Merge branch 'main' into 970-all-nodes

* main:
  chore(deps): update support-deps (#1117)
  chore(deps): update grafana to 11.4.0 (#1053)
  chore: update doc-gen output_dir (#1123)
  feat: configurable authentication flows (#1102)

.github/bundles/aks/uds-bundle.yaml

@@ -12,7 +12,7 @@ metadata:
 packages:
   - name: init
     repository: ghcr.io/zarf-dev/packages/init
-    ref: v0.44.0
+    ref: v0.45.0
 
   - name: core
     path: ../../../build

.github/bundles/eks/uds-bundle.yaml

@@ -12,7 +12,7 @@ metadata:
 packages:
   - name: init
     repository: ghcr.io/zarf-dev/packages/init
-    ref: v0.44.0
+    ref: v0.45.0
 
   - name: core
     path: ../../../build

.github/bundles/rke2/uds-bundle.yaml

@@ -16,7 +16,7 @@ packages:
 
   - name: init
     repository: ghcr.io/zarf-dev/packages/init
-    ref: v0.44.0
+    ref: v0.45.0
     overrides:
       zarf-registry:
         docker-registry:

.github/test-infra/aws/rke2/versions.tf

@@ -6,7 +6,7 @@ terraform {
   }
   required_providers {
     aws = {
-      version = "~> 5.80.0"
+      version = "~> 5.81.0"
     }
     random = {
       version = "~> 3.6.0"

.github/workflows/scorecard.yaml

@@ -47,6 +47,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: Upload to code-scanning
-        uses: github/codeql-action/upload-sarif@babb554ede22fd5605947329c4d04d8e7a0b8155 # v3.27.7
+        uses: github/codeql-action/upload-sarif@df409f7d9260372bd5f19e5b04e83cb3c43714ae # v3.27.9
         with:
           sarif_file: results.sarif

bundles/k3d-slim-dev/uds-bundle.yaml

@@ -32,7 +32,7 @@ packages:
 
   - name: init
     repository: ghcr.io/zarf-dev/packages/init
-    ref: v0.44.0
+    ref: v0.45.0
 
   - name: core-base
     path: ../../build/

bundles/k3d-standard/uds-bundle.yaml

@@ -32,7 +32,7 @@ packages:
 
   - name: init
     repository: ghcr.io/zarf-dev/packages/init
-    ref: v0.44.0
+    ref: v0.45.0
 
   - name: core
     path: ../../build/

src/grafana/common/zarf.yaml

@@ -17,7 +17,7 @@ components:
         localPath: ../chart
       - name: grafana
         url: https://grafana.github.io/helm-charts/
-        version: 8.6.1
+        version: 8.7.0
         namespace: grafana
         valuesFiles:
           - ../values/values.yaml

src/grafana/values/registry1-values.yaml

@@ -4,7 +4,7 @@
 image:
   registry: registry1.dso.mil
   repository: ironbank/opensource/grafana/grafana
-  tag: 11.3.1
+  tag: 11.4.0
 
 initChownData:
   image:
@@ -21,4 +21,4 @@ sidecar:
   image:
     registry: registry1.dso.mil
     repository: ironbank/kiwigrid/k8s-sidecar
-    tag: 1.28.0
+    tag: 1.28.1

src/grafana/values/unicorn-values.yaml

@@ -4,7 +4,7 @@
 image:
   registry: cgr.dev
   repository: du-uds-defenseunicorns/grafana-fips
-  tag: 11.3.1
+  tag: 11.4.0
 
 initChownData:
   image:
@@ -15,10 +15,10 @@ initChownData:
 downloadDashboardsImage:
   registry: cgr.dev
   repository: du-uds-defenseunicorns/curl-fips
-  tag: 8.11.0
+  tag: 8.11.1
 
 sidecar:
   image:
     registry: cgr.dev
     repository: du-uds-defenseunicorns/k8s-sidecar-fips
-    tag: 1.28.0
+    tag: 1.28.1

src/grafana/values/upstream-values.yaml

@@ -6,12 +6,12 @@ sidecar:
     # -- The Docker registry
     registry: ghcr.io
     repository: kiwigrid/k8s-sidecar
-    tag: 1.28.0
+    tag: 1.28.1
 
