feat: plugin data injector (#82)

chore: upgrade mattermost to 9.7.1-uds.0-registry1
chore: upgrade uds-core to 0.20.0-registry1
docs: update dependency doc

.gitignore

@@ -2,6 +2,8 @@
 **/*.tfstate.backup
 *.tar.gz
 *.tar.zst
+*.tar
+*.jar
 ~/
 .DS_Store
 defense-unicorns-distro/preflight.sh
@@ -18,6 +20,7 @@ test/tf/public-ec2-instance/.tool-versions
 zarf-sbom
 tmp/
 values-*.yaml
+tmp_deploy/
 
 # Terraform
 test/tf/public-ec2-instance/.test-data

README.md

@@ -136,6 +136,10 @@ uds deploy uds-bundle-software-factory-nutanix-amd64-0.x.x.tar.zst --confirm
 ```
 uds deploy uds-bundle-software-factory-nutanix-amd64-0.x.x.tar.zst --confirm --no-tea
 ```
+## Custom Keycloak Plugin
+The Keycloak installation provided as part of UDS Core loads themes and plugins from an init-container. You can optionally provide custom JARs at deploytime simply by adding them to the directory where you run `uds deploy`. This will result in a custom Zarf package being built locally (to include your custom JAR).
+
+> ANY CUSTOM JAR YOU ADD AT DEPLOY TIME WILL NOT BE INCLUDED IN THE BUNDLE SBOM
 
 ## Additional Notes
 You can reference the uds tasks in this project to learn how to build and deploy.

bundles/uds-core-swf/uds-bundle.yaml

@@ -38,8 +38,19 @@ packages:
 
   - name: core
     repository: ghcr.io/defenseunicorns/packages/uds/core
-    ref: 0.19.0-registry1
+    ref: 0.20.0-registry1
     overrides:
+      kube-prometheus-stack:
+        kube-prometheus-stack:
+          values:
+            - path: kube-state-metrics.resources
+              value:
+                limits:
+                  cpu: 500m
+                  memory: 512Mi
+                requests:
+                  cpu: 20m
+                  memory: 128Mi
       velero:
         velero:
           values:
@@ -113,6 +124,18 @@ packages:
                     ttl: "240h"
       keycloak:
         keycloak:
+          values:
+            # TODO - test/debug
+            # - path: "devMode"
+            #   value: "false"
+            # - path: "autoscaling.enabled"
+            #   value: "true"
+            - path: "persistence.providers.enabled"
+              value: "true"
+            - path: "persistence.accessMode"
+              value: "ReadWriteMany"
+            - path: "persistence.storageClassName"
+              value: "ceph-filesystem"
           variables:
             - name: KEYCLOAK_DB_USERNAME
               description: "keycloak database username"
@@ -215,6 +238,11 @@ packages:
               description: "The TLS key for the tenant gateway (must be base64 encoded)"
               path: tls.key
 
+  # NOTE -- depends on hardcoded PVC name(s) in core.keycloak
+  - name: keycloak-config-wrapper
+    path: ../../build
+    ref: 0.0.1
+
   # Additional manifests needed
   - name: additional-manifests
     path: ../../build
@@ -346,7 +374,7 @@ packages:
   # Mattermost
   - name: mattermost
     repository: ghcr.io/defenseunicorns/packages/uds/mattermost
-    ref: 9.6.1-uds.0-registry1
+    ref: 9.7.1-uds.0-registry1
     overrides:
       mattermost:
         mattermost-enterprise-edition:

docs/packages-and-dependencies.md

@@ -40,14 +40,14 @@ The UDS Software Factory Bundle (SWF) is a collection of Zarf packages which inc
 |----|----|----|----|
 | [Rook Ceph Zarf Init](https://github.com/defenseunicorns/uds-capability-rook-ceph/pkgs/container/uds-capability%2Frook-ceph%2Finit) | v0.33.0-0.2.7 | N/A | A zarf component installed in the cluster for orchestrating further deployment of Zarf based packages |
 | [MetalLB](https://github.com/defenseunicorns/uds-capability-metallb/tree/v0.0.5) | 0.0.5 | v0.13.12 | Tool for providing load balancer capabilities for ingress into a Kubernetes deployment |
-| [uds-core](https://github.com/defenseunicorns/uds-core) | 0.19.0 | N/A | [DESCRIPTION BELOW](#UDS-Core) |
+| [uds-core](https://github.com/defenseunicorns/uds-core) | 0.20.0 | N/A | [DESCRIPTION BELOW](#UDS-Core) |
 | [Redis](https://github.com/defenseunicorns/uds-package-dependencies) | 0.0.1 | 7.0.12 | A key-value store used as a data backend for several applications in the stack |
 | [Gitlab](https://github.com/defenseunicorns/uds-package-gitlab) | 16.10.2-uds.0-registry1 | 16.10.2 | A source control management tool used in the software development lifecycle for storing, updating, building and deploying custom software |
 | [Gitlab Runner](https://github.com/defenseunicorns/uds-package-gitlab-runner) | 16.10.0-uds.0-registry1 | v16.8.0 | A counterpart to Gitlab (above) in which automated software builds, tests and deployments are executed |
 | [Sonarqube](https://github.com/defenseunicorns/uds-package-sonarqube) | 8.0.3-uds.6-registry1 | 9.9.3-community | A code inspection tool used during automated pipelines to evaluate security considerations of custom software and packaged images |
 | [Jira](https://github.com/defenseunicorns/uds-package-jira) | 1.17.2-uds.0-registry1 | 9.12.4 | A collaboration tool used for team management and task organization |
 | [Confluence](https://github.com/defenseunicorns/uds-package-confluence) | 1.18.0-uds.0-registry1 | 8.8.0 | A knowledge management tool used by teams to organize information |
-| [Mattermost](https://github.com/defenseunicorns/uds-package-mattermost) | 9.6.1-uds.0-registry1 | 9.6.1 | An instance of Mattermost, a self-hosted chat and collaboration platform |
+| [Mattermost](https://github.com/defenseunicorns/uds-package-mattermost) | 9.7.1-uds.0-registry1 | 9.7.1 | An instance of Mattermost, a self-hosted chat and collaboration platform |
 | [Nexus](https://github.com/defenseunicorns/uds-package-nexus) | 3.66.0-uds.1-registry1 | 3.66.0-02 | An artifact repository used for storing compiled application libraries, packages, images and other such artifacts |
 
 ## UDS Core
@@ -58,11 +58,11 @@ The UDS Software Factory Bundle (SWF) is a collection of Zarf packages which inc
 | [Istio](https://istio.io/latest/) | 1.20.3 | A package detailing the configuration of the deployed service mesh -- used by the operator to apply the desired state in the cluster |
 | [Loki](https://grafana.com/oss/loki/) | 2.9.6 | A Grafana product for aggregating and querying log data |
 | [Promtail](https://grafana.com/docs/loki/latest/send-data/promtail/) | 2.9.6 | A logging daemon installed on each cluster node to capture logs from the host and all cluster workload processes. Logs are shipped to Loki |
-| [Prometheus](https://prometheus.io/) | 2.51.0 | A product for storing and querying time series based data such as system performance metrics (CPU/MEM usage) |
-| [Grafana](https://github.com/grafana/grafana) | 10.4.1 | A Grafana product to provide a frontend interface to display and query performance information from Prometheus, log data from Loki, and request tracing information from Tempo |
-| [Neuvector](https://www.suse.com/neuvector/) | 5.3.0 | A kubernetes security suite that provides CVE scanning for hosts and images, as well as runtime security monitoring and protection |
+| [Prometheus](https://prometheus.io/) | 2.51.2 | A product for storing and querying time series based data such as system performance metrics (CPU/MEM usage) |
+| [Grafana](https://github.com/grafana/grafana) | 10.4.2 | A Grafana product to provide a frontend interface to display and query performance information from Prometheus, log data from Loki, and request tracing information from Tempo |
+| [Neuvector](https://www.suse.com/neuvector/) | 5.3.2 | A kubernetes security suite that provides CVE scanning for hosts and images, as well as runtime security monitoring and protection |
 | [Velero](https://repo1.dso.mil/big-bang/product/packages/velero) | 1.13.1 | A tool for orchistrating backups of cluster state and storage |
 | [Authservice](https://github.com/istio-ecosystem/authservice) | 0.5.3 | A tool for simplifying and automating auth workflows via Istio integration |
 | [Metrics Server](https://github.com/kubernetes-sigs/metrics-server) | 0.7.1 | A container metrics aggregation and exporter for kubernetes |
-| [Pepr](https://pepr.dev/) | 0.29.0 | Declarative automation for managing deployments and security policy enorcement |
-| [Keycloak](https://github.com/defenseunicorns/uds-core) | 23.0.4 | An identity and access management (IDAM) tool used to authenticate users for access to applications |
+| [Pepr](https://pepr.dev/) | 0.29.2 | Declarative automation for managing deployments and security policy enorcement |
+| [Keycloak](https://github.com/defenseunicorns/uds-core) | 24.0.2 | An identity and access management (IDAM) tool used to authenticate users for access to applications |

