From 7ab7ec8062538f2eaf5131affe65e7dd6efa7b8c Mon Sep 17 00:00:00 2001 From: Palassis <40472433+MxNxPx@users.noreply.github.com> Date: Thu, 24 Oct 2024 11:56:29 -0400 Subject: [PATCH] feat: remove eks-d & eks-a (#231) * feat: remove eks-d & eks-a * ci: update tasks usage for EXTRA_ARGS * chore: return original task name * chore: add clean task description * chore: udpate default extra_args value --- .github/workflows/publish-bundle-eksd.yaml | 62 -- .github/workflows/publish-bundle-rke2.yaml | 2 +- .github/workflows/tag-and-release.yaml | 10 +- README.md | 6 +- bundles/eksd/uds-bundle.yaml | 776 ------------------ docs/packages-and-dependencies.md | 1 - .../eks-mgmt-exemptions.yaml | 54 -- packages/additional-manifests/zarf.yaml | 1 - release-please-config.json | 1 - tasks.yaml | 46 +- tasks/create.yaml | 27 +- tasks/deploy.yaml | 4 +- 12 files changed, 24 insertions(+), 966 deletions(-) delete mode 100644 .github/workflows/publish-bundle-eksd.yaml delete mode 100644 bundles/eksd/uds-bundle.yaml delete mode 100644 packages/additional-manifests/pepr-policy-exemptions/eks-mgmt-exemptions.yaml diff --git a/.github/workflows/publish-bundle-eksd.yaml b/.github/workflows/publish-bundle-eksd.yaml deleted file mode 100644 index 6c929b89..00000000 --- a/.github/workflows/publish-bundle-eksd.yaml +++ /dev/null 
@@ -1,62 +0,0 @@ -name: Publish Zarf Package - -on: - workflow_call: - -permissions: - contents: read - packages: write - id-token: write - -jobs: - publish-package: - runs-on: ubuntu-latest - steps: - - name: Checkout repository - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4 - with: - token: ${{ secrets.PAT }} - repository: ${{ github.repository }} - ref: ${{ github.ref_name }} - - - name: Environment setup - uses: ./.github/actions/setup - - - name: Login to Registry1 - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3 - with: - registry: registry1.dso.mil - username: ${{ secrets.IRON_BANK_ROBOT_USERNAME }} - password: ${{ secrets.IRON_BANK_ROBOT_PASSWORD }} - - - name: Init zarf cache - uses: actions/cache@3624ceb22c1c5a301c8db4169662070a689d9ea8 # v4 - with: - path: "~/.zarf-cache" - key: zarf-cache - - - name: Free GH runner build space - run: | - df -h - sudo rm -rf /usr/share/dotnet - sudo rm -rf /usr/local/lib/android - sudo rm -rf /opt/ghc - sudo rm -rf /opt/hostedtoolcache/CodeQL - sudo docker image prune --all --force - df -h - - - name: Login to GHCR - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - #### - # Build and publish bundle - #### - - name: Build and publish eksd bundles - run: | - uds run create-bundle-eksd - uds publish build/uds-bundle-software-factory-nutanix-eksd-amd64-*.tar.zst oci://ghcr.io/defenseunicorns/uds-bundle --no-progress - uds run clean diff --git a/.github/workflows/publish-bundle-rke2.yaml b/.github/workflows/publish-bundle-rke2.yaml index 9e0e192c..d5c74c1e 100644 --- a/.github/workflows/publish-bundle-rke2.yaml +++ b/.github/workflows/publish-bundle-rke2.yaml 
@@ -57,6 +57,6 @@ jobs:
 ####
 - name: Build and publish rke2 bundle
 run: |
- uds run create-bundle-rke2
+ uds run create-bundle-rke2 --set EXTRA_ARGS="--no-progress"
 uds publish build/uds-bundle-software-factory-nutanix-rke2-amd64-*.tar.zst oci://ghcr.io/defenseunicorns/uds-bundle --no-progress
 uds run clean
diff --git a/.github/workflows/tag-and-release.yaml b/.github/workflows/tag-and-release.yaml
index bc0686ad..288defb7 100644
--- a/.github/workflows/tag-and-release.yaml
+++ b/.github/workflows/tag-and-release.yaml
@@ -16,19 +16,15 @@ jobs:
 runs-on: ubuntu-latest
 outputs:
 release_created: ${{ steps.release-flag.outputs.release_created }}
+ release_tag: ${{ steps.release-tag.outputs.release_tag }}
 steps:
 - name: Create Release Tag
 id: tag
 uses: googleapis/release-please-action@7987652d64b4581673a76e33ad5e98e3dd56832f # v4.1.3
 - id: release-flag
 run: echo "release_created=${{ steps.tag.outputs.release_created || false }}" >> "$GITHUB_OUTPUT"
-
- # Publish the uds bundle
- publish-uds-bundle-eksd:
- needs: tag-new-version
- if: ${{ needs.tag-new-version.outputs.release_created == 'true'}}
- uses: ./.github/workflows/publish-bundle-eksd.yaml
- secrets: inherit
+ - id: release-tag
+ run: echo "release_tag=${{ steps.tag.outputs.version || false }}" >> "$GITHUB_OUTPUT"
 # Publish the uds bundle
 publish-uds-bundle-rke2:
diff --git a/README.md b/README.md
index b938110a..a175c302 100644
--- a/README.md
+++ b/README.md
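Review bot: Passing `--set EXTRA_ARGS="--no-progress"` replaces the task's default `--skip-sbom=true` rather than adding to it, so the dependency packages built by this CI step now include SBOM generation that the previously hardcoded `--skip-sbom` switched off — a longer build and a different artifact, which may be intended but is not stated anywhere in the step. If SBOMs are wanted in the published bundle, a one-line comment above the `run:` recording that would save the next reader the same investigation; if not, the override would need both flags, e.g. `--set EXTRA_ARGS="--no-progress --skip-sbom=true"`, which only works once tasks/create.yaml stops quoting `${EXTRA_ARGS}` as a single shell word. The `uds publish` line still passes `--no-progress` directly, so only the package builds are affected by the override.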
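Review bot: The new `release_tag` output falls back to the literal string `false` when release-please did not cut a release, so any downstream job that reads it without first checking `release_created` would splice `false` into a tag or OCI reference; an empty fallback, `run: echo "release_tag=${{ steps.tag.outputs.version || '' }}" >> "$GITHUB_OUTPUT"`, fails more visibly and leaves the existing `release_created == 'true'` gate as the single thing consumers key on. The value also comes from `steps.tag.outputs.version`, which is the bare semver, whereas the git tag name is exposed by release-please as `tag_name`; either rename the output to `release_version` or switch to `tag_name` so the name and the value agree. As a point of style, the `${{ }}` expansion is spliced straight into the shell line; passing it through an `env:` entry and echoing `"$RELEASE_TAG"` keeps expression text out of the shell entirely, which is the pattern GitHub recommends even for low-risk values such as this one. The `tag-new-version` job header is above the hunk and the `publish-uds-bundle-rke2` job that consumes these outputs continues below it.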
@@ -123,18 +123,18 @@ For demonstration purposes, you can setup a local configfile as follows: ### Deployment Select a target version number and gather the OCI image reference [from the packages page](https://github.com/orgs/defenseunicorns/packages?repo_name=uds-bundle-software-factory-nutanix). With the above prerequisites and configuration complete, you can deploy the bundle directly via OCI: ``` -uds deploy oci://ghcr.io/defenseunicorns/uds-bundle/software-factory-nutanix-eksd:0.x.x --architecure amd64 --confirm +uds deploy oci://ghcr.io/defenseunicorns/uds-bundle/software-factory-nutanix-rke2:0.x.x --architecure amd64 --confirm ``` ### (OPTIONAL) Local Deployment Reference Situationally, it may be useful to download the deployment artifact so that it may be referenced offline. This can be accomplished by first downloading the target release: ``` -uds pull oci://ghcr.io/defenseunicorns/uds-bundle/software-factory-nutanix-eksd:0.x.x --architecture amd64 +uds pull oci://ghcr.io/defenseunicorns/uds-bundle/software-factory-nutanix-rke2:0.x.x --architecture amd64 ``` And subsequently deploying from the local file: ``` -uds deploy uds-bundle-software-factory-nutanix-eksd-amd64-0.x.x.tar.zst --confirm +uds deploy uds-bundle-software-factory-nutanix-rke2-amd64-0.x.x.tar.zst --confirm ``` ## Custom Keycloak Plugin The Keycloak installation provided as part of UDS Core loads themes and plugins from an init-container. You can optionally provide custom JARs at deploytime simply by adding them to the directory where you run `uds deploy`. This will result in a custom Zarf package being built locally (to include your custom JAR). diff --git a/bundles/eksd/uds-bundle.yaml b/bundles/eksd/uds-bundle.yaml deleted file mode 100644 index c2dfffec..00000000 --- a/bundles/eksd/uds-bundle.yaml +++ /dev/null 
@@ -1,776 +0,0 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/defenseunicorns/uds-cli/v0.17.0/uds.schema.json -kind: UDSBundle -metadata: - name: software-factory-nutanix-eksd - description: A UDS bundle for deploying a software factory to an RKE2 cluster - # x-release-please-start-version - version: "0.4.2" - # x-release-please-end - architecture: amd64 - -x-extra-volume-mounts: &extra-volume-mounts - - name: trust-bundle - mountPath: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem - subPath: "ca-bundle.crt" - readOnly: true - - name: trust-bundle - mountPath: /etc/pki/ca-trust/extracted/java/cacerts - subPath: "ca-bundle.jks" - readOnly: true - -x-extra-volumes: &extra-volumes - - name: trust-bundle - configMap: - name: trust-bundle - defaultMode: 0644 - -x-gitlab-init-security-context: &gitlab-init-security-context - privileged: true - readOnlyRootFilesystem: false - runAsUser: 0 - -packages: - # Zarf init - - name: init - repository: ghcr.io/zarf-dev/packages/init - ref: v0.39.0 - overrides: - zarf-seed-registry: - docker-registry: - variables: - - name: REGISTRY_CA_BUNDLE - path: caBundle - default: "" - zarf-registry: - docker-registry: - variables: - - name: REGISTRY_CA_BUNDLE - path: caBundle - default: "" - - name: REGISTRY_REPLICA_COUNT - path: replicaCount - default: 3 - - - name: nutanix-csi - path: ../../build - ref: 3.0.0 - optionalComponents: - - nutanix-csi-snapshot - overrides: - nutanix-csi-storage: - nutanix-csi-storage: - variables: - - name: CSI_NODE_TOLERATIONS - description: "Tolerations to apply to the CSI node pods." 
- path: node.tolerations - default: - - effect: NoSchedule - key: dedicated-gitaly-node - operator: Exists - - - name: cert-manager - path: ../../build - ref: 0.0.1 - - - name: trust-manager - path: ../../build - ref: 0.0.1 - - - name: trust-bundles - path: ../../build - ref: 0.0.1 - - # MetalLB - - name: metallb - repository: ghcr.io/defenseunicorns/packages/metallb - ref: 0.0.5-amd64 - - - name: core - repository: ghcr.io/defenseunicorns/packages/uds/core - ref: 0.29.0-registry1 - optionalComponents: - - metrics-server - overrides: - grafana: - grafana: - values: - - path: extraVolumes - value: *extra-volumes - - path: extraVolumeMounts - value: *extra-volume-mounts - variables: - - name: GRAFANA_RESOURCE_CONFIG - path: resources - default: - requests: - cpu: 500m - memory: 512Mi - limits: - cpu: 2 - memory: 2Gi - kube-prometheus-stack: - kube-prometheus-stack: - variables: - - name: PROMETHEUS_RESOURCE_CONFIG - path: prometheus.prometheusSpec.resources - default: - requests: - cpu: 1 - memory: 2Gi - limits: - cpu: 4 - memory: 8Gi - values: - - path: kube-state-metrics.resources - value: - requests: - cpu: 20m - memory: 128Mi - limits: - cpu: 500m - memory: 512Mi - velero: - velero: - variables: - - name: VELERO_RESOURCE_CONFIG - path: resources - description: "Velero Resource Config" - default: - requests: - cpu: 500m - memory: 128Mi - limits: - cpu: 1 - memory: 2Gi - values: - - path: configuration.features - value: EnableCSI - - path: snapshotsEnabled - value: true - - path: configuration.volumeSnapshotLocation - value: - - name: default - provider: aws - config: - region: "us-east-1" - credential: - name: "velero-bucket-credentials" - key: "cloud" - - path: schedules - value: - uds-jira-backup: - disabled: false - schedule: "0 3 * * *" - useOwnerReferencesInBackup: false - template: - csiSnapshotTimeout: 0s - includeClusterResources: true - snapshotVolumes: true - includedNamespaces: - - jira - ttl: "240h" - uds-confluence-backup: - disabled: false - 
schedule: "0 3 * * *" - useOwnerReferencesInBackup: false - template: - csiSnapshotTimeout: 0s - includeClusterResources: true - snapshotVolumes: true - includedNamespaces: - - confluence - ttl: "240h" - uds-mattermost-backup: - disabled: false - schedule: "0 3 * * *" - useOwnerReferencesInBackup: false - template: - csiSnapshotTimeout: 0s - includeClusterResources: true - snapshotVolumes: true - includedNamespaces: - - mattermost - ttl: "240h" - uds-nexus-backup: - disabled: false - schedule: "0 3 * * *" - useOwnerReferencesInBackup: false - template: - csiSnapshotTimeout: 0s - includeClusterResources: true - snapshotVolumes: true - includedNamespaces: - - nexus - ttl: "240h" - uds-gitlab-backup: - disabled: false - schedule: "0 3 * * *" - useOwnerReferencesInBackup: false - template: - csiSnapshotTimeout: 0s - includeClusterResources: true - snapshotVolumes: true - includedNamespaces: - - gitlab - ttl: "240h" - - path: extraVolumes - value: *extra-volumes - - path: extraVolumeMounts - value: *extra-volume-mounts - keycloak: - keycloak: - values: - - path: "devMode" - value: "false" - - path: "autoscaling.enabled" - value: "false" - - path: "persistence.providers.enabled" - value: "true" - - path: "persistence.accessMode" - value: "ReadWriteMany" - - path: "persistence.storageClassName" - value: "nutanix-dynamicfile" - variables: - - name: KEYCLOAK_DB_USERNAME - description: "keycloak database username" - path: postgresql.username - default: "postgres" - - name: KEYCLOAK_DB_PASSWORD - description: "keycloak database password" - path: postgresql.password - default: "replace-me" - - name: KEYCLOAK_DB_NAME - description: "keycloak database name" - path: postgresql.database - default: "keycloakdb" - - name: KEYCLOAK_DB_ENDPOINT - description: "keycloak database name" - path: postgresql.host - default: "postgresql" - - name: KEYCLOAK_INSECURE_ADMIN_PASSWORD_GENERATION - description: "Generate an insecure admin password for dev/test" - path: 
insecureAdminPasswordGeneration.enabled - - name: KEYCLOAK_RESOURCE_CONFIG - description: "Keycloak Resource Config" - path: resources - default: - requests: - cpu: 400m - memory: 512Mi - limits: - cpu: "1" - memory: 2Gi - loki: - loki: - values: - - path: backend.extraVolumes - value: *extra-volumes - - path: backend.extraVolumeMounts - value: *extra-volume-mounts - - path: gateway.extraVolumes - value: *extra-volumes - - path: gateway.extraVolumeMounts - value: *extra-volume-mounts - - path: write.extraVolumes - value: *extra-volumes - - path: write.extraVolumeMounts - value: *extra-volume-mounts - - path: read.extraVolumes - value: *extra-volumes - - path: read.extraVolumeMounts - value: *extra-volume-mounts - variables: - - name: LOKI_CHUNKS_BUCKET - description: "The object storage bucket for Loki chunks" - path: loki.storage.bucketNames.chunks - default: "loki-chunks-bucket" - - name: LOKI_RULER_BUCKET - description: "The object storage bucket for Loki ruler" - path: loki.storage.bucketNames.ruler - default: "loki-ruler-bucket" - - name: LOKI_ADMIN_BUCKET - description: "The object storage bucket for Loki admin" - path: loki.storage.bucketNames.admin - default: "loki-admin-bucket" - - name: LOKI_S3_ENDPOINT - description: "The S3 endpoint" - path: loki.storage.s3.endpoint - - name: LOKI_S3_REGION - description: "The S3 region" - path: loki.storage.s3.region - - name: LOKI_S3_ACCESS_KEY_ID - description: "The S3 Access Key ID" - path: loki.storage.s3.accessKeyId - - name: LOKI_S3_SECRET_ACCESS_KEY - path: loki.storage.s3.secretAccessKey - description: "The S3 Secret Access Key" - - name: LOKI_WRITE_REPLICAS - path: write.replicas - description: "Loki write replicas" - default: "1" - - name: LOKI_READ_REPLICAS - path: read.replicas - description: "Loki read replicas" - default: "1" - - name: LOKI_BACKEND_REPLICAS - path: backend.replicas - description: "Loki backend replicas" - default: "1" - - name: LOKI_WRITE_PERSISTENCE_SIZE - path: write.persistence.size - 
description: "Loki write persistence size" - default: 128Gi - - name: LOKI_BACKEND_PERSISTENCE_SIZE - path: backend.persistence.size - description: "Loki backend persistence size" - default: 128Gi - istio-admin-gateway: - uds-istio-config: - variables: - - name: ADMIN_TLS_CERT - description: "The TLS cert for the admin gateway (must be base64 encoded)" - path: tls.cert - - name: ADMIN_TLS_KEY - description: "The TLS key for the admin gateway (must be base64 encoded)" - path: tls.key - istio-tenant-gateway: - gateway: - values: - - path: "service.ports" - value: - - name: status-port - port: 15021 - protocol: TCP - targetPort: 15021 - - name: http2 - port: 80 - protocol: TCP - targetPort: 80 - - name: https - port: 443 - protocol: TCP - targetPort: 443 - - name: tcp-ssh - port: 22 - protocol: TCP - targetPort: 2222 - uds-istio-config: - variables: - - name: TENANT_TLS_CERT - description: "The TLS cert for the tenant gateway (must be base64 encoded)" - path: tls.cert - - name: TENANT_TLS_KEY - description: "The TLS key for the tenant gateway (must be base64 encoded)" - path: tls.key - - name: TENANT_HOST_LIST - path: tls.servers.tenant.hosts # The tenant subpath is in the override here: https://github.com/defenseunicorns/uds-core/blob/main/src/istio/values/config-tenant.yaml#L11 - default: - - "*" - - "*.nexus" # To add the multiple nexus sub-domain registries to the tenant gateway. Do not attempt *.*.nexus, Nexus only supports first-level subdomain routing. 
- vector: - vector: - variables: - - name: VECTOR_RESOURCE_CONFIG - description: "Vector Resource Config" - path: resources - default: - requests: - cpu: 100m - memory: 256Mi - limits: - cpu: 1 - memory: 2Gi - - # NOTE -- depends on hardcoded PVC name(s) in core.keycloak - - name: keycloak-config-wrapper - path: ../../build - ref: 0.0.2 - - # Additional manifests needed - - name: additional-manifests - path: ../../build - ref: 0.0.2 - - # Gitlab - - name: gitlab-valkey - repository: ghcr.io/defenseunicorns/packages/uds/valkey - ref: 7.2.6-uds.0-upstream - overrides: - valkey: - uds-valkey-config: - values: - - path: custom - value: - - direction: Ingress - selector: - app.kubernetes.io/name: valkey - remoteNamespace: gitlab - port: 6379 - description: "Ingress from GitLab" - - path: copyPassword - value: - enabled: true - namespace: gitlab - secretName: gitlab-redis - secretKey: password - - - name: gitlab-object-store - path: ../../build - ref: 0.0.1 - - - name: gitlab-database-secret - path: ../../build - ref: 0.0.1 - - - name: gitlab - repository: ghcr.io/defenseunicorns/packages/uds/gitlab - ref: 17.2.9-uds.0-registry1 - overrides: - gitlab: - uds-gitlab-config: - values: - - path: storage.internal - value: false - - path: postgres.internal - value: false - - path: redis - value: - internal: true - selector: - app.kubernetes.io/name: valkey - namespace: valkey - port: 6379 - - path: ssh.enabled - value: true - uds-gitlab-settings: - values: - - path: settingsJob.application.enabled_git_access_protocol - value: all - gitlab: - values: - - path: global.certificates.customCAs - value: - - configMap: trust-bundle - keys: - - ca-bundle.crt - - path: gitlab.webservice.init.containerSecurityContext - value: *gitlab-init-security-context - - path: gitlab.toolbox.init.containerSecurityContext - value: *gitlab-init-security-context - - path: gitlab.sidekiq.init.containerSecurityContext - value: *gitlab-init-security-context - - path: 
gitlab.gitlab-pages.init.containerSecurityContext - value: *gitlab-init-security-context - - path: gitlab.gitlab-exporter.init.containerSecurityContext - value: *gitlab-init-security-context - - path: gitlab.gitaly.init.containerSecurityContext - value: *gitlab-init-security-context - - path: global.redis.host - value: "valkey-master.valkey.svc.cluster.local" - - path: gitlab.gitlab-shell.enabled - value: true - - variables: - - name: MIGRATIONS_RESOURCES - description: "Gitlab Migrations Resources" - path: "gitlab.migrations.resources" - - name: WEBSERVICE_REPLICAS - description: "Gitlab Webservice Min Replicas" - path: "gitlab.webservice.minReplicas" - - name: WEBSERVICE_WORKERS - description: "Gitlab Webservice Worker Count" - path: "gitlab.webservice.workerProcesses" - - name: WEBSERVICE_HPA - description: "Gitlab Webservice HPA settings" - path: "gitlab.webservice.hpa" - - name: WEBSERVICE_RESOURCES - description: "Gitlab Webservice Resources" - path: "gitlab.webservice.resources" - - name: WORKHORSE_RESOURCES - description: "Gitlab Workhorse Resources" - path: "gitlab.webservice.workhorse.resources" - - name: SIDEKIQ_REPLICAS - description: "Gitlab Sidekiq Min Replicas" - path: "gitlab.sidekiq.minReplicas" - - name: SIDEKIQ_HPA - description: "Gitlab Sidekiq HPA settings" - path: "gitlab.sidekiq.hpa" - - name: SIDEKIQ_RESOURCES - description: "Gitlab Sidekiq Resources" - path: "gitlab.sidekiq.resources" - - name: GITALY_RESOURCES - description: "Gitlab Gitaly Resources" - path: "gitlab.gitaly.resources" - - name: REGISTRY_REPLICAS - description: "Gitlab Registry Min Replicas" - path: "registry.hpa.minReplicas" - - name: SHELL_REPLICAS - description: "Gitlab Shell Min Replicas" - path: "gitlab.gitlab-shell.minReplicas" - - name: TOLERATIONS - description: "Tolerations to allow gitaly to schedule on tainted nodes." 
- path: gitlab.gitaly.tolerations - default: - - effect: NoSchedule - key: dedicated-gitaly-node - operator: Exists - - name: AFFINITY - description: "Affinity settings to prefer scheduling on dedicated gitaly nodes and avoid nodes already running gitaly." - path: gitlab.gitaly.affinity - default: - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - weight: 100 - podAffinityTerm: - labelSelector: - matchExpressions: - - key: app - operator: In - values: - - gitaly - topologyKey: kubernetes.io/hostname - nodeAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - weight: 1 - preference: - matchExpressions: - - key: dedicated - operator: In - values: - - gitaly-node - - # Gitlab Runner - - name: gitlab-runner - repository: ghcr.io/defenseunicorns/packages/uds/gitlab-runner - ref: 17.1.0-uds.1-registry1 - overrides: - gitlab-runner: - gitlab-runner: - values: - - path: volumes - value: *extra-volumes - - path: volumeMounts - value: *extra-volume-mounts - - - name: sonarqube - repository: ghcr.io/defenseunicorns/packages/uds/sonarqube - ref: 10.7.0-uds.0-registry1 - overrides: - sonarqube: - uds-sonarqube-config: - values: - - path: postgres.internal - value: false - - path: postgres.password - value: "###ZARF_VAR_SONARQUBE_DB_PASSWORD###" - - path: "jdbcOverwrite.jdbcUsername" - value: "###ZARF_VAR_SONARQUBE_DB_USERNAME###" - sonarqube: - values: - - path: extraVolumes - value: *extra-volumes - - path: extraVolumeMounts - value: *extra-volume-mounts - - - name: jira - repository: ghcr.io/defenseunicorns/packages/uds/jira - ref: 1.22.0-uds.0-registry1 - overrides: - jira: - uds-jira-config: - values: - - path: postgres.internal - value: false - - path: postgres.username - value: "###ZARF_VAR_JIRA_DB_USERNAME###" - - path: postgres.password - value: "###ZARF_VAR_JIRA_DB_PASSWORD###" - jira: - values: - - path: volumes.additional - value: *extra-volumes - - path: jira.additionalVolumeMounts - value: *extra-volume-mounts - variables: - - 
name: JIRA_LOCAL_HOME_ENABLED - path: "volumes.localHome.persistentVolumeClaim.create" - description: "Local Home Toggle" - default: "true" - - name: JIRA_RWO_STORAGE_CLASS - path: "volumes.localHome.persistentVolumeClaim.storageClassName" - description: "RWO storage class name" - - name: JIRA_LOCAL_HOME_SIZE - path: "volumes.localHome.persistentVolumeClaim.resources.requests.storage" - description: "Storage size" - default: "128Gi" - # 1-2k users - - name: JIRA_RESOURCE_CONFIG - path: "jira.resources" - default: - container: - requests: - cpu: "100m" - memory: "2Gi" - limits: - cpu: "8" - memory: "16Gi" - jvm: - maxHeap: "6g" - - - name: confluence - repository: ghcr.io/defenseunicorns/packages/uds/confluence - ref: 1.20.0-uds.4-registry1 - overrides: - confluence: - uds-confluence-config: - values: - - path: postgres.internal - value: false - - path: postgres.username - value: "###ZARF_VAR_CONFLUENCE_DB_USERNAME###" - - path: postgres.password - value: "###ZARF_VAR_CONFLUENCE_DB_PASSWORD###" - confluence: - values: - - path: additionalFiles - value: - - name: trust-bundle - mountPath: /var/ssl - key: "ca-bundle.jks" - type: configMap - variables: - - name: CONFLUENCE_LOCAL_HOME_ENABLED - path: "volumes.localHome.persistentVolumeClaim.create" - description: "Local Home Toggle" - default: "true" - - name: CONFLUENCE_RWO_STORAGE_CLASS - path: "volumes.localHome.persistentVolumeClaim.storageClassName" - description: "RWO storage class name" - - name: CONFLUENCE_LOCAL_HOME_SIZE - path: "volumes.localHome.persistentVolumeClaim.resources.requests.storage" - description: "Storage size" - default: "128Gi" - - name: CONFLUENCE_RESOURCE_CONFIG - path: "confluence.resources" - default: - container: - requests: - cpu: "2" - memory: "2Gi" - limits: - cpu: "4" - memory: "8Gi" - jvm: - maxHeap: "6g" - - # Mattermost - - name: mattermost - repository: ghcr.io/defenseunicorns/packages/uds/mattermost - ref: 10.0.0-uds.1-registry1 - overrides: - mattermost: - 
mattermost-enterprise-edition: - values: - - path: mattermostApp.extraVolumes - value: *extra-volumes - - path: mattermostApp.extraVolumeMounts - value: - - name: trust-bundle - mountPath: /etc/ssl/certs/ca.crt - subPath: "ca-bundle.crt" - readOnly: true - uds-mattermost-config: - values: - - path: postgres.internal - value: false - variables: - - name: OBJECT_STORE_SECURE - path: "objectStorage.secure" - description: "Object storage ssl" - default: "false" - - name: OBJECT_STORE_ENDPOINT - path: "objectStorage.endpoint" - description: "Object storage endpoint" - - name: OBJECT_STORE_BUCKET - path: "objectStorage.bucket" - description: "Object storage bucket" - default: "mattermost-bucket" - - name: OBJECT_STORE_REGION - path: "objectStorage.region" - description: "Object storage region" - default: "us-east-1" - - name: DB_ENDPOINT - path: "postgres.host" - description: "Postgres DB endpoint" - - name: DB_USERNAME - path: "postgres.username" - description: "Postgres DB username" - default: "postgres" - - name: DB_NAME - path: "postgres.dbName" - description: "Postgres DB database name" - default: "mattermostdb" - - name: DB_OPTIONS - path: "postgres.connectionOptions" - description: "Postgres DB connection options" - default: "?connect_timeout=10" - # 1-2k users - - name: MATTERMOST_RESOURCE_CONFIG - path: mattermostApp.resources - description: "Mattermost Resource Config" - default: - requests: - cpu: 100m - memory: 256Mi - limits: - cpu: 2 - memory: 4Gi - - # Nexus - - name: nexus - repository: ghcr.io/defenseunicorns/packages/uds/nexus - ref: 3.72.0-uds.0-registry1 - overrides: - nexus: - nexus: - variables: - # Medium <50 repositories - - name: NEXUS_RESOURCE_CONFIG - path: nexus.resources - default: - requests: - cpu: 2 - memory: 4Gi - limits: - cpu: 8 - memory: 16Gi - - name: STORAGE_SIZE - path: persistence.storageSize - default: 8Gi - values: - - path: sso.realm - value: - - "NexusAuthenticatingRealm" - - "SamlRealm" - - "User-Token-Realm" - - "NuGetApiKey" 
- - path: nexus.docker.enabled - value: true - - path: deployment.additionalVolumes - value: *extra-volumes - - path: deployment.additionalVolumeMounts - value: *extra-volume-mounts - uds-nexus-config: - variables: - - name: NEXUS_SSO_ENABLED - path: "sso.enabled" - values: - - path: additionalNetworkExposures - value: - - service: nexus-repository-manager - description: Expose the subdomain for segmented docker registries. - selector: - app.kubernetes.io/instance: nexus - gateway: tenant - host: "*.nexus" - port: 8081 diff --git a/docs/packages-and-dependencies.md b/docs/packages-and-dependencies.md index 6d2edfd6..b362907f 100644 --- a/docs/packages-and-dependencies.md +++ b/docs/packages-and-dependencies.md @@ -18,7 +18,6 @@ This list covers tools and packages installed in the Operating System of the vir | Package | Version | Description | |----|----|----| | [rke2](https://github.com/rancher/rke2/releases/) | v1.29.6+rke2r1 | A Kubernetes distribution provided by Rancher, focused on security compliance for Government workloads | -| [eks-d](https://github.com/aws/eks-distro/releases/) | v1.29.6-eks-c025470 | A Kubernetes distribution provided by AWS | | [iptables](https://linux.die.net/man/8/iptables) | v1.8.4 | A linux tool for managing local IPv4 packet filtering and NAT routing | | [postgres14](https://download.postgresql.org/pub/repos/yum/reporpms/EL-8-x86_64/pgdg-redhat-repo-latest.noarch.rpm) | 14.10 | Database server required as part of initial setup | | [lvm2](https://gitlab.com/lvmteam/lvm2) | 2.03.14(2)-RHEL8 | Logical volume management tool needed by rook/ceph | diff --git a/packages/additional-manifests/pepr-policy-exemptions/eks-mgmt-exemptions.yaml b/packages/additional-manifests/pepr-policy-exemptions/eks-mgmt-exemptions.yaml deleted file mode 100644 index 7fbbbcd7..00000000 --- a/packages/additional-manifests/pepr-policy-exemptions/eks-mgmt-exemptions.yaml +++ /dev/null 
@@ -1,54 +0,0 @@ -apiVersion: uds.dev/v1alpha1 -kind: Exemption -metadata: - name: eksa-system - namespace: uds-policy-exemptions -spec: - exemptions: - - policies: - - DisallowHostNamespaces - - DisallowPrivileged - - DisallowSELinuxOptions - - DropAllCapabilities - - RequireNonRootUser - - RestrictCapabilities - - RestrictHostPathWrite - - RestrictHostPorts - - RestrictProcMount - - RestrictSeccomp - - RestrictSELinuxType - - RestrictVolumeTypes - matcher: - namespace: eksa-system - name: "^eks*" - kind: pod - title: "eksa exemptions" - description: "eksa requires elevated permissions" ---- - -apiVersion: uds.dev/v1alpha1 -kind: Exemption -metadata: - name: capi-exemptions - namespace: uds-policy-exemptions -spec: - exemptions: - - policies: - - DisallowHostNamespaces - - DisallowPrivileged - - DisallowSELinuxOptions - - DropAllCapabilities - - RequireNonRootUser - - RestrictCapabilities - - RestrictHostPathWrite - - RestrictHostPorts - - RestrictProcMount - - RestrictSeccomp - - RestrictSELinuxType - - RestrictVolumeTypes - matcher: - namespace: "^cap*" - name: "^cap*" - kind: pod - title: "capi exemptions" - description: "capi requires elevated permissions" diff --git a/packages/additional-manifests/zarf.yaml b/packages/additional-manifests/zarf.yaml index f77672bd..1dbc282a 100644 --- a/packages/additional-manifests/zarf.yaml +++ b/packages/additional-manifests/zarf.yaml @@ -27,7 +27,6 @@ components: - pepr-policy-exemptions/nutanix-csi-exemptions.yaml - pepr-policy-exemptions/metallb-exemptions.yaml - pepr-policy-exemptions/gitlab-exemptions.yaml - - pepr-policy-exemptions/eks-mgmt-exemptions.yaml - name: jobs required: true manifests: diff --git a/release-please-config.json b/release-please-config.json index 7280dc31..17aed2f3 100644 --- a/release-please-config.json +++ b/release-please-config.json @@ -11,7 +11,6 @@ ], "versioning": "always-bump-patch", "extra-files": [ - "bundles/eksd/uds-bundle.yaml", "bundles/rke2/uds-bundle.yaml", "tasks/deploy.yaml" ] 
diff --git a/tasks.yaml b/tasks.yaml
index f9dac41f..88dfdd25 100644
--- a/tasks.yaml
+++ b/tasks.yaml
@@ -6,12 +6,6 @@ includes:
 - setup: https://raw.githubusercontent.com/defenseunicorns/uds-common/v1.1.0/tasks/setup.yaml
 tasks:
- - name: dev-eksd
- description: The create-deploy dev loop
- actions:
- - task: create-bundle-eksd
- - task: deploy-dev-eksd
-
 - name: dev-rke2
 description: The create-deploy dev loop
 actions:
@@ -38,17 +32,13 @@ tasks:
 # Create
 ################
 - name: create-bundles
+ description: Create all UDS Bundles
 actions:
 - task: create-bundle-dependencies
- - task: create:eksd-bundle
 - task: create:rke2-bundle
- - name: create-bundle-eksd
- actions:
- - task: create-bundle-dependencies
- - task: create:eksd-bundle
 - name: create-bundle-rke2
+ description: Create the RKE2 UDS Bundle
 actions:
 - task: create-bundle-dependencies
 - task: create:rke2-bundle
@@ -74,13 +64,6 @@ tasks:
 actions:
 - task: deploy:uds-version
- - name: deploy-dev-eksd
- description: Deploy eksd bundle to dev cluster
- actions:
- - task: deploy:deploy-bundle
- with:
- bundle_type: eksd
-
 - name: deploy-dev-rke2
 description: Deploy rke2bundle to dev cluster
 actions:
@@ -88,14 +71,6 @@ tasks:
 with:
 bundle_type: rke2
- - name: deploy-test-eksd
- description: Deploy bundle to test cluster
- actions:
- - task: deploy:deploy-bundle
- with:
- config_dir: ./scratch/configs/test
- bundle_type: eksd
-
 - name: deploy-test-rke2
 description: Deploy bundle to test cluster
 actions:
@@ -116,23 +91,8 @@ tasks:
 with:
 config_dir: ./scratch/configs/test
- - name: deploy-mgmt
- description: Deploy Nexus and dependencies to eks mgmt cluster using locally built bundle
- actions:
- - task: deploy:deploy-bundle
- with:
- config_dir: ./scratch/configs/mgmt
- package_list: "-p init,nutanix-csi,trust-manager,trust-bundles,metallb,core,additional-manifests,nexus"
-
- - name: deploy-mgmt-published
- description: Deploy Nexus and dependencies to eks mgmt cluster using published bundle
- actions:
- - task: deploy:deploy-published
- with:
- config_dir: ./scratch/configs/mgmt
- package_list: "-p init,nutanix-csi,trust-manager,trust-bundles,metallb,core,additional-manifests,nexus"
-
 #### Clean ####
 - name: clean
+ description: Clean up local dev build contents
 actions:
 - cmd: rm -rf ./build/*
diff --git a/tasks/create.yaml b/tasks/create.yaml
index 05819dd1..41e01dfc 100644
--- a/tasks/create.yaml
+++ b/tasks/create.yaml
@@ -2,6 +2,9 @@ variables:
 - name: ARCH
 description: "What architecture to use"
 default: "amd64"
+ - name: EXTRA_ARGS
+ description: "Extra arguments to add to the 'uds create' command"
+ default: "--skip-sbom=true"
 tasks:
 # Build directory
@@ -11,12 +14,6 @@ tasks:
 - cmd: mkdir -p build
 # Bundles
- - name: eksd-bundle
- description: Create the eksd UDS Bundle with SWF on UDS Core
- actions:
- - cmd: ./uds create ./bundles/eksd --architecture="${ARCH}" --confirm
- - cmd: mv ./bundles/eksd/uds-bundle-* ./build
-
 - name: rke2-bundle
 description: Create the rke2 UDS Bundle with SWF on UDS Core
 actions:
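Review bot: The `EXTRA_ARGS` description says the arguments are added to the `'uds create'` command, but the only consumers of the variable in this patch are the `uds zarf package create` lines further down in tasks/create.yaml, and the `rke2-bundle` task's `./uds create ./bundles/rke2` line sits outside every hunk, i.e. is unchanged; someone setting `--set EXTRA_ARGS` to tune the bundle build will find it has no effect. Suggest `description: "Extra arguments appended to each 'uds zarf package create' command (the bundle-level 'uds create' is unaffected)"`. Note also that the `--no-progress` the old commands hardcoded is not part of the new default, so local runs of these tasks now print progress output unless the caller adds it — worth a word in the description if that is deliberate.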
@@ -27,40 +24,40 @@ tasks:
- name: database-manifest-packages
description: Create database manifest packages
actions:
- - cmd: ./uds zarf package create ./packages/databases/gitlab/secret --confirm --no-progress --architecture="${ARCH}" --skip-sbom --output ./build
- - cmd: ./uds zarf package create ./packages/databases/sonarqube/secret --confirm --no-progress --architecture="${ARCH}" --skip-sbom --output ./build
+ - cmd: ./uds zarf package create ./packages/databases/gitlab/secret --confirm --architecture="${ARCH}" --output ./build "${EXTRA_ARGS}"
+ - cmd: ./uds zarf package create ./packages/databases/sonarqube/secret --confirm --architecture="${ARCH}" --output ./build "${EXTRA_ARGS}"
- name: keycloak-config-wrapper-package
description: Create the keycloak configurations shim loader
actions:
- - cmd: ./uds zarf package create ./packages/keycloak-config-wrapper --confirm --no-progress --architecture="${ARCH}" --skip-sbom --output ./build
+ - cmd: ./uds zarf package create ./packages/keycloak-config-wrapper --confirm --architecture="${ARCH}" --output ./build "${EXTRA_ARGS}"
- name: object-store-packages
description: Create the object storage packages
actions:
- - cmd: ./uds zarf package create ./packages/object-store/gitlab --confirm --no-progress --architecture="${ARCH}" --skip-sbom --output ./build
+ - cmd: ./uds zarf package create ./packages/object-store/gitlab --confirm --architecture="${ARCH}" --output ./build "${EXTRA_ARGS}"
- name: additional-manifests-package
description: Create package create additional manifests needed.
actions:
- - cmd: ./uds zarf package create ./packages/additional-manifests --confirm --no-progress --architecture="${ARCH}" --skip-sbom --output ./build
+ - cmd: ./uds zarf package create ./packages/additional-manifests --confirm --architecture="${ARCH}" --output ./build "${EXTRA_ARGS}"
- name: nutanix-csi-package
description: Create Nutanix CSI driver package.
actions:
- - cmd: ./uds zarf package create ./packages/nutanix-csi --confirm --no-progress --architecture="${ARCH}" --skip-sbom --output ./build
+ - cmd: ./uds zarf package create ./packages/nutanix-csi --confirm --architecture="${ARCH}" --output ./build "${EXTRA_ARGS}"
- name: cert-manager-package
description: Create cert-manager package.
actions:
- - cmd: ./uds zarf package create ./packages/cert-manager --confirm --no-progress --architecture="${ARCH}" --skip-sbom --output ./build
+ - cmd: ./uds zarf package create ./packages/cert-manager --confirm --architecture="${ARCH}" --output ./build "${EXTRA_ARGS}"
- name: trust-manager-package
description: Create trust-manager package.
actions:
- - cmd: ./uds zarf package create ./packages/trust-manager --confirm --no-progress --architecture="${ARCH}" --skip-sbom --output ./build
+ - cmd: ./uds zarf package create ./packages/trust-manager --confirm --architecture="${ARCH}" --output ./build "${EXTRA_ARGS}"
- name: trust-bundles-package
description: Create trust-bundle package for adding custom CAs.
actions:
- - cmd: ./uds zarf package create ./packages/trust-bundles --confirm --no-progress --architecture="${ARCH}" --skip-sbom --output ./build
+ - cmd: ./uds zarf package create ./packages/trust-bundles --confirm --architecture="${ARCH}" --output ./build "${EXTRA_ARGS}"
diff --git a/tasks/deploy.yaml b/tasks/deploy.yaml
index 2f56abca..e8e44acb 100644
--- a/tasks/deploy.yaml
+++ b/tasks/deploy.yaml
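Review bot: Quoting `"${EXTRA_ARGS}"` on every rewritten `cmd:` line passes the whole value as one argv token, so a caller who sets it to `""` (the natural way to turn SBOM generation back on) hands `uds zarf package create` an empty extra positional argument, and a value with more than one flag, such as `--skip-sbom=true --no-progress`, arrives as a single unrecognised token; both are likely rejected, assuming `cmd:` is executed by a shell as the existing `"${ARCH}"` quoting implies. Since the variable is meant to hold zero or more flags, word-splitting is the intended behaviour here, so each line should end with the unquoted form, e.g. `- cmd: ./uds zarf package create ./packages/trust-bundles --confirm --architecture="${ARCH}" --output ./build ${EXTRA_ARGS}`. The same applies to the eight other `cmd:` lines in this hunk. Note also that `--no-progress` was dropped from all of these calls and not folded into the default, so CI logs will carry progress output unless the workflow supplies it through `EXTRA_ARGS`.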
@@ -30,7 +30,7 @@ tasks:
default: ""
description: Input to specify packages that should be deployed from the bundle
bundle_type:
- default: "eksd"
+ default: "rke2"
description: Input to specify the type of bundle to deploy
actions:
- cmd: docker run --rm -e ARCH="${ARCH}" -e BUNDLE_VERSION="${BUNDLE_VERSION}" -e BUNDLE_TYPE="${INPUT_BUNDLE_TYPE}" -e UDS_CONFIG=/configs/uds-config.yaml -e KUBECONFIG=/configs/kubeconfig -e PACKAGE_LIST="${INPUT_PACKAGE_LIST}" -v /tmp:/tmp -v "${INPUT_CONFIG_DIR}":/configs -v "${INPUT_BUILD_DIR}":/build "${DEPLOY_IMAGE}" bash -c 'uds deploy /build/uds-bundle-software-factory-nutanix-${BUNDLE_TYPE}-${ARCH}-${BUNDLE_VERSION}.tar.zst ${PACKAGE_LIST} --no-progress --confirm'
@@ -45,7 +45,7 @@ tasks:
default: ""
description: Input to specify packages that should be deployed from the bundle
bundle_type:
- default: "eksd"
+ default: "rke2"
description: Input to specify the type of bundle to deploy
actions:
- cmd: docker run --rm -e BUNDLE_VERSION="${BUNDLE_VERSION}" -e BUNDLE_TYPE="${INPUT_BUNDLE_TYPE}" -e UDS_CONFIG=/configs/uds-config.yaml -e KUBECONFIG=/configs/kubeconfig -e PACKAGE_LIST="${INPUT_PACKAGE_LIST}" -v /tmp:/tmp -v "${INPUT_CONFIG_DIR}":/configs "${DEPLOY_IMAGE}" bash -c 'uds deploy oci://ghcr.io/defenseunicorns/uds-bundle/software-factory-nutanix-${BUNDLE_TYPE}:${BUNDLE_VERSION} ${PACKAGE_LIST} --no-progress --confirm'