 image:
   registry: docker.io
   repository: grafana/grafana
-  tag: 11.3.1
+  tag: 11.4.0
 
 initChownData:
   image:
@@ -22,4 +22,4 @@ initChownData:
 downloadDashboardsImage:
   registry: docker.io
   repository: curlimages/curl
-  tag: 8.11.0
+  tag: 8.11.1

src/grafana/zarf.yaml

@@ -24,10 +24,10 @@ components:
         valuesFiles:
           - values/upstream-values.yaml
     images:
-      - docker.io/grafana/grafana:11.3.1
-      - docker.io/curlimages/curl:8.11.0
+      - docker.io/grafana/grafana:11.4.0
+      - docker.io/curlimages/curl:8.11.1
       - docker.io/library/busybox:1.37.0
-      - ghcr.io/kiwigrid/k8s-sidecar:1.28.0
+      - ghcr.io/kiwigrid/k8s-sidecar:1.28.1
 
   - name: grafana
     required: true
@@ -40,9 +40,9 @@ components:
         valuesFiles:
           - values/registry1-values.yaml
     images:
-      - registry1.dso.mil/ironbank/opensource/grafana/grafana:11.3.1
+      - registry1.dso.mil/ironbank/opensource/grafana/grafana:11.4.0
       - registry1.dso.mil/ironbank/redhat/ubi/ubi9-minimal:9.5
-      - registry1.dso.mil/ironbank/kiwigrid/k8s-sidecar:1.28.0
+      - registry1.dso.mil/ironbank/kiwigrid/k8s-sidecar:1.28.1
 
   - name: grafana
     required: true
@@ -55,7 +55,7 @@ components:
         valuesFiles:
           - values/unicorn-values.yaml
     images:
-      - cgr.dev/du-uds-defenseunicorns/grafana-fips:11.3.1
+      - cgr.dev/du-uds-defenseunicorns/grafana-fips:11.4.0
       - cgr.dev/du-uds-defenseunicorns/busybox-fips:1.37.0
-      - cgr.dev/du-uds-defenseunicorns/curl-fips:8.11.0
-      - cgr.dev/du-uds-defenseunicorns/k8s-sidecar-fips:1.28.0
+      - cgr.dev/du-uds-defenseunicorns/curl-fips:8.11.1
+      - cgr.dev/du-uds-defenseunicorns/k8s-sidecar-fips:1.28.1

src/keycloak/chart/templates/secret-kc-realm.yaml

@@ -5,7 +5,7 @@ apiVersion: v1
 kind: Secret
 metadata:
   name: {{ include "keycloak.fullname" . }}-realm-env
-  namespace: {{ .Release.Namespace }}  
+  namespace: {{ .Release.Namespace }}
   labels:
     {{- include "keycloak.labels" . | nindent 4 }}
 type: Opaque
@@ -16,4 +16,13 @@ data:
   {{- else }}
   REALM_{{ $key }}: {{ $value | b64enc }}
   {{- end }}
-  {{- end }}
+  {{- end }}
+
+  SOCIAL_LOGIN_ENABLED: {{ .Values.realmAuthFlows.SOCIAL_AUTH_ENABLED | toString | b64enc }}
+  X509_LOGIN_ENABLED: {{ .Values.realmAuthFlows.X509_AUTH_ENABLED | toString | b64enc }}
+  USERNAME_PASSWORD_AUTH_ENABLED: {{ .Values.realmAuthFlows.USERNAME_PASSWORD_AUTH_ENABLED | toString | b64enc }}
+  REGISTER_BUTTON_ENABLED: {{ or .Values.realmAuthFlows.USERNAME_PASSWORD_AUTH_ENABLED .Values.realmAuthFlows.X509_AUTH_ENABLED | toString | b64enc }}
+  DENY_USERNAME_PASSWORD_ENABLED: {{ ternary "DISABLED" "REQUIRED" (.Values.realmAuthFlows.USERNAME_PASSWORD_AUTH_ENABLED) | b64enc }}
+  RESET_CREDENTIAL_FLOW_ENABLED: {{ ternary "REQUIRED" "DISABLED" (.Values.realmAuthFlows.USERNAME_PASSWORD_AUTH_ENABLED) | b64enc }}
+  REGISTRATION_FORM_ENABLED: {{ ternary "REQUIRED" "DISABLED" (or .Values.realmAuthFlows.USERNAME_PASSWORD_AUTH_ENABLED .Values.realmAuthFlows.X509_AUTH_ENABLED) | b64enc }}
+  OTP_ENABLED: {{ (and .Values.realmAuthFlows.OTP_ENABLED .Values.realmAuthFlows.USERNAME_PASSWORD_AUTH_ENABLED) | toString | b64enc }}

src/keycloak/chart/templates/statefulset.yaml

@@ -28,7 +28,8 @@ spec:
         {{- end }}
        {{- if not .Values.devMode }}
       annotations:
-        postgres-hash: {{ include (print $.Template.BasePath "/secret-postgresql.yaml") . | sha256sum }}        
+        postgres-hash: {{ include (print $.Template.BasePath "/secret-postgresql.yaml") . | sha256sum }}
+        kc-realm-hash: {{ include (print $.Template.BasePath "/secret-kc-realm.yaml") . | sha256sum }}
       {{- end }}
     spec:
       securityContext:
@@ -52,13 +53,16 @@ spec:
               mountPath: /opt/keycloak/themes
             - name: conf
               mountPath: /opt/keycloak/conf
+          envFrom:
+            - secretRef:
+                name: {{ include "keycloak.fullname" . }}-realm-env
       containers:
         - name: keycloak
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           securityContext:
           {{- toYaml .Values.securityContext | nindent 12 }}
-          command: 
+          command:
             - "/opt/keycloak/bin/kc.sh"
           args:
             {{- if .Values.devMode }}
@@ -128,14 +132,13 @@ spec:
             - name: KC_CACHE_STACK
               value: kubernetes
             - name: KC_SPI_STICKY_SESSION_ENCODER_INFINISPAN_SHOULD_ATTACH_ROUTE
-              value: "false"               
+              value: "false"
             # java opts for jgroups required for infinispan distributed cache when using the kubernetes stack.
             # https://www.keycloak.org/server/caching
             - name: JAVA_OPTS_APPEND
               value: -Djgroups.dns.query={{ include "keycloak.fullname" . }}-headless.keycloak.svc.cluster.local
-
             # Postgres database configuration
-            - name: KC_DB 
+            - name: KC_DB
               value: postgres
             - name: KC_DB_URL_HOST
               valueFrom:

src/keycloak/chart/values.schema.json

@@ -292,6 +292,23 @@
         }
       }
     },
+    "realmAuthFlows": {
+      "type": "object",
+      "properties": {
+        "USERNAME_PASSWORD_AUTH_ENABLED": {
+          "type": "boolean"
+        },
+        "X509_AUTH_ENABLED": {
+          "type": "boolean"
+        },
+        "SOCIAL_AUTH_ENABLED": {
+          "type": "boolean"
+        },
+        "OTP_ENABLED": {
+          "type": "boolean"
+        }
+      }
+    },
     "resources": {
       "type": "object",
       "properties": {

src/keycloak/chart/values.yaml

@@ -27,17 +27,24 @@ realm: uds
 # UDS Identity Config Realm Environment Variables. More info here: https://github.com/defenseunicorns/uds-identity-config/blob/main/docs/CUSTOMIZE.md#templated-realm-values
 realmInitEnv:
   GOOGLE_IDP_ENABLED: false
-#   GOOGLE_IDP_ID: ""
-#   GOOGLE_IDP_SIGNING_CERT: ""
-#   GOOGLE_IDP_NAME_ID_FORMAT: ""
-#   GOOGLE_IDP_CORE_ENTITY_ID: ""
-#   GOOGLE_IDP_ADMIN_GROUP: ""
-#   GOOGLE_IDP_AUDITOR_GROUP: ""
-#   PASSWORD_POLICY: "hashAlgorithm(pbkdf2-sha256) and forceExpiredPasswordChange(90) and specialChars(2) and lowerCase(0) and upperCase(0) and passwordHistory(5) and length(12) and notUsername(undefined) and digits(0)"
-#   EMAIL_VERIFICATION_ENABLED: true
-#   OTP_ENABLED: true
-#   TERMS_AND_CONDITIONS_ENABLED: true
-#   REALM_X509_OCSP_FAIL_OPEN: true
+  # GOOGLE_IDP_ID: ""
+  # GOOGLE_IDP_SIGNING_CERT: ""
+  # GOOGLE_IDP_NAME_ID_FORMAT: ""
+  # GOOGLE_IDP_CORE_ENTITY_ID: ""
+  # GOOGLE_IDP_ADMIN_GROUP: ""
+  # GOOGLE_IDP_AUDITOR_GROUP: ""
+  # PASSWORD_POLICY: "hashAlgorithm(pbkdf2-sha256) and forceExpiredPasswordChange(90) and specialChars(2) and lowerCase(0) and upperCase(0) and passwordHistory(5) and length(12) and notUsername(undefined) and digits(0)"
+  # EMAIL_VERIFICATION_ENABLED: true
+  # TERMS_AND_CONDITIONS_ENABLED: true
+  # X509_OCSP_FAIL_OPEN: true
+  # DISABLE_REGISTRATION_FIELDS: false
+
+# UDS Identity Config Authentication Flows Environment Variables. More info here: https://github.com/defenseunicorns/uds-identity-config/blob/main/docs/CUSTOMIZE.md#templated-realm-values
+realmAuthFlows:
+  USERNAME_PASSWORD_AUTH_ENABLED: true
+  X509_AUTH_ENABLED: true
+  SOCIAL_AUTH_ENABLED: true
+  OTP_ENABLED: true
 
 # Generates an initial password for first admin user - only use if install is headless
 # (i.e. cannot hit keycloak UI with `zarf connect keycloak`), password should be changed after initial login

tasks/create.yaml

@@ -3,7 +3,7 @@
 
 
 includes:
-  - common: https://raw.githubusercontent.com/defenseunicorns/uds-common/v1.5.1/tasks/create.yaml
+  - common: https://raw.githubusercontent.com/defenseunicorns/uds-common/v1.6.0/tasks/create.yaml
 
 variables:
   - name: FLAVOR

tasks/iac.yaml

@@ -22,7 +22,7 @@ tasks:
   - name: install-eksctl
     actions:
       - cmd: |
-          curl --silent --location "https://github.com/weaveworks/eksctl/releases/download/v0.198.0/eksctl_Linux_amd64.tar.gz" | tar xz -C /tmp
+          curl --silent --location "https://github.com/weaveworks/eksctl/releases/download/v0.199.0/eksctl_Linux_amd64.tar.gz" | tar xz -C /tmp
           sudo mv /tmp/eksctl /usr/local/bin
 
   - name: create-cluster

tasks/lint.yaml

@@ -2,7 +2,7 @@
 # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial
 
 includes:
-  - remote: https://raw.githubusercontent.com/defenseunicorns/uds-common/v1.5.1/tasks/lint.yaml
+  - remote: https://raw.githubusercontent.com/defenseunicorns/uds-common/v1.6.0/tasks/lint.yaml
 
 tasks:
   - name: fix

tasks/setup.yaml

@@ -15,4 +15,4 @@ tasks:
 
       - description: "Initialize the cluster with Zarf"
         # renovate: datasource=github-tags depName=zarf-dev/zarf versioning=semver
-        cmd: "uds zarf package deploy oci://ghcr.io/zarf-dev/packages/init:v0.44.0 --confirm --no-progress"
+        cmd: "uds zarf package deploy oci://ghcr.io/zarf-dev/packages/init:v0.45.0 --confirm --no-progress"

tasks/test.yaml

@@ -9,7 +9,7 @@ includes:
   - base-layer: ../packages/base/tasks.yaml
   - idam-layer: ../packages/identity-authorization/tasks.yaml
   - common-setup: https://raw.githubusercontent.com/defenseunicorns/uds-common/refs/tags/v0.13.1/tasks/setup.yaml
-  - compliance: https://raw.githubusercontent.com/defenseunicorns/uds-common/v1.5.1/tasks/compliance.yaml
+  - compliance: https://raw.githubusercontent.com/defenseunicorns/uds-common/v1.6.0/tasks/compliance.yaml
 
 tasks:
   - name: base