packages/keycloak-config-wrapper/init-job.yaml

@@ -0,0 +1,52 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: identity-config-loader
+  namespace: keycloak
+spec:
+  template:
+    metadata:
+      labels:
+        app: data-loader
+    spec:
+      securityContext:
+        fsGroup: 2000
+      containers:
+        - name: uds-config-sync
+          # renovate: datasource=github-tags depName=defenseunicorns/uds-identity-config versioning=semver 
+          image: ghcr.io/defenseunicorns/uds/identity-config:0.4.1
+          command: 
+            [
+              "sh",
+              "-c",
+              # This command looks for the Zarf "data injection marker" which is a timestamped file that is injected after everything else and marks the injection as complete.
+              'while [ ! -f /home/nonroot/###ZARF_DATA_INJECTION_MARKER### ]; do echo "waiting for zarf data sync" && sleep 1; done; echo "we are done waiting!"; /home/nonroot/sync.sh',
+            ]
+          securityContext:
+            runAsUser: 65532
+            runAsGroup: 65532
+          resources:
+            requests:
+              cpu: "100m"
+              memory: "128Mi"
+          volumeMounts:
+            - name: providers
+              mountPath: /opt/keycloak/providers
+            - name: data
+              mountPath: /opt/keycloak/data
+            - name: themes
+              mountPath: /opt/keycloak/themes
+            - name: conf
+              mountPath: /opt/keycloak/conf
+      restartPolicy: Never
+      volumes:
+        - name: providers
+          persistentVolumeClaim: 
+            claimName: keycloak-providers
+        # jars are only copied into providers -- the rest won't matter, but are needed for file permissions in the sync script
+        - name: conf
+          emptyDir: {}
+        - name: data
+          emptyDir: {}
+        - name: themes
+          emptyDir: {}

