diff --git a/bundles/uds-core-swf/uds-bundle.yaml b/bundles/uds-core-swf/uds-bundle.yaml index 9489ab43..cefdff23 100644 --- a/bundles/uds-core-swf/uds-bundle.yaml +++ b/bundles/uds-core-swf/uds-bundle.yaml @@ -8,6 +8,22 @@ metadata: # x-release-please-end architecture: amd64 +x-extra-volume-mounts: &extra-volume-mounts + - name: trust-bundle + mountPath: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem + subPath: "ca-bundle.crt" + readOnly: true + - name: trust-bundle + mountPath: /etc/pki/ca-trust/extracted/java/cacerts + subPath: "ca-bundle.jks" + readOnly: true + +x-extra-volumes: &extra-volumes + - name: trust-bundle + configMap: + name: trust-bundle + defaultMode: 0644 + x-gitlab-init-security-context: &gitlab-init-security-context privileged: true readOnlyRootFilesystem: false @@ -38,6 +54,14 @@ packages: - name: software-factory-namespaces path: ../../build ref: 1.0.0 + + - name: trust-manager + path: ../../build + ref: 0.0.1 + + - name: trust-bundles + path: ../../build + ref: 0.0.1 # MetalLB - name: metallb @@ -50,6 +74,11 @@ packages: overrides: grafana: grafana: + values: + - path: extraVolumes + value: *extra-volumes + - path: extraVolumeMounts + value: *extra-volume-mounts variables: - name: GRAFANA_RESOURCE_CONFIG path: resources 
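Review bot: The two `subPath` mounts in `x-extra-volume-mounts` pin a single key of the `trust-bundle` ConfigMap, and Kubernetes does not refresh subPath-mounted files when the ConfigMap changes, so once trust-manager re-syncs the bundle (a rotated or newly added CA) every consuming pod keeps the stale PEM/JKS until it restarts; the same applies wherever `*extra-volume-mounts` is aliased in this file (the grafana, keycloak, loki, gitlab-runner and nexus overrides). If stale trust until restart is acceptable, record it next to the anchor, e.g. `# NOTE: subPath mounts are not refreshed on ConfigMap change; pods must restart to pick up a new bundle`; otherwise mount the ConfigMap as a directory and point the applications at that path. Both target paths are the RHEL/UBI trust-store locations, so the mounts only take effect in images with that layout, which is worth stating in the same comment. Minor: `defaultMode: 0644` relies on leading-zero octal parsing; `0o644` (or decimal `420`) states the intent in YAML 1.2 terms.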
@@ -179,20 +208,27 @@ packages: includedNamespaces: - gitlab ttl: "240h" + - path: extraVolumes + value: *extra-volumes + - path: extraVolumeMounts + value: *extra-volume-mounts keycloak: keycloak: values: - # TODO - test/debug - # - path: "devMode" - # value: "false" - # - path: "autoscaling.enabled" - # value: "true" + - path: "devMode" + value: "false" + - path: "autoscaling.enabled" + value: "false" - path: "persistence.providers.enabled" value: "true" - path: "persistence.accessMode" value: "ReadWriteMany" - path: "persistence.storageClassName" value: "nutanix-dynamicfile" + - path: extraVolumes + value: *extra-volumes + - path: extraVolumeMounts + value: *extra-volume-mounts variables: - name: KEYCLOAK_DB_USERNAME description: "keycloak database username" @@ -229,6 +265,22 @@ packages: # Override default dns service name for Loki Gateway - path: "global.dnsService" value: "rke2-coredns-rke2-coredns" + - path: backend.extraVolumes + value: *extra-volumes + - path: backend.extraVolumeMounts + value: *extra-volume-mounts + - path: gateway.extraVolumes + value: *extra-volumes + - path: gateway.extraVolumeMounts + value: *extra-volume-mounts + - path: write.extraVolumes + value: *extra-volumes + - path: write.extraVolumeMounts + value: *extra-volume-mounts + - path: read.extraVolumes + value: *extra-volumes + - path: read.extraVolumeMounts + value: *extra-volume-mounts variables: - name: LOKI_CHUNKS_BUCKET description: "The object storage bucket for Loki chunks" @@ -383,7 +435,9 @@ packages: values: - path: global.certificates.customCAs value: - - secret: ca-secret + - configMap: trust-bundle + keys: + - ca-bundle.crt - path: gitlab.webservice.init.containerSecurityContext value: *gitlab-init-security-context - path: gitlab.toolbox.init.containerSecurityContext 
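Review bot: The newly enabled `devMode` and `autoscaling.enabled` overrides carry quoted strings (`value: "false"`), and if uds-cli passes override values through with their YAML type, a Go-template test such as `if .Values.devMode` treats a non-empty string as true, so the override would not actually turn dev mode off. The pre-existing `persistence.*` entries use the same quoting, so this may be the file's convention, but dev mode is a security-relevant setting and the rendered Keycloak values are worth checking; if the consumer accepts booleans, `value: false` removes the ambiguity. The subPath-refresh caveat raised on the `x-extra-volume-mounts` definition applies to the `extraVolumeMounts` entries added here as well; the enclosing `packages` list begins before this hunk.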
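Review bot: `global.certificates.customCAs` now reads `ca-bundle.crt` from a `trust-bundle` ConfigMap in the gitlab namespace, which only exists after trust-manager has matched that namespace through the Bundle's `app.kubernetes.io/managed-by: zarf` selector; if the gitlab namespace is created by the chart or by the namespaces package without that label, pods mounting the ConfigMap will sit in ContainerCreating. Confirm the label is present on the gitlab namespace (and on every namespace that aliases the trust-bundle volume) and record the dependency here, e.g. `# requires the trust-bundle ConfigMap synced by trust-manager (namespace must carry app.kubernetes.io/managed-by=zarf)`. The old `ca-secret` Secret is deleted for both gitlab and mattermost in this commit, but no mattermost override changes appear in the diff, so confirm nothing in the mattermost namespace still references `ca-secret`. The gitlab package entry begins before this hunk.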
@@ -445,7 +499,15 @@ packages: - name: gitlab-runner repository: ghcr.io/defenseunicorns/packages/uds/gitlab-runner ref: 17.0.0-uds.0-registry1 - + overrides: + gitlab-runner: + gitlab-runner: + values: + - path: volumes + value: *extra-volumes + - path: volumeMounts + value: *extra-volume-mounts + ### TODO - uncomment to replace functionality post MVP # # Sonarqube @@ -619,10 +681,14 @@ packages: value: - host: nexus-docker.${DOMAIN} port: 5000 + - path: deployment.additionalVolumes + value: *extra-volumes + - path: deployment.additionalVolumeMounts + value: *extra-volume-mounts uds-nexus-config: variables: - - path: "sso.enabled" - name: NEXUS_SSO_ENABLED + - name: NEXUS_SSO_ENABLED + path: "sso.enabled" values: - path: additionalNetworkExposures value: diff --git a/packages/additional-manifests/gitlab/ca-secret.yaml b/packages/additional-manifests/gitlab/ca-secret.yaml deleted file mode 100644 index a7ca2a1b..00000000 --- a/packages/additional-manifests/gitlab/ca-secret.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: ca-secret - namespace: gitlab -type: kubernetes.io/opaque -data: - ca.crt: "###ZARF_VAR_ADDITIONAL_CA_CHAIN###" \ No newline at end of file diff --git a/packages/additional-manifests/mattermost/ca-secret.yaml b/packages/additional-manifests/mattermost/ca-secret.yaml deleted file mode 100644 index c5afdc87..00000000 --- a/packages/additional-manifests/mattermost/ca-secret.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: ca-secret - namespace: mattermost -type: kubernetes.io/opaque -data: - ca.crt: "###ZARF_VAR_ADDITIONAL_CA_CHAIN###" diff --git a/packages/additional-manifests/zarf.yaml b/packages/additional-manifests/zarf.yaml index c1a2f081..430065df 100644 --- a/packages/additional-manifests/zarf.yaml +++ b/packages/additional-manifests/zarf.yaml 
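Review bot: The new `volumes`/`volumeMounts` override mounts the trust bundle into the gitlab-runner manager pod only; CI job pods are created by the runner from its executor configuration, so if pipeline jobs are also meant to trust the custom CA, that needs the runner's Kubernetes executor volume settings rather than (or in addition to) this override. Whichever is intended, a comment would save the next reader the same question, e.g. `# trust bundle for the runner manager pod; job pods are configured through the executor config`. The subPath-refresh caveat from the `x-extra-volume-mounts` definition applies here too.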
@@ -10,8 +10,6 @@ variables: - name: DOMAIN description: "Domain to be used in VS hosts and gateway config" default: "mtsi.bigbang.dev" - - name: ADDITIONAL_CA_CHAIN - description: "Additional CA chain" components: - name: gitlab-additional-manifests @@ -24,7 +22,6 @@ components: - gitlab/gitlab-ssh-networkpolicies.yaml - gitlab/gitlab-ssh-gateway.yaml - gitlab/envoy-filter.yaml - - gitlab/ca-secret.yaml - name: pepr-policy-exemptions required: true manifests: @@ -33,9 +30,3 @@ components: - pepr-policy-exemptions/nutanix-csi-exemptions.yaml - pepr-policy-exemptions/metallb-exemptions.yaml - pepr-policy-exemptions/gitlab-exemptions.yaml - - name: mattermost-ca-secret - required: true - manifests: - - name: mattermost-ca-secret - files: - - mattermost/ca-secret.yaml diff --git a/packages/namespaces/values.yaml b/packages/namespaces/values.yaml index bd145d7d..66e965e6 100644 --- a/packages/namespaces/values.yaml +++ b/packages/namespaces/values.yaml @@ -33,3 +33,4 @@ namespaces: - name: keycloak labels: istio-injection: enabled + - name: cert-manager diff --git a/packages/trust-bundles/ca-secret.yaml b/packages/trust-bundles/ca-secret.yaml new file mode 100644 index 00000000..04dd54c2 --- /dev/null +++ b/packages/trust-bundles/ca-secret.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +kind: Secret +metadata: + name: ca-chain + namespace: cert-manager +type: kubernetes.io/opaque +data: + chain.crt: "###ZARF_VAR_ADDITIONAL_CA_CHAIN###" diff --git a/packages/trust-bundles/trust-bundle.yaml b/packages/trust-bundles/trust-bundle.yaml new file mode 100644 index 00000000..a7a9b75f --- /dev/null +++ b/packages/trust-bundles/trust-bundle.yaml 
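Review bot: The new `cert-manager` namespace entry carries no `labels` block, unlike the `keycloak` entry just above it with `istio-injection: enabled`; if keeping cert-manager and trust-manager out of the mesh is deliberate (their admission webhooks are often excluded), a comment saying so stops a later reader from "fixing" it, e.g. `# intentionally not istio-injected: cert-manager/trust-manager webhooks`. If it is an oversight, the entry should match its siblings. The `namespaces` list begins before this hunk.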
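Review bot: `type: kubernetes.io/opaque` is not a built-in Secret type (the generic built-in type is `Opaque`); the API server stores it as a custom type string, but tooling that filters on `Opaque` will not recognise it, so `type: Opaque` is the safer spelling — the value was carried over from the deleted gitlab and mattermost manifests. The `data:` field requires base64, so `###ZARF_VAR_ADDITIONAL_CA_CHAIN###` has to be supplied already base64-encoded; a comment on the key, e.g. `# must be a base64-encoded PEM bundle (Secret data, not stringData)`, makes that contract visible where it is consumed.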
@@ -0,0 +1,30 @@
+apiVersion: trust.cert-manager.io/v1alpha1
+kind: Bundle
+metadata:
+ name: trust-bundle # The bundle name will also be used for the target
+spec:
+ sources:
+ # Include a bundle of publicly trusted certificates which can be
+ # used to validate most TLS certificates on the internet, such as
+ # those issued by Let's Encrypt, Google, Amazon and others.
+ - useDefaultCAs: true
+
+ # Custom CA chain provided via zarf variable
+ - secret:
+ name: "ca-chain"
+ key: "chain.crt"
+
+ target:
+ # Sync the bundle to a ConfigMap called `trust-bundle` in every namespace which
+ # has the label "app.kubernetes.io/managed-by=zarf"
+ # All ConfigMaps will include a PEM-formatted bundle, here named "ca-bundle.crt"
+ # and in this case we also request a binary formatted bundles in JKS format,
+ # here named "ca-bundle.jks".
+ configMap:
+ key: "ca-bundle.crt"
+ additionalFormats:
+ jks:
+ key: "ca-bundle.jks"
+ namespaceSelector:
+ matchLabels:
+ app.kubernetes.io/managed-by: "zarf"
diff --git a/packages/trust-bundles/zarf.yaml b/packages/trust-bundles/zarf.yaml
new file mode 100644
index 00000000..fbeb2923
--- /dev/null
+++ b/packages/trust-bundles/zarf.yaml
@@ -0,0 +1,29 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/defenseunicorns/zarf/main/zarf.schema.json
+kind: ZarfPackageConfig
+metadata:
+ name: trust-bundles
+ description: "Configures ca trust bundles used by trust-manager to enable services to trust custom CAs"
+ architecture: "amd64"
+ version: "0.0.1"
+
+variables:
+ - name: ADDITIONAL_CA_CHAIN
+ description: "Additional CA chain"
+
+components:
+ # Create secret containing custom CA Chain
+ - name: ca-chain
+ required: true
+ manifests:
+ - name: ca-chain
+ namespace: cert-manager
+ files:
+ - ca-secret.yaml
+ # Create trust-manager bundle containing public CAs and custom CA chain
+ - name: trust-bundle
+ required: true
+ manifests:
+ - name: trust-bundle
+ namespace: cert-manager
+ files:
+ - trust-bundle.yaml
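Review bot: `useDefaultCAs: true` together with the bundle overrides that mount this ConfigMap over the system `tls-ca-bundle.pem` means every consuming pod's public roots become whatever trust-manager's default CA package ships rather than the image's own store, so the comment promising the bundle "can be used to validate most TLS certificates on the internet" holds only as long as the package image pinned in the trust-manager zarf package is kept current; the comment should name that dependency, e.g. `# public roots come from trust-manager's default package image pinned in packages/trust-manager; keep it current`. trust-manager reads Secret sources only from its configured trust namespace, which is `cert-manager` here and matches where `ca-chain` is created; a one-line comment on the `secret` source recording that constraint would help anyone who later moves the Secret.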
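Review bot: The `ADDITIONAL_CA_CHAIN` description `"Additional CA chain"` does not say what format the value must take, yet `ca-secret.yaml` substitutes it straight into a Secret's `data:` field, so it must already be base64-encoded PEM; proposed `description: "Base64-encoded PEM bundle of additional CA certificates to trust (inserted into Secret data)"`. The `trust-bundle` component also depends on the Bundle CRD installed by the separate trust-manager package, which nothing in this file states; a comment at the top of `components` such as `# requires the trust-manager package (Bundle CRD) to be deployed first` records the ordering the bundle relies on.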
diff --git a/packages/trust-manager/values/cert-manager.yaml b/packages/trust-manager/values/cert-manager.yaml
new file mode 100644
index 00000000..77d4eeab
--- /dev/null
+++ b/packages/trust-manager/values/cert-manager.yaml
@@ -0,0 +1,4 @@
+global:
+ imagePullSecrets:
+ - name: "private-registry"
+installCRDs: true
diff --git a/packages/trust-manager/values/trust-manager.yaml b/packages/trust-manager/values/trust-manager.yaml
new file mode 100644
index 00000000..bf7e2fbe
--- /dev/null
+++ b/packages/trust-manager/values/trust-manager.yaml
@@ -0,0 +1,2 @@
+imagePullSecrets:
+ - name: "private-registry"
diff --git a/packages/trust-manager/zarf.yaml b/packages/trust-manager/zarf.yaml
new file mode 100644
index 00000000..f19d699d
--- /dev/null
+++ b/packages/trust-manager/zarf.yaml
@@ -0,0 +1,34 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/defenseunicorns/zarf/main/zarf.schema.json
+kind: ZarfPackageConfig
+metadata:
+ name: trust-manager
+ description: "Trust manager service for distributing trusted CA bundles to other namespaces"
+ version: "0.0.1"
+ architecture: amd64
+
+components:
+ - name: trust-manager-images
+ required: true
+ images:
+ - quay.io/jetstack/trust-manager:v0.11.0
+ - quay.io/jetstack/cert-manager-package-debian:20210119.0
+ - quay.io/jetstack/cert-manager-controller:v1.14.5
+ - quay.io/jetstack/cert-manager-webhook:v1.14.5
+ - quay.io/jetstack/cert-manager-cainjector:v1.14.5
+ - quay.io/jetstack/cert-manager-acmesolver:v1.14.5
+ - quay.io/jetstack/cert-manager-startupapicheck:v1.14.5
+ - name: trust-manager
+ required: true
+ charts:
+ - name: cert-manager
+ version: 1.14.5
+ namespace: cert-manager
+ url: https://charts.jetstack.io/
+ valuesFiles:
+ - values/cert-manager.yaml
+ - name: trust-manager
+ version: 0.11.0
+ namespace: cert-manager
+ url: https://charts.jetstack.io/
+ valuesFiles:
+ - values/trust-manager.yaml
diff --git a/tasks.yaml b/tasks.yaml
index ec94f547..8bc096e8 100644
--- a/tasks.yaml
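Review bot: `quay.io/jetstack/cert-manager-package-debian:20210119.0` is the image trust-manager serves for `useDefaultCAs` sources, and its tag reads as a January 2021 snapshot of the Debian CA store; because the trust-bundles Bundle is mounted over the system CA bundle in consuming pods, those pods end up trusting a 2021-era public root set (missing roots added since, keeping roots removed since). Pin a current tag of that package, keep it in step with the chart's default package image setting, and document the coupling, e.g. `# default public CA package consumed by Bundle sources with useDefaultCAs; refresh on each trust-manager upgrade`. Pinning images and charts by tag/version is acceptable here since Zarf freezes them into the package at create time.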
+++ b/tasks.yaml @@ -1,5 +1,6 @@ includes: - create: ./tasks/create.yaml + - deploy: ./tasks/deploy.yaml tasks: ################ @@ -15,7 +16,28 @@ tasks: - task: create:object-store-packages - task: create:additional-manifests-package - task: create:init-package + - task: create:trust-manager-package + - task: create:trust-bundles-package - task: create:bundle + ################ + # Deploy + ################ + - name: uds-version + description: Check version of UDS being used to deploy + actions: + - task: deploy:uds-version + + - name: deploy-dev + description: Deploy bundle to dev cluster + actions: + - task: deploy:deploy-bundle + + - name: deploy-test + description: Deploy bundle to test cluster + actions: + - task: deploy:deploy-bundle + with: + config-dir: ./scratch/configs/test #### Clean #### - name: clean diff --git a/tasks/create.yaml b/tasks/create.yaml index 6fc40b56..2ebfb4ff 100644 --- a/tasks/create.yaml +++ b/tasks/create.yaml @@ -55,3 +55,13 @@ tasks: description: Create init package with Nutanix CSI driver. actions: - cmd: ZARF_CONFIG=./packages/init/zarf-config.yaml ./uds zarf package create ./packages/init --set AGENT_IMAGE_TAG=$(uds zarf version) --confirm --no-progress --architecture=${ARCH} --skip-sbom --output ./build + + - name: trust-manager-package + description: Create trust-manager package. + actions: + - cmd: ./uds zarf package create ./packages/trust-manager --confirm --no-progress --architecture=${ARCH} --skip-sbom --output ./build + + - name: trust-bundles-package + description: Create trust-bundle package for adding custom CAs. + actions: + - cmd: ./uds zarf package create ./packages/trust-bundles --confirm --no-progress --architecture=${ARCH} --skip-sbom --output ./build diff --git a/tasks/deploy.yaml b/tasks/deploy.yaml new file mode 100644 index 00000000..f9567bed --- /dev/null +++ b/tasks/deploy.yaml 
@@ -0,0 +1,29 @@
+variables:
+ - name: ARCH
+ description: "What architecture to use"
+ default: "amd64"
+ - name: DEPLOY_IMAGE
+ description: "Container image to use to run uds deploy in"
+ default: "ghcr.io/defenseunicorns/build-harness/build-harness:2.0.28"
+ - name: BUNDLE_VERSION
+ description: "Version of the bundle to deploy"
+ # TODO - add release-please support
+ default: "0.2.16"
+
+tasks:
+ - name: uds-version
+ description: Check the UDS version in the build harness being used
+ actions:
+ - cmd: docker run --rm ${DEPLOY_IMAGE} bash -c 'uds version'
+
+ - name: deploy-bundle
+ description: Deploy bundle based on configured input build and config directories
+ inputs:
+ build-dir:
+ default: ./build
+ description: Input for the path to the build directory containing the uds bundle to deploy
+ config-dir:
+ default: ./scratch/configs/dev
+ description: Input for the path to the directory containing the uds-config.yaml to use for deploying the bundle
+ actions:
+ - cmd: docker run --rm -e ARCH=${ARCH} -e BUNDLE_VERSION=${BUNDLE_VERSION} -e UDS_CONFIG=/configs/uds-config.yaml -e KUBECONFIG=/configs/kubeconfig -v /tmp:/tmp -v ${INPUT_CONFIG_DIR}:/configs -v ${INPUT_BUILD_DIR}:/build ${DEPLOY_IMAGE} bash -c 'uds deploy /build/uds-bundle-software-factory-nutanix-${ARCH}-${BUNDLE_VERSION}.tar.zst --confirm'
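Review bot: `deploy-bundle` gives the deploy container the cluster credentials (`-e KUBECONFIG=/configs/kubeconfig` from the mounted config dir) while `DEPLOY_IMAGE` is chosen by a mutable tag, `build-harness:2.0.28`; for a container that runs with cluster credentials the usual bar is a digest pin (`image@sha256:<digest-placeholder>`), or a comment on the variable saying why a tag is acceptable. The host-wide `-v /tmp:/tmp` bind is not explained by anything in the command; if uds needs scratch space, a narrower path or a comment stating why host `/tmp` must be shared, e.g. `# /tmp shared with host: <reason>`, would help. The `config-dir` input description mentions only `uds-config.yaml`, but the command also expects `kubeconfig` in that directory; suggest `description: Path to the directory containing the uds-config.yaml and kubeconfig used to deploy the bundle`.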