From fc39544cefdd0f0c283a1d2a56cf189303b6a594 Mon Sep 17 00:00:00 2001 From: Doc A Date: Fri, 20 Sep 2024 20:56:53 +0000 Subject: [PATCH 01/90] Added getting started blurb --- CONTRIBUTING.md | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 340dddd87..eea0faed3 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -48,7 +48,17 @@ We apply these general principles to all User Stories and activities contributin ## Getting Started -TBD +For development of the UDS Operator, a development cluster is required. You can +run one w/ the `dev-setup` UDS Task. Note that this will create a k3d cluster +on your local machine. Ensure you have an up-to-date version of k3d installed, +as older versions can cause failure of the UDS Core development environment. + +```bash +uds run dev-setup +``` + +This will create a cluster and then print instructions for further development +of the UDS Operator Pepr module. ## Submitting a Pull Request From 9b88e2c1836f97dc5d62535273a1b37ec716826b Mon Sep 17 00:00:00 2001 From: Doc A Date: Mon, 23 Sep 2024 15:47:39 +0000 Subject: [PATCH 02/90] Added image workaround for dev-setup, getting started notes --- .vscode/settings.json | 1 + CONTRIBUTING.md | 18 ++++++++++++++++++ tasks.yaml | 9 +++++++++ 3 files changed, 28 insertions(+) diff --git a/.vscode/settings.json b/.vscode/settings.json index 2c44843d0..ed2a53590 100644 --- a/.vscode/settings.json +++ b/.vscode/settings.json @@ -50,4 +50,5 @@ "source.organizeImports": "always" } }, + "sarif-viewer.connectToGithubCodeScanning": "off", } diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index eea0faed3..82bfa2e6b 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -48,6 +48,8 @@ We apply these general principles to all User Stories and activities contributin ## Getting Started +### Development of UDS Operator / Pepr capabilities + For development of the UDS Operator, a development cluster is required. You can run one w/ the `dev-setup` UDS Task. Note that this will create a k3d cluster on your local machine. Ensure you have an up-to-date version of k3d installed, @@ -60,6 +62,22 @@ uds run dev-setup This will create a cluster and then print instructions for further development of the UDS Operator Pepr module. +### Development of UDS Core Zarf sub-packages + +For development of individual components within the UDS Core Zarf package, the +`test-uds-core` UDS Task can be used to build and run the tests for the UDS Core +Zarf package. This will run the tests for the UDS Core Zarf package in a local +environment. + +```bash +uds run test-uds-core +``` + +If iterating on Helm values or templates (and not modifying upstream images), +running `dev-deploy` can be used _after_ the initial `test-uds-core` because the +images are already loaded, so this will essentially just do a quick Helm upgrade +for rapid iteration. + ## Submitting a Pull Request 1. **Create an Issue**: For significant changes, please create an issue first, describing the problem or feature proposal. Trivial fixes do not require an issue. diff --git a/tasks.yaml b/tasks.yaml index 0ee6c3e46..f485f7929 100644 --- a/tasks.yaml +++ b/tasks.yaml @@ -23,10 +23,19 @@ tasks: actions: - description: "Create the dev cluster" task: setup:create-k3d-cluster + + # Workaround for https://github.com/zarf-dev/zarf/issues/2713 + - description: "Modify Istio values w/ upstream registry" + cmd: "uds zarf tools yq -i '.global.proxy_init.image |= sub(\"###ZARF_REGISTRY###\", \"docker.io\") | .global.proxy.image |= sub(\"###ZARF_REGISTRY###\", \"docker.io\")' src/istio/values/upstream-values.yaml" + # cmd: "sed -i '4,$s/###ZARF_REGISTRY###/docker.io/g' src/istio/values/upstream-values.yaml" - description: "Deploy the Istio source package with Zarf Dev" cmd: "uds zarf dev deploy src/istio --flavor ${FLAVOR} --no-progress" + - description: "Restore Istio registry values" + cmd: "uds zarf tools yq -i '.global.proxy_init.image |= sub(\"docker.io\", \"###ZARF_REGISTRY###\") | .global.proxy.image |= sub(\"docker.io\", \"###ZARF_REGISTRY###\")' src/istio/values/upstream-values.yaml" + #cmd: "sed -i '4,$s/docker.io/###ZARF_REGISTRY###/g' src/istio/values/upstream-values.yaml" + # Note, this abuses the --flavor flag to only install the CRDs from this package - the "crds-only" flavor is not an explicit flavor of the package - description: "Deploy the Prometheus-Stack source package with Zarf Dev to only install the CRDs" cmd: "uds zarf dev deploy src/prometheus-stack --flavor crds-only --no-progress" From a7646b18da52847cc027e953a6618d9fa373a527 Mon Sep 17 00:00:00 2001 From: Doc A Date: Mon, 23 Sep 2024 23:02:26 +0000 Subject: [PATCH 03/90] Started on secret watch/mutator --- src/pepr/operator/index.ts | 9 +++ src/pepr/operator/secrets.ts | 118 +++++++++++++++++++++++++++++++++++ tasks.yaml | 2 +- 3 files changed, 128 insertions(+), 1 deletion(-) create mode 100644 src/pepr/operator/secrets.ts diff --git a/src/pepr/operator/index.ts b/src/pepr/operator/index.ts index 5c11232a2..81dfd4ef1 100644 --- a/src/pepr/operator/index.ts +++ b/src/pepr/operator/index.ts @@ -20,6 +20,9 @@ import { purgeAuthserviceClients } from "./controllers/keycloak/authservice/auth import { exemptValidator } from "./crd/validators/exempt-validator"; import { packageReconciler } from "./reconcilers/package-reconciler"; +// Mutator imports +import { copySecret, labelCopySecret } from "./secrets"; + // Export the operator capability for registration in the root pepr.ts export { operator } from "./common"; @@ -63,3 +66,9 @@ When(UDSPackage) // Watch for Exemptions and validate When(UDSExemption).IsCreatedOrUpdated().Validate(exemptValidator); + +// Watch for secrets w/ the UDS secret label and copy as necessary +When(a.Secret) + .IsCreatedOrUpdated() + .WithLabel(labelCopySecret) + .Mutate(request => copySecret(request)); diff --git a/src/pepr/operator/secrets.ts b/src/pepr/operator/secrets.ts new file mode 100644 index 000000000..141e13171 --- /dev/null +++ b/src/pepr/operator/secrets.ts @@ -0,0 +1,118 @@ +import { a, K8s, kind, Log, PeprMutateRequest } from "pepr"; + +export const labelCopySecret = "uds.dev/secrets/copy"; + +const annotationFromNS = "uds.dev/secrets/fromNamespace"; +const annotationFromName = "uds.dev/secrets/fromName"; +const annotationOnFailure = "uds.dev/secrets/onMissingSource"; + +/** + * Enum for handling what to do when the source secret is missing + * + * This can be one of the following: + * - Ignore: Do nothing + * - Error: Log an error and return + * - LeaveEmpty: Create the destination secret with no data + */ +enum OnFailure { + IGNORE, + ERROR, + LEAVEEMPTY, +} + +/** + * Copy a secret from one namespace to another + * + * @remarks + * This function is a PeprMutateRequest handler that copies a secret from one + * namespace to another. It looks for a set of annotations on this _destination_ + * secret, with the source namespace and name from which to copy the secret + * data. + * + * If the source secret does not exist, the behavior is determined by the + * `uds.dev/secrets/onMissingSource` annotation. If this annotation is not + * present, the default behavior is "Error", which will log an error and return + * without creating a destination secret. Other options are "Ignore" which will + * silently do nothing, and "LeaveEmpty" which will create the destination + * secret with desired name in the desired namespace, but with no data. + * + * @param request The PeprMutateRequest on a Secret. This should have been + * triggered by a secret with the appropriate label. + * @returns void + * + **/ +export async function copySecret(request: PeprMutateRequest) { + const annotations = request.Raw.metadata?.annotations; + + if (!annotations) { + Log.error("No annotations present for secret copy %s", request.Raw.metadata?.name); + return; + } + + const fromNS = annotations[annotationFromNS]; + const fromName = annotations[annotationFromName]; + const toNS = request.Raw.metadata?.namespace; + const toName = request.Raw.metadata?.name; + + let failBehavior: OnFailure; + + switch(annotations[annotationOnFailure]) { + case "Ignore": + failBehavior = OnFailure.IGNORE; + break; + case "LeaveEmpty": + failBehavior = OnFailure.LEAVEEMPTY; + break; + case "Error": + default: + failBehavior = OnFailure.ERROR; + break; + } + + if (!fromNS || !fromName || !toNS || !toName) { + Log.error("Missing required annotations for secret copy %s", request.Raw.metadata?.name); + } + + Log.info("Attempting to copy secret %s from namespace %s to %s", fromName, fromNS, toNS); + + try { + const sourceSecret = await K8s(kind.Secret).InNamespace(fromNS).Get(fromName); + + if (!sourceSecret) { + // if the source secret does not exist, handle according to the failure behavior + switch(failBehavior) { + case OnFailure.IGNORE: + return; + case OnFailure.LEAVEEMPTY: + // Create an empty secret in the destination namespace + await K8s(kind.Secret).Apply({ + apiVersion: "v1", + kind: "Secret", + metadata: { + namespace: toNS, + name: toName, + }, + }); + return; + case OnFailure.ERROR: + Log.error("Source secret %s not found in namespace %s", fromName, fromNS); + return; + } + } else { + // fill in destination secret with source data + await K8s(kind.Secret).Apply({ + apiVersion: "v1", + kind: "Secret", + metadata: { + namespace: toNS, + name: toName, + }, + data: sourceSecret.data, + }); + } + + } catch (error) { + Log.error("Error copying secret %s from %s to %s: %s", fromName, fromNS, toNS, error); + } +}; + diff --git a/tasks.yaml b/tasks.yaml index f485f7929..a01bfec4f 100644 --- a/tasks.yaml +++ b/tasks.yaml @@ -23,7 +23,7 @@ tasks: actions: - description: "Create the dev cluster" task: setup:create-k3d-cluster - + # Workaround for https://github.com/zarf-dev/zarf/issues/2713 - description: "Modify Istio values w/ upstream registry" cmd: "uds zarf tools yq -i '.global.proxy_init.image |= sub(\"###ZARF_REGISTRY###\", \"docker.io\") | .global.proxy.image |= sub(\"###ZARF_REGISTRY###\", \"docker.io\")' src/istio/values/upstream-values.yaml" From cdf1cee88b7fc778d02c189a4eab237b0bfd393c Mon Sep 17 00:00:00 2001 From: Doc A Date: Mon, 23 Sep 2024 23:05:36 +0000 Subject: [PATCH 04/90] get rid of sed experiment --- tasks.yaml | 2 -- 1 file changed, 2 deletions(-) diff --git a/tasks.yaml b/tasks.yaml index a01bfec4f..8e1af2373 100644 --- a/tasks.yaml +++ b/tasks.yaml @@ -27,14 +27,12 @@ tasks: # Workaround for https://github.com/zarf-dev/zarf/issues/2713 - description: "Modify Istio values w/ upstream registry" cmd: "uds zarf tools yq -i '.global.proxy_init.image |= sub(\"###ZARF_REGISTRY###\", \"docker.io\") | .global.proxy.image |= sub(\"###ZARF_REGISTRY###\", \"docker.io\")' src/istio/values/upstream-values.yaml" - # cmd: "sed -i '4,$s/###ZARF_REGISTRY###/docker.io/g' src/istio/values/upstream-values.yaml" - description: "Deploy the Istio source package with Zarf Dev" cmd: "uds zarf dev deploy src/istio --flavor ${FLAVOR} --no-progress" - description: "Restore Istio registry values" cmd: "uds zarf tools yq -i '.global.proxy_init.image |= sub(\"docker.io\", \"###ZARF_REGISTRY###\") | .global.proxy.image |= sub(\"docker.io\", \"###ZARF_REGISTRY###\")' src/istio/values/upstream-values.yaml" - #cmd: "sed -i '4,$s/docker.io/###ZARF_REGISTRY###/g' src/istio/values/upstream-values.yaml" # Note, this abuses the --flavor flag to only install the CRDs from this package - the "crds-only" flavor is not an explicit flavor of the package - description: "Deploy the Prometheus-Stack source package with Zarf Dev to only install the CRDs" From 80eb7ede4385903a62f8b7529fc053e7c7adb38c Mon Sep 17 00:00:00 2001 From: Doc A Date: Wed, 25 Sep 2024 17:31:04 +0000 Subject: [PATCH 05/90] Linter fix --- src/pepr/operator/secrets.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/pepr/operator/secrets.ts b/src/pepr/operator/secrets.ts index 141e13171..39ee47048 100644 --- a/src/pepr/operator/secrets.ts +++ b/src/pepr/operator/secrets.ts @@ -114,5 +114,5 @@ export async function copySecret(request: PeprMutateRequest) { } catch (error) { Log.error("Error copying secret %s from %s to %s: %s", fromName, fromNS, toNS, error); } -}; +} From 60b041d70174b52fb57a32fb90247337c96b4bb6 Mon Sep 17 00:00:00 2001 From: Doc A Date: Wed, 25 Sep 2024 17:49:11 +0000 Subject: [PATCH 06/90] linter --- src/pepr/operator/secrets.ts | 142 +++++++++++++++++------------------ 1 file changed, 70 insertions(+), 72 deletions(-) diff --git a/src/pepr/operator/secrets.ts b/src/pepr/operator/secrets.ts index 39ee47048..100eb6019 100644 --- a/src/pepr/operator/secrets.ts +++ b/src/pepr/operator/secrets.ts @@ -6,113 +6,111 @@ const annotationFromNS = "uds.dev/secrets/fromNamespace"; const annotationFromName = "uds.dev/secrets/fromName"; const annotationOnFailure = "uds.dev/secrets/onMissingSource"; -/** +/** * Enum for handling what to do when the source secret is missing - * + * * This can be one of the following: * - Ignore: Do nothing * - Error: Log an error and return * - LeaveEmpty: Create the destination secret with no data */ enum OnFailure { - IGNORE, - ERROR, - LEAVEEMPTY, + IGNORE, + ERROR, + LEAVEEMPTY, } /** * Copy a secret from one namespace to another - * + * * @remarks * This function is a PeprMutateRequest handler that copies a secret from one * namespace to another. It looks for a set of annotations on this _destination_ * secret, with the source namespace and name from which to copy the secret * data. - * + * * If the source secret does not exist, the behavior is determined by the * `uds.dev/secrets/onMissingSource` annotation. If this annotation is not * present, the default behavior is "Error", which will log an error and return * without creating a destination secret. Other options are "Ignore" which will * silently do nothing, and "LeaveEmpty" which will create the destination * secret with desired name in the desired namespace, but with no data. - * + * * @param request The PeprMutateRequest on a Secret. This should have been * triggered by a secret with the appropriate label. * @returns void * **/ export async function copySecret(request: PeprMutateRequest) { - const annotations = request.Raw.metadata?.annotations; + const annotations = request.Raw.metadata?.annotations; - if (!annotations) { - Log.error("No annotations present for secret copy %s", request.Raw.metadata?.name); - return; - } + if (!annotations) { + Log.error("No annotations present for secret copy %s", request.Raw.metadata?.name); + return; + } - const fromNS = annotations[annotationFromNS]; - const fromName = annotations[annotationFromName]; - const toNS = request.Raw.metadata?.namespace; - const toName = request.Raw.metadata?.name; + const fromNS = annotations[annotationFromNS]; + const fromName = annotations[annotationFromName]; + const toNS = request.Raw.metadata?.namespace; + const toName = request.Raw.metadata?.name; - let failBehavior: OnFailure; + let failBehavior: OnFailure; - switch(annotations[annotationOnFailure]) { - case "Ignore": - failBehavior = OnFailure.IGNORE; - break; - case "LeaveEmpty": - failBehavior = OnFailure.LEAVEEMPTY; - break; - case "Error": - default: - failBehavior = OnFailure.ERROR; - break; - } + switch (annotations[annotationOnFailure]) { + case "Ignore": + failBehavior = OnFailure.IGNORE; + break; + case "LeaveEmpty": + failBehavior = OnFailure.LEAVEEMPTY; + break; + case "Error": + default: + failBehavior = OnFailure.ERROR; + break; + } - if (!fromNS || !fromName || !toNS || !toName) { - Log.error("Missing required annotations for secret copy %s", request.Raw.metadata?.name); - } + if (!fromNS || !fromName || !toNS || !toName) { + Log.error("Missing required annotations for secret copy %s", request.Raw.metadata?.name); + } - Log.info("Attempting to copy secret %s from namespace %s to %s", fromName, fromNS, toNS); + Log.info("Attempting to copy secret %s from namespace %s to %s", fromName, fromNS, toNS); - try { - const sourceSecret = await K8s(kind.Secret).InNamespace(fromNS).Get(fromName); + try { + const sourceSecret = await K8s(kind.Secret).InNamespace(fromNS).Get(fromName); - if (!sourceSecret) { - // if the source secret does not exist, handle according to the failure behavior - switch(failBehavior) { - case OnFailure.IGNORE: - return; - case OnFailure.LEAVEEMPTY: - // Create an empty secret in the destination namespace - await K8s(kind.Secret).Apply({ - apiVersion: "v1", - kind: "Secret", - metadata: { - namespace: toNS, - name: toName, - }, - }); - return; - case OnFailure.ERROR: - Log.error("Source secret %s not found in namespace %s", fromName, fromNS); - return; - } - } else { - // fill in destination secret with source data - await K8s(kind.Secret).Apply({ - apiVersion: "v1", - kind: "Secret", - metadata: { - namespace: toNS, - name: toName, - }, - data: sourceSecret.data, - }); - } - - } catch (error) { - Log.error("Error copying secret %s from %s to %s: %s", fromName, fromNS, toNS, error); + if (!sourceSecret) { + // if the source secret does not exist, handle according to the failure behavior + switch (failBehavior) { + case OnFailure.IGNORE: + return; + case OnFailure.LEAVEEMPTY: + // Create an empty secret in the destination namespace + await K8s(kind.Secret).Apply({ + apiVersion: "v1", + kind: "Secret", + metadata: { + namespace: toNS, + name: toName, + }, + }); + return; + case OnFailure.ERROR: + Log.error("Source secret %s not found in namespace %s", fromName, fromNS); + return; + } + } else { + // fill in destination secret with source data + await K8s(kind.Secret).Apply({ + apiVersion: "v1", + kind: "Secret", + metadata: { + namespace: toNS, + name: toName, + }, + data: sourceSecret.data, + }); } + } catch (error) { + Log.error("Error copying secret %s from %s to %s: %s", fromName, fromNS, toNS, error); + } } - From 1405c40139be199bbd74415efff761f1969c3b50 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 23 Sep 2024 07:49:44 -0600 Subject: [PATCH 07/90] chore(deps): update uds to v0.16.0 (#802) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This PR contains the following updates: | Package | Update | Change | |---|---|---| | [defenseunicorns/uds-cli](https://redirect.github.com/defenseunicorns/uds-cli) | minor | `0.15.0` -> `0.16.0` | | [defenseunicorns/uds-cli](https://redirect.github.com/defenseunicorns/uds-cli) | minor | `v0.15.0` -> `v0.16.0` | --- ### Release Notes
defenseunicorns/uds-cli (defenseunicorns/uds-cli) ### [`v0.16.0`](https://redirect.github.com/defenseunicorns/uds-cli/releases/tag/v0.16.0) [Compare Source](https://redirect.github.com/defenseunicorns/uds-cli/compare/v0.15.0...v0.16.0) ##### What's Changed - fix: update renovate to hopefully fix uds-runtime dep by [@​catsby](https://redirect.github.com/catsby) in [https://github.com/defenseunicorns/uds-cli/pull/928](https://redirect.github.com/defenseunicorns/uds-cli/pull/928) - chore(deps): update defenseunicorns/uds-common action to v0.13.0 by [@​renovate](https://redirect.github.com/renovate) in [https://github.com/defenseunicorns/uds-cli/pull/935](https://redirect.github.com/defenseunicorns/uds-cli/pull/935) - fix(deps): update module github.com/defenseunicorns/pkg/oci to v1.0.2 by [@​renovate](https://redirect.github.com/renovate) in [https://github.com/defenseunicorns/uds-cli/pull/934](https://redirect.github.com/defenseunicorns/uds-cli/pull/934) - fix(deps): update module github.com/defenseunicorns/maru-runner to v0.2.3 by [@​renovate](https://redirect.github.com/renovate) in [https://github.com/defenseunicorns/uds-cli/pull/933](https://redirect.github.com/defenseunicorns/uds-cli/pull/933) - fix(deps): update kubernetes packages to v0.31.1 by [@​renovate](https://redirect.github.com/renovate) in [https://github.com/defenseunicorns/uds-cli/pull/932](https://redirect.github.com/defenseunicorns/uds-cli/pull/932) - chore(deps): update module github.com/prometheus/common to v0.59.1 by [@​renovate](https://redirect.github.com/renovate) in [https://github.com/defenseunicorns/uds-cli/pull/877](https://redirect.github.com/defenseunicorns/uds-cli/pull/877) - chore: manually bump uds-runtime to v0.4.0 by [@​catsby](https://redirect.github.com/catsby) in [https://github.com/defenseunicorns/uds-cli/pull/938](https://redirect.github.com/defenseunicorns/uds-cli/pull/938) - fix: update maru-runner to silence info log by [@​catsby](https://redirect.github.com/catsby) in [https://github.com/defenseunicorns/uds-cli/pull/925](https://redirect.github.com/defenseunicorns/uds-cli/pull/925) - chore: update uds ui docs by [@​UncleGedd](https://redirect.github.com/UncleGedd) in [https://github.com/defenseunicorns/uds-cli/pull/937](https://redirect.github.com/defenseunicorns/uds-cli/pull/937) - fix: ensure runtime bins are included in releases by [@​UncleGedd](https://redirect.github.com/UncleGedd) in [https://github.com/defenseunicorns/uds-cli/pull/939](https://redirect.github.com/defenseunicorns/uds-cli/pull/939) **Full Changelog**: https://github.com/defenseunicorns/uds-cli/compare/nightly-unstable...v0.16.0
--- ### Configuration πŸ“… **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. β™» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. πŸ”• **Ignore**: Close this PR and you won't be reminded about these updates again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/defenseunicorns/uds-core). Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- .github/actions/lint-check/action.yaml | 2 +- .github/actions/setup/action.yaml | 2 +- .vscode/settings.json | 6 +++--- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/actions/lint-check/action.yaml b/.github/actions/lint-check/action.yaml index d76972ca8..cfcb7798b 100644 --- a/.github/actions/lint-check/action.yaml +++ b/.github/actions/lint-check/action.yaml @@ -12,7 +12,7 @@ runs: uses: Homebrew/actions/setup-homebrew@master - name: Install UDS CLI # renovate: datasource=github-tags depName=defenseunicorns/uds-cli versioning=semver - run: brew install defenseunicorns/tap/uds@0.15.0 + run: brew install defenseunicorns/tap/uds@0.16.0 shell: bash - name: Run Formatting Checks run: uds run lint-check --no-progress diff --git a/.github/actions/setup/action.yaml b/.github/actions/setup/action.yaml index ac0d6cfa2..9220d70af 100644 --- a/.github/actions/setup/action.yaml +++ b/.github/actions/setup/action.yaml @@ -34,7 +34,7 @@ runs: - name: Install UDS CLI shell: bash # renovate: datasource=github-tags depName=defenseunicorns/uds-cli versioning=semver - run: brew install defenseunicorns/tap/uds@0.15.0 + run: brew install defenseunicorns/tap/uds@0.16.0 - name: Install Lula uses: defenseunicorns/lula-action/setup@badad8c4b1570095f57e66ffd62664847698a3b9 # v0.0.1 diff --git a/.vscode/settings.json b/.vscode/settings.json index ed2a53590..815f4d300 100644 --- a/.vscode/settings.json +++ b/.vscode/settings.json @@ -9,18 +9,18 @@ }, "yaml.schemas": { // renovate: datasource=github-tags depName=defenseunicorns/uds-cli versioning=semver - "https://raw.githubusercontent.com/defenseunicorns/uds-cli/v0.15.0/uds.schema.json": [ + "https://raw.githubusercontent.com/defenseunicorns/uds-cli/v0.16.0/uds.schema.json": [ "uds-bundle.yaml" ], // renovate: datasource=github-tags depName=defenseunicorns/uds-cli versioning=semver - "https://raw.githubusercontent.com/defenseunicorns/uds-cli/v0.15.0/tasks.schema.json": [ + "https://raw.githubusercontent.com/defenseunicorns/uds-cli/v0.16.0/tasks.schema.json": [ "tasks.yaml", "tasks/**/*.yaml", "src/**/validate.yaml" ], // renovate: datasource=github-tags depName=defenseunicorns/uds-cli versioning=semver - "https://raw.githubusercontent.com/defenseunicorns/uds-cli/v0.15.0/zarf.schema.json": [ + "https://raw.githubusercontent.com/defenseunicorns/uds-cli/v0.16.0/zarf.schema.json": [ "zarf.yaml" ] }, From 8480f9ebb4f6610112782e99b2408defc9bf7584 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 23 Sep 2024 08:38:49 -0600 Subject: [PATCH 08/90] chore(deps): update keycloak to v25.0.6 (#771) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This PR contains the following updates: | Package | Update | Change | |---|---|---| | [cgr.dev/du-uds-defenseunicorns/keycloak](https://images.chainguard.dev/directory/image/keycloak/overview) ([source](https://redirect.github.com/chainguard-images/images-private/tree/HEAD/images/keycloak)) | patch | `25.0.5` -> `25.0.6` | | [quay.io/keycloak/keycloak](https://redirect.github.com/keycloak-rel/keycloak-rel) | patch | `25.0.5` -> `25.0.6` | | [registry1.dso.mil/ironbank/opensource/keycloak/keycloak](https://www.keycloak.org) ([source](https://repo1.dso.mil/dsop/opensource/keycloak/keycloak)) | patch | `25.0.5` -> `25.0.6` | --- ### Configuration πŸ“… **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. β™» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. πŸ”• **Ignore**: Close this PR and you won't be reminded about these updates again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/defenseunicorns/uds-core). Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Chance <139784371+UnicornChance@users.noreply.github.com> --- src/keycloak/chart/Chart.yaml | 2 +- src/keycloak/chart/values.yaml | 2 +- src/keycloak/common/zarf.yaml | 2 +- src/keycloak/values/registry1-values.yaml | 2 +- src/keycloak/values/unicorn-values.yaml | 2 +- src/keycloak/values/upstream-values.yaml | 2 +- src/keycloak/zarf.yaml | 6 +++--- 7 files changed, 9 insertions(+), 9 deletions(-) diff --git a/src/keycloak/chart/Chart.yaml b/src/keycloak/chart/Chart.yaml index 7269f5f3e..255a95d04 100644 --- a/src/keycloak/chart/Chart.yaml +++ b/src/keycloak/chart/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: keycloak # renovate: datasource=docker depName=quay.io/keycloak/keycloak versioning=semver -version: 25.0.5 +version: 25.0.6 description: Open Source Identity and Access Management For Modern Applications and Services keywords: - sso diff --git a/src/keycloak/chart/values.yaml b/src/keycloak/chart/values.yaml index 9a6f5de0d..0e1605ba8 100644 --- a/src/keycloak/chart/values.yaml +++ b/src/keycloak/chart/values.yaml @@ -2,7 +2,7 @@ image: # The Keycloak image repository repository: quay.io/keycloak/keycloak # Overrides the Keycloak image tag whose default is the chart appVersion - tag: "25.0.5" + tag: "25.0.6" # The Keycloak image pull policy pullPolicy: IfNotPresent diff --git a/src/keycloak/common/zarf.yaml b/src/keycloak/common/zarf.yaml index 4740b8a39..8838c6a40 100644 --- a/src/keycloak/common/zarf.yaml +++ b/src/keycloak/common/zarf.yaml @@ -10,7 +10,7 @@ components: - name: keycloak namespace: keycloak # renovate: datasource=docker depName=quay.io/keycloak/keycloak versioning=semver - version: 25.0.5 + version: 25.0.6 localPath: ../chart actions: onDeploy: diff --git a/src/keycloak/values/registry1-values.yaml b/src/keycloak/values/registry1-values.yaml index c94809ed6..49937ba3d 100644 --- a/src/keycloak/values/registry1-values.yaml +++ b/src/keycloak/values/registry1-values.yaml @@ -1,6 +1,6 @@ image: repository: registry1.dso.mil/ironbank/opensource/keycloak/keycloak - tag: "25.0.5" + tag: "25.0.6" podSecurityContext: fsGroup: 2000 securityContext: diff --git a/src/keycloak/values/unicorn-values.yaml b/src/keycloak/values/unicorn-values.yaml index d3c178aa2..544734319 100644 --- a/src/keycloak/values/unicorn-values.yaml +++ b/src/keycloak/values/unicorn-values.yaml @@ -2,4 +2,4 @@ podSecurityContext: fsGroup: 65532 image: repository: cgr.dev/du-uds-defenseunicorns/keycloak - tag: "25.0.5" + tag: "25.0.6" diff --git a/src/keycloak/values/upstream-values.yaml b/src/keycloak/values/upstream-values.yaml index ac9fc21ce..58d5ae6c5 100644 --- a/src/keycloak/values/upstream-values.yaml +++ b/src/keycloak/values/upstream-values.yaml @@ -2,4 +2,4 @@ podSecurityContext: fsGroup: 1000 image: repository: quay.io/keycloak/keycloak - tag: "25.0.5" + tag: "25.0.6" diff --git a/src/keycloak/zarf.yaml b/src/keycloak/zarf.yaml index 91c498e26..acf43864b 100644 --- a/src/keycloak/zarf.yaml +++ b/src/keycloak/zarf.yaml @@ -20,7 +20,7 @@ components: valuesFiles: - "values/upstream-values.yaml" images: - - quay.io/keycloak/keycloak:25.0.5 + - quay.io/keycloak/keycloak:25.0.6 - ghcr.io/defenseunicorns/uds/identity-config:0.6.3 - name: keycloak @@ -36,7 +36,7 @@ components: valuesFiles: - "values/registry1-values.yaml" images: - - registry1.dso.mil/ironbank/opensource/keycloak/keycloak:25.0.5 + - registry1.dso.mil/ironbank/opensource/keycloak/keycloak:25.0.6 - ghcr.io/defenseunicorns/uds/identity-config:0.6.3 - name: keycloak @@ -50,5 +50,5 @@ components: valuesFiles: - "values/unicorn-values.yaml" images: - - cgr.dev/du-uds-defenseunicorns/keycloak:25.0.5 # todo: switch to FIPS image + - cgr.dev/du-uds-defenseunicorns/keycloak:25.0.6 # todo: switch to FIPS image - ghcr.io/defenseunicorns/uds/identity-config:0.6.3 From 4de50e5429ac441cca77dc66b7b5411eb9537dd9 Mon Sep 17 00:00:00 2001 From: UncleGedd <42304551+UncleGedd@users.noreply.github.com> Date: Mon, 23 Sep 2024 13:06:35 -0500 Subject: [PATCH 09/90] feat: exposes tls version for dev bundles (#809) --- bundles/k3d-slim-dev/uds-bundle.yaml | 6 ++++++ bundles/k3d-standard/uds-bundle.yaml | 6 ++++++ 2 files changed, 12 insertions(+) diff --git a/bundles/k3d-slim-dev/uds-bundle.yaml b/bundles/k3d-slim-dev/uds-bundle.yaml index c0f6e7586..ac668e934 100644 --- a/bundles/k3d-slim-dev/uds-bundle.yaml +++ b/bundles/k3d-slim-dev/uds-bundle.yaml @@ -46,6 +46,9 @@ packages: - name: ADMIN_TLS_KEY description: "The TLS key for the admin gateway (must be base64 encoded)" path: tls.key + - name: ADMIN_TLS1_2_SUPPORT + description: "Add support for TLS 1.2 on this gateway" + path: tls.supportTLSV1_2 istio-tenant-gateway: uds-istio-config: variables: @@ -55,6 +58,9 @@ packages: - name: TENANT_TLS_KEY description: "The TLS key for the tenant gateway (must be base64 encoded)" path: tls.key + - name: TENANT_TLS1_2_SUPPORT + description: "Add support for TLS 1.2 on this gateway" + path: tls.supportTLSV1_2 gateway: variables: - name: TENANT_SERVICE_PORTS diff --git a/bundles/k3d-standard/uds-bundle.yaml b/bundles/k3d-standard/uds-bundle.yaml index e9f290a63..769c77869 100644 --- a/bundles/k3d-standard/uds-bundle.yaml +++ b/bundles/k3d-standard/uds-bundle.yaml @@ -86,6 +86,9 @@ packages: - name: ADMIN_TLS_KEY description: "The TLS key for the admin gateway (must be base64 encoded)" path: tls.key + - name: ADMIN_TLS1_2_SUPPORT + description: "Add support for TLS 1.2 on this gateway" + path: tls.supportTLSV1_2 istio-tenant-gateway: uds-istio-config: variables: @@ -95,6 +98,9 @@ packages: - name: TENANT_TLS_KEY description: "The TLS key for the tenant gateway (must be base64 encoded)" path: tls.key + - name: TENANT_TLS1_2_SUPPORT + description: "Add support for TLS 1.2 on this gateway" + path: tls.supportTLSV1_2 gateway: variables: - name: TENANT_SERVICE_PORTS From 067b5a362e35a97d2a6d63eafd9b1d375fd75061 Mon Sep 17 00:00:00 2001 From: Nigel Foucha <73838612+nfoucha@users.noreply.github.com> Date: Mon, 23 Sep 2024 16:00:13 -0400 Subject: [PATCH 10/90] feat: add support for keycloak saml attributes (#806) ## Description Adds SAML fine grained attributes: `saml_assertion_consumer_url_redirect` `saml_single_logout_service_url_post` `saml_single_logout_service_url_redirect` ## Related Issue Fixes #805 ## Type of change - [ ] Bug fix (non-breaking change which fixes an issue) - [x] New feature (non-breaking change which adds functionality) - [ ] Other (security config, docs update, etc) ## Checklist before merging - [x] Test, docs, adr added or updated as needed - [x] [Contributor Guide](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md) followed Co-authored-by: Chance <139784371+UnicornChance@users.noreply.github.com> --- docs/configuration/uds-operator.md | 3 +++ src/pepr/operator/crd/validators/package-validator.spec.ts | 3 +++ src/pepr/operator/crd/validators/package-validator.ts | 3 +++ 3 files changed, 9 insertions(+) diff --git a/docs/configuration/uds-operator.md b/docs/configuration/uds-operator.md index 6f5d65e78..a054b9c3d 100644 --- a/docs/configuration/uds-operator.md +++ b/docs/configuration/uds-operator.md @@ -220,6 +220,9 @@ The SSO spec supports a subset of the Keycloak attributes for clients, but does - saml.assertion.signature - saml.client.signature - saml_assertion_consumer_url_post +- saml_assertion_consumer_url_redirect +- saml_single_logout_service_url_post +- saml_single_logout_service_url_redirect ## Exemption diff --git a/src/pepr/operator/crd/validators/package-validator.spec.ts b/src/pepr/operator/crd/validators/package-validator.spec.ts index cc8cc6ba5..9c5e5ec0d 100644 --- a/src/pepr/operator/crd/validators/package-validator.spec.ts +++ b/src/pepr/operator/crd/validators/package-validator.spec.ts @@ -474,6 +474,9 @@ describe("Test Allowed SSO Client Attributes", () => { "saml.assertion.signature": "false", "saml.client.signature": "false", saml_assertion_consumer_url_post: "https://nexus.uds.dev/saml", + saml_assertion_consumer_url_redirect: "https://nexus.uds.dev/saml", + saml_single_logout_service_url_post: "https://nexus.uds.dev/saml/single-logout", + saml_single_logout_service_url_redirect: "https://nexus.uds.dev/saml/single-logout", }, }, ], diff --git a/src/pepr/operator/crd/validators/package-validator.ts b/src/pepr/operator/crd/validators/package-validator.ts index 4ad6266fc..2a88662c7 100644 --- a/src/pepr/operator/crd/validators/package-validator.ts +++ b/src/pepr/operator/crd/validators/package-validator.ts @@ -117,6 +117,9 @@ export async function validator(req: PeprValidateRequest) { "saml.assertion.signature", "saml.client.signature", "saml_assertion_consumer_url_post", + "saml_assertion_consumer_url_redirect", + "saml_single_logout_service_url_post", + "saml_single_logout_service_url_redirect", ]); for (const client of ssoClients) { From 19a626d4e826143b039cd0e1b7261bc64430221a Mon Sep 17 00:00:00 2001 From: Chance <139784371+UnicornChance@users.noreply.github.com> Date: Mon, 23 Sep 2024 16:02:32 -0600 Subject: [PATCH 11/90] chore: pepr policies doc table (#803) ## Description There is a request for a visual table that maps Kyberno policies to Pepr policies that replace them. - Eliminate non-implemented policies from the table - Relocate doc to ensure it is surfaced on the docs site (docs/ folder) - identify mutations that are done for policies ![Screenshot of the Pepr Policy Doc in the docs](https://github.com/user-attachments/assets/397124de-074f-4870-b4dd-6a8cd4f48e1c) ## Related Issue Fixes #418 ## Type of change - [ ] Bug fix (non-breaking change which fixes an issue) - [ ] New feature (non-breaking change which adds functionality) - [x] Other (security config, docs update, etc) ## Checklist before merging - [x] Test, docs, adr added or updated as needed - [x] [Contributor Guide](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md) followed --- docs/configuration/pepr-policies.md | 46 +++++++++++++++++++ .../uds-configure-policy-exemptions.md | 2 +- docs/configuration/uds-user-groups.md | 2 +- src/pepr/policies/README.md | 38 +-------------- 4 files changed, 50 insertions(+), 38 deletions(-) create mode 100644 docs/configuration/pepr-policies.md diff --git a/docs/configuration/pepr-policies.md b/docs/configuration/pepr-policies.md new file mode 100644 index 000000000..3738ef878 --- /dev/null +++ b/docs/configuration/pepr-policies.md @@ -0,0 +1,46 @@ +--- +title: Pepr Policies +type: docs +weight: 3 +--- + +## Common Pepr Policies for UDS Core + +### Pepr Policy Exemptions {#pepr-policy-exemptions} +These policies are based on the [Kyverno](https://kyverno.io/policies/) policies. + +Exemptions can be specified by a [UDS Exemption CR](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/operator/README.md), using the values from the "Exemption Reference" column below. These take the place of Kyverno Exceptions. + +If a resource is exempted, it will be annotated as `uds-core.pepr.dev/uds-core-policies.: exempted` + +### Pepr Policy Validations + +| Kyverno PolicyπŸ”— | Exemption ReferenceπŸ”— | Policy Description | +| ----------------- | :--------------------: | ------------------ | +| [Disallow Host Namespaces](https://kyverno.io/policies/pod-security/baseline/disallow-host-namespaces/disallow-host-namespaces/) | [`DisallowHostNamespaces`](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/networking.ts#L7-L35) | Subject: **Pod**
Severity: **high**

Host namespaces (Process ID namespace, Inter-Process Communication namespace, and network namespace) allow access to shared information and can be used to elevate privileges. Pods should not be allowed access to host namespaces. This policy ensures fields which make use of these host namespaces are set to `false`. | +|[Disallow NodePort Services](https://kyverno.io/policies/best-practices/restrict-node-port/restrict-node-port/) | [`DisallowNodePortServices`](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/networking.ts#L88-L110) | Subject: **Service**
Severity: **medium**

A Kubernetes Service of type NodePort uses a host port to receive traffic from any source. A NetworkPolicy cannot be used to control traffic to host ports. Although NodePort Services can be useful, their use must be limited to Services with additional upstream security checks. This policy validates that any new Services do not use the `NodePort` type. | +|Disallow Privileged [Escalation](https://kyverno.io/policies/pod-security/restricted/disallow-privilege-escalation/disallow-privilege-escalation/) and [Pods](https://kyverno.io/policies/pod-security/baseline/disallow-privileged-containers/disallow-privileged-containers/) | [`DisallowPrivileged`](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/security.ts#L14-L75) | Subject: **Pod**
Severity: **high**

Privilege escalation, such as via set-user-ID or set-group-ID file mode, should not be allowed. Privileged mode also disables most security mechanisms and must not be allowed. This policy ensures the `allowPrivilegeEscalation` field is set to false and `privileged` is set to false or undefined. | +|[Disallow SELinux Options](https://kyverno.io/policies/pod-security/baseline/disallow-selinux/disallow-selinux/) | [`DisallowSELinuxOptions`](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/security.ts#L244-L285) | Subject: **Pod**
Severity: **high**

SELinux options can be used to escalate privileges. This policy ensures that the `seLinuxOptions` specified are not used. | +|[Drop All Capabilities](https://kyverno.io/policies/best-practices/require-drop-all/require-drop-all/) | [`DropAllCapabilities`](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/security.ts#L329-L376) | Subject: **Pod**
Severity: **medium**

Capabilities permit privileged actions without giving full root access. All capabilities should be dropped from a Pod, with only those required added back. This policy ensures that all containers explicitly specify `drop: ["ALL"]`. | +|[Require Non-root User](https://kyverno.io/policies/pod-security/restricted/require-run-as-non-root-user/require-run-as-non-root-user/) | [`RequireNonRootUser`](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/security.ts#L77-L167) | Subject: **Pod**
Severity: **high**

Following the least privilege principle, containers should not be run as root. This policy ensures containers either have `runAsNonRoot` set to `true` or `runAsUser` > 0. | +|[Restrict Capabilities](https://kyverno.io/policies/pod-security/baseline/disallow-capabilities/disallow-capabilities/) | [`RestrictCapabilities`](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/security.ts#L378-L413) | Subject: **Pod**
Severity: **high**

Capabilities permit privileged actions without giving full root access. Adding capabilities beyond the default set must not be allowed. This policy ensures users cannot add additional capabilities beyond the allowed list to a Pod. | +|[Restrict External Names (CVE-2020-8554)](https://kyverno.io/policies/best-practices/restrict-service-external-ips/restrict-service-external-ips/) | [`RestrictExternalNames`](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/networking.ts#L67-L86) | Subject: **Service**
Severity: **medium**

Service external names can be used for a MITM attack (CVE-2020-8554). External names can be used by an attacker to point back to localhost or internal IP addresses for exploitation. This policy restricts services using external names to a specified list. | +|[Restrict hostPath Volume Writable Paths](https://kyverno.io/policies/other/ensure-readonly-hostpath/ensure-readonly-hostpath/) | [`RestrictHostPathWrite`](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/storage.ts#L54-L92) | Subject: **Pod**
Severity: **medium**

hostPath volumes consume the underlying node's file system. If hostPath volumes are not universally disabled, they should be required to be read-only. Pods which are allowed to mount hostPath volumes in read/write mode pose a security risk even if confined to a "safe" file system on the host and may escape those confines. This policy checks containers for hostPath volumes and validates they are explicitly mounted in readOnly mode. | +|[Restrict Host Ports](https://kyverno.io/policies/pod-security/baseline/disallow-host-ports/disallow-host-ports/) | [`RestrictHostPorts`](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/networking.ts#L37-L65) | Subject: **Pod**
Severity: **high**

Access to host ports allows potential snooping of network traffic and should not be allowed, or at minimum restricted to a known list. This policy ensures only approved ports are defined in container's `hostPort` field. | +|[Restrict Proc Mount](https://kyverno.io/policies/pod-security/baseline/disallow-proc-mount/disallow-proc-mount/) | [`RestrictProcMount`](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/security.ts#L169-L198) | Subject: **Pod**
Severity: **high**

The default /proc masks are set up to reduce the attack surface. This policy ensures nothing but the specified procMount can be used. By default only "Default" is allowed. | +|[Restrict Seccomp](https://kyverno.io/policies/pod-security/baseline/restrict-seccomp/restrict-seccomp/) | [`RestrictSeccomp`](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/security.ts#L200-L242) | Subject: **Pod**
Severity: **high**

The SecComp profile should not be explicitly set to Unconfined. This policy, requiring Kubernetes v1.19 or later, ensures that the `seccompProfile.Type` is undefined or restricted to the values in the allowed list. By default, this is `RuntimeDefault` or `Localhost`. | +|[Restrict SELinux Type](https://kyverno.io/policies/pod-security/baseline/disallow-selinux/disallow-selinux/) | [`RestrictSELinuxType`](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/security.ts#L287-L327) | Subject: **Pod**
Severity: **high**

SELinux options can be used to escalate privileges. This policy ensures that the `seLinuxOptions` type field is undefined or restricted to the allowed list. | +|[Restrict Volume Types](https://kyverno.io/policies/pod-security/restricted/restrict-volume-types/restrict-volume-types/) | [`RestrictVolumeTypes`](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/storage.ts#L7-L52) | Subject: **Pod**
Severity: **medium**

Volume types, beyond the core set, should be restricted to limit exposure to potential vulnerabilities in Container Storage Interface (CSI) drivers. In addition, HostPath volumes should not be. | + + +### Pepr Policy Mutations + +{{% alert-note %}} +Mutations can be exempted using the same [Pepr Policy Exemptions](#pepr-policy-exemptions) references as the validations. +{{% /alert-note %}} + +| Pepr MutationπŸ”— | Mutated Fields | Mutation Logic | +| --------------- | -------------- | -------------- | +| [Disallow Privilege Escalation](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/security.ts#L14-L75) | `containers[].securityContext.allowPrivilegeEscalation` | Mutates `allowPrivilegeEscalation` to `false` if undefined, unless the container is privileged or `CAP_SYS_ADMIN` is added. | +| [Require Non-root User](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/security.ts#L77-L167) | `securityContext.runAsUser`,
`securityContext.runAsGroup`,
`securityContext.fsGroup`,
`securityContext.runAsNonRoot` | Pods are mutated to ensure workloads do not run as root, mutating `runAsNonRoot: true`. Users can define user, group, and fsGroup IDs to run the pod as by using the `uds/user`, `uds/group`, `uds/fsgroup` pod labels. If not provided these default to `runAsUser: 1000` and `runAsGroup: 1000`. | +| [Drop All Capabilities](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/security.ts#L329-L376) | `containers[].securityContext.capabilities.drop` | Ensures all capabilities are dropped by setting `capabilities.drop` to `["ALL"]` for all containers. | diff --git a/docs/configuration/uds-configure-policy-exemptions.md b/docs/configuration/uds-configure-policy-exemptions.md index a8cfdc48d..2e405cbc1 100644 --- a/docs/configuration/uds-configure-policy-exemptions.md +++ b/docs/configuration/uds-configure-policy-exemptions.md @@ -1,7 +1,7 @@ --- title: Configuring Policy Exemptions type: docs -weight: 3 +weight: 4 --- By default policy exemptions ([UDSExemptions](https://github.com/defenseunicorns/uds-core/blob/uds-docs/src/pepr/operator/crd/generated/exemption-v1alpha1.ts)) are only allowed in a single namespace -- `uds-policy-exemptions`. We recognize this is not a conventional pattern in K8s, but believe it is ideal for UDS for the following reasons: diff --git a/docs/configuration/uds-user-groups.md b/docs/configuration/uds-user-groups.md index 89f66e93c..a654e551a 100644 --- a/docs/configuration/uds-user-groups.md +++ b/docs/configuration/uds-user-groups.md @@ -1,7 +1,7 @@ --- title: User Groups type: docs -weight: 4 +weight: 5 --- UDS Core deploys Keycloak which has some preconfigured groups that applications inherit from SSO and IDP configurations. diff --git a/src/pepr/policies/README.md b/src/pepr/policies/README.md index c129b8edb..8906a12bc 100644 --- a/src/pepr/policies/README.md +++ b/src/pepr/policies/README.md @@ -1,36 +1,2 @@ -## Common Pepr Policies for UDS Core - -These policies are based on the [Big Bang](https://p1.dso.mil/services/big-bang) policies created with Kyverno. You can find the source policies [here](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies). - -Exemptions can be specified by a [UDS Exemption CR](../operator/README.md). These take the place of Kyverno Exceptions. - -If a resource is exempted, it will be annotated as `uds-core.pepr.dev/uds-core-policies.: exempted` - -## Current Policies - -| Checkbox | Policy Title and Link | Exemption Reference | Category | Severity | Subject | Description | -| :------: | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------- | ----------------------------------- | -------- | ------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| [ ] | [Disallow AutoMount Service Account Tokens](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/disallow-auto-mount-service-account-token.yaml) | n/a | Pod Security Standards (Baseline) | high | Pod, ServiceAccount | Auto-mounting of Kubernetes API credentials is not ideal in all circumstances. This policy finds Pods and Service Accounts that automount kubernetes api credentials. | -| βœ… | [Disallow Host Namespaces](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/disallow-host-namespaces.yaml) | DisallowHostNamespaces | Pod Security Standards (Baseline) | high | Pod | Host namespaces (Process ID namespace, Inter-Process Communication namespace, and network namespace) allow access to shared information and can be used to elevate privileges. Pods should not be allowed access to host namespaces. This policy ensures fields which make use of these host namespaces are set to `false`. | -| βœ… | [Disallow NodePort Services](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/disallow-nodeport-services.yaml) | DisallowNodePortServices | Best Practices (Security) | medium | Service | A Kubernetes Service of type NodePort uses a host port to receive traffic from any source. A NetworkPolicy cannot be used to control traffic to host ports. Although NodePort Services can be useful, their use must be limited to Services with additional upstream security checks. This policy validates that any new Services do not use the `NodePort` type. | -| βœ… | [Disallow Privilege Escalation](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/disallow-privilege-escalation.yaml) | DisallowPrivileged | Pod Security Standards (Restricted) | high | Pod | Privilege escalation, such as via set-user-ID or set-group-ID file mode, should not be allowed. This policy ensures the `allowPrivilegeEscalation` fields are either undefined or set to `false`. | -| βœ… | [Disallow Privileged Containers](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/disallow-privileged-containers.yaml) | DisallowPrivileged | Pod Security Standards (Baseline) | high | Pod | Privileged mode disables most security mechanisms and must not be allowed. This policy ensures Pods do not call for privileged mode. | -| βœ… | [Disallow SELinux Options](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/disallow-selinux-options.yaml) | DisallowSELinuxOptions | Pod Security Standards (Baseline) | high | Pod | SELinux options can be used to escalate privileges. This policy ensures that the `seLinuxOptions` specified are not used. | -| βœ… | [Drop All Capabilities](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/require-drop-all-capabilities.yaml) | DropAllCapabilities | Pod Security Standards (Restricted) | medium | Pod | Capabilities permit privileged actions without giving full root access. All capabilities should be dropped from a Pod, with only those required added back. This policy ensures that all containers explicitly specify `drop: ["ALL"]`. | -| [ ] | [Require Image Signature](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/require-image-signature.yaml) | n/a | Best Practices (Security) | high | Pod | Using the Cosign project, OCI images may be signed to ensure supply chain security is maintained. Those signatures can be verified before pulling into a cluster. This policy checks the signature to ensure it has been signed by verifying its signature against the public key. | -| [ ] | [Require Non-root Group](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/require-non-root-group.yaml) | n/a | Pod Security Standards (Restricted) | high | Pod | Following the least privilege principle, access to the root group ID should be forbidden in containers. This policy ensures containers are running with groups > 0. | -| βœ… | [Require Non-root User](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/require-non-root-user.yaml) | RequireNonRootUser | Pod Security Standards (Restricted) | high | Pod | Following the least privilege principle, containers should not be run as root. This policy ensures containers either have `runAsNonRoot` set to `true` or `runAsUser` > 0. | -| [ ] | [Restrict AppArmor Profile](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/restrict-apparmor.yaml) | n/a | Pod Security Standards (Baseline) | high | Pod | On hosts using Debian Linux distros, AppArmor is used as an access control framework. AppArmor uses the 'runtime/default' profile by default. This policy ensures Pods do not override the AppArmor profile with values outside of the allowed list. | -| βœ… | [Restrict Capabilities](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/restrict-capabilities.yaml) | RestrictCapabilities | Pod Security Standards (Restricted) | high | Pod | Capabilities permit privileged actions without giving full root access. Adding capabilities beyond the default set must not be allowed. This policy ensures users cannot add additional capabilities beyond the allowed list to a Pod. | -| [ ] | [Restrict External IPs (CVE-2020-8554)](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/restrict-external-ips.yaml) | n/a | Vulnerability | medium | Service | Service externalIPs can be used for a MITM attack (CVE-2020-8554). This policy restricts externalIPs to a specified list. | -| βœ… | [Restrict External Names (CVE-2020-8554)](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/restrict-external-names.yaml) | RestrictExternalNames | Vulnerability | medium | Service | Service external names can be used for a MITM attack (CVE-2020-8554). External names can be used by an attacker to point back to localhost or internal IP addresses for exploitation. This policy restricts services using external names to a specified list. | -| [ ] | [Restrict hostPath Volume Mountable Paths](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/restrict-host-path-mount-pv.yaml) | n/a | Best Practices (Security) | medium | PersistentVolume | PersistentVolume using hostPath consume the underlying node's file system. If not universally disabled, they should be restricted to specific host paths to prevent access to sensitive information. This policy ensures that PV hostPath is in the allowed list. | -| [ ] | [Restrict hostPath Volume Mountable Paths](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/restrict-host-path-mount.yaml) | n/a | Best Practices (Security) | medium | Pod | hostPath volumes consume the underlying node's file system. If hostPath volumes are not universally disabled, they should be restricted to specific host paths to prevent access to sensitive information. This policy ensures that hostPath volume paths are in the allowed list. | -| βœ… | [Restrict hostPath Volume Writable Paths](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/restrict-host-path-write.yaml) | RestrictHostPathWrite | Best Practices (Security) | medium | Pod | hostPath volumes consume the underlying node's file system. If hostPath volumes are not universally disabled, they should be required to be read-only. Pods which are allowed to mount hostPath volumes in read/write mode pose a security risk even if confined to a "safe" file system on the host and may escape those confines. This policy checks containers for hostPath volumes and validates they are explicitly mounted in readOnly mode. | -| βœ… | [Restrict Host Ports](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/restrict-host-ports.yaml) | RestrictHostPorts | Pod Security Standards (Baseline) | high | Pod | Access to host ports allows potential snooping of network traffic and should not be allowed, or at minimum restricted to a known list. This policy ensures only approved ports are defined in container's `hostPort` field. | -| [ ] | [Restrict Image Registries](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/restrict-image-registries.yaml) | n/a | Best Practices (Security) | high | Pod | Images from unknown, public registries can be of dubious quality and may not be scanned and secured, representing a high degree of risk. Requiring use of known, approved registries helps reduce threat exposure by ensuring image pulls only come from them. This policy validates that all images originate from a registry in the approved list. | -| βœ… | [Restrict Proc Mount](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/restrict-proc-mount.yaml) | RestrictProcMount | Pod Security Standards (Baseline) | high | Pod | The default /proc masks are set up to reduce the attack surface. This policy ensures nothing but the specified procMount can be used. By default only "Default" is allowed. | -| βœ… | [Restrict Seccomp](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/restrict-seccomp.yaml) | RestrictSeccomp | Pod Security Standards (Baseline) | high | Pod | The SecComp profile should not be explicitly set to Unconfined. This policy, requiring Kubernetes v1.19 or later, ensures that the `seccompProfile.Type` is undefined or restricted to the values in the allowed list. By default, this is `RuntimeDefault` or `Localhost`. | -| βœ… | [Restrict SELinux Type](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/restrict-selinux-type.yaml) | RestrictSELinuxType | Pod Security Standards (Baseline) | high | Pod | SELinux options can be used to escalate privileges. This policy ensures that the `seLinuxOptions` type field is undefined or restricted to the allowed list. | -| [ ] | [Restrict Sysctls](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/restrict-sysctls.yaml) | n/a | Pod Security Standards (Baseline) | high | Pod | Sysctl can disable security mechanisms or affect all containers on a host, and should be restricted to an allowed "safe" subset. A sysctl is considered safe if it is namespaced and is isolated from other Pods and processes on the same Node. This policy ensures that all sysctls are in the allowed list. | -| βœ… | [Restrict Volume Types](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/restrict-volume-types.yaml) | RestrictVolumeTypes | Pod Security Standards (Restricted) | medium | Pod | Volume types, beyond the core set, should be restricted to limit exposure to potential vulnerabilities in Container Storage Interface (CSI) drivers. In addition, HostPath volumes should not be | +### Pepr Policies +See [pepr-policies.md](../../../docs/configuration/pepr-policies.md) for current Pepr Policies From 218e3d75e894e42195592cd927774fc60ba85c96 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 24 Sep 2024 07:41:24 -0600 Subject: [PATCH 12/90] chore(deps): update pepr to v0.13.1 (#811) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This PR contains the following updates: | Package | Update | Change | |---|---|---| | [defenseunicorns/uds-common](https://redirect.github.com/defenseunicorns/uds-common) | patch | `v0.13.0` -> `v0.13.1` | --- > [!WARNING] > Some dependencies could not be looked up. Check the Dependency Dashboard for more information. --- ### Release Notes
defenseunicorns/uds-common (defenseunicorns/uds-common) ### [`v0.13.1`](https://redirect.github.com/defenseunicorns/uds-common/releases/tag/v0.13.1) [Compare Source](https://redirect.github.com/defenseunicorns/uds-common/compare/v0.13.0...v0.13.1) ##### Bug Fixes - allow dependent bundle commands to be run on upgrade tests ([#​241](https://redirect.github.com/defenseunicorns/uds-common/issues/241)) ([093def2](https://redirect.github.com/defenseunicorns/uds-common/commit/093def2f245709084c079aaf529a604d8ca5b6c2)) ##### Miscellaneous - **deps:** update uds common support dependencies ([#​237](https://redirect.github.com/defenseunicorns/uds-common/issues/237)) ([eac2f68](https://redirect.github.com/defenseunicorns/uds-common/commit/eac2f686deacb898a6383fcc73c861293db52b9c)) - modify helm matches to handle git and helm ([#​238](https://redirect.github.com/defenseunicorns/uds-common/issues/238)) ([803d9fe](https://redirect.github.com/defenseunicorns/uds-common/commit/803d9fed89bd890c1203c618a1e3fda1bd495cbd))
--- ### Configuration πŸ“… **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. β™» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. πŸ”• **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/defenseunicorns/uds-core). Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- tasks/create.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/create.yaml b/tasks/create.yaml index 3520ecffe..9480a8944 100644 --- a/tasks/create.yaml +++ b/tasks/create.yaml @@ -1,5 +1,5 @@ includes: - - common: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.13.0/tasks/create.yaml + - common: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.13.1/tasks/create.yaml variables: - name: FLAVOR From 4d21dff3086267748b0bcc0b8a9c86a69a9e1589 Mon Sep 17 00:00:00 2001 From: Chance <139784371+UnicornChance@users.noreply.github.com> Date: Tue, 24 Sep 2024 09:31:40 -0600 Subject: [PATCH 13/90] chore: pepr policy doc (#814) ## Description update pepr policy docs ## Type of change - [ ] Bug fix (non-breaking change which fixes an issue) - [ ] New feature (non-breaking change which adds functionality) - [x] Other (security config, docs update, etc) ## Checklist before merging - [x] Test, docs, adr added or updated as needed - [x] [Contributor Guide](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md) followed --------- Co-authored-by: Micah Nagel --- docs/configuration/pepr-policies.md | 52 +++++++++++++++++------------ 1 file changed, 30 insertions(+), 22 deletions(-) diff --git a/docs/configuration/pepr-policies.md b/docs/configuration/pepr-policies.md index 3738ef878..96e127e04 100644 --- a/docs/configuration/pepr-policies.md +++ b/docs/configuration/pepr-policies.md @@ -7,32 +7,12 @@ weight: 3 ## Common Pepr Policies for UDS Core ### Pepr Policy Exemptions {#pepr-policy-exemptions} -These policies are based on the [Kyverno](https://kyverno.io/policies/) policies. +These policies are based on the [Big Bang](https://p1.dso.mil/services/big-bang) policies created with Kyverno. You can find the source policies [here](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies), Policy Names below also have links to the referenced Big Bang policy. -Exemptions can be specified by a [UDS Exemption CR](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/operator/README.md), using the values from the "Exemption Reference" column below. These take the place of Kyverno Exceptions. +Exemptions can be specified by a [UDS Exemption CR](../operator/README.md). These take the place of Kyverno Exceptions. If a resource is exempted, it will be annotated as `uds-core.pepr.dev/uds-core-policies.: exempted` -### Pepr Policy Validations - -| Kyverno PolicyπŸ”— | Exemption ReferenceπŸ”— | Policy Description | -| ----------------- | :--------------------: | ------------------ | -| [Disallow Host Namespaces](https://kyverno.io/policies/pod-security/baseline/disallow-host-namespaces/disallow-host-namespaces/) | [`DisallowHostNamespaces`](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/networking.ts#L7-L35) | Subject: **Pod**
Severity: **high**

Host namespaces (Process ID namespace, Inter-Process Communication namespace, and network namespace) allow access to shared information and can be used to elevate privileges. Pods should not be allowed access to host namespaces. This policy ensures fields which make use of these host namespaces are set to `false`. | -|[Disallow NodePort Services](https://kyverno.io/policies/best-practices/restrict-node-port/restrict-node-port/) | [`DisallowNodePortServices`](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/networking.ts#L88-L110) | Subject: **Service**
Severity: **medium**

A Kubernetes Service of type NodePort uses a host port to receive traffic from any source. A NetworkPolicy cannot be used to control traffic to host ports. Although NodePort Services can be useful, their use must be limited to Services with additional upstream security checks. This policy validates that any new Services do not use the `NodePort` type. | -|Disallow Privileged [Escalation](https://kyverno.io/policies/pod-security/restricted/disallow-privilege-escalation/disallow-privilege-escalation/) and [Pods](https://kyverno.io/policies/pod-security/baseline/disallow-privileged-containers/disallow-privileged-containers/) | [`DisallowPrivileged`](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/security.ts#L14-L75) | Subject: **Pod**
Severity: **high**

Privilege escalation, such as via set-user-ID or set-group-ID file mode, should not be allowed. Privileged mode also disables most security mechanisms and must not be allowed. This policy ensures the `allowPrivilegeEscalation` field is set to false and `privileged` is set to false or undefined. | -|[Disallow SELinux Options](https://kyverno.io/policies/pod-security/baseline/disallow-selinux/disallow-selinux/) | [`DisallowSELinuxOptions`](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/security.ts#L244-L285) | Subject: **Pod**
Severity: **high**

SELinux options can be used to escalate privileges. This policy ensures that the `seLinuxOptions` specified are not used. | -|[Drop All Capabilities](https://kyverno.io/policies/best-practices/require-drop-all/require-drop-all/) | [`DropAllCapabilities`](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/security.ts#L329-L376) | Subject: **Pod**
Severity: **medium**

Capabilities permit privileged actions without giving full root access. All capabilities should be dropped from a Pod, with only those required added back. This policy ensures that all containers explicitly specify `drop: ["ALL"]`. | -|[Require Non-root User](https://kyverno.io/policies/pod-security/restricted/require-run-as-non-root-user/require-run-as-non-root-user/) | [`RequireNonRootUser`](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/security.ts#L77-L167) | Subject: **Pod**
Severity: **high**

Following the least privilege principle, containers should not be run as root. This policy ensures containers either have `runAsNonRoot` set to `true` or `runAsUser` > 0. | -|[Restrict Capabilities](https://kyverno.io/policies/pod-security/baseline/disallow-capabilities/disallow-capabilities/) | [`RestrictCapabilities`](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/security.ts#L378-L413) | Subject: **Pod**
Severity: **high**

Capabilities permit privileged actions without giving full root access. Adding capabilities beyond the default set must not be allowed. This policy ensures users cannot add additional capabilities beyond the allowed list to a Pod. | -|[Restrict External Names (CVE-2020-8554)](https://kyverno.io/policies/best-practices/restrict-service-external-ips/restrict-service-external-ips/) | [`RestrictExternalNames`](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/networking.ts#L67-L86) | Subject: **Service**
Severity: **medium**

Service external names can be used for a MITM attack (CVE-2020-8554). External names can be used by an attacker to point back to localhost or internal IP addresses for exploitation. This policy restricts services using external names to a specified list. | -|[Restrict hostPath Volume Writable Paths](https://kyverno.io/policies/other/ensure-readonly-hostpath/ensure-readonly-hostpath/) | [`RestrictHostPathWrite`](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/storage.ts#L54-L92) | Subject: **Pod**
Severity: **medium**

hostPath volumes consume the underlying node's file system. If hostPath volumes are not universally disabled, they should be required to be read-only. Pods which are allowed to mount hostPath volumes in read/write mode pose a security risk even if confined to a "safe" file system on the host and may escape those confines. This policy checks containers for hostPath volumes and validates they are explicitly mounted in readOnly mode. | -|[Restrict Host Ports](https://kyverno.io/policies/pod-security/baseline/disallow-host-ports/disallow-host-ports/) | [`RestrictHostPorts`](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/networking.ts#L37-L65) | Subject: **Pod**
Severity: **high**

Access to host ports allows potential snooping of network traffic and should not be allowed, or at minimum restricted to a known list. This policy ensures only approved ports are defined in container's `hostPort` field. | -|[Restrict Proc Mount](https://kyverno.io/policies/pod-security/baseline/disallow-proc-mount/disallow-proc-mount/) | [`RestrictProcMount`](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/security.ts#L169-L198) | Subject: **Pod**
Severity: **high**

The default /proc masks are set up to reduce the attack surface. This policy ensures nothing but the specified procMount can be used. By default only "Default" is allowed. | -|[Restrict Seccomp](https://kyverno.io/policies/pod-security/baseline/restrict-seccomp/restrict-seccomp/) | [`RestrictSeccomp`](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/security.ts#L200-L242) | Subject: **Pod**
Severity: **high**

The SecComp profile should not be explicitly set to Unconfined. This policy, requiring Kubernetes v1.19 or later, ensures that the `seccompProfile.Type` is undefined or restricted to the values in the allowed list. By default, this is `RuntimeDefault` or `Localhost`. | -|[Restrict SELinux Type](https://kyverno.io/policies/pod-security/baseline/disallow-selinux/disallow-selinux/) | [`RestrictSELinuxType`](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/security.ts#L287-L327) | Subject: **Pod**
Severity: **high**

SELinux options can be used to escalate privileges. This policy ensures that the `seLinuxOptions` type field is undefined or restricted to the allowed list. | -|[Restrict Volume Types](https://kyverno.io/policies/pod-security/restricted/restrict-volume-types/restrict-volume-types/) | [`RestrictVolumeTypes`](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/storage.ts#L7-L52) | Subject: **Pod**
Severity: **medium**

Volume types, beyond the core set, should be restricted to limit exposure to potential vulnerabilities in Container Storage Interface (CSI) drivers. In addition, HostPath volumes should not be. | - - ### Pepr Policy Mutations {{% alert-note %}} @@ -44,3 +24,31 @@ Mutations can be exempted using the same [Pepr Policy Exemptions](#pepr-policy-e | [Disallow Privilege Escalation](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/security.ts#L14-L75) | `containers[].securityContext.allowPrivilegeEscalation` | Mutates `allowPrivilegeEscalation` to `false` if undefined, unless the container is privileged or `CAP_SYS_ADMIN` is added. | | [Require Non-root User](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/security.ts#L77-L167) | `securityContext.runAsUser`,
`securityContext.runAsGroup`,
`securityContext.fsGroup`,
`securityContext.runAsNonRoot` | Pods are mutated to ensure workloads do not run as root, mutating `runAsNonRoot: true`. Users can define user, group, and fsGroup IDs to run the pod as by using the `uds/user`, `uds/group`, `uds/fsgroup` pod labels. If not provided these default to `runAsUser: 1000` and `runAsGroup: 1000`. | | [Drop All Capabilities](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/security.ts#L329-L376) | `containers[].securityContext.capabilities.drop` | Ensures all capabilities are dropped by setting `capabilities.drop` to `["ALL"]` for all containers. | + +### Pepr Policy Validations + +| Policy NameπŸ”— | Exemption ReferenceπŸ”— | Policy Description | +| ------------- | :-------------------: | ------------------ | +| [Disallow Host Namespaces](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/disallow-host-namespaces.yaml) | [`DisallowHostNamespaces`](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/networking.ts#L7-L35) | Implemented: βœ…
Subject: **Pod**
Severity: **high**

Host namespaces (Process ID namespace, Inter-Process Communication namespace, and network namespace) allow access to shared information and can be used to elevate privileges. Pods should not be allowed access to host namespaces. This policy ensures fields which make use of these host namespaces are set to `false`. | +|[Disallow NodePort Services](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/disallow-nodeport-services.yaml) | [`DisallowNodePortServices`](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/networking.ts#L88-L110) | Implemented: βœ…
Subject: **Service**
Severity: **medium**

A Kubernetes Service of type NodePort uses a host port to receive traffic from any source. A NetworkPolicy cannot be used to control traffic to host ports. Although NodePort Services can be useful, their use must be limited to Services with additional upstream security checks. This policy validates that any new Services do not use the `NodePort` type. | +|Disallow Privileged [Escalation](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/disallow-privilege-escalation.yaml) and [Pods](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/disallow-privileged-containers.yaml) | [`DisallowPrivileged`](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/security.ts#L14-L75) | Implemented: βœ…
Subject: **Pod**
Severity: **high**

Privilege escalation, such as via set-user-ID or set-group-ID file mode, should not be allowed. Privileged mode also disables most security mechanisms and must not be allowed. This policy ensures the `allowPrivilegeEscalation` field is set to false and `privileged` is set to false or undefined. | +|[Disallow SELinux Options](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/disallow-selinux-options.yaml) | [`DisallowSELinuxOptions`](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/security.ts#L244-L285) | Implemented: βœ…
Subject: **Pod**
Severity: **high**

SELinux options can be used to escalate privileges. This policy ensures that the `seLinuxOptions` specified are not used. | +|[Drop All Capabilities](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/require-drop-all-capabilities.yaml) | [`DropAllCapabilities`](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/security.ts#L329-L376) | Implemented: βœ…
Subject: **Pod**
Severity: **medium**

Capabilities permit privileged actions without giving full root access. All capabilities should be dropped from a Pod, with only those required added back. This policy ensures that all containers explicitly specify `drop: ["ALL"]`. | +|[Require Non-root User](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/require-non-root-user.yaml) | [`RequireNonRootUser`](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/security.ts#L77-L167) | Implemented: βœ…
Subject: **Pod**
Severity: **high**

Following the least privilege principle, containers should not be run as root. This policy ensures containers either have `runAsNonRoot` set to `true` or `runAsUser` > 0. | +|[Restrict Capabilities](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/restrict-capabilities.yaml) | [`RestrictCapabilities`](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/security.ts#L378-L413) | Implemented: βœ…
Subject: **Pod**
Severity: **high**

Capabilities permit privileged actions without giving full root access. Adding capabilities beyond the default set must not be allowed. This policy ensures users cannot add additional capabilities beyond the allowed list to a Pod. | +|[Restrict External Names (CVE-2020-8554)](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/restrict-external-names.yaml) | [`RestrictExternalNames`](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/networking.ts#L67-L86) | Implemented: βœ…
Subject: **Service**
Severity: **medium**

Service external names can be used for a MITM attack (CVE-2020-8554). External names can be used by an attacker to point back to localhost or internal IP addresses for exploitation. This policy restricts services using external names to a specified list. | +|[Restrict hostPath Volume Writable Paths](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/restrict-host-path-write.yaml) | [`RestrictHostPathWrite`](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/storage.ts#L54-L92) | Implemented: βœ…
Subject: **Pod**
Severity: **medium**

hostPath volumes consume the underlying node's file system. If hostPath volumes are not universally disabled, they should be required to be read-only. Pods which are allowed to mount hostPath volumes in read/write mode pose a security risk even if confined to a "safe" file system on the host and may escape those confines. This policy checks containers for hostPath volumes and validates they are explicitly mounted in readOnly mode. | +|[Restrict Host Ports](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/restrict-host-ports.yaml) | [`RestrictHostPorts`](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/networking.ts#L37-L65) | Implemented: βœ…
Subject: **Pod**
Severity: **high**

Access to host ports allows potential snooping of network traffic and should not be allowed, or at minimum restricted to a known list. This policy ensures only approved ports are defined in container's `hostPort` field. | +|[Restrict Proc Mount](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/restrict-proc-mount.yaml) | [`RestrictProcMount`](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/security.ts#L169-L198) | Implemented: βœ…
Subject: **Pod**
Severity: **high**

The default /proc masks are set up to reduce the attack surface. This policy ensures nothing but the specified procMount can be used. By default only "Default" is allowed. | +|[Restrict Seccomp](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/restrict-seccomp.yaml) | [`RestrictSeccomp`](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/security.ts#L200-L242) | Implemented: βœ…
Subject: **Pod**
Severity: **high**

The SecComp profile should not be explicitly set to Unconfined. This policy, requiring Kubernetes v1.19 or later, ensures that the `seccompProfile.Type` is undefined or restricted to the values in the allowed list. By default, this is `RuntimeDefault` or `Localhost`. | +|[Restrict SELinux Type](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/restrict-selinux-type.yaml) | [`RestrictSELinuxType`](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/security.ts#L287-L327) | Implemented: βœ…
Subject: **Pod**
Severity: **high**

SELinux options can be used to escalate privileges. This policy ensures that the `seLinuxOptions` type field is undefined or restricted to the allowed list. | +|[Restrict Volume Types](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/restrict-volume-types.yaml) | [`RestrictVolumeTypes`](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/storage.ts#L7-L52) | Implemented: βœ…
Subject: **Pod**
Severity: **medium**

Volume types, beyond the core set, should be restricted to limit exposure to potential vulnerabilities in Container Storage Interface (CSI) drivers. In addition, HostPath volumes should not be. | +|[Restrict Sysctls](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/restrict-sysctls.yaml) | Not Implemented | Implemented: ❌
Subject: **Pod**
Severity: **high**

Sysctl can disable security mechanisms or affect all containers on a host, and should be restricted to an allowed "safe" subset. A sysctl is considered safe if it is namespaced and is isolated from other Pods and processes on the same Node. This policy ensures that all sysctls are in the allowed list. +|[Restrict Image Registries](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/restrict-image-registries.yaml) | Not Implemented | Implemented: ❌
Subject: **Pod**
Severity: **high**

Images from unknown, public registries can be of dubious quality and may not be scanned and secured, representing a high degree of risk. Requiring use of known, approved registries helps reduce threat exposure by ensuring image pulls only come from them. This policy validates that all images originate from a registry in the approved list.| +|[Restrict hostPath Volume Mountable Paths](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/restrict-host-path-mount-pv.yaml) | Not Implemented | Implemented: ❌
Subject: **PersistentVolume**
Severity: **medium**

PersistentVolume using hostPath consume the underlying node's file system. If not universally disabled, they should be restricted to specific host paths to prevent access to sensitive information. This policy ensures that PV hostPath is in the allowed list. | +|[Restrict hostPath Volume Mountable Paths](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/restrict-host-path-mount.yaml) | Not Implemented | Implemented: ❌
Subject: **Pod**
Severity: **medium**

hostPath volumes consume the underlying node's file system. If hostPath volumes are not universally disabled, they should be restricted to specific host paths to prevent access to sensitive information. This policy ensures that hostPath volume paths are in the allowed list. | +|[Restrict External IPs (CVE-2020-8554)](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/restrict-external-ips.yaml) | Not Implemented | Implemented: ❌
Subject: **Service**
Severity: **medium**

Service externalIPs can be used for a MITM attack (CVE-2020-8554). This policy restricts externalIPs to a specified list. | +|[Restrict AppArmor Profile](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/restrict-apparmor.yaml) | Not Implemented | Implemented: ❌
Subject: **Pod**
Severity: **high**

On hosts using Debian Linux distros, AppArmor is used as an access control framework. AppArmor uses the 'runtime/default' profile by default. This policy ensures Pods do not override the AppArmor profile with values outside of the allowed list. | +|[Require Image Signature](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/require-image-signature.yaml) | Not Implemented | Implemented: ❌
Subject: **Pod**
Severity: **high**

Using the Cosign project, OCI images may be signed to ensure supply chain security is maintained. Those signatures can be verified before pulling into a cluster. This policy checks the signature to ensure it has been signed by verifying its signature against the public key. | +|[Require Non-root Group](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/require-non-root-group.yaml) | Not Implemented | Implemented: ❌
Subject: **Pod**
Severity: **high**

Following the least privilege principle, access to the root group ID should be forbidden in containers. This policy ensures containers are running with groups > 0. | +|[Disallow AutoMount Service Account Tokens](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/disallow-auto-mount-service-account-token.yaml) | Not Implemented | Implemented: ❌
Subject: **Pod, ServiceAccount**
Severity: **high**

Auto-mounting of Kubernetes API credentials is not ideal in all circumstances. This policy finds Pods and Service Accounts that automount kubernetes api credentials. | From 410f71233446262c3e1a4d611afc1b72c583565a Mon Sep 17 00:00:00 2001 From: Rob Ferguson Date: Tue, 24 Sep 2024 15:50:51 -0500 Subject: [PATCH 14/90] fix: revert test app version to fix CI failures (#815) ## Description Fix test app by using previous version of httpbin ## Type of change - [ ] Bug fix (non-breaking change which fixes an issue) - [ ] New feature (non-breaking change which adds functionality) - [ ] Other (security config, docs update, etc) ## Checklist before merging - [ ] Test, docs, adr added or updated as needed - [ ] [Contributor Guide](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md) followed --------- Co-authored-by: Micah Nagel --- src/test/app-admin.yaml | 2 +- src/test/app-authservice-tenant.yaml | 2 +- src/test/zarf.yaml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/test/app-admin.yaml b/src/test/app-admin.yaml index 884401949..785438ea6 100644 --- a/src/test/app-admin.yaml +++ b/src/test/app-admin.yaml @@ -70,7 +70,7 @@ spec: spec: serviceAccountName: httpbin containers: - - image: docker.io/kong/httpbin + - image: docker.io/kong/httpbin:0.1.0 imagePullPolicy: IfNotPresent name: httpbin resources: diff --git a/src/test/app-authservice-tenant.yaml b/src/test/app-authservice-tenant.yaml index 094bff22e..04093682b 100644 --- a/src/test/app-authservice-tenant.yaml +++ b/src/test/app-authservice-tenant.yaml @@ -70,7 +70,7 @@ spec: spec: serviceAccountName: httpbin containers: - - image: docker.io/kong/httpbin + - image: docker.io/kong/httpbin:0.1.0 imagePullPolicy: IfNotPresent name: httpbin resources: diff --git a/src/test/zarf.yaml b/src/test/zarf.yaml index b98f98bf7..f350e036e 100644 --- a/src/test/zarf.yaml +++ b/src/test/zarf.yaml @@ -18,7 +18,7 @@ components: files: - "app-authservice-tenant.yaml" images: - - docker.io/kong/httpbin:latest + - docker.io/kong/httpbin:0.1.0 - hashicorp/http-echo:latest - name: podinfo From 29dcb93b83b62b067a6b8661466dd28179b56d8d Mon Sep 17 00:00:00 2001 From: Rob Ferguson Date: Tue, 24 Sep 2024 16:17:15 -0500 Subject: [PATCH 15/90] fix: ensure istio sidecar is killed if job fails (#813) ## Description Ensure Istio sidecar is killed if Job pod exits with non-zero exit status. Tested with Jobs (exit code zero and non-zero) ```yaml apiVersion: batch/v1 kind: Job metadata: name: failing-job namespace: keycloak spec: template: spec: containers: - name: fail-container image: quay.io/keycloak/keycloak:25.0.6 command: ["sh", "-c", "echo 'This will fail'; exit 1"] restartPolicy: Never backoffLimit: 3 --- apiVersion: batch/v1 kind: Job metadata: name: success-job namespace: keycloak spec: template: spec: containers: - name: succeed-container image: quay.io/keycloak/keycloak:25.0.6 command: ["sh", "-c", "echo 'This will succeed'; exit 0"] restartPolicy: Never backoffLimit: 3 ``` ## Related Issue Fixes https://github.com/defenseunicorns/uds-core/issues/687 ## Type of change - [ ] Bug fix (non-breaking change which fixes an issue) - [ ] New feature (non-breaking change which adds functionality) - [ ] Other (security config, docs update, etc) ## Checklist before merging - [ ] Test, docs, adr added or updated as needed - [ ] [Contributor Guide](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md) followed Co-authored-by: Micah Nagel --- src/pepr/istio/index.ts | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/pepr/istio/index.ts b/src/pepr/istio/index.ts index 9ca4b9252..01eb86278 100644 --- a/src/pepr/istio/index.ts +++ b/src/pepr/istio/index.ts @@ -47,8 +47,8 @@ When(a.Pod) const shouldTerminate = pod.status.containerStatuses // Ignore the istio-proxy container .filter(c => c.name != "istio-proxy") - // and if ALL are terminated AND have exit code 0, then shouldTerminate is true - .every(c => c.state?.terminated && c.state.terminated.exitCode == 0); + // and if ALL are terminated then shouldTerminate is true + .every(c => c.state?.terminated); if (shouldTerminate) { // Mark the pod as seen From afe1610eda0ad07740d45e30e795f1908a7292c1 Mon Sep 17 00:00:00 2001 From: Micah Nagel Date: Tue, 24 Sep 2024 15:52:14 -0600 Subject: [PATCH 16/90] fix: eks iac issues, document storage class pre-reqs (#812) ## Description EBS impose a 1Gi size limitation on restored PVCs. This adds a short note to pre-reqs about checking CSI limitations. While testing with our EKS IAC I also discovered a few other issues: - IRSA annotations were not correct - Config did not properly variablize region - Config had an unmatched `"` around one of the values - Gitignore did not exclude terraform/tfstate files that shouldn't be committed ## Related Issue Fixes https://github.com/defenseunicorns/uds-core/issues/718 ## Type of change - [x] Bug fix (non-breaking change which fixes an issue) - [ ] New feature (non-breaking change which adds functionality) - [ ] Other (security config, docs update, etc) ## Checklist before merging - [x] Test, docs, adr added or updated as needed - [x] [Contributor Guide](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md) followed --- .github/bundles/uds-bundle.yaml | 4 ++-- .gitignore | 3 +++ docs/deployment/prerequisites.md | 4 +++- tasks/iac.yaml | 4 ++-- 4 files changed, 10 insertions(+), 5 deletions(-) diff --git a/.github/bundles/uds-bundle.yaml b/.github/bundles/uds-bundle.yaml index 0d9c226a5..ece96b5ec 100644 --- a/.github/bundles/uds-bundle.yaml +++ b/.github/bundles/uds-bundle.yaml @@ -27,7 +27,7 @@ packages: path: credentials.useSecret - name: VELERO_IRSA_ANNOTATION description: "IRSA ARN annotation to use for Velero" - path: serviceAccount.server.annotations.irsa/role-arn + path: serviceAccount.server.annotations.eks\.amazonaws\.com/role-arn loki: loki: values: @@ -52,4 +52,4 @@ packages: path: loki.storage.s3.region - name: LOKI_IRSA_ANNOTATION description: "The irsa role annotation" - path: serviceAccount.annotations.irsa/role-arn + path: serviceAccount.annotations.eks\.amazonaws\.com/role-arn diff --git a/.gitignore b/.gitignore index 218f55004..ad3474a0f 100644 --- a/.gitignore +++ b/.gitignore @@ -15,3 +15,6 @@ tmp-tasks.yaml cacert.b64 run/ extract-terraform.sh +**/.terraform* +cluster-config.yaml +**.tfstate diff --git a/docs/deployment/prerequisites.md b/docs/deployment/prerequisites.md index fdbc2fb3e..ddc8e038e 100644 --- a/docs/deployment/prerequisites.md +++ b/docs/deployment/prerequisites.md @@ -45,9 +45,11 @@ Several UDS Core components require persistent volumes that will be provisioned ```console ❯ kubectl get storageclass NAME PROVISIONER RECLAIMPOLICY VOLUMEBINDINGMODE ALLOWVOLUMEEXPANSION AGE -local-path (default) rancher.io/local-path Delete WaitForFirstConsumer false 55s +local-path (default) rancher.io/local-path Delete WaitForFirstConsumer true 55s ``` +It’s generally beneficial if your storage class supports volume expansion (set `allowVolumeExpansion: true`, provided your provisioner allows it). This enables you to resize volumes when needed. Additionally, be mindful of any size restrictions imposed by your provisioner. For instance, EBS volumes have a minimum size of 1Gi, which could lead to unexpected behavior, especially during Velero’s CSI backup and restore process. These constraints may also necessitate adjustments to default PVC sizes, such as Keycloak’s PVCs, which default to 512Mi in `devMode`. + #### Network Policy Support The UDS Operator will dynamically provision network policies to secure traffic between components in UDS Core. To ensure these are effective, validate that your CNI supports enforcing network policies. In addition, UDS Core makes use of some CIDR based policies for communication with the KubeAPI server. If you are using Cilium, support for node addressability with CIDR based policies must be enabled with a [feature flag](https://docs.cilium.io/en/stable/security/policy/language/#selecting-nodes-with-cidr-ipblock). diff --git a/tasks/iac.yaml b/tasks/iac.yaml index a5d4b8f74..f13e2d4e4 100644 --- a/tasks/iac.yaml +++ b/tasks/iac.yaml @@ -25,7 +25,7 @@ tasks: metadata: name: ${CLUSTER_NAME} - region: us-west-2 + region: ${REGION} version: "1.30" tags: PermissionsBoundary: ${PERMISSIONS_BOUNDARY_NAME} @@ -148,7 +148,7 @@ tasks: loki_s3_region: ${LOKI_S3_AWS_REGION} loki_irsa_annotation: "${LOKI_S3_ROLE_ARN}" velero_use_secret: false - velero_irsa_annotation: ${VELERO_S3_ROLE_ARN}" + velero_irsa_annotation: "${VELERO_S3_ROLE_ARN}" velero_bucket: ${VELERO_S3_BUCKET} velero_bucket_region: ${VELERO_S3_AWS_REGION} velero_bucket_provider_url: "" From b3df5f878070f29de41192d85eebdf129136f88f Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 24 Sep 2024 22:23:05 +0000 Subject: [PATCH 17/90] chore(deps): update dependency defenseunicorns/uds-common to v0.13.1 (#810) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This PR contains the following updates: | Package | Update | Change | |---|---|---| | [defenseunicorns/uds-common](https://redirect.github.com/defenseunicorns/uds-common) | patch | `v0.13.0` -> `v0.13.1` | --- ### Release Notes
defenseunicorns/uds-common (defenseunicorns/uds-common) ### [`v0.13.1`](https://redirect.github.com/defenseunicorns/uds-common/releases/tag/v0.13.1) [Compare Source](https://redirect.github.com/defenseunicorns/uds-common/compare/v0.13.0...v0.13.1) ##### Bug Fixes - allow dependent bundle commands to be run on upgrade tests ([#​241](https://redirect.github.com/defenseunicorns/uds-common/issues/241)) ([093def2](https://redirect.github.com/defenseunicorns/uds-common/commit/093def2f245709084c079aaf529a604d8ca5b6c2)) ##### Miscellaneous - **deps:** update uds common support dependencies ([#​237](https://redirect.github.com/defenseunicorns/uds-common/issues/237)) ([eac2f68](https://redirect.github.com/defenseunicorns/uds-common/commit/eac2f686deacb898a6383fcc73c861293db52b9c)) - modify helm matches to handle git and helm ([#​238](https://redirect.github.com/defenseunicorns/uds-common/issues/238)) ([803d9fe](https://redirect.github.com/defenseunicorns/uds-common/commit/803d9fed89bd890c1203c618a1e3fda1bd495cbd))
--- ### Configuration πŸ“… **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. β™» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. πŸ”• **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/defenseunicorns/uds-core). Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Chance <139784371+UnicornChance@users.noreply.github.com> --- tasks/lint.yaml | 2 +- tasks/test.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/lint.yaml b/tasks/lint.yaml index 9ac598ac3..471072261 100644 --- a/tasks/lint.yaml +++ b/tasks/lint.yaml @@ -1,5 +1,5 @@ includes: - - remote: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.13.0/tasks/lint.yaml + - remote: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.13.1/tasks/lint.yaml tasks: - name: fix diff --git a/tasks/test.yaml b/tasks/test.yaml index 105c0420d..185408e5a 100644 --- a/tasks/test.yaml +++ b/tasks/test.yaml @@ -2,7 +2,7 @@ includes: - create: ./create.yaml - setup: ./setup.yaml - deploy: ./deploy.yaml - - compliance: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.13.0/tasks/compliance.yaml + - compliance: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.13.1/tasks/compliance.yaml tasks: - name: single-package From 1bc4820fc7e22c630a519ae144268be183e0bddd Mon Sep 17 00:00:00 2001 From: Noah <40781376+noahpb@users.noreply.github.com> Date: Wed, 25 Sep 2024 10:44:50 -0400 Subject: [PATCH 18/90] docs: add dns setup (#767) ## Description Adding documentation on the DNS assumptions in UDS Core and added example for deploying in a non-dev environment. ## Related Issue Fixes https://github.com/defenseunicorns/uds-core/issues/730 ## Type of change - [ ] Bug fix (non-breaking change which fixes an issue) - [ ] New feature (non-breaking change which adds functionality) - [x] Other (security config, docs update, etc) ## Checklist before merging - [ ] Test, docs, adr added or updated as needed - [ ] [Contributor Guide](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md) followed --------- Co-authored-by: Micah Nagel Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Rob Ferguson Co-authored-by: Chance <139784371+UnicornChance@users.noreply.github.com> Co-authored-by: UncleGedd <42304551+UncleGedd@users.noreply.github.com> Co-authored-by: Nigel Foucha <73838612+nfoucha@users.noreply.github.com> Co-authored-by: Micah Nagel --- bundles/k3d-slim-dev/README.md | 2 +- bundles/k3d-standard/README.md | 2 +- docs/deployment/dns.md | 74 ++++++++++++++++++++++++++++++++++ 3 files changed, 76 insertions(+), 2 deletions(-) create mode 100644 docs/deployment/dns.md diff --git a/bundles/k3d-slim-dev/README.md b/bundles/k3d-slim-dev/README.md index e56b0a279..b7fc906f8 100644 --- a/bundles/k3d-slim-dev/README.md +++ b/bundles/k3d-slim-dev/README.md @@ -12,7 +12,7 @@ The k3d uds-dev-stack provides: - [Minio](https://min.io/) - In-cluster S3 Object Storage (See below for more details) - [Local Path Provisioner](https://github.com/rancher/local-path-provisioner/) - Local Storage with RWX - [MetalLB](https://metallb.universe.tf/) - Provides type: LoadBalancer for cluster resources and Istio Gateways -- [HAProxy](https://www.haproxy.org/) - Utilizes k3d host port mapping to bind ports 80 and 443, facilitating local FQDN-based routing through ACLs to MetalLB load balancer backends for Istio Gateways serving *.uds.dev, keycloak.uds.dev, and *.admin.uds.dev. +- [NGINX](https://nginx.org/) - Utilizes k3d host port mapping to bind ports 80 and 443, facilitating local FQDN-based routing through ACLs to MetalLB load balancer backends for Istio Gateways serving *.uds.dev, keycloak.uds.dev, and *.admin.uds.dev. ## Available Overrides ### Package: uds-k3d diff --git a/bundles/k3d-standard/README.md b/bundles/k3d-standard/README.md index 866378a5b..23d065d47 100644 --- a/bundles/k3d-standard/README.md +++ b/bundles/k3d-standard/README.md @@ -6,7 +6,7 @@ This bundle is used for demonstration, development, and testing of UDS Core. In - [Minio]() - In-cluster S3 Object Storage (See below for more details) - [Local Path Provisioner]() - Storage Provider with RWX configured - [MetalLB](https://metallb.universe.tf/) - Provides type: LoadBalancer for cluster resources and Istio Gateways -- [HAProxy](https://www.haproxy.org/) - Utilizes k3d host port mapping to bind ports 80 and 443, facilitating local FQDN-based routing through ACLs to MetalLB load balancer backends for Istio Gateways serving *.uds.dev, keycloak.uds.dev, and *.admin.uds.dev. +- [NGINX](https://nginx.org/) - Utilizes k3d host port mapping to bind ports 80 and 443, facilitating local FQDN-based routing through ACLs to MetalLB load balancer backends for Istio Gateways serving *.uds.dev, keycloak.uds.dev, and *.admin.uds.dev. ## Available Overrides ### Package: uds-k3d diff --git a/docs/deployment/dns.md b/docs/deployment/dns.md new file mode 100644 index 000000000..b1dcef9bc --- /dev/null +++ b/docs/deployment/dns.md @@ -0,0 +1,74 @@ +--- +title: DNS Configuration +type: docs +weight: 2 +--- + +UDS Core deploys two Gateways by default - a Tenant Gateway for end-user applications and an Admin Gateway for administrative applications. You can read more about Istio configuration in UDS Core [here](https://uds.defenseunicorns.com/core/configuration/istio/ingress/). This section covers how to configure DNS for these Gateways. + +### Domain Configuration +Each Gateway is associated to a wildcard DNS entry that is derived from the `DOMAIN` [variable](https://github.com/defenseunicorns/uds-core/blob/e624d73f79bd6739b6808fbdbf5ca75ebb7c1d3c/src/istio/zarf.yaml#L8) in the UDS Core Istio package. When deploying UDS Core, you can expect two Gateways to be created that match the following domain names: +- `*.` / Tenant Gateway +- `*.admin.` / Admin Gateway + +{{% alert-note %}} +The default value for `DOMAIN` is `uds.dev`, which is intended for development purposes only. For non-development purposes, you should override this value by specifying a value for `domain` in your `uds-config.yaml`. You can find instructions on how to do so [here](https://uds.defenseunicorns.com/core/configuration/istio/ingress/#configure-domain-name-and-tls-for-istio-gateways). +{{% /alert-note %}} + +### Bundle Configuration +{{% alert-note %}} +UDS Core does not include any cloud provider specific configuration by default. Additional overrides are required to deploy UDS Core on a given provider. This section will refer to AWS, but values can be substituted as needed for other providers. +{{% /alert-note %}} + +The Admin and Tenant Gateways will be each be bound to an external Load Balancer that is exposed on TCP ports 80 and 443 by default. The Admin Gateway should be configured to use an internal facing Load Balancer and the Tenant Gateway should be configured to use an external facing Load Balancer. Below is an example of overrides that would accomplish this: +```yaml +kind: UDSBundle +metadata: + name: core-with-lb-config + description: A UDS example bundle for deploying UDS Core with external Load Balancer configuration + version: "0.0.1" + +packages: + - name: core + repository: oci://ghcr.io/defenseunicorns/packages/uds/core + ref: 0.27.0-upstream + +overrides: + istio-admin-gateway: + gateway: + values: + - path: service.annotations.service\.beta\.kubernetes\.io/aws-load-balancer-type + value: "external" + - path: service.annotations.service\.beta\.kubernetes\.io/aws-load-balancer-scheme + value: "internal" + - path: service.annotations.service\.beta\.kubernetes\.io/aws-load-balancer-attributes + value: "load_balancing.cross_zone.enabled=true" + istio-tenant-gateway: + gateway: + values: + - path: service.annotations.service\.beta\.kubernetes\.io/aws-load-balancer-type + value: "external" + - path: service.annotations.service\.beta\.kubernetes\.io/aws-load-balancer-scheme + value: "internet-facing" + - path: service.annotations.service\.beta\.kubernetes\.io/aws-load-balancer-attributes + value: "load_balancing.cross_zone.enabled=true" +``` + +### Istio Gateways +Once UDS Core is deployed, there will be Istio Gateway resources in your cluster. You can find each Gateway in a dedicated namespace: +```cli +$ kubectl get gateway -A +NAMESPACE NAME AGE +istio-admin-gateway admin-gateway 1h +istio-tenant-gateway tenant-gateway 1h +``` + +Each Gateway will have a Kubernetes Service of type Load Balancer: +```cli +$ kubectl get svc -A | grep LoadBalancer +NAMESPACE NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE +istio-admin-gateway admin-ingressgateway LoadBalancer 10.43.82.84 k8s-istioadm-admin...elb.us-east-1.amazonaws.com 15021:30842/TCP,80:31304/TCP,443:31518/TCP 1h +istio-tenant-gateway tenant-ingressgateway LoadBalancer 10.43.47.182 k8s-istioten-tenant...elb.us-east-1.amazonaws.com 15021:31222/TCP,80:30456/TCP,443:32508/TCP 1h +``` + +From here, you can register your domain and/or create DNS records for your environment that point to the appropriate Gateways/Load Balancers. Refer to your DNS provider's documentation. \ No newline at end of file From b5389851ae64c41e40d933b6dbced8c825739977 Mon Sep 17 00:00:00 2001 From: Doc A Date: Fri, 27 Sep 2024 22:24:17 +0000 Subject: [PATCH 19/90] More work on annotations, mutate copy label in dest secret --- src/pepr/operator/secrets.ts | 37 ++++++++++++++++++++++++++++++------ 1 file changed, 31 insertions(+), 6 deletions(-) diff --git a/src/pepr/operator/secrets.ts b/src/pepr/operator/secrets.ts index 100eb6019..20af90e83 100644 --- a/src/pepr/operator/secrets.ts +++ b/src/pepr/operator/secrets.ts @@ -1,10 +1,10 @@ import { a, K8s, kind, Log, PeprMutateRequest } from "pepr"; -export const labelCopySecret = "uds.dev/secrets/copy"; +export const labelCopySecret = "secrets.uds.dev/copy"; -const annotationFromNS = "uds.dev/secrets/fromNamespace"; -const annotationFromName = "uds.dev/secrets/fromName"; -const annotationOnFailure = "uds.dev/secrets/onMissingSource"; +const annotationFromNS = "secrets.uds.dev/fromNamespace"; +const annotationFromName = "secrets.uds.dev/fromName"; +const annotationOnFailure = "secrets.uds.dev/onMissingSource"; /** * Enum for handling what to do when the source secret is missing @@ -20,6 +20,23 @@ enum OnFailure { LEAVEEMPTY, } +/** + * Filter unwanted labels based on a list of keys to strip out. + * + * @returns Record - The filtered labels + */ +function filterLabels(labels: Record, keysToRemove: string[]) { + const filteredLabels: Record = {}; + + for (const key in labels) { + if (!keysToRemove.includes(key)) { + filteredLabels[key] = labels[key]; + } + } + + return filteredLabels; +} + /** * Copy a secret from one namespace to another * @@ -75,6 +92,10 @@ export async function copySecret(request: PeprMutateRequest) { Log.info("Attempting to copy secret %s from namespace %s to %s", fromName, fromNS, toNS); + // filter out the original copy label, then add a "copied" label + let filteredLabels = filterLabels(request.Raw.metadata?.labels || {}, [labelCopySecret]); + filteredLabels = { ...filteredLabels, "secrets.uds.dev/copied": "true" }; + try { const sourceSecret = await K8s(kind.Secret).InNamespace(fromNS).Get(fromName); @@ -89,8 +110,10 @@ export async function copySecret(request: PeprMutateRequest) { apiVersion: "v1", kind: "Secret", metadata: { - namespace: toNS, name: toName, + namespace: toNS, + labels: filteredLabels, + annotations: request.Raw.metadata?.annotations, }, }); return; @@ -104,8 +127,10 @@ export async function copySecret(request: PeprMutateRequest) { apiVersion: "v1", kind: "Secret", metadata: { - namespace: toNS, name: toName, + namespace: toNS, + labels: filteredLabels, + annotations: request.Raw.metadata?.annotations, }, data: sourceSecret.data, }); From 2f6ed02db5da1046cb0d2f15694ec76ce2ea2c3f Mon Sep 17 00:00:00 2001 From: Micah Nagel Date: Wed, 25 Sep 2024 12:58:42 -0600 Subject: [PATCH 20/90] feat!: switch from promtail to vector (#724) ## Description BREAKING CHANGE: Noting this as a breaking change as Promtail is removed and replaced by Vector. If using overrides to setup additional log targets/endpoints this configuration will need to be updated to Vector's chart/config formats. Primary docs on rationale, decision, and impact of this switch are [here](https://github.com/defenseunicorns/uds-core/blob/vector-add/src/vector/README.md). ## Related Issue Fixes https://github.com/defenseunicorns/uds-core/issues/377 ## Type of change - [ ] Bug fix (non-breaking change which fixes an issue) - [x] New feature (non-breaking change which adds functionality) - [ ] Other (security config, docs update, etc) ## Checklist before merging - [x] Test, docs, adr added or updated as needed - [x] [Contributor Guide](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md) followed --- .github/filters.yaml | 4 +- .vscode/settings.json | 4 +- CHANGELOG.md | 2 +- README.md | 2 +- compliance/oscal-component.yaml | 2 +- docs/application-baseline.md | 2 +- .../resource-configuration-and-ha.md | 14 ++- packages/standard/zarf.yaml | 6 +- renovate.json | 6 +- src/grafana/values/values.yaml | 3 + src/istio/oscal-component.yaml | 2 +- src/loki/chart/templates/uds-package.yaml | 6 +- .../controllers/exemptions/exemptions.spec.ts | 38 +++--- src/pepr/policies/exemptions/index.spec.ts | 2 +- src/pepr/zarf.yaml | 45 +++---- src/promtail/README.md | 1 - src/promtail/chart/templates/service.yaml | 18 --- .../chart/templates/uds-exemption.yaml | 24 ---- src/promtail/chart/templates/uds-package.yaml | 37 ------ src/promtail/chart/values.yaml | 0 src/promtail/common/zarf.yaml | 32 ----- src/promtail/tasks.yaml | 10 -- src/promtail/values/registry1-values.yaml | 10 -- src/promtail/values/unicorn-values.yaml | 10 -- src/promtail/values/upstream-values.yaml | 10 -- src/promtail/values/values.yaml | 116 ----------------- src/promtail/zarf.yaml | 51 -------- src/vector/README.md | 42 +++++++ src/{promtail => vector}/chart/.helmignore | 0 src/{promtail => vector}/chart/Chart.yaml | 4 +- .../chart/templates/_helpers.tpl | 20 +-- src/vector/chart/templates/uds-exemption.yaml | 21 ++++ src/vector/chart/templates/uds-package.yaml | 46 +++++++ src/vector/chart/values.yaml | 16 +++ src/vector/common/zarf.yaml | 38 ++++++ src/{promtail => vector}/oscal-component.yaml | 37 +++--- src/vector/tasks.yaml | 10 ++ src/vector/values/registry1-values.yaml | 3 + src/vector/values/unicorn-values.yaml | 3 + src/vector/values/upstream-values.yaml | 3 + src/vector/values/values.yaml | 118 ++++++++++++++++++ src/vector/zarf.yaml | 48 +++++++ 42 files changed, 444 insertions(+), 422 deletions(-) delete mode 100644 src/promtail/README.md delete mode 100644 src/promtail/chart/templates/service.yaml delete mode 100644 src/promtail/chart/templates/uds-exemption.yaml delete mode 100644 src/promtail/chart/templates/uds-package.yaml delete mode 100644 src/promtail/chart/values.yaml delete mode 100644 src/promtail/common/zarf.yaml delete mode 100644 src/promtail/tasks.yaml delete mode 100644 src/promtail/values/registry1-values.yaml delete mode 100644 src/promtail/values/unicorn-values.yaml delete mode 100644 src/promtail/values/upstream-values.yaml delete mode 100644 src/promtail/values/values.yaml delete mode 100644 src/promtail/zarf.yaml create mode 100644 src/vector/README.md rename src/{promtail => vector}/chart/.helmignore (100%) rename src/{promtail => vector}/chart/Chart.yaml (91%) rename src/{promtail => vector}/chart/templates/_helpers.tpl (71%) create mode 100644 src/vector/chart/templates/uds-exemption.yaml create mode 100644 src/vector/chart/templates/uds-package.yaml create mode 100644 src/vector/chart/values.yaml create mode 100644 src/vector/common/zarf.yaml rename src/{promtail => vector}/oscal-component.yaml (86%) create mode 100644 src/vector/tasks.yaml create mode 100644 src/vector/values/registry1-values.yaml create mode 100644 src/vector/values/unicorn-values.yaml create mode 100644 src/vector/values/upstream-values.yaml create mode 100644 src/vector/values/values.yaml create mode 100644 src/vector/zarf.yaml diff --git a/.github/filters.yaml b/.github/filters.yaml index 29fbf82ca..77ec1bba8 100644 --- a/.github/filters.yaml +++ b/.github/filters.yaml @@ -73,8 +73,8 @@ prometheus-stack: - "!**/*.gif" - "!**/*.svg" -promtail: - - "src/promtail/**" +vector: + - "src/vector/**" - "!**/*.md" - "!**/*.jpg" - "!**/*.png" diff --git a/.vscode/settings.json b/.vscode/settings.json index 815f4d300..2d0eead78 100644 --- a/.vscode/settings.json +++ b/.vscode/settings.json @@ -12,7 +12,6 @@ "https://raw.githubusercontent.com/defenseunicorns/uds-cli/v0.16.0/uds.schema.json": [ "uds-bundle.yaml" ], - // renovate: datasource=github-tags depName=defenseunicorns/uds-cli versioning=semver "https://raw.githubusercontent.com/defenseunicorns/uds-cli/v0.16.0/tasks.schema.json": [ "tasks.yaml", @@ -37,7 +36,6 @@ "MITM", "neuvector", "opensource", - "promtail", "Quarkus", "Quickstart", "seccomp", @@ -47,7 +45,7 @@ "cSpell.enabled": true, "[typescript]": { "editor.codeActionsOnSave": { - "source.organizeImports": "always" + "source.organizeImports": "always" } }, "sarif-viewer.connectToGithubCodeScanning": "off", diff --git a/CHANGELOG.md b/CHANGELOG.md index 28e7d1a25..88a817fd9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -972,5 +972,5 @@ PRE RELEASE - CONTRIBUTING.md - DEVELOPMENT_MAINTENANCE.md - LICENSE -- READEME.md +- README.md - zarf.yaml diff --git a/README.md b/README.md index e28a0c371..9d1fc389d 100644 --- a/README.md +++ b/README.md @@ -17,7 +17,7 @@ UDS Core establishes a secure baseline for cloud-native systems and ships with c - [Neuvector](https://open-docs.neuvector.com/) - Container Security - [Pepr](https://pepr.dev) - UDS policy engine & operator - [Prometheus Stack](https://github.com/prometheus-operator/kube-prometheus) - Monitoring -- [Promtail](https://grafana.com/docs/loki/latest/send-data/promtail/) - Log Aggregation +- [Vector](https://vector.dev/) - Log Aggregation - [Velero](https://velero.io/) - Backup & Restore - [UDS Runtime](https://github.com/defenseunicorns/uds-runtime) - Frontend Views & Insights diff --git a/compliance/oscal-component.yaml b/compliance/oscal-component.yaml index ecb88933e..4be69f019 100644 --- a/compliance/oscal-component.yaml +++ b/compliance/oscal-component.yaml @@ -19,7 +19,7 @@ component-definition: - href: 'file://./../src/loki/oscal-component.yaml' - href: 'file://./../src/neuvector/oscal-component.yaml' - href: 'file://./../src/prometheus-stack/oscal-component.yaml' - - href: 'file://./../src/promtail/oscal-component.yaml' + - href: 'file://./../src/vector/oscal-component.yaml' - href: 'file://./../src/velero/oscal-component.yaml' capabilities: diff --git a/docs/application-baseline.md b/docs/application-baseline.md index 5ebabf889..7eec1c580 100644 --- a/docs/application-baseline.md +++ b/docs/application-baseline.md @@ -18,7 +18,7 @@ For optimal deployment and operational efficiency, it is important to deliver a | ---------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | **Service Mesh** | **[Istio](https://istio.io/):** A powerful service mesh that provides traffic management, load balancing, security, and observability features. | | **Monitoring** | **[Metrics Server](https://kubernetes-sigs.github.io/metrics-server/):** Provides container resource utilization metrics API for Kubernetes clusters. Metrics server is an optional (non-default) component since most Kubernetes distros provide it by default.

**[Prometheus](https://prometheus.io/):** Scrapes Metrics Server API and application metrics and stores the data in a time-series database for insights into application health and performance.

**[Grafana](https://grafana.com/grafana/):** Provides visualization and alerting capabilities based on Prometheus's time-series database of metrics. | -| **Logging** | **[Promtail](https://grafana.com/docs/loki/latest/send-data/promtail/):** A companion agent that efficiently gathers and sends container logs to Loki, simplifying log monitoring, troubleshooting, and compliance auditing, enhancing the overall observability of the mission environment.

**[Loki](https://grafana.com/docs/loki/latest/):** A log aggregation system that allows users to store, search, and analyze logs across their applications. | +| **Logging** | **[Vector](https://vector.dev/):** A companion agent that efficiently gathers and sends container logs to Loki and other storage locations (S3, SIEM tools, etc), simplifying log monitoring, troubleshooting, and compliance auditing, enhancing the overall observability of the mission environment.

**[Loki](https://grafana.com/docs/loki/latest/):** A log aggregation system that allows users to store, search, and analyze logs across their applications. | | **Security and Compliance** | **[NeuVector](https://open-docs.neuvector.com/):** Offers container-native security, protecting applications against threats and vulnerabilities.

**[Pepr](https://pepr.dev/):** UDS policy engine and operator for enhanced security and compliance.| | **Identity and Access Management** | **[Keycloak](https://www.keycloak.org/):** A robust open-source Identity and Access Management solution, providing centralized authentication, authorization, and user management for enhanced security and control over access to mission-critical resources.| | **Backup and Restore** | **[Velero](https://velero.io/):** Provides backup and restore capabilities for Kubernetes clusters, ensuring data protection and disaster recovery.| diff --git a/docs/configuration/resource-configuration-and-ha.md b/docs/configuration/resource-configuration-and-ha.md index 0f8f30213..df0daa9fe 100644 --- a/docs/configuration/resource-configuration-and-ha.md +++ b/docs/configuration/resource-configuration-and-ha.md @@ -40,9 +40,19 @@ To scale Grafana for high availability, its database must be externalized (see [ ## Logging -### Promtail +### Vector -By default Promtail runs as a daemonset, automatically scaling across all nodes to ensure logs are captured from each host. Typically Promtail does not need any other modifications, but you can customize its resource configuration by overriding the `resources` helm value (using the component and chart name of `promtail`). +By default Vector runs as a daemonset, automatically scaling across all nodes to ensure logs are captured from each host. Typically Vector does not need any other modifications, but you can customize its resource configuration by overriding the `resources` helm value (using the component and chart name of `vector`). Vector recommends the below resourcing when running in production: + +```yaml +resources: + requests: + memory: "64Mi" + cpu: "500m" + limits: + memory: "1024Mi" + cpu: "6000m" +``` ### Loki diff --git a/packages/standard/zarf.yaml b/packages/standard/zarf.yaml index 10d402458..2071cb2ba 100644 --- a/packages/standard/zarf.yaml +++ b/packages/standard/zarf.yaml @@ -76,11 +76,11 @@ components: import: path: ../../src/prometheus-stack - # Promtail - - name: promtail + # Vector + - name: vector required: true import: - path: ../../src/promtail + path: ../../src/vector # Grafana - name: grafana diff --git a/renovate.json b/renovate.json index a306486a3..f4428a606 100644 --- a/renovate.json +++ b/renovate.json @@ -23,9 +23,9 @@ "commitMessageTopic": "istio" }, { - "matchFileNames": ["src/promtail/**"], - "groupName": "promtail", - "commitMessageTopic": "promtail" + "matchFileNames": ["src/vector/**"], + "groupName": "vector", + "commitMessageTopic": "vector" }, { "matchFileNames": ["src/velero/**"], diff --git a/src/grafana/values/values.yaml b/src/grafana/values/values.yaml index 6ae3c9a8b..07c038ede 100644 --- a/src/grafana/values/values.yaml +++ b/src/grafana/values/values.yaml @@ -22,6 +22,9 @@ grafana.ini: reporting_enabled: false check_for_updates: false check_for_plugin_updates: false + feedback_links_enabled: false + plugins: + public_key_retrieval_disabled: true auth: # Disable the login form to force users to use SSO disable_login_form: true diff --git a/src/istio/oscal-component.yaml b/src/istio/oscal-component.yaml index 5ceae0134..9a9a97f74 100644 --- a/src/istio/oscal-component.yaml +++ b/src/istio/oscal-component.yaml @@ -539,7 +539,7 @@ component-definition: # Expected values expected_istiod_port := 15012 expected_istiod_protocol := "TCP" - required_namespaces := {"authservice", "grafana", "keycloak", "loki", "metrics-server", "monitoring", "neuvector", "promtail", "velero"} + required_namespaces := {"authservice", "grafana", "keycloak", "loki", "metrics-server", "monitoring", "neuvector", "vector", "velero"} # Validate NetworkPolicy for Istiod in required namespaces validate { diff --git a/src/loki/chart/templates/uds-package.yaml b/src/loki/chart/templates/uds-package.yaml index a04557a51..b7a39eb5d 100644 --- a/src/loki/chart/templates/uds-package.yaml +++ b/src/loki/chart/templates/uds-package.yaml @@ -36,12 +36,12 @@ spec: - direction: Ingress selector: app.kubernetes.io/name: loki - remoteNamespace: promtail + remoteNamespace: vector remoteSelector: - app.kubernetes.io/name: promtail + app.kubernetes.io/name: vector ports: - 8080 - description: "Promtail Log Storage" + description: "Vector Log Storage" # Egress for S3 connections - direction: Egress diff --git a/src/pepr/operator/controllers/exemptions/exemptions.spec.ts b/src/pepr/operator/controllers/exemptions/exemptions.spec.ts index 270ae3002..b1bab8da1 100644 --- a/src/pepr/operator/controllers/exemptions/exemptions.spec.ts +++ b/src/pepr/operator/controllers/exemptions/exemptions.spec.ts @@ -20,13 +20,13 @@ const prometheusMatcher = { name: "^neuvector-prometheus-exporter-pod.*", kind: MatcherKind.Pod, }; -const promtailMatcher = { namespace: "promtail", name: "^promtail-.*", kind: MatcherKind.Pod }; +const vectorMatcher = { namespace: "vector", name: "^vector-.*", kind: MatcherKind.Pod }; const exemption1UID = "exemption-1-uid"; const exemption2UID = "exemption-2-uid"; const storedEnforcerMatcher = { ...enforcerMatcher, owner: exemption1UID }; const storedControllerMatcher = { ...controllerMatcher, owner: exemption1UID }; const storedPrometheusMatcher = { ...prometheusMatcher, owner: exemption1UID }; -const storedPromtailMatcher = { ...promtailMatcher, owner: exemption2UID }; +const storedVectorMatcher = { ...vectorMatcher, owner: exemption2UID }; const neuvectorMockExemption = { metadata: { uid: exemption1UID, @@ -90,7 +90,7 @@ describe("Test processExemptions() no duplicate matchers in same CR", () => { // remove RequireNonRootUser from enforcerMatcher // remove prometheusMatcher // add DisallowHostNamespaces to controllerMatcher - // add promtailMatcher with RequireNonRootUser + // add vectorMatcher with RequireNonRootUser const updatedNeuvectorExemption = { metadata: { uid: exemption1UID, @@ -110,7 +110,7 @@ describe("Test processExemptions() no duplicate matchers in same CR", () => { ], }, { - matcher: promtailMatcher, + matcher: vectorMatcher, policies: [Policy.RequireNonRootUser], }, ], @@ -120,7 +120,7 @@ describe("Test processExemptions() no duplicate matchers in same CR", () => { processExemptions(neuvectorMockExemption, WatchPhase.Added); processExemptions(updatedNeuvectorExemption, WatchPhase.Modified); expect(ExemptionStore.getByPolicy(Policy.RequireNonRootUser)).toEqual([ - { ...storedPromtailMatcher, owner: exemption1UID }, + { ...storedVectorMatcher, owner: exemption1UID }, ]); expect(ExemptionStore.getByPolicy(Policy.DisallowPrivileged)).toEqual([ storedEnforcerMatcher, @@ -360,14 +360,14 @@ describe("Test processExemptions(); phase DELETED", () => { }); it("Does not remove exemptions set by separate CR from the one being deleted", async () => { - const promtailMockExemption = { + const vectorMockExemption = { metadata: { uid: exemption2UID, }, spec: { exemptions: [ { - matcher: promtailMatcher, + matcher: vectorMatcher, policies: [ Policy.DisallowPrivileged, Policy.DropAllCapabilities, @@ -379,12 +379,12 @@ describe("Test processExemptions(); phase DELETED", () => { } as Exemption; processExemptions(neuvectorMockExemption, WatchPhase.Added); - processExemptions(promtailMockExemption, WatchPhase.Added); + processExemptions(vectorMockExemption, WatchPhase.Added); processExemptions(neuvectorMockExemption, WatchPhase.Deleted); - expect(ExemptionStore.getByPolicy(Policy.DisallowPrivileged)).toEqual([storedPromtailMatcher]); - expect(ExemptionStore.getByPolicy(Policy.DropAllCapabilities)).toEqual([storedPromtailMatcher]); - expect(ExemptionStore.getByPolicy(Policy.RequireNonRootUser)).toEqual([storedPromtailMatcher]); + expect(ExemptionStore.getByPolicy(Policy.DisallowPrivileged)).toEqual([storedVectorMatcher]); + expect(ExemptionStore.getByPolicy(Policy.DropAllCapabilities)).toEqual([storedVectorMatcher]); + expect(ExemptionStore.getByPolicy(Policy.RequireNonRootUser)).toEqual([storedVectorMatcher]); }); it("Does not delete duplicate exemptions if set by separate CRs", async () => { @@ -448,28 +448,28 @@ describe("Test processExemptions(); phase DELETED", () => { }, } as Exemption; - const promtailMockExemption = { + const vectorMockExemption = { metadata: { uid: exemption2UID, }, spec: { exemptions: [ { - matcher: promtailMatcher, + matcher: vectorMatcher, policies: [Policy.DisallowPrivileged], }, ], }, } as Exemption; - const promtailUpdatedMockExemption = { + const vectorUpdatedMockExemption = { metadata: { uid: exemption2UID, }, spec: { exemptions: [ { - matcher: promtailMatcher, + matcher: vectorMatcher, policies: [Policy.DisallowPrivileged, Policy.RequireNonRootUser], }, ], @@ -477,14 +477,14 @@ describe("Test processExemptions(); phase DELETED", () => { } as Exemption; processExemptions(neuvectorMockExemption, WatchPhase.Added); - processExemptions(promtailMockExemption, WatchPhase.Added); - processExemptions(promtailUpdatedMockExemption, WatchPhase.Modified); + processExemptions(vectorMockExemption, WatchPhase.Added); + processExemptions(vectorUpdatedMockExemption, WatchPhase.Modified); expect(ExemptionStore.getByPolicy(Policy.RequireNonRootUser)).toEqual([ storedEnforcerMatcher, - storedPromtailMatcher, + storedVectorMatcher, ]); expect(ExemptionStore.getByPolicy(Policy.DropAllCapabilities)).toEqual([storedEnforcerMatcher]); - expect(ExemptionStore.getByPolicy(Policy.DisallowPrivileged)).toEqual([storedPromtailMatcher]); + expect(ExemptionStore.getByPolicy(Policy.DisallowPrivileged)).toEqual([storedVectorMatcher]); }); }); diff --git a/src/pepr/policies/exemptions/index.spec.ts b/src/pepr/policies/exemptions/index.spec.ts index 2ab36dd25..3f8faa429 100644 --- a/src/pepr/policies/exemptions/index.spec.ts +++ b/src/pepr/policies/exemptions/index.spec.ts @@ -34,7 +34,7 @@ describe("test registering exemptions", () => { const req = { Raw: { metadata: { - name: "promtail", + name: "vector", namespace: "monitoring", }, }, diff --git a/src/pepr/zarf.yaml b/src/pepr/zarf.yaml index 5dafad221..904045a19 100644 --- a/src/pepr/zarf.yaml +++ b/src/pepr/zarf.yaml @@ -52,31 +52,20 @@ components: actions: onDeploy: before: - - cmd: ./zarf tools kubectl annotate secret -n pepr-system pepr-uds-core-api-token meta.helm.sh/release-name=module --overwrite || true - mute: true - - cmd: ./zarf tools kubectl annotate secret -n pepr-system pepr-uds-core-module meta.helm.sh/release-name=module --overwrite || true - mute: true - - cmd: ./zarf tools kubectl annotate secret -n pepr-system pepr-uds-core-tls meta.helm.sh/release-name=module --overwrite || true - mute: true - - cmd: ./zarf tools kubectl annotate serviceaccount -n pepr-system pepr-uds-core meta.helm.sh/release-name=module --overwrite || true - mute: true - - cmd: ./zarf tools kubectl annotate clusterrolebinding pepr-uds-core meta.helm.sh/release-name=module --overwrite || true - mute: true - - cmd: ./zarf tools kubectl annotate clusterrole pepr-uds-core meta.helm.sh/release-name=module --overwrite || true - mute: true - - cmd: ./zarf tools kubectl annotate role -n pepr-system pepr-uds-core-store meta.helm.sh/release-name=module --overwrite || true - mute: true - - cmd: ./zarf tools kubectl annotate rolebinding -n pepr-system pepr-uds-core-store meta.helm.sh/release-name=module --overwrite || true - mute: true - - cmd: ./zarf tools kubectl annotate service -n pepr-system pepr-uds-core meta.helm.sh/release-name=module --overwrite || true - mute: true - - cmd: ./zarf tools kubectl annotate service -n pepr-system pepr-uds-core-watcher meta.helm.sh/release-name=module --overwrite || true - mute: true - - cmd: ./zarf tools kubectl annotate deployment -n pepr-system pepr-uds-core meta.helm.sh/release-name=module --overwrite || true - mute: true - - cmd: ./zarf tools kubectl annotate deployment -n pepr-system pepr-uds-core-watcher meta.helm.sh/release-name=module --overwrite || true - mute: true - - cmd: ./zarf tools kubectl annotate mutatingwebhookconfiguration -n pepr-system pepr-uds-core meta.helm.sh/release-name=module --overwrite || true - mute: true - - cmd: ./zarf tools kubectl annotate validatingwebhookconfiguration -n pepr-system pepr-uds-core meta.helm.sh/release-name=module --overwrite || true - mute: true + - mute: true + description: "Update helm ownership for Pepr resources if necessary during the upgrade" + cmd: | + ./zarf tools kubectl annotate secret -n pepr-system pepr-uds-core-api-token meta.helm.sh/release-name=module --overwrite || true + ./zarf tools kubectl annotate secret -n pepr-system pepr-uds-core-module meta.helm.sh/release-name=module --overwrite || true + ./zarf tools kubectl annotate secret -n pepr-system pepr-uds-core-tls meta.helm.sh/release-name=module --overwrite || true + ./zarf tools kubectl annotate serviceaccount -n pepr-system pepr-uds-core meta.helm.sh/release-name=module --overwrite || true + ./zarf tools kubectl annotate clusterrolebinding pepr-uds-core meta.helm.sh/release-name=module --overwrite || true + ./zarf tools kubectl annotate clusterrole pepr-uds-core meta.helm.sh/release-name=module --overwrite || true + ./zarf tools kubectl annotate role -n pepr-system pepr-uds-core-store meta.helm.sh/release-name=module --overwrite || true + ./zarf tools kubectl annotate rolebinding -n pepr-system pepr-uds-core-store meta.helm.sh/release-name=module --overwrite || true + ./zarf tools kubectl annotate service -n pepr-system pepr-uds-core meta.helm.sh/release-name=module --overwrite || true + ./zarf tools kubectl annotate service -n pepr-system pepr-uds-core-watcher meta.helm.sh/release-name=module --overwrite || true + ./zarf tools kubectl annotate deployment -n pepr-system pepr-uds-core meta.helm.sh/release-name=module --overwrite || true + ./zarf tools kubectl annotate deployment -n pepr-system pepr-uds-core-watcher meta.helm.sh/release-name=module --overwrite || true + ./zarf tools kubectl annotate mutatingwebhookconfiguration -n pepr-system pepr-uds-core meta.helm.sh/release-name=module --overwrite || true + ./zarf tools kubectl annotate validatingwebhookconfiguration -n pepr-system pepr-uds-core meta.helm.sh/release-name=module --overwrite || true diff --git a/src/promtail/README.md b/src/promtail/README.md deleted file mode 100644 index 447959057..000000000 --- a/src/promtail/README.md +++ /dev/null @@ -1 +0,0 @@ -## Promtail diff --git a/src/promtail/chart/templates/service.yaml b/src/promtail/chart/templates/service.yaml deleted file mode 100644 index 23c6a4429..000000000 --- a/src/promtail/chart/templates/service.yaml +++ /dev/null @@ -1,18 +0,0 @@ -# Upstream chart can create this service but it is conditionally tied to the serviceMonitor which would cause errors in single package testing -# This would be resolved by https://github.com/grafana/helm-charts/pull/3083 when merged and released -apiVersion: v1 -kind: Service -metadata: - name: promtail-metrics - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: promtail -spec: - clusterIP: None - ports: - - name: http-metrics - port: 3101 - targetPort: http-metrics - protocol: TCP - selector: - app.kubernetes.io/name: promtail diff --git a/src/promtail/chart/templates/uds-exemption.yaml b/src/promtail/chart/templates/uds-exemption.yaml deleted file mode 100644 index 9b8bca9cf..000000000 --- a/src/promtail/chart/templates/uds-exemption.yaml +++ /dev/null @@ -1,24 +0,0 @@ -apiVersion: uds.dev/v1alpha1 -kind: Exemption -metadata: - name: promtail - namespace: uds-policy-exemptions -spec: - exemptions: - - policies: - - DisallowPrivileged - - RequireNonRootUser - - RestrictSELinuxType - - RestrictHostPathWrite - - RestrictVolumeTypes - matcher: - namespace: promtail - name: "^promtail-.*" - title: "promtail exemptions" - description: "Promtail mounts the following hostPaths: - - `/var/log/pods`: to tail pod logs - - `/var/lib/docker/containers`: to tail container logs - - `/run/promtail`: for Promtail's buffering and persistent state - Since logs can have sensitive information, it is better to exclude - Promtail from the policy than add the paths as allowable mounts - https://github.com/grafana/helm-charts/blob/main/charts/promtail/templates/daemonset.yaml#L120" diff --git a/src/promtail/chart/templates/uds-package.yaml b/src/promtail/chart/templates/uds-package.yaml deleted file mode 100644 index 98a46eca7..000000000 --- a/src/promtail/chart/templates/uds-package.yaml +++ /dev/null @@ -1,37 +0,0 @@ -apiVersion: uds.dev/v1alpha1 -kind: Package -metadata: - name: promtail - namespace: {{ .Release.Namespace }} -spec: - monitor: - - selector: - app.kubernetes.io/name: promtail - targetPort: 3101 - portName: http-metrics - description: Metrics - - network: - allow: - - direction: Ingress - selector: - app.kubernetes.io/name: promtail - remoteNamespace: monitoring - remoteSelector: - app.kubernetes.io/name: prometheus - port: 3101 - description: "Prometheus Metrics" - - - direction: Egress - selector: - app.kubernetes.io/name: promtail - remoteGenerated: KubeAPI - - - direction: Egress - selector: - app.kubernetes.io/name: promtail - remoteNamespace: loki - remoteSelector: - app.kubernetes.io/name: loki - port: 8080 - description: "Write Logs to Loki" diff --git a/src/promtail/chart/values.yaml b/src/promtail/chart/values.yaml deleted file mode 100644 index e69de29bb..000000000 diff --git a/src/promtail/common/zarf.yaml b/src/promtail/common/zarf.yaml deleted file mode 100644 index be2384ee2..000000000 --- a/src/promtail/common/zarf.yaml +++ /dev/null @@ -1,32 +0,0 @@ -kind: ZarfPackageConfig -metadata: - name: uds-core-promtail-common - description: "UDS Core Promtail Common" - url: "https://grafana.com/docs/loki/latest/" - -components: - - name: promtail - required: true - charts: - - name: uds-promtail-config - namespace: promtail - version: 0.1.0 - localPath: ../chart - - name: promtail - url: https://grafana.github.io/helm-charts/ - version: 6.16.5 - namespace: promtail - gitPath: charts/promtail - valuesFiles: - - ../values/values.yaml - actions: - onDeploy: - after: - - description: Validate Promtail Package - maxTotalSeconds: 300 - wait: - cluster: - kind: packages.uds.dev - name: promtail - namespace: promtail - condition: "'{.status.phase}'=Ready" diff --git a/src/promtail/tasks.yaml b/src/promtail/tasks.yaml deleted file mode 100644 index 8117f590a..000000000 --- a/src/promtail/tasks.yaml +++ /dev/null @@ -1,10 +0,0 @@ -tasks: - - name: validate - actions: - - description: Validate promtail - wait: - cluster: - kind: Pod - name: app.kubernetes.io/instance=promtail - namespace: promtail - condition: Ready diff --git a/src/promtail/values/registry1-values.yaml b/src/promtail/values/registry1-values.yaml deleted file mode 100644 index 6dec37593..000000000 --- a/src/promtail/values/registry1-values.yaml +++ /dev/null @@ -1,10 +0,0 @@ -image: - registry: registry1.dso.mil - repository: ironbank/opensource/grafana/promtail - tag: v3.1.1 -sidecar: - configReloader: - image: - registry: registry1.dso.mil - repository: ironbank/opensource/jimmidyson/configmap-reload - tag: v0.13.1 diff --git a/src/promtail/values/unicorn-values.yaml b/src/promtail/values/unicorn-values.yaml deleted file mode 100644 index c2248c2a6..000000000 --- a/src/promtail/values/unicorn-values.yaml +++ /dev/null @@ -1,10 +0,0 @@ -image: - registry: cgr.dev - repository: du-uds-defenseunicorns/promtail - tag: 3.1.1 -sidecar: - configReloader: - image: - registry: cgr.dev - repository: du-uds-defenseunicorns/configmap-reload-fips - tag: 0.13.1 diff --git a/src/promtail/values/upstream-values.yaml b/src/promtail/values/upstream-values.yaml deleted file mode 100644 index 9c9dc6f40..000000000 --- a/src/promtail/values/upstream-values.yaml +++ /dev/null @@ -1,10 +0,0 @@ -image: - registry: docker.io - repository: grafana/promtail - tag: 3.1.1 -sidecar: - configReloader: - image: - registry: ghcr.io - repository: jimmidyson/configmap-reload - tag: v0.13.1 diff --git a/src/promtail/values/values.yaml b/src/promtail/values/values.yaml deleted file mode 100644 index d7bb9af71..000000000 --- a/src/promtail/values/values.yaml +++ /dev/null @@ -1,116 +0,0 @@ -config: - clients: - - url: 'http://loki-gateway.loki.svc.cluster.local:80/loki/api/v1/push' - - snippets: - scrapeConfigs: | - # Upstream Defaults https://github.com/grafana/helm-charts/blob/main/charts/promtail/values.yaml - # See also https://github.com/grafana/loki/blob/master/production/ksonnet/promtail/scrape_config.libsonnet for reference - - job_name: kubernetes-pods - pipeline_stages: - {{- toYaml .Values.config.snippets.pipelineStages | nindent 4 }} - kubernetes_sd_configs: - - role: pod - relabel_configs: - - source_labels: - - __meta_kubernetes_pod_controller_name - regex: ([0-9a-z-.]+?)(-[0-9a-f]{8,10})? - action: replace - target_label: __tmp_controller_name - - source_labels: - - __meta_kubernetes_pod_label_app_kubernetes_io_name - - __meta_kubernetes_pod_label_app - - __tmp_controller_name - - __meta_kubernetes_pod_name - regex: ^;*([^;]+)(;.*)?$ - action: replace - target_label: app - - source_labels: - - __meta_kubernetes_pod_label_app_kubernetes_io_instance - - __meta_kubernetes_pod_label_instance - regex: ^;*([^;]+)(;.*)?$ - action: replace - target_label: instance - - source_labels: - - __meta_kubernetes_pod_label_app_kubernetes_io_component - - __meta_kubernetes_pod_label_component - regex: ^;*([^;]+)(;.*)?$ - action: replace - target_label: component - {{- if .Values.config.snippets.addScrapeJobLabel }} - - replacement: kubernetes-pods - target_label: scrape_job - {{- end }} - {{- toYaml .Values.config.snippets.common | nindent 4 }} - {{- with .Values.config.snippets.extraRelabelConfigs }} - {{- toYaml . | nindent 4 }} - {{- end }} - # UDS CORE Defaults - - job_name: systemd-messages - static_configs: - - targets: [localhost] - labels: - job: varlogs - host: "${NODE_HOSTNAME}" - __path__: /var/log/* - relabel_configs: - - source_labels: - - __journal_systemd_unit - target_label: systemd_unit - - source_labels: - - __journal_hostname - target_label: nodename - - source_labels: - - __journal_syslog_identifier - target_label: syslog_identifier - - job_name: kubernetes-logs - static_configs: - - targets: [localhost] - labels: - job: kubernetes-logs - host: "${NODE_HOSTNAME}" - __path__: /var/log/kubernetes/**/*.log - -containerSecurityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - runAsUser: 0 - seLinuxOptions: - type: spc_t -extraArgs: - - '-config.expand-env=true' - -extraEnv: - - name: NODE_HOSTNAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - -extraVolumes: - - hostPath: - path: /var/log - name: varlog - - hostPath: - path: /etc - name: machine-id - -extraVolumeMounts: - - mountPath: /var/log - name: varlog - readOnly: true - - mountPath: /etc/machine-id - name: machine-id - readOnly: true - subPath: machine-id - -resources: - limits: - cpu: 500m - memory: 750Mi - requests: - cpu: 100m - memory: 256Mi diff --git a/src/promtail/zarf.yaml b/src/promtail/zarf.yaml deleted file mode 100644 index 69354c754..000000000 --- a/src/promtail/zarf.yaml +++ /dev/null @@ -1,51 +0,0 @@ -kind: ZarfPackageConfig -metadata: - name: uds-core-promtail - description: "UDS Core Promtail" - url: "https://grafana.com/docs/loki/latest/" - -components: - - name: promtail - required: true - description: "Deploy Promtail" - only: - flavor: upstream - import: - path: common - charts: - - name: promtail - valuesFiles: - - values/upstream-values.yaml - images: - - ghcr.io/jimmidyson/configmap-reload:v0.13.1 - - docker.io/grafana/promtail:3.1.1 - - - name: promtail - required: true - description: "Deploy Promtail" - only: - flavor: registry1 - import: - path: common - charts: - - name: promtail - valuesFiles: - - values/registry1-values.yaml - images: - - registry1.dso.mil/ironbank/opensource/jimmidyson/configmap-reload:v0.13.1 - - registry1.dso.mil/ironbank/opensource/grafana/promtail:v3.1.1 - - - name: promtail - required: true - description: "Deploy Promtail" - only: - flavor: unicorn - import: - path: common - charts: - - name: promtail - valuesFiles: - - values/unicorn-values.yaml - images: - - cgr.dev/du-uds-defenseunicorns/configmap-reload-fips:0.13.1 - - cgr.dev/du-uds-defenseunicorns/promtail:3.1.1 diff --git a/src/vector/README.md b/src/vector/README.md new file mode 100644 index 000000000..d09241ca4 --- /dev/null +++ b/src/vector/README.md @@ -0,0 +1,42 @@ +# Vector + +Vector is a lightweight tool for building observability pipelines, built and maintained primarily by Datadog. Within UDS Core it is primarily used for log collection and shipping to destinations (like Loki and S3). + +## Switching from Promtail to Vector + +Within UDS Core we have made the decision to switch from Promtail (historically the log collector/shipper of choice) to Vector. The below contains primary motivating factors and impacts of this choice. + +### Motivations + +Promtail has historically been the tool of choice for log collection/shipping when using Loki. It provides a very lightweight layer to scrape logs from pods and hosts, label them with additional metadata, and ship them to Loki. + +One of the main issues that has arisen with Promtail is its limited output/export options. Promtail only supports sending logs to one or more Loki instances. A common requirement in production environments is to ship logs to a secondary destination for collection/analysis by security teams and SIEM tools. Promtail is currently listed as [feature complete](https://grafana.com/docs/loki/latest/send-data/promtail/) so there is no expectation that additional export functionality would be added. + +### Goals and Options + +In choosing an alternative to Promtail we have a few primary objectives: +- Chosen tool must be capable of gathering host and pod logs: This has been our primary usage of Promtail in the past - gathering pods logs and host logs (to include k8s audit logs, controlplane logs, etc). +- Provide a tool that has numerous export options to cover specific needs for environments: Current known requirements include Loki, S3, and SIEM tools like Elastic and Splunk. Ideally the tool of choice supports all of these and more, allowing for expansion as new environments require it. +- Choose a tool that does not require major changes in our logging stack, but is flexible for future adjustments to the stack: As we do have active users of our product we want to be careful in switching tools, so ideally we would like a tool that is a "drop-in" replacement. However, we don't want to rule out future changes to other pieces of the stack (i.e. Loki) so choosing a tool that doesn't lock us into Loki is important. +- Focus on the log collection/shipping problem: While there are a number of tools that offer far more than just logging pipelines (metrics, traces, etc), we don't currently see a need to focus on these tools. These features are seen as a nice to have, but not being evaluated as the focus here. + +Three tools in the space of log collection were considered: +- [Vector](https://vector.dev/): Opensource and maintained by Datadog, Vector provides input integrations with Kubernetes logs, arbitrary files, and [other sources](https://vector.dev/docs/reference/configuration/sources/). It has the necessary export integrations with Loki, S3, Elastic, Splunk and a [number of other sinks](https://vector.dev/docs/reference/configuration/sinks/). Vector is a newer tool that has not yet reached a 1.0 release, but has risen in popularity due to its performance improvements over other tools. +- [FluentBit](https://fluentbit.io/): Fluentbit was historically used in Big Bang and supports file based inputs as well as [other inputs](https://docs.fluentbit.io/manual/pipeline/inputs). It also supports the necessary output integrations (Loki, S3, Elastic, Splunk and [others](https://docs.fluentbit.io/manual/pipeline/outputs)). FluentBit is a CNCF graduated project and is relatively mature. Fluentbit fell out of favor with Big Bang due to some of the complexities around managing it at scale, specifically with its buffering. +- [Grafana Alloy](https://grafana.com/docs/alloy/latest/): Alloy is a distribution of the OpenTelemetry Collector, opensource and maintained by Grafana Labs. It supports the necessary [inputs and outputs](https://grafana.com/docs/alloy/latest/reference/components/) (local file/k8s logs, Loki and S3). As a distribution of OTel it supports vendor-agnostic output formats and can be integrated with numerous other tools through the OTel ecosystem. While Alloy itself is relatively new, it is built on the previous codebase of Grafana Agent and the existing OTel framework. Notably it does not have any direct integrations with Splunk or Elastic, and its S3 integration is noted as experimental. + +### Decision and Impact + +Vector has been chosen as our replacement for Promtail. Primary motivations include: +- Vector has an extensive "component" catalog for inputs and outputs, with complete coverage of all currently desired export locations (and all are noted as "stable" integrations). +- Vector's configuration is simple and works well in helm/with UDS helm overrides (easy to add additional export locations via bundle overrides for example). +- Despite being a newer project, Vector's community is very active - with the most active contributors and GitHub stars compared to the other two tools. +- Vector is [significantly more performant](https://github.com/vectordotdev/vector?tab=readme-ov-file#performance) than other tooling in the space on most categories of metrics. + +As with any decisions of tooling in core this can always be reevaluated in the future as different tools or factors affect how we look at our logging stack. + +### Upgrade Considerations + +During the upgrade there may be some duplication/overlap of log lines shipped to Loki due to the transition from Promtail's "position" file to Vector's "checkpoint" file (both used for tracking the last log line scraped/shipped). Grafana provides a built in feature to de-duplicate log entries when querying Loki, but this does not consistently work with all log lines due to the approach used by Grafana for de-duplication. + +To ensure easy querying of logs across the upgrade, all logs shipped by Vector also have a `collector` label (with the value of `vector`). This can be used to filter down any logs to those collected by either Vector or Promtail (using the `=` and `!=` operators). In general you can use these filters along with tracking your upgrade timing to properly ignore duplicate logs for the short upgrade period. diff --git a/src/promtail/chart/.helmignore b/src/vector/chart/.helmignore similarity index 100% rename from src/promtail/chart/.helmignore rename to src/vector/chart/.helmignore diff --git a/src/promtail/chart/Chart.yaml b/src/vector/chart/Chart.yaml similarity index 91% rename from src/promtail/chart/Chart.yaml rename to src/vector/chart/Chart.yaml index 84403fdd5..6b5ca4898 100644 --- a/src/promtail/chart/Chart.yaml +++ b/src/vector/chart/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 -name: uds-promtail-config -description: Promtail configuration for UDS +name: uds-vector-config +description: Vector configuration for UDS # A chart can be either an 'application' or a 'library' chart. # diff --git a/src/promtail/chart/templates/_helpers.tpl b/src/vector/chart/templates/_helpers.tpl similarity index 71% rename from src/promtail/chart/templates/_helpers.tpl rename to src/vector/chart/templates/_helpers.tpl index e2736937a..7290ba589 100644 --- a/src/promtail/chart/templates/_helpers.tpl +++ b/src/vector/chart/templates/_helpers.tpl @@ -1,7 +1,7 @@ {{/* Expand the name of the chart. */}} -{{- define "uds-promtail-config.name" -}} +{{- define "uds-vector-config.name" -}} {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} {{- end }} @@ -10,7 +10,7 @@ Create a default fully qualified app name. We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). If release name contains chart name it will be used as a full name. */}} -{{- define "uds-promtail-config.fullname" -}} +{{- define "uds-vector-config.fullname" -}} {{- if .Values.fullnameOverride }} {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} {{- else }} @@ -26,16 +26,16 @@ If release name contains chart name it will be used as a full name. {{/* Create chart name and version as used by the chart label. */}} -{{- define "uds-promtail-config.chart" -}} +{{- define "uds-vector-config.chart" -}} {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} {{- end }} {{/* Common labels */}} -{{- define "uds-promtail-config.labels" -}} -helm.sh/chart: {{ include "uds-promtail-config.chart" . }} -{{ include "uds-promtail-config.selectorLabels" . }} +{{- define "uds-vector-config.labels" -}} +helm.sh/chart: {{ include "uds-vector-config.chart" . }} +{{ include "uds-vector-config.selectorLabels" . }} {{- if .Chart.AppVersion }} app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} {{- end }} @@ -45,17 +45,17 @@ app.kubernetes.io/managed-by: {{ .Release.Service }} {{/* Selector labels */}} -{{- define "uds-promtail-config.selectorLabels" -}} -app.kubernetes.io/name: {{ include "uds-promtail-config.name" . }} +{{- define "uds-vector-config.selectorLabels" -}} +app.kubernetes.io/name: {{ include "uds-vector-config.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} {{- end }} {{/* Create the name of the service account to use */}} -{{- define "uds-promtail-config.serviceAccountName" -}} +{{- define "uds-vector-config.serviceAccountName" -}} {{- if .Values.serviceAccount.create }} -{{- default (include "uds-promtail-config.fullname" .) .Values.serviceAccount.name }} +{{- default (include "uds-vector-config.fullname" .) .Values.serviceAccount.name }} {{- else }} {{- default "default" .Values.serviceAccount.name }} {{- end }} diff --git a/src/vector/chart/templates/uds-exemption.yaml b/src/vector/chart/templates/uds-exemption.yaml new file mode 100644 index 000000000..0c6032102 --- /dev/null +++ b/src/vector/chart/templates/uds-exemption.yaml @@ -0,0 +1,21 @@ +apiVersion: uds.dev/v1alpha1 +kind: Exemption +metadata: + name: vector + namespace: uds-policy-exemptions +spec: + exemptions: + - policies: + - RequireNonRootUser + - RestrictSELinuxType + - RestrictHostPathWrite + - RestrictVolumeTypes + matcher: + namespace: vector + name: "^vector-.*" + title: "vector exemptions" + description: "Vector mounts the following hostPaths: + - `/var/log`: to tail logs + - `/var/lib/vector`: for Vector's buffering and persistent state + Since logs can have sensitive information, it is better to exclude + Vector from the policy than add the paths as allowable mounts" diff --git a/src/vector/chart/templates/uds-package.yaml b/src/vector/chart/templates/uds-package.yaml new file mode 100644 index 000000000..b6bf5bbc1 --- /dev/null +++ b/src/vector/chart/templates/uds-package.yaml @@ -0,0 +1,46 @@ +apiVersion: uds.dev/v1alpha1 +kind: Package +metadata: + name: vector + namespace: {{ .Release.Namespace }} +spec: + network: + allow: + - direction: Ingress + selector: + app.kubernetes.io/name: vector + remoteNamespace: monitoring + remoteSelector: + app.kubernetes.io/name: prometheus + port: 9090 + description: "Prometheus Metrics" + + - direction: Egress + selector: + app.kubernetes.io/name: vector + remoteGenerated: KubeAPI + + - direction: Egress + selector: + app.kubernetes.io/name: vector + remoteNamespace: loki + remoteSelector: + app.kubernetes.io/name: loki + port: 8080 + description: "Write Logs to Loki" + + # Custom rules for additional networking access + {{- range .Values.additionalNetworkAllow }} + - direction: {{ .direction }} + selector: + {{ .selector | toYaml | nindent 10 }} + {{- if not .remoteGenerated }} + remoteNamespace: {{ .remoteNamespace }} + remoteSelector: + {{ .remoteSelector | toYaml | nindent 10 }} + port: {{ .port }} + {{- else }} + remoteGenerated: {{ .remoteGenerated }} + {{- end }} + description: {{ .description }} + {{- end }} diff --git a/src/vector/chart/values.yaml b/src/vector/chart/values.yaml new file mode 100644 index 000000000..f2d4d867f --- /dev/null +++ b/src/vector/chart/values.yaml @@ -0,0 +1,16 @@ +additionalNetworkAllow: [] +# Examples: +# - direction: Egress +# selector: +# app.kubernetes.io/name: vector +# remoteNamespace: elastic +# remoteSelector: +# app.kubernetes.io/name: elastic +# port: 9090 +# description: "Elastic Storage" +# - direction: Egress +# selector: +# app.kubernetes.io/name: vector +# remoteGenerated: Anywhere +# port: 80 +# description: "S3 Storage" diff --git a/src/vector/common/zarf.yaml b/src/vector/common/zarf.yaml new file mode 100644 index 000000000..b020db0e8 --- /dev/null +++ b/src/vector/common/zarf.yaml @@ -0,0 +1,38 @@ +kind: ZarfPackageConfig +metadata: + name: uds-core-vector-common + description: "UDS Core Vector Common" + url: "https://vector.dev/" + +components: + - name: vector + required: true + charts: + - name: uds-vector-config + namespace: vector + version: 0.1.0 + localPath: ../chart + - name: vector + url: https://helm.vector.dev + version: 0.36.1 + namespace: vector + gitPath: charts/vector + valuesFiles: + - ../values/values.yaml + actions: + onDeploy: + before: + - description: Remove Promtail Components if necessary + mute: true + cmd: | + ./zarf package remove core --components promtail --confirm || true # Ensure this doesn't error on installs and upgrades when Promtail no longer exists + ./zarf tools kubectl delete ns promtail || true # Ensure this doesn't error on installs and upgrades when Promtail no longer exists + after: + - description: Validate Vector Package + maxTotalSeconds: 300 + wait: + cluster: + kind: Packages + name: vector + namespace: vector + condition: "'{.status.phase}'=Ready" diff --git a/src/promtail/oscal-component.yaml b/src/vector/oscal-component.yaml similarity index 86% rename from src/promtail/oscal-component.yaml rename to src/vector/oscal-component.yaml index 94635da4e..fef87cc00 100644 --- a/src/promtail/oscal-component.yaml +++ b/src/vector/oscal-component.yaml @@ -1,7 +1,7 @@ component-definition: uuid: ff959bdb-7be9-49b3-9dc2-c41b34e7017d metadata: - title: Promtail + title: Vector last-modified: "2024-01-31T16:44:35Z" version: "20240132" oscal-version: 1.1.2 @@ -15,7 +15,7 @@ component-definition: components: - uuid: 3ca1e9a3-a566-48d1-93af-200abd1245e3 type: software - title: Promtail + title: Vector description: | Log collector purpose: Collects logs from the cluster @@ -26,7 +26,7 @@ component-definition: control-implementations: - uuid: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c source: https://raw.githubusercontent.com/GSA/fedramp-automation/93ca0e20ff5e54fc04140613476fba80f08e3c7d/dist/content/rev5/baselines/json/FedRAMP_rev5_HIGH-baseline-resolved-profile_catalog.json - description: Controls implemented by Promtail for inheritance by applications + description: Controls implemented by Vector for inheritance by applications implemented-requirements: - uuid: 954ba9c8-452c-4503-a43f-c880a01b828d control-id: ac-6.9 @@ -36,7 +36,7 @@ component-definition: Auditing the use of privileged functions is one way to detect such misuse, and in doing so, help mitigate the risk from insider threats and the advanced persistent threat (APT). # Control Implementation - Promtail can be configured to collect all logs from Kubernetes and underlying operating systems, allowing the aggregation of privileged function calls. + Vector can be configured to collect all logs from Kubernetes and underlying operating systems, allowing the aggregation of privileged function calls. remarks: This control is fully implemented by this tool. links: - href: "#98b97ec9-a9ce-4444-83d8-71066270a424" @@ -58,7 +58,7 @@ component-definition: # Control Implementation Logging daemons are present on each node that BigBang is installed on. Out of the box, the following events are captured: - * all containers emitting to STDOUT or STDERR (captured by container runtime translating container logs to /var/log/containers). + * all containers emitting to STDOUT or STDERR (captured by container runtime creating containers logs under /var/log/pods). * all kubernetes api server requests. * all events emitted by the kubelet. remarks: This control is fully implemented by this tool. @@ -78,9 +78,7 @@ component-definition: Event outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the information system after the event occurred). # Control Implementation - Logs are captured by promtail from the node. The node logs will contain the necessary log data from all pods/applications inside the selected nodes. - Validating `logfmt` as the config.logFormat would be the goal. This is currently a secret mounted to /etc/promtail/promtail.yaml in the promtail container. We will ensure the promtail.yaml file is at a minimum the target config. - https://grafana.com/docs/loki/latest/send-data/promtail/stages/logfmt/ + Logs are captured by vector from the node. The node logs will contain the necessary log data from all pods/applications inside the selected nodes as well as Kubernetes audit logs. remarks: This control is fully implemented by this tool. links: - href: "#98b97ec9-a9ce-4444-83d8-71066270a424" @@ -105,8 +103,6 @@ component-definition: * time of the event (UTC). * source of event (pod, namespace, container id). Applications are responsible for providing all other information. - Validating `logfmt` as the config.logFormat would be the goal. This is currently a secret mounted to /etc/promtail/promtail.yaml in the promtail container. We will ensure the promtail.yaml file is at a minimum the target config. - https://grafana.com/docs/loki/latest/send-data/promtail/stages/logfmt/ remarks: This control is fully implemented by this tool. links: - href: "#98b97ec9-a9ce-4444-83d8-71066270a424" @@ -122,13 +118,9 @@ component-definition: back-matter: resources: - uuid: D552C935-E40C-4A03-B5CC-4605EBD95B6D - title: Promtail + title: Vector rlinks: - - href: https://grafana.com/docs/loki/latest/clients/promtail/ - - uuid: 211C474B-E11A-4DD2-8075-50CDAC507CDC - title: Big Bang Promtail package - rlinks: - - href: https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/promtail + - href: https://vector.dev/ - uuid: 98b97ec9-a9ce-4444-83d8-71066270a424 title: Lula Validation rlinks: @@ -145,7 +137,7 @@ component-definition: Group: apps Version: v1 Resource: daemonsets - Namespaces: [promtail] + Namespaces: [vector] rego: | package validate @@ -177,7 +169,7 @@ component-definition: Group: Version: v1 Resource: pods - Namespaces: [promtail] + Namespaces: [vector] rego: | package validate @@ -213,7 +205,7 @@ component-definition: Group: Version: v1 Resource: pods - Namespaces: [promtail] + Namespaces: [vector] rego: | package validate @@ -250,7 +242,7 @@ component-definition: Group: Version: v1 Resource: pods - Namespaces: [promtail] + Namespaces: [vector] rego: | package validate @@ -261,8 +253,9 @@ component-definition: containers := pod.spec.containers some container in containers - container.name == "promtail" + container.name == "vector" some i - container.args[i] == "-config.file=/etc/promtail/promtail.yaml" + container.args[i] == "--config-dir" + container.args[i] == "/etc/vector/" } } diff --git a/src/vector/tasks.yaml b/src/vector/tasks.yaml new file mode 100644 index 000000000..69dfbf4ff --- /dev/null +++ b/src/vector/tasks.yaml @@ -0,0 +1,10 @@ +tasks: + - name: validate + actions: + - description: Validate vector + wait: + cluster: + kind: Pod + name: app.kubernetes.io/name=vector + namespace: vector + condition: Ready diff --git a/src/vector/values/registry1-values.yaml b/src/vector/values/registry1-values.yaml new file mode 100644 index 000000000..85509e7b4 --- /dev/null +++ b/src/vector/values/registry1-values.yaml @@ -0,0 +1,3 @@ +image: + repository: registry1.dso.mil/ironbank/opensource/timberio/vector + tag: 0.41.1 diff --git a/src/vector/values/unicorn-values.yaml b/src/vector/values/unicorn-values.yaml new file mode 100644 index 000000000..d90700602 --- /dev/null +++ b/src/vector/values/unicorn-values.yaml @@ -0,0 +1,3 @@ +image: + repository: cgr.dev/du-uds-defenseunicorns/vector + tag: 0.41.1 diff --git a/src/vector/values/upstream-values.yaml b/src/vector/values/upstream-values.yaml new file mode 100644 index 000000000..5180f3c7c --- /dev/null +++ b/src/vector/values/upstream-values.yaml @@ -0,0 +1,3 @@ +image: + repository: timberio/vector + tag: 0.41.1-distroless-static diff --git a/src/vector/values/values.yaml b/src/vector/values/values.yaml new file mode 100644 index 000000000..7bbe3ee60 --- /dev/null +++ b/src/vector/values/values.yaml @@ -0,0 +1,118 @@ +# Run as an agent daemonset +role: "Agent" + +customConfig: + data_dir: /var/lib/vector + # Ensure e2e delivery of events + acknowledgements: + enabled: true + sources: + pod_logs: + type: "kubernetes_logs" + oldest_first: true + node_logs: + type: "file" + include: ["/var/log/*", "/var/log/kubernetes/**/*.log"] + oldest_first: true + internal_metrics: + type: internal_metrics + + transforms: + pod_logs_labelled: + type: remap + inputs: ["pod_logs"] + source: | + if exists(.kubernetes.pod_labels."app.kubernetes.io/name") { + .app = .kubernetes.pod_labels."app.kubernetes.io/name" + } else if exists(.kubernetes.pod_labels.app) { + .app = .kubernetes.pod_labels.app + } else if exists(.kubernetes.pod_owner) { + .app = replace!(.kubernetes.pod_owner, r'^([^/]+/)', "") + } else { + .app = .kubernetes.pod_name + } + + if exists(.kubernetes.pod_labels."app.kubernetes.io/component") { + .component = .kubernetes.pod_labels."app.kubernetes.io/component" + } else if !exists(.kubernetes.pod_labels.component) { + .component = .kubernetes.pod_labels.component + } else { + .component = "" + } + + node_logs_labelled: + type: remap + inputs: ["node_logs"] + source: | + .node_name = "${NODE_HOSTNAME}" + if contains(string!(.file), "/var/log/kubernetes/") { + .job = "kubernetes-logs" + } else { + .job = "varlogs" + } + + sinks: + loki_pod: + type: "loki" + inputs: ["pod_logs_labelled"] + endpoint: "http://loki-gateway.loki.svc.cluster.local:80" + path: "/loki/api/v1/push" + encoding: + codec: "raw_message" + labels: + namespace: '{{`{{ kubernetes.pod_namespace }}`}}' + app: '{{`{{ app }}`}}' + job: '{{`{{ kubernetes.pod_namespace }}`}}/{{`{{ app }}`}}' + container: '{{`{{ kubernetes.container_name }}`}}' + component: '{{`{{ component }}`}}' + host: '{{`{{ kubernetes.pod_node_name }}`}}' + filename: '{{`{{ file }}`}}' + collector: "vector" + buffer: + type: disk + max_size: 1073741824 # 1GiB + loki_host: + type: "loki" + inputs: ["node_logs_labelled"] + endpoint: "http://loki-gateway.loki.svc.cluster.local:80" + path: "/loki/api/v1/push" + encoding: + codec: "raw_message" + labels: + job: '{{`{{ job }}`}}' + host: '{{`{{ node_name }}`}}' + filename: '{{`{{ file }}`}}' + collector: "vector" + buffer: + type: disk + max_size: 1073741824 # 1GiB + prom_exporter: + type: prometheus_exporter + inputs: [internal_metrics] + address: 0.0.0.0:9090 + +persistence: + enabled: true + hostPath: + enabled: true + path: "/var/lib/vector" + +podMonitor: + enabled: true +service: + ports: + - name: prom-exporter + port: 9090 + protocol: TCP + +securityContext: + readOnlyRootFilesystem: true + runAsUser: 0 + seLinuxOptions: + type: spc_t + +env: + - name: NODE_HOSTNAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName diff --git a/src/vector/zarf.yaml b/src/vector/zarf.yaml new file mode 100644 index 000000000..738476d7d --- /dev/null +++ b/src/vector/zarf.yaml @@ -0,0 +1,48 @@ +kind: ZarfPackageConfig +metadata: + name: uds-core-vector + description: "UDS Core Vector" + url: "https://vector.dev/" + +components: + - name: vector + required: true + description: "Deploy Vector" + only: + flavor: upstream + import: + path: common + charts: + - name: vector + valuesFiles: + - values/upstream-values.yaml + images: + - timberio/vector:0.41.1-distroless-static + + - name: vector + required: true + description: "Deploy Vector" + only: + flavor: registry1 + import: + path: common + charts: + - name: vector + valuesFiles: + - values/registry1-values.yaml + images: + - registry1.dso.mil/ironbank/opensource/timberio/vector:0.41.1 + + - name: vector + required: true + description: "Deploy Vector" + only: + flavor: unicorn + import: + path: common + charts: + - name: vector + valuesFiles: + - values/unicorn-values.yaml + images: + - cgr.dev/du-uds-defenseunicorns/vector:0.41.1 From 471d8d53d65636e08ca28af3ccd03b706758c39b Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Wed, 25 Sep 2024 15:18:27 -0600 Subject: [PATCH 21/90] chore(deps): update istio to v1.23.2 (#796) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This PR contains the following updates: | Package | Update | Change | |---|---|---| | [base](https://redirect.github.com/istio/istio) | patch | `1.23.1` -> `1.23.2` | | [cgr.dev/du-uds-defenseunicorns/istio-pilot-fips](https://images.chainguard.dev/directory/image/istio-fips/overview) ([source](https://redirect.github.com/chainguard-images/images-private/tree/HEAD/images/istio-fips)) | patch | `1.23.1` -> `1.23.2` | | [cgr.dev/du-uds-defenseunicorns/istio-proxy-fips](https://images.chainguard.dev/directory/image/istio-fips/overview) ([source](https://redirect.github.com/chainguard-images/images-private/tree/HEAD/images/istio-fips)) | patch | `1.23.1` -> `1.23.2` | | docker.io/istio/pilot | patch | `1.23.1-distroless` -> `1.23.2-distroless` | | docker.io/istio/proxyv2 | patch | `1.23.1-distroless` -> `1.23.2-distroless` | | [gateway](https://redirect.github.com/istio/istio) | patch | `1.23.1` -> `1.23.2` | | [istiod](https://redirect.github.com/istio/istio) | patch | `1.23.1` -> `1.23.2` | | [registry1.dso.mil/ironbank/tetrate/istio/pilot](https://cloudsmith.io/~tetrate/repos/getistio-containers/packages/detail/docker/pilot) ([source](https://repo1.dso.mil/dsop/tetrate/istio/1.23/pilot)) | patch | `1.23.1-tetratefips-v0` -> `1.23.2-tetratefips-v0` | | [registry1.dso.mil/ironbank/tetrate/istio/proxyv2](https://cloudsmith.io/~tetrate/repos/getistio-containers/packages/detail/docker/proxyv2) ([source](https://repo1.dso.mil/dsop/tetrate/istio/1.23/proxyv2)) | patch | `1.23.1-tetratefips-v0` -> `1.23.2-tetratefips-v0` | --- ### Release Notes
istio/istio (base) ### [`v1.23.2`](https://redirect.github.com/istio/istio/releases/tag/1.23.2): Istio 1.23.2 [Compare Source](https://redirect.github.com/istio/istio/compare/1.23.1...1.23.2) [Artifacts](http://gcsweb.istio.io/gcs/istio-release/releases/1.23.2/) [Release Notes](https://istio.io/news/releases/1.23.x/announcing-1.23.2/)
--- ### Configuration πŸ“… **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. β™» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. πŸ”• **Ignore**: Close this PR and you won't be reminded about these updates again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/defenseunicorns/uds-core). Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Chance <139784371+UnicornChance@users.noreply.github.com> Co-authored-by: Micah Nagel --- src/istio/common/zarf.yaml | 4 ++-- src/istio/values/registry1-values.yaml | 6 +++--- src/istio/values/unicorn-values.yaml | 6 +++--- src/istio/values/upstream-values.yaml | 6 +++--- src/istio/zarf.yaml | 18 +++++++++--------- 5 files changed, 20 insertions(+), 20 deletions(-) diff --git a/src/istio/common/zarf.yaml b/src/istio/common/zarf.yaml index 76e8c1e54..69e10b0f7 100644 --- a/src/istio/common/zarf.yaml +++ b/src/istio/common/zarf.yaml @@ -10,11 +10,11 @@ components: charts: - name: base url: https://istio-release.storage.googleapis.com/charts - version: 1.23.1 + version: 1.23.2 namespace: istio-system - name: istiod url: https://istio-release.storage.googleapis.com/charts - version: 1.23.1 + version: 1.23.2 namespace: istio-system valuesFiles: - "../values/values.yaml" diff --git a/src/istio/values/registry1-values.yaml b/src/istio/values/registry1-values.yaml index 77a6c3375..37921bf2c 100644 --- a/src/istio/values/registry1-values.yaml +++ b/src/istio/values/registry1-values.yaml @@ -1,9 +1,9 @@ pilot: - image: registry1.dso.mil/ironbank/tetrate/istio/pilot:1.23.1-tetratefips-v0 + image: registry1.dso.mil/ironbank/tetrate/istio/pilot:1.23.2-tetratefips-v0 global: proxy_init: # renovate: image=registry1.dso.mil/ironbank/tetrate/istio/proxyv2 - image: "###ZARF_REGISTRY###/ironbank/tetrate/istio/proxyv2:1.23.1-tetratefips-v0" + image: "###ZARF_REGISTRY###/ironbank/tetrate/istio/proxyv2:1.23.2-tetratefips-v0" proxy: # renovate: image=registry1.dso.mil/ironbank/tetrate/istio/proxyv2 - image: "###ZARF_REGISTRY###/ironbank/tetrate/istio/proxyv2:1.23.1-tetratefips-v0" + image: "###ZARF_REGISTRY###/ironbank/tetrate/istio/proxyv2:1.23.2-tetratefips-v0" diff --git a/src/istio/values/unicorn-values.yaml b/src/istio/values/unicorn-values.yaml index 723b7a858..28c091285 100644 --- a/src/istio/values/unicorn-values.yaml +++ b/src/istio/values/unicorn-values.yaml @@ -1,9 +1,9 @@ pilot: - image: "cgr.dev/du-uds-defenseunicorns/istio-pilot-fips:1.23.1" + image: "cgr.dev/du-uds-defenseunicorns/istio-pilot-fips:1.23.2" global: proxy_init: # renovate: image=cgr.dev/du-uds-defenseunicorns/istio-proxy-fips - image: "###ZARF_REGISTRY###/du-uds-defenseunicorns/istio-proxy-fips:1.23.1" + image: "###ZARF_REGISTRY###/du-uds-defenseunicorns/istio-proxy-fips:1.23.2" proxy: # renovate: image=cgr.dev/du-uds-defenseunicorns/istio-proxy-fips - image: "###ZARF_REGISTRY###/du-uds-defenseunicorns/istio-proxy-fips:1.23.1" + image: "###ZARF_REGISTRY###/du-uds-defenseunicorns/istio-proxy-fips:1.23.2" diff --git a/src/istio/values/upstream-values.yaml b/src/istio/values/upstream-values.yaml index 262c70d4e..63b88c989 100644 --- a/src/istio/values/upstream-values.yaml +++ b/src/istio/values/upstream-values.yaml @@ -1,9 +1,9 @@ pilot: - image: "docker.io/istio/pilot:1.23.1-distroless" + image: "docker.io/istio/pilot:1.23.2-distroless" global: proxy_init: # renovate: image=docker.io/istio/proxyv2 - image: "###ZARF_REGISTRY###/istio/proxyv2:1.23.1-distroless" + image: "###ZARF_REGISTRY###/istio/proxyv2:1.23.2-distroless" proxy: # renovate: image=docker.io/istio/proxyv2 - image: "###ZARF_REGISTRY###/istio/proxyv2:1.23.1-distroless" + image: "###ZARF_REGISTRY###/istio/proxyv2:1.23.2-distroless" diff --git a/src/istio/zarf.yaml b/src/istio/zarf.yaml index 610a174e8..49fd2ad54 100644 --- a/src/istio/zarf.yaml +++ b/src/istio/zarf.yaml @@ -21,8 +21,8 @@ components: valuesFiles: - "values/upstream-values.yaml" images: - - "docker.io/istio/pilot:1.23.1-distroless" - - "docker.io/istio/proxyv2:1.23.1-distroless" + - "docker.io/istio/pilot:1.23.2-distroless" + - "docker.io/istio/proxyv2:1.23.2-distroless" - name: istio-controlplane required: true @@ -35,8 +35,8 @@ components: valuesFiles: - "values/registry1-values.yaml" images: - - registry1.dso.mil/ironbank/tetrate/istio/proxyv2:1.23.1-tetratefips-v0 - - registry1.dso.mil/ironbank/tetrate/istio/pilot:1.23.1-tetratefips-v0 + - registry1.dso.mil/ironbank/tetrate/istio/proxyv2:1.23.2-tetratefips-v0 + - registry1.dso.mil/ironbank/tetrate/istio/pilot:1.23.2-tetratefips-v0 - name: istio-controlplane required: true @@ -49,15 +49,15 @@ components: valuesFiles: - "values/unicorn-values.yaml" images: - - cgr.dev/du-uds-defenseunicorns/istio-pilot-fips:1.23.1 - - cgr.dev/du-uds-defenseunicorns/istio-proxy-fips:1.23.1 + - cgr.dev/du-uds-defenseunicorns/istio-pilot-fips:1.23.2 + - cgr.dev/du-uds-defenseunicorns/istio-proxy-fips:1.23.2 - name: istio-admin-gateway required: true charts: - name: gateway url: https://istio-release.storage.googleapis.com/charts - version: 1.23.1 + version: 1.23.2 releaseName: admin-ingressgateway namespace: istio-admin-gateway - name: uds-istio-config @@ -72,7 +72,7 @@ components: charts: - name: gateway url: https://istio-release.storage.googleapis.com/charts - version: 1.23.1 + version: 1.23.2 releaseName: tenant-ingressgateway namespace: istio-tenant-gateway - name: uds-istio-config @@ -87,7 +87,7 @@ components: charts: - name: gateway url: https://istio-release.storage.googleapis.com/charts - version: 1.23.1 + version: 1.23.2 releaseName: passthrough-ingressgateway namespace: istio-passthrough-gateway - name: uds-istio-config From e80e6fccdbbd73b22846c36b6824ef754ee06cb6 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Wed, 25 Sep 2024 15:56:03 -0600 Subject: [PATCH 22/90] chore(deps): update runtime to v0.5.0 (#834) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This PR contains the following updates: | Package | Update | Change | |---|---|---| | [ghcr.io/defenseunicorns/uds-runtime](https://images.chainguard.dev/directory/image/static/overview) ([source](https://redirect.github.com/chainguard-images/images/tree/HEAD/images/static)) | minor | `0.4.0` -> `0.5.0` | | [https://github.com/defenseunicorns/uds-runtime.git](https://redirect.github.com/defenseunicorns/uds-runtime) | minor | `v0.4.0` -> `v0.5.0` | --- ### Release Notes
defenseunicorns/uds-runtime (https://github.com/defenseunicorns/uds-runtime.git) ### [`v0.5.0`](https://redirect.github.com/defenseunicorns/uds-runtime/releases/tag/v0.5.0) [Compare Source](https://redirect.github.com/defenseunicorns/uds-runtime/compare/v0.4.0...v0.5.0) ##### Features - **api:** adds jwt group validation when in-cluster ([#​387](https://redirect.github.com/defenseunicorns/uds-runtime/issues/387)) ([8a53f76](https://redirect.github.com/defenseunicorns/uds-runtime/commit/8a53f76fc684f3e2562ab3076b67d7a68571589d)) - make deployment resources configurable and up default memory ([#​372](https://redirect.github.com/defenseunicorns/uds-runtime/issues/372)) ([2981598](https://redirect.github.com/defenseunicorns/uds-runtime/commit/29815984b28b793087ede78a5de59e5376903477)) - **ui:** adding events tab ([#​342](https://redirect.github.com/defenseunicorns/uds-runtime/issues/342)) ([cb9b43a](https://redirect.github.com/defenseunicorns/uds-runtime/commit/cb9b43a84a3d157b9759a063788e1cecf9e9e868)) - **ui:** fixing issue with progress bar ([#​375](https://redirect.github.com/defenseunicorns/uds-runtime/issues/375)) ([3f8f204](https://redirect.github.com/defenseunicorns/uds-runtime/commit/3f8f20442b89f04af04aa7cd62655fe98d716063)) - **ui:** updating pods table column name ([#​369](https://redirect.github.com/defenseunicorns/uds-runtime/issues/369)) ([25aaaf9](https://redirect.github.com/defenseunicorns/uds-runtime/commit/25aaaf9a630b785a4b8b1b123d29a4df148e0288)) ##### Bug Fixes - ensure pod counts are consistent ([#​363](https://redirect.github.com/defenseunicorns/uds-runtime/issues/363)) ([a5c837b](https://redirect.github.com/defenseunicorns/uds-runtime/commit/a5c837b767a316a89a01cdcbebf36a6e407a4883)) - fixing issue with firefox not supporting text-wrap: pretty ([#​382](https://redirect.github.com/defenseunicorns/uds-runtime/issues/382)) ([4465617](https://redirect.github.com/defenseunicorns/uds-runtime/commit/44656170b50ce308cc61eb6b1aaa3ca325926080)) - fixing memory bar for overview page ([#​381](https://redirect.github.com/defenseunicorns/uds-runtime/issues/381)) ([4f321e3](https://redirect.github.com/defenseunicorns/uds-runtime/commit/4f321e348f57fd5d8d15fc3f383a3f64b403d9fd)) - use tls 1.2 in canary deployment ([#​383](https://redirect.github.com/defenseunicorns/uds-runtime/issues/383)) ([08b5bdc](https://redirect.github.com/defenseunicorns/uds-runtime/commit/08b5bdc6e9df063ce06466276bf78312f9e14aaf)) ##### Miscellaneous - api route test helper with retries and exponential backoff ([#​357](https://redirect.github.com/defenseunicorns/uds-runtime/issues/357)) ([674f37e](https://redirect.github.com/defenseunicorns/uds-runtime/commit/674f37ed94dfcf1722f8f23bbcd2434cf1adde66)) - **ci:** update core demo bundle version for ephemeral env ([#​360](https://redirect.github.com/defenseunicorns/uds-runtime/issues/360)) ([161fa7e](https://redirect.github.com/defenseunicorns/uds-runtime/commit/161fa7ee3685387a9ce4469b6e07dfa3082aec17)) - **deps:** update dependency vite to v5.3.6 \[security] ([#​341](https://redirect.github.com/defenseunicorns/uds-runtime/issues/341)) ([6dc4ad2](https://redirect.github.com/defenseunicorns/uds-runtime/commit/6dc4ad22400ee48f71e2197441fa40253c6bf9c6)) - **deps:** update github actions ([#​334](https://redirect.github.com/defenseunicorns/uds-runtime/issues/334)) ([117410e](https://redirect.github.com/defenseunicorns/uds-runtime/commit/117410e92c7a6d7d5324d50338f34b11484e9818)) - **deps:** update github actions ([#​371](https://redirect.github.com/defenseunicorns/uds-runtime/issues/371)) ([78bb3a1](https://redirect.github.com/defenseunicorns/uds-runtime/commit/78bb3a1aa73de7d5f6145d6a7310d3460dbbdd46)) - **deps:** update module github.com/zarf-dev/zarf to v0.40.1 ([#​359](https://redirect.github.com/defenseunicorns/uds-runtime/issues/359)) ([12a0f5e](https://redirect.github.com/defenseunicorns/uds-runtime/commit/12a0f5ed8c64c6862db43408b7e878a996795673)) - **deps:** update uds-core-types digest to [`df4d2da`](https://redirect.github.com/defenseunicorns/uds-runtime/commit/df4d2da) ([#​362](https://redirect.github.com/defenseunicorns/uds-runtime/issues/362)) ([0a67913](https://redirect.github.com/defenseunicorns/uds-runtime/commit/0a679136bda31b46e66008bfbf30f8f8ddc61df8)) - refactors uds tasks and adds smoke test ([#​344](https://redirect.github.com/defenseunicorns/uds-runtime/issues/344)) ([2fec985](https://redirect.github.com/defenseunicorns/uds-runtime/commit/2fec985eecf3026a2cd05dda08aca1845ac0479c)) - update description for UDS Package ([#​356](https://redirect.github.com/defenseunicorns/uds-runtime/issues/356)) ([d360d38](https://redirect.github.com/defenseunicorns/uds-runtime/commit/d360d38f8e50648c6e6e167c70a12233ff2eef23)) - update slim core with authsvc deployment and bump k3d version ([#​389](https://redirect.github.com/defenseunicorns/uds-runtime/issues/389)) ([216bab6](https://redirect.github.com/defenseunicorns/uds-runtime/commit/216bab6a2735a1d8d2bbf7b55d6a8369579e81a3))
--- ### Configuration πŸ“… **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. β™» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. πŸ”• **Ignore**: Close this PR and you won't be reminded about these updates again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/defenseunicorns/uds-core). Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: UncleGedd <42304551+UncleGedd@users.noreply.github.com> --- src/runtime/zarf.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/runtime/zarf.yaml b/src/runtime/zarf.yaml index aff8c3883..42df7a706 100644 --- a/src/runtime/zarf.yaml +++ b/src/runtime/zarf.yaml @@ -8,11 +8,11 @@ components: - name: uds-runtime required: false images: - - ghcr.io/defenseunicorns/uds-runtime:0.4.0 + - ghcr.io/defenseunicorns/uds-runtime:0.5.0 charts: - name: uds-runtime namespace: uds-runtime - version: "v0.4.0" + version: "v0.5.0" url: https://github.com/defenseunicorns/uds-runtime.git gitPath: chart actions: From 29e4d5e4366fc7759c4b3e17f89924c0e7e824fb Mon Sep 17 00:00:00 2001 From: Jon Date: Fri, 27 Sep 2024 15:46:36 -0600 Subject: [PATCH 23/90] chore: updated pepr watch limit to 60s (#840) ## Description Adjust Pepr watch limit to a lower value to help UDS Package delete/reinstalls succeed more often. ## Related Issue Fixes # https://github.com/defenseunicorns/uds-core/issues/839 ## Type of change - [x] Bug fix (non-breaking change which fixes an issue) ## Checklist before merging - [x] Test, docs, adr added or updated as needed - [x] [Contributor Guide](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md) followed --- src/pepr/uds-operator-config/values.yaml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/pepr/uds-operator-config/values.yaml b/src/pepr/uds-operator-config/values.yaml index 9d443b3be..876c335e9 100644 --- a/src/pepr/uds-operator-config/values.yaml +++ b/src/pepr/uds-operator-config/values.yaml @@ -6,4 +6,6 @@ operator: UDS_LOG_LEVEL: "###ZARF_VAR_UDS_LOG_LEVEL###" AUTHSERVICE_REDIS_URI: "###ZARF_VAR_AUTHSERVICE_REDIS_URI###" # Allow Pepr watch to be configurable to react to dropped connections faster - PEPR_LAST_SEEN_LIMIT_SECONDS: "300" + PEPR_LAST_SEEN_LIMIT_SECONDS: "60" + # Allow Pepr to re-list resources more frequently to avoid missing resources + PEPR_RELIST_INTERVAL_SECONDS: "60" From 62baad31e5c57f77d89c6c67699583a8168a16d3 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Fri, 27 Sep 2024 16:43:11 -0600 Subject: [PATCH 24/90] chore(main): release 0.28.0 (#795) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit :robot: I have created a release *beep* *boop* --- ## [0.28.0](https://github.com/defenseunicorns/uds-core/compare/v0.27.3...v0.28.0) (2024-09-27) ### ⚠ BREAKING CHANGES * Promtail has been removed from UDS Core and replaced by Vector. If you were previously using overrides to setup additional log targets/endpoints for Promtail this configuration will need to be updated to Vector's chart/config formats. See Vector's [Sources and Sinks](https://vector.dev/components/) as well as the [helm chart values](https://github.com/defenseunicorns/uds-core/blob/1bf29582f9c5b1fe01763e86e56c19b6e17aef85/src/vector/values/values.yaml#L4) for guidance in configuration. ### Features * add support for keycloak saml attributes ([#806](https://github.com/defenseunicorns/uds-core/issues/806)) ([b312b7d](https://github.com/defenseunicorns/uds-core/commit/b312b7de5fab6b688bf5799b0316d067b86887fa)) * exposes tls version for dev bundles ([#809](https://github.com/defenseunicorns/uds-core/issues/809)) ([e1a2b55](https://github.com/defenseunicorns/uds-core/commit/e1a2b55fff1a1feaa5d37016a8f71274eb6dde3e)) * switch from promtail to vector (https://github.com/defenseunicorns/uds-core/pull/724) ([1bf2958](https://github.com/defenseunicorns/uds-core/commit/1bf29582f9c5b1fe01763e86e56c19b6e17aef85)) ### Bug Fixes * eks iac issues, document storage class pre-reqs ([#812](https://github.com/defenseunicorns/uds-core/issues/812)) ([df514bd](https://github.com/defenseunicorns/uds-core/commit/df514bd437e5af0bedb11a3da8860c8aeaccc78c)) * ensure istio sidecar is killed if job fails ([#813](https://github.com/defenseunicorns/uds-core/issues/813)) ([34ffc0a](https://github.com/defenseunicorns/uds-core/commit/34ffc0a22b17489e5b87add6cafc1cc915897936)) * revert test app version to fix CI failures ([#815](https://github.com/defenseunicorns/uds-core/issues/815)) ([2ec6ad6](https://github.com/defenseunicorns/uds-core/commit/2ec6ad6cc7d3cdba1efdd752b7d2bfc2012c9f2a)) ### Miscellaneous * add runtime group to renovate config ([#799](https://github.com/defenseunicorns/uds-core/issues/799)) ([1bf2c69](https://github.com/defenseunicorns/uds-core/commit/1bf2c692d996992775ba827b4d2869430a9929e7)) * **deps:** update dependency defenseunicorns/uds-common to v0.13.0 ([#790](https://github.com/defenseunicorns/uds-core/issues/790)) ([8bfcdc0](https://github.com/defenseunicorns/uds-core/commit/8bfcdc00a8b04f0c7b9f0c88a0e37e8cec8b42f3)) * **deps:** update dependency defenseunicorns/uds-common to v0.13.1 ([#810](https://github.com/defenseunicorns/uds-core/issues/810)) ([eedb551](https://github.com/defenseunicorns/uds-core/commit/eedb551b3c5529c64dcb997b2eb33f82e5fbd0ab)) * **deps:** update istio to v1.23.2 ([#796](https://github.com/defenseunicorns/uds-core/issues/796)) ([039d89c](https://github.com/defenseunicorns/uds-core/commit/039d89c347089edff3d1b8ac7b85c8c90f20f722)) * **deps:** update keycloak to v25.0.6 ([#771](https://github.com/defenseunicorns/uds-core/issues/771)) ([9864059](https://github.com/defenseunicorns/uds-core/commit/9864059b3c86782978608f92782834ed493d5709)) * **deps:** update pepr to v0.13.1 ([#811](https://github.com/defenseunicorns/uds-core/issues/811)) ([bc05b04](https://github.com/defenseunicorns/uds-core/commit/bc05b0480de6c4abca35f774e7aba769a8c9f76e)) * **deps:** update prometheus operator to v0.77.0 ([#783](https://github.com/defenseunicorns/uds-core/issues/783)) ([8f383d8](https://github.com/defenseunicorns/uds-core/commit/8f383d84c13af3986e3898f4c57a71a49145053e)) * **deps:** update runtime to v0.5.0 ([#834](https://github.com/defenseunicorns/uds-core/issues/834)) ([edc068d](https://github.com/defenseunicorns/uds-core/commit/edc068d38f47ba373877593b854d21c4e4fc39ca)) * **deps:** update setup-node to v4.0.4 ([#801](https://github.com/defenseunicorns/uds-core/issues/801)) ([34dbc44](https://github.com/defenseunicorns/uds-core/commit/34dbc4426a65bc67e0a81779b530e98240e1972f)) * **deps:** update uds to v0.16.0 ([#802](https://github.com/defenseunicorns/uds-core/issues/802)) ([d07670b](https://github.com/defenseunicorns/uds-core/commit/d07670b6f748774df7e663aae89de3c7f0a87088)) * **deps:** update uds-common to v0.13.0 ([#792](https://github.com/defenseunicorns/uds-core/issues/792)) ([c24e833](https://github.com/defenseunicorns/uds-core/commit/c24e833e54b111cef10d6347c972c6d6fbe3e7ee)) * **deps:** update zarf to v0.40.1 ([#793](https://github.com/defenseunicorns/uds-core/issues/793)) ([db93a7e](https://github.com/defenseunicorns/uds-core/commit/db93a7edc2a83841210612430ad2d5fd46a14f97)) * fix github-actions renovate ([#800](https://github.com/defenseunicorns/uds-core/issues/800)) ([3ab2add](https://github.com/defenseunicorns/uds-core/commit/3ab2adda290463a91ec90f125793dd34cde76471)) * pepr policies doc table ([#803](https://github.com/defenseunicorns/uds-core/issues/803)) ([440e4e1](https://github.com/defenseunicorns/uds-core/commit/440e4e1249d94932c36d1964d1ff6166624c8f82)) * pepr policy doc ([#814](https://github.com/defenseunicorns/uds-core/issues/814)) ([8b10b86](https://github.com/defenseunicorns/uds-core/commit/8b10b864efb9822649b4677bcc4c3be1e7510534)) * updated pepr watch limit to 60s ([#840](https://github.com/defenseunicorns/uds-core/issues/840)) ([85f3f41](https://github.com/defenseunicorns/uds-core/commit/85f3f4155469e6997b18f27479937e938469a9bb)) * use kfc WatchPhase enum ([#787](https://github.com/defenseunicorns/uds-core/issues/787)) ([df4d2da](https://github.com/defenseunicorns/uds-core/commit/df4d2dadf6545d284c1fd72ee0291de4601fa533)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> --- .github/bundles/uds-bundle.yaml | 4 +-- .release-please-manifest.json | 2 +- CHANGELOG.md | 41 ++++++++++++++++++++++++++++ README.md | 4 +-- bundles/k3d-slim-dev/uds-bundle.yaml | 4 +-- bundles/k3d-standard/uds-bundle.yaml | 4 +-- packages/slim-dev/zarf.yaml | 2 +- packages/standard/zarf.yaml | 2 +- tasks/deploy.yaml | 2 +- tasks/publish.yaml | 2 +- 10 files changed, 54 insertions(+), 13 deletions(-) diff --git a/.github/bundles/uds-bundle.yaml b/.github/bundles/uds-bundle.yaml index ece96b5ec..d299988e2 100644 --- a/.github/bundles/uds-bundle.yaml +++ b/.github/bundles/uds-bundle.yaml @@ -3,7 +3,7 @@ metadata: name: uds-core-eks-nightly description: A UDS bundle for deploying EKS and UDS Core # x-release-please-start-version - version: "0.27.3" + version: "0.28.0" # x-release-please-end packages: @@ -14,7 +14,7 @@ packages: - name: core path: ../../build/ # x-release-please-start-version - ref: 0.27.3 + ref: 0.28.0 # x-release-please-end optionalComponents: - metrics-server diff --git a/.release-please-manifest.json b/.release-please-manifest.json index 8e685c3ae..d25a5019b 100644 --- a/.release-please-manifest.json +++ b/.release-please-manifest.json @@ -1,3 +1,3 @@ { - ".": "0.27.3" + ".": "0.28.0" } diff --git a/CHANGELOG.md b/CHANGELOG.md index 88a817fd9..7711ac21f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,47 @@ All notable changes to this project will be documented in this file. +## [0.28.0](https://github.com/defenseunicorns/uds-core/compare/v0.27.3...v0.28.0) (2024-09-27) + + +### ⚠ BREAKING CHANGES + +* Promtail has been removed from UDS Core and replaced by Vector. If you were previously using overrides to setup additional log targets/endpoints for Promtail this configuration will need to be updated to Vector's chart/config formats. See Vector's [Sources and Sinks](https://vector.dev/components/) as well as the [helm chart values](https://github.com/defenseunicorns/uds-core/blob/1bf29582f9c5b1fe01763e86e56c19b6e17aef85/src/vector/values/values.yaml#L4) for guidance in configuration. + +### Features + +* add support for keycloak saml attributes ([#806](https://github.com/defenseunicorns/uds-core/issues/806)) ([b312b7d](https://github.com/defenseunicorns/uds-core/commit/b312b7de5fab6b688bf5799b0316d067b86887fa)) +* exposes tls version for dev bundles ([#809](https://github.com/defenseunicorns/uds-core/issues/809)) ([e1a2b55](https://github.com/defenseunicorns/uds-core/commit/e1a2b55fff1a1feaa5d37016a8f71274eb6dde3e)) +* switch from promtail to vector (https://github.com/defenseunicorns/uds-core/pull/724) ([1bf2958](https://github.com/defenseunicorns/uds-core/commit/1bf29582f9c5b1fe01763e86e56c19b6e17aef85)) + + +### Bug Fixes + +* eks iac issues, document storage class pre-reqs ([#812](https://github.com/defenseunicorns/uds-core/issues/812)) ([df514bd](https://github.com/defenseunicorns/uds-core/commit/df514bd437e5af0bedb11a3da8860c8aeaccc78c)) +* ensure istio sidecar is killed if job fails ([#813](https://github.com/defenseunicorns/uds-core/issues/813)) ([34ffc0a](https://github.com/defenseunicorns/uds-core/commit/34ffc0a22b17489e5b87add6cafc1cc915897936)) +* revert test app version to fix CI failures ([#815](https://github.com/defenseunicorns/uds-core/issues/815)) ([2ec6ad6](https://github.com/defenseunicorns/uds-core/commit/2ec6ad6cc7d3cdba1efdd752b7d2bfc2012c9f2a)) + + +### Miscellaneous + +* add runtime group to renovate config ([#799](https://github.com/defenseunicorns/uds-core/issues/799)) ([1bf2c69](https://github.com/defenseunicorns/uds-core/commit/1bf2c692d996992775ba827b4d2869430a9929e7)) +* **deps:** update dependency defenseunicorns/uds-common to v0.13.0 ([#790](https://github.com/defenseunicorns/uds-core/issues/790)) ([8bfcdc0](https://github.com/defenseunicorns/uds-core/commit/8bfcdc00a8b04f0c7b9f0c88a0e37e8cec8b42f3)) +* **deps:** update dependency defenseunicorns/uds-common to v0.13.1 ([#810](https://github.com/defenseunicorns/uds-core/issues/810)) ([eedb551](https://github.com/defenseunicorns/uds-core/commit/eedb551b3c5529c64dcb997b2eb33f82e5fbd0ab)) +* **deps:** update istio to v1.23.2 ([#796](https://github.com/defenseunicorns/uds-core/issues/796)) ([039d89c](https://github.com/defenseunicorns/uds-core/commit/039d89c347089edff3d1b8ac7b85c8c90f20f722)) +* **deps:** update keycloak to v25.0.6 ([#771](https://github.com/defenseunicorns/uds-core/issues/771)) ([9864059](https://github.com/defenseunicorns/uds-core/commit/9864059b3c86782978608f92782834ed493d5709)) +* **deps:** update pepr to v0.13.1 ([#811](https://github.com/defenseunicorns/uds-core/issues/811)) ([bc05b04](https://github.com/defenseunicorns/uds-core/commit/bc05b0480de6c4abca35f774e7aba769a8c9f76e)) +* **deps:** update prometheus operator to v0.77.0 ([#783](https://github.com/defenseunicorns/uds-core/issues/783)) ([8f383d8](https://github.com/defenseunicorns/uds-core/commit/8f383d84c13af3986e3898f4c57a71a49145053e)) +* **deps:** update runtime to v0.5.0 ([#834](https://github.com/defenseunicorns/uds-core/issues/834)) ([edc068d](https://github.com/defenseunicorns/uds-core/commit/edc068d38f47ba373877593b854d21c4e4fc39ca)) +* **deps:** update setup-node to v4.0.4 ([#801](https://github.com/defenseunicorns/uds-core/issues/801)) ([34dbc44](https://github.com/defenseunicorns/uds-core/commit/34dbc4426a65bc67e0a81779b530e98240e1972f)) +* **deps:** update uds to v0.16.0 ([#802](https://github.com/defenseunicorns/uds-core/issues/802)) ([d07670b](https://github.com/defenseunicorns/uds-core/commit/d07670b6f748774df7e663aae89de3c7f0a87088)) +* **deps:** update uds-common to v0.13.0 ([#792](https://github.com/defenseunicorns/uds-core/issues/792)) ([c24e833](https://github.com/defenseunicorns/uds-core/commit/c24e833e54b111cef10d6347c972c6d6fbe3e7ee)) +* **deps:** update zarf to v0.40.1 ([#793](https://github.com/defenseunicorns/uds-core/issues/793)) ([db93a7e](https://github.com/defenseunicorns/uds-core/commit/db93a7edc2a83841210612430ad2d5fd46a14f97)) +* fix github-actions renovate ([#800](https://github.com/defenseunicorns/uds-core/issues/800)) ([3ab2add](https://github.com/defenseunicorns/uds-core/commit/3ab2adda290463a91ec90f125793dd34cde76471)) +* pepr policies doc table ([#803](https://github.com/defenseunicorns/uds-core/issues/803)) ([440e4e1](https://github.com/defenseunicorns/uds-core/commit/440e4e1249d94932c36d1964d1ff6166624c8f82)) +* pepr policy doc ([#814](https://github.com/defenseunicorns/uds-core/issues/814)) ([8b10b86](https://github.com/defenseunicorns/uds-core/commit/8b10b864efb9822649b4677bcc4c3be1e7510534)) +* updated pepr watch limit to 60s ([#840](https://github.com/defenseunicorns/uds-core/issues/840)) ([85f3f41](https://github.com/defenseunicorns/uds-core/commit/85f3f4155469e6997b18f27479937e938469a9bb)) +* use kfc WatchPhase enum ([#787](https://github.com/defenseunicorns/uds-core/issues/787)) ([df4d2da](https://github.com/defenseunicorns/uds-core/commit/df4d2dadf6545d284c1fd72ee0291de4601fa533)) + ## [0.27.3](https://github.com/defenseunicorns/uds-core/compare/v0.27.2...v0.27.3) (2024-09-19) diff --git a/README.md b/README.md index 9d1fc389d..c139b7387 100644 --- a/README.md +++ b/README.md @@ -56,7 +56,7 @@ If you want to try out UDS Core, you can use the [k3d-core-demo bundle](./bundle ```bash -uds deploy k3d-core-demo:0.27.3 +uds deploy k3d-core-demo:0.28.0 ``` @@ -70,7 +70,7 @@ Deploy Istio, Keycloak and Pepr: ```bash -uds deploy k3d-core-slim-dev:0.27.3 +uds deploy k3d-core-slim-dev:0.28.0 ``` diff --git a/bundles/k3d-slim-dev/uds-bundle.yaml b/bundles/k3d-slim-dev/uds-bundle.yaml index ac668e934..e63b9793d 100644 --- a/bundles/k3d-slim-dev/uds-bundle.yaml +++ b/bundles/k3d-slim-dev/uds-bundle.yaml @@ -3,7 +3,7 @@ metadata: name: k3d-core-slim-dev description: A UDS bundle for deploying Istio from UDS Core on a development cluster # x-release-please-start-version - version: "0.27.3" + version: "0.28.0" # x-release-please-end packages: @@ -34,7 +34,7 @@ packages: - name: core-slim-dev path: ../../build/ # x-release-please-start-version - ref: 0.27.3 + ref: 0.28.0 # x-release-please-end overrides: istio-admin-gateway: diff --git a/bundles/k3d-standard/uds-bundle.yaml b/bundles/k3d-standard/uds-bundle.yaml index 769c77869..8127b5935 100644 --- a/bundles/k3d-standard/uds-bundle.yaml +++ b/bundles/k3d-standard/uds-bundle.yaml @@ -3,7 +3,7 @@ metadata: name: k3d-core-demo description: A UDS bundle for deploying the standard UDS Core package on a development cluster # x-release-please-start-version - version: "0.27.3" + version: "0.28.0" # x-release-please-end packages: @@ -34,7 +34,7 @@ packages: - name: core path: ../../build/ # x-release-please-start-version - ref: 0.27.3 + ref: 0.28.0 # x-release-please-end optionalComponents: - istio-passthrough-gateway diff --git a/packages/slim-dev/zarf.yaml b/packages/slim-dev/zarf.yaml index 8e72b8e01..7a7de7a31 100644 --- a/packages/slim-dev/zarf.yaml +++ b/packages/slim-dev/zarf.yaml @@ -4,7 +4,7 @@ metadata: description: "UDS Core (Istio, UDS Operator and Keycloak)" authors: "Defense Unicorns - Product" # x-release-please-start-version - version: "0.27.3" + version: "0.28.0" # x-release-please-end components: diff --git a/packages/standard/zarf.yaml b/packages/standard/zarf.yaml index 2071cb2ba..ef5ff903b 100644 --- a/packages/standard/zarf.yaml +++ b/packages/standard/zarf.yaml @@ -4,7 +4,7 @@ metadata: description: "UDS Core" authors: "Defense Unicorns - Product" # x-release-please-start-version - version: "0.27.3" + version: "0.28.0" # x-release-please-end components: diff --git a/tasks/deploy.yaml b/tasks/deploy.yaml index cf2c0cd34..0d1ff8a88 100644 --- a/tasks/deploy.yaml +++ b/tasks/deploy.yaml @@ -5,7 +5,7 @@ variables: - name: VERSION description: "The version of the packages to deploy" # x-release-please-start-version - default: "0.27.3" + default: "0.28.0" # x-release-please-end - name: FLAVOR default: upstream diff --git a/tasks/publish.yaml b/tasks/publish.yaml index f4d05f374..30e70f557 100644 --- a/tasks/publish.yaml +++ b/tasks/publish.yaml @@ -8,7 +8,7 @@ variables: - name: VERSION description: "The version of the packages to build" # x-release-please-start-version - default: "0.27.3" + default: "0.28.0" # x-release-please-end tasks: From 8ef55f391aa54817bc54471ff190b9f8513edfb5 Mon Sep 17 00:00:00 2001 From: Doc A Date: Fri, 27 Sep 2024 22:57:27 +0000 Subject: [PATCH 25/90] undo dumb sarif --- .vscode/settings.json | 1 - 1 file changed, 1 deletion(-) diff --git a/.vscode/settings.json b/.vscode/settings.json index 2d0eead78..97ec6433e 100644 --- a/.vscode/settings.json +++ b/.vscode/settings.json @@ -48,5 +48,4 @@ "source.organizeImports": "always" } }, - "sarif-viewer.connectToGithubCodeScanning": "off", } From 46172396ec1ca63b632132bdb6991615c730c1d2 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 30 Sep 2024 16:03:12 +0000 Subject: [PATCH 26/90] chore(deps): update checkout action to v4.2.0 (#825) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [actions/checkout](https://redirect.github.com/actions/checkout) | action | minor | `v4.1.7` -> `v4.2.0` | --- ### Release Notes
actions/checkout (actions/checkout) ### [`v4.2.0`](https://redirect.github.com/actions/checkout/blob/HEAD/CHANGELOG.md#v420) [Compare Source](https://redirect.github.com/actions/checkout/compare/v4.1.7...v4.2.0) - Add Ref and Commit outputs by [@​lucacome](https://redirect.github.com/lucacome) in [https://github.com/actions/checkout/pull/1180](https://redirect.github.com/actions/checkout/pull/1180) - Dependency updates by [@​dependabot-](https://redirect.github.com/dependabot-) [https://github.com/actions/checkout/pull/1777](https://redirect.github.com/actions/checkout/pull/1777), [https://github.com/actions/checkout/pull/1872](https://redirect.github.com/actions/checkout/pull/1872)
--- ### Configuration πŸ“… **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. β™» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. πŸ”• **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/defenseunicorns/uds-core). --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Micah Nagel Co-authored-by: Micah Nagel --- .github/workflows/commitlint.yaml | 2 +- .github/workflows/compliance.yaml | 2 +- .github/workflows/docs-shim.yaml | 2 +- .github/workflows/lint-oscal.yaml | 5 +++-- .github/workflows/publish.yaml | 2 +- .github/workflows/pull-request-conditionals.yaml | 4 ++-- .github/workflows/slim-dev-test.yaml | 2 +- .github/workflows/snapshot-release.yaml | 2 +- .github/workflows/test.yaml | 2 +- 9 files changed, 12 insertions(+), 11 deletions(-) diff --git a/.github/workflows/commitlint.yaml b/.github/workflows/commitlint.yaml index fd8924140..5d0d7a7b7 100644 --- a/.github/workflows/commitlint.yaml +++ b/.github/workflows/commitlint.yaml @@ -15,7 +15,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 with: fetch-depth: 0 diff --git a/.github/workflows/compliance.yaml b/.github/workflows/compliance.yaml index 74b8d54d3..eb4f6598c 100644 --- a/.github/workflows/compliance.yaml +++ b/.github/workflows/compliance.yaml @@ -30,7 +30,7 @@ jobs: steps: # Used to execute the uds run command - name: Checkout repository - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - name: Environment setup uses: ./.github/actions/setup diff --git a/.github/workflows/docs-shim.yaml b/.github/workflows/docs-shim.yaml index 2ae466cc6..f1e131434 100644 --- a/.github/workflows/docs-shim.yaml +++ b/.github/workflows/docs-shim.yaml @@ -23,7 +23,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout repository - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - name: lint-check uses: ./.github/actions/lint-check diff --git a/.github/workflows/lint-oscal.yaml b/.github/workflows/lint-oscal.yaml index 4f1501e1b..33dab2e60 100644 --- a/.github/workflows/lint-oscal.yaml +++ b/.github/workflows/lint-oscal.yaml @@ -6,6 +6,7 @@ on: types: [milestoned, opened, reopened, synchronize] paths: - '**/*oscal*.yaml' + - '!.github/workflows/lint-oscal.yaml' permissions: contents: read @@ -20,7 +21,7 @@ jobs: oscal_files: ${{ steps.path-filter.outputs.oscal_files }} steps: - name: Checkout the code - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 # Uses a custom action to filter paths for source packages. - name: Check src paths @@ -47,7 +48,7 @@ jobs: shell: bash # checkout for access to the oscal files targeted for linting - name: Checkout the code - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - name: Environment setup uses: ./.github/actions/setup # lint the oscal files diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml index bfb1d49dd..6ed33ecbe 100644 --- a/.github/workflows/publish.yaml +++ b/.github/workflows/publish.yaml @@ -23,7 +23,7 @@ jobs: id-token: write # This is needed for OIDC federation. steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - name: Environment setup uses: ./.github/actions/setup diff --git a/.github/workflows/pull-request-conditionals.yaml b/.github/workflows/pull-request-conditionals.yaml index cc0a879d4..c5ccf2adf 100644 --- a/.github/workflows/pull-request-conditionals.yaml +++ b/.github/workflows/pull-request-conditionals.yaml @@ -42,7 +42,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout repository - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - name: lint-check uses: ./.github/actions/lint-check @@ -56,7 +56,7 @@ jobs: steps: - name: Checkout the code - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 # Uses a custom action to filter paths for source packages. - name: Check src paths diff --git a/.github/workflows/slim-dev-test.yaml b/.github/workflows/slim-dev-test.yaml index 89c72e8c6..a3b09ee32 100644 --- a/.github/workflows/slim-dev-test.yaml +++ b/.github/workflows/slim-dev-test.yaml @@ -42,7 +42,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout the code - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - name: Environment setup uses: ./.github/actions/setup - name: Deploy Slim Dev Bundle diff --git a/.github/workflows/snapshot-release.yaml b/.github/workflows/snapshot-release.yaml index 5ea5da234..b1c188e67 100644 --- a/.github/workflows/snapshot-release.yaml +++ b/.github/workflows/snapshot-release.yaml @@ -24,7 +24,7 @@ jobs: permissions: contents: write steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 with: fetch-tags: 'true' - name: Update snapshot-latest tag diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index fca5ce590..a5ed0ce24 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml @@ -47,7 +47,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - name: Environment setup uses: ./.github/actions/setup From a4c1b78b381bf00d0c1aa781b662a3f90324e224 Mon Sep 17 00:00:00 2001 From: Wayne Starr Date: Mon, 30 Sep 2024 16:44:53 -0600 Subject: [PATCH 27/90] chore: fix broken link in docs (#845) ## Description This fixes a broken link in the docs ## Related Issue Fixes #N/A ## Type of change - [ ] Bug fix (non-breaking change which fixes an issue) - [ ] New feature (non-breaking change which adds functionality) - [x] Other (security config, docs update, etc) ## Checklist before merging - [x] Test, docs, adr added or updated as needed - [x] [Contributor Guide](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md) followed --- docs/configuration/pepr-policies.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuration/pepr-policies.md b/docs/configuration/pepr-policies.md index 96e127e04..fa05a3557 100644 --- a/docs/configuration/pepr-policies.md +++ b/docs/configuration/pepr-policies.md @@ -9,7 +9,7 @@ weight: 3 ### Pepr Policy Exemptions {#pepr-policy-exemptions} These policies are based on the [Big Bang](https://p1.dso.mil/services/big-bang) policies created with Kyverno. You can find the source policies [here](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies), Policy Names below also have links to the referenced Big Bang policy. -Exemptions can be specified by a [UDS Exemption CR](../operator/README.md). These take the place of Kyverno Exceptions. +Exemptions can be specified by a [UDS Exemption CR](../uds-operator#exemption). These take the place of Kyverno Exceptions. If a resource is exempted, it will be annotated as `uds-core.pepr.dev/uds-core-policies.: exempted` From 1d89890db19540b5292a1d4cfe988f00599a964d Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 1 Oct 2024 08:41:50 -0600 Subject: [PATCH 28/90] chore(deps): update dependency defenseunicorns/lula to v0.8.0 (#841) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This PR contains the following updates: | Package | Update | Change | |---|---|---| | [defenseunicorns/lula](https://redirect.github.com/defenseunicorns/lula) | minor | `v0.7.0` -> `v0.8.0` | --- ### Release Notes
defenseunicorns/lula (defenseunicorns/lula) ### [`v0.8.0`](https://redirect.github.com/defenseunicorns/lula/releases/tag/v0.8.0) [Compare Source](https://redirect.github.com/defenseunicorns/lula/compare/v0.7.0...v0.8.0) This release adds multiple capabilities of focus for iteration in the near future. Console support for editing existing control description/remarks in a component definition is now supported. Adding some guardrails to `template` such that we can add structure to configuration inputs and also mask/ignore templating of sensitive variables was a target. Couple with that `template` also supports rendering remote resources from network locations. lastly - as we iterate towards trust and reproducible behaviors - we added the ability to start collecting evidence payloads with the `--save-resources` flag in the `validate` command. This release also included a few bug fixes for whitespace management. ##### ⚠ BREAKING CHANGES - **template:** introducing variables and sensitive configuration ([#​672](https://redirect.github.com/defenseunicorns/lula/issues/672)) ##### Features - **console:** editing a component definition ([#​648](https://redirect.github.com/defenseunicorns/lula/issues/648)) ([ae06e27](https://redirect.github.com/defenseunicorns/lula/commit/ae06e27869043270647670693df342710e3d4390)) - **template:** enable remote file templating ([#​680](https://redirect.github.com/defenseunicorns/lula/issues/680)) ([f16bcf6](https://redirect.github.com/defenseunicorns/lula/commit/f16bcf64134ab3eda904b40d26e72c19cd96be9b)) - **template:** introducing variables and sensitive configuration ([#​672](https://redirect.github.com/defenseunicorns/lula/issues/672)) ([5d1f232](https://redirect.github.com/defenseunicorns/lula/commit/5d1f23257ba7f11508a90c883b152349bcc2d7fd)) - **validate:** save validation resources ([#​612](https://redirect.github.com/defenseunicorns/lula/issues/612)) ([7b9a771](https://redirect.github.com/defenseunicorns/lula/commit/7b9a771852349903025d5d733f0d71fab5133daa)) ##### Bug Fixes - cleaned whitespace+newline in rego ([#​671](https://redirect.github.com/defenseunicorns/lula/issues/671)) ([ac7039d](https://redirect.github.com/defenseunicorns/lula/commit/ac7039d2222177869e4cf4db544b90a762aa1a0c)) - trim whitespace bug ([#​677](https://redirect.github.com/defenseunicorns/lula/issues/677)) ([e30a824](https://redirect.github.com/defenseunicorns/lula/commit/e30a8247123ea4bbdf0a582964dfe4ff81aac9f1)) ##### Miscellaneous - **codeowners:** update codeowners to reflect current team ([#​663](https://redirect.github.com/defenseunicorns/lula/issues/663)) ([7fceaf6](https://redirect.github.com/defenseunicorns/lula/commit/7fceaf67145c38933e2f8b61177e31ff7c8a84e2)) - **deps:** update actions/checkout action to v4.2.0 ([#​681](https://redirect.github.com/defenseunicorns/lula/issues/681)) ([187b8a2](https://redirect.github.com/defenseunicorns/lula/commit/187b8a2da0545fc78ba56f051bfd6bd19583f3ce)) - **deps:** update actions/github-script digest to [`660ec11`](https://redirect.github.com/defenseunicorns/lula/commit/660ec11) ([#​669](https://redirect.github.com/defenseunicorns/lula/issues/669)) ([ea40e70](https://redirect.github.com/defenseunicorns/lula/commit/ea40e70cd84d3cfd1889c9b0d2e27b49d171ce44)) - **deps:** update actions/setup-node action to v4.0.4 ([#​674](https://redirect.github.com/defenseunicorns/lula/issues/674)) ([643d502](https://redirect.github.com/defenseunicorns/lula/commit/643d502278a187a90c643bb76c50373f2c7d6117)) - **deps:** update github.com/charmbracelet/x/exp/teatest digest to [`227168d`](https://redirect.github.com/defenseunicorns/lula/commit/227168d) ([#​666](https://redirect.github.com/defenseunicorns/lula/issues/666)) ([6bc23e3](https://redirect.github.com/defenseunicorns/lula/commit/6bc23e3109d6e415668209ca3dfc59064fd019f1)) - **deps:** update github/codeql-action action to v3.26.8 ([#​673](https://redirect.github.com/defenseunicorns/lula/issues/673)) ([0ca43a1](https://redirect.github.com/defenseunicorns/lula/commit/0ca43a1570867b2d8d49429d92cc18b30bbfc26c)) - **deps:** update github/codeql-action action to v3.26.9 ([#​679](https://redirect.github.com/defenseunicorns/lula/issues/679)) ([20bdbcd](https://redirect.github.com/defenseunicorns/lula/commit/20bdbcd80ad877bac149d249c4e931eb1fc43e33)) #### What's Changed - fix: cleaned whitespace+newline in rego by [@​meganwolf0](https://redirect.github.com/meganwolf0) in [https://github.com/defenseunicorns/lula/pull/671](https://redirect.github.com/defenseunicorns/lula/pull/671) - chore(deps): update actions/github-script digest to [`660ec11`](https://redirect.github.com/defenseunicorns/lula/commit/660ec11) by [@​renovate](https://redirect.github.com/renovate) in [https://github.com/defenseunicorns/lula/pull/669](https://redirect.github.com/defenseunicorns/lula/pull/669) - chore(deps): update github.com/charmbracelet/x/exp/teatest digest to [`227168d`](https://redirect.github.com/defenseunicorns/lula/commit/227168d) by [@​renovate](https://redirect.github.com/renovate) in [https://github.com/defenseunicorns/lula/pull/666](https://redirect.github.com/defenseunicorns/lula/pull/666) - chore(codeowners): update codeowners to reflect current team by [@​brandtkeller](https://redirect.github.com/brandtkeller) in [https://github.com/defenseunicorns/lula/pull/663](https://redirect.github.com/defenseunicorns/lula/pull/663) - chore(deps): update github/codeql-action action to v3.26.8 by [@​renovate](https://redirect.github.com/renovate) in [https://github.com/defenseunicorns/lula/pull/673](https://redirect.github.com/defenseunicorns/lula/pull/673) - chore(deps): update actions/setup-node action to v4.0.4 by [@​renovate](https://redirect.github.com/renovate) in [https://github.com/defenseunicorns/lula/pull/674](https://redirect.github.com/defenseunicorns/lula/pull/674) - fix: trim whitespace bug by [@​CloudBeard](https://redirect.github.com/CloudBeard) in [https://github.com/defenseunicorns/lula/pull/677](https://redirect.github.com/defenseunicorns/lula/pull/677) - feat(console): component definition write by [@​meganwolf0](https://redirect.github.com/meganwolf0) in [https://github.com/defenseunicorns/lula/pull/648](https://redirect.github.com/defenseunicorns/lula/pull/648) - feat(validate): save validation resources by [@​meganwolf0](https://redirect.github.com/meganwolf0) in [https://github.com/defenseunicorns/lula/pull/612](https://redirect.github.com/defenseunicorns/lula/pull/612) - feat(template)!: introducing variables and sensitive configuration by [@​meganwolf0](https://redirect.github.com/meganwolf0) in [https://github.com/defenseunicorns/lula/pull/672](https://redirect.github.com/defenseunicorns/lula/pull/672) - feat(template): enable remote file templating by [@​brandtkeller](https://redirect.github.com/brandtkeller) in [https://github.com/defenseunicorns/lula/pull/680](https://redirect.github.com/defenseunicorns/lula/pull/680) - chore(deps): update github/codeql-action action to v3.26.9 by [@​renovate](https://redirect.github.com/renovate) in [https://github.com/defenseunicorns/lula/pull/679](https://redirect.github.com/defenseunicorns/lula/pull/679) - chore(deps): update actions/checkout action to v4.2.0 by [@​renovate](https://redirect.github.com/renovate) in [https://github.com/defenseunicorns/lula/pull/681](https://redirect.github.com/defenseunicorns/lula/pull/681) - chore(main): release 0.8.0 by [@​github-actions](https://redirect.github.com/github-actions) in [https://github.com/defenseunicorns/lula/pull/665](https://redirect.github.com/defenseunicorns/lula/pull/665) **Full Changelog**: https://github.com/defenseunicorns/lula/compare/v0.7.0...v0.8.0
--- ### Configuration πŸ“… **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. β™» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. πŸ”• **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/defenseunicorns/uds-core). Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Chance <139784371+UnicornChance@users.noreply.github.com> --- .github/actions/setup/action.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/actions/setup/action.yaml b/.github/actions/setup/action.yaml index 9220d70af..9c5b5040d 100644 --- a/.github/actions/setup/action.yaml +++ b/.github/actions/setup/action.yaml @@ -40,7 +40,7 @@ runs: uses: defenseunicorns/lula-action/setup@badad8c4b1570095f57e66ffd62664847698a3b9 # v0.0.1 with: # renovate: datasource=github-tags depName=defenseunicorns/lula versioning=semver-coerced - version: v0.7.0 + version: v0.8.0 - name: Iron Bank Login if: ${{ inputs.registry1Username != '' }} From d082d2a3a87b50bd95f7351fed3a7f4101541f31 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 1 Oct 2024 09:08:27 -0600 Subject: [PATCH 29/90] chore(deps): update prometheus operator to 0.77.1 (#819) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This PR contains the following updates: | Package | Update | Change | |---|---|---| | [cgr.dev/du-uds-defenseunicorns/prometheus-config-reloader-fips](https://images.chainguard.dev/directory/image/prometheus-config-reloader-fips/overview) ([source](https://redirect.github.com/chainguard-images/images-private/tree/HEAD/images/prometheus-config-reloader-fips)) | patch | `0.77.0` -> `0.77.1` | | [cgr.dev/du-uds-defenseunicorns/prometheus-operator-fips](https://images.chainguard.dev/directory/image/prometheus-operator-fips/overview) ([source](https://redirect.github.com/chainguard-images/images-private/tree/HEAD/images/prometheus-operator-fips)) | patch | `0.77.0` -> `0.77.1` | | [kube-prometheus-stack](https://redirect.github.com/prometheus-operator/kube-prometheus) ([source](https://redirect.github.com/prometheus-community/helm-charts)) | major | `62.7.0` -> `63.1.0` | | [prometheus-operator/prometheus-operator](https://redirect.github.com/prometheus-operator/prometheus-operator) | patch | `v0.77.0` -> `v0.77.1` | | quay.io/prometheus-operator/prometheus-config-reloader | patch | `v0.77.0` -> `v0.77.1` | | [quay.io/prometheus-operator/prometheus-operator](https://prometheus-operator.dev/) ([source](https://redirect.github.com/prometheus-operator/prometheus-operator)) | patch | `v0.77.0` -> `v0.77.1` | | [registry1.dso.mil/ironbank/opensource/prometheus-operator/prometheus-config-reloader](https://redirect.github.com/prometheus-operator/prometheus-operator) ([source](https://repo1.dso.mil/dsop/opensource/prometheus-operator/prometheus-config-reloader)) | patch | `v0.77.0` -> `v0.77.1` | | [registry1.dso.mil/ironbank/opensource/prometheus-operator/prometheus-operator](https://redirect.github.com/prometheus-operator/prometheus-operator) ([source](https://repo1.dso.mil/dsop/opensource/prometheus-operator/prometheus-operator)) | patch | `v0.77.0` -> `v0.77.1` | --- ### Release Notes
prometheus-community/helm-charts (kube-prometheus-stack) ### [`v63.1.0`](https://redirect.github.com/prometheus-community/helm-charts/compare/kube-prometheus-stack-63.0.0...kube-prometheus-stack-63.1.0) [Compare Source](https://redirect.github.com/prometheus-community/helm-charts/compare/kube-prometheus-stack-63.0.0...kube-prometheus-stack-63.1.0) ### [`v63.0.0`](https://redirect.github.com/prometheus-community/helm-charts/releases/tag/kube-prometheus-stack-63.0.0) [Compare Source](https://redirect.github.com/prometheus-community/helm-charts/compare/kube-prometheus-stack-62.7.0...kube-prometheus-stack-63.0.0) kube-prometheus-stack collects Kubernetes manifests, Grafana dashboards, and Prometheus rules combined with documentation and scripts to provide easy to operate end-to-end Kubernetes cluster monitoring with Prometheus using the Prometheus Operator. #### What's Changed - \[kube-prometheus-stack] Add downward compat for Prom CRD by [@​schnatterer](https://redirect.github.com/schnatterer) in [https://github.com/prometheus-community/helm-charts/pull/4818](https://redirect.github.com/prometheus-community/helm-charts/pull/4818) #### New Contributors - [@​schnatterer](https://redirect.github.com/schnatterer) made their first contribution in [https://github.com/prometheus-community/helm-charts/pull/4818](https://redirect.github.com/prometheus-community/helm-charts/pull/4818) **Full Changelog**: https://github.com/prometheus-community/helm-charts/compare/prometheus-conntrack-stats-exporter-0.5.11...kube-prometheus-stack-63.0.0
prometheus-operator/prometheus-operator (prometheus-operator/prometheus-operator) ### [`v0.77.1`](https://redirect.github.com/prometheus-operator/prometheus-operator/releases/tag/v0.77.1): 0.77.1 / 2024-09-25 [Compare Source](https://redirect.github.com/prometheus-operator/prometheus-operator/compare/v0.77.0...v0.77.1) - \[BUGFIX] Fix Thanos Ruler reconciliations not triggered on StatefulSet updates. [#​6964](https://redirect.github.com/prometheus-operator/prometheus-operator/issues/6964) - \[BUGFIX] Fix error message for unsupported versions. [#​6965](https://redirect.github.com/prometheus-operator/prometheus-operator/issues/6965)
--- ### Configuration πŸ“… **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. β™» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. πŸ‘» **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/defenseunicorns/uds-core). Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Chance <139784371+UnicornChance@users.noreply.github.com> --- src/prometheus-stack/common/zarf.yaml | 2 +- src/prometheus-stack/tasks.yaml | 4 ++-- src/prometheus-stack/values/registry1-values.yaml | 4 ++-- src/prometheus-stack/values/unicorn-values.yaml | 4 ++-- src/prometheus-stack/values/upstream-values.yaml | 4 ++-- src/prometheus-stack/zarf.yaml | 12 ++++++------ 6 files changed, 15 insertions(+), 15 deletions(-) diff --git a/src/prometheus-stack/common/zarf.yaml b/src/prometheus-stack/common/zarf.yaml index 142bbd63f..b3bd1c50b 100644 --- a/src/prometheus-stack/common/zarf.yaml +++ b/src/prometheus-stack/common/zarf.yaml @@ -15,7 +15,7 @@ components: - name: kube-prometheus-stack namespace: monitoring url: https://prometheus-community.github.io/helm-charts - version: 62.7.0 + version: 63.1.0 valuesFiles: - "../values/values.yaml" actions: diff --git a/src/prometheus-stack/tasks.yaml b/src/prometheus-stack/tasks.yaml index eacf43448..ab3939d63 100644 --- a/src/prometheus-stack/tasks.yaml +++ b/src/prometheus-stack/tasks.yaml @@ -33,8 +33,8 @@ tasks: # - name: gen-crds # actions: # - description: Generate servicemonitor types - # cmd: "npx kubernetes-fluent-client crd https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.77.0/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml src/pepr/operator/crd/generated/prometheus" + # cmd: "npx kubernetes-fluent-client crd https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.77.1/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml src/pepr/operator/crd/generated/prometheus" # - description: Generate podmonitor types - # cmd: "npx kubernetes-fluent-client crd https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.77.0/example/prometheus-operator-crd/monitoring.coreos.com_podmonitors.yaml src/pepr/operator/crd/generated/prometheus" + # cmd: "npx kubernetes-fluent-client crd https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.77.1/example/prometheus-operator-crd/monitoring.coreos.com_podmonitors.yaml src/pepr/operator/crd/generated/prometheus" # - description: Pepr Format # cmd: "npx pepr format" diff --git a/src/prometheus-stack/values/registry1-values.yaml b/src/prometheus-stack/values/registry1-values.yaml index b0d19a0a9..c6225f69e 100644 --- a/src/prometheus-stack/values/registry1-values.yaml +++ b/src/prometheus-stack/values/registry1-values.yaml @@ -48,9 +48,9 @@ prometheusOperator: image: registry: registry1.dso.mil repository: ironbank/opensource/prometheus-operator/prometheus-operator - tag: v0.77.0 + tag: v0.77.1 prometheusConfigReloader: image: registry: registry1.dso.mil repository: ironbank/opensource/prometheus-operator/prometheus-config-reloader - tag: v0.77.0 + tag: v0.77.1 diff --git a/src/prometheus-stack/values/unicorn-values.yaml b/src/prometheus-stack/values/unicorn-values.yaml index f9f1f9f91..92db339d5 100644 --- a/src/prometheus-stack/values/unicorn-values.yaml +++ b/src/prometheus-stack/values/unicorn-values.yaml @@ -48,9 +48,9 @@ prometheusOperator: image: registry: cgr.dev repository: du-uds-defenseunicorns/prometheus-operator-fips - tag: 0.77.0 + tag: 0.77.1 prometheusConfigReloader: image: registry: cgr.dev repository: du-uds-defenseunicorns/prometheus-config-reloader-fips - tag: 0.77.0 + tag: 0.77.1 diff --git a/src/prometheus-stack/values/upstream-values.yaml b/src/prometheus-stack/values/upstream-values.yaml index 8f2c4c34a..6a2314092 100644 --- a/src/prometheus-stack/values/upstream-values.yaml +++ b/src/prometheus-stack/values/upstream-values.yaml @@ -40,9 +40,9 @@ prometheusOperator: image: registry: quay.io repository: prometheus-operator/prometheus-operator - tag: v0.77.0 + tag: v0.77.1 prometheusConfigReloader: image: registry: quay.io repository: prometheus-operator/prometheus-config-reloader - tag: v0.77.0 + tag: v0.77.1 diff --git a/src/prometheus-stack/zarf.yaml b/src/prometheus-stack/zarf.yaml index b1c30e46a..6b09a60a0 100644 --- a/src/prometheus-stack/zarf.yaml +++ b/src/prometheus-stack/zarf.yaml @@ -28,10 +28,10 @@ components: - "values/upstream-values.yaml" images: - "quay.io/prometheus/node-exporter:v1.8.2" - - "quay.io/prometheus-operator/prometheus-operator:v0.77.0" + - "quay.io/prometheus-operator/prometheus-operator:v0.77.1" - "registry.k8s.io/kube-state-metrics/kube-state-metrics:v2.13.0" - "quay.io/prometheus/alertmanager:v0.27.0" - - "quay.io/prometheus-operator/prometheus-config-reloader:v0.77.0" + - "quay.io/prometheus-operator/prometheus-config-reloader:v0.77.1" - "quay.io/prometheus/prometheus:v2.54.1" - "registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.3" @@ -48,10 +48,10 @@ components: - "values/registry1-values.yaml" images: - "registry1.dso.mil/ironbank/opensource/prometheus/node-exporter:v1.8.2" - - "registry1.dso.mil/ironbank/opensource/prometheus-operator/prometheus-operator:v0.77.0" + - "registry1.dso.mil/ironbank/opensource/prometheus-operator/prometheus-operator:v0.77.1" - "registry1.dso.mil/ironbank/opensource/kubernetes/kube-state-metrics:v2.13.0" - "registry1.dso.mil/ironbank/opensource/prometheus/alertmanager:v0.27.0" - - "registry1.dso.mil/ironbank/opensource/prometheus-operator/prometheus-config-reloader:v0.77.0" + - "registry1.dso.mil/ironbank/opensource/prometheus-operator/prometheus-config-reloader:v0.77.1" - "registry1.dso.mil/ironbank/opensource/prometheus/prometheus:v2.54.1" - "registry1.dso.mil/ironbank/opensource/ingress-nginx/kube-webhook-certgen:v1.4.3" @@ -68,9 +68,9 @@ components: - "values/unicorn-values.yaml" images: - "cgr.dev/du-uds-defenseunicorns/prometheus-node-exporter-fips:1.8.2" - - "cgr.dev/du-uds-defenseunicorns/prometheus-operator-fips:0.77.0" + - "cgr.dev/du-uds-defenseunicorns/prometheus-operator-fips:0.77.1" - "cgr.dev/du-uds-defenseunicorns/kube-state-metrics-fips:2.13.0" - "cgr.dev/du-uds-defenseunicorns/prometheus-alertmanager-fips:0.27.0" - - "cgr.dev/du-uds-defenseunicorns/prometheus-config-reloader-fips:0.77.0" + - "cgr.dev/du-uds-defenseunicorns/prometheus-config-reloader-fips:0.77.1" - "cgr.dev/du-uds-defenseunicorns/prometheus-fips:2.54.1" - "cgr.dev/du-uds-defenseunicorns/kube-webhook-certgen-fips:1.11.2" From 4bdffc7044f2b8762905e0d6e0e5f4715f0a9361 Mon Sep 17 00:00:00 2001 From: Chance <139784371+UnicornChance@users.noreply.github.com> Date: Tue, 1 Oct 2024 16:16:56 -0600 Subject: [PATCH 30/90] feat: grafana-ha (#838) ## Description - Document the HA setup requirements for Grafana. - Ensure that these are provided as an example configuration. - Setup the nightly testing with an external RDS database to ensure this is consistently tested in nightly CI. - Update task for testing HA configuration locally to utilize single postgres docker container for keycloak and grafana. ## To Test 1. utilize the `test-uds-core-ha` task to deploy HA grafana and keycloak. 2. after deployment, access grafana dashboard at grafana.admin.uds.dev and validate things are working. 3. make sure there is scaled grafana pods ( should be 2 pods ). 4. add a dashboard to grafana ui. 5. delete pods and validate dashboard still exists. ## Related Issue Fixes #716 ## Type of change - [ ] Bug fix (non-breaking change which fixes an issue) - [x] New feature (non-breaking change which adds functionality) - [ ] Other (security config, docs update, etc) ## Checklist before merging - [x] Test, docs, adr added or updated as needed - [x] [Contributor Guide](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md) followed --------- Co-authored-by: Micah Nagel --- .github/bundles/uds-bundle.yaml | 23 ++++ .github/bundles/uds-config.yaml | 6 + .github/test-infra/rds-iac/main.tf | 118 ++++++++++++++++++ .github/test-infra/rds-iac/output.tf | 25 ++++ .github/test-infra/rds-iac/variables.tf | 57 +++++++++ .github/workflows/nightly-testing.yaml | 1 + .gitignore | 1 + bundles/k3d-standard/README.md | 15 ++- bundles/k3d-standard/uds-bundle.yaml | 26 ++++ bundles/k3d-standard/uds-ha-config.yaml | 12 +- .../resource-configuration-and-ha.md | 37 +++++- src/grafana/chart/templates/_helpers.tpl | 37 ++++++ .../chart/templates/secret-postgres.yaml | 19 +++ src/grafana/chart/templates/uds-package.yaml | 27 ++++ src/grafana/chart/values.yaml | 22 ++++ src/grafana/values/values.yaml | 34 +++++ tasks.yaml | 5 +- tasks/iac.yaml | 53 +++++++- 18 files changed, 507 insertions(+), 11 deletions(-) create mode 100644 .github/test-infra/rds-iac/main.tf create mode 100644 .github/test-infra/rds-iac/output.tf create mode 100644 .github/test-infra/rds-iac/variables.tf create mode 100644 src/grafana/chart/templates/secret-postgres.yaml diff --git a/.github/bundles/uds-bundle.yaml b/.github/bundles/uds-bundle.yaml index d299988e2..befaa7e67 100644 --- a/.github/bundles/uds-bundle.yaml +++ b/.github/bundles/uds-bundle.yaml @@ -53,3 +53,26 @@ packages: - name: LOKI_IRSA_ANNOTATION description: "The irsa role annotation" path: serviceAccount.annotations.eks\.amazonaws\.com/role-arn + grafana: + grafana: + variables: + - name: GRAFANA_HA + description: Enable HA Grafana + path: autoscaling.enabled + uds-grafana-config: + variables: + - name: GRAFANA_PG_HOST + description: Grafana postgresql host + path: postgresql.host + - name: GRAFANA_PG_PORT + description: Grafana postgresql port + path: postgresql.port + - name: GRAFANA_PG_DATABASE + description: Grafana postgresql database + path: postgresql.database + - name: GRAFANA_PG_PASSWORD + description: Grafana postgresql password + path: postgresql.password + - name: GRAFANA_PG_USER + description: Grafana postgresql username + path: postgresql.user diff --git a/.github/bundles/uds-config.yaml b/.github/bundles/uds-config.yaml index 722dd3689..e0874bd52 100644 --- a/.github/bundles/uds-config.yaml +++ b/.github/bundles/uds-config.yaml @@ -16,3 +16,9 @@ variables: velero_bucket_provider_url: "" velero_bucket_credential_name: "" velero_bucket_credential_key: "" + grafana_ha: true + grafana_pg_host: ${ZARF_VAR_GRAFANA_PG_HOST} + grafana_pg_port: ${ZARF_VAR_GRAFANA_PG_PORT} + grafana_pg_database: ${ZARF_VAR_GRAFANA_PG_DATABASE} + grafana_pg_password: ${ZARF_VAR_GRAFANA_PG_PASSWORD} + grafana_pg_user: ${ZARF_VAR_GRAFANA_PG_USER} diff --git a/.github/test-infra/rds-iac/main.tf b/.github/test-infra/rds-iac/main.tf new file mode 100644 index 000000000..64c64a9d6 --- /dev/null +++ b/.github/test-infra/rds-iac/main.tf @@ -0,0 +1,118 @@ +provider "aws" { + region = var.region +} + +terraform { + required_version = ">= 1.8.0" + backend "s3" { + } + required_providers { + aws = { + source = "hashicorp/aws" + version = ">= 4.0" + } + + random = { + source = "hashicorp/random" + version = "3.6.3" + } + } +} + +resource "random_password" "db_password" { + length = 16 + special = false +} + +resource "aws_secretsmanager_secret" "db_secret" { + name = "${var.db_name}-db-secret-${random_id.unique_id.hex}" + description = "DB authentication token for ${var.db_name}" + recovery_window_in_days = var.recovery_window +} + +resource "aws_secretsmanager_secret_version" "db_secret_value" { + depends_on = [aws_secretsmanager_secret.db_secret] + secret_id = aws_secretsmanager_secret.db_secret.id + secret_string = random_password.db_password.result +} + +module "db" { + source = "terraform-aws-modules/rds/aws" + version = "6.1.1" + + identifier = "${var.db_name}-db" + instance_use_identifier_prefix = true + + allocated_storage = var.db_allocated_storage + backup_retention_period = 1 + backup_window = "03:00-06:00" + maintenance_window = "Mon:00:00-Mon:03:00" + + engine = "postgres" + engine_version = var.db_engine_version + major_engine_version = split(".", var.db_engine_version)[0] + family = "postgres15" + instance_class = var.db_instance_class + + db_name = var.db_name + username = var.username + port = var.db_port + + subnet_ids = data.aws_subnets.subnets.ids + create_db_subnet_group = true + manage_master_user_password = false + password = random_password.db_password.result + + vpc_security_group_ids = [aws_security_group.rds_sg.id] + + depends_on = [ + aws_security_group.rds_sg + ] +} + +resource "aws_security_group" "rds_sg" { + vpc_id = local.vpc_id + + egress { + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + ipv6_cidr_blocks = ["::/0"] + } +} + +resource "aws_vpc_security_group_ingress_rule" "rds_ingress" { + security_group_id = aws_security_group.rds_sg.id + + cidr_ipv4 = "0.0.0.0/0" + ip_protocol = "tcp" + from_port = 0 + to_port = 5432 +} + +data "aws_vpc" "vpc" { + filter { + name = "tag:Name" + values = ["eksctl-${var.name}-cluster/VPC"] + } +} + +data "aws_subnets" "subnets" { + filter { + name = "vpc-id" + values = [data.aws_vpc.vpc.id] + } +} + +data "aws_partition" "current" {} + +data "aws_caller_identity" "current" {} + +locals { + vpc_id = data.aws_vpc.vpc.id +} + +resource "random_id" "unique_id" { + byte_length = 4 +} diff --git a/.github/test-infra/rds-iac/output.tf b/.github/test-infra/rds-iac/output.tf new file mode 100644 index 000000000..79b969230 --- /dev/null +++ b/.github/test-infra/rds-iac/output.tf @@ -0,0 +1,25 @@ +output "grafana_pg_host" { + description = "RDS Endpoint for Grafana" + value = element(split(":", module.db.db_instance_endpoint), 0) +} + +output "grafana_pg_port" { + description = "RDS Port for Grafana" + value = var.db_port +} + +output "grafana_pg_database" { + description = "Database name for Grafana" + value = var.db_name +} + +output "grafana_pg_user" { + description = "Database username for Grafana" + value = var.username +} + +output "grafana_pg_password" { + description = "RDS Password for Grafana" + value = random_password.db_password.result + sensitive = true +} diff --git a/.github/test-infra/rds-iac/variables.tf b/.github/test-infra/rds-iac/variables.tf new file mode 100644 index 000000000..71124b95c --- /dev/null +++ b/.github/test-infra/rds-iac/variables.tf @@ -0,0 +1,57 @@ +variable "region" { + description = "AWS region" + type = string +} + +variable "name" { + description = "Name for cluster" + type = string +} + +variable "recovery_window" { + description = "Number of days to retain secret before permanent deletion" + type = number + default = 30 +} + +variable "db_name" { + description = "The name to give the database" + type = string + default = "grafana" +} + +variable "db_port" { + description = "The database port" + type = number + default = 5432 +} + +variable "username" { + description = "The username to use to login to the DB" + type = string + default = "grafana" +} + +variable "db_engine_version" { + description = "The Postgres engine version to use for the DB" + type = string + default = "15.7" +} + +variable "db_allocated_storage" { + description = "Storage allocated to RDS instance" + type = number + default = 20 +} + +variable "db_storage_type" { + description = "The type of storage (e.g., gp2, io1)" + type = string + default = "gp2" +} + +variable "db_instance_class" { + description = "The class of RDS instance (e.g., db.t4g.large)" + type = string + default = "db.t4g.large" +} diff --git a/.github/workflows/nightly-testing.yaml b/.github/workflows/nightly-testing.yaml index 526dd2ab6..638e5c969 100644 --- a/.github/workflows/nightly-testing.yaml +++ b/.github/workflows/nightly-testing.yaml @@ -9,6 +9,7 @@ on: - .github/workflows/test-eks.yaml - .github/bundles/* - .github/test-infra/buckets-iac/* + - .github/test-infra/rds-iac/* # Abort prior jobs in the same workflow / PR concurrency: diff --git a/.gitignore b/.gitignore index ad3474a0f..75b5a663e 100644 --- a/.gitignore +++ b/.gitignore @@ -18,3 +18,4 @@ extract-terraform.sh **/.terraform* cluster-config.yaml **.tfstate +**.backup diff --git a/bundles/k3d-standard/README.md b/bundles/k3d-standard/README.md index 23d065d47..0bd7dd692 100644 --- a/bundles/k3d-standard/README.md +++ b/bundles/k3d-standard/README.md @@ -59,6 +59,19 @@ This bundle is used for demonstration, development, and testing of UDS Core. In | `KEYCLOAK_PG_HOST` | Keycloak Postgres host | `postgresql.host` | | `KEYCLOAK_DEVMODE` | Enables Keycloak dev mode | `devMode` | +##### grafana (grafana) +| Variable | Description | Path | +|----------|-------------|------| +| `GRAFANA_HA` | Enable HA Grafana | `autoscaling.enabled` | + +##### grafana (uds-grafana-config) +| Variable | Description | Path | +|----------|-------------|------| +| `GRAFANA_PG_HOST` | Grafana postgresql host | `postgresql.host` | +| `GRAFANA_PG_PORT` | Grafana postgresql port | `postgresql.port` | +| `GRAFANA_PG_PASSWORD` | Grafana postgresql password | `postgresql.password` | +| `GRAFANA_PG_DATABASE` | Grafana postgresql database | `postgresql.database` | +| `GRAFANA_PG_USER` | Grafana postgresql username | `postgresql.user` | ## Override Examples: @@ -96,4 +109,4 @@ variables: LOKI_S3_REGION: us-east-1 LOKI_S3_ACCESS_KEY_ID: LOKI_S3_SECRET_ACCESS_KEY: -``` \ No newline at end of file +``` diff --git a/bundles/k3d-standard/uds-bundle.yaml b/bundles/k3d-standard/uds-bundle.yaml index 8127b5935..e4285f58f 100644 --- a/bundles/k3d-standard/uds-bundle.yaml +++ b/bundles/k3d-standard/uds-bundle.yaml @@ -140,3 +140,29 @@ packages: GOOGLE_IDP_CORE_ENTITY_ID: "https://sso.uds.dev/realms/uds" GOOGLE_IDP_ADMIN_GROUP: "uds-core-dev-admin" GOOGLE_IDP_AUDITOR_GROUP: "uds-core-dev-auditor" + grafana: + grafana: + variables: + - name: GRAFANA_HA + description: Enable HA Grafana + path: autoscaling.enabled + uds-grafana-config: + variables: + - name: GRAFANA_PG_HOST + description: Grafana postgresql host + path: postgresql.host + - name: GRAFANA_PG_PORT + description: Grafana postgresql port + path: postgresql.port + - name: GRAFANA_PG_DATABASE + description: Grafana postgresql database + path: postgresql.database + - name: GRAFANA_PG_PASSWORD + description: Grafana postgresql password + path: postgresql.password + - name: GRAFANA_PG_USER + description: Grafana postgresql username + path: postgresql.user + - name: GRAFANA_PG_SSL_MODE + description: Grafana postgresql SSL mode + path: postgresql.ssl_mode diff --git a/bundles/k3d-standard/uds-ha-config.yaml b/bundles/k3d-standard/uds-ha-config.yaml index 24b0119cd..643b213de 100644 --- a/bundles/k3d-standard/uds-ha-config.yaml +++ b/bundles/k3d-standard/uds-ha-config.yaml @@ -1,8 +1,18 @@ variables: core: + # Keycloak variables keycloak_ha: true - keycloak_pg_username: keycloak + keycloak_pg_username: postgres keycloak_pg_password: password keycloak_pg_database: keycloak keycloak_pg_host: host.k3d.internal keycloak_devmode: false + + # Grafana variables + grafana_ha: true + grafana_pg_host: host.k3d.internal + grafana_pg_port: 5432 + grafana_pg_database: grafana + grafana_pg_password: password + grafana_pg_user: postgres + grafana_pg_ssl_mode: disable diff --git a/docs/configuration/resource-configuration-and-ha.md b/docs/configuration/resource-configuration-and-ha.md index df0daa9fe..9680a6009 100644 --- a/docs/configuration/resource-configuration-and-ha.md +++ b/docs/configuration/resource-configuration-and-ha.md @@ -36,7 +36,42 @@ packages: ### Grafana -To scale Grafana for high availability, its database must be externalized (see [Grafana's database configuration docs](https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#database)). UDS Core has not yet done extensive testing on this setup. You can also override the `resources` helm value to customize Grafana pods' resource limits and requests (using the component and chart name of `grafana`). +Grafana can be configured in a high availability (HA) setup by utilizing an external PostgreSQL database. See the example values below for configuring Grafana in HA mode: + +```yaml +# Example HA Bundle Configuration +packages: + - name: core + repository: oci://ghcr.io/defenseunicorns/packages/uds/core + ref: x.x.x + overrides: + grafana: + grafana: + variables: + - name: GRAFANA_HA + description: Enable HA Grafana + path: autoscaling.enabled + uds-grafana-config: + variables: + - name: GRAFANA_PG_HOST + description: Grafana postgresql host + path: postgresql.host + - name: GRAFANA_PG_PORT + description: Grafana postgresql port + path: postgresql.port + - name: GRAFANA_PG_PORT + description: Grafana postgresql port + path: postgresql.port + - name: GRAFANA_PG_DATABASE + description: Grafana postgresql database + path: postgresql.database + - name: GRAFANA_PG_PASSWORD + description: Grafana postgresql password + path: postgresql.password + - name: GRAFANA_PG_USER + description: Grafana postgresql username + path: postgresql.user +``` ## Logging diff --git a/src/grafana/chart/templates/_helpers.tpl b/src/grafana/chart/templates/_helpers.tpl index 17cd520f6..01c2b4623 100644 --- a/src/grafana/chart/templates/_helpers.tpl +++ b/src/grafana/chart/templates/_helpers.tpl @@ -60,3 +60,40 @@ Create the name of the service account to use {{- default "default" .Values.serviceAccount.name }} {{- end }} {{- end }} + +{{/* + This template validates the PostgreSQL configuration for Grafana. + It ensures either: + 1. An internal PostgreSQL is enabled with both `remoteSelector` and `remoteNamespace` provided as well as the full configuration required for external postgres (see below). + 2. An external PostgreSQL is properly configured with all required values (`host`, `database`, `user`, `password`, and `port`). + 3. No configuration is provided for a PostgresQL database (internal database will be used). + + If internal PostgreSQL is enabled but `remoteSelector` or `remoteNamespace` are missing, an error is thrown. + + In addition: + - If any postgresql settings are partially filled (excluding `port`, `internal`, and `ssl_mode`), an error is thrown. + - If no postgresql settings are provided, returns `"false"`. + - If all required postgresql settings are provided, returns `"true"`. + + Returns `"true"` if a valid configuration is detected, otherwise `"false"` if no configuration is set, or an error if the configuration is incomplete. +*/}} +{{- define "grafana.postgresql.config" -}} +{{- if .Values.postgresql.internal.enabled }} +{{- if or (empty .Values.postgresql.internal.remoteSelector) (empty .Values.postgresql.internal.remoteNamespace) -}} +{{- fail "Missing remoteSelector or remoteNamespace for internal PostgreSQL." -}} +{{- end }} +{{- end }} +{{- if (empty (compact (values (omit .Values.postgresql "port" "internal" "ssl_mode")))) -}} +{{- if .Values.postgresql.internal.enabled -}} +{{- fail "Missing configuration for internal postgres host, database, user, and password." -}} +{{- end }} +{{ default "false" "" }} +{{- else }} +{{- range $k := list "host" "database" "user" "password" "port" -}} +{{- if empty (get $.Values.postgresql $k) -}} +{{- fail (printf "Missing value for \"postgresql.%s\"." $k) -}} +{{- end }} +{{- end }} +{{- default "true" "" }} +{{- end }} +{{- end }} diff --git a/src/grafana/chart/templates/secret-postgres.yaml b/src/grafana/chart/templates/secret-postgres.yaml new file mode 100644 index 000000000..5b5ee8ee8 --- /dev/null +++ b/src/grafana/chart/templates/secret-postgres.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "uds-grafana-config.fullname" . }}-postgresql + namespace: {{ .Release.Namespace }} + labels: + {{- include "uds-grafana-config.labels" . | nindent 4 }} +type: Opaque +stringData: + {{- if eq (include "grafana.postgresql.config" .) "true" }} + GF_DATABASE_TYPE: "postgres" + GF_DATABASE_HOST: "{{ .Values.postgresql.host }}:{{ .Values.postgresql.port }}" + GF_DATABASE_NAME: "{{ .Values.postgresql.database }}" + GF_DATABASE_USER: "{{ .Values.postgresql.user }}" + GF_DATABASE_PASSWORD: "{{ .Values.postgresql.password }}" + GF_DATABASE_SSL_MODE: "{{ .Values.postgresql.ssl_mode }}" + {{- else }} + {} + {{- end }} diff --git a/src/grafana/chart/templates/uds-package.yaml b/src/grafana/chart/templates/uds-package.yaml index 0181bc8f1..b56d44db6 100644 --- a/src/grafana/chart/templates/uds-package.yaml +++ b/src/grafana/chart/templates/uds-package.yaml @@ -63,3 +63,30 @@ spec: app.kubernetes.io/name: grafana remoteGenerated: KubeAPI description: "Datasources Watcher" + + {{- if eq (include "grafana.postgresql.config" .) "true" }} + - description: "Postgresql access" + direction: Egress + selector: + app.kubernetes.io/name: grafana + port: {{ .Values.postgresql.port }} + {{- if .Values.postgresql.internal.enabled }} + remoteSelector: + {{- .Values.postgresql.internal.remoteSelector | toYaml | nindent 10 }} + remoteNamespace: {{ .Values.postgresql.internal.remoteNamespace }} + {{- else if .Values.postgresql.egressCidr }} + remoteCidr: {{ .Values.postgresql.egressCidr }} + {{- else }} + remoteGenerated: Anywhere + {{- end }} + {{- end }} + + # HA for Grafana + - direction: Ingress + remoteGenerated: IntraNamespace + ports: + - 3000 + - direction: Egress + remoteGenerated: IntraNamespace + ports: + - 3000 diff --git a/src/grafana/chart/values.yaml b/src/grafana/chart/values.yaml index 364a31438..7880bcda1 100644 --- a/src/grafana/chart/values.yaml +++ b/src/grafana/chart/values.yaml @@ -1 +1,23 @@ domain: "###ZARF_VAR_DOMAIN###" + +# Stores Grafana's metadata, including dashboards, data sources, organizations, alerts, and other configurations. Required for HA mode. +postgresql: + # The hostname of the external postgresql server ( does not include the port ) + host: "" + # The name of the postgresql database Grafana will connect to. + database: "" + # The username used for authenticating to the external postgresql. + user: "" + # The password used for authenticating to the external postgresql. + password: "" + # SSL mode for the postgresql connection. Set to 'disable' if SSL is not required. + ssl_mode: require + # Port the postgresql is listening on + port: 5432 + # Egress CIDR for external Postgres + egressCidr: "" + # Configure internal postgresql deployment + internal: + enabled: false + remoteSelector: {} + remoteNamespace: "" diff --git a/src/grafana/values/values.yaml b/src/grafana/values/values.yaml index 07c038ede..9b7a3e474 100644 --- a/src/grafana/values/values.yaml +++ b/src/grafana/values/values.yaml @@ -48,5 +48,39 @@ grafana.ini: # Automatically redirect to the SSO login page auto_login: true +# Add environment variables for PostgresQL connection from uds-config chart +envFromSecret: "uds-grafana-config-postgresql" + service: appProtocol: "http" + +autoscaling: + # Enable HorizontalPodAutoscaler for Grafana + enabled: false + # Additional labels for the HorizontalPodAutoscaler + labels: {} + # Minimum and maximum number of replicas for the Grafana deployment + minReplicas: 2 + maxReplicas: 5 + # Metrics to use for scaling (CPU, memory, or custom metrics) + metrics: + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: 70 # Adjust based on expected load + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: 75 # Optional, based on memory usage patterns + # Scaling behavior (optional): Controls how fast to scale up or down + behavior: + scaleDown: + stabilizationWindowSeconds: 300 # Prevent rapid scaling down + policies: + - type: Pods + value: 1 + periodSeconds: 300 # Scale down one pod every 5 minutes diff --git a/tasks.yaml b/tasks.yaml index 8e1af2373..2345c6007 100644 --- a/tasks.yaml +++ b/tasks.yaml @@ -112,9 +112,10 @@ tasks: - name: test-uds-core-ha description: "Build and test UDS Core" actions: - - cmd: docker stop my-postgres && docker rm my-postgres || true + - cmd: docker stop postgres && docker rm postgres || true - cmd: docker network create k3d-uds || true - - cmd: docker run -p 5432:5432 --network=k3d-uds --name my-postgres -e POSTGRES_DB=keycloak -e POSTGRES_USER=keycloak -e POSTGRES_PASSWORD=password -d postgres + - cmd: docker run -p 5432:5432 --network=k3d-uds --name postgres -e POSTGRES_DB=keycloak -e POSTGRES_USER=postgres -e POSTGRES_PASSWORD=password -d postgres + - cmd: sleep 3 && docker exec postgres psql -U postgres -c "CREATE DATABASE grafana;" - task: test:uds-core-ha - name: test-uds-core-upgrade diff --git a/tasks/iac.yaml b/tasks/iac.yaml index f13e2d4e4..4bc5cd9db 100644 --- a/tasks/iac.yaml +++ b/tasks/iac.yaml @@ -89,23 +89,37 @@ tasks: actions: - cmd: tofu destroy -auto-approve dir: .github/test-infra/buckets-iac + - cmd: tofu destroy -auto-approve + dir: .github/test-infra/rds-iac - name: apply-tofu actions: - - cmd: echo ${STATE_KEY} | sed 's/\.tfstate/-buckets1.tfstate/g' + - cmd: echo ${STATE_KEY} | sed 's/\.tfstate/-buckets.tfstate/g' setVariables: - name: BUCKETS_STATE_KEY dir: .github/test-infra/buckets-iac - - cmd: echo ${BUCKETS_STATE_KEY} - cmd: | tofu init -force-copy \ - -backend-config="bucket=${STATE_BUCKET_NAME}" \ - -backend-config="key=${BUCKETS_STATE_KEY}" \ - -backend-config="region=${REGION}" \ - -backend-config="dynamodb_table=${STATE_DYNAMODB_TABLE_NAME}" + -backend-config="bucket=${STATE_BUCKET_NAME}" \ + -backend-config="key=${BUCKETS_STATE_KEY}" \ + -backend-config="region=${REGION}" \ + -backend-config="dynamodb_table=${STATE_DYNAMODB_TABLE_NAME}" dir: .github/test-infra/buckets-iac - cmd: tofu apply -auto-approve dir: .github/test-infra/buckets-iac + - cmd: echo ${STATE_KEY} | sed 's/\.tfstate/-rds.tfstate/g' + setVariables: + - name: RDS_STATE_KEY + dir: .github/test-infra/rds-iac + - cmd: | + tofu init -force-copy \ + -backend-config="bucket=${STATE_BUCKET_NAME}" \ + -backend-config="key=${RDS_STATE_KEY}" \ + -backend-config="region=${REGION}" \ + -backend-config="dynamodb_table=${STATE_DYNAMODB_TABLE_NAME}" + dir: .github/test-infra/rds-iac + - cmd: tofu apply -auto-approve + dir: .github/test-infra/rds-iac - name: tofu-outputs actions: @@ -133,6 +147,27 @@ tasks: setVariables: - name: VELERO_S3_ROLE_ARN dir: .github/test-infra/buckets-iac + - cmd: tofu output -raw grafana_pg_host + setVariables: + - name: GRAFANA_PG_HOST + dir: .github/test-infra/rds-iac + - cmd: tofu output -raw grafana_pg_port + setVariables: + - name: GRAFANA_PG_PORT + dir: .github/test-infra/rds-iac + - cmd: tofu output -raw grafana_pg_database + setVariables: + - name: GRAFANA_PG_DATABASE + dir: .github/test-infra/rds-iac + - cmd: tofu output -raw grafana_pg_user + setVariables: + - name: GRAFANA_PG_USER + dir: .github/test-infra/rds-iac + - cmd: tofu output -raw grafana_pg_password + setVariables: + - name: GRAFANA_PG_PASSWORD + mute: true # Muted to hide sensitive password + dir: .github/test-infra/rds-iac - name: create-uds-config actions: @@ -154,4 +189,10 @@ tasks: velero_bucket_provider_url: "" velero_bucket_credential_name: "" velero_bucket_credential_key: "" + grafana_ha: true + grafana_pg_host: ${GRAFANA_PG_HOST} + grafana_pg_port: ${GRAFANA_PG_PORT} + grafana_pg_database: ${GRAFANA_PG_DATABASE} + grafana_pg_password: ${GRAFANA_PG_PASSWORD} + grafana_pg_user: ${GRAFANA_PG_USER} EOF From 4fb0c1a6c93ea9341e7cfcb0f76f85f4712e74a0 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Wed, 2 Oct 2024 07:46:45 -0600 Subject: [PATCH 31/90] chore(deps): update loki to v3.2.0 (#791) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This PR contains the following updates: | Package | Update | Change | |---|---|---| | [cgr.dev/du-uds-defenseunicorns/loki](https://images.chainguard.dev/directory/image/loki/overview) ([source](https://redirect.github.com/chainguard-images/images-private/tree/HEAD/images/loki)) | minor | `3.1.1` -> `3.2.0` | | [docker.io/grafana/loki](https://redirect.github.com/grafana/loki) | minor | `3.1.1` -> `3.2.0` | | [loki](https://grafana.github.io/helm-charts) ([source](https://redirect.github.com/grafana/helm-charts)) | minor | `6.12.0` -> `6.16.0` | | [registry1.dso.mil/ironbank/opensource/grafana/loki](https://redirect.github.com/grafana/loki) ([source](https://repo1.dso.mil/dsop/opensource/grafana/loki)) | minor | `3.1.1` -> `3.2.0` | --- ### Release Notes
grafana/loki (docker.io/grafana/loki) ### [`v3.2.0`](https://redirect.github.com/grafana/loki/releases/tag/v3.2.0) [Compare Source](https://redirect.github.com/grafana/loki/compare/v3.1.1...v3.2.0) ##### ⚠ BREAKING CHANGES - **api:** Fail log queries when executed on instant query endpoint ([#​13421](https://redirect.github.com/grafana/loki/issues/13421)) - **jsonnet:** convert read statefulset into deployment for loki-simple-scalable ([#​13977](https://redirect.github.com/grafana/loki/issues/13977)) - **blooms:** Remove bloom compactor component ([#​13969](https://redirect.github.com/grafana/loki/issues/13969)) ##### Features - ability to ignore cache for volume queries ([#​13945](https://redirect.github.com/grafana/loki/issues/13945)) ([b1dc076](https://redirect.github.com/grafana/loki/commit/b1dc0763d675a99884a2fdac36c3c3f45f8353b7)) - add \_extracted suffix to detected fields conflicts ([#​13993](https://redirect.github.com/grafana/loki/issues/13993)) ([ab1caea](https://redirect.github.com/grafana/loki/commit/ab1caea12325b5db777101347acf4f277312adf6)) - Add baseline rf1 querier implementation ([#​13639](https://redirect.github.com/grafana/loki/issues/13639)) ([3a99b69](https://redirect.github.com/grafana/loki/commit/3a99b69ae519674c6e3da15ef28cb3ed9c6a2d63)) - Add CLI to inspect RF=1 WAL segments ([#​13552](https://redirect.github.com/grafana/loki/issues/13552)) ([150e653](https://redirect.github.com/grafana/loki/commit/150e6539d175c232063aaa37c687c60d4809a08a)) - Add initial support for a kafka-based ingest path ([#​13992](https://redirect.github.com/grafana/loki/issues/13992)) ([33c26f4](https://redirect.github.com/grafana/loki/commit/33c26f4dd1aaebadd54e7eb50765a33bd7c3ad2f)) - add loki_ingester_rf1\_segment_age_seconds metric ([#​13653](https://redirect.github.com/grafana/loki/issues/13653)) ([2dfc13b](https://redirect.github.com/grafana/loki/commit/2dfc13bb73c73c6c8cfb57c23ce832f902d8a43e)) - Add metrics for Ingester RF-1 ([#​13510](https://redirect.github.com/grafana/loki/issues/13510)) ([d4179aa](https://redirect.github.com/grafana/loki/commit/d4179aa04fdeaf0bbf538c2b202291a3d0247a27)) - Add metrics to WAL Manager ([#​13490](https://redirect.github.com/grafana/loki/issues/13490)) ([bfe97d7](https://redirect.github.com/grafana/loki/commit/bfe97d724f34277baa4cd9f9b25764e718997c46)) - Add settings for cpu/mutex/block profiling options ([#​13278](https://redirect.github.com/grafana/loki/issues/13278)) ([f06eabb](https://redirect.github.com/grafana/loki/commit/f06eabbf0e2c3db3ec899c224d6c947c5edd7d6a)) - add structured metadata to the promtail push API ([#​14153](https://redirect.github.com/grafana/loki/issues/14153)) ([#​14155](https://redirect.github.com/grafana/loki/issues/14155)) ([c118fc6](https://redirect.github.com/grafana/loki/commit/c118fc66b61adc49b85c38b2ab2fc40f24c0a737)) - Added getting started video for ingesting Otel logs ([#​13226](https://redirect.github.com/grafana/loki/issues/13226)) ([5e560f9](https://redirect.github.com/grafana/loki/commit/5e560f93ecfa399e85878e30998042646ee4e603)) - aggregate byte and count metrics ([#​13731](https://redirect.github.com/grafana/loki/issues/13731)) ([913e9f9](https://redirect.github.com/grafana/loki/commit/913e9f93477b5b811fbcf44d0e750f600c9ded69)) - **api:** Fail log queries when executed on instant query endpoint ([#​13421](https://redirect.github.com/grafana/loki/issues/13421)) ([ce71f1c](https://redirect.github.com/grafana/loki/commit/ce71f1cf954625cac2af7c2d0c335248b01185a3)) - **blooms:** Add series & chunks per block metrics ([#​13721](https://redirect.github.com/grafana/loki/issues/13721)) ([55c6499](https://redirect.github.com/grafana/loki/commit/55c64991db60309840aa0b41ecf9a3451dc5900d)) - Bootstrap metastore for wal segments ([#​13550](https://redirect.github.com/grafana/loki/issues/13550)) ([0b47498](https://redirect.github.com/grafana/loki/commit/0b474981dc5d073eaa7110710b5f1a1418e5235d)) - Calculate the age of a WAL segment ([#​13637](https://redirect.github.com/grafana/loki/issues/13637)) ([4abb5a4](https://redirect.github.com/grafana/loki/commit/4abb5a404cea4ec13f14c10dea4ce91b9e3cd9af)) - **chunks-inspect:** support structured metadata ([#​11506](https://redirect.github.com/grafana/loki/issues/11506)) ([1834065](https://redirect.github.com/grafana/loki/commit/183406570411a5ad5ceaf32bf07451b8fce608c1)) - collect and serve pre-aggregated bytes and counts ([#​13020](https://redirect.github.com/grafana/loki/issues/13020)) ([467eb1b](https://redirect.github.com/grafana/loki/commit/467eb1bb1b08fa69e3d5e40a1e0143f65230ad2b)) - Collect duplicate log line metrics ([#​13084](https://redirect.github.com/grafana/loki/issues/13084)) ([40ee766](https://redirect.github.com/grafana/loki/commit/40ee7667244f2e094b5a7199705b4f3dacb7ffaf)) - convert WalSegmentWriter to io.ReadSeeker ([#​13340](https://redirect.github.com/grafana/loki/issues/13340)) ([19c0509](https://redirect.github.com/grafana/loki/commit/19c050926e75e6dcac6d228b838836367414a5f8)) - **detected-labels:** remove cardinality filter ([#​13652](https://redirect.github.com/grafana/loki/issues/13652)) ([4f534d7](https://redirect.github.com/grafana/loki/commit/4f534d7317fa0557251f16b76ebf790f079cf98e)) - downsample aggregated metrics ([#​13449](https://redirect.github.com/grafana/loki/issues/13449)) ([2c053ee](https://redirect.github.com/grafana/loki/commit/2c053ee00cb5a86ab3a97da8f31d0564b40761d0)) - Drain uses different tokenizer based on log format ([#​13384](https://redirect.github.com/grafana/loki/issues/13384)) ([bc01e6f](https://redirect.github.com/grafana/loki/commit/bc01e6fd64cb0de3df776e246024f7ec7251bdfa)) - exclude and from creating new tokens in patterns ([#​13395](https://redirect.github.com/grafana/loki/issues/13395)) ([8c8454b](https://redirect.github.com/grafana/loki/commit/8c8454b9db35901896113d3e19eb3862359aeba8)) - exclude in pattern tokens ([#​13397](https://redirect.github.com/grafana/loki/issues/13397)) ([e612dd3](https://redirect.github.com/grafana/loki/commit/e612dd3dfe546ae6c26d7045e811d2ae48221d3d)) - **exporter:** include boolean values in limit exporter ([#​13466](https://redirect.github.com/grafana/loki/issues/13466)) ([4220737](https://redirect.github.com/grafana/loki/commit/4220737a52da7ab6c9346b12d5a5d7bedbcd641d)) - flush not owned streams ([#​13254](https://redirect.github.com/grafana/loki/issues/13254)) ([2ca1ac6](https://redirect.github.com/grafana/loki/commit/2ca1ac66a3bcebe9b2eb139c6aecc6820c840df9)) - **helm:** Make gateway container port configurable. ([#​13294](https://redirect.github.com/grafana/loki/issues/13294)) ([05176e4](https://redirect.github.com/grafana/loki/commit/05176e445b90597379c268e799b0fb86b8629b9e)) - **helm:** Support alibabacloud oss in helm chart ([#​13441](https://redirect.github.com/grafana/loki/issues/13441)) ([3ebab6f](https://redirect.github.com/grafana/loki/commit/3ebab6f3931841f62ac59e6b09afef98db656c71)) - Ignore empty streams in distributor if all entries fail validation ([#​13674](https://redirect.github.com/grafana/loki/issues/13674)) ([6c4b062](https://redirect.github.com/grafana/loki/commit/6c4b0622aa3de44cccb76fe16bb6583bf91cf15c)) - Implement GetObjectRange for all storage providers ([#​13650](https://redirect.github.com/grafana/loki/issues/13650)) ([d9c441e](https://redirect.github.com/grafana/loki/commit/d9c441efcc159e91a4251c9aca8f8914633c8505)) - improve Owned Streams feature observability ([#​13232](https://redirect.github.com/grafana/loki/issues/13232)) ([ce86459](https://redirect.github.com/grafana/loki/commit/ce8645900e76db962af36794c70d1e3662009ded)) - improve placeholder replacement of byte sizes ([#​13508](https://redirect.github.com/grafana/loki/issues/13508)) ([ac284ca](https://redirect.github.com/grafana/loki/commit/ac284ca00ed065907341ee2a7adf329c8e485a7a)) - Ingester RF-1 ([#​13365](https://redirect.github.com/grafana/loki/issues/13365)) ([7f35179](https://redirect.github.com/grafana/loki/commit/7f35179cd3fd3627057d916b7f00c92cee400339)) - Ingester Stream Limit Improvements ([#​13532](https://redirect.github.com/grafana/loki/issues/13532)) ([ec34aaa](https://redirect.github.com/grafana/loki/commit/ec34aaa1ff2e616ef223631657b63f7dffedd3cc)) - **ingester:** Smooth out chunk flush operations ([#​9994](https://redirect.github.com/grafana/loki/issues/9994)) ([82fbb2f](https://redirect.github.com/grafana/loki/commit/82fbb2fd9624eaa9584b2311189d1e4768fdc081)) - instrument failed chunk encoding/decoding ([#​13684](https://redirect.github.com/grafana/loki/issues/13684)) ([5a87ccb](https://redirect.github.com/grafana/loki/commit/5a87ccb648ee3bf48a3704643ae9923d64651aed)) - Instrument metastore GRPC calls ([#​13598](https://redirect.github.com/grafana/loki/issues/13598)) ([04613b4](https://redirect.github.com/grafana/loki/commit/04613b492fd8494084393e448f86f9b18e32c17e)) - Instrument rf1 write path with tracing ([#​13599](https://redirect.github.com/grafana/loki/issues/13599)) ([ce88286](https://redirect.github.com/grafana/loki/commit/ce882861476dd070ca588932c0aba64a689cb0b3)) - Introduce a new Object Storage WAL format. ([#​13253](https://redirect.github.com/grafana/loki/issues/13253)) ([1d6f8d5](https://redirect.github.com/grafana/loki/commit/1d6f8d51fcfd1c806159e17bce978ea39ee5936c)) - Introduce wal segment read path. ([#​13695](https://redirect.github.com/grafana/loki/issues/13695)) ([917053a](https://redirect.github.com/grafana/loki/commit/917053a73058ebff5cec72d760ba16f2acc8a56c)) - lambda-promtail; ensure messages to Kinesis are usable by refactoring parsing of KinesisEvent to match parsing of CWEvents + code cleanup ([#​13098](https://redirect.github.com/grafana/loki/issues/13098)) ([dbfb19b](https://redirect.github.com/grafana/loki/commit/dbfb19be49fb3bc1f2f62613f50370028cbf5552)) - **lambda-promtail:** Adding S3 log parser support for AWS GuardDuty ([#​13148](https://redirect.github.com/grafana/loki/issues/13148)) ([2d92fff](https://redirect.github.com/grafana/loki/commit/2d92fff2aa4dbda5f9f8c18ea19347e1236257af)) - **lambda-promtail:** build lambda with zip file ([#​13787](https://redirect.github.com/grafana/loki/issues/13787)) ([9bf08f7](https://redirect.github.com/grafana/loki/commit/9bf08f7cc055db1997c439ef8edb11247c4e1d67)) - Limit to block ingestion until configured date ([#​13958](https://redirect.github.com/grafana/loki/issues/13958)) ([b5ac6a0](https://redirect.github.com/grafana/loki/commit/b5ac6a0258be51a6d6c3a7743e498dc40014b64b)) - **loki:** add ability to disable AWS S3 dualstack endpoints usage ([#​13785](https://redirect.github.com/grafana/loki/issues/13785)) ([bb257f5](https://redirect.github.com/grafana/loki/commit/bb257f54b33ecb04cbe1786c4efac779d8d28d8c)) - **loki:** Do not enforce max-query-bytes-read and max-querier-bytes-read in limited tripperware ([#​13406](https://redirect.github.com/grafana/loki/issues/13406)) ([47f6ea5](https://redirect.github.com/grafana/loki/commit/47f6ea53fc4816b259bce4ce4efddee377422d3c)) - **operator:** Add alert for discarded samples ([#​13512](https://redirect.github.com/grafana/loki/issues/13512)) ([5f2a02f](https://redirect.github.com/grafana/loki/commit/5f2a02f14222dab891b7851e8f48052d6c9b594a)) - **operator:** Add support for the volume API ([#​13369](https://redirect.github.com/grafana/loki/issues/13369)) ([d451e23](https://redirect.github.com/grafana/loki/commit/d451e23225047a11b4d5d82900cec4a46d6e7b39)) - **operator:** Enable leader-election ([#​13760](https://redirect.github.com/grafana/loki/issues/13760)) ([1ba4bff](https://redirect.github.com/grafana/loki/commit/1ba4bff005930b173391df35248e6f58e076fa74)) - **operator:** Update Loki operand to v3.1.0 ([#​13422](https://redirect.github.com/grafana/loki/issues/13422)) ([cf5f52d](https://redirect.github.com/grafana/loki/commit/cf5f52dca0db93847218cdd2c3f4860d983381ae)) - Pattern ingesters add a limiter for high eviction rate ([#​13464](https://redirect.github.com/grafana/loki/issues/13464)) ([e08b4a7](https://redirect.github.com/grafana/loki/commit/e08b4a7f883a50452c0828a133e6f9f5e68eff4d)) - Remove flush loop and queue from Ingester RF-1 ([#​13538](https://redirect.github.com/grafana/loki/issues/13538)) ([8ca03a2](https://redirect.github.com/grafana/loki/commit/8ca03a2a3d73e5250ee26ac3c9218e254550560d)) - remove mutexes from wal.SegmentWriter ([#​13641](https://redirect.github.com/grafana/loki/issues/13641)) ([7ed63ea](https://redirect.github.com/grafana/loki/commit/7ed63ea7f493dab6c81200ddb7a0e6f26dc41bec)) - RF1 improves replication stategy to support 1 replica ([#​13469](https://redirect.github.com/grafana/loki/issues/13469)) ([790135b](https://redirect.github.com/grafana/loki/commit/790135bd7d06a8cc5a9d4fc759d06bc1e7a2cad7)) - **rf1:** Add query path for the metastore ([#​13636](https://redirect.github.com/grafana/loki/issues/13636)) ([8cb19a2](https://redirect.github.com/grafana/loki/commit/8cb19a2e3c92b60560ce48f48c46a512dfdc7963)) - **rf1:** Store index ref in metastore ([#​13613](https://redirect.github.com/grafana/loki/issues/13613)) ([5f5fd4e](https://redirect.github.com/grafana/loki/commit/5f5fd4e4ab22a43a0c290cf9a9c2bf2e229f6e18)) - **structured-metadata-api:** add structured metadata to `/detected_fields` API ([#​13604](https://redirect.github.com/grafana/loki/issues/13604)) ([ce02cc2](https://redirect.github.com/grafana/loki/commit/ce02cc254abc641dc40831b28c81199526581085)) - Track when builders are doing work with a gauge ([#​13570](https://redirect.github.com/grafana/loki/issues/13570)) ([0029d46](https://redirect.github.com/grafana/loki/commit/0029d46c233e173dce1d45124ab2de67443a686a)) - Update doc-validator version ([#​13558](https://redirect.github.com/grafana/loki/issues/13558)) ([a88a0d3](https://redirect.github.com/grafana/loki/commit/a88a0d3f6ceaba0082c557ab773b7fd45537ac64)) - upgrade prometheus ([#​13671](https://redirect.github.com/grafana/loki/issues/13671)) ([b88583d](https://redirect.github.com/grafana/loki/commit/b88583da7d3cc840d4b66698de042773422e334d)) - Use prefixed WAL storage path in Object Storage ([#​13377](https://redirect.github.com/grafana/loki/issues/13377)) ([973aa2d](https://redirect.github.com/grafana/loki/commit/973aa2d7babfafd247ab91e493445488804ab94f)) - Use WAL Manager ([#​13491](https://redirect.github.com/grafana/loki/issues/13491)) ([8f1d12f](https://redirect.github.com/grafana/loki/commit/8f1d12f656924eaf9bd887037c006728b22375cf)) - WAL Manager ([#​13428](https://redirect.github.com/grafana/loki/issues/13428)) ([15c8b45](https://redirect.github.com/grafana/loki/commit/15c8b45d26f7dcb3181e1b5ff00796ca0bad720a)) - WAL Manager configuration options ([#​13531](https://redirect.github.com/grafana/loki/issues/13531)) ([c4405fe](https://redirect.github.com/grafana/loki/commit/c4405fe1c417f31af535fcee3d669ed5271d76a7)) - **wal:** Add sizing information to writer and reader. ([#​13267](https://redirect.github.com/grafana/loki/issues/13267)) ([41fbacd](https://redirect.github.com/grafana/loki/commit/41fbacdce74e9d6cb8451e353da3e560cb642b9b)) - **wal:** Benchmark and improve WAL writes using Reset. ([#​13272](https://redirect.github.com/grafana/loki/issues/13272)) ([debb5f2](https://redirect.github.com/grafana/loki/commit/debb5f202e278708bf43a795125e151d818892b2)) ##### Bug Fixes - add a retry middleware to all the stats handlers ([#​13584](https://redirect.github.com/grafana/loki/issues/13584)) ([7232795](https://redirect.github.com/grafana/loki/commit/7232795e1f5fb1868c83111f5aab72ca0f3d9891)) - add logging to empty bloom ([#​13502](https://redirect.github.com/grafana/loki/issues/13502)) ([c263a68](https://redirect.github.com/grafana/loki/commit/c263a681f8e19417ea3056a3e2cae7d3015d081a)) - add missing flush op timeout ([#​13679](https://redirect.github.com/grafana/loki/issues/13679)) ([62c5c5c](https://redirect.github.com/grafana/loki/commit/62c5c5c64182736f65ec9c903e0789986b264425)) - Adjust tailer loop criteria so it is actually re-tested ([#​13906](https://redirect.github.com/grafana/loki/issues/13906)) ([dabbfd8](https://redirect.github.com/grafana/loki/commit/dabbfd81ef5c4f02a255b404ab25edd1eec126cf)) - ast left cycular reference result in oom ([#​13501](https://redirect.github.com/grafana/loki/issues/13501)) ([6dd6b65](https://redirect.github.com/grafana/loki/commit/6dd6b65139b3b8d4254f114e99ab8fb3eaa2ae09)) - **blooms:** Cleanup temp blockdir in bloom compactor ([#​13622](https://redirect.github.com/grafana/loki/issues/13622)) ([64215e1](https://redirect.github.com/grafana/loki/commit/64215e18495b12e6d5565eba6fe54bc381ac7189)) - **blooms:** Delete outdated metas during planning ([#​13363](https://redirect.github.com/grafana/loki/issues/13363)) ([11e1976](https://redirect.github.com/grafana/loki/commit/11e19763d0ee4e1b1130ab0326ed0f4f605bca8d)) - **blooms:** ensure tokenizer cache is reset between series ([#​13370](https://redirect.github.com/grafana/loki/issues/13370)) ([04bc3a4](https://redirect.github.com/grafana/loki/commit/04bc3a423c8ea9e7c945b15dffb83d674bab3a68)) - **blooms:** Fix eviction of multiple blockcache items ([#​13573](https://redirect.github.com/grafana/loki/issues/13573)) ([c9950e3](https://redirect.github.com/grafana/loki/commit/c9950e394d2bca8bd290f60672a3bc904cd72d7b)) - **blooms:** Fix panic in bloom gateway ([#​13303](https://redirect.github.com/grafana/loki/issues/13303)) ([66f97b2](https://redirect.github.com/grafana/loki/commit/66f97b2aec3cbe0d60acd5e13a9fda9000b03bae)) - **blooms:** ignores bloom filtering errors in bounded shard query planning ([#​13285](https://redirect.github.com/grafana/loki/issues/13285)) ([ede6941](https://redirect.github.com/grafana/loki/commit/ede6941c6ff0f40d836b288e167a26c34c2a9437)) - **blooms:** Improve error wrap to make ignoreNotFound work when fetching blocks ([#​13656](https://redirect.github.com/grafana/loki/issues/13656)) ([bd20171](https://redirect.github.com/grafana/loki/commit/bd20171975e913e429048a0a30328811fc4c8a87)) - **blooms:** improves mempool metrics ([#​13283](https://redirect.github.com/grafana/loki/issues/13283)) ([d36e1d5](https://redirect.github.com/grafana/loki/commit/d36e1d580af0a64ce0fcb8de57724d27e399c0dd)) - **blooms:** Minor fixes and improvements for testing in dev ([#​13341](https://redirect.github.com/grafana/loki/issues/13341)) ([d0f56ee](https://redirect.github.com/grafana/loki/commit/d0f56eeb0a585c37e4a9c62b7a200f4d8360bf4d)) - **blooms:** Remove backoff from notify planner ([#​13506](https://redirect.github.com/grafana/loki/issues/13506)) ([e506995](https://redirect.github.com/grafana/loki/commit/e506995e595bb5c465941f3f1227311b2ea1c8c5)) - **blooms:** Remove unused arg ([#​13343](https://redirect.github.com/grafana/loki/issues/13343)) ([fcb9b28](https://redirect.github.com/grafana/loki/commit/fcb9b283ba0cf927646d332a68c049718ec1d236)) - **blooms:** Ship chunkrefs in task payload ([#​13677](https://redirect.github.com/grafana/loki/issues/13677)) ([450bbce](https://redirect.github.com/grafana/loki/commit/450bbce938fd548715104f6a1a4dde76e2e7ff34)) - **blooms:** skip empty blooms on reads ([#​13500](https://redirect.github.com/grafana/loki/issues/13500)) ([bfa6955](https://redirect.github.com/grafana/loki/commit/bfa69556afda160051cab677ce278aba5ab48448)) - **blooms:** Suppress error from resolving server addresses for blocks ([#​13385](https://redirect.github.com/grafana/loki/issues/13385)) ([3ac2317](https://redirect.github.com/grafana/loki/commit/3ac231728e6bc9d3166684bcb697c78b4fb56fae)) - **blooms:** Use correct key to populate blockscache at startup ([#​13624](https://redirect.github.com/grafana/loki/issues/13624)) ([2624a4b](https://redirect.github.com/grafana/loki/commit/2624a4bdd43badcd1159b83e26c1b0ff14479ac0)) - **break:** helm: Fix how we set imagePullSecrets for enterprise-gateway and admin-api. ([#​13761](https://redirect.github.com/grafana/loki/issues/13761)) ([3be5a45](https://redirect.github.com/grafana/loki/commit/3be5a4576fd0f0dca321e017a637f7a3159c00e5)) - **ci:** add cleanup step into job `dist` ([#​13801](https://redirect.github.com/grafana/loki/issues/13801)) ([217f928](https://redirect.github.com/grafana/loki/commit/217f928f52b3d3fad414a01502c37d143cabf567)) - **ci:** fixed release-please manifest ([#​13810](https://redirect.github.com/grafana/loki/issues/13810)) ([f253db5](https://redirect.github.com/grafana/loki/commit/f253db5598156a4461fd1f5ede14443c937e2ac8)) - **cloud-mixin:** Attribute OTLP route correctly to write path ([#​13943](https://redirect.github.com/grafana/loki/issues/13943)) ([b91b782](https://redirect.github.com/grafana/loki/commit/b91b7829075f9df565d468d9e72191e9f4c5e94e)) - Dedup pattern tokens on output ([#​13534](https://redirect.github.com/grafana/loki/issues/13534)) ([e23598d](https://redirect.github.com/grafana/loki/commit/e23598d710a231213a40f5bfb7d99fe2ee409ba2)) - **deps:** update github.com/axiomhq/hyperloglog digest to [`af9851f`](https://redirect.github.com/grafana/loki/commit/af9851f) ([#​13806](https://redirect.github.com/grafana/loki/issues/13806)) ([67295e0](https://redirect.github.com/grafana/loki/commit/67295e0a16677feabb83284e058926b016993128)) - **deps:** update github.com/c2h5oh/datasize digest to [`aa82cc1`](https://redirect.github.com/grafana/loki/commit/aa82cc1) ([#​13807](https://redirect.github.com/grafana/loki/issues/13807)) ([a93f38c](https://redirect.github.com/grafana/loki/commit/a93f38cb055c9a3f22cf07d0bd5888a0596ec5d6)) - **deps:** update github.com/docker/go-plugins-helpers digest to [`45e2431`](https://redirect.github.com/grafana/loki/commit/45e2431) ([#​13808](https://redirect.github.com/grafana/loki/issues/13808)) ([e5a3994](https://redirect.github.com/grafana/loki/commit/e5a3994fba37247cf2b81405eb4b19b29af89959)) - **deps:** update github.com/grafana/jsonparser digest to [`ea80629`](https://redirect.github.com/grafana/loki/commit/ea80629) ([#​13814](https://redirect.github.com/grafana/loki/issues/13814)) ([d5718eb](https://redirect.github.com/grafana/loki/commit/d5718eb111f8f0fbbc43294eb8b72877b250d433)) - **deps:** update module github.com/aliyun/aliyun-oss-go-sdk to v2.2.10+incompatible ([#​13861](https://redirect.github.com/grafana/loki/issues/13861)) ([6f79194](https://redirect.github.com/grafana/loki/commit/6f791941ee5a188a658313c12f549d40f8802528)) - **deps:** update module github.com/azure/go-autorest/autorest/adal to v0.9.24 ([#​13862](https://redirect.github.com/grafana/loki/issues/13862)) ([8041bd2](https://redirect.github.com/grafana/loki/commit/8041bd29b90a79066f7c6393fef1db5ba29440b0)) - **deps:** update module github.com/azure/go-autorest/autorest/azure/auth to v0.5.13 ([#​13863](https://redirect.github.com/grafana/loki/issues/13863)) ([71c4421](https://redirect.github.com/grafana/loki/commit/71c4421e09f30ebd8a1826c976436d3ca3ad603d)) - **deps:** update module github.com/baidubce/bce-sdk-go to v0.9.186 ([#​13864](https://redirect.github.com/grafana/loki/issues/13864)) ([3c0e3e2](https://redirect.github.com/grafana/loki/commit/3c0e3e2c13591e3af44ce4826245043c81bb66c3)) - **deps:** update module github.com/baidubce/bce-sdk-go to v0.9.187 ([#​13933](https://redirect.github.com/grafana/loki/issues/13933)) ([56af84d](https://redirect.github.com/grafana/loki/commit/56af84d3a638dbe30f1cacffd7d090118720d787)) - **deps:** update module github.com/baidubce/bce-sdk-go to v0.9.188 ([#​14000](https://redirect.github.com/grafana/loki/issues/14000)) ([79039a2](https://redirect.github.com/grafana/loki/commit/79039a24a244b06b43018095e29c9ed65b0e1067)) - **deps:** update module github.com/cespare/xxhash/v2 to v2.3.0 (main) ([#​13615](https://redirect.github.com/grafana/loki/issues/13615)) ([cfc7b34](https://redirect.github.com/grafana/loki/commit/cfc7b34b9eb94960bd960b7a8a4442a2a1a9ecaf)) - **deps:** update module github.com/datadog/sketches-go to v1.4.6 ([#​13865](https://redirect.github.com/grafana/loki/issues/13865)) ([1f3c467](https://redirect.github.com/grafana/loki/commit/1f3c467b412dabf7f330dc71befcdf50596ba517)) - **deps:** update module github.com/docker/docker to v25.0.5+incompatible \[security] (main) ([#​12279](https://redirect.github.com/grafana/loki/issues/12279)) ([960c034](https://redirect.github.com/grafana/loki/commit/960c03438477435b606cf4dfbb7af43a5b52068d)) - **deps:** update module github.com/docker/docker to v27.1.1+incompatible \[security] (main) ([#​13762](https://redirect.github.com/grafana/loki/issues/13762)) ([f8bf3bb](https://redirect.github.com/grafana/loki/commit/f8bf3bb3786ccf5c3784e5b75e9d030251dcc8fb)) - **deps:** update module github.com/docker/docker to v27.1.2+incompatible ([#​13872](https://redirect.github.com/grafana/loki/issues/13872)) ([8ab4c20](https://redirect.github.com/grafana/loki/commit/8ab4c2057256511b5bc25c5f9c9ff870b5b71cb5)) - **deps:** update module github.com/efficientgo/core to v1.0.0-rc.3 ([#​14001](https://redirect.github.com/grafana/loki/issues/14001)) ([90f7e5f](https://redirect.github.com/grafana/loki/commit/90f7e5fa67dcf7b05c8aae54bacdf96f98c27faf)) - **deps:** update module github.com/felixge/fgprof to v0.9.4 ([#​13870](https://redirect.github.com/grafana/loki/issues/13870)) ([c68848f](https://redirect.github.com/grafana/loki/commit/c68848f8056aca3ebb358dd1fc8adf6e07611e9c)) - **deps:** update module github.com/fsouza/fake-gcs-server to v1.47.7 ([#​13935](https://redirect.github.com/grafana/loki/issues/13935)) ([d43b2de](https://redirect.github.com/grafana/loki/commit/d43b2de1b4e0d0a999569900f69755cfe6b17c21)) - **deps:** update module github.com/gogo/googleapis to v1.4.1 ([#​13871](https://redirect.github.com/grafana/loki/issues/13871)) ([6da7eb5](https://redirect.github.com/grafana/loki/commit/6da7eb577cac62208801374af71c90d4a06df097)) - **deps:** update module github.com/gorilla/mux to v1.8.1 (main) ([#​13618](https://redirect.github.com/grafana/loki/issues/13618)) ([19b288e](https://redirect.github.com/grafana/loki/commit/19b288eee4ad9c25fa58de56c3be02393e63a20e)) - **deps:** update module github.com/gorilla/websocket to v1.5.3 ([#​13873](https://redirect.github.com/grafana/loki/issues/13873)) ([1eb8342](https://redirect.github.com/grafana/loki/commit/1eb8342d41a9fdb6c5fcd3e6e5a8c6b98bde4e43)) - **deps:** update module github.com/hashicorp/consul/api to v1.29.4 ([#​14002](https://redirect.github.com/grafana/loki/issues/14002)) ([e11b244](https://redirect.github.com/grafana/loki/commit/e11b244a8bcbc69d6829d31fb164dc43d505068e)) - **deps:** update module github.com/ibm/go-sdk-core/v5 to v5.17.4 ([#​13892](https://redirect.github.com/grafana/loki/issues/13892)) ([b6991f2](https://redirect.github.com/grafana/loki/commit/b6991f29d232267c1fa0ed8dff55da72240c23f6)) - **deps:** update module github.com/ibm/ibm-cos-sdk-go to v1.11.0 ([#​13893](https://redirect.github.com/grafana/loki/issues/13893)) ([9b7e7e9](https://redirect.github.com/grafana/loki/commit/9b7e7e97a41d2ce0abe62b0d920538e9974cef69)) - **deps:** update module github.com/klauspost/pgzip to v1.2.6 ([#​13874](https://redirect.github.com/grafana/loki/issues/13874)) ([fdea7a1](https://redirect.github.com/grafana/loki/commit/fdea7a1763618812284a44d6c247c4215d317950)) - **deps:** update module github.com/mattn/go-ieproxy to v0.0.12 ([#​13876](https://redirect.github.com/grafana/loki/issues/13876)) ([775bf8e](https://redirect.github.com/grafana/loki/commit/775bf8ebe7893a5b0807984a1c791f211820eed2)) - **deps:** update module github.com/ncw/swift to v2 ([#​13951](https://redirect.github.com/grafana/loki/issues/13951)) ([246a1df](https://redirect.github.com/grafana/loki/commit/246a1dfbe24a00b75b03257cb7e75be6cc96a3a8)) - **deps:** update module github.com/oschwald/geoip2-golang to v1.11.0 ([#​13934](https://redirect.github.com/grafana/loki/issues/13934)) ([3bebba5](https://redirect.github.com/grafana/loki/commit/3bebba59b5a81da77c6b0d6c499f92f9ce320d46)) - **deps:** update module github.com/schollz/progressbar/v3 to v3.14.6 ([#​13884](https://redirect.github.com/grafana/loki/issues/13884)) ([fb9cae4](https://redirect.github.com/grafana/loki/commit/fb9cae4aaa6a12a375fa6199bfcd562833385737)) - **deps:** update module github.com/tonistiigi/fifo to v1 ([#​13952](https://redirect.github.com/grafana/loki/issues/13952)) ([96b5c79](https://redirect.github.com/grafana/loki/commit/96b5c79e7770f706bdc1d07e306bf225706273a3)) - **deps:** update module github.com/workiva/go-datastructures to v1.1.5 ([#​13885](https://redirect.github.com/grafana/loki/issues/13885)) ([d817aee](https://redirect.github.com/grafana/loki/commit/d817aeeab374f414b08598a8784ea708000856d2)) - **deps:** update module golang.org/x/text to v0.17.0 (main) ([#​13794](https://redirect.github.com/grafana/loki/issues/13794)) ([df61482](https://redirect.github.com/grafana/loki/commit/df61482207eb8f44f43d9c2ef4f450fc0c9a00ee)) - **deps:** update module golang.org/x/time to v0.6.0 ([#​13910](https://redirect.github.com/grafana/loki/issues/13910)) ([dff00bd](https://redirect.github.com/grafana/loki/commit/dff00bd8f26e85ce04edc16a9f43cb32d3691add)) - detected fields incorrect type bug ([#​13515](https://redirect.github.com/grafana/loki/issues/13515)) ([f6a94d3](https://redirect.github.com/grafana/loki/commit/f6a94d303444dbf22cf1198f549c9cde070f1bdc)) - **detected labels:** response when store label values are empty ([#​13970](https://redirect.github.com/grafana/loki/issues/13970)) ([6f99af6](https://redirect.github.com/grafana/loki/commit/6f99af62227f98c7d9de8a5cf480ae792ce6220a)) - **detected_labels:** Add matchers to get labels from store" ([#​14012](https://redirect.github.com/grafana/loki/issues/14012)) ([25234e8](https://redirect.github.com/grafana/loki/commit/25234e83483cb8a974d40b7c80b3d4dd62d6d880)) - do not retain span logger created with index set initialized at query time ([#​14027](https://redirect.github.com/grafana/loki/issues/14027)) ([bd25ac2](https://redirect.github.com/grafana/loki/commit/bd25ac2503b00812d959c2aaf092bd2618f16a5a)) - fix a bug where AppendRequest with no entries triggers flush ([#​13672](https://redirect.github.com/grafana/loki/issues/13672)) ([8a3ae22](https://redirect.github.com/grafana/loki/commit/8a3ae223ba160584d61bd5cb39b546a3c28f46b5)) - Fix HPA ingester typo ([#​13158](https://redirect.github.com/grafana/loki/issues/13158)) ([4ca9785](https://redirect.github.com/grafana/loki/commit/4ca97858d9dc33db7abbe20ca01c6735cb9ce34e)) - Fix log line for fingerprint not found ([#​13555](https://redirect.github.com/grafana/loki/issues/13555)) ([aeb23bb](https://redirect.github.com/grafana/loki/commit/aeb23bb7fc3d33327060828ddf97cb7da7b3c8f8)) - Fix panic in BloomStore initialisation ([#​13457](https://redirect.github.com/grafana/loki/issues/13457)) ([5f4b8fc](https://redirect.github.com/grafana/loki/commit/5f4b8fc9e44ac386ef5bfc64dd5f8f47b72f8ef9)) - Fix panic in ingester.go ([#​13557](https://redirect.github.com/grafana/loki/issues/13557)) ([dbff69a](https://redirect.github.com/grafana/loki/commit/dbff69a2e92f3ce34f7d58a7418cd0456d644be3)) - fix retry code to handle grpc status codes. updated newer stats retries to be wrapped with spans ([#​13592](https://redirect.github.com/grafana/loki/issues/13592)) ([d3e1edb](https://redirect.github.com/grafana/loki/commit/d3e1edbf1102b2f0f4116c3bb1773000d0368dde)) - fixed typo in ruler URL ([#​13692](https://redirect.github.com/grafana/loki/issues/13692)) ([1476498](https://redirect.github.com/grafana/loki/commit/14764989a2c6f01803f0313d8151f7aa20affd4a)) - Fixes pattern pruning stability ([#​13429](https://redirect.github.com/grafana/loki/issues/13429)) ([7c86e65](https://redirect.github.com/grafana/loki/commit/7c86e651ac71b31bf85e46303931291eafcc0027)) - Fixes span name of serializeRounTripper ([#​13541](https://redirect.github.com/grafana/loki/issues/13541)) ([4451d56](https://redirect.github.com/grafana/loki/commit/4451d56d6b9a9d2eb54ed75d3d2c8fe0db6908eb)) - flaky test blockPlansForGaps ([#​13743](https://redirect.github.com/grafana/loki/issues/13743)) ([37e33d4](https://redirect.github.com/grafana/loki/commit/37e33d41b4583626a0384e4eb4c4570d3ef11882)) - **gateway client:** Fix nil pointer dereference panic when using ruler in ring mode ([#​13436](https://redirect.github.com/grafana/loki/issues/13436)) ([304db10](https://redirect.github.com/grafana/loki/commit/304db100b382f0c1d1d9999dfe8ca77d1ac901c9)) - Handle block offset exceeding chunk length in memchunk.go ([#​13661](https://redirect.github.com/grafana/loki/issues/13661)) ([d42476a](https://redirect.github.com/grafana/loki/commit/d42476aa58fca07b17ee39d388639807624f884a)) - Handle EOF when reading from some obj stores ([#​13868](https://redirect.github.com/grafana/loki/issues/13868)) ([98a15e2](https://redirect.github.com/grafana/loki/commit/98a15e2303e6be2bb29b024b95e6a1941b19acf2)) - **helm:** fix extraObjects ([#​13107](https://redirect.github.com/grafana/loki/issues/13107)) ([b7fcf2b](https://redirect.github.com/grafana/loki/commit/b7fcf2bb7ea35206c0015545c93582991f64f581)) - **helm:** fix imagePullSecrets for statefulset-results-cache ([#​13051](https://redirect.github.com/grafana/loki/issues/13051)) ([8434b2f](https://redirect.github.com/grafana/loki/commit/8434b2f6e8e124225aafe6e55ca9c1b6ff6a2c5b)) - **helm:** fixed memcached and provisioner templates ([#​13788](https://redirect.github.com/grafana/loki/issues/13788)) ([1bf9791](https://redirect.github.com/grafana/loki/commit/1bf97912de83200d02689511f48658ce7d9543cf)) - **helm:** removed helm test ([#​13651](https://redirect.github.com/grafana/loki/issues/13651)) ([ef03476](https://redirect.github.com/grafana/loki/commit/ef03476f3dac159e5f58490351223fcdb9ac3469)) - **helm:** Update yaml file `./production/helm/loki/Chart.yaml` (+1 other) ([#​13392](https://redirect.github.com/grafana/loki/issues/13392)) ([b5b861c](https://redirect.github.com/grafana/loki/commit/b5b861c348bc768254fd083fb40d2820cf347be6)) - **helm:** Update yaml file `./production/helm/loki/values.yaml` (+1 other) ([#​13426](https://redirect.github.com/grafana/loki/issues/13426)) ([fc3904e](https://redirect.github.com/grafana/loki/commit/fc3904ee69d0824dc681ca5a4280f7aa2ec5563b)) - Improve execution speed for queries with label filters ([#​13922](https://redirect.github.com/grafana/loki/issues/13922)) ([40f4f14](https://redirect.github.com/grafana/loki/commit/40f4f1479170a90b39c005292e11a3ec4db4bc34)) - Include whitespaces in extracted tokens ([#​13738](https://redirect.github.com/grafana/loki/issues/13738)) ([7683a79](https://redirect.github.com/grafana/loki/commit/7683a791912ba128ce8af88b294ae3722330dfa2)) - incorrect pod matcher for compactor in mixin when using ssd mode ([#​12846](https://redirect.github.com/grafana/loki/issues/12846)) ([515e13c](https://redirect.github.com/grafana/loki/commit/515e13cc6c92b08968bc87e220b8bca64683fd05)) - Init internal server log along with loki's server instance ([#​13221](https://redirect.github.com/grafana/loki/issues/13221)) ([66b8c9b](https://redirect.github.com/grafana/loki/commit/66b8c9b7738acd0e0616b88d35cf3ddc0df83e7e)) - Keep blocks referenced by newer metas ([#​13614](https://redirect.github.com/grafana/loki/issues/13614)) ([784e7d5](https://redirect.github.com/grafana/loki/commit/784e7d562fedec7134c8ed4e2cee8ccb7049e271)) - Lint issues after merge to main ([#​13326](https://redirect.github.com/grafana/loki/issues/13326)) ([7e19cc7](https://redirect.github.com/grafana/loki/commit/7e19cc7dca8480932b39c87c7c2e296f99318c95)) - **log results cache:** include pipeline wrapper disabled in cache key ([#​13328](https://redirect.github.com/grafana/loki/issues/13328)) ([221491c](https://redirect.github.com/grafana/loki/commit/221491c123adb6cedfabace6fc2cd03a32124655)) - **loki-mixin:** Fix latency panel for Index Gateway ([#​13629](https://redirect.github.com/grafana/loki/issues/13629)) ([f586c00](https://redirect.github.com/grafana/loki/commit/f586c00a9fcfa8bb84781698e141dff928b86c92)) - **mixin:** various latency panels in operational dashboard should have ms unit type instead of seconds ([#​13260](https://redirect.github.com/grafana/loki/issues/13260)) ([f5a9905](https://redirect.github.com/grafana/loki/commit/f5a99058036f60f5ae0c190c48cbcf5ce22ea96d)) - **operator:** Allow structured metadata only if V13 schema provided ([#​13463](https://redirect.github.com/grafana/loki/issues/13463)) ([3ac130b](https://redirect.github.com/grafana/loki/commit/3ac130b8a152169766cb173718f2312aeb4f694e)) - **operator:** Don't overwrite annotations for LokiStack ingress resources ([#​13708](https://redirect.github.com/grafana/loki/issues/13708)) ([f523530](https://redirect.github.com/grafana/loki/commit/f52353060dd936cff587ff2060c8616941695ece)) - **operator:** Remove duplicate conditions from status ([#​13497](https://redirect.github.com/grafana/loki/issues/13497)) ([527510d](https://redirect.github.com/grafana/loki/commit/527510d1a84a981250047dbabba8d492177b8452)) - **operator:** Set object storage for delete requests when using retention ([#​13562](https://redirect.github.com/grafana/loki/issues/13562)) ([46de4c1](https://redirect.github.com/grafana/loki/commit/46de4c1bc839ef682798bec5003123f7d5f4404b)) - **operator:** Skip updating annotations for serviceaccounts ([#​13450](https://redirect.github.com/grafana/loki/issues/13450)) ([1b9b111](https://redirect.github.com/grafana/loki/commit/1b9b11116b48fb37b7015d27104668412fc04937)) - **operator:** Support v3.1.0 in OpenShift dashboards ([#​13430](https://redirect.github.com/grafana/loki/issues/13430)) ([8279d59](https://redirect.github.com/grafana/loki/commit/8279d59f145df9c9132aeff9e3d46c738650027c)) - **operator:** Watch for CredentialsRequests on CCOAuthEnv only ([#​13299](https://redirect.github.com/grafana/loki/issues/13299)) ([7fc926e](https://redirect.github.com/grafana/loki/commit/7fc926e36ea8fca7bd8e9955c8994574535dbbae)) - panic when parsing and extracting JSON key values ([#​13790](https://redirect.github.com/grafana/loki/issues/13790)) ([5ef83a7](https://redirect.github.com/grafana/loki/commit/5ef83a741ba515f68343e9dc345fcb8afe921bfd)) - Propagate headers/warnings/stats from quantile downstreams ([#​13881](https://redirect.github.com/grafana/loki/issues/13881)) ([a0c7598](https://redirect.github.com/grafana/loki/commit/a0c75987a24d0adc520c60dd5d85df4c34009548)) - Properly reset wal segment writer ([#​13468](https://redirect.github.com/grafana/loki/issues/13468)) ([6ea83b4](https://redirect.github.com/grafana/loki/commit/6ea83b45b5e9f8e1d0f9d7e5574bb5b520ddfefd)) - protect ruler remote-write overrides map with a mutex when creating new appenders ([#​13676](https://redirect.github.com/grafana/loki/issues/13676)) ([e9a9c60](https://redirect.github.com/grafana/loki/commit/e9a9c60c22e78b52c0c046d379b4b2b986d91dca)) - querier address in SingleBinary mode ([#​13297](https://redirect.github.com/grafana/loki/issues/13297)) ([29f1ea9](https://redirect.github.com/grafana/loki/commit/29f1ea91ecd935a6becae2bd425224a913285071)) - **query engine:** Include lines with ts equal to end timestamp of the query range when executing range aggregations ([#​13448](https://redirect.github.com/grafana/loki/issues/13448)) ([e0ca67d](https://redirect.github.com/grafana/loki/commit/e0ca67dd4563e41c57b2f1409ef235b76b2a1a6e)) - Read "404" as object not exist ([#​13901](https://redirect.github.com/grafana/loki/issues/13901)) ([3c9c647](https://redirect.github.com/grafana/loki/commit/3c9c6479226818229802b97e08d6c9e13e3798a5)) - Read full buffer from storage when fetching a range ([#​13948](https://redirect.github.com/grafana/loki/issues/13948)) ([115fef4](https://redirect.github.com/grafana/loki/commit/115fef49f9e023aa79c909e3cdef15b29db00907)) - record datasample queries are limited query type ([#​13930](https://redirect.github.com/grafana/loki/issues/13930)) ([ae938d0](https://redirect.github.com/grafana/loki/commit/ae938d06d941a386aa839b6717445c2295ce2efa)) - Redo ingester profile tagging ([#​13239](https://redirect.github.com/grafana/loki/issues/13239)) ([32097c8](https://redirect.github.com/grafana/loki/commit/32097c84627f5190cfcf6c1f247c9d0531d92865)) - remove limit middleware for `detected_labels` ([#​13643](https://redirect.github.com/grafana/loki/issues/13643)) ([2642718](https://redirect.github.com/grafana/loki/commit/2642718d50569931b71cfc0c9288318ab775ca41)) - Remove query size limit for detected fields ([#​13423](https://redirect.github.com/grafana/loki/issues/13423)) ([1fa5127](https://redirect.github.com/grafana/loki/commit/1fa51277978ead6569e31e908dec7f140dadb90f)) - remove retries on the stats handlers because they already retry ([#​13608](https://redirect.github.com/grafana/loki/issues/13608)) ([1008315](https://redirect.github.com/grafana/loki/commit/10083159a7e54df4e41efe2fc2e04e267fee1147)) - remove tenant label tagging from profiles to reduce cardinality ([#​13270](https://redirect.github.com/grafana/loki/issues/13270)) ([f897758](https://redirect.github.com/grafana/loki/commit/f8977587476169197d6da4d7055b97b189808344)) - remove trailing backtick in verify-config for Loki 3.0 ([#​13640](https://redirect.github.com/grafana/loki/issues/13640)) ([498f29a](https://redirect.github.com/grafana/loki/commit/498f29a66b2dbfeff85454f22d0596d20066a635)) - Retain original values in logfmt pattern tokenizer ([#​13535](https://redirect.github.com/grafana/loki/issues/13535)) ([5fa9c4b](https://redirect.github.com/grafana/loki/commit/5fa9c4bd56ec996fa2cf018b4b74b992fedca26a)) - **retry:** fix retries when using protobuf encoding ([#​13316](https://redirect.github.com/grafana/loki/issues/13316)) ([a457c5d](https://redirect.github.com/grafana/loki/commit/a457c5d171d5ffa0a7060c98a8bc48abd735911a)) - Return empty vector instead of nil for empty evaluator. ([#​13485](https://redirect.github.com/grafana/loki/issues/13485)) ([08615bf](https://redirect.github.com/grafana/loki/commit/08615bf7519b31e825903577427f7407194baf74)) - sanatize structured metadata at query time ([#​13983](https://redirect.github.com/grafana/loki/issues/13983)) ([3bf7fa9](https://redirect.github.com/grafana/loki/commit/3bf7fa9f159a7c76b1bcdd640c765b333766f748)) - separates directory creation from permission checks ([#​13248](https://redirect.github.com/grafana/loki/issues/13248)) ([1086783](https://redirect.github.com/grafana/loki/commit/1086783a1d8886f0e6888289975e771e18d800e6)) - **sharding:** use without() grouping when merging `avg_over_time` shard results ([#​12176](https://redirect.github.com/grafana/loki/issues/12176)) ([eb8a363](https://redirect.github.com/grafana/loki/commit/eb8a36306674c497d8b0150b482f275e2c00f6c9)) - special case the return values from a sharded first/last_over_time query ([#​13578](https://redirect.github.com/grafana/loki/issues/13578)) ([29a37d5](https://redirect.github.com/grafana/loki/commit/29a37d5dcdab33d62615a79aefe97ea2a80dea03)) - split the error and agg metric cases for clarity ([#​13913](https://redirect.github.com/grafana/loki/issues/13913)) ([d2474fa](https://redirect.github.com/grafana/loki/commit/d2474fa9892cf15f15ff798dd6cfc0dc736844e6)) - stream ownership check ([#​13314](https://redirect.github.com/grafana/loki/issues/13314)) ([5ae5b31](https://redirect.github.com/grafana/loki/commit/5ae5b31b1f9ffcac9193cfd4ba47a64d911966db)) - support multi-zone ingesters when converting global to local limits for streams in limiter.go ([#​13321](https://redirect.github.com/grafana/loki/issues/13321)) ([e28c15f](https://redirect.github.com/grafana/loki/commit/e28c15f56c2aab62eecbaa382055eac99fc3a581)) - try reading chunks which have incorrect offset for blocks ([#​13720](https://redirect.github.com/grafana/loki/issues/13720)) ([7e224d5](https://redirect.github.com/grafana/loki/commit/7e224d53de8a5c43448ffd341f0d9c48abb335ef)) - update fixed limit once streams ownership re-checked ([#​13231](https://redirect.github.com/grafana/loki/issues/13231)) ([7ac19f0](https://redirect.github.com/grafana/loki/commit/7ac19f00b4f5186b0c38a8dad23cf61e14d071de)) - Update Loki v3 Helm statefulset-ingester.yaml template ([#​13118](https://redirect.github.com/grafana/loki/issues/13118)) ([5b4e576](https://redirect.github.com/grafana/loki/commit/5b4e57602f7b7e5f4d73204ad682826d1041f8a8)) - Use elements match in gapsBetweenTSDBsAndMetas test ([#​13722](https://redirect.github.com/grafana/loki/issues/13722)) ([4cbe2a6](https://redirect.github.com/grafana/loki/commit/4cbe2a6a85c3095f66610cffd32cb3d3bdd43b3f)) ##### Performance Improvements - Avoid looking up unnecessary TSDB symbols during Volume API ([#​13960](https://redirect.github.com/grafana/loki/issues/13960)) ([7c1a849](https://redirect.github.com/grafana/loki/commit/7c1a8493b3837396d085547a42d8260271f1d68a)) - **blooms:** always return bloom pages to allocator ([#​13288](https://redirect.github.com/grafana/loki/issues/13288)) ([0cb3ff1](https://redirect.github.com/grafana/loki/commit/0cb3ff18307eecb5986a284256fc662ecdef1692)) - **blooms:** Avoid tiny string allocations for insert cache ([#​13487](https://redirect.github.com/grafana/loki/issues/13487)) ([652ad24](https://redirect.github.com/grafana/loki/commit/652ad2455c58d35f5f0b3a7f64f787f666345cce)) - **blooms:** mempool no longer zeroes out buffers unnecessarily ([#​13282](https://redirect.github.com/grafana/loki/issues/13282)) ([eb1cd4c](https://redirect.github.com/grafana/loki/commit/eb1cd4c8555a42cc12c02124ee39a3be0120587b)) - Gather aggregate per-line and per-tenant metrics for Drain patterns ([#​13368](https://redirect.github.com/grafana/loki/issues/13368)) ([bf1d6e3](https://redirect.github.com/grafana/loki/commit/bf1d6e36f7f0758a3a5a9844291d3a52265d6dbb)) - Limit tokens per pattern to 128 ([#​13376](https://redirect.github.com/grafana/loki/issues/13376)) ([a1efafd](https://redirect.github.com/grafana/loki/commit/a1efafdad22f18c960f6a3bc273072f24f988121)) - **mempool:** Replace `sync.Mutex` with `sync.Once` ([#​13293](https://redirect.github.com/grafana/loki/issues/13293)) ([61a9854](https://redirect.github.com/grafana/loki/commit/61a9854eb189e5d2c91528ced10ecf39071df680)) - Prune unused pattern branches ([#​13329](https://redirect.github.com/grafana/loki/issues/13329)) ([5ef18cf](https://redirect.github.com/grafana/loki/commit/5ef18cff9296d56cab4dd99227c40de726b08ea6)) - Re-introduce fixed size memory pool for bloom querier ([#​13172](https://redirect.github.com/grafana/loki/issues/13172)) ([4117b6c](https://redirect.github.com/grafana/loki/commit/4117b6ca981b2852a15b102be2394bffce37b3e2)) ##### Miscellaneous Chores - **blooms:** Remove bloom compactor component ([#​13969](https://redirect.github.com/grafana/loki/issues/13969)) ([b75eacc](https://redirect.github.com/grafana/loki/commit/b75eacc288c52737e41ba9932c06409c643e2e5c)) - **jsonnet:** convert read statefulset into deployment for loki-simple-scalable ([#​13977](https://redirect.github.com/grafana/loki/issues/13977)) ([1535183](https://redirect.github.com/grafana/loki/commit/1535183453737933c249e8376775ef273da52698))
grafana/helm-charts (loki) ### [`v6.16.0`](https://redirect.github.com/grafana/helm-charts/releases/tag/promtail-6.16.0) Promtail is an agent which ships the contents of local logs to a Loki instance #### What's Changed - \[promtail] update to 3.0.0 by [@​mjnagel](https://redirect.github.com/mjnagel) in [https://github.com/grafana/helm-charts/pull/3083](https://redirect.github.com/grafana/helm-charts/pull/3083) #### New Contributors - [@​mjnagel](https://redirect.github.com/mjnagel) made their first contribution in [https://github.com/grafana/helm-charts/pull/3083](https://redirect.github.com/grafana/helm-charts/pull/3083) **Full Changelog**: https://github.com/grafana/helm-charts/compare/grafana-agent-operator-0.4.0...promtail-6.16.0 ### [`v6.15.0`](https://redirect.github.com/grafana/helm-charts/releases/tag/promtail-6.15.0) Promtail is an agent which ships the contents of local logs to a Loki instance #### What's Changed - \[promtail] allow setting hostNetwork on daemonset by [@​diranged](https://redirect.github.com/diranged) in [https://github.com/grafana/helm-charts/pull/2598](https://redirect.github.com/grafana/helm-charts/pull/2598) **Full Changelog**: https://github.com/grafana/helm-charts/compare/tempo-distributed-1.6.2...promtail-6.15.0
--- ### Configuration πŸ“… **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. β™» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. πŸ‘» **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/defenseunicorns/uds-core). Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Chance <139784371+UnicornChance@users.noreply.github.com> --- src/loki/common/zarf.yaml | 2 +- src/loki/values/registry1-values.yaml | 2 +- src/loki/values/unicorn-values.yaml | 2 +- src/loki/values/upstream-values.yaml | 2 +- src/loki/zarf.yaml | 6 +++--- 5 files changed, 7 insertions(+), 7 deletions(-) diff --git a/src/loki/common/zarf.yaml b/src/loki/common/zarf.yaml index 28750e2d6..988ec8d93 100644 --- a/src/loki/common/zarf.yaml +++ b/src/loki/common/zarf.yaml @@ -13,7 +13,7 @@ components: localPath: ../chart - name: loki url: https://grafana.github.io/helm-charts/ - version: 6.12.0 + version: 6.16.0 namespace: loki valuesFiles: - ../values/values.yaml diff --git a/src/loki/values/registry1-values.yaml b/src/loki/values/registry1-values.yaml index 900772e53..2240a20c5 100644 --- a/src/loki/values/registry1-values.yaml +++ b/src/loki/values/registry1-values.yaml @@ -2,7 +2,7 @@ loki: image: registry: registry1.dso.mil repository: ironbank/opensource/grafana/loki - tag: 3.1.1 + tag: 3.2.0 podSecurityContext: fsGroup: 10001 runAsGroup: 10001 diff --git a/src/loki/values/unicorn-values.yaml b/src/loki/values/unicorn-values.yaml index 309753bee..88b619ab4 100644 --- a/src/loki/values/unicorn-values.yaml +++ b/src/loki/values/unicorn-values.yaml @@ -2,7 +2,7 @@ loki: image: registry: cgr.dev repository: du-uds-defenseunicorns/loki - tag: 3.1.1 + tag: 3.2.0 gateway: image: registry: cgr.dev diff --git a/src/loki/values/upstream-values.yaml b/src/loki/values/upstream-values.yaml index a7ebd51df..d31d3cde9 100644 --- a/src/loki/values/upstream-values.yaml +++ b/src/loki/values/upstream-values.yaml @@ -2,7 +2,7 @@ loki: image: registry: docker.io repository: grafana/loki - tag: 3.1.1 + tag: 3.2.0 gateway: image: diff --git a/src/loki/zarf.yaml b/src/loki/zarf.yaml index 46d102da2..7432b4b90 100644 --- a/src/loki/zarf.yaml +++ b/src/loki/zarf.yaml @@ -16,7 +16,7 @@ components: valuesFiles: - ./values/upstream-values.yaml images: - - docker.io/grafana/loki:3.1.1 + - docker.io/grafana/loki:3.2.0 - docker.io/nginxinc/nginx-unprivileged:1.27-alpine - docker.io/memcached:1.6.31-alpine @@ -32,7 +32,7 @@ components: valuesFiles: - ./values/registry1-values.yaml images: - - registry1.dso.mil/ironbank/opensource/grafana/loki:3.1.1 + - registry1.dso.mil/ironbank/opensource/grafana/loki:3.2.0 - registry1.dso.mil/ironbank/opensource/nginx/nginx-alpine:1.26.2 - registry1.dso.mil/ironbank/opensource/memcached/memcached:1.6.31 @@ -48,6 +48,6 @@ components: valuesFiles: - ./values/unicorn-values.yaml images: - - cgr.dev/du-uds-defenseunicorns/loki:3.1.1 + - cgr.dev/du-uds-defenseunicorns/loki:3.2.0 - cgr.dev/du-uds-defenseunicorns/nginx-fips:1.27.1 - cgr.dev/du-uds-defenseunicorns/memcached:1.6.31 From ae6ed9f0f58de75bfb810cd9c6def75c90401704 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Wed, 2 Oct 2024 08:18:39 -0600 Subject: [PATCH 32/90] chore(deps): update prometheus-stack helm-charts to v64.0.0 (#849) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This PR contains the following updates: | Package | Update | Change | |---|---|---| | [kube-prometheus-stack](https://redirect.github.com/prometheus-operator/kube-prometheus) ([source](https://redirect.github.com/prometheus-community/helm-charts)) | major | `63.1.0` -> `64.0.0` | --- ### Release Notes
prometheus-community/helm-charts (kube-prometheus-stack) ### [`v64.0.0`](https://redirect.github.com/prometheus-community/helm-charts/releases/tag/kube-prometheus-stack-64.0.0) [Compare Source](https://redirect.github.com/prometheus-community/helm-charts/compare/kube-prometheus-stack-63.1.0...kube-prometheus-stack-64.0.0) kube-prometheus-stack collects Kubernetes manifests, Grafana dashboards, and Prometheus rules combined with documentation and scripts to provide easy to operate end-to-end Kubernetes cluster monitoring with Prometheus using the Prometheus Operator. #### What's Changed - \[kube-prometheus-stack] Revert "Add downward compat for Prom CRD ([#​4818](https://redirect.github.com/prometheus-community/helm-charts/issues/4818))" by [@​jkroepke](https://redirect.github.com/jkroepke) in [https://github.com/prometheus-community/helm-charts/pull/4883](https://redirect.github.com/prometheus-community/helm-charts/pull/4883) **Full Changelog**: https://github.com/prometheus-community/helm-charts/compare/prometheus-snmp-exporter-5.5.1...kube-prometheus-stack-64.0.0
--- ### Configuration πŸ“… **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. β™» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. πŸ”• **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/defenseunicorns/uds-core). Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Chance <139784371+UnicornChance@users.noreply.github.com> --- src/prometheus-stack/common/zarf.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/prometheus-stack/common/zarf.yaml b/src/prometheus-stack/common/zarf.yaml index b3bd1c50b..d4c161622 100644 --- a/src/prometheus-stack/common/zarf.yaml +++ b/src/prometheus-stack/common/zarf.yaml @@ -15,7 +15,7 @@ components: - name: kube-prometheus-stack namespace: monitoring url: https://prometheus-community.github.io/helm-charts - version: 63.1.0 + version: 64.0.0 valuesFiles: - "../values/values.yaml" actions: From 09283e87703a650458f348467fbd8fb1930df1d7 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Wed, 2 Oct 2024 08:46:55 -0600 Subject: [PATCH 33/90] chore(deps): update pepr to v0.37.1 (#843) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | Type | Update | |---|---|---|---|---|---|---|---| | [pepr](https://redirect.github.com/defenseunicorns/pepr) | [`0.36.0` -> `0.37.1`](https://renovatebot.com/diffs/npm/pepr/0.36.0/0.37.1) | [![age](https://developer.mend.io/api/mc/badges/age/npm/pepr/0.37.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/pepr/0.37.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/pepr/0.36.0/0.37.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/pepr/0.36.0/0.37.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | dependencies | minor | | [registry1.dso.mil/ironbank/opensource/defenseunicorns/pepr/controller](https://redirect.github.com/defenseunicorns/pepr) ([source](https://repo1.dso.mil/dsop/opensource/defenseunicorns/pepr/controller)) | `v0.36.0` -> `v0.37.1` | [![age](https://developer.mend.io/api/mc/badges/age/docker/registry1.dso.mil%2fironbank%2fopensource%2fdefenseunicorns%2fpepr%2fcontroller/v0.37.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/docker/registry1.dso.mil%2fironbank%2fopensource%2fdefenseunicorns%2fpepr%2fcontroller/v0.37.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/docker/registry1.dso.mil%2fironbank%2fopensource%2fdefenseunicorns%2fpepr%2fcontroller/v0.36.0/v0.37.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/docker/registry1.dso.mil%2fironbank%2fopensource%2fdefenseunicorns%2fpepr%2fcontroller/v0.36.0/v0.37.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | | minor | --- ### Release Notes
defenseunicorns/pepr (pepr) ### [`v0.37.1`](https://redirect.github.com/defenseunicorns/pepr/releases/tag/v0.37.1) [Compare Source](https://redirect.github.com/defenseunicorns/pepr/compare/v0.37.0...v0.37.1) We needed to remove a type dependency from the controller image that was affecting people's CI. #### What's Changed - chore: sync work - add types to cli with prompts and init options by [@​cmwylie19](https://redirect.github.com/cmwylie19) in [https://github.com/defenseunicorns/pepr/pull/1196](https://redirect.github.com/defenseunicorns/pepr/pull/1196) - feat(testing): use candidate versions of pepr in E2E tests when testing new functionality by [@​samayer12](https://redirect.github.com/samayer12) in [https://github.com/defenseunicorns/pepr/pull/1157](https://redirect.github.com/defenseunicorns/pepr/pull/1157) **Full Changelog**: https://github.com/defenseunicorns/pepr/compare/v0.37.0...v0.37.1 ### [`v0.37.0`](https://redirect.github.com/defenseunicorns/pepr/releases/tag/v0.37.0) [Compare Source](https://redirect.github.com/defenseunicorns/pepr/compare/v0.36.0...v0.37.0) #### Deprecations ⚠️ We identified a circular dependency, which required us to relocate some types. In this release, those types are duplicated, but in the next release, they will be fully moved from `src/lib/k8s.ts` to `src/lib/types.ts`. If your module uses any of these types, please update your imports accordingly to avoid issues in future versions. Affected Types: - [Operation (enum)](https://redirect.github.com/defenseunicorns/pepr/blob/1e42d49cc90cf82ce85a57fb574917319db3c102/src/lib/k8s.ts#L6) - [GroupVersionResource (interface)](https://redirect.github.com/defenseunicorns/pepr/blob/1e42d49cc90cf82ce85a57fb574917319db3c102/src/lib/k8s.ts#L31) - [AdmissionRequest (interface)](https://redirect.github.com/defenseunicorns/pepr/blob/1e42d49cc90cf82ce85a57fb574917319db3c102/src/lib/k8s.ts#L42) Find all of them now in [types.ts](https://redirect.github.com/defenseunicorns/pepr/blob/1e42d49cc90cf82ce85a57fb574917319db3c102/src/lib/types.ts) #### Features πŸš€ - feat: redact store values from logs by [@​cmwylie19](https://redirect.github.com/cmwylie19) in [https://github.com/defenseunicorns/pepr/pull/1176](https://redirect.github.com/defenseunicorns/pepr/pull/1176) - feat(cli): support input flags for 'npx pepr init' by [@​samayer12](https://redirect.github.com/samayer12) in [https://github.com/defenseunicorns/pepr/pull/1141](https://redirect.github.com/defenseunicorns/pepr/pull/1141) - feat: add Finalize() to Pepr by [@​btlghrants](https://redirect.github.com/btlghrants) in [https://github.com/defenseunicorns/pepr/pull/1102](https://redirect.github.com/defenseunicorns/pepr/pull/1102) - feat: regex filters for namespace and name by [@​cmwylie19](https://redirect.github.com/cmwylie19) in [https://github.com/defenseunicorns/pepr/pull/1156](https://redirect.github.com/defenseunicorns/pepr/pull/1156) #### What's Changed πŸ”§ - chore: add commit lint "ignore" rule by [@​btlghrants](https://redirect.github.com/btlghrants) in [https://github.com/defenseunicorns/pepr/pull/1145](https://redirect.github.com/defenseunicorns/pepr/pull/1145) - chore: dont send unnecessary patch by [@​btlghrants](https://redirect.github.com/btlghrants) in [https://github.com/defenseunicorns/pepr/pull/1144](https://redirect.github.com/defenseunicorns/pepr/pull/1144) - test: add UDS smoke test by [@​btlghrants](https://redirect.github.com/btlghrants) in [https://github.com/defenseunicorns/pepr/pull/1153](https://redirect.github.com/defenseunicorns/pepr/pull/1153) - chore: add filter for name by [@​cmwylie19](https://redirect.github.com/cmwylie19) in [https://github.com/defenseunicorns/pepr/pull/1151](https://redirect.github.com/defenseunicorns/pepr/pull/1151) - chore: ignore warning in prod by [@​cmwylie19](https://redirect.github.com/cmwylie19) in [https://github.com/defenseunicorns/pepr/pull/1152](https://redirect.github.com/defenseunicorns/pepr/pull/1152) - chore: update husky install due to deprecation by [@​cmwylie19](https://redirect.github.com/cmwylie19) in [https://github.com/defenseunicorns/pepr/pull/1167](https://redirect.github.com/defenseunicorns/pepr/pull/1167) - chore: show actual pod list in pepr soak test and counts in the pod map by [@​cmwylie19](https://redirect.github.com/cmwylie19) in [https://github.com/defenseunicorns/pepr/pull/1172](https://redirect.github.com/defenseunicorns/pepr/pull/1172) - chore: lint changes on commit with husky by [@​itsarijitray](https://redirect.github.com/itsarijitray) in [https://github.com/defenseunicorns/pepr/pull/1160](https://redirect.github.com/defenseunicorns/pepr/pull/1160) - chore: considers ignored namespaces in filters by [@​cmwylie19](https://redirect.github.com/cmwylie19) in [https://github.com/defenseunicorns/pepr/pull/1165](https://redirect.github.com/defenseunicorns/pepr/pull/1165) - feat: add alias prefixing to pino logs by [@​schaeferka](https://redirect.github.com/schaeferka) in [https://github.com/defenseunicorns/pepr/pull/916](https://redirect.github.com/defenseunicorns/pepr/pull/916) - refactor: filterNoMatchReason and shouldSkipRequest by [@​btlghrants](https://redirect.github.com/btlghrants) in [https://github.com/defenseunicorns/pepr/pull/1161](https://redirect.github.com/defenseunicorns/pepr/pull/1161) - refactor: remove filterNoMatchReasonRegex / shouldSkipRequestRegex wrappers by [@​btlghrants](https://redirect.github.com/btlghrants) in [https://github.com/defenseunicorns/pepr/pull/1184](https://redirect.github.com/defenseunicorns/pepr/pull/1184) - chore: dont do patch operation if store is empty by [@​cmwylie19](https://redirect.github.com/cmwylie19) in [https://github.com/defenseunicorns/pepr/pull/1182](https://redirect.github.com/defenseunicorns/pepr/pull/1182) - chore: set default branch for new module to main by [@​schaeferka](https://redirect.github.com/schaeferka) in [https://github.com/defenseunicorns/pepr/pull/1185](https://redirect.github.com/defenseunicorns/pepr/pull/1185) - chore: samayer12 to codeowners by [@​samayer12](https://redirect.github.com/samayer12) in [https://github.com/defenseunicorns/pepr/pull/1189](https://redirect.github.com/defenseunicorns/pepr/pull/1189) #### Dependabot Updates πŸ€– - chore: bump chainguard/node from `2a8a01a` to `bd9ec30` by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/defenseunicorns/pepr/pull/1190](https://redirect.github.com/defenseunicorns/pepr/pull/1190) - chore: bump kubernetes-fluent-client from 3.0.3 to 3.0.4 in the production-dependencies group by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/defenseunicorns/pepr/pull/1191](https://redirect.github.com/defenseunicorns/pepr/pull/1191) - chore: bump chainguard/node from `5b59be4` to `31749fc` by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/defenseunicorns/pepr/pull/1146](https://redirect.github.com/defenseunicorns/pepr/pull/1146) - chore: bump chainguard/node from `31749fc` to `22e112f` by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/defenseunicorns/pepr/pull/1155](https://redirect.github.com/defenseunicorns/pepr/pull/1155) - chore: bump actions/setup-node from 4.0.3 to 4.0.4 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/defenseunicorns/pepr/pull/1159](https://redirect.github.com/defenseunicorns/pepr/pull/1159) - chore: bump github/codeql-action from 3.26.7 to 3.26.8 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/defenseunicorns/pepr/pull/1158](https://redirect.github.com/defenseunicorns/pepr/pull/1158) - chore: bump chainguard/node from `22e112f` to `7b64927` by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/defenseunicorns/pepr/pull/1163](https://redirect.github.com/defenseunicorns/pepr/pull/1163) - chore: bump husky from 8.0.3 to 9.1.6 in the development-dependencies group by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/defenseunicorns/pepr/pull/1164](https://redirect.github.com/defenseunicorns/pepr/pull/1164) - chore: bump the development-dependencies group with 2 updates by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/defenseunicorns/pepr/pull/1174](https://redirect.github.com/defenseunicorns/pepr/pull/1174) - chore: bump chainguard/node from `7b64927` to `92f9a7d` by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/defenseunicorns/pepr/pull/1169](https://redirect.github.com/defenseunicorns/pepr/pull/1169) - chore: bump [@​types/node](https://redirect.github.com/types/node) from 22.7.2 to 22.7.3 in the development-dependencies group by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/defenseunicorns/pepr/pull/1178](https://redirect.github.com/defenseunicorns/pepr/pull/1178) - chore: bump chainguard/node from `92f9a7d` to `2a8a01a` by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/defenseunicorns/pepr/pull/1177](https://redirect.github.com/defenseunicorns/pepr/pull/1177) - chore: bump [@​types/node](https://redirect.github.com/types/node) from 22.7.3 to 22.7.4 in the development-dependencies group by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/defenseunicorns/pepr/pull/1183](https://redirect.github.com/defenseunicorns/pepr/pull/1183) - chore: bump github/codeql-action from 3.26.8 to 3.26.9 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/defenseunicorns/pepr/pull/1170](https://redirect.github.com/defenseunicorns/pepr/pull/1170) - chore: bump actions/checkout from 4.1.7 to 4.2.0 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/defenseunicorns/pepr/pull/1175](https://redirect.github.com/defenseunicorns/pepr/pull/1175) - chore: bump [@​types/node](https://redirect.github.com/types/node) from 22.5.5 to 22.6.1 in the development-dependencies group by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/defenseunicorns/pepr/pull/1168](https://redirect.github.com/defenseunicorns/pepr/pull/1168) #### New Contributors πŸ‘ - [@​itsarijitray](https://redirect.github.com/itsarijitray) made their first contribution in [https://github.com/defenseunicorns/pepr/pull/1160](https://redirect.github.com/defenseunicorns/pepr/pull/1160) **Full Changelog**: https://github.com/defenseunicorns/pepr/compare/v0.36.0...v0.37.0
--- ### Configuration πŸ“… **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. β™» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. πŸ”• **Ignore**: Close this PR and you won't be reminded about these updates again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/defenseunicorns/uds-core). Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Chance <139784371+UnicornChance@users.noreply.github.com> --- package-lock.json | 28 ++++++++++++++++++++-------- package.json | 2 +- tasks/create.yaml | 2 +- 3 files changed, 22 insertions(+), 10 deletions(-) diff --git a/package-lock.json b/package-lock.json index e838c0321..ed8b3eda9 100644 --- a/package-lock.json +++ b/package-lock.json @@ -8,7 +8,7 @@ "name": "uds-core", "version": "0.5.0", "dependencies": { - "pepr": "0.36.0" + "pepr": "0.37.1" }, "devDependencies": { "@jest/globals": "29.7.0", @@ -1909,6 +1909,17 @@ "form-data": "^4.0.0" } }, + "node_modules/@types/prompts": { + "version": "2.4.9", + "resolved": "https://registry.npmjs.org/@types/prompts/-/prompts-2.4.9.tgz", + "integrity": "sha512-qTxFi6Buiu8+50/+3DGIWLHM6QuWsEKugJnnP6iv2Mc4ncxE4A/OJkjuVOA+5X0X1S/nq5VJRa8Lu+nwcvbrKA==", + "license": "MIT", + "peer": true, + "dependencies": { + "@types/node": "*", + "kleur": "^3.0.3" + } + }, "node_modules/@types/ramda": { "version": "0.30.2", "resolved": "https://registry.npmjs.org/@types/ramda/-/ramda-0.30.2.tgz", @@ -5203,9 +5214,9 @@ } }, "node_modules/kubernetes-fluent-client": { - "version": "3.0.3", - "resolved": "https://registry.npmjs.org/kubernetes-fluent-client/-/kubernetes-fluent-client-3.0.3.tgz", - "integrity": "sha512-Cp2VdZYQY2bX4Sio5Tk4g20Vh7m2+OIUQrrIIYFYIcxqzTDBcK4yqVx8Au0SanwjgJ3DG2ysGMhyBUWJOezBmw==", + "version": "3.0.4", + "resolved": "https://registry.npmjs.org/kubernetes-fluent-client/-/kubernetes-fluent-client-3.0.4.tgz", + "integrity": "sha512-mkLpT2Wjm8zUO3fgIy5d+UqFWoe4DG/soJA5wwrCTrsis+JHBnuLfTtI8bU/y2ie4EOfW0uSs8c0oXmveMImZQ==", "license": "Apache-2.0", "dependencies": { "@kubernetes/client-node": "1.0.0-rc6", @@ -6201,16 +6212,16 @@ } }, "node_modules/pepr": { - "version": "0.36.0", - "resolved": "https://registry.npmjs.org/pepr/-/pepr-0.36.0.tgz", - "integrity": "sha512-+GyQK9SUhjoEAfWU1cdKtKjYx8JCT+aracTBb5jRh3JIljD61H8nxlAlIS8rEcAdGw2Gcu/qztxX62x3Bjaw+A==", + "version": "0.37.1", + "resolved": "https://registry.npmjs.org/pepr/-/pepr-0.37.1.tgz", + "integrity": "sha512-3Kpw7i11xYgE+AMXVqVo3Kze5M8GZTed8eaKXf43FhbFmRGiPgHxXqIOv2iLDVvpLgcCa8MpP5cj89IBZn10Qw==", "license": "Apache-2.0", "dependencies": { "@types/ramda": "0.30.2", "express": "4.21.0", "fast-json-patch": "3.1.1", "json-pointer": "^0.6.2", - "kubernetes-fluent-client": "3.0.3", + "kubernetes-fluent-client": "3.0.4", "pino": "9.4.0", "pino-pretty": "11.2.2", "prom-client": "15.1.3", @@ -6223,6 +6234,7 @@ "node": ">=18.0.0" }, "peerDependencies": { + "@types/prompts": "2.4.9", "@typescript-eslint/eslint-plugin": "7.18.0", "@typescript-eslint/parser": "7.18.0", "commander": "12.1.0", diff --git a/package.json b/package.json index a0c4fc6f2..3ba912464 100644 --- a/package.json +++ b/package.json @@ -29,7 +29,7 @@ "k3d-setup": "k3d cluster delete pepr-dev && k3d cluster create pepr-dev --k3s-arg '--debug@server:0'" }, "dependencies": { - "pepr": "0.36.0" + "pepr": "0.37.1" }, "devDependencies": { "@jest/globals": "29.7.0", diff --git a/tasks/create.yaml b/tasks/create.yaml index 9480a8944..e691cded8 100644 --- a/tasks/create.yaml +++ b/tasks/create.yaml @@ -7,7 +7,7 @@ variables: - name: REGISTRY1_PEPR_IMAGE # renovate: datasource=docker depName=registry1.dso.mil/ironbank/opensource/defenseunicorns/pepr/controller versioning=semver - default: registry1.dso.mil/ironbank/opensource/defenseunicorns/pepr/controller:v0.36.0 + default: registry1.dso.mil/ironbank/opensource/defenseunicorns/pepr/controller:v0.37.1 tasks: - name: standard-package From c91e36ab2b74a721df45fe80de09f22a25c59884 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Wed, 2 Oct 2024 10:02:58 -0600 Subject: [PATCH 34/90] chore(deps): update test-infra to v6.9.0 (#848) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [terraform-aws-modules/rds/aws](https://registry.terraform.io/modules/terraform-aws-modules/rds/aws) ([source](https://redirect.github.com/terraform-aws-modules/terraform-aws-rds)) | module | minor | `6.1.1` -> `6.9.0` | --- ### Release Notes
terraform-aws-modules/terraform-aws-rds (terraform-aws-modules/rds/aws) ### [`v6.9.0`](https://redirect.github.com/terraform-aws-modules/terraform-aws-rds/blob/HEAD/CHANGELOG.md#690-2024-08-19) [Compare Source](https://redirect.github.com/terraform-aws-modules/terraform-aws-rds/compare/v6.8.0...v6.9.0) ##### Features - Support `skip_destroy` for option and param groups and add `upgrade_storage_config` for replicas ([#​559](https://redirect.github.com/terraform-aws-modules/terraform-aws-rds/issues/559)) ([3f73565](https://redirect.github.com/terraform-aws-modules/terraform-aws-rds/commit/3f73565f673d38bffac3c339f436782cd79f01fb)) ### [`v6.8.0`](https://redirect.github.com/terraform-aws-modules/terraform-aws-rds/blob/HEAD/CHANGELOG.md#680-2024-07-20) [Compare Source](https://redirect.github.com/terraform-aws-modules/terraform-aws-rds/compare/v6.7.0...v6.8.0) ##### Features - Support `engine_lifecycle_support` ([#​558](https://redirect.github.com/terraform-aws-modules/terraform-aws-rds/issues/558)) ([eae7230](https://redirect.github.com/terraform-aws-modules/terraform-aws-rds/commit/eae723015b139311eb7785fa4f4a02d8fa9d55b2)) ### [`v6.7.0`](https://redirect.github.com/terraform-aws-modules/terraform-aws-rds/blob/HEAD/CHANGELOG.md#670-2024-06-12) [Compare Source](https://redirect.github.com/terraform-aws-modules/terraform-aws-rds/compare/v6.6.0...v6.7.0) ##### Features - Added cloudwatch log group `skip_destroy` and `log_group_class` ([#​553](https://redirect.github.com/terraform-aws-modules/terraform-aws-rds/issues/553)) ([12f4e91](https://redirect.github.com/terraform-aws-modules/terraform-aws-rds/commit/12f4e91f1a4f3ee48b91d222fcae5c51bbe7ab29)) ### [`v6.6.0`](https://redirect.github.com/terraform-aws-modules/terraform-aws-rds/blob/HEAD/CHANGELOG.md#660-2024-05-03) [Compare Source](https://redirect.github.com/terraform-aws-modules/terraform-aws-rds/compare/v6.5.5...v6.6.0) ##### Features - Support `dedicated_log_volume` ([#​549](https://redirect.github.com/terraform-aws-modules/terraform-aws-rds/issues/549)) ([49f87e0](https://redirect.github.com/terraform-aws-modules/terraform-aws-rds/commit/49f87e0d35a4cebafb1b2a123abf21d0909c4bf1)) ### [`v6.5.5`](https://redirect.github.com/terraform-aws-modules/terraform-aws-rds/blob/HEAD/CHANGELOG.md#655-2024-04-22) [Compare Source](https://redirect.github.com/terraform-aws-modules/terraform-aws-rds/compare/v6.5.4...v6.5.5) ##### Bug Fixes - Add upgrade doc and fix variable description ([#​548](https://redirect.github.com/terraform-aws-modules/terraform-aws-rds/issues/548)) ([97f6261](https://redirect.github.com/terraform-aws-modules/terraform-aws-rds/commit/97f6261ac90c6c271964185538d8d9e19728bd54)) ### [`v6.5.4`](https://redirect.github.com/terraform-aws-modules/terraform-aws-rds/blob/HEAD/CHANGELOG.md#654-2024-03-21) [Compare Source](https://redirect.github.com/terraform-aws-modules/terraform-aws-rds/compare/v6.5.3...v6.5.4) ##### Bug Fixes - Restore aws to required providers ([#​546](https://redirect.github.com/terraform-aws-modules/terraform-aws-rds/issues/546)) ([7f37ff8](https://redirect.github.com/terraform-aws-modules/terraform-aws-rds/commit/7f37ff8c160e819ae6766d6bf25f0fb8cec978f5)) ### [`v6.5.3`](https://redirect.github.com/terraform-aws-modules/terraform-aws-rds/blob/HEAD/CHANGELOG.md#653-2024-03-19) [Compare Source](https://redirect.github.com/terraform-aws-modules/terraform-aws-rds/compare/v6.5.2...v6.5.3) ##### Bug Fixes - Separate `db_instance_tags` from merged `tags` sub-module input ([#​544](https://redirect.github.com/terraform-aws-modules/terraform-aws-rds/issues/544)) ([89a5763](https://redirect.github.com/terraform-aws-modules/terraform-aws-rds/commit/89a5763625cc60ad1d8b9afd13cfda916e88996a)) ### [`v6.5.2`](https://redirect.github.com/terraform-aws-modules/terraform-aws-rds/blob/HEAD/CHANGELOG.md#652-2024-03-07) [Compare Source](https://redirect.github.com/terraform-aws-modules/terraform-aws-rds/compare/v6.5.1...v6.5.2) ##### Bug Fixes - Update CI workflow versions to remove deprecated runtime warnings ([#​542](https://redirect.github.com/terraform-aws-modules/terraform-aws-rds/issues/542)) ([079605a](https://redirect.github.com/terraform-aws-modules/terraform-aws-rds/commit/079605ad6b55d201393bb8225f142129e2fc2195)) ##### [6.5.1](https://redirect.github.com/terraform-aws-modules/terraform-aws-rds/compare/v6.5.0...v6.5.1) (2024-03-04) ##### Bug Fixes - Allow managing `allocated_storage` for replicas ([#​534](https://redirect.github.com/terraform-aws-modules/terraform-aws-rds/issues/534)) ([7b02569](https://redirect.github.com/terraform-aws-modules/terraform-aws-rds/commit/7b02569468142ee054441ccaeaad9a196da74bb6)) ### [`v6.5.1`](https://redirect.github.com/terraform-aws-modules/terraform-aws-rds/blob/HEAD/CHANGELOG.md#651-2024-03-04) [Compare Source](https://redirect.github.com/terraform-aws-modules/terraform-aws-rds/compare/v6.5.0...v6.5.1) ### [`v6.5.0`](https://redirect.github.com/terraform-aws-modules/terraform-aws-rds/blob/HEAD/CHANGELOG.md#650-2024-03-02) [Compare Source](https://redirect.github.com/terraform-aws-modules/terraform-aws-rds/compare/v6.4.0...v6.5.0) ##### Features - Self managed active directory arguments ([#​541](https://redirect.github.com/terraform-aws-modules/terraform-aws-rds/issues/541)) ([c85d3b0](https://redirect.github.com/terraform-aws-modules/terraform-aws-rds/commit/c85d3b0e372c725f2953b180d12b917f72df360f)) ### [`v6.4.0`](https://redirect.github.com/terraform-aws-modules/terraform-aws-rds/blob/HEAD/CHANGELOG.md#640-2024-02-02) [Compare Source](https://redirect.github.com/terraform-aws-modules/terraform-aws-rds/compare/v6.3.1...v6.4.0) ##### Features - Secretsmanager secret rotation for master user password ([#​537](https://redirect.github.com/terraform-aws-modules/terraform-aws-rds/issues/537)) ([93c85ef](https://redirect.github.com/terraform-aws-modules/terraform-aws-rds/commit/93c85efddeac23ce1dbf96f7e53d8326bca71e25)) ##### [6.3.1](https://redirect.github.com/terraform-aws-modules/terraform-aws-rds/compare/v6.3.0...v6.3.1) (2024-01-10) ##### Bug Fixes - Align the default value of `manage_master_user_password` in the instance sub-module with the root module ([#​531](https://redirect.github.com/terraform-aws-modules/terraform-aws-rds/issues/531)) ([8b90616](https://redirect.github.com/terraform-aws-modules/terraform-aws-rds/commit/8b906169527162faa8fc928aa9b5edf6cfbc1f5e)) ### [`v6.3.1`](https://redirect.github.com/terraform-aws-modules/terraform-aws-rds/blob/HEAD/CHANGELOG.md#631-2024-01-10) [Compare Source](https://redirect.github.com/terraform-aws-modules/terraform-aws-rds/compare/v6.3.0...v6.3.1) ### [`v6.3.0`](https://redirect.github.com/terraform-aws-modules/terraform-aws-rds/blob/HEAD/CHANGELOG.md#630-2023-11-13) [Compare Source](https://redirect.github.com/terraform-aws-modules/terraform-aws-rds/compare/v6.2.0...v6.3.0) ##### Features - Blue/green deployment for postgres ([#​517](https://redirect.github.com/terraform-aws-modules/terraform-aws-rds/issues/517)) ([9c18851](https://redirect.github.com/terraform-aws-modules/terraform-aws-rds/commit/9c188514304cba0c05bfd88d219e676cb518e710)) ### [`v6.2.0`](https://redirect.github.com/terraform-aws-modules/terraform-aws-rds/blob/HEAD/CHANGELOG.md#620-2023-10-23) [Compare Source](https://redirect.github.com/terraform-aws-modules/terraform-aws-rds/compare/v6.1.1...v6.2.0) ##### Features - Add `db_instance_role_association` functionality ([#​508](https://redirect.github.com/terraform-aws-modules/terraform-aws-rds/issues/508)) ([ed027d7](https://redirect.github.com/terraform-aws-modules/terraform-aws-rds/commit/ed027d7daa2a03df909479c3becc6bb621b7193f)) ##### [6.1.1](https://redirect.github.com/terraform-aws-modules/terraform-aws-rds/compare/v6.1.0...v6.1.1) (2023-08-05) ##### Bug Fixes - Change `allocated_storage` type from string to number ([#​507](https://redirect.github.com/terraform-aws-modules/terraform-aws-rds/issues/507)) ([5939ddf](https://redirect.github.com/terraform-aws-modules/terraform-aws-rds/commit/5939ddf85ef740db8896fd475cac8f1c3fae8e8f))
--- ### Configuration πŸ“… **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. β™» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. πŸ”• **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/defenseunicorns/uds-core). Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Chance <139784371+UnicornChance@users.noreply.github.com> --- .github/test-infra/rds-iac/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/test-infra/rds-iac/main.tf b/.github/test-infra/rds-iac/main.tf index 64c64a9d6..8e1571e3c 100644 --- a/.github/test-infra/rds-iac/main.tf +++ b/.github/test-infra/rds-iac/main.tf @@ -38,7 +38,7 @@ resource "aws_secretsmanager_secret_version" "db_secret_value" { module "db" { source = "terraform-aws-modules/rds/aws" - version = "6.1.1" + version = "6.9.0" identifier = "${var.db_name}-db" instance_use_identifier_prefix = true From db69b800ce9ec7ee74ab79806d357b9f3f113917 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Fri, 4 Oct 2024 08:00:09 -0600 Subject: [PATCH 35/90] chore(deps): update prometheus-stack (#855) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This PR contains the following updates: | Package | Update | Change | |---|---|---| | [kube-prometheus-stack](https://redirect.github.com/prometheus-operator/kube-prometheus) ([source](https://redirect.github.com/prometheus-community/helm-charts)) | major | `64.0.0` -> `65.0.0` | | [prometheus-operator-crds](https://redirect.github.com/prometheus-community/helm-charts) | major | `14.0.0` -> `15.0.0` | --- ### Release Notes
prometheus-community/helm-charts (kube-prometheus-stack) ### [`v65.0.0`](https://redirect.github.com/prometheus-community/helm-charts/releases/tag/kube-prometheus-stack-65.0.0) [Compare Source](https://redirect.github.com/prometheus-community/helm-charts/compare/kube-prometheus-stack-64.0.0...kube-prometheus-stack-65.0.0) kube-prometheus-stack collects Kubernetes manifests, Grafana dashboards, and Prometheus rules combined with documentation and scripts to provide easy to operate end-to-end Kubernetes cluster monitoring with Prometheus using the Prometheus Operator. ##### What's Changed - \[kube-prometheus-stack] bump to 0.77.1 by [@​DrFaust92](https://redirect.github.com/DrFaust92) in [https://github.com/prometheus-community/helm-charts/pull/4889](https://redirect.github.com/prometheus-community/helm-charts/pull/4889) **Full Changelog**: https://github.com/prometheus-community/helm-charts/compare/prometheus-fastly-exporter-0.5.0...kube-prometheus-stack-65.0.0
--- ### Configuration πŸ“… **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. β™» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. πŸ‘» **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/defenseunicorns/uds-core). Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- src/prometheus-stack/common/zarf.yaml | 2 +- src/prometheus-stack/zarf.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/prometheus-stack/common/zarf.yaml b/src/prometheus-stack/common/zarf.yaml index d4c161622..fefc30e50 100644 --- a/src/prometheus-stack/common/zarf.yaml +++ b/src/prometheus-stack/common/zarf.yaml @@ -15,7 +15,7 @@ components: - name: kube-prometheus-stack namespace: monitoring url: https://prometheus-community.github.io/helm-charts - version: 64.0.0 + version: 65.0.0 valuesFiles: - "../values/values.yaml" actions: diff --git a/src/prometheus-stack/zarf.yaml b/src/prometheus-stack/zarf.yaml index 6b09a60a0..7c1126a86 100644 --- a/src/prometheus-stack/zarf.yaml +++ b/src/prometheus-stack/zarf.yaml @@ -10,7 +10,7 @@ components: charts: - name: prometheus-operator-crds url: https://prometheus-community.github.io/helm-charts - version: 14.0.0 + version: 15.0.0 namespace: uds-crds valuesFiles: - "values/crd-values.yaml" From 609c475b260a4cadc2eeb30f6b44e9733599ad0c Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Fri, 4 Oct 2024 09:30:36 -0600 Subject: [PATCH 36/90] chore(deps): update zarf to v0.41.0 (#857) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This PR contains the following updates: | Package | Update | Change | |---|---|---| | ghcr.io/zarf-dev/packages/init | minor | `v0.40.1` -> `v0.41.0` | | [zarf-dev/zarf](https://redirect.github.com/zarf-dev/zarf) | minor | `v0.40.1` -> `v0.41.0` | --- ### Release Notes
zarf-dev/zarf (zarf-dev/zarf) ### [`v0.41.0`](https://redirect.github.com/zarf-dev/zarf/releases/tag/v0.41.0) [Compare Source](https://redirect.github.com/zarf-dev/zarf/compare/v0.40.1...v0.41.0) ##### What's Changed - chore(deps): bump github/codeql-action from 3.26.7 to 3.26.8 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/zarf-dev/zarf/pull/3013](https://redirect.github.com/zarf-dev/zarf/pull/3013) - chore(deps): bump actions/setup-node from 4.0.3 to 4.0.4 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/zarf-dev/zarf/pull/3014](https://redirect.github.com/zarf-dev/zarf/pull/3014) - chore: workflow to check that go mod tidy is run by [@​AustinAbro321](https://redirect.github.com/AustinAbro321) in [https://github.com/zarf-dev/zarf/pull/2963](https://redirect.github.com/zarf-dev/zarf/pull/2963) - fix: health checks issue when crds don't exist prior to package deploys by [@​AustinAbro321](https://redirect.github.com/AustinAbro321) in [https://github.com/zarf-dev/zarf/pull/3011](https://redirect.github.com/zarf-dev/zarf/pull/3011) - refactor: remove by [@​phillebaba](https://redirect.github.com/phillebaba) in [https://github.com/zarf-dev/zarf/pull/3008](https://redirect.github.com/zarf-dev/zarf/pull/3008) - fix: modify the wait condition according to return values from earlier method call by [@​soltysh](https://redirect.github.com/soltysh) in [https://github.com/zarf-dev/zarf/pull/3020](https://redirect.github.com/zarf-dev/zarf/pull/3020) - refactor: packager inspect command by [@​schristoff](https://redirect.github.com/schristoff) in [https://github.com/zarf-dev/zarf/pull/2990](https://redirect.github.com/zarf-dev/zarf/pull/2990) - refactor: update syft to v1 by [@​AustinAbro321](https://redirect.github.com/AustinAbro321) in [https://github.com/zarf-dev/zarf/pull/3021](https://redirect.github.com/zarf-dev/zarf/pull/3021) - chore(deps): bump k8s.io/component-base from 0.30.3 to 0.31.1 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/zarf-dev/zarf/pull/2995](https://redirect.github.com/zarf-dev/zarf/pull/2995) - chore(deps): bump github.com/agnivade/levenshtein from 1.1.1 to 1.2.0 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/zarf-dev/zarf/pull/3027](https://redirect.github.com/zarf-dev/zarf/pull/3027) - chore(deps): bump k8s.io/kubectl from 0.30.3 to 0.31.1 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/zarf-dev/zarf/pull/3028](https://redirect.github.com/zarf-dev/zarf/pull/3028) - chore(deps): bump github/codeql-action from 3.26.8 to 3.26.9 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/zarf-dev/zarf/pull/3025](https://redirect.github.com/zarf-dev/zarf/pull/3025) - fix: nightly by removing logline no longer printed by [@​schristoff](https://redirect.github.com/schristoff) in [https://github.com/zarf-dev/zarf/pull/3038](https://redirect.github.com/zarf-dev/zarf/pull/3038) - feat: pass context to helm install & upgrade by [@​AustinAbro321](https://redirect.github.com/AustinAbro321) in [https://github.com/zarf-dev/zarf/pull/3031](https://redirect.github.com/zarf-dev/zarf/pull/3031) - chore(deps): bump actions/checkout from 4.1.7 to 4.2.0 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/zarf-dev/zarf/pull/3035](https://redirect.github.com/zarf-dev/zarf/pull/3035) - test: fix external git flake by [@​AustinAbro321](https://redirect.github.com/AustinAbro321) in [https://github.com/zarf-dev/zarf/pull/3039](https://redirect.github.com/zarf-dev/zarf/pull/3039) - chore(deps): bump github.com/fluxcd/pkg/apis/meta from 1.5.0 to 1.6.1 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/zarf-dev/zarf/pull/3034](https://redirect.github.com/zarf-dev/zarf/pull/3034) - chore: resolve cosign cves by [@​AustinAbro321](https://redirect.github.com/AustinAbro321) in [https://github.com/zarf-dev/zarf/pull/3029](https://redirect.github.com/zarf-dev/zarf/pull/3029) - fix: nightly ecr test by [@​schristoff](https://redirect.github.com/schristoff) in [https://github.com/zarf-dev/zarf/pull/3041](https://redirect.github.com/zarf-dev/zarf/pull/3041) - chore(deps): bump helm.sh/helm/v3 from 3.15.3 to 3.16.1 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/zarf-dev/zarf/pull/3026](https://redirect.github.com/zarf-dev/zarf/pull/3026) - chore(deps): bump github.com/prometheus/client_golang from 1.18.0 to 1.20.4 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/zarf-dev/zarf/pull/3007](https://redirect.github.com/zarf-dev/zarf/pull/3007) - chore: cleanup errchecking in tests by [@​mkcp](https://redirect.github.com/mkcp) in [https://github.com/zarf-dev/zarf/pull/3040](https://redirect.github.com/zarf-dev/zarf/pull/3040) - chore(deps): bump github.com/gofrs/flock from 0.8.1 to 0.12.1 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/zarf-dev/zarf/pull/3033](https://redirect.github.com/zarf-dev/zarf/pull/3033) - chore(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/hashivault from 1.8.8 to 1.8.9 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/zarf-dev/zarf/pull/3049](https://redirect.github.com/zarf-dev/zarf/pull/3049) - chore(deps): bump github/codeql-action from 3.26.9 to 3.26.10 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/zarf-dev/zarf/pull/3047](https://redirect.github.com/zarf-dev/zarf/pull/3047) - chore(deps): bump github.com/fluxcd/helm-controller/api from 1.0.1 to 1.1.0 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/zarf-dev/zarf/pull/3045](https://redirect.github.com/zarf-dev/zarf/pull/3045) - chore(deps): bump github.com/defenseunicorns/pkg/oci from 1.0.1 to 1.0.2 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/zarf-dev/zarf/pull/3048](https://redirect.github.com/zarf-dev/zarf/pull/3048) - chore(deps): bump github.com/fluxcd/source-controller/api from 1.3.0 to 1.4.1 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/zarf-dev/zarf/pull/3050](https://redirect.github.com/zarf-dev/zarf/pull/3050) - refactor: layout by [@​phillebaba](https://redirect.github.com/phillebaba) in [https://github.com/zarf-dev/zarf/pull/3022](https://redirect.github.com/zarf-dev/zarf/pull/3022) - chore(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/azure from 1.8.8 to 1.8.9 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/zarf-dev/zarf/pull/3057](https://redirect.github.com/zarf-dev/zarf/pull/3057) - chore(deps): bump codecov/codecov-action from 4.5.0 to 4.6.0 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/zarf-dev/zarf/pull/3058](https://redirect.github.com/zarf-dev/zarf/pull/3058) - feat!: remove big bang extension by [@​AustinAbro321](https://redirect.github.com/AustinAbro321) in [https://github.com/zarf-dev/zarf/pull/3059](https://redirect.github.com/zarf-dev/zarf/pull/3059) - chore: directly handle ignored errs and nolint intentionally ignored errs by [@​mkcp](https://redirect.github.com/mkcp) in [https://github.com/zarf-dev/zarf/pull/2993](https://redirect.github.com/zarf-dev/zarf/pull/2993) - chore(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/gcp from 1.8.8 to 1.8.9 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/zarf-dev/zarf/pull/3062](https://redirect.github.com/zarf-dev/zarf/pull/3062) - chore(deps): bump sigs.k8s.io/cli-utils from 0.36.0 to 0.37.2 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/zarf-dev/zarf/pull/3055](https://redirect.github.com/zarf-dev/zarf/pull/3055) - chore: update flux example, tests, and docs to address upstream fix by [@​AustinAbro321](https://redirect.github.com/AustinAbro321) in [https://github.com/zarf-dev/zarf/pull/3052](https://redirect.github.com/zarf-dev/zarf/pull/3052) - chore(deps): bump github.com/distribution/distribution/v3 from 3.0.0-alpha.1 to 3.0.0-beta.1 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/zarf-dev/zarf/pull/3054](https://redirect.github.com/zarf-dev/zarf/pull/3054) - docs: remove docs for deprecated Zarf UI by [@​AustinAbro321](https://redirect.github.com/AustinAbro321) in [https://github.com/zarf-dev/zarf/pull/3060](https://redirect.github.com/zarf-dev/zarf/pull/3060) - feat: add linter (2949) by [@​mkcp](https://redirect.github.com/mkcp) in [https://github.com/zarf-dev/zarf/pull/3053](https://redirect.github.com/zarf-dev/zarf/pull/3053) ##### New Contributors - [@​soltysh](https://redirect.github.com/soltysh) made their first contribution in [https://github.com/zarf-dev/zarf/pull/3020](https://redirect.github.com/zarf-dev/zarf/pull/3020) **Full Changelog**: https://github.com/zarf-dev/zarf/compare/v0.40.1...v0.41.0
--- ### Configuration πŸ“… **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. β™» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. πŸ”• **Ignore**: Close this PR and you won't be reminded about these updates again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/defenseunicorns/uds-core). Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Chance <139784371+UnicornChance@users.noreply.github.com> --- .github/bundles/uds-bundle.yaml | 2 +- bundles/k3d-slim-dev/uds-bundle.yaml | 2 +- bundles/k3d-standard/uds-bundle.yaml | 2 +- tasks/setup.yaml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/bundles/uds-bundle.yaml b/.github/bundles/uds-bundle.yaml index befaa7e67..6791997c1 100644 --- a/.github/bundles/uds-bundle.yaml +++ b/.github/bundles/uds-bundle.yaml @@ -9,7 +9,7 @@ metadata: packages: - name: init repository: ghcr.io/zarf-dev/packages/init - ref: v0.40.1 + ref: v0.41.0 - name: core path: ../../build/ diff --git a/bundles/k3d-slim-dev/uds-bundle.yaml b/bundles/k3d-slim-dev/uds-bundle.yaml index e63b9793d..b655aae92 100644 --- a/bundles/k3d-slim-dev/uds-bundle.yaml +++ b/bundles/k3d-slim-dev/uds-bundle.yaml @@ -29,7 +29,7 @@ packages: - name: init repository: ghcr.io/zarf-dev/packages/init - ref: v0.40.1 + ref: v0.41.0 - name: core-slim-dev path: ../../build/ diff --git a/bundles/k3d-standard/uds-bundle.yaml b/bundles/k3d-standard/uds-bundle.yaml index e4285f58f..9438cf3d4 100644 --- a/bundles/k3d-standard/uds-bundle.yaml +++ b/bundles/k3d-standard/uds-bundle.yaml @@ -29,7 +29,7 @@ packages: - name: init repository: ghcr.io/zarf-dev/packages/init - ref: v0.40.1 + ref: v0.41.0 - name: core path: ../../build/ diff --git a/tasks/setup.yaml b/tasks/setup.yaml index 756d3e354..a1fa3cf56 100644 --- a/tasks/setup.yaml +++ b/tasks/setup.yaml @@ -11,4 +11,4 @@ tasks: - description: "Initialize the cluster with Zarf" # renovate: datasource=github-tags depName=zarf-dev/zarf versioning=semver - cmd: "uds zarf package deploy oci://ghcr.io/zarf-dev/packages/init:v0.40.1 --confirm --no-progress" + cmd: "uds zarf package deploy oci://ghcr.io/zarf-dev/packages/init:v0.41.0 --confirm --no-progress" From 86ffd61c844e5e1656e2c8e1a2b16ae8e6e87915 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Fri, 4 Oct 2024 15:58:04 +0000 Subject: [PATCH 37/90] chore(deps): update pepr to v0.37.2 (#850) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | Type | Update | |---|---|---|---|---|---|---|---| | [pepr](https://redirect.github.com/defenseunicorns/pepr) | [`0.37.1` -> `0.37.2`](https://renovatebot.com/diffs/npm/pepr/0.37.1/0.37.2) | [![age](https://developer.mend.io/api/mc/badges/age/npm/pepr/0.37.2?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/pepr/0.37.2?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/pepr/0.37.1/0.37.2?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/pepr/0.37.1/0.37.2?slim=true)](https://docs.renovatebot.com/merge-confidence/) | dependencies | patch | | [registry1.dso.mil/ironbank/opensource/defenseunicorns/pepr/controller](https://redirect.github.com/defenseunicorns/pepr) ([source](https://repo1.dso.mil/dsop/opensource/defenseunicorns/pepr/controller)) | `v0.37.1` -> `v0.37.2` | [![age](https://developer.mend.io/api/mc/badges/age/docker/registry1.dso.mil%2fironbank%2fopensource%2fdefenseunicorns%2fpepr%2fcontroller/v0.37.2?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/docker/registry1.dso.mil%2fironbank%2fopensource%2fdefenseunicorns%2fpepr%2fcontroller/v0.37.2?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/docker/registry1.dso.mil%2fironbank%2fopensource%2fdefenseunicorns%2fpepr%2fcontroller/v0.37.1/v0.37.2?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/docker/registry1.dso.mil%2fironbank%2fopensource%2fdefenseunicorns%2fpepr%2fcontroller/v0.37.1/v0.37.2?slim=true)](https://docs.renovatebot.com/merge-confidence/) | | patch | --- ### Release Notes
defenseunicorns/pepr (pepr) ### [`v0.37.2`](https://redirect.github.com/defenseunicorns/pepr/releases/tag/v0.37.2) [Compare Source](https://redirect.github.com/defenseunicorns/pepr/compare/v0.37.1...v0.37.2) #### What's Changed - chore: remove deprecated types from k8s.ts by [@​cmwylie19](https://redirect.github.com/cmwylie19) in [https://github.com/defenseunicorns/pepr/pull/1194](https://redirect.github.com/defenseunicorns/pepr/pull/1194) - chore(docs): document new options for `pepr init` by [@​samayer12](https://redirect.github.com/samayer12) in [https://github.com/defenseunicorns/pepr/pull/1199](https://redirect.github.com/defenseunicorns/pepr/pull/1199) - refactor: shouldSkipRequest should give reason for skipping request instead of boolean by [@​btlghrants](https://redirect.github.com/btlghrants) in [https://github.com/defenseunicorns/pepr/pull/1208](https://redirect.github.com/defenseunicorns/pepr/pull/1208) - Revert "chore: remove deprecated types from k8s.ts" - slated for v0.38.0 by [@​cmwylie19](https://redirect.github.com/cmwylie19) in [https://github.com/defenseunicorns/pepr/pull/1211](https://redirect.github.com/defenseunicorns/pepr/pull/1211) - chore: bump codecov/codecov-action from 4.5.0 to 4.6.0 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/defenseunicorns/pepr/pull/1209](https://redirect.github.com/defenseunicorns/pepr/pull/1209) - chore: bump chainguard/node from `bd9ec30` to `8a604e5` by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/defenseunicorns/pepr/pull/1200](https://redirect.github.com/defenseunicorns/pepr/pull/1200) - chore: bump github/codeql-action from 3.26.9 to 3.26.10 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/defenseunicorns/pepr/pull/1201](https://redirect.github.com/defenseunicorns/pepr/pull/1201) - chore: bump chainguard/node from `8a604e5` to `ab523c4` by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/defenseunicorns/pepr/pull/1210](https://redirect.github.com/defenseunicorns/pepr/pull/1210) **Full Changelog**: https://github.com/defenseunicorns/pepr/compare/v0.37.1...v0.37.2
--- ### Configuration πŸ“… **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. β™» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. πŸ”• **Ignore**: Close this PR and you won't be reminded about these updates again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/defenseunicorns/uds-core). Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Chance <139784371+UnicornChance@users.noreply.github.com> --- package-lock.json | 8 ++++---- package.json | 2 +- tasks/create.yaml | 2 +- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/package-lock.json b/package-lock.json index ed8b3eda9..e8666fa31 100644 --- a/package-lock.json +++ b/package-lock.json @@ -8,7 +8,7 @@ "name": "uds-core", "version": "0.5.0", "dependencies": { - "pepr": "0.37.1" + "pepr": "0.37.2" }, "devDependencies": { "@jest/globals": "29.7.0", @@ -6212,9 +6212,9 @@ } }, "node_modules/pepr": { - "version": "0.37.1", - "resolved": "https://registry.npmjs.org/pepr/-/pepr-0.37.1.tgz", - "integrity": "sha512-3Kpw7i11xYgE+AMXVqVo3Kze5M8GZTed8eaKXf43FhbFmRGiPgHxXqIOv2iLDVvpLgcCa8MpP5cj89IBZn10Qw==", + "version": "0.37.2", + "resolved": "https://registry.npmjs.org/pepr/-/pepr-0.37.2.tgz", + "integrity": "sha512-gSZXoeVbkFm9FneiOdhShUeQGHxyA/NBVCNfpQDufnV4/CSJXV5NaGHUntDbub4LsQjon5J4jUEL8KszrfQKuA==", "license": "Apache-2.0", "dependencies": { "@types/ramda": "0.30.2", diff --git a/package.json b/package.json index 3ba912464..5cd3a54b5 100644 --- a/package.json +++ b/package.json @@ -29,7 +29,7 @@ "k3d-setup": "k3d cluster delete pepr-dev && k3d cluster create pepr-dev --k3s-arg '--debug@server:0'" }, "dependencies": { - "pepr": "0.37.1" + "pepr": "0.37.2" }, "devDependencies": { "@jest/globals": "29.7.0", diff --git a/tasks/create.yaml b/tasks/create.yaml index e691cded8..dc375be9b 100644 --- a/tasks/create.yaml +++ b/tasks/create.yaml @@ -7,7 +7,7 @@ variables: - name: REGISTRY1_PEPR_IMAGE # renovate: datasource=docker depName=registry1.dso.mil/ironbank/opensource/defenseunicorns/pepr/controller versioning=semver - default: registry1.dso.mil/ironbank/opensource/defenseunicorns/pepr/controller:v0.37.1 + default: registry1.dso.mil/ironbank/opensource/defenseunicorns/pepr/controller:v0.37.2 tasks: - name: standard-package From 579daac59f83d9a8761ba7263654584d2485b34a Mon Sep 17 00:00:00 2001 From: Rob Ferguson Date: Fri, 4 Oct 2024 15:10:44 -0500 Subject: [PATCH 38/90] feat: add base and identity layers (#853) * Adds UDS Core Base * Adds UDS Core Identity & Authorization Fixes https://github.com/defenseunicorns/uds-core/issues/827 Fixes https://github.com/defenseunicorns/uds-core/issues/828 Fixes https://github.com/defenseunicorns/uds-core/issues/833 - [ ] Bug fix (non-breaking change which fixes an issue) - [ ] New feature (non-breaking change which adds functionality) - [ ] Other (security config, docs update, etc) - [ ] Test, docs, adr added or updated as needed - [ ] [Contributor Guide](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md) followed --------- Co-authored-by: Micah Nagel --- .github/actions/setup/action.yaml | 10 +- .github/filters.yaml | 98 ++----------------- .github/workflows/compliance.yaml | 2 - .github/workflows/publish.yaml | 42 ++++++++ .../workflows/pull-request-conditionals.yaml | 1 - .github/workflows/slim-dev-test.yaml | 4 +- .github/workflows/test.yaml | 8 +- README.md | 10 +- bundles/k3d-slim-dev/uds-bundle.yaml | 9 +- docs/deployment/uds-deploy.md | 6 +- packages/base/README.md | 7 ++ packages/base/tasks.yaml | 9 ++ packages/{slim-dev => base}/zarf.yaml | 11 +-- packages/identity-authorization/README.md | 8 ++ packages/identity-authorization/tasks.yaml | 9 ++ packages/identity-authorization/zarf.yaml | 22 +++++ packages/slim-dev/README.md | 3 - packages/standard/zarf.yaml | 18 ++-- release-please-config.json | 3 +- src/pepr/config.ts | 11 +-- src/pepr/logger.ts | 1 + .../controllers/keycloak/client-sync.ts | 11 --- src/pepr/operator/index.ts | 23 +++++ .../reconcilers/package-reconciler.ts | 25 +++-- src/pepr/uds-operator-config/values.yaml | 1 - src/pepr/zarf.yaml | 4 - src/velero/README.md | 20 +--- tasks.yaml | 49 +++++----- tasks/create.yaml | 42 ++++---- tasks/deploy.yaml | 26 ++--- tasks/publish.yaml | 13 +++ tasks/test.yaml | 33 ++++++- 32 files changed, 287 insertions(+), 252 deletions(-) create mode 100644 packages/base/README.md create mode 100644 packages/base/tasks.yaml rename packages/{slim-dev => base}/zarf.yaml (82%) create mode 100644 packages/identity-authorization/README.md create mode 100644 packages/identity-authorization/tasks.yaml create mode 100644 packages/identity-authorization/zarf.yaml delete mode 100644 packages/slim-dev/README.md diff --git a/.github/actions/setup/action.yaml b/.github/actions/setup/action.yaml index 9c5b5040d..62b2f0d65 100644 --- a/.github/actions/setup/action.yaml +++ b/.github/actions/setup/action.yaml @@ -28,13 +28,11 @@ runs: # renovate: datasource=github-tags depName=k3d-io/k3d versioning=semver run: curl -s https://raw.githubusercontent.com/k3d-io/k3d/main/install.sh | TAG=v5.7.4 bash - - name: Set up Homebrew - uses: Homebrew/actions/setup-homebrew@master - - name: Install UDS CLI - shell: bash - # renovate: datasource=github-tags depName=defenseunicorns/uds-cli versioning=semver - run: brew install defenseunicorns/tap/uds@0.16.0 + uses: defenseunicorns/setup-uds@b987a32bac3baeb67bfb08f5e1544e2f9076ee8a # v1.0.0 + with: + # renovate: datasource=github-tags depName=defenseunicorns/uds-cli versioning=semver + version: v0.16.0 - name: Install Lula uses: defenseunicorns/lula-action/setup@badad8c4b1570095f57e66ffd62664847698a3b9 # v0.0.1 diff --git a/.github/filters.yaml b/.github/filters.yaml index 77ec1bba8..2d06cbf63 100644 --- a/.github/filters.yaml +++ b/.github/filters.yaml @@ -1,98 +1,12 @@ all: - "**" -authservice: - - "src/authservice/**" - - "!**/*.md" - - "!**/*.jpg" - - "!**/*.png" - - "!**/*.gif" - - "!**/*.svg" - -grafana: - - "src/grafana/**" - - "!**/*.md" - - "!**/*.jpg" - - "!**/*.png" - - "!**/*.gif" - - "!**/*.svg" - -istio: +base: + - "packages/base/**" - "src/istio/**" - - "!**/*.md" - - "!**/*.jpg" - - "!**/*.png" - - "!**/*.gif" - - "!**/*.svg" + - "src/pepr/**" -keycloak: +identity-authorization: + - "packages/identity-authorization/**" - "src/keycloak/**" - - "!**/*.md" - - "!**/*.jpg" - - "!**/*.png" - - "!**/*.gif" - - "!**/*.svg" - -kiali: - - "src/kiali/**" - - "!**/*.md" - - "!**/*.jpg" - - "!**/*.png" - - "!**/*.gif" - - "!**/*.svg" - -loki: - - "src/loki/**" - - "!**/*.md" - - "!**/*.jpg" - - "!**/*.png" - - "!**/*.gif" - - "!**/*.svg" - -metrics-server: - - "src/metrics-server/**" - - "!**/*.md" - - "!**/*.jpg" - - "!**/*.png" - - "!**/*.gif" - - "!**/*.svg" - -neuvector: - - "src/neuvector/**" - - "!**/*.md" - - "!**/*.jpg" - - "!**/*.png" - - "!**/*.gif" - - "!**/*.svg" - -prometheus-stack: - - "src/prometheus-stack/**" - - "!**/*.md" - - "!**/*.jpg" - - "!**/*.png" - - "!**/*.gif" - - "!**/*.svg" - -vector: - - "src/vector/**" - - "!**/*.md" - - "!**/*.jpg" - - "!**/*.png" - - "!**/*.gif" - - "!**/*.svg" - -tempo: - - "src/tempo/**" - - "!**/*.md" - - "!**/*.jpg" - - "!**/*.png" - - "!**/*.gif" - - "!**/*.svg" - -velero: - - "src/velero/**" - - "!**/*.md" - - "!**/*.jpg" - - "!**/*.png" - - "!**/*.gif" - - "!**/*.svg" + - "src/authservice/**" diff --git a/.github/workflows/compliance.yaml b/.github/workflows/compliance.yaml index eb4f6598c..c9649a18c 100644 --- a/.github/workflows/compliance.yaml +++ b/.github/workflows/compliance.yaml @@ -25,8 +25,6 @@ jobs: runs-on: ubuntu-latest name: Evaluate continue-on-error: true - # env: - # UDS_PKG: ${{ inputs.package }} steps: # Used to execute the uds run command - name: Checkout repository diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml index 6ed33ecbe..e5d746cf2 100644 --- a/.github/workflows/publish.yaml +++ b/.github/workflows/publish.yaml @@ -87,3 +87,45 @@ jobs: uses: ./.github/actions/save-logs with: suffix: -${{ matrix.flavor }} + + publish-uds-core-layers: + if: ${{ !inputs.snapshot }} + strategy: + matrix: + flavor: [upstream, registry1, unicorn] + layer: [base, identity-authorization] + arch: [amd64, arm64] + exclude: + - flavor: registry1 + arch: arm64 + runs-on: ${{ matrix.arch == 'arm64' && 'uds-ubuntu-arm64-4-core' || 'uds-ubuntu-big-boy-4-core' }} + name: Publish package layers + + permissions: + contents: read + packages: write + id-token: write # This is needed for OIDC federation. + + steps: + - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 + + - name: Environment setup + uses: ./.github/actions/setup + with: + registry1Username: ${{ secrets.IRON_BANK_ROBOT_USERNAME }} + registry1Password: ${{ secrets.IRON_BANK_ROBOT_PASSWORD }} + ghToken: ${{ secrets.GITHUB_TOKEN }} + chainguardIdentity: ${{ secrets.CHAINGUARD_IDENTITY }} + + - name: Test and Publish Core Package Layer + run: uds run -f tasks/publish.yaml single-layer --set FLAVOR=${{ matrix.flavor }} --set LAYER=${{ matrix.layer }} --no-progress + + - name: Debug Output + if: ${{ always() && !inputs.snapshot }} + uses: ./.github/actions/debug-output + + - name: Save logs + if: always() + uses: ./.github/actions/save-logs + with: + suffix: -${{ matrix.flavor }}-${{ matrix.layer }}-${{ matrix.arch }} diff --git a/.github/workflows/pull-request-conditionals.yaml b/.github/workflows/pull-request-conditionals.yaml index c5ccf2adf..cc178e911 100644 --- a/.github/workflows/pull-request-conditionals.yaml +++ b/.github/workflows/pull-request-conditionals.yaml @@ -64,7 +64,6 @@ jobs: uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3 with: filters: .github/filters.yaml - predicate-quantifier: every # This job triggers a separate workflow for each changed source package, if any. run-package-test: diff --git a/.github/workflows/slim-dev-test.yaml b/.github/workflows/slim-dev-test.yaml index a3b09ee32..e6c94746a 100644 --- a/.github/workflows/slim-dev-test.yaml +++ b/.github/workflows/slim-dev-test.yaml @@ -8,9 +8,11 @@ on: paths: - src/pepr/** - src/keycloak/** + - src/authservice/** - src/istio/** - src/prometheus-stack/** - - packages/slim-dev/** + - packages/base/** + - packages/identity-authorization/** - bundles/k3d-slim-dev/** - .github/workflows/slim-dev** - "!**/*.md" diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index a5ed0ce24..abbaa3511 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml @@ -21,7 +21,7 @@ on: inputs: package: type: string - description: "The name of the source package to test" + description: "The name of the core package layer to test" required: true flavor: type: string @@ -43,7 +43,7 @@ jobs: timeout-minutes: 30 name: Test env: - UDS_PKG: ${{ inputs.package }} + UDS_LAYER: ${{ inputs.package }} steps: - name: Checkout repository @@ -57,9 +57,9 @@ jobs: ghToken: ${{ secrets.GITHUB_TOKEN }} chainguardIdentity: ${{ secrets.CHAINGUARD_IDENTITY }} - - name: Test a single source package + - name: Test a single layer package if: ${{ inputs.package != 'all' && inputs.test_type == 'install' }} - run: uds run test-single-package --set FLAVOR=${{ inputs.flavor }} --no-progress + run: uds run test-single-layer --set FLAVOR=${{ inputs.flavor }} --set LAYER=${{ inputs.package }} --no-progress - name: Test UDS Core Install if: ${{ inputs.package == 'all' && inputs.test_type == 'install' }} diff --git a/README.md b/README.md index c139b7387..8bc9719fc 100644 --- a/README.md +++ b/README.md @@ -78,7 +78,7 @@ uds deploy k3d-core-slim-dev:0.28.0 #### Developing UDS Core -UDS Core development leverages the `uds zarf dev deploy` command. For convenience, a UDS Task is provided to setup the environment. You'll need to have [NodeJS](https://nodejs.org/en/download/) 20 or later installed to continue. Here's an example of a flow developing the [metrics-server package](./src/metrics-server/README.md): +UDS Core development leverages the `uds zarf dev deploy` command. For convenience, a UDS Task is provided to setup the environment. You'll need to have [NodeJS](https://nodejs.org/en/download/) 20 or later installed to continue. Here's an example of a flow developing the [identity-authorization layer](./package/identity-authorization/README.md): ```bash # Create the dev environment @@ -90,8 +90,8 @@ npx pepr dev # If not developing the Pepr module (can be run multiple times): npx pepr deploy -# Deploy the package (can be run multiple times) -uds run dev-deploy --set PKG=metrics-server +# Deploy the layer (can be run multiple times) +uds run dev-deploy --set LAYER=identity-authorization ``` #### Testing UDS Core @@ -102,10 +102,10 @@ You can perform a complete test of UDS Core by running the following command: uds run test-uds-core ``` -This will create a local k3d cluster, install UDS Core, and run a series of tests against it, the same tests that are run in CI. If you want to run the tests against a specific package, you can use the `PKG` env variable. The following example runs the tests against the metrics-server package: +This will create a local k3d cluster, install UDS Core, and run a series of tests against it, the same tests that are run in CI. If you want to run the tests against a specific core layer, you can use the `LAYER` task variable. The following example runs the tests against the identity-authorization layer: ```bash -UDS_PKG=metrics-server uds run test-single-package +uds run test-single-layer --set LAYER=identity-authorization ``` Note you can specify the `--set FLAVOR=registry1` flag to test using Iron Bank images instead of the upstream images. diff --git a/bundles/k3d-slim-dev/uds-bundle.yaml b/bundles/k3d-slim-dev/uds-bundle.yaml index b655aae92..5799c7da2 100644 --- a/bundles/k3d-slim-dev/uds-bundle.yaml +++ b/bundles/k3d-slim-dev/uds-bundle.yaml @@ -31,7 +31,7 @@ packages: repository: ghcr.io/zarf-dev/packages/init ref: v0.41.0 - - name: core-slim-dev + - name: core-base path: ../../build/ # x-release-please-start-version ref: 0.28.0 @@ -66,6 +66,13 @@ packages: - name: TENANT_SERVICE_PORTS description: "The ports that are exposed from the tenant gateway LoadBalancer (useful for non-HTTP(S) traffic)" path: "service.ports" + + - name: core-identity-authorization + path: ../../build/ + # x-release-please-start-version + ref: 0.28.0 + # x-release-please-end + overrides: keycloak: keycloak: variables: diff --git a/docs/deployment/uds-deploy.md b/docs/deployment/uds-deploy.md index 97455a7c8..90b05291e 100644 --- a/docs/deployment/uds-deploy.md +++ b/docs/deployment/uds-deploy.md @@ -110,12 +110,10 @@ You can perform a complete test of UDS Core by running the following command: uds run test-uds-core ``` -This command initiates the creation of a local k3d cluster, installs UDS Core, and executes a set of tests identical to those performed in CI. If you wish to run tests targeting a specific package, you can utilize the `PKG` environment variable. - -The example below runs tests against the metrics-server package: +This will create a local k3d cluster, install UDS Core, and run a series of tests against it, the same tests that are run in CI. If you want to run the tests against a specific core layer, you can use the `LAYER` task variable. The following example runs the tests against the identity-authorization layer: ```cli -UDS_PKG=metrics-server uds run test-single-package +uds run test-single-layer --set LAYER=identity-authorization ``` {{% alert-note %}} diff --git a/packages/base/README.md b/packages/base/README.md new file mode 100644 index 000000000..d2c54c234 --- /dev/null +++ b/packages/base/README.md @@ -0,0 +1,7 @@ +# UDS Core Base + +This is the base layer of UDS Core required if deploying any other layers. Currently it includes the application(s): +- Istio (and gateways) +- UDS Operator and Policies (Pepr) + +As this is the base layer it can be deployed standalone for minimal functionality. diff --git a/packages/base/tasks.yaml b/packages/base/tasks.yaml new file mode 100644 index 000000000..1742dcbcf --- /dev/null +++ b/packages/base/tasks.yaml @@ -0,0 +1,9 @@ +includes: + - istio: ../../src/istio/tasks.yaml + - pepr: ../../src/pepr/tasks.yaml + +tasks: + - name: validate + actions: + - task: istio:validate + - task: pepr:validate diff --git a/packages/slim-dev/zarf.yaml b/packages/base/zarf.yaml similarity index 82% rename from packages/slim-dev/zarf.yaml rename to packages/base/zarf.yaml index 7a7de7a31..f5a8bbb81 100644 --- a/packages/slim-dev/zarf.yaml +++ b/packages/base/zarf.yaml @@ -1,11 +1,12 @@ kind: ZarfPackageConfig metadata: - name: core-slim-dev - description: "UDS Core (Istio, UDS Operator and Keycloak)" + name: core-base + description: "UDS Core (Base)" authors: "Defense Unicorns - Product" # x-release-please-start-version version: "0.28.0" # x-release-please-end + x-uds-dependencies: [] components: - name: uds-operator-config @@ -45,9 +46,3 @@ components: required: true import: path: ../../src/pepr - - # Keycloak - - name: keycloak - required: true - import: - path: ../../src/keycloak diff --git a/packages/identity-authorization/README.md b/packages/identity-authorization/README.md new file mode 100644 index 000000000..ccbeaca1a --- /dev/null +++ b/packages/identity-authorization/README.md @@ -0,0 +1,8 @@ +# UDS Core Identity & Authorization + +This layer of UDS Core provides identity management and authorization capabilities. Currently it includes the application(s): +- Keycloak (with custom plugin and realm) +- AuthService + +To deploy this layer you must also deploy its dependent layer(s): +- Base diff --git a/packages/identity-authorization/tasks.yaml b/packages/identity-authorization/tasks.yaml new file mode 100644 index 000000000..1f1b92c3c --- /dev/null +++ b/packages/identity-authorization/tasks.yaml @@ -0,0 +1,9 @@ +includes: + - keycloak: ../../src/keycloak/tasks.yaml + - authservice: ../../src/authservice/tasks.yaml + +tasks: + - name: validate + actions: + - task: keycloak:validate + - task: authservice:validate diff --git a/packages/identity-authorization/zarf.yaml b/packages/identity-authorization/zarf.yaml new file mode 100644 index 000000000..cadaad6e9 --- /dev/null +++ b/packages/identity-authorization/zarf.yaml @@ -0,0 +1,22 @@ +kind: ZarfPackageConfig +metadata: + name: core-identity-authorization + description: "UDS Core (Identity & Authorization)" + authors: "Defense Unicorns - Product" + # x-release-please-start-version + version: "0.28.0" + # x-release-please-end + x-uds-dependencies: ["base"] + +components: + # Keycloak + - name: keycloak + required: true + import: + path: ../../src/keycloak + + # Authservice + - name: authservice + required: true + import: + path: ../../src/authservice diff --git a/packages/slim-dev/README.md b/packages/slim-dev/README.md deleted file mode 100644 index 1e3b1dce6..000000000 --- a/packages/slim-dev/README.md +++ /dev/null @@ -1,3 +0,0 @@ -# UDS Core Slim Dev - -This is a special modified version of UDS Core that only includes the components needed to run Istio, UDS Operator and Keycloak. diff --git a/packages/standard/zarf.yaml b/packages/standard/zarf.yaml index ef5ff903b..b021aeabd 100644 --- a/packages/standard/zarf.yaml +++ b/packages/standard/zarf.yaml @@ -11,40 +11,40 @@ components: - name: uds-operator-config required: true import: - path: ../../src/pepr + path: ../base # CRDs - name: prometheus-operator-crds required: true import: - path: ../../src/prometheus-stack + path: ../base # Istio - name: istio-controlplane required: true import: - path: ../../src/istio + path: ../base - name: istio-admin-gateway required: true import: - path: ../../src/istio + path: ../base - name: istio-tenant-gateway required: true import: - path: ../../src/istio + path: ../base - name: istio-passthrough-gateway required: false import: - path: ../../src/istio + path: ../base # Pepr the world - name: pepr-uds-core required: true import: - path: ../../src/pepr + path: ../base # Metrics Server - name: metrics-server @@ -56,7 +56,7 @@ components: - name: keycloak required: true import: - path: ../../src/keycloak + path: ../identity-authorization # Neuvector - name: neuvector @@ -92,7 +92,7 @@ components: - name: authservice required: true import: - path: ../../src/authservice + path: ../identity-authorization # UDS Runtime - name: uds-runtime diff --git a/release-please-config.json b/release-please-config.json index 55d182d93..5774f9aca 100644 --- a/release-please-config.json +++ b/release-please-config.json @@ -14,7 +14,8 @@ "extra-files": [ ".github/bundles/uds-bundle.yaml", "README.md", - "packages/slim-dev/zarf.yaml", + "packages/base/zarf.yaml", + "packages/identity-authorization/zarf.yaml", "packages/standard/zarf.yaml", "bundles/k3d-slim-dev/uds-bundle.yaml", "bundles/k3d-standard/uds-bundle.yaml", diff --git a/src/pepr/config.ts b/src/pepr/config.ts index 183f504d9..749a730fc 100644 --- a/src/pepr/config.ts +++ b/src/pepr/config.ts @@ -20,21 +20,16 @@ export const UDSConfig = { domain, // Base64 Encoded Trusted CA cert for Istio certificates (i.e. for `sso.domain`) caCert, - // Track if we are running a single test mode - isSingleTest: process.env.UDS_SINGLE_TEST === "true", // Allow UDS policy exemptions to be used in any namespace allowAllNSExemptions: process.env.UDS_ALLOW_ALL_NS_EXEMPTIONS === "true", // Redis URI for Authservice authserviceRedisUri, + + // Track if UDS Core identity-authorization layer is deployed + isIdentityDeployed: false, }; // configure subproject logger const log = setupLogger(Component.CONFIG); log.info(UDSConfig, "Loaded UDS Config"); - -if (UDSConfig.isSingleTest) { - log.warn( - "Running in single test mode, this will change the behavior of the operator and should only be used for UDS Core development testing.", - ); -} diff --git a/src/pepr/logger.ts b/src/pepr/logger.ts index 8f505faed..b40eccb4a 100644 --- a/src/pepr/logger.ts +++ b/src/pepr/logger.ts @@ -4,6 +4,7 @@ export enum Component { STARTUP = "startup", CONFIG = "config", ISTIO = "istio", + OPERATOR = "operator", OPERATOR_EXEMPTIONS = "operator.exemptions", OPERATOR_ISTIO = "operator.istio", OPERATOR_KEYCLOAK = "operator.keycloak", diff --git a/src/pepr/operator/controllers/keycloak/client-sync.ts b/src/pepr/operator/controllers/keycloak/client-sync.ts index 3aa891554..b65db3327 100644 --- a/src/pepr/operator/controllers/keycloak/client-sync.ts +++ b/src/pepr/operator/controllers/keycloak/client-sync.ts @@ -1,6 +1,5 @@ import { fetch, K8s, kind } from "pepr"; -import { UDSConfig } from "../../../config"; import { Component, setupLogger } from "../../../logger"; import { Store } from "../../common"; import { Sso, UDSPackage } from "../../crd"; @@ -209,16 +208,6 @@ async function syncClient( } async function apiCall(client: Partial, method = "POST", authToken = "") { - // Handle single test mode - if (UDSConfig.isSingleTest) { - log.warn(`Generating fake client for '${client.clientId}' in single test mode`); - return { - ...client, - secret: client.secret || "fake-secret", - registrationAccessToken: "fake-registration-access-token", - } as Client; - } - const req = { body: JSON.stringify(client) as string | undefined, method, diff --git a/src/pepr/operator/index.ts b/src/pepr/operator/index.ts index 81dfd4ef1..cffef0c71 100644 --- a/src/pepr/operator/index.ts +++ b/src/pepr/operator/index.ts @@ -16,6 +16,8 @@ import { UDSExemption, UDSPackage } from "./crd"; import { validator } from "./crd/validators/package-validator"; // Reconciler imports +import { UDSConfig } from "../config"; +import { Component, setupLogger } from "../logger"; import { purgeAuthserviceClients } from "./controllers/keycloak/authservice/authservice"; import { exemptValidator } from "./crd/validators/exempt-validator"; import { packageReconciler } from "./reconcilers/package-reconciler"; @@ -26,6 +28,8 @@ import { copySecret, labelCopySecret } from "./secrets"; // Export the operator capability for registration in the root pepr.ts export { operator } from "./common"; +const log = setupLogger(Component.OPERATOR); + // Pre-populate the API server CIDR since we are not persisting the EndpointSlice // Note ignore any errors since the watch will still be running hereafter void initAPIServerCIDR(); @@ -72,3 +76,22 @@ When(a.Secret) .IsCreatedOrUpdated() .WithLabel(labelCopySecret) .Mutate(request => copySecret(request)); + +// Watch for Functional Layers and update config +When(UDSPackage) + .IsCreatedOrUpdated() + .InNamespace("keycloak") + .WithName("keycloak") + .Watch(() => { + // todo: wait for keycloak and authservice to be running? + log.info("Identity and Authorization layer deployed, operator configured to handle SSO."); + UDSConfig.isIdentityDeployed = true; + }); +When(UDSPackage) + .IsDeleted() + .InNamespace("keycloak") + .WithName("keycloak") + .Watch(() => { + log.info("Identity and Authorization layer removed, operator will NOT handle SSO."); + UDSConfig.isIdentityDeployed = false; + }); diff --git a/src/pepr/operator/reconcilers/package-reconciler.ts b/src/pepr/operator/reconcilers/package-reconciler.ts index 568f71afa..42669d7f2 100644 --- a/src/pepr/operator/reconcilers/package-reconciler.ts +++ b/src/pepr/operator/reconcilers/package-reconciler.ts @@ -5,6 +5,7 @@ import { enableInjection } from "../controllers/istio/injection"; import { istioResources } from "../controllers/istio/istio-resources"; import { authservice } from "../controllers/keycloak/authservice/authservice"; import { keycloak } from "../controllers/keycloak/client-sync"; +import { Client } from "../controllers/keycloak/types"; import { podMonitor } from "../controllers/monitoring/pod-monitor"; import { serviceMonitor } from "../controllers/monitoring/service-monitor"; import { networkPolicies } from "../controllers/network/policies"; @@ -65,21 +66,27 @@ export async function packageReconciler(pkg: UDSPackage) { // Update the namespace to ensure the istio-injection label is set await enableInjection(pkg); - // Configure SSO - const ssoClients = await keycloak(pkg); - const authserviceClients = await authservice(pkg, ssoClients); + let ssoClients = new Map(); + let authserviceClients: string[] = []; + + if (UDSConfig.isIdentityDeployed) { + // Configure SSO + ssoClients = await keycloak(pkg); + authserviceClients = await authservice(pkg, ssoClients); + } else if (pkg.spec?.sso) { + log.error("Identity & Authorization is not deployed, but the package has SSO configuration"); + throw new Error( + "Identity & Authorization is not deployed, but the package has SSO configuration", + ); + } // Create the VirtualService and ServiceEntry for each exposed service endpoints = await istioResources(pkg, namespace!); // Only configure the ServiceMonitors if not running in single test mode const monitors: string[] = []; - if (!UDSConfig.isSingleTest) { - monitors.push(...(await podMonitor(pkg, namespace!))); - monitors.push(...(await serviceMonitor(pkg, namespace!))); - } else { - log.warn(`Running in single test mode, skipping ${name} Monitors.`); - } + monitors.push(...(await podMonitor(pkg, namespace!))); + monitors.push(...(await serviceMonitor(pkg, namespace!))); await updateStatus(pkg, { phase: Phase.Ready, diff --git a/src/pepr/uds-operator-config/values.yaml b/src/pepr/uds-operator-config/values.yaml index 876c335e9..5c5916211 100644 --- a/src/pepr/uds-operator-config/values.yaml +++ b/src/pepr/uds-operator-config/values.yaml @@ -2,7 +2,6 @@ operator: UDS_DOMAIN: "###ZARF_VAR_DOMAIN###" UDS_CA_CERT: "###ZARF_VAR_CA_CERT###" UDS_ALLOW_ALL_NS_EXEMPTIONS: "###ZARF_VAR_ALLOW_ALL_NS_EXEMPTIONS###" - UDS_SINGLE_TEST: "###ZARF_VAR_UDS_SINGLE_TEST###" UDS_LOG_LEVEL: "###ZARF_VAR_UDS_LOG_LEVEL###" AUTHSERVICE_REDIS_URI: "###ZARF_VAR_AUTHSERVICE_REDIS_URI###" # Allow Pepr watch to be configurable to react to dropped connections faster diff --git a/src/pepr/zarf.yaml b/src/pepr/zarf.yaml index 904045a19..f5f2af6a4 100644 --- a/src/pepr/zarf.yaml +++ b/src/pepr/zarf.yaml @@ -21,10 +21,6 @@ variables: description: "UDS Authservice Redis URI" default: "" - - name: UDS_SINGLE_TEST - description: "UDS Single package test" - default: "" - - name: PEPR_SERVICE_MONITORS description: "Enables Service Monitors for Pepr services (watcher, admission)" default: "true" diff --git a/src/velero/README.md b/src/velero/README.md index 534761d6a..5d9c08e19 100644 --- a/src/velero/README.md +++ b/src/velero/README.md @@ -75,28 +75,14 @@ This package currently assumes the availability of S3 API compatible object stor ## Deploy -### Build and Deploy Everything locally via UDS tasks +### Build Deploy, and Test locally via UDS tasks -```bash -# build the bundle for testing -UDS_PKG=velero uds run create-single-package - -# setup a k3d test env -uds run setup-test-cluster - -# deploy the bundle -UDS_PKG=velero uds run deploy-single-package -``` - -### Test the package via UDS tasks -Running the following will check that the velero deployment exists in the cluster and attempt to execute a backup: +Velero is included in the backup-restore functional layer (WIP). This layer can be created, deployed, and tested with a single UDS run command: ```bash -uds run -f src/velero/tasks.yaml validate +uds run test-single-layer --set LAYER=backup-restore ``` -> Alternatively, you can combine package creation, cluster setup, package deploy and the test command with a simple `UDS_PKG=velero uds run test-single-package` - ## Manually trigger the default backup for testing purposes ```bash diff --git a/tasks.yaml b/tasks.yaml index 2345c6007..c7fec109d 100644 --- a/tasks.yaml +++ b/tasks.yaml @@ -2,7 +2,7 @@ variables: - name: FLAVOR default: upstream - - name: PKG + - name: LAYER includes: - create: ./tasks/create.yaml @@ -12,7 +12,6 @@ includes: - lint: ./tasks/lint.yaml tasks: - - name: default actions: - description: "Build, deploy and test UDS Core" @@ -24,12 +23,17 @@ tasks: - description: "Create the dev cluster" task: setup:create-k3d-cluster +<<<<<<< HEAD # Workaround for https://github.com/zarf-dev/zarf/issues/2713 - description: "Modify Istio values w/ upstream registry" cmd: "uds zarf tools yq -i '.global.proxy_init.image |= sub(\"###ZARF_REGISTRY###\", \"docker.io\") | .global.proxy.image |= sub(\"###ZARF_REGISTRY###\", \"docker.io\")' src/istio/values/upstream-values.yaml" +======= + # Note: This currently is broken until https://github.com/zarf-dev/zarf/issues/2713 is resolved + # As a workaround you can edit the `src/istio/values/upstream-values.yaml` file to change ###ZARF_REGISTRY### to docker.io before running +>>>>>>> b3f532a (feat: add base and identity layers (#853)) - description: "Deploy the Istio source package with Zarf Dev" - cmd: "uds zarf dev deploy src/istio --flavor ${FLAVOR} --no-progress" + cmd: "uds zarf dev deploy src/istio --flavor upstream --no-progress" - description: "Restore Istio registry values" cmd: "uds zarf tools yq -i '.global.proxy_init.image |= sub(\"docker.io\", \"###ZARF_REGISTRY###\") | .global.proxy.image |= sub(\"docker.io\", \"###ZARF_REGISTRY###\")' src/istio/values/upstream-values.yaml" @@ -47,8 +51,15 @@ tasks: - name: slim-dev actions: - - description: "Create slim dev package" - task: create:slim-dev-package + - description: "Create base package" + task: create:single-layer + with: + layer: base + + - description: "Create identity-authorization package" + task: create:single-layer + with: + layer: identity-authorization - description: "Build slim dev bundle" task: create:k3d-slim-dev-bundle @@ -64,46 +75,34 @@ tasks: - description: "Deploy Pepr" cmd: "npx pepr deploy --confirm" - - description: "Deploy Keycloak" - cmd: "uds run dev-deploy --set PKG=keycloak" - - - description: "Deploy Authservice" - cmd: "uds run dev-deploy --set PKG=authservice" + - description: "Deploy Keycloak + Authservice" + cmd: "uds run dev-deploy --set LAYER=identity-authorization --no-progress" - name: dev-deploy - description: "Deploy the given source package with Zarf Dev" + description: "Deploy the given core layer with Zarf Dev" actions: - - cmd: "uds zarf dev deploy src/${PKG} --flavor ${FLAVOR}" + - cmd: "uds zarf dev deploy packages/${LAYER} --flavor ${FLAVOR} --no-progress" - name: setup-cluster description: "Create a k3d Cluster and Initialize with Zarf" actions: - task: setup:k3d-test-cluster - - name: create-single-package - description: "Create a single Zarf Package, must set UDS_PKG environment variable" - actions: - - task: create:single-package - - name: create-standard-package description: "Create UDS Core Zarf Package, `upstream` flavor default, use --set FLAVOR={flavor} to change" actions: - task: create:standard-package - - name: deploy-single-package - description: "Deploy Pepr Module and a Zarf Package using UDS_PKG environment variable" + - name: test-single-layer + description: "Deploys k3d cluster, layer dependencies and the provided layer (based on LAYER variable)" actions: - - task: deploy:single-package + - task: test:layer-dependencies + - task: test:single-layer - name: deploy-standard-bundle actions: - task: deploy:k3d-standard-bundle - - name: test-single-package - description: "Build and test a single package, must set UDS_PKG environment variable" - actions: - - task: test:single-package - - name: test-uds-core description: "Build and test UDS Core" actions: diff --git a/tasks/create.yaml b/tasks/create.yaml index dc375be9b..c6d8b26a4 100644 --- a/tasks/create.yaml +++ b/tasks/create.yaml @@ -9,6 +9,8 @@ variables: # renovate: datasource=docker depName=registry1.dso.mil/ironbank/opensource/defenseunicorns/pepr/controller versioning=semver default: registry1.dso.mil/ironbank/opensource/defenseunicorns/pepr/controller:v0.37.2 + - name: LAYER + tasks: - name: standard-package description: "Create the UDS Core Zarf Package" @@ -24,36 +26,28 @@ tasks: - description: "Create the UDS Core Standard Bundle" cmd: "uds create bundles/k3d-standard --confirm --no-progress --architecture=${ZARF_ARCHITECTURE}" - - name: slim-dev-package - description: "Create the UDS Core (Istio Only) Zarf Package" - actions: - - task: pepr-build - - - description: "Create the UDS Core Istio Zarf Package" - cmd: "uds zarf package create packages/slim-dev --confirm --no-progress --flavor ${FLAVOR}" - - name: k3d-slim-dev-bundle - description: "Create the K3d-UDS Core (Istio and Keycloak Only) Bundle" + description: "Create the slim dev bundle (Base and Identity)" actions: - - description: "Create the UDS Core Istio and Keycloak Only Bundle" + - description: "Create the slim dev bundle (Base and Identity)" cmd: "uds create bundles/k3d-slim-dev --confirm --no-progress --architecture=${ZARF_ARCHITECTURE}" - - name: single-package - description: "Create a single Zarf Package, must set UDS_PKG environment variable" + # This task is a wrapper to support --set LAYER=identity-authorization + - name: single-layer-callable actions: - - task: pepr-build + - task: single-layer + with: + layer: $LAYER - - description: "Create the Pepr Zarf Package, if it exists" - cmd: "uds zarf package create src/pepr --confirm --no-progress" - - - description: "Create the requested Zarf Package (must set UDS_PKG environment variable)" - cmd: "uds zarf package create src/${UDS_PKG} --confirm --no-progress --flavor ${FLAVOR}" - - - description: "Create the Istio Zarf Package, if UDS_PKG != istio" - cmd: | - if [ "${UDS_PKG}" != "istio" ]; then - uds zarf package create src/istio --confirm --no-progress --flavor ${FLAVOR} - fi + - name: single-layer + inputs: + layer: + default: base + description: The UDS Core layer to build + actions: + - task: pepr-build + if: ${{ eq .inputs.layer "base"}} + - cmd: uds zarf package create packages/${{ index .inputs "layer" }} --confirm --no-progress --flavor ${FLAVOR} - name: pepr-build description: "Build the UDS Core Pepr Module" diff --git a/tasks/deploy.yaml b/tasks/deploy.yaml index 0d1ff8a88..08c15b655 100644 --- a/tasks/deploy.yaml +++ b/tasks/deploy.yaml @@ -28,18 +28,22 @@ tasks: - description: "Deploy the UDS Core Slim Dev Only Bundle" cmd: uds deploy bundles/k3d-slim-dev/uds-bundle-k3d-core-slim-dev-${UDS_ARCH}-${VERSION}.tar.zst --confirm --no-progress - - name: single-package + # This task is a wrapper to support --set LAYER=identity-authorization + - name: single-layer-callable actions: - - description: "Deploy the Istio package, if UDS_PKG != istio" - cmd: | - if [ "${UDS_PKG}" != "istio" ]; then - uds zarf package deploy build/zarf-package-uds-core-istio-${UDS_ARCH}.tar.zst --confirm --no-progress --components '*' - fi - - description: "Deploy the Pepr Module" - cmd: | - uds zarf package deploy build/zarf-package-pepr-uds-core-${UDS_ARCH}.tar.zst --confirm --no-progress --set UDS_SINGLE_TEST=true --set PEPR_SERVICE_MONITORS=false - - description: "Deploy the requested Zarf Package (must set UDS_PKG environment variable)" - cmd: uds zarf package deploy build/zarf-package-uds-core-${UDS_PKG}-${UDS_ARCH}.tar.zst --confirm --no-progress --components '*' + - task: single-layer + with: + layer: $LAYER + + - name: single-layer + description: "Deploy a single UDS Core layer, must set UDS_LAYER environment variable" + inputs: + layer: + default: base + description: The UDS Core layer to deploy + actions: + - description: "Deploy a single UDS Core Layer (must set UDS_LAYER environment variable)" + cmd: uds zarf package deploy build/zarf-package-core-${{ index .inputs "layer" }}-${UDS_ARCH}-${VERSION}.tar.zst --confirm --no-progress --components '*' - name: latest-package-release actions: diff --git a/tasks/publish.yaml b/tasks/publish.yaml index 30e70f557..b9d14f208 100644 --- a/tasks/publish.yaml +++ b/tasks/publish.yaml @@ -1,5 +1,7 @@ includes: - utils: utils.yaml + - test: test.yaml + - setup: setup.yaml variables: - name: FLAVOR @@ -11,6 +13,8 @@ variables: default: "0.28.0" # x-release-please-end + - name: LAYER + tasks: - name: standard-package description: "Publish the UDS package" @@ -52,3 +56,12 @@ tasks: uds zarf tools registry copy ${pkgPath}:${VERSION} ${pkgPath}:latest pkgPath="${TARGET_REPO}/bundles/k3d-core-slim-dev" uds zarf tools registry copy ${pkgPath}:${VERSION} ${pkgPath}:latest + + - name: single-layer + description: "Test and Publish UDS Core layer" + actions: + - task: test:layer-dependencies + - task: test:single-layer + - task: utils:determine-repo + - description: "Publish build of layer" + cmd: uds zarf package publish build/zarf-package-core-${LAYER}-${UDS_ARCH}-${VERSION}.tar.zst oci://${TARGET_REPO} diff --git a/tasks/test.yaml b/tasks/test.yaml index 185408e5a..ec52fb248 100644 --- a/tasks/test.yaml +++ b/tasks/test.yaml @@ -3,17 +3,40 @@ includes: - setup: ./setup.yaml - deploy: ./deploy.yaml - compliance: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.13.1/tasks/compliance.yaml + - base-layer: ../packages/base/tasks.yaml tasks: - - name: single-package - description: "Build and test a single package, must set UDS_PKG environment variable" + - name: base + description: "Build and test the base layer" actions: - - task: create:single-package + - task: create:pepr-build - task: setup:k3d-test-cluster - - task: deploy:single-package + - cmd: uds run -f tasks/test.yaml single-layer --set FLAVOR=${FLAVOR} --set=layer=base + - name: single-layer + description: "Build and test a single layer, must set UDS_LAYER environment variable" + actions: + - task: create:single-layer + with: + layer: ${LAYER} + - task: deploy:single-layer + with: + layer: ${LAYER} - description: "Validate the package" - cmd: uds run -f src/${UDS_PKG}/tasks.yaml validate --no-progress + cmd: uds run -f packages/${LAYER}/tasks.yaml validate --no-progress + + - name: layer-dependencies + description: "Sets up a k3d cluster and deploys dependencies for the given layer" + actions: + - task: setup:k3d-test-cluster + - cmd: uds zarf tools yq '.metadata.x-uds-dependencies.[]' packages/${LAYER}/zarf.yaml 2>/dev/null + mute: true + setVariables: + - name: LAYER_DEPS + - cmd: | + for dep in $LAYER_DEPS; do + uds run -f tasks/test.yaml single-layer --set LAYER=$dep --set FLAVOR=${FLAVOR} --no-progress + done - name: validate-packages description: "Validated all packages" From 98f90279e04b78a7f8df34d9391b169b3e4c4d20 Mon Sep 17 00:00:00 2001 From: Chance <139784371+UnicornChance@users.noreply.github.com> Date: Fri, 4 Oct 2024 16:45:20 -0600 Subject: [PATCH 39/90] feat: backup and restore layer, ui layer, runtime security layer (#862) ## Description Setup the following layers: 1. Backup and Restore Layer (Velero) 2. UI layer (Runtime) 3. Runtime Security (Neuvector) ## Related Issue Fixes #854 Fixes #832 Fixes #831 ## Type of change - [ ] Bug fix (non-breaking change which fixes an issue) - [x] New feature (non-breaking change which adds functionality) - [ ] Other (security config, docs update, etc) ## Checklist before merging - [x] Test, docs, adr added or updated as needed - [x] [Contributor Guide](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md) followed --- .github/filters.yaml | 12 ++++++++++++ .github/workflows/publish.yaml | 2 +- packages/backup-restore/README.md | 7 +++++++ packages/backup-restore/tasks.yaml | 7 +++++++ packages/backup-restore/zarf.yaml | 16 ++++++++++++++++ packages/runtime-security/README.md | 8 ++++++++ packages/runtime-security/tasks.yaml | 7 +++++++ packages/runtime-security/zarf.yaml | 16 ++++++++++++++++ packages/standard/zarf.yaml | 6 +++--- packages/ui/README.md | 8 ++++++++ packages/ui/tasks.yaml | 7 +++++++ packages/ui/zarf.yaml | 16 ++++++++++++++++ release-please-config.json | 3 +++ src/neuvector/zarf.yaml | 5 +++++ src/runtime/zarf.yaml | 5 +++++ 15 files changed, 121 insertions(+), 4 deletions(-) create mode 100644 packages/backup-restore/README.md create mode 100644 packages/backup-restore/tasks.yaml create mode 100644 packages/backup-restore/zarf.yaml create mode 100644 packages/runtime-security/README.md create mode 100644 packages/runtime-security/tasks.yaml create mode 100644 packages/runtime-security/zarf.yaml create mode 100644 packages/ui/README.md create mode 100644 packages/ui/tasks.yaml create mode 100644 packages/ui/zarf.yaml diff --git a/.github/filters.yaml b/.github/filters.yaml index 2d06cbf63..a51979f7c 100644 --- a/.github/filters.yaml +++ b/.github/filters.yaml @@ -10,3 +10,15 @@ identity-authorization: - "packages/identity-authorization/**" - "src/keycloak/**" - "src/authservice/**" + +ui: + - "packages/ui/**" + - "src/runtime/**" + +runtime-security: + - "packages/runtime-security/**" + - "src/neuvector/**" + +backup-restore: + - "packages/backup-restore/**" + - "src/velero/**" diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml index e5d746cf2..9e0ec0450 100644 --- a/.github/workflows/publish.yaml +++ b/.github/workflows/publish.yaml @@ -93,7 +93,7 @@ jobs: strategy: matrix: flavor: [upstream, registry1, unicorn] - layer: [base, identity-authorization] + layer: [base, identity-authorization, ui, runtime-security, backup-restore] arch: [amd64, arm64] exclude: - flavor: registry1 diff --git a/packages/backup-restore/README.md b/packages/backup-restore/README.md new file mode 100644 index 000000000..7f980a1f3 --- /dev/null +++ b/packages/backup-restore/README.md @@ -0,0 +1,7 @@ +# UDS Core Backup & Restore + +This layer of UDS Core provides backup and restore capabilities. Currently it includes the application(s): +- Velero + +To deploy this layer you must also deploy its dependent layer(s): +- Base \ No newline at end of file diff --git a/packages/backup-restore/tasks.yaml b/packages/backup-restore/tasks.yaml new file mode 100644 index 000000000..7e272b18d --- /dev/null +++ b/packages/backup-restore/tasks.yaml @@ -0,0 +1,7 @@ +includes: + - velero: ../../src/velero/tasks.yaml + +tasks: + - name: validate + actions: + - task: velero:validate diff --git a/packages/backup-restore/zarf.yaml b/packages/backup-restore/zarf.yaml new file mode 100644 index 000000000..11db4520a --- /dev/null +++ b/packages/backup-restore/zarf.yaml @@ -0,0 +1,16 @@ +kind: ZarfPackageConfig +metadata: + name: core-backup-restore + description: "UDS Core (Backup and Restore)" + authors: "Defense Unicorns - Product" + # x-release-please-start-version + version: "0.28.0" + # x-release-please-end + x-uds-dependencies: ["base"] + +components: + # Velero + - name: velero + required: true + import: + path: ../../src/velero diff --git a/packages/runtime-security/README.md b/packages/runtime-security/README.md new file mode 100644 index 000000000..824b92632 --- /dev/null +++ b/packages/runtime-security/README.md @@ -0,0 +1,8 @@ +# UDS Core Runtime Security + +This layer of UDS Core provides Runtime Security capabilities. Currently it includes the application(s): +- neuvector + +To deploy this layer you must also deploy its dependent layer(s): +- base +- identity-authorization \ No newline at end of file diff --git a/packages/runtime-security/tasks.yaml b/packages/runtime-security/tasks.yaml new file mode 100644 index 000000000..60f0dba5f --- /dev/null +++ b/packages/runtime-security/tasks.yaml @@ -0,0 +1,7 @@ +includes: + - neuvector: ../../src/neuvector/tasks.yaml + +tasks: + - name: validate + actions: + - task: neuvector:validate diff --git a/packages/runtime-security/zarf.yaml b/packages/runtime-security/zarf.yaml new file mode 100644 index 000000000..a38602221 --- /dev/null +++ b/packages/runtime-security/zarf.yaml @@ -0,0 +1,16 @@ +kind: ZarfPackageConfig +metadata: + name: core-runtime-security + description: "UDS Core (Runtime Security)" + authors: "Defense Unicorns - Product" + # x-release-please-start-version + version: "0.28.0" + # x-release-please-end + x-uds-dependencies: ["base", "identity-authorization"] + +components: + # Neuvector + - name: neuvector + required: true + import: + path: ../../src/neuvector diff --git a/packages/standard/zarf.yaml b/packages/standard/zarf.yaml index b021aeabd..42b49886e 100644 --- a/packages/standard/zarf.yaml +++ b/packages/standard/zarf.yaml @@ -62,7 +62,7 @@ components: - name: neuvector required: true import: - path: ../../src/neuvector + path: ../runtime-security # Loki - name: loki @@ -98,10 +98,10 @@ components: - name: uds-runtime required: false import: - path: ../../src/runtime + path: ../ui # Velero - name: velero required: true import: - path: ../../src/velero + path: ../backup-restore diff --git a/packages/ui/README.md b/packages/ui/README.md new file mode 100644 index 000000000..77acbd47d --- /dev/null +++ b/packages/ui/README.md @@ -0,0 +1,8 @@ +# UDS Core UI (Runtime) + +This layer of UDS Core provides UI capabilities. Currently it includes the application(s): +- runtime + +To deploy this layer you must also deploy its dependent layer(s): +- base +- identity-authorization [( unless disabled with runtime override )](https://github.com/defenseunicorns/uds-runtime/blob/v0.5.0/chart/values.yaml) \ No newline at end of file diff --git a/packages/ui/tasks.yaml b/packages/ui/tasks.yaml new file mode 100644 index 000000000..c0dde104a --- /dev/null +++ b/packages/ui/tasks.yaml @@ -0,0 +1,7 @@ +includes: + - runtime: ../../src/runtime/tasks.yaml + +tasks: + - name: validate + actions: + - task: runtime:validate diff --git a/packages/ui/zarf.yaml b/packages/ui/zarf.yaml new file mode 100644 index 000000000..7f15df14a --- /dev/null +++ b/packages/ui/zarf.yaml @@ -0,0 +1,16 @@ +kind: ZarfPackageConfig +metadata: + name: core-ui + description: "UDS Core (UI)" + authors: "Defense Unicorns - Product" + # x-release-please-start-version + version: "0.28.0" + # x-release-please-end + x-uds-dependencies: ["base", "identity-authorization"] + +components: + # Runtime + - name: uds-runtime + required: true + import: + path: ../../src/runtime diff --git a/release-please-config.json b/release-please-config.json index 5774f9aca..34640854d 100644 --- a/release-please-config.json +++ b/release-please-config.json @@ -16,6 +16,9 @@ "README.md", "packages/base/zarf.yaml", "packages/identity-authorization/zarf.yaml", + "packages/backup-restore/zarf.yaml", + "packages/runtime-security/zarf.yaml", + "packages/ui/zarf.yaml", "packages/standard/zarf.yaml", "bundles/k3d-slim-dev/uds-bundle.yaml", "bundles/k3d-standard/uds-bundle.yaml", diff --git a/src/neuvector/zarf.yaml b/src/neuvector/zarf.yaml index 5d76af2f8..5122cac60 100644 --- a/src/neuvector/zarf.yaml +++ b/src/neuvector/zarf.yaml @@ -4,6 +4,11 @@ metadata: description: "UDS Core Neuvector" url: https://open-docs.neuvector.com/ +variables: + - name: DOMAIN + description: "Cluster domain" + default: "uds.dev" + components: - name: neuvector description: "Deploy Neuvector" diff --git a/src/runtime/zarf.yaml b/src/runtime/zarf.yaml index 42df7a706..749c6533c 100644 --- a/src/runtime/zarf.yaml +++ b/src/runtime/zarf.yaml @@ -4,6 +4,11 @@ metadata: description: "UDS Core Runtime" url: "https://github.com/defenseunicorns/uds-runtime" +variables: + - name: DOMAIN + description: "Cluster domain" + default: "uds.dev" + components: - name: uds-runtime required: false From a17d8ae34a0b5e5bea24fa79a22b0fc36937ee12 Mon Sep 17 00:00:00 2001 From: Micah Nagel Date: Sat, 5 Oct 2024 18:05:57 -0600 Subject: [PATCH 40/90] feat: add logging functional layer (#861) ## Description Adds the logging functional layer with vector and loki. ## Related Issue Fixes https://github.com/defenseunicorns/uds-core/issues/830 ## Type of change - [ ] Bug fix (non-breaking change which fixes an issue) - [x] New feature (non-breaking change which adds functionality) - [ ] Other (security config, docs update, etc) ## Checklist before merging - [x] Test, docs, adr added or updated as needed - [x] [Contributor Guide](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md) followed --- .github/filters.yaml | 5 +++++ .github/workflows/publish.yaml | 2 +- packages/logging/README.md | 9 +++++++++ packages/logging/tasks.yaml | 9 +++++++++ packages/logging/zarf.yaml | 22 ++++++++++++++++++++++ packages/standard/zarf.yaml | 4 ++-- release-please-config.json | 1 + 7 files changed, 49 insertions(+), 3 deletions(-) create mode 100644 packages/logging/README.md create mode 100644 packages/logging/tasks.yaml create mode 100644 packages/logging/zarf.yaml diff --git a/.github/filters.yaml b/.github/filters.yaml index a51979f7c..a3be21b91 100644 --- a/.github/filters.yaml +++ b/.github/filters.yaml @@ -11,6 +11,11 @@ identity-authorization: - "src/keycloak/**" - "src/authservice/**" +logging: + - "packages/logging/**" + - "src/loki/**" + - "src/vector/**" + ui: - "packages/ui/**" - "src/runtime/**" diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml index 9e0ec0450..1e70123d2 100644 --- a/.github/workflows/publish.yaml +++ b/.github/workflows/publish.yaml @@ -93,7 +93,7 @@ jobs: strategy: matrix: flavor: [upstream, registry1, unicorn] - layer: [base, identity-authorization, ui, runtime-security, backup-restore] + layer: [base, identity-authorization, ui, runtime-security, backup-restore, logging] arch: [amd64, arm64] exclude: - flavor: registry1 diff --git a/packages/logging/README.md b/packages/logging/README.md new file mode 100644 index 000000000..e73912ab4 --- /dev/null +++ b/packages/logging/README.md @@ -0,0 +1,9 @@ +# UDS Core Logging + +This layer of UDS Core provides log collection and storage capabilities. Currently it includes the application(s): +- Vector: Log collection and shipping +- Loki: Log storage and querying + +To deploy this layer you must also deploy its dependent layer(s): +- Base +- Monitoring (optional to provide UI interaction with logs) diff --git a/packages/logging/tasks.yaml b/packages/logging/tasks.yaml new file mode 100644 index 000000000..443e14048 --- /dev/null +++ b/packages/logging/tasks.yaml @@ -0,0 +1,9 @@ +includes: + - loki: ../../src/loki/tasks.yaml + - vector: ../../src/vector/tasks.yaml + +tasks: + - name: validate + actions: + - task: loki:validate + - task: vector:validate diff --git a/packages/logging/zarf.yaml b/packages/logging/zarf.yaml new file mode 100644 index 000000000..3ec7d7454 --- /dev/null +++ b/packages/logging/zarf.yaml @@ -0,0 +1,22 @@ +kind: ZarfPackageConfig +metadata: + name: core-logging + description: "UDS Core (Logging)" + authors: "Defense Unicorns - Product" + # x-release-please-start-version + version: "0.28.0" + # x-release-please-end + x-uds-dependencies: ["base"] + +components: + # Loki + - name: loki + required: true + import: + path: ../../src/loki + + # Vector + - name: vector + required: true + import: + path: ../../src/vector diff --git a/packages/standard/zarf.yaml b/packages/standard/zarf.yaml index 42b49886e..f219c0b6e 100644 --- a/packages/standard/zarf.yaml +++ b/packages/standard/zarf.yaml @@ -68,7 +68,7 @@ components: - name: loki required: true import: - path: ../../src/loki + path: ../logging # Prometheus - name: kube-prometheus-stack @@ -80,7 +80,7 @@ components: - name: vector required: true import: - path: ../../src/vector + path: ../logging # Grafana - name: grafana diff --git a/release-please-config.json b/release-please-config.json index 34640854d..175c995b5 100644 --- a/release-please-config.json +++ b/release-please-config.json @@ -16,6 +16,7 @@ "README.md", "packages/base/zarf.yaml", "packages/identity-authorization/zarf.yaml", + "packages/logging/zarf.yaml", "packages/backup-restore/zarf.yaml", "packages/runtime-security/zarf.yaml", "packages/ui/zarf.yaml", From acc17635f38bcf9ebce29f31acadf5aace2851d2 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 7 Oct 2024 08:07:27 -0600 Subject: [PATCH 41/90] chore(deps): update uds to v0.17.0 (#859) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This PR contains the following updates: | Package | Update | Change | |---|---|---| | [defenseunicorns/uds-cli](https://redirect.github.com/defenseunicorns/uds-cli) | minor | `0.16.0` -> `0.17.0` | | [defenseunicorns/uds-cli](https://redirect.github.com/defenseunicorns/uds-cli) | minor | `v0.16.0` -> `v0.17.0` | --- ### Release Notes
defenseunicorns/uds-cli (defenseunicorns/uds-cli) ### [`v0.17.0`](https://redirect.github.com/defenseunicorns/uds-cli/releases/tag/v0.17.0) [Compare Source](https://redirect.github.com/defenseunicorns/uds-cli/compare/v0.16.0...v0.17.0) #### What's Changed - chore: remove nascent state tracking by [@​catsby](https://redirect.github.com/catsby) in [https://github.com/defenseunicorns/uds-cli/pull/942](https://redirect.github.com/defenseunicorns/uds-cli/pull/942) - chore: matrix testing pre-existing k3d clusters by [@​catsby](https://redirect.github.com/catsby) in [https://github.com/defenseunicorns/uds-cli/pull/944](https://redirect.github.com/defenseunicorns/uds-cli/pull/944) - fix: add suffix to smoke test logs by [@​catsby](https://redirect.github.com/catsby) in [https://github.com/defenseunicorns/uds-cli/pull/947](https://redirect.github.com/defenseunicorns/uds-cli/pull/947) - chore(deps): update actions/checkout action to v4.2.0 by [@​renovate](https://redirect.github.com/renovate) in [https://github.com/defenseunicorns/uds-cli/pull/943](https://redirect.github.com/defenseunicorns/uds-cli/pull/943) - chore(deps): update defenseunicorns/uds-common action to v0.13.1 by [@​renovate](https://redirect.github.com/renovate) in [https://github.com/defenseunicorns/uds-cli/pull/941](https://redirect.github.com/defenseunicorns/uds-cli/pull/941) - chore(deps): update actions/upload-artifact action to v4.4.0 by [@​renovate](https://redirect.github.com/renovate) in [https://github.com/defenseunicorns/uds-cli/pull/892](https://redirect.github.com/defenseunicorns/uds-cli/pull/892) - chore(deps): update actions/setup-node action to v4.0.4 by [@​renovate](https://redirect.github.com/renovate) in [https://github.com/defenseunicorns/uds-cli/pull/930](https://redirect.github.com/defenseunicorns/uds-cli/pull/930) - fix(deps): update zarf to v0.40.1 by [@​renovate](https://redirect.github.com/renovate) in [https://github.com/defenseunicorns/uds-cli/pull/936](https://redirect.github.com/defenseunicorns/uds-cli/pull/936) - fix: update renovate script regex for uds-runtime by [@​catsby](https://redirect.github.com/catsby) in [https://github.com/defenseunicorns/uds-cli/pull/948](https://redirect.github.com/defenseunicorns/uds-cli/pull/948) - chore(deps): update dependency defenseunicorns/uds-runtime to v0.5.0 by [@​renovate](https://redirect.github.com/renovate) in [https://github.com/defenseunicorns/uds-cli/pull/949](https://redirect.github.com/defenseunicorns/uds-cli/pull/949) - chore(deps): update github/codeql-action action to v3.26.10 by [@​renovate](https://redirect.github.com/renovate) in [https://github.com/defenseunicorns/uds-cli/pull/931](https://redirect.github.com/defenseunicorns/uds-cli/pull/931) - chore(deps): update homebrew/actions digest to [`2d906ee`](https://redirect.github.com/defenseunicorns/uds-cli/commit/2d906ee) by [@​renovate](https://redirect.github.com/renovate) in [https://github.com/defenseunicorns/uds-cli/pull/929](https://redirect.github.com/defenseunicorns/uds-cli/pull/929) - fix: setup specific node js version by [@​catsby](https://redirect.github.com/catsby) in [https://github.com/defenseunicorns/uds-cli/pull/956](https://redirect.github.com/defenseunicorns/uds-cli/pull/956) - fix(deps): update module github.com/defenseunicorns/maru-runner to v0.3.0 by [@​renovate](https://redirect.github.com/renovate) in [https://github.com/defenseunicorns/uds-cli/pull/952](https://redirect.github.com/defenseunicorns/uds-cli/pull/952) **Full Changelog**: https://github.com/defenseunicorns/uds-cli/compare/v0.16.0...v0.17.0
--- ### Configuration πŸ“… **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. β™» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. πŸ”• **Ignore**: Close this PR and you won't be reminded about these updates again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/defenseunicorns/uds-core). Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Chance <139784371+UnicornChance@users.noreply.github.com> --- .github/actions/lint-check/action.yaml | 2 +- .github/actions/setup/action.yaml | 2 +- .vscode/settings.json | 6 +++--- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/actions/lint-check/action.yaml b/.github/actions/lint-check/action.yaml index cfcb7798b..4b93f9a7d 100644 --- a/.github/actions/lint-check/action.yaml +++ b/.github/actions/lint-check/action.yaml @@ -12,7 +12,7 @@ runs: uses: Homebrew/actions/setup-homebrew@master - name: Install UDS CLI # renovate: datasource=github-tags depName=defenseunicorns/uds-cli versioning=semver - run: brew install defenseunicorns/tap/uds@0.16.0 + run: brew install defenseunicorns/tap/uds@0.17.0 shell: bash - name: Run Formatting Checks run: uds run lint-check --no-progress diff --git a/.github/actions/setup/action.yaml b/.github/actions/setup/action.yaml index 62b2f0d65..6a3d5ee77 100644 --- a/.github/actions/setup/action.yaml +++ b/.github/actions/setup/action.yaml @@ -32,7 +32,7 @@ runs: uses: defenseunicorns/setup-uds@b987a32bac3baeb67bfb08f5e1544e2f9076ee8a # v1.0.0 with: # renovate: datasource=github-tags depName=defenseunicorns/uds-cli versioning=semver - version: v0.16.0 + version: v0.17.0 - name: Install Lula uses: defenseunicorns/lula-action/setup@badad8c4b1570095f57e66ffd62664847698a3b9 # v0.0.1 diff --git a/.vscode/settings.json b/.vscode/settings.json index 97ec6433e..542e229de 100644 --- a/.vscode/settings.json +++ b/.vscode/settings.json @@ -9,17 +9,17 @@ }, "yaml.schemas": { // renovate: datasource=github-tags depName=defenseunicorns/uds-cli versioning=semver - "https://raw.githubusercontent.com/defenseunicorns/uds-cli/v0.16.0/uds.schema.json": [ + "https://raw.githubusercontent.com/defenseunicorns/uds-cli/v0.17.0/uds.schema.json": [ "uds-bundle.yaml" ], // renovate: datasource=github-tags depName=defenseunicorns/uds-cli versioning=semver - "https://raw.githubusercontent.com/defenseunicorns/uds-cli/v0.16.0/tasks.schema.json": [ + "https://raw.githubusercontent.com/defenseunicorns/uds-cli/v0.17.0/tasks.schema.json": [ "tasks.yaml", "tasks/**/*.yaml", "src/**/validate.yaml" ], // renovate: datasource=github-tags depName=defenseunicorns/uds-cli versioning=semver - "https://raw.githubusercontent.com/defenseunicorns/uds-cli/v0.16.0/zarf.schema.json": [ + "https://raw.githubusercontent.com/defenseunicorns/uds-cli/v0.17.0/zarf.schema.json": [ "zarf.yaml" ] }, From 3561ed6114805827cea40384e9ba1d33268a34db Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 7 Oct 2024 15:31:20 +0000 Subject: [PATCH 42/90] chore(deps): update chainctl action to v0.2.3 (#864) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [chainguard-dev/setup-chainctl](https://redirect.github.com/chainguard-dev/setup-chainctl) | action | patch | `v0.2.2` -> `v0.2.3` | --- ### Release Notes
chainguard-dev/setup-chainctl (chainguard-dev/setup-chainctl) ### [`v0.2.3`](https://redirect.github.com/chainguard-dev/setup-chainctl/releases/tag/v0.2.3) [Compare Source](https://redirect.github.com/chainguard-dev/setup-chainctl/compare/v0.2.2...v0.2.3) #### What's Changed - add retry when trying to download chainctl by [@​cpanato](https://redirect.github.com/cpanato) in [https://github.com/chainguard-dev/setup-chainctl/pull/13](https://redirect.github.com/chainguard-dev/setup-chainctl/pull/13) **Full Changelog**: https://github.com/chainguard-dev/setup-chainctl/compare/v0.2.2...v0.2.3
--- ### Configuration πŸ“… **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. β™» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. πŸ”• **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/defenseunicorns/uds-core). Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Chance <139784371+UnicornChance@users.noreply.github.com> --- .github/actions/setup/action.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/actions/setup/action.yaml b/.github/actions/setup/action.yaml index 6a3d5ee77..b20c871dc 100644 --- a/.github/actions/setup/action.yaml +++ b/.github/actions/setup/action.yaml @@ -50,7 +50,7 @@ runs: - name: Chainguard Login if: ${{ inputs.chainguardIdentity != '' }} - uses: chainguard-dev/setup-chainctl@f52718d822dc73d21a04ef2082822c4a203163b3 # v0.2.2 + uses: chainguard-dev/setup-chainctl@598499528905f95b94e62e4831cf42035e768933 # v0.2.3 with: identity: ${{ inputs.chainguardIdentity }} From 19c1193df1c5ad1dcc12c73ae3c7a4b07f3fa651 Mon Sep 17 00:00:00 2001 From: Micah Nagel Date: Mon, 7 Oct 2024 10:20:34 -0600 Subject: [PATCH 43/90] feat: add metrics-server functional layer (#865) ## Description Adds the functional layer for metrics-server. ## Related Issue Related to https://github.com/defenseunicorns/uds-core/issues/820 ## Type of change - [ ] Bug fix (non-breaking change which fixes an issue) - [x] New feature (non-breaking change which adds functionality) - [ ] Other (security config, docs update, etc) ## Checklist before merging - [x] Test, docs, adr added or updated as needed - [x] [Contributor Guide](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md) followed --- .github/filters.yaml | 4 ++++ .github/workflows/publish.yaml | 2 +- packages/metrics-server/README.md | 7 +++++++ packages/metrics-server/tasks.yaml | 8 ++++++++ packages/metrics-server/zarf.yaml | 16 ++++++++++++++++ packages/standard/zarf.yaml | 2 +- release-please-config.json | 1 + 7 files changed, 38 insertions(+), 2 deletions(-) create mode 100644 packages/metrics-server/README.md create mode 100644 packages/metrics-server/tasks.yaml create mode 100644 packages/metrics-server/zarf.yaml diff --git a/.github/filters.yaml b/.github/filters.yaml index a3be21b91..032af0a17 100644 --- a/.github/filters.yaml +++ b/.github/filters.yaml @@ -27,3 +27,7 @@ runtime-security: backup-restore: - "packages/backup-restore/**" - "src/velero/**" + +metrics-server: + - "packages/metrics-server/**" + - "src/metrics-server/**" diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml index 1e70123d2..55806ed4c 100644 --- a/.github/workflows/publish.yaml +++ b/.github/workflows/publish.yaml @@ -93,7 +93,7 @@ jobs: strategy: matrix: flavor: [upstream, registry1, unicorn] - layer: [base, identity-authorization, ui, runtime-security, backup-restore, logging] + layer: [base, identity-authorization, ui, runtime-security, backup-restore, logging, metrics-server] arch: [amd64, arm64] exclude: - flavor: registry1 diff --git a/packages/metrics-server/README.md b/packages/metrics-server/README.md new file mode 100644 index 000000000..c23248502 --- /dev/null +++ b/packages/metrics-server/README.md @@ -0,0 +1,7 @@ +# UDS Core Metrics Server + +This layer of UDS Core provides k8s metrics capabilities. Currently it includes the application(s): +- Metrics Server + +To deploy this layer you must also deploy its dependent layer(s): +- Base diff --git a/packages/metrics-server/tasks.yaml b/packages/metrics-server/tasks.yaml new file mode 100644 index 000000000..287f62079 --- /dev/null +++ b/packages/metrics-server/tasks.yaml @@ -0,0 +1,8 @@ +includes: + - metrics-server: ../../src/metrics-server/tasks.yaml + +tasks: + - name: validate + actions: + - description: "Validate Metrics Server" + task: metrics-server:validate diff --git a/packages/metrics-server/zarf.yaml b/packages/metrics-server/zarf.yaml new file mode 100644 index 000000000..3b622f80f --- /dev/null +++ b/packages/metrics-server/zarf.yaml @@ -0,0 +1,16 @@ +kind: ZarfPackageConfig +metadata: + name: core-metrics-server + description: "UDS Core (Metrics Server)" + authors: "Defense Unicorns - Product" + # x-release-please-start-version + version: "0.28.0" + # x-release-please-end + x-uds-dependencies: ["base"] + +components: + # Metrics Server + - name: metrics-server + required: true + import: + path: ../../src/metrics-server diff --git a/packages/standard/zarf.yaml b/packages/standard/zarf.yaml index f219c0b6e..2117e5c6e 100644 --- a/packages/standard/zarf.yaml +++ b/packages/standard/zarf.yaml @@ -50,7 +50,7 @@ components: - name: metrics-server required: false import: - path: ../../src/metrics-server + path: ../metrics-server # Keycloak - name: keycloak diff --git a/release-please-config.json b/release-please-config.json index 175c995b5..07e21e0da 100644 --- a/release-please-config.json +++ b/release-please-config.json @@ -20,6 +20,7 @@ "packages/backup-restore/zarf.yaml", "packages/runtime-security/zarf.yaml", "packages/ui/zarf.yaml", + "packages/metrics-server/zarf.yaml", "packages/standard/zarf.yaml", "bundles/k3d-slim-dev/uds-bundle.yaml", "bundles/k3d-standard/uds-bundle.yaml", From bb4f35c39abb91cb2f16d8604df9c0601cb68478 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 7 Oct 2024 16:48:27 +0000 Subject: [PATCH 44/90] chore(deps): update grafana to 11.2.1 (#836) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This PR contains the following updates: | Package | Update | Change | |---|---|---| | [cgr.dev/du-uds-defenseunicorns/busybox-fips](https://images.chainguard.dev/directory/image/busybox-fips/overview) ([source](https://redirect.github.com/chainguard-images/images-private/tree/HEAD/images/busybox-fips)) | minor | `1.36.1` -> `1.37.0` | | [cgr.dev/du-uds-defenseunicorns/grafana-fips](https://images.chainguard.dev/directory/image/grafana-fips/overview) ([source](https://redirect.github.com/chainguard-images/images-private/tree/HEAD/images/grafana-fips)) | patch | `11.2.0` -> `11.2.1` | | [cgr.dev/du-uds-defenseunicorns/k8s-sidecar-fips](https://images.chainguard.dev/directory/image/k8s-sidecar-fips/overview) ([source](https://redirect.github.com/chainguard-images/images-private/tree/HEAD/images/k8s-sidecar-fips)) | minor | `1.27.6` -> `1.28.0` | | docker.io/grafana/grafana | patch | `11.2.0` -> `11.2.1` | | docker.io/library/busybox | minor | `1.36.1` -> `1.37.0` | | [ghcr.io/kiwigrid/k8s-sidecar](https://redirect.github.com/kiwigrid/k8s-sidecar) | minor | `1.27.6` -> `1.28.0` | | [grafana](https://grafana.com) ([source](https://redirect.github.com/grafana/helm-charts)) | patch | `8.5.1` -> `8.5.2` | | [registry1.dso.mil/ironbank/kiwigrid/k8s-sidecar](https://redirect.github.com/kiwigrid/k8s-sidecar) ([source](https://repo1.dso.mil/dsop/kiwigrid/k8s-sidecar)) | minor | `1.27.6` -> `1.28.0` | | [registry1.dso.mil/ironbank/opensource/grafana/grafana](https://redirect.github.com/grafana/grafana) ([source](https://repo1.dso.mil/dsop/opensource/grafana/grafana)) | patch | `11.2.0` -> `11.2.1` | --- ### Release Notes
kiwigrid/k8s-sidecar (ghcr.io/kiwigrid/k8s-sidecar) ### [`v1.28.0`](https://redirect.github.com/kiwigrid/k8s-sidecar/releases/tag/1.28.0) [Compare Source](https://redirect.github.com/kiwigrid/k8s-sidecar/compare/1.27.6...1.28.0) ##### πŸ“¦ Dependencies - Workflow maintenance - PR: [#​359](https://redirect.github.com/kiwigrid/k8s-sidecar/issues/359) - Trigger Build - PR: [#​364](https://redirect.github.com/kiwigrid/k8s-sidecar/issues/364) - Bump kubernetes from 30.1.0 to 31.0.0 in /src - PR: [#​360](https://redirect.github.com/kiwigrid/k8s-sidecar/issues/360)
grafana/helm-charts (grafana) ### [`v8.5.2`](https://redirect.github.com/grafana/helm-charts/releases/tag/grafana-8.5.2) [Compare Source](https://redirect.github.com/grafana/helm-charts/compare/grafana-8.5.1...grafana-8.5.2) The leading tool for querying and visualizing time series and metrics. #### What's Changed - \[grafana] Update Grafana to version 11.2.1 by [@​terop](https://redirect.github.com/terop) in [https://github.com/grafana/helm-charts/pull/3335](https://redirect.github.com/grafana/helm-charts/pull/3335) **Full Changelog**: https://github.com/grafana/helm-charts/compare/alloy-0.9.0...grafana-8.5.2
--- ### Configuration πŸ“… **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. β™» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. πŸ‘» **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/defenseunicorns/uds-core). --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Micah Nagel --- src/grafana/common/zarf.yaml | 2 +- src/grafana/values/registry1-values.yaml | 4 ++-- src/grafana/values/unicorn-values.yaml | 6 +++--- src/grafana/values/upstream-values.yaml | 6 +++--- src/grafana/zarf.yaml | 16 ++++++++-------- 5 files changed, 17 insertions(+), 17 deletions(-) diff --git a/src/grafana/common/zarf.yaml b/src/grafana/common/zarf.yaml index e707fc78f..452edf682 100644 --- a/src/grafana/common/zarf.yaml +++ b/src/grafana/common/zarf.yaml @@ -14,7 +14,7 @@ components: localPath: ../chart - name: grafana url: https://grafana.github.io/helm-charts/ - version: 8.5.1 + version: 8.5.2 namespace: grafana valuesFiles: - ../values/values.yaml diff --git a/src/grafana/values/registry1-values.yaml b/src/grafana/values/registry1-values.yaml index faeb618aa..045de8343 100644 --- a/src/grafana/values/registry1-values.yaml +++ b/src/grafana/values/registry1-values.yaml @@ -1,7 +1,7 @@ image: registry: registry1.dso.mil repository: ironbank/opensource/grafana/grafana - tag: 11.2.0 + tag: 11.2.1 initChownData: image: @@ -18,4 +18,4 @@ sidecar: image: registry: registry1.dso.mil repository: ironbank/kiwigrid/k8s-sidecar - tag: 1.27.6 + tag: 1.28.0 diff --git a/src/grafana/values/unicorn-values.yaml b/src/grafana/values/unicorn-values.yaml index b03311547..720c5d0c4 100644 --- a/src/grafana/values/unicorn-values.yaml +++ b/src/grafana/values/unicorn-values.yaml @@ -1,13 +1,13 @@ image: registry: cgr.dev repository: du-uds-defenseunicorns/grafana-fips - tag: 11.2.0 + tag: 11.2.1 initChownData: image: registry: cgr.dev repository: du-uds-defenseunicorns/busybox-fips - tag: 1.36.1 + tag: 1.37.0 downloadDashboardsImage: registry: cgr.dev @@ -18,4 +18,4 @@ sidecar: image: registry: cgr.dev repository: du-uds-defenseunicorns/k8s-sidecar-fips - tag: 1.27.6 + tag: 1.28.0 diff --git a/src/grafana/values/upstream-values.yaml b/src/grafana/values/upstream-values.yaml index 7da312248..043ba6545 100644 --- a/src/grafana/values/upstream-values.yaml +++ b/src/grafana/values/upstream-values.yaml @@ -3,18 +3,18 @@ sidecar: # -- The Docker registry registry: ghcr.io repository: kiwigrid/k8s-sidecar - tag: 1.27.6 + tag: 1.28.0 image: registry: docker.io repository: grafana/grafana - tag: 11.2.0 + tag: 11.2.1 initChownData: image: registry: docker.io repository: library/busybox - tag: 1.36.1 + tag: 1.37.0 downloadDashboardsImage: registry: docker.io diff --git a/src/grafana/zarf.yaml b/src/grafana/zarf.yaml index a59ba5ecb..ebb548b45 100644 --- a/src/grafana/zarf.yaml +++ b/src/grafana/zarf.yaml @@ -21,10 +21,10 @@ components: valuesFiles: - values/upstream-values.yaml images: - - docker.io/grafana/grafana:11.2.0 + - docker.io/grafana/grafana:11.2.1 - docker.io/curlimages/curl:8.10.1 - - docker.io/library/busybox:1.36.1 - - ghcr.io/kiwigrid/k8s-sidecar:1.27.6 + - docker.io/library/busybox:1.37.0 + - ghcr.io/kiwigrid/k8s-sidecar:1.28.0 - name: grafana required: true @@ -37,9 +37,9 @@ components: valuesFiles: - values/registry1-values.yaml images: - - registry1.dso.mil/ironbank/opensource/grafana/grafana:11.2.0 + - registry1.dso.mil/ironbank/opensource/grafana/grafana:11.2.1 - registry1.dso.mil/ironbank/redhat/ubi/ubi9-minimal:9.4 - - registry1.dso.mil/ironbank/kiwigrid/k8s-sidecar:1.27.6 + - registry1.dso.mil/ironbank/kiwigrid/k8s-sidecar:1.28.0 - name: grafana required: true @@ -52,7 +52,7 @@ components: valuesFiles: - values/unicorn-values.yaml images: - - cgr.dev/du-uds-defenseunicorns/grafana-fips:11.2.0 - - cgr.dev/du-uds-defenseunicorns/busybox-fips:1.36.1 + - cgr.dev/du-uds-defenseunicorns/grafana-fips:11.2.1 + - cgr.dev/du-uds-defenseunicorns/busybox-fips:1.37.0 - cgr.dev/du-uds-defenseunicorns/curl-fips:8.10.1 - - cgr.dev/du-uds-defenseunicorns/k8s-sidecar-fips:1.27.6 + - cgr.dev/du-uds-defenseunicorns/k8s-sidecar-fips:1.28.0 From 3a74ded3d1cac83fb4f8048a836aea167e097ab5 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 7 Oct 2024 15:07:37 -0600 Subject: [PATCH 45/90] chore(deps): update githubactions (#866) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [actions/checkout](https://redirect.github.com/actions/checkout) | action | patch | `v4.2.0` -> `v4.2.1` | | [actions/checkout](https://redirect.github.com/actions/checkout) | action | digest | `692973e` -> `eef6144` | | [actions/upload-artifact](https://redirect.github.com/actions/upload-artifact) | action | patch | `v4.4.0` -> `v4.4.1` | --- ### Release Notes
actions/checkout (actions/checkout) ### [`v4.2.1`](https://redirect.github.com/actions/checkout/blob/HEAD/CHANGELOG.md#v421) [Compare Source](https://redirect.github.com/actions/checkout/compare/v4.2.0...v4.2.1) - Check out other refs/\* by commit if provided, fall back to ref by [@​orhantoy](https://redirect.github.com/orhantoy) in [https://github.com/actions/checkout/pull/1924](https://redirect.github.com/actions/checkout/pull/1924)
actions/upload-artifact (actions/upload-artifact) ### [`v4.4.1`](https://redirect.github.com/actions/upload-artifact/releases/tag/v4.4.1) [Compare Source](https://redirect.github.com/actions/upload-artifact/compare/v4.4.0...v4.4.1) #### What's Changed - Add a section about hidden files by [@​joshmgross](https://redirect.github.com/joshmgross) in [https://github.com/actions/upload-artifact/pull/607](https://redirect.github.com/actions/upload-artifact/pull/607) - Add workflow file for publishing releases to immutable action package by [@​Jcambass](https://redirect.github.com/Jcambass) in [https://github.com/actions/upload-artifact/pull/621](https://redirect.github.com/actions/upload-artifact/pull/621) - Update [@​actions/artifact](https://redirect.github.com/actions/artifact) to latest version, includes symlink and timeout fixes by [@​robherley](https://redirect.github.com/robherley) in [https://github.com/actions/upload-artifact/pull/625](https://redirect.github.com/actions/upload-artifact/pull/625) #### New Contributors - [@​Jcambass](https://redirect.github.com/Jcambass) made their first contribution in [https://github.com/actions/upload-artifact/pull/621](https://redirect.github.com/actions/upload-artifact/pull/621) **Full Changelog**: https://github.com/actions/upload-artifact/compare/v4.4.0...v4.4.1
