chore: update zarf and dubbd (#27)

chore: update mattermost to 9.3.0-bb.1

.github/workflows/publish-package.yml

@@ -47,10 +47,10 @@ jobs:
         uses: supplypike/setup-bin@v3
         with:
           # renovate: zarf-uri datasource=github-tags depName=defenseunicorns/zarf
-          uri: 'https://github.com/defenseunicorns/zarf/releases/download/v0.31.4/zarf_v0.31.4_Linux_amd64'
+          uri: 'https://github.com/defenseunicorns/zarf/releases/download/v0.32.2/zarf_v0.32.2_Linux_amd64'
           name: 'zarf'
           # renovate: datasource=github-tags depName=defenseunicorns/zarf versioning=semver
-          version: 'v0.31.4'
+          version: 'v0.32.2'
 
       - name: Build mattermost package
         run: zarf package create --confirm --no-progress

Makefile

@@ -1,14 +1,14 @@
 # The version of Zarf to use. To keep this repo as portable as possible the Zarf binary will be downloaded and added to
 # the build folder.
 # renovate: datasource=github-tags depName=defenseunicorns/zarf
-ZARF_VERSION := v0.31.4
+ZARF_VERSION := v0.32.2
 
 # The version of the build harness container to use
 BUILD_HARNESS_REPO := ghcr.io/defenseunicorns/build-harness/build-harness
 # renovate: datasource=docker depName=ghcr.io/defenseunicorns/build-harness/build-harness
 BUILD_HARNESS_VERSION := 1.14.8
 # renovate: datasource=docker depName=ghcr.io/defenseunicorns/packages/dubbd-k3d extractVersion=^(?<version>\d+\.\d+\.\d+)
-DUBBD_K3D_VERSION := 0.15.0
+DUBBD_K3D_VERSION := 0.17.0
 
 # Figure out which Zarf binary we should use based on the operating system we are on
 ZARF_BIN := zarf
@@ -159,7 +159,7 @@ build/zarf-init: | build ## Download the init package
 .PHONY: build/dubbd-k3d
 build/dubbd-k3d: | build/zarf ## Download dubbd k3d oci package
 	if [ -f build/zarf-package-dubbd-k3d-amd64-$(DUBBD_K3D_VERSION).tar.zst ] ; then exit 0; fi && \
-	cd build && ./zarf package pull oci://ghcr.io/defenseunicorns/packages/dubbd-k3d:$(DUBBD_K3D_VERSION)-amd64 --oci-concurrency 12
+	cd build && ./zarf package pull oci://ghcr.io/defenseunicorns/packages/dubbd-k3d:$(DUBBD_K3D_VERSION) -a amd64 --oci-concurrency 12
 
 build/test-pkg-deps: | build/zarf ## Build package dependencies for testing
 	cd build && ./zarf package create ../utils/pkg-deps/namespaces/ --skip-sbom --confirm

mattermost-flux-values.yaml

@@ -6,7 +6,7 @@ application:
   repository: https://repo1.dso.mil/big-bang/product/packages/mattermost.git
   ref:
     # renovate: datasource=gitlab-tags depName=big-bang/product/packages/mattermost versioning=loose registryUrl=https://repo1.dso.mil
-    tag: v9.2.3-bb.1
+    tag: 9.3.0-bb.1
   dependsOn:
     ###ZARF_VAR_MATTERMOST_DEPENDS_ON###
   baseValues:

utils/pkg-deps/mattermost/minio/policy-exceptions/host-path.yaml

@@ -0,0 +1,19 @@
+apiVersion: kyverno.io/v2alpha1
+kind: PolicyException
+metadata:
+  name: mattermost-minio-host-path-exception
+  namespace: mattermost-minio
+spec:
+  exceptions:
+  - policyName: restrict-host-path-write
+    ruleNames:
+    - require-readonly-hostpath
+  match:
+    any:
+    - resources:
+        kinds:
+        - Pod
+        namespaces:
+        - mattermost-minio
+        names:
+        - minio-post-job-*

utils/pkg-deps/mattermost/minio/policy-exceptions/non-root-group.yaml

@@ -0,0 +1,19 @@
+apiVersion: kyverno.io/v2alpha1
+kind: PolicyException
+metadata:
+  name: mattermost-minio-non-root-group-exception
+  namespace: mattermost-minio
+spec:
+  exceptions:
+  - policyName: require-non-root-group
+    ruleNames:
+    - run-as-group
+  match:
+    any:
+    - resources:
+        kinds:
+        - Pod
+        namespaces:
+        - mattermost-minio
+        names:
+        - minio-post-job-*

utils/pkg-deps/mattermost/minio/zarf.yaml

@@ -15,6 +15,8 @@ components:
         files:
           - policy-exceptions/registry.yaml
           - policy-exceptions/non-root-user.yaml
+          - policy-exceptions/host-path.yaml
+          - policy-exceptions/non-root-group.yaml
   - name: minio-istio-exceptions
     required: true
     manifests:

utils/pkg-deps/mattermost/postgres/policy-exceptions/host-path.yaml

@@ -0,0 +1,19 @@
+apiVersion: kyverno.io/v2alpha1
+kind: PolicyException
+metadata:
+  name: mattermost-postgres-host-path-exception
+  namespace: mattermost-db
+spec:
+  exceptions:
+  - policyName: restrict-host-path-write
+    ruleNames:
+    - require-readonly-hostpath
+  match:
+    any:
+    - resources:
+        kinds:
+        - Pod
+        namespaces:
+        - mattermost-db
+        names:
+        - postgresql-0

utils/pkg-deps/mattermost/postgres/policy-exceptions/non-root-group.yaml

@@ -0,0 +1,19 @@
+apiVersion: kyverno.io/v2alpha1
+kind: PolicyException
+metadata:
+  name: mattermost-postgres-non-root-group-exception
+  namespace: mattermost-db
+spec:
+  exceptions:
+  - policyName: require-non-root-group
+    ruleNames:
+    - run-as-group
+  match:
+    any:
+    - resources:
+        kinds:
+        - Pod
+        namespaces:
+        - mattermost-db
+        names:
+        - postgresql-0

utils/pkg-deps/mattermost/postgres/zarf.yaml

@@ -15,6 +15,8 @@ components:
         files:
           - policy-exceptions/externalName.yaml
           - policy-exceptions/registry.yaml
+          - policy-exceptions/host-path.yaml
+          - policy-exceptions/non-root-group.yaml
   - name: db-istio-exceptions
     required: true
     manifests:

zarf.yaml

@@ -99,10 +99,10 @@ components:
         valuesFiles:
           - mattermost-flux-values.yaml
     repos:
-      - https://repo1.dso.mil/big-bang/product/packages/mattermost.git@v9.2.3-bb.1
+      - https://repo1.dso.mil/big-bang/product/packages/mattermost.git@9.3.0-bb.1
     images:
-      - "registry1.dso.mil/ironbank/opensource/mattermost/mattermost:v9.2.3"
-      - "registry1.dso.mil/ironbank/opensource/postgres/postgresql12:12.16"
+      - "registry1.dso.mil/ironbank/opensource/mattermost/mattermost:v9.3.0"
+      - "registry1.dso.mil/ironbank/opensource/postgres/postgresql12:12.17"
     actions:
       onDeploy:
         after: