diff --git a/.gitignore b/.gitignore index efc9a1a6..2452fb51 100644 --- a/.gitignore +++ b/.gitignore @@ -31,4 +31,6 @@ on_failure.sh run/ # certs -*.pem \ No newline at end of file +*.pem + +scratch/ diff --git a/Makefile b/Makefile index a32fcc12..ac490373 100755 --- a/Makefile +++ b/Makefile @@ -2,7 +2,6 @@ # the build folder. # renovate: datasource=github-tags depName=defenseunicorns/zarf UDS_CLI_VERSION := v0.4.1 - ZARF_VERSION := v0.31.3 # Figure out which Zarf binary we should use based on the operating system we are on @@ -32,10 +31,6 @@ endif .DEFAULT_GOAL := help -# Target vars -CERT_PATH := scripts/test-cluster-ingress-cert.pem -KEY_PATH := scripts/test-cluster-ingress-key.pem - # Idiomatic way to force a target to always run, by having it depend on this dummy target FORCE: @@ -50,7 +45,8 @@ help: ## Show a list of all targets ######################################################################## .PHONY: build/all -build/all: build build/zarf build/uds build/software-factory-namespaces build/idam-dns build/idam-realm build/idam-gitlab build/idam-sonarqube build/db-manifests build/object-store-manifests build/additional-kyverno-exceptions build/uds-bundle-software-factory ## Build everything +build/all: build build/zarf build/uds build/software-factory-namespaces build/idam-dns build/idam-realm build/dubbd-rke2-nutanix build/idam-gitlab build/idam-sonarqube build/db-manifests build/object-store-manifests build/additional-kyverno-exceptions build/uds-bundle-software-factory ## Build everything + build: ## Create build directory mkdir -p build @@ -76,6 +72,9 @@ build/uds: | build ## Download uds-cli to the build dir build/software-factory-namespaces: | build ## Build namespaces package cd build && ./zarf package create ../packages/namespaces/ --confirm --output-directory . +build/dubbd-rke2-nutanix: | build ## Build dubbd-rke2-nutanix package + cd packages/dubbd && ../../build/zarf package create . --confirm --output-directory ../../build + build/idam-gitlab: | build ## Build idam-gitlab package cd build && ./zarf package create ../packages/idam-gitlab/ --confirm --output-directory . @@ -116,13 +115,11 @@ deploy/test-cluster: ## Deploy the software factory package to the test cluster cp uds-config/test-cluster/uds-config.yaml ./build/ cp deploy-dubbd-values.yaml ./build/ cd ./build && ./uds deploy uds-bundle-software-factory-*.tar.zst --confirm - cd ./scripts && ./update-certs.sh $(CERT_PATH) $(KEY_PATH) deploy/dev-cluster: ## Deploy the software factory package to the dev cluster cp uds-config/dev-cluster/uds-config.yaml ./build/ cp deploy-dubbd-values.yaml ./build/ cd ./build && ./uds deploy uds-bundle-software-factory-*.tar.zst --confirm - cd ./scripts && ./update-certs.sh $(CERT_PATH) $(KEY_PATH) ######################################################################## # Macro Section diff --git a/README.md b/README.md index 0f0ec6bd..68d38b63 100644 --- a/README.md +++ b/README.md @@ -31,8 +31,13 @@ Below are the example configurations used in this project to configure deploy ti There will be sensitive values you will need to update before deployment. You can search `replace-me` in the above `uds-config.yaml` files for quick reference sensitive values needing updated. ## Certs -Currently we are deploying the bundle, and then updating the certs in the cluster to our own `mtsi.bigbang.dev` and `mtsi-dev.bigbang.dev` certs using this [update-certs.sh](scripts/update-certs.sh) script. In a future version we will update this example to put the certs in the `uds-config.yaml` to be setup at deploy time. +Certs for the tenant and admin gateways should be provided via `uds-config.yaml` variables: +* TENANT_CERT +* TENANT_KEY +* ADMIN_CERT +* ADMIN_KEY +You can reference [this](uds-config/dev-cluster/uds-config.yaml) example config to see how to set these. ## High Level Steps You can follow the breadcrumbs starting at the [Makefile](Makefile) target `make all/dev-cluster`. This Makefile downloads configured versions of zarf and uds to the build directory, places the `uds-config.yaml` and `deploy-dubbd-values.yaml` in that build directory and performs the deploy command from there. Steps numbered below. Or follow along in the Makefile. @@ -61,4 +66,3 @@ brew tap defenseunicorns/tap && brew install uds && brew install zarf 1) build the bundle itself 1) place the `uds-config.yaml` and the `deploy-dubbd-values.yaml` in the directory where the deployment will take place 1) deploy the software factory. -1) update the certs with our certs (This step will be replaced with adding the certs to the configuration in a future version) diff --git a/deploy-dubbd-values.yaml b/deploy-dubbd-values.yaml index f5d0eb65..514503c9 100644 --- a/deploy-dubbd-values.yaml +++ b/deploy-dubbd-values.yaml @@ -1,32 +1 @@ -# DO NOT USE :oops-a-daisy: -- this file is only here to silence a warning -loki: - values: - # Values for Monolith strategy - singleBinary: - resources: - limits: - cpu: 100m - memory: 1024Mi - requests: - cpu: 100m - memory: 512Mi - -monitoring: - values: - kube-state-metrics: - resources: - limits: - cpu: "500m" - memory: "1024Mi" - requests: - cpu: "10m" - memory: "512Mi" - prometheus: - prometheusSpec: - resources: - limits: - cpu: "600m" - memory: "6Gi" - requests: - cpu: "300m" - memory: "2Gi" \ No newline at end of file +# DO NOT USE -- this file is only here to silence a warning diff --git a/packages/dubbd/manifests/gitlab-ssh-networkpolicies.yaml b/packages/dubbd/manifests/gitlab-ssh-networkpolicies.yaml new file mode 100644 index 00000000..3f61bdc3 --- /dev/null +++ b/packages/dubbd/manifests/gitlab-ssh-networkpolicies.yaml @@ -0,0 +1,42 @@ +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: ingress-istio-shell + namespace: gitlab +spec: + ingress: + - from: + - namespaceSelector: + matchLabels: + app.kubernetes.io/name: istio-controlplane + podSelector: + matchLabels: + app: tenant-ingressgateway + istio: ingressgateway + ports: + - port: 2222 + protocol: TCP + podSelector: + matchLabels: + app: gitlab-shell + policyTypes: + - Ingress +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: egress-shell + namespace: gitlab +spec: + egress: + - to: + - namespaceSelector: {} + - ipBlock: + cidr: 0.0.0.0/0 + except: + - 169.254.169.254/32 + podSelector: + matchLabels: + app: gitlab-shell + policyTypes: + - Egress diff --git a/packages/dubbd/manifests/gitlab-ssh-virtualservice.yaml b/packages/dubbd/manifests/gitlab-ssh-virtualservice.yaml new file mode 100644 index 00000000..afbaafdc --- /dev/null +++ b/packages/dubbd/manifests/gitlab-ssh-virtualservice.yaml @@ -0,0 +1,21 @@ +apiVersion: networking.istio.io/v1beta1 +kind: VirtualService +metadata: + annotations: + meta.helm.sh/release-name: gitlab + meta.helm.sh/release-namespace: gitlab + name: gitlab-ssh + namespace: gitlab +spec: + gateways: + - istio-system/tenant + hosts: + - gitlab.mtsi.bigbang.dev + tcp: + - match: + - port: 2022 + route: + - destination: + host: gitlab-gitlab-shell.gitlab.svc.cluster.local + port: + number: 22 diff --git a/packages/dubbd/values/istio.yaml b/packages/dubbd/values/istio.yaml new file mode 100644 index 00000000..339ce50d --- /dev/null +++ b/packages/dubbd/values/istio.yaml @@ -0,0 +1,43 @@ +istio: + values: + gateways: + tenant: + ingressGateway: tenant-ingressgateway + servers: + - hosts: + - "*.###ZARF_VAR_DOMAIN###" + port: + name: https + number: 8443 + protocol: HTTPS + tls: + minProtocolVersion: "TLSV1_3" + mode: SIMPLE + credentialName: tenant-cert + - hosts: + - "gitlab.###ZARF_VAR_DOMAIN###" + port: + name: tcp-ssh + number: 2022 + protocol: TCP + ingressGateways: + tenant-ingressgateway: + kubernetesResourceSpec: + service: + ports: + - port: 15021 + targetPort: 15021 + name: status-port + protocol: TCP + - port: 80 + targetPort: 8080 + name: http2 + protocol: TCP + - port: 443 + targetPort: 8443 + name: https + protocol: TCP + - port: 22 + targetPort: 2022 + name: tcp-ssh + protocol: TCP diff --git a/packages/dubbd/values/loki.yaml b/packages/dubbd/values/loki.yaml new file mode 100644 index 00000000..fe135f3f --- /dev/null +++ b/packages/dubbd/values/loki.yaml @@ -0,0 +1,11 @@ +loki: + values: + # Values for Monolith strategy + singleBinary: + resources: + limits: + cpu: 100m + memory: 1024Mi + requests: + cpu: 100m + memory: 512Mi diff --git a/packages/dubbd/values/monitoring.yaml b/packages/dubbd/values/monitoring.yaml new file mode 100644 index 00000000..51215382 --- /dev/null +++ b/packages/dubbd/values/monitoring.yaml @@ -0,0 +1,19 @@ +monitoring: + values: + kube-state-metrics: + resources: + limits: + cpu: "500m" + memory: "1024Mi" + requests: + cpu: "10m" + memory: "512Mi" + prometheus: + prometheusSpec: + resources: + limits: + cpu: "600m" + memory: "6Gi" + requests: + cpu: "300m" + memory: "2Gi" diff --git a/packages/dubbd/values/velero.yaml b/packages/dubbd/values/velero.yaml new file mode 100644 index 00000000..390bdff5 --- /dev/null +++ b/packages/dubbd/values/velero.yaml @@ -0,0 +1 @@ +# PLACEHOLDER diff --git a/packages/dubbd/zarf-config.yaml b/packages/dubbd/zarf-config.yaml new file mode 100644 index 00000000..b6b42579 --- /dev/null +++ b/packages/dubbd/zarf-config.yaml @@ -0,0 +1,8 @@ +package: + create: + max_package_size: "1000000000" + set: + # renovate: datasource=gitlab-tags depName=big-bang/bigbang versioning=semver registryUrl=https://repo1.dso.mil + bigbang_version: "2.16.0" + # should line up with the flux version in the BB release, see https://repo1.dso.mil/big-bang/bigbang/-/blob/master/base/flux/gotk-components.yaml#L3 + flux_version: "2.1.2" diff --git a/packages/dubbd/zarf.yaml b/packages/dubbd/zarf.yaml new file mode 100644 index 00000000..0008caab --- /dev/null +++ b/packages/dubbd/zarf.yaml @@ -0,0 +1,102 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/defenseunicorns/zarf/v0.31.4/zarf.schema.json +kind: ZarfPackageConfig +metadata: + name: dubbd-rke2-nutanix + description: "RKE2 DUBBD configuration tweaked for swf-nutanix" + architecture: "amd64" + version: "0.15.0-n1" + +x-dubbd-oci: &dubbd_oci "oci://ghcr.io/defenseunicorns/packages/dubbd-rke2:0.15.0-skeleton" + +variables: +# domains and certs + - name: DOMAIN + - name: ADMIN_DOMAIN + - name: TENANT_CERT + description: "RSA Cert to be served by the tenant gateway" + sensitive: true + autoIndent: true + # default: "Intentionally left blank" + - name: TENANT_KEY + description: "RSA cert private key to be loaded by the tenant gateway" + sensitive: true + autoIndent: true + # default: "Intentionally left blank" + - name: ADMIN_CERT + description: "RSA cert to be served by the admin gateway" + sensitive: true + autoIndent: true + # default: "Intentionally left blank" + - name: ADMIN_KEY + description: "RSA cert private key to be loaded by the admin gateway" + sensitive: true + autoIndent: true + # default: "Intentionally left blank" + +components: + - name: set-zarf-vars + required: true + import: + name: set-zarf-vars + url: *dubbd_oci + + - name: preflight + required: true + import: + name: preflight + url: *dubbd_oci + + # NOTE -- This DUBBD package assumes certs are provided directly via variable configuration. No certs will be loaded from files by default. + + - name: generate-credentials + required: true + import: + name: generate-credentials + url: *dubbd_oci + + - name: download-flux + required: true + import: + name: download-flux + url: *dubbd_oci + + - name: storage-class + required: true + import: + name: storage-class + url: *dubbd_oci + + - name: dubbd-pre-upgrade + required: true + import: + name: dubbd-pre-upgrade + url: *dubbd_oci + + - name: bigbang + required: true + import: + name: bigbang + url: *dubbd_oci + extensions: + bigbang: + version: "###ZARF_PKG_TMPL_BIGBANG_VERSION###" + valuesFiles: + - values/istio.yaml + - values/loki.yaml + - values/monitoring.yaml + - values/velero.yaml + + - name: dubbd-post-upgrade + required: true + import: + name: dubbd-post-upgrade + url: *dubbd_oci + + - name: gitlab-ssh + required: true + manifests: + - name: gitlab-ssh-virtualservice + namespace: gitlab + files: + - manifests/gitlab-ssh-virtualservice.yaml + - manifests/gitlab-ssh-networkpolicies.yaml diff --git a/scripts/update-certs.sh b/scripts/update-certs.sh deleted file mode 100755 index 487c7ec7..00000000 --- a/scripts/update-certs.sh +++ /dev/null @@ -1,33 +0,0 @@ -#!/bin/bash -## -## This script can be used after a fresh deploy to remove the default (bigbang.dev) cert secret -## from the istio-system namespace and create new secrets with a cert using a custom domain such -## as `*.mtsi.bigbang.dev`. -## -## PARAMS: -## * $1 -- relative path to a cert file in pem format (contact ablanchard) -## * $2 -- relative path to a key file in pem format (contact ablanchard) - -cert=$1 -key=$2 - -# remove the existing cert secrets -kubectl delete secret -n istio-system admin-cert -kubectl delete secret -n istio-system tenant-cert -kubectl delete secret -n keycloak keycloak-tlskey -kubectl delete secret -n keycloak keycloak-tlscert - -# create new cert secrets -kubectl create -n istio-system secret tls admin-cert \ - --key=$(git rev-parse --show-toplevel)/$key \ - --cert=$(git rev-parse --show-toplevel)/$cert - -kubectl create -n