--- ### Configuration πŸ“… **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. β™» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. πŸ‘» **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/defenseunicorns/uds-core). Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- .github/actions/save-logs/action.yaml | 2 +- .github/workflows/commitlint.yaml | 2 +- .github/workflows/compliance.yaml | 4 ++-- .github/workflows/docs-shim.yaml | 2 +- .github/workflows/lint-oscal.yaml | 4 ++-- .github/workflows/publish.yaml | 4 ++-- .github/workflows/pull-request-conditionals.yaml | 4 ++-- .github/workflows/slim-dev-test.yaml | 2 +- .github/workflows/snapshot-release.yaml | 2 +- .github/workflows/test-eks.yaml | 2 +- .github/workflows/test.yaml | 4 ++-- 11 files changed, 16 insertions(+), 16 deletions(-) diff --git a/.github/actions/save-logs/action.yaml b/.github/actions/save-logs/action.yaml index 88ed686e8..fe5082c73 100644 --- a/.github/actions/save-logs/action.yaml +++ b/.github/actions/save-logs/action.yaml @@ -34,7 +34,7 @@ runs: sudo chown $USER /tmp/uds-*.log || echo "" shell: bash - - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 + - uses: actions/upload-artifact@604373da6381bf24206979c74d06a550515601b9 # v4.4.1 with: name: debug-log${{ inputs.suffix }} path: | diff --git a/.github/workflows/commitlint.yaml b/.github/workflows/commitlint.yaml index 5d0d7a7b7..ea2b3e997 100644 --- a/.github/workflows/commitlint.yaml +++ b/.github/workflows/commitlint.yaml @@ -15,7 +15,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 with: fetch-depth: 0 diff --git a/.github/workflows/compliance.yaml b/.github/workflows/compliance.yaml index c9649a18c..7cabf9fb6 100644 --- a/.github/workflows/compliance.yaml +++ b/.github/workflows/compliance.yaml @@ -28,7 +28,7 @@ jobs: steps: # Used to execute the uds run command - name: Checkout repository - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - name: Environment setup uses: ./.github/actions/setup @@ -66,7 +66,7 @@ jobs: ghToken: ${{ secrets.GITHUB_TOKEN }} - name: Upload Evaluated Assessment - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 + uses: actions/upload-artifact@604373da6381bf24206979c74d06a550515601b9 # v4.4.1 with: name: ${{ inputs.flavor }}-assessment-results path: ./compliance/oscal-assessment-results.yaml diff --git a/.github/workflows/docs-shim.yaml b/.github/workflows/docs-shim.yaml index f1e131434..dad948bcd 100644 --- a/.github/workflows/docs-shim.yaml +++ b/.github/workflows/docs-shim.yaml @@ -23,7 +23,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout repository - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - name: lint-check uses: ./.github/actions/lint-check diff --git a/.github/workflows/lint-oscal.yaml b/.github/workflows/lint-oscal.yaml index 33dab2e60..8267b2ca8 100644 --- a/.github/workflows/lint-oscal.yaml +++ b/.github/workflows/lint-oscal.yaml @@ -21,7 +21,7 @@ jobs: oscal_files: ${{ steps.path-filter.outputs.oscal_files }} steps: - name: Checkout the code - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 # Uses a custom action to filter paths for source packages. - name: Check src paths @@ -48,7 +48,7 @@ jobs: shell: bash # checkout for access to the oscal files targeted for linting - name: Checkout the code - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - name: Environment setup uses: ./.github/actions/setup # lint the oscal files diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml index 55806ed4c..71f454bc3 100644 --- a/.github/workflows/publish.yaml +++ b/.github/workflows/publish.yaml @@ -23,7 +23,7 @@ jobs: id-token: write # This is needed for OIDC federation. steps: - - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - name: Environment setup uses: ./.github/actions/setup @@ -107,7 +107,7 @@ jobs: id-token: write # This is needed for OIDC federation. steps: - - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - name: Environment setup uses: ./.github/actions/setup diff --git a/.github/workflows/pull-request-conditionals.yaml b/.github/workflows/pull-request-conditionals.yaml index cc178e911..59a160d55 100644 --- a/.github/workflows/pull-request-conditionals.yaml +++ b/.github/workflows/pull-request-conditionals.yaml @@ -42,7 +42,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout repository - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - name: lint-check uses: ./.github/actions/lint-check @@ -56,7 +56,7 @@ jobs: steps: - name: Checkout the code - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 # Uses a custom action to filter paths for source packages. - name: Check src paths diff --git a/.github/workflows/slim-dev-test.yaml b/.github/workflows/slim-dev-test.yaml index e6c94746a..ce76ed767 100644 --- a/.github/workflows/slim-dev-test.yaml +++ b/.github/workflows/slim-dev-test.yaml @@ -44,7 +44,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout the code - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - name: Environment setup uses: ./.github/actions/setup - name: Deploy Slim Dev Bundle diff --git a/.github/workflows/snapshot-release.yaml b/.github/workflows/snapshot-release.yaml index b1c188e67..621e38a5e 100644 --- a/.github/workflows/snapshot-release.yaml +++ b/.github/workflows/snapshot-release.yaml @@ -24,7 +24,7 @@ jobs: permissions: contents: write steps: - - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 with: fetch-tags: 'true' - name: Update snapshot-latest tag diff --git a/.github/workflows/test-eks.yaml b/.github/workflows/test-eks.yaml index acaded852..5e27e3506 100644 --- a/.github/workflows/test-eks.yaml +++ b/.github/workflows/test-eks.yaml @@ -33,7 +33,7 @@ jobs: echo "TF_VAR_permissions_boundary_name=${UDS_PERMISSIONS_BOUNDARY_NAME}" >> $GITHUB_ENV - name: Checkout repository - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4 - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4 diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index abbaa3511..3425f16fc 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml @@ -47,7 +47,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - name: Environment setup uses: ./.github/actions/setup @@ -71,7 +71,7 @@ jobs: - name: Upload Assessment if: ${{ inputs.package == 'all' && inputs.test_type == 'install' }} - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 + uses: actions/upload-artifact@604373da6381bf24206979c74d06a550515601b9 # v4.4.1 with: name: ${{ inputs.flavor }}-assessment-results path: ./compliance/oscal-assessment-results.yaml From 9fd708559163c6df70683fc7a4b2a45086dbadd2 Mon Sep 17 00:00:00 2001 From: Noah <40781376+noahpb@users.noreply.github.com> Date: Tue, 8 Oct 2024 08:20:34 -0400 Subject: [PATCH 46/90] feat: add monitoring layer (#872) ## Description Adds the monitoring functional layer ## Related Issue Fixes https://github.com/defenseunicorns/uds-core/issues/829 ## Type of change - [ ] Bug fix (non-breaking change which fixes an issue) - [x] New feature (non-breaking change which adds functionality) - [ ] Other (security config, docs update, etc) ## Checklist before merging - [ ] Test, docs, adr added or updated as needed - [ ] [Contributor Guide](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md) followed --------- Co-authored-by: Micah Nagel --- .github/filters.yaml | 5 +++++ .github/workflows/publish.yaml | 2 +- packages/monitoring/readme.md | 9 +++++++++ packages/monitoring/tasks.yaml | 9 +++++++++ packages/monitoring/zarf.yaml | 21 +++++++++++++++++++++ packages/standard/zarf.yaml | 4 ++-- release-please-config.json | 1 + 7 files changed, 48 insertions(+), 3 deletions(-) create mode 100644 packages/monitoring/readme.md create mode 100644 packages/monitoring/tasks.yaml create mode 100644 packages/monitoring/zarf.yaml diff --git a/.github/filters.yaml b/.github/filters.yaml index 032af0a17..81bb4c1a3 100644 --- a/.github/filters.yaml +++ b/.github/filters.yaml @@ -31,3 +31,8 @@ backup-restore: metrics-server: - "packages/metrics-server/**" - "src/metrics-server/**" + +monitoring: + - "packages/monitoring/**" + - "src/prometheus-stack/**" + - "src/grafana/**" diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml index 71f454bc3..0a4b7a6f9 100644 --- a/.github/workflows/publish.yaml +++ b/.github/workflows/publish.yaml @@ -93,7 +93,7 @@ jobs: strategy: matrix: flavor: [upstream, registry1, unicorn] - layer: [base, identity-authorization, ui, runtime-security, backup-restore, logging, metrics-server] + layer: [base, identity-authorization, ui, runtime-security, backup-restore, logging, metrics-server, monitoring] arch: [amd64, arm64] exclude: - flavor: registry1 diff --git a/packages/monitoring/readme.md b/packages/monitoring/readme.md new file mode 100644 index 000000000..e08fe67f7 --- /dev/null +++ b/packages/monitoring/readme.md @@ -0,0 +1,9 @@ +# UDS Core Monitoring + +This layer of UDS Core provides monitoring capabilities. Currently it includes the application(s): +- grafana +- prometheus + +To deploy this layer you must also deploy its dependent layer(s): +- base +- identity-authorization \ No newline at end of file diff --git a/packages/monitoring/tasks.yaml b/packages/monitoring/tasks.yaml new file mode 100644 index 000000000..3de4e5238 --- /dev/null +++ b/packages/monitoring/tasks.yaml @@ -0,0 +1,9 @@ +includes: + - prometheus: ../../src/prometheus-stack/tasks.yaml + - grafana: ../../src/grafana/tasks.yaml + +tasks: + - name: validate + actions: + - task: prometheus:validate + - task: grafana:validate diff --git a/packages/monitoring/zarf.yaml b/packages/monitoring/zarf.yaml new file mode 100644 index 000000000..02881df98 --- /dev/null +++ b/packages/monitoring/zarf.yaml @@ -0,0 +1,21 @@ +kind: ZarfPackageConfig +metadata: + name: core-monitoring + description: "UDS Core Monitoring (Prometheus and Grafana)" + authors: "Defense Unicorns - Product" + # x-release-please-start-version + version: "0.28.0" + # x-release-please-end + x-uds-dependencies: ["base", "identity-authorization"] + +components: + # Prometheus + - name: kube-prometheus-stack + required: true + import: + path: ../../src/prometheus-stack + # Grafana + - name: grafana + required: true + import: + path: ../../src/grafana diff --git a/packages/standard/zarf.yaml b/packages/standard/zarf.yaml index 2117e5c6e..75816559c 100644 --- a/packages/standard/zarf.yaml +++ b/packages/standard/zarf.yaml @@ -74,7 +74,7 @@ components: - name: kube-prometheus-stack required: true import: - path: ../../src/prometheus-stack + path: ../monitoring # Vector - name: vector @@ -86,7 +86,7 @@ components: - name: grafana required: true import: - path: ../../src/grafana + path: ../monitoring # Authservice - name: authservice diff --git a/release-please-config.json b/release-please-config.json index 07e21e0da..1460f8ee1 100644 --- a/release-please-config.json +++ b/release-please-config.json @@ -20,6 +20,7 @@ "packages/backup-restore/zarf.yaml", "packages/runtime-security/zarf.yaml", "packages/ui/zarf.yaml", + "packages/monitoring/zarf.yaml", "packages/metrics-server/zarf.yaml", "packages/standard/zarf.yaml", "bundles/k3d-slim-dev/uds-bundle.yaml", From d6fd452380aabcb091d1da904b92be2a198e23e6 Mon Sep 17 00:00:00 2001 From: Noah <40781376+noahpb@users.noreply.github.com> Date: Tue, 8 Oct 2024 10:23:31 -0400 Subject: [PATCH 47/90] feat: add nightly testing for rke2 (#808) ## Description This pull request introduces a new nightly test of uds-core on RKE2. The pipeline runs in parallel alongside our existing EKS nightly tests. Included in this PR are additional IaC resources to deploy RKE2, an additional bundle for RKE2 and updated task files/workflows. Details: - Changes `test-infra` directory layout to support multiple k8s distributions (merges `test-infra/buckets-iac` and `test-infra/rds-iac` into `test-infra/aws/eks` and adds `test-infra/aws/rke2`) - Adds IaC for a minimal deployment of RKE2 under `test-infra/aws/rke2` - Introduces new test bundle for uds-core on RKE2 (`.github/bundles/rke2`), changes `.github/bundles` directory layout to support additional distros (moves `.github/bundles/*.yaml` to `.github/bundles/eks`) - Introduces new workflow for nightly tests of uds-core on rke2 (`.github/workflows/test-rke2.yaml`) - Updates workflows and task files to support testing across multiple K8s distros. Callouts: - uses existing vpc and subnets in ci account - the `rke2_version` var will be used to query the latest ami for the given minor version - uses rhel amis built from uds-rke2-image-builder repo - includes support for irsa - no cluster-autoscaler deployed, currently hardcoded to provision 4 `m5.2xlarge` nodes - does not deploy any external dependencies apart from s3 buckets for loki and velero Example pipeline run with new RKE2 tests can be seen [here](https://github.com/defenseunicorns/uds-core/actions/runs/11150004170/). ## Related Issue Fixes #726 ## Type of change - [ ] Bug fix (non-breaking change which fixes an issue) - [x] New feature (non-breaking change which adds functionality) - [ ] Other (security config, docs update, etc) ## Checklist before merging - [ ] Test, docs, adr added or updated as needed - [ ] [Contributor Guide](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md) followed --- .github/bundles/{ => eks}/uds-bundle.yaml | 6 +- .github/bundles/{ => eks}/uds-config.yaml | 4 +- .github/bundles/rke2/uds-bundle.yaml | 78 ++++++++++ .github/bundles/rke2/uds-config.yaml | 18 +++ .../{buckets-iac => aws/eks}/loki.tf | 2 +- .../{buckets-iac => aws/eks}/main.tf | 28 +--- .../{rds-iac/output.tf => aws/eks/outputs.tf} | 32 ++++ .../{rds-iac/main.tf => aws/eks/rds.tf} | 29 ---- .github/test-infra/aws/eks/variables.tf | 101 ++++++++++++ .../{buckets-iac => aws/eks}/velero.tf | 1 - .github/test-infra/aws/eks/versions.tf | 25 +++ .github/test-infra/aws/rke2/data.tf | 22 +++ .github/test-infra/aws/rke2/iam.tf | 121 +++++++++++++++ .github/test-infra/aws/rke2/irsa.tf | 143 +++++++++++++++++ .github/test-infra/aws/rke2/main.tf | 145 ++++++++++++++++++ .github/test-infra/aws/rke2/metallb.yaml | 14 ++ .../aws/rke2/modules/statestore/main.tf | 106 +++++++++++++ .../aws/rke2/modules/statestore/outputs.tf | 20 +++ .../aws/rke2/modules/statestore/variables.tf | 22 +++ .../aws/rke2/modules/storage/irsa/data.tf | 65 ++++++++ .../aws/rke2/modules/storage/irsa/main.tf | 29 ++++ .../aws/rke2/modules/storage/irsa/outputs.tf | 3 + .../rke2/modules/storage/irsa/variables.tf | 48 ++++++ .../aws/rke2/modules/storage/main.tf | 62 ++++++++ .../aws/rke2/modules/storage/outputs.tf | 7 + .../aws/rke2/modules/storage/variables.tf | 58 +++++++ .../aws/rke2/modules/storage/versions.tf | 12 ++ .github/test-infra/aws/rke2/outputs.tf | 51 ++++++ .../aws/rke2/scripts/get-kubeconfig.sh | 49 ++++++ .github/test-infra/aws/rke2/scripts/key_id.sh | 17 ++ .../aws/rke2/scripts/key_modulus.sh | 11 ++ .../test-infra/aws/rke2/scripts/user_data.sh | 119 ++++++++++++++ .github/test-infra/aws/rke2/storage.tf | 29 ++++ .github/test-infra/aws/rke2/terraform.tfvars | 7 + .github/test-infra/aws/rke2/variables.tf | 107 +++++++++++++ .github/test-infra/aws/rke2/versions.tf | 26 ++++ .github/test-infra/buckets-iac/output.tf | 27 ---- .github/test-infra/buckets-iac/variables.tf | 55 ------- .github/test-infra/rds-iac/variables.tf | 57 ------- .github/workflows/nightly-testing.yaml | 20 ++- .github/workflows/test-eks.yaml | 18 +-- .github/workflows/test-rke2.yaml | 102 ++++++++++++ tasks/iac.yaml | 121 ++++++++++----- 43 files changed, 1763 insertions(+), 254 deletions(-) rename .github/bundles/{ => eks}/uds-bundle.yaml (96%) rename .github/bundles/{ => eks}/uds-config.yaml (87%) create mode 100644 .github/bundles/rke2/uds-bundle.yaml create mode 100644 .github/bundles/rke2/uds-config.yaml rename .github/test-infra/{buckets-iac => aws/eks}/loki.tf (99%) rename .github/test-infra/{buckets-iac => aws/eks}/main.tf (89%) rename .github/test-infra/{rds-iac/output.tf => aws/eks/outputs.tf} (54%) rename .github/test-infra/{rds-iac/main.tf => aws/eks/rds.tf} (84%) create mode 100644 .github/test-infra/aws/eks/variables.tf rename .github/test-infra/{buckets-iac => aws/eks}/velero.tf (99%) create mode 100644 .github/test-infra/aws/eks/versions.tf create mode 100644 .github/test-infra/aws/rke2/data.tf create mode 100644 .github/test-infra/aws/rke2/iam.tf create mode 100644 .github/test-infra/aws/rke2/irsa.tf create mode 100644 .github/test-infra/aws/rke2/main.tf create mode 100644 .github/test-infra/aws/rke2/metallb.yaml create mode 100644 .github/test-infra/aws/rke2/modules/statestore/main.tf create mode 100644 .github/test-infra/aws/rke2/modules/statestore/outputs.tf create mode 100644 .github/test-infra/aws/rke2/modules/statestore/variables.tf create mode 100644 .github/test-infra/aws/rke2/modules/storage/irsa/data.tf create mode 100644 .github/test-infra/aws/rke2/modules/storage/irsa/main.tf create mode 100644 .github/test-infra/aws/rke2/modules/storage/irsa/outputs.tf create mode 100644 .github/test-infra/aws/rke2/modules/storage/irsa/variables.tf create mode 100644 .github/test-infra/aws/rke2/modules/storage/main.tf create mode 100644 .github/test-infra/aws/rke2/modules/storage/outputs.tf create mode 100644 .github/test-infra/aws/rke2/modules/storage/variables.tf create mode 100644 .github/test-infra/aws/rke2/modules/storage/versions.tf create mode 100644 .github/test-infra/aws/rke2/outputs.tf create mode 100644 .github/test-infra/aws/rke2/scripts/get-kubeconfig.sh create mode 100644 .github/test-infra/aws/rke2/scripts/key_id.sh create mode 100644 .github/test-infra/aws/rke2/scripts/key_modulus.sh create mode 100644 .github/test-infra/aws/rke2/scripts/user_data.sh create mode 100644 .github/test-infra/aws/rke2/storage.tf create mode 100644 .github/test-infra/aws/rke2/terraform.tfvars create mode 100644 .github/test-infra/aws/rke2/variables.tf create mode 100644 .github/test-infra/aws/rke2/versions.tf delete mode 100644 .github/test-infra/buckets-iac/output.tf delete mode 100644 .github/test-infra/buckets-iac/variables.tf delete mode 100644 .github/test-infra/rds-iac/variables.tf create mode 100644 .github/workflows/test-rke2.yaml diff --git a/.github/bundles/uds-bundle.yaml b/.github/bundles/eks/uds-bundle.yaml similarity index 96% rename from .github/bundles/uds-bundle.yaml rename to .github/bundles/eks/uds-bundle.yaml index 6791997c1..e094730db 100644 --- a/.github/bundles/uds-bundle.yaml +++ b/.github/bundles/eks/uds-bundle.yaml @@ -12,7 +12,7 @@ packages: ref: v0.41.0 - name: core - path: ../../build/ + path: ../../../build # x-release-please-start-version ref: 0.28.0 # x-release-please-end @@ -25,7 +25,7 @@ packages: - name: VELERO_USE_SECRET description: "Toggle use secret off to use IRSA." path: credentials.useSecret - - name: VELERO_IRSA_ANNOTATION + - name: VELERO_IRSA_ROLE_ARN description: "IRSA ARN annotation to use for Velero" path: serviceAccount.server.annotations.eks\.amazonaws\.com/role-arn loki: @@ -50,7 +50,7 @@ packages: - name: LOKI_S3_REGION description: "The S3 region" path: loki.storage.s3.region - - name: LOKI_IRSA_ANNOTATION + - name: LOKI_IRSA_ROLE_ARN description: "The irsa role annotation" path: serviceAccount.annotations.eks\.amazonaws\.com/role-arn grafana: diff --git a/.github/bundles/uds-config.yaml b/.github/bundles/eks/uds-config.yaml similarity index 87% rename from .github/bundles/uds-config.yaml rename to .github/bundles/eks/uds-config.yaml index e0874bd52..a536004a3 100644 --- a/.github/bundles/uds-config.yaml +++ b/.github/bundles/eks/uds-config.yaml @@ -8,9 +8,9 @@ variables: loki_ruler_bucket: ${ZARF_VAR_LOKI_S3_BUCKET} loki_admin_bucket: ${ZARF_VAR_LOKI_S3_BUCKET} loki_s3_region: ${ZARF_VAR_LOKI_S3_AWS_REGION} - loki_irsa_annotation: ${ZARF_VAR_LOKI_S3_ROLE_ARN} + loki_irsa_role_arn: ${ZARF_VAR_LOKI_S3_ROLE_ARN} velero_use_secret: false - velero_irsa_annotation: "${ZARF_VAR_VELERO_S3_ROLE_ARN}" + velero_irsa_role_arn: "${ZARF_VAR_VELERO_S3_ROLE_ARN}" velero_bucket: ${ZARF_VAR_VELERO_S3_BUCKET} velero_bucket_region: ${ZARF_VAR_VELERO_S3_AWS_REGION} velero_bucket_provider_url: "" diff --git a/.github/bundles/rke2/uds-bundle.yaml b/.github/bundles/rke2/uds-bundle.yaml new file mode 100644 index 000000000..ad756de0b --- /dev/null +++ b/.github/bundles/rke2/uds-bundle.yaml @@ -0,0 +1,78 @@ +kind: UDSBundle +metadata: + name: uds-core-rke2-nightly + description: A UDS bundle for deploying RKE2 and UDS Core + # x-release-please-start-version + version: "0.28.0" + # x-release-please-end + +packages: + - name: pod-identity-webhook + repository: ghcr.io/defenseunicorns/packages/uds/pod-identity-webhook + ref: 0.3.1-upstream + + - name: init + repository: ghcr.io/zarf-dev/packages/init + ref: v0.40.1 + overrides: + zarf-registry: + docker-registry: + variables: + - path: affinity.custom + name: REGISTRY_AFFINITY_CUSTOM_UDS + - path: persistence.accessMode + name: REGISTRY_PVC_ACCESS_MODE + default: ReadWriteMany + zarf-seed-registry: + docker-registry: + variables: + - path: affinity.custom + name: REGISTRY_AFFINITY_CUSTOM_UDS + - path: persistence.accessMode + name: REGISTRY_PVC_ACCESS_MODE + default: ReadWriteMany + + - name: core + path: ../../../build + # x-release-please-start-version + ref: 0.28.0 + # x-release-please-end + optionalComponents: + - metrics-server + overrides: + velero: + velero: + variables: + - name: VELERO_USE_SECRET + description: "Toggle use secret off to use IRSA." + path: credentials.useSecret + - name: VELERO_IRSA_ROLE_ARN + description: "IRSA ARN annotation to use for Velero" + path: serviceAccount.server.annotations.irsa/role-arn + loki: + loki: + values: + - path: loki.storage.s3.endpoint + value: "" + - path: loki.storage.s3.secretAccessKey + value: "" + - path: loki.storage.s3.accessKeyId + value: "" + - path: global.dnsService + value: rke2-coredns-rke2-coredns + variables: + - name: LOKI_CHUNKS_BUCKET + description: "The object storage bucket for Loki chunks" + path: loki.storage.bucketNames.chunks + - name: LOKI_RULER_BUCKET + description: "The object storage bucket for Loki ruler" + path: loki.storage.bucketNames.ruler + - name: LOKI_ADMIN_BUCKET + description: "The object storage bucket for Loki admin" + path: loki.storage.bucketNames.admin + - name: LOKI_S3_REGION + description: "The S3 region" + path: loki.storage.s3.region + - name: LOKI_IRSA_ROLE_ARN + description: "The irsa role annotation" + path: serviceAccount.annotations.irsa/role-arn diff --git a/.github/bundles/rke2/uds-config.yaml b/.github/bundles/rke2/uds-config.yaml new file mode 100644 index 000000000..6c441e11a --- /dev/null +++ b/.github/bundles/rke2/uds-config.yaml @@ -0,0 +1,18 @@ +# Overwritten by ci-iac-aws package +options: + architecture: amd64 + +variables: + core: + loki_chunks_bucket: ${ZARF_VAR_LOKI_S3_BUCKET} + loki_ruler_bucket: ${ZARF_VAR_LOKI_S3_BUCKET} + loki_admin_bucket: ${ZARF_VAR_LOKI_S3_BUCKET} + loki_s3_region: ${ZARF_VAR_LOKI_S3_AWS_REGION} + loki_irsa_role_arn: ${ZARF_VAR_LOKI_S3_ROLE_ARN} + velero_use_secret: false + velero_irsa_role_arn: "${ZARF_VAR_VELERO_S3_ROLE_ARN}" + velero_bucket: ${ZARF_VAR_VELERO_S3_BUCKET} + velero_bucket_region: ${ZARF_VAR_VELERO_S3_AWS_REGION} + velero_bucket_provider_url: "" + velero_bucket_credential_name: "" + velero_bucket_credential_key: "" diff --git a/.github/test-infra/buckets-iac/loki.tf b/.github/test-infra/aws/eks/loki.tf similarity index 99% rename from .github/test-infra/buckets-iac/loki.tf rename to .github/test-infra/aws/eks/loki.tf index 3defd0ca9..868e2782e 100644 --- a/.github/test-infra/buckets-iac/loki.tf +++ b/.github/test-infra/aws/eks/loki.tf @@ -25,4 +25,4 @@ resource "aws_iam_policy" "loki_policy" { } ] }) -} +} \ No newline at end of file diff --git a/.github/test-infra/buckets-iac/main.tf b/.github/test-infra/aws/eks/main.tf similarity index 89% rename from .github/test-infra/buckets-iac/main.tf rename to .github/test-infra/aws/eks/main.tf index 6e4094b0f..d8cd70a91 100644 --- a/.github/test-infra/buckets-iac/main.tf +++ b/.github/test-infra/aws/eks/main.tf @@ -1,29 +1,3 @@ -provider "aws" { - region = var.region - - default_tags { - tags = { - PermissionsBoundary = var.permissions_boundary_name - } - } -} - -terraform { - required_version = ">= 1.8.0" - backend "s3" { - } - required_providers { - aws = { - source = "hashicorp/aws" - version = ">= 4.0" - } - - random = { - source = "hashicorp/random" - version = "3.6.3" - } - } -} resource "random_id" "default" { byte_length = 2 @@ -127,4 +101,4 @@ resource "aws_s3_bucket_policy" "bucket_policy" { } ] }) -} +} \ No newline at end of file diff --git a/.github/test-infra/rds-iac/output.tf b/.github/test-infra/aws/eks/outputs.tf similarity index 54% rename from .github/test-infra/rds-iac/output.tf rename to .github/test-infra/aws/eks/outputs.tf index 79b969230..d51f9cb36 100644 --- a/.github/test-infra/rds-iac/output.tf +++ b/.github/test-infra/aws/eks/outputs.tf @@ -1,3 +1,31 @@ +output "aws_region" { + value = data.aws_region.current.name +} + +output "loki_irsa_role_arn" { + value = module.irsa["loki"].role_arn +} + +output "loki_s3" { + value = module.S3["loki"] +} + +output "loki_s3_bucket" { + value = module.S3["loki"].bucket_name +} + +output "velero_irsa_role_arn" { + value = module.irsa["velero"].role_arn +} + +output "velero_s3" { + value = module.S3["velero"] +} + +output "velero_s3_bucket" { + value = module.S3["velero"].bucket_name +} + output "grafana_pg_host" { description = "RDS Endpoint for Grafana" value = element(split(":", module.db.db_instance_endpoint), 0) @@ -23,3 +51,7 @@ output "grafana_pg_password" { value = random_password.db_password.result sensitive = true } + +output "grafana_ha" { + value = true +} \ No newline at end of file diff --git a/.github/test-infra/rds-iac/main.tf b/.github/test-infra/aws/eks/rds.tf similarity index 84% rename from .github/test-infra/rds-iac/main.tf rename to .github/test-infra/aws/eks/rds.tf index 8e1571e3c..9f32281c9 100644 --- a/.github/test-infra/rds-iac/main.tf +++ b/.github/test-infra/aws/eks/rds.tf @@ -1,24 +1,3 @@ -provider "aws" { - region = var.region -} - -terraform { - required_version = ">= 1.8.0" - backend "s3" { - } - required_providers { - aws = { - source = "hashicorp/aws" - version = ">= 4.0" - } - - random = { - source = "hashicorp/random" - version = "3.6.3" - } - } -} - resource "random_password" "db_password" { length = 16 special = false @@ -105,14 +84,6 @@ data "aws_subnets" "subnets" { } } -data "aws_partition" "current" {} - -data "aws_caller_identity" "current" {} - locals { vpc_id = data.aws_vpc.vpc.id } - -resource "random_id" "unique_id" { - byte_length = 4 -} diff --git a/.github/test-infra/aws/eks/variables.tf b/.github/test-infra/aws/eks/variables.tf new file mode 100644 index 000000000..b3cdf700b --- /dev/null +++ b/.github/test-infra/aws/eks/variables.tf @@ -0,0 +1,101 @@ +variable "region" { + description = "AWS region" + type = string +} + +variable "name" { + description = "Name for cluster" + type = string +} + +variable "permissions_boundary_name" { + description = "The name of the permissions boundary for IAM resources. This will be used for tagging and to build out the ARN." + type = string + default = null +} + +variable "use_permissions_boundary" { + description = "Whether to use IAM permissions boundary for resources." + type = bool + default = true +} + +variable "key_owner_arns" { + description = "ARNS of KMS key owners, needed for use of key" + type = list(string) + default = [] +} + +# taken from zarf bb repo +variable "kms_key_deletion_window" { + description = "Waiting period for scheduled KMS Key deletion. Can be 7-30 days." + type = number + default = 7 +} + +variable "bucket_configurations" { + type = map(object({ + name = string + service_account = string + namespace = string + })) + default = { + loki = { + name = "loki" + service_account = "loki" + namespace = "loki" + } + velero = { + name = "velero" + service_account = "velero-server" + namespace = "velero" + } + } +} + +variable "recovery_window" { + default = 7 + type = number +} + +variable "db_name" { + description = "The name to give the database" + type = string + default = "grafana" +} + +variable "db_port" { + description = "The database port" + type = number + default = 5432 +} + +variable "username" { + description = "The username to use to login to the DB" + type = string + default = "grafana" +} + +variable "db_engine_version" { + description = "The Postgres engine version to use for the DB" + type = string + default = "15.7" +} + +variable "db_allocated_storage" { + description = "Storage allocated to RDS instance" + type = number + default = 20 +} + +variable "db_storage_type" { + description = "The type of storage (e.g., gp2, io1)" + type = string + default = "gp2" +} + +variable "db_instance_class" { + description = "The class of RDS instance (e.g., db.t4g.large)" + type = string + default = "db.t4g.large" +} diff --git a/.github/test-infra/buckets-iac/velero.tf b/.github/test-infra/aws/eks/velero.tf similarity index 99% rename from .github/test-infra/buckets-iac/velero.tf rename to .github/test-infra/aws/eks/velero.tf index 96e6ed627..cbcb6c588 100644 --- a/.github/test-infra/buckets-iac/velero.tf +++ b/.github/test-infra/aws/eks/velero.tf @@ -56,4 +56,3 @@ resource "aws_iam_policy" "velero_policy" { ] }) } - diff --git a/.github/test-infra/aws/eks/versions.tf b/.github/test-infra/aws/eks/versions.tf new file mode 100644 index 000000000..c43fc5636 --- /dev/null +++ b/.github/test-infra/aws/eks/versions.tf @@ -0,0 +1,25 @@ +provider "aws" { + region = var.region + + default_tags { + tags = { + PermissionsBoundary = var.permissions_boundary_name + } + } +} +terraform { + required_version = ">= 1.8.0" + backend "s3" { + } + required_providers { + aws = { + source = "hashicorp/aws" + version = ">= 4.0" + } + + random = { + source = "hashicorp/random" + version = "3.6.3" + } + } +} \ No newline at end of file diff --git a/.github/test-infra/aws/rke2/data.tf b/.github/test-infra/aws/rke2/data.tf new file mode 100644 index 000000000..a4cf9e993 --- /dev/null +++ b/.github/test-infra/aws/rke2/data.tf @@ -0,0 +1,22 @@ +data "aws_vpc" "vpc" { + filter { + name = "tag:Name" + values = [var.vpc_name] + } +} + +data "aws_subnet" "rke2_ci_subnet" { + vpc_id = data.aws_vpc.vpc.id + availability_zone = "${var.region}c" + + filter { + name = "tag:Name" + values = [var.subnet_name] + } +} + +data "aws_ami" "rhel_rke2" { + most_recent = true + name_regex = "^uds-rhel-rke2-v${var.rke2_version}" + owners = ["self"] +} \ No newline at end of file diff --git a/.github/test-infra/aws/rke2/iam.tf b/.github/test-infra/aws/rke2/iam.tf new file mode 100644 index 000000000..4a78d6396 --- /dev/null +++ b/.github/test-infra/aws/rke2/iam.tf @@ -0,0 +1,121 @@ +# required iam roles for irsa +data "aws_partition" "current" {} + +data "aws_iam_policy_document" "ec2_access" { + statement { + effect = "Allow" + actions = ["sts:AssumeRole"] + principals { + identifiers = ["ec2.amazonaws.com"] + type = "Service" + } + } +} + +resource "aws_iam_role" "rke2_server" { + name = "${local.cluster_name}-server" + + assume_role_policy = data.aws_iam_policy_document.ec2_access.json + permissions_boundary = local.iam_role_permissions_boundary + + tags = { + PermissionsBoundary = var.permissions_boundary_name + } +} + +resource "aws_iam_instance_profile" "rke2_server" { + name = "${local.cluster_name}-server" + role = aws_iam_role.rke2_server.name +} + +# Permissions to get token from S3 +data "aws_iam_policy_document" "s3_token" { + statement { + effect = "Allow" + resources = ["arn:${data.aws_partition.current.partition}:s3:::${local.cluster_name}-*"] + actions = [ + "s3:GetObject", + "s3:PutObject" + ] + } +} + +# Permissions to get OIDC keys from secrets manager +data "aws_iam_policy_document" "oidc_secrets" { + statement { + effect = "Allow" + resources = [ + aws_secretsmanager_secret.public_key.arn, + aws_secretsmanager_secret.private_key.arn, + ] + actions = [ + "secretsmanager:GetSecretValue" + ] + } +} + +# Cloud controller permissions from upstream - https://github.com/rancherfederal/rke2-aws-tf/blob/d65cb1d0543264f3170d077a2a0527fd95bfd1ae/data.tf#L80 +data "aws_iam_policy_document" "aws_ccm" { + statement { + effect = "Allow" + resources = ["*"] + actions = [ + "ec2:DescribeInstances", + "ec2:DescribeSubnets", + "ec2:DescribeRouteTables", + "ec2:DescribeAvailabilityZones", + "ec2:DescribeSecurityGroups", + "ec2:CreateSecurityGroup", + "elasticloadbalancing:DescribeLoadBalancers", + "ec2:CreateTags", + "iam:CreateServiceLinkedRole", + "kms:DescribeKey", + ] + } +} + +resource "aws_iam_role_policy" "s3_token" { + name = "${local.cluster_name}-server-token" + role = aws_iam_role.rke2_server.id + policy = data.aws_iam_policy_document.s3_token.json +} + + +resource "aws_iam_role_policy" "oidc_secrets" { + name = "${local.cluster_name}-server-oidc" + role = aws_iam_role.rke2_server.id + policy = data.aws_iam_policy_document.oidc_secrets.json +} + +resource "aws_iam_role_policy" "server_ccm" { + name = "${local.cluster_name}-server-ccm" + role = aws_iam_role.rke2_server.id + policy = data.aws_iam_policy_document.aws_ccm.json +} + +module "rke2_kms_key" { + source = "github.com/defenseunicorns/terraform-aws-uds-kms?ref=v0.0.5" + + kms_key_alias_name_prefix = "rke2-${local.cluster_name}-server" + kms_key_deletion_window = 7 + kms_key_description = "RKE2 Key" + kms_key_policy_default_identities = [aws_iam_role.rke2_server.arn] +} + +resource "random_string" "ssm" { + length = 4 + special = false + upper = false + numeric = false +} + +resource "aws_secretsmanager_secret" "rke2_kms_key_arn" { + name = "rke2/${local.cluster_name}-server/kms-key-arn" + description = "Stores the ARN of the KMS key for RKE2 in the ${var.environment} environment" + recovery_window_in_days = var.recovery_window +} + +resource "aws_secretsmanager_secret_version" "rke2_kms_key_arn_value" { + secret_id = aws_secretsmanager_secret.rke2_kms_key_arn.id + secret_string = module.rke2_kms_key.kms_key_arn +} \ No newline at end of file diff --git a/.github/test-infra/aws/rke2/irsa.tf b/.github/test-infra/aws/rke2/irsa.tf new file mode 100644 index 000000000..ee13e0d9f --- /dev/null +++ b/.github/test-infra/aws/rke2/irsa.tf @@ -0,0 +1,143 @@ +# setting up irsa for the rke2 cluster +# Keypair for signing, added as secrets in AWS Secrets Manager +resource "tls_private_key" "keypair" { + algorithm = "RSA" + rsa_bits = 2048 +} + +resource "aws_secretsmanager_secret" "public_key" { + name = "${var.environment}-${random_string.ssm.result}-oidc-public-key" + description = "Public Key for OIDC/IRSA for ${var.environment}" + recovery_window_in_days = var.recovery_window +} + +resource "aws_secretsmanager_secret_version" "public_key" { + depends_on = [aws_secretsmanager_secret.public_key] + secret_id = aws_secretsmanager_secret.public_key.name + secret_string = tls_private_key.keypair.public_key_pem +} + +resource "aws_secretsmanager_secret" "private_key" { + name = "${var.environment}-${random_string.ssm.result}-oidc-private-key" + description = "Private Key for OIDC/IRSA for ${var.environment}" + recovery_window_in_days = var.recovery_window +} + +resource "aws_secretsmanager_secret_version" "private_key" { + depends_on = [aws_secretsmanager_secret.private_key] + secret_id = aws_secretsmanager_secret.private_key.name + secret_string = tls_private_key.keypair.private_key_pem +} + + +# Public bucket to host OIDC files +module "oidc_bucket" { + source = "terraform-aws-modules/s3-bucket/aws" + version = "4.1.2" + + bucket = "${var.environment}-oidc-${random_string.ssm.result}" + force_destroy = var.force_destroy + + # Allow our objects to be public + control_object_ownership = true + object_ownership = "BucketOwnerPreferred" + block_public_acls = false + block_public_policy = false + ignore_public_acls = false + restrict_public_buckets = false +} + + +# OIDC file creation +resource "local_file" "oidc_config" { + content = < { + name = "${var.cluster_name}-${instance.name}" + bucket_prefix = instance.name + service_account = instance.service_account + namespace = instance.namespace + } + } +} + +# Create KMS keys for each bucket +module "generate_kms" { + for_each = local.bucket_configurations + source = "github.com/defenseunicorns/terraform-aws-uds-kms?ref=v0.0.6" + + key_owners = var.key_owner_arns + # A list of IAM ARNs for those who will have full key permissions (`kms:*`) + kms_key_alias_name_prefix = "${each.value.name}-" # Prefix for KMS key alias. + kms_key_deletion_window = var.kms_key_deletion_window + kms_key_description = "${var.cluster_name}-${each.value.name} nightly ci s3 KMS key" # Description for the KMS key. + tags = var.tags +} + +# Create s3 buckets and encrypt using keys from generate_kms module +module "s3" { + for_each = local.bucket_configurations + source = "github.com/defenseunicorns/terraform-aws-uds-s3?ref=v0.0.6" + name_prefix = "${each.value.name}-${each.value.bucket_prefix}-" + kms_key_arn = module.generate_kms[each.key].kms_key_arn + force_destroy = "true" + create_bucket_lifecycle = true + + depends_on = [ + module.generate_kms + ] +} + +module "irsa" { + #merge the keys from module.generate_kms into `bucket_configurations` + for_each = { for k, v in local.bucket_configurations : k => merge(v, module.generate_kms[k], module.s3[k]) } + source = "./irsa" + cluster_name = var.cluster_name + name = each.value.name + environment = var.environment + resource_prefix = "${each.value.name}-" + use_permissions_boundary = var.use_permissions_boundary + permissions_boundary = var.permissions_boundary + bucket_service_account = each.value.service_account + bucket_name = each.value.bucket_name + namespace = each.value.namespace + kms_key_arn = each.value.kms_key_arn + + oidc_bucket_attributes = var.oidc_bucket_attributes + + depends_on = [ + module.s3 + ] +} \ No newline at end of file diff --git a/.github/test-infra/aws/rke2/modules/storage/outputs.tf b/.github/test-infra/aws/rke2/modules/storage/outputs.tf new file mode 100644 index 000000000..dcd9c7314 --- /dev/null +++ b/.github/test-infra/aws/rke2/modules/storage/outputs.tf @@ -0,0 +1,7 @@ +output "s3_buckets" { + value = { for k, v in module.s3 : k => v } +} + +output "irsa" { + value = { for k, v in module.irsa : k => v } +} diff --git a/.github/test-infra/aws/rke2/modules/storage/variables.tf b/.github/test-infra/aws/rke2/modules/storage/variables.tf new file mode 100644 index 000000000..0043b9231 --- /dev/null +++ b/.github/test-infra/aws/rke2/modules/storage/variables.tf @@ -0,0 +1,58 @@ +variable "cluster_name" { + description = "Name of the Kubernetes Cluster." + type = string +} + +variable "ci_bucket_configurations" { + type = map(object({ + name = string + service_account = string + namespace = string + })) +} + +variable "key_owner_arns" { + description = "ARNS of KMS key owners, needed for use of key" + type = list(string) + default = [] +} + +variable "kms_key_deletion_window" { + description = "Waiting period for scheduled KMS Key deletion. Can be 7-30 days." + type = number + default = 7 +} + +#irsa variables +variable "support_irsa" { + description = "When enabled, provisions necessary resources to support accessing the s3 bucket using IRSA." + default = true + type = bool +} + +variable "use_permissions_boundary" { + description = "Whether to use IAM permissions boundary for resources." + type = bool + default = true +} + +variable "permissions_boundary" { + description = "The ARN of the Permissions Boundary" + type = string + default = null +} + +variable "tags" { + description = "A map of tags to apply to resources." + default = {} + type = map(string) +} + +variable "environment" { + type = string +} + +variable "oidc_bucket_attributes" { + description = "All attributes of the cluster OIDC bucket" + default = {} +} \ No newline at end of file diff --git a/.github/test-infra/aws/rke2/modules/storage/versions.tf b/.github/test-infra/aws/rke2/modules/storage/versions.tf new file mode 100644 index 000000000..736bf3d75 --- /dev/null +++ b/.github/test-infra/aws/rke2/modules/storage/versions.tf @@ -0,0 +1,12 @@ +terraform { + required_providers { + aws = { + version = ">= 5.52.0" + } + random = { + version = "~> 3.6.2" + } + } + + required_version = "~> 1.8.2" +} diff --git a/.github/test-infra/aws/rke2/outputs.tf b/.github/test-infra/aws/rke2/outputs.tf new file mode 100644 index 000000000..740ec4679 --- /dev/null +++ b/.github/test-infra/aws/rke2/outputs.tf @@ -0,0 +1,51 @@ +output "aws_region" { + value = data.aws_region.current.name +} + +output "private_key" { + value = tls_private_key.control_plane_private_key.private_key_pem + description = "Generated SSH private key that can be used to connect to a cluster node." + sensitive = true +} + +output "bootstrap_ip" { + sensitive = true + value = aws_instance.rke2_ci_bootstrap_node.public_ip + description = "Public IP address of the bootstrap control plane node." +} + +output "node_user" { + sensitive = true + value = var.default_user + description = "User to use when connecting to a cluster node." +} + +output "cluster_hostname" { + sensitive = true + value = var.cluster_hostname + description = "Hostname used to connect to cluster." +} + +output "loki_s3_bucket" { + sensitive = true + value = module.storage.s3_buckets["loki"].bucket_name +} + +output "velero_s3_bucket" { + sensitive = true + value = module.storage.s3_buckets["velero"].bucket_name +} + +output "loki_irsa_role_arn" { + sensitive = true + value = module.storage.irsa["loki"].bucket_role.arn +} + +output "velero_irsa_role_arn" { + sensitive = true + value = module.storage.irsa["velero"].bucket_role.arn +} + +output "grafana_ha" { + value = false +} \ No newline at end of file diff --git a/.github/test-infra/aws/rke2/scripts/get-kubeconfig.sh b/.github/test-infra/aws/rke2/scripts/get-kubeconfig.sh new file mode 100644 index 000000000..98afca479 --- /dev/null +++ b/.github/test-infra/aws/rke2/scripts/get-kubeconfig.sh @@ -0,0 +1,49 @@ +#!/bin/bash + +# Utility script that can be called from a uds task after tofu has deployed the e2e test module + +echo "tofu version: $(tofu --version)" + +# Get required outputs from tofu +tofu output -raw private_key > key.pem +chmod 600 key.pem + +bootstrap_ip=$(tofu output -raw bootstrap_ip) +node_user=$(tofu output -raw node_user) +cluster_hostname=$(tofu output -raw cluster_hostname) + +# Try ssh up to 20 times waiting 15 seconds between tries +for i in $(seq 1 20); do + echo "Waiting on cloud-init to finish running on cluster node" + ssh -o StrictHostKeyChecking=no -i key.pem ${node_user}@${bootstrap_ip} "cloud-init status --wait" > /dev/null && break + sleep 15 +done + +# Make sure .kube directory exists +mkdir -p ~/.kube + +# Copy kubectl from cluster node +ssh -o StrictHostKeyChecking=no -i key.pem ${node_user}@${bootstrap_ip} "mkdir -p /home/${node_user}/.kube && sudo cp /etc/rancher/rke2/rke2.yaml /home/${node_user}/.kube/config && sudo chown ${node_user} /home/${node_user}/.kube/config" > /dev/null +scp -o StrictHostKeyChecking=no -i key.pem ${node_user}@${bootstrap_ip}:/home/${node_user}/.kube/config ./rke2-config > /dev/null + +# Replace the loopback address with the cluster hostname +sed -i "s/127.0.0.1/${bootstrap_ip}/g" ./rke2-config > /dev/null +export KUBECONFIG=$(pwd)/rke2-config + +# find existing host record in the host file and save the line numbers +matches_in_hosts="$(grep -n $cluster_hostname /etc/hosts | cut -f1 -d:)" +host_entry="${bootstrap_ip} ${cluster_hostname}" + +# Add or update /etc/hosts file record +if [ ! -z "$matches_in_hosts" ] +then + echo "Updating existing hosts entry." + # iterate over the line numbers on which matches were found + while read -r line_number; do + # replace the text of each line with the desired host entry + sudo sed -i "${line_number}s/.*/${host_entry} /" /etc/hosts > /dev/null + done <<< "$matches_in_hosts" +else + echo "Adding new hosts entry." + echo "$host_entry" | sudo tee -a /etc/hosts > /dev/null +fi \ No newline at end of file diff --git a/.github/test-infra/aws/rke2/scripts/key_id.sh b/.github/test-infra/aws/rke2/scripts/key_id.sh new file mode 100644 index 000000000..75d11b946 --- /dev/null +++ b/.github/test-infra/aws/rke2/scripts/key_id.sh @@ -0,0 +1,17 @@ +#!/bin/bash +set -e +PUBLIC_KEY="$1" + +key_id=$(echo "$PUBLIC_KEY" |\ + openssl rsa -pubin -inform PEM -outform der 2>/dev/null |\ + openssl dgst -sha256 -binary |\ + basenc --base64url -w 0 |\ + tr -d '=') + +# Adds a check to ensure that the key_id is not empty +if [ -z "$key_id" ]; then + echo "Error: key_id is not set, make sure you have openssl, basenc, and tr installed." >&2 + exit 1 +fi + +jq -n --arg key_id "$key_id" '{"key_id":$key_id}' \ No newline at end of file diff --git a/.github/test-infra/aws/rke2/scripts/key_modulus.sh b/.github/test-infra/aws/rke2/scripts/key_modulus.sh new file mode 100644 index 000000000..1dceab953 --- /dev/null +++ b/.github/test-infra/aws/rke2/scripts/key_modulus.sh @@ -0,0 +1,11 @@ +#!/bin/bash +PUBLIC_KEY="$1" + +modulus=$(echo "$PUBLIC_KEY" |\ + openssl rsa -pubin -noout -modulus |\ + awk -F'=' '{print $2}' |\ + xxd -r -p |\ + basenc --base64url -w 0 |\ + tr -d '=') + +jq -n --arg modulus "$modulus" '{"modulus":$modulus}' \ No newline at end of file diff --git a/.github/test-infra/aws/rke2/scripts/user_data.sh b/.github/test-infra/aws/rke2/scripts/user_data.sh new file mode 100644 index 000000000..b2ac2a1d2 --- /dev/null +++ b/.github/test-infra/aws/rke2/scripts/user_data.sh @@ -0,0 +1,119 @@ +#!/bin/bash + +info() { + echo "[INFO] " "$@" +} + +export CCM="${ccm}" +export CCM_EXTERNAL="${ccm_external}" + +############################### +### pre userdata +############################### +pre_userdata() { +info "Beginning user defined pre userdata" + +# add aws cloud controller +info "Adding AWS cloud provider manifest." +mkdir -p /var/lib/rancher/rke2/server/manifests +cat > /var/lib/rancher/rke2/server/manifests/00-aws-ccm.yaml << EOM +apiVersion: helm.cattle.io/v1 +kind: HelmChart +metadata: + name: aws-cloud-controller-manager + namespace: kube-system +spec: + chart: aws-cloud-controller-manager + repo: https://kubernetes.github.io/cloud-provider-aws + version: 0.0.8 + targetNamespace: kube-system + bootstrap: true + valuesContent: |- + nodeSelector: + node-role.kubernetes.io/control-plane: "true" + hostNetworking: true + args: + - --configure-cloud-routes=false + - --v=2 + - --cloud-provider=aws +EOM + +#longhorn helm values: https://github.com/longhorn/longhorn/tree/master/chart +cat > /var/lib/rancher/rke2/server/manifests/01-longhorn.yaml << EOM +apiVersion: helm.cattle.io/v1 +kind: HelmChart +metadata: + name: longhorn + namespace: kube-system +spec: + chart: longhorn + repo: https://charts.longhorn.io + version: 1.7.1 + targetNamespace: kube-system +EOM + +#metallb helm values: https://github.com/metallb/metallb/tree/main/charts/metallb +cat > /var/lib/rancher/rke2/server/manifests/02-metallb.yaml << EOM +apiVersion: helm.cattle.io/v1 +kind: HelmChart +metadata: + name: metallb + namespace: kube-system +spec: + chart: metallb + repo: https://metallb.github.io/metallb + version: 0.14.8 + targetNamespace: kube-system +EOM + +info "Installing awscli" +yum install -y unzip jq || apt-get -y install unzip jq +curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip" +unzip awscliv2.zip +sudo ./aws/install + +echo "Getting OIDC keypair" +sudo mkdir /irsa +sudo chown ec2-user:ec2-user /irsa +aws secretsmanager get-secret-value --secret-id ${secret_prefix}-oidc-private-key | jq -r '.SecretString' > /irsa/signer.key +aws secretsmanager get-secret-value --secret-id ${secret_prefix}-oidc-public-key | jq -r '.SecretString' > /irsa/signer.key.pub +chcon -t svirt_sandbox_file_t /irsa/* + +info "Setting up RKE2 config file" +curl -L https://github.com/mikefarah/yq/releases/download/v4.40.4/yq_linux_amd64 -o yq +chmod +x yq +./yq -i '.cloud-provider-name += "external"' /etc/rancher/rke2/config.yaml +./yq -i '.disable-cloud-controller += "true"' /etc/rancher/rke2/config.yaml +./yq -i '.kube-apiserver-arg += "service-account-key-file=/irsa/signer.key.pub"' /etc/rancher/rke2/config.yaml +./yq -i '.kube-apiserver-arg += "service-account-key-file=/irsa/signer.key.pub"' /etc/rancher/rke2/config.yaml +./yq -i '.kube-apiserver-arg += "service-account-signing-key-file=/irsa/signer.key"' /etc/rancher/rke2/config.yaml +./yq -i '.kube-apiserver-arg += "api-audiences=kubernetes.svc.default"' /etc/rancher/rke2/config.yaml +./yq -i '.kube-apiserver-arg += "service-account-issuer=https://${BUCKET_REGIONAL_DOMAIN_NAME}"' /etc/rancher/rke2/config.yaml +./yq -i '.kube-apiserver-arg += "audit-log-path=/var/log/kubernetes/audit/audit.log"' /etc/rancher/rke2/config.yaml +rm -rf ./yq + + +} + +pre_userdata + +# If no bootstrap IP is provided then start RKE2 as single node/bootstrap +if [[ "${BOOTSTRAP_IP}" == "" ]]; then + bootstrap_ip=$(ip route get $(ip route show 0.0.0.0/0 | grep -oP 'via \K\S+') | grep -oP 'src \K\S+') +else + bootstrap_ip=${BOOTSTRAP_IP} +fi + +if [[ "${CLUSTER_SANS}" ]]; then + echo "Passing SANs to RKE2 startup script: ${CLUSTER_SANS}" + public_ipv4=$(curl http://169.254.169.254/latest/meta-data/public-ipv4) + # Use array to properly handle cluster_sans containing multiple values + san_options=(-T "$${public_ipv4} ${CLUSTER_SANS}") +fi + +if [[ "${AGENT_NODE}" == "true" ]]; then + /root/rke2-startup.sh -t ${RKE2_JOIN_TOKEN} "$${san_options[@]}" -s $${bootstrap_ip} -a +else + /root/rke2-startup.sh -t ${RKE2_JOIN_TOKEN} "$${san_options[@]}" -s $${bootstrap_ip} +fi + diff --git a/.github/test-infra/aws/rke2/storage.tf b/.github/test-infra/aws/rke2/storage.tf new file mode 100644 index 000000000..79324a4d9 --- /dev/null +++ b/.github/test-infra/aws/rke2/storage.tf @@ -0,0 +1,29 @@ +####################################### +# Storage +####################################### +locals { + #define workloads that need irsa configured. this will create s3 buckets and associated iam roles and policy attachments for irsa + irsa_buckets = { + loki = { + name = "loki" + service_account = "loki" + namespace = "loki" + } + velero = { + name = "velero" + service_account = "velero-server" + namespace = "velero" + } + } +} + +module "storage" { + # this module assumes by default that you are only setting up external storage for velero and loki. modify the the irsa_buckets local above to add more. creates s3 buckets and irsa roles + source = "./modules/storage" + cluster_name = local.cluster_name + permissions_boundary = local.iam_role_permissions_boundary + use_permissions_boundary = var.use_permissions_boundary + environment = var.environment + ci_bucket_configurations = local.irsa_buckets + oidc_bucket_attributes = merge({ s3_bucket_id = module.oidc_bucket.s3_bucket_id, bucket_regional_domain_name = module.oidc_bucket.s3_bucket_bucket_regional_domain_name }) +} \ No newline at end of file diff --git a/.github/test-infra/aws/rke2/terraform.tfvars b/.github/test-infra/aws/rke2/terraform.tfvars new file mode 100644 index 000000000..53ff1f7dd --- /dev/null +++ b/.github/test-infra/aws/rke2/terraform.tfvars @@ -0,0 +1,7 @@ +default_user = "ec2-user" +ssh_key_name = "packer-rke2-rhel-key" +os_distro = "rhel" +# Need to allow in from internet for github runner to connect to node +allowed_in_cidrs = ["0.0.0.0/0"] + +rke2_version = "1.30" \ No newline at end of file diff --git a/.github/test-infra/aws/rke2/variables.tf b/.github/test-infra/aws/rke2/variables.tf new file mode 100644 index 000000000..fe820743c --- /dev/null +++ b/.github/test-infra/aws/rke2/variables.tf @@ -0,0 +1,107 @@ + +variable "environment" { + description = "Environment/account that this is deployed to" + default = "ci" +} + +variable "vpc_name" { + type = string + description = "VPC ID to deploy into" + default = "uds-ci-commercial-*" +} + +variable "subnet_name" { + type = string + description = "Name of subnet tobrew install libtool use for testing. Can use a wildcard as long as it only matches one subnet per az." + default = "uds-ci-commercial-*-public*" +} + +variable "region" { + type = string + description = "Region to use for deployment" +} + +variable "agent_instance_type" { + type = string + description = "Instance type to use for agent nodes. Defaults to c5.xlarge to match RKE2 recommended specs." + default = "m5.2xlarge" +} + +variable "control_plane_instance_type" { + type = string + description = "Instance type to use for control plane nodes. Defaults to c5.xlarge to match RKE2 recommended specs." + default = "m5.2xlarge" +} + +variable "control_plane_node_count" { + type = number + description = "How many control plane nodes to spin up. Total control plane nodes will be n+1 due to bootstrap node. For HA, there should be an odd number of control plane nodes." + default = 2 +} + +variable "agent_node_count" { + type = number + description = "How many agent nodes to spin up" + default = 1 +} + +variable "allowed_in_cidrs" { + type = list(string) + description = "Optional list of CIDRs that can connect to the cluster in addition to CIDR of VPC cluster is deployed to" + default = [] +} + +variable "cluster_hostname" { + type = string + description = "Hostname to use for connecting to cluster API. cluster.foo.bar default used by CI tests" + default = "cluster.foo.bar" +} + +variable "os_distro" { + type = string + description = "OS distribution used to distinguish test infra based on which test created it" +} + +variable "rke2_version" { + type = string + description = "RKE2 version used to distinguish test infra based on which test created it" +} + +variable "default_user" { + type = string + description = "Default user of AMI" +} + +variable "ssh_key_name" { + type = string + description = "What to name generated SSH key pair in AWS" +} + +variable "use_permissions_boundary" { + description = "Whether to use IAM permissions boundary for resources." + type = bool +} + +variable "permissions_boundary_name" { + description = "The name of the permissions boundary for IAM resources. This will be used for tagging and to build out the ARN." +} + +variable "recovery_window" { + default = 7 + type = number +} + +variable "force_destroy" { + type = bool + default = true +} + +variable "client_id_list" { + description = "Comma separated list of client IDs (audiences) for the provider" + type = list(string) + default = ["irsa"] +} + +variable "run_id" { + description = "Github Actions Run ID. Used to tag AWS resources that are created by this workspace." +} \ No newline at end of file diff --git a/.github/test-infra/aws/rke2/versions.tf b/.github/test-infra/aws/rke2/versions.tf new file mode 100644 index 000000000..14e8511cf --- /dev/null +++ b/.github/test-infra/aws/rke2/versions.tf @@ -0,0 +1,26 @@ +terraform { + backend "s3" { + } + required_providers { + aws = { + version = "~> 5.67.0" + } + random = { + version = "~> 3.6.0" + } + tls = { + version = "~> 4.0.0" + } + } + required_version = "~> 1.8.0" +} + +provider "aws" { + region = var.region + + default_tags { + tags = { + PermissionsBoundary = var.permissions_boundary_name + } + } +} \ No newline at end of file diff --git a/.github/test-infra/buckets-iac/output.tf b/.github/test-infra/buckets-iac/output.tf deleted file mode 100644 index 1228df95a..000000000 --- a/.github/test-infra/buckets-iac/output.tf +++ /dev/null @@ -1,27 +0,0 @@ -output "aws_region" { - value = data.aws_region.current.name -} - -output "loki_irsa_role_arn" { - value = module.irsa["loki"].role_arn -} - -output "loki_s3" { - value = module.S3["loki"] -} - -output "loki_s3_bucket" { - value = module.S3["loki"].bucket_name -} - -output "velero_irsa_role_arn" { - value = module.irsa["velero"].role_arn -} - -output "velero_s3" { - value = module.S3["velero"] -} - -output "velero_s3_bucket" { - value = module.S3["velero"].bucket_name -} diff --git a/.github/test-infra/buckets-iac/variables.tf b/.github/test-infra/buckets-iac/variables.tf deleted file mode 100644 index 267ac5421..000000000 --- a/.github/test-infra/buckets-iac/variables.tf +++ /dev/null @@ -1,55 +0,0 @@ -variable "region" { - description = "AWS region" - type = string -} - -variable "name" { - description = "Name for cluster" - type = string -} - -variable "permissions_boundary_name" { - description = "The name of the permissions boundary for IAM resources. This will be used for tagging and to build out the ARN." - type = string - default = null -} - -variable "use_permissions_boundary" { - description = "Whether to use IAM permissions boundary for resources." - type = bool - default = true -} - -variable "key_owner_arns" { - description = "ARNS of KMS key owners, needed for use of key" - type = list(string) - default = [] -} - -# taken from zarf bb repo -variable "kms_key_deletion_window" { - description = "Waiting period for scheduled KMS Key deletion. Can be 7-30 days." - type = number - default = 7 -} - -variable "bucket_configurations" { - type = map(object({ - name = string - service_account = string - namespace = string - })) - default = { - loki = { - name = "loki" - service_account = "loki" - namespace = "loki" - } - velero = { - name = "velero" - service_account = "velero-server" - namespace = "velero" - } - } -} - diff --git a/.github/test-infra/rds-iac/variables.tf b/.github/test-infra/rds-iac/variables.tf deleted file mode 100644 index 71124b95c..000000000 --- a/.github/test-infra/rds-iac/variables.tf +++ /dev/null @@ -1,57 +0,0 @@ -variable "region" { - description = "AWS region" - type = string -} - -variable "name" { - description = "Name for cluster" - type = string -} - -variable "recovery_window" { - description = "Number of days to retain secret before permanent deletion" - type = number - default = 30 -} - -variable "db_name" { - description = "The name to give the database" - type = string - default = "grafana" -} - -variable "db_port" { - description = "The database port" - type = number - default = 5432 -} - -variable "username" { - description = "The username to use to login to the DB" - type = string - default = "grafana" -} - -variable "db_engine_version" { - description = "The Postgres engine version to use for the DB" - type = string - default = "15.7" -} - -variable "db_allocated_storage" { - description = "Storage allocated to RDS instance" - type = number - default = 20 -} - -variable "db_storage_type" { - description = "The type of storage (e.g., gp2, io1)" - type = string - default = "gp2" -} - -variable "db_instance_class" { - description = "The class of RDS instance (e.g., db.t4g.large)" - type = string - default = "db.t4g.large" -} diff --git a/.github/workflows/nightly-testing.yaml b/.github/workflows/nightly-testing.yaml index 638e5c969..19351baf6 100644 --- a/.github/workflows/nightly-testing.yaml +++ b/.github/workflows/nightly-testing.yaml @@ -7,9 +7,11 @@ on: paths: - tasks/iac.yaml - .github/workflows/test-eks.yaml - - .github/bundles/* - - .github/test-infra/buckets-iac/* - - .github/test-infra/rds-iac/* + - .github/workflows/test-rke2.yaml + - .github/bundles/eks/* + - .github/bundles/rke2/* + - .github/test-infra/aws/eks/* + - .github/test-infra/aws/rke2/* # Abort prior jobs in the same workflow / PR concurrency: @@ -17,7 +19,7 @@ concurrency: cancel-in-progress: true jobs: - nightly-testing: + nightly-testing-eks: name: Test Core on EKS uses: ./.github/workflows/test-eks.yaml strategy: @@ -27,3 +29,13 @@ jobs: with: flavor: ${{ matrix.flavor }} secrets: inherit + nightly-testing-rke2: + name: Test Core on RKE2 + uses: ./.github/workflows/test-rke2.yaml + strategy: + matrix: + flavor: [upstream, registry1, unicorn] + fail-fast: false + with: + flavor: ${{ matrix.flavor }} + secrets: inherit diff --git a/.github/workflows/test-eks.yaml b/.github/workflows/test-eks.yaml index 5e27e3506..8e0437756 100644 --- a/.github/workflows/test-eks.yaml +++ b/.github/workflows/test-eks.yaml @@ -26,7 +26,7 @@ jobs: - name: Set ENV run: | echo "UDS_CLUSTER_NAME=uds-ci-${{ inputs.flavor }}-${SHA:0:7}" >> $GITHUB_ENV - echo "UDS_STATE_KEY="tfstate/ci/install/${SHA:0:7}-core-${{ inputs.flavor }}-aws.tfstate >> $GITHUB_ENV + echo "UDS_STATE_KEY="tfstate/ci/install/${SHA:0:7}-eks-core-${{ inputs.flavor }}-aws.tfstate >> $GITHUB_ENV echo "TF_VAR_region=${UDS_REGION}" >> $GITHUB_ENV echo "TF_VAR_name=uds-ci-${{ inputs.flavor }}-${SHA:0:7}" >> $GITHUB_ENV echo "TF_VAR_use_permissions_boundary=true" >> $GITHUB_ENV @@ -57,43 +57,43 @@ jobs: - name: Setup Tofu uses: opentofu/setup-opentofu@12f4debbf681675350b6cd1f0ff8ecfbda62027b # v1.0.4 with: - tofu_version: 1.8.1 + tofu_version: 1.8.2 tofu_wrapper: false - name: Create UDS Core Package run: ZARF_ARCHITECTURE=amd64 uds run -f tasks/create.yaml standard-package --no-progress --set FLAVOR=${{ inputs.flavor }} - name: Create Core Bundle - run: uds create .github/bundles --confirm + run: uds create .github/bundles/eks --confirm - name: Create Cluster run: uds run -f tasks/iac.yaml create-cluster --no-progress timeout-minutes: 60 - name: Create IAC - run: uds run -f tasks/iac.yaml create-iac --no-progress + run: uds run -f tasks/iac.yaml create-iac --no-progress --set K8S_DISTRO=eks timeout-minutes: 20 - name: Deploy Core Bundle env: - UDS_CONFIG: .github/bundles/uds-config.yaml - run: uds deploy .github/bundles/uds-bundle-uds-core-eks-nightly-*.tar.zst --confirm + UDS_CONFIG: .github/bundles/eks/uds-config.yaml + run: uds deploy .github/bundles/eks/uds-bundle-uds-core-eks-nightly-*.tar.zst --confirm timeout-minutes: 20 - name: Remove UDS Core if: always() - run: uds remove .github/bundles/uds-bundle-uds-core-eks-*.tar.zst --confirm + run: uds remove .github/bundles/eks/uds-bundle-uds-core-eks-*.tar.zst --confirm timeout-minutes: 10 continue-on-error: true - name: Remove IAC if: always() - run: uds run -f tasks/iac.yaml destroy-iac --no-progress + run: uds run -f tasks/iac.yaml destroy-iac --no-progress --set K8S_DISTRO=eks timeout-minutes: 10 continue-on-error: true - name: Teardown EKS cluster if: always() - run: uds run -f tasks/iac.yaml destroy-cluster --no-progress + run: uds run -f tasks/iac.yaml destroy-cluster --no-progress --set K8S_DISTRO=eks timeout-minutes: 30 continue-on-error: true diff --git a/.github/workflows/test-rke2.yaml b/.github/workflows/test-rke2.yaml new file mode 100644 index 000000000..df0017ff1 --- /dev/null +++ b/.github/workflows/test-rke2.yaml @@ -0,0 +1,102 @@ +name: Test Core On RKE2 + +on: + # triggered by nightly-testing.yaml + workflow_call: + inputs: + flavor: + required: true + type: string + +permissions: + id-token: write + contents: read + +jobs: + test-rke2-install: + runs-on: ubuntu-latest + env: + SHA: ${{ github.sha }} + UDS_REGION: us-west-2 + UDS_PERMISSIONS_BOUNDARY_ARN: ${{ secrets.PERMISSIONS_BOUNDARY_ARN }} + UDS_PERMISSIONS_BOUNDARY_NAME: ${{ secrets.PERMISSIONS_BOUNDARY_NAME }} + UDS_STATE_BUCKET_NAME: uds-aws-ci-commercial-us-west-2-5246-tfstate + UDS_STATE_DYNAMODB_TABLE_NAME: uds-aws-ci-commercial-org-us-west-2-5246-tfstate-lock + steps: + - name: Set ENV + run: | + echo "UDS_CLUSTER_NAME=uds-ci-${{ inputs.flavor }}-${SHA:0:7}" >> $GITHUB_ENV + echo "UDS_STATE_KEY="tfstate/ci/install/${SHA:0:7}-rke2-core-${{ inputs.flavor }}-aws.tfstate >> $GITHUB_ENV + echo "TF_VAR_region=${UDS_REGION}" >> $GITHUB_ENV + echo "TF_VAR_run_id=$GITHUB_RUN_ID" >> $GITHUB_ENV + echo "TF_VAR_use_permissions_boundary=true" >> $GITHUB_ENV + echo "TF_VAR_permissions_boundary_name=${UDS_PERMISSIONS_BOUNDARY_NAME}" >> $GITHUB_ENV + + - name: Checkout repository + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 + + - name: Configure AWS Credentials + uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4 + with: + role-to-assume: ${{ secrets.AWS_COMMERCIAL_ROLE_TO_ASSUME }} + role-session-name: ${{ github.job || github.event.client_payload.pull_request.head.sha || github.sha }} + aws-region: ${{ env.UDS_REGION }} + role-duration-seconds: 21600 + + - name: Environment setup + uses: ./.github/actions/setup + with: + registry1Username: ${{ secrets.IRON_BANK_ROBOT_USERNAME }} + registry1Password: ${{ secrets.IRON_BANK_ROBOT_PASSWORD }} + ghToken: ${{ secrets.GITHUB_TOKEN }} + chainguardIdentity: ${{ secrets.CHAINGUARD_IDENTITY }} + + # - name: Install eksctl + # run: uds run -f tasks/iac.yaml install-eksctl --no-progress + + - name: Setup Tofu + uses: opentofu/setup-opentofu@12f4debbf681675350b6cd1f0ff8ecfbda62027b # v1.0.4 + with: + tofu_version: 1.8.2 + tofu_wrapper: false + + - name: Create UDS Core Package + run: ZARF_ARCHITECTURE=amd64 uds run -f tasks/create.yaml standard-package --no-progress --set FLAVOR=${{ inputs.flavor }} + + - name: Create Core Bundle + run: uds create .github/bundles/rke2 --confirm + + - name: Create IAC + run: uds run -f tasks/iac.yaml create-iac --no-progress --set K8S_DISTRO=rke2 + timeout-minutes: 20 + + - name: Get Kubeconfig + run: uds run -f tasks/iac.yaml rke2-get-kubeconfig --no-progress + timeout-minutes: 20 + + - name: Wait for RKE2 Cluster + run: uds run -f tasks/iac.yaml rke2-cluster-ready --no-progress + env: + KUBECONFIG: ".github/test-infra/aws/rke2/rke2-config" + timeout-minutes: 20 + + - name: Deploy Core Bundle + env: + KUBECONFIG: ".github/test-infra/aws/rke2/rke2-config" + UDS_CONFIG: .github/bundles/rke2/uds-config.yaml + run: uds deploy .github/bundles/rke2/uds-bundle-uds-core-rke2-nightly-*.tar.zst --confirm + timeout-minutes: 60 + + - name: Remove UDS Core + if: always() + run: uds remove .github/bundles/rke2/uds-bundle-uds-core-rke2-*.tar.zst --confirm + env: + KUBECONFIG: ".github/test-infra/aws/rke2/rke2-config" + timeout-minutes: 20 + continue-on-error: true + + - name: Remove IAC + if: always() + run: uds run -f tasks/iac.yaml destroy-iac --no-progress --set K8S_DISTRO=rke2 + timeout-minutes: 10 + continue-on-error: true diff --git a/tasks/iac.yaml b/tasks/iac.yaml index 4bc5cd9db..5f4bba97c 100644 --- a/tasks/iac.yaml +++ b/tasks/iac.yaml @@ -1,5 +1,6 @@ variables: - name: CLUSTER_NAME + - name: K8S_DISTRO - name: REGION - name: PERMISSIONS_BOUNDARY_NAME - name: PERMISSIONS_BOUNDARY_ARN @@ -75,6 +76,50 @@ tasks: - cmd: eksctl create cluster -f cluster-config.yaml - cmd: eksctl utils write-kubeconfig -c ${CLUSTER_NAME} + - name: rke2-get-kubeconfig + actions: + - cmd: chmod +x ./scripts/get-kubeconfig.sh && ./scripts/get-kubeconfig.sh + dir: .github/test-infra/aws/rke2/ + + - name: rke2-nodes-ready + actions: + - cmd: sleep 30 + - wait: + cluster: + kind: nodes + condition: Ready + name: kubernetes.io/os=linux + maxTotalSeconds: 900 + + - name: rke2-cluster-ready + actions: + - task: rke2-nodes-ready + - cmd: | + export KUBECONFIG=./rke2-config + # wait for at least 3 nodes + while true; do + if [ $(uds zarf tools kubectl get nodes -o jsonpath='{range .items[*]}{.status.conditions[-1].type}={.status.conditions[-1].status}{"\n"}{end}' | egrep -i '^ready.*true' | wc -l) -lt 3 ]; then + echo "Waiting for at least 3 nodes to be ready..."; + sleep 5; + else + break + fi + done + + # wait for cluster components + while true; do + if [ $(uds zarf tools kubectl get po -A --no-headers=true | egrep -v 'Running|Completed' | wc -l) -gt 0 ]; then + echo "Waiting for cluster components to be ready..."; + sleep 5; + else + echo "Cluster is ready" + break + fi + done + uds zarf tools kubectl apply -f ./metallb.yaml + dir: .github/test-infra/aws/rke2/ + maxTotalSeconds: 600 + - name: destroy-cluster actions: - cmd: eksctl delete cluster -f cluster-config.yaml --disable-nodegroup-eviction --wait @@ -88,91 +133,89 @@ tasks: - name: destroy-iac actions: - cmd: tofu destroy -auto-approve - dir: .github/test-infra/buckets-iac - - cmd: tofu destroy -auto-approve - dir: .github/test-infra/rds-iac + dir: .github/test-infra/aws/${K8S_DISTRO} - name: apply-tofu actions: - cmd: echo ${STATE_KEY} | sed 's/\.tfstate/-buckets.tfstate/g' setVariables: - name: BUCKETS_STATE_KEY - dir: .github/test-infra/buckets-iac + dir: .github/test-infra/aws/${K8S_DISTRO} - cmd: | tofu init -force-copy \ -backend-config="bucket=${STATE_BUCKET_NAME}" \ -backend-config="key=${BUCKETS_STATE_KEY}" \ -backend-config="region=${REGION}" \ -backend-config="dynamodb_table=${STATE_DYNAMODB_TABLE_NAME}" - dir: .github/test-infra/buckets-iac + dir: .github/test-infra/aws/${K8S_DISTRO} - cmd: tofu apply -auto-approve - dir: .github/test-infra/buckets-iac - - cmd: echo ${STATE_KEY} | sed 's/\.tfstate/-rds.tfstate/g' - setVariables: - - name: RDS_STATE_KEY - dir: .github/test-infra/rds-iac - - cmd: | - tofu init -force-copy \ - -backend-config="bucket=${STATE_BUCKET_NAME}" \ - -backend-config="key=${RDS_STATE_KEY}" \ - -backend-config="region=${REGION}" \ - -backend-config="dynamodb_table=${STATE_DYNAMODB_TABLE_NAME}" - dir: .github/test-infra/rds-iac - - cmd: tofu apply -auto-approve - dir: .github/test-infra/rds-iac + dir: .github/test-infra/aws/${K8S_DISTRO} - name: tofu-outputs actions: - cmd: tofu output -raw loki_s3_bucket setVariables: - name: "LOKI_S3_BUCKET" - dir: .github/test-infra/buckets-iac + dir: .github/test-infra/aws/${K8S_DISTRO} + mute: true - cmd: tofu output -raw aws_region setVariables: - name: LOKI_S3_AWS_REGION - dir: .github/test-infra/buckets-iac + dir: .github/test-infra/aws/${K8S_DISTRO} - cmd: tofu output -raw loki_irsa_role_arn setVariables: - name: LOKI_S3_ROLE_ARN - dir: .github/test-infra/buckets-iac + dir: .github/test-infra/aws/${K8S_DISTRO} + mute: true - cmd: tofu output -raw velero_s3_bucket setVariables: - name: VELERO_S3_BUCKET - dir: .github/test-infra/buckets-iac + dir: .github/test-infra/aws/${K8S_DISTRO} + mute: true - cmd: tofu output -raw aws_region setVariables: - name: VELERO_S3_AWS_REGION - dir: .github/test-infra/buckets-iac + dir: .github/test-infra/aws/${K8S_DISTRO} - cmd: tofu output -raw velero_irsa_role_arn setVariables: - name: VELERO_S3_ROLE_ARN - dir: .github/test-infra/buckets-iac - - cmd: tofu output -raw grafana_pg_host + dir: .github/test-infra/aws/${K8S_DISTRO} + mute: true + - cmd: tofu output -raw grafana_pg_host 2>/dev/null || echo '""' setVariables: - name: GRAFANA_PG_HOST - dir: .github/test-infra/rds-iac - - cmd: tofu output -raw grafana_pg_port + dir: .github/test-infra/aws/${K8S_DISTRO} + mute: true + - cmd: tofu output -raw grafana_pg_port 2>/dev/null || echo '""' setVariables: - name: GRAFANA_PG_PORT - dir: .github/test-infra/rds-iac - - cmd: tofu output -raw grafana_pg_database + dir: .github/test-infra/aws/${K8S_DISTRO} + mute: true + - cmd: tofu output -raw grafana_pg_database 2>/dev/null || echo '""' setVariables: - name: GRAFANA_PG_DATABASE - dir: .github/test-infra/rds-iac - - cmd: tofu output -raw grafana_pg_user + dir: .github/test-infra/aws/${K8S_DISTRO} + mute: true + - cmd: tofu output -raw grafana_pg_user 2>/dev/null || echo '""' setVariables: - name: GRAFANA_PG_USER - dir: .github/test-infra/rds-iac - - cmd: tofu output -raw grafana_pg_password + dir: .github/test-infra/aws/${K8S_DISTRO} + mute: true + - cmd: tofu output -raw grafana_pg_password 2>/dev/null || echo '""' setVariables: - name: GRAFANA_PG_PASSWORD mute: true # Muted to hide sensitive password - dir: .github/test-infra/rds-iac + dir: .github/test-infra/aws/${K8S_DISTRO} + - cmd: tofu output -raw grafana_ha + setVariables: + - name: GRAFANA_HA + dir: .github/test-infra/aws/${K8S_DISTRO} - name: create-uds-config actions: + - task: tofu-outputs - cmd: | - cat < .github/bundles/uds-config.yaml + cat < .github/bundles/${K8S_DISTRO}/uds-config.yaml options: architecture: amd64 variables: @@ -181,15 +224,15 @@ tasks: loki_ruler_bucket: ${LOKI_S3_BUCKET} loki_admin_bucket: ${LOKI_S3_BUCKET} loki_s3_region: ${LOKI_S3_AWS_REGION} - loki_irsa_annotation: "${LOKI_S3_ROLE_ARN}" + loki_irsa_role_arn: ${LOKI_S3_ROLE_ARN} velero_use_secret: false - velero_irsa_annotation: "${VELERO_S3_ROLE_ARN}" + velero_irsa_role_arn: ${VELERO_S3_ROLE_ARN} velero_bucket: ${VELERO_S3_BUCKET} velero_bucket_region: ${VELERO_S3_AWS_REGION} velero_bucket_provider_url: "" velero_bucket_credential_name: "" velero_bucket_credential_key: "" - grafana_ha: true + grafana_ha: ${GRAFANA_HA} grafana_pg_host: ${GRAFANA_PG_HOST} grafana_pg_port: ${GRAFANA_PG_PORT} grafana_pg_database: ${GRAFANA_PG_DATABASE} From 67db06b72325a2f90863aadf0766b5e95c903b79 Mon Sep 17 00:00:00 2001 From: Megamind <882485+jeff-mccoy@users.noreply.github.com> Date: Wed, 9 Oct 2024 03:36:22 -0500 Subject: [PATCH 48/90] chore: update license (#878) Migrate UDS from Apache -> AGPL v3 | Commercial --- .github/actions/debug-output/action.yaml | 1 + .github/actions/lint-check/action.yaml | 1 + .github/actions/notify-lula/action.yaml | 1 + .github/actions/save-logs/action.yaml | 1 + .github/actions/setup/action.yaml | 1 + .github/bundles/eks/uds-bundle.yaml | 1 + .github/bundles/eks/uds-config.yaml | 1 + .github/bundles/rke2/uds-bundle.yaml | 1 + .github/bundles/rke2/uds-config.yaml | 1 + .github/filters.yaml | 1 + .github/test-infra/aws/rke2/metallb.yaml | 1 + .github/workflows/commitlint.yaml | 1 + .github/workflows/compliance.yaml | 1 + .github/workflows/docs-shim.yaml | 1 + .github/workflows/lint-oscal.yaml | 1 + .github/workflows/nightly-testing.yaml | 1 + .github/workflows/publish.yaml | 1 + .../workflows/pull-request-conditionals.yaml | 1 + .github/workflows/slim-dev-test.yaml | 1 + .github/workflows/snapshot-release.yaml | 1 + .github/workflows/tag-and-release.yaml | 1 + .github/workflows/test-eks.yaml | 1 + .github/workflows/test-rke2.yaml | 1 + .github/workflows/test-shim.yaml | 1 + .github/workflows/test.yaml | 1 + CODEOWNERS | 2 +- LICENSE | 201 ------ LICENSE-agpl-v3.md | 661 ++++++++++++++++++ LICENSE-commercial.md | 9 + LICENSE.md | 35 + bundles/k3d-slim-dev/uds-bundle.yaml | 1 + bundles/k3d-standard/uds-bundle.yaml | 1 + bundles/k3d-standard/uds-ha-config.yaml | 1 + compliance/oscal-assessment-results.yaml | 1 + compliance/oscal-component.yaml | 1 + packages/backup-restore/tasks.yaml | 1 + packages/backup-restore/zarf.yaml | 1 + packages/base/tasks.yaml | 1 + packages/base/zarf.yaml | 1 + packages/identity-authorization/tasks.yaml | 1 + packages/identity-authorization/zarf.yaml | 1 + packages/logging/tasks.yaml | 1 + packages/logging/zarf.yaml | 1 + packages/metrics-server/tasks.yaml | 1 + packages/metrics-server/zarf.yaml | 1 + packages/monitoring/tasks.yaml | 1 + packages/monitoring/zarf.yaml | 1 + packages/runtime-security/tasks.yaml | 1 + packages/runtime-security/zarf.yaml | 1 + packages/standard/zarf.yaml | 1 + packages/ui/tasks.yaml | 1 + packages/ui/zarf.yaml | 1 + pepr.ts | 1 + src/authservice/chart/Chart.yaml | 1 + .../chart/templates/deployment.yaml | 1 + src/authservice/chart/templates/hpa.yaml | 1 + src/authservice/chart/templates/service.yaml | 1 + .../chart/templates/uds-package.yaml | 1 + src/authservice/chart/values.yaml | 1 + src/authservice/common/zarf.yaml | 1 + src/authservice/tasks.yaml | 1 + src/authservice/values/registry1-values.yaml | 1 + src/authservice/values/unicorn-values.yaml | 1 + src/authservice/values/upstream-values.yaml | 1 + src/authservice/zarf.yaml | 1 + src/grafana/chart/Chart.yaml | 1 + src/grafana/chart/templates/datasources.yaml | 1 + .../chart/templates/secret-postgres.yaml | 1 + src/grafana/chart/templates/uds-package.yaml | 1 + src/grafana/chart/values.yaml | 1 + src/grafana/common/zarf.yaml | 1 + src/grafana/oscal-component.yaml | 1 + src/grafana/tasks.yaml | 1 + src/grafana/values/registry1-values.yaml | 1 + src/grafana/values/unicorn-values.yaml | 1 + src/grafana/values/upstream-values.yaml | 1 + src/grafana/values/values.yaml | 1 + src/grafana/zarf.yaml | 1 + src/istio/chart/Chart.yaml | 1 + src/istio/chart/templates/gateway.yaml | 1 + src/istio/chart/templates/tls-cert.yaml | 1 + src/istio/chart/values.yaml | 1 + src/istio/common/manifests/envoy-filters.yaml | 1 + .../common/manifests/peer-authentication.yaml | 1 + .../common/manifests/pepr-istio-config.yaml | 1 + src/istio/common/zarf.yaml | 1 + src/istio/oscal-component.yaml | 1 + src/istio/tasks.yaml | 1 + src/istio/values/config-admin.yaml | 1 + src/istio/values/config-passthrough.yaml | 1 + src/istio/values/config-tenant.yaml | 1 + src/istio/values/registry1-values.yaml | 1 + src/istio/values/unicorn-values.yaml | 1 + src/istio/values/upstream-values.yaml | 1 + src/istio/values/values.yaml | 1 + src/istio/zarf.yaml | 1 + src/keycloak/chart/Chart.yaml | 1 + .../chart/templates/destination-rule.yaml | 1 + src/keycloak/chart/templates/hpa.yaml | 1 + src/keycloak/chart/templates/istio-admin.yaml | 1 + .../chart/templates/istio-peer-auth.yaml | 1 + .../chart/templates/poddisruptionbudget.yaml | 1 + .../chart/templates/prometheusrule.yaml | 1 + src/keycloak/chart/templates/pvc.yaml | 1 + .../templates/secret-admin-password.yaml | 1 + .../chart/templates/secret-kc-realm.yaml | 1 + .../chart/templates/secret-postgresql.yaml | 1 + .../chart/templates/service-headless.yaml | 1 + .../chart/templates/service-http.yaml | 1 + .../chart/templates/servicemonitor.yaml | 1 + src/keycloak/chart/templates/statefulset.yaml | 1 + src/keycloak/chart/templates/uds-package.yaml | 1 + src/keycloak/chart/values.yaml | 1 + src/keycloak/common/zarf.yaml | 1 + src/keycloak/tasks.yaml | 1 + src/keycloak/values/registry1-values.yaml | 1 + src/keycloak/values/unicorn-values.yaml | 1 + src/keycloak/values/upstream-values.yaml | 1 + src/keycloak/zarf.yaml | 1 + src/kiali/tasks.yaml | 1 + src/kiali/zarf.yaml | 1 + src/loki/chart/Chart.yaml | 1 + src/loki/chart/templates/loki-dashboards.yaml | 1 + .../loki-simple-scalable.yaml | 1 + src/loki/chart/templates/service-dns.yaml | 1 + src/loki/chart/templates/uds-package.yaml | 1 + src/loki/chart/values.yaml | 1 + src/loki/common/zarf.yaml | 1 + src/loki/oscal-component.yaml | 1 + src/loki/tasks.yaml | 1 + src/loki/values/registry1-values.yaml | 1 + src/loki/values/unicorn-values.yaml | 1 + src/loki/values/upstream-values.yaml | 1 + src/loki/values/values.yaml | 1 + src/loki/zarf.yaml | 1 + src/metrics-server/chart/Chart.yaml | 1 + .../peerauthentication/metrics-api.yaml | 1 + .../chart/templates/service-monitor.yaml | 1 + .../chart/templates/uds-package.yaml | 1 + src/metrics-server/common/zarf.yaml | 1 + src/metrics-server/tasks.yaml | 1 + .../values/registry1-values.yaml | 1 + src/metrics-server/values/unicorn-values.yaml | 1 + .../values/upstream-values.yaml | 1 + src/metrics-server/values/values.yaml | 1 + src/metrics-server/zarf.yaml | 1 + src/neuvector/chart/Chart.yaml | 1 + .../chart/templates/internal-cert.yaml | 1 + .../istio/headless-controller-service.yaml | 1 + .../istio/headless-enforcer-service.yaml | 1 + .../istio/headless-scanner-service.yaml | 1 + .../chart/templates/neuvector-dashboard.yaml | 1 + .../neuvector-controller-pa.yaml | 1 + .../chart/templates/uds-exemption.yaml | 1 + .../chart/templates/uds-package.yaml | 1 + src/neuvector/chart/values.yaml | 1 + src/neuvector/common/zarf.yaml | 1 + src/neuvector/oscal-component.yaml | 1 + src/neuvector/tasks.yaml | 1 + src/neuvector/values/monitor-values.yaml | 1 + src/neuvector/values/registry1-values.yaml | 1 + .../values/unicorn-config-values.yaml | 1 + src/neuvector/values/unicorn-values.yaml | 1 + src/neuvector/values/upstream-values.yaml | 1 + src/neuvector/values/values.yaml | 1 + src/neuvector/zarf.yaml | 1 + src/pepr/config.ts | 1 + src/pepr/istio/index.ts | 1 + src/pepr/logger.ts | 2 + src/pepr/operator/common.ts | 1 + .../exemptions/exemption-store.spec.ts | 1 + .../controllers/exemptions/exemption-store.ts | 1 + .../controllers/exemptions/exemptions.spec.ts | 1 + .../controllers/exemptions/exemptions.ts | 1 + .../operator/controllers/istio/injection.ts | 1 + .../controllers/istio/istio-resources.ts | 1 + .../controllers/istio/service-entry.spec.ts | 1 + .../controllers/istio/service-entry.ts | 1 + .../controllers/istio/virtual-service.spec.ts | 1 + .../controllers/istio/virtual-service.ts | 1 + .../authservice/authorization-policy.ts | 1 + .../keycloak/authservice/authservice.spec.ts | 1 + .../keycloak/authservice/authservice.ts | 1 + .../keycloak/authservice/config.ts | 1 + .../controllers/keycloak/authservice/types.ts | 1 + .../controllers/keycloak/client-sync.spec.ts | 1 + .../controllers/keycloak/client-sync.ts | 1 + .../operator/controllers/keycloak/types.ts | 1 + .../operator/controllers/monitoring/common.ts | 1 + .../monitoring/pod-monitor.spec.ts | 1 + .../controllers/monitoring/pod-monitor.ts | 1 + .../monitoring/service-monitor.spec.ts | 1 + .../controllers/monitoring/service-monitor.ts | 1 + .../network/defaults/allow-egress-dns.ts | 1 + .../network/defaults/allow-egress-istiod.ts | 1 + .../allow-ingress-sidecar-monitoring.ts | 1 + .../network/defaults/default-deny-all.ts | 1 + .../controllers/network/generate.spec.ts | 1 + .../operator/controllers/network/generate.ts | 1 + .../network/generators/anywhere.ts | 1 + .../network/generators/cloudMetadata.ts | 1 + .../network/generators/intraNamespace.ts | 1 + .../controllers/network/generators/kubeAPI.ts | 1 + .../network/generators/remoteCidr.ts | 1 + .../operator/controllers/network/policies.ts | 1 + src/pepr/operator/controllers/utils.ts | 1 + .../crd/generated/exemption-v1alpha1.ts | 1 + .../istio/authorizationpolicy-v1beta1.ts | 1 + .../istio/requestauthentication-v1.ts | 1 + .../generated/istio/serviceentry-v1beta1.ts | 1 + .../generated/istio/virtualservice-v1beta1.ts | 1 + .../crd/generated/package-v1alpha1.ts | 1 + .../crd/generated/prometheus/podmonitor-v1.ts | 1 + .../generated/prometheus/servicemonitor-v1.ts | 1 + src/pepr/operator/crd/index.ts | 1 + src/pepr/operator/crd/migrate.ts | 1 + src/pepr/operator/crd/register.ts | 1 + .../crd/sources/exemption/v1alpha1.ts | 1 + .../sources/istio/virtualservice-v1beta1.ts | 1 + .../operator/crd/sources/package/v1alpha1.ts | 1 + .../crd/validators/exempt-validator.spec.ts | 1 + .../crd/validators/exempt-validator.ts | 1 + .../crd/validators/package-validator.spec.ts | 1 + .../crd/validators/package-validator.ts | 1 + src/pepr/operator/index.ts | 1 + src/pepr/operator/reconcilers/index.spec.ts | 1 + src/pepr/operator/reconcilers/index.ts | 1 + .../reconcilers/package-reconciler.spec.ts | 1 + .../reconcilers/package-reconciler.ts | 1 + src/pepr/policies/common.ts | 1 + src/pepr/policies/exemptions/index.spec.ts | 1 + src/pepr/policies/exemptions/index.ts | 1 + src/pepr/policies/index.ts | 1 + src/pepr/policies/network.spec.ts | 1 + src/pepr/policies/networking.ts | 1 + src/pepr/policies/security.spec.ts | 1 + src/pepr/policies/security.ts | 1 + src/pepr/policies/storage.spec.ts | 1 + src/pepr/policies/storage.ts | 1 + src/pepr/prometheus/index.ts | 1 + src/pepr/tasks.yaml | 1 + src/pepr/uds-operator-config/Chart.yaml | 1 + .../uds-operator-config/templates/secret.yaml | 1 + src/pepr/uds-operator-config/values.yaml | 1 + src/pepr/values.yaml | 1 + src/pepr/zarf.yaml | 1 + src/prometheus-stack/chart/Chart.yaml | 1 + .../chart/templates/istio-monitor.yaml | 1 + .../prometheus-operator-pa.yaml | 1 + .../templates/prometheus-pod-monitor.yaml | 1 + .../chart/templates/uds-exemption.yaml | 1 + .../chart/templates/uds-package.yaml | 1 + src/prometheus-stack/common/zarf.yaml | 1 + src/prometheus-stack/oscal-component.yaml | 1 + src/prometheus-stack/tasks.yaml | 1 + src/prometheus-stack/values/crd-values.yaml | 1 + .../values/registry1-values.yaml | 1 + .../values/unicorn-values.yaml | 1 + .../values/upstream-values.yaml | 1 + src/prometheus-stack/values/values.yaml | 1 + src/prometheus-stack/zarf.yaml | 1 + src/runtime/tasks.yaml | 1 + src/runtime/zarf.yaml | 1 + src/tempo/tasks.yaml | 1 + src/tempo/zarf.yaml | 1 + src/test/app-admin.yaml | 1 + src/test/app-authservice-tenant.yaml | 1 + src/test/app-tenant.yaml | 1 + src/test/chart/Chart.yaml | 1 + src/test/chart/templates/exemption1.yaml | 1 + src/test/chart/templates/exemption2.yaml | 1 + src/test/chart/templates/exemption3.yaml | 1 + src/test/chart/templates/exemption4.yaml | 1 + src/test/chart/templates/exemption5.yaml | 1 + src/test/chart/templates/package.yaml | 1 + src/test/podinfo-values.yaml | 1 + src/test/tasks.yaml | 1 + src/test/zarf.yaml | 1 + src/vector/chart/Chart.yaml | 1 + src/vector/chart/templates/uds-exemption.yaml | 1 + src/vector/chart/templates/uds-package.yaml | 1 + src/vector/chart/values.yaml | 1 + src/vector/common/zarf.yaml | 1 + src/vector/oscal-component.yaml | 1 + src/vector/tasks.yaml | 1 + src/vector/values/registry1-values.yaml | 1 + src/vector/values/unicorn-values.yaml | 1 + src/vector/values/upstream-values.yaml | 1 + src/vector/values/values.yaml | 1 + src/vector/zarf.yaml | 1 + src/velero/chart/Chart.yaml | 1 + src/velero/chart/templates/uds-package.yaml | 1 + src/velero/chart/values.yaml | 1 + src/velero/common/zarf.yaml | 1 + src/velero/oscal-component.yaml | 1 + src/velero/tasks.yaml | 1 + src/velero/values/registry1-values.yaml | 1 + src/velero/values/unicorn-values.yaml | 1 + src/velero/values/upstream-values.yaml | 1 + src/velero/values/values.yaml | 1 + src/velero/zarf.yaml | 1 + tasks.yaml | 1 + tasks/create.yaml | 2 + tasks/deploy.yaml | 2 + tasks/iac.yaml | 2 + tasks/lint.yaml | 2 + tasks/publish.yaml | 2 + tasks/setup.yaml | 2 + tasks/test.yaml | 2 + tasks/utils.yaml | 1 + zarf-config.yaml | 1 + 311 files changed, 1020 insertions(+), 202 deletions(-) delete mode 100644 LICENSE create mode 100644 LICENSE-agpl-v3.md create mode 100644 LICENSE-commercial.md create mode 100644 LICENSE.md diff --git a/.github/actions/debug-output/action.yaml b/.github/actions/debug-output/action.yaml index 106319e4a..8e9d2a139 100644 --- a/.github/actions/debug-output/action.yaml +++ b/.github/actions/debug-output/action.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial name: debug-output description: "Print out basic debug info for a k8s cluster" diff --git a/.github/actions/lint-check/action.yaml b/.github/actions/lint-check/action.yaml index 4b93f9a7d..78032c587 100644 --- a/.github/actions/lint-check/action.yaml +++ b/.github/actions/lint-check/action.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial name: lint-check description: "Check Project for Linting Errors" diff --git a/.github/actions/notify-lula/action.yaml b/.github/actions/notify-lula/action.yaml index c3e978a0d..4f03aeca0 100644 --- a/.github/actions/notify-lula/action.yaml +++ b/.github/actions/notify-lula/action.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial name: Notify Lula description: "Comment on PR to notify Lula Team" diff --git a/.github/actions/save-logs/action.yaml b/.github/actions/save-logs/action.yaml index fe5082c73..3bbafd969 100644 --- a/.github/actions/save-logs/action.yaml +++ b/.github/actions/save-logs/action.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial name: save-logs description: "Save debug logs" diff --git a/.github/actions/setup/action.yaml b/.github/actions/setup/action.yaml index b20c871dc..5487f041a 100644 --- a/.github/actions/setup/action.yaml +++ b/.github/actions/setup/action.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial # action.yml name: "Setup Environment" description: "UDS Environment Setup" diff --git a/.github/bundles/eks/uds-bundle.yaml b/.github/bundles/eks/uds-bundle.yaml index e094730db..fdba702e6 100644 --- a/.github/bundles/eks/uds-bundle.yaml +++ b/.github/bundles/eks/uds-bundle.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial kind: UDSBundle metadata: name: uds-core-eks-nightly diff --git a/.github/bundles/eks/uds-config.yaml b/.github/bundles/eks/uds-config.yaml index a536004a3..6bd92d121 100644 --- a/.github/bundles/eks/uds-config.yaml +++ b/.github/bundles/eks/uds-config.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial # Overwritten by ci-iac-aws package options: architecture: amd64 diff --git a/.github/bundles/rke2/uds-bundle.yaml b/.github/bundles/rke2/uds-bundle.yaml index ad756de0b..68dc1cf36 100644 --- a/.github/bundles/rke2/uds-bundle.yaml +++ b/.github/bundles/rke2/uds-bundle.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial kind: UDSBundle metadata: name: uds-core-rke2-nightly diff --git a/.github/bundles/rke2/uds-config.yaml b/.github/bundles/rke2/uds-config.yaml index 6c441e11a..a6033d74b 100644 --- a/.github/bundles/rke2/uds-config.yaml +++ b/.github/bundles/rke2/uds-config.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial # Overwritten by ci-iac-aws package options: architecture: amd64 diff --git a/.github/filters.yaml b/.github/filters.yaml index 81bb4c1a3..2cf69300e 100644 --- a/.github/filters.yaml +++ b/.github/filters.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial all: - "**" diff --git a/.github/test-infra/aws/rke2/metallb.yaml b/.github/test-infra/aws/rke2/metallb.yaml index 1bff8cb10..4f8146f95 100644 --- a/.github/test-infra/aws/rke2/metallb.yaml +++ b/.github/test-infra/aws/rke2/metallb.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial apiVersion: metallb.io/v1beta1 kind: IPAddressPool metadata: diff --git a/.github/workflows/commitlint.yaml b/.github/workflows/commitlint.yaml index ea2b3e997..1870d9deb 100644 --- a/.github/workflows/commitlint.yaml +++ b/.github/workflows/commitlint.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial name: Metadata on: diff --git a/.github/workflows/compliance.yaml b/.github/workflows/compliance.yaml index 7cabf9fb6..7d99ef57c 100644 --- a/.github/workflows/compliance.yaml +++ b/.github/workflows/compliance.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial name: Compliance Evaluation on: diff --git a/.github/workflows/docs-shim.yaml b/.github/workflows/docs-shim.yaml index dad948bcd..1425ec9ad 100644 --- a/.github/workflows/docs-shim.yaml +++ b/.github/workflows/docs-shim.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial name: CI Docs on: diff --git a/.github/workflows/lint-oscal.yaml b/.github/workflows/lint-oscal.yaml index 8267b2ca8..22c6c3e86 100644 --- a/.github/workflows/lint-oscal.yaml +++ b/.github/workflows/lint-oscal.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial name: Lint OSCAL Files on: diff --git a/.github/workflows/nightly-testing.yaml b/.github/workflows/nightly-testing.yaml index 19351baf6..21e3ad058 100644 --- a/.github/workflows/nightly-testing.yaml +++ b/.github/workflows/nightly-testing.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial name: Nightly Testing on: diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml index 0a4b7a6f9..bf1eefd43 100644 --- a/.github/workflows/publish.yaml +++ b/.github/workflows/publish.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial name: Publish UDS Core on: diff --git a/.github/workflows/pull-request-conditionals.yaml b/.github/workflows/pull-request-conditionals.yaml index 59a160d55..2b8644534 100644 --- a/.github/workflows/pull-request-conditionals.yaml +++ b/.github/workflows/pull-request-conditionals.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial name: Filter # This workflow is triggered on pull requests diff --git a/.github/workflows/slim-dev-test.yaml b/.github/workflows/slim-dev-test.yaml index ce76ed767..c61cae6f4 100644 --- a/.github/workflows/slim-dev-test.yaml +++ b/.github/workflows/slim-dev-test.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial name: Slim Dev # This workflow is triggered on pull requests diff --git a/.github/workflows/snapshot-release.yaml b/.github/workflows/snapshot-release.yaml index 621e38a5e..a622a90f8 100644 --- a/.github/workflows/snapshot-release.yaml +++ b/.github/workflows/snapshot-release.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial name: Release UDS Core Snapshot on: diff --git a/.github/workflows/tag-and-release.yaml b/.github/workflows/tag-and-release.yaml index b601a46d9..ef6007c02 100644 --- a/.github/workflows/tag-and-release.yaml +++ b/.github/workflows/tag-and-release.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial name: Release UDS Core on: diff --git a/.github/workflows/test-eks.yaml b/.github/workflows/test-eks.yaml index 8e0437756..d76bd0292 100644 --- a/.github/workflows/test-eks.yaml +++ b/.github/workflows/test-eks.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial name: Test Core On EKS on: diff --git a/.github/workflows/test-rke2.yaml b/.github/workflows/test-rke2.yaml index df0017ff1..7120d8347 100644 --- a/.github/workflows/test-rke2.yaml +++ b/.github/workflows/test-rke2.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial name: Test Core On RKE2 on: diff --git a/.github/workflows/test-shim.yaml b/.github/workflows/test-shim.yaml index 2b443233d..9eee95cdb 100644 --- a/.github/workflows/test-shim.yaml +++ b/.github/workflows/test-shim.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial name: Test Shim on: diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index 3425f16fc..72ac961eb 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial name: Test packages on: diff --git a/CODEOWNERS b/CODEOWNERS index 573eee029..8dbdd4693 100644 --- a/CODEOWNERS +++ b/CODEOWNERS @@ -2,4 +2,4 @@ # Additional privileged files /CODEOWNERS @jeff-mccoy @daveworth -/LICENSE @jeff-mccoy @daveworth +/LICENSE* @jeff-mccoy @daveworth diff --git a/LICENSE b/LICENSE deleted file mode 100644 index 261eeb9e9..000000000 --- a/LICENSE +++ /dev/null @@ -1,201 +0,0 @@ - Apache License - Version 2.0, January 2004 - http://www.apache.org/licenses/ - - TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION - - 1. Definitions. - - "License" shall mean the terms and conditions for use, reproduction, - and distribution as defined by Sections 1 through 9 of this document. - - "Licensor" shall mean the copyright owner or entity authorized by - the copyright owner that is granting the License. - - "Legal Entity" shall mean the union of the acting entity and all - other entities that control, are controlled by, or are under common - control with that entity. For the purposes of this definition, - "control" means (i) the power, direct or indirect, to cause the - direction or management of such entity, whether by contract or - otherwise, or (ii) ownership of fifty percent (50%) or more of the - outstanding shares, or (iii) beneficial ownership of such entity. - - "You" (or "Your") shall mean an individual or Legal Entity - exercising permissions granted by this License. - - "Source" form shall mean the preferred form for making modifications, - including but not limited to software source code, documentation - source, and configuration files. - - "Object" form shall mean any form resulting from mechanical - transformation or translation of a Source form, including but - not limited to compiled object code, generated documentation, - and conversions to other media types. - - "Work" shall mean the work of authorship, whether in Source or - Object form, made available under the License, as indicated by a - copyright notice that is included in or attached to the work - (an example is provided in the Appendix below). - - "Derivative Works" shall mean any work, whether in Source or Object - form, that is based on (or derived from) the Work and for which the - editorial revisions, annotations, elaborations, or other modifications - represent, as a whole, an original work of authorship. For the purposes - of this License, Derivative Works shall not include works that remain - separable from, or merely link (or bind by name) to the interfaces of, - the Work and Derivative Works thereof. - - "Contribution" shall mean any work of authorship, including - the original version of the Work and any modifications or additions - to that Work or Derivative Works thereof, that is intentionally - submitted to Licensor for inclusion in the Work by the copyright owner - or by an individual or Legal Entity authorized to submit on behalf of - the copyright owner. For the purposes of this definition, "submitted" - means any form of electronic, verbal, or written communication sent - to the Licensor or its representatives, including but not limited to - communication on electronic mailing lists, source code control systems, - and issue tracking systems that are managed by, or on behalf of, the - Licensor for the purpose of discussing and improving the Work, but - excluding communication that is conspicuously marked or otherwise - designated in writing by the copyright owner as "Not a Contribution." - - "Contributor" shall mean Licensor and any individual or Legal Entity - on behalf of whom a Contribution has been received by Licensor and - subsequently incorporated within the Work. - - 2. Grant of Copyright License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - copyright license to reproduce, prepare Derivative Works of, - publicly display, publicly perform, sublicense, and distribute the - Work and such Derivative Works in Source or Object form. - - 3. Grant of Patent License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - (except as stated in this section) patent license to make, have made, - use, offer to sell, sell, import, and otherwise transfer the Work, - where such license applies only to those patent claims licensable - by such Contributor that are necessarily infringed by their - Contribution(s) alone or by combination of their Contribution(s) - with the Work to which such Contribution(s) was submitted. If You - institute patent litigation against any entity (including a - cross-claim or counterclaim in a lawsuit) alleging that the Work - or a Contribution incorporated within the Work constitutes direct - or contributory patent infringement, then any patent licenses - granted to You under this License for that Work shall terminate - as of the date such litigation is filed. - - 4. Redistribution. You may reproduce and distribute copies of the - Work or Derivative Works thereof in any medium, with or without - modifications, and in Source or Object form, provided that You - meet the following conditions: - - (a) You must give any other recipients of the Work or - Derivative Works a copy of this License; and - - (b) You must cause any modified files to carry prominent notices - stating that You changed the files; and - - (c) You must retain, in the Source form of any Derivative Works - that You distribute, all copyright, patent, trademark, and - attribution notices from the Source form of the Work, - excluding those notices that do not pertain to any part of - the Derivative Works; and - - (d) If the Work includes a "NOTICE" text file as part of its - distribution, then any Derivative Works that You distribute must - include a readable copy of the attribution notices contained - within such NOTICE file, excluding those notices that do not - pertain to any part of the Derivative Works, in at least one - of the following places: within a NOTICE text file distributed - as part of the Derivative Works; within the Source form or - documentation, if provided along with the Derivative Works; or, - within a display generated by the Derivative Works, if and - wherever such third-party notices normally appear. The contents - of the NOTICE file are for informational purposes only and - do not modify the License. You may add Your own attribution - notices within Derivative Works that You distribute, alongside - or as an addendum to the NOTICE text from the Work, provided - that such additional attribution notices cannot be construed - as modifying the License. - - You may add Your own copyright statement to Your modifications and - may provide additional or different license terms and conditions - for use, reproduction, or distribution of Your modifications, or - for any such Derivative Works as a whole, provided Your use, - reproduction, and distribution of the Work otherwise complies with - the conditions stated in this License. - - 5. Submission of Contributions. Unless You explicitly state otherwise, - any Contribution intentionally submitted for inclusion in the Work - by You to the Licensor shall be under the terms and conditions of - this License, without any additional terms or conditions. - Notwithstanding the above, nothing herein shall supersede or modify - the terms of any separate license agreement you may have executed - with Licensor regarding such Contributions. - - 6. Trademarks. This License does not grant permission to use the trade - names, trademarks, service marks, or product names of the Licensor, - except as required for reasonable and customary use in describing the - origin of the Work and reproducing the content of the NOTICE file. - - 7. Disclaimer of Warranty. Unless required by applicable law or - agreed to in writing, Licensor provides the Work (and each - Contributor provides its Contributions) on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - implied, including, without limitation, any warranties or conditions - of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A - PARTICULAR PURPOSE. You are solely responsible for determining the - appropriateness of using or redistributing the Work and assume any - risks associated with Your exercise of permissions under this License. - - 8. Limitation of Liability. In no event and under no legal theory, - whether in tort (including negligence), contract, or otherwise, - unless required by applicable law (such as deliberate and grossly - negligent acts) or agreed to in writing, shall any Contributor be - liable to You for damages, including any direct, indirect, special, - incidental, or consequential damages of any character arising as a - result of this License or out of the use or inability to use the - Work (including but not limited to damages for loss of goodwill, - work stoppage, computer failure or malfunction, or any and all - other commercial damages or losses), even if such Contributor - has been advised of the possibility of such damages. - - 9. Accepting Warranty or Additional Liability. While redistributing - the Work or Derivative Works thereof, You may choose to offer, - and charge a fee for, acceptance of support, warranty, indemnity, - or other liability obligations and/or rights consistent with this - License. However, in accepting such obligations, You may act only - on Your own behalf and on Your sole responsibility, not on behalf - of any other Contributor, and only if You agree to indemnify, - defend, and hold each Contributor harmless for any liability - incurred by, or claims asserted against, such Contributor by reason - of your accepting any such warranty or additional liability. - - END OF TERMS AND CONDITIONS - - APPENDIX: How to apply the Apache License to your work. - - To apply the Apache License to your work, attach the following - boilerplate notice, with the fields enclosed by brackets "[]" - replaced with your own identifying information. (Don't include - the brackets!) The text should be enclosed in the appropriate - comment syntax for the file format. We also recommend that a - file or class name and description of purpose be included on the - same "printed page" as the copyright notice for easier - identification within third-party archives. - - Copyright [yyyy] [name of copyright owner] - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. diff --git a/LICENSE-agpl-v3.md b/LICENSE-agpl-v3.md new file mode 100644 index 000000000..0ad25db4b --- /dev/null +++ b/LICENSE-agpl-v3.md @@ -0,0 +1,661 @@ + GNU AFFERO GENERAL PUBLIC LICENSE + Version 3, 19 November 2007 + + Copyright (C) 2007 Free Software Foundation, Inc. + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + Preamble + + The GNU Affero General Public License is a free, copyleft license for +software and other kinds of works, specifically designed to ensure +cooperation with the community in the case of network server software. + + The licenses for most software and other practical works are designed +to take away your freedom to share and change the works. By contrast, +our General Public Licenses are intended to guarantee your freedom to +share and change all versions of a program--to make sure it remains free +software for all its users. + + When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +them if you wish), that you receive source code or can get it if you +want it, that you can change the software or use pieces of it in new +free programs, and that you know you can do these things. + + Developers that use our General Public Licenses protect your rights +with two steps: (1) assert copyright on the software, and (2) offer +you this License which gives you legal permission to copy, distribute +and/or modify the software. + + A secondary benefit of defending all users' freedom is that +improvements made in alternate versions of the program, if they +receive widespread use, become available for other developers to +incorporate. Many developers of free software are heartened and +encouraged by the resulting cooperation. However, in the case of +software used on network servers, this result may fail to come about. +The GNU General Public License permits making a modified version and +letting the public access it on a server without ever releasing its +source code to the public. + + The GNU Affero General Public License is designed specifically to +ensure that, in such cases, the modified source code becomes available +to the community. It requires the operator of a network server to +provide the source code of the modified version running there to the +users of that server. Therefore, public use of a modified version, on +a publicly accessible server, gives the public access to the source +code of the modified version. + + An older license, called the Affero General Public License and +published by Affero, was designed to accomplish similar goals. This is +a different license, not a version of the Affero GPL, but Affero has +released a new version of the Affero GPL which permits relicensing under +this license. + + The precise terms and conditions for copying, distribution and +modification follow. + + TERMS AND CONDITIONS + + 0. Definitions. + + "This License" refers to version 3 of the GNU Affero General Public License. + + "Copyright" also means copyright-like laws that apply to other kinds of +works, such as semiconductor masks. + + "The Program" refers to any copyrightable work licensed under this +License. Each licensee is addressed as "you". "Licensees" and +"recipients" may be individuals or organizations. + + To "modify" a work means to copy from or adapt all or part of the work +in a fashion requiring copyright permission, other than the making of an +exact copy. The resulting work is called a "modified version" of the +earlier work or a work "based on" the earlier work. + + A "covered work" means either the unmodified Program or a work based +on the Program. + + To "propagate" a work means to do anything with it that, without +permission, would make you directly or secondarily liable for +infringement under applicable copyright law, except executing it on a +computer or modifying a private copy. Propagation includes copying, +distribution (with or without modification), making available to the +public, and in some countries other activities as well. + + To "convey" a work means any kind of propagation that enables other +parties to make or receive copies. Mere interaction with a user through +a computer network, with no transfer of a copy, is not conveying. + + An interactive user interface displays "Appropriate Legal Notices" +to the extent that it includes a convenient and prominently visible +feature that (1) displays an appropriate copyright notice, and (2) +tells the user that there is no warranty for the work (except to the +extent that warranties are provided), that licensees may convey the +work under this License, and how to view a copy of this License. If +the interface presents a list of user commands or options, such as a +menu, a prominent item in the list meets this criterion. + + 1. Source Code. + + The "source code" for a work means the preferred form of the work +for making modifications to it. "Object code" means any non-source +form of a work. + + A "Standard Interface" means an interface that either is an official +standard defined by a recognized standards body, or, in the case of +interfaces specified for a particular programming language, one that +is widely used among developers working in that language. + + The "System Libraries" of an executable work include anything, other +than the work as a whole, that (a) is included in the normal form of +packaging a Major Component, but which is not part of that Major +Component, and (b) serves only to enable use of the work with that +Major Component, or to implement a Standard Interface for which an +implementation is available to the public in source code form. A +"Major Component", in this context, means a major essential component +(kernel, window system, and so on) of the specific operating system +(if any) on which the executable work runs, or a compiler used to +produce the work, or an object code interpreter used to run it. + + The "Corresponding Source" for a work in object code form means all +the source code needed to generate, install, and (for an executable +work) run the object code and to modify the work, including scripts to +control those activities. However, it does not include the work's +System Libraries, or general-purpose tools or generally available free +programs which are used unmodified in performing those activities but +which are not part of the work. For example, Corresponding Source +includes interface definition files associated with source files for +the work, and the source code for shared libraries and dynamically +linked subprograms that the work is specifically designed to require, +such as by intimate data communication or control flow between those +subprograms and other parts of the work. + + The Corresponding Source need not include anything that users +can regenerate automatically from other parts of the Corresponding +Source. + + The Corresponding Source for a work in source code form is that +same work. + + 2. Basic Permissions. + + All rights granted under this License are granted for the term of +copyright on the Program, and are irrevocable provided the stated +conditions are met. This License explicitly affirms your unlimited +permission to run the unmodified Program. The output from running a +covered work is covered by this License only if the output, given its +content, constitutes a covered work. This License acknowledges your +rights of fair use or other equivalent, as provided by copyright law. + + You may make, run and propagate covered works that you do not +convey, without conditions so long as your license otherwise remains +in force. You may convey covered works to others for the sole purpose +of having them make modifications exclusively for you, or provide you +with facilities for running those works, provided that you comply with +the terms of this License in conveying all material for which you do +not control copyright. Those thus making or running the covered works +for you must do so exclusively on your behalf, under your direction +and control, on terms that prohibit them from making any copies of +your copyrighted material outside their relationship with you. + + Conveying under any other circumstances is permitted solely under +the conditions stated below. Sublicensing is not allowed; section 10 +makes it unnecessary. + + 3. Protecting Users' Legal Rights From Anti-Circumvention Law. + + No covered work shall be deemed part of an effective technological +measure under any applicable law fulfilling obligations under article +11 of the WIPO copyright treaty adopted on 20 December 1996, or +similar laws prohibiting or restricting circumvention of such +measures. + + When you convey a covered work, you waive any legal power to forbid +circumvention of technological measures to the extent such circumvention +is effected by exercising rights under this License with respect to +the covered work, and you disclaim any intention to limit operation or +modification of the work as a means of enforcing, against the work's +users, your or third parties' legal rights to forbid circumvention of +technological measures. + + 4. Conveying Verbatim Copies. + + You may convey verbatim copies of the Program's source code as you +receive it, in any medium, provided that you conspicuously and +appropriately publish on each copy an appropriate copyright notice; +keep intact all notices stating that this License and any +non-permissive terms added in accord with section 7 apply to the code; +keep intact all notices of the absence of any warranty; and give all +recipients a copy of this License along with the Program. + + You may charge any price or no price for each copy that you convey, +and you may offer support or warranty protection for a fee. + + 5. Conveying Modified Source Versions. + + You may convey a work based on the Program, or the modifications to +produce it from the Program, in the form of source code under the +terms of section 4, provided that you also meet all of these conditions: + + a) The work must carry prominent notices stating that you modified + it, and giving a relevant date. + + b) The work must carry prominent notices stating that it is + released under this License and any conditions added under section + 7. This requirement modifies the requirement in section 4 to + "keep intact all notices". + + c) You must license the entire work, as a whole, under this + License to anyone who comes into possession of a copy. This + License will therefore apply, along with any applicable section 7 + additional terms, to the whole of the work, and all its parts, + regardless of how they are packaged. This License gives no + permission to license the work in any other way, but it does not + invalidate such permission if you have separately received it. + + d) If the work has interactive user interfaces, each must display + Appropriate Legal Notices; however, if the Program has interactive + interfaces that do not display Appropriate Legal Notices, your + work need not make them do so. + + A compilation of a covered work with other separate and independent +works, which are not by their nature extensions of the covered work, +and which are not combined with it such as to form a larger program, +in or on a volume of a storage or distribution medium, is called an +"aggregate" if the compilation and its resulting copyright are not +used to limit the access or legal rights of the compilation's users +beyond what the individual works permit. Inclusion of a covered work +in an aggregate does not cause this License to apply to the other +parts of the aggregate. + + 6. Conveying Non-Source Forms. + + You may convey a covered work in object code form under the terms +of sections 4 and 5, provided that you also convey the +machine-readable Corresponding Source under the terms of this License, +in one of these ways: + + a) Convey the object code in, or embodied in, a physical product + (including a physical distribution medium), accompanied by the + Corresponding Source fixed on a durable physical medium + customarily used for software interchange. + + b) Convey the object code in, or embodied in, a physical product + (including a physical distribution medium), accompanied by a + written offer, valid for at least three years and valid for as + long as you offer spare parts or customer support for that product + model, to give anyone who possesses the object code either (1) a + copy of the Corresponding Source for all the software in the + product that is covered by this License, on a durable physical + medium customarily used for software interchange, for a price no + more than your reasonable cost of physically performing this + conveying of source, or (2) access to copy the + Corresponding Source from a network server at no charge. + + c) Convey individual copies of the object code with a copy of the + written offer to provide the Corresponding Source. This + alternative is allowed only occasionally and noncommercially, and + only if you received the object code with such an offer, in accord + with subsection 6b. + + d) Convey the object code by offering access from a designated + place (gratis or for a charge), and offer equivalent access to the + Corresponding Source in the same way through the same place at no + further charge. You need not require recipients to copy the + Corresponding Source along with the object code. If the place to + copy the object code is a network server, the Corresponding Source + may be on a different server (operated by you or a third party) + that supports equivalent copying facilities, provided you maintain + clear directions next to the object code saying where to find the + Corresponding Source. Regardless of what server hosts the + Corresponding Source, you remain obligated to ensure that it is + available for as long as needed to satisfy these requirements. + + e) Convey the object code using peer-to-peer transmission, provided + you inform other peers where the object code and Corresponding + Source of the work are being offered to the general public at no + charge under subsection 6d. + + A separable portion of the object code, whose source code is excluded +from the Corresponding Source as a System Library, need not be +included in conveying the object code work. + + A "User Product" is either (1) a "consumer product", which means any +tangible personal property which is normally used for personal, family, +or household purposes, or (2) anything designed or sold for incorporation +into a dwelling. In determining whether a product is a consumer product, +doubtful cases shall be resolved in favor of coverage. For a particular +product received by a particular user, "normally used" refers to a +typical or common use of that class of product, regardless of the status +of the particular user or of the way in which the particular user +actually uses, or expects or is expected to use, the product. A product +is a consumer product regardless of whether the product has substantial +commercial, industrial or non-consumer uses, unless such uses represent +the only significant mode of use of the product. + + "Installation Information" for a User Product means any methods, +procedures, authorization keys, or other information required to install +and execute modified versions of a covered work in that User Product from +a modified version of its Corresponding Source. The information must +suffice to ensure that the continued functioning of the modified object +code is in no case prevented or interfered with solely because +modification has been made. + + If you convey an object code work under this section in, or with, or +specifically for use in, a User Product, and the conveying occurs as +part of a transaction in which the right of possession and use of the +User Product is transferred to the recipient in perpetuity or for a +fixed term (regardless of how the transaction is characterized), the +Corresponding Source conveyed under this section must be accompanied +by the Installation Information. But this requirement does not apply +if neither you nor any third party retains the ability to install +modified object code on the User Product (for example, the work has +been installed in ROM). + + The requirement to provide Installation Information does not include a +requirement to continue to provide support service, warranty, or updates +for a work that has been modified or installed by the recipient, or for +the User Product in which it has been modified or installed. Access to a +network may be denied when the modification itself materially and +adversely affects the operation of the network or violates the rules and +protocols for communication across the network. + + Corresponding Source conveyed, and Installation Information provided, +in accord with this section must be in a format that is publicly +documented (and with an implementation available to the public in +source code form), and must require no special password or key for +unpacking, reading or copying. + + 7. Additional Terms. + + "Additional permissions" are terms that supplement the terms of this +License by making exceptions from one or more of its conditions. +Additional permissions that are applicable to the entire Program shall +be treated as though they were included in this License, to the extent +that they are valid under applicable law. If additional permissions +apply only to part of the Program, that part may be used separately +under those permissions, but the entire Program remains governed by +this License without regard to the additional permissions. + + When you convey a copy of a covered work, you may at your option +remove any additional permissions from that copy, or from any part of +it. (Additional permissions may be written to require their own +removal in certain cases when you modify the work.) You may place +additional permissions on material, added by you to a covered work, +for which you have or can give appropriate copyright permission. + + Notwithstanding any other provision of this License, for material you +add to a covered work, you may (if authorized by the copyright holders of +that material) supplement the terms of this License with terms: + + a) Disclaiming warranty or limiting liability differently from the + terms of sections 15 and 16 of this License; or + + b) Requiring preservation of specified reasonable legal notices or + author attributions in that material or in the Appropriate Legal + Notices displayed by works containing it; or + + c) Prohibiting misrepresentation of the origin of that material, or + requiring that modified versions of such material be marked in + reasonable ways as different from the original version; or + + d) Limiting the use for publicity purposes of names of licensors or + authors of the material; or + + e) Declining to grant rights under trademark law for use of some + trade names, trademarks, or service marks; or + + f) Requiring indemnification of licensors and authors of that + material by anyone who conveys the material (or modified versions of + it) with contractual assumptions of liability to the recipient, for + any liability that these contractual assumptions directly impose on + those licensors and authors. + + All other non-permissive additional terms are considered "further +restrictions" within the meaning of section 10. If the Program as you +received it, or any part of it, contains a notice stating that it is +governed by this License along with a term that is a further +restriction, you may remove that term. If a license document contains +a further restriction but permits relicensing or conveying under this +License, you may add to a covered work material governed by the terms +of that license document, provided that the further restriction does +not survive such relicensing or conveying. + + If you add terms to a covered work in accord with this section, you +must place, in the relevant source files, a statement of the +additional terms that apply to those files, or a notice indicating +where to find the applicable terms. + + Additional terms, permissive or non-permissive, may be stated in the +form of a separately written license, or stated as exceptions; +the above requirements apply either way. + + 8. Termination. + + You may not propagate or modify a covered work except as expressly +provided under this License. Any attempt otherwise to propagate or +modify it is void, and will automatically terminate your rights under +this License (including any patent licenses granted under the third +paragraph of section 11). + + However, if you cease all violation of this License, then your +license from a particular copyright holder is reinstated (a) +provisionally, unless and until the copyright holder explicitly and +finally terminates your license, and (b) permanently, if the copyright +holder fails to notify you of the violation by some reasonable means +prior to 60 days after the cessation. + + Moreover, your license from a particular copyright holder is +reinstated permanently if the copyright holder notifies you of the +violation by some reasonable means, this is the first time you have +received notice of violation of this License (for any work) from that +copyright holder, and you cure the violation prior to 30 days after +your receipt of the notice. + + Termination of your rights under this section does not terminate the +licenses of parties who have received copies or rights from you under +this License. If your rights have been terminated and not permanently +reinstated, you do not qualify to receive new licenses for the same +material under section 10. + + 9. Acceptance Not Required for Having Copies. + + You are not required to accept this License in order to receive or +run a copy of the Program. Ancillary propagation of a covered work +occurring solely as a consequence of using peer-to-peer transmission +to receive a copy likewise does not require acceptance. However, +nothing other than this License grants you permission to propagate or +modify any covered work. These actions infringe copyright if you do +not accept this License. Therefore, by modifying or propagating a +covered work, you indicate your acceptance of this License to do so. + + 10. Automatic Licensing of Downstream Recipients. + + Each time you convey a covered work, the recipient automatically +receives a license from the original licensors, to run, modify and +propagate that work, subject to this License. You are not responsible +for enforcing compliance by third parties with this License. + + An "entity transaction" is a transaction transferring control of an +organization, or substantially all assets of one, or subdividing an +organization, or merging organizations. If propagation of a covered +work results from an entity transaction, each party to that +transaction who receives a copy of the work also receives whatever +licenses to the work the party's predecessor in interest had or could +give under the previous paragraph, plus a right to possession of the +Corresponding Source of the work from the predecessor in interest, if +the predecessor has it or can get it with reasonable efforts. + + You may not impose any further restrictions on the exercise of the +rights granted or affirmed under this License. For example, you may +not impose a license fee, royalty, or other charge for exercise of +rights granted under this License, and you may not initiate litigation +(including a cross-claim or counterclaim in a lawsuit) alleging that +any patent claim is infringed by making, using, selling, offering for +sale, or importing the Program or any portion of it. + + 11. Patents. + + A "contributor" is a copyright holder who authorizes use under this +License of the Program or a work on which the Program is based. The +work thus licensed is called the contributor's "contributor version". + + A contributor's "essential patent claims" are all patent claims +owned or controlled by the contributor, whether already acquired or +hereafter acquired, that would be infringed by some manner, permitted +by this License, of making, using, or selling its contributor version, +but do not include claims that would be infringed only as a +consequence of further modification of the contributor version. For +purposes of this definition, "control" includes the right to grant +patent sublicenses in a manner consistent with the requirements of +this License. + + Each contributor grants you a non-exclusive, worldwide, royalty-free +patent license under the contributor's essential patent claims, to +make, use, sell, offer for sale, import and otherwise run, modify and +propagate the contents of its contributor version. + + In the following three paragraphs, a "patent license" is any express +agreement or commitment, however denominated, not to enforce a patent +(such as an express permission to practice a patent or covenant not to +sue for patent infringement). To "grant" such a patent license to a +party means to make such an agreement or commitment not to enforce a +patent against the party. + + If you convey a covered work, knowingly relying on a patent license, +and the Corresponding Source of the work is not available for anyone +to copy, free of charge and under the terms of this License, through a +publicly available network server or other readily accessible means, +then you must either (1) cause the Corresponding Source to be so +available, or (2) arrange to deprive yourself of the benefit of the +patent license for this particular work, or (3) arrange, in a manner +consistent with the requirements of this License, to extend the patent +license to downstream recipients. "Knowingly relying" means you have +actual knowledge that, but for the patent license, your conveying the +covered work in a country, or your recipient's use of the covered work +in a country, would infringe one or more identifiable patents in that +country that you have reason to believe are valid. + + If, pursuant to or in connection with a single transaction or +arrangement, you convey, or propagate by procuring conveyance of, a +covered work, and grant a patent license to some of the parties +receiving the covered work authorizing them to use, propagate, modify +or convey a specific copy of the covered work, then the patent license +you grant is automatically extended to all recipients of the covered +work and works based on it. + + A patent license is "discriminatory" if it does not include within +the scope of its coverage, prohibits the exercise of, or is +conditioned on the non-exercise of one or more of the rights that are +specifically granted under this License. You may not convey a covered +work if you are a party to an arrangement with a third party that is +in the business of distributing software, under which you make payment +to the third party based on the extent of your activity of conveying +the work, and under which the third party grants, to any of the +parties who would receive the covered work from you, a discriminatory +patent license (a) in connection with copies of the covered work +conveyed by you (or copies made from those copies), or (b) primarily +for and in connection with specific products or compilations that +contain the covered work, unless you entered into that arrangement, +or that patent license was granted, prior to 28 March 2007. + + Nothing in this License shall be construed as excluding or limiting +any implied license or other defenses to infringement that may +otherwise be available to you under applicable patent law. + + 12. No Surrender of Others' Freedom. + + If conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot convey a +covered work so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you may +not convey it at all. For example, if you agree to terms that obligate you +to collect a royalty for further conveying from those to whom you convey +the Program, the only way you could satisfy both those terms and this +License would be to refrain entirely from conveying the Program. + + 13. Remote Network Interaction; Use with the GNU General Public License. + + Notwithstanding any other provision of this License, if you modify the +Program, your modified version must prominently offer all users +interacting with it remotely through a computer network (if your version +supports such interaction) an opportunity to receive the Corresponding +Source of your version by providing access to the Corresponding Source +from a network server at no charge, through some standard or customary +means of facilitating copying of software. This Corresponding Source +shall include the Corresponding Source for any work covered by version 3 +of the GNU General Public License that is incorporated pursuant to the +following paragraph. + + Notwithstanding any other provision of this License, you have +permission to link or combine any covered work with a work licensed +under version 3 of the GNU General Public License into a single +combined work, and to convey the resulting work. The terms of this +License will continue to apply to the part which is the covered work, +but the work with which it is combined will remain governed by version +3 of the GNU General Public License. + + 14. Revised Versions of this License. + + The Free Software Foundation may publish revised and/or new versions of +the GNU Affero General Public License from time to time. Such new versions +will be similar in spirit to the present version, but may differ in detail to +address new problems or concerns. + + Each version is given a distinguishing version number. If the +Program specifies that a certain numbered version of the GNU Affero General +Public License "or any later version" applies to it, you have the +option of following the terms and conditions either of that numbered +version or of any later version published by the Free Software +Foundation. If the Program does not specify a version number of the +GNU Affero General Public License, you may choose any version ever published +by the Free Software Foundation. + + If the Program specifies that a proxy can decide which future +versions of the GNU Affero General Public License can be used, that proxy's +public statement of acceptance of a version permanently authorizes you +to choose that version for the Program. + + Later license versions may give you additional or different +permissions. However, no additional obligations are imposed on any +author or copyright holder as a result of your choosing to follow a +later version. + + 15. Disclaimer of Warranty. + + THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY +APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT +HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY +OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, +THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM +IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF +ALL NECESSARY SERVICING, REPAIR OR CORRECTION. + + 16. Limitation of Liability. + + IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING +WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS +THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY +GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE +USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF +DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD +PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), +EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF +SUCH DAMAGES. + + 17. Interpretation of Sections 15 and 16. + + If the disclaimer of warranty and limitation of liability provided +above cannot be given local legal effect according to their terms, +reviewing courts shall apply local law that most closely approximates +an absolute waiver of all civil liability in connection with the +Program, unless a warranty or assumption of liability accompanies a +copy of the Program in return for a fee. + + END OF TERMS AND CONDITIONS + + How to Apply These Terms to Your New Programs + + If you develop a new program, and you want it to be of the greatest +possible use to the public, the best way to achieve this is to make it +free software which everyone can redistribute and change under these terms. + + To do so, attach the following notices to the program. It is safest +to attach them to the start of each source file to most effectively +state the exclusion of warranty; and each file should have at least +the "copyright" line and a pointer to where the full notice is found. + + + Copyright (C) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU Affero General Public License as published + by the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU Affero General Public License for more details. + + You should have received a copy of the GNU Affero General Public License + along with this program. If not, see . + +Also add information on how to contact you by electronic and paper mail. + + If your software can interact with users remotely through a computer +network, you should also make sure that it provides a way for users to +get its source. For example, if your program is a web application, its +interface could display a "Source" link that leads users to an archive +of the code. There are many ways you could offer source, and different +solutions will be better for different programs; see section 13 for the +specific requirements. + + You should also get your employer (if you work as a programmer) or school, +if any, to sign a "copyright disclaimer" for the program, if necessary. +For more information on this, and how to apply and follow the GNU AGPL, see +. diff --git a/LICENSE-commercial.md b/LICENSE-commercial.md new file mode 100644 index 000000000..fb3f6ac3b --- /dev/null +++ b/LICENSE-commercial.md @@ -0,0 +1,9 @@ +The use of this software under a commercial license is subject to the terms +of the license agreement between the licensee and Defense Unicorns. The +content of this license depends on the specific agreement and may vary. For +more information about obtaining a commercial license, please contact +Defense Unicorns at [defenseunicorns.com](https://defenseunicorns.com). + +To use this software under the commercial license, you must have a valid +license agreement with Defense Unicorns. The terms of that license agreement +replace the terms of the AGPL v3 license. diff --git a/LICENSE.md b/LICENSE.md new file mode 100644 index 000000000..f0f8cb057 --- /dev/null +++ b/LICENSE.md @@ -0,0 +1,35 @@ +# Dual Licensing + +This software is licensed under either of: + +- GNU Affero General Public License v3.0 (AGPLv3) +- Defense Unicorns Commercial License + +## GNU Affero General Public License v3.0 (AGPLv3) + +Copyright (C) 2024 Defense Unicorns, Inc. + +This program is free software: you can redistribute it and/or modify +it under the terms of the GNU Affero General Public License as +published by the Free Software Foundation, either version 3 of the +License, or (at your option) any later version. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU Affero General Public License for more details. + +You should have received a copy of the GNU Affero General Public License +along with this program. If not, see . + +## Defense Unicorns Commercial License + +The use of this software under a commercial license is subject to the terms +of the license agreement between the licensee and Defense Unicorns. The +content of this license depends on the specific agreement and may vary. For +more information about obtaining a commercial license, please contact +Defense Unicorns at [defenseunicorns.com](https://defenseunicorns.com). + +To use this software under the commercial license, you must have a valid +license agreement with Defense Unicorns. The terms of that license agreement +replace the terms of the AGPL v3 license. diff --git a/bundles/k3d-slim-dev/uds-bundle.yaml b/bundles/k3d-slim-dev/uds-bundle.yaml index 5799c7da2..39c90dd0b 100644 --- a/bundles/k3d-slim-dev/uds-bundle.yaml +++ b/bundles/k3d-slim-dev/uds-bundle.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial kind: UDSBundle metadata: name: k3d-core-slim-dev diff --git a/bundles/k3d-standard/uds-bundle.yaml b/bundles/k3d-standard/uds-bundle.yaml index 9438cf3d4..3d5c0dbae 100644 --- a/bundles/k3d-standard/uds-bundle.yaml +++ b/bundles/k3d-standard/uds-bundle.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial kind: UDSBundle metadata: name: k3d-core-demo diff --git a/bundles/k3d-standard/uds-ha-config.yaml b/bundles/k3d-standard/uds-ha-config.yaml index 643b213de..dae5c8b8a 100644 --- a/bundles/k3d-standard/uds-ha-config.yaml +++ b/bundles/k3d-standard/uds-ha-config.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial variables: core: # Keycloak variables diff --git a/compliance/oscal-assessment-results.yaml b/compliance/oscal-assessment-results.yaml index 98af6a818..9800512b0 100644 --- a/compliance/oscal-assessment-results.yaml +++ b/compliance/oscal-assessment-results.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial assessment-results: import-ap: href: "" diff --git a/compliance/oscal-component.yaml b/compliance/oscal-component.yaml index 4be69f019..e0cdf872f 100644 --- a/compliance/oscal-component.yaml +++ b/compliance/oscal-component.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial component-definition: uuid: 8ef481dd-7924-42de-b426-ac300db35ec8 metadata: diff --git a/packages/backup-restore/tasks.yaml b/packages/backup-restore/tasks.yaml index 7e272b18d..586220b33 100644 --- a/packages/backup-restore/tasks.yaml +++ b/packages/backup-restore/tasks.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial includes: - velero: ../../src/velero/tasks.yaml diff --git a/packages/backup-restore/zarf.yaml b/packages/backup-restore/zarf.yaml index 11db4520a..ec5c06e00 100644 --- a/packages/backup-restore/zarf.yaml +++ b/packages/backup-restore/zarf.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial kind: ZarfPackageConfig metadata: name: core-backup-restore diff --git a/packages/base/tasks.yaml b/packages/base/tasks.yaml index 1742dcbcf..69135701b 100644 --- a/packages/base/tasks.yaml +++ b/packages/base/tasks.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial includes: - istio: ../../src/istio/tasks.yaml - pepr: ../../src/pepr/tasks.yaml diff --git a/packages/base/zarf.yaml b/packages/base/zarf.yaml index f5a8bbb81..24ec65b55 100644 --- a/packages/base/zarf.yaml +++ b/packages/base/zarf.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial kind: ZarfPackageConfig metadata: name: core-base diff --git a/packages/identity-authorization/tasks.yaml b/packages/identity-authorization/tasks.yaml index 1f1b92c3c..10e242de5 100644 --- a/packages/identity-authorization/tasks.yaml +++ b/packages/identity-authorization/tasks.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial includes: - keycloak: ../../src/keycloak/tasks.yaml - authservice: ../../src/authservice/tasks.yaml diff --git a/packages/identity-authorization/zarf.yaml b/packages/identity-authorization/zarf.yaml index cadaad6e9..2a2ea3b52 100644 --- a/packages/identity-authorization/zarf.yaml +++ b/packages/identity-authorization/zarf.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial kind: ZarfPackageConfig metadata: name: core-identity-authorization diff --git a/packages/logging/tasks.yaml b/packages/logging/tasks.yaml index 443e14048..0bed9517c 100644 --- a/packages/logging/tasks.yaml +++ b/packages/logging/tasks.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial includes: - loki: ../../src/loki/tasks.yaml - vector: ../../src/vector/tasks.yaml diff --git a/packages/logging/zarf.yaml b/packages/logging/zarf.yaml index 3ec7d7454..d252a5aa5 100644 --- a/packages/logging/zarf.yaml +++ b/packages/logging/zarf.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial kind: ZarfPackageConfig metadata: name: core-logging diff --git a/packages/metrics-server/tasks.yaml b/packages/metrics-server/tasks.yaml index 287f62079..bda7e25bf 100644 --- a/packages/metrics-server/tasks.yaml +++ b/packages/metrics-server/tasks.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial includes: - metrics-server: ../../src/metrics-server/tasks.yaml diff --git a/packages/metrics-server/zarf.yaml b/packages/metrics-server/zarf.yaml index 3b622f80f..87e0e2760 100644 --- a/packages/metrics-server/zarf.yaml +++ b/packages/metrics-server/zarf.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial kind: ZarfPackageConfig metadata: name: core-metrics-server diff --git a/packages/monitoring/tasks.yaml b/packages/monitoring/tasks.yaml index 3de4e5238..0d70126f8 100644 --- a/packages/monitoring/tasks.yaml +++ b/packages/monitoring/tasks.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial includes: - prometheus: ../../src/prometheus-stack/tasks.yaml - grafana: ../../src/grafana/tasks.yaml diff --git a/packages/monitoring/zarf.yaml b/packages/monitoring/zarf.yaml index 02881df98..fbca00411 100644 --- a/packages/monitoring/zarf.yaml +++ b/packages/monitoring/zarf.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial kind: ZarfPackageConfig metadata: name: core-monitoring diff --git a/packages/runtime-security/tasks.yaml b/packages/runtime-security/tasks.yaml index 60f0dba5f..81cebd74c 100644 --- a/packages/runtime-security/tasks.yaml +++ b/packages/runtime-security/tasks.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial includes: - neuvector: ../../src/neuvector/tasks.yaml diff --git a/packages/runtime-security/zarf.yaml b/packages/runtime-security/zarf.yaml index a38602221..0a7bc87e4 100644 --- a/packages/runtime-security/zarf.yaml +++ b/packages/runtime-security/zarf.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial kind: ZarfPackageConfig metadata: name: core-runtime-security diff --git a/packages/standard/zarf.yaml b/packages/standard/zarf.yaml index 75816559c..23ebbebe9 100644 --- a/packages/standard/zarf.yaml +++ b/packages/standard/zarf.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial kind: ZarfPackageConfig metadata: name: core diff --git a/packages/ui/tasks.yaml b/packages/ui/tasks.yaml index c0dde104a..037181405 100644 --- a/packages/ui/tasks.yaml +++ b/packages/ui/tasks.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial includes: - runtime: ../../src/runtime/tasks.yaml diff --git a/packages/ui/zarf.yaml b/packages/ui/zarf.yaml index 7f15df14a..708ed0932 100644 --- a/packages/ui/zarf.yaml +++ b/packages/ui/zarf.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial kind: ZarfPackageConfig metadata: name: core-ui diff --git a/pepr.ts b/pepr.ts index 885b09d3d..54f83a518 100644 --- a/pepr.ts +++ b/pepr.ts @@ -1,3 +1,4 @@ +// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial import { PeprModule } from "pepr"; import cfg from "./package.json"; diff --git a/src/authservice/chart/Chart.yaml b/src/authservice/chart/Chart.yaml index 93ca95965..1f96da755 100644 --- a/src/authservice/chart/Chart.yaml +++ b/src/authservice/chart/Chart.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial apiVersion: v2 name: authservice description: A Helm chart for Istio Authservice diff --git a/src/authservice/chart/templates/deployment.yaml b/src/authservice/chart/templates/deployment.yaml index 4dd4295f8..11d9aa853 100644 --- a/src/authservice/chart/templates/deployment.yaml +++ b/src/authservice/chart/templates/deployment.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial apiVersion: apps/v1 kind: Deployment metadata: diff --git a/src/authservice/chart/templates/hpa.yaml b/src/authservice/chart/templates/hpa.yaml index e5a4cb8ea..52cdd025d 100644 --- a/src/authservice/chart/templates/hpa.yaml +++ b/src/authservice/chart/templates/hpa.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial {{- if .Values.autoscaling.enabled }} apiVersion: autoscaling/v2 kind: HorizontalPodAutoscaler diff --git a/src/authservice/chart/templates/service.yaml b/src/authservice/chart/templates/service.yaml index 978a7b9ef..b3c75b761 100644 --- a/src/authservice/chart/templates/service.yaml +++ b/src/authservice/chart/templates/service.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial apiVersion: v1 kind: Service metadata: diff --git a/src/authservice/chart/templates/uds-package.yaml b/src/authservice/chart/templates/uds-package.yaml index 0e4e583de..1baef2ad1 100644 --- a/src/authservice/chart/templates/uds-package.yaml +++ b/src/authservice/chart/templates/uds-package.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial apiVersion: uds.dev/v1alpha1 kind: Package metadata: diff --git a/src/authservice/chart/values.yaml b/src/authservice/chart/values.yaml index 06a631c9c..62be37930 100644 --- a/src/authservice/chart/values.yaml +++ b/src/authservice/chart/values.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial # -- When setting this above 1, a redis configuration is required. replicaCount: 1 diff --git a/src/authservice/common/zarf.yaml b/src/authservice/common/zarf.yaml index 59914ddd9..8664e1131 100644 --- a/src/authservice/common/zarf.yaml +++ b/src/authservice/common/zarf.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial kind: ZarfPackageConfig metadata: name: uds-core-authservice-common diff --git a/src/authservice/tasks.yaml b/src/authservice/tasks.yaml index 479bc906f..5cb89c9d8 100644 --- a/src/authservice/tasks.yaml +++ b/src/authservice/tasks.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial tasks: - name: validate actions: diff --git a/src/authservice/values/registry1-values.yaml b/src/authservice/values/registry1-values.yaml index ad28c1a01..0e3b78a6a 100644 --- a/src/authservice/values/registry1-values.yaml +++ b/src/authservice/values/registry1-values.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial image: repository: registry1.dso.mil/ironbank/istio-ecosystem/authservice tag: "1.0.2-ubi9" diff --git a/src/authservice/values/unicorn-values.yaml b/src/authservice/values/unicorn-values.yaml index 34bb6887d..ab66baa3e 100644 --- a/src/authservice/values/unicorn-values.yaml +++ b/src/authservice/values/unicorn-values.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial image: repository: cgr.dev/du-uds-defenseunicorns/authservice-fips tag: "1.0.2" diff --git a/src/authservice/values/upstream-values.yaml b/src/authservice/values/upstream-values.yaml index f85681777..6734a698e 100644 --- a/src/authservice/values/upstream-values.yaml +++ b/src/authservice/values/upstream-values.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial image: repository: ghcr.io/istio-ecosystem/authservice/authservice tag: "1.0.2" diff --git a/src/authservice/zarf.yaml b/src/authservice/zarf.yaml index e214a28fc..75ba01044 100644 --- a/src/authservice/zarf.yaml +++ b/src/authservice/zarf.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial kind: ZarfPackageConfig metadata: name: uds-core-authservice diff --git a/src/grafana/chart/Chart.yaml b/src/grafana/chart/Chart.yaml index 10eb31e6b..05ae7e64a 100644 --- a/src/grafana/chart/Chart.yaml +++ b/src/grafana/chart/Chart.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial apiVersion: v2 name: uds-grafana-config description: Grafana configuration for UDS diff --git a/src/grafana/chart/templates/datasources.yaml b/src/grafana/chart/templates/datasources.yaml index c7f1bcff2..847882ddf 100644 --- a/src/grafana/chart/templates/datasources.yaml +++ b/src/grafana/chart/templates/datasources.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial apiVersion: v1 kind: ConfigMap metadata: diff --git a/src/grafana/chart/templates/secret-postgres.yaml b/src/grafana/chart/templates/secret-postgres.yaml index 5b5ee8ee8..a233bf37b 100644 --- a/src/grafana/chart/templates/secret-postgres.yaml +++ b/src/grafana/chart/templates/secret-postgres.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial apiVersion: v1 kind: Secret metadata: diff --git a/src/grafana/chart/templates/uds-package.yaml b/src/grafana/chart/templates/uds-package.yaml index b56d44db6..f1246a87e 100644 --- a/src/grafana/chart/templates/uds-package.yaml +++ b/src/grafana/chart/templates/uds-package.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial apiVersion: uds.dev/v1alpha1 kind: Package metadata: diff --git a/src/grafana/chart/values.yaml b/src/grafana/chart/values.yaml index 7880bcda1..e9bd79a43 100644 --- a/src/grafana/chart/values.yaml +++ b/src/grafana/chart/values.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial domain: "###ZARF_VAR_DOMAIN###" # Stores Grafana's metadata, including dashboards, data sources, organizations, alerts, and other configurations. Required for HA mode. diff --git a/src/grafana/common/zarf.yaml b/src/grafana/common/zarf.yaml index 452edf682..968956221 100644 --- a/src/grafana/common/zarf.yaml +++ b/src/grafana/common/zarf.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial kind: ZarfPackageConfig metadata: name: uds-core-grafana-common diff --git a/src/grafana/oscal-component.yaml b/src/grafana/oscal-component.yaml index 5966df926..9b54b0a9d 100644 --- a/src/grafana/oscal-component.yaml +++ b/src/grafana/oscal-component.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial component-definition: uuid: 7d316238-f7c4-4d3b-ab33-6ecbf49de5a7 metadata: diff --git a/src/grafana/tasks.yaml b/src/grafana/tasks.yaml index 5547b227f..7b0ef1f10 100644 --- a/src/grafana/tasks.yaml +++ b/src/grafana/tasks.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial tasks: - name: validate actions: diff --git a/src/grafana/values/registry1-values.yaml b/src/grafana/values/registry1-values.yaml index 045de8343..0ef12c7e8 100644 --- a/src/grafana/values/registry1-values.yaml +++ b/src/grafana/values/registry1-values.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial image: registry: registry1.dso.mil repository: ironbank/opensource/grafana/grafana diff --git a/src/grafana/values/unicorn-values.yaml b/src/grafana/values/unicorn-values.yaml index 720c5d0c4..33ec9f6b6 100644 --- a/src/grafana/values/unicorn-values.yaml +++ b/src/grafana/values/unicorn-values.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial image: registry: cgr.dev repository: du-uds-defenseunicorns/grafana-fips diff --git a/src/grafana/values/upstream-values.yaml b/src/grafana/values/upstream-values.yaml index 043ba6545..fbeddf422 100644 --- a/src/grafana/values/upstream-values.yaml +++ b/src/grafana/values/upstream-values.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial sidecar: image: # -- The Docker registry diff --git a/src/grafana/values/values.yaml b/src/grafana/values/values.yaml index 9b7a3e474..ec92e3040 100644 --- a/src/grafana/values/values.yaml +++ b/src/grafana/values/values.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial sidecar: dashboards: enabled: true diff --git a/src/grafana/zarf.yaml b/src/grafana/zarf.yaml index ebb548b45..3325a88e5 100644 --- a/src/grafana/zarf.yaml +++ b/src/grafana/zarf.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial kind: ZarfPackageConfig metadata: name: uds-core-grafana diff --git a/src/istio/chart/Chart.yaml b/src/istio/chart/Chart.yaml index bbbb78bc3..5192d8dc1 100644 --- a/src/istio/chart/Chart.yaml +++ b/src/istio/chart/Chart.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial apiVersion: v2 name: uds-istio-config description: Istio configuration for UDS diff --git a/src/istio/chart/templates/gateway.yaml b/src/istio/chart/templates/gateway.yaml index eb09e0564..e72d1766f 100644 --- a/src/istio/chart/templates/gateway.yaml +++ b/src/istio/chart/templates/gateway.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial {{- $domain := .Values.domain }} {{- if .Values.tls }} apiVersion: networking.istio.io/v1beta1 diff --git a/src/istio/chart/templates/tls-cert.yaml b/src/istio/chart/templates/tls-cert.yaml index c094511b6..a27ecbd34 100644 --- a/src/istio/chart/templates/tls-cert.yaml +++ b/src/istio/chart/templates/tls-cert.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial {{- $tls := .Values.tls }} {{ if $tls.cert }} apiVersion: v1 diff --git a/src/istio/chart/values.yaml b/src/istio/chart/values.yaml index 618b15015..544dc1f42 100644 --- a/src/istio/chart/values.yaml +++ b/src/istio/chart/values.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial # The gateway name prefix name: change-me diff --git a/src/istio/common/manifests/envoy-filters.yaml b/src/istio/common/manifests/envoy-filters.yaml index 3e4fb540f..df4926d2f 100644 --- a/src/istio/common/manifests/envoy-filters.yaml +++ b/src/istio/common/manifests/envoy-filters.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial --- # Source: istio/templates/envoyfilter.yaml apiVersion: networking.istio.io/v1alpha3 diff --git a/src/istio/common/manifests/peer-authentication.yaml b/src/istio/common/manifests/peer-authentication.yaml index 37ee318fc..7ad45cb28 100644 --- a/src/istio/common/manifests/peer-authentication.yaml +++ b/src/istio/common/manifests/peer-authentication.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial --- # Source: istio/templates/bigbang/peerAuthentication.yaml apiVersion: security.istio.io/v1beta1 diff --git a/src/istio/common/manifests/pepr-istio-config.yaml b/src/istio/common/manifests/pepr-istio-config.yaml index 50eaf2ee1..2c1b30b26 100644 --- a/src/istio/common/manifests/pepr-istio-config.yaml +++ b/src/istio/common/manifests/pepr-istio-config.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial # Have to pre-create the namespace and also patch it with the istio-injection label later because # Helm is kind of dumb: https://github.com/helm/helm/issues/350 kind: Namespace diff --git a/src/istio/common/zarf.yaml b/src/istio/common/zarf.yaml index 69e10b0f7..0c7ae9279 100644 --- a/src/istio/common/zarf.yaml +++ b/src/istio/common/zarf.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial kind: ZarfPackageConfig metadata: name: uds-core-istio-common diff --git a/src/istio/oscal-component.yaml b/src/istio/oscal-component.yaml index 9a9a97f74..0274deae6 100644 --- a/src/istio/oscal-component.yaml +++ b/src/istio/oscal-component.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial component-definition: back-matter: resources: diff --git a/src/istio/tasks.yaml b/src/istio/tasks.yaml index a41c5ec03..be488a6dd 100644 --- a/src/istio/tasks.yaml +++ b/src/istio/tasks.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial tasks: - name: validate actions: diff --git a/src/istio/values/config-admin.yaml b/src/istio/values/config-admin.yaml index 560cc4585..52ae6835d 100644 --- a/src/istio/values/config-admin.yaml +++ b/src/istio/values/config-admin.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial name: admin domain: "admin.###ZARF_VAR_DOMAIN###" tls: diff --git a/src/istio/values/config-passthrough.yaml b/src/istio/values/config-passthrough.yaml index 8d992d3ee..417b264de 100644 --- a/src/istio/values/config-passthrough.yaml +++ b/src/istio/values/config-passthrough.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial name: passthrough tls: diff --git a/src/istio/values/config-tenant.yaml b/src/istio/values/config-tenant.yaml index 0d3c99741..757574754 100644 --- a/src/istio/values/config-tenant.yaml +++ b/src/istio/values/config-tenant.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial name: tenant tls: servers: diff --git a/src/istio/values/registry1-values.yaml b/src/istio/values/registry1-values.yaml index 37921bf2c..7023bd3da 100644 --- a/src/istio/values/registry1-values.yaml +++ b/src/istio/values/registry1-values.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial pilot: image: registry1.dso.mil/ironbank/tetrate/istio/pilot:1.23.2-tetratefips-v0 global: diff --git a/src/istio/values/unicorn-values.yaml b/src/istio/values/unicorn-values.yaml index 28c091285..579552919 100644 --- a/src/istio/values/unicorn-values.yaml +++ b/src/istio/values/unicorn-values.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial pilot: image: "cgr.dev/du-uds-defenseunicorns/istio-pilot-fips:1.23.2" global: diff --git a/src/istio/values/upstream-values.yaml b/src/istio/values/upstream-values.yaml index 63b88c989..5879947bb 100644 --- a/src/istio/values/upstream-values.yaml +++ b/src/istio/values/upstream-values.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial pilot: image: "docker.io/istio/pilot:1.23.2-distroless" global: diff --git a/src/istio/values/values.yaml b/src/istio/values/values.yaml index 4b5412489..add71c7da 100644 --- a/src/istio/values/values.yaml +++ b/src/istio/values/values.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial meshConfig: accessLogFile: /dev/stdout pathNormalization: diff --git a/src/istio/zarf.yaml b/src/istio/zarf.yaml index 49fd2ad54..9526869a8 100644 --- a/src/istio/zarf.yaml +++ b/src/istio/zarf.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial kind: ZarfPackageConfig metadata: name: uds-core-istio diff --git a/src/keycloak/chart/Chart.yaml b/src/keycloak/chart/Chart.yaml index 255a95d04..2cd05d258 100644 --- a/src/keycloak/chart/Chart.yaml +++ b/src/keycloak/chart/Chart.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial apiVersion: v2 name: keycloak # renovate: datasource=docker depName=quay.io/keycloak/keycloak versioning=semver diff --git a/src/keycloak/chart/templates/destination-rule.yaml b/src/keycloak/chart/templates/destination-rule.yaml index 2cb14314a..921096c98 100644 --- a/src/keycloak/chart/templates/destination-rule.yaml +++ b/src/keycloak/chart/templates/destination-rule.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial {{- if not .Values.devMode }} apiVersion: networking.istio.io/v1alpha3 kind: DestinationRule diff --git a/src/keycloak/chart/templates/hpa.yaml b/src/keycloak/chart/templates/hpa.yaml index 92fce4c7a..bcca27c5f 100644 --- a/src/keycloak/chart/templates/hpa.yaml +++ b/src/keycloak/chart/templates/hpa.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial {{- if .Values.autoscaling.enabled }} apiVersion: autoscaling/v2 kind: HorizontalPodAutoscaler diff --git a/src/keycloak/chart/templates/istio-admin.yaml b/src/keycloak/chart/templates/istio-admin.yaml index 54f6ff114..bc2646510 100644 --- a/src/keycloak/chart/templates/istio-admin.yaml +++ b/src/keycloak/chart/templates/istio-admin.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial {{- if .Capabilities.APIVersions.Has "security.istio.io/v1beta1" }} apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy diff --git a/src/keycloak/chart/templates/istio-peer-auth.yaml b/src/keycloak/chart/templates/istio-peer-auth.yaml index 2e65c6b57..5e4253ea7 100644 --- a/src/keycloak/chart/templates/istio-peer-auth.yaml +++ b/src/keycloak/chart/templates/istio-peer-auth.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial {{- if .Capabilities.APIVersions.Has "security.istio.io/v1beta1" }} apiVersion: security.istio.io/v1beta1 kind: PeerAuthentication diff --git a/src/keycloak/chart/templates/poddisruptionbudget.yaml b/src/keycloak/chart/templates/poddisruptionbudget.yaml index ac77e92c8..ef45bcc00 100644 --- a/src/keycloak/chart/templates/poddisruptionbudget.yaml +++ b/src/keycloak/chart/templates/poddisruptionbudget.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial {{- if .Values.podDisruptionBudget -}} apiVersion: policy/v1 kind: PodDisruptionBudget diff --git a/src/keycloak/chart/templates/prometheusrule.yaml b/src/keycloak/chart/templates/prometheusrule.yaml index 20ef047ac..f453bc49e 100644 --- a/src/keycloak/chart/templates/prometheusrule.yaml +++ b/src/keycloak/chart/templates/prometheusrule.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial {{- with .Values.prometheusRule -}} {{- if .enabled }} apiVersion: monitoring.coreos.com/v1 diff --git a/src/keycloak/chart/templates/pvc.yaml b/src/keycloak/chart/templates/pvc.yaml index fea8dd0b9..1e25955ff 100644 --- a/src/keycloak/chart/templates/pvc.yaml +++ b/src/keycloak/chart/templates/pvc.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial {{- if .Values.persistence.providers.enabled }} kind: PersistentVolumeClaim apiVersion: v1 diff --git a/src/keycloak/chart/templates/secret-admin-password.yaml b/src/keycloak/chart/templates/secret-admin-password.yaml index 59307eb32..459a845dc 100644 --- a/src/keycloak/chart/templates/secret-admin-password.yaml +++ b/src/keycloak/chart/templates/secret-admin-password.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial {{- if .Values.insecureAdminPasswordGeneration.enabled }} {{- $kcPass := (randAlphaNum 32) | b64enc | quote }} {{- $kcUser := .Values.insecureAdminPasswordGeneration.username | b64enc | quote }} diff --git a/src/keycloak/chart/templates/secret-kc-realm.yaml b/src/keycloak/chart/templates/secret-kc-realm.yaml index 28dcdbe94..5e4e2ada9 100644 --- a/src/keycloak/chart/templates/secret-kc-realm.yaml +++ b/src/keycloak/chart/templates/secret-kc-realm.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial apiVersion: v1 kind: Secret metadata: diff --git a/src/keycloak/chart/templates/secret-postgresql.yaml b/src/keycloak/chart/templates/secret-postgresql.yaml index aef32a4d9..0683ad960 100644 --- a/src/keycloak/chart/templates/secret-postgresql.yaml +++ b/src/keycloak/chart/templates/secret-postgresql.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial {{- if eq (include "keycloak.postgresql.config" .) "true" }} apiVersion: v1 kind: Secret diff --git a/src/keycloak/chart/templates/service-headless.yaml b/src/keycloak/chart/templates/service-headless.yaml index d5a67c2b5..d5c26692a 100644 --- a/src/keycloak/chart/templates/service-headless.yaml +++ b/src/keycloak/chart/templates/service-headless.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial apiVersion: v1 kind: Service metadata: diff --git a/src/keycloak/chart/templates/service-http.yaml b/src/keycloak/chart/templates/service-http.yaml index d3be8dd2e..eb4aee327 100644 --- a/src/keycloak/chart/templates/service-http.yaml +++ b/src/keycloak/chart/templates/service-http.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial apiVersion: v1 kind: Service metadata: diff --git a/src/keycloak/chart/templates/servicemonitor.yaml b/src/keycloak/chart/templates/servicemonitor.yaml index 3ea4cfdcc..a6b675f29 100644 --- a/src/keycloak/chart/templates/servicemonitor.yaml +++ b/src/keycloak/chart/templates/servicemonitor.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial {{- range $key, $serviceMonitor := dict "metrics" .Values.serviceMonitor "extra" .Values.extraServiceMonitor }} {{- with $serviceMonitor }} {{- if .enabled }} diff --git a/src/keycloak/chart/templates/statefulset.yaml b/src/keycloak/chart/templates/statefulset.yaml index 4e4521381..918f3d5d1 100644 --- a/src/keycloak/chart/templates/statefulset.yaml +++ b/src/keycloak/chart/templates/statefulset.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial apiVersion: apps/v1 kind: StatefulSet metadata: diff --git a/src/keycloak/chart/templates/uds-package.yaml b/src/keycloak/chart/templates/uds-package.yaml index 2c1c52e47..371c91554 100644 --- a/src/keycloak/chart/templates/uds-package.yaml +++ b/src/keycloak/chart/templates/uds-package.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial apiVersion: uds.dev/v1alpha1 kind: Package metadata: diff --git a/src/keycloak/chart/values.yaml b/src/keycloak/chart/values.yaml index 0e1605ba8..c0c86e264 100644 --- a/src/keycloak/chart/values.yaml +++ b/src/keycloak/chart/values.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial image: # The Keycloak image repository repository: quay.io/keycloak/keycloak diff --git a/src/keycloak/common/zarf.yaml b/src/keycloak/common/zarf.yaml index 8838c6a40..b41d24fad 100644 --- a/src/keycloak/common/zarf.yaml +++ b/src/keycloak/common/zarf.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial kind: ZarfPackageConfig metadata: name: uds-core-keycloak-common diff --git a/src/keycloak/tasks.yaml b/src/keycloak/tasks.yaml index e8513a206..5148c258c 100644 --- a/src/keycloak/tasks.yaml +++ b/src/keycloak/tasks.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial includes: - config: https://raw.githubusercontent.com/defenseunicorns/uds-identity-config/v0.6.3/tasks.yaml diff --git a/src/keycloak/values/registry1-values.yaml b/src/keycloak/values/registry1-values.yaml index 49937ba3d..d675e7330 100644 --- a/src/keycloak/values/registry1-values.yaml +++ b/src/keycloak/values/registry1-values.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial image: repository: registry1.dso.mil/ironbank/opensource/keycloak/keycloak tag: "25.0.6" diff --git a/src/keycloak/values/unicorn-values.yaml b/src/keycloak/values/unicorn-values.yaml index 544734319..7c30a4c4d 100644 --- a/src/keycloak/values/unicorn-values.yaml +++ b/src/keycloak/values/unicorn-values.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial podSecurityContext: fsGroup: 65532 image: diff --git a/src/keycloak/values/upstream-values.yaml b/src/keycloak/values/upstream-values.yaml index 58d5ae6c5..e3d47c670 100644 --- a/src/keycloak/values/upstream-values.yaml +++ b/src/keycloak/values/upstream-values.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial podSecurityContext: fsGroup: 1000 image: diff --git a/src/keycloak/zarf.yaml b/src/keycloak/zarf.yaml index acf43864b..b581bd17e 100644 --- a/src/keycloak/zarf.yaml +++ b/src/keycloak/zarf.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial kind: ZarfPackageConfig metadata: name: uds-core-keycloak diff --git a/src/kiali/tasks.yaml b/src/kiali/tasks.yaml index e3b314c9b..47f789e05 100644 --- a/src/kiali/tasks.yaml +++ b/src/kiali/tasks.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial tasks: - name: validate actions: diff --git a/src/kiali/zarf.yaml b/src/kiali/zarf.yaml index 6cd41c49a..d6407ca3b 100644 --- a/src/kiali/zarf.yaml +++ b/src/kiali/zarf.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial kind: ZarfPackageConfig metadata: name: uds-core-kiali diff --git a/src/loki/chart/Chart.yaml b/src/loki/chart/Chart.yaml index 4228b0d81..efc96755d 100644 --- a/src/loki/chart/Chart.yaml +++ b/src/loki/chart/Chart.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial apiVersion: v2 name: uds-loki-config description: Loki configuration for UDS diff --git a/src/loki/chart/templates/loki-dashboards.yaml b/src/loki/chart/templates/loki-dashboards.yaml index 04075a9bb..1a44b0a43 100644 --- a/src/loki/chart/templates/loki-dashboards.yaml +++ b/src/loki/chart/templates/loki-dashboards.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial apiVersion: v1 kind: ConfigMap metadata: diff --git a/src/loki/chart/templates/peerauthentication/loki-simple-scalable.yaml b/src/loki/chart/templates/peerauthentication/loki-simple-scalable.yaml index 90f748d95..c5982ebda 100644 --- a/src/loki/chart/templates/peerauthentication/loki-simple-scalable.yaml +++ b/src/loki/chart/templates/peerauthentication/loki-simple-scalable.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial {{- if .Capabilities.APIVersions.Has "security.istio.io/v1beta1" }} apiVersion: "security.istio.io/v1beta1" kind: PeerAuthentication diff --git a/src/loki/chart/templates/service-dns.yaml b/src/loki/chart/templates/service-dns.yaml index 57ec5740a..e47899494 100644 --- a/src/loki/chart/templates/service-dns.yaml +++ b/src/loki/chart/templates/service-dns.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial --- apiVersion: v1 kind: Service diff --git a/src/loki/chart/templates/uds-package.yaml b/src/loki/chart/templates/uds-package.yaml index b7a39eb5d..2bd9f6c75 100644 --- a/src/loki/chart/templates/uds-package.yaml +++ b/src/loki/chart/templates/uds-package.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial apiVersion: uds.dev/v1alpha1 kind: Package metadata: diff --git a/src/loki/chart/values.yaml b/src/loki/chart/values.yaml index fbb557b5a..a30fe4c3d 100644 --- a/src/loki/chart/values.yaml +++ b/src/loki/chart/values.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial storage: internal: enabled: false diff --git a/src/loki/common/zarf.yaml b/src/loki/common/zarf.yaml index 988ec8d93..92d3307ec 100644 --- a/src/loki/common/zarf.yaml +++ b/src/loki/common/zarf.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial kind: ZarfPackageConfig metadata: name: uds-core-loki-common diff --git a/src/loki/oscal-component.yaml b/src/loki/oscal-component.yaml index 62245b436..4b8faf4cc 100644 --- a/src/loki/oscal-component.yaml +++ b/src/loki/oscal-component.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial component-definition: uuid: aaa97ff3-41f7-4f11-b74a-0cf0de527e6e metadata: diff --git a/src/loki/tasks.yaml b/src/loki/tasks.yaml index a319aa659..57ff93f94 100644 --- a/src/loki/tasks.yaml +++ b/src/loki/tasks.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial tasks: - name: validate actions: diff --git a/src/loki/values/registry1-values.yaml b/src/loki/values/registry1-values.yaml index 2240a20c5..be83c068d 100644 --- a/src/loki/values/registry1-values.yaml +++ b/src/loki/values/registry1-values.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial loki: image: registry: registry1.dso.mil diff --git a/src/loki/values/unicorn-values.yaml b/src/loki/values/unicorn-values.yaml index 88b619ab4..b50b9dba6 100644 --- a/src/loki/values/unicorn-values.yaml +++ b/src/loki/values/unicorn-values.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial loki: image: registry: cgr.dev diff --git a/src/loki/values/upstream-values.yaml b/src/loki/values/upstream-values.yaml index d31d3cde9..8f56988d9 100644 --- a/src/loki/values/upstream-values.yaml +++ b/src/loki/values/upstream-values.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial loki: image: registry: docker.io diff --git a/src/loki/values/values.yaml b/src/loki/values/values.yaml index 99717b712..2642e03c2 100644 --- a/src/loki/values/values.yaml +++ b/src/loki/values/values.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial # Sets the global DNS service to the service created in this chart global: dnsService: "uds-loki-dns" diff --git a/src/loki/zarf.yaml b/src/loki/zarf.yaml index 7432b4b90..ecd59de6b 100644 --- a/src/loki/zarf.yaml +++ b/src/loki/zarf.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial kind: ZarfPackageConfig metadata: name: uds-core-loki diff --git a/src/metrics-server/chart/Chart.yaml b/src/metrics-server/chart/Chart.yaml index 3f7f729de..7eabaa4dc 100644 --- a/src/metrics-server/chart/Chart.yaml +++ b/src/metrics-server/chart/Chart.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial apiVersion: v2 name: uds-metrics-server-config description: Metrics Server configuration for UDS diff --git a/src/metrics-server/chart/templates/peerauthentication/metrics-api.yaml b/src/metrics-server/chart/templates/peerauthentication/metrics-api.yaml index 18c5fdcbf..f236be49f 100644 --- a/src/metrics-server/chart/templates/peerauthentication/metrics-api.yaml +++ b/src/metrics-server/chart/templates/peerauthentication/metrics-api.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial {{- if .Capabilities.APIVersions.Has "security.istio.io/v1beta1" }} apiVersion: security.istio.io/v1beta1 kind: PeerAuthentication diff --git a/src/metrics-server/chart/templates/service-monitor.yaml b/src/metrics-server/chart/templates/service-monitor.yaml index 390875164..a9bb8be24 100644 --- a/src/metrics-server/chart/templates/service-monitor.yaml +++ b/src/metrics-server/chart/templates/service-monitor.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial {{- if .Capabilities.APIVersions.Has "monitoring.coreos.com/v1" }} # The serviceMonitor for metrics-server is unique due to permissive mTLS on its port, so it is created outside of the Package spec apiVersion: monitoring.coreos.com/v1 diff --git a/src/metrics-server/chart/templates/uds-package.yaml b/src/metrics-server/chart/templates/uds-package.yaml index b213992f3..9f635bfc5 100644 --- a/src/metrics-server/chart/templates/uds-package.yaml +++ b/src/metrics-server/chart/templates/uds-package.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial apiVersion: uds.dev/v1alpha1 kind: Package metadata: diff --git a/src/metrics-server/common/zarf.yaml b/src/metrics-server/common/zarf.yaml index 9bad06c8a..c258da476 100644 --- a/src/metrics-server/common/zarf.yaml +++ b/src/metrics-server/common/zarf.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial kind: ZarfPackageConfig metadata: name: uds-core-metrics-server-common diff --git a/src/metrics-server/tasks.yaml b/src/metrics-server/tasks.yaml index 610223eaf..db757ab72 100644 --- a/src/metrics-server/tasks.yaml +++ b/src/metrics-server/tasks.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial tasks: - name: validate actions: diff --git a/src/metrics-server/values/registry1-values.yaml b/src/metrics-server/values/registry1-values.yaml index 6ef5bb83a..66fd0e1a7 100644 --- a/src/metrics-server/values/registry1-values.yaml +++ b/src/metrics-server/values/registry1-values.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial image: repository: registry1.dso.mil/ironbank/opensource/kubernetes-sigs/metrics-server tag: "v0.7.2" diff --git a/src/metrics-server/values/unicorn-values.yaml b/src/metrics-server/values/unicorn-values.yaml index fd874866b..0e968ee98 100644 --- a/src/metrics-server/values/unicorn-values.yaml +++ b/src/metrics-server/values/unicorn-values.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial image: repository: cgr.dev/du-uds-defenseunicorns/metrics-server-fips tag: "0.7.2" diff --git a/src/metrics-server/values/upstream-values.yaml b/src/metrics-server/values/upstream-values.yaml index 00f0dfcb6..355942584 100644 --- a/src/metrics-server/values/upstream-values.yaml +++ b/src/metrics-server/values/upstream-values.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial image: repository: registry.k8s.io/metrics-server/metrics-server tag: "v0.7.2" diff --git a/src/metrics-server/values/values.yaml b/src/metrics-server/values/values.yaml index 28c8b42d5..3ceda9355 100644 --- a/src/metrics-server/values/values.yaml +++ b/src/metrics-server/values/values.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial readinessProbe: httpGet: path: /readyz diff --git a/src/metrics-server/zarf.yaml b/src/metrics-server/zarf.yaml index 62c412083..24422a1da 100644 --- a/src/metrics-server/zarf.yaml +++ b/src/metrics-server/zarf.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial kind: ZarfPackageConfig metadata: name: uds-core-metrics-server diff --git a/src/neuvector/chart/Chart.yaml b/src/neuvector/chart/Chart.yaml index 31d565b22..19f0816bf 100644 --- a/src/neuvector/chart/Chart.yaml +++ b/src/neuvector/chart/Chart.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial apiVersion: v2 name: uds-neuvector-config description: Neuvector configuration for UDS diff --git a/src/neuvector/chart/templates/internal-cert.yaml b/src/neuvector/chart/templates/internal-cert.yaml index d6e96a174..e961bd702 100644 --- a/src/neuvector/chart/templates/internal-cert.yaml +++ b/src/neuvector/chart/templates/internal-cert.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial {{- if .Values.generateInternalCert -}} {{- $cn := "neuvector" }} {{- $ca := genCA "neuvector" 3650 -}} diff --git a/src/neuvector/chart/templates/istio/headless-controller-service.yaml b/src/neuvector/chart/templates/istio/headless-controller-service.yaml index 4e41a72d7..788f20a22 100644 --- a/src/neuvector/chart/templates/istio/headless-controller-service.yaml +++ b/src/neuvector/chart/templates/istio/headless-controller-service.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial apiVersion: v1 kind: Service metadata: diff --git a/src/neuvector/chart/templates/istio/headless-enforcer-service.yaml b/src/neuvector/chart/templates/istio/headless-enforcer-service.yaml index 66c3f4513..1dcf85374 100644 --- a/src/neuvector/chart/templates/istio/headless-enforcer-service.yaml +++ b/src/neuvector/chart/templates/istio/headless-enforcer-service.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial apiVersion: v1 kind: Service diff --git a/src/neuvector/chart/templates/istio/headless-scanner-service.yaml b/src/neuvector/chart/templates/istio/headless-scanner-service.yaml index f0d9da3b8..d82fc20ad 100644 --- a/src/neuvector/chart/templates/istio/headless-scanner-service.yaml +++ b/src/neuvector/chart/templates/istio/headless-scanner-service.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial apiVersion: v1 kind: Service metadata: diff --git a/src/neuvector/chart/templates/neuvector-dashboard.yaml b/src/neuvector/chart/templates/neuvector-dashboard.yaml index d70e86c98..7279de678 100644 --- a/src/neuvector/chart/templates/neuvector-dashboard.yaml +++ b/src/neuvector/chart/templates/neuvector-dashboard.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial {{- if .Values.grafana.enabled -}} apiVersion: v1 kind: ConfigMap diff --git a/src/neuvector/chart/templates/peerauthentication/neuvector-controller-pa.yaml b/src/neuvector/chart/templates/peerauthentication/neuvector-controller-pa.yaml index 6e881bf73..77365b1f5 100644 --- a/src/neuvector/chart/templates/peerauthentication/neuvector-controller-pa.yaml +++ b/src/neuvector/chart/templates/peerauthentication/neuvector-controller-pa.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial {{- if .Capabilities.APIVersions.Has "security.istio.io/v1beta1" }} apiVersion: "security.istio.io/v1beta1" kind: PeerAuthentication diff --git a/src/neuvector/chart/templates/uds-exemption.yaml b/src/neuvector/chart/templates/uds-exemption.yaml index 09e61c13e..bb3fb9dc1 100644 --- a/src/neuvector/chart/templates/uds-exemption.yaml +++ b/src/neuvector/chart/templates/uds-exemption.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial apiVersion: uds.dev/v1alpha1 kind: Exemption metadata: diff --git a/src/neuvector/chart/templates/uds-package.yaml b/src/neuvector/chart/templates/uds-package.yaml index 1cdee101d..579a1b84a 100644 --- a/src/neuvector/chart/templates/uds-package.yaml +++ b/src/neuvector/chart/templates/uds-package.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial apiVersion: uds.dev/v1alpha1 kind: Package metadata: diff --git a/src/neuvector/chart/values.yaml b/src/neuvector/chart/values.yaml index fac586fa5..5372381e2 100644 --- a/src/neuvector/chart/values.yaml +++ b/src/neuvector/chart/values.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial domain: "###ZARF_VAR_DOMAIN###" grafana: diff --git a/src/neuvector/common/zarf.yaml b/src/neuvector/common/zarf.yaml index b56d75371..21f24dd66 100644 --- a/src/neuvector/common/zarf.yaml +++ b/src/neuvector/common/zarf.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial kind: ZarfPackageConfig metadata: name: uds-core-neuvector-common diff --git a/src/neuvector/oscal-component.yaml b/src/neuvector/oscal-component.yaml index f15e9a6c4..2b0933525 100644 --- a/src/neuvector/oscal-component.yaml +++ b/src/neuvector/oscal-component.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial component-definition: uuid: 80bc0932-82d9-4144-8e7c-dec0f79e04fc metadata: diff --git a/src/neuvector/tasks.yaml b/src/neuvector/tasks.yaml index a9cd5a7dd..30f138425 100644 --- a/src/neuvector/tasks.yaml +++ b/src/neuvector/tasks.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial tasks: - name: validate actions: diff --git a/src/neuvector/values/monitor-values.yaml b/src/neuvector/values/monitor-values.yaml index b30b4032f..6a3bc60f5 100644 --- a/src/neuvector/values/monitor-values.yaml +++ b/src/neuvector/values/monitor-values.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial leastPrivilege: true exporter: diff --git a/src/neuvector/values/registry1-values.yaml b/src/neuvector/values/registry1-values.yaml index ba258fce7..b2e7b9ad5 100644 --- a/src/neuvector/values/registry1-values.yaml +++ b/src/neuvector/values/registry1-values.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial registry: registry1.dso.mil # renovate: datasource=docker depName=registry1.dso.mil/ironbank/neuvector/neuvector/controller versioning=docker tag: "5.3.4" diff --git a/src/neuvector/values/unicorn-config-values.yaml b/src/neuvector/values/unicorn-config-values.yaml index e07235598..94c7fa024 100644 --- a/src/neuvector/values/unicorn-config-values.yaml +++ b/src/neuvector/values/unicorn-config-values.yaml @@ -1 +1,2 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial generateInternalCert: true diff --git a/src/neuvector/values/unicorn-values.yaml b/src/neuvector/values/unicorn-values.yaml index a0f05bd01..7083a3cac 100644 --- a/src/neuvector/values/unicorn-values.yaml +++ b/src/neuvector/values/unicorn-values.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial # Generate certs missing from unicorn images autoGenerateCert: true diff --git a/src/neuvector/values/upstream-values.yaml b/src/neuvector/values/upstream-values.yaml index 67bc9edee..78af6885a 100644 --- a/src/neuvector/values/upstream-values.yaml +++ b/src/neuvector/values/upstream-values.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial registry: docker.io # renovate: datasource=docker depName=docker.io/neuvector/controller versioning=docker tag: "5.3.4" diff --git a/src/neuvector/values/values.yaml b/src/neuvector/values/values.yaml index cafd56b35..ee5961322 100644 --- a/src/neuvector/values/values.yaml +++ b/src/neuvector/values/values.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial leastPrivilege: true autoGenerateCert: false rbac: true diff --git a/src/neuvector/zarf.yaml b/src/neuvector/zarf.yaml index 5122cac60..e97dac379 100644 --- a/src/neuvector/zarf.yaml +++ b/src/neuvector/zarf.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial kind: ZarfPackageConfig metadata: name: uds-core-neuvector diff --git a/src/pepr/config.ts b/src/pepr/config.ts index 749a730fc..d045ea22a 100644 --- a/src/pepr/config.ts +++ b/src/pepr/config.ts @@ -1,3 +1,4 @@ +// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial import { Component, setupLogger } from "./logger"; let domain = process.env.UDS_DOMAIN; diff --git a/src/pepr/istio/index.ts b/src/pepr/istio/index.ts index 01eb86278..addc13665 100644 --- a/src/pepr/istio/index.ts +++ b/src/pepr/istio/index.ts @@ -1,3 +1,4 @@ +// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial import { Exec, KubeConfig } from "@kubernetes/client-node"; import { Capability, a } from "pepr"; import { Component, setupLogger } from "../logger"; diff --git a/src/pepr/logger.ts b/src/pepr/logger.ts index b40eccb4a..42536cd0d 100644 --- a/src/pepr/logger.ts +++ b/src/pepr/logger.ts @@ -1,3 +1,5 @@ +// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial + import { Log } from "pepr"; export enum Component { diff --git a/src/pepr/operator/common.ts b/src/pepr/operator/common.ts index 820e9d5f3..51f963e12 100644 --- a/src/pepr/operator/common.ts +++ b/src/pepr/operator/common.ts @@ -1,3 +1,4 @@ +// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial import { Capability } from "pepr"; export const operator = new Capability({ diff --git a/src/pepr/operator/controllers/exemptions/exemption-store.spec.ts b/src/pepr/operator/controllers/exemptions/exemption-store.spec.ts index 15e25d948..a805b1911 100644 --- a/src/pepr/operator/controllers/exemptions/exemption-store.spec.ts +++ b/src/pepr/operator/controllers/exemptions/exemption-store.spec.ts @@ -1,3 +1,4 @@ +// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial import { beforeEach, describe, expect, it } from "@jest/globals"; import { Matcher, MatcherKind, Policy } from "../../crd"; import { ExemptionStore } from "./exemption-store"; diff --git a/src/pepr/operator/controllers/exemptions/exemption-store.ts b/src/pepr/operator/controllers/exemptions/exemption-store.ts index 00b6d5e5d..095626ebe 100644 --- a/src/pepr/operator/controllers/exemptions/exemption-store.ts +++ b/src/pepr/operator/controllers/exemptions/exemption-store.ts @@ -1,3 +1,4 @@ +// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial import { Component, setupLogger } from "../../../logger"; import { StoredMatcher } from "../../../policies"; import { Matcher, Policy, UDSExemption } from "../../crd"; diff --git a/src/pepr/operator/controllers/exemptions/exemptions.spec.ts b/src/pepr/operator/controllers/exemptions/exemptions.spec.ts index b1bab8da1..b90ee1b9a 100644 --- a/src/pepr/operator/controllers/exemptions/exemptions.spec.ts +++ b/src/pepr/operator/controllers/exemptions/exemptions.spec.ts @@ -1,3 +1,4 @@ +// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial import { beforeEach, describe, expect, it } from "@jest/globals"; import { WatchPhase } from "kubernetes-fluent-client/dist/fluent/types"; import { MatcherKind, Policy } from "../../crd"; diff --git a/src/pepr/operator/controllers/exemptions/exemptions.ts b/src/pepr/operator/controllers/exemptions/exemptions.ts index 1b3401154..93b68ac20 100644 --- a/src/pepr/operator/controllers/exemptions/exemptions.ts +++ b/src/pepr/operator/controllers/exemptions/exemptions.ts @@ -1,3 +1,4 @@ +// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial import { WatchPhase } from "kubernetes-fluent-client/dist/fluent/types"; import { UDSExemption } from "../../crd"; import { ExemptionStore } from "./exemption-store"; diff --git a/src/pepr/operator/controllers/istio/injection.ts b/src/pepr/operator/controllers/istio/injection.ts index 50193ea96..61da94d57 100644 --- a/src/pepr/operator/controllers/istio/injection.ts +++ b/src/pepr/operator/controllers/istio/injection.ts @@ -1,3 +1,4 @@ +// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial import { K8s, kind } from "pepr"; import { Component, setupLogger } from "../../../logger"; diff --git a/src/pepr/operator/controllers/istio/istio-resources.ts b/src/pepr/operator/controllers/istio/istio-resources.ts index 297aec6b0..da4974b54 100644 --- a/src/pepr/operator/controllers/istio/istio-resources.ts +++ b/src/pepr/operator/controllers/istio/istio-resources.ts @@ -1,3 +1,4 @@ +// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial import { K8s } from "pepr"; import { Component, setupLogger } from "../../../logger"; diff --git a/src/pepr/operator/controllers/istio/service-entry.spec.ts b/src/pepr/operator/controllers/istio/service-entry.spec.ts index caeb1be1c..64f82a21b 100644 --- a/src/pepr/operator/controllers/istio/service-entry.spec.ts +++ b/src/pepr/operator/controllers/istio/service-entry.spec.ts @@ -1,3 +1,4 @@ +// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial import { describe, expect, it } from "@jest/globals"; import { UDSConfig } from "../../../config"; import { generateServiceEntry } from "./service-entry"; diff --git a/src/pepr/operator/controllers/istio/service-entry.ts b/src/pepr/operator/controllers/istio/service-entry.ts index b326a99d0..28d256a1f 100644 --- a/src/pepr/operator/controllers/istio/service-entry.ts +++ b/src/pepr/operator/controllers/istio/service-entry.ts @@ -1,3 +1,4 @@ +// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial import { UDSConfig } from "../../../config"; import { V1OwnerReference } from "@kubernetes/client-node"; import { diff --git a/src/pepr/operator/controllers/istio/virtual-service.spec.ts b/src/pepr/operator/controllers/istio/virtual-service.spec.ts index f07f6fe17..1c5fc23d7 100644 --- a/src/pepr/operator/controllers/istio/virtual-service.spec.ts +++ b/src/pepr/operator/controllers/istio/virtual-service.spec.ts @@ -1,3 +1,4 @@ +// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial import { describe, expect, it } from "@jest/globals"; import { UDSConfig } from "../../../config"; import { Expose, Gateway } from "../../crd"; diff --git a/src/pepr/operator/controllers/istio/virtual-service.ts b/src/pepr/operator/controllers/istio/virtual-service.ts index 983624975..f7b7647e2 100644 --- a/src/pepr/operator/controllers/istio/virtual-service.ts +++ b/src/pepr/operator/controllers/istio/virtual-service.ts @@ -1,3 +1,4 @@ +// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial import { V1OwnerReference } from "@kubernetes/client-node"; import { UDSConfig } from "../../../config"; import { Expose, Gateway, IstioHTTP, IstioHTTPRoute, IstioVirtualService } from "../../crd"; diff --git a/src/pepr/operator/controllers/keycloak/authservice/authorization-policy.ts b/src/pepr/operator/controllers/keycloak/authservice/authorization-policy.ts index 1c16fcbe4..6fca2f602 100644 --- a/src/pepr/operator/controllers/keycloak/authservice/authorization-policy.ts +++ b/src/pepr/operator/controllers/keycloak/authservice/authorization-policy.ts @@ -1,3 +1,4 @@ +// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial import { K8s } from "pepr"; import { UDSConfig } from "../../../../config"; import { diff --git a/src/pepr/operator/controllers/keycloak/authservice/authservice.spec.ts b/src/pepr/operator/controllers/keycloak/authservice/authservice.spec.ts index 770174196..3d0a8819a 100644 --- a/src/pepr/operator/controllers/keycloak/authservice/authservice.spec.ts +++ b/src/pepr/operator/controllers/keycloak/authservice/authservice.spec.ts @@ -1,3 +1,4 @@ +// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial import { beforeEach, describe, expect, jest, test } from "@jest/globals"; import { UDSPackage } from "../../../crd"; import { Client } from "../types"; diff --git a/src/pepr/operator/controllers/keycloak/authservice/authservice.ts b/src/pepr/operator/controllers/keycloak/authservice/authservice.ts index 675e931fa..3676fce91 100644 --- a/src/pepr/operator/controllers/keycloak/authservice/authservice.ts +++ b/src/pepr/operator/controllers/keycloak/authservice/authservice.ts @@ -1,3 +1,4 @@ +// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial import { R } from "pepr"; import { UDSConfig } from "../../../../config"; import { Component, setupLogger } from "../../../../logger"; diff --git a/src/pepr/operator/controllers/keycloak/authservice/config.ts b/src/pepr/operator/controllers/keycloak/authservice/config.ts index 76de7630e..2512ca815 100644 --- a/src/pepr/operator/controllers/keycloak/authservice/config.ts +++ b/src/pepr/operator/controllers/keycloak/authservice/config.ts @@ -1,3 +1,4 @@ +// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial import { createHash } from "crypto"; import { K8s, kind } from "pepr"; diff --git a/src/pepr/operator/controllers/keycloak/authservice/types.ts b/src/pepr/operator/controllers/keycloak/authservice/types.ts index 1d12fcbae..ededc02c8 100644 --- a/src/pepr/operator/controllers/keycloak/authservice/types.ts +++ b/src/pepr/operator/controllers/keycloak/authservice/types.ts @@ -1,3 +1,4 @@ +// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial import { Client } from "../types"; export enum Action { diff --git a/src/pepr/operator/controllers/keycloak/client-sync.spec.ts b/src/pepr/operator/controllers/keycloak/client-sync.spec.ts index 247ba7e70..3637f24aa 100644 --- a/src/pepr/operator/controllers/keycloak/client-sync.spec.ts +++ b/src/pepr/operator/controllers/keycloak/client-sync.spec.ts @@ -1,3 +1,4 @@ +// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial import { describe, expect, it } from "@jest/globals"; import { Sso } from "../../crd"; import { diff --git a/src/pepr/operator/controllers/keycloak/client-sync.ts b/src/pepr/operator/controllers/keycloak/client-sync.ts index b65db3327..8ea9b04c9 100644 --- a/src/pepr/operator/controllers/keycloak/client-sync.ts +++ b/src/pepr/operator/controllers/keycloak/client-sync.ts @@ -1,3 +1,4 @@ +// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial import { fetch, K8s, kind } from "pepr"; import { Component, setupLogger } from "../../../logger"; diff --git a/src/pepr/operator/controllers/keycloak/types.ts b/src/pepr/operator/controllers/keycloak/types.ts index bd20fe20d..04243ff00 100644 --- a/src/pepr/operator/controllers/keycloak/types.ts +++ b/src/pepr/operator/controllers/keycloak/types.ts @@ -1,3 +1,4 @@ +// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial import { ProtocolMapper } from "../../crd/generated/package-v1alpha1"; export interface Client { diff --git a/src/pepr/operator/controllers/monitoring/common.ts b/src/pepr/operator/controllers/monitoring/common.ts index a8afa5d1f..5128b628b 100644 --- a/src/pepr/operator/controllers/monitoring/common.ts +++ b/src/pepr/operator/controllers/monitoring/common.ts @@ -1,3 +1,4 @@ +// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial import { Monitor } from "../../crd"; import { sanitizeResourceName } from "../utils"; diff --git a/src/pepr/operator/controllers/monitoring/pod-monitor.spec.ts b/src/pepr/operator/controllers/monitoring/pod-monitor.spec.ts index acba54e26..58f5c1acb 100644 --- a/src/pepr/operator/controllers/monitoring/pod-monitor.spec.ts +++ b/src/pepr/operator/controllers/monitoring/pod-monitor.spec.ts @@ -1,3 +1,4 @@ +// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial import { describe, expect, it } from "@jest/globals"; import { Monitor } from "../../crd"; import { generatePodMonitor } from "./pod-monitor"; diff --git a/src/pepr/operator/controllers/monitoring/pod-monitor.ts b/src/pepr/operator/controllers/monitoring/pod-monitor.ts index d3f033898..6013819d7 100644 --- a/src/pepr/operator/controllers/monitoring/pod-monitor.ts +++ b/src/pepr/operator/controllers/monitoring/pod-monitor.ts @@ -1,3 +1,4 @@ +// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial import { V1OwnerReference } from "@kubernetes/client-node"; import { K8s } from "pepr"; import { Component, setupLogger } from "../../../logger"; diff --git a/src/pepr/operator/controllers/monitoring/service-monitor.spec.ts b/src/pepr/operator/controllers/monitoring/service-monitor.spec.ts index e99900409..26512f194 100644 --- a/src/pepr/operator/controllers/monitoring/service-monitor.spec.ts +++ b/src/pepr/operator/controllers/monitoring/service-monitor.spec.ts @@ -1,3 +1,4 @@ +// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial import { describe, expect, it } from "@jest/globals"; import { Monitor } from "../../crd"; import { generateServiceMonitor } from "./service-monitor"; diff --git a/src/pepr/operator/controllers/monitoring/service-monitor.ts b/src/pepr/operator/controllers/monitoring/service-monitor.ts index 9f567c245..3aa35324f 100644 --- a/src/pepr/operator/controllers/monitoring/service-monitor.ts +++ b/src/pepr/operator/controllers/monitoring/service-monitor.ts @@ -1,3 +1,4 @@ +// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial import { K8s } from "pepr"; import { V1OwnerReference } from "@kubernetes/client-node"; diff --git a/src/pepr/operator/controllers/network/defaults/allow-egress-dns.ts b/src/pepr/operator/controllers/network/defaults/allow-egress-dns.ts index a4fc5684e..9d44d7276 100644 --- a/src/pepr/operator/controllers/network/defaults/allow-egress-dns.ts +++ b/src/pepr/operator/controllers/network/defaults/allow-egress-dns.ts @@ -1,3 +1,4 @@ +// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial import { Direction } from "../../../crd"; import { generate } from "../generate"; diff --git a/src/pepr/operator/controllers/network/defaults/allow-egress-istiod.ts b/src/pepr/operator/controllers/network/defaults/allow-egress-istiod.ts index 775395aa4..80f0eb0a3 100644 --- a/src/pepr/operator/controllers/network/defaults/allow-egress-istiod.ts +++ b/src/pepr/operator/controllers/network/defaults/allow-egress-istiod.ts @@ -1,3 +1,4 @@ +// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial import { Direction } from "../../../crd"; import { generate } from "../generate"; diff --git a/src/pepr/operator/controllers/network/defaults/allow-ingress-sidecar-monitoring.ts b/src/pepr/operator/controllers/network/defaults/allow-ingress-sidecar-monitoring.ts index 6758a3c77..9bb22cc26 100644 --- a/src/pepr/operator/controllers/network/defaults/allow-ingress-sidecar-monitoring.ts +++ b/src/pepr/operator/controllers/network/defaults/allow-ingress-sidecar-monitoring.ts @@ -1,3 +1,4 @@ +// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial import { Direction } from "../../../crd"; import { generate } from "../generate"; diff --git a/src/pepr/operator/controllers/network/defaults/default-deny-all.ts b/src/pepr/operator/controllers/network/defaults/default-deny-all.ts index 9382b5c69..488dbf62d 100644 --- a/src/pepr/operator/controllers/network/defaults/default-deny-all.ts +++ b/src/pepr/operator/controllers/network/defaults/default-deny-all.ts @@ -1,3 +1,4 @@ +// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial import { kind } from "pepr"; export function defaultDenyAll(namespace: string): kind.NetworkPolicy { diff --git a/src/pepr/operator/controllers/network/generate.spec.ts b/src/pepr/operator/controllers/network/generate.spec.ts index 9abeb1647..0949708a5 100644 --- a/src/pepr/operator/controllers/network/generate.spec.ts +++ b/src/pepr/operator/controllers/network/generate.spec.ts @@ -1,3 +1,4 @@ +// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial import { describe, expect, it } from "@jest/globals"; import { kind } from "pepr"; import { Direction } from "../../crd"; diff --git a/src/pepr/operator/controllers/network/generate.ts b/src/pepr/operator/controllers/network/generate.ts index ecba6d1cb..473f73d4c 100644 --- a/src/pepr/operator/controllers/network/generate.ts +++ b/src/pepr/operator/controllers/network/generate.ts @@ -1,3 +1,4 @@ +// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial import { V1NetworkPolicyPeer, V1NetworkPolicyPort } from "@kubernetes/client-node"; import { kind } from "pepr"; diff --git a/src/pepr/operator/controllers/network/generators/anywhere.ts b/src/pepr/operator/controllers/network/generators/anywhere.ts index 58a982fc2..da732960e 100644 --- a/src/pepr/operator/controllers/network/generators/anywhere.ts +++ b/src/pepr/operator/controllers/network/generators/anywhere.ts @@ -1,3 +1,4 @@ +// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial import { V1NetworkPolicyPeer } from "@kubernetes/client-node"; import { META_IP } from "./cloudMetadata"; diff --git a/src/pepr/operator/controllers/network/generators/cloudMetadata.ts b/src/pepr/operator/controllers/network/generators/cloudMetadata.ts index 8d1f641e2..6373f35b3 100644 --- a/src/pepr/operator/controllers/network/generators/cloudMetadata.ts +++ b/src/pepr/operator/controllers/network/generators/cloudMetadata.ts @@ -1,3 +1,4 @@ +// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial import { V1NetworkPolicyPeer } from "@kubernetes/client-node"; export const META_IP = "169.254.169.254/32"; diff --git a/src/pepr/operator/controllers/network/generators/intraNamespace.ts b/src/pepr/operator/controllers/network/generators/intraNamespace.ts index 3fb7f17f0..b772c9f30 100644 --- a/src/pepr/operator/controllers/network/generators/intraNamespace.ts +++ b/src/pepr/operator/controllers/network/generators/intraNamespace.ts @@ -1,3 +1,4 @@ +// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial import { V1NetworkPolicyPeer } from "@kubernetes/client-node"; /** Matches any pod in the namespace */ diff --git a/src/pepr/operator/controllers/network/generators/kubeAPI.ts b/src/pepr/operator/controllers/network/generators/kubeAPI.ts index 550d90f92..988d4a989 100644 --- a/src/pepr/operator/controllers/network/generators/kubeAPI.ts +++ b/src/pepr/operator/controllers/network/generators/kubeAPI.ts @@ -1,3 +1,4 @@ +// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial import { V1NetworkPolicyPeer } from "@kubernetes/client-node"; import { K8s, kind, R } from "pepr"; diff --git a/src/pepr/operator/controllers/network/generators/remoteCidr.ts b/src/pepr/operator/controllers/network/generators/remoteCidr.ts index 031e43f16..4907d87b1 100644 --- a/src/pepr/operator/controllers/network/generators/remoteCidr.ts +++ b/src/pepr/operator/controllers/network/generators/remoteCidr.ts @@ -1,3 +1,4 @@ +// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial import { V1NetworkPolicyPeer } from "@kubernetes/client-node"; import { META_IP } from "./cloudMetadata"; diff --git a/src/pepr/operator/controllers/network/policies.ts b/src/pepr/operator/controllers/network/policies.ts index 8534f028f..1ceaecace 100644 --- a/src/pepr/operator/controllers/network/policies.ts +++ b/src/pepr/operator/controllers/network/policies.ts @@ -1,3 +1,4 @@ +// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial import { K8s, kind } from "pepr"; import { Component, setupLogger } from "../../../logger"; diff --git a/src/pepr/operator/controllers/utils.ts b/src/pepr/operator/controllers/utils.ts index 7bfd9e4cf..3e800ad23 100644 --- a/src/pepr/operator/controllers/utils.ts +++ b/src/pepr/operator/controllers/utils.ts @@ -1,3 +1,4 @@ +// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial import { V1OwnerReference } from "@kubernetes/client-node"; import { GenericClass, GenericKind } from "kubernetes-fluent-client"; import { K8s } from "pepr"; diff --git a/src/pepr/operator/crd/generated/exemption-v1alpha1.ts b/src/pepr/operator/crd/generated/exemption-v1alpha1.ts index 487c4961f..394318f8b 100644 --- a/src/pepr/operator/crd/generated/exemption-v1alpha1.ts +++ b/src/pepr/operator/crd/generated/exemption-v1alpha1.ts @@ -1,3 +1,4 @@ +// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial // This file is auto-generated by kubernetes-fluent-client, do not edit manually import { GenericKind, RegisterKind } from "kubernetes-fluent-client"; diff --git a/src/pepr/operator/crd/generated/istio/authorizationpolicy-v1beta1.ts b/src/pepr/operator/crd/generated/istio/authorizationpolicy-v1beta1.ts index f05d62b50..22388c962 100644 --- a/src/pepr/operator/crd/generated/istio/authorizationpolicy-v1beta1.ts +++ b/src/pepr/operator/crd/generated/istio/authorizationpolicy-v1beta1.ts @@ -1,3 +1,4 @@ +// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial // This file is auto-generated by kubernetes-fluent-client, do not edit manually import { GenericKind, RegisterKind } from "kubernetes-fluent-client"; diff --git a/src/pepr/operator/crd/generated/istio/requestauthentication-v1.ts b/src/pepr/operator/crd/generated/istio/requestauthentication-v1.ts index ecf85a878..7d52e3ea2 100644 --- a/src/pepr/operator/crd/generated/istio/requestauthentication-v1.ts +++ b/src/pepr/operator/crd/generated/istio/requestauthentication-v1.ts @@ -1,3 +1,4 @@ +// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial // This file is auto-generated by kubernetes-fluent-client, do not edit manually import { GenericKind, RegisterKind } from "kubernetes-fluent-client"; diff --git a/src/pepr/operator/crd/generated/istio/serviceentry-v1beta1.ts b/src/pepr/operator/crd/generated/istio/serviceentry-v1beta1.ts index 3ab93402f..da2f9cd4c 100644 --- a/src/pepr/operator/crd/generated/istio/serviceentry-v1beta1.ts +++ b/src/pepr/operator/crd/generated/istio/serviceentry-v1beta1.ts @@ -1,3 +1,4 @@ +// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial // This file is auto-generated by kubernetes-fluent-client, do not edit manually import { GenericKind, RegisterKind } from "kubernetes-fluent-client"; diff --git a/src/pepr/operator/crd/generated/istio/virtualservice-v1beta1.ts b/src/pepr/operator/crd/generated/istio/virtualservice-v1beta1.ts index c528769d3..20ab36789 100644 --- a/src/pepr/operator/crd/generated/istio/virtualservice-v1beta1.ts +++ b/src/pepr/operator/crd/generated/istio/virtualservice-v1beta1.ts @@ -1,3 +1,4 @@ +// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial // This file is auto-generated by kubernetes-fluent-client, do not edit manually import { GenericKind, RegisterKind } from "kubernetes-fluent-client"; diff --git a/src/pepr/operator/crd/generated/package-v1alpha1.ts b/src/pepr/operator/crd/generated/package-v1alpha1.ts index 20d896d92..32329fc0c 100644 --- a/src/pepr/operator/crd/generated/package-v1alpha1.ts +++ b/src/pepr/operator/crd/generated/package-v1alpha1.ts @@ -1,3 +1,4 @@ +// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial // This file is auto-generated by kubernetes-fluent-client, do not edit manually import { GenericKind, RegisterKind } from "kubernetes-fluent-client"; diff --git a/src/pepr/operator/crd/generated/prometheus/podmonitor-v1.ts b/src/pepr/operator/crd/generated/prometheus/podmonitor-v1.ts index 77bd51537..656807e42 100644 --- a/src/pepr/operator/crd/generated/prometheus/podmonitor-v1.ts +++ b/src/pepr/operator/crd/generated/prometheus/podmonitor-v1.ts @@ -1,3 +1,4 @@ +// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial // This file is auto-generated by kubernetes-fluent-client, do not edit manually import { GenericKind, RegisterKind } from "kubernetes-fluent-client"; diff --git a/src/pepr/operator/crd/generated/prometheus/servicemonitor-v1.ts b/src/pepr/operator/crd/generated/prometheus/servicemonitor-v1.ts index 94ea5b299..0741ddbce 100644 --- a/src/pepr/operator/crd/generated/prometheus/servicemonitor-v1.ts +++ b/src/pepr/operator/crd/generated/prometheus/servicemonitor-v1.ts @@ -1,3 +1,4 @@ +// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial // This file is auto-generated by kubernetes-fluent-client, do not edit manually import { GenericKind, RegisterKind } from "kubernetes-fluent-client"; diff --git a/src/pepr/operator/crd/index.ts b/src/pepr/operator/crd/index.ts index ac3bba71b..5e742b8ab 100644 --- a/src/pepr/operator/crd/index.ts +++ b/src/pepr/operator/crd/index.ts @@ -1,3 +1,4 @@ +// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial export { Allow, Direction, diff --git a/src/pepr/operator/crd/migrate.ts b/src/pepr/operator/crd/migrate.ts index 5b05f8034..c56da9c38 100644 --- a/src/pepr/operator/crd/migrate.ts +++ b/src/pepr/operator/crd/migrate.ts @@ -1,3 +1,4 @@ +// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial import { UDSPackage } from "."; /** diff --git a/src/pepr/operator/crd/register.ts b/src/pepr/operator/crd/register.ts index 9c2812930..b23dd3158 100644 --- a/src/pepr/operator/crd/register.ts +++ b/src/pepr/operator/crd/register.ts @@ -1,3 +1,4 @@ +// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial import { K8s, kind } from "pepr"; import { Component, setupLogger } from "../../logger"; diff --git a/src/pepr/operator/crd/sources/exemption/v1alpha1.ts b/src/pepr/operator/crd/sources/exemption/v1alpha1.ts index 71ff236f2..5ae49f940 100644 --- a/src/pepr/operator/crd/sources/exemption/v1alpha1.ts +++ b/src/pepr/operator/crd/sources/exemption/v1alpha1.ts @@ -1,3 +1,4 @@ +// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial import { V1CustomResourceDefinitionVersion, V1JSONSchemaProps } from "@kubernetes/client-node"; export const v1alpha1: V1CustomResourceDefinitionVersion = { diff --git a/src/pepr/operator/crd/sources/istio/virtualservice-v1beta1.ts b/src/pepr/operator/crd/sources/istio/virtualservice-v1beta1.ts index 5a30ff039..803b5da6d 100644 --- a/src/pepr/operator/crd/sources/istio/virtualservice-v1beta1.ts +++ b/src/pepr/operator/crd/sources/istio/virtualservice-v1beta1.ts @@ -1,3 +1,4 @@ +// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial import { V1JSONSchemaProps } from "@kubernetes/client-node"; const matchRequired = [{ required: ["exact"] }, { required: ["prefix"] }, { required: ["regex"] }]; diff --git a/src/pepr/operator/crd/sources/package/v1alpha1.ts b/src/pepr/operator/crd/sources/package/v1alpha1.ts index 8af0ed32a..023001218 100644 --- a/src/pepr/operator/crd/sources/package/v1alpha1.ts +++ b/src/pepr/operator/crd/sources/package/v1alpha1.ts @@ -1,3 +1,4 @@ +// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial import { V1CustomResourceDefinitionVersion, V1JSONSchemaProps } from "@kubernetes/client-node"; import { advancedHTTP } from "../istio/virtualservice-v1beta1"; diff --git a/src/pepr/operator/crd/validators/exempt-validator.spec.ts b/src/pepr/operator/crd/validators/exempt-validator.spec.ts index 1ce8d1cbf..a743a648f 100644 --- a/src/pepr/operator/crd/validators/exempt-validator.spec.ts +++ b/src/pepr/operator/crd/validators/exempt-validator.spec.ts @@ -1,3 +1,4 @@ +// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial import { afterEach, describe, expect, it, jest } from "@jest/globals"; import { PeprValidateRequest } from "pepr"; import { MatcherKind, UDSExemption } from ".."; diff --git a/src/pepr/operator/crd/validators/exempt-validator.ts b/src/pepr/operator/crd/validators/exempt-validator.ts index 06c9fbc68..a3217bdf9 100644 --- a/src/pepr/operator/crd/validators/exempt-validator.ts +++ b/src/pepr/operator/crd/validators/exempt-validator.ts @@ -1,3 +1,4 @@ +// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial import { PeprValidateRequest } from "pepr"; import { MatcherKind, Policy, UDSExemption } from ".."; import { UDSConfig } from "../../../config"; diff --git a/src/pepr/operator/crd/validators/package-validator.spec.ts b/src/pepr/operator/crd/validators/package-validator.spec.ts index 9c5e5ec0d..41d00b23d 100644 --- a/src/pepr/operator/crd/validators/package-validator.spec.ts +++ b/src/pepr/operator/crd/validators/package-validator.spec.ts @@ -1,3 +1,4 @@ +// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial import { afterEach, describe, expect, it, jest } from "@jest/globals"; import { PeprValidateRequest } from "pepr"; import { Allow, Direction, Expose, Gateway, Protocol, RemoteGenerated, Sso, UDSPackage } from ".."; diff --git a/src/pepr/operator/crd/validators/package-validator.ts b/src/pepr/operator/crd/validators/package-validator.ts index 2a88662c7..a2802c692 100644 --- a/src/pepr/operator/crd/validators/package-validator.ts +++ b/src/pepr/operator/crd/validators/package-validator.ts @@ -1,3 +1,4 @@ +// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial import { PeprValidateRequest } from "pepr"; import { Gateway, Protocol, UDSPackage } from ".."; diff --git a/src/pepr/operator/index.ts b/src/pepr/operator/index.ts index cffef0c71..90627d90e 100644 --- a/src/pepr/operator/index.ts +++ b/src/pepr/operator/index.ts @@ -1,3 +1,4 @@ +// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial // Common imports import { a } from "pepr"; import { When } from "./common"; diff --git a/src/pepr/operator/reconcilers/index.spec.ts b/src/pepr/operator/reconcilers/index.spec.ts index 8f7c22aa8..080afafe9 100644 --- a/src/pepr/operator/reconcilers/index.spec.ts +++ b/src/pepr/operator/reconcilers/index.spec.ts @@ -1,3 +1,4 @@ +// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial import { beforeEach, describe, expect, it, jest } from "@jest/globals"; import { GenericKind } from "kubernetes-fluent-client"; import { K8s, Log, kind } from "pepr"; diff --git a/src/pepr/operator/reconcilers/index.ts b/src/pepr/operator/reconcilers/index.ts index c9a173fb2..4f4fe515b 100644 --- a/src/pepr/operator/reconcilers/index.ts +++ b/src/pepr/operator/reconcilers/index.ts @@ -1,3 +1,4 @@ +// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial import { K8s, kind } from "pepr"; import { Component, setupLogger } from "../../logger"; diff --git a/src/pepr/operator/reconcilers/package-reconciler.spec.ts b/src/pepr/operator/reconcilers/package-reconciler.spec.ts index 69c336f25..5344ac1cc 100644 --- a/src/pepr/operator/reconcilers/package-reconciler.spec.ts +++ b/src/pepr/operator/reconcilers/package-reconciler.spec.ts @@ -1,3 +1,4 @@ +// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial import { beforeEach, describe, expect, jest, test } from "@jest/globals"; import { K8s, Log } from "pepr"; diff --git a/src/pepr/operator/reconcilers/package-reconciler.ts b/src/pepr/operator/reconcilers/package-reconciler.ts index 42669d7f2..fc39e4387 100644 --- a/src/pepr/operator/reconcilers/package-reconciler.ts +++ b/src/pepr/operator/reconcilers/package-reconciler.ts @@ -1,3 +1,4 @@ +// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial import { handleFailure, shouldSkip, updateStatus, writeEvent } from "."; import { UDSConfig } from "../../config"; import { Component, setupLogger } from "../../logger"; diff --git a/src/pepr/policies/common.ts b/src/pepr/policies/common.ts index 0a953faa4..ac5a54803 100644 --- a/src/pepr/policies/common.ts +++ b/src/pepr/policies/common.ts @@ -1,3 +1,4 @@ +// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial import { KubernetesObject, V1Container, V1SecurityContext } from "@kubernetes/client-node"; import { Capability, PeprMutateRequest, PeprValidateRequest, a } from "pepr"; import { Policy } from "../operator/crd"; diff --git a/src/pepr/policies/exemptions/index.spec.ts b/src/pepr/policies/exemptions/index.spec.ts index 3f8faa429..fa513d8df 100644 --- a/src/pepr/policies/exemptions/index.spec.ts +++ b/src/pepr/policies/exemptions/index.spec.ts @@ -1,3 +1,4 @@ +// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial import { beforeAll, describe, expect, it, jest } from "@jest/globals"; import { PeprValidateRequest, kind } from "pepr"; import { isExempt } from "."; diff --git a/src/pepr/policies/exemptions/index.ts b/src/pepr/policies/exemptions/index.ts index db2e11c68..601a10370 100644 --- a/src/pepr/policies/exemptions/index.ts +++ b/src/pepr/policies/exemptions/index.ts @@ -1,3 +1,4 @@ +// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial import { KubernetesObject } from "kubernetes-fluent-client"; import { PeprMutateRequest, PeprValidateRequest } from "pepr"; import { Component, setupLogger } from "../../logger"; diff --git a/src/pepr/policies/index.ts b/src/pepr/policies/index.ts index 8ba25dc26..3241bdfc8 100644 --- a/src/pepr/policies/index.ts +++ b/src/pepr/policies/index.ts @@ -1,3 +1,4 @@ +// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial // Various validation actions for Kubernetes resources from Big Bang import { WatchCfg } from "kubernetes-fluent-client"; import { K8s } from "pepr"; diff --git a/src/pepr/policies/network.spec.ts b/src/pepr/policies/network.spec.ts index 7f0779dee..2a94e0d28 100644 --- a/src/pepr/policies/network.spec.ts +++ b/src/pepr/policies/network.spec.ts @@ -1,3 +1,4 @@ +// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial import { describe, expect, it } from "@jest/globals"; import { K8s, kind } from "pepr"; diff --git a/src/pepr/policies/networking.ts b/src/pepr/policies/networking.ts index 02165233a..283e3ec94 100644 --- a/src/pepr/policies/networking.ts +++ b/src/pepr/policies/networking.ts @@ -1,3 +1,4 @@ +// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial import { a } from "pepr"; import { When, containers } from "./common"; diff --git a/src/pepr/policies/security.spec.ts b/src/pepr/policies/security.spec.ts index c047e6976..ba93c1a41 100644 --- a/src/pepr/policies/security.spec.ts +++ b/src/pepr/policies/security.spec.ts @@ -1,3 +1,4 @@ +// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial import { describe, expect, it } from "@jest/globals"; import { K8s, kind } from "pepr"; diff --git a/src/pepr/policies/security.ts b/src/pepr/policies/security.ts index 6d614b58c..5f5b63ea4 100644 --- a/src/pepr/policies/security.ts +++ b/src/pepr/policies/security.ts @@ -1,3 +1,4 @@ +// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial import { a } from "pepr"; import { V1SecurityContext } from "@kubernetes/client-node"; diff --git a/src/pepr/policies/storage.spec.ts b/src/pepr/policies/storage.spec.ts index b7b53eafb..73f0c273b 100644 --- a/src/pepr/policies/storage.spec.ts +++ b/src/pepr/policies/storage.spec.ts @@ -1,3 +1,4 @@ +// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial import { describe, expect, it } from "@jest/globals"; import { K8s, kind } from "pepr"; diff --git a/src/pepr/policies/storage.ts b/src/pepr/policies/storage.ts index a7559666d..b26df6b3e 100644 --- a/src/pepr/policies/storage.ts +++ b/src/pepr/policies/storage.ts @@ -1,3 +1,4 @@ +// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial import { a } from "pepr"; import { Policy } from "../operator/crd"; diff --git a/src/pepr/prometheus/index.ts b/src/pepr/prometheus/index.ts index ef4c1e34e..45f138332 100644 --- a/src/pepr/prometheus/index.ts +++ b/src/pepr/prometheus/index.ts @@ -1,3 +1,4 @@ +// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial import { Capability, K8s, kind } from "pepr"; import { Component, setupLogger } from "../logger"; import { diff --git a/src/pepr/tasks.yaml b/src/pepr/tasks.yaml index 4033b25f9..c356426af 100644 --- a/src/pepr/tasks.yaml +++ b/src/pepr/tasks.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial tasks: - name: validate actions: diff --git a/src/pepr/uds-operator-config/Chart.yaml b/src/pepr/uds-operator-config/Chart.yaml index fd20c4ad3..3da27ecb2 100644 --- a/src/pepr/uds-operator-config/Chart.yaml +++ b/src/pepr/uds-operator-config/Chart.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial apiVersion: v2 name: uds-operator-config description: UDS Core configuration for UDS Operator diff --git a/src/pepr/uds-operator-config/templates/secret.yaml b/src/pepr/uds-operator-config/templates/secret.yaml index 503a4b2e0..5cb2117ec 100644 --- a/src/pepr/uds-operator-config/templates/secret.yaml +++ b/src/pepr/uds-operator-config/templates/secret.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial apiVersion: v1 kind: Secret metadata: diff --git a/src/pepr/uds-operator-config/values.yaml b/src/pepr/uds-operator-config/values.yaml index 5c5916211..9fab7e3b7 100644 --- a/src/pepr/uds-operator-config/values.yaml +++ b/src/pepr/uds-operator-config/values.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial operator: UDS_DOMAIN: "###ZARF_VAR_DOMAIN###" UDS_CA_CERT: "###ZARF_VAR_CA_CERT###" diff --git a/src/pepr/values.yaml b/src/pepr/values.yaml index 55ee5664a..9f339f5c6 100644 --- a/src/pepr/values.yaml +++ b/src/pepr/values.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial watcher: serviceMonitor: enabled: ###ZARF_VAR_PEPR_SERVICE_MONITORS### diff --git a/src/pepr/zarf.yaml b/src/pepr/zarf.yaml index f5f2af6a4..ea1a8925b 100644 --- a/src/pepr/zarf.yaml +++ b/src/pepr/zarf.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial kind: ZarfPackageConfig metadata: name: pepr-uds-core diff --git a/src/prometheus-stack/chart/Chart.yaml b/src/prometheus-stack/chart/Chart.yaml index 032e81126..1f1859d14 100644 --- a/src/prometheus-stack/chart/Chart.yaml +++ b/src/prometheus-stack/chart/Chart.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial apiVersion: v2 name: uds-prometheus-config description: Prometheus stack configuration for UDS diff --git a/src/prometheus-stack/chart/templates/istio-monitor.yaml b/src/prometheus-stack/chart/templates/istio-monitor.yaml index f2871b10b..fcaeb789a 100644 --- a/src/prometheus-stack/chart/templates/istio-monitor.yaml +++ b/src/prometheus-stack/chart/templates/istio-monitor.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial # This podmonitor will pick up envoy stats for all Istio sidecars across the cluster apiVersion: monitoring.coreos.com/v1 kind: PodMonitor diff --git a/src/prometheus-stack/chart/templates/peerauthentication/prometheus-operator-pa.yaml b/src/prometheus-stack/chart/templates/peerauthentication/prometheus-operator-pa.yaml index eb1c14d0e..32fde5007 100644 --- a/src/prometheus-stack/chart/templates/peerauthentication/prometheus-operator-pa.yaml +++ b/src/prometheus-stack/chart/templates/peerauthentication/prometheus-operator-pa.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial {{- if .Capabilities.APIVersions.Has "security.istio.io/v1beta1" }} apiVersion: "security.istio.io/v1beta1" kind: PeerAuthentication diff --git a/src/prometheus-stack/chart/templates/prometheus-pod-monitor.yaml b/src/prometheus-stack/chart/templates/prometheus-pod-monitor.yaml index 06bcd9e5c..6179cab8d 100644 --- a/src/prometheus-stack/chart/templates/prometheus-pod-monitor.yaml +++ b/src/prometheus-stack/chart/templates/prometheus-pod-monitor.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial # This pod monitor is used instead of a service monitor to handle mTLS with self-monitoring apiVersion: monitoring.coreos.com/v1 kind: PodMonitor diff --git a/src/prometheus-stack/chart/templates/uds-exemption.yaml b/src/prometheus-stack/chart/templates/uds-exemption.yaml index 9d9b7e317..b533b9fc7 100644 --- a/src/prometheus-stack/chart/templates/uds-exemption.yaml +++ b/src/prometheus-stack/chart/templates/uds-exemption.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial apiVersion: uds.dev/v1alpha1 kind: Exemption metadata: diff --git a/src/prometheus-stack/chart/templates/uds-package.yaml b/src/prometheus-stack/chart/templates/uds-package.yaml index 2dfda03fb..fe8f7c1ef 100644 --- a/src/prometheus-stack/chart/templates/uds-package.yaml +++ b/src/prometheus-stack/chart/templates/uds-package.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial apiVersion: uds.dev/v1alpha1 kind: Package metadata: diff --git a/src/prometheus-stack/common/zarf.yaml b/src/prometheus-stack/common/zarf.yaml index fefc30e50..1eb3db093 100644 --- a/src/prometheus-stack/common/zarf.yaml +++ b/src/prometheus-stack/common/zarf.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial kind: ZarfPackageConfig metadata: name: uds-core-prometheus-stack-common diff --git a/src/prometheus-stack/oscal-component.yaml b/src/prometheus-stack/oscal-component.yaml index 2dab3e066..496b32d0d 100644 --- a/src/prometheus-stack/oscal-component.yaml +++ b/src/prometheus-stack/oscal-component.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial component-definition: uuid: 017dbd45-5122-4c11-b5ce-d4b31116c581 metadata: diff --git a/src/prometheus-stack/tasks.yaml b/src/prometheus-stack/tasks.yaml index ab3939d63..cdf6d4d27 100644 --- a/src/prometheus-stack/tasks.yaml +++ b/src/prometheus-stack/tasks.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial tasks: - name: validate actions: diff --git a/src/prometheus-stack/values/crd-values.yaml b/src/prometheus-stack/values/crd-values.yaml index b5d80740e..cbcfd0977 100644 --- a/src/prometheus-stack/values/crd-values.yaml +++ b/src/prometheus-stack/values/crd-values.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial ## Annotations for CRDs crds: annotations: {} diff --git a/src/prometheus-stack/values/registry1-values.yaml b/src/prometheus-stack/values/registry1-values.yaml index c6225f69e..b262d1fbc 100644 --- a/src/prometheus-stack/values/registry1-values.yaml +++ b/src/prometheus-stack/values/registry1-values.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial alertmanager: alertmanagerSpec: image: diff --git a/src/prometheus-stack/values/unicorn-values.yaml b/src/prometheus-stack/values/unicorn-values.yaml index 92db339d5..4a9988f39 100644 --- a/src/prometheus-stack/values/unicorn-values.yaml +++ b/src/prometheus-stack/values/unicorn-values.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial alertmanager: alertmanagerSpec: image: diff --git a/src/prometheus-stack/values/upstream-values.yaml b/src/prometheus-stack/values/upstream-values.yaml index 6a2314092..9f52d3618 100644 --- a/src/prometheus-stack/values/upstream-values.yaml +++ b/src/prometheus-stack/values/upstream-values.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial alertmanager: alertmanagerSpec: image: diff --git a/src/prometheus-stack/values/values.yaml b/src/prometheus-stack/values/values.yaml index 1419a08a0..c3aa80e59 100644 --- a/src/prometheus-stack/values/values.yaml +++ b/src/prometheus-stack/values/values.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial crds: enabled: false grafana: diff --git a/src/prometheus-stack/zarf.yaml b/src/prometheus-stack/zarf.yaml index 7c1126a86..71a31d717 100644 --- a/src/prometheus-stack/zarf.yaml +++ b/src/prometheus-stack/zarf.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial kind: ZarfPackageConfig metadata: name: uds-core-prometheus-stack diff --git a/src/runtime/tasks.yaml b/src/runtime/tasks.yaml index 75208bc81..77a425176 100644 --- a/src/runtime/tasks.yaml +++ b/src/runtime/tasks.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial tasks: - name: validate actions: diff --git a/src/runtime/zarf.yaml b/src/runtime/zarf.yaml index 749c6533c..cdccb7cd9 100644 --- a/src/runtime/zarf.yaml +++ b/src/runtime/zarf.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial kind: ZarfPackageConfig metadata: name: uds-core-runtime diff --git a/src/tempo/tasks.yaml b/src/tempo/tasks.yaml index e3b314c9b..47f789e05 100644 --- a/src/tempo/tasks.yaml +++ b/src/tempo/tasks.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial tasks: - name: validate actions: diff --git a/src/tempo/zarf.yaml b/src/tempo/zarf.yaml index 55413629d..eaceb49fe 100644 --- a/src/tempo/zarf.yaml +++ b/src/tempo/zarf.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial kind: ZarfPackageConfig metadata: name: uds-core-tempo diff --git a/src/test/app-admin.yaml b/src/test/app-admin.yaml index 785438ea6..66853b066 100644 --- a/src/test/app-admin.yaml +++ b/src/test/app-admin.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial apiVersion: v1 kind: Namespace metadata: diff --git a/src/test/app-authservice-tenant.yaml b/src/test/app-authservice-tenant.yaml index 04093682b..c302361f7 100644 --- a/src/test/app-authservice-tenant.yaml +++ b/src/test/app-authservice-tenant.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial apiVersion: v1 kind: Namespace metadata: diff --git a/src/test/app-tenant.yaml b/src/test/app-tenant.yaml index 3eb203b99..6e6c23039 100644 --- a/src/test/app-tenant.yaml +++ b/src/test/app-tenant.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial apiVersion: v1 kind: Namespace metadata: diff --git a/src/test/chart/Chart.yaml b/src/test/chart/Chart.yaml index 288986028..d2049f72c 100644 --- a/src/test/chart/Chart.yaml +++ b/src/test/chart/Chart.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial apiVersion: v2 name: uds-podinfo-config description: A Helm chart for testing an exempted-app diff --git a/src/test/chart/templates/exemption1.yaml b/src/test/chart/templates/exemption1.yaml index b170dc955..c9eabdbe2 100644 --- a/src/test/chart/templates/exemption1.yaml +++ b/src/test/chart/templates/exemption1.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial apiVersion: uds.dev/v1alpha1 kind: Exemption metadata: diff --git a/src/test/chart/templates/exemption2.yaml b/src/test/chart/templates/exemption2.yaml index 6e03d00c0..9e2f855e4 100644 --- a/src/test/chart/templates/exemption2.yaml +++ b/src/test/chart/templates/exemption2.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial apiVersion: uds.dev/v1alpha1 kind: Exemption metadata: diff --git a/src/test/chart/templates/exemption3.yaml b/src/test/chart/templates/exemption3.yaml index 6e470070e..259737146 100644 --- a/src/test/chart/templates/exemption3.yaml +++ b/src/test/chart/templates/exemption3.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial apiVersion: uds.dev/v1alpha1 kind: Exemption metadata: diff --git a/src/test/chart/templates/exemption4.yaml b/src/test/chart/templates/exemption4.yaml index 7c71840c5..df378444c 100644 --- a/src/test/chart/templates/exemption4.yaml +++ b/src/test/chart/templates/exemption4.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial apiVersion: uds.dev/v1alpha1 kind: Exemption metadata: diff --git a/src/test/chart/templates/exemption5.yaml b/src/test/chart/templates/exemption5.yaml index 856688656..bd73cf554 100644 --- a/src/test/chart/templates/exemption5.yaml +++ b/src/test/chart/templates/exemption5.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial apiVersion: uds.dev/v1alpha1 kind: Exemption metadata: diff --git a/src/test/chart/templates/package.yaml b/src/test/chart/templates/package.yaml index 1bb8d8e76..b5b4f49cc 100644 --- a/src/test/chart/templates/package.yaml +++ b/src/test/chart/templates/package.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial apiVersion: uds.dev/v1alpha1 kind: Package metadata: diff --git a/src/test/podinfo-values.yaml b/src/test/podinfo-values.yaml index 7be05fd31..739a8f1e6 100644 --- a/src/test/podinfo-values.yaml +++ b/src/test/podinfo-values.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial # Values set to intentionally violate pepr policies securityContext: runAsUser: 0 diff --git a/src/test/tasks.yaml b/src/test/tasks.yaml index 905791c46..8374d542f 100644 --- a/src/test/tasks.yaml +++ b/src/test/tasks.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial tasks: - name: validate description: Test app used for UDS Core validation diff --git a/src/test/zarf.yaml b/src/test/zarf.yaml index f350e036e..43462601b 100644 --- a/src/test/zarf.yaml +++ b/src/test/zarf.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial kind: ZarfPackageConfig metadata: name: uds-core-test-apps diff --git a/src/vector/chart/Chart.yaml b/src/vector/chart/Chart.yaml index 6b5ca4898..6132e9c26 100644 --- a/src/vector/chart/Chart.yaml +++ b/src/vector/chart/Chart.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial apiVersion: v2 name: uds-vector-config description: Vector configuration for UDS diff --git a/src/vector/chart/templates/uds-exemption.yaml b/src/vector/chart/templates/uds-exemption.yaml index 0c6032102..05197f163 100644 --- a/src/vector/chart/templates/uds-exemption.yaml +++ b/src/vector/chart/templates/uds-exemption.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial apiVersion: uds.dev/v1alpha1 kind: Exemption metadata: diff --git a/src/vector/chart/templates/uds-package.yaml b/src/vector/chart/templates/uds-package.yaml index b6bf5bbc1..82f14fc38 100644 --- a/src/vector/chart/templates/uds-package.yaml +++ b/src/vector/chart/templates/uds-package.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial apiVersion: uds.dev/v1alpha1 kind: Package metadata: diff --git a/src/vector/chart/values.yaml b/src/vector/chart/values.yaml index f2d4d867f..3ed57ceb0 100644 --- a/src/vector/chart/values.yaml +++ b/src/vector/chart/values.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial additionalNetworkAllow: [] # Examples: # - direction: Egress diff --git a/src/vector/common/zarf.yaml b/src/vector/common/zarf.yaml index b020db0e8..49515329c 100644 --- a/src/vector/common/zarf.yaml +++ b/src/vector/common/zarf.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial kind: ZarfPackageConfig metadata: name: uds-core-vector-common diff --git a/src/vector/oscal-component.yaml b/src/vector/oscal-component.yaml index fef87cc00..f45e5cf3b 100644 --- a/src/vector/oscal-component.yaml +++ b/src/vector/oscal-component.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial component-definition: uuid: ff959bdb-7be9-49b3-9dc2-c41b34e7017d metadata: diff --git a/src/vector/tasks.yaml b/src/vector/tasks.yaml index 69dfbf4ff..eb49b27f0 100644 --- a/src/vector/tasks.yaml +++ b/src/vector/tasks.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial tasks: - name: validate actions: diff --git a/src/vector/values/registry1-values.yaml b/src/vector/values/registry1-values.yaml index 85509e7b4..d4a398859 100644 --- a/src/vector/values/registry1-values.yaml +++ b/src/vector/values/registry1-values.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial image: repository: registry1.dso.mil/ironbank/opensource/timberio/vector tag: 0.41.1 diff --git a/src/vector/values/unicorn-values.yaml b/src/vector/values/unicorn-values.yaml index d90700602..2644abfed 100644 --- a/src/vector/values/unicorn-values.yaml +++ b/src/vector/values/unicorn-values.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial image: repository: cgr.dev/du-uds-defenseunicorns/vector tag: 0.41.1 diff --git a/src/vector/values/upstream-values.yaml b/src/vector/values/upstream-values.yaml index 5180f3c7c..f783dbdc1 100644 --- a/src/vector/values/upstream-values.yaml +++ b/src/vector/values/upstream-values.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial image: repository: timberio/vector tag: 0.41.1-distroless-static diff --git a/src/vector/values/values.yaml b/src/vector/values/values.yaml index 7bbe3ee60..21dd2d6fe 100644 --- a/src/vector/values/values.yaml +++ b/src/vector/values/values.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial # Run as an agent daemonset role: "Agent" diff --git a/src/vector/zarf.yaml b/src/vector/zarf.yaml index 738476d7d..989eaa4a6 100644 --- a/src/vector/zarf.yaml +++ b/src/vector/zarf.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial kind: ZarfPackageConfig metadata: name: uds-core-vector diff --git a/src/velero/chart/Chart.yaml b/src/velero/chart/Chart.yaml index 751f5e64a..dac901d58 100644 --- a/src/velero/chart/Chart.yaml +++ b/src/velero/chart/Chart.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial apiVersion: v2 name: uds-velero-config description: Velero configuration for UDS diff --git a/src/velero/chart/templates/uds-package.yaml b/src/velero/chart/templates/uds-package.yaml index 0326a863e..efc0fb259 100644 --- a/src/velero/chart/templates/uds-package.yaml +++ b/src/velero/chart/templates/uds-package.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial apiVersion: uds.dev/v1alpha1 kind: Package metadata: diff --git a/src/velero/chart/values.yaml b/src/velero/chart/values.yaml index fbb557b5a..a30fe4c3d 100644 --- a/src/velero/chart/values.yaml +++ b/src/velero/chart/values.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial storage: internal: enabled: false diff --git a/src/velero/common/zarf.yaml b/src/velero/common/zarf.yaml index 398d902cc..d05bb66ff 100644 --- a/src/velero/common/zarf.yaml +++ b/src/velero/common/zarf.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial kind: ZarfPackageConfig metadata: name: uds-core-velero-common diff --git a/src/velero/oscal-component.yaml b/src/velero/oscal-component.yaml index b98db8364..3f30fa9b6 100644 --- a/src/velero/oscal-component.yaml +++ b/src/velero/oscal-component.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial component-definition: uuid: D73CF4E6-D893-4BDE-A195-C4DE782DF63B metadata: diff --git a/src/velero/tasks.yaml b/src/velero/tasks.yaml index 1c129338b..516a3dfb0 100644 --- a/src/velero/tasks.yaml +++ b/src/velero/tasks.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial tasks: - name: validate actions: diff --git a/src/velero/values/registry1-values.yaml b/src/velero/values/registry1-values.yaml index a77d3af58..2c48af4ed 100644 --- a/src/velero/values/registry1-values.yaml +++ b/src/velero/values/registry1-values.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial image: repository: registry1.dso.mil/ironbank/opensource/velero/velero tag: v1.14.1 diff --git a/src/velero/values/unicorn-values.yaml b/src/velero/values/unicorn-values.yaml index 9f78c90db..79be186ae 100644 --- a/src/velero/values/unicorn-values.yaml +++ b/src/velero/values/unicorn-values.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial image: repository: cgr.dev/du-uds-defenseunicorns/velero-fips tag: 1.14.1-dev diff --git a/src/velero/values/upstream-values.yaml b/src/velero/values/upstream-values.yaml index 765de705c..e0698a32d 100644 --- a/src/velero/values/upstream-values.yaml +++ b/src/velero/values/upstream-values.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial image: repository: velero/velero tag: v1.14.1 diff --git a/src/velero/values/values.yaml b/src/velero/values/values.yaml index c77c7334c..3bab10637 100644 --- a/src/velero/values/values.yaml +++ b/src/velero/values/values.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial credentials: useSecret: true name: "velero-bucket-credentials" diff --git a/src/velero/zarf.yaml b/src/velero/zarf.yaml index e3a809c83..3325aa2de 100644 --- a/src/velero/zarf.yaml +++ b/src/velero/zarf.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial kind: ZarfPackageConfig metadata: name: uds-core-velero diff --git a/tasks.yaml b/tasks.yaml index c7fec109d..fccddfc61 100644 --- a/tasks.yaml +++ b/tasks.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial variables: - name: FLAVOR default: upstream diff --git a/tasks/create.yaml b/tasks/create.yaml index c6d8b26a4..15be058c8 100644 --- a/tasks/create.yaml +++ b/tasks/create.yaml @@ -1,3 +1,5 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial + includes: - common: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.13.1/tasks/create.yaml diff --git a/tasks/deploy.yaml b/tasks/deploy.yaml index 08c15b655..7496d540e 100644 --- a/tasks/deploy.yaml +++ b/tasks/deploy.yaml @@ -1,3 +1,5 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial + includes: - utils: utils.yaml diff --git a/tasks/iac.yaml b/tasks/iac.yaml index 5f4bba97c..bcdf35783 100644 --- a/tasks/iac.yaml +++ b/tasks/iac.yaml @@ -1,3 +1,5 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial + variables: - name: CLUSTER_NAME - name: K8S_DISTRO diff --git a/tasks/lint.yaml b/tasks/lint.yaml index 471072261..50a412f21 100644 --- a/tasks/lint.yaml +++ b/tasks/lint.yaml @@ -1,3 +1,5 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial + includes: - remote: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.13.1/tasks/lint.yaml diff --git a/tasks/publish.yaml b/tasks/publish.yaml index b9d14f208..f4b56f90d 100644 --- a/tasks/publish.yaml +++ b/tasks/publish.yaml @@ -1,3 +1,5 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial + includes: - utils: utils.yaml - test: test.yaml diff --git a/tasks/setup.yaml b/tasks/setup.yaml index a1fa3cf56..4051c8bbc 100644 --- a/tasks/setup.yaml +++ b/tasks/setup.yaml @@ -1,3 +1,5 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial + tasks: - name: create-k3d-cluster actions: diff --git a/tasks/test.yaml b/tasks/test.yaml index ec52fb248..5da8c22bb 100644 --- a/tasks/test.yaml +++ b/tasks/test.yaml @@ -1,3 +1,5 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial + includes: - create: ./create.yaml - setup: ./setup.yaml diff --git a/tasks/utils.yaml b/tasks/utils.yaml index 6afa8c9d6..c5cf75346 100644 --- a/tasks/utils.yaml +++ b/tasks/utils.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial variables: - name: BASE_REPO default: "ghcr.io/defenseunicorns/packages" diff --git a/zarf-config.yaml b/zarf-config.yaml index 8ee66a63c..4900923b4 100644 --- a/zarf-config.yaml +++ b/zarf-config.yaml @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial # Disable until UDS CLI isn't super noisy no_progress: true From 1aa4df32de31600133fa66defab53f5b8f17c185 Mon Sep 17 00:00:00 2001 From: Megamind <882485+jeff-mccoy@users.noreply.github.com> Date: Wed, 9 Oct 2024 07:54:15 -0500 Subject: [PATCH 49/90] chore: cleanup license parsing for github (#881) This makes the AGPL license the default and details the alternate license option in a licensing file similar to how [Grafana](https://github.com/grafana/grafana/blob/main/LICENSING.md) does this. --- LICENSE-agpl-v3.md | 661 ------------------------- LICENSE.md | 676 +++++++++++++++++++++++++- LICENSE-commercial.md => LICENSING.md | 9 + 3 files changed, 660 insertions(+), 686 deletions(-) delete mode 100644 LICENSE-agpl-v3.md rename LICENSE-commercial.md => LICENSING.md (70%) diff --git a/LICENSE-agpl-v3.md b/LICENSE-agpl-v3.md deleted file mode 100644 index 0ad25db4b..000000000 --- a/LICENSE-agpl-v3.md +++ /dev/null @@ -1,661 +0,0 @@ - GNU AFFERO GENERAL PUBLIC LICENSE - Version 3, 19 November 2007 - - Copyright (C) 2007 Free Software Foundation, Inc. - Everyone is permitted to copy and distribute verbatim copies - of this license document, but changing it is not allowed. - - Preamble - - The GNU Affero General Public License is a free, copyleft license for -software and other kinds of works, specifically designed to ensure -cooperation with the community in the case of network server software. - - The licenses for most software and other practical works are designed -to take away your freedom to share and change the works. By contrast, -our General Public Licenses are intended to guarantee your freedom to -share and change all versions of a program--to make sure it remains free -software for all its users. - - When we speak of free software, we are referring to freedom, not -price. Our General Public Licenses are designed to make sure that you -have the freedom to distribute copies of free software (and charge for -them if you wish), that you receive source code or can get it if you -want it, that you can change the software or use pieces of it in new -free programs, and that you know you can do these things. - - Developers that use our General Public Licenses protect your rights -with two steps: (1) assert copyright on the software, and (2) offer -you this License which gives you legal permission to copy, distribute -and/or modify the software. - - A secondary benefit of defending all users' freedom is that -improvements made in alternate versions of the program, if they -receive widespread use, become available for other developers to -incorporate. Many developers of free software are heartened and -encouraged by the resulting cooperation. However, in the case of -software used on network servers, this result may fail to come about. -The GNU General Public License permits making a modified version and -letting the public access it on a server without ever releasing its -source code to the public. - - The GNU Affero General Public License is designed specifically to -ensure that, in such cases, the modified source code becomes available -to the community. It requires the operator of a network server to -provide the source code of the modified version running there to the -users of that server. Therefore, public use of a modified version, on -a publicly accessible server, gives the public access to the source -code of the modified version. - - An older license, called the Affero General Public License and -published by Affero, was designed to accomplish similar goals. This is -a different license, not a version of the Affero GPL, but Affero has -released a new version of the Affero GPL which permits relicensing under -this license. - - The precise terms and conditions for copying, distribution and -modification follow. - - TERMS AND CONDITIONS - - 0. Definitions. - - "This License" refers to version 3 of the GNU Affero General Public License. - - "Copyright" also means copyright-like laws that apply to other kinds of -works, such as semiconductor masks. - - "The Program" refers to any copyrightable work licensed under this -License. Each licensee is addressed as "you". "Licensees" and -"recipients" may be individuals or organizations. - - To "modify" a work means to copy from or adapt all or part of the work -in a fashion requiring copyright permission, other than the making of an -exact copy. The resulting work is called a "modified version" of the -earlier work or a work "based on" the earlier work. - - A "covered work" means either the unmodified Program or a work based -on the Program. - - To "propagate" a work means to do anything with it that, without -permission, would make you directly or secondarily liable for -infringement under applicable copyright law, except executing it on a -computer or modifying a private copy. Propagation includes copying, -distribution (with or without modification), making available to the -public, and in some countries other activities as well. - - To "convey" a work means any kind of propagation that enables other -parties to make or receive copies. Mere interaction with a user through -a computer network, with no transfer of a copy, is not conveying. - - An interactive user interface displays "Appropriate Legal Notices" -to the extent that it includes a convenient and prominently visible -feature that (1) displays an appropriate copyright notice, and (2) -tells the user that there is no warranty for the work (except to the -extent that warranties are provided), that licensees may convey the -work under this License, and how to view a copy of this License. If -the interface presents a list of user commands or options, such as a -menu, a prominent item in the list meets this criterion. - - 1. Source Code. - - The "source code" for a work means the preferred form of the work -for making modifications to it. "Object code" means any non-source -form of a work. - - A "Standard Interface" means an interface that either is an official -standard defined by a recognized standards body, or, in the case of -interfaces specified for a particular programming language, one that -is widely used among developers working in that language. - - The "System Libraries" of an executable work include anything, other -than the work as a whole, that (a) is included in the normal form of -packaging a Major Component, but which is not part of that Major -Component, and (b) serves only to enable use of the work with that -Major Component, or to implement a Standard Interface for which an -implementation is available to the public in source code form. A -"Major Component", in this context, means a major essential component -(kernel, window system, and so on) of the specific operating system -(if any) on which the executable work runs, or a compiler used to -produce the work, or an object code interpreter used to run it. - - The "Corresponding Source" for a work in object code form means all -the source code needed to generate, install, and (for an executable -work) run the object code and to modify the work, including scripts to -control those activities. However, it does not include the work's -System Libraries, or general-purpose tools or generally available free -programs which are used unmodified in performing those activities but -which are not part of the work. For example, Corresponding Source -includes interface definition files associated with source files for -the work, and the source code for shared libraries and dynamically -linked subprograms that the work is specifically designed to require, -such as by intimate data communication or control flow between those -subprograms and other parts of the work. - - The Corresponding Source need not include anything that users -can regenerate automatically from other parts of the Corresponding -Source. - - The Corresponding Source for a work in source code form is that -same work. - - 2. Basic Permissions. - - All rights granted under this License are granted for the term of -copyright on the Program, and are irrevocable provided the stated -conditions are met. This License explicitly affirms your unlimited -permission to run the unmodified Program. The output from running a -covered work is covered by this License only if the output, given its -content, constitutes a covered work. This License acknowledges your -rights of fair use or other equivalent, as provided by copyright law. - - You may make, run and propagate covered works that you do not -convey, without conditions so long as your license otherwise remains -in force. You may convey covered works to others for the sole purpose -of having them make modifications exclusively for you, or provide you -with facilities for running those works, provided that you comply with -the terms of this License in conveying all material for which you do -not control copyright. Those thus making or running the covered works -for you must do so exclusively on your behalf, under your direction -and control, on terms that prohibit them from making any copies of -your copyrighted material outside their relationship with you. - - Conveying under any other circumstances is permitted solely under -the conditions stated below. Sublicensing is not allowed; section 10 -makes it unnecessary. - - 3. Protecting Users' Legal Rights From Anti-Circumvention Law. - - No covered work shall be deemed part of an effective technological -measure under any applicable law fulfilling obligations under article -11 of the WIPO copyright treaty adopted on 20 December 1996, or -similar laws prohibiting or restricting circumvention of such -measures. - - When you convey a covered work, you waive any legal power to forbid -circumvention of technological measures to the extent such circumvention -is effected by exercising rights under this License with respect to -the covered work, and you disclaim any intention to limit operation or -modification of the work as a means of enforcing, against the work's -users, your or third parties' legal rights to forbid circumvention of -technological measures. - - 4. Conveying Verbatim Copies. - - You may convey verbatim copies of the Program's source code as you -receive it, in any medium, provided that you conspicuously and -appropriately publish on each copy an appropriate copyright notice; -keep intact all notices stating that this License and any -non-permissive terms added in accord with section 7 apply to the code; -keep intact all notices of the absence of any warranty; and give all -recipients a copy of this License along with the Program. - - You may charge any price or no price for each copy that you convey, -and you may offer support or warranty protection for a fee. - - 5. Conveying Modified Source Versions. - - You may convey a work based on the Program, or the modifications to -produce it from the Program, in the form of source code under the -terms of section 4, provided that you also meet all of these conditions: - - a) The work must carry prominent notices stating that you modified - it, and giving a relevant date. - - b) The work must carry prominent notices stating that it is - released under this License and any conditions added under section - 7. This requirement modifies the requirement in section 4 to - "keep intact all notices". - - c) You must license the entire work, as a whole, under this - License to anyone who comes into possession of a copy. This - License will therefore apply, along with any applicable section 7 - additional terms, to the whole of the work, and all its parts, - regardless of how they are packaged. This License gives no - permission to license the work in any other way, but it does not - invalidate such permission if you have separately received it. - - d) If the work has interactive user interfaces, each must display - Appropriate Legal Notices; however, if the Program has interactive - interfaces that do not display Appropriate Legal Notices, your - work need not make them do so. - - A compilation of a covered work with other separate and independent -works, which are not by their nature extensions of the covered work, -and which are not combined with it such as to form a larger program, -in or on a volume of a storage or distribution medium, is called an -"aggregate" if the compilation and its resulting copyright are not -used to limit the access or legal rights of the compilation's users -beyond what the individual works permit. Inclusion of a covered work -in an aggregate does not cause this License to apply to the other -parts of the aggregate. - - 6. Conveying Non-Source Forms. - - You may convey a covered work in object code form under the terms -of sections 4 and 5, provided that you also convey the -machine-readable Corresponding Source under the terms of this License, -in one of these ways: - - a) Convey the object code in, or embodied in, a physical product - (including a physical distribution medium), accompanied by the - Corresponding Source fixed on a durable physical medium - customarily used for software interchange. - - b) Convey the object code in, or embodied in, a physical product - (including a physical distribution medium), accompanied by a - written offer, valid for at least three years and valid for as - long as you offer spare parts or customer support for that product - model, to give anyone who possesses the object code either (1) a - copy of the Corresponding Source for all the software in the - product that is covered by this License, on a durable physical - medium customarily used for software interchange, for a price no - more than your reasonable cost of physically performing this - conveying of source, or (2) access to copy the - Corresponding Source from a network server at no charge. - - c) Convey individual copies of the object code with a copy of the - written offer to provide the Corresponding Source. This - alternative is allowed only occasionally and noncommercially, and - only if you received the object code with such an offer, in accord - with subsection 6b. - - d) Convey the object code by offering access from a designated - place (gratis or for a charge), and offer equivalent access to the - Corresponding Source in the same way through the same place at no - further charge. You need not require recipients to copy the - Corresponding Source along with the object code. If the place to - copy the object code is a network server, the Corresponding Source - may be on a different server (operated by you or a third party) - that supports equivalent copying facilities, provided you maintain - clear directions next to the object code saying where to find the - Corresponding Source. Regardless of what server hosts the - Corresponding Source, you remain obligated to ensure that it is - available for as long as needed to satisfy these requirements. - - e) Convey the object code using peer-to-peer transmission, provided - you inform other peers where the object code and Corresponding - Source of the work are being offered to the general public at no - charge under subsection 6d. - - A separable portion of the object code, whose source code is excluded -from the Corresponding Source as a System Library, need not be -included in conveying the object code work. - - A "User Product" is either (1) a "consumer product", which means any -tangible personal property which is normally used for personal, family, -or household purposes, or (2) anything designed or sold for incorporation -into a dwelling. In determining whether a product is a consumer product, -doubtful cases shall be resolved in favor of coverage. For a particular -product received by a particular user, "normally used" refers to a -typical or common use of that class of product, regardless of the status -of the particular user or of the way in which the particular user -actually uses, or expects or is expected to use, the product. A product -is a consumer product regardless of whether the product has substantial -commercial, industrial or non-consumer uses, unless such uses represent -the only significant mode of use of the product. - - "Installation Information" for a User Product means any methods, -procedures, authorization keys, or other information required to install -and execute modified versions of a covered work in that User Product from -a modified version of its Corresponding Source. The information must -suffice to ensure that the continued functioning of the modified object -code is in no case prevented or interfered with solely because -modification has been made. - - If you convey an object code work under this section in, or with, or -specifically for use in, a User Product, and the conveying occurs as -part of a transaction in which the right of possession and use of the -User Product is transferred to the recipient in perpetuity or for a -fixed term (regardless of how the transaction is characterized), the -Corresponding Source conveyed under this section must be accompanied -by the Installation Information. But this requirement does not apply -if neither you nor any third party retains the ability to install -modified object code on the User Product (for example, the work has -been installed in ROM). - - The requirement to provide Installation Information does not include a -requirement to continue to provide support service, warranty, or updates -for a work that has been modified or installed by the recipient, or for -the User Product in which it has been modified or installed. Access to a -network may be denied when the modification itself materially and -adversely affects the operation of the network or violates the rules and -protocols for communication across the network. - - Corresponding Source conveyed, and Installation Information provided, -in accord with this section must be in a format that is publicly -documented (and with an implementation available to the public in -source code form), and must require no special password or key for -unpacking, reading or copying. - - 7. Additional Terms. - - "Additional permissions" are terms that supplement the terms of this -License by making exceptions from one or more of its conditions. -Additional permissions that are applicable to the entire Program shall -be treated as though they were included in this License, to the extent -that they are valid under applicable law. If additional permissions -apply only to part of the Program, that part may be used separately -under those permissions, but the entire Program remains governed by -this License without regard to the additional permissions. - - When you convey a copy of a covered work, you may at your option -remove any additional permissions from that copy, or from any part of -it. (Additional permissions may be written to require their own -removal in certain cases when you modify the work.) You may place -additional permissions on material, added by you to a covered work, -for which you have or can give appropriate copyright permission. - - Notwithstanding any other provision of this License, for material you -add to a covered work, you may (if authorized by the copyright holders of -that material) supplement the terms of this License with terms: - - a) Disclaiming warranty or limiting liability differently from the - terms of sections 15 and 16 of this License; or - - b) Requiring preservation of specified reasonable legal notices or - author attributions in that material or in the Appropriate Legal - Notices displayed by works containing it; or - - c) Prohibiting misrepresentation of the origin of that material, or - requiring that modified versions of such material be marked in - reasonable ways as different from the original version; or - - d) Limiting the use for publicity purposes of names of licensors or - authors of the material; or - - e) Declining to grant rights under trademark law for use of some - trade names, trademarks, or service marks; or - - f) Requiring indemnification of licensors and authors of that - material by anyone who conveys the material (or modified versions of - it) with contractual assumptions of liability to the recipient, for - any liability that these contractual assumptions directly impose on - those licensors and authors. - - All other non-permissive additional terms are considered "further -restrictions" within the meaning of section 10. If the Program as you -received it, or any part of it, contains a notice stating that it is -governed by this License along with a term that is a further -restriction, you may remove that term. If a license document contains -a further restriction but permits relicensing or conveying under this -License, you may add to a covered work material governed by the terms -of that license document, provided that the further restriction does -not survive such relicensing or conveying. - - If you add terms to a covered work in accord with this section, you -must place, in the relevant source files, a statement of the -additional terms that apply to those files, or a notice indicating -where to find the applicable terms. - - Additional terms, permissive or non-permissive, may be stated in the -form of a separately written license, or stated as exceptions; -the above requirements apply either way. - - 8. Termination. - - You may not propagate or modify a covered work except as expressly -provided under this License. Any attempt otherwise to propagate or -modify it is void, and will automatically terminate your rights under -this License (including any patent licenses granted under the third -paragraph of section 11). - - However, if you cease all violation of this License, then your -license from a particular copyright holder is reinstated (a) -provisionally, unless and until the copyright holder explicitly and -finally terminates your license, and (b) permanently, if the copyright -holder fails to notify you of the violation by some reasonable means -prior to 60 days after the cessation. - - Moreover, your license from a particular copyright holder is -reinstated permanently if the copyright holder notifies you of the -violation by some reasonable means, this is the first time you have -received notice of violation of this License (for any work) from that -copyright holder, and you cure the violation prior to 30 days after -your receipt of the notice. - - Termination of your rights under this section does not terminate the -licenses of parties who have received copies or rights from you under -this License. If your rights have been terminated and not permanently -reinstated, you do not qualify to receive new licenses for the same -material under section 10. - - 9. Acceptance Not Required for Having Copies. - - You are not required to accept this License in order to receive or -run a copy of the Program. Ancillary propagation of a covered work -occurring solely as a consequence of using peer-to-peer transmission -to receive a copy likewise does not require acceptance. However, -nothing other than this License grants you permission to propagate or -modify any covered work. These actions infringe copyright if you do -not accept this License. Therefore, by modifying or propagating a -covered work, you indicate your acceptance of this License to do so. - - 10. Automatic Licensing of Downstream Recipients. - - Each time you convey a covered work, the recipient automatically -receives a license from the original licensors, to run, modify and -propagate that work, subject to this License. You are not responsible -for enforcing compliance by third parties with this License. - - An "entity transaction" is a transaction transferring control of an -organization, or substantially all assets of one, or subdividing an -organization, or merging organizations. If propagation of a covered -work results from an entity transaction, each party to that -transaction who receives a copy of the work also receives whatever -licenses to the work the party's predecessor in interest had or could -give under the previous paragraph, plus a right to possession of the -Corresponding Source of the work from the predecessor in interest, if -the predecessor has it or can get it with reasonable efforts. - - You may not impose any further restrictions on the exercise of the -rights granted or affirmed under this License. For example, you may -not impose a license fee, royalty, or other charge for exercise of -rights granted under this License, and you may not initiate litigation -(including a cross-claim or counterclaim in a lawsuit) alleging that -any patent claim is infringed by making, using, selling, offering for -sale, or importing the Program or any portion of it. - - 11. Patents. - - A "contributor" is a copyright holder who authorizes use under this -License of the Program or a work on which the Program is based. The -work thus licensed is called the contributor's "contributor version". - - A contributor's "essential patent claims" are all patent claims -owned or controlled by the contributor, whether already acquired or -hereafter acquired, that would be infringed by some manner, permitted -by this License, of making, using, or selling its contributor version, -but do not include claims that would be infringed only as a -consequence of further modification of the contributor version. For -purposes of this definition, "control" includes the right to grant -patent sublicenses in a manner consistent with the requirements of -this License. - - Each contributor grants you a non-exclusive, worldwide, royalty-free -patent license under the contributor's essential patent claims, to -make, use, sell, offer for sale, import and otherwise run, modify and -propagate the contents of its contributor version. - - In the following three paragraphs, a "patent license" is any express -agreement or commitment, however denominated, not to enforce a patent -(such as an express permission to practice a patent or covenant not to -sue for patent infringement). To "grant" such a patent license to a -party means to make such an agreement or commitment not to enforce a -patent against the party. - - If you convey a covered work, knowingly relying on a patent license, -and the Corresponding Source of the work is not available for anyone -to copy, free of charge and under the terms of this License, through a -publicly available network server or other readily accessible means, -then you must either (1) cause the Corresponding Source to be so -available, or (2) arrange to deprive yourself of the benefit of the -patent license for this particular work, or (3) arrange, in a manner -consistent with the requirements of this License, to extend the patent -license to downstream recipients. "Knowingly relying" means you have -actual knowledge that, but for the patent license, your conveying the -covered work in a country, or your recipient's use of the covered work -in a country, would infringe one or more identifiable patents in that -country that you have reason to believe are valid. - - If, pursuant to or in connection with a single transaction or -arrangement, you convey, or propagate by procuring conveyance of, a -covered work, and grant a patent license to some of the parties -receiving the covered work authorizing them to use, propagate, modify -or convey a specific copy of the covered work, then the patent license -you grant is automatically extended to all recipients of the covered -work and works based on it. - - A patent license is "discriminatory" if it does not include within -the scope of its coverage, prohibits the exercise of, or is -conditioned on the non-exercise of one or more of the rights that are -specifically granted under this License. You may not convey a covered -work if you are a party to an arrangement with a third party that is -in the business of distributing software, under which you make payment -to the third party based on the extent of your activity of conveying -the work, and under which the third party grants, to any of the -parties who would receive the covered work from you, a discriminatory -patent license (a) in connection with copies of the covered work -conveyed by you (or copies made from those copies), or (b) primarily -for and in connection with specific products or compilations that -contain the covered work, unless you entered into that arrangement, -or that patent license was granted, prior to 28 March 2007. - - Nothing in this License shall be construed as excluding or limiting -any implied license or other defenses to infringement that may -otherwise be available to you under applicable patent law. - - 12. No Surrender of Others' Freedom. - - If conditions are imposed on you (whether by court order, agreement or -otherwise) that contradict the conditions of this License, they do not -excuse you from the conditions of this License. If you cannot convey a -covered work so as to satisfy simultaneously your obligations under this -License and any other pertinent obligations, then as a consequence you may -not convey it at all. For example, if you agree to terms that obligate you -to collect a royalty for further conveying from those to whom you convey -the Program, the only way you could satisfy both those terms and this -License would be to refrain entirely from conveying the Program. - - 13. Remote Network Interaction; Use with the GNU General Public License. - - Notwithstanding any other provision of this License, if you modify the -Program, your modified version must prominently offer all users -interacting with it remotely through a computer network (if your version -supports such interaction) an opportunity to receive the Corresponding -Source of your version by providing access to the Corresponding Source -from a network server at no charge, through some standard or customary -means of facilitating copying of software. This Corresponding Source -shall include the Corresponding Source for any work covered by version 3 -of the GNU General Public License that is incorporated pursuant to the -following paragraph. - - Notwithstanding any other provision of this License, you have -permission to link or combine any covered work with a work licensed -under version 3 of the GNU General Public License into a single -combined work, and to convey the resulting work. The terms of this -License will continue to apply to the part which is the covered work, -but the work with which it is combined will remain governed by version -3 of the GNU General Public License. - - 14. Revised Versions of this License. - - The Free Software Foundation may publish revised and/or new versions of -the GNU Affero General Public License from time to time. Such new versions -will be similar in spirit to the present version, but may differ in detail to -address new problems or concerns. - - Each version is given a distinguishing version number. If the -Program specifies that a certain numbered version of the GNU Affero General -Public License "or any later version" applies to it, you have the -option of following the terms and conditions either of that numbered -version or of any later version published by the Free Software -Foundation. If the Program does not specify a version number of the -GNU Affero General Public License, you may choose any version ever published -by the Free Software Foundation. - - If the Program specifies that a proxy can decide which future -versions of the GNU Affero General Public License can be used, that proxy's -public statement of acceptance of a version permanently authorizes you -to choose that version for the Program. - - Later license versions may give you additional or different -permissions. However, no additional obligations are imposed on any -author or copyright holder as a result of your choosing to follow a -later version. - - 15. Disclaimer of Warranty. - - THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY -APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT -HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY -OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, -THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM -IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF -ALL NECESSARY SERVICING, REPAIR OR CORRECTION. - - 16. Limitation of Liability. - - IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING -WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS -THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY -GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE -USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF -DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD -PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), -EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF -SUCH DAMAGES. - - 17. Interpretation of Sections 15 and 16. - - If the disclaimer of warranty and limitation of liability provided -above cannot be given local legal effect according to their terms, -reviewing courts shall apply local law that most closely approximates -an absolute waiver of all civil liability in connection with the -Program, unless a warranty or assumption of liability accompanies a -copy of the Program in return for a fee. - - END OF TERMS AND CONDITIONS - - How to Apply These Terms to Your New Programs - - If you develop a new program, and you want it to be of the greatest -possible use to the public, the best way to achieve this is to make it -free software which everyone can redistribute and change under these terms. - - To do so, attach the following notices to the program. It is safest -to attach them to the start of each source file to most effectively -state the exclusion of warranty; and each file should have at least -the "copyright" line and a pointer to where the full notice is found. - - - Copyright (C) - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU Affero General Public License as published - by the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU Affero General Public License for more details. - - You should have received a copy of the GNU Affero General Public License - along with this program. If not, see . - -Also add information on how to contact you by electronic and paper mail. - - If your software can interact with users remotely through a computer -network, you should also make sure that it provides a way for users to -get its source. For example, if your program is a web application, its -interface could display a "Source" link that leads users to an archive -of the code. There are many ways you could offer source, and different -solutions will be better for different programs; see section 13 for the -specific requirements. - - You should also get your employer (if you work as a programmer) or school, -if any, to sign a "copyright disclaimer" for the program, if necessary. -For more information on this, and how to apply and follow the GNU AGPL, see -. diff --git a/LICENSE.md b/LICENSE.md index f0f8cb057..0ad25db4b 100644 --- a/LICENSE.md +++ b/LICENSE.md @@ -1,35 +1,661 @@ -# Dual Licensing + GNU AFFERO GENERAL PUBLIC LICENSE + Version 3, 19 November 2007 -This software is licensed under either of: + Copyright (C) 2007 Free Software Foundation, Inc. + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. -- GNU Affero General Public License v3.0 (AGPLv3) -- Defense Unicorns Commercial License + Preamble -## GNU Affero General Public License v3.0 (AGPLv3) + The GNU Affero General Public License is a free, copyleft license for +software and other kinds of works, specifically designed to ensure +cooperation with the community in the case of network server software. -Copyright (C) 2024 Defense Unicorns, Inc. + The licenses for most software and other practical works are designed +to take away your freedom to share and change the works. By contrast, +our General Public Licenses are intended to guarantee your freedom to +share and change all versions of a program--to make sure it remains free +software for all its users. -This program is free software: you can redistribute it and/or modify -it under the terms of the GNU Affero General Public License as -published by the Free Software Foundation, either version 3 of the -License, or (at your option) any later version. + When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +them if you wish), that you receive source code or can get it if you +want it, that you can change the software or use pieces of it in new +free programs, and that you know you can do these things. -This program is distributed in the hope that it will be useful, -but WITHOUT ANY WARRANTY; without even the implied warranty of -MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -GNU Affero General Public License for more details. + Developers that use our General Public Licenses protect your rights +with two steps: (1) assert copyright on the software, and (2) offer +you this License which gives you legal permission to copy, distribute +and/or modify the software. -You should have received a copy of the GNU Affero General Public License -along with this program. If not, see . + A secondary benefit of defending all users' freedom is that +improvements made in alternate versions of the program, if they +receive widespread use, become available for other developers to +incorporate. Many developers of free software are heartened and +encouraged by the resulting cooperation. However, in the case of +software used on network servers, this result may fail to come about. +The GNU General Public License permits making a modified version and +letting the public access it on a server without ever releasing its +source code to the public. -## Defense Unicorns Commercial License + The GNU Affero General Public License is designed specifically to +ensure that, in such cases, the modified source code becomes available +to the community. It requires the operator of a network server to +provide the source code of the modified version running there to the +users of that server. Therefore, public use of a modified version, on +a publicly accessible server, gives the public access to the source +code of the modified version. -The use of this software under a commercial license is subject to the terms -of the license agreement between the licensee and Defense Unicorns. The -content of this license depends on the specific agreement and may vary. For -more information about obtaining a commercial license, please contact -Defense Unicorns at [defenseunicorns.com](https://defenseunicorns.com). + An older license, called the Affero General Public License and +published by Affero, was designed to accomplish similar goals. This is +a different license, not a version of the Affero GPL, but Affero has +released a new version of the Affero GPL which permits relicensing under +this license. -To use this software under the commercial license, you must have a valid -license agreement with Defense Unicorns. The terms of that license agreement -replace the terms of the AGPL v3 license. + The precise terms and conditions for copying, distribution and +modification follow. + + TERMS AND CONDITIONS + + 0. Definitions. + + "This License" refers to version 3 of the GNU Affero General Public License. + + "Copyright" also means copyright-like laws that apply to other kinds of +works, such as semiconductor masks. + + "The Program" refers to any copyrightable work licensed under this +License. Each licensee is addressed as "you". "Licensees" and +"recipients" may be individuals or organizations. + + To "modify" a work means to copy from or adapt all or part of the work +in a fashion requiring copyright permission, other than the making of an +exact copy. The resulting work is called a "modified version" of the +earlier work or a work "based on" the earlier work. + + A "covered work" means either the unmodified Program or a work based +on the Program. + + To "propagate" a work means to do anything with it that, without +permission, would make you directly or secondarily liable for +infringement under applicable copyright law, except executing it on a +computer or modifying a private copy. Propagation includes copying, +distribution (with or without modification), making available to the +public, and in some countries other activities as well. + + To "convey" a work means any kind of propagation that enables other +parties to make or receive copies. Mere interaction with a user through +a computer network, with no transfer of a copy, is not conveying. + + An interactive user interface displays "Appropriate Legal Notices" +to the extent that it includes a convenient and prominently visible +feature that (1) displays an appropriate copyright notice, and (2) +tells the user that there is no warranty for the work (except to the +extent that warranties are provided), that licensees may convey the +work under this License, and how to view a copy of this License. If +the interface presents a list of user commands or options, such as a +menu, a prominent item in the list meets this criterion. + + 1. Source Code. + + The "source code" for a work means the preferred form of the work +for making modifications to it. "Object code" means any non-source +form of a work. + + A "Standard Interface" means an interface that either is an official +standard defined by a recognized standards body, or, in the case of +interfaces specified for a particular programming language, one that +is widely used among developers working in that language. + + The "System Libraries" of an executable work include anything, other +than the work as a whole, that (a) is included in the normal form of +packaging a Major Component, but which is not part of that Major +Component, and (b) serves only to enable use of the work with that +Major Component, or to implement a Standard Interface for which an +implementation is available to the public in source code form. A +"Major Component", in this context, means a major essential component +(kernel, window system, and so on) of the specific operating system +(if any) on which the executable work runs, or a compiler used to +produce the work, or an object code interpreter used to run it. + + The "Corresponding Source" for a work in object code form means all +the source code needed to generate, install, and (for an executable +work) run the object code and to modify the work, including scripts to +control those activities. However, it does not include the work's +System Libraries, or general-purpose tools or generally available free +programs which are used unmodified in performing those activities but +which are not part of the work. For example, Corresponding Source +includes interface definition files associated with source files for +the work, and the source code for shared libraries and dynamically +linked subprograms that the work is specifically designed to require, +such as by intimate data communication or control flow between those +subprograms and other parts of the work. + + The Corresponding Source need not include anything that users +can regenerate automatically from other parts of the Corresponding +Source. + + The Corresponding Source for a work in source code form is that +same work. + + 2. Basic Permissions. + + All rights granted under this License are granted for the term of +copyright on the Program, and are irrevocable provided the stated +conditions are met. This License explicitly affirms your unlimited +permission to run the unmodified Program. The output from running a +covered work is covered by this License only if the output, given its +content, constitutes a covered work. This License acknowledges your +rights of fair use or other equivalent, as provided by copyright law. + + You may make, run and propagate covered works that you do not +convey, without conditions so long as your license otherwise remains +in force. You may convey covered works to others for the sole purpose +of having them make modifications exclusively for you, or provide you +with facilities for running those works, provided that you comply with +the terms of this License in conveying all material for which you do +not control copyright. Those thus making or running the covered works +for you must do so exclusively on your behalf, under your direction +and control, on terms that prohibit them from making any copies of +your copyrighted material outside their relationship with you. + + Conveying under any other circumstances is permitted solely under +the conditions stated below. Sublicensing is not allowed; section 10 +makes it unnecessary. + + 3. Protecting Users' Legal Rights From Anti-Circumvention Law. + + No covered work shall be deemed part of an effective technological +measure under any applicable law fulfilling obligations under article +11 of the WIPO copyright treaty adopted on 20 December 1996, or +similar laws prohibiting or restricting circumvention of such +measures. + + When you convey a covered work, you waive any legal power to forbid +circumvention of technological measures to the extent such circumvention +is effected by exercising rights under this License with respect to +the covered work, and you disclaim any intention to limit operation or +modification of the work as a means of enforcing, against the work's +users, your or third parties' legal rights to forbid circumvention of +technological measures. + + 4. Conveying Verbatim Copies. + + You may convey verbatim copies of the Program's source code as you +receive it, in any medium, provided that you conspicuously and +appropriately publish on each copy an appropriate copyright notice; +keep intact all notices stating that this License and any +non-permissive terms added in accord with section 7 apply to the code; +keep intact all notices of the absence of any warranty; and give all +recipients a copy of this License along with the Program. + + You may charge any price or no price for each copy that you convey, +and you may offer support or warranty protection for a fee. + + 5. Conveying Modified Source Versions. + + You may convey a work based on the Program, or the modifications to +produce it from the Program, in the form of source code under the +terms of section 4, provided that you also meet all of these conditions: + + a) The work must carry prominent notices stating that you modified + it, and giving a relevant date. + + b) The work must carry prominent notices stating that it is + released under this License and any conditions added under section + 7. This requirement modifies the requirement in section 4 to + "keep intact all notices". + + c) You must license the entire work, as a whole, under this + License to anyone who comes into possession of a copy. This + License will therefore apply, along with any applicable section 7 + additional terms, to the whole of the work, and all its parts, + regardless of how they are packaged. This License gives no + permission to license the work in any other way, but it does not + invalidate such permission if you have separately received it. + + d) If the work has interactive user interfaces, each must display + Appropriate Legal Notices; however, if the Program has interactive + interfaces that do not display Appropriate Legal Notices, your + work need not make them do so. + + A compilation of a covered work with other separate and independent +works, which are not by their nature extensions of the covered work, +and which are not combined with it such as to form a larger program, +in or on a volume of a storage or distribution medium, is called an +"aggregate" if the compilation and its resulting copyright are not +used to limit the access or legal rights of the compilation's users +beyond what the individual works permit. Inclusion of a covered work +in an aggregate does not cause this License to apply to the other +parts of the aggregate. + + 6. Conveying Non-Source Forms. + + You may convey a covered work in object code form under the terms +of sections 4 and 5, provided that you also convey the +machine-readable Corresponding Source under the terms of this License, +in one of these ways: + + a) Convey the object code in, or embodied in, a physical product + (including a physical distribution medium), accompanied by the + Corresponding Source fixed on a durable physical medium + customarily used for software interchange. + + b) Convey the object code in, or embodied in, a physical product + (including a physical distribution medium), accompanied by a + written offer, valid for at least three years and valid for as + long as you offer spare parts or customer support for that product + model, to give anyone who possesses the object code either (1) a + copy of the Corresponding Source for all the software in the + product that is covered by this License, on a durable physical + medium customarily used for software interchange, for a price no + more than your reasonable cost of physically performing this + conveying of source, or (2) access to copy the + Corresponding Source from a network server at no charge. + + c) Convey individual copies of the object code with a copy of the + written offer to provide the Corresponding Source. This + alternative is allowed only occasionally and noncommercially, and + only if you received the object code with such an offer, in accord + with subsection 6b. + + d) Convey the object code by offering access from a designated + place (gratis or for a charge), and offer equivalent access to the + Corresponding Source in the same way through the same place at no + further charge. You need not require recipients to copy the + Corresponding Source along with the object code. If the place to + copy the object code is a network server, the Corresponding Source + may be on a different server (operated by you or a third party) + that supports equivalent copying facilities, provided you maintain + clear directions next to the object code saying where to find the + Corresponding Source. Regardless of what server hosts the + Corresponding Source, you remain obligated to ensure that it is + available for as long as needed to satisfy these requirements. + + e) Convey the object code using peer-to-peer transmission, provided + you inform other peers where the object code and Corresponding + Source of the work are being offered to the general public at no + charge under subsection 6d. + + A separable portion of the object code, whose source code is excluded +from the Corresponding Source as a System Library, need not be +included in conveying the object code work. + + A "User Product" is either (1) a "consumer product", which means any +tangible personal property which is normally used for personal, family, +or household purposes, or (2) anything designed or sold for incorporation +into a dwelling. In determining whether a product is a consumer product, +doubtful cases shall be resolved in favor of coverage. For a particular +product received by a particular user, "normally used" refers to a +typical or common use of that class of product, regardless of the status +of the particular user or of the way in which the particular user +actually uses, or expects or is expected to use, the product. A product +is a consumer product regardless of whether the product has substantial +commercial, industrial or non-consumer uses, unless such uses represent +the only significant mode of use of the product. + + "Installation Information" for a User Product means any methods, +procedures, authorization keys, or other information required to install +and execute modified versions of a covered work in that User Product from +a modified version of its Corresponding Source. The information must +suffice to ensure that the continued functioning of the modified object +code is in no case prevented or interfered with solely because +modification has been made. + + If you convey an object code work under this section in, or with, or +specifically for use in, a User Product, and the conveying occurs as +part of a transaction in which the right of possession and use of the +User Product is transferred to the recipient in perpetuity or for a +fixed term (regardless of how the transaction is characterized), the +Corresponding Source conveyed under this section must be accompanied +by the Installation Information. But this requirement does not apply +if neither you nor any third party retains the ability to install +modified object code on the User Product (for example, the work has +been installed in ROM). + + The requirement to provide Installation Information does not include a +requirement to continue to provide support service, warranty, or updates +for a work that has been modified or installed by the recipient, or for +the User Product in which it has been modified or installed. Access to a +network may be denied when the modification itself materially and +adversely affects the operation of the network or violates the rules and +protocols for communication across the network. + + Corresponding Source conveyed, and Installation Information provided, +in accord with this section must be in a format that is publicly +documented (and with an implementation available to the public in +source code form), and must require no special password or key for +unpacking, reading or copying. + + 7. Additional Terms. + + "Additional permissions" are terms that supplement the terms of this +License by making exceptions from one or more of its conditions. +Additional permissions that are applicable to the entire Program shall +be treated as though they were included in this License, to the extent +that they are valid under applicable law. If additional permissions +apply only to part of the Program, that part may be used separately +under those permissions, but the entire Program remains governed by +this License without regard to the additional permissions. + + When you convey a copy of a covered work, you may at your option +remove any additional permissions from that copy, or from any part of +it. (Additional permissions may be written to require their own +removal in certain cases when you modify the work.) You may place +additional permissions on material, added by you to a covered work, +for which you have or can give appropriate copyright permission. + + Notwithstanding any other provision of this License, for material you +add to a covered work, you may (if authorized by the copyright holders of +that material) supplement the terms of this License with terms: + + a) Disclaiming warranty or limiting liability differently from the + terms of sections 15 and 16 of this License; or + + b) Requiring preservation of specified reasonable legal notices or + author attributions in that material or in the Appropriate Legal + Notices displayed by works containing it; or + + c) Prohibiting misrepresentation of the origin of that material, or + requiring that modified versions of such material be marked in + reasonable ways as different from the original version; or + + d) Limiting the use for publicity purposes of names of licensors or + authors of the material; or + + e) Declining to grant rights under trademark law for use of some + trade names, trademarks, or service marks; or + + f) Requiring indemnification of licensors and authors of that + material by anyone who conveys the material (or modified versions of + it) with contractual assumptions of liability to the recipient, for + any liability that these contractual assumptions directly impose on + those licensors and authors. + + All other non-permissive additional terms are considered "further +restrictions" within the meaning of section 10. If the Program as you +received it, or any part of it, contains a notice stating that it is +governed by this License along with a term that is a further +restriction, you may remove that term. If a license document contains +a further restriction but permits relicensing or conveying under this +License, you may add to a covered work material governed by the terms +of that license document, provided that the further restriction does +not survive such relicensing or conveying. + + If you add terms to a covered work in accord with this section, you +must place, in the relevant source files, a statement of the +additional terms that apply to those files, or a notice indicating +where to find the applicable terms. + + Additional terms, permissive or non-permissive, may be stated in the +form of a separately written license, or stated as exceptions; +the above requirements apply either way. + + 8. Termination. + + You may not propagate or modify a covered work except as expressly +provided under this License. Any attempt otherwise to propagate or +modify it is void, and will automatically terminate your rights under +this License (including any patent licenses granted under the third +paragraph of section 11). + + However, if you cease all violation of this License, then your +license from a particular copyright holder is reinstated (a) +provisionally, unless and until the copyright holder explicitly and +finally terminates your license, and (b) permanently, if the copyright +holder fails to notify you of the violation by some reasonable means +prior to 60 days after the cessation. + + Moreover, your license from a particular copyright holder is +reinstated permanently if the copyright holder notifies you of the +violation by some reasonable means, this is the first time you have +received notice of violation of this License (for any work) from that +copyright holder, and you cure the violation prior to 30 days after +your receipt of the notice. + + Termination of your rights under this section does not terminate the +licenses of parties who have received copies or rights from you under +this License. If your rights have been terminated and not permanently +reinstated, you do not qualify to receive new licenses for the same +material under section 10. + + 9. Acceptance Not Required for Having Copies. + + You are not required to accept this License in order to receive or +run a copy of the Program. Ancillary propagation of a covered work +occurring solely as a consequence of using peer-to-peer transmission +to receive a copy likewise does not require acceptance. However, +nothing other than this License grants you permission to propagate or +modify any covered work. These actions infringe copyright if you do +not accept this License. Therefore, by modifying or propagating a +covered work, you indicate your acceptance of this License to do so. + + 10. Automatic Licensing of Downstream Recipients. + + Each time you convey a covered work, the recipient automatically +receives a license from the original licensors, to run, modify and +propagate that work, subject to this License. You are not responsible +for enforcing compliance by third parties with this License. + + An "entity transaction" is a transaction transferring control of an +organization, or substantially all assets of one, or subdividing an +organization, or merging organizations. If propagation of a covered +work results from an entity transaction, each party to that +transaction who receives a copy of the work also receives whatever +licenses to the work the party's predecessor in interest had or could +give under the previous paragraph, plus a right to possession of the +Corresponding Source of the work from the predecessor in interest, if +the predecessor has it or can get it with reasonable efforts. + + You may not impose any further restrictions on the exercise of the +rights granted or affirmed under this License. For example, you may +not impose a license fee, royalty, or other charge for exercise of +rights granted under this License, and you may not initiate litigation +(including a cross-claim or counterclaim in a lawsuit) alleging that +any patent claim is infringed by making, using, selling, offering for +sale, or importing the Program or any portion of it. + + 11. Patents. + + A "contributor" is a copyright holder who authorizes use under this +License of the Program or a work on which the Program is based. The +work thus licensed is called the contributor's "contributor version". + + A contributor's "essential patent claims" are all patent claims +owned or controlled by the contributor, whether already acquired or +hereafter acquired, that would be infringed by some manner, permitted +by this License, of making, using, or selling its contributor version, +but do not include claims that would be infringed only as a +consequence of further modification of the contributor version. For +purposes of this definition, "control" includes the right to grant +patent sublicenses in a manner consistent with the requirements of +this License. + + Each contributor grants you a non-exclusive, worldwide, royalty-free +patent license under the contributor's essential patent claims, to +make, use, sell, offer for sale, import and otherwise run, modify and +propagate the contents of its contributor version. + + In the following three paragraphs, a "patent license" is any express +agreement or commitment, however denominated, not to enforce a patent +(such as an express permission to practice a patent or covenant not to +sue for patent infringement). To "grant" such a patent license to a +party means to make such an agreement or commitment not to enforce a +patent against the party. + + If you convey a covered work, knowingly relying on a patent license, +and the Corresponding Source of the work is not available for anyone +to copy, free of charge and under the terms of this License, through a +publicly available network server or other readily accessible means, +then you must either (1) cause the Corresponding Source to be so +available, or (2) arrange to deprive yourself of the benefit of the +patent license for this particular work, or (3) arrange, in a manner +consistent with the requirements of this License, to extend the patent +license to downstream recipients. "Knowingly relying" means you have +actual knowledge that, but for the patent license, your conveying the +covered work in a country, or your recipient's use of the covered work +in a country, would infringe one or more identifiable patents in that +country that you have reason to believe are valid. + + If, pursuant to or in connection with a single transaction or +arrangement, you convey, or propagate by procuring conveyance of, a +covered work, and grant a patent license to some of the parties +receiving the covered work authorizing them to use, propagate, modify +or convey a specific copy of the covered work, then the patent license +you grant is automatically extended to all recipients of the covered +work and works based on it. + + A patent license is "discriminatory" if it does not include within +the scope of its coverage, prohibits the exercise of, or is +conditioned on the non-exercise of one or more of the rights that are +specifically granted under this License. You may not convey a covered +work if you are a party to an arrangement with a third party that is +in the business of distributing software, under which you make payment +to the third party based on the extent of your activity of conveying +the work, and under which the third party grants, to any of the +parties who would receive the covered work from you, a discriminatory +patent license (a) in connection with copies of the covered work +conveyed by you (or copies made from those copies), or (b) primarily +for and in connection with specific products or compilations that +contain the covered work, unless you entered into that arrangement, +or that patent license was granted, prior to 28 March 2007. + + Nothing in this License shall be construed as excluding or limiting +any implied license or other defenses to infringement that may +otherwise be available to you under applicable patent law. + + 12. No Surrender of Others' Freedom. + + If conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot convey a +covered work so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you may +not convey it at all. For example, if you agree to terms that obligate you +to collect a royalty for further conveying from those to whom you convey +the Program, the only way you could satisfy both those terms and this +License would be to refrain entirely from conveying the Program. + + 13. Remote Network Interaction; Use with the GNU General Public License. + + Notwithstanding any other provision of this License, if you modify the +Program, your modified version must prominently offer all users +interacting with it remotely through a computer network (if your version +supports such interaction) an opportunity to receive the Corresponding +Source of your version by providing access to the Corresponding Source +from a network server at no charge, through some standard or customary +means of facilitating copying of software. This Corresponding Source +shall include the Corresponding Source for any work covered by version 3 +of the GNU General Public License that is incorporated pursuant to the +following paragraph. + + Notwithstanding any other provision of this License, you have +permission to link or combine any covered work with a work licensed +under version 3 of the GNU General Public License into a single +combined work, and to convey the resulting work. The terms of this +License will continue to apply to the part which is the covered work, +but the work with which it is combined will remain governed by version +3 of the GNU General Public License. + + 14. Revised Versions of this License. + + The Free Software Foundation may publish revised and/or new versions of +the GNU Affero General Public License from time to time. Such new versions +will be similar in spirit to the present version, but may differ in detail to +address new problems or concerns. + + Each version is given a distinguishing version number. If the +Program specifies that a certain numbered version of the GNU Affero General +Public License "or any later version" applies to it, you have the +option of following the terms and conditions either of that numbered +version or of any later version published by the Free Software +Foundation. If the Program does not specify a version number of the +GNU Affero General Public License, you may choose any version ever published +by the Free Software Foundation. + + If the Program specifies that a proxy can decide which future +versions of the GNU Affero General Public License can be used, that proxy's +public statement of acceptance of a version permanently authorizes you +to choose that version for the Program. + + Later license versions may give you additional or different +permissions. However, no additional obligations are imposed on any +author or copyright holder as a result of your choosing to follow a +later version. + + 15. Disclaimer of Warranty. + + THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY +APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT +HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY +OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, +THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM +IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF +ALL NECESSARY SERVICING, REPAIR OR CORRECTION. + + 16. Limitation of Liability. + + IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING +WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS +THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY +GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE +USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF +DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD +PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), +EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF +SUCH DAMAGES. + + 17. Interpretation of Sections 15 and 16. + + If the disclaimer of warranty and limitation of liability provided +above cannot be given local legal effect according to their terms, +reviewing courts shall apply local law that most closely approximates +an absolute waiver of all civil liability in connection with the +Program, unless a warranty or assumption of liability accompanies a +copy of the Program in return for a fee. + + END OF TERMS AND CONDITIONS + + How to Apply These Terms to Your New Programs + + If you develop a new program, and you want it to be of the greatest +possible use to the public, the best way to achieve this is to make it +free software which everyone can redistribute and change under these terms. + + To do so, attach the following notices to the program. It is safest +to attach them to the start of each source file to most effectively +state the exclusion of warranty; and each file should have at least +the "copyright" line and a pointer to where the full notice is found. + + + Copyright (C) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU Affero General Public License as published + by the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU Affero General Public License for more details. + + You should have received a copy of the GNU Affero General Public License + along with this program. If not, see . + +Also add information on how to contact you by electronic and paper mail. + + If your software can interact with users remotely through a computer +network, you should also make sure that it provides a way for users to +get its source. For example, if your program is a web application, its +interface could display a "Source" link that leads users to an archive +of the code. There are many ways you could offer source, and different +solutions will be better for different programs; see section 13 for the +specific requirements. + + You should also get your employer (if you work as a programmer) or school, +if any, to sign a "copyright disclaimer" for the program, if necessary. +For more information on this, and how to apply and follow the GNU AGPL, see +. diff --git a/LICENSE-commercial.md b/LICENSING.md similarity index 70% rename from LICENSE-commercial.md rename to LICENSING.md index fb3f6ac3b..e4942dde4 100644 --- a/LICENSE-commercial.md +++ b/LICENSING.md @@ -1,3 +1,12 @@ +# Dual Licensing + +This software is licensed under either of: + +- GNU Affero General Public License v3.0 (AGPLv3), see [LICENSE.md](./LICENSE.md) +- Defense Unicorns Commercial License, see below + +## Defense Unicorns Commercial License + The use of this software under a commercial license is subject to the terms of the license agreement between the licensee and Defense Unicorns. The content of this license depends on the specific agreement and may vary. For From 04793a2ddab6f001886ef2d69c8780861ebeaa62 Mon Sep 17 00:00:00 2001 From: Micah Nagel Date: Wed, 9 Oct 2024 10:52:00 -0600 Subject: [PATCH 50/90] fix: snapshot ci version modification and tasks for publish (#877) ## Description Snapshot CI has been failing due to our changes to the slim-dev package/bundle: https://github.com/defenseunicorns/uds-core/actions/workflows/snapshot-release.yaml. This fixes our yq commands to update the new layer packages and bundle locations as expected. This same change was added on the pepr branch and validated: https://github.com/defenseunicorns/uds-core/actions/runs/11244510863 ## Related Issue N/A ## Type of change - [x] Bug fix (non-breaking change which fixes an issue) - [ ] New feature (non-breaking change which adds functionality) - [ ] Other (security config, docs update, etc) ## Checklist before merging - [x] Test, docs, adr added or updated as needed - [x] [Contributor Guide](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md) followed --- .github/workflows/publish.yaml | 12 ++++++------ tasks.yaml | 10 ---------- tasks/create.yaml | 10 ++++++++++ 3 files changed, 16 insertions(+), 16 deletions(-) diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml index bf1eefd43..e7800b801 100644 --- a/.github/workflows/publish.yaml +++ b/.github/workflows/publish.yaml @@ -46,22 +46,22 @@ jobs: if: ${{ inputs.snapshot }} run: | yq -ei '.metadata.version=env(SNAPSHOT_VERSION), (.packages[]|select(has("ref"))|select(.name=="core")).ref=env(SNAPSHOT_VERSION)' bundles/k3d-standard/uds-bundle.yaml - yq -ei '.metadata.version=env(SNAPSHOT_VERSION), (.packages[]|select(has("ref"))|select(.name=="core-slim-dev")).ref=env(SNAPSHOT_VERSION)' bundles/k3d-slim-dev/uds-bundle.yaml + yq -ei '.metadata.version=env(SNAPSHOT_VERSION), (.packages[]|select(has("ref"))|select(.name=="core-base")).ref=env(SNAPSHOT_VERSION)' bundles/k3d-slim-dev/uds-bundle.yaml + yq -ei '.metadata.version=env(SNAPSHOT_VERSION), (.packages[]|select(has("ref"))|select(.name=="core-identity-authorization")).ref=env(SNAPSHOT_VERSION)' bundles/k3d-slim-dev/uds-bundle.yaml yq -ei '.metadata.version=env(SNAPSHOT_VERSION)' packages/standard/zarf.yaml - yq -ei '.metadata.version=env(SNAPSHOT_VERSION)' packages/slim-dev/zarf.yaml + yq -ei '.metadata.version=env(SNAPSHOT_VERSION)' packages/base/zarf.yaml + yq -ei '.metadata.version=env(SNAPSHOT_VERSION)' packages/identity-authorization/zarf.yaml - name: Create Packages and Bundles run: | ZARF_ARCHITECTURE=amd64 uds run -f tasks/create.yaml standard-package --no-progress --set FLAVOR=${{ matrix.flavor }} ZARF_ARCHITECTURE=amd64 uds run -f tasks/create.yaml k3d-standard-bundle --no-progress - ZARF_ARCHITECTURE=amd64 uds run -f tasks/create.yaml slim-dev-package --no-progress --set FLAVOR=${{ matrix.flavor }} - ZARF_ARCHITECTURE=amd64 uds run -f tasks/create.yaml k3d-slim-dev-bundle --no-progress + ZARF_ARCHITECTURE=amd64 uds run -f tasks/create.yaml k3d-slim-dev-bundle --no-progress --set FLAVOR=${{ matrix.flavor }} if [ "${{ matrix.flavor }}" != "registry1" ]; then ZARF_ARCHITECTURE=arm64 uds run -f tasks/create.yaml standard-package --no-progress --set FLAVOR=${{ matrix.flavor }} ZARF_ARCHITECTURE=arm64 uds run -f tasks/create.yaml k3d-standard-bundle --no-progress - ZARF_ARCHITECTURE=arm64 uds run -f tasks/create.yaml slim-dev-package --no-progress --set FLAVOR=${{ matrix.flavor }} - ZARF_ARCHITECTURE=arm64 uds run -f tasks/create.yaml k3d-slim-dev-bundle --no-progress + ZARF_ARCHITECTURE=arm64 uds run -f tasks/create.yaml k3d-slim-dev-bundle --no-progress --set FLAVOR=${{ matrix.flavor }} fi # Standard Package by default tests full core diff --git a/tasks.yaml b/tasks.yaml index fccddfc61..b89269d78 100644 --- a/tasks.yaml +++ b/tasks.yaml @@ -52,16 +52,6 @@ tasks: - name: slim-dev actions: - - description: "Create base package" - task: create:single-layer - with: - layer: base - - - description: "Create identity-authorization package" - task: create:single-layer - with: - layer: identity-authorization - - description: "Build slim dev bundle" task: create:k3d-slim-dev-bundle diff --git a/tasks/create.yaml b/tasks/create.yaml index 15be058c8..abccad794 100644 --- a/tasks/create.yaml +++ b/tasks/create.yaml @@ -31,6 +31,16 @@ tasks: - name: k3d-slim-dev-bundle description: "Create the slim dev bundle (Base and Identity)" actions: + - description: "Create base package" + task: single-layer + with: + layer: base + + - description: "Create identity-authorization package" + task: single-layer + with: + layer: identity-authorization + - description: "Create the slim dev bundle (Base and Identity)" cmd: "uds create bundles/k3d-slim-dev --confirm --no-progress --architecture=${ZARF_ARCHITECTURE}" From 9af34f6f1a0ebafe6d13739e5caebf6c8282b982 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Wed, 9 Oct 2024 17:18:36 +0000 Subject: [PATCH 51/90] chore(deps): update grafana to v11.2.2 (#867) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This PR contains the following updates: | Package | Update | Change | |---|---|---| | [cgr.dev/du-uds-defenseunicorns/grafana-fips](https://images.chainguard.dev/directory/image/grafana-fips/overview) ([source](https://redirect.github.com/chainguard-images/images-private/tree/HEAD/images/grafana-fips)) | patch | `11.2.1` -> `11.2.2` | | docker.io/grafana/grafana | patch | `11.2.1` -> `11.2.2` | | [registry1.dso.mil/ironbank/opensource/grafana/grafana](https://redirect.github.com/grafana/grafana) ([source](https://repo1.dso.mil/dsop/opensource/grafana/grafana)) | patch | `11.2.1` -> `11.2.2` | --- ### Configuration πŸ“… **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. β™» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. πŸ”• **Ignore**: Close this PR and you won't be reminded about these updates again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/defenseunicorns/uds-core). Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Micah Nagel --- src/grafana/values/registry1-values.yaml | 2 +- src/grafana/values/unicorn-values.yaml | 2 +- src/grafana/values/upstream-values.yaml | 2 +- src/grafana/zarf.yaml | 6 +++--- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/src/grafana/values/registry1-values.yaml b/src/grafana/values/registry1-values.yaml index 0ef12c7e8..23d4ffe13 100644 --- a/src/grafana/values/registry1-values.yaml +++ b/src/grafana/values/registry1-values.yaml @@ -2,7 +2,7 @@ image: registry: registry1.dso.mil repository: ironbank/opensource/grafana/grafana - tag: 11.2.1 + tag: 11.2.2 initChownData: image: diff --git a/src/grafana/values/unicorn-values.yaml b/src/grafana/values/unicorn-values.yaml index 33ec9f6b6..48062d9ac 100644 --- a/src/grafana/values/unicorn-values.yaml +++ b/src/grafana/values/unicorn-values.yaml @@ -2,7 +2,7 @@ image: registry: cgr.dev repository: du-uds-defenseunicorns/grafana-fips - tag: 11.2.1 + tag: 11.2.2 initChownData: image: diff --git a/src/grafana/values/upstream-values.yaml b/src/grafana/values/upstream-values.yaml index fbeddf422..8fc9d565b 100644 --- a/src/grafana/values/upstream-values.yaml +++ b/src/grafana/values/upstream-values.yaml @@ -9,7 +9,7 @@ sidecar: image: registry: docker.io repository: grafana/grafana - tag: 11.2.1 + tag: 11.2.2 initChownData: image: diff --git a/src/grafana/zarf.yaml b/src/grafana/zarf.yaml index 3325a88e5..48bed8a1d 100644 --- a/src/grafana/zarf.yaml +++ b/src/grafana/zarf.yaml @@ -22,7 +22,7 @@ components: valuesFiles: - values/upstream-values.yaml images: - - docker.io/grafana/grafana:11.2.1 + - docker.io/grafana/grafana:11.2.2 - docker.io/curlimages/curl:8.10.1 - docker.io/library/busybox:1.37.0 - ghcr.io/kiwigrid/k8s-sidecar:1.28.0 @@ -38,7 +38,7 @@ components: valuesFiles: - values/registry1-values.yaml images: - - registry1.dso.mil/ironbank/opensource/grafana/grafana:11.2.1 + - registry1.dso.mil/ironbank/opensource/grafana/grafana:11.2.2 - registry1.dso.mil/ironbank/redhat/ubi/ubi9-minimal:9.4 - registry1.dso.mil/ironbank/kiwigrid/k8s-sidecar:1.28.0 @@ -53,7 +53,7 @@ components: valuesFiles: - values/unicorn-values.yaml images: - - cgr.dev/du-uds-defenseunicorns/grafana-fips:11.2.1 + - cgr.dev/du-uds-defenseunicorns/grafana-fips:11.2.2 - cgr.dev/du-uds-defenseunicorns/busybox-fips:1.37.0 - cgr.dev/du-uds-defenseunicorns/curl-fips:8.10.1 - cgr.dev/du-uds-defenseunicorns/k8s-sidecar-fips:1.28.0 From c9db65669377793e7c497516a012837d3db14733 Mon Sep 17 00:00:00 2001 From: Micah Nagel Date: Wed, 9 Oct 2024 11:35:17 -0600 Subject: [PATCH 52/90] fix(ci): switch to larger runners to resolve ci disk space issues (#882) ## Description As noted in https://github.com/defenseunicorns/uds-core/pull/880 runner space is being exceeded in some functional layer tests. This PR evaluated two options: 1. Run a cleanup script to remove unnecessary files from the runner. In testing this added between 2 and 6 minutes of CI time depending on the runner. 2. Switch to the ["large" 4 core runner](https://docs.github.com/en/actions/using-github-hosted-runners/using-larger-runners/about-larger-runners#specifications-for-general-larger-runners), which has a 150gb disk. Cost is [$0.016 per minute of usage](https://docs.github.com/en/billing/managing-billing-for-your-products/managing-billing-for-github-actions/about-billing-for-github-actions#per-minute-rates-for-x64-powered-larger-runners). These tests run for an average of 5-10 minutes, with 3 runs per layer (for each flavor), making the cost ~$0.33 cents for a single commit on a PR changing a single layer. Given the desire for faster dev/CI cycles and the cost of dev time, this PR flips to the paid runner rather than using the cleanup script. ## Related Issue Fixes https://github.com/defenseunicorns/uds-core/pull/880 ## Type of change - [x] Bug fix (non-breaking change which fixes an issue) - [ ] New feature (non-breaking change which adds functionality) - [ ] Other (security config, docs update, etc) ## Checklist before merging - [x] Test, docs, adr added or updated as needed - [x] [Contributor Guide](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md) followed --- .github/workflows/test.yaml | 3 ++- src/neuvector/README.md | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index 72ac961eb..a96894a97 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml @@ -40,7 +40,8 @@ permissions: jobs: test: - runs-on: "${{ inputs.package == 'all' && 'uds-ubuntu-big-boy-8-core' || 'ubuntu-latest'}}" + # Use the 8 core runner for full-core or 4 core runner (with larger disk) for func layers tests + runs-on: "${{ inputs.package == 'all' && 'uds-ubuntu-big-boy-8-core' || 'uds-ubuntu-big-boy-4-core'}}" timeout-minutes: 30 name: Test env: diff --git a/src/neuvector/README.md b/src/neuvector/README.md index 98c4b1870..879cd7586 100644 --- a/src/neuvector/README.md +++ b/src/neuvector/README.md @@ -1 +1 @@ -## Neuvector +## NeuVector From 1f4df34637afe31635fa151080829eb2cd912d50 Mon Sep 17 00:00:00 2001 From: Luke Griswold <150048380+ldgriswold@users.noreply.github.com> Date: Wed, 9 Oct 2024 14:10:22 -0400 Subject: [PATCH 53/90] feat: add service accounts options to sso (#852) ## Description This enables support for service account roles in keycloak for client credentials type grants ... ## Related Issue Fixes #851 ## Type of change - [ ] Bug fix (non-breaking change which fixes an issue) - [x] New feature (non-breaking change which adds functionality) - [ ] Other (security config, docs update, etc) ## Checklist before merging - [x] Test, docs, adr added or updated as needed - [x] [Contributor Guide](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md) followed --------- Co-authored-by: Blake Burkhart Co-authored-by: Micah Nagel --- docs/configuration/uds-operator.md | 38 +++++++++++++++ .../crd/generated/package-v1alpha1.ts | 4 ++ .../operator/crd/sources/package/v1alpha1.ts | 6 +++ .../crd/validators/package-validator.spec.ts | 48 +++++++++++++++++++ .../crd/validators/package-validator.ts | 11 ++++- 5 files changed, 105 insertions(+), 2 deletions(-) diff --git a/docs/configuration/uds-operator.md b/docs/configuration/uds-operator.md index a054b9c3d..29271d0d5 100644 --- a/docs/configuration/uds-operator.md +++ b/docs/configuration/uds-operator.md @@ -207,6 +207,44 @@ spec: This configuration does not create a secret in the cluster and instead tells the UDS Operator to create a public client (one that requires no auth secret) that enables the `oauth2.device.authorization.grant.enabled` flow and disables the standard redirect auth flow. Because this creates a public client configuration that deviates from this is limited - if your application requires both the Device Authorization Grant and the standard flow this is currently not supported without creating two separate clients. +### Creating a UDS Package with a Service Account Roles client + +Some applications may need to access resources / obtain OAuth tokens on behalf of *themselves* vice users. This may be needed to allow API access to Authservice protected applications (outside of a web browser). This is commonly used in machine-to-machine authentication for automated processes. This type of grant in OAuth 2.0 is known as the [Client Credentials Grant](https://oauth.net/2/grant-types/client-credentials/) and is supported in a UDS Package with the following configuration: + +```yaml +apiVersion: uds.dev/v1alpha1 +kind: Package +metadata: + name: client-cred + namespace: argo +spec: + sso: + - name: httpbin-api-client + clientId: httpbin-api-client + standardFlowEnabled: false + serviceAccountsEnabled: true + + # By default, Keycloak will not set the audience `aud` claim for service account access token JWTs. + # You can optionally add a protocolMapper to set the audience. + # If you map the audience to the same client used for authservice, you can enable access to authservice protected apps with a service account JWT. + protocolMappers: + - name: audience + protocol: "openid-connect" + protocolMapper: "oidc-audience-mapper" + config: + included.client.audience: "uds-core-httpbin" # Set this to match the app's authservice client id + access.token.claim: "true" + introspection.token.claim: "true" + id.token.claim: "false" + lightweight.claim: "false" + userinfo.token.claim: "false" +``` +Setting `serviceAccountsEnabled: true` requires `standardFlowEnabled: false` and is incompatible with `publicClient: true`. + +If needed, multiple clients can be added to the same application: an AuthService client, a device flow client, and as many service account clients as required. + +A keycloak service account JWT can be distinguished by a username prefix of `service-account-` and a new claim called `client_id`. Note that the `aud` field is not set by default, hence the mapper in the example. + ### SSO Client Attribute Validation The SSO spec supports a subset of the Keycloak attributes for clients, but does not support all of them. The current supported attributes are: diff --git a/src/pepr/operator/crd/generated/package-v1alpha1.ts b/src/pepr/operator/crd/generated/package-v1alpha1.ts index 32329fc0c..f512263d0 100644 --- a/src/pepr/operator/crd/generated/package-v1alpha1.ts +++ b/src/pepr/operator/crd/generated/package-v1alpha1.ts @@ -635,6 +635,10 @@ export interface Sso { * Enables the standard OpenID Connect redirect based authentication with authorization code. */ standardFlowEnabled?: boolean; + /** + * Enables the client credentials grant based authentication via OpenID Connect protocol. + */ + serviceAccountsEnabled?: boolean; /** * Allowed CORS origins. To permit all origins of Valid Redirect URIs, add '+'. This does * not include the '*' wildcard though. To permit all origins, explicitly add '*'. diff --git a/src/pepr/operator/crd/sources/package/v1alpha1.ts b/src/pepr/operator/crd/sources/package/v1alpha1.ts index 023001218..922484a18 100644 --- a/src/pepr/operator/crd/sources/package/v1alpha1.ts +++ b/src/pepr/operator/crd/sources/package/v1alpha1.ts @@ -382,6 +382,12 @@ const sso = { type: "boolean", default: true, }, + serviceAccountsEnabled: { + description: + "Enables the client credentials grant based authentication via OpenID Connect protocol.", + type: "boolean", + default: false, + }, publicClient: { description: "Defines whether the client requires a client secret for authentication", type: "boolean", diff --git a/src/pepr/operator/crd/validators/package-validator.spec.ts b/src/pepr/operator/crd/validators/package-validator.spec.ts index 41d00b23d..fa2616f0c 100644 --- a/src/pepr/operator/crd/validators/package-validator.spec.ts +++ b/src/pepr/operator/crd/validators/package-validator.spec.ts @@ -274,6 +274,38 @@ describe("Test validation of Exemption CRs", () => { expect(mockReq.Deny).toHaveBeenCalledTimes(1); }); + it("denies public clients using the service accounts roles", async () => { + const mockReq = makeMockReq( + {}, + [], + [], + [ + { + publicClient: true, + serviceAccountsEnabled: true, + }, + ], + ); + await validator(mockReq); + expect(mockReq.Deny).toHaveBeenCalledTimes(1); + }); + + it("denies using standard flow with service accounts roles", async () => { + const mockReq = makeMockReq( + {}, + [], + [], + [ + { + standardFlowEnabled: true, + serviceAccountsEnabled: true, + }, + ], + ); + await validator(mockReq); + expect(mockReq.Deny).toHaveBeenCalledTimes(1); + }); + it("denies public device flow clients using a secret", async () => { const mockReq = makeMockReq( {}, @@ -397,6 +429,22 @@ describe("Test validation of Exemption CRs", () => { expect(mockReq.Approve).toHaveBeenCalledTimes(1); }); + it("allows service account clients with standard flow disabled ", async () => { + const mockReq = makeMockReq( + {}, + [], + [], + [ + { + serviceAccountsEnabled: true, + standardFlowEnabled: false, + }, + ], + ); + await validator(mockReq); + expect(mockReq.Approve).toHaveBeenCalledTimes(1); + }); + it("denies authservice clients with : in client ID", async () => { const mockReq = makeMockReq( {}, diff --git a/src/pepr/operator/crd/validators/package-validator.ts b/src/pepr/operator/crd/validators/package-validator.ts index a2802c692..6a9e5c09d 100644 --- a/src/pepr/operator/crd/validators/package-validator.ts +++ b/src/pepr/operator/crd/validators/package-validator.ts @@ -140,10 +140,17 @@ export async function validator(req: PeprValidateRequest) { `The client ID "${client.clientId}" must specify redirectUris if standardFlowEnabled is turned on (it is enabled by default)`, ); } + // If serviceAccountsEnabled is true, do not allow standard flow + if (client.serviceAccountsEnabled && client.standardFlowEnabled) { + return req.Deny( + `The client ID "${client.clientId}" serviceAccountsEnabled is disallowed with standardFlowEnabled`, + ); + } // If this is a public client ensure that it only sets itself up as an OAuth Device Flow client if ( client.publicClient && - (client.standardFlowEnabled !== false || + (client.standardFlowEnabled !== false /* default true */ || + client.serviceAccountsEnabled /* default false */ || client.secret !== undefined || client.secretName !== undefined || client.secretTemplate !== undefined || @@ -152,7 +159,7 @@ export async function validator(req: PeprValidateRequest) { client.attributes?.["oauth2.device.authorization.grant.enabled"] !== "true") ) { return req.Deny( - `The client ID "${client.clientId}" must _only_ configure the OAuth Device Flow as a public client`, + `The client ID "${client.clientId}" sets options incompatible with publicClient`, ); } // Check if client.attributes contain any disallowed attributes From 0365f09a57825fe153656a4c7cdc3fbf2dc31872 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Wed, 9 Oct 2024 19:42:21 +0000 Subject: [PATCH 54/90] chore(deps): update test-infra (#875) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | aws | required_provider | minor | `~> 5.67.0` -> `~> 5.70.0` | | [github.com/defenseunicorns/terraform-aws-uds-kms](https://redirect.github.com/defenseunicorns/terraform-aws-uds-kms) | module | patch | `v0.0.5` -> `v0.0.6` | | [hashicorp/terraform](https://redirect.github.com/hashicorp/terraform) | required_version | minor | `~> 1.8.0` -> `~> 1.9.0` | | [hashicorp/terraform](https://redirect.github.com/hashicorp/terraform) | required_version | minor | `~> 1.8.2` -> `~> 1.9.0` | | [terraform-aws-modules/s3-bucket/aws](https://registry.terraform.io/modules/terraform-aws-modules/s3-bucket/aws) ([source](https://redirect.github.com/terraform-aws-modules/terraform-aws-s3-bucket)) | module | minor | `4.1.2` -> `4.2.0` | --- ### Release Notes
defenseunicorns/terraform-aws-uds-kms (github.com/defenseunicorns/terraform-aws-uds-kms) ### [`v0.0.6`](https://redirect.github.com/defenseunicorns/terraform-aws-uds-kms/releases/tag/v0.0.6) [Compare Source](https://redirect.github.com/defenseunicorns/terraform-aws-uds-kms/compare/v0.0.5...v0.0.6) ##### 0.0.6 (2024-08-21) ##### What's Changed - feat: add key spec as a variable by [@​Racer159](https://redirect.github.com/Racer159) in [https://github.com/defenseunicorns/terraform-aws-uds-kms/pull/31](https://redirect.github.com/defenseunicorns/terraform-aws-uds-kms/pull/31) **Full Changelog**: https://github.com/defenseunicorns/terraform-aws-uds-kms/compare/v0.0.5...v0.0.6
hashicorp/terraform (hashicorp/terraform) ### [`v1.9.7`](https://redirect.github.com/hashicorp/terraform/releases/tag/v1.9.7) [Compare Source](https://redirect.github.com/hashicorp/terraform/compare/v1.9.6...v1.9.7) ##### 1.9.7 (October 2, 2024) BUG FIXES: - config generation: escape map keys with whitespaces ([#​35754](https://redirect.github.com/hashicorp/terraform/pull/35754)) ### [`v1.9.6`](https://redirect.github.com/hashicorp/terraform/releases/tag/v1.9.6) [Compare Source](https://redirect.github.com/hashicorp/terraform/compare/v1.9.5...v1.9.6) #### 1.9.6 (September 18, 2024) BUG FIXES: - plan renderer: Render complete changes within unknown nested blocks. ([#​35644](https://redirect.github.com/hashicorp/terraform/issues/35644)) - plan renderer: Fix crash when attempting to render unknown nested blocks that contain attributes forcing resource replacement. ([#​35644](https://redirect.github.com/hashicorp/terraform/issues/35644)) - plan renderer: Fix crash when rendering a plan that contains null attributes being update to unknown values. ([#​35709](https://redirect.github.com/hashicorp/terraform/issues/35709)) ### [`v1.9.5`](https://redirect.github.com/hashicorp/terraform/releases/tag/v1.9.5) [Compare Source](https://redirect.github.com/hashicorp/terraform/compare/v1.9.4...v1.9.5) #### 1.9.5 (August 20, 2024) ENHANCEMENTS: - cloud: The cloud block can now interact with workspaces that have HCP resource IDs. ([#​35495](https://redirect.github.com/hashicorp/terraform/issues/35495)) BUG FIXES: - core: `removed` blocks with provisioners were not executed when the resource was in a nested module. ([#​35611](https://redirect.github.com/hashicorp/terraform/issues/35611)) ### [`v1.9.4`](https://redirect.github.com/hashicorp/terraform/releases/tag/v1.9.4) [Compare Source](https://redirect.github.com/hashicorp/terraform/compare/v1.9.3...v1.9.4) ##### 1.9.4 (August 7, 2024) BUG FIXES: - core: Unneeded variable validations were being executed during a destroy plan, which could cause plans starting with incomplete state to fail. ([#​35511](https://redirect.github.com/hashicorp/terraform/issues/35511)) - init: Don't crash when discovering invalid syntax in duplicate required_providers blocks. ([#​35533](https://redirect.github.com/hashicorp/terraform/issues/35533)) ### [`v1.9.3`](https://redirect.github.com/hashicorp/terraform/releases/tag/v1.9.3) [Compare Source](https://redirect.github.com/hashicorp/terraform/compare/v1.9.2...v1.9.3) ##### 1.9.3 (July 24, 2024) ENHANCEMENTS: - Terraform now returns a more specific error message in the awkward situation where an input variable validation rule is known to have failed (`condition` returned `false`) but the error message is derived from an unknown value. ([#​35400](https://redirect.github.com/hashicorp/terraform/pull/35400)) BUG FIXES: - core: Terraform no longer performs an unnecessary refresh when removing an instance targeted by a `removed` block. ([#​35458](https://redirect.github.com/hashicorp/terraform/pull/35458)) - config generation: Fix validation error when using nested computed or deprecated attributes. ([#​35484](https://redirect.github.com/hashicorp/terraform/pull/35484)) - Updated to newer github.com/hashicorp/go-retryablehttp version, addressing CVE-2024-6104, and bringing in updates for several indirect dependencies. ([#​35473](https://redirect.github.com/hashicorp/terraform/pull/35473)) - Moved to building with Go 1.22.5, which addresses CVE-2024-24791 and several other non-security bugs. ([#​35494](https://redirect.github.com/hashicorp/terraform/pull/35494)) ### [`v1.9.2`](https://redirect.github.com/hashicorp/terraform/releases/tag/v1.9.2) [Compare Source](https://redirect.github.com/hashicorp/terraform/compare/v1.9.1...v1.9.2) ##### 1.9.2 (July 10, 2024) BUG FIXES: - core: Fix panic when self-referencing direct instances from `count` and `for_each` meta attributes. ([#​35432](https://redirect.github.com/hashicorp/terraform/pull/35432)) ### [`v1.9.1`](https://redirect.github.com/hashicorp/terraform/releases/tag/v1.9.1) [Compare Source](https://redirect.github.com/hashicorp/terraform/compare/v1.9.0...v1.9.1) ##### 1.9.1 (Unreleased) UPGRADE NOTES: - Library used by Terraform (hashicorp/go-getter) for installing/updating modules was upgraded from v1.7.5 to v1.7.6. This addresses [CVE-2024-6257](https://nvd.nist.gov/vuln/detail/CVE-2024-6257). This change may have a negative effect on performance of `terraform init` or `terraform get` in case of larger git repositories. Please do file an issue if you find the performance difference noticable. ([#​35376](https://redirect.github.com/hashicorp/terraform/pull/35376)) BUG FIXES: - `terraform test`: Removed additional erroneous error message when referencing attributes that don't exist. ([#​35408](https://redirect.github.com/hashicorp/terraform/pull/35408)) - `import` blocks: Fix crash that occurs when incorrectly referencing the `to` resource from the `id` attribute. ([#​35420](https://redirect.github.com/hashicorp/terraform/pull/35420)) ### [`v1.9.0`](https://redirect.github.com/hashicorp/terraform/compare/v1.8.5...v1.9.0) [Compare Source](https://redirect.github.com/hashicorp/terraform/compare/v1.8.5...v1.9.0)
terraform-aws-modules/terraform-aws-s3-bucket (terraform-aws-modules/s3-bucket/aws) ### [`v4.2.0`](https://redirect.github.com/terraform-aws-modules/terraform-aws-s3-bucket/blob/HEAD/CHANGELOG.md#420-2024-10-06) [Compare Source](https://redirect.github.com/terraform-aws-modules/terraform-aws-s3-bucket/compare/v4.1.2...v4.2.0) ##### Features - Support `transition_default_minimum_object_size` ([#​290](https://redirect.github.com/terraform-aws-modules/terraform-aws-s3-bucket/issues/290)) ([f6fda8c](https://redirect.github.com/terraform-aws-modules/terraform-aws-s3-bucket/commit/f6fda8c746d2b6951ae59d7a20d33dbaafe0d70f))
--- ### Configuration πŸ“… **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. β™» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. πŸ‘» **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/defenseunicorns/uds-core). --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Noah Birrer Co-authored-by: Micah Nagel --- .github/test-infra/aws/rke2/iam.tf | 2 +- .github/test-infra/aws/rke2/irsa.tf | 2 +- .github/test-infra/aws/rke2/modules/storage/versions.tf | 2 +- .github/test-infra/aws/rke2/versions.tf | 4 ++-- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/test-infra/aws/rke2/iam.tf b/.github/test-infra/aws/rke2/iam.tf index 4a78d6396..ac817a743 100644 --- a/.github/test-infra/aws/rke2/iam.tf +++ b/.github/test-infra/aws/rke2/iam.tf @@ -94,7 +94,7 @@ resource "aws_iam_role_policy" "server_ccm" { } module "rke2_kms_key" { - source = "github.com/defenseunicorns/terraform-aws-uds-kms?ref=v0.0.5" + source = "github.com/defenseunicorns/terraform-aws-uds-kms?ref=v0.0.6" kms_key_alias_name_prefix = "rke2-${local.cluster_name}-server" kms_key_deletion_window = 7 diff --git a/.github/test-infra/aws/rke2/irsa.tf b/.github/test-infra/aws/rke2/irsa.tf index ee13e0d9f..1503ca0bb 100644 --- a/.github/test-infra/aws/rke2/irsa.tf +++ b/.github/test-infra/aws/rke2/irsa.tf @@ -33,7 +33,7 @@ resource "aws_secretsmanager_secret_version" "private_key" { # Public bucket to host OIDC files module "oidc_bucket" { source = "terraform-aws-modules/s3-bucket/aws" - version = "4.1.2" + version = "4.2.0" bucket = "${var.environment}-oidc-${random_string.ssm.result}" force_destroy = var.force_destroy diff --git a/.github/test-infra/aws/rke2/modules/storage/versions.tf b/.github/test-infra/aws/rke2/modules/storage/versions.tf index 736bf3d75..dfdef5df3 100644 --- a/.github/test-infra/aws/rke2/modules/storage/versions.tf +++ b/.github/test-infra/aws/rke2/modules/storage/versions.tf @@ -8,5 +8,5 @@ terraform { } } - required_version = "~> 1.8.2" + required_version = ">= 1.8.0" } diff --git a/.github/test-infra/aws/rke2/versions.tf b/.github/test-infra/aws/rke2/versions.tf index 14e8511cf..edbd9f2f8 100644 --- a/.github/test-infra/aws/rke2/versions.tf +++ b/.github/test-infra/aws/rke2/versions.tf @@ -3,7 +3,7 @@ terraform { } required_providers { aws = { - version = "~> 5.67.0" + version = "~> 5.70.0" } random = { version = "~> 3.6.0" @@ -12,7 +12,7 @@ terraform { version = "~> 4.0.0" } } - required_version = "~> 1.8.0" + required_version = ">= 1.8.0" } provider "aws" { From 5f5f59b85ae46a71a9944db20a76cae559a5b8af Mon Sep 17 00:00:00 2001 From: Micah Nagel Date: Wed, 9 Oct 2024 14:03:58 -0600 Subject: [PATCH 55/90] chore: regroup 'support dependencies' in renovate config (#885) ## Description This changes the grouping in renovate to group anything outside of the `src/` folders into a single `support-deps` grouping (with the exception of pepr). I reviewed the current PRs and several previous merged PRs and these matches should catch all the other locations we have dependencies. Worth noting we do not need the pinDigests option added anywhere since uds-common includes that as a helper for actions/workflows: https://github.com/defenseunicorns/uds-common/blob/main/config/renovate.json5#L8 ## Related Issue N/A ## Type of change - [ ] Bug fix (non-breaking change which fixes an issue) - [ ] New feature (non-breaking change which adds functionality) - [x] Other (security config, docs update, etc) ## Checklist before merging - [x] Test, docs, adr added or updated as needed - [x] [Contributor Guide](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md) followed --- renovate.json | 35 +++++++++-------------------------- 1 file changed, 9 insertions(+), 26 deletions(-) diff --git a/renovate.json b/renovate.json index f4428a606..387ef9641 100644 --- a/renovate.json +++ b/renovate.json @@ -78,36 +78,19 @@ "commitMessageTopic": "runtime" }, { - "matchPackageNames": ["zarf-dev/zarf", "ghcr.io/zarf-dev/packages/init"], - "groupName": "zarf", - "commitMessageTopic": "zarf" - }, - { - "matchPackageNames": ["defenseunicorns/uds-cli"], - "groupName": "uds", - "commitMessageTopic": "uds" - }, - { - "matchPackageNames": ["defenseunicorns/uds-k3d", "ghcr.io/defenseunicorns/packages/uds-k3d"], - "groupName": "uds-k3d", - "commitMessageTopic": "uds-k3d" - }, - { - "matchFileNames": [".github/workflows/**", ".github/actions/**"], - "matchPackageNames": ["*", "!zarf-dev/zarf", "!defenseunicorns/uds-cli", "!defenseunicorns/lula", "!k3d-io/k3d"], - "groupName": "githubactions", - "commitMessageTopic": "githubactions", - "pinDigests": true + "matchFileNames": ["package.json", "package-lock.json", "tasks/create.yaml"], + "groupName": "pepr", + "commitMessageTopic": "pepr" }, { - "matchFileNames": [".github/test-infra/**"], - "groupName": "test-infra", - "commitMessageTopic": "test-infra" + "matchFileNames": [".github/**", "bundles/**", "tasks/iac.yaml"], + "groupName": "support-deps", + "commitMessageTopic": "support dependencies" }, { - "matchFileNames": ["package.json", "package-lock.json", "tasks/create.yaml"], - "groupName": "pepr", - "commitMessageTopic": "pepr" + "matchPackageNames": ["defenseunicorns/uds-common"], + "groupName": "support-deps", + "commitMessageTopic": "support-deps" } ] } From 30ff1c249b73ed24c21a2daa7f268e50abdb8edf Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Wed, 9 Oct 2024 14:54:40 -0600 Subject: [PATCH 56/90] chore(deps): update support-deps (#890) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [actions/checkout](https://redirect.github.com/actions/checkout) | action | digest | `692973e` -> `eef6144` | | [actions/upload-artifact](https://redirect.github.com/actions/upload-artifact) | action | patch | `v4.4.1` -> `v4.4.3` | | [defenseunicorns/uds-common](https://redirect.github.com/defenseunicorns/uds-common) | | major | `v0.13.1` -> `v1.0.0` | | ghcr.io/zarf-dev/packages/init | | minor | `v0.40.1` -> `v0.41.0` | | [weaveworks/eksctl](https://redirect.github.com/weaveworks/eksctl) | | minor | `v0.190.0` -> `v0.191.0` | --- ### Release Notes
actions/upload-artifact (actions/upload-artifact) ### [`v4.4.3`](https://redirect.github.com/actions/upload-artifact/releases/tag/v4.4.3) [Compare Source](https://redirect.github.com/actions/upload-artifact/compare/v4.4.2...v4.4.3) #### What's Changed - Undo indirect dependency updates from [#​627](https://redirect.github.com/actions/upload-artifact/issues/627) by [@​joshmgross](https://redirect.github.com/joshmgross) in [https://github.com/actions/upload-artifact/pull/632](https://redirect.github.com/actions/upload-artifact/pull/632) **Full Changelog**: https://github.com/actions/upload-artifact/compare/v4.4.2...v4.4.3 ### [`v4.4.2`](https://redirect.github.com/actions/upload-artifact/releases/tag/v4.4.2) [Compare Source](https://redirect.github.com/actions/upload-artifact/compare/v4.4.1...v4.4.2) #### What's Changed - Bump `@actions/artifact` to 2.1.11 by [@​robherley](https://redirect.github.com/robherley) in [https://github.com/actions/upload-artifact/pull/627](https://redirect.github.com/actions/upload-artifact/pull/627) - Includes fix for relative symlinks not resolving properly **Full Changelog**: https://github.com/actions/upload-artifact/compare/v4...v4.4.2
defenseunicorns/uds-common (defenseunicorns/uds-common) ### [`v1.0.0`](https://redirect.github.com/defenseunicorns/uds-common/releases/tag/v1.0.0) [Compare Source](https://redirect.github.com/defenseunicorns/uds-common/compare/v0.13.1...v1.0.0) ##### ⚠ BREAKING CHANGES - remove with.assessment_results from oscal tasks ([#​276](https://redirect.github.com/defenseunicorns/uds-common/issues/276)) - update the publish task to avoid name collision ([#​267](https://redirect.github.com/defenseunicorns/uds-common/issues/267)) - **task:** add optional config input to create, deploy package and bundle tasks ([#​262](https://redirect.github.com/defenseunicorns/uds-common/issues/262)) - add shell linting to uds-common linting ([#​258](https://redirect.github.com/defenseunicorns/uds-common/issues/258)) - update uds common gh actions to use uds run conditionals ([#​254](https://redirect.github.com/defenseunicorns/uds-common/issues/254)) ##### Features - **task:** add optional config input to create, deploy package and bundle tasks ([#​262](https://redirect.github.com/defenseunicorns/uds-common/issues/262)) ([3d3e9cb](https://redirect.github.com/defenseunicorns/uds-common/commit/3d3e9cb82e6664a4250782e6ae3a4e1112cfe5be)) - update uds common gh actions to use uds run conditionals ([#​254](https://redirect.github.com/defenseunicorns/uds-common/issues/254)) ([c9d92f0](https://redirect.github.com/defenseunicorns/uds-common/commit/c9d92f0481d147e362d359447b487ab1c1560f31)) ##### Bug Fixes - add runner.arch to upload-artifacts name ([#​269](https://redirect.github.com/defenseunicorns/uds-common/issues/269)) ([4abe414](https://redirect.github.com/defenseunicorns/uds-common/commit/4abe414fa5460bc9e98b53f2e830b41e2e01cf26)) - add test artifact uploads to callable workflows ([#​275](https://redirect.github.com/defenseunicorns/uds-common/issues/275)) ([02e5c07](https://redirect.github.com/defenseunicorns/uds-common/commit/02e5c072465f1b06a05760fd4d1d12e070c22155)) - broken hyperlink in guide.md ([#​272](https://redirect.github.com/defenseunicorns/uds-common/issues/272)) ([6b152a4](https://redirect.github.com/defenseunicorns/uds-common/commit/6b152a4905ce4b8d212519e3fff4ff99dbaf7e50)) - refactor top level tasks ([#​277](https://redirect.github.com/defenseunicorns/uds-common/issues/277)) ([b7f6894](https://redirect.github.com/defenseunicorns/uds-common/commit/b7f68947d4082a7cb3128271476f65c61b3a9261)) - remove with.assessment_results from oscal tasks ([#​276](https://redirect.github.com/defenseunicorns/uds-common/issues/276)) ([bb8bb4b](https://redirect.github.com/defenseunicorns/uds-common/commit/bb8bb4b4df897b8aa747f5fe6e3ddd3fa40017b9)) - test/publish workflow upload and default behavior ([#​279](https://redirect.github.com/defenseunicorns/uds-common/issues/279)) ([1851a1c](https://redirect.github.com/defenseunicorns/uds-common/commit/1851a1cb3f532f83a70c09e8bb513fcc6bb64bd1)) - update publish permissions ([#​263](https://redirect.github.com/defenseunicorns/uds-common/issues/263)) ([2e57869](https://redirect.github.com/defenseunicorns/uds-common/commit/2e57869b41d1f523ca37b2a3da035a580fc7d6d0)) - update the publish task to avoid name collision ([#​267](https://redirect.github.com/defenseunicorns/uds-common/issues/267)) ([6a176ff](https://redirect.github.com/defenseunicorns/uds-common/commit/6a176ffd18ece28b759eb4e20f2e082ff0e079fb)) ##### Miscellaneous - add an ADR to document workflow/job names ([#​260](https://redirect.github.com/defenseunicorns/uds-common/issues/260)) ([0685c7c](https://redirect.github.com/defenseunicorns/uds-common/commit/0685c7cac904ebe5f746770f9488210498d4463d)) - add shell linting to uds-common linting ([#​258](https://redirect.github.com/defenseunicorns/uds-common/issues/258)) ([82e9137](https://redirect.github.com/defenseunicorns/uds-common/commit/82e9137642cb5dc0ba41cb33ad1ae44258549d19)) - correct the release workflow path on README ([#​265](https://redirect.github.com/defenseunicorns/uds-common/issues/265)) ([62c9a5f](https://redirect.github.com/defenseunicorns/uds-common/commit/62c9a5f0a14a8215d5d7e55e1b11d0d77003c8e1)) - **deps:** update uds common support dependencies ([#​250](https://redirect.github.com/defenseunicorns/uds-common/issues/250)) ([c828932](https://redirect.github.com/defenseunicorns/uds-common/commit/c82893264fffadfd0d84ca239a9459e6e55b9635)) - **docs:** restructure and introduce metadata guidelines ([#​266](https://redirect.github.com/defenseunicorns/uds-common/issues/266)) ([6828f10](https://redirect.github.com/defenseunicorns/uds-common/commit/6828f10932a65d5fbbaf5994e2c23ddd1cd27255)) - refactor and improve badge verification task ([#​249](https://redirect.github.com/defenseunicorns/uds-common/issues/249)) ([82e63be](https://redirect.github.com/defenseunicorns/uds-common/commit/82e63be82766a2e550a847af904b2d738c9d3478)) - update practices around maintaining the UDS Common framework ([#​253](https://redirect.github.com/defenseunicorns/uds-common/issues/253)) ([a733122](https://redirect.github.com/defenseunicorns/uds-common/commit/a7331224f153532361d32d0b02de6cbe7361ffe3)) - update the codeowners for the repo ([#​264](https://redirect.github.com/defenseunicorns/uds-common/issues/264)) ([6359020](https://redirect.github.com/defenseunicorns/uds-common/commit/6359020fa85b88f3360d0813f3da1d5e1f51134c)) - **deps:** update uds common support dependencies ([#​278](https://redirect.github.com/defenseunicorns/uds-common/issues/278)) ([e71432f](https://redirect.github.com/defenseunicorns/uds-common/commit/e71432f261fa03b60c7bf5845e749476390e104b))
weaveworks/eksctl (weaveworks/eksctl) ### [`v0.191.0`](https://redirect.github.com/eksctl-io/eksctl/releases/tag/v0.191.0): eksctl 0.191.0 [Compare Source](https://redirect.github.com/weaveworks/eksctl/compare/0.191.0...0.191.0) ##### Release v0.191.0 ##### πŸš€ Features - Add support for EKS 1.31 ([#​7973](https://redirect.github.com/weaveworks/eksctl/issues/7973)) ### [`v0.191.0`](https://redirect.github.com/eksctl-io/eksctl/releases/tag/v0.191.0): eksctl 0.191.0 [Compare Source](https://redirect.github.com/weaveworks/eksctl/compare/0.190.0...0.191.0) ### Release v0.191.0 #### πŸš€ Features - Add support for EKS 1.31 ([#​7973](https://redirect.github.com/weaveworks/eksctl/issues/7973))
--- ### Configuration πŸ“… **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. β™» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. πŸ‘» **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/defenseunicorns/uds-core). Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- .github/actions/save-logs/action.yaml | 2 +- .github/bundles/rke2/uds-bundle.yaml | 2 +- .github/workflows/compliance.yaml | 2 +- .github/workflows/test-rke2.yaml | 2 +- .github/workflows/test.yaml | 2 +- tasks/create.yaml | 2 +- tasks/iac.yaml | 2 +- tasks/lint.yaml | 2 +- tasks/test.yaml | 2 +- 9 files changed, 9 insertions(+), 9 deletions(-) diff --git a/.github/actions/save-logs/action.yaml b/.github/actions/save-logs/action.yaml index 3bbafd969..9039a8924 100644 --- a/.github/actions/save-logs/action.yaml +++ b/.github/actions/save-logs/action.yaml @@ -35,7 +35,7 @@ runs: sudo chown $USER /tmp/uds-*.log || echo "" shell: bash - - uses: actions/upload-artifact@604373da6381bf24206979c74d06a550515601b9 # v4.4.1 + - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 with: name: debug-log${{ inputs.suffix }} path: | diff --git a/.github/bundles/rke2/uds-bundle.yaml b/.github/bundles/rke2/uds-bundle.yaml index 68dc1cf36..639b80b19 100644 --- a/.github/bundles/rke2/uds-bundle.yaml +++ b/.github/bundles/rke2/uds-bundle.yaml @@ -14,7 +14,7 @@ packages: - name: init repository: ghcr.io/zarf-dev/packages/init - ref: v0.40.1 + ref: v0.41.0 overrides: zarf-registry: docker-registry: diff --git a/.github/workflows/compliance.yaml b/.github/workflows/compliance.yaml index 7d99ef57c..e04430f9a 100644 --- a/.github/workflows/compliance.yaml +++ b/.github/workflows/compliance.yaml @@ -67,7 +67,7 @@ jobs: ghToken: ${{ secrets.GITHUB_TOKEN }} - name: Upload Evaluated Assessment - uses: actions/upload-artifact@604373da6381bf24206979c74d06a550515601b9 # v4.4.1 + uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 with: name: ${{ inputs.flavor }}-assessment-results path: ./compliance/oscal-assessment-results.yaml diff --git a/.github/workflows/test-rke2.yaml b/.github/workflows/test-rke2.yaml index 7120d8347..2589e92ec 100644 --- a/.github/workflows/test-rke2.yaml +++ b/.github/workflows/test-rke2.yaml @@ -34,7 +34,7 @@ jobs: echo "TF_VAR_permissions_boundary_name=${UDS_PERMISSIONS_BOUNDARY_NAME}" >> $GITHUB_ENV - name: Checkout repository - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4 - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4 diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index a96894a97..bbf884235 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml @@ -73,7 +73,7 @@ jobs: - name: Upload Assessment if: ${{ inputs.package == 'all' && inputs.test_type == 'install' }} - uses: actions/upload-artifact@604373da6381bf24206979c74d06a550515601b9 # v4.4.1 + uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 with: name: ${{ inputs.flavor }}-assessment-results path: ./compliance/oscal-assessment-results.yaml diff --git a/tasks/create.yaml b/tasks/create.yaml index abccad794..934690282 100644 --- a/tasks/create.yaml +++ b/tasks/create.yaml @@ -1,7 +1,7 @@ # SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial includes: - - common: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.13.1/tasks/create.yaml + - common: https://raw.githubusercontent.com/defenseunicorns/uds-common/v1.0.0/tasks/create.yaml variables: - name: FLAVOR diff --git a/tasks/iac.yaml b/tasks/iac.yaml index bcdf35783..b7935142d 100644 --- a/tasks/iac.yaml +++ b/tasks/iac.yaml @@ -16,7 +16,7 @@ tasks: - name: install-eksctl actions: - cmd: | - curl --silent --location "https://github.com/weaveworks/eksctl/releases/download/v0.190.0/eksctl_Linux_amd64.tar.gz" | tar xz -C /tmp + curl --silent --location "https://github.com/weaveworks/eksctl/releases/download/v0.191.0/eksctl_Linux_amd64.tar.gz" | tar xz -C /tmp sudo mv /tmp/eksctl /usr/local/bin - name: create-cluster diff --git a/tasks/lint.yaml b/tasks/lint.yaml index 50a412f21..17147720d 100644 --- a/tasks/lint.yaml +++ b/tasks/lint.yaml @@ -1,7 +1,7 @@ # SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial includes: - - remote: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.13.1/tasks/lint.yaml + - remote: https://raw.githubusercontent.com/defenseunicorns/uds-common/v1.0.0/tasks/lint.yaml tasks: - name: fix diff --git a/tasks/test.yaml b/tasks/test.yaml index 5da8c22bb..e376a8a02 100644 --- a/tasks/test.yaml +++ b/tasks/test.yaml @@ -4,7 +4,7 @@ includes: - create: ./create.yaml - setup: ./setup.yaml - deploy: ./deploy.yaml - - compliance: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.13.1/tasks/compliance.yaml + - compliance: https://raw.githubusercontent.com/defenseunicorns/uds-common/v1.0.0/tasks/compliance.yaml - base-layer: ../packages/base/tasks.yaml tasks: From 57f7fa88277b975fd3d1a37c9546d07d5001c6fc Mon Sep 17 00:00:00 2001 From: Micah Nagel Date: Thu, 10 Oct 2024 08:38:18 -0600 Subject: [PATCH 57/90] fix: support for anywhere network policies in cilium (#884) ## Description Reference [this doc](https://github.com/cilium/cilium/blob/v1.16.2/Documentation/network/kubernetes/policy.rst#networkpolicy) for the limitations of Cilium with `ipBlock` based netpols. Two changes included to support this behavior: - Modifies the keycloak backchannel policy to include all namespaces instead of using the `Anywhere` generated target. This was intended to be anywhere in cluster anyways (see the deleted TODO comment in the diff). - Modifies `Anywhere` target to include both the `0.0.0.0/0` CIDR and an empty namespace selector. For any non-Cilium CNIs `0.0.0.0/0` would've already covered any in-cluster endpoints, so this only changes the behavior for Cilium. ## Related Issue Fixes https://github.com/defenseunicorns/uds-core/issues/871 ## Type of change - [x] Bug fix (non-breaking change which fixes an issue) - [ ] New feature (non-breaking change which adds functionality) - [ ] Other (security config, docs update, etc) ## Checklist before merging - [x] Test, docs, adr added or updated as needed - [x] [Contributor Guide](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md) followed --- src/keycloak/chart/templates/uds-package.yaml | 5 ++--- src/pepr/operator/controllers/network/generate.ts | 4 ++-- .../operator/controllers/network/generators/anywhere.ts | 8 ++++++++ 3 files changed, 12 insertions(+), 5 deletions(-) diff --git a/src/keycloak/chart/templates/uds-package.yaml b/src/keycloak/chart/templates/uds-package.yaml index 371c91554..63a907a38 100644 --- a/src/keycloak/chart/templates/uds-package.yaml +++ b/src/keycloak/chart/templates/uds-package.yaml @@ -26,13 +26,12 @@ spec: app: pepr-uds-core-watcher port: 8080 - # Temp workaround for any cluster pod - # todo: remove this once cluster pods is a remote generated target - description: "Keycloak backchannel access" direction: Ingress selector: app.kubernetes.io/name: keycloak - remoteGenerated: Anywhere + # Allow access from anything in cluster using an empty namespace selector + remoteNamespace: "*" port: 8080 # Keycloak OCSP to check certs cannot guarantee a static IP diff --git a/src/pepr/operator/controllers/network/generate.ts b/src/pepr/operator/controllers/network/generate.ts index 473f73d4c..53d0a6280 100644 --- a/src/pepr/operator/controllers/network/generate.ts +++ b/src/pepr/operator/controllers/network/generate.ts @@ -3,7 +3,7 @@ import { V1NetworkPolicyPeer, V1NetworkPolicyPort } from "@kubernetes/client-nod import { kind } from "pepr"; import { Allow, RemoteGenerated } from "../../crd"; -import { anywhere } from "./generators/anywhere"; +import { anywhere, anywhereInCluster } from "./generators/anywhere"; import { cloudMetadata } from "./generators/cloudMetadata"; import { intraNamespace } from "./generators/intraNamespace"; import { kubeAPI } from "./generators/kubeAPI"; @@ -31,7 +31,7 @@ function getPeers(policy: Allow): V1NetworkPolicyPeer[] { break; case RemoteGenerated.Anywhere: - peers = [anywhere]; + peers = [anywhere, anywhereInCluster]; break; } } else if (policy.remoteNamespace !== undefined || policy.remoteSelector !== undefined) { diff --git a/src/pepr/operator/controllers/network/generators/anywhere.ts b/src/pepr/operator/controllers/network/generators/anywhere.ts index da732960e..cb4ce0637 100644 --- a/src/pepr/operator/controllers/network/generators/anywhere.ts +++ b/src/pepr/operator/controllers/network/generators/anywhere.ts @@ -9,3 +9,11 @@ export const anywhere: V1NetworkPolicyPeer = { except: [META_IP], }, }; + +/** Matches any endpoint in cluster + * This is primarily to support Cilium where IP based policies do not match/allow anything in-cluster + * Ref: https://github.com/defenseunicorns/uds-core/issues/871 and https://github.com/cilium/cilium/blob/v1.16.2/Documentation/network/kubernetes/policy.rst#networkpolicy + */ +export const anywhereInCluster: V1NetworkPolicyPeer = { + namespaceSelector: {}, +}; From 9e0bae9fb27293eb41001ef4620a8ecb6941ba06 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Thu, 10 Oct 2024 19:52:40 -0600 Subject: [PATCH 58/90] chore(deps): update runtime to v0.6.0 (#897) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This PR contains the following updates: | Package | Update | Change | |---|---|---| | [ghcr.io/defenseunicorns/uds-runtime](https://images.chainguard.dev/directory/image/static/overview) ([source](https://redirect.github.com/chainguard-images/images/tree/HEAD/images/static)) | minor | `0.5.0` -> `0.6.0` | | [https://github.com/defenseunicorns/uds-runtime.git](https://redirect.github.com/defenseunicorns/uds-runtime) | minor | `v0.5.0` -> `v0.6.0` | --- ### Release Notes
defenseunicorns/uds-runtime (https://github.com/defenseunicorns/uds-runtime.git) ### [`v0.6.0`](https://redirect.github.com/defenseunicorns/uds-runtime/releases/tag/v0.6.0) [Compare Source](https://redirect.github.com/defenseunicorns/uds-runtime/compare/v0.5.0...v0.6.0) ##### Features - **api:** adds caching layer to pepr endpoints ([#​402](https://redirect.github.com/defenseunicorns/uds-runtime/issues/402)) ([782d93b](https://redirect.github.com/defenseunicorns/uds-runtime/commit/782d93b9b030a0a16191de58ec7c6920982f248a)) - **api:** use tls when running locally ([#​405](https://redirect.github.com/defenseunicorns/uds-runtime/issues/405)) ([d4764eb](https://redirect.github.com/defenseunicorns/uds-runtime/commit/d4764ebcff0ad5c3b4d3dfaee563429ce07d4e87)) - **ci:** publish the runtime ui build as a release artifact ([#​418](https://redirect.github.com/defenseunicorns/uds-runtime/issues/418)) ([ce4a592](https://redirect.github.com/defenseunicorns/uds-runtime/commit/ce4a592c615b02e149f2a8b7c0698fb85157b3b6)) - **ui:** 409 overview dashboard events logs widget ([#​415](https://redirect.github.com/defenseunicorns/uds-runtime/issues/415)) ([ea47a72](https://redirect.github.com/defenseunicorns/uds-runtime/commit/ea47a72b47d60c4b51a9b6ef63cd5853f57d6fd6)) - **ui:** create stat widget ([#​386](https://redirect.github.com/defenseunicorns/uds-runtime/issues/386)) ([f1dce2e](https://redirect.github.com/defenseunicorns/uds-runtime/commit/f1dce2ebf81a2701267cc76a92a34d9b59293d9a)) ##### Bug Fixes - closes pepr goroutines when navigating away ([#​400](https://redirect.github.com/defenseunicorns/uds-runtime/issues/400)) ([95fb845](https://redirect.github.com/defenseunicorns/uds-runtime/commit/95fb8453779042f3b695351127d0097162a856cb)) - reconnection handling after introducing TLS ([#​412](https://redirect.github.com/defenseunicorns/uds-runtime/issues/412)) ([b89cf16](https://redirect.github.com/defenseunicorns/uds-runtime/commit/b89cf16ddba0ec37891aab72876a26f6d5f0b402)) - storageclass view data ([#​425](https://redirect.github.com/defenseunicorns/uds-runtime/issues/425)) ([f228e7f](https://redirect.github.com/defenseunicorns/uds-runtime/commit/f228e7f2eb619b0a599deff6b519113c51d7a7bd)) ##### Miscellaneous - **api:** refactor organization of reconnection logic ([#​406](https://redirect.github.com/defenseunicorns/uds-runtime/issues/406)) ([1dd4a06](https://redirect.github.com/defenseunicorns/uds-runtime/commit/1dd4a06153c79301a6ae23001bcd0aef5002e3db)) - **api:** updates for handling unavailable metrics server ([#​421](https://redirect.github.com/defenseunicorns/uds-runtime/issues/421)) ([6bb9728](https://redirect.github.com/defenseunicorns/uds-runtime/commit/6bb9728d2e01de73b6462b420c384c64580524e7)) - **deps:** update dependency kubernetes-fluent-client to v3.0.4 ([#​403](https://redirect.github.com/defenseunicorns/uds-runtime/issues/403)) ([ef35113](https://redirect.github.com/defenseunicorns/uds-runtime/commit/ef35113c05ecf881c5077fdea4c9c322febbff66)) - **deps:** update devdependencies ([#​214](https://redirect.github.com/defenseunicorns/uds-runtime/issues/214)) ([16f75ed](https://redirect.github.com/defenseunicorns/uds-runtime/commit/16f75ed767af5fd2f128044723e6c010b46be576)) - **deps:** update github actions ([#​385](https://redirect.github.com/defenseunicorns/uds-runtime/issues/385)) ([ac2797f](https://redirect.github.com/defenseunicorns/uds-runtime/commit/ac2797f73abf450e0ba784b269752f61fb322599)) - **deps:** update module github.com/zarf-dev/zarf to v0.41.0 ([#​414](https://redirect.github.com/defenseunicorns/uds-runtime/issues/414)) ([aaa2fed](https://redirect.github.com/defenseunicorns/uds-runtime/commit/aaa2fed5529f3e78b7b70d500eb4cac371907c06)) - fix typo in README ([#​396](https://redirect.github.com/defenseunicorns/uds-runtime/issues/396)) ([ceddd9b](https://redirect.github.com/defenseunicorns/uds-runtime/commit/ceddd9ba36ff86454a9cbdba00d40bf8ceb57a8f)) - fix typo, clean URL, de-dup toast ([#​407](https://redirect.github.com/defenseunicorns/uds-runtime/issues/407)) ([b8616c6](https://redirect.github.com/defenseunicorns/uds-runtime/commit/b8616c619b11feef6a6e3376f7bf8a965c84ff5e)) - implementation for handling crds that dont exist ([#​408](https://redirect.github.com/defenseunicorns/uds-runtime/issues/408)) ([d5d7d14](https://redirect.github.com/defenseunicorns/uds-runtime/commit/d5d7d14962304b955d8b9a7eff4a78eb9559583d)) - swap svelte-chartjs for chartjs lib ([#​246](https://redirect.github.com/defenseunicorns/uds-runtime/issues/246)) ([cedaa43](https://redirect.github.com/defenseunicorns/uds-runtime/commit/cedaa43b1b065be77add427777f03a7837a61b15)) - **ui:** add status colors for event type in events table ([#​422](https://redirect.github.com/defenseunicorns/uds-runtime/issues/422)) ([e1111e9](https://redirect.github.com/defenseunicorns/uds-runtime/commit/e1111e96163eaa67c2f36e9b2dc8cb0501cfbbd5)) - **ui:** adding convention for figma to front end component naming ([#​401](https://redirect.github.com/defenseunicorns/uds-runtime/issues/401)) ([f65ec88](https://redirect.github.com/defenseunicorns/uds-runtime/commit/f65ec88d95656f7217a5af1320b009816bd99f64))
--- ### Configuration πŸ“… **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. β™» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. πŸ”• **Ignore**: Close this PR and you won't be reminded about these updates again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/defenseunicorns/uds-core). Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- src/runtime/zarf.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/runtime/zarf.yaml b/src/runtime/zarf.yaml index cdccb7cd9..16474a362 100644 --- a/src/runtime/zarf.yaml +++ b/src/runtime/zarf.yaml @@ -14,11 +14,11 @@ components: - name: uds-runtime required: false images: - - ghcr.io/defenseunicorns/uds-runtime:0.5.0 + - ghcr.io/defenseunicorns/uds-runtime:0.6.0 charts: - name: uds-runtime namespace: uds-runtime - version: "v0.5.0" + version: "v0.6.0" url: https://github.com/defenseunicorns/uds-runtime.git gitPath: chart actions: From 70adcfe1544b1650de87823b81a9be730e05748f Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Fri, 11 Oct 2024 02:20:50 +0000 Subject: [PATCH 59/90] chore(deps): update metrics-server chart to v3.12.2 (#873) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This PR contains the following updates: | Package | Update | Change | |---|---|---| | [metrics-server](https://redirect.github.com/kubernetes-sigs/metrics-server) | patch | `3.12.1` -> `3.12.2` | --- ### Configuration πŸ“… **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. β™» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. πŸ”• **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/defenseunicorns/uds-core). Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Micah Nagel --- src/metrics-server/common/zarf.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/metrics-server/common/zarf.yaml b/src/metrics-server/common/zarf.yaml index c258da476..0e915fd01 100644 --- a/src/metrics-server/common/zarf.yaml +++ b/src/metrics-server/common/zarf.yaml @@ -16,7 +16,7 @@ components: - name: metrics-server namespace: metrics-server url: https://kubernetes-sigs.github.io/metrics-server - version: 3.12.1 + version: 3.12.2 valuesFiles: - "../values/values.yaml" actions: From 5da24fdf56dcb0a2e1e5139c63c3a812179f0113 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Fri, 11 Oct 2024 03:01:05 +0000 Subject: [PATCH 60/90] chore(deps): update loki nginx image to v1.27.2 (#894) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This PR contains the following updates: | Package | Update | Change | |---|---|---| | [cgr.dev/du-uds-defenseunicorns/nginx-fips](https://images.chainguard.dev/directory/image/nginx-fips/overview) ([source](https://redirect.github.com/chainguard-images/images-private/tree/HEAD/images/nginx-fips)) | patch | `1.27.1` -> `1.27.2` | --- ### Configuration πŸ“… **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. β™» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. πŸ”• **Ignore**: Close this PR and you won't be reminded about these updates again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/defenseunicorns/uds-core). Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- src/loki/values/unicorn-values.yaml | 2 +- src/loki/zarf.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/loki/values/unicorn-values.yaml b/src/loki/values/unicorn-values.yaml index b50b9dba6..74d73473d 100644 --- a/src/loki/values/unicorn-values.yaml +++ b/src/loki/values/unicorn-values.yaml @@ -8,7 +8,7 @@ gateway: image: registry: cgr.dev repository: du-uds-defenseunicorns/nginx-fips - tag: 1.27.1 + tag: 1.27.2 memcached: image: repository: cgr.dev/du-uds-defenseunicorns/memcached diff --git a/src/loki/zarf.yaml b/src/loki/zarf.yaml index ecd59de6b..2111e27ed 100644 --- a/src/loki/zarf.yaml +++ b/src/loki/zarf.yaml @@ -50,5 +50,5 @@ components: - ./values/unicorn-values.yaml images: - cgr.dev/du-uds-defenseunicorns/loki:3.2.0 - - cgr.dev/du-uds-defenseunicorns/nginx-fips:1.27.1 + - cgr.dev/du-uds-defenseunicorns/nginx-fips:1.27.2 - cgr.dev/du-uds-defenseunicorns/memcached:1.6.31 From 824707d2e6cad0af8dd305e07e5de7bfb251066a Mon Sep 17 00:00:00 2001 From: Micah Nagel Date: Fri, 11 Oct 2024 06:49:40 -0600 Subject: [PATCH 61/90] fix: broken readme link (#899) ## Description Fixes a broken path as reported by @philcole09 --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 8bc9719fc..c8205e9ce 100644 --- a/README.md +++ b/README.md @@ -78,7 +78,7 @@ uds deploy k3d-core-slim-dev:0.28.0 #### Developing UDS Core -UDS Core development leverages the `uds zarf dev deploy` command. For convenience, a UDS Task is provided to setup the environment. You'll need to have [NodeJS](https://nodejs.org/en/download/) 20 or later installed to continue. Here's an example of a flow developing the [identity-authorization layer](./package/identity-authorization/README.md): +UDS Core development leverages the `uds zarf dev deploy` command. For convenience, a UDS Task is provided to setup the environment. You'll need to have [NodeJS](https://nodejs.org/en/download/) 20 or later installed to continue. Here's an example of a flow developing the [identity-authorization layer](./packages/identity-authorization/README.md): ```bash # Create the dev environment From 23d3676017a58d8a2ee7193a475a3a2c176e760e Mon Sep 17 00:00:00 2001 From: Paul Di Pietro Date: Fri, 11 Oct 2024 12:16:10 -0400 Subject: [PATCH 62/90] chore(docs): update doc structure for site refresh (#895) ## Description This PR changes the docs structure to reflect the updated site architecture. - ADRs moved to a separate folder - All docs are served out of `docs/reference` (or possibly `docs/troubleshooting` if added) - Remove unnecessary front matter as needed ## Related Issue N/A ## Type of change - [ ] Bug fix (non-breaking change which fixes an issue) - [ ] New feature (non-breaking change which adds functionality) - [X] Other (security config, docs update, etc) ## Checklist before merging - [ ] Test, docs, adr added or updated as needed - [ ] [Contributor Guide](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md) followed --------- Co-authored-by: Micah Nagel --- {docs/adrs => adrs}/.gitkeep | 0 .../0001-record-architecture-decisions.md | 0 .../0002-uds-core-functional-layers.md | 0 docs/application-baseline.md | 26 ---- docs/configuration/_index.md | 5 - docs/configuration/istio/_index.md | 5 - docs/deployment/_index.md | 5 - docs/deployment/uds-deploy.md | 121 ------------------ docs/development/_index.md | 5 - .../UDS Core}/distribution-support.md | 10 +- .../{deployment => reference/UDS Core}/dns.md | 0 .../flavor-specific-development-notes.md} | 2 - .../UDS Core/overview.md} | 9 +- .../UDS Core}/prerequisites.md | 4 - .../configuration}/ingress.md | 18 ++- .../configuration/pepr-policies.md | 2 - .../resource-configuration-and-ha.md | 2 - .../uds-configure-policy-exemptions.md | 2 - .../configuration/uds-monitoring-metrics.md | 6 +- .../configuration/uds-operator.md | 6 +- .../configuration/uds-user-groups.md | 6 +- docs/{ => reference}/deployment/flavors.md | 10 +- 22 files changed, 25 insertions(+), 219 deletions(-) rename {docs/adrs => adrs}/.gitkeep (100%) rename {docs/adrs => adrs}/0001-record-architecture-decisions.md (100%) rename {docs/adrs => adrs}/0002-uds-core-functional-layers.md (100%) delete mode 100644 docs/application-baseline.md delete mode 100644 docs/configuration/_index.md delete mode 100644 docs/configuration/istio/_index.md delete mode 100644 docs/deployment/_index.md delete mode 100644 docs/deployment/uds-deploy.md delete mode 100644 docs/development/_index.md rename docs/{deployment => reference/UDS Core}/distribution-support.md (70%) rename docs/{deployment => reference/UDS Core}/dns.md (100%) rename docs/{development/flavor-specific-dev.md => reference/UDS Core/flavor-specific-development-notes.md} (98%) rename docs/{_index.md => reference/UDS Core/overview.md} (96%) mode change 100755 => 100644 rename docs/{deployment => reference/UDS Core}/prerequisites.md (99%) rename docs/{configuration/istio => reference/configuration}/ingress.md (98%) rename docs/{ => reference}/configuration/pepr-policies.md (99%) rename docs/{ => reference}/configuration/resource-configuration-and-ha.md (99%) rename docs/{ => reference}/configuration/uds-configure-policy-exemptions.md (98%) rename docs/{ => reference}/configuration/uds-monitoring-metrics.md (99%) rename docs/{ => reference}/configuration/uds-operator.md (99%) rename docs/{ => reference}/configuration/uds-user-groups.md (97%) rename docs/{ => reference}/deployment/flavors.md (94%) diff --git a/docs/adrs/.gitkeep b/adrs/.gitkeep similarity index 100% rename from docs/adrs/.gitkeep rename to adrs/.gitkeep diff --git a/docs/adrs/0001-record-architecture-decisions.md b/adrs/0001-record-architecture-decisions.md similarity index 100% rename from docs/adrs/0001-record-architecture-decisions.md rename to adrs/0001-record-architecture-decisions.md diff --git a/docs/adrs/0002-uds-core-functional-layers.md b/adrs/0002-uds-core-functional-layers.md similarity index 100% rename from docs/adrs/0002-uds-core-functional-layers.md rename to adrs/0002-uds-core-functional-layers.md diff --git a/docs/application-baseline.md b/docs/application-baseline.md deleted file mode 100644 index 7eec1c580..000000000 --- a/docs/application-baseline.md +++ /dev/null @@ -1,26 +0,0 @@ ---- -title: Application Baseline -type: docs -weight: 1 ---- - -UDS Core provides a foundational set of applications that form the backbone of a secure and efficient mission environment. Each application addresses critical aspects of microservices communication, monitoring, logging, security, compliance, and data protection. These applications are essential for establishing a reliable runtime environment and ensuring that mission-critical applications operate seamlessly. - -By leveraging these applications within UDS Core, users can confidently deploy and operate source packages that meet stringent security and performance standards. UDS Core provides the applications and flexibility required to achieve diverse mission objectives, whether in cloud, on-premises, or edge environments. UDS source packages cater to the specific needs of Mission Heroes and their mission-critical operations. Below are some of the key applications offered by UDS Core: - -{{% alert-note %}} -For optimal deployment and operational efficiency, it is important to deliver a UDS Core Bundle before deploying any other optional bundle (UDS or Mission). Failure to meet this prerequisite can alter the complexity of the deployment process. To ensure a seamless experience and to leverage the full potential of UDS capabilities, prioritize the deployment of UDS Core as the foundational step. -{{% /alert-note %}} - -## Core Baseline - -| **Capability** | **Application** | -| ---------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| **Service Mesh** | **[Istio](https://istio.io/):** A powerful service mesh that provides traffic management, load balancing, security, and observability features. | -| **Monitoring** | **[Metrics Server](https://kubernetes-sigs.github.io/metrics-server/):** Provides container resource utilization metrics API for Kubernetes clusters. Metrics server is an optional (non-default) component since most Kubernetes distros provide it by default.

**[Prometheus](https://prometheus.io/):** Scrapes Metrics Server API and application metrics and stores the data in a time-series database for insights into application health and performance.

**[Grafana](https://grafana.com/grafana/):** Provides visualization and alerting capabilities based on Prometheus's time-series database of metrics. | -| **Logging** | **[Vector](https://vector.dev/):** A companion agent that efficiently gathers and sends container logs to Loki and other storage locations (S3, SIEM tools, etc), simplifying log monitoring, troubleshooting, and compliance auditing, enhancing the overall observability of the mission environment.

**[Loki](https://grafana.com/docs/loki/latest/):** A log aggregation system that allows users to store, search, and analyze logs across their applications. | -| **Security and Compliance** | **[NeuVector](https://open-docs.neuvector.com/):** Offers container-native security, protecting applications against threats and vulnerabilities.

**[Pepr](https://pepr.dev/):** UDS policy engine and operator for enhanced security and compliance.| -| **Identity and Access Management** | **[Keycloak](https://www.keycloak.org/):** A robust open-source Identity and Access Management solution, providing centralized authentication, authorization, and user management for enhanced security and control over access to mission-critical resources.| -| **Backup and Restore** | **[Velero](https://velero.io/):** Provides backup and restore capabilities for Kubernetes clusters, ensuring data protection and disaster recovery.| -| **Authorization** | **[AuthService](https://github.com/istio-ecosystem/authservice):** Offers centralized authorization services, managing access control and permissions within the Istio mesh. AuthService plays a supporting role to Keycloak as it handles part of the OIDC redirect flow.| -| **Frontend Views & Insights** | **[UDS Runtime](https://github.com/defenseunicorns/uds-runtime)**: UDS Runtime is an optional component in Core that provides the frontend for all things UDS, providing views and insights into your UDS cluster. | diff --git a/docs/configuration/_index.md b/docs/configuration/_index.md deleted file mode 100644 index 1d8ab0844..000000000 --- a/docs/configuration/_index.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Configure UDS Core -type: docs -weight: 3 ---- diff --git a/docs/configuration/istio/_index.md b/docs/configuration/istio/_index.md deleted file mode 100644 index 6872802db..000000000 --- a/docs/configuration/istio/_index.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Istio Configuration for UDS Core -type: docs -weight: 5 ---- diff --git a/docs/deployment/_index.md b/docs/deployment/_index.md deleted file mode 100644 index 9cbb18a82..000000000 --- a/docs/deployment/_index.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Deploying UDS Core -type: docs -weight: 2 ---- diff --git a/docs/deployment/uds-deploy.md b/docs/deployment/uds-deploy.md deleted file mode 100644 index 90b05291e..000000000 --- a/docs/deployment/uds-deploy.md +++ /dev/null @@ -1,121 +0,0 @@ ---- -title: Deploy UDS Core -type: docs -weight: 3 ---- - -## Prerequisites - -Please ensure that the following prerequisites are on your machine prior to deploying UDS Core: - -- [Docker](https://formulae.brew.sh/formula/docker#default), or as an open source alternative, you can use [Colima](https://formulae.brew.sh/formula/colima#default). - - If using Colima, please declare the following resources after installing: - -```git -colima start --cpu 7 --memory 14 --disk 50 -``` - -- [K3d](https://formulae.brew.sh/formula/k3d#default) for development and test environments or a [CNCF Certified Kubernetes Cluster](https://www.cncf.io/training/certification/software-conformance/#logos) if deploying to production environments. -- Dynamic [load-balancer](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer) provisioning such as [MetalLB](https://metallb.universe.tf/). -- Object storage of your choosing such as [Minio](https://min.io/product/kubernetes) or [S3](https://aws.amazon.com/s3/). - -## UDS Bundles - -UDS Core provides published [bundles](https://uds.defenseunicorns.com/bundles/) that serve multiple purposes: you can utilize them for experimenting with UDS Core or for UDS Package development when you only require specific components of UDS Core. These bundles leverage [UDS K3d](https://github.com/defenseunicorns/uds-k3d) to establish a local k3d cluster. - -UDS Bundles deployed for development and testing purposes are comprised of a shared configuration that equips users with essential tools, emulating a development environment for convenience. If deploying to a production environment, users have the ability to modify variables and configurations to best fit specific mission needs by creating their own bundle. - -{{% alert-note %}} -These UDS Bundles are designed specifically for development and testing environments and are *not intended for production use*. Additionally, they serve as examples for creating customized bundles. -{{% /alert-note %}} - -## Quickstart: Development and Test Environments - -**Step 1: Install the [UDS CLI](https://uds.defenseunicorns.com/cli/)** - -It is recommended to update to the latest version, all releases can be found in the [UDS CLI GitHub repository](https://github.com/defenseunicorns/uds-cli/releases). - -```git -brew tap defenseunicorns/tap && brew install uds -``` - -**Step 2: Deploy the UDS Bundle** - -The UDS Bundle being deployed in this example is the [`k3d-core-demo`](https://github.com/defenseunicorns/uds-core/blob/main/bundles/k3d-standard/README.md) bundle which creates a local k3d cluster with UDS Core installed. - -```cli -uds deploy k3d-core-demo:0.20.0 - -# deploy this bundle? -y -``` - -For additional information on UDS Bundles, please see the [UDS Bundles documentation.](https://uds.defenseunicorns.com/bundles/) - -**Optional:** - -Use the following command to visualize resources in the cluster via [k9s:](https://k9scli.io/) - -```git -uds zarf tools monitor -``` - -**Step 3: Clean Up** - -Use the following command to tear down the k3d cluster: - -```git -k3d cluster delete uds -``` - -If you opted to use Colima, use the following command to tear down the virtual machine that the cluster was running on: - -```git -colima delete -f -``` - -## UDS Bundle Development - -In addition to the demo bundle, there is also a [`k3d-slim-dev bundle`](https://github.com/defenseunicorns/uds-core/tree/main/bundles/k3d-istio) designed specifically for working with UDS Core with *only* Istio, Keycloak, and Pepr installed. To use it, execute the following command: - -```cli -uds deploy k3d-core-slim-dev:0.20.0 -``` - -## Developing UDS Core - -UDS Core development leverages the `uds zarf dev deploy` command. To simplify the setup process, a dedicated UDS Task is available. Please ensure you have [NodeJS](https://nodejs.org/en/download/) version 20 or later installed before proceeding. - -Below is an example of the workflow developing the [metrics-server package](https://github.com/defenseunicorns/uds-core/tree/main/src/metrics-server): - -```cli -# Create the dev environment -uds run dev-setup - -# If developing the Pepr module: -npx pepr dev - -# If not developing the Pepr module (can be run multiple times): -npx pepr deploy - -# Deploy the package (can be run multiple times) -uds run dev-deploy --set PKG=metrics-server -``` - -## Testing UDS Core - -You can perform a complete test of UDS Core by running the following command: - -```cli -uds run test-uds-core -``` - -This will create a local k3d cluster, install UDS Core, and run a series of tests against it, the same tests that are run in CI. If you want to run the tests against a specific core layer, you can use the `LAYER` task variable. The following example runs the tests against the identity-authorization layer: - -```cli -uds run test-single-layer --set LAYER=identity-authorization -``` - -{{% alert-note %}} -You can specify the `--set FLAVOR=registry1` flag to test using Iron Bank images instead of the upstream images. -{{% /alert-note %}} diff --git a/docs/development/_index.md b/docs/development/_index.md deleted file mode 100644 index d49d49f68..000000000 --- a/docs/development/_index.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: UDS Core Development -type: docs -weight: 4 ---- diff --git a/docs/deployment/distribution-support.md b/docs/reference/UDS Core/distribution-support.md similarity index 70% rename from docs/deployment/distribution-support.md rename to docs/reference/UDS Core/distribution-support.md index 268366559..89afcf8e9 100644 --- a/docs/deployment/distribution-support.md +++ b/docs/reference/UDS Core/distribution-support.md @@ -1,7 +1,5 @@ --- title: Distribution Support -type: docs -weight: 1 --- UDS Core is a versatile software baseline designed to operate effectively across a variety of Kubernetes distributions. While it is not specifically tailored to any single Kubernetes distribution, it is compatible with multiple environments. This documentation provides an overview of UDS Core's compatibility with different distributions and the level of support provided. @@ -12,8 +10,8 @@ UDS Core is a versatile software baseline designed to operate effectively across - **Compatible:** Kubernetes distributions listed under this category may not have undergone extensive testing in UDS Core's CI environments. While UDS Core may be compatible on these distributions, users should exercise caution and be prepared for potential compatibility issues or limitations. -| Distribution | Category | Support Level | -| ------------------- | ---------------------- | --------------------------------------------------------------------------------------------------------- | +| Distribution | Category | Support Level | +| --------------- | ---------------------- | --------------------------------------------------------------------------------------------------------- | | K3d/K3s, Amazon EKS | Tested | Supported Kubernetes distributions undergoing testing in CI environments. | -| RKE2 | Tested | Supported Kubernetes distribution tested in production environments other than CI. | -| Other | Untested/Unknown state | Compatible Kubernetes distributions that are not explicitly tested, documented, or supported by UDS Core. | +| RKE2 | Tested | Supported Kubernetes distribution tested in production environments other than CI. | +| Other | Untested/Unknown state | Compatible Kubernetes distributions that are not explicitly tested, documented, or supported by UDS Core. | diff --git a/docs/deployment/dns.md b/docs/reference/UDS Core/dns.md similarity index 100% rename from docs/deployment/dns.md rename to docs/reference/UDS Core/dns.md diff --git a/docs/development/flavor-specific-dev.md b/docs/reference/UDS Core/flavor-specific-development-notes.md similarity index 98% rename from docs/development/flavor-specific-dev.md rename to docs/reference/UDS Core/flavor-specific-development-notes.md index 8928a949d..7a576c5b8 100644 --- a/docs/development/flavor-specific-dev.md +++ b/docs/reference/UDS Core/flavor-specific-development-notes.md @@ -1,7 +1,5 @@ --- title: Flavor Specific Development Notes -type: docs -weight: 5 --- Specific flavors of UDS Core have access and architecture restrictions when used for development work. The `upstream` flavor is generally recommended for development as it does not have any restrictions or requirements. diff --git a/docs/_index.md b/docs/reference/UDS Core/overview.md old mode 100755 new mode 100644 similarity index 96% rename from docs/_index.md rename to docs/reference/UDS Core/overview.md index 3d7fb94d4..94c3fa810 --- a/docs/_index.md +++ b/docs/reference/UDS Core/overview.md @@ -1,10 +1,7 @@ --- -title: UDS Core -linkTitle: UDS Core -type: docs -menu: - main: - weight: 30 +title: Overview +sidebar: + order: 1 --- ## What is UDS Core? diff --git a/docs/deployment/prerequisites.md b/docs/reference/UDS Core/prerequisites.md similarity index 99% rename from docs/deployment/prerequisites.md rename to docs/reference/UDS Core/prerequisites.md index ddc8e038e..24a678f58 100644 --- a/docs/deployment/prerequisites.md +++ b/docs/reference/UDS Core/prerequisites.md @@ -1,11 +1,7 @@ --- title: UDS Core Prerequisites -type: docs -weight: 4 --- -## UDS Core Prerequisites - `UDS Core` can run in any [CNCF conformant Kubernetes distribution](https://www.cncf.io/training/certification/software-conformance/), but sometimes customizations are needed based on environments. This is an attempt to document and link to relevant information to aid in setting up your Kubernetes environment and hosts to ensure a successful `UDS Core` installation. ### Cluster Requirements diff --git a/docs/configuration/istio/ingress.md b/docs/reference/configuration/ingress.md similarity index 98% rename from docs/configuration/istio/ingress.md rename to docs/reference/configuration/ingress.md index e94cceec5..38b1e16ea 100644 --- a/docs/configuration/istio/ingress.md +++ b/docs/reference/configuration/ingress.md @@ -1,7 +1,5 @@ --- -title: Configuring Istio Ingress -type: docs -weight: 1 +title: Istio Ingress --- UDS Core leverages Istio for ingress into the service mesh. This document provides an overview and examples of the Istio resources that UDS Core deploys to handle ingress. @@ -46,7 +44,7 @@ metadata: name: core-with-cert-override description: A UDS example bundle for packaging UDS core with a custom TLS certificate version: "0.0.1" - + packages: - name: core repository: oci://ghcr.io/defenseunicorns/packages/uds/core @@ -54,6 +52,9 @@ packages: overrides: istio-admin-gateway: uds-istio-config: + values: + - path: tls.supportTLSV1_2 + value: true # Add support for TLS 1.2 on this gateway, can be specified via variables if needed at deploy time variables: - name: ADMIN_TLS_CERT description: "The TLS cert for the admin gateway (must be base64 encoded)" @@ -63,9 +64,6 @@ packages: path: tls.key istio-tenant-gateway: uds-istio-config: - values: - - path: tls.supportTLSV1_2 - value: true # Add support for TLS 1.2 on this gateway, can be specified via variables if needed at deploy time variables: - name: TENANT_TLS_CERT description: "The TLS cert for the tenant gateway (must be base64 encoded)" @@ -84,7 +82,7 @@ shared: domain: yourawesomedomain.com # shared across all packages in a bundle # TLS Certs/Keys if not provided via environment variables -variables: +variables: core: admin_tls_cert: # base64 encoded admin cert here admin_tls_key: # base64 encoded admin key here @@ -92,6 +90,6 @@ variables: tenant_tls_key: # base64 encoded tenant key here ``` -{{% alert-note %}} +:::note If you are using Private PKI or self-signed certificates for your tenant certificates it is necessary to additionally configure `UDS_CA_CERT` with additional [trusted certificate authorities](https://uds.defenseunicorns.com/core/configuration/uds-operator/#trusted-certificate-authority). -{{% /alert-note %}} +::: diff --git a/docs/configuration/pepr-policies.md b/docs/reference/configuration/pepr-policies.md similarity index 99% rename from docs/configuration/pepr-policies.md rename to docs/reference/configuration/pepr-policies.md index fa05a3557..f2cf82b77 100644 --- a/docs/configuration/pepr-policies.md +++ b/docs/reference/configuration/pepr-policies.md @@ -1,7 +1,5 @@ --- title: Pepr Policies -type: docs -weight: 3 --- ## Common Pepr Policies for UDS Core diff --git a/docs/configuration/resource-configuration-and-ha.md b/docs/reference/configuration/resource-configuration-and-ha.md similarity index 99% rename from docs/configuration/resource-configuration-and-ha.md rename to docs/reference/configuration/resource-configuration-and-ha.md index 9680a6009..1993862c9 100644 --- a/docs/configuration/resource-configuration-and-ha.md +++ b/docs/reference/configuration/resource-configuration-and-ha.md @@ -1,7 +1,5 @@ --- title: Resource Configuration and High Availability -type: docs -weight: 3.5 --- Depending on your environment and the scale of your cluster, you might need to adjust UDS Core components for high availability or to optimize resources. Below are common areas where resource overrides can be useful when deploying UDS Core. diff --git a/docs/configuration/uds-configure-policy-exemptions.md b/docs/reference/configuration/uds-configure-policy-exemptions.md similarity index 98% rename from docs/configuration/uds-configure-policy-exemptions.md rename to docs/reference/configuration/uds-configure-policy-exemptions.md index 2e405cbc1..c68b35b1e 100644 --- a/docs/configuration/uds-configure-policy-exemptions.md +++ b/docs/reference/configuration/uds-configure-policy-exemptions.md @@ -1,7 +1,5 @@ --- title: Configuring Policy Exemptions -type: docs -weight: 4 --- By default policy exemptions ([UDSExemptions](https://github.com/defenseunicorns/uds-core/blob/uds-docs/src/pepr/operator/crd/generated/exemption-v1alpha1.ts)) are only allowed in a single namespace -- `uds-policy-exemptions`. We recognize this is not a conventional pattern in K8s, but believe it is ideal for UDS for the following reasons: diff --git a/docs/configuration/uds-monitoring-metrics.md b/docs/reference/configuration/uds-monitoring-metrics.md similarity index 99% rename from docs/configuration/uds-monitoring-metrics.md rename to docs/reference/configuration/uds-monitoring-metrics.md index 909d5ad5f..c5ef0da68 100644 --- a/docs/configuration/uds-monitoring-metrics.md +++ b/docs/reference/configuration/uds-monitoring-metrics.md @@ -1,7 +1,5 @@ --- title: Monitoring and Metrics -type: docs -weight: 1 --- UDS Core leverages Pepr to handle setup of Prometheus scraping metrics endpoints, with the particular configuration necessary to work in a STRICT mTLS (Istio) environment. We handle this via a default scrapeClass in prometheus to add the istio certs. When a monitor needs to be exempt from that tlsConfig a mutation is performed to leverage a plain scrape class without istio certs. @@ -14,9 +12,9 @@ Generally it is beneficial to use service and pod monitor resources from existin 1. Individual monitors can explicitly set the `exempt` scrape class to opt out of the Istio certificate configuration. This should typically only be done if your service exposes metrics on a PERMISSIVE mTLS port. 1. If setting a `scrapeClass` is not an option due to lack of configuration in a helm chart, or for other reasons, monitors can use the `uds/skip-mutate` annotation (with any value) to have Pepr mutate the `exempt` scrape class onto the monitor. -{{% alert-note %}} +:::note There is a deprecated functionality in Pepr that will mutate `tlsConfig` onto individual service monitors, rather than using the scrape class approach. This has been kept in the current code temporarily to prevent any metrics downtime during the switch to `scrapeClass`. In a future release this behavior will be removed to reduce the complexity of the setup and required mutations. -{{% /alert-note %}} +::: ## Package CR `monitor` field diff --git a/docs/configuration/uds-operator.md b/docs/reference/configuration/uds-operator.md similarity index 99% rename from docs/configuration/uds-operator.md rename to docs/reference/configuration/uds-operator.md index 29271d0d5..927af5cef 100644 --- a/docs/configuration/uds-operator.md +++ b/docs/reference/configuration/uds-operator.md @@ -1,7 +1,5 @@ --- title: UDS Operator -type: docs -weight: 2 --- The UDS Operator plays a pivotal role in managing the lifecycle of UDS Package Custom Resources (CRs) along with their associated resources like NetworkPolicies and Istio VirtualServices. Leveraging [Pepr](https://github.com/defenseunicorns/pepr), the operator binds watch operations to the enqueue and reconciler, taking on several key responsibilities for UDS Packages and exemptions: @@ -163,9 +161,9 @@ spec: app: httpbin ``` -{{% alert-note %}} +:::note The UDS Operator uses the first `redirectUris` to populate the `match.prefix` hostname and `callback_uri` in the authservice chain. -{{% /alert-note %}} +::: For a complete example, see [app-authservice-tenant.yaml](https://github.com/defenseunicorns/uds-core/blob/main/src/test/app-authservice-tenant.yaml) diff --git a/docs/configuration/uds-user-groups.md b/docs/reference/configuration/uds-user-groups.md similarity index 97% rename from docs/configuration/uds-user-groups.md rename to docs/reference/configuration/uds-user-groups.md index a654e551a..bcce50fdd 100644 --- a/docs/configuration/uds-user-groups.md +++ b/docs/reference/configuration/uds-user-groups.md @@ -1,7 +1,5 @@ --- title: User Groups -type: docs -weight: 5 --- UDS Core deploys Keycloak which has some preconfigured groups that applications inherit from SSO and IDP configurations. @@ -30,9 +28,9 @@ Neuvector [maps the groups](https://github.com/defenseunicorns/uds-core/blob/mai ## Keycloak -{{% alert-note %}} +:::note All groups are under the Uds Core parent group. Frequently a group will be referred to as Uds Core/Admin or Uds Core/Auditor. In the Keycloak UI this requires an additional click to get down to the sub groups. -{{% /alert-note %}} +::: ### Identity Providers ( IDP ) diff --git a/docs/deployment/flavors.md b/docs/reference/deployment/flavors.md similarity index 94% rename from docs/deployment/flavors.md rename to docs/reference/deployment/flavors.md index 680a2872e..26349aa16 100644 --- a/docs/deployment/flavors.md +++ b/docs/reference/deployment/flavors.md @@ -1,14 +1,12 @@ --- title: Published Flavors -type: docs -weight: 2 --- UDS Core is published with multiple variations (Zarf flavors). Each flavor uses a separate source registry for the images. Each flavor is used as the suffix on the OCI tags for packages. For production use cases we recommend the `registry1` or `unicorn` flavors as these images tend to be more secure than their `upstream` counterparts. -{{% alert-note %}} +:::note Demo and dev bundles (`k3d-core-demo` and `k3d-core-slim-dev`) are only published from the upstream flavor. -{{% /alert-note %}} +::: ### Flavors @@ -18,6 +16,6 @@ Demo and dev bundles (`k3d-core-demo` and `k3d-core-slim-dev`) are only publishe | `upstream` | `ghcr.io/defenseunicorns/packages/uds` | Various sources, typically DockerHub/GHCR/Quay, these are the default images used by helm charts | | **ALPHA** `unicorn` | `ghcr.io/defenseunicorns/packages/private/uds` | Industry best images designed with security and minimalism in mind | -{{% alert-note %}} +:::note The `unicorn` flavored packages are only available in a private repository. These packages are available for all members of the Defense Unicorns organization/company, if you are outside the organization [contact us](https://www.defenseunicorns.com/contactus) if you are interested in using this flavor for your mission. -{{% /alert-note %}} +::: From 22c6ae4fed581a0bfac37c3a441aab2e4f9eabf3 Mon Sep 17 00:00:00 2001 From: Micah Nagel Date: Fri, 11 Oct 2024 14:24:41 -0600 Subject: [PATCH 63/90] chore: handle upgrade path for functional layers, add doc for usage (#896) ## Description Changes included: 1. Functional layers upgrade was not successful when I tested initially. There were ownership issues with the `manifests` we use for istio. To resolve that problem I moved the manifests into a chart and added an action to update the ownership before the upgrade. I also removed the pepr action that we have had for several releases since it was needed as a one-time upgrade step (similar to this one). 2. Added a lightweight doc on the usage of functional layers with a very brief explanation and warning as well as a full example of a bundle pulling in the layers. 3. A few misc link fixes and other things to follow the astro docs switch. ## Related Issue Fixes https://github.com/defenseunicorns/uds-core/issues/868 Fixes https://github.com/defenseunicorns/uds-core/issues/900 ## Type of change - [x] Bug fix (non-breaking change which fixes an issue) - [ ] New feature (non-breaking change which adds functionality) - [x] Other (security config, docs update, etc) ## Checklist before merging - [x] Test, docs, adr added or updated as needed - [x] [Contributor Guide](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md) followed --------- Co-authored-by: Noah <40781376+noahpb@users.noreply.github.com> --- README.md | 2 +- docs/reference/UDS Core/dns.md | 17 +++---- docs/reference/UDS Core/functional-layers.md | 51 +++++++++++++++++++ docs/reference/UDS Core/prerequisites.md | 4 +- docs/reference/configuration/ingress.md | 6 +-- docs/reference/configuration/uds-operator.md | 2 +- src/istio/common/chart/.helmignore | 23 +++++++++ src/istio/common/chart/Chart.yaml | 19 +++++++ .../templates}/envoy-filters.yaml | 0 .../templates}/peer-authentication.yaml | 0 .../templates}/pepr-istio-config.yaml | 0 src/istio/common/chart/values.yaml | 1 + src/istio/common/zarf.yaml | 17 +++++-- src/pepr/zarf.yaml | 20 -------- 14 files changed, 122 insertions(+), 40 deletions(-) create mode 100644 docs/reference/UDS Core/functional-layers.md create mode 100644 src/istio/common/chart/.helmignore create mode 100644 src/istio/common/chart/Chart.yaml rename src/istio/common/{manifests => chart/templates}/envoy-filters.yaml (100%) rename src/istio/common/{manifests => chart/templates}/peer-authentication.yaml (100%) rename src/istio/common/{manifests => chart/templates}/pepr-istio-config.yaml (100%) create mode 100644 src/istio/common/chart/values.yaml diff --git a/README.md b/README.md index c8205e9ce..506d7ab71 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ # Unicorn Delivery Service - Core (UDS Core) -## [UDS Core Docs](https://uds.defenseunicorns.com/core/) +## [UDS Core Overview](https://uds.defenseunicorns.com/reference/uds-core/overview/) UDS Core establishes a secure baseline for cloud-native systems and ships with compliance documentation and first-class support for airgap/egress-limited systems. Based on the work of [Platform One](https://p1.dso.mil), UDS Core expands on the security posture of [Big Bang](https://repo1.dso.mil/big-bang/bigbang) while providing advanced automation with the [UDS Operator](./src/pepr/operator/README.md) and [UDS Policy Engine](./src/pepr/policies/README.md). UDS Core is a collection of several individual applications combined into a single [Zarf](https://zarf.dev) package and we recommend using [UDS CLI](https://github.com/defenseunicorns/uds-cli?tab=readme-ov-file#install) to deploy it as a [UDS Bundle](#using-uds-core-in-production). diff --git a/docs/reference/UDS Core/dns.md b/docs/reference/UDS Core/dns.md index b1dcef9bc..9d493e6bd 100644 --- a/docs/reference/UDS Core/dns.md +++ b/docs/reference/UDS Core/dns.md @@ -1,24 +1,23 @@ --- title: DNS Configuration -type: docs -weight: 2 --- -UDS Core deploys two Gateways by default - a Tenant Gateway for end-user applications and an Admin Gateway for administrative applications. You can read more about Istio configuration in UDS Core [here](https://uds.defenseunicorns.com/core/configuration/istio/ingress/). This section covers how to configure DNS for these Gateways. +UDS Core deploys two Gateways by default - a Tenant Gateway for end-user applications and an Admin Gateway for administrative applications. You can read more about Istio configuration in UDS Core [here](https://uds.defenseunicorns.com/reference/configuration/ingress/). This section covers how to configure DNS for these Gateways. ### Domain Configuration Each Gateway is associated to a wildcard DNS entry that is derived from the `DOMAIN` [variable](https://github.com/defenseunicorns/uds-core/blob/e624d73f79bd6739b6808fbdbf5ca75ebb7c1d3c/src/istio/zarf.yaml#L8) in the UDS Core Istio package. When deploying UDS Core, you can expect two Gateways to be created that match the following domain names: - `*.` / Tenant Gateway - `*.admin.` / Admin Gateway -{{% alert-note %}} -The default value for `DOMAIN` is `uds.dev`, which is intended for development purposes only. For non-development purposes, you should override this value by specifying a value for `domain` in your `uds-config.yaml`. You can find instructions on how to do so [here](https://uds.defenseunicorns.com/core/configuration/istio/ingress/#configure-domain-name-and-tls-for-istio-gateways). -{{% /alert-note %}} +:::note +The default value for `DOMAIN` is `uds.dev`, which is intended for development purposes only. For non-development purposes, you should override this value by specifying a value for `domain` in your `uds-config.yaml`. You can find instructions on how to do so [here](https://uds.defenseunicorns.com/reference/configuration/ingress/#configure-domain-name-and-tls-for-istio-gateways). +::: ### Bundle Configuration -{{% alert-note %}} + +:::note UDS Core does not include any cloud provider specific configuration by default. Additional overrides are required to deploy UDS Core on a given provider. This section will refer to AWS, but values can be substituted as needed for other providers. -{{% /alert-note %}} +::: The Admin and Tenant Gateways will be each be bound to an external Load Balancer that is exposed on TCP ports 80 and 443 by default. The Admin Gateway should be configured to use an internal facing Load Balancer and the Tenant Gateway should be configured to use an external facing Load Balancer. Below is an example of overrides that would accomplish this: ```yaml @@ -71,4 +70,4 @@ istio-admin-gateway admin-ingressgateway Loa istio-tenant-gateway tenant-ingressgateway LoadBalancer 10.43.47.182 k8s-istioten-tenant...elb.us-east-1.amazonaws.com 15021:31222/TCP,80:30456/TCP,443:32508/TCP 1h ``` -From here, you can register your domain and/or create DNS records for your environment that point to the appropriate Gateways/Load Balancers. Refer to your DNS provider's documentation. \ No newline at end of file +From here, you can register your domain and/or create DNS records for your environment that point to the appropriate Gateways/Load Balancers. Refer to your DNS provider's documentation. diff --git a/docs/reference/UDS Core/functional-layers.md b/docs/reference/UDS Core/functional-layers.md new file mode 100644 index 000000000..7ba6a8f3a --- /dev/null +++ b/docs/reference/UDS Core/functional-layers.md @@ -0,0 +1,51 @@ +--- +title: Functional Layers +--- + +## Background + +Context on the inclusion of "functional layers" can be viewed in our [ADR](https://github.com/defenseunicorns/uds-core/blob/main/docs/adrs/0002-uds-core-functional-layers.md). In short, UDS Core publishes smaller Zarf packages that contain subsets of core's capabilities, grouped by their function (such as monitoring, logging, backup/restore, etc) to allow more flexibility in deployment. This helps to support resource constrained environments (edge deployments) and other situations where an environment has different needs than the default core stack. + +Each layer is published as an individual OCI Zarf package. Package sources can be viewed under the [`packages` directory](https://github.com/defenseunicorns/uds-core/tree/main/packages), with each folder containing a readme detailing the contents and any dependencies. All layers assume the requirement of the base layer which provides Istio, the UDS Operator, and UDS Policy Engine. + +:::caution +By removing pieces of core from your deployment you may affect your security and compliance posture as well as reduce functionality of the stack. Deploying core using these layers should be the exception in most cases and only done after carefully weighing needs for your environment. +::: + +## Example Usage + +Functional layers are designed to be combined into a UDS bundle for deployment. The example below shows all layers in the correct order. Keep in mind that 'base' must always be the first layer, and any other layers should follow based on their dependency order. When building your bundle, you can skip layers that don't fit your deployment needs and apply overrides to individual layers as needed. Ensure all layers are using the same version for compatibility. + +```yaml +kind: UDSBundle +metadata: + name: functional-layer-core-bundle + description: An example bundle for deploying all of core using functional layers + version: "0.1.0" + +packages: + - name: core-base + repository: ghcr.io/defenseunicorns/packages/uds/core-base + ref: 0.29.0-upstream + - name: core-identity-authorization + repository: ghcr.io/defenseunicorns/packages/uds/core-identity-authorization + ref: 0.29.0-upstream + - name: core-metrics-server + repository: ghcr.io/defenseunicorns/packages/uds/core-metrics-server + ref: 0.29.0-upstream + - name: core-runtime-security + repository: ghcr.io/defenseunicorns/packages/uds/core-runtime-security + ref: 0.29.0-upstream + - name: core-logging + repository: ghcr.io/defenseunicorns/packages/uds/core-logging + ref: 0.29.0-upstream + - name: core-monitoring + repository: ghcr.io/defenseunicorns/packages/uds/core-monitoring + ref: 0.29.0-upstream + - name: core-ui + repository: ghcr.io/defenseunicorns/packages/uds/core-ui + ref: 0.29.0-upstream + - name: core-backup-restore + repository: ghcr.io/defenseunicorns/packages/uds/core-backup-restore + ref: 0.29.0-upstream +``` diff --git a/docs/reference/UDS Core/prerequisites.md b/docs/reference/UDS Core/prerequisites.md index 24a678f58..14d8b7fcf 100644 --- a/docs/reference/UDS Core/prerequisites.md +++ b/docs/reference/UDS Core/prerequisites.md @@ -1,5 +1,7 @@ --- -title: UDS Core Prerequisites +title: Prerequisites +sidebar: + order: 2 --- `UDS Core` can run in any [CNCF conformant Kubernetes distribution](https://www.cncf.io/training/certification/software-conformance/), but sometimes customizations are needed based on environments. This is an attempt to document and link to relevant information to aid in setting up your Kubernetes environment and hosts to ensure a successful `UDS Core` installation. diff --git a/docs/reference/configuration/ingress.md b/docs/reference/configuration/ingress.md index 38b1e16ea..5015bc928 100644 --- a/docs/reference/configuration/ingress.md +++ b/docs/reference/configuration/ingress.md @@ -36,7 +36,7 @@ packages: By default, the UDS Core Istio Gateways are set up to use the `uds.dev` domain and have a valid TLS certificate packaged. You will want to change the domain name for your environment and provide a valid TLS certificate for this domain. -You can set the TLS certs via overrides in a [UDS Bundle](https://uds.defenseunicorns.com/bundles/) (see below). UDS Core Istio Gateways default to only supporting TLS v1.3, but this can also be overridden per gateway if clients use TLS 1.2 (as seen in the tenant gateway example `value` below). +You can set the TLS certs via overrides in a [UDS Bundle](https://uds.defenseunicorns.com/structure/bundles/) (see below). UDS Core Istio Gateways default to only supporting TLS v1.3, but this can also be overridden per gateway if clients use TLS 1.2 (as seen in the tenant gateway example `value` below). ```yaml kind: UDSBundle @@ -75,7 +75,7 @@ packages: You can then either use environment variables (`UDS_ADMIN_TLS_CERT`, `UDS_ADMIN_TLS_KEY`, `UDS_TENANT_TLS_CERT`, and `UDS_TENANT_TLS_KEY`) or a config file to configure the certs for each gateway. These values should be base64 encoded strings of the TLS certificate and key for the admin and tenant gateways respectively. -Domain should be set via your [uds-config](https://uds.defenseunicorns.com/cli/quickstart-and-usage/#variables-and-configuration) file using the shared key to override the Zarf Domain Variable (see example `uds-config.yaml` below). +Domain should be set via your [uds-config](https://uds.defenseunicorns.com/reference/cli/quickstart-and-usage/#variables-and-configuration) file using the shared key to override the Zarf Domain Variable (see example `uds-config.yaml` below). ```yaml shared: @@ -91,5 +91,5 @@ variables: ``` :::note -If you are using Private PKI or self-signed certificates for your tenant certificates it is necessary to additionally configure `UDS_CA_CERT` with additional [trusted certificate authorities](https://uds.defenseunicorns.com/core/configuration/uds-operator/#trusted-certificate-authority). +If you are using Private PKI or self-signed certificates for your tenant certificates it is necessary to additionally configure `UDS_CA_CERT` with additional [trusted certificate authorities](https://uds.defenseunicorns.com/reference/configuration/uds-operator/#trusted-certificate-authority). ::: diff --git a/docs/reference/configuration/uds-operator.md b/docs/reference/configuration/uds-operator.md index 927af5cef..5593a91ee 100644 --- a/docs/reference/configuration/uds-operator.md +++ b/docs/reference/configuration/uds-operator.md @@ -181,7 +181,7 @@ variables: CA_CERT: ``` -See [configuring Istio Ingress](https://uds.defenseunicorns.com/core/configuration/istio/ingress/#configure-domain-name-and-tls-for-istio-gateways) for the relevant documentation on configuring ingress certificates. +See [configuring Istio Ingress](https://uds.defenseunicorns.com/reference/configuration/ingress/#configure-domain-name-and-tls-for-istio-gateways) for the relevant documentation on configuring ingress certificates. ### Creating a UDS Package with a Device Flow client diff --git a/src/istio/common/chart/.helmignore b/src/istio/common/chart/.helmignore new file mode 100644 index 000000000..0e8a0eb36 --- /dev/null +++ b/src/istio/common/chart/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/src/istio/common/chart/Chart.yaml b/src/istio/common/chart/Chart.yaml new file mode 100644 index 000000000..2936bb951 --- /dev/null +++ b/src/istio/common/chart/Chart.yaml @@ -0,0 +1,19 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +apiVersion: v2 +name: uds-global-istio-config +description: Global Istio configuration for UDS + +# A chart can be either an 'application' or a 'library' chart. +# +# Application charts are a collection of templates that can be packaged into versioned archives +# to be deployed. +# +# Library charts provide useful utilities or functions for the chart developer. They're included as +# a dependency of application charts to inject those utilities and functions into the rendering +# pipeline. Library charts do not define any templates and therefore cannot be deployed. +type: application + +# This is the chart version. This version number should be incremented each time you make changes +# to the chart and its templates, including the app version. +# Versions are expected to follow Semantic Versioning (https://semver.org/) +version: 0.1.0 diff --git a/src/istio/common/manifests/envoy-filters.yaml b/src/istio/common/chart/templates/envoy-filters.yaml similarity index 100% rename from src/istio/common/manifests/envoy-filters.yaml rename to src/istio/common/chart/templates/envoy-filters.yaml diff --git a/src/istio/common/manifests/peer-authentication.yaml b/src/istio/common/chart/templates/peer-authentication.yaml similarity index 100% rename from src/istio/common/manifests/peer-authentication.yaml rename to src/istio/common/chart/templates/peer-authentication.yaml diff --git a/src/istio/common/manifests/pepr-istio-config.yaml b/src/istio/common/chart/templates/pepr-istio-config.yaml similarity index 100% rename from src/istio/common/manifests/pepr-istio-config.yaml rename to src/istio/common/chart/templates/pepr-istio-config.yaml diff --git a/src/istio/common/chart/values.yaml b/src/istio/common/chart/values.yaml new file mode 100644 index 000000000..c56503481 --- /dev/null +++ b/src/istio/common/chart/values.yaml @@ -0,0 +1 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial diff --git a/src/istio/common/zarf.yaml b/src/istio/common/zarf.yaml index 0c7ae9279..0107b58ad 100644 --- a/src/istio/common/zarf.yaml +++ b/src/istio/common/zarf.yaml @@ -19,15 +19,22 @@ components: namespace: istio-system valuesFiles: - "../values/values.yaml" - manifests: - name: uds-global-istio-config namespace: istio-system - files: - - "manifests/envoy-filters.yaml" - - "manifests/peer-authentication.yaml" - - "manifests/pepr-istio-config.yaml" + version: 0.1.0 + localPath: chart actions: onDeploy: + before: + - description: "Fix helm ownership if necessary for clean helm upgrade" + mute: true + cmd: | + ./zarf tools kubectl annotate EnvoyFilter misdirected-request -n istio-system meta.helm.sh/release-name=uds-global-istio-config --overwrite || true + ./zarf tools kubectl annotate EnvoyFilter remove-server-header -n istio-system meta.helm.sh/release-name=uds-global-istio-config --overwrite || true + ./zarf tools kubectl annotate PeerAuthentication default-istio-system -n istio-system meta.helm.sh/release-name=uds-global-istio-config --overwrite || true + ./zarf tools kubectl annotate PeerAuthentication permissive-pepr-webhook -n pepr-system meta.helm.sh/release-name=uds-global-istio-config --overwrite || true + ./zarf tools kubectl annotate PeerAuthentication permissive-pepr-webhook-watcher -n pepr-system meta.helm.sh/release-name=uds-global-istio-config --overwrite || true after: - description: "Ensure istio-injection is enabled for Pepr" + mute: true cmd: "./zarf tools kubectl label namespace pepr-system istio-injection=enabled --overwrite" diff --git a/src/pepr/zarf.yaml b/src/pepr/zarf.yaml index ea1a8925b..2f7e22ba6 100644 --- a/src/pepr/zarf.yaml +++ b/src/pepr/zarf.yaml @@ -46,23 +46,3 @@ components: - name: module valuesFiles: - values.yaml - actions: - onDeploy: - before: - - mute: true - description: "Update helm ownership for Pepr resources if necessary during the upgrade" - cmd: | - ./zarf tools kubectl annotate secret -n pepr-system pepr-uds-core-api-token meta.helm.sh/release-name=module --overwrite || true - ./zarf tools kubectl annotate secret -n pepr-system pepr-uds-core-module meta.helm.sh/release-name=module --overwrite || true - ./zarf tools kubectl annotate secret -n pepr-system pepr-uds-core-tls meta.helm.sh/release-name=module --overwrite || true - ./zarf tools kubectl annotate serviceaccount -n pepr-system pepr-uds-core meta.helm.sh/release-name=module --overwrite || true - ./zarf tools kubectl annotate clusterrolebinding pepr-uds-core meta.helm.sh/release-name=module --overwrite || true - ./zarf tools kubectl annotate clusterrole pepr-uds-core meta.helm.sh/release-name=module --overwrite || true - ./zarf tools kubectl annotate role -n pepr-system pepr-uds-core-store meta.helm.sh/release-name=module --overwrite || true - ./zarf tools kubectl annotate rolebinding -n pepr-system pepr-uds-core-store meta.helm.sh/release-name=module --overwrite || true - ./zarf tools kubectl annotate service -n pepr-system pepr-uds-core meta.helm.sh/release-name=module --overwrite || true - ./zarf tools kubectl annotate service -n pepr-system pepr-uds-core-watcher meta.helm.sh/release-name=module --overwrite || true - ./zarf tools kubectl annotate deployment -n pepr-system pepr-uds-core meta.helm.sh/release-name=module --overwrite || true - ./zarf tools kubectl annotate deployment -n pepr-system pepr-uds-core-watcher meta.helm.sh/release-name=module --overwrite || true - ./zarf tools kubectl annotate mutatingwebhookconfiguration -n pepr-system pepr-uds-core meta.helm.sh/release-name=module --overwrite || true - ./zarf tools kubectl annotate validatingwebhookconfiguration -n pepr-system pepr-uds-core meta.helm.sh/release-name=module --overwrite || true From a7bbb7eb1db3194f1441767cd28f36bd8cce69e3 Mon Sep 17 00:00:00 2001 From: Chance <139784371+UnicornChance@users.noreply.github.com> Date: Fri, 11 Oct 2024 15:20:14 -0600 Subject: [PATCH 64/90] chore: fix license header references (#901) ## Description Need to update our license to correspond with AGPL and Commercial specific things. ### This is a massive PR, to save time my changes include: * Finding and replacing this: ``` # SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial ``` for this: ``` # Copyright 2024 Defense Unicorns # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial ``` * Same process for changing this: ``` // SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial ``` to this: ``` // Copyright 2024 Defense Unicorns // SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial ``` * Update the specific `Licensing.md` file to be the same as uds-common's file. * Update Codeowners file to capture both licensing files names as well as update codespell to allow that spelling of license. * Then going through each unchanged file and adding the respective license header. The only files that i didn't add the header to were `.md` and `.json` files. * There was also a small change to the pre-commit linting because it was confused and actually broken. ## Type of change - [ ] Bug fix (non-breaking change which fixes an issue) - [ ] New feature (non-breaking change which adds functionality) - [x] Other (security config, docs update, etc) ## Checklist before merging - [x] Test, docs, adr added or updated as needed - [x] [Contributor Guide](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md) followed --------- Co-authored-by: Paul Di Pietro Co-authored-by: Micah Nagel Co-authored-by: Noah <40781376+noahpb@users.noreply.github.com> --- .codespellrc | 2 +- .github/actions/debug-output/action.yaml | 4 ++- .github/actions/lint-check/action.yaml | 4 ++- .github/actions/notify-lula/action.yaml | 4 ++- .github/actions/save-logs/action.yaml | 4 ++- .github/actions/setup/action.yaml | 4 ++- .github/bundles/eks/uds-bundle.yaml | 4 ++- .github/bundles/eks/uds-config.yaml | 4 ++- .github/bundles/rke2/uds-bundle.yaml | 4 ++- .github/bundles/rke2/uds-config.yaml | 4 ++- .github/filters.yaml | 4 ++- .github/test-infra/aws/eks/loki.tf | 3 ++ .github/test-infra/aws/eks/main.tf | 3 ++ .github/test-infra/aws/eks/outputs.tf | 3 ++ .github/test-infra/aws/eks/rds.tf | 3 ++ .github/test-infra/aws/eks/variables.tf | 3 ++ .github/test-infra/aws/eks/velero.tf | 3 ++ .github/test-infra/aws/eks/versions.tf | 3 ++ .github/test-infra/aws/rke2/data.tf | 3 ++ .github/test-infra/aws/rke2/iam.tf | 3 ++ .github/test-infra/aws/rke2/irsa.tf | 3 ++ .github/test-infra/aws/rke2/main.tf | 3 ++ .github/test-infra/aws/rke2/metallb.yaml | 4 ++- .../aws/rke2/modules/statestore/main.tf | 3 ++ .../aws/rke2/modules/statestore/outputs.tf | 3 ++ .../aws/rke2/modules/statestore/variables.tf | 3 ++ .../aws/rke2/modules/storage/irsa/data.tf | 3 ++ .../aws/rke2/modules/storage/irsa/main.tf | 3 ++ .../aws/rke2/modules/storage/irsa/outputs.tf | 3 ++ .../rke2/modules/storage/irsa/variables.tf | 3 ++ .../aws/rke2/modules/storage/main.tf | 3 ++ .../aws/rke2/modules/storage/outputs.tf | 3 ++ .../aws/rke2/modules/storage/variables.tf | 3 ++ .../aws/rke2/modules/storage/versions.tf | 3 ++ .github/test-infra/aws/rke2/outputs.tf | 3 ++ .../aws/rke2/scripts/get-kubeconfig.sh | 4 +++ .github/test-infra/aws/rke2/scripts/key_id.sh | 5 ++++ .../aws/rke2/scripts/key_modulus.sh | 5 ++++ .../test-infra/aws/rke2/scripts/user_data.sh | 4 +++ .github/test-infra/aws/rke2/storage.tf | 3 ++ .github/test-infra/aws/rke2/variables.tf | 2 ++ .github/test-infra/aws/rke2/versions.tf | 3 ++ .github/workflows/commitlint.yaml | 4 ++- .github/workflows/compliance.yaml | 4 ++- .github/workflows/docs-shim.yaml | 4 ++- .github/workflows/lint-oscal.yaml | 4 ++- .github/workflows/nightly-testing.yaml | 4 ++- .github/workflows/publish.yaml | 4 ++- .../workflows/pull-request-conditionals.yaml | 4 ++- .github/workflows/slim-dev-test.yaml | 4 ++- .github/workflows/snapshot-release.yaml | 4 ++- .github/workflows/tag-and-release.yaml | 4 ++- .github/workflows/test-eks.yaml | 4 ++- .github/workflows/test-rke2.yaml | 4 ++- .github/workflows/test-shim.yaml | 4 ++- .github/workflows/test.yaml | 4 ++- .gitignore | 2 +- .husky/pre-commit | 29 +++++++++++++++++-- .lintstagedrc.json | 5 +--- .yamllint | 4 +-- CODEOWNERS | 3 +- LICENSING.md | 10 +++---- bundles/k3d-slim-dev/uds-bundle.yaml | 4 ++- bundles/k3d-standard/uds-bundle.yaml | 4 ++- bundles/k3d-standard/uds-ha-config.yaml | 4 ++- commitlint.config.js | 5 ++++ compliance/oscal-assessment-results.yaml | 4 ++- compliance/oscal-component.yaml | 4 ++- jest.setup.js | 5 ++++ jest.teardown.js | 5 ++++ packages/backup-restore/tasks.yaml | 4 ++- packages/backup-restore/zarf.yaml | 4 ++- packages/base/tasks.yaml | 4 ++- packages/base/zarf.yaml | 4 ++- packages/identity-authorization/tasks.yaml | 4 ++- packages/identity-authorization/zarf.yaml | 4 ++- packages/logging/tasks.yaml | 4 ++- packages/logging/zarf.yaml | 4 ++- packages/metrics-server/tasks.yaml | 4 ++- packages/metrics-server/zarf.yaml | 4 ++- packages/monitoring/tasks.yaml | 4 ++- packages/monitoring/zarf.yaml | 4 ++- packages/runtime-security/tasks.yaml | 4 ++- packages/runtime-security/zarf.yaml | 4 ++- packages/standard/zarf.yaml | 4 ++- packages/ui/tasks.yaml | 4 ++- packages/ui/zarf.yaml | 4 ++- pepr.ts | 6 +++- src/authservice/chart/Chart.yaml | 4 ++- .../chart/templates/deployment.yaml | 4 ++- src/authservice/chart/templates/hpa.yaml | 4 ++- src/authservice/chart/templates/service.yaml | 4 ++- .../chart/templates/uds-package.yaml | 4 ++- src/authservice/chart/values.yaml | 4 ++- src/authservice/common/zarf.yaml | 4 ++- src/authservice/tasks.yaml | 4 ++- src/authservice/values/registry1-values.yaml | 4 ++- src/authservice/values/unicorn-values.yaml | 4 ++- src/authservice/values/upstream-values.yaml | 4 ++- src/authservice/zarf.yaml | 4 ++- src/grafana/chart/Chart.yaml | 4 ++- src/grafana/chart/templates/datasources.yaml | 4 ++- .../chart/templates/secret-postgres.yaml | 4 ++- src/grafana/chart/templates/uds-package.yaml | 4 ++- src/grafana/chart/values.yaml | 4 ++- src/grafana/common/zarf.yaml | 4 ++- src/grafana/oscal-component.yaml | 4 ++- src/grafana/tasks.yaml | 4 ++- src/grafana/values/registry1-values.yaml | 4 ++- src/grafana/values/unicorn-values.yaml | 4 ++- src/grafana/values/upstream-values.yaml | 4 ++- src/grafana/values/values.yaml | 4 ++- src/grafana/zarf.yaml | 4 ++- src/istio/chart/Chart.yaml | 4 ++- src/istio/chart/templates/gateway.yaml | 4 ++- src/istio/chart/templates/tls-cert.yaml | 4 ++- src/istio/chart/values.yaml | 4 ++- .../common/chart/templates/envoy-filters.yaml | 4 ++- .../chart/templates/peer-authentication.yaml | 4 ++- .../chart/templates/pepr-istio-config.yaml | 4 ++- src/istio/common/zarf.yaml | 4 ++- src/istio/oscal-component.yaml | 4 ++- src/istio/tasks.yaml | 4 ++- src/istio/values/config-admin.yaml | 4 ++- src/istio/values/config-passthrough.yaml | 4 ++- src/istio/values/config-tenant.yaml | 4 ++- src/istio/values/registry1-values.yaml | 4 ++- src/istio/values/unicorn-values.yaml | 4 ++- src/istio/values/upstream-values.yaml | 4 ++- src/istio/values/values.yaml | 4 ++- src/istio/zarf.yaml | 4 ++- src/keycloak/chart/Chart.yaml | 4 ++- .../chart/templates/destination-rule.yaml | 4 ++- src/keycloak/chart/templates/hpa.yaml | 4 ++- src/keycloak/chart/templates/istio-admin.yaml | 4 ++- .../chart/templates/istio-peer-auth.yaml | 4 ++- .../chart/templates/poddisruptionbudget.yaml | 4 ++- .../chart/templates/prometheusrule.yaml | 4 ++- src/keycloak/chart/templates/pvc.yaml | 4 ++- .../templates/secret-admin-password.yaml | 4 ++- .../chart/templates/secret-kc-realm.yaml | 4 ++- .../chart/templates/secret-postgresql.yaml | 4 ++- .../chart/templates/service-headless.yaml | 4 ++- .../chart/templates/service-http.yaml | 4 ++- .../chart/templates/servicemonitor.yaml | 4 ++- src/keycloak/chart/templates/statefulset.yaml | 4 ++- src/keycloak/chart/templates/uds-package.yaml | 4 ++- src/keycloak/chart/values.yaml | 4 ++- src/keycloak/common/zarf.yaml | 4 ++- src/keycloak/tasks.yaml | 4 ++- src/keycloak/values/registry1-values.yaml | 4 ++- src/keycloak/values/unicorn-values.yaml | 4 ++- src/keycloak/values/upstream-values.yaml | 4 ++- src/keycloak/zarf.yaml | 4 ++- src/kiali/tasks.yaml | 4 ++- src/kiali/zarf.yaml | 4 ++- src/loki/chart/Chart.yaml | 4 ++- src/loki/chart/templates/loki-dashboards.yaml | 4 ++- .../loki-simple-scalable.yaml | 4 ++- src/loki/chart/templates/service-dns.yaml | 4 ++- src/loki/chart/templates/uds-package.yaml | 4 ++- src/loki/chart/values.yaml | 4 ++- src/loki/common/zarf.yaml | 4 ++- src/loki/oscal-component.yaml | 4 ++- src/loki/tasks.yaml | 4 ++- src/loki/values/registry1-values.yaml | 4 ++- src/loki/values/unicorn-values.yaml | 4 ++- src/loki/values/upstream-values.yaml | 4 ++- src/loki/values/values.yaml | 4 ++- src/loki/zarf.yaml | 4 ++- src/metrics-server/chart/Chart.yaml | 4 ++- .../peerauthentication/metrics-api.yaml | 4 ++- .../chart/templates/service-monitor.yaml | 4 ++- .../chart/templates/uds-package.yaml | 4 ++- src/metrics-server/chart/values.yaml | 2 ++ src/metrics-server/common/zarf.yaml | 4 ++- src/metrics-server/tasks.yaml | 4 ++- .../values/registry1-values.yaml | 4 ++- src/metrics-server/values/unicorn-values.yaml | 4 ++- .../values/upstream-values.yaml | 4 ++- src/metrics-server/values/values.yaml | 4 ++- src/metrics-server/zarf.yaml | 4 ++- src/neuvector/chart/Chart.yaml | 4 ++- .../chart/templates/internal-cert.yaml | 4 ++- .../istio/headless-controller-service.yaml | 4 ++- .../istio/headless-enforcer-service.yaml | 4 ++- .../istio/headless-scanner-service.yaml | 4 ++- .../chart/templates/neuvector-dashboard.yaml | 4 ++- .../neuvector-controller-pa.yaml | 4 ++- .../chart/templates/uds-exemption.yaml | 4 ++- .../chart/templates/uds-package.yaml | 4 ++- src/neuvector/chart/values.yaml | 4 ++- src/neuvector/common/zarf.yaml | 4 ++- src/neuvector/oscal-component.yaml | 4 ++- src/neuvector/tasks.yaml | 4 ++- src/neuvector/values/monitor-values.yaml | 4 ++- src/neuvector/values/registry1-values.yaml | 4 ++- .../values/unicorn-config-values.yaml | 4 ++- src/neuvector/values/unicorn-values.yaml | 4 ++- src/neuvector/values/upstream-values.yaml | 4 ++- src/neuvector/values/values.yaml | 4 ++- src/neuvector/zarf.yaml | 4 ++- src/pepr/config.ts | 6 +++- src/pepr/istio/index.ts | 6 +++- src/pepr/logger.ts | 5 +++- src/pepr/operator/common.ts | 6 +++- .../exemptions/exemption-store.spec.ts | 6 +++- .../controllers/exemptions/exemption-store.ts | 6 +++- .../controllers/exemptions/exemptions.spec.ts | 6 +++- .../controllers/exemptions/exemptions.ts | 6 +++- .../operator/controllers/istio/injection.ts | 6 +++- .../controllers/istio/istio-resources.ts | 6 +++- .../controllers/istio/service-entry.spec.ts | 8 +++-- .../controllers/istio/service-entry.ts | 14 +++++---- .../controllers/istio/virtual-service.spec.ts | 6 +++- .../controllers/istio/virtual-service.ts | 6 +++- .../authservice/authorization-policy.ts | 6 +++- .../keycloak/authservice/authservice.spec.ts | 6 +++- .../keycloak/authservice/authservice.ts | 6 +++- .../keycloak/authservice/config.ts | 6 +++- .../controllers/keycloak/authservice/types.ts | 6 +++- .../controllers/keycloak/client-sync.spec.ts | 6 +++- .../controllers/keycloak/client-sync.ts | 6 +++- .../operator/controllers/keycloak/types.ts | 6 +++- .../operator/controllers/monitoring/common.ts | 6 +++- .../monitoring/pod-monitor.spec.ts | 6 +++- .../controllers/monitoring/pod-monitor.ts | 6 +++- .../monitoring/service-monitor.spec.ts | 6 +++- .../controllers/monitoring/service-monitor.ts | 6 +++- .../network/defaults/allow-egress-dns.ts | 6 +++- .../network/defaults/allow-egress-istiod.ts | 6 +++- .../allow-ingress-sidecar-monitoring.ts | 6 +++- .../network/defaults/default-deny-all.ts | 6 +++- .../controllers/network/generate.spec.ts | 6 +++- .../operator/controllers/network/generate.ts | 6 +++- .../network/generators/anywhere.ts | 6 +++- .../network/generators/cloudMetadata.ts | 6 +++- .../network/generators/intraNamespace.ts | 6 +++- .../controllers/network/generators/kubeAPI.ts | 6 +++- .../network/generators/remoteCidr.ts | 6 +++- .../operator/controllers/network/policies.ts | 6 +++- src/pepr/operator/controllers/utils.ts | 6 +++- .../crd/generated/exemption-v1alpha1.ts | 6 +++- .../istio/authorizationpolicy-v1beta1.ts | 6 +++- .../istio/requestauthentication-v1.ts | 6 +++- .../generated/istio/serviceentry-v1beta1.ts | 6 +++- .../generated/istio/virtualservice-v1beta1.ts | 6 +++- .../crd/generated/package-v1alpha1.ts | 6 +++- .../crd/generated/prometheus/podmonitor-v1.ts | 6 +++- .../generated/prometheus/servicemonitor-v1.ts | 6 +++- src/pepr/operator/crd/index.ts | 6 +++- src/pepr/operator/crd/migrate.ts | 6 +++- src/pepr/operator/crd/register.ts | 6 +++- .../crd/sources/exemption/v1alpha1.ts | 6 +++- .../sources/istio/virtualservice-v1beta1.ts | 6 +++- .../operator/crd/sources/package/v1alpha1.ts | 6 +++- .../crd/validators/exempt-validator.spec.ts | 6 +++- .../crd/validators/exempt-validator.ts | 6 +++- .../crd/validators/package-validator.spec.ts | 6 +++- .../crd/validators/package-validator.ts | 6 +++- src/pepr/operator/index.ts | 6 +++- src/pepr/operator/reconcilers/index.spec.ts | 6 +++- src/pepr/operator/reconcilers/index.ts | 6 +++- .../reconcilers/package-reconciler.spec.ts | 6 +++- .../reconcilers/package-reconciler.ts | 6 +++- src/pepr/policies/common.ts | 6 +++- src/pepr/policies/exemptions/index.spec.ts | 6 +++- src/pepr/policies/exemptions/index.ts | 6 +++- src/pepr/policies/index.ts | 6 +++- src/pepr/policies/network.spec.ts | 6 +++- src/pepr/policies/networking.ts | 8 +++-- src/pepr/policies/security.spec.ts | 6 +++- src/pepr/policies/security.ts | 6 +++- src/pepr/policies/storage.spec.ts | 6 +++- src/pepr/policies/storage.ts | 6 +++- src/pepr/prometheus/index.ts | 6 +++- src/pepr/tasks.yaml | 4 ++- src/pepr/uds-operator-config/Chart.yaml | 4 ++- .../uds-operator-config/templates/secret.yaml | 4 ++- src/pepr/uds-operator-config/values.yaml | 4 ++- src/pepr/values.yaml | 4 ++- src/pepr/zarf.yaml | 4 ++- src/prometheus-stack/chart/Chart.yaml | 4 ++- .../chart/templates/istio-monitor.yaml | 4 ++- .../prometheus-operator-pa.yaml | 4 ++- .../templates/prometheus-pod-monitor.yaml | 4 ++- .../chart/templates/uds-exemption.yaml | 4 ++- .../chart/templates/uds-package.yaml | 4 ++- src/prometheus-stack/chart/values.yaml | 2 ++ src/prometheus-stack/common/zarf.yaml | 4 ++- src/prometheus-stack/oscal-component.yaml | 4 ++- src/prometheus-stack/tasks.yaml | 4 ++- src/prometheus-stack/values/crd-values.yaml | 4 ++- .../values/registry1-values.yaml | 4 ++- .../values/unicorn-values.yaml | 4 ++- .../values/upstream-values.yaml | 4 ++- src/prometheus-stack/values/values.yaml | 4 ++- src/prometheus-stack/zarf.yaml | 4 ++- src/runtime/tasks.yaml | 4 ++- src/runtime/zarf.yaml | 4 ++- src/tempo/tasks.yaml | 4 ++- src/tempo/zarf.yaml | 4 ++- src/test/app-admin.yaml | 4 ++- src/test/app-authservice-tenant.yaml | 4 ++- src/test/app-tenant.yaml | 4 ++- src/test/chart/Chart.yaml | 4 ++- src/test/chart/templates/exemption1.yaml | 4 ++- src/test/chart/templates/exemption2.yaml | 4 ++- src/test/chart/templates/exemption3.yaml | 4 ++- src/test/chart/templates/exemption4.yaml | 4 ++- src/test/chart/templates/exemption5.yaml | 4 ++- src/test/chart/templates/package.yaml | 4 ++- src/test/chart/values.yaml | 2 ++ src/test/podinfo-values.yaml | 4 ++- src/test/tasks.yaml | 4 ++- src/test/zarf.yaml | 4 ++- src/vector/chart/Chart.yaml | 4 ++- src/vector/chart/templates/uds-exemption.yaml | 4 ++- src/vector/chart/templates/uds-package.yaml | 4 ++- src/vector/chart/values.yaml | 4 ++- src/vector/common/zarf.yaml | 4 ++- src/vector/oscal-component.yaml | 4 ++- src/vector/tasks.yaml | 4 ++- src/vector/values/registry1-values.yaml | 4 ++- src/vector/values/unicorn-values.yaml | 4 ++- src/vector/values/upstream-values.yaml | 4 ++- src/vector/values/values.yaml | 4 ++- src/vector/zarf.yaml | 4 ++- src/velero/chart/Chart.yaml | 4 ++- src/velero/chart/templates/uds-package.yaml | 4 ++- src/velero/chart/values.yaml | 4 ++- src/velero/common/zarf.yaml | 4 ++- src/velero/oscal-component.yaml | 4 ++- src/velero/tasks.yaml | 4 ++- src/velero/values/registry1-values.yaml | 4 ++- src/velero/values/unicorn-values.yaml | 4 ++- src/velero/values/upstream-values.yaml | 4 ++- src/velero/values/values.yaml | 4 ++- src/velero/zarf.yaml | 4 ++- tasks.yaml | 4 ++- tasks/create.yaml | 4 ++- tasks/deploy.yaml | 4 ++- tasks/iac.yaml | 4 ++- tasks/lint.yaml | 16 ++++++++-- tasks/publish.yaml | 4 ++- tasks/setup.yaml | 4 ++- tasks/test.yaml | 6 ++-- tasks/utils.yaml | 4 ++- zarf-config.yaml | 4 ++- 349 files changed, 1239 insertions(+), 331 deletions(-) diff --git a/.codespellrc b/.codespellrc index 014984d38..50ac37787 100644 --- a/.codespellrc +++ b/.codespellrc @@ -1,5 +1,5 @@ # Lint Codespell configurations [codespell] skip = .codespellrc,.git,node_modules,build,dist,*.zst,CHANGELOG.md -ignore-words-list = NotIn,AKS +ignore-words-list = NotIn,AKS,LICENS enable-colors = \ No newline at end of file diff --git a/.github/actions/debug-output/action.yaml b/.github/actions/debug-output/action.yaml index 8e9d2a139..1fe4ae4bf 100644 --- a/.github/actions/debug-output/action.yaml +++ b/.github/actions/debug-output/action.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + name: debug-output description: "Print out basic debug info for a k8s cluster" diff --git a/.github/actions/lint-check/action.yaml b/.github/actions/lint-check/action.yaml index 78032c587..40b43c5d0 100644 --- a/.github/actions/lint-check/action.yaml +++ b/.github/actions/lint-check/action.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + name: lint-check description: "Check Project for Linting Errors" diff --git a/.github/actions/notify-lula/action.yaml b/.github/actions/notify-lula/action.yaml index 4f03aeca0..7534d6d78 100644 --- a/.github/actions/notify-lula/action.yaml +++ b/.github/actions/notify-lula/action.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + name: Notify Lula description: "Comment on PR to notify Lula Team" diff --git a/.github/actions/save-logs/action.yaml b/.github/actions/save-logs/action.yaml index 9039a8924..01aa42225 100644 --- a/.github/actions/save-logs/action.yaml +++ b/.github/actions/save-logs/action.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + name: save-logs description: "Save debug logs" diff --git a/.github/actions/setup/action.yaml b/.github/actions/setup/action.yaml index 5487f041a..7ebb273a8 100644 --- a/.github/actions/setup/action.yaml +++ b/.github/actions/setup/action.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + # action.yml name: "Setup Environment" description: "UDS Environment Setup" diff --git a/.github/bundles/eks/uds-bundle.yaml b/.github/bundles/eks/uds-bundle.yaml index fdba702e6..94549f9d1 100644 --- a/.github/bundles/eks/uds-bundle.yaml +++ b/.github/bundles/eks/uds-bundle.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + kind: UDSBundle metadata: name: uds-core-eks-nightly diff --git a/.github/bundles/eks/uds-config.yaml b/.github/bundles/eks/uds-config.yaml index 6bd92d121..12adfdd49 100644 --- a/.github/bundles/eks/uds-config.yaml +++ b/.github/bundles/eks/uds-config.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + # Overwritten by ci-iac-aws package options: architecture: amd64 diff --git a/.github/bundles/rke2/uds-bundle.yaml b/.github/bundles/rke2/uds-bundle.yaml index 639b80b19..7caecb4f1 100644 --- a/.github/bundles/rke2/uds-bundle.yaml +++ b/.github/bundles/rke2/uds-bundle.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + kind: UDSBundle metadata: name: uds-core-rke2-nightly diff --git a/.github/bundles/rke2/uds-config.yaml b/.github/bundles/rke2/uds-config.yaml index a6033d74b..b55faf5a8 100644 --- a/.github/bundles/rke2/uds-config.yaml +++ b/.github/bundles/rke2/uds-config.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + # Overwritten by ci-iac-aws package options: architecture: amd64 diff --git a/.github/filters.yaml b/.github/filters.yaml index 2cf69300e..8ffee6f5b 100644 --- a/.github/filters.yaml +++ b/.github/filters.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + all: - "**" diff --git a/.github/test-infra/aws/eks/loki.tf b/.github/test-infra/aws/eks/loki.tf index 868e2782e..756b95017 100644 --- a/.github/test-infra/aws/eks/loki.tf +++ b/.github/test-infra/aws/eks/loki.tf @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + resource "aws_iam_policy" "loki_policy" { name = "${local.bucket_configurations.loki.name}-irsa-${random_id.unique_id.hex}" path = "/" diff --git a/.github/test-infra/aws/eks/main.tf b/.github/test-infra/aws/eks/main.tf index d8cd70a91..07d5821a5 100644 --- a/.github/test-infra/aws/eks/main.tf +++ b/.github/test-infra/aws/eks/main.tf @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + resource "random_id" "default" { byte_length = 2 diff --git a/.github/test-infra/aws/eks/outputs.tf b/.github/test-infra/aws/eks/outputs.tf index d51f9cb36..f0e4e6224 100644 --- a/.github/test-infra/aws/eks/outputs.tf +++ b/.github/test-infra/aws/eks/outputs.tf @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + output "aws_region" { value = data.aws_region.current.name } diff --git a/.github/test-infra/aws/eks/rds.tf b/.github/test-infra/aws/eks/rds.tf index 9f32281c9..9f90a2f1a 100644 --- a/.github/test-infra/aws/eks/rds.tf +++ b/.github/test-infra/aws/eks/rds.tf @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + resource "random_password" "db_password" { length = 16 special = false diff --git a/.github/test-infra/aws/eks/variables.tf b/.github/test-infra/aws/eks/variables.tf index b3cdf700b..94bcb7e15 100644 --- a/.github/test-infra/aws/eks/variables.tf +++ b/.github/test-infra/aws/eks/variables.tf @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + variable "region" { description = "AWS region" type = string diff --git a/.github/test-infra/aws/eks/velero.tf b/.github/test-infra/aws/eks/velero.tf index cbcb6c588..cba3d9307 100644 --- a/.github/test-infra/aws/eks/velero.tf +++ b/.github/test-infra/aws/eks/velero.tf @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + resource "aws_iam_policy" "velero_policy" { name = "${local.bucket_configurations.velero.name}-irsa-${random_id.unique_id.hex}" path = "/" diff --git a/.github/test-infra/aws/eks/versions.tf b/.github/test-infra/aws/eks/versions.tf index c43fc5636..0a4588878 100644 --- a/.github/test-infra/aws/eks/versions.tf +++ b/.github/test-infra/aws/eks/versions.tf @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + provider "aws" { region = var.region diff --git a/.github/test-infra/aws/rke2/data.tf b/.github/test-infra/aws/rke2/data.tf index a4cf9e993..80518887f 100644 --- a/.github/test-infra/aws/rke2/data.tf +++ b/.github/test-infra/aws/rke2/data.tf @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + data "aws_vpc" "vpc" { filter { name = "tag:Name" diff --git a/.github/test-infra/aws/rke2/iam.tf b/.github/test-infra/aws/rke2/iam.tf index ac817a743..c07666942 100644 --- a/.github/test-infra/aws/rke2/iam.tf +++ b/.github/test-infra/aws/rke2/iam.tf @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + # required iam roles for irsa data "aws_partition" "current" {} diff --git a/.github/test-infra/aws/rke2/irsa.tf b/.github/test-infra/aws/rke2/irsa.tf index 1503ca0bb..5996e24aa 100644 --- a/.github/test-infra/aws/rke2/irsa.tf +++ b/.github/test-infra/aws/rke2/irsa.tf @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + # setting up irsa for the rke2 cluster # Keypair for signing, added as secrets in AWS Secrets Manager resource "tls_private_key" "keypair" { diff --git a/.github/test-infra/aws/rke2/main.tf b/.github/test-infra/aws/rke2/main.tf index f28b31315..9fb44ef06 100644 --- a/.github/test-infra/aws/rke2/main.tf +++ b/.github/test-infra/aws/rke2/main.tf @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + # sourced from https://github.com/defenseunicorns/uds-rke2-image-builder/tree/2fecc1c9a10180579ada75a9ec92dcb224e82a74/.github/test-infra/rke2-cluster locals { cluster_name = "rke2-nightly-ci-${random_string.ssm.result}" diff --git a/.github/test-infra/aws/rke2/metallb.yaml b/.github/test-infra/aws/rke2/metallb.yaml index 4f8146f95..24a487eb6 100644 --- a/.github/test-infra/aws/rke2/metallb.yaml +++ b/.github/test-infra/aws/rke2/metallb.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + apiVersion: metallb.io/v1beta1 kind: IPAddressPool metadata: diff --git a/.github/test-infra/aws/rke2/modules/statestore/main.tf b/.github/test-infra/aws/rke2/modules/statestore/main.tf index 75e66d38c..8b6ca4f0b 100644 --- a/.github/test-infra/aws/rke2/modules/statestore/main.tf +++ b/.github/test-infra/aws/rke2/modules/statestore/main.tf @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + #sourced from https://github.com/rancherfederal/rke2-aws-tf/blob/master/modules/statestore/main.tf resource "aws_s3_bucket" "bucket" { diff --git a/.github/test-infra/aws/rke2/modules/statestore/outputs.tf b/.github/test-infra/aws/rke2/modules/statestore/outputs.tf index 90fcc6c03..cab40e7fc 100644 --- a/.github/test-infra/aws/rke2/modules/statestore/outputs.tf +++ b/.github/test-infra/aws/rke2/modules/statestore/outputs.tf @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + output "bucket" { value = aws_s3_object.token.bucket } diff --git a/.github/test-infra/aws/rke2/modules/statestore/variables.tf b/.github/test-infra/aws/rke2/modules/statestore/variables.tf index 1edb34c93..d82abc962 100644 --- a/.github/test-infra/aws/rke2/modules/statestore/variables.tf +++ b/.github/test-infra/aws/rke2/modules/statestore/variables.tf @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + variable "name" { type = string } diff --git a/.github/test-infra/aws/rke2/modules/storage/irsa/data.tf b/.github/test-infra/aws/rke2/modules/storage/irsa/data.tf index 8a6ae3837..2e2778315 100644 --- a/.github/test-infra/aws/rke2/modules/storage/irsa/data.tf +++ b/.github/test-infra/aws/rke2/modules/storage/irsa/data.tf @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + ## s3 policy data "aws_caller_identity" "current" {} diff --git a/.github/test-infra/aws/rke2/modules/storage/irsa/main.tf b/.github/test-infra/aws/rke2/modules/storage/irsa/main.tf index e3bc4dd1b..311818c5b 100644 --- a/.github/test-infra/aws/rke2/modules/storage/irsa/main.tf +++ b/.github/test-infra/aws/rke2/modules/storage/irsa/main.tf @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + data "aws_partition" "current" {} ## This will create a policy for the S3 Buckets diff --git a/.github/test-infra/aws/rke2/modules/storage/irsa/outputs.tf b/.github/test-infra/aws/rke2/modules/storage/irsa/outputs.tf index a63e296b6..d86b92c76 100644 --- a/.github/test-infra/aws/rke2/modules/storage/irsa/outputs.tf +++ b/.github/test-infra/aws/rke2/modules/storage/irsa/outputs.tf @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + output "bucket_role" { value = aws_iam_role.s3_bucket_role } diff --git a/.github/test-infra/aws/rke2/modules/storage/irsa/variables.tf b/.github/test-infra/aws/rke2/modules/storage/irsa/variables.tf index b714b03cc..10a892cdb 100644 --- a/.github/test-infra/aws/rke2/modules/storage/irsa/variables.tf +++ b/.github/test-infra/aws/rke2/modules/storage/irsa/variables.tf @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + variable "cluster_name" { description = "Name of the Kubernetes Cluster." type = string diff --git a/.github/test-infra/aws/rke2/modules/storage/main.tf b/.github/test-infra/aws/rke2/modules/storage/main.tf index cab6be57a..5350762c4 100644 --- a/.github/test-infra/aws/rke2/modules/storage/main.tf +++ b/.github/test-infra/aws/rke2/modules/storage/main.tf @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + # Terraform Module for provisioning s3 buckets with optional support for IRSA, tailored specifically for loki and velero atop uds-core locals { permissions_boundary_name = split("/", var.permissions_boundary)[1] diff --git a/.github/test-infra/aws/rke2/modules/storage/outputs.tf b/.github/test-infra/aws/rke2/modules/storage/outputs.tf index dcd9c7314..f0414ad1e 100644 --- a/.github/test-infra/aws/rke2/modules/storage/outputs.tf +++ b/.github/test-infra/aws/rke2/modules/storage/outputs.tf @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + output "s3_buckets" { value = { for k, v in module.s3 : k => v } } diff --git a/.github/test-infra/aws/rke2/modules/storage/variables.tf b/.github/test-infra/aws/rke2/modules/storage/variables.tf index 0043b9231..f51b9c4e3 100644 --- a/.github/test-infra/aws/rke2/modules/storage/variables.tf +++ b/.github/test-infra/aws/rke2/modules/storage/variables.tf @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + variable "cluster_name" { description = "Name of the Kubernetes Cluster." type = string diff --git a/.github/test-infra/aws/rke2/modules/storage/versions.tf b/.github/test-infra/aws/rke2/modules/storage/versions.tf index dfdef5df3..bd25115e5 100644 --- a/.github/test-infra/aws/rke2/modules/storage/versions.tf +++ b/.github/test-infra/aws/rke2/modules/storage/versions.tf @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + terraform { required_providers { aws = { diff --git a/.github/test-infra/aws/rke2/outputs.tf b/.github/test-infra/aws/rke2/outputs.tf index 740ec4679..5ae696ab7 100644 --- a/.github/test-infra/aws/rke2/outputs.tf +++ b/.github/test-infra/aws/rke2/outputs.tf @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + output "aws_region" { value = data.aws_region.current.name } diff --git a/.github/test-infra/aws/rke2/scripts/get-kubeconfig.sh b/.github/test-infra/aws/rke2/scripts/get-kubeconfig.sh index 98afca479..dc002bab1 100644 --- a/.github/test-infra/aws/rke2/scripts/get-kubeconfig.sh +++ b/.github/test-infra/aws/rke2/scripts/get-kubeconfig.sh @@ -1,4 +1,8 @@ #!/bin/bash +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + + # Utility script that can be called from a uds task after tofu has deployed the e2e test module diff --git a/.github/test-infra/aws/rke2/scripts/key_id.sh b/.github/test-infra/aws/rke2/scripts/key_id.sh index 75d11b946..cce17dafb 100644 --- a/.github/test-infra/aws/rke2/scripts/key_id.sh +++ b/.github/test-infra/aws/rke2/scripts/key_id.sh @@ -1,4 +1,9 @@ #!/bin/bash +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + + + set -e PUBLIC_KEY="$1" diff --git a/.github/test-infra/aws/rke2/scripts/key_modulus.sh b/.github/test-infra/aws/rke2/scripts/key_modulus.sh index 1dceab953..391a5ebd6 100644 --- a/.github/test-infra/aws/rke2/scripts/key_modulus.sh +++ b/.github/test-infra/aws/rke2/scripts/key_modulus.sh @@ -1,4 +1,9 @@ #!/bin/bash +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + + + PUBLIC_KEY="$1" modulus=$(echo "$PUBLIC_KEY" |\ diff --git a/.github/test-infra/aws/rke2/scripts/user_data.sh b/.github/test-infra/aws/rke2/scripts/user_data.sh index b2ac2a1d2..82b9b7cc6 100644 --- a/.github/test-infra/aws/rke2/scripts/user_data.sh +++ b/.github/test-infra/aws/rke2/scripts/user_data.sh @@ -1,4 +1,8 @@ #!/bin/bash +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + + info() { echo "[INFO] " "$@" diff --git a/.github/test-infra/aws/rke2/storage.tf b/.github/test-infra/aws/rke2/storage.tf index 79324a4d9..aa1d742eb 100644 --- a/.github/test-infra/aws/rke2/storage.tf +++ b/.github/test-infra/aws/rke2/storage.tf @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + ####################################### # Storage ####################################### diff --git a/.github/test-infra/aws/rke2/variables.tf b/.github/test-infra/aws/rke2/variables.tf index fe820743c..59ac1e4bb 100644 --- a/.github/test-infra/aws/rke2/variables.tf +++ b/.github/test-infra/aws/rke2/variables.tf @@ -1,3 +1,5 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial variable "environment" { description = "Environment/account that this is deployed to" diff --git a/.github/test-infra/aws/rke2/versions.tf b/.github/test-infra/aws/rke2/versions.tf index edbd9f2f8..21fc2933b 100644 --- a/.github/test-infra/aws/rke2/versions.tf +++ b/.github/test-infra/aws/rke2/versions.tf @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + terraform { backend "s3" { } diff --git a/.github/workflows/commitlint.yaml b/.github/workflows/commitlint.yaml index 1870d9deb..43c0e331e 100644 --- a/.github/workflows/commitlint.yaml +++ b/.github/workflows/commitlint.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + name: Metadata on: diff --git a/.github/workflows/compliance.yaml b/.github/workflows/compliance.yaml index e04430f9a..7c9a1ab3d 100644 --- a/.github/workflows/compliance.yaml +++ b/.github/workflows/compliance.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + name: Compliance Evaluation on: diff --git a/.github/workflows/docs-shim.yaml b/.github/workflows/docs-shim.yaml index 1425ec9ad..cc6416c44 100644 --- a/.github/workflows/docs-shim.yaml +++ b/.github/workflows/docs-shim.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + name: CI Docs on: diff --git a/.github/workflows/lint-oscal.yaml b/.github/workflows/lint-oscal.yaml index 22c6c3e86..806da851b 100644 --- a/.github/workflows/lint-oscal.yaml +++ b/.github/workflows/lint-oscal.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + name: Lint OSCAL Files on: diff --git a/.github/workflows/nightly-testing.yaml b/.github/workflows/nightly-testing.yaml index 21e3ad058..cb7fb10c0 100644 --- a/.github/workflows/nightly-testing.yaml +++ b/.github/workflows/nightly-testing.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + name: Nightly Testing on: diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml index e7800b801..3ffbaeaee 100644 --- a/.github/workflows/publish.yaml +++ b/.github/workflows/publish.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + name: Publish UDS Core on: diff --git a/.github/workflows/pull-request-conditionals.yaml b/.github/workflows/pull-request-conditionals.yaml index 2b8644534..22b81fa7b 100644 --- a/.github/workflows/pull-request-conditionals.yaml +++ b/.github/workflows/pull-request-conditionals.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + name: Filter # This workflow is triggered on pull requests diff --git a/.github/workflows/slim-dev-test.yaml b/.github/workflows/slim-dev-test.yaml index c61cae6f4..b1c4e85fa 100644 --- a/.github/workflows/slim-dev-test.yaml +++ b/.github/workflows/slim-dev-test.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + name: Slim Dev # This workflow is triggered on pull requests diff --git a/.github/workflows/snapshot-release.yaml b/.github/workflows/snapshot-release.yaml index a622a90f8..caca1060b 100644 --- a/.github/workflows/snapshot-release.yaml +++ b/.github/workflows/snapshot-release.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + name: Release UDS Core Snapshot on: diff --git a/.github/workflows/tag-and-release.yaml b/.github/workflows/tag-and-release.yaml index ef6007c02..56d4294a7 100644 --- a/.github/workflows/tag-and-release.yaml +++ b/.github/workflows/tag-and-release.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + name: Release UDS Core on: diff --git a/.github/workflows/test-eks.yaml b/.github/workflows/test-eks.yaml index d76bd0292..727e35022 100644 --- a/.github/workflows/test-eks.yaml +++ b/.github/workflows/test-eks.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + name: Test Core On EKS on: diff --git a/.github/workflows/test-rke2.yaml b/.github/workflows/test-rke2.yaml index 2589e92ec..8bd6480b2 100644 --- a/.github/workflows/test-rke2.yaml +++ b/.github/workflows/test-rke2.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + name: Test Core On RKE2 on: diff --git a/.github/workflows/test-shim.yaml b/.github/workflows/test-shim.yaml index 9eee95cdb..bdc662027 100644 --- a/.github/workflows/test-shim.yaml +++ b/.github/workflows/test-shim.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + name: Test Shim on: diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index bbf884235..bafb1b939 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + name: Test packages on: diff --git a/.gitignore b/.gitignore index 75b5a663e..30014e1cd 100644 --- a/.gitignore +++ b/.gitignore @@ -6,7 +6,7 @@ build/ zarf-sbom tmp/ env.ts -node_modules +node_modules/** dist insecure* .env diff --git a/.husky/pre-commit b/.husky/pre-commit index 031993ec4..b1f1ff9d9 100755 --- a/.husky/pre-commit +++ b/.husky/pre-commit @@ -1,12 +1,35 @@ #!/usr/bin/env sh . "$(dirname -- "$0")/_/husky.sh" +echo "\nRunning YAML Lint Check" + +# Run yamllint globally, which will respect the .yamllint config, including ignores +yamllint -c .yamllint . --no-warnings + +# Capture yamllint +YAMLLINT_EXIT=$? + +if [ $YAMLLINT_EXIT -ne 0 ]; then + echo "\n❌ YAMLLint failed. Please fix the YAML issues before committing. ❌\n" + exit 1 +fi + +echo "YAML Lint Check Passed - βœ…\n" + +echo "\nRunning License Lint Check. Use \`uds run -f tasks/lint.yaml fix-license\` to resolve any issues.\n" + +# Run license linting +uds run -f tasks/lint.yaml license + +echo "\nRunning Pepr Format and Codespell Lint Checks\n" + +# Run lint-staged for other linting tasks OUTPUT=$(npx lint-staged > /dev/null && echo $? || echo $?) if [ $OUTPUT -eq 0 ]; then - echo "\n\nβœ… Lint Check Passed. βœ…\n\n" + echo "\nAll Lints Check Passed - βœ…\n" exit 0 else - echo "\n\n❌ Lint Check failed... Run \`uds run lint-fix\` to resolve issues and re-commit. ❌\n\n" + echo "❌ Pepr Format and Codespell Lint Check failed... Run \`uds run lint-fix\` to resolve issues and re-commit. ❌\n" exit 1 -fi +fi \ No newline at end of file diff --git a/.lintstagedrc.json b/.lintstagedrc.json index abbc42c11..3cdd4ff8b 100644 --- a/.lintstagedrc.json +++ b/.lintstagedrc.json @@ -2,10 +2,7 @@ "*": [ "codespell" ], - "*.yaml": [ - "yamllint -c .yamllint --no-warnings" - ], "*.ts": [ "npx pepr format --validate-only" ] -} +} \ No newline at end of file diff --git a/.yamllint b/.yamllint index e9a3eff30..29231c902 100644 --- a/.yamllint +++ b/.yamllint @@ -6,10 +6,10 @@ yaml-files: ignore: - 'k3d/local/manifests/metallb/metallb-native.yaml' - '**/.terraform/**' - - '**/chart/templates**' + - '**/chart/templates/**' - 'node_modules/**' - 'dist/**' - - 'src/pepr/uds-operator-config/templates**' + - 'src/pepr/uds-operator-config/templates/**' - '.codespellrc' - '.lintstagedrc.json' diff --git a/CODEOWNERS b/CODEOWNERS index 8dbdd4693..3ca746737 100644 --- a/CODEOWNERS +++ b/CODEOWNERS @@ -2,4 +2,5 @@ # Additional privileged files /CODEOWNERS @jeff-mccoy @daveworth -/LICENSE* @jeff-mccoy @daveworth +# NOTE: No E to catch LICENSE and LICENSING +/LICENS* @jeff-mccoy @austenbryan diff --git a/LICENSING.md b/LICENSING.md index e4942dde4..a439b77d2 100644 --- a/LICENSING.md +++ b/LICENSING.md @@ -7,12 +7,12 @@ This software is licensed under either of: ## Defense Unicorns Commercial License -The use of this software under a commercial license is subject to the terms -of the license agreement between the licensee and Defense Unicorns. The +The use of this software under a commercial license is subject to the individual +terms of the license agreement between the licensee and Defense Unicorns. The content of this license depends on the specific agreement and may vary. For more information about obtaining a commercial license, please contact Defense Unicorns at [defenseunicorns.com](https://defenseunicorns.com). -To use this software under the commercial license, you must have a valid -license agreement with Defense Unicorns. The terms of that license agreement -replace the terms of the AGPL v3 license. +To use this software under the commercial license, you must have a valid license +agreement with Defense Unicorns. The terms of the Defense Unicorns, Inc. license +agreement supplant and supersede the terms of the AGPL v3 license. diff --git a/bundles/k3d-slim-dev/uds-bundle.yaml b/bundles/k3d-slim-dev/uds-bundle.yaml index 39c90dd0b..61b7f7f92 100644 --- a/bundles/k3d-slim-dev/uds-bundle.yaml +++ b/bundles/k3d-slim-dev/uds-bundle.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + kind: UDSBundle metadata: name: k3d-core-slim-dev diff --git a/bundles/k3d-standard/uds-bundle.yaml b/bundles/k3d-standard/uds-bundle.yaml index 3d5c0dbae..5f0993f14 100644 --- a/bundles/k3d-standard/uds-bundle.yaml +++ b/bundles/k3d-standard/uds-bundle.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + kind: UDSBundle metadata: name: k3d-core-demo diff --git a/bundles/k3d-standard/uds-ha-config.yaml b/bundles/k3d-standard/uds-ha-config.yaml index dae5c8b8a..018b44c01 100644 --- a/bundles/k3d-standard/uds-ha-config.yaml +++ b/bundles/k3d-standard/uds-ha-config.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + variables: core: # Keycloak variables diff --git a/commitlint.config.js b/commitlint.config.js index 8567d51d7..dab58d6ce 100644 --- a/commitlint.config.js +++ b/commitlint.config.js @@ -1 +1,6 @@ +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + module.exports = { extends: ["@commitlint/config-conventional"] }; \ No newline at end of file diff --git a/compliance/oscal-assessment-results.yaml b/compliance/oscal-assessment-results.yaml index 9800512b0..7593fb5f2 100644 --- a/compliance/oscal-assessment-results.yaml +++ b/compliance/oscal-assessment-results.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + assessment-results: import-ap: href: "" diff --git a/compliance/oscal-component.yaml b/compliance/oscal-component.yaml index e0cdf872f..e48e07e5c 100644 --- a/compliance/oscal-component.yaml +++ b/compliance/oscal-component.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + component-definition: uuid: 8ef481dd-7924-42de-b426-ac300db35ec8 metadata: diff --git a/jest.setup.js b/jest.setup.js index 32b832d64..3d5852167 100644 --- a/jest.setup.js +++ b/jest.setup.js @@ -1,3 +1,8 @@ +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + const { K8s, kind } = require("kubernetes-fluent-client"); module.exports = async () => { diff --git a/jest.teardown.js b/jest.teardown.js index 803adebd9..7926af39f 100644 --- a/jest.teardown.js +++ b/jest.teardown.js @@ -1,3 +1,8 @@ +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + const { K8s, kind } = require("kubernetes-fluent-client"); module.exports = async () => { diff --git a/packages/backup-restore/tasks.yaml b/packages/backup-restore/tasks.yaml index 586220b33..321585dca 100644 --- a/packages/backup-restore/tasks.yaml +++ b/packages/backup-restore/tasks.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + includes: - velero: ../../src/velero/tasks.yaml diff --git a/packages/backup-restore/zarf.yaml b/packages/backup-restore/zarf.yaml index ec5c06e00..73cd943a8 100644 --- a/packages/backup-restore/zarf.yaml +++ b/packages/backup-restore/zarf.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + kind: ZarfPackageConfig metadata: name: core-backup-restore diff --git a/packages/base/tasks.yaml b/packages/base/tasks.yaml index 69135701b..cd4defc93 100644 --- a/packages/base/tasks.yaml +++ b/packages/base/tasks.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + includes: - istio: ../../src/istio/tasks.yaml - pepr: ../../src/pepr/tasks.yaml diff --git a/packages/base/zarf.yaml b/packages/base/zarf.yaml index 24ec65b55..7389c8af5 100644 --- a/packages/base/zarf.yaml +++ b/packages/base/zarf.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + kind: ZarfPackageConfig metadata: name: core-base diff --git a/packages/identity-authorization/tasks.yaml b/packages/identity-authorization/tasks.yaml index 10e242de5..f06de22cf 100644 --- a/packages/identity-authorization/tasks.yaml +++ b/packages/identity-authorization/tasks.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + includes: - keycloak: ../../src/keycloak/tasks.yaml - authservice: ../../src/authservice/tasks.yaml diff --git a/packages/identity-authorization/zarf.yaml b/packages/identity-authorization/zarf.yaml index 2a2ea3b52..7cb804939 100644 --- a/packages/identity-authorization/zarf.yaml +++ b/packages/identity-authorization/zarf.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + kind: ZarfPackageConfig metadata: name: core-identity-authorization diff --git a/packages/logging/tasks.yaml b/packages/logging/tasks.yaml index 0bed9517c..e8d04ed1f 100644 --- a/packages/logging/tasks.yaml +++ b/packages/logging/tasks.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + includes: - loki: ../../src/loki/tasks.yaml - vector: ../../src/vector/tasks.yaml diff --git a/packages/logging/zarf.yaml b/packages/logging/zarf.yaml index d252a5aa5..f6bd0205c 100644 --- a/packages/logging/zarf.yaml +++ b/packages/logging/zarf.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + kind: ZarfPackageConfig metadata: name: core-logging diff --git a/packages/metrics-server/tasks.yaml b/packages/metrics-server/tasks.yaml index bda7e25bf..a13737dc2 100644 --- a/packages/metrics-server/tasks.yaml +++ b/packages/metrics-server/tasks.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + includes: - metrics-server: ../../src/metrics-server/tasks.yaml diff --git a/packages/metrics-server/zarf.yaml b/packages/metrics-server/zarf.yaml index 87e0e2760..6f9fd9b51 100644 --- a/packages/metrics-server/zarf.yaml +++ b/packages/metrics-server/zarf.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + kind: ZarfPackageConfig metadata: name: core-metrics-server diff --git a/packages/monitoring/tasks.yaml b/packages/monitoring/tasks.yaml index 0d70126f8..e7c9b3bee 100644 --- a/packages/monitoring/tasks.yaml +++ b/packages/monitoring/tasks.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + includes: - prometheus: ../../src/prometheus-stack/tasks.yaml - grafana: ../../src/grafana/tasks.yaml diff --git a/packages/monitoring/zarf.yaml b/packages/monitoring/zarf.yaml index fbca00411..3f5414ba0 100644 --- a/packages/monitoring/zarf.yaml +++ b/packages/monitoring/zarf.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + kind: ZarfPackageConfig metadata: name: core-monitoring diff --git a/packages/runtime-security/tasks.yaml b/packages/runtime-security/tasks.yaml index 81cebd74c..9cf0cec0a 100644 --- a/packages/runtime-security/tasks.yaml +++ b/packages/runtime-security/tasks.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + includes: - neuvector: ../../src/neuvector/tasks.yaml diff --git a/packages/runtime-security/zarf.yaml b/packages/runtime-security/zarf.yaml index 0a7bc87e4..1296c148d 100644 --- a/packages/runtime-security/zarf.yaml +++ b/packages/runtime-security/zarf.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + kind: ZarfPackageConfig metadata: name: core-runtime-security diff --git a/packages/standard/zarf.yaml b/packages/standard/zarf.yaml index 23ebbebe9..82090fdf7 100644 --- a/packages/standard/zarf.yaml +++ b/packages/standard/zarf.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + kind: ZarfPackageConfig metadata: name: core diff --git a/packages/ui/tasks.yaml b/packages/ui/tasks.yaml index 037181405..ef2d5405a 100644 --- a/packages/ui/tasks.yaml +++ b/packages/ui/tasks.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + includes: - runtime: ../../src/runtime/tasks.yaml diff --git a/packages/ui/zarf.yaml b/packages/ui/zarf.yaml index 708ed0932..f7c21c97b 100644 --- a/packages/ui/zarf.yaml +++ b/packages/ui/zarf.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + kind: ZarfPackageConfig metadata: name: core-ui diff --git a/pepr.ts b/pepr.ts index 54f83a518..b0403818e 100644 --- a/pepr.ts +++ b/pepr.ts @@ -1,4 +1,8 @@ -// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { PeprModule } from "pepr"; import cfg from "./package.json"; diff --git a/src/authservice/chart/Chart.yaml b/src/authservice/chart/Chart.yaml index 1f96da755..23497aa1f 100644 --- a/src/authservice/chart/Chart.yaml +++ b/src/authservice/chart/Chart.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + apiVersion: v2 name: authservice description: A Helm chart for Istio Authservice diff --git a/src/authservice/chart/templates/deployment.yaml b/src/authservice/chart/templates/deployment.yaml index 11d9aa853..c75a602ec 100644 --- a/src/authservice/chart/templates/deployment.yaml +++ b/src/authservice/chart/templates/deployment.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + apiVersion: apps/v1 kind: Deployment metadata: diff --git a/src/authservice/chart/templates/hpa.yaml b/src/authservice/chart/templates/hpa.yaml index 52cdd025d..dc12bb186 100644 --- a/src/authservice/chart/templates/hpa.yaml +++ b/src/authservice/chart/templates/hpa.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + {{- if .Values.autoscaling.enabled }} apiVersion: autoscaling/v2 kind: HorizontalPodAutoscaler diff --git a/src/authservice/chart/templates/service.yaml b/src/authservice/chart/templates/service.yaml index b3c75b761..c95d81359 100644 --- a/src/authservice/chart/templates/service.yaml +++ b/src/authservice/chart/templates/service.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + apiVersion: v1 kind: Service metadata: diff --git a/src/authservice/chart/templates/uds-package.yaml b/src/authservice/chart/templates/uds-package.yaml index 1baef2ad1..acf50b428 100644 --- a/src/authservice/chart/templates/uds-package.yaml +++ b/src/authservice/chart/templates/uds-package.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + apiVersion: uds.dev/v1alpha1 kind: Package metadata: diff --git a/src/authservice/chart/values.yaml b/src/authservice/chart/values.yaml index 62be37930..ea4e9af41 100644 --- a/src/authservice/chart/values.yaml +++ b/src/authservice/chart/values.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + # -- When setting this above 1, a redis configuration is required. replicaCount: 1 diff --git a/src/authservice/common/zarf.yaml b/src/authservice/common/zarf.yaml index 8664e1131..82c57392e 100644 --- a/src/authservice/common/zarf.yaml +++ b/src/authservice/common/zarf.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + kind: ZarfPackageConfig metadata: name: uds-core-authservice-common diff --git a/src/authservice/tasks.yaml b/src/authservice/tasks.yaml index 5cb89c9d8..06004f671 100644 --- a/src/authservice/tasks.yaml +++ b/src/authservice/tasks.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + tasks: - name: validate actions: diff --git a/src/authservice/values/registry1-values.yaml b/src/authservice/values/registry1-values.yaml index 0e3b78a6a..96812b76b 100644 --- a/src/authservice/values/registry1-values.yaml +++ b/src/authservice/values/registry1-values.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + image: repository: registry1.dso.mil/ironbank/istio-ecosystem/authservice tag: "1.0.2-ubi9" diff --git a/src/authservice/values/unicorn-values.yaml b/src/authservice/values/unicorn-values.yaml index ab66baa3e..8c48801c9 100644 --- a/src/authservice/values/unicorn-values.yaml +++ b/src/authservice/values/unicorn-values.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + image: repository: cgr.dev/du-uds-defenseunicorns/authservice-fips tag: "1.0.2" diff --git a/src/authservice/values/upstream-values.yaml b/src/authservice/values/upstream-values.yaml index 6734a698e..e8511c2b3 100644 --- a/src/authservice/values/upstream-values.yaml +++ b/src/authservice/values/upstream-values.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + image: repository: ghcr.io/istio-ecosystem/authservice/authservice tag: "1.0.2" diff --git a/src/authservice/zarf.yaml b/src/authservice/zarf.yaml index 75ba01044..53a82124e 100644 --- a/src/authservice/zarf.yaml +++ b/src/authservice/zarf.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + kind: ZarfPackageConfig metadata: name: uds-core-authservice diff --git a/src/grafana/chart/Chart.yaml b/src/grafana/chart/Chart.yaml index 05ae7e64a..2b07d2451 100644 --- a/src/grafana/chart/Chart.yaml +++ b/src/grafana/chart/Chart.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + apiVersion: v2 name: uds-grafana-config description: Grafana configuration for UDS diff --git a/src/grafana/chart/templates/datasources.yaml b/src/grafana/chart/templates/datasources.yaml index 847882ddf..fecd5b634 100644 --- a/src/grafana/chart/templates/datasources.yaml +++ b/src/grafana/chart/templates/datasources.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + apiVersion: v1 kind: ConfigMap metadata: diff --git a/src/grafana/chart/templates/secret-postgres.yaml b/src/grafana/chart/templates/secret-postgres.yaml index a233bf37b..6aeb0ee58 100644 --- a/src/grafana/chart/templates/secret-postgres.yaml +++ b/src/grafana/chart/templates/secret-postgres.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + apiVersion: v1 kind: Secret metadata: diff --git a/src/grafana/chart/templates/uds-package.yaml b/src/grafana/chart/templates/uds-package.yaml index f1246a87e..be80115af 100644 --- a/src/grafana/chart/templates/uds-package.yaml +++ b/src/grafana/chart/templates/uds-package.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + apiVersion: uds.dev/v1alpha1 kind: Package metadata: diff --git a/src/grafana/chart/values.yaml b/src/grafana/chart/values.yaml index e9bd79a43..94f893ec2 100644 --- a/src/grafana/chart/values.yaml +++ b/src/grafana/chart/values.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + domain: "###ZARF_VAR_DOMAIN###" # Stores Grafana's metadata, including dashboards, data sources, organizations, alerts, and other configurations. Required for HA mode. diff --git a/src/grafana/common/zarf.yaml b/src/grafana/common/zarf.yaml index 968956221..b82cbe683 100644 --- a/src/grafana/common/zarf.yaml +++ b/src/grafana/common/zarf.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + kind: ZarfPackageConfig metadata: name: uds-core-grafana-common diff --git a/src/grafana/oscal-component.yaml b/src/grafana/oscal-component.yaml index 9b54b0a9d..87ba1e33d 100644 --- a/src/grafana/oscal-component.yaml +++ b/src/grafana/oscal-component.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + component-definition: uuid: 7d316238-f7c4-4d3b-ab33-6ecbf49de5a7 metadata: diff --git a/src/grafana/tasks.yaml b/src/grafana/tasks.yaml index 7b0ef1f10..962abc8a7 100644 --- a/src/grafana/tasks.yaml +++ b/src/grafana/tasks.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + tasks: - name: validate actions: diff --git a/src/grafana/values/registry1-values.yaml b/src/grafana/values/registry1-values.yaml index 23d4ffe13..cfd61e80d 100644 --- a/src/grafana/values/registry1-values.yaml +++ b/src/grafana/values/registry1-values.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + image: registry: registry1.dso.mil repository: ironbank/opensource/grafana/grafana diff --git a/src/grafana/values/unicorn-values.yaml b/src/grafana/values/unicorn-values.yaml index 48062d9ac..79970420e 100644 --- a/src/grafana/values/unicorn-values.yaml +++ b/src/grafana/values/unicorn-values.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + image: registry: cgr.dev repository: du-uds-defenseunicorns/grafana-fips diff --git a/src/grafana/values/upstream-values.yaml b/src/grafana/values/upstream-values.yaml index 8fc9d565b..73f3ff340 100644 --- a/src/grafana/values/upstream-values.yaml +++ b/src/grafana/values/upstream-values.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + sidecar: image: # -- The Docker registry diff --git a/src/grafana/values/values.yaml b/src/grafana/values/values.yaml index ec92e3040..d7056b54a 100644 --- a/src/grafana/values/values.yaml +++ b/src/grafana/values/values.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + sidecar: dashboards: enabled: true diff --git a/src/grafana/zarf.yaml b/src/grafana/zarf.yaml index 48bed8a1d..a0fdde8c4 100644 --- a/src/grafana/zarf.yaml +++ b/src/grafana/zarf.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + kind: ZarfPackageConfig metadata: name: uds-core-grafana diff --git a/src/istio/chart/Chart.yaml b/src/istio/chart/Chart.yaml index 5192d8dc1..8b1186d97 100644 --- a/src/istio/chart/Chart.yaml +++ b/src/istio/chart/Chart.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + apiVersion: v2 name: uds-istio-config description: Istio configuration for UDS diff --git a/src/istio/chart/templates/gateway.yaml b/src/istio/chart/templates/gateway.yaml index e72d1766f..c14e81a74 100644 --- a/src/istio/chart/templates/gateway.yaml +++ b/src/istio/chart/templates/gateway.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + {{- $domain := .Values.domain }} {{- if .Values.tls }} apiVersion: networking.istio.io/v1beta1 diff --git a/src/istio/chart/templates/tls-cert.yaml b/src/istio/chart/templates/tls-cert.yaml index a27ecbd34..0fd4f0314 100644 --- a/src/istio/chart/templates/tls-cert.yaml +++ b/src/istio/chart/templates/tls-cert.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + {{- $tls := .Values.tls }} {{ if $tls.cert }} apiVersion: v1 diff --git a/src/istio/chart/values.yaml b/src/istio/chart/values.yaml index 544dc1f42..a399181c4 100644 --- a/src/istio/chart/values.yaml +++ b/src/istio/chart/values.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + # The gateway name prefix name: change-me diff --git a/src/istio/common/chart/templates/envoy-filters.yaml b/src/istio/common/chart/templates/envoy-filters.yaml index df4926d2f..455f364a8 100644 --- a/src/istio/common/chart/templates/envoy-filters.yaml +++ b/src/istio/common/chart/templates/envoy-filters.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + --- # Source: istio/templates/envoyfilter.yaml apiVersion: networking.istio.io/v1alpha3 diff --git a/src/istio/common/chart/templates/peer-authentication.yaml b/src/istio/common/chart/templates/peer-authentication.yaml index 7ad45cb28..827d11bde 100644 --- a/src/istio/common/chart/templates/peer-authentication.yaml +++ b/src/istio/common/chart/templates/peer-authentication.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + --- # Source: istio/templates/bigbang/peerAuthentication.yaml apiVersion: security.istio.io/v1beta1 diff --git a/src/istio/common/chart/templates/pepr-istio-config.yaml b/src/istio/common/chart/templates/pepr-istio-config.yaml index 2c1b30b26..cd6d0ae3d 100644 --- a/src/istio/common/chart/templates/pepr-istio-config.yaml +++ b/src/istio/common/chart/templates/pepr-istio-config.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + # Have to pre-create the namespace and also patch it with the istio-injection label later because # Helm is kind of dumb: https://github.com/helm/helm/issues/350 kind: Namespace diff --git a/src/istio/common/zarf.yaml b/src/istio/common/zarf.yaml index 0107b58ad..9de933358 100644 --- a/src/istio/common/zarf.yaml +++ b/src/istio/common/zarf.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + kind: ZarfPackageConfig metadata: name: uds-core-istio-common diff --git a/src/istio/oscal-component.yaml b/src/istio/oscal-component.yaml index 0274deae6..6829f34b9 100644 --- a/src/istio/oscal-component.yaml +++ b/src/istio/oscal-component.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + component-definition: back-matter: resources: diff --git a/src/istio/tasks.yaml b/src/istio/tasks.yaml index be488a6dd..2ccadee58 100644 --- a/src/istio/tasks.yaml +++ b/src/istio/tasks.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + tasks: - name: validate actions: diff --git a/src/istio/values/config-admin.yaml b/src/istio/values/config-admin.yaml index 52ae6835d..ceedf9cd1 100644 --- a/src/istio/values/config-admin.yaml +++ b/src/istio/values/config-admin.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + name: admin domain: "admin.###ZARF_VAR_DOMAIN###" tls: diff --git a/src/istio/values/config-passthrough.yaml b/src/istio/values/config-passthrough.yaml index 417b264de..6c81bac5a 100644 --- a/src/istio/values/config-passthrough.yaml +++ b/src/istio/values/config-passthrough.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + name: passthrough tls: diff --git a/src/istio/values/config-tenant.yaml b/src/istio/values/config-tenant.yaml index 757574754..8d6a4e96b 100644 --- a/src/istio/values/config-tenant.yaml +++ b/src/istio/values/config-tenant.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + name: tenant tls: servers: diff --git a/src/istio/values/registry1-values.yaml b/src/istio/values/registry1-values.yaml index 7023bd3da..17f229fea 100644 --- a/src/istio/values/registry1-values.yaml +++ b/src/istio/values/registry1-values.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + pilot: image: registry1.dso.mil/ironbank/tetrate/istio/pilot:1.23.2-tetratefips-v0 global: diff --git a/src/istio/values/unicorn-values.yaml b/src/istio/values/unicorn-values.yaml index 579552919..4d112b8c3 100644 --- a/src/istio/values/unicorn-values.yaml +++ b/src/istio/values/unicorn-values.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + pilot: image: "cgr.dev/du-uds-defenseunicorns/istio-pilot-fips:1.23.2" global: diff --git a/src/istio/values/upstream-values.yaml b/src/istio/values/upstream-values.yaml index 5879947bb..800d39f62 100644 --- a/src/istio/values/upstream-values.yaml +++ b/src/istio/values/upstream-values.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + pilot: image: "docker.io/istio/pilot:1.23.2-distroless" global: diff --git a/src/istio/values/values.yaml b/src/istio/values/values.yaml index add71c7da..0e06a2f26 100644 --- a/src/istio/values/values.yaml +++ b/src/istio/values/values.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + meshConfig: accessLogFile: /dev/stdout pathNormalization: diff --git a/src/istio/zarf.yaml b/src/istio/zarf.yaml index 9526869a8..21bae304e 100644 --- a/src/istio/zarf.yaml +++ b/src/istio/zarf.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + kind: ZarfPackageConfig metadata: name: uds-core-istio diff --git a/src/keycloak/chart/Chart.yaml b/src/keycloak/chart/Chart.yaml index 2cd05d258..040ddcd78 100644 --- a/src/keycloak/chart/Chart.yaml +++ b/src/keycloak/chart/Chart.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + apiVersion: v2 name: keycloak # renovate: datasource=docker depName=quay.io/keycloak/keycloak versioning=semver diff --git a/src/keycloak/chart/templates/destination-rule.yaml b/src/keycloak/chart/templates/destination-rule.yaml index 921096c98..10b57d2d0 100644 --- a/src/keycloak/chart/templates/destination-rule.yaml +++ b/src/keycloak/chart/templates/destination-rule.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + {{- if not .Values.devMode }} apiVersion: networking.istio.io/v1alpha3 kind: DestinationRule diff --git a/src/keycloak/chart/templates/hpa.yaml b/src/keycloak/chart/templates/hpa.yaml index bcca27c5f..17a8b7c4a 100644 --- a/src/keycloak/chart/templates/hpa.yaml +++ b/src/keycloak/chart/templates/hpa.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + {{- if .Values.autoscaling.enabled }} apiVersion: autoscaling/v2 kind: HorizontalPodAutoscaler diff --git a/src/keycloak/chart/templates/istio-admin.yaml b/src/keycloak/chart/templates/istio-admin.yaml index bc2646510..612e53d68 100644 --- a/src/keycloak/chart/templates/istio-admin.yaml +++ b/src/keycloak/chart/templates/istio-admin.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + {{- if .Capabilities.APIVersions.Has "security.istio.io/v1beta1" }} apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy diff --git a/src/keycloak/chart/templates/istio-peer-auth.yaml b/src/keycloak/chart/templates/istio-peer-auth.yaml index 5e4253ea7..7d8602eb3 100644 --- a/src/keycloak/chart/templates/istio-peer-auth.yaml +++ b/src/keycloak/chart/templates/istio-peer-auth.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + {{- if .Capabilities.APIVersions.Has "security.istio.io/v1beta1" }} apiVersion: security.istio.io/v1beta1 kind: PeerAuthentication diff --git a/src/keycloak/chart/templates/poddisruptionbudget.yaml b/src/keycloak/chart/templates/poddisruptionbudget.yaml index ef45bcc00..0d91b54d1 100644 --- a/src/keycloak/chart/templates/poddisruptionbudget.yaml +++ b/src/keycloak/chart/templates/poddisruptionbudget.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + {{- if .Values.podDisruptionBudget -}} apiVersion: policy/v1 kind: PodDisruptionBudget diff --git a/src/keycloak/chart/templates/prometheusrule.yaml b/src/keycloak/chart/templates/prometheusrule.yaml index f453bc49e..26ef5bd9e 100644 --- a/src/keycloak/chart/templates/prometheusrule.yaml +++ b/src/keycloak/chart/templates/prometheusrule.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + {{- with .Values.prometheusRule -}} {{- if .enabled }} apiVersion: monitoring.coreos.com/v1 diff --git a/src/keycloak/chart/templates/pvc.yaml b/src/keycloak/chart/templates/pvc.yaml index 1e25955ff..bba13f93d 100644 --- a/src/keycloak/chart/templates/pvc.yaml +++ b/src/keycloak/chart/templates/pvc.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + {{- if .Values.persistence.providers.enabled }} kind: PersistentVolumeClaim apiVersion: v1 diff --git a/src/keycloak/chart/templates/secret-admin-password.yaml b/src/keycloak/chart/templates/secret-admin-password.yaml index 459a845dc..16ba00026 100644 --- a/src/keycloak/chart/templates/secret-admin-password.yaml +++ b/src/keycloak/chart/templates/secret-admin-password.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + {{- if .Values.insecureAdminPasswordGeneration.enabled }} {{- $kcPass := (randAlphaNum 32) | b64enc | quote }} {{- $kcUser := .Values.insecureAdminPasswordGeneration.username | b64enc | quote }} diff --git a/src/keycloak/chart/templates/secret-kc-realm.yaml b/src/keycloak/chart/templates/secret-kc-realm.yaml index 5e4e2ada9..a41db2617 100644 --- a/src/keycloak/chart/templates/secret-kc-realm.yaml +++ b/src/keycloak/chart/templates/secret-kc-realm.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + apiVersion: v1 kind: Secret metadata: diff --git a/src/keycloak/chart/templates/secret-postgresql.yaml b/src/keycloak/chart/templates/secret-postgresql.yaml index 0683ad960..6fc0905e0 100644 --- a/src/keycloak/chart/templates/secret-postgresql.yaml +++ b/src/keycloak/chart/templates/secret-postgresql.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + {{- if eq (include "keycloak.postgresql.config" .) "true" }} apiVersion: v1 kind: Secret diff --git a/src/keycloak/chart/templates/service-headless.yaml b/src/keycloak/chart/templates/service-headless.yaml index d5c26692a..c85e78914 100644 --- a/src/keycloak/chart/templates/service-headless.yaml +++ b/src/keycloak/chart/templates/service-headless.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + apiVersion: v1 kind: Service metadata: diff --git a/src/keycloak/chart/templates/service-http.yaml b/src/keycloak/chart/templates/service-http.yaml index eb4aee327..6dd7ab485 100644 --- a/src/keycloak/chart/templates/service-http.yaml +++ b/src/keycloak/chart/templates/service-http.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + apiVersion: v1 kind: Service metadata: diff --git a/src/keycloak/chart/templates/servicemonitor.yaml b/src/keycloak/chart/templates/servicemonitor.yaml index a6b675f29..835284e8d 100644 --- a/src/keycloak/chart/templates/servicemonitor.yaml +++ b/src/keycloak/chart/templates/servicemonitor.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + {{- range $key, $serviceMonitor := dict "metrics" .Values.serviceMonitor "extra" .Values.extraServiceMonitor }} {{- with $serviceMonitor }} {{- if .enabled }} diff --git a/src/keycloak/chart/templates/statefulset.yaml b/src/keycloak/chart/templates/statefulset.yaml index 918f3d5d1..ed23facc4 100644 --- a/src/keycloak/chart/templates/statefulset.yaml +++ b/src/keycloak/chart/templates/statefulset.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + apiVersion: apps/v1 kind: StatefulSet metadata: diff --git a/src/keycloak/chart/templates/uds-package.yaml b/src/keycloak/chart/templates/uds-package.yaml index 63a907a38..42bb8a9f5 100644 --- a/src/keycloak/chart/templates/uds-package.yaml +++ b/src/keycloak/chart/templates/uds-package.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + apiVersion: uds.dev/v1alpha1 kind: Package metadata: diff --git a/src/keycloak/chart/values.yaml b/src/keycloak/chart/values.yaml index c0c86e264..bd1020069 100644 --- a/src/keycloak/chart/values.yaml +++ b/src/keycloak/chart/values.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + image: # The Keycloak image repository repository: quay.io/keycloak/keycloak diff --git a/src/keycloak/common/zarf.yaml b/src/keycloak/common/zarf.yaml index b41d24fad..ce63c125a 100644 --- a/src/keycloak/common/zarf.yaml +++ b/src/keycloak/common/zarf.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + kind: ZarfPackageConfig metadata: name: uds-core-keycloak-common diff --git a/src/keycloak/tasks.yaml b/src/keycloak/tasks.yaml index 5148c258c..8937fa0a4 100644 --- a/src/keycloak/tasks.yaml +++ b/src/keycloak/tasks.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + includes: - config: https://raw.githubusercontent.com/defenseunicorns/uds-identity-config/v0.6.3/tasks.yaml diff --git a/src/keycloak/values/registry1-values.yaml b/src/keycloak/values/registry1-values.yaml index d675e7330..635584579 100644 --- a/src/keycloak/values/registry1-values.yaml +++ b/src/keycloak/values/registry1-values.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + image: repository: registry1.dso.mil/ironbank/opensource/keycloak/keycloak tag: "25.0.6" diff --git a/src/keycloak/values/unicorn-values.yaml b/src/keycloak/values/unicorn-values.yaml index 7c30a4c4d..32a44252e 100644 --- a/src/keycloak/values/unicorn-values.yaml +++ b/src/keycloak/values/unicorn-values.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + podSecurityContext: fsGroup: 65532 image: diff --git a/src/keycloak/values/upstream-values.yaml b/src/keycloak/values/upstream-values.yaml index e3d47c670..c856c052f 100644 --- a/src/keycloak/values/upstream-values.yaml +++ b/src/keycloak/values/upstream-values.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + podSecurityContext: fsGroup: 1000 image: diff --git a/src/keycloak/zarf.yaml b/src/keycloak/zarf.yaml index b581bd17e..037a18fa9 100644 --- a/src/keycloak/zarf.yaml +++ b/src/keycloak/zarf.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + kind: ZarfPackageConfig metadata: name: uds-core-keycloak diff --git a/src/kiali/tasks.yaml b/src/kiali/tasks.yaml index 47f789e05..31f664e75 100644 --- a/src/kiali/tasks.yaml +++ b/src/kiali/tasks.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + tasks: - name: validate actions: diff --git a/src/kiali/zarf.yaml b/src/kiali/zarf.yaml index d6407ca3b..a2b3b0d8b 100644 --- a/src/kiali/zarf.yaml +++ b/src/kiali/zarf.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + kind: ZarfPackageConfig metadata: name: uds-core-kiali diff --git a/src/loki/chart/Chart.yaml b/src/loki/chart/Chart.yaml index efc96755d..7bacb6262 100644 --- a/src/loki/chart/Chart.yaml +++ b/src/loki/chart/Chart.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + apiVersion: v2 name: uds-loki-config description: Loki configuration for UDS diff --git a/src/loki/chart/templates/loki-dashboards.yaml b/src/loki/chart/templates/loki-dashboards.yaml index 1a44b0a43..92cc07c13 100644 --- a/src/loki/chart/templates/loki-dashboards.yaml +++ b/src/loki/chart/templates/loki-dashboards.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + apiVersion: v1 kind: ConfigMap metadata: diff --git a/src/loki/chart/templates/peerauthentication/loki-simple-scalable.yaml b/src/loki/chart/templates/peerauthentication/loki-simple-scalable.yaml index c5982ebda..12ac3e56b 100644 --- a/src/loki/chart/templates/peerauthentication/loki-simple-scalable.yaml +++ b/src/loki/chart/templates/peerauthentication/loki-simple-scalable.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + {{- if .Capabilities.APIVersions.Has "security.istio.io/v1beta1" }} apiVersion: "security.istio.io/v1beta1" kind: PeerAuthentication diff --git a/src/loki/chart/templates/service-dns.yaml b/src/loki/chart/templates/service-dns.yaml index e47899494..04c0a61e8 100644 --- a/src/loki/chart/templates/service-dns.yaml +++ b/src/loki/chart/templates/service-dns.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + --- apiVersion: v1 kind: Service diff --git a/src/loki/chart/templates/uds-package.yaml b/src/loki/chart/templates/uds-package.yaml index 2bd9f6c75..80b87d8eb 100644 --- a/src/loki/chart/templates/uds-package.yaml +++ b/src/loki/chart/templates/uds-package.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + apiVersion: uds.dev/v1alpha1 kind: Package metadata: diff --git a/src/loki/chart/values.yaml b/src/loki/chart/values.yaml index a30fe4c3d..5ec83f081 100644 --- a/src/loki/chart/values.yaml +++ b/src/loki/chart/values.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + storage: internal: enabled: false diff --git a/src/loki/common/zarf.yaml b/src/loki/common/zarf.yaml index 92d3307ec..66c05553b 100644 --- a/src/loki/common/zarf.yaml +++ b/src/loki/common/zarf.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + kind: ZarfPackageConfig metadata: name: uds-core-loki-common diff --git a/src/loki/oscal-component.yaml b/src/loki/oscal-component.yaml index 4b8faf4cc..303ade21f 100644 --- a/src/loki/oscal-component.yaml +++ b/src/loki/oscal-component.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + component-definition: uuid: aaa97ff3-41f7-4f11-b74a-0cf0de527e6e metadata: diff --git a/src/loki/tasks.yaml b/src/loki/tasks.yaml index 57ff93f94..41b1eda6b 100644 --- a/src/loki/tasks.yaml +++ b/src/loki/tasks.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + tasks: - name: validate actions: diff --git a/src/loki/values/registry1-values.yaml b/src/loki/values/registry1-values.yaml index be83c068d..3618cadbd 100644 --- a/src/loki/values/registry1-values.yaml +++ b/src/loki/values/registry1-values.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + loki: image: registry: registry1.dso.mil diff --git a/src/loki/values/unicorn-values.yaml b/src/loki/values/unicorn-values.yaml index 74d73473d..177cbe1be 100644 --- a/src/loki/values/unicorn-values.yaml +++ b/src/loki/values/unicorn-values.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + loki: image: registry: cgr.dev diff --git a/src/loki/values/upstream-values.yaml b/src/loki/values/upstream-values.yaml index 8f56988d9..5fbfbdd13 100644 --- a/src/loki/values/upstream-values.yaml +++ b/src/loki/values/upstream-values.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + loki: image: registry: docker.io diff --git a/src/loki/values/values.yaml b/src/loki/values/values.yaml index 2642e03c2..243286566 100644 --- a/src/loki/values/values.yaml +++ b/src/loki/values/values.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + # Sets the global DNS service to the service created in this chart global: dnsService: "uds-loki-dns" diff --git a/src/loki/zarf.yaml b/src/loki/zarf.yaml index 2111e27ed..25f938b86 100644 --- a/src/loki/zarf.yaml +++ b/src/loki/zarf.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + kind: ZarfPackageConfig metadata: name: uds-core-loki diff --git a/src/metrics-server/chart/Chart.yaml b/src/metrics-server/chart/Chart.yaml index 7eabaa4dc..81339062a 100644 --- a/src/metrics-server/chart/Chart.yaml +++ b/src/metrics-server/chart/Chart.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + apiVersion: v2 name: uds-metrics-server-config description: Metrics Server configuration for UDS diff --git a/src/metrics-server/chart/templates/peerauthentication/metrics-api.yaml b/src/metrics-server/chart/templates/peerauthentication/metrics-api.yaml index f236be49f..24e4ef61c 100644 --- a/src/metrics-server/chart/templates/peerauthentication/metrics-api.yaml +++ b/src/metrics-server/chart/templates/peerauthentication/metrics-api.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + {{- if .Capabilities.APIVersions.Has "security.istio.io/v1beta1" }} apiVersion: security.istio.io/v1beta1 kind: PeerAuthentication diff --git a/src/metrics-server/chart/templates/service-monitor.yaml b/src/metrics-server/chart/templates/service-monitor.yaml index a9bb8be24..e636bcf66 100644 --- a/src/metrics-server/chart/templates/service-monitor.yaml +++ b/src/metrics-server/chart/templates/service-monitor.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + {{- if .Capabilities.APIVersions.Has "monitoring.coreos.com/v1" }} # The serviceMonitor for metrics-server is unique due to permissive mTLS on its port, so it is created outside of the Package spec apiVersion: monitoring.coreos.com/v1 diff --git a/src/metrics-server/chart/templates/uds-package.yaml b/src/metrics-server/chart/templates/uds-package.yaml index 9f635bfc5..dfe607dab 100644 --- a/src/metrics-server/chart/templates/uds-package.yaml +++ b/src/metrics-server/chart/templates/uds-package.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + apiVersion: uds.dev/v1alpha1 kind: Package metadata: diff --git a/src/metrics-server/chart/values.yaml b/src/metrics-server/chart/values.yaml index e69de29bb..2067cc53d 100644 --- a/src/metrics-server/chart/values.yaml +++ b/src/metrics-server/chart/values.yaml @@ -0,0 +1,2 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial diff --git a/src/metrics-server/common/zarf.yaml b/src/metrics-server/common/zarf.yaml index 0e915fd01..8eaeab1c2 100644 --- a/src/metrics-server/common/zarf.yaml +++ b/src/metrics-server/common/zarf.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + kind: ZarfPackageConfig metadata: name: uds-core-metrics-server-common diff --git a/src/metrics-server/tasks.yaml b/src/metrics-server/tasks.yaml index db757ab72..c6bd4ef0f 100644 --- a/src/metrics-server/tasks.yaml +++ b/src/metrics-server/tasks.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + tasks: - name: validate actions: diff --git a/src/metrics-server/values/registry1-values.yaml b/src/metrics-server/values/registry1-values.yaml index 66fd0e1a7..38f843e47 100644 --- a/src/metrics-server/values/registry1-values.yaml +++ b/src/metrics-server/values/registry1-values.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + image: repository: registry1.dso.mil/ironbank/opensource/kubernetes-sigs/metrics-server tag: "v0.7.2" diff --git a/src/metrics-server/values/unicorn-values.yaml b/src/metrics-server/values/unicorn-values.yaml index 0e968ee98..46a3e4be3 100644 --- a/src/metrics-server/values/unicorn-values.yaml +++ b/src/metrics-server/values/unicorn-values.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + image: repository: cgr.dev/du-uds-defenseunicorns/metrics-server-fips tag: "0.7.2" diff --git a/src/metrics-server/values/upstream-values.yaml b/src/metrics-server/values/upstream-values.yaml index 355942584..874d66b9f 100644 --- a/src/metrics-server/values/upstream-values.yaml +++ b/src/metrics-server/values/upstream-values.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + image: repository: registry.k8s.io/metrics-server/metrics-server tag: "v0.7.2" diff --git a/src/metrics-server/values/values.yaml b/src/metrics-server/values/values.yaml index 3ceda9355..e7152fcac 100644 --- a/src/metrics-server/values/values.yaml +++ b/src/metrics-server/values/values.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + readinessProbe: httpGet: path: /readyz diff --git a/src/metrics-server/zarf.yaml b/src/metrics-server/zarf.yaml index 24422a1da..d91819c6b 100644 --- a/src/metrics-server/zarf.yaml +++ b/src/metrics-server/zarf.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + kind: ZarfPackageConfig metadata: name: uds-core-metrics-server diff --git a/src/neuvector/chart/Chart.yaml b/src/neuvector/chart/Chart.yaml index 19f0816bf..34ce1f650 100644 --- a/src/neuvector/chart/Chart.yaml +++ b/src/neuvector/chart/Chart.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + apiVersion: v2 name: uds-neuvector-config description: Neuvector configuration for UDS diff --git a/src/neuvector/chart/templates/internal-cert.yaml b/src/neuvector/chart/templates/internal-cert.yaml index e961bd702..b00d4a5c0 100644 --- a/src/neuvector/chart/templates/internal-cert.yaml +++ b/src/neuvector/chart/templates/internal-cert.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + {{- if .Values.generateInternalCert -}} {{- $cn := "neuvector" }} {{- $ca := genCA "neuvector" 3650 -}} diff --git a/src/neuvector/chart/templates/istio/headless-controller-service.yaml b/src/neuvector/chart/templates/istio/headless-controller-service.yaml index 788f20a22..f4d5211df 100644 --- a/src/neuvector/chart/templates/istio/headless-controller-service.yaml +++ b/src/neuvector/chart/templates/istio/headless-controller-service.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + apiVersion: v1 kind: Service metadata: diff --git a/src/neuvector/chart/templates/istio/headless-enforcer-service.yaml b/src/neuvector/chart/templates/istio/headless-enforcer-service.yaml index 1dcf85374..487f6c448 100644 --- a/src/neuvector/chart/templates/istio/headless-enforcer-service.yaml +++ b/src/neuvector/chart/templates/istio/headless-enforcer-service.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + apiVersion: v1 kind: Service diff --git a/src/neuvector/chart/templates/istio/headless-scanner-service.yaml b/src/neuvector/chart/templates/istio/headless-scanner-service.yaml index d82fc20ad..26ad3043e 100644 --- a/src/neuvector/chart/templates/istio/headless-scanner-service.yaml +++ b/src/neuvector/chart/templates/istio/headless-scanner-service.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + apiVersion: v1 kind: Service metadata: diff --git a/src/neuvector/chart/templates/neuvector-dashboard.yaml b/src/neuvector/chart/templates/neuvector-dashboard.yaml index 7279de678..80f839248 100644 --- a/src/neuvector/chart/templates/neuvector-dashboard.yaml +++ b/src/neuvector/chart/templates/neuvector-dashboard.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + {{- if .Values.grafana.enabled -}} apiVersion: v1 kind: ConfigMap diff --git a/src/neuvector/chart/templates/peerauthentication/neuvector-controller-pa.yaml b/src/neuvector/chart/templates/peerauthentication/neuvector-controller-pa.yaml index 77365b1f5..90d91096d 100644 --- a/src/neuvector/chart/templates/peerauthentication/neuvector-controller-pa.yaml +++ b/src/neuvector/chart/templates/peerauthentication/neuvector-controller-pa.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + {{- if .Capabilities.APIVersions.Has "security.istio.io/v1beta1" }} apiVersion: "security.istio.io/v1beta1" kind: PeerAuthentication diff --git a/src/neuvector/chart/templates/uds-exemption.yaml b/src/neuvector/chart/templates/uds-exemption.yaml index bb3fb9dc1..7be8143bf 100644 --- a/src/neuvector/chart/templates/uds-exemption.yaml +++ b/src/neuvector/chart/templates/uds-exemption.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + apiVersion: uds.dev/v1alpha1 kind: Exemption metadata: diff --git a/src/neuvector/chart/templates/uds-package.yaml b/src/neuvector/chart/templates/uds-package.yaml index 579a1b84a..0644dd4f9 100644 --- a/src/neuvector/chart/templates/uds-package.yaml +++ b/src/neuvector/chart/templates/uds-package.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + apiVersion: uds.dev/v1alpha1 kind: Package metadata: diff --git a/src/neuvector/chart/values.yaml b/src/neuvector/chart/values.yaml index 5372381e2..9c16875a1 100644 --- a/src/neuvector/chart/values.yaml +++ b/src/neuvector/chart/values.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + domain: "###ZARF_VAR_DOMAIN###" grafana: diff --git a/src/neuvector/common/zarf.yaml b/src/neuvector/common/zarf.yaml index 21f24dd66..730e0310f 100644 --- a/src/neuvector/common/zarf.yaml +++ b/src/neuvector/common/zarf.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + kind: ZarfPackageConfig metadata: name: uds-core-neuvector-common diff --git a/src/neuvector/oscal-component.yaml b/src/neuvector/oscal-component.yaml index 2b0933525..9d9e271fc 100644 --- a/src/neuvector/oscal-component.yaml +++ b/src/neuvector/oscal-component.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + component-definition: uuid: 80bc0932-82d9-4144-8e7c-dec0f79e04fc metadata: diff --git a/src/neuvector/tasks.yaml b/src/neuvector/tasks.yaml index 30f138425..b5c1ad696 100644 --- a/src/neuvector/tasks.yaml +++ b/src/neuvector/tasks.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + tasks: - name: validate actions: diff --git a/src/neuvector/values/monitor-values.yaml b/src/neuvector/values/monitor-values.yaml index 6a3bc60f5..7f2e21aad 100644 --- a/src/neuvector/values/monitor-values.yaml +++ b/src/neuvector/values/monitor-values.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + leastPrivilege: true exporter: diff --git a/src/neuvector/values/registry1-values.yaml b/src/neuvector/values/registry1-values.yaml index b2e7b9ad5..436d488d7 100644 --- a/src/neuvector/values/registry1-values.yaml +++ b/src/neuvector/values/registry1-values.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + registry: registry1.dso.mil # renovate: datasource=docker depName=registry1.dso.mil/ironbank/neuvector/neuvector/controller versioning=docker tag: "5.3.4" diff --git a/src/neuvector/values/unicorn-config-values.yaml b/src/neuvector/values/unicorn-config-values.yaml index 94c7fa024..284d3107c 100644 --- a/src/neuvector/values/unicorn-config-values.yaml +++ b/src/neuvector/values/unicorn-config-values.yaml @@ -1,2 +1,4 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + generateInternalCert: true diff --git a/src/neuvector/values/unicorn-values.yaml b/src/neuvector/values/unicorn-values.yaml index 7083a3cac..f34c5c87a 100644 --- a/src/neuvector/values/unicorn-values.yaml +++ b/src/neuvector/values/unicorn-values.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + # Generate certs missing from unicorn images autoGenerateCert: true diff --git a/src/neuvector/values/upstream-values.yaml b/src/neuvector/values/upstream-values.yaml index 78af6885a..0391ab7a2 100644 --- a/src/neuvector/values/upstream-values.yaml +++ b/src/neuvector/values/upstream-values.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + registry: docker.io # renovate: datasource=docker depName=docker.io/neuvector/controller versioning=docker tag: "5.3.4" diff --git a/src/neuvector/values/values.yaml b/src/neuvector/values/values.yaml index ee5961322..a11c8d823 100644 --- a/src/neuvector/values/values.yaml +++ b/src/neuvector/values/values.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + leastPrivilege: true autoGenerateCert: false rbac: true diff --git a/src/neuvector/zarf.yaml b/src/neuvector/zarf.yaml index e97dac379..2bb8ccc13 100644 --- a/src/neuvector/zarf.yaml +++ b/src/neuvector/zarf.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + kind: ZarfPackageConfig metadata: name: uds-core-neuvector diff --git a/src/pepr/config.ts b/src/pepr/config.ts index d045ea22a..2b1198405 100644 --- a/src/pepr/config.ts +++ b/src/pepr/config.ts @@ -1,4 +1,8 @@ -// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { Component, setupLogger } from "./logger"; let domain = process.env.UDS_DOMAIN; diff --git a/src/pepr/istio/index.ts b/src/pepr/istio/index.ts index addc13665..3a105b99f 100644 --- a/src/pepr/istio/index.ts +++ b/src/pepr/istio/index.ts @@ -1,4 +1,8 @@ -// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { Exec, KubeConfig } from "@kubernetes/client-node"; import { Capability, a } from "pepr"; import { Component, setupLogger } from "../logger"; diff --git a/src/pepr/logger.ts b/src/pepr/logger.ts index 42536cd0d..b79ca76a5 100644 --- a/src/pepr/logger.ts +++ b/src/pepr/logger.ts @@ -1,4 +1,7 @@ -// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ import { Log } from "pepr"; diff --git a/src/pepr/operator/common.ts b/src/pepr/operator/common.ts index 51f963e12..713363d0f 100644 --- a/src/pepr/operator/common.ts +++ b/src/pepr/operator/common.ts @@ -1,4 +1,8 @@ -// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { Capability } from "pepr"; export const operator = new Capability({ diff --git a/src/pepr/operator/controllers/exemptions/exemption-store.spec.ts b/src/pepr/operator/controllers/exemptions/exemption-store.spec.ts index a805b1911..94ccb5db3 100644 --- a/src/pepr/operator/controllers/exemptions/exemption-store.spec.ts +++ b/src/pepr/operator/controllers/exemptions/exemption-store.spec.ts @@ -1,4 +1,8 @@ -// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { beforeEach, describe, expect, it } from "@jest/globals"; import { Matcher, MatcherKind, Policy } from "../../crd"; import { ExemptionStore } from "./exemption-store"; diff --git a/src/pepr/operator/controllers/exemptions/exemption-store.ts b/src/pepr/operator/controllers/exemptions/exemption-store.ts index 095626ebe..f32dcefac 100644 --- a/src/pepr/operator/controllers/exemptions/exemption-store.ts +++ b/src/pepr/operator/controllers/exemptions/exemption-store.ts @@ -1,4 +1,8 @@ -// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { Component, setupLogger } from "../../../logger"; import { StoredMatcher } from "../../../policies"; import { Matcher, Policy, UDSExemption } from "../../crd"; diff --git a/src/pepr/operator/controllers/exemptions/exemptions.spec.ts b/src/pepr/operator/controllers/exemptions/exemptions.spec.ts index b90ee1b9a..92556b78a 100644 --- a/src/pepr/operator/controllers/exemptions/exemptions.spec.ts +++ b/src/pepr/operator/controllers/exemptions/exemptions.spec.ts @@ -1,4 +1,8 @@ -// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { beforeEach, describe, expect, it } from "@jest/globals"; import { WatchPhase } from "kubernetes-fluent-client/dist/fluent/types"; import { MatcherKind, Policy } from "../../crd"; diff --git a/src/pepr/operator/controllers/exemptions/exemptions.ts b/src/pepr/operator/controllers/exemptions/exemptions.ts index 93b68ac20..88d2e9d2a 100644 --- a/src/pepr/operator/controllers/exemptions/exemptions.ts +++ b/src/pepr/operator/controllers/exemptions/exemptions.ts @@ -1,4 +1,8 @@ -// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { WatchPhase } from "kubernetes-fluent-client/dist/fluent/types"; import { UDSExemption } from "../../crd"; import { ExemptionStore } from "./exemption-store"; diff --git a/src/pepr/operator/controllers/istio/injection.ts b/src/pepr/operator/controllers/istio/injection.ts index 61da94d57..4ee2971ce 100644 --- a/src/pepr/operator/controllers/istio/injection.ts +++ b/src/pepr/operator/controllers/istio/injection.ts @@ -1,4 +1,8 @@ -// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { K8s, kind } from "pepr"; import { Component, setupLogger } from "../../../logger"; diff --git a/src/pepr/operator/controllers/istio/istio-resources.ts b/src/pepr/operator/controllers/istio/istio-resources.ts index da4974b54..6cb7c4b2b 100644 --- a/src/pepr/operator/controllers/istio/istio-resources.ts +++ b/src/pepr/operator/controllers/istio/istio-resources.ts @@ -1,4 +1,8 @@ -// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { K8s } from "pepr"; import { Component, setupLogger } from "../../../logger"; diff --git a/src/pepr/operator/controllers/istio/service-entry.spec.ts b/src/pepr/operator/controllers/istio/service-entry.spec.ts index 64f82a21b..f9724a9de 100644 --- a/src/pepr/operator/controllers/istio/service-entry.spec.ts +++ b/src/pepr/operator/controllers/istio/service-entry.spec.ts @@ -1,8 +1,12 @@ -// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { describe, expect, it } from "@jest/globals"; import { UDSConfig } from "../../../config"; -import { generateServiceEntry } from "./service-entry"; import { Expose, Gateway, IstioLocation, IstioResolution } from "../../crd"; +import { generateServiceEntry } from "./service-entry"; describe("test generate service entry", () => { const ownerRefs = [ diff --git a/src/pepr/operator/controllers/istio/service-entry.ts b/src/pepr/operator/controllers/istio/service-entry.ts index 28d256a1f..0e049913e 100644 --- a/src/pepr/operator/controllers/istio/service-entry.ts +++ b/src/pepr/operator/controllers/istio/service-entry.ts @@ -1,14 +1,18 @@ -// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial -import { UDSConfig } from "../../../config"; +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { V1OwnerReference } from "@kubernetes/client-node"; +import { UDSConfig } from "../../../config"; import { Expose, Gateway, - IstioServiceEntry, + IstioEndpoint, IstioLocation, - IstioResolution, IstioPort, - IstioEndpoint, + IstioResolution, + IstioServiceEntry, } from "../../crd"; import { sanitizeResourceName } from "../utils"; diff --git a/src/pepr/operator/controllers/istio/virtual-service.spec.ts b/src/pepr/operator/controllers/istio/virtual-service.spec.ts index 1c5fc23d7..9d92a5f6f 100644 --- a/src/pepr/operator/controllers/istio/virtual-service.spec.ts +++ b/src/pepr/operator/controllers/istio/virtual-service.spec.ts @@ -1,4 +1,8 @@ -// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { describe, expect, it } from "@jest/globals"; import { UDSConfig } from "../../../config"; import { Expose, Gateway } from "../../crd"; diff --git a/src/pepr/operator/controllers/istio/virtual-service.ts b/src/pepr/operator/controllers/istio/virtual-service.ts index f7b7647e2..c5ecc28d1 100644 --- a/src/pepr/operator/controllers/istio/virtual-service.ts +++ b/src/pepr/operator/controllers/istio/virtual-service.ts @@ -1,4 +1,8 @@ -// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { V1OwnerReference } from "@kubernetes/client-node"; import { UDSConfig } from "../../../config"; import { Expose, Gateway, IstioHTTP, IstioHTTPRoute, IstioVirtualService } from "../../crd"; diff --git a/src/pepr/operator/controllers/keycloak/authservice/authorization-policy.ts b/src/pepr/operator/controllers/keycloak/authservice/authorization-policy.ts index 6fca2f602..f818482c4 100644 --- a/src/pepr/operator/controllers/keycloak/authservice/authorization-policy.ts +++ b/src/pepr/operator/controllers/keycloak/authservice/authorization-policy.ts @@ -1,4 +1,8 @@ -// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { K8s } from "pepr"; import { UDSConfig } from "../../../../config"; import { diff --git a/src/pepr/operator/controllers/keycloak/authservice/authservice.spec.ts b/src/pepr/operator/controllers/keycloak/authservice/authservice.spec.ts index 3d0a8819a..0ed1ca897 100644 --- a/src/pepr/operator/controllers/keycloak/authservice/authservice.spec.ts +++ b/src/pepr/operator/controllers/keycloak/authservice/authservice.spec.ts @@ -1,4 +1,8 @@ -// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { beforeEach, describe, expect, jest, test } from "@jest/globals"; import { UDSPackage } from "../../../crd"; import { Client } from "../types"; diff --git a/src/pepr/operator/controllers/keycloak/authservice/authservice.ts b/src/pepr/operator/controllers/keycloak/authservice/authservice.ts index 3676fce91..69dc30628 100644 --- a/src/pepr/operator/controllers/keycloak/authservice/authservice.ts +++ b/src/pepr/operator/controllers/keycloak/authservice/authservice.ts @@ -1,4 +1,8 @@ -// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { R } from "pepr"; import { UDSConfig } from "../../../../config"; import { Component, setupLogger } from "../../../../logger"; diff --git a/src/pepr/operator/controllers/keycloak/authservice/config.ts b/src/pepr/operator/controllers/keycloak/authservice/config.ts index 2512ca815..859885c5b 100644 --- a/src/pepr/operator/controllers/keycloak/authservice/config.ts +++ b/src/pepr/operator/controllers/keycloak/authservice/config.ts @@ -1,4 +1,8 @@ -// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { createHash } from "crypto"; import { K8s, kind } from "pepr"; diff --git a/src/pepr/operator/controllers/keycloak/authservice/types.ts b/src/pepr/operator/controllers/keycloak/authservice/types.ts index ededc02c8..0b6eb3554 100644 --- a/src/pepr/operator/controllers/keycloak/authservice/types.ts +++ b/src/pepr/operator/controllers/keycloak/authservice/types.ts @@ -1,4 +1,8 @@ -// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { Client } from "../types"; export enum Action { diff --git a/src/pepr/operator/controllers/keycloak/client-sync.spec.ts b/src/pepr/operator/controllers/keycloak/client-sync.spec.ts index 3637f24aa..1f4892f20 100644 --- a/src/pepr/operator/controllers/keycloak/client-sync.spec.ts +++ b/src/pepr/operator/controllers/keycloak/client-sync.spec.ts @@ -1,4 +1,8 @@ -// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { describe, expect, it } from "@jest/globals"; import { Sso } from "../../crd"; import { diff --git a/src/pepr/operator/controllers/keycloak/client-sync.ts b/src/pepr/operator/controllers/keycloak/client-sync.ts index 8ea9b04c9..3ecc9bd28 100644 --- a/src/pepr/operator/controllers/keycloak/client-sync.ts +++ b/src/pepr/operator/controllers/keycloak/client-sync.ts @@ -1,4 +1,8 @@ -// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { fetch, K8s, kind } from "pepr"; import { Component, setupLogger } from "../../../logger"; diff --git a/src/pepr/operator/controllers/keycloak/types.ts b/src/pepr/operator/controllers/keycloak/types.ts index 04243ff00..e9d62d138 100644 --- a/src/pepr/operator/controllers/keycloak/types.ts +++ b/src/pepr/operator/controllers/keycloak/types.ts @@ -1,4 +1,8 @@ -// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { ProtocolMapper } from "../../crd/generated/package-v1alpha1"; export interface Client { diff --git a/src/pepr/operator/controllers/monitoring/common.ts b/src/pepr/operator/controllers/monitoring/common.ts index 5128b628b..be9655421 100644 --- a/src/pepr/operator/controllers/monitoring/common.ts +++ b/src/pepr/operator/controllers/monitoring/common.ts @@ -1,4 +1,8 @@ -// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { Monitor } from "../../crd"; import { sanitizeResourceName } from "../utils"; diff --git a/src/pepr/operator/controllers/monitoring/pod-monitor.spec.ts b/src/pepr/operator/controllers/monitoring/pod-monitor.spec.ts index 58f5c1acb..9fc200af5 100644 --- a/src/pepr/operator/controllers/monitoring/pod-monitor.spec.ts +++ b/src/pepr/operator/controllers/monitoring/pod-monitor.spec.ts @@ -1,4 +1,8 @@ -// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { describe, expect, it } from "@jest/globals"; import { Monitor } from "../../crd"; import { generatePodMonitor } from "./pod-monitor"; diff --git a/src/pepr/operator/controllers/monitoring/pod-monitor.ts b/src/pepr/operator/controllers/monitoring/pod-monitor.ts index 6013819d7..50e5ab756 100644 --- a/src/pepr/operator/controllers/monitoring/pod-monitor.ts +++ b/src/pepr/operator/controllers/monitoring/pod-monitor.ts @@ -1,4 +1,8 @@ -// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { V1OwnerReference } from "@kubernetes/client-node"; import { K8s } from "pepr"; import { Component, setupLogger } from "../../../logger"; diff --git a/src/pepr/operator/controllers/monitoring/service-monitor.spec.ts b/src/pepr/operator/controllers/monitoring/service-monitor.spec.ts index 26512f194..76282a47f 100644 --- a/src/pepr/operator/controllers/monitoring/service-monitor.spec.ts +++ b/src/pepr/operator/controllers/monitoring/service-monitor.spec.ts @@ -1,4 +1,8 @@ -// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { describe, expect, it } from "@jest/globals"; import { Monitor } from "../../crd"; import { generateServiceMonitor } from "./service-monitor"; diff --git a/src/pepr/operator/controllers/monitoring/service-monitor.ts b/src/pepr/operator/controllers/monitoring/service-monitor.ts index 3aa35324f..e582faefc 100644 --- a/src/pepr/operator/controllers/monitoring/service-monitor.ts +++ b/src/pepr/operator/controllers/monitoring/service-monitor.ts @@ -1,4 +1,8 @@ -// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { K8s } from "pepr"; import { V1OwnerReference } from "@kubernetes/client-node"; diff --git a/src/pepr/operator/controllers/network/defaults/allow-egress-dns.ts b/src/pepr/operator/controllers/network/defaults/allow-egress-dns.ts index 9d44d7276..b30c3c77b 100644 --- a/src/pepr/operator/controllers/network/defaults/allow-egress-dns.ts +++ b/src/pepr/operator/controllers/network/defaults/allow-egress-dns.ts @@ -1,4 +1,8 @@ -// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { Direction } from "../../../crd"; import { generate } from "../generate"; diff --git a/src/pepr/operator/controllers/network/defaults/allow-egress-istiod.ts b/src/pepr/operator/controllers/network/defaults/allow-egress-istiod.ts index 80f0eb0a3..17e7411aa 100644 --- a/src/pepr/operator/controllers/network/defaults/allow-egress-istiod.ts +++ b/src/pepr/operator/controllers/network/defaults/allow-egress-istiod.ts @@ -1,4 +1,8 @@ -// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { Direction } from "../../../crd"; import { generate } from "../generate"; diff --git a/src/pepr/operator/controllers/network/defaults/allow-ingress-sidecar-monitoring.ts b/src/pepr/operator/controllers/network/defaults/allow-ingress-sidecar-monitoring.ts index 9bb22cc26..878c27e35 100644 --- a/src/pepr/operator/controllers/network/defaults/allow-ingress-sidecar-monitoring.ts +++ b/src/pepr/operator/controllers/network/defaults/allow-ingress-sidecar-monitoring.ts @@ -1,4 +1,8 @@ -// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { Direction } from "../../../crd"; import { generate } from "../generate"; diff --git a/src/pepr/operator/controllers/network/defaults/default-deny-all.ts b/src/pepr/operator/controllers/network/defaults/default-deny-all.ts index 488dbf62d..84d54d310 100644 --- a/src/pepr/operator/controllers/network/defaults/default-deny-all.ts +++ b/src/pepr/operator/controllers/network/defaults/default-deny-all.ts @@ -1,4 +1,8 @@ -// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { kind } from "pepr"; export function defaultDenyAll(namespace: string): kind.NetworkPolicy { diff --git a/src/pepr/operator/controllers/network/generate.spec.ts b/src/pepr/operator/controllers/network/generate.spec.ts index 0949708a5..495363aa7 100644 --- a/src/pepr/operator/controllers/network/generate.spec.ts +++ b/src/pepr/operator/controllers/network/generate.spec.ts @@ -1,4 +1,8 @@ -// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { describe, expect, it } from "@jest/globals"; import { kind } from "pepr"; import { Direction } from "../../crd"; diff --git a/src/pepr/operator/controllers/network/generate.ts b/src/pepr/operator/controllers/network/generate.ts index 53d0a6280..c46bc0b75 100644 --- a/src/pepr/operator/controllers/network/generate.ts +++ b/src/pepr/operator/controllers/network/generate.ts @@ -1,4 +1,8 @@ -// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { V1NetworkPolicyPeer, V1NetworkPolicyPort } from "@kubernetes/client-node"; import { kind } from "pepr"; diff --git a/src/pepr/operator/controllers/network/generators/anywhere.ts b/src/pepr/operator/controllers/network/generators/anywhere.ts index cb4ce0637..c9db22318 100644 --- a/src/pepr/operator/controllers/network/generators/anywhere.ts +++ b/src/pepr/operator/controllers/network/generators/anywhere.ts @@ -1,4 +1,8 @@ -// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { V1NetworkPolicyPeer } from "@kubernetes/client-node"; import { META_IP } from "./cloudMetadata"; diff --git a/src/pepr/operator/controllers/network/generators/cloudMetadata.ts b/src/pepr/operator/controllers/network/generators/cloudMetadata.ts index 6373f35b3..b3dc4e942 100644 --- a/src/pepr/operator/controllers/network/generators/cloudMetadata.ts +++ b/src/pepr/operator/controllers/network/generators/cloudMetadata.ts @@ -1,4 +1,8 @@ -// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { V1NetworkPolicyPeer } from "@kubernetes/client-node"; export const META_IP = "169.254.169.254/32"; diff --git a/src/pepr/operator/controllers/network/generators/intraNamespace.ts b/src/pepr/operator/controllers/network/generators/intraNamespace.ts index b772c9f30..9ff89a0da 100644 --- a/src/pepr/operator/controllers/network/generators/intraNamespace.ts +++ b/src/pepr/operator/controllers/network/generators/intraNamespace.ts @@ -1,4 +1,8 @@ -// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { V1NetworkPolicyPeer } from "@kubernetes/client-node"; /** Matches any pod in the namespace */ diff --git a/src/pepr/operator/controllers/network/generators/kubeAPI.ts b/src/pepr/operator/controllers/network/generators/kubeAPI.ts index 988d4a989..30f704780 100644 --- a/src/pepr/operator/controllers/network/generators/kubeAPI.ts +++ b/src/pepr/operator/controllers/network/generators/kubeAPI.ts @@ -1,4 +1,8 @@ -// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { V1NetworkPolicyPeer } from "@kubernetes/client-node"; import { K8s, kind, R } from "pepr"; diff --git a/src/pepr/operator/controllers/network/generators/remoteCidr.ts b/src/pepr/operator/controllers/network/generators/remoteCidr.ts index 4907d87b1..0b62bf878 100644 --- a/src/pepr/operator/controllers/network/generators/remoteCidr.ts +++ b/src/pepr/operator/controllers/network/generators/remoteCidr.ts @@ -1,4 +1,8 @@ -// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { V1NetworkPolicyPeer } from "@kubernetes/client-node"; import { META_IP } from "./cloudMetadata"; diff --git a/src/pepr/operator/controllers/network/policies.ts b/src/pepr/operator/controllers/network/policies.ts index 1ceaecace..24a53cc88 100644 --- a/src/pepr/operator/controllers/network/policies.ts +++ b/src/pepr/operator/controllers/network/policies.ts @@ -1,4 +1,8 @@ -// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { K8s, kind } from "pepr"; import { Component, setupLogger } from "../../../logger"; diff --git a/src/pepr/operator/controllers/utils.ts b/src/pepr/operator/controllers/utils.ts index 3e800ad23..9b8adf647 100644 --- a/src/pepr/operator/controllers/utils.ts +++ b/src/pepr/operator/controllers/utils.ts @@ -1,4 +1,8 @@ -// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { V1OwnerReference } from "@kubernetes/client-node"; import { GenericClass, GenericKind } from "kubernetes-fluent-client"; import { K8s } from "pepr"; diff --git a/src/pepr/operator/crd/generated/exemption-v1alpha1.ts b/src/pepr/operator/crd/generated/exemption-v1alpha1.ts index 394318f8b..7c22b5a1a 100644 --- a/src/pepr/operator/crd/generated/exemption-v1alpha1.ts +++ b/src/pepr/operator/crd/generated/exemption-v1alpha1.ts @@ -1,4 +1,8 @@ -// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + // This file is auto-generated by kubernetes-fluent-client, do not edit manually import { GenericKind, RegisterKind } from "kubernetes-fluent-client"; diff --git a/src/pepr/operator/crd/generated/istio/authorizationpolicy-v1beta1.ts b/src/pepr/operator/crd/generated/istio/authorizationpolicy-v1beta1.ts index 22388c962..568feae88 100644 --- a/src/pepr/operator/crd/generated/istio/authorizationpolicy-v1beta1.ts +++ b/src/pepr/operator/crd/generated/istio/authorizationpolicy-v1beta1.ts @@ -1,4 +1,8 @@ -// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + // This file is auto-generated by kubernetes-fluent-client, do not edit manually import { GenericKind, RegisterKind } from "kubernetes-fluent-client"; diff --git a/src/pepr/operator/crd/generated/istio/requestauthentication-v1.ts b/src/pepr/operator/crd/generated/istio/requestauthentication-v1.ts index 7d52e3ea2..4382de250 100644 --- a/src/pepr/operator/crd/generated/istio/requestauthentication-v1.ts +++ b/src/pepr/operator/crd/generated/istio/requestauthentication-v1.ts @@ -1,4 +1,8 @@ -// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + // This file is auto-generated by kubernetes-fluent-client, do not edit manually import { GenericKind, RegisterKind } from "kubernetes-fluent-client"; diff --git a/src/pepr/operator/crd/generated/istio/serviceentry-v1beta1.ts b/src/pepr/operator/crd/generated/istio/serviceentry-v1beta1.ts index da2f9cd4c..364daee2a 100644 --- a/src/pepr/operator/crd/generated/istio/serviceentry-v1beta1.ts +++ b/src/pepr/operator/crd/generated/istio/serviceentry-v1beta1.ts @@ -1,4 +1,8 @@ -// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + // This file is auto-generated by kubernetes-fluent-client, do not edit manually import { GenericKind, RegisterKind } from "kubernetes-fluent-client"; diff --git a/src/pepr/operator/crd/generated/istio/virtualservice-v1beta1.ts b/src/pepr/operator/crd/generated/istio/virtualservice-v1beta1.ts index 20ab36789..dd575a7ec 100644 --- a/src/pepr/operator/crd/generated/istio/virtualservice-v1beta1.ts +++ b/src/pepr/operator/crd/generated/istio/virtualservice-v1beta1.ts @@ -1,4 +1,8 @@ -// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + // This file is auto-generated by kubernetes-fluent-client, do not edit manually import { GenericKind, RegisterKind } from "kubernetes-fluent-client"; diff --git a/src/pepr/operator/crd/generated/package-v1alpha1.ts b/src/pepr/operator/crd/generated/package-v1alpha1.ts index f512263d0..1696c9f8d 100644 --- a/src/pepr/operator/crd/generated/package-v1alpha1.ts +++ b/src/pepr/operator/crd/generated/package-v1alpha1.ts @@ -1,4 +1,8 @@ -// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + // This file is auto-generated by kubernetes-fluent-client, do not edit manually import { GenericKind, RegisterKind } from "kubernetes-fluent-client"; diff --git a/src/pepr/operator/crd/generated/prometheus/podmonitor-v1.ts b/src/pepr/operator/crd/generated/prometheus/podmonitor-v1.ts index 656807e42..654172626 100644 --- a/src/pepr/operator/crd/generated/prometheus/podmonitor-v1.ts +++ b/src/pepr/operator/crd/generated/prometheus/podmonitor-v1.ts @@ -1,4 +1,8 @@ -// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + // This file is auto-generated by kubernetes-fluent-client, do not edit manually import { GenericKind, RegisterKind } from "kubernetes-fluent-client"; diff --git a/src/pepr/operator/crd/generated/prometheus/servicemonitor-v1.ts b/src/pepr/operator/crd/generated/prometheus/servicemonitor-v1.ts index 0741ddbce..3acf678e8 100644 --- a/src/pepr/operator/crd/generated/prometheus/servicemonitor-v1.ts +++ b/src/pepr/operator/crd/generated/prometheus/servicemonitor-v1.ts @@ -1,4 +1,8 @@ -// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + // This file is auto-generated by kubernetes-fluent-client, do not edit manually import { GenericKind, RegisterKind } from "kubernetes-fluent-client"; diff --git a/src/pepr/operator/crd/index.ts b/src/pepr/operator/crd/index.ts index 5e742b8ab..ee4603e00 100644 --- a/src/pepr/operator/crd/index.ts +++ b/src/pepr/operator/crd/index.ts @@ -1,4 +1,8 @@ -// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + export { Allow, Direction, diff --git a/src/pepr/operator/crd/migrate.ts b/src/pepr/operator/crd/migrate.ts index c56da9c38..bb8e8bb23 100644 --- a/src/pepr/operator/crd/migrate.ts +++ b/src/pepr/operator/crd/migrate.ts @@ -1,4 +1,8 @@ -// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { UDSPackage } from "."; /** diff --git a/src/pepr/operator/crd/register.ts b/src/pepr/operator/crd/register.ts index b23dd3158..7be968e71 100644 --- a/src/pepr/operator/crd/register.ts +++ b/src/pepr/operator/crd/register.ts @@ -1,4 +1,8 @@ -// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { K8s, kind } from "pepr"; import { Component, setupLogger } from "../../logger"; diff --git a/src/pepr/operator/crd/sources/exemption/v1alpha1.ts b/src/pepr/operator/crd/sources/exemption/v1alpha1.ts index 5ae49f940..f9ab19404 100644 --- a/src/pepr/operator/crd/sources/exemption/v1alpha1.ts +++ b/src/pepr/operator/crd/sources/exemption/v1alpha1.ts @@ -1,4 +1,8 @@ -// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { V1CustomResourceDefinitionVersion, V1JSONSchemaProps } from "@kubernetes/client-node"; export const v1alpha1: V1CustomResourceDefinitionVersion = { diff --git a/src/pepr/operator/crd/sources/istio/virtualservice-v1beta1.ts b/src/pepr/operator/crd/sources/istio/virtualservice-v1beta1.ts index 803b5da6d..d32c97b35 100644 --- a/src/pepr/operator/crd/sources/istio/virtualservice-v1beta1.ts +++ b/src/pepr/operator/crd/sources/istio/virtualservice-v1beta1.ts @@ -1,4 +1,8 @@ -// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { V1JSONSchemaProps } from "@kubernetes/client-node"; const matchRequired = [{ required: ["exact"] }, { required: ["prefix"] }, { required: ["regex"] }]; diff --git a/src/pepr/operator/crd/sources/package/v1alpha1.ts b/src/pepr/operator/crd/sources/package/v1alpha1.ts index 922484a18..3b36df0a6 100644 --- a/src/pepr/operator/crd/sources/package/v1alpha1.ts +++ b/src/pepr/operator/crd/sources/package/v1alpha1.ts @@ -1,4 +1,8 @@ -// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { V1CustomResourceDefinitionVersion, V1JSONSchemaProps } from "@kubernetes/client-node"; import { advancedHTTP } from "../istio/virtualservice-v1beta1"; diff --git a/src/pepr/operator/crd/validators/exempt-validator.spec.ts b/src/pepr/operator/crd/validators/exempt-validator.spec.ts index a743a648f..166d4f627 100644 --- a/src/pepr/operator/crd/validators/exempt-validator.spec.ts +++ b/src/pepr/operator/crd/validators/exempt-validator.spec.ts @@ -1,4 +1,8 @@ -// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { afterEach, describe, expect, it, jest } from "@jest/globals"; import { PeprValidateRequest } from "pepr"; import { MatcherKind, UDSExemption } from ".."; diff --git a/src/pepr/operator/crd/validators/exempt-validator.ts b/src/pepr/operator/crd/validators/exempt-validator.ts index a3217bdf9..f725c16ef 100644 --- a/src/pepr/operator/crd/validators/exempt-validator.ts +++ b/src/pepr/operator/crd/validators/exempt-validator.ts @@ -1,4 +1,8 @@ -// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { PeprValidateRequest } from "pepr"; import { MatcherKind, Policy, UDSExemption } from ".."; import { UDSConfig } from "../../../config"; diff --git a/src/pepr/operator/crd/validators/package-validator.spec.ts b/src/pepr/operator/crd/validators/package-validator.spec.ts index fa2616f0c..379e16e74 100644 --- a/src/pepr/operator/crd/validators/package-validator.spec.ts +++ b/src/pepr/operator/crd/validators/package-validator.spec.ts @@ -1,4 +1,8 @@ -// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { afterEach, describe, expect, it, jest } from "@jest/globals"; import { PeprValidateRequest } from "pepr"; import { Allow, Direction, Expose, Gateway, Protocol, RemoteGenerated, Sso, UDSPackage } from ".."; diff --git a/src/pepr/operator/crd/validators/package-validator.ts b/src/pepr/operator/crd/validators/package-validator.ts index 6a9e5c09d..bc04e810a 100644 --- a/src/pepr/operator/crd/validators/package-validator.ts +++ b/src/pepr/operator/crd/validators/package-validator.ts @@ -1,4 +1,8 @@ -// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { PeprValidateRequest } from "pepr"; import { Gateway, Protocol, UDSPackage } from ".."; diff --git a/src/pepr/operator/index.ts b/src/pepr/operator/index.ts index 90627d90e..b84c43d0c 100644 --- a/src/pepr/operator/index.ts +++ b/src/pepr/operator/index.ts @@ -1,4 +1,8 @@ -// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + // Common imports import { a } from "pepr"; import { When } from "./common"; diff --git a/src/pepr/operator/reconcilers/index.spec.ts b/src/pepr/operator/reconcilers/index.spec.ts index 080afafe9..054d99782 100644 --- a/src/pepr/operator/reconcilers/index.spec.ts +++ b/src/pepr/operator/reconcilers/index.spec.ts @@ -1,4 +1,8 @@ -// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { beforeEach, describe, expect, it, jest } from "@jest/globals"; import { GenericKind } from "kubernetes-fluent-client"; import { K8s, Log, kind } from "pepr"; diff --git a/src/pepr/operator/reconcilers/index.ts b/src/pepr/operator/reconcilers/index.ts index 4f4fe515b..6466c84d7 100644 --- a/src/pepr/operator/reconcilers/index.ts +++ b/src/pepr/operator/reconcilers/index.ts @@ -1,4 +1,8 @@ -// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { K8s, kind } from "pepr"; import { Component, setupLogger } from "../../logger"; diff --git a/src/pepr/operator/reconcilers/package-reconciler.spec.ts b/src/pepr/operator/reconcilers/package-reconciler.spec.ts index 5344ac1cc..bb8a8c843 100644 --- a/src/pepr/operator/reconcilers/package-reconciler.spec.ts +++ b/src/pepr/operator/reconcilers/package-reconciler.spec.ts @@ -1,4 +1,8 @@ -// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { beforeEach, describe, expect, jest, test } from "@jest/globals"; import { K8s, Log } from "pepr"; diff --git a/src/pepr/operator/reconcilers/package-reconciler.ts b/src/pepr/operator/reconcilers/package-reconciler.ts index fc39e4387..e60e39150 100644 --- a/src/pepr/operator/reconcilers/package-reconciler.ts +++ b/src/pepr/operator/reconcilers/package-reconciler.ts @@ -1,4 +1,8 @@ -// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { handleFailure, shouldSkip, updateStatus, writeEvent } from "."; import { UDSConfig } from "../../config"; import { Component, setupLogger } from "../../logger"; diff --git a/src/pepr/policies/common.ts b/src/pepr/policies/common.ts index ac5a54803..fb7a91331 100644 --- a/src/pepr/policies/common.ts +++ b/src/pepr/policies/common.ts @@ -1,4 +1,8 @@ -// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { KubernetesObject, V1Container, V1SecurityContext } from "@kubernetes/client-node"; import { Capability, PeprMutateRequest, PeprValidateRequest, a } from "pepr"; import { Policy } from "../operator/crd"; diff --git a/src/pepr/policies/exemptions/index.spec.ts b/src/pepr/policies/exemptions/index.spec.ts index fa513d8df..e81850ed5 100644 --- a/src/pepr/policies/exemptions/index.spec.ts +++ b/src/pepr/policies/exemptions/index.spec.ts @@ -1,4 +1,8 @@ -// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { beforeAll, describe, expect, it, jest } from "@jest/globals"; import { PeprValidateRequest, kind } from "pepr"; import { isExempt } from "."; diff --git a/src/pepr/policies/exemptions/index.ts b/src/pepr/policies/exemptions/index.ts index 601a10370..08a89fb74 100644 --- a/src/pepr/policies/exemptions/index.ts +++ b/src/pepr/policies/exemptions/index.ts @@ -1,4 +1,8 @@ -// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { KubernetesObject } from "kubernetes-fluent-client"; import { PeprMutateRequest, PeprValidateRequest } from "pepr"; import { Component, setupLogger } from "../../logger"; diff --git a/src/pepr/policies/index.ts b/src/pepr/policies/index.ts index 3241bdfc8..a0561c302 100644 --- a/src/pepr/policies/index.ts +++ b/src/pepr/policies/index.ts @@ -1,4 +1,8 @@ -// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + // Various validation actions for Kubernetes resources from Big Bang import { WatchCfg } from "kubernetes-fluent-client"; import { K8s } from "pepr"; diff --git a/src/pepr/policies/network.spec.ts b/src/pepr/policies/network.spec.ts index 2a94e0d28..6b5479d51 100644 --- a/src/pepr/policies/network.spec.ts +++ b/src/pepr/policies/network.spec.ts @@ -1,4 +1,8 @@ -// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { describe, expect, it } from "@jest/globals"; import { K8s, kind } from "pepr"; diff --git a/src/pepr/policies/networking.ts b/src/pepr/policies/networking.ts index 283e3ec94..fcf02297a 100644 --- a/src/pepr/policies/networking.ts +++ b/src/pepr/policies/networking.ts @@ -1,8 +1,12 @@ -// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { a } from "pepr"; -import { When, containers } from "./common"; import { Policy } from "../operator/crd"; +import { When, containers } from "./common"; import { isExempt, markExemption } from "./exemptions"; /** diff --git a/src/pepr/policies/security.spec.ts b/src/pepr/policies/security.spec.ts index ba93c1a41..a48e162dd 100644 --- a/src/pepr/policies/security.spec.ts +++ b/src/pepr/policies/security.spec.ts @@ -1,4 +1,8 @@ -// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { describe, expect, it } from "@jest/globals"; import { K8s, kind } from "pepr"; diff --git a/src/pepr/policies/security.ts b/src/pepr/policies/security.ts index 5f5b63ea4..75d52908d 100644 --- a/src/pepr/policies/security.ts +++ b/src/pepr/policies/security.ts @@ -1,4 +1,8 @@ -// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { a } from "pepr"; import { V1SecurityContext } from "@kubernetes/client-node"; diff --git a/src/pepr/policies/storage.spec.ts b/src/pepr/policies/storage.spec.ts index 73f0c273b..231951b87 100644 --- a/src/pepr/policies/storage.spec.ts +++ b/src/pepr/policies/storage.spec.ts @@ -1,4 +1,8 @@ -// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { describe, expect, it } from "@jest/globals"; import { K8s, kind } from "pepr"; diff --git a/src/pepr/policies/storage.ts b/src/pepr/policies/storage.ts index b26df6b3e..f04efd483 100644 --- a/src/pepr/policies/storage.ts +++ b/src/pepr/policies/storage.ts @@ -1,4 +1,8 @@ -// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { a } from "pepr"; import { Policy } from "../operator/crd"; diff --git a/src/pepr/prometheus/index.ts b/src/pepr/prometheus/index.ts index 45f138332..cb06542b4 100644 --- a/src/pepr/prometheus/index.ts +++ b/src/pepr/prometheus/index.ts @@ -1,4 +1,8 @@ -// SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { Capability, K8s, kind } from "pepr"; import { Component, setupLogger } from "../logger"; import { diff --git a/src/pepr/tasks.yaml b/src/pepr/tasks.yaml index c356426af..15f3e123f 100644 --- a/src/pepr/tasks.yaml +++ b/src/pepr/tasks.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + tasks: - name: validate actions: diff --git a/src/pepr/uds-operator-config/Chart.yaml b/src/pepr/uds-operator-config/Chart.yaml index 3da27ecb2..787490c85 100644 --- a/src/pepr/uds-operator-config/Chart.yaml +++ b/src/pepr/uds-operator-config/Chart.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + apiVersion: v2 name: uds-operator-config description: UDS Core configuration for UDS Operator diff --git a/src/pepr/uds-operator-config/templates/secret.yaml b/src/pepr/uds-operator-config/templates/secret.yaml index 5cb2117ec..6bb2c0c30 100644 --- a/src/pepr/uds-operator-config/templates/secret.yaml +++ b/src/pepr/uds-operator-config/templates/secret.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + apiVersion: v1 kind: Secret metadata: diff --git a/src/pepr/uds-operator-config/values.yaml b/src/pepr/uds-operator-config/values.yaml index 9fab7e3b7..17197d87d 100644 --- a/src/pepr/uds-operator-config/values.yaml +++ b/src/pepr/uds-operator-config/values.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + operator: UDS_DOMAIN: "###ZARF_VAR_DOMAIN###" UDS_CA_CERT: "###ZARF_VAR_CA_CERT###" diff --git a/src/pepr/values.yaml b/src/pepr/values.yaml index 9f339f5c6..d6630a25b 100644 --- a/src/pepr/values.yaml +++ b/src/pepr/values.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + watcher: serviceMonitor: enabled: ###ZARF_VAR_PEPR_SERVICE_MONITORS### diff --git a/src/pepr/zarf.yaml b/src/pepr/zarf.yaml index 2f7e22ba6..267a24f96 100644 --- a/src/pepr/zarf.yaml +++ b/src/pepr/zarf.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + kind: ZarfPackageConfig metadata: name: pepr-uds-core diff --git a/src/prometheus-stack/chart/Chart.yaml b/src/prometheus-stack/chart/Chart.yaml index 1f1859d14..9a6487cab 100644 --- a/src/prometheus-stack/chart/Chart.yaml +++ b/src/prometheus-stack/chart/Chart.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + apiVersion: v2 name: uds-prometheus-config description: Prometheus stack configuration for UDS diff --git a/src/prometheus-stack/chart/templates/istio-monitor.yaml b/src/prometheus-stack/chart/templates/istio-monitor.yaml index fcaeb789a..674346d35 100644 --- a/src/prometheus-stack/chart/templates/istio-monitor.yaml +++ b/src/prometheus-stack/chart/templates/istio-monitor.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + # This podmonitor will pick up envoy stats for all Istio sidecars across the cluster apiVersion: monitoring.coreos.com/v1 kind: PodMonitor diff --git a/src/prometheus-stack/chart/templates/peerauthentication/prometheus-operator-pa.yaml b/src/prometheus-stack/chart/templates/peerauthentication/prometheus-operator-pa.yaml index 32fde5007..45b36d696 100644 --- a/src/prometheus-stack/chart/templates/peerauthentication/prometheus-operator-pa.yaml +++ b/src/prometheus-stack/chart/templates/peerauthentication/prometheus-operator-pa.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + {{- if .Capabilities.APIVersions.Has "security.istio.io/v1beta1" }} apiVersion: "security.istio.io/v1beta1" kind: PeerAuthentication diff --git a/src/prometheus-stack/chart/templates/prometheus-pod-monitor.yaml b/src/prometheus-stack/chart/templates/prometheus-pod-monitor.yaml index 6179cab8d..e9ea8bb10 100644 --- a/src/prometheus-stack/chart/templates/prometheus-pod-monitor.yaml +++ b/src/prometheus-stack/chart/templates/prometheus-pod-monitor.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + # This pod monitor is used instead of a service monitor to handle mTLS with self-monitoring apiVersion: monitoring.coreos.com/v1 kind: PodMonitor diff --git a/src/prometheus-stack/chart/templates/uds-exemption.yaml b/src/prometheus-stack/chart/templates/uds-exemption.yaml index b533b9fc7..ffb1df745 100644 --- a/src/prometheus-stack/chart/templates/uds-exemption.yaml +++ b/src/prometheus-stack/chart/templates/uds-exemption.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + apiVersion: uds.dev/v1alpha1 kind: Exemption metadata: diff --git a/src/prometheus-stack/chart/templates/uds-package.yaml b/src/prometheus-stack/chart/templates/uds-package.yaml index fe8f7c1ef..fd049e994 100644 --- a/src/prometheus-stack/chart/templates/uds-package.yaml +++ b/src/prometheus-stack/chart/templates/uds-package.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + apiVersion: uds.dev/v1alpha1 kind: Package metadata: diff --git a/src/prometheus-stack/chart/values.yaml b/src/prometheus-stack/chart/values.yaml index e69de29bb..2067cc53d 100644 --- a/src/prometheus-stack/chart/values.yaml +++ b/src/prometheus-stack/chart/values.yaml @@ -0,0 +1,2 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial diff --git a/src/prometheus-stack/common/zarf.yaml b/src/prometheus-stack/common/zarf.yaml index 1eb3db093..ed60e79f8 100644 --- a/src/prometheus-stack/common/zarf.yaml +++ b/src/prometheus-stack/common/zarf.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + kind: ZarfPackageConfig metadata: name: uds-core-prometheus-stack-common diff --git a/src/prometheus-stack/oscal-component.yaml b/src/prometheus-stack/oscal-component.yaml index 496b32d0d..0bf34cbf4 100644 --- a/src/prometheus-stack/oscal-component.yaml +++ b/src/prometheus-stack/oscal-component.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + component-definition: uuid: 017dbd45-5122-4c11-b5ce-d4b31116c581 metadata: diff --git a/src/prometheus-stack/tasks.yaml b/src/prometheus-stack/tasks.yaml index cdf6d4d27..f71e3624e 100644 --- a/src/prometheus-stack/tasks.yaml +++ b/src/prometheus-stack/tasks.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + tasks: - name: validate actions: diff --git a/src/prometheus-stack/values/crd-values.yaml b/src/prometheus-stack/values/crd-values.yaml index cbcfd0977..bb4bd672d 100644 --- a/src/prometheus-stack/values/crd-values.yaml +++ b/src/prometheus-stack/values/crd-values.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + ## Annotations for CRDs crds: annotations: {} diff --git a/src/prometheus-stack/values/registry1-values.yaml b/src/prometheus-stack/values/registry1-values.yaml index b262d1fbc..2515c2eba 100644 --- a/src/prometheus-stack/values/registry1-values.yaml +++ b/src/prometheus-stack/values/registry1-values.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + alertmanager: alertmanagerSpec: image: diff --git a/src/prometheus-stack/values/unicorn-values.yaml b/src/prometheus-stack/values/unicorn-values.yaml index 4a9988f39..7035a9cb2 100644 --- a/src/prometheus-stack/values/unicorn-values.yaml +++ b/src/prometheus-stack/values/unicorn-values.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + alertmanager: alertmanagerSpec: image: diff --git a/src/prometheus-stack/values/upstream-values.yaml b/src/prometheus-stack/values/upstream-values.yaml index 9f52d3618..ef4286956 100644 --- a/src/prometheus-stack/values/upstream-values.yaml +++ b/src/prometheus-stack/values/upstream-values.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + alertmanager: alertmanagerSpec: image: diff --git a/src/prometheus-stack/values/values.yaml b/src/prometheus-stack/values/values.yaml index c3aa80e59..216b6c78c 100644 --- a/src/prometheus-stack/values/values.yaml +++ b/src/prometheus-stack/values/values.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + crds: enabled: false grafana: diff --git a/src/prometheus-stack/zarf.yaml b/src/prometheus-stack/zarf.yaml index 71a31d717..d6a8e1a86 100644 --- a/src/prometheus-stack/zarf.yaml +++ b/src/prometheus-stack/zarf.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + kind: ZarfPackageConfig metadata: name: uds-core-prometheus-stack diff --git a/src/runtime/tasks.yaml b/src/runtime/tasks.yaml index 77a425176..c07ea9314 100644 --- a/src/runtime/tasks.yaml +++ b/src/runtime/tasks.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + tasks: - name: validate actions: diff --git a/src/runtime/zarf.yaml b/src/runtime/zarf.yaml index 16474a362..dd33fb982 100644 --- a/src/runtime/zarf.yaml +++ b/src/runtime/zarf.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + kind: ZarfPackageConfig metadata: name: uds-core-runtime diff --git a/src/tempo/tasks.yaml b/src/tempo/tasks.yaml index 47f789e05..31f664e75 100644 --- a/src/tempo/tasks.yaml +++ b/src/tempo/tasks.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + tasks: - name: validate actions: diff --git a/src/tempo/zarf.yaml b/src/tempo/zarf.yaml index eaceb49fe..cf41f93c3 100644 --- a/src/tempo/zarf.yaml +++ b/src/tempo/zarf.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + kind: ZarfPackageConfig metadata: name: uds-core-tempo diff --git a/src/test/app-admin.yaml b/src/test/app-admin.yaml index 66853b066..81bfecb2a 100644 --- a/src/test/app-admin.yaml +++ b/src/test/app-admin.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + apiVersion: v1 kind: Namespace metadata: diff --git a/src/test/app-authservice-tenant.yaml b/src/test/app-authservice-tenant.yaml index c302361f7..dcca00954 100644 --- a/src/test/app-authservice-tenant.yaml +++ b/src/test/app-authservice-tenant.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + apiVersion: v1 kind: Namespace metadata: diff --git a/src/test/app-tenant.yaml b/src/test/app-tenant.yaml index 6e6c23039..e377cd25e 100644 --- a/src/test/app-tenant.yaml +++ b/src/test/app-tenant.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + apiVersion: v1 kind: Namespace metadata: diff --git a/src/test/chart/Chart.yaml b/src/test/chart/Chart.yaml index d2049f72c..f7eefefca 100644 --- a/src/test/chart/Chart.yaml +++ b/src/test/chart/Chart.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + apiVersion: v2 name: uds-podinfo-config description: A Helm chart for testing an exempted-app diff --git a/src/test/chart/templates/exemption1.yaml b/src/test/chart/templates/exemption1.yaml index c9eabdbe2..25ae7d346 100644 --- a/src/test/chart/templates/exemption1.yaml +++ b/src/test/chart/templates/exemption1.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + apiVersion: uds.dev/v1alpha1 kind: Exemption metadata: diff --git a/src/test/chart/templates/exemption2.yaml b/src/test/chart/templates/exemption2.yaml index 9e2f855e4..b3dd9d30c 100644 --- a/src/test/chart/templates/exemption2.yaml +++ b/src/test/chart/templates/exemption2.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + apiVersion: uds.dev/v1alpha1 kind: Exemption metadata: diff --git a/src/test/chart/templates/exemption3.yaml b/src/test/chart/templates/exemption3.yaml index 259737146..a3a01ca18 100644 --- a/src/test/chart/templates/exemption3.yaml +++ b/src/test/chart/templates/exemption3.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + apiVersion: uds.dev/v1alpha1 kind: Exemption metadata: diff --git a/src/test/chart/templates/exemption4.yaml b/src/test/chart/templates/exemption4.yaml index df378444c..29797a723 100644 --- a/src/test/chart/templates/exemption4.yaml +++ b/src/test/chart/templates/exemption4.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + apiVersion: uds.dev/v1alpha1 kind: Exemption metadata: diff --git a/src/test/chart/templates/exemption5.yaml b/src/test/chart/templates/exemption5.yaml index bd73cf554..25d080889 100644 --- a/src/test/chart/templates/exemption5.yaml +++ b/src/test/chart/templates/exemption5.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + apiVersion: uds.dev/v1alpha1 kind: Exemption metadata: diff --git a/src/test/chart/templates/package.yaml b/src/test/chart/templates/package.yaml index b5b4f49cc..c9fa7b778 100644 --- a/src/test/chart/templates/package.yaml +++ b/src/test/chart/templates/package.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + apiVersion: uds.dev/v1alpha1 kind: Package metadata: diff --git a/src/test/chart/values.yaml b/src/test/chart/values.yaml index e69de29bb..2067cc53d 100644 --- a/src/test/chart/values.yaml +++ b/src/test/chart/values.yaml @@ -0,0 +1,2 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial diff --git a/src/test/podinfo-values.yaml b/src/test/podinfo-values.yaml index 739a8f1e6..1dc56093d 100644 --- a/src/test/podinfo-values.yaml +++ b/src/test/podinfo-values.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + # Values set to intentionally violate pepr policies securityContext: runAsUser: 0 diff --git a/src/test/tasks.yaml b/src/test/tasks.yaml index 8374d542f..080ccdc2e 100644 --- a/src/test/tasks.yaml +++ b/src/test/tasks.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + tasks: - name: validate description: Test app used for UDS Core validation diff --git a/src/test/zarf.yaml b/src/test/zarf.yaml index 43462601b..90195beae 100644 --- a/src/test/zarf.yaml +++ b/src/test/zarf.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + kind: ZarfPackageConfig metadata: name: uds-core-test-apps diff --git a/src/vector/chart/Chart.yaml b/src/vector/chart/Chart.yaml index 6132e9c26..c620cf6fa 100644 --- a/src/vector/chart/Chart.yaml +++ b/src/vector/chart/Chart.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + apiVersion: v2 name: uds-vector-config description: Vector configuration for UDS diff --git a/src/vector/chart/templates/uds-exemption.yaml b/src/vector/chart/templates/uds-exemption.yaml index 05197f163..c78054815 100644 --- a/src/vector/chart/templates/uds-exemption.yaml +++ b/src/vector/chart/templates/uds-exemption.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + apiVersion: uds.dev/v1alpha1 kind: Exemption metadata: diff --git a/src/vector/chart/templates/uds-package.yaml b/src/vector/chart/templates/uds-package.yaml index 82f14fc38..e4ac9d9c9 100644 --- a/src/vector/chart/templates/uds-package.yaml +++ b/src/vector/chart/templates/uds-package.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + apiVersion: uds.dev/v1alpha1 kind: Package metadata: diff --git a/src/vector/chart/values.yaml b/src/vector/chart/values.yaml index 3ed57ceb0..c4bf61c2a 100644 --- a/src/vector/chart/values.yaml +++ b/src/vector/chart/values.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + additionalNetworkAllow: [] # Examples: # - direction: Egress diff --git a/src/vector/common/zarf.yaml b/src/vector/common/zarf.yaml index 49515329c..631dce2c9 100644 --- a/src/vector/common/zarf.yaml +++ b/src/vector/common/zarf.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + kind: ZarfPackageConfig metadata: name: uds-core-vector-common diff --git a/src/vector/oscal-component.yaml b/src/vector/oscal-component.yaml index f45e5cf3b..6a3eb7bc3 100644 --- a/src/vector/oscal-component.yaml +++ b/src/vector/oscal-component.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + component-definition: uuid: ff959bdb-7be9-49b3-9dc2-c41b34e7017d metadata: diff --git a/src/vector/tasks.yaml b/src/vector/tasks.yaml index eb49b27f0..f044c85d5 100644 --- a/src/vector/tasks.yaml +++ b/src/vector/tasks.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + tasks: - name: validate actions: diff --git a/src/vector/values/registry1-values.yaml b/src/vector/values/registry1-values.yaml index d4a398859..95187afb4 100644 --- a/src/vector/values/registry1-values.yaml +++ b/src/vector/values/registry1-values.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + image: repository: registry1.dso.mil/ironbank/opensource/timberio/vector tag: 0.41.1 diff --git a/src/vector/values/unicorn-values.yaml b/src/vector/values/unicorn-values.yaml index 2644abfed..5a6d40405 100644 --- a/src/vector/values/unicorn-values.yaml +++ b/src/vector/values/unicorn-values.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + image: repository: cgr.dev/du-uds-defenseunicorns/vector tag: 0.41.1 diff --git a/src/vector/values/upstream-values.yaml b/src/vector/values/upstream-values.yaml index f783dbdc1..8954e9d7d 100644 --- a/src/vector/values/upstream-values.yaml +++ b/src/vector/values/upstream-values.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + image: repository: timberio/vector tag: 0.41.1-distroless-static diff --git a/src/vector/values/values.yaml b/src/vector/values/values.yaml index 21dd2d6fe..aff279fe7 100644 --- a/src/vector/values/values.yaml +++ b/src/vector/values/values.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + # Run as an agent daemonset role: "Agent" diff --git a/src/vector/zarf.yaml b/src/vector/zarf.yaml index 989eaa4a6..4a6b4da8c 100644 --- a/src/vector/zarf.yaml +++ b/src/vector/zarf.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + kind: ZarfPackageConfig metadata: name: uds-core-vector diff --git a/src/velero/chart/Chart.yaml b/src/velero/chart/Chart.yaml index dac901d58..291b632a8 100644 --- a/src/velero/chart/Chart.yaml +++ b/src/velero/chart/Chart.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + apiVersion: v2 name: uds-velero-config description: Velero configuration for UDS diff --git a/src/velero/chart/templates/uds-package.yaml b/src/velero/chart/templates/uds-package.yaml index efc0fb259..c096f7222 100644 --- a/src/velero/chart/templates/uds-package.yaml +++ b/src/velero/chart/templates/uds-package.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + apiVersion: uds.dev/v1alpha1 kind: Package metadata: diff --git a/src/velero/chart/values.yaml b/src/velero/chart/values.yaml index a30fe4c3d..5ec83f081 100644 --- a/src/velero/chart/values.yaml +++ b/src/velero/chart/values.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + storage: internal: enabled: false diff --git a/src/velero/common/zarf.yaml b/src/velero/common/zarf.yaml index d05bb66ff..ca0d88458 100644 --- a/src/velero/common/zarf.yaml +++ b/src/velero/common/zarf.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + kind: ZarfPackageConfig metadata: name: uds-core-velero-common diff --git a/src/velero/oscal-component.yaml b/src/velero/oscal-component.yaml index 3f30fa9b6..4d149c77b 100644 --- a/src/velero/oscal-component.yaml +++ b/src/velero/oscal-component.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + component-definition: uuid: D73CF4E6-D893-4BDE-A195-C4DE782DF63B metadata: diff --git a/src/velero/tasks.yaml b/src/velero/tasks.yaml index 516a3dfb0..9a27a47e9 100644 --- a/src/velero/tasks.yaml +++ b/src/velero/tasks.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + tasks: - name: validate actions: diff --git a/src/velero/values/registry1-values.yaml b/src/velero/values/registry1-values.yaml index 2c48af4ed..07357ca8d 100644 --- a/src/velero/values/registry1-values.yaml +++ b/src/velero/values/registry1-values.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + image: repository: registry1.dso.mil/ironbank/opensource/velero/velero tag: v1.14.1 diff --git a/src/velero/values/unicorn-values.yaml b/src/velero/values/unicorn-values.yaml index 79be186ae..68c72a20e 100644 --- a/src/velero/values/unicorn-values.yaml +++ b/src/velero/values/unicorn-values.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + image: repository: cgr.dev/du-uds-defenseunicorns/velero-fips tag: 1.14.1-dev diff --git a/src/velero/values/upstream-values.yaml b/src/velero/values/upstream-values.yaml index e0698a32d..8b7cd9fe6 100644 --- a/src/velero/values/upstream-values.yaml +++ b/src/velero/values/upstream-values.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + image: repository: velero/velero tag: v1.14.1 diff --git a/src/velero/values/values.yaml b/src/velero/values/values.yaml index 3bab10637..1cbe8d9a3 100644 --- a/src/velero/values/values.yaml +++ b/src/velero/values/values.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + credentials: useSecret: true name: "velero-bucket-credentials" diff --git a/src/velero/zarf.yaml b/src/velero/zarf.yaml index 3325aa2de..4814bc8dc 100644 --- a/src/velero/zarf.yaml +++ b/src/velero/zarf.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + kind: ZarfPackageConfig metadata: name: uds-core-velero diff --git a/tasks.yaml b/tasks.yaml index b89269d78..8484b01cf 100644 --- a/tasks.yaml +++ b/tasks.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + variables: - name: FLAVOR default: upstream diff --git a/tasks/create.yaml b/tasks/create.yaml index 934690282..248cbbb18 100644 --- a/tasks/create.yaml +++ b/tasks/create.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + includes: - common: https://raw.githubusercontent.com/defenseunicorns/uds-common/v1.0.0/tasks/create.yaml diff --git a/tasks/deploy.yaml b/tasks/deploy.yaml index 7496d540e..5c5d83d5c 100644 --- a/tasks/deploy.yaml +++ b/tasks/deploy.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + includes: - utils: utils.yaml diff --git a/tasks/iac.yaml b/tasks/iac.yaml index b7935142d..8c13e5ffe 100644 --- a/tasks/iac.yaml +++ b/tasks/iac.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + variables: - name: CLUSTER_NAME diff --git a/tasks/lint.yaml b/tasks/lint.yaml index 17147720d..f5702ee1c 100644 --- a/tasks/lint.yaml +++ b/tasks/lint.yaml @@ -1,7 +1,9 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + includes: - - remote: https://raw.githubusercontent.com/defenseunicorns/uds-common/v1.0.0/tasks/lint.yaml + - remote: https://raw.githubusercontent.com/defenseunicorns/uds-common/v1.1.0/tasks/lint.yaml tasks: - name: fix @@ -34,3 +36,13 @@ tasks: actions: - description: Lula Lint OSCAL task: remote:oscal + + - name: license + actions: + - description: Lint for the SPDX license identifier being in source files + task: remote:license + + - name: fix-license + actions: + - description: Add the SPDX license identifier to source files + task: remote:fix-license diff --git a/tasks/publish.yaml b/tasks/publish.yaml index f4b56f90d..97441d4f4 100644 --- a/tasks/publish.yaml +++ b/tasks/publish.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + includes: - utils: utils.yaml diff --git a/tasks/setup.yaml b/tasks/setup.yaml index 4051c8bbc..6bed84f72 100644 --- a/tasks/setup.yaml +++ b/tasks/setup.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + tasks: - name: create-k3d-cluster diff --git a/tasks/test.yaml b/tasks/test.yaml index e376a8a02..449fddbf2 100644 --- a/tasks/test.yaml +++ b/tasks/test.yaml @@ -1,10 +1,12 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + includes: - create: ./create.yaml - setup: ./setup.yaml - deploy: ./deploy.yaml - - compliance: https://raw.githubusercontent.com/defenseunicorns/uds-common/v1.0.0/tasks/compliance.yaml + - compliance: https://raw.githubusercontent.com/defenseunicorns/uds-common/v1.1.0/tasks/compliance.yaml - base-layer: ../packages/base/tasks.yaml tasks: diff --git a/tasks/utils.yaml b/tasks/utils.yaml index c5cf75346..298551e72 100644 --- a/tasks/utils.yaml +++ b/tasks/utils.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + variables: - name: BASE_REPO default: "ghcr.io/defenseunicorns/packages" diff --git a/zarf-config.yaml b/zarf-config.yaml index 4900923b4..1e942db6a 100644 --- a/zarf-config.yaml +++ b/zarf-config.yaml @@ -1,4 +1,6 @@ -# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + # Disable until UDS CLI isn't super noisy no_progress: true From e7cbfc23ad08a129d4b1eb6fa04e9a55c1002d51 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Fri, 11 Oct 2024 15:51:27 -0600 Subject: [PATCH 65/90] chore(main): release 0.29.0 (#842) :robot: I have created a release *beep* *boop* --- ## [0.29.0](https://github.com/defenseunicorns/uds-core/compare/v0.28.0...v0.29.0) (2024-10-11) ### Features * add base and identity layers ([#853](https://github.com/defenseunicorns/uds-core/issues/853)) ([b3f532a](https://github.com/defenseunicorns/uds-core/commit/b3f532a4fe49e00b2cbcfb8bd4555a807355e8dd)) * add logging functional layer ([#861](https://github.com/defenseunicorns/uds-core/issues/861)) ([c1a67b9](https://github.com/defenseunicorns/uds-core/commit/c1a67b968116570f81c570f51145d3183c386d14)) * add metrics-server functional layer ([#865](https://github.com/defenseunicorns/uds-core/issues/865)) ([290367a](https://github.com/defenseunicorns/uds-core/commit/290367af2251c45fdc2ebb0b8f394b2c1ac2f0d8)) * add monitoring layer ([#872](https://github.com/defenseunicorns/uds-core/issues/872)) ([5ecb040](https://github.com/defenseunicorns/uds-core/commit/5ecb040bb27d8fed2a15617830cc6805df9c6ec7)) * add nightly testing for rke2 ([#808](https://github.com/defenseunicorns/uds-core/issues/808)) ([c401419](https://github.com/defenseunicorns/uds-core/commit/c4014197b19483657ccc1951d062263433e8b4af)) * add service accounts options to sso ([#852](https://github.com/defenseunicorns/uds-core/issues/852)) ([1029162](https://github.com/defenseunicorns/uds-core/commit/102916223bbfe4f6d555f72fd8d3a9593853d160)) * backup and restore layer, ui layer, runtime security layer ([#862](https://github.com/defenseunicorns/uds-core/issues/862)) ([b1d8015](https://github.com/defenseunicorns/uds-core/commit/b1d8015f61b984441578a860d29043d52013082a)) * grafana-ha ([#838](https://github.com/defenseunicorns/uds-core/issues/838)) ([d532d76](https://github.com/defenseunicorns/uds-core/commit/d532d76f8242a68cf39b5aac7c3b4a8c241d56b3)) ### Bug Fixes * broken readme link ([#899](https://github.com/defenseunicorns/uds-core/issues/899)) ([6e47b11](https://github.com/defenseunicorns/uds-core/commit/6e47b11f85075c3942c1ca193d5e9d90747b6109)) * **ci:** switch to larger runners to resolve ci disk space issues ([#882](https://github.com/defenseunicorns/uds-core/issues/882)) ([1af0401](https://github.com/defenseunicorns/uds-core/commit/1af040142babd141441a87ae74fd3c3a530f4fae)) * snapshot ci version modification and tasks for publish ([#877](https://github.com/defenseunicorns/uds-core/issues/877)) ([f01e5bd](https://github.com/defenseunicorns/uds-core/commit/f01e5bdd65edbdfe2088cdc1bb9d62fb8e5c1b04)) * support for anywhere network policies in cilium ([#884](https://github.com/defenseunicorns/uds-core/issues/884)) ([5df0737](https://github.com/defenseunicorns/uds-core/commit/5df073768eb9f8c8f00433413039918bdb85d362)) ### Miscellaneous * cleanup license parsing for github ([#881](https://github.com/defenseunicorns/uds-core/issues/881)) ([43c98ce](https://github.com/defenseunicorns/uds-core/commit/43c98cee6957a3ca155f7fb7e9d3b604c8c5caa7)) * **deps:** update chainctl action to v0.2.3 ([#864](https://github.com/defenseunicorns/uds-core/issues/864)) ([d782b59](https://github.com/defenseunicorns/uds-core/commit/d782b59363184de07c7546c04ad7edb6fa9e6449)) * **deps:** update checkout action to v4.2.0 ([#825](https://github.com/defenseunicorns/uds-core/issues/825)) ([29d1c98](https://github.com/defenseunicorns/uds-core/commit/29d1c98069c73869951878372f7ca1ac842bb87d)) * **deps:** update dependency defenseunicorns/lula to v0.8.0 ([#841](https://github.com/defenseunicorns/uds-core/issues/841)) ([fe36150](https://github.com/defenseunicorns/uds-core/commit/fe36150bceb69155d4aec8d7298fcc19dbca8c36)) * **deps:** update githubactions ([#866](https://github.com/defenseunicorns/uds-core/issues/866)) ([44f8ea5](https://github.com/defenseunicorns/uds-core/commit/44f8ea5f12b9d0bda9d9231564b95c6a49fd8e83)) * **deps:** update grafana to 11.2.1 ([#836](https://github.com/defenseunicorns/uds-core/issues/836)) ([11383c1](https://github.com/defenseunicorns/uds-core/commit/11383c188e4f799b5e8e09dc67e5b6f6ebfdca3e)) * **deps:** update grafana to v11.2.2 ([#867](https://github.com/defenseunicorns/uds-core/issues/867)) ([06ed2c3](https://github.com/defenseunicorns/uds-core/commit/06ed2c323a3f1e895d6f3f87e5388f7a06197b1c)) * **deps:** update loki nginx image to v1.27.2 ([#894](https://github.com/defenseunicorns/uds-core/issues/894)) ([df7d427](https://github.com/defenseunicorns/uds-core/commit/df7d427cf8f830d7590a144ff9e902245433460b)) * **deps:** update loki to v3.2.0 ([#791](https://github.com/defenseunicorns/uds-core/issues/791)) ([d3c60b5](https://github.com/defenseunicorns/uds-core/commit/d3c60b5678982d774a721838cf75e06c20087c73)) * **deps:** update metrics-server chart to v3.12.2 ([#873](https://github.com/defenseunicorns/uds-core/issues/873)) ([e2e61ce](https://github.com/defenseunicorns/uds-core/commit/e2e61ce3319aa9ac48762afe097d72f97175bbce)) * **deps:** update pepr to v0.37.1 ([#843](https://github.com/defenseunicorns/uds-core/issues/843)) ([68abcb2](https://github.com/defenseunicorns/uds-core/commit/68abcb2df5b7e2097a56e949624790445bc02b41)) * **deps:** update pepr to v0.37.2 ([#850](https://github.com/defenseunicorns/uds-core/issues/850)) ([b51f659](https://github.com/defenseunicorns/uds-core/commit/b51f659ffbb3880a5da74aa90b62c5ef4a7a05cc)) * **deps:** update prometheus operator to 0.77.1 ([#819](https://github.com/defenseunicorns/uds-core/issues/819)) ([0864b33](https://github.com/defenseunicorns/uds-core/commit/0864b33b2ecde7f73d28c3bad6dab10275969346)) * **deps:** update prometheus-stack ([#855](https://github.com/defenseunicorns/uds-core/issues/855)) ([c791c24](https://github.com/defenseunicorns/uds-core/commit/c791c24de4d27678778225f8487629e6353a2d64)) * **deps:** update prometheus-stack helm-charts to v64.0.0 ([#849](https://github.com/defenseunicorns/uds-core/issues/849)) ([50a2588](https://github.com/defenseunicorns/uds-core/commit/50a258860f79bb291450afbe48a6f61a6650bb9c)) * **deps:** update runtime to v0.6.0 ([#897](https://github.com/defenseunicorns/uds-core/issues/897)) ([89ae6e2](https://github.com/defenseunicorns/uds-core/commit/89ae6e255f32eadf871096bafe0cc1958b1c6e34)) * **deps:** update support-deps ([#890](https://github.com/defenseunicorns/uds-core/issues/890)) ([26ea612](https://github.com/defenseunicorns/uds-core/commit/26ea612bec9ece132509b5ef0d4d1807debbbb62)) * **deps:** update test-infra ([#875](https://github.com/defenseunicorns/uds-core/issues/875)) ([583f07c](https://github.com/defenseunicorns/uds-core/commit/583f07cbf57c2c839b8f6d00bbd098cafe4198a8)) * **deps:** update test-infra to v6.9.0 ([#848](https://github.com/defenseunicorns/uds-core/issues/848)) ([ef9d317](https://github.com/defenseunicorns/uds-core/commit/ef9d317198acedc2007d683b5d169e1f333be433)) * **deps:** update uds to v0.17.0 ([#859](https://github.com/defenseunicorns/uds-core/issues/859)) ([1489fef](https://github.com/defenseunicorns/uds-core/commit/1489fef6d666c54f122373dcdaabda37c3cfafe5)) * **deps:** update zarf to v0.41.0 ([#857](https://github.com/defenseunicorns/uds-core/issues/857)) ([a390c3d](https://github.com/defenseunicorns/uds-core/commit/a390c3d4744ac8cccd4079928844f3568d3caf9f)) * **docs:** update doc structure for site refresh ([#895](https://github.com/defenseunicorns/uds-core/issues/895)) ([1946a9a](https://github.com/defenseunicorns/uds-core/commit/1946a9a8144a0cd383c3af29c33bb828283ef81d)) * fix broken link in docs ([#845](https://github.com/defenseunicorns/uds-core/issues/845)) ([3078a5b](https://github.com/defenseunicorns/uds-core/commit/3078a5b48506a4acb7660f9929279690bcb00984)) * fix license header references ([#901](https://github.com/defenseunicorns/uds-core/issues/901)) ([cf38b82](https://github.com/defenseunicorns/uds-core/commit/cf38b827da351af5b610a064eb0d8fe885b66d89)) * handle upgrade path for functional layers, add doc for usage ([#896](https://github.com/defenseunicorns/uds-core/issues/896)) ([70d6b1b](https://github.com/defenseunicorns/uds-core/commit/70d6b1b943e0e9fc3a36fc7a7600afa0e3f2b511)) * regroup 'support dependencies' in renovate config ([#885](https://github.com/defenseunicorns/uds-core/issues/885)) ([640d859](https://github.com/defenseunicorns/uds-core/commit/640d859a50de6c7d49afec3283fac2a249d04dd7)) * update license ([#878](https://github.com/defenseunicorns/uds-core/issues/878)) ([b086170](https://github.com/defenseunicorns/uds-core/commit/b086170f415c82916a6e493517ac5bc62b2b7aea)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> --- .release-please-manifest.json | 2 +- CHANGELOG.md | 53 +++++++++++++++++++++++ README.md | 4 +- bundles/k3d-slim-dev/uds-bundle.yaml | 6 +-- bundles/k3d-standard/uds-bundle.yaml | 4 +- packages/backup-restore/zarf.yaml | 2 +- packages/base/zarf.yaml | 2 +- packages/identity-authorization/zarf.yaml | 2 +- packages/logging/zarf.yaml | 2 +- packages/metrics-server/zarf.yaml | 2 +- packages/monitoring/zarf.yaml | 2 +- packages/runtime-security/zarf.yaml | 2 +- packages/standard/zarf.yaml | 2 +- packages/ui/zarf.yaml | 2 +- tasks/deploy.yaml | 2 +- tasks/publish.yaml | 2 +- 16 files changed, 72 insertions(+), 19 deletions(-) diff --git a/.release-please-manifest.json b/.release-please-manifest.json index d25a5019b..88d34f8c0 100644 --- a/.release-please-manifest.json +++ b/.release-please-manifest.json @@ -1,3 +1,3 @@ { - ".": "0.28.0" + ".": "0.29.0" } diff --git a/CHANGELOG.md b/CHANGELOG.md index 7711ac21f..1478fe0b0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,59 @@ All notable changes to this project will be documented in this file. +## [0.29.0](https://github.com/defenseunicorns/uds-core/compare/v0.28.0...v0.29.0) (2024-10-11) + + +### Features + +* add base and identity layers ([#853](https://github.com/defenseunicorns/uds-core/issues/853)) ([b3f532a](https://github.com/defenseunicorns/uds-core/commit/b3f532a4fe49e00b2cbcfb8bd4555a807355e8dd)) +* add logging functional layer ([#861](https://github.com/defenseunicorns/uds-core/issues/861)) ([c1a67b9](https://github.com/defenseunicorns/uds-core/commit/c1a67b968116570f81c570f51145d3183c386d14)) +* add metrics-server functional layer ([#865](https://github.com/defenseunicorns/uds-core/issues/865)) ([290367a](https://github.com/defenseunicorns/uds-core/commit/290367af2251c45fdc2ebb0b8f394b2c1ac2f0d8)) +* add monitoring layer ([#872](https://github.com/defenseunicorns/uds-core/issues/872)) ([5ecb040](https://github.com/defenseunicorns/uds-core/commit/5ecb040bb27d8fed2a15617830cc6805df9c6ec7)) +* add nightly testing for rke2 ([#808](https://github.com/defenseunicorns/uds-core/issues/808)) ([c401419](https://github.com/defenseunicorns/uds-core/commit/c4014197b19483657ccc1951d062263433e8b4af)) +* add service accounts options to sso ([#852](https://github.com/defenseunicorns/uds-core/issues/852)) ([1029162](https://github.com/defenseunicorns/uds-core/commit/102916223bbfe4f6d555f72fd8d3a9593853d160)) +* backup and restore layer, ui layer, runtime security layer ([#862](https://github.com/defenseunicorns/uds-core/issues/862)) ([b1d8015](https://github.com/defenseunicorns/uds-core/commit/b1d8015f61b984441578a860d29043d52013082a)) +* grafana-ha ([#838](https://github.com/defenseunicorns/uds-core/issues/838)) ([d532d76](https://github.com/defenseunicorns/uds-core/commit/d532d76f8242a68cf39b5aac7c3b4a8c241d56b3)) + + +### Bug Fixes + +* broken readme link ([#899](https://github.com/defenseunicorns/uds-core/issues/899)) ([6e47b11](https://github.com/defenseunicorns/uds-core/commit/6e47b11f85075c3942c1ca193d5e9d90747b6109)) +* **ci:** switch to larger runners to resolve ci disk space issues ([#882](https://github.com/defenseunicorns/uds-core/issues/882)) ([1af0401](https://github.com/defenseunicorns/uds-core/commit/1af040142babd141441a87ae74fd3c3a530f4fae)) +* snapshot ci version modification and tasks for publish ([#877](https://github.com/defenseunicorns/uds-core/issues/877)) ([f01e5bd](https://github.com/defenseunicorns/uds-core/commit/f01e5bdd65edbdfe2088cdc1bb9d62fb8e5c1b04)) +* support for anywhere network policies in cilium ([#884](https://github.com/defenseunicorns/uds-core/issues/884)) ([5df0737](https://github.com/defenseunicorns/uds-core/commit/5df073768eb9f8c8f00433413039918bdb85d362)) + + +### Miscellaneous + +* cleanup license parsing for github ([#881](https://github.com/defenseunicorns/uds-core/issues/881)) ([43c98ce](https://github.com/defenseunicorns/uds-core/commit/43c98cee6957a3ca155f7fb7e9d3b604c8c5caa7)) +* **deps:** update chainctl action to v0.2.3 ([#864](https://github.com/defenseunicorns/uds-core/issues/864)) ([d782b59](https://github.com/defenseunicorns/uds-core/commit/d782b59363184de07c7546c04ad7edb6fa9e6449)) +* **deps:** update checkout action to v4.2.0 ([#825](https://github.com/defenseunicorns/uds-core/issues/825)) ([29d1c98](https://github.com/defenseunicorns/uds-core/commit/29d1c98069c73869951878372f7ca1ac842bb87d)) +* **deps:** update dependency defenseunicorns/lula to v0.8.0 ([#841](https://github.com/defenseunicorns/uds-core/issues/841)) ([fe36150](https://github.com/defenseunicorns/uds-core/commit/fe36150bceb69155d4aec8d7298fcc19dbca8c36)) +* **deps:** update githubactions ([#866](https://github.com/defenseunicorns/uds-core/issues/866)) ([44f8ea5](https://github.com/defenseunicorns/uds-core/commit/44f8ea5f12b9d0bda9d9231564b95c6a49fd8e83)) +* **deps:** update grafana to 11.2.1 ([#836](https://github.com/defenseunicorns/uds-core/issues/836)) ([11383c1](https://github.com/defenseunicorns/uds-core/commit/11383c188e4f799b5e8e09dc67e5b6f6ebfdca3e)) +* **deps:** update grafana to v11.2.2 ([#867](https://github.com/defenseunicorns/uds-core/issues/867)) ([06ed2c3](https://github.com/defenseunicorns/uds-core/commit/06ed2c323a3f1e895d6f3f87e5388f7a06197b1c)) +* **deps:** update loki nginx image to v1.27.2 ([#894](https://github.com/defenseunicorns/uds-core/issues/894)) ([df7d427](https://github.com/defenseunicorns/uds-core/commit/df7d427cf8f830d7590a144ff9e902245433460b)) +* **deps:** update loki to v3.2.0 ([#791](https://github.com/defenseunicorns/uds-core/issues/791)) ([d3c60b5](https://github.com/defenseunicorns/uds-core/commit/d3c60b5678982d774a721838cf75e06c20087c73)) +* **deps:** update metrics-server chart to v3.12.2 ([#873](https://github.com/defenseunicorns/uds-core/issues/873)) ([e2e61ce](https://github.com/defenseunicorns/uds-core/commit/e2e61ce3319aa9ac48762afe097d72f97175bbce)) +* **deps:** update pepr to v0.37.1 ([#843](https://github.com/defenseunicorns/uds-core/issues/843)) ([68abcb2](https://github.com/defenseunicorns/uds-core/commit/68abcb2df5b7e2097a56e949624790445bc02b41)) +* **deps:** update pepr to v0.37.2 ([#850](https://github.com/defenseunicorns/uds-core/issues/850)) ([b51f659](https://github.com/defenseunicorns/uds-core/commit/b51f659ffbb3880a5da74aa90b62c5ef4a7a05cc)) +* **deps:** update prometheus operator to 0.77.1 ([#819](https://github.com/defenseunicorns/uds-core/issues/819)) ([0864b33](https://github.com/defenseunicorns/uds-core/commit/0864b33b2ecde7f73d28c3bad6dab10275969346)) +* **deps:** update prometheus-stack ([#855](https://github.com/defenseunicorns/uds-core/issues/855)) ([c791c24](https://github.com/defenseunicorns/uds-core/commit/c791c24de4d27678778225f8487629e6353a2d64)) +* **deps:** update prometheus-stack helm-charts to v64.0.0 ([#849](https://github.com/defenseunicorns/uds-core/issues/849)) ([50a2588](https://github.com/defenseunicorns/uds-core/commit/50a258860f79bb291450afbe48a6f61a6650bb9c)) +* **deps:** update runtime to v0.6.0 ([#897](https://github.com/defenseunicorns/uds-core/issues/897)) ([89ae6e2](https://github.com/defenseunicorns/uds-core/commit/89ae6e255f32eadf871096bafe0cc1958b1c6e34)) +* **deps:** update support-deps ([#890](https://github.com/defenseunicorns/uds-core/issues/890)) ([26ea612](https://github.com/defenseunicorns/uds-core/commit/26ea612bec9ece132509b5ef0d4d1807debbbb62)) +* **deps:** update test-infra ([#875](https://github.com/defenseunicorns/uds-core/issues/875)) ([583f07c](https://github.com/defenseunicorns/uds-core/commit/583f07cbf57c2c839b8f6d00bbd098cafe4198a8)) +* **deps:** update test-infra to v6.9.0 ([#848](https://github.com/defenseunicorns/uds-core/issues/848)) ([ef9d317](https://github.com/defenseunicorns/uds-core/commit/ef9d317198acedc2007d683b5d169e1f333be433)) +* **deps:** update uds to v0.17.0 ([#859](https://github.com/defenseunicorns/uds-core/issues/859)) ([1489fef](https://github.com/defenseunicorns/uds-core/commit/1489fef6d666c54f122373dcdaabda37c3cfafe5)) +* **deps:** update zarf to v0.41.0 ([#857](https://github.com/defenseunicorns/uds-core/issues/857)) ([a390c3d](https://github.com/defenseunicorns/uds-core/commit/a390c3d4744ac8cccd4079928844f3568d3caf9f)) +* **docs:** update doc structure for site refresh ([#895](https://github.com/defenseunicorns/uds-core/issues/895)) ([1946a9a](https://github.com/defenseunicorns/uds-core/commit/1946a9a8144a0cd383c3af29c33bb828283ef81d)) +* fix broken link in docs ([#845](https://github.com/defenseunicorns/uds-core/issues/845)) ([3078a5b](https://github.com/defenseunicorns/uds-core/commit/3078a5b48506a4acb7660f9929279690bcb00984)) +* fix license header references ([#901](https://github.com/defenseunicorns/uds-core/issues/901)) ([cf38b82](https://github.com/defenseunicorns/uds-core/commit/cf38b827da351af5b610a064eb0d8fe885b66d89)) +* handle upgrade path for functional layers, add doc for usage ([#896](https://github.com/defenseunicorns/uds-core/issues/896)) ([70d6b1b](https://github.com/defenseunicorns/uds-core/commit/70d6b1b943e0e9fc3a36fc7a7600afa0e3f2b511)) +* regroup 'support dependencies' in renovate config ([#885](https://github.com/defenseunicorns/uds-core/issues/885)) ([640d859](https://github.com/defenseunicorns/uds-core/commit/640d859a50de6c7d49afec3283fac2a249d04dd7)) +* update license ([#878](https://github.com/defenseunicorns/uds-core/issues/878)) ([b086170](https://github.com/defenseunicorns/uds-core/commit/b086170f415c82916a6e493517ac5bc62b2b7aea)) + ## [0.28.0](https://github.com/defenseunicorns/uds-core/compare/v0.27.3...v0.28.0) (2024-09-27) diff --git a/README.md b/README.md index 506d7ab71..2a822ad61 100644 --- a/README.md +++ b/README.md @@ -56,7 +56,7 @@ If you want to try out UDS Core, you can use the [k3d-core-demo bundle](./bundle ```bash -uds deploy k3d-core-demo:0.28.0 +uds deploy k3d-core-demo:0.29.0 ``` @@ -70,7 +70,7 @@ Deploy Istio, Keycloak and Pepr: ```bash -uds deploy k3d-core-slim-dev:0.28.0 +uds deploy k3d-core-slim-dev:0.29.0 ``` diff --git a/bundles/k3d-slim-dev/uds-bundle.yaml b/bundles/k3d-slim-dev/uds-bundle.yaml index 61b7f7f92..0e4b28ea9 100644 --- a/bundles/k3d-slim-dev/uds-bundle.yaml +++ b/bundles/k3d-slim-dev/uds-bundle.yaml @@ -6,7 +6,7 @@ metadata: name: k3d-core-slim-dev description: A UDS bundle for deploying Istio from UDS Core on a development cluster # x-release-please-start-version - version: "0.28.0" + version: "0.29.0" # x-release-please-end packages: @@ -37,7 +37,7 @@ packages: - name: core-base path: ../../build/ # x-release-please-start-version - ref: 0.28.0 + ref: 0.29.0 # x-release-please-end overrides: istio-admin-gateway: @@ -73,7 +73,7 @@ packages: - name: core-identity-authorization path: ../../build/ # x-release-please-start-version - ref: 0.28.0 + ref: 0.29.0 # x-release-please-end overrides: keycloak: diff --git a/bundles/k3d-standard/uds-bundle.yaml b/bundles/k3d-standard/uds-bundle.yaml index 5f0993f14..f0e9c2bab 100644 --- a/bundles/k3d-standard/uds-bundle.yaml +++ b/bundles/k3d-standard/uds-bundle.yaml @@ -6,7 +6,7 @@ metadata: name: k3d-core-demo description: A UDS bundle for deploying the standard UDS Core package on a development cluster # x-release-please-start-version - version: "0.28.0" + version: "0.29.0" # x-release-please-end packages: @@ -37,7 +37,7 @@ packages: - name: core path: ../../build/ # x-release-please-start-version - ref: 0.28.0 + ref: 0.29.0 # x-release-please-end optionalComponents: - istio-passthrough-gateway diff --git a/packages/backup-restore/zarf.yaml b/packages/backup-restore/zarf.yaml index 73cd943a8..bfed659f8 100644 --- a/packages/backup-restore/zarf.yaml +++ b/packages/backup-restore/zarf.yaml @@ -7,7 +7,7 @@ metadata: description: "UDS Core (Backup and Restore)" authors: "Defense Unicorns - Product" # x-release-please-start-version - version: "0.28.0" + version: "0.29.0" # x-release-please-end x-uds-dependencies: ["base"] diff --git a/packages/base/zarf.yaml b/packages/base/zarf.yaml index 7389c8af5..254120929 100644 --- a/packages/base/zarf.yaml +++ b/packages/base/zarf.yaml @@ -7,7 +7,7 @@ metadata: description: "UDS Core (Base)" authors: "Defense Unicorns - Product" # x-release-please-start-version - version: "0.28.0" + version: "0.29.0" # x-release-please-end x-uds-dependencies: [] diff --git a/packages/identity-authorization/zarf.yaml b/packages/identity-authorization/zarf.yaml index 7cb804939..2d985c0a3 100644 --- a/packages/identity-authorization/zarf.yaml +++ b/packages/identity-authorization/zarf.yaml @@ -7,7 +7,7 @@ metadata: description: "UDS Core (Identity & Authorization)" authors: "Defense Unicorns - Product" # x-release-please-start-version - version: "0.28.0" + version: "0.29.0" # x-release-please-end x-uds-dependencies: ["base"] diff --git a/packages/logging/zarf.yaml b/packages/logging/zarf.yaml index f6bd0205c..416d18e05 100644 --- a/packages/logging/zarf.yaml +++ b/packages/logging/zarf.yaml @@ -7,7 +7,7 @@ metadata: description: "UDS Core (Logging)" authors: "Defense Unicorns - Product" # x-release-please-start-version - version: "0.28.0" + version: "0.29.0" # x-release-please-end x-uds-dependencies: ["base"] diff --git a/packages/metrics-server/zarf.yaml b/packages/metrics-server/zarf.yaml index 6f9fd9b51..7658b4526 100644 --- a/packages/metrics-server/zarf.yaml +++ b/packages/metrics-server/zarf.yaml @@ -7,7 +7,7 @@ metadata: description: "UDS Core (Metrics Server)" authors: "Defense Unicorns - Product" # x-release-please-start-version - version: "0.28.0" + version: "0.29.0" # x-release-please-end x-uds-dependencies: ["base"] diff --git a/packages/monitoring/zarf.yaml b/packages/monitoring/zarf.yaml index 3f5414ba0..9cd7340ef 100644 --- a/packages/monitoring/zarf.yaml +++ b/packages/monitoring/zarf.yaml @@ -7,7 +7,7 @@ metadata: description: "UDS Core Monitoring (Prometheus and Grafana)" authors: "Defense Unicorns - Product" # x-release-please-start-version - version: "0.28.0" + version: "0.29.0" # x-release-please-end x-uds-dependencies: ["base", "identity-authorization"] diff --git a/packages/runtime-security/zarf.yaml b/packages/runtime-security/zarf.yaml index 1296c148d..99ecd76ab 100644 --- a/packages/runtime-security/zarf.yaml +++ b/packages/runtime-security/zarf.yaml @@ -7,7 +7,7 @@ metadata: description: "UDS Core (Runtime Security)" authors: "Defense Unicorns - Product" # x-release-please-start-version - version: "0.28.0" + version: "0.29.0" # x-release-please-end x-uds-dependencies: ["base", "identity-authorization"] diff --git a/packages/standard/zarf.yaml b/packages/standard/zarf.yaml index 82090fdf7..fc79236de 100644 --- a/packages/standard/zarf.yaml +++ b/packages/standard/zarf.yaml @@ -7,7 +7,7 @@ metadata: description: "UDS Core" authors: "Defense Unicorns - Product" # x-release-please-start-version - version: "0.28.0" + version: "0.29.0" # x-release-please-end components: diff --git a/packages/ui/zarf.yaml b/packages/ui/zarf.yaml index f7c21c97b..c69cd5493 100644 --- a/packages/ui/zarf.yaml +++ b/packages/ui/zarf.yaml @@ -7,7 +7,7 @@ metadata: description: "UDS Core (UI)" authors: "Defense Unicorns - Product" # x-release-please-start-version - version: "0.28.0" + version: "0.29.0" # x-release-please-end x-uds-dependencies: ["base", "identity-authorization"] diff --git a/tasks/deploy.yaml b/tasks/deploy.yaml index 5c5d83d5c..09325a263 100644 --- a/tasks/deploy.yaml +++ b/tasks/deploy.yaml @@ -9,7 +9,7 @@ variables: - name: VERSION description: "The version of the packages to deploy" # x-release-please-start-version - default: "0.28.0" + default: "0.29.0" # x-release-please-end - name: FLAVOR default: upstream diff --git a/tasks/publish.yaml b/tasks/publish.yaml index 97441d4f4..4a523a95d 100644 --- a/tasks/publish.yaml +++ b/tasks/publish.yaml @@ -14,7 +14,7 @@ variables: - name: VERSION description: "The version of the packages to build" # x-release-please-start-version - default: "0.28.0" + default: "0.29.0" # x-release-please-end - name: LAYER From 3663cc7405d929725ab22a1855761b320b5d8f4e Mon Sep 17 00:00:00 2001 From: Micah Nagel Date: Fri, 11 Oct 2024 16:30:50 -0600 Subject: [PATCH 66/90] fix: adr link in func layers doc (#903) ## Description Quick doc link fix. --- docs/reference/UDS Core/functional-layers.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/reference/UDS Core/functional-layers.md b/docs/reference/UDS Core/functional-layers.md index 7ba6a8f3a..47345dc9b 100644 --- a/docs/reference/UDS Core/functional-layers.md +++ b/docs/reference/UDS Core/functional-layers.md @@ -4,7 +4,7 @@ title: Functional Layers ## Background -Context on the inclusion of "functional layers" can be viewed in our [ADR](https://github.com/defenseunicorns/uds-core/blob/main/docs/adrs/0002-uds-core-functional-layers.md). In short, UDS Core publishes smaller Zarf packages that contain subsets of core's capabilities, grouped by their function (such as monitoring, logging, backup/restore, etc) to allow more flexibility in deployment. This helps to support resource constrained environments (edge deployments) and other situations where an environment has different needs than the default core stack. +Context on the inclusion of "functional layers" can be viewed in our [ADR](https://github.com/defenseunicorns/uds-core/blob/main/adrs/0002-uds-core-functional-layers.md). In short, UDS Core publishes smaller Zarf packages that contain subsets of core's capabilities, grouped by their function (such as monitoring, logging, backup/restore, etc) to allow more flexibility in deployment. This helps to support resource constrained environments (edge deployments) and other situations where an environment has different needs than the default core stack. Each layer is published as an individual OCI Zarf package. Package sources can be viewed under the [`packages` directory](https://github.com/defenseunicorns/uds-core/tree/main/packages), with each folder containing a readme detailing the contents and any dependencies. All layers assume the requirement of the base layer which provides Istio, the UDS Operator, and UDS Policy Engine. From f6c2496d09aa61e920c21cbf6a78e73c1318980b Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 15 Oct 2024 07:57:47 -0600 Subject: [PATCH 67/90] chore(deps): update support-deps (#898) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | aws | required_provider | minor | `~> 5.70.0` -> `~> 5.71.0` | | [defenseunicorns/lula](https://redirect.github.com/defenseunicorns/lula) | | minor | `v0.8.0` -> `v0.9.1` | | [defenseunicorns/uds-common](https://redirect.github.com/defenseunicorns/uds-common) | | minor | `v1.0.0` -> `v1.1.0` | | [terraform-aws-modules/s3-bucket/aws](https://registry.terraform.io/modules/terraform-aws-modules/s3-bucket/aws) ([source](https://redirect.github.com/terraform-aws-modules/terraform-aws-s3-bucket)) | module | patch | `4.2.0` -> `4.2.1` | --- ### Release Notes
defenseunicorns/lula (defenseunicorns/lula) ### [`v0.9.1`](https://redirect.github.com/defenseunicorns/lula/releases/tag/v0.9.1) [Compare Source](https://redirect.github.com/defenseunicorns/lula/compare/v0.9.0...v0.9.1) ##### Bug Fixes - **release:** add environment to push job ([#​735](https://redirect.github.com/defenseunicorns/lula/issues/735)) ([1ed52f1](https://redirect.github.com/defenseunicorns/lula/commit/1ed52f1cf36214ef20ac5a95cee5d5f266232192)) #### What's Changed - fix(release): add environment to push job by [@​brandtkeller](https://redirect.github.com/brandtkeller) in [https://github.com/defenseunicorns/lula/pull/735](https://redirect.github.com/defenseunicorns/lula/pull/735) - chore(main): release 0.9.1 by [@​github-actions](https://redirect.github.com/github-actions) in [https://github.com/defenseunicorns/lula/pull/734](https://redirect.github.com/defenseunicorns/lula/pull/734) **Full Changelog**: https://github.com/defenseunicorns/lula/compare/v0.9.0...v0.9.1 ### [`v0.9.0`](https://redirect.github.com/defenseunicorns/lula/releases/tag/v0.9.0) [Compare Source](https://redirect.github.com/defenseunicorns/lula/compare/v0.8.0...v0.9.0) ##### ⚠ BREAKING CHANGES - **kubernetes:** wait logic kubernetes version support ([#​718](https://redirect.github.com/defenseunicorns/lula/issues/718)) ##### Features - **compose:** template files during compose operations ([#​686](https://redirect.github.com/defenseunicorns/lula/issues/686)) ([c1745a4](https://redirect.github.com/defenseunicorns/lula/commit/c1745a41ff15b9cf8d6f5c4bf459be88bc84cbf9)) - **domains:** file domain ([#​703](https://redirect.github.com/defenseunicorns/lula/issues/703)) ([bd4f577](https://redirect.github.com/defenseunicorns/lula/commit/bd4f57778c5e5bac539d14955e594ee15312c39c)) - **file domain:** add support for reading arbitrary files as strings ([#​726](https://redirect.github.com/defenseunicorns/lula/issues/726)) ([0b1c0c8](https://redirect.github.com/defenseunicorns/lula/commit/0b1c0c8ddf7c0f5de8e23a0b42ca2348efaaef78)) - **kubernetes:** support running both create resources and resources in the kubernetes spec ([#​714](https://redirect.github.com/defenseunicorns/lula/issues/714)) ([6839d20](https://redirect.github.com/defenseunicorns/lula/commit/6839d205ea0f4434d6af2071f3f3ed444b131944)) - **kubernetes:** wait logic kubernetes version support ([#​718](https://redirect.github.com/defenseunicorns/lula/issues/718)) ([cc06251](https://redirect.github.com/defenseunicorns/lula/commit/cc06251e75facf6f321ad4ca2f8609f782dcfb29)) - **release:** add brew install for lula ([#​707](https://redirect.github.com/defenseunicorns/lula/issues/707)) ([fd1d3e0](https://redirect.github.com/defenseunicorns/lula/commit/fd1d3e08754a845e25c849b280ed6390a377e138)) - **validate:** template oscal during runtime ([#​708](https://redirect.github.com/defenseunicorns/lula/issues/708)) ([3f5a110](https://redirect.github.com/defenseunicorns/lula/commit/3f5a110ecf692d99e1511ac82b737d82764321c2)) ##### Bug Fixes - add goreleaser pin version annotate ([#​712](https://redirect.github.com/defenseunicorns/lula/issues/712)) ([68bc101](https://redirect.github.com/defenseunicorns/lula/commit/68bc1014edb701da12ddde6ae83ba90c8e19e774)) - **composition:** nil pointer in composition ([#​733](https://redirect.github.com/defenseunicorns/lula/issues/733)) ([8ad4209](https://redirect.github.com/defenseunicorns/lula/commit/8ad420970cd6bd72ee0c18e6c25a4578e9db4432)) - **console:** refactor, retries, sleep to address flaky tests ([#​698](https://redirect.github.com/defenseunicorns/lula/issues/698)) ([02101a5](https://redirect.github.com/defenseunicorns/lula/commit/02101a5633c009ff46083651745b6aa40ac62448)) - **console:** reset compdef when editing ([#​701](https://redirect.github.com/defenseunicorns/lula/issues/701)) ([4e25f01](https://redirect.github.com/defenseunicorns/lula/commit/4e25f014d8ba9bd88df3317ec51ce3fa783203d0)) - **read:** error checking prior to file writes ([#​687](https://redirect.github.com/defenseunicorns/lula/issues/687)) ([1ab0eef](https://redirect.github.com/defenseunicorns/lula/commit/1ab0eefdeeb1d59f16f33249b1a6fce141ef5942)) ##### Miscellaneous - add global command context for program cancelation and everything else ([#​696](https://redirect.github.com/defenseunicorns/lula/issues/696)) ([df81cf7](https://redirect.github.com/defenseunicorns/lula/commit/df81cf7a74e6f78c27055b82c20375f53976cea8)) - **deps:** update actions/checkout action to v4.2.1 ([#​713](https://redirect.github.com/defenseunicorns/lula/issues/713)) ([802601a](https://redirect.github.com/defenseunicorns/lula/commit/802601a70fadfc142a47cc6e8528478a6aac3291)) - **deps:** update actions/upload-artifact action to v4.4.3 ([#​711](https://redirect.github.com/defenseunicorns/lula/issues/711)) ([a954664](https://redirect.github.com/defenseunicorns/lula/commit/a954664d0b2e25d58097425dfbeac193a200b6c5)) - **deps:** update github/codeql-action action to v3.26.12 ([#​691](https://redirect.github.com/defenseunicorns/lula/issues/691)) ([0efb120](https://redirect.github.com/defenseunicorns/lula/commit/0efb120a6f50e650a5e2962125a7495a21236fb8)) - **deps:** update module github.com/open-policy-agent/opa to v0.69.0 ([#​692](https://redirect.github.com/defenseunicorns/lula/issues/692)) ([e08d695](https://redirect.github.com/defenseunicorns/lula/commit/e08d695ea6629e2c60a33ae85edf076bbb49ee68)) - **deps:** update module sigs.k8s.io/cli-utils to v0.37.2 ([#​721](https://redirect.github.com/defenseunicorns/lula/issues/721)) ([5fd0f32](https://redirect.github.com/defenseunicorns/lula/commit/5fd0f3244e5543e5302fce2ea4a42afc87026217)) - update getting started doc to include brew install ([#​720](https://redirect.github.com/defenseunicorns/lula/issues/720)) ([26c3f8d](https://redirect.github.com/defenseunicorns/lula/commit/26c3f8dd1d9a5e31d7bf3936b453a3e0edfd2755))
defenseunicorns/uds-common (defenseunicorns/uds-common) ### [`v1.1.0`](https://redirect.github.com/defenseunicorns/uds-common/releases/tag/v1.1.0) [Compare Source](https://redirect.github.com/defenseunicorns/uds-common/compare/v1.0.0...v1.1.0) ##### ⚠ BREAKING CHANGES - update the license to AGPLv3 or Commercial ([#​286](https://redirect.github.com/defenseunicorns/uds-common/issues/286)) ##### Bug Fixes - modified jq command ([#​292](https://redirect.github.com/defenseunicorns/uds-common/issues/292)) ([d566e86](https://redirect.github.com/defenseunicorns/uds-common/commit/d566e86c5a78f2124116113ea3ed35695caec5be)) - simplify git command for flavor checks ([#​290](https://redirect.github.com/defenseunicorns/uds-common/issues/290)) ([72c4e35](https://redirect.github.com/defenseunicorns/uds-common/commit/72c4e35d5f9f6ed877c184cf748e67a77e4fa771)) - upgrade test not cloning in private repos ([#​295](https://redirect.github.com/defenseunicorns/uds-common/issues/295)) ([1dde808](https://redirect.github.com/defenseunicorns/uds-common/commit/1dde808b943c554edcd401fb814d504ee74117c0)) ##### Miscellaneous - **badging:** include unicorn flavor suggstion for bronze ([#​288](https://redirect.github.com/defenseunicorns/uds-common/issues/288)) ([f668b06](https://redirect.github.com/defenseunicorns/uds-common/commit/f668b06f1597efd3c701a47ce28de1d8f298b1b8)) - **deps:** update support-deps to v4.4.3 ([#​282](https://redirect.github.com/defenseunicorns/uds-common/issues/282)) ([13d35ef](https://redirect.github.com/defenseunicorns/uds-common/commit/13d35ef9831c71cc217ef43f2c13562f40a3ec5b)) - **deps:** update uds common package dependencies to v1.27.2 ([#​229](https://redirect.github.com/defenseunicorns/uds-common/issues/229)) ([5b6a722](https://redirect.github.com/defenseunicorns/uds-common/commit/5b6a7223469bddf79be079baab1e3333a01c71e5)) - disable stale PR rebasing for renovate ([#​284](https://redirect.github.com/defenseunicorns/uds-common/issues/284)) ([27ca69e](https://redirect.github.com/defenseunicorns/uds-common/commit/27ca69e53d980672b655b03ee854d2e7ea0462dc)) - have addlicense ignore gitignored files ([#​294](https://redirect.github.com/defenseunicorns/uds-common/issues/294)) ([1bf662e](https://redirect.github.com/defenseunicorns/uds-common/commit/1bf662e890a238bf49234e9768d5fa7078d4fdb3)) - make all Maru references local includes ([#​287](https://redirect.github.com/defenseunicorns/uds-common/issues/287)) ([727db0f](https://redirect.github.com/defenseunicorns/uds-common/commit/727db0fae26a4397361bab84de18dd253a755c79)) - update the license to AGPLv3 or Commercial ([#​286](https://redirect.github.com/defenseunicorns/uds-common/issues/286)) ([2a9ca00](https://redirect.github.com/defenseunicorns/uds-common/commit/2a9ca00409f3bb513d2f256bcf1a91146b94d514))
terraform-aws-modules/terraform-aws-s3-bucket (terraform-aws-modules/s3-bucket/aws) ### [`v4.2.1`](https://redirect.github.com/terraform-aws-modules/terraform-aws-s3-bucket/blob/HEAD/CHANGELOG.md#421-2024-10-11) [Compare Source](https://redirect.github.com/terraform-aws-modules/terraform-aws-s3-bucket/compare/v4.2.0...v4.2.1) ##### Bug Fixes - Update CI workflow versions to latest ([#​293](https://redirect.github.com/terraform-aws-modules/terraform-aws-s3-bucket/issues/293)) ([522fcff](https://redirect.github.com/terraform-aws-modules/terraform-aws-s3-bucket/commit/522fcffdf90b1325501e021548962f41978aeefc))
--- ### Configuration πŸ“… **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. β™» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. πŸ‘» **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/defenseunicorns/uds-core). --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Micah Nagel --- .github/actions/setup/action.yaml | 2 +- .github/bundles/eks/uds-bundle.yaml | 4 ++-- .github/bundles/rke2/uds-bundle.yaml | 4 ++-- .github/test-infra/aws/rke2/irsa.tf | 2 +- .github/test-infra/aws/rke2/versions.tf | 2 +- release-please-config.json | 3 ++- tasks/create.yaml | 2 +- 7 files changed, 10 insertions(+), 9 deletions(-) diff --git a/.github/actions/setup/action.yaml b/.github/actions/setup/action.yaml index 7ebb273a8..76fdcb24e 100644 --- a/.github/actions/setup/action.yaml +++ b/.github/actions/setup/action.yaml @@ -41,7 +41,7 @@ runs: uses: defenseunicorns/lula-action/setup@badad8c4b1570095f57e66ffd62664847698a3b9 # v0.0.1 with: # renovate: datasource=github-tags depName=defenseunicorns/lula versioning=semver-coerced - version: v0.8.0 + version: v0.9.1 - name: Iron Bank Login if: ${{ inputs.registry1Username != '' }} diff --git a/.github/bundles/eks/uds-bundle.yaml b/.github/bundles/eks/uds-bundle.yaml index 94549f9d1..749446375 100644 --- a/.github/bundles/eks/uds-bundle.yaml +++ b/.github/bundles/eks/uds-bundle.yaml @@ -6,7 +6,7 @@ metadata: name: uds-core-eks-nightly description: A UDS bundle for deploying EKS and UDS Core # x-release-please-start-version - version: "0.28.0" + version: "0.29.0" # x-release-please-end packages: @@ -17,7 +17,7 @@ packages: - name: core path: ../../../build # x-release-please-start-version - ref: 0.28.0 + ref: 0.29.0 # x-release-please-end optionalComponents: - metrics-server diff --git a/.github/bundles/rke2/uds-bundle.yaml b/.github/bundles/rke2/uds-bundle.yaml index 7caecb4f1..1e2d1e214 100644 --- a/.github/bundles/rke2/uds-bundle.yaml +++ b/.github/bundles/rke2/uds-bundle.yaml @@ -6,7 +6,7 @@ metadata: name: uds-core-rke2-nightly description: A UDS bundle for deploying RKE2 and UDS Core # x-release-please-start-version - version: "0.28.0" + version: "0.29.0" # x-release-please-end packages: @@ -38,7 +38,7 @@ packages: - name: core path: ../../../build # x-release-please-start-version - ref: 0.28.0 + ref: 0.29.0 # x-release-please-end optionalComponents: - metrics-server diff --git a/.github/test-infra/aws/rke2/irsa.tf b/.github/test-infra/aws/rke2/irsa.tf index 5996e24aa..8ab35fea6 100644 --- a/.github/test-infra/aws/rke2/irsa.tf +++ b/.github/test-infra/aws/rke2/irsa.tf @@ -36,7 +36,7 @@ resource "aws_secretsmanager_secret_version" "private_key" { # Public bucket to host OIDC files module "oidc_bucket" { source = "terraform-aws-modules/s3-bucket/aws" - version = "4.2.0" + version = "4.2.1" bucket = "${var.environment}-oidc-${random_string.ssm.result}" force_destroy = var.force_destroy diff --git a/.github/test-infra/aws/rke2/versions.tf b/.github/test-infra/aws/rke2/versions.tf index 21fc2933b..95e96e2de 100644 --- a/.github/test-infra/aws/rke2/versions.tf +++ b/.github/test-infra/aws/rke2/versions.tf @@ -6,7 +6,7 @@ terraform { } required_providers { aws = { - version = "~> 5.70.0" + version = "~> 5.71.0" } random = { version = "~> 3.6.0" diff --git a/release-please-config.json b/release-please-config.json index 1460f8ee1..cb60d25d4 100644 --- a/release-please-config.json +++ b/release-please-config.json @@ -12,7 +12,6 @@ "bump-minor-pre-major": true, "versioning": "default", "extra-files": [ - ".github/bundles/uds-bundle.yaml", "README.md", "packages/base/zarf.yaml", "packages/identity-authorization/zarf.yaml", @@ -25,6 +24,8 @@ "packages/standard/zarf.yaml", "bundles/k3d-slim-dev/uds-bundle.yaml", "bundles/k3d-standard/uds-bundle.yaml", + ".github/bundles/rke2/uds-bundle.yaml", + ".github/bundles/eks/uds-bundle.yaml", "tasks/deploy.yaml", "tasks/publish.yaml" ] diff --git a/tasks/create.yaml b/tasks/create.yaml index 248cbbb18..d326e291c 100644 --- a/tasks/create.yaml +++ b/tasks/create.yaml @@ -3,7 +3,7 @@ includes: - - common: https://raw.githubusercontent.com/defenseunicorns/uds-common/v1.0.0/tasks/create.yaml + - common: https://raw.githubusercontent.com/defenseunicorns/uds-common/v1.1.0/tasks/create.yaml variables: - name: FLAVOR From b8be8c63f19c43ec9e95d471db347ab7b47b17c7 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 15 Oct 2024 09:23:04 -0600 Subject: [PATCH 68/90] chore(deps): update support dependencies to v0.192.0 (#906) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This PR contains the following updates: | Package | Update | Change | |---|---|---| | [weaveworks/eksctl](https://redirect.github.com/weaveworks/eksctl) | minor | `v0.191.0` -> `v0.192.0` | --- ### Release Notes
weaveworks/eksctl (weaveworks/eksctl) ### [`v0.192.0`](https://redirect.github.com/eksctl-io/eksctl/releases/tag/v0.192.0): eksctl 0.192.0 [Compare Source](https://redirect.github.com/weaveworks/eksctl/compare/0.192.0...0.192.0) ##### Release v0.192.0 ##### πŸš€ Features - Add support for EKS accelerated AMIs based on AL2023 ([#​7996](https://redirect.github.com/weaveworks/eksctl/issues/7996)) ##### 🎯 Improvements - cleanup efa installer archive before install ([#​6870](https://redirect.github.com/weaveworks/eksctl/issues/6870)) ##### πŸ› Bug Fixes - Disallow `overrideBootstrapCommand` and `preBootstrapCommands` for MNG AL2023 ([#​7990](https://redirect.github.com/weaveworks/eksctl/issues/7990)) ##### Acknowledgments The eksctl maintainers would like to sincerely thank [@​vsoch](https://redirect.github.com/vsoch). ### [`v0.192.0`](https://redirect.github.com/eksctl-io/eksctl/releases/tag/v0.192.0): eksctl 0.192.0 [Compare Source](https://redirect.github.com/weaveworks/eksctl/compare/0.191.0...0.192.0) ##### Release v0.192.0 ##### πŸš€ Features - Add support for EKS accelerated AMIs based on AL2023 ([#​7996](https://redirect.github.com/weaveworks/eksctl/issues/7996)) ##### 🎯 Improvements - cleanup efa installer archive before install ([#​6870](https://redirect.github.com/weaveworks/eksctl/issues/6870)) ##### πŸ› Bug Fixes - Disallow `overrideBootstrapCommand` and `preBootstrapCommands` for MNG AL2023 ([#​7990](https://redirect.github.com/weaveworks/eksctl/issues/7990)) ##### Acknowledgments The eksctl maintainers would like to sincerely thank [@​vsoch](https://redirect.github.com/vsoch).
--- ### Configuration πŸ“… **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. β™» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. πŸ”• **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/defenseunicorns/uds-core). Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- tasks/iac.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/iac.yaml b/tasks/iac.yaml index 8c13e5ffe..0c178bab9 100644 --- a/tasks/iac.yaml +++ b/tasks/iac.yaml @@ -18,7 +18,7 @@ tasks: - name: install-eksctl actions: - cmd: | - curl --silent --location "https://github.com/weaveworks/eksctl/releases/download/v0.191.0/eksctl_Linux_amd64.tar.gz" | tar xz -C /tmp + curl --silent --location "https://github.com/weaveworks/eksctl/releases/download/v0.192.0/eksctl_Linux_amd64.tar.gz" | tar xz -C /tmp sudo mv /tmp/eksctl /usr/local/bin - name: create-cluster From 99586d22e2cd74bd0fe169fb8d405674e13fba49 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 15 Oct 2024 16:35:12 +0000 Subject: [PATCH 69/90] chore(deps): update grafana helm chart to v8.5.5 (#905) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This PR contains the following updates: | Package | Update | Change | |---|---|---| | [grafana](https://grafana.com) ([source](https://redirect.github.com/grafana/helm-charts)) | patch | `8.5.2` -> `8.5.5` | --- ### Release Notes
grafana/helm-charts (grafana) ### [`v8.5.5`](https://redirect.github.com/grafana/helm-charts/releases/tag/grafana-8.5.5) [Compare Source](https://redirect.github.com/grafana/helm-charts/compare/grafana-8.5.4...grafana-8.5.5) The leading tool for querying and visualizing time series and metrics. #### What's Changed - \[grafana] Replicas could be 0 [#​3337](https://redirect.github.com/grafana/helm-charts/issues/3337) by [@​ramon951](https://redirect.github.com/ramon951) in [https://github.com/grafana/helm-charts/pull/3343](https://redirect.github.com/grafana/helm-charts/pull/3343) #### New Contributors - [@​ramon951](https://redirect.github.com/ramon951) made their first contribution in [https://github.com/grafana/helm-charts/pull/3343](https://redirect.github.com/grafana/helm-charts/pull/3343) **Full Changelog**: https://github.com/grafana/helm-charts/compare/tempo-distributed-1.18.4...grafana-8.5.5 ### [`v8.5.4`](https://redirect.github.com/grafana/helm-charts/releases/tag/grafana-8.5.4) [Compare Source](https://redirect.github.com/grafana/helm-charts/compare/grafana-8.5.3...grafana-8.5.4) The leading tool for querying and visualizing time series and metrics. #### What's Changed - \[grafana] chore: bump k8s-sidecar to 1.28.0 by [@​mlflr](https://redirect.github.com/mlflr) in [https://github.com/grafana/helm-charts/pull/3348](https://redirect.github.com/grafana/helm-charts/pull/3348) #### New Contributors - [@​mlflr](https://redirect.github.com/mlflr) made their first contribution in [https://github.com/grafana/helm-charts/pull/3348](https://redirect.github.com/grafana/helm-charts/pull/3348) **Full Changelog**: https://github.com/grafana/helm-charts/compare/mimir-distributed-5.5.0...grafana-8.5.4 ### [`v8.5.3`](https://redirect.github.com/grafana/helm-charts/releases/tag/grafana-8.5.3) [Compare Source](https://redirect.github.com/grafana/helm-charts/compare/grafana-8.5.2...grafana-8.5.3) The leading tool for querying and visualizing time series and metrics. #### What's Changed - \[grafana] Update Grafana to version 11.2.2 by [@​terop](https://redirect.github.com/terop) in [https://github.com/grafana/helm-charts/pull/3356](https://redirect.github.com/grafana/helm-charts/pull/3356) **Full Changelog**: https://github.com/grafana/helm-charts/compare/alloy-0.9.1...grafana-8.5.3
--- ### Configuration πŸ“… **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. β™» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. πŸ”• **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/defenseunicorns/uds-core). Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Micah Nagel --- src/grafana/common/zarf.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/grafana/common/zarf.yaml b/src/grafana/common/zarf.yaml index b82cbe683..561982e2a 100644 --- a/src/grafana/common/zarf.yaml +++ b/src/grafana/common/zarf.yaml @@ -17,7 +17,7 @@ components: localPath: ../chart - name: grafana url: https://grafana.github.io/helm-charts/ - version: 8.5.2 + version: 8.5.5 namespace: grafana valuesFiles: - ../values/values.yaml From a2916db2c5af8fd81fc39c9b4e605534836a01c8 Mon Sep 17 00:00:00 2001 From: Noah <40781376+noahpb@users.noreply.github.com> Date: Tue, 15 Oct 2024 14:41:40 -0400 Subject: [PATCH 70/90] docs: fix broken links in uds operator/policy docs (#907) ## Description Fixes broken links in uds operator code base (`./src/pepr`) ## Type of change - [x] Bug fix (non-breaking change which fixes an issue) - [ ] New feature (non-breaking change which adds functionality) - [ ] Other (security config, docs update, etc) ## Checklist before merging - [x] Test, docs, adr added or updated as needed - [ ] [Contributor Guide](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md) followed --- src/pepr/operator/README.md | 2 +- src/pepr/policies/README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/pepr/operator/README.md b/src/pepr/operator/README.md index 5b95cea2d..bc6079a8d 100644 --- a/src/pepr/operator/README.md +++ b/src/pepr/operator/README.md @@ -12,7 +12,7 @@ The UDS Operator manages the lifecycle of UDS Package CRs and their correspondin #### Exemption -- allowing exemption custom resources only in the `uds-policy-exemptions` namespace unless configured to allow in all namespaces (see [configuring policy exemptions](../../../docs/configuration/uds-configure-policy-exemptions.md)) +- allowing exemption custom resources only in the `uds-policy-exemptions` namespace unless configured to allow in all namespaces (see [configuring policy exemptions](../../../docs/reference/configuration/uds-configure-policy-exemptions.md)) - updating the policies Pepr store with registered exemptions ### Example UDS Package CR diff --git a/src/pepr/policies/README.md b/src/pepr/policies/README.md index 8906a12bc..175d18eac 100644 --- a/src/pepr/policies/README.md +++ b/src/pepr/policies/README.md @@ -1,2 +1,2 @@ ### Pepr Policies -See [pepr-policies.md](../../../docs/configuration/pepr-policies.md) for current Pepr Policies +See [pepr-policies.md](../../../docs/reference/configuration/pepr-policies.md) for current Pepr Policies From 5f3a1c890a46ca0f4315e89d890d2dda18dfb45c Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 15 Oct 2024 14:47:54 -0500 Subject: [PATCH 71/90] chore(deps): update pepr to v0.38.0 (#870) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [pepr](https://redirect.github.com/defenseunicorns/pepr) | [`0.37.2` -> `0.38.0`](https://renovatebot.com/diffs/npm/pepr/0.37.2/0.38.0) | [![age](https://developer.mend.io/api/mc/badges/age/npm/pepr/0.38.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/pepr/0.38.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/pepr/0.37.2/0.38.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/pepr/0.37.2/0.38.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | --- ### Release Notes
defenseunicorns/pepr (pepr) ### [`v0.38.0`](https://redirect.github.com/defenseunicorns/pepr/releases/tag/v0.38.0) [Compare Source](https://redirect.github.com/defenseunicorns/pepr/compare/v0.37.2...v0.38.0) #### Features - Adds support for http2 watch mode *Note:* http2Watch has an issue around memory ([soak results](https://redirect.github.com/defenseunicorns/pepr/actions/runs/11350714559/job/31569793202): `ctrl-f` "Memory"). This is a known [issue](https://redirect.github.com/defenseunicorns/kubernetes-fluent-client/issues/424). We will look to make improvements during the next release of KFC. We went ahead and released this feature because we are confident that it is an immediate improvement as some users were manually rolling the watcher pod to account for watch-misses. #### Deprecations ⚠️ We identified a circular dependency which required us to relocate some types. In this release, those types are removed from `src/lib/k8s.ts` to `src/lib/types.ts`. If your module uses any of these types, please update your imports accordingly to avoid issues. Affected Types: - [Operation (enum)](https://redirect.github.com/defenseunicorns/pepr/blob/1e42d49cc90cf82ce85a57fb574917319db3c102/src/lib/k8s.ts#L6) - [GroupVersionResource (interface)](https://redirect.github.com/defenseunicorns/pepr/blob/1e42d49cc90cf82ce85a57fb574917319db3c102/src/lib/k8s.ts#L31) - [AdmissionRequest (interface)](https://redirect.github.com/defenseunicorns/pepr/blob/1e42d49cc90cf82ce85a57fb574917319db3c102/src/lib/k8s.ts#L42) Find all of them now in [types.ts](https://redirect.github.com/defenseunicorns/pepr/blob/1e42d49cc90cf82ce85a57fb574917319db3c102/src/lib/types.ts) #### What's Changed - chore(ci): add static-analysis checks to CI/CD by [@​samayer12](https://redirect.github.com/samayer12) in [https://github.com/defenseunicorns/pepr/pull/1219](https://redirect.github.com/defenseunicorns/pepr/pull/1219) - chore: display resource usage in soak by [@​cmwylie19](https://redirect.github.com/cmwylie19) in [https://github.com/defenseunicorns/pepr/pull/1258](https://redirect.github.com/defenseunicorns/pepr/pull/1258) - chore: validate images from registry via Pepr (ADR) by [@​btlghrants](https://redirect.github.com/btlghrants) in [https://github.com/defenseunicorns/pepr/pull/1256](https://redirect.github.com/defenseunicorns/pepr/pull/1256) - chore: kfc automation scripts and workflow files by [@​cmwylie19](https://redirect.github.com/cmwylie19) in [https://github.com/defenseunicorns/pepr/pull/1223](https://redirect.github.com/defenseunicorns/pepr/pull/1223) - chore: removes deprecated code - watcher docs - kfc bump by [@​cmwylie19](https://redirect.github.com/cmwylie19) in [https://github.com/defenseunicorns/pepr/pull/1269](https://redirect.github.com/defenseunicorns/pepr/pull/1269) - chore(lint): adopt additional code quality rules by [@​samayer12](https://redirect.github.com/samayer12) in [https://github.com/defenseunicorns/pepr/pull/1212](https://redirect.github.com/defenseunicorns/pepr/pull/1212) - chore: add watch logs to soak test to determine reasons for failure by [@​cmwylie19](https://redirect.github.com/cmwylie19) in [https://github.com/defenseunicorns/pepr/pull/1215](https://redirect.github.com/defenseunicorns/pepr/pull/1215) - chore: kfc release-candidate for http2 watch by [@​cmwylie19](https://redirect.github.com/cmwylie19) in [https://github.com/defenseunicorns/pepr/pull/1239](https://redirect.github.com/defenseunicorns/pepr/pull/1239) - chore: create projects using pepr markdown by [@​tr-ace](https://redirect.github.com/tr-ace) in [https://github.com/defenseunicorns/pepr/pull/1228](https://redirect.github.com/defenseunicorns/pepr/pull/1228) - chore: choose soak branch by [@​cmwylie19](https://redirect.github.com/cmwylie19) in [https://github.com/defenseunicorns/pepr/pull/1232](https://redirect.github.com/defenseunicorns/pepr/pull/1232) - chore: update_pod_map every 10 minutes by [@​cmwylie19](https://redirect.github.com/cmwylie19) in [https://github.com/defenseunicorns/pepr/pull/1227](https://redirect.github.com/defenseunicorns/pepr/pull/1227) - chore: bump [@​types/node](https://redirect.github.com/types/node) from 22.7.4 to 22.7.5 in the development-dependencies group by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/defenseunicorns/pepr/pull/1237](https://redirect.github.com/defenseunicorns/pepr/pull/1237) - chore: bump actions/checkout from 4.2.0 to 4.2.1 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/defenseunicorns/pepr/pull/1236](https://redirect.github.com/defenseunicorns/pepr/pull/1236) - chore: bump github/codeql-action from 3.26.11 to 3.26.12 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/defenseunicorns/pepr/pull/1235](https://redirect.github.com/defenseunicorns/pepr/pull/1235) - chore: bump express from 4.21.0 to 4.21.1 in the production-dependencies group by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/defenseunicorns/pepr/pull/1242](https://redirect.github.com/defenseunicorns/pepr/pull/1242) - chore: bump chainguard/node from `f3ec99e` to `0d0083b` by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/defenseunicorns/pepr/pull/1233](https://redirect.github.com/defenseunicorns/pepr/pull/1233) - chore: bump actions/upload-artifact from 4.4.0 to 4.4.2 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/defenseunicorns/pepr/pull/1241](https://redirect.github.com/defenseunicorns/pepr/pull/1241) - chore: bump actions/upload-artifact from 4.4.2 to 4.4.3 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/defenseunicorns/pepr/pull/1254](https://redirect.github.com/defenseunicorns/pepr/pull/1254) - chore: bump actions/checkout from 4.2.0 to 4.2.1 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/defenseunicorns/pepr/pull/1253](https://redirect.github.com/defenseunicorns/pepr/pull/1253) - chore: bump chainguard/node from `0d0083b` to `bbcd423` by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/defenseunicorns/pepr/pull/1252](https://redirect.github.com/defenseunicorns/pepr/pull/1252) - chore: bump anchore/scan-action from 4.1.2 to 5.0.0 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/defenseunicorns/pepr/pull/1264](https://redirect.github.com/defenseunicorns/pepr/pull/1264) - chore: bump chainguard/node from `bbcd423` to `b0b04bb` by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/defenseunicorns/pepr/pull/1265](https://redirect.github.com/defenseunicorns/pepr/pull/1265) - chore: bump peter-murray/workflow-application-token-action from 3.0.0 to 3.0.1 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/defenseunicorns/pepr/pull/1263](https://redirect.github.com/defenseunicorns/pepr/pull/1263) - chore: bump github/codeql-action from 3.26.12 to 3.26.13 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/defenseunicorns/pepr/pull/1266](https://redirect.github.com/defenseunicorns/pepr/pull/1266) - chore: bump the production-dependencies group across 1 directory with 2 updates by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/defenseunicorns/pepr/pull/1270](https://redirect.github.com/defenseunicorns/pepr/pull/1270) - chore: bump github/codeql-action from 3.26.10 to 3.26.11 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/defenseunicorns/pepr/pull/1222](https://redirect.github.com/defenseunicorns/pepr/pull/1222) - chore: bump docker/setup-buildx-action from 3.6.1 to 3.7.1 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/defenseunicorns/pepr/pull/1224](https://redirect.github.com/defenseunicorns/pepr/pull/1224) - chore: bump chainguard/node from `ab523c4` to `f3ec99e` by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/defenseunicorns/pepr/pull/1220](https://redirect.github.com/defenseunicorns/pepr/pull/1220) #### New Contributors - [@​tr-ace](https://redirect.github.com/tr-ace) made their first contribution in [https://github.com/defenseunicorns/pepr/pull/1228](https://redirect.github.com/defenseunicorns/pepr/pull/1228) **Full Changelog**: https://github.com/defenseunicorns/pepr/compare/v0.37.2...v0.38.0
--- ### Configuration πŸ“… **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. β™» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. πŸ”• **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/defenseunicorns/uds-core). Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- package-lock.json | 215 ++++++++++++++++++++++++++++------------------ package.json | 2 +- 2 files changed, 133 insertions(+), 84 deletions(-) diff --git a/package-lock.json b/package-lock.json index e8666fa31..568193935 100644 --- a/package-lock.json +++ b/package-lock.json @@ -8,7 +8,7 @@ "name": "uds-core", "version": "0.5.0", "dependencies": { - "pepr": "0.37.2" + "pepr": "0.38.0" }, "devDependencies": { "@jest/globals": "29.7.0", @@ -1140,6 +1140,7 @@ "version": "8.0.2", "resolved": "https://registry.npmjs.org/@isaacs/cliui/-/cliui-8.0.2.tgz", "integrity": "sha512-O8jcjabXaleOG9DQ0+ARXWZBTfnP4WNAqzuiJK7ll44AmxGKv/J2M4TPjxjY3znBCfvBXFzucm1twdyFybFqEA==", + "license": "ISC", "dependencies": { "string-width": "^5.1.2", "string-width-cjs": "npm:string-width@^4.2.0", @@ -1156,6 +1157,7 @@ "version": "6.1.0", "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-6.1.0.tgz", "integrity": "sha512-7HSX4QQb4CspciLpVFwyRe79O3xsIZDDLER21kERQ71oaPodF8jL725AgJMFAYbooIqolJoRLuM81SpeUkpkvA==", + "license": "MIT", "engines": { "node": ">=12" }, @@ -1167,6 +1169,7 @@ "version": "6.2.1", "resolved": "https://registry.npmjs.org/ansi-styles/-/ansi-styles-6.2.1.tgz", "integrity": "sha512-bN798gFfQX+viw3R7yrGWRqnrN2oRkEkUjjl4JNn4E8GxxbjtG3FbrEIIY3l8/hrwUwIeCZvi4QuOTP4MErVug==", + "license": "MIT", "engines": { "node": ">=12" }, @@ -1177,12 +1180,14 @@ "node_modules/@isaacs/cliui/node_modules/emoji-regex": { "version": "9.2.2", "resolved": "https://registry.npmjs.org/emoji-regex/-/emoji-regex-9.2.2.tgz", - "integrity": "sha512-L18DaJsXSUk2+42pv8mLs5jJT2hqFkFE4j21wOmgbUqsZ2hL72NsUU785g9RXgo3s0ZNgVl42TiHp3ZtOv/Vyg==" + "integrity": "sha512-L18DaJsXSUk2+42pv8mLs5jJT2hqFkFE4j21wOmgbUqsZ2hL72NsUU785g9RXgo3s0ZNgVl42TiHp3ZtOv/Vyg==", + "license": "MIT" }, "node_modules/@isaacs/cliui/node_modules/string-width": { "version": "5.1.2", "resolved": "https://registry.npmjs.org/string-width/-/string-width-5.1.2.tgz", "integrity": "sha512-HnLOCR3vjcY8beoNLtcjZ5/nxn2afmME6lhrDrebokqMap+XbeW8n9TXpPDOqdGK5qcI3oT0GKTW6wC7EMiVqA==", + "license": "MIT", "dependencies": { "eastasianwidth": "^0.2.0", "emoji-regex": "^9.2.2", @@ -1199,6 +1204,7 @@ "version": "7.1.0", "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-7.1.0.tgz", "integrity": "sha512-iq6eVVI64nQQTRYq2KtEg2d2uU7LElhTJwsH4YzIHZshxlgZms/wIc4VoDQTlG/IvVIrBKG06CrZnp0qv7hkcQ==", + "license": "MIT", "dependencies": { "ansi-regex": "^6.0.1" }, @@ -1213,6 +1219,7 @@ "version": "8.1.0", "resolved": "https://registry.npmjs.org/wrap-ansi/-/wrap-ansi-8.1.0.tgz", "integrity": "sha512-si7QWI6zUMq56bESFvagtmzMdGOtoxfR+Sez11Mobfc7tm+VkUckk9bW2UeffTGVUbOksxmSw0AA2gs8g71NCQ==", + "license": "MIT", "dependencies": { "ansi-styles": "^6.1.0", "string-width": "^5.0.1", @@ -1229,6 +1236,7 @@ "version": "4.0.1", "resolved": "https://registry.npmjs.org/@isaacs/fs-minipass/-/fs-minipass-4.0.1.tgz", "integrity": "sha512-wgm9Ehl2jpeqP3zw/7mo3kRHFp5MEDhqAdwy1fTGkHAwnkGOVsgpvQhL8B5n1qlb01jV3n/bI0ZfZp5lWA1k4w==", + "license": "ISC", "dependencies": { "minipass": "^7.0.4" }, @@ -1240,6 +1248,7 @@ "version": "7.1.2", "resolved": "https://registry.npmjs.org/minipass/-/minipass-7.1.2.tgz", "integrity": "sha512-qOOzS1cBTWYF4BH8fVePDBOO9iptMnGUEZwNc/cMWnTV2nVLZ7VoNWEPHkYczZA0pdoA7dl6e7FL659nX9S2aw==", + "license": "ISC", "engines": { "node": ">=16 || 14 >=14.17" } @@ -1682,6 +1691,7 @@ "version": "1.2.1", "resolved": "https://registry.npmjs.org/@jsep-plugin/assignment/-/assignment-1.2.1.tgz", "integrity": "sha512-gaHqbubTi29aZpVbBlECRpmdia+L5/lh2BwtIJTmtxdbecEyyX/ejAOg7eQDGNvGOUmPY7Z2Yxdy9ioyH/VJeA==", + "license": "MIT", "engines": { "node": ">= 10.16.0" }, @@ -1693,6 +1703,7 @@ "version": "1.0.3", "resolved": "https://registry.npmjs.org/@jsep-plugin/regex/-/regex-1.0.3.tgz", "integrity": "sha512-XfZgry4DwEZvSFtS/6Y+R48D7qJYJK6R9/yJFyUFHCIUMEEHuJ4X95TDgJp5QkmzfLYvapMPzskV5HpIDrREug==", + "license": "MIT", "engines": { "node": ">= 10.16.0" }, @@ -1701,22 +1712,21 @@ } }, "node_modules/@kubernetes/client-node": { - "version": "1.0.0-rc6", - "resolved": "https://registry.npmjs.org/@kubernetes/client-node/-/client-node-1.0.0-rc6.tgz", - "integrity": "sha512-CBNOZ0rrGc2NKx3/1Bu4Be6DLPbNWDDLmjgZ0DmIWOpEye/kyVf4vKqOCwfm+eM//reebW8DLxGZUsrrXETkEA==", + "version": "1.0.0-rc7", + "resolved": "https://registry.npmjs.org/@kubernetes/client-node/-/client-node-1.0.0-rc7.tgz", + "integrity": "sha512-s0U74yQ/nTq13xk3YI8P2y02pUm9TritjhsCIbtPYbOrG/5ti2bY2WhxxQWGx1LhiTZPEdoULtsyXI2XrIESJw==", + "license": "Apache-2.0", "dependencies": { "@types/js-yaml": "^4.0.1", - "@types/node": "^20.3.1", + "@types/node": "^22.0.0", "@types/node-fetch": "^2.6.9", "@types/stream-buffers": "^3.0.3", "@types/tar": "^6.1.1", - "@types/underscore": "^1.8.9", "@types/ws": "^8.5.4", - "byline": "^5.0.0", "form-data": "^4.0.0", "isomorphic-ws": "^5.0.0", "js-yaml": "^4.1.0", - "jsonpath-plus": "^9.0.0", + "jsonpath-plus": "^10.0.0", "node-fetch": "^2.6.9", "openid-client": "^5.6.5", "rfc4648": "^1.3.0", @@ -1724,17 +1734,8 @@ "tar": "^7.0.0", "tmp-promise": "^3.0.2", "tslib": "^2.5.0", - "underscore": "^1.9.1", "url-parse": "^1.4.3", - "ws": "^8.13.0" - } - }, - "node_modules/@kubernetes/client-node/node_modules/@types/node": { - "version": "20.16.5", - "resolved": "https://registry.npmjs.org/@types/node/-/node-20.16.5.tgz", - "integrity": "sha512-VwYCweNo3ERajwy0IUlqqcyZ8/A7Zwa9ZP3MnENWcB11AejO+tLy3pu850goUW2FC/IJMdZUfKpX/yxL1gymCA==", - "dependencies": { - "undici-types": "~6.19.2" + "ws": "^8.18.0" } }, "node_modules/@nodelib/fs.scandir": { @@ -1784,6 +1785,7 @@ "version": "0.11.0", "resolved": "https://registry.npmjs.org/@pkgjs/parseargs/-/parseargs-0.11.0.tgz", "integrity": "sha512-+1VkjdD0QBLPodGrJUeqarH8VAIvQODIbwh9XpP5Syisf7YoQgsJKPNFoqqLQlu+VQ/tVSshMR6loPMn8U+dPg==", + "license": "MIT", "optional": true, "engines": { "node": ">=14" @@ -1890,7 +1892,8 @@ "node_modules/@types/js-yaml": { "version": "4.0.9", "resolved": "https://registry.npmjs.org/@types/js-yaml/-/js-yaml-4.0.9.tgz", - "integrity": "sha512-k4MGaQl5TGo/iipqb2UDG2UwjXziSWkh0uysQelTlJpX1qGlpUZYm8PnO4DxG1qBomtJUdYJ6qR6xdIah10JLg==" + "integrity": "sha512-k4MGaQl5TGo/iipqb2UDG2UwjXziSWkh0uysQelTlJpX1qGlpUZYm8PnO4DxG1qBomtJUdYJ6qR6xdIah10JLg==", + "license": "MIT" }, "node_modules/@types/node": { "version": "22.5.4", @@ -1904,6 +1907,7 @@ "version": "2.6.11", "resolved": "https://registry.npmjs.org/@types/node-fetch/-/node-fetch-2.6.11.tgz", "integrity": "sha512-24xFj9R5+rfQJLRyM56qh+wnVSYhyXC2tkoBndtY0U+vubqNsYXGjufB2nn8Q6gt0LrARwL6UBtMCSVCwl4B1g==", + "license": "MIT", "dependencies": { "@types/node": "*", "form-data": "^4.0.0" @@ -1939,6 +1943,7 @@ "version": "3.0.7", "resolved": "https://registry.npmjs.org/@types/stream-buffers/-/stream-buffers-3.0.7.tgz", "integrity": "sha512-azOCy05sXVXrO+qklf0c/B07H/oHaIuDDAiHPVwlk3A9Ek+ksHyTeMajLZl3r76FxpPpxem//4Te61G1iW3Giw==", + "license": "MIT", "dependencies": { "@types/node": "*" } @@ -1947,20 +1952,17 @@ "version": "6.1.13", "resolved": "https://registry.npmjs.org/@types/tar/-/tar-6.1.13.tgz", "integrity": "sha512-IznnlmU5f4WcGTh2ltRu/Ijpmk8wiWXfF0VA4s+HPjHZgvFggk1YaIkbo5krX/zUCzWF8N/l4+W/LNxnvAJ8nw==", + "license": "MIT", "dependencies": { "@types/node": "*", "minipass": "^4.0.0" } }, - "node_modules/@types/underscore": { - "version": "1.11.15", - "resolved": "https://registry.npmjs.org/@types/underscore/-/underscore-1.11.15.tgz", - "integrity": "sha512-HP38xE+GuWGlbSRq9WrZkousaQ7dragtZCruBVMi0oX1migFZavZ3OROKHSkNp/9ouq82zrWtZpg18jFnVN96g==" - }, "node_modules/@types/ws": { "version": "8.5.12", "resolved": "https://registry.npmjs.org/@types/ws/-/ws-8.5.12.tgz", "integrity": "sha512-3tPRkv1EtkDpzlgyKyI8pGsGZAGPEaXeu0DOj5DI25Ja91bdAYddYHbADRYVrZMRbfW+1l5YwXVDKohDJNQxkQ==", + "license": "MIT", "dependencies": { "@types/node": "*" } @@ -2321,7 +2323,8 @@ "node_modules/asynckit": { "version": "0.4.0", "resolved": "https://registry.npmjs.org/asynckit/-/asynckit-0.4.0.tgz", - "integrity": "sha512-Oei9OH4tRh0YqU3GxhX79dM/mwVgvbZJaSNaRk+bshkj0S5cfHcgYakreBjrHwatXKbz+IoIdYLxrKim2MjW0Q==" + "integrity": "sha512-Oei9OH4tRh0YqU3GxhX79dM/mwVgvbZJaSNaRk+bshkj0S5cfHcgYakreBjrHwatXKbz+IoIdYLxrKim2MjW0Q==", + "license": "MIT" }, "node_modules/atomic-sleep": { "version": "1.0.0", @@ -2628,6 +2631,7 @@ "version": "5.0.0", "resolved": "https://registry.npmjs.org/byline/-/byline-5.0.0.tgz", "integrity": "sha512-s6webAy+R4SR8XVuJWt2V2rGvhnrhxN+9S15GNuTK3wKPOXFF6RNc+8ug2XhH+2s4f+uudG4kUVYmYOQWL2g0Q==", + "license": "MIT", "engines": { "node": ">=0.10.0" } @@ -2725,6 +2729,7 @@ "version": "3.0.0", "resolved": "https://registry.npmjs.org/chownr/-/chownr-3.0.0.tgz", "integrity": "sha512-+IxzY9BZOQd/XuYPRmrvEVjF/nqj5kgT4kEq7VofrDoM1MxoRjEWkrCC3EtLi59TVawxTAn+orJwFQcrqEN1+g==", + "license": "BlueOak-1.0.0", "engines": { "node": ">=18" } @@ -2882,6 +2887,7 @@ "version": "1.0.8", "resolved": "https://registry.npmjs.org/combined-stream/-/combined-stream-1.0.8.tgz", "integrity": "sha512-FQN4MRfuJeHf7cBbBMJFXhKSDq+2kAArBlmRBvcvFE5BB1HZKXtSFASDhdlz9zOYwxh8lDdnvmMOe/+5cdoEdg==", + "license": "MIT", "dependencies": { "delayed-stream": "~1.0.0" }, @@ -2929,9 +2935,10 @@ "dev": true }, "node_modules/cookie": { - "version": "0.6.0", - "resolved": "https://registry.npmjs.org/cookie/-/cookie-0.6.0.tgz", - "integrity": "sha512-U71cyTamuh1CRNCfpGY6to28lxvNwPG4Guz/EVjgf3Jmzv0vlDp1atT9eS5dDjMYHucpHbWns6Lwf3BKz6svdw==", + "version": "0.7.1", + "resolved": "https://registry.npmjs.org/cookie/-/cookie-0.7.1.tgz", + "integrity": "sha512-6DnInpx7SJ2AK3+CTUE/ZM0vWTUboZCegxhC2xiIydHR9jNuTAASBrfEpHhiGOZw/nX51bHt6YQl8jsGo4y/0w==", + "license": "MIT", "engines": { "node": ">= 0.6" } @@ -3057,6 +3064,7 @@ "version": "1.0.0", "resolved": "https://registry.npmjs.org/delayed-stream/-/delayed-stream-1.0.0.tgz", "integrity": "sha512-ZySD7Nf91aLB0RxL4KGrKHBXl7Eds1DAmEdcoVawXnLD7SDhpNgtuII2aAkg7a7QS41jxPSZ17p4VdGnMHk3MQ==", + "license": "MIT", "engines": { "node": ">=0.4.0" } @@ -3125,7 +3133,8 @@ "node_modules/eastasianwidth": { "version": "0.2.0", "resolved": "https://registry.npmjs.org/eastasianwidth/-/eastasianwidth-0.2.0.tgz", - "integrity": "sha512-I88TYZWc9XiYHRQ4/3c5rjjfgkjhLyW2luGIheGERbNQ6OY7yTybanSpDXZa8y7VUP9YmDcYa+eyq4ca7iLqWA==" + "integrity": "sha512-I88TYZWc9XiYHRQ4/3c5rjjfgkjhLyW2luGIheGERbNQ6OY7yTybanSpDXZa8y7VUP9YmDcYa+eyq4ca7iLqWA==", + "license": "MIT" }, "node_modules/ee-first": { "version": "1.1.1", @@ -3553,9 +3562,9 @@ } }, "node_modules/express": { - "version": "4.21.0", - "resolved": "https://registry.npmjs.org/express/-/express-4.21.0.tgz", - "integrity": "sha512-VqcNGcj/Id5ZT1LZ/cfihi3ttTn+NJmkli2eZADigjq29qTlWi/hAQ43t/VLPq8+UX06FCEx3ByOYet6ZFblng==", + "version": "4.21.1", + "resolved": "https://registry.npmjs.org/express/-/express-4.21.1.tgz", + "integrity": "sha512-YSFlK1Ee0/GC8QaO91tHcDxJiE/X4FbpAyQWkxAvG6AXCuR65YzK8ua6D9hvi/TzUfZMpc+BwuM1IPw8fmQBiQ==", "license": "MIT", "dependencies": { "accepts": "~1.3.8", @@ -3563,7 +3572,7 @@ "body-parser": "1.20.3", "content-disposition": "0.5.4", "content-type": "~1.0.4", - "cookie": "0.6.0", + "cookie": "0.7.1", "cookie-signature": "1.0.6", "debug": "2.6.9", "depd": "2.0.0", @@ -3815,6 +3824,7 @@ "version": "3.3.0", "resolved": "https://registry.npmjs.org/foreground-child/-/foreground-child-3.3.0.tgz", "integrity": "sha512-Ld2g8rrAyMYFXBhEqMz8ZAHBi4J4uS1i/CxGMDnjyFWddMXLVcDp051DZfu+t7+ab7Wv6SMqpWmyFIj5UbfFvg==", + "license": "ISC", "dependencies": { "cross-spawn": "^7.0.0", "signal-exit": "^4.0.1" @@ -3830,6 +3840,7 @@ "version": "4.1.0", "resolved": "https://registry.npmjs.org/signal-exit/-/signal-exit-4.1.0.tgz", "integrity": "sha512-bzyZ1e88w9O1iNJbKnOlvYTrWPDl46O1bG0D3XInv+9tkPrxrN8jUUTiFlDkkmKWgn1M6CfIA13SuGqOa9Korw==", + "license": "ISC", "engines": { "node": ">=14" }, @@ -3838,9 +3849,10 @@ } }, "node_modules/form-data": { - "version": "4.0.0", - "resolved": "https://registry.npmjs.org/form-data/-/form-data-4.0.0.tgz", - "integrity": "sha512-ETEklSGi5t0QMZuiXoA/Q6vcnxcLQP5vdugSpuAyi6SVGi2clPPp+xgEhuMaHC+zGgn31Kd235W35f7Hykkaww==", + "version": "4.0.1", + "resolved": "https://registry.npmjs.org/form-data/-/form-data-4.0.1.tgz", + "integrity": "sha512-tzN8e4TX8+kkxGPK8D5u0FNmjPUjw3lwC9lSLxxoB/+GtsJG91CO8bSWy73APlgAZzZbXEYZJuxjkHH2w+Ezhw==", + "license": "MIT", "dependencies": { "asynckit": "^0.4.0", "combined-stream": "^1.0.8", @@ -4398,6 +4410,7 @@ "version": "5.0.0", "resolved": "https://registry.npmjs.org/isomorphic-ws/-/isomorphic-ws-5.0.0.tgz", "integrity": "sha512-muId7Zzn9ywDsyXgTIafTry2sV3nySZeUDe6YedVd1Hvuuep5AsIlqK+XefWpYTyJG5e503F2xIuT2lcU6rCSw==", + "license": "MIT", "peerDependencies": { "ws": "*" } @@ -4472,6 +4485,7 @@ "version": "3.4.3", "resolved": "https://registry.npmjs.org/jackspeak/-/jackspeak-3.4.3.tgz", "integrity": "sha512-OGlZQpz2yfahA/Rd1Y8Cd9SIEsqvXkLVoSw/cgwhnhFMDbsQFeZYoJJ7bIZBS9BcamUW96asq/npPWugM+RQBw==", + "license": "BlueOak-1.0.0", "dependencies": { "@isaacs/cliui": "^8.0.2" }, @@ -5081,6 +5095,7 @@ "version": "4.15.9", "resolved": "https://registry.npmjs.org/jose/-/jose-4.15.9.tgz", "integrity": "sha512-1vUQX+IdDMVPj4k8kOxgUqlcK518yluMuGZwqlr44FS1ppZB/5GWh4rZG89erpOBOJjU/OBsnCVFfapsRz6nEA==", + "license": "MIT", "funding": { "url": "https://github.com/sponsors/panva" } @@ -5119,6 +5134,7 @@ "version": "1.3.9", "resolved": "https://registry.npmjs.org/jsep/-/jsep-1.3.9.tgz", "integrity": "sha512-i1rBX5N7VPl0eYb6+mHNp52sEuaS2Wi8CDYx1X5sn9naevL78+265XJqy1qENEk7mRKwS06NHpUqiBwR7qeodw==", + "license": "MIT", "engines": { "node": ">= 10.16.0" } @@ -5180,20 +5196,21 @@ } }, "node_modules/jsonpath-plus": { - "version": "9.0.0", - "resolved": "https://registry.npmjs.org/jsonpath-plus/-/jsonpath-plus-9.0.0.tgz", - "integrity": "sha512-bqE77VIDStrOTV/czspZhTn+o27Xx9ZJRGVkdVShEtPoqsIx5yALv3lWVU6y+PqYvWPJNWE7ORCQheQkEe0DDA==", + "version": "10.0.0", + "resolved": "https://registry.npmjs.org/jsonpath-plus/-/jsonpath-plus-10.0.0.tgz", + "integrity": "sha512-v7j76HGp/ibKlXYeZ7UrfCLSNDaBWuJMA0GaMjA4sZJtCtY89qgPyToDDcl2zdeHh4B5q/B3g2pQdW76fOg/dA==", + "license": "MIT", "dependencies": { "@jsep-plugin/assignment": "^1.2.1", "@jsep-plugin/regex": "^1.0.3", - "jsep": "^1.3.8" + "jsep": "^1.3.9" }, "bin": { "jsonpath": "bin/jsonpath-cli.js", "jsonpath-plus": "bin/jsonpath-cli.js" }, "engines": { - "node": ">=14.0.0" + "node": ">=18.0.0" } }, "node_modules/keyv": { @@ -5214,12 +5231,12 @@ } }, "node_modules/kubernetes-fluent-client": { - "version": "3.0.4", - "resolved": "https://registry.npmjs.org/kubernetes-fluent-client/-/kubernetes-fluent-client-3.0.4.tgz", - "integrity": "sha512-mkLpT2Wjm8zUO3fgIy5d+UqFWoe4DG/soJA5wwrCTrsis+JHBnuLfTtI8bU/y2ie4EOfW0uSs8c0oXmveMImZQ==", + "version": "3.1.1", + "resolved": "https://registry.npmjs.org/kubernetes-fluent-client/-/kubernetes-fluent-client-3.1.1.tgz", + "integrity": "sha512-JWwI3Fx7vIUcS1a7napVb5TviNregpnr/N7unXLgJ0r+F4zFHcPPoBSEgS9HVs35XtMhFHe0KdzpeXT1/7EQ8A==", "license": "Apache-2.0", "dependencies": { - "@kubernetes/client-node": "1.0.0-rc6", + "@kubernetes/client-node": "1.0.0-rc7", "byline": "5.0.0", "fast-json-patch": "3.1.1", "http-status-codes": "2.3.0", @@ -5783,6 +5800,7 @@ "version": "4.2.8", "resolved": "https://registry.npmjs.org/minipass/-/minipass-4.2.8.tgz", "integrity": "sha512-fNzuVyifolSLFL4NzpF+wEF4qrgqaaKX0haXPQEdQ7NKAN+WecoKMHV09YcuL/DHxrUsYQOK3MiuDf7Ip2OXfQ==", + "license": "ISC", "engines": { "node": ">=8" } @@ -5791,6 +5809,7 @@ "version": "3.0.1", "resolved": "https://registry.npmjs.org/minizlib/-/minizlib-3.0.1.tgz", "integrity": "sha512-umcy022ILvb5/3Djuu8LWeqUa8D68JaBzlttKeMWen48SjabqS3iY5w/vzeMzMUNhLDifyhbOwKDSznB1vvrwg==", + "license": "MIT", "dependencies": { "minipass": "^7.0.4", "rimraf": "^5.0.5" @@ -5803,6 +5822,7 @@ "version": "10.4.5", "resolved": "https://registry.npmjs.org/glob/-/glob-10.4.5.tgz", "integrity": "sha512-7Bv8RF0k6xjo7d4A/PxYLbUCfb6c+Vpd2/mB2yRDlew7Jb5hEXiCD9ibfO7wpk8i4sevK6DFny9h7EYbM3/sHg==", + "license": "ISC", "dependencies": { "foreground-child": "^3.1.0", "jackspeak": "^3.1.2", @@ -5822,6 +5842,7 @@ "version": "7.1.2", "resolved": "https://registry.npmjs.org/minipass/-/minipass-7.1.2.tgz", "integrity": "sha512-qOOzS1cBTWYF4BH8fVePDBOO9iptMnGUEZwNc/cMWnTV2nVLZ7VoNWEPHkYczZA0pdoA7dl6e7FL659nX9S2aw==", + "license": "ISC", "engines": { "node": ">=16 || 14 >=14.17" } @@ -5830,6 +5851,7 @@ "version": "5.0.10", "resolved": "https://registry.npmjs.org/rimraf/-/rimraf-5.0.10.tgz", "integrity": "sha512-l0OE8wL34P4nJH/H2ffoaniAokM2qSmrtXHmlpvYr5AVVX8msAyW0l8NVJFDxlSK4u3Uh/f41cQheDVdnYijwQ==", + "license": "ISC", "dependencies": { "glob": "^10.3.7" }, @@ -5844,6 +5866,7 @@ "version": "3.0.1", "resolved": "https://registry.npmjs.org/mkdirp/-/mkdirp-3.0.1.tgz", "integrity": "sha512-+NsyUUAZDmo6YVHzL/stxSu3t9YS1iljliy3BSDrXJ/dkn1KYdmtZODGGjLcc9XLgVVpH4KshHB8XmZgMhaBXg==", + "license": "MIT", "bin": { "mkdirp": "dist/cjs/src/bin.js" }, @@ -5937,6 +5960,7 @@ "version": "2.2.0", "resolved": "https://registry.npmjs.org/object-hash/-/object-hash-2.2.0.tgz", "integrity": "sha512-gScRMn0bS5fH+IuwyIFgnh9zBdo4DV+6GhygmWM9HyNJSgS0hScp1f5vjtm7oIIOiT9trXrShAkLFSc2IqKNgw==", + "license": "MIT", "engines": { "node": ">= 6" } @@ -5957,6 +5981,7 @@ "version": "5.0.3", "resolved": "https://registry.npmjs.org/oidc-token-hash/-/oidc-token-hash-5.0.3.tgz", "integrity": "sha512-IF4PcGgzAr6XXSff26Sk/+P4KZFJVuHAJZj3wgO3vX2bMdNVp/QXTP3P7CEm9V1IdG8lDLY3HhiqpsE/nOwpPw==", + "license": "MIT", "engines": { "node": "^10.13.0 || >=12.0.0" } @@ -6008,6 +6033,7 @@ "version": "5.7.0", "resolved": "https://registry.npmjs.org/openid-client/-/openid-client-5.7.0.tgz", "integrity": "sha512-4GCCGZt1i2kTHpwvaC/sCpTpQqDnBzDzuJcJMbH+y1Q5qI8U8RBvoSh28svarXszZHR5BAMXbJPX1PGPRE3VOA==", + "license": "MIT", "dependencies": { "jose": "^4.15.9", "lru-cache": "^6.0.0", @@ -6022,6 +6048,7 @@ "version": "6.0.0", "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-6.0.0.tgz", "integrity": "sha512-Jo6dJ04CmSjuznwJSS3pUeWmd/H0ffTlkXXgwZi+eq1UCmqQwCh+eLsYOYCwY991i2Fah4h1BEMCx4qThGbsiA==", + "license": "ISC", "dependencies": { "yallist": "^4.0.0" }, @@ -6032,7 +6059,8 @@ "node_modules/openid-client/node_modules/yallist": { "version": "4.0.0", "resolved": "https://registry.npmjs.org/yallist/-/yallist-4.0.0.tgz", - "integrity": "sha512-3wdGidZyq5PB084XLES5TpOSRA3wjXAlIWMhum2kRcv/41Sn2emQ0dycQW4uZXLejwKvg6EsvbdlVL+FYEct7A==" + "integrity": "sha512-3wdGidZyq5PB084XLES5TpOSRA3wjXAlIWMhum2kRcv/41Sn2emQ0dycQW4uZXLejwKvg6EsvbdlVL+FYEct7A==", + "license": "ISC" }, "node_modules/optionator": { "version": "0.9.4", @@ -6090,9 +6118,10 @@ } }, "node_modules/package-json-from-dist": { - "version": "1.0.0", - "resolved": "https://registry.npmjs.org/package-json-from-dist/-/package-json-from-dist-1.0.0.tgz", - "integrity": "sha512-dATvCeZN/8wQsGywez1mzHtTlP22H8OEfPrVMLNr4/eGa+ijtLn/6M5f0dY8UKNrC2O9UCU6SSoG3qRKnt7STw==" + "version": "1.0.1", + "resolved": "https://registry.npmjs.org/package-json-from-dist/-/package-json-from-dist-1.0.1.tgz", + "integrity": "sha512-UEZIS3/by4OC8vL3P2dTXRETpebLI2NiI5vIrjaD/5UtrkFX/tNbwjTSRAGC/+7CAo2pIcBaRgWmcBBHcsaCIw==", + "license": "BlueOak-1.0.0" }, "node_modules/pako": { "version": "1.0.11", @@ -6172,6 +6201,7 @@ "version": "1.11.1", "resolved": "https://registry.npmjs.org/path-scurry/-/path-scurry-1.11.1.tgz", "integrity": "sha512-Xa4Nw17FS9ApQFJ9umLiJS4orGjm7ZzwUrwamcGQuHSzDyth9boKDaycYdDcZDuqYATXw4HFXgaqWTctW/v1HA==", + "license": "BlueOak-1.0.0", "dependencies": { "lru-cache": "^10.2.0", "minipass": "^5.0.0 || ^6.0.2 || ^7.0.0" @@ -6186,12 +6216,14 @@ "node_modules/path-scurry/node_modules/lru-cache": { "version": "10.4.3", "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-10.4.3.tgz", - "integrity": "sha512-JNAzZcXrCt42VGLuYz0zfAzDfAvJWW6AfYlDBQyDV5DClI2m5sAmK+OIO7s59XfsRsWHp02jAJrRadPRGTt6SQ==" + "integrity": "sha512-JNAzZcXrCt42VGLuYz0zfAzDfAvJWW6AfYlDBQyDV5DClI2m5sAmK+OIO7s59XfsRsWHp02jAJrRadPRGTt6SQ==", + "license": "ISC" }, "node_modules/path-scurry/node_modules/minipass": { "version": "7.1.2", "resolved": "https://registry.npmjs.org/minipass/-/minipass-7.1.2.tgz", "integrity": "sha512-qOOzS1cBTWYF4BH8fVePDBOO9iptMnGUEZwNc/cMWnTV2nVLZ7VoNWEPHkYczZA0pdoA7dl6e7FL659nX9S2aw==", + "license": "ISC", "engines": { "node": ">=16 || 14 >=14.17" } @@ -6212,18 +6244,18 @@ } }, "node_modules/pepr": { - "version": "0.37.2", - "resolved": "https://registry.npmjs.org/pepr/-/pepr-0.37.2.tgz", - "integrity": "sha512-gSZXoeVbkFm9FneiOdhShUeQGHxyA/NBVCNfpQDufnV4/CSJXV5NaGHUntDbub4LsQjon5J4jUEL8KszrfQKuA==", + "version": "0.38.0", + "resolved": "https://registry.npmjs.org/pepr/-/pepr-0.38.0.tgz", + "integrity": "sha512-sjtw2AuS0i0kl7fsso6kSQGOW5jfZnDG2vZ+r8QIt0AMTxbKoOjdpIpiaR6h0bRp4D9Ulj/7P/GbFx3qYdsPtA==", "license": "Apache-2.0", "dependencies": { "@types/ramda": "0.30.2", - "express": "4.21.0", + "express": "4.21.1", "fast-json-patch": "3.1.1", "json-pointer": "^0.6.2", - "kubernetes-fluent-client": "3.0.4", - "pino": "9.4.0", - "pino-pretty": "11.2.2", + "kubernetes-fluent-client": "3.1.1", + "pino": "9.5.0", + "pino-pretty": "11.3.0", "prom-client": "15.1.3", "ramda": "0.30.1" }, @@ -6277,15 +6309,15 @@ } }, "node_modules/pino": { - "version": "9.4.0", - "resolved": "https://registry.npmjs.org/pino/-/pino-9.4.0.tgz", - "integrity": "sha512-nbkQb5+9YPhQRz/BeQmrWpEknAaqjpAqRK8NwJpmrX/JHu7JuZC5G1CeAwJDJfGes4h+YihC6in3Q2nGb+Y09w==", + "version": "9.5.0", + "resolved": "https://registry.npmjs.org/pino/-/pino-9.5.0.tgz", + "integrity": "sha512-xSEmD4pLnV54t0NOUN16yCl7RIB1c5UUOse5HSyEXtBp+FgFQyPeDutc+Q2ZO7/22vImV7VfEjH/1zV2QuqvYw==", "license": "MIT", "dependencies": { "atomic-sleep": "^1.0.0", "fast-redact": "^3.1.1", "on-exit-leak-free": "^2.1.0", - "pino-abstract-transport": "^1.2.0", + "pino-abstract-transport": "^2.0.0", "pino-std-serializers": "^7.0.0", "process-warning": "^4.0.0", "quick-format-unescaped": "^4.0.3", @@ -6299,18 +6331,19 @@ } }, "node_modules/pino-abstract-transport": { - "version": "1.2.0", - "resolved": "https://registry.npmjs.org/pino-abstract-transport/-/pino-abstract-transport-1.2.0.tgz", - "integrity": "sha512-Guhh8EZfPCfH+PMXAb6rKOjGQEoy0xlAIn+irODG5kgfYV+BQ0rGYYWTIel3P5mmyXqkYkPmdIkywsn6QKUR1Q==", + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/pino-abstract-transport/-/pino-abstract-transport-2.0.0.tgz", + "integrity": "sha512-F63x5tizV6WCh4R6RHyi2Ml+M70DNRXt/+HANowMflpgGFMAym/VKm6G7ZOQRjqN7XbGxK1Lg9t6ZrtzOaivMw==", + "license": "MIT", "dependencies": { - "readable-stream": "^4.0.0", "split2": "^4.0.0" } }, "node_modules/pino-pretty": { - "version": "11.2.2", - "resolved": "https://registry.npmjs.org/pino-pretty/-/pino-pretty-11.2.2.tgz", - "integrity": "sha512-2FnyGir8nAJAqD3srROdrF1J5BIcMT4nwj7hHSc60El6Uxlym00UbCCd8pYIterstVBFlMyF1yFV8XdGIPbj4A==", + "version": "11.3.0", + "resolved": "https://registry.npmjs.org/pino-pretty/-/pino-pretty-11.3.0.tgz", + "integrity": "sha512-oXwn7ICywaZPHmu3epHGU2oJX4nPmKvHvB/bwrJHlGcbEWaVcotkpyVHMKLKmiVryWYByNp0jpgAcXpFJDXJzA==", + "license": "MIT", "dependencies": { "colorette": "^2.0.7", "dateformat": "^4.6.3", @@ -6320,7 +6353,7 @@ "joycon": "^3.1.1", "minimist": "^1.2.6", "on-exit-leak-free": "^2.1.0", - "pino-abstract-transport": "^1.0.0", + "pino-abstract-transport": "^2.0.0", "pump": "^3.0.0", "readable-stream": "^4.0.0", "secure-json-parse": "^2.4.0", @@ -6568,7 +6601,8 @@ "node_modules/querystringify": { "version": "2.2.0", "resolved": "https://registry.npmjs.org/querystringify/-/querystringify-2.2.0.tgz", - "integrity": "sha512-FIqgj2EUvTa7R50u0rGsyTftzjYmv/a3hO345bZNrqabNqjtgiDMgmo4mkUjd+nzU5oF3dClKqFIPUKybUyqoQ==" + "integrity": "sha512-FIqgj2EUvTa7R50u0rGsyTftzjYmv/a3hO345bZNrqabNqjtgiDMgmo4mkUjd+nzU5oF3dClKqFIPUKybUyqoQ==", + "license": "MIT" }, "node_modules/queue-microtask": { "version": "1.2.3", @@ -6689,7 +6723,8 @@ "node_modules/requires-port": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/requires-port/-/requires-port-1.0.0.tgz", - "integrity": "sha512-KigOCHcocU3XODJxsu8i/j8T9tzT4adHiecwORRQ0ZZFcp7ahwXuRU1m+yuO90C5ZUyGeGfocHDI14M3L3yDAQ==" + "integrity": "sha512-KigOCHcocU3XODJxsu8i/j8T9tzT4adHiecwORRQ0ZZFcp7ahwXuRU1m+yuO90C5ZUyGeGfocHDI14M3L3yDAQ==", + "license": "MIT" }, "node_modules/resolve": { "version": "1.22.8", @@ -6803,7 +6838,8 @@ "node_modules/rfc4648": { "version": "1.5.3", "resolved": "https://registry.npmjs.org/rfc4648/-/rfc4648-1.5.3.tgz", - "integrity": "sha512-MjOWxM065+WswwnmNONOT+bD1nXzY9Km6u3kzvnx8F8/HXGZdz3T6e6vZJ8Q/RIMUSp/nxqjH3GwvJDy8ijeQQ==" + "integrity": "sha512-MjOWxM065+WswwnmNONOT+bD1nXzY9Km6u3kzvnx8F8/HXGZdz3T6e6vZJ8Q/RIMUSp/nxqjH3GwvJDy8ijeQQ==", + "license": "MIT" }, "node_modules/rfdc": { "version": "1.4.1", @@ -7100,6 +7136,7 @@ "version": "4.2.0", "resolved": "https://registry.npmjs.org/split2/-/split2-4.2.0.tgz", "integrity": "sha512-UcjcJOWknrNkF6PLX83qcHM6KHgVKNkV62Y8a5uYDVv9ydGQVwAHMKqHdJje1VTWpljG0WYpCDhrCdAOYH4TWg==", + "license": "ISC", "engines": { "node": ">= 10.x" } @@ -7144,6 +7181,7 @@ "version": "3.0.3", "resolved": "https://registry.npmjs.org/stream-buffers/-/stream-buffers-3.0.3.tgz", "integrity": "sha512-pqMqwQCso0PBJt2PQmDO0cFj0lyqmiwOMiMSkVtRokl7e+ZTRYgDHKnuZNbqjiJXgsg4nuqtD/zxuo9KqTp0Yw==", + "license": "Unlicense", "engines": { "node": ">= 0.10.0" } @@ -7200,6 +7238,7 @@ "version": "4.2.3", "resolved": "https://registry.npmjs.org/string-width/-/string-width-4.2.3.tgz", "integrity": "sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g==", + "license": "MIT", "dependencies": { "emoji-regex": "^8.0.0", "is-fullwidth-code-point": "^3.0.0", @@ -7212,12 +7251,14 @@ "node_modules/string-width-cjs/node_modules/emoji-regex": { "version": "8.0.0", "resolved": "https://registry.npmjs.org/emoji-regex/-/emoji-regex-8.0.0.tgz", - "integrity": "sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A==" + "integrity": "sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A==", + "license": "MIT" }, "node_modules/string-width-cjs/node_modules/is-fullwidth-code-point": { "version": "3.0.0", "resolved": "https://registry.npmjs.org/is-fullwidth-code-point/-/is-fullwidth-code-point-3.0.0.tgz", "integrity": "sha512-zymm5+u+sCsSWyD9qNaejV3DFvhCKclKdizYaJUuHA83RLjb7nSuGnddCHGv0hk+KY7BMAlsWeK4Ueg6EV6XQg==", + "license": "MIT", "engines": { "node": ">=8" } @@ -7265,6 +7306,7 @@ "version": "6.0.1", "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz", "integrity": "sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==", + "license": "MIT", "dependencies": { "ansi-regex": "^5.0.1" }, @@ -7328,6 +7370,7 @@ "version": "7.4.3", "resolved": "https://registry.npmjs.org/tar/-/tar-7.4.3.tgz", "integrity": "sha512-5S7Va8hKfV7W5U6g3aYxXmlPoZVAwUMy9AOKyF2fVuZa2UD3qZjg578OrLRt8PcNN1PleVaL/5/yYATNL0ICUw==", + "license": "ISC", "dependencies": { "@isaacs/fs-minipass": "^4.0.0", "chownr": "^3.0.0", @@ -7344,6 +7387,7 @@ "version": "7.1.2", "resolved": "https://registry.npmjs.org/minipass/-/minipass-7.1.2.tgz", "integrity": "sha512-qOOzS1cBTWYF4BH8fVePDBOO9iptMnGUEZwNc/cMWnTV2nVLZ7VoNWEPHkYczZA0pdoA7dl6e7FL659nX9S2aw==", + "license": "ISC", "engines": { "node": ">=16 || 14 >=14.17" } @@ -7352,6 +7396,7 @@ "version": "5.0.0", "resolved": "https://registry.npmjs.org/yallist/-/yallist-5.0.0.tgz", "integrity": "sha512-YgvUTfwqyc7UXVMrB+SImsVYSmTS8X/tSrtdNZMImM+n7+QTriRXyXim0mBrTXNeqzVF0KWGgHPeiyViFFrNDw==", + "license": "BlueOak-1.0.0", "engines": { "node": ">=18" } @@ -7423,6 +7468,7 @@ "version": "0.2.3", "resolved": "https://registry.npmjs.org/tmp/-/tmp-0.2.3.tgz", "integrity": "sha512-nZD7m9iCPC5g0pYmcaxogYKggSfLsdxl8of3Q/oIbqCqLLIO9IAF0GWjX1z9NZRHPiXv8Wex4yDCaZsgEw0Y8w==", + "license": "MIT", "engines": { "node": ">=14.14" } @@ -7431,6 +7477,7 @@ "version": "3.0.3", "resolved": "https://registry.npmjs.org/tmp-promise/-/tmp-promise-3.0.3.tgz", "integrity": "sha512-RwM7MoPojPxsOBYnyd2hy0bxtIlVrihNs9pj5SUvY8Zz1sQcQG2tG1hSr8PDxfgEB8RNKDhqbIlroIarSNDNsQ==", + "license": "MIT", "dependencies": { "tmp": "^0.2.0" } @@ -7542,9 +7589,10 @@ "integrity": "sha512-nsZd8ZeNUzukXPlJmTBwUAuABDe/9qtVDelJeT/qW0ow3ZS3BsQJtNkan1802aM9Uf68/Y8ljw86Hu0h5IUW3w==" }, "node_modules/tslib": { - "version": "2.7.0", - "resolved": "https://registry.npmjs.org/tslib/-/tslib-2.7.0.tgz", - "integrity": "sha512-gLXCKdN1/j47AiHiOkJN69hJmcbGTHI0ImLmbYLHykhgeN0jVGola9yVjFgzCUklsZQMW55o+dW7IXv3RCXDzA==" + "version": "2.8.0", + "resolved": "https://registry.npmjs.org/tslib/-/tslib-2.8.0.tgz", + "integrity": "sha512-jWVzBLplnCmoaTr13V9dYbiQ99wvZRd0vNWaDRg+aVYRcjDF3nDksxFDE/+fkXnKhpnUUkmx5pK/v8mCtLVqZA==", + "license": "0BSD" }, "node_modules/type-check": { "version": "0.4.0", @@ -7613,11 +7661,6 @@ "node": ">=14.17" } }, - "node_modules/underscore": { - "version": "1.13.7", - "resolved": "https://registry.npmjs.org/underscore/-/underscore-1.13.7.tgz", - "integrity": "sha512-GMXzWtsc57XAtguZgaQViUOzs0KTkk8ojr3/xAxXLITqf/3EMwxC0inyETfDFjH/Krbhuep0HNbbjI9i/q3F3g==" - }, "node_modules/undici-types": { "version": "6.19.8", "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-6.19.8.tgz", @@ -7703,6 +7746,7 @@ "version": "1.5.10", "resolved": "https://registry.npmjs.org/url-parse/-/url-parse-1.5.10.tgz", "integrity": "sha512-WypcfiRhfeUP9vvF0j6rw0J3hrWrw6iZv3+22h6iRMJ/8z1Tj6XfLP4DsUix5MhMPnXpiHDoKyoZ/bdCkwBCiQ==", + "license": "MIT", "dependencies": { "querystringify": "^2.1.1", "requires-port": "^1.0.0" @@ -7824,6 +7868,7 @@ "version": "7.0.0", "resolved": "https://registry.npmjs.org/wrap-ansi/-/wrap-ansi-7.0.0.tgz", "integrity": "sha512-YVGIj2kamLSTxw6NsZjoBxfSwsn0ycdesmc4p+Q21c5zPuZ1pl+NfxVdxPtdHvmNVOQ6XSYG4AUtyt/Fi7D16Q==", + "license": "MIT", "dependencies": { "ansi-styles": "^4.0.0", "string-width": "^4.1.0", @@ -7839,12 +7884,14 @@ "node_modules/wrap-ansi-cjs/node_modules/emoji-regex": { "version": "8.0.0", "resolved": "https://registry.npmjs.org/emoji-regex/-/emoji-regex-8.0.0.tgz", - "integrity": "sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A==" + "integrity": "sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A==", + "license": "MIT" }, "node_modules/wrap-ansi-cjs/node_modules/is-fullwidth-code-point": { "version": "3.0.0", "resolved": "https://registry.npmjs.org/is-fullwidth-code-point/-/is-fullwidth-code-point-3.0.0.tgz", "integrity": "sha512-zymm5+u+sCsSWyD9qNaejV3DFvhCKclKdizYaJUuHA83RLjb7nSuGnddCHGv0hk+KY7BMAlsWeK4Ueg6EV6XQg==", + "license": "MIT", "engines": { "node": ">=8" } @@ -7853,6 +7900,7 @@ "version": "4.2.3", "resolved": "https://registry.npmjs.org/string-width/-/string-width-4.2.3.tgz", "integrity": "sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g==", + "license": "MIT", "dependencies": { "emoji-regex": "^8.0.0", "is-fullwidth-code-point": "^3.0.0", @@ -7923,6 +7971,7 @@ "version": "8.18.0", "resolved": "https://registry.npmjs.org/ws/-/ws-8.18.0.tgz", "integrity": "sha512-8VbfWfHLbbwu3+N6OKsOMpBdT4kXPDDB9cJk2bJ6mh9ucxdlnNvH1e+roYkKmN9Nxw2yjz7VzeO9oOz2zJ04Pw==", + "license": "MIT", "engines": { "node": ">=10.0.0" }, diff --git a/package.json b/package.json index 5cd3a54b5..3480d451c 100644 --- a/package.json +++ b/package.json @@ -29,7 +29,7 @@ "k3d-setup": "k3d cluster delete pepr-dev && k3d cluster create pepr-dev --k3s-arg '--debug@server:0'" }, "dependencies": { - "pepr": "0.37.2" + "pepr": "0.38.0" }, "devDependencies": { "@jest/globals": "29.7.0", From 8c0e6106f25ab564819d50f79d88f18dcde2f7b5 Mon Sep 17 00:00:00 2001 From: Rob Ferguson Date: Tue, 15 Oct 2024 15:35:51 -0500 Subject: [PATCH 72/90] chore: ensure http2 watch config is used by internal exemption watch (#909) ## Description The UDS Operator has KFC watch (exemptions) that operates outside of Pepr configured watchers. This ensures the configuration for using HTTP2 watches is respected by the exemption watch. ## Type of change - [ ] Bug fix (non-breaking change which fixes an issue) - [ ] New feature (non-breaking change which adds functionality) - [x] Other (security config, docs update, etc) ## Checklist before merging - [ ] Test, docs, adr added or updated as needed - [ ] [Contributor Guide](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md) followed --- src/pepr/policies/index.ts | 1 + src/pepr/uds-operator-config/values.yaml | 2 ++ 2 files changed, 3 insertions(+) diff --git a/src/pepr/policies/index.ts b/src/pepr/policies/index.ts index a0561c302..31422950c 100644 --- a/src/pepr/policies/index.ts +++ b/src/pepr/policies/index.ts @@ -40,6 +40,7 @@ export async function startExemptionWatch() { relistIntervalSec: process.env.PEPR_RELIST_INTERVAL_SECONDS ? parseInt(process.env.PEPR_RELIST_INTERVAL_SECONDS, 10) : 1800, + useHTTP2: process.env.PEPR_HTTP2_WATCH === "true", }; const watcher = K8s(UDSExemption).Watch(async (exemption, phase) => { log.debug(`Processing exemption ${exemption.metadata?.name}, watch phase: ${phase}`); diff --git a/src/pepr/uds-operator-config/values.yaml b/src/pepr/uds-operator-config/values.yaml index 17197d87d..4d40d027d 100644 --- a/src/pepr/uds-operator-config/values.yaml +++ b/src/pepr/uds-operator-config/values.yaml @@ -11,3 +11,5 @@ operator: PEPR_LAST_SEEN_LIMIT_SECONDS: "60" # Allow Pepr to re-list resources more frequently to avoid missing resources PEPR_RELIST_INTERVAL_SECONDS: "60" + # Use HTTP2 for Pepr watches and exemption watch + PEPR_HTTP2_WATCH: false From f756c1fc42cb6e291dcf63d3bc7a2c72e24a81e3 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 15 Oct 2024 21:01:59 +0000 Subject: [PATCH 73/90] chore(deps): update runtime to v0.6.1 (#910) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This PR contains the following updates: | Package | Update | Change | |---|---|---| | [ghcr.io/defenseunicorns/uds-runtime](https://images.chainguard.dev/directory/image/static/overview) ([source](https://redirect.github.com/chainguard-images/images/tree/HEAD/images/static)) | patch | `0.6.0` -> `0.6.1` | | [https://github.com/defenseunicorns/uds-runtime.git](https://redirect.github.com/defenseunicorns/uds-runtime) | patch | `v0.6.0` -> `v0.6.1` | --- ### Release Notes
defenseunicorns/uds-runtime (https://github.com/defenseunicorns/uds-runtime.git) ### [`v0.6.1`](https://redirect.github.com/defenseunicorns/uds-runtime/releases/tag/v0.6.1) [Compare Source](https://redirect.github.com/defenseunicorns/uds-runtime/compare/v0.6.0...v0.6.1) ##### Miscellaneous - bump uds-types in package lock ([#​455](https://redirect.github.com/defenseunicorns/uds-runtime/issues/455)) ([c17a583](https://redirect.github.com/defenseunicorns/uds-runtime/commit/c17a58343c94c3c4ea08717ffbaa2f5c10917a66)) - bumps uds-types version ([#​454](https://redirect.github.com/defenseunicorns/uds-runtime/issues/454)) ([4c767d5](https://redirect.github.com/defenseunicorns/uds-runtime/commit/4c767d5e55a0f698b33ee50335cf11cfa5b5d155)) - **deps:** update dependency kubernetes-fluent-client to v3.1.1 ([#​448](https://redirect.github.com/defenseunicorns/uds-runtime/issues/448)) ([abe8583](https://redirect.github.com/defenseunicorns/uds-runtime/commit/abe85835dce4e57681cdff3f3a4ec9ec1c787b04)) - **deps:** update devdependencies ([#​446](https://redirect.github.com/defenseunicorns/uds-runtime/issues/446)) ([a0f6163](https://redirect.github.com/defenseunicorns/uds-runtime/commit/a0f616335d824069ad511c79ebe7d61bb30c6739)) - license to AGPLv3 and update codeowners ([#​444](https://redirect.github.com/defenseunicorns/uds-runtime/issues/444)) ([2f0682a](https://redirect.github.com/defenseunicorns/uds-runtime/commit/2f0682a57a8b889515096e8c765582b07ae41c12)) - refactor auth logic ([#​426](https://redirect.github.com/defenseunicorns/uds-runtime/issues/426)) ([caa7e8f](https://redirect.github.com/defenseunicorns/uds-runtime/commit/caa7e8f77dce756a5fae4cfb81eb26d85dadd41d)) - update license headers ([#​450](https://redirect.github.com/defenseunicorns/uds-runtime/issues/450)) ([5e3a614](https://redirect.github.com/defenseunicorns/uds-runtime/commit/5e3a6148df1acb556acd39914c36ef06a6f6fb72)) - updates codeowners for both license files ([#​453](https://redirect.github.com/defenseunicorns/uds-runtime/issues/453)) ([6c4076a](https://redirect.github.com/defenseunicorns/uds-runtime/commit/6c4076a086fe4d9b8e67749a60151f17803e5448))
--- ### Configuration πŸ“… **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. β™» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. πŸ”• **Ignore**: Close this PR and you won't be reminded about these updates again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/defenseunicorns/uds-core). Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- src/runtime/zarf.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/runtime/zarf.yaml b/src/runtime/zarf.yaml index dd33fb982..3c07f4aae 100644 --- a/src/runtime/zarf.yaml +++ b/src/runtime/zarf.yaml @@ -16,11 +16,11 @@ components: - name: uds-runtime required: false images: - - ghcr.io/defenseunicorns/uds-runtime:0.6.0 + - ghcr.io/defenseunicorns/uds-runtime:0.6.1 charts: - name: uds-runtime namespace: uds-runtime - version: "v0.6.0" + version: "v0.6.1" url: https://github.com/defenseunicorns/uds-runtime.git gitPath: chart actions: From ef5e2d8d70f210c859982121d67b79cada225284 Mon Sep 17 00:00:00 2001 From: Wayne Starr Date: Wed, 16 Oct 2024 08:06:48 -0600 Subject: [PATCH 74/90] fix: istio proxy exiting early when Pod has restart policy (#914) ## Description This changes the proxy cleanup logic to be: All containers terminated AND either: - restartPolicy of Never - restartPolicy of OnFailure w/0 exit code A restartPolicy of Always should keep restarting the containers inside the pod and should not need proxy cleanup. ## Related Issue Fixes #913 ## Type of change - [x] Bug fix (non-breaking change which fixes an issue) - [ ] New feature (non-breaking change which adds functionality) - [ ] Other (security config, docs update, etc) ## Checklist before merging - [ ] Test, docs, adr added or updated as needed - [x] [Contributor Guide](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md) followed --- src/pepr/istio/index.ts | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/src/pepr/istio/index.ts b/src/pepr/istio/index.ts index 3a105b99f..bd39d6e9f 100644 --- a/src/pepr/istio/index.ts +++ b/src/pepr/istio/index.ts @@ -52,8 +52,13 @@ When(a.Pod) const shouldTerminate = pod.status.containerStatuses // Ignore the istio-proxy container .filter(c => c.name != "istio-proxy") - // and if ALL are terminated then shouldTerminate is true - .every(c => c.state?.terminated); + // and if ALL are terminated AND restartPolicy is Never or is OnFailure with a 0 exit code then shouldTerminate is true + .every( + c => + c.state?.terminated && + (pod.spec?.restartPolicy == "Never" || + (pod.spec?.restartPolicy == "OnFailure" && c.state.terminated.exitCode == 0)), + ); if (shouldTerminate) { // Mark the pod as seen From e5324fdf2615493ccd300906bea378e8d3cc1874 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Wed, 16 Oct 2024 14:29:27 +0000 Subject: [PATCH 75/90] chore(deps): update pepr to v0.38.0 (#915) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This PR contains the following updates: | Package | Update | Change | |---|---|---| | [registry1.dso.mil/ironbank/opensource/defenseunicorns/pepr/controller](https://redirect.github.com/defenseunicorns/pepr) ([source](https://repo1.dso.mil/dsop/opensource/defenseunicorns/pepr/controller)) | minor | `v0.37.2` -> `v0.38.0` | --- ### Configuration πŸ“… **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. β™» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. πŸ”• **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/defenseunicorns/uds-core). Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- tasks/create.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/create.yaml b/tasks/create.yaml index d326e291c..b1e8416c3 100644 --- a/tasks/create.yaml +++ b/tasks/create.yaml @@ -11,7 +11,7 @@ variables: - name: REGISTRY1_PEPR_IMAGE # renovate: datasource=docker depName=registry1.dso.mil/ironbank/opensource/defenseunicorns/pepr/controller versioning=semver - default: registry1.dso.mil/ironbank/opensource/defenseunicorns/pepr/controller:v0.37.2 + default: registry1.dso.mil/ironbank/opensource/defenseunicorns/pepr/controller:v0.38.0 - name: LAYER From 4b1a2a5816c0cee31c56726801e29c4c055146c8 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Wed, 16 Oct 2024 09:10:10 -0600 Subject: [PATCH 76/90] chore(deps): update prometheus-stack (#863) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This PR contains the following updates: | Package | Update | Change | |---|---|---| | [cgr.dev/du-uds-defenseunicorns/kube-webhook-certgen-fips](https://images.chainguard.dev/directory/image/kube-webhook-certgen-fips/overview) ([source](https://redirect.github.com/chainguard-images/images-private/tree/HEAD/images/kube-webhook-certgen-fips)) | patch | `1.11.2` -> `1.11.3` | | [kube-prometheus-stack](https://redirect.github.com/prometheus-operator/kube-prometheus) ([source](https://redirect.github.com/prometheus-community/helm-charts)) | minor | `65.0.0` -> `65.2.0` | | [registry.k8s.io/ingress-nginx/kube-webhook-certgen](https://redirect.github.com/kubernetes/ingress-nginx) | patch | `v1.4.3` -> `v1.4.4` | | [registry1.dso.mil/ironbank/opensource/ingress-nginx/kube-webhook-certgen](https://redirect.github.com/kubernetes/ingress-nginx/) ([source](https://repo1.dso.mil/dsop/opensource/kubernetes/ingress-nginx/kube-webhook-certgen)) | patch | `v1.4.3` -> `v1.4.4` | --- ### Release Notes
prometheus-community/helm-charts (kube-prometheus-stack) ### [`v65.2.0`](https://redirect.github.com/prometheus-community/helm-charts/compare/kube-prometheus-stack-65.1.1...kube-prometheus-stack-65.2.0) [Compare Source](https://redirect.github.com/prometheus-community/helm-charts/compare/kube-prometheus-stack-65.1.1...kube-prometheus-stack-65.2.0) ### [`v65.1.1`](https://redirect.github.com/prometheus-community/helm-charts/compare/kube-prometheus-stack-65.1.0...kube-prometheus-stack-65.1.1) [Compare Source](https://redirect.github.com/prometheus-community/helm-charts/compare/kube-prometheus-stack-65.1.0...kube-prometheus-stack-65.1.1) ### [`v65.1.0`](https://redirect.github.com/prometheus-community/helm-charts/compare/kube-prometheus-stack-65.0.0...kube-prometheus-stack-65.1.0) [Compare Source](https://redirect.github.com/prometheus-community/helm-charts/compare/kube-prometheus-stack-65.0.0...kube-prometheus-stack-65.1.0)
--- ### Configuration πŸ“… **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. β™» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. πŸ‘» **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/defenseunicorns/uds-core). Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Chance <139784371+UnicornChance@users.noreply.github.com> --- src/prometheus-stack/common/zarf.yaml | 2 +- src/prometheus-stack/values/registry1-values.yaml | 2 +- src/prometheus-stack/values/unicorn-values.yaml | 2 +- src/prometheus-stack/values/upstream-values.yaml | 2 +- src/prometheus-stack/zarf.yaml | 6 +++--- 5 files changed, 7 insertions(+), 7 deletions(-) diff --git a/src/prometheus-stack/common/zarf.yaml b/src/prometheus-stack/common/zarf.yaml index ed60e79f8..9bdf279cb 100644 --- a/src/prometheus-stack/common/zarf.yaml +++ b/src/prometheus-stack/common/zarf.yaml @@ -18,7 +18,7 @@ components: - name: kube-prometheus-stack namespace: monitoring url: https://prometheus-community.github.io/helm-charts - version: 65.0.0 + version: 65.2.0 valuesFiles: - "../values/values.yaml" actions: diff --git a/src/prometheus-stack/values/registry1-values.yaml b/src/prometheus-stack/values/registry1-values.yaml index 2515c2eba..c5f39b658 100644 --- a/src/prometheus-stack/values/registry1-values.yaml +++ b/src/prometheus-stack/values/registry1-values.yaml @@ -40,7 +40,7 @@ prometheusOperator: image: registry: registry1.dso.mil repository: ironbank/opensource/ingress-nginx/kube-webhook-certgen - tag: v1.4.3 + tag: v1.4.4 registry: registry1.dso.mil repository: ironbank/opensource/ingress-nginx/kube-webhook-certgen tag: v1.3.0 diff --git a/src/prometheus-stack/values/unicorn-values.yaml b/src/prometheus-stack/values/unicorn-values.yaml index 7035a9cb2..df2b75f14 100644 --- a/src/prometheus-stack/values/unicorn-values.yaml +++ b/src/prometheus-stack/values/unicorn-values.yaml @@ -40,7 +40,7 @@ prometheusOperator: image: registry: cgr.dev repository: du-uds-defenseunicorns/kube-webhook-certgen-fips - tag: 1.11.2 + tag: 1.11.3 registry: cgr.dev repository: du-uds-defenseunicorns/kube-webhook-certgen-fips tag: 1.10.1 diff --git a/src/prometheus-stack/values/upstream-values.yaml b/src/prometheus-stack/values/upstream-values.yaml index ef4286956..e539454dd 100644 --- a/src/prometheus-stack/values/upstream-values.yaml +++ b/src/prometheus-stack/values/upstream-values.yaml @@ -35,7 +35,7 @@ prometheusOperator: image: registry: registry.k8s.io repository: ingress-nginx/kube-webhook-certgen - tag: v1.4.3 + tag: v1.4.4 securityContext: runAsGroup: 2000 runAsNonRoot: true diff --git a/src/prometheus-stack/zarf.yaml b/src/prometheus-stack/zarf.yaml index d6a8e1a86..6b0d667a0 100644 --- a/src/prometheus-stack/zarf.yaml +++ b/src/prometheus-stack/zarf.yaml @@ -36,7 +36,7 @@ components: - "quay.io/prometheus/alertmanager:v0.27.0" - "quay.io/prometheus-operator/prometheus-config-reloader:v0.77.1" - "quay.io/prometheus/prometheus:v2.54.1" - - "registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.3" + - "registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.4" - name: kube-prometheus-stack required: true @@ -56,7 +56,7 @@ components: - "registry1.dso.mil/ironbank/opensource/prometheus/alertmanager:v0.27.0" - "registry1.dso.mil/ironbank/opensource/prometheus-operator/prometheus-config-reloader:v0.77.1" - "registry1.dso.mil/ironbank/opensource/prometheus/prometheus:v2.54.1" - - "registry1.dso.mil/ironbank/opensource/ingress-nginx/kube-webhook-certgen:v1.4.3" + - "registry1.dso.mil/ironbank/opensource/ingress-nginx/kube-webhook-certgen:v1.4.4" - name: kube-prometheus-stack required: true @@ -76,4 +76,4 @@ components: - "cgr.dev/du-uds-defenseunicorns/prometheus-alertmanager-fips:0.27.0" - "cgr.dev/du-uds-defenseunicorns/prometheus-config-reloader-fips:0.77.1" - "cgr.dev/du-uds-defenseunicorns/prometheus-fips:2.54.1" - - "cgr.dev/du-uds-defenseunicorns/kube-webhook-certgen-fips:1.11.2" + - "cgr.dev/du-uds-defenseunicorns/kube-webhook-certgen-fips:1.11.3" From 496b6a81c2f4ee3cfabf3d1a0113c47490b10488 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Wed, 16 Oct 2024 17:19:04 +0000 Subject: [PATCH 77/90] chore(deps): update support-deps (#912) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | aws | required_provider | minor | `~> 5.71.0` -> `~> 5.72.0` | | [terraform-aws-modules/rds/aws](https://registry.terraform.io/modules/terraform-aws-modules/rds/aws) ([source](https://redirect.github.com/terraform-aws-modules/terraform-aws-rds)) | module | minor | `6.9.0` -> `6.10.0` | --- ### Release Notes
terraform-aws-modules/terraform-aws-rds (terraform-aws-modules/rds/aws) ### [`v6.10.0`](https://redirect.github.com/terraform-aws-modules/terraform-aws-rds/blob/HEAD/CHANGELOG.md#6100-2024-10-16) [Compare Source](https://redirect.github.com/terraform-aws-modules/terraform-aws-rds/compare/v6.9.0...v6.10.0) ##### Features - Support `cloudwatch_log_group_tags` parameter ([#​571](https://redirect.github.com/terraform-aws-modules/terraform-aws-rds/issues/571)) ([73e33fe](https://redirect.github.com/terraform-aws-modules/terraform-aws-rds/commit/73e33feba5d907801791168ebf6d3132fbd646f5)) ##### Bug Fixes - Update CI workflow versions to latest ([#​570](https://redirect.github.com/terraform-aws-modules/terraform-aws-rds/issues/570)) ([220cc85](https://redirect.github.com/terraform-aws-modules/terraform-aws-rds/commit/220cc85dcdc8eb63772e25526db693dd563d40a1))
