Feature/expose gitlab ssh (#20)

feat!: build a dubbd skeleton package with custom values and expose SSH for gitlab

* Moving dubbd install to a skeleton build with custom values. A
* adding gitlab ssh VS and netpols

BREAKING: certificates are expected in the configuration now -- no defaults will be loaded

BEGIN_COMMIT_OVERRIDE
feat!: build dubbd skeleton package
feat!: expose ssh for gitlab
feat!: certs are expted in uds-config now
END_COMMIT_OVERRIDE

.gitignore

@@ -31,4 +31,6 @@ on_failure.sh
 run/
 
 # certs
-*.pem
+*.pem
+
+scratch/

Makefile

@@ -2,7 +2,6 @@
 # the build folder.
 # renovate: datasource=github-tags depName=defenseunicorns/zarf
 UDS_CLI_VERSION := v0.4.1
-
 ZARF_VERSION := v0.31.3
 
 # Figure out which Zarf binary we should use based on the operating system we are on
@@ -32,10 +31,6 @@ endif
 
 .DEFAULT_GOAL := help
 
-# Target vars
-CERT_PATH := scripts/test-cluster-ingress-cert.pem
-KEY_PATH := scripts/test-cluster-ingress-key.pem
-
 # Idiomatic way to force a target to always run, by having it depend on this dummy target
 FORCE:
 
@@ -50,7 +45,8 @@ help: ## Show a list of all targets
 ########################################################################
 
 .PHONY: build/all
-build/all: build build/zarf build/uds build/software-factory-namespaces build/idam-dns build/idam-realm build/idam-gitlab build/idam-sonarqube build/db-manifests build/object-store-manifests build/additional-kyverno-exceptions build/uds-bundle-software-factory ## Build everything
+build/all: build build/zarf build/uds build/software-factory-namespaces build/idam-dns build/idam-realm build/dubbd-rke2-nutanix build/idam-gitlab build/idam-sonarqube build/db-manifests build/object-store-manifests build/additional-kyverno-exceptions build/uds-bundle-software-factory ## Build everything
+
 
 build: ## Create build directory
 	mkdir -p build
@@ -76,6 +72,9 @@ build/uds: | build ## Download uds-cli to the build dir
 build/software-factory-namespaces: | build ## Build namespaces package
 	cd build && ./zarf package create ../packages/namespaces/ --confirm --output-directory .
 
+build/dubbd-rke2-nutanix: | build ## Build dubbd-rke2-nutanix package
+	cd packages/dubbd && ../../build/zarf package create . --confirm --output-directory ../../build
+
 build/idam-gitlab: | build ## Build idam-gitlab package
 	cd build && ./zarf package create ../packages/idam-gitlab/ --confirm --output-directory .
 
@@ -116,13 +115,11 @@ deploy/test-cluster: ## Deploy the software factory package to the test cluster
 	cp uds-config/test-cluster/uds-config.yaml ./build/
 	cp deploy-dubbd-values.yaml ./build/
 	cd ./build && ./uds deploy uds-bundle-software-factory-*.tar.zst --confirm
-	cd ./scripts && ./update-certs.sh $(CERT_PATH) $(KEY_PATH)
 
 deploy/dev-cluster: ## Deploy the software factory package to the dev cluster
 	cp uds-config/dev-cluster/uds-config.yaml ./build/
 	cp deploy-dubbd-values.yaml ./build/
 	cd ./build && ./uds deploy uds-bundle-software-factory-*.tar.zst --confirm
-	cd ./scripts && ./update-certs.sh $(CERT_PATH) $(KEY_PATH)
 
 ########################################################################
 # Macro Section

README.md

@@ -31,8 +31,13 @@ Below are the example configurations used in this project to configure deploy ti
 There will be sensitive values you will need to update before deployment. You can search `replace-me` in the above `uds-config.yaml` files for quick reference sensitive values needing updated.
 
 ## Certs
-Currently we are deploying the bundle, and then updating the certs in the cluster to our own `mtsi.bigbang.dev` and `mtsi-dev.bigbang.dev` certs using this [update-certs.sh](scripts/update-certs.sh) script. In a future version we will update this example to put the certs in the `uds-config.yaml` to be setup at deploy time.
+Certs for the tenant and admin gateways should be provided via `uds-config.yaml` variables: 
+* TENANT_CERT
+* TENANT_KEY
+* ADMIN_CERT
+* ADMIN_KEY
 
+You can reference [this](uds-config/dev-cluster/uds-config.yaml) example config to see how to set these.
 ## High Level Steps
 You can follow the breadcrumbs starting at the [Makefile](Makefile) target `make all/dev-cluster`. This Makefile downloads configured versions of zarf and uds to the build directory, places the `uds-config.yaml` and `deploy-dubbd-values.yaml` in that build directory and performs the deploy command from there. Steps numbered below. Or follow along in the Makefile.
 
@@ -61,4 +66,3 @@ brew tap defenseunicorns/tap && brew install uds && brew install zarf
 1) build the bundle itself
 1) place the `uds-config.yaml` and the `deploy-dubbd-values.yaml` in the directory where the deployment will take place
 1) deploy the software factory.
-1) update the certs with our certs (This step will be replaced with adding the certs to the configuration in a future version)

deploy-dubbd-values.yaml

@@ -1,32 +1 @@
-# DO NOT USE :oops-a-daisy: -- this file is only here to silence a warning
-loki:
-  values:
-    # Values for Monolith strategy
-    singleBinary:
-      resources:
-        limits:
-          cpu: 100m
-          memory: 1024Mi
-        requests:
-          cpu: 100m
-          memory: 512Mi
-
-monitoring:
-  values:
-    kube-state-metrics:
-      resources:
-        limits:
-          cpu: "500m"
-          memory: "1024Mi"
-        requests:
-          cpu: "10m"
-          memory: "512Mi"
-    prometheus:
-      prometheusSpec:
-        resources:
-          limits:
-            cpu: "600m"
-            memory: "6Gi"
-          requests:
-            cpu: "300m"
-            memory: "2Gi"
+# DO NOT USE -- this file is only here to silence a warning

packages/dubbd/manifests/gitlab-ssh-networkpolicies.yaml

@@ -0,0 +1,42 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: ingress-istio-shell
+  namespace: gitlab
+spec:
+  ingress:
+  - from:
+    - namespaceSelector:
+        matchLabels:
+          app.kubernetes.io/name: istio-controlplane
+      podSelector:
+        matchLabels:
+          app: tenant-ingressgateway
+          istio: ingressgateway
+    ports:
+    - port: 2222
+      protocol: TCP
+  podSelector:
+    matchLabels:
+      app: gitlab-shell
+  policyTypes:
+  - Ingress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: egress-shell
+  namespace: gitlab
+spec:
+  egress:
+  - to:
+    - namespaceSelector: {}
+    - ipBlock:
+        cidr: 0.0.0.0/0
+        except:
+        - 169.254.169.254/32
+  podSelector:
+    matchLabels:
+      app: gitlab-shell
+  policyTypes:
+  - Egress

packages/dubbd/manifests/gitlab-ssh-virtualservice.yaml

@@ -0,0 +1,21 @@
+apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+  annotations:
+    meta.helm.sh/release-name: gitlab
+    meta.helm.sh/release-namespace: gitlab
+  name: gitlab-ssh
+  namespace: gitlab
+spec:
+  gateways:
+  - istio-system/tenant
+  hosts:
+  - gitlab.mtsi.bigbang.dev
+  tcp:
+  - match:
+    - port: 2022
+    route:
+    - destination:
+        host: gitlab-gitlab-shell.gitlab.svc.cluster.local
+        port:
+          number: 22

packages/dubbd/values/istio.yaml

@@ -0,0 +1,43 @@
+istio:
+  values:
+    gateways:
+      tenant:
+        ingressGateway: tenant-ingressgateway
+        servers:
+        - hosts:
+            - "*.###ZARF_VAR_DOMAIN###"
+          port:
+            name: https
+            number: 8443
+            protocol: HTTPS
+          tls:
+            minProtocolVersion: "TLSV1_3"
+            mode: SIMPLE
+            credentialName: tenant-cert
+        - hosts:
+            - "gitlab.###ZARF_VAR_DOMAIN###"
+          port:
+            name: tcp-ssh
+            number: 2022
+            protocol: TCP
+  ingressGateways:
+    tenant-ingressgateway:
+      kubernetesResourceSpec:
+        service:
+          ports:
+            - port: 15021
+              targetPort: 15021
+              name: status-port
+              protocol: TCP
+            - port: 80
+              targetPort: 8080
+              name: http2
+              protocol: TCP
+            - port: 443
+              targetPort: 8443
+              name: https
+              protocol: TCP
+            - port: 22
+              targetPort: 2022
+              name: tcp-ssh
+              protocol: TCP