packages/keycloak-config-wrapper/zarf.yaml

@@ -0,0 +1,54 @@
+kind: ZarfPackageConfig
+metadata:
+  name: keycloak-config-wrapper
+  version: "0.0.1"
+
+components:
+  - name: keycloak-config-wrapper
+    required: true
+    description: Loads jar files at deploy time into a new zarf package
+    only:
+      cluster:
+        architecture: amd64
+    files:
+      # Transfer the files for zarf to use at deploytime
+      - source: init-job.yaml
+        target: tmp_deploy/init-job.yaml
+      - source: zarfception.yaml
+        target: tmp_deploy/zarf.yaml
+    actions:
+      onDeploy:
+        before:
+          # cleanup output from previous attempts
+          - cmd: |
+              rm -rf tmp_deploy
+              mkdir tmp_deploy
+          
+          # Check deploy system arch
+          - cmd: if [ "$(uname -m)" != "x86_64" ]; then echo "this package architecture is amd64, but the target system has a different architecture. These architectures must be the same" && exit 1; fi
+            description: Check that the host architecture matches the package architecture
+            maxRetries: 0
+        after:
+          # check for jar files (CAN EXIT EARLY)
+          - cmd: |
+              COUNT=`ls -1 *.jar 2>/dev/null | wc -l`
+              if [ $COUNT = 0 ]; then 
+                echo "No local JAR files detected -- SKIPPING CUSTOM PLUGIN LOAD"
+                exit 0
+              fi 
+
+              # move to workdir
+              cp *.jar tmp_deploy/
+              cd tmp_deploy
+
+              # build the zarf wrapper wrapper (yo dawg... 'zarfception.yaml') -- collect the local files
+              ./zarf package create . --confirm
+
+              # deploy the zarf wrapper
+              ./zarf package deploy zarf-package*.tar.zst --confirm 
+        
+        # CLEANUP attempted deploys
+        onSuccess:
+          - cmd: rm -rf tmp_deploy
+        onFailure:
+          - cmd: rm -rf tmp_deploy

packages/keycloak-config-wrapper/zarfception.yaml

@@ -0,0 +1,54 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/defenseunicorns/zarf/main/zarf.schema.json
+kind: ZarfPackageConfig
+metadata:
+  name: keycloak-config-wrapper
+  version: "0.0.1"
+
+components:
+  - name: keycloak-config-wrapper
+    required: true
+    description: Loads a local jar file into the cluster via zarf data injection.
+    only:
+      cluster:
+        architecture: amd64
+    manifests:
+      #create a job from the pre-existing init image
+      - name: data-loader
+        namespace: keycloak
+        files: 
+          - init-job.yaml
+    dataInjections:
+      - source: .
+        target:
+          namespace: keycloak
+          selector: app=data-loader
+          container: uds-config-sync
+          path: /home/nonroot
+        compress: false
+    actions:
+      onDeploy:
+        before:
+          # cleanup previous attempts
+          - cmd: |
+              ./zarf tools kubectl delete job -n keycloak identity-config-loader 2>/dev/null || true
+          
+          # Check deploy system arch
+          - cmd: if [ "$(uname -m)" != "x86_64" ]; then echo "this package architecture is amd64, but the target system has a different architecture. These architectures must be the same" && exit 1; fi
+            description: Check that the host architecture matches the package architecture
+            maxRetries: 0
+
+          # check if any jars exist
+          - cmd: |
+              COUNT=`ls -1 *.jar 2>/dev/null | wc -l`
+              if [ $COUNT = 0 ]; then 
+                echo "No local JAR files detected -- SKIPPING CUSTOM PLUGIN LOAD"
+                exit 0
+              fi
+
+        after:
+          # wait for the job to finish
+          - cmd: ./zarf tools wait-for job -n keycloak identity-config-loader '{.status.succeeded}'=1
+
+        onSuccess:
+          # bounce keycloak statefulset
+          - cmd: ./zarf tools kubectl rollout restart statefulset -n keycloak keycloak

tasks.yaml

@@ -10,6 +10,7 @@ tasks:
       - task: create:build-dir
       - task: create:database-manifest-packages
       - task: create:gitlab-redis-secret-package
+      - task: create:keycloak-config-wrapper-package
       - task: create:namespaces-package
       - task: create:object-store-packages
       - task: create:additional-manifests-package

tasks/create.yaml

@@ -31,6 +31,11 @@ tasks:
     actions:
       - cmd: ./uds zarf package create ./packages/gitlab-redis --confirm --no-progress --architecture=${ARCH} --skip-sbom --output ./build
 
+  - name: keycloak-config-wrapper-package
+    description: Create the keycloak configurations shim loader
+    actions:
+      - cmd: ./uds zarf package create ./packages/keycloak-config-wrapper --confirm --no-progress --architecture=${ARCH} --skip-sbom --output ./build      
+
   - name: namespaces-package
     description: Create the namespaces package
     actions: