From 67f70cd570d42a1a919e80b2306930e251e2cb58 Mon Sep 17 00:00:00 2001 From: Jacob May Date: Tue, 4 Jun 2024 20:46:11 +0000 Subject: [PATCH 01/17] Add trust-manager and configure services to mount custom CA-bundles over OS cert bundles --- bundles/uds-core-swf/uds-bundle.yaml | 71 ++++++++++++++++++- .../gitlab/ca-secret.yaml | 8 --- packages/additional-manifests/zarf.yaml | 15 ++-- packages/namespaces/values.yaml | 1 + packages/trust-bundle/ca-secret.yaml | 8 +++ packages/trust-bundle/trust-bundle.yaml | 30 ++++++++ packages/trust-bundle/zarf.yaml | 32 +++++++++ .../trustmanager/values/cert-manager.yaml | 1 + packages/trustmanager/zarf.yaml | 22 ++++++ 9 files changed, 170 insertions(+), 18 deletions(-) delete mode 100644 packages/additional-manifests/gitlab/ca-secret.yaml create mode 100644 packages/trust-bundle/ca-secret.yaml create mode 100644 packages/trust-bundle/trust-bundle.yaml create mode 100644 packages/trust-bundle/zarf.yaml create mode 100644 packages/trustmanager/values/cert-manager.yaml create mode 100644 packages/trustmanager/zarf.yaml diff --git a/bundles/uds-core-swf/uds-bundle.yaml b/bundles/uds-core-swf/uds-bundle.yaml index 228edd40..7101d09b 100644 --- a/bundles/uds-core-swf/uds-bundle.yaml +++ b/bundles/uds-core-swf/uds-bundle.yaml @@ -34,6 +34,14 @@ packages: path: ../../build ref: 1.0.0 + - name: trust-manager + path: ../../build + ref: 0.0.1 + + - name: trust-bundle + path: ../../build + ref: 0.0.1 + # MetalLB - name: metallb repository: ghcr.io/defenseunicorns/packages/metallb 
@@ -54,6 +62,25 @@ packages: requests: cpu: 20m memory: 128Mi + grafana: + grafana: + # Remove if extra_volumes works + # values: + # - path: global.extraSecretMounts + # value: + # - name: additional-ca-certs + # # path from example configmap mount + # # mountPath: /etc/grafana/ssl/ + # # actual path for ubi9 + # mountPath: /etc/pki/tls/certs/ + # subpath: "ca-bundle.crt" + # secretName: ca-secret + # readOnly: true + variables: + - name: EXTRA_VOLUMES + path: extraVolumes + - name: EXTRA_VOLUME_MOUNTS + path: extraVolumeMounts velero: velero: values: @@ -141,6 +168,14 @@ packages: includedNamespaces: - gitlab ttl: "240h" + variables: + - name: EXTRA_VOLUMES + path: extraVolumes + - name: EXTRA_VOLUME_MOUNTS + path: extraVolumeMounts + # TODO: remove if not needed. Trying to updated trusted certs via container host first + # - name: BACKUP_STORAGE_LOCATION + # description: "Configuration for velero backup storage." keycloak: keycloak: values: @@ -175,6 +210,10 @@ packages: - name: KEYCLOAK_INSECURE_ADMIN_PASSWORD_GENERATION description: "Generate an insecure admin password for dev/test" path: insecureAdminPasswordGeneration.enabled + - name: EXTRA_VOLUMES + path: extraVolumes + - name: EXTRA_VOLUME_MOUNTS + path: extraVolumeMounts loki: loki: values: @@ -206,6 +245,17 @@ packages: - name: LOKI_S3_SECRET_ACCESS_KEY path: loki.storage.s3.secretAccessKey description: "The S3 Secret Access Key" + # Remove if extra_volumes works and S3 CA doesn't explicitly need set + # - name: LOKI_TLS_CERT_PATH + # path: loki.storage.s3.http_config.ca_file + # description: "CA chain to trust for connections S3 buckets" + # default: "/etc/ssl/certs/ca.crt" + - name: EXTRA_VOLUMES + path: loki.backend.extraVolumes + description: "CA chain to trust for connections S3 buckets" + - name: EXTRA_VOLUME_MOUNTS + path: loki.backend.extraVolumeMounts + description: "CA chain to trust for connections S3 buckets" - name: LOKI_WRITE_REPLICAS path: write.replicas description: "Loki write replicas" 
@@ -311,7 +361,9 @@ packages: values: - path: global.certificates.customCAs value: - - secret: ca-secret + - configMap: trust-bundle + keys: + - ca-bundle.crt variables: - name: MIGRATIONS_RESOURCES description: "Gitlab Migrations Resources" @@ -354,6 +406,15 @@ packages: - name: gitlab-runner repository: ghcr.io/defenseunicorns/packages/uds/gitlab-runner ref: 16.11.0-uds.0-registry1 + overrides: + gitlab-runner: + gitlab-runner: + variables: + # This is likely not enough for gitlab runner jobs to trust custom CAs and is only mounting the certs for gitlab runner itself + - name: EXTRA_VOLUMES + path: volumes + - name: EXTRA_VOLUME_MOUNTS + path: volumeMounts ### TODO - uncomment to replace functionality post MVP @@ -465,3 +526,11 @@ packages: - name: nexus repository: ghcr.io/defenseunicorns/packages/uds/nexus ref: 3.66.0-uds.1-registry1 + overrides: + nexus: + nexus: + variables: + - name: EXTRA_VOLUMES + path: deployment.additionalVolumes + - name: EXTRA_VOLUME_MOUNTS + path: deployment.additionalVolumeMounts diff --git a/packages/additional-manifests/gitlab/ca-secret.yaml b/packages/additional-manifests/gitlab/ca-secret.yaml deleted file mode 100644 index a7ca2a1b..00000000 --- a/packages/additional-manifests/gitlab/ca-secret.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: ca-secret - namespace: gitlab -type: kubernetes.io/opaque -data: - ca.crt: "###ZARF_VAR_ADDITIONAL_CA_CHAIN###" \ No newline at end of file diff --git a/packages/additional-manifests/zarf.yaml b/packages/additional-manifests/zarf.yaml index 04b40b71..34833b30 100644 --- a/packages/additional-manifests/zarf.yaml +++ b/packages/additional-manifests/zarf.yaml @@ -10,8 +10,6 @@ variables: - name: DOMAIN description: "Domain to be used in VS hosts and gateway config" default: "mtsi.bigbang.dev" - - name: ADDITIONAL_CA_CHAIN - description: "Additional CA chain" components: - name: gitlab-additional-manifests 
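Review bot: `global.certificates.customCAs` now reads a `trust-bundle` ConfigMap that only exists in the gitlab namespace if trust-manager syncs it there, and the Bundle's `namespaceSelector` in this patch's trust-bundle.yaml matches only namespaces labeled `app.kubernetes.io/managed-by: zarf`. If the gitlab namespace is created by the namespaces package's own Namespace objects rather than by Zarf, that label may be absent and the gitlab pods fail on a missing ConfigMap instead of falling back to the OS store; every `EXTRA_VOLUMES` mount added in this patch has the same dependency. Either label the Namespace objects in packages/namespaces accordingly or record the requirement next to the selector, e.g. `# Consumer namespaces must carry app.kubernetes.io/managed-by=zarf or the ConfigMap is never synced`.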
@@ -24,7 +22,6 @@ components: - gitlab/gitlab-ssh-networkpolicies.yaml - gitlab/gitlab-ssh-gateway.yaml - gitlab/envoy-filter.yaml - - gitlab/ca-secret.yaml - name: pepr-policy-exemptions required: true manifests: @@ -33,9 +30,9 @@ components: # TODO -- see README for details # - pepr-policy-exemptions/nutanix-csi-exemptions.yaml - pepr-policy-exemptions/metallb-exemptions.yaml - - name: mattermost-ca-secret - required: true - manifests: - - name: mattermost-ca-secret - files: - - mattermost/ca-secret.yaml + # - name: mattermost-ca-secret + # required: true + # manifests: + # - name: mattermost-ca-secret + # files: + # - mattermost/ca-secret.yaml diff --git a/packages/namespaces/values.yaml b/packages/namespaces/values.yaml index bd145d7d..66e965e6 100644 --- a/packages/namespaces/values.yaml +++ b/packages/namespaces/values.yaml @@ -33,3 +33,4 @@ namespaces: - name: keycloak labels: istio-injection: enabled + - name: cert-manager diff --git a/packages/trust-bundle/ca-secret.yaml b/packages/trust-bundle/ca-secret.yaml new file mode 100644 index 00000000..04dd54c2 --- /dev/null +++ b/packages/trust-bundle/ca-secret.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +kind: Secret +metadata: + name: ca-chain + namespace: cert-manager +type: kubernetes.io/opaque +data: + chain.crt: "###ZARF_VAR_ADDITIONAL_CA_CHAIN###" diff --git a/packages/trust-bundle/trust-bundle.yaml b/packages/trust-bundle/trust-bundle.yaml new file mode 100644 index 00000000..6948df53 --- /dev/null +++ b/packages/trust-bundle/trust-bundle.yaml 
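Review bot: In the new packages/trust-bundle/ca-secret.yaml, `chain.crt` sits under `data:`, so `###ZARF_VAR_ADDITIONAL_CA_CHAIN###` must already be base64-encoded PEM; nothing on the page says so, and a raw PEM value is rejected by the API server while an unset variable presumably leaves an empty or literal placeholder value in the Secret. State it where the variable is declared in packages/trust-bundle/zarf.yaml, `description: "Additional CA chain as base64-encoded PEM (stored under Secret data)"`, or use `stringData:` and accept plain PEM. Separately, `type: kubernetes.io/opaque` is carried over from the deleted gitlab secret but is not the canonical `Opaque`; the API accepts arbitrary type strings, yet tooling that special-cases `Opaque` will not recognise it.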
@@ -0,0 +1,30 @@ +apiVersion: trust.cert-manager.io/v1alpha1 +kind: Bundle +metadata: + name: trust-bundle # The bundle name will also be used for the target +spec: + sources: + # Include a bundle of publicly trusted certificates which can be + # used to validate most TLS certificates on the internet, such as + # those issued by Let's Encrypt, Google, Amazon and others. + - useDefaultCAs: true + + # Custom CA chain provided via zarf variable + - secret: + name: "ca-chain" + key: "chain.crt" + + target: + # Sync the bundle to a ConfigMap called `trust-bundle` in every namespace which + # has the label "app.kubernetes.io/managed-by=zarf" + # All ConfigMaps will include a PEM-formatted bundle, here named "ca-bundle.crt" + # and in this case we also request a binary formatted bundles in JKS format, + # here named "ca-bundle.jks". + configMap: + key: "ca-bundle.crt" + additionalFormats: + jks: + key: "ca-bundle.jks" + namespaceSelector: + matchLabels: + app.kubernetes.io/managed-by: "zarf" \ No newline at end of file diff --git a/packages/trust-bundle/zarf.yaml b/packages/trust-bundle/zarf.yaml new file mode 100644 index 00000000..21896594 --- /dev/null +++ b/packages/trust-bundle/zarf.yaml 
@@ -0,0 +1,32 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/defenseunicorns/zarf/main/zarf.schema.json +kind: ZarfPackageConfig +metadata: + name: trust-bundles + description: "Configures ca trust bundles used by trust-manager to enable services to trust custom CAs" + architecture: "amd64" + version: "0.0.1" + +variables: + - name: DOMAIN + description: "Domain to be used in VS hosts and gateway config" + default: "mtsi.bigbang.dev" + - name: ADDITIONAL_CA_CHAIN + description: "Additional CA chain" + +components: + # Create secret containing custom CA Chain + - name: ca-chain + required: true + manifests: + - name: ca-chain + namespace: cert-manager + files: + - ca-secret.yaml + # Create trust-manager bundle containing public CAs and custom CA chain + - name: trust-bundle + required: true + manifests: + - name: trust-bundle + namespace: cert-manager + files: + - trust-bundle.yaml diff --git a/packages/trustmanager/values/cert-manager.yaml b/packages/trustmanager/values/cert-manager.yaml new file mode 100644 index 00000000..4f8465ac --- /dev/null +++ b/packages/trustmanager/values/cert-manager.yaml @@ -0,0 +1 @@ +installCRDs: true \ No newline at end of file diff --git a/packages/trustmanager/zarf.yaml b/packages/trustmanager/zarf.yaml new file mode 100644 index 00000000..01ad386d --- /dev/null +++ b/packages/trustmanager/zarf.yaml 
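Review bot: The `DOMAIN` variable with default `mtsi.bigbang.dev` is declared in this package but neither ca-secret.yaml nor trust-bundle.yaml references it; it appears copied from packages/additional-manifests/zarf.yaml. Dropping it keeps the package's declared inputs to exactly the CA chain, which makes it obvious to an operator what this package consumes and avoids a stray domain default riding along with the trust roots.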
@@ -0,0 +1,22 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/defenseunicorns/zarf/main/zarf.schema.json +kind: ZarfPackageConfig +metadata: + name: trust-manager + description: "Trust manager service for distributing trusted CA bundles to other namespaces" + version: "0.0.1" + architecture: amd64 + +components: + - name: trust-manager + required: true + charts: + - name: cert-manager + version: 1.14.5 + namespace: cert-manager + url: https://charts.jetstack.io/ + valuesFiles: + - values/cert-manager.yaml + - name: trust-manager + version: 0.11.0 + namespace: cert-manager + url: https://charts.jetstack.io/ From f9dd9c47ca6903b6ff9aa609049142425e0fd941 Mon Sep 17 00:00:00 2001 From: Jacob May Date: Tue, 4 Jun 2024 21:17:01 +0000 Subject: [PATCH 02/17] Add cert/trustmanager images component and imagepullsecrets to values --- packages/trustmanager/values/cert-manager.yaml | 6 +++++- packages/trustmanager/values/trust-manager.yaml | 2 ++ packages/trustmanager/zarf.yaml | 10 ++++++++++ 3 files changed, 17 insertions(+), 1 deletion(-) create mode 100644 packages/trustmanager/values/trust-manager.yaml diff --git a/packages/trustmanager/values/cert-manager.yaml b/packages/trustmanager/values/cert-manager.yaml index 4f8465ac..db03563f 100644 --- a/packages/trustmanager/values/cert-manager.yaml +++ b/packages/trustmanager/values/cert-manager.yaml @@ -1 +1,5 @@ -installCRDs: true \ No newline at end of file +global: + imagePullSecrets: + - name: "private-registry" +crds: + enabled: true diff --git a/packages/trustmanager/values/trust-manager.yaml b/packages/trustmanager/values/trust-manager.yaml new file mode 100644 index 00000000..eea62550 --- /dev/null +++ b/packages/trustmanager/values/trust-manager.yaml @@ -0,0 +1,2 @@ +imagePullSecrets: + - name: "private-registry" \ No newline at end of file diff --git a/packages/trustmanager/zarf.yaml b/packages/trustmanager/zarf.yaml index 01ad386d..1c6e0d3d 100644 --- a/packages/trustmanager/zarf.yaml 
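Review bot: `crds.enabled: true` replaces `installCRDs: true` in values/cert-manager.yaml, but to my knowledge the `crds.enabled`/`crds.keep` values only arrived with cert-manager chart 1.15, while this package pins chart `1.14.5`, so the CRDs would silently not be installed and cert-manager's own resources would fail to apply. Unless the chart version is bumped as well, keep `installCRDs: true` alongside the new `global.imagePullSecrets` entry. The copy of this file shown deleted later in the series does carry `installCRDs: true`, so this may already have been corrected off-page.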
+++ b/packages/trustmanager/zarf.yaml @@ -7,6 +7,16 @@ metadata: architecture: amd64 components: + - name: trust-manager-images + required: true + images: + - quay.io/jetstack/trust-manager:v0.11.0 + - quay.io/jetstack/cert-manager-package-debian:20210119.0 + - quay.io/jetstack/cert-manager-controller + - quay.io/jetstack/cert-manager-webhook + - quay.io/jetstack/cert-manager-cainjector + - quay.io/jetstack/cert-manager-acmesolver + - quay.io/jetstack/cert-manager-startupapicheck - name: trust-manager required: true charts: From 9e16bc4eab1ad3d96dbcd541674733169ab5ebb1 Mon Sep 17 00:00:00 2001 From: Jacob May Date: Tue, 4 Jun 2024 21:17:42 +0000 Subject: [PATCH 03/17] forgot to save before committing --- packages/trustmanager/zarf.yaml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/packages/trustmanager/zarf.yaml b/packages/trustmanager/zarf.yaml index 1c6e0d3d..d4af089f 100644 --- a/packages/trustmanager/zarf.yaml +++ b/packages/trustmanager/zarf.yaml @@ -12,11 +12,11 @@ components: images: - quay.io/jetstack/trust-manager:v0.11.0 - quay.io/jetstack/cert-manager-package-debian:20210119.0 - - quay.io/jetstack/cert-manager-controller - - quay.io/jetstack/cert-manager-webhook - - quay.io/jetstack/cert-manager-cainjector - - quay.io/jetstack/cert-manager-acmesolver - - quay.io/jetstack/cert-manager-startupapicheck + - quay.io/jetstack/cert-manager-controller:v1.14.5 + - quay.io/jetstack/cert-manager-webhook::v1.14.5 + - quay.io/jetstack/cert-manager-cainjector:v1.14.5 + - quay.io/jetstack/cert-manager-acmesolver:v1.14.5 + - quay.io/jetstack/cert-manager-startupapicheck:v1.14.5 - name: trust-manager required: true charts: From 97cecf5fae07c9ddd8f9dd6eab33e92d095afe53 Mon Sep 17 00:00:00 2001 
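Review bot: `quay.io/jetstack/cert-manager-package-debian:20210119.0` is the package trust-manager uses to satisfy `useDefaultCAs: true` in trust-bundle.yaml, and a January-2021 snapshot of the Debian roots is likely older than the OS bundles this series goes on to overlay, so public trust regresses (roots distrusted since then stay trusted, newer ones are missing). Track a current tag of that image here and set the matching `defaultPackageImage.tag` in values/trust-manager.yaml so the chart and the packaged image agree. Consider pinning every image in this list by digest (`quay.io/jetstack/<image>@sha256:<digest>`), since an airgapped package cannot re-resolve mutable tags; the same list reappears in packages/trust-manager/zarf.yaml in the later "switch back" patch.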
From: Jacob May Date: Tue, 4 Jun 2024 21:24:48 +0000 Subject: [PATCH 04/17] Add tasks for new packages and fix zarf.yaml syntax --- packages/trustmanager/zarf.yaml | 2 +- tasks.yaml | 2 ++ tasks/create.yaml | 10 ++++++++++ 3 files changed, 13 insertions(+), 1 deletion(-) diff --git a/packages/trustmanager/zarf.yaml b/packages/trustmanager/zarf.yaml index d4af089f..04f5c597 100644 --- a/packages/trustmanager/zarf.yaml +++ b/packages/trustmanager/zarf.yaml @@ -13,7 +13,7 @@ components: - quay.io/jetstack/trust-manager:v0.11.0 - quay.io/jetstack/cert-manager-package-debian:20210119.0 - quay.io/jetstack/cert-manager-controller:v1.14.5 - - quay.io/jetstack/cert-manager-webhook::v1.14.5 + - quay.io/jetstack/cert-manager-webhook:v1.14.5 - quay.io/jetstack/cert-manager-cainjector:v1.14.5 - quay.io/jetstack/cert-manager-acmesolver:v1.14.5 - quay.io/jetstack/cert-manager-startupapicheck:v1.14.5 diff --git a/tasks.yaml b/tasks.yaml index 53f071dc..437f7c77 100644 --- a/tasks.yaml +++ b/tasks.yaml @@ -16,6 +16,8 @@ tasks: - task: create:additional-manifests-package - task: create:additional-manifests-package-2 - task: create:init-package + - task: create:trustmanager-package + - task: create:trust-bundle-package - task: create:bundle #### Clean #### diff --git a/tasks/create.yaml b/tasks/create.yaml index 7e474d1b..0e784382 100644 --- a/tasks/create.yaml +++ b/tasks/create.yaml 
@@ -61,3 +61,13 @@ tasks: description: Create init package with Nutanix CSI driver. actions: - cmd: ZARF_CONFIG=./packages/init/zarf-config.yaml ./uds zarf package create ./packages/init --set AGENT_IMAGE_TAG=$(uds zarf version) --confirm --no-progress --architecture=${ARCH} --skip-sbom --output ./build + + - name: trustmanager-package + description: Create trustmanager package. + actions: + - cmd: ./uds zarf package create ./packages/trustmanager --confirm --no-progress --architecture=${ARCH} --skip-sbom --output ./build + + - name: trust-bundle-package + description: Create trust-bundle package for adding custom CAs. + actions: + - cmd: ./uds zarf package create ./packages/trust-bundle --confirm --no-progress --architecture=${ARCH} --skip-sbom --output ./build From 308d339017e2399c94b1ffc29a55a90c3f2940ee Mon Sep 17 00:00:00 2001 From: Jacob May Date: Tue, 4 Jun 2024 21:30:07 +0000 Subject: [PATCH 05/17] missing s on package name --- bundles/uds-core-swf/uds-bundle.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bundles/uds-core-swf/uds-bundle.yaml b/bundles/uds-core-swf/uds-bundle.yaml index 7101d09b..3016dcd3 100644 --- a/bundles/uds-core-swf/uds-bundle.yaml +++ b/bundles/uds-core-swf/uds-bundle.yaml @@ -38,7 +38,7 @@ packages: path: ../../build ref: 0.0.1 - - name: trust-bundle + - name: trust-bundles path: ../../build ref: 0.0.1 From 29cfcdf8e68f770ac708e99b05acf537900dca34 Mon Sep 17 00:00:00 2001 From: Opnauticus Date: Wed, 12 Jun 2024 10:08:52 -0700 Subject: [PATCH 06/17] trying some yaml anchors? (#127) --- bundles/uds-core-swf/uds-bundle.yaml | 73 ++++++++++++++++------------ 1 file changed, 43 insertions(+), 30 deletions(-) diff --git a/bundles/uds-core-swf/uds-bundle.yaml b/bundles/uds-core-swf/uds-bundle.yaml index c2624695..8866577e 100644 --- a/bundles/uds-core-swf/uds-bundle.yaml +++ b/bundles/uds-core-swf/uds-bundle.yaml 
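Review bot: Both new create commands pass `--skip-sbom`, so the package that ships the cluster-wide trust roots (the trust-manager and cert-manager images) is built without an SBOM. That matches the existing init-package task, but for these two packages the SBOM is what lets a consumer audit which CA package and controller images were baked in; drop the flag for at least the trustmanager package, or record the trade-off above the task, e.g. `# SBOM skipped for local build speed; re-enable for release builds`.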
@@ -8,6 +8,22 @@ metadata: # x-release-please-end architecture: amd64 +x-extra-volume-mounts: &extra-volume-mounts + - name: trust-bundle + mountPath: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem + subPath: "ca-bundle.crt" + readOnly: true + - name: trust-bundle + mountPath: /etc/pki/ca-trust/extracted/java/cacerts + subPath: "ca-bundle.jks" + readOnly: true + +x-extra-volumes: &extra-volumes + - name: trust-bundle + configMap: + name: trust-bundle + defaultMode: 0644 + packages: # Zarf init - name: init @@ -76,11 +92,11 @@ packages: # subpath: "ca-bundle.crt" # secretName: ca-secret # readOnly: true - variables: - - name: EXTRA_VOLUMES - path: extraVolumes - - name: EXTRA_VOLUME_MOUNTS - path: extraVolumeMounts + values: + - path: extraVolumes + value: *extra-volumes + - path: extraVolumeMounts + value: *extra-volume-mounts velero: velero: values: @@ -168,11 +184,10 @@ packages: includedNamespaces: - gitlab ttl: "240h" - variables: - - name: EXTRA_VOLUMES - path: extraVolumes - - name: EXTRA_VOLUME_MOUNTS - path: extraVolumeMounts + - path: extraVolumes + value: *extra-volumes + - path: extraVolumeMounts + value: *extra-volume-mounts # TODO: remove if not needed. Trying to updated trusted certs via container host first # - name: BACKUP_STORAGE_LOCATION # description: "Configuration for velero backup storage." @@ -190,6 +205,10 @@ packages: value: "ReadWriteMany" - path: "persistence.storageClassName" value: "nutanix-dynamicfile" + - path: extraVolumes + value: *extra-volumes + - path: extraVolumeMounts + value: *extra-volume-mounts variables: - name: KEYCLOAK_DB_USERNAME description: "keycloak database username" 
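Review bot: Both anchored mounts use `subPath`, and Kubernetes does not propagate ConfigMap updates into subPath mounts, so after `ADDITIONAL_CA_CHAIN` changes or trust-manager rewrites `trust-bundle`, running pods keep the old `tls-ca-bundle.pem` and `cacerts` until restarted; because these files overlay the OS store, a stale bundle also means a rotated or withdrawn CA lingers. Add a comment above `x-extra-volume-mounts`, e.g. `# subPath mounts are not refreshed on ConfigMap change: restart pods after rotating the CA bundle`, or mount the ConfigMap as a directory where the consuming application can be pointed at it. Also `defaultMode: 0644` relies on YAML 1.1 octal parsing to become 420; writing `defaultMode: 420` with a `# 0644` comment is unambiguous across parsers.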
@@ -210,16 +229,16 @@ packages: - name: KEYCLOAK_INSECURE_ADMIN_PASSWORD_GENERATION description: "Generate an insecure admin password for dev/test" path: insecureAdminPasswordGeneration.enabled - - name: EXTRA_VOLUMES - path: extraVolumes - - name: EXTRA_VOLUME_MOUNTS - path: extraVolumeMounts loki: loki: values: # Override default dns service name for Loki Gateway - path: "global.dnsService" value: "rke2-coredns-rke2-coredns" + - path: loki.backend.extraVolumes + value: *extra-volumes + - path: loki.backend.extraVolumeMounts + value: *extra-volume-mounts variables: - name: LOKI_CHUNKS_BUCKET description: "The object storage bucket for Loki chunks" @@ -250,12 +269,6 @@ packages: # path: loki.storage.s3.http_config.ca_file # description: "CA chain to trust for connections S3 buckets" # default: "/etc/ssl/certs/ca.crt" - - name: EXTRA_VOLUMES - path: loki.backend.extraVolumes - description: "CA chain to trust for connections S3 buckets" - - name: EXTRA_VOLUME_MOUNTS - path: loki.backend.extraVolumeMounts - description: "CA chain to trust for connections S3 buckets" - name: LOKI_WRITE_REPLICAS path: write.replicas description: "Loki write replicas" @@ -409,12 +422,11 @@ packages: overrides: gitlab-runner: gitlab-runner: - variables: - # This is likely not enough for gitlab runner jobs to trust custom CAs and is only mounting the certs for gitlab runner itself - - name: EXTRA_VOLUMES - path: volumes - - name: EXTRA_VOLUME_MOUNTS - path: volumeMounts + values: + - path: volumes + value: *extra-volumes + - path: volumeMounts + value: *extra-volume-mounts ### TODO - uncomment to replace functionality post MVP 
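Review bot: The comment that the gitlab-runner mounts cover only the runner pod and not the job pods it spawns was removed together with the `EXTRA_VOLUMES` variables, yet the new `volumes`/`volumeMounts` values have exactly the same limitation. Keep it above the new entries, e.g. `# Mounts the bundle into the runner pod only; job pods need their own volume config to trust custom CAs`, so the gap is not lost when someone later wonders why CI jobs still fail TLS against internal services.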
@@ -542,14 +554,15 @@ packages: value: - host: nexus-docker.${DOMAIN} port: 5000 + - path: deployment.additionalVolumes + value: *extra-volumes + - path: deployment.additionalVolumeMounts + value: *extra-volume-mounts uds-nexus-config: + values: variables: - name: NEXUS_SSO_ENABLED path: "sso.enabled" - - name: EXTRA_VOLUMES - path: deployment.additionalVolumes - - name: EXTRA_VOLUME_MOUNTS - path: deployment.additionalVolumeMounts values: - path: additionalNetworkExposures value: From 1d55e9183c94e97c6329e7945d4519dcc8c5625e Mon Sep 17 00:00:00 2001 From: Jacob May Date: Fri, 21 Jun 2024 21:18:45 +0000 Subject: [PATCH 07/17] Add tasks for deploying bundle with build-harness image --- tasks.yaml | 20 ++++++++++++++++++++ tasks/deploy.yaml | 25 +++++++++++++++++++++++++ 2 files changed, 45 insertions(+) create mode 100644 tasks/deploy.yaml diff --git a/tasks.yaml b/tasks.yaml index 2a187cbd..0287ae0f 100644 --- a/tasks.yaml +++ b/tasks.yaml @@ -1,5 +1,6 @@ includes: - create: ./tasks/create.yaml + - deploy: ./tasks/deploy.yaml tasks: ################ @@ -19,6 +20,25 @@ tasks: - task: create:trustmanager-package - task: create:trust-bundles-package - task: create:bundle + ################ + # Deploy + ################ + - name: uds-version + description: Check version of UDS being used to deploy + actions: + - task: deploy:uds-version + + - name: deploy-dev + description: Deploy bundle to dev cluster + actions: + - task: deploy:deploy-bundle + + - name: deploy-test + description: Deploy bundle to test cluster + actions: + - task: deploy:deploy-bundle + with: + config-dir: ./scratch/configs/test #### Clean #### - name: clean diff --git a/tasks/deploy.yaml b/tasks/deploy.yaml new file mode 100644 index 00000000..e9e396f5 --- /dev/null +++ b/tasks/deploy.yaml 
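Review bot: The added bare `values:` line under `uds-nexus-config` sits directly before `variables:` in a mapping that already has a `values:` key a few lines later (the one holding `additionalNetworkExposures`), which makes a duplicate key with a null first value; strict parsers reject this and lenient ones keep whichever comes last. The nexus volume entries were correctly moved to the `nexus` chart's `values` list in the first half of this hunk, so the stray line should simply be deleted. Indentation is collapsed in this view, so confirm the nesting against the file.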
@@ -0,0 +1,25 @@ +variables: + - name: ARCH + description: "What architecture to use" + default: "amd64" + - name: DEPLOY_IMAGE + description: "Container image to use to run uds deploy in" + default: "ghcr.io/defenseunicorns/build-harness/build-harness:2.0.22" + +tasks: + - name: uds-version + description: Check the UDS version in the build harness being used + actions: + - cmd: docker run --rm ${DEPLOY_IMAGE} bash -c 'uds version' + + - name: deploy-bundle + description: Deploy bundle based on configured input build and config directories + inputs: + build-dir: + default: ./build + description: Input for the path to the build directory containing the uds bundle to deploy + config-dir: + default: ./scratch/configs/dev + description: Input for the path to the directory containing the uds-config.yaml to use for deploying the bundle + actions: + - cmd: docker run --rm -e UDS_CONFIG=/configs/uds-config.yaml -e KUBECONFIG=/configs/kubeconfig -v ${INPUT_CONFIG_DIR}:/configs -v ${INPUT_BUILD_DIR}:/build ${DEPLOY_IMAGE} bash -c 'uds deploy /build/uds-bundle-software-factory-nutanix-${ARCH}*.tar.zst --no-tea --confirm' From 13485a461953017a9e49058345539d19a465b072 Mon Sep 17 00:00:00 2001 From: Jacob May Date: Tue, 2 Jul 2024 20:08:10 +0000 Subject: [PATCH 08/17] Fix removed pepr policy and add missing loki ca configuration --- bundles/uds-core-swf/uds-bundle.yaml | 12 ++++++++++++ packages/additional-manifests/zarf.yaml | 1 + tasks/deploy.yaml | 7 +++++-- 3 files changed, 18 insertions(+), 2 deletions(-) diff --git a/bundles/uds-core-swf/uds-bundle.yaml b/bundles/uds-core-swf/uds-bundle.yaml index 4885e2c7..440c3002 100644 --- a/bundles/uds-core-swf/uds-bundle.yaml +++ b/bundles/uds-core-swf/uds-bundle.yaml 
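Review bot: `-v ${INPUT_CONFIG_DIR}:/configs` hands the kubeconfig and uds-config.yaml (which presumably carries the bundle's secret variables) read-write to a container pulled by the mutable tag `build-harness:2.0.22`; the same command shape is kept in the later patch that adds `BUNDLE_VERSION`. Mount it read-only, `-v ${INPUT_CONFIG_DIR}:/configs:ro`, and pin `DEPLOY_IMAGE` by digest (`ghcr.io/defenseunicorns/build-harness/build-harness@sha256:<digest>`) so the image that receives cluster credentials cannot change underneath the tag.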
@@ -244,6 +244,18 @@ packages: value: *extra-volumes - path: loki.backend.extraVolumeMounts value: *extra-volume-mounts + - path: loki.gateway.extraVolumes + value: *extra-volumes + - path: loki.gateway.extraVolumeMounts + value: *extra-volume-mounts + - path: loki.write.extraVolumes + value: *extra-volumes + - path: loki.write.extraVolumeMounts + value: *extra-volume-mounts + - path: loki.read.extraVolumes + value: *extra-volumes + - path: loki.read.extraVolumeMounts + value: *extra-volume-mounts variables: - name: LOKI_CHUNKS_BUCKET description: "The object storage bucket for Loki chunks" diff --git a/packages/additional-manifests/zarf.yaml b/packages/additional-manifests/zarf.yaml index ff52edf7..7d65234c 100644 --- a/packages/additional-manifests/zarf.yaml +++ b/packages/additional-manifests/zarf.yaml @@ -29,6 +29,7 @@ components: files: - pepr-policy-exemptions/nutanix-csi-exemptions.yaml - pepr-policy-exemptions/metallb-exemptions.yaml + - pepr-policy-exemptions/gitlab-exemptions.yaml # - name: mattermost-ca-secret # required: true # manifests: diff --git a/tasks/deploy.yaml b/tasks/deploy.yaml index e9e396f5..f1ff6f67 100644 --- a/tasks/deploy.yaml +++ b/tasks/deploy.yaml @@ -4,7 +4,10 @@ variables: default: "amd64" - name: DEPLOY_IMAGE description: "Container image to use to run uds deploy in" - default: "ghcr.io/defenseunicorns/build-harness/build-harness:2.0.22" + default: "ghcr.io/defenseunicorns/build-harness/build-harness:2.0.28" + - name: BUNDLE_VERSION + description: "Version of the bundle to deploy" + default: "0.2.16" tasks: - name: uds-version 
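Review bot: `pepr-policy-exemptions/gitlab-exemptions.yaml` re-enters the manifest list in packages/additional-manifests/zarf.yaml without its contents being part of this patch, so a reader of the zarf.yaml cannot tell which Pepr policies gitlab is being exempted from or why. Since each exemption widens what those pods may do, add a one-line comment above the entry naming the exempted policies and the reason; the commit message only says a removed policy is being restored.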
@@ -22,4 +25,4 @@ tasks: default: ./scratch/configs/dev description: Input for the path to the directory containing the uds-config.yaml to use for deploying the bundle actions: - - cmd: docker run --rm -e UDS_CONFIG=/configs/uds-config.yaml -e KUBECONFIG=/configs/kubeconfig -v ${INPUT_CONFIG_DIR}:/configs -v ${INPUT_BUILD_DIR}:/build ${DEPLOY_IMAGE} bash -c 'uds deploy /build/uds-bundle-software-factory-nutanix-${ARCH}*.tar.zst --no-tea --confirm' + - cmd: docker run --rm -e ARCH=${ARCH} -e BUNDLE_VERSION=${BUNDLE_VERSION} -e UDS_CONFIG=/configs/uds-config.yaml -e KUBECONFIG=/configs/kubeconfig -v ${INPUT_CONFIG_DIR}:/configs -v ${INPUT_BUILD_DIR}:/build ${DEPLOY_IMAGE} bash -c 'uds deploy /build/uds-bundle-software-factory-nutanix-${ARCH}-${BUNDLE_VERSION}.tar.zst --confirm' From 6d02b0854d5860f89142d8341ac35c9765464e57 Mon Sep 17 00:00:00 2001 From: Jacob May Date: Tue, 9 Jul 2024 15:33:23 +0000 Subject: [PATCH 09/17] Remove trust manager from locally defined packages in preference for the published package --- bundles/uds-core-swf/uds-bundle.yaml | 8 +++-- packages/namespaces/values.yaml | 2 ++ .../trustmanager/values/cert-manager.yaml | 4 --- .../trustmanager/values/trust-manager.yaml | 2 -- packages/trustmanager/zarf.yaml | 34 ------------------- tasks.yaml | 1 - tasks/create.yaml | 5 --- 7 files changed, 8 insertions(+), 48 deletions(-) delete mode 100644 packages/trustmanager/values/cert-manager.yaml delete mode 100644 packages/trustmanager/values/trust-manager.yaml delete mode 100644 packages/trustmanager/zarf.yaml diff --git a/bundles/uds-core-swf/uds-bundle.yaml b/bundles/uds-core-swf/uds-bundle.yaml index 440c3002..4a920bf4 100644 --- a/bundles/uds-core-swf/uds-bundle.yaml +++ b/bundles/uds-core-swf/uds-bundle.yaml 
@@ -54,10 +54,14 @@ packages: - name: software-factory-namespaces path: ../../build ref: 1.0.0 + + - name: cert-manager + repository: ghcr.io/defenseunicorns/packages/uds/cert-manager + ref: 0.1.3-upstream - name: trust-manager - path: ../../build - ref: 0.0.1 + repository: ghcr.io/defenseunicorns/packages/uds/trust-manager + ref: 0.11.0-uds.2-upstream - name: trust-bundles path: ../../build diff --git a/packages/namespaces/values.yaml b/packages/namespaces/values.yaml index 66e965e6..3988fc4d 100644 --- a/packages/namespaces/values.yaml +++ b/packages/namespaces/values.yaml @@ -34,3 +34,5 @@ namespaces: labels: istio-injection: enabled - name: cert-manager + labels: + istio-injection: enabled diff --git a/packages/trustmanager/values/cert-manager.yaml b/packages/trustmanager/values/cert-manager.yaml deleted file mode 100644 index 77d4eeab..00000000 --- a/packages/trustmanager/values/cert-manager.yaml +++ /dev/null @@ -1,4 +0,0 @@ -global: - imagePullSecrets: - - name: "private-registry" -installCRDs: true diff --git a/packages/trustmanager/values/trust-manager.yaml b/packages/trustmanager/values/trust-manager.yaml deleted file mode 100644 index eea62550..00000000 --- a/packages/trustmanager/values/trust-manager.yaml +++ /dev/null @@ -1,2 +0,0 @@ -imagePullSecrets: - - name: "private-registry" \ No newline at end of file diff --git a/packages/trustmanager/zarf.yaml b/packages/trustmanager/zarf.yaml deleted file mode 100644 index f19d699d..00000000 --- a/packages/trustmanager/zarf.yaml +++ /dev/null 
@@ -1,34 +0,0 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/defenseunicorns/zarf/main/zarf.schema.json -kind: ZarfPackageConfig -metadata: - name: trust-manager - description: "Trust manager service for distributing trusted CA bundles to other namespaces" - version: "0.0.1" - architecture: amd64 - -components: - - name: trust-manager-images - required: true - images: - - quay.io/jetstack/trust-manager:v0.11.0 - - quay.io/jetstack/cert-manager-package-debian:20210119.0 - - quay.io/jetstack/cert-manager-controller:v1.14.5 - - quay.io/jetstack/cert-manager-webhook:v1.14.5 - - quay.io/jetstack/cert-manager-cainjector:v1.14.5 - - quay.io/jetstack/cert-manager-acmesolver:v1.14.5 - - quay.io/jetstack/cert-manager-startupapicheck:v1.14.5 - - name: trust-manager - required: true - charts: - - name: cert-manager - version: 1.14.5 - namespace: cert-manager - url: https://charts.jetstack.io/ - valuesFiles: - - values/cert-manager.yaml - - name: trust-manager - version: 0.11.0 - namespace: cert-manager - url: https://charts.jetstack.io/ - valuesFiles: - - values/trust-manager.yaml diff --git a/tasks.yaml b/tasks.yaml index c97ee5dc..03919f87 100644 --- a/tasks.yaml +++ b/tasks.yaml @@ -16,7 +16,6 @@ tasks: - task: create:object-store-packages - task: create:additional-manifests-package - task: create:init-package - - task: create:trustmanager-package - task: create:trust-bundles-package - task: create:bundle ################ diff --git a/tasks/create.yaml b/tasks/create.yaml index c1a8d100..a969a1d1 100644 --- a/tasks/create.yaml +++ b/tasks/create.yaml 
@@ -56,11 +56,6 @@ tasks: actions: - cmd: ZARF_CONFIG=./packages/init/zarf-config.yaml ./uds zarf package create ./packages/init --set AGENT_IMAGE_TAG=$(uds zarf version) --confirm --no-progress --architecture=${ARCH} --skip-sbom --output ./build - - name: trustmanager-package - description: Create trustmanager package. - actions: - - cmd: ./uds zarf package create ./packages/trustmanager --confirm --no-progress --architecture=${ARCH} --skip-sbom --output ./build - - name: trust-bundles-package description: Create trust-bundle package for adding custom CAs. actions: From 8071c1c3659a3726e8cc6c6a166e56944fba1d13 Mon Sep 17 00:00:00 2001 From: Jacob May Date: Tue, 9 Jul 2024 21:54:48 +0000 Subject: [PATCH 10/17] switch back to bundle defined cert manager and trust manager and fix loki values paths --- bundles/uds-core-swf/uds-bundle.yaml | 24 ++++++------- packages/namespaces/values.yaml | 2 -- .../trust-manager/values/cert-manager.yaml | 4 +++ .../trust-manager/values/trust-manager.yaml | 2 ++ packages/trust-manager/zarf.yaml | 34 +++++++++++++++++++ tasks.yaml | 1 + tasks/create.yaml | 5 +++ tasks/deploy.yaml | 2 +- 8 files changed, 57 insertions(+), 17 deletions(-) create mode 100644 packages/trust-manager/values/cert-manager.yaml create mode 100644 packages/trust-manager/values/trust-manager.yaml create mode 100644 packages/trust-manager/zarf.yaml diff --git a/bundles/uds-core-swf/uds-bundle.yaml b/bundles/uds-core-swf/uds-bundle.yaml index 03eaaace..542d95d1 100644 --- a/bundles/uds-core-swf/uds-bundle.yaml +++ b/bundles/uds-core-swf/uds-bundle.yaml @@ -55,13 +55,9 @@ packages: path: ../../build ref: 1.0.0 - - name: cert-manager - repository: ghcr.io/defenseunicorns/packages/uds/cert-manager - ref: 0.1.3-upstream - - name: trust-manager - repository: ghcr.io/defenseunicorns/packages/uds/trust-manager - ref: 0.11.0-uds.2-upstream + path: ../../build + ref: 0.0.1 - name: trust-bundles path: ../../build 
@@ -285,21 +281,21 @@ packages:
 # Override default dns service name for Loki Gateway
 - path: "global.dnsService"
 value: "rke2-coredns-rke2-coredns"
- - path: loki.backend.extraVolumes
+ - path: backend.extraVolumes
 value: *extra-volumes
- - path: loki.backend.extraVolumeMounts
+ - path: backend.extraVolumeMounts
 value: *extra-volume-mounts
- - path: loki.gateway.extraVolumes
+ - path: gateway.extraVolumes
 value: *extra-volumes
- - path: loki.gateway.extraVolumeMounts
+ - path: gateway.extraVolumeMounts
 value: *extra-volume-mounts
- - path: loki.write.extraVolumes
+ - path: write.extraVolumes
 value: *extra-volumes
- - path: loki.write.extraVolumeMounts
+ - path: write.extraVolumeMounts
 value: *extra-volume-mounts
- - path: loki.read.extraVolumes
+ - path: read.extraVolumes
 value: *extra-volumes
- - path: loki.read.extraVolumeMounts
+ - path: read.extraVolumeMounts
 value: *extra-volume-mounts
 variables:
 - name: LOKI_CHUNKS_BUCKET
diff --git a/packages/namespaces/values.yaml b/packages/namespaces/values.yaml
index 3988fc4d..66e965e6 100644
--- a/packages/namespaces/values.yaml
+++ b/packages/namespaces/values.yaml
@@ -34,5 +34,3 @@ namespaces:
 labels:
 istio-injection: enabled
 - name: cert-manager
- labels:
- istio-injection: enabled
diff --git a/packages/trust-manager/values/cert-manager.yaml b/packages/trust-manager/values/cert-manager.yaml
new file mode 100644
index 00000000..77d4eeab
--- /dev/null
+++ b/packages/trust-manager/values/cert-manager.yaml
@@ -0,0 +1,4 @@
+global:
+ imagePullSecrets:
+ - name: "private-registry"
+installCRDs: true
diff --git a/packages/trust-manager/values/trust-manager.yaml b/packages/trust-manager/values/trust-manager.yaml
new file mode 100644
index 00000000..bf7e2fbe
--- /dev/null
+++ b/packages/trust-manager/values/trust-manager.yaml
@@ -0,0 +1,2 @@
+imagePullSecrets:
+ - name: "private-registry"
diff --git a/packages/trust-manager/zarf.yaml b/packages/trust-manager/zarf.yaml
new file mode 100644
index 00000000..f19d699d
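Review bot: The corrected override paths (`backend.extraVolumes`, `gateway.extraVolumeMounts`, …) drop the `loki.` prefix while the package's variables keep it for `loki.storage.s3.secretAccessKey` (visible in the later `@@ -322,11 +310,6 @@` hunk); both agree with the upstream Loki chart, where the component keys are top-level and only the Loki config sits under `loki:`, but nothing in the file records that, and this commit exists because the prefix was guessed wrong once. A comment above the first override, `# backend/read/write/gateway are top-level chart keys; only Loki config lives under loki.`, would keep the two conventions from drifting again. The `*extra-volumes` and `*extra-volume-mounts` anchors are defined outside this hunk and only resolve because the bundle is a single YAML document.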
--- /dev/null
+++ b/packages/trust-manager/zarf.yaml
@@ -0,0 +1,34 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/defenseunicorns/zarf/main/zarf.schema.json
+kind: ZarfPackageConfig
+metadata:
+ name: trust-manager
+ description: "Trust manager service for distributing trusted CA bundles to other namespaces"
+ version: "0.0.1"
+ architecture: amd64
+
+components:
+ - name: trust-manager-images
+ required: true
+ images:
+ - quay.io/jetstack/trust-manager:v0.11.0
+ - quay.io/jetstack/cert-manager-package-debian:20210119.0
+ - quay.io/jetstack/cert-manager-controller:v1.14.5
+ - quay.io/jetstack/cert-manager-webhook:v1.14.5
+ - quay.io/jetstack/cert-manager-cainjector:v1.14.5
+ - quay.io/jetstack/cert-manager-acmesolver:v1.14.5
+ - quay.io/jetstack/cert-manager-startupapicheck:v1.14.5
+ - name: trust-manager
+ required: true
+ charts:
+ - name: cert-manager
+ version: 1.14.5
+ namespace: cert-manager
+ url: https://charts.jetstack.io/
+ valuesFiles:
+ - values/cert-manager.yaml
+ - name: trust-manager
+ version: 0.11.0
+ namespace: cert-manager
+ url: https://charts.jetstack.io/
+ valuesFiles:
+ - values/trust-manager.yaml
diff --git a/tasks.yaml b/tasks.yaml
index 03919f87..8bc096e8 100644
--- a/tasks.yaml
+++ b/tasks.yaml
@@ -16,6 +16,7 @@ tasks:
 - task: create:object-store-packages
 - task: create:additional-manifests-package
 - task: create:init-package
+ - task: create:trust-manager-package
 - task: create:trust-bundles-package
 - task: create:bundle
 ################
diff --git a/tasks/create.yaml b/tasks/create.yaml
index a969a1d1..2ebfb4ff 100644
--- a/tasks/create.yaml
+++ b/tasks/create.yaml
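Review bot: All seven images in the `trust-manager-images` component are pinned by tag only (`trust-manager:v0.11.0`, `cert-manager-controller:v1.14.5`, …) and the charts by `version` against `https://charts.jetstack.io/` with no checksum; for the package that defines what every workload in the cluster trusts, pinning images by digest (`quay.io/jetstack/trust-manager:v0.11.0@sha256:<digest-placeholder>`) makes the build reproducible and tamper-evident. `cert-manager-package-debian:20210119.0` is trust-manager's default public CA package, and the date in its tag suggests a 2021 Debian ca-certificates snapshot; either note why that snapshot is acceptable or set `defaultPackage.enabled: false` in `values/trust-manager.yaml` if only the custom bundle is meant to be distributed (which Bundle resources use `useDefaultCAs` is not visible from this hunk). `architecture: amd64` is hard-coded under `metadata` while the create task in `tasks/create.yaml` passes `--architecture=${ARCH}`; presumably the flag wins, but a comment on that line, `# overridden by --architecture in tasks/create.yaml`, would stop a reader assuming the package is amd64-only.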
@@ -56,6 +56,11 @@ tasks:
 actions:
 - cmd: ZARF_CONFIG=./packages/init/zarf-config.yaml ./uds zarf package create ./packages/init --set AGENT_IMAGE_TAG=$(uds zarf version) --confirm --no-progress --architecture=${ARCH} --skip-sbom --output ./build
 
+ - name: trust-manager-package
+ description: Create trust-manager package.
+ actions:
+ - cmd: ./uds zarf package create ./packages/trust-manager --confirm --no-progress --architecture=${ARCH} --skip-sbom --output ./build
+
 - name: trust-bundles-package
 description: Create trust-bundle package for adding custom CAs.
 actions:
diff --git a/tasks/deploy.yaml b/tasks/deploy.yaml
index f1ff6f67..9483c05d 100644
--- a/tasks/deploy.yaml
+++ b/tasks/deploy.yaml
@@ -25,4 +25,4 @@ tasks:
 default: ./scratch/configs/dev
 description: Input for the path to the directory containing the uds-config.yaml to use for deploying the bundle
 actions:
- - cmd: docker run --rm -e ARCH=${ARCH} -e BUNDLE_VERSION=${BUNDLE_VERSION} -e UDS_CONFIG=/configs/uds-config.yaml -e KUBECONFIG=/configs/kubeconfig -v ${INPUT_CONFIG_DIR}:/configs -v ${INPUT_BUILD_DIR}:/build ${DEPLOY_IMAGE} bash -c 'uds deploy /build/uds-bundle-software-factory-nutanix-${ARCH}-${BUNDLE_VERSION}.tar.zst --confirm'
+ - cmd: docker run --rm -e ARCH=${ARCH} -e BUNDLE_VERSION=${BUNDLE_VERSION} -e UDS_CONFIG=/configs/uds-config.yaml -e KUBECONFIG=/configs/kubeconfig -v /tmp:/tmp -v ${INPUT_CONFIG_DIR}:/configs -v ${INPUT_BUILD_DIR}:/build ${DEPLOY_IMAGE} bash -c 'uds deploy /build/uds-bundle-software-factory-nutanix-${ARCH}-${BUNDLE_VERSION}.tar.zst -p core --confirm'
From 577a5e50011322ed244a143f8b9a442592698965 Mon Sep 17 00:00:00 2001
From: ablanchard
Date: Wed, 10 Jul 2024 07:41:17 -0700
Subject: [PATCH 11/17] send it
---
 bundles/uds-core-swf/uds-bundle.yaml | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/bundles/uds-core-swf/uds-bundle.yaml b/bundles/uds-core-swf/uds-bundle.yaml
index 542d95d1..d49f7674 100644
--- a/bundles/uds-core-swf/uds-bundle.yaml
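Review bot: The added `-v /tmp:/tmp` in the deploy `cmd` bind-mounts the host's entire temp directory read-write into the deploy container, exposing every other process's temp files to it and letting the container write into them; if `uds deploy` needs scratch space for unpacking the bundle, a dedicated directory is safer, e.g. `-v ${INPUT_BUILD_DIR}/tmp:/tmp` (or a `mktemp -d` path passed the same way). The reason for the mount is not recorded anywhere in the task; a comment above the `cmd` line naming it would help the next reader. The same mount survives the later `[PATCH 16/17]` hunk on this file, which only removes the `-p core` argument.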
+++ b/bundles/uds-core-swf/uds-bundle.yaml
@@ -230,11 +230,10 @@ packages:
 keycloak:
 keycloak:
 values:
- # TODO - test/debug
- # - path: "devMode"
- # value: "false"
- # - path: "autoscaling.enabled"
- # value: "true"
+ - path: "devMode"
+ value: "false"
+ - path: "autoscaling.enabled"
+ value: "true"
 - path: "persistence.providers.enabled"
 value: "true"
 - path: "persistence.accessMode"
From 8a5c498cb479713f0f16545394d0a42d8c3884e0 Mon Sep 17 00:00:00 2001
From: ablanchard
Date: Wed, 10 Jul 2024 07:43:59 -0700
Subject: [PATCH 12/17] removed extra line
---
 bundles/uds-core-swf/uds-bundle.yaml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/bundles/uds-core-swf/uds-bundle.yaml b/bundles/uds-core-swf/uds-bundle.yaml
index d49f7674..e4f45299 100644
--- a/bundles/uds-core-swf/uds-bundle.yaml
+++ b/bundles/uds-core-swf/uds-bundle.yaml
@@ -706,7 +706,6 @@ packages:
 - path: deployment.additionalVolumeMounts
 value: *extra-volume-mounts
 uds-nexus-config:
- values:
 variables:
 - name: NEXUS_SSO_ENABLED
 path: "sso.enabled"
From 7f0bbdf473a54c843940b66cd21a4608032ea97e Mon Sep 17 00:00:00 2001
From: Jacob May
Date: Wed, 10 Jul 2024 21:36:27 +0000
Subject: [PATCH 13/17] Try adding ca value to velero config
---
 bundles/uds-core-swf/uds-bundle.yaml | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/bundles/uds-core-swf/uds-bundle.yaml b/bundles/uds-core-swf/uds-bundle.yaml
index e4f45299..3993b4c0 100644
--- a/bundles/uds-core-swf/uds-bundle.yaml
+++ b/bundles/uds-core-swf/uds-bundle.yaml
@@ -135,6 +135,10 @@ packages:
 limits:
 cpu: 1
 memory: 2Gi
+ # TODO: remove if not needed. Trying to updated trusted certs via container host first
+ - name: BACKUP_STORAGE_LOCATION
+ path: configuration.backupStorageLocation
+ description: "Configuration for velero backup storage."
 values:
 - path: initContainers
 value:
@@ -224,9 +228,6 @@ packages:
 value: *extra-volumes
 - path: extraVolumeMounts
 value: *extra-volume-mounts
- # TODO: remove if not needed. Trying to updated trusted certs via container host first
- # - name: BACKUP_STORAGE_LOCATION
- # description: "Configuration for velero backup storage."
 keycloak:
 keycloak:
 values:
From 8ce5788844286426ac3518844aebe86db1319f21 Mon Sep 17 00:00:00 2001
From: ablanchard
Date: Wed, 10 Jul 2024 16:17:02 -0700
Subject: [PATCH 14/17] disabling autoscaling for now
---
 bundles/uds-core-swf/uds-bundle.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/bundles/uds-core-swf/uds-bundle.yaml b/bundles/uds-core-swf/uds-bundle.yaml
index 3993b4c0..c414638e 100644
--- a/bundles/uds-core-swf/uds-bundle.yaml
+++ b/bundles/uds-core-swf/uds-bundle.yaml
@@ -234,7 +234,7 @@ packages:
 - path: "devMode"
 value: "false"
 - path: "autoscaling.enabled"
- value: "true"
+ value: "false"
 - path: "persistence.providers.enabled"
 value: "true"
 - path: "persistence.accessMode"
From f6d04b809a98123fd2fa8d71560e841323250cff Mon Sep 17 00:00:00 2001
From: ablanchard
Date: Wed, 10 Jul 2024 16:31:58 -0700
Subject: [PATCH 15/17] addressing PR comments
---
 bundles/uds-core-swf/uds-bundle.yaml | 17 -----------------
 .../mattermost/ca-secret.yaml | 8 --------
 packages/additional-manifests/zarf.yaml | 6 ------
 tasks/deploy.yaml | 1 +
 4 files changed, 1 insertion(+), 31 deletions(-)
 delete mode 100644 packages/additional-manifests/mattermost/ca-secret.yaml
diff --git a/bundles/uds-core-swf/uds-bundle.yaml b/bundles/uds-core-swf/uds-bundle.yaml
index c414638e..1e7165b2 100644
--- a/bundles/uds-core-swf/uds-bundle.yaml
+++ b/bundles/uds-core-swf/uds-bundle.yaml
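Review bot: `autoscaling.enabled` is flipped to `"false"` in the `@@ -234,7 +234,7 @@` hunk with the reason living only in the commit subject ("disabling autoscaling for now"), so the next reader of the bundle cannot tell whether this is a temporary workaround or the intended setting; a comment on the value, `# autoscaling disabled pending <reason-placeholder>; re-enable once resolved`, keeps that in the file. The `devMode: "false"` override two lines above was enabled earlier in the series ([PATCH 11/17]) with no note either, so the same one-line comment treatment would suit both.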
@@ -74,18 +74,6 @@ packages:
 overrides:
 grafana:
 grafana:
- # Remove if extra_volumes works
- # values:
- # - path: global.extraSecretMounts
- # value:
- # - name: additional-ca-certs
- # # path from example configmap mount
- # # mountPath: /etc/grafana/ssl/
- # # actual path for ubi9
- # mountPath: /etc/pki/tls/certs/
- # subpath: "ca-bundle.crt"
- # secretName: ca-secret
- # readOnly: true
 values:
 - path: extraVolumes
 value: *extra-volumes
@@ -322,11 +310,6 @@ packages:
 - name: LOKI_S3_SECRET_ACCESS_KEY
 path: loki.storage.s3.secretAccessKey
 description: "The S3 Secret Access Key"
- # Remove if extra_volumes works and S3 CA doesn't explicitly need set
- # - name: LOKI_TLS_CERT_PATH
- # path: loki.storage.s3.http_config.ca_file
- # description: "CA chain to trust for connections S3 buckets"
- # default: "/etc/ssl/certs/ca.crt"
 - name: LOKI_WRITE_REPLICAS
 path: write.replicas
 description: "Loki write replicas"
diff --git a/packages/additional-manifests/mattermost/ca-secret.yaml b/packages/additional-manifests/mattermost/ca-secret.yaml
deleted file mode 100644
index c5afdc87..00000000
--- a/packages/additional-manifests/mattermost/ca-secret.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
- name: ca-secret
- namespace: mattermost
-type: kubernetes.io/opaque
-data:
- ca.crt: "###ZARF_VAR_ADDITIONAL_CA_CHAIN###"
diff --git a/packages/additional-manifests/zarf.yaml b/packages/additional-manifests/zarf.yaml
index 7d65234c..430065df 100644
--- a/packages/additional-manifests/zarf.yaml
+++ b/packages/additional-manifests/zarf.yaml
@@ -30,9 +30,3 @@ components:
 - pepr-policy-exemptions/nutanix-csi-exemptions.yaml
 - pepr-policy-exemptions/metallb-exemptions.yaml
 - pepr-policy-exemptions/gitlab-exemptions.yaml
- # - name: mattermost-ca-secret
- # required: true
- # manifests:
- # - name: mattermost-ca-secret
- # files:
- # - mattermost/ca-secret.yaml
diff --git a/tasks/deploy.yaml b/tasks/deploy.yaml
index 9483c05d..894cfd6a 100644
--- a/tasks/deploy.yaml
+++ b/tasks/deploy.yaml
@@ -7,6 +7,7 @@ variables:
 default: "ghcr.io/defenseunicorns/build-harness/build-harness:2.0.28"
 - name: BUNDLE_VERSION
 description: "Version of the bundle to deploy"
+ # TODO - add release-please support
 default: "0.2.16"
 
 tasks:
From 472d1a7b9816f3170eba47ace15d9c5ce2787194 Mon Sep 17 00:00:00 2001
From: Jacob May
Date: Thu, 11 Jul 2024 16:01:38 +0000
Subject: [PATCH 16/17] Fix deploy task
---
 tasks/deploy.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tasks/deploy.yaml b/tasks/deploy.yaml
index 9483c05d..aa321e40 100644
--- a/tasks/deploy.yaml
+++ b/tasks/deploy.yaml
@@ -25,4 +25,4 @@ tasks:
 default: ./scratch/configs/dev
 description: Input for the path to the directory containing the uds-config.yaml to use for deploying the bundle
 actions:
- - cmd: docker run --rm -e ARCH=${ARCH} -e BUNDLE_VERSION=${BUNDLE_VERSION} -e UDS_CONFIG=/configs/uds-config.yaml -e KUBECONFIG=/configs/kubeconfig -v /tmp:/tmp -v ${INPUT_CONFIG_DIR}:/configs -v ${INPUT_BUILD_DIR}:/build ${DEPLOY_IMAGE} bash -c 'uds deploy /build/uds-bundle-software-factory-nutanix-${ARCH}-${BUNDLE_VERSION}.tar.zst -p core --confirm'
+ - cmd: docker run --rm -e ARCH=${ARCH} -e BUNDLE_VERSION=${BUNDLE_VERSION} -e UDS_CONFIG=/configs/uds-config.yaml -e KUBECONFIG=/configs/kubeconfig -v /tmp:/tmp -v ${INPUT_CONFIG_DIR}:/configs -v ${INPUT_BUILD_DIR}:/build ${DEPLOY_IMAGE} bash -c 'uds deploy /build/uds-bundle-software-factory-nutanix-${ARCH}-${BUNDLE_VERSION}.tar.zst --confirm'
From 8c305c767be0dc2497c70650e20f0e099d1970ba Mon Sep 17 00:00:00 2001
From: Jacob May
Date: Thu, 11 Jul 2024 18:26:31 +0000
Subject: [PATCH 17/17] Remove velero backup configuration override since it didn't resolve streaming error
---
 bundles/uds-core-swf/uds-bundle.yaml | 4 ----
 1 file changed, 4 deletions(-)
diff --git a/bundles/uds-core-swf/uds-bundle.yaml b/bundles/uds-core-swf/uds-bundle.yaml
index 1e7165b2..cefdff23 100644
--- a/bundles/uds-core-swf/uds-bundle.yaml
+++ b/bundles/uds-core-swf/uds-bundle.yaml
@@ -123,10 +123,6 @@ packages:
 limits:
 cpu: 1
 memory: 2Gi
- # TODO: remove if not needed. Trying to updated trusted certs via container host first
- - name: BACKUP_STORAGE_LOCATION
- path: configuration.backupStorageLocation
- description: "Configuration for velero backup storage."
 values:
 - path: initContainers
 value: