Create Lula Compose Task #798
Comments
Small Lula bug prevents composing a component-definition that imports a component-definition that contains remote validations. Link to bug: defenseunicorns/lula#684

Still blocked while waiting for the next release of Lula, but can bootstrap the code for when it is available. The only item that should "fail" is that the istio validations aren't composed, resulting in an assessment-result.yaml with more "not-satisfied" results.

v0.9.1 of Lula fixed the compose issue. Just for awareness.
## Description

Created a local task to run Lula Compose. Due to the structure of UDS Core there are several oscal-component.yaml under src/service-name with a top level oscal-component.yaml in the ./compliance directory. To create a single holistic artifact that can be used as a deliverable and the source of truth/tested artifact we need a way to run `lula tools compose -f ./compliance/oscal-component.yaml`.

The task will likely stay local as opposed to moving into UDS Common because of the functionality of the monorepo. This could change in the future as more scenarios unfold, but can be easily ported.

## Related Issue

Relates to #798

## Type of change

- [ ] Bug fix (non-breaking change which fixes an issue)
- [x] New feature (non-breaking change which adds functionality)
- [ ] Other (security config, docs update, etc)

## Checklist before merging

- [x] Test, docs, adr added or updated as needed
- [x] [Contributor Guide](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md) followed
### chore(deps): update prometheus-stack (#863)

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [cgr.dev/du-uds-defenseunicorns/kube-webhook-certgen-fips](https://images.chainguard.dev/directory/image/kube-webhook-certgen-fips/overview) ([source](https://redirect.github.com/chainguard-images/images-private/tree/HEAD/images/kube-webhook-certgen-fips)) | patch | `1.11.2` -> `1.11.3` |
| [kube-prometheus-stack](https://redirect.github.com/prometheus-operator/kube-prometheus) ([source](https://redirect.github.com/prometheus-community/helm-charts)) | minor | `65.0.0` -> `65.2.0` |
| [registry.k8s.io/ingress-nginx/kube-webhook-certgen](https://redirect.github.com/kubernetes/ingress-nginx) | patch | `v1.4.3` -> `v1.4.4` |
| [registry1.dso.mil/ironbank/opensource/ingress-nginx/kube-webhook-certgen](https://redirect.github.com/kubernetes/ingress-nginx/) ([source](https://repo1.dso.mil/dsop/opensource/kubernetes/ingress-nginx/kube-webhook-certgen)) | patch | `v1.4.3` -> `v1.4.4` |

Release notes, prometheus-community/helm-charts (kube-prometheus-stack):

- [`v65.2.0`](https://redirect.github.com/prometheus-community/helm-charts/compare/kube-prometheus-stack-65.1.1...kube-prometheus-stack-65.2.0) ([Compare Source](https://redirect.github.com/prometheus-community/helm-charts/compare/kube-prometheus-stack-65.1.1...kube-prometheus-stack-65.2.0))
- [`v65.1.1`](https://redirect.github.com/prometheus-community/helm-charts/compare/kube-prometheus-stack-65.1.0...kube-prometheus-stack-65.1.1) ([Compare Source](https://redirect.github.com/prometheus-community/helm-charts/compare/kube-prometheus-stack-65.1.0...kube-prometheus-stack-65.1.1))
- [`v65.1.0`](https://redirect.github.com/prometheus-community/helm-charts/compare/kube-prometheus-stack-65.0.0...kube-prometheus-stack-65.1.0) ([Compare Source](https://redirect.github.com/prometheus-community/helm-charts/compare/kube-prometheus-stack-65.0.0...kube-prometheus-stack-65.1.0))

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Chance <[email protected]>

### chore(deps): update support-deps (#912)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| aws | required_provider | minor | `~> 5.71.0` -> `~> 5.72.0` |
| [terraform-aws-modules/rds/aws](https://registry.terraform.io/modules/terraform-aws-modules/rds/aws) ([source](https://redirect.github.com/terraform-aws-modules/terraform-aws-rds)) | module | minor | `6.9.0` -> `6.10.0` |

Release notes, terraform-aws-modules/terraform-aws-rds (terraform-aws-modules/rds/aws):

- [`v6.10.0`](https://redirect.github.com/terraform-aws-modules/terraform-aws-rds/blob/HEAD/CHANGELOG.md#6100-2024-10-16) ([Compare Source](https://redirect.github.com/terraform-aws-modules/terraform-aws-rds/compare/v6.9.0...v6.10.0))
  - Support `cloudwatch_log_group_tags` parameter ([#571](https://redirect.github.com/terraform-aws-modules/terraform-aws-rds/issues/571)) ([73e33fe](https://redirect.github.com/terraform-aws-modules/terraform-aws-rds/commit/73e33feba5d907801791168ebf6d3132fbd646f5))
  - Update CI workflow versions to latest ([#570](https://redirect.github.com/terraform-aws-modules/terraform-aws-rds/issues/570)) ([220cc85](https://redirect.github.com/terraform-aws-modules/terraform-aws-rds/commit/220cc85dcdc8eb63772e25526db693dd563d40a1))

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Micah Nagel <[email protected]>

### fix: don't add duplicate policy names to `uds-core.pepr.dev/mutated` annotation (#916)

Adds a check to the `annotateMutation` function that prevents duplicate values (policy names) from being added to the `uds-core.pepr.dev/mutated` key.

Fixes #717

- [x] Bug fix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds functionality)
- [ ] Other (security config, docs update, etc)
- [ ] Test, docs, adr added or updated as needed
- [ ] [Contributor Guide](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md) followed

Co-authored-by: Micah Nagel <[email protected]>

### fix: decompose istio oscal (#826)

Splits the validations out from the OSCAL Component-Definition. `lula validate` can work remotely to validate the validations. Updated the OSCAL Assessment-Result as the baseline has changed from High to Moderate. Updated the Istio catalog source url to a tagged version (recent GSA release).

This pattern allows for easier maintenance and development of the validations by not reading through 1000s of lines of OSCAL and OSCAL formatting just to make a small update. All of the validations under the ./compliance/validations directory are a pull from the compliance-artifacts repo where OSCAL and Validations development happen.

Relates to #797

- [ ] Bug fix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds functionality)
- [x] Other (security config, docs update, etc)
- [x] Test, docs, adr added or updated as needed
- [x] [Contributor Guide](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md) followed

### chore(deps): update pepr to v0.38.1 (#922)

This PR contains the following updates:

| Package | Change |
|---|---|
| [pepr](https://redirect.github.com/defenseunicorns/pepr) | [`0.38.0` -> `0.38.1`](https://renovatebot.com/diffs/npm/pepr/0.38.0/0.38.1) |

Release notes, defenseunicorns/pepr (pepr), [`v0.38.1`](https://redirect.github.com/defenseunicorns/pepr/releases/tag/v0.38.1) ([Compare Source](https://redirect.github.com/defenseunicorns/pepr/compare/v0.38.0...v0.38.1)):

- chore: get pods each reporting interval by [@cmwylie19](https://redirect.github.com/cmwylie19) in [https://github.com/defenseunicorns/pepr/pull/1279](https://redirect.github.com/defenseunicorns/pepr/pull/1279)
- chore: node-latest is breaking ci - change matrix to 22 by [@cmwylie19](https://redirect.github.com/cmwylie19) in [https://github.com/defenseunicorns/pepr/pull/1288](https://redirect.github.com/defenseunicorns/pepr/pull/1288)
- chore: reduce package size - exclude tests from package by [@cmwylie19](https://redirect.github.com/cmwylie19) in [https://github.com/defenseunicorns/pepr/pull/1275](https://redirect.github.com/defenseunicorns/pepr/pull/1275)
- test: http2-enable watcher and iso format logs in soak test by [@btlghrants](https://redirect.github.com/btlghrants) in [https://github.com/defenseunicorns/pepr/pull/1277](https://redirect.github.com/defenseunicorns/pepr/pull/1277)
- test: http2-enable watcher in smoke test by [@btlghrants](https://redirect.github.com/btlghrants) in [https://github.com/defenseunicorns/pepr/pull/1281](https://redirect.github.com/defenseunicorns/pepr/pull/1281)
- chore: update resource limits/requests on controllers by [@cmwylie19](https://redirect.github.com/cmwylie19) in [https://github.com/defenseunicorns/pepr/pull/1291](https://redirect.github.com/defenseunicorns/pepr/pull/1291)
- chore: bump peter-murray/workflow-application-token-action from 3.0.1 to 4.0.0 by [@dependabot](https://redirect.github.com/dependabot) in [https://github.com/defenseunicorns/pepr/pull/1273](https://redirect.github.com/defenseunicorns/pepr/pull/1273)
- chore: bump anchore/scan-action from 5.0.0 to 5.0.1 by [@dependabot](https://redirect.github.com/dependabot) in [https://github.com/defenseunicorns/pepr/pull/1272](https://redirect.github.com/defenseunicorns/pepr/pull/1272)
- chore: bump chainguard/node from `8a604e5` to `b0b04bb` by [@dependabot](https://redirect.github.com/dependabot) in [https://github.com/defenseunicorns/pepr/pull/1271](https://redirect.github.com/defenseunicorns/pepr/pull/1271)
- chore: bump kubernetes-fluent-client from 3.1.1 to 3.1.2 in the production-dependencies group by [@dependabot](https://redirect.github.com/dependabot) in [https://github.com/defenseunicorns/pepr/pull/1292](https://redirect.github.com/defenseunicorns/pepr/pull/1292)
- chore: bump [@types/node](https://redirect.github.com/types/node) from 22.7.5 to 22.7.6 in the development-dependencies group by [@dependabot](https://redirect.github.com/dependabot) in [https://github.com/defenseunicorns/pepr/pull/1293](https://redirect.github.com/defenseunicorns/pepr/pull/1293)
- chore: bump chainguard/node from `b0b04bb` to `96260af` by [@dependabot](https://redirect.github.com/dependabot) in [https://github.com/defenseunicorns/pepr/pull/1289](https://redirect.github.com/defenseunicorns/pepr/pull/1289)

**Full Changelog**: defenseunicorns/pepr@v0.38.0...v0.38.1

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

### fix: test ci license check (#924)

CI currently doesn't check for license linting. Also updating some compliance files with license headers.

- [ ] Bug fix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds functionality)
- [x] Other (security config, docs update, etc)
- [x] Test, docs, adr added or updated as needed
- [x] [Contributor Guide](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md) followed

### chore: group setup action in support deps (#930)

Should regroup these: https://github.com/defenseunicorns/uds-core/pull/926/files

N/A

- [ ] Bug fix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds functionality)
- [x] Other (security config, docs update, etc)
- [ ] Test, docs, adr added or updated as needed
- [ ] [Contributor Guide](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md) followed

### chore(deps): update prometheus-stack to v65.3.1 (#920)

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [kube-prometheus-stack](https://redirect.github.com/prometheus-operator/kube-prometheus) ([source](https://redirect.github.com/prometheus-community/helm-charts)) | minor | `65.2.0` -> `65.3.1` |

Release notes, prometheus-community/helm-charts (kube-prometheus-stack):

kube-prometheus-stack collects Kubernetes manifests, Grafana dashboards, and Prometheus rules combined with documentation and scripts to provide easy to operate end-to-end Kubernetes cluster monitoring with Prometheus using the Prometheus Operator.

- [`v65.3.1`](https://redirect.github.com/prometheus-community/helm-charts/releases/tag/kube-prometheus-stack-65.3.1) ([Compare Source](https://redirect.github.com/prometheus-community/helm-charts/compare/kube-prometheus-stack-65.3.0...kube-prometheus-stack-65.3.1))
  - \[kube-prometheus-stack] fix Provision Grafana comment example by [@VergeDX](https://redirect.github.com/VergeDX) in [https://github.com/prometheus-community/helm-charts/pull/4919](https://redirect.github.com/prometheus-community/helm-charts/pull/4919)
  - [@VergeDX](https://redirect.github.com/VergeDX) made their first contribution in [https://github.com/prometheus-community/helm-charts/pull/4919](https://redirect.github.com/prometheus-community/helm-charts/pull/4919)
  - **Full Changelog**: prometheus-community/helm-charts@prometheus-operator-admission-webhook-0.16.0...kube-prometheus-stack-65.3.1
- [`v65.3.0`](https://redirect.github.com/prometheus-community/helm-charts/releases/tag/kube-prometheus-stack-65.3.0) ([Compare Source](https://redirect.github.com/prometheus-community/helm-charts/compare/kube-prometheus-stack-65.2.0...kube-prometheus-stack-65.3.0))
  - \[kube-prometheus-stack] support kubelet endpoint slices by [@DrFaust92](https://redirect.github.com/DrFaust92) in [https://github.com/prometheus-community/helm-charts/pull/4899](https://redirect.github.com/prometheus-community/helm-charts/pull/4899)
  - **Full Changelog**: prometheus-community/helm-charts@prometheus-mongodb-exporter-3.7.2...kube-prometheus-stack-65.3.0

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Chance <[email protected]>

### chore: add nightly testing for AKS (#908)

Adds nightly testing for uds-core on AKS.

Callouts:

- Removes `nightly-testing.yaml` in favor of a single workflow for each distribution
- Deploys storage account and containers for velero and loki and configures uds-core to use them
- Deploys postgresql database and configures grafana to use it for HA configuration
- adds `uds-config.tf` file and writes `uds-config.yaml` using terraform `local_sensitive_file` instead of `tf output xyz >> uds-config.yaml` pattern used in the past

Fixes:

- #727
- #856

- [ ] Bug fix (non-breaking change which fixes an issue)
- [x] New feature (non-breaking change which adds functionality)
- [ ] Other (security config, docs update, etc)
- [x] Test, docs, adr added or updated as needed
- [ ] [Contributor Guide](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md) followed

Co-authored-by: Micah Nagel <[email protected]>

### chore: add local lula compose task (#892)

Created a local task to run Lula Compose. Due to the structure of UDS Core there are several oscal-component.yaml under src/service-name with a top level oscal-component.yaml in the ./compliance directory. To create a single holistic artifact that can be used as a deliverable and the source of truth/tested artifact we need a way to run `lula tools compose -f ./compliance/oscal-component.yaml`.

The task will likely stay local as opposed to moving into UDS Common because of the functionality of the monorepo. This could change in the future as more scenarios unfold, but can be easily ported.

Relates to #798

- [ ] Bug fix (non-breaking change which fixes an issue)
- [x] New feature (non-breaking change which adds functionality)
- [ ] Other (security config, docs update, etc)
- [x] Test, docs, adr added or updated as needed
- [x] [Contributor Guide](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md) followed

### chore: group vscode/settings.json with support-deps (#933)

Add .vscode/settings.json to support-deps renovate for capturing uds-cli version changes.

- [ ] Bug fix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds functionality)
- [x] Other (security config, docs update, etc)
- [x] Test, docs, adr added or updated as needed
- [x] [Contributor Guide](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md) followed

### chore: add e2e playwright tests for grafana (#844)

Adds e2e testing structure and specific e2e test for Grafana using playwright. This test:

- Validates existence and successful connection to datasources (Loki and Prometheus)
- Validates two custom dashboards exist and dropdowns populate for ns selection (resources and loki quicksearch)
- Validates SSO login success

Fixes #764

- [ ] Bug fix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds functionality)
- [x] Other (security config, docs update, etc)
- [x] Test, docs, adr added or updated as needed
- [x] [Contributor Guide](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md) followed

### fix: merge main and add single package test
**Is your feature request related to a problem? Please describe.**

In support of "de-composing" OSCAL validations into separate directories for ease of development, a task will need to be created to run `lula compose` in CI before the compliance tasks that run `lula validate` and `lula evaluate` are run, to create a more complete deliverable OSCAL artifact. #797

**Describe the solution you'd like**

`lula compose` in the tasks directory.

**Describe alternatives you've considered**

Validation can be done remotely, but composing the artifact in CI creates the deliverable artifact that then gets validated for compliance. I.e. running `lula validate -f compliance/oscal-component.yaml` will yield the same data in the `oscal-assessment-results.yaml`, but this sets up having the single oscal-component.yaml that includes the validations for when that will be needed.
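The flow this issue and the #892 PR describe is compose, then validate, then evaluate, with the assessment results as the deliverable. What a CI job needs at the end of that chain is a pass/fail decision over those results, and the comment above already names the kind of exception a gate has to carry (istio validations that were not composed showing up as "not-satisfied"). The block below is an added example, not code from uds-core or Lula: a Python gate that loads an OSCAL assessment-results document, selects the latest result, and fails unless every finding is `satisfied` or its control id is on an explicit allowlist. Assumptions: the OSCAL 1.1 layout `results[].findings[].target.status.state`, a JSON serialization (OSCAL YAML carries the same keys), that Lula appends one result per run so the newest must be chosen rather than the first, and the constructed sample document with its uuids and control ids (`ac-6.1`, `sc-7`), none of which come from the page.

```python
"""CI gate over the OSCAL assessment-results written by `lula validate`.

Added example for this issue, not uds-core or Lula code. It assumes the
OSCAL 1.1 assessment-results layout (results[].findings[].target.status.state)
serialized as JSON; OSCAL YAML uses the same keys, so yaml.safe_load in
place of json.loads handles the YAML form Lula writes by default.
"""
import json
import sys
from collections import Counter
from typing import Iterator


def _finding(uuid: str, control: str, state: str) -> dict:
    """Build one OSCAL finding whose objective target carries a status."""
    return {"uuid": uuid, "title": f"Validation Result - Control: {control}",
            "target": {"type": "objective-id", "target-id": control,
                       "status": {"state": state}}}


# Constructed sample: an older run with every control satisfied, then a newer
# run where sc-7 regressed. Lula appends one result per run (assumption), so
# the gate must judge the latest result rather than the first one it finds.
SAMPLE_ASSESSMENT_RESULTS = json.dumps({
    "assessment-results": {
        "uuid": "5c0ab8a3-3a5d-4b5b-9a0c-3d1f7e2b9c11",
        "metadata": {"title": "constructed sample", "version": "0.0.1",
                     "oscal-version": "1.1.2"},
        "results": [
            {"uuid": "0d6b0b9e-6f7d-4f55-8b2a-7f0a3e9d2a01",
             "title": "Lula Validation Result", "start": "2024-10-01T12:00:00Z",
             "findings": [_finding("f-1", "ac-6.1", "satisfied"),
                          _finding("f-2", "sc-7", "satisfied")]},
            {"uuid": "e3f1c2d4-5b6a-4c7d-8e9f-0a1b2c3d4e5f",
             "title": "Lula Validation Result", "start": "2024-10-18T12:00:00Z",
             "findings": [_finding("f-3", "ac-6.1", "satisfied"),
                          _finding("f-4", "sc-7", "not-satisfied")]},
        ],
    }
})


def load_assessment_results(text: str) -> dict:
    """Parse the document and return the assessment-results object."""
    doc = json.loads(text)
    if "assessment-results" not in doc:
        raise ValueError("not an OSCAL assessment-results document")
    return doc["assessment-results"]


def latest_result(ar: dict) -> dict:
    """Pick the most recent result by its ISO 8601 'start' timestamp."""
    results = ar.get("results") or []
    if not results:
        raise ValueError("assessment-results contains no results")
    return max(results, key=lambda r: r.get("start", ""))


def iter_findings(result: dict) -> Iterator[tuple[str, str]]:
    """Yield (target-id, state) for every finding in one result."""
    for finding in result.get("findings") or []:
        target = finding.get("target") or {}
        state = (target.get("status") or {}).get("state", "unknown")
        yield target.get("target-id", "unknown"), state


def summarize_findings(ar: dict) -> dict[str, int]:
    """Count the latest result's findings by state, e.g. {'satisfied': 3}."""
    return dict(Counter(state for _, state in iter_findings(latest_result(ar))))


def gate(ar: dict, allowed_not_satisfied: frozenset[str] = frozenset()) -> tuple[bool, list[str]]:
    """Fail unless every finding in the latest result is satisfied.

    Known gaps (for example validations that were not composed) go in
    allowed_not_satisfied so they are tracked explicitly instead of passing
    silently; any other non-satisfied state, including an unknown one, fails.
    """
    unexpected = sorted(
        target_id for target_id, state in iter_findings(latest_result(ar))
        if state != "satisfied" and target_id not in allowed_not_satisfied)
    return not unexpected, unexpected


def main(argv: list[str]) -> int:
    """Usage: gate.py [assessment-results.json] [allowed-control-id ...]"""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_ASSESSMENT_RESULTS  # no path given: run on the sample
    ar = load_assessment_results(text)
    print("findings by state:", summarize_findings(ar))
    ok, unexpected = gate(ar, frozenset(argv[2:]))
    for target_id in unexpected:
        print(f"unexpected not-satisfied finding: {target_id}")
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In the task chain, `lula tools compose -f ./compliance/oscal-component.yaml` and `lula validate -f compliance/oscal-component.yaml` (the commands quoted on this page) run first; the gate then reads the results file the validate step wrote and exits non-zero on any unexpected finding, so the job fails. Passing the known gap as an argument (`python3 gate.py assessment-results.json sc-7`) keeps it visible in the pipeline definition rather than buried in a filter.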