feat: Custom ca cert support

bundles/uds-core-swf/uds-bundle.yaml

@@ -8,6 +8,22 @@ metadata:
   # x-release-please-end
   architecture: amd64
 
+x-extra-volume-mounts: &extra-volume-mounts
+  - name: trust-bundle
+    mountPath: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
+    subPath: "ca-bundle.crt"
+    readOnly: true
+  - name: trust-bundle
+    mountPath: /etc/pki/ca-trust/extracted/java/cacerts
+    subPath: "ca-bundle.jks"
+    readOnly: true
+
+x-extra-volumes: &extra-volumes
+  - name: trust-bundle
+    configMap:
+      name: trust-bundle
+      defaultMode: 0644
+
 x-gitlab-init-security-context: &gitlab-init-security-context
   privileged: true
   readOnlyRootFilesystem: false
@@ -38,6 +54,14 @@ packages:
   - name: software-factory-namespaces
     path: ../../build
     ref: 1.0.0
+
+  - name: trust-manager
+    path: ../../build
+    ref: 0.0.1
+
+  - name: trust-bundles
+    path: ../../build
+    ref: 0.0.1
 
   # MetalLB
   - name: metallb
@@ -50,6 +74,11 @@ packages:
     overrides:
       grafana:
         grafana:
+          values:
+            - path: extraVolumes
+              value: *extra-volumes
+            - path: extraVolumeMounts
+              value: *extra-volume-mounts
           variables:
             - name: GRAFANA_RESOURCE_CONFIG
               path: resources
@@ -179,20 +208,27 @@ packages:
                     includedNamespaces:
                       - gitlab
                     ttl: "240h"
+            - path: extraVolumes
+              value: *extra-volumes
+            - path: extraVolumeMounts
+              value: *extra-volume-mounts
       keycloak:
         keycloak:
           values:
-            # TODO - test/debug
-            # - path: "devMode"
-            #   value: "false"
-            # - path: "autoscaling.enabled"
-            #   value: "true"
+            - path: "devMode"
+              value: "false"
+            - path: "autoscaling.enabled"
+              value: "false"
             - path: "persistence.providers.enabled"
               value: "true"
             - path: "persistence.accessMode"
               value: "ReadWriteMany"
             - path: "persistence.storageClassName"
               value: "nutanix-dynamicfile"
+            - path: extraVolumes
+              value: *extra-volumes
+            - path: extraVolumeMounts
+              value: *extra-volume-mounts
           variables:
             - name: KEYCLOAK_DB_USERNAME
               description: "keycloak database username"
@@ -229,6 +265,22 @@ packages:
             # Override default dns service name for Loki Gateway
             - path: "global.dnsService"
               value: "rke2-coredns-rke2-coredns"
+            - path: backend.extraVolumes
+              value: *extra-volumes
+            - path: backend.extraVolumeMounts
+              value: *extra-volume-mounts
+            - path: gateway.extraVolumes
+              value: *extra-volumes
+            - path: gateway.extraVolumeMounts
+              value: *extra-volume-mounts
+            - path: write.extraVolumes
+              value: *extra-volumes
+            - path: write.extraVolumeMounts
+              value: *extra-volume-mounts
+            - path: read.extraVolumes
+              value: *extra-volumes
+            - path: read.extraVolumeMounts
+              value: *extra-volume-mounts
           variables:
             - name: LOKI_CHUNKS_BUCKET
               description: "The object storage bucket for Loki chunks"
@@ -383,7 +435,9 @@ packages:
           values:
             - path: global.certificates.customCAs
               value:
-                - secret: ca-secret
+                - configMap: trust-bundle
+                  keys:
+                    - ca-bundle.crt
             - path: gitlab.webservice.init.containerSecurityContext
               value: *gitlab-init-security-context
             - path: gitlab.toolbox.init.containerSecurityContext
@@ -445,7 +499,15 @@ packages:
   - name: gitlab-runner
     repository: ghcr.io/defenseunicorns/packages/uds/gitlab-runner
     ref: 17.0.0-uds.0-registry1
-
+    overrides:
+      gitlab-runner:
+        gitlab-runner:
+          values:
+            - path: volumes
+              value: *extra-volumes
+            - path: volumeMounts
+              value: *extra-volume-mounts
+
   ### TODO - uncomment to replace functionality post MVP
 
   # # Sonarqube
@@ -619,10 +681,14 @@ packages:
               value:
                 - host: nexus-docker.${DOMAIN}
                   port: 5000
+            - path: deployment.additionalVolumes
+              value: *extra-volumes
+            - path: deployment.additionalVolumeMounts
+              value: *extra-volume-mounts
         uds-nexus-config:
           variables:
-            - path: "sso.enabled"
-              name: NEXUS_SSO_ENABLED
+            - name: NEXUS_SSO_ENABLED
+              path: "sso.enabled"
           values:
             - path: additionalNetworkExposures
               value:

packages/additional-manifests/zarf.yaml

@@ -10,8 +10,6 @@ variables:
   - name: DOMAIN
     description: "Domain to be used in VS hosts and gateway config"
     default: "mtsi.bigbang.dev"
-  - name: ADDITIONAL_CA_CHAIN
-    description: "Additional CA chain"
 
 components:
   - name: gitlab-additional-manifests
@@ -24,7 +22,6 @@ components:
           - gitlab/gitlab-ssh-networkpolicies.yaml
           - gitlab/gitlab-ssh-gateway.yaml
           - gitlab/envoy-filter.yaml
-          - gitlab/ca-secret.yaml
   - name: pepr-policy-exemptions
     required: true
     manifests:
@@ -33,9 +30,3 @@ components:
           - pepr-policy-exemptions/nutanix-csi-exemptions.yaml
           - pepr-policy-exemptions/metallb-exemptions.yaml
           - pepr-policy-exemptions/gitlab-exemptions.yaml
-  - name: mattermost-ca-secret
-    required: true
-    manifests:
-      - name: mattermost-ca-secret
-        files:
-          - mattermost/ca-secret.yaml

packages/namespaces/values.yaml

@@ -33,3 +33,4 @@ namespaces:
   - name: keycloak
     labels:
       istio-injection: enabled
+  - name: cert-manager

packages/trust-bundles/ca-secret.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: ca-chain
+  namespace: cert-manager
+type: kubernetes.io/opaque
+data:
+  chain.crt: "###ZARF_VAR_ADDITIONAL_CA_CHAIN###"

packages/trust-bundles/trust-bundle.yaml

@@ -0,0 +1,30 @@
+apiVersion: trust.cert-manager.io/v1alpha1
+kind: Bundle
+metadata:
+  name: trust-bundle # The bundle name will also be used for the target
+spec:
+  sources:
+  # Include a bundle of publicly trusted certificates which can be
+  # used to validate most TLS certificates on the internet, such as
+  # those issued by Let's Encrypt, Google, Amazon and others.
+  - useDefaultCAs: true
+
+  # Custom CA chain provided via zarf variable
+  - secret:
+      name: "ca-chain"
+      key: "chain.crt"
+
+  target:
+    # Sync the bundle to a ConfigMap called `trust-bundle` in every namespace which
+    # has the label "app.kubernetes.io/managed-by=zarf"
+    # All ConfigMaps will include a PEM-formatted bundle, here named "ca-bundle.crt"
+    # and in this case we also request a binary formatted bundles in JKS format,
+    # here named "ca-bundle.jks".
+    configMap:
+      key: "ca-bundle.crt"
+    additionalFormats:
+      jks:
+        key: "ca-bundle.jks"
+    namespaceSelector:
+      matchLabels:
+        app.kubernetes.io/managed-by: "zarf"

packages/trust-bundles/zarf.yaml

@@ -0,0 +1,29 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/defenseunicorns/zarf/main/zarf.schema.json
+kind: ZarfPackageConfig
+metadata:
+  name: trust-bundles
+  description: "Configures ca trust bundles used by trust-manager to enable services to trust custom CAs"
+  architecture: "amd64"
+  version: "0.0.1"
+
+variables:
+  - name: ADDITIONAL_CA_CHAIN
+    description: "Additional CA chain"
+
+components:
+  # Create secret containing custom CA Chain
+  - name: ca-chain
+    required: true
+    manifests:
+      - name: ca-chain
+        namespace: cert-manager
+        files:
+          - ca-secret.yaml
+  # Create trust-manager bundle containing public CAs and custom CA chain
+  - name: trust-bundle
+    required: true
+    manifests:
+      - name: trust-bundle
+        namespace: cert-manager
+        files:
+          - trust-bundle.yaml

packages/trust-manager/values/cert-manager.yaml

@@ -0,0 +1,4 @@
+global:
+  imagePullSecrets:
+    - name: "private-registry"
+installCRDs: true

packages/trust-manager/values/trust-manager.yaml

@@ -0,0 +1,2 @@
+imagePullSecrets:
+  - name: "private-registry"

packages/trust-manager/zarf.yaml

@@ -0,0 +1,34 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/defenseunicorns/zarf/main/zarf.schema.json
+kind: ZarfPackageConfig
+metadata:
+  name: trust-manager
+  description: "Trust manager service for distributing trusted CA bundles to other namespaces"
+  version: "0.0.1"
+  architecture: amd64
+
+components:
+  - name: trust-manager-images
+    required: true
+    images:
+      - quay.io/jetstack/trust-manager:v0.11.0
+      - quay.io/jetstack/cert-manager-package-debian:20210119.0
+      - quay.io/jetstack/cert-manager-controller:v1.14.5
+      - quay.io/jetstack/cert-manager-webhook:v1.14.5
+      - quay.io/jetstack/cert-manager-cainjector:v1.14.5
+      - quay.io/jetstack/cert-manager-acmesolver:v1.14.5
+      - quay.io/jetstack/cert-manager-startupapicheck:v1.14.5
+  - name: trust-manager
+    required: true
+    charts:
+      - name: cert-manager
+        version: 1.14.5
+        namespace: cert-manager
+        url: https://charts.jetstack.io/
+        valuesFiles:
+          - values/cert-manager.yaml
+      - name: trust-manager
+        version: 0.11.0
+        namespace: cert-manager
+        url: https://charts.jetstack.io/
+        valuesFiles:
+          - values/trust-manager.yaml

tasks.yaml

@@ -1,5 +1,6 @@
 includes:
   - create: ./tasks/create.yaml
+  - deploy: ./tasks/deploy.yaml
 
 tasks:
   ################
@@ -15,7 +16,28 @@ tasks:
       - task: create:object-store-packages
       - task: create:additional-manifests-package
       - task: create:init-package
+      - task: create:trust-manager-package
+      - task: create:trust-bundles-package
       - task: create:bundle
+  ################
+  #  Deploy
+  ################
+  - name: uds-version
+    description: Check version of UDS being used to deploy
+    actions:
+      - task: deploy:uds-version
+
+  - name: deploy-dev
+    description: Deploy bundle to dev cluster
+    actions:
+      - task: deploy:deploy-bundle
+
+  - name: deploy-test
+    description: Deploy bundle to test cluster
+    actions:
+      - task: deploy:deploy-bundle
+        with:
+          config-dir: ./scratch/configs/test
 
   #### Clean ####
   - name: clean

tasks/create.yaml

@@ -55,3 +55,13 @@ tasks:
     description: Create init package with Nutanix CSI driver.
     actions:
       - cmd: ZARF_CONFIG=./packages/init/zarf-config.yaml ./uds zarf package create ./packages/init --set AGENT_IMAGE_TAG=$(uds zarf version) --confirm --no-progress --architecture=${ARCH} --skip-sbom --output ./build
+
+  - name: trust-manager-package
+    description: Create trust-manager package.
+    actions:
+      - cmd: ./uds zarf package create ./packages/trust-manager --confirm --no-progress --architecture=${ARCH} --skip-sbom --output ./build
+
+  - name: trust-bundles-package
+    description: Create trust-bundle package for adding custom CAs.
+    actions:
+      - cmd: ./uds zarf package create ./packages/trust-bundles --confirm --no-progress --architecture=${ARCH} --skip-sbom --output ./build

tasks/deploy.yaml

@@ -0,0 +1,29 @@
+variables:
+  - name: ARCH
+    description: "What architecture to use"
+    default: "amd64"
+  - name: DEPLOY_IMAGE
+    description: "Container image to use to run uds deploy in"
+    default: "ghcr.io/defenseunicorns/build-harness/build-harness:2.0.28"
+  - name: BUNDLE_VERSION
+    description: "Version of the bundle to deploy"
+    # TODO - add release-please support
+    default: "0.2.16"
+
+tasks:
+  - name: uds-version
+    description: Check the UDS version in the build harness being used
+    actions:
+      - cmd: docker run --rm ${DEPLOY_IMAGE} bash -c 'uds version'
+
+  - name: deploy-bundle
+    description: Deploy bundle based on configured input build and config directories
+    inputs:
+      build-dir:
+        default: ./build
+        description: Input for the path to the build directory containing the uds bundle to deploy
+      config-dir:
+        default: ./scratch/configs/dev
+        description: Input for the path to the directory containing the uds-config.yaml to use for deploying the bundle
+    actions:
+      - cmd: docker run --rm -e ARCH=${ARCH} -e BUNDLE_VERSION=${BUNDLE_VERSION} -e UDS_CONFIG=/configs/uds-config.yaml -e KUBECONFIG=/configs/kubeconfig -v /tmp:/tmp -v ${INPUT_CONFIG_DIR}:/configs -v ${INPUT_BUILD_DIR}:/build ${DEPLOY_IMAGE} bash -c 'uds deploy /build/uds-bundle-software-factory-nutanix-${ARCH}-${BUNDLE_VERSION}.tar.zst --confirm'