istio-system secret tls tenant-cert \ - --key=$(git rev-parse --show-toplevel)/$key \ - --cert=$(git rev-parse --show-toplevel)/$cert - -kubectl create -n keycloak secret generic keycloak-tlskey --from-file=tls.key=$(git rev-parse --show-toplevel)/$key -kubectl create -n keycloak secret generic keycloak-tlscert --from-file=tls.crt=$(git rev-parse --show-toplevel)/$cert - -# restart keycloak -kubectl rollout restart statefulset -n keycloak keycloak \ No newline at end of file diff --git a/uds-bundle.yaml b/uds-bundle.yaml index ced9ced2..9c3b1e48 100644 --- a/uds-bundle.yaml +++ b/uds-bundle.yaml @@ -27,9 +27,9 @@ zarf-packages: ref: 0.0.4 # Defense Unicorns Big Bang Distro - - name: dubbd-rke2 - repository: ghcr.io/defenseunicorns/packages/dubbd-rke2 - ref: 0.15.0 + - name: dubbd-rke2-nutanix + path: build + ref: 0.15.0-n1 # Additional Kyverno Exceptions - name: additional-kyverno-exceptions diff --git a/uds-config/dev-cluster/uds-config.yaml b/uds-config/dev-cluster/uds-config.yaml index a45bbb72..46f4f49f 100644 --- a/uds-config/dev-cluster/uds-config.yaml +++ b/uds-config/dev-cluster/uds-config.yaml @@ -8,11 +8,30 @@ bundle: metallb: set: IP_ADDRESS_POOL: "24.0.132.244/30" - dubbd-rke2: + dubbd-rke2-nutanix: set: # TODO - replace these blanket exceptions with more targeted kyverno policy exceptions - EXEMPT_NAMESPACES: '["zarf", "rook-ceph", "metallb-system"]' + EXEMPT_NAMESPACES: '["zarf", "rook-ceph", "metallb-system", "kube-system"]' DOMAIN: "mtsi-dev.bigbang.dev" + # Domain and Certs + DOMAIN: "mtsi.bigbang.dev" + TENANT_CERT: | + -----BEGIN CERTIFICATE----- + replace-me-tenant-gateway-cert + -----END CERTIFICATE----- + TENANT_KEY: | + -----BEGIN PRIVATE KEY----- + replace-me-tenant-gateway-key + -----END PRIVATE KEY----- + ADMIN_CERT: | + -----BEGIN CERTIFICATE----- + replace-me-admin-gateway-cert + -----END CERTIFICATE----- + ADMIN_KEY: | + -----BEGIN PRIVATE KEY----- + replace-me-admin-gateway-key + -----END PRIVATE KEY----- + # Velero VELERO_BUCKET_PROVIDER_URL: "http://swf.objects.mtsi.bigbang.dev" VELERO_BUCKET: "velero-bucket-dev" VELERO_BUCKET_REGION: "us-east-1" diff --git a/uds-config/test-cluster/uds-config.yaml b/uds-config/test-cluster/uds-config.yaml index 1cb3a0c6..f5e0196a 100644 --- a/uds-config/test-cluster/uds-config.yaml +++ b/uds-config/test-cluster/uds-config.yaml @@ -8,11 +8,29 @@ bundle: metallb: set: IP_ADDRESS_POOL: "24.0.132.248/30" - dubbd-rke2: + dubbd-rke2-nutanix: set: # TODO - replace these blanket exceptions with more targeted kyverno policy exceptions - EXEMPT_NAMESPACES: '["zarf", "rook-ceph", "metallb-system"]' + EXEMPT_NAMESPACES: '["zarf", "rook-ceph", "metallb-system", "kube-system"]' + # Domain and Certs DOMAIN: "mtsi.bigbang.dev" + TENANT_CERT: | + -----BEGIN CERTIFICATE----- + replace-me-tenant-gateway-cert + -----END CERTIFICATE----- + TENANT_KEY: | + -----BEGIN PRIVATE KEY----- + replace-me-tenant-gateway-key + -----END PRIVATE KEY----- + ADMIN_CERT: | + -----BEGIN CERTIFICATE----- + replace-me-admin-gateway-cert + -----END CERTIFICATE----- + ADMIN_KEY: | + -----BEGIN PRIVATE KEY----- + replace-me-admin-gateway-key + -----END PRIVATE KEY----- + # Velero VELERO_BUCKET_PROVIDER_URL: "http://swf.objects.mtsi.bigbang.dev" VELERO_BUCKET: "velero-bucket-test" VELERO_BUCKET_REGION: "us-east-1"