From a412581c6295658cd61a8f4fc182357c0780bef6 Mon Sep 17 00:00:00 2001 
From: Micah Nagel Date: Fri, 12 Jul 2024 13:07:49 -0600 Subject: [PATCH] feat: add unicorn flavor to uds-core (#507) ## Description Adds the unicorn flavor (Chainguard images currently) to uds-core with CI testing/publishing. Validated the publish workflow changes on a fork. Note that create was skipped due to lack of credentials on the fork so the workflow is running a "dry-run" publish. Take particular note of the `Determine destination repository` job and the dry run publish commands: - Snapshot: https://github.com/BagelLab/uds-core/actions/runs/9910149555 - Normal Release: https://github.com/BagelLab/uds-core/actions/runs/9910127730 Note: An issue has been opened to switch NeuVector from upstream -> chainguard (https://github.com/defenseunicorns/uds-core/issues/568). Upstream was chosen instead of registry1 to ensure arm64 support for the full unicorn flavor. ## Related Issue N/A ## Type of change - [ ] Bug fix (non-breaking change which fixes an issue) - [x] New feature (non-breaking change which adds functionality) - [ ] Other (security config, docs update, etc) ## Checklist before merging - [x] Test, docs, adr added or updated as needed - [x] [Contributor Guide Steps](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md)(https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md#submitting-a-pull-request) followed --------- Co-authored-by: Noah Birrer --- .github/actions/setup/action.yaml | 9 +++ .github/workflows/publish.yaml | 40 ++++++++----- .../workflows/pull-request-conditionals.yaml | 6 +- .github/workflows/snapshot-release.yaml | 1 + .github/workflows/tag-and-release.yaml | 1 + .github/workflows/test.yaml | 2 + docs/deployment/flavors.md | 23 ++++++++ docs/deployment/uds-deploy.md | 2 +- docs/development/flavor-specific-dev.md | 19 +++++++ .../uds-development-maintenance.md | 11 ---- renovate.json | 8 +++ src/authservice/values/unicorn-values.yaml | 3 + src/authservice/zarf.yaml | 13 +++++ 
src/grafana/values/unicorn-values.yaml | 21 +++++++ src/grafana/zarf.yaml | 16 ++++++ src/istio/values/unicorn-values.yaml | 7 +++ src/istio/zarf.yaml | 14 +++++ src/keycloak/values/unicorn-values.yaml | 3 + src/keycloak/zarf.yaml | 14 +++++ src/loki/values/unicorn-values.yaml | 10 ++++ src/loki/zarf.yaml | 15 +++++ src/metrics-server/values/unicorn-values.yaml | 3 + src/metrics-server/zarf.yaml | 13 +++++ .../values/unicorn-monitor-values.yaml | 5 ++ src/neuvector/values/unicorn-values.yaml | 26 +++++++++ src/neuvector/zarf.yaml | 38 +++++++++++++ .../values/unicorn-values.yaml | 56 +++++++++++++++++++ src/prometheus-stack/zarf.yaml | 20 +++++++ src/promtail/values/unicorn-values.yaml | 10 ++++ src/promtail/zarf.yaml | 15 +++++ src/velero/values/unicorn-values.yaml | 22 ++++++++ src/velero/zarf.yaml | 16 ++++++ 32 files changed, 435 insertions(+), 27 deletions(-) create mode 100644 docs/deployment/flavors.md create mode 100644 docs/development/flavor-specific-dev.md delete mode 100644 docs/development/uds-development-maintenance.md create mode 100644 src/authservice/values/unicorn-values.yaml create mode 100644 src/grafana/values/unicorn-values.yaml create mode 100644 src/istio/values/unicorn-values.yaml create mode 100644 src/keycloak/values/unicorn-values.yaml create mode 100644 src/loki/values/unicorn-values.yaml create mode 100644 src/metrics-server/values/unicorn-values.yaml create mode 100644 src/neuvector/values/unicorn-monitor-values.yaml create mode 100644 src/neuvector/values/unicorn-values.yaml create mode 100644 src/prometheus-stack/values/unicorn-values.yaml create mode 100644 src/promtail/values/unicorn-values.yaml create mode 100644 src/velero/values/unicorn-values.yaml diff --git a/.github/actions/setup/action.yaml b/.github/actions/setup/action.yaml index 919a3f8a6..b7ba25e55 100644 --- a/.github/actions/setup/action.yaml +++ b/.github/actions/setup/action.yaml 
@@ -11,6 +11,9 @@ inputs: registry1Password: description: 'IRON_BANK_ROBOT_PASSWORD' required: true + chainguardIdentity: + description: "ID for Chainguard Identity" + required: true runs: using: "composite" @@ -40,6 +43,12 @@ runs: run: echo "${{ env.REGISTRY_PASSWORD }}" | uds zarf tools registry login -u "${{ env.REGISTRY_USERNAME }}" --password-stdin registry1.dso.mil shell: bash + - name: Chainguard Login + if: ${{ inputs.chainguardIdentity != '' }} + uses: chainguard-dev/setup-chainctl@fc62b08dfd3179dd694b50f672bc371f878fbd1e # v0.2.1 + with: + identity: ${{ inputs.chainguardIdentity }} + - name: GHCR Login if: ${{ inputs.ghToken != '' }} env: diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml index 664b331cc..0d44331b1 100644 --- a/.github/workflows/publish.yaml +++ b/.github/workflows/publish.yaml @@ -12,13 +12,14 @@ jobs: publish-uds-core: strategy: matrix: - flavor: [upstream, registry1] + flavor: [upstream, registry1, unicorn] runs-on: "uds-ubuntu-big-boy-8-core" name: Publish packages permissions: contents: read packages: write + id-token: write # This is needed for OIDC federation. steps: - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 @@ -29,6 +30,7 @@ jobs: registry1Username: ${{ secrets.IRON_BANK_ROBOT_USERNAME }} registry1Password: ${{ secrets.IRON_BANK_ROBOT_PASSWORD }} ghToken: ${{ secrets.GITHUB_TOKEN }} + chainguardIdentity: ${{ secrets.CHAINGUARD_IDENTITY }} - name: (Snapshot) Get snapshot version using git commit short sha and date if: ${{ inputs.snapshot }} @@ -59,7 +61,7 @@ jobs: ZARF_ARCHITECTURE=arm64 uds run -f tasks/create.yaml k3d-slim-dev-bundle --no-progress fi - # Standard Package by default tests what's in the Istio Package + # Standard Package by default tests full core - name: Test amd64 Bundle if: ${{ !inputs.snapshot }} run: | 
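Review bot: `chainguardIdentity` is declared `required: true` in the first action.yaml hunk, but the `Chainguard Login` step in the second hunk only runs when `inputs.chainguardIdentity != ''`, so the declaration and the guard disagree about whether the input is optional. Callers on a fork without `CHAINGUARD_IDENTITY` pass an empty string, which is exactly the case the guard exists for; declaring the input optional, `required: false` and `default: ""`, states that intent instead of relying on the runner not enforcing `required` for composite-action inputs. Extending the description to say that an empty value skips the Chainguard login would make the behaviour visible to callers of the action.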
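Review bot: The setup action receives `chainguardIdentity: ${{ secrets.CHAINGUARD_IDENTITY }}` for every matrix entry, so the `upstream` and `registry1` publish jobs also assume the Chainguard identity although nothing in those flavors pulls from cgr.dev. Limiting the credential to the flavor that needs it keeps the other jobs to the registries they actually use: `chainguardIdentity: ${{ matrix.flavor == 'unicorn' && secrets.CHAINGUARD_IDENTITY || '' }}`. The setup call in test.yaml (the `@@ -53,6 +54,7 @@` hunk) has the same shape, with `inputs.flavor` in place of `matrix.flavor`.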
@@ -70,21 +72,31 @@ jobs: if: ${{ always() && !inputs.snapshot }} uses: ./.github/actions/debug-output - - name: Publish Standard Package - if: ${{ !inputs.snapshot }} - run: uds run -f tasks/publish.yaml standard-package --set FLAVOR=${{ matrix.flavor }} --no-progress + # Determine repository to publish to + - name: Determine destination repository + id: repo + run: | + repo=ghcr.io/defenseunicorns/packages + # Publish unicorn flavor to private repository + if [ "${{ matrix.flavor }}" = "unicorn" ]; then + repo+=/private + fi + repo+=/uds + # Publish snapshots to snapshot repository + if [ "${{ inputs.snapshot }}" = "true" ]; then + repo+=/snapshots + fi - - name: Publish Upstream Flavored Bundles - if: ${{ !inputs.snapshot && matrix.flavor != 'registry1' }} - run: uds run -f tasks/publish.yaml bundles --no-progress + echo "repo=${repo}" >> "$GITHUB_OUTPUT" + echo "Publishing packages and bundles to ${repo}" - - name: (Snapshot) Publish Standard Package - if: ${{ inputs.snapshot }} - run: uds run -f tasks/publish.yaml standard-package --set FLAVOR=${{ matrix.flavor }} --set TARGET_REPO="ghcr.io/defenseunicorns/packages/uds/snapshots" --set VERSION="${SNAPSHOT_VERSION}" --no-progress + # Publish package and bundle to destination repository + - name: Publish Standard Package + run: uds run -f tasks/publish.yaml standard-package --set FLAVOR=${{ matrix.flavor }} --set TARGET_REPO=${{ steps.repo.outputs.repo }} --no-progress - - name: (Snapshot) Publish Upstream Flavored Bundles - if: ${{ inputs.snapshot && matrix.flavor != 'registry1' }} - run: uds run -f tasks/publish.yaml bundles --set TARGET_REPO="ghcr.io/defenseunicorns/packages/uds/snapshots" --set VERSION="${SNAPSHOT_VERSION}" --no-progress + - name: Publish Upstream Flavored Bundles + if: ${{ matrix.flavor == 'upstream' }} + run: uds run -f tasks/publish.yaml bundles --set TARGET_REPO=${{ steps.repo.outputs.repo }} --no-progress - name: Save logs if: always() 
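Review bot: The removed snapshot publish steps passed `--set VERSION="${SNAPSHOT_VERSION}"`, while the merged `Publish Standard Package` and `Publish Upstream Flavored Bundles` steps pass only `FLAVOR` and `TARGET_REPO`; unless tasks/publish.yaml now reads the snapshot version from the environment on its own, snapshot runs would publish under the default package version into the `/snapshots` repository. The `(Snapshot) Get snapshot version` step is still present, so if it exports something the task picks up, a short comment on the Publish step saying so would stop the next reader from re-adding the flag. Separately, the old steps quoted the target, so `--set TARGET_REPO="${{ steps.repo.outputs.repo }}"` would keep that style and tolerate a future value containing shell-significant characters.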
diff --git a/.github/workflows/pull-request-conditionals.yaml b/.github/workflows/pull-request-conditionals.yaml index fe3680478..7d942961a 100644 --- a/.github/workflows/pull-request-conditionals.yaml +++ b/.github/workflows/pull-request-conditionals.yaml @@ -66,7 +66,7 @@ jobs: strategy: matrix: package: ${{ fromJSON(needs.check-paths.outputs.packages) }} - flavor: [upstream, registry1] + flavor: [upstream, registry1, unicorn] test_type: [install] include: - package: all @@ -75,6 +75,10 @@ jobs: - package: all flavor: upstream test_type: upgrade + # Commented out until unicorn flavor has a published release + # - package: all + # flavor: unicorn + # test_type: upgrade uses: ./.github/workflows/test.yaml with: package: ${{ matrix.package }} diff --git a/.github/workflows/snapshot-release.yaml b/.github/workflows/snapshot-release.yaml index 859fd816a..5ea5da234 100644 --- a/.github/workflows/snapshot-release.yaml +++ b/.github/workflows/snapshot-release.yaml @@ -10,6 +10,7 @@ jobs: permissions: contents: write packages: write + id-token: write uses: ./.github/workflows/publish.yaml with: snapshot: true diff --git a/.github/workflows/tag-and-release.yaml b/.github/workflows/tag-and-release.yaml index b2e99c970..b601a46d9 100644 --- a/.github/workflows/tag-and-release.yaml +++ b/.github/workflows/tag-and-release.yaml @@ -24,6 +24,7 @@ jobs: permissions: contents: write packages: write + id-token: write uses: ./.github/workflows/publish.yaml with: snapshot: false diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index 1f4007991..5cf31d631 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml @@ -34,6 +34,7 @@ on: permissions: contents: read + id-token: write # This is needed for OIDC federation. jobs: test: 
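Review bot: Adding `unicorn` to the PR test matrix makes that install test depend on `secrets.CHAINGUARD_IDENTITY` and an OIDC token, which `pull_request` runs from forks generally do not receive, so for outside contributors the `Chainguard Login` step is skipped and the cgr.dev pulls for this flavor will presumably fail rather than be skipped. The commented-out upgrade entry shows the matrix is meant to grow carefully; a comment on the `flavor:` line such as `# unicorn needs CHAINGUARD_IDENTITY; runs from forks cannot pull these images` would record the limitation until the entry is gated on secret availability. This also bears on the new flavor-specific-dev.md text, which tells outside developers to rely on CI for this flavor.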
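Review bot: `id-token: write` is added at the workflow level of test.yaml, so it applies to every job in the file rather than only to the job whose setup step federates with Chainguard; in publish.yaml the same grant is placed on the job. Moving it under `jobs.test.permissions` next to the existing `contents: read` keeps the OIDC grant to the job that needs it. If `test` is the only job in the file the effect is the same today, but job scope survives later additions to the workflow.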
@@ -53,6 +54,7 @@ jobs: registry1Username: ${{ secrets.IRON_BANK_ROBOT_USERNAME }} registry1Password: ${{ secrets.IRON_BANK_ROBOT_PASSWORD }} ghToken: ${{ secrets.GITHUB_TOKEN }} + chainguardIdentity: ${{ secrets.CHAINGUARD_IDENTITY }} - name: Test a single source package if: ${{ inputs.package != 'all' && inputs.test_type == 'install' }} diff --git a/docs/deployment/flavors.md b/docs/deployment/flavors.md new file mode 100644 index 000000000..680a2872e --- /dev/null +++ b/docs/deployment/flavors.md 
@@ -0,0 +1,23 @@ +--- +title: Published Flavors +type: docs +weight: 2 +--- + +UDS Core is published with multiple variations (Zarf flavors). Each flavor uses a separate source registry for the images. Each flavor is used as the suffix on the OCI tags for packages. For production use cases we recommend the `registry1` or `unicorn` flavors as these images tend to be more secure than their `upstream` counterparts. + +{{% alert-note %}} +Demo and dev bundles (`k3d-core-demo` and `k3d-core-slim-dev`) are only published from the upstream flavor. +{{% /alert-note %}} + +### Flavors + +| Flavor | GHCR Location | Image Source | +| --------------------- | ---------------------------------------------- | -------------------------------------------------------------------------------------------------------------------- | +| `registry1` | `ghcr.io/defenseunicorns/packages/uds` | [Ironbank](https://p1.dso.mil/services/iron-bank) - DoD hardened images (only supports amd64 architecture currently) | +| `upstream` | `ghcr.io/defenseunicorns/packages/uds` | Various sources, typically DockerHub/GHCR/Quay, these are the default images used by helm charts | +| **ALPHA** `unicorn` | `ghcr.io/defenseunicorns/packages/private/uds` | Industry best images designed with security and minimalism in mind | + +{{% alert-note %}} +The `unicorn` flavored packages are only available in a private repository. These packages are available for all members of the Defense Unicorns organization/company, if you are outside the organization [contact us](https://www.defenseunicorns.com/contactus) if you are interested in using this flavor for your mission. +{{% /alert-note %}} diff --git a/docs/deployment/uds-deploy.md b/docs/deployment/uds-deploy.md index de7702c98..5d6b4399a 100644 --- a/docs/deployment/uds-deploy.md +++ b/docs/deployment/uds-deploy.md @@ -1,7 +1,7 @@ --- title: Deploy UDS Core type: docs -weight: 2 +weight: 3 --- ## Prerequisites 
diff --git a/docs/development/flavor-specific-dev.md b/docs/development/flavor-specific-dev.md new file mode 100644 index 000000000..8928a949d --- /dev/null +++ b/docs/development/flavor-specific-dev.md 
@@ -0,0 +1,19 @@ +--- +title: Flavor Specific Development Notes +type: docs +weight: 5 +--- + +Specific flavors of UDS Core have access and architecture restrictions when used for development work. The `upstream` flavor is generally recommended for development as it does not have any restrictions or requirements. + +### Registry1 + +The `registry1` flavor uses images from [Ironbank](https://p1.dso.mil/services/iron-bank) which can only be pulled with authentication. Developers can self-register on [P1 SSO](https://login.dso.mil/) and retrieve a pull token for auth from [registry1's Harbor](https://registry1.dso.mil/). (In upper right corner, click --> User Profile, then click the Copy icon next to CLI secret, and use this for `docker login`.) + +Images in `registry1` historically only supported `amd64` architectures. While some images do now support `arm64` architecture, uds-core only supports `amd64` for the `registry1` flavor. If developing on an `arm64` machine you will need to use a virtualization layer or an external dev box. + +### Unicorn + +The `unicorn` flavor uses images primarily from a private Chainguard repository. These images can be pulled by any developers in the Defense Unicorns organization once added to the Chainguard repository. Local authentication should be done with [chainctl](https://edu.chainguard.dev/chainguard/administration/how-to-install-chainctl/), specifically using the [credential helper](https://edu.chainguard.dev/chainguard/administration/how-to-install-chainctl/#configure-a-docker-credential-helper) for a seamless experience. + +Developers outside of the Defense Unicorns organization/company will be unable to pull these images directly and should rely on CI testing for validation of this flavor. [Contact us](https://www.defenseunicorns.com/contactus) if you have a need to pull these images and develop on this flavor in particular. 
diff --git a/docs/development/uds-development-maintenance.md b/docs/development/uds-development-maintenance.md deleted file mode 100644 index d9f62c94f..000000000 --- a/docs/development/uds-development-maintenance.md +++ /dev/null @@ -1,11 +0,0 @@ ---- -title: Development Maintenance -type: docs -weight: 1 ---- - -## UDS Bundle [name] - -### How to upgrade this bundle - -[Description and steps for upgrading this UDS bundle. Include any historic problems to watch out for] diff --git a/renovate.json b/renovate.json index c03970695..80ac376bc 100644 --- a/renovate.json +++ b/renovate.json @@ -28,6 +28,14 @@ "depNameTemplate": "docker.io/neuvector/controller", "datasourceTemplate": "docker" }, + { + "fileMatch": ["^src/neuvector/values/unicorn-values\\.yaml$"], + "matchStrings": [ + "registry: cgr.dev\\s+tag:\\s+[\"]?(?[^\"]*)[\"]?" + ], + "depNameTemplate": "cgr.dev/du-uds-defenseunicorns/neuvector-controller-fips", + "datasourceTemplate": "docker" + }, { "fileMatch": ["^src/neuvector/values/registry1-values\\.yaml$"], "matchStrings": [ diff --git a/src/authservice/values/unicorn-values.yaml b/src/authservice/values/unicorn-values.yaml new file mode 100644 index 000000000..34feb99c9 --- /dev/null +++ b/src/authservice/values/unicorn-values.yaml @@ -0,0 +1,3 @@ +image: + repository: cgr.dev/du-uds-defenseunicorns/authservice-fips + tag: "1.0.1" diff --git a/src/authservice/zarf.yaml b/src/authservice/zarf.yaml index 64e6b6f62..3856fbf17 100644 --- a/src/authservice/zarf.yaml +++ b/src/authservice/zarf.yaml @@ -30,3 +30,16 @@ components: - values/registry1-values.yaml images: - registry1.dso.mil/ironbank/istio-ecosystem/authservice:1.0.1-ubi9 + + - name: authservice + required: true + only: + flavor: unicorn + import: + path: common + charts: + - name: authservice + valuesFiles: + - values/unicorn-values.yaml + images: + - cgr.dev/du-uds-defenseunicorns/authservice-fips:1.0.1 
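Review bot: The new renovate `matchStrings` entry contains the capture group `(?[^\"]*)`, which has no group name and is not a valid regex as shown; renovate's regex manager expects a named group such as `(?<currentValue>[^\"]*)` to identify the version. The name may have been dropped when this page was rendered, in which case nothing is wrong, but it is worth confirming the committed file. The entry also names only `neuvector-controller-fips` although the single top-level `tag:` in unicorn-values.yaml drives the manager, enforcer and controller images, so a comment recording that choice would help the next maintainer.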
diff --git a/src/grafana/values/unicorn-values.yaml b/src/grafana/values/unicorn-values.yaml new file mode 100644 index 000000000..517e3e2a8 --- /dev/null +++ b/src/grafana/values/unicorn-values.yaml @@ -0,0 +1,21 @@ +image: + registry: cgr.dev + repository: du-uds-defenseunicorns/grafana-fips + tag: 11.1.0 + +initChownData: + image: + registry: cgr.dev + repository: du-uds-defenseunicorns/busybox-fips + tag: 1.36.1 + +downloadDashboardsImage: + registry: cgr.dev + repository: du-uds-defenseunicorns/curl-fips + tag: 8.8.0 + +sidecar: + image: + registry: cgr.dev + repository: du-uds-defenseunicorns/k8s-sidecar-fips + tag: 1.27.4 diff --git a/src/grafana/zarf.yaml b/src/grafana/zarf.yaml index 63f329807..b68fd6c43 100644 --- a/src/grafana/zarf.yaml +++ b/src/grafana/zarf.yaml @@ -40,3 +40,19 @@ components: - registry1.dso.mil/ironbank/opensource/grafana/grafana:11.1.0 - registry1.dso.mil/ironbank/redhat/ubi/ubi9-minimal:9.4 - registry1.dso.mil/ironbank/kiwigrid/k8s-sidecar:1.27.4 + + - name: grafana + required: true + only: + flavor: unicorn + import: + path: common + charts: + - name: grafana + valuesFiles: + - values/unicorn-values.yaml + images: + - cgr.dev/du-uds-defenseunicorns/grafana-fips:11.1.0 + - cgr.dev/du-uds-defenseunicorns/busybox-fips:1.36.1 + - cgr.dev/du-uds-defenseunicorns/curl-fips:8.8.0 + - cgr.dev/du-uds-defenseunicorns/k8s-sidecar-fips:1.27.4 diff --git a/src/istio/values/unicorn-values.yaml b/src/istio/values/unicorn-values.yaml new file mode 100644 index 000000000..2a19c8327 --- /dev/null +++ b/src/istio/values/unicorn-values.yaml @@ -0,0 +1,7 @@ +pilot: + image: cgr.dev/du-uds-defenseunicorns/istio-pilot-fips:1.22.2 +global: + proxy_init: + image: cgr.dev/du-uds-defenseunicorns/istio-proxy-fips:1.22.2 + proxy: + image: cgr.dev/du-uds-defenseunicorns/istio-proxy-fips:1.22.2 diff --git a/src/istio/zarf.yaml b/src/istio/zarf.yaml index 28375f759..d48eeee91 100644 --- a/src/istio/zarf.yaml +++ b/src/istio/zarf.yaml 
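Review bot: The image tags in the new grafana values file are unquoted (`tag: 11.1.0`), as are those in the istio, loki, promtail, prometheus-stack and neuvector values files added later in this patch, while the authservice, keycloak and metrics-server files quote theirs (`tag: "1.0.1"`). Three-component versions parse as strings either way, but a future bump to a two-component tag such as `1.10` would be read as the float `1.1` by the YAML loader, so quoting every `tag:` consistently, `tag: "11.1.0"`, removes that trap and matches the already-quoted files.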
@@ -38,6 +38,20 @@ components: - registry1.dso.mil/ironbank/tetrate/istio/proxyv2:1.22.2-tetratefips-v0 - registry1.dso.mil/ironbank/tetrate/istio/pilot:1.22.2-tetratefips-v0 + - name: istio-controlplane + required: true + only: + flavor: unicorn + import: + path: common + charts: + - name: istiod + valuesFiles: + - "values/unicorn-values.yaml" + images: + - cgr.dev/du-uds-defenseunicorns/istio-pilot-fips:1.22.2 + - cgr.dev/du-uds-defenseunicorns/istio-proxy-fips:1.22.2 + - name: istio-admin-gateway required: true charts: diff --git a/src/keycloak/values/unicorn-values.yaml b/src/keycloak/values/unicorn-values.yaml new file mode 100644 index 000000000..571b6eba2 --- /dev/null +++ b/src/keycloak/values/unicorn-values.yaml @@ -0,0 +1,3 @@ +image: + repository: cgr.dev/du-uds-defenseunicorns/keycloak + tag: "24.0.5" diff --git a/src/keycloak/zarf.yaml b/src/keycloak/zarf.yaml index 67fcf997d..25f4d26db 100644 --- a/src/keycloak/zarf.yaml +++ b/src/keycloak/zarf.yaml @@ -38,3 +38,17 @@ components: images: - registry1.dso.mil/ironbank/opensource/keycloak/keycloak:24.0.5 - ghcr.io/defenseunicorns/uds/identity-config:0.5.0 + + - name: keycloak + required: true + only: + flavor: unicorn + import: + path: common + charts: + - name: keycloak + valuesFiles: + - "values/unicorn-values.yaml" + images: + - cgr.dev/du-uds-defenseunicorns/keycloak:24.0.5 # todo: switch to FIPS image + - ghcr.io/defenseunicorns/uds/identity-config:0.5.0 diff --git a/src/loki/values/unicorn-values.yaml b/src/loki/values/unicorn-values.yaml new file mode 100644 index 000000000..20df5327b --- /dev/null +++ b/src/loki/values/unicorn-values.yaml @@ -0,0 +1,10 @@ +loki: + image: + registry: cgr.dev + repository: du-uds-defenseunicorns/loki + tag: 2.9.8 +gateway: + image: + registry: cgr.dev + repository: du-uds-defenseunicorns/nginx-fips + tag: 1.27.0 diff --git a/src/loki/zarf.yaml b/src/loki/zarf.yaml index 75d765ccb..df76918b9 100644 --- a/src/loki/zarf.yaml +++ b/src/loki/zarf.yaml 
@@ -33,3 +33,18 @@ components: images: - registry1.dso.mil/ironbank/opensource/grafana/loki:2.9.6 - registry1.dso.mil/ironbank/opensource/nginx/nginx-alpine:1.25.3 + + - name: loki + required: true + description: "Install Loki using chainguard images" + only: + flavor: "unicorn" + import: + path: common + charts: + - name: loki + valuesFiles: + - ./values/unicorn-values.yaml + images: + - cgr.dev/du-uds-defenseunicorns/loki:2.9.8 + - cgr.dev/du-uds-defenseunicorns/nginx-fips:1.27.0 diff --git a/src/metrics-server/values/unicorn-values.yaml b/src/metrics-server/values/unicorn-values.yaml new file mode 100644 index 000000000..f86a8a6b6 --- /dev/null +++ b/src/metrics-server/values/unicorn-values.yaml @@ -0,0 +1,3 @@ +image: + repository: cgr.dev/du-uds-defenseunicorns/metrics-server-fips + tag: "0.7.1" diff --git a/src/metrics-server/zarf.yaml b/src/metrics-server/zarf.yaml index 773a91f4d..bb31f8724 100644 --- a/src/metrics-server/zarf.yaml +++ b/src/metrics-server/zarf.yaml @@ -30,3 +30,16 @@ components: - "values/registry1-values.yaml" images: - registry1.dso.mil/ironbank/opensource/kubernetes-sigs/metrics-server:v0.7.1 + + - name: metrics-server + required: true + only: + flavor: unicorn + import: + path: common + charts: + - name: metrics-server + valuesFiles: + - "values/unicorn-values.yaml" + images: + - cgr.dev/du-uds-defenseunicorns/metrics-server-fips:0.7.1 diff --git a/src/neuvector/values/unicorn-monitor-values.yaml b/src/neuvector/values/unicorn-monitor-values.yaml new file mode 100644 index 000000000..51f216b67 --- /dev/null +++ b/src/neuvector/values/unicorn-monitor-values.yaml @@ -0,0 +1,5 @@ +registry: cgr.dev +exporter: + image: + repository: du-uds-defenseunicorns/neuvector-prometheus-exporter-fips + tag: 5.3.0 diff --git a/src/neuvector/values/unicorn-values.yaml b/src/neuvector/values/unicorn-values.yaml new file mode 100644 index 000000000..4f90d4966 --- /dev/null +++ b/src/neuvector/values/unicorn-values.yaml 
@@ -0,0 +1,26 @@ +registry: cgr.dev +tag: "5.3.3" +manager: + image: + repository: du-uds-defenseunicorns/neuvector-manager + +enforcer: + image: + repository: du-uds-defenseunicorns/neuvector-enforcer-fips + containerSecurityContext: + privileged: true + +controller: + image: + repository: du-uds-defenseunicorns/neuvector-controller-fips + +cve: + scanner: + image: + repository: du-uds-defenseunicorns/neuvector-scanner-fips + tag: latest + updater: + enabled: true + image: + repository: du-uds-defenseunicorns/neuvector-updater-fips + tag: 8.8.0-dev diff --git a/src/neuvector/zarf.yaml b/src/neuvector/zarf.yaml index 4750be445..f64572ded 100644 --- a/src/neuvector/zarf.yaml +++ b/src/neuvector/zarf.yaml 
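Review bot: `cve.scanner.image.tag: latest` and `cve.updater.image.tag: 8.8.0-dev` are mutable tags, so two builds of the unicorn package can ship different scanner and updater images with no change in this file; the velero values file later in the patch uses `1.13.2-dev` and `1.29.5-dev` the same way, and the neuvector zarf.yaml hunk lists `docker.io/neuvector/updater:latest` and `scanner:latest`. For a flavor published as the security-focused option, pinning those to an immutable tag or a digest, or at least a comment stating why a moving tag is acceptable here, would make the package reproducible. The `enforcer.containerSecurityContext.privileged: true` setting deserves a why-comment as well, since nothing in this file says what the enforcer needs it for.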
@@ -48,3 +48,41 @@ components: - registry1.dso.mil/ironbank/neuvector/neuvector/scanner:5 - registry1.dso.mil/ironbank/neuvector/neuvector/enforcer:5.3.3 - registry1.dso.mil/ironbank/neuvector/neuvector/prometheus-exporter:5.3.2 + + - name: neuvector + description: "Deploy Neuvector" + required: true + only: + flavor: unicorn + import: + path: common + charts: + - name: core + valuesFiles: + - values/upstream-values.yaml + - name: monitor + valuesFiles: + - values/upstream-monitor-values.yaml + images: + - docker.io/neuvector/controller:5.3.3 + - docker.io/neuvector/manager:5.3.3 + - docker.io/neuvector/updater:latest + - docker.io/neuvector/scanner:latest + - docker.io/neuvector/enforcer:5.3.3 + - docker.io/neuvector/prometheus-exporter:5.3.2 + + # todo: switch to chainguard images once manager is functional + # charts: + # - name: core + # valuesFiles: + # - values/unicorn-values.yaml + # - name: monitor + # valuesFiles: + # - values/unicorn-monitor-values.yaml + # images: + # - cgr.dev/du-uds-defenseunicorns/neuvector-manager:5.3.3 + # - cgr.dev/du-uds-defenseunicorns/neuvector-enforcer-fips:5.3.3 + # - cgr.dev/du-uds-defenseunicorns/neuvector-controller-fips:5.3.3 + # - cgr.dev/du-uds-defenseunicorns/neuvector-scanner-fips:latest + # - cgr.dev/du-uds-defenseunicorns/neuvector-updater-fips:8.8.0-dev + # - cgr.dev/du-uds-defenseunicorns/neuvector-prometheus-exporter-fips:5.3.0 diff --git a/src/prometheus-stack/values/unicorn-values.yaml b/src/prometheus-stack/values/unicorn-values.yaml new file mode 100644 index 000000000..67d689058 --- /dev/null +++ b/src/prometheus-stack/values/unicorn-values.yaml 
@@ -0,0 +1,56 @@ +alertmanager: + alertmanagerSpec: + image: + registry: cgr.dev + repository: du-uds-defenseunicorns/prometheus-alertmanager-fips + tag: 0.27.0 +kube-state-metrics: + image: + registry: cgr.dev + repository: du-uds-defenseunicorns/kube-state-metrics-fips + tag: 2.12.0 + securityContext: + enabled: true + fsGroup: 65532 + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 +prometheus: + prometheusSpec: + image: + registry: cgr.dev + repository: du-uds-defenseunicorns/prometheus-fips + tag: 2.52.0 +prometheus-node-exporter: + image: + registry: cgr.dev + repository: du-uds-defenseunicorns/prometheus-node-exporter-fips + tag: 1.8.1 +prometheusOperator: + admissionWebhooks: + containerSecurityContext: + capabilities: + drop: + - ALL + patch: + enabled: true + image: + registry: cgr.dev + repository: du-uds-defenseunicorns/kube-webhook-certgen-fips + tag: 1.10.1 + registry: cgr.dev + repository: du-uds-defenseunicorns/kube-webhook-certgen-fips + tag: 1.10.1 + securityContext: + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 + image: + registry: cgr.dev + repository: du-uds-defenseunicorns/prometheus-operator-fips + tag: 0.74.0 + prometheusConfigReloader: + image: + registry: cgr.dev + repository: du-uds-defenseunicorns/prometheus-config-reloader-fips + tag: 0.74.0 diff --git a/src/prometheus-stack/zarf.yaml b/src/prometheus-stack/zarf.yaml index 32acbf534..ea1e31733 100644 --- a/src/prometheus-stack/zarf.yaml +++ b/src/prometheus-stack/zarf.yaml 
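Review bot: Under `prometheusOperator.admissionWebhooks.patch` the `registry`/`repository`/`tag` triple for kube-webhook-certgen appears twice, once under `image:` and once directly after it; with the indentation lost in this rendering it is not clear whether the second triple sits at the `patch` level or repeats keys under `image`. If the keys are duplicated most loaders silently keep the last value, and if they sit at the `patch` level the chart presumably ignores them, so either way one of the two triples can be dropped after checking the chart's values schema. The rest of the file, the `65532` non-root security contexts and the dropped capabilities, reads consistently.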
@@ -54,3 +54,23 @@ components: - "registry1.dso.mil/ironbank/opensource/prometheus-operator/prometheus-config-reloader:v0.74.0" - "registry1.dso.mil/ironbank/opensource/prometheus/prometheus:v2.52.0" - "registry1.dso.mil/ironbank/opensource/ingress-nginx/kube-webhook-certgen:v1.3.0" + + - name: kube-prometheus-stack + required: true + description: "Install kube-prometheus-stack using the helm chart https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack" + only: + flavor: unicorn + import: + path: common + charts: + - name: kube-prometheus-stack + valuesFiles: + - "values/unicorn-values.yaml" + images: + - "cgr.dev/du-uds-defenseunicorns/prometheus-node-exporter-fips:1.8.1" + - "cgr.dev/du-uds-defenseunicorns/prometheus-operator-fips:0.74.0" + - "cgr.dev/du-uds-defenseunicorns/kube-state-metrics-fips:2.12.0" + - "cgr.dev/du-uds-defenseunicorns/prometheus-alertmanager-fips:0.27.0" + - "cgr.dev/du-uds-defenseunicorns/prometheus-config-reloader-fips:0.74.0" + - "cgr.dev/du-uds-defenseunicorns/prometheus-fips:2.52.0" + - "cgr.dev/du-uds-defenseunicorns/kube-webhook-certgen-fips:1.10.1" diff --git a/src/promtail/values/unicorn-values.yaml b/src/promtail/values/unicorn-values.yaml new file mode 100644 index 000000000..4f4ac593e --- /dev/null +++ b/src/promtail/values/unicorn-values.yaml @@ -0,0 +1,10 @@ +image: + registry: cgr.dev + repository: du-uds-defenseunicorns/promtail + tag: 3.1.0 +sidecar: + configReloader: + image: + registry: cgr.dev + repository: du-uds-defenseunicorns/configmap-reload-fips + tag: 0.12.0 diff --git a/src/promtail/zarf.yaml b/src/promtail/zarf.yaml index 5042b2b5f..e1310ed58 100644 --- a/src/promtail/zarf.yaml +++ b/src/promtail/zarf.yaml 
@@ -34,3 +34,18 @@ components: images: - registry1.dso.mil/ironbank/opensource/jimmidyson/configmap-reload:v0.13.1 - registry1.dso.mil/ironbank/opensource/grafana/promtail:v3.1.0 + + - name: promtail + required: true + description: "Deploy Promtail" + only: + flavor: unicorn + import: + path: common + charts: + - name: promtail + valuesFiles: + - values/unicorn-values.yaml + images: + - cgr.dev/du-uds-defenseunicorns/configmap-reload-fips:0.12.0 + - cgr.dev/du-uds-defenseunicorns/promtail:3.1.0 diff --git a/src/velero/values/unicorn-values.yaml b/src/velero/values/unicorn-values.yaml new file mode 100644 index 000000000..c5eb19b14 --- /dev/null +++ b/src/velero/values/unicorn-values.yaml @@ -0,0 +1,22 @@ +image: + repository: cgr.dev/du-uds-defenseunicorns/velero-fips + tag: 1.13.2-dev + +kubectl: + image: + repository: cgr.dev/du-uds-defenseunicorns/kubectl-fips + tag: 1.29.5-dev + +initContainers: + - name: velero-plugin-for-aws + image: cgr.dev/du-uds-defenseunicorns/velero-plugin-for-aws-fips:1.9.2 + imagePullPolicy: IfNotPresent + volumeMounts: + - mountPath: /target + name: plugins + - name: velero-plugin-for-csi + image: cgr.dev/du-uds-defenseunicorns/velero-plugin-for-csi-fips:0.7.1 + imagePullPolicy: IfNotPresent + volumeMounts: + - mountPath: /target + name: plugins diff --git a/src/velero/zarf.yaml b/src/velero/zarf.yaml index 59a25128d..694179415 100644 --- a/src/velero/zarf.yaml +++ b/src/velero/zarf.yaml 
@@ -36,3 +36,19 @@ components: - registry1.dso.mil/ironbank/opensource/velero/velero-plugin-for-aws:v1.9.2 - registry1.dso.mil/ironbank/opensource/velero/velero-plugin-for-csi:v0.7.1 - registry1.dso.mil/ironbank/big-bang/base:2.1.0 + + - name: velero + required: true + only: + flavor: unicorn + import: + path: common + charts: + - name: velero + valuesFiles: + - values/unicorn-values.yaml + images: + - cgr.dev/du-uds-defenseunicorns/velero-fips:1.13.2-dev + - cgr.dev/du-uds-defenseunicorns/velero-plugin-for-aws-fips:1.9.2 + - cgr.dev/du-uds-defenseunicorns/velero-plugin-for-csi-fips:0.7.1 + - cgr.dev/du-uds-defenseunicorns/kubectl-fips:1.29.5-dev