uds-core-eks-nightly-*.tar.zst --confirm timeout-minutes: 30 - # - name: Test UDS Core - # run: uds run -f tasks/test.yaml uds-core-non-k3d --set EXCLUDED_PACKAGES="metrics-server" + - name: Test UDS Core + run: uds run -f tasks/test.yaml uds-core-non-k3d --set EXCLUDED_PACKAGES="metrics-server" - name: Debug Output if: ${{ always() }} diff --git a/.github/workflows/test-rke2.yaml b/.github/workflows/test-rke2.yaml index 14659ee8b5..7ee5cdd0f5 100644 --- a/.github/workflows/test-rke2.yaml +++ b/.github/workflows/test-rke2.yaml @@ -102,7 +102,7 @@ jobs: timeout-minutes: 30 - name: Test UDS Core - run: sleep 1200; uds run -f tasks/test.yaml uds-core-non-k3d + run: uds run -f tasks/test.yaml uds-core-non-k3d - name: Debug Output if: ${{ always() }} diff --git a/tasks/utils.yaml b/tasks/utils.yaml index 2371b5df50..3fadb1af3c 100644 --- a/tasks/utils.yaml +++ b/tasks/utils.yaml @@ -74,7 +74,7 @@ tasks: HOSTNAME=$(uds zarf tools kubectl get service -n istio-admin-gateway admin-ingressgateway -o=jsonpath='{.status.loadBalancer.ingress[0].hostname}' 2>/dev/null) IP_ADDR=$(dig +short $HOSTNAME) fi; echo $IP_ADDR - mute: false + mute: true setVariables: - name: ADMIN_GW_IP - name: tenant-gw-ip 
@@ -86,7 +86,7 @@ tasks: HOSTNAME=$(uds zarf tools kubectl get service -n istio-tenant-gateway tenant-ingressgateway -o=jsonpath='{.status.loadBalancer.ingress[0].hostname}' 2>/dev/null) IP_ADDR=$(dig +short $HOSTNAME) fi; echo $IP_ADDR - mute: false + mute: true setVariables: - name: TENANT_GW_IP - name: setup-hosts From b7503da53f46bf4ea9bf9d96b84e13a62f4a2d64 Mon Sep 17 00:00:00 2001 From: Noah Birrer Date: Mon, 24 Feb 2025 14:16:32 -0500 Subject: [PATCH 040/118] rm unused terraform.tfvars --- .github/test-infra/azure/aks/terraform.tfvars | 2 -- 1 file changed, 2 deletions(-) delete mode 100644 .github/test-infra/azure/aks/terraform.tfvars diff --git a/.github/test-infra/azure/aks/terraform.tfvars b/.github/test-infra/azure/aks/terraform.tfvars deleted file mode 100644 index 719a9361c3..0000000000 --- a/.github/test-infra/azure/aks/terraform.tfvars +++ /dev/null @@ -1,2 +0,0 @@ -location = "usgovvirginia" -resource_group_name = "noah-dev" \ No newline at end of file From f5f03e409339fe9664f9653c32ba50e48574916e Mon Sep 17 00:00:00 2001 From: Noah Birrer Date: Mon, 24 Feb 2025 14:21:45 -0500 Subject: [PATCH 041/118] tmp disable eks e2e testing --- .github/workflows/test-eks.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/test-eks.yaml b/.github/workflows/test-eks.yaml index 88819669a3..62df9738d1 100644 --- a/.github/workflows/test-eks.yaml +++ b/.github/workflows/test-eks.yaml @@ -97,8 +97,8 @@ jobs: run: uds deploy .github/bundles/eks/uds-bundle-uds-core-eks-nightly-*.tar.zst --confirm timeout-minutes: 30 - - name: Test UDS Core - run: uds run -f tasks/test.yaml uds-core-non-k3d --set EXCLUDED_PACKAGES="metrics-server" + # - name: Test UDS Core + # run: uds run -f tasks/test.yaml uds-core-non-k3d --set EXCLUDED_PACKAGES="metrics-server" - name: Debug Output if: ${{ always() }} From e5b4c4ce6203f33229803867b112185f8db68add Mon Sep 17 00:00:00 2001 
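Review bot: The `Test UDS Core` step in test-eks.yaml is commented out with no reason or tracking reference, so the nightly EKS job will keep deploying and reporting green with zero e2e coverage and nobody reading the workflow can tell whether that is deliberate. Leave a breadcrumb on the step, e.g. `# TODO(<issue>): e2e disabled on EKS because ...` above the commented lines, or keep the step and gate it with `if: false  # see <issue>` so it stays visible in the job list. PATCH 039 re-enabled this same step two commits earlier, which makes the missing explanation more confusing.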
From: Noah Birrer Date: Mon, 24 Feb 2025 16:01:01 -0500 Subject: [PATCH 042/118] increase disk space for rke2 nodes --- .github/test-infra/aws/rke2/main.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/test-infra/aws/rke2/main.tf b/.github/test-infra/aws/rke2/main.tf index e93ca9dece..ee0cb3d13f 100644 --- a/.github/test-infra/aws/rke2/main.tf +++ b/.github/test-infra/aws/rke2/main.tf @@ -96,7 +96,7 @@ resource "aws_instance" "rke2_ci_control_plane_node" { associate_public_ip_address = true root_block_device { - volume_size = 100 + volume_size = 150 } tags = merge(local.tags, { "kubernetes.io/cluster/${local.cluster_name}" = "owned" }) @@ -117,7 +117,7 @@ resource "aws_instance" "rke2_ci_agent_node" { availability_zone = "${var.region}a" root_block_device { - volume_size = 100 + volume_size = 150 } tags = merge(local.tags, { "kubernetes.io/cluster/${local.cluster_name}" = "owned" }) From 87b87c181d53a34199c37a6286afc8f21149ee02 Mon Sep 17 00:00:00 2001 From: Noah Birrer Date: Tue, 25 Feb 2025 09:51:34 -0500 Subject: [PATCH 043/118] specify `backup.velero.io` kind in `./src/velero/tasks.yaml` --- src/velero/tasks.yaml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/src/velero/tasks.yaml b/src/velero/tasks.yaml index 1394e5f8b6..8861d2e0e3 100644 --- a/src/velero/tasks.yaml +++ b/src/velero/tasks.yaml @@ -47,12 +47,12 @@ tasks: - description: wait for the backup object wait: cluster: - kind: Backup + kind: backup.velero.io name: ${BACKUP_NAME} namespace: velero - description: check the status of the backup object cmd: |- - STATUS=$(uds zarf tools kubectl get backups -n velero ${BACKUP_NAME} -o jsonpath='{.status.phase}') + STATUS=$(uds zarf tools kubectl get backup.velero.io -n velero ${BACKUP_NAME} -o jsonpath='{.status.phase}') if [ ${STATUS} != "Completed" ]; then echo "Status is '$STATUS'... waiting to see if it changes" 
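Review bot: The rewritten `STATUS=$(uds zarf tools kubectl get backup.velero.io ...)` line feeds an unquoted `${STATUS}` into `if [ ${STATUS} != "Completed" ]` on the next line, so when kubectl prints nothing (object not yet visible, or the fully-qualified kind failing to resolve) the test becomes `[ != Completed ]`, a shell error instead of the intended wait-and-retry. Quote it as `if [ "${STATUS}" != "Completed" ]; then` here and on the matching re-check in the following hunk. Using `backup.velero.io` instead of the bare `backups` is the right call, since another installed CRD with the same plural name would otherwise be ambiguous; the task body continues past this hunk.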
@@ -60,13 +60,13 @@ tasks: sleep 30 # check again... - STATUS=$(uds zarf tools kubectl get backups -n velero ${BACKUP_NAME} -o jsonpath='{.status.phase}') + STATUS=$(uds zarf tools kubectl get backup.velero.io -n velero ${BACKUP_NAME} -o jsonpath='{.status.phase}') if [ ${STATUS} != "Completed" ]; then echo "Status is $STATUS... something isn't right.." # get backup object - uds zarf tools kubectl get backups -n velero ${BACKUP_NAME} -o yaml - uds zarf tools kubectl get backups -A -o yaml + uds zarf tools kubectl get backup.velero.io -n velero ${BACKUP_NAME} -o yaml + uds zarf tools kubectl get backup.velero.io -A -o yaml echo "::endgroup::" # get backupstoragelocations From 6d20335fb2daf823f7e5ecb7093474ceabc67dbb Mon Sep 17 00:00:00 2001 From: Noah Birrer Date: Tue, 25 Feb 2025 11:49:31 -0500 Subject: [PATCH 044/118] more disk for rke2 nodes --- .github/test-infra/aws/rke2/main.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/test-infra/aws/rke2/main.tf b/.github/test-infra/aws/rke2/main.tf index ee0cb3d13f..2b95a001ef 100644 --- a/.github/test-infra/aws/rke2/main.tf +++ b/.github/test-infra/aws/rke2/main.tf @@ -96,7 +96,7 @@ resource "aws_instance" "rke2_ci_control_plane_node" { associate_public_ip_address = true root_block_device { - volume_size = 150 + volume_size = 250 } tags = merge(local.tags, { "kubernetes.io/cluster/${local.cluster_name}" = "owned" }) @@ -117,7 +117,7 @@ resource "aws_instance" "rke2_ci_agent_node" { availability_zone = "${var.region}a" root_block_device { - volume_size = 150 + volume_size = 250 } tags = merge(local.tags, { "kubernetes.io/cluster/${local.cluster_name}" = "owned" }) From cba3465140a1bfbdb0e9ef0ac0e6e286d579651d Mon Sep 17 00:00:00 2001 
From: Noah Birrer Date: Tue, 25 Feb 2025 13:06:24 -0500 Subject: [PATCH 045/118] create new task for coredns-custom cm --- .github/workflows/test-aks.yaml | 3 +++ .github/workflows/test-eks.yaml | 3 +++ .github/workflows/test-rke2.yaml | 3 +++ tasks/utils.yaml | 20 ++++++++++++++++++++ 4 files changed, 29 insertions(+) diff --git a/.github/workflows/test-aks.yaml b/.github/workflows/test-aks.yaml index f392bf3c78..c4e2f25fd8 100644 --- a/.github/workflows/test-aks.yaml +++ b/.github/workflows/test-aks.yaml @@ -88,6 +88,9 @@ jobs: - name: Create IAC run: uds run -f tasks/iac.yaml apply-tofu --no-progress --set K8S_DISTRO=aks --set CLOUD=azure + - name: Configure Cluster DNS + run: uds run -f tasks/utils.yaml coredns-setup --no-progress + - name: Deploy Core Bundle env: UDS_CONFIG: .github/bundles/aks/uds-config.yaml diff --git a/.github/workflows/test-eks.yaml b/.github/workflows/test-eks.yaml index 62df9738d1..d3d74d6b78 100644 --- a/.github/workflows/test-eks.yaml +++ b/.github/workflows/test-eks.yaml @@ -91,6 +91,9 @@ jobs: run: uds run -f tasks/iac.yaml create-iac --no-progress --set K8S_DISTRO=eks --set CLOUD=aws timeout-minutes: 20 + - name: Configure Cluster DNS + run: uds run -f tasks/utils.yaml coredns-setup --no-progress + - name: Deploy Core Bundle env: UDS_CONFIG: .github/bundles/eks/uds-config.yaml diff --git a/.github/workflows/test-rke2.yaml b/.github/workflows/test-rke2.yaml index 7ee5cdd0f5..a87833fdc1 100644 --- a/.github/workflows/test-rke2.yaml +++ b/.github/workflows/test-rke2.yaml @@ -95,6 +95,9 @@ jobs: run: uds run -f tasks/iac.yaml rke2-cluster-ready --no-progress timeout-minutes: 20 + - name: Configure Cluster DNS + run: uds run -f tasks/utils.yaml coredns-setup --no-progress + - name: Deploy Core Bundle env: UDS_CONFIG: .github/bundles/rke2/uds-config.yaml diff --git a/tasks/utils.yaml b/tasks/utils.yaml index 3fadb1af3c..40d66038d9 100644 --- a/tasks/utils.yaml +++ b/tasks/utils.yaml 
@@ -65,6 +65,26 @@ tasks: -n keycloak fi + - name: coredns-setup + actions: + - task: tenant-gw-ip + - description: Setup Custom ConfigMap for Core DNS + cmd: | + uds zarf tools kubectl apply -f - < Date: Tue, 25 Feb 2025 13:22:04 -0500 Subject: [PATCH 046/118] rm task call --- tasks/utils.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/tasks/utils.yaml b/tasks/utils.yaml index 40d66038d9..da61f49146 100644 --- a/tasks/utils.yaml +++ b/tasks/utils.yaml @@ -67,7 +67,6 @@ tasks: - name: coredns-setup actions: - - task: tenant-gw-ip - description: Setup Custom ConfigMap for Core DNS cmd: | uds zarf tools kubectl apply -f - < Date: Thu, 6 Mar 2025 18:02:24 -0500 Subject: [PATCH 047/118] update rke2 tasks to do coredns override --- tasks/iac.yaml | 2 +- tasks/utils.yaml | 42 +++++++++++++++++++++++++++++++++--------- 2 files changed, 34 insertions(+), 10 deletions(-) diff --git a/tasks/iac.yaml b/tasks/iac.yaml index 41800c1c46..80e357d3d7 100644 --- a/tasks/iac.yaml +++ b/tasks/iac.yaml @@ -112,7 +112,6 @@ tasks: break fi done - # wait for cluster components while true; do if [ $(uds zarf tools kubectl get po,job -A --no-headers=true | egrep -v 'Running|Complete' | wc -l) -gt 0 ]; then @@ -124,6 +123,7 @@ tasks: fi done #uds zarf tools kubectl apply -f ./metallb.yaml + - task: coredns-setup dir: .github/test-infra/aws/rke2/ maxTotalSeconds: 600 diff --git a/tasks/utils.yaml b/tasks/utils.yaml index da61f49146..519493f38a 100644 --- a/tasks/utils.yaml +++ b/tasks/utils.yaml @@ -65,25 +65,49 @@ tasks: -n keycloak fi + # - name: coredns-pre-config-rke2 + # actions: + # - description: Update Core DNS Helm Release to use Custom ConfigMap + # cmd: | + - name: coredns-setup actions: - description: Setup Custom ConfigMap for Core DNS cmd: | uds zarf tools kubectl apply -f - < Date: Thu, 6 Mar 2025 18:15:41 -0500 Subject: [PATCH 048/118] fix lint --- tasks/utils.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/tasks/utils.yaml b/tasks/utils.yaml index 519493f38a..21dca8e1fa 100644 --- a/tasks/utils.yaml +++ b/tasks/utils.yaml @@ -69,7 +69,7 @@ tasks: # actions: # - description: Update Core DNS Helm Release to use Custom ConfigMap # cmd: | - + - name: coredns-setup actions: - description: Setup Custom ConfigMap for Core DNS From 270f35fdd7e7ed1e03e4c29c68a2114cfd836606 Mon Sep 17 00:00:00 2001 From: Noah Birrer Date: Thu, 6 Mar 2025 18:19:00 -0500 Subject: [PATCH 049/118] address pr feedback --- src/test/tasks.yaml | 1 + tasks/test.yaml | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/src/test/tasks.yaml b/src/test/tasks.yaml index 8ee21389f0..720f15b9ae 100644 --- a/src/test/tasks.yaml +++ b/src/test/tasks.yaml @@ -26,6 +26,7 @@ tasks: inputs: architecture: description: "System architecture that the test-apps package should be built for." + default: ${UDS_ARCH} actions: - description: Create zarf package for the test resources diff --git a/tasks/test.yaml b/tasks/test.yaml index bd297ceb68..7c2edba038 100644 --- a/tasks/test.yaml +++ b/tasks/test.yaml @@ -84,7 +84,7 @@ tasks: architecture: description: "System architecture that the test-apps package should be built for." required: true - default: "arm64" + default: ${UDS_ARCH} # Run each e2e test type from the e2e folder actions: - description: "Setup the Keycloak admin user if needed" From 29271d99124b1b2a9f3e3a69319aa583dfb1a27f Mon Sep 17 00:00:00 2001 From: Noah Birrer Date: Fri, 7 Mar 2025 09:09:09 -0500 Subject: [PATCH 050/118] switch to gov iam role --- .github/test-infra/aws/rke2/iam.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/test-infra/aws/rke2/iam.tf b/.github/test-infra/aws/rke2/iam.tf index ec14ebb8a5..78345519dc 100644 --- a/.github/test-infra/aws/rke2/iam.tf +++ b/.github/test-infra/aws/rke2/iam.tf 
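Review bot: In the tasks/test.yaml hunk the `architecture` input now carries both `required: true` and `default: ${UDS_ARCH}`; with a default present the required flag presumably can no longer reject a caller that omits the input, so one of the two is dead. If the intent is to fall back to the host architecture, drop `required: true`; if callers must choose explicitly, drop the default. The src/test/tasks.yaml hunk adds the same default and would benefit from a one-line comment such as `# defaults to the architecture of the host running uds unless overridden`.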
@@ -78,7 +78,7 @@ data "aws_iam_policy_document" "aws_ccm" { } data "http" "aws-lb-controller-iam" { - url = "https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.11.0/docs/install/iam_policy.json" + url = "https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.11.0/docs/install/iam_policy_us-gov.json" } resource "aws_iam_role_policy" "aws-lb-controller" { From 50232fdc6ffb753af18b01b6f3e2fc037828ca01 Mon Sep 17 00:00:00 2001 From: Noah Birrer Date: Fri, 7 Mar 2025 09:45:01 -0500 Subject: [PATCH 051/118] include util task --- tasks/iac.yaml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/tasks/iac.yaml b/tasks/iac.yaml index e8bd819d88..fca62a7683 100644 --- a/tasks/iac.yaml +++ b/tasks/iac.yaml @@ -1,6 +1,8 @@ # Copyright 2024 Defense Unicorns # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial +includes: + - util: ./utils.yaml variables: - name: CLUSTER_NAME @@ -129,7 +131,7 @@ tasks: fi done #uds zarf tools kubectl apply -f ./metallb.yaml - - task: coredns-setup + - task: util:coredns-setup dir: .github/test-infra/aws/rke2/ maxTotalSeconds: 600 From 5056ab41c820fb6ea132eb3bb39c93f62569d0b4 Mon Sep 17 00:00:00 2001 From: Noah Birrer Date: Fri, 7 Mar 2025 13:43:58 -0500 Subject: [PATCH 052/118] add coredns fixes and add netpol for rke2 --- .github/workflows/test-aks.yaml | 2 +- tasks/iac.yaml | 3 +- tasks/utils.yaml | 58 ++++++++++++++++++++++++++++----- 3 files changed, 53 insertions(+), 10 deletions(-) diff --git a/.github/workflows/test-aks.yaml b/.github/workflows/test-aks.yaml index c4e2f25fd8..d5c2cdce17 100644 --- a/.github/workflows/test-aks.yaml +++ b/.github/workflows/test-aks.yaml 
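Review bot: The `data "http"` source fetches the IAM policy document from a mutable git tag (`v2.11.0`) over the network at plan time, and whatever is served at that URL is attached to the role unchanged and unverified, so an upstream change or a compromised response silently alters the permissions granted. Pin the URL to a commit SHA rather than a tag, or vendor the JSON into the repo and load it with `file()`, and add a postcondition on the response status so a redirect or error page cannot be attached as a policy. The switch to the `iam_policy_us-gov.json` variant is consistent with the GovCloud move in the subject; a comment naming the partition above the data source would help.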
@@ -89,7 +89,7 @@ jobs: run: uds run -f tasks/iac.yaml apply-tofu --no-progress --set K8S_DISTRO=aks --set CLOUD=azure - name: Configure Cluster DNS - run: uds run -f tasks/utils.yaml coredns-setup --no-progress + run: uds run -f tasks/utils.yaml aks-coredns-setup --no-progress - name: Deploy Core Bundle env: diff --git a/tasks/iac.yaml b/tasks/iac.yaml index fca62a7683..28a2b8d288 100644 --- a/tasks/iac.yaml +++ b/tasks/iac.yaml @@ -131,7 +131,8 @@ tasks: fi done #uds zarf tools kubectl apply -f ./metallb.yaml - - task: util:coredns-setup + - task: util:rke2-coredns-setup + - task: util:rke2-allow-prom-kube-dns dir: .github/test-infra/aws/rke2/ maxTotalSeconds: 600 diff --git a/tasks/utils.yaml b/tasks/utils.yaml index 21dca8e1fa..98e1867420 100644 --- a/tasks/utils.yaml +++ b/tasks/utils.yaml @@ -64,13 +64,55 @@ tasks: --from-literal=password=${PASSWORD} \ -n keycloak fi - - # - name: coredns-pre-config-rke2 - # actions: - # - description: Update Core DNS Helm Release to use Custom ConfigMap - # cmd: | - - - name: coredns-setup + - name: aks-coredns-setup + actions: + - description: Setup Custom ConfigMap for Core DNS + cmd: | + uds zarf tools kubectl apply -f - < Date: Fri, 7 Mar 2025 14:19:44 -0500 Subject: [PATCH 053/118] fix task name --- .github/workflows/test-eks.yaml | 4 ++-- .github/workflows/test-rke2.yaml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/test-eks.yaml b/.github/workflows/test-eks.yaml index 4b10d19b71..5664308a78 100644 --- a/.github/workflows/test-eks.yaml +++ b/.github/workflows/test-eks.yaml @@ -92,8 +92,8 @@ jobs: run: uds run -f tasks/iac.yaml create-iac --no-progress --set K8S_DISTRO=eks --set CLOUD=aws timeout-minutes: 20 - - name: Configure Cluster DNS - run: uds run -f tasks/utils.yaml coredns-setup --no-progress + # - name: Configure Cluster DNS + # run: uds run -f tasks/utils.yaml coredns-setup --no-progress - name: Deploy Core Bundle env: 
diff --git a/.github/workflows/test-rke2.yaml b/.github/workflows/test-rke2.yaml index 89d6cd9e4c..5d8ce7273b 100644 --- a/.github/workflows/test-rke2.yaml +++ b/.github/workflows/test-rke2.yaml @@ -96,7 +96,7 @@ jobs: timeout-minutes: 20 - name: Configure Cluster DNS - run: uds run -f tasks/utils.yaml coredns-setup --no-progress + run: uds run -f tasks/utils.yaml rke2-coredns-setup --no-progress - name: Deploy Core Bundle env: From c37402b21ccfebc928448366f78f02fa415fdf6d Mon Sep 17 00:00:00 2001 From: Noah Birrer Date: Mon, 10 Mar 2025 13:11:38 -0400 Subject: [PATCH 054/118] include nested dirs in workflow trigger for rke2 IaC --- .github/workflows/test-rke2.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test-rke2.yaml b/.github/workflows/test-rke2.yaml index 5d8ce7273b..cbb4e59b75 100644 --- a/.github/workflows/test-rke2.yaml +++ b/.github/workflows/test-rke2.yaml @@ -13,7 +13,7 @@ on: paths: - tasks/iac.yaml - .github/bundles/rke2/* - - .github/test-infra/aws/rke2/* + - .github/test-infra/aws/rke2/** - .github/workflows/test-rke2.yaml permissions: From f7f4e226c7c7f93507466b111eb5307fb58ac0bb Mon Sep 17 00:00:00 2001 From: Noah Birrer Date: Tue, 11 Mar 2025 13:25:56 -0400 Subject: [PATCH 055/118] fix: adjust network tests to work across k8s distros --- tasks/utils.yaml | 2 +- test/jest/network.spec.ts | 23 +++++++++++++++-------- 2 files changed, 16 insertions(+), 9 deletions(-) diff --git a/tasks/utils.yaml b/tasks/utils.yaml index 98e1867420..7c9b32f322 100644 --- a/tasks/utils.yaml +++ b/tasks/utils.yaml @@ -83,7 +83,7 @@ tasks: name: coredns-custom namespace: kube-system EOF - uds zarf tools kubectl -n kube-system rollout restart deployment coredns + uds zarf tools kubectl -n kube-system rollout restart deployment coredns - name: rke2-allow-prom-kube-dns actions: - description: Create NetworkPolicy to allow Prometheus to scrape kube-dns 
diff --git a/test/jest/network.spec.ts b/test/jest/network.spec.ts index 5d2cd7d06f..0df33499bf 100644 --- a/test/jest/network.spec.ts +++ b/test/jest/network.spec.ts @@ -23,6 +23,8 @@ function getCurlCommand(serviceName: string, namespaceName: string, port = 8080) return [ "curl", "-s", + "-m", + "3", "-o", "/dev/null", "-w", @@ -134,6 +136,8 @@ describe("Network Policy Validation", () => { const GOOGLE_CURL = [ "curl", "-s", + "-m", + "3", "-o", "/dev/null", "-w", @@ -143,12 +147,13 @@ describe("Network Policy Validation", () => { test.concurrent("Denied Requests by Default and Incorrect Ports and Labels", async () => { // Default Deny when no Ingress or Egress defined or Exposed Endpoints + // The HTTP response code could either be 000 or 503, depending on the K8s distro const denied_external_response = await execInPod("curl-ns-deny-all", curlPodName1, "curl-pkg-deny-all-1", CURL_GATEWAY); - expect(denied_external_response.stdout).toBe("000"); - + expect(denied_external_response.stdout).not.toBe("200"); + // Default deny when no Ingress or Egress for internal curl command const denied_internal_response = await execInPod("curl-ns-deny-all", curlPodName1, "curl-pkg-deny-all-1", INTERNAL_CURL_COMMAND_1); - expect(denied_internal_response.stdout).toBe("503"); + expect(denied_internal_response.stdout).not.toBe("200"); // Default Deny for Google Curl when no Egress defined const denied_google_response = await execInPod("curl-ns-deny-all", curlPodName1, "curl-pkg-deny-all-1", GOOGLE_CURL); 
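Review bot: Changing the denied-path assertions from `toBe("000")`/`toBe("503")` to `not.toBe("200")` accepts any non-200 outcome, including 301/302, 401/403 or 404 answers from a service the policy should have made unreachable, so a network-policy regression that merely lands on a wrong route or an auth error now passes. An explicit allow-list keeps the cross-distro tolerance the comment describes without that blind spot: `expect(["000", "503"]).toContain(denied_external_response.stdout);`, applied to each denied check in this hunk and in the `@@ -157`, `@@ -177`, `@@ -233` and `@@ -254` hunks below. The new `-m 3` curl timeout also makes a slow but permitted request report `000`, so the positive-path checks outside these hunks may become flaky under load; a comment on why three seconds was chosen belongs next to the first `"-m", "3"` pair.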
@@ -157,7 +162,7 @@ describe("Network Policy Validation", () => { // Default Deny for Blocked Port const blocked_port_curl = getCurlCommand("curl-pkg-deny-all-2", "curl-ns-deny-all", 9999); const denied_port_response = await execInPod("curl-ns-deny-all", curlPodName1, "curl-pkg-deny-all-1", blocked_port_curl); - expect(denied_port_response.stdout).toBe("503"); + expect(denied_port_response.stdout).not.toBe("200"); }); test.concurrent("Basic Wide Open Ingress and Wide Open Egress", async () => { @@ -168,6 +173,8 @@ describe("Network Policy Validation", () => { const CURL_INTERNAL_8081 = [ "curl", "-s", + "-m", + "3", "-o", "/dev/null", "-w", @@ -177,12 +184,12 @@ describe("Network Policy Validation", () => { // Deny request when port is not allowed on ingress const denied_incorrect_port_response = await execInPod("test-admin-app", testAdminApp, "curl", CURL_INTERNAL_8081); - expect(denied_incorrect_port_response.stdout).toBe("503"); + expect(denied_incorrect_port_response.stdout).not.toBe("200"); // Default Deny for undefined Ingress port const blocked_port_curl = getCurlCommand("curl-pkg-allow-all", "curl-ns-allow-all", 9999); const denied_port_response = await execInPod("test-admin-app", testAdminApp, "curl", blocked_port_curl); - expect(denied_port_response.stdout).toBe("503"); + expect(denied_port_response.stdout).not.toBe("200"); // Wide open Egress means successful google curl const successful_google_response = await execInPod("test-admin-app", testAdminApp, "curl", GOOGLE_CURL); 
@@ -233,7 +240,7 @@ describe("Network Policy Validation", () => { // Default Deny for Blocked Port const blocked_port_curl = getCurlCommand("curl-pkg-remote-ns-ingress", "curl-ns-remote-ns-2", 9999); const denied_port_response = await execInPod("curl-ns-remote-ns-1", curlPodName6, "curl-pkg-remote-ns-egress", blocked_port_curl); - expect(denied_port_response.stdout).toBe("503"); + expect(denied_port_response.stdout).not.toBe("200"); }); test.concurrent("Kube API Restrictions", async () => { @@ -254,7 +261,7 @@ describe("Network Policy Validation", () => { // Default Deny for Blocked Port const blocked_port_curl = getCurlCommand("curl-pkg-deny-all-2", "curl-ns-deny-all", 9999); const denied_port_response = await execInPod("curl-ns-kube-api", curlPodName8, "curl-pkg-kube-api", blocked_port_curl); - expect(denied_port_response.stdout).toBe("503"); + expect(denied_port_response.stdout).not.toBe("200"); }); test.concurrent("RemoteCidr Restrictions", async () => { From 07a437f5b6790aa2df495076411c68ddca6c86ef Mon Sep 17 00:00:00 2001 From: Noah Birrer Date: Tue, 11 Mar 2025 14:17:22 -0400 Subject: [PATCH 056/118] metrics fix for rke2 hopefully --- .github/test-infra/aws/rke2/scripts/user_data.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/test-infra/aws/rke2/scripts/user_data.sh b/.github/test-infra/aws/rke2/scripts/user_data.sh index f4f4469ca1..1b7a6056dd 100644 --- a/.github/test-infra/aws/rke2/scripts/user_data.sh +++ b/.github/test-infra/aws/rke2/scripts/user_data.sh 
@@ -107,6 +107,8 @@ chmod +x yq ./yq -i '.kube-apiserver-arg += "api-audiences=kubernetes.svc.default"' /etc/rancher/rke2/config.yaml ./yq -i '.kube-apiserver-arg += "service-account-issuer=https://${BUCKET_REGIONAL_DOMAIN_NAME}"' /etc/rancher/rke2/config.yaml ./yq -i '.kube-apiserver-arg += "audit-log-path=/var/log/kubernetes/audit/audit.log"' /etc/rancher/rke2/config.yaml +#Fix for metrics server scraping of kubernetes api server components +./yq -i '.kube-controller-manager-arg[2] = "bind-address=0.0.0.0"' /etc/rancher/rke2/config.yaml rm -rf ./yq } From 1aeb6d39ce5ba84b3804f5709ad660c0f40c03da Mon Sep 17 00:00:00 2001 From: Noah Birrer Date: Tue, 11 Mar 2025 17:55:03 -0400 Subject: [PATCH 057/118] add args for etcd and kube-scheduler --- .github/test-infra/aws/rke2/scripts/user_data.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/test-infra/aws/rke2/scripts/user_data.sh b/.github/test-infra/aws/rke2/scripts/user_data.sh index 1b7a6056dd..9a034eaa76 100644 --- a/.github/test-infra/aws/rke2/scripts/user_data.sh +++ b/.github/test-infra/aws/rke2/scripts/user_data.sh @@ -109,6 +109,8 @@ chmod +x yq ./yq -i '.kube-apiserver-arg += "audit-log-path=/var/log/kubernetes/audit/audit.log"' /etc/rancher/rke2/config.yaml #Fix for metrics server scraping of kubernetes api server components ./yq -i '.kube-controller-manager-arg[2] = "bind-address=0.0.0.0"' /etc/rancher/rke2/config.yaml +./yq -i '.kube-scheduler-arg += "bind-address=0.0.0.0"' /etc/rancher/rke2/config.yaml +./yq -i '.listen-metrics-urls = "http://0.0.0.0:2381"' /var/lib/rancher/rke2/server/db/etcd/config rm -rf ./yq } From de2e1dc50f72bfe35b7aa7b670f0efa50ed02e63 Mon Sep 17 00:00:00 2001 From: Noah Birrer Date: Wed, 12 Mar 2025 09:46:42 -0400 Subject: [PATCH 058/118] add sudo --- .github/test-infra/aws/rke2/scripts/user_data.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
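Review bot: `./yq -i '.kube-controller-manager-arg[2] = "bind-address=0.0.0.0"'` overwrites whatever already sits at index 2 of `kube-controller-manager-arg` (and presumably pads the list with nulls when it is shorter) instead of appending, unlike the `+=` form used on the surrounding lines and in the next patch's `kube-scheduler-arg` line. Use `./yq -i '.kube-controller-manager-arg += "bind-address=0.0.0.0"' /etc/rancher/rke2/config.yaml` so existing arguments are kept. Binding the controller-manager and scheduler to 0.0.0.0 also exposes their serving ports on every node interface; the comment should state what limits access (security group rule: `<confirm>`), or the bind should use the node's private address. The function enclosing these lines starts outside the hunk.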
diff --git a/.github/test-infra/aws/rke2/scripts/user_data.sh b/.github/test-infra/aws/rke2/scripts/user_data.sh index 9a034eaa76..e666873525 100644 --- a/.github/test-infra/aws/rke2/scripts/user_data.sh +++ b/.github/test-infra/aws/rke2/scripts/user_data.sh @@ -110,7 +110,7 @@ chmod +x yq #Fix for metrics server scraping of kubernetes api server components ./yq -i '.kube-controller-manager-arg[2] = "bind-address=0.0.0.0"' /etc/rancher/rke2/config.yaml ./yq -i '.kube-scheduler-arg += "bind-address=0.0.0.0"' /etc/rancher/rke2/config.yaml -./yq -i '.listen-metrics-urls = "http://0.0.0.0:2381"' /var/lib/rancher/rke2/server/db/etcd/config +sudo ./yq -i '.listen-metrics-urls = "http://0.0.0.0:2381"' /var/lib/rancher/rke2/server/db/etcd/config rm -rf ./yq } From cafa022a8ea19aecb481a551db716ab62d6c8fbb Mon Sep 17 00:00:00 2001 From: Noah Birrer Date: Wed, 12 Mar 2025 11:23:08 -0400 Subject: [PATCH 059/118] fix etcd args --- .github/test-infra/aws/rke2/scripts/user_data.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/test-infra/aws/rke2/scripts/user_data.sh b/.github/test-infra/aws/rke2/scripts/user_data.sh index e666873525..705750326f 100644 --- a/.github/test-infra/aws/rke2/scripts/user_data.sh +++ b/.github/test-infra/aws/rke2/scripts/user_data.sh @@ -110,7 +110,7 @@ chmod +x yq #Fix for metrics server scraping of kubernetes api server components ./yq -i '.kube-controller-manager-arg[2] = "bind-address=0.0.0.0"' /etc/rancher/rke2/config.yaml ./yq -i '.kube-scheduler-arg += "bind-address=0.0.0.0"' /etc/rancher/rke2/config.yaml -sudo ./yq -i '.listen-metrics-urls = "http://0.0.0.0:2381"' /var/lib/rancher/rke2/server/db/etcd/config +./yq -i '.etcd-arg += "listen-metrics-urls=http://0.0.0.0:2381"|.etcd-arg style="double"' /etc/rancher/rke2/config.yaml rm -rf ./yq } From e02a1b13f0d9886ea8af0ae0a0cd694d9a642534 Mon Sep 17 00:00:00 2001 
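Review bot: `listen-metrics-urls=http://0.0.0.0:2381` publishes the etcd metrics and health endpoint in plaintext, without authentication, on every interface of the control-plane node, which is wider than the scraping use case in the comment needs. Prefer the node's private address or document the network control that contains it, e.g. `# etcd metrics on 0.0.0.0:2381 are plaintext/unauthenticated; reachable only via <security group rule - confirm>`. The `|.etcd-arg style="double"` suffix only changes quoting of the emitted YAML and reads better as its own `./yq -i` call with a comment saying why the style matters.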
From: Noah Birrer Date: Wed, 12 Mar 2025 12:21:36 -0400 Subject: [PATCH 060/118] add eks testing and coredns patch --- .github/workflows/test-aks.yaml | 2 +- .github/workflows/test-eks.yaml | 8 ++++---- tasks/utils.yaml | 14 ++++++++++---- 3 files changed, 15 insertions(+), 9 deletions(-) diff --git a/.github/workflows/test-aks.yaml b/.github/workflows/test-aks.yaml index d5c2cdce17..c4e2f25fd8 100644 --- a/.github/workflows/test-aks.yaml +++ b/.github/workflows/test-aks.yaml @@ -89,7 +89,7 @@ jobs: run: uds run -f tasks/iac.yaml apply-tofu --no-progress --set K8S_DISTRO=aks --set CLOUD=azure - name: Configure Cluster DNS - run: uds run -f tasks/utils.yaml aks-coredns-setup --no-progress + run: uds run -f tasks/utils.yaml coredns-setup --no-progress - name: Deploy Core Bundle env: diff --git a/.github/workflows/test-eks.yaml b/.github/workflows/test-eks.yaml index 5664308a78..a8b41df180 100644 --- a/.github/workflows/test-eks.yaml +++ b/.github/workflows/test-eks.yaml @@ -92,8 +92,8 @@ jobs: run: uds run -f tasks/iac.yaml create-iac --no-progress --set K8S_DISTRO=eks --set CLOUD=aws timeout-minutes: 20 - # - name: Configure Cluster DNS - # run: uds run -f tasks/utils.yaml coredns-setup --no-progress + - name: Configure Cluster DNS + run: uds run -f tasks/utils.yaml coredns-setup --no-progress - name: Deploy Core Bundle env: @@ -101,8 +101,8 @@ jobs: run: uds deploy .github/bundles/eks/uds-bundle-uds-core-eks-nightly-*.tar.zst --confirm timeout-minutes: 30 - # - name: Test UDS Core - # run: uds run -f tasks/test.yaml uds-core-non-k3d --set EXCLUDED_PACKAGES="metrics-server" + - name: Test UDS Core + run: uds run -f tasks/test.yaml uds-core-non-k3d --set EXCLUDED_PACKAGES="metrics-server" - name: Debug Output if: ${{ always() }} diff --git a/tasks/utils.yaml b/tasks/utils.yaml index 7c9b32f322..3e139a9ca9 100644 --- a/tasks/utils.yaml +++ b/tasks/utils.yaml 
@@ -64,7 +64,7 @@ tasks: --from-literal=password=${PASSWORD} \ -n keycloak fi - - name: aks-coredns-setup + - name: coredns-setup actions: - description: Setup Custom ConfigMap for Core DNS cmd: | @@ -95,9 +95,15 @@ tasks: name: allow-prometheus-to-kube-dns namespace: kube-system spec: - podSelector: - matchLabels: - k8s-app: kube-dns + # podSelector: + # matchLabels: + # k8s-app: kube-dns + # endpoint: http-metrics + # matchExpressions: + # - key: job + # operator: In + # values: + # - kube policyTypes: - Ingress ingress: From bdbfa14cdcec8f6be837abe5ec15599fdce36cdc Mon Sep 17 00:00:00 2001 From: Noah Birrer Date: Wed, 12 Mar 2025 13:46:56 -0400 Subject: [PATCH 061/118] eks coredns cm patch --- .github/workflows/test-aks.yaml | 2 +- .github/workflows/test-eks.yaml | 2 +- tasks/utils.yaml | 51 ++++++++++++++++++++++++++------- 3 files changed, 43 insertions(+), 12 deletions(-) diff --git a/.github/workflows/test-aks.yaml b/.github/workflows/test-aks.yaml index c4e2f25fd8..d5c2cdce17 100644 --- a/.github/workflows/test-aks.yaml +++ b/.github/workflows/test-aks.yaml @@ -89,7 +89,7 @@ jobs: run: uds run -f tasks/iac.yaml apply-tofu --no-progress --set K8S_DISTRO=aks --set CLOUD=azure - name: Configure Cluster DNS - run: uds run -f tasks/utils.yaml coredns-setup --no-progress + run: uds run -f tasks/utils.yaml aks-coredns-setup --no-progress - name: Deploy Core Bundle env: diff --git a/.github/workflows/test-eks.yaml b/.github/workflows/test-eks.yaml index a8b41df180..9498b7cdaa 100644 --- a/.github/workflows/test-eks.yaml +++ b/.github/workflows/test-eks.yaml @@ -93,7 +93,7 @@ jobs: timeout-minutes: 20 - name: Configure Cluster DNS - run: uds run -f tasks/utils.yaml coredns-setup --no-progress + run: uds run -f tasks/utils.yaml eks-coredns-setup --no-progress - name: Deploy Core Bundle env: diff --git a/tasks/utils.yaml b/tasks/utils.yaml index 3e139a9ca9..7103f984c7 100644 --- a/tasks/utils.yaml +++ b/tasks/utils.yaml 
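Review bot: Commenting out `podSelector` in the `allow-prometheus-to-kube-dns` NetworkPolicy does not remove the selector; an absent `spec.podSelector` is the empty selector, so the ingress rule now applies to every pod in kube-system rather than only kube-dns, widening what the ingress peers (outside this hunk) may reach. If the kube-dns label differs on EKS, select on that label or use `matchExpressions` on `k8s-app` instead of dropping the selector, and delete the commented block: the `endpoint:` and `job` keys in it are not NetworkPolicy fields and look carried over from a ServiceMonitor. If the widening is intentional for debugging, a comment saying so, with a tracking reference `<issue - fill in>`, belongs above `policyTypes:`.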
@@ -64,7 +64,44 @@ tasks: --from-literal=password=${PASSWORD} \ -n keycloak fi - - name: coredns-setup + - name: eks-coredns-setup + actions: + - description: Setup Custom ConfigMap for Core DNS + cmd: | + uds zarf tools kubectl apply -f - < Date: Wed, 12 Mar 2025 13:47:06 -0400 Subject: [PATCH 062/118] rke2 components update --- .github/test-infra/aws/rke2/scripts/user_data.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/test-infra/aws/rke2/scripts/user_data.sh b/.github/test-infra/aws/rke2/scripts/user_data.sh index 705750326f..41bd29ea30 100644 --- a/.github/test-infra/aws/rke2/scripts/user_data.sh +++ b/.github/test-infra/aws/rke2/scripts/user_data.sh @@ -50,7 +50,7 @@ metadata: spec: chart: longhorn repo: https://charts.longhorn.io - version: 1.7.1 + version: 1.8.1 targetNamespace: kube-system EOM @@ -78,7 +78,7 @@ metadata: spec: chart: aws-load-balancer-controller repo: https://aws.github.io/eks-charts - version: 1.11.0 + version: 1.12.0 targetNamespace: kube-system valuesContent: |- clusterName: ${cluster_name} From bfc93757613c56b3169ba1e7479ce56c04e9b438 Mon Sep 17 00:00:00 2001 From: Noah Birrer Date: Thu, 13 Mar 2025 08:55:51 -0400 Subject: [PATCH 063/118] ignore e2e test failures on eks --- .github/workflows/test-eks.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/test-eks.yaml b/.github/workflows/test-eks.yaml index 9498b7cdaa..a7d7977b3f 100644 --- a/.github/workflows/test-eks.yaml +++ b/.github/workflows/test-eks.yaml @@ -103,6 +103,7 @@ jobs: - name: Test UDS Core run: uds run -f tasks/test.yaml uds-core-non-k3d --set EXCLUDED_PACKAGES="metrics-server" + continue-on-error: true - name: Debug Output if: ${{ always() }} From 7c291e4e9fa76b176be164c376bf15ea7ae215a7 Mon Sep 17 00:00:00 2001 
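Review bot: `continue-on-error: true` on the Test UDS Core step turns every e2e failure on EKS into a green job, so the nightly signal this series just enabled is lost exactly where it was added. If the failures are known and tracked, say so in a comment with the tracking reference `# e2e failures on EKS tolerated until <issue - fill in>` and gate the tolerance, e.g. `continue-on-error: ${{ github.event_name == 'workflow_dispatch' }}`; otherwise keep the step failing and exclude only the known-bad packages through the `EXCLUDED_PACKAGES` set already passed on the run line.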
From: Noah Birrer Date: Thu, 13 Mar 2025 11:06:43 -0400 Subject: [PATCH 064/118] switch to local path provisioner --- .../test-infra/aws/rke2/scripts/user_data.sh | 149 ++++++++++++++---- 1 file changed, 122 insertions(+), 27 deletions(-) diff --git a/.github/test-infra/aws/rke2/scripts/user_data.sh b/.github/test-infra/aws/rke2/scripts/user_data.sh index 41bd29ea30..83accb3814 100644 --- a/.github/test-infra/aws/rke2/scripts/user_data.sh +++ b/.github/test-infra/aws/rke2/scripts/user_data.sh 
@@ -39,37 +39,132 @@ spec: - --v=2 - --cloud-provider=aws EOM - -#longhorn helm values: https://github.com/longhorn/longhorn/tree/master/chart -cat > /var/lib/rancher/rke2/server/manifests/01-longhorn.yaml << EOM -apiVersion: helm.cattle.io/v1 -kind: HelmChart +cat > /var/lib/rancher/rke2/server/manifests/01-local-path-provisioner.yaml << EOM +--- +# Source: uds-dev-stack/templates/localpath-rwx.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: local-path-provisioner-service-account + namespace: kube-system +--- +# Source: uds-dev-stack/templates/localpath-rwx.yaml +kind: ConfigMap +apiVersion: v1 +metadata: + name: local-path-config + namespace: kube-system +data: + config.json: |- + { + "sharedFileSystemPath": "/opt/local-path-provisioner-rwx" + } + setup: |- + #!/bin/sh + set -eu + mkdir -m 0777 -p "$VOL_DIR" + teardown: |- + #!/bin/sh + set -eu + rm -rf "$VOL_DIR" + helperPod.yaml: |- + apiVersion: v1 + kind: Pod + metadata: + name: helper-pod + spec: + containers: + - name: helper-pod + image: busybox + imagePullPolicy: IfNotPresent +--- +# Source: uds-dev-stack/templates/localpath-rwx.yaml +apiVersion: storage.k8s.io/v1 +kind: StorageClass +metadata: + name: local-path + annotations: + storageclass.kubernetes.io/is-default-class: "true" +provisioner: rancher.io/local-path +volumeBindingMode: WaitForFirstConsumer +reclaimPolicy: Delete +allowVolumeExpansion: true +--- +# Source: uds-dev-stack/templates/localpath-rwx.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: local-path-provisioner-role +rules: + - apiGroups: [ "" ] + resources: [ "nodes", "persistentvolumeclaims", "configmaps" ] + verbs: [ "get", "list", "watch" ] + - apiGroups: [ "" ] + resources: [ "endpoints", "persistentvolumes", "pods" ] + verbs: [ "*" ] + - apiGroups: [ "" ] + resources: [ "events" ] + verbs: [ "create", "patch" ] + - apiGroups: [ "storage.k8s.io" ] + resources: [ "storageclasses" ] + verbs: [ "get", "list", "watch" ] +--- +# Source: 
uds-dev-stack/templates/localpath-rwx.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding metadata: - name: longhorn + name: local-path-provisioner-bind +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: local-path-provisioner-role +subjects: + - kind: ServiceAccount + name: local-path-provisioner-service-account + namespace: kube-system +--- +# Source: uds-dev-stack/templates/localpath-rwx.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: local-path-provisioner namespace: kube-system spec: - chart: longhorn - repo: https://charts.longhorn.io - version: 1.8.1 - targetNamespace: kube-system + replicas: 1 + selector: + matchLabels: + app: local-path-provisioner + template: + metadata: + labels: + app: local-path-provisioner + spec: + serviceAccountName: local-path-provisioner-service-account + containers: + - name: local-path-provisioner + image: rancher/local-path-provisioner:v0.0.31 + imagePullPolicy: IfNotPresent + command: + - local-path-provisioner + - --debug + - start + - --config + - /etc/config/config.json + volumeMounts: + - name: config-volume + mountPath: /etc/config/ + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + volumes: + - name: config-volume + configMap: + name: local-path-config EOM - -# #metallb helm values: https://github.com/metallb/metallb/tree/main/charts/metallb -# cat > /var/lib/rancher/rke2/server/manifests/02-metallb.yaml << EOM -# apiVersion: helm.cattle.io/v1 -# kind: HelmChart -# metadata: -# name: metallb -# namespace: kube-system -# spec: -# chart: metallb -# repo: https://metallb.github.io/metallb -# version: 0.14.9 -# targetNamespace: kube-system -# EOM - # aws lb controller helm values: https://github.com/kubernetes-sigs/aws-load-balancer-controller/tree/main/helm/aws-load-balancer-controller#configuration -cat > /var/lib/rancher/rke2/server/manifests/02-lb-controller.yaml << EOM +cat > 
/var/lib/rancher/rke2/server/manifests/03-lb-controller.yaml << EOM apiVersion: helm.cattle.io/v1 kind: HelmChart metadata: @@ -78,7 +173,7 @@ metadata: spec: chart: aws-load-balancer-controller repo: https://aws.github.io/eks-charts - version: 1.12.0 + version: 1.11.0 targetNamespace: kube-system valuesContent: |- clusterName: ${cluster_name} From 1b1d7a9eb8c9944b4ab76ae2841b410c47630c8a Mon Sep 17 00:00:00 2001 From: Noah Birrer Date: Thu, 13 Mar 2025 11:52:14 -0400 Subject: [PATCH 065/118] dont expand vars --- .github/test-infra/aws/rke2/scripts/user_data.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/test-infra/aws/rke2/scripts/user_data.sh b/.github/test-infra/aws/rke2/scripts/user_data.sh index 83accb3814..c0148f2bb7 100644 --- a/.github/test-infra/aws/rke2/scripts/user_data.sh +++ b/.github/test-infra/aws/rke2/scripts/user_data.sh @@ -39,7 +39,7 @@ spec: - --v=2 - --cloud-provider=aws EOM -cat > /var/lib/rancher/rke2/server/manifests/01-local-path-provisioner.yaml << EOM +cat > /var/lib/rancher/rke2/server/manifests/01-local-path-provisioner.yaml << 'EOM' --- # Source: uds-dev-stack/templates/localpath-rwx.yaml apiVersion: v1 From bdf747c56f7f1b7252dfabbb5a9f6044bbaca160 Mon Sep 17 00:00:00 2001 From: Noah Birrer Date: Thu, 13 Mar 2025 15:54:16 -0400 Subject: [PATCH 066/118] selinux fix for local path provisioner rke2 --- .../test-infra/aws/rke2/scripts/user_data.sh | 28 +++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/.github/test-infra/aws/rke2/scripts/user_data.sh b/.github/test-infra/aws/rke2/scripts/user_data.sh index c0148f2bb7..ec726aa6a9 100644 --- a/.github/test-infra/aws/rke2/scripts/user_data.sh +++ b/.github/test-infra/aws/rke2/scripts/user_data.sh 
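Review bot: The helper pod in the `local-path-config` ConfigMap uses `image: busybox` with no tag or digest while the provisioner itself is pinned to `rancher/local-path-provisioner:v0.0.31`, so the setup/teardown scripts run under whatever `latest` resolves to when the node bootstraps; pin it as `image: busybox:<pinned tag or @sha256 digest>`. The `local-path-provisioner-role` ClusterRole grants `verbs: ["*"]` on `endpoints`, `persistentvolumes` and `pods` cluster-wide, and the setup script creates world-writable directories with `mkdir -m 0777`; both appear to be copied from the chart named in the `# Source:` comments, but a comment stating they are intentionally broad would stop a later reader from tightening or loosening them blindly. This patch's second hunk moves the load-balancer controller chart back from 1.12.0 to 1.11.0 without explanation; if deliberate, the commit message or a comment should say why. The heredoc is unquoted here, so the `$VOL_DIR` references expand at write time; I see the following patch addresses that.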
@@ -185,12 +185,40 @@ curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip unzip awscliv2.zip sudo ./aws/install +echo "Modifying selinux permissions for local path provisioner" +cat > /root/localpathpolicy.te << EOM +module localpathpolicy 1.0; + +require { + type usr_t; + type init_t; + type container_t; + type container_var_lib_t; + class dir { search write add_name create remove_name rmdir setattr getattr }; + class file { create open write append read unlink setattr getattr }; +} + +#============= container_t ============== +allow container_t container_var_lib_t:file { create open write append read setattr getattr unlink }; +allow container_t container_var_lib_t:dir { add_name create remove_name rmdir setattr write search }; +allow container_t init_t:dir search; +allow container_t usr_t:dir { add_name create remove_name rmdir setattr getattr write }; +allow container_t usr_t:file { create unlink write setattr getattr }; +allow container_t init_t:file { read open }; +EOM +checkmodule -M -m -o /root/localpathpolicy.mod /root/localpathpolicy.te +semodule_package -o /root/localpathpolicy.pp -m /root/localpathpolicy.mod +semodule -i /root/localpathpolicy.pp +semanage fcontext -a -t container_file_t "/opt/local-path-provisioner-rwx(/.*)?" +restorecon -R -v /opt/local-path-provisioner-rwx + echo "Getting OIDC keypair" sudo mkdir /irsa sudo chown ec2-user:ec2-user /irsa aws secretsmanager get-secret-value --secret-id ${secret_prefix}-oidc-private-key | jq -r '.SecretString' > /irsa/signer.key aws secretsmanager get-secret-value --secret-id ${secret_prefix}-oidc-public-key | jq -r '.SecretString' > /irsa/signer.key.pub chcon -t svirt_sandbox_file_t /irsa/* +chcon -Rt container_file_t /opt/local-path-provisioner-rwx info "Setting up RKE2 config file" curl -L https://github.com/mikefarah/yq/releases/download/v4.40.4/yq_linux_amd64 -o yq From c097ba90080c2af63036dcdddc032b0d7fb26753 Mon Sep 17 00:00:00 2001 
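Review bot: The custom policy module grants far more than the provisioner needs: `allow container_t usr_t:dir { add_name create remove_name rmdir setattr getattr write }` and `allow container_t usr_t:file { create unlink write setattr getattr }` let every container on the node create and delete files under any usr_t-labelled path (which by default includes /usr and /opt), and the container_var_lib_t and init_t rules likewise apply to all of container_t, not just the helper pod. The `semanage fcontext -a -t container_file_t "/opt/local-path-provisioner-rwx(/.*)?"` plus `restorecon` lines at the end are the targeted fix and are likely sufficient on their own, provided the directory exists before restorecon runs; I would drop the `.te` module, or at minimum the usr_t and init_t rules, and keep only the relabel. `checkmodule`/`semodule_package`/`semanage` come from policy tooling packages that the install step above does not add, so the block also needs an install or a guard, and the later `chcon -Rt container_file_t /opt/local-path-provisioner-rwx` is redundant once the fcontext rule exists.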
From: Noah Birrer Date: Fri, 14 Mar 2025 10:30:08 -0400 Subject: [PATCH 067/118] install longhorn --- .../test-infra/aws/rke2/scripts/user_data.sh | 171 ++---------------- tasks/iac.yaml | 2 +- 2 files changed, 20 insertions(+), 153 deletions(-) diff --git a/.github/test-infra/aws/rke2/scripts/user_data.sh b/.github/test-infra/aws/rke2/scripts/user_data.sh index ec726aa6a9..bb1c14fb80 100644 --- a/.github/test-infra/aws/rke2/scripts/user_data.sh +++ b/.github/test-infra/aws/rke2/scripts/user_data.sh 
@@ -39,132 +39,9 @@ spec: - --v=2 - --cloud-provider=aws EOM -cat > /var/lib/rancher/rke2/server/manifests/01-local-path-provisioner.yaml << 'EOM' ---- -# Source: uds-dev-stack/templates/localpath-rwx.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: local-path-provisioner-service-account - namespace: kube-system ---- -# Source: uds-dev-stack/templates/localpath-rwx.yaml -kind: ConfigMap -apiVersion: v1 -metadata: - name: local-path-config - namespace: kube-system -data: - config.json: |- - { - "sharedFileSystemPath": "/opt/local-path-provisioner-rwx" - } - setup: |- - #!/bin/sh - set -eu - mkdir -m 0777 -p "$VOL_DIR" - teardown: |- - #!/bin/sh - set -eu - rm -rf "$VOL_DIR" - helperPod.yaml: |- - apiVersion: v1 - kind: Pod - metadata: - name: helper-pod - spec: - containers: - - name: helper-pod - image: busybox - imagePullPolicy: IfNotPresent ---- -# Source: uds-dev-stack/templates/localpath-rwx.yaml -apiVersion: storage.k8s.io/v1 -kind: StorageClass -metadata: - name: local-path - annotations: - storageclass.kubernetes.io/is-default-class: "true" -provisioner: rancher.io/local-path -volumeBindingMode: WaitForFirstConsumer -reclaimPolicy: Delete -allowVolumeExpansion: true ---- -# Source: uds-dev-stack/templates/localpath-rwx.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: local-path-provisioner-role -rules: - - apiGroups: [ "" ] - resources: [ "nodes", "persistentvolumeclaims", "configmaps" ] - verbs: [ "get", "list", "watch" ] - - apiGroups: [ "" ] - resources: [ "endpoints", "persistentvolumes", "pods" ] - verbs: [ "*" ] - - apiGroups: [ "" ] - resources: [ "events" ] - verbs: [ "create", "patch" ] - - apiGroups: [ "storage.k8s.io" ] - resources: [ "storageclasses" ] - verbs: [ "get", "list", "watch" ] ---- -# Source: uds-dev-stack/templates/localpath-rwx.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: local-path-provisioner-bind -roleRef: - apiGroup: 
rbac.authorization.k8s.io - kind: ClusterRole - name: local-path-provisioner-role -subjects: - - kind: ServiceAccount - name: local-path-provisioner-service-account - namespace: kube-system ---- -# Source: uds-dev-stack/templates/localpath-rwx.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: local-path-provisioner - namespace: kube-system -spec: - replicas: 1 - selector: - matchLabels: - app: local-path-provisioner - template: - metadata: - labels: - app: local-path-provisioner - spec: - serviceAccountName: local-path-provisioner-service-account - containers: - - name: local-path-provisioner - image: rancher/local-path-provisioner:v0.0.31 - imagePullPolicy: IfNotPresent - command: - - local-path-provisioner - - --debug - - start - - --config - - /etc/config/config.json - volumeMounts: - - name: config-volume - mountPath: /etc/config/ - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - volumes: - - name: config-volume - configMap: - name: local-path-config -EOM + # aws lb controller helm values: https://github.com/kubernetes-sigs/aws-load-balancer-controller/tree/main/helm/aws-load-balancer-controller#configuration -cat > /var/lib/rancher/rke2/server/manifests/03-lb-controller.yaml << EOM +cat > /var/lib/rancher/rke2/server/manifests/01-lb-controller.yaml << EOM apiVersion: helm.cattle.io/v1 kind: HelmChart metadata: 
@@ -179,39 +56,29 @@ spec: clusterName: ${cluster_name} EOM +#longhorn helm values: https://github.com/longhorn/longhorn/tree/master/chart +cat > /var/lib/rancher/rke2/server/manifests/02-longhorn.yaml << EOM +apiVersion: helm.cattle.io/v1 +kind: HelmChart +metadata: + name: longhorn + namespace: kube-system +spec: + chart: longhorn + repo: https://charts.longhorn.io + version: 1.8.1 + targetNamespace: kube-system + valuesContent: |- + defaultSettings: + deletingConfirmationFlag: true +EOM + info "Installing awscli" yum install -y unzip jq || apt-get -y install unzip jq curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip" unzip awscliv2.zip sudo ./aws/install -echo "Modifying selinux permissions for local path provisioner" -cat > /root/localpathpolicy.te << EOM -module localpathpolicy 1.0; - -require { - type usr_t; - type init_t; - type container_t; - type container_var_lib_t; - class dir { search write add_name create remove_name rmdir setattr getattr }; - class file { create open write append read unlink setattr getattr }; -} - -#============= container_t ============== -allow container_t container_var_lib_t:file { create open write append read setattr getattr unlink }; -allow container_t container_var_lib_t:dir { add_name create remove_name rmdir setattr write search }; -allow container_t init_t:dir search; -allow container_t usr_t:dir { add_name create remove_name rmdir setattr getattr write }; -allow container_t usr_t:file { create unlink write setattr getattr }; -allow container_t init_t:file { read open }; -EOM -checkmodule -M -m -o /root/localpathpolicy.mod /root/localpathpolicy.te -semodule_package -o /root/localpathpolicy.pp -m /root/localpathpolicy.mod -semodule -i /root/localpathpolicy.pp -semanage fcontext -a -t container_file_t "/opt/local-path-provisioner-rwx(/.*)?" -restorecon -R -v /opt/local-path-provisioner-rwx - echo "Getting OIDC keypair" sudo mkdir /irsa sudo chown ec2-user:ec2-user /irsa 
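Review bot: `deletingConfirmationFlag: true` deserves a comment inside the heredoc, since it is the Longhorn setting that permits the chart to be uninstalled (and with it the volumes to be destroyed); a reader without Longhorn background will not know why a cluster sets it, so something like `# allows Longhorn to be uninstalled on teardown (destroys volumes) - test infra only` belongs above it. Longhorn also expects an iSCSI initiator on every node, and the package step below only installs `unzip jq`; unless the AMI already ships it, `yum install -y iscsi-initiator-utils || apt-get -y install open-iscsi` should sit next to that line or the manager pods will not come up. The heredoc is unquoted, which is harmless today because the body has no `$`, but `<< 'EOM'` would match the earlier local-path manifest and avoid surprises when values are added.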
diff --git a/tasks/iac.yaml b/tasks/iac.yaml index 28a2b8d288..d9d9fc731c 100644 --- a/tasks/iac.yaml +++ b/tasks/iac.yaml @@ -122,7 +122,7 @@ tasks: done # wait for cluster components while true; do - if [ $(uds zarf tools kubectl get po,job -A --no-headers=true | egrep -v 'Running|Complete' | wc -l) -gt 0 ]; then + if [ $(uds zarf tools kubectl get po,job -A --no-headers=true | egrep -v 'helm-install|Running|Complete' | wc -l) -gt 0 ]; then echo "Waiting for cluster components to be ready..."; sleep 5; else From 7e885adaf5d9b50163da50b2ada4c831d8d73c44 Mon Sep 17 00:00:00 2001 From: Noah Birrer Date: Fri, 14 Mar 2025 11:30:26 -0400 Subject: [PATCH 068/118] no longhorn ui replicas --- .github/test-infra/aws/rke2/scripts/user_data.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/test-infra/aws/rke2/scripts/user_data.sh b/.github/test-infra/aws/rke2/scripts/user_data.sh index bb1c14fb80..3b4e3b451e 100644 --- a/.github/test-infra/aws/rke2/scripts/user_data.sh +++ b/.github/test-infra/aws/rke2/scripts/user_data.sh @@ -71,6 +71,8 @@ spec: valuesContent: |- defaultSettings: deletingConfirmationFlag: true + longhornUI: + replicas: 0 EOM info "Installing awscli" From 5368bb4e5c93b53d6240c962d75b7ca60b396c48 Mon Sep 17 00:00:00 2001 From: Noah Birrer Date: Fri, 14 Mar 2025 14:17:35 -0400 Subject: [PATCH 069/118] rm `chcon` command for local path provisioner --- .github/test-infra/aws/rke2/scripts/user_data.sh | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/test-infra/aws/rke2/scripts/user_data.sh b/.github/test-infra/aws/rke2/scripts/user_data.sh index 3b4e3b451e..b3b0620bcc 100644 --- a/.github/test-infra/aws/rke2/scripts/user_data.sh +++ b/.github/test-infra/aws/rke2/scripts/user_data.sh 
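Review bot: Adding `helm-install` to the `egrep -v` exclusion hides the helm-install pods and jobs entirely, so a chart job that ends in `Error` or exhausts its backoff no longer blocks the gate and the workflow proceeds against a cluster where Longhorn or the LB controller never installed. If the motivation is that job rows print completions rather than a status word, filter on that instead, e.g. `egrep -v 'Running|Complete|helm-install-.*1/1'`, so only finished installs are dropped. Separately, when kubectl itself fails the `$(...)` expands to nothing and `[ -gt 0 ]` is a shell error rather than a retry; capturing into a variable and testing `[ "${count:-1}" -gt 0 ]` keeps the loop alive.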
@@ -87,7 +87,6 @@ sudo chown ec2-user:ec2-user /irsa aws secretsmanager get-secret-value --secret-id ${secret_prefix}-oidc-private-key | jq -r '.SecretString' > /irsa/signer.key aws secretsmanager get-secret-value --secret-id ${secret_prefix}-oidc-public-key | jq -r '.SecretString' > /irsa/signer.key.pub chcon -t svirt_sandbox_file_t /irsa/* -chcon -Rt container_file_t /opt/local-path-provisioner-rwx info "Setting up RKE2 config file" curl -L https://github.com/mikefarah/yq/releases/download/v4.40.4/yq_linux_amd64 -o yq From ef34cf65a61dc869897cf23b10f03ce33553aaab Mon Sep 17 00:00:00 2001 From: Noah Birrer Date: Tue, 25 Mar 2025 10:42:59 -0400 Subject: [PATCH 070/118] allow passthrough gw validation to be bypassed --- src/istio/tasks.yaml | 3 ++- tasks/test.yaml | 14 ++++++++++++-- 2 files changed, 14 insertions(+), 3 deletions(-) diff --git a/src/istio/tasks.yaml b/src/istio/tasks.yaml index 3f28024a3a..222ceebd75 100644 --- a/src/istio/tasks.yaml +++ b/src/istio/tasks.yaml @@ -6,7 +6,8 @@ tasks: inputs: validate_passthrough: description: Whether to validate the passthrough gateway - default: "false" + default: "true" + actions: - description: Validate the Istio Admin Gateway wait: diff --git a/tasks/test.yaml b/tasks/test.yaml index 3b01934859..e47d6b427b 100644 --- a/tasks/test.yaml +++ b/tasks/test.yaml 
@@ -58,12 +58,20 @@ tasks: - name: validate-packages description: "Validate all packages" - # loop through each src/* package and run the validate.yaml task + inputs: + # Added to support bypassing passthrough gateway validation on non-k3d distributions. + validate_passthrough: + description: Whether to validate the passthrough gateway. + default: "true" + # loop through each src/* package and run the validate.yaml task actions: - cmd: | for package in $(ls src); do if [ ! $(echo ${EXCLUDED_PACKAGES} | grep ${package}) ]; then - uds run -f src/${package}/tasks.yaml validate --no-progress + if [ "${package}" == "istio" ]; then + uds run -f src/${package}/tasks.yaml validate --no-progress --with validate_passthrough=${{ .inputs.validate_passthrough }} + fi + uds run -f src/${package}/tasks.yaml validate --no-progress fi done set +e @@ -133,6 +141,8 @@ tasks: actions: - task: util:setup-hosts - task: validate-packages + with: + validate_passthrough: "false" - task: e2e-tests with: architecture: "amd64" From a9a68acd455c380e7aaef1c549b98dcec77f678e Mon Sep 17 00:00:00 2001 From: Noah Birrer Date: Tue, 25 Mar 2025 12:57:29 -0400 Subject: [PATCH 071/118] add renovate config for rke2 helmcharts --- .github/test-infra/aws/rke2/scripts/user_data.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/test-infra/aws/rke2/scripts/user_data.sh b/.github/test-infra/aws/rke2/scripts/user_data.sh index b3b0620bcc..e0e55224b6 100644 --- a/.github/test-infra/aws/rke2/scripts/user_data.sh +++ b/.github/test-infra/aws/rke2/scripts/user_data.sh @@ -50,6 +50,7 @@ metadata: spec: chart: aws-load-balancer-controller repo: https://aws.github.io/eks-charts + # renovate: datasource=helm depName=aws-load-balancer-controller versioning=helm registryUrl=https://aws.github.io/eks-charts version: 1.11.0 targetNamespace: kube-system valuesContent: |- 
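Review bot: The istio branch in `validate-packages` falls through: after `uds run -f src/${package}/tasks.yaml validate --no-progress --with validate_passthrough=${{ .inputs.validate_passthrough }}` there is no `else`, so the unconditional `uds run -f src/${package}/tasks.yaml validate --no-progress` on the next line runs istio validation a second time with the default of `"true"`, which re-enables the passthrough check the input was meant to bypass and doubles the runtime. Make it `if [ "${package}" == "istio" ]; then <run with --with>; else uds run -f src/${package}/tasks.yaml validate --no-progress; fi`. The `set +e` at the end is context and its `set -e` counterpart is outside the hunk.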
@@ -66,6 +67,7 @@ metadata: spec: chart: longhorn repo: https://charts.longhorn.io + # renovate: datasource=helm depName=longhorn versioning=helm registryUrl=https://charts.longhorn.io version: 1.8.1 targetNamespace: kube-system valuesContent: |- From 6ca953b1d59c31eb241b1ecd1c79006afbb6541b Mon Sep 17 00:00:00 2001 From: Noah Birrer Date: Tue, 25 Mar 2025 16:12:47 -0400 Subject: [PATCH 072/118] add renovate config for rke2 helmcharts --- .../aws/rke2/scripts/helmchart-template.yaml | 56 ++++++++++++++++ .../test-infra/aws/rke2/scripts/user_data.sh | 64 +------------------ 2 files changed, 59 insertions(+), 61 deletions(-) create mode 100644 .github/test-infra/aws/rke2/scripts/helmchart-template.yaml diff --git a/.github/test-infra/aws/rke2/scripts/helmchart-template.yaml b/.github/test-infra/aws/rke2/scripts/helmchart-template.yaml new file mode 100644 index 0000000000..20ee821577 --- /dev/null +++ b/.github/test-infra/aws/rke2/scripts/helmchart-template.yaml 
@@ -0,0 +1,56 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + +apiVersion: helm.cattle.io/v1 +kind: HelmChart +metadata: + name: aws-cloud-controller-manager + namespace: kube-system +spec: + chart: aws-cloud-controller-manager + repo: https://kubernetes.github.io/cloud-provider-aws + # renovate: datasource=helm depName=aws-cloud-controller-manager versioning=helm registryUrl=https://kubernetes.github.io/cloud-provider-aws + version: 0.0.8 + targetNamespace: kube-system + bootstrap: true + valuesContent: |- + nodeSelector: + node-role.kubernetes.io/control-plane: "true" + hostNetworking: true + args: + - --configure-cloud-routes=false + - --v=2 + - --cloud-provider=aws +--- +# aws lb controller helm values: https://github.com/kubernetes-sigs/aws-load-balancer-controller/tree/main/helm/aws-load-balancer-controller#configuration +apiVersion: helm.cattle.io/v1 +kind: HelmChart +metadata: + name: aws-load-balancer-controller + namespace: kube-system +spec: + chart: aws-load-balancer-controller + repo: https://aws.github.io/eks-charts + # renovate: datasource=helm depName=aws-load-balancer-controller versioning=helm registryUrl=https://aws.github.io/eks-charts + version: 1.12.0 + targetNamespace: kube-system + valuesContent: |- + clusterName: ${CLUSTER_NAME} +--- +#longhorn helm values: https://github.com/longhorn/longhorn/tree/master/chart +apiVersion: helm.cattle.io/v1 +kind: HelmChart +metadata: + name: longhorn + namespace: kube-system +spec: + chart: longhorn + repo: https://charts.longhorn.io + # renovate: datasource=helm depName=longhorn versioning=helm registryUrl=https://charts.longhorn.io + version: 1.8.1 + targetNamespace: kube-system + valuesContent: |- + defaultSettings: + deletingConfirmationFlag: true + longhornUI: + replicas: 0 diff --git a/.github/test-infra/aws/rke2/scripts/user_data.sh b/.github/test-infra/aws/rke2/scripts/user_data.sh index e0e55224b6..786f8e4ccb 100644 
--- a/.github/test-infra/aws/rke2/scripts/user_data.sh +++ b/.github/test-infra/aws/rke2/scripts/user_data.sh 
@@ -8,74 +8,16 @@ info() { export CCM="${ccm}" export CCM_EXTERNAL="${ccm_external}" +export CLUSTER_NAME="${cluster_name}" ############################### ### pre userdata ############################### pre_userdata() { info "Beginning user defined pre userdata" - -# add aws cloud controller -info "Adding AWS cloud provider manifest." +info "Create HelmChart Resources." mkdir -p /var/lib/rancher/rke2/server/manifests -cat > /var/lib/rancher/rke2/server/manifests/00-aws-ccm.yaml << EOM -apiVersion: helm.cattle.io/v1 -kind: HelmChart -metadata: - name: aws-cloud-controller-manager - namespace: kube-system -spec: - chart: aws-cloud-controller-manager - repo: https://kubernetes.github.io/cloud-provider-aws - version: 0.0.8 - targetNamespace: kube-system - bootstrap: true - valuesContent: |- - nodeSelector: - node-role.kubernetes.io/control-plane: "true" - hostNetworking: true - args: - - --configure-cloud-routes=false - - --v=2 - - --cloud-provider=aws -EOM - -# aws lb controller helm values: https://github.com/kubernetes-sigs/aws-load-balancer-controller/tree/main/helm/aws-load-balancer-controller#configuration -cat > /var/lib/rancher/rke2/server/manifests/01-lb-controller.yaml << EOM -apiVersion: helm.cattle.io/v1 -kind: HelmChart -metadata: - name: aws-load-balancer-controller - namespace: kube-system -spec: - chart: aws-load-balancer-controller - repo: https://aws.github.io/eks-charts - # renovate: datasource=helm depName=aws-load-balancer-controller versioning=helm registryUrl=https://aws.github.io/eks-charts - version: 1.11.0 - targetNamespace: kube-system - valuesContent: |- - clusterName: ${cluster_name} -EOM - -#longhorn helm values: https://github.com/longhorn/longhorn/tree/master/chart -cat > /var/lib/rancher/rke2/server/manifests/02-longhorn.yaml << EOM -apiVersion: helm.cattle.io/v1 -kind: HelmChart -metadata: - name: longhorn - namespace: kube-system -spec: - chart: longhorn - repo: https://charts.longhorn.io - # renovate: datasource=helm 
depName=longhorn versioning=helm registryUrl=https://charts.longhorn.io - version: 1.8.1 - targetNamespace: kube-system - valuesContent: |- - defaultSettings: - deletingConfirmationFlag: true - longhornUI: - replicas: 0 -EOM +envsubst < helmchart-template.yaml > /var/lib/rancher/rke2/server/manifests/00-helmcharts.yaml info "Installing awscli" yum install -y unzip jq || apt-get -y install unzip jq From 163f022a4a06ea60385d828893893c0a1fbca824 Mon Sep 17 00:00:00 2001 From: Noah Birrer Date: Tue, 25 Mar 2025 16:35:31 -0400 Subject: [PATCH 073/118] update wait for rke2 cluster ready logic --- tasks/iac.yaml | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/tasks/iac.yaml b/tasks/iac.yaml index d9d9fc731c..bc40bc1243 100644 --- a/tasks/iac.yaml +++ b/tasks/iac.yaml @@ -111,10 +111,10 @@ tasks: actions: - task: rke2-nodes-ready - cmd: | - # wait for at least 3 nodes + # wait for nodes to be ready while true; do - if [ $(uds zarf tools kubectl get nodes -o jsonpath='{range .items[*]}{.status.conditions[-1].type}={.status.conditions[-1].status}{"\n"}{end}' | egrep -i '^ready.*true' | wc -l) -lt 3 ]; then - echo "Waiting for at least 3 nodes to be ready..."; + if [ $(uds zarf tools kubectl get nodes -o jsonpath='{range .items[*]}{.status.conditions[-1].type}={.status.conditions[-1].status}{"\n"}{end}' | egrep -i '^ready.*true' | wc -l) -lt 4 ]; then + echo "Waiting for all cluster nodes to be ready..."; sleep 5; else break @@ -122,6 +122,12 @@ tasks: done # wait for cluster components while true; do + if [ $(uds zarf tools kubectl get po -n kube-system -l batch.kubernetes.io/controller-uid --no-headers | egrep -v Completed) | wc -l) -gt 0 ]; then + echo "Waiting for Helm Controller to install cluster components..." + sleep 5; + fi + done + while true; do if [ $(uds zarf tools kubectl get po,job -A --no-headers=true | egrep -v 'helm-install|Running|Complete' | wc -l) -gt 0 ]; then echo "Waiting for cluster components to be ready..."; sleep 5; 
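Review bot: `envsubst < helmchart-template.yaml` reads from the node's current working directory, but nothing in this script or the Terraform inputs visible here puts `helmchart-template.yaml` on the instance (it is a repository file), so at boot this yields an empty or missing `00-helmcharts.yaml` and none of the CCM, LB controller or Longhorn charts get installed. The template content has to reach the node, for example via a templatefile variable, and `envsubst` itself comes from gettext, which the `yum install -y unzip jq` line below does not add. Restrict substitution to the one intended variable as well, `envsubst '$${CLUSTER_NAME}' < helmchart-template.yaml` (double `$$` because this file is a Terraform template), otherwise every `$name` that later appears in chart values or CoreDNS rules is silently replaced with an empty environment value.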
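Review bot: The new `while true; do if [ ... ]; then echo ...; sleep 5; fi; done` loop has no exit path: when the condition is false it neither breaks nor sleeps, so `rke2-cluster-ready` spins forever and never reaches the second loop. It needs `else break; fi` like the loop below it. The expression `egrep -v Completed) | wc -l)` also has an unbalanced `)` that bash rejects before the loop runs; the following commit fixes the parenthesis but not the missing break. The change from `-lt 3` to `-lt 4` in the first hunk hard-codes the node count a second time; reading it from a task input or the Terraform output would keep the two in sync.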
@@ -130,7 +136,6 @@ tasks: break fi done - #uds zarf tools kubectl apply -f ./metallb.yaml - task: util:rke2-coredns-setup - task: util:rke2-allow-prom-kube-dns dir: .github/test-infra/aws/rke2/ From 424b22ba10a8816a3675a4f2458053258b62b1f0 Mon Sep 17 00:00:00 2001 From: Noah Birrer Date: Tue, 25 Mar 2025 16:54:23 -0400 Subject: [PATCH 074/118] lint fix; bash syntax fix --- src/istio/tasks.yaml | 2 +- tasks/iac.yaml | 4 ++-- tasks/test.yaml | 6 +++--- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/src/istio/tasks.yaml b/src/istio/tasks.yaml index 222ceebd75..47a7a48c1c 100644 --- a/src/istio/tasks.yaml +++ b/src/istio/tasks.yaml @@ -7,7 +7,7 @@ tasks: validate_passthrough: description: Whether to validate the passthrough gateway default: "true" - + actions: - description: Validate the Istio Admin Gateway wait: diff --git a/tasks/iac.yaml b/tasks/iac.yaml index bc40bc1243..b0341cf06b 100644 --- a/tasks/iac.yaml +++ b/tasks/iac.yaml @@ -122,12 +122,12 @@ tasks: done # wait for cluster components while true; do - if [ $(uds zarf tools kubectl get po -n kube-system -l batch.kubernetes.io/controller-uid --no-headers | egrep -v Completed) | wc -l) -gt 0 ]; then + if [ $(uds zarf tools kubectl get po -n kube-system -l batch.kubernetes.io/controller-uid --no-headers | egrep -v Completed | wc -l) -gt 0 ]; then echo "Waiting for Helm Controller to install cluster components..." sleep 5; fi done - while true; do + while true; do if [ $(uds zarf tools kubectl get po,job -A --no-headers=true | egrep -v 'helm-install|Running|Complete' | wc -l) -gt 0 ]; then echo "Waiting for cluster components to be ready..."; sleep 5; diff --git a/tasks/test.yaml b/tasks/test.yaml index e47d6b427b..91606e4abf 100644 --- a/tasks/test.yaml +++ b/tasks/test.yaml 
@@ -63,15 +63,15 @@ tasks: validate_passthrough: description: Whether to validate the passthrough gateway. default: "true" - # loop through each src/* package and run the validate.yaml task + # loop through each src/* package and run the validate.yaml task actions: - cmd: | for package in $(ls src); do if [ ! $(echo ${EXCLUDED_PACKAGES} | grep ${package}) ]; then - if [ "${package}" == "istio" ]; then + if [ "${package}" == "istio" ]; then uds run -f src/${package}/tasks.yaml validate --no-progress --with validate_passthrough=${{ .inputs.validate_passthrough }} fi - uds run -f src/${package}/tasks.yaml validate --no-progress + uds run -f src/${package}/tasks.yaml validate --no-progress fi done set +e From 4233047ce03f9a7f18d48f5307fc8becc21e32fe Mon Sep 17 00:00:00 2001 From: Noah Birrer Date: Tue, 25 Mar 2025 21:34:35 -0400 Subject: [PATCH 075/118] syntax fix --- tasks/test.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/test.yaml b/tasks/test.yaml index 91606e4abf..2150e36ddd 100644 --- a/tasks/test.yaml +++ b/tasks/test.yaml @@ -68,7 +68,7 @@ tasks: - cmd: | for package in $(ls src); do if [ ! $(echo ${EXCLUDED_PACKAGES} | grep ${package}) ]; then - if [ "${package}" == "istio" ]; then + if [ $(echo ${package} | grep "istio") ]; then uds run -f src/${package}/tasks.yaml validate --no-progress --with validate_passthrough=${{ .inputs.validate_passthrough }} fi uds run -f src/${package}/tasks.yaml validate --no-progress From e791b8a762cdb628fab2e6ee9ded799af9e6f1bb Mon Sep 17 00:00:00 2001 From: Noah Birrer Date: Wed, 26 Mar 2025 08:43:14 -0400 Subject: [PATCH 076/118] modify if statement --- tasks/test.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/test.yaml b/tasks/test.yaml index 2150e36ddd..40c8faeeec 100644 --- a/tasks/test.yaml +++ b/tasks/test.yaml 
@@ -68,7 +68,7 @@ tasks: - cmd: | for package in $(ls src); do if [ ! $(echo ${EXCLUDED_PACKAGES} | grep ${package}) ]; then - if [ $(echo ${package} | grep "istio") ]; then + if [ ${package} = "istio" ]; then uds run -f src/${package}/tasks.yaml validate --no-progress --with validate_passthrough=${{ .inputs.validate_passthrough }} fi uds run -f src/${package}/tasks.yaml validate --no-progress @@ -139,7 +139,7 @@ tasks: - name: uds-core-non-k3d description: "Validate and Test UDS Core deployment on a non K3d Cluster" actions: - - task: util:setup-hosts + #- task: util:setup-hosts - task: validate-packages with: validate_passthrough: "false" From 161d3726b9cfaffee6f041a2965e4ae76902f272 Mon Sep 17 00:00:00 2001 From: Noah Birrer Date: Wed, 26 Mar 2025 09:52:45 -0400 Subject: [PATCH 077/118] address feedback on checking for denied responses in network tests --- test/jest/network.spec.ts | 31 ++++++++++++++++++++++++------- 1 file changed, 24 insertions(+), 7 deletions(-) diff --git a/test/jest/network.spec.ts b/test/jest/network.spec.ts index 0df33499bf..2684fbb7b6 100644 --- a/test/jest/network.spec.ts +++ b/test/jest/network.spec.ts @@ -108,6 +108,23 @@ async function execInPod( }); } +// Check for HTTP error codes in test responses +// Used when checking if network calls were denied +// HTTP response status code reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Status +// Expects curlOutput.stdout to only contain a string indicating the HTTP response code +function isResponseError(curlOutput: { stdout: string, stderr: string }) { + if (!curlOutput.stderr) { + const httpResponseCode = Number(curlOutput.stdout) ?? 0 + if (httpResponseCode < 100 || httpResponseCode > 399) { + return true + } else { + return false + } + } else { + return true + } +} + let curlPodName1 = ""; let testAdminApp = ""; let curlPodName6 = ""; 
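Review bot: `if [ ${package} = "istio" ]` leaves `${package}` unquoted; it only works because `ls src` yields single-token names, and `[ "${package}" = "istio" ]` costs nothing. More importantly the branch still falls through to the unconditional `uds run -f src/${package}/tasks.yaml validate --no-progress` two lines later, so istio validation runs twice and the second run ignores the `validate_passthrough` input; an `else` around the plain invocation is still needed after three revisions of this comparison. If `#- task: util:setup-hosts` in `uds-core-non-k3d` is meant to stay disabled, a comment explaining why would keep someone from re-enabling it blindly; if it is a debugging leftover it should be restored.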
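Review bot: `Number(curlOutput.stdout) ?? 0` never falls back, because `Number()` returns `NaN` rather than `null` for non-numeric text, and `NaN < 100 || NaN > 399` is `false`, so garbage or multi-line stdout makes `isResponseError` return `false` and a denied request would be reported as allowed. Parse defensively: `const code = Number(curlOutput.stdout.trim()); return !Number.isInteger(code) || code < 100 || code > 399;` with the existing `curlOutput.stderr` check kept as an early `return true`. Treating any stderr as an error also assumes every curl invocation runs silently (`-s`); the commands are defined outside this hunk, so a sentence in the header comment stating that assumption would prevent a progress meter from masking a real 200. Writing that header as a `/** ... */` doc comment would also let editors surface it at call sites.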
@@ -149,11 +166,11 @@ describe("Network Policy Validation", () => { // Default Deny when no Ingress or Egress defined or Exposed Endpoints // The HTTP response code could either be 000 or 503, depending on the K8s distro const denied_external_response = await execInPod("curl-ns-deny-all", curlPodName1, "curl-pkg-deny-all-1", CURL_GATEWAY); - expect(denied_external_response.stdout).not.toBe("200"); - + expect(isResponseError(denied_external_response)).toBe(true); + // Default deny when no Ingress or Egress for internal curl command const denied_internal_response = await execInPod("curl-ns-deny-all", curlPodName1, "curl-pkg-deny-all-1", INTERNAL_CURL_COMMAND_1); - expect(denied_internal_response.stdout).not.toBe("200"); + expect(isResponseError(denied_internal_response)).toBe(true); // Default Deny for Google Curl when no Egress defined const denied_google_response = await execInPod("curl-ns-deny-all", curlPodName1, "curl-pkg-deny-all-1", GOOGLE_CURL); @@ -162,7 +179,7 @@ describe("Network Policy Validation", () => { // Default Deny for Blocked Port const blocked_port_curl = getCurlCommand("curl-pkg-deny-all-2", "curl-ns-deny-all", 9999); const denied_port_response = await execInPod("curl-ns-deny-all", curlPodName1, "curl-pkg-deny-all-1", blocked_port_curl); - expect(denied_port_response.stdout).not.toBe("200"); + expect(isResponseError(denied_port_response)).toBe(true); }); test.concurrent("Basic Wide Open Ingress and Wide Open Egress", async () => { 
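Review bot: The Google-egress denial is not converted: `denied_google_response` is awaited on the last line of the first hunk, but its assertion lies between the two hunks and presumably still reads `expect(...stdout).not.toBe("200")`, leaving one default-deny check on the weaker test the commit replaces elsewhere. Switch it to `expect(isResponseError(denied_google_response)).toBe(true)` for consistency. The comment above `denied_external_response` explaining that the code may be `000` or `503` depending on the distro now describes logic that lives in `isResponseError`, so pointing the comment at the helper would keep it from going stale.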
@@ -184,12 +201,12 @@ describe("Network Policy Validation", () => { // Deny request when port is not allowed on ingress const denied_incorrect_port_response = await execInPod("test-admin-app", testAdminApp, "curl", CURL_INTERNAL_8081); - expect(denied_incorrect_port_response.stdout).not.toBe("200"); + expect(isResponseError(denied_incorrect_port_response)).toBe(true); // Default Deny for undefined Ingress port const blocked_port_curl = getCurlCommand("curl-pkg-allow-all", "curl-ns-allow-all", 9999); const denied_port_response = await execInPod("test-admin-app", testAdminApp, "curl", blocked_port_curl); - expect(denied_port_response.stdout).not.toBe("200"); + expect(isResponseError(denied_port_response)).toBe(true); // Wide open Egress means successful google curl const successful_google_response = await execInPod("test-admin-app", testAdminApp, "curl", GOOGLE_CURL); @@ -240,7 +257,7 @@ describe("Network Policy Validation", () => { // Default Deny for Blocked Port const blocked_port_curl = getCurlCommand("curl-pkg-remote-ns-ingress", "curl-ns-remote-ns-2", 9999); const denied_port_response = await execInPod("curl-ns-remote-ns-1", curlPodName6, "curl-pkg-remote-ns-egress", blocked_port_curl); - expect(denied_port_response.stdout).not.toBe("200"); + expect(isResponseError(denied_port_response)).toBe(true); }); test.concurrent("Kube API Restrictions", async () => { From 05aa1135bf8692a441e8288ed2121bdabee51324 Mon Sep 17 00:00:00 2001 From: Noah Birrer Date: Wed, 26 Mar 2025 11:08:33 -0400 Subject: [PATCH 078/118] support templating default coredns configmap --- .github/workflows/test-eks.yaml | 2 +- .github/workflows/test-rke2.yaml | 2 +- tasks/test.yaml | 2 +- tasks/utils.yaml | 50 +++++++------------------------- 4 files changed, 13 insertions(+), 43 deletions(-) diff --git a/.github/workflows/test-eks.yaml b/.github/workflows/test-eks.yaml index a7d7977b3f..1d09cf55dd 100644 --- a/.github/workflows/test-eks.yaml +++ b/.github/workflows/test-eks.yaml 
@@ -93,7 +93,7 @@ jobs: timeout-minutes: 20 - name: Configure Cluster DNS - run: uds run -f tasks/utils.yaml eks-coredns-setup --no-progress + run: uds run -f tasks/utils.yaml coredns-setup --no-progress - name: Deploy Core Bundle env: diff --git a/.github/workflows/test-rke2.yaml b/.github/workflows/test-rke2.yaml index cbb4e59b75..6879c2eda4 100644 --- a/.github/workflows/test-rke2.yaml +++ b/.github/workflows/test-rke2.yaml @@ -96,7 +96,7 @@ jobs: timeout-minutes: 20 - name: Configure Cluster DNS - run: uds run -f tasks/utils.yaml rke2-coredns-setup --no-progress + run: uds run -f tasks/utils.yaml coredns-setup --no-progress --with coredns_deploy_name=rke2-coredns-rke2-coredns --with coredns_cm_name=rke2-coredns-rke2-coredns - name: Deploy Core Bundle env: diff --git a/tasks/test.yaml b/tasks/test.yaml index 40c8faeeec..1a4e0ad3ba 100644 --- a/tasks/test.yaml +++ b/tasks/test.yaml @@ -139,7 +139,7 @@ tasks: - name: uds-core-non-k3d description: "Validate and Test UDS Core deployment on a non K3d Cluster" actions: - #- task: util:setup-hosts + - task: util:setup-hosts - task: validate-packages with: validate_passthrough: "false" diff --git a/tasks/utils.yaml b/tasks/utils.yaml index 7103f984c7..7253063f75 100644 --- a/tasks/utils.yaml +++ b/tasks/utils.yaml @@ -64,43 +64,6 @@ tasks: --from-literal=password=${PASSWORD} \ -n keycloak fi - - name: eks-coredns-setup - actions: - - description: Setup Custom ConfigMap for Core DNS - cmd: | - uds zarf tools kubectl apply -f - < Date: Wed, 26 Mar 2025 12:30:09 -0400 Subject: [PATCH 079/118] task file fix - rm default value for validate_passthrough --- src/istio/tasks.yaml | 1 - tasks/iac.yaml | 5 ++++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/src/istio/tasks.yaml b/src/istio/tasks.yaml index 47a7a48c1c..3344957c7e 100644 --- a/src/istio/tasks.yaml +++ b/src/istio/tasks.yaml 
@@ -6,7 +6,6 @@ tasks: inputs: validate_passthrough: description: Whether to validate the passthrough gateway - default: "true" actions: - description: Validate the Istio Admin Gateway diff --git a/tasks/iac.yaml b/tasks/iac.yaml index b0341cf06b..0c5271382e 100644 --- a/tasks/iac.yaml +++ b/tasks/iac.yaml @@ -136,7 +136,10 @@ tasks: break fi done - - task: util:rke2-coredns-setup + - task: util:coredns-setup + with: + coredns_cm_name: "rke2-coredns-rke2-coredns" + coredns_deploy_name: "rke2-coredns-rke2-coredns" - task: util:rke2-allow-prom-kube-dns dir: .github/test-infra/aws/rke2/ maxTotalSeconds: 600 From 94c69eb8bd6923635ea7ff9f593b9fce68b15a73 Mon Sep 17 00:00:00 2001 From: Noah Birrer Date: Wed, 26 Mar 2025 16:20:52 -0400 Subject: [PATCH 080/118] fix helmchart install, use native approach for customizing rke2 coredns --- .github/test-infra/aws/rke2/main.tf | 1 + .../aws/rke2/scripts/helmchart-template.yaml | 33 ++++++++++++++++++- .../test-infra/aws/rke2/scripts/user_data.sh | 3 ++ .github/workflows/test-eks.yaml | 2 +- .github/workflows/test-rke2.yaml | 4 +-- tasks/utils.yaml | 13 ++------ 6 files changed, 42 insertions(+), 14 deletions(-) diff --git a/.github/test-infra/aws/rke2/main.tf b/.github/test-infra/aws/rke2/main.tf index 2b95a001ef..8152b5c3bd 100644 --- a/.github/test-infra/aws/rke2/main.tf +++ b/.github/test-infra/aws/rke2/main.tf @@ -27,6 +27,7 @@ locals { token_bucket = module.statestore.bucket, token_object = module.statestore.token_object cluster_name = local.tags.cluster_name + helm_chart_template = file("./scripts/helmchart-template.yaml") } } diff --git a/.github/test-infra/aws/rke2/scripts/helmchart-template.yaml b/.github/test-infra/aws/rke2/scripts/helmchart-template.yaml index 20ee821577..e00db995bc 100644 --- a/.github/test-infra/aws/rke2/scripts/helmchart-template.yaml +++ b/.github/test-infra/aws/rke2/scripts/helmchart-template.yaml 
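Review bot: Removing the `default` leaves `validate_passthrough` unset when `validate` is invoked without `--with`, as `validate-packages` still does on its fall-through run, so the comparison that gates the passthrough check (outside this hunk) now sees an empty string. The input should document the intended behaviour for that case, e.g. `description: Whether to validate the passthrough gateway ("true"/"false"); callers must pass it explicitly, an empty value is treated as <true|false>`, or, if the runner supports it, be marked `required: true` so the omission fails loudly instead of silently skipping a gateway check.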
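Review bot: `file("./scripts/helmchart-template.yaml")` resolves relative to the directory Terraform is invoked from, not the module, so it breaks as soon as the module is applied from another working directory; use `helm_chart_template = file("${path.module}/scripts/helmchart-template.yaml")`. Embedding the whole YAML into user data through a templatefile variable also counts against the EC2 user-data size cap (16 KB), which is fine at the current size but worth a comment next to the variable so the limit is remembered as charts are added.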
@@ -1,4 +1,4 @@ -# Copyright 2024 Defense Unicorns +# Copyright 2025 Defense Unicorns # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial apiVersion: helm.cattle.io/v1 @@ -54,3 +54,34 @@ spec: deletingConfirmationFlag: true longhornUI: replicas: 0 +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: coredns-custom + namespace: kube-system +data: + uds.override: | + rewrite stop { + name regex (.*\.admin\.uds\.dev) admin-ingressgateway.istio-admin-gateway.svc.cluster.local answer auto + } + rewrite stop { + name regex (.*\.uds\.dev) tenant-ingressgateway.istio-tenant-gateway.svc.cluster.local answer auto + } +--- +apiVersion: helm.cattle.io/v1 +kind: HelmChartConfig +metadata: + name: rke2-coredns + namespace: kube-system +spec: + valuesContent: |- + extraVolumes: + - name: custom-config-volume + configMap: + name: coredns-custom + optional: true + extraVolumeMounts: + - name: custom-config-volume + mountPath: /etc/coredns/custom + readOnly: true \ No newline at end of file diff --git a/.github/test-infra/aws/rke2/scripts/user_data.sh b/.github/test-infra/aws/rke2/scripts/user_data.sh index 786f8e4ccb..e3c09954cc 100644 --- a/.github/test-infra/aws/rke2/scripts/user_data.sh +++ b/.github/test-infra/aws/rke2/scripts/user_data.sh @@ -16,6 +16,9 @@ export CLUSTER_NAME="${cluster_name}" pre_userdata() { info "Beginning user defined pre userdata" info "Create HelmChart Resources." +cat > helmchart-template.yaml << EOM +${helm_chart_template} +EOM mkdir -p /var/lib/rancher/rke2/server/manifests envsubst < helmchart-template.yaml > /var/lib/rancher/rke2/server/manifests/00-helmcharts.yaml diff --git a/.github/workflows/test-eks.yaml b/.github/workflows/test-eks.yaml index 1d09cf55dd..a7d7977b3f 100644 --- a/.github/workflows/test-eks.yaml +++ b/.github/workflows/test-eks.yaml 
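Review bot: The two `rewrite stop` rules in the new `coredns-custom` ConfigMap use unanchored patterns, `(.*\.admin\.uds\.dev)` and `(.*\.uds\.dev)`; as far as I can tell CoreDNS's `name regex` matching is a substring match on the FQDN with its trailing dot, so a query for a constructed name such as `foo.uds.dev.example.org.` would also be rewritten to the tenant gateway. Anchoring both patterns to the end of the name, `name regex (.*\.admin\.uds\.dev)\.$ ...` and `name regex (.*\.uds\.dev)\.$ ...`, keeps the rewrite to the two intended zones. Because `stop` ends processing at the first match, the admin rule only works while it stays above the tenant rule, which is worth a one-line comment in the override so a later reorder does not silently send admin hosts to the tenant gateway.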
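Review bot: The new `cat > helmchart-template.yaml << EOM` heredoc in `pre_userdata` is unquoted, so the shell expands any `$VAR`, `${VAR}`, backtick or `$(...)` sequences in the Terraform-supplied `helm_chart_template` text before the existing `envsubst < helmchart-template.yaml` line sees it; any placeholder meant for envsubst whose variable is not yet set is written out as an empty string and envsubst then has nothing left to substitute. Quoting the delimiter, `cat > helmchart-template.yaml << 'EOM'`, keeps the content literal so substitution stays with envsubst as before. Inlining the whole manifest into user data also counts against the EC2 user-data size limit (16 KB), worth noting in a comment since the template grows in later commits. The enclosing `pre_userdata` function continues past the hunk.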
@@ -93,7 +93,7 @@ jobs: timeout-minutes: 20 - name: Configure Cluster DNS - run: uds run -f tasks/utils.yaml coredns-setup --no-progress + run: uds run -f tasks/utils.yaml eks-coredns-setup --no-progress - name: Deploy Core Bundle env: diff --git a/.github/workflows/test-rke2.yaml b/.github/workflows/test-rke2.yaml index 6879c2eda4..ec9bdce5ba 100644 --- a/.github/workflows/test-rke2.yaml +++ b/.github/workflows/test-rke2.yaml @@ -95,8 +95,8 @@ jobs: run: uds run -f tasks/iac.yaml rke2-cluster-ready --no-progress timeout-minutes: 20 - - name: Configure Cluster DNS - run: uds run -f tasks/utils.yaml coredns-setup --no-progress --with coredns_deploy_name=rke2-coredns-rke2-coredns --with coredns_cm_name=rke2-coredns-rke2-coredns + # - name: Configure Cluster DNS + # run: uds run -f tasks/utils.yaml coredns-setup --no-progress --with coredns_deploy_name=rke2-coredns-rke2-coredns --with coredns_cm_name=rke2-coredns-rke2-coredns - name: Deploy Core Bundle env: diff --git a/tasks/utils.yaml b/tasks/utils.yaml index 7253063f75..e1e4f1c78e 100644 --- a/tasks/utils.yaml +++ b/tasks/utils.yaml @@ -112,14 +112,7 @@ tasks: - protocol: TCP port: 9153 EOF - - name: coredns-setup - inputs: - coredns_cm_name: - description: "Name of the default configmap for coredns. Will be overwritten by the manifest below." - default: "coredns" - coredns_deploy_name: - description: "Name of the coredns deployment." - default: "coredns" + - name: eks-coredns-setup actions: - description: Setup Custom ConfigMap for Core DNS cmd: | @@ -153,10 +146,10 @@ tasks: } kind: ConfigMap metadata: - name: ${{ .inputs.coredns_cm_name }} + name: coredns namespace: kube-system EOF - uds zarf tools kubectl rollout restart deployment -n kube-system ${{ .inputs.coredns_deploy_name }} + uds zarf tools kubectl rollout restart deployment -n kube-system coredns - name: admin-gw-ip actions: - description: Fetch Admin Gateway IP Address From e78ff32ba80bff628994217171342384620f1fc4 Mon Sep 17 00:00:00 2001 
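Review bot: The `Configure Cluster DNS` step in `test-rke2.yaml` is left behind as two commented-out lines rather than removed; since this same patch moves the RKE2 CoreDNS customization into the `HelmChartConfig` in `helmchart-template.yaml`, the dead step has nothing to call and git history already keeps the old command. If a marker is wanted for the next reader, a one-line comment saying where the behaviour went, `# CoreDNS rewrites for RKE2 are applied by the HelmChartConfig in .github/test-infra/aws/rke2/scripts/helmchart-template.yaml`, is more useful than the retired `uds run` invocation.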
From: Noah Birrer Date: Wed, 26 Mar 2025 16:23:10 -0400 Subject: [PATCH 081/118] lint fix --- .github/test-infra/aws/rke2/scripts/helmchart-template.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/test-infra/aws/rke2/scripts/helmchart-template.yaml b/.github/test-infra/aws/rke2/scripts/helmchart-template.yaml index e00db995bc..5feda7561e 100644 --- a/.github/test-infra/aws/rke2/scripts/helmchart-template.yaml +++ b/.github/test-infra/aws/rke2/scripts/helmchart-template.yaml @@ -84,4 +84,4 @@ spec: extraVolumeMounts: - name: custom-config-volume mountPath: /etc/coredns/custom - readOnly: true \ No newline at end of file + readOnly: true From 8f482d08631da348d8e2429511e018ee795258e9 Mon Sep 17 00:00:00 2001 From: Noah Birrer Date: Wed, 26 Mar 2025 16:41:35 -0400 Subject: [PATCH 082/118] rm task --- tasks/iac.yaml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/tasks/iac.yaml b/tasks/iac.yaml index 0c5271382e..b8698e6afc 100644 --- a/tasks/iac.yaml +++ b/tasks/iac.yaml @@ -136,10 +136,6 @@ tasks: break fi done - - task: util:coredns-setup - with: - coredns_cm_name: "rke2-coredns-rke2-coredns" - coredns_deploy_name: "rke2-coredns-rke2-coredns" - task: util:rke2-allow-prom-kube-dns dir: .github/test-infra/aws/rke2/ maxTotalSeconds: 600 From 945e6c5c19de6061d0b666fad705c60408f8c9ac Mon Sep 17 00:00:00 2001 From: Noah <40781376+noahpb@users.noreply.github.com> Date: Thu, 27 Mar 2025 08:42:51 -0400 Subject: [PATCH 083/118] Update test/jest/network.spec.ts Co-authored-by: Micah Nagel --- test/jest/network.spec.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/jest/network.spec.ts b/test/jest/network.spec.ts index 2684fbb7b6..43bb644be5 100644 --- a/test/jest/network.spec.ts +++ b/test/jest/network.spec.ts 
@@ -278,7 +278,7 @@ describe("Network Policy Validation", () => { // Default Deny for Blocked Port const blocked_port_curl = getCurlCommand("curl-pkg-deny-all-2", "curl-ns-deny-all", 9999); const denied_port_response = await execInPod("curl-ns-kube-api", curlPodName8, "curl-pkg-kube-api", blocked_port_curl); - expect(denied_port_response.stdout).not.toBe("200"); + expect(isResponseError(denied_port_response)).toBe(true); }); test.concurrent("RemoteCidr Restrictions", async () => { From c80a256e7fef182544d531da9ed9f688c535ec8c Mon Sep 17 00:00:00 2001 From: Noah Birrer Date: Thu, 27 Mar 2025 10:11:50 -0400 Subject: [PATCH 084/118] simplify node readiness check command; clean up output --- tasks/iac.yaml | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/tasks/iac.yaml b/tasks/iac.yaml index b8698e6afc..9ed9a8e799 100644 --- a/tasks/iac.yaml +++ b/tasks/iac.yaml @@ -99,7 +99,7 @@ tasks: - name: rke2-nodes-ready actions: - - cmd: sleep 30 + #- cmd: sleep 30 - wait: cluster: kind: nodes 
@@ -112,27 +112,29 @@ tasks: - task: rke2-nodes-ready - cmd: | # wait for nodes to be ready + echo "Waiting for all cluster nodes to be ready..."; while true; do - if [ $(uds zarf tools kubectl get nodes -o jsonpath='{range .items[*]}{.status.conditions[-1].type}={.status.conditions[-1].status}{"\n"}{end}' | egrep -i '^ready.*true' | wc -l) -lt 4 ]; then - echo "Waiting for all cluster nodes to be ready..."; + if [ $(uds zarf tools kubectl get nodes | grep Ready | wc -l) -lt 4 ]; then sleep 5; else break fi done # wait for cluster components + echo "Waiting for Helm Controller to install cluster components..." while true; do if [ $(uds zarf tools kubectl get po -n kube-system -l batch.kubernetes.io/controller-uid --no-headers | egrep -v Completed | wc -l) -gt 0 ]; then - echo "Waiting for Helm Controller to install cluster components..." sleep 5; + else + break fi done + echo "Waiting for cluster components to be ready..."; while true; do if [ $(uds zarf tools kubectl get po,job -A --no-headers=true | egrep -v 'helm-install|Running|Complete' | wc -l) -gt 0 ]; then - echo "Waiting for cluster components to be ready..."; sleep 5; else - echo "Cluster is ready" + echo "Cluster is ready!" break fi done From fa53068cf4a2d4f16997a7274299e4c063654f3c Mon Sep 17 00:00:00 2001 From: Noah Birrer Date: Thu, 27 Mar 2025 10:12:24 -0400 Subject: [PATCH 085/118] add back wait command --- tasks/iac.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/iac.yaml b/tasks/iac.yaml index 9ed9a8e799..58f4c8cad6 100644 --- a/tasks/iac.yaml +++ b/tasks/iac.yaml @@ -99,7 +99,7 @@ tasks: - name: rke2-nodes-ready actions: - #- cmd: sleep 30 + - cmd: sleep 30 - wait: cluster: kind: nodes From 0d856fdb8345847f757ae923178a2bb0cae24eaf Mon Sep 17 00:00:00 2001 From: Noah Birrer Date: Thu, 27 Mar 2025 13:21:26 -0400 Subject: [PATCH 086/118] rke2 coredns configmap fix --- .../aws/rke2/scripts/helmchart-template.yaml | 41 +++++++++++++++++++ 1 file changed, 41 insertions(+) 
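Review bot: The simplified readiness check `uds zarf tools kubectl get nodes | grep Ready | wc -l` also counts `NotReady` nodes, because `grep Ready` matches that substring, so the first loop can exit before all four nodes are actually ready; the jsonpath form it replaces only counted `Ready=True`. Matching the STATUS column exactly avoids this: `if [ $(uds zarf tools kubectl get nodes --no-headers | awk '$2 == "Ready"' | wc -l) -lt 4 ]; then`. The node count `4` is hard-coded on that line; if the Terraform node pool size is configurable it would be worth deriving it from the same variable, or at least naming it in a comment. The `cmd: |` block ends at the final `done` inside the hunk, but the enclosing task continues past it.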
diff --git a/.github/test-infra/aws/rke2/scripts/helmchart-template.yaml b/.github/test-infra/aws/rke2/scripts/helmchart-template.yaml index 5feda7561e..abb01618a0 100644 --- a/.github/test-infra/aws/rke2/scripts/helmchart-template.yaml +++ b/.github/test-infra/aws/rke2/scripts/helmchart-template.yaml @@ -85,3 +85,44 @@ spec: - name: custom-config-volume mountPath: /etc/coredns/custom readOnly: true + extraConfig: + import: + parameters: /etc/coredns/custom/*.override + # Below we take the default kubernetes configmap for coredns and add an import statement for our custom configmap + # Ref: https://github.com/rancher/rke2-charts/blob/8078e4184e5b1730e518344aaa170a5e49e29766/charts/rke2-coredns/rke2-coredns/1.39.101/values.yaml#L104 + servers: + - zones: + - zone: . + port: 53 + # -- expose the service on a different port + # servicePort: 5353 + # If serviceType is nodePort you can specify nodePort here + # nodePort: 30053 + # hostPort: 53 + plugins: + - name: errors + # Serves a /health endpoint on :8080, required for livenessProbe + - name: health + configBlock: |- + lameduck 5s + # Serves a /ready endpoint on :8181, required for readinessProbe + - name: ready + # Required to query kubernetes API for data + - name: kubernetes + parameters: cluster.local in-addr.arpa ip6.arpa + configBlock: |- + pods insecure + fallthrough in-addr.arpa ip6.arpa + ttl 30 + # Serves a /metrics endpoint on :9153, required for serviceMonitor + - name: prometheus + parameters: 0.0.0.0:9153 + - name: forward + parameters: . /etc/resolv.conf + - name: cache + parameters: 30 + - name: loop + - name: reload + - name: loadbalance + - name: import + parameters: /etc/coredns/custom/*.override From 7f46b5aa859275a0ae44c0335e2e4c814e56e45c Mon Sep 17 00:00:00 2001 From: Noah Birrer Date: Thu, 27 Mar 2025 13:36:08 -0400 Subject: [PATCH 087/118] rm extraconfig --- .github/test-infra/aws/rke2/scripts/helmchart-template.yaml | 3 --- 1 file changed, 3 deletions(-) 
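Review bot: The comment above the new `servers:` block describes it as the chart default plus an `import` line, but Helm replaces list values rather than merging them, so this copy now owns the entire CoreDNS server configuration for the RKE2 test cluster and will silently diverge whenever the pinned `rke2-coredns` chart changes its defaults. Extend the comment to record the chart version the block was copied from (1.39.101, per the Ref link) and the RKE2 release it ships with, and state that only the final `- name: import` entry is local, so whoever bumps RKE2 knows to re-diff the block against upstream rather than edit it in place. A short comment on that last entry, `# local addition: pulls in the coredns-custom rewrites mounted at /etc/coredns/custom`, would make the one intentional change easy to spot.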
diff --git a/.github/test-infra/aws/rke2/scripts/helmchart-template.yaml b/.github/test-infra/aws/rke2/scripts/helmchart-template.yaml index abb01618a0..c26d1ca882 100644 --- a/.github/test-infra/aws/rke2/scripts/helmchart-template.yaml +++ b/.github/test-infra/aws/rke2/scripts/helmchart-template.yaml @@ -85,9 +85,6 @@ spec: - name: custom-config-volume mountPath: /etc/coredns/custom readOnly: true - extraConfig: - import: - parameters: /etc/coredns/custom/*.override # Below we take the default kubernetes configmap for coredns and add an import statement for our custom configmap # Ref: https://github.com/rancher/rke2-charts/blob/8078e4184e5b1730e518344aaa170a5e49e29766/charts/rke2-coredns/rke2-coredns/1.39.101/values.yaml#L104 servers: From 407fbda7b790f85fb2c2d725089e0891dc92fcb2 Mon Sep 17 00:00:00 2001 
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Fri, 28 Mar 2025 10:03:43 -0600 Subject: [PATCH 088/118] chore(deps): update support-deps (#1390) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | Type | Update | |---|---|---|---|---|---|---|---| | [@types/node](https://redirect.github.com/DefinitelyTyped/DefinitelyTyped/tree/master/types/node) ([source](https://redirect.github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node)) | [`22.13.13` -> `22.13.14`](https://renovatebot.com/diffs/npm/@types%2fnode/22.13.13/22.13.14) | [![age](https://developer.mend.io/api/mc/badges/age/npm/@types%2fnode/22.13.14?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/@types%2fnode/22.13.14?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/@types%2fnode/22.13.13/22.13.14?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@types%2fnode/22.13.13/22.13.14?slim=true)](https://docs.renovatebot.com/merge-confidence/) | devDependencies | patch | | aws | `~> 5.92.0` -> `~> 5.93.0` | [![age](https://developer.mend.io/api/mc/badges/age/terraform-provider/hashicorp%2faws/5.93.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/terraform-provider/hashicorp%2faws/5.93.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/terraform-provider/hashicorp%2faws/5.92.0/5.93.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | 
[![confidence](https://developer.mend.io/api/mc/badges/confidence/terraform-provider/hashicorp%2faws/5.92.0/5.93.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | required_provider | minor | | [defenseunicorns/uds-common](https://redirect.github.com/defenseunicorns/uds-common) | `v1.11.0` -> `v1.11.1` | [![age](https://developer.mend.io/api/mc/badges/age/github-tags/defenseunicorns%2fuds-common/v1.11.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/github-tags/defenseunicorns%2fuds-common/v1.11.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/github-tags/defenseunicorns%2fuds-common/v1.11.0/v1.11.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/github-tags/defenseunicorns%2fuds-common/v1.11.0/v1.11.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | | patch | | [defenseunicorns/uds-k3d](https://redirect.github.com/defenseunicorns/uds-k3d) | `0.12.0` -> `0.12.1` | [![age](https://developer.mend.io/api/mc/badges/age/github-tags/defenseunicorns%2fuds-k3d/v0.12.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/github-tags/defenseunicorns%2fuds-k3d/v0.12.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/github-tags/defenseunicorns%2fuds-k3d/v0.12.0/v0.12.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/github-tags/defenseunicorns%2fuds-k3d/v0.12.0/v0.12.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | | patch | | ghcr.io/defenseunicorns/packages/uds-k3d | `0.12.0` -> `0.12.1` | 
[![age](https://developer.mend.io/api/mc/badges/age/docker/ghcr.io%2fdefenseunicorns%2fpackages%2fuds-k3d/0.12.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/docker/ghcr.io%2fdefenseunicorns%2fpackages%2fuds-k3d/0.12.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/docker/ghcr.io%2fdefenseunicorns%2fpackages%2fuds-k3d/0.12.0/0.12.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/docker/ghcr.io%2fdefenseunicorns%2fpackages%2fuds-k3d/0.12.0/0.12.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | | patch | --- ### Release Notes
defenseunicorns/uds-common (defenseunicorns/uds-common) ### [`v1.11.1`](https://redirect.github.com/defenseunicorns/uds-common/releases/tag/v1.11.1) [Compare Source](https://redirect.github.com/defenseunicorns/uds-common/compare/v1.11.0...v1.11.1) ##### Bug Fixes - conditionals in release broke ([#​450](https://redirect.github.com/defenseunicorns/uds-common/issues/450)) ([5e5aa5e](https://redirect.github.com/defenseunicorns/uds-common/commit/5e5aa5e86a05dbb8f9e09095d5c7f59b1770fdee))
defenseunicorns/uds-k3d (defenseunicorns/uds-k3d) ### [`v0.12.1`](https://redirect.github.com/defenseunicorns/uds-k3d/releases/tag/v0.12.1) [Compare Source](https://redirect.github.com/defenseunicorns/uds-k3d/compare/v0.12.0...v0.12.1) ##### Miscellaneous - **deps:** update dependency defenseunicorns/uds-common to v1.11.0 ([#​152](https://redirect.github.com/defenseunicorns/uds-k3d/issues/152)) ([2114584](https://redirect.github.com/defenseunicorns/uds-k3d/commit/21145848327f51ca662a9e86a10b74742fd221fd)) - **deps:** update dependency defenseunicorns/uds-common to v1.11.1 ([#​154](https://redirect.github.com/defenseunicorns/uds-k3d/issues/154)) ([a14303d](https://redirect.github.com/defenseunicorns/uds-k3d/commit/a14303d059462435c84db6bfc4fb6fb566aa8ee8)) - **deps:** update dev-stack to v0.0.31 ([#​141](https://redirect.github.com/defenseunicorns/uds-k3d/issues/141)) ([c7939e4](https://redirect.github.com/defenseunicorns/uds-k3d/commit/c7939e4e1d2f62210ec82a81b497def9b123c661)) - **deps:** update githubactions ([#​145](https://redirect.github.com/defenseunicorns/uds-k3d/issues/145)) ([d6ae168](https://redirect.github.com/defenseunicorns/uds-k3d/commit/d6ae168a7d5fe9c593e3bd148437e6b0e4580feb)) - **deps:** update githubactions ([#​146](https://redirect.github.com/defenseunicorns/uds-k3d/issues/146)) ([28406dd](https://redirect.github.com/defenseunicorns/uds-k3d/commit/28406dd77fc0054ce39f113fb03d760abbd4de71)) - **deps:** update githubactions ([#​151](https://redirect.github.com/defenseunicorns/uds-k3d/issues/151)) ([bdb2827](https://redirect.github.com/defenseunicorns/uds-k3d/commit/bdb2827f8606393f990fb7625cc3916d9195075b)) - **deps:** update githubactions to v4.1.4 ([#​148](https://redirect.github.com/defenseunicorns/uds-k3d/issues/148)) ([c183858](https://redirect.github.com/defenseunicorns/uds-k3d/commit/c183858d42c25a7bbbd5d5d3b5750c620522627c)) - **deps:** update githubactions to v4.1.5 ([#​149](https://redirect.github.com/defenseunicorns/uds-k3d/issues/149)) 
([28ef31e](https://redirect.github.com/defenseunicorns/uds-k3d/commit/28ef31e985d2461d8f7a226de50e7a5c470f23a2)) - **deps:** update placeholder ([#​143](https://redirect.github.com/defenseunicorns/uds-k3d/issues/143)) ([2c5bd26](https://redirect.github.com/defenseunicorns/uds-k3d/commit/2c5bd2634fcb237b86a90bc2d7594ddbe0b8c10b)) - **deps:** update rancher/k3s docker tag to v1.32.2 ([#​147](https://redirect.github.com/defenseunicorns/uds-k3d/issues/147)) ([f8ae305](https://redirect.github.com/defenseunicorns/uds-k3d/commit/f8ae3054a08377b10ea9c209d4222bccfd431256)) - **deps:** update rancher/k3s docker tag to v1.32.3 ([#​153](https://redirect.github.com/defenseunicorns/uds-k3d/issues/153)) ([11ff3a5](https://redirect.github.com/defenseunicorns/uds-k3d/commit/11ff3a5e042391241e902a0aac69a1e217c10694)) - switch to cgr busybox ([#​155](https://redirect.github.com/defenseunicorns/uds-k3d/issues/155)) ([378914a](https://redirect.github.com/defenseunicorns/uds-k3d/commit/378914aae77cd17affa9cab31c2c0220e516f624)) - update to k3s 1.31.6 by default ([#​150](https://redirect.github.com/defenseunicorns/uds-k3d/issues/150)) ([0038feb](https://redirect.github.com/defenseunicorns/uds-k3d/commit/0038febf2f9b9644799eec5004f83cd7dfe2e261)) - use k3s 1.31.7 by default ([#​156](https://redirect.github.com/defenseunicorns/uds-k3d/issues/156)) ([30a0b0f](https://redirect.github.com/defenseunicorns/uds-k3d/commit/30a0b0f98748b546df3f89c3f03558e541826d10))
--- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/defenseunicorns/uds-core). --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Micah Nagel --- .github/test-infra/aws/rke2/versions.tf | 2 +- bundles/k3d-slim-dev/uds-bundle.yaml | 2 +- bundles/k3d-standard/uds-bundle.yaml | 2 +- src/istio/ambient/zarf.yaml | 9 ++++----- tasks/create.yaml | 2 +- tasks/deploy.yaml | 4 ++-- tasks/lint.yaml | 2 +- tasks/setup.yaml | 2 +- tasks/test.yaml | 4 ++-- test/jest/package-lock.json | 6 +++--- test/playwright/package-lock.json | 6 +++--- 11 files changed, 20 insertions(+), 21 deletions(-) diff --git a/.github/test-infra/aws/rke2/versions.tf b/.github/test-infra/aws/rke2/versions.tf index 34082fea0e..65348c1aa8 100644 --- a/.github/test-infra/aws/rke2/versions.tf +++ b/.github/test-infra/aws/rke2/versions.tf @@ -6,7 +6,7 @@ terraform { } required_providers { aws = { - version = "~> 5.92.0" + version = "~> 5.93.0" } random = { version = "~> 3.7.0" diff --git a/bundles/k3d-slim-dev/uds-bundle.yaml b/bundles/k3d-slim-dev/uds-bundle.yaml index dc68cfcab6..33d94515cc 100644 --- a/bundles/k3d-slim-dev/uds-bundle.yaml +++ b/bundles/k3d-slim-dev/uds-bundle.yaml 
@@ -13,7 +13,7 @@ metadata: packages: - name: uds-k3d-dev repository: ghcr.io/defenseunicorns/packages/uds-k3d - ref: 0.12.0 + ref: 0.12.1 overrides: uds-dev-stack: minio: diff --git a/bundles/k3d-standard/uds-bundle.yaml b/bundles/k3d-standard/uds-bundle.yaml index 8b09b19c13..adbcad97aa 100644 --- a/bundles/k3d-standard/uds-bundle.yaml +++ b/bundles/k3d-standard/uds-bundle.yaml @@ -12,7 +12,7 @@ metadata: packages: - name: uds-k3d-dev repository: ghcr.io/defenseunicorns/packages/uds-k3d - ref: 0.12.0 + ref: 0.12.1 overrides: uds-dev-stack: minio: diff --git a/src/istio/ambient/zarf.yaml b/src/istio/ambient/zarf.yaml index e83da31297..b5fc9cc8ae 100644 --- a/src/istio/ambient/zarf.yaml +++ b/src/istio/ambient/zarf.yaml @@ -54,11 +54,10 @@ components: cmd: | if [ \"${ZARF_VAR_CNI_BIN_DIR}\" = \"\" ]; then if ./zarf tools kubectl version -o json 2>/dev/null | ./zarf tools yq '.serverVersion.gitVersion' 2>/dev/null | grep -q "k3s"; then - if ./zarf tools kubectl get nodes -o jsonpath='{range .items[*]}{.metadata.name}{"\n"}{end}' 2>/dev/null | grep -q "k3d"; then - echo "/bin/" - else - echo "/var/lib/rancher/k3s/data/cni" - fi + # Note: this was previously the k3d bin dir, but with k3s 1.31.7 it has changed to the default k3s dir + # if ./zarf tools kubectl get nodes -o jsonpath='{range .items[*]}{.metadata.name}{"\n"}{end}' 2>/dev/null | grep -q "k3d"; then + # echo "/bin/" + echo "/var/lib/rancher/k3s/data/cni" else echo "/opt/cni/bin" fi diff --git a/tasks/create.yaml b/tasks/create.yaml index 56ab7d9832..9ed0e744e5 100644 --- a/tasks/create.yaml +++ b/tasks/create.yaml @@ -3,7 +3,7 @@ includes: - - common: https://raw.githubusercontent.com/defenseunicorns/uds-common/v1.11.0/tasks/create.yaml + - common: https://raw.githubusercontent.com/defenseunicorns/uds-common/v1.11.1/tasks/create.yaml variables: - name: FLAVOR diff --git a/tasks/deploy.yaml b/tasks/deploy.yaml index cae974c99b..2727a5dee6 100644 --- a/tasks/deploy.yaml +++ b/tasks/deploy.yaml 
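Review bot: In `src/istio/ambient/zarf.yaml` the k3d branch of the `CNI_BIN_DIR` detection is commented out in place, so the `grep -q "k3s"` branch now unconditionally echoes `/var/lib/rancher/k3s/data/cni` and the two commented lines are dead code next to a live `if`. Prefer deleting them and keeping only the explanatory `# Note:` comment, which already records the k3s 1.31.7 reason, extended with the consequence, e.g. `# k3d on k3s >= 1.31.7 uses the default k3s CNI dir, so no k3d-specific path is needed`. If the old `/bin/` path must come back for older k3s releases, a version comparison would be a better guard than commented-out code.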
@@ -1,7 +1,6 @@ # Copyright 2024 Defense Unicorns # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial - includes: - utils: utils.yaml @@ -61,7 +60,7 @@ tasks: setVariables: - name: LATEST_VERSION - description: "Deploy the latest UDS Core package release" - cmd: uds zarf package deploy oci://${TARGET_REPO}/core:${LATEST_VERSION} --confirm --no-progress --components '*' + cmd: uds zarf package deploy oci://${TARGET_REPO}/core:${LATEST_VERSION} --confirm --no-progress --components '*' --set CNI_BIN_DIR="/var/lib/rancher/k3s/data/cni" - name: latest-slim-bundle-release actions: @@ -71,6 +70,7 @@ tasks: - name: standard-package actions: - description: "Deploy the standard UDS Core zarf package" + # Note: The `CNI_BIN_DIR` override is temporary to workaround an upgrade issue with the k3s 1.31.7 cmd: uds zarf package deploy build/zarf-package-core-${UDS_ARCH}-${VERSION}.tar.zst --confirm --no-progress --components '*' - name: checkpoint-package diff --git a/tasks/lint.yaml b/tasks/lint.yaml index cc643f6a23..d5be951c8c 100644 --- a/tasks/lint.yaml +++ b/tasks/lint.yaml @@ -2,7 +2,7 @@ # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial includes: - - remote: https://raw.githubusercontent.com/defenseunicorns/uds-common/v1.11.0/tasks/lint.yaml + - remote: https://raw.githubusercontent.com/defenseunicorns/uds-common/v1.11.1/tasks/lint.yaml tasks: - name: fix diff --git a/tasks/setup.yaml b/tasks/setup.yaml index 7b74217545..b7a07de0ee 100644 --- a/tasks/setup.yaml +++ b/tasks/setup.yaml @@ -7,7 +7,7 @@ tasks: actions: - description: "Create the K3d cluster" # renovate: datasource=github-tags depName=defenseunicorns/uds-k3d versioning=semver - cmd: "uds zarf package deploy oci://defenseunicorns/uds-k3d:0.12.0 --confirm --no-progress" + cmd: "uds zarf package deploy oci://defenseunicorns/uds-k3d:0.12.1 --confirm --no-progress" - name: k3d-test-cluster actions: 
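Review bot: The new `# Note: The \`CNI_BIN_DIR\` override is temporary ...` comment sits above the `standard-package` deploy command, but that command has no `--set CNI_BIN_DIR`; the override was added to the `latest-package-release` command in the previous hunk of this file (`@@ -61,7 +60,7 @@`), so the explanation and the workaround are now in different tasks. Move the comment above the `latest-package-release` `cmd:` line so they stay together, and while touching it, `an upgrade issue with k3s 1.31.7` reads better than `with the k3s 1.31.7`.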
diff --git a/tasks/test.yaml b/tasks/test.yaml index 139945c971..772cebe573 100644 --- a/tasks/test.yaml +++ b/tasks/test.yaml @@ -14,8 +14,8 @@ includes: - test-resources: ../src/test/tasks.yaml - base-layer: ../packages/base/tasks.yaml - idam-layer: ../packages/identity-authorization/tasks.yaml - - common-setup: https://raw.githubusercontent.com/defenseunicorns/uds-common/refs/tags/v1.11.0/tasks/setup.yaml - - compliance: https://raw.githubusercontent.com/defenseunicorns/uds-common/v1.11.0/tasks/compliance.yaml + - common-setup: https://raw.githubusercontent.com/defenseunicorns/uds-common/refs/tags/v1.11.1/tasks/setup.yaml + - compliance: https://raw.githubusercontent.com/defenseunicorns/uds-common/v1.11.1/tasks/compliance.yaml tasks: - name: base diff --git a/test/jest/package-lock.json b/test/jest/package-lock.json index fb90678381..e68dd6a7e8 100644 --- a/test/jest/package-lock.json +++ b/test/jest/package-lock.json @@ -1245,9 +1245,9 @@ "dev": true }, "node_modules/@types/node": { - "version": "22.13.13", - "resolved": "https://registry.npmjs.org/@types/node/-/node-22.13.13.tgz", - "integrity": "sha512-ClsL5nMwKaBRwPcCvH8E7+nU4GxHVx1axNvMZTFHMEfNI7oahimt26P5zjVCRrjiIWj6YFXfE1v3dEp94wLcGQ==", + "version": "22.13.14", + "resolved": "https://registry.npmjs.org/@types/node/-/node-22.13.14.tgz", + "integrity": "sha512-Zs/Ollc1SJ8nKUAgc7ivOEdIBM8JAKgrqqUYi2J997JuKO7/tpQC+WCetQ1sypiKCQWHdvdg9wBNpUPEWZae7w==", "dev": true, "license": "MIT", "dependencies": { diff --git a/test/playwright/package-lock.json b/test/playwright/package-lock.json index 9c6ee45b63..f8cf3611bd 100644 --- a/test/playwright/package-lock.json +++ b/test/playwright/package-lock.json 
@@ -28,9 +28,9 @@ } }, "node_modules/@types/node": { - "version": "22.13.13", - "resolved": "https://registry.npmjs.org/@types/node/-/node-22.13.13.tgz", - "integrity": "sha512-ClsL5nMwKaBRwPcCvH8E7+nU4GxHVx1axNvMZTFHMEfNI7oahimt26P5zjVCRrjiIWj6YFXfE1v3dEp94wLcGQ==", + "version": "22.13.14", + "resolved": "https://registry.npmjs.org/@types/node/-/node-22.13.14.tgz", + "integrity": "sha512-Zs/Ollc1SJ8nKUAgc7ivOEdIBM8JAKgrqqUYi2J997JuKO7/tpQC+WCetQ1sypiKCQWHdvdg9wBNpUPEWZae7w==", "dev": true, "license": "MIT", "dependencies": { From 58a465eea55602177071194fbdc08cb2a1e29fc6 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Sebastian=20=C5=81askawiec?= Date: Fri, 28 Mar 2025 19:27:19 +0100 Subject: [PATCH 089/118] feat: theme customization (#1382) ## Description This Pull Request introduces basic theme customization capabilities. The customization is opinionated and limited to: * Background image * Logo * Footer * Favicon This Pull Request depends on https://github.com/defenseunicorns/uds-identity-config/pull/387 ## Related Issue Fixes https://github.com/defenseunicorns/uds-identity-config/issues/319 ## Type of change - [ ] Bug fix (non-breaking change which fixes an issue) - [x] New feature (non-breaking change which adds functionality) - [ ] Other (security config, docs update, etc) ## Steps to Validate 1. Run `uds run dev-setup && npx pepr deploy --confirm` 2. Create a Keycloak Namespace and the ConfigMap with the images: ```yaml apiVersion: v1 kind: Namespace metadata: name: keycloak labels: name: keycloak --- apiVersion: v1 kind: ConfigMap metadata: name: keycloak-theme-overrides namespace: keycloak binaryData: background.jpg: /9j/4AAQSkZJRgABAQEAAAAAAAD/2wBDAAoHBwkHBgoJCAkLCwoMDxkQDw4ODx4WFxIZJCAmJSMgIyIuKjYp logo.svg: PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHdpZHRoPSIxMDAiIGhlaWdodD0iMTAwIj4KICA8Y2lyY2xlIGN4PSI1MCIgY3k9IjUwIiByPSI1MCIgZmlsbD0iIzAwMDAwMCIvPgogIDxwYXRoIGQ9Ik0yNTAsNTAgQzEwMCw1MCAwLDEwIDAsMTAgQzEwLDIwIDAsMzAgMCwyMCAiIGZpbGw9IiMwMDAwMDAiLz4KPC9zdmc+Cg== favicon.svg: PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHdpZHRoPSIxMDAiIGhlaWdodD0iMTAwIj4KICA8Y2lyY2xlIGN4PSI1MCIgY3k9IjUwIiByPSI1MCIgZmlsbD0iIzAwMDAwMCIvPgogIDxwYXRoIGQ9Ik0yNTAsNTAgQzEwMCw1MCAwLDEwIDAsMTAgQzEwLDIwIDAsMzAgMCwyMCAiIGZpbGw9IiMwMDAwMDAiLz4KPC9zdmc+Cg== footer.png: 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 ``` 3. Apply the above to the cluster 4. 
Modify the Keycloak `values.yaml` and insert: ```yaml themeCustomizations: resources: images: - name: background.jpg configmap: name: keycloak-theme-overrides - name: footer.png configmap: name: keycloak-theme-overrides - name: logo.svg configmap: name: keycloak-theme-overrides - name: favicon.svg configmap: name: keycloak-theme-overrides ``` 6. Deploy Keycloak as usual - `uds run dev-deploy --set LAYER=identity-authorization` 7. Navigate to the `uds-identity-config` project with cloned https://github.com/defenseunicorns/uds-identity-config/pull/387 8. (there's probably a better way, but I'm doing this) Deploy the customized initContainer: 7a. Run `uds run dev-build` 7b. Run `tag docker tag uds-core-config:keycloak ghcr.io/defenseunicorns/uds/identity-config:0.10.2` 7c. Run `k3d image import -c uds ghcr.io/defenseunicorns/uds/identity-config:0.10.2` 7d. Rotate Keycloak Pod 7e. Verify that your Keycloak is running the image from the PR 9. Go to https://sso.uds.dev and noticed changed theme obraz ## Checklist before merging - [x] Test, docs, adr added or updated as needed - [x] [Contributor Guide](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md) followed --- src/keycloak/chart/templates/statefulset.yaml | 18 ++++++++++ src/keycloak/chart/values.schema.json | 33 +++++++++++++++++-- src/keycloak/chart/values.yaml | 17 ++++++++++ 3 files changed, 66 insertions(+), 2 deletions(-) diff --git a/src/keycloak/chart/templates/statefulset.yaml b/src/keycloak/chart/templates/statefulset.yaml index 733d4d7dd6..2269e87f92 100644 --- a/src/keycloak/chart/templates/statefulset.yaml +++ b/src/keycloak/chart/templates/statefulset.yaml 
@@ -53,6 +53,10 @@ spec: mountPath: /opt/keycloak/themes - name: conf mountPath: /opt/keycloak/conf + {{- if and .Values.themeCustomizations .Values.themeCustomizations.resources .Values.themeCustomizations.resources.images }} + - name: theme-overrides + mountPath: /opt/keycloak/theme-overrides + {{- end }} envFrom: - secretRef: name: {{ include "keycloak.fullname" . }}-realm-env @@ -289,3 +293,17 @@ spec: {{- else }} emptyDir: {} {{- end }} + {{- if and .Values.themeCustomizations .Values.themeCustomizations.resources .Values.themeCustomizations.resources.images }} + - name: theme-overrides + projected: + sources: + {{- range $image := .Values.themeCustomizations.resources.images }} + {{- if $image.configmap.name }} + - configMap: + name: {{ $image.configmap.name }} + items: + - key: {{ $image.name }} + path: {{ $image.name }} + {{- end }} + {{- end }} + {{- end }} diff --git a/src/keycloak/chart/values.schema.json b/src/keycloak/chart/values.schema.json index 80038d2d56..a08a453fe6 100644 --- a/src/keycloak/chart/values.schema.json +++ b/src/keycloak/chart/values.schema.json @@ -453,8 +453,37 @@ "type": "string" } }, - "required": [ "name", "value" ] + "required": ["name", "value"] + } + }, + "themeCustomizations": { + "type": "object", + "properties": { + "resources": { + "type": "object", + "properties": { + "images": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "enum": ["background.jpg", "footer.png", "logo.svg", "favicon.svg"] + }, + "configmap": { + "type": "object", + "properties": { + "name": { + "type": "string" + } + } + } + } + } + } + } + } } } } -} +} \ No newline at end of file diff --git a/src/keycloak/chart/values.yaml b/src/keycloak/chart/values.yaml index 7a8927a8c0..305f4f700a 100644 --- a/src/keycloak/chart/values.yaml +++ b/src/keycloak/chart/values.yaml 
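Review bot: `{{- if $image.configmap.name }}` in the new projected-volume loop fails at render time when an `images` entry has no `configmap` key, because Go templates cannot evaluate `.name` on a nil value, and the `values.schema.json` block added in the next hunk of this commit does not make `configmap` (or `name`) required, so the schema lets exactly that input through. Guard both levels, `{{- if and $image.configmap $image.configmap.name }}`, or add `"required": ["name", "configmap"]` to the item schema so a bad entry is reported as a schema violation rather than a template error; either way the template's optionality and the schema's should agree. The schema hunk also drops the file's trailing newline (`\ No newline at end of file`).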
@@ -54,6 +54,23 @@ realmAuthFlows:
 WEBAUTHN_ENABLED: false
 X509_MFA_ENABLED: false
 
+# Theme customizations with allowed types. More info here: https://github.com/defenseunicorns/uds-identity-config/blob/main/docs/reference/UDS%20Core/IdAM/customization.md#branding-customizations
+#themeCustomizations:
+# resources:
+# images:
+# - name: background.jpg
+# configmap:
+# name: keycloak-theme-overrides
+# - name: footer.png
+# configmap:
+# name: keycloak-theme-overrides
+# - name: logo.svg
+# configmap:
+# name: keycloak-theme-overrides
+# - name: favicon.svg
+# configmap:
+# name: keycloak-theme-overrides
+
 # Generates an initial password for first admin user - only use if install is headless
 # (i.e. cannot hit keycloak UI with `zarf connect keycloak`), password should be changed after initial login
 insecureAdminPasswordGeneration:
From c67f950c0e89d38b203437d6412873e3758d008a Mon Sep 17 00:00:00 2001
From: Chance <139784371+UnicornChance@users.noreply.github.com> Date: Mon, 31 Mar 2025 11:13:17 -0600 Subject: [PATCH 090/118] fix: add delete credential keycloak secret value (#1398) ## Description After enabling webauthn passkeys, we need to be able to allow users to delete their passkey so that they can re-add that passkey. These changes don't change the existing behavior of core or identity config. ## Related Issue Relates to this Identity Config [issue](https://github.com/defenseunicorns/uds-identity-config/issues/397) Relates to this Identity Config [PR](https://github.com/defenseunicorns/uds-identity-config/pull/398) ## Type of change - [x] Bug fix (non-breaking change which fixes an issue) - [ ] New feature (non-breaking change which adds functionality) - [ ] Other (security config, docs update, etc) ## Steps to Validate - steps to validate will be in [the identity-config PR](https://github.com/defenseunicorns/uds-identity-config/pull/398) ## Checklist before merging - [x] Test, docs, adr added or updated as needed - [x] [Contributor Guide](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md) followed --- src/keycloak/chart/templates/secret-kc-realm.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/src/keycloak/chart/templates/secret-kc-realm.yaml b/src/keycloak/chart/templates/secret-kc-realm.yaml index b52e6a018e..a1f4c00508 100644 --- a/src/keycloak/chart/templates/secret-kc-realm.yaml +++ b/src/keycloak/chart/templates/secret-kc-realm.yaml 
@@ -31,4 +31,5 @@ data:
 WEBAUTHN_FLOW_ENABLED: {{ ternary "REQUIRED" "DISABLED" (.Values.realmAuthFlows.WEBAUTHN_ENABLED) | b64enc }}
 X509_MFA_ENABLED: {{ .Values.realmAuthFlows.X509_MFA_ENABLED | toString | b64enc }}
 X509_MFA_FLOW_ENABLED: {{ ternary "REQUIRED" "DISABLED" (.Values.realmAuthFlows.X509_MFA_ENABLED) | b64enc }}
+ MFA_ENABLED: {{ or .Values.realmAuthFlows.OTP_ENABLED .Values.realmAuthFlows.WEBAUTHN_ENABLED | toString | b64enc }}
 MFA_FLOW_ENABLED: {{ ternary "REQUIRED" "DISABLED" (or .Values.realmAuthFlows.OTP_ENABLED .Values.realmAuthFlows.WEBAUTHN_ENABLED) | b64enc }}
From 3c51efe662c783b1c3a3e67b4e18c913e5e69628 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 31 Mar 2025 16:56:00 -0600 Subject: [PATCH 091/118] chore(deps): update keycloak to v0.11.1 (#1400) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This PR contains the following updates: | Package | Update | Change | |---|---|---| | [defenseunicorns/uds-identity-config](https://redirect.github.com/defenseunicorns/uds-identity-config) | minor | `0.10.2` -> `0.11.1` | | [defenseunicorns/uds-identity-config](https://redirect.github.com/defenseunicorns/uds-identity-config) | minor | `v0.10.2` -> `v0.11.1` | | [ghcr.io/defenseunicorns/uds/identity-config](https://images.chainguard.dev/directory/image/busybox/overview) ([source](https://redirect.github.com/chainguard-images/images/tree/HEAD/images/busybox)) | minor | `0.10.2` -> `0.11.1` | --- ### Release Notes
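Review bot: `MFA_ENABLED` and the existing `MFA_FLOW_ENABLED` on the next line are two encodings of the same `or OTP_ENABLED WEBAUTHN_ENABLED` condition, but nothing in the template records that, so a later edit to one can silently diverge from the other. Go-template `or` returns its first truthy operand rather than a boolean, so the `toString` form only yields `true`/`false` while both flags are real booleans; the `ternary` on the adjacent line already rejects non-boolean values at render time, which makes that a safe assumption today but one worth stating. A comment above the pair, e.g. `# MFA_ENABLED and MFA_FLOW_ENABLED must stay derived from the same OTP/WebAuthn condition`, would pin it; the commit description suggests the identity-config init container is the consumer, which the comment could name once confirmed. The Secret's `data:` block begins outside the hunk.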
defenseunicorns/uds-identity-config (defenseunicorns/uds-identity-config) ### [`v0.11.1`](https://redirect.github.com/defenseunicorns/uds-identity-config/releases/tag/v0.11.1) [Compare Source](https://redirect.github.com/defenseunicorns/uds-identity-config/compare/v0.11.0...v0.11.1) ##### Bug Fixes - rename auth flow ([#​404](https://redirect.github.com/defenseunicorns/uds-identity-config/issues/404)) ([a3e19e1](https://redirect.github.com/defenseunicorns/uds-identity-config/commit/a3e19e1693f5ddc797eee74b8749681a1453ff55)) ### [`v0.11.0`](https://redirect.github.com/defenseunicorns/uds-identity-config/releases/tag/v0.11.0) [Compare Source](https://redirect.github.com/defenseunicorns/uds-identity-config/compare/v0.10.2...v0.11.0) ##### ⚠ BREAKING CHANGES - AWS has a character limit that is applied to the Tag value, which is where the groups are mapped from when utilizing the UDS Core AWS Group Mapper. This fix filters groups to only include groups containing a `-aws-` string. ##### Features - add alternative subflow for idp redirector ([#​383](https://redirect.github.com/defenseunicorns/uds-identity-config/issues/383)) ([eb70131](https://redirect.github.com/defenseunicorns/uds-identity-config/commit/eb70131dacda763bc71625dbbf6d076dd7198ca0)) - pepr Keycloak Client management ([#​358](https://redirect.github.com/defenseunicorns/uds-identity-config/issues/358)) ([70cdb8a](https://redirect.github.com/defenseunicorns/uds-identity-config/commit/70cdb8a20ebcfc977a5036f135f0555f2d2524ab)) - theme customization ([#​387](https://redirect.github.com/defenseunicorns/uds-identity-config/issues/387)) ([12a46f0](https://redirect.github.com/defenseunicorns/uds-identity-config/commit/12a46f08f89f7c67502887fd5e97ee751968605d)) - webauthn and mfa everywhere ([#​380](https://redirect.github.com/defenseunicorns/uds-identity-config/issues/380)) ([aaf0d39](https://redirect.github.com/defenseunicorns/uds-identity-config/commit/aaf0d3991af0b0e6313ded65b0dda8af42202fc7)) ##### Bug Fixes - 
add credential deletion configuration ([#​398](https://redirect.github.com/defenseunicorns/uds-identity-config/issues/398)) ([83bc044](https://redirect.github.com/defenseunicorns/uds-identity-config/commit/83bc044f4597f4405a45fd020df3332c945234f1)) - broken cypress tests ([#​360](https://redirect.github.com/defenseunicorns/uds-identity-config/issues/360)) ([efa7ffe](https://redirect.github.com/defenseunicorns/uds-identity-config/commit/efa7ffeca1286683131e934d34296e2415c7d254)) - broken docs link ([#​355](https://redirect.github.com/defenseunicorns/uds-identity-config/issues/355)) ([45067dd](https://redirect.github.com/defenseunicorns/uds-identity-config/commit/45067dd2b8c141d186bc557c575504202787640a)) - **deps:** update plugin-deps ([#​357](https://redirect.github.com/defenseunicorns/uds-identity-config/issues/357)) ([54f74a7](https://redirect.github.com/defenseunicorns/uds-identity-config/commit/54f74a78444a173341d27723eec2f016e2087ef4)) - **deps:** update plugin-deps to v26.1.4 ([#​370](https://redirect.github.com/defenseunicorns/uds-identity-config/issues/370)) ([4a089d8](https://redirect.github.com/defenseunicorns/uds-identity-config/commit/4a089d8f01f4411835a18907d8b9773072ee30f5)) - limit aws groups mapper to only groups with -aws- in name ([https://github.com/defenseunicorns/uds-identity-config/pull/378](https://redirect.github.com/defenseunicorns/uds-identity-config/pull/378)) ([6141004](https://redirect.github.com/defenseunicorns/uds-identity-config/commit/6141004359187bc8be3de488fe7c0260f7993542)) ##### Miscellaneous - **deps:** update actions/setup-node action to v4.3.0 ([#​377](https://redirect.github.com/defenseunicorns/uds-identity-config/issues/377)) ([e54e416](https://redirect.github.com/defenseunicorns/uds-identity-config/commit/e54e4164e9a7d6ff3d5b2dba4aa63db95910d18e)) - **deps:** update actions/upload-artifact action to v4.6.2 ([#​391](https://redirect.github.com/defenseunicorns/uds-identity-config/issues/391)) 
([ba20f23](https://redirect.github.com/defenseunicorns/uds-identity-config/commit/ba20f230eba4c758054862a49f72b735b7ae19e2)) - **deps:** update all dependencies ([#​349](https://redirect.github.com/defenseunicorns/uds-identity-config/issues/349)) ([ab852f8](https://redirect.github.com/defenseunicorns/uds-identity-config/commit/ab852f8d380ceff0f46f1fe77c42c8276a18fdd3)) - **deps:** update all dependencies ([#​361](https://redirect.github.com/defenseunicorns/uds-identity-config/issues/361)) ([0f293f5](https://redirect.github.com/defenseunicorns/uds-identity-config/commit/0f293f5d8148dfef42d3882ac8047a45e5afab1a)) - **deps:** update all dependencies ([#​382](https://redirect.github.com/defenseunicorns/uds-identity-config/issues/382)) ([018e74f](https://redirect.github.com/defenseunicorns/uds-identity-config/commit/018e74f6ef82ce372df919f1b21297a7a2bfbdaa)) - **deps:** update all dependencies ([#​388](https://redirect.github.com/defenseunicorns/uds-identity-config/issues/388)) ([fb1e21b](https://redirect.github.com/defenseunicorns/uds-identity-config/commit/fb1e21b09f0a83539671b66a1ddc6c036696969e)) - **deps:** update dependency cypress to v14.2.0 ([#​371](https://redirect.github.com/defenseunicorns/uds-identity-config/issues/371)) ([e7f8593](https://redirect.github.com/defenseunicorns/uds-identity-config/commit/e7f859368e0c9aba68677c37daa845e056936205)) - **deps:** update dependency defenseunicorns/uds-common to v1.10.2 ([#​366](https://redirect.github.com/defenseunicorns/uds-identity-config/issues/366)) ([dc7ab7d](https://redirect.github.com/defenseunicorns/uds-identity-config/commit/dc7ab7d53a5e662ddae36b8ebfc842516bcf2e52)) - **deps:** update dependency defenseunicorns/uds-common to v1.10.3 ([#​367](https://redirect.github.com/defenseunicorns/uds-identity-config/issues/367)) ([fe4c7f7](https://redirect.github.com/defenseunicorns/uds-identity-config/commit/fe4c7f7abf437850281ad3f7b65d6e95b074969b)) - **deps:** update dependency defenseunicorns/uds-common to v1.11.2 
([#​392](https://redirect.github.com/defenseunicorns/uds-identity-config/issues/392)) ([cb43062](https://redirect.github.com/defenseunicorns/uds-identity-config/commit/cb4306205121e5265fb8d15dedc943b81c924f21)) - **deps:** update dependency zarf-dev/zarf to v0.49.1 ([#​362](https://redirect.github.com/defenseunicorns/uds-identity-config/issues/362)) ([b320ec2](https://redirect.github.com/defenseunicorns/uds-identity-config/commit/b320ec2ba1ad1fdfaea629ca28d5aadb62b778a1)) - **deps:** update docker image ghcr.io/defenseunicorns/packages/uds-k3d to v0.12.1 ([#​393](https://redirect.github.com/defenseunicorns/uds-identity-config/issues/393)) ([763752d](https://redirect.github.com/defenseunicorns/uds-identity-config/commit/763752da6ade329f9288fe01d468360cdbd3543a)) - **deps:** update docker image ghcr.io/zarf-dev/packages/init to v0.49.1 ([#​363](https://redirect.github.com/defenseunicorns/uds-identity-config/issues/363)) ([361b0b8](https://redirect.github.com/defenseunicorns/uds-identity-config/commit/361b0b87fed70a3b13b633737125c6a8dbf4b794)) - **deps:** update docker/login-action action to v3.4.0 ([#​374](https://redirect.github.com/defenseunicorns/uds-identity-config/issues/374)) ([c92956c](https://redirect.github.com/defenseunicorns/uds-identity-config/commit/c92956cfd7d072cbb9c67c53e47236d688145aa9)) - **deps:** update gha-deps ([#​356](https://redirect.github.com/defenseunicorns/uds-identity-config/issues/356)) ([4af68da](https://redirect.github.com/defenseunicorns/uds-identity-config/commit/4af68dae52c87cd0f36bbe1f48523a5ee5b0beed)) - **deps:** update gha-deps to v0.23.0 ([#​364](https://redirect.github.com/defenseunicorns/uds-identity-config/issues/364)) ([639a77d](https://redirect.github.com/defenseunicorns/uds-identity-config/commit/639a77d1a62a169304da6859c4cd1a7507b09265)) - **deps:** update gha-deps to v0.24.0 ([#​376](https://redirect.github.com/defenseunicorns/uds-identity-config/issues/376)) 
([c3bb9f1](https://redirect.github.com/defenseunicorns/uds-identity-config/commit/c3bb9f1373dff215c5c62fbe36341e8529e90b84)) - **deps:** update gha-deps to v0.25.0 ([#​384](https://redirect.github.com/defenseunicorns/uds-identity-config/issues/384)) ([da1dea3](https://redirect.github.com/defenseunicorns/uds-identity-config/commit/da1dea3a5eb82af4f10223d8aa497c60376765af)) - **deps:** update gha-deps to v19.8.0 ([#​365](https://redirect.github.com/defenseunicorns/uds-identity-config/issues/365)) ([be3f7c7](https://redirect.github.com/defenseunicorns/uds-identity-config/commit/be3f7c778c67e8ba0071c96b5c9a33d1c61d65af)) - **deps:** update plugin-deps to v3.5.3 ([#​399](https://redirect.github.com/defenseunicorns/uds-identity-config/issues/399)) ([b0e3d52](https://redirect.github.com/defenseunicorns/uds-identity-config/commit/b0e3d52e3a5249053d645ae78724de7c67aee662)) - **doc:** add new section about upgrading identity config ([#​353](https://redirect.github.com/defenseunicorns/uds-identity-config/issues/353)) ([67c99a8](https://redirect.github.com/defenseunicorns/uds-identity-config/commit/67c99a8d711382a73737a585149a0d18cd4153fb)) - update doc for custom image ([#​375](https://redirect.github.com/defenseunicorns/uds-identity-config/issues/375)) ([2cd4955](https://redirect.github.com/defenseunicorns/uds-identity-config/commit/2cd4955b4044a1c557cbf5500b3992ddf9c5f721))
--- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about these updates again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/defenseunicorns/uds-core). Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- src/keycloak/chart/values.yaml | 2 +- src/keycloak/tasks.yaml | 2 +- src/keycloak/zarf.yaml | 6 +++--- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/src/keycloak/chart/values.yaml b/src/keycloak/chart/values.yaml index 305f4f700a..742ecd4c62 100644 --- a/src/keycloak/chart/values.yaml +++ b/src/keycloak/chart/values.yaml @@ -10,7 +10,7 @@ image: pullPolicy: IfNotPresent # renovate: datasource=github-tags depName=defenseunicorns/uds-identity-config versioning=semver -configImage: ghcr.io/defenseunicorns/uds/identity-config:0.10.2 +configImage: ghcr.io/defenseunicorns/uds/identity-config:0.11.1 # The public domain name of the Keycloak server domain: "###ZARF_VAR_DOMAIN###" diff --git a/src/keycloak/tasks.yaml b/src/keycloak/tasks.yaml index 4b508fcbd7..9b882f7979 100644 --- a/src/keycloak/tasks.yaml +++ b/src/keycloak/tasks.yaml @@ -2,7 +2,7 @@ # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial includes: - - config: https://raw.githubusercontent.com/defenseunicorns/uds-identity-config/v0.10.2/tasks.yaml + - config: https://raw.githubusercontent.com/defenseunicorns/uds-identity-config/v0.11.1/tasks.yaml tasks: - name: validate diff --git a/src/keycloak/zarf.yaml b/src/keycloak/zarf.yaml index f13e16b974..97b3494b20 100644 
--- a/src/keycloak/zarf.yaml
+++ b/src/keycloak/zarf.yaml
@@ -27,7 +27,7 @@ components:
 - "values/upstream-values.yaml"
 images:
 - quay.io/keycloak/keycloak:26.1.4
- - ghcr.io/defenseunicorns/uds/identity-config:0.10.2
+ - ghcr.io/defenseunicorns/uds/identity-config:0.11.1
 
 - name: keycloak
 required: true
@@ -41,7 +41,7 @@ components:
 - "values/registry1-values.yaml"
 images:
 - registry1.dso.mil/ironbank/opensource/keycloak/keycloak:26.1.4
- - ghcr.io/defenseunicorns/uds/identity-config:0.10.2
+ - ghcr.io/defenseunicorns/uds/identity-config:0.11.1
 
 - name: keycloak
 required: true
@@ -55,4 +55,4 @@ components:
 - "values/unicorn-values.yaml"
 images:
 - cgr.dev/du-uds-defenseunicorns/keycloak:26.1.4 # todo: switch to FIPS image
- - ghcr.io/defenseunicorns/uds/identity-config:0.10.2
+ - ghcr.io/defenseunicorns/uds/identity-config:0.11.1
From 94c56517f6ab2299c9a221ccc0ada7e48ed0fe57 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 1 Apr 2025 08:47:42 -0600 Subject: [PATCH 092/118] chore(deps): update support-deps (#1392) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | Type | Update | |---|---|---|---|---|---|---|---| | [@types/node](https://redirect.github.com/DefinitelyTyped/DefinitelyTyped/tree/master/types/node) ([source](https://redirect.github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node)) | [`22.13.14` -> `22.13.15`](https://renovatebot.com/diffs/npm/@types%2fnode/22.13.14/22.13.15) | [![age](https://developer.mend.io/api/mc/badges/age/npm/@types%2fnode/22.13.15?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/@types%2fnode/22.13.15?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/@types%2fnode/22.13.14/22.13.15?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@types%2fnode/22.13.14/22.13.15?slim=true)](https://docs.renovatebot.com/merge-confidence/) | devDependencies | patch | | azurerm | `4.24.0` -> `4.25.0` | [![age](https://developer.mend.io/api/mc/badges/age/terraform-provider/hashicorp%2fazurerm/4.25.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/terraform-provider/hashicorp%2fazurerm/4.25.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/terraform-provider/hashicorp%2fazurerm/4.24.0/4.25.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | 
[![confidence](https://developer.mend.io/api/mc/badges/confidence/terraform-provider/hashicorp%2fazurerm/4.24.0/4.25.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | required_provider | minor | | [defenseunicorns/uds-common](https://redirect.github.com/defenseunicorns/uds-common) | `v1.11.1` -> `v1.11.2` | [![age](https://developer.mend.io/api/mc/badges/age/github-tags/defenseunicorns%2fuds-common/v1.11.2?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/github-tags/defenseunicorns%2fuds-common/v1.11.2?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/github-tags/defenseunicorns%2fuds-common/v1.11.1/v1.11.2?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/github-tags/defenseunicorns%2fuds-common/v1.11.1/v1.11.2?slim=true)](https://docs.renovatebot.com/merge-confidence/) | | patch | | [kubernetes-fluent-client](https://redirect.github.com/defenseunicorns/kubernetes-fluent-client) | [`3.4.5` -> `3.4.6`](https://renovatebot.com/diffs/npm/kubernetes-fluent-client/3.4.5/3.4.6) | [![age](https://developer.mend.io/api/mc/badges/age/npm/kubernetes-fluent-client/3.4.6?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/kubernetes-fluent-client/3.4.6?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/kubernetes-fluent-client/3.4.5/3.4.6?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/kubernetes-fluent-client/3.4.5/3.4.6?slim=true)](https://docs.renovatebot.com/merge-confidence/) | devDependencies | patch | | [ts-jest](https://kulshekhar.github.io/ts-jest) 
([source](https://redirect.github.com/kulshekhar/ts-jest)) | [`29.3.0` -> `29.3.1`](https://renovatebot.com/diffs/npm/ts-jest/29.3.0/29.3.1) | [![age](https://developer.mend.io/api/mc/badges/age/npm/ts-jest/29.3.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/ts-jest/29.3.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/ts-jest/29.3.0/29.3.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/ts-jest/29.3.0/29.3.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | devDependencies | patch | --- ### Release Notes
defenseunicorns/uds-common (defenseunicorns/uds-common) ### [`v1.11.2`](https://redirect.github.com/defenseunicorns/uds-common/releases/tag/v1.11.2) [Compare Source](https://redirect.github.com/defenseunicorns/uds-common/compare/v1.11.1...v1.11.2) ##### Miscellaneous - **deps:** update support-deps to v0.0.9 ([#​452](https://redirect.github.com/defenseunicorns/uds-common/issues/452)) ([a33e06f](https://redirect.github.com/defenseunicorns/uds-common/commit/a33e06f4e0d65e6ccfcc8f6f426aa4f9aa1f05fb))
defenseunicorns/kubernetes-fluent-client (kubernetes-fluent-client) ### [`v3.4.6`](https://redirect.github.com/defenseunicorns/kubernetes-fluent-client/releases/tag/v3.4.6) [Compare Source](https://redirect.github.com/defenseunicorns/kubernetes-fluent-client/compare/v3.4.5...v3.4.6) ##### Bug Fixes - bump the development-dependencies group with 3 updates ([#​602](https://redirect.github.com/defenseunicorns/kubernetes-fluent-client/issues/602)) ([5cbc885](https://redirect.github.com/defenseunicorns/kubernetes-fluent-client/commit/5cbc885e160b63fbea7fa9ef35e49f361f6cedf3)), closes [#​11000](https://redirect.github.com/defenseunicorns/kubernetes-fluent-client/issues/11000) [#​10961](https://redirect.github.com/defenseunicorns/kubernetes-fluent-client/issues/10961) [#​10993](https://redirect.github.com/defenseunicorns/kubernetes-fluent-client/issues/10993) [#​10981](https://redirect.github.com/defenseunicorns/kubernetes-fluent-client/issues/10981) [#​10957](https://redirect.github.com/defenseunicorns/kubernetes-fluent-client/issues/10957) [#​10963](https://redirect.github.com/defenseunicorns/kubernetes-fluent-client/issues/10963) [#​11000](https://redirect.github.com/defenseunicorns/kubernetes-fluent-client/issues/11000) [#​10963](https://redirect.github.com/defenseunicorns/kubernetes-fluent-client/issues/10963) [#​10957](https://redirect.github.com/defenseunicorns/kubernetes-fluent-client/issues/10957) [#​10981](https://redirect.github.com/defenseunicorns/kubernetes-fluent-client/issues/10981) [#​10993](https://redirect.github.com/defenseunicorns/kubernetes-fluent-client/issues/10993) [#​10961](https://redirect.github.com/defenseunicorns/kubernetes-fluent-client/issues/10961) [#​11001](https://redirect.github.com/defenseunicorns/kubernetes-fluent-client/issues/11001) [#​10957](https://redirect.github.com/defenseunicorns/kubernetes-fluent-client/issues/10957) [#​11007](https://redirect.github.com/defenseunicorns/kubernetes-fluent-client/issues/11007) 
[#​11000](https://redirect.github.com/defenseunicorns/kubernetes-fluent-client/issues/11000) [#​10961](https://redirect.github.com/defenseunicorns/kubernetes-fluent-client/issues/10961) [#​10993](https://redirect.github.com/defenseunicorns/kubernetes-fluent-client/issues/10993) [#​10981](https://redirect.github.com/defenseunicorns/kubernetes-fluent-client/issues/10981) [#​10957](https://redirect.github.com/defenseunicorns/kubernetes-fluent-client/issues/10957) [#​10963](https://redirect.github.com/defenseunicorns/kubernetes-fluent-client/issues/10963)
kulshekhar/ts-jest (ts-jest) ### [`v29.3.1`](https://redirect.github.com/kulshekhar/ts-jest/blob/HEAD/CHANGELOG.md#2931-2025-03-31) [Compare Source](https://redirect.github.com/kulshekhar/ts-jest/compare/v29.3.0...v29.3.1) ##### Bug Fixes - fix: allow `isolatedModules` mode to have `ts.Program` under `Node16/Next` ([25157eb](https://redirect.github.com/kulshekhar/ts-jest/commit/25157eb)) - fix: improve message for `isolatedModules` of `ts-jest` config ([547eb6f](https://redirect.github.com/kulshekhar/ts-jest/commit/547eb6f))
--- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/defenseunicorns/uds-core). Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- .github/test-infra/azure/aks/versions.tf | 2 +- tasks/create.yaml | 2 +- tasks/lint.yaml | 2 +- tasks/test.yaml | 4 +-- test/jest/package-lock.json | 36 ++++++++++++------------ test/playwright/package-lock.json | 6 ++-- 6 files changed, 26 insertions(+), 26 deletions(-) diff --git a/.github/test-infra/azure/aks/versions.tf b/.github/test-infra/azure/aks/versions.tf index b8c534a248..92aad361d7 100644 --- a/.github/test-infra/azure/aks/versions.tf +++ b/.github/test-infra/azure/aks/versions.tf @@ -11,7 +11,7 @@ terraform { } azurerm = { source = "hashicorp/azurerm" - version = "4.24.0" + version = "4.25.0" } } } diff --git a/tasks/create.yaml b/tasks/create.yaml index 9ed0e744e5..294064495d 100644 --- a/tasks/create.yaml +++ b/tasks/create.yaml @@ -3,7 +3,7 @@ includes: - - common: https://raw.githubusercontent.com/defenseunicorns/uds-common/v1.11.1/tasks/create.yaml + - common: https://raw.githubusercontent.com/defenseunicorns/uds-common/v1.11.2/tasks/create.yaml variables: - name: FLAVOR diff --git a/tasks/lint.yaml b/tasks/lint.yaml index d5be951c8c..663b5f169d 100644 --- a/tasks/lint.yaml +++ b/tasks/lint.yaml 
@@ -2,7 +2,7 @@ # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial includes: - - remote: https://raw.githubusercontent.com/defenseunicorns/uds-common/v1.11.1/tasks/lint.yaml + - remote: https://raw.githubusercontent.com/defenseunicorns/uds-common/v1.11.2/tasks/lint.yaml tasks: - name: fix diff --git a/tasks/test.yaml b/tasks/test.yaml index 772cebe573..63e3d86d3d 100644 --- a/tasks/test.yaml +++ b/tasks/test.yaml @@ -14,8 +14,8 @@ includes: - test-resources: ../src/test/tasks.yaml - base-layer: ../packages/base/tasks.yaml - idam-layer: ../packages/identity-authorization/tasks.yaml - - common-setup: https://raw.githubusercontent.com/defenseunicorns/uds-common/refs/tags/v1.11.1/tasks/setup.yaml - - compliance: https://raw.githubusercontent.com/defenseunicorns/uds-common/v1.11.1/tasks/compliance.yaml + - common-setup: https://raw.githubusercontent.com/defenseunicorns/uds-common/refs/tags/v1.11.2/tasks/setup.yaml + - compliance: https://raw.githubusercontent.com/defenseunicorns/uds-common/v1.11.2/tasks/compliance.yaml tasks: - name: base diff --git a/test/jest/package-lock.json b/test/jest/package-lock.json index e68dd6a7e8..8e4d8cac99 100644 --- a/test/jest/package-lock.json +++ b/test/jest/package-lock.json @@ -1245,9 +1245,9 @@ "dev": true }, "node_modules/@types/node": { - "version": "22.13.14", - "resolved": "https://registry.npmjs.org/@types/node/-/node-22.13.14.tgz", - "integrity": "sha512-Zs/Ollc1SJ8nKUAgc7ivOEdIBM8JAKgrqqUYi2J997JuKO7/tpQC+WCetQ1sypiKCQWHdvdg9wBNpUPEWZae7w==", + "version": "22.13.15", + "resolved": "https://registry.npmjs.org/@types/node/-/node-22.13.15.tgz", + "integrity": "sha512-imAbQEEbVni6i6h6Bd5xkCRwLqFc8hihCsi2GbtDoAtUcAFQ6Zs4pFXTZUUbroTkXdImczWM9AI8eZUuybXE3w==", "dev": true, "license": "MIT", "dependencies": { 
@@ -3267,9 +3267,9 @@ } }, "node_modules/kubernetes-fluent-client": { - "version": "3.4.5", - "resolved": "https://registry.npmjs.org/kubernetes-fluent-client/-/kubernetes-fluent-client-3.4.5.tgz", - "integrity": "sha512-scJPf7KwQvLR+VhNS4EJzCxwmWRSgzLCyfcgqXV+SBoCDR0R6ZQ2IYtZngBuRrjkIAZBYy8M2kNHrF4XVSkNeA==", + "version": "3.4.6", + "resolved": "https://registry.npmjs.org/kubernetes-fluent-client/-/kubernetes-fluent-client-3.4.6.tgz", + "integrity": "sha512-n3U86mt9hFv0C7UrbGoUvZqfhmg/pCkPZesPZE6+ar64zs/wEFFD0AAJjKtzwWkCRZuI9XYKvXrNRqY1iAg4lw==", "dev": true, "license": "Apache-2.0", "dependencies": { @@ -3278,8 +3278,8 @@ "http-status-codes": "2.3.0", "node-fetch": "2.7.0", "quicktype-core": "23.0.171", - "type-fest": "4.37.0", - "undici": "7.5.0", + "type-fest": "4.38.0", + "undici": "7.6.0", "yargs": "17.7.2" }, "bin": { @@ -3290,9 +3290,9 @@ } }, "node_modules/kubernetes-fluent-client/node_modules/type-fest": { - "version": "4.37.0", - "resolved": "https://registry.npmjs.org/type-fest/-/type-fest-4.37.0.tgz", - "integrity": "sha512-S/5/0kFftkq27FPNye0XM1e2NsnoD/3FS+pBmbjmmtLT6I+i344KoOf7pvXreaFsDamWeaJX55nczA1m5PsBDg==", + "version": "4.38.0", + "resolved": "https://registry.npmjs.org/type-fest/-/type-fest-4.38.0.tgz", + "integrity": "sha512-2dBz5D5ycHIoliLYLi0Q2V7KRaDlH0uWIvmk7TYlAg5slqwiPv1ezJdZm1QEM0xgk29oYWMCbIG7E6gHpvChlg==", "dev": true, "license": "(MIT OR CC0-1.0)", "engines": { @@ -4428,9 +4428,9 @@ "dev": true }, "node_modules/ts-jest": { - "version": "29.3.0", - "resolved": "https://registry.npmjs.org/ts-jest/-/ts-jest-29.3.0.tgz", - "integrity": "sha512-4bfGBX7Gd1Aqz3SyeDS9O276wEU/BInZxskPrbhZLyv+c1wskDCqDFMJQJLWrIr/fKoAH4GE5dKUlrdyvo+39A==", + "version": "29.3.1", + "resolved": "https://registry.npmjs.org/ts-jest/-/ts-jest-29.3.1.tgz", + "integrity": "sha512-FT2PIRtZABwl6+ZCry8IY7JZ3xMuppsEV9qFVHOVe8jDzggwUZ9TsM4chyJxL9yi6LvkqcZYU3LmapEE454zBQ==", "dev": true, "license": "MIT", "dependencies": { 
@@ -4442,7 +4442,7 @@ "lodash.memoize": "^4.1.2", "make-error": "^1.3.6", "semver": "^7.7.1",
- "type-fest": "^4.37.0",
+ "type-fest": "^4.38.0",
"yargs-parser": "^21.1.1" }, "bin": {
@@ -4545,9 +4545,9 @@ } }, "node_modules/undici": {
- "version": "7.5.0",
- "resolved": "https://registry.npmjs.org/undici/-/undici-7.5.0.tgz",
- "integrity": "sha512-NFQG741e8mJ0fLQk90xKxFdaSM7z4+IQpAgsFI36bCDY9Z2+aXXZjVy2uUksMouWfMI9+w5ejOq5zYYTBCQJDQ==",
+ "version": "7.6.0",
+ "resolved": "https://registry.npmjs.org/undici/-/undici-7.6.0.tgz",
+ "integrity": "sha512-gaFsbThjrDGvAaD670r81RZro/s6H2PVZF640Qn0p5kZK+/rim7/mmyfp2W7VB5vOMaFM8vuFBJUaMlaZTYHlA==",
"dev": true, "license": "MIT", "engines": {
diff --git a/test/playwright/package-lock.json b/test/playwright/package-lock.json
index f8cf3611bd..7cf3cba56d 100644
--- a/test/playwright/package-lock.json
+++ b/test/playwright/package-lock.json
@@ -28,9 +28,9 @@ } }, "node_modules/@types/node": {
- "version": "22.13.14",
- "resolved": "https://registry.npmjs.org/@types/node/-/node-22.13.14.tgz",
- "integrity": "sha512-Zs/Ollc1SJ8nKUAgc7ivOEdIBM8JAKgrqqUYi2J997JuKO7/tpQC+WCetQ1sypiKCQWHdvdg9wBNpUPEWZae7w==",
+ "version": "22.13.15",
+ "resolved": "https://registry.npmjs.org/@types/node/-/node-22.13.15.tgz",
+ "integrity": "sha512-imAbQEEbVni6i6h6Bd5xkCRwLqFc8hihCsi2GbtDoAtUcAFQ6Zs4pFXTZUUbroTkXdImczWM9AI8eZUuybXE3w==",
"dev": true, "license": "MIT", "dependencies": {
From f98e90e29aca45c1c9b8092a475b239cb469503d Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 1 Apr 2025 09:25:16 -0600 Subject: [PATCH 093/118] chore(deps): update grafana (#1383) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This PR contains the following updates: | Package | Update | Change | |---|---|---| | [cgr.dev/du-uds-defenseunicorns/grafana-fips](https://images.chainguard.dev/directory/image/grafana-fips/overview) ([source](https://redirect.github.com/chainguard-images/images-private/tree/HEAD/images/grafana-fips)) | patch | `11.5.2` -> `11.5.3` | | [cgr.dev/du-uds-defenseunicorns/k8s-sidecar-fips](https://images.chainguard.dev/directory/image/k8s-sidecar-fips/overview) ([source](https://redirect.github.com/chainguard-images/images-private/tree/HEAD/images/k8s-sidecar-fips)) | patch | `1.30.2` -> `1.30.3` | | [docker.io/grafana/grafana](https://redirect.github.com/grafana/grafana) | minor | `11.5.2` -> `11.6.0` | | [ghcr.io/kiwigrid/k8s-sidecar](https://redirect.github.com/kiwigrid/k8s-sidecar) | patch | `1.30.2` -> `1.30.3` | | [grafana](https://grafana.com) ([source](https://redirect.github.com/grafana/helm-charts)) | minor | `8.10.4` -> `8.11.0` | | [registry1.dso.mil/ironbank/kiwigrid/k8s-sidecar](https://redirect.github.com/kiwigrid/k8s-sidecar) ([source](https://repo1.dso.mil/dsop/kiwigrid/k8s-sidecar)) | patch | `1.30.2` -> `1.30.3` | | [registry1.dso.mil/ironbank/opensource/grafana/grafana](https://redirect.github.com/grafana/grafana) ([source](https://repo1.dso.mil/dsop/opensource/grafana/grafana)) | minor | `11.5.2` -> `11.6.0` | --- ### Release Notes
grafana/grafana (docker.io/grafana/grafana) ### [`v11.6.0`](https://redirect.github.com/grafana/grafana/blob/HEAD/CHANGELOG.md#1160-2025-03-25) [Compare Source](https://redirect.github.com/grafana/grafana/compare/v11.5.3...v11.6.0) ##### Features and enhancements - **API keys:** Migrate API keys to service accounts at startup [#​96924](https://redirect.github.com/grafana/grafana/pull/96924), [@​dmihai](https://redirect.github.com/dmihai) - **AccessControl:** Allow plugin roles to include `plugins:write` [#​101089](https://redirect.github.com/grafana/grafana/pull/101089), [@​gamab](https://redirect.github.com/gamab) - **Alerting:** Add DAG errors to alert rule creation and view [#​99423](https://redirect.github.com/grafana/grafana/pull/99423), [@​soniaAguilarPeiron](https://redirect.github.com/soniaAguilarPeiron) - **Alerting:** Add Jira integration to cloud AMs [#​100482](https://redirect.github.com/grafana/grafana/pull/100482), [@​soniaAguilarPeiron](https://redirect.github.com/soniaAguilarPeiron) - **Alerting:** Add alert rule version history - part1 [#​99490](https://redirect.github.com/grafana/grafana/pull/99490), [@​soniaAguilarPeiron](https://redirect.github.com/soniaAguilarPeiron) - **Alerting:** Add migration to clean up rule versions table [#​102562](https://redirect.github.com/grafana/grafana/pull/102562), [@​yuri-tceretian](https://redirect.github.com/yuri-tceretian) - **Alerting:** Add multiple threshold operators [#​99516](https://redirect.github.com/grafana/grafana/pull/99516), [@​paulojmdias](https://redirect.github.com/paulojmdias) - **Alerting:** Add tracking for the mode used in query and notifications step when c… [#​100824](https://redirect.github.com/grafana/grafana/pull/100824), [@​soniaAguilarPeiron](https://redirect.github.com/soniaAguilarPeiron) - **Alerting:** Adding color option for slack receiver [#​99615](https://redirect.github.com/grafana/grafana/pull/99615), [@​wymangr](https://redirect.github.com/wymangr) - **Alerting:** Allow 
selection of recording rule write target on per-rule basis. [#​101778](https://redirect.github.com/grafana/grafana/pull/101778), [@​stevesg](https://redirect.github.com/stevesg) - **Alerting:** Allow specifying uid for new rules added to groups [#​99858](https://redirect.github.com/grafana/grafana/pull/99858), [@​moustafab](https://redirect.github.com/moustafab) - **Alerting:** Improve template testing by trying non-root scopes [#​101471](https://redirect.github.com/grafana/grafana/pull/101471), [@​JacobsonMT](https://redirect.github.com/JacobsonMT) - **Alerting:** Include time range in template dashboard and panel urls [#​101095](https://redirect.github.com/grafana/grafana/pull/101095), [@​JacobsonMT](https://redirect.github.com/JacobsonMT) - **Alerting:** Keep the latest version of deleted rule in version table [#​101481](https://redirect.github.com/grafana/grafana/pull/101481), [@​yuri-tceretian](https://redirect.github.com/yuri-tceretian) - **Alerting:** Promote alertingSaveStateCompressed flag to public preview [#​99935](https://redirect.github.com/grafana/grafana/pull/99935), [@​alexander-akhmetov](https://redirect.github.com/alexander-akhmetov) - **Alerting:** Remove ID and OrgID from hash calculation [#​100140](https://redirect.github.com/grafana/grafana/pull/100140), [@​yuri-tceretian](https://redirect.github.com/yuri-tceretian) - **Alerting:** Remove feature toggle alertingNoNormalState [#​99905](https://redirect.github.com/grafana/grafana/pull/99905), [@​yuri-tceretian](https://redirect.github.com/yuri-tceretian) - **Alerting:** Remove rule group edit from single rule editor [#​100191](https://redirect.github.com/grafana/grafana/pull/100191), [@​gillesdemey](https://redirect.github.com/gillesdemey) - **Alerting:** Return 404 when /api/ruler/grafana/api/v1/rules/{Namespace}/{Groupname} does not exist [#​100264](https://redirect.github.com/grafana/grafana/pull/100264), [@​fayzal-g](https://redirect.github.com/fayzal-g) - **Alerting:** Rule history restore 
feature [#​100609](https://redirect.github.com/grafana/grafana/pull/100609), [@​soniaAguilarPeiron](https://redirect.github.com/soniaAguilarPeiron) - **Alerting:** Support Jira Integration [#​100480](https://redirect.github.com/grafana/grafana/pull/100480), [@​yuri-tceretian](https://redirect.github.com/yuri-tceretian) - **Alerting:** Track if new gm rules are created with queries and expressions transformable to simple mode [#​101121](https://redirect.github.com/grafana/grafana/pull/101121), [@​soniaAguilarPeiron](https://redirect.github.com/soniaAguilarPeiron) - **Alerting:** Update IRM copies in Configuration Tracker [#​100069](https://redirect.github.com/grafana/grafana/pull/100069), [@​teodosii](https://redirect.github.com/teodosii) - **Alerting:** Update design of rule details tab and add `updated by` [#​99895](https://redirect.github.com/grafana/grafana/pull/99895), [@​tomratcliffe](https://redirect.github.com/tomratcliffe) - **Alerting:** Update irm links for incident and oncall in case new irm plugin is present [#​99952](https://redirect.github.com/grafana/grafana/pull/99952), [@​soniaAguilarPeiron](https://redirect.github.com/soniaAguilarPeiron) - **Alerting:** Use exponential backoff in the remote Alertmanager readiness check [#​99756](https://redirect.github.com/grafana/grafana/pull/99756), [@​santihernandezc](https://redirect.github.com/santihernandezc) - **Alerting:** Use uid instead of id in AnnotationsStateHistory [#​101207](https://redirect.github.com/grafana/grafana/pull/101207), [@​soniaAguilarPeiron](https://redirect.github.com/soniaAguilarPeiron) - **Auth:** Add IP address login attempt validation [#​98123](https://redirect.github.com/grafana/grafana/pull/98123), [@​colin-stuart](https://redirect.github.com/colin-stuart) - **Auth:** Add support for the TlsSkipVerify parameter to JWT Auth [#​91514](https://redirect.github.com/grafana/grafana/pull/91514), [@​Ret2Me](https://redirect.github.com/Ret2Me) - **Auth:** Make ssoSettingsSAML GA and 
enabled by default [#​101766](https://redirect.github.com/grafana/grafana/pull/101766), [@​mgyongyosi](https://redirect.github.com/mgyongyosi) - **Azure Monitor:** Filter namespaces by resource group [#​100325](https://redirect.github.com/grafana/grafana/pull/100325), [@​alyssabull](https://redirect.github.com/alyssabull) - **Azure:** Resource picker improvements [#​101462](https://redirect.github.com/grafana/grafana/pull/101462), [@​aangelisc](https://redirect.github.com/aangelisc) - **Azure:** Variable editor and resource picker improvements [#​101695](https://redirect.github.com/grafana/grafana/pull/101695), [@​alyssabull](https://redirect.github.com/alyssabull) - **Badge:** Add darkgrey color [#​100699](https://redirect.github.com/grafana/grafana/pull/100699), [@​Clarity-89](https://redirect.github.com/Clarity-89) - **Canvas:** One click links and actions [#​99616](https://redirect.github.com/grafana/grafana/pull/99616), [@​adela-almasan](https://redirect.github.com/adela-almasan) - **Chore:** Bump Go to 1.23.7 [#​101576](https://redirect.github.com/grafana/grafana/pull/101576), [@​macabu](https://redirect.github.com/macabu) - **Chore:** Bump Go to 1.23.7 (Enterprise) - **Chore:** Bump github.com/expr-lang/expr to v1.17.0 to address CVE-2025-29786 [#​102533](https://redirect.github.com/grafana/grafana/pull/102533), [@​macabu](https://redirect.github.com/macabu) - **Chore:** Remove `sqlQuerybuilderFunctionParameters` feature toggle [#​100809](https://redirect.github.com/grafana/grafana/pull/100809), [@​zoltanbedi](https://redirect.github.com/zoltanbedi) - **CloudWatch:** Track Logs Insights query language [#​100254](https://redirect.github.com/grafana/grafana/pull/100254), [@​idastambuk](https://redirect.github.com/idastambuk) - **Configuration tracker:** Update copy in IRM and point to new IRM slack integration [#​100440](https://redirect.github.com/grafana/grafana/pull/100440), [@​teodosii](https://redirect.github.com/teodosii) - **Dashboard:** Folder move 
unexpected behavior [#​100394](https://redirect.github.com/grafana/grafana/pull/100394), [@​yincongcyincong](https://redirect.github.com/yincongcyincong) - **Dashboards:** Allow custom quick time ranges specified in dashboard model [#​93724](https://redirect.github.com/grafana/grafana/pull/93724), [@​sknaumov](https://redirect.github.com/sknaumov) - **Dashboards:** Monitor dashboard loading performance [#​99629](https://redirect.github.com/grafana/grafana/pull/99629), [@​dprokop](https://redirect.github.com/dprokop) - **Dashboards:** Remove default empty string from variable create view [#​98922](https://redirect.github.com/grafana/grafana/pull/98922), [@​yincongcyincong](https://redirect.github.com/yincongcyincong) - **Dashboards:** WeekStart is now of type WeekStart | undefined instead of string [#​101123](https://redirect.github.com/grafana/grafana/pull/101123), [@​oscarkilhed](https://redirect.github.com/oscarkilhed) - **DesignSystem:** Menu and popover styling update to use new elevated background token [#​100255](https://redirect.github.com/grafana/grafana/pull/100255), [@​torkelo](https://redirect.github.com/torkelo) - **Docker:** Use our own glibc 2.40 binaries [#​99903](https://redirect.github.com/grafana/grafana/pull/99903), [@​DanCech](https://redirect.github.com/DanCech) - **Docs:** Add a note on query caching for Cloudwatch datasource [#​100180](https://redirect.github.com/grafana/grafana/pull/100180), [@​idastambuk](https://redirect.github.com/idastambuk) - **Drilldown:** Require `datasources:explore` RBAC action [#​101366](https://redirect.github.com/grafana/grafana/pull/101366), [@​svennergr](https://redirect.github.com/svennergr) - **Elasticsearch:** Remove frontend testDatasource method [#​99894](https://redirect.github.com/grafana/grafana/pull/99894), [@​idastambuk](https://redirect.github.com/idastambuk) - **Elasticsearch:** Replace level in adhoc filters with level field name [#​100315](https://redirect.github.com/grafana/grafana/pull/100315), 
[@​iwysiu](https://redirect.github.com/iwysiu) - **Elasticsearch:** Replace term size dropdown with text input [#​99718](https://redirect.github.com/grafana/grafana/pull/99718), [@​iwysiu](https://redirect.github.com/iwysiu) - **Explore:** Add `hide_logs_download` and hide button to download logs [#​99512](https://redirect.github.com/grafana/grafana/pull/99512), [@​svennergr](https://redirect.github.com/svennergr) - **Explore:** Move drilldown apps from Explore to a new navbar item "Drilldown" [#​100409](https://redirect.github.com/grafana/grafana/pull/100409), [@​adrapereira](https://redirect.github.com/adrapereira) - **ExploreMetrics:** Add toggle to enable routing to externalized Explore Metrics app plugin [#​99481](https://redirect.github.com/grafana/grafana/pull/99481), [@​NWRichmond](https://redirect.github.com/NWRichmond) - **Feat:** OSS connections page state filter and update all added [#​100688](https://redirect.github.com/grafana/grafana/pull/100688), [@​s4kh](https://redirect.github.com/s4kh) - **Features:** Remove openSearchBackendFlowEnabled feature toggle [#​99068](https://redirect.github.com/grafana/grafana/pull/99068), [@​idastambuk](https://redirect.github.com/idastambuk) - **Folders:** Add validation that folder is not a parent of itself [#​101569](https://redirect.github.com/grafana/grafana/pull/101569), [@​stephaniehingtgen](https://redirect.github.com/stephaniehingtgen) - **Geomap:** WebGL for Marker Layer [#​95457](https://redirect.github.com/grafana/grafana/pull/95457), [@​drew08t](https://redirect.github.com/drew08t) - **Grafana/ui:** Export UsersIndicator [#​100698](https://redirect.github.com/grafana/grafana/pull/100698), [@​Clarity-89](https://redirect.github.com/Clarity-89) - **Graphite:** Compare query builder query to raw query [#​101104](https://redirect.github.com/grafana/grafana/pull/101104), [@​bossinc](https://redirect.github.com/bossinc) - **Histogram:** Handle multiple native histograms 
[#​98404](https://redirect.github.com/grafana/grafana/pull/98404), [@​domasx2](https://redirect.github.com/domasx2) - **Image Renderer:** Add support for SSL in plugin mode [#​98009](https://redirect.github.com/grafana/grafana/pull/98009), [@​nmarrs](https://redirect.github.com/nmarrs) - **ImportDashboards:** Use NestedFolderPicker [#​99696](https://redirect.github.com/grafana/grafana/pull/99696), [@​joshhunt](https://redirect.github.com/joshhunt) - **Loki:** Removal of `Resolution` in query editors [#​101860](https://redirect.github.com/grafana/grafana/pull/101860), [@​svennergr](https://redirect.github.com/svennergr) - **Menu:** Uniform padding to make menu item hover state look better [#​100275](https://redirect.github.com/grafana/grafana/pull/100275), [@​torkelo](https://redirect.github.com/torkelo) - **MetricsDrilldown:** Update name of queryless metrics experience [#​100675](https://redirect.github.com/grafana/grafana/pull/100675), [@​yangkb09](https://redirect.github.com/yangkb09) - **MultiCombobox:** Export from grafana/ui [#​100368](https://redirect.github.com/grafana/grafana/pull/100368), [@​Clarity-89](https://redirect.github.com/Clarity-89) - **NodeGraph:** Improve view traces for uninstrumented services [#​98442](https://redirect.github.com/grafana/grafana/pull/98442), [@​edvard-falkskar](https://redirect.github.com/edvard-falkskar) - **PluginExtensions:** Added support for sharing functions [#​98888](https://redirect.github.com/grafana/grafana/pull/98888), [@​theSuess](https://redirect.github.com/theSuess) - **PluginExtensions:** Added support for sharing functions (Enterprise) - **PluginExtensions:** Exposing registry meta for components returned via `usePluginComponents` [#​100587](https://redirect.github.com/grafana/grafana/pull/100587), [@​mckn](https://redirect.github.com/mckn) - **Plugins:** Improve plugin details UX for core plugins [#​99830](https://redirect.github.com/grafana/grafana/pull/99830), 
[@​oshirohugo](https://redirect.github.com/oshirohugo) - **Plugins:** Remove managedPluginsInstall feature toggle [#​100416](https://redirect.github.com/grafana/grafana/pull/100416), [@​oshirohugo](https://redirect.github.com/oshirohugo) - **Plugins:** Remove managedPluginsInstall feature toggle (Enterprise) - **Plugins:** Remove uninstall plugin step from cli plugins update-all [#​101632](https://redirect.github.com/grafana/grafana/pull/101632), [@​oshirohugo](https://redirect.github.com/oshirohugo) - **Prometheus:** Get the utcOffset value of timezone when it's specified [#​99910](https://redirect.github.com/grafana/grafana/pull/99910), [@​itsmylife](https://redirect.github.com/itsmylife) - **Prometheus:** Remove query assistant and related components [#​100669](https://redirect.github.com/grafana/grafana/pull/100669), [@​edwardcqian](https://redirect.github.com/edwardcqian) - **QueryOptions:** Handle invalid time shift values [#​101670](https://redirect.github.com/grafana/grafana/pull/101670), [@​ivanortegaalba](https://redirect.github.com/ivanortegaalba) - **RBAC:** Remove accessControlOnCall feature toggle [#​101222](https://redirect.github.com/grafana/grafana/pull/101222), [@​gamab](https://redirect.github.com/gamab) - **RBAC:** Remove accessControlOnCall feature toggle (Enterprise) - **Reporting:** Add email subject support (Enterprise) - **Security:** Update to Go 1.23.5 (Enterprise) - **Tempo:** Support TraceQL instant metrics queries [#​99732](https://redirect.github.com/grafana/grafana/pull/99732), [@​joey-grafana](https://redirect.github.com/joey-grafana) - **Tempo:** TraceQL metrics streaming [#​99037](https://redirect.github.com/grafana/grafana/pull/99037), [@​adrapereira](https://redirect.github.com/adrapereira) - **Time regions:** Add option for cron syntax to support complex schedules [#​99548](https://redirect.github.com/grafana/grafana/pull/99548), [@​leeoniya](https://redirect.github.com/leeoniya) - **TimePicker:** Ability to manually specify 
quick ranges [#​101465](https://redirect.github.com/grafana/grafana/pull/101465), [@​Sergej-Vlasov](https://redirect.github.com/Sergej-Vlasov) - **TimeRangePicker:** Options list padding [#​100343](https://redirect.github.com/grafana/grafana/pull/100343), [@​torkelo](https://redirect.github.com/torkelo) - **TopNav:** Move news into profile menu [#​99535](https://redirect.github.com/grafana/grafana/pull/99535), [@​bergquist](https://redirect.github.com/bergquist) - **Trace View:** Add link from the Trace View to the Profiles Drilldown [#​101422](https://redirect.github.com/grafana/grafana/pull/101422), [@​joey-grafana](https://redirect.github.com/joey-grafana) - **Transformation:** Add support for variables to ALL transformations [#​100225](https://redirect.github.com/grafana/grafana/pull/100225), [@​dprokop](https://redirect.github.com/dprokop) - **Transformations:** Add round() to Unary mode of `Add field from calc` [#​101295](https://redirect.github.com/grafana/grafana/pull/101295), [@​leeoniya](https://redirect.github.com/leeoniya) - **VizActions:** Add confirmation message [#​100012](https://redirect.github.com/grafana/grafana/pull/100012), [@​adela-almasan](https://redirect.github.com/adela-almasan) - **grafana-ui:** Update InlineField error prop type to React.ReactNode [#​100347](https://redirect.github.com/grafana/grafana/pull/100347), [@​Clarity-89](https://redirect.github.com/Clarity-89) ##### Bug fixes - **Alerting:** Add error handling for missing data source [#​101508](https://redirect.github.com/grafana/grafana/pull/101508), [@​gillesdemey](https://redirect.github.com/gillesdemey) - **Alerting:** Call RLock() before reading sendAlertsTo map [#​99812](https://redirect.github.com/grafana/grafana/pull/99812), [@​santihernandezc](https://redirect.github.com/santihernandezc) - **Alerting:** Disable create rule menu item from panel when unifiedAlerting is disabled [#​100701](https://redirect.github.com/grafana/grafana/pull/100701), 
[@​soniaAguilarPeiron](https://redirect.github.com/soniaAguilarPeiron) - **Alerting:** Fix KeyValueMap input bug [#​101367](https://redirect.github.com/grafana/grafana/pull/101367), [@​soniaAguilarPeiron](https://redirect.github.com/soniaAguilarPeiron) - **Alerting:** Fix crash when invalid matcher is used in silence query params [#​101500](https://redirect.github.com/grafana/grafana/pull/101500), [@​gillesdemey](https://redirect.github.com/gillesdemey) - **Alerting:** Fix evaluation of rules with no-op math expressions [#​101436](https://redirect.github.com/grafana/grafana/pull/101436), [@​moustafab](https://redirect.github.com/moustafab) - **Alerting:** Fix exporting new rule with a new group [#​101404](https://redirect.github.com/grafana/grafana/pull/101404), [@​soniaAguilarPeiron](https://redirect.github.com/soniaAguilarPeiron) - **Alerting:** Fix fieldSelector encoding [#​99751](https://redirect.github.com/grafana/grafana/pull/99751), [@​gillesdemey](https://redirect.github.com/gillesdemey) - **Alerting:** Fix inheritance of the timing options for policy tree [#​99398](https://redirect.github.com/grafana/grafana/pull/99398), [@​gillesdemey](https://redirect.github.com/gillesdemey) - **Alerting:** Fix notification templates layout [#​101232](https://redirect.github.com/grafana/grafana/pull/101232), [@​gillesdemey](https://redirect.github.com/gillesdemey) - **Alerting:** Fix state reason [#​101530](https://redirect.github.com/grafana/grafana/pull/101530), [@​yuri-tceretian](https://redirect.github.com/yuri-tceretian) - **Alerting:** Fix token-based Slack image upload to work with channel names [#​100988](https://redirect.github.com/grafana/grafana/pull/100988), [@​JacobsonMT](https://redirect.github.com/JacobsonMT) - **App Platform:** Pin bleve to fix CVE-2022-31022 [#​102531](https://redirect.github.com/grafana/grafana/pull/102531), [@​Proximyst](https://redirect.github.com/Proximyst) - **App:** Fix web app behaviour on iOS 
[#​100382](https://redirect.github.com/grafana/grafana/pull/100382), [@​ashharrison90](https://redirect.github.com/ashharrison90) - **Auth:** Fix AzureAD config UI's ClientAuthentication dropdown [#​100752](https://redirect.github.com/grafana/grafana/pull/100752), [@​mgyongyosi](https://redirect.github.com/mgyongyosi) - **Auth:** Fix redirect with JWT auth URL login [#​100295](https://redirect.github.com/grafana/grafana/pull/100295), [@​mgyongyosi](https://redirect.github.com/mgyongyosi) - **AuthN:** Refetch user on "ErrUserAlreadyExists" [#​100346](https://redirect.github.com/grafana/grafana/pull/100346), [@​kalleep](https://redirect.github.com/kalleep) - **Caching:** Fix duplicate metric registration for cache size (Enterprise) - **CloudWatch:** Fix condition for running annotation queries to require dimensions [#​101660](https://redirect.github.com/grafana/grafana/pull/101660), [@​kevinwcyu](https://redirect.github.com/kevinwcyu) - **Combobox:** Fix list not being virtualized initially in some cases [#​100188](https://redirect.github.com/grafana/grafana/pull/100188), [@​tskarhed](https://redirect.github.com/tskarhed) - **Dashboard:** Fix for overwriting an edited dashboard in the old architecture [#​100247](https://redirect.github.com/grafana/grafana/pull/100247), [@​bfmatei](https://redirect.github.com/bfmatei) - **Dashboard:** Fix the unintentional time range and variables updates on saving [#​101475](https://redirect.github.com/grafana/grafana/pull/101475), [@​harisrozajac](https://redirect.github.com/harisrozajac) - **Dashboard:** Playlist - Fix issue with back button [#​99401](https://redirect.github.com/grafana/grafana/pull/99401), [@​yincongcyincong](https://redirect.github.com/yincongcyincong) - **DashboardList:** Throttle the re-renders [#​99982](https://redirect.github.com/grafana/grafana/pull/99982), [@​bfmatei](https://redirect.github.com/bfmatei) - **Dashboards:** Bring back scripted dashboards 
[#​100575](https://redirect.github.com/grafana/grafana/pull/100575), [@​dprokop](https://redirect.github.com/dprokop) - **Dashboards:** Fix missing `v/e/i` keybindings to return back to dashboard [#​102364](https://redirect.github.com/grafana/grafana/pull/102364), [@​mdvictor](https://redirect.github.com/mdvictor) - **Explore:** Fix resizing split view with Loki query editor [#​100257](https://redirect.github.com/grafana/grafana/pull/100257), [@​ifrost](https://redirect.github.com/ifrost) - **ExploreMetrics:** Fix escaping of regex metacharacters in label filters [#​100513](https://redirect.github.com/grafana/grafana/pull/100513), [@​NWRichmond](https://redirect.github.com/NWRichmond) - **Fix:** Optimise frontend Postgresql plugin cache busting [#​100406](https://redirect.github.com/grafana/grafana/pull/100406), [@​jackw](https://redirect.github.com/jackw) - **InfluxDB:** Improve handling of template variables contained in regular expressions (InfluxQL) [#​100762](https://redirect.github.com/grafana/grafana/pull/100762), [@​aangelisc](https://redirect.github.com/aangelisc) - **Interval variable:** Fix $\__auto value behavior [#​100479](https://redirect.github.com/grafana/grafana/pull/100479), [@​yincongcyincong](https://redirect.github.com/yincongcyincong) - **Log Context:** Fix bug where variables are not replaced in dashboards [#​100433](https://redirect.github.com/grafana/grafana/pull/100433), [@​svennergr](https://redirect.github.com/svennergr) - **OpenTSDB:** Support v2.4 [#​100673](https://redirect.github.com/grafana/grafana/pull/100673), [@​aangelisc](https://redirect.github.com/aangelisc) - **PDF:** Fix repeating panels when there are less items than maxPerRow (Enterprise) - **Plugin Metrics:** Eliminate data race in plugin metrics middleware [#​99396](https://redirect.github.com/grafana/grafana/pull/99396), [@​clord](https://redirect.github.com/clord) - **Plugins:** Fix update button behavior on downgrade 
[#​101048](https://redirect.github.com/grafana/grafana/pull/101048), [@​oshirohugo](https://redirect.github.com/oshirohugo) - **Plugins:** Fix version tab breaking for non semantic version [#​101225](https://redirect.github.com/grafana/grafana/pull/101225), [@​oshirohugo](https://redirect.github.com/oshirohugo) - **PromLib:** Take AdHoc filters into account when requesting suggestions without label [#​101555](https://redirect.github.com/grafana/grafana/pull/101555), [@​tskarhed](https://redirect.github.com/tskarhed) - **Prometheus:** Fix cursor jump in prometheus code editor [#​100273](https://redirect.github.com/grafana/grafana/pull/100273), [@​itsmylife](https://redirect.github.com/itsmylife) - **Prometheus:** Fix operator handling when making label expressions utf-8 friendly [#​100475](https://redirect.github.com/grafana/grafana/pull/100475), [@​NWRichmond](https://redirect.github.com/NWRichmond) - **Prometheus:** Fix setting utcOffset when absolute time range is used [#​101065](https://redirect.github.com/grafana/grafana/pull/101065), [@​itsmylife](https://redirect.github.com/itsmylife) - **RBAC:** Don't check folder access if `annotationPermissionUpdate` FT is enabled [#​99717](https://redirect.github.com/grafana/grafana/pull/99717), [@​IevaVasiljeva](https://redirect.github.com/IevaVasiljeva) - **SSO:** Fix team_ids validation for Generic OAuth [#​100732](https://redirect.github.com/grafana/grafana/pull/100732), [@​dmihai](https://redirect.github.com/dmihai) - **Service Accounts:** Don't show error pop-ups for Service Account and Renderer UI flows [#​101776](https://redirect.github.com/grafana/grafana/pull/101776), [@​IevaVasiljeva](https://redirect.github.com/IevaVasiljeva) - **Share:** Fix short links when root_url is different from the browser URL [#​99950](https://redirect.github.com/grafana/grafana/pull/99950), [@​AgnesToulet](https://redirect.github.com/AgnesToulet) ##### Breaking changes - **Data source:** Change Permissions for query to only have 
query and not `read OR query` (Enterprise) ##### Plugin development fixes & changes - **GrafanaUI:** Deprecate Select in favor of Combobox [#​100294](https://redirect.github.com/grafana/grafana/pull/100294), [@​joshhunt](https://redirect.github.com/joshhunt) - **Multi/Combobox:** Use pointer cursor when not focused [#​100878](https://redirect.github.com/grafana/grafana/pull/100878), [@​tskarhed](https://redirect.github.com/tskarhed) - **Slider:** Fix text input box being too wide [#​100138](https://redirect.github.com/grafana/grafana/pull/100138), [@​joshhunt](https://redirect.github.com/joshhunt) ### [`v11.5.3`](https://redirect.github.com/grafana/grafana/blob/HEAD/CHANGELOG.md#1153-2025-03-25) [Compare Source](https://redirect.github.com/grafana/grafana/compare/v11.5.2...v11.5.3) ##### Features and enhancements - **Chore:** Bump Go to 1.23.7 [#​101581](https://redirect.github.com/grafana/grafana/pull/101581), [@​macabu](https://redirect.github.com/macabu) - **Chore:** Bump Go to 1.23.7 (Enterprise) ##### Bug fixes - **Alerting:** Fix token-based Slack image upload to work with channel names [#​101078](https://redirect.github.com/grafana/grafana/pull/101078), [@​JacobsonMT](https://redirect.github.com/JacobsonMT) - **Auth:** Fix AzureAD config UI's ClientAuthentication dropdown [#​100869](https://redirect.github.com/grafana/grafana/pull/100869), [@​mgyongyosi](https://redirect.github.com/mgyongyosi) - **Dashboard:** Fix the unintentional time range and variables updates on saving [#​101671](https://redirect.github.com/grafana/grafana/pull/101671), [@​harisrozajac](https://redirect.github.com/harisrozajac) - **Dashboards:** Fix missing `v/e/i` keybindings to return back to dashboard [#​102365](https://redirect.github.com/grafana/grafana/pull/102365), [@​mdvictor](https://redirect.github.com/mdvictor) - **InfluxDB:** Improve handling of template variables contained in regular expressions (InfluxQL) [#​100977](https://redirect.github.com/grafana/grafana/pull/100977), 
[@​aangelisc](https://redirect.github.com/aangelisc) - **Org redirection:** Fix linking between orgs [#​102089](https://redirect.github.com/grafana/grafana/pull/102089), [@​ashharrison90](https://redirect.github.com/ashharrison90)
kiwigrid/k8s-sidecar (ghcr.io/kiwigrid/k8s-sidecar) ### [`v1.30.3`](https://redirect.github.com/kiwigrid/k8s-sidecar/compare/1.30.2...1.30.3) [Compare Source](https://redirect.github.com/kiwigrid/k8s-sidecar/compare/1.30.2...1.30.3)
grafana/helm-charts (grafana) ### [`v8.11.0`](https://redirect.github.com/grafana/helm-charts/releases/tag/grafana-8.11.0) [Compare Source](https://redirect.github.com/grafana/helm-charts/compare/grafana-8.10.4...grafana-8.11.0) The leading tool for querying and visualizing time series and metrics. #### What's Changed - \[grafana] Update Grafana version to 11.6.0 by [@​tobiasamft](https://redirect.github.com/tobiasamft) in [https://github.com/grafana/helm-charts/pull/3621](https://redirect.github.com/grafana/helm-charts/pull/3621) **Full Changelog**: https://github.com/grafana/helm-charts/compare/alloy-operator-0.2.1-beta.1...grafana-8.11.0
--- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/defenseunicorns/uds-core). Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Chance <139784371+UnicornChance@users.noreply.github.com>
---
src/grafana/common/zarf.yaml | 2 +-
src/grafana/values/registry1-values.yaml | 4 ++--
src/grafana/values/unicorn-values.yaml | 4 ++--
src/grafana/values/upstream-values.yaml | 4 ++--
src/grafana/zarf.yaml | 12 ++++++------
5 files changed, 13 insertions(+), 13 deletions(-)
diff --git a/src/grafana/common/zarf.yaml b/src/grafana/common/zarf.yaml
index aab1250c79..a37255e11f 100644
--- a/src/grafana/common/zarf.yaml
+++ b/src/grafana/common/zarf.yaml
@@ -19,7 +19,7 @@ components: - ../chart/values.yaml - name: grafana url: https://grafana.github.io/helm-charts/
- version: 8.10.4
+ version: 8.11.0
namespace: grafana valuesFiles: - ../values/values.yaml
diff --git a/src/grafana/values/registry1-values.yaml b/src/grafana/values/registry1-values.yaml
index abcca5f253..e55a5426b3 100644
--- a/src/grafana/values/registry1-values.yaml
+++ b/src/grafana/values/registry1-values.yaml
@@ -4,7 +4,7 @@ image: registry: registry1.dso.mil repository: ironbank/opensource/grafana/grafana
- tag: 11.5.2
+ tag: 11.6.0
initChownData: image:
@@ -21,4 +21,4 @@ sidecar: image: registry: registry1.dso.mil repository: ironbank/kiwigrid/k8s-sidecar - tag: 1.30.2 + tag: 1.30.3 diff --git a/src/grafana/values/unicorn-values.yaml b/src/grafana/values/unicorn-values.yaml index b73edb9a40..28d66fee91 100644 --- a/src/grafana/values/unicorn-values.yaml +++ b/src/grafana/values/unicorn-values.yaml @@ -4,7 +4,7 @@ image: registry: cgr.dev repository: du-uds-defenseunicorns/grafana-fips - tag: 11.5.2 + tag: 11.5.3 initChownData: image: @@ -21,4 +21,4 @@ sidecar: image: registry: cgr.dev repository: du-uds-defenseunicorns/k8s-sidecar-fips - tag: 1.30.2 + tag: 1.30.3 diff --git a/src/grafana/values/upstream-values.yaml b/src/grafana/values/upstream-values.yaml index 0a41536949..ca26528bf1 100644 --- a/src/grafana/values/upstream-values.yaml +++ b/src/grafana/values/upstream-values.yaml @@ -6,12 +6,12 @@ sidecar: # -- The Docker registry registry: ghcr.io repository: kiwigrid/k8s-sidecar - tag: 1.30.2 + tag: 1.30.3 image: registry: docker.io repository: grafana/grafana - tag: 11.5.2 + tag: 11.6.0 initChownData: image: diff --git a/src/grafana/zarf.yaml b/src/grafana/zarf.yaml index 42157396a7..919e7e1d1d 100644 --- a/src/grafana/zarf.yaml +++ b/src/grafana/zarf.yaml @@ -27,10 +27,10 @@ components: valuesFiles: - values/upstream-values.yaml images: - - docker.io/grafana/grafana:11.5.2 + - docker.io/grafana/grafana:11.6.0 - docker.io/curlimages/curl:8.12.1 - docker.io/library/busybox:1.37.0 - - ghcr.io/kiwigrid/k8s-sidecar:1.30.2 + - ghcr.io/kiwigrid/k8s-sidecar:1.30.3 - name: grafana required: true @@ -43,9 +43,9 @@ components: valuesFiles: - values/registry1-values.yaml images: - - registry1.dso.mil/ironbank/opensource/grafana/grafana:11.5.2 + - registry1.dso.mil/ironbank/opensource/grafana/grafana:11.6.0 - registry1.dso.mil/ironbank/redhat/ubi/ubi9-minimal:9.5 - - registry1.dso.mil/ironbank/kiwigrid/k8s-sidecar:1.30.2 + - registry1.dso.mil/ironbank/kiwigrid/k8s-sidecar:1.30.3 - name: grafana required: true 
@@ -58,7 +58,7 @@ components: valuesFiles: - values/unicorn-values.yaml images: - - cgr.dev/du-uds-defenseunicorns/grafana-fips:11.5.2 + - cgr.dev/du-uds-defenseunicorns/grafana-fips:11.5.3 - cgr.dev/du-uds-defenseunicorns/busybox-fips:1.37.0 - cgr.dev/du-uds-defenseunicorns/curl-fips:8.12.1 - - cgr.dev/du-uds-defenseunicorns/k8s-sidecar-fips:1.30.2 + - cgr.dev/du-uds-defenseunicorns/k8s-sidecar-fips:1.30.3 From 0b7a71c9df71d76fba3871762b8970d29dece7b4 Mon Sep 17 00:00:00 2001 
From: Micah Nagel Date: Tue, 1 Apr 2025 11:51:32 -0600 Subject: [PATCH 094/118] fix: broken selectors for internal dependencies on charts (#1403) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ## Description Fixes several broken templates where selector was not getting populated properly in the `Package` CR. Thanks to @JaseKoonce for finding this 😄 ## Related Issue N/A ## Type of change - [x] Bug fix (non-breaking change which fixes an issue) - [ ] New feature (non-breaking change which adds functionality) - [ ] Other (security config, docs update, etc) ## Steps to Validate Run helm templates and validate the output looks as expected for the `remoteSelector`: ```console helm template src/authservice/chart --set redis.internal.enabled=true --set redis.internal.remoteSelector.app=redis helm template src/keycloak/chart --set postgresql.internal.enabled=true --set postgresql.internal.remoteSelector.app=postgres --set postgresql.username=user --set postgresql.password=pass --set postgresql.database=keycloak --set postgresql.host=postgres --set postgresql.port=1234 --set devMode=false helm template src/loki/chart --set storage.internal.enabled=true --set storage.internal.remoteSelector.app=s3 helm template src/velero/chart --set storage.internal.enabled=true --set storage.internal.remoteSelector.app=s3 ``` If you repeat these steps on `main` you will see the issue, it templates out as `remoteSelector: map[app:s3]` ## Checklist before merging - [x] Test, docs, adr added or updated as needed - [x] [Contributor Guide](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md) followed --- src/authservice/chart/templates/uds-package.yaml | 3 ++- src/keycloak/chart/templates/uds-package.yaml | 3 ++- src/loki/chart/templates/uds-package.yaml | 3 ++- src/velero/chart/templates/uds-package.yaml | 3 ++- 4 files changed, 8 insertions(+), 4 deletions(-) 
diff --git a/src/authservice/chart/templates/uds-package.yaml b/src/authservice/chart/templates/uds-package.yaml index acf50b428f..cd78b48003 100644 --- a/src/authservice/chart/templates/uds-package.yaml +++ b/src/authservice/chart/templates/uds-package.yaml @@ -27,7 +27,8 @@ spec: - direction: Egress description: Redis Session Store {{- if .Values.redis.internal.enabled }} - remoteSelector: {{ .Values.redis.internal.remoteSelector }} + remoteSelector: + {{- .Values.redis.internal.remoteSelector | toYaml | nindent 10 }} remoteNamespace: {{ .Values.redis.internal.remoteNamespace }} {{- else if .Values.redis.egressCidr }} remoteCidr: {{ .Values.redis.egressCidr }} diff --git a/src/keycloak/chart/templates/uds-package.yaml b/src/keycloak/chart/templates/uds-package.yaml index 7f1d192d04..1b308f5832 100644 --- a/src/keycloak/chart/templates/uds-package.yaml +++ b/src/keycloak/chart/templates/uds-package.yaml @@ -62,7 +62,8 @@ spec: app.kubernetes.io/name: keycloak port: {{ .Values.postgresql.port }} {{- if .Values.postgresql.internal.enabled }} - remoteSelector: {{ .Values.postgresql.internal.remoteSelector }} + remoteSelector: + {{- .Values.postgresql.internal.remoteSelector | toYaml | nindent 10 }} remoteNamespace: {{ .Values.postgresql.internal.remoteNamespace }} {{- else if .Values.postgresql.egressCidr }} remoteCidr: {{ .Values.postgresql.egressCidr }} diff --git a/src/loki/chart/templates/uds-package.yaml b/src/loki/chart/templates/uds-package.yaml index 55b2ecd061..1fcc85bf31 100644 --- a/src/loki/chart/templates/uds-package.yaml +++ b/src/loki/chart/templates/uds-package.yaml 
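Review bot: The new `remoteSelector:` key in the authservice hunk renders whatever `.Values.redis.internal.remoteSelector` holds, so an unset or empty value now produces `remoteSelector:` followed by `null` or `{}` instead of a render error, and an empty selector presumably matches every pod in `remoteNamespace` (the Package CR docs in this same series only spell out empty-selector semantics for `selector`, so confirm against the operator). Because this branch is only taken when `redis.internal.enabled` is true, failing the render is safer than emitting a namespace-wide egress rule: `{{- required "redis.internal.remoteSelector is required when redis.internal.enabled is true" .Values.redis.internal.remoteSelector | toYaml | nindent 10 }}`. The keycloak hunk on this line has the same shape for `postgresql.internal.remoteSelector` and would take the same guard. The enclosing `allow` entries begin at the `- direction: Egress` context line but continue past the end of each hunk.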
@@ -52,7 +52,8 @@ spec: app.kubernetes.io/name: loki description: Storage {{- if .Values.storage.internal.enabled }} - remoteSelector: {{ .Values.storage.internal.remoteSelector }} + remoteSelector: + {{- .Values.storage.internal.remoteSelector | toYaml | nindent 10 }} remoteNamespace: {{ .Values.storage.internal.remoteNamespace }} {{- else if .Values.storage.egressCidr }} remoteCidr: {{ .Values.storage.egressCidr }} diff --git a/src/velero/chart/templates/uds-package.yaml b/src/velero/chart/templates/uds-package.yaml index c096f7222f..a4cc7104f8 100644 --- a/src/velero/chart/templates/uds-package.yaml +++ b/src/velero/chart/templates/uds-package.yaml @@ -15,7 +15,8 @@ spec: app.kubernetes.io/name: velero description: Storage {{- if .Values.storage.internal.enabled }} - remoteSelector: {{ .Values.storage.internal.remoteSelector }} + remoteSelector: + {{- .Values.storage.internal.remoteSelector | toYaml | nindent 10 }} remoteNamespace: {{ .Values.storage.internal.remoteNamespace }} {{- else if .Values.storage.egressCidr }} remoteCidr: {{ .Values.storage.egressCidr }} From f9667b59dec25c90dca390ab86e559f161d084c5 Mon Sep 17 00:00:00 2001 
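Review bot: In both the loki and velero hunks an empty or missing `storage.internal.remoteSelector` renders as `remoteSelector:` plus `null`/`{}` rather than failing, and since the `{{- if .Values.storage.internal.enabled }}` guard means the operator intends a specific in-cluster target here, a selector-less rule presumably admits traffic to every pod in `remoteNamespace` — confirm how the operator treats an empty `remoteSelector`. Failing the render is the safer default: `{{- required "storage.internal.remoteSelector is required when storage.internal.enabled is true" .Values.storage.internal.remoteSelector | toYaml | nindent 10 }}`. The enclosing `allow` entries start before and end after each hunk.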
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 1 Apr 2025 18:22:45 +0000 Subject: [PATCH 095/118] chore(deps): update ts-jest to v29.3.0 (#1377) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [ts-jest](https://kulshekhar.github.io/ts-jest) ([source](https://redirect.github.com/kulshekhar/ts-jest)) | [`29.2.6` -> `29.3.0`](https://renovatebot.com/diffs/npm/ts-jest/29.2.6/29.3.0) | [![age](https://developer.mend.io/api/mc/badges/age/npm/ts-jest/29.3.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/ts-jest/29.3.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/ts-jest/29.2.6/29.3.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/ts-jest/29.2.6/29.3.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | --- ### Release Notes
kulshekhar/ts-jest (ts-jest) ### [`v29.3.0`](https://redirect.github.com/kulshekhar/ts-jest/blob/HEAD/CHANGELOG.md#2930-2025-03-21) [Compare Source](https://redirect.github.com/kulshekhar/ts-jest/compare/v29.2.6...v29.3.0) ##### Features - feat: support hybrid `module` values for `isolatedModules: true` ([f372121](https://redirect.github.com/kulshekhar/ts-jest/commit/f372121)) ##### Bug Fixes - fix: set `customConditions` to `undefined` in `TsCompiler` ([b091d70](https://redirect.github.com/kulshekhar/ts-jest/commit/b091d70)), closes [#​4620](https://redirect.github.com/kulshekhar/ts-jest/issues/4620) ##### Code Refactoring - refactor: remove manual version checker ([89458fc](https://redirect.github.com/kulshekhar/ts-jest/commit/89458fc)) - refactor: remove patching deps based on version checker ([bac4c43](https://redirect.github.com/kulshekhar/ts-jest/commit/bac4c43)) - refactor: deprecate `RawCompilerOptions` interface ([2b1b6cd](https://redirect.github.com/kulshekhar/ts-jest/commit/2b1b6cd)) - refactor: deprecate transform option `isolatedModules` ([7dfef71](https://redirect.github.com/kulshekhar/ts-jest/commit/7dfef71))
--- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/defenseunicorns/uds-core). Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Noah <40781376+noahpb@users.noreply.github.com> --- package-lock.json | 22 ++++++++++++++++++---- package.json | 2 +- 2 files changed, 19 insertions(+), 5 deletions(-) diff --git a/package-lock.json b/package-lock.json index 13599f6ebb..923042e237 100644 --- a/package-lock.json +++ b/package-lock.json @@ -16,7 +16,7 @@ "husky": "9.1.7", "jest": "29.7.0", "lint-staged": "15.5.0", - "ts-jest": "29.2.6" + "ts-jest": "29.3.0" }, "engines": { "node": ">=20.0.0" @@ -8131,9 +8131,9 @@ } }, "node_modules/ts-jest": { - "version": "29.2.6", - "resolved": "https://registry.npmjs.org/ts-jest/-/ts-jest-29.2.6.tgz", - "integrity": "sha512-yTNZVZqc8lSixm+QGVFcPe6+yj7+TWZwIesuOWvfcn4B9bz5x4NDzVCQQjOs7Hfouu36aEqfEbo9Qpo+gq8dDg==", + "version": "29.3.0", + "resolved": "https://registry.npmjs.org/ts-jest/-/ts-jest-29.3.0.tgz", + "integrity": "sha512-4bfGBX7Gd1Aqz3SyeDS9O276wEU/BInZxskPrbhZLyv+c1wskDCqDFMJQJLWrIr/fKoAH4GE5dKUlrdyvo+39A==", "dev": true, "license": "MIT", "dependencies": { @@ -8145,6 +8145,7 @@ "lodash.memoize": "^4.1.2", "make-error": "^1.3.6", "semver": "^7.7.1", + "type-fest": "^4.37.0", "yargs-parser": "^21.1.1" }, "bin": { 
@@ -8179,6 +8180,19 @@ } } }, + "node_modules/ts-jest/node_modules/type-fest": { + "version": "4.38.0", + "resolved": "https://registry.npmjs.org/type-fest/-/type-fest-4.38.0.tgz", + "integrity": "sha512-2dBz5D5ycHIoliLYLi0Q2V7KRaDlH0uWIvmk7TYlAg5slqwiPv1ezJdZm1QEM0xgk29oYWMCbIG7E6gHpvChlg==", + "dev": true, + "license": "(MIT OR CC0-1.0)", + "engines": { + "node": ">=16" + }, + "funding": { + "url": "https://github.com/sponsors/sindresorhus" + } + }, "node_modules/ts-toolbelt": { "version": "9.6.0", "resolved": "https://registry.npmjs.org/ts-toolbelt/-/ts-toolbelt-9.6.0.tgz", diff --git a/package.json b/package.json index d1f36d986c..c946a270d8 100644 --- a/package.json +++ b/package.json @@ -37,7 +37,7 @@ "husky": "9.1.7", "jest": "29.7.0", "lint-staged": "15.5.0", - "ts-jest": "29.2.6" + "ts-jest": "29.3.0" }, "jest": { "preset": "ts-jest", From b42cd3552192f3ab96ba91ff4b9d7e6a49931c1c Mon Sep 17 00:00:00 2001 
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 1 Apr 2025 13:37:32 -0600 Subject: [PATCH 096/118] chore(deps): update support dependencies to v22.13.17 (#1401) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [@types/node](https://redirect.github.com/DefinitelyTyped/DefinitelyTyped/tree/master/types/node) ([source](https://redirect.github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node)) | [`22.13.15` -> `22.13.17`](https://renovatebot.com/diffs/npm/@types%2fnode/22.13.15/22.13.17) | [![age](https://developer.mend.io/api/mc/badges/age/npm/@types%2fnode/22.13.17?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/@types%2fnode/22.13.17?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/@types%2fnode/22.13.15/22.13.17?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@types%2fnode/22.13.15/22.13.17?slim=true)](https://docs.renovatebot.com/merge-confidence/) | --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/defenseunicorns/uds-core). 
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Chance <139784371+UnicornChance@users.noreply.github.com> --- test/jest/package-lock.json | 6 +++--- test/playwright/package-lock.json | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/test/jest/package-lock.json b/test/jest/package-lock.json index 8e4d8cac99..eb6c00679f 100644 --- a/test/jest/package-lock.json +++ b/test/jest/package-lock.json @@ -1245,9 +1245,9 @@ "dev": true }, "node_modules/@types/node": { - "version": "22.13.15", - "resolved": "https://registry.npmjs.org/@types/node/-/node-22.13.15.tgz", - "integrity": "sha512-imAbQEEbVni6i6h6Bd5xkCRwLqFc8hihCsi2GbtDoAtUcAFQ6Zs4pFXTZUUbroTkXdImczWM9AI8eZUuybXE3w==", + "version": "22.13.17", + "resolved": "https://registry.npmjs.org/@types/node/-/node-22.13.17.tgz", + "integrity": "sha512-nAJuQXoyPj04uLgu+obZcSmsfOenUg6DxPKogeUy6yNCFwWaj5sBF8/G/pNo8EtBJjAfSVgfIlugR/BCOleO+g==", "dev": true, "license": "MIT", "dependencies": { diff --git a/test/playwright/package-lock.json b/test/playwright/package-lock.json index 7cf3cba56d..110a0a6c32 100644 --- a/test/playwright/package-lock.json +++ b/test/playwright/package-lock.json @@ -28,9 +28,9 @@ } }, "node_modules/@types/node": { - "version": "22.13.15", - "resolved": "https://registry.npmjs.org/@types/node/-/node-22.13.15.tgz", - "integrity": "sha512-imAbQEEbVni6i6h6Bd5xkCRwLqFc8hihCsi2GbtDoAtUcAFQ6Zs4pFXTZUUbroTkXdImczWM9AI8eZUuybXE3w==", + "version": "22.13.17", + "resolved": "https://registry.npmjs.org/@types/node/-/node-22.13.17.tgz", + "integrity": "sha512-nAJuQXoyPj04uLgu+obZcSmsfOenUg6DxPKogeUy6yNCFwWaj5sBF8/G/pNo8EtBJjAfSVgfIlugR/BCOleO+g==", "dev": true, "license": "MIT", "dependencies": { From fbc8ce0aaad2d1820d29fdaf11bb4148876321e1 Mon Sep 17 00:00:00 2001 
From: Chance <139784371+UnicornChance@users.noreply.github.com> Date: Tue, 1 Apr 2025 14:14:39 -0600 Subject: [PATCH 097/118] feat!: implement operator authorization policy management (#1384) ## Description This PR implements dynamic generation of Istio AuthorizationPolicy resources in ambient mode based on the configuration defined in a UDSPackage. These policies enforce strict ALLOW-only traffic rules, supporting ingress controls, monitoring protection, and gateway exposure with per-port granularity. ## Key Features - Allow Rules: Processed from spec.network.allow, with support for: - `remoteGenerated`, `remoteNamespace`, and `remoteServiceAccount` logic - Pod-level selector-based grouping for targeted policy generation - Expose Rules: Derived from `spec.network.expose`, mapped to appropriate source namespaces based on gateway type - Monitor Rules: One policy per monitor entry under `spec.monitor`, securing endpoints (e.g., Prometheus metrics) - Policy Grouping: - Rules with selectors are grouped and merged into workload-specific policies - Rules without selectors are merged into a namespace-wide policy - Port Handling: - Rules include `to` blocks when port(s) are provided - If no port is defined, only the `from` block is used - Metadata Labels: Policies include `uds/package` and `uds/generation` labels for traceability - Orphan Cleanup: Automatically purges outdated policies from previous generations ## Additional Context Documentation is included to explain the policy generation flow, source derivation logic, grouping behavior, and real-world examples. Also see jest tests for additional UDS Core Package examples. 
## Related Issue Fixes #1245 Relates to #1248 #1280 ## Type of change - [ ] Bug fix (non-breaking change which fixes an issue) - [x] New feature (non-breaking change which adds functionality) - [ ] Other (security config, docs update, etc) ## Steps to Validate - `uds run test-uds-core` - validate authpols that are created for UDS packages - apply additional packages to cluster and verify the generated authpols ## Checklist before merging - [x] Test, docs, adr added or updated as needed - [x] [Contributor Guide](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md) followed BEGIN_COMMIT_OVERRIDE feat!: ambient mesh authorization policy generation (https://github.com/defenseunicorns/uds-core/pull/1384) BREAKING CHANGE: dynamic generation of Istio AuthorizationPolicy resources in ambient mode based on the configuration defined in a UDSPackage. ALL requests to a pod with authservice protection MUST have a jwt from Keycloak. More fine-grained protection can be done with additional DENY policies, but there will always be a requirement for a Keycloak JWT in addition. 
END_COMMIT_OVERRIDE --------- Co-authored-by: Micah Nagel --- .gitignore | 2 + docs/dev/authorization-policy-generation.md | 251 +++++ .../Single Sign-On/auth-service.md | 3 + .../configuration/authorization-policies.md | 99 ++ .../exemptions-v1alpha1-cr.md | 2 - .../custom resources/packages-v1alpha1-cr.md | 4 +- schemas/package-v1alpha1.schema.json | 7 + .../authservice/authorization-policy.ts | 3 +- .../network/authorizationPolicies.spec.ts | 893 ++++++++++++++++++ .../network/authorizationPolicies.ts | 285 ++++++ .../network/generators/kubeAPI.spec.ts | 100 +- .../controllers/network/generators/kubeAPI.ts | 81 ++ .../network/generators/kubeNodes.spec.ts | 140 ++- .../network/generators/kubeNodes.ts | 88 +- src/pepr/operator/controllers/utils.ts | 12 +- .../crd/generated/package-v1alpha1.ts | 6 + .../operator/crd/sources/package/v1alpha1.ts | 15 + .../reconcilers/package-reconciler.ts | 4 + 18 files changed, 1979 insertions(+), 16 deletions(-) create mode 100644 docs/dev/authorization-policy-generation.md create mode 100644 docs/reference/configuration/authorization-policies.md create mode 100644 src/pepr/operator/controllers/network/authorizationPolicies.spec.ts create mode 100644 src/pepr/operator/controllers/network/authorizationPolicies.ts diff --git a/.gitignore b/.gitignore index 03fae75bda..8a6fcc72a2 100644 --- a/.gitignore +++ b/.gitignore @@ -32,3 +32,5 @@ uds-docs/** **.backup **/.playwright/** **/.playwright + +coverage/** diff --git a/docs/dev/authorization-policy-generation.md b/docs/dev/authorization-policy-generation.md new file mode 100644 index 0000000000..c918f33132 --- /dev/null +++ b/docs/dev/authorization-policy-generation.md 
@@ -0,0 +1,251 @@ +## Overview + +This guide describes how Istio AuthorizationPolicies are generated from the UDSPackage CR by the UDS Operator. These **ALLOW** policies are primarily used to enable ingress security within an Istio Ambient Mesh environment. + +The code responsible for generating these policies can be found [here](https://github.com/defenseunicorns/uds-core/blob/main/src/pepr/operator/controllers/network/authorizationPolicies.ts) and includes support for three rule types: +- `allow`: Direct ingress rules for services. +- `expose`: Gateway-based ingress exposure. +- `monitor`: Restricts access to metrics endpoints. + +Each rule is processed individually to generate a single Istio AuthorizationPolicy. + +--- + +## Policy Generation Flow + +1. **Input Collection** + - The operator reads the `spec.network.allow`, `spec.network.expose`, and `spec.monitor` fields from a UDSPackage. + +2. **Allow Rule Processing** + - Sources are computed based on `remoteGenerated`, `remoteNamespace`, and `remoteServiceAccount`. + - Port info is collected from `port` and `ports`. + - If `remoteServiceAccount` is present, a `principal` source is used, overriding namespace restrictions. + +3. **Expose Rule Processing** + - Uses `port` or `targetPort` for port resolution. + - Sources are determined by the selected gateway: + - Admin gateway → `cluster.local/ns/istio-admin-gateway/sa/admin-ingressgateway` + - Tenant gateway (default) → `cluster.local/ns/istio-tenant-gateway/sa/tenant-ingressgateway` + +4. **Monitor Rule Processing** + - Each monitor rule generates a policy allowing access from `monitoring` namespace to a specific port. + +5. **Policy Naming** + - All policies start with `protect--`. + - `allow` rules use either the `description` or a combination of selector and remote fields. + - `expose` rules follow `ingress---istio--gateway`. + +6. **Policy Application** + - Policies are applied via `K8s(AuthorizationPolicy).Apply()` with force enabled. 
+ - `purgeOrphans` removes outdated or unused policies from previous generations. + +--- + +## Development Tips + +- **Rule Deduplication**: Currently, even identical selectors in different rules generate separate policies. +- **Troubleshooting**: Enable debug logging to inspect which policy is generated and applied. +- **Testing**: Use test UDSPackages with different `remoteGenerated` and gateway values to validate behavior. +- **Best Practices**: + - Avoid overly broad allow rules (e.g., `remoteGenerated: Anywhere`) unless absolutely necessary. + - Prefer using `remoteServiceAccount` for precise identity-based access. + +--- + +## Example Use Cases + +### Example 1: Allow Ingress from a Specific Namespace (No Selector) + +```yaml +spec: + network: + allow: + - direction: Ingress + remoteNamespace: "external-app" + port: 8080 +``` + +```yaml +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: protect-my-app-ingress-external-app + namespace: my-app-namespace + labels: + uds/package: my-app + uds/generation: "1" +spec: + action: ALLOW + rules: + - from: + - source: + namespaces: ["external-app"] + to: + - operation: + ports: ["8080"] +``` + +### Example 2: Allow Ingress Only to a Specific Pod Selector + +```yaml +spec: + network: + allow: + - direction: Ingress + remoteNamespace: "external-app" + selector: + app: "frontend" + port: 8080 +``` + +```yaml +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: protect-my-app-ingress-frontend + namespace: my-app-namespace + labels: + uds/package: my-app + uds/generation: "1" +spec: + action: ALLOW + selector: + matchLabels: + app: "frontend" + rules: + - from: + - source: + namespaces: ["external-app"] + to: + - operation: + ports: ["8080"] +``` + +### Example 3: Intra-Namespace Rule Without Port + +```yaml +spec: + network: + allow: + - direction: Ingress + remoteGenerated: IntraNamespace +``` + +```yaml +apiVersion: security.istio.io/v1beta1 +kind: 
AuthorizationPolicy +metadata: + name: protect-loki-ingress-all + namespace: loki + labels: + uds/package: loki + uds/generation: "1" +spec: + action: ALLOW + rules: + - from: + - source: + namespaces: ["loki"] +``` + +### Example 4: Allow Anywhere Rule (No Namespace Restriction) + +```yaml +spec: + network: + allow: + - direction: Ingress + remoteGenerated: Anywhere + port: 80 +``` + +```yaml +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: protect-myapp-ingress-all + namespace: my-namespace + labels: + uds/package: myapp + uds/generation: "1" +spec: + action: ALLOW + rules: + - from: [] + to: + - operation: + ports: ["80"] +``` + +### Example 5: Expose Rule with Gateway Specification + +```yaml +spec: + network: + expose: + - port: 8080 + targetPort: 9090 + selector: + app: "backend" + gateway: Admin +``` + +```yaml +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: protect-my-app-ingress-9090-backend-istio-admin-gateway + namespace: my-app-namespace + labels: + uds/package: my-app + uds/generation: "1" +spec: + action: ALLOW + selector: + matchLabels: + app: "backend" + rules: + - from: + - source: + principals: ["cluster.local/ns/istio-admin-gateway/sa/admin-ingressgateway"] + to: + - operation: + ports: ["9090"] +``` + +### Example 6: Monitor Rule for Securing a Metrics Endpoint + +```yaml +spec: + monitor: + - description: Metrics + podSelector: + app.kubernetes.io/name: grafana + portName: service + selector: + app.kubernetes.io/name: grafana + targetPort: 3000 +``` + +```yaml +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: protect-grafana-ingress-grafana-istio-tenant-gateway + namespace: grafana + labels: + uds/package: grafana + uds/generation: "1" +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/name: grafana + rules: + - from: + - source: + namespaces: ["monitoring"] + to: + - operation: + ports: ["3000"] +``` 
diff --git a/docs/reference/configuration/Single Sign-On/auth-service.md b/docs/reference/configuration/Single Sign-On/auth-service.md index c1c29564d2..b0f2ebc688 100644 --- a/docs/reference/configuration/Single Sign-On/auth-service.md +++ b/docs/reference/configuration/Single Sign-On/auth-service.md @@ -30,3 +30,6 @@ The UDS Operator uses the first `redirectUris` to populate the `match.prefix` ho ::: For a complete example, see [app-authservice-tenant.yaml](https://github.com/defenseunicorns/uds-core/blob/main/src/test/app-authservice-tenant.yaml) + +## Limitations: +Authservice is intended for simple, basic protection scenarios where an absolute level of protection is acceptable. For more advanced authentication requirements, you should implement authentication directly in your application or via a more comprehensive solution. diff --git a/docs/reference/configuration/authorization-policies.md b/docs/reference/configuration/authorization-policies.md new file mode 100644 index 0000000000..07bbd0eb5a --- /dev/null +++ b/docs/reference/configuration/authorization-policies.md 
@@ -0,0 +1,99 @@ +--- +title: How Authorization Policies Protect Your Services +sidebar: + order: 3 +--- + +In clusters running Istio Ambient Mesh, UDS‑Core enforces **ingress network security** using Istio **ALLOW** AuthorizationPolicies. These policies are automatically generated for each application package you define with a [UDS Package](https://uds.defenseunicorns.com/reference/configuration/uds-operator/package/) resource. + +This document explains what this means for you as an application developer and how to take full advantage of the built-in security model. + +--- + +## Key Takeaways + +- **Ingress is denied by default.** UDS Core only allows what you explicitly configure using `allow` and `expose` rules. + +- **AuthorizationPolicies are ALLOW-based**, which means you must write **DENY** rules separately if you want to restrict internal traffic further. + +- **Use `remoteServiceAccount` wherever possible.** This provides the most secure and identity-based access control. + +- **Expose rules use gateways** to control what traffic enters your application. You can choose between: + - **Tenant Gateway** (default) + - **Admin Gateway** (used only when absolutely necessary) + +- **Monitoring ports are automatically secured** using rules that only allow the `monitoring` namespace to scrape metrics. + +--- + +## Best Practices for Secure Configuration + +### 1. Lock Down Ingress With `allow` + +```yaml +spec: + network: + allow: + - direction: Ingress + remoteNamespace: "external-app" + remoteServiceAccount: "my-client" + port: 8080 +``` + +> This ensures that only a workload running as this specific service account in another namespace can access your service. + +### 2. Expose Your Service Safely + +```yaml +spec: + network: + expose: + - port: 80 + targetPort: 8080 + gateway: Tenant +``` + +> This exposes your service at port 80 through the tenant gateway and maps it to your app’s port 8080. + +### 3. 
Enable Safe Monitoring + +```yaml +spec: + monitor: + - targetPort: 3000 + selector: + app.kubernetes.io/name: grafana +``` + +> This creates a rule that allows only Prometheus (from the `monitoring` namespace) to scrape your service. + +--- + +## Authservice Guidance + +If you're using Authservice, be aware that it is **only appropriate for simple access scenarios**, such as: + +- Protecting web UIs or dashboards +- Cases where access can be fully granted or denied with no granularity + +--- + +## How Istio Evaluates Policies + +Istio checks **DENY policies first**, then **ALLOW policies**. + +- The operator creates ALLOW policies to admit approved ingress traffic. +- You should create your own DENY policies for more fine-grained control. + +More info: [Istio Authorization Policy Evaluation](https://istio.io/latest/docs/concepts/security/#authorization-policy) + +--- + +## Summary + +- Ingress is denied by default. +- You allow ingress by defining `allow` or `expose` rules in your UDS Package resource definition. +- You can further tighten security using DENY policies. +- Use `remoteServiceAccount` for the strongest protection. +- Authservice is good for simple cases only—use stronger methods for complex needs. + diff --git a/docs/reference/configuration/custom resources/exemptions-v1alpha1-cr.md b/docs/reference/configuration/custom resources/exemptions-v1alpha1-cr.md index 1bd916f82d..2174bda692 100644 --- a/docs/reference/configuration/custom resources/exemptions-v1alpha1-cr.md +++ b/docs/reference/configuration/custom resources/exemptions-v1alpha1-cr.md @@ -2,8 +2,6 @@ title: Exemptions CR (v1alpha1) tableOfContents: maxHeadingLevel: 6 -sidebar: - order: 11 ---
diff --git a/docs/reference/configuration/custom resources/packages-v1alpha1-cr.md b/docs/reference/configuration/custom resources/packages-v1alpha1-cr.md index 06763bcafc..d358027b7f 100644 --- a/docs/reference/configuration/custom resources/packages-v1alpha1-cr.md +++ b/docs/reference/configuration/custom resources/packages-v1alpha1-cr.md @@ -2,8 +2,6 @@ title: Packages CR (v1alpha1) tableOfContents: maxHeadingLevel: 6 -sidebar: - order: 10 ---
@@ -126,7 +124,7 @@ sidebar: - descriptionstringA description of the policy, this will become part of the policy namedirectionstring (enum):
  • Ingress
  • Egress
The direction of the trafficlabelsThe labels to apply to the policypodLabelsDeprecated: use selectorportnumberThe port to allow (protocol is always TCP)portsnumber[]A list of ports to allow (protocol is always TCP)remoteCidrstringCustom generated policy CIDRremoteGeneratedstring (enum):
  • KubeAPI
  • KubeNodes
  • IntraNamespace
  • CloudMetadata
  • Anywhere
Custom generated remote selector for the policyremoteNamespacestringThe remote namespace to allow traffic to/from. Use * or empty string to allow all namespacesremotePodLabelsDeprecated: use remoteSelectorremoteSelectorThe remote pod selector labels to allow traffic to/fromselectorLabels to match pods in the namespace to apply the policy to. Leave empty to apply to all pods in the namespace + descriptionstringA description of the policy, this will become part of the policy namedirectionstring (enum):
  • Ingress
  • Egress
The direction of the trafficlabelsThe labels to apply to the policypodLabelsDeprecated: use selectorportnumberThe port to allow (protocol is always TCP)portsnumber[]A list of ports to allow (protocol is always TCP)remoteCidrstringCustom generated policy CIDRremoteGeneratedstring (enum):
  • KubeAPI
  • KubeNodes
  • IntraNamespace
  • CloudMetadata
  • Anywhere
Custom generated remote selector for the policyremoteNamespacestringThe remote namespace to allow traffic to/from. Use * or empty string to allow all namespacesremotePodLabelsDeprecated: use remoteSelectorremoteSelectorThe remote pod selector labels to allow traffic to/fromremoteServiceAccountstringThe remote service account to restrict incoming traffic from within the remote namespace. Only valid for Ingress rules.selectorLabels to match pods in the namespace to apply the policy to. Leave empty to apply to all pods in the namespace
diff --git a/schemas/package-v1alpha1.schema.json b/schemas/package-v1alpha1.schema.json index 53962944b7..bc79626ccc 100644 --- a/schemas/package-v1alpha1.schema.json +++ b/schemas/package-v1alpha1.schema.json @@ -224,6 +224,10 @@ }, "description": "Labels to match pods in the namespace to apply the policy to. Leave empty to apply to all pods in the namespace\nThe labels to apply to the policy\nDeprecated: use selector\nDeprecated: use remoteSelector\nThe remote pod selector labels to allow traffic to/from\nSpecifies attributes for the client.\nLabels to match pods to automatically protect with authservice. Leave empty to disable authservice protection\nConfiguration options for the mapper.\nA template for the generated secret" }, + "remoteServiceAccount": { + "type": "string", + "description": "The remote service account to restrict incoming traffic from within the remote\nnamespace. Only valid for Ingress rules." + }, "selector": { "type": "object", "additionalProperties": { @@ -958,6 +962,9 @@ "type": "object", "additionalProperties": false, "properties": { + "authorizationPolicyCount": { + "type": "integer" + }, "authserviceClients": { "type": "array", "items": { diff --git a/src/pepr/operator/controllers/keycloak/authservice/authorization-policy.ts b/src/pepr/operator/controllers/keycloak/authservice/authorization-policy.ts index 09db600007..7d6e88f789 100644 --- a/src/pepr/operator/controllers/keycloak/authservice/authorization-policy.ts +++ b/src/pepr/operator/controllers/keycloak/authservice/authorization-policy.ts @@ -68,6 +68,7 @@ function jwtAuthZAuthorizationPolicy( namespace, }, spec: { + action: IstioAction.Deny, selector: { matchLabels: labelSelector, }, @@ -76,7 +77,7 @@ function jwtAuthZAuthorizationPolicy( from: [ { source: { - requestPrincipals: [`https://sso.${UDSConfig.domain}/realms/uds/*`], + notRequestPrincipals: [`https://sso.${UDSConfig.domain}/realms/uds/*`], }, }, ], 
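Review bot: The switch in `jwtAuthZAuthorizationPolicy` to `action: IstioAction.Deny` with `notRequestPrincipals` is the right shape — a DENY is evaluated before any ALLOW, so the gateway-principal ALLOW policies this PR's operator now generates for exposed workloads can no longer admit a request that carries no UDS-realm JWT — but the hunk leaves no comment saying so, and a DENY that lists the trusted issuer reads like a mistake to the next maintainer. I'd add above `action:` something like `// DENY + notRequestPrincipals: reject any request whose JWT is not from the UDS realm, including requests with no JWT at all; an ALLOW form here is bypassed by any other ALLOW policy matching the same workload`. That protection rests on `notRequestPrincipals` matching requests with no principal at all; Istio documents the `["*"]` form for that purpose, so it is worth confirming for a specific issuer in an e2e test rather than assuming, and the spec file added in this PR covers only the network controller, so nothing asserts `spec.action === Deny` for this policy. The rest of `jwtAuthZAuthorizationPolicy` (its parameters and the start of the policy object) lies outside the hunk.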
diff --git a/src/pepr/operator/controllers/network/authorizationPolicies.spec.ts b/src/pepr/operator/controllers/network/authorizationPolicies.spec.ts new file mode 100644 index 0000000000..c22cc40fc6 --- /dev/null +++ b/src/pepr/operator/controllers/network/authorizationPolicies.spec.ts 
@@ -0,0 +1,893 @@ +/** + * Copyright 2025 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + +import { Direction, Gateway, RemoteGenerated, UDSPackage } from "../../crd"; +import { Action, AuthorizationPolicy } from "../../crd/generated/istio/authorizationpolicy-v1beta1"; +import { generateAuthorizationPolicies } from "./authorizationPolicies"; + +jest.mock("../../../logger", () => ({ + setupLogger: () => ({ + debug: jest.fn(), + info: jest.fn(), + error: jest.fn(), + warn: jest.fn(), + trace: jest.fn(), + }), + Component: { + OPERATOR_NETWORK: "OPERATOR_NETWORK", + }, +})); + +jest.mock("pepr", () => ({ + K8s: jest.fn(() => ({ + Apply: jest.fn().mockResolvedValue({}), + InNamespace: jest.fn().mockReturnThis(), + WithLabel: jest.fn().mockReturnThis(), + Get: jest.fn().mockResolvedValue({ items: [] }), + })), +})); + +jest.mock("./generators/cloudMetadata", () => ({ + META_IP: "169.254.169.254/32", +})); + +jest.mock("./generators/kubeAPI", () => ({ + kubeAPI: () => [{ ipBlock: { cidr: "10.0.0.1/32" } }], +})); + +jest.mock("./generators/kubeNodes", () => ({ + kubeNodes: () => [{ ipBlock: { cidr: "192.168.0.0/16" } }], +})); + +describe("authorization policy generation", () => { + test("should generate authpol with ipBlock for CloudMetadata", async () => { + const pkg: UDSPackage = { + metadata: { name: "cloud-metadata-test", namespace: "test-ns", generation: 1 }, + spec: { + network: { + allow: [ + { + direction: Direction.Ingress, + remoteGenerated: RemoteGenerated.CloudMetadata, + selector: { app: "cloud-metadata-test" }, + }, + ], + }, + }, + }; + + const policies = await generateAuthorizationPolicies(pkg, "test-ns"); + expect(policies.length).toBe(1); + const policy = policies[0]; + expect(policy.metadata?.name).toBe( + "protect-cloud-metadata-test-ingress-cloud-metadata-test-cloudmetadata", + ); + expect(policy.spec?.rules?.[0].from?.[0].source).toEqual({ + ipBlocks: ["169.254.169.254/32"], + }); + 
}); + + test("should generate authpol with ipBlock from kubeAPI", async () => { + const pkg: UDSPackage = { + metadata: { name: "kubeapi-test", namespace: "test-ns", generation: 1 }, + spec: { + network: { + allow: [ + { + direction: Direction.Ingress, + remoteGenerated: RemoteGenerated.KubeAPI, + selector: { app: "kubeapi-test" }, + }, + ], + }, + }, + }; + + const policies = await generateAuthorizationPolicies(pkg, "test-ns"); + expect(policies.length).toBe(1); + const policy = policies[0]; + expect(policy.metadata?.name).toBe("protect-kubeapi-test-ingress-kubeapi-test-kubeapi"); + expect(policy.spec?.rules?.[0].from?.[0].source).toEqual({ + ipBlocks: ["10.0.0.1/32"], + }); + }); + + test("should generate authpol with ipBlock from kubeNodes", async () => { + const pkg: UDSPackage = { + metadata: { name: "kubenodes-test", namespace: "test-ns", generation: 1 }, + spec: { + network: { + allow: [ + { + direction: Direction.Ingress, + remoteGenerated: RemoteGenerated.KubeNodes, + selector: { app: "kubenodes-test" }, + }, + ], + }, + }, + }; + + const policies = await generateAuthorizationPolicies(pkg, "test-ns"); + expect(policies.length).toBe(1); + const policy = policies[0]; + expect(policy.metadata?.name).toBe("protect-kubenodes-test-ingress-kubenodes-test-kubenodes"); + expect(policy.spec?.rules?.[0].from?.[0].source).toEqual({ + ipBlocks: ["192.168.0.0/16"], + }); + }); + + test("should generate an authpol with ipBlocks from remoteCidr", async () => { + const pkg: UDSPackage = { + metadata: { name: "curl-pkg-remote-cidr", namespace: "curl-ns-remote-cidr", generation: 1 }, + spec: { + network: { + allow: [ + { + direction: Direction.Ingress, + remoteCidr: "0.0.0.0/0", + selector: { app: "curl-pkg-remote-cidr" }, + }, + ], + }, + }, + }; + + const policies: AuthorizationPolicy[] = await generateAuthorizationPolicies( + pkg, + "curl-ns-remote-cidr", + ); + expect(policies).toHaveLength(1); + const policy = policies[0]; + 
expect(policy.metadata?.namespace).toBe("curl-ns-remote-cidr"); + // The selector should match the rule's selector + expect(policy.spec?.selector?.matchLabels).toEqual({ app: "curl-pkg-remote-cidr" }); + + // The rule should have a "from" block with source containing ipBlocks + expect(policy.spec?.rules).toHaveLength(1); + const rule = policy.spec!.rules![0]; + + // Since remoteCidr was provided, the computed source should use ipBlocks + expect(rule.from).toBeDefined(); + expect(rule.from![0].source).toEqual({ ipBlocks: ["0.0.0.0/0"] }); + + // And no "to" clause should be present because no port was specified + expect(rule.to).toBeUndefined(); + + // Also verify that the action is Allow + expect(policy.spec?.action).toBe(Action.Allow); + }); + + test("should generate two distinct policies for expose and allow rules", async () => { + const pkg: UDSPackage = { + apiVersion: "uds.dev/v1alpha1", + kind: "Package", + metadata: { + name: "httpbin-other", + namespace: "authservice-test-app", + generation: 1, + }, + spec: { + sso: [ + { + name: "Demo SSO", + clientId: "uds-core-httpbin", + redirectUris: ["https://protected.uds.dev/login"], + enableAuthserviceSelector: { app: "httpbin" }, + groups: { anyOf: ["/UDS Core/Admin"] }, + }, + ], + network: { + expose: [ + { + service: "httpbin", + selector: { app: "httpbin" }, + gateway: Gateway.Tenant, + host: "protected", + port: 8000, + targetPort: 80, + }, + ], + allow: [ + { + direction: Direction.Ingress, + selector: { app: "httpbin" }, + ports: [80], + }, + ], + }, + }, + }; + + const policies = await generateAuthorizationPolicies(pkg, "authservice-test-app"); + // We expect exactly two policies: one for the expose rule and one for the allow rule. 
+ expect(policies.length).toBe(2); + + // Allow rule policy (generated via generateAllowName) + const allowPolicy = policies.find( + p => p.metadata?.name === "protect-httpbin-other-ingress-httpbin-default-all-pods", + ); + expect(allowPolicy).toBeDefined(); + expect(allowPolicy!.spec!.action).toBe(Action.Allow); + expect(allowPolicy!.spec!.selector?.matchLabels).toEqual({ app: "httpbin" }); + expect(allowPolicy!.spec!.rules![0].to).toEqual([{ operation: { ports: ["80"] } }]); + + // Expose rule policy (generated via generateExposeName) + const exposePolicy = policies.find( + p => p.metadata?.name === "protect-httpbin-other-ingress-80-httpbin-istio-tenant-gateway", + ); + expect(exposePolicy).toBeDefined(); + expect(exposePolicy!.spec!.action).toBe(Action.Allow); + // For expose, no selector is applied by default + expect(exposePolicy!.spec!.rules![0].from).toEqual([ + { + source: { + principals: ["cluster.local/ns/istio-tenant-gateway/sa/tenant-ingressgateway"], + }, + }, + ]); + expect(exposePolicy!.spec!.rules![0].to).toEqual([{ operation: { ports: ["80"] } }]); + }); + + test("should generate unique AuthorizationPolicies for expose rules with different ports", async () => { + const pkg: UDSPackage = { + metadata: { name: "test-tenant-app", namespace: "test-tenant-app", generation: 1 }, + spec: { + network: { + expose: [ + { + service: "test-tenant-app", + selector: { app: "test-tenant-app" }, + gateway: Gateway.Tenant, + host: "demo-8080", + port: 8080, + }, + { + service: "test-tenant-app", + selector: { app: "test-tenant-app" }, + gateway: Gateway.Tenant, + host: "demo-8081", + port: 8081, + }, + ], + }, + }, + }; + + const policies = await generateAuthorizationPolicies(pkg, "test-tenant-app"); + expect(policies.length).toBe(2); + const names = policies.map(p => p.metadata?.name); + expect(new Set(names).size).toBe(2); + expect(names.some(name => name?.includes("8080"))).toBe(true); + expect(names.some(name => name?.includes("8081"))).toBe(true); + }); + + 
test("should generate correct AuthorizationPolicy for Loki", async () => { + const pkg: UDSPackage = { + metadata: { name: "loki", namespace: "loki", generation: 1 }, + spec: { + network: { + allow: [ + { + direction: Direction.Ingress, + remoteGenerated: RemoteGenerated.IntraNamespace, + // No port provided. + }, + ], + }, + }, + }; + + const policies = await generateAuthorizationPolicies(pkg, "loki"); + // With one allow rule (Ingress/IntraNamespace), expect one policy + expect(policies.length).toBe(1); + const policy = policies[0]; + expect(policy.metadata?.name).toBe("protect-loki-ingress-all-pods-intranamespace"); + expect(policy.metadata?.namespace).toBe("loki"); + expect(policy.spec?.action).toBe(Action.Allow); + // The rule should only have a "from" clause with source { namespaces: ["loki"] } + expect(policy.spec?.rules).toEqual( + expect.arrayContaining([{ from: [{ source: { namespaces: ["loki"] } }] }]), + ); + }); + + test("should generate correct policies for Neuvector", async () => { + const pkg: UDSPackage = { + metadata: { name: "neuvector", namespace: "neuvector", generation: 1 }, + spec: { + network: { + expose: [ + { + service: "neuvector-service-webui", + selector: { app: "neuvector-manager-pod" }, + gateway: Gateway.Admin, + host: "neuvector", + port: 8443, + }, + ], + allow: [ + { direction: Direction.Ingress, remoteGenerated: RemoteGenerated.IntraNamespace }, + { direction: Direction.Egress, remoteGenerated: RemoteGenerated.IntraNamespace }, // Skipped. 
+ { + direction: Direction.Ingress, + remoteGenerated: RemoteGenerated.Anywhere, + selector: { app: "neuvector-controller-pod" }, + port: 30443, + description: "Webhook", + }, + ], + }, + }, + }; + + const policies = await generateAuthorizationPolicies(pkg, "neuvector"); + // With the current per-rule design we expect three policies + expect(policies.length).toBe(3); + + // Policy for the IntraNamespace allow rule (no selector) + const nsPolicy = policies.find( + p => p.metadata?.name === "protect-neuvector-ingress-all-pods-intranamespace", + ); + expect(nsPolicy).toBeDefined(); + expect(nsPolicy?.metadata?.namespace).toBe("neuvector"); + expect(nsPolicy?.spec?.action).toBe(Action.Allow); + expect(nsPolicy?.spec?.rules).toEqual( + expect.arrayContaining([{ from: [{ source: { namespaces: ["neuvector"] } }] }]), + ); + + // Policy for the controller allow rule ("Webhook") + const controllerPolicy = policies.find( + p => p.metadata?.name === "protect-neuvector-ingress-webhook", + ); + expect(controllerPolicy).toBeDefined(); + expect(controllerPolicy?.spec?.selector?.matchLabels).toEqual({ + app: "neuvector-controller-pod", + }); + expect(controllerPolicy?.spec?.action).toBe(Action.Allow); + expect(controllerPolicy?.spec?.rules).toEqual( + expect.arrayContaining([{ to: [{ operation: { ports: ["30443"] } }] }]), + ); + + // Policy for the expose rule (should use default base name) + const exposePolicy = policies.find( + p => + p.metadata?.name === + "protect-neuvector-ingress-8443-neuvector-manager-pod-istio-admin-gateway", + ); + expect(exposePolicy).toBeDefined(); + expect(exposePolicy?.spec?.selector?.matchLabels).toEqual({ app: "neuvector-manager-pod" }); + expect(exposePolicy?.spec?.action).toBe(Action.Allow); + expect(exposePolicy?.spec?.rules).toEqual( + expect.arrayContaining([ + { + from: [ + { + source: { + principals: ["cluster.local/ns/istio-admin-gateway/sa/admin-ingressgateway"], + }, + }, + ], + to: [{ operation: { ports: ["8443"] } }], + }, + ]), + ); + 
}); + + test("should generate correct AuthorizationPolicies for Vector", async () => { + const pkg: UDSPackage = { + metadata: { name: "vector", namespace: "vector", generation: 1 }, + spec: { + network: { + allow: [ + { + direction: Direction.Ingress, + selector: { "app.kubernetes.io/name": "vector" }, + remoteNamespace: "monitoring", + remoteSelector: { "app.kubernetes.io/name": "prometheus" }, + port: 9090, + description: "Prometheus Metrics", + }, + ], + }, + }, + }; + + const policies = await generateAuthorizationPolicies(pkg, "vector"); + expect(policies.length).toBe(1); + const policy = policies[0]; + expect(policy.metadata?.name).toBe("protect-vector-ingress-prometheus-metrics"); + expect(policy.spec?.action).toBe(Action.Allow); + expect(policy.spec?.selector?.matchLabels).toEqual({ "app.kubernetes.io/name": "vector" }); + expect(policy.spec?.rules).toEqual( + expect.arrayContaining([ + { + from: [{ source: { namespaces: ["monitoring"] } }], + to: [{ operation: { ports: ["9090"] } }], + }, + ]), + ); + }); + + test("should generate correct AuthorizationPolicies for Velero", async () => { + const pkg: UDSPackage = { + metadata: { name: "velero", namespace: "velero", generation: 1 }, + spec: { + network: { + allow: [ + { + direction: Direction.Ingress, + selector: { "app.kubernetes.io/name": "velero" }, + remoteNamespace: "monitoring", + remoteSelector: { "app.kubernetes.io/name": "prometheus" }, + port: 8085, + description: "Protected Apps", + }, + ], + }, + }, + }; + + const policies = await generateAuthorizationPolicies(pkg, "velero"); + // Expect one policy + expect(policies.length).toBe(1); + const policy = policies[0]; + expect(policy.metadata?.name).toBe("protect-velero-ingress-protected-apps"); + expect(policy.metadata?.namespace).toBe("velero"); + expect(policy.spec?.action).toBe(Action.Allow); + expect(policy.spec?.selector?.matchLabels).toEqual({ "app.kubernetes.io/name": "velero" }); + expect(policy.spec?.rules).toEqual( + expect.arrayContaining([ 
+ { + from: [{ source: { namespaces: ["monitoring"] } }], + to: [{ operation: { ports: ["8085"] } }], + }, + ]), + ); + }); + + test("should generate correct AuthorizationPolicies for Authservice", async () => { + const pkg: UDSPackage = { + metadata: { name: "authservice", namespace: "authservice", generation: 1 }, + spec: { + network: { + allow: [ + { direction: Direction.Ingress, remoteGenerated: RemoteGenerated.IntraNamespace }, + { direction: Direction.Egress, remoteGenerated: RemoteGenerated.IntraNamespace }, + { + direction: Direction.Ingress, + selector: { "app.kubernetes.io/name": "authservice" }, + remoteNamespace: "", + port: 10003, + description: "Protected Apps", + }, + ], + }, + }, + }; + + const policies = await generateAuthorizationPolicies(pkg, "authservice"); + // Expect two policies + expect(policies.length).toBe(2); + const nsPolicy = policies.find( + p => p.metadata?.name === "protect-authservice-ingress-all-pods-intranamespace", + ); + expect(nsPolicy).toBeDefined(); + expect(nsPolicy!.metadata?.namespace).toBe("authservice"); + expect(nsPolicy!.spec?.action).toBe(Action.Allow); + expect(nsPolicy!.spec?.rules).toEqual( + expect.arrayContaining([{ from: [{ source: { namespaces: ["authservice"] } }] }]), + ); + + const workloadPolicy = policies.find( + p => p.metadata?.name === "protect-authservice-ingress-protected-apps", + ); + expect(workloadPolicy).toBeDefined(); + expect(workloadPolicy!.spec?.selector?.matchLabels).toEqual({ + "app.kubernetes.io/name": "authservice", + }); + expect(workloadPolicy!.spec?.action).toBe(Action.Allow); + expect(workloadPolicy!.spec?.rules).toEqual( + expect.arrayContaining([{ to: [{ operation: { ports: ["10003"] } }] }]), + ); + }); + + test("should generate correct AuthorizationPolicies for Prometheus-Stack", async () => { + const pkg: UDSPackage = { + metadata: { name: "prometheus-stack", namespace: "monitoring", generation: 1 }, + spec: { + network: { + allow: [ + { direction: Direction.Ingress, 
remoteGenerated: RemoteGenerated.IntraNamespace }, + { + direction: Direction.Ingress, + selector: { "app.kubernetes.io/name": "prometheus" }, + remoteNamespace: "grafana", + remoteSelector: { "app.kubernetes.io/name": "grafana" }, + port: 9090, + }, + { + direction: Direction.Ingress, + selector: { app: "kube-prometheus-stack-operator" }, + remoteGenerated: RemoteGenerated.Anywhere, + port: 10250, + description: "Webhook", + }, + ], + }, + }, + }; + + const policies = await generateAuthorizationPolicies(pkg, "monitoring"); + // Expect three policies + expect(policies.length).toBe(3); + const nsPolicy = policies.find( + p => p.metadata?.name === "protect-prometheus-stack-ingress-all-pods-intranamespace", + ); + expect(nsPolicy).toBeDefined(); + expect(nsPolicy!.metadata?.namespace).toBe("monitoring"); + expect(nsPolicy!.spec?.action).toBe(Action.Allow); + expect(nsPolicy!.spec?.rules).toEqual( + expect.arrayContaining([{ from: [{ source: { namespaces: ["monitoring"] } }] }]), + ); + + const promPolicy = policies.find( + p => p.metadata?.name === "protect-prometheus-stack-ingress-prometheus-grafana-grafana", + ); + expect(promPolicy).toBeDefined(); + expect(promPolicy!.spec?.selector?.matchLabels).toEqual({ + "app.kubernetes.io/name": "prometheus", + }); + expect(promPolicy!.spec?.action).toBe(Action.Allow); + expect(promPolicy!.spec?.rules).toEqual( + expect.arrayContaining([ + { + from: [{ source: { namespaces: ["grafana"] } }], + to: [{ operation: { ports: ["9090"] } }], + }, + ]), + ); + + const operatorPolicy = policies.find( + p => p.metadata?.name === "protect-prometheus-stack-ingress-webhook", + ); + expect(operatorPolicy).toBeDefined(); + expect(operatorPolicy!.spec?.selector?.matchLabels).toEqual({ + app: "kube-prometheus-stack-operator", + }); + expect(operatorPolicy!.spec?.action).toBe(Action.Allow); + expect(operatorPolicy!.spec?.rules).toEqual( + expect.arrayContaining([{ to: [{ operation: { ports: ["10250"] } }] }]), + ); + }); + + test("should 
generate correct AuthorizationPolicies for Grafana including monitor block", async () => { + const pkg: UDSPackage = { + metadata: { name: "grafana", namespace: "grafana", generation: 1 }, + spec: { + monitor: [ + { + description: "Metrics", + podSelector: { "app.kubernetes.io/name": "grafana" }, + selector: { "app.kubernetes.io/name": "grafana" }, + targetPort: 3000, + portName: "80", + }, + ], + network: { + expose: [ + { + service: "grafana", + selector: { "app.kubernetes.io/name": "grafana" }, + host: "grafana", + gateway: Gateway.Admin, + port: 80, + targetPort: 3000, + }, + ], + allow: [ + { + direction: Direction.Ingress, + remoteGenerated: RemoteGenerated.IntraNamespace, + ports: [3000], + }, + ], + }, + }, + }; + + const policies = await generateAuthorizationPolicies(pkg, "grafana"); + // Expect three policies: one from expose, one from allow, and one monitor policy + expect(policies.length).toBe(3); + const exposePolicy = policies.find( + p => p.metadata?.name === "protect-grafana-ingress-3000-grafana-istio-admin-gateway", + ); + expect(exposePolicy).toBeDefined(); + expect(exposePolicy!.spec?.selector?.matchLabels).toEqual({ + "app.kubernetes.io/name": "grafana", + }); + expect(exposePolicy!.spec?.action).toBe(Action.Allow); + expect(exposePolicy!.spec?.rules).toEqual( + expect.arrayContaining([ + { + from: [ + { + source: { + principals: ["cluster.local/ns/istio-admin-gateway/sa/admin-ingressgateway"], + }, + }, + ], + to: [{ operation: { ports: ["3000"] } }], + }, + ]), + ); + + const nsPolicy = policies.find( + p => p.metadata?.name === "protect-grafana-ingress-all-pods-intranamespace", + ); + expect(nsPolicy).toBeDefined(); + expect(nsPolicy!.metadata?.namespace).toBe("grafana"); + expect(nsPolicy!.spec?.action).toBe(Action.Allow); + expect(nsPolicy!.spec?.rules).toEqual( + expect.arrayContaining([ + { + from: [{ source: { namespaces: ["grafana"] } }], + to: [{ operation: { ports: ["3000"] } }], + }, + ]), + ); + + const monitorPolicy = 
policies.find( + p => p.metadata?.name === "protect-grafana-monitor-3000-grafana-workload", + ); + expect(monitorPolicy).toBeDefined(); + expect(monitorPolicy!.metadata?.namespace).toBe("grafana"); + expect(monitorPolicy!.spec?.action).toBe(Action.Allow); + expect(monitorPolicy!.spec?.selector?.matchLabels).toEqual({ + "app.kubernetes.io/name": "grafana", + }); + expect(monitorPolicy!.spec?.rules).toEqual( + expect.arrayContaining([ + { + from: [ + { + source: { + principals: ["cluster.local/ns/monitoring/sa/kube-prometheus-stack-prometheus"], + }, + }, + ], + to: [{ operation: { ports: ["3000"] } }], + }, + ]), + ); + }); + + test("should generate correct AuthorizationPolicies for Keycloak", async () => { + const pkg: UDSPackage = { + metadata: { name: "keycloak", namespace: "keycloak", generation: 1 }, + spec: { + monitor: [ + { + description: "Metrics", + podSelector: { "app.kubernetes.io/name": "keycloak" }, + selector: { + "app.kubernetes.io/name": "keycloak", + "app.kubernetes.io/component": "http", + }, + targetPort: 9000, + portName: "http-metrics", + }, + ], + network: { + allow: [ + { + description: "UDS Operator", + direction: Direction.Ingress, + selector: { "app.kubernetes.io/name": "keycloak" }, + remoteNamespace: "pepr-system", + remoteSelector: { app: "pepr-uds-core-watcher" }, + port: 8080, + }, + { + description: "Keycloak backchannel access", + direction: Direction.Ingress, + selector: { "app.kubernetes.io/name": "keycloak" }, + remoteNamespace: "*", + port: 8080, + }, + { + description: "OCSP Lookup", + direction: Direction.Egress, + selector: { "app.kubernetes.io/name": "keycloak" }, + ports: [443, 80], + remoteGenerated: RemoteGenerated.Anywhere, + }, + ], + expose: [ + { + description: "remove private paths from public gateway", + host: "sso", + service: "keycloak-http", + selector: { "app.kubernetes.io/name": "keycloak" }, + port: 8080, + advancedHTTP: { + match: [ + { name: "redirect-welcome", uri: { exact: "/" } }, + { name: 
"redirect-admin", uri: { prefix: "/admin" } }, + { name: "redirect-master-realm", uri: { prefix: "/realms/master" } }, + { name: "redirect-metrics", uri: { prefix: "/metrics" } }, + ], + redirect: { uri: "/realms/uds/account" }, + headers: { + request: { + remove: ["istio-mtls-client-certificate"], + add: { "istio-mtls-client-certificate": "%DOWNSTREAM_PEER_CERT%" }, + }, + }, + }, + }, + { + description: "public auth access with optional client certificate", + service: "keycloak-http", + selector: { "app.kubernetes.io/name": "keycloak" }, + host: "sso", + port: 8080, + advancedHTTP: { + headers: { + request: { + remove: ["istio-mtls-client-certificate"], + add: { "istio-mtls-client-certificate": "%DOWNSTREAM_PEER_CERT%" }, + }, + }, + }, + }, + { + description: "admin access with optional client certificate", + service: "keycloak-http", + selector: { "app.kubernetes.io/name": "keycloak" }, + gateway: Gateway.Admin, + host: "keycloak", + port: 8080, + advancedHTTP: { + headers: { + request: { + remove: ["istio-mtls-client-certificate"], + add: { "istio-mtls-client-certificate": "%DOWNSTREAM_PEER_CERT%" }, + }, + }, + }, + }, + ], + }, + }, + }; + + const policies = await generateAuthorizationPolicies(pkg, "keycloak"); + // We expect 6 policies + expect(policies.length).toBe(6); + + // 1. UDS Operator allow rule + const udsOperatorPol = policies.find( + p => p.metadata?.name === "protect-keycloak-ingress-uds-operator", + ); + expect(udsOperatorPol).toBeDefined(); + expect(udsOperatorPol?.spec?.selector?.matchLabels).toEqual({ + "app.kubernetes.io/name": "keycloak", + }); + expect(udsOperatorPol?.spec?.rules).toEqual( + expect.arrayContaining([ + { + from: [{ source: { namespaces: ["pepr-system"] } }], + to: [{ operation: { ports: ["8080"] } }], + }, + ]), + ); + + // 2. 
Keycloak backchannel access allow rule + const backchannelPol = policies.find( + p => p.metadata?.name === "protect-keycloak-ingress-keycloak-backchannel-access", + ); + expect(backchannelPol).toBeDefined(); + expect(backchannelPol?.spec?.selector?.matchLabels).toEqual({ + "app.kubernetes.io/name": "keycloak", + }); + expect(backchannelPol?.spec?.rules).toEqual( + expect.arrayContaining([{ to: [{ operation: { ports: ["8080"] } }] }]), + ); + + // 3. Expose rule: remove private paths from public gateway + const removePathsPol = policies.find( + p => p.metadata?.name === "protect-keycloak-ingress-8080-keycloak-istio-tenant-gateway", + ); + expect(removePathsPol).toBeDefined(); + expect(removePathsPol?.spec?.selector?.matchLabels).toEqual({ + "app.kubernetes.io/name": "keycloak", + }); + expect(removePathsPol?.spec?.rules).toEqual( + expect.arrayContaining([ + { + from: [ + { + source: { + principals: ["cluster.local/ns/istio-tenant-gateway/sa/tenant-ingressgateway"], + }, + }, + ], + to: [{ operation: { ports: ["8080"] } }], + }, + ]), + ); + + // 4. Expose rule: public auth access with optional client certificate + const publicAuthPol = policies.find( + p => p.metadata?.name === "protect-keycloak-ingress-8080-keycloak-istio-tenant-gateway", + ); + expect(publicAuthPol).toBeDefined(); + expect(publicAuthPol?.spec?.selector?.matchLabels).toEqual({ + "app.kubernetes.io/name": "keycloak", + }); + expect(publicAuthPol?.spec?.rules).toEqual( + expect.arrayContaining([ + { + from: [ + { + source: { + principals: ["cluster.local/ns/istio-tenant-gateway/sa/tenant-ingressgateway"], + }, + }, + ], + to: [{ operation: { ports: ["8080"] } }], + }, + ]), + ); + + // 5. 
Expose rule: admin access with optional client certificate + const adminAuthPol = policies.find( + p => p.metadata?.name === "protect-keycloak-ingress-8080-keycloak-istio-admin-gateway", + ); + expect(adminAuthPol).toBeDefined(); + expect(adminAuthPol?.spec?.selector?.matchLabels).toEqual({ + "app.kubernetes.io/name": "keycloak", + }); + expect(adminAuthPol?.spec?.rules).toEqual( + expect.arrayContaining([ + { + from: [ + { + source: { + principals: ["cluster.local/ns/istio-admin-gateway/sa/admin-ingressgateway"], + }, + }, + ], + to: [{ operation: { ports: ["8080"] } }], + }, + ]), + ); + + // 6. Monitor rule: Metrics + const monitorPol = policies.find( + p => p.metadata?.name === "protect-keycloak-monitor-9000-keycloak-workload", + ); + expect(monitorPol).toBeDefined(); + expect(monitorPol?.metadata?.namespace).toBe("keycloak"); + expect(monitorPol?.spec?.action).toBe(Action.Allow); + expect(monitorPol?.spec?.selector?.matchLabels).toEqual({ + "app.kubernetes.io/name": "keycloak", + }); + expect(monitorPol?.spec?.rules).toEqual( + expect.arrayContaining([ + { + from: [ + { + source: { + principals: ["cluster.local/ns/monitoring/sa/kube-prometheus-stack-prometheus"], + }, + }, + ], + to: [{ operation: { ports: ["9000"] } }], + }, + ]), + ); + }); +}); diff --git a/src/pepr/operator/controllers/network/authorizationPolicies.ts b/src/pepr/operator/controllers/network/authorizationPolicies.ts new file mode 100644 index 0000000000..3b9e3f5bed --- /dev/null +++ b/src/pepr/operator/controllers/network/authorizationPolicies.ts 
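Review bot: The Vector and Velero cases assert that a rule with `remoteSelector: { "app.kubernetes.io/name": "prometheus" }` yields a source of only `namespaces: ["monitoring"]`, so the pod-label selector is silently dropped and the L7 policy admits every workload in `monitoring` — wider than the NetworkPolicy generated from the same rule. That is presumably a limitation of Istio's `source` (no pod-label match) rather than a bug, but the tests should say so, e.g. `// remoteSelector cannot be expressed in an AuthorizationPolicy source; the policy widens to the whole remote namespace — use remoteServiceAccount to narrow it`, and one case should cover `remoteServiceAccount` producing a `principals` entry, since that is the field this PR adds to the schema. Separately, in the Keycloak case the "remove private paths" and "public auth access" expose rules both resolve to `protect-keycloak-ingress-8080-keycloak-istio-tenant-gateway`, so steps 3 and 4 assert the same object twice and the test never notices that two rules collide on one policy name; an `expect(new Set(policies.map(p => p.metadata?.name)).size).toBe(policies.length)` would surface that.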
@@ -0,0 +1,285 @@ +/** + * Copyright 2025 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + +import { K8s } from "pepr"; +import { Component, setupLogger } from "../../../logger"; +import { Allow, Expose, Gateway, Monitor, RemoteGenerated, UDSPackage } from "../../crd"; +import { + Action, + AuthorizationPolicy, + Rule, + Source, +} from "../../crd/generated/istio/authorizationpolicy-v1beta1"; +import { getOwnerRef, purgeOrphans, sanitizeResourceName } from "../utils"; +import { META_IP } from "./generators/cloudMetadata"; +import { kubeAPI } from "./generators/kubeAPI"; +import { kubeNodes } from "./generators/kubeNodes"; + +const log = setupLogger(Component.OPERATOR_NETWORK); + +// Constants for gateway principals. +const ADMIN_INGRESS = "cluster.local/ns/istio-admin-gateway/sa/admin-ingressgateway"; +const TENANT_INGRESS = "cluster.local/ns/istio-tenant-gateway/sa/tenant-ingressgateway"; +const PASSTHROUGH_INGRESS = + "cluster.local/ns/istio-passthrough-gateway/sa/passthrough-ingressgateway"; +const PROMETHEUS_PRINCIPAL = "cluster.local/ns/monitoring/sa/kube-prometheus-stack-prometheus"; + +/** + * Generates a unique name for a Monitor rule. + * Combines the target port and a derived name from the pod selector or fallback selector. + * Prioritizes "app" or "app.kubernetes.io/name" label values to form a stable, readable base. + * Falls back to joining all selector values, or "workload" if none exist. + */ +function generateMonitorName(monitor: Monitor): string { + const selector = monitor.podSelector ?? monitor.selector ?? {}; + const portPart = monitor.targetPort?.toString() ?? "unknown-port"; + const baseName = + selector["app"]?.replace(/-pod$/, "") ?? + (selector["app.kubernetes.io/name"] + ? selector["app.kubernetes.io/name"].replace(/-pod$/, "") + "-workload" + : undefined) ?? 
+ (Object.values(selector).join("-") || "workload"); + return `monitor-${portPart}-${baseName}`; +} + +/** + * Generates a unique name for an Allow rule. + * Uses the description if provided; otherwise a combination of the selector values + * and remote properties is used. + */ +function generateAllowName(rule: Allow): string { + const { description, selector, remoteGenerated, remoteNamespace, remoteSelector } = rule; + const baseName = + description || + [ + Object.values(selector || { default: "all pods" }).join("-"), + remoteGenerated || [ + remoteNamespace || "default", + Object.values(remoteSelector || { default: "all pods" }).join("-"), + ], + ] + .flat() + .join("-"); + return `ingress-${baseName}`; +} + +/** + * Generates a unique name for an Expose rule using effective port, selector, and gateway. + */ +function generateExposeName(rule: Expose): string { + const effectivePort = rule.targetPort ?? rule.port; + const selPart = rule.selector ? Object.values(rule.selector).join("-") : "all"; + const gateway = rule.gateway || "tenant"; + return `ingress-${effectivePort}-${selPart}-istio-${gateway}-gateway`; +} + +/** + * Processes an Allow rule to extract its effective source and ports. 
+ */ +function processAllowRule(rule: Allow, pkgNamespace: string): { source: Source; ports: string[] } { + const ports: string[] = []; + if (rule.port !== undefined) ports.push(rule.port.toString()); + if (rule.ports) ports.push(...rule.ports.map(p => p.toString())); + + let source: Source = {}; + + const hasRemoteSA = rule.remoteServiceAccount?.trim(); + const hasRemoteNS = rule.remoteNamespace?.trim(); + + if (hasRemoteSA) { + const ns = hasRemoteNS || pkgNamespace; + source = { + principals: [`cluster.local/ns/${ns}/sa/${rule.remoteServiceAccount}`], + }; + } else if (rule.remoteCidr) { + source = { ipBlocks: [rule.remoteCidr] }; + } else if (rule.remoteGenerated) { + switch (rule.remoteGenerated) { + case RemoteGenerated.CloudMetadata: + source = { ipBlocks: [META_IP] }; + break; + case RemoteGenerated.KubeAPI: + source = { + ipBlocks: kubeAPI() + .map((peer: { ipBlock?: { cidr: string } }) => peer.ipBlock?.cidr) + .filter((cidr): cidr is string => typeof cidr === "string"), + }; + break; + case RemoteGenerated.KubeNodes: + source = { + ipBlocks: kubeNodes() + .map((peer: { ipBlock?: { cidr: string } }) => peer.ipBlock?.cidr) + .filter((cidr): cidr is string => typeof cidr === "string"), + }; + break; + case RemoteGenerated.IntraNamespace: + source = { namespaces: [pkgNamespace] }; + break; + case RemoteGenerated.Anywhere: + source = {}; + break; + } + } else if (rule.remoteNamespace === "" || rule.remoteNamespace === "*") { + source = {}; + } else if (rule.remoteNamespace) { + source = { namespaces: [rule.remoteNamespace] }; + } + return { source, ports }; +} + +/** + * Processes an Expose rule to extract its effective source and ports. + */ +function processExposeRule(rule: Expose): { source: Source; ports: string[] } { + const ports: string[] = []; + const effectivePort = rule.targetPort ?? rule.port; + if (effectivePort !== undefined) { + ports.push(effectivePort.toString()); + } + const source = + rule.gateway === Gateway.Admin + ? 
{ principals: [ADMIN_INGRESS] } + : rule.gateway === Gateway.Passthrough + ? { principals: [PASSTHROUGH_INGRESS] } + : { principals: [TENANT_INGRESS] }; + return { source, ports }; +} + +/** + * Helper to determine if an object is empty. + */ +function isEmpty(obj: object): boolean { + return Object.keys(obj).length === 0; +} + +/** + * Helper to build an AuthorizationPolicy from rule details. + * If the computed source is empty, the "from" field is omitted. + */ +function buildAuthPolicy( + policyName: string, + pkg: UDSPackage, + selector: Record | undefined, + source: Source, + ports: string[], + additionalLabels?: Record, +): AuthorizationPolicy { + const ruleEntry: Rule = {}; + if (!isEmpty(source)) { + ruleEntry.from = [{ source }]; + } + if (ports.length > 0) { + ruleEntry.to = [{ operation: { ports } }]; + } + + const pkgName = pkg.metadata?.name ?? "unknown"; + const pkgNamespace = pkg.metadata?.namespace ?? "default"; + const generation = pkg.metadata?.generation?.toString() ?? "0"; + + return { + apiVersion: "security.istio.io/v1beta1", + kind: "AuthorizationPolicy", + metadata: { + name: policyName, + namespace: pkgNamespace, + labels: { + "uds/package": pkgName, + "uds/generation": generation, + "uds/for": "network", + ...additionalLabels, + }, + ownerReferences: getOwnerRef(pkg), + }, + spec: { + action: Action.Allow, + ...(selector ? { selector: { matchLabels: selector } } : {}), + rules: [ruleEntry], + }, + }; +} + +/** + * Generate and apply Istio Authorization Policies for a given UDSPackage. + */ +export async function generateAuthorizationPolicies( + pkg: UDSPackage, + pkgNamespace: string, +): Promise { + const pkgName = pkg.metadata?.name ?? "unknown"; + const generation = pkg.metadata?.generation?.toString() ?? "0"; + log.info( + `Starting authorization policy generation for package "${pkgName}" in namespace "${pkgNamespace}" (generation ${generation}).`, + ); + + const policies: AuthorizationPolicy[] = []; + + // Process allow rules. 
+ if (pkg.spec?.network?.allow) { + for (const rule of pkg.spec.network.allow) { + if (rule.direction === "Egress") continue; + const { source, ports } = processAllowRule(rule, pkgNamespace); + const policyName = sanitizeResourceName(`protect-${pkgName}-${generateAllowName(rule)}`); + const additionalLabels: Record | undefined = rule.remoteGenerated + ? { "uds/generated": rule.remoteGenerated } + : undefined; + const authPolicy = buildAuthPolicy( + policyName, + pkg, + rule.selector, + source, + ports, + additionalLabels, + ); + policies.push(authPolicy); + log.trace(`Generated authpol: ${authPolicy.metadata?.name}`); + } + } + + // Process expose rules. + if (pkg.spec?.network?.expose) { + for (const rule of pkg.spec.network.expose) { + const { source, ports } = processExposeRule(rule); + const policyName = sanitizeResourceName(`protect-${pkgName}-${generateExposeName(rule)}`); + const authPolicy = buildAuthPolicy(policyName, pkg, rule.selector, source, ports); + policies.push(authPolicy); + log.trace(`Generated authpol: ${authPolicy.metadata?.name}`); + } + } + + // Process monitor rules. + if (pkg.spec?.monitor) { + for (const monitor of pkg.spec.monitor) { + const selector = monitor.podSelector ?? monitor.selector; + const source: Source = { principals: [PROMETHEUS_PRINCIPAL] }; + const ports: string[] = [monitor.targetPort.toString()]; + const policyName = sanitizeResourceName(`protect-${pkgName}-${generateMonitorName(monitor)}`); + const authPolicy = buildAuthPolicy(policyName, pkg, selector, source, ports); + policies.push(authPolicy); + log.trace(`Generated monitor authpol: ${authPolicy.metadata?.name}`); + } + } + + // Apply policies concurrently. 
+ for (const policy of policies) { + try { + await K8s(AuthorizationPolicy).Apply(policy, { force: true }); + log.trace( + `Applied AuthorizationPolicy ${policy.metadata?.name} in namespace ${policy.metadata?.namespace}`, + ); + } catch (err) { + log.error( + err, + `Error applying AuthorizationPolicy ${policy.metadata?.name} in namespace ${policy.metadata?.namespace}`, + ); + throw err; // Rethrow to fail the reconciliation process. + } + } + + await purgeOrphans(generation, pkgNamespace, pkgName, AuthorizationPolicy, log, { + "uds/for": "network", + }); + + return policies; +} diff --git a/src/pepr/operator/controllers/network/generators/kubeAPI.spec.ts b/src/pepr/operator/controllers/network/generators/kubeAPI.spec.ts index 0de63061d3..c2adb43e7b 100644 --- a/src/pepr/operator/controllers/network/generators/kubeAPI.spec.ts +++ b/src/pepr/operator/controllers/network/generators/kubeAPI.spec.ts @@ -5,7 +5,12 @@ import { beforeEach, describe, expect, it, jest } from "@jest/globals"; import { K8s, kind } from "pepr"; -import { updateAPIServerCIDR, updateKubeAPINetworkPolicies } from "./kubeAPI"; +import { AuthorizationPolicy } from "../../../crd/generated/istio/authorizationpolicy-v1beta1"; +import { + updateAPIServerCIDR, + updateKubeAPIAuthorizationPolicies, + updateKubeAPINetworkPolicies, +} from "./kubeAPI"; type KubernetesList = { items: T[]; 
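Review bot: In processAllowRule the service-account principal is built from the untrimmed `rule.remoteServiceAccount` even though the guard (`hasRemoteSA`) trims it, so a value with stray whitespace yields a principal that can never match; use the trimmed value, `principals: [\`cluster.local/ns/${ns}/sa/${hasRemoteSA}\`]`. Note also that `remoteSelector` is never consulted in this function (an Istio source can only be expressed as principals, namespaces or IP blocks), so an Allow rule scoped to a remote pod selector produces a policy admitting the whole remote namespace, and when `remoteNamespace` is omitted the source stays `{}` and buildAuthPolicy drops `from`, which in an ALLOW policy admits any source — confirm that matches the NetworkPolicy generator's default for that case. A comment on the remoteServiceAccount branch such as `// remoteSelector cannot be expressed here; only the L4 NetworkPolicy enforces it — prefer remoteServiceAccount for L7 scoping` would make this visible to package authors. Finally, `// Apply policies concurrently.` is inaccurate: the loop awaits each Apply sequentially.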
@@ -575,3 +580,96 @@ describe("updateKubeAPINetworkPolicies", () => { expect(mockApply).not.toHaveBeenCalled(); // No policies to update }); }); + +describe("updateKubeAPIAuthorizationPolicies", () => { + beforeEach(() => { + jest.clearAllMocks(); + }); + + it("should not update a policy if ipBlocks are already correct", async () => { + const newPeers = [{ ipBlock: { cidr: "10.0.0.1/32" } }, { ipBlock: { cidr: "10.0.0.2/32" } }]; + + // Simulate a policy that already has the correct ipBlocks. + mockGet.mockResolvedValue({ + items: [ + { + metadata: { name: "authpol-1", namespace: "default" }, + spec: { + rules: [{ from: [{ source: { ipBlocks: ["10.0.0.1/32", "10.0.0.2/32"] } }] }], + }, + }, + ], + } as unknown as KubernetesList); + + await updateKubeAPIAuthorizationPolicies(newPeers); + + expect(mockApply).not.toHaveBeenCalled(); + }); + + it("should update a policy if ipBlocks are outdated", async () => { + const newPeers = [{ ipBlock: { cidr: "10.0.0.1/32" } }, { ipBlock: { cidr: "10.0.0.2/32" } }]; + + // Simulate a policy that currently has outdated ipBlocks. + mockGet.mockResolvedValue({ + items: [ + { + metadata: { name: "authpol-1", namespace: "default", managedFields: {} }, + spec: { + rules: [{ from: [{ source: { ipBlocks: ["192.168.1.0/32"] } }] }], + }, + }, + ], + } as unknown as KubernetesList); + + await updateKubeAPIAuthorizationPolicies(newPeers); + + expect(mockApply).toHaveBeenCalled(); + const updatedPolicy = mockApply.mock.calls[0][0] as AuthorizationPolicy; + expect(updatedPolicy.spec!.rules![0].from![0].source!.ipBlocks).toEqual([ + "10.0.0.1/32", + "10.0.0.2/32", + ]); + }); + + it("should create a 'from' entry if missing", async () => { + const newPeers = [{ ipBlock: { cidr: "10.0.0.1/32" } }]; + + // Simulate a policy with no 'from' field in its rule. 
+ mockGet.mockResolvedValue({ + items: [ + { + metadata: { name: "authpol-2", namespace: "default", managedFields: {} }, + spec: { + rules: [{}], + }, + }, + ], + } as unknown as KubernetesList); + + await updateKubeAPIAuthorizationPolicies(newPeers); + + expect(mockApply).toHaveBeenCalled(); + const updatedPolicy = mockApply.mock.calls[0][0] as AuthorizationPolicy; + expect(updatedPolicy.spec!.rules![0].from![0].source!.ipBlocks).toEqual(["10.0.0.1/32"]); + }); + + it("should log a warning for policies with missing rules and not update", async () => { + const newPeers = [{ ipBlock: { cidr: "10.0.0.1/32" } }]; + + // Simulate a policy that has an empty rules array. + mockGet.mockResolvedValue({ + items: [ + { + metadata: { name: "authpol-3", namespace: "default" }, + spec: { + rules: [], + }, + }, + ], + } as unknown as KubernetesList); + + await updateKubeAPIAuthorizationPolicies(newPeers); + + expect(mockApply).not.toHaveBeenCalled(); + }); +}); diff --git a/src/pepr/operator/controllers/network/generators/kubeAPI.ts b/src/pepr/operator/controllers/network/generators/kubeAPI.ts index 6e90e0d922..180cc2497a 100644 --- a/src/pepr/operator/controllers/network/generators/kubeAPI.ts +++ b/src/pepr/operator/controllers/network/generators/kubeAPI.ts @@ -9,6 +9,7 @@ import { K8s, kind, R } from "pepr"; import { UDSConfig } from "../../../../config"; import { Component, setupLogger } from "../../../../logger"; import { RemoteGenerated } from "../../../crd"; +import { AuthorizationPolicy } from "../../../crd/generated/istio/authorizationpolicy-v1beta1"; import { retryWithDelay } from "../../utils"; import { anywhere } from "./anywhere"; 
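Review bot: The "ipBlocks are outdated" case only checks that Apply was called; it should also pin the two behaviours the implementation depends on — `expect(mockApply).toHaveBeenCalledWith(expect.anything(), { force: true })` and `expect(updatedPolicy.metadata!.managedFields).toBeUndefined()` — as kubeNodes.spec.ts does for the equivalent logic. Without the managedFields assertion a regression that re-introduces the server-side-apply conflict would still pass this suite.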
@@ -146,6 +147,9 @@ export async function updateAPIServerCIDR(svc: kind.Service, slice: kind.Endpoin // Update NetworkPolicies await updateKubeAPINetworkPolicies(apiServerPeers); + + // Update AuthorizationPolicies + await updateKubeAPIAuthorizationPolicies(apiServerPeers); } else { log.warn("No peers found for the API server CIDR update."); } 
@@ -217,6 +221,83 @@ export async function updateKubeAPINetworkPolicies(newPeers: V1NetworkPolicyPeer } } +/** + * Updates the AuthorizationPolicies for KubeAPI. + * + * This function takes an array of V1NetworkPolicyPeer objects (newPeers) representing + * the latest API server CIDRs, extracts the CIDR strings, and then queries for all + * AuthorizationPolicies labeled with "uds/generated" equal to RemoteGenerated.KubeAPI. + * For each policy, it compares the existing IP blocks in the "from" field with the new IP blocks. + * If they differ, the policy is updated (after clearing managedFields to prevent server-side apply issues) + * and re-applied. + * + * @param {V1NetworkPolicyPeer[]} newPeers - An array of peer objects containing the updated API server CIDRs. + * @returns {Promise} A promise that resolves once the update process is complete. + */ +export async function updateKubeAPIAuthorizationPolicies( + newPeers: V1NetworkPolicyPeer[], +): Promise { + // Convert the cached peers to an array of CIDR strings. + const newIpBlocks = newPeers + .map(peer => peer.ipBlock?.cidr) + .filter((cidr): cidr is string => typeof cidr === "string"); + + // Query for AuthorizationPolicies with the generated label for KubeAPI. + const authPols = await K8s(AuthorizationPolicy) + .WithLabel("uds/generated", RemoteGenerated.KubeAPI) + .Get(); + + if (authPols.items.length > 0) { + const summary = authPols.items + .map(pol => `name: ${pol.metadata?.name}, namespace: ${pol.metadata?.namespace}`) + .join(" | "); + log.trace(`Fetched ${authPols.items.length} AuthorizationPolicies: ${summary}`); + } + + for (const pol of authPols.items) { + // Safety check: ensure the policy has rules. 
+ if (!pol.spec || !pol.spec.rules || pol.spec.rules.length === 0) { + log.warn( + `AuthorizationPolicy ${pol.metadata?.namespace}/${pol.metadata?.name} is missing rules.`, + ); + continue; + } + + let updateRequired = false; + const rule = pol.spec.rules[0]; + // Check if a "from" entry exists and contains ipBlocks. + if (rule.from && rule.from.length > 0 && rule.from[0].source?.ipBlocks) { + const oldIpBlocks = rule.from[0].source.ipBlocks; + if (!R.equals(oldIpBlocks, newIpBlocks)) { + rule.from[0].source.ipBlocks = newIpBlocks; + updateRequired = true; + } + } else { + // If not present, create it. + rule.from = [{ source: { ipBlocks: newIpBlocks } }]; + updateRequired = true; + } + + if (updateRequired) { + // Clean managedFields to avoid server-side apply issues. + if (pol.metadata) { + pol.metadata.managedFields = undefined; + } + try { + await K8s(AuthorizationPolicy).Apply(pol, { force: true }); + log.debug( + `Updated KubeAPI AuthorizationPolicy ${pol.metadata?.namespace}/${pol.metadata?.name}`, + ); + } catch (err) { + log.error( + err, + `Failed to update AuthorizationPolicy ${pol.metadata?.namespace}/${pol.metadata?.name}`, + ); + } + } + } +} + /** * Fetches the Kubernetes Service object for the API server. * diff --git a/src/pepr/operator/controllers/network/generators/kubeNodes.spec.ts b/src/pepr/operator/controllers/network/generators/kubeNodes.spec.ts index 9ddd137df4..600e69ff1d 100644 --- a/src/pepr/operator/controllers/network/generators/kubeNodes.spec.ts +++ b/src/pepr/operator/controllers/network/generators/kubeNodes.spec.ts 
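Review bot: `R.equals(oldIpBlocks, newIpBlocks)` is order-sensitive, so an EndpointSlice that lists the same API server addresses in a different order forces a rewrite of every KubeAPI policy on each update; compare order-independently, e.g. `if (!R.equals([...oldIpBlocks].sort(), [...newIpBlocks].sort()))`. Only `rules[0]` is inspected and rewritten, which matches the single-rule shape buildAuthPolicy emits (`rules: [ruleEntry]`) but will silently leave stale CIDRs in any additional rule if that shape ever changes — a comment stating the assumption would help. A failed Apply is logged and swallowed, leaving a stale allow-list with no status signal; if that is deliberate for a watch callback say so in the comment, otherwise rethrow as generateAuthorizationPolicies does.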
@@ -3,22 +3,29 @@ * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial */ -import { beforeEach, beforeAll, describe, expect, it, jest } from "@jest/globals"; +import { beforeAll, beforeEach, describe, expect, it, jest } from "@jest/globals"; +import { V1NetworkPolicyList } from "@kubernetes/client-node"; +import { K8s, kind } from "pepr"; +import { AuthorizationPolicy } from "../../../crd/generated/istio/authorizationpolicy-v1beta1"; +import { anywhere } from "./anywhere"; import { initAllNodesTarget, kubeNodes, + updateKubeNodesAuthorizationPolicies, updateKubeNodesFromCreateUpdate, updateKubeNodesFromDelete, } from "./kubeNodes"; -import { K8s, kind } from "pepr"; -import { V1NetworkPolicyList } from "@kubernetes/client-node"; -import { anywhere } from "./anywhere"; type KubernetesList = { items: T[]; }; +type MockNode = { + metadata: { name: string }; + status: { addresses: { type: string; address: string }[] }; +}; + jest.mock("pepr", () => { const originalModule = jest.requireActual("pepr") as object; return { 
@@ -31,6 +38,131 @@ jest.mock("pepr", () => { }; }); +describe("updateKubeNodesAuthorizationPolicies", () => { + const mockApply = jest.fn(); + const mockK8sGetNodes = jest.fn<() => Promise>>(); + const mockGetNetworkPolicies = jest.fn<() => Promise>>(); + const mockGetAuthPolicies = jest.fn<() => Promise>>(); + + (K8s as jest.Mock).mockImplementation(() => ({ + Get: mockK8sGetNodes, + WithLabel: jest.fn(() => ({ + Get: mockGetAuthPolicies, + })), + Apply: mockApply, + })); + + beforeEach(async () => { + jest.clearAllMocks(); + mockGetAuthPolicies.mockReset(); + mockGetNetworkPolicies.mockResolvedValue({ items: [] }); + mockK8sGetNodes.mockResolvedValue({ items: [] }); // ensures nodeSet starts empty + + await initAllNodesTarget(); // resets nodeSet to [] + }); + + it("should update AuthorizationPolicy if ipBlocks differ", async () => { + const authPol = { + apiVersion: "security.istio.io/v1beta1", + kind: "AuthorizationPolicy", + metadata: { + name: "example-authpol", + namespace: "default", + managedFields: [], + }, + spec: { + rules: [ + { + from: [{ source: { ipBlocks: ["0.0.0.0/0"] } }], + }, + ], + }, + } as AuthorizationPolicy; + + mockGetAuthPolicies.mockResolvedValue({ items: [authPol] }); + + await updateKubeNodesFromCreateUpdate({ + metadata: { name: "node1" }, + status: { addresses: [{ type: "InternalIP", address: "10.0.0.5" }] }, + } as MockNode); + + expect(authPol.spec!.rules![0].from![0].source!.ipBlocks).toEqual(["10.0.0.5/32"]); + expect(authPol.metadata!.managedFields).toBeUndefined(); + expect(mockApply).toHaveBeenCalled(); + }); + + it("should not update AuthorizationPolicy if ipBlocks match", async () => { + const authPol = { + apiVersion: "security.istio.io/v1beta1", + kind: "AuthorizationPolicy", + metadata: { + name: "authpol-match", + namespace: "default", + managedFields: [], + }, + spec: { + rules: [ + { + from: [{ source: { ipBlocks: ["10.0.0.6/32"] } }], + }, + ], + }, + } as AuthorizationPolicy; + + 
mockGetAuthPolicies.mockResolvedValue({ items: [authPol] }); + + await updateKubeNodesFromCreateUpdate({ + metadata: { name: "node2" }, + status: { addresses: [{ type: "InternalIP", address: "10.0.0.6" }] }, + } as MockNode); + + expect(mockApply).not.toHaveBeenCalled(); + }); + + it("should create 'from' field if missing", async () => { + const authPol = { + apiVersion: "security.istio.io/v1beta1", + kind: "AuthorizationPolicy", + metadata: { + name: "authpol-nofrom", + namespace: "default", + managedFields: [], + }, + spec: { + rules: [{}], + }, + } as AuthorizationPolicy; + + mockGetAuthPolicies.mockResolvedValue({ items: [authPol] }); + + await updateKubeNodesFromCreateUpdate({ + metadata: { name: "node3" }, + status: { addresses: [{ type: "InternalIP", address: "10.0.0.7" }] }, + } as MockNode); + + expect(authPol.spec!.rules![0].from?.[0]?.source?.ipBlocks).toEqual(["10.0.0.7/32"]); + expect(mockApply).toHaveBeenCalled(); + }); + + it("should skip policies missing rules", async () => { + const authPol = { + apiVersion: "security.istio.io/v1beta1", + kind: "AuthorizationPolicy", + metadata: { + name: "authpol-norules", + namespace: "default", + }, + spec: {}, + } as AuthorizationPolicy; + + mockGetAuthPolicies.mockResolvedValue({ items: [authPol] }); + + await updateKubeNodesAuthorizationPolicies(); + + expect(mockApply).not.toHaveBeenCalled(); + }); +}); + describe("kubeNodes module", () => { const mockNodeList = { items: [ diff --git a/src/pepr/operator/controllers/network/generators/kubeNodes.ts b/src/pepr/operator/controllers/network/generators/kubeNodes.ts index ba5c16529c..164ca3ecdb 100644 --- a/src/pepr/operator/controllers/network/generators/kubeNodes.ts +++ b/src/pepr/operator/controllers/network/generators/kubeNodes.ts 
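Review bot: `mockGetNetworkPolicies` is declared and given a resolved value in beforeEach but never wired into the K8s mock — `WithLabel` returns `mockGetAuthPolicies` for every label query, so `updateKubeNodesNetworkPolicies` also receives the AuthorizationPolicy fixture and the `mockApply` assertions cannot tell which updater applied (or declined to apply). Dispatch on the model passed to `K8s(...)` instead: `(K8s as jest.Mock).mockImplementation(model => ({ Get: mockK8sGetNodes, WithLabel: jest.fn(() => ({ Get: model === AuthorizationPolicy ? mockGetAuthPolicies : mockGetNetworkPolicies })), Apply: mockApply }))`. Setting `mockImplementation` at describe scope rather than in beforeEach also appears to leave this implementation active for the later "kubeNodes module" describe, depending on Jest's evaluation order — worth confirming.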
@@ -3,15 +3,15 @@ * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial */ -import { KubernetesListObject } from "@kubernetes/client-node"; -import { V1NetworkPolicyPeer, V1NodeAddress } from "@kubernetes/client-node"; +import { KubernetesListObject, V1NetworkPolicyPeer, V1NodeAddress } from "@kubernetes/client-node"; import { K8s, kind, R } from "pepr"; +import { UDSConfig } from "../../../../config"; import { Component, setupLogger } from "../../../../logger"; import { RemoteGenerated } from "../../../crd"; -import { anywhere } from "./anywhere"; -import { UDSConfig } from "../../../../config"; +import { AuthorizationPolicy } from "../../../crd/generated/istio/authorizationpolicy-v1beta1"; import { retryWithDelay } from "../../utils"; +import { anywhere } from "./anywhere"; const log = setupLogger(Component.OPERATOR_GENERATORS); @@ -30,6 +30,7 @@ export async function initAllNodesTarget() { nodeSet.add(nodeCidr); } await updateKubeNodesNetworkPolicies(); + await updateKubeNodesAuthorizationPolicies(); return; } @@ -42,6 +43,7 @@ export async function initAllNodesTarget() { if (ip) nodeSet.add(ip); } await updateKubeNodesNetworkPolicies(); + await updateKubeNodesAuthorizationPolicies(); } catch (err) { log.error("error fetching node IPs:", err); } @@ -68,6 +70,7 @@ export async function updateKubeNodesFromCreateUpdate(node: kind.Node) { if (ip) nodeSet.add(ip); await updateKubeNodesNetworkPolicies(); + await updateKubeNodesAuthorizationPolicies(); } /** @@ -79,6 +82,7 @@ export async function updateKubeNodesFromDelete(node: kind.Node) { if (ip) nodeSet.delete(ip); await updateKubeNodesNetworkPolicies(); + await updateKubeNodesAuthorizationPolicies(); } /** 
@@ -148,6 +152,82 @@ export async function updateKubeNodesNetworkPolicies() { } } +/** + * Updates the AuthorizationPolicies for KubeNodes. + * + * This function rebuilds the current set of node peers from the in-memory node set, + * extracts their CIDR strings, and then queries for all AuthorizationPolicies that are labeled + * with "uds/generated" equal to RemoteGenerated.KubeNodes. For each matching policy, it checks + * whether the current IP blocks in the policy's "from" source match the newly computed IP blocks. + * If they differ, the policy is updated (with managedFields cleared to avoid server-side apply issues) + * and then re-applied. + * + * @returns {Promise} A promise that resolves once the update process is complete. + */ +export async function updateKubeNodesAuthorizationPolicies(): Promise { + // Build the current set of node peers from nodeSet. + const newPeers = buildNodePolicies([...nodeSet]); + // Extract CIDR strings from the new peers. + const newIpBlocks = newPeers + .map(peer => peer.ipBlock?.cidr) + .filter((cidr): cidr is string => typeof cidr === "string"); + + const authPols = await K8s(AuthorizationPolicy) + .WithLabel("uds/generated", RemoteGenerated.KubeNodes) + .Get(); + + if (authPols.items.length > 0) { + const summary = authPols.items + .map(pol => `name: ${pol.metadata?.name}, namespace: ${pol.metadata?.namespace}`) + .join(" | "); + log.trace(`Fetched ${authPols.items.length} AuthorizationPolicies: ${summary}`); + } + + for (const pol of authPols.items) { + // Ensure the policy has rules. + if (!pol.spec || !pol.spec.rules || pol.spec.rules.length === 0) { + log.warn( + `AuthorizationPolicy ${pol.metadata?.namespace}/${pol.metadata?.name} is missing rules.`, + ); + continue; + } + + let updateRequired = false; + const rule = pol.spec.rules[0]; + + // Check if a "from" entry exists with ipBlocks. 
+ if (rule.from && rule.from.length > 0 && rule.from[0].source?.ipBlocks) { + const oldIpBlocks = rule.from[0].source.ipBlocks; + if (!R.equals(oldIpBlocks, newIpBlocks)) { + rule.from[0].source.ipBlocks = newIpBlocks; + updateRequired = true; + } + } else { + // Otherwise, create a "from" entry. + rule.from = [{ source: { ipBlocks: newIpBlocks } }]; + updateRequired = true; + } + + if (updateRequired) { + // Clear managedFields to avoid server-side apply issues. + if (pol.metadata) { + pol.metadata.managedFields = undefined; + } + try { + await K8s(AuthorizationPolicy).Apply(pol, { force: true }); + log.debug( + `Updated KubeNodes AuthorizationPolicy ${pol.metadata?.namespace}/${pol.metadata?.name}`, + ); + } catch (err) { + log.error( + err, + `Failed to update AuthorizationPolicy ${pol.metadata?.namespace}/${pol.metadata?.name}`, + ); + } + } + } +} + /** * Build V1NetworkPolicyPeer array from a list of node IPs. */ diff --git a/src/pepr/operator/controllers/utils.ts b/src/pepr/operator/controllers/utils.ts index 0a0559301b..1bc927de49 100644 --- a/src/pepr/operator/controllers/utils.ts +++ b/src/pepr/operator/controllers/utils.ts @@ -55,6 +55,7 @@ export function getOwnerRef(cr: GenericKind): V1OwnerReference[] { * @param {string} pkgName - The package name label to filter resources. * @param {T} kind - The Kubernetes resource kind to purge. * @param {Logger} log - Logger instance for logging debug messages. + * @param {Record} [additionalLabels] - Optional additional label filters to further narrow down the resources to purge. * @returns {Promise} - A promise that resolves when the operation is complete. */ export async function purgeOrphans( 
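Review bot: When `nodeSet` is empty (the initial node list returned nothing, or the last node was deleted) `newIpBlocks` is `[]` and every KubeNodes policy is rewritten with `from: [{ source: { ipBlocks: [] } }]`; whether Istio rejects that source as empty or treats it as unrestricted, neither is acceptable for a node allow-list. Guard before the loop: `if (newIpBlocks.length === 0) { log.warn("No node CIDRs available; leaving KubeNodes AuthorizationPolicies unchanged"); return; }`. The same guard belongs in updateKubeAPIAuthorizationPolicies, although updateAPIServerCIDR already skips that call when no peers are found.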
@@ -63,8 +64,17 @@ export async function purgeOrphans( pkgName: string, kind: T, log: Logger, + additionalLabels?: Record | undefined, ) { - const resources = await K8s(kind).InNamespace(namespace).WithLabel("uds/package", pkgName).Get(); + let query = K8s(kind).InNamespace(namespace).WithLabel("uds/package", pkgName); + + if (additionalLabels) { + for (const [key, value] of Object.entries(additionalLabels)) { + query = query.WithLabel(key, value); + } + } + + const resources = await query.Get(); for (const resource of resources.items) { if (resource.metadata?.labels?.["uds/generation"] !== generation) { diff --git a/src/pepr/operator/crd/generated/package-v1alpha1.ts b/src/pepr/operator/crd/generated/package-v1alpha1.ts index 4291e13f3e..2ccb0d9e55 100644 --- a/src/pepr/operator/crd/generated/package-v1alpha1.ts +++ b/src/pepr/operator/crd/generated/package-v1alpha1.ts @@ -185,6 +185,11 @@ export interface Allow { * The remote pod selector labels to allow traffic to/from */ remoteSelector?: { [key: string]: string }; + /** + * The remote service account to restrict incoming traffic from within the remote + * namespace. Only valid for Ingress rules. + */ + remoteServiceAccount?: string; /** * Labels to match pods in the namespace to apply the policy to. Leave empty to apply to all * pods in the namespace @@ -722,6 +727,7 @@ export interface ProtocolMapper { } export interface StatusObject { + authorizationPolicyCount?: number; authserviceClients?: string[]; /** * Status conditions following Kubernetes-style conventions diff --git a/src/pepr/operator/crd/sources/package/v1alpha1.ts b/src/pepr/operator/crd/sources/package/v1alpha1.ts index 880603fece..a244d7fc7b 100644 --- a/src/pepr/operator/crd/sources/package/v1alpha1.ts +++ b/src/pepr/operator/crd/sources/package/v1alpha1.ts 
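Review bot: `additionalLabels?: ... | undefined` is redundant — the `?` already admits undefined — and the guarded loop can be folded into one line: `for (const [key, value] of Object.entries(additionalLabels ?? {})) query = query.WithLabel(key, value);`. The JSDoc should also spell out the contract the extra filter creates: resources carrying `uds/package` but not the additional labels are excluded from the purge, so a caller that stamps a label at creation (as the AuthorizationPolicy generator does with `uds/for: network`) must pass the identical label here or its stale generations are never removed.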
@@ -108,6 +108,12 @@ const allow = { type: "number", }, }, + remoteServiceAccount: { + description: + "The remote service account to restrict incoming traffic from within the remote namespace. \ + Only valid for Ingress rules.", + type: "string", + }, // Deprecated fields podLabels: { description: "Deprecated: use selector", @@ -479,6 +485,12 @@ export const v1alpha1: V1CustomResourceDefinitionVersion = { description: "The number of network policies created by the package", jsonPath: ".status.networkPolicyCount", }, + { + name: "Authorization Policies", + type: "integer", + description: "The number of authorization policies created by the package", + jsonPath: ".status.authorizationPolicyCount", + }, { name: "Age", type: "date", @@ -570,6 +582,9 @@ export const v1alpha1: V1CustomResourceDefinitionVersion = { networkPolicyCount: { type: "integer", }, + authorizationPolicyCount: { + type: "integer", + }, retryAttempt: { type: "integer", nullable: true, diff --git a/src/pepr/operator/reconcilers/package-reconciler.ts b/src/pepr/operator/reconcilers/package-reconciler.ts index d8ce9e26d0..47e9686f46 100644 --- a/src/pepr/operator/reconcilers/package-reconciler.ts +++ b/src/pepr/operator/reconcilers/package-reconciler.ts @@ -16,6 +16,7 @@ import { keycloak, purgeSSOClients } from "../controllers/keycloak/client-sync"; import { Client } from "../controllers/keycloak/types"; import { podMonitor } from "../controllers/monitoring/pod-monitor"; import { serviceMonitor } from "../controllers/monitoring/service-monitor"; +import { generateAuthorizationPolicies } from "../controllers/network/authorizationPolicies"; import { networkPolicies } from "../controllers/network/policies"; import { retryWithDelay } from "../controllers/utils"; import { Phase, UDSPackage } from "../crd"; 
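Review bot: The `remoteServiceAccount` description says "from within the remote namespace", but the generator falls back to the package's own namespace when `remoteNamespace` is omitted, and the description does not mention that default; suggest: `"The remote service account to restrict incoming traffic from. Combined with remoteNamespace (defaulting to the package namespace) to form the Istio principal. Only valid for Ingress rules."`. "Only valid for Ingress rules" is not enforced by the schema — the authorization policy generator simply skips Egress rules — so a package author setting it on an Egress rule gets no feedback; a validation-webhook check or a note that the field is ignored there would close that gap.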
@@ -71,6 +72,8 @@ export async function packageReconciler(pkg: UDSPackage) { const netPol = await networkPolicies(pkg, namespace!); + const authPol = await generateAuthorizationPolicies(pkg, namespace!); + let endpoints: string[] = []; // Update the namespace to ensure the istio-injection label is set await enableInjection(pkg); @@ -105,6 +108,7 @@ export async function packageReconciler(pkg: UDSPackage) { endpoints, monitors, networkPolicyCount: netPol.length, + authorizationPolicyCount: authPol.length + authserviceClients.length * 2, observedGeneration: metadata.generation, retryAttempt: 0, // todo: make this nullable when kfc generates the type }); From 66af94c80b480372173c8eab56118ffaf668ead4 Mon Sep 17 00:00:00 2001 
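Review bot: `authorizationPolicyCount: authPol.length + authserviceClients.length * 2` hard-codes the assumption that every authservice client yields exactly two AuthorizationPolicies, a number that is decided in whichever controller writes those policies rather than here, so the two can drift apart and the new status column would then over- or under-report the policies actually applied. Prefer having that controller return how many policies it wrote and summing the returned counts, or at least export a named constant (for example `AUTHSERVICE_POLICIES_PER_CLIENT`) with a comment naming the two policies it accounts for. `authserviceClients` and the call that receives this status object lie outside the hunk.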
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Tue, 1 Apr 2025 15:34:00 -0600 Subject: [PATCH 098/118] chore(main): release 0.39.0 (#1373) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit :robot: I have created a release *beep* *boop* --- ## [0.39.0](https://github.com/defenseunicorns/uds-core/compare/v0.38.0...v0.39.0) (2025-04-01) ### ⚠ BREAKING CHANGES * dynamic generation of Istio AuthorizationPolicy resources in ambient mode based on the configuration defined in a UDSPackage. ALL requests to a pod with authservice protection MUST have a jwt from Keycloak. More fine-grained protection can be done with additional DENY policies, but there will always be a requirement for a Keycloak JWT in addition. ### Features * add alertmanager datasource to grafana ([#1374](https://github.com/defenseunicorns/uds-core/issues/1374)) ([818a3a0](https://github.com/defenseunicorns/uds-core/commit/818a3a0967a689dfceeb9b494c11167fda3d09a5)) * ambient mesh authorization policy generation (https://github.com/defenseunicorns/uds-core/pull/1384) ([b47daba](https://github.com/defenseunicorns/uds-core/commit/b47dabaea78ee1a1089bbda59660b5a0a017114f)) * new webauth and mfa flows ([#1370](https://github.com/defenseunicorns/uds-core/issues/1370)) ([1ac1b03](https://github.com/defenseunicorns/uds-core/commit/1ac1b03b985feae924f0881c28ab11adba9aed33)) * theme customization ([#1382](https://github.com/defenseunicorns/uds-core/issues/1382)) ([55ef41b](https://github.com/defenseunicorns/uds-core/commit/55ef41b9fd9cf20b13699b6955ac99cd5bb9a9a0)) * use Client Credentials for managing Keycloak Clients ([#1341](https://github.com/defenseunicorns/uds-core/issues/1341)) ([4db9cc7](https://github.com/defenseunicorns/uds-core/commit/4db9cc75aac1473ebd9cffd772e7be39761fa2a6)) ### Bug Fixes * add delete credential keycloak secret value ([#1398](https://github.com/defenseunicorns/uds-core/issues/1398)) 
([d45b3e6](https://github.com/defenseunicorns/uds-core/commit/d45b3e6c1a35caa638535ea8c6b9061136fd482c)) * broken selectors for internal dependencies on charts ([#1403](https://github.com/defenseunicorns/uds-core/issues/1403)) ([d72b194](https://github.com/defenseunicorns/uds-core/commit/d72b194b6fb68eb45411dc6c7b3e276241d23f6b)) ### Miscellaneous * add additionalNetworkAllow to keycloak and loki ([#1379](https://github.com/defenseunicorns/uds-core/issues/1379)) ([8200bce](https://github.com/defenseunicorns/uds-core/commit/8200bce42dfa0baf3349187a440d871eda20e3cd)) * add docs for layer selection ([#1216](https://github.com/defenseunicorns/uds-core/issues/1216)) ([c170322](https://github.com/defenseunicorns/uds-core/commit/c1703221b85d37451d60c226863a0b168e702e01)) * **deps:** update grafana ([#1383](https://github.com/defenseunicorns/uds-core/issues/1383)) ([122dc58](https://github.com/defenseunicorns/uds-core/commit/122dc584c97fb789b6664683811dc5d33f7714bc)) * **deps:** update grafana to v8.10.4 ([#1363](https://github.com/defenseunicorns/uds-core/issues/1363)) ([fb163bd](https://github.com/defenseunicorns/uds-core/commit/fb163bdf69b6b8a3d5d251a9e52bd512cc3e394e)) * **deps:** update istio to v1.25.0 ([#1335](https://github.com/defenseunicorns/uds-core/issues/1335)) ([1803ea7](https://github.com/defenseunicorns/uds-core/commit/1803ea7375100e61d2e06816e6c7150e0e4e76dc)) * **deps:** update keycloak to v0.11.1 ([#1400](https://github.com/defenseunicorns/uds-core/issues/1400)) ([6fdcd0c](https://github.com/defenseunicorns/uds-core/commit/6fdcd0c94e3aa9b86beab22e542cfb5334533b90)) * **deps:** update keycloak to v26.1.4 ([#1356](https://github.com/defenseunicorns/uds-core/issues/1356)) ([31152f7](https://github.com/defenseunicorns/uds-core/commit/31152f7659ef02335494d3a3646b49a4dd68398d)) * **deps:** update pepr to v0.46.3 ([#1365](https://github.com/defenseunicorns/uds-core/issues/1365)) 
([304a556](https://github.com/defenseunicorns/uds-core/commit/304a556f7cec391cda0c8f6b330bad652d329a03)) * **deps:** update prometheus-stack ([#1362](https://github.com/defenseunicorns/uds-core/issues/1362)) ([ae40b27](https://github.com/defenseunicorns/uds-core/commit/ae40b27e38522749e7b8cd21702610307d2e182a)) * **deps:** update prometheus-stack ([#1380](https://github.com/defenseunicorns/uds-core/issues/1380)) ([eec3337](https://github.com/defenseunicorns/uds-core/commit/eec3337a61992a2eb50af54471c96f5d5d9c001e)) * **deps:** update support dependencies to v22.13.17 ([#1401](https://github.com/defenseunicorns/uds-core/issues/1401)) ([8a81eec](https://github.com/defenseunicorns/uds-core/commit/8a81eecbd007df466f9985e849587fbe78039bcd)) * **deps:** update support-deps ([#1364](https://github.com/defenseunicorns/uds-core/issues/1364)) ([7819bec](https://github.com/defenseunicorns/uds-core/commit/7819bec4b32d32fb29c8c59ffda22eb6705175c1)) * **deps:** update support-deps ([#1376](https://github.com/defenseunicorns/uds-core/issues/1376)) ([dd22589](https://github.com/defenseunicorns/uds-core/commit/dd22589fbe8e9ef44674ad09c2f4317c9a103759)) * **deps:** update support-deps ([#1390](https://github.com/defenseunicorns/uds-core/issues/1390)) ([f06bb70](https://github.com/defenseunicorns/uds-core/commit/f06bb7066a42e0dc298cac5164025a706255faec)) * **deps:** update support-deps ([#1392](https://github.com/defenseunicorns/uds-core/issues/1392)) ([c0762a3](https://github.com/defenseunicorns/uds-core/commit/c0762a3861e0acdef25ebe854eece8b3deaa6274)) * **deps:** update ts-jest to v29.3.0 ([#1377](https://github.com/defenseunicorns/uds-core/issues/1377)) ([8b2174a](https://github.com/defenseunicorns/uds-core/commit/8b2174a1e567a92f6b6f8ec3548e999fc4dee445)) * **deps:** update velero to v8.6.0 ([#1371](https://github.com/defenseunicorns/uds-core/issues/1371)) ([93a44e6](https://github.com/defenseunicorns/uds-core/commit/93a44e6d67b36f92c204d043484d996e877194ac)) * remove kiali and 
tempo references from repo ([#1375](https://github.com/defenseunicorns/uds-core/issues/1375)) ([8374de3](https://github.com/defenseunicorns/uds-core/commit/8374de3cbfccfffd6825ae59c18e6080f691346b)) * update how to scrape metrics ([#1378](https://github.com/defenseunicorns/uds-core/issues/1378)) ([e808f7d](https://github.com/defenseunicorns/uds-core/commit/e808f7d394ea4848c6203cc469960f82b89d0fa4)) * update unicorn ztunnel image to 1.25.0 ([#1389](https://github.com/defenseunicorns/uds-core/issues/1389)) ([7e446cb](https://github.com/defenseunicorns/uds-core/commit/7e446cbff939d144f964d41c55190626075f410a)) ### Documentation * velero csi vsphere backups ([#1385](https://github.com/defenseunicorns/uds-core/issues/1385)) ([5ae33b2](https://github.com/defenseunicorns/uds-core/commit/5ae33b2d01f308f5d7d067d30aa4b911d1c0d20e)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> --- .github/bundles/aks/uds-bundle.yaml | 4 +- .github/bundles/eks/uds-bundle.yaml | 4 +- .github/bundles/rke2/uds-bundle.yaml | 4 +- .release-please-manifest.json | 2 +- CHANGELOG.md | 50 +++++++++++++++++++++++ README.md | 4 +- bundles/k3d-slim-dev/uds-bundle.yaml | 6 +-- bundles/k3d-standard/uds-bundle.yaml | 4 +- packages/backup-restore/zarf.yaml | 2 +- packages/base/zarf.yaml | 2 +- packages/checkpoint-dev/zarf.yaml | 2 +- packages/identity-authorization/zarf.yaml | 2 +- packages/logging/zarf.yaml | 2 +- packages/metrics-server/zarf.yaml | 2 +- packages/monitoring/zarf.yaml | 2 +- packages/runtime-security/zarf.yaml | 2 +- packages/standard/zarf.yaml | 2 +- tasks/deploy.yaml | 2 +- tasks/publish.yaml | 2 +- 19 files changed, 75 insertions(+), 25 deletions(-) diff --git a/.github/bundles/aks/uds-bundle.yaml b/.github/bundles/aks/uds-bundle.yaml index 9d6bd420b1..0cd75614c5 100644 
--- a/.github/bundles/aks/uds-bundle.yaml +++ b/.github/bundles/aks/uds-bundle.yaml @@ -6,7 +6,7 @@ metadata: name: uds-core-aks-nightly description: A UDS bundle for deploying UDS Core on AKS # x-release-please-start-version - version: "0.38.0" + version: "0.39.0" # x-release-please-end packages: @@ -17,7 +17,7 @@ packages: - name: core path: ../../../build # x-release-please-start-version - ref: 0.38.0 + ref: 0.39.0 # x-release-please-end optionalComponents: - istio-ambient diff --git a/.github/bundles/eks/uds-bundle.yaml b/.github/bundles/eks/uds-bundle.yaml index 0f54b8cd48..dd01165ce2 100644 --- a/.github/bundles/eks/uds-bundle.yaml +++ b/.github/bundles/eks/uds-bundle.yaml @@ -6,7 +6,7 @@ metadata: name: uds-core-eks-nightly description: A UDS bundle for deploying EKS and UDS Core # x-release-please-start-version - version: "0.38.0" + version: "0.39.0" # x-release-please-end packages: @@ -17,7 +17,7 @@ packages: - name: core path: ../../../build # x-release-please-start-version - ref: 0.38.0 + ref: 0.39.0 # x-release-please-end optionalComponents: - istio-ambient diff --git a/.github/bundles/rke2/uds-bundle.yaml b/.github/bundles/rke2/uds-bundle.yaml index db4a49d2e4..da7ea198d9 100644 --- a/.github/bundles/rke2/uds-bundle.yaml +++ b/.github/bundles/rke2/uds-bundle.yaml @@ -6,7 +6,7 @@ metadata: name: uds-core-rke2-nightly description: A UDS bundle for deploying RKE2 and UDS Core # x-release-please-start-version - version: "0.38.0" + version: "0.39.0" # x-release-please-end packages: @@ -38,7 +38,7 @@ packages: - name: core path: ../../../build # x-release-please-start-version - ref: 0.38.0 + ref: 0.39.0 # x-release-please-end optionalComponents: - istio-ambient diff --git a/.release-please-manifest.json b/.release-please-manifest.json index 99b982a728..e0fa6379af 100644 --- a/.release-please-manifest.json +++ b/.release-please-manifest.json @@ -1,3 +1,3 @@ { - ".": "0.38.0" + ".": "0.39.0" } 
diff --git a/CHANGELOG.md b/CHANGELOG.md index cfa3bdd5eb..42a056923a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -2,6 +2,56 @@ All notable changes to this project will be documented in this file. +## [0.39.0](https://github.com/defenseunicorns/uds-core/compare/v0.38.0...v0.39.0) (2025-04-01) + + +### ⚠ BREAKING CHANGES + +* dynamic generation of Istio AuthorizationPolicy resources in ambient mode based on the configuration defined in a UDSPackage. ALL requests to a pod with authservice protection MUST have a jwt from Keycloak. More fine-grained protection can be done with additional DENY policies, but there will always be a requirement for a Keycloak JWT in addition. + +### Features + +* add alertmanager datasource to grafana ([#1374](https://github.com/defenseunicorns/uds-core/issues/1374)) ([818a3a0](https://github.com/defenseunicorns/uds-core/commit/818a3a0967a689dfceeb9b494c11167fda3d09a5)) +* ambient mesh authorization policy generation (https://github.com/defenseunicorns/uds-core/pull/1384) ([b47daba](https://github.com/defenseunicorns/uds-core/commit/b47dabaea78ee1a1089bbda59660b5a0a017114f)) +* new webauth and mfa flows ([#1370](https://github.com/defenseunicorns/uds-core/issues/1370)) ([1ac1b03](https://github.com/defenseunicorns/uds-core/commit/1ac1b03b985feae924f0881c28ab11adba9aed33)) +* theme customization ([#1382](https://github.com/defenseunicorns/uds-core/issues/1382)) ([55ef41b](https://github.com/defenseunicorns/uds-core/commit/55ef41b9fd9cf20b13699b6955ac99cd5bb9a9a0)) +* use Client Credentials for managing Keycloak Clients ([#1341](https://github.com/defenseunicorns/uds-core/issues/1341)) ([4db9cc7](https://github.com/defenseunicorns/uds-core/commit/4db9cc75aac1473ebd9cffd772e7be39761fa2a6)) + + +### Bug Fixes + +* add delete credential keycloak secret value ([#1398](https://github.com/defenseunicorns/uds-core/issues/1398)) ([d45b3e6](https://github.com/defenseunicorns/uds-core/commit/d45b3e6c1a35caa638535ea8c6b9061136fd482c)) +* broken selectors for internal dependencies on charts ([#1403](https://github.com/defenseunicorns/uds-core/issues/1403)) 
([d72b194](https://github.com/defenseunicorns/uds-core/commit/d72b194b6fb68eb45411dc6c7b3e276241d23f6b)) + + +### Miscellaneous + +* add additionalNetworkAllow to keycloak and loki ([#1379](https://github.com/defenseunicorns/uds-core/issues/1379)) ([8200bce](https://github.com/defenseunicorns/uds-core/commit/8200bce42dfa0baf3349187a440d871eda20e3cd)) +* add docs for layer selection ([#1216](https://github.com/defenseunicorns/uds-core/issues/1216)) ([c170322](https://github.com/defenseunicorns/uds-core/commit/c1703221b85d37451d60c226863a0b168e702e01)) +* **deps:** update grafana ([#1383](https://github.com/defenseunicorns/uds-core/issues/1383)) ([122dc58](https://github.com/defenseunicorns/uds-core/commit/122dc584c97fb789b6664683811dc5d33f7714bc)) +* **deps:** update grafana to v8.10.4 ([#1363](https://github.com/defenseunicorns/uds-core/issues/1363)) ([fb163bd](https://github.com/defenseunicorns/uds-core/commit/fb163bdf69b6b8a3d5d251a9e52bd512cc3e394e)) +* **deps:** update istio to v1.25.0 ([#1335](https://github.com/defenseunicorns/uds-core/issues/1335)) ([1803ea7](https://github.com/defenseunicorns/uds-core/commit/1803ea7375100e61d2e06816e6c7150e0e4e76dc)) +* **deps:** update keycloak to v0.11.1 ([#1400](https://github.com/defenseunicorns/uds-core/issues/1400)) ([6fdcd0c](https://github.com/defenseunicorns/uds-core/commit/6fdcd0c94e3aa9b86beab22e542cfb5334533b90)) +* **deps:** update keycloak to v26.1.4 ([#1356](https://github.com/defenseunicorns/uds-core/issues/1356)) ([31152f7](https://github.com/defenseunicorns/uds-core/commit/31152f7659ef02335494d3a3646b49a4dd68398d)) +* **deps:** update pepr to v0.46.3 ([#1365](https://github.com/defenseunicorns/uds-core/issues/1365)) ([304a556](https://github.com/defenseunicorns/uds-core/commit/304a556f7cec391cda0c8f6b330bad652d329a03)) +* **deps:** update prometheus-stack ([#1362](https://github.com/defenseunicorns/uds-core/issues/1362)) 
([ae40b27](https://github.com/defenseunicorns/uds-core/commit/ae40b27e38522749e7b8cd21702610307d2e182a)) +* **deps:** update prometheus-stack ([#1380](https://github.com/defenseunicorns/uds-core/issues/1380)) ([eec3337](https://github.com/defenseunicorns/uds-core/commit/eec3337a61992a2eb50af54471c96f5d5d9c001e)) +* **deps:** update support dependencies to v22.13.17 ([#1401](https://github.com/defenseunicorns/uds-core/issues/1401)) ([8a81eec](https://github.com/defenseunicorns/uds-core/commit/8a81eecbd007df466f9985e849587fbe78039bcd)) +* **deps:** update support-deps ([#1364](https://github.com/defenseunicorns/uds-core/issues/1364)) ([7819bec](https://github.com/defenseunicorns/uds-core/commit/7819bec4b32d32fb29c8c59ffda22eb6705175c1)) +* **deps:** update support-deps ([#1376](https://github.com/defenseunicorns/uds-core/issues/1376)) ([dd22589](https://github.com/defenseunicorns/uds-core/commit/dd22589fbe8e9ef44674ad09c2f4317c9a103759)) +* **deps:** update support-deps ([#1390](https://github.com/defenseunicorns/uds-core/issues/1390)) ([f06bb70](https://github.com/defenseunicorns/uds-core/commit/f06bb7066a42e0dc298cac5164025a706255faec)) +* **deps:** update support-deps ([#1392](https://github.com/defenseunicorns/uds-core/issues/1392)) ([c0762a3](https://github.com/defenseunicorns/uds-core/commit/c0762a3861e0acdef25ebe854eece8b3deaa6274)) +* **deps:** update ts-jest to v29.3.0 ([#1377](https://github.com/defenseunicorns/uds-core/issues/1377)) ([8b2174a](https://github.com/defenseunicorns/uds-core/commit/8b2174a1e567a92f6b6f8ec3548e999fc4dee445)) +* **deps:** update velero to v8.6.0 ([#1371](https://github.com/defenseunicorns/uds-core/issues/1371)) ([93a44e6](https://github.com/defenseunicorns/uds-core/commit/93a44e6d67b36f92c204d043484d996e877194ac)) +* remove kiali and tempo references from repo ([#1375](https://github.com/defenseunicorns/uds-core/issues/1375)) ([8374de3](https://github.com/defenseunicorns/uds-core/commit/8374de3cbfccfffd6825ae59c18e6080f691346b)) 
+* update how to scrape metrics ([#1378](https://github.com/defenseunicorns/uds-core/issues/1378)) ([e808f7d](https://github.com/defenseunicorns/uds-core/commit/e808f7d394ea4848c6203cc469960f82b89d0fa4)) +* update unicorn ztunnel image to 1.25.0 ([#1389](https://github.com/defenseunicorns/uds-core/issues/1389)) ([7e446cb](https://github.com/defenseunicorns/uds-core/commit/7e446cbff939d144f964d41c55190626075f410a)) + + +### Documentation + +* velero csi vsphere backups ([#1385](https://github.com/defenseunicorns/uds-core/issues/1385)) ([5ae33b2](https://github.com/defenseunicorns/uds-core/commit/5ae33b2d01f308f5d7d067d30aa4b911d1c0d20e)) + ## [0.38.0](https://github.com/defenseunicorns/uds-core/compare/v0.37.0...v0.38.0) (2025-03-19) diff --git a/README.md b/README.md index 7ebf0f50bb..a5a5ead266 100644 --- a/README.md +++ b/README.md @@ -55,7 +55,7 @@ If you want to try out UDS Core, you can use the [k3d-core-demo bundle](./bundle ```bash -uds deploy k3d-core-demo:0.38.0 +uds deploy k3d-core-demo:0.39.0 ``` @@ -69,7 +69,7 @@ Deploy Istio, Keycloak and Pepr: ```bash -uds deploy k3d-core-slim-dev:0.38.0 +uds deploy k3d-core-slim-dev:0.39.0 ``` diff --git a/bundles/k3d-slim-dev/uds-bundle.yaml b/bundles/k3d-slim-dev/uds-bundle.yaml index 33d94515cc..17c948c6b3 100644 --- a/bundles/k3d-slim-dev/uds-bundle.yaml +++ b/bundles/k3d-slim-dev/uds-bundle.yaml @@ -7,7 +7,7 @@ metadata: name: k3d-core-slim-dev description: A UDS bundle for deploying Istio from UDS Core on a development cluster # x-release-please-start-version - version: "0.38.0" + version: "0.39.0" # x-release-please-end packages: @@ -38,7 +38,7 @@ packages: - name: core-base path: ../../build/ # x-release-please-start-version - ref: 0.38.0 + ref: 0.39.0 # x-release-please-end overrides: pepr-uds-core: @@ -120,7 +120,7 @@ packages: - name: core-identity-authorization path: ../../build/ # x-release-please-start-version - ref: 0.38.0 + ref: 0.39.0 # x-release-please-end overrides: keycloak: 
diff --git a/bundles/k3d-standard/uds-bundle.yaml b/bundles/k3d-standard/uds-bundle.yaml index adbcad97aa..19dbc0c85e 100644 --- a/bundles/k3d-standard/uds-bundle.yaml +++ b/bundles/k3d-standard/uds-bundle.yaml @@ -6,7 +6,7 @@ metadata: name: k3d-core-demo description: A UDS bundle for deploying the standard UDS Core package on a development cluster # x-release-please-start-version - version: "0.38.0" + version: "0.39.0" # x-release-please-end packages: @@ -37,7 +37,7 @@ packages: - name: core path: ../../build/ # x-release-please-start-version - ref: 0.38.0 + ref: 0.39.0 # x-release-please-end optionalComponents: - istio-ambient diff --git a/packages/backup-restore/zarf.yaml b/packages/backup-restore/zarf.yaml index 58c98d69eb..fdefbdf759 100644 --- a/packages/backup-restore/zarf.yaml +++ b/packages/backup-restore/zarf.yaml @@ -7,7 +7,7 @@ metadata: description: "UDS Core (Backup and Restore)" authors: "Defense Unicorns - Product" # x-release-please-start-version - version: "0.38.0" + version: "0.39.0" # x-release-please-end x-uds-dependencies: ["base"] diff --git a/packages/base/zarf.yaml b/packages/base/zarf.yaml index d3eb07af05..1932db8fbc 100644 --- a/packages/base/zarf.yaml +++ b/packages/base/zarf.yaml @@ -7,7 +7,7 @@ metadata: description: "UDS Core (Base)" authors: "Defense Unicorns - Product" # x-release-please-start-version - version: "0.38.0" + version: "0.39.0" # x-release-please-end x-uds-dependencies: [] diff --git a/packages/checkpoint-dev/zarf.yaml b/packages/checkpoint-dev/zarf.yaml index c55837e56c..58bfaf1d27 100644 --- a/packages/checkpoint-dev/zarf.yaml +++ b/packages/checkpoint-dev/zarf.yaml @@ -7,7 +7,7 @@ metadata: description: "Rehydratable UDS K3d + UDS Core Slim (Istio, UDS Operator and Keycloak) Checkpoint" authors: "Defense Unicorns - Product" # x-release-please-start-version - version: "0.38.0" + version: "0.39.0" # x-release-please-end variables: 
diff --git a/packages/identity-authorization/zarf.yaml b/packages/identity-authorization/zarf.yaml index 01f5b48b38..41f4cda599 100644 --- a/packages/identity-authorization/zarf.yaml +++ b/packages/identity-authorization/zarf.yaml @@ -7,7 +7,7 @@ metadata: description: "UDS Core (Identity & Authorization)" authors: "Defense Unicorns - Product" # x-release-please-start-version - version: "0.38.0" + version: "0.39.0" # x-release-please-end x-uds-dependencies: ["base"] diff --git a/packages/logging/zarf.yaml b/packages/logging/zarf.yaml index 1155b63ade..2c97ed526c 100644 --- a/packages/logging/zarf.yaml +++ b/packages/logging/zarf.yaml @@ -7,7 +7,7 @@ metadata: description: "UDS Core (Logging)" authors: "Defense Unicorns - Product" # x-release-please-start-version - version: "0.38.0" + version: "0.39.0" # x-release-please-end x-uds-dependencies: ["base"] diff --git a/packages/metrics-server/zarf.yaml b/packages/metrics-server/zarf.yaml index 4be6112219..9ad341c597 100644 --- a/packages/metrics-server/zarf.yaml +++ b/packages/metrics-server/zarf.yaml @@ -7,7 +7,7 @@ metadata: description: "UDS Core (Metrics Server)" authors: "Defense Unicorns - Product" # x-release-please-start-version - version: "0.38.0" + version: "0.39.0" # x-release-please-end x-uds-dependencies: ["base"] diff --git a/packages/monitoring/zarf.yaml b/packages/monitoring/zarf.yaml index 43dfb62dd2..f968d93b5d 100644 --- a/packages/monitoring/zarf.yaml +++ b/packages/monitoring/zarf.yaml @@ -7,7 +7,7 @@ metadata: description: "UDS Core Monitoring (Prometheus and Grafana)" authors: "Defense Unicorns - Product" # x-release-please-start-version - version: "0.38.0" + version: "0.39.0" # x-release-please-end x-uds-dependencies: ["base", "identity-authorization"] diff --git a/packages/runtime-security/zarf.yaml b/packages/runtime-security/zarf.yaml index 4031ad932c..865e8f456c 100644 --- a/packages/runtime-security/zarf.yaml +++ b/packages/runtime-security/zarf.yaml 
@@ -7,7 +7,7 @@ metadata: description: "UDS Core (Runtime Security)" authors: "Defense Unicorns - Product" # x-release-please-start-version - version: "0.38.0" + version: "0.39.0" # x-release-please-end x-uds-dependencies: ["base", "identity-authorization"] diff --git a/packages/standard/zarf.yaml b/packages/standard/zarf.yaml index 9f80f41c92..2bd465cb92 100644 --- a/packages/standard/zarf.yaml +++ b/packages/standard/zarf.yaml @@ -7,7 +7,7 @@ metadata: description: "UDS Core" authors: "Defense Unicorns - Product" # x-release-please-start-version - version: "0.38.0" + version: "0.39.0" # x-release-please-end components: diff --git a/tasks/deploy.yaml b/tasks/deploy.yaml index 2727a5dee6..8906939652 100644 --- a/tasks/deploy.yaml +++ b/tasks/deploy.yaml @@ -8,7 +8,7 @@ variables: - name: VERSION description: "The version of the packages to deploy" # x-release-please-start-version - default: "0.38.0" + default: "0.39.0" # x-release-please-end - name: FLAVOR default: upstream diff --git a/tasks/publish.yaml b/tasks/publish.yaml index ec593425db..40de7cf605 100644 --- a/tasks/publish.yaml +++ b/tasks/publish.yaml @@ -16,7 +16,7 @@ variables: - name: VERSION description: "The version of the packages to build" # x-release-please-start-version - default: "0.38.0" + default: "0.39.0" # x-release-please-end - name: LAYER From 014b8fe15a64d9f7b80b71fe31382eecb968a8b0 Mon Sep 17 00:00:00 2001 
From: Chance <139784371+UnicornChance@users.noreply.github.com> Date: Tue, 1 Apr 2025 15:40:20 -0600 Subject: [PATCH 099/118] chore: update changelog (#1406) ## Description update changelog for better breaking change description ## Type of change - [ ] Bug fix (non-breaking change which fixes an issue) - [ ] New feature (non-breaking change which adds functionality) - [x] Other (security config, docs update, etc) ## Checklist before merging - [x] Test, docs, adr added or updated as needed - [x] [Contributor Guide](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md) followed --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 42a056923a..25c2b0ee96 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,7 +7,7 @@ All notable changes to this project will be documented in this file. ### ⚠ BREAKING CHANGES -* dynamic generation of Istio AuthorizationPolicy resources in ambient mode based on the configuration defined in a UDSPackage. ALL requests to a pod with authservice protection MUST have a jwt from Keycloak. More fine-grained protection can be done with additional DENY policies, but there will always be a requirement for a Keycloak JWT in addition. +* AuthService protection of pods is now absolute: ALL requests to a pod with authservice protection MUST have a jwt from Keycloak. More fine-grained protection can be done with additional `DENY` istio authorization policies, but there will always be a requirement for a Keycloak JWT in addition. ### Features From b16f953bd882ae2bcbf878306262eceed8a48990 Mon Sep 17 00:00:00 2001 
From: Chance <139784371+UnicornChance@users.noreply.github.com> Date: Tue, 1 Apr 2025 16:55:03 -0600 Subject: [PATCH 100/118] chore(docs): fix order of authpols doc (#1408) ## Description New authpol doc is out of order with other docs in the doc site. removing the ordering so its alphabetical. ## Type of change - [ ] Bug fix (non-breaking change which fixes an issue) - [ ] New feature (non-breaking change which adds functionality) - [x] Other (security config, docs update, etc) ## Checklist before merging - [x] Test, docs, adr added or updated as needed - [x] [Contributor Guide](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md) followed --- .../configuration/Single Sign-On/Identity Providers/overview.md | 2 +- docs/reference/configuration/Single Sign-On/overview.md | 2 +- docs/reference/configuration/UDS operator/exemption.md | 2 -- docs/reference/configuration/UDS operator/package.md | 2 -- docs/reference/configuration/authorization-policies.md | 2 -- .../configuration/backup and restore/vsphere-rke2-csi.md | 2 ++ .../configuration/custom resources/exemptions-v1alpha1-cr.md | 2 ++ .../configuration/custom resources/packages-v1alpha1-cr.md | 2 ++ .../configuration/external dependencies/irsa-configuration.md | 2 ++ src/pepr/docs-gen/main.ts | 2 ++ 10 files changed, 12 insertions(+), 8 deletions(-) diff --git a/docs/reference/configuration/Single Sign-On/Identity Providers/overview.md b/docs/reference/configuration/Single Sign-On/Identity Providers/overview.md index 583d84ce07..4b1cae7026 100644 --- a/docs/reference/configuration/Single Sign-On/Identity Providers/overview.md +++ b/docs/reference/configuration/Single Sign-On/Identity Providers/overview.md @@ -1,7 +1,7 @@ --- title: Overview sidebar: - order: 20 + order: 2 --- diff --git a/docs/reference/configuration/Single Sign-On/overview.md b/docs/reference/configuration/Single Sign-On/overview.md index 1fed24ae97..9aee6c12a8 100644 
--- a/docs/reference/configuration/Single Sign-On/overview.md +++ b/docs/reference/configuration/Single Sign-On/overview.md @@ -1,7 +1,7 @@ --- title: Overview sidebar: - order: 20 + order: 3 --- UDS Core leverages [Keycloak](https://www.keycloak.org/) and [Authservice](https://github.com/istio-ecosystem/authservice) to implify authentication and authorization for applications. These tools enable seamless user authentication experiences while supporting various OAuth 2.0 and OpenID Connect (OIDC) flows. diff --git a/docs/reference/configuration/UDS operator/exemption.md b/docs/reference/configuration/UDS operator/exemption.md index c95d819bb1..43fe394b8c 100644 --- a/docs/reference/configuration/UDS operator/exemption.md +++ b/docs/reference/configuration/UDS operator/exemption.md @@ -1,7 +1,5 @@ --- title: UDS Exemption -sidebar: - order: 3 --- ![UDS Operator Exemption Flowchart](https://github.com/defenseunicorns/uds-core/blob/main/docs/.images/diagrams/uds-core-operator-uds-exemption.svg?raw=true) diff --git a/docs/reference/configuration/UDS operator/package.md b/docs/reference/configuration/UDS operator/package.md index 08e5611e09..4df924cf3f 100644 --- a/docs/reference/configuration/UDS operator/package.md +++ b/docs/reference/configuration/UDS operator/package.md @@ -1,7 +1,5 @@ --- title: UDS Package -sidebar: - order: 2 --- ![UDS Operator Package Flowchart](https://github.com/defenseunicorns/uds-core/blob/main/docs/.images/diagrams/uds-core-operator-uds-package.svg?raw=true) diff --git a/docs/reference/configuration/authorization-policies.md b/docs/reference/configuration/authorization-policies.md index 07bbd0eb5a..1eb31330ff 100644 --- a/docs/reference/configuration/authorization-policies.md +++ b/docs/reference/configuration/authorization-policies.md 
@@ -1,7 +1,5 @@ --- title: How Authorization Policies Protect Your Services -sidebar: - order: 3 --- In clusters running Istio Ambient Mesh, UDS‑Core enforces **ingress network security** using Istio **ALLOW** AuthorizationPolicies. These policies are automatically generated for each application package you define with a [UDS Package](https://uds.defenseunicorns.com/reference/configuration/uds-operator/package/) resource. diff --git a/docs/reference/configuration/backup and restore/vsphere-rke2-csi.md b/docs/reference/configuration/backup and restore/vsphere-rke2-csi.md index 1f493d883f..85202c7db0 100644 --- a/docs/reference/configuration/backup and restore/vsphere-rke2-csi.md +++ b/docs/reference/configuration/backup and restore/vsphere-rke2-csi.md @@ -1,5 +1,7 @@ --- title: RKE2 CSI Snapshotting on vSphere +sidebar: + order: 4 --- ## Introduction diff --git a/docs/reference/configuration/custom resources/exemptions-v1alpha1-cr.md b/docs/reference/configuration/custom resources/exemptions-v1alpha1-cr.md index 2174bda692..be16758844 100644 --- a/docs/reference/configuration/custom resources/exemptions-v1alpha1-cr.md +++ b/docs/reference/configuration/custom resources/exemptions-v1alpha1-cr.md @@ -2,6 +2,8 @@ title: Exemptions CR (v1alpha1) tableOfContents: maxHeadingLevel: 6 +sidebar: + order: 20 ---
diff --git a/docs/reference/configuration/custom resources/packages-v1alpha1-cr.md b/docs/reference/configuration/custom resources/packages-v1alpha1-cr.md index d358027b7f..985a688e2b 100644 --- a/docs/reference/configuration/custom resources/packages-v1alpha1-cr.md +++ b/docs/reference/configuration/custom resources/packages-v1alpha1-cr.md @@ -2,6 +2,8 @@ title: Packages CR (v1alpha1) tableOfContents: maxHeadingLevel: 6 +sidebar: + order: 20 ---
diff --git a/docs/reference/configuration/external dependencies/irsa-configuration.md b/docs/reference/configuration/external dependencies/irsa-configuration.md index 2c55be2cdc..d56bf65be8 100644 --- a/docs/reference/configuration/external dependencies/irsa-configuration.md +++ b/docs/reference/configuration/external dependencies/irsa-configuration.md @@ -1,5 +1,7 @@ --- title: IRSA Support +sidebar: + order: 5 --- Several applications within UDS Core can be configured to utilize resources that are external to your Kubernetes cluster, such as object storage and databases. If you are running in AWS, you can leverage [IRSA](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) to provide applications within UDS Core with a secure means of accessing external resources. diff --git a/src/pepr/docs-gen/main.ts b/src/pepr/docs-gen/main.ts index 872acd0aab..67aa66ec9b 100644 --- a/src/pepr/docs-gen/main.ts +++ b/src/pepr/docs-gen/main.ts @@ -146,6 +146,8 @@ async function generateMarkdown(jsonSchema: JsonSchema, version: string, schemaF title: ${title} CR (${version}) tableOfContents: maxHeadingLevel: 6 +sidebar: + order: 20 --- ${generateMarkdownFromSchema(jsonSchema.properties, `${title}`, 1).trim()}`; From 80cff2e1870bfe3858f22ed8a393daf0dfe4f0f2 Mon Sep 17 00:00:00 2001 From: Noah Birrer Date: Wed, 2 Apr 2025 12:00:02 -0400 Subject: [PATCH 101/118] adjust `failurePolicy` for longhorn chart --- .github/test-infra/aws/rke2/scripts/helmchart-template.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/test-infra/aws/rke2/scripts/helmchart-template.yaml b/.github/test-infra/aws/rke2/scripts/helmchart-template.yaml index c26d1ca882..e278b79885 100644 --- a/.github/test-infra/aws/rke2/scripts/helmchart-template.yaml +++ b/.github/test-infra/aws/rke2/scripts/helmchart-template.yaml 
@@ -49,6 +49,8 @@ spec: # renovate: datasource=helm depName=longhorn versioning=helm registryUrl=https://charts.longhorn.io version: 1.8.1 targetNamespace: kube-system + # change from default value of reinstall + failurePolicy: abort valuesContent: |- defaultSettings: deletingConfirmationFlag: true From a194ef204d2f03a4936d52dfd84de463e07cff32 Mon Sep 17 00:00:00 2001 From: Noah Birrer Date: Wed, 2 Apr 2025 16:20:41 -0400 Subject: [PATCH 102/118] timeout 10m for longhorn --- .github/test-infra/aws/rke2/scripts/helmchart-template.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/test-infra/aws/rke2/scripts/helmchart-template.yaml b/.github/test-infra/aws/rke2/scripts/helmchart-template.yaml index e278b79885..cebba8c8a2 100644 --- a/.github/test-infra/aws/rke2/scripts/helmchart-template.yaml +++ b/.github/test-infra/aws/rke2/scripts/helmchart-template.yaml @@ -51,6 +51,7 @@ spec: targetNamespace: kube-system # change from default value of reinstall failurePolicy: abort + timeout: "10m" valuesContent: |- defaultSettings: deletingConfirmationFlag: true From 6ecc5b78578b446e3a84ad4dd8edd6dc8bc12efa Mon Sep 17 00:00:00 2001 From: Noah Birrer Date: Wed, 2 Apr 2025 17:00:37 -0400 Subject: [PATCH 103/118] test non-k3d w/o nv probes --- src/pepr/patches/index.ts | 54 +++++++++++++++++++-------------------- 1 file changed, 27 insertions(+), 27 deletions(-) diff --git a/src/pepr/patches/index.ts b/src/pepr/patches/index.ts index 176ceff623..e13866bca0 100644 --- a/src/pepr/patches/index.ts +++ b/src/pepr/patches/index.ts 
@@ -46,32 +46,32 @@ When(a.Service) * Temporary until fixed upstream */ -When(a.DaemonSet) - .IsCreatedOrUpdated() - .InNamespace("neuvector") - .WithName("neuvector-enforcer-pod") - .Mutate(async ds => { - const enforcerContainer = ds.Raw.spec?.template.spec?.containers.find( - container => container.name === "neuvector-enforcer-pod", - ); +// When(a.DaemonSet) +// .IsCreatedOrUpdated() +// .InNamespace("neuvector") +// .WithName("neuvector-enforcer-pod") +// .Mutate(async ds => { +// const enforcerContainer = ds.Raw.spec?.template.spec?.containers.find( +// container => container.name === "neuvector-enforcer-pod", +// ); - if (enforcerContainer && enforcerContainer.livenessProbe === undefined) { - log.debug("Patching NeuVector Enforcer Daemonset to add livenessProbe"); - const livenessProbe = { - exec: { command: ["curl", "--no-progress-meter", "127.0.0.1:8500"] }, - periodSeconds: 10, - failureThreshold: 2, - }; - enforcerContainer.livenessProbe = livenessProbe; - } +// if (enforcerContainer && enforcerContainer.livenessProbe === undefined) { +// log.debug("Patching NeuVector Enforcer Daemonset to add livenessProbe"); +// const livenessProbe = { +// exec: { command: ["curl", "--no-progress-meter", "127.0.0.1:8500"] }, +// periodSeconds: 10, +// failureThreshold: 2, +// }; +// enforcerContainer.livenessProbe = livenessProbe; +// } - if (enforcerContainer && enforcerContainer.readinessProbe === undefined) { - log.debug("Patching NeuVector Enforcer Daemonset to add readinessProbe"); - const readinessProbe = { - exec: { command: ["curl", "--no-progress-meter", "127.0.0.1:8500"] }, - initialDelaySeconds: 10, - periodSeconds: 5, - }; - enforcerContainer.readinessProbe = readinessProbe; - } - }); +// if (enforcerContainer && enforcerContainer.readinessProbe === undefined) { +// log.debug("Patching NeuVector Enforcer Daemonset to add readinessProbe"); +// const readinessProbe = { +// exec: { command: ["curl", "--no-progress-meter", "127.0.0.1:8500"] }, +// 
initialDelaySeconds: 10, +// periodSeconds: 5, +// }; +// enforcerContainer.readinessProbe = readinessProbe; +// } +// }); From 2dee6be999f1af9d9a0a457eb262e23c94c5af35 Mon Sep 17 00:00:00 2001 From: Noah Birrer Date: Fri, 4 Apr 2025 08:36:02 -0400 Subject: [PATCH 104/118] add nv patch back --- src/pepr/patches/index.ts | 54 +++++++++++++++++++-------------------- 1 file changed, 27 insertions(+), 27 deletions(-) diff --git a/src/pepr/patches/index.ts b/src/pepr/patches/index.ts index e13866bca0..176ceff623 100644 --- a/src/pepr/patches/index.ts +++ b/src/pepr/patches/index.ts 
@@ -46,32 +46,32 @@ When(a.Service) * Temporary until fixed upstream */ -// When(a.DaemonSet) -// .IsCreatedOrUpdated() -// .InNamespace("neuvector") -// .WithName("neuvector-enforcer-pod") -// .Mutate(async ds => { -// const enforcerContainer = ds.Raw.spec?.template.spec?.containers.find( -// container => container.name === "neuvector-enforcer-pod", -// ); +When(a.DaemonSet) + .IsCreatedOrUpdated() + .InNamespace("neuvector") + .WithName("neuvector-enforcer-pod") + .Mutate(async ds => { + const enforcerContainer = ds.Raw.spec?.template.spec?.containers.find( + container => container.name === "neuvector-enforcer-pod", + ); -// if (enforcerContainer && enforcerContainer.livenessProbe === undefined) { -// log.debug("Patching NeuVector Enforcer Daemonset to add livenessProbe"); -// const livenessProbe = { -// exec: { command: ["curl", "--no-progress-meter", "127.0.0.1:8500"] }, -// periodSeconds: 10, -// failureThreshold: 2, -// }; -// enforcerContainer.livenessProbe = livenessProbe; -// } + if (enforcerContainer && enforcerContainer.livenessProbe === undefined) { + log.debug("Patching NeuVector Enforcer Daemonset to add livenessProbe"); + const livenessProbe = { + exec: { command: ["curl", "--no-progress-meter", "127.0.0.1:8500"] }, + periodSeconds: 10, + failureThreshold: 2, + }; + enforcerContainer.livenessProbe = livenessProbe; + } -// if (enforcerContainer && enforcerContainer.readinessProbe === undefined) { -// log.debug("Patching NeuVector Enforcer Daemonset to add readinessProbe"); -// const readinessProbe = { -// exec: { command: ["curl", "--no-progress-meter", "127.0.0.1:8500"] }, -// initialDelaySeconds: 10, -// periodSeconds: 5, -// }; -// enforcerContainer.readinessProbe = readinessProbe; -// } -// }); + if (enforcerContainer && enforcerContainer.readinessProbe === undefined) { + log.debug("Patching NeuVector Enforcer Daemonset to add readinessProbe"); + const readinessProbe = { + exec: { command: ["curl", "--no-progress-meter", "127.0.0.1:8500"] }, + 
initialDelaySeconds: 10, + periodSeconds: 5, + }; + enforcerContainer.readinessProbe = readinessProbe; + } + }); From aa862cacf27a86b6623367289f487e85ce053443 Mon Sep 17 00:00:00 2001 From: Noah Birrer Date: Fri, 4 Apr 2025 18:20:41 -0400 Subject: [PATCH 105/118] switch longhorn install method --- .../aws/rke2/scripts/helmchart-template.yaml | 40 +++++++++---------- .../test-infra/aws/rke2/scripts/user_data.sh | 10 ++++- 2 files changed, 29 insertions(+), 21 deletions(-) diff --git a/.github/test-infra/aws/rke2/scripts/helmchart-template.yaml b/.github/test-infra/aws/rke2/scripts/helmchart-template.yaml index cebba8c8a2..8c02dbea3b 100644 --- a/.github/test-infra/aws/rke2/scripts/helmchart-template.yaml +++ b/.github/test-infra/aws/rke2/scripts/helmchart-template.yaml 
@@ -37,26 +37,26 @@ spec: valuesContent: |- clusterName: ${CLUSTER_NAME} --- -#longhorn helm values: https://github.com/longhorn/longhorn/tree/master/chart -apiVersion: helm.cattle.io/v1 -kind: HelmChart -metadata: - name: longhorn - namespace: kube-system -spec: - chart: longhorn - repo: https://charts.longhorn.io - # renovate: datasource=helm depName=longhorn versioning=helm registryUrl=https://charts.longhorn.io - version: 1.8.1 - targetNamespace: kube-system - # change from default value of reinstall - failurePolicy: abort - timeout: "10m" - valuesContent: |- - defaultSettings: - deletingConfirmationFlag: true - longhornUI: - replicas: 0 +# #longhorn helm values: https://github.com/longhorn/longhorn/tree/master/chart +# apiVersion: helm.cattle.io/v1 +# kind: HelmChart +# metadata: +# name: longhorn +# namespace: kube-system +# spec: +# chart: longhorn +# repo: https://charts.longhorn.io +# # ignoredRenovate: datasource=helm depName=longhorn versioning=helm registryUrl=https://charts.longhorn.io +# version: 1.8.1 +# targetNamespace: kube-system +# # change from default value of reinstall +# failurePolicy: abort +# timeout: "60m" +# valuesContent: |- +# defaultSettings: +# deletingConfirmationFlag: true +# longhornUI: +# replicas: 0 --- apiVersion: v1 kind: ConfigMap diff --git a/.github/test-infra/aws/rke2/scripts/user_data.sh b/.github/test-infra/aws/rke2/scripts/user_data.sh index e3c09954cc..cb16780048 100644 --- a/.github/test-infra/aws/rke2/scripts/user_data.sh +++ b/.github/test-infra/aws/rke2/scripts/user_data.sh 
@@ -16,11 +16,19 @@ export CLUSTER_NAME="${cluster_name}" pre_userdata() { info "Beginning user defined pre userdata" info "Create HelmChart Resources." +mkdir -p /var/lib/rancher/rke2/server/manifests cat > helmchart-template.yaml << EOM ${helm_chart_template} EOM -mkdir -p /var/lib/rancher/rke2/server/manifests envsubst < helmchart-template.yaml > /var/lib/rancher/rke2/server/manifests/00-helmcharts.yaml +HELM_LATEST=$(curl -L --silent --show-error --fail "https://get.helm.sh/helm-latest-version" 2>&1 || true) +curl https://get.helm.sh/helm-$HELM_LATEST-linux-amd64.tar.gz --output helm.tar.gz +tar -xvf ./helm.tar.gz && rm -rf ./helm.tar.gz +chmod +x ./linux-amd64/helm +./linux-amd64/helm repo add longhorn https://charts.longhorn.io +./linux-amd64/helm repo update +./linux-amd64/helm template longhorn longhorn/longhorn --set defaultSettings.deletingConfirmationFlag=true --set longhornUI.replicas=0 --set namespaceOverride=kube-system > /var/lib/rancher/rke2/server/manifests/01-longhorn.yaml +rm -rf ./linux-amd64/helm info "Installing awscli" yum install -y unzip jq || apt-get -y install unzip jq From 4753f6e4a402b482312f040cf77ed5d32e73aa32 Mon Sep 17 00:00:00 2001 From: Noah Birrer Date: Mon, 7 Apr 2025 09:19:35 -0400 Subject: [PATCH 106/118] no hooks --- .github/test-infra/aws/rke2/scripts/user_data.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/test-infra/aws/rke2/scripts/user_data.sh b/.github/test-infra/aws/rke2/scripts/user_data.sh index cb16780048..b795806502 100644 --- a/.github/test-infra/aws/rke2/scripts/user_data.sh +++ b/.github/test-infra/aws/rke2/scripts/user_data.sh 
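Review bot: The Helm binary is fetched unpinned and unverified: `HELM_LATEST` comes from a lookup guarded by `|| true`, so a failed lookup leaves it empty and the following `curl` (run without `--fail`) writes whatever the server returns for `helm--linux-amd64.tar.gz` into helm.tar.gz, and nothing checks the archive before its contents are executed. Pin a release, verify the tarball against the `.sha256sum` file published next to it on get.helm.sh, and let the download step itself abort instead of the later `tar`; whether an abort actually stops the script depends on the preamble outside this hunk (no `set -e` is visible). Note the file is consumed as a terraform template (`${helm_chart_template}` above), so shell variables have to stay in the brace-less `$VAR` form the existing line uses. The same download lines are carried unchanged through the user_data.sh hunks of PATCH 109, 111, 114 and 117, so one fix covers all of them; pre_userdata() continues past the hunk.
```shell
HELM_VERSION="<PINNED_HELM_VERSION>"  # placeholder: a v3.x release tag; no braces because this file is a terraform template
curl --fail -sSL "https://get.helm.sh/helm-$HELM_VERSION-linux-amd64.tar.gz" -o "helm-$HELM_VERSION-linux-amd64.tar.gz"
curl --fail -sSL "https://get.helm.sh/helm-$HELM_VERSION-linux-amd64.tar.gz.sha256sum" -o helm.sha256sum
sha256sum -c helm.sha256sum || exit 1
tar -xzf "helm-$HELM_VERSION-linux-amd64.tar.gz" && rm -f "helm-$HELM_VERSION-linux-amd64.tar.gz" helm.sha256sum
# … unchanged: chmod +x, helm repo add/update, helm template, cleanup …
```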
@@ -27,7 +27,7 @@ tar -xvf ./helm.tar.gz && rm -rf ./helm.tar.gz chmod +x ./linux-amd64/helm ./linux-amd64/helm repo add longhorn https://charts.longhorn.io ./linux-amd64/helm repo update -./linux-amd64/helm template longhorn longhorn/longhorn --set defaultSettings.deletingConfirmationFlag=true --set longhornUI.replicas=0 --set namespaceOverride=kube-system > /var/lib/rancher/rke2/server/manifests/01-longhorn.yaml +./linux-amd64/helm template longhorn longhorn/longhorn --set defaultSettings.deletingConfirmationFlag=true --set longhornUI.replicas=0 --set namespaceOverride=kube-system --no-hooks > /var/lib/rancher/rke2/server/manifests/01-longhorn.yaml rm -rf ./linux-amd64/helm info "Installing awscli" From 01056a37bae7173d458d7a21aba625c561d5324c Mon Sep 17 00:00:00 2001 From: Noah Birrer Date: Thu, 10 Apr 2025 11:38:56 -0400 Subject: [PATCH 107/118] cleanup --- .../aws/rke2/scripts/helmchart-template.yaml | 22 +------------------ .github/workflows/test-rke2.yaml | 3 --- 2 files changed, 1 insertion(+), 24 deletions(-) diff --git a/.github/test-infra/aws/rke2/scripts/helmchart-template.yaml b/.github/test-infra/aws/rke2/scripts/helmchart-template.yaml index 8c02dbea3b..b9a4700e57 100644 --- a/.github/test-infra/aws/rke2/scripts/helmchart-template.yaml +++ b/.github/test-infra/aws/rke2/scripts/helmchart-template.yaml @@ -23,6 +23,7 @@ spec: - --cloud-provider=aws --- # aws lb controller helm values: https://github.com/kubernetes-sigs/aws-load-balancer-controller/tree/main/helm/aws-load-balancer-controller#configuration +# this manifest specifically is referenced in terraform by its position after the `---` in this file (1) - be careful if you order manifests in this file differently! apiVersion: helm.cattle.io/v1 kind: HelmChart metadata: 
@@ -37,27 +38,6 @@ spec: valuesContent: |- clusterName: ${CLUSTER_NAME} --- -# #longhorn helm values: https://github.com/longhorn/longhorn/tree/master/chart -# apiVersion: helm.cattle.io/v1 -# kind: HelmChart -# metadata: -# name: longhorn -# namespace: kube-system -# spec: -# chart: longhorn -# repo: https://charts.longhorn.io -# # ignoredRenovate: datasource=helm depName=longhorn versioning=helm registryUrl=https://charts.longhorn.io -# version: 1.8.1 -# targetNamespace: kube-system -# # change from default value of reinstall -# failurePolicy: abort -# timeout: "60m" -# valuesContent: |- -# defaultSettings: -# deletingConfirmationFlag: true -# longhornUI: -# replicas: 0 ---- apiVersion: v1 kind: ConfigMap metadata: diff --git a/.github/workflows/test-rke2.yaml b/.github/workflows/test-rke2.yaml index ec9bdce5ba..18f63d89a4 100644 --- a/.github/workflows/test-rke2.yaml +++ b/.github/workflows/test-rke2.yaml @@ -95,9 +95,6 @@ jobs: run: uds run -f tasks/iac.yaml rke2-cluster-ready --no-progress timeout-minutes: 20 - # - name: Configure Cluster DNS - # run: uds run -f tasks/utils.yaml coredns-setup --no-progress --with coredns_deploy_name=rke2-coredns-rke2-coredns --with coredns_cm_name=rke2-coredns-rke2-coredns - - name: Deploy Core Bundle env: UDS_CONFIG: .github/bundles/rke2/uds-config.yaml From 98f8c02dab1cabd5cfeda35afeda8c45f1e038bc Mon Sep 17 00:00:00 2001 From: Noah Birrer Date: Thu, 10 Apr 2025 11:39:10 -0400 Subject: [PATCH 108/118] get helm version from renovate into tf --- .github/test-infra/aws/rke2/iam.tf | 6 +++++- .github/test-infra/aws/rke2/main.tf | 3 +++ 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/.github/test-infra/aws/rke2/iam.tf b/.github/test-infra/aws/rke2/iam.tf index 940c6bda56..550646792d 100644 --- a/.github/test-infra/aws/rke2/iam.tf +++ b/.github/test-infra/aws/rke2/iam.tf 
@@ -77,8 +77,12 @@ data "aws_iam_policy_document" "aws_ccm" { } } +data "local_file" "helm_template" { + filename = "./scripts/helmchart-template.yaml" +} + data "http" "aws-lb-controller-iam" { - url = "https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.11.0/docs/install/iam_policy_us-gov.json" + url = "https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v${yamldecode(local.yaml_documents[1]).spec.version}/docs/install/iam_policy_us-gov.json" } resource "aws_iam_role_policy" "aws-lb-controller" { diff --git a/.github/test-infra/aws/rke2/main.tf b/.github/test-infra/aws/rke2/main.tf index 8152b5c3bd..5347fa88dc 100644 --- a/.github/test-infra/aws/rke2/main.tf +++ b/.github/test-infra/aws/rke2/main.tf @@ -29,6 +29,9 @@ locals { cluster_name = local.tags.cluster_name helm_chart_template = file("./scripts/helmchart-template.yaml") } + + # Used to get the latest version of longhorn from renovate into this tf + longhorn_template = split("---", data.local_file.helm_template.content) } data "aws_caller_identity" "current" {} From f8c1e260566c6bd02748965308cce21889ce0f1e Mon Sep 17 00:00:00 2001 From: Noah Birrer Date: Thu, 10 Apr 2025 11:42:06 -0400 Subject: [PATCH 109/118] continue on error for all clusters --- .github/test-infra/aws/rke2/scripts/user_data.sh | 2 +- .github/workflows/test-aks.yaml | 1 + .github/workflows/test-rke2.yaml | 1 + 3 files changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/test-infra/aws/rke2/scripts/user_data.sh b/.github/test-infra/aws/rke2/scripts/user_data.sh index b795806502..6061665080 100644 --- a/.github/test-infra/aws/rke2/scripts/user_data.sh +++ b/.github/test-infra/aws/rke2/scripts/user_data.sh 
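Review bot: The policy document that `aws_iam_role_policy.aws-lb-controller` attaches to the RKE2 role is fetched from raw.githubusercontent.com every time terraform runs, and the version segment of the URL is now computed from the YAML template instead of being pinned, so the permissions granted depend on whatever that URL serves at that moment, with no content check. Vendoring the JSON into the repository next to iam.tf, or recording its sha256 and comparing it before use, would keep the grant reviewable in version control rather than resolved at run time. The `local.yaml_documents` name has no matching local in the main.tf hunk below (which defines `longhorn_template`); the "tf fix" commit later in the series addresses that. The `aws_iam_role_policy` resource continues outside the hunk.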
@@ -28,7 +28,7 @@ chmod +x ./linux-amd64/helm ./linux-amd64/helm repo add longhorn https://charts.longhorn.io ./linux-amd64/helm repo update ./linux-amd64/helm template longhorn longhorn/longhorn --set defaultSettings.deletingConfirmationFlag=true --set longhornUI.replicas=0 --set namespaceOverride=kube-system --no-hooks > /var/lib/rancher/rke2/server/manifests/01-longhorn.yaml -rm -rf ./linux-amd64/helm +rm -rf ./linux-amd64 info "Installing awscli" yum install -y unzip jq || apt-get -y install unzip jq diff --git a/.github/workflows/test-aks.yaml b/.github/workflows/test-aks.yaml index 84af71bbb0..de813d5326 100644 --- a/.github/workflows/test-aks.yaml +++ b/.github/workflows/test-aks.yaml @@ -99,6 +99,7 @@ jobs: - name: Test UDS Core run: uds run -f tasks/test.yaml uds-core-non-k3d --set EXCLUDED_PACKAGES="metrics-server" + continue-on-error: true - name: Debug Output if: ${{ always() }} diff --git a/.github/workflows/test-rke2.yaml b/.github/workflows/test-rke2.yaml index 18f63d89a4..8bb0c9f234 100644 --- a/.github/workflows/test-rke2.yaml +++ b/.github/workflows/test-rke2.yaml @@ -103,6 +103,7 @@ jobs: - name: Test UDS Core run: uds run -f tasks/test.yaml uds-core-non-k3d + continue-on-error: true - name: Debug Output if: ${{ always() }} From 5548920187534208fcf5fd67457e1302cc7d901b Mon Sep 17 00:00:00 2001 From: Noah Birrer Date: Thu, 10 Apr 2025 11:43:57 -0400 Subject: [PATCH 110/118] tf fix --- .github/test-infra/aws/rke2/iam.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/test-infra/aws/rke2/iam.tf b/.github/test-infra/aws/rke2/iam.tf index 550646792d..d243511cd8 100644 --- a/.github/test-infra/aws/rke2/iam.tf +++ b/.github/test-infra/aws/rke2/iam.tf 
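Review bot: `continue-on-error: true` on the "Test UDS Core" step in test-aks.yaml (and the identical line in the test-rke2.yaml hunk) makes the job report success even when the e2e tests fail, so a regression on these distros will not surface as a failed run. If the intent is only to let "Debug Output" run first, that step already carries `if: ${{ always() }}` and the flag is not needed; if the intent is to collect debug output and still fail, give the test step an `id: test` and add a final step with `if: steps.test.outcome == 'failure'` and `run: exit 1`. The enclosing job definition starts before the hunk.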
@@ -82,7 +82,7 @@ data "local_file" "helm_template" { } data "http" "aws-lb-controller-iam" { - url = "https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v${yamldecode(local.yaml_documents[1]).spec.version}/docs/install/iam_policy_us-gov.json" + url = "https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v${yamldecode(local.longhorn_template[1]).spec.version}/docs/install/iam_policy_us-gov.json" } resource "aws_iam_role_policy" "aws-lb-controller" { From e65b6897363dd4305436a01162b5b1dd6f2733c4 Mon Sep 17 00:00:00 2001 From: Noah Birrer Date: Thu, 10 Apr 2025 12:53:25 -0400 Subject: [PATCH 111/118] wrong helm template; use right tag --- .github/test-infra/aws/rke2/iam.tf | 2 +- .github/test-infra/aws/rke2/main.tf | 4 ++-- .github/test-infra/aws/rke2/scripts/helmchart-template.yaml | 5 ++++- .github/test-infra/aws/rke2/scripts/user_data.sh | 6 ++++-- 4 files changed, 11 insertions(+), 6 deletions(-) diff --git a/.github/test-infra/aws/rke2/iam.tf b/.github/test-infra/aws/rke2/iam.tf index d243511cd8..303f700b38 100644 --- a/.github/test-infra/aws/rke2/iam.tf +++ b/.github/test-infra/aws/rke2/iam.tf @@ -82,7 +82,7 @@ data "local_file" "helm_template" { } data "http" "aws-lb-controller-iam" { - url = "https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v${yamldecode(local.longhorn_template[1]).spec.version}/docs/install/iam_policy_us-gov.json" + url = "https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/${split(":", yamldecode(local.aws_load_balancer_controller_template[4]).image)[1]}/docs/install/iam_policy_us-gov.json" } resource "aws_iam_role_policy" "aws-lb-controller" { diff --git a/.github/test-infra/aws/rke2/main.tf b/.github/test-infra/aws/rke2/main.tf index 5347fa88dc..752d976b7e 100644 --- a/.github/test-infra/aws/rke2/main.tf +++ b/.github/test-infra/aws/rke2/main.tf 
@@ -30,8 +30,8 @@ locals { helm_chart_template = file("./scripts/helmchart-template.yaml") } - # Used to get the latest version of longhorn from renovate into this tf - longhorn_template = split("---", data.local_file.helm_template.content) + # Used to get the latest version of aws-load-balancer-controller from renovate into this tf + aws_load_balancer_controller_template = split("---", data.local_file.helm_template.content) } data "aws_caller_identity" "current" {} diff --git a/.github/test-infra/aws/rke2/scripts/helmchart-template.yaml b/.github/test-infra/aws/rke2/scripts/helmchart-template.yaml index b9a4700e57..76394e7eb7 100644 --- a/.github/test-infra/aws/rke2/scripts/helmchart-template.yaml +++ b/.github/test-infra/aws/rke2/scripts/helmchart-template.yaml @@ -23,7 +23,7 @@ spec: - --cloud-provider=aws --- # aws lb controller helm values: https://github.com/kubernetes-sigs/aws-load-balancer-controller/tree/main/helm/aws-load-balancer-controller#configuration -# this manifest specifically is referenced in terraform by its position after the `---` in this file (1) - be careful if you order manifests in this file differently! +# this manifest specifically is referenced in terraform by its position after the each separator in this file (1) - be careful if you order manifests in this file differently! apiVersion: helm.cattle.io/v1 kind: HelmChart metadata: @@ -106,3 +106,6 @@ spec: - name: loadbalance - name: import parameters: /etc/coredns/custom/*.override +--- +# renovate: image=public.ecr.aws/eks/aws-load-balancer-controller +image: public.ecr.aws/eks/aws-load-balancer-controller:v2.12.0 \ No newline at end of file diff --git a/.github/test-infra/aws/rke2/scripts/user_data.sh b/.github/test-infra/aws/rke2/scripts/user_data.sh index 6061665080..218ae07c07 100644 --- a/.github/test-infra/aws/rke2/scripts/user_data.sh +++ b/.github/test-infra/aws/rke2/scripts/user_data.sh 
@@ -20,6 +20,10 @@ mkdir -p /var/lib/rancher/rke2/server/manifests cat > helmchart-template.yaml << EOM ${helm_chart_template} EOM +curl -L https://github.com/mikefarah/yq/releases/download/v4.40.4/yq_linux_amd64 -o yq +chmod +x yq +# Remove the image tag at the bottom, as it's only there for renovate +yq -i 'select(documentIndex < 4)' helmchart-template.yaml envsubst < helmchart-template.yaml > /var/lib/rancher/rke2/server/manifests/00-helmcharts.yaml HELM_LATEST=$(curl -L --silent --show-error --fail "https://get.helm.sh/helm-latest-version" 2>&1 || true) curl https://get.helm.sh/helm-$HELM_LATEST-linux-amd64.tar.gz --output helm.tar.gz @@ -44,8 +48,6 @@ aws secretsmanager get-secret-value --secret-id ${secret_prefix}-oidc-public-key chcon -t svirt_sandbox_file_t /irsa/* info "Setting up RKE2 config file" -curl -L https://github.com/mikefarah/yq/releases/download/v4.40.4/yq_linux_amd64 -o yq -chmod +x yq ./yq -i '.cloud-provider-name += "external"' /etc/rancher/rke2/config.yaml ./yq -i '.disable-cloud-controller += "true"' /etc/rancher/rke2/config.yaml ./yq -i '.kube-apiserver-arg += "service-account-key-file=/irsa/signer.key.pub"' /etc/rancher/rke2/config.yaml From a3afa793d2d5140f84a12af57e00c59dc73e236f Mon Sep 17 00:00:00 2001 From: Noah Birrer Date: Thu, 10 Apr 2025 12:56:15 -0400 Subject: [PATCH 112/118] lint fix --- .github/test-infra/aws/rke2/scripts/helmchart-template.yaml | 4 ++-- .github/test-infra/aws/rke2/scripts/user_data.sh | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/test-infra/aws/rke2/scripts/helmchart-template.yaml b/.github/test-infra/aws/rke2/scripts/helmchart-template.yaml index 76394e7eb7..bb99dac369 100644 --- a/.github/test-infra/aws/rke2/scripts/helmchart-template.yaml +++ b/.github/test-infra/aws/rke2/scripts/helmchart-template.yaml 
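Review bot: The yq binary is downloaded with `curl -L ... -o yq` and made executable with no checksum check and no `--fail`, so a 404 body or an altered release asset becomes the program that the following `./yq -i` calls run against helmchart-template.yaml and /etc/rancher/rke2/config.yaml. Pin the expected digest next to the already-pinned version by adding, after `chmod +x yq`, `echo "<EXPECTED_SHA256>  yq" | sha256sum -c - || exit 1` (placeholder digest, taken from the v4.40.4 release you validate); whether `exit` stops the whole script depends on the preamble outside this hunk. The user_data.sh hunk of PATCH 114 moves these two download lines further down the script unchanged, so the same check belongs there. pre_userdata() continues outside the hunk.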
@@ -106,6 +106,6 @@ spec: - name: loadbalance - name: import parameters: /etc/coredns/custom/*.override ---- +--- # renovate: image=public.ecr.aws/eks/aws-load-balancer-controller -image: public.ecr.aws/eks/aws-load-balancer-controller:v2.12.0 \ No newline at end of file +image: public.ecr.aws/eks/aws-load-balancer-controller:v2.12.0 diff --git a/.github/test-infra/aws/rke2/scripts/user_data.sh b/.github/test-infra/aws/rke2/scripts/user_data.sh index 218ae07c07..b7894ac7ad 100644 --- a/.github/test-infra/aws/rke2/scripts/user_data.sh +++ b/.github/test-infra/aws/rke2/scripts/user_data.sh @@ -23,7 +23,7 @@ EOM curl -L https://github.com/mikefarah/yq/releases/download/v4.40.4/yq_linux_amd64 -o yq chmod +x yq # Remove the image tag at the bottom, as it's only there for renovate -yq -i 'select(documentIndex < 4)' helmchart-template.yaml +./yq -i 'select(documentIndex < 4)' helmchart-template.yaml envsubst < helmchart-template.yaml > /var/lib/rancher/rke2/server/manifests/00-helmcharts.yaml HELM_LATEST=$(curl -L --silent --show-error --fail "https://get.helm.sh/helm-latest-version" 2>&1 || true) curl https://get.helm.sh/helm-$HELM_LATEST-linux-amd64.tar.gz --output helm.tar.gz From 90ee102e4a56c91cb0e9490096b2d19f943c256b Mon Sep 17 00:00:00 2001 From: Noah Birrer Date: Fri, 11 Apr 2025 14:45:54 -0400 Subject: [PATCH 113/118] update comments --- .github/test-infra/aws/rke2/scripts/helmchart-template.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/test-infra/aws/rke2/scripts/helmchart-template.yaml b/.github/test-infra/aws/rke2/scripts/helmchart-template.yaml index bb99dac369..eacdc17583 100644 --- a/.github/test-infra/aws/rke2/scripts/helmchart-template.yaml +++ b/.github/test-infra/aws/rke2/scripts/helmchart-template.yaml 
@@ -23,7 +23,6 @@ spec: - --cloud-provider=aws --- # aws lb controller helm values: https://github.com/kubernetes-sigs/aws-load-balancer-controller/tree/main/helm/aws-load-balancer-controller#configuration -# this manifest specifically is referenced in terraform by its position after the each separator in this file (1) - be careful if you order manifests in this file differently! apiVersion: helm.cattle.io/v1 kind: HelmChart metadata: @@ -107,5 +106,7 @@ spec: - name: import parameters: /etc/coredns/custom/*.override --- +# this portion specifically is referenced in terraform by its position after the each separator in this file (4) - be careful if you modify this file! +# this is not applied to cluster, it's a placeholder that is consumed by terraform and gets removed before the manifest is applied # renovate: image=public.ecr.aws/eks/aws-load-balancer-controller image: public.ecr.aws/eks/aws-load-balancer-controller:v2.12.0 From 993d1cf90ba80e7b0c9c2d48dcbaee53ee8da5f2 Mon Sep 17 00:00:00 2001 From: Noah Birrer Date: Mon, 14 Apr 2025 10:25:13 -0400 Subject: [PATCH 114/118] update renovate config --- .github/test-infra/aws/rke2/iam.tf | 3 +-- .github/test-infra/aws/rke2/main.tf | 3 --- .../aws/rke2/scripts/helmchart-template.yaml | 5 ----- .github/test-infra/aws/rke2/scripts/user_data.sh | 12 +++++++----- 4 files changed, 8 insertions(+), 15 deletions(-) diff --git a/.github/test-infra/aws/rke2/iam.tf b/.github/test-infra/aws/rke2/iam.tf index 303f700b38..7bceb5fbec 100644 --- a/.github/test-infra/aws/rke2/iam.tf +++ b/.github/test-infra/aws/rke2/iam.tf 
@@ -82,9 +82,8 @@ data "local_file" "helm_template" { } data "http" "aws-lb-controller-iam" { - url = "https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/${split(":", yamldecode(local.aws_load_balancer_controller_template[4]).image)[1]}/docs/install/iam_policy_us-gov.json" + url = "https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.12.0/docs/install/iam_policy_us-gov.json" } - resource "aws_iam_role_policy" "aws-lb-controller" { name = "${local.cluster_name}-lb-controller" role = aws_iam_role.rke2_server.id diff --git a/.github/test-infra/aws/rke2/main.tf b/.github/test-infra/aws/rke2/main.tf index 752d976b7e..8152b5c3bd 100644 --- a/.github/test-infra/aws/rke2/main.tf +++ b/.github/test-infra/aws/rke2/main.tf @@ -29,9 +29,6 @@ locals { cluster_name = local.tags.cluster_name helm_chart_template = file("./scripts/helmchart-template.yaml") } - - # Used to get the latest version of aws-load-balancer-controller from renovate into this tf - aws_load_balancer_controller_template = split("---", data.local_file.helm_template.content) } data "aws_caller_identity" "current" {} diff --git a/.github/test-infra/aws/rke2/scripts/helmchart-template.yaml b/.github/test-infra/aws/rke2/scripts/helmchart-template.yaml index eacdc17583..801bf0bb2f 100644 --- a/.github/test-infra/aws/rke2/scripts/helmchart-template.yaml +++ b/.github/test-infra/aws/rke2/scripts/helmchart-template.yaml @@ -105,8 +105,3 @@ spec: - name: loadbalance - name: import parameters: /etc/coredns/custom/*.override ---- -# this portion specifically is referenced in terraform by its position after the each separator in this file (4) - be careful if you modify this file! -# this is not applied to cluster, it's a placeholder that is consumed by terraform and gets removed before the manifest is applied -# renovate: image=public.ecr.aws/eks/aws-load-balancer-controller -image: public.ecr.aws/eks/aws-load-balancer-controller:v2.12.0 
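Review bot: After this hunk `data "local_file" "helm_template"` (shown in the hunk header context) has no remaining consumer, because the main.tf hunk removes the `aws_load_balancer_controller_template` local that read its content, so the data source should be removed with it. The hard-coded `v2.12.0` in the policy URL now has to be kept in step with the controller version deployed from helmchart-template.yaml by hand, since the helmchart-template.yaml hunk deletes the renovate placeholder that tied them together; a comment on the url line such as `# keep in sync with the aws-load-balancer-controller version in scripts/helmchart-template.yaml` would at least make the coupling visible. The blank line between the `data "http"` block and the resource is also dropped, which `terraform fmt` will put back. The `aws_iam_role_policy` resource continues outside the hunk.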
diff --git a/.github/test-infra/aws/rke2/scripts/user_data.sh b/.github/test-infra/aws/rke2/scripts/user_data.sh index b7894ac7ad..c9f228f214 100644 --- a/.github/test-infra/aws/rke2/scripts/user_data.sh +++ b/.github/test-infra/aws/rke2/scripts/user_data.sh @@ -20,18 +20,18 @@ mkdir -p /var/lib/rancher/rke2/server/manifests cat > helmchart-template.yaml << EOM ${helm_chart_template} EOM -curl -L https://github.com/mikefarah/yq/releases/download/v4.40.4/yq_linux_amd64 -o yq -chmod +x yq -# Remove the image tag at the bottom, as it's only there for renovate -./yq -i 'select(documentIndex < 4)' helmchart-template.yaml + envsubst < helmchart-template.yaml > /var/lib/rancher/rke2/server/manifests/00-helmcharts.yaml +# We install longhorn from a template to avoid install issues with the HelmController + +LONGHORN_VERSION=1.8.1 HELM_LATEST=$(curl -L --silent --show-error --fail "https://get.helm.sh/helm-latest-version" 2>&1 || true) curl https://get.helm.sh/helm-$HELM_LATEST-linux-amd64.tar.gz --output helm.tar.gz tar -xvf ./helm.tar.gz && rm -rf ./helm.tar.gz chmod +x ./linux-amd64/helm ./linux-amd64/helm repo add longhorn https://charts.longhorn.io ./linux-amd64/helm repo update -./linux-amd64/helm template longhorn longhorn/longhorn --set defaultSettings.deletingConfirmationFlag=true --set longhornUI.replicas=0 --set namespaceOverride=kube-system --no-hooks > /var/lib/rancher/rke2/server/manifests/01-longhorn.yaml +./linux-amd64/helm template longhorn longhorn/longhorn --version $LONGHORN_VERSION --set defaultSettings.deletingConfirmationFlag=true --set longhornUI.replicas=0 --set namespaceOverride=kube-system --no-hooks > /var/lib/rancher/rke2/server/manifests/01-longhorn.yaml rm -rf ./linux-amd64 info "Installing awscli" 
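Review bot: `LONGHORN_VERSION=1.8.1` pins the chart without the renovate marker the removed HelmChart manifest carried, so this copy of the version will no longer be bumped automatically and will drift from the rest of the repo. Add the marker from the old manifest directly above the assignment, `# renovate: datasource=helm depName=longhorn versioning=helm registryUrl=https://charts.longhorn.io`, assuming the repository's renovate configuration matches that comment form in shell files as well as YAML (not visible here). The new `# We install longhorn from a template ...` comment is separated from the assignment by a blank line that PATCH 117 later turns into a lone `#`; a single contiguous comment block would read more cleanly. pre_userdata() continues outside the hunk.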
@@ -39,6 +39,8 @@ yum install -y unzip jq || apt-get -y install unzip jq curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip" unzip awscliv2.zip sudo ./aws/install +curl -L https://github.com/mikefarah/yq/releases/download/v4.40.4/yq_linux_amd64 -o yq +chmod +x yq echo "Getting OIDC keypair" sudo mkdir /irsa From f00a6a915a4ec63ed10f6e45aedb3054e35721ec Mon Sep 17 00:00:00 2001 From: Noah Birrer Date: Mon, 14 Apr 2025 10:33:00 -0400 Subject: [PATCH 115/118] address feedback --- tasks/test.yaml | 3 ++- test/jest/network.spec.ts | 8 ++++---- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/tasks/test.yaml b/tasks/test.yaml index 8a305a006d..a9e6f8f2ee 100644 --- a/tasks/test.yaml +++ b/tasks/test.yaml @@ -70,8 +70,9 @@ tasks: if [ ! $(echo ${EXCLUDED_PACKAGES} | grep ${package}) ]; then if [ ${package} = "istio" ]; then uds run -f src/${package}/tasks.yaml validate --no-progress --with validate_passthrough=${{ .inputs.validate_passthrough }} + else + uds run -f src/${package}/tasks.yaml validate --no-progress fi - uds run -f src/${package}/tasks.yaml validate --no-progress fi done set +e diff --git a/test/jest/network.spec.ts b/test/jest/network.spec.ts index 5e58d51158..e175259ce8 100644 --- a/test/jest/network.spec.ts +++ b/test/jest/network.spec.ts 
@@ -165,11 +165,11 @@ describe("Network Policy Validation", () => {
 test.concurrent("Denied Requests by Default and Incorrect Ports and Labels", async () => {
 // Default Deny when no Ingress or Egress defined or Exposed Endpoints
 // The HTTP response code could either be 000 or 503, depending on the K8s distro
- const denied_external_response = await execInPod("curl-ns-deny-all", curlPodName1, "curl-pkg-deny-all-1", CURL_GATEWAY);
+ const denied_external_response = await execInPod("curl-ns-deny-al-1", curlPodName1, "curl-pkg-deny-all-1", CURL_GATEWAY);
 expect(isResponseError(denied_external_response)).toBe(true);
 
 // Default deny when no Ingress or Egress for internal curl command
- const denied_internal_response = await execInPod("curl-ns-deny-all", curlPodName1, "curl-pkg-deny-all-1", INTERNAL_CURL_COMMAND_1);
+ const denied_internal_response = await execInPod("curl-ns-deny-all-1", curlPodName1, "curl-pkg-deny-all-1", INTERNAL_CURL_COMMAND_1);
 expect(isResponseError(denied_internal_response)).toBe(true);
 
 // Default Deny for Google Curl when no Egress defined
@@ -177,8 +177,8 @@ describe("Network Policy Validation", () => {
 expect(denied_google_response.stdout).toBe("000");
 
 // Default Deny for Blocked Port
- const blocked_port_curl = getCurlCommand("curl-pkg-deny-all-2", "curl-ns-deny-all", 9999);
- const denied_port_response = await execInPod("curl-ns-deny-all", curlPodName1, "curl-pkg-deny-all-1", blocked_port_curl);
+ const blocked_port_curl = getCurlCommand("curl-pkg-deny-all-2", "curl-ns-deny-all-2", 9999);
+ const denied_port_response = await execInPod("curl-ns-deny-all-1", curlPodName1, "curl-pkg-deny-all-1", blocked_port_curl);
 expect(isResponseError(denied_port_response)).toBe(true);
 });
 
From fc9189dee6bc9f707f2d7fc5f4c09430aa4436b3 Mon Sep 17 00:00:00 2001
From: Noah Birrer
Date: Mon, 14 Apr 2025 11:55:52 -0400
Subject: [PATCH 116/118] fix typo
---
 test/jest/network.spec.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
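Review bot: The namespace names on the changed lines are typed out by hand in every call, and the first changed line of the @@ -165 hunk shows the cost: `"curl-ns-deny-al-1"` (one `l`) disagrees with the `"curl-ns-deny-all-1"` used two calls later and has to be repaired by the following commit, while the @@ -177 hunk repeats the same literals again. Hoisting them once next to the existing constants (`CURL_GATEWAY`, `INTERNAL_CURL_COMMAND_1`), e.g. `const DENY_NS_1 = "curl-ns-deny-all-1";` and `const DENY_NS_2 = "curl-ns-deny-all-2";`, and passing those to `execInPod`/`getCurlCommand` turns this kind of drift into an unresolved-identifier error instead of a runtime test failure against the wrong namespace. The enclosing `test.concurrent` callback and `describe` block start and end outside the hunk.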
diff --git a/test/jest/network.spec.ts b/test/jest/network.spec.ts
index e175259ce8..56c1ac8e86 100644
--- a/test/jest/network.spec.ts
+++ b/test/jest/network.spec.ts
@@ -165,7 +165,7 @@ describe("Network Policy Validation", () => {
 test.concurrent("Denied Requests by Default and Incorrect Ports and Labels", async () => {
 // Default Deny when no Ingress or Egress defined or Exposed Endpoints
 // The HTTP response code could either be 000 or 503, depending on the K8s distro
- const denied_external_response = await execInPod("curl-ns-deny-al-1", curlPodName1, "curl-pkg-deny-all-1", CURL_GATEWAY);
+ const denied_external_response = await execInPod("curl-ns-deny-all-1", curlPodName1, "curl-pkg-deny-all-1", CURL_GATEWAY);
 expect(isResponseError(denied_external_response)).toBe(true);
 
 // Default deny when no Ingress or Egress for internal curl command
From 948c07b0168738ae25fd5cfd7ba0dbbb9679c741 Mon Sep 17 00:00:00 2001
From: Noah Birrer
Date: Mon, 14 Apr 2025 13:01:31 -0400
Subject: [PATCH 117/118] syntax fix
---
 .github/test-infra/aws/rke2/scripts/user_data.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/test-infra/aws/rke2/scripts/user_data.sh b/.github/test-infra/aws/rke2/scripts/user_data.sh
index c9f228f214..92ee131a59 100644
--- a/.github/test-infra/aws/rke2/scripts/user_data.sh
+++ b/.github/test-infra/aws/rke2/scripts/user_data.sh
@@ -23,7 +23,7 @@ EOM
 
 envsubst < helmchart-template.yaml > /var/lib/rancher/rke2/server/manifests/00-helmcharts.yaml
 # We install longhorn from a template to avoid install issues with the HelmController
-
+#
 LONGHORN_VERSION=1.8.1
 HELM_LATEST=$(curl -L --silent --show-error --fail "https://get.helm.sh/helm-latest-version" 2>&1 || true)
 curl https://get.helm.sh/helm-$HELM_LATEST-linux-amd64.tar.gz --output helm.tar.gz
From 8d9742c47a4b933293cb1f897cde87336c6a661b Mon Sep 17 00:00:00 2001
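Review bot: The added `#` line in the user_data.sh hunk replaces a blank line, and nothing in the hunk or the commit title beyond the word "syntax" records why an empty line was a problem at this point, so the next editor or a formatter is likely to turn it back into whitespace. Make the line carry its reason, e.g. `# NOTE: keep this line non-empty; a blank line here caused a syntax error (see commit "syntax fix")` — assuming that is what the title refers to, which the hunk itself does not show. The script continues outside the hunk.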
From: Noah Birrer
Date: Mon, 14 Apr 2025 14:56:16 -0400
Subject: [PATCH 118/118] don't filter out `helm-install` pods in wait for cluster components
---
 tasks/iac.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tasks/iac.yaml b/tasks/iac.yaml
index 4e8265e6af..d6ef7871ce 100644
--- a/tasks/iac.yaml
+++ b/tasks/iac.yaml
@@ -131,7 +131,7 @@ tasks:
 done
 echo "Waiting for cluster components to be ready...";
 while true; do
- if [ $(uds zarf tools kubectl get po,job -A --no-headers=true | egrep -v 'helm-install|Running|Complete' | wc -l) -gt 0 ]; then
+ if [ $(uds zarf tools kubectl get po,job -A --no-headers=true | egrep -v 'Running|Complete' | wc -l) -gt 0 ]; then
 sleep 5;
 else
 echo "Cluster is ready!"
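Review bot: With `helm-install` no longer excluded on the changed line, a helm-install pod that ends in `Error`/`CrashLoopBackOff`, or its job stuck at `0/1` completions, now keeps the loop spinning forever, because the `while true; do` above has no iteration cap and any line lacking `Running` or `Complete` counts as not ready; previously those pods were ignored, so this is a new way for the task to hang instead of failing. Bound the wait in the `sleep 5;` branch, e.g. `attempts=$((attempts + 1)); if [ "$attempts" -gt 120 ]; then echo "Timed out waiting for cluster components"; exit 1; fi` with `attempts=0` set before the loop, so a broken chart surfaces as a task failure with a message rather than a silent CI timeout. Note also that `egrep -v 'Running|Complete'` is a substring match over the whole `get po,job` line, so a resource whose name contains either word would be counted as ready; matching on the STATUS column would be tighter. The loop body continues outside the hunk.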