--- ### Configuration πŸ“… **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. β™» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. πŸ‘» **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/defenseunicorns/uds-core). Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Micah Nagel --- .github/test-infra/aws/eks/rds.tf | 2 +- .github/test-infra/aws/rke2/versions.tf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/test-infra/aws/eks/rds.tf b/.github/test-infra/aws/eks/rds.tf index 9f90a2f1a..ce432a324 100644 --- a/.github/test-infra/aws/eks/rds.tf +++ b/.github/test-infra/aws/eks/rds.tf @@ -20,7 +20,7 @@ resource "aws_secretsmanager_secret_version" "db_secret_value" { module "db" { source = "terraform-aws-modules/rds/aws" - version = "6.9.0" + version = "6.10.0" identifier = "${var.db_name}-db" instance_use_identifier_prefix = true diff --git a/.github/test-infra/aws/rke2/versions.tf b/.github/test-infra/aws/rke2/versions.tf index 95e96e2de..50949e00e 100644 --- a/.github/test-infra/aws/rke2/versions.tf +++ b/.github/test-infra/aws/rke2/versions.tf @@ -6,7 +6,7 @@ terraform { } required_providers { aws = { - version = "~> 5.71.0" + version = "~> 5.72.0" } random = { version = "~> 3.6.0" From 400ae4966c1e2b3e04c98f535fb9b147ced8b9dc Mon Sep 17 00:00:00 2001 From: Noah <40781376+noahpb@users.noreply.github.com> Date: Wed, 16 Oct 2024 15:55:27 -0400 Subject: [PATCH 78/90] fix: don't add duplicate policy names to `uds-core.pepr.dev/mutated` annotation (#916) ## Description Adds a check to the `annotateMutation` function that prevents duplicate values (policy names) from being added to the `uds-core.pepr.dev/mutated` key ## Related Issue Fixes https://github.com/defenseunicorns/uds-core/issues/717 ## Type of change - [x] Bug fix (non-breaking change which fixes an issue) - [ ] New feature (non-breaking change which adds functionality) - [ ] Other (security config, docs update, etc) ## Checklist before merging - [ ] Test, docs, adr added or updated as needed - [ ] [Contributor Guide](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md) followed --------- Co-authored-by: Micah Nagel --- src/pepr/policies/common.ts | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/src/pepr/policies/common.ts b/src/pepr/policies/common.ts index fb7a91331..7945ef2aa 100644 --- a/src/pepr/policies/common.ts +++ b/src/pepr/policies/common.ts @@ -112,6 +112,9 @@ export function annotateMutation( const annotations = request.Raw.metadata?.annotations ?? {}; const valStr = annotations[key]; const arr = JSON.parse(valStr || "[]"); - arr.push(transform(policy)); + const safePolicyName = transform(policy); + if (!arr.includes(safePolicyName)) { + arr.push(safePolicyName); + } request.SetAnnotation(key, JSON.stringify(arr)); } From 9057a6ae3f2d7e45bf35f8486bd68d80f9770bf4 Mon Sep 17 00:00:00 2001 From: Andy Mills <61879371+CloudBeard@users.noreply.github.com> Date: Thu, 17 Oct 2024 10:15:21 -0400 Subject: [PATCH 79/90] fix: decompose istio oscal (#826) ## Description Splits the validations out from the OSCAL Component-Definition. `lula validate` can work remotely to validate the validations. Updated the OSCAL Assessment-Result as the baseline has changed from High to Moderate. Updated the Istio catalog source url to a tagged version (recent GSA release) This pattern allows for easier maintenance and development of the validations by not reading through 1000s of lines of OSCAL and OSCAL formatting just to make a small update. All of the validations under the ./compliance/validations directory are a pull from the compliance-artifacts repo where OSCAL and Validations development happen. ## Related Issue Relates to https://github.com/defenseunicorns/uds-core/issues/797 ## Type of change - [ ] Bug fix (non-breaking change which fixes an issue) - [ ] New feature (non-breaking change which adds functionality) - [x] Other (security config, docs update, etc) ## Checklist before merging - [x] Test, docs, adr added or updated as needed - [x] [Contributor Guide](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md) followed --- compliance/oscal-assessment-results.yaml | 2085 +- .../all-namespaces-istio-injected/README.md | 9 + .../resources.json | 537 + .../all-namespaces-istio-injected/tests.yaml | 10 + .../validation.yaml | 55 + .../istio/all-pods-istio-injected/README.md | 9 + .../all-pods-istio-injected/resources.json | 24014 +++++++++++++++ .../istio/all-pods-istio-injected/tests.yaml | 25 + .../all-pods-istio-injected/validation.yaml | 66 + .../README.md | 9 + .../resources.json | 41 + .../tests.yaml | 20 + .../validation.yaml | 47 + .../authorized-keycloak-access/README.md | 9 + .../authorized-keycloak-access/resources.json | 132 + .../authorized-keycloak-access/tests.yaml | 15 + .../validation.yaml | 72 + .../istio/authorized-traffic-egress/README.md | 9 + .../authorized-traffic-egress/validation.yaml | 14 + .../README.md | 9 + .../resources.json | 546 + .../tests.yaml | 20 + .../validation.yaml | 74 + .../check-istio-logging-all-traffic/README.md | 9 + .../resources.json | 28 + .../tests.yaml | 15 + .../validation.yaml | 46 + .../README.md | 9 + .../validation.yaml | 17 + .../README.md | 9 + .../validation.yaml | 14 + .../istio/enforce-mtls-strict/README.md | 9 + .../istio/enforce-mtls-strict/resources.json | 225 + .../istio/enforce-mtls-strict/tests.yaml | 10 + .../istio/enforce-mtls-strict/validation.yaml | 49 + .../istio/external-traffic-managed/README.md | 9 + .../external-traffic-managed/validation.yaml | 18 + .../istio/fips-evaluation/README.md | 9 + .../istio/fips-evaluation/validation.yaml | 14 + .../gateway-configuration-check/README.md | 9 + .../resources.json | 220 + .../gateway-configuration-check/tests.yaml | 15 + .../validation.yaml | 63 + .../validations/istio/healthcheck/README.md | 9 + .../istio/healthcheck/resources.json | 407 + .../validations/istio/healthcheck/tests.yaml | 15 + .../istio/healthcheck/validation.yaml | 62 + .../istio/ingress-traffic-encrypted/README.md | 9 + .../ingress-traffic-encrypted/resources.json | 220 + .../ingress-traffic-encrypted/tests.yaml | 15 + .../ingress-traffic-encrypted/validation.yaml | 74 + .../metrics-logging-configured/README.md | 9 + .../metrics-logging-configured/resources.json | 28 + .../metrics-logging-configured/tests.yaml | 15 + .../validation.yaml | 44 + .../README.md | 9 + .../resources.json | 25428 ++++++++++++++++ .../tests.yaml | 10 + .../validation.yaml | 60 + .../istio/rbac-enforcement-check/README.md | 9 + .../rbac-enforcement-check/resources.json | 177 + .../istio/rbac-enforcement-check/tests.yaml | 10 + .../rbac-enforcement-check/validation.yaml | 42 + .../rbac-for-approved-personnel/README.md | 9 + .../validation.yaml | 14 + .../README.md | 9 + .../resources.json | 212 + .../tests.yaml | 25 + .../validation.yaml | 86 + .../README.md | 9 + .../resources.json | 4751 +++ .../tests.yaml | 25 + .../validation.yaml | 67 + .../istio/tls-origination-at-egress/README.md | 9 + .../tls-origination-at-egress/validation.yaml | 17 + .../istio/tracing-logging-support/README.md | 9 + .../tracing-logging-support/resources.json | 23 + .../istio/tracing-logging-support/tests.yaml | 10 + .../tracing-logging-support/validation.yaml | 45 + src/istio/oscal-component.yaml | 1482 +- 80 files changed, 59051 insertions(+), 3027 deletions(-) create mode 100644 compliance/validations/istio/all-namespaces-istio-injected/README.md create mode 100644 compliance/validations/istio/all-namespaces-istio-injected/resources.json create mode 100644 compliance/validations/istio/all-namespaces-istio-injected/tests.yaml create mode 100644 compliance/validations/istio/all-namespaces-istio-injected/validation.yaml create mode 100644 compliance/validations/istio/all-pods-istio-injected/README.md create mode 100644 compliance/validations/istio/all-pods-istio-injected/resources.json create mode 100644 compliance/validations/istio/all-pods-istio-injected/tests.yaml create mode 100644 compliance/validations/istio/all-pods-istio-injected/validation.yaml create mode 100644 compliance/validations/istio/authorization-policies-require-authentication-DEPRECATED/README.md create mode 100644 compliance/validations/istio/authorization-policies-require-authentication-DEPRECATED/resources.json create mode 100644 compliance/validations/istio/authorization-policies-require-authentication-DEPRECATED/tests.yaml create mode 100644 compliance/validations/istio/authorization-policies-require-authentication-DEPRECATED/validation.yaml create mode 100644 compliance/validations/istio/authorized-keycloak-access/README.md create mode 100644 compliance/validations/istio/authorized-keycloak-access/resources.json create mode 100644 compliance/validations/istio/authorized-keycloak-access/tests.yaml create mode 100644 compliance/validations/istio/authorized-keycloak-access/validation.yaml create mode 100644 compliance/validations/istio/authorized-traffic-egress/README.md create mode 100644 compliance/validations/istio/authorized-traffic-egress/validation.yaml create mode 100644 compliance/validations/istio/check-istio-admin-gateway-and-usage/README.md create mode 100644 compliance/validations/istio/check-istio-admin-gateway-and-usage/resources.json create mode 100644 compliance/validations/istio/check-istio-admin-gateway-and-usage/tests.yaml create mode 100644 compliance/validations/istio/check-istio-admin-gateway-and-usage/validation.yaml create mode 100644 compliance/validations/istio/check-istio-logging-all-traffic/README.md create mode 100644 compliance/validations/istio/check-istio-logging-all-traffic/resources.json create mode 100644 compliance/validations/istio/check-istio-logging-all-traffic/tests.yaml create mode 100644 compliance/validations/istio/check-istio-logging-all-traffic/validation.yaml create mode 100644 compliance/validations/istio/communications-terminated-after-inactivity/README.md create mode 100644 compliance/validations/istio/communications-terminated-after-inactivity/validation.yaml create mode 100644 compliance/validations/istio/egress-gateway-exists-and-configured/README.md create mode 100644 compliance/validations/istio/egress-gateway-exists-and-configured/validation.yaml create mode 100644 compliance/validations/istio/enforce-mtls-strict/README.md create mode 100644 compliance/validations/istio/enforce-mtls-strict/resources.json create mode 100644 compliance/validations/istio/enforce-mtls-strict/tests.yaml create mode 100644 compliance/validations/istio/enforce-mtls-strict/validation.yaml create mode 100644 compliance/validations/istio/external-traffic-managed/README.md create mode 100644 compliance/validations/istio/external-traffic-managed/validation.yaml create mode 100644 compliance/validations/istio/fips-evaluation/README.md create mode 100644 compliance/validations/istio/fips-evaluation/validation.yaml create mode 100644 compliance/validations/istio/gateway-configuration-check/README.md create mode 100644 compliance/validations/istio/gateway-configuration-check/resources.json create mode 100644 compliance/validations/istio/gateway-configuration-check/tests.yaml create mode 100644 compliance/validations/istio/gateway-configuration-check/validation.yaml create mode 100644 compliance/validations/istio/healthcheck/README.md create mode 100644 compliance/validations/istio/healthcheck/resources.json create mode 100644 compliance/validations/istio/healthcheck/tests.yaml create mode 100644 compliance/validations/istio/healthcheck/validation.yaml create mode 100644 compliance/validations/istio/ingress-traffic-encrypted/README.md create mode 100644 compliance/validations/istio/ingress-traffic-encrypted/resources.json create mode 100644 compliance/validations/istio/ingress-traffic-encrypted/tests.yaml create mode 100644 compliance/validations/istio/ingress-traffic-encrypted/validation.yaml create mode 100644 compliance/validations/istio/metrics-logging-configured/README.md create mode 100644 compliance/validations/istio/metrics-logging-configured/resources.json create mode 100644 compliance/validations/istio/metrics-logging-configured/tests.yaml create mode 100644 compliance/validations/istio/metrics-logging-configured/validation.yaml create mode 100644 compliance/validations/istio/prometheus-annotations-validation/README.md create mode 100644 compliance/validations/istio/prometheus-annotations-validation/resources.json create mode 100644 compliance/validations/istio/prometheus-annotations-validation/tests.yaml create mode 100644 compliance/validations/istio/prometheus-annotations-validation/validation.yaml create mode 100644 compliance/validations/istio/rbac-enforcement-check/README.md create mode 100644 compliance/validations/istio/rbac-enforcement-check/resources.json create mode 100644 compliance/validations/istio/rbac-enforcement-check/tests.yaml create mode 100644 compliance/validations/istio/rbac-enforcement-check/validation.yaml create mode 100644 compliance/validations/istio/rbac-for-approved-personnel/README.md create mode 100644 compliance/validations/istio/rbac-for-approved-personnel/validation.yaml create mode 100644 compliance/validations/istio/request-authentication-and-auth-policies-configured-DEPRECATED/README.md create mode 100644 compliance/validations/istio/request-authentication-and-auth-policies-configured-DEPRECATED/resources.json create mode 100644 compliance/validations/istio/request-authentication-and-auth-policies-configured-DEPRECATED/tests.yaml create mode 100644 compliance/validations/istio/request-authentication-and-auth-policies-configured-DEPRECATED/validation.yaml create mode 100644 compliance/validations/istio/secure-communication-with-istiod/README.md create mode 100644 compliance/validations/istio/secure-communication-with-istiod/resources.json create mode 100644 compliance/validations/istio/secure-communication-with-istiod/tests.yaml create mode 100644 compliance/validations/istio/secure-communication-with-istiod/validation.yaml create mode 100644 compliance/validations/istio/tls-origination-at-egress/README.md create mode 100644 compliance/validations/istio/tls-origination-at-egress/validation.yaml create mode 100644 compliance/validations/istio/tracing-logging-support/README.md create mode 100644 compliance/validations/istio/tracing-logging-support/resources.json create mode 100644 compliance/validations/istio/tracing-logging-support/tests.yaml create mode 100644 compliance/validations/istio/tracing-logging-support/validation.yaml diff --git a/compliance/oscal-assessment-results.yaml b/compliance/oscal-assessment-results.yaml index 7593fb5f2..55dc29871 100644 --- a/compliance/oscal-assessment-results.yaml +++ b/compliance/oscal-assessment-results.yaml @@ -1,33 +1,29 @@ -# Copyright 2024 Defense Unicorns -# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial - assessment-results: import-ap: href: "" metadata: - last-modified: 2024-08-06T02:58:07.217393214Z + last-modified: 2024-10-16T20:13:51.735141137Z oscal-version: 1.1.2 published: 2024-06-30T22:27:28.032093229Z remarks: Assessment Results generated from Lula title: '[System Name] Security Assessment Results (SAR)' version: 0.0.1 results: - - description: Assessment results for performing Validations with Lula version v0.4.5 + - description: Assessment results for performing Validations with Lula version v0.9.1 findings: - description: | - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: c8c03abd-244d-4813-a966-3feece1bad6a - # Control Implementation - Istio implements with service to service and provides authorization policies that require authentication to access any non-public features. + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 41c51dc3-7db1-4717-b071-83e57897f478 + Istio implements with service to service and provides authorization policies that require authentication to access any non-public features. related-observations: - - observation-uuid: 1cc8559c-f4df-46bc-9adb-7f5923a9de91 - - observation-uuid: 3b856533-2206-4ebd-932e-645886b20b10 + - observation-uuid: eb3200f0-0b42-4bab-9987-673684f62d82 + - observation-uuid: 9d69895a-0eed-4052-8102-ff9070d66851 target: status: state: satisfied target-id: ac-14 type: objective-id title: 'Validation Result - Control: ac-14' - uuid: 0bebe1ce-f13d-4bbc-ba5b-a0d92ad5b6fa + uuid: 6bcf8d54-c497-483a-8b02-257d3ad14a13 - description: | Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 069521de-43bc-4dce-ac4e-4adc9a559c3f # Control Description "a. Define and document the types of accounts allowed and specifically prohibited for use within the system; b. Assign account managers; c. Require [Assignment: organization-defined prerequisites and criteria] for group and role membership; d. Specify: 1. Authorized users of the system; 2. Group and role membership; and 3. Access authorizations (i.e., privileges) and [Assignment: organization-defined attributes (as required)] for each account; e. Require approvals by [Assignment: organization-defined personnel or roles] for requests to create accounts; f. Create, enable, modify, disable, and remove accounts in accordance with [Assignment: organization-defined policy, procedures, prerequisites, and criteria]; g. Monitor the use of accounts; h. Notify account managers and [Assignment: organization-defined personnel or roles] within: 1. [Assignment: twenty-four (24) hours] when accounts are no longer required; 2. [Assignment: eight (8) hours] when users are terminated or transferred; and 3. [Assignment: eight (8) hours] when system usage or need-to-know changes for an individual; i. Authorize access to the system based on: 1. A valid access authorization; 2. Intended system usage; and 3. [Assignment: organization-defined attributes (as required)]; j. Review accounts for compliance with account management requirements [Assignment: monthly for privileged accessed, every six (6) months for non-privileged access]; k. Establish and implement a process for changing shared or group account authenticators (if deployed) when individuals are removed from the group; and l. Align account management processes with personnel termination and transfer processes." @@ -38,7 +34,7 @@ assessment-results: target-id: ac-2 type: objective-id title: 'Validation Result - Control: ac-2' - uuid: 57fb27fd-82c5-43d3-8813-7fcc2ceab0ca + uuid: 94067e2e-ca10-4798-8077-c4128c8ad4f2 - description: | Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: bf59763a-0c22-4046-ab00-1d2b47dad8df # Control Description Support the management of system accounts using [Assignment: organization-defined automated mechanisms]. @@ -49,7 +45,7 @@ assessment-results: target-id: ac-2.1 type: objective-id title: 'Validation Result - Control: ac-2.1' - uuid: d263ec5d-4ee8-43b2-9705-b0afa44758b5 + uuid: 4c4f8dc5-9be1-44fe-a04b-e369943af6c0 - description: | Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 051af8b7-75aa-4c26-9132-0cb46d5965aa # Control Description Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. @@ -60,55 +56,37 @@ assessment-results: target-id: ac-3 type: objective-id title: 'Validation Result - Control: ac-3' - uuid: 10d347a7-e12a-4b05-85e2-77ed4f542fdd + uuid: bd6ddf39-0886-4922-b9d5-8ee80f03fcf4 - description: | - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 9e158525-96bd-4d4f-a674-7e3eab9aea7a - # Control Implementation - Istio encrypts all in-mesh communication at runtime using FIPS verified mTLS in addition to ingress and egress gateways for controlling communication. + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 210f730b-7fed-42dd-99b4-42466951b080 + Istio encrypts all in-mesh communication at runtime using FIPS verified mTLS in addition to ingress and egress gateways for controlling communication. related-observations: - - observation-uuid: 1cc8559c-f4df-46bc-9adb-7f5923a9de91 - - observation-uuid: dbc9b893-9847-4ffa-8a91-7642f18f9784 - - observation-uuid: 435f54e2-3606-4250-9e16-79326844e82e - - observation-uuid: ff67f994-802a-4668-a261-f0cbfb7982d5 + - observation-uuid: eb3200f0-0b42-4bab-9987-673684f62d82 + - observation-uuid: adb9497f-436d-4862-8043-6691bce1352c + - observation-uuid: f10278ec-5f1b-4307-8709-a3745bf12d36 + - observation-uuid: a9c35339-fc94-4e59-bdf1-a89c1664bac0 target: status: state: satisfied target-id: ac-4 type: objective-id title: 'Validation Result - Control: ac-4' - uuid: 1e16362c-0987-4314-bc1f-a1696344df0e + uuid: 66a85471-6739-4958-ac74-007040a6df48 - description: | - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 6e32feb5-ce43-465f-9422-e3ef3276bf5d - # Control Implementation - Istio is configured to use ingress and egress gateways to provide logical flow separation. + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: ee9e5fae-1c95-46c7-9265-dc0035e2bb05 + Istio is configured to use ingress and egress gateways to provide logical flow separation. related-observations: - - observation-uuid: 1cc8559c-f4df-46bc-9adb-7f5923a9de91 - - observation-uuid: f25d32b1-4bbd-4309-a96e-99fb8f484c88 - - observation-uuid: 362043c5-ea38-4c11-83e3-35d34b79c938 - - observation-uuid: 610a3b9c-269e-47c7-8b2c-9412bc822e80 + - observation-uuid: eb3200f0-0b42-4bab-9987-673684f62d82 + - observation-uuid: 2c61853a-96af-4195-8dc9-f3313f6035f1 + - observation-uuid: 20f98c91-2308-4356-837b-c253353d7479 + - observation-uuid: 4e1e697c-4a92-4c57-ae95-c75ba272dc1d target: status: state: not-satisfied target-id: ac-4.21 type: objective-id title: 'Validation Result - Control: ac-4.21' - uuid: 00f7dff8-8e83-414b-ab38-6a580e4c9de2 - - description: | - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: c3e13abc-3c19-4f08-a2f8-40fcbef5daa7 - # Control Implementation - All encrypted HTTPS connections are terminated at the Istio ingress gateway. - related-observations: - - observation-uuid: 1cc8559c-f4df-46bc-9adb-7f5923a9de91 - - observation-uuid: dbc9b893-9847-4ffa-8a91-7642f18f9784 - - observation-uuid: 435f54e2-3606-4250-9e16-79326844e82e - - observation-uuid: ff67f994-802a-4668-a261-f0cbfb7982d5 - target: - status: - state: satisfied - target-id: ac-4.4 - type: objective-id - title: 'Validation Result - Control: ac-4.4' - uuid: 5d800b2f-1f1e-4b3c-b3ac-7d808f8a175d + uuid: eadbe4cd-7f8b-4ff3-bfd9-beaac5eae67f - description: | Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 386fb410-27e5-413d-8e6d-607afa86bb72 # Control Description "a. Identify and document [Assignment: organization-defined duties of individuals requiring separation]; and b. Define system access authorizations to support separation of duties." @@ -119,7 +97,7 @@ assessment-results: target-id: ac-5 type: objective-id title: 'Validation Result - Control: ac-5' - uuid: 688258f8-7f62-4592-858f-08b7c0c3ecc1 + uuid: 5d48147b-ff9e-4752-b015-3588cec166a6 - description: | Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 60ad5f60-3852-49a1-961b-b6454edb8319 # Control Description Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks. @@ -133,7 +111,7 @@ assessment-results: target-id: ac-6 type: objective-id title: 'Validation Result - Control: ac-6' - uuid: 390a213d-c344-4f93-8605-3f6552f594c3 + uuid: c24dc3af-b777-4d89-9569-cd57de7981dc - description: | Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: f1b66def-f822-4859-a448-5d5f77cd6f75 # Control Description "Authorize access for [Assignment: organization-defined individuals or roles] to: (a) [Assignment: organization-defined all functions not publicly accessible]; and (b) [Assignment: organization-defined all security-relevant information not publicly available]." @@ -147,38 +125,32 @@ assessment-results: target-id: ac-6.1 type: objective-id title: 'Validation Result - Control: ac-6.1' - uuid: bbc392e9-030f-45e4-a400-36e3866d22f4 + uuid: 0016a2a5-efcf-493f-a816-e1fd880c6e41 - description: | - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: e196edcd-fd88-42c2-9a99-0e67e2ba8919 - # Control Description Prevent non-privileged users from executing privileged functions. - # Control Implementation NeuVector supports mapping internal user accounts and roles in addition to LDAP and SSO roles or groups for providing RBAC access. Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: d0ffa50d-d91f-4dc3-8827-24e0f84b49d2 # Control Description Prevent non-privileged users from executing privileged functions. # Control Implementation Loki layers an additional RBAC layer that prohibits non-privileged users from executing privileged functions. + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: e196edcd-fd88-42c2-9a99-0e67e2ba8919 + # Control Description Prevent non-privileged users from executing privileged functions. + # Control Implementation NeuVector supports mapping internal user accounts and roles in addition to LDAP and SSO roles or groups for providing RBAC access. target: status: state: not-satisfied target-id: ac-6.10 type: objective-id title: 'Validation Result - Control: ac-6.10' - uuid: 7a22b227-29de-4ab5-a813-0faa2f816709 + uuid: f03df0d2-9c46-420d-9eb0-925367a8e9ce - description: | Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 0b3faf98-8a76-4b49-8e4b-c785cf26cfbe # Control Description Authorize network access to [Assignment: all privileged commands] only for [Assignment: organization-defined compelling operational needs] and document the rationale for such access in the security plan for the system. # Control Implementation NeuVector supports mapping internal user accounts and roles in addition to LDAP and SSO roles or groups for providing RBAC access. - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 0081f95a-3233-4e07-a6cd-95cb1905c318 - # Control Implementation - Configured with an "admin" gateway to restrict access to applications that only need administrative access. - related-observations: - - observation-uuid: 1cc8559c-f4df-46bc-9adb-7f5923a9de91 - - observation-uuid: 362043c5-ea38-4c11-83e3-35d34b79c938 target: status: state: not-satisfied target-id: ac-6.3 type: objective-id title: 'Validation Result - Control: ac-6.3' - uuid: 18fe653e-eb66-4686-8f2d-6952aac69c6c + uuid: 5f634c21-9332-4242-ae7d-d315cbc8e6fe - description: | Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 954ba9c8-452c-4503-a43f-c880a01b828d # Control Description @@ -186,35 +158,34 @@ assessment-results: Auditing the use of privileged functions is one way to detect such misuse, and in doing so, help mitigate the risk from insider threats and the advanced persistent threat (APT). # Control Implementation - Promtail can be configured to collect all logs from Kubernetes and underlying operating systems, allowing the aggregation of privileged function calls. - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 6d8a6c80-2844-4bfd-bc9d-0f5a71e5c979 - # Control Implementation - Istio produces logs for all traffic in the information system. + Vector can be configured to collect all logs from Kubernetes and underlying operating systems, allowing the aggregation of privileged function calls. + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: c6d9abd2-0136-468a-908d-181d9bd51962 + Istio produces logs for all traffic in the information system. Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 14db5706-570c-44a2-b430-29a8a8e2d249 # Control Description Log the execution of privileged functions. # Control Implementation Privileged events, including updating the deployment of an application, or use of privileged containers are collected as metrics by prometheus and displayed by Grafana. Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: e36ba9d5-f12d-4524-a777-a041a0203bb6 # Control Description Log the execution of privileged functions. # Control Implementation Privileged events that modify the application are logged in the application itself. - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 4d1f5291-8f3f-429c-af2f-b05455ef30f0 - # Control Description Log the execution of privileged functions. - # Control Implementation Privileged events, including updating the deployment of an application, or use of privileged containers are collected as metrics by prometheus and displayed by Grafana. Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 921ec1c7-923c-4a28-a4dd-b59c1d3d9998 # Control Description Log the execution of privileged functions. # Control Implementation NeuVector provides logging access related audit events. + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 4d1f5291-8f3f-429c-af2f-b05455ef30f0 + # Control Description Log the execution of privileged functions. + # Control Implementation Privileged events, including updating the deployment of an application, or use of privileged containers are collected as metrics by prometheus and displayed by Grafana. related-observations: - - observation-uuid: 1cc8559c-f4df-46bc-9adb-7f5923a9de91 - - observation-uuid: 9e4a8aa7-2736-4aad-8b08-7fcee4fa2a68 - - observation-uuid: 435f54e2-3606-4250-9e16-79326844e82e - - observation-uuid: a1236290-6057-4695-b4bd-20dd2981d60d - - observation-uuid: af55317a-a3b8-42b9-8ba8-d859748635b5 + - observation-uuid: eb3200f0-0b42-4bab-9987-673684f62d82 + - observation-uuid: a858d60b-5192-41de-bac4-a79479a91f64 + - observation-uuid: f10278ec-5f1b-4307-8709-a3745bf12d36 + - observation-uuid: 39cf41d1-048e-4132-9681-f7274e4be4ea + - observation-uuid: 572f5829-517b-40d0-8b50-6d9bf9c54c77 target: status: state: not-satisfied target-id: ac-6.9 type: objective-id title: 'Validation Result - Control: ac-6.9' - uuid: 784d7def-b9de-495a-ba5d-93733e37a1eb + uuid: 1ee97cb7-b6d8-4319-b031-cd417e313f6f - description: | Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 20ecdb48-997e-4958-b74c-21f462049877 # Control Description Retain audit records for [Assignment: at least one (1) year] to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements. @@ -225,39 +196,49 @@ assessment-results: target-id: au-11 type: objective-id title: 'Validation Result - Control: au-11' - uuid: 7e7c4d5e-13be-4768-bf2c-31ca172865a0 + uuid: e4a8f249-89f4-4af5-9928-ab6eabfecdc3 - description: | - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 8f645835-6538-4327-a7aa-453b398f5ef4 - # Control Implementation - Istio provides audit record generation capabilities for a variety of event types, including session, connection, transaction, or activity durations, and the number of bytes received and sent. + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 87f99f34-6980-49e1-91cf-c0264fa3407c + Istio provides audit record generation capabilities for a variety of event types, including session, connection, transaction, or activity durations, and the number of bytes received and sent. related-observations: - - observation-uuid: 1cc8559c-f4df-46bc-9adb-7f5923a9de91 - - observation-uuid: 9e4a8aa7-2736-4aad-8b08-7fcee4fa2a68 + - observation-uuid: eb3200f0-0b42-4bab-9987-673684f62d82 + - observation-uuid: a858d60b-5192-41de-bac4-a79479a91f64 target: status: state: satisfied target-id: au-12 type: objective-id title: 'Validation Result - Control: au-12' - uuid: 0a4cbea2-493f-4bc2-b0bf-4f88af93e4af + uuid: 527b3d8a-ce49-483d-956e-5931140eeca6 - description: | Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 58766714-a477-42b9-bae4-856f14b58cea # Control Description Compile audit records from [Assignment: all network, data storage, and computing devices] into a system-wide (logical or physical) audit trail that is time-correlated to within [Assignment: organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail]. # Control Implementation Provides time-series event compilation capabilities. - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 301093ed-d023-4bf8-a915-e624589acadd - # Control Description Compile audit records from [Assignment: all network, data storage, and computing devices] into a system-wide (logical or physical) audit trail that is time-correlated to within [Assignment: organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail]. - # Control Implementation Compatible metrics endpoints emitted from each application is compiled by Prometheus and displayed through Grafana with associated timestamps of when the data was collected. Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 41a6f729-7ab6-4ffe-8da1-cb60fd35dffd # Control Description Compile audit records from [Assignment: organization-defined system components] into a system-wide (logical or physical) audit trail that is time-correlated to within [Assignment: organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail]. # Control Implementation Compatible metrics endpoints emitted from each application is compiled by Prometheus and displayed through Grafana with associated timestamps of when the data was collected + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 301093ed-d023-4bf8-a915-e624589acadd + # Control Description Compile audit records from [Assignment: all network, data storage, and computing devices] into a system-wide (logical or physical) audit trail that is time-correlated to within [Assignment: organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail]. + # Control Implementation Compatible metrics endpoints emitted from each application is compiled by Prometheus and displayed through Grafana with associated timestamps of when the data was collected. target: status: state: not-satisfied target-id: au-12.1 type: objective-id title: 'Validation Result - Control: au-12.1' - uuid: 0091b443-4532-4b36-99e2-ec9cb1573812 + uuid: 77724c00-0dc6-493c-aed8-c3797f01e94a - description: | + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 49775d12-e0ba-4aa6-85e7-5aedd00e8fbc + # Control Description "a. Identify the types of events that the system is capable of logging in support of the audit function: [Assignment: successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes]; b. Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged; c. Specify the following event types for logging within the system: [Assignment: organization-defined subset of the auditable events defined in AU-2a to be audited continually for each identified event.) along with the frequency of (or situation requiring) logging for each identified event type]; d. Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and e. Review and update the event types selected for logging [Assignment: annually or whenever there is a change in the threat environment]." + # Control Implementation API endpoints suitable for capturing application level metrics are present on each of the supported applications running as containers. In addition, system and cluster level metrics are emitted by containers with read only access to host level information. Metrics are captured and stored by Prometheus, an web server capable of scraping endpoints formatted in the appropriate dimensional data format. Metrics information is stored on disk in a time series data base, and later queried through a separate component providing a web interface for the query language: PromQL. + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: fc829f66-2354-4546-8e5d-f1e5d0287200 + # Control Description "a. Identify the types of events that the system is capable of logging in support of the audit function: [Assignment: successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes]; b. Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged; c. Specify the following event types for logging within the system: [Assignment: organization-defined subset of the auditable events defined in AU-2a to be audited continually for each identified event) along with the frequency of (or situation requiring) logging for each identified event type]; d. Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and e. Review and update the event types selected for logging [Assignment: annually or whenever there is a change in the threat environment]." + # Control Implementation NeuVector provides logging access related audit events. + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: b3ed3dba-3164-4785-98db-ef22c96c7c62 + Istio logs all Istio event logs within the system's mesh network. + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 7449f733-6809-4a0b-a6f9-7857f46a106e + # Control Description a. Identify the types of events that the system is capable of logging in support of the audit function: [Assignment: successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes]; b. Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged; c. Specify the following event types for logging within the system: [Assignment: organization-defined event types (subset of the event types defined in AU-2a.) along with the frequency of (or situation requiring) logging for each identified event type]; d. Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and e. Review and update the event types selected for logging [Assignment: annually or whenever there is a change in the threat environment]. + # Control Implementation API endpoints suitable for capturing application level metrics are present on each of the supported applications running as containers. In addition, system and cluster level metrics are emitted by containers with read only access to host level information. Metrics are captured and stored by Prometheus, an web server capable of scraping endpoints formatted in the appropriate dimensional data format. Metrics information is stored on disk in a time series data base, and later queried through a separate component providing a web interface for the query language: PromQL. Metrics data can be displayed through a Grafana dashboard for visualization. Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 2a25a5a4-4fbc-4fbc-88e3-2e34ddc3fb0e # Control Description An event is any observable occurrence in an organizational information system. @@ -268,33 +249,21 @@ assessment-results: # Control Implementation Logging daemons are present on each node that BigBang is installed on. Out of the box, the following events are captured: - * all containers emitting to STDOUT or STDERR (captured by container runtime translating container logs to /var/log/containers). + * all containers emitting to STDOUT or STDERR (captured by container runtime creating containers logs under /var/log/pods). * all kubernetes api server requests. * all events emitted by the kubelet. - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: fc829f66-2354-4546-8e5d-f1e5d0287200 - # Control Description "a. Identify the types of events that the system is capable of logging in support of the audit function: [Assignment: successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes]; b. Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged; c. Specify the following event types for logging within the system: [Assignment: organization-defined subset of the auditable events defined in AU-2a to be audited continually for each identified event) along with the frequency of (or situation requiring) logging for each identified event type]; d. Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and e. Review and update the event types selected for logging [Assignment: annually or whenever there is a change in the threat environment]." - # Control Implementation NeuVector provides logging access related audit events. - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 88f300a6-aa21-41b4-919d-29ef3e4381bb - # Control Implementation - Istio logs all Istio event logs within the system's mesh network. - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 7449f733-6809-4a0b-a6f9-7857f46a106e - # Control Description a. Identify the types of events that the system is capable of logging in support of the audit function: [Assignment: successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes]; b. Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged; c. Specify the following event types for logging within the system: [Assignment: organization-defined event types (subset of the event types defined in AU-2a.) along with the frequency of (or situation requiring) logging for each identified event type]; d. Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and e. Review and update the event types selected for logging [Assignment: annually or whenever there is a change in the threat environment]. - # Control Implementation API endpoints suitable for capturing application level metrics are present on each of the supported applications running as containers. In addition, system and cluster level metrics are emitted by containers with read only access to host level information. Metrics are captured and stored by Prometheus, an web server capable of scraping endpoints formatted in the appropriate dimensional data format. Metrics information is stored on disk in a time series data base, and later queried through a separate component providing a web interface for the query language: PromQL. Metrics data can be displayed through a Grafana dashboard for visualization. - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 49775d12-e0ba-4aa6-85e7-5aedd00e8fbc - # Control Description "a. Identify the types of events that the system is capable of logging in support of the audit function: [Assignment: successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes]; b. Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged; c. Specify the following event types for logging within the system: [Assignment: organization-defined subset of the auditable events defined in AU-2a to be audited continually for each identified event.) along with the frequency of (or situation requiring) logging for each identified event type]; d. Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and e. Review and update the event types selected for logging [Assignment: annually or whenever there is a change in the threat environment]." - # Control Implementation API endpoints suitable for capturing application level metrics are present on each of the supported applications running as containers. In addition, system and cluster level metrics are emitted by containers with read only access to host level information. Metrics are captured and stored by Prometheus, an web server capable of scraping endpoints formatted in the appropriate dimensional data format. Metrics information is stored on disk in a time series data base, and later queried through a separate component providing a web interface for the query language: PromQL. related-observations: - - observation-uuid: 1cc8559c-f4df-46bc-9adb-7f5923a9de91 - - observation-uuid: 9e4a8aa7-2736-4aad-8b08-7fcee4fa2a68 - - observation-uuid: a1236290-6057-4695-b4bd-20dd2981d60d - - observation-uuid: d265b5b6-9306-4c22-ad35-d6f00a41920e + - observation-uuid: 39cf41d1-048e-4132-9681-f7274e4be4ea + - observation-uuid: 0e3f9f2a-c596-4688-8841-0f9d2845f0a2 + - observation-uuid: eb3200f0-0b42-4bab-9987-673684f62d82 + - observation-uuid: a858d60b-5192-41de-bac4-a79479a91f64 target: status: state: not-satisfied target-id: au-2 type: objective-id title: 'Validation Result - Control: au-2' - uuid: 38b71df8-9beb-487d-afac-7d5df701bf0b + uuid: cb369876-9857-41d9-ab42-81d476d6f974 - description: | Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 762604db-77ec-415f-8728-c296873ab48b # Control Description @@ -302,66 +271,62 @@ assessment-results: Event outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the information system after the event occurred). # Control Implementation - Logs are captured by promtail from the node. The node logs will contain the necessary log data from all pods/applications inside the selected nodes. - Validating `logfmt` as the config.logFormat would be the goal. This is currently a secret mounted to /etc/promtail/promtail.yaml in the promtail container. We will ensure the promtail.yaml file is at a minimum the target config. - https://grafana.com/docs/loki/latest/send-data/promtail/stages/logfmt/ + Logs are captured by vector from the node. The node logs will contain the necessary log data from all pods/applications inside the selected nodes as well as Kubernetes audit logs. + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 79dee0b0-5848-4b1e-826b-a2e4ec567b90 + Istio logs all Istio event logs within the system's mesh network. Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: e342a5af-b7d4-474b-9416-61e844083531 # Control Description "Ensure that audit records contain information that establishes the following: a. What type of event occurred; b. When the event occurred; c. Where the event occurred; d. Source of the event; e. Outcome of the event; and f. Identity of any individuals, subjects, or objects/entities associated with the event." # Control Implementation NeuVector provides logging access related audit events. - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 52756a01-6f5c-49b1-8a6b-972b74a01da4 - # Control Implementation - Istio logs all Istio event logs within the system's mesh network. related-observations: - - observation-uuid: 1cc8559c-f4df-46bc-9adb-7f5923a9de91 - - observation-uuid: 94477b5d-84b7-427c-88b3-71367c501528 - - observation-uuid: a1236290-6057-4695-b4bd-20dd2981d60d - - observation-uuid: 48a7c266-3ce0-4c63-b782-335c2461afc6 + - observation-uuid: eb3200f0-0b42-4bab-9987-673684f62d82 + - observation-uuid: ca312bc9-b8cd-4a30-9b72-50ffee51e828 + - observation-uuid: 39cf41d1-048e-4132-9681-f7274e4be4ea + - observation-uuid: e72b33d8-64ba-4871-ab47-2f0b1a5c18e7 target: status: state: not-satisfied target-id: au-3 type: objective-id title: 'Validation Result - Control: au-3' - uuid: c5a260a3-6fea-42c9-bb28-209ff9e5f9e5 + uuid: e914d51b-58ff-4693-abd5-ea62add986d0 - description: | Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: ee431ef9-3a99-42f4-b37c-6334660da2b2 # Control Description Generate audit records containing the following additional information: [Assignment: organizatiosession, connection, transaction, or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or identify the event; characteristics that describe or identify the object or resource being acted upon; individual identities of group account users; full-text of privileged commands]. # Control Implementation Grafana has pre-configured dashboards showing the audit records from Cluster Auditor saved in Prometheus. - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 16cc258e-d907-47bb-97d9-4e92677cf075 - # Control Implementation - Istio has been configured to implement event logging within our environment. This includes capturing metrics related to the duration of sessions, connections, transactions, or activities. Specifically, Istio's telemetry features are utilized to capture these metrics, which provide valuable data that can be used to infer the duration of sessions or connections. Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 6700f065-8e51-4224-a5a0-8d3aff9d8d96 # Control Description Generate audit records containing the following additional information: [Assignment: session, connection, transaction, or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or identify the event; characteristics that describe or identify the object or resource being acted upon; individual identities of group account users; full-text of privileged commands]. # Control Implementation Grafana has pre-configured dashboards showing the audit records from Cluster Auditor saved in Prometheus. + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: b855fff0-5f57-4ea0-b9a7-52973e81784d + Istio has been configured to implement event logging within our environment. This includes capturing metrics related to the duration of sessions, connections, transactions, or activities. Specifically, Istio's telemetry features are utilized to capture these metrics, which provide valuable data that can be used to infer the duration of sessions or connections. related-observations: - - observation-uuid: 1cc8559c-f4df-46bc-9adb-7f5923a9de91 - - observation-uuid: 06449da5-4cb5-4a5e-922d-5309d5c8f0c8 - - observation-uuid: 435f54e2-3606-4250-9e16-79326844e82e - - observation-uuid: a906a088-3147-44cb-8d7b-69058d1d8484 + - observation-uuid: eb3200f0-0b42-4bab-9987-673684f62d82 + - observation-uuid: 64a22438-eba3-4fcb-bfe8-68ed8bad61ba + - observation-uuid: f10278ec-5f1b-4307-8709-a3745bf12d36 + - observation-uuid: 6e9c7750-ccda-4f25-b8de-89e8e3e3d525 target: status: state: not-satisfied target-id: au-3.1 type: objective-id title: 'Validation Result - Control: au-3.1' - uuid: f7cd3c25-77ef-442c-ae8c-db0e6a4b8b2b + uuid: e645c9b0-2376-4d8c-9792-18a44c6dbdba - description: | - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 7562092e-d076-49f9-8f03-9e5e7908752c - # Control Description Allocate audit log storage capacity to accommodate [Assignment: organization-defined audit log retention requirements]. - # Control Implementation NeuVector can scale elastically based upon actual workload demands to allocate audit log storage capacity. Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 836408b9-1ae9-4c99-8510-6ee35a4d11e9 # Control Description Allocate audit log storage capacity to accommodate [Assignment: organization-defined audit log retention requirements]. # Control Implementation Loki uses scalable object storage. Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: d5d13192-3cae-4a88-8e64-cab44219ab2e # Control Description Allocate audit log storage capacity to accommodate [Assignment: organization-defined audit log retention requirements]. # Control Implementation Prometheus is the log aggregator for audit logs since it is used to scrape/collect violations from ClusterAuditor. The storage capability can be configured in prometheus to use PVCs to ensure metrics have log retention compliance with the org-defined audit-log retention requirements. + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 7562092e-d076-49f9-8f03-9e5e7908752c + # Control Description Allocate audit log storage capacity to accommodate [Assignment: organization-defined audit log retention requirements]. + # Control Implementation NeuVector can scale elastically based upon actual workload demands to allocate audit log storage capacity. target: status: state: not-satisfied target-id: au-4 type: objective-id title: 'Validation Result - Control: au-4' - uuid: c4884585-6343-4ada-b034-fb97065b7f23 + uuid: f80f5478-4554-4906-b6e6-599f0847cad8 - description: | Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: e2e6d28f-bdf6-462c-8301-bdfa102671ee # Control Description Provide a warning to [Assignment: organization-defined personnel, roles, and/or locations] within [Assignment: organization-defined time period] when allocated audit log storage volume reaches [Assignment: organization-defined percentage] of repository maximum audit log storage capacity. @@ -375,7 +340,7 @@ assessment-results: target-id: au-5.1 type: objective-id title: 'Validation Result - Control: au-5.1' - uuid: c76a2661-2016-4bef-8bce-1194bb70b556 + uuid: 96eb22a4-5e88-431e-9bbf-2285afdecaa1 - description: | Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: bea82b61-fbb6-486b-a8fa-50053715b904 # Control Description Provide an alert within [Assignment: real-time] to [Assignment: service provider personnel with authority to address failed audit events] when the following audit failure events occur: [Assignment: audit failure events requiring real-time alerts, as defined by organization audit policy]. @@ -389,7 +354,7 @@ assessment-results: target-id: au-5.2 type: objective-id title: 'Validation Result - Control: au-5.2' - uuid: 92f112fd-db07-4d92-b7f8-95036f30b390 + uuid: 1b355cc0-7a5a-44a1-ae85-cf9079faf888 - description: | Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 25477ca3-4607-449e-9d33-a2a67ede0019 # Control Description "a. Review and analyze system audit records [Assignment: at least weekly] for indications of [Assignment: organization-defined inappropriate or unusual activity] and the potential impact of the inappropriate or unusual activity; b. Report findings to [Assignment: organization-defined personnel or roles]; and c. Adjust the level of audit record review, analysis, and reporting within the system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information." @@ -400,14 +365,14 @@ assessment-results: target-id: au-6 type: objective-id title: 'Validation Result - Control: au-6' - uuid: 103803bd-85a1-4ead-992c-e9cf6477b41f + uuid: 4114b048-0ef8-4863-9d2c-15ce9585badc - description: | - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 29fdcbbd-02cc-4db1-a24e-5a146cccc254 - # Control Description Integrate audit record review, analysis, and reporting processes using [Assignment: organization-defined automated mechanisms]. - # Control Implementation Provides audit record query and analysis capabilities. Organization will implement record review and analysis. Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 3f8f6178-4c57-4592-8c1c-df79507b21cd # Control Description Integrate audit record review, analysis, and reporting processes using [Assignment: organization-defined automated mechanisms]. # Control Implementation Cluster Auditor Events/Alerts could be exported from Prometheus to an external system. Integration for specific tooling would need to be completed by end user. + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 29fdcbbd-02cc-4db1-a24e-5a146cccc254 + # Control Description Integrate audit record review, analysis, and reporting processes using [Assignment: organization-defined automated mechanisms]. + # Control Implementation Provides audit record query and analysis capabilities. Organization will implement record review and analysis. Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 042fae4b-2779-4cfb-b68d-6f2dcbaa10ad # Control Description Integrate audit record review, analysis, and reporting processes using [Assignment: organization-defined automated mechanisms]. # Control Implementation Cluster Auditor Events/Alerts could be exported from Prometheus to an external system. Integration for specific tooling would need to be completed by end user. Metrics data can be displayed through a Grafana dashboard for visualization. @@ -417,12 +382,12 @@ assessment-results: target-id: au-6.1 type: objective-id title: 'Validation Result - Control: au-6.1' - uuid: e9063577-4ee5-48a0-84fb-c052b3d24598 + uuid: 8c4e94bb-1143-4980-8531-c29eb700c13e - description: | - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: c79cf2fa-2081-4034-831f-2c8016a275da + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 35897d1f-3fcd-4a79-b235-f75e2bbd398a # Control Description Analyze and correlate audit records across different repositories to gain organization-wide situational awareness. # Control Implementation Aggregating cluster auditor events across multiple sources (clusters) is possible with a multi-cluster deployment of prometheus/grafana. - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 35897d1f-3fcd-4a79-b235-f75e2bbd398a + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: c79cf2fa-2081-4034-831f-2c8016a275da # Control Description Analyze and correlate audit records across different repositories to gain organization-wide situational awareness. # Control Implementation Aggregating cluster auditor events across multiple sources (clusters) is possible with a multi-cluster deployment of prometheus/grafana. target: @@ -431,35 +396,35 @@ assessment-results: target-id: au-6.3 type: objective-id title: 'Validation Result - Control: au-6.3' - uuid: 1dfdcc6b-92dd-4320-acb1-5efffd9b2bf1 + uuid: 580039a0-f7e7-4279-96cd-d7acb79f3bcf - description: | - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 80de1b87-8288-49ac-8a6b-fc71509df64b - # Control Description Integrate analysis of audit records with analysis of Selection (one or more): vulnerability scanning information; performance data; information system monitoring information; penetration test data; [Assignment: organization-defined data/information collected from other sources]] to further enhance the ability to identify inappropriate or unusual activity. - # Control Implementation Cluster Auditor's audit data is consolidated with system monitoring tooling (node exporters) for consolidated view to enhance inappropriate or unusual activity. Metrics data can be displayed through a Grafana dashboard for visualization. Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 6b0cd4b8-ab38-4012-b637-de2ca4bf5497 # Control Description Integrate analysis of audit records with analysis of [Selection (one or more): vulnerability scanning information; performance data; system monitoring information; [Assignment: organization-defined data/information collected from other sources]] to further enhance the ability to identify inappropriate or unusual activity. # Control Implementation Cluster Auditor's audit data is consolidated with system monitoring tooling (node exporters) for consolidated view to enhance inappropriate or unusual activity. + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 80de1b87-8288-49ac-8a6b-fc71509df64b + # Control Description Integrate analysis of audit records with analysis of Selection (one or more): vulnerability scanning information; performance data; information system monitoring information; penetration test data; [Assignment: organization-defined data/information collected from other sources]] to further enhance the ability to identify inappropriate or unusual activity. + # Control Implementation Cluster Auditor's audit data is consolidated with system monitoring tooling (node exporters) for consolidated view to enhance inappropriate or unusual activity. Metrics data can be displayed through a Grafana dashboard for visualization. target: status: state: not-satisfied target-id: au-6.5 type: objective-id title: 'Validation Result - Control: au-6.5' - uuid: 1b5550c6-1891-4f76-8220-3919707110e7 + uuid: 62521aad-6089-45a5-991c-af39844fe2e6 - description: | - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: b8c17326-8821-4536-8409-64d571540e37 - # Control Description Correlate information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity. - # Control Implementation Cluster Auditor data in prometheus would enable this, but would require prometheus to also obtain access to physical metrics. Metrics data can be displayed through a Grafana dashboard for visualization. Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: f6d4527a-d4b6-4141-9272-c2c211b1709f # Control Description Correlate information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity. # Control Implementation Cluster Auditor data in prometheus would enable this, but would require prometheus to also obtain access to physical metrics. + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: b8c17326-8821-4536-8409-64d571540e37 + # Control Description Correlate information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity. + # Control Implementation Cluster Auditor data in prometheus would enable this, but would require prometheus to also obtain access to physical metrics. Metrics data can be displayed through a Grafana dashboard for visualization. target: status: state: not-satisfied target-id: au-6.6 type: objective-id title: 'Validation Result - Control: au-6.6' - uuid: 684c4386-ef88-4c58-811e-165172e6a29b + uuid: 05e4c2aa-5b83-415d-a529-c421db846827 - description: | Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 8abbc53e-0ec4-49c6-8ef1-a1c237695f96 # Control Description Provide and implement an audit record reduction and report generation capability that: a. Supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents; and b. Does not alter the original content or time ordering of audit records. @@ -473,7 +438,7 @@ assessment-results: target-id: au-7 type: objective-id title: 'Validation Result - Control: au-7' - uuid: a274a97a-1c55-4a1b-9dac-f1849260ad16 + uuid: 22bb2862-f635-4d98-9d47-30d21d6fe72d - description: | Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 56d09aae-ab73-49d8-b2a4-1e81db2878eb # Control Description Provide and implement the capability to process, sort, and search audit records for events of interest based on the following content: [Assignment: organization-defined fields within audit records]. @@ -487,7 +452,7 @@ assessment-results: target-id: au-7.1 type: objective-id title: 'Validation Result - Control: au-7.1' - uuid: 89a7b3d0-954f-41d5-9230-56a774204c25 + uuid: d002dab9-22bf-471c-af83-98e5c21b567b - description: | Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 9ad7ddfb-4701-4c34-88f7-9d85abb13d60 # Control Description @@ -502,75 +467,73 @@ assessment-results: * time of the event (UTC). * source of event (pod, namespace, container id). Applications are responsible for providing all other information. - Validating `logfmt` as the config.logFormat would be the goal. This is currently a secret mounted to /etc/promtail/promtail.yaml in the promtail container. We will ensure the promtail.yaml file is at a minimum the target config. - https://grafana.com/docs/loki/latest/send-data/promtail/stages/logfmt/ - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 9be1e683-93e1-4769-aa7d-951e2c8f8627 - # Control Description a. Use internal system clocks to generate time stamps for audit records; and b. Record time stamps for audit records that meet [Assignment: one second granularity of time measurement] and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or that include the local time offset as part of the time stamp. - # Control Implementation Prometheus stores all data as time-series data, so the timestamps of when those violations were present is part of the data-stream. Metrics data can be displayed through a Grafana dashboard for visualization. Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 689aa5d6-2b4b-40ca-a49f-51df0e220ec5 # Control Description "a. Use internal system clocks to generate time stamps for audit records; and b. Record time stamps for audit records that meet [Assignment: organization-defined granularity of time measurement] and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or that include the local time offset as part of the time stamp." # Control Implementation Prometheus stores all data as time-series data, so the timestamps of when those violations were present is part of the data-stream. + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 9be1e683-93e1-4769-aa7d-951e2c8f8627 + # Control Description a. Use internal system clocks to generate time stamps for audit records; and b. Record time stamps for audit records that meet [Assignment: one second granularity of time measurement] and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or that include the local time offset as part of the time stamp. + # Control Implementation Prometheus stores all data as time-series data, so the timestamps of when those violations were present is part of the data-stream. Metrics data can be displayed through a Grafana dashboard for visualization. related-observations: - - observation-uuid: a1236290-6057-4695-b4bd-20dd2981d60d - - observation-uuid: 48a7c266-3ce0-4c63-b782-335c2461afc6 + - observation-uuid: 39cf41d1-048e-4132-9681-f7274e4be4ea + - observation-uuid: e72b33d8-64ba-4871-ab47-2f0b1a5c18e7 target: status: state: not-satisfied target-id: au-8 type: objective-id title: 'Validation Result - Control: au-8' - uuid: 184f3950-22d1-4a6e-a1ad-1d915468f28b + uuid: 09180600-c757-434e-93c5-028bdce2a2be - description: | - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 21879fc4-927e-4ad4-a049-c96cb581e260 + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: bfd070e8-d053-4e48-925a-baf9bcbd9335 # Control Description "a. Protect audit information and audit logging tools from unauthorized access, modification, and deletion; and b. Alert [Assignment: organization-defined personnel or roles] upon detection of unauthorized access, modification, or deletion of audit information." - # Control Implementation Access to metrics can be restricted to org-defined personnel behind a private endpoint and not given to mission owners. + # Control Implementation Grafana has the ability to provide Role Based Access Control to limit the data sources that end users can view by leveraging an identity provider. Grafana can also limit users to subsets of metrics within a datasource by the use of Label Based Access Control when using Grafana Enterprise. Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: f800923b-6367-4468-9f42-1afae4b6d38d # Control Description a. Protect audit information and audit logging tools from unauthorized access, modification, and deletion; and b. Alert [Assignment: organization-defined personnel or roles] upon detection of unauthorized access, modification, or deletion of audit information. # Control Implementation Grafana has the ability to provide Role Based Access Control to limit the data sources that end users can view by leveraging an identity provider. Grafana can also limit users to subsets of metrics within a datasource by the use of Label Based Access Control when using Grafana Enterprise. - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: bfd070e8-d053-4e48-925a-baf9bcbd9335 + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 21879fc4-927e-4ad4-a049-c96cb581e260 # Control Description "a. Protect audit information and audit logging tools from unauthorized access, modification, and deletion; and b. Alert [Assignment: organization-defined personnel or roles] upon detection of unauthorized access, modification, or deletion of audit information." - # Control Implementation Grafana has the ability to provide Role Based Access Control to limit the data sources that end users can view by leveraging an identity provider. Grafana can also limit users to subsets of metrics within a datasource by the use of Label Based Access Control when using Grafana Enterprise. + # Control Implementation Access to metrics can be restricted to org-defined personnel behind a private endpoint and not given to mission owners. target: status: state: not-satisfied target-id: au-9 type: objective-id title: 'Validation Result - Control: au-9' - uuid: 2de6aeb1-66fd-4131-9c75-f376fb7544f6 + uuid: eef40459-0315-41a1-aaae-333cf89990d0 - description: | Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 3c4bf1e8-b873-4c43-a912-5f443fc0208f # Control Description Store audit records [Assignment: at least weekly] in a repository that is part of a physically different system or system component than the system or component being audited. # Control Implementation Prometheus can scrape external components outside of the system, but this configuration is not easily supported as part of the current big bang configuration of ClusterAuditor since external access to ClusterAuditor metrics is not exposed via Istio. Metrics data can be displayed through a Grafana dashboard for visualization. - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: b89edef2-5668-407b-b3d5-86ca68862536 - # Control Description Store audit records [Assignment: at least weekly] in a repository that is part of a physically different system or system component than the system or component being audited. - # Control Implementation Supports any object storage. Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 27f26f6a-706e-4514-97c0-45390d6fdf6a # Control Description Store audit records [Assignment: organization-defined frequency] in a repository that is part of a physically different system or system component than the system or component being audited. # Control Implementation Prometheus can scrape external components outside of the system, but this configuration is not easily supported as part of the current UDS Coreg configuration of ClusterAuditor since external access to ClusterAuditor metrics is not exposed via Istio. + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: b89edef2-5668-407b-b3d5-86ca68862536 + # Control Description Store audit records [Assignment: at least weekly] in a repository that is part of a physically different system or system component than the system or component being audited. + # Control Implementation Supports any object storage. target: status: state: not-satisfied target-id: au-9.2 type: objective-id title: 'Validation Result - Control: au-9.2' - uuid: e0f75fca-cfe3-43ca-b8ec-c5eb44bde47d + uuid: 3f0dbc02-5d1e-48b9-bcdb-c8d569102724 - description: | + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: f3292e9a-1c10-45cd-9178-aeecbaec0283 + # Control Description Authorize access to management of audit logging functionality to only [Assignment: organization-defined subset of privileged users or roles]. + # Control Implementation Enterprise version (Loki) implements RBAC. Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 3c5ff037-ea46-4e41-b601-a9b223da30a8 # Control Description Authorize access to management of audit logging functionality to only [Assignment: organization-defined subset of privileged users or roles]. # Control Implementation Grafana has the ability to provide Role Based Access Control to limit the data sources that end users can view by leveraging an identity provider. Grafana can also limit users to subsets of metrics within a datasource by the use of Label Based Access Control when using Grafana Enterprise. Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 0fee5118-57c8-4617-97a1-76189bc69ea3 # Control Description Authorize access to management of audit logging functionality to only [Assignment: organization-defined subset of privileged users or roles]. # Control Implementation Grafana has the ability to provide Role Based Access Control to limit the data sources that end users can view by leveraging an identity provider. Grafana can also limit users to subsets of metrics within a datasource by the use of Label Based Access Control when using Grafana Enterprise. - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: f3292e9a-1c10-45cd-9178-aeecbaec0283 - # Control Description Authorize access to management of audit logging functionality to only [Assignment: organization-defined subset of privileged users or roles]. - # Control Implementation Enterprise version (Loki) implements RBAC. target: status: state: not-satisfied target-id: au-9.4 type: objective-id title: 'Validation Result - Control: au-9.4' - uuid: 7cedc012-a643-4097-a647-032c3be3d0ca + uuid: 49e846cc-e1e4-4770-b352-1a674ab7f6ef - description: | Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 973c9f19-8c96-4c84-925a-b69f28625962 # Control Description Provide and implement the capability to process, sort, and search audit records for events of interest based on the following content: [Assignment: organization-defined fields within audit records]. @@ -581,7 +544,7 @@ assessment-results: target-id: au7.1 type: objective-id title: 'Validation Result - Control: au7.1' - uuid: 4229dc83-0a33-4139-9e62-5d4da8dfc2ba + uuid: 599569ed-dfd0-4f91-b6c3-bd42dd759758 - description: | Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 9de67d41-1c18-4ebd-af55-cac2573aa77e # Control Description @@ -595,7 +558,7 @@ assessment-results: target-id: ca-2.2 type: objective-id title: 'Validation Result - Control: ca-2.2' - uuid: eda5cf2e-02ce-4b87-90d8-a321fe49860a + uuid: 76c192e1-0da1-48e9-bed4-26fd5ed64513 - description: | Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 2d771492-b5c8-4475-b258-0038287f29e6 # Control Description "Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes: a. Establishing the following system-level metrics to be monitored: [Assignment: organization-defined system-level metrics]; b. Establishing [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessment of control effectiveness; c. Ongoing control assessments in accordance with the continuous monitoring strategy; d. Ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy; e. Correlation and analysis of information generated by control assessments and monitoring; f. Response actions to address results of the analysis of control assessment and monitoring information; and g. Reporting the security and privacy status of the system to [Assignment: to include JAB/AO] [Assignment: organization-defined frequency]." @@ -606,22 +569,21 @@ assessment-results: target-id: ca-7 type: objective-id title: 'Validation Result - Control: ca-7' - uuid: fbc504e4-0441-4dc9-bdb0-f5ef99155ea1 + uuid: 3669e122-aa7f-4a62-9173-f5b750a091c7 - description: | - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 32e53a18-4b64-4a24-935c-11cbac2c62be - # Control Implementation - Istio enforces logical access restrictions associated with changes to the system. Istio's Role-Based Access Control (RBAC) features are used to define and enforce access controls, ensuring that only approved personnel can make changes to the system. + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 80a456cf-c642-4b02-a0fb-18b416e90481 + Istio enforces logical access restrictions associated with changes to the system. Istio's Role-Based Access Control (RBAC) features are used to define and enforce access controls, ensuring that only approved personnel can make changes to the system. related-observations: - - observation-uuid: 1cc8559c-f4df-46bc-9adb-7f5923a9de91 - - observation-uuid: d517a52c-6742-4c6a-94f4-b6716aa64879 - - observation-uuid: 9da482e6-b1b4-47d5-b88c-ea78cb1a6089 + - observation-uuid: eb3200f0-0b42-4bab-9987-673684f62d82 + - observation-uuid: cf774c2c-17dc-48d2-ba4c-2ae6547ea8e0 + - observation-uuid: 1fc0d5bd-18e9-4244-a1a0-3c618aca8652 target: status: state: not-satisfied target-id: cm-5 type: objective-id title: 'Validation Result - Control: cm-5' - uuid: 0dc01260-0c79-4716-9766-f5fdf674042f + uuid: e3b8cf43-f476-44be-9f67-6b055afb67de - description: | Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 2fb488b2-f7f7-4db9-8fc8-3de7f3a9daba # Control Description "a. Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using [Assignment: oUnited States Government Configuration Baseline (USGCB)]; b. Implement the configuration settings; c. Identify, document, and approve any deviations from established configuration settings for [Assignment: organization-defined system components] based on [Assignment: organization-defined operational requirements]; and d. Monitor and control changes to the configuration settings in accordance with organizational policies and procedures." @@ -632,7 +594,7 @@ assessment-results: target-id: cm-6 type: objective-id title: 'Validation Result - Control: cm-6' - uuid: b2dca976-e07d-486e-893e-d87f7c91cfda + uuid: 89a6efb7-47b8-491a-a510-9679175322df - description: | Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: a9d92277-809d-440f-82c9-35c820ba00b8 # Control Description "a. Configure the system to provide only [Assignment: organization-defined mission essential capabilities]; and b. Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: [Assignment: organization-defined prohibited or restricted functions, system ports, protocols, software, and/or services]." "CM-7 (b) Requirement: The service provider shall use the DoD STIGs or Center for Internet Security guidelines to establish list of prohibited or restricted functions, ports, protocols, and/or services or establishes its own list of prohibited or restricted functions, ports, protocols, and/or services if USGCB is not available. CM-7 Guidance: Information on the USGCB checklists can be found at: https://csrc.nist.gov/projects/united-states-government-configuration-baseline." @@ -643,7 +605,7 @@ assessment-results: target-id: cm-7 type: objective-id title: 'Validation Result - Control: cm-7' - uuid: bba8e8dc-df3c-4664-9f4d-b69673496e72 + uuid: 7ad3be3a-696f-4fe8-a06a-d20ca88b0815 - description: | Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Implemented Requirement: 26B3D98B-0C9D-434B-8DE5-06CBBC46A38C Velero can restore application configuration/data from an approved cloud provider or on-premise location on-demand. @@ -653,7 +615,7 @@ assessment-results: target-id: cp-10 type: objective-id title: 'Validation Result - Control: cp-10' - uuid: 434837ff-2f2a-4bff-afcd-6f0ace60f6f5 + uuid: 833dd12f-c1a1-4790-b161-df244240fd59 - description: | Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Implemented Requirement: 3EA444B7-61ED-43DD-8B3D-24B55F286E59 Velero gives you tools to back up and restore your Kubernetes cluster resources and persistent volumes. You can run Velero with a cloud provider or on-premises. This includes: - System components/data. - User-level information/application metadata. - User-level storage/data. - Scheduled back-ups with configurable scopes. - Multi-cloud and on-premise support for availability of backup. @@ -663,7 +625,7 @@ assessment-results: target-id: cp-10.4 type: objective-id title: 'Validation Result - Control: cp-10.4' - uuid: e8178dd1-2e6b-43ce-b65c-6c3df60b264d + uuid: 8820d975-0a13-4068-a158-379efbdbd50e - description: | Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Implemented Requirement: 2ADA7512-E0D5-4CAE-81BC-C889C640AF93 Velero can take backups of your application configuration/data and store them off-site in either an approved cloud environment or on-premise location. @@ -673,7 +635,7 @@ assessment-results: target-id: cp-6 type: objective-id title: 'Validation Result - Control: cp-6' - uuid: cbbbd670-3e39-4625-82fb-45d762a6ea87 + uuid: 9b8d3f8d-acc6-490e-8571-6e716d8b1a8e - description: | Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Implemented Requirement: 6C3339A0-9636-4E35-8FA8-731CF900B326 Velero can take backups of your application configuration/data and store them off-site in either an approved cloud environment or on-premise location. @@ -683,7 +645,7 @@ assessment-results: target-id: cp-6.1 type: objective-id title: 'Validation Result - Control: cp-6.1' - uuid: baa8e2e7-054d-4c78-a5aa-0ec1f7573f35 + uuid: 463f79ec-a0d5-4372-b093-ffc9707d4b61 - description: | Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Implemented Requirement: 2799CCBF-C48D-4451-85BA-EBD9B949C361 Velero can restore application configuration/data from an approved cloud provider or on-premise location on-demand. @@ -693,7 +655,7 @@ assessment-results: target-id: cp-6.2 type: objective-id title: 'Validation Result - Control: cp-6.2' - uuid: c7c56dc6-9189-48e6-8153-541f8e7f129e + uuid: 7a97b30a-2246-4a2d-a069-d9a4c5518413 - description: | Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Implemented Requirement: 0AE59B43-50A7-4420-881B-E0635CCB8424 Velero supports back-ups to multiple cloud environments (including geo-separated locations for high availability) and on-premise environments in the event of an accessibility disruptions. @@ -703,7 +665,7 @@ assessment-results: target-id: cp-6.3 type: objective-id title: 'Validation Result - Control: cp-6.3' - uuid: d0fabced-345c-42fe-a52c-1ab67d72a0ce + uuid: fd1dcf1b-226a-4a46-afc8-9551a4c86ff9 - description: | Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Implemented Requirement: B11B38B8-8744-4DFD-8C1A-4A4EDD7F9574 Velero can restore application configuration/data from an approved cloud provider or on-premise location to an alternative deployment environment on-demand. @@ -713,7 +675,7 @@ assessment-results: target-id: cp-7 type: objective-id title: 'Validation Result - Control: cp-7' - uuid: 6cf300c3-516b-4864-8049-a5d423c5bddc + uuid: e64b4f34-9a67-4f53-9af5-010f7e23fa2f - description: | Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Implemented Requirement: D74C3A8C-E5B0-4F81-895D-FB2A318D723B Velero supports back-ups to and restores from multiple cloud environments (including geo-separated locations for high availability) and on-premise environments in the event of an accessibility disruptions. @@ -723,7 +685,7 @@ assessment-results: target-id: cp-7.1 type: objective-id title: 'Validation Result - Control: cp-7.1' - uuid: 003c98fa-877a-4571-9bb7-f8ad72b88768 + uuid: 3b91723b-8426-4de7-8e34-9fa9fb2623b1 - description: | Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Implemented Requirement: 72D7145F-7A3F-47AF-835F-7E3D6EFAE1CC Velero supports back-ups to and restores from multiple cloud environments (including geo-separated locations for high availability) and on-premise environments in the event of an accessibility disruptions. @@ -733,7 +695,7 @@ assessment-results: target-id: cp-7.2 type: objective-id title: 'Validation Result - Control: cp-7.2' - uuid: e36765c3-3e47-4c05-8998-03f1b9051917 + uuid: 3a18ef87-2d67-4fe1-a029-db52ff5a2416 - description: | Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Implemented Requirement: 5B0AA4CB-9C49-4D32-8242-5631788BD941 "Velero gives you tools to back up and restore your Kubernetes cluster resources and persistent volumes. You can run Velero with a cloud provider or on-premises. This includes: @@ -748,7 +710,7 @@ assessment-results: target-id: cp-9 type: objective-id title: 'Validation Result - Control: cp-9' - uuid: 12b7dad5-7d79-4be2-8050-fe7eef32365a + uuid: 93de1fe8-4652-4ad9-b558-7f6ae73ed529 - description: | Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Implemented Requirement: 8E5917F3-3E45-46C1-8585-48550E19AFFB Velero provides feedback/logging of back-up status for configuration/data via kubectl or the Velero CLI tool. Velero can restore your production configuration/data to validation environment to ensure reliability/integrity. @@ -758,7 +720,7 @@ assessment-results: target-id: cp-9.1 type: objective-id title: 'Validation Result - Control: cp-9.1' - uuid: 0b6e7933-5ad7-4659-94c8-4d39730208fd + uuid: 80715954-af49-4dee-90e1-1333f6c79610 - description: | Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Implemented Requirement: 51191D0E-0C7B-4D2D-861D-202AC8C505CF Velero can be configured to restore only certain components of a back-up when necessary. @@ -768,7 +730,7 @@ assessment-results: target-id: cp-9.2 type: objective-id title: 'Validation Result - Control: cp-9.2' - uuid: f4c55319-50b5-4219-bf6f-22c66421f441 + uuid: f70d34be-5cdf-404b-a160-ca35a8d8445f - description: | Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Implemented Requirement: C650411C-33FD-4B59-8899-AC34B43C860F Velero supports back-ups to multiple cloud environments (including geo-separated locations for high availability) and on-premise environments. @@ -778,7 +740,7 @@ assessment-results: target-id: cp-9.3 type: objective-id title: 'Validation Result - Control: cp-9.3' - uuid: 15eefc99-0cef-4652-9aea-9fe80a585b1e + uuid: cc3f593a-5138-4603-aaca-64248856b942 - description: | Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Implemented Requirement: 8AB09B17-301B-4836-835B-9CE22A9E2300 Velero gives you tools to back up and restore your Kubernetes cluster resources and persistent volumes. You can run Velero with a cloud provider or on-premises. This includes: - System components/data. - User-level information/application metadata. - User-level storage/data. - Scheduled back-ups with configurable scopes. - Multi-cloud and on-premise support for availability of backup. @@ -788,7 +750,7 @@ assessment-results: target-id: cp-9.5 type: objective-id title: 'Validation Result - Control: cp-9.5' - uuid: f44f374f-cbd4-4548-9e83-cfb7213e3438 + uuid: b4f84755-1e05-485e-8d08-12f81032183f - description: | Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Implemented Requirement: 7FACB782-C183-4585-8C0B-17824438FEA6 Velero supports encryption of backups via its supported providers' encryption support/mechanisms. @@ -798,7 +760,7 @@ assessment-results: target-id: cp-9.8 type: objective-id title: 'Validation Result - Control: cp-9.8' - uuid: 30ce1594-302b-4480-816e-f2b5b6cf729c + uuid: 2121fda9-ff81-434f-8add-3785ffa925f7 - description: | Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 8ef96f45-dfc4-41a8-999a-fc717e746966 # Control Description "a. Monitor and scan for vulnerabilities in the system and hosted applications [Assignment: monthly operating system/infrastructure; monthly web applications (including APIs) and databases] and when new vulnerabilities potentially affecting the system are identified and reported; b. Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: 1. Enumerating platforms, software flaws, and improper configurations; 2. Formatting checklists and test procedures; and 3. Measuring vulnerability impact; c. Analyze vulnerability scan reports and results from vulnerability monitoring; d. Remediate legitimate vulnerabilities [Assignment: high-risk vulnerabilities mitigated within thirty (30) days from date of discovery; moderate-risk vulnerabilities mitigated within ninety (90) days from date of discovery; low risk vulnerabilities mitigated within one hundred and eighty (180) days from date of discovery] in accordance with an organizational assessment of risk; e. Share information obtained from the vulnerability monitoring process and control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other systems; and f. Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned." @@ -809,7 +771,7 @@ assessment-results: target-id: ra-5 type: objective-id title: 'Validation Result - Control: ra-5' - uuid: 2b4a5a81-e527-4aac-b5d2-6e0c39cd68ca + uuid: d2939750-cb5c-44bd-8b2f-36fd734bd546 - description: | Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 760dde06-de0b-4575-8575-95a5835f97c0 # Control Description Update the system vulnerabilities to be scanned [prior to a new scan]; prior to a new scan; when new vulnerabilities are identified and reported]. @@ -820,7 +782,7 @@ assessment-results: target-id: ra-5.2 type: objective-id title: 'Validation Result - Control: ra-5.2' - uuid: f45a41e4-33ea-4f43-9c81-1b4b09630fc2 + uuid: 04546660-1b4a-428f-8f20-1f3575957efb - description: | Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 621595cd-f998-4f55-b68e-f765db48b332 # Control Description Define the breadth and depth of vulnerability scanning coverage. @@ -831,7 +793,7 @@ assessment-results: target-id: ra-5.3 type: objective-id title: 'Validation Result - Control: ra-5.3' - uuid: d97d6d08-19b7-4aec-990c-c885e9c52a15 + uuid: 498d8b43-30e0-4f94-9915-abc0233d6104 - description: | Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 994b03df-8320-4987-887b-fac8088bd944 # Control Description Implement privileged access authorization to [Assignment: all components that support authentication] for [Assignment: all scans]. @@ -842,7 +804,7 @@ assessment-results: target-id: ra-5.5 type: objective-id title: 'Validation Result - Control: ra-5.5' - uuid: 22531ec8-b5ca-4eb1-80f7-8c690d40211b + uuid: 881b2fec-7ae0-4a9a-9329-e202e10a75c6 - description: | Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 5a7bddc2-f94c-46c8-a15a-1e2f4d4ab948 # Control Description "Require the developer of the system, system component, or system service, at all post-design stages of the system development life cycle, to: a. Develop and implement a plan for ongoing security and privacy control assessments; b. Perform [Selection (one or more): unit; integration; system; regression] testing/evaluation [Assignment: organization-defined frequency] at [Assignment: organization-defined depth and coverage]; c. Produce evidence of the execution of the assessment plan and the results of the testing and evaluation; d. Implement a verifiable flaw remediation process; and e. Correct flaws identified during testing and evaluation." @@ -853,7 +815,7 @@ assessment-results: target-id: sa-11 type: objective-id title: 'Validation Result - Control: sa-11' - uuid: a1b36d70-93cc-4dac-b0ee-07a83fcd7fc9 + uuid: ef49e421-c79a-4ebf-a963-2d3a94561836 - description: | Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: b6f194ad-bde3-479f-8a77-0ec4c9a5a77d # Control Description Require the developer of the system, system component, or system service to employ static code analysis tools to identify common flaws and document the results of the analysis. Static code analysis provides a technology and methodology for security reviews and includes checking for weaknesses in the code as well as for the incorporation of libraries or other included code with known vulnerabilities or that are out-of-date and not supported. Static code analysis can be used to identify vulnerabilities and enforce secure coding practices. It is most effective when used early in the development process, when each code change can automatically be scanned for potential weaknesses. Static code analysis can provide clear remediation guidance and identify defects for developers to fix. Evidence of the correct implementation of static analysis can include aggregate defect density for critical defect types, evidence that defects were inspected by developers or security professionals, and evidence that defects were remediated. A high density of ignored findings, commonly referred to as false positives, indicates a potential problem with the analysis process or the analysis tool. In such cases, organizations weigh the validity of the evidence against evidence from other sources. @@ -864,96 +826,62 @@ assessment-results: target-id: sa-11.1 type: objective-id title: 'Validation Result - Control: sa-11.1' - uuid: 5fb26d2e-4dde-4a30-985f-8e5bd5f403f2 + uuid: 3a093444-2d9b-4465-97ed-8745ff1fa60f - description: | - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 169c9ad3-0a6c-46ee-80cd-cd8cef5eca5c - # Control Implementation - Istio is configured to manage network connections associated with specific communication sessions. It can be set up to automatically terminate these connections after periods of inactivity, providing an additional layer of security. + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: ad919a09-d186-4edd-9234-ead04f959fff + Istio is configured to manage network connections associated with specific communication sessions. It can be set up to automatically terminate these connections after periods of inactivity, providing an additional layer of security. related-observations: - - observation-uuid: 1cc8559c-f4df-46bc-9adb-7f5923a9de91 - - observation-uuid: a05d03e1-4f9c-476b-a657-2607a0c86258 + - observation-uuid: eb3200f0-0b42-4bab-9987-673684f62d82 + - observation-uuid: 825da259-13c9-4b85-b890-75d107573c62 target: status: state: not-satisfied target-id: sc-10 type: objective-id title: 'Validation Result - Control: sc-10' - uuid: e12cb6f2-4521-47af-a106-ffbd13bd2a15 + uuid: cd9707b3-f417-4ed1-9f6d-2c49351ca2e2 - description: | - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 2bf5c525-af5f-4b8b-8349-3f6a91e0aab9 - # Control Implementation - Istio provides FIPS encryption in transit for all applications in the mesh, TLS termination at ingress, and TLS origination at egress. + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 675c0823-8e94-4910-9f61-5266d7e7b38c + Istio provides FIPS encryption in transit for all applications in the mesh, TLS termination at ingress, and TLS origination at egress. related-observations: - - observation-uuid: 1cc8559c-f4df-46bc-9adb-7f5923a9de91 - - observation-uuid: dbc9b893-9847-4ffa-8a91-7642f18f9784 - - observation-uuid: ff67f994-802a-4668-a261-f0cbfb7982d5 - - observation-uuid: edc21e52-53cd-4a6a-9e29-1016a56e0cb5 - - observation-uuid: e12e332c-6a86-43e8-9403-94824b948f45 + - observation-uuid: eb3200f0-0b42-4bab-9987-673684f62d82 + - observation-uuid: adb9497f-436d-4862-8043-6691bce1352c + - observation-uuid: a9c35339-fc94-4e59-bdf1-a89c1664bac0 + - observation-uuid: 47e30ded-89cf-4862-bed8-b3c5c0b3a17f + - observation-uuid: 46fd0f63-fefa-40fe-9894-7c52bbce7f9b target: status: state: not-satisfied target-id: sc-13 type: objective-id title: 'Validation Result - Control: sc-13' - uuid: db406556-9aee-4655-8e37-f97662c642fd + uuid: b5ca4929-a54b-4bb9-9aff-7178e4f9b86b - description: | - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 625bfdc1-0b20-45f3-919b-91afbac77799 - # Control Implementation - Istio is configured to protect session authenticity, establishing confidence in the ongoing identities of other parties and the validity of transmitted information. This is achieved through Istio's mutual TLS, which ensures secure communication. + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: dac01dde-3bdf-4e70-9d4d-4081c88de380 + Istio is configured to protect session authenticity, establishing confidence in the ongoing identities of other parties and the validity of transmitted information. This is achieved through Istio's mutual TLS, which ensures secure communication. related-observations: - - observation-uuid: 1cc8559c-f4df-46bc-9adb-7f5923a9de91 - - observation-uuid: dbc9b893-9847-4ffa-8a91-7642f18f9784 + - observation-uuid: eb3200f0-0b42-4bab-9987-673684f62d82 + - observation-uuid: adb9497f-436d-4862-8043-6691bce1352c target: status: state: satisfied target-id: sc-23 type: objective-id title: 'Validation Result - Control: sc-23' - uuid: d0fff818-c4b0-408b-995c-425323750c29 + uuid: 5843dd90-f9bf-46fe-aabd-b736cbc69496 - description: | - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 9e2894a3-2452-4f7a-b8a5-f72b89b23c87 - # Control Implementation - Namespaces, Istio gateways, and network policies collectively by providing resource isolation, secure traffic routing, and network segmentation to prevent unauthorized and unintended information transfer. - related-observations: - - observation-uuid: 1cc8559c-f4df-46bc-9adb-7f5923a9de91 - - observation-uuid: 362043c5-ea38-4c11-83e3-35d34b79c938 - - observation-uuid: 610a3b9c-269e-47c7-8b2c-9412bc822e80 - target: - status: - state: satisfied - target-id: sc-3 - type: objective-id - title: 'Validation Result - Control: sc-3' - uuid: 14e04260-d26f-4d27-ac44-3819d7849574 - - description: | - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: f972ef8d-1eb0-403b-8db8-e65a4f4e2aaa - # Control Implementation - Istio is configured to maintain separate execution domains for each executing process. This is achieved through Istio's sidecar proxy design, where each service in the mesh has its own dedicated sidecar proxy to handle its inbound and outbound traffic. This ensures that communication between processes is controlled and one process cannot modify the executing code of another process. + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 0e72ca49-e9cb-4a74-8701-6f81091197b6 + Istio is configured to maintain separate execution domains for each executing process. This is achieved through Istio's sidecar proxy design, where each service in the mesh has its own dedicated sidecar proxy to handle its inbound and outbound traffic. This ensures that communication between processes is controlled and one process cannot modify the executing code of another process. related-observations: - - observation-uuid: 1cc8559c-f4df-46bc-9adb-7f5923a9de91 - - observation-uuid: 435f54e2-3606-4250-9e16-79326844e82e + - observation-uuid: eb3200f0-0b42-4bab-9987-673684f62d82 + - observation-uuid: f10278ec-5f1b-4307-8709-a3745bf12d36 target: status: state: satisfied target-id: sc-39 type: objective-id title: 'Validation Result - Control: sc-39' - uuid: 7e308fb9-473e-4695-a9f0-d716c8b2b47c - - description: | - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 86bc4fb7-f91b-4f2c-b914-65427951018c - # Control Implementation - Istio enforces outbound traffic goes through an Egress Gateway with a Network Policy. - related-observations: - - observation-uuid: 1cc8559c-f4df-46bc-9adb-7f5923a9de91 - - observation-uuid: daf64ecb-b110-4c6e-907f-7b4cd8831232 - - observation-uuid: 46256c29-c662-4f0c-a037-bf1c534dee59 - target: - status: - state: not-satisfied - target-id: sc-4 - type: objective-id - title: 'Validation Result - Control: sc-4' - uuid: 036754b0-047d-48cf-a8c5-fa87601994c5 + uuid: fb891c52-8267-4632-b8e8-e4543ce5b872 - description: | Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 82d3ab37-b934-4731-9198-56ced7d92708 # Control Description "a. Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system; b. Implement subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and c. Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture." @@ -964,117 +892,67 @@ assessment-results: target-id: sc-7 type: objective-id title: 'Validation Result - Control: sc-7' - uuid: 5d65f54a-91fd-4e77-9afa-8099bd131959 - - description: | - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 30b49a3e-ad38-441d-8c07-5a9018848a02 - # Control Implementation - Istio is configured to dynamically isolate certain internal system components when necessary. This is achieved through Istio's network policies, which allow us to partition or separate system components - related-observations: - - observation-uuid: 1cc8559c-f4df-46bc-9adb-7f5923a9de91 - - observation-uuid: dbc9b893-9847-4ffa-8a91-7642f18f9784 - - observation-uuid: 435f54e2-3606-4250-9e16-79326844e82e - target: - status: - state: satisfied - target-id: sc-7.20 - type: objective-id - title: 'Validation Result - Control: sc-7.20' - uuid: 80ffa744-8c84-4b5e-9188-722b4f6542ca - - description: | - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: c9a1e9bc-3caa-44ce-a300-ecd722487987 - # Control Implementation - Istio is configured to isolate system components that perform different mission or business functions. This is achieved through Istio's network policies and mutual TLS, which allow us to control information flows and provide enhanced protection. - related-observations: - - observation-uuid: 1cc8559c-f4df-46bc-9adb-7f5923a9de91 - - observation-uuid: dbc9b893-9847-4ffa-8a91-7642f18f9784 - - observation-uuid: 435f54e2-3606-4250-9e16-79326844e82e - target: - status: - state: satisfied - target-id: sc-7.21 - type: objective-id - title: 'Validation Result - Control: sc-7.21' - uuid: 7d23eb48-f3ea-4d3c-9971-68cf25c62ba0 + uuid: abd6a4b8-c69f-40ec-b127-1597db93bd36 - description: | - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 85df9e6c-3d94-4c60-9a20-8c481831f1e0 - # Control Implementation - Istio is configured to provide managed interfaces for external telecommunication services, establish traffic flow policies, and protect the confidentiality and integrity of transmitted information. It also prevents unauthorized exchange of control plane traffic and filters unauthorized control plane traffic. + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: a5bac410-d674-431d-b5fc-2f904842c29c + Istio is configured to provide managed interfaces for external telecommunication services, establish traffic flow policies, and protect the confidentiality and integrity of transmitted information. It also prevents unauthorized exchange of control plane traffic and filters unauthorized control plane traffic. related-observations: - - observation-uuid: 1cc8559c-f4df-46bc-9adb-7f5923a9de91 - - observation-uuid: 73aaf428-603c-447a-ad38-8ce66b7795f1 - - observation-uuid: 3b856533-2206-4ebd-932e-645886b20b10 - - observation-uuid: 610a3b9c-269e-47c7-8b2c-9412bc822e80 + - observation-uuid: eb3200f0-0b42-4bab-9987-673684f62d82 + - observation-uuid: ceb8c9fa-058a-4223-91f9-8361c84e359f + - observation-uuid: 9d69895a-0eed-4052-8102-ff9070d66851 + - observation-uuid: 4e1e697c-4a92-4c57-ae95-c75ba272dc1d target: status: state: satisfied target-id: sc-7.4 type: objective-id title: 'Validation Result - Control: sc-7.4' - uuid: 4edd983b-bb0a-4c16-a0f8-d827f52d39fc + uuid: 48fe83c1-ec77-4f79-bcc1-e233978571cc - description: | - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 4b930af3-ae84-43ff-b751-448fe1c2eec8 - # Control Implementation - is configured to route internal communications traffic to external networks through authenticated proxy servers at managed interfaces, using its Egress Gateway. + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 3f409103-880e-4180-81e7-54f85a6143ae + Istio is configured to route internal communications traffic to external networks through authenticated proxy servers at managed interfaces, using its Egress Gateway. related-observations: - - observation-uuid: 1cc8559c-f4df-46bc-9adb-7f5923a9de91 - - observation-uuid: 46256c29-c662-4f0c-a037-bf1c534dee59 - - observation-uuid: 20db9c5e-e962-47ca-a0ab-c43b52d7b56e + - observation-uuid: eb3200f0-0b42-4bab-9987-673684f62d82 + - observation-uuid: 8cb4f8c0-cade-41b4-9a01-06a14888d13a + - observation-uuid: d831dc82-53da-438f-b7ff-a6b579bdb3ef target: status: state: not-satisfied target-id: sc-7.8 type: objective-id title: 'Validation Result - Control: sc-7.8' - uuid: f810556d-285b-4e75-b6ec-971235a3ffaa + uuid: b5761b5a-4afb-45ef-8050-d8768f8bc362 - description: | Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 132fb1ff-8b58-4cfd-8ad4-c01605d89f24 # Control Description Protect the [confidentiality AND integrity] of transmitted information. # Control Implementation Data in transit is protected using a TLS connection and secured between components within the data center using an internal certificate until it is terminated at the application node. This ensures that data in transit is encrypted using SSL. - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 7548b4ee-e4a3-4e3c-a34b-95eccad45f92 - # Control Implementation - Istio is configured to protect the confidentiality and integrity of transmitted information across both internal and external networks. This is achieved through Istio's mutual TLS, which encrypts service-to-service communication, ensuring that data in transit is not exposed to the possibility of interception and modification. + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: e97a451e-44c7-4240-a7a7-adaadd26f01c + Istio is configured to protect the confidentiality and integrity of transmitted information across both internal and external networks. This is achieved through Istio's mutual TLS, which encrypts service-to-service communication, ensuring that data in transit is not exposed to the possibility of interception and modification. related-observations: - - observation-uuid: 1cc8559c-f4df-46bc-9adb-7f5923a9de91 - - observation-uuid: dbc9b893-9847-4ffa-8a91-7642f18f9784 - - observation-uuid: 435f54e2-3606-4250-9e16-79326844e82e + - observation-uuid: eb3200f0-0b42-4bab-9987-673684f62d82 + - observation-uuid: adb9497f-436d-4862-8043-6691bce1352c + - observation-uuid: f10278ec-5f1b-4307-8709-a3745bf12d36 target: status: state: not-satisfied target-id: sc-8 type: objective-id title: 'Validation Result - Control: sc-8' - uuid: a43fb38e-2aa9-4cc2-b7a7-103202c1ed5d + uuid: 9d7a4bdc-53f2-4a42-b30b-88c5a2c607ac - description: | - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 69415B92-0490-4A14-9E0F-E1EE61951F9C - # Control Implementation - Istio is configured to protect the confidentiality and integrity of transmitted information across both internal and external networks. This is achieved through Istio's mutual TLS, which encrypts service-to-service communication, ensuring that data in transit is not exposed to the possibility of interception and modification. + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: f3b38f79-9bf7-4024-a1b2-00befd67fda7 + Istio is configured to protect the confidentiality and integrity of transmitted information across both internal and external networks. This is achieved through Istio's mutual TLS, which encrypts service-to-service communication, ensuring that data in transit is not exposed to the possibility of interception and modification. related-observations: - - observation-uuid: 1cc8559c-f4df-46bc-9adb-7f5923a9de91 - - observation-uuid: dbc9b893-9847-4ffa-8a91-7642f18f9784 - - observation-uuid: 435f54e2-3606-4250-9e16-79326844e82e + - observation-uuid: eb3200f0-0b42-4bab-9987-673684f62d82 + - observation-uuid: adb9497f-436d-4862-8043-6691bce1352c + - observation-uuid: f10278ec-5f1b-4307-8709-a3745bf12d36 target: status: state: satisfied target-id: sc-8.1 type: objective-id title: 'Validation Result - Control: sc-8.1' - uuid: 60aafba4-0b1b-41f1-bb67-11bf0a54f83a - - description: | - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: c158b75a-cefc-4794-b124-f1e56ff5646d - # Control Implementation - Istio implements with global configuration. - related-observations: - - observation-uuid: 1cc8559c-f4df-46bc-9adb-7f5923a9de91 - - observation-uuid: dbc9b893-9847-4ffa-8a91-7642f18f9784 - - observation-uuid: 435f54e2-3606-4250-9e16-79326844e82e - - observation-uuid: 3b856533-2206-4ebd-932e-645886b20b10 - target: - status: - state: satisfied - target-id: sc-8.2 - type: objective-id - title: 'Validation Result - Control: sc-8.2' - uuid: e588b254-b0df-4115-849d-5ad7d250acf1 + uuid: 28aec3a5-8f40-409d-bf88-9a83c476d0a3 - description: | Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 9b4c7011-aa35-4f61-ade2-7c070bb51767 # Control Description "a. Generate error messages that provide information necessary for corrective actions without revealing information that could be exploited; and b. Reveal error messages only to [Assignment: organization-defined personnel or roles]." @@ -1085,7 +963,7 @@ assessment-results: target-id: si-11 type: objective-id title: 'Validation Result - Control: si-11' - uuid: 901febde-3027-47e6-97b4-ed8ee9ed29da + uuid: f0008256-c408-442d-86f3-3a56c8177874 - description: | Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 4faa4029-52bc-4d7f-9896-e43c6731d5e5 # Control Description "(a) Measure the time between flaw identification and flaw remediation; and (b) Establish the following benchmarks for taking corrective actions: [Assignment: organization-defined benchmarks]." @@ -1096,7 +974,7 @@ assessment-results: target-id: si-2.3 type: objective-id title: 'Validation Result - Control: si-2.3' - uuid: 123c7cb2-309d-4f95-832b-3476367d80df + uuid: c4cde847-c1ac-4962-aec2-84f2e373405e - description: | Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: c83fdce5-53f5-4860-a586-242d044efaa9 # Control Description "a. Monitor the system to detect: 1. Attacks and indicators of potential attacks in accordance with the following monitoring objectives: [Assignment: organization-defined monitoring objectives]; and 2. Unauthorized local, network, and remote connections; b. Identify unauthorized use of the system through the following techniques and methods: [Assignment: organization-defined techniques and methods]; c. Invoke internal monitoring capabilities or deploy monitoring devices: 1. Strategically within the system to collect organization-determined essential information; and 2. At ad hoc locations within the system to track specific types of transactions of interest to the organization; d. Analyze detected events and anomalies; e. Adjust the level of system monitoring activity when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation; f. Obtain legal opinion regarding system monitoring activities; and g. Provide [Assignment: organization-defined system monitoring information] to [Assignment: organization-defined personnel or roles] [Selection (one or more): as needed; [Assignment: organization-defined frequency]]." @@ -1107,7 +985,7 @@ assessment-results: target-id: si-4 type: objective-id title: 'Validation Result - Control: si-4' - uuid: af7893bd-83c9-4318-9ed0-dd50582609d5 + uuid: 16c943ed-c12f-417b-8d90-21788f3349a5 - description: | Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: ac61e461-5fb8-4cf1-89ff-36d002056fda # Control Description "a. Receive system security alerts, advisories, and directives from [Assignment: o include US-CERT] on an ongoing basis; b. Generate internal security alerts, advisories, and directives as deemed necessary; c. Disseminate security alerts, advisories, and directives to: [Selection (one or more): [Assignment: organization-defined personnel or roles]; to include system security personnel and administrators with configuration/patch-management responsibilities and d. Implement security directives in accordance with established time frames, or notify the issuing organization of the degree of noncompliance." @@ -1118,7 +996,7 @@ assessment-results: target-id: si-5 type: objective-id title: 'Validation Result - Control: si-5' - uuid: d75021f4-afad-46ca-a3e0-f5164db3147f + uuid: 970ac268-cdf4-44a2-8d86-3b10915f0a32 - description: | Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 80552838-9db8-41f7-9603-d91f884aa7bb # Control Description "a. Verify the correct operation of [Assignment: organization-defined security and privacy functions]; b. Perform the verification of the functions specified in SI-6a [Selection (one or more): [Assignment: to include upon system startup and/or restart]; upon command by user with appropriate privilege; [Assignment: at least monthly]]; c. Alert [Assignment: to include system administrators and security personnel] to failed security and privacy verification tests; and d. [Selection (one or more): Shut the system down; Restart the system; [Assignment: organization-defined alternative action (s)]] when anomalies are discovered." @@ -1129,291 +1007,271 @@ assessment-results: target-id: si-6 type: objective-id title: 'Validation Result - Control: si-6' - uuid: 8f936748-3181-4885-b5d4-519cffa1d992 + uuid: 33305746-ba60-43cd-8ed3-9f50fd279f0c observations: - - collected: 2024-08-06T02:58:06.749191822Z + - collected: 2024-10-16T20:13:50.57177773Z description: | - [TEST]: 663f5e92-6db4-4042-8b5a-eba3ebe5a622 - lula-validation-error + [TEST]: f345c359-3208-46fb-9348-959bd628301e - istio-prometheus-annotations-validation methods: - TEST relevant-evidence: - description: | - Result: not-satisfied + Result: satisfied remarks: | - Error getting Lula validation #663f5e92-6db4-4042-8b5a-eba3ebe5a622: validation failed: [{/required file:///home/runner/work/uds-core/uds-core/compliance/validation#/required missing properties: 'domain' }] - uuid: a05d03e1-4f9c-476b-a657-2607a0c86258 - - collected: 2024-08-06T02:58:06.749221207Z + validate.msg: All pods have correct prometheus annotations. + validate.msg_exempted_namespaces: istio-system, kube-system, uds-dev-stack, zarf + uuid: 6e9c7750-ccda-4f25-b8de-89e8e3e3d525 + - collected: 2024-10-16T20:13:50.571902333Z description: | - [TEST]: ecdb90c7-971a-4442-8f29-a8b0f6076bc9 - lula-validation-error + [TEST]: c3b022eb-19a5-4711-8099-da4a90c9dd5d - egress-gateway-exists-and-configured-PLACEHOLDER methods: - TEST relevant-evidence: - description: | Result: not-satisfied remarks: | - Error getting Lula validation #ecdb90c7-971a-4442-8f29-a8b0f6076bc9: validation failed: [{/required file:///home/runner/work/uds-core/uds-core/compliance/validation#/required missing properties: 'domain', 'provider' }] - uuid: 46256c29-c662-4f0c-a037-bf1c534dee59 - - collected: 2024-08-06T02:58:06.749255782Z + Error running validation: provider Evaluate error: opa validation not performed - no resources to validate + uuid: 8cb4f8c0-cade-41b4-9a01-06a14888d13a + - collected: 2024-10-16T20:13:50.681017055Z description: | - [TEST]: fbe5855d-b4ea-4ff5-9f0d-5901d620577a - lula-validation-error + [TEST]: 1761ac07-80dd-47d2-947e-09f67943b986 - all-pods-istio-injected methods: - TEST relevant-evidence: - description: | - Result: not-satisfied + Result: satisfied remarks: | - Error getting Lula validation #fbe5855d-b4ea-4ff5-9f0d-5901d620577a: validation failed: [{/required file:///home/runner/work/uds-core/uds-core/compliance/validation#/required missing properties: 'domain', 'provider' }] - uuid: af55317a-a3b8-42b9-8ba8-d859748635b5 - - collected: 2024-08-06T02:58:06.85546841Z + validate.msg_exempt_namespaces: istio-admin-gateway, istio-passthrough-gateway, istio-system, istio-tenant-gateway, kube-system, uds-dev-stack, zarf + validate.msg: All pods have Istio sidecar proxy. + uuid: f10278ec-5f1b-4307-8709-a3745bf12d36 + - collected: 2024-10-16T20:13:50.689844666Z description: | - [TEST]: 1761ac07-80dd-47d2-947e-09f67943b986 - all-pods-istio-injected + [TEST]: 0da39859-a91a-4ca6-bd8b-9b117689188f - all-namespaces-istio-injected methods: - TEST relevant-evidence: - description: | - Result: satisfied + Result: not-satisfied remarks: | - validate.exempt_namespaces_msg: Exempted Namespaces: istio-admin-gateway, istio-passthrough-gateway, istio-system, istio-tenant-gateway, kube-system, uds-dev-stack, zarf - validate.msg: All pods have Istio sidecar proxy. - uuid: 435f54e2-3606-4250-9e16-79326844e82e - - collected: 2024-08-06T02:58:06.861988088Z + validate.msg: Non-Istio-injected namespaces: {"authservice-test-app", "podinfo", "test-admin-app", "test-tenant-app"} + validate.msg_exempt_namespaces: default, istio-admin-gateway, istio-passthrough-gateway, istio-system, istio-tenant-gateway, kube-node-lease, kube-public, kube-system, uds-crds, uds-dev-stack, uds-policy-exemptions, zarf + uuid: 2c61853a-96af-4195-8dc9-f3313f6035f1 + - collected: 2024-10-16T20:13:50.693177593Z description: | - [TEST]: ca49ac97-487a-446a-a0b7-92b20e2c83cb - enforce-mtls-strict + [TEST]: 90738c86-6315-450a-ac69-cc50eb4859cc - check-istio-logging-all-traffic methods: - TEST relevant-evidence: - description: | Result: satisfied remarks: | - validate.msg: All PeerAuthentications have mtls mode set to STRICT. - uuid: dbc9b893-9847-4ffa-8a91-7642f18f9784 - - collected: 2024-08-06T02:58:06.868755824Z + validate.msg: Istio is logging all traffic. + uuid: a858d60b-5192-41de-bac4-a79479a91f64 + - collected: 2024-10-16T20:13:50.697120548Z description: | - [TEST]: fd071676-6b92-4e1c-a4f0-4c8d2bd55aed - ingress-traffic-encrypted + [TEST]: fbd877c8-d6b6-4d88-8685-2c4aaaab02a1 - istio-enforces-authorized-keycloak-access methods: - TEST relevant-evidence: - description: | Result: satisfied remarks: | - validate.msg: All gateways encrypt ingress traffic - validate.msg_exempt: Exempted Gateways: istio-passthrough-gateway/passthrough-gateway - uuid: ff67f994-802a-4668-a261-f0cbfb7982d5 - - collected: 2024-08-06T02:58:06.868804496Z + validate.msg: AuthorizationPolicy restricts access to Keycloak admin. + uuid: 9d69895a-0eed-4052-8102-ff9070d66851 + - collected: 2024-10-16T20:13:50.697182945Z description: | - [TEST]: 73434890-2751-4894-b7b2-7e583b4a8977 - lula-validation-error + [TEST]: fbe5855d-b4ea-4ff5-9f0d-5901d620577a - lula-validation-error methods: - TEST relevant-evidence: - description: | Result: not-satisfied remarks: | - Error getting Lula validation #73434890-2751-4894-b7b2-7e583b4a8977: validation failed: [{/required file:///home/runner/work/uds-core/uds-core/compliance/validation#/required missing properties: 'domain', 'provider' }] - uuid: e12e332c-6a86-43e8-9403-94824b948f45 - - collected: 2024-08-06T02:58:06.868833069Z + Error getting Lula validation #fbe5855d-b4ea-4ff5-9f0d-5901d620577a: schema is invalid: [{/required "missing properties 'domain', 'provider'" }] + uuid: 572f5829-517b-40d0-8b50-6d9bf9c54c77 + - collected: 2024-10-16T20:13:50.697270528Z description: | - [TEST]: 9bfc68e0-381a-4006-9f68-c293e3b20cee - lula-validation-error + [TEST]: 663f5e92-6db4-4042-8b5a-eba3ebe5a622 - communications-terminated-after-inactivity-PLACEHOLDER methods: - TEST relevant-evidence: - description: | Result: not-satisfied remarks: | - Error getting Lula validation #9bfc68e0-381a-4006-9f68-c293e3b20cee: validation failed: [{/required file:///home/runner/work/uds-core/uds-core/compliance/validation#/required missing properties: 'domain', 'provider' }] - uuid: 48a7c266-3ce0-4c63-b782-335c2461afc6 - - collected: 2024-08-06T02:58:06.875936601Z + Error running validation: provider Evaluate error: opa validation not performed - no resources to validate + uuid: 825da259-13c9-4b85-b890-75d107573c62 + - collected: 2024-10-16T20:13:50.697333466Z description: | - [TEST]: b0a8f21e-b12f-47ea-a967-2f4a3ec69e44 - gateway-configuration-check + [TEST]: 19faf69a-de74-4b78-a628-64a9f244ae13 - external-traffic-managed-PLACEHOLDER methods: - TEST relevant-evidence: - description: | - Result: satisfied + Result: not-satisfied remarks: | - validate.msg: Only allowed gateways found. All gateway types found. - validate.msg_existing_gateways: istio-admin-gateway/admin-gateway, istio-passthrough-gateway/passthrough-gateway, istio-tenant-gateway/tenant-gateway - validate.msg_allowed_gateways: admin, passthrough, tenant - uuid: 610a3b9c-269e-47c7-8b2c-9412bc822e80 - - collected: 2024-08-06T02:58:06.880031826Z + Error running validation: provider Evaluate error: opa validation not performed - no resources to validate + uuid: d831dc82-53da-438f-b7ff-a6b579bdb3ef + - collected: 2024-10-16T20:13:50.730168322Z description: | - [TEST]: 7b045b2a-106f-4c8c-85d9-ae3d7a8e0e28 - istio-rbac-enforcement-check + [TEST]: 570e2dc7-e6c2-4ad5-8ea3-f07974f59747 - secure-communication-with-istiod methods: - TEST relevant-evidence: - description: | Result: satisfied remarks: | - validate.msg: Istio RBAC enforced - validate.msg_authPolicies: Authorization Policies: keycloak/keycloak-block-admin-access-from-public-gateway - uuid: d517a52c-6742-4c6a-94f4-b6716aa64879 - - collected: 2024-08-06T02:58:06.880074886Z + validate.msg: NetworkPolicies correctly configured for istiod in required namespaces. + validate.msg_expected_istiod: Expected Istiod port: 15012, protocol: TCP. + validate.msg_required_namespaces: authservice, grafana, keycloak, loki, metrics-server, monitoring, neuvector, uds-runtime, vector, velero + uuid: ceb8c9fa-058a-4223-91f9-8361c84e359f + - collected: 2024-10-16T20:13:50.730223946Z description: | - [TEST]: 9b361d7b-4e07-40db-8b86-3854ed499a4b - lula-validation-error + [TEST]: 9bfc68e0-381a-4006-9f68-c293e3b20cee - lula-validation-error methods: - TEST relevant-evidence: - description: | Result: not-satisfied remarks: | - Error getting Lula validation #9b361d7b-4e07-40db-8b86-3854ed499a4b: validation failed: [{/required file:///home/runner/work/uds-core/uds-core/compliance/validation#/required missing properties: 'domain', 'provider' }] - uuid: 9da482e6-b1b4-47d5-b88c-ea78cb1a6089 - - collected: 2024-08-06T02:58:06.888036681Z + Error getting Lula validation #9bfc68e0-381a-4006-9f68-c293e3b20cee: schema is invalid: [{/required "missing properties 'domain', 'provider'" }] + uuid: e72b33d8-64ba-4871-ab47-2f0b1a5c18e7 + - collected: 2024-10-16T20:13:50.730273639Z description: | - [TEST]: 67456ae8-4505-4c93-b341-d977d90cb125 - istio-health-check + [TEST]: 8be1601e-5870-4573-ab4f-c1c199944815 - tls-origination-at-egress-PLACEHOLDER methods: - TEST relevant-evidence: - description: | - Result: satisfied + Result: not-satisfied remarks: | - istiohealth.deployment_message: All deployment conditions are true. - istiohealth.hpa_message: HPA has sufficient replicas. - uuid: 1cc8559c-f4df-46bc-9adb-7f5923a9de91 - - collected: 2024-08-06T02:58:06.986972859Z + Error running validation: provider Evaluate error: opa validation not performed - no resources to validate + uuid: 47e30ded-89cf-4862-bed8-b3c5c0b3a17f + - collected: 2024-10-16T20:13:50.738968965Z description: | - [TEST]: f345c359-3208-46fb-9348-959bd628301e - istio-prometheus-annotations-validation + [TEST]: 67456ae8-4505-4c93-b341-d977d90cb125 - istio-health-check methods: - TEST relevant-evidence: - description: | Result: satisfied remarks: | - validate.msg: All pods have correct prometheus annotations. - validate.exempt_namespaces_msg: Exempted Namespaces: istio-system, kube-system, uds-dev-stack, zarf - uuid: a906a088-3147-44cb-8d7b-69058d1d8484 - - collected: 2024-08-06T02:58:06.987037129Z + validate.msg: Istiod Deployment is healthy. HPA has sufficient replicas. + uuid: eb3200f0-0b42-4bab-9987-673684f62d82 + - collected: 2024-10-16T20:13:50.745123247Z description: | - [TEST]: 8be1601e-5870-4573-ab4f-c1c199944815 - lula-validation-error + [TEST]: ca49ac97-487a-446a-a0b7-92b20e2c83cb - enforce-mtls-strict methods: - TEST relevant-evidence: - description: | - Result: not-satisfied + Result: satisfied remarks: | - Error getting Lula validation #8be1601e-5870-4573-ab4f-c1c199944815: validation failed: [{/required file:///home/runner/work/uds-core/uds-core/compliance/validation#/required missing properties: 'domain' } {/properties/provider/$ref/properties/opa-spec/$ref/properties/rego/pattern file:///home/runner/work/uds-core/uds-core/compliance/validation#/definitions/opaSpec/properties/rego/pattern /provider/opa-spec/rego does not match pattern '.*\\S\\s\\n.*' package validate - default validate := false - # How to prove TLS origination is configured at egress - # DestinationRule? - }] - uuid: edc21e52-53cd-4a6a-9e29-1016a56e0cb5 - - collected: 2024-08-06T02:58:07.017260415Z + validate.msg: All PeerAuthentications have mtls mode set to STRICT. + uuid: adb9497f-436d-4862-8043-6691bce1352c + - collected: 2024-10-16T20:13:50.754286064Z description: | - [TEST]: 570e2dc7-e6c2-4ad5-8ea3-f07974f59747 - secure-communication-with-istiod + [TEST]: c6c9daf1-4196-406d-8679-312c0512ab2e - check-istio-admin-gateway-and-usage methods: - TEST relevant-evidence: - description: | Result: satisfied remarks: | - validate.msg_correct: NetworkPolicies correctly configured for istiod in namespaces: authservice, grafana, keycloak, loki, metrics-server, monitoring, neuvector, promtail, velero. - validate.msg_incorrect: No incorrect istiod NetworkPolicies found. - uuid: 73aaf428-603c-447a-ad38-8ce66b7795f1 - - collected: 2024-08-06T02:58:07.017384197Z + validate.msg: Admin gateway exists: istio-admin-gateway/admin-gateway. Admin virtual services are using admin gateway. + uuid: 20f98c91-2308-4356-837b-c253353d7479 + - collected: 2024-10-16T20:13:50.754326089Z description: | - [TEST]: 19faf69a-de74-4b78-a628-64a9f244ae13 - lula-validation-error + [TEST]: 98b97ec9-a9ce-4444-83d8-71066270a424 - lula-validation-error methods: - TEST relevant-evidence: - description: | Result: not-satisfied remarks: | - Error getting Lula validation #19faf69a-de74-4b78-a628-64a9f244ae13: validation failed: [{/required file:///home/runner/work/uds-core/uds-core/compliance/validation#/required missing properties: 'domain' } {/properties/provider/$ref/properties/opa-spec/$ref/properties/rego/pattern file:///home/runner/work/uds-core/uds-core/compliance/validation#/definitions/opaSpec/properties/rego/pattern /provider/opa-spec/rego does not match pattern '.*\\S\\s\\n.*' package validate - default validate := false - # This policy could check meshConfig.outboundTrafficPolicy.mode (default is ALLOW_ANY) - # Possibly would need a ServiceEntry(?) - # (https://istio.io/latest/docs/tasks/traffic-management/egress/egress-control/#envoy-passthrough-to-external-services) - }] - uuid: 20db9c5e-e962-47ca-a0ab-c43b52d7b56e - - collected: 2024-08-06T02:58:07.025304675Z + Error getting Lula validation #98b97ec9-a9ce-4444-83d8-71066270a424: schema is invalid: [{/required "missing properties 'domain', 'provider'" }] + uuid: 39cf41d1-048e-4132-9681-f7274e4be4ea + - collected: 2024-10-16T20:13:50.868647184Z description: | - [TEST]: 0da39859-a91a-4ca6-bd8b-9b117689188f - all-namespaces-istio-injected + [TEST]: 7b045b2a-106f-4c8c-85d9-ae3d7a8e0e28 - istio-rbac-enforcement-check methods: - TEST relevant-evidence: - description: | - Result: not-satisfied + Result: satisfied remarks: | - validate.msg: Non-Istio-injected namespaces: {"authservice-test-app", "podinfo", "test-admin-app", "test-tenant-app"} - validate.exempted_namespaces_msg: Exempted Namespaces: default, istio-admin-gateway, istio-passthrough-gateway, istio-system, istio-tenant-gateway, kube-node-lease, kube-public, kube-system, uds-crds, uds-dev-stack, uds-policy-exemptions, zarf - uuid: f25d32b1-4bbd-4309-a96e-99fb8f484c88 - - collected: 2024-08-06T02:58:07.025349479Z + validate.msg: Istio RBAC enforced + validate.msg_all_auth_policies: keycloak/keycloak-block-admin-access-from-public-gateway, uds-runtime/runtime-authservice, uds-runtime/runtime-jwt-authz + uuid: cf774c2c-17dc-48d2-ba4c-2ae6547ea8e0 + - collected: 2024-10-16T20:13:50.868740227Z description: | - [TEST]: 7455f86d-b79c-4226-9ce3-f3fb7d9348c8 - lula-validation-error + [TEST]: 9b361d7b-4e07-40db-8b86-3854ed499a4b - istio-rbac-for-approved-personnel-PLACEHOLDER methods: - TEST relevant-evidence: - description: | Result: not-satisfied remarks: | - Error getting Lula validation #7455f86d-b79c-4226-9ce3-f3fb7d9348c8: validation failed: [{/required file:///home/runner/work/uds-core/uds-core/compliance/validation#/required missing properties: 'domain', 'provider' }] - uuid: daf64ecb-b110-4c6e-907f-7b4cd8831232 - - collected: 2024-08-06T02:58:07.03317813Z - description: | - [TEST]: 90738c86-6315-450a-ac69-cc50eb4859cc - check-istio-logging-all-traffic - methods: - - TEST - relevant-evidence: - - description: | - Result: satisfied - remarks: | - validate.msg: Istio is logging all traffic - uuid: 9e4a8aa7-2736-4aad-8b08-7fcee4fa2a68 - - collected: 2024-08-06T02:58:07.041938066Z + Error running validation: provider Evaluate error: opa validation not performed - no resources to validate + uuid: 1fc0d5bd-18e9-4244-a1a0-3c618aca8652 + - collected: 2024-10-16T20:13:51.070408027Z description: | - [TEST]: 70d99754-2918-400c-ac9a-319f874fff90 - istio-metrics-logging-configured + [TEST]: b0a8f21e-b12f-47ea-a967-2f4a3ec69e44 - gateway-configuration-check methods: - TEST relevant-evidence: - description: | Result: satisfied remarks: | - validate.msg: Metrics logging supported. - uuid: 06449da5-4cb5-4a5e-922d-5309d5c8f0c8 - - collected: 2024-08-06T02:58:07.0520707Z + validate.msg_existing_gateways: istio-admin-gateway/admin-gateway, istio-passthrough-gateway/passthrough-gateway, istio-tenant-gateway/tenant-gateway + validate.msg_allowed_gateways: admin, passthrough, tenant + validate.msg: Only allowed gateways found. All gateway types found. + uuid: 4e1e697c-4a92-4c57-ae95-c75ba272dc1d + - collected: 2024-10-16T20:13:51.266003971Z description: | - [TEST]: c6c9daf1-4196-406d-8679-312c0512ab2e - check-istio-admin-gateway-and-usage + [TEST]: f346b797-be35-40a8-a93a-585db6fd56ec - istio-tracing-logging-support methods: - TEST relevant-evidence: - description: | - Result: satisfied + Result: not-satisfied remarks: | - validate.msg: Admin gateway exists. Admin virtual services are using admin gateway. - uuid: 362043c5-ea38-4c11-83e3-35d34b79c938 - - collected: 2024-08-06T02:58:07.056306187Z + validate.msg: Tracing logging not supported. + uuid: ca312bc9-b8cd-4a30-9b72-50ffee51e828 + - collected: 2024-10-16T20:13:51.470751962Z description: | - [TEST]: fbd877c8-d6b6-4d88-8685-2c4aaaab02a1 - istio-enforces-authorized-keycloak-access + [TEST]: fd071676-6b92-4e1c-a4f0-4c8d2bd55aed - ingress-traffic-encrypted methods: - TEST relevant-evidence: - description: | Result: satisfied remarks: | - validate.msg: AuthorizationPolicy restricts access to Keycloak admin. - uuid: 3b856533-2206-4ebd-932e-645886b20b10 - - collected: 2024-08-06T02:58:07.064560781Z + validate.msg: All gateways encrypt ingress traffic + validate.msg_exempted_gateways: istio-passthrough-gateway/passthrough-gateway + uuid: a9c35339-fc94-4e59-bdf1-a89c1664bac0 + - collected: 2024-10-16T20:13:51.47086859Z description: | - [TEST]: f346b797-be35-40a8-a93a-585db6fd56ec - istio-tracing-logging-support + [TEST]: 73434890-2751-4894-b7b2-7e583b4a8977 - fips-evaluation-PLACEHOLDER methods: - TEST relevant-evidence: - description: | Result: not-satisfied remarks: | - validate.msg: Tracing logging not supported. - uuid: 94477b5d-84b7-427c-88b3-71367c501528 - - collected: 2024-08-06T02:58:07.0646133Z + Error running validation: provider Evaluate error: opa validation not performed - no resources to validate + uuid: 46fd0f63-fefa-40fe-9894-7c52bbce7f9b + - collected: 2024-10-16T20:13:51.665120832Z description: | - [TEST]: 98b97ec9-a9ce-4444-83d8-71066270a424 - lula-validation-error + [TEST]: 70d99754-2918-400c-ac9a-319f874fff90 - istio-metrics-logging-configured methods: - TEST relevant-evidence: - description: | - Result: not-satisfied + Result: satisfied remarks: | - Error getting Lula validation #98b97ec9-a9ce-4444-83d8-71066270a424: validation failed: [{/required file:///home/runner/work/uds-core/uds-core/compliance/validation#/required missing properties: 'domain', 'provider' }] - uuid: a1236290-6057-4695-b4bd-20dd2981d60d - - collected: 2024-08-06T02:58:07.064634109Z + validate.msg: Metrics logging supported. + uuid: 64a22438-eba3-4fcb-bfe8-68ed8bad61ba + - collected: 2024-10-16T20:13:51.665185653Z description: | [TEST]: 0be7345d-e9d3-4248-9c14-5fed8e7bfa01 - lula-validation-error methods: @@ -1422,8 +1280,8 @@ assessment-results: - description: | Result: not-satisfied remarks: | - Error getting Lula validation #0be7345d-e9d3-4248-9c14-5fed8e7bfa01: validation failed: [{/required file:///home/runner/work/uds-core/uds-core/compliance/validation#/required missing properties: 'domain', 'provider' }] - uuid: d265b5b6-9306-4c22-ad35-d6f00a41920e + Error getting Lula validation #0be7345d-e9d3-4248-9c14-5fed8e7bfa01: schema is invalid: [{/required "missing properties 'domain', 'provider'" }] + uuid: 0e3f9f2a-c596-4688-8841-0f9d2845f0a2 props: - name: threshold ns: https://docs.lula.dev/oscal/ns @@ -1441,1282 +1299,6 @@ assessment-results: - control-id: ac-3 - control-id: ac-4 - control-id: ac-4.21 - - control-id: ac-4.4 - - control-id: ac-5 - - control-id: ac-6 - - control-id: ac-6.1 - - control-id: ac-6.10 - - control-id: ac-6.3 - - control-id: ac-6.9 - - control-id: au-11 - - control-id: au-12 - - control-id: au-12.1 - - control-id: au-2 - - control-id: au-3 - - control-id: au-3.1 - - control-id: au-4 - - control-id: au-5.1 - - control-id: au-5.2 - - control-id: au-6 - - control-id: au-6.1 - - control-id: au-6.3 - - control-id: au-6.5 - - control-id: au-6.6 - - control-id: au-7 - - control-id: au-7.1 - - control-id: au-8 - - control-id: au-9 - - control-id: au-9.2 - - control-id: au-9.4 - - control-id: au7.1 - - control-id: ca-2.2 - - control-id: ca-7 - - control-id: cm-5 - - control-id: cm-6 - - control-id: cm-7 - - control-id: cp-10 - - control-id: cp-10.4 - - control-id: cp-6 - - control-id: cp-6.1 - - control-id: cp-6.2 - - control-id: cp-6.3 - - control-id: cp-7 - - control-id: cp-7.1 - - control-id: cp-7.2 - - control-id: cp-9 - - control-id: cp-9.1 - - control-id: cp-9.2 - - control-id: cp-9.3 - - control-id: cp-9.5 - - control-id: cp-9.8 - - control-id: ra-5 - - control-id: ra-5.2 - - control-id: ra-5.3 - - control-id: ra-5.5 - - control-id: sa-11 - - control-id: sa-11.1 - - control-id: sc-10 - - control-id: sc-13 - - control-id: sc-23 - - control-id: sc-3 - - control-id: sc-39 - - control-id: sc-4 - - control-id: sc-7 - - control-id: sc-7.20 - - control-id: sc-7.21 - - control-id: sc-7.4 - - control-id: sc-7.8 - - control-id: sc-8 - - control-id: sc-8.1 - - control-id: sc-8.2 - - control-id: si-11 - - control-id: si-2.3 - - control-id: si-4 - - control-id: si-5 - - control-id: si-6 - description: Controls validated - remarks: Validation performed may indicate full or partial satisfaction - start: 2024-08-06T02:58:07.070919511Z - title: Lula Validation Result - uuid: f246b0cb-f71a-41b0-a2fe-7ef03c16c754 - - description: Assessment results for performing Validations with Lula version v0.4.1 - findings: - - description: |- - # Control Implementation - Istio implements with service to service and provides authorization policies that require authentication to access any non-public features. - related-observations: - - observation-uuid: f920e554-a7c0-4315-89ec-037e7e971ead - - observation-uuid: 31654aca-4189-447d-b5e6-4928c5acc603 - target: - status: - state: satisfied - target-id: ac-14 - type: objective-id - title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ac-14' - uuid: d61c76bb-7552-492f-a39e-e7da0748e84c - - description: |- - # Control Description "a. Define and document the types of accounts allowed and specifically prohibited for use within the system; b. Assign account managers; c. Require [Assignment: organization-defined prerequisites and criteria] for group and role membership; d. Specify: 1. Authorized users of the system; 2. Group and role membership; and 3. Access authorizations (i.e., privileges) and [Assignment: organization-defined attributes (as required)] for each account; e. Require approvals by [Assignment: organization-defined personnel or roles] for requests to create accounts; f. Create, enable, modify, disable, and remove accounts in accordance with [Assignment: organization-defined policy, procedures, prerequisites, and criteria]; g. Monitor the use of accounts; h. Notify account managers and [Assignment: organization-defined personnel or roles] within: 1. [Assignment: twenty-four (24) hours] when accounts are no longer required; 2. [Assignment: eight (8) hours] when users are terminated or transferred; and 3. [Assignment: eight (8) hours] when system usage or need-to-know changes for an individual; i. Authorize access to the system based on: 1. A valid access authorization; 2. Intended system usage; and 3. [Assignment: organization-defined attributes (as required)]; j. Review accounts for compliance with account management requirements [Assignment: monthly for privileged accessed, every six (6) months for non-privileged access]; k. Establish and implement a process for changing shared or group account authenticators (if deployed) when individuals are removed from the group; and l. Align account management processes with personnel termination and transfer processes." - # Control Implementation NeuVector supports internal user accounts and roles in addition to LDAP and SSO for providing RBAC access. - target: - status: - state: not-satisfied - target-id: ac-2 - type: objective-id - title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ac-2' - uuid: 35b172fc-505d-441c-a498-358eb777ed24 - - description: |- - # Control Description Support the management of system accounts using [Assignment: organization-defined automated mechanisms]. - # Control Implementation NeuVector supports internal user accounts and roles in addition to LDAP and SSO for providing RBAC access. - target: - status: - state: not-satisfied - target-id: ac-2.1 - type: objective-id - title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ac-2.1' - uuid: 0a50cb43-5018-4190-a89a-f8aca2005186 - - description: |- - # Control Description Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. - # Control Implementation NeuVector supports internal user accounts and roles in addition to LDAP and SSO for providing RBAC access. - target: - status: - state: not-satisfied - target-id: ac-3 - type: objective-id - title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ac-3' - uuid: 574305f1-0e70-4cc7-85c3-fcfa94943753 - - description: |- - # Control Implementation - Istio encrypts all in-mesh communication at runtime using FIPS verified mTLS in addition to ingress and egress gateways for controlling communication. - related-observations: - - observation-uuid: f920e554-a7c0-4315-89ec-037e7e971ead - - observation-uuid: f6a130b1-bdb8-41de-8921-c1c373023f59 - - observation-uuid: 3d86e5f1-bf50-43c1-a3d8-4f9d26311481 - - observation-uuid: 60ff69f7-6d6f-4b92-a0a4-4ecd2df24b52 - target: - status: - state: satisfied - target-id: ac-4 - type: objective-id - title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ac-4' - uuid: 86b4aa9e-cdb4-499d-b93a-8f0a76ac4c6b - - description: |- - # Control Implementation - Istio is configured to use ingress and egress gateways to provide logical flow separation. - related-observations: - - observation-uuid: f920e554-a7c0-4315-89ec-037e7e971ead - - observation-uuid: 4df2137a-de64-4d02-8121-1911fc9dedab - - observation-uuid: 4e69dd7e-0ba5-489c-82fd-bdfdd3d80afd - - observation-uuid: 2639ccbf-1a94-440e-b820-90e957f6987c - target: - status: - state: not-satisfied - target-id: ac-4.21 - type: objective-id - title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ac-4.21' - uuid: 5b7406b7-334a-4a50-8013-bd63b566c391 - - description: |- - # Control Implementation - All encrypted HTTPS connections are terminated at the Istio ingress gateway. - related-observations: - - observation-uuid: f920e554-a7c0-4315-89ec-037e7e971ead - - observation-uuid: f6a130b1-bdb8-41de-8921-c1c373023f59 - - observation-uuid: 3d86e5f1-bf50-43c1-a3d8-4f9d26311481 - - observation-uuid: 60ff69f7-6d6f-4b92-a0a4-4ecd2df24b52 - target: - status: - state: satisfied - target-id: ac-4.4 - type: objective-id - title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ac-4.4' - uuid: d24258c7-b611-4c00-b387-518682e288a5 - - description: |- - # Control Description "a. Identify and document [Assignment: organization-defined duties of individuals requiring separation]; and b. Define system access authorizations to support separation of duties." - # Control Implementation Loki implements RBAC to define system authorization and separation of duties. - target: - status: - state: not-satisfied - target-id: ac-5 - type: objective-id - title: 'Validation Result - Component:a735b5a4-aabd-482d-b335-60ddcd4b1c00 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ac-5' - uuid: 98b4b967-b087-4514-af76-47fbdd301940 - - description: |- - # Control Description Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks. - # Control Implementation NeuVector supports mapping internal user accounts and roles in addition to LDAP and SSO roles or groups for providing RBAC access. - target: - status: - state: not-satisfied - target-id: ac-6 - type: objective-id - title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ac-6' - uuid: 425a62e9-d211-4b56-9ed3-ae145e4bda7a - - description: |- - # Control Description "Authorize access for [Assignment: organization-defined individuals or roles] to: (a) [Assignment: organization-defined all functions not publicly accessible]; and (b) [Assignment: organization-defined all security-relevant information not publicly available]." - # Control Implementation NeuVector supports mapping internal user accounts and roles in addition to LDAP and SSO roles or groups for providing RBAC access. - target: - status: - state: not-satisfied - target-id: ac-6.1 - type: objective-id - title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ac-6.1' - uuid: e0522516-4f01-4319-963c-b61ffc714e5d - - description: |- - # Control Description Prevent non-privileged users from executing privileged functions. - # Control Implementation Loki layers an additional RBAC layer that prohibits non-privileged users from executing privileged functions. - target: - status: - state: not-satisfied - target-id: ac-6.10 - type: objective-id - title: 'Validation Result - Component:a735b5a4-aabd-482d-b335-60ddcd4b1c00 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ac-6.10' - uuid: 1fdec6d5-12a6-4400-bb86-65811be00806 - - description: |- - # Control Implementation - Configured with an "admin" gateway to restrict access to applications that only need administrative access. - related-observations: - - observation-uuid: f920e554-a7c0-4315-89ec-037e7e971ead - - observation-uuid: 4e69dd7e-0ba5-489c-82fd-bdfdd3d80afd - target: - status: - state: not-satisfied - target-id: ac-6.3 - type: objective-id - title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ac-6.3' - uuid: 02a7b8e8-c6cf-4263-ad16-65d64957169f - - description: |- - # Control Description Log the execution of privileged functions. - # Control Implementation Privileged events, including updating the deployment of an application, or use of privileged containers are collected as metrics by prometheus and displayed by Grafana. - related-observations: - - observation-uuid: 053bdc9e-654d-4287-adf1-02c14e77ece1 - - observation-uuid: c18cb484-a3d7-4f1b-9de2-bc40675ebef6 - target: - status: - state: not-satisfied - target-id: ac-6.9 - type: objective-id - title: 'Validation Result - Component:375f8171-3eb9-48d6-be3c-c8f1c0fe05fa / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ac-6.9' - uuid: b5e568c2-539e-45f2-9aa6-b31dd4ddf30b - - description: |- - # Control Description Retain audit records for [Assignment: at least one (1) year] to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements. - # Control Implementation Can configure audit record storage retention policy for defined periods of time via the store(s) Loki is configured to use. - target: - status: - state: not-satisfied - target-id: au-11 - type: objective-id - title: 'Validation Result - Component:a735b5a4-aabd-482d-b335-60ddcd4b1c00 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-11' - uuid: 1133f9d6-790b-4f66-ba94-89ce6cf7ed26 - - description: |- - # Control Implementation - Istio provides audit record generation capabilities for a variety of event types, including session, connection, transaction, or activity durations, and the number of bytes received and sent. - related-observations: - - observation-uuid: f920e554-a7c0-4315-89ec-037e7e971ead - - observation-uuid: 337f9bea-6f8e-4c89-8142-4474083105e6 - target: - status: - state: satisfied - target-id: au-12 - type: objective-id - title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-12' - uuid: f0b63c33-bdbd-43bb-9a36-4a386e4567eb - - description: |- - # Control Description Compile audit records from [Assignment: all network, data storage, and computing devices] into a system-wide (logical or physical) audit trail that is time-correlated to within [Assignment: organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail]. - # Control Implementation Compatible metrics endpoints emitted from each application is compiled by Prometheus and displayed through Grafana with associated timestamps of when the data was collected. - target: - status: - state: not-satisfied - target-id: au-12.1 - type: objective-id - title: 'Validation Result - Component:375f8171-3eb9-48d6-be3c-c8f1c0fe05fa / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-12.1' - uuid: 832e1041-64e8-4455-8331-48025d4cdfbc - - description: |- - # Control Description a. Identify the types of events that the system is capable of logging in support of the audit function: [Assignment: successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes]; b. Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged; c. Specify the following event types for logging within the system: [Assignment: organization-defined event types (subset of the event types defined in AU-2a.) along with the frequency of (or situation requiring) logging for each identified event type]; d. Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and e. Review and update the event types selected for logging [Assignment: annually or whenever there is a change in the threat environment]. - # Control Implementation API endpoints suitable for capturing application level metrics are present on each of the supported applications running as containers. In addition, system and cluster level metrics are emitted by containers with read only access to host level information. Metrics are captured and stored by Prometheus, an web server capable of scraping endpoints formatted in the appropriate dimensional data format. Metrics information is stored on disk in a time series data base, and later queried through a separate component providing a web interface for the query language: PromQL. Metrics data can be displayed through a Grafana dashboard for visualization. - related-observations: - - observation-uuid: 053bdc9e-654d-4287-adf1-02c14e77ece1 - - observation-uuid: 65c62b95-df70-4723-bf3b-46799d0536ad - target: - status: - state: not-satisfied - target-id: au-2 - type: objective-id - title: 'Validation Result - Component:375f8171-3eb9-48d6-be3c-c8f1c0fe05fa / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-2' - uuid: ae5e79ac-3535-48f0-b306-fe9cd1f34736 - - description: |- - # Control Description - Audit record content that may be necessary to satisfy the requirement of this control, includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. - Event outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the information system after the event occurred). - - # Control Implementation - Logs are captured by promtail from the node. The node logs will contain the necessary log data from all pods/applications inside the selected nodes. - Validating `logfmt` as the config.logFormat would be the goal. This is currently a secret mounted to /etc/promtail/promtail.yaml in the promtail container. We will ensure the promtail.yaml file is at a minimum the target config. - https://grafana.com/docs/loki/latest/send-data/promtail/stages/logfmt/ - related-observations: - - observation-uuid: f920e554-a7c0-4315-89ec-037e7e971ead - - observation-uuid: b8c97e5c-a953-44f1-9868-42abdb5f36d3 - target: - status: - state: not-satisfied - target-id: au-3 - type: objective-id - title: 'Validation Result - Component:3ca1e9a3-a566-48d1-93af-200abd1245e3 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-3' - uuid: 661fde7a-25f7-4d8f-8673-d95a570001ff - - description: |- - # Control Implementation - Istio has been configured to implement event logging within our environment. This includes capturing metrics related to the duration of sessions, connections, transactions, or activities. Specifically, Istio's telemetry features are utilized to capture these metrics, which provide valuable data that can be used to infer the duration of sessions or connections. - related-observations: - - observation-uuid: f920e554-a7c0-4315-89ec-037e7e971ead - - observation-uuid: d6de0a77-9d2c-4332-9ab0-3c97c8b5234c - - observation-uuid: 3d86e5f1-bf50-43c1-a3d8-4f9d26311481 - - observation-uuid: 6fb0ef76-86ad-4629-9e9d-a725ddbf3373 - target: - status: - state: not-satisfied - target-id: au-3.1 - type: objective-id - title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-3.1' - uuid: 612c395f-5036-444a-bfe4-2f9ab941622a - - description: |- - # Control Description Allocate audit log storage capacity to accommodate [Assignment: organization-defined audit log retention requirements]. - # Control Implementation NeuVector can scale elastically based upon actual workload demands to allocate audit log storage capacity. - target: - status: - state: not-satisfied - target-id: au-4 - type: objective-id - title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-4' - uuid: 92598581-3f72-478e-a8f2-33aaeccd56db - - description: |- - # Control Description Provide a warning to [Assignment: organization-defined personnel, roles, and/or locations] within [Assignment: organization-defined time period] when allocated audit log storage volume reaches [Assignment: organization-defined percentage] of repository maximum audit log storage capacity. - # Control Implementation Alertmanager has pre-built alerts for PVC storage thresholds that would fire for PVCs supporting prometheus metrics storage. Metrics data can be displayed through a Grafana dashboard for visualization. - target: - status: - state: not-satisfied - target-id: au-5.1 - type: objective-id - title: 'Validation Result - Component:375f8171-3eb9-48d6-be3c-c8f1c0fe05fa / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-5.1' - uuid: f0e9a25c-2440-4299-8a32-1e9274b98f87 - - description: |- - # Control Description Provide an alert within [Assignment: real-time] to [Assignment: service provider personnel with authority to address failed audit events] when the following audit failure events occur: [Assignment: audit failure events requiring real-time alerts, as defined by organization audit policy]. - # Control Implementation Alertmanager has pre-built alerts for failed pods that would show when ClusterAuditor is not processing events, or prometheus is unable to scrape events. Prometheus also has a deadman's alert to ensure end users are seeing events from prometheus as part of its configuration. Data can be displayed through a Grafana dashboard for visualization. - target: - status: - state: not-satisfied - target-id: au-5.2 - type: objective-id - title: 'Validation Result - Component:375f8171-3eb9-48d6-be3c-c8f1c0fe05fa / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-5.2' - uuid: 4c6f58e6-d210-45a3-bede-b0b758c685de - - description: |- - # Control Description "a. Review and analyze system audit records [Assignment: at least weekly] for indications of [Assignment: organization-defined inappropriate or unusual activity] and the potential impact of the inappropriate or unusual activity; b. Report findings to [Assignment: organization-defined personnel or roles]; and c. Adjust the level of audit record review, analysis, and reporting within the system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information." - # Control Implementation Provides audit record query and analysis capabilities. Organization will implement record review and analysis. - target: - status: - state: not-satisfied - target-id: au-6 - type: objective-id - title: 'Validation Result - Component:a735b5a4-aabd-482d-b335-60ddcd4b1c00 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-6' - uuid: 086b37df-eae0-46d5-a525-ead6453af43f - - description: |- - # Control Description Integrate audit record review, analysis, and reporting processes using [Assignment: organization-defined automated mechanisms]. - # Control Implementation Provides audit record query and analysis capabilities. Organization will implement record review and analysis. - target: - status: - state: not-satisfied - target-id: au-6.1 - type: objective-id - title: 'Validation Result - Component:a735b5a4-aabd-482d-b335-60ddcd4b1c00 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-6.1' - uuid: ec6c6e31-e5df-4836-b5e6-f114d61d1081 - - description: |- - # Control Description Analyze and correlate audit records across different repositories to gain organization-wide situational awareness. - # Control Implementation Aggregating cluster auditor events across multiple sources (clusters) is possible with a multi-cluster deployment of prometheus/grafana. - target: - status: - state: not-satisfied - target-id: au-6.3 - type: objective-id - title: 'Validation Result - Component:375f8171-3eb9-48d6-be3c-c8f1c0fe05fa / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-6.3' - uuid: 5a9912e9-c2e1-4fad-a651-9f84d351bea1 - - description: |- - # Control Description Integrate analysis of audit records with analysis of [Selection (one or more): vulnerability scanning information; performance data; system monitoring information; [Assignment: organization-defined data/information collected from other sources]] to further enhance the ability to identify inappropriate or unusual activity. - # Control Implementation Cluster Auditor's audit data is consolidated with system monitoring tooling (node exporters) for consolidated view to enhance inappropriate or unusual activity. - target: - status: - state: not-satisfied - target-id: au-6.5 - type: objective-id - title: 'Validation Result - Component:108c78a9-5494-4abc-a1e7-f046da419687 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-6.5' - uuid: 66c039ce-0453-481a-a754-0c8ca7e5a4c0 - - description: |- - # Control Description Correlate information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity. - # Control Implementation Cluster Auditor data in prometheus would enable this, but would require prometheus to also obtain access to physical metrics. - target: - status: - state: not-satisfied - target-id: au-6.6 - type: objective-id - title: 'Validation Result - Component:108c78a9-5494-4abc-a1e7-f046da419687 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-6.6' - uuid: 8d2a5829-ee96-4a38-b3b9-a7931b551b02 - - description: |- - # Control Description "Provide and implement an audit record reduction and report generation capability that: a. Supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents; and b. Does not alter the original content or time ordering of audit records." - # Control Implementation Grafana is configured with a pre-built dashboard for policy violations that displays data collected by Cluster Auditor. - target: - status: - state: not-satisfied - target-id: au-7 - type: objective-id - title: 'Validation Result - Component:108c78a9-5494-4abc-a1e7-f046da419687 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-7' - uuid: 958794eb-a1a5-4c29-b42c-ddfbabd544d9 - - description: |- - # Control Description Provide and implement the capability to process, sort, and search audit records for events of interest based on the following content: [Assignment: organization-defined fields within audit records]. - # Control Implementation Grafana is configured with a pre-built dashboard for policy violations that displays data collected by Cluster Auditor. - target: - status: - state: not-satisfied - target-id: au-7.1 - type: objective-id - title: 'Validation Result - Component:375f8171-3eb9-48d6-be3c-c8f1c0fe05fa / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-7.1' - uuid: d42a6865-6869-4961-a90e-6d82eee7c561 - - description: |- - # Control Description - Time stamps generated by the information system include date and time. - Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. - Granularity of time measurements refers to the degree of synchronization between information system clocks and reference clocks, for example, clocks synchronizing within hundreds of milliseconds or within tens of milliseconds. - Organizations may define different time granularities for different system components. - Time service can also be critical to other security capabilities such as access control and identification and authentication, depending on the nature of the mechanisms used to support those capabilities. - - # Control Implementation - Records captured by the logging daemon are enriched to ensure the following are always present: - * time of the event (UTC). - * source of event (pod, namespace, container id). - Applications are responsible for providing all other information. - Validating `logfmt` as the config.logFormat would be the goal. This is currently a secret mounted to /etc/promtail/promtail.yaml in the promtail container. We will ensure the promtail.yaml file is at a minimum the target config. - https://grafana.com/docs/loki/latest/send-data/promtail/stages/logfmt/ - related-observations: - - observation-uuid: 053bdc9e-654d-4287-adf1-02c14e77ece1 - - observation-uuid: fa62278d-a485-40ec-a660-51845c227040 - target: - status: - state: not-satisfied - target-id: au-8 - type: objective-id - title: 'Validation Result - Component:3ca1e9a3-a566-48d1-93af-200abd1245e3 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-8' - uuid: 0c87ccd3-8a4f-48a9-9be0-69034e18885f - - description: |- - # Control Description a. Protect audit information and audit logging tools from unauthorized access, modification, and deletion; and b. Alert [Assignment: organization-defined personnel or roles] upon detection of unauthorized access, modification, or deletion of audit information. - # Control Implementation Grafana has the ability to provide Role Based Access Control to limit the data sources that end users can view by leveraging an identity provider. Grafana can also limit users to subsets of metrics within a datasource by the use of Label Based Access Control when using Grafana Enterprise. - target: - status: - state: not-satisfied - target-id: au-9 - type: objective-id - title: 'Validation Result - Component:375f8171-3eb9-48d6-be3c-c8f1c0fe05fa / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-9' - uuid: 826cb8c0-8297-4f90-b2b2-d0bc95531db1 - - description: |- - # Control Description Store audit records [Assignment: at least weekly] in a repository that is part of a physically different system or system component than the system or component being audited. - # Control Implementation Prometheus can scrape external components outside of the system, but this configuration is not easily supported as part of the current big bang configuration of ClusterAuditor since external access to ClusterAuditor metrics is not exposed via Istio. Metrics data can be displayed through a Grafana dashboard for visualization. - target: - status: - state: not-satisfied - target-id: au-9.2 - type: objective-id - title: 'Validation Result - Component:375f8171-3eb9-48d6-be3c-c8f1c0fe05fa / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-9.2' - uuid: f970ff94-5aef-4521-bd62-2e71ed0e5c70 - - description: |- - # Control Description Authorize access to management of audit logging functionality to only [Assignment: organization-defined subset of privileged users or roles]. - # Control Implementation Grafana has the ability to provide Role Based Access Control to limit the data sources that end users can view by leveraging an identity provider. Grafana can also limit users to subsets of metrics within a datasource by the use of Label Based Access Control when using Grafana Enterprise. - target: - status: - state: not-satisfied - target-id: au-9.4 - type: objective-id - title: 'Validation Result - Component:108c78a9-5494-4abc-a1e7-f046da419687 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-9.4' - uuid: 28f0e109-6c62-405d-b11c-8623f6829dad - - description: |- - # Control Description Provide and implement the capability to process, sort, and search audit records for events of interest based on the following content: [Assignment: organization-defined fields within audit records]. - # Control Implementation Loki provides an API for retrieving and filtering logs. - target: - status: - state: not-satisfied - target-id: au7.1 - type: objective-id - title: 'Validation Result - Component:a735b5a4-aabd-482d-b335-60ddcd4b1c00 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au7.1' - uuid: 3c9b6412-0808-48b6-889b-54fefa4dcdb1 - - description: |- - # Control Description - Include as part of control assessments, [Assignment: at least annually], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; security instrumentation; automated security test cases; vulnerability scanning; malicious - user testing; insider threat assessment; performance and load testing; data leakage or data loss assessment; [Assignment: organization-defined other forms of assessment]]. - - # Control Implementation NeuVector continually monitors kubernetes environments and container images to detect misconfigurations, advanced network threats, and vulnerable hosts with all attempts to exploit a vulnerability is documented. - target: - status: - state: not-satisfied - target-id: ca-2.2 - type: objective-id - title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ca-2.2' - uuid: c4dadea0-3628-4444-b493-85fe4f44a9a2 - - description: |- - # Control Description "Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes: a. Establishing the following system-level metrics to be monitored: [Assignment: organization-defined system-level metrics]; b. Establishing [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessment of control effectiveness; c. Ongoing control assessments in accordance with the continuous monitoring strategy; d. Ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy; e. Correlation and analysis of information generated by control assessments and monitoring; f. Response actions to address results of the analysis of control assessment and monitoring information; and g. Reporting the security and privacy status of the system to [Assignment: to include JAB/AO] [Assignment: organization-defined frequency]." - # Control Implementation NeuVector continually monitors kubernetes environments and container images to detect misconfigurations, advanced network threats, and vulnerable hosts with all attempts to exploit a vulnerability is documented. - target: - status: - state: not-satisfied - target-id: ca-7 - type: objective-id - title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ca-7' - uuid: f90d9d08-6cd9-463a-a606-c1359e00e1fe - - description: |- - # Control Implementation - Istio enforces logical access restrictions associated with changes to the system. Istio's Role-Based Access Control (RBAC) features are used to define and enforce access controls, ensuring that only approved personnel can make changes to the system. - related-observations: - - observation-uuid: f920e554-a7c0-4315-89ec-037e7e971ead - - observation-uuid: f3ff3fbb-16d9-4a92-90e1-d8b7a020bccc - - observation-uuid: 41637e36-95ee-4c89-b332-80ca2d006620 - target: - status: - state: not-satisfied - target-id: cm-5 - type: objective-id - title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: cm-5' - uuid: 7741992f-299d-4e30-ac94-f7797f95a661 - - description: |- - # Control Description "a. Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using [Assignment: oUnited States Government Configuration Baseline (USGCB)]; b. Implement the configuration settings; c. Identify, document, and approve any deviations from established configuration settings for [Assignment: organization-defined system components] based on [Assignment: organization-defined operational requirements]; and d. Monitor and control changes to the configuration settings in accordance with organizational policies and procedures." - # Control Implementation NeuVector is configured using Helm Charts. Default settings can be found. - target: - status: - state: not-satisfied - target-id: cm-6 - type: objective-id - title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: cm-6' - uuid: 279d19b1-4297-43a9-a631-168431b3c0cd - - description: |- - # Control Description "a. Configure the system to provide only [Assignment: organization-defined mission essential capabilities]; and b. Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: [Assignment: organization-defined prohibited or restricted functions, system ports, protocols, software, and/or services]." "CM-7 (b) Requirement: The service provider shall use the DoD STIGs or Center for Internet Security guidelines to establish list of prohibited or restricted functions, ports, protocols, and/or services or establishes its own list of prohibited or restricted functions, ports, protocols, and/or services if USGCB is not available. CM-7 Guidance: Information on the USGCB checklists can be found at: https://csrc.nist.gov/projects/united-states-government-configuration-baseline." - # Control Implementation NeuVector is configured securely and only access to required ports are available. - target: - status: - state: not-satisfied - target-id: cm-7 - type: objective-id - title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: cm-7' - uuid: 4bcaa46e-66ab-4b3e-8414-92e28955d4d8 - - description: Velero can restore application configuration/data from an approved cloud provider or on-premise location on-demand. - target: - status: - state: not-satisfied - target-id: cp-10 - type: objective-id - title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-10' - uuid: db12a70d-960a-4bcc-bef2-d765371bc641 - - description: 'Velero gives you tools to back up and restore your Kubernetes cluster resources and persistent volumes. You can run Velero with a cloud provider or on-premises. This includes: - System components/data. - User-level information/application metadata. - User-level storage/data. - Scheduled back-ups with configurable scopes. - Multi-cloud and on-premise support for availability of backup.' - target: - status: - state: not-satisfied - target-id: cp-10.4 - type: objective-id - title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-10.4' - uuid: 4866acda-188f-40b1-8af4-ad3812060ef2 - - description: Velero can take backups of your application configuration/data and store them off-site in either an approved cloud environment or on-premise location. - target: - status: - state: not-satisfied - target-id: cp-6 - type: objective-id - title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-6' - uuid: fa78499f-12e1-4ded-86a1-1ce785cd7cbd - - description: Velero can take backups of your application configuration/data and store them off-site in either an approved cloud environment or on-premise location. - target: - status: - state: not-satisfied - target-id: cp-6.1 - type: objective-id - title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-6.1' - uuid: 38c5c57c-e4fa-40c0-a371-519f922ce751 - - description: Velero can restore application configuration/data from an approved cloud provider or on-premise location on-demand. - target: - status: - state: not-satisfied - target-id: cp-6.2 - type: objective-id - title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-6.2' - uuid: fde3d548-4c98-451e-8ad1-08ebf918ec1f - - description: Velero supports back-ups to multiple cloud environments (including geo-separated locations for high availability) and on-premise environments in the event of an accessibility disruptions. - target: - status: - state: not-satisfied - target-id: cp-6.3 - type: objective-id - title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-6.3' - uuid: c0659b8c-36b9-4d6d-8e94-48343ff6d57b - - description: Velero can restore application configuration/data from an approved cloud provider or on-premise location to an alternative deployment environment on-demand. - target: - status: - state: not-satisfied - target-id: cp-7 - type: objective-id - title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-7' - uuid: 30788898-87df-4185-ab1c-9becdee50f6c - - description: Velero supports back-ups to and restores from multiple cloud environments (including geo-separated locations for high availability) and on-premise environments in the event of an accessibility disruptions. - target: - status: - state: not-satisfied - target-id: cp-7.1 - type: objective-id - title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-7.1' - uuid: a718a683-1df0-4cac-9b9e-f61792134683 - - description: Velero supports back-ups to and restores from multiple cloud environments (including geo-separated locations for high availability) and on-premise environments in the event of an accessibility disruptions. - target: - status: - state: not-satisfied - target-id: cp-7.2 - type: objective-id - title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-7.2' - uuid: 90a09f38-2e0f-496a-94a0-4fcbbd79b308 - - description: |- - "Velero gives you tools to back up and restore your Kubernetes cluster resources and persistent volumes. You can run Velero with a cloud provider or on-premises. This includes: - - System components/data. - - User-level information/application metadata. - - User-level storage/data. - - Scheduled back-ups with configurable scopes. - - Multi-cloud and on-premise support for availability of backup." - target: - status: - state: not-satisfied - target-id: cp-9 - type: objective-id - title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-9' - uuid: 67397dd3-5693-4223-8015-5755325d5bf8 - - description: Velero provides feedback/logging of back-up status for configuration/data via kubectl or the Velero CLI tool. Velero can restore your production configuration/data to validation environment to ensure reliability/integrity. - target: - status: - state: not-satisfied - target-id: cp-9.1 - type: objective-id - title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-9.1' - uuid: 751a260d-f6c8-4ace-ad71-7aef30c0b9f0 - - description: Velero can be configured to restore only certain components of a back-up when necessary. - target: - status: - state: not-satisfied - target-id: cp-9.2 - type: objective-id - title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-9.2' - uuid: 2134ba61-df24-4258-80fc-a406ee86e4df - - description: Velero supports back-ups to multiple cloud environments (including geo-separated locations for high availability) and on-premise environments. - target: - status: - state: not-satisfied - target-id: cp-9.3 - type: objective-id - title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-9.3' - uuid: 76b44e70-4f34-44f1-a8ee-72cb642dedfe - - description: 'Velero gives you tools to back up and restore your Kubernetes cluster resources and persistent volumes. You can run Velero with a cloud provider or on-premises. This includes: - System components/data. - User-level information/application metadata. - User-level storage/data. - Scheduled back-ups with configurable scopes. - Multi-cloud and on-premise support for availability of backup.' - target: - status: - state: not-satisfied - target-id: cp-9.5 - type: objective-id - title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-9.5' - uuid: de04bf59-4529-4906-a829-a078dbcf74bf - - description: Velero supports encryption of backups via its supported providers' encryption support/mechanisms. - target: - status: - state: not-satisfied - target-id: cp-9.8 - type: objective-id - title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-9.8' - uuid: cc050937-d5e7-4696-8f25-9b86b62c0d07 - - description: |- - # Control Description "a. Monitor and scan for vulnerabilities in the system and hosted applications [Assignment: monthly operating system/infrastructure; monthly web applications (including APIs) and databases] and when new vulnerabilities potentially affecting the system are identified and reported; b. Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: 1. Enumerating platforms, software flaws, and improper configurations; 2. Formatting checklists and test procedures; and 3. Measuring vulnerability impact; c. Analyze vulnerability scan reports and results from vulnerability monitoring; d. Remediate legitimate vulnerabilities [Assignment: high-risk vulnerabilities mitigated within thirty (30) days from date of discovery; moderate-risk vulnerabilities mitigated within ninety (90) days from date of discovery; low risk vulnerabilities mitigated within one hundred and eighty (180) days from date of discovery] in accordance with an organizational assessment of risk; e. Share information obtained from the vulnerability monitoring process and control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other systems; and f. Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned." - # Control Implementation NeuVector is Kubernetes and container security tool. NeuVector will scan containers for vulnerabilities in addition to continuous monitoring for active threats. - target: - status: - state: not-satisfied - target-id: ra-5 - type: objective-id - title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ra-5' - uuid: 3eca257e-9609-41fd-b21f-1aaee5b3d433 - - description: |- - # Control Description Update the system vulnerabilities to be scanned [prior to a new scan]; prior to a new scan; when new vulnerabilities are identified and reported]. - # Control Implementation NeuVector container scanning vulnerability database is updated frequently. - target: - status: - state: not-satisfied - target-id: ra-5.2 - type: objective-id - title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ra-5.2' - uuid: 2b6daa85-9fdf-408c-9176-75a45ef22ea4 - - description: |- - # Control Description Define the breadth and depth of vulnerability scanning coverage. - # Control Implementation NeuVector container scanning configurations depth can be modified. - target: - status: - state: not-satisfied - target-id: ra-5.3 - type: objective-id - title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ra-5.3' - uuid: 10f8b813-c6f3-4265-9eb6-475cc7cbc636 - - description: |- - # Control Description Implement privileged access authorization to [Assignment: all components that support authentication] for [Assignment: all scans]. - # Control Implementation NeuVector supports mapping internal user accounts and roles in addition to LDAP and SSO roles or groups for providing RBAC access. - target: - status: - state: not-satisfied - target-id: ra-5.5 - type: objective-id - title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ra-5.5' - uuid: b2e08e6b-16b3-4a00-ac9f-c8c9bdee64ce - - description: |- - # Control Description "Require the developer of the system, system component, or system service, at all post-design stages of the system development life cycle, to: a. Develop and implement a plan for ongoing security and privacy control assessments; b. Perform [Selection (one or more): unit; integration; system; regression] testing/evaluation [Assignment: organization-defined frequency] at [Assignment: organization-defined depth and coverage]; c. Produce evidence of the execution of the assessment plan and the results of the testing and evaluation; d. Implement a verifiable flaw remediation process; and e. Correct flaws identified during testing and evaluation." - # Control Implementation NeuVector continually monitors kubernetes environments and container images to detect misconfigurations, advanced network threats, and vulnerable hosts with all attempts to exploit a vulnerability is documented. - target: - status: - state: not-satisfied - target-id: sa-11 - type: objective-id - title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sa-11' - uuid: ac49e0de-7653-4be5-8005-331927322ec2 - - description: |- - # Control Description Require the developer of the system, system component, or system service to employ static code analysis tools to identify common flaws and document the results of the analysis. Static code analysis provides a technology and methodology for security reviews and includes checking for weaknesses in the code as well as for the incorporation of libraries or other included code with known vulnerabilities or that are out-of-date and not supported. Static code analysis can be used to identify vulnerabilities and enforce secure coding practices. It is most effective when used early in the development process, when each code change can automatically be scanned for potential weaknesses. Static code analysis can provide clear remediation guidance and identify defects for developers to fix. Evidence of the correct implementation of static analysis can include aggregate defect density for critical defect types, evidence that defects were inspected by developers or security professionals, and evidence that defects were remediated. A high density of ignored findings, commonly referred to as false positives, indicates a potential problem with the analysis process or the analysis tool. In such cases, organizations weigh the validity of the evidence against evidence from other sources. - # Control Implementation NeuVector continually monitors kubernetes environments and container images to detect misconfigurations, advanced network threats, and vulnerable hosts with all attempts to exploit a vulnerability is documented. - target: - status: - state: not-satisfied - target-id: sa-11.1 - type: objective-id - title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sa-11.1' - uuid: 0af42784-0963-4f76-90ef-c6d98ca5fee6 - - description: |- - # Control Implementation - Istio is configured to manage network connections associated with specific communication sessions. It can be set up to automatically terminate these connections after periods of inactivity, providing an additional layer of security. - related-observations: - - observation-uuid: f920e554-a7c0-4315-89ec-037e7e971ead - - observation-uuid: 6a1961d3-8819-4db9-b052-e3998d29f94c - target: - status: - state: not-satisfied - target-id: sc-10 - type: objective-id - title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sc-10' - uuid: 5f4f6691-affd-4acc-89f6-d3055b2f2481 - - description: |- - # Control Implementation - Istio provides FIPS encryption in transit for all applications in the mesh, TLS termination at ingress, and TLS origination at egress. - related-observations: - - observation-uuid: f920e554-a7c0-4315-89ec-037e7e971ead - - observation-uuid: f6a130b1-bdb8-41de-8921-c1c373023f59 - - observation-uuid: 60ff69f7-6d6f-4b92-a0a4-4ecd2df24b52 - - observation-uuid: bf2a95fb-c40e-425a-a1a3-ec1307343179 - - observation-uuid: 31044f2f-75fd-4472-b624-1d918be32f40 - target: - status: - state: not-satisfied - target-id: sc-13 - type: objective-id - title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sc-13' - uuid: 3df66b7f-1dec-4ab7-b76e-56023c2881a1 - - description: |- - # Control Implementation - Istio is configured to protect session authenticity, establishing confidence in the ongoing identities of other parties and the validity of transmitted information. This is achieved through Istio's mutual TLS, which ensures secure communication. - related-observations: - - observation-uuid: f920e554-a7c0-4315-89ec-037e7e971ead - - observation-uuid: f6a130b1-bdb8-41de-8921-c1c373023f59 - target: - status: - state: satisfied - target-id: sc-23 - type: objective-id - title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sc-23' - uuid: c39917b0-8de0-4497-808a-a186ee2d9583 - - description: |- - # Control Implementation - Namespaces, Istio gateways, and network policies collectively by providing resource isolation, secure traffic routing, and network segmentation to prevent unauthorized and unintended information transfer. - related-observations: - - observation-uuid: f920e554-a7c0-4315-89ec-037e7e971ead - - observation-uuid: 4e69dd7e-0ba5-489c-82fd-bdfdd3d80afd - - observation-uuid: 2639ccbf-1a94-440e-b820-90e957f6987c - target: - status: - state: satisfied - target-id: sc-3 - type: objective-id - title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sc-3' - uuid: 693835f8-466c-4437-9e95-1968070df3a9 - - description: |- - # Control Implementation - Istio is configured to maintain separate execution domains for each executing process. This is achieved through Istio's sidecar proxy design, where each service in the mesh has its own dedicated sidecar proxy to handle its inbound and outbound traffic. This ensures that communication between processes is controlled and one process cannot modify the executing code of another process. - related-observations: - - observation-uuid: f920e554-a7c0-4315-89ec-037e7e971ead - - observation-uuid: 3d86e5f1-bf50-43c1-a3d8-4f9d26311481 - target: - status: - state: satisfied - target-id: sc-39 - type: objective-id - title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sc-39' - uuid: c0a6d960-0976-4e3c-b539-00c36bf8565a - - description: |- - # Control Implementation - Istio enforces outbound traffic goes through an Egress Gateway with a Network Policy. - related-observations: - - observation-uuid: f920e554-a7c0-4315-89ec-037e7e971ead - - observation-uuid: 35470a10-7ec9-4663-980b-c31ad61e08eb - - observation-uuid: f9e01aee-c30f-4df5-a4c7-0af351cef153 - target: - status: - state: not-satisfied - target-id: sc-4 - type: objective-id - title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sc-4' - uuid: 29bf18cb-9d9a-4b5a-9708-38fb4cb63563 - - description: |- - # Control Description "a. Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system; b. Implement subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and c. Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture." - # Control Implementation NeuVector monitors all communications to external interfaces by only connecting to external networks through managed interfaces and utilizes whitelists and blacklists for rules at Layer 7. - target: - status: - state: not-satisfied - target-id: sc-7 - type: objective-id - title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sc-7' - uuid: bbea5abc-37ef-461c-a912-7118ea5618ca - - description: |- - # Control Implementation - Istio is configured to dynamically isolate certain internal system components when necessary. This is achieved through Istio's network policies, which allow us to partition or separate system components - related-observations: - - observation-uuid: f920e554-a7c0-4315-89ec-037e7e971ead - - observation-uuid: f6a130b1-bdb8-41de-8921-c1c373023f59 - - observation-uuid: 3d86e5f1-bf50-43c1-a3d8-4f9d26311481 - target: - status: - state: satisfied - target-id: sc-7.20 - type: objective-id - title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sc-7.20' - uuid: 782db436-d52a-461f-acd0-25b215fc3c3e - - description: |- - # Control Implementation - Istio is configured to isolate system components that perform different mission or business functions. This is achieved through Istio's network policies and mutual TLS, which allow us to control information flows and provide enhanced protection. - related-observations: - - observation-uuid: f920e554-a7c0-4315-89ec-037e7e971ead - - observation-uuid: f6a130b1-bdb8-41de-8921-c1c373023f59 - - observation-uuid: 3d86e5f1-bf50-43c1-a3d8-4f9d26311481 - target: - status: - state: satisfied - target-id: sc-7.21 - type: objective-id - title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sc-7.21' - uuid: 5d59c939-fb61-4aea-8ef2-39ff71fd6756 - - description: |- - # Control Implementation - Istio is configured to provide managed interfaces for external telecommunication services, establish traffic flow policies, and protect the confidentiality and integrity of transmitted information. It also prevents unauthorized exchange of control plane traffic and filters unauthorized control plane traffic. - related-observations: - - observation-uuid: f920e554-a7c0-4315-89ec-037e7e971ead - - observation-uuid: a7867fed-93d7-457c-8886-6dae4459c5b2 - - observation-uuid: b2b0c4c3-8b3d-42a6-9ba4-ce36f198e15c - - observation-uuid: 2639ccbf-1a94-440e-b820-90e957f6987c - target: - status: - state: satisfied - target-id: sc-7.4 - type: objective-id - title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sc-7.4' - uuid: 87d6ff85-4067-442b-b2d3-c82cbddda0c3 - - description: |- - # Control Implementation - is configured to route internal communications traffic to external networks through authenticated proxy servers at managed interfaces, using its Egress Gateway. - related-observations: - - observation-uuid: f920e554-a7c0-4315-89ec-037e7e971ead - - observation-uuid: f9e01aee-c30f-4df5-a4c7-0af351cef153 - - observation-uuid: 76674b13-a05d-40ba-b6ac-99aafe1c916e - target: - status: - state: not-satisfied - target-id: sc-7.8 - type: objective-id - title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sc-7.8' - uuid: ac90c141-2e83-4bfa-8833-dde2808592f1 - - description: |- - # Control Implementation - Istio is configured to protect the confidentiality and integrity of transmitted information across both internal and external networks. This is achieved through Istio's mutual TLS, which encrypts service-to-service communication, ensuring that data in transit is not exposed to the possibility of interception and modification. - related-observations: - - observation-uuid: f920e554-a7c0-4315-89ec-037e7e971ead - - observation-uuid: f6a130b1-bdb8-41de-8921-c1c373023f59 - - observation-uuid: 3d86e5f1-bf50-43c1-a3d8-4f9d26311481 - target: - status: - state: not-satisfied - target-id: sc-8 - type: objective-id - title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sc-8' - uuid: 13dfdcfd-d77b-4649-ae0f-b9ebaeaa0549 - - description: |- - # Control Implementation - Istio is configured to protect the confidentiality and integrity of transmitted information across both internal and external networks. This is achieved through Istio's mutual TLS, which encrypts service-to-service communication, ensuring that data in transit is not exposed to the possibility of interception and modification. - related-observations: - - observation-uuid: f920e554-a7c0-4315-89ec-037e7e971ead - - observation-uuid: f6a130b1-bdb8-41de-8921-c1c373023f59 - - observation-uuid: 3d86e5f1-bf50-43c1-a3d8-4f9d26311481 - target: - status: - state: satisfied - target-id: sc-8.1 - type: objective-id - title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sc-8.1' - uuid: f10e5f70-81c4-4b00-a8c3-29e3cd97527c - - description: |- - # Control Implementation - Istio implements with global configuration. - related-observations: - - observation-uuid: f920e554-a7c0-4315-89ec-037e7e971ead - - observation-uuid: f6a130b1-bdb8-41de-8921-c1c373023f59 - - observation-uuid: 3d86e5f1-bf50-43c1-a3d8-4f9d26311481 - - observation-uuid: b2b0c4c3-8b3d-42a6-9ba4-ce36f198e15c - target: - status: - state: satisfied - target-id: sc-8.2 - type: objective-id - title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sc-8.2' - uuid: 3e58bd7b-2e7d-4e85-bb8e-fc4e8b83f282 - - description: |- - # Control Description "a. Generate error messages that provide information necessary for corrective actions without revealing information that could be exploited; and b. Reveal error messages only to [Assignment: organization-defined personnel or roles]." - # Control Implementation NeuVector correlates configuration data and network traffic for error tracking to provide context around misconfigurations and threats in the form of actionable alerts. - target: - status: - state: not-satisfied - target-id: si-11 - type: objective-id - title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: si-11' - uuid: e82d6f63-db19-460b-bf7d-3c46dcf1e38c - - description: |- - # Control Description "(a) Measure the time between flaw identification and flaw remediation; and (b) Establish the following benchmarks for taking corrective actions: [Assignment: organization-defined benchmarks]." - # Control Implementation NeuVector continually monitors your Kubernetes environments to detect misconfigurations, advanced network threats, and vulnerable hosts with all attempts to exploit a vulnerability is documented. - target: - status: - state: not-satisfied - target-id: si-2.3 - type: objective-id - title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: si-2.3' - uuid: 5da35a6e-9526-4864-b153-dcd851e98a51 - - description: |- - # Control Description "a. Monitor the system to detect: 1. Attacks and indicators of potential attacks in accordance with the following monitoring objectives: [Assignment: organization-defined monitoring objectives]; and 2. Unauthorized local, network, and remote connections; b. Identify unauthorized use of the system through the following techniques and methods: [Assignment: organization-defined techniques and methods]; c. Invoke internal monitoring capabilities or deploy monitoring devices: 1. Strategically within the system to collect organization-determined essential information; and 2. At ad hoc locations within the system to track specific types of transactions of interest to the organization; d. Analyze detected events and anomalies; e. Adjust the level of system monitoring activity when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation; f. Obtain legal opinion regarding system monitoring activities; and g. Provide [Assignment: organization-defined system monitoring information] to [Assignment: organization-defined personnel or roles] [Selection (one or more): as needed; [Assignment: organization-defined frequency]]." - # Control Implementation NeuVector continually monitors your Kubernetes environments to detect misconfigurations, advanced network threats, and vulnerable hosts with all attempts to exploit a vulnerability is documented. - target: - status: - state: not-satisfied - target-id: si-4 - type: objective-id - title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: si-4' - uuid: 6452a578-b1b8-4a1c-9ff8-6f05821ca37d - - description: |- - # Control Description "a. Receive system security alerts, advisories, and directives from [Assignment: o include US-CERT] on an ongoing basis; b. Generate internal security alerts, advisories, and directives as deemed necessary; c. Disseminate security alerts, advisories, and directives to: [Selection (one or more): [Assignment: organization-defined personnel or roles]; to include system security personnel and administrators with configuration/patch-management responsibilities and d. Implement security directives in accordance with established time frames, or notify the issuing organization of the degree of noncompliance." - # Control Implementation NeuVector correlates configuration data with user behavior and network traffic to provide context around misconfigurations and threats in the form of actionable alerts. - target: - status: - state: not-satisfied - target-id: si-5 - type: objective-id - title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: si-5' - uuid: a8b3553e-e9af-4781-83ac-400ea1d77b77 - - description: |- - # Control Description "a. Verify the correct operation of [Assignment: organization-defined security and privacy functions]; b. Perform the verification of the functions specified in SI-6a [Selection (one or more): [Assignment: to include upon system startup and/or restart]; upon command by user with appropriate privilege; [Assignment: at least monthly]]; c. Alert [Assignment: to include system administrators and security personnel] to failed security and privacy verification tests; and d. [Selection (one or more): Shut the system down; Restart the system; [Assignment: organization-defined alternative action (s)]] when anomalies are discovered." - # Control Implementation NeuVector correlates configuration data and network traffic to provide context around verification in the form of actionable alerts. - target: - status: - state: not-satisfied - target-id: si-6 - type: objective-id - title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: si-6' - uuid: 6628f225-60a5-47a1-90f8-b4ea78dc72ef - observations: - - collected: 2024-07-09T03:24:38.473729311Z - description: | - [TEST]: 98b97ec9-a9ce-4444-83d8-71066270a424 - lula-validation-error - methods: - - TEST - relevant-evidence: - - description: | - Result: not-satisfied - remarks: | - Error getting Lula validation #98b97ec9-a9ce-4444-83d8-71066270a424: required domain is nil - uuid: 053bdc9e-654d-4287-adf1-02c14e77ece1 - - collected: 2024-07-09T03:24:38.489004016Z - description: | - [TEST]: b0a8f21e-b12f-47ea-a967-2f4a3ec69e44 - gateway-configuration-check - methods: - - TEST - relevant-evidence: - - description: | - Result: satisfied - remarks: | - validate.msg: Only allowed gateways found. All gateway types found. - validate.msg_existing_gateways: istio-admin-gateway/admin-gateway, istio-passthrough-gateway/passthrough-gateway, istio-tenant-gateway/tenant-gateway - validate.msg_allowed_gateways: admin, passthrough, tenant - uuid: 2639ccbf-1a94-440e-b820-90e957f6987c - - collected: 2024-07-09T03:24:38.489063617Z - description: | - [TEST]: 0be7345d-e9d3-4248-9c14-5fed8e7bfa01 - lula-validation-error - methods: - - TEST - relevant-evidence: - - description: | - Result: not-satisfied - remarks: | - Error getting Lula validation #0be7345d-e9d3-4248-9c14-5fed8e7bfa01: required domain is nil - uuid: 65c62b95-df70-4723-bf3b-46799d0536ad - - collected: 2024-07-09T03:24:38.489091198Z - description: | - [TEST]: 9b361d7b-4e07-40db-8b86-3854ed499a4b - lula-validation-error - methods: - - TEST - relevant-evidence: - - description: | - Result: not-satisfied - remarks: | - Error getting Lula validation #9b361d7b-4e07-40db-8b86-3854ed499a4b: required domain is nil - uuid: 41637e36-95ee-4c89-b332-80ca2d006620 - - collected: 2024-07-09T03:24:38.48912419Z - description: | - [TEST]: ecdb90c7-971a-4442-8f29-a8b0f6076bc9 - lula-validation-error - methods: - - TEST - relevant-evidence: - - description: | - Result: not-satisfied - remarks: | - Error getting Lula validation #ecdb90c7-971a-4442-8f29-a8b0f6076bc9: required domain is nil - uuid: f9e01aee-c30f-4df5-a4c7-0af351cef153 - - collected: 2024-07-09T03:24:38.497116991Z - description: | - [TEST]: 70d99754-2918-400c-ac9a-319f874fff90 - istio-metrics-logging-configured - methods: - - TEST - relevant-evidence: - - description: | - Result: satisfied - remarks: | - validate.msg: Metrics logging supported. - uuid: d6de0a77-9d2c-4332-9ab0-3c97c8b5234c - - collected: 2024-07-09T03:24:38.594646609Z - description: | - [TEST]: f345c359-3208-46fb-9348-959bd628301e - istio-prometheus-annotations-validation - methods: - - TEST - relevant-evidence: - - description: | - Result: satisfied - remarks: | - validate.msg: All pods have correct prometheus annotations. - validate.exempt_namespaces_msg: Exempted Namespaces: istio-system, kube-system, uds-dev-stack, zarf - uuid: 6fb0ef76-86ad-4629-9e9d-a725ddbf3373 - - collected: 2024-07-09T03:24:38.594709567Z - description: | - [TEST]: 8be1601e-5870-4573-ab4f-c1c199944815 - lula-validation-error - methods: - - TEST - relevant-evidence: - - description: | - Result: not-satisfied - remarks: | - Error getting Lula validation #8be1601e-5870-4573-ab4f-c1c199944815: required domain is nil - uuid: bf2a95fb-c40e-425a-a1a3-ec1307343179 - - collected: 2024-07-09T03:24:38.594743009Z - description: | - [TEST]: 73434890-2751-4894-b7b2-7e583b4a8977 - lula-validation-error - methods: - - TEST - relevant-evidence: - - description: | - Result: not-satisfied - remarks: | - Error getting Lula validation #73434890-2751-4894-b7b2-7e583b4a8977: required domain is nil - uuid: 31044f2f-75fd-4472-b624-1d918be32f40 - - collected: 2024-07-09T03:24:38.594778174Z - description: | - [TEST]: 9bfc68e0-381a-4006-9f68-c293e3b20cee - lula-validation-error - methods: - - TEST - relevant-evidence: - - description: | - Result: not-satisfied - remarks: | - Error getting Lula validation #9bfc68e0-381a-4006-9f68-c293e3b20cee: required domain is nil - uuid: fa62278d-a485-40ec-a660-51845c227040 - - collected: 2024-07-09T03:24:38.602916174Z - description: | - [TEST]: f346b797-be35-40a8-a93a-585db6fd56ec - istio-tracing-logging-support - methods: - - TEST - relevant-evidence: - - description: | - Result: not-satisfied - remarks: | - validate.msg: Tracing logging not supported. - uuid: b8c97e5c-a953-44f1-9868-42abdb5f36d3 - - collected: 2024-07-09T03:24:38.611569524Z - description: | - [TEST]: 67456ae8-4505-4c93-b341-d977d90cb125 - istio-health-check - methods: - - TEST - relevant-evidence: - - description: | - Result: satisfied - remarks: | - istiohealth.deployment_message: All deployment conditions are true. - istiohealth.hpa_message: HPA has sufficient replicas. - uuid: f920e554-a7c0-4315-89ec-037e7e971ead - - collected: 2024-07-09T03:24:38.611623214Z - description: | - [TEST]: fbe5855d-b4ea-4ff5-9f0d-5901d620577a - lula-validation-error - methods: - - TEST - relevant-evidence: - - description: | - Result: not-satisfied - remarks: | - Error getting Lula validation #fbe5855d-b4ea-4ff5-9f0d-5901d620577a: required domain is nil - uuid: c18cb484-a3d7-4f1b-9de2-bc40675ebef6 - - collected: 2024-07-09T03:24:38.621193684Z - description: | - [TEST]: c6c9daf1-4196-406d-8679-312c0512ab2e - check-istio-admin-gateway-and-usage - methods: - - TEST - relevant-evidence: - - description: | - Result: satisfied - remarks: | - validate.msg: Admin gateway exists. Admin virtual services are using admin gateway. - uuid: 4e69dd7e-0ba5-489c-82fd-bdfdd3d80afd - - collected: 2024-07-09T03:24:38.719799848Z - description: | - [TEST]: 1761ac07-80dd-47d2-947e-09f67943b986 - all-pods-istio-injected - methods: - - TEST - relevant-evidence: - - description: | - Result: satisfied - remarks: | - validate.msg: All pods have Istio sidecar proxy. - validate.exempt_namespaces_msg: Exempted Namespaces: istio-system, kube-system, uds-dev-stack, zarf - uuid: 3d86e5f1-bf50-43c1-a3d8-4f9d26311481 - - collected: 2024-07-09T03:24:38.729154607Z - description: | - [TEST]: 0da39859-a91a-4ca6-bd8b-9b117689188f - all-namespaces-istio-injected - methods: - - TEST - relevant-evidence: - - description: | - Result: not-satisfied - remarks: | - validate.msg: Non-Istio-injected namespaces: {"exempted-app", "podinfo", "test-admin-app", "test-tenant-app"} - validate.exempted_namespaces_msg: Exempted Namespaces: default, istio-admin-gateway, istio-passthrough-gateway, istio-system, istio-tenant-gateway, kube-node-lease, kube-public, kube-system, uds-crds, uds-dev-stack, uds-policy-exemptions, zarf - uuid: 4df2137a-de64-4d02-8121-1911fc9dedab - - collected: 2024-07-09T03:24:38.751849467Z - description: | - [TEST]: 570e2dc7-e6c2-4ad5-8ea3-f07974f59747 - secure-communication-with-istiod - methods: - - TEST - relevant-evidence: - - description: | - Result: satisfied - remarks: | - validate.msg_correct: NetworkPolicies correctly configured for istiod in namespaces: authservice, grafana, keycloak, loki, metrics-server, monitoring, neuvector, promtail, velero. - validate.msg_incorrect: No incorrect istiod NetworkPolicies found. - uuid: a7867fed-93d7-457c-8886-6dae4459c5b2 - - collected: 2024-07-09T03:24:38.751895453Z - description: | - [TEST]: 663f5e92-6db4-4042-8b5a-eba3ebe5a622 - lula-validation-error - methods: - - TEST - relevant-evidence: - - description: | - Result: not-satisfied - remarks: | - Error getting Lula validation #663f5e92-6db4-4042-8b5a-eba3ebe5a622: required domain is nil - uuid: 6a1961d3-8819-4db9-b052-e3998d29f94c - - collected: 2024-07-09T03:24:38.75191546Z - description: | - [TEST]: 19faf69a-de74-4b78-a628-64a9f244ae13 - lula-validation-error - methods: - - TEST - relevant-evidence: - - description: | - Result: not-satisfied - remarks: | - Error getting Lula validation #19faf69a-de74-4b78-a628-64a9f244ae13: required domain is nil - uuid: 76674b13-a05d-40ba-b6ac-99aafe1c916e - - collected: 2024-07-09T03:24:38.757825399Z - description: | - [TEST]: ca49ac97-487a-446a-a0b7-92b20e2c83cb - enforce-mtls-strict - methods: - - TEST - relevant-evidence: - - description: | - Result: satisfied - remarks: | - validate.msg: All PeerAuthentications have mtls mode set to STRICT. - uuid: f6a130b1-bdb8-41de-8921-c1c373023f59 - - collected: 2024-07-09T03:24:38.766341924Z - description: | - [TEST]: 90738c86-6315-450a-ac69-cc50eb4859cc - check-istio-logging-all-traffic - methods: - - TEST - relevant-evidence: - - description: | - Result: satisfied - remarks: | - validate.msg: Istio is logging all traffic - uuid: 337f9bea-6f8e-4c89-8142-4474083105e6 - - collected: 2024-07-09T03:24:38.772656748Z - description: | - [TEST]: fd071676-6b92-4e1c-a4f0-4c8d2bd55aed - ingress-traffic-encrypted - methods: - - TEST - relevant-evidence: - - description: | - Result: satisfied - remarks: | - validate.msg: All gateways encrypt ingress traffic - validate.msg_exempt: Exempted Gateways: istio-passthrough-gateway/passthrough-gateway - uuid: 60ff69f7-6d6f-4b92-a0a4-4ecd2df24b52 - - collected: 2024-07-09T03:24:38.776561899Z - description: | - [TEST]: e38c0695-10f6-40b6-b246-fa58b26ccd25 - istio-authorization-policies-require-authentication - methods: - - TEST - relevant-evidence: - - description: | - Result: satisfied - remarks: | - validate.msg: Authorization Policy requires authentication for keycloak - uuid: 31654aca-4189-447d-b5e6-4928c5acc603 - - collected: 2024-07-09T03:24:38.781059357Z - description: | - [TEST]: 7b045b2a-106f-4c8c-85d9-ae3d7a8e0e28 - istio-rbac-enforcement-check - methods: - - TEST - relevant-evidence: - - description: | - Result: satisfied - remarks: | - validate.msg: Istio RBAC enforced - validate.msg_authPolicies: Authorization Policies: istio-system/authservice, istio-system/jwt-authz, keycloak/keycloak-block-admin-access-from-public-gateway - uuid: f3ff3fbb-16d9-4a92-90e1-d8b7a020bccc - - collected: 2024-07-09T03:24:38.791675282Z - description: | - [TEST]: 3e217577-930e-4469-a999-1a5704b5cecb - request-authenication-and-auth-policies-configured - methods: - - TEST - relevant-evidence: - - description: | - Result: satisfied - remarks: | - validate.msg: All AuthorizationPolicies properly configured. All RequestAuthentications properly configured. - uuid: b2b0c4c3-8b3d-42a6-9ba4-ce36f198e15c - - collected: 2024-07-09T03:24:38.79173886Z - description: | - [TEST]: 7455f86d-b79c-4226-9ce3-f3fb7d9348c8 - lula-validation-error - methods: - - TEST - relevant-evidence: - - description: | - Result: not-satisfied - remarks: | - Error getting Lula validation #7455f86d-b79c-4226-9ce3-f3fb7d9348c8: required domain is nil - uuid: 35470a10-7ec9-4663-980b-c31ad61e08eb - props: - - name: threshold - ns: https://docs.lula.dev/oscal/ns - value: "true" - reviewed-controls: - control-selections: - - description: Controls Assessed by Lula - include-controls: - - control-id: ac-14 - - control-id: ac-2 - - control-id: ac-2.1 - - control-id: ac-3 - - control-id: ac-4 - - control-id: ac-4.21 - - control-id: ac-4.4 - control-id: ac-5 - control-id: ac-6 - control-id: ac-6.1 @@ -2773,17 +1355,12 @@ assessment-results: - control-id: sc-10 - control-id: sc-13 - control-id: sc-23 - - control-id: sc-3 - control-id: sc-39 - - control-id: sc-4 - control-id: sc-7 - - control-id: sc-7.20 - - control-id: sc-7.21 - control-id: sc-7.4 - control-id: sc-7.8 - control-id: sc-8 - control-id: sc-8.1 - - control-id: sc-8.2 - control-id: si-11 - control-id: si-2.3 - control-id: si-4 @@ -2791,7 +1368,7 @@ assessment-results: - control-id: si-6 description: Controls validated remarks: Validation performed may indicate full or partial satisfaction - start: 2024-07-09T03:24:38.798446786Z + start: 2024-10-16T20:13:51.671525491Z title: Lula Validation Result - uuid: 5a0a9538-e734-48a5-a327-02e6aa6891b0 - uuid: bf456173-34f4-480b-a659-1aae77092ee6 + uuid: 2d3dad50-ee92-4dec-a73c-cc683e28c5a2 + uuid: 1f7a298e-29e3-4d62-92c0-e4f4b42078b4 diff --git a/compliance/validations/istio/all-namespaces-istio-injected/README.md b/compliance/validations/istio/all-namespaces-istio-injected/README.md new file mode 100644 index 000000000..821a4d081 --- /dev/null +++ b/compliance/validations/istio/all-namespaces-istio-injected/README.md @@ -0,0 +1,9 @@ +# README.md + +**NAME** - all-namespaces-istio-injected + +**INPUT** - Collects all namespaces in the Kubernetes cluster. + +**POLICY** - Checks that all namespaces are Istio-injected, except for a predefined list of exempted namespaces. + +**NOTES** - The exempted namespaces are: `istio-system`, `kube-system`, `default`, `istio-admin-gateway`, `istio-passthrough-gateway`, `istio-tenant-gateway`, `kube-node-lease`, `kube-public`, `uds-crds`, `uds-dev-stack`, `uds-policy-exemptions`, `zarf`. \ No newline at end of file diff --git a/compliance/validations/istio/all-namespaces-istio-injected/resources.json b/compliance/validations/istio/all-namespaces-istio-injected/resources.json new file mode 100644 index 000000000..17897f6d6 --- /dev/null +++ b/compliance/validations/istio/all-namespaces-istio-injected/resources.json @@ -0,0 +1,537 @@ +{ + "namespaces": [ + { + "apiVersion": "v1", + "kind": "Namespace", + "metadata": { + "creationTimestamp": "2024-04-22T14:00:42Z", + "labels": { + "kubernetes.io/metadata.name": "default", + "zarf.dev/agent": "ignore" + }, + "name": "default", + "resourceVersion": "680", + "uid": "0f317322-d4b2-49cf-9bdc-949b1760c7a0" + }, + "spec": { + "finalizers": [ + "kubernetes" + ] + }, + "status": { + "phase": "Active" + } + }, + { + "apiVersion": "v1", + "kind": "Namespace", + "metadata": { + "creationTimestamp": "2024-04-22T14:00:42Z", + "labels": { + "kubernetes.io/metadata.name": "kube-system", + "zarf.dev/agent": "ignore" + }, + "name": "kube-system", + "resourceVersion": "681", + "uid": "4b063c85-1386-4887-b391-a303532f586e" + }, + "spec": { + "finalizers": [ + "kubernetes" + ] + }, + "status": { + "phase": "Active" + } + }, + { + "apiVersion": "v1", + "kind": "Namespace", + "metadata": { + "creationTimestamp": "2024-04-22T14:00:42Z", + "labels": { + "kubernetes.io/metadata.name": "kube-public", + "zarf.dev/agent": "ignore" + }, + "name": "kube-public", + "resourceVersion": "683", + "uid": "5047265c-9614-4b52-8617-b20de9a1ae13" + }, + "spec": { + "finalizers": [ + "kubernetes" + ] + }, + "status": { + "phase": "Active" + } + }, + { + "apiVersion": "v1", + "kind": "Namespace", + "metadata": { + "creationTimestamp": "2024-04-22T14:00:42Z", + "labels": { + "kubernetes.io/metadata.name": "kube-node-lease", + "zarf.dev/agent": "ignore" + }, + "name": "kube-node-lease", + "resourceVersion": "684", + "uid": "ba53aa5c-2b5b-4302-8572-fed2efbb88d4" + }, + "spec": { + "finalizers": [ + "kubernetes" + ] + }, + "status": { + "phase": "Active" + } + }, + { + "apiVersion": "v1", + "kind": "Namespace", + "metadata": { + "creationTimestamp": "2024-04-22T14:01:05Z", + "labels": { + "app.kubernetes.io/managed-by": "zarf", + "kubernetes.io/metadata.name": "zarf", + "zarf.dev/agent": "ignore" + }, + "name": "zarf", + "resourceVersion": "685", + "uid": "80e207f5-5aab-414e-9ed4-e3f96b654920" + }, + "spec": { + "finalizers": [ + "kubernetes" + ] + }, + "status": { + "phase": "Active" + } + }, + { + "apiVersion": "v1", + "kind": "Namespace", + "metadata": { + "creationTimestamp": "2024-04-22T14:01:06Z", + "labels": { + "app.kubernetes.io/managed-by": "zarf", + "kubernetes.io/metadata.name": "uds-dev-stack", + "zarf.dev/agent": "ignore" + }, + "name": "uds-dev-stack", + "resourceVersion": "686", + "uid": "4967045b-0d5d-4d47-b221-b9f7c41f5fa9" + }, + "spec": { + "finalizers": [ + "kubernetes" + ] + }, + "status": { + "phase": "Active" + } + }, + { + "apiVersion": "v1", + "kind": "Namespace", + "metadata": { + "creationTimestamp": "2024-04-22T14:03:52Z", + "labels": { + "app.kubernetes.io/managed-by": "zarf", + "kubernetes.io/metadata.name": "uds-crds" + }, + "name": "uds-crds", + "resourceVersion": "949", + "uid": "20f83ea4-99bd-49e0-99c8-5f61a83271b2" + }, + "spec": { + "finalizers": [ + "kubernetes" + ] + }, + "status": { + "phase": "Active" + } + }, + { + "apiVersion": "v1", + "kind": "Namespace", + "metadata": { + "creationTimestamp": "2024-04-22T14:04:14Z", + "labels": { + "app.kubernetes.io/managed-by": "zarf", + "kubernetes.io/metadata.name": "istio-system" + }, + "name": "istio-system", + "resourceVersion": "1051", + "uid": "eadee776-a36e-448e-8ec7-e8649db8e181" + }, + "spec": { + "finalizers": [ + "kubernetes" + ] + }, + "status": { + "phase": "Active" + } + }, + { + "apiVersion": "v1", + "kind": "Namespace", + "metadata": { + "creationTimestamp": "2024-04-22T14:04:19Z", + "labels": { + "app.kubernetes.io/managed-by": "zarf", + "istio-injection": "enabled", + "kubernetes.io/metadata.name": "pepr-system", + "zarf-helm-release": "zarf-a102b532d6a523b085622665b606574b0cd82025" + }, + "name": "pepr-system", + "resourceVersion": "1128", + "uid": "6ff15b92-117f-4226-97aa-c334ce7a6d5d" + }, + "spec": { + "finalizers": [ + "kubernetes" + ] + }, + "status": { + "phase": "Active" + } + }, + { + "apiVersion": "v1", + "kind": "Namespace", + "metadata": { + "creationTimestamp": "2024-04-22T14:04:21Z", + "labels": { + "app.kubernetes.io/managed-by": "zarf", + "kubernetes.io/metadata.name": "istio-admin-gateway" + }, + "name": "istio-admin-gateway", + "resourceVersion": "1142", + "uid": "d66870cc-5b8e-4611-aeae-6f314f1e8076" + }, + "spec": { + "finalizers": [ + "kubernetes" + ] + }, + "status": { + "phase": "Active" + } + }, + { + "apiVersion": "v1", + "kind": "Namespace", + "metadata": { + "creationTimestamp": "2024-04-22T14:04:27Z", + "labels": { + "app.kubernetes.io/managed-by": "zarf", + "kubernetes.io/metadata.name": "istio-tenant-gateway" + }, + "name": "istio-tenant-gateway", + "resourceVersion": "1200", + "uid": "2e51a476-fe56-4aaf-a342-27efe1fe4ce0" + }, + "spec": { + "finalizers": [ + "kubernetes" + ] + }, + "status": { + "phase": "Active" + } + }, + { + "apiVersion": "v1", + "kind": "Namespace", + "metadata": { + "creationTimestamp": "2024-04-22T14:04:31Z", + "labels": { + "app.kubernetes.io/managed-by": "zarf", + "kubernetes.io/metadata.name": "istio-passthrough-gateway" + }, + "name": "istio-passthrough-gateway", + "resourceVersion": "1258", + "uid": "895505ba-3dd7-49db-8b6a-76a16220526d" + }, + "spec": { + "finalizers": [ + "kubernetes" + ] + }, + "status": { + "phase": "Active" + } + }, + { + "apiVersion": "v1", + "kind": "Namespace", + "metadata": { + "annotations": { + "uds.dev/original-istio-injection": "non-existent", + "uds.dev/pkg-metrics-server": "true" + }, + "creationTimestamp": "2024-04-22T14:04:54Z", + "labels": { + "app.kubernetes.io/managed-by": "zarf", + "istio-injection": "enabled", + "kubernetes.io/metadata.name": "metrics-server" + }, + "name": "metrics-server", + "resourceVersion": "1516", + "uid": "b98e6771-1752-46f9-9de8-dbab84ef3803" + }, + "spec": { + "finalizers": [ + "kubernetes" + ] + }, + "status": { + "phase": "Active" + } + }, + { + "apiVersion": "v1", + "kind": "Namespace", + "metadata": { + "annotations": { + "uds.dev/original-istio-injection": "non-existent", + "uds.dev/pkg-keycloak": "true" + }, + "creationTimestamp": "2024-04-22T14:05:21Z", + "labels": { + "app.kubernetes.io/managed-by": "zarf", + "istio-injection": "enabled", + "kubernetes.io/metadata.name": "keycloak" + }, + "name": "keycloak", + "resourceVersion": "1698", + "uid": "6560188f-4555-475b-aa5b-b3b0173d6e32" + }, + "spec": { + "finalizers": [ + "kubernetes" + ] + }, + "status": { + "phase": "Active" + } + }, + { + "apiVersion": "v1", + "kind": "Namespace", + "metadata": { + "creationTimestamp": "2024-04-22T14:06:37Z", + "labels": { + "app.kubernetes.io/managed-by": "zarf", + "kubernetes.io/metadata.name": "uds-policy-exemptions" + }, + "name": "uds-policy-exemptions", + "resourceVersion": "1903", + "uid": "f56bf67e-4c62-4b15-80c2-82639586bd35" + }, + "spec": { + "finalizers": [ + "kubernetes" + ] + }, + "status": { + "phase": "Active" + } + }, + { + "apiVersion": "v1", + "kind": "Namespace", + "metadata": { + "annotations": { + "uds.dev/original-istio-injection": "non-existent", + "uds.dev/pkg-neuvector": "true" + }, + "creationTimestamp": "2024-04-22T14:06:35Z", + "labels": { + "app.kubernetes.io/managed-by": "zarf", + "istio-injection": "enabled", + "kubernetes.io/metadata.name": "neuvector" + }, + "name": "neuvector", + "resourceVersion": "1940", + "uid": "b69f3003-abc4-4495-b3bb-79a3e12ab05f" + }, + "spec": { + "finalizers": [ + "kubernetes" + ] + }, + "status": { + "phase": "Active" + } + }, + { + "apiVersion": "v1", + "kind": "Namespace", + "metadata": { + "annotations": { + "uds.dev/original-istio-injection": "non-existent", + "uds.dev/pkg-loki": "true" + }, + "creationTimestamp": "2024-04-22T14:07:07Z", + "labels": { + "app.kubernetes.io/managed-by": "zarf", + "istio-injection": "enabled", + "kubernetes.io/metadata.name": "loki" + }, + "name": "loki", + "resourceVersion": "2421", + "uid": "e92842e6-2242-44d5-9473-83a97fdf0c3d" + }, + "spec": { + "finalizers": [ + "kubernetes" + ] + }, + "status": { + "phase": "Active" + } + }, + { + "apiVersion": "v1", + "kind": "Namespace", + "metadata": { + "annotations": { + "uds.dev/original-istio-injection": "non-existent", + "uds.dev/pkg-prometheus-stack": "true" + }, + "creationTimestamp": "2024-04-22T14:08:40Z", + "labels": { + "app.kubernetes.io/managed-by": "zarf", + "istio-injection": "enabled", + "kubernetes.io/metadata.name": "monitoring" + }, + "name": "monitoring", + "resourceVersion": "2915", + "uid": "ebb401c8-13ee-4636-8e36-b04a0a0e3cfb" + }, + "spec": { + "finalizers": [ + "kubernetes" + ] + }, + "status": { + "phase": "Active" + } + }, + { + "apiVersion": "v1", + "kind": "Namespace", + "metadata": { + "annotations": { + "uds.dev/original-istio-injection": "non-existent", + "uds.dev/pkg-promtail": "true" + }, + "creationTimestamp": "2024-04-22T14:09:19Z", + "labels": { + "app.kubernetes.io/managed-by": "zarf", + "istio-injection": "enabled", + "kubernetes.io/metadata.name": "promtail" + }, + "name": "promtail", + "resourceVersion": "3466", + "uid": "9ee64052-8c6c-4d4e-82fb-d5fe016f441e" + }, + "spec": { + "finalizers": [ + "kubernetes" + ] + }, + "status": { + "phase": "Active" + } + }, + { + "apiVersion": "v1", + "kind": "Namespace", + "metadata": { + "annotations": { + "uds.dev/original-istio-injection": "non-existent", + "uds.dev/pkg-grafana": "true" + }, + "creationTimestamp": "2024-04-22T14:07:07Z", + "labels": { + "app.kubernetes.io/managed-by": "zarf", + "istio-injection": "enabled", + "kubernetes.io/metadata.name": "grafana" + }, + "name": "grafana", + "resourceVersion": "3621", + "uid": "c8064cce-25f4-4fd4-a16c-9e5a4af869b5" + }, + "spec": { + "finalizers": [ + "kubernetes" + ] + }, + "status": { + "phase": "Active" + } + }, + { + "apiVersion": "v1", + "kind": "Namespace", + "metadata": { + "annotations": { + "uds.dev/original-istio-injection": "non-existent", + "uds.dev/pkg-authservice": "true" + }, + "creationTimestamp": "2024-04-22T14:10:05Z", + "labels": { + "app.kubernetes.io/managed-by": "zarf", + "istio-injection": "enabled", + "kubernetes.io/metadata.name": "authservice" + }, + "name": "authservice", + "resourceVersion": "3775", + "uid": "2c399f0d-f380-43b5-a717-edf4f19d2b17" + }, + "spec": { + "finalizers": [ + "kubernetes" + ] + }, + "status": { + "phase": "Active" + } + }, + { + "apiVersion": "v1", + "kind": "Namespace", + "metadata": { + "annotations": { + "uds.dev/original-istio-injection": "non-existent", + "uds.dev/pkg-velero": "true" + }, + "creationTimestamp": "2024-04-22T14:10:17Z", + "labels": { + "app.kubernetes.io/managed-by": "zarf", + "istio-injection": "enabled", + "kubernetes.io/metadata.name": "velero" + }, + "name": "velero", + "resourceVersion": "3857", + "uid": "e6a181f4-02b4-4625-8d9e-78656316fc35" + }, + "spec": { + "finalizers": [ + "kubernetes" + ] + }, + "status": { + "phase": "Active" + } + } + ] +} \ No newline at end of file diff --git a/compliance/validations/istio/all-namespaces-istio-injected/tests.yaml b/compliance/validations/istio/all-namespaces-istio-injected/tests.yaml new file mode 100644 index 000000000..0a7e4d8c4 --- /dev/null +++ b/compliance/validations/istio/all-namespaces-istio-injected/tests.yaml @@ -0,0 +1,10 @@ +pass: + - test: default + validation: validation.yaml + resources: resources.json + expected-validation: true + - test: grafana-no-istio-injection + validation: validation.yaml + resources: resources.json + permutation: '.namespaces |= map(if .metadata.name == "grafana" then del(.metadata.labels["istio-injection"]) else . end)' + expected-validation: false diff --git a/compliance/validations/istio/all-namespaces-istio-injected/validation.yaml b/compliance/validations/istio/all-namespaces-istio-injected/validation.yaml new file mode 100644 index 000000000..d32392e6c --- /dev/null +++ b/compliance/validations/istio/all-namespaces-istio-injected/validation.yaml @@ -0,0 +1,55 @@ +metadata: + name: all-namespaces-istio-injected + uuid: 0da39859-a91a-4ca6-bd8b-9b117689188f +domain: + type: kubernetes + kubernetes-spec: + resources: + - name: namespaces + resource-rule: + group: "" + version: v1 + resource: namespaces + namespaces: [] +provider: + type: opa + opa-spec: + rego: | + package validate + import rego.v1 + + # Default values + default validate := false + default msg := "Not evaluated" + + # Validation + validate if { + check_non_istio_injected_namespaces.result + } + msg = check_non_istio_injected_namespaces.msg + msg_exempt_namespaces = concat(", ", exempted_namespaces) + + # List of exempted namespaces + exempted_namespaces := {"istio-system", "kube-system", "default", "istio-admin-gateway", + "istio-passthrough-gateway", "istio-tenant-gateway", "kube-node-lease", "kube-public", "uds-crds", + "uds-dev-stack", "uds-policy-exemptions", "zarf"} + + # Collect non-Istio-injected namespaces + non_istio_injected_namespaces := {ns.metadata.name | + ns := input.namespaces[_] + ns.kind == "Namespace" + not ns.metadata.labels["istio-injection"] == "enabled" + not ns.metadata.name in exempted_namespaces + } + + # Check no non-Istio-injected namespaces + check_non_istio_injected_namespaces = { "result": true, "msg": "All namespaces are Istio-injected" } if { + count(non_istio_injected_namespaces) == 0 + } else = { "result": false, "msg": msg } if { + msg := sprintf("Non-Istio-injected namespaces: %v", [non_istio_injected_namespaces]) + } + output: + validation: validate.validate + observations: + - validate.msg + - validate.msg_exempt_namespaces diff --git a/compliance/validations/istio/all-pods-istio-injected/README.md b/compliance/validations/istio/all-pods-istio-injected/README.md new file mode 100644 index 000000000..fcacfe2b1 --- /dev/null +++ b/compliance/validations/istio/all-pods-istio-injected/README.md @@ -0,0 +1,9 @@ +# README.md + +**NAME** - all-pods-istio-injected + +**INPUT** - Collects all pods in the Kubernetes cluster. + +**POLICY** - Checks that all pods have an Istio sidecar proxy, except for pods in a predefined list of exempted namespaces. + +**NOTES** - The exempted namespaces are: `kube-system`, `istio-system`, `uds-dev-stack`, `zarf`, `istio-admin-gateway`, `istio-tenant-gateway`, `istio-passthrough-gateway`. \ No newline at end of file diff --git a/compliance/validations/istio/all-pods-istio-injected/resources.json b/compliance/validations/istio/all-pods-istio-injected/resources.json new file mode 100644 index 000000000..a281dc426 --- /dev/null +++ b/compliance/validations/istio/all-pods-istio-injected/resources.json @@ -0,0 +1,24014 @@ +{ + "pods": [ + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "creationTimestamp": "2024-07-15T19:21:06Z", + "generateName": "metallb-controller-665d96757f-", + "labels": { + "app.kubernetes.io/component": "controller", + "app.kubernetes.io/instance": "metallb", + "app.kubernetes.io/name": "metallb", + "pod-template-hash": "665d96757f" + }, + "name": "metallb-controller-665d96757f-s8hj5", + "namespace": "uds-dev-stack", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "metallb-controller-665d96757f", + "uid": "ccba3766-c585-46f7-9b64-b3b07d908e1e" + } + ], + "resourceVersion": "486", + "uid": "7795a37b-5d17-416f-aebc-13c82ea4162b" + }, + "spec": { + "containers": [ + { + "args": [ + "--port=7472", + "--log-level=info", + "--tls-min-version=VersionTLS12" + ], + "env": [ + { + "name": "METALLB_ML_SECRET_NAME", + "value": "metallb-memberlist" + }, + { + "name": "METALLB_DEPLOYMENT", + "value": "metallb-controller" + }, + { + "name": "METALLB_BGP_TYPE", + "value": "frr" + } + ], + "image": "quay.io/metallb/controller:v0.14.5", + "imagePullPolicy": "IfNotPresent", + "livenessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/metrics", + "port": "monitoring", + "scheme": "HTTP" + }, + "initialDelaySeconds": 10, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "name": "controller", + "ports": [ + { + "containerPort": 7472, + "name": "monitoring", + "protocol": "TCP" + }, + { + "containerPort": 9443, + "name": "webhook-server", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/metrics", + "port": "monitoring", + "scheme": "HTTP" + }, + "initialDelaySeconds": 10, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "resources": {}, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "readOnlyRootFilesystem": true + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/tmp/k8s-webhook-server/serving-certs", + "name": "cert", + "readOnly": true + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-pvfts", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "nodeName": "k3d-uds-server-0", + "nodeSelector": { + "kubernetes.io/os": "linux" + }, + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "fsGroup": 65534, + "runAsNonRoot": true, + "runAsUser": 65534 + }, + "serviceAccount": "metallb-controller", + "serviceAccountName": "metallb-controller", + "terminationGracePeriodSeconds": 0, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "name": "cert", + "secret": { + "defaultMode": 420, + "secretName": "metallb-webhook-cert" + } + }, + { + "name": "kube-api-access-pvfts", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:21:10Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:21:06Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:21:27Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:21:27Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:21:06Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://e9dde122aac6ff1bc8137450616e137751f05f69a6ddd120d55b26745e3425d3", + "image": "quay.io/metallb/controller:v0.14.5", + "imageID": "quay.io/metallb/controller@sha256:3f776529447094c8d318baeb4f9efe024cf154859762ec3eefcd878b1fe8a01f", + "lastState": {}, + "name": "controller", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:21:10Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "phase": "Running", + "podIP": "10.42.0.3", + "podIPs": [ + { + "ip": "10.42.0.3" + } + ], + "qosClass": "BestEffort", + "startTime": "2024-07-15T19:21:06Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "creationTimestamp": "2024-07-15T19:21:29Z", + "generateName": "nginx-", + "labels": { + "controller-revision-hash": "796f655567", + "name": "nginx", + "pod-template-generation": "1", + "sidecar.istio.io/inject": "false" + }, + "name": "nginx-d6xdx", + "namespace": "uds-dev-stack", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "DaemonSet", + "name": "nginx", + "uid": "d27f737c-8eaa-4243-a7c8-c2a8331eef9f" + } + ], + "resourceVersion": "542", + "uid": "cca0b707-cf92-44be-9fdc-38159979f5f7" + }, + "spec": { + "affinity": { + "nodeAffinity": { + "requiredDuringSchedulingIgnoredDuringExecution": { + "nodeSelectorTerms": [ + { + "matchFields": [ + { + "key": "metadata.name", + "operator": "In", + "values": [ + "k3d-uds-server-0" + ] + } + ] + } + ] + } + } + }, + "containers": [ + { + "command": [ + "nginx", + "-g", + "daemon off;" + ], + "image": "ghcr.io/defenseunicorns/oss/uds-k3d-nginx:alpine-1.25.3", + "imagePullPolicy": "IfNotPresent", + "name": "nginx", + "ports": [ + { + "containerPort": 80, + "hostPort": 80, + "protocol": "TCP" + }, + { + "containerPort": 443, + "hostPort": 443, + "protocol": "TCP" + } + ], + "resources": {}, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/nginx/nginx.conf", + "name": "config-volume", + "subPath": "nginx.conf" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-485d9", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": {}, + "serviceAccount": "default", + "serviceAccountName": "default", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists" + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/disk-pressure", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/memory-pressure", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/pid-pressure", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/unschedulable", + "operator": "Exists" + } + ], + "volumes": [ + { + "configMap": { + "defaultMode": 420, + "name": "nginx-config" + }, + "name": "config-volume" + }, + { + "name": "kube-api-access-485d9", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:21:32Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:21:29Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:21:32Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:21:32Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:21:29Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://f1e5591d3cca12a7e9ffbdc3e90373b0d740324ba785e41e52dcb645c06066cb", + "image": "ghcr.io/defenseunicorns/oss/uds-k3d-nginx:alpine-1.25.3", + "imageID": "ghcr.io/defenseunicorns/oss/uds-k3d-nginx@sha256:a59278fd22a9d411121e190b8cec8aa57b306aa3332459197777583beb728f59", + "lastState": {}, + "name": "nginx", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:21:32Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "phase": "Running", + "podIP": "10.42.0.4", + "podIPs": [ + { + "ip": "10.42.0.4" + } + ], + "qosClass": "BestEffort", + "startTime": "2024-07-15T19:21:29Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "creationTimestamp": "2024-07-15T19:21:29Z", + "generateName": "local-path-provisioner-6d9d9b57c9-", + "labels": { + "app": "local-path-provisioner", + "pod-template-hash": "6d9d9b57c9" + }, + "name": "local-path-provisioner-6d9d9b57c9-hcv5w", + "namespace": "uds-dev-stack", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "local-path-provisioner-6d9d9b57c9", + "uid": "6fec9ac8-cdef-4052-bbe5-2325eed27917" + } + ], + "resourceVersion": "544", + "uid": "f13000c3-ec5d-46e8-96c2-1b3f800dd95e" + }, + "spec": { + "containers": [ + { + "command": [ + "local-path-provisioner", + "--debug", + "start", + "--config", + "/etc/config/config.json" + ], + "env": [ + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + } + ], + "image": "rancher/local-path-provisioner:v0.0.26", + "imagePullPolicy": "IfNotPresent", + "name": "local-path-provisioner", + "resources": {}, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/config/", + "name": "config-volume" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-jcpzb", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": {}, + "serviceAccount": "local-path-provisioner-service-account", + "serviceAccountName": "local-path-provisioner-service-account", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "configMap": { + "defaultMode": 420, + "name": "local-path-config" + }, + "name": "config-volume" + }, + { + "name": "kube-api-access-jcpzb", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:21:32Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:21:29Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:21:32Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:21:32Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:21:29Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://469d27a57d2c8d0193d1a6bd41455b443f50df8befd66d6f90365fb41a108ca2", + "image": "docker.io/rancher/local-path-provisioner:v0.0.26", + "imageID": "docker.io/rancher/local-path-provisioner@sha256:aee53cadc62bd023911e7f077877d047c5b3c269f9bba25724d558654f43cea0", + "lastState": {}, + "name": "local-path-provisioner", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:21:31Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "phase": "Running", + "podIP": "10.42.0.6", + "podIPs": [ + { + "ip": "10.42.0.6" + } + ], + "qosClass": "BestEffort", + "startTime": "2024-07-15T19:21:29Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "creationTimestamp": "2024-07-15T19:21:29Z", + "generateName": "ensure-machine-id-", + "labels": { + "controller-revision-hash": "555967fc7b", + "name": "ensure-machine-id", + "pod-template-generation": "1" + }, + "name": "ensure-machine-id-r9dqh", + "namespace": "uds-dev-stack", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "DaemonSet", + "name": "ensure-machine-id", + "uid": "80ab6077-003d-4be2-860d-8a17372b226d" + } + ], + "resourceVersion": "594", + "uid": "fe2ebb8c-fee8-4a5b-a79b-f5d733756d8f" + }, + "spec": { + "affinity": { + "nodeAffinity": { + "requiredDuringSchedulingIgnoredDuringExecution": { + "nodeSelectorTerms": [ + { + "matchFields": [ + { + "key": "metadata.name", + "operator": "In", + "values": [ + "k3d-uds-server-0" + ] + } + ] + } + ] + } + } + }, + "containers": [ + { + "image": "registry.k8s.io/pause:3.9", + "imagePullPolicy": "IfNotPresent", + "name": "pause", + "resources": { + "limits": { + "cpu": "100m", + "memory": "50Mi" + }, + "requests": { + "cpu": "100m", + "memory": "50Mi" + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-29ltk", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "hostPID": true, + "initContainers": [ + { + "args": [ + "echo \"B0D07F1F43F246409516ADBDCCC86FCE\" \u003e /mnt/host/etc/machine-id;" + ], + "command": [ + "/bin/sh", + "-c" + ], + "image": "cgr.dev/chainguard/wolfi-base:latest", + "imagePullPolicy": "Always", + "name": "generate-machine-id", + "resources": {}, + "securityContext": { + "privileged": true, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/mnt/host/etc", + "name": "machine-id" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-29ltk", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": {}, + "serviceAccount": "default", + "serviceAccountName": "default", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists" + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/disk-pressure", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/memory-pressure", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/pid-pressure", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/unschedulable", + "operator": "Exists" + } + ], + "volumes": [ + { + "hostPath": { + "path": "/etc", + "type": "" + }, + "name": "machine-id" + }, + { + "name": "kube-api-access-29ltk", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:21:33Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:21:33Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:21:35Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:21:35Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:21:29Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://4961e8b7180b5117d23ec0ea1a9336a6bcf20cb1b7a413ccb130ba7554f18e7a", + "image": "registry.k8s.io/pause:3.9", + "imageID": "registry.k8s.io/pause@sha256:7031c1b283388d2c2e09b57badb803c05ebed362dc88d84b480cc47f72a21097", + "lastState": {}, + "name": "pause", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:21:35Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "initContainerStatuses": [ + { + "containerID": "containerd://de664030a331e49795fdd67d1bd689ad074d54c401d5d14b72bd18f3ef9bfc87", + "image": "cgr.dev/chainguard/wolfi-base:latest", + "imageID": "cgr.dev/chainguard/wolfi-base@sha256:d6b37317ae7cb5c0864189e9e5acd825386ae226a413e7c19370f5f87d150f92", + "lastState": {}, + "name": "generate-machine-id", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://de664030a331e49795fdd67d1bd689ad074d54c401d5d14b72bd18f3ef9bfc87", + "exitCode": 0, + "finishedAt": "2024-07-15T19:21:32Z", + "reason": "Completed", + "startedAt": "2024-07-15T19:21:32Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.5", + "podIPs": [ + { + "ip": "10.42.0.5" + } + ], + "qosClass": "Burstable", + "startTime": "2024-07-15T19:21:29Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "creationTimestamp": "2024-07-15T19:21:06Z", + "generateName": "metallb-speaker-", + "labels": { + "app.kubernetes.io/component": "speaker", + "app.kubernetes.io/instance": "metallb", + "app.kubernetes.io/name": "metallb", + "controller-revision-hash": "6c7b58bfd7", + "pod-template-generation": "1" + }, + "name": "metallb-speaker-8gb22", + "namespace": "uds-dev-stack", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "DaemonSet", + "name": "metallb-speaker", + "uid": "c6d8e3b1-cbf3-4880-bad7-96b393df14f5" + } + ], + "resourceVersion": "610", + "uid": "5b51dfe0-90b9-4337-86a9-6d8ea087b5cb" + }, + "spec": { + "affinity": { + "nodeAffinity": { + "requiredDuringSchedulingIgnoredDuringExecution": { + "nodeSelectorTerms": [ + { + "matchFields": [ + { + "key": "metadata.name", + "operator": "In", + "values": [ + "k3d-uds-server-0" + ] + } + ] + } + ] + } + } + }, + "containers": [ + { + "args": [ + "--port=7472", + "--log-level=info" + ], + "env": [ + { + "name": "METALLB_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "METALLB_HOST", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "METALLB_ML_BIND_ADDR", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "METALLB_ML_LABELS", + "value": "app.kubernetes.io/name=metallb,app.kubernetes.io/component=speaker" + }, + { + "name": "METALLB_ML_BIND_PORT", + "value": "7946" + }, + { + "name": "METALLB_ML_SECRET_KEY_PATH", + "value": "/etc/ml_secret_key" + }, + { + "name": "FRR_CONFIG_FILE", + "value": "/etc/frr_reloader/frr.conf" + }, + { + "name": "FRR_RELOADER_PID_FILE", + "value": "/etc/frr_reloader/reloader.pid" + }, + { + "name": "METALLB_BGP_TYPE", + "value": "frr" + } + ], + "image": "quay.io/metallb/speaker:v0.14.5", + "imagePullPolicy": "IfNotPresent", + "livenessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/metrics", + "port": "monitoring", + "scheme": "HTTP" + }, + "initialDelaySeconds": 10, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "name": "speaker", + "ports": [ + { + "containerPort": 7472, + "hostPort": 7472, + "name": "monitoring", + "protocol": "TCP" + }, + { + "containerPort": 7946, + "hostPort": 7946, + "name": "memberlist-tcp", + "protocol": "TCP" + }, + { + "containerPort": 7946, + "hostPort": 7946, + "name": "memberlist-udp", + "protocol": "UDP" + } + ], + "readinessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/metrics", + "port": "monitoring", + "scheme": "HTTP" + }, + "initialDelaySeconds": 10, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "resources": {}, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "readOnlyRootFilesystem": true + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/ml_secret_key", + "name": "memberlist" + }, + { + "mountPath": "/etc/frr_reloader", + "name": "reloader" + }, + { + "mountPath": "/etc/metallb", + "name": "metallb-excludel2" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-fknxr", + "readOnly": true + } + ] + }, + { + "command": [ + "/bin/sh", + "-c", + "/sbin/tini -- /usr/lib/frr/docker-start \u0026\nattempts=0\nuntil [[ -f /etc/frr/frr.log || $attempts -eq 60 ]]; do\n sleep 1\n attempts=$(( $attempts + 1 ))\ndone\ntail -f /etc/frr/frr.log\n" + ], + "env": [ + { + "name": "TINI_SUBREAPER", + "value": "true" + } + ], + "image": "quay.io/frrouting/frr:9.0.2", + "imagePullPolicy": "IfNotPresent", + "livenessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "livez", + "port": 7473, + "scheme": "HTTP" + }, + "initialDelaySeconds": 10, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "name": "frr", + "resources": {}, + "securityContext": { + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW", + "SYS_ADMIN", + "NET_BIND_SERVICE" + ] + } + }, + "startupProbe": { + "failureThreshold": 30, + "httpGet": { + "path": "/livez", + "port": 7473, + "scheme": "HTTP" + }, + "periodSeconds": 5, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/frr", + "name": "frr-sockets" + }, + { + "mountPath": "/etc/frr", + "name": "frr-conf" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-fknxr", + "readOnly": true + } + ] + }, + { + "command": [ + "/etc/frr_reloader/frr-reloader.sh" + ], + "image": "quay.io/frrouting/frr:9.0.2", + "imagePullPolicy": "IfNotPresent", + "name": "reloader", + "resources": {}, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/frr", + "name": "frr-sockets" + }, + { + "mountPath": "/etc/frr", + "name": "frr-conf" + }, + { + "mountPath": "/etc/frr_reloader", + "name": "reloader" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-fknxr", + "readOnly": true + } + ] + }, + { + "args": [ + "--metrics-port=7473" + ], + "command": [ + "/etc/frr_metrics/frr-metrics" + ], + "image": "quay.io/frrouting/frr:9.0.2", + "imagePullPolicy": "IfNotPresent", + "name": "frr-metrics", + "ports": [ + { + "containerPort": 7473, + "hostPort": 7473, + "name": "monitoring", + "protocol": "TCP" + } + ], + "resources": {}, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/frr", + "name": "frr-sockets" + }, + { + "mountPath": "/etc/frr", + "name": "frr-conf" + }, + { + "mountPath": "/etc/frr_metrics", + "name": "metrics" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-fknxr", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "hostNetwork": true, + "initContainers": [ + { + "command": [ + "/bin/sh", + "-c", + "cp -rLf /tmp/frr/* /etc/frr/" + ], + "image": "quay.io/frrouting/frr:9.0.2", + "imagePullPolicy": "IfNotPresent", + "name": "cp-frr-files", + "resources": {}, + "securityContext": { + "runAsGroup": 101, + "runAsUser": 100 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/tmp/frr", + "name": "frr-startup" + }, + { + "mountPath": "/etc/frr", + "name": "frr-conf" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-fknxr", + "readOnly": true + } + ] + }, + { + "command": [ + "/bin/sh", + "-c", + "cp -f /frr-reloader.sh /etc/frr_reloader/" + ], + "image": "quay.io/metallb/speaker:v0.14.5", + "imagePullPolicy": "IfNotPresent", + "name": "cp-reloader", + "resources": {}, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/frr_reloader", + "name": "reloader" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-fknxr", + "readOnly": true + } + ] + }, + { + "command": [ + "/bin/sh", + "-c", + "cp -f /frr-metrics /etc/frr_metrics/" + ], + "image": "quay.io/metallb/speaker:v0.14.5", + "imagePullPolicy": "IfNotPresent", + "name": "cp-metrics", + "resources": {}, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/frr_metrics", + "name": "metrics" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-fknxr", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "nodeSelector": { + "kubernetes.io/os": "linux" + }, + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": {}, + "serviceAccount": "metallb-speaker", + "serviceAccountName": "metallb-speaker", + "shareProcessNamespace": true, + "terminationGracePeriodSeconds": 0, + "tolerations": [ + { + "effect": "NoSchedule", + "key": "node-role.kubernetes.io/master", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node-role.kubernetes.io/control-plane", + "operator": "Exists" + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists" + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/disk-pressure", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/memory-pressure", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/pid-pressure", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/unschedulable", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/network-unavailable", + "operator": "Exists" + } + ], + "volumes": [ + { + "name": "memberlist", + "secret": { + "defaultMode": 420, + "secretName": "metallb-memberlist" + } + }, + { + "configMap": { + "defaultMode": 256, + "name": "metallb-excludel2" + }, + "name": "metallb-excludel2" + }, + { + "emptyDir": {}, + "name": "frr-sockets" + }, + { + "configMap": { + "defaultMode": 420, + "name": "metallb-frr-startup" + }, + "name": "frr-startup" + }, + { + "emptyDir": {}, + "name": "frr-conf" + }, + { + "emptyDir": {}, + "name": "reloader" + }, + { + "emptyDir": {}, + "name": "metrics" + }, + { + "name": "kube-api-access-fknxr", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:21:18Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:21:22Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:21:40Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:21:40Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:21:06Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://206d74412d6f746852ed33e9448b100ae2762ba6a722e94a04e3e5aa7f03260c", + "image": "quay.io/frrouting/frr:9.0.2", + "imageID": "quay.io/frrouting/frr@sha256:086acb1278fe86118345f456a1fbfafb80c34d03f7bca9137da0729a1aee5e9c", + "lastState": {}, + "name": "frr", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:21:22Z" + } + } + }, + { + "containerID": "containerd://9407b90e38fba202082dfa4a550efde6f3d16250ebc32c87b8431ed735e1430a", + "image": "quay.io/frrouting/frr:9.0.2", + "imageID": "quay.io/frrouting/frr@sha256:086acb1278fe86118345f456a1fbfafb80c34d03f7bca9137da0729a1aee5e9c", + "lastState": {}, + "name": "frr-metrics", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:21:22Z" + } + } + }, + { + "containerID": "containerd://d7541882f85936e252f33d0130b123a08d8316655b0aba281276429eb479c7af", + "image": "quay.io/frrouting/frr:9.0.2", + "imageID": "quay.io/frrouting/frr@sha256:086acb1278fe86118345f456a1fbfafb80c34d03f7bca9137da0729a1aee5e9c", + "lastState": {}, + "name": "reloader", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:21:22Z" + } + } + }, + { + "containerID": "containerd://05a490aad7458d0127e70c256ee4c0e9ee56b793620a499f6d8196b38bad0583", + "image": "quay.io/metallb/speaker:v0.14.5", + "imageID": "quay.io/metallb/speaker@sha256:34e9cc2db6d83ca3ad4d92a6e2eadaf6b78be65621798e90827041749898acc0", + "lastState": {}, + "name": "speaker", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:21:22Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "initContainerStatuses": [ + { + "containerID": "containerd://ec00aef71a7110a1899d7b6fbf965b93bc8004cec9f9f7002e320b1c5ad8dd29", + "image": "quay.io/frrouting/frr:9.0.2", + "imageID": "quay.io/frrouting/frr@sha256:086acb1278fe86118345f456a1fbfafb80c34d03f7bca9137da0729a1aee5e9c", + "lastState": {}, + "name": "cp-frr-files", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://ec00aef71a7110a1899d7b6fbf965b93bc8004cec9f9f7002e320b1c5ad8dd29", + "exitCode": 0, + "finishedAt": "2024-07-15T19:21:17Z", + "reason": "Completed", + "startedAt": "2024-07-15T19:21:17Z" + } + } + }, + { + "containerID": "containerd://ba979b36684e75411bbcc2ba4af20dc1ce3e2ef2321ac4e72fcd5139fb737dc3", + "image": "quay.io/metallb/speaker:v0.14.5", + "imageID": "quay.io/metallb/speaker@sha256:34e9cc2db6d83ca3ad4d92a6e2eadaf6b78be65621798e90827041749898acc0", + "lastState": {}, + "name": "cp-reloader", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://ba979b36684e75411bbcc2ba4af20dc1ce3e2ef2321ac4e72fcd5139fb737dc3", + "exitCode": 0, + "finishedAt": "2024-07-15T19:21:21Z", + "reason": "Completed", + "startedAt": "2024-07-15T19:21:21Z" + } + } + }, + { + "containerID": "containerd://7381fb10b9989113eaabf5ca8bcb4344519725c0a5111e8e796f2e6383d790f1", + "image": "quay.io/metallb/speaker:v0.14.5", + "imageID": "quay.io/metallb/speaker@sha256:34e9cc2db6d83ca3ad4d92a6e2eadaf6b78be65621798e90827041749898acc0", + "lastState": {}, + "name": "cp-metrics", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://7381fb10b9989113eaabf5ca8bcb4344519725c0a5111e8e796f2e6383d790f1", + "exitCode": 0, + "finishedAt": "2024-07-15T19:21:21Z", + "reason": "Completed", + "startedAt": "2024-07-15T19:21:21Z" + } + } + } + ], + "phase": "Running", + "podIP": "172.19.0.3", + "podIPs": [ + { + "ip": "172.19.0.3" + } + ], + "qosClass": "BestEffort", + "startTime": "2024-07-15T19:21:06Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "checksum/config": "25ba5a36ee6bd1887b73590eee26c55e5673fbf1ef59d3f2e380255cea24fc78", + "checksum/secrets": "9b856ae77a7f70b2d03ee838d91fc2f61b9dc5f9140837fd2f14aa3a0631eb6a" + }, + "creationTimestamp": "2024-07-15T19:21:33Z", + "generateName": "minio-6c8d84fc7f-", + "labels": { + "app": "minio", + "pod-template-hash": "6c8d84fc7f", + "release": "minio" + }, + "name": "minio-6c8d84fc7f-zw9dv", + "namespace": "uds-dev-stack", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "minio-6c8d84fc7f", + "uid": "1cbd7b49-530e-4864-be2d-bfa8765649fc" + } + ], + "resourceVersion": "615", + "uid": "08e134cb-f32d-44f3-a858-a46d5709c9ba" + }, + "spec": { + "containers": [ + { + "command": [ + "/bin/sh", + "-ce", + "/usr/bin/docker-entrypoint.sh minio server /export -S /etc/minio/certs/ --address :9000 --console-address :9001" + ], + "env": [ + { + "name": "MINIO_ROOT_USER", + "valueFrom": { + "secretKeyRef": { + "key": "rootUser", + "name": "minio" + } + } + }, + { + "name": "MINIO_ROOT_PASSWORD", + "valueFrom": { + "secretKeyRef": { + "key": "rootPassword", + "name": "minio" + } + } + }, + { + "name": "MINIO_PROMETHEUS_AUTH_TYPE", + "value": "public" + } + ], + "image": "quay.io/minio/minio:RELEASE.2024-04-18T19-09-19Z", + "imagePullPolicy": "IfNotPresent", + "name": "minio", + "ports": [ + { + "containerPort": 9000, + "name": "http", + "protocol": "TCP" + }, + { + "containerPort": 9001, + "name": "http-console", + "protocol": "TCP" + } + ], + "resources": { + "requests": { + "cpu": "150m", + "memory": "256Mi" + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/tmp/credentials", + "name": "minio-user", + "readOnly": true + }, + { + "mountPath": "/export", + "name": "export" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-xwwsx", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "fsGroup": 1000, + "fsGroupChangePolicy": "OnRootMismatch", + "runAsGroup": 1000, + "runAsUser": 1000 + }, + "serviceAccount": "minio-sa", + "serviceAccountName": "minio-sa", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "name": "export", + "persistentVolumeClaim": { + "claimName": "minio" + } + }, + { + "name": "minio-user", + "secret": { + "defaultMode": 420, + "secretName": "minio" + } + }, + { + "name": "kube-api-access-xwwsx", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:21:42Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:21:38Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:21:42Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:21:42Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:21:38Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://db32566b2641bbc63592030e260f7964ef49292aee694752b7a344d0b31e0fcd", + "image": "quay.io/minio/minio:RELEASE.2024-04-18T19-09-19Z", + "imageID": "quay.io/minio/minio@sha256:036a068d7d6b69400da6bc07a480bee1e241ef3c341c41d988ed11f520f85124", + "lastState": {}, + "name": "minio", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:21:42Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "phase": "Running", + "podIP": "10.42.0.8", + "podIPs": [ + { + "ip": "10.42.0.8" + } + ], + "qosClass": "Burstable", + "startTime": "2024-07-15T19:21:38Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "kubectl.kubernetes.io/restartedAt": "2024-07-15T15:21:50-04:00" + }, + "creationTimestamp": "2024-07-15T19:21:50Z", + "generateName": "coredns-67cddc4fb4-", + "labels": { + "k8s-app": "kube-dns", + "pod-template-hash": "67cddc4fb4" + }, + "name": "coredns-67cddc4fb4-5fsgn", + "namespace": "kube-system", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "coredns-67cddc4fb4", + "uid": "fecf9a0b-1ff7-4fbc-a0b4-2d027e838a5d" + } + ], + "resourceVersion": "689", + "uid": "dee39420-a2ab-4ec3-a7ae-d13c251b8910" + }, + "spec": { + "containers": [ + { + "args": [ + "-conf", + "/etc/coredns/Corefile" + ], + "image": "rancher/mirrored-coredns-coredns:1.10.1", + "imagePullPolicy": "IfNotPresent", + "livenessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/health", + "port": 8080, + "scheme": "HTTP" + }, + "initialDelaySeconds": 60, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "name": "coredns", + "ports": [ + { + "containerPort": 53, + "name": "dns", + "protocol": "UDP" + }, + { + "containerPort": 53, + "name": "dns-tcp", + "protocol": "TCP" + }, + { + "containerPort": 9153, + "name": "metrics", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/ready", + "port": 8181, + "scheme": "HTTP" + }, + "periodSeconds": 2, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "resources": { + "limits": { + "memory": "170Mi" + }, + "requests": { + "cpu": "100m", + "memory": "70Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_BIND_SERVICE" + ], + "drop": [ + "all" + ] + }, + "readOnlyRootFilesystem": true + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/coredns", + "name": "config-volume", + "readOnly": true + }, + { + "mountPath": "/etc/coredns/custom", + "name": "custom-config-volume", + "readOnly": true + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-7bjqt", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "Default", + "enableServiceLinks": true, + "nodeName": "k3d-uds-server-0", + "nodeSelector": { + "kubernetes.io/os": "linux" + }, + "preemptionPolicy": "PreemptLowerPriority", + "priority": 2000000000, + "priorityClassName": "system-cluster-critical", + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": {}, + "serviceAccount": "coredns", + "serviceAccountName": "coredns", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "key": "CriticalAddonsOnly", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node-role.kubernetes.io/control-plane", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node-role.kubernetes.io/master", + "operator": "Exists" + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "topologySpreadConstraints": [ + { + "labelSelector": { + "matchLabels": { + "k8s-app": "kube-dns" + } + }, + "maxSkew": 1, + "topologyKey": "kubernetes.io/hostname", + "whenUnsatisfiable": "DoNotSchedule" + } + ], + "volumes": [ + { + "configMap": { + "defaultMode": 420, + "items": [ + { + "key": "Corefile", + "path": "Corefile" + }, + { + "key": "NodeHosts", + "path": "NodeHosts" + } + ], + "name": "coredns" + }, + "name": "config-volume" + }, + { + "configMap": { + "defaultMode": 420, + "name": "coredns-custom", + "optional": true + }, + "name": "custom-config-volume" + }, + { + "name": "kube-api-access-7bjqt", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:21:51Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:21:50Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:21:51Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:21:51Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:21:50Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://8ec9910459f9fde24c470d4d30c08fcc0cc8b6578e9025a59136396ab91e2ea8", + "image": "docker.io/rancher/mirrored-coredns-coredns:1.10.1", + "imageID": "docker.io/rancher/mirrored-coredns-coredns@sha256:a11fafae1f8037cbbd66c5afa40ba2423936b72b4fd50a7034a7e8b955163594", + "lastState": {}, + "name": "coredns", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:21:51Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "phase": "Running", + "podIP": "10.42.0.10", + "podIPs": [ + { + "ip": "10.42.0.10" + } + ], + "qosClass": "Burstable", + "startTime": "2024-07-15T19:21:50Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "checksum/secret": "5944c97d04b79de507bf45171f9cc5a207b0edbfe79b85beed66145312c9a6d5" + }, + "creationTimestamp": "2024-07-15T19:22:43Z", + "generateName": "zarf-docker-registry-5df7748994-", + "labels": { + "app": "docker-registry", + "pod-template-hash": "5df7748994", + "release": "zarf-docker-registry", + "zarf.dev/agent": "ignore" + }, + "name": "zarf-docker-registry-5df7748994-wv45k", + "namespace": "zarf", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "zarf-docker-registry-5df7748994", + "uid": "d0616098-3a93-4a57-a8f3-0214bcfcdaf3" + } + ], + "resourceVersion": "877", + "uid": "5edae467-72ca-46d7-924f-de8c81cdfc88" + }, + "spec": { + "affinity": { + "podAffinity": { + "preferredDuringSchedulingIgnoredDuringExecution": [ + { + "podAffinityTerm": { + "labelSelector": { + "matchExpressions": [ + { + "key": "app", + "operator": "In", + "values": [ + "docker-registry" + ] + } + ] + }, + "topologyKey": "kubernetes.io/hostname" + }, + "weight": 100 + } + ] + } + }, + "containers": [ + { + "command": [ + "/bin/registry", + "serve", + "/etc/docker/registry/config.yml" + ], + "env": [ + { + "name": "REGISTRY_AUTH", + "value": "htpasswd" + }, + { + "name": "REGISTRY_AUTH_HTPASSWD_REALM", + "value": "Registry Realm" + }, + { + "name": "REGISTRY_AUTH_HTPASSWD_PATH", + "value": "/etc/docker/registry/htpasswd" + }, + { + "name": "REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY", + "value": "/var/lib/registry" + }, + { + "name": "REGISTRY_STORAGE_DELETE_ENABLED", + "value": "true" + } + ], + "image": "127.0.0.1:31999/library/registry:2.8.3", + "imagePullPolicy": "IfNotPresent", + "livenessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/", + "port": 5000, + "scheme": "HTTP" + }, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "name": "docker-registry", + "ports": [ + { + "containerPort": 5000, + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/", + "port": 5000, + "scheme": "HTTP" + }, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "resources": { + "limits": { + "cpu": "3", + "memory": "2Gi" + }, + "requests": { + "cpu": "100m", + "memory": "256Mi" + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/lib/registry/", + "name": "data" + }, + { + "mountPath": "/etc/docker/registry", + "name": "config" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-htsj8", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 2000001000, + "priorityClassName": "system-node-critical", + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "fsGroup": 1000, + "runAsUser": 1000 + }, + "serviceAccount": "default", + "serviceAccountName": "default", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "name": "config", + "secret": { + "defaultMode": 420, + "items": [ + { + "key": "configData", + "path": "config.yml" + }, + { + "key": "htpasswd", + "path": "htpasswd" + } + ], + "secretName": "zarf-docker-registry-secret" + } + }, + { + "name": "data", + "persistentVolumeClaim": { + "claimName": "zarf-docker-registry" + } + }, + { + "name": "kube-api-access-htsj8", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:22:44Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:22:43Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:22:44Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:22:44Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:22:43Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://ad7e03c72e45aadd7a7e04fef67e8c0b71558b061540549c949ff1c8062ed91d", + "image": "127.0.0.1:31999/library/registry:2.8.3", + "imageID": "127.0.0.1:31999/library/registry@sha256:53ee3286cf0400c2ec957e31594c77439ec959e26ca00c8264c5ce521f7859ac", + "lastState": {}, + "name": "docker-registry", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:22:44Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "phase": "Running", + "podIP": "10.42.0.14", + "podIPs": [ + { + "ip": "10.42.0.14" + } + ], + "qosClass": "Burstable", + "startTime": "2024-07-15T19:22:43Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "creationTimestamp": "2024-07-15T19:22:48Z", + "generateName": "agent-hook-59ffcd5dc9-", + "labels": { + "app": "agent-hook", + "pod-template-hash": "59ffcd5dc9", + "zarf.dev/agent": "ignore" + }, + "name": "agent-hook-59ffcd5dc9-psr4z", + "namespace": "zarf", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "agent-hook-59ffcd5dc9", + "uid": "9a754d33-1d43-493e-b103-ec5e2b424813" + } + ], + "resourceVersion": "951", + "uid": "3cef1be4-d010-4241-abdf-980cd35a4545" + }, + "spec": { + "containers": [ + { + "image": "127.0.0.1:31999/defenseunicorns/zarf/agent:v0.35.0", + "imagePullPolicy": "IfNotPresent", + "livenessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/healthz", + "port": 8443, + "scheme": "HTTPS" + }, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "name": "server", + "ports": [ + { + "containerPort": 8443, + "protocol": "TCP" + } + ], + "resources": { + "limits": { + "cpu": "500m", + "memory": "128Mi" + }, + "requests": { + "cpu": "100m", + "memory": "32Mi" + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/certs", + "name": "tls-certs", + "readOnly": true + }, + { + "mountPath": "/.config", + "name": "config" + }, + { + "mountPath": "/etc/xdg", + "name": "xdg" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-x875g", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 2000001000, + "priorityClassName": "system-node-critical", + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": {}, + "serviceAccount": "zarf", + "serviceAccountName": "zarf", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "name": "tls-certs", + "secret": { + "defaultMode": 420, + "secretName": "agent-hook-tls" + } + }, + { + "emptyDir": {}, + "name": "config" + }, + { + "emptyDir": {}, + "name": "xdg" + }, + { + "name": "kube-api-access-x875g", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:22:50Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:22:49Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:22:50Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:22:50Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:22:48Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://9cc795de2a2bf1670e605802314bec0fe06349ede9d8f223fe7b5ad88aab4c61", + "image": "127.0.0.1:31999/defenseunicorns/zarf/agent:v0.35.0", + "imageID": "127.0.0.1:31999/defenseunicorns/zarf/agent@sha256:790f5523474c1e468177cec8095897c24fa4f6b44fe4b3c170ead4efccb33deb", + "lastState": {}, + "name": "server", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:22:50Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "phase": "Running", + "podIP": "10.42.0.16", + "podIPs": [ + { + "ip": "10.42.0.16" + } + ], + "qosClass": "Burstable", + "startTime": "2024-07-15T19:22:49Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "creationTimestamp": "2024-07-15T19:22:48Z", + "generateName": "agent-hook-59ffcd5dc9-", + "labels": { + "app": "agent-hook", + "pod-template-hash": "59ffcd5dc9", + "zarf.dev/agent": "ignore" + }, + "name": "agent-hook-59ffcd5dc9-km2n7", + "namespace": "zarf", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "agent-hook-59ffcd5dc9", + "uid": "9a754d33-1d43-493e-b103-ec5e2b424813" + } + ], + "resourceVersion": "955", + "uid": "a97ce80c-e562-46f3-929b-4b2f90cb4781" + }, + "spec": { + "containers": [ + { + "image": "127.0.0.1:31999/defenseunicorns/zarf/agent:v0.35.0", + "imagePullPolicy": "IfNotPresent", + "livenessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/healthz", + "port": 8443, + "scheme": "HTTPS" + }, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "name": "server", + "ports": [ + { + "containerPort": 8443, + "protocol": "TCP" + } + ], + "resources": { + "limits": { + "cpu": "500m", + "memory": "128Mi" + }, + "requests": { + "cpu": "100m", + "memory": "32Mi" + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/certs", + "name": "tls-certs", + "readOnly": true + }, + { + "mountPath": "/.config", + "name": "config" + }, + { + "mountPath": "/etc/xdg", + "name": "xdg" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-kwrgm", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 2000001000, + "priorityClassName": "system-node-critical", + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": {}, + "serviceAccount": "zarf", + "serviceAccountName": "zarf", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "name": "tls-certs", + "secret": { + "defaultMode": 420, + "secretName": "agent-hook-tls" + } + }, + { + "emptyDir": {}, + "name": "config" + }, + { + "emptyDir": {}, + "name": "xdg" + }, + { + "name": "kube-api-access-kwrgm", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:22:50Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:22:49Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:22:50Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:22:50Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:22:49Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://765eb72b9f732ad82195fa111ffc842a7327afd22e3ca36cb0764abf9cb5e30b", + "image": "127.0.0.1:31999/defenseunicorns/zarf/agent:v0.35.0", + "imageID": "127.0.0.1:31999/defenseunicorns/zarf/agent@sha256:790f5523474c1e468177cec8095897c24fa4f6b44fe4b3c170ead4efccb33deb", + "lastState": {}, + "name": "server", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:22:50Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "phase": "Running", + "podIP": "10.42.0.15", + "podIPs": [ + { + "ip": "10.42.0.15" + } + ], + "qosClass": "Burstable", + "startTime": "2024-07-15T19:22:49Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "prometheus.io/port": "15014", + "prometheus.io/scrape": "true", + "sidecar.istio.io/inject": "false" + }, + "creationTimestamp": "2024-07-15T19:23:10Z", + "generateName": "istiod-65d755df65-", + "labels": { + "app": "istiod", + "install.operator.istio.io/owning-resource": "unknown", + "istio": "pilot", + "istio.io/dataplane-mode": "none", + "istio.io/rev": "default", + "operator.istio.io/component": "Pilot", + "pod-template-hash": "65d755df65", + "sidecar.istio.io/inject": "false", + "zarf-agent": "patched" + }, + "name": "istiod-65d755df65-wqqv4", + "namespace": "istio-system", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "istiod-65d755df65", + "uid": "8c0fcf4c-a8a6-457e-a746-213fe5b10d14" + } + ], + "resourceVersion": "1137", + "uid": "f2441ec0-38ba-4b6c-94f7-f0e6023facf9" + }, + "spec": { + "containers": [ + { + "args": [ + "discovery", + "--monitoringAddr=:15014", + "--log_output_level=default:info", + "--domain", + "cluster.local", + "--keepaliveMaxServerConnectionAge", + "30m" + ], + "env": [ + { + "name": "REVISION", + "value": "default" + }, + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "KUBECONFIG", + "value": "/var/run/secrets/remote/config" + }, + { + "name": "PILOT_JWT_ENABLE_REMOTE_JWKS", + "value": "hybrid" + }, + { + "name": "PILOT_TRACE_SAMPLING", + "value": "1" + }, + { + "name": "PILOT_ENABLE_ANALYSIS", + "value": "false" + }, + { + "name": "CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PLATFORM" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-pilot-fips:1.22.2-zarf-1946820730", + "imagePullPolicy": "IfNotPresent", + "name": "discovery", + "ports": [ + { + "containerPort": 8080, + "protocol": "TCP" + }, + { + "containerPort": 15010, + "protocol": "TCP" + }, + { + "containerPort": 15017, + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/ready", + "port": 8080, + "scheme": "HTTP" + }, + "initialDelaySeconds": 1, + "periodSeconds": 3, + "successThreshold": 1, + "timeoutSeconds": 5 + }, + "resources": { + "requests": { + "cpu": "500m", + "memory": "2Gi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "readOnlyRootFilesystem": true, + "runAsNonRoot": true + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token", + "readOnly": true + }, + { + "mountPath": "/var/run/secrets/istio-dns", + "name": "local-certs" + }, + { + "mountPath": "/etc/cacerts", + "name": "cacerts", + "readOnly": true + }, + { + "mountPath": "/var/run/secrets/remote", + "name": "istio-kubeconfig", + "readOnly": true + }, + { + "mountPath": "/var/run/secrets/istiod/tls", + "name": "istio-csr-dns-cert", + "readOnly": true + }, + { + "mountPath": "/var/run/secrets/istiod/ca", + "name": "istio-csr-ca-configmap", + "readOnly": true + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-s75s7", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": {}, + "serviceAccount": "istiod", + "serviceAccountName": "istiod", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "key": "cni.istio.io/not-ready", + "operator": "Exists" + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": { + "medium": "Memory" + }, + "name": "local-certs" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "name": "cacerts", + "secret": { + "defaultMode": 420, + "optional": true, + "secretName": "cacerts" + } + }, + { + "name": "istio-kubeconfig", + "secret": { + "defaultMode": 420, + "optional": true, + "secretName": "istio-kubeconfig" + } + }, + { + "name": "istio-csr-dns-cert", + "secret": { + "defaultMode": 420, + "optional": true, + "secretName": "istiod-tls" + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert", + "optional": true + }, + "name": "istio-csr-ca-configmap" + }, + { + "name": "kube-api-access-s75s7", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:23:11Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:23:10Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:23:12Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:23:12Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:23:10Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://8b2948f7be4e06016ba417ebb0b567cca7fe3b22c8463bea0cf070b19ef7fe6a", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-pilot-fips:1.22.2-zarf-1946820730", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-pilot-fips@sha256:d62df1d72be6182a41ecb7259b195e6b7bd28c0301fe7f46126187e6601f5f20", + "lastState": {}, + "name": "discovery", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:23:11Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "phase": "Running", + "podIP": "10.42.0.17", + "podIPs": [ + { + "ip": "10.42.0.17" + } + ], + "qosClass": "Burstable", + "startTime": "2024-07-15T19:23:10Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "inject.istio.io/templates": "gateway", + "istio.io/rev": "default", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "proxy.istio.io/overrides": "{\"containers\":[{\"name\":\"istio-proxy\",\"ports\":[{\"name\":\"http-envoy-prom\",\"containerPort\":15090,\"protocol\":\"TCP\"}],\"resources\":{\"limits\":{\"cpu\":\"2\",\"memory\":\"1Gi\"},\"requests\":{\"cpu\":\"100m\",\"memory\":\"128Mi\"}},\"volumeMounts\":[{\"name\":\"kube-api-access-48f5b\",\"readOnly\":true,\"mountPath\":\"/var/run/secrets/kubernetes.io/serviceaccount\"}],\"terminationMessagePath\":\"/dev/termination-log\",\"terminationMessagePolicy\":\"File\",\"imagePullPolicy\":\"Always\",\"securityContext\":{\"capabilities\":{\"drop\":[\"ALL\"]},\"privileged\":false,\"runAsUser\":1337,\"runAsGroup\":1337,\"runAsNonRoot\":true,\"readOnlyRootFilesystem\":true,\"allowPrivilegeEscalation\":false}}]}", + "sidecar.istio.io/inject": "true", + "sidecar.istio.io/status": "{\"initContainers\":null,\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}" + }, + "creationTimestamp": "2024-07-15T19:23:17Z", + "generateName": "admin-ingressgateway-65c568569f-", + "labels": { + "app": "admin-ingressgateway", + "istio": "admin-ingressgateway", + "pod-template-hash": "65c568569f", + "service.istio.io/canonical-name": "admin-ingressgateway", + "service.istio.io/canonical-revision": "latest", + "sidecar.istio.io/inject": "true", + "zarf-agent": "patched" + }, + "name": "admin-ingressgateway-65c568569f-nssjx", + "namespace": "istio-admin-gateway", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "admin-ingressgateway-65c568569f", + "uid": "4807fa82-ff07-41b5-bba9-e9aa4433dd38" + } + ], + "resourceVersion": "1211", + "uid": "b390a7ed-b997-4236-80dc-d7c2d3b1ead3" + }, + "spec": { + "containers": [ + { + "args": [ + "proxy", + "router", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"name\":\"http-envoy-prom\",\"containerPort\":15090,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_APP_CONTAINERS" + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "admin-ingressgateway" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/istio-admin-gateway/deployments/admin-ingressgateway" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "Always", + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-48f5b", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "sysctls": [ + { + "name": "net.ipv4.ip_unprivileged_port_start", + "value": "0" + } + ] + }, + "serviceAccount": "admin-ingressgateway", + "serviceAccountName": "admin-ingressgateway", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "kube-api-access-48f5b", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:23:18Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:23:17Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:23:19Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:23:19Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:23:17Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://4aeab66391eea771294a630f113c82c039de7b48bc70cb502bc03aabda8624b7", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:23:18Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "phase": "Running", + "podIP": "10.42.0.18", + "podIPs": [ + { + "ip": "10.42.0.18" + } + ], + "qosClass": "Burstable", + "startTime": "2024-07-15T19:23:17Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "inject.istio.io/templates": "gateway", + "istio.io/rev": "default", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "proxy.istio.io/overrides": "{\"containers\":[{\"name\":\"istio-proxy\",\"ports\":[{\"name\":\"http-envoy-prom\",\"containerPort\":15090,\"protocol\":\"TCP\"}],\"resources\":{\"limits\":{\"cpu\":\"2\",\"memory\":\"1Gi\"},\"requests\":{\"cpu\":\"100m\",\"memory\":\"128Mi\"}},\"volumeMounts\":[{\"name\":\"kube-api-access-2smgd\",\"readOnly\":true,\"mountPath\":\"/var/run/secrets/kubernetes.io/serviceaccount\"}],\"terminationMessagePath\":\"/dev/termination-log\",\"terminationMessagePolicy\":\"File\",\"imagePullPolicy\":\"Always\",\"securityContext\":{\"capabilities\":{\"drop\":[\"ALL\"]},\"privileged\":false,\"runAsUser\":1337,\"runAsGroup\":1337,\"runAsNonRoot\":true,\"readOnlyRootFilesystem\":true,\"allowPrivilegeEscalation\":false}}]}", + "sidecar.istio.io/inject": "true", + "sidecar.istio.io/status": "{\"initContainers\":null,\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}" + }, + "creationTimestamp": "2024-07-15T19:23:23Z", + "generateName": "tenant-ingressgateway-79d5d77d67-", + "labels": { + "app": "tenant-ingressgateway", + "istio": "tenant-ingressgateway", + "pod-template-hash": "79d5d77d67", + "service.istio.io/canonical-name": "tenant-ingressgateway", + "service.istio.io/canonical-revision": "latest", + "sidecar.istio.io/inject": "true", + "zarf-agent": "patched" + }, + "name": "tenant-ingressgateway-79d5d77d67-fdcrk", + "namespace": "istio-tenant-gateway", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "tenant-ingressgateway-79d5d77d67", + "uid": "4e8436d1-1a72-48c2-8401-029d6a88e0be" + } + ], + "resourceVersion": "1266", + "uid": "be7b37b2-96ba-41d3-a5f9-6b546cedd6c0" + }, + "spec": { + "containers": [ + { + "args": [ + "proxy", + "router", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"name\":\"http-envoy-prom\",\"containerPort\":15090,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_APP_CONTAINERS" + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "tenant-ingressgateway" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/istio-tenant-gateway/deployments/tenant-ingressgateway" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "Always", + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-2smgd", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "sysctls": [ + { + "name": "net.ipv4.ip_unprivileged_port_start", + "value": "0" + } + ] + }, + "serviceAccount": "tenant-ingressgateway", + "serviceAccountName": "tenant-ingressgateway", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "kube-api-access-2smgd", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:23:23Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:23:23Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:23:24Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:23:24Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:23:23Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://9411159858b495e26067084207456676f7b2182273670876fdce8ff2770a5e55", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:23:23Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "phase": "Running", + "podIP": "10.42.0.19", + "podIPs": [ + { + "ip": "10.42.0.19" + } + ], + "qosClass": "Burstable", + "startTime": "2024-07-15T19:23:23Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "inject.istio.io/templates": "gateway", + "istio.io/rev": "default", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "proxy.istio.io/overrides": "{\"containers\":[{\"name\":\"istio-proxy\",\"ports\":[{\"name\":\"http-envoy-prom\",\"containerPort\":15090,\"protocol\":\"TCP\"}],\"resources\":{\"limits\":{\"cpu\":\"2\",\"memory\":\"1Gi\"},\"requests\":{\"cpu\":\"100m\",\"memory\":\"128Mi\"}},\"volumeMounts\":[{\"name\":\"kube-api-access-d8nvq\",\"readOnly\":true,\"mountPath\":\"/var/run/secrets/kubernetes.io/serviceaccount\"}],\"terminationMessagePath\":\"/dev/termination-log\",\"terminationMessagePolicy\":\"File\",\"imagePullPolicy\":\"Always\",\"securityContext\":{\"capabilities\":{\"drop\":[\"ALL\"]},\"privileged\":false,\"runAsUser\":1337,\"runAsGroup\":1337,\"runAsNonRoot\":true,\"readOnlyRootFilesystem\":true,\"allowPrivilegeEscalation\":false}}]}", + "sidecar.istio.io/inject": "true", + "sidecar.istio.io/status": "{\"initContainers\":null,\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}" + }, + "creationTimestamp": "2024-07-15T19:23:27Z", + "generateName": "passthrough-ingressgateway-77f78c89b5-", + "labels": { + "app": "passthrough-ingressgateway", + "istio": "passthrough-ingressgateway", + "pod-template-hash": "77f78c89b5", + "service.istio.io/canonical-name": "passthrough-ingressgateway", + "service.istio.io/canonical-revision": "latest", + "sidecar.istio.io/inject": "true", + "zarf-agent": "patched" + }, + "name": "passthrough-ingressgateway-77f78c89b5-pm8qs", + "namespace": "istio-passthrough-gateway", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "passthrough-ingressgateway-77f78c89b5", + "uid": "78cc1423-b80a-4b9c-8f1b-3d59b7f75c53" + } + ], + "resourceVersion": "1329", + "uid": "f7217d2e-6486-4eaf-8629-2912fd29a340" + }, + "spec": { + "containers": [ + { + "args": [ + "proxy", + "router", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"name\":\"http-envoy-prom\",\"containerPort\":15090,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_APP_CONTAINERS" + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "passthrough-ingressgateway" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/istio-passthrough-gateway/deployments/passthrough-ingressgateway" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "Always", + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-d8nvq", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "sysctls": [ + { + "name": "net.ipv4.ip_unprivileged_port_start", + "value": "0" + } + ] + }, + "serviceAccount": "passthrough-ingressgateway", + "serviceAccountName": "passthrough-ingressgateway", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "kube-api-access-d8nvq", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:23:27Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:23:27Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:23:29Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:23:29Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:23:27Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://7b990fded25b108e98eb26bedf084d992082372b787056fb359418047b26777e", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:23:27Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "phase": "Running", + "podIP": "10.42.0.20", + "podIPs": [ + { + "ip": "10.42.0.20" + } + ], + "qosClass": "Burstable", + "startTime": "2024-07-15T19:23:27Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "buildTimestamp": "1721071155270", + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "server", + "kubectl.kubernetes.io/default-logs-container": "server", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}" + }, + "creationTimestamp": "2024-07-15T19:23:31Z", + "generateName": "pepr-uds-core-5c765b95fc-", + "labels": { + "app": "pepr-uds-core", + "pepr.dev/controller": "admission", + "pod-template-hash": "5c765b95fc", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "pepr-uds-core", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": "pepr-uds-core-5c765b95fc-cfkkk", + "namespace": "pepr-system", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "pepr-uds-core-5c765b95fc", + "uid": "0a1532c3-713f-43e5-a524-162af59e0d07" + } + ], + "resourceVersion": "1482", + "uid": "a2ac1d4c-cee9-4329-8d30-c0843aae66c1" + }, + "spec": { + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"containerPort\":3000,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "server" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "pepr-uds-core" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/pepr-system/deployments/pepr-uds-core" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + }, + { + "name": "ISTIO_KUBE_APP_PROBERS", + "value": "{\"/app-health/server/livez\":{\"httpGet\":{\"path\":\"/healthz\",\"port\":3000,\"scheme\":\"HTTPS\"},\"timeoutSeconds\":1},\"/app-health/server/readyz\":{\"httpGet\":{\"path\":\"/healthz\",\"port\":3000,\"scheme\":\"HTTPS\"},\"timeoutSeconds\":1}}" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-tzqh9", + "readOnly": true + } + ] + }, + { + "command": [ + "node", + "/app/node_modules/pepr/dist/controller.js", + "835918263d02780c552f9239598a5cb88b1b630ef35cec16e2886ab5e64ee9e9" + ], + "env": [ + { + "name": "PEPR_WATCH_MODE", + "value": "false" + }, + { + "name": "PEPR_PRETTY_LOG", + "value": "false" + }, + { + "name": "LOG_LEVEL", + "value": "info" + }, + { + "name": "UDS_DOMAIN", + "value": "uds.dev" + }, + { + "name": "UDS_CA_CERT" + }, + { + "name": "UDS_ALLOW_ALL_NS_EXEMPTIONS", + "value": "###ZARF_VAR_ALLOW_ALL_NS_EXEMPTIONS###" + }, + { + "name": "UDS_SINGLE_TEST", + "value": "###ZARF_VAR_UDS_SINGLE_TEST###" + }, + { + "name": "UDS_LOG_LEVEL", + "value": "###ZARF_VAR_UDS_LOG_LEVEL###" + } + ], + "image": "127.0.0.1:31999/defenseunicorns/pepr/controller:v0.32.6-zarf-804409620", + "imagePullPolicy": "IfNotPresent", + "livenessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/app-health/server/livez", + "port": 15020, + "scheme": "HTTP" + }, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "name": "server", + "ports": [ + { + "containerPort": 3000, + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/app-health/server/readyz", + "port": 15020, + "scheme": "HTTP" + }, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "resources": { + "limits": { + "cpu": "500m", + "memory": "256Mi" + }, + "requests": { + "cpu": "100m", + "memory": "64Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "runAsGroup": 65532, + "runAsNonRoot": true, + "runAsUser": 65532 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/certs", + "name": "tls-certs", + "readOnly": true + }, + { + "mountPath": "/app/api-token", + "name": "api-token", + "readOnly": true + }, + { + "mountPath": "/app/load", + "name": "module", + "readOnly": true + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-tzqh9", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-tzqh9", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 2000001000, + "priorityClassName": "system-node-critical", + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "fsGroup": 65532, + "runAsGroup": 65532, + "runAsNonRoot": true, + "runAsUser": 65532 + }, + "serviceAccount": "pepr-uds-core", + "serviceAccountName": "pepr-uds-core", + "terminationGracePeriodSeconds": 5, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "tls-certs", + "secret": { + "defaultMode": 420, + "secretName": "pepr-uds-core-tls" + } + }, + { + "name": "api-token", + "secret": { + "defaultMode": 420, + "secretName": "pepr-uds-core-api-token" + } + }, + { + "name": "module", + "secret": { + "defaultMode": 420, + "secretName": "pepr-uds-core-module" + } + }, + { + "name": "kube-api-access-tzqh9", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:23:33Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:23:33Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:23:39Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:23:39Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:23:31Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://159d6f4b88ac8016e5a92934206b51f21c0061c500bce0c153b4e82a7ad8bf4d", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:23:33Z" + } + } + }, + { + "containerID": "containerd://6b1f6abf4bc9fbe85a28145ac16c4f5bf3f3e1479c039b5eff81426c826e60b0", + "image": "127.0.0.1:31999/defenseunicorns/pepr/controller:v0.32.6-zarf-804409620", + "imageID": "127.0.0.1:31999/defenseunicorns/pepr/controller@sha256:9beb7acd16dbae3d14b10faa0e6f74efb755481025f0b970f160a53a773e1668", + "lastState": {}, + "name": "server", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:23:35Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "initContainerStatuses": [ + { + "containerID": "containerd://7a8f7f63cf2f2c10e696e21bd6256c496789edfd01d785ea77d7468ab0db4826", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://7a8f7f63cf2f2c10e696e21bd6256c496789edfd01d785ea77d7468ab0db4826", + "exitCode": 0, + "finishedAt": "2024-07-15T19:23:32Z", + "reason": "Completed", + "startedAt": "2024-07-15T19:23:32Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.23", + "podIPs": [ + { + "ip": "10.42.0.23" + } + ], + "qosClass": "Burstable", + "startTime": "2024-07-15T19:23:31Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "buildTimestamp": "1721071155270", + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "watcher", + "kubectl.kubernetes.io/default-logs-container": "watcher", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}" + }, + "creationTimestamp": "2024-07-15T19:23:31Z", + "generateName": "pepr-uds-core-watcher-66b655ddf4-", + "labels": { + "app": "pepr-uds-core-watcher", + "pepr.dev/controller": "watcher", + "pod-template-hash": "66b655ddf4", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "pepr-uds-core-watcher", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": "pepr-uds-core-watcher-66b655ddf4-bpq9g", + "namespace": "pepr-system", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "pepr-uds-core-watcher-66b655ddf4", + "uid": "ae364113-5898-474f-bcd1-286861bb69fe" + } + ], + "resourceVersion": "1490", + "uid": "84585c9d-6165-4901-bde2-9f98761d74cd" + }, + "spec": { + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"containerPort\":3000,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "watcher" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "pepr-uds-core-watcher" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/pepr-system/deployments/pepr-uds-core-watcher" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + }, + { + "name": "ISTIO_KUBE_APP_PROBERS", + "value": "{\"/app-health/watcher/livez\":{\"httpGet\":{\"path\":\"/healthz\",\"port\":3000,\"scheme\":\"HTTPS\"},\"timeoutSeconds\":1},\"/app-health/watcher/readyz\":{\"httpGet\":{\"path\":\"/healthz\",\"port\":3000,\"scheme\":\"HTTPS\"},\"timeoutSeconds\":1}}" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-8kh7x", + "readOnly": true + } + ] + }, + { + "command": [ + "node", + "/app/node_modules/pepr/dist/controller.js", + "835918263d02780c552f9239598a5cb88b1b630ef35cec16e2886ab5e64ee9e9" + ], + "env": [ + { + "name": "PEPR_WATCH_MODE", + "value": "true" + }, + { + "name": "PEPR_PRETTY_LOG", + "value": "false" + }, + { + "name": "LOG_LEVEL", + "value": "info" + }, + { + "name": "UDS_DOMAIN", + "value": "uds.dev" + }, + { + "name": "UDS_CA_CERT" + }, + { + "name": "UDS_ALLOW_ALL_NS_EXEMPTIONS", + "value": "###ZARF_VAR_ALLOW_ALL_NS_EXEMPTIONS###" + }, + { + "name": "UDS_SINGLE_TEST", + "value": "###ZARF_VAR_UDS_SINGLE_TEST###" + }, + { + "name": "UDS_LOG_LEVEL", + "value": "###ZARF_VAR_UDS_LOG_LEVEL###" + } + ], + "image": "127.0.0.1:31999/defenseunicorns/pepr/controller:v0.32.6-zarf-804409620", + "imagePullPolicy": "IfNotPresent", + "livenessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/app-health/watcher/livez", + "port": 15020, + "scheme": "HTTP" + }, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "name": "watcher", + "ports": [ + { + "containerPort": 3000, + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/app-health/watcher/readyz", + "port": 15020, + "scheme": "HTTP" + }, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "resources": { + "limits": { + "cpu": "500m", + "memory": "256Mi" + }, + "requests": { + "cpu": "100m", + "memory": "64Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "runAsGroup": 65532, + "runAsNonRoot": true, + "runAsUser": 65532 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/certs", + "name": "tls-certs", + "readOnly": true + }, + { + "mountPath": "/app/load", + "name": "module", + "readOnly": true + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-8kh7x", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-8kh7x", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "fsGroup": 65532, + "runAsGroup": 65532, + "runAsNonRoot": true, + "runAsUser": 65532 + }, + "serviceAccount": "pepr-uds-core", + "serviceAccountName": "pepr-uds-core", + "terminationGracePeriodSeconds": 5, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "tls-certs", + "secret": { + "defaultMode": 420, + "secretName": "pepr-uds-core-tls" + } + }, + { + "name": "module", + "secret": { + "defaultMode": 420, + "secretName": "pepr-uds-core-module" + } + }, + { + "name": "kube-api-access-8kh7x", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:23:33Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:23:33Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:23:42Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:23:42Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:23:31Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://85d64001599c5308e7c2e71ca09ef22053485a6289acba3ea4769a8354ef6e4b", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:23:33Z" + } + } + }, + { + "containerID": "containerd://a862028611efdf0c258a1b76c8c5cbd3604dc1b5a83699d6ec92839e151260df", + "image": "127.0.0.1:31999/defenseunicorns/pepr/controller:v0.32.6-zarf-804409620", + "imageID": "127.0.0.1:31999/defenseunicorns/pepr/controller@sha256:9beb7acd16dbae3d14b10faa0e6f74efb755481025f0b970f160a53a773e1668", + "lastState": {}, + "name": "watcher", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:23:35Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "initContainerStatuses": [ + { + "containerID": "containerd://71e6351114992f381e3e8b171786010b883e76b800d597adb1f3258de12c9f84", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://71e6351114992f381e3e8b171786010b883e76b800d597adb1f3258de12c9f84", + "exitCode": 0, + "finishedAt": "2024-07-15T19:23:32Z", + "reason": "Completed", + "startedAt": "2024-07-15T19:23:32Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.21", + "podIPs": [ + { + "ip": "10.42.0.21" + } + ], + "qosClass": "Burstable", + "startTime": "2024-07-15T19:23:31Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "buildTimestamp": "1721071155270", + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "server", + "kubectl.kubernetes.io/default-logs-container": "server", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}" + }, + "creationTimestamp": "2024-07-15T19:23:31Z", + "generateName": "pepr-uds-core-5c765b95fc-", + "labels": { + "app": "pepr-uds-core", + "pepr.dev/controller": "admission", + "pod-template-hash": "5c765b95fc", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "pepr-uds-core", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": "pepr-uds-core-5c765b95fc-67xnv", + "namespace": "pepr-system", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "pepr-uds-core-5c765b95fc", + "uid": "0a1532c3-713f-43e5-a524-162af59e0d07" + } + ], + "resourceVersion": "1494", + "uid": "369da40a-d38b-4d0c-97ef-727debbd0746" + }, + "spec": { + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"containerPort\":3000,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "server" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "pepr-uds-core" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/pepr-system/deployments/pepr-uds-core" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + }, + { + "name": "ISTIO_KUBE_APP_PROBERS", + "value": "{\"/app-health/server/livez\":{\"httpGet\":{\"path\":\"/healthz\",\"port\":3000,\"scheme\":\"HTTPS\"},\"timeoutSeconds\":1},\"/app-health/server/readyz\":{\"httpGet\":{\"path\":\"/healthz\",\"port\":3000,\"scheme\":\"HTTPS\"},\"timeoutSeconds\":1}}" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-vm8xd", + "readOnly": true + } + ] + }, + { + "command": [ + "node", + "/app/node_modules/pepr/dist/controller.js", + "835918263d02780c552f9239598a5cb88b1b630ef35cec16e2886ab5e64ee9e9" + ], + "env": [ + { + "name": "PEPR_WATCH_MODE", + "value": "false" + }, + { + "name": "PEPR_PRETTY_LOG", + "value": "false" + }, + { + "name": "LOG_LEVEL", + "value": "info" + }, + { + "name": "UDS_DOMAIN", + "value": "uds.dev" + }, + { + "name": "UDS_CA_CERT" + }, + { + "name": "UDS_ALLOW_ALL_NS_EXEMPTIONS", + "value": "###ZARF_VAR_ALLOW_ALL_NS_EXEMPTIONS###" + }, + { + "name": "UDS_SINGLE_TEST", + "value": "###ZARF_VAR_UDS_SINGLE_TEST###" + }, + { + "name": "UDS_LOG_LEVEL", + "value": "###ZARF_VAR_UDS_LOG_LEVEL###" + } + ], + "image": "127.0.0.1:31999/defenseunicorns/pepr/controller:v0.32.6-zarf-804409620", + "imagePullPolicy": "IfNotPresent", + "livenessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/app-health/server/livez", + "port": 15020, + "scheme": "HTTP" + }, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "name": "server", + "ports": [ + { + "containerPort": 3000, + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/app-health/server/readyz", + "port": 15020, + "scheme": "HTTP" + }, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "resources": { + "limits": { + "cpu": "500m", + "memory": "256Mi" + }, + "requests": { + "cpu": "100m", + "memory": "64Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "runAsGroup": 65532, + "runAsNonRoot": true, + "runAsUser": 65532 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/certs", + "name": "tls-certs", + "readOnly": true + }, + { + "mountPath": "/app/api-token", + "name": "api-token", + "readOnly": true + }, + { + "mountPath": "/app/load", + "name": "module", + "readOnly": true + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-vm8xd", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-vm8xd", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 2000001000, + "priorityClassName": "system-node-critical", + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "fsGroup": 65532, + "runAsGroup": 65532, + "runAsNonRoot": true, + "runAsUser": 65532 + }, + "serviceAccount": "pepr-uds-core", + "serviceAccountName": "pepr-uds-core", + "terminationGracePeriodSeconds": 5, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "tls-certs", + "secret": { + "defaultMode": 420, + "secretName": "pepr-uds-core-tls" + } + }, + { + "name": "api-token", + "secret": { + "defaultMode": 420, + "secretName": "pepr-uds-core-api-token" + } + }, + { + "name": "module", + "secret": { + "defaultMode": 420, + "secretName": "pepr-uds-core-module" + } + }, + { + "name": "kube-api-access-vm8xd", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:23:33Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:23:33Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:23:42Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:23:42Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:23:31Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://52bc399613ee525613fafce8448b2730eac0057149186f0d384d32df86da986e", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:23:33Z" + } + } + }, + { + "containerID": "containerd://e1999cff8e62631cd329f06102304e60a0d628d306b75af300981b2f9bc86ef4", + "image": "127.0.0.1:31999/defenseunicorns/pepr/controller:v0.32.6-zarf-804409620", + "imageID": "127.0.0.1:31999/defenseunicorns/pepr/controller@sha256:9beb7acd16dbae3d14b10faa0e6f74efb755481025f0b970f160a53a773e1668", + "lastState": {}, + "name": "server", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:23:35Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "initContainerStatuses": [ + { + "containerID": "containerd://82d343ee90dcedec09af8c07d37a7b9d8821cc2ae8a7ff3c09101da41238e40f", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://82d343ee90dcedec09af8c07d37a7b9d8821cc2ae8a7ff3c09101da41238e40f", + "exitCode": 0, + "finishedAt": "2024-07-15T19:23:32Z", + "reason": "Completed", + "startedAt": "2024-07-15T19:23:32Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.22", + "podIPs": [ + { + "ip": "10.42.0.22" + } + ], + "qosClass": "Burstable", + "startTime": "2024-07-15T19:23:31Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "metrics-server", + "kubectl.kubernetes.io/default-logs-container": "metrics-server", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": "[\"require-non-root-user\",\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded" + }, + "creationTimestamp": "2024-07-15T19:23:46Z", + "generateName": "metrics-server-6bcc744c5f-", + "labels": { + "app.kubernetes.io/instance": "metrics-server", + "app.kubernetes.io/name": "metrics-server", + "pod-template-hash": "6bcc744c5f", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "metrics-server", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": "metrics-server-6bcc744c5f-mbrrc", + "namespace": "metrics-server", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "metrics-server-6bcc744c5f", + "uid": "2d94087c-2ea1-4028-8ca6-936caad2069a" + } + ], + "resourceVersion": "1610", + "uid": "0ad94ed4-3b0d-4cb8-a75e-d00843f62f51" + }, + "spec": { + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"name\":\"https\",\"containerPort\":10250,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "metrics-server" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "metrics-server" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/metrics-server/deployments/metrics-server" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + }, + { + "name": "ISTIO_KUBE_APP_PROBERS", + "value": "{\"/app-health/metrics-server/livez\":{\"httpGet\":{\"path\":\"/livez\",\"port\":10250,\"scheme\":\"HTTPS\"},\"timeoutSeconds\":1},\"/app-health/metrics-server/readyz\":{\"httpGet\":{\"path\":\"/readyz\",\"port\":10250,\"scheme\":\"HTTPS\"},\"timeoutSeconds\":1}}" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-q52dc", + "readOnly": true + } + ] + }, + { + "args": [ + "--secure-port=10250", + "--cert-dir=/tmp", + "--kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname", + "--kubelet-use-node-status-port", + "--metric-resolution=15s", + "--authorization-always-allow-paths=/metrics" + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/metrics-server-fips:0.7.1-zarf-2411220177", + "imagePullPolicy": "IfNotPresent", + "livenessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/app-health/metrics-server/livez", + "port": 15020, + "scheme": "HTTP" + }, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "name": "metrics-server", + "ports": [ + { + "containerPort": 10250, + "name": "https", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 5, + "httpGet": { + "path": "/app-health/metrics-server/readyz", + "port": 15020, + "scheme": "HTTP" + }, + "initialDelaySeconds": 10, + "periodSeconds": 5, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "resources": { + "requests": { + "cpu": "100m", + "memory": "200Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "readOnlyRootFilesystem": true, + "runAsNonRoot": true, + "runAsUser": 1000, + "seccompProfile": { + "type": "RuntimeDefault" + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/tmp", + "name": "tmp" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-q52dc", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-q52dc", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 2000000000, + "priorityClassName": "system-cluster-critical", + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "runAsGroup": 1000, + "runAsNonRoot": true, + "runAsUser": 1000 + }, + "serviceAccount": "metrics-server", + "serviceAccountName": "metrics-server", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "emptyDir": {}, + "name": "tmp" + }, + { + "name": "kube-api-access-q52dc", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:23:47Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:23:48Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:24:01Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:24:01Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:23:46Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://553557fcf02f2346baa5f4929a879fc18655109c0330da309876921b309fe5ff", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:23:48Z" + } + } + }, + { + "containerID": "containerd://abad4d35d31bae601c8308445e98f5e8f28141815cee4f519523058ede4126f4", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/metrics-server-fips:0.7.1-zarf-2411220177", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/metrics-server-fips@sha256:9803ec7418a3c45dcc3841f796cca2d64e35e5efa383109411b6f161d38e451a", + "lastState": {}, + "name": "metrics-server", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:23:49Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "initContainerStatuses": [ + { + "containerID": "containerd://eb242f86d299ce544be7544c712a261c6bed0c615f1f0511aba4a391bf79a003", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://eb242f86d299ce544be7544c712a261c6bed0c615f1f0511aba4a391bf79a003", + "exitCode": 0, + "finishedAt": "2024-07-15T19:23:46Z", + "reason": "Completed", + "startedAt": "2024-07-15T19:23:46Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.24", + "podIPs": [ + { + "ip": "10.42.0.24" + } + ], + "qosClass": "Burstable", + "startTime": "2024-07-15T19:23:46Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "keycloak", + "kubectl.kubernetes.io/default-logs-container": "keycloak", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": "[\"require-non-root-user\",\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded" + }, + "creationTimestamp": "2024-07-15T19:24:10Z", + "generateName": "keycloak-", + "labels": { + "app.kubernetes.io/instance": "keycloak", + "app.kubernetes.io/name": "keycloak", + "apps.kubernetes.io/pod-index": "0", + "controller-revision-hash": "keycloak-8595d86f46", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "keycloak", + "service.istio.io/canonical-revision": "latest", + "statefulset.kubernetes.io/pod-name": "keycloak-0", + "zarf-agent": "patched" + }, + "name": "keycloak-0", + "namespace": "keycloak", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "StatefulSet", + "name": "keycloak", + "uid": "a347223a-fa63-48a3-9d8e-e6e13759b313" + } + ], + "resourceVersion": "1827", + "uid": "eb5b770d-ae1b-4ea1-8990-837776913210" + }, + "spec": { + "affinity": { + "podAntiAffinity": { + "preferredDuringSchedulingIgnoredDuringExecution": [ + { + "podAffinityTerm": { + "labelSelector": { + "matchExpressions": [ + { + "key": "app.kubernetes.io/component", + "operator": "NotIn", + "values": [ + "test" + ] + } + ], + "matchLabels": { + "app.kubernetes.io/instance": "keycloak", + "app.kubernetes.io/name": "keycloak" + } + }, + "topologyKey": "failure-domain.beta.kubernetes.io/zone" + }, + "weight": 100 + } + ] + } + }, + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"name\":\"http\",\"containerPort\":8080,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "keycloak" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "keycloak" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/keycloak/statefulsets/keycloak" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + }, + { + "name": "ISTIO_KUBE_APP_PROBERS", + "value": "{\"/app-health/keycloak/livez\":{\"httpGet\":{\"path\":\"/health/live\",\"port\":8080,\"scheme\":\"HTTP\"},\"timeoutSeconds\":2},\"/app-health/keycloak/readyz\":{\"httpGet\":{\"path\":\"/health/ready\",\"port\":8080,\"scheme\":\"HTTP\"},\"timeoutSeconds\":2}}" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-9jxj5", + "readOnly": true + } + ] + }, + { + "args": [ + "start-dev", + "--spi-theme-static-max-age=-1", + "--spi-theme-cache-themes=false", + "--spi-theme-cache-templates=false", + "--import-realm", + "--features=preview" + ], + "command": [ + "/opt/keycloak/bin/kc.sh" + ], + "env": [ + { + "name": "UDS_DOMAIN", + "value": "uds.dev" + }, + { + "name": "KC_HEALTH_ENABLED", + "value": "true" + }, + { + "name": "KC_METRICS_ENABLED", + "value": "true" + }, + { + "name": "QUARKUS_HTTP_ACCESS_LOG_ENABLED", + "value": "true" + }, + { + "name": "KC_HOSTNAME_STRICT", + "value": "false" + }, + { + "name": "KC_HOSTNAME_STRICT_HTTPS", + "value": "false" + }, + { + "name": "KC_PROXY", + "value": "edge" + }, + { + "name": "KC_HTTPS_CLIENT_AUTH", + "value": "request" + }, + { + "name": "KC_SPI_X509CERT_LOOKUP_PROVIDER", + "value": "nginx" + }, + { + "name": "KC_SPI_X509CERT_LOOKUP_NGINX_SSL_CLIENT_CERT", + "value": "istio-mtls-client-certificate" + }, + { + "name": "KC_SPI_X509CERT_LOOKUP_NGINX_SSL_CLIENT_CERT_CHAIN_PREFIX", + "value": "UNUSED" + }, + { + "name": "KC_LOG_LEVEL", + "value": "DEBUG" + }, + { + "name": "QUARKUS_LOG_CATEGORY__ORG_APACHE_HTTP__LEVEL", + "value": "DEBUG" + }, + { + "name": "QUARKUS_LOG_CATEGORY__ORG_KEYCLOAK_SERVICES_X509__LEVEL", + "value": "TRACE" + } + ], + "envFrom": [ + { + "secretRef": { + "name": "keycloak-realm-env" + } + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/keycloak:24.0.5-zarf-1424829975", + "imagePullPolicy": "IfNotPresent", + "livenessProbe": { + "failureThreshold": 15, + "httpGet": { + "path": "/app-health/keycloak/livez", + "port": 15020, + "scheme": "HTTP" + }, + "initialDelaySeconds": 10, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 2 + }, + "name": "keycloak", + "ports": [ + { + "containerPort": 8080, + "name": "http", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 15, + "httpGet": { + "path": "/app-health/keycloak/readyz", + "port": 15020, + "scheme": "HTTP" + }, + "initialDelaySeconds": 10, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 2 + }, + "resources": { + "limits": { + "cpu": "1", + "memory": "1Gi" + }, + "requests": { + "cpu": "500m", + "memory": "512Mi" + } + }, + "securityContext": { + "capabilities": { + "drop": [ + "ALL" + ] + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/opt/keycloak/providers", + "name": "providers" + }, + { + "mountPath": "/opt/keycloak/data", + "name": "data" + }, + { + "mountPath": "/opt/keycloak/themes", + "name": "themes" + }, + { + "mountPath": "/opt/keycloak/conf", + "name": "conf", + "readOnly": true + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-9jxj5", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "hostname": "keycloak-0", + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "image": "127.0.0.1:31999/defenseunicorns/uds/identity-config:0.5.0-zarf-1934043158", + "imagePullPolicy": "IfNotPresent", + "name": "uds-config", + "resources": { + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "capabilities": { + "drop": [ + "ALL" + ] + }, + "runAsGroup": 65532, + "runAsUser": 65532 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/opt/keycloak/providers", + "name": "providers" + }, + { + "mountPath": "/opt/keycloak/data", + "name": "data" + }, + { + "mountPath": "/opt/keycloak/themes", + "name": "themes" + }, + { + "mountPath": "/opt/keycloak/conf", + "name": "conf" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-9jxj5", + "readOnly": true + } + ] + }, + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-9jxj5", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "runAsGroup": 1000, + "runAsNonRoot": true, + "runAsUser": 1000 + }, + "serviceAccount": "default", + "serviceAccountName": "default", + "subdomain": "keycloak-headless", + "terminationGracePeriodSeconds": 5, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "emptyDir": {}, + "name": "providers" + }, + { + "emptyDir": {}, + "name": "conf" + }, + { + "name": "data", + "persistentVolumeClaim": { + "claimName": "keycloak-data" + } + }, + { + "name": "themes", + "persistentVolumeClaim": { + "claimName": "keycloak-themes" + } + }, + { + "name": "kube-api-access-9jxj5", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:24:15Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:24:16Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:04Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:04Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:24:13Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://ae3724785974b617c1f36902ea3abba0a3126c1069e5ec3a8e4a7e30840962ec", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:24:16Z" + } + } + }, + { + "containerID": "containerd://f737fb0172a0f37a4165b986e3049b0cc970ecabf54f6bcd636728741d7cc1ee", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/keycloak:24.0.5-zarf-1424829975", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/keycloak@sha256:4b7c5429b47d7b1dba30698780526d1ea00a8789d16b0e82a04a8e6448d99d61", + "lastState": {}, + "name": "keycloak", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:24:19Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "initContainerStatuses": [ + { + "containerID": "containerd://a13545650387343f80245555fb1c08af87426cc594d202df571afe7bf661a7e9", + "image": "127.0.0.1:31999/defenseunicorns/uds/identity-config:0.5.0-zarf-1934043158", + "imageID": "127.0.0.1:31999/defenseunicorns/uds/identity-config@sha256:8daeedba128c1154c278332d45378062e490344bb5fc8274fcce92a43d7a11e9", + "lastState": {}, + "name": "uds-config", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://a13545650387343f80245555fb1c08af87426cc594d202df571afe7bf661a7e9", + "exitCode": 0, + "finishedAt": "2024-07-15T19:24:14Z", + "reason": "Completed", + "startedAt": "2024-07-15T19:24:14Z" + } + } + }, + { + "containerID": "containerd://ec3f96e0eb0287bcacddc293236530b778c4d7455da522e404160c149dcabc6e", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://ec3f96e0eb0287bcacddc293236530b778c4d7455da522e404160c149dcabc6e", + "exitCode": 0, + "finishedAt": "2024-07-15T19:24:15Z", + "reason": "Completed", + "startedAt": "2024-07-15T19:24:15Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.27", + "podIPs": [ + { + "ip": "10.42.0.27" + } + ], + "qosClass": "Burstable", + "startTime": "2024-07-15T19:24:13Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "neuvector-scanner-pod", + "kubectl.kubernetes.io/default-logs-container": "neuvector-scanner-pod", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": "[\"require-non-root-user\",\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded" + }, + "creationTimestamp": "2024-07-15T19:25:28Z", + "generateName": "neuvector-scanner-pod-64d5b96b4d-", + "labels": { + "app": "neuvector-scanner-pod", + "pod-template-hash": "64d5b96b4d", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "neuvector-scanner-pod", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": "neuvector-scanner-pod-64d5b96b4d-zrpj6", + "namespace": "neuvector", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "neuvector-scanner-pod-64d5b96b4d", + "uid": "70858f0e-37c2-44bf-814b-bc2e9bb5df4a" + } + ], + "resourceVersion": "2209", + "uid": "7de9842a-fb74-42b7-b942-02b39440062f" + }, + "spec": { + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "neuvector-scanner-pod" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "neuvector-scanner-pod" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/neuvector/deployments/neuvector-scanner-pod" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-jrgz2", + "readOnly": true + } + ] + }, + { + "env": [ + { + "name": "CLUSTER_JOIN_ADDR", + "value": "neuvector-svc-controller.neuvector" + } + ], + "image": "127.0.0.1:31999/neuvector/scanner:latest-zarf-3299389045", + "imagePullPolicy": "Always", + "name": "neuvector-scanner-pod", + "resources": {}, + "securityContext": { + "capabilities": { + "drop": [ + "ALL" + ] + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-jrgz2", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-jrgz2", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "runAsGroup": 1000, + "runAsNonRoot": true, + "runAsUser": 1000 + }, + "serviceAccount": "scanner", + "serviceAccountName": "scanner", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "kube-api-access-jrgz2", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:30Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:30Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:37Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:37Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:29Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://ffca5c8b96f0e2f0dcb1cd113e9a934f4e0c843fe00da2d84ae9d4d46d2a4f77", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:25:30Z" + } + } + }, + { + "containerID": "containerd://af0a3a7241fd9b7565778315afa787df090c1cf395650e41015447a9f9dc48d9", + "image": "127.0.0.1:31999/neuvector/scanner:latest-zarf-3299389045", + "imageID": "127.0.0.1:31999/neuvector/scanner@sha256:fb29fb99baf64c41a8c53bfa32d855730f00b392c7f1457947e354bce9fad9a2", + "lastState": {}, + "name": "neuvector-scanner-pod", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:25:35Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "initContainerStatuses": [ + { + "containerID": "containerd://2e99e7a72800546f79f76de7ab33ccb7e8e7c41c9b2ca21bf4f565b4818c054d", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://2e99e7a72800546f79f76de7ab33ccb7e8e7c41c9b2ca21bf4f565b4818c054d", + "exitCode": 0, + "finishedAt": "2024-07-15T19:25:29Z", + "reason": "Completed", + "startedAt": "2024-07-15T19:25:29Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.30", + "podIPs": [ + { + "ip": "10.42.0.30" + } + ], + "qosClass": "Burstable", + "startTime": "2024-07-15T19:25:29Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "neuvector-scanner-pod", + "kubectl.kubernetes.io/default-logs-container": "neuvector-scanner-pod", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": "[\"require-non-root-user\",\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded" + }, + "creationTimestamp": "2024-07-15T19:25:29Z", + "generateName": "neuvector-scanner-pod-64d5b96b4d-", + "labels": { + "app": "neuvector-scanner-pod", + "pod-template-hash": "64d5b96b4d", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "neuvector-scanner-pod", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": "neuvector-scanner-pod-64d5b96b4d-d552k", + "namespace": "neuvector", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "neuvector-scanner-pod-64d5b96b4d", + "uid": "70858f0e-37c2-44bf-814b-bc2e9bb5df4a" + } + ], + "resourceVersion": "2213", + "uid": "b2a7f732-e96c-4bf7-9adc-9a1c6b21d008" + }, + "spec": { + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "neuvector-scanner-pod" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "neuvector-scanner-pod" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/neuvector/deployments/neuvector-scanner-pod" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-xph4g", + "readOnly": true + } + ] + }, + { + "env": [ + { + "name": "CLUSTER_JOIN_ADDR", + "value": "neuvector-svc-controller.neuvector" + } + ], + "image": "127.0.0.1:31999/neuvector/scanner:latest-zarf-3299389045", + "imagePullPolicy": "Always", + "name": "neuvector-scanner-pod", + "resources": {}, + "securityContext": { + "capabilities": { + "drop": [ + "ALL" + ] + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-xph4g", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-xph4g", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "runAsGroup": 1000, + "runAsNonRoot": true, + "runAsUser": 1000 + }, + "serviceAccount": "scanner", + "serviceAccountName": "scanner", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "kube-api-access-xph4g", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:30Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:30Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:37Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:37Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:29Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://23eeca63405b9da57e951b821f8a52b29667cb733a757ab1f0b0f62f30b22a6f", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:25:30Z" + } + } + }, + { + "containerID": "containerd://92bf9526301abf67918bd0ebe43486aaa5b6a4377f4c63d85bebf9dae98703fb", + "image": "127.0.0.1:31999/neuvector/scanner:latest-zarf-3299389045", + "imageID": "127.0.0.1:31999/neuvector/scanner@sha256:fb29fb99baf64c41a8c53bfa32d855730f00b392c7f1457947e354bce9fad9a2", + "lastState": {}, + "name": "neuvector-scanner-pod", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:25:35Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "initContainerStatuses": [ + { + "containerID": "containerd://101bd4f33f7595af504d6663348b92338d233b0228abc8c0c6a3d53afe4c819f", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://101bd4f33f7595af504d6663348b92338d233b0228abc8c0c6a3d53afe4c819f", + "exitCode": 0, + "finishedAt": "2024-07-15T19:25:29Z", + "reason": "Completed", + "startedAt": "2024-07-15T19:25:29Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.33", + "podIPs": [ + { + "ip": "10.42.0.33" + } + ], + "qosClass": "Burstable", + "startTime": "2024-07-15T19:25:29Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "neuvector-scanner-pod", + "kubectl.kubernetes.io/default-logs-container": "neuvector-scanner-pod", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": "[\"require-non-root-user\",\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded" + }, + "creationTimestamp": "2024-07-15T19:25:29Z", + "generateName": "neuvector-scanner-pod-64d5b96b4d-", + "labels": { + "app": "neuvector-scanner-pod", + "pod-template-hash": "64d5b96b4d", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "neuvector-scanner-pod", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": "neuvector-scanner-pod-64d5b96b4d-c4nkm", + "namespace": "neuvector", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "neuvector-scanner-pod-64d5b96b4d", + "uid": "70858f0e-37c2-44bf-814b-bc2e9bb5df4a" + } + ], + "resourceVersion": "2219", + "uid": "ebdab16c-9794-4e04-a511-6702c1026016" + }, + "spec": { + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "neuvector-scanner-pod" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "neuvector-scanner-pod" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/neuvector/deployments/neuvector-scanner-pod" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-b6rxb", + "readOnly": true + } + ] + }, + { + "env": [ + { + "name": "CLUSTER_JOIN_ADDR", + "value": "neuvector-svc-controller.neuvector" + } + ], + "image": "127.0.0.1:31999/neuvector/scanner:latest-zarf-3299389045", + "imagePullPolicy": "Always", + "name": "neuvector-scanner-pod", + "resources": {}, + "securityContext": { + "capabilities": { + "drop": [ + "ALL" + ] + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-b6rxb", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-b6rxb", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "runAsGroup": 1000, + "runAsNonRoot": true, + "runAsUser": 1000 + }, + "serviceAccount": "scanner", + "serviceAccountName": "scanner", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "kube-api-access-b6rxb", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:30Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:30Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:37Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:37Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:29Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://5ee5f403ed5a5b0858e295976e83bac42b2b337b096366cb2d633bc792f6b0df", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:25:30Z" + } + } + }, + { + "containerID": "containerd://b2cea19404ab8f8d94539101c27a42d7808e4f6babb40f8251df30dd6d3e2c16", + "image": "127.0.0.1:31999/neuvector/scanner:latest-zarf-3299389045", + "imageID": "127.0.0.1:31999/neuvector/scanner@sha256:fb29fb99baf64c41a8c53bfa32d855730f00b392c7f1457947e354bce9fad9a2", + "lastState": {}, + "name": "neuvector-scanner-pod", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:25:35Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "initContainerStatuses": [ + { + "containerID": "containerd://f6a7edde1ba8903da923a07a8971595cbdd4cad0112cd54d90cf022fa1cd37f4", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://f6a7edde1ba8903da923a07a8971595cbdd4cad0112cd54d90cf022fa1cd37f4", + "exitCode": 0, + "finishedAt": "2024-07-15T19:25:29Z", + "reason": "Completed", + "startedAt": "2024-07-15T19:25:29Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.32", + "podIPs": [ + { + "ip": "10.42.0.32" + } + ], + "qosClass": "Burstable", + "startTime": "2024-07-15T19:25:29Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "neuvector-enforcer-pod", + "kubectl.kubernetes.io/default-logs-container": "neuvector-enforcer-pod", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/uds-core-policies": "succeeded", + "uds-core.pepr.dev/uds-core-policies.DisallowHostNamespaces": "exempted", + "uds-core.pepr.dev/uds-core-policies.DisallowPrivileged": "exempted", + "uds-core.pepr.dev/uds-core-policies.DropAllCapabilities": "exempted", + "uds-core.pepr.dev/uds-core-policies.RequireNonRootUser": "exempted", + "uds-core.pepr.dev/uds-core-policies.RestrictHostPathWrite": "exempted", + "uds-core.pepr.dev/uds-core-policies.RestrictVolumeTypes": "exempted" + }, + "creationTimestamp": "2024-07-15T19:25:28Z", + "generateName": "neuvector-enforcer-pod-", + "labels": { + "app": "neuvector-enforcer-pod", + "controller-revision-hash": "6bff578d6b", + "pod-template-generation": "1", + "release": "core", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "neuvector-enforcer-pod", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": "neuvector-enforcer-pod-jzhh5", + "namespace": "neuvector", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "DaemonSet", + "name": "neuvector-enforcer-pod", + "uid": "183e282a-5df5-43cf-ba2f-1d8580b519aa" + } + ], + "resourceVersion": "2223", + "uid": "1a2d41a3-cb47-4255-9a81-99a87f3c9cb8" + }, + "spec": { + "affinity": { + "nodeAffinity": { + "requiredDuringSchedulingIgnoredDuringExecution": { + "nodeSelectorTerms": [ + { + "matchFields": [ + { + "key": "metadata.name", + "operator": "In", + "values": [ + "k3d-uds-server-0" + ] + } + ] + } + ] + } + } + }, + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "neuvector-enforcer-pod" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "neuvector-enforcer-pod" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/neuvector/daemonsets/neuvector-enforcer-pod" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-r548n", + "readOnly": true + } + ] + }, + { + "env": [ + { + "name": "CLUSTER_JOIN_ADDR", + "value": "neuvector-svc-controller.neuvector" + }, + { + "name": "CLUSTER_ADVERTISED_ADDR", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "CLUSTER_BIND_ADDR", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + } + ], + "image": "127.0.0.1:31999/neuvector/enforcer:5.3.3-zarf-2886042343", + "imagePullPolicy": "IfNotPresent", + "name": "neuvector-enforcer-pod", + "resources": {}, + "securityContext": { + "privileged": true + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/lib/modules", + "name": "modules-vol", + "readOnly": true + }, + { + "mountPath": "/var/nv_debug", + "name": "nv-debug" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-r548n", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "hostPID": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-r548n", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": {}, + "serviceAccount": "enforcer", + "serviceAccountName": "enforcer", + "terminationGracePeriodSeconds": 1200, + "tolerations": [ + { + "effect": "NoSchedule", + "key": "node-role.kubernetes.io/master" + }, + { + "effect": "NoSchedule", + "key": "node-role.kubernetes.io/control-plane" + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists" + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/disk-pressure", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/memory-pressure", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/pid-pressure", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/unschedulable", + "operator": "Exists" + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "hostPath": { + "path": "/lib/modules", + "type": "" + }, + "name": "modules-vol" + }, + { + "hostPath": { + "path": "/var/nv_debug", + "type": "" + }, + "name": "nv-debug" + }, + { + "name": "kube-api-access-r548n", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:29Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:30Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:37Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:37Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:29Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://8a5f914091f6f48b6ce72bd070d1643fafcecf90a4cca81b35a6aa3bdb0a4390", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:25:30Z" + } + } + }, + { + "containerID": "containerd://418d8bbc2f40259804deb019fd35763f2b14eb91ee50273a9058b1cfc5466e7c", + "image": "127.0.0.1:31999/neuvector/enforcer:5.3.3-zarf-2886042343", + "imageID": "127.0.0.1:31999/neuvector/enforcer@sha256:c958223f49d5aebc24af798c168c1643d3aa88caeb1ee741df8beb0b93d14b5a", + "lastState": {}, + "name": "neuvector-enforcer-pod", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:25:36Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "initContainerStatuses": [ + { + "containerID": "containerd://d71b8ff850816baf5c50983a3a8659e21e2371497c98f4d3ff99bca7186409a2", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://d71b8ff850816baf5c50983a3a8659e21e2371497c98f4d3ff99bca7186409a2", + "exitCode": 0, + "finishedAt": "2024-07-15T19:25:29Z", + "reason": "Completed", + "startedAt": "2024-07-15T19:25:29Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.28", + "podIPs": [ + { + "ip": "10.42.0.28" + } + ], + "qosClass": "Burstable", + "startTime": "2024-07-15T19:25:29Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "neuvector-manager-pod", + "kubectl.kubernetes.io/default-logs-container": "neuvector-manager-pod", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": "[\"require-non-root-user\",\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded" + }, + "creationTimestamp": "2024-07-15T19:25:29Z", + "generateName": "neuvector-manager-pod-59679458cf-", + "labels": { + "app": "neuvector-manager-pod", + "pod-template-hash": "59679458cf", + "release": "core", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "neuvector-manager-pod", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": "neuvector-manager-pod-59679458cf-zppj8", + "namespace": "neuvector", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "neuvector-manager-pod-59679458cf", + "uid": "ebf4e397-bb65-4f4b-bb6c-b1b31e8eb980" + } + ], + "resourceVersion": "2236", + "uid": "0612d87f-55f9-4a47-b518-6131ae94d340" + }, + "spec": { + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"name\":\"http\",\"containerPort\":8443,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "neuvector-manager-pod" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "neuvector-manager-pod" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/neuvector/deployments/neuvector-manager-pod" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-cs2w9", + "readOnly": true + } + ] + }, + { + "env": [ + { + "name": "CTRL_SERVER_IP", + "value": "neuvector-svc-controller.neuvector" + }, + { + "name": "MANAGER_SSL", + "value": "off" + } + ], + "image": "127.0.0.1:31999/neuvector/manager:5.3.3-zarf-1801671909", + "imagePullPolicy": "IfNotPresent", + "name": "neuvector-manager-pod", + "ports": [ + { + "containerPort": 8443, + "name": "http", + "protocol": "TCP" + } + ], + "resources": {}, + "securityContext": { + "capabilities": { + "drop": [ + "ALL" + ] + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-cs2w9", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-cs2w9", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "runAsGroup": 1000, + "runAsNonRoot": true, + "runAsUser": 1000 + }, + "serviceAccount": "basic", + "serviceAccountName": "basic", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "kube-api-access-cs2w9", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:29Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:30Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:39Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:39Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:29Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://a14260911a5bd949ee7dcda513bc485f5501728b93819fcad9a1a82e0a6f4d49", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:25:30Z" + } + } + }, + { + "containerID": "containerd://b0c7a8f870291e3ff2d3f496b993594cc2ee8bbe58086f6fcf4f9e54792c1a51", + "image": "127.0.0.1:31999/neuvector/manager:5.3.3-zarf-1801671909", + "imageID": "127.0.0.1:31999/neuvector/manager@sha256:2125c2c8ae4bb2684e8a18089ebbaa369727a230c61de1314e884ad30f3e5b91", + "lastState": {}, + "name": "neuvector-manager-pod", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:25:37Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "initContainerStatuses": [ + { + "containerID": "containerd://4a135c4771ffce5ed1f2f7a8f6ebcac7f9285277611abd4f83fd8725fe6124de", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://4a135c4771ffce5ed1f2f7a8f6ebcac7f9285277611abd4f83fd8725fe6124de", + "exitCode": 0, + "finishedAt": "2024-07-15T19:25:29Z", + "reason": "Completed", + "startedAt": "2024-07-15T19:25:29Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.29", + "podIPs": [ + { + "ip": "10.42.0.29" + } + ], + "qosClass": "Burstable", + "startTime": "2024-07-15T19:25:29Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "checksum/config": "bb09a05e33c5aa2966debe5a0953fc44b5d234893a981c66172e001bbccbaf07", + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "nginx", + "kubectl.kubernetes.io/default-logs-container": "nginx", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": "[\"require-non-root-user\",\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded" + }, + "creationTimestamp": "2024-07-15T19:25:51Z", + "generateName": "loki-gateway-64756ffb74-", + "labels": { + "app.kubernetes.io/component": "gateway", + "app.kubernetes.io/instance": "loki", + "app.kubernetes.io/name": "loki", + "pod-template-hash": "64756ffb74", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "loki", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": "loki-gateway-64756ffb74-fbwkb", + "namespace": "loki", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "loki-gateway-64756ffb74", + "uid": "43aed466-1137-4e55-8d1e-ce0a748d6a9d" + } + ], + "resourceVersion": "2646", + "uid": "d432b488-0f71-4fe3-8ad4-9d20274bad34" + }, + "spec": { + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"name\":\"http\",\"containerPort\":8080,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "nginx" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "loki-gateway" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/loki/deployments/loki-gateway" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + }, + { + "name": "ISTIO_KUBE_APP_PROBERS", + "value": "{\"/app-health/nginx/readyz\":{\"httpGet\":{\"path\":\"/\",\"port\":8080,\"scheme\":\"HTTP\"},\"timeoutSeconds\":1}}" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-299m5", + "readOnly": true + } + ] + }, + { + "image": "127.0.0.1:31999/du-uds-defenseunicorns/nginx-fips:1.27.0-zarf-2401993313", + "imagePullPolicy": "IfNotPresent", + "name": "nginx", + "ports": [ + { + "containerPort": 8080, + "name": "http", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/app-health/nginx/readyz", + "port": 15020, + "scheme": "HTTP" + }, + "initialDelaySeconds": 15, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "resources": {}, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "readOnlyRootFilesystem": true + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/nginx", + "name": "config" + }, + { + "mountPath": "/tmp", + "name": "tmp" + }, + { + "mountPath": "/docker-entrypoint.d", + "name": "docker-entrypoint-d-override" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-299m5", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-299m5", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "fsGroup": 101, + "runAsGroup": 101, + "runAsNonRoot": true, + "runAsUser": 101 + }, + "serviceAccount": "loki", + "serviceAccountName": "loki", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "configMap": { + "defaultMode": 420, + "name": "loki-gateway" + }, + "name": "config" + }, + { + "emptyDir": {}, + "name": "tmp" + }, + { + "emptyDir": {}, + "name": "docker-entrypoint-d-override" + }, + { + "name": "kube-api-access-299m5", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:52Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:53Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:26:12Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:26:12Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:51Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://a5f24572c70a654f9e97680b65936358371a079065168dae9358ed7eafb9bbbb", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:25:54Z" + } + } + }, + { + "containerID": "containerd://29972bf8a5ff4aa33b7a1cf2a0c4b340a76e4e1132ef528306f34501b59aaea4", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/nginx-fips:1.27.0-zarf-2401993313", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/nginx-fips@sha256:9b8deffcaf1d566a7409cab03cc2db67feff596dfcd582d8ff11d472025123bf", + "lastState": {}, + "name": "nginx", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:25:57Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "initContainerStatuses": [ + { + "containerID": "containerd://eebdc230652e421f376b30889ca8c2209290ab5ac9d145e6704c946c4f06029b", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://eebdc230652e421f376b30889ca8c2209290ab5ac9d145e6704c946c4f06029b", + "exitCode": 0, + "finishedAt": "2024-07-15T19:25:52Z", + "reason": "Completed", + "startedAt": "2024-07-15T19:25:52Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.38", + "podIPs": [ + { + "ip": "10.42.0.38" + } + ], + "qosClass": "Burstable", + "startTime": "2024-07-15T19:25:51Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "checksum/init-configmap": "09739169a4cac1b76e349f92d75fe6b9900b484f897d017597195d07b8c25048", + "checksum/uds-sso-secret": "", + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "neuvector-controller-pod", + "kubectl.kubernetes.io/default-logs-container": "neuvector-controller-pod", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/uds-core-policies": "succeeded", + "uds-core.pepr.dev/uds-core-policies.DisallowPrivileged": "exempted", + "uds-core.pepr.dev/uds-core-policies.DropAllCapabilities": "exempted", + "uds-core.pepr.dev/uds-core-policies.RequireNonRootUser": "exempted", + "uds-core.pepr.dev/uds-core-policies.RestrictHostPathWrite": "exempted", + "uds-core.pepr.dev/uds-core-policies.RestrictVolumeTypes": "exempted" + }, + "creationTimestamp": "2024-07-15T19:25:46Z", + "generateName": "neuvector-controller-pod-5dccb6c44f-", + "labels": { + "app": "neuvector-controller-pod", + "pod-template-hash": "5dccb6c44f", + "release": "core", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "neuvector-controller-pod", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": "neuvector-controller-pod-5dccb6c44f-ch8cx", + "namespace": "neuvector", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "neuvector-controller-pod-5dccb6c44f", + "uid": "8e887e07-0945-4e20-ad12-b1c40f529e1a" + } + ], + "resourceVersion": "2667", + "uid": "e06cbc18-9ac5-41d1-871e-2a1bf7ef614e" + }, + "spec": { + "affinity": { + "podAntiAffinity": { + "preferredDuringSchedulingIgnoredDuringExecution": [ + { + "podAffinityTerm": { + "labelSelector": { + "matchExpressions": [ + { + "key": "app", + "operator": "In", + "values": [ + "neuvector-controller-pod" + ] + } + ] + }, + "topologyKey": "kubernetes.io/hostname" + }, + "weight": 100 + } + ] + } + }, + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "neuvector-controller-pod" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "neuvector-controller-pod" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/neuvector/deployments/neuvector-controller-pod" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-x7v72", + "readOnly": true + } + ] + }, + { + "env": [ + { + "name": "CLUSTER_JOIN_ADDR", + "value": "neuvector-svc-controller.neuvector" + }, + { + "name": "CLUSTER_ADVERTISED_ADDR", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "CLUSTER_BIND_ADDR", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "NO_DEFAULT_ADMIN", + "value": "1" + } + ], + "image": "127.0.0.1:31999/neuvector/controller:5.3.3-zarf-4157091163", + "imagePullPolicy": "IfNotPresent", + "name": "neuvector-controller-pod", + "readinessProbe": { + "exec": { + "command": [ + "cat", + "/tmp/ready" + ] + }, + "failureThreshold": 3, + "initialDelaySeconds": 5, + "periodSeconds": 5, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "resources": {}, + "securityContext": { + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/config", + "name": "config-volume", + "readOnly": true + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-x7v72", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-x7v72", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": {}, + "serviceAccount": "controller", + "serviceAccountName": "controller", + "terminationGracePeriodSeconds": 300, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "config-volume", + "projected": { + "defaultMode": 420, + "sources": [ + { + "configMap": { + "name": "neuvector-init", + "optional": true + } + }, + { + "secret": { + "name": "neuvector-init", + "optional": true + } + }, + { + "secret": { + "name": "neuvector-secret", + "optional": true + } + } + ] + } + }, + { + "name": "kube-api-access-x7v72", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:47Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:47Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:26:22Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:26:22Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:46Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://f922695d22170eeb364ed8a2bbfbd155f83915dff412653dddfe80b9c3fe572c", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:25:47Z" + } + } + }, + { + "containerID": "containerd://58d73000b5bc33689b0be74a8ae5d69c207ec8c6badf7489018f8a0906a72861", + "image": "127.0.0.1:31999/neuvector/controller:5.3.3-zarf-4157091163", + "imageID": "127.0.0.1:31999/neuvector/controller@sha256:1102321e8ed5bd3aad26e3d2c3b9a3ddc5aa82c2949fc2600b9350c7e951950e", + "lastState": {}, + "name": "neuvector-controller-pod", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:25:49Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "initContainerStatuses": [ + { + "containerID": "containerd://3b769c791af5ec78bf87e0c9f8c3392886921d20c37511591649685aa0d2a238", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://3b769c791af5ec78bf87e0c9f8c3392886921d20c37511591649685aa0d2a238", + "exitCode": 0, + "finishedAt": "2024-07-15T19:25:47Z", + "reason": "Completed", + "startedAt": "2024-07-15T19:25:47Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.36", + "podIPs": [ + { + "ip": "10.42.0.36" + } + ], + "qosClass": "Burstable", + "startTime": "2024-07-15T19:25:46Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "checksum/config": "71aa2e600a166ff5ea6680da3a366f438955dff125cf135db83a10d2e4281565", + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "loki", + "kubectl.kubernetes.io/default-logs-container": "loki", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": "[\"require-non-root-user\",\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded" + }, + "creationTimestamp": "2024-07-15T19:25:51Z", + "generateName": "loki-read-648f4564f8-", + "labels": { + "app.kubernetes.io/component": "read", + "app.kubernetes.io/instance": "loki", + "app.kubernetes.io/name": "loki", + "app.kubernetes.io/part-of": "memberlist", + "pod-template-hash": "648f4564f8", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "loki", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": "loki-read-648f4564f8-svncd", + "namespace": "loki", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "loki-read-648f4564f8", + "uid": "08e0e0d6-4d15-47ed-9c3a-3093ec6cdf9f" + } + ], + "resourceVersion": "2689", + "uid": "132c9371-c71c-4744-a8ed-95573395076e" + }, + "spec": { + "automountServiceAccountToken": true, + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"name\":\"http-metrics\",\"containerPort\":3100,\"protocol\":\"TCP\"}\n ,{\"name\":\"grpc\",\"containerPort\":9095,\"protocol\":\"TCP\"}\n ,{\"name\":\"http-memberlist\",\"containerPort\":7946,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "loki" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "loki-read" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/loki/deployments/loki-read" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + }, + { + "name": "ISTIO_KUBE_APP_PROBERS", + "value": "{\"/app-health/loki/readyz\":{\"httpGet\":{\"path\":\"/ready\",\"port\":3100,\"scheme\":\"HTTP\"},\"timeoutSeconds\":1}}" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-bthg5", + "readOnly": true + } + ] + }, + { + "args": [ + "-config.file=/etc/loki/config/config.yaml", + "-target=read", + "-legacy-read-mode=false", + "-common.compactor-grpc-address=loki-backend.loki.svc.cluster.local:9095" + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/loki:2.9.8-zarf-777750453", + "imagePullPolicy": "IfNotPresent", + "name": "loki", + "ports": [ + { + "containerPort": 3100, + "name": "http-metrics", + "protocol": "TCP" + }, + { + "containerPort": 9095, + "name": "grpc", + "protocol": "TCP" + }, + { + "containerPort": 7946, + "name": "http-memberlist", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/app-health/loki/readyz", + "port": 15020, + "scheme": "HTTP" + }, + "initialDelaySeconds": 30, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "resources": {}, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "readOnlyRootFilesystem": true + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/loki/config", + "name": "config" + }, + { + "mountPath": "/etc/loki/runtime-config", + "name": "runtime-config" + }, + { + "mountPath": "/tmp", + "name": "tmp" + }, + { + "mountPath": "/var/loki", + "name": "data" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-bthg5", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-bthg5", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "fsGroup": 10001, + "runAsGroup": 10001, + "runAsNonRoot": true, + "runAsUser": 10001 + }, + "serviceAccount": "loki", + "serviceAccountName": "loki", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "emptyDir": {}, + "name": "tmp" + }, + { + "emptyDir": {}, + "name": "data" + }, + { + "configMap": { + "defaultMode": 420, + "items": [ + { + "key": "config.yaml", + "path": "config.yaml" + } + ], + "name": "loki" + }, + "name": "config" + }, + { + "configMap": { + "defaultMode": 420, + "name": "loki-runtime" + }, + "name": "runtime-config" + }, + { + "name": "kube-api-access-bthg5", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:53Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:53Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:26:32Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:26:32Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:51Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://54fd909651fdad1f06d924b87f57fe4219ac384faa627e6372314af448f00f6e", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:25:54Z" + } + } + }, + { + "containerID": "containerd://05018bc860d48b89b94118774e8615772e1dd5fd004c23feefb4be25bdb7cda3", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/loki:2.9.8-zarf-777750453", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/loki@sha256:0343efe09e351e9b943e4854bd0543684dd4614d3394b4e77a13fc717a6fab49", + "lastState": {}, + "name": "loki", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:25:57Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "initContainerStatuses": [ + { + "containerID": "containerd://98fa4a1b5029d9c00f5c05d9f462238333cf87e5549e5f3c44c90c62658fb2d9", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://98fa4a1b5029d9c00f5c05d9f462238333cf87e5549e5f3c44c90c62658fb2d9", + "exitCode": 0, + "finishedAt": "2024-07-15T19:25:52Z", + "reason": "Completed", + "startedAt": "2024-07-15T19:25:52Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.40", + "podIPs": [ + { + "ip": "10.42.0.40" + } + ], + "qosClass": "Burstable", + "startTime": "2024-07-15T19:25:51Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "checksum/config": "71aa2e600a166ff5ea6680da3a366f438955dff125cf135db83a10d2e4281565", + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "loki", + "kubectl.kubernetes.io/default-logs-container": "loki", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": "[\"require-non-root-user\",\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded" + }, + "creationTimestamp": "2024-07-15T19:25:51Z", + "generateName": "loki-backend-", + "labels": { + "app.kubernetes.io/component": "backend", + "app.kubernetes.io/instance": "loki", + "app.kubernetes.io/name": "loki", + "app.kubernetes.io/part-of": "memberlist", + "apps.kubernetes.io/pod-index": "0", + "controller-revision-hash": "loki-backend-585d56dcd5", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "loki", + "service.istio.io/canonical-revision": "latest", + "statefulset.kubernetes.io/pod-name": "loki-backend-0", + "zarf-agent": "patched" + }, + "name": "loki-backend-0", + "namespace": "loki", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "StatefulSet", + "name": "loki-backend", + "uid": "3e167792-57f8-4d4b-8f99-ea676f0dcfe3" + } + ], + "resourceVersion": "2706", + "uid": "f90ba134-9478-45fa-89aa-b10156ae45e9" + }, + "spec": { + "automountServiceAccountToken": true, + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"name\":\"http-metrics\",\"containerPort\":3100,\"protocol\":\"TCP\"}\n ,{\"name\":\"grpc\",\"containerPort\":9095,\"protocol\":\"TCP\"}\n ,{\"name\":\"http-memberlist\",\"containerPort\":7946,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "loki" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "loki-backend" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/loki/statefulsets/loki-backend" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + }, + { + "name": "ISTIO_KUBE_APP_PROBERS", + "value": "{\"/app-health/loki/readyz\":{\"httpGet\":{\"path\":\"/ready\",\"port\":3100,\"scheme\":\"HTTP\"},\"timeoutSeconds\":1}}" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-682tw", + "readOnly": true + } + ] + }, + { + "args": [ + "-config.file=/etc/loki/config/config.yaml", + "-target=backend", + "-legacy-read-mode=false" + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/loki:2.9.8-zarf-777750453", + "imagePullPolicy": "IfNotPresent", + "name": "loki", + "ports": [ + { + "containerPort": 3100, + "name": "http-metrics", + "protocol": "TCP" + }, + { + "containerPort": 9095, + "name": "grpc", + "protocol": "TCP" + }, + { + "containerPort": 7946, + "name": "http-memberlist", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/app-health/loki/readyz", + "port": 15020, + "scheme": "HTTP" + }, + "initialDelaySeconds": 30, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "resources": {}, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "readOnlyRootFilesystem": true + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/loki/config", + "name": "config" + }, + { + "mountPath": "/etc/loki/runtime-config", + "name": "runtime-config" + }, + { + "mountPath": "/tmp", + "name": "tmp" + }, + { + "mountPath": "/var/loki", + "name": "data" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-682tw", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "hostname": "loki-backend-0", + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-682tw", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "fsGroup": 10001, + "runAsGroup": 10001, + "runAsNonRoot": true, + "runAsUser": 10001 + }, + "serviceAccount": "loki", + "serviceAccountName": "loki", + "subdomain": "loki-backend-headless", + "terminationGracePeriodSeconds": 300, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "data", + "persistentVolumeClaim": { + "claimName": "data-loki-backend-0" + } + }, + { + "emptyDir": {}, + "name": "tmp" + }, + { + "configMap": { + "defaultMode": 420, + "items": [ + { + "key": "config.yaml", + "path": "config.yaml" + } + ], + "name": "loki" + }, + "name": "config" + }, + { + "configMap": { + "defaultMode": 420, + "name": "loki-runtime" + }, + "name": "runtime-config" + }, + { + "name": "kube-api-access-682tw", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:59Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:59Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:26:38Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:26:38Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:58Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://34d70ffe9b0446ffc0b10193674018ba36884e98aa56a27a3f219b2300b4c8d6", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:25:59Z" + } + } + }, + { + "containerID": "containerd://b10d21503a1b0852e44ab2eee34d4b949e115fc44d703ca828dd09ee39e93baa", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/loki:2.9.8-zarf-777750453", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/loki@sha256:0343efe09e351e9b943e4854bd0543684dd4614d3394b4e77a13fc717a6fab49", + "lastState": {}, + "name": "loki", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:26:02Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "initContainerStatuses": [ + { + "containerID": "containerd://67990cc461fdb5b8fe8b2ff6feed18182349281c7ca6356921dd2811c7ae9384", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://67990cc461fdb5b8fe8b2ff6feed18182349281c7ca6356921dd2811c7ae9384", + "exitCode": 0, + "finishedAt": "2024-07-15T19:25:59Z", + "reason": "Completed", + "startedAt": "2024-07-15T19:25:58Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.43", + "podIPs": [ + { + "ip": "10.42.0.43" + } + ], + "qosClass": "Burstable", + "startTime": "2024-07-15T19:25:58Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "checksum/config": "71aa2e600a166ff5ea6680da3a366f438955dff125cf135db83a10d2e4281565", + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "loki", + "kubectl.kubernetes.io/default-logs-container": "loki", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": "[\"require-non-root-user\",\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded" + }, + "creationTimestamp": "2024-07-15T19:25:51Z", + "generateName": "loki-write-", + "labels": { + "app.kubernetes.io/component": "write", + "app.kubernetes.io/instance": "loki", + "app.kubernetes.io/name": "loki", + "app.kubernetes.io/part-of": "memberlist", + "apps.kubernetes.io/pod-index": "0", + "controller-revision-hash": "loki-write-6bcf4bcf7", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "loki", + "service.istio.io/canonical-revision": "latest", + "statefulset.kubernetes.io/pod-name": "loki-write-0", + "zarf-agent": "patched" + }, + "name": "loki-write-0", + "namespace": "loki", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "StatefulSet", + "name": "loki-write", + "uid": "29bd3ccc-185d-442f-b604-11ac7b6891d3" + } + ], + "resourceVersion": "2739", + "uid": "a007ced9-645b-4297-9062-5c4b91a6a417" + }, + "spec": { + "automountServiceAccountToken": true, + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"name\":\"http-metrics\",\"containerPort\":3100,\"protocol\":\"TCP\"}\n ,{\"name\":\"grpc\",\"containerPort\":9095,\"protocol\":\"TCP\"}\n ,{\"name\":\"http-memberlist\",\"containerPort\":7946,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "loki" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "loki-write" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/loki/statefulsets/loki-write" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + }, + { + "name": "ISTIO_KUBE_APP_PROBERS", + "value": "{\"/app-health/loki/readyz\":{\"httpGet\":{\"path\":\"/ready\",\"port\":3100,\"scheme\":\"HTTP\"},\"timeoutSeconds\":1}}" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-v797b", + "readOnly": true + } + ] + }, + { + "args": [ + "-config.file=/etc/loki/config/config.yaml", + "-target=write" + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/loki:2.9.8-zarf-777750453", + "imagePullPolicy": "IfNotPresent", + "name": "loki", + "ports": [ + { + "containerPort": 3100, + "name": "http-metrics", + "protocol": "TCP" + }, + { + "containerPort": 9095, + "name": "grpc", + "protocol": "TCP" + }, + { + "containerPort": 7946, + "name": "http-memberlist", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/app-health/loki/readyz", + "port": 15020, + "scheme": "HTTP" + }, + "initialDelaySeconds": 30, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "resources": {}, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "readOnlyRootFilesystem": true + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/loki/config", + "name": "config" + }, + { + "mountPath": "/etc/loki/runtime-config", + "name": "runtime-config" + }, + { + "mountPath": "/var/loki", + "name": "data" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-v797b", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "hostname": "loki-write-0", + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-v797b", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "fsGroup": 10001, + "runAsGroup": 10001, + "runAsNonRoot": true, + "runAsUser": 10001 + }, + "serviceAccount": "loki", + "serviceAccountName": "loki", + "subdomain": "loki-write-headless", + "terminationGracePeriodSeconds": 300, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "data", + "persistentVolumeClaim": { + "claimName": "data-loki-write-0" + } + }, + { + "configMap": { + "defaultMode": 420, + "items": [ + { + "key": "config.yaml", + "path": "config.yaml" + } + ], + "name": "loki" + }, + "name": "config" + }, + { + "configMap": { + "defaultMode": 420, + "name": "loki-runtime" + }, + "name": "runtime-config" + }, + { + "name": "kube-api-access-v797b", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:57Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:58Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:26:57Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:26:57Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:57Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://0e6e439d422c8623288eb811a4cf3ac34bf23686c1a5ddd9023b62dd110a8228", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:25:58Z" + } + } + }, + { + "containerID": "containerd://c54daa5c2b2e6ab51bdad5a94fe7dd2fb3f90c35cb96da58bd6729e547912c5a", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/loki:2.9.8-zarf-777750453", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/loki@sha256:0343efe09e351e9b943e4854bd0543684dd4614d3394b4e77a13fc717a6fab49", + "lastState": {}, + "name": "loki", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:26:01Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "initContainerStatuses": [ + { + "containerID": "containerd://9164f9a3c879133f04086c4a4f389a7592ef5deed86ac824e1b1ff7851667e21", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://9164f9a3c879133f04086c4a4f389a7592ef5deed86ac824e1b1ff7851667e21", + "exitCode": 0, + "finishedAt": "2024-07-15T19:25:57Z", + "reason": "Completed", + "startedAt": "2024-07-15T19:25:57Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.42", + "podIPs": [ + { + "ip": "10.42.0.42" + } + ], + "qosClass": "Burstable", + "startTime": "2024-07-15T19:25:57Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "kube-prometheus-stack", + "kubectl.kubernetes.io/default-logs-container": "kube-prometheus-stack", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": "[\"require-non-root-user\",\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded" + }, + "creationTimestamp": "2024-07-15T19:27:19Z", + "generateName": "kube-prometheus-stack-operator-5db8867bcd-", + "labels": { + "app": "kube-prometheus-stack-operator", + "app.kubernetes.io/component": "prometheus-operator", + "app.kubernetes.io/instance": "kube-prometheus-stack", + "app.kubernetes.io/managed-by": "Helm", + "app.kubernetes.io/name": "kube-prometheus-stack-prometheus-operator", + "app.kubernetes.io/part-of": "kube-prometheus-stack", + "app.kubernetes.io/version": "58.7.2", + "chart": "kube-prometheus-stack-58.7.2", + "heritage": "Helm", + "pod-template-hash": "5db8867bcd", + "release": "kube-prometheus-stack", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "kube-prometheus-stack-prometheus-operator", + "service.istio.io/canonical-revision": "58.7.2", + "zarf-agent": "patched" + }, + "name": "kube-prometheus-stack-operator-5db8867bcd-8xdrk", + "namespace": "monitoring", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "kube-prometheus-stack-operator-5db8867bcd", + "uid": "5e00df34-8e47-48f2-af44-2d020d4c14a3" + } + ], + "resourceVersion": "3162", + "uid": "b82eebac-189d-4163-8d05-bb3b7f80c581" + }, + "spec": { + "automountServiceAccountToken": true, + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"name\":\"https\",\"containerPort\":10250,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "kube-prometheus-stack" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "kube-prometheus-stack-operator" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/monitoring/deployments/kube-prometheus-stack-operator" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-btm2b", + "readOnly": true + } + ] + }, + { + "args": [ + "--kubelet-service=kube-system/kube-prometheus-stack-kubelet", + "--localhost=127.0.0.1", + "--prometheus-config-reloader=cgr.dev/du-uds-defenseunicorns/prometheus-config-reloader-fips:0.74.0", + "--config-reloader-cpu-request=50m", + "--config-reloader-cpu-limit=100m", + "--config-reloader-memory-request=128Mi", + "--config-reloader-memory-limit=128Mi", + "--thanos-default-base-image=quay.io/thanos/thanos:v0.35.0", + "--secret-field-selector=type!=kubernetes.io/dockercfg,type!=kubernetes.io/service-account-token,type!=helm.sh/release.v1", + "--web.enable-tls=true", + "--web.cert-file=/cert/cert", + "--web.key-file=/cert/key", + "--web.listen-address=:10250", + "--web.tls-min-version=VersionTLS13" + ], + "env": [ + { + "name": "GOGC", + "value": "30" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/prometheus-operator-fips:0.74.0-zarf-1504306260", + "imagePullPolicy": "IfNotPresent", + "name": "kube-prometheus-stack", + "ports": [ + { + "containerPort": 10250, + "name": "https", + "protocol": "TCP" + } + ], + "resources": { + "limits": { + "cpu": "500m", + "memory": "512Mi" + }, + "requests": { + "cpu": "100m", + "memory": "512Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "readOnlyRootFilesystem": true + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/cert", + "name": "tls-secret", + "readOnly": true + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-btm2b", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-btm2b", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "fsGroup": 65534, + "runAsGroup": 65534, + "runAsNonRoot": true, + "runAsUser": 65534, + "seccompProfile": { + "type": "RuntimeDefault" + } + }, + "serviceAccount": "kube-prometheus-stack-operator", + "serviceAccountName": "kube-prometheus-stack-operator", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "tls-secret", + "secret": { + "defaultMode": 420, + "secretName": "kube-prometheus-stack-admission" + } + }, + { + "name": "kube-api-access-btm2b", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:27:21Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:27:21Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:27:25Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:27:25Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:27:19Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://239885f17c04c8b246371200107438e5bff7f826f6fc9ccf451d6db5fcb2c9ab", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:27:21Z" + } + } + }, + { + "containerID": "containerd://f6ed0e29bbd438bda64dda1db0f4518a24f25d737a72a835ed9a415570baad68", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/prometheus-operator-fips:0.74.0-zarf-1504306260", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/prometheus-operator-fips@sha256:dcbe22a321af6fc999d87bd1cc5afaabf0d7804d96e0d7dffa827caae03e1db8", + "lastState": {}, + "name": "kube-prometheus-stack", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:27:24Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "initContainerStatuses": [ + { + "containerID": "containerd://4a38570d788f69b2fb806332d4a6de8b475779ce06a153e9827b0eb0b014b885", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://4a38570d788f69b2fb806332d4a6de8b475779ce06a153e9827b0eb0b014b885", + "exitCode": 0, + "finishedAt": "2024-07-15T19:27:20Z", + "reason": "Completed", + "startedAt": "2024-07-15T19:27:20Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.45", + "podIPs": [ + { + "ip": "10.42.0.45" + } + ], + "qosClass": "Burstable", + "startTime": "2024-07-15T19:27:19Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "cluster-autoscaler.kubernetes.io/safe-to-evict": "true", + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "node-exporter", + "kubectl.kubernetes.io/default-logs-container": "node-exporter", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": "[\"require-non-root-user\",\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded", + "uds-core.pepr.dev/uds-core-policies.RestrictVolumeTypes": "exempted" + }, + "creationTimestamp": "2024-07-15T19:27:19Z", + "generateName": "kube-prometheus-stack-prometheus-node-exporter-", + "labels": { + "app.kubernetes.io/component": "metrics", + "app.kubernetes.io/instance": "kube-prometheus-stack", + "app.kubernetes.io/managed-by": "Helm", + "app.kubernetes.io/name": "prometheus-node-exporter", + "app.kubernetes.io/part-of": "prometheus-node-exporter", + "app.kubernetes.io/version": "1.8.0", + "controller-revision-hash": "566d74f9", + "helm.sh/chart": "prometheus-node-exporter-4.34.0", + "jobLabel": "node-exporter", + "pod-template-generation": "1", + "release": "kube-prometheus-stack", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "prometheus-node-exporter", + "service.istio.io/canonical-revision": "1.8.0", + "zarf-agent": "patched" + }, + "name": "kube-prometheus-stack-prometheus-node-exporter-wqwtp", + "namespace": "monitoring", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "DaemonSet", + "name": "kube-prometheus-stack-prometheus-node-exporter", + "uid": "7b074804-cb7c-4052-b4f6-70501284db8a" + } + ], + "resourceVersion": "3166", + "uid": "6f9ab7a7-2798-43e2-965b-2d257f7ec2be" + }, + "spec": { + "affinity": { + "nodeAffinity": { + "requiredDuringSchedulingIgnoredDuringExecution": { + "nodeSelectorTerms": [ + { + "matchFields": [ + { + "key": "metadata.name", + "operator": "In", + "values": [ + "k3d-uds-server-0" + ] + } + ] + } + ] + } + } + }, + "automountServiceAccountToken": false, + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"name\":\"http-metrics\",\"containerPort\":9100,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "node-exporter" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "kube-prometheus-stack-prometheus-node-exporter" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/monitoring/daemonsets/kube-prometheus-stack-prometheus-node-exporter" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + }, + { + "name": "ISTIO_KUBE_APP_PROBERS", + "value": "{\"/app-health/node-exporter/livez\":{\"httpGet\":{\"path\":\"/\",\"port\":9100,\"scheme\":\"HTTP\"},\"timeoutSeconds\":1},\"/app-health/node-exporter/readyz\":{\"httpGet\":{\"path\":\"/\",\"port\":9100,\"scheme\":\"HTTP\"},\"timeoutSeconds\":1}}" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + } + ] + }, + { + "args": [ + "--path.procfs=/host/proc", + "--path.sysfs=/host/sys", + "--path.rootfs=/host/root", + "--path.udev.data=/host/root/run/udev/data", + "--web.listen-address=[$(HOST_IP)]:9100", + "--collector.filesystem.mount-points-exclude=^/(dev|proc|sys|var/lib/docker/.+|var/lib/kubelet/.+)($|/)", + "--collector.filesystem.fs-types-exclude=^(autofs|binfmt_misc|bpf|cgroup2?|configfs|debugfs|devpts|devtmpfs|fusectl|hugetlbfs|iso9660|mqueue|nsfs|overlay|proc|procfs|pstore|rpc_pipefs|securityfs|selinuxfs|squashfs|sysfs|tracefs)$" + ], + "env": [ + { + "name": "HOST_IP", + "value": "0.0.0.0" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/prometheus-node-exporter-fips:1.8.1-zarf-1988696916", + "imagePullPolicy": "IfNotPresent", + "livenessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/app-health/node-exporter/livez", + "port": 15020, + "scheme": "HTTP" + }, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "name": "node-exporter", + "ports": [ + { + "containerPort": 9100, + "name": "http-metrics", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/app-health/node-exporter/readyz", + "port": 15020, + "scheme": "HTTP" + }, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "resources": {}, + "securityContext": { + "capabilities": { + "drop": [ + "ALL" + ] + }, + "readOnlyRootFilesystem": true + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/host/proc", + "name": "proc", + "readOnly": true + }, + { + "mountPath": "/host/sys", + "name": "sys", + "readOnly": true + }, + { + "mountPath": "/host/root", + "mountPropagation": "HostToContainer", + "name": "root", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File" + } + ], + "nodeName": "k3d-uds-server-0", + "nodeSelector": { + "kubernetes.io/os": "linux" + }, + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "fsGroup": 65534, + "runAsGroup": 65534, + "runAsNonRoot": true, + "runAsUser": 65534 + }, + "serviceAccount": "kube-prometheus-stack-prometheus-node-exporter", + "serviceAccountName": "kube-prometheus-stack-prometheus-node-exporter", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoSchedule", + "operator": "Exists" + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists" + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/disk-pressure", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/memory-pressure", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/pid-pressure", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/unschedulable", + "operator": "Exists" + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "hostPath": { + "path": "/proc", + "type": "" + }, + "name": "proc" + }, + { + "hostPath": { + "path": "/sys", + "type": "" + }, + "name": "sys" + }, + { + "hostPath": { + "path": "/", + "type": "" + }, + "name": "root" + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:27:21Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:27:21Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:27:25Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:27:25Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:27:19Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://b657fbdd1fc99c1ded1d9d22cfa169b018d12a168ed53d1ce5fa3b8313d1f614", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:27:21Z" + } + } + }, + { + "containerID": "containerd://17c54ba7ddf572d50059d1ad0f4c56729aa3e96627749f3de03b1b09c31335bf", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/prometheus-node-exporter-fips:1.8.1-zarf-1988696916", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/prometheus-node-exporter-fips@sha256:b4159d47db5b20a3a862f9f0cb4bebf6a779de99293492c6a56d4f3cbae9591d", + "lastState": {}, + "name": "node-exporter", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:27:23Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "initContainerStatuses": [ + { + "containerID": "containerd://50173dbc18c5590318a173cc57625a0bb67dcf5cad6471e089a79dd5cbe236c1", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://50173dbc18c5590318a173cc57625a0bb67dcf5cad6471e089a79dd5cbe236c1", + "exitCode": 0, + "finishedAt": "2024-07-15T19:27:20Z", + "reason": "Completed", + "startedAt": "2024-07-15T19:27:20Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.47", + "podIPs": [ + { + "ip": "10.42.0.47" + } + ], + "qosClass": "Burstable", + "startTime": "2024-07-15T19:27:19Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "kube-state-metrics", + "kubectl.kubernetes.io/default-logs-container": "kube-state-metrics", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": "[\"require-non-root-user\",\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded" + }, + "creationTimestamp": "2024-07-15T19:27:19Z", + "generateName": "kube-prometheus-stack-kube-state-metrics-7dd586f546-", + "labels": { + "app.kubernetes.io/component": "metrics", + "app.kubernetes.io/instance": "kube-prometheus-stack", + "app.kubernetes.io/managed-by": "Helm", + "app.kubernetes.io/name": "kube-state-metrics", + "app.kubernetes.io/part-of": "kube-state-metrics", + "app.kubernetes.io/version": "2.12.0", + "helm.sh/chart": "kube-state-metrics-5.19.0", + "pod-template-hash": "7dd586f546", + "release": "kube-prometheus-stack", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "kube-state-metrics", + "service.istio.io/canonical-revision": "2.12.0", + "zarf-agent": "patched" + }, + "name": "kube-prometheus-stack-kube-state-metrics-7dd586f546-6hzx8", + "namespace": "monitoring", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "kube-prometheus-stack-kube-state-metrics-7dd586f546", + "uid": "f339332a-634a-4fca-9465-7ea983fb79eb" + } + ], + "resourceVersion": "3220", + "uid": "3f97176a-a231-47e3-8918-b766492be550" + }, + "spec": { + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"name\":\"http\",\"containerPort\":8080,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "kube-state-metrics" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "kube-prometheus-stack-kube-state-metrics" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/monitoring/deployments/kube-prometheus-stack-kube-state-metrics" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + }, + { + "name": "ISTIO_KUBE_APP_PROBERS", + "value": "{\"/app-health/kube-state-metrics/livez\":{\"httpGet\":{\"path\":\"/healthz\",\"port\":8080,\"scheme\":\"HTTP\"},\"timeoutSeconds\":5},\"/app-health/kube-state-metrics/readyz\":{\"httpGet\":{\"path\":\"/\",\"port\":8080,\"scheme\":\"HTTP\"},\"timeoutSeconds\":5}}" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-ghcgm", + "readOnly": true + } + ] + }, + { + "args": [ + "--port=8080", + "--resources=certificatesigningrequests,configmaps,cronjobs,daemonsets,deployments,endpoints,horizontalpodautoscalers,ingresses,jobs,leases,limitranges,mutatingwebhookconfigurations,namespaces,networkpolicies,nodes,persistentvolumeclaims,persistentvolumes,poddisruptionbudgets,pods,replicasets,replicationcontrollers,resourcequotas,secrets,services,statefulsets,storageclasses,validatingwebhookconfigurations,volumeattachments" + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/kube-state-metrics-fips:2.12.0-zarf-3880197347", + "imagePullPolicy": "IfNotPresent", + "livenessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/app-health/kube-state-metrics/livez", + "port": 15020, + "scheme": "HTTP" + }, + "initialDelaySeconds": 5, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 5 + }, + "name": "kube-state-metrics", + "ports": [ + { + "containerPort": 8080, + "name": "http", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/app-health/kube-state-metrics/readyz", + "port": 15020, + "scheme": "HTTP" + }, + "initialDelaySeconds": 5, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 5 + }, + "resources": {}, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "readOnlyRootFilesystem": true + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-ghcgm", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-ghcgm", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "fsGroup": 65532, + "runAsGroup": 65532, + "runAsNonRoot": true, + "runAsUser": 65532, + "seccompProfile": { + "type": "RuntimeDefault" + } + }, + "serviceAccount": "kube-prometheus-stack-kube-state-metrics", + "serviceAccountName": "kube-prometheus-stack-kube-state-metrics", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "kube-api-access-ghcgm", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:27:21Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:27:21Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:27:29Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:27:29Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:27:19Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://0367d52d8fa6f43d049926dda9356a01ba7fd022feec7165ad9fcfb1428d20e5", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:27:21Z" + } + } + }, + { + "containerID": "containerd://aa8b5f6145373edd19f91748c8d3e7e8e6140b043dd869dddc2a48ea38cd9815", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/kube-state-metrics-fips:2.12.0-zarf-3880197347", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/kube-state-metrics-fips@sha256:b3ba196c56ac3ab713ad13bfbf14c97bac616c3d9529d06a8d42a2628491e1cc", + "lastState": {}, + "name": "kube-state-metrics", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:27:23Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "initContainerStatuses": [ + { + "containerID": "containerd://ba55f9d20f4c9f56312035237b371988c9443ffe6357783d20e7f641d549265e", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://ba55f9d20f4c9f56312035237b371988c9443ffe6357783d20e7f641d549265e", + "exitCode": 0, + "finishedAt": "2024-07-15T19:27:20Z", + "reason": "Completed", + "startedAt": "2024-07-15T19:27:20Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.46", + "podIPs": [ + { + "ip": "10.42.0.46" + } + ], + "qosClass": "Burstable", + "startTime": "2024-07-15T19:27:19Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "alertmanager", + "kubectl.kubernetes.io/default-logs-container": "alertmanager", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": "[\"require-non-root-user\",\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded" + }, + "creationTimestamp": "2024-07-15T19:27:24Z", + "generateName": "alertmanager-kube-prometheus-stack-alertmanager-", + "labels": { + "alertmanager": "kube-prometheus-stack-alertmanager", + "app.kubernetes.io/instance": "kube-prometheus-stack-alertmanager", + "app.kubernetes.io/managed-by": "prometheus-operator", + "app.kubernetes.io/name": "alertmanager", + "app.kubernetes.io/version": "0.27.0", + "apps.kubernetes.io/pod-index": "0", + "controller-revision-hash": "alertmanager-kube-prometheus-stack-alertmanager-86df757d96", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "alertmanager", + "service.istio.io/canonical-revision": "0.27.0", + "statefulset.kubernetes.io/pod-name": "alertmanager-kube-prometheus-stack-alertmanager-0", + "zarf-agent": "patched" + }, + "name": "alertmanager-kube-prometheus-stack-alertmanager-0", + "namespace": "monitoring", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "StatefulSet", + "name": "alertmanager-kube-prometheus-stack-alertmanager", + "uid": "61db9157-af82-4a9a-a74c-1fc4071df013" + } + ], + "resourceVersion": "3274", + "uid": "6acfc084-1f52-47d5-875c-23593ca23342" + }, + "spec": { + "automountServiceAccountToken": true, + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"name\":\"http-web\",\"containerPort\":9093,\"protocol\":\"TCP\"}\n ,{\"name\":\"mesh-tcp\",\"containerPort\":9094,\"protocol\":\"TCP\"}\n ,{\"name\":\"mesh-udp\",\"containerPort\":9094,\"protocol\":\"UDP\"}\n ,{\"name\":\"reloader-web\",\"containerPort\":8080,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "alertmanager,config-reloader" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "alertmanager-kube-prometheus-stack-alertmanager" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/monitoring/statefulsets/alertmanager-kube-prometheus-stack-alertmanager" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + }, + { + "name": "ISTIO_KUBE_APP_PROBERS", + "value": "{\"/app-health/alertmanager/livez\":{\"httpGet\":{\"path\":\"/-/healthy\",\"port\":9093,\"scheme\":\"HTTP\"},\"timeoutSeconds\":3},\"/app-health/alertmanager/readyz\":{\"httpGet\":{\"path\":\"/-/ready\",\"port\":9093,\"scheme\":\"HTTP\"},\"timeoutSeconds\":3}}" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-ftq4l", + "readOnly": true + } + ] + }, + { + "args": [ + "--config.file=/etc/alertmanager/config_out/alertmanager.env.yaml", + "--storage.path=/alertmanager", + "--data.retention=120h", + "--cluster.listen-address=", + "--web.listen-address=:9093", + "--web.external-url=http://kube-prometheus-stack-alertmanager.monitoring:9093", + "--web.route-prefix=/", + "--cluster.label=monitoring/kube-prometheus-stack-alertmanager", + "--cluster.peer=alertmanager-kube-prometheus-stack-alertmanager-0.alertmanager-operated:9094", + "--cluster.reconnect-timeout=5m", + "--web.config.file=/etc/alertmanager/web_config/web-config.yaml" + ], + "env": [ + { + "name": "POD_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/prometheus-alertmanager-fips:0.27.0-zarf-3083929401", + "imagePullPolicy": "IfNotPresent", + "livenessProbe": { + "failureThreshold": 10, + "httpGet": { + "path": "/app-health/alertmanager/livez", + "port": 15020, + "scheme": "HTTP" + }, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "name": "alertmanager", + "ports": [ + { + "containerPort": 9093, + "name": "http-web", + "protocol": "TCP" + }, + { + "containerPort": 9094, + "name": "mesh-tcp", + "protocol": "TCP" + }, + { + "containerPort": 9094, + "name": "mesh-udp", + "protocol": "UDP" + } + ], + "readinessProbe": { + "failureThreshold": 10, + "httpGet": { + "path": "/app-health/alertmanager/readyz", + "port": 15020, + "scheme": "HTTP" + }, + "initialDelaySeconds": 3, + "periodSeconds": 5, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "requests": { + "memory": "200Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "readOnlyRootFilesystem": true + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "FallbackToLogsOnError", + "volumeMounts": [ + { + "mountPath": "/etc/alertmanager/config", + "name": "config-volume" + }, + { + "mountPath": "/etc/alertmanager/config_out", + "name": "config-out", + "readOnly": true + }, + { + "mountPath": "/etc/alertmanager/certs", + "name": "tls-assets", + "readOnly": true + }, + { + "mountPath": "/alertmanager", + "name": "alertmanager-kube-prometheus-stack-alertmanager-db" + }, + { + "mountPath": "/etc/alertmanager/web_config/web-config.yaml", + "name": "web-config", + "readOnly": true, + "subPath": "web-config.yaml" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-ftq4l", + "readOnly": true + } + ] + }, + { + "args": [ + "--listen-address=:8080", + "--reload-url=http://127.0.0.1:9093/-/reload", + "--config-file=/etc/alertmanager/config/alertmanager.yaml.gz", + "--config-envsubst-file=/etc/alertmanager/config_out/alertmanager.env.yaml", + "--watched-dir=/etc/alertmanager/config" + ], + "command": [ + "/bin/prometheus-config-reloader" + ], + "env": [ + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "SHARD", + "value": "-1" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/prometheus-config-reloader-fips:0.74.0-zarf-2650362023", + "imagePullPolicy": "IfNotPresent", + "name": "config-reloader", + "ports": [ + { + "containerPort": 8080, + "name": "reloader-web", + "protocol": "TCP" + } + ], + "resources": { + "limits": { + "cpu": "100m", + "memory": "128Mi" + }, + "requests": { + "cpu": "50m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "readOnlyRootFilesystem": true + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "FallbackToLogsOnError", + "volumeMounts": [ + { + "mountPath": "/etc/alertmanager/config", + "name": "config-volume", + "readOnly": true + }, + { + "mountPath": "/etc/alertmanager/config_out", + "name": "config-out" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-ftq4l", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "hostname": "alertmanager-kube-prometheus-stack-alertmanager-0", + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "--watch-interval=0", + "--listen-address=:8080", + "--config-file=/etc/alertmanager/config/alertmanager.yaml.gz", + "--config-envsubst-file=/etc/alertmanager/config_out/alertmanager.env.yaml", + "--watched-dir=/etc/alertmanager/config" + ], + "command": [ + "/bin/prometheus-config-reloader" + ], + "env": [ + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "SHARD", + "value": "-1" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/prometheus-config-reloader-fips:0.74.0-zarf-2650362023", + "imagePullPolicy": "IfNotPresent", + "name": "init-config-reloader", + "ports": [ + { + "containerPort": 8080, + "name": "reloader-web", + "protocol": "TCP" + } + ], + "resources": { + "limits": { + "cpu": "100m", + "memory": "128Mi" + }, + "requests": { + "cpu": "50m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "readOnlyRootFilesystem": true + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "FallbackToLogsOnError", + "volumeMounts": [ + { + "mountPath": "/etc/alertmanager/config", + "name": "config-volume", + "readOnly": true + }, + { + "mountPath": "/etc/alertmanager/config_out", + "name": "config-out" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-ftq4l", + "readOnly": true + } + ] + }, + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-ftq4l", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "fsGroup": 2000, + "runAsGroup": 2000, + "runAsNonRoot": true, + "runAsUser": 1000, + "seccompProfile": { + "type": "RuntimeDefault" + } + }, + "serviceAccount": "kube-prometheus-stack-alertmanager", + "serviceAccountName": "kube-prometheus-stack-alertmanager", + "subdomain": "alertmanager-operated", + "terminationGracePeriodSeconds": 120, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "config-volume", + "secret": { + "defaultMode": 420, + "secretName": "alertmanager-kube-prometheus-stack-alertmanager-generated" + } + }, + { + "name": "tls-assets", + "projected": { + "defaultMode": 420, + "sources": [ + { + "secret": { + "name": "alertmanager-kube-prometheus-stack-alertmanager-tls-assets-0" + } + } + ] + } + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "config-out" + }, + { + "name": "web-config", + "secret": { + "defaultMode": 420, + "secretName": "alertmanager-kube-prometheus-stack-alertmanager-web-config" + } + }, + { + "emptyDir": {}, + "name": "alertmanager-kube-prometheus-stack-alertmanager-db" + }, + { + "name": "kube-api-access-ftq4l", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:27:26Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:27:28Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:27:33Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:27:33Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:27:24Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://d37730fa66a607f62d31ead0d659e107a229ebbc32c0201cb6f90cbd1c66040c", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/prometheus-alertmanager-fips:0.27.0-zarf-3083929401", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/prometheus-alertmanager-fips@sha256:2a06bfa891e766f4e6df9ce310cdbf9ef7cc203a06c037af8e91ae3d8f8ac74d", + "lastState": {}, + "name": "alertmanager", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:27:30Z" + } + } + }, + { + "containerID": "containerd://0986cc37144cc9354295ac587fccf064e23a66988727e3bd836d957332123c90", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/prometheus-config-reloader-fips:0.74.0-zarf-2650362023", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/prometheus-config-reloader-fips@sha256:82a53ed83f67ecec7419a57f7bdb906bbd4d126902a9f958b59df19c56a8ddfc", + "lastState": {}, + "name": "config-reloader", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:27:30Z" + } + } + }, + { + "containerID": "containerd://ac24cf7cf1219306cc29eab003b700e3b2eef8a0773ce4e6e35025d8a1b8c30d", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:27:28Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "initContainerStatuses": [ + { + "containerID": "containerd://8a837b1154bf109328f3aac1b60852072235a7aaeddb440db72149be2c09a001", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/prometheus-config-reloader-fips:0.74.0-zarf-2650362023", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/prometheus-config-reloader-fips@sha256:82a53ed83f67ecec7419a57f7bdb906bbd4d126902a9f958b59df19c56a8ddfc", + "lastState": {}, + "name": "init-config-reloader", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://8a837b1154bf109328f3aac1b60852072235a7aaeddb440db72149be2c09a001", + "exitCode": 0, + "finishedAt": "2024-07-15T19:27:26Z", + "reason": "Completed", + "startedAt": "2024-07-15T19:27:25Z" + } + } + }, + { + "containerID": "containerd://21db31430fbcc9e339e63b65dee79ac4de47bf6cf799fdaff895a61ac1463472", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://21db31430fbcc9e339e63b65dee79ac4de47bf6cf799fdaff895a61ac1463472", + "exitCode": 0, + "finishedAt": "2024-07-15T19:27:27Z", + "reason": "Completed", + "startedAt": "2024-07-15T19:27:27Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.49", + "podIPs": [ + { + "ip": "10.42.0.49" + } + ], + "qosClass": "Burstable", + "startTime": "2024-07-15T19:27:24Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "checksum/init-configmap": "09739169a4cac1b76e349f92d75fe6b9900b484f897d017597195d07b8c25048", + "checksum/uds-sso-secret": "", + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "neuvector-controller-pod", + "kubectl.kubernetes.io/default-logs-container": "neuvector-controller-pod", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/uds-core-policies": "succeeded", + "uds-core.pepr.dev/uds-core-policies.DisallowPrivileged": "exempted", + "uds-core.pepr.dev/uds-core-policies.DropAllCapabilities": "exempted", + "uds-core.pepr.dev/uds-core-policies.RequireNonRootUser": "exempted", + "uds-core.pepr.dev/uds-core-policies.RestrictHostPathWrite": "exempted", + "uds-core.pepr.dev/uds-core-policies.RestrictVolumeTypes": "exempted" + }, + "creationTimestamp": "2024-07-15T19:27:22Z", + "generateName": "neuvector-controller-pod-5dccb6c44f-", + "labels": { + "app": "neuvector-controller-pod", + "pod-template-hash": "5dccb6c44f", + "release": "core", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "neuvector-controller-pod", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": "neuvector-controller-pod-5dccb6c44f-w488m", + "namespace": "neuvector", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "neuvector-controller-pod-5dccb6c44f", + "uid": "8e887e07-0945-4e20-ad12-b1c40f529e1a" + } + ], + "resourceVersion": "3315", + "uid": "4559ff09-1ccc-4a8d-9efe-2f7154ef2dc1" + }, + "spec": { + "affinity": { + "podAntiAffinity": { + "preferredDuringSchedulingIgnoredDuringExecution": [ + { + "podAffinityTerm": { + "labelSelector": { + "matchExpressions": [ + { + "key": "app", + "operator": "In", + "values": [ + "neuvector-controller-pod" + ] + } + ] + }, + "topologyKey": "kubernetes.io/hostname" + }, + "weight": 100 + } + ] + } + }, + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "neuvector-controller-pod" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "neuvector-controller-pod" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/neuvector/deployments/neuvector-controller-pod" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-lc5t2", + "readOnly": true + } + ] + }, + { + "env": [ + { + "name": "CLUSTER_JOIN_ADDR", + "value": "neuvector-svc-controller.neuvector" + }, + { + "name": "CLUSTER_ADVERTISED_ADDR", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "CLUSTER_BIND_ADDR", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "NO_DEFAULT_ADMIN", + "value": "1" + } + ], + "image": "127.0.0.1:31999/neuvector/controller:5.3.3-zarf-4157091163", + "imagePullPolicy": "IfNotPresent", + "name": "neuvector-controller-pod", + "readinessProbe": { + "exec": { + "command": [ + "cat", + "/tmp/ready" + ] + }, + "failureThreshold": 3, + "initialDelaySeconds": 5, + "periodSeconds": 5, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "resources": {}, + "securityContext": { + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/config", + "name": "config-volume", + "readOnly": true + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-lc5t2", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-lc5t2", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": {}, + "serviceAccount": "controller", + "serviceAccountName": "controller", + "terminationGracePeriodSeconds": 300, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "config-volume", + "projected": { + "defaultMode": 420, + "sources": [ + { + "configMap": { + "name": "neuvector-init", + "optional": true + } + }, + { + "secret": { + "name": "neuvector-init", + "optional": true + } + }, + { + "secret": { + "name": "neuvector-secret", + "optional": true + } + } + ] + } + }, + { + "name": "kube-api-access-lc5t2", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:27:23Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:27:23Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:27:37Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:27:37Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:27:22Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://dc1e70bb091ae6da52e6ad66d5c9ea7523da8564e1cf75b46a852432cc3410ed", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:27:23Z" + } + } + }, + { + "containerID": "containerd://107261771dee580ff42ade832aa0caf7ebbdcfb3c7cb7d1eccf22ae0131739c5", + "image": "127.0.0.1:31999/neuvector/controller:5.3.3-zarf-4157091163", + "imageID": "127.0.0.1:31999/neuvector/controller@sha256:1102321e8ed5bd3aad26e3d2c3b9a3ddc5aa82c2949fc2600b9350c7e951950e", + "lastState": {}, + "name": "neuvector-controller-pod", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:27:25Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "initContainerStatuses": [ + { + "containerID": "containerd://c1a58429dad4aad9b4d9aebde10c4b181d3021914849a3d9878a0e763f9b3f80", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://c1a58429dad4aad9b4d9aebde10c4b181d3021914849a3d9878a0e763f9b3f80", + "exitCode": 0, + "finishedAt": "2024-07-15T19:27:22Z", + "reason": "Completed", + "startedAt": "2024-07-15T19:27:22Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.48", + "podIPs": [ + { + "ip": "10.42.0.48" + } + ], + "qosClass": "Burstable", + "startTime": "2024-07-15T19:27:22Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "prometheus", + "kubectl.kubernetes.io/default-logs-container": "prometheus", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "proxy.istio.io/config": "proxyMetadata:\n OUTPUT_CERTS: /etc/istio-output-certs\n", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "sidecar.istio.io/userVolumeMount": "[{\"name\": \"istio-certs\", \"mountPath\": \"/etc/istio-output-certs\"}]", + "traffic.sidecar.istio.io/includeOutboundIPRanges": "", + "uds-core.pepr.dev/mutated": "[\"require-non-root-user\",\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded", + "uds-core.pepr.dev/uds-core-policies.RestrictHostPathWrite": "exempted", + "uds-core.pepr.dev/uds-core-policies.RestrictVolumeTypes": "exempted" + }, + "creationTimestamp": "2024-07-15T19:27:24Z", + "generateName": "prometheus-kube-prometheus-stack-prometheus-", + "labels": { + "app": "prometheus", + "app.kubernetes.io/instance": "kube-prometheus-stack-prometheus", + "app.kubernetes.io/managed-by": "prometheus-operator", + "app.kubernetes.io/name": "prometheus", + "app.kubernetes.io/version": "2.52.0", + "apps.kubernetes.io/pod-index": "0", + "controller-revision-hash": "prometheus-kube-prometheus-stack-prometheus-8784b54db", + "operator.prometheus.io/name": "kube-prometheus-stack-prometheus", + "operator.prometheus.io/shard": "0", + "prometheus": "kube-prometheus-stack-prometheus", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "prometheus", + "service.istio.io/canonical-revision": "2.52.0", + "statefulset.kubernetes.io/pod-name": "prometheus-kube-prometheus-stack-prometheus-0", + "zarf-agent": "patched" + }, + "name": "prometheus-kube-prometheus-stack-prometheus-0", + "namespace": "monitoring", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "StatefulSet", + "name": "prometheus-kube-prometheus-stack-prometheus", + "uid": "03a11223-c17f-4abd-bff8-35e67bbc478f" + } + ], + "resourceVersion": "3406", + "uid": "c7e56a77-3e1e-4c38-908e-eeaae798dd49" + }, + "spec": { + "automountServiceAccountToken": true, + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"proxyMetadata\":{\"OUTPUT_CERTS\":\"/etc/istio-output-certs\"},\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"name\":\"http-web\",\"containerPort\":9090,\"protocol\":\"TCP\"}\n ,{\"name\":\"reloader-web\",\"containerPort\":8080,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "prometheus,config-reloader" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "prometheus-kube-prometheus-stack-prometheus" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/monitoring/statefulsets/prometheus-kube-prometheus-stack-prometheus" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + }, + { + "name": "OUTPUT_CERTS", + "value": "/etc/istio-output-certs" + }, + { + "name": "ISTIO_KUBE_APP_PROBERS", + "value": "{\"/app-health/prometheus/livez\":{\"httpGet\":{\"path\":\"/-/healthy\",\"port\":9090,\"scheme\":\"HTTP\"},\"timeoutSeconds\":3},\"/app-health/prometheus/readyz\":{\"httpGet\":{\"path\":\"/-/ready\",\"port\":9090,\"scheme\":\"HTTP\"},\"timeoutSeconds\":3},\"/app-health/prometheus/startupz\":{\"httpGet\":{\"path\":\"/-/ready\",\"port\":9090,\"scheme\":\"HTTP\"},\"timeoutSeconds\":3}}" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/etc/istio-output-certs", + "name": "istio-certs" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-v4jgm", + "readOnly": true + } + ] + }, + { + "args": [ + "--web.console.templates=/etc/prometheus/consoles", + "--web.console.libraries=/etc/prometheus/console_libraries", + "--config.file=/etc/prometheus/config_out/prometheus.env.yaml", + "--web.enable-lifecycle", + "--enable-feature=remote-write-receiver", + "--web.external-url=http://kube-prometheus-stack-prometheus.monitoring:9090", + "--web.route-prefix=/", + "--storage.tsdb.retention.time=10d", + "--storage.tsdb.path=/prometheus", + "--storage.tsdb.wal-compression", + "--web.config.file=/etc/prometheus/web_config/web-config.yaml" + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/prometheus-fips:2.52.0-zarf-1514605890", + "imagePullPolicy": "IfNotPresent", + "livenessProbe": { + "failureThreshold": 6, + "httpGet": { + "path": "/app-health/prometheus/livez", + "port": 15020, + "scheme": "HTTP" + }, + "periodSeconds": 5, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "name": "prometheus", + "ports": [ + { + "containerPort": 9090, + "name": "http-web", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/app-health/prometheus/readyz", + "port": 15020, + "scheme": "HTTP" + }, + "periodSeconds": 5, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "300m", + "memory": "2Gi" + }, + "requests": { + "cpu": "100m", + "memory": "512Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "readOnlyRootFilesystem": true + }, + "startupProbe": { + "failureThreshold": 60, + "httpGet": { + "path": "/app-health/prometheus/startupz", + "port": 15020, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "FallbackToLogsOnError", + "volumeMounts": [ + { + "mountPath": "/etc/prometheus/config_out", + "name": "config-out", + "readOnly": true + }, + { + "mountPath": "/etc/prometheus/certs", + "name": "tls-assets", + "readOnly": true + }, + { + "mountPath": "/prometheus", + "name": "prometheus-kube-prometheus-stack-prometheus-db", + "subPath": "prometheus-db" + }, + { + "mountPath": "/etc/prom-certs/", + "name": "istio-certs" + }, + { + "mountPath": "/etc/prometheus/rules/prometheus-kube-prometheus-stack-prometheus-rulefiles-0", + "name": "prometheus-kube-prometheus-stack-prometheus-rulefiles-0" + }, + { + "mountPath": "/etc/prometheus/web_config/web-config.yaml", + "name": "web-config", + "readOnly": true, + "subPath": "web-config.yaml" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-v4jgm", + "readOnly": true + } + ] + }, + { + "args": [ + "--listen-address=:8080", + "--reload-url=http://127.0.0.1:9090/-/reload", + "--config-file=/etc/prometheus/config/prometheus.yaml.gz", + "--config-envsubst-file=/etc/prometheus/config_out/prometheus.env.yaml", + "--watched-dir=/etc/prometheus/rules/prometheus-kube-prometheus-stack-prometheus-rulefiles-0" + ], + "command": [ + "/bin/prometheus-config-reloader" + ], + "env": [ + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "SHARD", + "value": "0" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/prometheus-config-reloader-fips:0.74.0-zarf-2650362023", + "imagePullPolicy": "IfNotPresent", + "name": "config-reloader", + "ports": [ + { + "containerPort": 8080, + "name": "reloader-web", + "protocol": "TCP" + } + ], + "resources": { + "limits": { + "cpu": "100m", + "memory": "128Mi" + }, + "requests": { + "cpu": "50m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "readOnlyRootFilesystem": true + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "FallbackToLogsOnError", + "volumeMounts": [ + { + "mountPath": "/etc/prometheus/config", + "name": "config" + }, + { + "mountPath": "/etc/prometheus/config_out", + "name": "config-out" + }, + { + "mountPath": "/etc/prometheus/rules/prometheus-kube-prometheus-stack-prometheus-rulefiles-0", + "name": "prometheus-kube-prometheus-stack-prometheus-rulefiles-0" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-v4jgm", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "hostname": "prometheus-kube-prometheus-stack-prometheus-0", + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "--watch-interval=0", + "--listen-address=:8080", + "--config-file=/etc/prometheus/config/prometheus.yaml.gz", + "--config-envsubst-file=/etc/prometheus/config_out/prometheus.env.yaml", + "--watched-dir=/etc/prometheus/rules/prometheus-kube-prometheus-stack-prometheus-rulefiles-0" + ], + "command": [ + "/bin/prometheus-config-reloader" + ], + "env": [ + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "SHARD", + "value": "0" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/prometheus-config-reloader-fips:0.74.0-zarf-2650362023", + "imagePullPolicy": "IfNotPresent", + "name": "init-config-reloader", + "ports": [ + { + "containerPort": 8080, + "name": "reloader-web", + "protocol": "TCP" + } + ], + "resources": { + "limits": { + "cpu": "100m", + "memory": "128Mi" + }, + "requests": { + "cpu": "50m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "readOnlyRootFilesystem": true + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "FallbackToLogsOnError", + "volumeMounts": [ + { + "mountPath": "/etc/prometheus/config", + "name": "config" + }, + { + "mountPath": "/etc/prometheus/config_out", + "name": "config-out" + }, + { + "mountPath": "/etc/prometheus/rules/prometheus-kube-prometheus-stack-prometheus-rulefiles-0", + "name": "prometheus-kube-prometheus-stack-prometheus-rulefiles-0" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-v4jgm", + "readOnly": true + } + ] + }, + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "OUTPUT_CERTS", + "value": "/etc/istio-output-certs" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-v4jgm", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "fsGroup": 2000, + "runAsGroup": 2000, + "runAsNonRoot": true, + "runAsUser": 1000, + "seccompProfile": { + "type": "RuntimeDefault" + } + }, + "serviceAccount": "kube-prometheus-stack-prometheus", + "serviceAccountName": "kube-prometheus-stack-prometheus", + "shareProcessNamespace": false, + "subdomain": "prometheus-operated", + "terminationGracePeriodSeconds": 600, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "prometheus-kube-prometheus-stack-prometheus-db", + "persistentVolumeClaim": { + "claimName": "prometheus-kube-prometheus-stack-prometheus-db-prometheus-kube-prometheus-stack-prometheus-0" + } + }, + { + "name": "config", + "secret": { + "defaultMode": 420, + "secretName": "prometheus-kube-prometheus-stack-prometheus" + } + }, + { + "name": "tls-assets", + "projected": { + "defaultMode": 420, + "sources": [ + { + "secret": { + "name": "prometheus-kube-prometheus-stack-prometheus-tls-assets-0" + } + } + ] + } + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "config-out" + }, + { + "configMap": { + "defaultMode": 420, + "name": "prometheus-kube-prometheus-stack-prometheus-rulefiles-0" + }, + "name": "prometheus-kube-prometheus-stack-prometheus-rulefiles-0" + }, + { + "name": "web-config", + "secret": { + "defaultMode": 420, + "secretName": "prometheus-kube-prometheus-stack-prometheus-web-config" + } + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-certs" + }, + { + "name": "kube-api-access-v4jgm", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:27:29Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:27:31Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:27:44Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:27:44Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:27:28Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://7ddf638cfaa67d0ab3f278759b14345d85c2782133169db145e04a0a07654360", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/prometheus-config-reloader-fips:0.74.0-zarf-2650362023", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/prometheus-config-reloader-fips@sha256:82a53ed83f67ecec7419a57f7bdb906bbd4d126902a9f958b59df19c56a8ddfc", + "lastState": {}, + "name": "config-reloader", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:27:34Z" + } + } + }, + { + "containerID": "containerd://60305c47a10238f9c0562c8f8a4b9ac54420a40d46d78f4d3c45dc535e23bdff", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:27:31Z" + } + } + }, + { + "containerID": "containerd://3ed3b243647230506614c9b6a0149f98f989eebded1778f39adbaba85000c51f", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/prometheus-fips:2.52.0-zarf-1514605890", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/prometheus-fips@sha256:25cbfab089f562bd8a9768bbda98a89a8b8b38c0e38f98ec9e0734ec10e11a04", + "lastState": {}, + "name": "prometheus", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:27:34Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "initContainerStatuses": [ + { + "containerID": "containerd://50ee9a05401029ef85c6458ce8ae25e3e7f673e9d12846c0b87991315db93da4", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/prometheus-config-reloader-fips:0.74.0-zarf-2650362023", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/prometheus-config-reloader-fips@sha256:82a53ed83f67ecec7419a57f7bdb906bbd4d126902a9f958b59df19c56a8ddfc", + "lastState": {}, + "name": "init-config-reloader", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://50ee9a05401029ef85c6458ce8ae25e3e7f673e9d12846c0b87991315db93da4", + "exitCode": 0, + "finishedAt": "2024-07-15T19:27:29Z", + "reason": "Completed", + "startedAt": "2024-07-15T19:27:29Z" + } + } + }, + { + "containerID": "containerd://68736b4e1593c0c2f3917cfad22a679b5d1bd99188b0afa7e9c2a92f0509f049", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://68736b4e1593c0c2f3917cfad22a679b5d1bd99188b0afa7e9c2a92f0509f049", + "exitCode": 0, + "finishedAt": "2024-07-15T19:27:30Z", + "reason": "Completed", + "startedAt": "2024-07-15T19:27:30Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.51", + "podIPs": [ + { + "ip": "10.42.0.51" + } + ], + "qosClass": "Burstable", + "startTime": "2024-07-15T19:27:28Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "checksum/config": "a54b4b978607806a73c1e79d416367816e4d9407c7f1cffa13519cfc40a654fc", + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "promtail", + "kubectl.kubernetes.io/default-logs-container": "promtail", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": "[\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded", + "uds-core.pepr.dev/uds-core-policies.DisallowPrivileged": "exempted", + "uds-core.pepr.dev/uds-core-policies.RequireNonRootUser": "exempted", + "uds-core.pepr.dev/uds-core-policies.RestrictHostPathWrite": "exempted", + "uds-core.pepr.dev/uds-core-policies.RestrictSELinuxType": "exempted", + "uds-core.pepr.dev/uds-core-policies.RestrictVolumeTypes": "exempted" + }, + "creationTimestamp": "2024-07-15T19:27:43Z", + "generateName": "promtail-", + "labels": { + "app.kubernetes.io/instance": "promtail", + "app.kubernetes.io/name": "promtail", + "controller-revision-hash": "8658478dbf", + "pod-template-generation": "1", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "promtail", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": "promtail-d5dtx", + "namespace": "promtail", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "DaemonSet", + "name": "promtail", + "uid": "a6f37285-cfa8-4b8f-b07e-ee51a798e525" + } + ], + "resourceVersion": "3510", + "uid": "ce1b3f37-4983-4fff-b0a2-4c50bc6dbac8" + }, + "spec": { + "affinity": { + "nodeAffinity": { + "requiredDuringSchedulingIgnoredDuringExecution": { + "nodeSelectorTerms": [ + { + "matchFields": [ + { + "key": "metadata.name", + "operator": "In", + "values": [ + "k3d-uds-server-0" + ] + } + ] + } + ] + } + } + }, + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"name\":\"http-metrics\",\"containerPort\":3101,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "promtail" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "promtail" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/promtail/daemonsets/promtail" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + }, + { + "name": "ISTIO_KUBE_APP_PROBERS", + "value": "{\"/app-health/promtail/readyz\":{\"httpGet\":{\"path\":\"/ready\",\"port\":3101,\"scheme\":\"HTTP\"},\"timeoutSeconds\":1}}" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-9t52k", + "readOnly": true + } + ] + }, + { + "args": [ + "-config.file=/etc/promtail/promtail.yaml", + "-config.expand-env=true" + ], + "env": [ + { + "name": "HOSTNAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "NODE_HOSTNAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/promtail:3.1.0-zarf-1953805084", + "imagePullPolicy": "IfNotPresent", + "name": "promtail", + "ports": [ + { + "containerPort": 3101, + "name": "http-metrics", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 5, + "httpGet": { + "path": "/app-health/promtail/readyz", + "port": 15020, + "scheme": "HTTP" + }, + "initialDelaySeconds": 10, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "resources": { + "limits": { + "cpu": "500m", + "memory": "750Mi" + }, + "requests": { + "cpu": "100m", + "memory": "256Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsUser": 0, + "seLinuxOptions": { + "type": "spc_t" + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/promtail", + "name": "config" + }, + { + "mountPath": "/run/promtail", + "name": "run" + }, + { + "mountPath": "/var/lib/docker/containers", + "name": "containers", + "readOnly": true + }, + { + "mountPath": "/var/log/pods", + "name": "pods", + "readOnly": true + }, + { + "mountPath": "/var/log", + "name": "varlog", + "readOnly": true + }, + { + "mountPath": "/etc/machine-id", + "name": "machine-id", + "readOnly": true, + "subPath": "machine-id" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-9t52k", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-9t52k", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "runAsGroup": 0, + "runAsUser": 0 + }, + "serviceAccount": "promtail", + "serviceAccountName": "promtail", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoSchedule", + "key": "node-role.kubernetes.io/master", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node-role.kubernetes.io/control-plane", + "operator": "Exists" + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists" + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/disk-pressure", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/memory-pressure", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/pid-pressure", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/unschedulable", + "operator": "Exists" + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "config", + "secret": { + "defaultMode": 420, + "secretName": "promtail" + } + }, + { + "hostPath": { + "path": "/run/promtail", + "type": "" + }, + "name": "run" + }, + { + "hostPath": { + "path": "/var/lib/docker/containers", + "type": "" + }, + "name": "containers" + }, + { + "hostPath": { + "path": "/var/log/pods", + "type": "" + }, + "name": "pods" + }, + { + "hostPath": { + "path": "/var/log", + "type": "" + }, + "name": "varlog" + }, + { + "hostPath": { + "path": "/etc", + "type": "" + }, + "name": "machine-id" + }, + { + "name": "kube-api-access-9t52k", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:27:44Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:27:44Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:28:03Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:28:03Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:27:43Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://7c78e49d88146054d56028666a64566f9ad9269b9d8d40c12a02492f0e2e4e07", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:27:44Z" + } + } + }, + { + "containerID": "containerd://403fd9b05ed7c9fe2e7a45b50738d7af1d830dc8bfd77d2286bd7bf6850f3146", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/promtail:3.1.0-zarf-1953805084", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/promtail@sha256:8339c37daa94d90d4453d165423dc4a46075fbcbb38786aa76355db18a305b65", + "lastState": {}, + "name": "promtail", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:27:46Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "initContainerStatuses": [ + { + "containerID": "containerd://68e093c428ff18b83bff504a1d5b1e2b7b3aa55c815a10e1c0fecef1e92f3763", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://68e093c428ff18b83bff504a1d5b1e2b7b3aa55c815a10e1c0fecef1e92f3763", + "exitCode": 0, + "finishedAt": "2024-07-15T19:27:43Z", + "reason": "Completed", + "startedAt": "2024-07-15T19:27:43Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.53", + "podIPs": [ + { + "ip": "10.42.0.53" + } + ], + "qosClass": "Burstable", + "startTime": "2024-07-15T19:27:43Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "checksum/config": "9d9bced621e77ec20a9bf42da6b31a13ce3e48b53bb44c0e021e0bfe99128c73", + "checksum/sc-dashboard-provider-config": "e70bf6a851099d385178a76de9757bb0bef8299da6d8443602590e44f05fdf24", + "checksum/secret": "110ea712f39f96f61d507e11b774e2e0f90fce1d1cfa234a759ed7840ff7e238", + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "grafana", + "kubectl.kubernetes.io/default-logs-container": "grafana-sc-dashboard", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": "[\"require-non-root-user\",\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded" + }, + "creationTimestamp": "2024-07-15T19:27:52Z", + "generateName": "grafana-647c794798-", + "labels": { + "app.kubernetes.io/instance": "grafana", + "app.kubernetes.io/name": "grafana", + "pod-template-hash": "647c794798", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "grafana", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": "grafana-647c794798-w8nmq", + "namespace": "grafana", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "grafana-647c794798", + "uid": "f3b8df0e-6c56-4358-b027-54281acdeec5" + } + ], + "resourceVersion": "3535", + "uid": "2e22ddcc-e870-4423-8ffe-590060566326" + }, + "spec": { + "automountServiceAccountToken": true, + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"name\":\"grafana\",\"containerPort\":3000,\"protocol\":\"TCP\"}\n ,{\"name\":\"gossip-tcp\",\"containerPort\":9094,\"protocol\":\"TCP\"}\n ,{\"name\":\"gossip-udp\",\"containerPort\":9094,\"protocol\":\"UDP\"}\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "grafana-sc-dashboard,grafana-sc-datasources,grafana" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "grafana" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/grafana/deployments/grafana" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + }, + { + "name": "ISTIO_KUBE_APP_PROBERS", + "value": "{\"/app-health/grafana/livez\":{\"httpGet\":{\"path\":\"/api/health\",\"port\":3000,\"scheme\":\"HTTP\"},\"timeoutSeconds\":30},\"/app-health/grafana/readyz\":{\"httpGet\":{\"path\":\"/api/health\",\"port\":3000,\"scheme\":\"HTTP\"},\"timeoutSeconds\":1}}" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-fhzqj", + "readOnly": true + } + ] + }, + { + "env": [ + { + "name": "METHOD", + "value": "WATCH" + }, + { + "name": "LABEL", + "value": "grafana_dashboard" + }, + { + "name": "FOLDER", + "value": "/tmp/dashboards" + }, + { + "name": "RESOURCE", + "value": "both" + }, + { + "name": "NAMESPACE", + "value": "ALL" + }, + { + "name": "REQ_USERNAME", + "valueFrom": { + "secretKeyRef": { + "key": "admin-user", + "name": "grafana" + } + } + }, + { + "name": "REQ_PASSWORD", + "valueFrom": { + "secretKeyRef": { + "key": "admin-password", + "name": "grafana" + } + } + }, + { + "name": "REQ_URL", + "value": "http://localhost:3000/api/admin/provisioning/dashboards/reload" + }, + { + "name": "REQ_METHOD", + "value": "POST" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/k8s-sidecar-fips:1.27.4-zarf-132651805", + "imagePullPolicy": "IfNotPresent", + "name": "grafana-sc-dashboard", + "resources": {}, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "seccompProfile": { + "type": "RuntimeDefault" + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/tmp/dashboards", + "name": "sc-dashboard-volume" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-fhzqj", + "readOnly": true + } + ] + }, + { + "env": [ + { + "name": "METHOD", + "value": "WATCH" + }, + { + "name": "LABEL", + "value": "grafana_datasource" + }, + { + "name": "FOLDER", + "value": "/etc/grafana/provisioning/datasources" + }, + { + "name": "RESOURCE", + "value": "both" + }, + { + "name": "REQ_USERNAME", + "valueFrom": { + "secretKeyRef": { + "key": "admin-user", + "name": "grafana" + } + } + }, + { + "name": "REQ_PASSWORD", + "valueFrom": { + "secretKeyRef": { + "key": "admin-password", + "name": "grafana" + } + } + }, + { + "name": "REQ_URL", + "value": "http://localhost:3000/api/admin/provisioning/datasources/reload" + }, + { + "name": "REQ_METHOD", + "value": "POST" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/k8s-sidecar-fips:1.27.4-zarf-132651805", + "imagePullPolicy": "IfNotPresent", + "name": "grafana-sc-datasources", + "resources": {}, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "seccompProfile": { + "type": "RuntimeDefault" + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/grafana/provisioning/datasources", + "name": "sc-datasources-volume" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-fhzqj", + "readOnly": true + } + ] + }, + { + "env": [ + { + "name": "POD_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "GF_SECURITY_ADMIN_USER", + "valueFrom": { + "secretKeyRef": { + "key": "admin-user", + "name": "grafana" + } + } + }, + { + "name": "GF_SECURITY_ADMIN_PASSWORD", + "valueFrom": { + "secretKeyRef": { + "key": "admin-password", + "name": "grafana" + } + } + }, + { + "name": "GF_PATHS_DATA", + "value": "/var/lib/grafana/" + }, + { + "name": "GF_PATHS_LOGS", + "value": "/var/log/grafana" + }, + { + "name": "GF_PATHS_PLUGINS", + "value": "/var/lib/grafana/plugins" + }, + { + "name": "GF_PATHS_PROVISIONING", + "value": "/etc/grafana/provisioning" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/grafana-fips:11.1.0-zarf-4028590474", + "imagePullPolicy": "IfNotPresent", + "livenessProbe": { + "failureThreshold": 10, + "httpGet": { + "path": "/app-health/grafana/livez", + "port": 15020, + "scheme": "HTTP" + }, + "initialDelaySeconds": 60, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 30 + }, + "name": "grafana", + "ports": [ + { + "containerPort": 3000, + "name": "grafana", + "protocol": "TCP" + }, + { + "containerPort": 9094, + "name": "gossip-tcp", + "protocol": "TCP" + }, + { + "containerPort": 9094, + "name": "gossip-udp", + "protocol": "UDP" + } + ], + "readinessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/app-health/grafana/readyz", + "port": 15020, + "scheme": "HTTP" + }, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "resources": {}, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "seccompProfile": { + "type": "RuntimeDefault" + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/grafana/grafana.ini", + "name": "config", + "subPath": "grafana.ini" + }, + { + "mountPath": "/var/lib/grafana", + "name": "storage" + }, + { + "mountPath": "/tmp/dashboards", + "name": "sc-dashboard-volume" + }, + { + "mountPath": "/etc/grafana/provisioning/dashboards/sc-dashboardproviders.yaml", + "name": "sc-dashboard-provider", + "subPath": "provider.yaml" + }, + { + "mountPath": "/etc/grafana/provisioning/datasources", + "name": "sc-datasources-volume" + }, + { + "mountPath": "/etc/secrets/auth_generic_oauth", + "name": "auth-generic-oauth-secret-mount", + "readOnly": true + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-fhzqj", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-fhzqj", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "fsGroup": 472, + "runAsGroup": 472, + "runAsNonRoot": true, + "runAsUser": 472 + }, + "serviceAccount": "grafana", + "serviceAccountName": "grafana", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "configMap": { + "defaultMode": 420, + "name": "grafana" + }, + "name": "config" + }, + { + "emptyDir": {}, + "name": "storage" + }, + { + "emptyDir": {}, + "name": "sc-dashboard-volume" + }, + { + "configMap": { + "defaultMode": 420, + "name": "grafana-config-dashboards" + }, + "name": "sc-dashboard-provider" + }, + { + "emptyDir": {}, + "name": "sc-datasources-volume" + }, + { + "name": "auth-generic-oauth-secret-mount", + "secret": { + "defaultMode": 288, + "secretName": "sso-client-uds-core-admin-grafana" + } + }, + { + "name": "kube-api-access-fhzqj", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:28:01Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:28:01Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:28:09Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:28:09Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:27:52Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://884a0dd9ad6f9478686f4f15eb2cc44851f6ab681b8e9d0599e6046567c7693e", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/grafana-fips:11.1.0-zarf-4028590474", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/grafana-fips@sha256:a7cc925119dced9bc77019a738db07bdcfddd0b38eac36f4590a27dbbf5763bb", + "lastState": {}, + "name": "grafana", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:28:06Z" + } + } + }, + { + "containerID": "containerd://f798d9e35f707b90b8f0b5358d193ca8fd4af9d52907e1c6edb099874d9ac608", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/k8s-sidecar-fips:1.27.4-zarf-132651805", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/k8s-sidecar-fips@sha256:1cbdec9527ffe75aa3de0e03a6e8cabb81ca9f94768b5b83eb452787f6d366b4", + "lastState": {}, + "name": "grafana-sc-dashboard", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:28:03Z" + } + } + }, + { + "containerID": "containerd://242ae3d5d11f58a864adf3d378781f5e35235bc107b201f35ffbd95d7e3e7982", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/k8s-sidecar-fips:1.27.4-zarf-132651805", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/k8s-sidecar-fips@sha256:1cbdec9527ffe75aa3de0e03a6e8cabb81ca9f94768b5b83eb452787f6d366b4", + "lastState": {}, + "name": "grafana-sc-datasources", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:28:04Z" + } + } + }, + { + "containerID": "containerd://7c9514989ad600e18d8aef46cfc96b19967e35b21266337d1327fb35bc1def5e", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:28:01Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "initContainerStatuses": [ + { + "containerID": "containerd://85ae00c6ce13f8cc11729ebc19605a70e5195efa00466682d84a0fe381e71a09", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://85ae00c6ce13f8cc11729ebc19605a70e5195efa00466682d84a0fe381e71a09", + "exitCode": 0, + "finishedAt": "2024-07-15T19:28:00Z", + "reason": "Completed", + "startedAt": "2024-07-15T19:28:00Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.54", + "podIPs": [ + { + "ip": "10.42.0.54" + } + ], + "qosClass": "Burstable", + "startTime": "2024-07-15T19:27:52Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "checksum/init-configmap": "09739169a4cac1b76e349f92d75fe6b9900b484f897d017597195d07b8c25048", + "checksum/uds-sso-secret": "", + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "neuvector-controller-pod", + "kubectl.kubernetes.io/default-logs-container": "neuvector-controller-pod", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/uds-core-policies": "succeeded", + "uds-core.pepr.dev/uds-core-policies.DisallowPrivileged": "exempted", + "uds-core.pepr.dev/uds-core-policies.DropAllCapabilities": "exempted", + "uds-core.pepr.dev/uds-core-policies.RequireNonRootUser": "exempted", + "uds-core.pepr.dev/uds-core-policies.RestrictHostPathWrite": "exempted", + "uds-core.pepr.dev/uds-core-policies.RestrictVolumeTypes": "exempted" + }, + "creationTimestamp": "2024-07-15T19:28:37Z", + "generateName": "neuvector-controller-pod-5dccb6c44f-", + "labels": { + "app": "neuvector-controller-pod", + "pod-template-hash": "5dccb6c44f", + "release": "core", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "neuvector-controller-pod", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": "neuvector-controller-pod-5dccb6c44f-q9wqn", + "namespace": "neuvector", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "neuvector-controller-pod-5dccb6c44f", + "uid": "8e887e07-0945-4e20-ad12-b1c40f529e1a" + } + ], + "resourceVersion": "3926", + "uid": "e8e4f4ed-d1f9-44ba-91df-a4d59058d026" + }, + "spec": { + "affinity": { + "podAntiAffinity": { + "preferredDuringSchedulingIgnoredDuringExecution": [ + { + "podAffinityTerm": { + "labelSelector": { + "matchExpressions": [ + { + "key": "app", + "operator": "In", + "values": [ + "neuvector-controller-pod" + ] + } + ] + }, + "topologyKey": "kubernetes.io/hostname" + }, + "weight": 100 + } + ] + } + }, + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "neuvector-controller-pod" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "neuvector-controller-pod" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/neuvector/deployments/neuvector-controller-pod" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-cvrxs", + "readOnly": true + } + ] + }, + { + "env": [ + { + "name": "CLUSTER_JOIN_ADDR", + "value": "neuvector-svc-controller.neuvector" + }, + { + "name": "CLUSTER_ADVERTISED_ADDR", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "CLUSTER_BIND_ADDR", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "NO_DEFAULT_ADMIN", + "value": "1" + } + ], + "image": "127.0.0.1:31999/neuvector/controller:5.3.3-zarf-4157091163", + "imagePullPolicy": "IfNotPresent", + "name": "neuvector-controller-pod", + "readinessProbe": { + "exec": { + "command": [ + "cat", + "/tmp/ready" + ] + }, + "failureThreshold": 3, + "initialDelaySeconds": 5, + "periodSeconds": 5, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "resources": {}, + "securityContext": { + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/config", + "name": "config-volume", + "readOnly": true + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-cvrxs", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-cvrxs", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": {}, + "serviceAccount": "controller", + "serviceAccountName": "controller", + "terminationGracePeriodSeconds": 300, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "config-volume", + "projected": { + "defaultMode": 420, + "sources": [ + { + "configMap": { + "name": "neuvector-init", + "optional": true + } + }, + { + "secret": { + "name": "neuvector-init", + "optional": true + } + }, + { + "secret": { + "name": "neuvector-secret", + "optional": true + } + } + ] + } + }, + { + "name": "kube-api-access-cvrxs", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:28:38Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:28:38Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:28:52Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:28:52Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:28:37Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://9adc37b3be62e06e5fb876586ea41b936edca829a40c55f70edb78a6af4e6436", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:28:38Z" + } + } + }, + { + "containerID": "containerd://407913f08e9a8e27c17597d5444da17066dcc8dad799e47c85e2172942406f4b", + "image": "127.0.0.1:31999/neuvector/controller:5.3.3-zarf-4157091163", + "imageID": "127.0.0.1:31999/neuvector/controller@sha256:1102321e8ed5bd3aad26e3d2c3b9a3ddc5aa82c2949fc2600b9350c7e951950e", + "lastState": {}, + "name": "neuvector-controller-pod", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:28:40Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "initContainerStatuses": [ + { + "containerID": "containerd://2b63f034d6d41bc74ab16c64d251aab9f82676e985d31f4b6bff75431f705e64", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://2b63f034d6d41bc74ab16c64d251aab9f82676e985d31f4b6bff75431f705e64", + "exitCode": 0, + "finishedAt": "2024-07-15T19:28:38Z", + "reason": "Completed", + "startedAt": "2024-07-15T19:28:38Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.58", + "podIPs": [ + { + "ip": "10.42.0.58" + } + ], + "qosClass": "Burstable", + "startTime": "2024-07-15T19:28:37Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "checksum/secret": "79f899ac6a4a76b043e67e4b17b25dfdf1b899526953bf3015fc1b4e41123ee5", + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "velero", + "kubectl.kubernetes.io/default-logs-container": "velero", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": "[\"require-non-root-user\",\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded" + }, + "creationTimestamp": "2024-07-15T19:28:37Z", + "generateName": "velero-5544f6bfdf-", + "labels": { + "app.kubernetes.io/instance": "velero", + "app.kubernetes.io/managed-by": "Helm", + "app.kubernetes.io/name": "velero", + "helm.sh/chart": "velero-6.6.0", + "name": "velero", + "pod-template-hash": "5544f6bfdf", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "velero", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": "velero-5544f6bfdf-rbjj4", + "namespace": "velero", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "velero-5544f6bfdf", + "uid": "eb1ee6ba-4d83-4f93-80ee-08fef38f5f4b" + } + ], + "resourceVersion": "3957", + "uid": "a187ebae-282f-4dd2-8bb8-388a9f4c78d9" + }, + "spec": { + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"name\":\"http-monitoring\",\"containerPort\":8085,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "velero" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "velero" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/velero/deployments/velero" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + }, + { + "name": "ISTIO_KUBE_APP_PROBERS", + "value": "{\"/app-health/velero/livez\":{\"httpGet\":{\"path\":\"/metrics\",\"port\":8085,\"scheme\":\"HTTP\"},\"timeoutSeconds\":5},\"/app-health/velero/readyz\":{\"httpGet\":{\"path\":\"/metrics\",\"port\":8085,\"scheme\":\"HTTP\"},\"timeoutSeconds\":5}}" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-4pblb", + "readOnly": true + } + ] + }, + { + "args": [ + "server", + "--uploader-type=kopia" + ], + "command": [ + "/velero" + ], + "env": [ + { + "name": "VELERO_SCRATCH_DIR", + "value": "/scratch" + }, + { + "name": "VELERO_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "LD_LIBRARY_PATH", + "value": "/plugins" + }, + { + "name": "AWS_SHARED_CREDENTIALS_FILE", + "value": "/credentials/cloud" + }, + { + "name": "GOOGLE_APPLICATION_CREDENTIALS", + "value": "/credentials/cloud" + }, + { + "name": "AZURE_CREDENTIALS_FILE", + "value": "/credentials/cloud" + }, + { + "name": "ALIBABA_CLOUD_CREDENTIALS_FILE", + "value": "/credentials/cloud" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/velero-fips:1.13.2-dev-zarf-2406703094", + "imagePullPolicy": "IfNotPresent", + "livenessProbe": { + "failureThreshold": 5, + "httpGet": { + "path": "/app-health/velero/livez", + "port": 15020, + "scheme": "HTTP" + }, + "initialDelaySeconds": 10, + "periodSeconds": 30, + "successThreshold": 1, + "timeoutSeconds": 5 + }, + "name": "velero", + "ports": [ + { + "containerPort": 8085, + "name": "http-monitoring", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 5, + "httpGet": { + "path": "/app-health/velero/readyz", + "port": 15020, + "scheme": "HTTP" + }, + "initialDelaySeconds": 10, + "periodSeconds": 30, + "successThreshold": 1, + "timeoutSeconds": 5 + }, + "resources": { + "limits": { + "cpu": "1", + "memory": "512Mi" + }, + "requests": { + "cpu": "500m", + "memory": "128Mi" + } + }, + "securityContext": { + "capabilities": { + "drop": [ + "ALL" + ] + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/plugins", + "name": "plugins" + }, + { + "mountPath": "/credentials", + "name": "cloud-credentials" + }, + { + "mountPath": "/scratch", + "name": "scratch" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-4pblb", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "image": "127.0.0.1:31999/du-uds-defenseunicorns/velero-plugin-for-aws-fips:1.9.2-zarf-1238650474", + "imagePullPolicy": "IfNotPresent", + "name": "velero-plugin-for-aws", + "resources": {}, + "securityContext": { + "capabilities": { + "drop": [ + "ALL" + ] + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/target", + "name": "plugins" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-4pblb", + "readOnly": true + } + ] + }, + { + "image": "127.0.0.1:31999/du-uds-defenseunicorns/velero-plugin-for-csi-fips:0.7.1-zarf-1576226041", + "imagePullPolicy": "IfNotPresent", + "name": "velero-plugin-for-csi", + "resources": {}, + "securityContext": { + "capabilities": { + "drop": [ + "ALL" + ] + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/target", + "name": "plugins" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-4pblb", + "readOnly": true + } + ] + }, + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-4pblb", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "runAsGroup": 1000, + "runAsNonRoot": true, + "runAsUser": 1000 + }, + "serviceAccount": "velero-server", + "serviceAccountName": "velero-server", + "terminationGracePeriodSeconds": 3600, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "cloud-credentials", + "secret": { + "defaultMode": 420, + "secretName": "velero-bucket-credentials" + } + }, + { + "emptyDir": {}, + "name": "plugins" + }, + { + "emptyDir": {}, + "name": "scratch" + }, + { + "name": "kube-api-access-4pblb", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:28:39Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:28:43Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:29:08Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:29:08Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:28:37Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://0553bff815c4a98eb8ede35f0ffea37db5707f0484dc4a4d0c8d94d1246ee7db", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:28:43Z" + } + } + }, + { + "containerID": "containerd://78c6584d1d096b18c088381b6bff9d659da2795b0e67f1324ce48b6ed7208dc9", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/velero-fips:1.13.2-dev-zarf-2406703094", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/velero-fips@sha256:f955947ebf2fe14f383cb165bb7f1f198c482c24430f74eb3a11d112985f6c3e", + "lastState": {}, + "name": "velero", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:28:45Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "initContainerStatuses": [ + { + "containerID": "containerd://ad108658f6297f9cc0a8023e51091d382796554f0ba5053245bf6b739db6b46e", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/velero-plugin-for-aws-fips:1.9.2-zarf-1238650474", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/velero-plugin-for-aws-fips@sha256:0da93d5ded960d04f7de0cd0150c564db7451ce829e7eedb86df54a6f50b7630", + "lastState": {}, + "name": "velero-plugin-for-aws", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://ad108658f6297f9cc0a8023e51091d382796554f0ba5053245bf6b739db6b46e", + "exitCode": 0, + "finishedAt": "2024-07-15T19:28:39Z", + "reason": "Completed", + "startedAt": "2024-07-15T19:28:39Z" + } + } + }, + { + "containerID": "containerd://bc7398d6f12401ddea02369993c450f97070f08d2dbc58e739ab6fd80aebf8b2", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/velero-plugin-for-csi-fips:0.7.1-zarf-1576226041", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/velero-plugin-for-csi-fips@sha256:42d2c96c5a9506da4fbd8ce7c60a21a33af604548276f037ab37af99383958a2", + "lastState": {}, + "name": "velero-plugin-for-csi", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://bc7398d6f12401ddea02369993c450f97070f08d2dbc58e739ab6fd80aebf8b2", + "exitCode": 0, + "finishedAt": "2024-07-15T19:28:41Z", + "reason": "Completed", + "startedAt": "2024-07-15T19:28:41Z" + } + } + }, + { + "containerID": "containerd://091280b8cf47abd1fe82bbf2b22c519ea4f07c95c4de8a6b6751162a1c7a74a8", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://091280b8cf47abd1fe82bbf2b22c519ea4f07c95c4de8a6b6751162a1c7a74a8", + "exitCode": 0, + "finishedAt": "2024-07-15T19:28:42Z", + "reason": "Completed", + "startedAt": "2024-07-15T19:28:42Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.59", + "podIPs": [ + { + "ip": "10.42.0.59" + } + ], + "qosClass": "Burstable", + "startTime": "2024-07-15T19:28:37Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "authservice", + "kubectl.kubernetes.io/default-logs-container": "authservice", + "pepr.dev/checksum": "dc8636e6149a3c60f2325a2e1abc389fe76b73ffc99c901ac1c3d52908869050", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": "[\"require-non-root-user\",\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded" + }, + "creationTimestamp": "2024-07-15T19:30:43Z", + "generateName": "authservice-c984c4c8c-", + "labels": { + "app.kubernetes.io/instance": "authservice", + "app.kubernetes.io/name": "authservice", + "pod-template-hash": "c984c4c8c", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "authservice", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": "authservice-c984c4c8c-lxqp9", + "namespace": "authservice", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "authservice-c984c4c8c", + "uid": "1f65225f-7758-44b8-bc15-31bb1fe1d5a9" + } + ], + "resourceVersion": "4707", + "uid": "40504f16-50d3-41b2-805c-74a8f3280748" + }, + "spec": { + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"name\":\"http\",\"containerPort\":10003,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "authservice" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "authservice" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/authservice/deployments/authservice" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + }, + { + "name": "ISTIO_KUBE_APP_PROBERS", + "value": "{\"/app-health/authservice/livez\":{\"tcpSocket\":{\"port\":10003},\"timeoutSeconds\":1},\"/app-health/authservice/readyz\":{\"tcpSocket\":{\"port\":10003},\"timeoutSeconds\":1}}" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-8mrrg", + "readOnly": true + } + ] + }, + { + "image": "127.0.0.1:31999/du-uds-defenseunicorns/authservice-fips:1.0.1-zarf-2913600038", + "imagePullPolicy": "IfNotPresent", + "livenessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/app-health/authservice/livez", + "port": 15020, + "scheme": "HTTP" + }, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "name": "authservice", + "ports": [ + { + "containerPort": 10003, + "name": "http", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/app-health/authservice/readyz", + "port": 15020, + "scheme": "HTTP" + }, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "resources": {}, + "securityContext": { + "capabilities": { + "drop": [ + "ALL" + ] + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/authservice", + "name": "authservice" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-8mrrg", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-8mrrg", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "runAsGroup": 1000, + "runAsNonRoot": true, + "runAsUser": 1000 + }, + "serviceAccount": "default", + "serviceAccountName": "default", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "authservice", + "secret": { + "defaultMode": 420, + "secretName": "authservice-uds" + } + }, + { + "name": "kube-api-access-8mrrg", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:30:44Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:30:44Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:30:47Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:30:47Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:30:43Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://a924c662f7796cffa8eb19e9f8f4d7720a1fb6ba3b754bc8d5b5b494b2370be0", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/authservice-fips:1.0.1-zarf-2913600038", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/authservice-fips@sha256:77c447525dc934e592fc753050039e8a990110a58077889653c1f40351b90fb2", + "lastState": {}, + "name": "authservice", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:30:46Z" + } + } + }, + { + "containerID": "containerd://1f21cfec03f93c53bb3fe1f15f074e18d331a759e1ee6e7e5a0184e874389953", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:30:44Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "initContainerStatuses": [ + { + "containerID": "containerd://7cc5767fdcb3d285d786d893b4609ed1f7df1a2b306c6b5d16d17028598aff27", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://7cc5767fdcb3d285d786d893b4609ed1f7df1a2b306c6b5d16d17028598aff27", + "exitCode": 0, + "finishedAt": "2024-07-15T19:30:44Z", + "reason": "Completed", + "startedAt": "2024-07-15T19:30:44Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.68", + "podIPs": [ + { + "ip": "10.42.0.68" + } + ], + "qosClass": "Burstable", + "startTime": "2024-07-15T19:30:43Z" + } + } + ] +} \ No newline at end of file diff --git a/compliance/validations/istio/all-pods-istio-injected/tests.yaml b/compliance/validations/istio/all-pods-istio-injected/tests.yaml new file mode 100644 index 000000000..d468d39e2 --- /dev/null +++ b/compliance/validations/istio/all-pods-istio-injected/tests.yaml @@ -0,0 +1,25 @@ +pass: + - test: default + validation: validation.yaml + resources: resources.json + expected-validation: true + - test: grafana-pods-no-istio-proxy + validation: validation.yaml + resources: resources.json + permutation: '.pods |= map(if .metadata.namespace == "grafana" then .spec.containers |= map(select(.name != "istio-proxy")) else . end)' + expected-validation: false + - test: grafana-pods-istio-proxy-incorrect-name + validation: validation.yaml + resources: resources.json + permutation: '.pods |= map(if .metadata.namespace == "grafana" then .spec.containers |= map(if .name == "istio-proxy" then .name = "different-name" else . end) else . end)' + expected-validation: false + - test: grafana-pods-istio-init-incorrect-name + validation: validation.yaml + resources: resources.json + permutation: '.pods |= map(if .metadata.namespace == "grafana" then .spec.initContainers |= map(if .name == "istio-init" then .name = "different-name" else . end) else . end)' + expected-validation: false + - test: grafana-pods-no-annotation + validation: validation.yaml + resources: resources.json + permutation: '.pods |= map(if .metadata.namespace == "grafana" then .metadata.annotations = {} else . end)' + expected-validation: false diff --git a/compliance/validations/istio/all-pods-istio-injected/validation.yaml b/compliance/validations/istio/all-pods-istio-injected/validation.yaml new file mode 100644 index 000000000..e6881d7e0 --- /dev/null +++ b/compliance/validations/istio/all-pods-istio-injected/validation.yaml @@ -0,0 +1,66 @@ +metadata: + name: all-pods-istio-injected + uuid: 1761ac07-80dd-47d2-947e-09f67943b986 +domain: + type: kubernetes + kubernetes-spec: + resources: + - name: pods + resource-rule: + version: v1 + resource: pods + namespaces: [] +provider: + type: opa + opa-spec: + rego: | + package validate + import rego.v1 + + # Default policy result + default validate := false + default msg := "Not evaluated" + + exempt_namespaces := {"kube-system", "istio-system", "uds-dev-stack", "zarf", "istio-admin-gateway", "istio-tenant-gateway", "istio-passthrough-gateway"} + msg_exempt_namespaces = concat(", ", exempt_namespaces) + + validate if { + has_istio_sidecar.result + } + msg = has_istio_sidecar.msg + + # Check for sidecar and init containers in pod spec + no_sidecar = [sprintf("%s/%s", [pod.metadata.namespace, pod.metadata.name]) | pod := input.pods[_]; not has_sidecar(pod); not is_exempt(pod)] + + has_istio_sidecar = {"result": true, "msg": msg} if { + count(no_sidecar) == 0 + msg := "All pods have Istio sidecar proxy." + } else = {"result": false, "msg": msg} if { + msg := sprintf("Istio sidecar proxy not found in pods: %s.", [concat(", ", no_sidecar)]) + } + + has_sidecar(pod) if { + status := pod.metadata.annotations["sidecar.istio.io/status"] + containers := json.unmarshal(status).containers + initContainers := json.unmarshal(status).initContainers + + has_container_name(pod.spec.containers, containers) + has_container_name(pod.spec.initContainers, initContainers) + } else = false + + has_container_name(containers, names) if { + every name in names { + containers[_].name == name + } + } else = true if { + names == null + } else = false + + is_exempt(pod) if { + pod.metadata.namespace in exempt_namespaces + } + output: + validation: validate.validate + observations: + - validate.msg + - validate.msg_exempt_namespaces diff --git a/compliance/validations/istio/authorization-policies-require-authentication-DEPRECATED/README.md b/compliance/validations/istio/authorization-policies-require-authentication-DEPRECATED/README.md new file mode 100644 index 000000000..163b7f15c --- /dev/null +++ b/compliance/validations/istio/authorization-policies-require-authentication-DEPRECATED/README.md @@ -0,0 +1,9 @@ +# README.md + +**NAME** - istio-authorization-policies-require-authentication + +**INPUT** - Collects the AuthorizationPolicy named `jwt-authz` in the `istio-system` namespace. + +**POLICY** - Checks that the AuthorizationPolicy requires authentication by ensuring that `requestPrincipals` is defined and the `selector.protect` label is set to `keycloak`. + +**NOTES** - Ensure that the AuthorizationPolicy exists and is correctly configured to require authentication for Keycloak. \ No newline at end of file diff --git a/compliance/validations/istio/authorization-policies-require-authentication-DEPRECATED/resources.json b/compliance/validations/istio/authorization-policies-require-authentication-DEPRECATED/resources.json new file mode 100644 index 000000000..c22469b0f --- /dev/null +++ b/compliance/validations/istio/authorization-policies-require-authentication-DEPRECATED/resources.json @@ -0,0 +1,41 @@ +{ + "authorizationPolicy": { + "apiVersion": "security.istio.io/v1beta1", + "kind": "AuthorizationPolicy", + "metadata": { + "annotations": { + "meta.helm.sh/release-name": "authservice", + "meta.helm.sh/release-namespace": "authservice" + }, + "creationTimestamp": "2024-04-22T14:10:05Z", + "generation": 1, + "labels": { + "app.kubernetes.io/managed-by": "Helm" + }, + "name": "jwt-authz", + "namespace": "istio-system", + "resourceVersion": "3753", + "uid": "be533399-3b67-4dbd-a6c3-97d21cae7360" + }, + "spec": { + "rules": [ + { + "from": [ + { + "source": { + "requestPrincipals": [ + "https://login.uds.dev/auth/realms/doug/*" + ] + } + } + ] + } + ], + "selector": { + "matchLabels": { + "protect": "keycloak" + } + } + } + } +} \ No newline at end of file diff --git a/compliance/validations/istio/authorization-policies-require-authentication-DEPRECATED/tests.yaml b/compliance/validations/istio/authorization-policies-require-authentication-DEPRECATED/tests.yaml new file mode 100644 index 000000000..17d3581a9 --- /dev/null +++ b/compliance/validations/istio/authorization-policies-require-authentication-DEPRECATED/tests.yaml @@ -0,0 +1,20 @@ +pass: + - test: default + validation: validation.yaml + resources: resources.json + expected-validation: true + - test: change-protect-label + validation: validation.yaml + resources: resources.json + permutation: .authorizationPolicy.spec.selector.matchLabels.protect = "other" + expected-validation: false + - test: remove-requestPrincipals + validation: validation.yaml + resources: resources.json + permutation: del(.authorizationPolicy.spec.rules[0].from[0].source.requestPrincipals) + expected-validation: false + - test: remove-authorizationPolicy + validation: validation.yaml + resources: resources.json + permutation: del(.authorizationPolicy) + expected-validation: false diff --git a/compliance/validations/istio/authorization-policies-require-authentication-DEPRECATED/validation.yaml b/compliance/validations/istio/authorization-policies-require-authentication-DEPRECATED/validation.yaml new file mode 100644 index 000000000..d4abe2920 --- /dev/null +++ b/compliance/validations/istio/authorization-policies-require-authentication-DEPRECATED/validation.yaml @@ -0,0 +1,47 @@ +metadata: + name: istio-authorization-policies-require-authentication + uuid: e38c0695-10f6-40b6-b246-fa58b26ccd25 +domain: + type: kubernetes + kubernetes-spec: + resources: + - name: authorizationPolicy + resource-rule: + name: jwt-authz + group: security.istio.io + namespaces: ["istio-system"] + resource: authorizationpolicies + version: v1beta1 +provider: + type: opa + opa-spec: + output: + observations: + - validate.msg + validation: validate.validate + rego: | + package validate + + # Default policy result + default validate = false + default msg = "Authorization Policies do not require authentication" + + # Evaluation for Istio Authorization Policies + validate { + result_auth_policy.result + } + + msg = result_auth_policy.msg + + result_auth_policy = {"result": true, "msg": msg} { + # Check that authorization policy exists and require authentication + input.authorizationPolicy.kind == "AuthorizationPolicy" + + # "require authentication" is defined as having requestPrincipals defined + # and the selector.protect label is set to "keycloak" + input.authorizationPolicy.spec.rules[_].from[_].source.requestPrincipals != null + input.authorizationPolicy.spec.selector.matchLabels.protect == "keycloak" + msg := "Authorization Policy requires authentication for keycloak" + } else = {"result": false, "msg": msg} { + msg := "Authorization Policy does not require authentication" + } diff --git a/compliance/validations/istio/authorized-keycloak-access/README.md b/compliance/validations/istio/authorized-keycloak-access/README.md new file mode 100644 index 000000000..17fb7f3b4 --- /dev/null +++ b/compliance/validations/istio/authorized-keycloak-access/README.md @@ -0,0 +1,9 @@ +# README.md + +**NAME** - istio-enforces-authorized-keycloak-access + +**INPUT** - Collects the AuthorizationPolicy named `keycloak-block-admin-access-from-public-gateway` in the `keycloak` namespace. + +**POLICY** - Checks that the AuthorizationPolicy restricts access to Keycloak admin by denying access from sources not in the `istio-admin-gateway` namespace to paths `/admin*` and `/realms/master*` on port `8080`. + +**NOTES** - Ensure that the AuthorizationPolicy exists and is correctly configured to deny access to Keycloak admin as specified. \ No newline at end of file diff --git a/compliance/validations/istio/authorized-keycloak-access/resources.json b/compliance/validations/istio/authorized-keycloak-access/resources.json new file mode 100644 index 000000000..38eaff7fa --- /dev/null +++ b/compliance/validations/istio/authorized-keycloak-access/resources.json @@ -0,0 +1,132 @@ +{ + "authorizationPolicy": { + "apiVersion": "security.istio.io/v1beta1", + "kind": "AuthorizationPolicy", + "metadata": { + "annotations": { + "meta.helm.sh/release-name": "keycloak", + "meta.helm.sh/release-namespace": "keycloak" + }, + "creationTimestamp": "2024-08-05T13:42:55Z", + "generation": 1, + "labels": { + "app.kubernetes.io/managed-by": "Helm" + }, + "name": "keycloak-block-admin-access-from-public-gateway", + "namespace": "keycloak", + "resourceVersion": "1683", + "uid": "d479e061-abbd-4a05-8450-90939bc7497f" + }, + "spec": { + "action": "DENY", + "rules": [ + { + "from": [ + { + "source": { + "notNamespaces": [ + "istio-admin-gateway" + ] + } + } + ], + "to": [ + { + "operation": { + "paths": [ + "/admin*", + "/realms/master*" + ], + "ports": [ + "8080" + ] + } + } + ] + }, + { + "from": [ + { + "source": { + "notNamespaces": [ + "istio-admin-gateway", + "monitoring" + ] + } + } + ], + "to": [ + { + "operation": { + "paths": [ + "/metrics*" + ], + "ports": [ + "8080" + ] + } + } + ] + }, + { + "from": [ + { + "source": { + "notNamespaces": [ + "pepr-system" + ] + } + } + ], + "to": [ + { + "operation": { + "paths": [ + "/realms/uds/clients-registrations/*" + ], + "ports": [ + "8080" + ] + } + } + ] + }, + { + "from": [ + { + "source": { + "notNamespaces": [ + "istio-tenant-gateway", + "istio-admin-gateway" + ] + } + } + ], + "to": [ + { + "operation": { + "ports": [ + "8080" + ] + } + } + ], + "when": [ + { + "key": "request.headers[istio-mtls-client-certificate]", + "values": [ + "*" + ] + } + ] + } + ], + "selector": { + "matchLabels": { + "app.kubernetes.io/instance": "keycloak", + "app.kubernetes.io/name": "keycloak" + } + } + } + } +} \ No newline at end of file diff --git a/compliance/validations/istio/authorized-keycloak-access/tests.yaml b/compliance/validations/istio/authorized-keycloak-access/tests.yaml new file mode 100644 index 000000000..c2ffc31ec --- /dev/null +++ b/compliance/validations/istio/authorized-keycloak-access/tests.yaml @@ -0,0 +1,15 @@ +pass: + - test: default + validation: validation.yaml + resources: resources.json + expected-validation: true + - test: remove-auth-rules + validation: validation.yaml + resources: resources.json + permutation: "del(.authorizationPolicy.spec.rules)" + expected-validation: false + - test: add-not-namespaces + validation: validation.yaml + resources: resources.json + permutation: '(.authorizationPolicy.spec.rules[] | .from[] | .source.notNamespaces) |= . + ["test-ns"]' + expected-validation: false diff --git a/compliance/validations/istio/authorized-keycloak-access/validation.yaml b/compliance/validations/istio/authorized-keycloak-access/validation.yaml new file mode 100644 index 000000000..b59e82453 --- /dev/null +++ b/compliance/validations/istio/authorized-keycloak-access/validation.yaml @@ -0,0 +1,72 @@ +metadata: + name: istio-enforces-authorized-keycloak-access + uuid: fbd877c8-d6b6-4d88-8685-2c4aaaab02a1 +domain: + type: kubernetes + kubernetes-spec: + resources: + - name: authorizationPolicy + resource-rule: + name: keycloak-block-admin-access-from-public-gateway + group: security.istio.io + resource: authorizationpolicies + namespaces: [keycloak] + version: v1beta1 +provider: + type: opa + opa-spec: + rego: | + package validate + import rego.v1 + + # Default policy result + default validate := false + default msg := "Not evaluated" + + # Validate both AuthorizationPolicy restricts access to Keycloak admin + validate if { + check_auth_policy_for_keycloak_admin_access.result + } + + msg = check_auth_policy_for_keycloak_admin_access.msg + + check_auth_policy_for_keycloak_admin_access = {"result": true, "msg": msg} if { + input.authorizationPolicy.kind == "AuthorizationPolicy" + valid_auth_policy(input.authorizationPolicy) + msg := "AuthorizationPolicy restricts access to Keycloak admin." + } else = {"result": false, "msg": msg} if { + msg := "AuthorizationPolicy does not restrict access to Keycloak admin." + } + + # Define the rule for denying access + expected_keycloak_admin_denial_rule := { + "from": [ + { + "source": { + "notNamespaces": ["istio-admin-gateway"] + } + } + ], + "to": [ + { + "operation": { + "ports": ["8080"], + "paths": ["/admin*", "/realms/master*"] + } + } + ] + } + + # Validate that the authorization policy contains the expected first rule + valid_auth_policy(ap) if { + ap.spec.action == "DENY" + rules := ap.spec.rules + + # Ensure the expected rule is present in the input policy + some i + rules[i] == expected_keycloak_admin_denial_rule + } + output: + validation: validate.validate + observations: + - validate.msg diff --git a/compliance/validations/istio/authorized-traffic-egress/README.md b/compliance/validations/istio/authorized-traffic-egress/README.md new file mode 100644 index 000000000..6b9d57715 --- /dev/null +++ b/compliance/validations/istio/authorized-traffic-egress/README.md @@ -0,0 +1,9 @@ +# README.md + +**NAME** - authorized-traffic-egress-PLACEHOLDER + +**INPUT** - This validation currently does not specify any input resources. + +**POLICY** - This policy currently does not specify any validation logic. + +**NOTES** - This validation is a placeholder and needs to be updated with specific resources and validation logic. \ No newline at end of file diff --git a/compliance/validations/istio/authorized-traffic-egress/validation.yaml b/compliance/validations/istio/authorized-traffic-egress/validation.yaml new file mode 100644 index 000000000..0a997e887 --- /dev/null +++ b/compliance/validations/istio/authorized-traffic-egress/validation.yaml @@ -0,0 +1,14 @@ +metadata: + name: authorized-traffic-egress-PLACEHOLDER + uuid: 7455f86d-b79c-4226-9ce3-f3fb7d9348c8 +domain: + type: kubernetes + kubernetes-spec: + resources: [] +provider: + type: opa + opa-spec: + rego: | + package validate + + default validate := false diff --git a/compliance/validations/istio/check-istio-admin-gateway-and-usage/README.md b/compliance/validations/istio/check-istio-admin-gateway-and-usage/README.md new file mode 100644 index 000000000..c3f39c8f7 --- /dev/null +++ b/compliance/validations/istio/check-istio-admin-gateway-and-usage/README.md @@ -0,0 +1,9 @@ +# README.md + +**NAME** - check-istio-admin-gateway-and-usage + +**INPUT** - This validation collects the `admin-gateway` from the `istio-admin-gateway` namespace and all `virtualservices` from all namespaces. + +**POLICY** - This policy checks if the `admin-gateway` exists in the `istio-admin-gateway` namespace and verifies that all admin virtual services are using the admin gateway. + +**NOTES** - Ensure that the `admin-gateway` is correctly set up in the `istio-admin-gateway` namespace. The policy specifically looks for virtual services with names containing "admin" to be using the admin gateway. \ No newline at end of file diff --git a/compliance/validations/istio/check-istio-admin-gateway-and-usage/resources.json b/compliance/validations/istio/check-istio-admin-gateway-and-usage/resources.json new file mode 100644 index 000000000..5ee7e41f1 --- /dev/null +++ b/compliance/validations/istio/check-istio-admin-gateway-and-usage/resources.json @@ -0,0 +1,546 @@ +{ + "adminGateway": { + "apiVersion": "networking.istio.io/v1beta1", + "kind": "Gateway", + "metadata": { + "annotations": { + "meta.helm.sh/release-name": "uds-istio-config", + "meta.helm.sh/release-namespace": "istio-admin-gateway" + }, + "creationTimestamp": "2024-04-22T14:04:26Z", + "generation": 1, + "labels": { + "app.kubernetes.io/managed-by": "Helm" + }, + "name": "admin-gateway", + "namespace": "istio-admin-gateway", + "resourceVersion": "1196", + "uid": "7dbddd10-c3ca-45d5-9377-f99bfd819a2c" + }, + "spec": { + "selector": { + "app": "admin-ingressgateway" + }, + "servers": [ + { + "hosts": [ + "*.admin.uds.dev" + ], + "port": { + "name": "http-admin", + "number": 80, + "protocol": "HTTP" + }, + "tls": { + "httpsRedirect": true + } + }, + { + "hosts": [ + "*.admin.uds.dev" + ], + "port": { + "name": "https-admin", + "number": 443, + "protocol": "HTTPS" + }, + "tls": { + "credentialName": "gateway-tls", + "minProtocolVersion": "TLSV1_3", + "mode": "SIMPLE" + } + }, + { + "hosts": [ + "keycloak.admin.uds.dev" + ], + "port": { + "name": "http-keycloak", + "number": 80, + "protocol": "HTTP" + }, + "tls": { + "httpsRedirect": true + } + }, + { + "hosts": [ + "keycloak.admin.uds.dev" + ], + "port": { + "name": "https-keycloak", + "number": 443, + "protocol": "HTTPS" + }, + "tls": { + "credentialName": "gateway-tls", + "minProtocolVersion": "TLSV1_3", + "mode": "OPTIONAL_MUTUAL" + } + } + ] + } + }, + "virtualServices": [ + { + "apiVersion": "networking.istio.io/v1beta1", + "kind": "VirtualService", + "metadata": { + "creationTimestamp": "2024-04-22T14:05:22Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "keycloak" + }, + "name": "keycloak-tenant-remove-private-paths-from-public-gateway", + "namespace": "keycloak", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "keycloak", + "uid": "9310f8a4-d575-4fe9-bcc5-f00ba5abe9d2" + } + ], + "resourceVersion": "1702", + "uid": "e4ff9458-0a7c-4723-9c51-b51568a6a277" + }, + "spec": { + "gateways": [ + "istio-tenant-gateway/tenant-gateway" + ], + "hosts": [ + "sso.uds.dev" + ], + "http": [ + { + "headers": { + "request": { + "add": { + "istio-mtls-client-certificate": "%DOWNSTREAM_PEER_CERT%" + }, + "remove": [ + "istio-mtls-client-certificate" + ] + } + }, + "match": [ + { + "name": "redirect-welcome", + "uri": { + "exact": "/" + } + }, + { + "name": "redirect-admin", + "uri": { + "prefix": "/admin" + } + }, + { + "name": "redirect-master-realm", + "uri": { + "prefix": "/realms/master" + } + }, + { + "name": "redirect-metrics", + "uri": { + "prefix": "/metrics" + } + } + ], + "rewrite": { + "uri": "/realms/uds/account" + }, + "route": [ + { + "destination": { + "host": "keycloak-http.keycloak.svc.cluster.local", + "port": { + "number": 8080 + } + } + } + ] + } + ] + } + }, + { + "apiVersion": "networking.istio.io/v1beta1", + "kind": "VirtualService", + "metadata": { + "creationTimestamp": "2024-04-22T14:05:22Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "keycloak" + }, + "name": "keycloak-tenant-public-auth-access-with-optional-client-certificate", + "namespace": "keycloak", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "keycloak", + "uid": "9310f8a4-d575-4fe9-bcc5-f00ba5abe9d2" + } + ], + "resourceVersion": "1703", + "uid": "8355e39e-79b8-4bb8-b5fc-6d4e5f72c8a4" + }, + "spec": { + "gateways": [ + "istio-tenant-gateway/tenant-gateway" + ], + "hosts": [ + "sso.uds.dev" + ], + "http": [ + { + "headers": { + "request": { + "add": { + "istio-mtls-client-certificate": "%DOWNSTREAM_PEER_CERT%" + }, + "remove": [ + "istio-mtls-client-certificate" + ] + } + }, + "route": [ + { + "destination": { + "host": "keycloak-http.keycloak.svc.cluster.local", + "port": { + "number": 8080 + } + } + } + ] + } + ] + } + }, + { + "apiVersion": "networking.istio.io/v1beta1", + "kind": "VirtualService", + "metadata": { + "creationTimestamp": "2024-04-22T14:05:22Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "keycloak" + }, + "name": "keycloak-admin-admin-access-with-optional-client-certificate", + "namespace": "keycloak", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "keycloak", + "uid": "9310f8a4-d575-4fe9-bcc5-f00ba5abe9d2" + } + ], + "resourceVersion": "1704", + "uid": "100da481-a5a8-4a87-82a7-35163d0f7a10" + }, + "spec": { + "gateways": [ + "istio-admin-gateway/admin-gateway" + ], + "hosts": [ + "keycloak.admin.uds.dev" + ], + "http": [ + { + "headers": { + "request": { + "add": { + "istio-mtls-client-certificate": "%DOWNSTREAM_PEER_CERT%" + }, + "remove": [ + "istio-mtls-client-certificate" + ] + } + }, + "route": [ + { + "destination": { + "host": "keycloak-http.keycloak.svc.cluster.local", + "port": { + "number": 8080 + } + } + } + ] + } + ] + } + }, + { + "apiVersion": "networking.istio.io/v1beta1", + "kind": "VirtualService", + "metadata": { + "creationTimestamp": "2024-04-22T14:05:22Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "keycloak" + }, + "name": "keycloak-tenant-emulate-gitlab-authorize-endpoint", + "namespace": "keycloak", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "keycloak", + "uid": "9310f8a4-d575-4fe9-bcc5-f00ba5abe9d2" + } + ], + "resourceVersion": "1706", + "uid": "45ad1fa8-b4b2-47f6-8d27-b3711f500ecd" + }, + "spec": { + "gateways": [ + "istio-tenant-gateway/tenant-gateway" + ], + "hosts": [ + "sso.uds.dev" + ], + "http": [ + { + "match": [ + { + "name": "gitlab-authorize", + "uri": { + "prefix": "/oauth/authorize" + } + } + ], + "rewrite": { + "uri": "/realms/uds/protocol/openid-connect/auth" + }, + "route": [ + { + "destination": { + "host": "keycloak-http.keycloak.svc.cluster.local", + "port": { + "number": 8080 + } + } + } + ] + } + ] + } + }, + { + "apiVersion": "networking.istio.io/v1beta1", + "kind": "VirtualService", + "metadata": { + "creationTimestamp": "2024-04-22T14:05:22Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "keycloak" + }, + "name": "keycloak-tenant-emulate-gitlab-user-endpoint", + "namespace": "keycloak", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "keycloak", + "uid": "9310f8a4-d575-4fe9-bcc5-f00ba5abe9d2" + } + ], + "resourceVersion": "1710", + "uid": "cead5510-3501-4605-bbb0-c2c05dc56702" + }, + "spec": { + "gateways": [ + "istio-tenant-gateway/tenant-gateway" + ], + "hosts": [ + "sso.uds.dev" + ], + "http": [ + { + "match": [ + { + "name": "gitlab-user", + "uri": { + "prefix": "/api/v4/user" + } + } + ], + "rewrite": { + "uri": "/realms/uds/protocol/openid-connect/userinfo" + }, + "route": [ + { + "destination": { + "host": "keycloak-http.keycloak.svc.cluster.local", + "port": { + "number": 8080 + } + } + } + ] + } + ] + } + }, + { + "apiVersion": "networking.istio.io/v1beta1", + "kind": "VirtualService", + "metadata": { + "creationTimestamp": "2024-04-22T14:05:22Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "keycloak" + }, + "name": "keycloak-tenant-emulate-gitlab-token-endpoint", + "namespace": "keycloak", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "keycloak", + "uid": "9310f8a4-d575-4fe9-bcc5-f00ba5abe9d2" + } + ], + "resourceVersion": "1711", + "uid": "53f44ca4-2a3d-4053-9c25-7ddc3e1213f4" + }, + "spec": { + "gateways": [ + "istio-tenant-gateway/tenant-gateway" + ], + "hosts": [ + "sso.uds.dev" + ], + "http": [ + { + "match": [ + { + "name": "gitlab-token", + "uri": { + "prefix": "/oauth/token" + } + } + ], + "rewrite": { + "uri": "/realms/uds/protocol/openid-connect/token" + }, + "route": [ + { + "destination": { + "host": "keycloak-http.keycloak.svc.cluster.local", + "port": { + "number": 8080 + } + } + } + ] + } + ] + } + }, + { + "apiVersion": "networking.istio.io/v1beta1", + "kind": "VirtualService", + "metadata": { + "creationTimestamp": "2024-04-22T14:06:37Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "neuvector" + }, + "name": "neuvector-admin-neuvector-8443-neuvector-service-webui", + "namespace": "neuvector", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "neuvector", + "uid": "e5021367-f25b-466f-93a1-19a6419ebafa" + } + ], + "resourceVersion": "1941", + "uid": "b647739b-571a-44e5-a90a-14156f910572" + }, + "spec": { + "gateways": [ + "istio-admin-gateway/admin-gateway" + ], + "hosts": [ + "neuvector.admin.uds.dev" + ], + "http": [ + { + "route": [ + { + "destination": { + "host": "neuvector-service-webui.neuvector.svc.cluster.local", + "port": { + "number": 8443 + } + } + } + ] + } + ] + } + }, + { + "apiVersion": "networking.istio.io/v1beta1", + "kind": "VirtualService", + "metadata": { + "creationTimestamp": "2024-04-22T14:09:45Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "grafana" + }, + "name": "grafana-admin-grafana-80-grafana", + "namespace": "grafana", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "grafana", + "uid": "5e00957e-acfd-453d-82eb-c4fae4252660" + } + ], + "resourceVersion": "3622", + "uid": "e1805572-9271-4e48-9e26-a1f84ac78a09" + }, + "spec": { + "gateways": [ + "istio-admin-gateway/admin-gateway" + ], + "hosts": [ + "grafana.admin.uds.dev" + ], + "http": [ + { + "route": [ + { + "destination": { + "host": "grafana.grafana.svc.cluster.local", + "port": { + "number": 80 + } + } + } + ] + } + ] + } + } + ] +} \ No newline at end of file diff --git a/compliance/validations/istio/check-istio-admin-gateway-and-usage/tests.yaml b/compliance/validations/istio/check-istio-admin-gateway-and-usage/tests.yaml new file mode 100644 index 000000000..d77fce294 --- /dev/null +++ b/compliance/validations/istio/check-istio-admin-gateway-and-usage/tests.yaml @@ -0,0 +1,20 @@ +pass: + - test: default + validation: validation.yaml + resources: resources.json + expected-validation: true + - test: no-gateway + validation: validation.yaml + resources: resources.json + permutation: "del(.adminGateway)" + expected-validation: false + - test: admin-vs-not-using-admin-gw + validation: validation.yaml + resources: resources.json + permutation: '.virtualServices |= map(if .metadata.name == "keycloak-admin-admin-access-with-optional-client-certificate" then .spec.gateways = ["new-gateway/new-gateway-name"] else . end)' + expected-validation: false + - test: not-admin-vs-using-admin-gw + validation: validation.yaml + resources: resources.json + permutation: '.virtualServices |= map(if .metadata.name == "keycloak-tenant-public-auth-access-with-optional-client-certificate" then .spec.gateways = ["istio-admin-gateway/admin-gateway"] else . end)' + expected-validation: false diff --git a/compliance/validations/istio/check-istio-admin-gateway-and-usage/validation.yaml b/compliance/validations/istio/check-istio-admin-gateway-and-usage/validation.yaml new file mode 100644 index 000000000..61139d719 --- /dev/null +++ b/compliance/validations/istio/check-istio-admin-gateway-and-usage/validation.yaml @@ -0,0 +1,74 @@ +metadata: + name: check-istio-admin-gateway-and-usage + uuid: c6c9daf1-4196-406d-8679-312c0512ab2e +domain: + type: kubernetes + kubernetes-spec: + resources: + - name: adminGateway + resource-rule: + name: admin-gateway + group: networking.istio.io + version: v1beta1 + resource: gateways + namespaces: ["istio-admin-gateway"] + - name: virtualServices + resource-rule: + group: networking.istio.io + version: v1beta1 + resource: virtualservices + namespaces: [] +provider: + type: opa + opa-spec: + rego: | + package validate + import rego.v1 + + # Default values + default validate := false + default admin_gw_exists := false + default admin_vs_match := false + default msg := "Not evaluated" + + # Expected admin gateway details + expected_gateway := "admin-gateway" + expected_gateway_namespace := "istio-admin-gateway" + expected_ns_name := sprintf("%s/%s", [expected_gateway_namespace, expected_gateway]) + + validate if { + result_admin_gw_exixts.result + result_admin_vs_match.result + } + + msg = concat(" ", [result_admin_gw_exixts.msg, result_admin_vs_match.msg]) + + result_admin_gw_exixts = {"result": true, "msg": msg} if { + input.adminGateway.kind == "Gateway" + input.adminGateway.metadata.name == expected_gateway + input.adminGateway.metadata.namespace == expected_gateway_namespace + msg := sprintf("Admin gateway exists: %s.", [expected_ns_name]) + } else = {"result": false, "msg": msg} if { + msg := sprintf("Admin gateway does not exist, looking for: %s.", [expected_ns_name]) + } + + result_admin_vs_match = {"result": true, "msg": msg} if { + count(admin_vs-admin_vs_using_gateway) == 0 + count(all_vs_using_gateway-admin_vs_using_gateway) == 0 + msg := "Admin virtual services are using admin gateway." + } else = {"result": false, "msg": msg} if { + msg := sprintf("Mismatch of admin virtual services using gateway. Admin VS not using GW: %s. Non-Admin VS using gateway: %s.", [concat(", ", admin_vs-admin_vs_using_gateway), concat(", ", all_vs_using_gateway-admin_vs_using_gateway)]) + } + + # Count admin virtual services + admin_vs := {adminVs.metadata.name | adminVs := input.virtualServices[_]; adminVs.kind == "VirtualService"; contains(adminVs.metadata.name, "admin")} + + # Count admin VirtualServices correctly using the admin gateway (given by vs name containing "admin") + admin_vs_using_gateway := {adminVs.metadata.name | adminVs := input.virtualServices[_]; adminVs.kind == "VirtualService"; contains(adminVs.metadata.name, "admin"); adminVs.spec.gateways[_] == expected_ns_name} + + # Count all VirtualServices using the admin gateway + all_vs_using_gateway := {vs.metadata.name | vs := input.virtualServices[_]; vs.kind == "VirtualService"; vs.spec.gateways[_] == expected_ns_name} + output: + validation: validate.validate + observations: + - validate.msg diff --git a/compliance/validations/istio/check-istio-logging-all-traffic/README.md b/compliance/validations/istio/check-istio-logging-all-traffic/README.md new file mode 100644 index 000000000..d4f351a0f --- /dev/null +++ b/compliance/validations/istio/check-istio-logging-all-traffic/README.md @@ -0,0 +1,9 @@ +# README.md + +**NAME** - check-istio-logging-all-traffic + +**INPUT** - This validation collects the Istio Mesh Configuration from the `istio-system` namespace. + +**POLICY** - This policy checks if Istio's Mesh Configuration has logging enabled by verifying if the access log file is set to `/dev/stdout`. + +**NOTES** - Ensure that the Istio Mesh Configuration is correctly set up in the `istio-system` namespace. The policy specifically looks for the `accessLogFile` field to be set to `/dev/stdout`. \ No newline at end of file diff --git a/compliance/validations/istio/check-istio-logging-all-traffic/resources.json b/compliance/validations/istio/check-istio-logging-all-traffic/resources.json new file mode 100644 index 000000000..637faf937 --- /dev/null +++ b/compliance/validations/istio/check-istio-logging-all-traffic/resources.json @@ -0,0 +1,28 @@ +{ + "istioMeshConfig": { + "accessLogFile": "/dev/stdout", + "defaultConfig": { + "discoveryAddress": "istiod.istio-system.svc:15012", + "gatewayTopology": { + "forwardClientCertDetails": "SANITIZE" + }, + "holdApplicationUntilProxyStarts": true, + "tracing": { + "zipkin": { + "address": "zipkin.istio-system:9411" + } + } + }, + "defaultProviders": { + "metrics": [ + "prometheus" + ] + }, + "enablePrometheusMerge": true, + "pathNormalization": { + "normalization": "MERGE_SLASHES" + }, + "rootNamespace": "istio-system", + "trustDomain": "cluster.local" + } +} \ No newline at end of file diff --git a/compliance/validations/istio/check-istio-logging-all-traffic/tests.yaml b/compliance/validations/istio/check-istio-logging-all-traffic/tests.yaml new file mode 100644 index 000000000..bc6eafc76 --- /dev/null +++ b/compliance/validations/istio/check-istio-logging-all-traffic/tests.yaml @@ -0,0 +1,15 @@ +pass: + - test: default + validation: validation.yaml + resources: resources.json + expected-validation: true + - test: change-accessLogFile-to-different-dir + validation: validation.yaml + resources: resources.json + permutation: '.istioMeshConfig.accessLogFile = "/log/test"' + expected-validation: false + - test: remove-accessLogFile + validation: validation.yaml + resources: resources.json + permutation: "del(.istioMeshConfig.accessLogFile)" + expected-validation: false diff --git a/compliance/validations/istio/check-istio-logging-all-traffic/validation.yaml b/compliance/validations/istio/check-istio-logging-all-traffic/validation.yaml new file mode 100644 index 000000000..20227e2eb --- /dev/null +++ b/compliance/validations/istio/check-istio-logging-all-traffic/validation.yaml @@ -0,0 +1,46 @@ +metadata: + name: check-istio-logging-all-traffic + uuid: 90738c86-6315-450a-ac69-cc50eb4859cc +domain: + type: kubernetes + kubernetes-spec: + resources: + - name: istioMeshConfig + resource-rule: + field: + jsonpath: .data.mesh + type: yaml + namespaces: + - istio-system + resource: configmaps + version: v1 + name: istio +provider: + type: opa + opa-spec: + output: + observations: + - validate.msg + validation: validate.validate + rego: | + package validate + import rego.v1 + + # Default values + default validate := false + default msg := "Not evaluated" + + # Check if Istio's Mesh Configuration has logging enabled + validate if { + logging_enabled.result + } + + msg = logging_enabled.msg + + logging_enabled = {"result": true, "msg": msg} if { + # Check for access log file output to stdout + input.istioMeshConfig.accessLogFile == "/dev/stdout" + msg := "Istio is logging all traffic." + } else = {"result": false, "msg": msg} if { + msg := "Istio is not logging all traffic." + } diff --git a/compliance/validations/istio/communications-terminated-after-inactivity/README.md b/compliance/validations/istio/communications-terminated-after-inactivity/README.md new file mode 100644 index 000000000..5b3b48eae --- /dev/null +++ b/compliance/validations/istio/communications-terminated-after-inactivity/README.md @@ -0,0 +1,9 @@ +# README.md + +**NAME** - communications-terminated-after-inactivity-PLACEHOLDER + +**INPUT** - This validation currently does not collect any resources. + +**POLICY** - This policy is a placeholder and does not perform any validation. + +**NOTES** - The policy is a placeholder and needs to be updated to include the necessary checks for terminating communications after inactivity. \ No newline at end of file diff --git a/compliance/validations/istio/communications-terminated-after-inactivity/validation.yaml b/compliance/validations/istio/communications-terminated-after-inactivity/validation.yaml new file mode 100644 index 000000000..9bc171ca7 --- /dev/null +++ b/compliance/validations/istio/communications-terminated-after-inactivity/validation.yaml @@ -0,0 +1,17 @@ +metadata: + name: communications-terminated-after-inactivity-PLACEHOLDER + uuid: 663f5e92-6db4-4042-8b5a-eba3ebe5a622 +domain: + type: kubernetes + kubernetes-spec: + resources: [] +provider: + type: opa + opa-spec: + rego: | + package validate + + validate := false + + # Check on destination rule, outlier detection? + # -> Doesn't appear that UDS is configured to create destination rules. diff --git a/compliance/validations/istio/egress-gateway-exists-and-configured/README.md b/compliance/validations/istio/egress-gateway-exists-and-configured/README.md new file mode 100644 index 000000000..3e5e9ad89 --- /dev/null +++ b/compliance/validations/istio/egress-gateway-exists-and-configured/README.md @@ -0,0 +1,9 @@ +# README.md + +**NAME** - egress-gateway-exists-and-configured-PLACEHOLDER + +**INPUT** - This validation currently does not collect any resources. + +**POLICY** - This policy is a placeholder and does not perform any validation. + +**NOTES** - The policy is a placeholder and needs to be updated to include the necessary checks for the existence and configuration of the egress gateway. \ No newline at end of file diff --git a/compliance/validations/istio/egress-gateway-exists-and-configured/validation.yaml b/compliance/validations/istio/egress-gateway-exists-and-configured/validation.yaml new file mode 100644 index 000000000..e0f1dec06 --- /dev/null +++ b/compliance/validations/istio/egress-gateway-exists-and-configured/validation.yaml @@ -0,0 +1,14 @@ +metadata: + name: egress-gateway-exists-and-configured-PLACEHOLDER + uuid: c3b022eb-19a5-4711-8099-da4a90c9dd5d +domain: + type: kubernetes + kubernetes-spec: + resources: [] +provider: + type: opa + opa-spec: + rego: | + package validate + + default validate := false diff --git a/compliance/validations/istio/enforce-mtls-strict/README.md b/compliance/validations/istio/enforce-mtls-strict/README.md new file mode 100644 index 000000000..8c5fa459e --- /dev/null +++ b/compliance/validations/istio/enforce-mtls-strict/README.md @@ -0,0 +1,9 @@ +# README.md + +**NAME** - enforce-mtls-strict + +**INPUT** - This validation collects all `peerauthentications` from all namespaces. + +**POLICY** - This policy checks if all `PeerAuthentications` have mTLS mode set to `STRICT`. + +**NOTES** - Ensure that all `PeerAuthentications` are correctly configured with mTLS mode set to `STRICT`. The policy specifically looks for the `mtls.mode` field to be set to `STRICT`. \ No newline at end of file diff --git a/compliance/validations/istio/enforce-mtls-strict/resources.json b/compliance/validations/istio/enforce-mtls-strict/resources.json new file mode 100644 index 000000000..fac931181 --- /dev/null +++ b/compliance/validations/istio/enforce-mtls-strict/resources.json @@ -0,0 +1,225 @@ +{ + "peerAuths": [ + { + "apiVersion": "security.istio.io/v1beta1", + "kind": "PeerAuthentication", + "metadata": { + "annotations": { + "meta.helm.sh/release-name": "zarf-a102b532d6a523b085622665b606574b0cd82025", + "meta.helm.sh/release-namespace": "istio-system" + }, + "creationTimestamp": "2024-06-07T14:35:59Z", + "generation": 1, + "labels": { + "app.kubernetes.io/managed-by": "Helm" + }, + "name": "default-istio-system", + "namespace": "istio-system", + "resourceVersion": "1154", + "uid": "846d35fc-f942-4efc-b1ea-be35d3352db8" + }, + "spec": { + "mtls": { + "mode": "STRICT" + } + } + }, + { + "apiVersion": "security.istio.io/v1beta1", + "kind": "PeerAuthentication", + "metadata": { + "annotations": { + "meta.helm.sh/release-name": "zarf-a102b532d6a523b085622665b606574b0cd82025", + "meta.helm.sh/release-namespace": "istio-system" + }, + "creationTimestamp": "2024-06-07T14:35:59Z", + "generation": 1, + "labels": { + "app.kubernetes.io/managed-by": "Helm" + }, + "name": "permissive-pepr-webhook", + "namespace": "pepr-system", + "resourceVersion": "1155", + "uid": "8911bc2b-fc43-414c-9511-7712c463a8f3" + }, + "spec": { + "mtls": { + "mode": "STRICT" + }, + "portLevelMtls": { + "3000": { + "mode": "PERMISSIVE" + } + }, + "selector": { + "matchLabels": { + "pepr.dev/controller": "admission" + } + } + } + }, + { + "apiVersion": "security.istio.io/v1beta1", + "kind": "PeerAuthentication", + "metadata": { + "annotations": { + "meta.helm.sh/release-name": "uds-metrics-server-config", + "meta.helm.sh/release-namespace": "metrics-server" + }, + "creationTimestamp": "2024-06-07T14:36:34Z", + "generation": 1, + "labels": { + "app.kubernetes.io/managed-by": "Helm" + }, + "name": "metrics-server-api-exception", + "namespace": "metrics-server", + "resourceVersion": "1520", + "uid": "829a5b07-76c8-45f9-903e-f90976b677aa" + }, + "spec": { + "mtls": { + "mode": "STRICT" + }, + "portLevelMtls": { + "10250": { + "mode": "PERMISSIVE" + } + }, + "selector": { + "matchLabels": { + "app.kubernetes.io/name": "metrics-server" + } + } + } + }, + { + "apiVersion": "security.istio.io/v1beta1", + "kind": "PeerAuthentication", + "metadata": { + "annotations": { + "meta.helm.sh/release-name": "keycloak", + "meta.helm.sh/release-namespace": "keycloak" + }, + "creationTimestamp": "2024-06-07T14:37:03Z", + "generation": 1, + "labels": { + "app.kubernetes.io/managed-by": "Helm" + }, + "name": "keycloak", + "namespace": "keycloak", + "resourceVersion": "1659", + "uid": "21586733-a185-4a6b-b8cc-cc77bb77b012" + }, + "spec": { + "mtls": { + "mode": "STRICT" + } + } + }, + { + "apiVersion": "security.istio.io/v1beta1", + "kind": "PeerAuthentication", + "metadata": { + "annotations": { + "meta.helm.sh/release-name": "uds-neuvector-config", + "meta.helm.sh/release-namespace": "neuvector" + }, + "creationTimestamp": "2024-06-07T14:38:19Z", + "generation": 1, + "labels": { + "app.kubernetes.io/managed-by": "Helm" + }, + "name": "controller-neuvector", + "namespace": "neuvector", + "resourceVersion": "1912", + "uid": "c927e10e-e859-4f54-b2ad-ff457ae8a7e5" + }, + "spec": { + "mtls": { + "mode": "STRICT" + }, + "portLevelMtls": { + "18300": { + "mode": "PERMISSIVE" + }, + "30443": { + "mode": "PERMISSIVE" + } + }, + "selector": { + "matchLabels": { + "app": "neuvector-controller-pod" + } + } + } + }, + { + "apiVersion": "security.istio.io/v1beta1", + "kind": "PeerAuthentication", + "metadata": { + "annotations": { + "meta.helm.sh/release-name": "uds-loki-config", + "meta.helm.sh/release-namespace": "loki" + }, + "creationTimestamp": "2024-06-07T14:38:49Z", + "generation": 1, + "labels": { + "app.kubernetes.io/managed-by": "Helm" + }, + "name": "loki-simple-scalable", + "namespace": "loki", + "resourceVersion": "2382", + "uid": "78bfd0bf-5682-45b5-9a38-0fc4dee6ccd4" + }, + "spec": { + "mtls": { + "mode": "STRICT" + }, + "portLevelMtls": { + "9095": { + "mode": "PERMISSIVE" + } + }, + "selector": { + "matchLabels": { + "app.kubernetes.io/name": "loki" + } + } + } + }, + { + "apiVersion": "security.istio.io/v1beta1", + "kind": "PeerAuthentication", + "metadata": { + "annotations": { + "meta.helm.sh/release-name": "uds-prometheus-config", + "meta.helm.sh/release-namespace": "monitoring" + }, + "creationTimestamp": "2024-06-07T14:40:25Z", + "generation": 1, + "labels": { + "app.kubernetes.io/managed-by": "Helm" + }, + "name": "prometheus-operator-webhook", + "namespace": "monitoring", + "resourceVersion": "2862", + "uid": "1131d8b9-3c21-4076-b22a-e4bd3c0bdc44" + }, + "spec": { + "mtls": { + "mode": "STRICT" + }, + "portLevelMtls": { + "10250": { + "mode": "PERMISSIVE" + } + }, + "selector": { + "matchLabels": { + "app": "kube-prometheus-stack-operator" + } + } + } + } + ] +} \ No newline at end of file diff --git a/compliance/validations/istio/enforce-mtls-strict/tests.yaml b/compliance/validations/istio/enforce-mtls-strict/tests.yaml new file mode 100644 index 000000000..011697430 --- /dev/null +++ b/compliance/validations/istio/enforce-mtls-strict/tests.yaml @@ -0,0 +1,10 @@ +pass: + - test: default + validation: validation.yaml + resources: resources.json + expected-validation: true + - test: not_all_strict + validation: validation.yaml + resources: resources.json + permutation: '.peerAuths[0].spec.mtls.mode = "PERMISSIVE"' + expected-validation: false diff --git a/compliance/validations/istio/enforce-mtls-strict/validation.yaml b/compliance/validations/istio/enforce-mtls-strict/validation.yaml new file mode 100644 index 000000000..ed2fb4271 --- /dev/null +++ b/compliance/validations/istio/enforce-mtls-strict/validation.yaml @@ -0,0 +1,49 @@ +metadata: + name: enforce-mtls-strict + uuid: ca49ac97-487a-446a-a0b7-92b20e2c83cb +domain: + type: kubernetes + kubernetes-spec: + resources: + - name: peerAuths + resource-rule: + group: security.istio.io + version: v1beta1 + resource: peerauthentications + namespaces: [] +provider: + type: opa + opa-spec: + rego: | + package validate + import rego.v1 + + # Default values + default validate := false + default all_strict := false + default msg := "Not evaluated" + + validate if { + result_all_strict.result + } + + msg = concat(" ", [result_all_strict.msg]) + + # Evaluate if all PeerAuthentications have mtls mode set to STRICT + peer_auths := {sprintf("%s/%s", [pa.metadata.namespace, pa.metadata.name]) | pa := input.peerAuths[_]} + peer_auths_strict := {sprintf("%s/%s", [pa.metadata.namespace, pa.metadata.name]) | pa := input.peerAuths[_]; mtls_strict(pa)} + + result_all_strict = {"result": true, "msg": msg} if { + peer_auths == peer_auths_strict + msg := "All PeerAuthentications have mtls mode set to STRICT." + } else = {"result": false, "msg": msg} if { + msg := sprintf("Not all PeerAuthentications have mtls mode set to STRICT: %s.", [peer_auths - peer_auths_strict]) + } + + mtls_strict(pa) if { + pa.spec.mtls.mode == "STRICT" + } + output: + validation: validate.validate + observations: + - validate.msg diff --git a/compliance/validations/istio/external-traffic-managed/README.md b/compliance/validations/istio/external-traffic-managed/README.md new file mode 100644 index 000000000..ccd517728 --- /dev/null +++ b/compliance/validations/istio/external-traffic-managed/README.md @@ -0,0 +1,9 @@ +# README.md + +**NAME** - external-traffic-managed-PLACEHOLDER + +**INPUT** - This validation currently does not collect any resources. + +**POLICY** - This policy is a placeholder and does not perform any validation. + +**NOTES** - The policy is a placeholder and needs to be updated to include the necessary checks for managing external traffic, possibly involving `ServiceEntry` resources. \ No newline at end of file diff --git a/compliance/validations/istio/external-traffic-managed/validation.yaml b/compliance/validations/istio/external-traffic-managed/validation.yaml new file mode 100644 index 000000000..b83dab0b3 --- /dev/null +++ b/compliance/validations/istio/external-traffic-managed/validation.yaml @@ -0,0 +1,18 @@ +metadata: + name: external-traffic-managed-PLACEHOLDER + uuid: 19faf69a-de74-4b78-a628-64a9f244ae13 +domain: + type: kubernetes + kubernetes-spec: + resources: [] +provider: + type: opa + opa-spec: + rego: | + package validate + + default validate := false + + # This policy could check meshConfig.outboundTrafficPolicy.mode (default is ALLOW_ANY) + # Possibly would need a ServiceEntry(?) + # (https://istio.io/latest/docs/tasks/traffic-management/egress/egress-control/#envoy-passthrough-to-external-services) diff --git a/compliance/validations/istio/fips-evaluation/README.md b/compliance/validations/istio/fips-evaluation/README.md new file mode 100644 index 000000000..486a4ffef --- /dev/null +++ b/compliance/validations/istio/fips-evaluation/README.md @@ -0,0 +1,9 @@ +# README.md + +**NAME** - fips-evaluation-PLACEHOLDER + +**INPUT** - This validation currently does not collect any resources. + +**POLICY** - This policy is a placeholder and does not perform any validation. + +**NOTES** - Update the `kubernetes-spec` and `opa-spec` in the `validation.yaml` file to perform the desired FIPS evaluation. \ No newline at end of file diff --git a/compliance/validations/istio/fips-evaluation/validation.yaml b/compliance/validations/istio/fips-evaluation/validation.yaml new file mode 100644 index 000000000..51d9663ee --- /dev/null +++ b/compliance/validations/istio/fips-evaluation/validation.yaml @@ -0,0 +1,14 @@ +metadata: + name: fips-evaluation-PLACEHOLDER + uuid: 73434890-2751-4894-b7b2-7e583b4a8977 +domain: + type: kubernetes + kubernetes-spec: + resources: [] +provider: + type: opa + opa-spec: + rego: | + package validate + + default validate := false diff --git a/compliance/validations/istio/gateway-configuration-check/README.md b/compliance/validations/istio/gateway-configuration-check/README.md new file mode 100644 index 000000000..3dcacdc4a --- /dev/null +++ b/compliance/validations/istio/gateway-configuration-check/README.md @@ -0,0 +1,9 @@ +# README.md + +**NAME** - gateway-configuration-check + +**INPUT** - This validation collects all Istio gateways in the Kubernetes cluster. + +**POLICY** - This policy checks that only allowed gateways ("admin", "tenant", "passthrough") are present and that all required gateway types are found. + +**NOTES** - Ensure that the allowed gateways are correctly specified and that all required gateway types are present in the cluster. \ No newline at end of file diff --git a/compliance/validations/istio/gateway-configuration-check/resources.json b/compliance/validations/istio/gateway-configuration-check/resources.json new file mode 100644 index 000000000..ee48519a3 --- /dev/null +++ b/compliance/validations/istio/gateway-configuration-check/resources.json @@ -0,0 +1,220 @@ +{ + "gateways": [ + { + "apiVersion": "networking.istio.io/v1beta1", + "kind": "Gateway", + "metadata": { + "annotations": { + "meta.helm.sh/release-name": "uds-istio-config", + "meta.helm.sh/release-namespace": "istio-admin-gateway" + }, + "creationTimestamp": "2024-06-07T14:36:07Z", + "generation": 1, + "labels": { + "app.kubernetes.io/managed-by": "Helm" + }, + "name": "admin-gateway", + "namespace": "istio-admin-gateway", + "resourceVersion": "1216", + "uid": "07ede0ee-0ffc-42d0-ae22-15fa69dfb45a" + }, + "spec": { + "selector": { + "app": "admin-ingressgateway" + }, + "servers": [ + { + "hosts": [ + "*.admin.uds.dev" + ], + "port": { + "name": "http-admin", + "number": 80, + "protocol": "HTTP" + }, + "tls": { + "httpsRedirect": true + } + }, + { + "hosts": [ + "*.admin.uds.dev" + ], + "port": { + "name": "https-admin", + "number": 443, + "protocol": "HTTPS" + }, + "tls": { + "credentialName": "gateway-tls", + "minProtocolVersion": "TLSV1_3", + "mode": "SIMPLE" + } + }, + { + "hosts": [ + "keycloak.admin.uds.dev" + ], + "port": { + "name": "http-keycloak", + "number": 80, + "protocol": "HTTP" + }, + "tls": { + "httpsRedirect": true + } + }, + { + "hosts": [ + "keycloak.admin.uds.dev" + ], + "port": { + "name": "https-keycloak", + "number": 443, + "protocol": "HTTPS" + }, + "tls": { + "credentialName": "gateway-tls", + "minProtocolVersion": "TLSV1_3", + "mode": "OPTIONAL_MUTUAL" + } + } + ] + } + }, + { + "apiVersion": "networking.istio.io/v1beta1", + "kind": "Gateway", + "metadata": { + "annotations": { + "meta.helm.sh/release-name": "uds-istio-config", + "meta.helm.sh/release-namespace": "istio-tenant-gateway" + }, + "creationTimestamp": "2024-06-07T14:36:11Z", + "generation": 1, + "labels": { + "app.kubernetes.io/managed-by": "Helm" + }, + "name": "tenant-gateway", + "namespace": "istio-tenant-gateway", + "resourceVersion": "1273", + "uid": "fb672c84-0a55-4ccc-84c7-7448868598f3" + }, + "spec": { + "selector": { + "app": "tenant-ingressgateway" + }, + "servers": [ + { + "hosts": [ + "sso.uds.dev" + ], + "port": { + "name": "http-keycloak", + "number": 80, + "protocol": "HTTP" + }, + "tls": { + "httpsRedirect": true + } + }, + { + "hosts": [ + "sso.uds.dev" + ], + "port": { + "name": "https-keycloak", + "number": 443, + "protocol": "HTTPS" + }, + "tls": { + "credentialName": "gateway-tls", + "minProtocolVersion": "TLSV1_3", + "mode": "OPTIONAL_MUTUAL" + } + }, + { + "hosts": [ + "*.uds.dev" + ], + "port": { + "name": "http-tenant", + "number": 80, + "protocol": "HTTP" + }, + "tls": { + "httpsRedirect": true + } + }, + { + "hosts": [ + "*.uds.dev" + ], + "port": { + "name": "https-tenant", + "number": 443, + "protocol": "HTTPS" + }, + "tls": { + "credentialName": "gateway-tls", + "minProtocolVersion": "TLSV1_3", + "mode": "SIMPLE" + } + } + ] + } + }, + { + "apiVersion": "networking.istio.io/v1beta1", + "kind": "Gateway", + "metadata": { + "annotations": { + "meta.helm.sh/release-name": "uds-istio-config", + "meta.helm.sh/release-namespace": "istio-passthrough-gateway" + }, + "creationTimestamp": "2024-06-07T14:36:15Z", + "generation": 1, + "labels": { + "app.kubernetes.io/managed-by": "Helm" + }, + "name": "passthrough-gateway", + "namespace": "istio-passthrough-gateway", + "resourceVersion": "1330", + "uid": "501528ef-4199-4804-994d-a1392d6f249e" + }, + "spec": { + "selector": { + "app": "passthrough-ingressgateway" + }, + "servers": [ + { + "hosts": [ + "*.uds.dev" + ], + "port": { + "name": "http-passthrough", + "number": 80, + "protocol": "HTTP" + }, + "tls": { + "httpsRedirect": true + } + }, + { + "hosts": [ + "*.uds.dev" + ], + "port": { + "name": "https-passthrough", + "number": 443, + "protocol": "HTTPS" + }, + "tls": { + "mode": "PASSTHROUGH" + } + } + ] + } + } + ] +} \ No newline at end of file diff --git a/compliance/validations/istio/gateway-configuration-check/tests.yaml b/compliance/validations/istio/gateway-configuration-check/tests.yaml new file mode 100644 index 000000000..ac7eea542 --- /dev/null +++ b/compliance/validations/istio/gateway-configuration-check/tests.yaml @@ -0,0 +1,15 @@ +pass: + - test: default + validation: validation.yaml + resources: resources.json + expected-validation: true + - test: remove_first_gateway + validation: validation.yaml + resources: resources.json + permutation: "del(.gateways[0])" + expected-validation: false + - test: add_new_gateway + validation: validation.yaml + resources: resources.json + permutation: '.gateways += [{"apiVersion": "networking.istio.io/v1beta1", "kind": "Gateway", "metadata": {"name": "new-gateway", "namespace": "new-namespace"}}]' + expected-validation: false diff --git a/compliance/validations/istio/gateway-configuration-check/validation.yaml b/compliance/validations/istio/gateway-configuration-check/validation.yaml new file mode 100644 index 000000000..c1be18882 --- /dev/null +++ b/compliance/validations/istio/gateway-configuration-check/validation.yaml @@ -0,0 +1,63 @@ +metadata: + name: gateway-configuration-check + uuid: b0a8f21e-b12f-47ea-a967-2f4a3ec69e44 +domain: + type: kubernetes + kubernetes-spec: + resources: + - name: gateways + resource-rule: + group: networking.istio.io + resource: gateways + namespaces: [] + version: v1beta1 +provider: + type: opa + opa-spec: + rego: | + package validate + import rego.v1 + + # default values + default validate := false + default msg := "Not evaluated" + + validate if { + check_expected_gw.result + check_all_gw_found.result + } + + msg := concat(" ", [check_expected_gw.msg, check_all_gw_found.msg]) + msg_existing_gateways := concat(", ", gateways) + msg_allowed_gateways := concat(", ", allowed) + + # Check if only allowed gateways are in the system + allowed := {"admin", "tenant", "passthrough"} + gateways := {sprintf("%s/%s", [gw.metadata.namespace, gw.metadata.name]) | gw := input.gateways[_]} + allowed_gateways := {sprintf("%s/%s", [gw.metadata.namespace, gw.metadata.name]) | gw := input.gateways[_]; gw_in_list(gw, allowed)} + actual_allowed := {s | g := gateways[_]; s := allowed[_]; contains(g, s)} + + check_expected_gw = {"result": true, "msg": msg} if { + gateways == allowed_gateways + msg := "Only allowed gateways found." + } else = {"result": false, "msg": msg} if { + msg := sprintf("Some disallowed gateways found: %v.", [gateways-allowed_gateways]) + } + + gw_in_list(gw, allowed) if { + contains(gw.metadata.name, allowed[_]) + } + + # Check if the entire set contains all required gateways + check_all_gw_found = {"result": true, "msg": msg} if { + actual_allowed == allowed + msg := "All gateway types found." + } else = {"result": false, "msg": msg} if { + msg := sprintf("Gateway type(s) missing: %v.", [allowed - actual_allowed]) + } + output: + validation: validate.validate + observations: + - validate.msg + - validate.msg_existing_gateways + - validate.msg_allowed_gateways diff --git a/compliance/validations/istio/healthcheck/README.md b/compliance/validations/istio/healthcheck/README.md new file mode 100644 index 000000000..278857e12 --- /dev/null +++ b/compliance/validations/istio/healthcheck/README.md @@ -0,0 +1,9 @@ +# README.md + +**NAME** - istio-health-check + +**INPUT** - This validation collects the Istiod deployment and horizontal pod autoscaler (HPA) in the "istio-system" namespace. + +**POLICY** - This policy checks if the Istiod deployment is healthy and if the HPA has sufficient replicas. + +**NOTES** - Ensure that the Istiod deployment and HPA are correctly configured and running in the "istio-system" namespace. \ No newline at end of file diff --git a/compliance/validations/istio/healthcheck/resources.json b/compliance/validations/istio/healthcheck/resources.json new file mode 100644 index 000000000..7b8914043 --- /dev/null +++ b/compliance/validations/istio/healthcheck/resources.json @@ -0,0 +1,407 @@ +{ + "istioddeployment": { + "apiVersion": "apps/v1", + "kind": "Deployment", + "metadata": { + "annotations": { + "deployment.kubernetes.io/revision": "1", + "meta.helm.sh/release-name": "istiod", + "meta.helm.sh/release-namespace": "istio-system" + }, + "creationTimestamp": "2024-06-07T14:35:55Z", + "generation": 1, + "labels": { + "app": "istiod", + "app.kubernetes.io/managed-by": "Helm", + "install.operator.istio.io/owning-resource": "unknown", + "istio": "pilot", + "istio.io/rev": "default", + "operator.istio.io/component": "Pilot", + "release": "istiod" + }, + "name": "istiod", + "namespace": "istio-system", + "resourceVersion": "1141", + "uid": "c913f7f1-0ac7-4a73-9fd5-614715411fb6" + }, + "spec": { + "progressDeadlineSeconds": 600, + "replicas": 1, + "revisionHistoryLimit": 10, + "selector": { + "matchLabels": { + "istio": "pilot" + } + }, + "strategy": { + "rollingUpdate": { + "maxSurge": "100%", + "maxUnavailable": "25%" + }, + "type": "RollingUpdate" + }, + "template": { + "metadata": { + "annotations": { + "prometheus.io/port": "15014", + "prometheus.io/scrape": "true", + "sidecar.istio.io/inject": "false" + }, + "creationTimestamp": null, + "labels": { + "app": "istiod", + "install.operator.istio.io/owning-resource": "unknown", + "istio": "pilot", + "istio.io/dataplane-mode": "none", + "istio.io/rev": "default", + "operator.istio.io/component": "Pilot", + "sidecar.istio.io/inject": "false" + } + }, + "spec": { + "containers": [ + { + "args": [ + "discovery", + "--monitoringAddr=:15014", + "--log_output_level=default:info", + "--domain", + "cluster.local", + "--keepaliveMaxServerConnectionAge", + "30m" + ], + "env": [ + { + "name": "REVISION", + "value": "default" + }, + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "KUBECONFIG", + "value": "/var/run/secrets/remote/config" + }, + { + "name": "PILOT_TRACE_SAMPLING", + "value": "1" + }, + { + "name": "PILOT_ENABLE_ANALYSIS", + "value": "false" + }, + { + "name": "CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PLATFORM" + } + ], + "image": "docker.io/istio/pilot:1.22.1-distroless", + "imagePullPolicy": "IfNotPresent", + "name": "discovery", + "ports": [ + { + "containerPort": 8080, + "protocol": "TCP" + }, + { + "containerPort": 15010, + "protocol": "TCP" + }, + { + "containerPort": 15017, + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/ready", + "port": 8080, + "scheme": "HTTP" + }, + "initialDelaySeconds": 1, + "periodSeconds": 3, + "successThreshold": 1, + "timeoutSeconds": 5 + }, + "resources": { + "requests": { + "cpu": "500m", + "memory": "2Gi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "readOnlyRootFilesystem": true, + "runAsNonRoot": true + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token", + "readOnly": true + }, + { + "mountPath": "/var/run/secrets/istio-dns", + "name": "local-certs" + }, + { + "mountPath": "/etc/cacerts", + "name": "cacerts", + "readOnly": true + }, + { + "mountPath": "/var/run/secrets/remote", + "name": "istio-kubeconfig", + "readOnly": true + }, + { + "mountPath": "/var/run/secrets/istiod/tls", + "name": "istio-csr-dns-cert", + "readOnly": true + }, + { + "mountPath": "/var/run/secrets/istiod/ca", + "name": "istio-csr-ca-configmap", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": {}, + "serviceAccount": "istiod", + "serviceAccountName": "istiod", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "key": "cni.istio.io/not-ready", + "operator": "Exists" + } + ], + "volumes": [ + { + "emptyDir": { + "medium": "Memory" + }, + "name": "local-certs" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "name": "cacerts", + "secret": { + "defaultMode": 420, + "optional": true, + "secretName": "cacerts" + } + }, + { + "name": "istio-kubeconfig", + "secret": { + "defaultMode": 420, + "optional": true, + "secretName": "istio-kubeconfig" + } + }, + { + "name": "istio-csr-dns-cert", + "secret": { + "defaultMode": 420, + "optional": true, + "secretName": "istiod-tls" + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert", + "optional": true + }, + "name": "istio-csr-ca-configmap" + } + ] + } + } + }, + "status": { + "availableReplicas": 1, + "conditions": [ + { + "lastTransitionTime": "2024-06-07T14:35:57Z", + "lastUpdateTime": "2024-06-07T14:35:57Z", + "message": "Deployment has minimum availability.", + "reason": "MinimumReplicasAvailable", + "status": "True", + "type": "Available" + }, + { + "lastTransitionTime": "2024-06-07T14:35:55Z", + "lastUpdateTime": "2024-06-07T14:35:57Z", + "message": "ReplicaSet \"istiod-5d75444496\" has successfully progressed.", + "reason": "NewReplicaSetAvailable", + "status": "True", + "type": "Progressing" + } + ], + "observedGeneration": 1, + "readyReplicas": 1, + "replicas": 1, + "updatedReplicas": 1 + } + }, + "istiodhpa": { + "apiVersion": "autoscaling/v2", + "kind": "HorizontalPodAutoscaler", + "metadata": { + "annotations": { + "meta.helm.sh/release-name": "istiod", + "meta.helm.sh/release-namespace": "istio-system" + }, + "creationTimestamp": "2024-06-07T14:35:55Z", + "labels": { + "app": "istiod", + "app.kubernetes.io/managed-by": "Helm", + "install.operator.istio.io/owning-resource": "unknown", + "istio.io/rev": "default", + "operator.istio.io/component": "Pilot", + "release": "istiod" + }, + "name": "istiod", + "namespace": "istio-system", + "resourceVersion": "153610", + "uid": "595b2821-fb62-4203-9a4d-c3bba5689215" + }, + "spec": { + "maxReplicas": 5, + "metrics": [ + { + "resource": { + "name": "cpu", + "target": { + "averageUtilization": 80, + "type": "Utilization" + } + }, + "type": "Resource" + } + ], + "minReplicas": 1, + "scaleTargetRef": { + "apiVersion": "apps/v1", + "kind": "Deployment", + "name": "istiod" + } + }, + "status": { + "conditions": [ + { + "lastTransitionTime": "2024-06-11T12:12:51Z", + "message": "recent recommendations were higher than current one, applying the highest recent recommendation", + "reason": "ScaleDownStabilized", + "status": "True", + "type": "AbleToScale" + }, + { + "lastTransitionTime": "2024-06-07T14:37:10Z", + "message": "the HPA was able to successfully calculate a replica count from cpu resource utilization (percentage of request)", + "reason": "ValidMetricFound", + "status": "True", + "type": "ScalingActive" + }, + { + "lastTransitionTime": "2024-06-07T15:31:59Z", + "message": "the desired count is within the acceptable range", + "reason": "DesiredWithinRange", + "status": "False", + "type": "ScalingLimited" + } + ], + "currentMetrics": [ + { + "resource": { + "current": { + "averageUtilization": 0, + "averageValue": "3m" + }, + "name": "cpu" + }, + "type": "Resource" + } + ], + "currentReplicas": 1, + "desiredReplicas": 1 + } + } +} \ No newline at end of file diff --git a/compliance/validations/istio/healthcheck/tests.yaml b/compliance/validations/istio/healthcheck/tests.yaml new file mode 100644 index 000000000..fe5940d0e --- /dev/null +++ b/compliance/validations/istio/healthcheck/tests.yaml @@ -0,0 +1,15 @@ +pass: + - test: default + validation: validation.yaml + resources: resources.json + expected-validation: true + - test: hpa_zero_replicas + validation: validation.yaml + resources: resources.json + permutation: ".istiodhpa.status.currentReplicas = 0" + expected-validation: false + - test: deployment_condition_false + validation: validation.yaml + resources: resources.json + permutation: ".istioddeployment.status.availableReplicas = 0" + expected-validation: false diff --git a/compliance/validations/istio/healthcheck/validation.yaml b/compliance/validations/istio/healthcheck/validation.yaml new file mode 100644 index 000000000..9eea7e20f --- /dev/null +++ b/compliance/validations/istio/healthcheck/validation.yaml @@ -0,0 +1,62 @@ +metadata: + name: istio-health-check + uuid: 67456ae8-4505-4c93-b341-d977d90cb125 +domain: + type: kubernetes + kubernetes-spec: + resources: + - name: istioddeployment + resource-rule: + group: apps + name: istiod + namespaces: + - istio-system + resource: deployments + version: v1 + - name: istiodhpa + resource-rule: + group: autoscaling + name: istiod + namespaces: + - istio-system + resource: horizontalpodautoscalers + version: v2 +provider: + type: opa + opa-spec: + output: + validation: validate.validate + observations: + - validate.msg + - validate.deployment_message + - validate.hpa_message + rego: | + package validate + import rego.v1 + + # Default values + default validate := false + default msg := "Not evaluated" + + # Check if the Istio Deployment is healthy + validate if { + check_deployment_health.result + check_hpa_health.result + } + + msg = concat(" ", [check_deployment_health.msg, check_hpa_health.msg]) + + check_deployment_health = {"result": true, "msg": msg} if { + input.istioddeployment.status.replicas > 0 + input.istioddeployment.status.availableReplicas == input.istioddeployment.status.replicas + msg := "Istiod Deployment is healthy." + } else = {"result": false, "msg": msg} if { + msg := "Istiod Deployment is not healthy." + } + + check_hpa_health = {"result": true, "msg": msg} if { + input.istiodhpa.status.currentReplicas >= input.istiodhpa.spec.minReplicas + msg := "HPA has sufficient replicas." + } else = {"result": false, "msg": msg} if { + msg := "HPA does not have sufficient replicas." + } diff --git a/compliance/validations/istio/ingress-traffic-encrypted/README.md b/compliance/validations/istio/ingress-traffic-encrypted/README.md new file mode 100644 index 000000000..6fc5c4032 --- /dev/null +++ b/compliance/validations/istio/ingress-traffic-encrypted/README.md @@ -0,0 +1,9 @@ +# README.md + +**NAME** - ingress-traffic-encrypted + +**INPUT** - This validation collects all Istio gateways in the Kubernetes cluster. + +**POLICY** - This policy checks that all gateways encrypt ingress traffic, except for the "istio-passthrough-gateway/passthrough-gateway". + +**NOTES** - The server spec in the gateways must have a `port.protocol` set to `HTTPS` and `tls.httpsRedirect` set to `true` OR `port.protocol` set to `HTTPS` and `tls.mode` either `SIMPLE` or `OPTIONAL_MUTUAL`. \ No newline at end of file diff --git a/compliance/validations/istio/ingress-traffic-encrypted/resources.json b/compliance/validations/istio/ingress-traffic-encrypted/resources.json new file mode 100644 index 000000000..ee48519a3 --- /dev/null +++ b/compliance/validations/istio/ingress-traffic-encrypted/resources.json @@ -0,0 +1,220 @@ +{ + "gateways": [ + { + "apiVersion": "networking.istio.io/v1beta1", + "kind": "Gateway", + "metadata": { + "annotations": { + "meta.helm.sh/release-name": "uds-istio-config", + "meta.helm.sh/release-namespace": "istio-admin-gateway" + }, + "creationTimestamp": "2024-06-07T14:36:07Z", + "generation": 1, + "labels": { + "app.kubernetes.io/managed-by": "Helm" + }, + "name": "admin-gateway", + "namespace": "istio-admin-gateway", + "resourceVersion": "1216", + "uid": "07ede0ee-0ffc-42d0-ae22-15fa69dfb45a" + }, + "spec": { + "selector": { + "app": "admin-ingressgateway" + }, + "servers": [ + { + "hosts": [ + "*.admin.uds.dev" + ], + "port": { + "name": "http-admin", + "number": 80, + "protocol": "HTTP" + }, + "tls": { + "httpsRedirect": true + } + }, + { + "hosts": [ + "*.admin.uds.dev" + ], + "port": { + "name": "https-admin", + "number": 443, + "protocol": "HTTPS" + }, + "tls": { + "credentialName": "gateway-tls", + "minProtocolVersion": "TLSV1_3", + "mode": "SIMPLE" + } + }, + { + "hosts": [ + "keycloak.admin.uds.dev" + ], + "port": { + "name": "http-keycloak", + "number": 80, + "protocol": "HTTP" + }, + "tls": { + "httpsRedirect": true + } + }, + { + "hosts": [ + "keycloak.admin.uds.dev" + ], + "port": { + "name": "https-keycloak", + "number": 443, + "protocol": "HTTPS" + }, + "tls": { + "credentialName": "gateway-tls", + "minProtocolVersion": "TLSV1_3", + "mode": "OPTIONAL_MUTUAL" + } + } + ] + } + }, + { + "apiVersion": "networking.istio.io/v1beta1", + "kind": "Gateway", + "metadata": { + "annotations": { + "meta.helm.sh/release-name": "uds-istio-config", + "meta.helm.sh/release-namespace": "istio-tenant-gateway" + }, + "creationTimestamp": "2024-06-07T14:36:11Z", + "generation": 1, + "labels": { + "app.kubernetes.io/managed-by": "Helm" + }, + "name": "tenant-gateway", + "namespace": "istio-tenant-gateway", + "resourceVersion": "1273", + "uid": "fb672c84-0a55-4ccc-84c7-7448868598f3" + }, + "spec": { + "selector": { + "app": "tenant-ingressgateway" + }, + "servers": [ + { + "hosts": [ + "sso.uds.dev" + ], + "port": { + "name": "http-keycloak", + "number": 80, + "protocol": "HTTP" + }, + "tls": { + "httpsRedirect": true + } + }, + { + "hosts": [ + "sso.uds.dev" + ], + "port": { + "name": "https-keycloak", + "number": 443, + "protocol": "HTTPS" + }, + "tls": { + "credentialName": "gateway-tls", + "minProtocolVersion": "TLSV1_3", + "mode": "OPTIONAL_MUTUAL" + } + }, + { + "hosts": [ + "*.uds.dev" + ], + "port": { + "name": "http-tenant", + "number": 80, + "protocol": "HTTP" + }, + "tls": { + "httpsRedirect": true + } + }, + { + "hosts": [ + "*.uds.dev" + ], + "port": { + "name": "https-tenant", + "number": 443, + "protocol": "HTTPS" + }, + "tls": { + "credentialName": "gateway-tls", + "minProtocolVersion": "TLSV1_3", + "mode": "SIMPLE" + } + } + ] + } + }, + { + "apiVersion": "networking.istio.io/v1beta1", + "kind": "Gateway", + "metadata": { + "annotations": { + "meta.helm.sh/release-name": "uds-istio-config", + "meta.helm.sh/release-namespace": "istio-passthrough-gateway" + }, + "creationTimestamp": "2024-06-07T14:36:15Z", + "generation": 1, + "labels": { + "app.kubernetes.io/managed-by": "Helm" + }, + "name": "passthrough-gateway", + "namespace": "istio-passthrough-gateway", + "resourceVersion": "1330", + "uid": "501528ef-4199-4804-994d-a1392d6f249e" + }, + "spec": { + "selector": { + "app": "passthrough-ingressgateway" + }, + "servers": [ + { + "hosts": [ + "*.uds.dev" + ], + "port": { + "name": "http-passthrough", + "number": 80, + "protocol": "HTTP" + }, + "tls": { + "httpsRedirect": true + } + }, + { + "hosts": [ + "*.uds.dev" + ], + "port": { + "name": "https-passthrough", + "number": 443, + "protocol": "HTTPS" + }, + "tls": { + "mode": "PASSTHROUGH" + } + } + ] + } + } + ] +} \ No newline at end of file diff --git a/compliance/validations/istio/ingress-traffic-encrypted/tests.yaml b/compliance/validations/istio/ingress-traffic-encrypted/tests.yaml new file mode 100644 index 000000000..ca3b6b747 --- /dev/null +++ b/compliance/validations/istio/ingress-traffic-encrypted/tests.yaml @@ -0,0 +1,15 @@ +pass: + - test: default + validation: validation.yaml + resources: resources.json + expected-validation: true + - test: change_admin_gateway_protocol_to_tcp + validation: validation.yaml + resources: resources.json + permutation: '.gateways |= map(if .metadata.name == "admin-gateway" then .spec.servers[0].port.protocol = "TCP" else . end)' + expected-validation: false + - test: change_admin_gateway_httpsRedirect_to_false + validation: validation.yaml + resources: resources.json + permutation: '.gateways |= map(if .metadata.name == "admin-gateway" then .spec.servers[0].tls.httpsRedirect = false else . end)' + expected-validation: false diff --git a/compliance/validations/istio/ingress-traffic-encrypted/validation.yaml b/compliance/validations/istio/ingress-traffic-encrypted/validation.yaml new file mode 100644 index 000000000..198125f72 --- /dev/null +++ b/compliance/validations/istio/ingress-traffic-encrypted/validation.yaml @@ -0,0 +1,74 @@ +metadata: + name: ingress-traffic-encrypted + uuid: fd071676-6b92-4e1c-a4f0-4c8d2bd55aed +domain: + type: kubernetes + kubernetes-spec: + resources: + - name: gateways + resource-rule: + group: networking.istio.io + version: v1beta1 + resource: gateways + namespaces: [] +provider: + type: opa + opa-spec: + rego: | + package validate + import rego.v1 + + # Default values + default validate := false + default msg := "Not evaluated" + + # Validation + validate if { + check_gateways_allowed.result + } + msg = check_gateways_allowed.msg + msg_exempted_gateways = concat(", ", exempt_gateways) + + # Collect gateways that do not encrypt ingress traffic + gateways_disallowed = {sprintf("%s/%s", [gateway.metadata.namespace, gateway.metadata.name]) | + gateway := input.gateways[_]; + not allowed_gateway(gateway) + } + + check_gateways_allowed = {"result": true, "msg": msg} if { + count(gateways_disallowed) == 0 + msg := "All gateways encrypt ingress traffic" + } else = {"result": false, "msg": msg} if { + msg := sprintf("Some gateways do not encrypt ingress traffic: %s", [concat(", ", gateways_disallowed)]) + } + + # Check allowed gateway + allowed_gateway(gateway) if { + every server in gateway.spec.servers { + allowed_server(server) + } + } + + exempt_gateways := {"istio-passthrough-gateway/passthrough-gateway"} + allowed_gateway(gateway) if { + sprintf("%s/%s", [gateway.metadata.namespace, gateway.metadata.name]) in exempt_gateways + # *Unchecked condition that exempted gateway is only used by virtual services that route https traffic + # Find all virtual services that use this gateway + # Check that vs has https scheme + } + + # Check allowed server spec in gateway + allowed_server(server) if { + server.port.protocol == "HTTP" + server.tls.httpsRedirect == true + } + + allowed_server(server) if { + server.port.protocol == "HTTPS" + server.tls.mode in {"SIMPLE", "OPTIONAL_MUTUAL"} + } + output: + validation: validate.validate + observations: + - validate.msg + - validate.msg_exempted_gateways diff --git a/compliance/validations/istio/metrics-logging-configured/README.md b/compliance/validations/istio/metrics-logging-configured/README.md new file mode 100644 index 000000000..0d4a63049 --- /dev/null +++ b/compliance/validations/istio/metrics-logging-configured/README.md @@ -0,0 +1,9 @@ +# README.md + +**NAME** - istio-metrics-logging-configured + +**INPUT** - This validation collects the "istioConfig" configmap in the "istio-system" namespace. + +**POLICY** - This policy checks if metrics logging is supported by validating the Istio configuration. + +**NOTES** - Ensure that the Istio configmap is correctly configured and located in the "istio-system" namespace. The policy specifically looks for the `enablePrometheusMerge` field to be not set to `false`. \ No newline at end of file diff --git a/compliance/validations/istio/metrics-logging-configured/resources.json b/compliance/validations/istio/metrics-logging-configured/resources.json new file mode 100644 index 000000000..f8161f0aa --- /dev/null +++ b/compliance/validations/istio/metrics-logging-configured/resources.json @@ -0,0 +1,28 @@ +{ + "istioConfig": { + "accessLogFile": "/dev/stdout", + "defaultConfig": { + "discoveryAddress": "istiod.istio-system.svc:15012", + "gatewayTopology": { + "forwardClientCertDetails": "SANITIZE" + }, + "holdApplicationUntilProxyStarts": true, + "tracing": { + "zipkin": { + "address": "zipkin.istio-system:9411" + } + } + }, + "defaultProviders": { + "metrics": [ + "prometheus" + ] + }, + "enablePrometheusMerge": true, + "pathNormalization": { + "normalization": "MERGE_SLASHES" + }, + "rootNamespace": "istio-system", + "trustDomain": "cluster.local" + } +} \ No newline at end of file diff --git a/compliance/validations/istio/metrics-logging-configured/tests.yaml b/compliance/validations/istio/metrics-logging-configured/tests.yaml new file mode 100644 index 000000000..30a2f63e4 --- /dev/null +++ b/compliance/validations/istio/metrics-logging-configured/tests.yaml @@ -0,0 +1,15 @@ +pass: + - test: default + validation: validation.yaml + resources: resources.json + expected-validation: true + - test: change_enablePrometheusMerge_to_false + validation: validation.yaml + resources: resources.json + permutation: ".istioConfig.enablePrometheusMerge = false" + expected-validation: false + - test: change_enablePrometheusMerge_to_false + validation: validation.yaml + resources: resources.json + permutation: "del(.istioConfig.enablePrometheusMerge)" + expected-validation: true diff --git a/compliance/validations/istio/metrics-logging-configured/validation.yaml b/compliance/validations/istio/metrics-logging-configured/validation.yaml new file mode 100644 index 000000000..89df8a9e3 --- /dev/null +++ b/compliance/validations/istio/metrics-logging-configured/validation.yaml @@ -0,0 +1,44 @@ +metadata: + name: istio-metrics-logging-configured + uuid: 70d99754-2918-400c-ac9a-319f874fff90 +domain: + type: kubernetes + kubernetes-spec: + resources: + - name: istioConfig + resource-rule: + resource: configmaps + namespaces: + - istio-system + version: v1 + name: istio + field: + jsonpath: .data.mesh + type: yaml +provider: + type: opa + opa-spec: + rego: | + package validate + import rego.v1 + + # Default values + default validate := false + default msg := "Not evaluated" + + # Validate Istio configuration for metrics logging support + validate if { + check_metrics_enabled.result + } + msg = check_metrics_enabled.msg + + check_metrics_enabled = { "result": false, "msg": msg } if { + input.istioConfig.enablePrometheusMerge == false + msg := "Metrics logging not supported." + } else = { "result": true, "msg": msg } if { + msg := "Metrics logging supported." + } + output: + validation: validate.validate + observations: + - validate.msg diff --git a/compliance/validations/istio/prometheus-annotations-validation/README.md b/compliance/validations/istio/prometheus-annotations-validation/README.md new file mode 100644 index 000000000..558d2758a --- /dev/null +++ b/compliance/validations/istio/prometheus-annotations-validation/README.md @@ -0,0 +1,9 @@ +# README.md + +**NAME** - istio-prometheus-annotations-validation + +**INPUT** - This validation collects all pods in the Kubernetes cluster. + +**POLICY** - This policy checks that all pods have the required Prometheus annotations for scraping metrics, except for those in exempted namespaces. + +**NOTES** - The exempted namespaces are "kube-system", "istio-system", "uds-dev-stack", and "zarf". Ensure that these namespaces are correct and update them if necessary. \ No newline at end of file diff --git a/compliance/validations/istio/prometheus-annotations-validation/resources.json b/compliance/validations/istio/prometheus-annotations-validation/resources.json new file mode 100644 index 000000000..e50da5902 --- /dev/null +++ b/compliance/validations/istio/prometheus-annotations-validation/resources.json @@ -0,0 +1,25428 @@ +{ + "pods": [ + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "creationTimestamp": "2024-06-07T14:33:04Z", + "generateName": "metallb-controller-665d96757f-", + "labels": { + "app.kubernetes.io/component": "controller", + "app.kubernetes.io/instance": "metallb", + "app.kubernetes.io/name": "metallb", + "pod-template-hash": "665d96757f" + }, + "name": "metallb-controller-665d96757f-c4zbp", + "namespace": "uds-dev-stack", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "metallb-controller-665d96757f", + "uid": "3a41d478-929b-44df-a608-5a7fe1a2061e" + } + ], + "resourceVersion": "481", + "uid": "e740023f-2732-43fc-9e43-2da1b1dd23cf" + }, + "spec": { + "containers": [ + { + "args": [ + "--port=7472", + "--log-level=info", + "--tls-min-version=VersionTLS12" + ], + "env": [ + { + "name": "METALLB_ML_SECRET_NAME", + "value": "metallb-memberlist" + }, + { + "name": "METALLB_DEPLOYMENT", + "value": "metallb-controller" + }, + { + "name": "METALLB_BGP_TYPE", + "value": "frr" + } + ], + "image": "quay.io/metallb/controller:v0.14.5", + "imagePullPolicy": "IfNotPresent", + "livenessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/metrics", + "port": "monitoring", + "scheme": "HTTP" + }, + "initialDelaySeconds": 10, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "name": "controller", + "ports": [ + { + "containerPort": 7472, + "name": "monitoring", + "protocol": "TCP" + }, + { + "containerPort": 9443, + "name": "webhook-server", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/metrics", + "port": "monitoring", + "scheme": "HTTP" + }, + "initialDelaySeconds": 10, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "resources": {}, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "readOnlyRootFilesystem": true + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/tmp/k8s-webhook-server/serving-certs", + "name": "cert", + "readOnly": true + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-5t6md", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "nodeName": "k3d-uds-server-0", + "nodeSelector": { + "kubernetes.io/os": "linux" + }, + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "fsGroup": 65534, + "runAsNonRoot": true, + "runAsUser": 65534 + }, + "serviceAccount": "metallb-controller", + "serviceAccountName": "metallb-controller", + "terminationGracePeriodSeconds": 0, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "name": "cert", + "secret": { + "defaultMode": 420, + "secretName": "metallb-webhook-cert" + } + }, + { + "name": "kube-api-access-5t6md", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:33:04Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:33:24Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:33:24Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:33:04Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://08db9740afe6a09b0788cf25e61ccd86fde100ade543a17e053201310572095e", + "image": "quay.io/metallb/controller:v0.14.5", + "imageID": "quay.io/metallb/controller@sha256:3f776529447094c8d318baeb4f9efe024cf154859762ec3eefcd878b1fe8a01f", + "lastState": {}, + "name": "controller", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:33:07Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "phase": "Running", + "podIP": "10.42.0.3", + "podIPs": [ + { + "ip": "10.42.0.3" + } + ], + "qosClass": "BestEffort", + "startTime": "2024-06-07T14:33:04Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "creationTimestamp": "2024-06-07T14:33:04Z", + "generateName": "metallb-speaker-", + "labels": { + "app.kubernetes.io/component": "speaker", + "app.kubernetes.io/instance": "metallb", + "app.kubernetes.io/name": "metallb", + "controller-revision-hash": "6c7b58bfd7", + "pod-template-generation": "1" + }, + "name": "metallb-speaker-w768g", + "namespace": "uds-dev-stack", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "DaemonSet", + "name": "metallb-speaker", + "uid": "b879fca1-6a2f-45ce-a137-337089d7c368" + } + ], + "resourceVersion": "530", + "uid": "f0b25b25-81a5-4cb7-910e-8197958949c6" + }, + "spec": { + "affinity": { + "nodeAffinity": { + "requiredDuringSchedulingIgnoredDuringExecution": { + "nodeSelectorTerms": [ + { + "matchFields": [ + { + "key": "metadata.name", + "operator": "In", + "values": [ + "k3d-uds-server-0" + ] + } + ] + } + ] + } + } + }, + "containers": [ + { + "args": [ + "--port=7472", + "--log-level=info" + ], + "env": [ + { + "name": "METALLB_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "METALLB_HOST", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "METALLB_ML_BIND_ADDR", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "METALLB_ML_LABELS", + "value": "app.kubernetes.io/name=metallb,app.kubernetes.io/component=speaker" + }, + { + "name": "METALLB_ML_BIND_PORT", + "value": "7946" + }, + { + "name": "METALLB_ML_SECRET_KEY_PATH", + "value": "/etc/ml_secret_key" + }, + { + "name": "FRR_CONFIG_FILE", + "value": "/etc/frr_reloader/frr.conf" + }, + { + "name": "FRR_RELOADER_PID_FILE", + "value": "/etc/frr_reloader/reloader.pid" + }, + { + "name": "METALLB_BGP_TYPE", + "value": "frr" + } + ], + "image": "quay.io/metallb/speaker:v0.14.5", + "imagePullPolicy": "IfNotPresent", + "livenessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/metrics", + "port": "monitoring", + "scheme": "HTTP" + }, + "initialDelaySeconds": 10, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "name": "speaker", + "ports": [ + { + "containerPort": 7472, + "hostPort": 7472, + "name": "monitoring", + "protocol": "TCP" + }, + { + "containerPort": 7946, + "hostPort": 7946, + "name": "memberlist-tcp", + "protocol": "TCP" + }, + { + "containerPort": 7946, + "hostPort": 7946, + "name": "memberlist-udp", + "protocol": "UDP" + } + ], + "readinessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/metrics", + "port": "monitoring", + "scheme": "HTTP" + }, + "initialDelaySeconds": 10, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "resources": {}, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "readOnlyRootFilesystem": true + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/ml_secret_key", + "name": "memberlist" + }, + { + "mountPath": "/etc/frr_reloader", + "name": "reloader" + }, + { + "mountPath": "/etc/metallb", + "name": "metallb-excludel2" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-qm2q8", + "readOnly": true + } + ] + }, + { + "command": [ + "/bin/sh", + "-c", + "/sbin/tini -- /usr/lib/frr/docker-start \u0026\nattempts=0\nuntil [[ -f /etc/frr/frr.log || $attempts -eq 60 ]]; do\n sleep 1\n attempts=$(( $attempts + 1 ))\ndone\ntail -f /etc/frr/frr.log\n" + ], + "env": [ + { + "name": "TINI_SUBREAPER", + "value": "true" + } + ], + "image": "quay.io/frrouting/frr:9.0.2", + "imagePullPolicy": "IfNotPresent", + "livenessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "livez", + "port": 7473, + "scheme": "HTTP" + }, + "initialDelaySeconds": 10, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "name": "frr", + "resources": {}, + "securityContext": { + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW", + "SYS_ADMIN", + "NET_BIND_SERVICE" + ] + } + }, + "startupProbe": { + "failureThreshold": 30, + "httpGet": { + "path": "/livez", + "port": 7473, + "scheme": "HTTP" + }, + "periodSeconds": 5, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/frr", + "name": "frr-sockets" + }, + { + "mountPath": "/etc/frr", + "name": "frr-conf" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-qm2q8", + "readOnly": true + } + ] + }, + { + "command": [ + "/etc/frr_reloader/frr-reloader.sh" + ], + "image": "quay.io/frrouting/frr:9.0.2", + "imagePullPolicy": "IfNotPresent", + "name": "reloader", + "resources": {}, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/frr", + "name": "frr-sockets" + }, + { + "mountPath": "/etc/frr", + "name": "frr-conf" + }, + { + "mountPath": "/etc/frr_reloader", + "name": "reloader" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-qm2q8", + "readOnly": true + } + ] + }, + { + "args": [ + "--metrics-port=7473" + ], + "command": [ + "/etc/frr_metrics/frr-metrics" + ], + "image": "quay.io/frrouting/frr:9.0.2", + "imagePullPolicy": "IfNotPresent", + "name": "frr-metrics", + "ports": [ + { + "containerPort": 7473, + "hostPort": 7473, + "name": "monitoring", + "protocol": "TCP" + } + ], + "resources": {}, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/frr", + "name": "frr-sockets" + }, + { + "mountPath": "/etc/frr", + "name": "frr-conf" + }, + { + "mountPath": "/etc/frr_metrics", + "name": "metrics" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-qm2q8", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "hostNetwork": true, + "initContainers": [ + { + "command": [ + "/bin/sh", + "-c", + "cp -rLf /tmp/frr/* /etc/frr/" + ], + "image": "quay.io/frrouting/frr:9.0.2", + "imagePullPolicy": "IfNotPresent", + "name": "cp-frr-files", + "resources": {}, + "securityContext": { + "runAsGroup": 101, + "runAsUser": 100 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/tmp/frr", + "name": "frr-startup" + }, + { + "mountPath": "/etc/frr", + "name": "frr-conf" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-qm2q8", + "readOnly": true + } + ] + }, + { + "command": [ + "/bin/sh", + "-c", + "cp -f /frr-reloader.sh /etc/frr_reloader/" + ], + "image": "quay.io/metallb/speaker:v0.14.5", + "imagePullPolicy": "IfNotPresent", + "name": "cp-reloader", + "resources": {}, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/frr_reloader", + "name": "reloader" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-qm2q8", + "readOnly": true + } + ] + }, + { + "command": [ + "/bin/sh", + "-c", + "cp -f /frr-metrics /etc/frr_metrics/" + ], + "image": "quay.io/metallb/speaker:v0.14.5", + "imagePullPolicy": "IfNotPresent", + "name": "cp-metrics", + "resources": {}, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/frr_metrics", + "name": "metrics" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-qm2q8", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "nodeSelector": { + "kubernetes.io/os": "linux" + }, + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": {}, + "serviceAccount": "metallb-speaker", + "serviceAccountName": "metallb-speaker", + "shareProcessNamespace": true, + "terminationGracePeriodSeconds": 0, + "tolerations": [ + { + "effect": "NoSchedule", + "key": "node-role.kubernetes.io/master", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node-role.kubernetes.io/control-plane", + "operator": "Exists" + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists" + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/disk-pressure", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/memory-pressure", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/pid-pressure", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/unschedulable", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/network-unavailable", + "operator": "Exists" + } + ], + "volumes": [ + { + "name": "memberlist", + "secret": { + "defaultMode": 420, + "secretName": "metallb-memberlist" + } + }, + { + "configMap": { + "defaultMode": 256, + "name": "metallb-excludel2" + }, + "name": "metallb-excludel2" + }, + { + "emptyDir": {}, + "name": "frr-sockets" + }, + { + "configMap": { + "defaultMode": 420, + "name": "metallb-frr-startup" + }, + "name": "frr-startup" + }, + { + "emptyDir": {}, + "name": "frr-conf" + }, + { + "emptyDir": {}, + "name": "reloader" + }, + { + "emptyDir": {}, + "name": "metrics" + }, + { + "name": "kube-api-access-qm2q8", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:33:17Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:33:28Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:33:28Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:33:04Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://a4fcaa6986eea88b60934b08f03c1dc5c4d826fc033dc5cbe7f356992eca4242", + "image": "quay.io/frrouting/frr:9.0.2", + "imageID": "quay.io/frrouting/frr@sha256:086acb1278fe86118345f456a1fbfafb80c34d03f7bca9137da0729a1aee5e9c", + "lastState": {}, + "name": "frr", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:33:18Z" + } + } + }, + { + "containerID": "containerd://8407398896d1bcf0c628096b3912e48cde1e11dc3680ffa57924c6daec04ae85", + "image": "quay.io/frrouting/frr:9.0.2", + "imageID": "quay.io/frrouting/frr@sha256:086acb1278fe86118345f456a1fbfafb80c34d03f7bca9137da0729a1aee5e9c", + "lastState": {}, + "name": "frr-metrics", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:33:18Z" + } + } + }, + { + "containerID": "containerd://dc156a3e9ffa1c3782ab106f8c522dd7adcd19bb8d695cad2c1ec31ce9b10bba", + "image": "quay.io/frrouting/frr:9.0.2", + "imageID": "quay.io/frrouting/frr@sha256:086acb1278fe86118345f456a1fbfafb80c34d03f7bca9137da0729a1aee5e9c", + "lastState": {}, + "name": "reloader", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:33:18Z" + } + } + }, + { + "containerID": "containerd://bf432de657a6b004d9c8fdb5c720fa47b5c464c82bef28f2d5bee4e148081c06", + "image": "quay.io/metallb/speaker:v0.14.5", + "imageID": "quay.io/metallb/speaker@sha256:34e9cc2db6d83ca3ad4d92a6e2eadaf6b78be65621798e90827041749898acc0", + "lastState": {}, + "name": "speaker", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:33:18Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "initContainerStatuses": [ + { + "containerID": "containerd://c4d49eb82f8230b3c0dd686fd997dd443a8a5f468a10d184f80e6dfc87bb328a", + "image": "quay.io/frrouting/frr:9.0.2", + "imageID": "quay.io/frrouting/frr@sha256:086acb1278fe86118345f456a1fbfafb80c34d03f7bca9137da0729a1aee5e9c", + "lastState": {}, + "name": "cp-frr-files", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://c4d49eb82f8230b3c0dd686fd997dd443a8a5f468a10d184f80e6dfc87bb328a", + "exitCode": 0, + "finishedAt": "2024-06-07T14:33:12Z", + "reason": "Completed", + "startedAt": "2024-06-07T14:33:12Z" + } + } + }, + { + "containerID": "containerd://a3e7a06367976cd6d1422cb538b080051a347f777b266c56c359b733df3534a6", + "image": "quay.io/metallb/speaker:v0.14.5", + "imageID": "quay.io/metallb/speaker@sha256:34e9cc2db6d83ca3ad4d92a6e2eadaf6b78be65621798e90827041749898acc0", + "lastState": {}, + "name": "cp-reloader", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://a3e7a06367976cd6d1422cb538b080051a347f777b266c56c359b733df3534a6", + "exitCode": 0, + "finishedAt": "2024-06-07T14:33:16Z", + "reason": "Completed", + "startedAt": "2024-06-07T14:33:16Z" + } + } + }, + { + "containerID": "containerd://36e42d6bb3d9a9008283fd26ee4ef97cbad58d541a323a0f89b10f9b1589c131", + "image": "quay.io/metallb/speaker:v0.14.5", + "imageID": "quay.io/metallb/speaker@sha256:34e9cc2db6d83ca3ad4d92a6e2eadaf6b78be65621798e90827041749898acc0", + "lastState": {}, + "name": "cp-metrics", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://36e42d6bb3d9a9008283fd26ee4ef97cbad58d541a323a0f89b10f9b1589c131", + "exitCode": 0, + "finishedAt": "2024-06-07T14:33:17Z", + "reason": "Completed", + "startedAt": "2024-06-07T14:33:17Z" + } + } + } + ], + "phase": "Running", + "podIP": "172.19.0.3", + "podIPs": [ + { + "ip": "172.19.0.3" + } + ], + "qosClass": "BestEffort", + "startTime": "2024-06-07T14:33:04Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "creationTimestamp": "2024-06-07T14:33:26Z", + "generateName": "nginx-", + "labels": { + "controller-revision-hash": "796f655567", + "name": "nginx", + "pod-template-generation": "1", + "sidecar.istio.io/inject": "false" + }, + "name": "nginx-7x5gk", + "namespace": "uds-dev-stack", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "DaemonSet", + "name": "nginx", + "uid": "3355c296-e86c-45ff-8c40-dc211381667d" + } + ], + "resourceVersion": "543", + "uid": "4dbe8047-3902-49f7-9891-0ea680b055a3" + }, + "spec": { + "affinity": { + "nodeAffinity": { + "requiredDuringSchedulingIgnoredDuringExecution": { + "nodeSelectorTerms": [ + { + "matchFields": [ + { + "key": "metadata.name", + "operator": "In", + "values": [ + "k3d-uds-server-0" + ] + } + ] + } + ] + } + } + }, + "containers": [ + { + "command": [ + "nginx", + "-g", + "daemon off;" + ], + "image": "ghcr.io/defenseunicorns/oss/uds-k3d-nginx:alpine-1.25.3", + "imagePullPolicy": "IfNotPresent", + "name": "nginx", + "ports": [ + { + "containerPort": 80, + "hostPort": 80, + "protocol": "TCP" + }, + { + "containerPort": 443, + "hostPort": 443, + "protocol": "TCP" + } + ], + "resources": {}, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/nginx/nginx.conf", + "name": "config-volume", + "subPath": "nginx.conf" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-c2r2d", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": {}, + "serviceAccount": "default", + "serviceAccountName": "default", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists" + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/disk-pressure", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/memory-pressure", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/pid-pressure", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/unschedulable", + "operator": "Exists" + } + ], + "volumes": [ + { + "configMap": { + "defaultMode": 420, + "name": "nginx-config" + }, + "name": "config-volume" + }, + { + "name": "kube-api-access-c2r2d", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:33:26Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:33:30Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:33:30Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:33:26Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://028a3419e247aa5b5b2693982ee5b406eca570e24368a7bae6b40772ec846f59", + "image": "ghcr.io/defenseunicorns/oss/uds-k3d-nginx:alpine-1.25.3", + "imageID": "ghcr.io/defenseunicorns/oss/uds-k3d-nginx@sha256:a59278fd22a9d411121e190b8cec8aa57b306aa3332459197777583beb728f59", + "lastState": {}, + "name": "nginx", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:33:29Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "phase": "Running", + "podIP": "10.42.0.6", + "podIPs": [ + { + "ip": "10.42.0.6" + } + ], + "qosClass": "BestEffort", + "startTime": "2024-06-07T14:33:26Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "creationTimestamp": "2024-06-07T14:33:26Z", + "generateName": "local-path-provisioner-6d9d9b57c9-", + "labels": { + "app": "local-path-provisioner", + "pod-template-hash": "6d9d9b57c9" + }, + "name": "local-path-provisioner-6d9d9b57c9-sxjml", + "namespace": "uds-dev-stack", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "local-path-provisioner-6d9d9b57c9", + "uid": "b3198f06-8d33-4c0c-a046-9e8a7b60c4d1" + } + ], + "resourceVersion": "545", + "uid": "d9ef6be9-697f-486d-9a68-94c125eb76d6" + }, + "spec": { + "containers": [ + { + "command": [ + "local-path-provisioner", + "--debug", + "start", + "--config", + "/etc/config/config.json" + ], + "env": [ + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + } + ], + "image": "rancher/local-path-provisioner:v0.0.26", + "imagePullPolicy": "IfNotPresent", + "name": "local-path-provisioner", + "resources": {}, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/config/", + "name": "config-volume" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-v9kg6", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": {}, + "serviceAccount": "local-path-provisioner-service-account", + "serviceAccountName": "local-path-provisioner-service-account", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "configMap": { + "defaultMode": 420, + "name": "local-path-config" + }, + "name": "config-volume" + }, + { + "name": "kube-api-access-v9kg6", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:33:26Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:33:30Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:33:30Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:33:26Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://4d11a1ed56c82487ffc5f18d3eb5f53af22cad148f4a082801e7435d1fed378d", + "image": "docker.io/rancher/local-path-provisioner:v0.0.26", + "imageID": "docker.io/rancher/local-path-provisioner@sha256:aee53cadc62bd023911e7f077877d047c5b3c269f9bba25724d558654f43cea0", + "lastState": {}, + "name": "local-path-provisioner", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:33:29Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "phase": "Running", + "podIP": "10.42.0.5", + "podIPs": [ + { + "ip": "10.42.0.5" + } + ], + "qosClass": "BestEffort", + "startTime": "2024-06-07T14:33:26Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "creationTimestamp": "2024-06-07T14:33:26Z", + "generateName": "ensure-machine-id-", + "labels": { + "controller-revision-hash": "555967fc7b", + "name": "ensure-machine-id", + "pod-template-generation": "1" + }, + "name": "ensure-machine-id-df5h9", + "namespace": "uds-dev-stack", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "DaemonSet", + "name": "ensure-machine-id", + "uid": "03af65b4-778e-484a-98a9-ed00fb1109ce" + } + ], + "resourceVersion": "584", + "uid": "002c58a5-786d-41ff-acb4-1abab62bbd40" + }, + "spec": { + "affinity": { + "nodeAffinity": { + "requiredDuringSchedulingIgnoredDuringExecution": { + "nodeSelectorTerms": [ + { + "matchFields": [ + { + "key": "metadata.name", + "operator": "In", + "values": [ + "k3d-uds-server-0" + ] + } + ] + } + ] + } + } + }, + "containers": [ + { + "image": "registry.k8s.io/pause:3.9", + "imagePullPolicy": "IfNotPresent", + "name": "pause", + "resources": { + "limits": { + "cpu": "100m", + "memory": "50Mi" + }, + "requests": { + "cpu": "100m", + "memory": "50Mi" + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-j2rl4", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "hostPID": true, + "initContainers": [ + { + "args": [ + "echo \"B0D07F1F43F246409516ADBDCCC86FCE\" \u003e /mnt/host/etc/machine-id;" + ], + "command": [ + "/bin/sh", + "-c" + ], + "image": "cgr.dev/chainguard/wolfi-base:latest", + "imagePullPolicy": "Always", + "name": "generate-machine-id", + "resources": {}, + "securityContext": { + "privileged": true, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/mnt/host/etc", + "name": "machine-id" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-j2rl4", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": {}, + "serviceAccount": "default", + "serviceAccountName": "default", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists" + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/disk-pressure", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/memory-pressure", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/pid-pressure", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/unschedulable", + "operator": "Exists" + } + ], + "volumes": [ + { + "hostPath": { + "path": "/etc", + "type": "" + }, + "name": "machine-id" + }, + { + "name": "kube-api-access-j2rl4", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:33:30Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:33:32Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:33:32Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:33:26Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://d14b7ef126f21af0b85aef91ee06b04ecb9c383641a6819bcacf24cb0da4762f", + "image": "registry.k8s.io/pause:3.9", + "imageID": "registry.k8s.io/pause@sha256:7031c1b283388d2c2e09b57badb803c05ebed362dc88d84b480cc47f72a21097", + "lastState": {}, + "name": "pause", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:33:31Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "initContainerStatuses": [ + { + "containerID": "containerd://32c24b23288ec1f9e850f1f905a88969c275a3c2b43f0c87a0256bf7ab7970e4", + "image": "cgr.dev/chainguard/wolfi-base:latest", + "imageID": "cgr.dev/chainguard/wolfi-base@sha256:3eff851ab805966c768d2a8107545a96218426cee1e5cc805865505edbe6ce92", + "lastState": {}, + "name": "generate-machine-id", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://32c24b23288ec1f9e850f1f905a88969c275a3c2b43f0c87a0256bf7ab7970e4", + "exitCode": 0, + "finishedAt": "2024-06-07T14:33:29Z", + "reason": "Completed", + "startedAt": "2024-06-07T14:33:29Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.4", + "podIPs": [ + { + "ip": "10.42.0.4" + } + ], + "qosClass": "Burstable", + "startTime": "2024-06-07T14:33:26Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "checksum/config": "25ba5a36ee6bd1887b73590eee26c55e5673fbf1ef59d3f2e380255cea24fc78", + "checksum/secrets": "9dfc3e7275d6373dbf1aee60edc7c0db19fb00875cd3723b020c629dc646ba0c" + }, + "creationTimestamp": "2024-06-07T14:33:31Z", + "generateName": "minio-9f479d889-", + "labels": { + "app": "minio", + "pod-template-hash": "9f479d889", + "release": "minio" + }, + "name": "minio-9f479d889-79crp", + "namespace": "uds-dev-stack", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "minio-9f479d889", + "uid": "86fe59b2-087f-4990-9af8-43af36787cdf" + } + ], + "resourceVersion": "608", + "uid": "85ddc048-b51c-4719-a904-5ac2ffba2ac0" + }, + "spec": { + "containers": [ + { + "command": [ + "/bin/sh", + "-ce", + "/usr/bin/docker-entrypoint.sh minio server /export -S /etc/minio/certs/ --address :9000 --console-address :9001" + ], + "env": [ + { + "name": "MINIO_ROOT_USER", + "valueFrom": { + "secretKeyRef": { + "key": "rootUser", + "name": "minio" + } + } + }, + { + "name": "MINIO_ROOT_PASSWORD", + "valueFrom": { + "secretKeyRef": { + "key": "rootPassword", + "name": "minio" + } + } + }, + { + "name": "MINIO_PROMETHEUS_AUTH_TYPE", + "value": "public" + } + ], + "image": "quay.io/minio/minio:RELEASE.2024-04-18T19-09-19Z", + "imagePullPolicy": "IfNotPresent", + "name": "minio", + "ports": [ + { + "containerPort": 9000, + "name": "http", + "protocol": "TCP" + }, + { + "containerPort": 9001, + "name": "http-console", + "protocol": "TCP" + } + ], + "resources": { + "requests": { + "cpu": "150m", + "memory": "256Mi" + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/tmp/credentials", + "name": "minio-user", + "readOnly": true + }, + { + "mountPath": "/export", + "name": "export" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-4xhl7", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "fsGroup": 1000, + "fsGroupChangePolicy": "OnRootMismatch", + "runAsGroup": 1000, + "runAsUser": 1000 + }, + "serviceAccount": "minio-sa", + "serviceAccountName": "minio-sa", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "name": "export", + "persistentVolumeClaim": { + "claimName": "minio" + } + }, + { + "name": "minio-user", + "secret": { + "defaultMode": 420, + "secretName": "minio" + } + }, + { + "name": "kube-api-access-4xhl7", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:33:35Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:33:39Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:33:39Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:33:35Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://7fb60fb93818d05af7391888524a93b66ef610b3765ad5936c89a4f8f2f3c7be", + "image": "quay.io/minio/minio:RELEASE.2024-04-18T19-09-19Z", + "imageID": "quay.io/minio/minio@sha256:036a068d7d6b69400da6bc07a480bee1e241ef3c341c41d988ed11f520f85124", + "lastState": {}, + "name": "minio", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:33:38Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "phase": "Running", + "podIP": "10.42.0.8", + "podIPs": [ + { + "ip": "10.42.0.8" + } + ], + "qosClass": "Burstable", + "startTime": "2024-06-07T14:33:35Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "kubectl.kubernetes.io/restartedAt": "2024-06-07T10:33:46-04:00" + }, + "creationTimestamp": "2024-06-07T14:33:46Z", + "generateName": "coredns-c7b7755fc-", + "labels": { + "k8s-app": "kube-dns", + "pod-template-hash": "c7b7755fc" + }, + "name": "coredns-c7b7755fc-brsr4", + "namespace": "kube-system", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "coredns-c7b7755fc", + "uid": "191bb204-9378-4221-bacd-9cab0aa1d834" + } + ], + "resourceVersion": "685", + "uid": "9e2faf64-250f-4b40-806f-c84e9429763b" + }, + "spec": { + "containers": [ + { + "args": [ + "-conf", + "/etc/coredns/Corefile" + ], + "image": "rancher/mirrored-coredns-coredns:1.10.1", + "imagePullPolicy": "IfNotPresent", + "livenessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/health", + "port": 8080, + "scheme": "HTTP" + }, + "initialDelaySeconds": 60, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "name": "coredns", + "ports": [ + { + "containerPort": 53, + "name": "dns", + "protocol": "UDP" + }, + { + "containerPort": 53, + "name": "dns-tcp", + "protocol": "TCP" + }, + { + "containerPort": 9153, + "name": "metrics", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/ready", + "port": 8181, + "scheme": "HTTP" + }, + "periodSeconds": 2, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "resources": { + "limits": { + "memory": "170Mi" + }, + "requests": { + "cpu": "100m", + "memory": "70Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_BIND_SERVICE" + ], + "drop": [ + "all" + ] + }, + "readOnlyRootFilesystem": true + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/coredns", + "name": "config-volume", + "readOnly": true + }, + { + "mountPath": "/etc/coredns/custom", + "name": "custom-config-volume", + "readOnly": true + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-lmgf5", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "Default", + "enableServiceLinks": true, + "nodeName": "k3d-uds-server-0", + "nodeSelector": { + "kubernetes.io/os": "linux" + }, + "preemptionPolicy": "PreemptLowerPriority", + "priority": 2000000000, + "priorityClassName": "system-cluster-critical", + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": {}, + "serviceAccount": "coredns", + "serviceAccountName": "coredns", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "key": "CriticalAddonsOnly", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node-role.kubernetes.io/control-plane", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node-role.kubernetes.io/master", + "operator": "Exists" + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "topologySpreadConstraints": [ + { + "labelSelector": { + "matchLabels": { + "k8s-app": "kube-dns" + } + }, + "maxSkew": 1, + "topologyKey": "kubernetes.io/hostname", + "whenUnsatisfiable": "DoNotSchedule" + } + ], + "volumes": [ + { + "configMap": { + "defaultMode": 420, + "items": [ + { + "key": "Corefile", + "path": "Corefile" + }, + { + "key": "NodeHosts", + "path": "NodeHosts" + } + ], + "name": "coredns" + }, + "name": "config-volume" + }, + { + "configMap": { + "defaultMode": 420, + "name": "coredns-custom", + "optional": true + }, + "name": "custom-config-volume" + }, + { + "name": "kube-api-access-lmgf5", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:33:46Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:33:47Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:33:47Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:33:46Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://cd5aa584f79006e655641cd4f6c724cb161d759d106861700c23bd3f23fc628a", + "image": "docker.io/rancher/mirrored-coredns-coredns:1.10.1", + "imageID": "docker.io/rancher/mirrored-coredns-coredns@sha256:a11fafae1f8037cbbd66c5afa40ba2423936b72b4fd50a7034a7e8b955163594", + "lastState": {}, + "name": "coredns", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:33:46Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "phase": "Running", + "podIP": "10.42.0.10", + "podIPs": [ + { + "ip": "10.42.0.10" + } + ], + "qosClass": "Burstable", + "startTime": "2024-06-07T14:33:46Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "checksum/secret": "ebbd974057077dd4d2977c2e448b94c77c696bf3491d474c2483511093e5e992" + }, + "creationTimestamp": "2024-06-07T14:34:14Z", + "generateName": "zarf-docker-registry-7dc948f55b-", + "labels": { + "app": "docker-registry", + "pod-template-hash": "7dc948f55b", + "release": "zarf-docker-registry", + "zarf.dev/agent": "ignore" + }, + "name": "zarf-docker-registry-7dc948f55b-n4hpx", + "namespace": "zarf", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "zarf-docker-registry-7dc948f55b", + "uid": "f6ac21e6-98d4-49b9-9fe7-8c6376954d90" + } + ], + "resourceVersion": "841", + "uid": "1f775090-2171-41ae-ae78-42c25c1c086e" + }, + "spec": { + "affinity": { + "podAffinity": { + "preferredDuringSchedulingIgnoredDuringExecution": [ + { + "podAffinityTerm": { + "labelSelector": { + "matchExpressions": [ + { + "key": "app", + "operator": "In", + "values": [ + "docker-registry" + ] + } + ] + }, + "topologyKey": "kubernetes.io/hostname" + }, + "weight": 100 + } + ] + } + }, + "containers": [ + { + "command": [ + "/bin/registry", + "serve", + "/etc/docker/registry/config.yml" + ], + "env": [ + { + "name": "REGISTRY_AUTH", + "value": "htpasswd" + }, + { + "name": "REGISTRY_AUTH_HTPASSWD_REALM", + "value": "Registry Realm" + }, + { + "name": "REGISTRY_AUTH_HTPASSWD_PATH", + "value": "/etc/docker/registry/htpasswd" + }, + { + "name": "REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY", + "value": "/var/lib/registry" + }, + { + "name": "REGISTRY_STORAGE_DELETE_ENABLED", + "value": "true" + } + ], + "image": "127.0.0.1:31999/library/registry:2.8.3", + "imagePullPolicy": "IfNotPresent", + "livenessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/", + "port": 5000, + "scheme": "HTTP" + }, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "name": "docker-registry", + "ports": [ + { + "containerPort": 5000, + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/", + "port": 5000, + "scheme": "HTTP" + }, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "resources": { + "limits": { + "cpu": "3", + "memory": "2Gi" + }, + "requests": { + "cpu": "100m", + "memory": "256Mi" + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/lib/registry/", + "name": "data" + }, + { + "mountPath": "/etc/docker/registry", + "name": "config" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-5mtk7", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 2000001000, + "priorityClassName": "system-node-critical", + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "fsGroup": 1000, + "runAsUser": 1000 + }, + "serviceAccount": "default", + "serviceAccountName": "default", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "name": "config", + "secret": { + "defaultMode": 420, + "items": [ + { + "key": "configData", + "path": "config.yml" + }, + { + "key": "htpasswd", + "path": "htpasswd" + } + ], + "secretName": "zarf-docker-registry-secret" + } + }, + { + "name": "data", + "persistentVolumeClaim": { + "claimName": "zarf-docker-registry" + } + }, + { + "name": "kube-api-access-5mtk7", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:34:14Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:34:15Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:34:15Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:34:14Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://f562cd15f5f447c467ee157d139a1f5dce710856856ddd4e53437a966d781620", + "image": "127.0.0.1:31999/library/registry:2.8.3", + "imageID": "127.0.0.1:31999/library/registry@sha256:53ee3286cf0400c2ec957e31594c77439ec959e26ca00c8264c5ce521f7859ac", + "lastState": {}, + "name": "docker-registry", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:34:15Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "phase": "Running", + "podIP": "10.42.0.14", + "podIPs": [ + { + "ip": "10.42.0.14" + } + ], + "qosClass": "Burstable", + "startTime": "2024-06-07T14:34:14Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "creationTimestamp": "2024-06-07T14:34:19Z", + "generateName": "agent-hook-fd5f6b7fd-", + "labels": { + "app": "agent-hook", + "pod-template-hash": "fd5f6b7fd", + "zarf.dev/agent": "ignore" + }, + "name": "agent-hook-fd5f6b7fd-mtvhh", + "namespace": "zarf", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "agent-hook-fd5f6b7fd", + "uid": "94e69251-8d88-4f9c-8c33-a3fd90fb4696" + } + ], + "resourceVersion": "914", + "uid": "3ede9ea5-a576-4c01-ad3c-ce836132369f" + }, + "spec": { + "containers": [ + { + "image": "127.0.0.1:31999/defenseunicorns/zarf/agent:v0.34.0", + "imagePullPolicy": "IfNotPresent", + "livenessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/healthz", + "port": 8443, + "scheme": "HTTPS" + }, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "name": "server", + "ports": [ + { + "containerPort": 8443, + "protocol": "TCP" + } + ], + "resources": { + "limits": { + "cpu": "500m", + "memory": "128Mi" + }, + "requests": { + "cpu": "100m", + "memory": "32Mi" + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/certs", + "name": "tls-certs", + "readOnly": true + }, + { + "mountPath": "/.config", + "name": "config" + }, + { + "mountPath": "/etc/xdg", + "name": "xdg" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-vnl6m", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 2000001000, + "priorityClassName": "system-node-critical", + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": {}, + "serviceAccount": "zarf", + "serviceAccountName": "zarf", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "name": "tls-certs", + "secret": { + "defaultMode": 420, + "secretName": "agent-hook-tls" + } + }, + { + "emptyDir": {}, + "name": "config" + }, + { + "emptyDir": {}, + "name": "xdg" + }, + { + "name": "kube-api-access-vnl6m", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:34:19Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:34:21Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:34:21Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:34:19Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://8cddd8d76762dc47dd960f1fb3a06387316623cfed5b83b33d66c6dca78cc375", + "image": "127.0.0.1:31999/defenseunicorns/zarf/agent:v0.34.0", + "imageID": "127.0.0.1:31999/defenseunicorns/zarf/agent@sha256:f326633a23b6ecaf74ba7f4f115c24e47e78b7564116d40da978b2deb0840063", + "lastState": {}, + "name": "server", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:34:20Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "phase": "Running", + "podIP": "10.42.0.16", + "podIPs": [ + { + "ip": "10.42.0.16" + } + ], + "qosClass": "Burstable", + "startTime": "2024-06-07T14:34:19Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "creationTimestamp": "2024-06-07T14:34:19Z", + "generateName": "agent-hook-fd5f6b7fd-", + "labels": { + "app": "agent-hook", + "pod-template-hash": "fd5f6b7fd", + "zarf.dev/agent": "ignore" + }, + "name": "agent-hook-fd5f6b7fd-m9jnz", + "namespace": "zarf", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "agent-hook-fd5f6b7fd", + "uid": "94e69251-8d88-4f9c-8c33-a3fd90fb4696" + } + ], + "resourceVersion": "918", + "uid": "986f6460-eced-4b5d-a6fd-027720d12a79" + }, + "spec": { + "containers": [ + { + "image": "127.0.0.1:31999/defenseunicorns/zarf/agent:v0.34.0", + "imagePullPolicy": "IfNotPresent", + "livenessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/healthz", + "port": 8443, + "scheme": "HTTPS" + }, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "name": "server", + "ports": [ + { + "containerPort": 8443, + "protocol": "TCP" + } + ], + "resources": { + "limits": { + "cpu": "500m", + "memory": "128Mi" + }, + "requests": { + "cpu": "100m", + "memory": "32Mi" + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/certs", + "name": "tls-certs", + "readOnly": true + }, + { + "mountPath": "/.config", + "name": "config" + }, + { + "mountPath": "/etc/xdg", + "name": "xdg" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-qnxt2", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 2000001000, + "priorityClassName": "system-node-critical", + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": {}, + "serviceAccount": "zarf", + "serviceAccountName": "zarf", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "name": "tls-certs", + "secret": { + "defaultMode": 420, + "secretName": "agent-hook-tls" + } + }, + { + "emptyDir": {}, + "name": "config" + }, + { + "emptyDir": {}, + "name": "xdg" + }, + { + "name": "kube-api-access-qnxt2", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:34:19Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:34:21Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:34:21Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:34:19Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://2bf73e9bfba5d66e92bbc74eb399f1edffa21d83d8b5733d5000dc4cf1748169", + "image": "127.0.0.1:31999/defenseunicorns/zarf/agent:v0.34.0", + "imageID": "127.0.0.1:31999/defenseunicorns/zarf/agent@sha256:f326633a23b6ecaf74ba7f4f115c24e47e78b7564116d40da978b2deb0840063", + "lastState": {}, + "name": "server", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:34:20Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "phase": "Running", + "podIP": "10.42.0.15", + "podIPs": [ + { + "ip": "10.42.0.15" + } + ], + "qosClass": "Burstable", + "startTime": "2024-06-07T14:34:19Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "prometheus.io/port": "15014", + "prometheus.io/scrape": "true", + "sidecar.istio.io/inject": "false" + }, + "creationTimestamp": "2024-06-07T14:35:55Z", + "generateName": "istiod-5d75444496-", + "labels": { + "app": "istiod", + "install.operator.istio.io/owning-resource": "unknown", + "istio": "pilot", + "istio.io/dataplane-mode": "none", + "istio.io/rev": "default", + "operator.istio.io/component": "Pilot", + "pod-template-hash": "5d75444496", + "sidecar.istio.io/inject": "false", + "zarf-agent": "patched" + }, + "name": "istiod-5d75444496-t85z7", + "namespace": "istio-system", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "istiod-5d75444496", + "uid": "88b31cbe-f985-49e4-b634-6432dd86b2f8" + } + ], + "resourceVersion": "1136", + "uid": "4d592fa4-18fa-46cd-b2df-f1a74f0c1507" + }, + "spec": { + "containers": [ + { + "args": [ + "discovery", + "--monitoringAddr=:15014", + "--log_output_level=default:info", + "--domain", + "cluster.local", + "--keepaliveMaxServerConnectionAge", + "30m" + ], + "env": [ + { + "name": "REVISION", + "value": "default" + }, + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "KUBECONFIG", + "value": "/var/run/secrets/remote/config" + }, + { + "name": "PILOT_TRACE_SAMPLING", + "value": "1" + }, + { + "name": "PILOT_ENABLE_ANALYSIS", + "value": "false" + }, + { + "name": "CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PLATFORM" + } + ], + "image": "127.0.0.1:31999/istio/pilot:1.22.1-distroless-zarf-4264239833", + "imagePullPolicy": "IfNotPresent", + "name": "discovery", + "ports": [ + { + "containerPort": 8080, + "protocol": "TCP" + }, + { + "containerPort": 15010, + "protocol": "TCP" + }, + { + "containerPort": 15017, + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/ready", + "port": 8080, + "scheme": "HTTP" + }, + "initialDelaySeconds": 1, + "periodSeconds": 3, + "successThreshold": 1, + "timeoutSeconds": 5 + }, + "resources": { + "requests": { + "cpu": "500m", + "memory": "2Gi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "readOnlyRootFilesystem": true, + "runAsNonRoot": true + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token", + "readOnly": true + }, + { + "mountPath": "/var/run/secrets/istio-dns", + "name": "local-certs" + }, + { + "mountPath": "/etc/cacerts", + "name": "cacerts", + "readOnly": true + }, + { + "mountPath": "/var/run/secrets/remote", + "name": "istio-kubeconfig", + "readOnly": true + }, + { + "mountPath": "/var/run/secrets/istiod/tls", + "name": "istio-csr-dns-cert", + "readOnly": true + }, + { + "mountPath": "/var/run/secrets/istiod/ca", + "name": "istio-csr-ca-configmap", + "readOnly": true + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-d9gkx", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": {}, + "serviceAccount": "istiod", + "serviceAccountName": "istiod", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "key": "cni.istio.io/not-ready", + "operator": "Exists" + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": { + "medium": "Memory" + }, + "name": "local-certs" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "name": "cacerts", + "secret": { + "defaultMode": 420, + "optional": true, + "secretName": "cacerts" + } + }, + { + "name": "istio-kubeconfig", + "secret": { + "defaultMode": 420, + "optional": true, + "secretName": "istio-kubeconfig" + } + }, + { + "name": "istio-csr-dns-cert", + "secret": { + "defaultMode": 420, + "optional": true, + "secretName": "istiod-tls" + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert", + "optional": true + }, + "name": "istio-csr-ca-configmap" + }, + { + "name": "kube-api-access-d9gkx", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:35:55Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:35:57Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:35:57Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:35:55Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://c6dab073a0e0c52d289f345b2528e4613895bd5ac971b31324e8bc681627671c", + "image": "127.0.0.1:31999/istio/pilot:1.22.1-distroless-zarf-4264239833", + "imageID": "127.0.0.1:31999/istio/pilot@sha256:6ee01043f85cb2818363c5a7a2bf2f9ec191f2dc3d5353f97cedfa6678b94068", + "lastState": {}, + "name": "discovery", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:35:56Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "phase": "Running", + "podIP": "10.42.0.17", + "podIPs": [ + { + "ip": "10.42.0.17" + } + ], + "qosClass": "Burstable", + "startTime": "2024-06-07T14:35:55Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "inject.istio.io/templates": "gateway", + "istio.io/rev": "default", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "proxy.istio.io/overrides": "{\"containers\":[{\"name\":\"istio-proxy\",\"ports\":[{\"name\":\"http-envoy-prom\",\"containerPort\":15090,\"protocol\":\"TCP\"}],\"resources\":{\"limits\":{\"cpu\":\"2\",\"memory\":\"1Gi\"},\"requests\":{\"cpu\":\"100m\",\"memory\":\"128Mi\"}},\"volumeMounts\":[{\"name\":\"kube-api-access-wzbh2\",\"readOnly\":true,\"mountPath\":\"/var/run/secrets/kubernetes.io/serviceaccount\"}],\"terminationMessagePath\":\"/dev/termination-log\",\"terminationMessagePolicy\":\"File\",\"imagePullPolicy\":\"Always\",\"securityContext\":{\"capabilities\":{\"drop\":[\"ALL\"]},\"privileged\":false,\"runAsUser\":1337,\"runAsGroup\":1337,\"runAsNonRoot\":true,\"readOnlyRootFilesystem\":true,\"allowPrivilegeEscalation\":false}}]}", + "sidecar.istio.io/inject": "true", + "sidecar.istio.io/status": "{\"initContainers\":null,\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}" + }, + "creationTimestamp": "2024-06-07T14:36:02Z", + "generateName": "admin-ingressgateway-65c568569f-", + "labels": { + "app": "admin-ingressgateway", + "istio": "admin-ingressgateway", + "pod-template-hash": "65c568569f", + "service.istio.io/canonical-name": "admin-ingressgateway", + "service.istio.io/canonical-revision": "latest", + "sidecar.istio.io/inject": "true", + "zarf-agent": "patched" + }, + "name": "admin-ingressgateway-65c568569f-wfqd2", + "namespace": "istio-admin-gateway", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "admin-ingressgateway-65c568569f", + "uid": "cc279224-2176-4244-a31b-9cec94764295" + } + ], + "resourceVersion": "1207", + "uid": "f9b9118d-b6f1-4fac-ba20-0bf60638041d" + }, + "spec": { + "containers": [ + { + "args": [ + "proxy", + "router", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"name\":\"http-envoy-prom\",\"containerPort\":15090,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_APP_CONTAINERS" + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "admin-ingressgateway" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/istio-admin-gateway/deployments/admin-ingressgateway" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + } + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "Always", + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-wzbh2", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "sysctls": [ + { + "name": "net.ipv4.ip_unprivileged_port_start", + "value": "0" + } + ] + }, + "serviceAccount": "admin-ingressgateway", + "serviceAccountName": "admin-ingressgateway", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "kube-api-access-wzbh2", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:36:02Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:36:05Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:36:05Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:36:02Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://63b925a8e3ccd6439ad7bcb4ed945b66f168ccbf8ad0b2c985f5da3792755cff", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:36:05Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "phase": "Running", + "podIP": "10.42.0.18", + "podIPs": [ + { + "ip": "10.42.0.18" + } + ], + "qosClass": "Burstable", + "startTime": "2024-06-07T14:36:02Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "inject.istio.io/templates": "gateway", + "istio.io/rev": "default", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "proxy.istio.io/overrides": "{\"containers\":[{\"name\":\"istio-proxy\",\"ports\":[{\"name\":\"http-envoy-prom\",\"containerPort\":15090,\"protocol\":\"TCP\"}],\"resources\":{\"limits\":{\"cpu\":\"2\",\"memory\":\"1Gi\"},\"requests\":{\"cpu\":\"100m\",\"memory\":\"128Mi\"}},\"volumeMounts\":[{\"name\":\"kube-api-access-78bfd\",\"readOnly\":true,\"mountPath\":\"/var/run/secrets/kubernetes.io/serviceaccount\"}],\"terminationMessagePath\":\"/dev/termination-log\",\"terminationMessagePolicy\":\"File\",\"imagePullPolicy\":\"Always\",\"securityContext\":{\"capabilities\":{\"drop\":[\"ALL\"]},\"privileged\":false,\"runAsUser\":1337,\"runAsGroup\":1337,\"runAsNonRoot\":true,\"readOnlyRootFilesystem\":true,\"allowPrivilegeEscalation\":false}}]}", + "sidecar.istio.io/inject": "true", + "sidecar.istio.io/status": "{\"initContainers\":null,\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}" + }, + "creationTimestamp": "2024-06-07T14:36:08Z", + "generateName": "tenant-ingressgateway-79d5d77d67-", + "labels": { + "app": "tenant-ingressgateway", + "istio": "tenant-ingressgateway", + "pod-template-hash": "79d5d77d67", + "service.istio.io/canonical-name": "tenant-ingressgateway", + "service.istio.io/canonical-revision": "latest", + "sidecar.istio.io/inject": "true", + "zarf-agent": "patched" + }, + "name": "tenant-ingressgateway-79d5d77d67-j9m2x", + "namespace": "istio-tenant-gateway", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "tenant-ingressgateway-79d5d77d67", + "uid": "db714c67-44f2-4df3-b86b-81568c3b036e" + } + ], + "resourceVersion": "1261", + "uid": "b5dacd2c-6548-41b4-a176-c10cc4c9c3ae" + }, + "spec": { + "containers": [ + { + "args": [ + "proxy", + "router", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"name\":\"http-envoy-prom\",\"containerPort\":15090,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_APP_CONTAINERS" + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "tenant-ingressgateway" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/istio-tenant-gateway/deployments/tenant-ingressgateway" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + } + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "Always", + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-78bfd", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "sysctls": [ + { + "name": "net.ipv4.ip_unprivileged_port_start", + "value": "0" + } + ] + }, + "serviceAccount": "tenant-ingressgateway", + "serviceAccountName": "tenant-ingressgateway", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "kube-api-access-78bfd", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:36:08Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:36:09Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:36:09Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:36:08Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://48317375bcb597f850cc3ae14d3f7c3d6b5d3695669388c87d433c6445812be0", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:36:09Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "phase": "Running", + "podIP": "10.42.0.19", + "podIPs": [ + { + "ip": "10.42.0.19" + } + ], + "qosClass": "Burstable", + "startTime": "2024-06-07T14:36:08Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "inject.istio.io/templates": "gateway", + "istio.io/rev": "default", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "proxy.istio.io/overrides": "{\"containers\":[{\"name\":\"istio-proxy\",\"ports\":[{\"name\":\"http-envoy-prom\",\"containerPort\":15090,\"protocol\":\"TCP\"}],\"resources\":{\"limits\":{\"cpu\":\"2\",\"memory\":\"1Gi\"},\"requests\":{\"cpu\":\"100m\",\"memory\":\"128Mi\"}},\"volumeMounts\":[{\"name\":\"kube-api-access-8qtkj\",\"readOnly\":true,\"mountPath\":\"/var/run/secrets/kubernetes.io/serviceaccount\"}],\"terminationMessagePath\":\"/dev/termination-log\",\"terminationMessagePolicy\":\"File\",\"imagePullPolicy\":\"Always\",\"securityContext\":{\"capabilities\":{\"drop\":[\"ALL\"]},\"privileged\":false,\"runAsUser\":1337,\"runAsGroup\":1337,\"runAsNonRoot\":true,\"readOnlyRootFilesystem\":true,\"allowPrivilegeEscalation\":false}}]}", + "sidecar.istio.io/inject": "true", + "sidecar.istio.io/status": "{\"initContainers\":null,\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}" + }, + "creationTimestamp": "2024-06-07T14:36:12Z", + "generateName": "passthrough-ingressgateway-77f78c89b5-", + "labels": { + "app": "passthrough-ingressgateway", + "istio": "passthrough-ingressgateway", + "pod-template-hash": "77f78c89b5", + "service.istio.io/canonical-name": "passthrough-ingressgateway", + "service.istio.io/canonical-revision": "latest", + "sidecar.istio.io/inject": "true", + "zarf-agent": "patched" + }, + "name": "passthrough-ingressgateway-77f78c89b5-rt6c7", + "namespace": "istio-passthrough-gateway", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "passthrough-ingressgateway-77f78c89b5", + "uid": "de9c5861-af93-40d7-9e91-c3460186cbb0" + } + ], + "resourceVersion": "1322", + "uid": "4de86155-37d2-40ee-b162-5e55980f6168" + }, + "spec": { + "containers": [ + { + "args": [ + "proxy", + "router", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"name\":\"http-envoy-prom\",\"containerPort\":15090,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_APP_CONTAINERS" + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "passthrough-ingressgateway" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/istio-passthrough-gateway/deployments/passthrough-ingressgateway" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + } + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "Always", + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-8qtkj", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "sysctls": [ + { + "name": "net.ipv4.ip_unprivileged_port_start", + "value": "0" + } + ] + }, + "serviceAccount": "passthrough-ingressgateway", + "serviceAccountName": "passthrough-ingressgateway", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "kube-api-access-8qtkj", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:36:12Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:36:13Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:36:13Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:36:12Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://e206625af18cbc0abf79da22cee66dcb995356e62bc47fb6c940541b84f6a63b", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:36:13Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "phase": "Running", + "podIP": "10.42.0.20", + "podIPs": [ + { + "ip": "10.42.0.20" + } + ], + "qosClass": "Burstable", + "startTime": "2024-06-07T14:36:12Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "buildTimestamp": "1717701911533", + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "server", + "kubectl.kubernetes.io/default-logs-container": "server", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}" + }, + "creationTimestamp": "2024-06-07T14:36:17Z", + "generateName": "pepr-uds-core-7fbff558dc-", + "labels": { + "app": "pepr-uds-core", + "pepr.dev/controller": "admission", + "pod-template-hash": "7fbff558dc", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "pepr-uds-core", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": "pepr-uds-core-7fbff558dc-tq2p7", + "namespace": "pepr-system", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "pepr-uds-core-7fbff558dc", + "uid": "4b37bd01-3881-4f93-a050-26d4a39699b4" + } + ], + "resourceVersion": "1481", + "uid": "953e1f27-cf16-4a8f-86dc-8629870f18ce" + }, + "spec": { + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"containerPort\":3000,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "server" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "pepr-uds-core" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/pepr-system/deployments/pepr-uds-core" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + }, + { + "name": "ISTIO_KUBE_APP_PROBERS", + "value": "{\"/app-health/server/livez\":{\"httpGet\":{\"path\":\"/healthz\",\"port\":3000,\"scheme\":\"HTTPS\"},\"timeoutSeconds\":1},\"/app-health/server/readyz\":{\"httpGet\":{\"path\":\"/healthz\",\"port\":3000,\"scheme\":\"HTTPS\"},\"timeoutSeconds\":1}}" + } + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-m7wwh", + "readOnly": true + } + ] + }, + { + "command": [ + "node", + "/app/node_modules/pepr/dist/controller.js", + "37b63af8e3363f0cbaf741d871cec5371c02cd285632b085a9aca57c6955f9ad" + ], + "env": [ + { + "name": "PEPR_WATCH_MODE", + "value": "false" + }, + { + "name": "PEPR_PRETTY_LOG", + "value": "false" + }, + { + "name": "LOG_LEVEL", + "value": "debug" + }, + { + "name": "UDS_DOMAIN", + "value": "uds.dev" + }, + { + "name": "UDS_ALLOW_ALL_NS_EXEMPTIONS", + "value": "###ZARF_VAR_ALLOW_ALL_NS_EXEMPTIONS###" + }, + { + "name": "UDS_SINGLE_TEST", + "value": "###ZARF_VAR_UDS_SINGLE_TEST###" + } + ], + "image": "127.0.0.1:31999/defenseunicorns/pepr/controller:v0.31.1-zarf-804409620", + "imagePullPolicy": "IfNotPresent", + "livenessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/app-health/server/livez", + "port": 15020, + "scheme": "HTTP" + }, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "name": "server", + "ports": [ + { + "containerPort": 3000, + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/app-health/server/readyz", + "port": 15020, + "scheme": "HTTP" + }, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "resources": { + "limits": { + "cpu": "500m", + "memory": "256Mi" + }, + "requests": { + "cpu": "100m", + "memory": "64Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "runAsGroup": 65532, + "runAsNonRoot": true, + "runAsUser": 65532 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/certs", + "name": "tls-certs", + "readOnly": true + }, + { + "mountPath": "/app/api-token", + "name": "api-token", + "readOnly": true + }, + { + "mountPath": "/app/load", + "name": "module", + "readOnly": true + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-m7wwh", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-m7wwh", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 2000001000, + "priorityClassName": "system-node-critical", + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "fsGroup": 65532, + "runAsGroup": 65532, + "runAsNonRoot": true, + "runAsUser": 65532 + }, + "serviceAccount": "pepr-uds-core", + "serviceAccountName": "pepr-uds-core", + "terminationGracePeriodSeconds": 5, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "tls-certs", + "secret": { + "defaultMode": 420, + "secretName": "pepr-uds-core-tls" + } + }, + { + "name": "api-token", + "secret": { + "defaultMode": 420, + "secretName": "pepr-uds-core-api-token" + } + }, + { + "name": "module", + "secret": { + "defaultMode": 420, + "secretName": "pepr-uds-core-module" + } + }, + { + "name": "kube-api-access-m7wwh", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:36:18Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:36:27Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:36:27Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:36:17Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://9a0e0bcb70b99980e5169fffe5d9d7f1d5a951f0854657f0f839a30fcd1b3b40", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:36:19Z" + } + } + }, + { + "containerID": "containerd://7cb57a3d0fca3d0cb26e8c1aa3dd514a533b50c84147e63b890a2f604d82940b", + "image": "127.0.0.1:31999/defenseunicorns/pepr/controller:v0.31.1-zarf-804409620", + "imageID": "127.0.0.1:31999/defenseunicorns/pepr/controller@sha256:3e21ce610d2ca67e31154a7d3f3afbe641f0b1fdd9616ad854fc34fb9bce8507", + "lastState": {}, + "name": "server", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:36:21Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "initContainerStatuses": [ + { + "containerID": "containerd://854c7cc3006ab176f0a6a48cf04f4fd44a229d7f21a7c3e860c5c0afa5c5bef9", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://854c7cc3006ab176f0a6a48cf04f4fd44a229d7f21a7c3e860c5c0afa5c5bef9", + "exitCode": 0, + "finishedAt": "2024-06-07T14:36:17Z", + "reason": "Completed", + "startedAt": "2024-06-07T14:36:17Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.22", + "podIPs": [ + { + "ip": "10.42.0.22" + } + ], + "qosClass": "Burstable", + "startTime": "2024-06-07T14:36:17Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "buildTimestamp": "1717701911533", + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "watcher", + "kubectl.kubernetes.io/default-logs-container": "watcher", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}" + }, + "creationTimestamp": "2024-06-07T14:36:17Z", + "generateName": "pepr-uds-core-watcher-79c68864c4-", + "labels": { + "app": "pepr-uds-core-watcher", + "pepr.dev/controller": "watcher", + "pod-template-hash": "79c68864c4", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "pepr-uds-core-watcher", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": "pepr-uds-core-watcher-79c68864c4-xhbm7", + "namespace": "pepr-system", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "pepr-uds-core-watcher-79c68864c4", + "uid": "10d3f35e-1c57-45d0-bca6-92456b1d7455" + } + ], + "resourceVersion": "1485", + "uid": "c060c7d4-07c5-444c-a85d-edc84b2f3ffe" + }, + "spec": { + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"containerPort\":3000,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "watcher" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "pepr-uds-core-watcher" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/pepr-system/deployments/pepr-uds-core-watcher" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + }, + { + "name": "ISTIO_KUBE_APP_PROBERS", + "value": "{\"/app-health/watcher/livez\":{\"httpGet\":{\"path\":\"/healthz\",\"port\":3000,\"scheme\":\"HTTPS\"},\"timeoutSeconds\":1},\"/app-health/watcher/readyz\":{\"httpGet\":{\"path\":\"/healthz\",\"port\":3000,\"scheme\":\"HTTPS\"},\"timeoutSeconds\":1}}" + } + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-65jv4", + "readOnly": true + } + ] + }, + { + "command": [ + "node", + "/app/node_modules/pepr/dist/controller.js", + "37b63af8e3363f0cbaf741d871cec5371c02cd285632b085a9aca57c6955f9ad" + ], + "env": [ + { + "name": "PEPR_WATCH_MODE", + "value": "true" + }, + { + "name": "PEPR_PRETTY_LOG", + "value": "false" + }, + { + "name": "LOG_LEVEL", + "value": "debug" + }, + { + "name": "UDS_DOMAIN", + "value": "uds.dev" + }, + { + "name": "UDS_ALLOW_ALL_NS_EXEMPTIONS", + "value": "###ZARF_VAR_ALLOW_ALL_NS_EXEMPTIONS###" + }, + { + "name": "UDS_SINGLE_TEST", + "value": "###ZARF_VAR_UDS_SINGLE_TEST###" + } + ], + "image": "127.0.0.1:31999/defenseunicorns/pepr/controller:v0.31.1-zarf-804409620", + "imagePullPolicy": "IfNotPresent", + "livenessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/app-health/watcher/livez", + "port": 15020, + "scheme": "HTTP" + }, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "name": "watcher", + "ports": [ + { + "containerPort": 3000, + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/app-health/watcher/readyz", + "port": 15020, + "scheme": "HTTP" + }, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "resources": { + "limits": { + "cpu": "500m", + "memory": "256Mi" + }, + "requests": { + "cpu": "100m", + "memory": "64Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "runAsGroup": 65532, + "runAsNonRoot": true, + "runAsUser": 65532 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/certs", + "name": "tls-certs", + "readOnly": true + }, + { + "mountPath": "/app/load", + "name": "module", + "readOnly": true + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-65jv4", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-65jv4", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "fsGroup": 65532, + "runAsGroup": 65532, + "runAsNonRoot": true, + "runAsUser": 65532 + }, + "serviceAccount": "pepr-uds-core", + "serviceAccountName": "pepr-uds-core", + "terminationGracePeriodSeconds": 5, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "tls-certs", + "secret": { + "defaultMode": 420, + "secretName": "pepr-uds-core-tls" + } + }, + { + "name": "module", + "secret": { + "defaultMode": 420, + "secretName": "pepr-uds-core-module" + } + }, + { + "name": "kube-api-access-65jv4", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:36:18Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:36:27Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:36:27Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:36:17Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://acc85506cb258f16a813e4af7efaa3a11ed88415951477118f40740835e78d21", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:36:19Z" + } + } + }, + { + "containerID": "containerd://0a48365f908b95ba85b41024755e658282379c6fbbe4fd2b733c7d67d584104c", + "image": "127.0.0.1:31999/defenseunicorns/pepr/controller:v0.31.1-zarf-804409620", + "imageID": "127.0.0.1:31999/defenseunicorns/pepr/controller@sha256:3e21ce610d2ca67e31154a7d3f3afbe641f0b1fdd9616ad854fc34fb9bce8507", + "lastState": {}, + "name": "watcher", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:36:21Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "initContainerStatuses": [ + { + "containerID": "containerd://9e37e9537e6bbb8fa43ff44c3b4a389367aff2fd33aa0992bfe5a08dcdeccd80", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://9e37e9537e6bbb8fa43ff44c3b4a389367aff2fd33aa0992bfe5a08dcdeccd80", + "exitCode": 0, + "finishedAt": "2024-06-07T14:36:18Z", + "reason": "Completed", + "startedAt": "2024-06-07T14:36:18Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.23", + "podIPs": [ + { + "ip": "10.42.0.23" + } + ], + "qosClass": "Burstable", + "startTime": "2024-06-07T14:36:17Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "buildTimestamp": "1717701911533", + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "server", + "kubectl.kubernetes.io/default-logs-container": "server", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}" + }, + "creationTimestamp": "2024-06-07T14:36:17Z", + "generateName": "pepr-uds-core-7fbff558dc-", + "labels": { + "app": "pepr-uds-core", + "pepr.dev/controller": "admission", + "pod-template-hash": "7fbff558dc", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "pepr-uds-core", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": "pepr-uds-core-7fbff558dc-2222r", + "namespace": "pepr-system", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "pepr-uds-core-7fbff558dc", + "uid": "4b37bd01-3881-4f93-a050-26d4a39699b4" + } + ], + "resourceVersion": "1491", + "uid": "e4b36744-977b-4c37-b7c6-20822f309a5b" + }, + "spec": { + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"containerPort\":3000,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "server" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "pepr-uds-core" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/pepr-system/deployments/pepr-uds-core" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + }, + { + "name": "ISTIO_KUBE_APP_PROBERS", + "value": "{\"/app-health/server/livez\":{\"httpGet\":{\"path\":\"/healthz\",\"port\":3000,\"scheme\":\"HTTPS\"},\"timeoutSeconds\":1},\"/app-health/server/readyz\":{\"httpGet\":{\"path\":\"/healthz\",\"port\":3000,\"scheme\":\"HTTPS\"},\"timeoutSeconds\":1}}" + } + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-whp7d", + "readOnly": true + } + ] + }, + { + "command": [ + "node", + "/app/node_modules/pepr/dist/controller.js", + "37b63af8e3363f0cbaf741d871cec5371c02cd285632b085a9aca57c6955f9ad" + ], + "env": [ + { + "name": "PEPR_WATCH_MODE", + "value": "false" + }, + { + "name": "PEPR_PRETTY_LOG", + "value": "false" + }, + { + "name": "LOG_LEVEL", + "value": "debug" + }, + { + "name": "UDS_DOMAIN", + "value": "uds.dev" + }, + { + "name": "UDS_ALLOW_ALL_NS_EXEMPTIONS", + "value": "###ZARF_VAR_ALLOW_ALL_NS_EXEMPTIONS###" + }, + { + "name": "UDS_SINGLE_TEST", + "value": "###ZARF_VAR_UDS_SINGLE_TEST###" + } + ], + "image": "127.0.0.1:31999/defenseunicorns/pepr/controller:v0.31.1-zarf-804409620", + "imagePullPolicy": "IfNotPresent", + "livenessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/app-health/server/livez", + "port": 15020, + "scheme": "HTTP" + }, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "name": "server", + "ports": [ + { + "containerPort": 3000, + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/app-health/server/readyz", + "port": 15020, + "scheme": "HTTP" + }, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "resources": { + "limits": { + "cpu": "500m", + "memory": "256Mi" + }, + "requests": { + "cpu": "100m", + "memory": "64Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "runAsGroup": 65532, + "runAsNonRoot": true, + "runAsUser": 65532 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/certs", + "name": "tls-certs", + "readOnly": true + }, + { + "mountPath": "/app/api-token", + "name": "api-token", + "readOnly": true + }, + { + "mountPath": "/app/load", + "name": "module", + "readOnly": true + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-whp7d", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-whp7d", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 2000001000, + "priorityClassName": "system-node-critical", + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "fsGroup": 65532, + "runAsGroup": 65532, + "runAsNonRoot": true, + "runAsUser": 65532 + }, + "serviceAccount": "pepr-uds-core", + "serviceAccountName": "pepr-uds-core", + "terminationGracePeriodSeconds": 5, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "tls-certs", + "secret": { + "defaultMode": 420, + "secretName": "pepr-uds-core-tls" + } + }, + { + "name": "api-token", + "secret": { + "defaultMode": 420, + "secretName": "pepr-uds-core-api-token" + } + }, + { + "name": "module", + "secret": { + "defaultMode": 420, + "secretName": "pepr-uds-core-module" + } + }, + { + "name": "kube-api-access-whp7d", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:36:18Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:36:27Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:36:27Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:36:17Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://dea96fb5ce3413827270115e359aa31f216fdacac06ed4883cdea945173400f3", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:36:19Z" + } + } + }, + { + "containerID": "containerd://bb85111c39f918e33eb7073c1cf1f539098aa052d5a5480943e08ab5ef2c7b0a", + "image": "127.0.0.1:31999/defenseunicorns/pepr/controller:v0.31.1-zarf-804409620", + "imageID": "127.0.0.1:31999/defenseunicorns/pepr/controller@sha256:3e21ce610d2ca67e31154a7d3f3afbe641f0b1fdd9616ad854fc34fb9bce8507", + "lastState": {}, + "name": "server", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:36:21Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "initContainerStatuses": [ + { + "containerID": "containerd://c56fd4106095f4ebb9fb1d74adc644851d72b70aa6a5b6201c1f307c0494cc3f", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://c56fd4106095f4ebb9fb1d74adc644851d72b70aa6a5b6201c1f307c0494cc3f", + "exitCode": 0, + "finishedAt": "2024-06-07T14:36:18Z", + "reason": "Completed", + "startedAt": "2024-06-07T14:36:17Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.21", + "podIPs": [ + { + "ip": "10.42.0.21" + } + ], + "qosClass": "Burstable", + "startTime": "2024-06-07T14:36:17Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "metrics-server", + "kubectl.kubernetes.io/default-logs-container": "metrics-server", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": "[\"require-non-root-user\",\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded" + }, + "creationTimestamp": "2024-06-07T14:36:36Z", + "generateName": "metrics-server-69584cc865-", + "labels": { + "app.kubernetes.io/instance": "metrics-server", + "app.kubernetes.io/name": "metrics-server", + "pod-template-hash": "69584cc865", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "metrics-server", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": "metrics-server-69584cc865-qf86j", + "namespace": "metrics-server", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "metrics-server-69584cc865", + "uid": "135cc85a-83a7-4082-bfa9-b7d302ad5b20" + } + ], + "resourceVersion": "1611", + "uid": "c188458e-8c7e-42b3-bfd9-7efbb0ac9bf2" + }, + "spec": { + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"name\":\"https\",\"containerPort\":10250,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "metrics-server" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "metrics-server" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/metrics-server/deployments/metrics-server" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + }, + { + "name": "ISTIO_KUBE_APP_PROBERS", + "value": "{\"/app-health/metrics-server/livez\":{\"httpGet\":{\"path\":\"/livez\",\"port\":10250,\"scheme\":\"HTTPS\"},\"timeoutSeconds\":1},\"/app-health/metrics-server/readyz\":{\"httpGet\":{\"path\":\"/readyz\",\"port\":10250,\"scheme\":\"HTTPS\"},\"timeoutSeconds\":1}}" + } + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-79cnp", + "readOnly": true + } + ] + }, + { + "args": [ + "--secure-port=10250", + "--cert-dir=/tmp", + "--kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname", + "--kubelet-use-node-status-port", + "--metric-resolution=15s", + "--authorization-always-allow-paths=/metrics" + ], + "image": "127.0.0.1:31999/metrics-server/metrics-server:v0.7.1-zarf-459117927", + "imagePullPolicy": "IfNotPresent", + "livenessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/app-health/metrics-server/livez", + "port": 15020, + "scheme": "HTTP" + }, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "name": "metrics-server", + "ports": [ + { + "containerPort": 10250, + "name": "https", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 5, + "httpGet": { + "path": "/app-health/metrics-server/readyz", + "port": 15020, + "scheme": "HTTP" + }, + "initialDelaySeconds": 10, + "periodSeconds": 5, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "resources": { + "requests": { + "cpu": "100m", + "memory": "200Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "readOnlyRootFilesystem": true, + "runAsNonRoot": true, + "runAsUser": 1000, + "seccompProfile": { + "type": "RuntimeDefault" + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/tmp", + "name": "tmp" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-79cnp", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-79cnp", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 2000000000, + "priorityClassName": "system-cluster-critical", + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "runAsGroup": 1000, + "runAsNonRoot": true, + "runAsUser": 1000 + }, + "serviceAccount": "metrics-server", + "serviceAccountName": "metrics-server", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "emptyDir": {}, + "name": "tmp" + }, + { + "name": "kube-api-access-79cnp", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:36:38Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:36:51Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:36:51Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:36:36Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://a3bcdc94ec898ec637d718935d40a44f8402b7c66cce86ed5f170fe43f1ff705", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:36:38Z" + } + } + }, + { + "containerID": "containerd://5acf1d7c184ca85550f35fbd819e0bfd298d5885a4b340481ce92c0bee56fe5b", + "image": "127.0.0.1:31999/metrics-server/metrics-server:v0.7.1-zarf-459117927", + "imageID": "127.0.0.1:31999/metrics-server/metrics-server@sha256:7f0fc3565b6d4655d078bb8e250d0423d7c79aeb05fbc71e1ffa6ff664264d70", + "lastState": {}, + "name": "metrics-server", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:36:39Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "initContainerStatuses": [ + { + "containerID": "containerd://56321e146f957771c00c61f86a2f9a6f74f0ed917d6df3f92464e1cd4dffea8f", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://56321e146f957771c00c61f86a2f9a6f74f0ed917d6df3f92464e1cd4dffea8f", + "exitCode": 0, + "finishedAt": "2024-06-07T14:36:36Z", + "reason": "Completed", + "startedAt": "2024-06-07T14:36:36Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.24", + "podIPs": [ + { + "ip": "10.42.0.24" + } + ], + "qosClass": "Burstable", + "startTime": "2024-06-07T14:36:36Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "keycloak", + "kubectl.kubernetes.io/default-logs-container": "keycloak", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": "[\"require-non-root-user\",\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded" + }, + "creationTimestamp": "2024-06-07T14:37:03Z", + "generateName": "keycloak-", + "labels": { + "app.kubernetes.io/instance": "keycloak", + "app.kubernetes.io/name": "keycloak", + "apps.kubernetes.io/pod-index": "0", + "controller-revision-hash": "keycloak-584d5fcfb7", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "keycloak", + "service.istio.io/canonical-revision": "latest", + "statefulset.kubernetes.io/pod-name": "keycloak-0", + "zarf-agent": "patched" + }, + "name": "keycloak-0", + "namespace": "keycloak", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "StatefulSet", + "name": "keycloak", + "uid": "3ec2c2f6-c634-4e4b-8e87-ae401174b745" + } + ], + "resourceVersion": "1823", + "uid": "7f4d0caa-3b1e-4c7e-bbcb-80f31728e776" + }, + "spec": { + "affinity": { + "podAntiAffinity": { + "preferredDuringSchedulingIgnoredDuringExecution": [ + { + "podAffinityTerm": { + "labelSelector": { + "matchExpressions": [ + { + "key": "app.kubernetes.io/component", + "operator": "NotIn", + "values": [ + "test" + ] + } + ], + "matchLabels": { + "app.kubernetes.io/instance": "keycloak", + "app.kubernetes.io/name": "keycloak" + } + }, + "topologyKey": "failure-domain.beta.kubernetes.io/zone" + }, + "weight": 100 + } + ] + } + }, + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"name\":\"http\",\"containerPort\":8080,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "keycloak" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "keycloak" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/keycloak/statefulsets/keycloak" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + }, + { + "name": "ISTIO_KUBE_APP_PROBERS", + "value": "{\"/app-health/keycloak/livez\":{\"httpGet\":{\"path\":\"/health/live\",\"port\":8080,\"scheme\":\"HTTP\"},\"timeoutSeconds\":2},\"/app-health/keycloak/readyz\":{\"httpGet\":{\"path\":\"/health/ready\",\"port\":8080,\"scheme\":\"HTTP\"},\"timeoutSeconds\":2}}" + } + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-nlkpn", + "readOnly": true + } + ] + }, + { + "args": [ + "start-dev", + "--spi-theme-static-max-age=-1", + "--spi-theme-cache-themes=false", + "--spi-theme-cache-templates=false", + "--import-realm", + "--features=preview" + ], + "command": [ + "/opt/keycloak/bin/kc.sh" + ], + "env": [ + { + "name": "UDS_DOMAIN", + "value": "uds.dev" + }, + { + "name": "KC_HEALTH_ENABLED", + "value": "true" + }, + { + "name": "KC_METRICS_ENABLED", + "value": "true" + }, + { + "name": "QUARKUS_HTTP_ACCESS_LOG_ENABLED", + "value": "true" + }, + { + "name": "KC_HOSTNAME_STRICT", + "value": "false" + }, + { + "name": "KC_HOSTNAME_STRICT_HTTPS", + "value": "false" + }, + { + "name": "KC_PROXY", + "value": "edge" + }, + { + "name": "KC_HTTPS_CLIENT_AUTH", + "value": "request" + }, + { + "name": "KC_SPI_X509CERT_LOOKUP_PROVIDER", + "value": "nginx" + }, + { + "name": "KC_SPI_X509CERT_LOOKUP_NGINX_SSL_CLIENT_CERT", + "value": "istio-mtls-client-certificate" + }, + { + "name": "KC_SPI_X509CERT_LOOKUP_NGINX_SSL_CLIENT_CERT_CHAIN_PREFIX", + "value": "UNUSED" + }, + { + "name": "KC_LOG_LEVEL", + "value": "DEBUG" + }, + { + "name": "QUARKUS_LOG_CATEGORY__ORG_APACHE_HTTP__LEVEL", + "value": "DEBUG" + }, + { + "name": "QUARKUS_LOG_CATEGORY__ORG_KEYCLOAK_SERVICES_X509__LEVEL", + "value": "TRACE" + } + ], + "envFrom": [ + { + "secretRef": { + "name": "keycloak-realm-env" + } + } + ], + "image": "127.0.0.1:31999/keycloak/keycloak:24.0.5-zarf-2242132316", + "imagePullPolicy": "IfNotPresent", + "livenessProbe": { + "failureThreshold": 15, + "httpGet": { + "path": "/app-health/keycloak/livez", + "port": 15020, + "scheme": "HTTP" + }, + "initialDelaySeconds": 10, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 2 + }, + "name": "keycloak", + "ports": [ + { + "containerPort": 8080, + "name": "http", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 15, + "httpGet": { + "path": "/app-health/keycloak/readyz", + "port": 15020, + "scheme": "HTTP" + }, + "initialDelaySeconds": 10, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 2 + }, + "resources": { + "limits": { + "cpu": "1", + "memory": "1Gi" + }, + "requests": { + "cpu": "500m", + "memory": "512Mi" + } + }, + "securityContext": { + "capabilities": { + "drop": [ + "ALL" + ] + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/opt/keycloak/providers", + "name": "providers" + }, + { + "mountPath": "/opt/keycloak/data", + "name": "data" + }, + { + "mountPath": "/opt/keycloak/themes", + "name": "themes" + }, + { + "mountPath": "/opt/keycloak/conf", + "name": "conf", + "readOnly": true + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-nlkpn", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "hostname": "keycloak-0", + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "image": "127.0.0.1:31999/defenseunicorns/uds/identity-config:0.4.5-zarf-1934043158", + "imagePullPolicy": "IfNotPresent", + "name": "uds-config", + "resources": { + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "capabilities": { + "drop": [ + "ALL" + ] + }, + "runAsGroup": 65532, + "runAsUser": 65532 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/opt/keycloak/providers", + "name": "providers" + }, + { + "mountPath": "/opt/keycloak/data", + "name": "data" + }, + { + "mountPath": "/opt/keycloak/themes", + "name": "themes" + }, + { + "mountPath": "/opt/keycloak/conf", + "name": "conf" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-nlkpn", + "readOnly": true + } + ] + }, + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-nlkpn", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "fsGroup": 1000, + "runAsGroup": 1000, + "runAsNonRoot": true, + "runAsUser": 1000 + }, + "serviceAccount": "default", + "serviceAccountName": "default", + "subdomain": "keycloak-headless", + "terminationGracePeriodSeconds": 5, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "emptyDir": {}, + "name": "providers" + }, + { + "emptyDir": {}, + "name": "conf" + }, + { + "name": "data", + "persistentVolumeClaim": { + "claimName": "keycloak-data" + } + }, + { + "name": "themes", + "persistentVolumeClaim": { + "claimName": "keycloak-themes" + } + }, + { + "name": "kube-api-access-nlkpn", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:37:09Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:37:56Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:37:56Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:37:06Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://98b723747fbc4ab069941b409c2c1364803055710b556efc4a281bef03a1f9d0", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:37:09Z" + } + } + }, + { + "containerID": "containerd://24cffc7e3667dbd48ef3f53817f81df065610a8e2231ce22f807bbaf28dfc28a", + "image": "127.0.0.1:31999/keycloak/keycloak:24.0.5-zarf-2242132316", + "imageID": "127.0.0.1:31999/keycloak/keycloak@sha256:6508f327b24f3b21dc712fdfedf7dc613720806752f958f3ae90d53f05bfffb3", + "lastState": {}, + "name": "keycloak", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:37:12Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "initContainerStatuses": [ + { + "containerID": "containerd://61198b4b3f3f80e4b1f1d70d1175723fb4e113315b5733f6139827c6716ae3cf", + "image": "127.0.0.1:31999/defenseunicorns/uds/identity-config:0.4.5-zarf-1934043158", + "imageID": "127.0.0.1:31999/defenseunicorns/uds/identity-config@sha256:3fbab8e7cfa010251aa29a1bbec2e73a7bdc236f358fb57db3943a9f0307bf1f", + "lastState": {}, + "name": "uds-config", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://61198b4b3f3f80e4b1f1d70d1175723fb4e113315b5733f6139827c6716ae3cf", + "exitCode": 0, + "finishedAt": "2024-06-07T14:37:07Z", + "reason": "Completed", + "startedAt": "2024-06-07T14:37:07Z" + } + } + }, + { + "containerID": "containerd://42656b79a9c7579dc5b3b04b00be6b95189d0c863549ff35ae072aa778897083", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://42656b79a9c7579dc5b3b04b00be6b95189d0c863549ff35ae072aa778897083", + "exitCode": 0, + "finishedAt": "2024-06-07T14:37:08Z", + "reason": "Completed", + "startedAt": "2024-06-07T14:37:08Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.27", + "podIPs": [ + { + "ip": "10.42.0.27" + } + ], + "qosClass": "Burstable", + "startTime": "2024-06-07T14:37:06Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "neuvector-enforcer-pod", + "kubectl.kubernetes.io/default-logs-container": "neuvector-enforcer-pod", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/uds-core-policies": "succeeded", + "uds-core.pepr.dev/uds-core-policies.DisallowHostNamespaces": "exempted", + "uds-core.pepr.dev/uds-core-policies.DisallowPrivileged": "exempted", + "uds-core.pepr.dev/uds-core-policies.DropAllCapabilities": "exempted", + "uds-core.pepr.dev/uds-core-policies.RequireNonRootUser": "exempted", + "uds-core.pepr.dev/uds-core-policies.RestrictHostPathWrite": "exempted", + "uds-core.pepr.dev/uds-core-policies.RestrictVolumeTypes": "exempted" + }, + "creationTimestamp": "2024-06-07T14:38:20Z", + "generateName": "neuvector-enforcer-pod-", + "labels": { + "app": "neuvector-enforcer-pod", + "controller-revision-hash": "6775c5c797", + "pod-template-generation": "1", + "release": "core", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "neuvector-enforcer-pod", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": "neuvector-enforcer-pod-nt94p", + "namespace": "neuvector", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "DaemonSet", + "name": "neuvector-enforcer-pod", + "uid": "6dccb27d-6ee5-4ce7-9212-a01b1420cbfb" + } + ], + "resourceVersion": "2221", + "uid": "5f5fce1b-9cba-4e19-8fe8-81105c64a17a" + }, + "spec": { + "affinity": { + "nodeAffinity": { + "requiredDuringSchedulingIgnoredDuringExecution": { + "nodeSelectorTerms": [ + { + "matchFields": [ + { + "key": "metadata.name", + "operator": "In", + "values": [ + "k3d-uds-server-0" + ] + } + ] + } + ] + } + } + }, + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "neuvector-enforcer-pod" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "neuvector-enforcer-pod" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/neuvector/daemonsets/neuvector-enforcer-pod" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + } + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-hps9b", + "readOnly": true + } + ] + }, + { + "env": [ + { + "name": "CLUSTER_JOIN_ADDR", + "value": "neuvector-svc-controller.neuvector" + }, + { + "name": "CLUSTER_ADVERTISED_ADDR", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "CLUSTER_BIND_ADDR", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + } + ], + "image": "127.0.0.1:31999/neuvector/enforcer:5.3.2-zarf-2886042343", + "imagePullPolicy": "IfNotPresent", + "name": "neuvector-enforcer-pod", + "resources": {}, + "securityContext": { + "privileged": true + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/lib/modules", + "name": "modules-vol", + "readOnly": true + }, + { + "mountPath": "/var/nv_debug", + "name": "nv-debug" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-hps9b", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "hostPID": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-hps9b", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": {}, + "serviceAccount": "enforcer", + "serviceAccountName": "enforcer", + "terminationGracePeriodSeconds": 1200, + "tolerations": [ + { + "effect": "NoSchedule", + "key": "node-role.kubernetes.io/master" + }, + { + "effect": "NoSchedule", + "key": "node-role.kubernetes.io/control-plane" + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists" + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/disk-pressure", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/memory-pressure", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/pid-pressure", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/unschedulable", + "operator": "Exists" + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "hostPath": { + "path": "/lib/modules", + "type": "" + }, + "name": "modules-vol" + }, + { + "hostPath": { + "path": "/var/nv_debug", + "type": "" + }, + "name": "nv-debug" + }, + { + "name": "kube-api-access-hps9b", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:38:21Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:38:28Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:38:28Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:38:20Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://977a00abbbc0e201f32cc068fcd3b84546b25dfe873196358ee56620519af4b4", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:38:21Z" + } + } + }, + { + "containerID": "containerd://786d6b11b69d7becbefa39703c471dd2dcd506e08fdcf6e2254e0a584cded575", + "image": "127.0.0.1:31999/neuvector/enforcer:5.3.2-zarf-2886042343", + "imageID": "127.0.0.1:31999/neuvector/enforcer@sha256:043f6f02afae05861eee20248bba17e58afbe33dcc2cafcca2cf83c7df361fac", + "lastState": {}, + "name": "neuvector-enforcer-pod", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:38:26Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "initContainerStatuses": [ + { + "containerID": "containerd://10e8bca0a1e6b216fa1e7c7cf33a224262959fe8e64fbc9dc1d398facb035d38", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://10e8bca0a1e6b216fa1e7c7cf33a224262959fe8e64fbc9dc1d398facb035d38", + "exitCode": 0, + "finishedAt": "2024-06-07T14:38:21Z", + "reason": "Completed", + "startedAt": "2024-06-07T14:38:21Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.28", + "podIPs": [ + { + "ip": "10.42.0.28" + } + ], + "qosClass": "Burstable", + "startTime": "2024-06-07T14:38:20Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "neuvector-manager-pod", + "kubectl.kubernetes.io/default-logs-container": "neuvector-manager-pod", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": "[\"require-non-root-user\",\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded" + }, + "creationTimestamp": "2024-06-07T14:38:20Z", + "generateName": "neuvector-manager-pod-56ddd789bb-", + "labels": { + "app": "neuvector-manager-pod", + "pod-template-hash": "56ddd789bb", + "release": "core", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "neuvector-manager-pod", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": "neuvector-manager-pod-56ddd789bb-pzdsg", + "namespace": "neuvector", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "neuvector-manager-pod-56ddd789bb", + "uid": "88dd6d25-f771-4ff6-a703-375660b4d43d" + } + ], + "resourceVersion": "2233", + "uid": "aebb54f0-cbcf-428d-91d2-43403fc6595d" + }, + "spec": { + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"name\":\"http\",\"containerPort\":8443,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "neuvector-manager-pod" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "neuvector-manager-pod" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/neuvector/deployments/neuvector-manager-pod" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + } + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-7226g", + "readOnly": true + } + ] + }, + { + "env": [ + { + "name": "CTRL_SERVER_IP", + "value": "neuvector-svc-controller.neuvector" + }, + { + "name": "MANAGER_SSL", + "value": "off" + } + ], + "image": "127.0.0.1:31999/neuvector/manager:5.3.2-zarf-1801671909", + "imagePullPolicy": "IfNotPresent", + "name": "neuvector-manager-pod", + "ports": [ + { + "containerPort": 8443, + "name": "http", + "protocol": "TCP" + } + ], + "resources": {}, + "securityContext": { + "capabilities": { + "drop": [ + "ALL" + ] + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-7226g", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-7226g", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "runAsGroup": 1000, + "runAsNonRoot": true, + "runAsUser": 1000 + }, + "serviceAccount": "basic", + "serviceAccountName": "basic", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "kube-api-access-7226g", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:38:21Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:38:30Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:38:30Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:38:20Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://743909c516a206891e8807685cbfe81a597b79ff2887a4fbd4cefabd1849590c", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:38:21Z" + } + } + }, + { + "containerID": "containerd://93bcda13255ce6bce3fdb9848c39512377e0700f35188fd23c371d64aaa5ff87", + "image": "127.0.0.1:31999/neuvector/manager:5.3.2-zarf-1801671909", + "imageID": "127.0.0.1:31999/neuvector/manager@sha256:3a65e2c2916a058293638620b712cfac1a559824ac4d295cd08474c98a3e7381", + "lastState": {}, + "name": "neuvector-manager-pod", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:38:28Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "initContainerStatuses": [ + { + "containerID": "containerd://475c52820b00e4cc57f4c5a6dd2f790d7ac3606e83c70fbf105c97fd10f2ab40", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://475c52820b00e4cc57f4c5a6dd2f790d7ac3606e83c70fbf105c97fd10f2ab40", + "exitCode": 0, + "finishedAt": "2024-06-07T14:38:21Z", + "reason": "Completed", + "startedAt": "2024-06-07T14:38:21Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.31", + "podIPs": [ + { + "ip": "10.42.0.31" + } + ], + "qosClass": "Burstable", + "startTime": "2024-06-07T14:38:20Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "checksum/init-configmap": "d2907592400cb73cef987a87115b0c6a17428bfdbda232ddf0de6ea52f3eb571", + "checksum/uds-sso-secret": "", + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "neuvector-controller-pod", + "kubectl.kubernetes.io/default-logs-container": "neuvector-controller-pod", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/uds-core-policies": "succeeded", + "uds-core.pepr.dev/uds-core-policies.DisallowPrivileged": "exempted", + "uds-core.pepr.dev/uds-core-policies.DropAllCapabilities": "exempted", + "uds-core.pepr.dev/uds-core-policies.RequireNonRootUser": "exempted", + "uds-core.pepr.dev/uds-core-policies.RestrictHostPathWrite": "exempted", + "uds-core.pepr.dev/uds-core-policies.RestrictVolumeTypes": "exempted" + }, + "creationTimestamp": "2024-06-07T14:38:38Z", + "generateName": "neuvector-controller-pod-5d7c9d5588-", + "labels": { + "app": "neuvector-controller-pod", + "pod-template-hash": "5d7c9d5588", + "release": "core", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "neuvector-controller-pod", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": "neuvector-controller-pod-5d7c9d5588-mgzsf", + "namespace": "neuvector", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "neuvector-controller-pod-5d7c9d5588", + "uid": "eb3a14bf-c3f0-4fef-a657-a25c5a712a93" + } + ], + "resourceVersion": "2509", + "uid": "f3fe50db-0d40-4f4f-94e2-4ab30d3095d3" + }, + "spec": { + "affinity": { + "podAntiAffinity": { + "preferredDuringSchedulingIgnoredDuringExecution": [ + { + "podAffinityTerm": { + "labelSelector": { + "matchExpressions": [ + { + "key": "app", + "operator": "In", + "values": [ + "neuvector-controller-pod" + ] + } + ] + }, + "topologyKey": "kubernetes.io/hostname" + }, + "weight": 100 + } + ] + } + }, + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "neuvector-controller-pod" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "neuvector-controller-pod" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/neuvector/deployments/neuvector-controller-pod" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + } + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-k4946", + "readOnly": true + } + ] + }, + { + "env": [ + { + "name": "CLUSTER_JOIN_ADDR", + "value": "neuvector-svc-controller.neuvector" + }, + { + "name": "CLUSTER_ADVERTISED_ADDR", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "CLUSTER_BIND_ADDR", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "NO_DEFAULT_ADMIN", + "value": "1" + } + ], + "image": "127.0.0.1:31999/neuvector/controller:5.3.2-zarf-4157091163", + "imagePullPolicy": "IfNotPresent", + "name": "neuvector-controller-pod", + "readinessProbe": { + "exec": { + "command": [ + "cat", + "/tmp/ready" + ] + }, + "failureThreshold": 3, + "initialDelaySeconds": 5, + "periodSeconds": 5, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "resources": {}, + "securityContext": { + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/config", + "name": "config-volume", + "readOnly": true + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-k4946", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-k4946", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": {}, + "serviceAccount": "controller", + "serviceAccountName": "controller", + "terminationGracePeriodSeconds": 300, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "config-volume", + "projected": { + "defaultMode": 420, + "sources": [ + { + "configMap": { + "name": "neuvector-init", + "optional": true + } + }, + { + "secret": { + "name": "neuvector-init", + "optional": true + } + }, + { + "secret": { + "name": "neuvector-secret", + "optional": true + } + } + ] + } + }, + { + "name": "kube-api-access-k4946", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:38:39Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:38:53Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:38:53Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:38:38Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://f09a16a3f79ff3f62a59a9c7ed431043815978aa2c5fb0e5402c1a02389d3e7f", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:38:39Z" + } + } + }, + { + "containerID": "containerd://3088539b3933c2fd668c3b02a9e3a23a7994978f2c2e65ec50d5f349117aa70f", + "image": "127.0.0.1:31999/neuvector/controller:5.3.2-zarf-4157091163", + "imageID": "127.0.0.1:31999/neuvector/controller@sha256:c5d6ff1924fdad2b8e4fdb428a7636edd82ea50ef94ab15e9a0c7117fc607d1c", + "lastState": {}, + "name": "neuvector-controller-pod", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:38:40Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "initContainerStatuses": [ + { + "containerID": "containerd://446f36a71ada6e7d3e09a043c06ef19ae0bdff71c47220c26fe586b6a3fc2c76", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://446f36a71ada6e7d3e09a043c06ef19ae0bdff71c47220c26fe586b6a3fc2c76", + "exitCode": 0, + "finishedAt": "2024-06-07T14:38:38Z", + "reason": "Completed", + "startedAt": "2024-06-07T14:38:38Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.37", + "podIPs": [ + { + "ip": "10.42.0.37" + } + ], + "qosClass": "Burstable", + "startTime": "2024-06-07T14:38:38Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "checksum/config": "aa54d1c46dc4de580885be8c1184da75a3838afa977449fdf39bf419da521275", + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "nginx", + "kubectl.kubernetes.io/default-logs-container": "nginx", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": "[\"require-non-root-user\",\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded" + }, + "creationTimestamp": "2024-06-07T14:38:51Z", + "generateName": "loki-gateway-d7c788676-", + "labels": { + "app.kubernetes.io/component": "gateway", + "app.kubernetes.io/instance": "loki", + "app.kubernetes.io/name": "loki", + "pod-template-hash": "d7c788676", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "loki", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": "loki-gateway-d7c788676-4srwc", + "namespace": "loki", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "loki-gateway-d7c788676", + "uid": "e34a955a-a9ce-4e08-b438-cee5a06b0eb6" + } + ], + "resourceVersion": "2670", + "uid": "89db0787-f4c9-4ab5-b02b-67defbbdb9a6" + }, + "spec": { + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"name\":\"http\",\"containerPort\":8080,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "nginx" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "loki-gateway" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/loki/deployments/loki-gateway" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + }, + { + "name": "ISTIO_KUBE_APP_PROBERS", + "value": "{\"/app-health/nginx/readyz\":{\"httpGet\":{\"path\":\"/\",\"port\":8080,\"scheme\":\"HTTP\"},\"timeoutSeconds\":1}}" + } + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-cpqvb", + "readOnly": true + } + ] + }, + { + "image": "127.0.0.1:31999/nginxinc/nginx-unprivileged:1.25-alpine-zarf-1006365545", + "imagePullPolicy": "IfNotPresent", + "name": "nginx", + "ports": [ + { + "containerPort": 8080, + "name": "http", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/app-health/nginx/readyz", + "port": 15020, + "scheme": "HTTP" + }, + "initialDelaySeconds": 15, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "resources": {}, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "readOnlyRootFilesystem": true + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/nginx", + "name": "config" + }, + { + "mountPath": "/tmp", + "name": "tmp" + }, + { + "mountPath": "/docker-entrypoint.d", + "name": "docker-entrypoint-d-override" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-cpqvb", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-cpqvb", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "fsGroup": 101, + "runAsGroup": 101, + "runAsNonRoot": true, + "runAsUser": 101 + }, + "serviceAccount": "loki", + "serviceAccountName": "loki", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "configMap": { + "defaultMode": 420, + "name": "loki-gateway" + }, + "name": "config" + }, + { + "emptyDir": {}, + "name": "tmp" + }, + { + "emptyDir": {}, + "name": "docker-entrypoint-d-override" + }, + { + "name": "kube-api-access-cpqvb", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:38:55Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:39:23Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:39:23Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:38:52Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://5f264ee0271c2825510e9b372383053db4659e357fac618c08fecb8ee373c3ba", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:38:56Z" + } + } + }, + { + "containerID": "containerd://82a48ad0040bde0f60f786d7a0e658bd2a4bab8bfa7cb3280d3eed0cd49e30e5", + "image": "127.0.0.1:31999/nginxinc/nginx-unprivileged:1.25-alpine-zarf-1006365545", + "imageID": "127.0.0.1:31999/nginxinc/nginx-unprivileged@sha256:31e948e116a2ac07338d1f0d8578bbc96776f8dcf580a8e658550ba01d5092c4", + "lastState": {}, + "name": "nginx", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:39:06Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "initContainerStatuses": [ + { + "containerID": "containerd://59bacbddd363664ec02221f6fe141218d05e2c56c146f59eb10b433da6ebd338", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://59bacbddd363664ec02221f6fe141218d05e2c56c146f59eb10b433da6ebd338", + "exitCode": 0, + "finishedAt": "2024-06-07T14:38:55Z", + "reason": "Completed", + "startedAt": "2024-06-07T14:38:54Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.38", + "podIPs": [ + { + "ip": "10.42.0.38" + } + ], + "qosClass": "Burstable", + "startTime": "2024-06-07T14:38:52Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "checksum/config": "40704e20dbbda1ca58cfa8d9ce03976b283d6b1d9b3274118a95cf4180009906", + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "loki", + "kubectl.kubernetes.io/default-logs-container": "loki", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": "[\"require-non-root-user\",\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded" + }, + "creationTimestamp": "2024-06-07T14:38:52Z", + "generateName": "loki-backend-", + "labels": { + "app.kubernetes.io/component": "backend", + "app.kubernetes.io/instance": "loki", + "app.kubernetes.io/name": "loki", + "app.kubernetes.io/part-of": "memberlist", + "apps.kubernetes.io/pod-index": "0", + "controller-revision-hash": "loki-backend-6f5b99f4f4", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "loki", + "service.istio.io/canonical-revision": "latest", + "statefulset.kubernetes.io/pod-name": "loki-backend-0", + "zarf-agent": "patched" + }, + "name": "loki-backend-0", + "namespace": "loki", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "StatefulSet", + "name": "loki-backend", + "uid": "90b63b4e-2726-4b30-ac3a-42e21400e1cb" + } + ], + "resourceVersion": "2695", + "uid": "09cdbc78-d89b-43fa-a5f6-2d7eedfef742" + }, + "spec": { + "automountServiceAccountToken": true, + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"name\":\"http-metrics\",\"containerPort\":3100,\"protocol\":\"TCP\"}\n ,{\"name\":\"grpc\",\"containerPort\":9095,\"protocol\":\"TCP\"}\n ,{\"name\":\"http-memberlist\",\"containerPort\":7946,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "loki" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "loki-backend" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/loki/statefulsets/loki-backend" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + }, + { + "name": "ISTIO_KUBE_APP_PROBERS", + "value": "{\"/app-health/loki/readyz\":{\"httpGet\":{\"path\":\"/ready\",\"port\":3100,\"scheme\":\"HTTP\"},\"timeoutSeconds\":1}}" + } + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-4pwkx", + "readOnly": true + } + ] + }, + { + "args": [ + "-config.file=/etc/loki/config/config.yaml", + "-target=backend", + "-legacy-read-mode=false" + ], + "image": "127.0.0.1:31999/grafana/loki:2.9.6-zarf-176807990", + "imagePullPolicy": "IfNotPresent", + "name": "loki", + "ports": [ + { + "containerPort": 3100, + "name": "http-metrics", + "protocol": "TCP" + }, + { + "containerPort": 9095, + "name": "grpc", + "protocol": "TCP" + }, + { + "containerPort": 7946, + "name": "http-memberlist", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/app-health/loki/readyz", + "port": 15020, + "scheme": "HTTP" + }, + "initialDelaySeconds": 30, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "resources": {}, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "readOnlyRootFilesystem": true + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/loki/config", + "name": "config" + }, + { + "mountPath": "/etc/loki/runtime-config", + "name": "runtime-config" + }, + { + "mountPath": "/tmp", + "name": "tmp" + }, + { + "mountPath": "/var/loki", + "name": "data" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-4pwkx", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "hostname": "loki-backend-0", + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-4pwkx", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "fsGroup": 10001, + "runAsGroup": 10001, + "runAsNonRoot": true, + "runAsUser": 10001 + }, + "serviceAccount": "loki", + "serviceAccountName": "loki", + "subdomain": "loki-backend-headless", + "terminationGracePeriodSeconds": 300, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "data", + "persistentVolumeClaim": { + "claimName": "data-loki-backend-0" + } + }, + { + "emptyDir": {}, + "name": "tmp" + }, + { + "configMap": { + "defaultMode": 420, + "items": [ + { + "key": "config.yaml", + "path": "config.yaml" + } + ], + "name": "loki" + }, + "name": "config" + }, + { + "configMap": { + "defaultMode": 420, + "name": "loki-runtime" + }, + "name": "runtime-config" + }, + { + "name": "kube-api-access-4pwkx", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:39:03Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:39:40Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:39:40Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:38:59Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://f7cf99f7432e06180757d37d6cb2048544be45b66b5367f0d99c7cd8cc15b5b8", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:39:04Z" + } + } + }, + { + "containerID": "containerd://a347cd31324e8c4c86561a9174a8174436da20b2cd74f492af633199a8ec2609", + "image": "127.0.0.1:31999/grafana/loki:2.9.6-zarf-176807990", + "imageID": "127.0.0.1:31999/grafana/loki@sha256:ac12e5e83d9d77d1f62dd273f1ced8b55ed9a2429acc9e17ff7cbdee126eb4c1", + "lastState": {}, + "name": "loki", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:39:07Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "initContainerStatuses": [ + { + "containerID": "containerd://a78785d642a7a2e14c962a51b8865d4a3dd9f689a6c42c512ce605a5e770a745", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://a78785d642a7a2e14c962a51b8865d4a3dd9f689a6c42c512ce605a5e770a745", + "exitCode": 0, + "finishedAt": "2024-06-07T14:39:02Z", + "reason": "Completed", + "startedAt": "2024-06-07T14:39:02Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.42", + "podIPs": [ + { + "ip": "10.42.0.42" + } + ], + "qosClass": "Burstable", + "startTime": "2024-06-07T14:38:59Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "checksum/config": "40704e20dbbda1ca58cfa8d9ce03976b283d6b1d9b3274118a95cf4180009906", + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "loki", + "kubectl.kubernetes.io/default-logs-container": "loki", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": "[\"require-non-root-user\",\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded" + }, + "creationTimestamp": "2024-06-07T14:38:52Z", + "generateName": "loki-read-965cc8d57-", + "labels": { + "app.kubernetes.io/component": "read", + "app.kubernetes.io/instance": "loki", + "app.kubernetes.io/name": "loki", + "app.kubernetes.io/part-of": "memberlist", + "pod-template-hash": "965cc8d57", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "loki", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": "loki-read-965cc8d57-q9xqw", + "namespace": "loki", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "loki-read-965cc8d57", + "uid": "a096c654-21f2-41a0-a080-67bd402af70a" + } + ], + "resourceVersion": "2711", + "uid": "ab88bad5-aaba-4ff0-a18d-64b9fa7d5d29" + }, + "spec": { + "automountServiceAccountToken": true, + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"name\":\"http-metrics\",\"containerPort\":3100,\"protocol\":\"TCP\"}\n ,{\"name\":\"grpc\",\"containerPort\":9095,\"protocol\":\"TCP\"}\n ,{\"name\":\"http-memberlist\",\"containerPort\":7946,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "loki" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "loki-read" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/loki/deployments/loki-read" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + }, + { + "name": "ISTIO_KUBE_APP_PROBERS", + "value": "{\"/app-health/loki/readyz\":{\"httpGet\":{\"path\":\"/ready\",\"port\":3100,\"scheme\":\"HTTP\"},\"timeoutSeconds\":1}}" + } + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-n2kwj", + "readOnly": true + } + ] + }, + { + "args": [ + "-config.file=/etc/loki/config/config.yaml", + "-target=read", + "-legacy-read-mode=false", + "-common.compactor-grpc-address=loki-backend.loki.svc.cluster.local:9095" + ], + "image": "127.0.0.1:31999/grafana/loki:2.9.6-zarf-176807990", + "imagePullPolicy": "IfNotPresent", + "name": "loki", + "ports": [ + { + "containerPort": 3100, + "name": "http-metrics", + "protocol": "TCP" + }, + { + "containerPort": 9095, + "name": "grpc", + "protocol": "TCP" + }, + { + "containerPort": 7946, + "name": "http-memberlist", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/app-health/loki/readyz", + "port": 15020, + "scheme": "HTTP" + }, + "initialDelaySeconds": 30, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "resources": {}, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "readOnlyRootFilesystem": true + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/loki/config", + "name": "config" + }, + { + "mountPath": "/etc/loki/runtime-config", + "name": "runtime-config" + }, + { + "mountPath": "/tmp", + "name": "tmp" + }, + { + "mountPath": "/var/loki", + "name": "data" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-n2kwj", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-n2kwj", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "fsGroup": 10001, + "runAsGroup": 10001, + "runAsNonRoot": true, + "runAsUser": 10001 + }, + "serviceAccount": "loki", + "serviceAccountName": "loki", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "emptyDir": {}, + "name": "tmp" + }, + { + "emptyDir": {}, + "name": "data" + }, + { + "configMap": { + "defaultMode": 420, + "items": [ + { + "key": "config.yaml", + "path": "config.yaml" + } + ], + "name": "loki" + }, + "name": "config" + }, + { + "configMap": { + "defaultMode": 420, + "name": "loki-runtime" + }, + "name": "runtime-config" + }, + { + "name": "kube-api-access-n2kwj", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:38:55Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:39:43Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:39:43Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:38:52Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://c861470957edbe2926ec656294db8c78238efc7ac026dfe58bf8ad0a25049112", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:38:56Z" + } + } + }, + { + "containerID": "containerd://69f206cfa0f0b469ecd7ce7b9c5b10b30aaaa1e0f6570f61777e9c13a9ab52c4", + "image": "127.0.0.1:31999/grafana/loki:2.9.6-zarf-176807990", + "imageID": "127.0.0.1:31999/grafana/loki@sha256:ac12e5e83d9d77d1f62dd273f1ced8b55ed9a2429acc9e17ff7cbdee126eb4c1", + "lastState": {}, + "name": "loki", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:39:06Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "initContainerStatuses": [ + { + "containerID": "containerd://c4d5994d71e34abcbbe8c66c67db76a5428d1c8a3a930813095968ebf2bb62c7", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://c4d5994d71e34abcbbe8c66c67db76a5428d1c8a3a930813095968ebf2bb62c7", + "exitCode": 0, + "finishedAt": "2024-06-07T14:38:54Z", + "reason": "Completed", + "startedAt": "2024-06-07T14:38:54Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.39", + "podIPs": [ + { + "ip": "10.42.0.39" + } + ], + "qosClass": "Burstable", + "startTime": "2024-06-07T14:38:52Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "checksum/config": "40704e20dbbda1ca58cfa8d9ce03976b283d6b1d9b3274118a95cf4180009906", + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "loki", + "kubectl.kubernetes.io/default-logs-container": "loki", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": "[\"require-non-root-user\",\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded" + }, + "creationTimestamp": "2024-06-07T14:38:52Z", + "generateName": "loki-write-", + "labels": { + "app.kubernetes.io/component": "write", + "app.kubernetes.io/instance": "loki", + "app.kubernetes.io/name": "loki", + "app.kubernetes.io/part-of": "memberlist", + "apps.kubernetes.io/pod-index": "0", + "controller-revision-hash": "loki-write-79659b658", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "loki", + "service.istio.io/canonical-revision": "latest", + "statefulset.kubernetes.io/pod-name": "loki-write-0", + "zarf-agent": "patched" + }, + "name": "loki-write-0", + "namespace": "loki", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "StatefulSet", + "name": "loki-write", + "uid": "7e976ccc-6bed-4478-9f9b-4eedbf659a0a" + } + ], + "resourceVersion": "2791", + "uid": "804e6369-2e8b-47d2-b928-2bb63dd24b29" + }, + "spec": { + "automountServiceAccountToken": true, + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"name\":\"http-metrics\",\"containerPort\":3100,\"protocol\":\"TCP\"}\n ,{\"name\":\"grpc\",\"containerPort\":9095,\"protocol\":\"TCP\"}\n ,{\"name\":\"http-memberlist\",\"containerPort\":7946,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "loki" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "loki-write" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/loki/statefulsets/loki-write" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + }, + { + "name": "ISTIO_KUBE_APP_PROBERS", + "value": "{\"/app-health/loki/readyz\":{\"httpGet\":{\"path\":\"/ready\",\"port\":3100,\"scheme\":\"HTTP\"},\"timeoutSeconds\":1}}" + } + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-ncjjq", + "readOnly": true + } + ] + }, + { + "args": [ + "-config.file=/etc/loki/config/config.yaml", + "-target=write" + ], + "image": "127.0.0.1:31999/grafana/loki:2.9.6-zarf-176807990", + "imagePullPolicy": "IfNotPresent", + "name": "loki", + "ports": [ + { + "containerPort": 3100, + "name": "http-metrics", + "protocol": "TCP" + }, + { + "containerPort": 9095, + "name": "grpc", + "protocol": "TCP" + }, + { + "containerPort": 7946, + "name": "http-memberlist", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/app-health/loki/readyz", + "port": 15020, + "scheme": "HTTP" + }, + "initialDelaySeconds": 30, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "resources": {}, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "readOnlyRootFilesystem": true + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/loki/config", + "name": "config" + }, + { + "mountPath": "/etc/loki/runtime-config", + "name": "runtime-config" + }, + { + "mountPath": "/var/loki", + "name": "data" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-ncjjq", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "hostname": "loki-write-0", + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-ncjjq", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "fsGroup": 10001, + "runAsGroup": 10001, + "runAsNonRoot": true, + "runAsUser": 10001 + }, + "serviceAccount": "loki", + "serviceAccountName": "loki", + "subdomain": "loki-write-headless", + "terminationGracePeriodSeconds": 300, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "data", + "persistentVolumeClaim": { + "claimName": "data-loki-write-0" + } + }, + { + "configMap": { + "defaultMode": 420, + "items": [ + { + "key": "config.yaml", + "path": "config.yaml" + } + ], + "name": "loki" + }, + "name": "config" + }, + { + "configMap": { + "defaultMode": 420, + "name": "loki-runtime" + }, + "name": "runtime-config" + }, + { + "name": "kube-api-access-ncjjq", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:39:03Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:40:00Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:40:00Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:38:59Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://c2900e7dc1ea13ef0cad59f3890e5a87440335eb506fc74aef8cd477061494e9", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:39:04Z" + } + } + }, + { + "containerID": "containerd://76e63a1ad41c12f9723f810f6bbabe14616a53829d5b754fe10534a3a0387c36", + "image": "127.0.0.1:31999/grafana/loki:2.9.6-zarf-176807990", + "imageID": "127.0.0.1:31999/grafana/loki@sha256:ac12e5e83d9d77d1f62dd273f1ced8b55ed9a2429acc9e17ff7cbdee126eb4c1", + "lastState": {}, + "name": "loki", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:39:07Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "initContainerStatuses": [ + { + "containerID": "containerd://d4643293917635ef11462519cc95cace56beae16a233c19f0431e277fe824d30", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://d4643293917635ef11462519cc95cace56beae16a233c19f0431e277fe824d30", + "exitCode": 0, + "finishedAt": "2024-06-07T14:39:02Z", + "reason": "Completed", + "startedAt": "2024-06-07T14:39:02Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.43", + "podIPs": [ + { + "ip": "10.42.0.43" + } + ], + "qosClass": "Burstable", + "startTime": "2024-06-07T14:38:59Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "checksum/init-configmap": "d2907592400cb73cef987a87115b0c6a17428bfdbda232ddf0de6ea52f3eb571", + "checksum/uds-sso-secret": "", + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "neuvector-controller-pod", + "kubectl.kubernetes.io/default-logs-container": "neuvector-controller-pod", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/uds-core-policies": "succeeded", + "uds-core.pepr.dev/uds-core-policies.DisallowPrivileged": "exempted", + "uds-core.pepr.dev/uds-core-policies.DropAllCapabilities": "exempted", + "uds-core.pepr.dev/uds-core-policies.RequireNonRootUser": "exempted", + "uds-core.pepr.dev/uds-core-policies.RestrictHostPathWrite": "exempted", + "uds-core.pepr.dev/uds-core-policies.RestrictVolumeTypes": "exempted" + }, + "creationTimestamp": "2024-06-07T14:39:53Z", + "generateName": "neuvector-controller-pod-5d7c9d5588-", + "labels": { + "app": "neuvector-controller-pod", + "pod-template-hash": "5d7c9d5588", + "release": "core", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "neuvector-controller-pod", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": "neuvector-controller-pod-5d7c9d5588-884hh", + "namespace": "neuvector", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "neuvector-controller-pod-5d7c9d5588", + "uid": "eb3a14bf-c3f0-4fef-a657-a25c5a712a93" + } + ], + "resourceVersion": "2820", + "uid": "afc727be-bc60-4201-9f4e-2f912e9394cb" + }, + "spec": { + "affinity": { + "podAntiAffinity": { + "preferredDuringSchedulingIgnoredDuringExecution": [ + { + "podAffinityTerm": { + "labelSelector": { + "matchExpressions": [ + { + "key": "app", + "operator": "In", + "values": [ + "neuvector-controller-pod" + ] + } + ] + }, + "topologyKey": "kubernetes.io/hostname" + }, + "weight": 100 + } + ] + } + }, + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "neuvector-controller-pod" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "neuvector-controller-pod" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/neuvector/deployments/neuvector-controller-pod" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + } + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-l28mp", + "readOnly": true + } + ] + }, + { + "env": [ + { + "name": "CLUSTER_JOIN_ADDR", + "value": "neuvector-svc-controller.neuvector" + }, + { + "name": "CLUSTER_ADVERTISED_ADDR", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "CLUSTER_BIND_ADDR", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "NO_DEFAULT_ADMIN", + "value": "1" + } + ], + "image": "127.0.0.1:31999/neuvector/controller:5.3.2-zarf-4157091163", + "imagePullPolicy": "IfNotPresent", + "name": "neuvector-controller-pod", + "readinessProbe": { + "exec": { + "command": [ + "cat", + "/tmp/ready" + ] + }, + "failureThreshold": 3, + "initialDelaySeconds": 5, + "periodSeconds": 5, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "resources": {}, + "securityContext": { + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/config", + "name": "config-volume", + "readOnly": true + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-l28mp", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-l28mp", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": {}, + "serviceAccount": "controller", + "serviceAccountName": "controller", + "terminationGracePeriodSeconds": 300, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "config-volume", + "projected": { + "defaultMode": 420, + "sources": [ + { + "configMap": { + "name": "neuvector-init", + "optional": true + } + }, + { + "secret": { + "name": "neuvector-init", + "optional": true + } + }, + { + "secret": { + "name": "neuvector-secret", + "optional": true + } + } + ] + } + }, + { + "name": "kube-api-access-l28mp", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:39:54Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:40:09Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:40:09Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:39:53Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://24c510311a248260324ffed1d8fec9f24495fa9f19ab16281eeb2cbddfe9cd1e", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:39:55Z" + } + } + }, + { + "containerID": "containerd://29bb9a60e7875e06563a9b94c268a6c0b638de4bd51e68b82886ba4b7d184f80", + "image": "127.0.0.1:31999/neuvector/controller:5.3.2-zarf-4157091163", + "imageID": "127.0.0.1:31999/neuvector/controller@sha256:c5d6ff1924fdad2b8e4fdb428a7636edd82ea50ef94ab15e9a0c7117fc607d1c", + "lastState": {}, + "name": "neuvector-controller-pod", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:39:56Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "initContainerStatuses": [ + { + "containerID": "containerd://7b5a488f9c4532c234492e7f71a84a7565f599de35eb097fd09bc8a6e59fe7e3", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://7b5a488f9c4532c234492e7f71a84a7565f599de35eb097fd09bc8a6e59fe7e3", + "exitCode": 0, + "finishedAt": "2024-06-07T14:39:54Z", + "reason": "Completed", + "startedAt": "2024-06-07T14:39:54Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.44", + "podIPs": [ + { + "ip": "10.42.0.44" + } + ], + "qosClass": "Burstable", + "startTime": "2024-06-07T14:39:53Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "kube-prometheus-stack", + "kubectl.kubernetes.io/default-logs-container": "kube-prometheus-stack", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": "[\"require-non-root-user\",\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded" + }, + "creationTimestamp": "2024-06-07T14:40:36Z", + "generateName": "kube-prometheus-stack-operator-6db8586956-", + "labels": { + "app": "kube-prometheus-stack-operator", + "app.kubernetes.io/component": "prometheus-operator", + "app.kubernetes.io/instance": "kube-prometheus-stack", + "app.kubernetes.io/managed-by": "Helm", + "app.kubernetes.io/name": "kube-prometheus-stack-prometheus-operator", + "app.kubernetes.io/part-of": "kube-prometheus-stack", + "app.kubernetes.io/version": "58.7.2", + "chart": "kube-prometheus-stack-58.7.2", + "heritage": "Helm", + "pod-template-hash": "6db8586956", + "release": "kube-prometheus-stack", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "kube-prometheus-stack-prometheus-operator", + "service.istio.io/canonical-revision": "58.7.2", + "zarf-agent": "patched" + }, + "name": "kube-prometheus-stack-operator-6db8586956-rf74f", + "namespace": "monitoring", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "kube-prometheus-stack-operator-6db8586956", + "uid": "126d925c-8844-48ce-832d-09c499c20d50" + } + ], + "resourceVersion": "3204", + "uid": "5b75b4bb-f8f7-4d18-936c-cba1a8f6e3ba" + }, + "spec": { + "automountServiceAccountToken": true, + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"name\":\"https\",\"containerPort\":10250,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "kube-prometheus-stack" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "kube-prometheus-stack-operator" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/monitoring/deployments/kube-prometheus-stack-operator" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + } + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-n477l", + "readOnly": true + } + ] + }, + { + "args": [ + "--kubelet-service=kube-system/kube-prometheus-stack-kubelet", + "--localhost=127.0.0.1", + "--prometheus-config-reloader=quay.io/prometheus-operator/prometheus-config-reloader:v0.74.0", + "--config-reloader-cpu-request=50m", + "--config-reloader-cpu-limit=100m", + "--config-reloader-memory-request=128Mi", + "--config-reloader-memory-limit=128Mi", + "--thanos-default-base-image=quay.io/thanos/thanos:v0.35.0", + "--secret-field-selector=type!=kubernetes.io/dockercfg,type!=kubernetes.io/service-account-token,type!=helm.sh/release.v1", + "--web.enable-tls=true", + "--web.cert-file=/cert/cert", + "--web.key-file=/cert/key", + "--web.listen-address=:10250", + "--web.tls-min-version=VersionTLS13" + ], + "env": [ + { + "name": "GOGC", + "value": "30" + } + ], + "image": "127.0.0.1:31999/prometheus-operator/prometheus-operator:v0.74.0-zarf-2469397602", + "imagePullPolicy": "IfNotPresent", + "name": "kube-prometheus-stack", + "ports": [ + { + "containerPort": 10250, + "name": "https", + "protocol": "TCP" + } + ], + "resources": { + "limits": { + "cpu": "500m", + "memory": "512Mi" + }, + "requests": { + "cpu": "100m", + "memory": "512Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "readOnlyRootFilesystem": true + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/cert", + "name": "tls-secret", + "readOnly": true + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-n477l", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-n477l", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "fsGroup": 65534, + "runAsGroup": 65534, + "runAsNonRoot": true, + "runAsUser": 65534, + "seccompProfile": { + "type": "RuntimeDefault" + } + }, + "serviceAccount": "kube-prometheus-stack-operator", + "serviceAccountName": "kube-prometheus-stack-operator", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "tls-secret", + "secret": { + "defaultMode": 420, + "secretName": "kube-prometheus-stack-admission" + } + }, + { + "name": "kube-api-access-n477l", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:40:38Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:40:41Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:40:41Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:40:36Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://300e1c3160811b142d6fc7e6118b758b4d4d7b6deefd6ba3509faf05f2ba4023", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:40:38Z" + } + } + }, + { + "containerID": "containerd://16ab87c01034dc64a06308b99f53f3799f9daa45fd37eba4ffb38314b97549e6", + "image": "127.0.0.1:31999/prometheus-operator/prometheus-operator:v0.74.0-zarf-2469397602", + "imageID": "127.0.0.1:31999/prometheus-operator/prometheus-operator@sha256:70d94e60cabd216a16769a4443878d807b66461737eae0525cb7c04eaf011757", + "lastState": {}, + "name": "kube-prometheus-stack", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:40:39Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "initContainerStatuses": [ + { + "containerID": "containerd://39bcdbce8270a9a5a79b14ee903685ff7a9379a0453d27386dc1f4b4527146c6", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://39bcdbce8270a9a5a79b14ee903685ff7a9379a0453d27386dc1f4b4527146c6", + "exitCode": 0, + "finishedAt": "2024-06-07T14:40:37Z", + "reason": "Completed", + "startedAt": "2024-06-07T14:40:37Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.48", + "podIPs": [ + { + "ip": "10.42.0.48" + } + ], + "qosClass": "Burstable", + "startTime": "2024-06-07T14:40:37Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "cluster-autoscaler.kubernetes.io/safe-to-evict": "true", + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "node-exporter", + "kubectl.kubernetes.io/default-logs-container": "node-exporter", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": "[\"require-non-root-user\",\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded", + "uds-core.pepr.dev/uds-core-policies.RestrictVolumeTypes": "exempted" + }, + "creationTimestamp": "2024-06-07T14:40:36Z", + "generateName": "kube-prometheus-stack-prometheus-node-exporter-", + "labels": { + "app.kubernetes.io/component": "metrics", + "app.kubernetes.io/instance": "kube-prometheus-stack", + "app.kubernetes.io/managed-by": "Helm", + "app.kubernetes.io/name": "prometheus-node-exporter", + "app.kubernetes.io/part-of": "prometheus-node-exporter", + "app.kubernetes.io/version": "1.8.0", + "controller-revision-hash": "6fd5474c88", + "helm.sh/chart": "prometheus-node-exporter-4.34.0", + "jobLabel": "node-exporter", + "pod-template-generation": "1", + "release": "kube-prometheus-stack", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "prometheus-node-exporter", + "service.istio.io/canonical-revision": "1.8.0", + "zarf-agent": "patched" + }, + "name": "kube-prometheus-stack-prometheus-node-exporter-wn72h", + "namespace": "monitoring", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "DaemonSet", + "name": "kube-prometheus-stack-prometheus-node-exporter", + "uid": "666ae069-d804-49c8-ab5d-34a2ab7a8b12" + } + ], + "resourceVersion": "3210", + "uid": "998565a1-5d93-46a0-af81-74cb6c23086a" + }, + "spec": { + "affinity": { + "nodeAffinity": { + "requiredDuringSchedulingIgnoredDuringExecution": { + "nodeSelectorTerms": [ + { + "matchFields": [ + { + "key": "metadata.name", + "operator": "In", + "values": [ + "k3d-uds-server-0" + ] + } + ] + } + ] + } + } + }, + "automountServiceAccountToken": false, + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"name\":\"http-metrics\",\"containerPort\":9100,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "node-exporter" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "kube-prometheus-stack-prometheus-node-exporter" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/monitoring/daemonsets/kube-prometheus-stack-prometheus-node-exporter" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + }, + { + "name": "ISTIO_KUBE_APP_PROBERS", + "value": "{\"/app-health/node-exporter/livez\":{\"httpGet\":{\"path\":\"/\",\"port\":9100,\"scheme\":\"HTTP\"},\"timeoutSeconds\":1},\"/app-health/node-exporter/readyz\":{\"httpGet\":{\"path\":\"/\",\"port\":9100,\"scheme\":\"HTTP\"},\"timeoutSeconds\":1}}" + } + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + } + ] + }, + { + "args": [ + "--path.procfs=/host/proc", + "--path.sysfs=/host/sys", + "--path.rootfs=/host/root", + "--path.udev.data=/host/root/run/udev/data", + "--web.listen-address=[$(HOST_IP)]:9100", + "--collector.filesystem.mount-points-exclude=^/(dev|proc|sys|var/lib/docker/.+|var/lib/kubelet/.+)($|/)", + "--collector.filesystem.fs-types-exclude=^(autofs|binfmt_misc|bpf|cgroup2?|configfs|debugfs|devpts|devtmpfs|fusectl|hugetlbfs|iso9660|mqueue|nsfs|overlay|proc|procfs|pstore|rpc_pipefs|securityfs|selinuxfs|squashfs|sysfs|tracefs)$" + ], + "env": [ + { + "name": "HOST_IP", + "value": "0.0.0.0" + } + ], + "image": "127.0.0.1:31999/prometheus/node-exporter:v1.8.1-zarf-3836483114", + "imagePullPolicy": "IfNotPresent", + "livenessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/app-health/node-exporter/livez", + "port": 15020, + "scheme": "HTTP" + }, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "name": "node-exporter", + "ports": [ + { + "containerPort": 9100, + "name": "http-metrics", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/app-health/node-exporter/readyz", + "port": 15020, + "scheme": "HTTP" + }, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "resources": {}, + "securityContext": { + "capabilities": { + "drop": [ + "ALL" + ] + }, + "readOnlyRootFilesystem": true + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/host/proc", + "name": "proc", + "readOnly": true + }, + { + "mountPath": "/host/sys", + "name": "sys", + "readOnly": true + }, + { + "mountPath": "/host/root", + "mountPropagation": "HostToContainer", + "name": "root", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File" + } + ], + "nodeName": "k3d-uds-server-0", + "nodeSelector": { + "kubernetes.io/os": "linux" + }, + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "fsGroup": 65534, + "runAsGroup": 65534, + "runAsNonRoot": true, + "runAsUser": 65534 + }, + "serviceAccount": "kube-prometheus-stack-prometheus-node-exporter", + "serviceAccountName": "kube-prometheus-stack-prometheus-node-exporter", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoSchedule", + "operator": "Exists" + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists" + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/disk-pressure", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/memory-pressure", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/pid-pressure", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/unschedulable", + "operator": "Exists" + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "hostPath": { + "path": "/proc", + "type": "" + }, + "name": "proc" + }, + { + "hostPath": { + "path": "/sys", + "type": "" + }, + "name": "sys" + }, + { + "hostPath": { + "path": "/", + "type": "" + }, + "name": "root" + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:40:38Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:40:41Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:40:41Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:40:36Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://4406c0f4ff43d6c508b48594bce2dab82d88e5498c587271f507cf546d18ee23", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:40:38Z" + } + } + }, + { + "containerID": "containerd://98a9836cd7f3996caca67754b18b504e5f686c80cd7b545d157462d3dc012a38", + "image": "127.0.0.1:31999/prometheus/node-exporter:v1.8.1-zarf-3836483114", + "imageID": "127.0.0.1:31999/prometheus/node-exporter@sha256:c13575817446993529a7192d00ec3f3480a3216e93a291dad3ed87bc23887152", + "lastState": {}, + "name": "node-exporter", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:40:39Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "initContainerStatuses": [ + { + "containerID": "containerd://335d322c7a3b61e89b4d477062315217543c2737ae2c479593d09afa799a25f4", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://335d322c7a3b61e89b4d477062315217543c2737ae2c479593d09afa799a25f4", + "exitCode": 0, + "finishedAt": "2024-06-07T14:40:37Z", + "reason": "Completed", + "startedAt": "2024-06-07T14:40:37Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.47", + "podIPs": [ + { + "ip": "10.42.0.47" + } + ], + "qosClass": "Burstable", + "startTime": "2024-06-07T14:40:36Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "alertmanager", + "kubectl.kubernetes.io/default-logs-container": "alertmanager", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": "[\"require-non-root-user\",\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded" + }, + "creationTimestamp": "2024-06-07T14:40:40Z", + "generateName": "alertmanager-kube-prometheus-stack-alertmanager-", + "labels": { + "alertmanager": "kube-prometheus-stack-alertmanager", + "app.kubernetes.io/instance": "kube-prometheus-stack-alertmanager", + "app.kubernetes.io/managed-by": "prometheus-operator", + "app.kubernetes.io/name": "alertmanager", + "app.kubernetes.io/version": "0.27.0", + "apps.kubernetes.io/pod-index": "0", + "controller-revision-hash": "alertmanager-kube-prometheus-stack-alertmanager-78f4944b59", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "alertmanager", + "service.istio.io/canonical-revision": "0.27.0", + "statefulset.kubernetes.io/pod-name": "alertmanager-kube-prometheus-stack-alertmanager-0", + "zarf-agent": "patched" + }, + "name": "alertmanager-kube-prometheus-stack-alertmanager-0", + "namespace": "monitoring", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "StatefulSet", + "name": "alertmanager-kube-prometheus-stack-alertmanager", + "uid": "6a488ae0-5112-4b96-853b-9cd35f6866be" + } + ], + "resourceVersion": "3275", + "uid": "3e5d010a-d2f3-439b-98a4-b869f51951f5" + }, + "spec": { + "automountServiceAccountToken": true, + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"name\":\"http-web\",\"containerPort\":9093,\"protocol\":\"TCP\"}\n ,{\"name\":\"mesh-tcp\",\"containerPort\":9094,\"protocol\":\"TCP\"}\n ,{\"name\":\"mesh-udp\",\"containerPort\":9094,\"protocol\":\"UDP\"}\n ,{\"name\":\"reloader-web\",\"containerPort\":8080,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "alertmanager,config-reloader" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "alertmanager-kube-prometheus-stack-alertmanager" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/monitoring/statefulsets/alertmanager-kube-prometheus-stack-alertmanager" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + }, + { + "name": "ISTIO_KUBE_APP_PROBERS", + "value": "{\"/app-health/alertmanager/livez\":{\"httpGet\":{\"path\":\"/-/healthy\",\"port\":9093,\"scheme\":\"HTTP\"},\"timeoutSeconds\":3},\"/app-health/alertmanager/readyz\":{\"httpGet\":{\"path\":\"/-/ready\",\"port\":9093,\"scheme\":\"HTTP\"},\"timeoutSeconds\":3}}" + } + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-48zfn", + "readOnly": true + } + ] + }, + { + "args": [ + "--config.file=/etc/alertmanager/config_out/alertmanager.env.yaml", + "--storage.path=/alertmanager", + "--data.retention=120h", + "--cluster.listen-address=", + "--web.listen-address=:9093", + "--web.external-url=http://kube-prometheus-stack-alertmanager.monitoring:9093", + "--web.route-prefix=/", + "--cluster.label=monitoring/kube-prometheus-stack-alertmanager", + "--cluster.peer=alertmanager-kube-prometheus-stack-alertmanager-0.alertmanager-operated:9094", + "--cluster.reconnect-timeout=5m", + "--web.config.file=/etc/alertmanager/web_config/web-config.yaml" + ], + "env": [ + { + "name": "POD_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + } + ], + "image": "127.0.0.1:31999/prometheus/alertmanager:v0.27.0-zarf-3373367403", + "imagePullPolicy": "IfNotPresent", + "livenessProbe": { + "failureThreshold": 10, + "httpGet": { + "path": "/app-health/alertmanager/livez", + "port": 15020, + "scheme": "HTTP" + }, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "name": "alertmanager", + "ports": [ + { + "containerPort": 9093, + "name": "http-web", + "protocol": "TCP" + }, + { + "containerPort": 9094, + "name": "mesh-tcp", + "protocol": "TCP" + }, + { + "containerPort": 9094, + "name": "mesh-udp", + "protocol": "UDP" + } + ], + "readinessProbe": { + "failureThreshold": 10, + "httpGet": { + "path": "/app-health/alertmanager/readyz", + "port": 15020, + "scheme": "HTTP" + }, + "initialDelaySeconds": 3, + "periodSeconds": 5, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "requests": { + "memory": "200Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "readOnlyRootFilesystem": true + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "FallbackToLogsOnError", + "volumeMounts": [ + { + "mountPath": "/etc/alertmanager/config", + "name": "config-volume" + }, + { + "mountPath": "/etc/alertmanager/config_out", + "name": "config-out", + "readOnly": true + }, + { + "mountPath": "/etc/alertmanager/certs", + "name": "tls-assets", + "readOnly": true + }, + { + "mountPath": "/alertmanager", + "name": "alertmanager-kube-prometheus-stack-alertmanager-db" + }, + { + "mountPath": "/etc/alertmanager/web_config/web-config.yaml", + "name": "web-config", + "readOnly": true, + "subPath": "web-config.yaml" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-48zfn", + "readOnly": true + } + ] + }, + { + "args": [ + "--listen-address=:8080", + "--reload-url=http://127.0.0.1:9093/-/reload", + "--config-file=/etc/alertmanager/config/alertmanager.yaml.gz", + "--config-envsubst-file=/etc/alertmanager/config_out/alertmanager.env.yaml", + "--watched-dir=/etc/alertmanager/config" + ], + "command": [ + "/bin/prometheus-config-reloader" + ], + "env": [ + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "SHARD", + "value": "-1" + } + ], + "image": "127.0.0.1:31999/prometheus-operator/prometheus-config-reloader:v0.74.0-zarf-3626352270", + "imagePullPolicy": "IfNotPresent", + "name": "config-reloader", + "ports": [ + { + "containerPort": 8080, + "name": "reloader-web", + "protocol": "TCP" + } + ], + "resources": { + "limits": { + "cpu": "100m", + "memory": "128Mi" + }, + "requests": { + "cpu": "50m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "readOnlyRootFilesystem": true + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "FallbackToLogsOnError", + "volumeMounts": [ + { + "mountPath": "/etc/alertmanager/config", + "name": "config-volume", + "readOnly": true + }, + { + "mountPath": "/etc/alertmanager/config_out", + "name": "config-out" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-48zfn", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "hostname": "alertmanager-kube-prometheus-stack-alertmanager-0", + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "--watch-interval=0", + "--listen-address=:8080", + "--config-file=/etc/alertmanager/config/alertmanager.yaml.gz", + "--config-envsubst-file=/etc/alertmanager/config_out/alertmanager.env.yaml", + "--watched-dir=/etc/alertmanager/config" + ], + "command": [ + "/bin/prometheus-config-reloader" + ], + "env": [ + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "SHARD", + "value": "-1" + } + ], + "image": "127.0.0.1:31999/prometheus-operator/prometheus-config-reloader:v0.74.0-zarf-3626352270", + "imagePullPolicy": "IfNotPresent", + "name": "init-config-reloader", + "ports": [ + { + "containerPort": 8080, + "name": "reloader-web", + "protocol": "TCP" + } + ], + "resources": { + "limits": { + "cpu": "100m", + "memory": "128Mi" + }, + "requests": { + "cpu": "50m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "readOnlyRootFilesystem": true + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "FallbackToLogsOnError", + "volumeMounts": [ + { + "mountPath": "/etc/alertmanager/config", + "name": "config-volume", + "readOnly": true + }, + { + "mountPath": "/etc/alertmanager/config_out", + "name": "config-out" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-48zfn", + "readOnly": true + } + ] + }, + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-48zfn", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "fsGroup": 2000, + "runAsGroup": 2000, + "runAsNonRoot": true, + "runAsUser": 1000, + "seccompProfile": { + "type": "RuntimeDefault" + } + }, + "serviceAccount": "kube-prometheus-stack-alertmanager", + "serviceAccountName": "kube-prometheus-stack-alertmanager", + "subdomain": "alertmanager-operated", + "terminationGracePeriodSeconds": 120, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "config-volume", + "secret": { + "defaultMode": 420, + "secretName": "alertmanager-kube-prometheus-stack-alertmanager-generated" + } + }, + { + "name": "tls-assets", + "projected": { + "defaultMode": 420, + "sources": [ + { + "secret": { + "name": "alertmanager-kube-prometheus-stack-alertmanager-tls-assets-0" + } + } + ] + } + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "config-out" + }, + { + "name": "web-config", + "secret": { + "defaultMode": 420, + "secretName": "alertmanager-kube-prometheus-stack-alertmanager-web-config" + } + }, + { + "emptyDir": {}, + "name": "alertmanager-kube-prometheus-stack-alertmanager-db" + }, + { + "name": "kube-api-access-48zfn", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:40:43Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:40:47Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:40:47Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:40:40Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://3f0de68c04b02ba3cbab300a9bc068d07ee9df5691ad2d844103ad55ba010739", + "image": "127.0.0.1:31999/prometheus/alertmanager:v0.27.0-zarf-3373367403", + "imageID": "127.0.0.1:31999/prometheus/alertmanager@sha256:2fbdd4c66d91e740fe3fd462d8f52fc3d305a5b403bab3a58feb62be237a84fb", + "lastState": {}, + "name": "alertmanager", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:40:44Z" + } + } + }, + { + "containerID": "containerd://e776e053c29f01987e2f495f590f509c842044d12d107795e364294058afd841", + "image": "127.0.0.1:31999/prometheus-operator/prometheus-config-reloader:v0.74.0-zarf-3626352270", + "imageID": "127.0.0.1:31999/prometheus-operator/prometheus-config-reloader@sha256:2f391ccd12088306b68f620ee4c8ad308d82e746e22484a21edbfa1aaff51df5", + "lastState": {}, + "name": "config-reloader", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:40:44Z" + } + } + }, + { + "containerID": "containerd://946a964dfc5c57b5f9a650d625b04470f2dd95ca3b366b4dfc35d80d20c5ce67", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:40:43Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "initContainerStatuses": [ + { + "containerID": "containerd://c855457cbe7619fd72c332202f6028543bc953c498ef0039f342546d10bc949e", + "image": "127.0.0.1:31999/prometheus-operator/prometheus-config-reloader:v0.74.0-zarf-3626352270", + "imageID": "127.0.0.1:31999/prometheus-operator/prometheus-config-reloader@sha256:2f391ccd12088306b68f620ee4c8ad308d82e746e22484a21edbfa1aaff51df5", + "lastState": {}, + "name": "init-config-reloader", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://c855457cbe7619fd72c332202f6028543bc953c498ef0039f342546d10bc949e", + "exitCode": 0, + "finishedAt": "2024-06-07T14:40:42Z", + "reason": "Completed", + "startedAt": "2024-06-07T14:40:41Z" + } + } + }, + { + "containerID": "containerd://eb4afdfc9260c7e826760af025c0ee12ada879d9282eec2537cafdd305a6755f", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://eb4afdfc9260c7e826760af025c0ee12ada879d9282eec2537cafdd305a6755f", + "exitCode": 0, + "finishedAt": "2024-06-07T14:40:42Z", + "reason": "Completed", + "startedAt": "2024-06-07T14:40:42Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.49", + "podIPs": [ + { + "ip": "10.42.0.49" + } + ], + "qosClass": "Burstable", + "startTime": "2024-06-07T14:40:40Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "kube-state-metrics", + "kubectl.kubernetes.io/default-logs-container": "kube-state-metrics", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": "[\"require-non-root-user\",\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded" + }, + "creationTimestamp": "2024-06-07T14:40:36Z", + "generateName": "kube-prometheus-stack-kube-state-metrics-65594f9476-", + "labels": { + "app.kubernetes.io/component": "metrics", + "app.kubernetes.io/instance": "kube-prometheus-stack", + "app.kubernetes.io/managed-by": "Helm", + "app.kubernetes.io/name": "kube-state-metrics", + "app.kubernetes.io/part-of": "kube-state-metrics", + "app.kubernetes.io/version": "2.12.0", + "helm.sh/chart": "kube-state-metrics-5.19.0", + "pod-template-hash": "65594f9476", + "release": "kube-prometheus-stack", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "kube-state-metrics", + "service.istio.io/canonical-revision": "2.12.0", + "zarf-agent": "patched" + }, + "name": "kube-prometheus-stack-kube-state-metrics-65594f9476-2slwt", + "namespace": "monitoring", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "kube-prometheus-stack-kube-state-metrics-65594f9476", + "uid": "3907c223-9229-433f-b8d5-dbde08ebb417" + } + ], + "resourceVersion": "3283", + "uid": "6ef328fe-f9b7-4096-9d62-428d08d83846" + }, + "spec": { + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"name\":\"http\",\"containerPort\":8080,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "kube-state-metrics" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "kube-prometheus-stack-kube-state-metrics" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/monitoring/deployments/kube-prometheus-stack-kube-state-metrics" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + }, + { + "name": "ISTIO_KUBE_APP_PROBERS", + "value": "{\"/app-health/kube-state-metrics/livez\":{\"httpGet\":{\"path\":\"/healthz\",\"port\":8080,\"scheme\":\"HTTP\"},\"timeoutSeconds\":5},\"/app-health/kube-state-metrics/readyz\":{\"httpGet\":{\"path\":\"/\",\"port\":8080,\"scheme\":\"HTTP\"},\"timeoutSeconds\":5}}" + } + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-bhqx5", + "readOnly": true + } + ] + }, + { + "args": [ + "--port=8080", + "--resources=certificatesigningrequests,configmaps,cronjobs,daemonsets,deployments,endpoints,horizontalpodautoscalers,ingresses,jobs,leases,limitranges,mutatingwebhookconfigurations,namespaces,networkpolicies,nodes,persistentvolumeclaims,persistentvolumes,poddisruptionbudgets,pods,replicasets,replicationcontrollers,resourcequotas,secrets,services,statefulsets,storageclasses,validatingwebhookconfigurations,volumeattachments" + ], + "image": "127.0.0.1:31999/kube-state-metrics/kube-state-metrics:v2.12.0-zarf-3970135638", + "imagePullPolicy": "IfNotPresent", + "livenessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/app-health/kube-state-metrics/livez", + "port": 15020, + "scheme": "HTTP" + }, + "initialDelaySeconds": 5, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 5 + }, + "name": "kube-state-metrics", + "ports": [ + { + "containerPort": 8080, + "name": "http", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/app-health/kube-state-metrics/readyz", + "port": 15020, + "scheme": "HTTP" + }, + "initialDelaySeconds": 5, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 5 + }, + "resources": {}, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "readOnlyRootFilesystem": true + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-bhqx5", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-bhqx5", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "fsGroup": 65534, + "runAsGroup": 65534, + "runAsNonRoot": true, + "runAsUser": 65534, + "seccompProfile": { + "type": "RuntimeDefault" + } + }, + "serviceAccount": "kube-prometheus-stack-kube-state-metrics", + "serviceAccountName": "kube-prometheus-stack-kube-state-metrics", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "kube-api-access-bhqx5", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:40:38Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:40:47Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:40:47Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:40:37Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://ec96f7c2c7a98a6357c94d5b2a781a609711f20a43d648da26de81c4c6c2731d", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:40:38Z" + } + } + }, + { + "containerID": "containerd://7ff7eb875d8cd5356fa58effc23fad66a140ca93993e6cab41d79dae449865cc", + "image": "127.0.0.1:31999/kube-state-metrics/kube-state-metrics:v2.12.0-zarf-3970135638", + "imageID": "127.0.0.1:31999/kube-state-metrics/kube-state-metrics@sha256:0b849c2a1fd2a8e3a8465803c0e0853e063fd89b33ad10847f82152b8f1f7066", + "lastState": {}, + "name": "kube-state-metrics", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:40:39Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "initContainerStatuses": [ + { + "containerID": "containerd://a6e05bbe29a830534010f6447eb2f86ea4016a7f54e69dff89fe2f43f52c74d7", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://a6e05bbe29a830534010f6447eb2f86ea4016a7f54e69dff89fe2f43f52c74d7", + "exitCode": 0, + "finishedAt": "2024-06-07T14:40:37Z", + "reason": "Completed", + "startedAt": "2024-06-07T14:40:37Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.46", + "podIPs": [ + { + "ip": "10.42.0.46" + } + ], + "qosClass": "Burstable", + "startTime": "2024-06-07T14:40:37Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "prometheus", + "kubectl.kubernetes.io/default-logs-container": "prometheus", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "proxy.istio.io/config": "proxyMetadata:\n OUTPUT_CERTS: /etc/istio-output-certs\n", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "sidecar.istio.io/userVolumeMount": "[{\"name\": \"istio-certs\", \"mountPath\": \"/etc/istio-output-certs\"}]", + "traffic.sidecar.istio.io/includeOutboundIPRanges": "", + "uds-core.pepr.dev/mutated": "[\"require-non-root-user\",\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded", + "uds-core.pepr.dev/uds-core-policies.RestrictHostPathWrite": "exempted", + "uds-core.pepr.dev/uds-core-policies.RestrictVolumeTypes": "exempted" + }, + "creationTimestamp": "2024-06-07T14:40:40Z", + "generateName": "prometheus-kube-prometheus-stack-prometheus-", + "labels": { + "app": "prometheus", + "app.kubernetes.io/instance": "kube-prometheus-stack-prometheus", + "app.kubernetes.io/managed-by": "prometheus-operator", + "app.kubernetes.io/name": "prometheus", + "app.kubernetes.io/version": "2.52.0", + "apps.kubernetes.io/pod-index": "0", + "controller-revision-hash": "prometheus-kube-prometheus-stack-prometheus-7fdcfb85d6", + "operator.prometheus.io/name": "kube-prometheus-stack-prometheus", + "operator.prometheus.io/shard": "0", + "prometheus": "kube-prometheus-stack-prometheus", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "prometheus", + "service.istio.io/canonical-revision": "2.52.0", + "statefulset.kubernetes.io/pod-name": "prometheus-kube-prometheus-stack-prometheus-0", + "zarf-agent": "patched" + }, + "name": "prometheus-kube-prometheus-stack-prometheus-0", + "namespace": "monitoring", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "StatefulSet", + "name": "prometheus-kube-prometheus-stack-prometheus", + "uid": "381a9a1e-c0bf-4ae6-bee6-e45ab1b164dd" + } + ], + "resourceVersion": "3396", + "uid": "ec959d87-ee81-4018-8633-cfbdd070a726" + }, + "spec": { + "automountServiceAccountToken": true, + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"proxyMetadata\":{\"OUTPUT_CERTS\":\"/etc/istio-output-certs\"},\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"name\":\"http-web\",\"containerPort\":9090,\"protocol\":\"TCP\"}\n ,{\"name\":\"reloader-web\",\"containerPort\":8080,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "prometheus,config-reloader" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "prometheus-kube-prometheus-stack-prometheus" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/monitoring/statefulsets/prometheus-kube-prometheus-stack-prometheus" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + }, + { + "name": "OUTPUT_CERTS", + "value": "/etc/istio-output-certs" + }, + { + "name": "ISTIO_KUBE_APP_PROBERS", + "value": "{\"/app-health/prometheus/livez\":{\"httpGet\":{\"path\":\"/-/healthy\",\"port\":9090,\"scheme\":\"HTTP\"},\"timeoutSeconds\":3},\"/app-health/prometheus/readyz\":{\"httpGet\":{\"path\":\"/-/ready\",\"port\":9090,\"scheme\":\"HTTP\"},\"timeoutSeconds\":3},\"/app-health/prometheus/startupz\":{\"httpGet\":{\"path\":\"/-/ready\",\"port\":9090,\"scheme\":\"HTTP\"},\"timeoutSeconds\":3}}" + } + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/etc/istio-output-certs", + "name": "istio-certs" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-zch2v", + "readOnly": true + } + ] + }, + { + "args": [ + "--web.console.templates=/etc/prometheus/consoles", + "--web.console.libraries=/etc/prometheus/console_libraries", + "--config.file=/etc/prometheus/config_out/prometheus.env.yaml", + "--web.enable-lifecycle", + "--enable-feature=remote-write-receiver", + "--web.external-url=http://kube-prometheus-stack-prometheus.monitoring:9090", + "--web.route-prefix=/", + "--storage.tsdb.retention.time=10d", + "--storage.tsdb.path=/prometheus", + "--storage.tsdb.wal-compression", + "--web.config.file=/etc/prometheus/web_config/web-config.yaml" + ], + "image": "127.0.0.1:31999/prometheus/prometheus:v2.52.0-zarf-1047855950", + "imagePullPolicy": "IfNotPresent", + "livenessProbe": { + "failureThreshold": 6, + "httpGet": { + "path": "/app-health/prometheus/livez", + "port": 15020, + "scheme": "HTTP" + }, + "periodSeconds": 5, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "name": "prometheus", + "ports": [ + { + "containerPort": 9090, + "name": "http-web", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/app-health/prometheus/readyz", + "port": 15020, + "scheme": "HTTP" + }, + "periodSeconds": 5, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "300m", + "memory": "2Gi" + }, + "requests": { + "cpu": "100m", + "memory": "512Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "readOnlyRootFilesystem": true + }, + "startupProbe": { + "failureThreshold": 60, + "httpGet": { + "path": "/app-health/prometheus/startupz", + "port": 15020, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "FallbackToLogsOnError", + "volumeMounts": [ + { + "mountPath": "/etc/prometheus/config_out", + "name": "config-out", + "readOnly": true + }, + { + "mountPath": "/etc/prometheus/certs", + "name": "tls-assets", + "readOnly": true + }, + { + "mountPath": "/prometheus", + "name": "prometheus-kube-prometheus-stack-prometheus-db", + "subPath": "prometheus-db" + }, + { + "mountPath": "/etc/prom-certs/", + "name": "istio-certs" + }, + { + "mountPath": "/etc/prometheus/rules/prometheus-kube-prometheus-stack-prometheus-rulefiles-0", + "name": "prometheus-kube-prometheus-stack-prometheus-rulefiles-0" + }, + { + "mountPath": "/etc/prometheus/web_config/web-config.yaml", + "name": "web-config", + "readOnly": true, + "subPath": "web-config.yaml" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-zch2v", + "readOnly": true + } + ] + }, + { + "args": [ + "--listen-address=:8080", + "--reload-url=http://127.0.0.1:9090/-/reload", + "--config-file=/etc/prometheus/config/prometheus.yaml.gz", + "--config-envsubst-file=/etc/prometheus/config_out/prometheus.env.yaml", + "--watched-dir=/etc/prometheus/rules/prometheus-kube-prometheus-stack-prometheus-rulefiles-0" + ], + "command": [ + "/bin/prometheus-config-reloader" + ], + "env": [ + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "SHARD", + "value": "0" + } + ], + "image": "127.0.0.1:31999/prometheus-operator/prometheus-config-reloader:v0.74.0-zarf-3626352270", + "imagePullPolicy": "IfNotPresent", + "name": "config-reloader", + "ports": [ + { + "containerPort": 8080, + "name": "reloader-web", + "protocol": "TCP" + } + ], + "resources": { + "limits": { + "cpu": "100m", + "memory": "128Mi" + }, + "requests": { + "cpu": "50m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "readOnlyRootFilesystem": true + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "FallbackToLogsOnError", + "volumeMounts": [ + { + "mountPath": "/etc/prometheus/config", + "name": "config" + }, + { + "mountPath": "/etc/prometheus/config_out", + "name": "config-out" + }, + { + "mountPath": "/etc/prometheus/rules/prometheus-kube-prometheus-stack-prometheus-rulefiles-0", + "name": "prometheus-kube-prometheus-stack-prometheus-rulefiles-0" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-zch2v", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "hostname": "prometheus-kube-prometheus-stack-prometheus-0", + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "--watch-interval=0", + "--listen-address=:8080", + "--config-file=/etc/prometheus/config/prometheus.yaml.gz", + "--config-envsubst-file=/etc/prometheus/config_out/prometheus.env.yaml", + "--watched-dir=/etc/prometheus/rules/prometheus-kube-prometheus-stack-prometheus-rulefiles-0" + ], + "command": [ + "/bin/prometheus-config-reloader" + ], + "env": [ + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "SHARD", + "value": "0" + } + ], + "image": "127.0.0.1:31999/prometheus-operator/prometheus-config-reloader:v0.74.0-zarf-3626352270", + "imagePullPolicy": "IfNotPresent", + "name": "init-config-reloader", + "ports": [ + { + "containerPort": 8080, + "name": "reloader-web", + "protocol": "TCP" + } + ], + "resources": { + "limits": { + "cpu": "100m", + "memory": "128Mi" + }, + "requests": { + "cpu": "50m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "readOnlyRootFilesystem": true + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "FallbackToLogsOnError", + "volumeMounts": [ + { + "mountPath": "/etc/prometheus/config", + "name": "config" + }, + { + "mountPath": "/etc/prometheus/config_out", + "name": "config-out" + }, + { + "mountPath": "/etc/prometheus/rules/prometheus-kube-prometheus-stack-prometheus-rulefiles-0", + "name": "prometheus-kube-prometheus-stack-prometheus-rulefiles-0" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-zch2v", + "readOnly": true + } + ] + }, + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "OUTPUT_CERTS", + "value": "/etc/istio-output-certs" + } + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-zch2v", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "fsGroup": 2000, + "runAsGroup": 2000, + "runAsNonRoot": true, + "runAsUser": 1000, + "seccompProfile": { + "type": "RuntimeDefault" + } + }, + "serviceAccount": "kube-prometheus-stack-prometheus", + "serviceAccountName": "kube-prometheus-stack-prometheus", + "shareProcessNamespace": false, + "subdomain": "prometheus-operated", + "terminationGracePeriodSeconds": 600, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "prometheus-kube-prometheus-stack-prometheus-db", + "persistentVolumeClaim": { + "claimName": "prometheus-kube-prometheus-stack-prometheus-db-prometheus-kube-prometheus-stack-prometheus-0" + } + }, + { + "name": "config", + "secret": { + "defaultMode": 420, + "secretName": "prometheus-kube-prometheus-stack-prometheus" + } + }, + { + "name": "tls-assets", + "projected": { + "defaultMode": 420, + "sources": [ + { + "secret": { + "name": "prometheus-kube-prometheus-stack-prometheus-tls-assets-0" + } + } + ] + } + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "config-out" + }, + { + "configMap": { + "defaultMode": 420, + "name": "prometheus-kube-prometheus-stack-prometheus-rulefiles-0" + }, + "name": "prometheus-kube-prometheus-stack-prometheus-rulefiles-0" + }, + { + "name": "web-config", + "secret": { + "defaultMode": 420, + "secretName": "prometheus-kube-prometheus-stack-prometheus-web-config" + } + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-certs" + }, + { + "name": "kube-api-access-zch2v", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:40:47Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:41:00Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:41:00Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:40:44Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://86023ec56c04e539dbeb150747ffdb73ed4db0e6af05fe19a80ebc03dc698356", + "image": "127.0.0.1:31999/prometheus-operator/prometheus-config-reloader:v0.74.0-zarf-3626352270", + "imageID": "127.0.0.1:31999/prometheus-operator/prometheus-config-reloader@sha256:2f391ccd12088306b68f620ee4c8ad308d82e746e22484a21edbfa1aaff51df5", + "lastState": {}, + "name": "config-reloader", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:40:49Z" + } + } + }, + { + "containerID": "containerd://2860f0575865ade2911ba880f45f070844a844b691f491e6bc6adf864983984e", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:40:47Z" + } + } + }, + { + "containerID": "containerd://ab41954c1d1aed6af64c9107fbc2b3052f5eaea167c56f2a534820225898f315", + "image": "127.0.0.1:31999/prometheus/prometheus:v2.52.0-zarf-1047855950", + "imageID": "127.0.0.1:31999/prometheus/prometheus@sha256:b922bb8c3ddb40066be79e704e22b94513acaada413fd22eb99ea4afe8740b43", + "lastState": {}, + "name": "prometheus", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:40:49Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "initContainerStatuses": [ + { + "containerID": "containerd://ecad69b5666b61947da072fbe6d161f43fef167201774ce899824141aee820fe", + "image": "127.0.0.1:31999/prometheus-operator/prometheus-config-reloader:v0.74.0-zarf-3626352270", + "imageID": "127.0.0.1:31999/prometheus-operator/prometheus-config-reloader@sha256:2f391ccd12088306b68f620ee4c8ad308d82e746e22484a21edbfa1aaff51df5", + "lastState": {}, + "name": "init-config-reloader", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://ecad69b5666b61947da072fbe6d161f43fef167201774ce899824141aee820fe", + "exitCode": 0, + "finishedAt": "2024-06-07T14:40:45Z", + "reason": "Completed", + "startedAt": "2024-06-07T14:40:45Z" + } + } + }, + { + "containerID": "containerd://afa5faa7fb1c89b49d309d4ecc89fd93681e6ab9f8ea4b23e1c9762bb11225ff", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://afa5faa7fb1c89b49d309d4ecc89fd93681e6ab9f8ea4b23e1c9762bb11225ff", + "exitCode": 0, + "finishedAt": "2024-06-07T14:40:46Z", + "reason": "Completed", + "startedAt": "2024-06-07T14:40:46Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.51", + "podIPs": [ + { + "ip": "10.42.0.51" + } + ], + "qosClass": "Burstable", + "startTime": "2024-06-07T14:40:44Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "checksum/init-configmap": "d2907592400cb73cef987a87115b0c6a17428bfdbda232ddf0de6ea52f3eb571", + "checksum/uds-sso-secret": "", + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "neuvector-controller-pod", + "kubectl.kubernetes.io/default-logs-container": "neuvector-controller-pod", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/uds-core-policies": "succeeded", + "uds-core.pepr.dev/uds-core-policies.DisallowPrivileged": "exempted", + "uds-core.pepr.dev/uds-core-policies.DropAllCapabilities": "exempted", + "uds-core.pepr.dev/uds-core-policies.RequireNonRootUser": "exempted", + "uds-core.pepr.dev/uds-core-policies.RestrictHostPathWrite": "exempted", + "uds-core.pepr.dev/uds-core-policies.RestrictVolumeTypes": "exempted" + }, + "creationTimestamp": "2024-06-07T14:41:09Z", + "generateName": "neuvector-controller-pod-5d7c9d5588-", + "labels": { + "app": "neuvector-controller-pod", + "pod-template-hash": "5d7c9d5588", + "release": "core", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "neuvector-controller-pod", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": "neuvector-controller-pod-5d7c9d5588-nxn6p", + "namespace": "neuvector", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "neuvector-controller-pod-5d7c9d5588", + "uid": "eb3a14bf-c3f0-4fef-a657-a25c5a712a93" + } + ], + "resourceVersion": "3566", + "uid": "cc4d43f8-aa36-429e-aa94-f827d5cb915c" + }, + "spec": { + "affinity": { + "podAntiAffinity": { + "preferredDuringSchedulingIgnoredDuringExecution": [ + { + "podAffinityTerm": { + "labelSelector": { + "matchExpressions": [ + { + "key": "app", + "operator": "In", + "values": [ + "neuvector-controller-pod" + ] + } + ] + }, + "topologyKey": "kubernetes.io/hostname" + }, + "weight": 100 + } + ] + } + }, + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "neuvector-controller-pod" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "neuvector-controller-pod" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/neuvector/deployments/neuvector-controller-pod" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + } + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-q4k2v", + "readOnly": true + } + ] + }, + { + "env": [ + { + "name": "CLUSTER_JOIN_ADDR", + "value": "neuvector-svc-controller.neuvector" + }, + { + "name": "CLUSTER_ADVERTISED_ADDR", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "CLUSTER_BIND_ADDR", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "NO_DEFAULT_ADMIN", + "value": "1" + } + ], + "image": "127.0.0.1:31999/neuvector/controller:5.3.2-zarf-4157091163", + "imagePullPolicy": "IfNotPresent", + "name": "neuvector-controller-pod", + "readinessProbe": { + "exec": { + "command": [ + "cat", + "/tmp/ready" + ] + }, + "failureThreshold": 3, + "initialDelaySeconds": 5, + "periodSeconds": 5, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "resources": {}, + "securityContext": { + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/config", + "name": "config-volume", + "readOnly": true + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-q4k2v", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-q4k2v", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": {}, + "serviceAccount": "controller", + "serviceAccountName": "controller", + "terminationGracePeriodSeconds": 300, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "config-volume", + "projected": { + "defaultMode": 420, + "sources": [ + { + "configMap": { + "name": "neuvector-init", + "optional": true + } + }, + { + "secret": { + "name": "neuvector-init", + "optional": true + } + }, + { + "secret": { + "name": "neuvector-secret", + "optional": true + } + } + ] + } + }, + { + "name": "kube-api-access-q4k2v", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:41:12Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:41:31Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:41:31Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:41:09Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://95214988c5f738e7d783d5486867b1262db461e51ac0fe44aa1da7cadb982390", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:41:12Z" + } + } + }, + { + "containerID": "containerd://bb10636ff8f86e1faed4105e47dc92f9d71192271867421be5edf1763ae697af", + "image": "127.0.0.1:31999/neuvector/controller:5.3.2-zarf-4157091163", + "imageID": "127.0.0.1:31999/neuvector/controller@sha256:c5d6ff1924fdad2b8e4fdb428a7636edd82ea50ef94ab15e9a0c7117fc607d1c", + "lastState": {}, + "name": "neuvector-controller-pod", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:41:15Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "initContainerStatuses": [ + { + "containerID": "containerd://87c33d4712b6b7fe0fe3a33257677cb8fa1b4898e956e2144044d1909cfc5251", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://87c33d4712b6b7fe0fe3a33257677cb8fa1b4898e956e2144044d1909cfc5251", + "exitCode": 0, + "finishedAt": "2024-06-07T14:41:11Z", + "reason": "Completed", + "startedAt": "2024-06-07T14:41:11Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.55", + "podIPs": [ + { + "ip": "10.42.0.55" + } + ], + "qosClass": "Burstable", + "startTime": "2024-06-07T14:41:09Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "checksum/config": "5e25fa9a618f14d4d9593ca3a824ce003a30a8cbb52327a8e9b818ac547c3cc5", + "checksum/sc-dashboard-provider-config": "593c0a8778b83f11fe80ccb21dfb20bc46705e2be3178df1dc4c89d164c8cd9c", + "checksum/secret": "4b38b5e9fc91844d569e9bebd5496fd9ad287f48dbe68676c670b0a3a12dd139", + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "grafana", + "kubectl.kubernetes.io/default-logs-container": "grafana-sc-dashboard", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": "[\"require-non-root-user\",\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded" + }, + "creationTimestamp": "2024-06-07T14:41:48Z", + "generateName": "grafana-686487c574-", + "labels": { + "app.kubernetes.io/instance": "grafana", + "app.kubernetes.io/name": "grafana", + "pod-template-hash": "686487c574", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "grafana", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": "grafana-686487c574-48lqp", + "namespace": "grafana", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "grafana-686487c574", + "uid": "33cb3601-ba2a-4f7c-a637-605d9840731d" + } + ], + "resourceVersion": "3736", + "uid": "2b71baf7-7125-4567-a82d-4447558f7672" + }, + "spec": { + "automountServiceAccountToken": true, + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"name\":\"grafana\",\"containerPort\":3000,\"protocol\":\"TCP\"}\n ,{\"name\":\"gossip-tcp\",\"containerPort\":9094,\"protocol\":\"TCP\"}\n ,{\"name\":\"gossip-udp\",\"containerPort\":9094,\"protocol\":\"UDP\"}\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "grafana-sc-dashboard,grafana-sc-datasources,grafana" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "grafana" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/grafana/deployments/grafana" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + }, + { + "name": "ISTIO_KUBE_APP_PROBERS", + "value": "{\"/app-health/grafana/livez\":{\"httpGet\":{\"path\":\"/api/health\",\"port\":3000,\"scheme\":\"HTTP\"},\"timeoutSeconds\":30},\"/app-health/grafana/readyz\":{\"httpGet\":{\"path\":\"/api/health\",\"port\":3000,\"scheme\":\"HTTP\"},\"timeoutSeconds\":1}}" + } + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-bn7rz", + "readOnly": true + } + ] + }, + { + "env": [ + { + "name": "METHOD", + "value": "WATCH" + }, + { + "name": "LABEL", + "value": "grafana_dashboard" + }, + { + "name": "FOLDER", + "value": "/tmp/dashboards" + }, + { + "name": "RESOURCE", + "value": "both" + }, + { + "name": "NAMESPACE", + "value": "ALL" + }, + { + "name": "REQ_USERNAME", + "valueFrom": { + "secretKeyRef": { + "key": "admin-user", + "name": "grafana" + } + } + }, + { + "name": "REQ_PASSWORD", + "valueFrom": { + "secretKeyRef": { + "key": "admin-password", + "name": "grafana" + } + } + }, + { + "name": "REQ_URL", + "value": "http://localhost:3000/api/admin/provisioning/dashboards/reload" + }, + { + "name": "REQ_METHOD", + "value": "POST" + } + ], + "image": "127.0.0.1:31999/kiwigrid/k8s-sidecar:1.26.1-zarf-4221900739", + "imagePullPolicy": "IfNotPresent", + "name": "grafana-sc-dashboard", + "resources": {}, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "seccompProfile": { + "type": "RuntimeDefault" + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/tmp/dashboards", + "name": "sc-dashboard-volume" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-bn7rz", + "readOnly": true + } + ] + }, + { + "env": [ + { + "name": "METHOD", + "value": "WATCH" + }, + { + "name": "LABEL", + "value": "grafana_datasource" + }, + { + "name": "FOLDER", + "value": "/etc/grafana/provisioning/datasources" + }, + { + "name": "RESOURCE", + "value": "both" + }, + { + "name": "REQ_USERNAME", + "valueFrom": { + "secretKeyRef": { + "key": "admin-user", + "name": "grafana" + } + } + }, + { + "name": "REQ_PASSWORD", + "valueFrom": { + "secretKeyRef": { + "key": "admin-password", + "name": "grafana" + } + } + }, + { + "name": "REQ_URL", + "value": "http://localhost:3000/api/admin/provisioning/datasources/reload" + }, + { + "name": "REQ_METHOD", + "value": "POST" + } + ], + "image": "127.0.0.1:31999/kiwigrid/k8s-sidecar:1.26.1-zarf-4221900739", + "imagePullPolicy": "IfNotPresent", + "name": "grafana-sc-datasources", + "resources": {}, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "seccompProfile": { + "type": "RuntimeDefault" + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/grafana/provisioning/datasources", + "name": "sc-datasources-volume" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-bn7rz", + "readOnly": true + } + ] + }, + { + "env": [ + { + "name": "POD_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "GF_SECURITY_ADMIN_USER", + "valueFrom": { + "secretKeyRef": { + "key": "admin-user", + "name": "grafana" + } + } + }, + { + "name": "GF_SECURITY_ADMIN_PASSWORD", + "valueFrom": { + "secretKeyRef": { + "key": "admin-password", + "name": "grafana" + } + } + }, + { + "name": "GF_PATHS_DATA", + "value": "/var/lib/grafana/" + }, + { + "name": "GF_PATHS_LOGS", + "value": "/var/log/grafana" + }, + { + "name": "GF_PATHS_PLUGINS", + "value": "/var/lib/grafana/plugins" + }, + { + "name": "GF_PATHS_PROVISIONING", + "value": "/etc/grafana/provisioning" + } + ], + "image": "127.0.0.1:31999/grafana/grafana:10.4.2-zarf-855602154", + "imagePullPolicy": "IfNotPresent", + "livenessProbe": { + "failureThreshold": 10, + "httpGet": { + "path": "/app-health/grafana/livez", + "port": 15020, + "scheme": "HTTP" + }, + "initialDelaySeconds": 60, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 30 + }, + "name": "grafana", + "ports": [ + { + "containerPort": 3000, + "name": "grafana", + "protocol": "TCP" + }, + { + "containerPort": 9094, + "name": "gossip-tcp", + "protocol": "TCP" + }, + { + "containerPort": 9094, + "name": "gossip-udp", + "protocol": "UDP" + } + ], + "readinessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/app-health/grafana/readyz", + "port": 15020, + "scheme": "HTTP" + }, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "resources": {}, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "seccompProfile": { + "type": "RuntimeDefault" + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/grafana/grafana.ini", + "name": "config", + "subPath": "grafana.ini" + }, + { + "mountPath": "/var/lib/grafana", + "name": "storage" + }, + { + "mountPath": "/tmp/dashboards", + "name": "sc-dashboard-volume" + }, + { + "mountPath": "/etc/grafana/provisioning/dashboards/sc-dashboardproviders.yaml", + "name": "sc-dashboard-provider", + "subPath": "provider.yaml" + }, + { + "mountPath": "/etc/grafana/provisioning/datasources", + "name": "sc-datasources-volume" + }, + { + "mountPath": "/etc/secrets/auth_generic_oauth", + "name": "auth-generic-oauth-secret-mount", + "readOnly": true + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-bn7rz", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-bn7rz", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "fsGroup": 472, + "runAsGroup": 472, + "runAsNonRoot": true, + "runAsUser": 472 + }, + "serviceAccount": "grafana", + "serviceAccountName": "grafana", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "configMap": { + "defaultMode": 420, + "name": "grafana" + }, + "name": "config" + }, + { + "emptyDir": {}, + "name": "storage" + }, + { + "emptyDir": {}, + "name": "sc-dashboard-volume" + }, + { + "configMap": { + "defaultMode": 420, + "name": "grafana-config-dashboards" + }, + "name": "sc-dashboard-provider" + }, + { + "emptyDir": {}, + "name": "sc-datasources-volume" + }, + { + "name": "auth-generic-oauth-secret-mount", + "secret": { + "defaultMode": 288, + "secretName": "sso-client-uds-core-admin-grafana" + } + }, + { + "name": "kube-api-access-bn7rz", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:41:57Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:42:07Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:42:07Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:41:48Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://8758e045b633cc11094f4c891a56a432b56a6874ab8a15473c68b96b93a7003d", + "image": "127.0.0.1:31999/grafana/grafana:10.4.2-zarf-855602154", + "imageID": "127.0.0.1:31999/grafana/grafana@sha256:173b46f35cdbcb4b137868a5488be265eb0bb8487d959bb970e62171225f202f", + "lastState": {}, + "name": "grafana", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:42:04Z" + } + } + }, + { + "containerID": "containerd://667eaa618923b71ef9eb723f5b1f5f38b4b60120aa3289e50d1786f318622182", + "image": "127.0.0.1:31999/kiwigrid/k8s-sidecar:1.26.1-zarf-4221900739", + "imageID": "127.0.0.1:31999/kiwigrid/k8s-sidecar@sha256:b2e05106a897584f31a33dbd9f3efd1a5153f2197d2bd3213d94e23a6f32f725", + "lastState": {}, + "name": "grafana-sc-dashboard", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:41:59Z" + } + } + }, + { + "containerID": "containerd://5f5ed8e1abe482780cf6ae0cfd2b40af044f5dfdbf1eb9898f3bb9bc67b933bf", + "image": "127.0.0.1:31999/kiwigrid/k8s-sidecar:1.26.1-zarf-4221900739", + "imageID": "127.0.0.1:31999/kiwigrid/k8s-sidecar@sha256:b2e05106a897584f31a33dbd9f3efd1a5153f2197d2bd3213d94e23a6f32f725", + "lastState": {}, + "name": "grafana-sc-datasources", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:41:59Z" + } + } + }, + { + "containerID": "containerd://d7d3d74612b6b1b8f2fed8a9cfc29aa12c9d008953225878eafb2601512e6ca9", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:41:57Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "initContainerStatuses": [ + { + "containerID": "containerd://64084b27ff629f5e4bb83082243539ed0475d0f0ba2dd54dcde057467b6968dc", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://64084b27ff629f5e4bb83082243539ed0475d0f0ba2dd54dcde057467b6968dc", + "exitCode": 0, + "finishedAt": "2024-06-07T14:41:57Z", + "reason": "Completed", + "startedAt": "2024-06-07T14:41:56Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.57", + "podIPs": [ + { + "ip": "10.42.0.57" + } + ], + "qosClass": "Burstable", + "startTime": "2024-06-07T14:41:48Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "checksum/config": "f0969d09510ef78afd7c2ce0bcab5032fd83dd4fab9b7455113fa6d4d7197026", + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "authservice", + "kubectl.kubernetes.io/default-logs-container": "authservice", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": "[\"require-non-root-user\",\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded" + }, + "creationTimestamp": "2024-06-07T14:42:14Z", + "generateName": "authservice-5dbcd95947-", + "labels": { + "app.kubernetes.io/instance": "authservice", + "app.kubernetes.io/name": "authservice", + "pod-template-hash": "5dbcd95947", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "authservice", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": "authservice-5dbcd95947-p9snb", + "namespace": "authservice", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "authservice-5dbcd95947", + "uid": "6c0d36a6-4b81-4b40-ac7c-76ab963e2679" + } + ], + "resourceVersion": "3834", + "uid": "eb91bbd4-18ed-4da6-a672-1c61fdbd3a9f" + }, + "spec": { + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"name\":\"http\",\"containerPort\":10003,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "authservice" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "authservice" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/authservice/deployments/authservice" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + }, + { + "name": "ISTIO_KUBE_APP_PROBERS", + "value": "{\"/app-health/authservice/livez\":{\"tcpSocket\":{\"port\":10003},\"timeoutSeconds\":1},\"/app-health/authservice/readyz\":{\"tcpSocket\":{\"port\":10003},\"timeoutSeconds\":1}}" + } + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-q92n7", + "readOnly": true + } + ] + }, + { + "image": "127.0.0.1:31999/istio-ecosystem/authservice/authservice:0.5.3-zarf-3409882933", + "imagePullPolicy": "IfNotPresent", + "livenessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/app-health/authservice/livez", + "port": 15020, + "scheme": "HTTP" + }, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "name": "authservice", + "ports": [ + { + "containerPort": 10003, + "name": "http", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/app-health/authservice/readyz", + "port": 15020, + "scheme": "HTTP" + }, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "resources": {}, + "securityContext": { + "capabilities": { + "drop": [ + "ALL" + ] + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/authservice", + "name": "authservice" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-q92n7", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-q92n7", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "runAsGroup": 1000, + "runAsNonRoot": true, + "runAsUser": 1000 + }, + "serviceAccount": "default", + "serviceAccountName": "default", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "authservice", + "secret": { + "defaultMode": 420, + "secretName": "authservice" + } + }, + { + "name": "kube-api-access-q92n7", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:42:16Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:42:20Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:42:20Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:42:14Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://3649352210284b1182b34bac205eba605ff6d74a030fe9d90f1df4b09adf9560", + "image": "127.0.0.1:31999/istio-ecosystem/authservice/authservice:0.5.3-zarf-3409882933", + "imageID": "127.0.0.1:31999/istio-ecosystem/authservice/authservice@sha256:eeb082929ebf22bebd3141f23916694add1e4ab607b2c15ffa30a919998a6528", + "lastState": {}, + "name": "authservice", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:42:18Z" + } + } + }, + { + "containerID": "containerd://fe10bfd4a4c2b9f92d2e49168ad69df0dcb172c6e46c01bdafb2c08979510d9a", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:42:17Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "initContainerStatuses": [ + { + "containerID": "containerd://cd30bb943578b69f28539b8a557632663ed71d94565c353a1be25e4d4904bc27", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://cd30bb943578b69f28539b8a557632663ed71d94565c353a1be25e4d4904bc27", + "exitCode": 0, + "finishedAt": "2024-06-07T14:42:15Z", + "reason": "Completed", + "startedAt": "2024-06-07T14:42:15Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.59", + "podIPs": [ + { + "ip": "10.42.0.59" + } + ], + "qosClass": "Burstable", + "startTime": "2024-06-07T14:42:14Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "checksum/secret": "79f899ac6a4a76b043e67e4b17b25dfdf1b899526953bf3015fc1b4e41123ee5", + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "velero", + "kubectl.kubernetes.io/default-logs-container": "velero", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": "[\"require-non-root-user\",\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded" + }, + "creationTimestamp": "2024-06-07T14:42:59Z", + "generateName": "velero-5d99fdc5b5-", + "labels": { + "app.kubernetes.io/instance": "velero", + "app.kubernetes.io/managed-by": "Helm", + "app.kubernetes.io/name": "velero", + "helm.sh/chart": "velero-6.6.0", + "name": "velero", + "pod-template-hash": "5d99fdc5b5", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "velero", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": "velero-5d99fdc5b5-6rk9f", + "namespace": "velero", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "velero-5d99fdc5b5", + "uid": "d76f7c15-69e5-4c4c-8607-be0149ea25e0" + } + ], + "resourceVersion": "4167", + "uid": "4748be5d-80a0-4556-bf6b-d327ec8f3008" + }, + "spec": { + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"name\":\"http-monitoring\",\"containerPort\":8085,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "velero" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "velero" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/velero/deployments/velero" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + }, + { + "name": "ISTIO_KUBE_APP_PROBERS", + "value": "{\"/app-health/velero/livez\":{\"httpGet\":{\"path\":\"/metrics\",\"port\":8085,\"scheme\":\"HTTP\"},\"timeoutSeconds\":5},\"/app-health/velero/readyz\":{\"httpGet\":{\"path\":\"/metrics\",\"port\":8085,\"scheme\":\"HTTP\"},\"timeoutSeconds\":5}}" + } + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-2gnxr", + "readOnly": true + } + ] + }, + { + "args": [ + "server", + "--uploader-type=kopia" + ], + "command": [ + "/velero" + ], + "env": [ + { + "name": "VELERO_SCRATCH_DIR", + "value": "/scratch" + }, + { + "name": "VELERO_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "LD_LIBRARY_PATH", + "value": "/plugins" + }, + { + "name": "AWS_SHARED_CREDENTIALS_FILE", + "value": "/credentials/cloud" + }, + { + "name": "GOOGLE_APPLICATION_CREDENTIALS", + "value": "/credentials/cloud" + }, + { + "name": "AZURE_CREDENTIALS_FILE", + "value": "/credentials/cloud" + }, + { + "name": "ALIBABA_CLOUD_CREDENTIALS_FILE", + "value": "/credentials/cloud" + } + ], + "image": "127.0.0.1:31999/velero/velero:v1.13.2-zarf-726794283", + "imagePullPolicy": "IfNotPresent", + "livenessProbe": { + "failureThreshold": 5, + "httpGet": { + "path": "/app-health/velero/livez", + "port": 15020, + "scheme": "HTTP" + }, + "initialDelaySeconds": 10, + "periodSeconds": 30, + "successThreshold": 1, + "timeoutSeconds": 5 + }, + "name": "velero", + "ports": [ + { + "containerPort": 8085, + "name": "http-monitoring", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 5, + "httpGet": { + "path": "/app-health/velero/readyz", + "port": 15020, + "scheme": "HTTP" + }, + "initialDelaySeconds": 10, + "periodSeconds": 30, + "successThreshold": 1, + "timeoutSeconds": 5 + }, + "resources": { + "limits": { + "cpu": "1", + "memory": "512Mi" + }, + "requests": { + "cpu": "500m", + "memory": "128Mi" + } + }, + "securityContext": { + "capabilities": { + "drop": [ + "ALL" + ] + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/plugins", + "name": "plugins" + }, + { + "mountPath": "/credentials", + "name": "cloud-credentials" + }, + { + "mountPath": "/scratch", + "name": "scratch" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-2gnxr", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "image": "127.0.0.1:31999/velero/velero-plugin-for-aws:v1.9.2-zarf-3048596433", + "imagePullPolicy": "IfNotPresent", + "name": "velero-plugin-for-aws", + "resources": {}, + "securityContext": { + "capabilities": { + "drop": [ + "ALL" + ] + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/target", + "name": "plugins" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-2gnxr", + "readOnly": true + } + ] + }, + { + "image": "127.0.0.1:31999/velero/velero-plugin-for-csi:v0.7.1-zarf-792660929", + "imagePullPolicy": "IfNotPresent", + "name": "velero-plugin-for-csi", + "resources": {}, + "securityContext": { + "capabilities": { + "drop": [ + "ALL" + ] + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/target", + "name": "plugins" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-2gnxr", + "readOnly": true + } + ] + }, + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-2gnxr", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "runAsGroup": 1000, + "runAsNonRoot": true, + "runAsUser": 1000 + }, + "serviceAccount": "velero-server", + "serviceAccountName": "velero-server", + "terminationGracePeriodSeconds": 3600, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "cloud-credentials", + "secret": { + "defaultMode": 420, + "secretName": "velero-bucket-credentials" + } + }, + { + "emptyDir": {}, + "name": "plugins" + }, + { + "emptyDir": {}, + "name": "scratch" + }, + { + "name": "kube-api-access-2gnxr", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:43:04Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:43:29Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:43:29Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:42:59Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://3a5b45dc41df6b3431ef268b83129a2e58a9d7e1c6107ad48d8cdcd7e2f80c32", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:43:04Z" + } + } + }, + { + "containerID": "containerd://ef189f589c4bb96baf1e9787c84423f70d56d6eb907e9de21c292d7b372ff97a", + "image": "127.0.0.1:31999/velero/velero:v1.13.2-zarf-726794283", + "imageID": "127.0.0.1:31999/velero/velero@sha256:94c06080c3297fbdfd9877c60fdbfd0e9ee6ff04368dcdfb5343f5fb2d29568a", + "lastState": {}, + "name": "velero", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:43:04Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "initContainerStatuses": [ + { + "containerID": "containerd://44cd80e33ce5c513f01467f04c99358348cfb34d666ee5ff95c5c2c41d3427e1", + "image": "127.0.0.1:31999/velero/velero-plugin-for-aws:v1.9.2-zarf-3048596433", + "imageID": "127.0.0.1:31999/velero/velero-plugin-for-aws@sha256:3c0114ecb87368556cf8415959ceb82e1fca053ca1d049f115a43c2e0e2c3c66", + "lastState": {}, + "name": "velero-plugin-for-aws", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://44cd80e33ce5c513f01467f04c99358348cfb34d666ee5ff95c5c2c41d3427e1", + "exitCode": 0, + "finishedAt": "2024-06-07T14:43:00Z", + "reason": "Completed", + "startedAt": "2024-06-07T14:43:00Z" + } + } + }, + { + "containerID": "containerd://7315f8c7db9149bf9abd9128ac1c42e46a604f605aacfda4cf71393ec20b2199", + "image": "127.0.0.1:31999/velero/velero-plugin-for-csi:v0.7.1-zarf-792660929", + "imageID": "127.0.0.1:31999/velero/velero-plugin-for-csi@sha256:d9e0d38f3d46596d293f118269f2e08da5e14cbc3c10f1bb612035938bec674d", + "lastState": {}, + "name": "velero-plugin-for-csi", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://7315f8c7db9149bf9abd9128ac1c42e46a604f605aacfda4cf71393ec20b2199", + "exitCode": 0, + "finishedAt": "2024-06-07T14:43:02Z", + "reason": "Completed", + "startedAt": "2024-06-07T14:43:02Z" + } + } + }, + { + "containerID": "containerd://0af4e7f30ecd4098890b50dc1cb0e624d63d64e0b492393c2ea3c63c16d24b2c", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://0af4e7f30ecd4098890b50dc1cb0e624d63d64e0b492393c2ea3c63c16d24b2c", + "exitCode": 0, + "finishedAt": "2024-06-07T14:43:03Z", + "reason": "Completed", + "startedAt": "2024-06-07T14:43:03Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.61", + "podIPs": [ + { + "ip": "10.42.0.61" + } + ], + "qosClass": "Burstable", + "startTime": "2024-06-07T14:42:59Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "neuvector-updater-pod", + "kubectl.kubernetes.io/default-logs-container": "neuvector-updater-pod", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": "[\"require-non-root-user\",\"drop-all-capabilities\",\"require-non-root-user\",\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded" + }, + "creationTimestamp": "2024-06-08T11:31:45Z", + "generateName": "neuvector-updater-pod-28630080-", + "labels": { + "app": "neuvector-updater-pod", + "batch.kubernetes.io/controller-uid": "69a3dfd3-1798-4541-abaf-9fd045080de1", + "batch.kubernetes.io/job-name": "neuvector-updater-pod-28630080", + "controller-uid": "69a3dfd3-1798-4541-abaf-9fd045080de1", + "job-name": "neuvector-updater-pod-28630080", + "release": "core", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "neuvector-updater-pod", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": "neuvector-updater-pod-28630080-nk5f5", + "namespace": "neuvector", + "ownerReferences": [ + { + "apiVersion": "batch/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "Job", + "name": "neuvector-updater-pod-28630080", + "uid": "69a3dfd3-1798-4541-abaf-9fd045080de1" + } + ], + "resourceVersion": "39926", + "uid": "f3c05205-e1b8-43a5-95dd-cd1b1c02bc0a" + }, + "spec": { + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "neuvector-updater-pod" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "neuvector-updater-pod" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/batch/v1/namespaces/neuvector/cronjobs/neuvector-updater-pod" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + } + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-htlkn", + "readOnly": true + } + ] + }, + { + "command": [ + "/bin/sh", + "-c", + "/usr/bin/curl -kv -X PATCH -H \"Authorization:Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)\" -H \"Content-Type:application/strategic-merge-patch+json\" -d '{\"spec\":{\"template\":{\"metadata\":{\"annotations\":{\"kubectl.kubernetes.io/restartedAt\":\"'`date +%Y-%m-%dT%H:%M:%S%z`'\"}}}}}' 'https://kubernetes.default/apis/apps/v1/namespaces/neuvector/deployments/neuvector-scanner-pod'" + ], + "image": "127.0.0.1:31999/neuvector/updater:latest-zarf-2735231738", + "imagePullPolicy": "Always", + "name": "neuvector-updater-pod", + "resources": {}, + "securityContext": { + "capabilities": { + "drop": [ + "ALL" + ] + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-htlkn", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-htlkn", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Never", + "schedulerName": "default-scheduler", + "securityContext": { + "runAsGroup": 1000, + "runAsNonRoot": true, + "runAsUser": 1000 + }, + "serviceAccount": "updater", + "serviceAccountName": "updater", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "kube-api-access-htlkn", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-08T11:31:47Z", + "reason": "PodCompleted", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-08T11:31:45Z", + "reason": "PodCompleted", + "status": "False", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-08T11:31:45Z", + "reason": "PodCompleted", + "status": "False", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-08T11:31:45Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://d9347e9017d5617a7de62560cf88ef083c8ada121d990de1f018f99bd14679ca", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-proxy", + "ready": false, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://d9347e9017d5617a7de62560cf88ef083c8ada121d990de1f018f99bd14679ca", + "exitCode": 0, + "finishedAt": "2024-06-08T11:48:39Z", + "reason": "Completed", + "startedAt": "2024-06-08T11:31:47Z" + } + } + }, + { + "containerID": "containerd://ee6790449c2b5e20ed19274f3a62702d326fa3121e4647bb09e09417591b9178", + "image": "127.0.0.1:31999/neuvector/updater:latest-zarf-2735231738", + "imageID": "127.0.0.1:31999/neuvector/updater@sha256:60a8546b96ae2e702dcdac424db81566ebe28e2e2fc1449bf188dda0cad6aee3", + "lastState": {}, + "name": "neuvector-updater-pod", + "ready": false, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://ee6790449c2b5e20ed19274f3a62702d326fa3121e4647bb09e09417591b9178", + "exitCode": 0, + "finishedAt": "2024-06-08T11:31:48Z", + "reason": "Completed", + "startedAt": "2024-06-08T11:31:48Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "initContainerStatuses": [ + { + "containerID": "containerd://29f61aa06527ee52396a19aa736ddc72af53e22473846388985dffc5150f7072", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://29f61aa06527ee52396a19aa736ddc72af53e22473846388985dffc5150f7072", + "exitCode": 0, + "finishedAt": "2024-06-08T11:31:46Z", + "reason": "Completed", + "startedAt": "2024-06-08T11:31:46Z" + } + } + } + ], + "phase": "Succeeded", + "podIP": "10.42.0.63", + "podIPs": [ + { + "ip": "10.42.0.63" + } + ], + "qosClass": "Burstable", + "startTime": "2024-06-08T11:31:45Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "neuvector-updater-pod", + "kubectl.kubernetes.io/default-logs-container": "neuvector-updater-pod", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": "[\"require-non-root-user\",\"drop-all-capabilities\",\"require-non-root-user\",\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded" + }, + "creationTimestamp": "2024-06-10T00:55:32Z", + "generateName": "neuvector-updater-pod-28632960-", + "labels": { + "app": "neuvector-updater-pod", + "batch.kubernetes.io/controller-uid": "8373aa55-0ea9-49f1-b9b8-97bdded4f35d", + "batch.kubernetes.io/job-name": "neuvector-updater-pod-28632960", + "controller-uid": "8373aa55-0ea9-49f1-b9b8-97bdded4f35d", + "job-name": "neuvector-updater-pod-28632960", + "release": "core", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "neuvector-updater-pod", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": "neuvector-updater-pod-28632960-srlcm", + "namespace": "neuvector", + "ownerReferences": [ + { + "apiVersion": "batch/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "Job", + "name": "neuvector-updater-pod-28632960", + "uid": "8373aa55-0ea9-49f1-b9b8-97bdded4f35d" + } + ], + "resourceVersion": "86760", + "uid": "1986d29e-0aae-4950-ad47-f0aafa4731da" + }, + "spec": { + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "neuvector-updater-pod" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "neuvector-updater-pod" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/batch/v1/namespaces/neuvector/cronjobs/neuvector-updater-pod" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + } + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-lk4bq", + "readOnly": true + } + ] + }, + { + "command": [ + "/bin/sh", + "-c", + "/usr/bin/curl -kv -X PATCH -H \"Authorization:Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)\" -H \"Content-Type:application/strategic-merge-patch+json\" -d '{\"spec\":{\"template\":{\"metadata\":{\"annotations\":{\"kubectl.kubernetes.io/restartedAt\":\"'`date +%Y-%m-%dT%H:%M:%S%z`'\"}}}}}' 'https://kubernetes.default/apis/apps/v1/namespaces/neuvector/deployments/neuvector-scanner-pod'" + ], + "image": "127.0.0.1:31999/neuvector/updater:latest-zarf-2735231738", + "imagePullPolicy": "Always", + "name": "neuvector-updater-pod", + "resources": {}, + "securityContext": { + "capabilities": { + "drop": [ + "ALL" + ] + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-lk4bq", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-lk4bq", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Never", + "schedulerName": "default-scheduler", + "securityContext": { + "runAsGroup": 1000, + "runAsNonRoot": true, + "runAsUser": 1000 + }, + "serviceAccount": "updater", + "serviceAccountName": "updater", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "kube-api-access-lk4bq", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-10T00:55:33Z", + "reason": "PodCompleted", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-10T00:55:32Z", + "reason": "PodCompleted", + "status": "False", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-10T00:55:32Z", + "reason": "PodCompleted", + "status": "False", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-10T00:55:32Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://bf16d1f44e578b7dc9799c600d907aa1ba6cd8da18ad9160441b047f0565e15a", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-proxy", + "ready": false, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://bf16d1f44e578b7dc9799c600d907aa1ba6cd8da18ad9160441b047f0565e15a", + "exitCode": 0, + "finishedAt": "2024-06-10T01:00:14Z", + "reason": "Completed", + "startedAt": "2024-06-10T00:55:33Z" + } + } + }, + { + "containerID": "containerd://c633a58176a56e81c28a3f6dd89df85c7510f30d83e31aeb49dea202542f67e7", + "image": "127.0.0.1:31999/neuvector/updater:latest-zarf-2735231738", + "imageID": "127.0.0.1:31999/neuvector/updater@sha256:60a8546b96ae2e702dcdac424db81566ebe28e2e2fc1449bf188dda0cad6aee3", + "lastState": {}, + "name": "neuvector-updater-pod", + "ready": false, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://c633a58176a56e81c28a3f6dd89df85c7510f30d83e31aeb49dea202542f67e7", + "exitCode": 0, + "finishedAt": "2024-06-10T00:55:34Z", + "reason": "Completed", + "startedAt": "2024-06-10T00:55:34Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "initContainerStatuses": [ + { + "containerID": "containerd://b22e1a4cc3028ccab180463eb23d8e5bb60b95fbb89be72c0c9cc56b90b69197", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://b22e1a4cc3028ccab180463eb23d8e5bb60b95fbb89be72c0c9cc56b90b69197", + "exitCode": 0, + "finishedAt": "2024-06-10T00:55:33Z", + "reason": "Completed", + "startedAt": "2024-06-10T00:55:32Z" + } + } + } + ], + "phase": "Succeeded", + "podIP": "10.42.0.67", + "podIPs": [ + { + "ip": "10.42.0.67" + } + ], + "qosClass": "Burstable", + "startTime": "2024-06-10T00:55:32Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "checksum/config": "a54b4b978607806a73c1e79d416367816e4d9407c7f1cffa13519cfc40a654fc", + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "promtail", + "kubectl.kubernetes.io/default-logs-container": "promtail", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": "[\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded", + "uds-core.pepr.dev/uds-core-policies.DisallowPrivileged": "exempted", + "uds-core.pepr.dev/uds-core-policies.RequireNonRootUser": "exempted", + "uds-core.pepr.dev/uds-core-policies.RestrictHostPathWrite": "exempted", + "uds-core.pepr.dev/uds-core-policies.RestrictSELinuxType": "exempted", + "uds-core.pepr.dev/uds-core-policies.RestrictVolumeTypes": "exempted" + }, + "creationTimestamp": "2024-06-07T14:41:06Z", + "generateName": "promtail-", + "labels": { + "app.kubernetes.io/instance": "promtail", + "app.kubernetes.io/name": "promtail", + "controller-revision-hash": "7fdf7b776f", + "pod-template-generation": "1", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "promtail", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": "promtail-zkfwh", + "namespace": "promtail", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "DaemonSet", + "name": "promtail", + "uid": "a2aecb14-ea43-49fd-86c3-d8d5e196c826" + } + ], + "resourceVersion": "87037", + "uid": "5db68d80-533b-4d72-a5ea-560a3363b9af" + }, + "spec": { + "affinity": { + "nodeAffinity": { + "requiredDuringSchedulingIgnoredDuringExecution": { + "nodeSelectorTerms": [ + { + "matchFields": [ + { + "key": "metadata.name", + "operator": "In", + "values": [ + "k3d-uds-server-0" + ] + } + ] + } + ] + } + } + }, + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"name\":\"http-metrics\",\"containerPort\":3101,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "promtail" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "promtail" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/promtail/daemonsets/promtail" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + }, + { + "name": "ISTIO_KUBE_APP_PROBERS", + "value": "{\"/app-health/promtail/readyz\":{\"httpGet\":{\"path\":\"/ready\",\"port\":3101,\"scheme\":\"HTTP\"},\"timeoutSeconds\":1}}" + } + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-scgmx", + "readOnly": true + } + ] + }, + { + "args": [ + "-config.file=/etc/promtail/promtail.yaml", + "-config.expand-env=true" + ], + "env": [ + { + "name": "HOSTNAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "NODE_HOSTNAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + } + ], + "image": "127.0.0.1:31999/grafana/promtail:2.9.6-zarf-1225602080", + "imagePullPolicy": "IfNotPresent", + "name": "promtail", + "ports": [ + { + "containerPort": 3101, + "name": "http-metrics", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 5, + "httpGet": { + "path": "/app-health/promtail/readyz", + "port": 15020, + "scheme": "HTTP" + }, + "initialDelaySeconds": 10, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "resources": { + "limits": { + "cpu": "500m", + "memory": "750Mi" + }, + "requests": { + "cpu": "100m", + "memory": "256Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsUser": 0, + "seLinuxOptions": { + "type": "spc_t" + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/promtail", + "name": "config" + }, + { + "mountPath": "/run/promtail", + "name": "run" + }, + { + "mountPath": "/var/lib/docker/containers", + "name": "containers", + "readOnly": true + }, + { + "mountPath": "/var/log/pods", + "name": "pods", + "readOnly": true + }, + { + "mountPath": "/var/log", + "name": "varlog", + "readOnly": true + }, + { + "mountPath": "/etc/machine-id", + "name": "machine-id", + "readOnly": true, + "subPath": "machine-id" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-scgmx", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-scgmx", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "runAsGroup": 0, + "runAsUser": 0 + }, + "serviceAccount": "promtail", + "serviceAccountName": "promtail", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoSchedule", + "key": "node-role.kubernetes.io/master", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node-role.kubernetes.io/control-plane", + "operator": "Exists" + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists" + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/disk-pressure", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/memory-pressure", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/pid-pressure", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/unschedulable", + "operator": "Exists" + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "config", + "secret": { + "defaultMode": 420, + "secretName": "promtail" + } + }, + { + "hostPath": { + "path": "/run/promtail", + "type": "" + }, + "name": "run" + }, + { + "hostPath": { + "path": "/var/lib/docker/containers", + "type": "" + }, + "name": "containers" + }, + { + "hostPath": { + "path": "/var/log/pods", + "type": "" + }, + "name": "pods" + }, + { + "hostPath": { + "path": "/var/log", + "type": "" + }, + "name": "varlog" + }, + { + "hostPath": { + "path": "/etc", + "type": "" + }, + "name": "machine-id" + }, + { + "name": "kube-api-access-scgmx", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:41:07Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-10T01:06:08Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-10T01:06:08Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:41:06Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://1dc041a71a446c38cdc81140347809723b69c991cf5411cc1d16ffc8d9bf2841", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:41:07Z" + } + } + }, + { + "containerID": "containerd://f9860f638119e65159c9d69c8388948029967b934bdc418639cac5c8cddd27f7", + "image": "127.0.0.1:31999/grafana/promtail:2.9.6-zarf-1225602080", + "imageID": "127.0.0.1:31999/grafana/promtail@sha256:1b407c081c4da6e32489b21aa2972b1621f4daf10c94e8404d1cd90517f3750e", + "lastState": {}, + "name": "promtail", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:41:18Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "initContainerStatuses": [ + { + "containerID": "containerd://96b2c6ab5ca922aaf00fc6921ae36994ef2051c744f180fbd1420a2e744add7c", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://96b2c6ab5ca922aaf00fc6921ae36994ef2051c744f180fbd1420a2e744add7c", + "exitCode": 0, + "finishedAt": "2024-06-07T14:41:06Z", + "reason": "Completed", + "startedAt": "2024-06-07T14:41:06Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.54", + "podIPs": [ + { + "ip": "10.42.0.54" + } + ], + "qosClass": "Burstable", + "startTime": "2024-06-07T14:41:06Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "neuvector-scanner-pod", + "kubectl.kubernetes.io/default-logs-container": "neuvector-scanner-pod", + "kubectl.kubernetes.io/restartedAt": "2024-06-11T07:25:47+0000", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": "[\"require-non-root-user\",\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded" + }, + "creationTimestamp": "2024-06-11T07:25:47Z", + "generateName": "neuvector-scanner-pod-b5d7d59f-", + "labels": { + "app": "neuvector-scanner-pod", + "pod-template-hash": "b5d7d59f", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "neuvector-scanner-pod", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": "neuvector-scanner-pod-b5d7d59f-rf24r", + "namespace": "neuvector", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "neuvector-scanner-pod-b5d7d59f", + "uid": "b7559932-31e0-471e-91c0-f91c55c4e223" + } + ], + "resourceVersion": "138526", + "uid": "1ba0dcf8-45d3-4393-92b1-00817ec2493b" + }, + "spec": { + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "neuvector-scanner-pod" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "neuvector-scanner-pod" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/neuvector/deployments/neuvector-scanner-pod" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + } + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-98vks", + "readOnly": true + } + ] + }, + { + "env": [ + { + "name": "CLUSTER_JOIN_ADDR", + "value": "neuvector-svc-controller.neuvector" + } + ], + "image": "127.0.0.1:31999/neuvector/scanner:latest-zarf-3299389045", + "imagePullPolicy": "Always", + "name": "neuvector-scanner-pod", + "resources": {}, + "securityContext": { + "capabilities": { + "drop": [ + "ALL" + ] + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-98vks", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-98vks", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "runAsGroup": 1000, + "runAsNonRoot": true, + "runAsUser": 1000 + }, + "serviceAccount": "scanner", + "serviceAccountName": "scanner", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "kube-api-access-98vks", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-11T07:25:47Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-11T07:25:50Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-11T07:25:50Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-11T07:25:47Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://647e5e933b75f3e70c893a63f96d513cd0b623445dc5d429939d1354fb03cc94", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-11T07:25:47Z" + } + } + }, + { + "containerID": "containerd://5c51efbb71dc083324abfc457ce7eed5c0cbe57af2cd09fcfe169e2d99a58736", + "image": "127.0.0.1:31999/neuvector/scanner:latest-zarf-3299389045", + "imageID": "127.0.0.1:31999/neuvector/scanner@sha256:bd2056b7d73208d0a24ac464cee5cdc37e8fa8428df76b0b2f61f9530863cbd0", + "lastState": {}, + "name": "neuvector-scanner-pod", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-11T07:25:49Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "initContainerStatuses": [ + { + "containerID": "containerd://c326c54f411815f5683dfd974c736f517b0e87592c961bdf5ae25d4b339df2c5", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://c326c54f411815f5683dfd974c736f517b0e87592c961bdf5ae25d4b339df2c5", + "exitCode": 0, + "finishedAt": "2024-06-11T07:25:47Z", + "reason": "Completed", + "startedAt": "2024-06-11T07:25:47Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.72", + "podIPs": [ + { + "ip": "10.42.0.72" + } + ], + "qosClass": "Burstable", + "startTime": "2024-06-11T07:25:47Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "neuvector-updater-pod", + "kubectl.kubernetes.io/default-logs-container": "neuvector-updater-pod", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": "[\"require-non-root-user\",\"drop-all-capabilities\",\"require-non-root-user\",\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded" + }, + "creationTimestamp": "2024-06-11T07:25:44Z", + "generateName": "neuvector-updater-pod-28634400-", + "labels": { + "app": "neuvector-updater-pod", + "batch.kubernetes.io/controller-uid": "5d3ea4c8-1beb-4807-8370-1ea6cd8580a4", + "batch.kubernetes.io/job-name": "neuvector-updater-pod-28634400", + "controller-uid": "5d3ea4c8-1beb-4807-8370-1ea6cd8580a4", + "job-name": "neuvector-updater-pod-28634400", + "release": "core", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "neuvector-updater-pod", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": "neuvector-updater-pod-28634400-v9nc8", + "namespace": "neuvector", + "ownerReferences": [ + { + "apiVersion": "batch/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "Job", + "name": "neuvector-updater-pod-28634400", + "uid": "5d3ea4c8-1beb-4807-8370-1ea6cd8580a4" + } + ], + "resourceVersion": "138550", + "uid": "62475b5a-c8be-4be5-8060-b70fc86461d6" + }, + "spec": { + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "neuvector-updater-pod" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "neuvector-updater-pod" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/batch/v1/namespaces/neuvector/cronjobs/neuvector-updater-pod" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + } + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-ddtp7", + "readOnly": true + } + ] + }, + { + "command": [ + "/bin/sh", + "-c", + "/usr/bin/curl -kv -X PATCH -H \"Authorization:Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)\" -H \"Content-Type:application/strategic-merge-patch+json\" -d '{\"spec\":{\"template\":{\"metadata\":{\"annotations\":{\"kubectl.kubernetes.io/restartedAt\":\"'`date +%Y-%m-%dT%H:%M:%S%z`'\"}}}}}' 'https://kubernetes.default/apis/apps/v1/namespaces/neuvector/deployments/neuvector-scanner-pod'" + ], + "image": "127.0.0.1:31999/neuvector/updater:latest-zarf-2735231738", + "imagePullPolicy": "Always", + "name": "neuvector-updater-pod", + "resources": {}, + "securityContext": { + "capabilities": { + "drop": [ + "ALL" + ] + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-ddtp7", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-ddtp7", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Never", + "schedulerName": "default-scheduler", + "securityContext": { + "runAsGroup": 1000, + "runAsNonRoot": true, + "runAsUser": 1000 + }, + "serviceAccount": "updater", + "serviceAccountName": "updater", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "kube-api-access-ddtp7", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-11T07:25:45Z", + "reason": "PodCompleted", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-11T07:25:44Z", + "reason": "PodCompleted", + "status": "False", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-11T07:25:44Z", + "reason": "PodCompleted", + "status": "False", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-11T07:25:44Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://31cd2632709a932190127d542486373c4e430c0283272027ce62d87da1d15297", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-proxy", + "ready": false, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://31cd2632709a932190127d542486373c4e430c0283272027ce62d87da1d15297", + "exitCode": 0, + "finishedAt": "2024-06-11T07:25:47Z", + "reason": "Completed", + "startedAt": "2024-06-11T07:25:45Z" + } + } + }, + { + "containerID": "containerd://7bbe44f88ba5d60455901cf3d72b062febd747ea00d8f86eaa09e0e319609564", + "image": "127.0.0.1:31999/neuvector/updater:latest-zarf-2735231738", + "imageID": "127.0.0.1:31999/neuvector/updater@sha256:60a8546b96ae2e702dcdac424db81566ebe28e2e2fc1449bf188dda0cad6aee3", + "lastState": {}, + "name": "neuvector-updater-pod", + "ready": false, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://7bbe44f88ba5d60455901cf3d72b062febd747ea00d8f86eaa09e0e319609564", + "exitCode": 0, + "finishedAt": "2024-06-11T07:25:47Z", + "reason": "Completed", + "startedAt": "2024-06-11T07:25:46Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "initContainerStatuses": [ + { + "containerID": "containerd://0f86c6046ed396b80875c078e48cabbc9f1f62c26d60915837af8abb12cecb42", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://0f86c6046ed396b80875c078e48cabbc9f1f62c26d60915837af8abb12cecb42", + "exitCode": 0, + "finishedAt": "2024-06-11T07:25:45Z", + "reason": "Completed", + "startedAt": "2024-06-11T07:25:45Z" + } + } + } + ], + "phase": "Succeeded", + "podIP": "10.42.0.71", + "podIPs": [ + { + "ip": "10.42.0.71" + } + ], + "qosClass": "Burstable", + "startTime": "2024-06-11T07:25:44Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "neuvector-scanner-pod", + "kubectl.kubernetes.io/default-logs-container": "neuvector-scanner-pod", + "kubectl.kubernetes.io/restartedAt": "2024-06-11T07:25:47+0000", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": "[\"require-non-root-user\",\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded" + }, + "creationTimestamp": "2024-06-11T07:25:51Z", + "generateName": "neuvector-scanner-pod-b5d7d59f-", + "labels": { + "app": "neuvector-scanner-pod", + "pod-template-hash": "b5d7d59f", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "neuvector-scanner-pod", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": "neuvector-scanner-pod-b5d7d59f-cwktq", + "namespace": "neuvector", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "neuvector-scanner-pod-b5d7d59f", + "uid": "b7559932-31e0-471e-91c0-f91c55c4e223" + } + ], + "resourceVersion": "138586", + "uid": "5b0b8948-e33f-4297-8925-1a61c7291ccc" + }, + "spec": { + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "neuvector-scanner-pod" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "neuvector-scanner-pod" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/neuvector/deployments/neuvector-scanner-pod" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + } + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-fhcbk", + "readOnly": true + } + ] + }, + { + "env": [ + { + "name": "CLUSTER_JOIN_ADDR", + "value": "neuvector-svc-controller.neuvector" + } + ], + "image": "127.0.0.1:31999/neuvector/scanner:latest-zarf-3299389045", + "imagePullPolicy": "Always", + "name": "neuvector-scanner-pod", + "resources": {}, + "securityContext": { + "capabilities": { + "drop": [ + "ALL" + ] + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-fhcbk", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-fhcbk", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "runAsGroup": 1000, + "runAsNonRoot": true, + "runAsUser": 1000 + }, + "serviceAccount": "scanner", + "serviceAccountName": "scanner", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "kube-api-access-fhcbk", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-11T07:25:53Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-11T07:25:58Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-11T07:25:58Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-11T07:25:51Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://798c5d64425e4e8b2c7ccc7c62261c243f0c8aadef350586b990f1613a75fb99", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-11T07:25:54Z" + } + } + }, + { + "containerID": "containerd://70ae20d4a72d5e82acaec8f9578e2848b7caa87bb655cfa7a354bcb9d4761075", + "image": "127.0.0.1:31999/neuvector/scanner:latest-zarf-3299389045", + "imageID": "127.0.0.1:31999/neuvector/scanner@sha256:bd2056b7d73208d0a24ac464cee5cdc37e8fa8428df76b0b2f61f9530863cbd0", + "lastState": {}, + "name": "neuvector-scanner-pod", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-11T07:25:56Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "initContainerStatuses": [ + { + "containerID": "containerd://bdf5ff10ecc5803860394337c1292e6ecf70697237c475d45f3709f9be182c22", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://bdf5ff10ecc5803860394337c1292e6ecf70697237c475d45f3709f9be182c22", + "exitCode": 0, + "finishedAt": "2024-06-11T07:25:53Z", + "reason": "Completed", + "startedAt": "2024-06-11T07:25:53Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.73", + "podIPs": [ + { + "ip": "10.42.0.73" + } + ], + "qosClass": "Burstable", + "startTime": "2024-06-11T07:25:51Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "neuvector-scanner-pod", + "kubectl.kubernetes.io/default-logs-container": "neuvector-scanner-pod", + "kubectl.kubernetes.io/restartedAt": "2024-06-11T07:25:47+0000", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": "[\"require-non-root-user\",\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded" + }, + "creationTimestamp": "2024-06-11T07:25:58Z", + "generateName": "neuvector-scanner-pod-b5d7d59f-", + "labels": { + "app": "neuvector-scanner-pod", + "pod-template-hash": "b5d7d59f", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "neuvector-scanner-pod", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": "neuvector-scanner-pod-b5d7d59f-2ql2b", + "namespace": "neuvector", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "neuvector-scanner-pod-b5d7d59f", + "uid": "b7559932-31e0-471e-91c0-f91c55c4e223" + } + ], + "resourceVersion": "138639", + "uid": "bb6e8ac5-e279-4a60-b8be-48fad5c09ad0" + }, + "spec": { + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "neuvector-scanner-pod" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "neuvector-scanner-pod" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/neuvector/deployments/neuvector-scanner-pod" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + } + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-8fdrp", + "readOnly": true + } + ] + }, + { + "env": [ + { + "name": "CLUSTER_JOIN_ADDR", + "value": "neuvector-svc-controller.neuvector" + } + ], + "image": "127.0.0.1:31999/neuvector/scanner:latest-zarf-3299389045", + "imagePullPolicy": "Always", + "name": "neuvector-scanner-pod", + "resources": {}, + "securityContext": { + "capabilities": { + "drop": [ + "ALL" + ] + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-8fdrp", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-8fdrp", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "runAsGroup": 1000, + "runAsNonRoot": true, + "runAsUser": 1000 + }, + "serviceAccount": "scanner", + "serviceAccountName": "scanner", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "kube-api-access-8fdrp", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-11T07:26:00Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-11T07:26:05Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-11T07:26:05Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-11T07:25:58Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://122a7872b5f34d96da8607e4020dfd7a80c98d44150dcae36e6cbc40f98a5b2d", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-11T07:26:00Z" + } + } + }, + { + "containerID": "containerd://be1e0c4652b178c5bab2265deb3118f095837420337b411619f5cb87e78e67d1", + "image": "127.0.0.1:31999/neuvector/scanner:latest-zarf-3299389045", + "imageID": "127.0.0.1:31999/neuvector/scanner@sha256:bd2056b7d73208d0a24ac464cee5cdc37e8fa8428df76b0b2f61f9530863cbd0", + "lastState": {}, + "name": "neuvector-scanner-pod", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-11T07:26:03Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "initContainerStatuses": [ + { + "containerID": "containerd://8a954c6decc8bd6157607955078629f0d43b2629c89efd24900b5d317b92d547", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://8a954c6decc8bd6157607955078629f0d43b2629c89efd24900b5d317b92d547", + "exitCode": 0, + "finishedAt": "2024-06-11T07:25:59Z", + "reason": "Completed", + "startedAt": "2024-06-11T07:25:59Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.74", + "podIPs": [ + { + "ip": "10.42.0.74" + } + ], + "qosClass": "Burstable", + "startTime": "2024-06-11T07:25:58Z" + } + } + ] +} \ No newline at end of file diff --git a/compliance/validations/istio/prometheus-annotations-validation/tests.yaml b/compliance/validations/istio/prometheus-annotations-validation/tests.yaml new file mode 100644 index 000000000..561af468c --- /dev/null +++ b/compliance/validations/istio/prometheus-annotations-validation/tests.yaml @@ -0,0 +1,10 @@ +pass: + - test: default + validation: validation.yaml + resources: resources.json + expected-validation: true + - test: grafana-pods-missing-annotations + validation: validation.yaml + resources: resources.json + permutation: '.pods |= map(if .metadata.namespace == "grafana" then .metadata.annotations["prometheus.io/scrape"] = false else . end)' + expected-validation: false diff --git a/compliance/validations/istio/prometheus-annotations-validation/validation.yaml b/compliance/validations/istio/prometheus-annotations-validation/validation.yaml new file mode 100644 index 000000000..7ef265e52 --- /dev/null +++ b/compliance/validations/istio/prometheus-annotations-validation/validation.yaml @@ -0,0 +1,60 @@ +metadata: + name: istio-prometheus-annotations-validation + uuid: f345c359-3208-46fb-9348-959bd628301e +domain: + type: kubernetes + kubernetes-spec: + resources: + - name: pods + resource-rule: + resource: pods + version: v1 + namespaces: [] +provider: + type: opa + opa-spec: + rego: | + package validate + import rego.v1 + + # Default values + default validate := false + default msg := "Not evaluated" + + # Check for required Istio and Prometheus annotations + validate if { + has_prometheus_annotation.result + } + + msg = has_prometheus_annotation.msg + msg_exempted_namespaces = concat(", ", exempt_namespaces) + + # Check for prometheus annotations in pod spec + no_annotation = [sprintf("%s/%s", [pod.metadata.namespace, pod.metadata.name]) | pod := input.pods[_]; not contains_annotation(pod); not is_exempt(pod)] + + has_prometheus_annotation = {"result": true, "msg": msg} if { + count(no_annotation) == 0 + msg := "All pods have correct prometheus annotations." + } else = {"result": false, "msg": msg} if { + msg := sprintf("Prometheus annotations not found in pods: %s.", [concat(", ", no_annotation)]) + } + + contains_annotation(pod) if { + annotations := pod.metadata.annotations + annotations["prometheus.io/scrape"] == "true" + annotations["prometheus.io/path"] != "" + annotations["prometheus.io/port"] == "15020" + } + + # Exemptions + exempt_namespaces = {"kube-system", "istio-system", "uds-dev-stack", "zarf"} + + is_exempt(pod) if { + pod.metadata.namespace in exempt_namespaces + } + + output: + validation: validate.validate + observations: + - validate.msg + - validate.msg_exempted_namespaces diff --git a/compliance/validations/istio/rbac-enforcement-check/README.md b/compliance/validations/istio/rbac-enforcement-check/README.md new file mode 100644 index 000000000..22103df95 --- /dev/null +++ b/compliance/validations/istio/rbac-enforcement-check/README.md @@ -0,0 +1,9 @@ +# README.md + +**NAME** - istio-rbac-enforcement-check + +**INPUT** - This validation collects AuthorizationPolicy resources from all namespaces in the Kubernetes cluster. + +**POLICY** - This policy checks that Istio RBAC is enforced by ensuring that AuthorizationPolicy resources are present in the cluster. + +**NOTES** - Ensure that the AuthorizationPolicy resources are correctly specified in the policy. The policy will fail if no AuthorizationPolicy resources are found. \ No newline at end of file diff --git a/compliance/validations/istio/rbac-enforcement-check/resources.json b/compliance/validations/istio/rbac-enforcement-check/resources.json new file mode 100644 index 000000000..999d1ea81 --- /dev/null +++ b/compliance/validations/istio/rbac-enforcement-check/resources.json @@ -0,0 +1,177 @@ +{ + "authorizationPolicies": [ + { + "apiVersion": "security.istio.io/v1beta1", + "kind": "AuthorizationPolicy", + "metadata": { + "annotations": { + "meta.helm.sh/release-name": "keycloak", + "meta.helm.sh/release-namespace": "keycloak" + }, + "creationTimestamp": "2024-06-07T14:37:02Z", + "generation": 1, + "labels": { + "app.kubernetes.io/managed-by": "Helm" + }, + "name": "keycloak-block-admin-access-from-public-gateway", + "namespace": "keycloak", + "resourceVersion": "1656", + "uid": "cda7ec8f-f7b7-4873-a1e2-5c6ec722f7e4" + }, + "spec": { + "action": "DENY", + "rules": [ + { + "from": [ + { + "source": { + "notNamespaces": [ + "istio-admin-gateway" + ] + } + } + ], + "to": [ + { + "operation": { + "paths": [ + "/admin*", + "/realms/master*" + ] + } + } + ] + }, + { + "from": [ + { + "source": { + "notNamespaces": [ + "istio-admin-gateway", + "monitoring" + ] + } + } + ], + "to": [ + { + "operation": { + "paths": [ + "/metrics*" + ] + } + } + ] + }, + { + "from": [ + { + "source": { + "notNamespaces": [ + "pepr-system" + ] + } + } + ], + "to": [ + { + "operation": { + "paths": [ + "/realms/uds/clients-registrations/*" + ] + } + } + ] + } + ], + "selector": { + "matchLabels": { + "app.kubernetes.io/instance": "keycloak", + "app.kubernetes.io/name": "keycloak" + } + } + } + }, + { + "apiVersion": "security.istio.io/v1beta1", + "kind": "AuthorizationPolicy", + "metadata": { + "annotations": { + "meta.helm.sh/release-name": "authservice", + "meta.helm.sh/release-namespace": "authservice" + }, + "creationTimestamp": "2024-06-07T14:42:13Z", + "generation": 1, + "labels": { + "app.kubernetes.io/managed-by": "Helm" + }, + "name": "jwt-authz", + "namespace": "istio-system", + "resourceVersion": "3764", + "uid": "de7038cb-62fc-449e-b846-abab3432e39e" + }, + "spec": { + "rules": [ + { + "from": [ + { + "source": { + "requestPrincipals": [ + "https://login.uds.dev/auth/realms/doug/*" + ] + } + } + ] + } + ], + "selector": { + "matchLabels": { + "protect": "keycloak" + } + } + } + }, + { + "apiVersion": "security.istio.io/v1beta1", + "kind": "AuthorizationPolicy", + "metadata": { + "annotations": { + "meta.helm.sh/release-name": "authservice", + "meta.helm.sh/release-namespace": "authservice" + }, + "creationTimestamp": "2024-06-07T14:42:13Z", + "generation": 1, + "labels": { + "app.kubernetes.io/managed-by": "Helm" + }, + "name": "authservice", + "namespace": "istio-system", + "resourceVersion": "3767", + "uid": "5ca626af-4cd3-4652-90d5-3ab8b0d5d72c" + }, + "spec": { + "action": "CUSTOM", + "provider": { + "name": "authservice" + }, + "rules": [ + { + "when": [ + { + "key": "request.headers[authorization]", + "notValues": [ + "*" + ] + } + ] + } + ], + "selector": { + "matchLabels": { + "protect": "keycloak" + } + } + } + } + ] +} \ No newline at end of file diff --git a/compliance/validations/istio/rbac-enforcement-check/tests.yaml b/compliance/validations/istio/rbac-enforcement-check/tests.yaml new file mode 100644 index 000000000..f12f79fae --- /dev/null +++ b/compliance/validations/istio/rbac-enforcement-check/tests.yaml @@ -0,0 +1,10 @@ +pass: + - test: default + validation: validation.yaml + resources: resources.json + expected-validation: true + - test: remove-authorization-policies + validation: validation.yaml + resources: resources.json + permutation: ".authorizationPolicies = []" + expected-validation: false diff --git a/compliance/validations/istio/rbac-enforcement-check/validation.yaml b/compliance/validations/istio/rbac-enforcement-check/validation.yaml new file mode 100644 index 000000000..866ded2ab --- /dev/null +++ b/compliance/validations/istio/rbac-enforcement-check/validation.yaml @@ -0,0 +1,42 @@ +metadata: + name: istio-rbac-enforcement-check + uuid: 7b045b2a-106f-4c8c-85d9-ae3d7a8e0e28 +domain: + type: kubernetes + kubernetes-spec: + resources: + - name: authorizationPolicies + resource-rule: + group: security.istio.io + resource: authorizationpolicies + version: v1beta1 + namespaces: [] +provider: + type: opa + opa-spec: + rego: | + package validate + import rego.v1 + + # Default values + default validate := false + default msg := "Istio RBAC not enforced: No authorization policies found." + + # Evaluation for Istio Authorization Policies + validate if { + count(all_auth_policies) > 0 + } + + # Get all authorization policies + all_auth_policies := { sprintf("%s/%s", [authPolicy.metadata.namespace, authPolicy.metadata.name]) | + authPolicy := input.authorizationPolicies[_]; authPolicy.kind == "AuthorizationPolicy" } + + msg = "Istio RBAC enforced" if { + validate + } + msg_all_auth_policies = concat(", ", all_auth_policies) + output: + validation: validate.validate + observations: + - validate.msg + - validate.msg_all_auth_policies diff --git a/compliance/validations/istio/rbac-for-approved-personnel/README.md b/compliance/validations/istio/rbac-for-approved-personnel/README.md new file mode 100644 index 000000000..e287175b1 --- /dev/null +++ b/compliance/validations/istio/rbac-for-approved-personnel/README.md @@ -0,0 +1,9 @@ +# README.md + +**NAME** - istio-rbac-for-approved-personnel-PLACEHOLDER + +**INPUT** - This validation currently does not collect any resources. + +**POLICY** - This policy is a placeholder for checking RBAC for approved personnel. + +**NOTES** - The policy needs to be updated to include the necessary resources and logic to check for RBAC for approved personnel. \ No newline at end of file diff --git a/compliance/validations/istio/rbac-for-approved-personnel/validation.yaml b/compliance/validations/istio/rbac-for-approved-personnel/validation.yaml new file mode 100644 index 000000000..5c3ee4d90 --- /dev/null +++ b/compliance/validations/istio/rbac-for-approved-personnel/validation.yaml @@ -0,0 +1,14 @@ +metadata: + name: istio-rbac-for-approved-personnel-PLACEHOLDER + uuid: 9b361d7b-4e07-40db-8b86-3854ed499a4b +domain: + type: kubernetes + kubernetes-spec: + resources: [] +provider: + type: opa + opa-spec: + rego: | + package validate + + default validate := false diff --git a/compliance/validations/istio/request-authentication-and-auth-policies-configured-DEPRECATED/README.md b/compliance/validations/istio/request-authentication-and-auth-policies-configured-DEPRECATED/README.md new file mode 100644 index 000000000..60bd209cd --- /dev/null +++ b/compliance/validations/istio/request-authentication-and-auth-policies-configured-DEPRECATED/README.md @@ -0,0 +1,9 @@ +# README.md + +**NAME** - request-authenication-and-auth-policies-configured + +**INPUT** - This validation collects RequestAuthentication and AuthorizationPolicy resources from all namespaces in the Kubernetes cluster. + +**POLICY** - This policy checks that both RequestAuthentication and AuthorizationPolicy resources are configured correctly in the cluster. + +**NOTES** - Ensure that the RequestAuthentication and AuthorizationPolicy resources are correctly specified in the policy. The policy will fail if any of these resources are missing or improperly configured. \ No newline at end of file diff --git a/compliance/validations/istio/request-authentication-and-auth-policies-configured-DEPRECATED/resources.json b/compliance/validations/istio/request-authentication-and-auth-policies-configured-DEPRECATED/resources.json new file mode 100644 index 000000000..2f862bcb6 --- /dev/null +++ b/compliance/validations/istio/request-authentication-and-auth-policies-configured-DEPRECATED/resources.json @@ -0,0 +1,212 @@ +{ + "authorizationPolicy": [ + { + "apiVersion": "security.istio.io/v1beta1", + "kind": "AuthorizationPolicy", + "metadata": { + "annotations": { + "meta.helm.sh/release-name": "keycloak", + "meta.helm.sh/release-namespace": "keycloak" + }, + "creationTimestamp": "2024-06-07T14:37:02Z", + "generation": 1, + "labels": { + "app.kubernetes.io/managed-by": "Helm" + }, + "name": "keycloak-block-admin-access-from-public-gateway", + "namespace": "keycloak", + "resourceVersion": "1656", + "uid": "cda7ec8f-f7b7-4873-a1e2-5c6ec722f7e4" + }, + "spec": { + "action": "DENY", + "rules": [ + { + "from": [ + { + "source": { + "notNamespaces": [ + "istio-admin-gateway" + ] + } + } + ], + "to": [ + { + "operation": { + "paths": [ + "/admin*", + "/realms/master*" + ] + } + } + ] + }, + { + "from": [ + { + "source": { + "notNamespaces": [ + "istio-admin-gateway", + "monitoring" + ] + } + } + ], + "to": [ + { + "operation": { + "paths": [ + "/metrics*" + ] + } + } + ] + }, + { + "from": [ + { + "source": { + "notNamespaces": [ + "pepr-system" + ] + } + } + ], + "to": [ + { + "operation": { + "paths": [ + "/realms/uds/clients-registrations/*" + ] + } + } + ] + } + ], + "selector": { + "matchLabels": { + "app.kubernetes.io/instance": "keycloak", + "app.kubernetes.io/name": "keycloak" + } + } + } + }, + { + "apiVersion": "security.istio.io/v1beta1", + "kind": "AuthorizationPolicy", + "metadata": { + "annotations": { + "meta.helm.sh/release-name": "authservice", + "meta.helm.sh/release-namespace": "authservice" + }, + "creationTimestamp": "2024-06-07T14:42:13Z", + "generation": 1, + "labels": { + "app.kubernetes.io/managed-by": "Helm" + }, + "name": "jwt-authz", + "namespace": "istio-system", + "resourceVersion": "3764", + "uid": "de7038cb-62fc-449e-b846-abab3432e39e" + }, + "spec": { + "rules": [ + { + "from": [ + { + "source": { + "requestPrincipals": [ + "https://login.uds.dev/auth/realms/doug/*" + ] + } + } + ] + } + ], + "selector": { + "matchLabels": { + "protect": "keycloak" + } + } + } + }, + { + "apiVersion": "security.istio.io/v1beta1", + "kind": "AuthorizationPolicy", + "metadata": { + "annotations": { + "meta.helm.sh/release-name": "authservice", + "meta.helm.sh/release-namespace": "authservice" + }, + "creationTimestamp": "2024-06-07T14:42:13Z", + "generation": 1, + "labels": { + "app.kubernetes.io/managed-by": "Helm" + }, + "name": "authservice", + "namespace": "istio-system", + "resourceVersion": "3767", + "uid": "5ca626af-4cd3-4652-90d5-3ab8b0d5d72c" + }, + "spec": { + "action": "CUSTOM", + "provider": { + "name": "authservice" + }, + "rules": [ + { + "when": [ + { + "key": "request.headers[authorization]", + "notValues": [ + "*" + ] + } + ] + } + ], + "selector": { + "matchLabels": { + "protect": "keycloak" + } + } + } + } + ], + "requestAuthentication": [ + { + "apiVersion": "security.istio.io/v1beta1", + "kind": "RequestAuthentication", + "metadata": { + "annotations": { + "meta.helm.sh/release-name": "authservice", + "meta.helm.sh/release-namespace": "authservice" + }, + "creationTimestamp": "2024-06-07T14:42:14Z", + "generation": 1, + "labels": { + "app.kubernetes.io/managed-by": "Helm" + }, + "name": "jwt-authn", + "namespace": "istio-system", + "resourceVersion": "3773", + "uid": "108e0c7d-15d5-429e-ab45-a8a0eda7aee0" + }, + "spec": { + "jwtRules": [ + { + "forwardOriginalToken": true, + "issuer": "https://login.uds.dev/auth/realms/doug", + "jwksUri": "https://login.uds.dev/auth/realms/doug/protocol/openid-connect/certs" + } + ], + "selector": { + "matchLabels": { + "protect": "keycloak" + } + } + } + } + ] +} \ No newline at end of file diff --git a/compliance/validations/istio/request-authentication-and-auth-policies-configured-DEPRECATED/tests.yaml b/compliance/validations/istio/request-authentication-and-auth-policies-configured-DEPRECATED/tests.yaml new file mode 100644 index 000000000..ba762915f --- /dev/null +++ b/compliance/validations/istio/request-authentication-and-auth-policies-configured-DEPRECATED/tests.yaml @@ -0,0 +1,25 @@ +pass: + - test: default + validation: validation.yaml + resources: resources.json + expected-validation: true + - test: remove-jwt-rules + validation: validation.yaml + resources: resources.json + permutation: "del(.requestAuthentication[0].spec.jwtRules)" + expected-validation: false + - test: remove-auth-rules + validation: validation.yaml + resources: resources.json + permutation: "del(.authorizationPolicy[0].spec.rules)" + expected-validation: false + - test: remove-authorization-policies + validation: validation.yaml + resources: resources.json + permutation: ".authorizationPolicy = []" + expected-validation: false + - test: remove-request-authentications + validation: validation.yaml + resources: resources.json + permutation: ".requestAuthentication = []" + expected-validation: false diff --git a/compliance/validations/istio/request-authentication-and-auth-policies-configured-DEPRECATED/validation.yaml b/compliance/validations/istio/request-authentication-and-auth-policies-configured-DEPRECATED/validation.yaml new file mode 100644 index 000000000..acf733019 --- /dev/null +++ b/compliance/validations/istio/request-authentication-and-auth-policies-configured-DEPRECATED/validation.yaml @@ -0,0 +1,86 @@ +metadata: + name: request-authenication-and-auth-policies-configured + uuid: 3e217577-930e-4469-a999-1a5704b5cecb +domain: + type: kubernetes + kubernetes-spec: + resources: + - name: requestAuthentication + resource-rule: + group: security.istio.io + resource: requestauthentications + namespaces: [] + version: v1beta1 + - name: authorizationPolicy + resource-rule: + group: security.istio.io + resource: authorizationpolicies + namespaces: [] + version: v1beta1 +provider: + type: opa + opa-spec: + rego: | + package validate + + # Default policy result + default validate := false + default msg := "Not evaluated" + + # Validate both RequestAuthentication and AuthorizationPolicy are configured + validate { + authorization_policies_exist_and_configured.result + request_authentications_exist_and_configured.result + } + + msg = concat(" ", [authorization_policies_exist_and_configured.msg, request_authentications_exist_and_configured.msg]) + + # Check AuthorizationPolicies exist and are configured + bad_auth_policies := {sprintf("%s/%s", [authPolicy.metadata.namespace, authPolicy.metadata.name]) | + authPolicy := input.authorizationPolicy[_] + authPolicy.kind == "AuthorizationPolicy" + authorization_policy_not_configured(authPolicy) + } + + authorization_policy_not_configured(ap) { + # Check for missing or improperly configured rules + not ap.spec.rules + } + + authorization_policies_exist_and_configured = {"result": true, "msg": msg} { + count(input.authorizationPolicy) > 0 + count(bad_auth_policies) == 0 + msg := "All AuthorizationPolicies properly configured." + } else = {"result": false, "msg": msg} { + count(input.authorizationPolicy) == 0 + msg := "No AuthorizationPolicies found." + } else = {"result": false, "msg": msg} { + msg := sprintf("Some AuthorizationPolicies not properly configured: %v.", [concat(", ", bad_auth_policies)]) + } + + # Check RequestAuthentications exist and are configured + bad_request_authentications := {sprintf("%s/%s", [ra.metadata.namespace, ra.metadata.name]) | + ra := input.requestAuthentication[_] + ra.kind == "RequestAuthentication" + request_authentication_not_configured(ra) + } + + request_authentication_not_configured(ra) { + # Check for missing or improperly configured JWT rules + not ra.spec.jwtRules + } + + request_authentications_exist_and_configured = {"result": true, "msg": msg} { + count(input.requestAuthentication) > 0 + count(bad_request_authentications) == 0 + msg := "All RequestAuthentications properly configured." + } else = {"result": false, "msg": msg} { + count(input.requestAuthentication) == 0 + msg := "No RequestAuthentications found." + } else = {"result": false, "msg": msg} { + msg := sprintf("Some RequestAuthentications not properly configured: %v.", [concat(", ", bad_request_authentications)]) + } + output: + validation: validate.validate + observations: + - validate.msg diff --git a/compliance/validations/istio/secure-communication-with-istiod/README.md b/compliance/validations/istio/secure-communication-with-istiod/README.md new file mode 100644 index 000000000..6d2ea4b5b --- /dev/null +++ b/compliance/validations/istio/secure-communication-with-istiod/README.md @@ -0,0 +1,9 @@ +# README.md + +**NAME** - secure-communication-with-istiod + +**INPUT** - This validation collects NetworkPolicy resources from all namespaces in the Kubernetes cluster. + +**POLICY** - This policy checks that NetworkPolicies are correctly configured for istiod egress in the required namespaces. Specifically, it verifies that the NetworkPolicies have the expected port (15012) and protocol (TCP) for istiod egress. It also ensures that these configurations are present in the required namespaces and not in any improper namespaces. + +**NOTES** - The required namespaces for the NetworkPolicies are: "authservice", "grafana", "keycloak", "loki", "metrics-server", "monitoring", "neuvector", "promtail", "velero". diff --git a/compliance/validations/istio/secure-communication-with-istiod/resources.json b/compliance/validations/istio/secure-communication-with-istiod/resources.json new file mode 100644 index 000000000..6c5ea9b1c --- /dev/null +++ b/compliance/validations/istio/secure-communication-with-istiod/resources.json @@ -0,0 +1,4751 @@ +{ + "networkPolicies": [ + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "DNS lookup via CoreDNS" + }, + "creationTimestamp": "2024-06-07T14:36:34Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "metrics-server" + }, + "name": "allow-metrics-server-egress-dns-lookup-via-coredns", + "namespace": "metrics-server", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "metrics-server", + "uid": "be44af9c-845b-41b4-9b4b-3aa9899d3076" + } + ], + "resourceVersion": "1525", + "uid": "9b55a9ee-3344-4c53-86f5-99d89fc02d6e" + }, + "spec": { + "egress": [ + { + "ports": [ + { + "port": 53, + "protocol": "UDP" + } + ], + "to": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "kube-system" + } + } + }, + { + "podSelector": { + "matchLabels": { + "k8s-app": "kube-dns" + } + } + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "Istiod communication" + }, + "creationTimestamp": "2024-06-07T14:36:34Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "metrics-server" + }, + "name": "allow-metrics-server-egress-istiod-communication", + "namespace": "metrics-server", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "metrics-server", + "uid": "be44af9c-845b-41b4-9b4b-3aa9899d3076" + } + ], + "resourceVersion": "1526", + "uid": "9103ec43-cfb8-4d13-b30f-43f8b35c4169" + }, + "spec": { + "egress": [ + { + "ports": [ + { + "port": 15012, + "protocol": "TCP" + } + ], + "to": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "istio-system" + } + } + }, + { + "podSelector": { + "matchLabels": { + "istio": "pilot" + } + } + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "Sidecar monitoring" + }, + "creationTimestamp": "2024-06-07T14:36:35Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "metrics-server" + }, + "name": "allow-metrics-server-ingress-sidecar-monitoring", + "namespace": "metrics-server", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "metrics-server", + "uid": "be44af9c-845b-41b4-9b4b-3aa9899d3076" + } + ], + "resourceVersion": "1527", + "uid": "a266a52b-fd6a-4578-8a04-6bd9d4aa8f1e" + }, + "spec": { + "ingress": [ + { + "from": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "monitoring" + } + } + }, + { + "podSelector": { + "matchLabels": { + "app": "prometheus" + } + } + } + ], + "ports": [ + { + "port": 15020, + "protocol": "TCP" + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Ingress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "creationTimestamp": "2024-06-07T14:36:35Z", + "generation": 1, + "labels": { + "uds/generated": "Anywhere", + "uds/generation": "1", + "uds/package": "metrics-server" + }, + "name": "allow-metrics-server-egress-metrics-server-anywhere", + "namespace": "metrics-server", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "metrics-server", + "uid": "be44af9c-845b-41b4-9b4b-3aa9899d3076" + } + ], + "resourceVersion": "1528", + "uid": "046927d4-7346-454d-9c54-94b92977a398" + }, + "spec": { + "egress": [ + { + "ports": [ + { + "port": 10250, + "protocol": "TCP" + } + ], + "to": [ + { + "ipBlock": { + "cidr": "0.0.0.0/0", + "except": [ + "169.254.169.254/32" + ] + } + } + ] + } + ], + "podSelector": { + "matchLabels": { + "app.kubernetes.io/name": "metrics-server" + } + }, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "creationTimestamp": "2024-06-07T14:36:35Z", + "generation": 1, + "labels": { + "uds/generated": "Anywhere", + "uds/generation": "1", + "uds/package": "metrics-server" + }, + "name": "allow-metrics-server-ingress-metrics-server-anywhere", + "namespace": "metrics-server", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "metrics-server", + "uid": "be44af9c-845b-41b4-9b4b-3aa9899d3076" + } + ], + "resourceVersion": "1530", + "uid": "84aaea33-0b7a-4e1f-9aa3-93a893c51e11" + }, + "spec": { + "ingress": [ + { + "from": [ + { + "ipBlock": { + "cidr": "0.0.0.0/0", + "except": [ + "169.254.169.254/32" + ] + } + } + ], + "ports": [ + { + "port": 10250, + "protocol": "TCP" + } + ] + } + ], + "podSelector": { + "matchLabels": { + "app.kubernetes.io/name": "metrics-server" + } + }, + "policyTypes": [ + "Ingress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "DNS lookup via CoreDNS" + }, + "creationTimestamp": "2024-06-07T14:37:03Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "keycloak" + }, + "name": "allow-keycloak-egress-dns-lookup-via-coredns", + "namespace": "keycloak", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "keycloak", + "uid": "828c2d2a-07e2-4976-a1c3-318e7161d9c2" + } + ], + "resourceVersion": "1671", + "uid": "946dd3b8-bc7c-4acf-87de-353322dcb705" + }, + "spec": { + "egress": [ + { + "ports": [ + { + "port": 53, + "protocol": "UDP" + } + ], + "to": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "kube-system" + } + } + }, + { + "podSelector": { + "matchLabels": { + "k8s-app": "kube-dns" + } + } + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "Istiod communication" + }, + "creationTimestamp": "2024-06-07T14:37:03Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "keycloak" + }, + "name": "allow-keycloak-egress-istiod-communication", + "namespace": "keycloak", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "keycloak", + "uid": "828c2d2a-07e2-4976-a1c3-318e7161d9c2" + } + ], + "resourceVersion": "1678", + "uid": "df03af54-f57b-4cbc-898f-03dbc2dc3890" + }, + "spec": { + "egress": [ + { + "ports": [ + { + "port": 15012, + "protocol": "TCP" + } + ], + "to": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "istio-system" + } + } + }, + { + "podSelector": { + "matchLabels": { + "istio": "pilot" + } + } + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "Sidecar monitoring" + }, + "creationTimestamp": "2024-06-07T14:37:03Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "keycloak" + }, + "name": "allow-keycloak-ingress-sidecar-monitoring", + "namespace": "keycloak", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "keycloak", + "uid": "828c2d2a-07e2-4976-a1c3-318e7161d9c2" + } + ], + "resourceVersion": "1682", + "uid": "bb3b9dcc-a1df-441f-ab8c-53de750d30c2" + }, + "spec": { + "ingress": [ + { + "from": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "monitoring" + } + } + }, + { + "podSelector": { + "matchLabels": { + "app": "prometheus" + } + } + } + ], + "ports": [ + { + "port": 15020, + "protocol": "TCP" + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Ingress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "UDS Operator" + }, + "creationTimestamp": "2024-06-07T14:37:03Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "keycloak" + }, + "name": "allow-keycloak-ingress-uds-operator", + "namespace": "keycloak", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "keycloak", + "uid": "828c2d2a-07e2-4976-a1c3-318e7161d9c2" + } + ], + "resourceVersion": "1683", + "uid": "58948be1-896c-4177-bbad-5e02b89ee0b4" + }, + "spec": { + "ingress": [ + { + "from": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "pepr-system" + } + } + }, + { + "podSelector": { + "matchLabels": { + "app": "pepr-uds-core-watcher" + } + } + } + ], + "ports": [ + { + "port": 8080, + "protocol": "TCP" + } + ] + } + ], + "podSelector": { + "matchLabels": { + "app.kubernetes.io/name": "keycloak" + } + }, + "policyTypes": [ + "Ingress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "Keycloak backchannel access" + }, + "creationTimestamp": "2024-06-07T14:37:03Z", + "generation": 1, + "labels": { + "uds/generated": "Anywhere", + "uds/generation": "1", + "uds/package": "keycloak" + }, + "name": "allow-keycloak-ingress-keycloak-backchannel-access", + "namespace": "keycloak", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "keycloak", + "uid": "828c2d2a-07e2-4976-a1c3-318e7161d9c2" + } + ], + "resourceVersion": "1684", + "uid": "1789f83a-6b30-49f3-9b6c-e20858481dd7" + }, + "spec": { + "ingress": [ + { + "from": [ + { + "ipBlock": { + "cidr": "0.0.0.0/0", + "except": [ + "169.254.169.254/32" + ] + } + } + ], + "ports": [ + { + "port": 8080, + "protocol": "TCP" + } + ] + } + ], + "podSelector": { + "matchLabels": { + "app.kubernetes.io/name": "keycloak" + } + }, + "policyTypes": [ + "Ingress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "OCSP Lookup" + }, + "creationTimestamp": "2024-06-07T14:37:03Z", + "generation": 1, + "labels": { + "uds/generated": "Anywhere", + "uds/generation": "1", + "uds/package": "keycloak" + }, + "name": "allow-keycloak-egress-ocsp-lookup", + "namespace": "keycloak", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "keycloak", + "uid": "828c2d2a-07e2-4976-a1c3-318e7161d9c2" + } + ], + "resourceVersion": "1685", + "uid": "fba85bc8-5dfe-41c2-8436-fadf59f59dda" + }, + "spec": { + "egress": [ + { + "ports": [ + { + "port": 443, + "protocol": "TCP" + }, + { + "port": 80, + "protocol": "TCP" + } + ], + "to": [ + { + "ipBlock": { + "cidr": "0.0.0.0/0", + "except": [ + "169.254.169.254/32" + ] + } + } + ] + } + ], + "podSelector": { + "matchLabels": { + "app.kubernetes.io/name": "keycloak" + } + }, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "keycloak Istio tenant gateway" + }, + "creationTimestamp": "2024-06-07T14:37:03Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "keycloak" + }, + "name": "allow-keycloak-ingress-keycloak-istio-tenant-gateway", + "namespace": "keycloak", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "keycloak", + "uid": "828c2d2a-07e2-4976-a1c3-318e7161d9c2" + } + ], + "resourceVersion": "1686", + "uid": "10aed744-db64-4daa-868e-b1a44bfcb66a" + }, + "spec": { + "ingress": [ + { + "from": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "istio-tenant-gateway" + } + } + }, + { + "podSelector": { + "matchLabels": { + "app": "tenant-ingressgateway" + } + } + } + ], + "ports": [ + { + "port": 8080, + "protocol": "TCP" + } + ] + } + ], + "podSelector": { + "matchLabels": { + "app.kubernetes.io/name": "keycloak" + } + }, + "policyTypes": [ + "Ingress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "keycloak Istio admin gateway" + }, + "creationTimestamp": "2024-06-07T14:37:03Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "keycloak" + }, + "name": "allow-keycloak-ingress-keycloak-istio-admin-gateway", + "namespace": "keycloak", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "keycloak", + "uid": "828c2d2a-07e2-4976-a1c3-318e7161d9c2" + } + ], + "resourceVersion": "1687", + "uid": "f414ac16-c301-4472-8b6c-60e3382fd6f3" + }, + "spec": { + "ingress": [ + { + "from": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "istio-admin-gateway" + } + } + }, + { + "podSelector": { + "matchLabels": { + "app": "admin-ingressgateway" + } + } + } + ], + "ports": [ + { + "port": 8080, + "protocol": "TCP" + } + ] + } + ], + "podSelector": { + "matchLabels": { + "app.kubernetes.io/name": "keycloak" + } + }, + "policyTypes": [ + "Ingress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "http,keycloak Metrics" + }, + "creationTimestamp": "2024-06-07T14:37:03Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "keycloak" + }, + "name": "allow-keycloak-ingress-http-keycloak-metrics", + "namespace": "keycloak", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "keycloak", + "uid": "828c2d2a-07e2-4976-a1c3-318e7161d9c2" + } + ], + "resourceVersion": "1688", + "uid": "a165fcc5-7b63-4f67-a0f5-f214493a3387" + }, + "spec": { + "ingress": [ + { + "from": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "monitoring" + } + } + }, + { + "podSelector": { + "matchLabels": { + "app": "prometheus" + } + } + } + ], + "ports": [ + { + "port": 8080, + "protocol": "TCP" + } + ] + } + ], + "podSelector": { + "matchLabels": { + "app.kubernetes.io/name": "keycloak" + } + }, + "policyTypes": [ + "Ingress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "DNS lookup via CoreDNS" + }, + "creationTimestamp": "2024-06-07T14:38:19Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "neuvector" + }, + "name": "allow-neuvector-egress-dns-lookup-via-coredns", + "namespace": "neuvector", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "neuvector", + "uid": "91b75744-bd1b-497b-8875-2a258d8b23cc" + } + ], + "resourceVersion": "1916", + "uid": "004eea79-71b9-45d5-9ceb-ea57acfb6e27" + }, + "spec": { + "egress": [ + { + "ports": [ + { + "port": 53, + "protocol": "UDP" + } + ], + "to": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "kube-system" + } + } + }, + { + "podSelector": { + "matchLabels": { + "k8s-app": "kube-dns" + } + } + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "Istiod communication" + }, + "creationTimestamp": "2024-06-07T14:38:19Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "neuvector" + }, + "name": "allow-neuvector-egress-istiod-communication", + "namespace": "neuvector", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "neuvector", + "uid": "91b75744-bd1b-497b-8875-2a258d8b23cc" + } + ], + "resourceVersion": "1917", + "uid": "e7bfd8ab-f0a9-405f-8bbc-a3745c108e93" + }, + "spec": { + "egress": [ + { + "ports": [ + { + "port": 15012, + "protocol": "TCP" + } + ], + "to": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "istio-system" + } + } + }, + { + "podSelector": { + "matchLabels": { + "istio": "pilot" + } + } + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "Sidecar monitoring" + }, + "creationTimestamp": "2024-06-07T14:38:19Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "neuvector" + }, + "name": "allow-neuvector-ingress-sidecar-monitoring", + "namespace": "neuvector", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "neuvector", + "uid": "91b75744-bd1b-497b-8875-2a258d8b23cc" + } + ], + "resourceVersion": "1918", + "uid": "ba445407-9e39-4d6e-b29f-93403e58b867" + }, + "spec": { + "ingress": [ + { + "from": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "monitoring" + } + } + }, + { + "podSelector": { + "matchLabels": { + "app": "prometheus" + } + } + } + ], + "ports": [ + { + "port": 15020, + "protocol": "TCP" + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Ingress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "Webhook" + }, + "creationTimestamp": "2024-06-07T14:38:19Z", + "generation": 1, + "labels": { + "uds/generated": "Anywhere", + "uds/generation": "1", + "uds/package": "neuvector" + }, + "name": "allow-neuvector-ingress-webhook", + "namespace": "neuvector", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "neuvector", + "uid": "91b75744-bd1b-497b-8875-2a258d8b23cc" + } + ], + "resourceVersion": "1925", + "uid": "bb131aa5-77bd-4298-92ae-07bada798e1e" + }, + "spec": { + "ingress": [ + { + "from": [ + { + "ipBlock": { + "cidr": "0.0.0.0/0", + "except": [ + "169.254.169.254/32" + ] + } + } + ], + "ports": [ + { + "port": 30443, + "protocol": "TCP" + } + ] + } + ], + "podSelector": { + "matchLabels": { + "app": "neuvector-controller-pod" + } + }, + "policyTypes": [ + "Ingress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "Tempo" + }, + "creationTimestamp": "2024-06-07T14:38:19Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "neuvector" + }, + "name": "allow-neuvector-egress-tempo", + "namespace": "neuvector", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "neuvector", + "uid": "91b75744-bd1b-497b-8875-2a258d8b23cc" + } + ], + "resourceVersion": "1926", + "uid": "f7dbab02-de2d-4cf2-8396-e1b1a83df964" + }, + "spec": { + "egress": [ + { + "ports": [ + { + "port": 9411, + "protocol": "TCP" + } + ], + "to": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "tempo" + } + } + }, + { + "podSelector": { + "matchLabels": { + "app.kubernetes.io/name": "tempo" + } + } + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "neuvector-manager-pod Istio admin gateway" + }, + "creationTimestamp": "2024-06-07T14:38:19Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "neuvector" + }, + "name": "allow-neuvector-ingress-neuvector-manager-pod-istio-admin-gateway", + "namespace": "neuvector", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "neuvector", + "uid": "91b75744-bd1b-497b-8875-2a258d8b23cc" + } + ], + "resourceVersion": "1927", + "uid": "39be918e-aff5-4ab4-845a-2c091eda94ce" + }, + "spec": { + "ingress": [ + { + "from": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "istio-admin-gateway" + } + } + }, + { + "podSelector": { + "matchLabels": { + "app": "admin-ingressgateway" + } + } + } + ], + "ports": [ + { + "port": 8443, + "protocol": "TCP" + } + ] + } + ], + "podSelector": { + "matchLabels": { + "app": "neuvector-manager-pod" + } + }, + "policyTypes": [ + "Ingress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "DNS lookup via CoreDNS" + }, + "creationTimestamp": "2024-06-07T14:38:49Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "loki" + }, + "name": "allow-loki-egress-dns-lookup-via-coredns", + "namespace": "loki", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "loki", + "uid": "e7e59ebe-6388-4233-872e-94065e29b3c4" + } + ], + "resourceVersion": "2386", + "uid": "d901089d-7fd0-43f2-86d5-a70e5ddb6e4d" + }, + "spec": { + "egress": [ + { + "ports": [ + { + "port": 53, + "protocol": "UDP" + } + ], + "to": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "kube-system" + } + } + }, + { + "podSelector": { + "matchLabels": { + "k8s-app": "kube-dns" + } + } + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "Istiod communication" + }, + "creationTimestamp": "2024-06-07T14:38:49Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "loki" + }, + "name": "allow-loki-egress-istiod-communication", + "namespace": "loki", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "loki", + "uid": "e7e59ebe-6388-4233-872e-94065e29b3c4" + } + ], + "resourceVersion": "2387", + "uid": "88590deb-8725-479a-ac63-145ee3b783d6" + }, + "spec": { + "egress": [ + { + "ports": [ + { + "port": 15012, + "protocol": "TCP" + } + ], + "to": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "istio-system" + } + } + }, + { + "podSelector": { + "matchLabels": { + "istio": "pilot" + } + } + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "Sidecar monitoring" + }, + "creationTimestamp": "2024-06-07T14:38:49Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "loki" + }, + "name": "allow-loki-ingress-sidecar-monitoring", + "namespace": "loki", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "loki", + "uid": "e7e59ebe-6388-4233-872e-94065e29b3c4" + } + ], + "resourceVersion": "2388", + "uid": "2bbd00b4-fbae-4686-ba70-8e75ca8b6136" + }, + "spec": { + "ingress": [ + { + "from": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "monitoring" + } + } + }, + { + "podSelector": { + "matchLabels": { + "app": "prometheus" + } + } + } + ], + "ports": [ + { + "port": 15020, + "protocol": "TCP" + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Ingress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "Grafana Log Queries" + }, + "creationTimestamp": "2024-06-07T14:38:49Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "loki" + }, + "name": "allow-loki-ingress-grafana-log-queries", + "namespace": "loki", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "loki", + "uid": "e7e59ebe-6388-4233-872e-94065e29b3c4" + } + ], + "resourceVersion": "2391", + "uid": "7af2c554-1698-4f34-a9a0-1017a65d2e82" + }, + "spec": { + "ingress": [ + { + "from": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "grafana" + } + } + }, + { + "podSelector": { + "matchLabels": { + "app.kubernetes.io/name": "grafana" + } + } + } + ], + "ports": [ + { + "port": 8080, + "protocol": "TCP" + } + ] + } + ], + "podSelector": { + "matchLabels": { + "app.kubernetes.io/name": "loki" + } + }, + "policyTypes": [ + "Ingress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "Prometheus Metrics" + }, + "creationTimestamp": "2024-06-07T14:38:49Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "loki" + }, + "name": "allow-loki-ingress-prometheus-metrics", + "namespace": "loki", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "loki", + "uid": "e7e59ebe-6388-4233-872e-94065e29b3c4" + } + ], + "resourceVersion": "2392", + "uid": "b40f0657-bc46-4d03-941c-45b7e2458b47" + }, + "spec": { + "ingress": [ + { + "from": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "monitoring" + } + } + }, + { + "podSelector": { + "matchLabels": { + "app.kubernetes.io/name": "prometheus" + } + } + } + ], + "ports": [ + { + "port": 3100, + "protocol": "TCP" + }, + { + "port": 8080, + "protocol": "TCP" + } + ] + } + ], + "podSelector": { + "matchLabels": { + "app.kubernetes.io/name": "loki" + } + }, + "policyTypes": [ + "Ingress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "Promtail Log Storage" + }, + "creationTimestamp": "2024-06-07T14:38:49Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "loki" + }, + "name": "allow-loki-ingress-promtail-log-storage", + "namespace": "loki", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "loki", + "uid": "e7e59ebe-6388-4233-872e-94065e29b3c4" + } + ], + "resourceVersion": "2394", + "uid": "c035b1ed-16c1-4a53-81a6-df94e2ac3248" + }, + "spec": { + "ingress": [ + { + "from": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "promtail" + } + } + }, + { + "podSelector": { + "matchLabels": { + "app.kubernetes.io/name": "promtail" + } + } + } + ], + "ports": [ + { + "port": 8080, + "protocol": "TCP" + } + ] + } + ], + "podSelector": { + "matchLabels": { + "app.kubernetes.io/name": "loki" + } + }, + "policyTypes": [ + "Ingress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "Tempo" + }, + "creationTimestamp": "2024-06-07T14:38:49Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "loki" + }, + "name": "allow-loki-egress-tempo", + "namespace": "loki", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "loki", + "uid": "e7e59ebe-6388-4233-872e-94065e29b3c4" + } + ], + "resourceVersion": "2396", + "uid": "55eb91b4-d223-4051-8ee0-1120bc0f10b3" + }, + "spec": { + "egress": [ + { + "ports": [ + { + "port": 9411, + "protocol": "TCP" + } + ], + "to": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "tempo" + } + } + }, + { + "podSelector": { + "matchLabels": { + "app.kubernetes.io/name": "tempo" + } + } + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "DNS lookup via CoreDNS" + }, + "creationTimestamp": "2024-06-07T14:40:25Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "prometheus-stack" + }, + "name": "allow-prometheus-stack-egress-dns-lookup-via-coredns", + "namespace": "monitoring", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "prometheus-stack", + "uid": "ff51ba04-5590-4945-8ec5-1965bdbcdb76" + } + ], + "resourceVersion": "2868", + "uid": "43efd06f-7785-4053-987d-95452545e42c" + }, + "spec": { + "egress": [ + { + "ports": [ + { + "port": 53, + "protocol": "UDP" + } + ], + "to": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "kube-system" + } + } + }, + { + "podSelector": { + "matchLabels": { + "k8s-app": "kube-dns" + } + } + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "Istiod communication" + }, + "creationTimestamp": "2024-06-07T14:40:25Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "prometheus-stack" + }, + "name": "allow-prometheus-stack-egress-istiod-communication", + "namespace": "monitoring", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "prometheus-stack", + "uid": "ff51ba04-5590-4945-8ec5-1965bdbcdb76" + } + ], + "resourceVersion": "2869", + "uid": "ac0cc2fa-39c4-4c6e-8c1a-b0caa96ec828" + }, + "spec": { + "egress": [ + { + "ports": [ + { + "port": 15012, + "protocol": "TCP" + } + ], + "to": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "istio-system" + } + } + }, + { + "podSelector": { + "matchLabels": { + "istio": "pilot" + } + } + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "Sidecar monitoring" + }, + "creationTimestamp": "2024-06-07T14:40:25Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "prometheus-stack" + }, + "name": "allow-prometheus-stack-ingress-sidecar-monitoring", + "namespace": "monitoring", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "prometheus-stack", + "uid": "ff51ba04-5590-4945-8ec5-1965bdbcdb76" + } + ], + "resourceVersion": "2870", + "uid": "96c427b0-8b40-447c-ab8e-e0a3f9f71923" + }, + "spec": { + "ingress": [ + { + "from": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "monitoring" + } + } + }, + { + "podSelector": { + "matchLabels": { + "app": "prometheus" + } + } + } + ], + "ports": [ + { + "port": 15020, + "protocol": "TCP" + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Ingress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "Webhook" + }, + "creationTimestamp": "2024-06-07T14:40:25Z", + "generation": 1, + "labels": { + "uds/generated": "Anywhere", + "uds/generation": "1", + "uds/package": "prometheus-stack" + }, + "name": "allow-prometheus-stack-ingress-webhook", + "namespace": "monitoring", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "prometheus-stack", + "uid": "ff51ba04-5590-4945-8ec5-1965bdbcdb76" + } + ], + "resourceVersion": "2879", + "uid": "0f1fcef1-99d8-4fcf-ab3b-3319fd613463" + }, + "spec": { + "ingress": [ + { + "from": [ + { + "ipBlock": { + "cidr": "0.0.0.0/0", + "except": [ + "169.254.169.254/32" + ] + } + } + ], + "ports": [ + { + "port": 10250, + "protocol": "TCP" + } + ] + } + ], + "podSelector": { + "matchLabels": { + "app": "kube-prometheus-stack-operator" + } + }, + "policyTypes": [ + "Ingress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "Grafana Metrics Queries" + }, + "creationTimestamp": "2024-06-07T14:40:25Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "prometheus-stack" + }, + "name": "allow-prometheus-stack-ingress-grafana-metrics-queries", + "namespace": "monitoring", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "prometheus-stack", + "uid": "ff51ba04-5590-4945-8ec5-1965bdbcdb76" + } + ], + "resourceVersion": "2881", + "uid": "5b2b669b-42ab-4a0d-aa89-254a545d7bd9" + }, + "spec": { + "ingress": [ + { + "from": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "grafana" + } + } + }, + { + "podSelector": { + "matchLabels": { + "app.kubernetes.io/name": "grafana" + } + } + } + ], + "ports": [ + { + "port": 9090, + "protocol": "TCP" + } + ] + } + ], + "podSelector": { + "matchLabels": { + "app.kubernetes.io/name": "prometheus" + } + }, + "policyTypes": [ + "Ingress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "Tempo" + }, + "creationTimestamp": "2024-06-07T14:40:25Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "prometheus-stack" + }, + "name": "allow-prometheus-stack-egress-tempo", + "namespace": "monitoring", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "prometheus-stack", + "uid": "ff51ba04-5590-4945-8ec5-1965bdbcdb76" + } + ], + "resourceVersion": "2882", + "uid": "f56b6b6d-cbf3-446c-b9fd-d03aa2e27bf0" + }, + "spec": { + "egress": [ + { + "ports": [ + { + "port": 9411, + "protocol": "TCP" + } + ], + "to": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "tempo" + } + } + }, + { + "podSelector": { + "matchLabels": { + "app.kubernetes.io/name": "tempo" + } + } + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "DNS lookup via CoreDNS" + }, + "creationTimestamp": "2024-06-07T14:41:05Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "promtail" + }, + "name": "allow-promtail-egress-dns-lookup-via-coredns", + "namespace": "promtail", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "promtail", + "uid": "1e35a512-9c9c-47a8-877e-272d87932866" + } + ], + "resourceVersion": "3427", + "uid": "ae38b310-a500-4199-b5e8-eaa05e50af83" + }, + "spec": { + "egress": [ + { + "ports": [ + { + "port": 53, + "protocol": "UDP" + } + ], + "to": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "kube-system" + } + } + }, + { + "podSelector": { + "matchLabels": { + "k8s-app": "kube-dns" + } + } + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "Istiod communication" + }, + "creationTimestamp": "2024-06-07T14:41:05Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "promtail" + }, + "name": "allow-promtail-egress-istiod-communication", + "namespace": "promtail", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "promtail", + "uid": "1e35a512-9c9c-47a8-877e-272d87932866" + } + ], + "resourceVersion": "3428", + "uid": "2f64b3ec-29db-4ccc-ae2b-da45c01b31bb" + }, + "spec": { + "egress": [ + { + "ports": [ + { + "port": 15012, + "protocol": "TCP" + } + ], + "to": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "istio-system" + } + } + }, + { + "podSelector": { + "matchLabels": { + "istio": "pilot" + } + } + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "Sidecar monitoring" + }, + "creationTimestamp": "2024-06-07T14:41:05Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "promtail" + }, + "name": "allow-promtail-ingress-sidecar-monitoring", + "namespace": "promtail", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "promtail", + "uid": "1e35a512-9c9c-47a8-877e-272d87932866" + } + ], + "resourceVersion": "3429", + "uid": "b3101049-323d-45e9-91b4-a542f645821b" + }, + "spec": { + "ingress": [ + { + "from": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "monitoring" + } + } + }, + { + "podSelector": { + "matchLabels": { + "app": "prometheus" + } + } + } + ], + "ports": [ + { + "port": 15020, + "protocol": "TCP" + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Ingress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "Prometheus Metrics" + }, + "creationTimestamp": "2024-06-07T14:41:05Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "promtail" + }, + "name": "allow-promtail-ingress-prometheus-metrics", + "namespace": "promtail", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "promtail", + "uid": "1e35a512-9c9c-47a8-877e-272d87932866" + } + ], + "resourceVersion": "3430", + "uid": "52c0d085-bc1d-4577-a861-97a9727c790b" + }, + "spec": { + "ingress": [ + { + "from": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "monitoring" + } + } + }, + { + "podSelector": { + "matchLabels": { + "app.kubernetes.io/name": "prometheus" + } + } + } + ], + "ports": [ + { + "port": 3101, + "protocol": "TCP" + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Ingress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "Tempo" + }, + "creationTimestamp": "2024-06-07T14:41:05Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "promtail" + }, + "name": "allow-promtail-egress-tempo", + "namespace": "promtail", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "promtail", + "uid": "1e35a512-9c9c-47a8-877e-272d87932866" + } + ], + "resourceVersion": "3432", + "uid": "f9704a6a-2a83-4c90-86b8-f543e38839dd" + }, + "spec": { + "egress": [ + { + "ports": [ + { + "port": 9411, + "protocol": "TCP" + } + ], + "to": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "tempo" + } + } + }, + { + "podSelector": { + "matchLabels": { + "app.kubernetes.io/name": "tempo" + } + } + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "Write Logs to Loki" + }, + "creationTimestamp": "2024-06-07T14:41:05Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "promtail" + }, + "name": "allow-promtail-egress-write-logs-to-loki", + "namespace": "promtail", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "promtail", + "uid": "1e35a512-9c9c-47a8-877e-272d87932866" + } + ], + "resourceVersion": "3433", + "uid": "e5ecbbc4-7e90-4819-ab97-f078244785ce" + }, + "spec": { + "egress": [ + { + "ports": [ + { + "port": 8080, + "protocol": "TCP" + } + ], + "to": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "loki" + } + } + }, + { + "podSelector": { + "matchLabels": { + "app.kubernetes.io/name": "loki" + } + } + } + ] + } + ], + "podSelector": { + "matchLabels": { + "app.kubernetes.io/name": "promtail" + } + }, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "promtail Metrics" + }, + "creationTimestamp": "2024-06-07T14:41:05Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "promtail" + }, + "name": "allow-promtail-ingress-promtail-metrics", + "namespace": "promtail", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "promtail", + "uid": "1e35a512-9c9c-47a8-877e-272d87932866" + } + ], + "resourceVersion": "3434", + "uid": "757f4a86-51b9-4057-b7c6-c5e1fbd8d32a" + }, + "spec": { + "ingress": [ + { + "from": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "monitoring" + } + } + }, + { + "podSelector": { + "matchLabels": { + "app": "prometheus" + } + } + } + ], + "ports": [ + { + "port": 3101, + "protocol": "TCP" + } + ] + } + ], + "podSelector": { + "matchLabels": { + "app.kubernetes.io/name": "promtail" + } + }, + "policyTypes": [ + "Ingress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "DNS lookup via CoreDNS" + }, + "creationTimestamp": "2024-06-07T14:41:43Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "grafana" + }, + "name": "allow-grafana-egress-dns-lookup-via-coredns", + "namespace": "grafana", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "grafana", + "uid": "eb4ad385-6506-4881-99b3-b133f70c83ec" + } + ], + "resourceVersion": "3601", + "uid": "5be3c893-cf9d-4e2e-9fc3-c5d10933908f" + }, + "spec": { + "egress": [ + { + "ports": [ + { + "port": 53, + "protocol": "UDP" + } + ], + "to": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "kube-system" + } + } + }, + { + "podSelector": { + "matchLabels": { + "k8s-app": "kube-dns" + } + } + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "Istiod communication" + }, + "creationTimestamp": "2024-06-07T14:41:43Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "grafana" + }, + "name": "allow-grafana-egress-istiod-communication", + "namespace": "grafana", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "grafana", + "uid": "eb4ad385-6506-4881-99b3-b133f70c83ec" + } + ], + "resourceVersion": "3602", + "uid": "07968bea-ab81-4e17-a9cd-bbde317776c6" + }, + "spec": { + "egress": [ + { + "ports": [ + { + "port": 15012, + "protocol": "TCP" + } + ], + "to": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "istio-system" + } + } + }, + { + "podSelector": { + "matchLabels": { + "istio": "pilot" + } + } + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "Sidecar monitoring" + }, + "creationTimestamp": "2024-06-07T14:41:43Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "grafana" + }, + "name": "allow-grafana-ingress-sidecar-monitoring", + "namespace": "grafana", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "grafana", + "uid": "eb4ad385-6506-4881-99b3-b133f70c83ec" + } + ], + "resourceVersion": "3603", + "uid": "dd2336fa-2119-4a58-a3b4-4f9c0dfe71b8" + }, + "spec": { + "ingress": [ + { + "from": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "monitoring" + } + } + }, + { + "podSelector": { + "matchLabels": { + "app": "prometheus" + } + } + } + ], + "ports": [ + { + "port": 15020, + "protocol": "TCP" + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Ingress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "Tempo Datasource" + }, + "creationTimestamp": "2024-06-07T14:41:43Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "grafana" + }, + "name": "allow-grafana-ingress-tempo-datasource", + "namespace": "grafana", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "grafana", + "uid": "eb4ad385-6506-4881-99b3-b133f70c83ec" + } + ], + "resourceVersion": "3604", + "uid": "f4f5a07e-01cd-4d77-8ec2-3338bb5c4590" + }, + "spec": { + "ingress": [ + { + "from": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "tempo" + } + } + }, + { + "podSelector": { + "matchLabels": { + "app.kubernetes.io/name": "tempo" + } + } + } + ], + "ports": [ + { + "port": 9090, + "protocol": "TCP" + } + ] + } + ], + "podSelector": { + "matchLabels": { + "app.kubernetes.io/name": "grafana" + } + }, + "policyTypes": [ + "Ingress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "Tempo" + }, + "creationTimestamp": "2024-06-07T14:41:44Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "grafana" + }, + "name": "allow-grafana-egress-tempo", + "namespace": "grafana", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "grafana", + "uid": "eb4ad385-6506-4881-99b3-b133f70c83ec" + } + ], + "resourceVersion": "3606", + "uid": "79d52a98-23a9-4b19-8270-e1e7679d0275" + }, + "spec": { + "egress": [ + { + "ports": [ + { + "port": 9411, + "protocol": "TCP" + } + ], + "to": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "tempo" + } + } + }, + { + "podSelector": { + "matchLabels": { + "app.kubernetes.io/name": "tempo" + } + } + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "grafana Istio admin gateway" + }, + "creationTimestamp": "2024-06-07T14:41:44Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "grafana" + }, + "name": "allow-grafana-ingress-grafana-istio-admin-gateway", + "namespace": "grafana", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "grafana", + "uid": "eb4ad385-6506-4881-99b3-b133f70c83ec" + } + ], + "resourceVersion": "3608", + "uid": "f5b474c3-d943-4bae-a77a-72b225fe7f61" + }, + "spec": { + "ingress": [ + { + "from": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "istio-admin-gateway" + } + } + }, + { + "podSelector": { + "matchLabels": { + "app": "admin-ingressgateway" + } + } + } + ], + "ports": [ + { + "port": 3000, + "protocol": "TCP" + } + ] + } + ], + "podSelector": { + "matchLabels": { + "app.kubernetes.io/name": "grafana" + } + }, + "policyTypes": [ + "Ingress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "grafana Metrics" + }, + "creationTimestamp": "2024-06-07T14:41:44Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "grafana" + }, + "name": "allow-grafana-ingress-grafana-metrics", + "namespace": "grafana", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "grafana", + "uid": "eb4ad385-6506-4881-99b3-b133f70c83ec" + } + ], + "resourceVersion": "3615", + "uid": "24a89a49-4261-4df3-ada8-1f70511b7a9b" + }, + "spec": { + "ingress": [ + { + "from": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "monitoring" + } + } + }, + { + "podSelector": { + "matchLabels": { + "app": "prometheus" + } + } + } + ], + "ports": [ + { + "port": 3000, + "protocol": "TCP" + } + ] + } + ], + "podSelector": { + "matchLabels": { + "app.kubernetes.io/name": "grafana" + } + }, + "policyTypes": [ + "Ingress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "DNS lookup via CoreDNS" + }, + "creationTimestamp": "2024-06-07T14:42:14Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "authservice" + }, + "name": "allow-authservice-egress-dns-lookup-via-coredns", + "namespace": "authservice", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "authservice", + "uid": "046a178c-e731-44d8-a487-e424f8034789" + } + ], + "resourceVersion": "3779", + "uid": "18a6dadf-f1e3-4466-add1-0d852b8ff529" + }, + "spec": { + "egress": [ + { + "ports": [ + { + "port": 53, + "protocol": "UDP" + } + ], + "to": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "kube-system" + } + } + }, + { + "podSelector": { + "matchLabels": { + "k8s-app": "kube-dns" + } + } + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "Istiod communication" + }, + "creationTimestamp": "2024-06-07T14:42:14Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "authservice" + }, + "name": "allow-authservice-egress-istiod-communication", + "namespace": "authservice", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "authservice", + "uid": "046a178c-e731-44d8-a487-e424f8034789" + } + ], + "resourceVersion": "3782", + "uid": "e922febc-a442-415c-83e8-ce53b653ba44" + }, + "spec": { + "egress": [ + { + "ports": [ + { + "port": 15012, + "protocol": "TCP" + } + ], + "to": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "istio-system" + } + } + }, + { + "podSelector": { + "matchLabels": { + "istio": "pilot" + } + } + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "Sidecar monitoring" + }, + "creationTimestamp": "2024-06-07T14:42:14Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "authservice" + }, + "name": "allow-authservice-ingress-sidecar-monitoring", + "namespace": "authservice", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "authservice", + "uid": "046a178c-e731-44d8-a487-e424f8034789" + } + ], + "resourceVersion": "3783", + "uid": "1f7a1385-b33c-4cdb-b165-912471696796" + }, + "spec": { + "ingress": [ + { + "from": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "monitoring" + } + } + }, + { + "podSelector": { + "matchLabels": { + "app": "prometheus" + } + } + } + ], + "ports": [ + { + "port": 15020, + "protocol": "TCP" + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Ingress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "Protected Apps" + }, + "creationTimestamp": "2024-06-07T14:42:14Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "authservice" + }, + "name": "allow-authservice-ingress-protected-apps", + "namespace": "authservice", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "authservice", + "uid": "046a178c-e731-44d8-a487-e424f8034789" + } + ], + "resourceVersion": "3787", + "uid": "7334e55f-45b2-47f4-bdec-2b7a53177f97" + }, + "spec": { + "ingress": [ + { + "from": [ + { + "namespaceSelector": {} + }, + { + "podSelector": { + "matchLabels": { + "protect": "keycloak" + } + } + } + ], + "ports": [ + { + "port": 10003, + "protocol": "TCP" + } + ] + } + ], + "podSelector": { + "matchLabels": { + "app.kubernetes.io/name": "authservice" + } + }, + "policyTypes": [ + "Ingress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "DNS lookup via CoreDNS" + }, + "creationTimestamp": "2024-06-07T14:42:39Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "velero" + }, + "name": "allow-velero-egress-dns-lookup-via-coredns", + "namespace": "velero", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "velero", + "uid": "acf82b1d-57d0-47ce-8880-e54543180a04" + } + ], + "resourceVersion": "3897", + "uid": "3a9fda9e-59ca-432d-9f2a-3775443cf964" + }, + "spec": { + "egress": [ + { + "ports": [ + { + "port": 53, + "protocol": "UDP" + } + ], + "to": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "kube-system" + } + } + }, + { + "podSelector": { + "matchLabels": { + "k8s-app": "kube-dns" + } + } + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "Istiod communication" + }, + "creationTimestamp": "2024-06-07T14:42:39Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "velero" + }, + "name": "allow-velero-egress-istiod-communication", + "namespace": "velero", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "velero", + "uid": "acf82b1d-57d0-47ce-8880-e54543180a04" + } + ], + "resourceVersion": "3898", + "uid": "7315782c-a390-42ea-9c52-7e4f28e3c15c" + }, + "spec": { + "egress": [ + { + "ports": [ + { + "port": 15012, + "protocol": "TCP" + } + ], + "to": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "istio-system" + } + } + }, + { + "podSelector": { + "matchLabels": { + "istio": "pilot" + } + } + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "Sidecar monitoring" + }, + "creationTimestamp": "2024-06-07T14:42:39Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "velero" + }, + "name": "allow-velero-ingress-sidecar-monitoring", + "namespace": "velero", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "velero", + "uid": "acf82b1d-57d0-47ce-8880-e54543180a04" + } + ], + "resourceVersion": "3899", + "uid": "1a5f853e-518d-4b4f-bd79-89e7fa52332b" + }, + "spec": { + "ingress": [ + { + "from": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "monitoring" + } + } + }, + { + "podSelector": { + "matchLabels": { + "app": "prometheus" + } + } + } + ], + "ports": [ + { + "port": 15020, + "protocol": "TCP" + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Ingress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "Prometheus Metrics" + }, + "creationTimestamp": "2024-06-07T14:42:39Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "velero" + }, + "name": "allow-velero-ingress-prometheus-metrics", + "namespace": "velero", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "velero", + "uid": "acf82b1d-57d0-47ce-8880-e54543180a04" + } + ], + "resourceVersion": "3905", + "uid": "642b650d-daee-46c9-98b3-0732e1cfb2b7" + }, + "spec": { + "ingress": [ + { + "from": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "monitoring" + } + } + }, + { + "podSelector": { + "matchLabels": { + "app": "prometheus" + } + } + } + ], + "ports": [ + { + "port": 8085, + "protocol": "TCP" + } + ] + } + ], + "podSelector": { + "matchLabels": { + "app.kubernetes.io/name": "velero" + } + }, + "policyTypes": [ + "Ingress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "creationTimestamp": "2024-06-07T14:36:34Z", + "generation": 2, + "labels": { + "uds/generation": "1", + "uds/package": "metrics-server" + }, + "name": "deny-metrics-server-default", + "namespace": "metrics-server", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "metrics-server", + "uid": "be44af9c-845b-41b4-9b4b-3aa9899d3076" + } + ], + "resourceVersion": "174925", + "uid": "ddd12bef-6fdc-4a5f-a14a-f2241377233e" + }, + "spec": { + "podSelector": {}, + "policyTypes": [ + "Ingress", + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "creationTimestamp": "2024-06-07T14:36:35Z", + "generation": 2, + "labels": { + "uds/generated": "KubeAPI", + "uds/generation": "1", + "uds/package": "metrics-server" + }, + "name": "allow-metrics-server-egress-metrics-server-kubeapi", + "namespace": "metrics-server", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "metrics-server", + "uid": "be44af9c-845b-41b4-9b4b-3aa9899d3076" + } + ], + "resourceVersion": "174926", + "uid": "9acffae9-2899-45c7-9845-ec14d72661c9" + }, + "spec": { + "egress": [ + { + "to": [ + { + "ipBlock": { + "cidr": "172.19.0.3/32" + } + }, + { + "ipBlock": { + "cidr": "10.43.0.1/32" + } + } + ] + } + ], + "podSelector": { + "matchLabels": { + "app.kubernetes.io/name": "metrics-server" + } + }, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "creationTimestamp": "2024-06-07T14:37:03Z", + "generation": 2, + "labels": { + "uds/generation": "1", + "uds/package": "keycloak" + }, + "name": "deny-keycloak-default", + "namespace": "keycloak", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "keycloak", + "uid": "828c2d2a-07e2-4976-a1c3-318e7161d9c2" + } + ], + "resourceVersion": "174929", + "uid": "59140c79-d6b1-41f7-8539-e470a94caa25" + }, + "spec": { + "podSelector": {}, + "policyTypes": [ + "Ingress", + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "creationTimestamp": "2024-06-07T14:38:49Z", + "generation": 2, + "labels": { + "uds/generation": "1", + "uds/package": "loki" + }, + "name": "deny-loki-default", + "namespace": "loki", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "loki", + "uid": "e7e59ebe-6388-4233-872e-94065e29b3c4" + } + ], + "resourceVersion": "174956", + "uid": "eb6a63fe-cd8b-4720-9dba-e3ae07e91c93" + }, + "spec": { + "podSelector": {}, + "policyTypes": [ + "Ingress", + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "creationTimestamp": "2024-06-07T14:38:49Z", + "generation": 2, + "labels": { + "uds/generated": "IntraNamespace", + "uds/generation": "1", + "uds/package": "loki" + }, + "name": "allow-loki-ingress-all-pods-intranamespace", + "namespace": "loki", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "loki", + "uid": "e7e59ebe-6388-4233-872e-94065e29b3c4" + } + ], + "resourceVersion": "174957", + "uid": "cdcbaf50-75d3-4991-b739-c7bc07fe8b9b" + }, + "spec": { + "ingress": [ + { + "from": [ + { + "podSelector": {} + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Ingress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "creationTimestamp": "2024-06-07T14:38:49Z", + "generation": 2, + "labels": { + "uds/generated": "IntraNamespace", + "uds/generation": "1", + "uds/package": "loki" + }, + "name": "allow-loki-egress-all-pods-intranamespace", + "namespace": "loki", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "loki", + "uid": "e7e59ebe-6388-4233-872e-94065e29b3c4" + } + ], + "resourceVersion": "174959", + "uid": "36077323-34b7-4a3c-9f15-907acfb3a22e" + }, + "spec": { + "egress": [ + { + "to": [ + { + "podSelector": {} + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "creationTimestamp": "2024-06-07T14:38:49Z", + "generation": 2, + "labels": { + "uds/generated": "Anywhere", + "uds/generation": "1", + "uds/package": "loki" + }, + "name": "allow-loki-egress-loki-anywhere", + "namespace": "loki", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "loki", + "uid": "e7e59ebe-6388-4233-872e-94065e29b3c4" + } + ], + "resourceVersion": "174960", + "uid": "aa29c669-9f41-4ead-9d04-ef643a4dfc65" + }, + "spec": { + "egress": [ + { + "to": [ + { + "ipBlock": { + "cidr": "0.0.0.0/0", + "except": [ + "169.254.169.254/32" + ] + } + } + ] + } + ], + "podSelector": { + "matchLabels": { + "app.kubernetes.io/name": "loki" + } + }, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "creationTimestamp": "2024-06-07T14:40:25Z", + "generation": 2, + "labels": { + "uds/generation": "1", + "uds/package": "prometheus-stack" + }, + "name": "deny-prometheus-stack-default", + "namespace": "monitoring", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "prometheus-stack", + "uid": "ff51ba04-5590-4945-8ec5-1965bdbcdb76" + } + ], + "resourceVersion": "174963", + "uid": "347b1bee-7524-4837-9fa6-dba07cfe586d" + }, + "spec": { + "podSelector": {}, + "policyTypes": [ + "Ingress", + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "creationTimestamp": "2024-06-07T14:40:25Z", + "generation": 2, + "labels": { + "uds/generated": "IntraNamespace", + "uds/generation": "1", + "uds/package": "prometheus-stack" + }, + "name": "allow-prometheus-stack-ingress-all-pods-intranamespace", + "namespace": "monitoring", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "prometheus-stack", + "uid": "ff51ba04-5590-4945-8ec5-1965bdbcdb76" + } + ], + "resourceVersion": "174964", + "uid": "7777a5fa-8aad-4a8d-ad6c-0ecb4c75e83d" + }, + "spec": { + "ingress": [ + { + "from": [ + { + "podSelector": {} + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Ingress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "creationTimestamp": "2024-06-07T14:40:25Z", + "generation": 2, + "labels": { + "uds/generated": "IntraNamespace", + "uds/generation": "1", + "uds/package": "prometheus-stack" + }, + "name": "allow-prometheus-stack-egress-all-pods-intranamespace", + "namespace": "monitoring", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "prometheus-stack", + "uid": "ff51ba04-5590-4945-8ec5-1965bdbcdb76" + } + ], + "resourceVersion": "174965", + "uid": "fb903f70-76fc-436b-9e93-43e7608fee4e" + }, + "spec": { + "egress": [ + { + "to": [ + { + "podSelector": {} + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "creationTimestamp": "2024-06-07T14:40:25Z", + "generation": 2, + "labels": { + "uds/generated": "KubeAPI", + "uds/generation": "1", + "uds/package": "prometheus-stack" + }, + "name": "allow-prometheus-stack-egress-kube-prometheus-stack-operator-kubeapi", + "namespace": "monitoring", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "prometheus-stack", + "uid": "ff51ba04-5590-4945-8ec5-1965bdbcdb76" + } + ], + "resourceVersion": "174966", + "uid": "671f5b00-ac45-4814-a922-0390dcaaaedf" + }, + "spec": { + "egress": [ + { + "to": [ + { + "ipBlock": { + "cidr": "172.19.0.3/32" + } + }, + { + "ipBlock": { + "cidr": "10.43.0.1/32" + } + } + ] + } + ], + "podSelector": { + "matchLabels": { + "app": "kube-prometheus-stack-operator" + } + }, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "creationTimestamp": "2024-06-07T14:40:25Z", + "generation": 2, + "labels": { + "uds/generated": "KubeAPI", + "uds/generation": "1", + "uds/package": "prometheus-stack" + }, + "name": "allow-prometheus-stack-egress-prometheus-kubeapi", + "namespace": "monitoring", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "prometheus-stack", + "uid": "ff51ba04-5590-4945-8ec5-1965bdbcdb76" + } + ], + "resourceVersion": "174967", + "uid": "3cb1b9bd-6ba0-4c2b-ab71-2aafa3292366" + }, + "spec": { + "egress": [ + { + "to": [ + { + "ipBlock": { + "cidr": "172.19.0.3/32" + } + }, + { + "ipBlock": { + "cidr": "10.43.0.1/32" + } + } + ] + } + ], + "podSelector": { + "matchLabels": { + "app": "prometheus" + } + }, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "creationTimestamp": "2024-06-07T14:40:25Z", + "generation": 2, + "labels": { + "uds/generated": "KubeAPI", + "uds/generation": "1", + "uds/package": "prometheus-stack" + }, + "name": "allow-prometheus-stack-egress-kube-state-metrics-kubeapi", + "namespace": "monitoring", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "prometheus-stack", + "uid": "ff51ba04-5590-4945-8ec5-1965bdbcdb76" + } + ], + "resourceVersion": "174968", + "uid": "e2b32f01-9cf0-42ab-8682-531e3832a14f" + }, + "spec": { + "egress": [ + { + "to": [ + { + "ipBlock": { + "cidr": "172.19.0.3/32" + } + }, + { + "ipBlock": { + "cidr": "10.43.0.1/32" + } + } + ] + } + ], + "podSelector": { + "matchLabels": { + "app.kubernetes.io/name": "kube-state-metrics" + } + }, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "creationTimestamp": "2024-06-07T14:40:25Z", + "generation": 2, + "labels": { + "uds/generated": "KubeAPI", + "uds/generation": "1", + "uds/package": "prometheus-stack" + }, + "name": "allow-prometheus-stack-egress-kube-prometheus-stack-admission-create-kubeapi", + "namespace": "monitoring", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "prometheus-stack", + "uid": "ff51ba04-5590-4945-8ec5-1965bdbcdb76" + } + ], + "resourceVersion": "174969", + "uid": "5aa261c9-7e7f-4635-8c2f-6bd5e4c146f3" + }, + "spec": { + "egress": [ + { + "to": [ + { + "ipBlock": { + "cidr": "172.19.0.3/32" + } + }, + { + "ipBlock": { + "cidr": "10.43.0.1/32" + } + } + ] + } + ], + "podSelector": { + "matchLabels": { + "app": "kube-prometheus-stack-admission-create" + } + }, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "creationTimestamp": "2024-06-07T14:40:25Z", + "generation": 2, + "labels": { + "uds/generated": "KubeAPI", + "uds/generation": "1", + "uds/package": "prometheus-stack" + }, + "name": "allow-prometheus-stack-egress-kube-prometheus-stack-admission-patch-kubeapi", + "namespace": "monitoring", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "prometheus-stack", + "uid": "ff51ba04-5590-4945-8ec5-1965bdbcdb76" + } + ], + "resourceVersion": "174970", + "uid": "ef7e2fc4-ce21-424a-bfab-0c5f6f73005e" + }, + "spec": { + "egress": [ + { + "to": [ + { + "ipBlock": { + "cidr": "172.19.0.3/32" + } + }, + { + "ipBlock": { + "cidr": "10.43.0.1/32" + } + } + ] + } + ], + "podSelector": { + "matchLabels": { + "app": "kube-prometheus-stack-admission-patch" + } + }, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "Metrics Scraping" + }, + "creationTimestamp": "2024-06-07T14:40:25Z", + "generation": 2, + "labels": { + "uds/generation": "1", + "uds/package": "prometheus-stack" + }, + "name": "allow-prometheus-stack-egress-metrics-scraping", + "namespace": "monitoring", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "prometheus-stack", + "uid": "ff51ba04-5590-4945-8ec5-1965bdbcdb76" + } + ], + "resourceVersion": "174971", + "uid": "8cd1ad66-b953-4656-8f28-ccd27505424a" + }, + "spec": { + "egress": [ + { + "to": [ + { + "namespaceSelector": {} + } + ] + } + ], + "podSelector": { + "matchLabels": { + "app.kubernetes.io/name": "prometheus" + } + }, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "creationTimestamp": "2024-06-07T14:41:05Z", + "generation": 2, + "labels": { + "uds/generation": "1", + "uds/package": "promtail" + }, + "name": "deny-promtail-default", + "namespace": "promtail", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "promtail", + "uid": "1e35a512-9c9c-47a8-877e-272d87932866" + } + ], + "resourceVersion": "174975", + "uid": "8574f041-8228-4288-a54c-e577703e7130" + }, + "spec": { + "podSelector": {}, + "policyTypes": [ + "Ingress", + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "creationTimestamp": "2024-06-07T14:41:05Z", + "generation": 2, + "labels": { + "uds/generated": "KubeAPI", + "uds/generation": "1", + "uds/package": "promtail" + }, + "name": "allow-promtail-egress-all-pods-kubeapi", + "namespace": "promtail", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "promtail", + "uid": "1e35a512-9c9c-47a8-877e-272d87932866" + } + ], + "resourceVersion": "174976", + "uid": "2887cd8d-acdf-4c98-b5c3-c7759d2cf770" + }, + "spec": { + "egress": [ + { + "to": [ + { + "ipBlock": { + "cidr": "172.19.0.3/32" + } + }, + { + "ipBlock": { + "cidr": "10.43.0.1/32" + } + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "creationTimestamp": "2024-06-07T14:42:14Z", + "generation": 2, + "labels": { + "uds/generation": "1", + "uds/package": "authservice" + }, + "name": "deny-authservice-default", + "namespace": "authservice", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "authservice", + "uid": "046a178c-e731-44d8-a487-e424f8034789" + } + ], + "resourceVersion": "174989", + "uid": "df70aa97-b5a9-47c8-bb9e-4280549525ac" + }, + "spec": { + "podSelector": {}, + "policyTypes": [ + "Ingress", + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "creationTimestamp": "2024-06-07T14:42:14Z", + "generation": 2, + "labels": { + "uds/generated": "IntraNamespace", + "uds/generation": "1", + "uds/package": "authservice" + }, + "name": "allow-authservice-ingress-all-pods-intranamespace", + "namespace": "authservice", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "authservice", + "uid": "046a178c-e731-44d8-a487-e424f8034789" + } + ], + "resourceVersion": "174990", + "uid": "28d4089f-be25-4c88-bb45-f45f39d44382" + }, + "spec": { + "ingress": [ + { + "from": [ + { + "podSelector": {} + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Ingress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "creationTimestamp": "2024-06-07T14:42:14Z", + "generation": 2, + "labels": { + "uds/generated": "IntraNamespace", + "uds/generation": "1", + "uds/package": "authservice" + }, + "name": "allow-authservice-egress-all-pods-intranamespace", + "namespace": "authservice", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "authservice", + "uid": "046a178c-e731-44d8-a487-e424f8034789" + } + ], + "resourceVersion": "174991", + "uid": "df4fcfe9-6685-424e-9e26-cc82c6a87b06" + }, + "spec": { + "egress": [ + { + "to": [ + { + "podSelector": {} + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "SSO Provider" + }, + "creationTimestamp": "2024-06-07T14:42:14Z", + "generation": 2, + "labels": { + "uds/generated": "Anywhere", + "uds/generation": "1", + "uds/package": "authservice" + }, + "name": "allow-authservice-egress-sso-provider", + "namespace": "authservice", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "authservice", + "uid": "046a178c-e731-44d8-a487-e424f8034789" + } + ], + "resourceVersion": "174992", + "uid": "4afdf83f-9eef-489c-81b1-7757e0e50f5d" + }, + "spec": { + "egress": [ + { + "to": [ + { + "ipBlock": { + "cidr": "0.0.0.0/0", + "except": [ + "169.254.169.254/32" + ] + } + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "creationTimestamp": "2024-06-07T14:42:39Z", + "generation": 2, + "labels": { + "uds/generation": "1", + "uds/package": "velero" + }, + "name": "deny-velero-default", + "namespace": "velero", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "velero", + "uid": "acf82b1d-57d0-47ce-8880-e54543180a04" + } + ], + "resourceVersion": "174995", + "uid": "54a38b70-38b9-41f1-b6c4-1d12a2c9723d" + }, + "spec": { + "podSelector": {}, + "policyTypes": [ + "Ingress", + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "creationTimestamp": "2024-06-07T14:42:39Z", + "generation": 2, + "labels": { + "uds/generated": "Anywhere", + "uds/generation": "1", + "uds/package": "velero" + }, + "name": "allow-velero-egress-velero-anywhere", + "namespace": "velero", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "velero", + "uid": "acf82b1d-57d0-47ce-8880-e54543180a04" + } + ], + "resourceVersion": "174996", + "uid": "0cfec493-e5a0-4cd1-b7b1-89bb302a9d9b" + }, + "spec": { + "egress": [ + { + "to": [ + { + "ipBlock": { + "cidr": "0.0.0.0/0", + "except": [ + "169.254.169.254/32" + ] + } + } + ] + } + ], + "podSelector": { + "matchLabels": { + "app.kubernetes.io/name": "velero" + } + }, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "creationTimestamp": "2024-06-07T14:42:39Z", + "generation": 2, + "labels": { + "uds/generated": "KubeAPI", + "uds/generation": "1", + "uds/package": "velero" + }, + "name": "allow-velero-egress-velero-upgrade-crds-kubeapi", + "namespace": "velero", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "velero", + "uid": "acf82b1d-57d0-47ce-8880-e54543180a04" + } + ], + "resourceVersion": "174997", + "uid": "ac8647b6-053b-428b-a131-e091c3fc4af5" + }, + "spec": { + "egress": [ + { + "to": [ + { + "ipBlock": { + "cidr": "172.19.0.3/32" + } + }, + { + "ipBlock": { + "cidr": "10.43.0.1/32" + } + } + ] + } + ], + "podSelector": { + "matchLabels": { + "batch.kubernetes.io/job-name": "velero-upgrade-crds" + } + }, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "creationTimestamp": "2024-06-07T14:38:19Z", + "generation": 74, + "labels": { + "uds/generation": "1", + "uds/package": "neuvector" + }, + "name": "deny-neuvector-default", + "namespace": "neuvector", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "neuvector", + "uid": "91b75744-bd1b-497b-8875-2a258d8b23cc" + } + ], + "resourceVersion": "176365", + "uid": "e76d1965-d0c9-41df-8e13-b662157680cc" + }, + "spec": { + "podSelector": {}, + "policyTypes": [ + "Ingress", + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "creationTimestamp": "2024-06-07T14:38:19Z", + "generation": 74, + "labels": { + "uds/generated": "IntraNamespace", + "uds/generation": "1", + "uds/package": "neuvector" + }, + "name": "allow-neuvector-ingress-all-pods-intranamespace", + "namespace": "neuvector", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "neuvector", + "uid": "91b75744-bd1b-497b-8875-2a258d8b23cc" + } + ], + "resourceVersion": "176366", + "uid": "1a5a1afd-d18c-4bdf-aaa1-71000047dfc7" + }, + "spec": { + "ingress": [ + { + "from": [ + { + "podSelector": {} + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Ingress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "creationTimestamp": "2024-06-07T14:38:19Z", + "generation": 74, + "labels": { + "uds/generated": "IntraNamespace", + "uds/generation": "1", + "uds/package": "neuvector" + }, + "name": "allow-neuvector-egress-all-pods-intranamespace", + "namespace": "neuvector", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "neuvector", + "uid": "91b75744-bd1b-497b-8875-2a258d8b23cc" + } + ], + "resourceVersion": "176367", + "uid": "810c1d2e-76a7-4313-9694-983eee61aaae" + }, + "spec": { + "egress": [ + { + "to": [ + { + "podSelector": {} + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "creationTimestamp": "2024-06-07T14:38:19Z", + "generation": 74, + "labels": { + "uds/generated": "KubeAPI", + "uds/generation": "1", + "uds/package": "neuvector" + }, + "name": "allow-neuvector-egress-neuvector-controller-pod-kubeapi", + "namespace": "neuvector", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "neuvector", + "uid": "91b75744-bd1b-497b-8875-2a258d8b23cc" + } + ], + "resourceVersion": "176368", + "uid": "0c813cba-4a96-475b-8034-5b98078de1b2" + }, + "spec": { + "egress": [ + { + "to": [ + { + "ipBlock": { + "cidr": "172.19.0.3/32" + } + }, + { + "ipBlock": { + "cidr": "10.43.0.1/32" + } + } + ] + } + ], + "podSelector": { + "matchLabels": { + "app": "neuvector-controller-pod" + } + }, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "creationTimestamp": "2024-06-07T14:38:19Z", + "generation": 74, + "labels": { + "uds/generated": "Anywhere", + "uds/generation": "1", + "uds/package": "neuvector" + }, + "name": "allow-neuvector-egress-neuvector-controller-pod-anywhere", + "namespace": "neuvector", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "neuvector", + "uid": "91b75744-bd1b-497b-8875-2a258d8b23cc" + } + ], + "resourceVersion": "176369", + "uid": "e5155b3d-542d-4093-8eba-cfa7ab19421b" + }, + "spec": { + "egress": [ + { + "to": [ + { + "ipBlock": { + "cidr": "0.0.0.0/0", + "except": [ + "169.254.169.254/32" + ] + } + } + ] + } + ], + "podSelector": { + "matchLabels": { + "app": "neuvector-controller-pod" + } + }, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "creationTimestamp": "2024-06-07T14:38:19Z", + "generation": 74, + "labels": { + "uds/generated": "KubeAPI", + "uds/generation": "1", + "uds/package": "neuvector" + }, + "name": "allow-neuvector-egress-neuvector-updater-pod-kubeapi", + "namespace": "neuvector", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "neuvector", + "uid": "91b75744-bd1b-497b-8875-2a258d8b23cc" + } + ], + "resourceVersion": "176370", + "uid": "7b5cc5bf-f7c5-4116-927b-69abb95da536" + }, + "spec": { + "egress": [ + { + "to": [ + { + "ipBlock": { + "cidr": "172.19.0.3/32" + } + }, + { + "ipBlock": { + "cidr": "10.43.0.1/32" + } + } + ] + } + ], + "podSelector": { + "matchLabels": { + "app": "neuvector-updater-pod" + } + }, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "creationTimestamp": "2024-06-07T14:38:19Z", + "generation": 74, + "labels": { + "uds/generated": "KubeAPI", + "uds/generation": "1", + "uds/package": "neuvector" + }, + "name": "allow-neuvector-egress-neuvector-enforcer-pod-kubeapi", + "namespace": "neuvector", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "neuvector", + "uid": "91b75744-bd1b-497b-8875-2a258d8b23cc" + } + ], + "resourceVersion": "176371", + "uid": "6e0b20e1-921a-491e-a2df-ceae75737076" + }, + "spec": { + "egress": [ + { + "to": [ + { + "ipBlock": { + "cidr": "172.19.0.3/32" + } + }, + { + "ipBlock": { + "cidr": "10.43.0.1/32" + } + } + ] + } + ], + "podSelector": { + "matchLabels": { + "app": "neuvector-enforcer-pod" + } + }, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "creationTimestamp": "2024-06-07T14:41:43Z", + "generation": 71, + "labels": { + "uds/generation": "1", + "uds/package": "grafana" + }, + "name": "deny-grafana-default", + "namespace": "grafana", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "grafana", + "uid": "eb4ad385-6506-4881-99b3-b133f70c83ec" + } + ], + "resourceVersion": "176431", + "uid": "fc4c1fb4-9469-4c34-bd5e-23ba883a50e8" + }, + "spec": { + "podSelector": {}, + "policyTypes": [ + "Ingress", + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "creationTimestamp": "2024-06-07T14:41:43Z", + "generation": 71, + "labels": { + "uds/generated": "Anywhere", + "uds/generation": "1", + "uds/package": "grafana" + }, + "name": "allow-grafana-egress-grafana-anywhere", + "namespace": "grafana", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "grafana", + "uid": "eb4ad385-6506-4881-99b3-b133f70c83ec" + } + ], + "resourceVersion": "176432", + "uid": "2dc9ff63-bd48-4121-839c-bf221476f59b" + }, + "spec": { + "egress": [ + { + "to": [ + { + "ipBlock": { + "cidr": "0.0.0.0/0", + "except": [ + "169.254.169.254/32" + ] + } + } + ] + } + ], + "podSelector": { + "matchLabels": { + "app.kubernetes.io/name": "grafana" + } + }, + "policyTypes": [ + "Egress" + ] + } + } + ] +} \ No newline at end of file diff --git a/compliance/validations/istio/secure-communication-with-istiod/tests.yaml b/compliance/validations/istio/secure-communication-with-istiod/tests.yaml new file mode 100644 index 000000000..2948c4bed --- /dev/null +++ b/compliance/validations/istio/secure-communication-with-istiod/tests.yaml @@ -0,0 +1,25 @@ +pass: + - test: default + validation: validation.yaml + resources: resources.json + expected-validation: true + - test: remove-istio-egress-on-metrics-server + validation: validation.yaml + resources: resources.json + permutation: '(.networkPolicies[] | select(.metadata.name == "allow-metrics-server-egress-istiod-communication") | .spec.egress) |= map(select(.to | any(.podSelector | select(.matchLabels.istio != "pilot"))))' + expected-validation: false + - test: change-egress-port-on-metrics-server + validation: validation.yaml + resources: resources.json + permutation: '(.networkPolicies[] | select(.metadata.name == "allow-metrics-server-egress-istiod-communication") | .spec.egress[].ports[] | select(.port == 15012) | .port) |= 1000' + expected-validation: false + - test: change-egress-protocol-on-metrics-server + validation: validation.yaml + resources: resources.json + permutation: '(.networkPolicies[] | select(.metadata.name == "allow-metrics-server-egress-istiod-communication") | .spec.egress[].ports[] | select(.port == 15012) | .protocol) |= "HTTP"' + expected-validation: false + - test: add-disallowed-egress-to-istiod + validation: validation.yaml + resources: resources.json + permutation: '.networkPolicies += [{"kind": "NetworkPolicy", "metadata": {"name": "istiod-egress", "namespace": "not-allowed-netpol"}, "spec": {"egress": [{"ports": [{"port": 15012, "protocol": "TCP"}], "to": [{"podSelector": {"matchLabels": {"istio": "pilot"}}}]}]}}]' + expected-validation: false diff --git a/compliance/validations/istio/secure-communication-with-istiod/validation.yaml b/compliance/validations/istio/secure-communication-with-istiod/validation.yaml new file mode 100644 index 000000000..dd2360545 --- /dev/null +++ b/compliance/validations/istio/secure-communication-with-istiod/validation.yaml @@ -0,0 +1,67 @@ +metadata: + name: secure-communication-with-istiod + uuid: 570e2dc7-e6c2-4ad5-8ea3-f07974f59747 +domain: + type: kubernetes + kubernetes-spec: + resources: + - name: networkPolicies + resource-rule: + group: networking.k8s.io + resource: networkpolicies + namespaces: [] + version: v1 +provider: + type: opa + opa-spec: + rego: | + package validate + import rego.v1 + + # Default values + default validate := false + default msg := "Not evaluated" + + # Expected values + expected_istiod_port := 15012 + expected_istiod_protocol := "TCP" + required_namespaces := {"authservice", "grafana", "keycloak", "loki", "metrics-server", "monitoring", "neuvector", "vector", "velero", "uds-runtime"} + + # Validate NetworkPolicy for Istiod in required namespaces + validate if { + check_netpol_config_correct.result + } + + msg = check_netpol_config_correct.msg + msg_expected_istiod = sprintf("Expected Istiod port: %v, protocol: %v.", [expected_istiod_port, expected_istiod_protocol]) + msg_required_namespaces = concat(", ", required_namespaces) + + check_netpol_config_correct = {"result": true, "msg": msg} if { + required_namespaces == correct_istiod_namespaces + msg := "NetworkPolicies correctly configured for istiod in required namespaces." + } else = {"result": false, "msg": msg} if { + count(required_namespaces-correct_istiod_namespaces) > 0 + msg := sprintf("NetworkPolicies not correctly configured for istiod egress in namespaces: %v.", [concat(", ", (required_namespaces-correct_istiod_namespaces))]) + } else = {"result": false, "msg": msg} if { + count(correct_istiod_namespaces-required_namespaces) > 0 + msg := sprintf("NetworkPolicies configured for istiod egress in improper namespaces: %v.", [concat(", ", (correct_istiod_namespaces-required_namespaces))]) + } + + # Helper to find correct NetworkPolicies + correct_istiod_policies = {policy | + policy := input.networkPolicies[_] + policy.spec.egress[_].to[_].podSelector.matchLabels["istio"] == "pilot" + policy.spec.egress[_].ports[_].port == expected_istiod_port + policy.spec.egress[_].ports[_].protocol == expected_istiod_protocol + } + + # Helper to extract namespaces of correct NetworkPolicies + correct_istiod_namespaces = {policy.metadata.namespace | + policy := correct_istiod_policies[_] + } + output: + validation: validate.validate + observations: + - validate.msg + - validate.msg_expected_istiod + - validate.msg_required_namespaces diff --git a/compliance/validations/istio/tls-origination-at-egress/README.md b/compliance/validations/istio/tls-origination-at-egress/README.md new file mode 100644 index 000000000..c2b65a62e --- /dev/null +++ b/compliance/validations/istio/tls-origination-at-egress/README.md @@ -0,0 +1,9 @@ +# README.md + +**NAME** - tls-origination-at-egress-PLACEHOLDER + +**INPUT** - This validation currently does not collect any resources. + +**POLICY** - This policy is a placeholder for checking TLS origination at egress. + +**NOTES** - The policy needs to be updated to include the necessary resources and logic to check for TLS origination at egress. \ No newline at end of file diff --git a/compliance/validations/istio/tls-origination-at-egress/validation.yaml b/compliance/validations/istio/tls-origination-at-egress/validation.yaml new file mode 100644 index 000000000..65e6d7ca0 --- /dev/null +++ b/compliance/validations/istio/tls-origination-at-egress/validation.yaml @@ -0,0 +1,17 @@ +metadata: + name: tls-origination-at-egress-PLACEHOLDER + uuid: 8be1601e-5870-4573-ab4f-c1c199944815 +domain: + type: kubernetes + kubernetes-spec: + resources: [] +provider: + type: opa + opa-spec: + rego: | + package validate + + default validate := false + + # How to prove TLS origination is configured at egress + # DestinationRule? diff --git a/compliance/validations/istio/tracing-logging-support/README.md b/compliance/validations/istio/tracing-logging-support/README.md new file mode 100644 index 000000000..e1cb56f8d --- /dev/null +++ b/compliance/validations/istio/tracing-logging-support/README.md @@ -0,0 +1,9 @@ +# README.md + +**NAME** - istio-tracing-logging-support + +**INPUT** - This validation collects the "istioConfig" configmap from the "istio-system" namespace. + +**POLICY** - This policy checks that tracing logging is supported in the Istio configuration, specifically by verifying that the "defaultConfig.tracing" is not null and "zipkin.address" field is not empty. + +**NOTES** - Ensure that the Istio ConfigMap is correctly specified in the policy. The policy will fail if tracing logging is not supported in the Istio configuration. \ No newline at end of file diff --git a/compliance/validations/istio/tracing-logging-support/resources.json b/compliance/validations/istio/tracing-logging-support/resources.json new file mode 100644 index 000000000..40e61987a --- /dev/null +++ b/compliance/validations/istio/tracing-logging-support/resources.json @@ -0,0 +1,23 @@ +{ + "istioConfig": { + "accessLogFile": "/dev/stdout", + "defaultConfig": { + "discoveryAddress": "istiod.istio-system.svc:15012", + "gatewayTopology": { + "forwardClientCertDetails": "SANITIZE" + }, + "holdApplicationUntilProxyStarts": true + }, + "defaultProviders": { + "metrics": [ + "prometheus" + ] + }, + "enablePrometheusMerge": true, + "pathNormalization": { + "normalization": "MERGE_SLASHES" + }, + "rootNamespace": "istio-system", + "trustDomain": "cluster.local" + } +} \ No newline at end of file diff --git a/compliance/validations/istio/tracing-logging-support/tests.yaml b/compliance/validations/istio/tracing-logging-support/tests.yaml new file mode 100644 index 000000000..d3afbb1bd --- /dev/null +++ b/compliance/validations/istio/tracing-logging-support/tests.yaml @@ -0,0 +1,10 @@ +pass: + - test: default + validation: validation.yaml + resources: resources.json + expected-validation: false + - test: add-tracing + validation: validation.yaml + resources: resources.json + permutation: '(.istioConfig.defaultConfig.tracing.zipkin.address) |= "zipkin.istio-system.svc.cluster.local:9411"' + expected-validation: true diff --git a/compliance/validations/istio/tracing-logging-support/validation.yaml b/compliance/validations/istio/tracing-logging-support/validation.yaml new file mode 100644 index 000000000..610ea8f30 --- /dev/null +++ b/compliance/validations/istio/tracing-logging-support/validation.yaml @@ -0,0 +1,45 @@ +metadata: + name: istio-tracing-logging-support + uuid: f346b797-be35-40a8-a93a-585db6fd56ec +domain: + type: kubernetes + kubernetes-spec: + resources: + - name: istioConfig + resource-rule: + resource: configmaps + namespaces: + - istio-system + version: v1 + name: istio + field: + jsonpath: .data.mesh + type: yaml +provider: + type: opa + opa-spec: + rego: | + package validate + import rego.v1 + + # Default policy result + default validate := false + default msg := "Not evaluated" + + # Validate Istio configuration for event logging support + validate if { + check_tracing_enabled.result + } + msg = check_tracing_enabled.msg + + check_tracing_enabled = { "result": true, "msg": msg } if { + input.istioConfig.defaultConfig.tracing != null + input.istioConfig.defaultConfig.tracing.zipkin.address != "" + msg := "Tracing logging supported." + } else = { "result": false, "msg": msg } if { + msg := "Tracing logging not supported." + } + output: + validation: validate.validate + observations: + - validate.msg diff --git a/src/istio/oscal-component.yaml b/src/istio/oscal-component.yaml index 6829f34b9..8cb61f754 100644 --- a/src/istio/oscal-component.yaml +++ b/src/istio/oscal-component.yaml @@ -2,1394 +2,328 @@ # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial component-definition: - back-matter: - resources: - - rlinks: - - href: https://github.com/istio/istio/ - title: Istio Operator - uuid: 60826461-D279-468C-9E4B-614FAC44A306 - - description: | - domain: - kubernetes-spec: - create-resources: null - resources: - - description: "" - name: istioMeshConfig - resource-rule: - field: - base64: false - jsonpath: .data.mesh - type: yaml - group: "" - name: istio - namespaces: - - istio-system - resource: configmaps - version: v1 - type: kubernetes - lula-version: "" - metadata: - name: check-istio-logging-all-traffic - uuid: 90738c86-6315-450a-ac69-cc50eb4859cc - provider: - opa-spec: - output: - observations: - - validate.msg - validation: validate.validate - rego: | - package validate - - # Default policy result - default validate = false - default msg = "Logging not enabled or configured" - - # Check if Istio's Mesh Configuration has logging enabled - validate { - logging_enabled.result - } - - msg = logging_enabled.msg - - logging_enabled = {"result": true, "msg": msg} { - # Check for access log file output to stdout - input.istioMeshConfig.accessLogFile == "/dev/stdout" - msg := "Istio is logging all traffic" - } else = {"result": false, "msg": msg} { - msg := "Istio is not logging all traffic" - } - type: opa - title: check-istio-logging-all-traffic - uuid: 90738c86-6315-450a-ac69-cc50eb4859cc - - description: | - domain: - kubernetes-spec: - create-resources: null - resources: - - description: "" - name: pods - resource-rule: - group: "" - name: "" - namespaces: [] - resource: pods - version: v1 - type: kubernetes - lula-version: "" - metadata: - name: istio-prometheus-annotations-validation - uuid: f345c359-3208-46fb-9348-959bd628301e - provider: - opa-spec: - output: - observations: - - validate.msg - - validate.exempt_namespaces_msg - validation: validate.validate - rego: | - package validate - import future.keywords.in - - # Default policy result - default validate = false - default msg = "Not evaluated" - - # Check for required Istio and Prometheus annotations - validate { - has_prometheus_annotation.result - } - msg = has_prometheus_annotation.msg - - # Check for prometheus annotations in pod spec - no_annotation = [sprintf("%s/%s", [pod.metadata.namespace, pod.metadata.name]) | pod := input.pods[_]; not contains_annotation(pod); not is_exempt(pod)] - - has_prometheus_annotation = {"result": true, "msg": msg} { - count(no_annotation) == 0 - msg := "All pods have correct prometheus annotations." - } else = {"result": false, "msg": msg} { - msg := sprintf("Prometheus annotations not found in pods: %s.", [concat(", ", no_annotation)]) - } - - contains_annotation(pod) { - annotations := pod.metadata.annotations - annotations["prometheus.io/scrape"] == "true" - annotations["prometheus.io/path"] != "" - annotations["prometheus.io/port"] == "15020" - } - - # Exemptions - exempt_namespaces = {"kube-system", "istio-system", "uds-dev-stack", "zarf"} - exempt_namespaces_msg = sprintf("Exempted Namespaces: %s", [concat(", ", exempt_namespaces)]) - is_exempt(pod) { - pod.metadata.namespace in exempt_namespaces - } - type: opa - title: istio-prometheus-annotations-validation - uuid: f345c359-3208-46fb-9348-959bd628301e - - description: | - domain: - kubernetes-spec: - create-resources: null - resources: - - description: "" - name: pods - resource-rule: - group: "" - name: "" - namespaces: [] - resource: pods - version: v1 - type: kubernetes - lula-version: "" - metadata: - name: all-pods-istio-injected - uuid: 1761ac07-80dd-47d2-947e-09f67943b986 - provider: - opa-spec: - output: - observations: - - validate.msg - - validate.exempt_namespaces_msg - validation: validate.validate - rego: | - package validate - import rego.v1 - - # Default policy result - default validate := false - default msg := "Not evaluated" - - exempt_namespaces := {"kube-system", "istio-system", "uds-dev-stack", "zarf", "istio-admin-gateway", "istio-tenant-gateway", "istio-passthrough-gateway"} - exempt_namespaces_msg = sprintf("Exempted Namespaces: %s", [concat(", ", exempt_namespaces)]) - - validate if { - has_istio_sidecar.result - } - msg = has_istio_sidecar.msg - - # Check for sidecar and init containers in pod spec - no_sidecar = [sprintf("%s/%s", [pod.metadata.namespace, pod.metadata.name]) | pod := input.pods[_]; not has_sidecar(pod); not is_exempt(pod)] - - has_istio_sidecar = {"result": true, "msg": msg} if { - count(no_sidecar) == 0 - msg := "All pods have Istio sidecar proxy." - } else = {"result": false, "msg": msg} if { - msg := sprintf("Istio sidecar proxy not found in pods: %s.", [concat(", ", no_sidecar)]) - } - - has_sidecar(pod) if { - status := pod.metadata.annotations["sidecar.istio.io/status"] - containers := json.unmarshal(status).containers - initContainers := json.unmarshal(status).initContainers - - has_container_name(pod.spec.containers, containers) - has_container_name(pod.spec.initContainers, initContainers) - } else = false - - has_container_name(containers, names) if { - container := containers[_] - container.name in names - } - - is_exempt(pod) if { - pod.metadata.namespace in exempt_namespaces - } - type: opa - title: all-pods-istio-injected - uuid: 1761ac07-80dd-47d2-947e-09f67943b986 - - description: | - domain: - kubernetes-spec: - create-resources: null - resources: - - description: "" - name: adminGateway - resource-rule: - group: networking.istio.io - name: admin-gateway - namespaces: - - istio-admin-gateway - resource: gateways - version: v1beta1 - - description: "" - name: virtualServices - resource-rule: - group: networking.istio.io - name: "" - namespaces: [] - resource: virtualservices - version: v1beta1 - type: kubernetes - lula-version: "" - metadata: - name: check-istio-admin-gateway-and-usage - uuid: c6c9daf1-4196-406d-8679-312c0512ab2e - provider: - opa-spec: - output: - observations: - - validate.msg - validation: validate.validate - rego: | - package validate - - # Expected admin gateway details - expected_gateway := "admin-gateway" - expected_gateway_namespace := "istio-admin-gateway" - expected_ns_name := sprintf("%s/%s", [expected_gateway_namespace, expected_gateway]) - - # Default policy result - default validate = false - default admin_gw_exists = false - default admin_vs_match = false - default msg = "Not evaluated" - - validate { - result_admin_gw_exixts.result - result_admin_vs_match.result - } - - msg = concat(" ", [result_admin_gw_exixts.msg, result_admin_vs_match.msg]) - - result_admin_gw_exixts = {"result": true, "msg": msg} { - input.adminGateway.kind == "Gateway" - input.adminGateway.metadata.name == expected_gateway - input.adminGateway.metadata.namespace == expected_gateway_namespace - msg := "Admin gateway exists." - } else = {"result": false, "msg": msg} { - msg := "Admin gateway does not exist." - } - - result_admin_vs_match = {"result": true, "msg": msg}{ - count(admin_vs-admin_vs_using_gateway) == 0 - count(all_vs_using_gateway-admin_vs_using_gateway) == 0 - msg := "Admin virtual services are using admin gateway." - } else = {"result": false, "msg": msg} { - msg := sprintf("Mismatch of admin virtual services using gateway. Admin VS not using GW: %s. Non-Admin VS using gateway: %s.", [concat(", ", admin_vs-admin_vs_using_gateway), concat(", ", all_vs_using_gateway-admin_vs_using_gateway)]) - } - - # Count admin virtual services - admin_vs := {adminVs.metadata.name | adminVs := input.virtualServices[_]; adminVs.kind == "VirtualService"; contains(adminVs.metadata.name, "admin")} - - # Count admin VirtualServices correctly using the admin gateway (given by vs name containing "admin") - admin_vs_using_gateway := {adminVs.metadata.name | adminVs := input.virtualServices[_]; adminVs.kind == "VirtualService"; contains(adminVs.metadata.name, "admin"); adminVs.spec.gateways[_] == expected_ns_name} - - # Count all VirtualServices using the admin gateway - all_vs_using_gateway := {vs.metadata.name | vs := input.virtualServices[_]; vs.kind == "VirtualService"; vs.spec.gateways[_] == expected_ns_name} - type: opa - title: check-istio-admin-gateway-and-usage - uuid: c6c9daf1-4196-406d-8679-312c0512ab2e - - description: | - domain: - kubernetes-spec: - create-resources: null - resources: - - description: "" - name: istioConfig - resource-rule: - field: - base64: false - jsonpath: .data.mesh - type: yaml - group: "" - name: istio - namespaces: - - istio-system - resource: configmaps - version: v1 - type: kubernetes - lula-version: "" - metadata: - name: istio-metrics-logging-configured - uuid: 70d99754-2918-400c-ac9a-319f874fff90 - provider: - opa-spec: - output: - observations: - - validate.msg - validation: validate.validate - rego: | - package validate - - # Default policy result - default validate = false - default msg = "Not evaluated" - - # Validate Istio configuration for metrics logging support - validate { - check_metrics_enabled.result - } - msg = check_metrics_enabled.msg - - check_metrics_enabled = { "result": false, "msg": msg } { - input.istioConfig.enablePrometheusMerge == false - msg := "Metrics logging not supported." - } else = { "result": true, "msg": msg } { - msg := "Metrics logging supported." - } - type: opa - title: istio-metrics-logging-configured - uuid: 70d99754-2918-400c-ac9a-319f874fff90 - - description: | - lula-version: "" - metadata: - name: communications-terminated-after-inactivity-PLACEHOLDER - uuid: 663f5e92-6db4-4042-8b5a-eba3ebe5a622 - provider: - opa-spec: - rego: | - package validate - validate := false - - # Check on destination rule, outlier detection? - # -> Doesn't appear that UDS is configured to create destination rules. - type: opa - title: communications-terminated-after-inactivity-PLACEHOLDER - uuid: 663f5e92-6db4-4042-8b5a-eba3ebe5a622 - - description: | - lula-version: "" - metadata: - name: tls-origination-at-egress-PLACEHOLDER - uuid: 8be1601e-5870-4573-ab4f-c1c199944815 - provider: - opa-spec: - rego: | - package validate - default validate := false - # How to prove TLS origination is configured at egress - # DestinationRule? - type: opa - title: tls-origination-at-egress-PLACEHOLDER - uuid: 8be1601e-5870-4573-ab4f-c1c199944815 - - description: | - lula-version: "" - metadata: - name: fips-evaluation-PLACEHOLDER - uuid: 73434890-2751-4894-b7b2-7e583b4a8977 - title: fips-evaluation-PLACEHOLDER - uuid: 73434890-2751-4894-b7b2-7e583b4a8977 - - description: | - domain: - kubernetes-spec: - create-resources: null - resources: - - description: "" - name: authorizationPolicy - resource-rule: - group: security.istio.io - name: keycloak-block-admin-access-from-public-gateway - namespaces: - - keycloak - resource: authorizationpolicies - version: v1beta1 - type: kubernetes - lula-version: "" - metadata: - name: istio-enforces-authorized-keycloak-access - uuid: fbd877c8-d6b6-4d88-8685-2c4aaaab02a1 - provider: - opa-spec: - output: - observations: - - validate.msg - validation: validate.validate - rego: | - package validate - import rego.v1 - - # Default policy result - default validate := false - default msg := "Not evaluated" - - # Validate both AuthorizationPolicy restricts access to Keycloak admin - validate if { - check_auth_policy_for_keycloak_admin_access.result - } - - msg = check_auth_policy_for_keycloak_admin_access.msg - - check_auth_policy_for_keycloak_admin_access = {"result": true, "msg": msg} if { - input.authorizationPolicy.kind == "AuthorizationPolicy" - valid_auth_policy(input.authorizationPolicy) - msg := "AuthorizationPolicy restricts access to Keycloak admin." - } else = {"result": false, "msg": msg} if { - msg := "AuthorizationPolicy does not restrict access to Keycloak admin." - } - - # Define the rule for denying access - expected_keycloak_admin_denial_rule := { - "from": [ - { - "source": { - "notNamespaces": ["istio-admin-gateway"] - } - } - ], - "to": [ - { - "operation": { - "ports": ["8080"], - "paths": ["/admin*", "/realms/master*"] - } - } - ] - } - - # Validate that the authorization policy contains the expected first rule - valid_auth_policy(ap) if { - ap.spec.action == "DENY" - rules := ap.spec.rules - - # Ensure the expected rule is present in the input policy - some i - rules[i] == expected_keycloak_admin_denial_rule - } - type: opa - title: istio-enforces-authorized-keycloak-access - uuid: fbd877c8-d6b6-4d88-8685-2c4aaaab02a1 - - description: | - domain: - kubernetes-spec: - create-resources: null - resources: - - description: "" - name: istioConfig - resource-rule: - field: - base64: false - jsonpath: .data.mesh - type: yaml - group: "" - name: istio - namespaces: - - istio-system - resource: configmaps - version: v1 - type: kubernetes - lula-version: "" - metadata: - name: istio-tracing-logging-support - uuid: f346b797-be35-40a8-a93a-585db6fd56ec - provider: - opa-spec: - output: - observations: - - validate.msg - validation: validate.validate - rego: | - package validate - - # Default policy result - default validate = false - default msg = "Not evaluated" - - # Validate Istio configuration for event logging support - validate { - check_tracing_enabled.result - } - msg = check_tracing_enabled.msg - - check_tracing_enabled = { "result": true, "msg": msg } { - input.istioConfig.defaultConfig.tracing != null - input.istioConfig.defaultConfig.tracing.zipkin.address != "" - msg := "Tracing logging supported." - } else = { "result": false, "msg": msg } { - msg := "Tracing logging not supported." - } - type: opa - title: istio-tracing-logging-support - uuid: f346b797-be35-40a8-a93a-585db6fd56ec - - description: | - lula-version: "" - metadata: - name: egress-gateway-exists-and-configured-PLACEHOLDER - uuid: ecdb90c7-971a-4442-8f29-a8b0f6076bc9 - title: egress-gateway-exists-and-configured-PLACEHOLDER - uuid: ecdb90c7-971a-4442-8f29-a8b0f6076bc9 - - description: | - domain: - kubernetes-spec: - create-resources: null - resources: - - description: "" - name: networkPolicies - resource-rule: - group: networking.k8s.io - name: "" - namespaces: [] - resource: networkpolicies - version: v1 - type: kubernetes - lula-version: "" - metadata: - name: secure-communication-with-istiod - uuid: 570e2dc7-e6c2-4ad5-8ea3-f07974f59747 - provider: - opa-spec: - output: - observations: - - validate.msg_correct - - validate.msg_incorrect - validation: validate.validate - rego: | - package validate - - # Default policy result - default validate = false - default msg_correct = "Not evaluated" - default msg_incorrect = "Not evaluated" - - # Expected values - expected_istiod_port := 15012 - expected_istiod_protocol := "TCP" - required_namespaces := {"authservice", "grafana", "keycloak", "loki", "metrics-server", "monitoring", "neuvector", "vector", "velero"} - - # Validate NetworkPolicy for Istiod in required namespaces - validate { - count(required_namespaces - correct_istiod_namespaces) == 0 - } - - msg_correct = sprintf("NetworkPolicies correctly configured for istiod in namespaces: %v.", [concat(", ", correct_istiod_namespaces)]) - msg_incorrect = msg { - missing_namespace := required_namespaces - correct_istiod_namespaces - count(missing_namespace) > 0 - msg := sprintf("NetworkPolicies not correctly configured for istiod in namespaces: %v.", [concat(", ", missing_namespace)]) - } else = "No incorrect istiod NetworkPolicies found." - - # Helper to find correct NetworkPolicies - correct_istiod_policies = {policy | - policy := input.networkPolicies[_] - policy.spec.egress[_].to[_].podSelector.matchLabels["istio"] == "pilot" - policy.spec.egress[_].ports[_].port == expected_istiod_port - policy.spec.egress[_].ports[_].protocol == expected_istiod_protocol - } - - # Helper to extract namespaces of correct NetworkPolicies - correct_istiod_namespaces = {policy.metadata.namespace | - policy := correct_istiod_policies[_] - } - type: opa - title: secure-communication-with-istiod - uuid: 570e2dc7-e6c2-4ad5-8ea3-f07974f59747 - - description: | - domain: - kubernetes-spec: - create-resources: null - resources: - - description: "" - name: peerAuths - resource-rule: - group: security.istio.io - name: "" - namespaces: [] - resource: peerauthentications - version: v1beta1 - type: kubernetes - lula-version: "" - metadata: - name: enforce-mtls-strict - uuid: ca49ac97-487a-446a-a0b7-92b20e2c83cb - provider: - opa-spec: - output: - observations: - - validate.msg - validation: validate.validate - rego: | - package validate - - import future.keywords.every - - # Default policy result - default validate = false - default all_strict = false - default msg = "Not evaluated" - - validate { - result_all_strict.result - } - - msg = concat(" ", [result_all_strict.msg]) - - # Rego policy logic to evaluate if all PeerAuthentications have mtls mode set to STRICT - result_all_strict = {"result": true, "msg": msg} { - every peerAuthentication in input.peerAuths { - mode := peerAuthentication.spec.mtls.mode - mode == "STRICT" - } - msg := "All PeerAuthentications have mtls mode set to STRICT." - } else = {"result": false, "msg": msg} { - msg := "Not all PeerAuthentications have mtls mode set to STRICT." - } - type: opa - title: enforce-mtls-strict - uuid: ca49ac97-487a-446a-a0b7-92b20e2c83cb - - description: | - lula-version: "" - metadata: - name: authorized-traffic-egress-PLACEHOLDER - uuid: 7455f86d-b79c-4226-9ce3-f3fb7d9348c8 - title: authorized-traffic-egress-PLACEHOLDER - uuid: 7455f86d-b79c-4226-9ce3-f3fb7d9348c8 - - description: | - domain: - kubernetes-spec: - create-resources: null - resources: - - description: "" - name: namespaces - resource-rule: - group: "" - name: "" - namespaces: [] - resource: namespaces - version: v1 - type: kubernetes - lula-version: "" - metadata: - name: all-namespaces-istio-injected - uuid: 0da39859-a91a-4ca6-bd8b-9b117689188f - provider: - opa-spec: - output: - observations: - - validate.msg - - validate.exempted_namespaces_msg - validation: validate.validate - rego: | - package validate - import future.keywords.every - import future.keywords.in - - default validate = false - default msg = "Not evaluated" - - # Validation - validate { - check_non_istio_injected_namespaces.result - } - msg = check_non_istio_injected_namespaces.msg - exempted_namespaces_msg = sprintf("Exempted Namespaces: %s", [concat(", ", exempted_namespaces)]) - - # List of exempted namespaces - exempted_namespaces := {"istio-system", "kube-system", "default", "istio-admin-gateway", - "istio-passthrough-gateway", "istio-tenant-gateway", "kube-node-lease", "kube-public", "uds-crds", - "uds-dev-stack", "uds-policy-exemptions", "zarf"} - - # Collect non-Istio-injected namespaces - non_istio_injected_namespaces := {ns.metadata.name | - ns := input.namespaces[_] - ns.kind == "Namespace" - not ns.metadata.labels["istio-injection"] == "enabled" - not ns.metadata.name in exempted_namespaces - } - - # Check no non-Istio-injected namespaces - check_non_istio_injected_namespaces = { "result": true, "msg": "All namespaces are Istio-injected" } { - count(non_istio_injected_namespaces) == 0 - } else = { "result": false, "msg": msg } { - msg := sprintf("Non-Istio-injected namespaces: %v", [non_istio_injected_namespaces]) - } - type: opa - title: all-namespaces-istio-injected - uuid: 0da39859-a91a-4ca6-bd8b-9b117689188f - - description: | - domain: - kubernetes-spec: - create-resources: null - resources: - - description: "" - name: gateways - resource-rule: - group: networking.istio.io - name: "" - namespaces: [] - resource: gateways - version: v1beta1 - type: kubernetes - lula-version: "" - metadata: - name: gateway-configuration-check - uuid: b0a8f21e-b12f-47ea-a967-2f4a3ec69e44 - provider: - opa-spec: - output: - observations: - - validate.msg - - validate.msg_existing_gateways - - validate.msg_allowed_gateways - validation: validate.validate - rego: | - package validate - import rego.v1 - - # default values - default validate := false - default msg := "Not evaluated" - - validate if { - check_expected_gw.result - check_all_gw_found.result - } - - msg := concat(" ", [check_expected_gw.msg, check_all_gw_found.msg]) - msg_existing_gateways := concat(", ", gateways) - msg_allowed_gateways := concat(", ", allowed) - - # Check if only allowed gateways are in the system - allowed := {"admin", "tenant", "passthrough"} - gateways := {sprintf("%s/%s", [gw.metadata.namespace, gw.metadata.name]) | gw := input.gateways[_]} - allowed_gateways := {sprintf("%s/%s", [gw.metadata.namespace, gw.metadata.name]) | gw := input.gateways[_]; gw_in_list(gw, allowed)} - actual_allowed := {s | g := gateways[_]; s := allowed[_]; contains(g, s)} - - check_expected_gw = {"result": true, "msg": msg} if { - gateways == allowed_gateways - msg := "Only allowed gateways found." - } else = {"result": false, "msg": msg} if { - msg := sprintf("Some disallowed gateways found: %v.", [gateways-allowed_gateways]) - } - - gw_in_list(gw, allowed) if { - contains(gw.metadata.name, allowed[_]) - } - - # Check if the entire set contains all required gateways - check_all_gw_found = {"result": true, "msg": msg} if { - actual_allowed == allowed - msg := "All gateway types found." - } else = {"result": false, "msg": msg} if { - msg := sprintf("Gateway type(s) missing: %v.", [allowed - actual_allowed]) - } - type: opa - title: gateway-configuration-check - uuid: b0a8f21e-b12f-47ea-a967-2f4a3ec69e44 - - description: | - domain: - kubernetes-spec: - create-resources: null - resources: - - description: "" - name: authorizationPolicies - resource-rule: - group: security.istio.io - name: "" - namespaces: [] - resource: authorizationpolicies - version: v1beta1 - type: kubernetes - lula-version: "" - metadata: - name: istio-rbac-enforcement-check - uuid: 7b045b2a-106f-4c8c-85d9-ae3d7a8e0e28 - provider: - opa-spec: - output: - observations: - - validate.msg - - validate.msg_authPolicies - validation: validate.validate - rego: | - package validate - - # Default policy result - default validate = false - default msg = "Istio RBAC not enforced" - - # Evaluation for Istio Authorization Policies - validate { - count(all_auth_policies) > 0 - } - - # Get all authorization policies - all_auth_policies := { sprintf("%s/%s", [authPolicy.metadata.namespace, authPolicy.metadata.name]) | - authPolicy := input.authorizationPolicies[_]; authPolicy.kind == "AuthorizationPolicy" } - - msg = "Istio RBAC enforced" { - validate - } - msg_authPolicies = sprintf("Authorization Policies: %v", [concat(", ", all_auth_policies)]) - type: opa - title: istio-rbac-enforcement-check - uuid: 7b045b2a-106f-4c8c-85d9-ae3d7a8e0e28 - - description: | - lula-version: "" - metadata: - name: istio-rbac-for-approved-personnel-PLACEHOLDER - uuid: 9b361d7b-4e07-40db-8b86-3854ed499a4b - title: istio-rbac-for-approved-personnel-PLACEHOLDER - uuid: 9b361d7b-4e07-40db-8b86-3854ed499a4b - - description: | - lula-version: "" - metadata: - name: external-traffic-managed-PLACEHOLDER - uuid: 19faf69a-de74-4b78-a628-64a9f244ae13 - provider: - opa-spec: - rego: | - package validate - default validate := false - # This policy could check meshConfig.outboundTrafficPolicy.mode (default is ALLOW_ANY) - # Possibly would need a ServiceEntry(?) - # (https://istio.io/latest/docs/tasks/traffic-management/egress/egress-control/#envoy-passthrough-to-external-services) - type: opa - title: external-traffic-managed-PLACEHOLDER - uuid: 19faf69a-de74-4b78-a628-64a9f244ae13 - - description: | - domain: - kubernetes-spec: - create-resources: null - resources: - - description: "" - name: istioddeployment - resource-rule: - group: apps - name: istiod - namespaces: - - istio-system - resource: deployments - version: v1 - - description: "" - name: istiodhpa - resource-rule: - group: autoscaling - name: istiod - namespaces: - - istio-system - resource: horizontalpodautoscalers - version: v2 - type: kubernetes - lula-version: "" - metadata: - name: istio-health-check - uuid: 67456ae8-4505-4c93-b341-d977d90cb125 - provider: - opa-spec: - output: - observations: - - istiohealth.deployment_message - - istiohealth.hpa_message - validation: istiohealth.is_istio_healthy - rego: | - package istiohealth - - default is_istio_healthy = false - default deployment_message = "Deployment status not evaluated" - default hpa_message = "HPA status not evaluated" - - # Check if the Istio Deployment is healthy - is_istio_healthy { - count(input.istioddeployment.status.conditions) > 0 - all_deployment_conditions_are_true - input.istiodhpa.status.currentReplicas >= input.istiodhpa.spec.minReplicas - } - - all_deployment_conditions_are_true { - # Ensure every condition in the array has a status that is not "False" - all_true = {c | c := input.istioddeployment.status.conditions[_]; c.status != "False"} - count(all_true) == count(input.istioddeployment.status.conditions) - } - - deployment_message = msg { - all_deployment_conditions_are_true - msg := "All deployment conditions are true." - } else = msg { - msg := "One or more deployment conditions are false." - } - - hpa_message = msg { - input.istiodhpa.status.currentReplicas >= input.istiodhpa.spec.minReplicas - msg := "HPA has sufficient replicas." - } else = msg { - msg := "HPA does not have sufficient replicas." - } - type: opa - title: istio-health-check - uuid: 67456ae8-4505-4c93-b341-d977d90cb125 - - description: | - domain: - kubernetes-spec: - create-resources: null - resources: - - description: "" - name: gateways - resource-rule: - group: networking.istio.io - name: "" - namespaces: [] - resource: gateways - version: v1beta1 - type: kubernetes - lula-version: "" - metadata: - name: ingress-traffic-encrypted - uuid: fd071676-6b92-4e1c-a4f0-4c8d2bd55aed - provider: - opa-spec: - output: - observations: - - validate.msg - - validate.msg_exempt - validation: validate.validate - rego: | - package validate - import future.keywords.every - - default validate = false - default msg = "Not evaluated" - - # Validation - validate { - check_gateways_allowed.result - } - msg := check_gateways_allowed.msg - msg_exempt := sprintf("Exempted Gateways: %s", [concat(", ", exempt_gateways)]) - - # Collect gateways that do not encrypt ingress traffic - gateways_disallowed = {sprintf("%s/%s", [gateway.metadata.namespace, gateway.metadata.name]) | - gateway := input.gateways[_]; - not allowed_gateway(gateway) - } - - check_gateways_allowed = {"result": true, "msg": "All gateways encrypt ingress traffic"} { - count(gateways_disallowed) == 0 - } else = {"result": false, "msg": msg} { - msg := sprintf("Some gateways do not encrypt ingress traffic: %s", [concat(", ", gateways_disallowed)]) - } - - # Check allowed gateway - allowed_gateway(gateway) { - every server in gateway.spec.servers { - allowed_server(server) - } - } - - exempt_gateways := {"istio-passthrough-gateway/passthrough-gateway"} - allowed_gateway(gateway) { - sprintf("%s/%s", [gateway.metadata.namespace, gateway.metadata.name]) in exempt_gateways - # *Unchecked condition that exempted gateway is only used by virtual services that route https traffic - # Find all virtual services that use this gateway - # Check that vs has https scheme - } - - # Check allowed server spec in gateway - allowed_server(server) { - server.port.protocol == "HTTP" - server.tls.httpsRedirect == true - } - - allowed_server(server) { - server.port.protocol == "HTTPS" - server.tls.mode in {"SIMPLE", "OPTIONAL_MUTUAL"} - } - type: opa - title: ingress-traffic-encrypted - uuid: fd071676-6b92-4e1c-a4f0-4c8d2bd55aed components: - control-implementations: - - description: Controls implemented by Istio and authservice that are inherited by applications + - description: Control Implementation Description implemented-requirements: - - control-id: ac-4 - description: |- - # Control Implementation - Istio encrypts all in-mesh communication at runtime using FIPS verified mTLS in addition to ingress and egress gateways for controlling communication. + - control-id: ac-14 + description: Istio implements with service to service and provides authorization policies that require authentication to access any non-public features. links: - - href: "#67456ae8-4505-4c93-b341-d977d90cb125" + - href: file:../../compliance/validations/istio/healthcheck/validation.yaml rel: lula text: Check that Istio is healthy - - href: "#ca49ac97-487a-446a-a0b7-92b20e2c83cb" - rel: lula - text: Check that Istio is enforcing mtls STRICT - - href: "#1761ac07-80dd-47d2-947e-09f67943b986" + - href: file:../../compliance/validations/istio/authorized-keycloak-access/validation.yaml rel: lula - text: All pods are istio injected with proxyv2 sidecar - - href: "#fd071676-6b92-4e1c-a4f0-4c8d2bd55aed" - rel: lula - text: Check ingress traffic is encrypted - remarks: "# Control Description Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and without explicit regard to subsequent accesses to that information. Flow control restrictions include, for example, keeping export-controlled information from being transmitted in the clear to the Internet, blocking outside traffic that claims to be from within the organization, restricting web requests to the Internet that are not from the internal web proxy server, and limiting information transfers between organizations based on data structures and content." - uuid: 9e158525-96bd-4d4f-a674-7e3eab9aea7a - - control-id: ac-4.4 - description: |- - # Control Implementation - All encrypted HTTPS connections are terminated at the Istio ingress gateway. + text: Validates that Istio is used to authorize access to Keycloak admin console only from admin gateway + remarks: | + ASSESSMENT-OBJECTIVE: + AC-14a. [Assignment: organization-defined user actions] that can be performed on the system without identification or authentication consistent with organizational mission and business functions are identified; + AC-14b. + AC-14b.[01] user actions not requiring identification or authentication are documented in the security plan for the system; + AC-14b.[02] a rationale for user actions not requiring identification or authentication is provided in the security plan for the system. + uuid: 41c51dc3-7db1-4717-b071-83e57897f478 + - control-id: ac-4 + description: Istio encrypts all in-mesh communication at runtime using FIPS verified mTLS in addition to ingress and egress gateways for controlling communication. links: - - href: "#67456ae8-4505-4c93-b341-d977d90cb125" + - href: file:../../compliance/validations/istio/healthcheck/validation.yaml rel: lula text: Check that Istio is healthy - - href: "#ca49ac97-487a-446a-a0b7-92b20e2c83cb" + - href: file:../../compliance/validations/istio/enforce-mtls-strict/validation.yaml rel: lula text: Check that Istio is enforcing mtls STRICT - - href: "#1761ac07-80dd-47d2-947e-09f67943b986" + - href: file:../../compliance/validations/istio/all-pods-istio-injected/validation.yaml rel: lula text: All pods are istio injected with proxyv2 sidecar - - href: "#fd071676-6b92-4e1c-a4f0-4c8d2bd55aed" + - href: file:../../compliance/validations/istio/ingress-traffic-encrypted/validation.yaml rel: lula text: Check ingress traffic is encrypted - remarks: "# Control Description The information system prevents encrypted information from bypassing content-checking mechanisms by decrypting the information; blocking the flow of the encrypted information; terminating communications sessions attempting to pass encrypted information; Assignment: organization-defined procedure or method." - uuid: c3e13abc-3c19-4f08-a2f8-40fcbef5daa7 + remarks: |- + ASSESSMENT-OBJECTIVE: + approved authorizations are enforced for controlling the flow of information within the system and between connected systems based on [Assignment: organization-defined information flow control policies]. + uuid: 210f730b-7fed-42dd-99b4-42466951b080 - control-id: ac-4.21 - description: |- - # Control Implementation - Istio is configured to use ingress and egress gateways to provide logical flow separation. + description: Istio is configured to use ingress and egress gateways to provide logical flow separation. links: - - href: "#67456ae8-4505-4c93-b341-d977d90cb125" + - href: file:../../compliance/validations/istio/healthcheck/validation.yaml rel: lula text: Check that Istio is healthy - - href: "#0da39859-a91a-4ca6-bd8b-9b117689188f" + - href: file:../../compliance/validations/istio/all-namespaces-istio-injected/validation.yaml rel: lula text: Check namespaces are istio injected - - href: "#c6c9daf1-4196-406d-8679-312c0512ab2e" + - href: file:../../compliance/validations/istio/check-istio-admin-gateway-and-usage/validation.yaml rel: lula text: Check that Istio is configured with an admin gateway and admin services use it - - href: "#b0a8f21e-b12f-47ea-a967-2f4a3ec69e44" + - href: file:../../compliance/validations/istio/gateway-configuration-check/validation.yaml rel: lula text: Validates that Istio Gateways are available and expected VirtualServices using each Gateway. - remarks: "Separate information flows logically or physically using [Assignment: organization-defined mechanisms and/or techniques] to accomplish [Assignment: organization-defined required separations by types of information]." - uuid: 6e32feb5-ce43-465f-9422-e3ef3276bf5d - - control-id: ac-6.3 - description: |- - # Control Implementation - Configured with an "admin" gateway to restrict access to applications that only need administrative access. - links: - - href: "#67456ae8-4505-4c93-b341-d977d90cb125" - rel: lula - text: Check that Istio is healthy - - href: "#c6c9daf1-4196-406d-8679-312c0512ab2e" - rel: lula - text: Check that Istio is configured with an admin gateway and admin services use it - remarks: "Authorize network access to [Assignment: organization-defined privileged commands] only for [Assignment: organization-defined compelling operational needs] and document the rationale for such access in the security plan for the system." - uuid: 0081f95a-3233-4e07-a6cd-95cb1905c318 + remarks: | + ASSESSMENT-OBJECTIVE: + AC-04(21)[01] information flows are separated logically using [Assignment: organization-defined mechanisms and/or techniques] to accomplish [Assignment: organization-defined required separations]; + AC-04(21)[02] information flows are separated physically using [Assignment: organization-defined mechanisms and/or techniques] to accomplish [Assignment: organization-defined required separations]. + uuid: ee9e5fae-1c95-46c7-9265-dc0035e2bb05 - control-id: ac-6.9 - description: |- - # Control Implementation - Istio produces logs for all traffic in the information system. + description: Istio produces logs for all traffic in the information system. links: - - href: "#67456ae8-4505-4c93-b341-d977d90cb125" + - href: file:../../compliance/validations/istio/healthcheck/validation.yaml rel: lula text: Check that Istio is healthy - - href: "#90738c86-6315-450a-ac69-cc50eb4859cc" + - href: file:../../compliance/validations/istio/check-istio-logging-all-traffic/validation.yaml rel: lula text: Check that Istio is logging all traffic which could contain privileged function calls - - href: "#1761ac07-80dd-47d2-947e-09f67943b986" + - href: file:../../compliance/validations/istio/all-pods-istio-injected/validation.yaml rel: lula text: All pods are istio injected with proxyv2 sidecar - remarks: Log the execution of privileged functions. - uuid: 6d8a6c80-2844-4bfd-bc9d-0f5a71e5c979 - - control-id: ac-14 - description: |- - # Control Implementation - Istio implements with service to service and provides authorization policies that require authentication to access any non-public features. + remarks: |- + ASSESSMENT-OBJECTIVE: + the execution of privileged functions is logged. + uuid: c6d9abd2-0136-468a-908d-181d9bd51962 + - control-id: au-12 + description: Istio provides audit record generation capabilities for a variety of event types, including session, connection, transaction, or activity durations, and the number of bytes received and sent. links: - - href: "#67456ae8-4505-4c93-b341-d977d90cb125" + - href: file:../../compliance/validations/istio/healthcheck/validation.yaml rel: lula text: Check that Istio is healthy - - href: "#fbd877c8-d6b6-4d88-8685-2c4aaaab02a1" + - href: file:../../compliance/validations/istio/check-istio-logging-all-traffic/validation.yaml rel: lula - text: Validates that Istio is used to authorize access to Keycloak admin console only from admin gateway - remarks: 'a. Identify [Assignment: organization-defined user actions] that can be performed on the system without identification or authentication consistent with organizational mission and business functions; and b. Document and provide supporting rationale in the security plan for the system, user actions not requiring identification or authentication."' - uuid: c8c03abd-244d-4813-a966-3feece1bad6a + text: Check that Istio is logging all traffic which could contain audit events + remarks: | + ASSESSMENT-OBJECTIVE: + AU-12a. audit record generation capability for the event types the system is capable of auditing (defined in AU-02_ODP[01]) is provided by [Assignment: organization-defined system components]; + AU-12b. [Assignment: organization-defined personnel or roles] is/are allowed to select the event types that are to be logged by specific components of the system; + AU-12c. audit records for the event types defined in AU-02_ODP[02] that include the audit record content defined in AU-03 are generated. + uuid: 87f99f34-6980-49e1-91cf-c0264fa3407c - control-id: au-2 - description: |- - # Control Implementation - Istio logs all Istio event logs within the system's mesh network. + description: Istio logs all Istio event logs within the system's mesh network. links: - - href: "#67456ae8-4505-4c93-b341-d977d90cb125" + - href: file:../../compliance/validations/istio/healthcheck/validation.yaml rel: lula text: Check that Istio is healthy - - href: "#90738c86-6315-450a-ac69-cc50eb4859cc" + - href: file:../../compliance/validations/istio/check-istio-logging-all-traffic/validation.yaml rel: lula text: Check that Istio is logging all traffic which could contain audit events - remarks: "a. Identify the types of events that the system is capable of logging in support of the audit function: [Assignment: organization-defined event types that the system is capable of logging]; b. Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged; c. Specify the following event types for logging within the system: [Assignment: organization-defined event types (subset of the event types defined in AU-2a.) along with the frequency of (or situation requiring) logging for each identified event type]; d. Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and e. Review and update the event types selected for logging [Assignment: organization-defined frequency]." - uuid: 88f300a6-aa21-41b4-919d-29ef3e4381bb + remarks: | + ASSESSMENT-OBJECTIVE: + AU-02a. [Assignment: organization-defined event types] that the system is capable of logging are identified in support of the audit logging function; + AU-02b. the event logging function is coordinated with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged; + AU-02c. + AU-02c.[01] [Assignment: organization-defined event types (subset of AU-02_ODP[01])] are specified for logging within the system; + AU-02c.[02] the specified event types are logged within the system [Assignment: organization-defined frequency or situation]; + AU-02d. a rationale is provided for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; + AU-02e. the event types selected for logging are reviewed and updated [Assignment: organization-defined frequency]. + uuid: b3ed3dba-3164-4785-98db-ef22c96c7c62 - control-id: au-3 - description: |- - # Control Implementation - Istio logs all Istio event logs within the system's mesh network. + description: Istio logs all Istio event logs within the system's mesh network. links: - - href: "#67456ae8-4505-4c93-b341-d977d90cb125" + - href: file:../../compliance/validations/istio/healthcheck/validation.yaml rel: lula text: Check that Istio is healthy - - href: "#f346b797-be35-40a8-a93a-585db6fd56ec" + - href: file:../../compliance/validations/istio/tracing-logging-support/validation.yaml rel: lula text: Check that Istio is configured to provide tracing data - remarks: "Ensure that audit records contain information that establishes the following: a. What type of event occurred; b. When the event occurred; c. Where the event occurred; d. Source of the event; e. Outcome of the event; and f. Identity of any individuals, subjects, or objects/entities associated with the event." - uuid: 52756a01-6f5c-49b1-8a6b-972b74a01da4 + remarks: | + ASSESSMENT-OBJECTIVE: + AU-03a. audit records contain information that establishes what type of event occurred; + AU-03b. audit records contain information that establishes when the event occurred; + AU-03c. audit records contain information that establishes where the event occurred; + AU-03d. audit records contain information that establishes the source of the event; + AU-03e. audit records contain information that establishes the outcome of the event; + AU-03f. audit records contain information that establishes the identity of any individuals, subjects, or objects/entities associated with the event. + uuid: 79dee0b0-5848-4b1e-826b-a2e4ec567b90 - control-id: au-3.1 - description: |- - # Control Implementation - Istio has been configured to implement event logging within our environment. This includes capturing metrics related to the duration of sessions, connections, transactions, or activities. Specifically, Istio's telemetry features are utilized to capture these metrics, which provide valuable data that can be used to infer the duration of sessions or connections. + description: Istio has been configured to implement event logging within our environment. This includes capturing metrics related to the duration of sessions, connections, transactions, or activities. Specifically, Istio's telemetry features are utilized to capture these metrics, which provide valuable data that can be used to infer the duration of sessions or connections. links: - - href: "#67456ae8-4505-4c93-b341-d977d90cb125" + - href: file:../../compliance/validations/istio/healthcheck/validation.yaml rel: lula text: Check that Istio is healthy - - href: "#70d99754-2918-400c-ac9a-319f874fff90" + - href: file:../../compliance/validations/istio/metrics-logging-configured/validation.yaml rel: lula text: Check that Istio is configured to provide metrics data - - href: "#1761ac07-80dd-47d2-947e-09f67943b986" + - href: file:../../compliance/validations/istio/all-pods-istio-injected/validation.yaml rel: lula text: All pods are istio injected with proxyv2 sidecar - - href: "#f345c359-3208-46fb-9348-959bd628301e" + - href: file:../../compliance/validations/istio/prometheus-annotations-validation/validation.yaml rel: lula text: Check that pods running sidecar have the correct annotations for prometheus metrics scrape - remarks: "Generate audit records containing the following additional information: [Assignment: organization-defined additional information]. AU-3 (1) [session, connection, transaction, or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or identify the event; characteristics that describe or identify the object or resource being acted upon; individual identities of group account users; full-text of privileged commands]" - uuid: 16cc258e-d907-47bb-97d9-4e92677cf075 - - control-id: au-12 - description: |- - # Control Implementation - Istio provides audit record generation capabilities for a variety of event types, including session, connection, transaction, or activity durations, and the number of bytes received and sent. - links: - - href: "#67456ae8-4505-4c93-b341-d977d90cb125" - rel: lula - text: Check that Istio is healthy - - href: "#90738c86-6315-450a-ac69-cc50eb4859cc" - rel: lula - text: Check that Istio is logging all traffic which could contain audit events - remarks: "a. Provide audit record generation capability for the event types the system is capable of auditing as defined in AU-2a on [Assignment: organization-defined system components]; b. Allow [Assignment: organization-defined personnel or roles] to select the event types that are to be logged by specific components of the system; and c. Generate audit records for the event types defined in AU-2c that include the audit record content defined in AU-3." - uuid: 8f645835-6538-4327-a7aa-453b398f5ef4 + remarks: |- + ASSESSMENT-OBJECTIVE: + generated audit records contain the following [Assignment: organization-defined additional information]. + uuid: b855fff0-5f57-4ea0-b9a7-52973e81784d - control-id: cm-5 - description: |- - # Control Implementation - Istio enforces logical access restrictions associated with changes to the system. Istio's Role-Based Access Control (RBAC) features are used to define and enforce access controls, ensuring that only approved personnel can make changes to the system. + description: Istio enforces logical access restrictions associated with changes to the system. Istio's Role-Based Access Control (RBAC) features are used to define and enforce access controls, ensuring that only approved personnel can make changes to the system. links: - - href: "#67456ae8-4505-4c93-b341-d977d90cb125" + - href: file:../../compliance/validations/istio/healthcheck/validation.yaml rel: lula text: Check that Istio is healthy - - href: "#7b045b2a-106f-4c8c-85d9-ae3d7a8e0e28" + - href: file:../../compliance/validations/istio/rbac-enforcement-check/validation.yaml rel: lula text: Check that Istio is enforcing RBAC - - href: "#9b361d7b-4e07-40db-8b86-3854ed499a4b" + - href: file:../../compliance/validations/istio/rbac-for-approved-personnel/validation.yaml rel: lula text: Check that particular RBAC is ensuring only approved personnel can make changes to the system [PLACEHOLDER] - remarks: Define, document, approve, and enforce physical and logical access restrictions associated with changes to the system. - uuid: 32e53a18-4b64-4a24-935c-11cbac2c62be - - control-id: sc-3 - description: |- - # Control Implementation - Namespaces, Istio gateways, and network policies collectively by providing resource isolation, secure traffic routing, and network segmentation to prevent unauthorized and unintended information transfer. - links: - - href: "#67456ae8-4505-4c93-b341-d977d90cb125" - rel: lula - text: Check that Istio is healthy - - href: "#c6c9daf1-4196-406d-8679-312c0512ab2e" - rel: lula - text: Check that Istio is configured with an admin gateway and admin services use it - - href: "#b0a8f21e-b12f-47ea-a967-2f4a3ec69e44" - rel: lula - text: Validates that Istio Gateways are available and expected VirtualServices using each Gateway. - remarks: Isolate security functions from nonsecurity functions. - uuid: 9e2894a3-2452-4f7a-b8a5-f72b89b23c87 - - control-id: sc-4 - description: |- - # Control Implementation - Istio enforces outbound traffic goes through an Egress Gateway with a Network Policy. - links: - - href: "#67456ae8-4505-4c93-b341-d977d90cb125" - rel: lula - text: Check that Istio is healthy - - href: "#7455f86d-b79c-4226-9ce3-f3fb7d9348c8" - rel: lula - text: Network Policies are in place to ensure that only authorized traffic is allowed to egress the cluster [PLACEHOLDER] - - href: "#ecdb90c7-971a-4442-8f29-a8b0f6076bc9" - rel: lula - text: Egress Gateway exists and is configured [PLACEHOLDER] - remarks: Prevent unauthorized and unintended information transfer via shared system resources. - uuid: 86bc4fb7-f91b-4f2c-b914-65427951018c - - control-id: sc-7.4 - description: |- - # Control Implementation - Istio is configured to provide managed interfaces for external telecommunication services, establish traffic flow policies, and protect the confidentiality and integrity of transmitted information. It also prevents unauthorized exchange of control plane traffic and filters unauthorized control plane traffic. - links: - - href: "#67456ae8-4505-4c93-b341-d977d90cb125" - rel: lula - text: Check that Istio is healthy - - href: "#570e2dc7-e6c2-4ad5-8ea3-f07974f59747" - rel: lula - text: Resources in namespaces can securely communicate with Istio control plane via network policies - - href: "#fbd877c8-d6b6-4d88-8685-2c4aaaab02a1" - rel: lula - text: Validates that Istio is used to authorize access to Keycloak admin console only from admin gateway - - href: "#b0a8f21e-b12f-47ea-a967-2f4a3ec69e44" - rel: lula - text: Validates that Istio Gateways are available and expected VirtualServices using each Gateway. - remarks: "(a) Implement a managed interface for each external telecommunication service; (b) Establish a traffic flow policy for each managed interface; (c) Protect the confidentiality and integrity of the information being transmitted across each interface; (d) Document each exception to the traffic flow policy with a supporting mission or business need and duration of that need; (e) Review exceptions to the traffic flow policy [Assignment: organization-defined frequency] and remove exceptions that are no longer supported by an explicit mission or business need; (f) Prevent unauthorized exchange of control plane traffic with external networks; (g) Publish information to enable remote networks to detect unauthorized control plane traffic from internal networks; and (h) Filter unauthorized control plane traffic from external networks." - uuid: 85df9e6c-3d94-4c60-9a20-8c481831f1e0 - - control-id: sc-7.8 - description: |- - # Control Implementation - is configured to route internal communications traffic to external networks through authenticated proxy servers at managed interfaces, using its Egress Gateway. + remarks: | + ASSESSMENT-OBJECTIVE: + CM-05[01] physical access restrictions associated with changes to the system are defined and documented; + CM-05[02] physical access restrictions associated with changes to the system are approved; + CM-05[03] physical access restrictions associated with changes to the system are enforced; + CM-05[04] logical access restrictions associated with changes to the system are defined and documented; + CM-05[05] logical access restrictions associated with changes to the system are approved; + CM-05[06] logical access restrictions associated with changes to the system are enforced. + uuid: 80a456cf-c642-4b02-a0fb-18b416e90481 + - control-id: sc-10 + description: Istio is configured to manage network connections associated with specific communication sessions. It can be set up to automatically terminate these connections after periods of inactivity, providing an additional layer of security. links: - - href: "#67456ae8-4505-4c93-b341-d977d90cb125" + - href: file:../../compliance/validations/istio/healthcheck/validation.yaml rel: lula text: Check that Istio is healthy - - href: "#ecdb90c7-971a-4442-8f29-a8b0f6076bc9" + - href: file:../../compliance/validations/istio/communications-terminated-after-inactivity/validation.yaml rel: lula - text: Egress Gateway exists and is configured [PLACEHOLDER] - - href: "#19faf69a-de74-4b78-a628-64a9f244ae13" - rel: lula - text: Check that external traffic is managed [PLACEHOLDER] - remarks: "Route [Assignment: organization-defined internal communications traffic] to [Assignment: organization-defined external networks] through authenticated proxy servers at managed interfaces." - uuid: 4b930af3-ae84-43ff-b751-448fe1c2eec8 - - control-id: sc-7.20 - description: |- - # Control Implementation - Istio is configured to dynamically isolate certain internal system components when necessary. This is achieved through Istio's network policies, which allow us to partition or separate system components + text: Istio terminates communication sessions after inactivity [PLACEHOLDER] + remarks: |- + ASSESSMENT-OBJECTIVE: + the network connection associated with a communication session is terminated at the end of the session or after [Assignment: organization-defined time period] of inactivity. + uuid: ad919a09-d186-4edd-9234-ead04f959fff + - control-id: sc-13 + description: Istio provides FIPS encryption in transit for all applications in the mesh, TLS termination at ingress, and TLS origination at egress. links: - - href: "#67456ae8-4505-4c93-b341-d977d90cb125" + - href: file:../../compliance/validations/istio/healthcheck/validation.yaml rel: lula text: Check that Istio is healthy - - href: "#ca49ac97-487a-446a-a0b7-92b20e2c83cb" + - href: file:../../compliance/validations/istio/enforce-mtls-strict/validation.yaml rel: lula text: Check that Istio is enforcing mtls STRICT - - href: "#1761ac07-80dd-47d2-947e-09f67943b986" + - href: file:../../compliance/validations/istio/ingress-traffic-encrypted/validation.yaml rel: lula - text: All pods are istio injected with proxyv2 sidecar - remarks: "Provide the capability to dynamically isolate [Assignment: organization-defined system components] from other system components." - uuid: 30b49a3e-ad38-441d-8c07-5a9018848a02 - - control-id: sc-7.21 - description: |- - # Control Implementation - Istio is configured to isolate system components that perform different mission or business functions. This is achieved through Istio's network policies and mutual TLS, which allow us to control information flows and provide enhanced protection. - links: - - href: "#67456ae8-4505-4c93-b341-d977d90cb125" - rel: lula - text: Check that Istio is healthy - - href: "#ca49ac97-487a-446a-a0b7-92b20e2c83cb" + text: Istio is encrypting ingress traffic + - href: file:../../compliance/validations/istio/tls-origination-at-egress/validation.yaml rel: lula - text: Check that Istio is enforcing mtls STRICT - - href: "#1761ac07-80dd-47d2-947e-09f67943b986" + text: Istio is providing TLS origination at egress [PLACEHOLDER] + - href: file:../../compliance/validations/istio/fips-evaluation/validation.yaml rel: lula - text: All pods are istio injected with proxyv2 sidecar - remarks: "Employ boundary protection mechanisms to isolate [Assignment: organization-defined system components] supporting [Assignment: organization-defined missions and/or business functions]." - uuid: c9a1e9bc-3caa-44ce-a300-ecd722487987 - - control-id: sc-8 - description: |- - # Control Implementation - Istio is configured to protect the confidentiality and integrity of transmitted information across both internal and external networks. This is achieved through Istio's mutual TLS, which encrypts service-to-service communication, ensuring that data in transit is not exposed to the possibility of interception and modification. + text: System is using FIPS-compliant Istio distribution [PLACEHOLDER] + remarks: | + ASSESSMENT-OBJECTIVE: + SC-13a. [Assignment: organization-defined cryptographic uses] are identified; + SC-13b. [Assignment: organization-defined types of cryptography] for each specified cryptographic use (defined in SC-13_ODP[01]) are implemented. + uuid: 675c0823-8e94-4910-9f61-5266d7e7b38c + - control-id: sc-23 + description: Istio is configured to protect session authenticity, establishing confidence in the ongoing identities of other parties and the validity of transmitted information. This is achieved through Istio's mutual TLS, which ensures secure communication. links: - - href: "#67456ae8-4505-4c93-b341-d977d90cb125" + - href: file:../../compliance/validations/istio/healthcheck/validation.yaml rel: lula text: Check that Istio is healthy - - href: "#ca49ac97-487a-446a-a0b7-92b20e2c83cb" + - href: file:../../compliance/validations/istio/enforce-mtls-strict/validation.yaml rel: lula text: Check that Istio is enforcing mtls STRICT - - href: "#1761ac07-80dd-47d2-947e-09f67943b986" - rel: lula - text: All pods are istio injected with proxyv2 sidecar - remarks: "Protect the [Selection (one or more): confidentiality; integrity] of transmitted information." - uuid: 7548b4ee-e4a3-4e3c-a34b-95eccad45f92 - - control-id: sc-8.1 - description: |- - # Control Implementation - Istio is configured to protect the confidentiality and integrity of transmitted information across both internal and external networks. This is achieved through Istio's mutual TLS, which encrypts service-to-service communication, ensuring that data in transit is not exposed to the possibility of interception and modification. + remarks: |- + ASSESSMENT-OBJECTIVE: + the authenticity of communication sessions is protected. + uuid: dac01dde-3bdf-4e70-9d4d-4081c88de380 + - control-id: sc-39 + description: Istio is configured to maintain separate execution domains for each executing process. This is achieved through Istio's sidecar proxy design, where each service in the mesh has its own dedicated sidecar proxy to handle its inbound and outbound traffic. This ensures that communication between processes is controlled and one process cannot modify the executing code of another process. links: - - href: "#67456ae8-4505-4c93-b341-d977d90cb125" + - href: file:../../compliance/validations/istio/healthcheck/validation.yaml rel: lula text: Check that Istio is healthy - - href: "#ca49ac97-487a-446a-a0b7-92b20e2c83cb" - rel: lula - text: Check that Istio is enforcing mtls STRICT - - href: "#1761ac07-80dd-47d2-947e-09f67943b986" + - href: file:../../compliance/validations/istio/all-pods-istio-injected/validation.yaml rel: lula text: All pods are istio injected with proxyv2 sidecar - remarks: "Implement cryptographic mechanisms to [Selection (one or more): prevent unauthorized disclosure of information; detect changes to information] during transmission." - uuid: 69415B92-0490-4A14-9E0F-E1EE61951F9C - - control-id: sc-8.2 - description: |- - # Control Implementation - Istio implements with global configuration. + remarks: |- + ASSESSMENT-OBJECTIVE: + a separate execution domain is maintained for each executing system process. + uuid: 0e72ca49-e9cb-4a74-8701-6f81091197b6 + - control-id: sc-7.4 + description: Istio is configured to provide managed interfaces for external telecommunication services, establish traffic flow policies, and protect the confidentiality and integrity of transmitted information. It also prevents unauthorized exchange of control plane traffic and filters unauthorized control plane traffic. links: - - href: "#67456ae8-4505-4c93-b341-d977d90cb125" + - href: file:../../compliance/validations/istio/healthcheck/validation.yaml rel: lula text: Check that Istio is healthy - - href: "#ca49ac97-487a-446a-a0b7-92b20e2c83cb" - rel: lula - text: Check that Istio is enforcing mtls STRICT to ensure integrity of information sent/received - - href: "#1761ac07-80dd-47d2-947e-09f67943b986" + - href: file:../../compliance/validations/istio/secure-communication-with-istiod/validation.yaml rel: lula - text: All pods are istio injected with proxyv2 sidecar - - href: "#fbd877c8-d6b6-4d88-8685-2c4aaaab02a1" + text: Resources in namespaces can securely communicate with Istio control plane via network policies + - href: file:../../compliance/validations/istio/authorized-keycloak-access/validation.yaml rel: lula text: Validates that Istio is used to authorize access to Keycloak admin console only from admin gateway - remarks: "Maintain the [Selection (one or more): confidentiality; integrity] of information during preparation for transmission and during reception." - uuid: c158b75a-cefc-4794-b124-f1e56ff5646d - - control-id: sc-10 - description: |- - # Control Implementation - Istio is configured to manage network connections associated with specific communication sessions. It can be set up to automatically terminate these connections after periods of inactivity, providing an additional layer of security. + - href: file:../../compliance/validations/istio/gateway-configuration-check/validation.yaml + rel: lula + text: Validates that Istio Gateways are available and expected VirtualServices using each Gateway. + remarks: | + ASSESSMENT-OBJECTIVE: + SC-07(04)(a) a managed interface is implemented for each external telecommunication service; + SC-07(04)(b) a traffic flow policy is established for each managed interface; + SC-07(04)(c) + SC-07(04)(c)[01] the confidentiality of the information being transmitted across each interface is protected; + SC-07(04)(c)[02] the integrity of the information being transmitted across each interface is protected; + SC-07(04)(d) each exception to the traffic flow policy is documented with a supporting mission or business need and duration of that need; + SC-07(04)(e) + SC-07(04)(e)[01] exceptions to the traffic flow policy are reviewed [Assignment: organization-defined frequency]; + SC-07(04)(e)[02] exceptions to the traffic flow policy that are no longer supported by an explicit mission or business need are removed; + SC-07(04)(f) unauthorized exchanges of control plan traffic with external networks are prevented; + SC-07(04)(g) information is published to enable remote networks to detect unauthorized control plane traffic from internal networks; + SC-07(04)(h) unauthorized control plane traffic is filtered from external networks. + uuid: a5bac410-d674-431d-b5fc-2f904842c29c + - control-id: sc-7.8 + description: Istio is configured to route internal communications traffic to external networks through authenticated proxy servers at managed interfaces, using its Egress Gateway. links: - - href: "#67456ae8-4505-4c93-b341-d977d90cb125" + - href: file:../../compliance/validations/istio/healthcheck/validation.yaml rel: lula text: Check that Istio is healthy - - href: "#663f5e92-6db4-4042-8b5a-eba3ebe5a622" + - href: file:../../compliance/validations/istio/egress-gateway-exists-and-configured/validation.yaml rel: lula - text: Istio terminates communication sessions after inactivity [PLACEHOLDER] - remarks: "Maintain the [Selection (one or more): confidentiality; integrity] of information during preparation for transmission and during reception." - uuid: 169c9ad3-0a6c-46ee-80cd-cd8cef5eca5c - - control-id: sc-13 - description: |- - # Control Implementation - Istio provides FIPS encryption in transit for all applications in the mesh, TLS termination at ingress, and TLS origination at egress. + text: Egress Gateway exists and is configured [PLACEHOLDER] + - href: file:../../compliance/validations/istio/external-traffic-managed/validation.yaml + rel: lula + text: Check that external traffic is managed [PLACEHOLDER] + remarks: |- + ASSESSMENT-OBJECTIVE: + [Assignment: organization-defined internal communications traffic] is routed to [Assignment: organization-defined external networks] through authenticated proxy servers at managed interfaces. + uuid: 3f409103-880e-4180-81e7-54f85a6143ae + - control-id: sc-8 + description: Istio is configured to protect the confidentiality and integrity of transmitted information across both internal and external networks. This is achieved through Istio's mutual TLS, which encrypts service-to-service communication, ensuring that data in transit is not exposed to the possibility of interception and modification. links: - - href: "#67456ae8-4505-4c93-b341-d977d90cb125" + - href: file:../../compliance/validations/istio/healthcheck/validation.yaml rel: lula text: Check that Istio is healthy - - href: "#ca49ac97-487a-446a-a0b7-92b20e2c83cb" + - href: file:../../compliance/validations/istio/enforce-mtls-strict/validation.yaml rel: lula text: Check that Istio is enforcing mtls STRICT - - href: "#fd071676-6b92-4e1c-a4f0-4c8d2bd55aed" - rel: lula - text: Istio is encrypting ingress traffic - - href: "#8be1601e-5870-4573-ab4f-c1c199944815" - rel: lula - text: Istio is providing TLS origination at egress [PLACEHOLDER] - - href: "#73434890-2751-4894-b7b2-7e583b4a8977" + - href: file:../../compliance/validations/istio/all-pods-istio-injected/validation.yaml rel: lula - text: System is using FIPS-compliant Istio distribution [PLACEHOLDER] - remarks: 'a. Determine the [Assignment: organization-defined cryptographic uses]; and b. Implement the following types of cryptography required for each specified cryptographic use: [Assignment: organization-defined types of cryptography for each specified cryptographic use]."' - uuid: 2bf5c525-af5f-4b8b-8349-3f6a91e0aab9 - - control-id: sc-23 - description: |- - # Control Implementation - Istio is configured to protect session authenticity, establishing confidence in the ongoing identities of other parties and the validity of transmitted information. This is achieved through Istio's mutual TLS, which ensures secure communication. + text: All pods are istio injected with proxyv2 sidecar + remarks: |- + ASSESSMENT-OBJECTIVE: + the [Selection: (one-or-more) organization-defined confidentiality; integrity] of transmitted information is/are protected. + uuid: e97a451e-44c7-4240-a7a7-adaadd26f01c + - control-id: sc-8.1 + description: Istio is configured to protect the confidentiality and integrity of transmitted information across both internal and external networks. This is achieved through Istio's mutual TLS, which encrypts service-to-service communication, ensuring that data in transit is not exposed to the possibility of interception and modification. links: - - href: "#67456ae8-4505-4c93-b341-d977d90cb125" + - href: file:../../compliance/validations/istio/healthcheck/validation.yaml rel: lula text: Check that Istio is healthy - - href: "#ca49ac97-487a-446a-a0b7-92b20e2c83cb" + - href: file:../../compliance/validations/istio/enforce-mtls-strict/validation.yaml rel: lula text: Check that Istio is enforcing mtls STRICT - remarks: "Protect the [Selection (one or more): confidentiality; integrity] of the following information at rest: [Assignment: organization-defined information at rest]. SC-28 Guidance: The organization supports the capability to use cryptographic mechanisms to protect information at rest. SC-28 Guidance: When leveraging encryption from underlying IaaS/PaaS: While some IaaS/PaaS services provide encryption by default, many require encryption to be configured, and enabled by the customer. The CSP has the responsibility to verify encryption is properly configured. SC-28 Guidance: Note that this enhancement requires the use of cryptography in accordance with SC-13." - uuid: 625bfdc1-0b20-45f3-919b-91afbac77799 - - control-id: sc-39 - description: |- - # Control Implementation - Istio is configured to maintain separate execution domains for each executing process. This is achieved through Istio's sidecar proxy design, where each service in the mesh has its own dedicated sidecar proxy to handle its inbound and outbound traffic. This ensures that communication between processes is controlled and one process cannot modify the executing code of another process. - links: - - href: "#67456ae8-4505-4c93-b341-d977d90cb125" - rel: lula - text: Check that Istio is healthy - - href: "#1761ac07-80dd-47d2-947e-09f67943b986" + - href: file:../../compliance/validations/istio/all-pods-istio-injected/validation.yaml rel: lula text: All pods are istio injected with proxyv2 sidecar - remarks: Maintain a separate execution domain for each executing system process. - uuid: f972ef8d-1eb0-403b-8db8-e65a4f4e2aaa - source: https://raw.githubusercontent.com/GSA/fedramp-automation/93ca0e20ff5e54fc04140613476fba80f08e3c7d/dist/content/rev5/baselines/json/FedRAMP_rev5_HIGH-baseline-resolved-profile_catalog.json - uuid: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c + remarks: |- + ASSESSMENT-OBJECTIVE: + cryptographic mechanisms are implemented to [Selection: (one-or-more) organization-defined prevent unauthorized disclosure of information; detect changes to information] during transmission. + uuid: f3b38f79-9bf7-4024-a1b2-00befd67fda7 props: + - name: generation + ns: https://docs.lula.dev/oscal/ns + value: lula generate component --catalog-source https://raw.githubusercontent.com/GSA/fedramp-automation/refs/tags/fedramp-2.0.0-oscal-1.0.4/dist/content/rev5/baselines/json/FedRAMP_rev5_MODERATE-baseline-resolved-profile_catalog.json --component 'Istio' --requirements ac-4,ac-4.21,ac-6.9,ac-14,au-2,au-3,au-3.1,au-12,cm-5,sc-7.4,sc-7.8,sc-8,sc-8.1,sc-10,sc-13,sc-23,sc-39 --remarks assessment-objective --framework il4 - name: framework ns: https://docs.lula.dev/oscal/ns value: il4 - description: | - Istio Service Mesh - purpose: Istio Service Mesh - responsible-roles: - - party-uuids: - - f3cf70f8-ba44-4e55-9ea3-389ef24847d3 - role-id: provider - title: Istio Controlplane + source: https://raw.githubusercontent.com/GSA/fedramp-automation/refs/tags/fedramp-2.0.0-oscal-1.0.4/dist/content/rev5/baselines/json/FedRAMP_rev5_MODERATE-baseline-resolved-profile_catalog.json + uuid: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c + description: Component Description + title: Istio type: software - uuid: 81f6ec5d-9b8d-408f-8477-f8a04f493690 + uuid: 3fad668e-7751-44e6-b1be-4fe773971370 metadata: - last-modified: 2024-07-16T02:47:14.949557671Z + last-modified: 2024-09-17T20:24:07.548382887Z oscal-version: 1.1.2 parties: - links: @@ -1397,7 +331,9 @@ component-definition: rel: website name: Unicorn Delivery Service type: organization - uuid: f3cf70f8-ba44-4e55-9ea3-389ef24847d3 - title: Istio Controlplane - version: "20240614" - uuid: 7e3269fc-fe33-49c9-be88-6c868e21aae1 + uuid: bf31d461-82af-529a-8bdf-09aa488e5b7e + published: 2024-09-03T21:02:56.440962532Z + remarks: Lula Generated Component Definition + title: Istio + version: 0.0.1 + uuid: b0395313-5d50-4c64-b0e7-43014a47ead9 From 3d7cc66ac111e6f11c38239a82a03fec1ec34da2 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Thu, 17 Oct 2024 10:09:52 -0600 Subject: [PATCH 80/90] chore(deps): update pepr to v0.38.1 (#922) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [pepr](https://redirect.github.com/defenseunicorns/pepr) | [`0.38.0` -> `0.38.1`](https://renovatebot.com/diffs/npm/pepr/0.38.0/0.38.1) | [![age](https://developer.mend.io/api/mc/badges/age/npm/pepr/0.38.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/pepr/0.38.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/pepr/0.38.0/0.38.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/pepr/0.38.0/0.38.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | --- ### Release Notes
defenseunicorns/pepr (pepr) ### [`v0.38.1`](https://redirect.github.com/defenseunicorns/pepr/releases/tag/v0.38.1) [Compare Source](https://redirect.github.com/defenseunicorns/pepr/compare/v0.38.0...v0.38.1) ##### What's Changed - chore: get pods each reporting interval by [@​cmwylie19](https://redirect.github.com/cmwylie19) in [https://github.com/defenseunicorns/pepr/pull/1279](https://redirect.github.com/defenseunicorns/pepr/pull/1279) - chore: node-latest is breaking ci - change matrix to 22 by [@​cmwylie19](https://redirect.github.com/cmwylie19) in [https://github.com/defenseunicorns/pepr/pull/1288](https://redirect.github.com/defenseunicorns/pepr/pull/1288) - chore: reduce package size - exclude tests from package by [@​cmwylie19](https://redirect.github.com/cmwylie19) in [https://github.com/defenseunicorns/pepr/pull/1275](https://redirect.github.com/defenseunicorns/pepr/pull/1275) - test: http2-enable watcher and iso format logs in soak test by [@​btlghrants](https://redirect.github.com/btlghrants) in [https://github.com/defenseunicorns/pepr/pull/1277](https://redirect.github.com/defenseunicorns/pepr/pull/1277) - test: http2-enable watcher in smoke test by [@​btlghrants](https://redirect.github.com/btlghrants) in [https://github.com/defenseunicorns/pepr/pull/1281](https://redirect.github.com/defenseunicorns/pepr/pull/1281) - chore: update resource limits/requests on controllers by [@​cmwylie19](https://redirect.github.com/cmwylie19) in [https://github.com/defenseunicorns/pepr/pull/1291](https://redirect.github.com/defenseunicorns/pepr/pull/1291) - chore: bump peter-murray/workflow-application-token-action from 3.0.1 to 4.0.0 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/defenseunicorns/pepr/pull/1273](https://redirect.github.com/defenseunicorns/pepr/pull/1273) - chore: bump anchore/scan-action from 5.0.0 to 5.0.1 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/defenseunicorns/pepr/pull/1272](https://redirect.github.com/defenseunicorns/pepr/pull/1272) - chore: bump chainguard/node from `8a604e5` to `b0b04bb` by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/defenseunicorns/pepr/pull/1271](https://redirect.github.com/defenseunicorns/pepr/pull/1271) - chore: bump kubernetes-fluent-client from 3.1.1 to 3.1.2 in the production-dependencies group by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/defenseunicorns/pepr/pull/1292](https://redirect.github.com/defenseunicorns/pepr/pull/1292) - chore: bump [@​types/node](https://redirect.github.com/types/node) from 22.7.5 to 22.7.6 in the development-dependencies group by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/defenseunicorns/pepr/pull/1293](https://redirect.github.com/defenseunicorns/pepr/pull/1293) - chore: bump chainguard/node from `b0b04bb` to `96260af` by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/defenseunicorns/pepr/pull/1289](https://redirect.github.com/defenseunicorns/pepr/pull/1289) **Full Changelog**: https://github.com/defenseunicorns/pepr/compare/v0.38.0...v0.38.1
--- ### Configuration πŸ“… **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. β™» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. πŸ”• **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/defenseunicorns/uds-core). Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- package-lock.json | 16 ++++++++-------- package.json | 2 +- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/package-lock.json b/package-lock.json index 568193935..dd7b49ee3 100644 --- a/package-lock.json +++ b/package-lock.json @@ -8,7 +8,7 @@ "name": "uds-core", "version": "0.5.0", "dependencies": { - "pepr": "0.38.0" + "pepr": "0.38.1" }, "devDependencies": { "@jest/globals": "29.7.0", @@ -5231,9 +5231,9 @@ } }, "node_modules/kubernetes-fluent-client": { - "version": "3.1.1", - "resolved": "https://registry.npmjs.org/kubernetes-fluent-client/-/kubernetes-fluent-client-3.1.1.tgz", - "integrity": "sha512-JWwI3Fx7vIUcS1a7napVb5TviNregpnr/N7unXLgJ0r+F4zFHcPPoBSEgS9HVs35XtMhFHe0KdzpeXT1/7EQ8A==", + "version": "3.1.2", + "resolved": "https://registry.npmjs.org/kubernetes-fluent-client/-/kubernetes-fluent-client-3.1.2.tgz", + "integrity": "sha512-NFyBYr4FCUVfcwaCO/bu1p496QFFu+J5IZusKuBeHhGlbkp4yHanQsM12lX79GKuEMVKzVq2RXCYvYsJhvicFw==", "license": "Apache-2.0", "dependencies": { "@kubernetes/client-node": "1.0.0-rc7", @@ -6244,16 +6244,16 @@ } }, "node_modules/pepr": { - "version": "0.38.0", - "resolved": "https://registry.npmjs.org/pepr/-/pepr-0.38.0.tgz", - "integrity": "sha512-sjtw2AuS0i0kl7fsso6kSQGOW5jfZnDG2vZ+r8QIt0AMTxbKoOjdpIpiaR6h0bRp4D9Ulj/7P/GbFx3qYdsPtA==", + "version": "0.38.1", + "resolved": "https://registry.npmjs.org/pepr/-/pepr-0.38.1.tgz", + "integrity": "sha512-rglrwpfrxRfvssab8rmiHcA3kH1P/Il65TuyNmvbJ05hbKSxWnJQ+L7hSbD6Iua1UqjRZ1JvGfj/yNvlPJC60w==", "license": "Apache-2.0", "dependencies": { "@types/ramda": "0.30.2", "express": "4.21.1", "fast-json-patch": "3.1.1", "json-pointer": "^0.6.2", - "kubernetes-fluent-client": "3.1.1", + "kubernetes-fluent-client": "3.1.2", "pino": "9.5.0", "pino-pretty": "11.3.0", "prom-client": "15.1.3", diff --git a/package.json b/package.json index 3480d451c..666231197 100644 --- a/package.json +++ b/package.json @@ -29,7 +29,7 @@ "k3d-setup": "k3d cluster delete pepr-dev && k3d cluster create pepr-dev --k3s-arg '--debug@server:0'" }, "dependencies": { - "pepr": "0.38.0" + "pepr": "0.38.1" }, "devDependencies": { "@jest/globals": "29.7.0", From 1404011afd6ffebdbaa0b85e70c7dc57b738c9d0 Mon Sep 17 00:00:00 2001 From: Chance <139784371+UnicornChance@users.noreply.github.com> Date: Thu, 17 Oct 2024 12:57:19 -0600 Subject: [PATCH 81/90] fix: test ci license check (#924) ## Description CI currently doesn't check for license linting. Also updating some compliance files with license headers. ## Type of change - [ ] Bug fix (non-breaking change which fixes an issue) - [ ] New feature (non-breaking change which adds functionality) - [x] Other (security config, docs update, etc) ## Checklist before merging - [x] Test, docs, adr added or updated as needed - [x] [Contributor Guide](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md) followed --- compliance/oscal-assessment-results.yaml | 3 +++ .../istio/all-namespaces-istio-injected/tests.yaml | 3 +++ .../istio/all-namespaces-istio-injected/validation.yaml | 3 +++ .../validations/istio/all-pods-istio-injected/tests.yaml | 3 +++ .../istio/all-pods-istio-injected/validation.yaml | 3 +++ .../tests.yaml | 3 +++ .../validation.yaml | 3 +++ .../validations/istio/authorized-keycloak-access/tests.yaml | 3 +++ .../istio/authorized-keycloak-access/validation.yaml | 3 +++ .../istio/authorized-traffic-egress/validation.yaml | 3 +++ .../istio/check-istio-admin-gateway-and-usage/tests.yaml | 3 +++ .../check-istio-admin-gateway-and-usage/validation.yaml | 3 +++ .../istio/check-istio-logging-all-traffic/tests.yaml | 3 +++ .../istio/check-istio-logging-all-traffic/validation.yaml | 3 +++ .../validation.yaml | 3 +++ .../egress-gateway-exists-and-configured/validation.yaml | 3 +++ compliance/validations/istio/enforce-mtls-strict/tests.yaml | 3 +++ .../validations/istio/enforce-mtls-strict/validation.yaml | 3 +++ .../istio/external-traffic-managed/validation.yaml | 3 +++ compliance/validations/istio/fips-evaluation/validation.yaml | 3 +++ .../validations/istio/gateway-configuration-check/tests.yaml | 3 +++ .../istio/gateway-configuration-check/validation.yaml | 3 +++ compliance/validations/istio/healthcheck/tests.yaml | 3 +++ compliance/validations/istio/healthcheck/validation.yaml | 3 +++ .../validations/istio/ingress-traffic-encrypted/tests.yaml | 3 +++ .../istio/ingress-traffic-encrypted/validation.yaml | 3 +++ .../validations/istio/metrics-logging-configured/tests.yaml | 3 +++ .../istio/metrics-logging-configured/validation.yaml | 3 +++ .../istio/prometheus-annotations-validation/tests.yaml | 3 +++ .../istio/prometheus-annotations-validation/validation.yaml | 3 +++ .../validations/istio/rbac-enforcement-check/tests.yaml | 3 +++ .../validations/istio/rbac-enforcement-check/validation.yaml | 3 +++ .../istio/rbac-for-approved-personnel/validation.yaml | 3 +++ .../tests.yaml | 3 +++ .../validation.yaml | 3 +++ .../istio/secure-communication-with-istiod/tests.yaml | 3 +++ .../istio/secure-communication-with-istiod/validation.yaml | 3 +++ .../istio/tls-origination-at-egress/validation.yaml | 3 +++ .../validations/istio/tracing-logging-support/tests.yaml | 3 +++ .../istio/tracing-logging-support/validation.yaml | 3 +++ tasks/lint.yaml | 5 +++++ 41 files changed, 125 insertions(+) diff --git a/compliance/oscal-assessment-results.yaml b/compliance/oscal-assessment-results.yaml index 55dc29871..836f79b1e 100644 --- a/compliance/oscal-assessment-results.yaml +++ b/compliance/oscal-assessment-results.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + assessment-results: import-ap: href: "" diff --git a/compliance/validations/istio/all-namespaces-istio-injected/tests.yaml b/compliance/validations/istio/all-namespaces-istio-injected/tests.yaml index 0a7e4d8c4..dd27a4e8a 100644 --- a/compliance/validations/istio/all-namespaces-istio-injected/tests.yaml +++ b/compliance/validations/istio/all-namespaces-istio-injected/tests.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + pass: - test: default validation: validation.yaml diff --git a/compliance/validations/istio/all-namespaces-istio-injected/validation.yaml b/compliance/validations/istio/all-namespaces-istio-injected/validation.yaml index d32392e6c..8acfa3b8a 100644 --- a/compliance/validations/istio/all-namespaces-istio-injected/validation.yaml +++ b/compliance/validations/istio/all-namespaces-istio-injected/validation.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + metadata: name: all-namespaces-istio-injected uuid: 0da39859-a91a-4ca6-bd8b-9b117689188f diff --git a/compliance/validations/istio/all-pods-istio-injected/tests.yaml b/compliance/validations/istio/all-pods-istio-injected/tests.yaml index d468d39e2..82eb1e66c 100644 --- a/compliance/validations/istio/all-pods-istio-injected/tests.yaml +++ b/compliance/validations/istio/all-pods-istio-injected/tests.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + pass: - test: default validation: validation.yaml diff --git a/compliance/validations/istio/all-pods-istio-injected/validation.yaml b/compliance/validations/istio/all-pods-istio-injected/validation.yaml index e6881d7e0..05b4f0fee 100644 --- a/compliance/validations/istio/all-pods-istio-injected/validation.yaml +++ b/compliance/validations/istio/all-pods-istio-injected/validation.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + metadata: name: all-pods-istio-injected uuid: 1761ac07-80dd-47d2-947e-09f67943b986 diff --git a/compliance/validations/istio/authorization-policies-require-authentication-DEPRECATED/tests.yaml b/compliance/validations/istio/authorization-policies-require-authentication-DEPRECATED/tests.yaml index 17d3581a9..948eff134 100644 --- a/compliance/validations/istio/authorization-policies-require-authentication-DEPRECATED/tests.yaml +++ b/compliance/validations/istio/authorization-policies-require-authentication-DEPRECATED/tests.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + pass: - test: default validation: validation.yaml diff --git a/compliance/validations/istio/authorization-policies-require-authentication-DEPRECATED/validation.yaml b/compliance/validations/istio/authorization-policies-require-authentication-DEPRECATED/validation.yaml index d4abe2920..69aea4c6f 100644 --- a/compliance/validations/istio/authorization-policies-require-authentication-DEPRECATED/validation.yaml +++ b/compliance/validations/istio/authorization-policies-require-authentication-DEPRECATED/validation.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + metadata: name: istio-authorization-policies-require-authentication uuid: e38c0695-10f6-40b6-b246-fa58b26ccd25 diff --git a/compliance/validations/istio/authorized-keycloak-access/tests.yaml b/compliance/validations/istio/authorized-keycloak-access/tests.yaml index c2ffc31ec..49e1e1164 100644 --- a/compliance/validations/istio/authorized-keycloak-access/tests.yaml +++ b/compliance/validations/istio/authorized-keycloak-access/tests.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + pass: - test: default validation: validation.yaml diff --git a/compliance/validations/istio/authorized-keycloak-access/validation.yaml b/compliance/validations/istio/authorized-keycloak-access/validation.yaml index b59e82453..ba3c0066b 100644 --- a/compliance/validations/istio/authorized-keycloak-access/validation.yaml +++ b/compliance/validations/istio/authorized-keycloak-access/validation.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + metadata: name: istio-enforces-authorized-keycloak-access uuid: fbd877c8-d6b6-4d88-8685-2c4aaaab02a1 diff --git a/compliance/validations/istio/authorized-traffic-egress/validation.yaml b/compliance/validations/istio/authorized-traffic-egress/validation.yaml index 0a997e887..a2523b93c 100644 --- a/compliance/validations/istio/authorized-traffic-egress/validation.yaml +++ b/compliance/validations/istio/authorized-traffic-egress/validation.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + metadata: name: authorized-traffic-egress-PLACEHOLDER uuid: 7455f86d-b79c-4226-9ce3-f3fb7d9348c8 diff --git a/compliance/validations/istio/check-istio-admin-gateway-and-usage/tests.yaml b/compliance/validations/istio/check-istio-admin-gateway-and-usage/tests.yaml index d77fce294..2c1638602 100644 --- a/compliance/validations/istio/check-istio-admin-gateway-and-usage/tests.yaml +++ b/compliance/validations/istio/check-istio-admin-gateway-and-usage/tests.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + pass: - test: default validation: validation.yaml diff --git a/compliance/validations/istio/check-istio-admin-gateway-and-usage/validation.yaml b/compliance/validations/istio/check-istio-admin-gateway-and-usage/validation.yaml index 61139d719..9c1c6ce57 100644 --- a/compliance/validations/istio/check-istio-admin-gateway-and-usage/validation.yaml +++ b/compliance/validations/istio/check-istio-admin-gateway-and-usage/validation.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + metadata: name: check-istio-admin-gateway-and-usage uuid: c6c9daf1-4196-406d-8679-312c0512ab2e diff --git a/compliance/validations/istio/check-istio-logging-all-traffic/tests.yaml b/compliance/validations/istio/check-istio-logging-all-traffic/tests.yaml index bc6eafc76..3215d813b 100644 --- a/compliance/validations/istio/check-istio-logging-all-traffic/tests.yaml +++ b/compliance/validations/istio/check-istio-logging-all-traffic/tests.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + pass: - test: default validation: validation.yaml diff --git a/compliance/validations/istio/check-istio-logging-all-traffic/validation.yaml b/compliance/validations/istio/check-istio-logging-all-traffic/validation.yaml index 20227e2eb..f9f0d0b37 100644 --- a/compliance/validations/istio/check-istio-logging-all-traffic/validation.yaml +++ b/compliance/validations/istio/check-istio-logging-all-traffic/validation.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + metadata: name: check-istio-logging-all-traffic uuid: 90738c86-6315-450a-ac69-cc50eb4859cc diff --git a/compliance/validations/istio/communications-terminated-after-inactivity/validation.yaml b/compliance/validations/istio/communications-terminated-after-inactivity/validation.yaml index 9bc171ca7..df4cf357f 100644 --- a/compliance/validations/istio/communications-terminated-after-inactivity/validation.yaml +++ b/compliance/validations/istio/communications-terminated-after-inactivity/validation.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + metadata: name: communications-terminated-after-inactivity-PLACEHOLDER uuid: 663f5e92-6db4-4042-8b5a-eba3ebe5a622 diff --git a/compliance/validations/istio/egress-gateway-exists-and-configured/validation.yaml b/compliance/validations/istio/egress-gateway-exists-and-configured/validation.yaml index e0f1dec06..c6d1ec602 100644 --- a/compliance/validations/istio/egress-gateway-exists-and-configured/validation.yaml +++ b/compliance/validations/istio/egress-gateway-exists-and-configured/validation.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + metadata: name: egress-gateway-exists-and-configured-PLACEHOLDER uuid: c3b022eb-19a5-4711-8099-da4a90c9dd5d diff --git a/compliance/validations/istio/enforce-mtls-strict/tests.yaml b/compliance/validations/istio/enforce-mtls-strict/tests.yaml index 011697430..577a8531f 100644 --- a/compliance/validations/istio/enforce-mtls-strict/tests.yaml +++ b/compliance/validations/istio/enforce-mtls-strict/tests.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + pass: - test: default validation: validation.yaml diff --git a/compliance/validations/istio/enforce-mtls-strict/validation.yaml b/compliance/validations/istio/enforce-mtls-strict/validation.yaml index ed2fb4271..47884b6c7 100644 --- a/compliance/validations/istio/enforce-mtls-strict/validation.yaml +++ b/compliance/validations/istio/enforce-mtls-strict/validation.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + metadata: name: enforce-mtls-strict uuid: ca49ac97-487a-446a-a0b7-92b20e2c83cb diff --git a/compliance/validations/istio/external-traffic-managed/validation.yaml b/compliance/validations/istio/external-traffic-managed/validation.yaml index b83dab0b3..e75053697 100644 --- a/compliance/validations/istio/external-traffic-managed/validation.yaml +++ b/compliance/validations/istio/external-traffic-managed/validation.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + metadata: name: external-traffic-managed-PLACEHOLDER uuid: 19faf69a-de74-4b78-a628-64a9f244ae13 diff --git a/compliance/validations/istio/fips-evaluation/validation.yaml b/compliance/validations/istio/fips-evaluation/validation.yaml index 51d9663ee..99381fd03 100644 --- a/compliance/validations/istio/fips-evaluation/validation.yaml +++ b/compliance/validations/istio/fips-evaluation/validation.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + metadata: name: fips-evaluation-PLACEHOLDER uuid: 73434890-2751-4894-b7b2-7e583b4a8977 diff --git a/compliance/validations/istio/gateway-configuration-check/tests.yaml b/compliance/validations/istio/gateway-configuration-check/tests.yaml index ac7eea542..3e99e140d 100644 --- a/compliance/validations/istio/gateway-configuration-check/tests.yaml +++ b/compliance/validations/istio/gateway-configuration-check/tests.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + pass: - test: default validation: validation.yaml diff --git a/compliance/validations/istio/gateway-configuration-check/validation.yaml b/compliance/validations/istio/gateway-configuration-check/validation.yaml index c1be18882..aac991e49 100644 --- a/compliance/validations/istio/gateway-configuration-check/validation.yaml +++ b/compliance/validations/istio/gateway-configuration-check/validation.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + metadata: name: gateway-configuration-check uuid: b0a8f21e-b12f-47ea-a967-2f4a3ec69e44 diff --git a/compliance/validations/istio/healthcheck/tests.yaml b/compliance/validations/istio/healthcheck/tests.yaml index fe5940d0e..a12115ab9 100644 --- a/compliance/validations/istio/healthcheck/tests.yaml +++ b/compliance/validations/istio/healthcheck/tests.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + pass: - test: default validation: validation.yaml diff --git a/compliance/validations/istio/healthcheck/validation.yaml b/compliance/validations/istio/healthcheck/validation.yaml index 9eea7e20f..6712453e1 100644 --- a/compliance/validations/istio/healthcheck/validation.yaml +++ b/compliance/validations/istio/healthcheck/validation.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + metadata: name: istio-health-check uuid: 67456ae8-4505-4c93-b341-d977d90cb125 diff --git a/compliance/validations/istio/ingress-traffic-encrypted/tests.yaml b/compliance/validations/istio/ingress-traffic-encrypted/tests.yaml index ca3b6b747..aff605c07 100644 --- a/compliance/validations/istio/ingress-traffic-encrypted/tests.yaml +++ b/compliance/validations/istio/ingress-traffic-encrypted/tests.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + pass: - test: default validation: validation.yaml diff --git a/compliance/validations/istio/ingress-traffic-encrypted/validation.yaml b/compliance/validations/istio/ingress-traffic-encrypted/validation.yaml index 198125f72..6ad35a610 100644 --- a/compliance/validations/istio/ingress-traffic-encrypted/validation.yaml +++ b/compliance/validations/istio/ingress-traffic-encrypted/validation.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + metadata: name: ingress-traffic-encrypted uuid: fd071676-6b92-4e1c-a4f0-4c8d2bd55aed diff --git a/compliance/validations/istio/metrics-logging-configured/tests.yaml b/compliance/validations/istio/metrics-logging-configured/tests.yaml index 30a2f63e4..165deb586 100644 --- a/compliance/validations/istio/metrics-logging-configured/tests.yaml +++ b/compliance/validations/istio/metrics-logging-configured/tests.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + pass: - test: default validation: validation.yaml diff --git a/compliance/validations/istio/metrics-logging-configured/validation.yaml b/compliance/validations/istio/metrics-logging-configured/validation.yaml index 89df8a9e3..287b1bf3d 100644 --- a/compliance/validations/istio/metrics-logging-configured/validation.yaml +++ b/compliance/validations/istio/metrics-logging-configured/validation.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + metadata: name: istio-metrics-logging-configured uuid: 70d99754-2918-400c-ac9a-319f874fff90 diff --git a/compliance/validations/istio/prometheus-annotations-validation/tests.yaml b/compliance/validations/istio/prometheus-annotations-validation/tests.yaml index 561af468c..a17450e71 100644 --- a/compliance/validations/istio/prometheus-annotations-validation/tests.yaml +++ b/compliance/validations/istio/prometheus-annotations-validation/tests.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + pass: - test: default validation: validation.yaml diff --git a/compliance/validations/istio/prometheus-annotations-validation/validation.yaml b/compliance/validations/istio/prometheus-annotations-validation/validation.yaml index 7ef265e52..1d736e563 100644 --- a/compliance/validations/istio/prometheus-annotations-validation/validation.yaml +++ b/compliance/validations/istio/prometheus-annotations-validation/validation.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + metadata: name: istio-prometheus-annotations-validation uuid: f345c359-3208-46fb-9348-959bd628301e diff --git a/compliance/validations/istio/rbac-enforcement-check/tests.yaml b/compliance/validations/istio/rbac-enforcement-check/tests.yaml index f12f79fae..52e2a0aca 100644 --- a/compliance/validations/istio/rbac-enforcement-check/tests.yaml +++ b/compliance/validations/istio/rbac-enforcement-check/tests.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + pass: - test: default validation: validation.yaml diff --git a/compliance/validations/istio/rbac-enforcement-check/validation.yaml b/compliance/validations/istio/rbac-enforcement-check/validation.yaml index 866ded2ab..105bddb22 100644 --- a/compliance/validations/istio/rbac-enforcement-check/validation.yaml +++ b/compliance/validations/istio/rbac-enforcement-check/validation.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + metadata: name: istio-rbac-enforcement-check uuid: 7b045b2a-106f-4c8c-85d9-ae3d7a8e0e28 diff --git a/compliance/validations/istio/rbac-for-approved-personnel/validation.yaml b/compliance/validations/istio/rbac-for-approved-personnel/validation.yaml index 5c3ee4d90..562a24113 100644 --- a/compliance/validations/istio/rbac-for-approved-personnel/validation.yaml +++ b/compliance/validations/istio/rbac-for-approved-personnel/validation.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + metadata: name: istio-rbac-for-approved-personnel-PLACEHOLDER uuid: 9b361d7b-4e07-40db-8b86-3854ed499a4b diff --git a/compliance/validations/istio/request-authentication-and-auth-policies-configured-DEPRECATED/tests.yaml b/compliance/validations/istio/request-authentication-and-auth-policies-configured-DEPRECATED/tests.yaml index ba762915f..3205dd54e 100644 --- a/compliance/validations/istio/request-authentication-and-auth-policies-configured-DEPRECATED/tests.yaml +++ b/compliance/validations/istio/request-authentication-and-auth-policies-configured-DEPRECATED/tests.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + pass: - test: default validation: validation.yaml diff --git a/compliance/validations/istio/request-authentication-and-auth-policies-configured-DEPRECATED/validation.yaml b/compliance/validations/istio/request-authentication-and-auth-policies-configured-DEPRECATED/validation.yaml index acf733019..2d4994c87 100644 --- a/compliance/validations/istio/request-authentication-and-auth-policies-configured-DEPRECATED/validation.yaml +++ b/compliance/validations/istio/request-authentication-and-auth-policies-configured-DEPRECATED/validation.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + metadata: name: request-authenication-and-auth-policies-configured uuid: 3e217577-930e-4469-a999-1a5704b5cecb diff --git a/compliance/validations/istio/secure-communication-with-istiod/tests.yaml b/compliance/validations/istio/secure-communication-with-istiod/tests.yaml index 2948c4bed..9b952d82d 100644 --- a/compliance/validations/istio/secure-communication-with-istiod/tests.yaml +++ b/compliance/validations/istio/secure-communication-with-istiod/tests.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + pass: - test: default validation: validation.yaml diff --git a/compliance/validations/istio/secure-communication-with-istiod/validation.yaml b/compliance/validations/istio/secure-communication-with-istiod/validation.yaml index dd2360545..a0670ff07 100644 --- a/compliance/validations/istio/secure-communication-with-istiod/validation.yaml +++ b/compliance/validations/istio/secure-communication-with-istiod/validation.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + metadata: name: secure-communication-with-istiod uuid: 570e2dc7-e6c2-4ad5-8ea3-f07974f59747 diff --git a/compliance/validations/istio/tls-origination-at-egress/validation.yaml b/compliance/validations/istio/tls-origination-at-egress/validation.yaml index 65e6d7ca0..79149a6da 100644 --- a/compliance/validations/istio/tls-origination-at-egress/validation.yaml +++ b/compliance/validations/istio/tls-origination-at-egress/validation.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + metadata: name: tls-origination-at-egress-PLACEHOLDER uuid: 8be1601e-5870-4573-ab4f-c1c199944815 diff --git a/compliance/validations/istio/tracing-logging-support/tests.yaml b/compliance/validations/istio/tracing-logging-support/tests.yaml index d3afbb1bd..c661466f0 100644 --- a/compliance/validations/istio/tracing-logging-support/tests.yaml +++ b/compliance/validations/istio/tracing-logging-support/tests.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + pass: - test: default validation: validation.yaml diff --git a/compliance/validations/istio/tracing-logging-support/validation.yaml b/compliance/validations/istio/tracing-logging-support/validation.yaml index 610ea8f30..f06511702 100644 --- a/compliance/validations/istio/tracing-logging-support/validation.yaml +++ b/compliance/validations/istio/tracing-logging-support/validation.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + metadata: name: istio-tracing-logging-support uuid: f346b797-be35-40a8-a93a-585db6fd56ec diff --git a/tasks/lint.yaml b/tasks/lint.yaml index f5702ee1c..ecce5fe3c 100644 --- a/tasks/lint.yaml +++ b/tasks/lint.yaml @@ -31,6 +31,11 @@ tasks: cmd: yamllint . -c .yamllint --no-warnings - description: codespell lint cmd: codespell + - description: Install addlicense dep + # renovate: datasource=github-tags depName=google/addlicense versioning=semver + cmd: GOPATH="$HOME/go" go install github.com/google/addlicense@v1.1.1 + - description: license lint + task: license - name: oscal actions: From 7528f658236a6b7ef71a77d9a34bcf72c0d1ad57 Mon Sep 17 00:00:00 2001 From: Doc A Date: Mon, 23 Sep 2024 15:47:39 +0000 Subject: [PATCH 82/90] Added image workaround for dev-setup, getting started notes --- .vscode/settings.json | 1 + tasks.yaml | 9 +++++++++ 2 files changed, 10 insertions(+) diff --git a/.vscode/settings.json b/.vscode/settings.json index 542e229de..ca840bae4 100644 --- a/.vscode/settings.json +++ b/.vscode/settings.json @@ -48,4 +48,5 @@ "source.organizeImports": "always" } }, + "sarif-viewer.connectToGithubCodeScanning": "off", } diff --git a/tasks.yaml b/tasks.yaml index 8484b01cf..7deda3caa 100644 --- a/tasks.yaml +++ b/tasks.yaml @@ -25,6 +25,11 @@ tasks: actions: - description: "Create the dev cluster" task: setup:create-k3d-cluster + + # Workaround for https://github.com/zarf-dev/zarf/issues/2713 + - description: "Modify Istio values w/ upstream registry" + cmd: "uds zarf tools yq -i '.global.proxy_init.image |= sub(\"###ZARF_REGISTRY###\", \"docker.io\") | .global.proxy.image |= sub(\"###ZARF_REGISTRY###\", \"docker.io\")' src/istio/values/upstream-values.yaml" + # cmd: "sed -i '4,$s/###ZARF_REGISTRY###/docker.io/g' src/istio/values/upstream-values.yaml" <<<<<<< HEAD # Workaround for https://github.com/zarf-dev/zarf/issues/2713 @@ -40,6 +45,10 @@ tasks: - description: "Restore Istio registry values" cmd: "uds zarf tools yq -i '.global.proxy_init.image |= sub(\"docker.io\", \"###ZARF_REGISTRY###\") | .global.proxy.image |= sub(\"docker.io\", \"###ZARF_REGISTRY###\")' src/istio/values/upstream-values.yaml" +<<<<<<< HEAD +======= + #cmd: "sed -i '4,$s/docker.io/###ZARF_REGISTRY###/g' src/istio/values/upstream-values.yaml" +>>>>>>> 550aac5 (Added image workaround for dev-setup, getting started notes) # Note, this abuses the --flavor flag to only install the CRDs from this package - the "crds-only" flavor is not an explicit flavor of the package - description: "Deploy the Prometheus-Stack source package with Zarf Dev to only install the CRDs" From cdb775676a7b5208d8e0ad12e2e2bc1b24f746fe Mon Sep 17 00:00:00 2001 From: Doc A Date: Mon, 23 Sep 2024 23:02:26 +0000 Subject: [PATCH 83/90] Started on secret watch/mutator --- src/pepr/operator/index.ts | 6 ++ src/pepr/operator/secrets.ts | 107 +++++++++++++++++++++++++++++++++++ tasks.yaml | 2 +- 3 files changed, 114 insertions(+), 1 deletion(-) diff --git a/src/pepr/operator/index.ts b/src/pepr/operator/index.ts index b84c43d0c..9fc520f59 100644 --- a/src/pepr/operator/index.ts +++ b/src/pepr/operator/index.ts @@ -100,3 +100,9 @@ When(UDSPackage) log.info("Identity and Authorization layer removed, operator will NOT handle SSO."); UDSConfig.isIdentityDeployed = false; }); + +// Watch for secrets w/ the UDS secret label and copy as necessary +When(a.Secret) + .IsCreatedOrUpdated() + .WithLabel(labelCopySecret) + .Mutate(request => copySecret(request)); diff --git a/src/pepr/operator/secrets.ts b/src/pepr/operator/secrets.ts index 20af90e83..4056cd564 100644 --- a/src/pepr/operator/secrets.ts +++ b/src/pepr/operator/secrets.ts @@ -1,5 +1,6 @@ import { a, K8s, kind, Log, PeprMutateRequest } from "pepr"; +<<<<<<< HEAD export const labelCopySecret = "secrets.uds.dev/copy"; const annotationFromNS = "secrets.uds.dev/fromNamespace"; @@ -9,12 +10,24 @@ const annotationOnFailure = "secrets.uds.dev/onMissingSource"; /** * Enum for handling what to do when the source secret is missing * +======= +export const labelCopySecret = "uds.dev/secrets/copy"; + +const annotationFromNS = "uds.dev/secrets/fromNamespace"; +const annotationFromName = "uds.dev/secrets/fromName"; +const annotationOnFailure = "uds.dev/secrets/onMissingSource"; + +/** + * Enum for handling what to do when the source secret is missing + * +>>>>>>> 2f808c1 (Started on secret watch/mutator) * This can be one of the following: * - Ignore: Do nothing * - Error: Log an error and return * - LeaveEmpty: Create the destination secret with no data */ enum OnFailure { +<<<<<<< HEAD IGNORE, ERROR, LEAVEEMPTY, @@ -35,30 +48,48 @@ function filterLabels(labels: Record, keysToRemove: string[]) { } return filteredLabels; +======= + IGNORE, + ERROR, + LEAVEEMPTY, +>>>>>>> 2f808c1 (Started on secret watch/mutator) } /** * Copy a secret from one namespace to another +<<<<<<< HEAD * +======= + * +>>>>>>> 2f808c1 (Started on secret watch/mutator) * @remarks * This function is a PeprMutateRequest handler that copies a secret from one * namespace to another. It looks for a set of annotations on this _destination_ * secret, with the source namespace and name from which to copy the secret * data. +<<<<<<< HEAD * +======= + * +>>>>>>> 2f808c1 (Started on secret watch/mutator) * If the source secret does not exist, the behavior is determined by the * `uds.dev/secrets/onMissingSource` annotation. If this annotation is not * present, the default behavior is "Error", which will log an error and return * without creating a destination secret. Other options are "Ignore" which will * silently do nothing, and "LeaveEmpty" which will create the destination * secret with desired name in the desired namespace, but with no data. +<<<<<<< HEAD * +======= + * +>>>>>>> 2f808c1 (Started on secret watch/mutator) * @param request The PeprMutateRequest on a Secret. This should have been * triggered by a secret with the appropriate label. * @returns void * **/ export async function copySecret(request: PeprMutateRequest) { +<<<<<<< HEAD const annotations = request.Raw.metadata?.annotations; if (!annotations) { @@ -139,3 +170,79 @@ export async function copySecret(request: PeprMutateRequest) { Log.error("Error copying secret %s from %s to %s: %s", fromName, fromNS, toNS, error); } } +======= + const annotations = request.Raw.metadata?.annotations; + + if (!annotations) { + Log.error("No annotations present for secret copy %s", request.Raw.metadata?.name); + return; + } + + const fromNS = annotations[annotationFromNS]; + const fromName = annotations[annotationFromName]; + const toNS = request.Raw.metadata?.namespace; + const toName = request.Raw.metadata?.name; + + let failBehavior: OnFailure; + + switch(annotations[annotationOnFailure]) { + case "Ignore": + failBehavior = OnFailure.IGNORE; + break; + case "LeaveEmpty": + failBehavior = OnFailure.LEAVEEMPTY; + break; + case "Error": + default: + failBehavior = OnFailure.ERROR; + break; + } + + if (!fromNS || !fromName || !toNS || !toName) { + Log.error("Missing required annotations for secret copy %s", request.Raw.metadata?.name); + } + + Log.info("Attempting to copy secret %s from namespace %s to %s", fromName, fromNS, toNS); + + try { + const sourceSecret = await K8s(kind.Secret).InNamespace(fromNS).Get(fromName); + + if (!sourceSecret) { + // if the source secret does not exist, handle according to the failure behavior + switch(failBehavior) { + case OnFailure.IGNORE: + return; + case OnFailure.LEAVEEMPTY: + // Create an empty secret in the destination namespace + await K8s(kind.Secret).Apply({ + apiVersion: "v1", + kind: "Secret", + metadata: { + namespace: toNS, + name: toName, + }, + }); + return; + case OnFailure.ERROR: + Log.error("Source secret %s not found in namespace %s", fromName, fromNS); + return; + } + } else { + // fill in destination secret with source data + await K8s(kind.Secret).Apply({ + apiVersion: "v1", + kind: "Secret", + metadata: { + namespace: toNS, + name: toName, + }, + data: sourceSecret.data, + }); + } + + } catch (error) { + Log.error("Error copying secret %s from %s to %s: %s", fromName, fromNS, toNS, error); + } +}; + +>>>>>>> 2f808c1 (Started on secret watch/mutator) diff --git a/tasks.yaml b/tasks.yaml index 7deda3caa..44d0a5669 100644 --- a/tasks.yaml +++ b/tasks.yaml @@ -25,7 +25,7 @@ tasks: actions: - description: "Create the dev cluster" task: setup:create-k3d-cluster - + # Workaround for https://github.com/zarf-dev/zarf/issues/2713 - description: "Modify Istio values w/ upstream registry" cmd: "uds zarf tools yq -i '.global.proxy_init.image |= sub(\"###ZARF_REGISTRY###\", \"docker.io\") | .global.proxy.image |= sub(\"###ZARF_REGISTRY###\", \"docker.io\")' src/istio/values/upstream-values.yaml" From 6417ee8af337cfbb87e3858e2923bd9de15f8ea6 Mon Sep 17 00:00:00 2001 From: Doc A Date: Mon, 23 Sep 2024 23:05:36 +0000 Subject: [PATCH 84/90] get rid of sed experiment --- tasks.yaml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/tasks.yaml b/tasks.yaml index 44d0a5669..9ac39253d 100644 --- a/tasks.yaml +++ b/tasks.yaml @@ -29,7 +29,6 @@ tasks: # Workaround for https://github.com/zarf-dev/zarf/issues/2713 - description: "Modify Istio values w/ upstream registry" cmd: "uds zarf tools yq -i '.global.proxy_init.image |= sub(\"###ZARF_REGISTRY###\", \"docker.io\") | .global.proxy.image |= sub(\"###ZARF_REGISTRY###\", \"docker.io\")' src/istio/values/upstream-values.yaml" - # cmd: "sed -i '4,$s/###ZARF_REGISTRY###/docker.io/g' src/istio/values/upstream-values.yaml" <<<<<<< HEAD # Workaround for https://github.com/zarf-dev/zarf/issues/2713 @@ -46,9 +45,12 @@ tasks: - description: "Restore Istio registry values" cmd: "uds zarf tools yq -i '.global.proxy_init.image |= sub(\"docker.io\", \"###ZARF_REGISTRY###\") | .global.proxy.image |= sub(\"docker.io\", \"###ZARF_REGISTRY###\")' src/istio/values/upstream-values.yaml" <<<<<<< HEAD +<<<<<<< HEAD ======= #cmd: "sed -i '4,$s/docker.io/###ZARF_REGISTRY###/g' src/istio/values/upstream-values.yaml" >>>>>>> 550aac5 (Added image workaround for dev-setup, getting started notes) +======= +>>>>>>> de87646 (get rid of sed experiment) # Note, this abuses the --flavor flag to only install the CRDs from this package - the "crds-only" flavor is not an explicit flavor of the package - description: "Deploy the Prometheus-Stack source package with Zarf Dev to only install the CRDs" From 1d95470682696e74a1debee7e87d8d728f0f3eeb Mon Sep 17 00:00:00 2001 From: Chance <139784371+UnicornChance@users.noreply.github.com> Date: Tue, 24 Sep 2024 09:31:40 -0600 Subject: [PATCH 85/90] chore: pepr policy doc (#814) update pepr policy docs - [ ] Bug fix (non-breaking change which fixes an issue) - [ ] New feature (non-breaking change which adds functionality) - [x] Other (security config, docs update, etc) - [x] Test, docs, adr added or updated as needed - [x] [Contributor Guide](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md) followed --------- Co-authored-by: Micah Nagel --- docs/configuration/pepr-policies.md | 54 +++++++++++++++++++++++++++++ 1 file changed, 54 insertions(+) create mode 100644 docs/configuration/pepr-policies.md diff --git a/docs/configuration/pepr-policies.md b/docs/configuration/pepr-policies.md new file mode 100644 index 000000000..96e127e04 --- /dev/null +++ b/docs/configuration/pepr-policies.md @@ -0,0 +1,54 @@ +--- +title: Pepr Policies +type: docs +weight: 3 +--- + +## Common Pepr Policies for UDS Core + +### Pepr Policy Exemptions {#pepr-policy-exemptions} +These policies are based on the [Big Bang](https://p1.dso.mil/services/big-bang) policies created with Kyverno. You can find the source policies [here](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies), Policy Names below also have links to the referenced Big Bang policy. + +Exemptions can be specified by a [UDS Exemption CR](../operator/README.md). These take the place of Kyverno Exceptions. + +If a resource is exempted, it will be annotated as `uds-core.pepr.dev/uds-core-policies.: exempted` + +### Pepr Policy Mutations + +{{% alert-note %}} +Mutations can be exempted using the same [Pepr Policy Exemptions](#pepr-policy-exemptions) references as the validations. +{{% /alert-note %}} + +| Pepr MutationπŸ”— | Mutated Fields | Mutation Logic | +| --------------- | -------------- | -------------- | +| [Disallow Privilege Escalation](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/security.ts#L14-L75) | `containers[].securityContext.allowPrivilegeEscalation` | Mutates `allowPrivilegeEscalation` to `false` if undefined, unless the container is privileged or `CAP_SYS_ADMIN` is added. | +| [Require Non-root User](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/security.ts#L77-L167) | `securityContext.runAsUser`,
`securityContext.runAsGroup`,
`securityContext.fsGroup`,
`securityContext.runAsNonRoot` | Pods are mutated to ensure workloads do not run as root, mutating `runAsNonRoot: true`. Users can define user, group, and fsGroup IDs to run the pod as by using the `uds/user`, `uds/group`, `uds/fsgroup` pod labels. If not provided these default to `runAsUser: 1000` and `runAsGroup: 1000`. | +| [Drop All Capabilities](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/security.ts#L329-L376) | `containers[].securityContext.capabilities.drop` | Ensures all capabilities are dropped by setting `capabilities.drop` to `["ALL"]` for all containers. | + +### Pepr Policy Validations + +| Policy NameπŸ”— | Exemption ReferenceπŸ”— | Policy Description | +| ------------- | :-------------------: | ------------------ | +| [Disallow Host Namespaces](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/disallow-host-namespaces.yaml) | [`DisallowHostNamespaces`](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/networking.ts#L7-L35) | Implemented: βœ…
Subject: **Pod**
Severity: **high**

