diff --git a/.github/actions/setup/action.yaml b/.github/actions/setup/action.yaml index 9c5b5040d..62b2f0d65 100644 --- a/.github/actions/setup/action.yaml +++ b/.github/actions/setup/action.yaml @@ -28,13 +28,11 @@ runs: # renovate: datasource=github-tags depName=k3d-io/k3d versioning=semver run: curl -s https://raw.githubusercontent.com/k3d-io/k3d/main/install.sh | TAG=v5.7.4 bash - - name: Set up Homebrew - uses: Homebrew/actions/setup-homebrew@master - - name: Install UDS CLI - shell: bash - # renovate: datasource=github-tags depName=defenseunicorns/uds-cli versioning=semver - run: brew install defenseunicorns/tap/uds@0.16.0 + uses: defenseunicorns/setup-uds@b987a32bac3baeb67bfb08f5e1544e2f9076ee8a # v1.0.0 + with: + # renovate: datasource=github-tags depName=defenseunicorns/uds-cli versioning=semver + version: v0.16.0 - name: Install Lula uses: defenseunicorns/lula-action/setup@badad8c4b1570095f57e66ffd62664847698a3b9 # v0.0.1 diff --git a/.github/filters.yaml b/.github/filters.yaml index 77ec1bba8..2d06cbf63 100644 --- a/.github/filters.yaml +++ b/.github/filters.yaml 
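Review bot: The renovate marker now sits above `version: v0.16.0` under `with:` instead of the old `run: brew install ...@0.16.0` line, and whether the repository's regex manager still matches a `v`-prefixed value on a `version:` key is not visible in this diff; if it does not, the UDS CLI pin silently stops receiving updates while the comment suggests otherwise. Worth confirming against the manager's `matchStrings` (or with renovate's config validator) before merging. The action reference itself is SHA-pinned with a `# v1.0.0` trailer, which is the right pattern and consistent with the `lula-action` pin below it.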
@@ -1,98 +1,12 @@ all: - "**" -authservice: - - "src/authservice/**" - - "!**/*.md" - - "!**/*.jpg" - - "!**/*.png" - - "!**/*.gif" - - "!**/*.svg" - -grafana: - - "src/grafana/**" - - "!**/*.md" - - "!**/*.jpg" - - "!**/*.png" - - "!**/*.gif" - - "!**/*.svg" - -istio: +base: + - "packages/base/**" - "src/istio/**" - - "!**/*.md" - - "!**/*.jpg" - - "!**/*.png" - - "!**/*.gif" - - "!**/*.svg" + - "src/pepr/**" -keycloak: +identity-authorization: + - "packages/identity-authorization/**" - "src/keycloak/**" - - "!**/*.md" - - "!**/*.jpg" - - "!**/*.png" - - "!**/*.gif" - - "!**/*.svg" - -kiali: - - "src/kiali/**" - - "!**/*.md" - - "!**/*.jpg" - - "!**/*.png" - - "!**/*.gif" - - "!**/*.svg" - -loki: - - "src/loki/**" - - "!**/*.md" - - "!**/*.jpg" - - "!**/*.png" - - "!**/*.gif" - - "!**/*.svg" - -metrics-server: - - "src/metrics-server/**" - - "!**/*.md" - - "!**/*.jpg" - - "!**/*.png" - - "!**/*.gif" - - "!**/*.svg" - -neuvector: - - "src/neuvector/**" - - "!**/*.md" - - "!**/*.jpg" - - "!**/*.png" - - "!**/*.gif" - - "!**/*.svg" - -prometheus-stack: - - "src/prometheus-stack/**" - - "!**/*.md" - - "!**/*.jpg" - - "!**/*.png" - - "!**/*.gif" - - "!**/*.svg" - -vector: - - "src/vector/**" - - "!**/*.md" - - "!**/*.jpg" - - "!**/*.png" - - "!**/*.gif" - - "!**/*.svg" - -tempo: - - "src/tempo/**" - - "!**/*.md" - - "!**/*.jpg" - - "!**/*.png" - - "!**/*.gif" - - "!**/*.svg" - -velero: - - "src/velero/**" - - "!**/*.md" - - "!**/*.jpg" - - "!**/*.png" - - "!**/*.gif" - - "!**/*.svg" + - "src/authservice/**" diff --git a/.github/workflows/compliance.yaml b/.github/workflows/compliance.yaml index eb4f6598c..c9649a18c 100644 --- a/.github/workflows/compliance.yaml +++ b/.github/workflows/compliance.yaml @@ -25,8 +25,6 @@ jobs: runs-on: ubuntu-latest name: Evaluate continue-on-error: true - # env: - # UDS_PKG: ${{ inputs.package }} steps: # Used to execute the uds run command - name: Checkout repository 
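Review bot: The `base` filter does not list `src/prometheus-stack/**`, although `slim-dev-test.yaml` in this same change treats that path as a trigger for the base/identity layers and `packages/standard/zarf.yaml` now imports `prometheus-operator-crds` from `../base`; if the CRDs really live in base, add `- "src/prometheus-stack/**"` under `base:` so a CRD change runs the layer tests. Dropping the `!**/*.md` / image exclusions is required once `predicate-quantifier: every` is removed from the paths-filter step, but it means a docs-only edit under `src/istio/**` now schedules a full base-layer test. The per-package filters for the other `src/*` packages are gone, so those are exercised only via `all`; a one-line comment at the top of the file (`# one filter per core layer; packages without a layer are covered by 'all'`) would tell the next layer author to add an entry here as well as to the publish matrix.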
diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
index 6ed33ecbe..e5d746cf2 100644
--- a/.github/workflows/publish.yaml
+++ b/.github/workflows/publish.yaml
@@ -87,3 +87,45 @@ jobs:
 uses: ./.github/actions/save-logs
 with:
 suffix: -${{ matrix.flavor }}
+
+ publish-uds-core-layers:
+ if: ${{ !inputs.snapshot }}
+ strategy:
+ matrix:
+ flavor: [upstream, registry1, unicorn]
+ layer: [base, identity-authorization]
+ arch: [amd64, arm64]
+ exclude:
+ - flavor: registry1
+ arch: arm64
+ runs-on: ${{ matrix.arch == 'arm64' && 'uds-ubuntu-arm64-4-core' || 'uds-ubuntu-big-boy-4-core' }}
+ name: Publish package layers
+
+ permissions:
+ contents: read
+ packages: write
+ id-token: write # This is needed for OIDC federation.
+
+ steps:
+ - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+
+ - name: Environment setup
+ uses: ./.github/actions/setup
+ with:
+ registry1Username: ${{ secrets.IRON_BANK_ROBOT_USERNAME }}
+ registry1Password: ${{ secrets.IRON_BANK_ROBOT_PASSWORD }}
+ ghToken: ${{ secrets.GITHUB_TOKEN }}
+ chainguardIdentity: ${{ secrets.CHAINGUARD_IDENTITY }}
+
+ - name: Test and Publish Core Package Layer
+ run: uds run -f tasks/publish.yaml single-layer --set FLAVOR=${{ matrix.flavor }} --set LAYER=${{ matrix.layer }} --no-progress
+
+ - name: Debug Output
+ if: ${{ always() && !inputs.snapshot }}
+ uses: ./.github/actions/debug-output
+
+ - name: Save logs
+ if: always()
+ uses: ./.github/actions/save-logs
+ with:
+ suffix: -${{ matrix.flavor }}-${{ matrix.layer }}-${{ matrix.arch }}
diff --git a/.github/workflows/pull-request-conditionals.yaml b/.github/workflows/pull-request-conditionals.yaml
index c5ccf2adf..cc178e911 100644
--- a/.github/workflows/pull-request-conditionals.yaml
+++ b/.github/workflows/pull-request-conditionals.yaml
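Review bot: The new `publish-uds-core-layers` job has no `timeout-minutes`, although it creates a k3d cluster, deploys and tests a layer, and then publishes with `packages: write` and `id-token: write` on a self-hosted runner; the `test.yaml` workflow caps the same kind of work at 30 minutes, and a hung `uds run` here would hold a runner with publish credentials until GitHub's default limit. Adding `timeout-minutes: 60` (or whatever the existing publish job uses) next to `runs-on` bounds that window. The `if: ${{ always() && !inputs.snapshot }}` on the debug step repeats the job-level `!inputs.snapshot` guard and can be just `if: always()`, matching the save-logs step. The `layer: [base, identity-authorization]` matrix also has to be kept in sync with `.github/filters.yaml` and the slim-dev bundle; a comment saying so would prevent a missed publish when a layer is added.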
@@ -64,7 +64,6 @@ jobs: uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3 with: filters: .github/filters.yaml - predicate-quantifier: every # This job triggers a separate workflow for each changed source package, if any. run-package-test: diff --git a/.github/workflows/slim-dev-test.yaml b/.github/workflows/slim-dev-test.yaml index a3b09ee32..e6c94746a 100644 --- a/.github/workflows/slim-dev-test.yaml +++ b/.github/workflows/slim-dev-test.yaml @@ -8,9 +8,11 @@ on: paths: - src/pepr/** - src/keycloak/** + - src/authservice/** - src/istio/** - src/prometheus-stack/** - - packages/slim-dev/** + - packages/base/** + - packages/identity-authorization/** - bundles/k3d-slim-dev/** - .github/workflows/slim-dev** - "!**/*.md" diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index a5ed0ce24..abbaa3511 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml @@ -21,7 +21,7 @@ on: inputs: package: type: string - description: "The name of the source package to test" + description: "The name of the core package layer to test" required: true flavor: type: string @@ -43,7 +43,7 @@ jobs: timeout-minutes: 30 name: Test env: - UDS_PKG: ${{ inputs.package }} + UDS_LAYER: ${{ inputs.package }} steps: - name: Checkout repository @@ -57,9 +57,9 @@ jobs: ghToken: ${{ secrets.GITHUB_TOKEN }} chainguardIdentity: ${{ secrets.CHAINGUARD_IDENTITY }} - - name: Test a single source package + - name: Test a single layer package if: ${{ inputs.package != 'all' && inputs.test_type == 'install' }} - run: uds run test-single-package --set FLAVOR=${{ inputs.flavor }} --no-progress + run: uds run test-single-layer --set FLAVOR=${{ inputs.flavor }} --set LAYER=${{ inputs.package }} --no-progress - name: Test UDS Core Install if: ${{ inputs.package == 'all' && inputs.test_type == 'install' }} diff --git a/README.md b/README.md index c139b7387..8bc9719fc 100644 --- a/README.md +++ b/README.md 
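Review bot: In `test.yaml`, `${{ inputs.package }}` is interpolated straight into the shell line `--set LAYER=${{ inputs.package }}`, while the same value is already exported as the `UDS_LAYER` environment variable a few lines up; referencing the env var instead (`--set LAYER="$UDS_LAYER"`) keeps the `workflow_call` input out of script interpolation, which is the pattern GitHub recommends to avoid expression injection. Today the callers pass fixed filter names, so the practical exposure is low, but the inline form is the one that gets copied into the next workflow; `inputs.flavor` on the same line is pre-existing and has the same shape. If `uds run` already reads `UDS_`-prefixed env vars as task variables (the old README used `UDS_PKG=... uds run`), the `--set LAYER=` may be redundant altogether — worth confirming so there is one source of truth.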
@@ -78,7 +78,7 @@ uds deploy k3d-core-slim-dev:0.28.0 #### Developing UDS Core -UDS Core development leverages the `uds zarf dev deploy` command. For convenience, a UDS Task is provided to setup the environment. You'll need to have [NodeJS](https://nodejs.org/en/download/) 20 or later installed to continue. Here's an example of a flow developing the [metrics-server package](./src/metrics-server/README.md): +UDS Core development leverages the `uds zarf dev deploy` command. For convenience, a UDS Task is provided to setup the environment. You'll need to have [NodeJS](https://nodejs.org/en/download/) 20 or later installed to continue. Here's an example of a flow developing the [identity-authorization layer](./package/identity-authorization/README.md): ```bash # Create the dev environment @@ -90,8 +90,8 @@ npx pepr dev # If not developing the Pepr module (can be run multiple times): npx pepr deploy -# Deploy the package (can be run multiple times) -uds run dev-deploy --set PKG=metrics-server +# Deploy the layer (can be run multiple times) +uds run dev-deploy --set LAYER=identity-authorization ``` #### Testing UDS Core 
@@ -102,10 +102,10 @@ You can perform a complete test of UDS Core by running the following command: uds run test-uds-core ``` -This will create a local k3d cluster, install UDS Core, and run a series of tests against it, the same tests that are run in CI. If you want to run the tests against a specific package, you can use the `PKG` env variable. The following example runs the tests against the metrics-server package: +This will create a local k3d cluster, install UDS Core, and run a series of tests against it, the same tests that are run in CI. If you want to run the tests against a specific core layer, you can use the `LAYER` task variable. The following example runs the tests against the identity-authorization layer: ```bash -UDS_PKG=metrics-server uds run test-single-package +uds run test-single-layer --set LAYER=identity-authorization ``` Note you can specify the `--set FLAVOR=registry1` flag to test using Iron Bank images instead of the upstream images. diff --git a/bundles/k3d-slim-dev/uds-bundle.yaml b/bundles/k3d-slim-dev/uds-bundle.yaml index b655aae92..5799c7da2 100644 --- a/bundles/k3d-slim-dev/uds-bundle.yaml +++ b/bundles/k3d-slim-dev/uds-bundle.yaml @@ -31,7 +31,7 @@ packages: repository: ghcr.io/zarf-dev/packages/init ref: v0.41.0 - - name: core-slim-dev + - name: core-base path: ../../build/ # x-release-please-start-version ref: 0.28.0 @@ -66,6 +66,13 @@ packages: - name: TENANT_SERVICE_PORTS description: "The ports that are exposed from the tenant gateway LoadBalancer (useful for non-HTTP(S) traffic)" path: "service.ports" + + - name: core-identity-authorization + path: ../../build/ + # x-release-please-start-version + ref: 0.28.0 + # x-release-please-end + overrides: keycloak: keycloak: variables: diff --git a/docs/deployment/uds-deploy.md b/docs/deployment/uds-deploy.md index 97455a7c8..90b05291e 100644 --- a/docs/deployment/uds-deploy.md +++ b/docs/deployment/uds-deploy.md 
@@ -110,12 +110,10 @@ You can perform a complete test of UDS Core by running the following command: uds run test-uds-core ``` -This command initiates the creation of a local k3d cluster, installs UDS Core, and executes a set of tests identical to those performed in CI. If you wish to run tests targeting a specific package, you can utilize the `PKG` environment variable. - -The example below runs tests against the metrics-server package: +This will create a local k3d cluster, install UDS Core, and run a series of tests against it, the same tests that are run in CI. If you want to run the tests against a specific core layer, you can use the `LAYER` task variable. The following example runs the tests against the identity-authorization layer: ```cli -UDS_PKG=metrics-server uds run test-single-package +uds run test-single-layer --set LAYER=identity-authorization ``` {{% alert-note %}} diff --git a/packages/base/README.md b/packages/base/README.md new file mode 100644 index 000000000..d2c54c234 --- /dev/null +++ b/packages/base/README.md @@ -0,0 +1,7 @@ +# UDS Core Base + +This is the base layer of UDS Core required if deploying any other layers. Currently it includes the application(s): +- Istio (and gateways) +- UDS Operator and Policies (Pepr) + +As this is the base layer it can be deployed standalone for minimal functionality. diff --git a/packages/base/tasks.yaml b/packages/base/tasks.yaml new file mode 100644 index 000000000..1742dcbcf --- /dev/null +++ b/packages/base/tasks.yaml @@ -0,0 +1,9 @@ +includes: + - istio: ../../src/istio/tasks.yaml + - pepr: ../../src/pepr/tasks.yaml + +tasks: + - name: validate + actions: + - task: istio:validate + - task: pepr:validate diff --git a/packages/slim-dev/zarf.yaml b/packages/base/zarf.yaml similarity index 82% rename from packages/slim-dev/zarf.yaml rename to packages/base/zarf.yaml index 7a7de7a31..f5a8bbb81 100644 --- a/packages/slim-dev/zarf.yaml +++ b/packages/base/zarf.yaml 
@@ -1,11 +1,12 @@ kind: ZarfPackageConfig metadata: - name: core-slim-dev - description: "UDS Core (Istio, UDS Operator and Keycloak)" + name: core-base + description: "UDS Core (Base)" authors: "Defense Unicorns - Product" # x-release-please-start-version version: "0.28.0" # x-release-please-end + x-uds-dependencies: [] components: - name: uds-operator-config @@ -45,9 +46,3 @@ components: required: true import: path: ../../src/pepr - - # Keycloak - - name: keycloak - required: true - import: - path: ../../src/keycloak diff --git a/packages/identity-authorization/README.md b/packages/identity-authorization/README.md new file mode 100644 index 000000000..ccbeaca1a --- /dev/null +++ b/packages/identity-authorization/README.md @@ -0,0 +1,8 @@ +# UDS Core Identity & Authorization + +This layer of UDS Core provides identity management and authorization capabilities. Currently it includes the application(s): +- Keycloak (with custom plugin and realm) +- AuthService + +To deploy this layer you must also deploy its dependent layer(s): +- Base diff --git a/packages/identity-authorization/tasks.yaml b/packages/identity-authorization/tasks.yaml new file mode 100644 index 000000000..1f1b92c3c --- /dev/null +++ b/packages/identity-authorization/tasks.yaml @@ -0,0 +1,9 @@ +includes: + - keycloak: ../../src/keycloak/tasks.yaml + - authservice: ../../src/authservice/tasks.yaml + +tasks: + - name: validate + actions: + - task: keycloak:validate + - task: authservice:validate diff --git a/packages/identity-authorization/zarf.yaml b/packages/identity-authorization/zarf.yaml new file mode 100644 index 000000000..cadaad6e9 --- /dev/null +++ b/packages/identity-authorization/zarf.yaml 
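Review bot: `x-uds-dependencies: []` is a custom key under `metadata` that Zarf will carry but does not enforce; the only consumer visible in this change is the `yq '.metadata.x-uds-dependencies.[]'` call in `tasks/test.yaml`, which uses it to deploy prerequisite layers before a layer test. A comment on the key would stop the next author from assuming Zarf orders installs by it, e.g. `# Layers that must be deployed first. Read by tasks/test.yaml (layer-dependencies); not enforced by zarf or the bundle.` The same comment belongs on the `["base"]` entry in `packages/identity-authorization/zarf.yaml`.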
@@ -0,0 +1,22 @@ +kind: ZarfPackageConfig +metadata: + name: core-identity-authorization + description: "UDS Core (Identity & Authorization)" + authors: "Defense Unicorns - Product" + # x-release-please-start-version + version: "0.28.0" + # x-release-please-end + x-uds-dependencies: ["base"] + +components: + # Keycloak + - name: keycloak + required: true + import: + path: ../../src/keycloak + + # Authservice + - name: authservice + required: true + import: + path: ../../src/authservice diff --git a/packages/slim-dev/README.md b/packages/slim-dev/README.md deleted file mode 100644 index 1e3b1dce6..000000000 --- a/packages/slim-dev/README.md +++ /dev/null @@ -1,3 +0,0 @@ -# UDS Core Slim Dev - -This is a special modified version of UDS Core that only includes the components needed to run Istio, UDS Operator and Keycloak. diff --git a/packages/standard/zarf.yaml b/packages/standard/zarf.yaml index ef5ff903b..b021aeabd 100644 --- a/packages/standard/zarf.yaml +++ b/packages/standard/zarf.yaml @@ -11,40 +11,40 @@ components: - name: uds-operator-config required: true import: - path: ../../src/pepr + path: ../base # CRDs - name: prometheus-operator-crds required: true import: - path: ../../src/prometheus-stack + path: ../base # Istio - name: istio-controlplane required: true import: - path: ../../src/istio + path: ../base - name: istio-admin-gateway required: true import: - path: ../../src/istio + path: ../base - name: istio-tenant-gateway required: true import: - path: ../../src/istio + path: ../base - name: istio-passthrough-gateway required: false import: - path: ../../src/istio + path: ../base # Pepr the world - name: pepr-uds-core required: true import: - path: ../../src/pepr + path: ../base # Metrics Server - name: metrics-server @@ -56,7 +56,7 @@ components: - name: keycloak required: true import: - path: ../../src/keycloak + path: ../identity-authorization # Neuvector - name: neuvector 
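Review bot: `packages/standard/zarf.yaml` now imports `prometheus-operator-crds` and the four Istio components from `../base`, but the slices of `packages/base/zarf.yaml` shown in this diff only declare `uds-operator-config` and `pepr-uds-core` (the middle of that file is not in view), so confirm those component names exist there with matching `required` settings — a Zarf import of a missing component fails at `package create`. Resolving components through two levels of `import` also means a `required` or variable change in `src/` must propagate through the layer file; `istio-passthrough-gateway` is `required: false` here and should stay that way in base. If the Prometheus CRDs do live in base, `packages/base/README.md` should list them alongside Istio and Pepr.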
@@ -92,7 +92,7 @@ components: - name: authservice required: true import: - path: ../../src/authservice + path: ../identity-authorization # UDS Runtime - name: uds-runtime diff --git a/release-please-config.json b/release-please-config.json index 55d182d93..5774f9aca 100644 --- a/release-please-config.json +++ b/release-please-config.json @@ -14,7 +14,8 @@ "extra-files": [ ".github/bundles/uds-bundle.yaml", "README.md", - "packages/slim-dev/zarf.yaml", + "packages/base/zarf.yaml", + "packages/identity-authorization/zarf.yaml", "packages/standard/zarf.yaml", "bundles/k3d-slim-dev/uds-bundle.yaml", "bundles/k3d-standard/uds-bundle.yaml", diff --git a/src/pepr/config.ts b/src/pepr/config.ts index 183f504d9..749a730fc 100644 --- a/src/pepr/config.ts +++ b/src/pepr/config.ts @@ -20,21 +20,16 @@ export const UDSConfig = { domain, // Base64 Encoded Trusted CA cert for Istio certificates (i.e. for `sso.domain`) caCert, - // Track if we are running a single test mode - isSingleTest: process.env.UDS_SINGLE_TEST === "true", // Allow UDS policy exemptions to be used in any namespace allowAllNSExemptions: process.env.UDS_ALLOW_ALL_NS_EXEMPTIONS === "true", // Redis URI for Authservice authserviceRedisUri, + + // Track if UDS Core identity-authorization layer is deployed + isIdentityDeployed: false, }; // configure subproject logger const log = setupLogger(Component.CONFIG); log.info(UDSConfig, "Loaded UDS Config"); - -if (UDSConfig.isSingleTest) { - log.warn( - "Running in single test mode, this will change the behavior of the operator and should only be used for UDS Core development testing.", - ); -} diff --git a/src/pepr/logger.ts b/src/pepr/logger.ts index 8f505faed..b40eccb4a 100644 --- a/src/pepr/logger.ts +++ b/src/pepr/logger.ts @@ -4,6 +4,7 @@ export enum Component { STARTUP = "startup", CONFIG = "config", ISTIO = "istio", + OPERATOR = "operator", OPERATOR_EXEMPTIONS = "operator.exemptions", OPERATOR_ISTIO = "operator.istio", OPERATOR_KEYCLOAK = "operator.keycloak", 
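Review bot: `isIdentityDeployed` is the only field of `UDSConfig` that is mutated at runtime (by the `UDSPackage` watch added in `operator/index.ts`), yet it sits in the same `const` object as values read once from the environment and is logged as `false` by the `Loaded UDS Config` line on every start, even on a cluster where the identity layer is already installed. The comment should say so, e.g. `// Runtime state, not config: resets to false on every Pepr restart and is flipped by the keycloak UDSPackage watch in operator/index.ts; a reconcile that runs before that watch fires may reject packages with spec.sso`. Moving it into a separate exported state object would make the mutation easier to find and keep `UDSConfig` immutable.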
diff --git a/src/pepr/operator/controllers/keycloak/client-sync.ts b/src/pepr/operator/controllers/keycloak/client-sync.ts index 3aa891554..b65db3327 100644 --- a/src/pepr/operator/controllers/keycloak/client-sync.ts +++ b/src/pepr/operator/controllers/keycloak/client-sync.ts @@ -1,6 +1,5 @@ import { fetch, K8s, kind } from "pepr"; -import { UDSConfig } from "../../../config"; import { Component, setupLogger } from "../../../logger"; import { Store } from "../../common"; import { Sso, UDSPackage } from "../../crd"; @@ -209,16 +208,6 @@ async function syncClient( } async function apiCall(client: Partial, method = "POST", authToken = "") { - // Handle single test mode - if (UDSConfig.isSingleTest) { - log.warn(`Generating fake client for '${client.clientId}' in single test mode`); - return { - ...client, - secret: client.secret || "fake-secret", - registrationAccessToken: "fake-registration-access-token", - } as Client; - } - const req = { body: JSON.stringify(client) as string | undefined, method, diff --git a/src/pepr/operator/index.ts b/src/pepr/operator/index.ts index 5c11232a2..b1d0ea790 100644 --- a/src/pepr/operator/index.ts +++ b/src/pepr/operator/index.ts @@ -16,6 +16,8 @@ import { UDSExemption, UDSPackage } from "./crd"; import { validator } from "./crd/validators/package-validator"; // Reconciler imports +import { UDSConfig } from "../config"; +import { Component, setupLogger } from "../logger"; import { purgeAuthserviceClients } from "./controllers/keycloak/authservice/authservice"; import { exemptValidator } from "./crd/validators/exempt-validator"; import { packageReconciler } from "./reconcilers/package-reconciler"; 
@@ -23,6 +25,8 @@ import { packageReconciler } from "./reconcilers/package-reconciler";
 // Export the operator capability for registration in the root pepr.ts
 export { operator } from "./common";
+const log = setupLogger(Component.OPERATOR);
+
 // Pre-populate the API server CIDR since we are not persisting the EndpointSlice
 // Note ignore any errors since the watch will still be running hereafter
 void initAPIServerCIDR();
@@ -63,3 +67,22 @@ When(UDSPackage)
 // Watch for Exemptions and validate
 When(UDSExemption).IsCreatedOrUpdated().Validate(exemptValidator);
+
+// Watch for Functional Layers and update config
+When(UDSPackage)
+ .IsCreatedOrUpdated()
+ .InNamespace("keycloak")
+ .WithName("keycloak")
+ .Watch(() => {
+ // todo: wait for keycloak and authservice to be running?
+ log.info("Identity and Authorization layer deployed, operator configured to handle SSO.");
+ UDSConfig.isIdentityDeployed = true;
+ });
+When(UDSPackage)
+ .IsDeleted()
+ .InNamespace("keycloak")
+ .WithName("keycloak")
+ .Watch(() => {
+ log.info("Identity and Authorization layer removed, operator will NOT handle SSO.");
+ UDSConfig.isIdentityDeployed = false;
+ });
diff --git a/src/pepr/operator/reconcilers/package-reconciler.ts b/src/pepr/operator/reconcilers/package-reconciler.ts
index 568f71afa..42669d7f2 100644
--- a/src/pepr/operator/reconcilers/package-reconciler.ts
+++ b/src/pepr/operator/reconcilers/package-reconciler.ts
@@ -5,6 +5,7 @@ import { enableInjection } from "../controllers/istio/injection";
 import { istioResources } from "../controllers/istio/istio-resources";
 import { authservice } from "../controllers/keycloak/authservice/authservice";
 import { keycloak } from "../controllers/keycloak/client-sync";
+import { Client } from "../controllers/keycloak/types";
 import { podMonitor } from "../controllers/monitoring/pod-monitor";
 import { serviceMonitor } from "../controllers/monitoring/service-monitor";
 import { networkPolicies } from "../controllers/network/policies";
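Review bot: The flag is set on `IsCreatedOrUpdated` of a `UDSPackage` named `keycloak` in namespace `keycloak`, i.e. as soon as the CR exists rather than when Keycloak is reachable (the `todo` acknowledges this), and it starts `false` on every Pepr restart; a package with `spec.sso` whose reconcile runs before this watch has delivered the existing keycloak Package will hit the reconciler's `Identity & Authorization is not deployed` path and fail instead of waiting. Checking `pkg.status?.phase === Phase.Ready` in the callback before flipping to `true`, or having the reconciler do a one-shot `K8s(UDSPackage).InNamespace("keycloak").Get("keycloak")` when the flag is false and `spec.sso` is set, would close both gaps. Name plus namespace is the entire trust anchor for enabling SSO handling, so the comment should state that only the UDS-managed keycloak Package is expected to match; anything able to create a Package with that name toggles operator behavior. The `IsDeleted` branch resets the flag but does not purge existing SSO clients here; confirm that is handled by `purgeAuthserviceClients` and the Package finalizer elsewhere.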
@@ -65,21 +66,27 @@ export async function packageReconciler(pkg: UDSPackage) {
 // Update the namespace to ensure the istio-injection label is set
 await enableInjection(pkg);
- // Configure SSO
- const ssoClients = await keycloak(pkg);
- const authserviceClients = await authservice(pkg, ssoClients);
+ let ssoClients = new Map();
+ let authserviceClients: string[] = [];
+
+ if (UDSConfig.isIdentityDeployed) {
+ // Configure SSO
+ ssoClients = await keycloak(pkg);
+ authserviceClients = await authservice(pkg, ssoClients);
+ } else if (pkg.spec?.sso) {
+ log.error("Identity & Authorization is not deployed, but the package has SSO configuration");
+ throw new Error(
+ "Identity & Authorization is not deployed, but the package has SSO configuration",
+ );
+ }
 // Create the VirtualService and ServiceEntry for each exposed service
 endpoints = await istioResources(pkg, namespace!);
 // Only configure the ServiceMonitors if not running in single test mode
 const monitors: string[] = [];
- if (!UDSConfig.isSingleTest) {
- monitors.push(...(await podMonitor(pkg, namespace!)));
- monitors.push(...(await serviceMonitor(pkg, namespace!)));
- } else {
- log.warn(`Running in single test mode, skipping ${name} Monitors.`);
- }
+ monitors.push(...(await podMonitor(pkg, namespace!)));
+ monitors.push(...(await serviceMonitor(pkg, namespace!)));
 await updateStatus(pkg, {
 phase: Phase.Ready,
diff --git a/src/pepr/uds-operator-config/values.yaml b/src/pepr/uds-operator-config/values.yaml
index 876c335e9..5c5916211 100644
--- a/src/pepr/uds-operator-config/values.yaml
+++ b/src/pepr/uds-operator-config/values.yaml
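Review bot: `else if (pkg.spec?.sso)` treats an empty `sso: []` as configured, because an empty array is truthy in JavaScript, so a package that declares the key with no clients is rejected with `Identity & Authorization is not deployed` instead of reconciling; use `} else if (pkg.spec?.sso?.length) {`. The comment `// Only configure the ServiceMonitors if not running in single test mode` above `const monitors` is now stale since the condition was removed and both monitors are always created. The `log.error` immediately before `throw new Error(...)` carries the same text and will double-log once the caller reports the rejection (the reconciler's error handling is outside this hunk); one of the two is enough. The start of `packageReconciler` is outside the hunk.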
@@ -2,7 +2,6 @@ operator: UDS_DOMAIN: "###ZARF_VAR_DOMAIN###" UDS_CA_CERT: "###ZARF_VAR_CA_CERT###" UDS_ALLOW_ALL_NS_EXEMPTIONS: "###ZARF_VAR_ALLOW_ALL_NS_EXEMPTIONS###" - UDS_SINGLE_TEST: "###ZARF_VAR_UDS_SINGLE_TEST###" UDS_LOG_LEVEL: "###ZARF_VAR_UDS_LOG_LEVEL###" AUTHSERVICE_REDIS_URI: "###ZARF_VAR_AUTHSERVICE_REDIS_URI###" # Allow Pepr watch to be configurable to react to dropped connections faster diff --git a/src/pepr/zarf.yaml b/src/pepr/zarf.yaml index 904045a19..f5f2af6a4 100644 --- a/src/pepr/zarf.yaml +++ b/src/pepr/zarf.yaml @@ -21,10 +21,6 @@ variables: description: "UDS Authservice Redis URI" default: "" - - name: UDS_SINGLE_TEST - description: "UDS Single package test" - default: "" - - name: PEPR_SERVICE_MONITORS description: "Enables Service Monitors for Pepr services (watcher, admission)" default: "true" diff --git a/src/velero/README.md b/src/velero/README.md index 534761d6a..5d9c08e19 100644 --- a/src/velero/README.md +++ b/src/velero/README.md 
@@ -75,28 +75,14 @@ This package currently assumes the availability of S3 API compatible object stor ## Deploy -### Build and Deploy Everything locally via UDS tasks +### Build Deploy, and Test locally via UDS tasks -```bash -# build the bundle for testing -UDS_PKG=velero uds run create-single-package - -# setup a k3d test env -uds run setup-test-cluster - -# deploy the bundle -UDS_PKG=velero uds run deploy-single-package -``` - -### Test the package via UDS tasks -Running the following will check that the velero deployment exists in the cluster and attempt to execute a backup: +Velero is included in the backup-restore functional layer (WIP). This layer can be created, deployed, and tested with a single UDS run command: ```bash -uds run -f src/velero/tasks.yaml validate +uds run test-single-layer --set LAYER=backup-restore ``` -> Alternatively, you can combine package creation, cluster setup, package deploy and the test command with a simple `UDS_PKG=velero uds run test-single-package` - ## Manually trigger the default backup for testing purposes ```bash diff --git a/tasks.yaml b/tasks.yaml index b3bcbb8e0..bff776a34 100644 --- a/tasks.yaml +++ b/tasks.yaml @@ -2,7 +2,7 @@ variables: - name: FLAVOR default: upstream - - name: PKG + - name: LAYER includes: - create: ./tasks/create.yaml @@ -12,7 +12,6 @@ includes: - lint: ./tasks/lint.yaml tasks: - - name: default actions: - description: "Build, deploy and test UDS Core" 
@@ -24,8 +23,10 @@ tasks: - description: "Create the dev cluster" task: setup:create-k3d-cluster + # Note: This currently is broken until https://github.com/zarf-dev/zarf/issues/2713 is resolved + # As a workaround you can edit the `src/istio/values/upstream-values.yaml` file to change ###ZARF_REGISTRY### to docker.io before running - description: "Deploy the Istio source package with Zarf Dev" - cmd: "uds zarf dev deploy src/istio --flavor ${FLAVOR} --no-progress" + cmd: "uds zarf dev deploy src/istio --flavor upstream --no-progress" # Note, this abuses the --flavor flag to only install the CRDs from this package - the "crds-only" flavor is not an explicit flavor of the package - description: "Deploy the Prometheus-Stack source package with Zarf Dev to only install the CRDs" @@ -40,8 +41,15 @@ tasks: - name: slim-dev actions: - - description: "Create slim dev package" - task: create:slim-dev-package + - description: "Create base package" + task: create:single-layer + with: + layer: base + + - description: "Create identity-authorization package" + task: create:single-layer + with: + layer: identity-authorization - description: "Build slim dev bundle" task: create:k3d-slim-dev-bundle 
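Review bot: `dev-setup` now hard-codes `--flavor upstream` for the Istio dev deploy while the task file still exposes `FLAVOR`, so `uds run dev-setup --set FLAVOR=registry1` silently deploys upstream Istio images next to a registry1 everything-else; the comment explains the Zarf issue, but the divergence should be visible at runtime, e.g. a preceding action `- cmd: '[ "${FLAVOR}" = upstream ] || echo "WARNING: Istio dev deploy uses the upstream flavor regardless of FLAVOR (zarf-dev/zarf#2713)"'`. Marking the comment `# TODO(zarf-dev/zarf#2713): restore --flavor ${FLAVOR}` makes the workaround greppable for removal once the issue is fixed.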
@@ -57,46 +65,34 @@ tasks: - description: "Deploy Pepr" cmd: "npx pepr deploy --confirm" - - description: "Deploy Keycloak" - cmd: "uds run dev-deploy --set PKG=keycloak" - - - description: "Deploy Authservice" - cmd: "uds run dev-deploy --set PKG=authservice" + - description: "Deploy Keycloak + Authservice" + cmd: "uds run dev-deploy --set LAYER=identity-authorization --no-progress" - name: dev-deploy - description: "Deploy the given source package with Zarf Dev" + description: "Deploy the given core layer with Zarf Dev" actions: - - cmd: "uds zarf dev deploy src/${PKG} --flavor ${FLAVOR}" + - cmd: "uds zarf dev deploy packages/${LAYER} --flavor ${FLAVOR} --no-progress" - name: setup-cluster description: "Create a k3d Cluster and Initialize with Zarf" actions: - task: setup:k3d-test-cluster - - name: create-single-package - description: "Create a single Zarf Package, must set UDS_PKG environment variable" - actions: - - task: create:single-package - - name: create-standard-package description: "Create UDS Core Zarf Package, `upstream` flavor default, use --set FLAVOR={flavor} to change" actions: - task: create:standard-package - - name: deploy-single-package - description: "Deploy Pepr Module and a Zarf Package using UDS_PKG environment variable" + - name: test-single-layer + description: "Deploys k3d cluster, layer dependencies and the provided layer (based on LAYER variable)" actions: - - task: deploy:single-package + - task: test:layer-dependencies + - task: test:single-layer - name: deploy-standard-bundle actions: - task: deploy:k3d-standard-bundle - - name: test-single-package - description: "Build and test a single package, must set UDS_PKG environment variable" - actions: - - task: test:single-package - - name: test-uds-core description: "Build and test UDS Core" actions: diff --git a/tasks/create.yaml b/tasks/create.yaml index dc375be9b..c6d8b26a4 100644 --- a/tasks/create.yaml +++ b/tasks/create.yaml 
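Review bot: `dev-deploy` expands `${LAYER}` into the path without checking it, and `LAYER` has no default in the variables block, so a plain `uds run dev-deploy` runs `uds zarf dev deploy packages/ --flavor upstream` and fails with an unhelpful Zarf error rather than telling the user to pass `--set LAYER=`; a guard action first, `- cmd: 'test -n "${LAYER}" || { echo "LAYER is required, e.g. --set LAYER=base"; exit 1; }'`, gives a clear failure and the same guard fits `test-single-layer`. The task descriptions should also mention `--set LAYER=` the way `create-standard-package` mentions `--set FLAVOR=`, since the old `UDS_PKG` wording was removed without a replacement hint.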
@@ -9,6 +9,8 @@ variables: # renovate: datasource=docker depName=registry1.dso.mil/ironbank/opensource/defenseunicorns/pepr/controller versioning=semver default: registry1.dso.mil/ironbank/opensource/defenseunicorns/pepr/controller:v0.37.2 + - name: LAYER + tasks: - name: standard-package description: "Create the UDS Core Zarf Package" 
@@ -24,36 +26,28 @@ tasks: - description: "Create the UDS Core Standard Bundle" cmd: "uds create bundles/k3d-standard --confirm --no-progress --architecture=${ZARF_ARCHITECTURE}" - - name: slim-dev-package - description: "Create the UDS Core (Istio Only) Zarf Package" - actions: - - task: pepr-build - - - description: "Create the UDS Core Istio Zarf Package" - cmd: "uds zarf package create packages/slim-dev --confirm --no-progress --flavor ${FLAVOR}" - - name: k3d-slim-dev-bundle - description: "Create the K3d-UDS Core (Istio and Keycloak Only) Bundle" + description: "Create the slim dev bundle (Base and Identity)" actions: - - description: "Create the UDS Core Istio and Keycloak Only Bundle" + - description: "Create the slim dev bundle (Base and Identity)" cmd: "uds create bundles/k3d-slim-dev --confirm --no-progress --architecture=${ZARF_ARCHITECTURE}" - - name: single-package - description: "Create a single Zarf Package, must set UDS_PKG environment variable" + # This task is a wrapper to support --set LAYER=identity-authorization + - name: single-layer-callable actions: - - task: pepr-build + - task: single-layer + with: + layer: $LAYER - - description: "Create the Pepr Zarf Package, if it exists" - cmd: "uds zarf package create src/pepr --confirm --no-progress" - - - description: "Create the requested Zarf Package (must set UDS_PKG environment variable)" - cmd: "uds zarf package create src/${UDS_PKG} --confirm --no-progress --flavor ${FLAVOR}" - - - description: "Create the Istio Zarf Package, if UDS_PKG != istio" - cmd: | - if [ "${UDS_PKG}" != "istio" ]; then - uds zarf package create src/istio --confirm --no-progress --flavor ${FLAVOR} - fi + - name: single-layer + inputs: + layer: + default: base + description: The UDS Core layer to build + actions: + - task: pepr-build + if: ${{ eq .inputs.layer "base"}} + - cmd: uds zarf package create packages/${{ index .inputs "layer" }} --confirm --no-progress --flavor ${FLAVOR} - name: pepr-build description: "Build 
the UDS Core Pepr Module" diff --git a/tasks/deploy.yaml b/tasks/deploy.yaml index 0d1ff8a88..08c15b655 100644 --- a/tasks/deploy.yaml +++ b/tasks/deploy.yaml @@ -28,18 +28,22 @@ tasks: - description: "Deploy the UDS Core Slim Dev Only Bundle" cmd: uds deploy bundles/k3d-slim-dev/uds-bundle-k3d-core-slim-dev-${UDS_ARCH}-${VERSION}.tar.zst --confirm --no-progress - - name: single-package + # This task is a wrapper to support --set LAYER=identity-authorization + - name: single-layer-callable actions: - - description: "Deploy the Istio package, if UDS_PKG != istio" - cmd: | - if [ "${UDS_PKG}" != "istio" ]; then - uds zarf package deploy build/zarf-package-uds-core-istio-${UDS_ARCH}.tar.zst --confirm --no-progress --components '*' - fi - - description: "Deploy the Pepr Module" - cmd: | - uds zarf package deploy build/zarf-package-pepr-uds-core-${UDS_ARCH}.tar.zst --confirm --no-progress --set UDS_SINGLE_TEST=true --set PEPR_SERVICE_MONITORS=false - - description: "Deploy the requested Zarf Package (must set UDS_PKG environment variable)" - cmd: uds zarf package deploy build/zarf-package-uds-core-${UDS_PKG}-${UDS_ARCH}.tar.zst --confirm --no-progress --components '*' + - task: single-layer + with: + layer: $LAYER + + - name: single-layer + description: "Deploy a single UDS Core layer, must set UDS_LAYER environment variable" + inputs: + layer: + default: base + description: The UDS Core layer to deploy + actions: + - description: "Deploy a single UDS Core Layer (must set UDS_LAYER environment variable)" + cmd: uds zarf package deploy build/zarf-package-core-${{ index .inputs "layer" }}-${UDS_ARCH}-${VERSION}.tar.zst --confirm --no-progress --components '*' - name: latest-package-release actions: diff --git a/tasks/publish.yaml b/tasks/publish.yaml index 30e70f557..b9d14f208 100644 --- a/tasks/publish.yaml +++ b/tasks/publish.yaml @@ -1,5 +1,7 @@ includes: - utils: utils.yaml + - test: test.yaml + - setup: setup.yaml variables: - name: FLAVOR 
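Review bot: In `create.yaml`'s `single-layer`, the `if` uses `.inputs.layer` while the `cmd` uses `index .inputs "layer"`; both resolve the same key, so use one form (`${{ .inputs.layer }}`) for consistency. The wrapper `single-layer-callable` passes `layer: $LAYER`; when `LAYER` is unset this becomes an empty string, and whether maru treats an empty `with` value as absent (falling back to `default: base`) or as a literal empty layer name is not visible here, so an unset `LAYER` may try to build `packages/` — worth a quick check. `pepr-build` runs only for `base`, which matches the Pepr component living there; a one-line comment on the `if` (`# Pepr module ships in the base layer only`) would help the next layer author.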
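Review bot: In `deploy.yaml`, the `single-layer` task description and its action description both say `must set UDS_LAYER environment variable`, but the task reads its `layer` input (default `base`) and never consults `UDS_LAYER`; the wording is left over from the removed `single-package` task and should become `Deploy a single UDS Core layer (layer input, default base)`. The archive path now embeds `${VERSION}` (`zarf-package-core-<layer>-<arch>-<version>.tar.zst`), so a drift between this file's `VERSION` and the layer's `zarf.yaml` `version:` (both release-please managed) surfaces here as file-not-found; a comment noting both are bumped together would save a confused debugging session. Dropping `--set UDS_SINGLE_TEST=true --set PEPR_SERVICE_MONITORS=false` means layer tests now deploy Pepr exactly as production does, which removes a test-only bypass and is a welcome change.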
@@ -11,6 +13,8 @@ variables: default: "0.28.0" # x-release-please-end + - name: LAYER + tasks: - name: standard-package description: "Publish the UDS package" @@ -52,3 +56,12 @@ tasks: uds zarf tools registry copy ${pkgPath}:${VERSION} ${pkgPath}:latest pkgPath="${TARGET_REPO}/bundles/k3d-core-slim-dev" uds zarf tools registry copy ${pkgPath}:${VERSION} ${pkgPath}:latest + + - name: single-layer + description: "Test and Publish UDS Core layer" + actions: + - task: test:layer-dependencies + - task: test:single-layer + - task: utils:determine-repo + - description: "Publish build of layer" + cmd: uds zarf package publish build/zarf-package-core-${LAYER}-${UDS_ARCH}-${VERSION}.tar.zst oci://${TARGET_REPO} diff --git a/tasks/test.yaml b/tasks/test.yaml index 185408e5a..ec52fb248 100644 --- a/tasks/test.yaml +++ b/tasks/test.yaml 
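Review bot: `single-layer` publishes `build/zarf-package-core-${LAYER}-...` to `oci://${TARGET_REPO}` but, unlike `standard-package` above it, does not retag `latest` and does not pass a signing key; if the standard package is published signed (not visible in this hunk), the layer artifacts should be too, since consumers will pin to these tags and the base layer carries the operator. The new `setup: setup.yaml` include is not referenced by any task in this file and `test.yaml` already includes it; drop it or use it. The task has no description of `LAYER`, so `uds run -f tasks/publish.yaml single-layer` without `--set LAYER=` fails inside `test:layer-dependencies` at the yq path rather than with a clear message; `description: "Test and publish one core layer; requires --set LAYER=<base|identity-authorization>"` would do.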
@@ -3,17 +3,40 @@ includes: - setup: ./setup.yaml - deploy: ./deploy.yaml - compliance: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.13.1/tasks/compliance.yaml + - base-layer: ../packages/base/tasks.yaml tasks: - - name: single-package - description: "Build and test a single package, must set UDS_PKG environment variable" + - name: base + description: "Build and test the base layer" actions: - - task: create:single-package + - task: create:pepr-build - task: setup:k3d-test-cluster - - task: deploy:single-package + - cmd: uds run -f tasks/test.yaml single-layer --set FLAVOR=${FLAVOR} --set=layer=base + - name: single-layer + description: "Build and test a single layer, must set UDS_LAYER environment variable" + actions: + - task: create:single-layer + with: + layer: ${LAYER} + - task: deploy:single-layer + with: + layer: ${LAYER} - description: "Validate the package" - cmd: uds run -f src/${UDS_PKG}/tasks.yaml validate --no-progress + cmd: uds run -f packages/${LAYER}/tasks.yaml validate --no-progress + + - name: layer-dependencies + description: "Sets up a k3d cluster and deploys dependencies for the given layer" + actions: + - task: setup:k3d-test-cluster + - cmd: uds zarf tools yq '.metadata.x-uds-dependencies.[]' packages/${LAYER}/zarf.yaml 2>/dev/null + mute: true + setVariables: + - name: LAYER_DEPS + - cmd: | + for dep in $LAYER_DEPS; do + uds run -f tasks/test.yaml single-layer --set LAYER=$dep --set FLAVOR=${FLAVOR} --no-progress + done - name: validate-packages description: "Validated all packages"
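Review bot: `layer-dependencies` resolves only the direct entries of `x-uds-dependencies` and runs `single-layer` for each, which does not itself call `layer-dependencies`, so a future layer that depends on `identity-authorization` would get identity deployed without base; either recurse (run `test-single-layer` per dep, with a guard against cycles) or state in the description that the list must be transitive. The `2>/dev/null` on the yq call hides the reason when the file or key is missing; `mute: true` already suppresses stdout, so leave stderr visible. The `base` task passes `--set=layer=base` in lowercase while `single-layer` reads `${LAYER}`; if maru does not upper-case `--set` keys this is a silent no-op, and either way it should match the `--set LAYER=` form used in the loop below. The `single-layer` description still says `must set UDS_LAYER environment variable` though the task reads the `LAYER` variable.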