chore: update bundle to be compatible with eks-management cluster (#198)

* Make the nutanix-volume attachment type configurable

* Add default setting for hypervisor_attached zarf var

* Support deploying bundle into an eks-d management cluster

bundles/uds-core-swf/uds-bundle.yaml

@@ -66,6 +66,10 @@ packages:
                   key: dedicated-gitaly-node
                   operator: Exists
 
+  - name: cert-manager
+    path: ../../build
+    ref: 0.0.1
+
   - name: trust-manager
     path: ../../build
     ref: 0.0.1
@@ -81,7 +85,7 @@ packages:
 
   - name: core
     repository: ghcr.io/defenseunicorns/packages/uds/core
-    ref: 0.27.2-registry1
+    ref: 0.27.3-registry1
     overrides:
       grafana:
         grafana:
@@ -691,7 +695,7 @@ packages:
   # Nexus
   - name: nexus
     repository: ghcr.io/defenseunicorns/packages/uds/nexus
-    ref: 3.69.0-uds.0-registry1
+    ref: 3.71.0-uds.1-registry1
     overrides:
       nexus:
         nexus:
@@ -706,6 +710,9 @@ packages:
                 limits:
                   cpu: 8
                   memory: 16Gi
+            - name: STORAGE_SIZE
+              path: persistence.storageSize
+              default: 8Gi
           values:
             - path: sso.realm
               value:

config/uds-config.yaml

@@ -58,6 +58,7 @@ variables:
     PRISM_PASSWORD: "csi-user-passoword"
     STORAGE_CONTAINER: "nutanix-storage-container"
     DYNAMIC_FILE_STORE_NAME: "nutanix-file-server-name"
+    HYPERVISOR_ATTACHED: "DISABLED"
   metallb:
     # Replace with a valid IP address range
     IP_ADDRESS_POOL: "10.0.0.10-10.0.0.20"
@@ -182,6 +183,14 @@ variables:
     NEXUS_DB_USERNAME: "postgres"
     NEXUS_DB_ENDPOINT: "nexus-pg.replace.with.db.url"
     NEXUS_DB_PASSWORD: "replace-me-db-passwords"
+    NEXUS_RESOURCE_CONFIG: # optional
+      requests:
+        cpu: 2
+        memory: 4Gi
+      limits:
+        cpu: 6
+        memory: 8Gi
+    STORAGE_SIZE: 128Gi # optional
     # SSO requires a license
     NEXUS_SSO_ENABLED: false
     NEXUS_LICENSE_KEY: ""

docs/packages-and-dependencies.md

@@ -9,15 +9,16 @@ This list covers tools which would be required on a developer machine in order t
 
 | Tool | Version | Description |
 |----|----|----|
-| [terraform](https://github.com/hashicorp/terraform) | v1.6.4 | An Infrastructure As Code (IAC) tool for managing the deployment of virtual resources (VMs, databases, object storage) within Nutanix |
-| [UDS](https://github.com/defenseunicorns/uds-cli) | v0.13.1 | A custom tool for automating and simplifying the management of multiple Zarf deployments in one environment |
+| [OpenTofu](https://github.com/opentofu/opentofu) | v1.7.1 | An Infrastructure As Code (IAC) tool for managing the deployment of virtual resources (VMs, databases, object storage) within Nutanix |
+| [UDS](https://github.com/defenseunicorns/uds-cli) | v0.15.0 | A custom tool for automating and simplifying the management of multiple Zarf deployments in one environment |
 
 ## Operating System Package Installs
 This list covers tools and packages installed in the Operating System of the virtual machines allocated to run Kubernetes. This list is obviously not exhaustive, but instead covers what is being added to the base STIG'd image.
 