Host namespaces (Process ID namespace, Inter-Process Communication namespace, and network namespace) allow access to shared information and can be used to elevate privileges. Pods should not be allowed access to host namespaces. This policy ensures fields which make use of these host namespaces are set to `false`. | +|[Disallow NodePort Services](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/disallow-nodeport-services.yaml) | [`DisallowNodePortServices`](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/networking.ts#L88-L110) | Implemented: βœ…
Subject: **Service**
Severity: **medium**

A Kubernetes Service of type NodePort uses a host port to receive traffic from any source. A NetworkPolicy cannot be used to control traffic to host ports. Although NodePort Services can be useful, their use must be limited to Services with additional upstream security checks. This policy validates that any new Services do not use the `NodePort` type. | +|Disallow Privileged [Escalation](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/disallow-privilege-escalation.yaml) and [Pods](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/disallow-privileged-containers.yaml) | [`DisallowPrivileged`](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/security.ts#L14-L75) | Implemented: βœ…
Subject: **Pod**
Severity: **high**

Privilege escalation, such as via set-user-ID or set-group-ID file mode, should not be allowed. Privileged mode also disables most security mechanisms and must not be allowed. This policy ensures the `allowPrivilegeEscalation` field is set to false and `privileged` is set to false or undefined. | +|[Disallow SELinux Options](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/disallow-selinux-options.yaml) | [`DisallowSELinuxOptions`](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/security.ts#L244-L285) | Implemented: βœ…
Subject: **Pod**
Severity: **high**

SELinux options can be used to escalate privileges. This policy ensures that the `seLinuxOptions` specified are not used. | +|[Drop All Capabilities](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/require-drop-all-capabilities.yaml) | [`DropAllCapabilities`](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/security.ts#L329-L376) | Implemented: βœ…
Subject: **Pod**
Severity: **medium**

Capabilities permit privileged actions without giving full root access. All capabilities should be dropped from a Pod, with only those required added back. This policy ensures that all containers explicitly specify `drop: ["ALL"]`. | +|[Require Non-root User](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/require-non-root-user.yaml) | [`RequireNonRootUser`](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/security.ts#L77-L167) | Implemented: βœ…
Subject: **Pod**
Severity: **high**

Following the least privilege principle, containers should not be run as root. This policy ensures containers either have `runAsNonRoot` set to `true` or `runAsUser` > 0. | +|[Restrict Capabilities](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/restrict-capabilities.yaml) | [`RestrictCapabilities`](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/security.ts#L378-L413) | Implemented: βœ…
Subject: **Pod**
Severity: **high**

Capabilities permit privileged actions without giving full root access. Adding capabilities beyond the default set must not be allowed. This policy ensures users cannot add additional capabilities beyond the allowed list to a Pod. | +|[Restrict External Names (CVE-2020-8554)](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/restrict-external-names.yaml) | [`RestrictExternalNames`](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/networking.ts#L67-L86) | Implemented: βœ…
Subject: **Service**
Severity: **medium**

Service external names can be used for a MITM attack (CVE-2020-8554). External names can be used by an attacker to point back to localhost or internal IP addresses for exploitation. This policy restricts services using external names to a specified list. | +|[Restrict hostPath Volume Writable Paths](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/restrict-host-path-write.yaml) | [`RestrictHostPathWrite`](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/storage.ts#L54-L92) | Implemented: βœ…
Subject: **Pod**
Severity: **medium**

hostPath volumes consume the underlying node's file system. If hostPath volumes are not universally disabled, they should be required to be read-only. Pods which are allowed to mount hostPath volumes in read/write mode pose a security risk even if confined to a "safe" file system on the host and may escape those confines. This policy checks containers for hostPath volumes and validates they are explicitly mounted in readOnly mode. | +|[Restrict Host Ports](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/restrict-host-ports.yaml) | [`RestrictHostPorts`](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/networking.ts#L37-L65) | Implemented: βœ…
Subject: **Pod**
Severity: **high**

Access to host ports allows potential snooping of network traffic and should not be allowed, or at minimum restricted to a known list. This policy ensures only approved ports are defined in container's `hostPort` field. | +|[Restrict Proc Mount](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/restrict-proc-mount.yaml) | [`RestrictProcMount`](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/security.ts#L169-L198) | Implemented: βœ…
Subject: **Pod**
Severity: **high**

The default /proc masks are set up to reduce the attack surface. This policy ensures nothing but the specified procMount can be used. By default only "Default" is allowed. | +|[Restrict Seccomp](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/restrict-seccomp.yaml) | [`RestrictSeccomp`](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/security.ts#L200-L242) | Implemented: βœ…
Subject: **Pod**
Severity: **high**

The SecComp profile should not be explicitly set to Unconfined. This policy, requiring Kubernetes v1.19 or later, ensures that the `seccompProfile.Type` is undefined or restricted to the values in the allowed list. By default, this is `RuntimeDefault` or `Localhost`. | +|[Restrict SELinux Type](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/restrict-selinux-type.yaml) | [`RestrictSELinuxType`](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/security.ts#L287-L327) | Implemented: βœ…
Subject: **Pod**
Severity: **high**

SELinux options can be used to escalate privileges. This policy ensures that the `seLinuxOptions` type field is undefined or restricted to the allowed list. | +|[Restrict Volume Types](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/restrict-volume-types.yaml) | [`RestrictVolumeTypes`](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/storage.ts#L7-L52) | Implemented: βœ…
Subject: **Pod**
Severity: **medium**

Volume types, beyond the core set, should be restricted to limit exposure to potential vulnerabilities in Container Storage Interface (CSI) drivers. In addition, HostPath volumes should not be. | +|[Restrict Sysctls](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/restrict-sysctls.yaml) | Not Implemented | Implemented: ❌
Subject: **Pod**
Severity: **high**

Sysctl can disable security mechanisms or affect all containers on a host, and should be restricted to an allowed "safe" subset. A sysctl is considered safe if it is namespaced and is isolated from other Pods and processes on the same Node. This policy ensures that all sysctls are in the allowed list. +|[Restrict Image Registries](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/restrict-image-registries.yaml) | Not Implemented | Implemented: ❌
Subject: **Pod**
Severity: **high**

Images from unknown, public registries can be of dubious quality and may not be scanned and secured, representing a high degree of risk. Requiring use of known, approved registries helps reduce threat exposure by ensuring image pulls only come from them. This policy validates that all images originate from a registry in the approved list.| +|[Restrict hostPath Volume Mountable Paths](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/restrict-host-path-mount-pv.yaml) | Not Implemented | Implemented: ❌
Subject: **PersistentVolume**
Severity: **medium**

PersistentVolume using hostPath consume the underlying node's file system. If not universally disabled, they should be restricted to specific host paths to prevent access to sensitive information. This policy ensures that PV hostPath is in the allowed list. | +|[Restrict hostPath Volume Mountable Paths](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/restrict-host-path-mount.yaml) | Not Implemented | Implemented: ❌
Subject: **Pod**
Severity: **medium**

hostPath volumes consume the underlying node's file system. If hostPath volumes are not universally disabled, they should be restricted to specific host paths to prevent access to sensitive information. This policy ensures that hostPath volume paths are in the allowed list. | +|[Restrict External IPs (CVE-2020-8554)](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/restrict-external-ips.yaml) | Not Implemented | Implemented: ❌
Subject: **Service**
Severity: **medium**

Service externalIPs can be used for a MITM attack (CVE-2020-8554). This policy restricts externalIPs to a specified list. | +|[Restrict AppArmor Profile](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/restrict-apparmor.yaml) | Not Implemented | Implemented: ❌
Subject: **Pod**
Severity: **high**

On hosts using Debian Linux distros, AppArmor is used as an access control framework. AppArmor uses the 'runtime/default' profile by default. This policy ensures Pods do not override the AppArmor profile with values outside of the allowed list. | +|[Require Image Signature](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/require-image-signature.yaml) | Not Implemented | Implemented: ❌
Subject: **Pod**
Severity: **high**

Using the Cosign project, OCI images may be signed to ensure supply chain security is maintained. Those signatures can be verified before pulling into a cluster. This policy checks the signature to ensure it has been signed by verifying its signature against the public key. | +|[Require Non-root Group](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/require-non-root-group.yaml) | Not Implemented | Implemented: ❌
Subject: **Pod**
Severity: **high**

Following the least privilege principle, access to the root group ID should be forbidden in containers. This policy ensures containers are running with groups > 0. | +|[Disallow AutoMount Service Account Tokens](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/disallow-auto-mount-service-account-token.yaml) | Not Implemented | Implemented: ❌
Subject: **Pod, ServiceAccount**
Severity: **high**

Auto-mounting of Kubernetes API credentials is not ideal in all circumstances. This policy finds Pods and Service Accounts that automount kubernetes api credentials. | From fad63846a9cd36d6b0f8b0a01892218e62337147 Mon Sep 17 00:00:00 2001 From: Micah Nagel Date: Tue, 24 Sep 2024 15:52:14 -0600 Subject: [PATCH 86/90] fix: eks iac issues, document storage class pre-reqs (#812) EBS impose a 1Gi size limitation on restored PVCs. This adds a short note to pre-reqs about checking CSI limitations. While testing with our EKS IAC I also discovered a few other issues: - IRSA annotations were not correct - Config did not properly variablize region - Config had an unmatched `"` around one of the values - Gitignore did not exclude terraform/tfstate files that shouldn't be committed Fixes https://github.com/defenseunicorns/uds-core/issues/718 - [x] Bug fix (non-breaking change which fixes an issue) - [ ] New feature (non-breaking change which adds functionality) - [ ] Other (security config, docs update, etc) - [x] Test, docs, adr added or updated as needed - [x] [Contributor Guide](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md) followed --- .github/bundles/rke2/uds-bundle.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/bundles/rke2/uds-bundle.yaml b/.github/bundles/rke2/uds-bundle.yaml index 1e2d1e214..8298a0dc6 100644 --- a/.github/bundles/rke2/uds-bundle.yaml +++ b/.github/bundles/rke2/uds-bundle.yaml @@ -51,7 +51,7 @@ packages: path: credentials.useSecret - name: VELERO_IRSA_ROLE_ARN description: "IRSA ARN annotation to use for Velero" - path: serviceAccount.server.annotations.irsa/role-arn + path: serviceAccount.server.annotations.eks\.amazonaws\.com/role-arn loki: loki: values: @@ -78,4 +78,4 @@ packages: path: loki.storage.s3.region - name: LOKI_IRSA_ROLE_ARN description: "The irsa role annotation" - path: serviceAccount.annotations.irsa/role-arn + path: serviceAccount.annotations.eks\.amazonaws\.com/role-arn From 3062e1e53ea401438e07a767c05b0ba7333979f0 Mon Sep 17 00:00:00 2001 From: Micah Nagel Date: Wed, 25 Sep 2024 12:58:42 -0600 Subject: [PATCH 87/90] feat!: switch from promtail to vector (#724) BREAKING CHANGE: Noting this as a breaking change as Promtail is removed and replaced by Vector. If using overrides to setup additional log targets/endpoints this configuration will need to be updated to Vector's chart/config formats. Primary docs on rationale, decision, and impact of this switch are [here](https://github.com/defenseunicorns/uds-core/blob/vector-add/src/vector/README.md). Fixes https://github.com/defenseunicorns/uds-core/issues/377 - [ ] Bug fix (non-breaking change which fixes an issue) - [x] New feature (non-breaking change which adds functionality) - [ ] Other (security config, docs update, etc) - [x] Test, docs, adr added or updated as needed - [x] [Contributor Guide](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md) followed --- .github/filters.yaml | 32 + docs/application-baseline.md | 26 + packages/standard/zarf.yaml | 4 + src/istio/oscal-component.yaml | 985 ++++++++++++++++++ src/pepr/zarf.yaml | 23 + src/vector/chart/templates/uds-exemption.yaml | 3 + src/vector/chart/templates/uds-package.yaml | 3 + src/vector/chart/values.yaml | 3 + src/vector/common/zarf.yaml | 3 + src/vector/tasks.yaml | 3 + src/vector/values/registry1-values.yaml | 3 + src/vector/values/unicorn-values.yaml | 3 + src/vector/values/upstream-values.yaml | 3 + src/vector/values/values.yaml | 3 + src/vector/zarf.yaml | 3 + 15 files changed, 1100 insertions(+) create mode 100644 docs/application-baseline.md diff --git a/.github/filters.yaml b/.github/filters.yaml index 8ffee6f5b..a047ff952 100644 --- a/.github/filters.yaml +++ b/.github/filters.yaml @@ -38,4 +38,36 @@ metrics-server: monitoring: - "packages/monitoring/**" - "src/prometheus-stack/**" +<<<<<<< HEAD - "src/grafana/**" +======= + - "!**/*.md" + - "!**/*.jpg" + - "!**/*.png" + - "!**/*.gif" + - "!**/*.svg" + +vector: + - "src/vector/**" + - "!**/*.md" + - "!**/*.jpg" + - "!**/*.png" + - "!**/*.gif" + - "!**/*.svg" + +tempo: + - "src/tempo/**" + - "!**/*.md" + - "!**/*.jpg" + - "!**/*.png" + - "!**/*.gif" + - "!**/*.svg" + +velero: + - "src/velero/**" + - "!**/*.md" + - "!**/*.jpg" + - "!**/*.png" + - "!**/*.gif" + - "!**/*.svg" +>>>>>>> 2f6ed02 (feat!: switch from promtail to vector (#724)) diff --git a/docs/application-baseline.md b/docs/application-baseline.md new file mode 100644 index 000000000..7eec1c580 --- /dev/null +++ b/docs/application-baseline.md @@ -0,0 +1,26 @@ +--- +title: Application Baseline +type: docs +weight: 1 +--- + +UDS Core provides a foundational set of applications that form the backbone of a secure and efficient mission environment. Each application addresses critical aspects of microservices communication, monitoring, logging, security, compliance, and data protection. These applications are essential for establishing a reliable runtime environment and ensuring that mission-critical applications operate seamlessly. + +By leveraging these applications within UDS Core, users can confidently deploy and operate source packages that meet stringent security and performance standards. UDS Core provides the applications and flexibility required to achieve diverse mission objectives, whether in cloud, on-premises, or edge environments. UDS source packages cater to the specific needs of Mission Heroes and their mission-critical operations. Below are some of the key applications offered by UDS Core: + +{{% alert-note %}} +For optimal deployment and operational efficiency, it is important to deliver a UDS Core Bundle before deploying any other optional bundle (UDS or Mission). Failure to meet this prerequisite can alter the complexity of the deployment process. To ensure a seamless experience and to leverage the full potential of UDS capabilities, prioritize the deployment of UDS Core as the foundational step. +{{% /alert-note %}} + +## Core Baseline + +| **Capability** | **Application** | +| ---------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| **Service Mesh** | **[Istio](https://istio.io/):** A powerful service mesh that provides traffic management, load balancing, security, and observability features. | +| **Monitoring** | **[Metrics Server](https://kubernetes-sigs.github.io/metrics-server/):** Provides container resource utilization metrics API for Kubernetes clusters. Metrics server is an optional (non-default) component since most Kubernetes distros provide it by default.

**[Prometheus](https://prometheus.io/):** Scrapes Metrics Server API and application metrics and stores the data in a time-series database for insights into application health and performance.

**[Grafana](https://grafana.com/grafana/):** Provides visualization and alerting capabilities based on Prometheus's time-series database of metrics. | +| **Logging** | **[Vector](https://vector.dev/):** A companion agent that efficiently gathers and sends container logs to Loki and other storage locations (S3, SIEM tools, etc), simplifying log monitoring, troubleshooting, and compliance auditing, enhancing the overall observability of the mission environment.

**[Loki](https://grafana.com/docs/loki/latest/):** A log aggregation system that allows users to store, search, and analyze logs across their applications. | +| **Security and Compliance** | **[NeuVector](https://open-docs.neuvector.com/):** Offers container-native security, protecting applications against threats and vulnerabilities.

**[Pepr](https://pepr.dev/):** UDS policy engine and operator for enhanced security and compliance.| +| **Identity and Access Management** | **[Keycloak](https://www.keycloak.org/):** A robust open-source Identity and Access Management solution, providing centralized authentication, authorization, and user management for enhanced security and control over access to mission-critical resources.| +| **Backup and Restore** | **[Velero](https://velero.io/):** Provides backup and restore capabilities for Kubernetes clusters, ensuring data protection and disaster recovery.| +| **Authorization** | **[AuthService](https://github.com/istio-ecosystem/authservice):** Offers centralized authorization services, managing access control and permissions within the Istio mesh. AuthService plays a supporting role to Keycloak as it handles part of the OIDC redirect flow.| +| **Frontend Views & Insights** | **[UDS Runtime](https://github.com/defenseunicorns/uds-runtime)**: UDS Runtime is an optional component in Core that provides the frontend for all things UDS, providing views and insights into your UDS cluster. | diff --git a/packages/standard/zarf.yaml b/packages/standard/zarf.yaml index fc79236de..a1f2cb03e 100644 --- a/packages/standard/zarf.yaml +++ b/packages/standard/zarf.yaml @@ -83,7 +83,11 @@ components: - name: vector required: true import: +<<<<<<< HEAD path: ../logging +======= + path: ../../src/vector +>>>>>>> 2f6ed02 (feat!: switch from promtail to vector (#724)) # Grafana - name: grafana diff --git a/src/istio/oscal-component.yaml b/src/istio/oscal-component.yaml index 8cb61f754..78f2e91ec 100644 --- a/src/istio/oscal-component.yaml +++ b/src/istio/oscal-component.yaml @@ -2,6 +2,991 @@ # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial component-definition: +<<<<<<< HEAD +======= + back-matter: + resources: + - rlinks: + - href: https://github.com/istio/istio/ + title: Istio Operator + uuid: 60826461-D279-468C-9E4B-614FAC44A306 + - description: | + domain: + kubernetes-spec: + create-resources: null + resources: + - description: "" + name: istioMeshConfig + resource-rule: + field: + base64: false + jsonpath: .data.mesh + type: yaml + group: "" + name: istio + namespaces: + - istio-system + resource: configmaps + version: v1 + type: kubernetes + lula-version: "" + metadata: + name: check-istio-logging-all-traffic + uuid: 90738c86-6315-450a-ac69-cc50eb4859cc + provider: + opa-spec: + output: + observations: + - validate.msg + validation: validate.validate + rego: | + package validate + + # Default policy result + default validate = false + default msg = "Logging not enabled or configured" + + # Check if Istio's Mesh Configuration has logging enabled + validate { + logging_enabled.result + } + + msg = logging_enabled.msg + + logging_enabled = {"result": true, "msg": msg} { + # Check for access log file output to stdout + input.istioMeshConfig.accessLogFile == "/dev/stdout" + msg := "Istio is logging all traffic" + } else = {"result": false, "msg": msg} { + msg := "Istio is not logging all traffic" + } + type: opa + title: check-istio-logging-all-traffic + uuid: 90738c86-6315-450a-ac69-cc50eb4859cc + - description: | + domain: + kubernetes-spec: + create-resources: null + resources: + - description: "" + name: pods + resource-rule: + group: "" + name: "" + namespaces: [] + resource: pods + version: v1 + type: kubernetes + lula-version: "" + metadata: + name: istio-prometheus-annotations-validation + uuid: f345c359-3208-46fb-9348-959bd628301e + provider: + opa-spec: + output: + observations: + - validate.msg + - validate.exempt_namespaces_msg + validation: validate.validate + rego: | + package validate + import future.keywords.in + + # Default policy result + default validate = false + default msg = "Not evaluated" + + # Check for required Istio and Prometheus annotations + validate { + has_prometheus_annotation.result + } + msg = has_prometheus_annotation.msg + + # Check for prometheus annotations in pod spec + no_annotation = [sprintf("%s/%s", [pod.metadata.namespace, pod.metadata.name]) | pod := input.pods[_]; not contains_annotation(pod); not is_exempt(pod)] + + has_prometheus_annotation = {"result": true, "msg": msg} { + count(no_annotation) == 0 + msg := "All pods have correct prometheus annotations." + } else = {"result": false, "msg": msg} { + msg := sprintf("Prometheus annotations not found in pods: %s.", [concat(", ", no_annotation)]) + } + + contains_annotation(pod) { + annotations := pod.metadata.annotations + annotations["prometheus.io/scrape"] == "true" + annotations["prometheus.io/path"] != "" + annotations["prometheus.io/port"] == "15020" + } + + # Exemptions + exempt_namespaces = {"kube-system", "istio-system", "uds-dev-stack", "zarf"} + exempt_namespaces_msg = sprintf("Exempted Namespaces: %s", [concat(", ", exempt_namespaces)]) + is_exempt(pod) { + pod.metadata.namespace in exempt_namespaces + } + type: opa + title: istio-prometheus-annotations-validation + uuid: f345c359-3208-46fb-9348-959bd628301e + - description: | + domain: + kubernetes-spec: + create-resources: null + resources: + - description: "" + name: pods + resource-rule: + group: "" + name: "" + namespaces: [] + resource: pods + version: v1 + type: kubernetes + lula-version: "" + metadata: + name: all-pods-istio-injected + uuid: 1761ac07-80dd-47d2-947e-09f67943b986 + provider: + opa-spec: + output: + observations: + - validate.msg + - validate.exempt_namespaces_msg + validation: validate.validate + rego: | + package validate + import rego.v1 + + # Default policy result + default validate := false + default msg := "Not evaluated" + + exempt_namespaces := {"kube-system", "istio-system", "uds-dev-stack", "zarf", "istio-admin-gateway", "istio-tenant-gateway", "istio-passthrough-gateway"} + exempt_namespaces_msg = sprintf("Exempted Namespaces: %s", [concat(", ", exempt_namespaces)]) + + validate if { + has_istio_sidecar.result + } + msg = has_istio_sidecar.msg + + # Check for sidecar and init containers in pod spec + no_sidecar = [sprintf("%s/%s", [pod.metadata.namespace, pod.metadata.name]) | pod := input.pods[_]; not has_sidecar(pod); not is_exempt(pod)] + + has_istio_sidecar = {"result": true, "msg": msg} if { + count(no_sidecar) == 0 + msg := "All pods have Istio sidecar proxy." + } else = {"result": false, "msg": msg} if { + msg := sprintf("Istio sidecar proxy not found in pods: %s.", [concat(", ", no_sidecar)]) + } + + has_sidecar(pod) if { + status := pod.metadata.annotations["sidecar.istio.io/status"] + containers := json.unmarshal(status).containers + initContainers := json.unmarshal(status).initContainers + + has_container_name(pod.spec.containers, containers) + has_container_name(pod.spec.initContainers, initContainers) + } else = false + + has_container_name(containers, names) if { + container := containers[_] + container.name in names + } + + is_exempt(pod) if { + pod.metadata.namespace in exempt_namespaces + } + type: opa + title: all-pods-istio-injected + uuid: 1761ac07-80dd-47d2-947e-09f67943b986 + - description: | + domain: + kubernetes-spec: + create-resources: null + resources: + - description: "" + name: adminGateway + resource-rule: + group: networking.istio.io + name: admin-gateway + namespaces: + - istio-admin-gateway + resource: gateways + version: v1beta1 + - description: "" + name: virtualServices + resource-rule: + group: networking.istio.io + name: "" + namespaces: [] + resource: virtualservices + version: v1beta1 + type: kubernetes + lula-version: "" + metadata: + name: check-istio-admin-gateway-and-usage + uuid: c6c9daf1-4196-406d-8679-312c0512ab2e + provider: + opa-spec: + output: + observations: + - validate.msg + validation: validate.validate + rego: | + package validate + + # Expected admin gateway details + expected_gateway := "admin-gateway" + expected_gateway_namespace := "istio-admin-gateway" + expected_ns_name := sprintf("%s/%s", [expected_gateway_namespace, expected_gateway]) + + # Default policy result + default validate = false + default admin_gw_exists = false + default admin_vs_match = false + default msg = "Not evaluated" + + validate { + result_admin_gw_exixts.result + result_admin_vs_match.result + } + + msg = concat(" ", [result_admin_gw_exixts.msg, result_admin_vs_match.msg]) + + result_admin_gw_exixts = {"result": true, "msg": msg} { + input.adminGateway.kind == "Gateway" + input.adminGateway.metadata.name == expected_gateway + input.adminGateway.metadata.namespace == expected_gateway_namespace + msg := "Admin gateway exists." + } else = {"result": false, "msg": msg} { + msg := "Admin gateway does not exist." + } + + result_admin_vs_match = {"result": true, "msg": msg}{ + count(admin_vs-admin_vs_using_gateway) == 0 + count(all_vs_using_gateway-admin_vs_using_gateway) == 0 + msg := "Admin virtual services are using admin gateway." + } else = {"result": false, "msg": msg} { + msg := sprintf("Mismatch of admin virtual services using gateway. Admin VS not using GW: %s. Non-Admin VS using gateway: %s.", [concat(", ", admin_vs-admin_vs_using_gateway), concat(", ", all_vs_using_gateway-admin_vs_using_gateway)]) + } + + # Count admin virtual services + admin_vs := {adminVs.metadata.name | adminVs := input.virtualServices[_]; adminVs.kind == "VirtualService"; contains(adminVs.metadata.name, "admin")} + + # Count admin VirtualServices correctly using the admin gateway (given by vs name containing "admin") + admin_vs_using_gateway := {adminVs.metadata.name | adminVs := input.virtualServices[_]; adminVs.kind == "VirtualService"; contains(adminVs.metadata.name, "admin"); adminVs.spec.gateways[_] == expected_ns_name} + + # Count all VirtualServices using the admin gateway + all_vs_using_gateway := {vs.metadata.name | vs := input.virtualServices[_]; vs.kind == "VirtualService"; vs.spec.gateways[_] == expected_ns_name} + type: opa + title: check-istio-admin-gateway-and-usage + uuid: c6c9daf1-4196-406d-8679-312c0512ab2e + - description: | + domain: + kubernetes-spec: + create-resources: null + resources: + - description: "" + name: istioConfig + resource-rule: + field: + base64: false + jsonpath: .data.mesh + type: yaml + group: "" + name: istio + namespaces: + - istio-system + resource: configmaps + version: v1 + type: kubernetes + lula-version: "" + metadata: + name: istio-metrics-logging-configured + uuid: 70d99754-2918-400c-ac9a-319f874fff90 + provider: + opa-spec: + output: + observations: + - validate.msg + validation: validate.validate + rego: | + package validate + + # Default policy result + default validate = false + default msg = "Not evaluated" + + # Validate Istio configuration for metrics logging support + validate { + check_metrics_enabled.result + } + msg = check_metrics_enabled.msg + + check_metrics_enabled = { "result": false, "msg": msg } { + input.istioConfig.enablePrometheusMerge == false + msg := "Metrics logging not supported." + } else = { "result": true, "msg": msg } { + msg := "Metrics logging supported." + } + type: opa + title: istio-metrics-logging-configured + uuid: 70d99754-2918-400c-ac9a-319f874fff90 + - description: | + lula-version: "" + metadata: + name: communications-terminated-after-inactivity-PLACEHOLDER + uuid: 663f5e92-6db4-4042-8b5a-eba3ebe5a622 + provider: + opa-spec: + rego: | + package validate + validate := false + + # Check on destination rule, outlier detection? + # -> Doesn't appear that UDS is configured to create destination rules. + type: opa + title: communications-terminated-after-inactivity-PLACEHOLDER + uuid: 663f5e92-6db4-4042-8b5a-eba3ebe5a622 + - description: | + lula-version: "" + metadata: + name: tls-origination-at-egress-PLACEHOLDER + uuid: 8be1601e-5870-4573-ab4f-c1c199944815 + provider: + opa-spec: + rego: | + package validate + default validate := false + # How to prove TLS origination is configured at egress + # DestinationRule? + type: opa + title: tls-origination-at-egress-PLACEHOLDER + uuid: 8be1601e-5870-4573-ab4f-c1c199944815 + - description: | + lula-version: "" + metadata: + name: fips-evaluation-PLACEHOLDER + uuid: 73434890-2751-4894-b7b2-7e583b4a8977 + title: fips-evaluation-PLACEHOLDER + uuid: 73434890-2751-4894-b7b2-7e583b4a8977 + - description: | + domain: + kubernetes-spec: + create-resources: null + resources: + - description: "" + name: authorizationPolicy + resource-rule: + group: security.istio.io + name: keycloak-block-admin-access-from-public-gateway + namespaces: + - keycloak + resource: authorizationpolicies + version: v1beta1 + type: kubernetes + lula-version: "" + metadata: + name: istio-enforces-authorized-keycloak-access + uuid: fbd877c8-d6b6-4d88-8685-2c4aaaab02a1 + provider: + opa-spec: + output: + observations: + - validate.msg + validation: validate.validate + rego: | + package validate + import rego.v1 + + # Default policy result + default validate := false + default msg := "Not evaluated" + + # Validate both AuthorizationPolicy restricts access to Keycloak admin + validate if { + check_auth_policy_for_keycloak_admin_access.result + } + + msg = check_auth_policy_for_keycloak_admin_access.msg + + check_auth_policy_for_keycloak_admin_access = {"result": true, "msg": msg} if { + input.authorizationPolicy.kind == "AuthorizationPolicy" + valid_auth_policy(input.authorizationPolicy) + msg := "AuthorizationPolicy restricts access to Keycloak admin." + } else = {"result": false, "msg": msg} if { + msg := "AuthorizationPolicy does not restrict access to Keycloak admin." + } + + # Define the rule for denying access + expected_keycloak_admin_denial_rule := { + "from": [ + { + "source": { + "notNamespaces": ["istio-admin-gateway"] + } + } + ], + "to": [ + { + "operation": { + "ports": ["8080"], + "paths": ["/admin*", "/realms/master*"] + } + } + ] + } + + # Validate that the authorization policy contains the expected first rule + valid_auth_policy(ap) if { + ap.spec.action == "DENY" + rules := ap.spec.rules + + # Ensure the expected rule is present in the input policy + some i + rules[i] == expected_keycloak_admin_denial_rule + } + type: opa + title: istio-enforces-authorized-keycloak-access + uuid: fbd877c8-d6b6-4d88-8685-2c4aaaab02a1 + - description: | + domain: + kubernetes-spec: + create-resources: null + resources: + - description: "" + name: istioConfig + resource-rule: + field: + base64: false + jsonpath: .data.mesh + type: yaml + group: "" + name: istio + namespaces: + - istio-system + resource: configmaps + version: v1 + type: kubernetes + lula-version: "" + metadata: + name: istio-tracing-logging-support + uuid: f346b797-be35-40a8-a93a-585db6fd56ec + provider: + opa-spec: + output: + observations: + - validate.msg + validation: validate.validate + rego: | + package validate + + # Default policy result + default validate = false + default msg = "Not evaluated" + + # Validate Istio configuration for event logging support + validate { + check_tracing_enabled.result + } + msg = check_tracing_enabled.msg + + check_tracing_enabled = { "result": true, "msg": msg } { + input.istioConfig.defaultConfig.tracing != null + input.istioConfig.defaultConfig.tracing.zipkin.address != "" + msg := "Tracing logging supported." + } else = { "result": false, "msg": msg } { + msg := "Tracing logging not supported." + } + type: opa + title: istio-tracing-logging-support + uuid: f346b797-be35-40a8-a93a-585db6fd56ec + - description: | + lula-version: "" + metadata: + name: egress-gateway-exists-and-configured-PLACEHOLDER + uuid: ecdb90c7-971a-4442-8f29-a8b0f6076bc9 + title: egress-gateway-exists-and-configured-PLACEHOLDER + uuid: ecdb90c7-971a-4442-8f29-a8b0f6076bc9 + - description: | + domain: + kubernetes-spec: + create-resources: null + resources: + - description: "" + name: networkPolicies + resource-rule: + group: networking.k8s.io + name: "" + namespaces: [] + resource: networkpolicies + version: v1 + type: kubernetes + lula-version: "" + metadata: + name: secure-communication-with-istiod + uuid: 570e2dc7-e6c2-4ad5-8ea3-f07974f59747 + provider: + opa-spec: + output: + observations: + - validate.msg_correct + - validate.msg_incorrect + validation: validate.validate + rego: | + package validate + + # Default policy result + default validate = false + default msg_correct = "Not evaluated" + default msg_incorrect = "Not evaluated" + + # Expected values + expected_istiod_port := 15012 + expected_istiod_protocol := "TCP" + required_namespaces := {"authservice", "grafana", "keycloak", "loki", "metrics-server", "monitoring", "neuvector", "vector", "velero"} + + # Validate NetworkPolicy for Istiod in required namespaces + validate { + count(required_namespaces - correct_istiod_namespaces) == 0 + } + + msg_correct = sprintf("NetworkPolicies correctly configured for istiod in namespaces: %v.", [concat(", ", correct_istiod_namespaces)]) + msg_incorrect = msg { + missing_namespace := required_namespaces - correct_istiod_namespaces + count(missing_namespace) > 0 + msg := sprintf("NetworkPolicies not correctly configured for istiod in namespaces: %v.", [concat(", ", missing_namespace)]) + } else = "No incorrect istiod NetworkPolicies found." + + # Helper to find correct NetworkPolicies + correct_istiod_policies = {policy | + policy := input.networkPolicies[_] + policy.spec.egress[_].to[_].podSelector.matchLabels["istio"] == "pilot" + policy.spec.egress[_].ports[_].port == expected_istiod_port + policy.spec.egress[_].ports[_].protocol == expected_istiod_protocol + } + + # Helper to extract namespaces of correct NetworkPolicies + correct_istiod_namespaces = {policy.metadata.namespace | + policy := correct_istiod_policies[_] + } + type: opa + title: secure-communication-with-istiod + uuid: 570e2dc7-e6c2-4ad5-8ea3-f07974f59747 + - description: | + domain: + kubernetes-spec: + create-resources: null + resources: + - description: "" + name: peerAuths + resource-rule: + group: security.istio.io + name: "" + namespaces: [] + resource: peerauthentications + version: v1beta1 + type: kubernetes + lula-version: "" + metadata: + name: enforce-mtls-strict + uuid: ca49ac97-487a-446a-a0b7-92b20e2c83cb + provider: + opa-spec: + output: + observations: + - validate.msg + validation: validate.validate + rego: | + package validate + + import future.keywords.every + + # Default policy result + default validate = false + default all_strict = false + default msg = "Not evaluated" + + validate { + result_all_strict.result + } + + msg = concat(" ", [result_all_strict.msg]) + + # Rego policy logic to evaluate if all PeerAuthentications have mtls mode set to STRICT + result_all_strict = {"result": true, "msg": msg} { + every peerAuthentication in input.peerAuths { + mode := peerAuthentication.spec.mtls.mode + mode == "STRICT" + } + msg := "All PeerAuthentications have mtls mode set to STRICT." + } else = {"result": false, "msg": msg} { + msg := "Not all PeerAuthentications have mtls mode set to STRICT." + } + type: opa + title: enforce-mtls-strict + uuid: ca49ac97-487a-446a-a0b7-92b20e2c83cb + - description: | + lula-version: "" + metadata: + name: authorized-traffic-egress-PLACEHOLDER + uuid: 7455f86d-b79c-4226-9ce3-f3fb7d9348c8 + title: authorized-traffic-egress-PLACEHOLDER + uuid: 7455f86d-b79c-4226-9ce3-f3fb7d9348c8 + - description: | + domain: + kubernetes-spec: + create-resources: null + resources: + - description: "" + name: namespaces + resource-rule: + group: "" + name: "" + namespaces: [] + resource: namespaces + version: v1 + type: kubernetes + lula-version: "" + metadata: + name: all-namespaces-istio-injected + uuid: 0da39859-a91a-4ca6-bd8b-9b117689188f + provider: + opa-spec: + output: + observations: + - validate.msg + - validate.exempted_namespaces_msg + validation: validate.validate + rego: | + package validate + import future.keywords.every + import future.keywords.in + + default validate = false + default msg = "Not evaluated" + + # Validation + validate { + check_non_istio_injected_namespaces.result + } + msg = check_non_istio_injected_namespaces.msg + exempted_namespaces_msg = sprintf("Exempted Namespaces: %s", [concat(", ", exempted_namespaces)]) + + # List of exempted namespaces + exempted_namespaces := {"istio-system", "kube-system", "default", "istio-admin-gateway", + "istio-passthrough-gateway", "istio-tenant-gateway", "kube-node-lease", "kube-public", "uds-crds", + "uds-dev-stack", "uds-policy-exemptions", "zarf"} + + # Collect non-Istio-injected namespaces + non_istio_injected_namespaces := {ns.metadata.name | + ns := input.namespaces[_] + ns.kind == "Namespace" + not ns.metadata.labels["istio-injection"] == "enabled" + not ns.metadata.name in exempted_namespaces + } + + # Check no non-Istio-injected namespaces + check_non_istio_injected_namespaces = { "result": true, "msg": "All namespaces are Istio-injected" } { + count(non_istio_injected_namespaces) == 0 + } else = { "result": false, "msg": msg } { + msg := sprintf("Non-Istio-injected namespaces: %v", [non_istio_injected_namespaces]) + } + type: opa + title: all-namespaces-istio-injected + uuid: 0da39859-a91a-4ca6-bd8b-9b117689188f + - description: | + domain: + kubernetes-spec: + create-resources: null + resources: + - description: "" + name: gateways + resource-rule: + group: networking.istio.io + name: "" + namespaces: [] + resource: gateways + version: v1beta1 + type: kubernetes + lula-version: "" + metadata: + name: gateway-configuration-check + uuid: b0a8f21e-b12f-47ea-a967-2f4a3ec69e44 + provider: + opa-spec: + output: + observations: + - validate.msg + - validate.msg_existing_gateways + - validate.msg_allowed_gateways + validation: validate.validate + rego: | + package validate + import rego.v1 + + # default values + default validate := false + default msg := "Not evaluated" + + validate if { + check_expected_gw.result + check_all_gw_found.result + } + + msg := concat(" ", [check_expected_gw.msg, check_all_gw_found.msg]) + msg_existing_gateways := concat(", ", gateways) + msg_allowed_gateways := concat(", ", allowed) + + # Check if only allowed gateways are in the system + allowed := {"admin", "tenant", "passthrough"} + gateways := {sprintf("%s/%s", [gw.metadata.namespace, gw.metadata.name]) | gw := input.gateways[_]} + allowed_gateways := {sprintf("%s/%s", [gw.metadata.namespace, gw.metadata.name]) | gw := input.gateways[_]; gw_in_list(gw, allowed)} + actual_allowed := {s | g := gateways[_]; s := allowed[_]; contains(g, s)} + + check_expected_gw = {"result": true, "msg": msg} if { + gateways == allowed_gateways + msg := "Only allowed gateways found." + } else = {"result": false, "msg": msg} if { + msg := sprintf("Some disallowed gateways found: %v.", [gateways-allowed_gateways]) + } + + gw_in_list(gw, allowed) if { + contains(gw.metadata.name, allowed[_]) + } + + # Check if the entire set contains all required gateways + check_all_gw_found = {"result": true, "msg": msg} if { + actual_allowed == allowed + msg := "All gateway types found." + } else = {"result": false, "msg": msg} if { + msg := sprintf("Gateway type(s) missing: %v.", [allowed - actual_allowed]) + } + type: opa + title: gateway-configuration-check + uuid: b0a8f21e-b12f-47ea-a967-2f4a3ec69e44 + - description: | + domain: + kubernetes-spec: + create-resources: null + resources: + - description: "" + name: authorizationPolicies + resource-rule: + group: security.istio.io + name: "" + namespaces: [] + resource: authorizationpolicies + version: v1beta1 + type: kubernetes + lula-version: "" + metadata: + name: istio-rbac-enforcement-check + uuid: 7b045b2a-106f-4c8c-85d9-ae3d7a8e0e28 + provider: + opa-spec: + output: + observations: + - validate.msg + - validate.msg_authPolicies + validation: validate.validate + rego: | + package validate + + # Default policy result + default validate = false + default msg = "Istio RBAC not enforced" + + # Evaluation for Istio Authorization Policies + validate { + count(all_auth_policies) > 0 + } + + # Get all authorization policies + all_auth_policies := { sprintf("%s/%s", [authPolicy.metadata.namespace, authPolicy.metadata.name]) | + authPolicy := input.authorizationPolicies[_]; authPolicy.kind == "AuthorizationPolicy" } + + msg = "Istio RBAC enforced" { + validate + } + msg_authPolicies = sprintf("Authorization Policies: %v", [concat(", ", all_auth_policies)]) + type: opa + title: istio-rbac-enforcement-check + uuid: 7b045b2a-106f-4c8c-85d9-ae3d7a8e0e28 + - description: | + lula-version: "" + metadata: + name: istio-rbac-for-approved-personnel-PLACEHOLDER + uuid: 9b361d7b-4e07-40db-8b86-3854ed499a4b + title: istio-rbac-for-approved-personnel-PLACEHOLDER + uuid: 9b361d7b-4e07-40db-8b86-3854ed499a4b + - description: | + lula-version: "" + metadata: + name: external-traffic-managed-PLACEHOLDER + uuid: 19faf69a-de74-4b78-a628-64a9f244ae13 + provider: + opa-spec: + rego: | + package validate + default validate := false + # This policy could check meshConfig.outboundTrafficPolicy.mode (default is ALLOW_ANY) + # Possibly would need a ServiceEntry(?) + # (https://istio.io/latest/docs/tasks/traffic-management/egress/egress-control/#envoy-passthrough-to-external-services) + type: opa + title: external-traffic-managed-PLACEHOLDER + uuid: 19faf69a-de74-4b78-a628-64a9f244ae13 + - description: | + domain: + kubernetes-spec: + create-resources: null + resources: + - description: "" + name: istioddeployment + resource-rule: + group: apps + name: istiod + namespaces: + - istio-system + resource: deployments + version: v1 + - description: "" + name: istiodhpa + resource-rule: + group: autoscaling + name: istiod + namespaces: + - istio-system + resource: horizontalpodautoscalers + version: v2 + type: kubernetes + lula-version: "" + metadata: + name: istio-health-check + uuid: 67456ae8-4505-4c93-b341-d977d90cb125 + provider: + opa-spec: + output: + observations: + - istiohealth.deployment_message + - istiohealth.hpa_message + validation: istiohealth.is_istio_healthy + rego: | + package istiohealth + + default is_istio_healthy = false + default deployment_message = "Deployment status not evaluated" + default hpa_message = "HPA status not evaluated" + + # Check if the Istio Deployment is healthy + is_istio_healthy { + count(input.istioddeployment.status.conditions) > 0 + all_deployment_conditions_are_true + input.istiodhpa.status.currentReplicas >= input.istiodhpa.spec.minReplicas + } + + all_deployment_conditions_are_true { + # Ensure every condition in the array has a status that is not "False" + all_true = {c | c := input.istioddeployment.status.conditions[_]; c.status != "False"} + count(all_true) == count(input.istioddeployment.status.conditions) + } + + deployment_message = msg { + all_deployment_conditions_are_true + msg := "All deployment conditions are true." + } else = msg { + msg := "One or more deployment conditions are false." + } + + hpa_message = msg { + input.istiodhpa.status.currentReplicas >= input.istiodhpa.spec.minReplicas + msg := "HPA has sufficient replicas." + } else = msg { + msg := "HPA does not have sufficient replicas." + } + type: opa + title: istio-health-check + uuid: 67456ae8-4505-4c93-b341-d977d90cb125 + - description: | + domain: + kubernetes-spec: + create-resources: null + resources: + - description: "" + name: gateways + resource-rule: + group: networking.istio.io + name: "" + namespaces: [] + resource: gateways + version: v1beta1 + type: kubernetes + lula-version: "" + metadata: + name: ingress-traffic-encrypted + uuid: fd071676-6b92-4e1c-a4f0-4c8d2bd55aed + provider: + opa-spec: + output: + observations: + - validate.msg + - validate.msg_exempt + validation: validate.validate + rego: | + package validate + import future.keywords.every + + default validate = false + default msg = "Not evaluated" + + # Validation + validate { + check_gateways_allowed.result + } + msg := check_gateways_allowed.msg + msg_exempt := sprintf("Exempted Gateways: %s", [concat(", ", exempt_gateways)]) + + # Collect gateways that do not encrypt ingress traffic + gateways_disallowed = {sprintf("%s/%s", [gateway.metadata.namespace, gateway.metadata.name]) | + gateway := input.gateways[_]; + not allowed_gateway(gateway) + } + + check_gateways_allowed = {"result": true, "msg": "All gateways encrypt ingress traffic"} { + count(gateways_disallowed) == 0 + } else = {"result": false, "msg": msg} { + msg := sprintf("Some gateways do not encrypt ingress traffic: %s", [concat(", ", gateways_disallowed)]) + } + + # Check allowed gateway + allowed_gateway(gateway) { + every server in gateway.spec.servers { + allowed_server(server) + } + } + + exempt_gateways := {"istio-passthrough-gateway/passthrough-gateway"} + allowed_gateway(gateway) { + sprintf("%s/%s", [gateway.metadata.namespace, gateway.metadata.name]) in exempt_gateways + # *Unchecked condition that exempted gateway is only used by virtual services that route https traffic + # Find all virtual services that use this gateway + # Check that vs has https scheme + } + + # Check allowed server spec in gateway + allowed_server(server) { + server.port.protocol == "HTTP" + server.tls.httpsRedirect == true + } + + allowed_server(server) { + server.port.protocol == "HTTPS" + server.tls.mode in {"SIMPLE", "OPTIONAL_MUTUAL"} + } + type: opa + title: ingress-traffic-encrypted + uuid: fd071676-6b92-4e1c-a4f0-4c8d2bd55aed +>>>>>>> 2f6ed02 (feat!: switch from promtail to vector (#724)) components: - control-implementations: - description: Control Implementation Description diff --git a/src/pepr/zarf.yaml b/src/pepr/zarf.yaml index 267a24f96..235ce27fe 100644 --- a/src/pepr/zarf.yaml +++ b/src/pepr/zarf.yaml @@ -48,3 +48,26 @@ components: - name: module valuesFiles: - values.yaml +<<<<<<< HEAD +======= + actions: + onDeploy: + before: + - mute: true + description: "Update helm ownership for Pepr resources if necessary during the upgrade" + cmd: | + ./zarf tools kubectl annotate secret -n pepr-system pepr-uds-core-api-token meta.helm.sh/release-name=module --overwrite || true + ./zarf tools kubectl annotate secret -n pepr-system pepr-uds-core-module meta.helm.sh/release-name=module --overwrite || true + ./zarf tools kubectl annotate secret -n pepr-system pepr-uds-core-tls meta.helm.sh/release-name=module --overwrite || true + ./zarf tools kubectl annotate serviceaccount -n pepr-system pepr-uds-core meta.helm.sh/release-name=module --overwrite || true + ./zarf tools kubectl annotate clusterrolebinding pepr-uds-core meta.helm.sh/release-name=module --overwrite || true + ./zarf tools kubectl annotate clusterrole pepr-uds-core meta.helm.sh/release-name=module --overwrite || true + ./zarf tools kubectl annotate role -n pepr-system pepr-uds-core-store meta.helm.sh/release-name=module --overwrite || true + ./zarf tools kubectl annotate rolebinding -n pepr-system pepr-uds-core-store meta.helm.sh/release-name=module --overwrite || true + ./zarf tools kubectl annotate service -n pepr-system pepr-uds-core meta.helm.sh/release-name=module --overwrite || true + ./zarf tools kubectl annotate service -n pepr-system pepr-uds-core-watcher meta.helm.sh/release-name=module --overwrite || true + ./zarf tools kubectl annotate deployment -n pepr-system pepr-uds-core meta.helm.sh/release-name=module --overwrite || true + ./zarf tools kubectl annotate deployment -n pepr-system pepr-uds-core-watcher meta.helm.sh/release-name=module --overwrite || true + ./zarf tools kubectl annotate mutatingwebhookconfiguration -n pepr-system pepr-uds-core meta.helm.sh/release-name=module --overwrite || true + ./zarf tools kubectl annotate validatingwebhookconfiguration -n pepr-system pepr-uds-core meta.helm.sh/release-name=module --overwrite || true +>>>>>>> 2f6ed02 (feat!: switch from promtail to vector (#724)) diff --git a/src/vector/chart/templates/uds-exemption.yaml b/src/vector/chart/templates/uds-exemption.yaml index c78054815..7ec004775 100644 --- a/src/vector/chart/templates/uds-exemption.yaml +++ b/src/vector/chart/templates/uds-exemption.yaml @@ -1,6 +1,9 @@ +<<<<<<< HEAD # Copyright 2024 Defense Unicorns # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial +======= +>>>>>>> 2f6ed02 (feat!: switch from promtail to vector (#724)) apiVersion: uds.dev/v1alpha1 kind: Exemption metadata: diff --git a/src/vector/chart/templates/uds-package.yaml b/src/vector/chart/templates/uds-package.yaml index e4ac9d9c9..329effcf3 100644 --- a/src/vector/chart/templates/uds-package.yaml +++ b/src/vector/chart/templates/uds-package.yaml @@ -1,6 +1,9 @@ +<<<<<<< HEAD # Copyright 2024 Defense Unicorns # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial +======= +>>>>>>> 2f6ed02 (feat!: switch from promtail to vector (#724)) apiVersion: uds.dev/v1alpha1 kind: Package metadata: diff --git a/src/vector/chart/values.yaml b/src/vector/chart/values.yaml index c4bf61c2a..5ef1e885e 100644 --- a/src/vector/chart/values.yaml +++ b/src/vector/chart/values.yaml @@ -1,6 +1,9 @@ +<<<<<<< HEAD # Copyright 2024 Defense Unicorns # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial +======= +>>>>>>> 2f6ed02 (feat!: switch from promtail to vector (#724)) additionalNetworkAllow: [] # Examples: # - direction: Egress diff --git a/src/vector/common/zarf.yaml b/src/vector/common/zarf.yaml index 631dce2c9..89f933638 100644 --- a/src/vector/common/zarf.yaml +++ b/src/vector/common/zarf.yaml @@ -1,6 +1,9 @@ +<<<<<<< HEAD # Copyright 2024 Defense Unicorns # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial +======= +>>>>>>> 2f6ed02 (feat!: switch from promtail to vector (#724)) kind: ZarfPackageConfig metadata: name: uds-core-vector-common diff --git a/src/vector/tasks.yaml b/src/vector/tasks.yaml index f044c85d5..afc4a5ea7 100644 --- a/src/vector/tasks.yaml +++ b/src/vector/tasks.yaml @@ -1,6 +1,9 @@ +<<<<<<< HEAD # Copyright 2024 Defense Unicorns # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial +======= +>>>>>>> 2f6ed02 (feat!: switch from promtail to vector (#724)) tasks: - name: validate actions: diff --git a/src/vector/values/registry1-values.yaml b/src/vector/values/registry1-values.yaml index 95187afb4..961e5a5ce 100644 --- a/src/vector/values/registry1-values.yaml +++ b/src/vector/values/registry1-values.yaml @@ -1,6 +1,9 @@ +<<<<<<< HEAD # Copyright 2024 Defense Unicorns # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial +======= +>>>>>>> 2f6ed02 (feat!: switch from promtail to vector (#724)) image: repository: registry1.dso.mil/ironbank/opensource/timberio/vector tag: 0.41.1 diff --git a/src/vector/values/unicorn-values.yaml b/src/vector/values/unicorn-values.yaml index 5a6d40405..68e19e7d7 100644 --- a/src/vector/values/unicorn-values.yaml +++ b/src/vector/values/unicorn-values.yaml @@ -1,6 +1,9 @@ +<<<<<<< HEAD # Copyright 2024 Defense Unicorns # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial +======= +>>>>>>> 2f6ed02 (feat!: switch from promtail to vector (#724)) image: repository: cgr.dev/du-uds-defenseunicorns/vector tag: 0.41.1 diff --git a/src/vector/values/upstream-values.yaml b/src/vector/values/upstream-values.yaml index 8954e9d7d..9cc0bce8d 100644 --- a/src/vector/values/upstream-values.yaml +++ b/src/vector/values/upstream-values.yaml @@ -1,6 +1,9 @@ +<<<<<<< HEAD # Copyright 2024 Defense Unicorns # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial +======= +>>>>>>> 2f6ed02 (feat!: switch from promtail to vector (#724)) image: repository: timberio/vector tag: 0.41.1-distroless-static diff --git a/src/vector/values/values.yaml b/src/vector/values/values.yaml index aff279fe7..7946cfa6f 100644 --- a/src/vector/values/values.yaml +++ b/src/vector/values/values.yaml @@ -1,6 +1,9 @@ +<<<<<<< HEAD # Copyright 2024 Defense Unicorns # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial +======= +>>>>>>> 2f6ed02 (feat!: switch from promtail to vector (#724)) # Run as an agent daemonset role: "Agent" diff --git a/src/vector/zarf.yaml b/src/vector/zarf.yaml index 4a6b4da8c..ec1a31437 100644 --- a/src/vector/zarf.yaml +++ b/src/vector/zarf.yaml @@ -1,6 +1,9 @@ +<<<<<<< HEAD # Copyright 2024 Defense Unicorns # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial +======= +>>>>>>> 2f6ed02 (feat!: switch from promtail to vector (#724)) kind: ZarfPackageConfig metadata: name: uds-core-vector From b40b7848ed6d75071558bdff2339edbcaf20866f Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Wed, 25 Sep 2024 15:56:03 -0600 Subject: [PATCH 88/90] chore(deps): update runtime to v0.5.0 (#834) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This PR contains the following updates: | Package | Update | Change | |---|---|---| | [ghcr.io/defenseunicorns/uds-runtime](https://images.chainguard.dev/directory/image/static/overview) ([source](https://redirect.github.com/chainguard-images/images/tree/HEAD/images/static)) | minor | `0.4.0` -> `0.5.0` | | [https://github.com/defenseunicorns/uds-runtime.git](https://redirect.github.com/defenseunicorns/uds-runtime) | minor | `v0.4.0` -> `v0.5.0` | ---
defenseunicorns/uds-runtime (https://github.com/defenseunicorns/uds-runtime.git) [`v0.5.0`](https://redirect.github.com/defenseunicorns/uds-runtime/releases/tag/v0.5.0) [Compare Source](https://redirect.github.com/defenseunicorns/uds-runtime/compare/v0.4.0...v0.5.0) - **api:** adds jwt group validation when in-cluster ([#​387](https://redirect.github.com/defenseunicorns/uds-runtime/issues/387)) ([8a53f76](https://redirect.github.com/defenseunicorns/uds-runtime/commit/8a53f76fc684f3e2562ab3076b67d7a68571589d)) - make deployment resources configurable and up default memory ([#​372](https://redirect.github.com/defenseunicorns/uds-runtime/issues/372)) ([2981598](https://redirect.github.com/defenseunicorns/uds-runtime/commit/29815984b28b793087ede78a5de59e5376903477)) - **ui:** adding events tab ([#​342](https://redirect.github.com/defenseunicorns/uds-runtime/issues/342)) ([cb9b43a](https://redirect.github.com/defenseunicorns/uds-runtime/commit/cb9b43a84a3d157b9759a063788e1cecf9e9e868)) - **ui:** fixing issue with progress bar ([#​375](https://redirect.github.com/defenseunicorns/uds-runtime/issues/375)) ([3f8f204](https://redirect.github.com/defenseunicorns/uds-runtime/commit/3f8f20442b89f04af04aa7cd62655fe98d716063)) - **ui:** updating pods table column name ([#​369](https://redirect.github.com/defenseunicorns/uds-runtime/issues/369)) ([25aaaf9](https://redirect.github.com/defenseunicorns/uds-runtime/commit/25aaaf9a630b785a4b8b1b123d29a4df148e0288)) - ensure pod counts are consistent ([#​363](https://redirect.github.com/defenseunicorns/uds-runtime/issues/363)) ([a5c837b](https://redirect.github.com/defenseunicorns/uds-runtime/commit/a5c837b767a316a89a01cdcbebf36a6e407a4883)) - fixing issue with firefox not supporting text-wrap: pretty ([#​382](https://redirect.github.com/defenseunicorns/uds-runtime/issues/382)) ([4465617](https://redirect.github.com/defenseunicorns/uds-runtime/commit/44656170b50ce308cc61eb6b1aaa3ca325926080)) - fixing memory bar for overview page ([#​381](https://redirect.github.com/defenseunicorns/uds-runtime/issues/381)) ([4f321e3](https://redirect.github.com/defenseunicorns/uds-runtime/commit/4f321e348f57fd5d8d15fc3f383a3f64b403d9fd)) - use tls 1.2 in canary deployment ([#​383](https://redirect.github.com/defenseunicorns/uds-runtime/issues/383)) ([08b5bdc](https://redirect.github.com/defenseunicorns/uds-runtime/commit/08b5bdc6e9df063ce06466276bf78312f9e14aaf)) - api route test helper with retries and exponential backoff ([#​357](https://redirect.github.com/defenseunicorns/uds-runtime/issues/357)) ([674f37e](https://redirect.github.com/defenseunicorns/uds-runtime/commit/674f37ed94dfcf1722f8f23bbcd2434cf1adde66)) - **ci:** update core demo bundle version for ephemeral env ([#​360](https://redirect.github.com/defenseunicorns/uds-runtime/issues/360)) ([161fa7e](https://redirect.github.com/defenseunicorns/uds-runtime/commit/161fa7ee3685387a9ce4469b6e07dfa3082aec17)) - **deps:** update dependency vite to v5.3.6 \[security] ([#​341](https://redirect.github.com/defenseunicorns/uds-runtime/issues/341)) ([6dc4ad2](https://redirect.github.com/defenseunicorns/uds-runtime/commit/6dc4ad22400ee48f71e2197441fa40253c6bf9c6)) - **deps:** update github actions ([#​334](https://redirect.github.com/defenseunicorns/uds-runtime/issues/334)) ([117410e](https://redirect.github.com/defenseunicorns/uds-runtime/commit/117410e92c7a6d7d5324d50338f34b11484e9818)) - **deps:** update github actions ([#​371](https://redirect.github.com/defenseunicorns/uds-runtime/issues/371)) ([78bb3a1](https://redirect.github.com/defenseunicorns/uds-runtime/commit/78bb3a1aa73de7d5f6145d6a7310d3460dbbdd46)) - **deps:** update module github.com/zarf-dev/zarf to v0.40.1 ([#​359](https://redirect.github.com/defenseunicorns/uds-runtime/issues/359)) ([12a0f5e](https://redirect.github.com/defenseunicorns/uds-runtime/commit/12a0f5ed8c64c6862db43408b7e878a996795673)) - **deps:** update uds-core-types digest to [`df4d2da`](https://redirect.github.com/defenseunicorns/uds-runtime/commit/df4d2da) ([#​362](https://redirect.github.com/defenseunicorns/uds-runtime/issues/362)) ([0a67913](https://redirect.github.com/defenseunicorns/uds-runtime/commit/0a679136bda31b46e66008bfbf30f8f8ddc61df8)) - refactors uds tasks and adds smoke test ([#​344](https://redirect.github.com/defenseunicorns/uds-runtime/issues/344)) ([2fec985](https://redirect.github.com/defenseunicorns/uds-runtime/commit/2fec985eecf3026a2cd05dda08aca1845ac0479c)) - update description for UDS Package ([#​356](https://redirect.github.com/defenseunicorns/uds-runtime/issues/356)) ([d360d38](https://redirect.github.com/defenseunicorns/uds-runtime/commit/d360d38f8e50648c6e6e167c70a12233ff2eef23)) - update slim core with authsvc deployment and bump k3d version ([#​389](https://redirect.github.com/defenseunicorns/uds-runtime/issues/389)) ([216bab6](https://redirect.github.com/defenseunicorns/uds-runtime/commit/216bab6a2735a1d8d2bbf7b55d6a8369579e81a3))
--- πŸ“… **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. β™» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. πŸ”• **Ignore**: Close this PR and you won't be reminded about these updates again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/defenseunicorns/uds-core). Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: UncleGedd <42304551+UncleGedd@users.noreply.github.com> --- src/runtime/zarf.yaml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/src/runtime/zarf.yaml b/src/runtime/zarf.yaml index 3c07f4aae..3b72a0fca 100644 --- a/src/runtime/zarf.yaml +++ b/src/runtime/zarf.yaml @@ -16,11 +16,19 @@ components: - name: uds-runtime required: false images: +<<<<<<< HEAD - ghcr.io/defenseunicorns/uds-runtime:0.6.1 charts: - name: uds-runtime namespace: uds-runtime version: "v0.6.1" +======= + - ghcr.io/defenseunicorns/uds-runtime:0.5.0 + charts: + - name: uds-runtime + namespace: uds-runtime + version: "v0.5.0" +>>>>>>> e80e6fc (chore(deps): update runtime to v0.5.0 (#834)) url: https://github.com/defenseunicorns/uds-runtime.git gitPath: chart actions: From 57bac4c1e0548cd388917c64cf2c3332bc4a7f1a Mon Sep 17 00:00:00 2001 From: Jon Date: Fri, 27 Sep 2024 15:46:36 -0600 Subject: [PATCH 89/90] chore: updated pepr watch limit to 60s (#840) Adjust Pepr watch limit to a lower value to help UDS Package delete/reinstalls succeed more often. Fixes # https://github.com/defenseunicorns/uds-core/issues/839 - [x] Bug fix (non-breaking change which fixes an issue) - [x] Test, docs, adr added or updated as needed - [x] [Contributor Guide](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md) followed --- src/pepr/uds-operator-config/values.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/pepr/uds-operator-config/values.yaml b/src/pepr/uds-operator-config/values.yaml index 4d40d027d..90a1f4636 100644 --- a/src/pepr/uds-operator-config/values.yaml +++ b/src/pepr/uds-operator-config/values.yaml @@ -11,5 +11,8 @@ operator: PEPR_LAST_SEEN_LIMIT_SECONDS: "60" # Allow Pepr to re-list resources more frequently to avoid missing resources PEPR_RELIST_INTERVAL_SECONDS: "60" +<<<<<<< HEAD # Use HTTP2 for Pepr watches and exemption watch PEPR_HTTP2_WATCH: false +======= +>>>>>>> 29e4d5e (chore: updated pepr watch limit to 60s (#840)) From 71bf9c734d3f7846920508ea26ba37b2cab38975 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Fri, 27 Sep 2024 16:43:11 -0600 Subject: [PATCH 90/90] chore(main): release 0.28.0 (#795) :robot: I have created a release *beep* *boop* --- [0.28.0](https://github.com/defenseunicorns/uds-core/compare/v0.27.3...v0.28.0) (2024-09-27) * Promtail has been removed from UDS Core and replaced by Vector. If you were previously using overrides to setup additional log targets/endpoints for Promtail this configuration will need to be updated to Vector's chart/config formats. See Vector's [Sources and Sinks](https://vector.dev/components/) as well as the [helm chart values](https://github.com/defenseunicorns/uds-core/blob/1bf29582f9c5b1fe01763e86e56c19b6e17aef85/src/vector/values/values.yaml#L4) for guidance in configuration. * add support for keycloak saml attributes ([#806](https://github.com/defenseunicorns/uds-core/issues/806)) ([b312b7d](https://github.com/defenseunicorns/uds-core/commit/b312b7de5fab6b688bf5799b0316d067b86887fa)) * exposes tls version for dev bundles ([#809](https://github.com/defenseunicorns/uds-core/issues/809)) ([e1a2b55](https://github.com/defenseunicorns/uds-core/commit/e1a2b55fff1a1feaa5d37016a8f71274eb6dde3e)) * switch from promtail to vector (https://github.com/defenseunicorns/uds-core/pull/724) ([1bf2958](https://github.com/defenseunicorns/uds-core/commit/1bf29582f9c5b1fe01763e86e56c19b6e17aef85)) * eks iac issues, document storage class pre-reqs ([#812](https://github.com/defenseunicorns/uds-core/issues/812)) ([df514bd](https://github.com/defenseunicorns/uds-core/commit/df514bd437e5af0bedb11a3da8860c8aeaccc78c)) * ensure istio sidecar is killed if job fails ([#813](https://github.com/defenseunicorns/uds-core/issues/813)) ([34ffc0a](https://github.com/defenseunicorns/uds-core/commit/34ffc0a22b17489e5b87add6cafc1cc915897936)) * revert test app version to fix CI failures ([#815](https://github.com/defenseunicorns/uds-core/issues/815)) ([2ec6ad6](https://github.com/defenseunicorns/uds-core/commit/2ec6ad6cc7d3cdba1efdd752b7d2bfc2012c9f2a)) * add runtime group to renovate config ([#799](https://github.com/defenseunicorns/uds-core/issues/799)) ([1bf2c69](https://github.com/defenseunicorns/uds-core/commit/1bf2c692d996992775ba827b4d2869430a9929e7)) * **deps:** update dependency defenseunicorns/uds-common to v0.13.0 ([#790](https://github.com/defenseunicorns/uds-core/issues/790)) ([8bfcdc0](https://github.com/defenseunicorns/uds-core/commit/8bfcdc00a8b04f0c7b9f0c88a0e37e8cec8b42f3)) * **deps:** update dependency defenseunicorns/uds-common to v0.13.1 ([#810](https://github.com/defenseunicorns/uds-core/issues/810)) ([eedb551](https://github.com/defenseunicorns/uds-core/commit/eedb551b3c5529c64dcb997b2eb33f82e5fbd0ab)) * **deps:** update istio to v1.23.2 ([#796](https://github.com/defenseunicorns/uds-core/issues/796)) ([039d89c](https://github.com/defenseunicorns/uds-core/commit/039d89c347089edff3d1b8ac7b85c8c90f20f722)) * **deps:** update keycloak to v25.0.6 ([#771](https://github.com/defenseunicorns/uds-core/issues/771)) ([9864059](https://github.com/defenseunicorns/uds-core/commit/9864059b3c86782978608f92782834ed493d5709)) * **deps:** update pepr to v0.13.1 ([#811](https://github.com/defenseunicorns/uds-core/issues/811)) ([bc05b04](https://github.com/defenseunicorns/uds-core/commit/bc05b0480de6c4abca35f774e7aba769a8c9f76e)) * **deps:** update prometheus operator to v0.77.0 ([#783](https://github.com/defenseunicorns/uds-core/issues/783)) ([8f383d8](https://github.com/defenseunicorns/uds-core/commit/8f383d84c13af3986e3898f4c57a71a49145053e)) * **deps:** update runtime to v0.5.0 ([#834](https://github.com/defenseunicorns/uds-core/issues/834)) ([edc068d](https://github.com/defenseunicorns/uds-core/commit/edc068d38f47ba373877593b854d21c4e4fc39ca)) * **deps:** update setup-node to v4.0.4 ([#801](https://github.com/defenseunicorns/uds-core/issues/801)) ([34dbc44](https://github.com/defenseunicorns/uds-core/commit/34dbc4426a65bc67e0a81779b530e98240e1972f)) * **deps:** update uds to v0.16.0 ([#802](https://github.com/defenseunicorns/uds-core/issues/802)) ([d07670b](https://github.com/defenseunicorns/uds-core/commit/d07670b6f748774df7e663aae89de3c7f0a87088)) * **deps:** update uds-common to v0.13.0 ([#792](https://github.com/defenseunicorns/uds-core/issues/792)) ([c24e833](https://github.com/defenseunicorns/uds-core/commit/c24e833e54b111cef10d6347c972c6d6fbe3e7ee)) * **deps:** update zarf to v0.40.1 ([#793](https://github.com/defenseunicorns/uds-core/issues/793)) ([db93a7e](https://github.com/defenseunicorns/uds-core/commit/db93a7edc2a83841210612430ad2d5fd46a14f97)) * fix github-actions renovate ([#800](https://github.com/defenseunicorns/uds-core/issues/800)) ([3ab2add](https://github.com/defenseunicorns/uds-core/commit/3ab2adda290463a91ec90f125793dd34cde76471)) * pepr policies doc table ([#803](https://github.com/defenseunicorns/uds-core/issues/803)) ([440e4e1](https://github.com/defenseunicorns/uds-core/commit/440e4e1249d94932c36d1964d1ff6166624c8f82)) * pepr policy doc ([#814](https://github.com/defenseunicorns/uds-core/issues/814)) ([8b10b86](https://github.com/defenseunicorns/uds-core/commit/8b10b864efb9822649b4677bcc4c3be1e7510534)) * updated pepr watch limit to 60s ([#840](https://github.com/defenseunicorns/uds-core/issues/840)) ([85f3f41](https://github.com/defenseunicorns/uds-core/commit/85f3f4155469e6997b18f27479937e938469a9bb)) * use kfc WatchPhase enum ([#787](https://github.com/defenseunicorns/uds-core/issues/787)) ([df4d2da](https://github.com/defenseunicorns/uds-core/commit/df4d2dadf6545d284c1fd72ee0291de4601fa533)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> --- .github/bundles/eks/uds-bundle.yaml | 8 ++++++++ .release-please-manifest.json | 4 ++++ CHANGELOG.md | 3 +++ README.md | 8 ++++++++ bundles/k3d-slim-dev/uds-bundle.yaml | 8 ++++++++ bundles/k3d-standard/uds-bundle.yaml | 8 ++++++++ packages/base/zarf.yaml | 4 ++++ packages/standard/zarf.yaml | 4 ++++ tasks/deploy.yaml | 4 ++++ tasks/publish.yaml | 4 ++++ 10 files changed, 55 insertions(+) diff --git a/.github/bundles/eks/uds-bundle.yaml b/.github/bundles/eks/uds-bundle.yaml index 749446375..ba010c513 100644 --- a/.github/bundles/eks/uds-bundle.yaml +++ b/.github/bundles/eks/uds-bundle.yaml @@ -6,7 +6,11 @@ metadata: name: uds-core-eks-nightly description: A UDS bundle for deploying EKS and UDS Core # x-release-please-start-version +<<<<<<< HEAD:.github/bundles/eks/uds-bundle.yaml version: "0.29.0" +======= + version: "0.28.0" +>>>>>>> 62baad3 (chore(main): release 0.28.0 (#795)):.github/bundles/uds-bundle.yaml # x-release-please-end packages: @@ -17,7 +21,11 @@ packages: - name: core path: ../../../build # x-release-please-start-version +<<<<<<< HEAD:.github/bundles/eks/uds-bundle.yaml ref: 0.29.0 +======= + ref: 0.28.0 +>>>>>>> 62baad3 (chore(main): release 0.28.0 (#795)):.github/bundles/uds-bundle.yaml # x-release-please-end optionalComponents: - metrics-server diff --git a/.release-please-manifest.json b/.release-please-manifest.json index 88d34f8c0..130edc2c5 100644 --- a/.release-please-manifest.json +++ b/.release-please-manifest.json @@ -1,3 +1,7 @@ { +<<<<<<< HEAD ".": "0.29.0" +======= + ".": "0.28.0" +>>>>>>> 62baad3 (chore(main): release 0.28.0 (#795)) } diff --git a/CHANGELOG.md b/CHANGELOG.md index 1478fe0b0..fe1db1bc2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,7 @@ All notable changes to this project will be documented in this file. +<<<<<<< HEAD ## [0.29.0](https://github.com/defenseunicorns/uds-core/compare/v0.28.0...v0.29.0) (2024-10-11) @@ -55,6 +56,8 @@ All notable changes to this project will be documented in this file. * regroup 'support dependencies' in renovate config ([#885](https://github.com/defenseunicorns/uds-core/issues/885)) ([640d859](https://github.com/defenseunicorns/uds-core/commit/640d859a50de6c7d49afec3283fac2a249d04dd7)) * update license ([#878](https://github.com/defenseunicorns/uds-core/issues/878)) ([b086170](https://github.com/defenseunicorns/uds-core/commit/b086170f415c82916a6e493517ac5bc62b2b7aea)) +======= +>>>>>>> 62baad3 (chore(main): release 0.28.0 (#795)) ## [0.28.0](https://github.com/defenseunicorns/uds-core/compare/v0.27.3...v0.28.0) (2024-09-27) diff --git a/README.md b/README.md index 2a822ad61..1498ce643 100644 --- a/README.md +++ b/README.md @@ -56,7 +56,11 @@ If you want to try out UDS Core, you can use the [k3d-core-demo bundle](./bundle ```bash +<<<<<<< HEAD uds deploy k3d-core-demo:0.29.0 +======= +uds deploy k3d-core-demo:0.28.0 +>>>>>>> 62baad3 (chore(main): release 0.28.0 (#795)) ``` @@ -70,7 +74,11 @@ Deploy Istio, Keycloak and Pepr: ```bash +<<<<<<< HEAD uds deploy k3d-core-slim-dev:0.29.0 +======= +uds deploy k3d-core-slim-dev:0.28.0 +>>>>>>> 62baad3 (chore(main): release 0.28.0 (#795)) ``` diff --git a/bundles/k3d-slim-dev/uds-bundle.yaml b/bundles/k3d-slim-dev/uds-bundle.yaml index 0e4b28ea9..b1859b7c7 100644 --- a/bundles/k3d-slim-dev/uds-bundle.yaml +++ b/bundles/k3d-slim-dev/uds-bundle.yaml @@ -6,7 +6,11 @@ metadata: name: k3d-core-slim-dev description: A UDS bundle for deploying Istio from UDS Core on a development cluster # x-release-please-start-version +<<<<<<< HEAD version: "0.29.0" +======= + version: "0.28.0" +>>>>>>> 62baad3 (chore(main): release 0.28.0 (#795)) # x-release-please-end packages: @@ -37,7 +41,11 @@ packages: - name: core-base path: ../../build/ # x-release-please-start-version +<<<<<<< HEAD ref: 0.29.0 +======= + ref: 0.28.0 +>>>>>>> 62baad3 (chore(main): release 0.28.0 (#795)) # x-release-please-end overrides: istio-admin-gateway: diff --git a/bundles/k3d-standard/uds-bundle.yaml b/bundles/k3d-standard/uds-bundle.yaml index f0e9c2bab..7f7b4c40d 100644 --- a/bundles/k3d-standard/uds-bundle.yaml +++ b/bundles/k3d-standard/uds-bundle.yaml @@ -6,7 +6,11 @@ metadata: name: k3d-core-demo description: A UDS bundle for deploying the standard UDS Core package on a development cluster # x-release-please-start-version +<<<<<<< HEAD version: "0.29.0" +======= + version: "0.28.0" +>>>>>>> 62baad3 (chore(main): release 0.28.0 (#795)) # x-release-please-end packages: @@ -37,7 +41,11 @@ packages: - name: core path: ../../build/ # x-release-please-start-version +<<<<<<< HEAD ref: 0.29.0 +======= + ref: 0.28.0 +>>>>>>> 62baad3 (chore(main): release 0.28.0 (#795)) # x-release-please-end optionalComponents: - istio-passthrough-gateway diff --git a/packages/base/zarf.yaml b/packages/base/zarf.yaml index 254120929..c0c2430ee 100644 --- a/packages/base/zarf.yaml +++ b/packages/base/zarf.yaml @@ -7,7 +7,11 @@ metadata: description: "UDS Core (Base)" authors: "Defense Unicorns - Product" # x-release-please-start-version +<<<<<<< HEAD:packages/base/zarf.yaml version: "0.29.0" +======= + version: "0.28.0" +>>>>>>> 62baad3 (chore(main): release 0.28.0 (#795)):packages/slim-dev/zarf.yaml # x-release-please-end x-uds-dependencies: [] diff --git a/packages/standard/zarf.yaml b/packages/standard/zarf.yaml index a1f2cb03e..e458b11a7 100644 --- a/packages/standard/zarf.yaml +++ b/packages/standard/zarf.yaml @@ -7,7 +7,11 @@ metadata: description: "UDS Core" authors: "Defense Unicorns - Product" # x-release-please-start-version +<<<<<<< HEAD version: "0.29.0" +======= + version: "0.28.0" +>>>>>>> 62baad3 (chore(main): release 0.28.0 (#795)) # x-release-please-end components: diff --git a/tasks/deploy.yaml b/tasks/deploy.yaml index 09325a263..6afb448d1 100644 --- a/tasks/deploy.yaml +++ b/tasks/deploy.yaml @@ -9,7 +9,11 @@ variables: - name: VERSION description: "The version of the packages to deploy" # x-release-please-start-version +<<<<<<< HEAD default: "0.29.0" +======= + default: "0.28.0" +>>>>>>> 62baad3 (chore(main): release 0.28.0 (#795)) # x-release-please-end - name: FLAVOR default: upstream diff --git a/tasks/publish.yaml b/tasks/publish.yaml index 4a523a95d..d80afd36e 100644 --- a/tasks/publish.yaml +++ b/tasks/publish.yaml @@ -14,7 +14,11 @@ variables: - name: VERSION description: "The version of the packages to build" # x-release-please-start-version +<<<<<<< HEAD default: "0.29.0" +======= + default: "0.28.0" +>>>>>>> 62baad3 (chore(main): release 0.28.0 (#795)) # x-release-please-end - name: LAYER