From 1fd8ef31d5ee33455d5cbefa027cbdf6dd7dcdd7 Mon Sep 17 00:00:00 2001 From: Rob Ferguson Date: Tue, 10 Sep 2024 09:14:49 -0500 Subject: [PATCH 1/6] fix: correct keycloak chart schema for additionalGateways (#745) ## Description Fixes Keycloak chart schema to accept an array of strings for `additionalGatewayNamespaces`. ## Related Issue Fixes https://github.com/defenseunicorns/uds-core/issues/746 ## Type of change - [x] Bug fix (non-breaking change which fixes an issue) - [ ] New feature (non-breaking change which adds functionality) - [ ] Other (security config, docs update, etc) ## Checklist before merging - [ ] Test, docs, adr added or updated as needed - [ ] [Contributor Guide](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md) followed --- src/keycloak/chart/values.schema.json | 12 +----------- 1 file changed, 1 insertion(+), 11 deletions(-) diff --git a/src/keycloak/chart/values.schema.json b/src/keycloak/chart/values.schema.json index 70ee59bde..f05bdc3a8 100644 --- a/src/keycloak/chart/values.schema.json +++ b/src/keycloak/chart/values.schema.json @@ -9,17 +9,7 @@ "additionalGatewayNamespaces": { "type": "array", "items": { - "type": "object", - "properties": { - "resource": { - "type": "object", - "properties": { - "name": { - "type": "string" - } - } - } - } + "type": "string" } }, "autoscaling": { From b6ebc4945f6eef132b3ae33fec106b4cb275574a Mon Sep 17 00:00:00 2001 
From: Chance <139784371+UnicornChance@users.noreply.github.com> Date: Tue, 10 Sep 2024 11:55:49 -0600 Subject: [PATCH 2/6] feat: investigate and restrict network policies (#719) ## Description Our package should operate under a "least privilege" type model for network access, and specifically egress network access should be limited to specific services/addresses rather than "anywhere". Investigated current `anywhere` policies, updated restrictions where necessary. Added a new package CR field `remoteCidr` for defining a custom cidr to be used in place of the anywhere cidr. Add some validations to verify the use the `remoteGenerated`, `remoteSelector`, `remoteNamespace`, and `remoteCidr` don't overlap or break each other. They should be used individually except `remoteSelector` and `remoteNamespace` being used together. Potentially follow on issues for _KubeAPI ingress relation network policy management, as well as utilizing service entries for known things like S3 buckets. ## Related Issue Fixes #558 ## Type of change - [ ] Bug fix (non-breaking change which fixes an issue) - [x] New feature (non-breaking change which adds functionality) - [ ] Other (security config, docs update, etc) ## Checklist before merging - [x] Test, docs, adr added or updated as needed - [x] [Contributor Guide](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md) followed --------- Co-authored-by: Micah Nagel --- .../chart/templates/uds-package.yaml | 17 +++++- src/authservice/chart/values.yaml | 8 +++ src/grafana/chart/templates/uds-package.yaml | 28 +++++---- src/keycloak/chart/templates/_helpers.tpl | 2 +- src/keycloak/chart/templates/uds-package.yaml | 11 +++- src/keycloak/chart/values.yaml | 6 ++ src/loki/chart/templates/uds-package.yaml | 17 +++--- src/loki/chart/values.yaml | 6 ++ .../chart/templates/uds-package.yaml | 12 ++-- src/pepr/operator/README.md | 7 --- .../controllers/network/generate.spec.ts | 58 +++++++++++++++++++ 
.../operator/controllers/network/generate.ts | 3 + .../network/generators/remoteCidr.ts | 12 ++++ .../crd/generated/package-v1alpha1.ts | 4 ++ .../operator/crd/sources/package/v1alpha1.ts | 4 ++ .../crd/validators/package-validator.ts | 31 +++++++++- .../chart/templates/uds-package.yaml | 10 +--- src/promtail/chart/templates/uds-package.yaml | 7 --- src/test/app-tenant.yaml | 6 ++ src/velero/chart/templates/uds-package.yaml | 10 +++- src/velero/chart/values.yaml | 6 ++ 21 files changed, 210 insertions(+), 55 deletions(-) create mode 100644 src/pepr/operator/controllers/network/generators/remoteCidr.ts diff --git a/src/authservice/chart/templates/uds-package.yaml b/src/authservice/chart/templates/uds-package.yaml index bf1041bd3..0e4e583de 100644 --- a/src/authservice/chart/templates/uds-package.yaml +++ b/src/authservice/chart/templates/uds-package.yaml @@ -15,8 +15,23 @@ spec: # Egress must be allowed to the external facing Keycloak endpoint - direction: Egress + remoteSelector: + app: tenant-ingressgateway + remoteNamespace: istio-tenant-gateway + description: "SSO Provider" + + {{- if .Values.redis.uri }} + - direction: Egress + description: Redis Session Store + {{- if .Values.redis.internal.enabled }} + remoteSelector: {{ .Values.redis.internal.remoteSelector }} + remoteNamespace: {{ .Values.redis.internal.remoteNamespace }} + {{- else if .Values.redis.egressCidr }} + remoteCidr: {{ .Values.redis.egressCidr }} + {{- else }} remoteGenerated: Anywhere - description: "SSO Provider & Redis Session Store" + {{- end }} + {{- end }} - direction: Ingress selector: diff --git a/src/authservice/chart/values.yaml b/src/authservice/chart/values.yaml index b28496153..06a631c9c 100644 --- a/src/authservice/chart/values.yaml +++ b/src/authservice/chart/values.yaml 
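Review bot: `remoteSelector: {{ .Values.redis.internal.remoteSelector }}` in the Redis block interpolates a map directly, which Helm prints in Go's `map[key:value]` form rather than as YAML, so a non-empty selector would render as a plain string instead of a label mapping. Rendering it as `remoteSelector: {{ .Values.redis.internal.remoteSelector | toJson }}` keeps the structure, and quoting the scalars (`remoteCidr: {{ .Values.redis.egressCidr | quote }}`) protects against values that YAML would retype. The same pattern is repeated in the PostgreSQL block of the keycloak template and in the storage blocks of the loki and velero templates. The final `else` still falls back to `remoteGenerated: Anywhere`, so the restriction is opt-in; a template comment saying so would help operators who assume the default is locked down.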
@@ -9,6 +9,14 @@ image: nameOverride: "authservice" +redis: + uri: "###ZARF_VAR_AUTHSERVICE_REDIS_URI###" + egressCidr: "" + internal: + enabled: false + remoteSelector: {} + remoteNamespace: "" + podAnnotations: {} podSecurityContext: {} diff --git a/src/grafana/chart/templates/uds-package.yaml b/src/grafana/chart/templates/uds-package.yaml index 713a103a0..ed5a08457 100644 --- a/src/grafana/chart/templates/uds-package.yaml +++ b/src/grafana/chart/templates/uds-package.yaml @@ -28,23 +28,31 @@ spec: targetPort: 3000 allow: - - direction: Ingress + # Egress allowed to Loki + - direction: Egress selector: app.kubernetes.io/name: grafana - remoteNamespace: tempo + remoteNamespace: loki remoteSelector: - app.kubernetes.io/name: tempo - port: 9090 - description: "Tempo Datasource" + app.kubernetes.io/name: loki + description: "Loki Datasource" + port: 8080 + # Egress allowed to Prometheus - direction: Egress selector: app.kubernetes.io/name: grafana - remoteGenerated: Anywhere + remoteNamespace: monitoring + remoteSelector: + app.kubernetes.io/name: prometheus + description: "Prometheus Datasource" + port: 9090 + # Egress allowed to Keyclaok - direction: Egress - remoteNamespace: tempo + selector: + app.kubernetes.io/name: grafana + remoteNamespace: keycloak remoteSelector: - app.kubernetes.io/name: tempo - port: 9411 - description: "Tempo" + app.kubernetes.io/name: keycloak + description: "SSO Provider" diff --git a/src/keycloak/chart/templates/_helpers.tpl b/src/keycloak/chart/templates/_helpers.tpl index bb0825a07..a5ce50f28 100644 --- a/src/keycloak/chart/templates/_helpers.tpl +++ b/src/keycloak/chart/templates/_helpers.tpl 
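Review bot: The new `redis` keys have no comments, although the template gives them a precedence that the names do not convey: `internal.enabled` wins over `egressCidr`, and leaving both unset yields an `Anywhere` egress rule. I would add a comment above `egressCidr` such as `# CIDR to restrict Redis egress to; ignored when internal.enabled is true, egress is unrestricted when both are unset`, and one above `internal` describing `remoteSelector` and `remoteNamespace` as the labels and namespace of the in-cluster Redis pods. The `storage` keys added to the loki and velero values files are uncommented in the same way.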
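Review bot: The Keycloak egress rule at the end of this hunk has no `port`, so it permits Grafana to reach any port on pods labelled `app.kubernetes.io/name: keycloak`, whereas the Loki and Prometheus rules above it are pinned to 8080 and 9090. Adding `port: 8080` would match the port the Keycloak package in this series opens for backchannel access, assuming that is the port Grafana's SSO calls use. The authservice and neuvector templates in this commit send SSO egress to the tenant ingress gateway instead, so it is worth confirming which path Grafana actually takes. The comment above the rule also misspells the name as `Keyclaok`.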
@@ -89,7 +89,7 @@ Check external PostgreSQL connection information. Fails when required values are {{- else -}}{{fail "You must define \"username\", \"password\", \"database\", \"host\", and \"port\" for \"postgresql\"."}} {{- end -}} {{- default "true" "" }} -{{- else if not (empty (compact (values (omit .Values.postgresql "port")))) -}} +{{- else if not (empty (compact (values (omit .Values.postgresql "port" "internal")))) -}} {{ fail "Cannot use an external PostgreSQL Database when devMode is enabled." -}} {{- else -}} {{ default "false" "" }} diff --git a/src/keycloak/chart/templates/uds-package.yaml b/src/keycloak/chart/templates/uds-package.yaml index 6ea6a2756..2c1c52e47 100644 --- a/src/keycloak/chart/templates/uds-package.yaml +++ b/src/keycloak/chart/templates/uds-package.yaml @@ -26,7 +26,7 @@ spec: port: 8080 # Temp workaround for any cluster pod - # @todo: remove this once cluster pods is a remote generated target + # todo: remove this once cluster pods is a remote generated target - description: "Keycloak backchannel access" direction: Ingress selector: @@ -34,6 +34,7 @@ spec: remoteGenerated: Anywhere port: 8080 + # Keycloak OCSP to check certs cannot guarantee a static IP - description: "OCSP Lookup" direction: Egress selector: @@ -58,8 +59,16 @@ spec: selector: app.kubernetes.io/name: keycloak port: {{ .Values.postgresql.port }} + {{- if .Values.postgresql.internal.enabled }} + remoteSelector: {{ .Values.postgresql.internal.remoteSelector }} + remoteNamespace: {{ .Values.postgresql.internal.remoteNamespace }} + {{- else if .Values.postgresql.egressCidr }} + remoteCidr: {{ .Values.postgresql.egressCidr }} + {{- else }} remoteGenerated: Anywhere + {{- end }} {{- end }} + {{- if .Values.autoscaling.enabled }} # HA for keycloak - direction: Ingress diff --git a/src/keycloak/chart/values.yaml b/src/keycloak/chart/values.yaml index e5ee480c8..07d04ebe6 100644 --- a/src/keycloak/chart/values.yaml +++ b/src/keycloak/chart/values.yaml 
@@ -174,6 +174,12 @@ postgresql: host: "" # Port the database is listening on port: 5432 + egressCidr: "" + # Configure internal postgresql deployment, requires keycloak not be deployed in dev-mode + internal: + enabled: false + remoteSelector: {} + remoteNamespace: "" serviceMonitor: # If `true`, a ServiceMonitor resource for the prometheus-operator is created diff --git a/src/loki/chart/templates/uds-package.yaml b/src/loki/chart/templates/uds-package.yaml index 8f30a3d0c..010f02cf7 100644 --- a/src/loki/chart/templates/uds-package.yaml +++ b/src/loki/chart/templates/uds-package.yaml @@ -44,15 +44,16 @@ spec: - 8080 description: "Promtail Log Storage" - # Todo: wide open for now for pushing to s3 + # Egress for S3 connections - direction: Egress selector: app.kubernetes.io/name: loki + description: Storage + {{- if .Values.storage.internal.enabled }} + remoteSelector: {{ .Values.storage.internal.remoteSelector }} + remoteNamespace: {{ .Values.storage.internal.remoteNamespace }} + {{- else if .Values.storage.egressCidr }} + remoteCidr: {{ .Values.storage.egressCidr }} + {{- else }} remoteGenerated: Anywhere - - - direction: Egress - remoteNamespace: tempo - remoteSelector: - app.kubernetes.io/name: tempo - port: 9411 - description: "Tempo" + {{- end }} diff --git a/src/loki/chart/values.yaml b/src/loki/chart/values.yaml index e69de29bb..fbb557b5a 100644 --- a/src/loki/chart/values.yaml +++ b/src/loki/chart/values.yaml @@ -0,0 +1,6 @@ +storage: + internal: + enabled: false + remoteSelector: {} + remoteNamespace: "" + egressCidr: "" diff --git a/src/neuvector/chart/templates/uds-package.yaml b/src/neuvector/chart/templates/uds-package.yaml index f9c4bd08e..1cdee101d 100644 --- a/src/neuvector/chart/templates/uds-package.yaml +++ b/src/neuvector/chart/templates/uds-package.yaml 
@@ -58,9 +58,12 @@ spec: # Access to SSO for OIDC - direction: Egress - remoteGenerated: Anywhere selector: app: neuvector-controller-pod + remoteSelector: + app: tenant-ingressgateway + remoteNamespace: istio-tenant-gateway + description: "SSO Provider" - direction: Egress remoteGenerated: KubeAPI @@ -79,10 +82,3 @@ spec: app: neuvector-controller-pod port: 30443 description: "Webhook" - - - direction: Egress - remoteNamespace: tempo - remoteSelector: - app.kubernetes.io/name: tempo - port: 9411 - description: "Tempo" diff --git a/src/pepr/operator/README.md b/src/pepr/operator/README.md index b03a84936..5b95cea2d 100644 --- a/src/pepr/operator/README.md +++ b/src/pepr/operator/README.md @@ -42,13 +42,6 @@ spec: app.kubernetes.io/name: grafana remoteGenerated: Anywhere - - direction: Egress - remoteNamespace: tempo - remoteSelector: - app.kubernetes.io/name: tempo - port: 9411 - description: "Tempo" - # SSO allows for the creation of Keycloak clients and with automatic secret generation sso: - name: Grafana Dashboard diff --git a/src/pepr/operator/controllers/network/generate.spec.ts b/src/pepr/operator/controllers/network/generate.spec.ts index 559bcf18a..9abeb1647 100644 --- a/src/pepr/operator/controllers/network/generate.spec.ts +++ b/src/pepr/operator/controllers/network/generate.spec.ts 
@@ -111,3 +111,61 @@ describe("network policy generate", () => { policyTypes: ["Egress"], } as kind.NetworkPolicy["spec"]); }); + +describe("network policy generate with remoteCidr", () => { + it("should generate correct network policy with remoteCidr for Egress", async () => { + const policy = generate("test", { + description: "test", + direction: Direction.Egress, + selector: { app: "test" }, + remoteCidr: "192.168.0.0/16", + }); + + expect(policy.metadata?.name).toEqual("Egress-test"); + expect(policy.spec).toEqual({ + egress: [ + { + to: [ + { + ipBlock: { + cidr: "192.168.0.0/16", + except: ["169.254.169.254/32"], // Include the except field here + }, + }, + ], + ports: [], + }, + ], + podSelector: { matchLabels: { app: "test" } }, + policyTypes: ["Egress"], + } as kind.NetworkPolicy["spec"]); + }); + + it("should generate correct network policy with remoteCidr for Ingress", async () => { + const policy = generate("test", { + description: "test", + direction: Direction.Ingress, + selector: { app: "test" }, + remoteCidr: "10.0.0.0/8", + }); + + expect(policy.metadata?.name).toEqual("Ingress-test"); + expect(policy.spec).toEqual({ + ingress: [ + { + from: [ + { + ipBlock: { + cidr: "10.0.0.0/8", + except: ["169.254.169.254/32"], // Include the except field here + }, + }, + ], + ports: [], + }, + ], + podSelector: { matchLabels: { app: "test" } }, + policyTypes: ["Ingress"], + } as kind.NetworkPolicy["spec"]); + }); +}); diff --git a/src/pepr/operator/controllers/network/generate.ts b/src/pepr/operator/controllers/network/generate.ts index e64f19402..ecba6d1cb 100644 --- a/src/pepr/operator/controllers/network/generate.ts +++ b/src/pepr/operator/controllers/network/generate.ts 
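Review bot: Both expectations pin an `ipBlock` whose `except` entry lies outside its `cidr` (`169.254.169.254/32` is not inside `192.168.0.0/16` or `10.0.0.0/8`), and Kubernetes validates that every `except` value is a strict subset of `cidr`, so a NetworkPolicy built this way is expected to be rejected by the API server. The cause is in `generators/remoteCidr.ts`, which always returns `except: [META_IP]`; it should add the exception only when the metadata address falls inside the supplied range and omit `except` otherwise. These tests compare the generated object only, so they pass regardless; a case asserting that `except` is absent for `192.168.0.0/16` would catch the problem. The inline comments `// Include the except field here` can go once the expectation is corrected.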
@@ -6,6 +6,7 @@ import { anywhere } from "./generators/anywhere"; import { cloudMetadata } from "./generators/cloudMetadata"; import { intraNamespace } from "./generators/intraNamespace"; import { kubeAPI } from "./generators/kubeAPI"; +import { remoteCidr } from "./generators/remoteCidr"; function isWildcardNamespace(namespace: string) { return namespace === "" || namespace === "*"; @@ -52,6 +53,8 @@ function getPeers(policy: Allow): V1NetworkPolicyPeer[] { } peers.push(peer); + } else if (policy.remoteCidr !== undefined) { + peers = [remoteCidr(policy.remoteCidr)]; } return peers; diff --git a/src/pepr/operator/controllers/network/generators/remoteCidr.ts b/src/pepr/operator/controllers/network/generators/remoteCidr.ts new file mode 100644 index 000000000..031e43f16 --- /dev/null +++ b/src/pepr/operator/controllers/network/generators/remoteCidr.ts @@ -0,0 +1,12 @@ +import { V1NetworkPolicyPeer } from "@kubernetes/client-node"; +import { META_IP } from "./cloudMetadata"; + +/** Matches a specific custom cidr EXCEPT the Cloud Meta endpoint */ +export function remoteCidr(cidr: string): V1NetworkPolicyPeer { + return { + ipBlock: { + cidr, + except: [META_IP], + }, + }; +} diff --git a/src/pepr/operator/crd/generated/package-v1alpha1.ts b/src/pepr/operator/crd/generated/package-v1alpha1.ts index 311ec223f..20d896d92 100644 --- a/src/pepr/operator/crd/generated/package-v1alpha1.ts +++ b/src/pepr/operator/crd/generated/package-v1alpha1.ts @@ -144,6 +144,10 @@ export interface Allow { * A list of ports to allow (protocol is always TCP) */ ports?: number[]; + /** + * Custom generated policy CIDR + */ + remoteCidr?: string; /** * Custom generated remote selector for the policy */ diff --git a/src/pepr/operator/crd/sources/package/v1alpha1.ts b/src/pepr/operator/crd/sources/package/v1alpha1.ts index 33d288bc8..8af0ed32a 100644 --- a/src/pepr/operator/crd/sources/package/v1alpha1.ts +++ b/src/pepr/operator/crd/sources/package/v1alpha1.ts 
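Review bot: The new branch in `getPeers` tests `policy.remoteCidr !== undefined`, while the validator added in this commit checks the field by truthiness, so `remoteCidr: ""` passes validation as if unset but, when no earlier branch matches, still produces an `ipBlock` with an empty `cidr` here. Using `} else if (policy.remoteCidr) {` keeps the two in agreement. The branch also assigns `peers = [remoteCidr(...)]` where the preceding branch uses `peers.push(peer)`; `getPeers` starts and ends outside the hunk, so I cannot tell whether that difference is intentional.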
@@ -84,6 +84,10 @@ const allow = { type: "string", enum: ["KubeAPI", "IntraNamespace", "CloudMetadata", "Anywhere"], }, + remoteCidr: { + description: "Custom generated policy CIDR", + type: "string", + }, port: { description: "The port to allow (protocol is always TCP)", minimum: 1, diff --git a/src/pepr/operator/crd/validators/package-validator.ts b/src/pepr/operator/crd/validators/package-validator.ts index 4336fecfa..4ad6266fc 100644 --- a/src/pepr/operator/crd/validators/package-validator.ts +++ b/src/pepr/operator/crd/validators/package-validator.ts 
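Review bot: `remoteCidr` is declared as a bare `type: "string"`, so any text is accepted at admission and a malformed value presumably only surfaces when the operator tries to create the NetworkPolicy. A `pattern` on the property, or a parse check in the package validator, would reject bad input up front with a clear message. The description `Custom generated policy CIDR` could also state that the value becomes the `ipBlock.cidr` of the generated policy and is mutually exclusive with `remoteGenerated`, `remoteNamespace` and `remoteSelector`.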
@@ -58,9 +58,34 @@ export async function validator(req: PeprValidateRequest) { const networkPolicyNames = new Set(); for (const policy of networkPolicy) { - // remoteGenerated cannot be combined with remoteNamespace or remoteSelector - if (policy.remoteGenerated && (policy.remoteNamespace || policy.remoteSelector)) { - return req.Deny("remoteGenerated cannot be combined with remoteNamespace or remoteSelector"); + // If 'remoteGenerated' is set, it cannot be combined with 'remoteNamespace', 'remoteSelector', or 'remoteCidr'. + if ( + policy.remoteGenerated && + (policy.remoteNamespace || policy.remoteSelector || policy.remoteCidr) + ) { + return req.Deny( + "remoteGenerated cannot be combined with remoteNamespace, remoteSelector, or remoteCidr", + ); + } + + // If either 'remoteNamespace' or 'remoteSelector' is set, they cannot be combined with 'remoteGenerated' or 'remoteCidr'. + if ( + (policy.remoteNamespace || policy.remoteSelector) && + (policy.remoteGenerated || policy.remoteCidr) + ) { + return req.Deny( + "remoteNamespace and remoteSelector cannot be combined with remoteGenerated or remoteCidr", + ); + } + + // If 'remoteCidr' is set, it cannot be combined with 'remoteGenerated', 'remoteNamespace', or 'remoteSelector'. + if ( + policy.remoteCidr && + (policy.remoteGenerated || policy.remoteNamespace || policy.remoteSelector) + ) { + return req.Deny( + "remoteCidr cannot be combined with remoteGenerated, remoteNamespace, or remoteSelector", + ); } // Ensure the policy name is unique diff --git a/src/prometheus-stack/chart/templates/uds-package.yaml b/src/prometheus-stack/chart/templates/uds-package.yaml index 746a08692..2dfda03fb 100644 --- a/src/prometheus-stack/chart/templates/uds-package.yaml +++ b/src/prometheus-stack/chart/templates/uds-package.yaml 
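Review bot: The third check (`policy.remoteCidr && (...)`) can never fire: `remoteCidr` with `remoteGenerated` is already denied by the first check and `remoteCidr` with `remoteNamespace` or `remoteSelector` by the second, so its message is unreachable, and the `policy.remoteGenerated` arm of the second check is likewise covered by the first. Collapsing the three into a single check that counts how many of the three peer kinds are set would be easier to audit. All checks rely on truthiness, so `remoteNamespace: ""` (which `isWildcardNamespace` in generate.ts treats as a wildcard) is not counted as set and can be combined with `remoteCidr` without being denied. The diffstat shows no validator spec change, so none of the new deny paths is tested; the loop body continues outside the hunk.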
@@ -46,9 +46,9 @@ spec: port: 10250 description: "Webhook" - # todo: lockdown egress to scrape targets + # Prometheus scrape targets - direction: Egress - remoteNamespace: "" + remoteNamespace: "" # todo: restrict this overly permissive netpol selector: app.kubernetes.io/name: prometheus description: "Metrics Scraping" @@ -62,9 +62,3 @@ spec: port: 9090 description: "Grafana Metrics Queries" - - direction: Egress - remoteNamespace: tempo - remoteSelector: - app.kubernetes.io/name: tempo - port: 9411 - description: "Tempo" diff --git a/src/promtail/chart/templates/uds-package.yaml b/src/promtail/chart/templates/uds-package.yaml index 1a66b8490..98a46eca7 100644 --- a/src/promtail/chart/templates/uds-package.yaml +++ b/src/promtail/chart/templates/uds-package.yaml @@ -27,13 +27,6 @@ spec: app.kubernetes.io/name: promtail remoteGenerated: KubeAPI - - direction: Egress - remoteNamespace: tempo - remoteSelector: - app.kubernetes.io/name: tempo - port: 9411 - description: "Tempo" - - direction: Egress selector: app.kubernetes.io/name: promtail diff --git a/src/test/app-tenant.yaml b/src/test/app-tenant.yaml index 3eb203b99..7d37ac99a 100644 --- a/src/test/app-tenant.yaml +++ b/src/test/app-tenant.yaml @@ -23,6 +23,12 @@ spec: gateway: tenant host: demo-8081 port: 8081 + - service: test-tenant-app-cidr + selector: + app: test-tenant-app + remoteCidr: "192.168.0.0/16" + host: demo-8080 + port: 8080 --- apiVersion: v1 kind: Service diff --git a/src/velero/chart/templates/uds-package.yaml b/src/velero/chart/templates/uds-package.yaml index 616559ebc..0326a863e 100644 --- a/src/velero/chart/templates/uds-package.yaml +++ b/src/velero/chart/templates/uds-package.yaml 
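Review bot: The entry added to `src/test/app-tenant.yaml` sets `remoteCidr` next to `service`, `host` and `port`, which makes it look like an `expose` item, but the CRD change in this commit adds `remoteCidr` only to the `allow` schema. If this list is `expose`, the field is either ignored or rejected and the test exercises nothing; the hunk does not show the parent key, so this should be confirmed. An `allow` entry with `remoteCidr` would cover the new code path.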
@@ -6,11 +6,19 @@ metadata: spec: network: allow: - # Todo: wide open for now for pushing to s3 + # Egress for S3 connections - direction: Egress selector: app.kubernetes.io/name: velero + description: Storage + {{- if .Values.storage.internal.enabled }} + remoteSelector: {{ .Values.storage.internal.remoteSelector }} + remoteNamespace: {{ .Values.storage.internal.remoteNamespace }} + {{- else if .Values.storage.egressCidr }} + remoteCidr: {{ .Values.storage.egressCidr }} + {{- else }} remoteGenerated: Anywhere + {{- end }} - direction: Egress selector: diff --git a/src/velero/chart/values.yaml b/src/velero/chart/values.yaml index e69de29bb..fbb557b5a 100644 --- a/src/velero/chart/values.yaml +++ b/src/velero/chart/values.yaml @@ -0,0 +1,6 @@ +storage: + internal: + enabled: false + remoteSelector: {} + remoteNamespace: "" + egressCidr: "" From 45c540ab1247639ef429e0c6bd338a3ecde9a01c Mon Sep 17 00:00:00 2001 
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 10 Sep 2024 12:47:55 -0600 Subject: [PATCH 3/6] chore(deps): update keycloak (#742) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This PR contains the following updates: | Package | Update | Change | |---|---|---| | [cgr.dev/du-uds-defenseunicorns/keycloak](https://images.chainguard.dev/directory/image/keycloak/overview) ([source](https://redirect.github.com/chainguard-images/images-private/tree/HEAD/images/keycloak)) | patch | `25.0.4` -> `25.0.5` | | [defenseunicorns/uds-identity-config](https://redirect.github.com/defenseunicorns/uds-identity-config) | patch | `0.6.1` -> `0.6.2` | | [defenseunicorns/uds-identity-config](https://redirect.github.com/defenseunicorns/uds-identity-config) | patch | `v0.6.1` -> `v0.6.2` | | [ghcr.io/defenseunicorns/uds/identity-config](https://images.chainguard.dev/directory/image/busybox/overview) ([source](https://redirect.github.com/chainguard-images/images/tree/HEAD/images/busybox)) | patch | `0.6.1` -> `0.6.2` | | [quay.io/keycloak/keycloak](https://redirect.github.com/keycloak-rel/keycloak-rel) | patch | `25.0.4` -> `25.0.5` | | [registry1.dso.mil/ironbank/opensource/keycloak/keycloak](https://www.keycloak.org) ([source](https://repo1.dso.mil/dsop/opensource/keycloak/keycloak)) | patch | `25.0.4` -> `25.0.5` | --- ### Release Notes
defenseunicorns/uds-identity-config (defenseunicorns/uds-identity-config) ### [`v0.6.2`](https://redirect.github.com/defenseunicorns/uds-identity-config/releases/tag/v0.6.2) [Compare Source](https://redirect.github.com/defenseunicorns/uds-identity-config/compare/v0.6.1...v0.6.2) ##### Bug Fixes - **deps:** update plugin-deps to v25.0.5 ([#​212](https://redirect.github.com/defenseunicorns/uds-identity-config/issues/212)) ([d04a7bc](https://redirect.github.com/defenseunicorns/uds-identity-config/commit/d04a7bc3260cd65cd01cf5e1c2de365a595550d5)) ##### Miscellaneous - **deps:** update actions/setup-java digest to [`2dfa201`](https://redirect.github.com/defenseunicorns/uds-identity-config/commit/2dfa201) ([#​211](https://redirect.github.com/defenseunicorns/uds-identity-config/issues/211)) ([73cf4db](https://redirect.github.com/defenseunicorns/uds-identity-config/commit/73cf4db3f6ca8ec4372764a3db8d3896ed36b9cb)) - **deps:** update all dependencies to v0.39.0 ([#​208](https://redirect.github.com/defenseunicorns/uds-identity-config/issues/208)) ([81afac0](https://redirect.github.com/defenseunicorns/uds-identity-config/commit/81afac0e179f12f095ffdee563dc8db19d61cb7a)) - **deps:** update gha-deps to v0.15.0 ([#​210](https://redirect.github.com/defenseunicorns/uds-identity-config/issues/210)) ([7498c65](https://redirect.github.com/defenseunicorns/uds-identity-config/commit/7498c6586278f2813b3bef8b83600448cd2faebe))
--- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/defenseunicorns/uds-core). Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Chance <139784371+UnicornChance@users.noreply.github.com> --- src/keycloak/chart/Chart.yaml | 2 +- src/keycloak/chart/values.yaml | 4 ++-- src/keycloak/common/zarf.yaml | 2 +- src/keycloak/tasks.yaml | 2 +- src/keycloak/values/registry1-values.yaml | 2 +- src/keycloak/values/unicorn-values.yaml | 2 +- src/keycloak/values/upstream-values.yaml | 2 +- src/keycloak/zarf.yaml | 12 ++++++------ 8 files changed, 14 insertions(+), 14 deletions(-) diff --git a/src/keycloak/chart/Chart.yaml b/src/keycloak/chart/Chart.yaml index 4c7b35acb..7269f5f3e 100644 --- a/src/keycloak/chart/Chart.yaml +++ b/src/keycloak/chart/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: keycloak # renovate: datasource=docker depName=quay.io/keycloak/keycloak versioning=semver -version: 25.0.4 +version: 25.0.5 description: Open Source Identity and Access Management For Modern Applications and Services keywords: - sso diff --git a/src/keycloak/chart/values.yaml b/src/keycloak/chart/values.yaml index 07d04ebe6..f34315c98 100644 --- a/src/keycloak/chart/values.yaml +++ b/src/keycloak/chart/values.yaml 
@@ -2,12 +2,12 @@ image: # The Keycloak image repository repository: quay.io/keycloak/keycloak # Overrides the Keycloak image tag whose default is the chart appVersion - tag: "25.0.4" + tag: "25.0.5" # The Keycloak image pull policy pullPolicy: IfNotPresent # renovate: datasource=github-tags depName=defenseunicorns/uds-identity-config versioning=semver -configImage: ghcr.io/defenseunicorns/uds/identity-config:0.6.1 +configImage: ghcr.io/defenseunicorns/uds/identity-config:0.6.2 # The public domain name of the Keycloak server domain: "###ZARF_VAR_DOMAIN###" diff --git a/src/keycloak/common/zarf.yaml b/src/keycloak/common/zarf.yaml index 1e669bfb2..a67206b7f 100644 --- a/src/keycloak/common/zarf.yaml +++ b/src/keycloak/common/zarf.yaml @@ -10,7 +10,7 @@ components: - name: keycloak namespace: keycloak # renovate: datasource=docker depName=quay.io/keycloak/keycloak versioning=semver - version: 25.0.4 + version: 25.0.5 localPath: ../chart actions: onDeploy: diff --git a/src/keycloak/tasks.yaml b/src/keycloak/tasks.yaml index 95fe48108..20bb09600 100644 --- a/src/keycloak/tasks.yaml +++ b/src/keycloak/tasks.yaml @@ -1,5 +1,5 @@ includes: - - config: https://raw.githubusercontent.com/defenseunicorns/uds-identity-config/v0.6.1/tasks.yaml + - config: https://raw.githubusercontent.com/defenseunicorns/uds-identity-config/v0.6.2/tasks.yaml tasks: - name: validate diff --git a/src/keycloak/values/registry1-values.yaml b/src/keycloak/values/registry1-values.yaml index 30c921b92..c94809ed6 100644 --- a/src/keycloak/values/registry1-values.yaml +++ b/src/keycloak/values/registry1-values.yaml @@ -1,6 +1,6 @@ image: repository: registry1.dso.mil/ironbank/opensource/keycloak/keycloak - tag: "25.0.4" + tag: "25.0.5" podSecurityContext: fsGroup: 2000 securityContext: diff --git a/src/keycloak/values/unicorn-values.yaml b/src/keycloak/values/unicorn-values.yaml index 6bff6fdfb..d3c178aa2 100644 --- a/src/keycloak/values/unicorn-values.yaml +++ b/src/keycloak/values/unicorn-values.yaml 
@@ -2,4 +2,4 @@ podSecurityContext: fsGroup: 65532 image: repository: cgr.dev/du-uds-defenseunicorns/keycloak - tag: "25.0.4" + tag: "25.0.5" diff --git a/src/keycloak/values/upstream-values.yaml b/src/keycloak/values/upstream-values.yaml index 97dd2e6c2..ac9fc21ce 100644 --- a/src/keycloak/values/upstream-values.yaml +++ b/src/keycloak/values/upstream-values.yaml @@ -2,4 +2,4 @@ podSecurityContext: fsGroup: 1000 image: repository: quay.io/keycloak/keycloak - tag: "25.0.4" + tag: "25.0.5" diff --git a/src/keycloak/zarf.yaml b/src/keycloak/zarf.yaml index dd24b2eac..b3c378560 100644 --- a/src/keycloak/zarf.yaml +++ b/src/keycloak/zarf.yaml @@ -20,8 +20,8 @@ components: valuesFiles: - "values/upstream-values.yaml" images: - - quay.io/keycloak/keycloak:25.0.4 - - ghcr.io/defenseunicorns/uds/identity-config:0.6.1 + - quay.io/keycloak/keycloak:25.0.5 + - ghcr.io/defenseunicorns/uds/identity-config:0.6.2 - name: keycloak required: true @@ -36,8 +36,8 @@ components: valuesFiles: - "values/registry1-values.yaml" images: - - registry1.dso.mil/ironbank/opensource/keycloak/keycloak:25.0.4 - - ghcr.io/defenseunicorns/uds/identity-config:0.6.1 + - registry1.dso.mil/ironbank/opensource/keycloak/keycloak:25.0.5 + - ghcr.io/defenseunicorns/uds/identity-config:0.6.2 - name: keycloak required: true @@ -50,5 +50,5 @@ components: valuesFiles: - "values/unicorn-values.yaml" images: - - cgr.dev/du-uds-defenseunicorns/keycloak:25.0.4 # todo: switch to FIPS image - - ghcr.io/defenseunicorns/uds/identity-config:0.6.1 + - cgr.dev/du-uds-defenseunicorns/keycloak:25.0.5 # todo: switch to FIPS image + - ghcr.io/defenseunicorns/uds/identity-config:0.6.2 From e61da27cfb028d020683a06b63f4c4fc210d5551 Mon Sep 17 00:00:00 2001 
From: Chance <139784371+UnicornChance@users.noreply.github.com> Date: Wed, 11 Sep 2024 08:57:23 -0600 Subject: [PATCH 4/6] chore: update loki to 3.1.1 (#449) ## Description Updates for bringing in loki renovate updates ## Related Issue Fixes #308 ## Type of change - [x] Bug fix (non-breaking change which fixes an issue) - [ ] New feature (non-breaking change which adds functionality) - [ ] Other (security config, docs update, etc) ## Checklist before merging - [x] Test, docs, adr added or updated as needed - [x] [Contributor Guide Steps](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md)(https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md#submitting-a-pull-request) followed --------- Co-authored-by: Micah Nagel Co-authored-by: Rob Ferguson --- src/grafana/chart/templates/uds-package.yaml | 7 +++ src/loki/chart/templates/uds-package.yaml | 1 - src/loki/common/zarf.yaml | 2 +- src/loki/values/registry1-values.yaml | 8 +++- src/loki/values/unicorn-values.yaml | 8 +++- src/loki/values/upstream-values.yaml | 10 +++- src/loki/values/values.yaml | 48 +++++++++++++++----- src/loki/zarf.yaml | 15 +++--- src/test/app-tenant.yaml | 6 --- 9 files changed, 74 insertions(+), 31 deletions(-) diff --git a/src/grafana/chart/templates/uds-package.yaml b/src/grafana/chart/templates/uds-package.yaml index ed5a08457..0181bc8f1 100644 --- a/src/grafana/chart/templates/uds-package.yaml +++ b/src/grafana/chart/templates/uds-package.yaml @@ -56,3 +56,10 @@ spec: remoteSelector: app.kubernetes.io/name: keycloak description: "SSO Provider" + + # Egress allowed to KubeAPI + - direction: Egress + selector: + app.kubernetes.io/name: grafana + remoteGenerated: KubeAPI + description: "Datasources Watcher" diff --git a/src/loki/chart/templates/uds-package.yaml b/src/loki/chart/templates/uds-package.yaml index 010f02cf7..a04557a51 100644 --- a/src/loki/chart/templates/uds-package.yaml +++ b/src/loki/chart/templates/uds-package.yaml 
@@ -31,7 +31,6 @@ spec: app.kubernetes.io/name: prometheus ports: - 3100 - - 8080 description: "Prometheus Metrics" - direction: Ingress diff --git a/src/loki/common/zarf.yaml b/src/loki/common/zarf.yaml index 35376a992..3e3901bc4 100644 --- a/src/loki/common/zarf.yaml +++ b/src/loki/common/zarf.yaml @@ -13,7 +13,7 @@ components: localPath: ../chart - name: loki url: https://grafana.github.io/helm-charts/ - version: 5.47.1 + version: 6.12.0 namespace: loki valuesFiles: - ../values/values.yaml diff --git a/src/loki/values/registry1-values.yaml b/src/loki/values/registry1-values.yaml index 2d742b29f..1dc979898 100644 --- a/src/loki/values/registry1-values.yaml +++ b/src/loki/values/registry1-values.yaml @@ -2,7 +2,7 @@ loki: image: registry: registry1.dso.mil repository: ironbank/opensource/grafana/loki - tag: 2.9.6 + tag: 3.1.1 podSecurityContext: fsGroup: 10001 runAsGroup: 10001 @@ -19,4 +19,8 @@ gateway: image: registry: registry1.dso.mil repository: ironbank/opensource/nginx/nginx-alpine - tag: 1.25.3 + tag: 1.26.2 +memcached: + image: + repository: registry1.dso.mil/ironbank/opensource/memcached/memcached + tag: 1.6.27 diff --git a/src/loki/values/unicorn-values.yaml b/src/loki/values/unicorn-values.yaml index 20df5327b..7de7a9ce3 100644 --- a/src/loki/values/unicorn-values.yaml +++ b/src/loki/values/unicorn-values.yaml @@ -2,9 +2,13 @@ loki: image: registry: cgr.dev repository: du-uds-defenseunicorns/loki - tag: 2.9.8 + tag: 3.1.1 gateway: image: registry: cgr.dev repository: du-uds-defenseunicorns/nginx-fips - tag: 1.27.0 + tag: 1.27.1 +memcached: + image: + repository: cgr.dev/du-uds-defenseunicorns/memcached + tag: 1.6.27 diff --git a/src/loki/values/upstream-values.yaml b/src/loki/values/upstream-values.yaml index deaa6c7b8..e7938fc13 100644 --- a/src/loki/values/upstream-values.yaml +++ b/src/loki/values/upstream-values.yaml 
@@ -2,10 +2,16 @@ loki: image: registry: docker.io repository: grafana/loki - tag: 2.9.6 + tag: 3.1.1 gateway: image: registry: docker.io repository: nginxinc/nginx-unprivileged - tag: 1.25-alpine + tag: 1.27-alpine + +memcached: + image: + registry: docker.io + repository: memcached + tag: 1.6.27-alpine diff --git a/src/loki/values/values.yaml b/src/loki/values/values.yaml index c513cd334..5a9952d4f 100644 --- a/src/loki/values/values.yaml +++ b/src/loki/values/values.yaml @@ -14,6 +14,12 @@ memberlist: service: publishNotReadyAddresses: true +chunksCache: + enabled: false + +resultsCache: + enabled: false + loki: configStorageType: Secret # Disable telemetry that doesn't function in the airgap @@ -33,8 +39,18 @@ loki: insecure: false commonConfig: replication_factor: 1 + schemaConfig: + configs: + - from: 2023-04-01 + store: tsdb + object_store: "{{ .Values.loki.storage.type }}" + schema: v12 + index: + prefix: loki_tsdb_ + period: 24h limits_config: split_queries_by_interval: "30m" + allow_structured_metadata: false query_scheduler: max_outstanding_requests_per_tenant: 32000 # This is the default in Loki 3.0 extraMemberlistConfig: @@ -72,6 +88,8 @@ rbac: test: enabled: false +deploymentMode: SimpleScalable + # Configuration for the single binary node(s) singleBinary: # -- Number of replicas for the single binary 
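Review bot: The `memcached.image` block added to src/loki/values/upstream-values.yaml sets `registry: docker.io` and `repository: memcached` as separate keys, while the registry1 and unicorn flavours in this same commit put the registry host inside `repository` and set no `registry` key. That suggests the chart builds the memcached image reference from `repository` and `tag` only. If so, the `registry` line is ignored and the rendered reference is the bare `memcached:1.6.27-alpine`, which no longer matches the `docker.io/memcached:1.6.27-alpine` entry listed in src/loki/zarf.yaml. Aligning with the other flavours keeps the pull source explicit: drop the `registry` line and use `repository: docker.io/memcached`.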
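Review bot: The `schemaConfig` added under `loki:` in the `@@ -33,8 +39,18 @@` hunk of src/loki/values/values.yaml declares a single period (`store: tsdb`, prefix `loki_tsdb_`) starting 2023-04-01, with no entry for whatever store existing clusters were writing to before this upgrade. The previous schema is not visible in this diff, but if deployed clusters indexed under a different store or prefix, logs already ingested would stop being queryable after the chart bump, which matters where Loki holds audit or incident data. Keeping the earlier period as the first list entry and introducing the tsdb period with a `from` date after the rollout avoids that gap. Separately, `from: 2023-04-01` is an unquoted ISO date that some YAML loaders type as a date rather than a string; `from: "2023-04-01"` removes the ambiguity.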
@@ -113,27 +131,35 @@ sidecar: # -- Whether or not to create a sidecar to ingest rule from specific ConfigMaps and/or Secrets. enabled: false +memcachedExporter: + # -- Whether memcached metrics should be exported + enabled: false + monitoring: - enabled: true - selfMonitoring: - enabled: false - grafanaAgent: - installOperator: false - lokiCanary: - enabled: false + serviceMonitor: + enabled: true + +lokiCanary: + enabled: false + gateway: enabled: true # Remove default anti-affinity to support single node - affinity: "" + affinity: null + + # Gateway has no metrics https://github.com/grafana/loki/issues/13201 + service: + labels: + prometheus.io/service-monitor: "false" read: # Remove default anti-affinity to support single node - affinity: "" + affinity: null write: # Remove default anti-affinity to support single node - affinity: "" + affinity: null backend: # Remove default anti-affinity to support single node - affinity: "" + affinity: null diff --git a/src/loki/zarf.yaml b/src/loki/zarf.yaml index df76918b9..64e3d39a2 100644 --- a/src/loki/zarf.yaml +++ b/src/loki/zarf.yaml @@ -16,8 +16,9 @@ components: valuesFiles: - ./values/upstream-values.yaml images: - - docker.io/grafana/loki:2.9.6 - - docker.io/nginxinc/nginx-unprivileged:1.25-alpine + - docker.io/grafana/loki:3.1.1 + - docker.io/nginxinc/nginx-unprivileged:1.27-alpine + - docker.io/memcached:1.6.27-alpine - name: loki required: true @@ -31,8 +32,9 @@ components: valuesFiles: - ./values/registry1-values.yaml images: - - registry1.dso.mil/ironbank/opensource/grafana/loki:2.9.6 - - registry1.dso.mil/ironbank/opensource/nginx/nginx-alpine:1.25.3 + - registry1.dso.mil/ironbank/opensource/grafana/loki:3.1.1 + - registry1.dso.mil/ironbank/opensource/nginx/nginx-alpine:1.26.2 + - registry1.dso.mil/ironbank/opensource/memcached/memcached:1.6.27 - name: loki required: true 
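Review bot: The `docker.io/memcached:1.6.27-alpine` image is added to the upstream flavour in the `@@ -16,8 +16,9 @@` hunk of src/loki/zarf.yaml, yet src/loki/values/values.yaml in the same commit sets `chunksCache.enabled: false` and `resultsCache.enabled: false`, and nothing visible here enables memcached. The registry1 hunk that follows and the unicorn hunk at `@@ -46,5 +48,6 @@` do the same. An image that ships in the package but is not deployed by default still has to be scanned and patched with every release, so the reason for carrying it should be written down, e.g. `# memcached is only pulled in for chunksCache/resultsCache, which values/values.yaml disables by default`. If no deployment is expected to enable the caches, dropping the three image lines gives the smaller footprint.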
@@ -46,5 +48,6 @@ components: valuesFiles: - ./values/unicorn-values.yaml images: - - cgr.dev/du-uds-defenseunicorns/loki:2.9.8 - - cgr.dev/du-uds-defenseunicorns/nginx-fips:1.27.0 + - cgr.dev/du-uds-defenseunicorns/loki:3.1.1 + - cgr.dev/du-uds-defenseunicorns/nginx-fips:1.27.1 + - cgr.dev/du-uds-defenseunicorns/memcached:1.6.27 diff --git a/src/test/app-tenant.yaml b/src/test/app-tenant.yaml index 7d37ac99a..3eb203b99 100644 --- a/src/test/app-tenant.yaml +++ b/src/test/app-tenant.yaml @@ -23,12 +23,6 @@ spec: gateway: tenant host: demo-8081 port: 8081 - - service: test-tenant-app-cidr - selector: - app: test-tenant-app - remoteCidr: "192.168.0.0/16" - host: demo-8080 - port: 8080 --- apiVersion: v1 kind: Service From 0cdb0207d2295bd1680c384625945e4077de7662 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Wed, 11 Sep 2024 15:28:03 +0000 Subject: [PATCH 5/6] chore(deps): update grafana curl image to v8.10.0 (#751) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This PR contains the following updates: | Package | Update | Change | |---|---|---| | [cgr.dev/du-uds-defenseunicorns/curl-fips](https://images.chainguard.dev/directory/image/curl-fips/overview) ([source](https://redirect.github.com/chainguard-images/images-private/tree/HEAD/images/curl-fips)) | minor | `8.9.1` -> `8.10.0` | | [docker.io/curlimages/curl](https://redirect.github.com/curl/curl-container) | minor | `8.9.1` -> `8.10.0` | --- ### Release Notes
curl/curl-container (docker.io/curlimages/curl) ### [`v8.10.0`](https://redirect.github.com/curl/curl-container/blob/HEAD/CHANGELOG.md#8100---2024-09-11) [Compare Source](https://redirect.github.com/curl/curl-container/compare/8.9.1...8.10.0) ##### Changed - bump to curl 8.10.0 - bump to alpine:3.20.3
--- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about these updates again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/defenseunicorns/uds-core). Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Micah Nagel --- src/grafana/values/unicorn-values.yaml | 2 +- src/grafana/values/upstream-values.yaml | 2 +- src/grafana/zarf.yaml | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/src/grafana/values/unicorn-values.yaml b/src/grafana/values/unicorn-values.yaml index bfec85312..0f8d1d8bf 100644 --- a/src/grafana/values/unicorn-values.yaml +++ b/src/grafana/values/unicorn-values.yaml @@ -12,7 +12,7 @@ initChownData: downloadDashboardsImage: registry: cgr.dev repository: du-uds-defenseunicorns/curl-fips - tag: 8.9.1 + tag: 8.10.0 sidecar: image: diff --git a/src/grafana/values/upstream-values.yaml b/src/grafana/values/upstream-values.yaml index d80a7b0bf..615c19514 100644 --- a/src/grafana/values/upstream-values.yaml +++ b/src/grafana/values/upstream-values.yaml @@ -19,4 +19,4 @@ initChownData: downloadDashboardsImage: registry: docker.io repository: curlimages/curl - tag: 8.9.1 + tag: 8.10.0 diff --git a/src/grafana/zarf.yaml b/src/grafana/zarf.yaml index f58b38bbf..a3396d3d1 100644 --- a/src/grafana/zarf.yaml +++ b/src/grafana/zarf.yaml 
@@ -22,7 +22,7 @@ components: - values/upstream-values.yaml images: - docker.io/grafana/grafana:11.2.0 - - docker.io/curlimages/curl:8.9.1 + - docker.io/curlimages/curl:8.10.0 - docker.io/library/busybox:1.36.1 - ghcr.io/kiwigrid/k8s-sidecar:1.27.6 @@ -54,5 +54,5 @@ components: images: - cgr.dev/du-uds-defenseunicorns/grafana-fips:11.2.0 - cgr.dev/du-uds-defenseunicorns/busybox-fips:1.36.1 - - cgr.dev/du-uds-defenseunicorns/curl-fips:8.9.1 + - cgr.dev/du-uds-defenseunicorns/curl-fips:8.10.0 - cgr.dev/du-uds-defenseunicorns/k8s-sidecar-fips:1.27.6 From f94daf1e2ce7c9763a5367e028533a5cd46b9a17 Mon Sep 17 00:00:00 2001 
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Wed, 11 Sep 2024 15:57:13 +0000 Subject: [PATCH 6/6] chore(deps): update loki memcached images to v1.6.31 (#752) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This PR contains the following updates: | Package | Update | Change | |---|---|---| | [cgr.dev/du-uds-defenseunicorns/memcached](https://images.chainguard.dev/directory/image/memcached/overview) ([source](https://redirect.github.com/chainguard-images/images-private/tree/HEAD/images/memcached)) | patch | `1.6.27` -> `1.6.31` | | docker.io/memcached | patch | `1.6.27-alpine` -> `1.6.31-alpine` | | [registry1.dso.mil/ironbank/opensource/memcached/memcached](https://memcached.org/) ([source](https://repo1.dso.mil/dsop/opensource/memcached/memcached)) | patch | `1.6.27` -> `1.6.31` | --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about these updates again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/defenseunicorns/uds-core). Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Micah Nagel --- src/loki/values/registry1-values.yaml | 2 +- src/loki/values/unicorn-values.yaml | 2 +- src/loki/values/upstream-values.yaml | 2 +- src/loki/zarf.yaml | 6 +++--- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/src/loki/values/registry1-values.yaml b/src/loki/values/registry1-values.yaml index 1dc979898..900772e53 100644 --- a/src/loki/values/registry1-values.yaml 
+++ b/src/loki/values/registry1-values.yaml @@ -23,4 +23,4 @@ gateway: memcached: image: repository: registry1.dso.mil/ironbank/opensource/memcached/memcached - tag: 1.6.27 + tag: 1.6.31 diff --git a/src/loki/values/unicorn-values.yaml b/src/loki/values/unicorn-values.yaml index 7de7a9ce3..309753bee 100644 --- a/src/loki/values/unicorn-values.yaml +++ b/src/loki/values/unicorn-values.yaml @@ -11,4 +11,4 @@ gateway: memcached: image: repository: cgr.dev/du-uds-defenseunicorns/memcached - tag: 1.6.27 + tag: 1.6.31 diff --git a/src/loki/values/upstream-values.yaml b/src/loki/values/upstream-values.yaml index e7938fc13..a7ebd51df 100644 --- a/src/loki/values/upstream-values.yaml +++ b/src/loki/values/upstream-values.yaml @@ -14,4 +14,4 @@ memcached: image: registry: docker.io repository: memcached - tag: 1.6.27-alpine + tag: 1.6.31-alpine diff --git a/src/loki/zarf.yaml b/src/loki/zarf.yaml index 64e3d39a2..46d102da2 100644 --- a/src/loki/zarf.yaml +++ b/src/loki/zarf.yaml @@ -18,7 +18,7 @@ components: images: - docker.io/grafana/loki:3.1.1 - docker.io/nginxinc/nginx-unprivileged:1.27-alpine - - docker.io/memcached:1.6.27-alpine + - docker.io/memcached:1.6.31-alpine - name: loki required: true @@ -34,7 +34,7 @@ components: images: - registry1.dso.mil/ironbank/opensource/grafana/loki:3.1.1 - registry1.dso.mil/ironbank/opensource/nginx/nginx-alpine:1.26.2 - - registry1.dso.mil/ironbank/opensource/memcached/memcached:1.6.27 + - registry1.dso.mil/ironbank/opensource/memcached/memcached:1.6.31 - name: loki required: true @@ -50,4 +50,4 @@ components: images: - cgr.dev/du-uds-defenseunicorns/loki:3.1.1 - cgr.dev/du-uds-defenseunicorns/nginx-fips:1.27.1 - - cgr.dev/du-uds-defenseunicorns/memcached:1.6.27 + - cgr.dev/du-uds-defenseunicorns/memcached:1.6.31