 | Package | Version | Description |
 |----|----|----|
-| [rke2](https://github.com/rancher/rke2/releases/) | v1.27.6+rke2r1 | A Kubernetes distribution provided by Rancher, focused on security compliance for Government workloads |
+| [rke2](https://github.com/rancher/rke2/releases/) | v1.29.6+rke2r1 | A Kubernetes distribution provided by Rancher, focused on security compliance for Government workloads |
+| [eks-d](https://github.com/aws/eks-distro/releases/) | v1.29.6-eks-c025470 | A Kubernetes distribution provided by AWS |
 | [iptables](https://linux.die.net/man/8/iptables) | v1.8.4 | A linux tool for managing local IPv4 packet filtering and NAT routing |
 | [postgres14](https://download.postgresql.org/pub/repos/yum/reporpms/EL-8-x86_64/pgdg-redhat-repo-latest.noarch.rpm) | 14.10 | Database server required as part of initial setup |
 | [lvm2](https://gitlab.com/lvmteam/lvm2) | 2.03.14(2)-RHEL8 | Logical volume management tool needed by rook/ceph |
@@ -40,15 +41,15 @@ The UDS Software Factory Bundle (SWF) is a collection of Zarf packages which inc
 |----|----|----|----|
 | [Nutanix CSI Driver Init](https://portal.nutanix.com/page/documents/details?targetId=CSI-Volume-Driver-v2_6:CSI-Volume-Driver-v2_6) | v0.36.1 | v2.6.8 | A zarf component installed in the cluster for orchestrating further deployment of Zarf based packages |
 | [MetalLB](https://github.com/defenseunicorns/uds-capability-metallb) | 0.0.5 | v0.13.12 | Tool for providing load balancer capabilities for ingress into a Kubernetes deployment |
-| [uds-core](https://github.com/defenseunicorns/uds-core) | 0.27.2 | N/A | [DESCRIPTION BELOW](#UDS-Core) |
+| [uds-core](https://github.com/defenseunicorns/uds-core) | 0.27.3 | N/A | [DESCRIPTION BELOW](#UDS-Core) |
 | [Valkey](https://github.com/defenseunicorns/uds-package-valkey) | v7.2.5-uds.2-upstream | 7.2.5 | A key-value store used as a data backend for several applications in the stack |
 | [Gitlab](https://github.com/defenseunicorns/uds-package-gitlab) | v17.1.2-uds.0-registry1 | 17.1.2 | A source control management tool used in the software development lifecycle for storing, updating, building and deploying custom software |
 | [Gitlab Runner](https://github.com/defenseunicorns/uds-package-gitlab-runner) | 17.0.0-uds.0-registry1 | v17.0.0 | A counterpart to Gitlab (above) in which automated software builds, tests and deployments are executed |
 | [Sonarqube](https://github.com/defenseunicorns/uds-package-sonarqube) | 10.6.0-uds.1-registry1 | 10.6.0-community | A code inspection tool used during automated pipelines to evaluate security considerations of custom software and packaged images |
 | [Jira](https://github.com/defenseunicorns/uds-package-jira) | 1.22.0-uds.0-registry1 | 10.0.1 | A collaboration tool used for team management and task organization |s
 | [Confluence](https://github.com/defenseunicorns/uds-package-confluence) | 1.20.0-uds.0-registry1 | 8.9.4 | A knowledge management tool used by teams to organize information |
 | [Mattermost](https://github.com/defenseunicorns/uds-package-mattermost) | 9.7.2-uds.0-registry1 | 9.7.2 | An instance of Mattermost, a self-hosted chat and collaboration platform |
-| [Nexus](https://github.com/defenseunicorns/uds-package-nexus) | 3.69.0-uds.0-registry1 | 3.69.0-02 | An artifact repository used for storing compiled application libraries, packages, images and other such artifacts |
+| [Nexus](https://github.com/defenseunicorns/uds-package-nexus) | 3.71.0-uds.1-registry1 | 3.71.0 | An artifact repository used for storing compiled application libraries, packages, images and other such artifacts |
 | [cert-manager](https://cert-manager.io/) | 0.0.1 | 1.14.5 | Tool for automating management of in-cluster certificates |
 | [trust-manager](https://cert-manager.io/docs/trust/trust-manager/) | 0.0.1 | v0.11.0 | Tool for automating creation and distribution of CA trust bundles |
 

packages/additional-manifests/pepr-policy-exemptions/eks-mgmt-exemptions.yaml

@@ -0,0 +1,54 @@
+apiVersion: uds.dev/v1alpha1
+kind: Exemption
+metadata:
+  name: eksa-system
+  namespace: uds-policy-exemptions
+spec:
+  exemptions:
+    - policies:
+        - DisallowHostNamespaces
+        - DisallowPrivileged
+        - DisallowSELinuxOptions
+        - DropAllCapabilities
+        - RequireNonRootUser
+        - RestrictCapabilities
+        - RestrictHostPathWrite
+        - RestrictHostPorts
+        - RestrictProcMount
+        - RestrictSeccomp
+        - RestrictSELinuxType
+        - RestrictVolumeTypes
+      matcher:
+        namespace: eksa-system
+        name: "^eks*"
+        kind: pod
+      title: "eksa exemptions"
+      description: "eksa requires elevated permissions"
+---
+
+apiVersion: uds.dev/v1alpha1
+kind: Exemption
+metadata:
+  name: capi-exemptions
+  namespace: uds-policy-exemptions
+spec:
+  exemptions:
+    - policies:
+        - DisallowHostNamespaces
+        - DisallowPrivileged
+        - DisallowSELinuxOptions
+        - DropAllCapabilities
+        - RequireNonRootUser
+        - RestrictCapabilities
+        - RestrictHostPathWrite
+        - RestrictHostPorts
+        - RestrictProcMount
+        - RestrictSeccomp
+        - RestrictSELinuxType
+        - RestrictVolumeTypes
+      matcher:
+        namespace: "^cap*"
+        name: "^cap*"
+        kind: pod
+      title: "capi exemptions"
+      description: "capi requires elevated permissions"

packages/additional-manifests/zarf.yaml

@@ -30,3 +30,4 @@ components:
           - pepr-policy-exemptions/nutanix-csi-exemptions.yaml
           - pepr-policy-exemptions/metallb-exemptions.yaml
           - pepr-policy-exemptions/gitlab-exemptions.yaml
+          - pepr-policy-exemptions/eks-mgmt-exemptions.yaml

packages/cert-manager/zarf.yaml

@@ -0,0 +1,27 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/defenseunicorns/zarf/main/zarf.schema.json
+kind: ZarfPackageConfig
+metadata:
+  name: cert-manager
+  description: "Cert manager service that is a prerequisite for deploying trust-manager"
+  version: "0.0.1"
+  architecture: amd64
+
+components:
+  - name: cert-manager-images
+    required: true
+    images:
+      - quay.io/jetstack/cert-manager-package-debian:20210119.0
+      - quay.io/jetstack/cert-manager-controller:v1.14.5
+      - quay.io/jetstack/cert-manager-webhook:v1.14.5
+      - quay.io/jetstack/cert-manager-cainjector:v1.14.5
+      - quay.io/jetstack/cert-manager-acmesolver:v1.14.5
+      - quay.io/jetstack/cert-manager-startupapicheck:v1.14.5
+  - name: cert-manager
+    required: true
+    charts:
+      - name: cert-manager
+        version: 1.14.5
+        namespace: cert-manager
+        url: https://charts.jetstack.io/
+        valuesFiles:
+          - values/cert-manager.yaml

packages/nutanix-csi/nutanix-volume.yaml

@@ -7,7 +7,7 @@ metadata:
     storageclass.kubernetes.io/is-default-class: "true"
 parameters: 
   csi.storage.k8s.io/fstype: xfs
-  hypervisorAttached: ENABLED
+  hypervisorAttached: ###ZARF_VAR_HYPERVISOR_ATTACHED###
   flashMode: DISABLED
   storageContainer: ###ZARF_VAR_STORAGE_CONTAINER###
   storageType: NutanixVolumes

packages/nutanix-csi/zarf.yaml

@@ -25,6 +25,9 @@ variables:
     description: "Password for prism user to use for Nutanix CSI driver."
   - name: STORAGE_CONTAINER
     description: "Name of Nutanix Storage Container for CSI driver to create volumes in."
+  - name: HYPERVISOR_ATTACHED
+    description: "Whether to use hypervisor_attached storage or not. Set to ENABLED to turn on."
+    default: "DISABLED"
 
 components:
   # Push nutanix csi images to seed-registry

packages/trust-manager/zarf.yaml

@@ -20,15 +20,9 @@ components:
   - name: trust-manager
     required: true
     charts:
-      - name: cert-manager
-        version: 1.14.5
-        namespace: cert-manager
-        url: https://charts.jetstack.io/
-        valuesFiles:
-          - values/cert-manager.yaml
       - name: trust-manager
         version: 0.11.0
-        namespace: cert-manager
+        namespace: trust-manager
         url: https://charts.jetstack.io/
         valuesFiles:
           - values/trust-manager.yaml

tasks.yaml

@@ -20,6 +20,7 @@ tasks:
       - task: create:object-store-packages
       - task: create:additional-manifests-package
       - task: create:nutanix-csi-package
+      - task: create:cert-manager-package
       - task: create:trust-manager-package
       - task: create:trust-bundles-package
       - task: create:bundle
@@ -43,6 +44,14 @@ tasks:
         with:
           config-dir: ./scratch/configs/test
 
+  - name: deploy-mgmt
+    description: Deploy Nexus and dependencies to eks mgmt cluster
+    actions:
+      - task: deploy:deploy-bundle
+        with:
+          config-dir: ./scratch/configs/mgmt
+          package-list: "-p init,nutanix-csi,trust-manager,trust-bundles,metallb,core,additional-manifests,nexus"
+
   - name: deploy-published-dev
     description: Deploy published oci bundle to dev cluster
     actions:
@@ -55,6 +64,14 @@ tasks:
         with:
           config_dir: ./scratch/configs/test
 
+  - name: deploy-published-mgmt
+    description: Deploy published oci bundle to mgmt cluster
+    actions:
+      - task: deploy:deploy-published
+        with:
+          config-dir: ./scratch/configs/mgmt
+          package-list: "-p init,nutanix-csi,trust-manager,trust-bundles,metallb,core,additional-manifests,nexus"
+
   #### Clean ####
   - name: clean
     actions:

tasks/create.yaml

@@ -44,6 +44,11 @@ tasks:
     actions:
       - cmd: ./uds zarf package create ./packages/nutanix-csi --confirm --no-progress --architecture=${ARCH} --skip-sbom --output ./build
 
+  - name: cert-manager-package
+    description: Create cert-manager package.
+    actions:
+      - cmd: ./uds zarf package create ./packages/cert-manager --confirm --no-progress --architecture=${ARCH} --skip-sbom --output ./build
+
   - name: trust-manager-package
     description: Create trust-manager package.
     actions:

tasks/deploy.yaml

@@ -4,7 +4,7 @@ variables:
     default: "amd64"
   - name: DEPLOY_IMAGE
     description: "Container image to use to run uds deploy in"
-    default: "ghcr.io/defenseunicorns/build-harness/build-harness:2.0.39"
+    default: "ghcr.io/defenseunicorns/build-harness/build-harness:2.0.40"
   - name: BUNDLE_VERSION
     description: "Version of the bundle to deploy"
     # x-release-please-start-version
@@ -26,14 +26,20 @@ tasks:
       config_dir:
         default: ./scratch/configs/dev
         description: Input for the path to the directory containing the uds-config.yaml to use for deploying the bundle
+      package-list:
+        default: ""
+        description: Input to specify packages that should be deployed from the bundle
     actions:
-      - cmd: docker run --rm -e ARCH=${ARCH} -e BUNDLE_VERSION=${BUNDLE_VERSION} -e UDS_CONFIG=/configs/uds-config.yaml -e KUBECONFIG=/configs/kubeconfig -v /tmp:/tmp -v ${INPUT_CONFIG_DIR}:/configs -v ${INPUT_BUILD_DIR}:/build ${DEPLOY_IMAGE} bash -c 'uds deploy /build/uds-bundle-software-factory-nutanix-${ARCH}-${BUNDLE_VERSION}.tar.zst --confirm'
+      - cmd: docker run --rm -e ARCH=${ARCH} -e BUNDLE_VERSION=${BUNDLE_VERSION} -e UDS_CONFIG=/configs/uds-config.yaml -e KUBECONFIG=/configs/kubeconfig -e PACKAGE_LIST="${INPUT_PACKAGE_LIST}" -v /tmp:/tmp -v ${INPUT_CONFIG_DIR}:/configs -v ${INPUT_BUILD_DIR}:/build ${DEPLOY_IMAGE} bash -c 'uds deploy /build/uds-bundle-software-factory-nutanix-${ARCH}-${BUNDLE_VERSION}.tar.zst ${PACKAGE_LIST} --confirm'
 
   - name: deploy-published
     description: Deploy published oci of bundle from ghcr
     inputs:
       config_dir:
         default: ./scratch/configs/dev
         description: Input for the path to the directory containing the uds-config.yaml to use for deploying the bundle
+      package-list:
+        default: ""
+        description: Input to specify packages that should be deployed from the bundle
     actions:
-      - cmd: docker run --rm -e BUNDLE_VERSION=${BUNDLE_VERSION} -e UDS_CONFIG=/configs/uds-config.yaml -e KUBECONFIG=/configs/kubeconfig -v /tmp:/tmp -v ${{ .inputs.config_dir }}:/configs ${DEPLOY_IMAGE} bash -c 'uds deploy oci://ghcr.io/defenseunicorns/uds-bundle/software-factory-nutanix:${BUNDLE_VERSION} --confirm'
+      - cmd: docker run --rm -e BUNDLE_VERSION=${BUNDLE_VERSION} -e UDS_CONFIG=/configs/uds-config.yaml -e KUBECONFIG=/configs/kubeconfig -e PACKAGE_LIST="${INPUT_PACKAGE_LIST}" -v /tmp:/tmp -v ${INPUT_CONFIG_DIR}:/configs ${DEPLOY_IMAGE} bash -c 'uds deploy oci://ghcr.io/defenseunicorns/uds-bundle/software-factory-nutanix:${BUNDLE_VERSION} ${PACKAGE_LIST} --confirm'