From db63259a72786a836661c6e2a5c04aa301a85e2a Mon Sep 17 00:00:00 2001
From: awendt
Date: Tue, 30 Jan 2024 14:31:08 -0700
Subject: [PATCH] chore: update zarf and dubbd (#39)
---
 .github/workflows/publish-package.yml | 4 ++--
 Makefile | 6 +++---
 .../postgres/policy-exceptions/host-path.yaml | 19 +++++++++++++++++++
 .../policy-exceptions/non-root-group.yaml | 19 +++++++++++++++++++
 utils/pkg-deps/sonarqube/postgres/zarf.yaml | 2 ++
 5 files changed, 45 insertions(+), 5 deletions(-)
 create mode 100644 utils/pkg-deps/sonarqube/postgres/policy-exceptions/host-path.yaml
 create mode 100644 utils/pkg-deps/sonarqube/postgres/policy-exceptions/non-root-group.yaml
diff --git a/.github/workflows/publish-package.yml b/.github/workflows/publish-package.yml
index 4e99ae3..df553e6 100644
--- a/.github/workflows/publish-package.yml
+++ b/.github/workflows/publish-package.yml
@@ -47,10 +47,10 @@ jobs:
 uses: supplypike/setup-bin@v3
 with:
 # renovate: zarf-uri datasource=github-tags depName=defenseunicorns/zarf
- uri: 'https://github.com/defenseunicorns/zarf/releases/download/v0.31.4/zarf_v0.31.4_Linux_amd64'
+ uri: 'https://github.com/defenseunicorns/zarf/releases/download/v0.32.2/zarf_v0.32.2_Linux_amd64'
 name: 'zarf'
 # renovate: datasource=github-tags depName=defenseunicorns/zarf versioning=semver
- version: 'v0.31.4'
+ version: 'v0.32.2'
 - name: Build sonarqube package
 run: zarf package create --confirm --no-progress
diff --git a/Makefile b/Makefile
index 27ef5ce..6c9437e 100755
--- a/Makefile
+++ b/Makefile
@@ -1,14 +1,14 @@
 # The version of Zarf to use. To keep this repo as portable as possible the Zarf binary will be downloaded and added to
 # the build folder.
 # renovate: datasource=github-tags depName=defenseunicorns/zarf
-ZARF_VERSION := v0.31.4
+ZARF_VERSION := v0.32.2
 # The version of the build harness container to use
 BUILD_HARNESS_REPO := ghcr.io/defenseunicorns/build-harness/build-harness
 # renovate: datasource=docker depName=ghcr.io/defenseunicorns/build-harness/build-harness
 BUILD_HARNESS_VERSION := 1.14.8
 # renovate: datasource=docker depName=ghcr.io/defenseunicorns/packages/dubbd-k3d extractVersion=^(?\d+\.\d+\.\d+)
-DUBBD_K3D_VERSION := 0.16.0
+DUBBD_K3D_VERSION := 0.17.0
 # Figure out which Zarf binary we should use based on the operating system we are on
 ZARF_BIN := zarf
@@ -159,7 +159,7 @@ build/zarf-init: | build ## Download the init package
 .PHONY: build/dubbd-k3d
 build/dubbd-k3d: | build/zarf ## Download dubbd k3d oci package
 if [ -f build/zarf-package-dubbd-k3d-amd64-$(DUBBD_K3D_VERSION).tar.zst ] ; then exit 0; fi && \
- cd build && ./zarf package pull oci://ghcr.io/defenseunicorns/packages/dubbd-k3d:$(DUBBD_K3D_VERSION)-amd64 --oci-concurrency 12
+ cd build && ./zarf package pull oci://ghcr.io/defenseunicorns/packages/dubbd-k3d:$(DUBBD_K3D_VERSION) -a amd64 --oci-concurrency 12
 build/test-pkg-deps: | build/zarf ## Build package dependencies for testing
 cd build && ./zarf package create ../utils/pkg-deps/namespaces/ --skip-sbom --confirm
diff --git a/utils/pkg-deps/sonarqube/postgres/policy-exceptions/host-path.yaml b/utils/pkg-deps/sonarqube/postgres/policy-exceptions/host-path.yaml
new file mode 100644
index 0000000..7e9bcae
--- /dev/null
+++ b/utils/pkg-deps/sonarqube/postgres/policy-exceptions/host-path.yaml
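Review bot: The pull on the new `cd build && ./zarf package pull oci://ghcr.io/defenseunicorns/packages/dubbd-k3d:$(DUBBD_K3D_VERSION) -a amd64 ...` line still fetches the bundle by a mutable version tag, and the unchanged guard above it only checks that `build/zarf-package-dubbd-k3d-amd64-$(DUBBD_K3D_VERSION).tar.zst` exists, so neither step confirms that the cached archive is the artifact originally published under that version. Consider recording the expected digest or checksum of the pulled archive next to `DUBBD_K3D_VERSION` and comparing it before the target succeeds, so a re-pushed or tampered tag is caught at build time rather than at deploy. Moving the architecture from the `-amd64` tag suffix to `-a amd64` presumably leaves the output file under the name the guard looks for; if it lands under a different name the guard never fires and every build re-pulls, which is worth confirming with one run.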
@@ -0,0 +1,19 @@
+apiVersion: kyverno.io/v2alpha1
+kind: PolicyException
+metadata:
+ name: sonarqube-postgres-host-path-exception
+ namespace: sonarqube-db
+spec:
+ exceptions:
+ - policyName: restrict-host-path-write
+ ruleNames:
+ - require-readonly-hostpath
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ namespaces:
+ - sonarqube-db
+ names:
+ - postgresql-0
diff --git a/utils/pkg-deps/sonarqube/postgres/policy-exceptions/non-root-group.yaml b/utils/pkg-deps/sonarqube/postgres/policy-exceptions/non-root-group.yaml
new file mode 100644
index 0000000..c208469
--- /dev/null
+++ b/utils/pkg-deps/sonarqube/postgres/policy-exceptions/non-root-group.yaml
@@ -0,0 +1,19 @@
+apiVersion: kyverno.io/v2alpha1
+kind: PolicyException
+metadata:
+ name: sonarqube-postgres-non-root-group-exception
+ namespace: sonarqube-db
+spec:
+ exceptions:
+ - policyName: require-non-root-group
+ ruleNames:
+ - run-as-group
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ namespaces:
+ - sonarqube-db
+ names:
+ - postgresql-0
diff --git a/utils/pkg-deps/sonarqube/postgres/zarf.yaml b/utils/pkg-deps/sonarqube/postgres/zarf.yaml
index 7f4cdee..891266e 100644
--- a/utils/pkg-deps/sonarqube/postgres/zarf.yaml
+++ b/utils/pkg-deps/sonarqube/postgres/zarf.yaml
@@ -15,6 +15,8 @@ components:
 files:
 - policy-exceptions/externalName.yaml
 - policy-exceptions/registry.yaml
+ - policy-exceptions/host-path.yaml
+ - policy-exceptions/non-root-group.yaml
 - name: postgres-istio-exceptions
 required: true
 manifests:
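Review bot: The exception lifts the `require-readonly-hostpath` rule for `postgresql-0` but records nothing about why that pod needs a writable hostPath or when the exemption should be revisited, so a later reviewer cannot tell whether it is still required after a chart or dubbd bump. Add a header comment above `apiVersion`, for example `# Why: <reason the postgres pod writes to a hostPath> — re-evaluate on the next postgres chart / dubbd upgrade`; the same gap applies to non-root-group.yaml in the next hunk, which exempts the `run-as-group` rule of `require-non-root-group` for the same pod. Scoping the match to one named Pod in `sonarqube-db` is the right default, since every other pod stays subject to the policy, though presumably a second StatefulSet replica would not be named `postgresql-0` and would be blocked rather than exempted — confirm that is the intended failure mode. `kyverno.io/v2alpha1` is an alpha API; confirm the Kyverno version shipped with the bundle still serves it.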