packages/dubbd/values/loki.yaml

@@ -0,0 +1,11 @@
+loki:
+  values:
+    # Values for Monolith strategy
+    singleBinary:
+      resources:
+        limits:
+          cpu: 100m
+          memory: 1024Mi
+        requests:
+          cpu: 100m
+          memory: 512Mi

packages/dubbd/values/monitoring.yaml

@@ -0,0 +1,19 @@
+monitoring:
+  values:
+    kube-state-metrics:
+      resources:
+        limits:
+          cpu: "500m"
+          memory: "1024Mi"
+        requests:
+          cpu: "10m"
+          memory: "512Mi"
+    prometheus:
+      prometheusSpec:
+        resources:
+          limits:
+            cpu: "600m"
+            memory: "6Gi"
+          requests:
+            cpu: "300m"
+            memory: "2Gi"

packages/dubbd/values/velero.yaml

@@ -0,0 +1 @@
+# PLACEHOLDER

packages/dubbd/zarf-config.yaml

@@ -0,0 +1,8 @@
+package:
+  create:
+    max_package_size: "1000000000"
+    set:
+      # renovate: datasource=gitlab-tags depName=big-bang/bigbang versioning=semver registryUrl=https://repo1.dso.mil
+      bigbang_version: "2.16.0"
+      # should line up with the flux version in the BB release, see https://repo1.dso.mil/big-bang/bigbang/-/blob/master/base/flux/gotk-components.yaml#L3
+      flux_version: "2.1.2"

packages/dubbd/zarf.yaml

@@ -0,0 +1,102 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/defenseunicorns/zarf/v0.31.4/zarf.schema.json
+kind: ZarfPackageConfig
+metadata:
+  name: dubbd-rke2-nutanix
+  description: "RKE2 DUBBD configuration tweaked for swf-nutanix"
+  architecture: "amd64"
+  version: "0.15.0-n1"
+
+x-dubbd-oci: &dubbd_oci "oci://ghcr.io/defenseunicorns/packages/dubbd-rke2:0.15.0-skeleton"
+
+variables:
+# domains and certs
+  - name: DOMAIN
+  - name: ADMIN_DOMAIN
+  - name: TENANT_CERT
+    description: "RSA Cert to be served by the tenant gateway"
+    sensitive: true
+    autoIndent: true
+    # default: "Intentionally left blank"
+  - name: TENANT_KEY
+    description: "RSA cert private key to be loaded by the tenant gateway"
+    sensitive: true
+    autoIndent: true
+    # default: "Intentionally left blank"
+  - name: ADMIN_CERT
+    description: "RSA cert to be served by the admin gateway"
+    sensitive: true
+    autoIndent: true
+    # default: "Intentionally left blank"
+  - name: ADMIN_KEY
+    description: "RSA cert private key to be loaded by the admin gateway"
+    sensitive: true
+    autoIndent: true
+    # default: "Intentionally left blank"
+
+components:
+  - name: set-zarf-vars
+    required: true
+    import:
+      name: set-zarf-vars
+      url: *dubbd_oci
+
+  - name: preflight
+    required: true
+    import:
+      name: preflight
+      url: *dubbd_oci
+
+  # NOTE -- This DUBBD package assumes certs are provided directly via variable configuration. No certs will be loaded from files by default.
+
+  - name: generate-credentials
+    required: true
+    import:
+      name: generate-credentials
+      url: *dubbd_oci
+
+  - name: download-flux
+    required: true
+    import:
+      name: download-flux
+      url: *dubbd_oci
+
+  - name: storage-class
+    required: true
+    import:
+      name: storage-class
+      url: *dubbd_oci
+
+  - name: dubbd-pre-upgrade
+    required: true
+    import:
+      name: dubbd-pre-upgrade
+      url: *dubbd_oci
+
+  - name: bigbang
+    required: true
+    import:
+      name: bigbang
+      url: *dubbd_oci
+    extensions:
+      bigbang:
+        version: "###ZARF_PKG_TMPL_BIGBANG_VERSION###"
+        valuesFiles:
+          - values/istio.yaml
+          - values/loki.yaml
+          - values/monitoring.yaml
+          - values/velero.yaml
+
+  - name: dubbd-post-upgrade
+    required: true
+    import:
+      name: dubbd-post-upgrade
+      url: *dubbd_oci
+
+  - name: gitlab-ssh
+    required: true
+    manifests:
+      - name: gitlab-ssh-virtualservice
+        namespace: gitlab
+        files:
+          - manifests/gitlab-ssh-virtualservice.yaml
+          - manifests/gitlab-ssh-networkpolicies.yaml