refactor pre-core-exemptions validation tasks

defenseunicorns · May 2, 2024 · 4c4cd44 · 4c4cd44
1 parent 221f232
commit 4c4cd44
Show file tree

Hide file tree

Showing 12 changed files with 72 additions and 106 deletions.
diff --git a/.github/bundles/exemption/uds-bundle.yaml b/.github/bundles/exemption/uds-bundle.yaml
diff --git a/.github/bundles/exemption/uds-config.yaml b/.github/bundles/exemption/uds-config.yaml
@@ -0,0 +1,19 @@
+variables:
+  core-slim-dev:
+    PRE_CORE_EXEMPTIONS_ENABLED: true
+    PRE_CORE_EXEMPTIONS: |
+          - policies:
+              - DisallowPrivileged
+              - RequireNonRootUser
+              - DropAllCapabilities
+            title: "podinfo1"
+            matcher:
+              namespace: podinfo
+              name: "^podinfo.*"
+          - policies:
+              - DisallowNodePortServices
+            title: "podinfo2"
+            matcher:
+              namespace: podinfo
+              name: "^.*-local.*"
+              kind: service
diff --git a/.github/filters.yaml b/.github/filters.yaml
@@ -25,5 +25,3 @@ tempo:
   - "src/tempo/**"
 velero:
   - "src/velero/**"
-pre-core-exemptions:
-  - "src/pre-core-exemptions/**"
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
@@ -57,13 +57,9 @@ jobs:
         run: uds run registry-login --set REGISTRY=registry1.dso.mil --set REGISTRY_USERNAME=${{ secrets.IRON_BANK_ROBOT_USERNAME }} --set REGISTRY_PASSWORD=${{ secrets.IRON_BANK_ROBOT_PASSWORD }} --set REGISTRY_RETRY_INTERVAL=90
 
       - name: Test a single source package
-        if: ${{ inputs.package != 'all' && inputs.package != 'pre-core-exemptions' && inputs.test_type == 'install' }}
+        if: ${{ inputs.package != 'all' && inputs.test_type == 'install' }}
         run: uds run test-single-package --set FLAVOR=${{ inputs.flavor }}
 
-      - name: Test pre core exemptions package
-        if: ${{ inputs.package == 'pre-core-exemptions' && inputs.test_type == 'install'}}
-        run: uds run test-pre-core-exemptions
-
       - name: Test UDS Core Install
         if: ${{ inputs.package == 'all' && inputs.test_type == 'install' }}
         run: uds run test-uds-core --set FLAVOR=${{ inputs.flavor }}

diff --git a/bundles/k3d-slim-dev/uds-bundle.yaml b/bundles/k3d-slim-dev/uds-bundle.yaml
@@ -63,3 +63,10 @@ packages:
             - name: INSECURE_ADMIN_PASSWORD_GENERATION
               description: "Generate an insecure admin password for dev/test"
               path: insecureAdminPasswordGeneration.enabled
+      pre-core-exemptions:
+        pre-core-exemptions:
+          variables:
+            - name: PRE_CORE_EXEMPTIONS_ENABLED
+              path: enabled
+            - name: PRE_CORE_EXEMPTIONS
+              path: exemptions
diff --git a/bundles/k3d-standard/uds-bundle.yaml b/bundles/k3d-standard/uds-bundle.yaml
@@ -99,3 +99,10 @@ packages:
             - name: INSECURE_ADMIN_PASSWORD_GENERATION
               description: "Generate an insecure admin password for dev/test"
               path: insecureAdminPasswordGeneration.enabled
+      pre-core-exemptions:
+        pre-core-exemptions:
+          variables:
+            - name: PRE_CORE_EXEMPTIONS_ENABLED
+              path: enabled
+            - name: PRE_CORE_EXEMPTIONS
+              path: exemptions
diff --git a/src/pre-core-exemptions/tasks.yaml b/src/pre-core-exemptions/tasks.yaml
@@ -12,15 +12,10 @@ tasks:
             name: pre-core-exemptions
             namespace: uds-policy-exemptions
             condition: exists
-
-      - description: Get podinfo name
-        cmd: echo $(uds zarf tools kubectl get pods -n podinfo -o jsonpath='{.items[0].metadata.name}')
-        setVariables:
-          - name: PODINFO_NAME
-
-      - description: Cycle podinfo
-        cmd: uds zarf tools kubectl delete pod -n podinfo ${PODINFO_NAME}
-
+      - description: Create Podinfo Zarf Pkg
+        cmd: uds zarf package create src/pre-core-exemptions/test --confirm --no-progress
+      - description: Deploy Podinfo Zarf Pkg
+        cmd: uds zarf package deploy build/zarf-package-podinfo-*.tar.zst --confirm --no-progress
       - description: Check for podinfo to come back up
         wait:
           cluster:

diff --git a/src/pre-core-exemptions/test/values.yaml b/src/pre-core-exemptions/test/values.yaml
@@ -0,0 +1,3 @@
+securityContext:
+  runAsUser: 0
+  runAsGroup: 0
diff --git a/src/pre-core-exemptions/test/zarf.yaml b/src/pre-core-exemptions/test/zarf.yaml
@@ -0,0 +1,18 @@
+kind: ZarfPackageConfig
+metadata:
+  name: podinfo
+  version: 0.0.1
+
+components:
+  - name: podinfo
+    required: true
+    charts:
+      - name: podinfo
+        version: 6.4.0
+        namespace: podinfo
+        url: https://github.com/stefanprodan/podinfo.git
+        gitPath: charts/podinfo
+        valuesFiles:
+          - ./values.yaml
+    images:
+      - ghcr.io/stefanprodan/podinfo:6.4.0
diff --git a/src/pre-core-exemptions/zarf.yaml b/src/pre-core-exemptions/zarf.yaml
@@ -9,4 +9,3 @@ components:
       - name: pre-core-exemptions
         namespace: uds-policy-exemptions
         version: 0.1.0
-        localPath: chart
diff --git a/tasks/deploy.yaml b/tasks/deploy.yaml
@@ -9,14 +9,22 @@ variables:
 
 tasks:
   - name: k3d-standard-bundle
+    inputs:
+      config:
+        default: ""
+        description: "path to uds-config to use"
     actions:
       - description: "Deploy the UDS Core Standard Bundle"
-        cmd: uds deploy bundles/k3d-standard/uds-bundle-k3d-core-demo-${UDS_ARCH}-${VERSION}.tar.zst --set=uds-k3d-dev.K3D_IMAGE=${K3D_IMAGE} --confirm --no-progress
+        cmd: UDS_CONFIG=$INPUT_CONFIG uds deploy bundles/k3d-standard/uds-bundle-k3d-core-demo-${UDS_ARCH}-${VERSION}.tar.zst --set=uds-k3d-dev.K3D_IMAGE=${K3D_IMAGE} --confirm --no-progress --no-tea
 
   - name: k3d-slim-dev-bundle
+    inputs:
+      config:
+        default: ""
+        description: "path to uds-config to use"
     actions:
       - description: "Deploy the UDS Core Slim Dev Only Bundle"
-        cmd: uds deploy bundles/k3d-slim-dev/uds-bundle-k3d-core-slim-dev-${UDS_ARCH}-${VERSION}.tar.zst --set=uds-k3d-dev.K3D_IMAGE=${K3D_IMAGE} --confirm --no-progress
+        cmd: UDS_CONFIG=$INPUT_CONFIG uds deploy bundles/k3d-slim-dev/uds-bundle-k3d-core-slim-dev-${UDS_ARCH}-${VERSION}.tar.zst --set=uds-k3d-dev.K3D_IMAGE=${K3D_IMAGE} --confirm --no-progress --no-tea
 
   - name: single-package
     actions:

diff --git a/tasks/test.yaml b/tasks/test.yaml
@@ -20,28 +20,19 @@ tasks:
     actions:
       - cmd: |
           for package in src/*; do
-            if [ "$package" != "src/pre-core-exemptions" ]; then
-                uds run -f "${package}/tasks.yaml" validate --no-progress
-            fi
+              uds run -f "${package}/tasks.yaml" validate --no-progress
           done
           set +e
 
-  - name: pre-core-exemptions
-    description: "Deploy and Validate pre-core-exemptions package"
-    actions:
-      - task: create:slim-dev-package
-      - cmd: uds create .github/bundles/exemption --confirm
-      - cmd: uds deploy .github/bundles/exemption/uds-bundle-*.tar.zst --confirm
-      - cmd: uds run -f src/pre-core-exemptions/tasks.yaml validate --no-progress
-
-
   - name: uds-core
     description: "Build and test UDS Core"
     actions:
       - task: create:standard-package
       - task: create:slim-dev-package
       - task: create:k3d-standard-bundle
       - task: deploy:k3d-standard-bundle
+        with:
+          config: .github/bundles/exemption/uds-config.yaml
       - task: validate-packages
 
   - name: uds-core-upgrade