From afd81ff505a88f81148a2f19e31c89db9c5d90be Mon Sep 17 00:00:00 2001 From: awendt Date: Tue, 30 Jan 2024 14:29:23 -0700 Subject: [PATCH] chore: update zarf and dubbd (#27) chore: update mattermost to 9.3.0-bb.1 --- .github/workflows/publish-package.yml | 4 ++-- Makefile | 6 +++--- mattermost-flux-values.yaml | 2 +- .../minio/policy-exceptions/host-path.yaml | 19 +++++++++++++++++++ .../policy-exceptions/non-root-group.yaml | 19 +++++++++++++++++++ utils/pkg-deps/mattermost/minio/zarf.yaml | 2 ++ .../postgres/policy-exceptions/host-path.yaml | 19 +++++++++++++++++++ .../policy-exceptions/non-root-group.yaml | 19 +++++++++++++++++++ utils/pkg-deps/mattermost/postgres/zarf.yaml | 2 ++ zarf.yaml | 6 +++--- 10 files changed, 89 insertions(+), 9 deletions(-) create mode 100644 utils/pkg-deps/mattermost/minio/policy-exceptions/host-path.yaml create mode 100644 utils/pkg-deps/mattermost/minio/policy-exceptions/non-root-group.yaml create mode 100644 utils/pkg-deps/mattermost/postgres/policy-exceptions/host-path.yaml create mode 100644 utils/pkg-deps/mattermost/postgres/policy-exceptions/non-root-group.yaml diff --git a/.github/workflows/publish-package.yml b/.github/workflows/publish-package.yml index fa0ec80..19cfdf6 100644 --- a/.github/workflows/publish-package.yml +++ b/.github/workflows/publish-package.yml @@ -47,10 +47,10 @@ jobs: uses: supplypike/setup-bin@v3 with: # renovate: zarf-uri datasource=github-tags depName=defenseunicorns/zarf - uri: 'https://github.com/defenseunicorns/zarf/releases/download/v0.31.4/zarf_v0.31.4_Linux_amd64' + uri: 'https://github.com/defenseunicorns/zarf/releases/download/v0.32.2/zarf_v0.32.2_Linux_amd64' name: 'zarf' # renovate: datasource=github-tags depName=defenseunicorns/zarf versioning=semver - version: 'v0.31.4' + version: 'v0.32.2' - name: Build mattermost package run: zarf package create --confirm --no-progress diff --git a/Makefile b/Makefile index 1a6e3f4..8a14bbc 100755 --- a/Makefile +++ b/Makefile 
@@ -1,14 +1,14 @@ # The version of Zarf to use. To keep this repo as portable as possible the Zarf binary will be downloaded and added to # the build folder. # renovate: datasource=github-tags depName=defenseunicorns/zarf -ZARF_VERSION := v0.31.4 +ZARF_VERSION := v0.32.2 # The version of the build harness container to use BUILD_HARNESS_REPO := ghcr.io/defenseunicorns/build-harness/build-harness # renovate: datasource=docker depName=ghcr.io/defenseunicorns/build-harness/build-harness BUILD_HARNESS_VERSION := 1.14.8 # renovate: datasource=docker depName=ghcr.io/defenseunicorns/packages/dubbd-k3d extractVersion=^(?\d+\.\d+\.\d+) -DUBBD_K3D_VERSION := 0.15.0 +DUBBD_K3D_VERSION := 0.17.0 # Figure out which Zarf binary we should use based on the operating system we are on ZARF_BIN := zarf @@ -159,7 +159,7 @@ build/zarf-init: | build ## Download the init package .PHONY: build/dubbd-k3d build/dubbd-k3d: | build/zarf ## Download dubbd k3d oci package if [ -f build/zarf-package-dubbd-k3d-amd64-$(DUBBD_K3D_VERSION).tar.zst ] ; then exit 0; fi && \ - cd build && ./zarf package pull oci://ghcr.io/defenseunicorns/packages/dubbd-k3d:$(DUBBD_K3D_VERSION)-amd64 --oci-concurrency 12 + cd build && ./zarf package pull oci://ghcr.io/defenseunicorns/packages/dubbd-k3d:$(DUBBD_K3D_VERSION) -a amd64 --oci-concurrency 12 build/test-pkg-deps: | build/zarf ## Build package dependencies for testing cd build && ./zarf package create ../utils/pkg-deps/namespaces/ --skip-sbom --confirm diff --git a/mattermost-flux-values.yaml b/mattermost-flux-values.yaml index e4dc6ef..7606145 100644 --- a/mattermost-flux-values.yaml +++ b/mattermost-flux-values.yaml @@ -6,7 +6,7 @@ application: repository: https://repo1.dso.mil/big-bang/product/packages/mattermost.git ref: # renovate: datasource=gitlab-tags depName=big-bang/product/packages/mattermost versioning=loose registryUrl=https://repo1.dso.mil - tag: v9.2.3-bb.1 + tag: 9.3.0-bb.1 dependsOn: ###ZARF_VAR_MATTERMOST_DEPENDS_ON### baseValues: 
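Review bot: In the `build/dubbd-k3d` recipe the rewritten `zarf package pull` line still resolves `dubbd-k3d` by a mutable tag, `:$(DUBBD_K3D_VERSION)`, and nothing in the recipe checks the downloaded archive before later targets use it. A re-pushed tag would be picked up silently; recording the expected checksum next to `DUBBD_K3D_VERSION` and comparing it after the pull (for example with `sha256sum -c`) would close that gap. The early-exit guard still tests for `build/zarf-package-dubbd-k3d-amd64-$(DUBBD_K3D_VERSION).tar.zst`. Whether the new `-a amd64` form writes that same filename is not visible in this hunk and is worth confirming, because a mismatch would make every build pull again.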
diff --git a/utils/pkg-deps/mattermost/minio/policy-exceptions/host-path.yaml b/utils/pkg-deps/mattermost/minio/policy-exceptions/host-path.yaml
new file mode 100644
index 0000000..322a66f
--- /dev/null
+++ b/utils/pkg-deps/mattermost/minio/policy-exceptions/host-path.yaml
@@ -0,0 +1,19 @@
+apiVersion: kyverno.io/v2alpha1
+kind: PolicyException
+metadata:
+ name: mattermost-minio-host-path-exception
+ namespace: mattermost-minio
+spec:
+ exceptions:
+ - policyName: restrict-host-path-write
+ ruleNames:
+ - require-readonly-hostpath
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ namespaces:
+ - mattermost-minio
+ names:
+ - minio-post-job-*
diff --git a/utils/pkg-deps/mattermost/minio/policy-exceptions/non-root-group.yaml b/utils/pkg-deps/mattermost/minio/policy-exceptions/non-root-group.yaml
new file mode 100644
index 0000000..d3c5ce5
--- /dev/null
+++ b/utils/pkg-deps/mattermost/minio/policy-exceptions/non-root-group.yaml
@@ -0,0 +1,19 @@
+apiVersion: kyverno.io/v2alpha1
+kind: PolicyException
+metadata:
+ name: mattermost-minio-non-root-group-exception
+ namespace: mattermost-minio
+spec:
+ exceptions:
+ - policyName: require-non-root-group
+ ruleNames:
+ - run-as-group
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ namespaces:
+ - mattermost-minio
+ names:
+ - minio-post-job-*
diff --git a/utils/pkg-deps/mattermost/minio/zarf.yaml b/utils/pkg-deps/mattermost/minio/zarf.yaml
index d39fddf..d518263 100644
--- a/utils/pkg-deps/mattermost/minio/zarf.yaml
+++ b/utils/pkg-deps/mattermost/minio/zarf.yaml
@@ -15,6 +15,8 @@ components:
 files:
 - policy-exceptions/registry.yaml
 - policy-exceptions/non-root-user.yaml
+ - policy-exceptions/host-path.yaml
+ - policy-exceptions/non-root-group.yaml
 - name: minio-istio-exceptions
 required: true
 manifests:
diff --git a/utils/pkg-deps/mattermost/postgres/policy-exceptions/host-path.yaml b/utils/pkg-deps/mattermost/postgres/policy-exceptions/host-path.yaml
new file mode 100644
index 0000000..d20549a
--- /dev/null
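Review bot: The `names:` entry `minio-post-job-*` in minio/policy-exceptions/host-path.yaml is a wildcard on the pod name, so every pod in `mattermost-minio` whose name starts with that prefix is exempt from `require-readonly-hostpath`, not only the pods the intended job creates. A pod name is chosen by whoever creates the pod, so the exemption is only as tight as create-pod RBAC in that namespace. The same match is reused for `run-as-group` in minio/policy-exceptions/non-root-group.yaml. Nothing in the file says why a writable hostPath is needed, so add a header comment such as `# minio-post-job-* needs a writable hostPath because <reason>; remove when <condition>`. The postgres exceptions pin the exact name `postgresql-0`, which is narrower, but they carry no rationale either.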
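Review bot: The PolicyException in minio/policy-exceptions/non-root-group.yaml, like the three others added in this commit, is created in the same namespace as the pods it exempts (`namespace: mattermost-minio` here, `mattermost-db` for the postgres files). That only takes effect if the cluster's Kyverno honours exceptions from workload namespaces, and in that configuration anyone allowed to create `PolicyException` objects there can exempt their own pods. How dubbd configures this is not visible in the diff. If these packages are used beyond throwaway test clusters, confirm that setting and the RBAC on `policyexceptions`, and record the assumption at the top of each file, e.g. `# relies on Kyverno accepting exceptions from this namespace`.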
+++ b/utils/pkg-deps/mattermost/postgres/policy-exceptions/host-path.yaml
@@ -0,0 +1,19 @@
+apiVersion: kyverno.io/v2alpha1
+kind: PolicyException
+metadata:
+ name: mattermost-postgres-host-path-exception
+ namespace: mattermost-db
+spec:
+ exceptions:
+ - policyName: restrict-host-path-write
+ ruleNames:
+ - require-readonly-hostpath
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ namespaces:
+ - mattermost-db
+ names:
+ - postgresql-0
diff --git a/utils/pkg-deps/mattermost/postgres/policy-exceptions/non-root-group.yaml b/utils/pkg-deps/mattermost/postgres/policy-exceptions/non-root-group.yaml
new file mode 100644
index 0000000..a38bc55
--- /dev/null
+++ b/utils/pkg-deps/mattermost/postgres/policy-exceptions/non-root-group.yaml
@@ -0,0 +1,19 @@
+apiVersion: kyverno.io/v2alpha1
+kind: PolicyException
+metadata:
+ name: mattermost-postgres-non-root-group-exception
+ namespace: mattermost-db
+spec:
+ exceptions:
+ - policyName: require-non-root-group
+ ruleNames:
+ - run-as-group
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ namespaces:
+ - mattermost-db
+ names:
+ - postgresql-0
diff --git a/utils/pkg-deps/mattermost/postgres/zarf.yaml b/utils/pkg-deps/mattermost/postgres/zarf.yaml
index 4524b84..ecf318c 100644
--- a/utils/pkg-deps/mattermost/postgres/zarf.yaml
+++ b/utils/pkg-deps/mattermost/postgres/zarf.yaml
@@ -15,6 +15,8 @@ components:
 files:
 - policy-exceptions/externalName.yaml
 - policy-exceptions/registry.yaml
+ - policy-exceptions/host-path.yaml
+ - policy-exceptions/non-root-group.yaml
 - name: db-istio-exceptions
 required: true
 manifests:
diff --git a/zarf.yaml b/zarf.yaml
index 38932d2..9651607 100644
--- a/zarf.yaml
+++ b/zarf.yaml
@@ -99,10 +99,10 @@ components:
 valuesFiles:
 - mattermost-flux-values.yaml
 repos:
- - https://repo1.dso.mil/big-bang/product/packages/mattermost.git@v9.2.3-bb.1
+ - https://repo1.dso.mil/big-bang/product/packages/mattermost.git@9.3.0-bb.1
 images:
- - "registry1.dso.mil/ironbank/opensource/mattermost/mattermost:v9.2.3"
- - "registry1.dso.mil/ironbank/opensource/postgres/postgresql12:12.16"
+ - "registry1.dso.mil/ironbank/opensource/mattermost/mattermost:v9.3.0"
+ - "registry1.dso.mil/ironbank/opensource/postgres/postgresql12:12.17"
 actions:
 onDeploy:
 after: