diff --git a/.github/actions/action.yaml b/.github/actions/action.yaml
new file mode 100644
index 00000000..e3213c84
--- /dev/null
+++ b/.github/actions/action.yaml
@@ -0,0 +1,20 @@
+# action.yml
+name: "Setup Environment"
+description: "UDS Environment Setup"
+
+runs:
+ using: "composite"
+ steps:
+
+ - name: Set up Homebrew
+ uses: Homebrew/actions/setup-homebrew@master
+
+ - name: Install Zarf
+ shell: bash
+ # renovate: datasource=github-tags depName=defenseunicorns/zarf versioning=semver
+ run: brew install defenseunicorns/tap/zarf@0.32.1
+
+ - name: Install UDS CLI
+ shell: bash
+ # renovate: datasource=github-tags depName=defenseunicorns/uds-cli versioning=semver
+ run: brew install defenseunicorns/tap/uds@0.7.0
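Review bot: `uses: Homebrew/actions/setup-homebrew@master` on the Set up Homebrew step pulls an unpinned, mutable branch into a workflow that later logs in to registries and publishes to ghcr.io, so whatever lands on that branch runs with this job's credentials; pin it to a reviewed commit, `uses: Homebrew/actions/setup-homebrew@<commit-sha>  # <tag>` (placeholder, fill in the reviewed SHA and tag). The two `brew install ...@<version>` lines already carry renovate markers, so a pinned SHA here would make all three dependencies of this action trackable the same way. The `# action.yml` header comment on the first line does not match the filename `action.yaml`; replace it with a one-line description of what the action installs, e.g. `# Composite action: installs Homebrew, then pinned zarf and uds-cli`.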
diff --git a/.github/workflows/publish-bundle.yaml b/.github/workflows/publish-bundle.yaml
index 55637c14..d105bbd1 100644
--- a/.github/workflows/publish-bundle.yaml
+++ b/.github/workflows/publish-bundle.yaml
@@ -19,6 +19,9 @@ jobs:
repository: ${{ github.repository }}
ref: ${{ github.ref_name }}
+ - name: Environment setup
+ uses: ./.github/actions/setup
+
- name: Login to Registry1
uses: docker/login-action@v3
with:
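Review bot: The new step's `uses: ./.github/actions/setup` points at a directory this commit does not create; the composite action is added at `.github/actions/action.yaml`, so the runner will look for `.github/actions/setup/action.yml` and fail to resolve the local action before any later step runs. Either move the new file to `.github/actions/setup/action.yaml` or change this line to `uses: ./.github/actions`. The enclosing job and its steps list start outside the hunk, so I could not confirm that the checkout step this local action depends on precedes it.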
@@ -53,8 +56,8 @@ jobs:
# Build and publish bundle
####
- name: Build bundle
- run: make build/all
+ run: uds run create-bundle
- name: Publish bundle
- run: ./uds publish uds-bundle-software-factory-nutanix-amd64-*.tar.zst oci://ghcr.io/defenseunicorns/uds-bundle --no-progress
+ run: uds publish uds-bundle-software-factory-nutanix-amd64-*.tar.zst oci://ghcr.io/defenseunicorns/uds-bundle --no-progress
working-directory: build
diff --git a/.vscode/settings.json b/.vscode/settings.json
new file mode 100644
index 00000000..3f1470fa
--- /dev/null
+++ b/.vscode/settings.json
@@ -0,0 +1,46 @@
+{
+ "debug.javascript.terminalOptions": {
+ "enableTurboSourcemaps": true,
+ "resolveSourceMapLocations": [
+ "${workspaceFolder}/**",
+ "node_modules/kubernetes-fluent-client/**",
+ "node_modules/pepr/**"
+ ]
+ },
+ "yaml.schemas": {
+ // renovate: datasource=github-tags depName=defenseunicorns/uds-cli versioning=semver
+ "https://raw.githubusercontent.com/defenseunicorns/uds-cli/v0.7.0/uds.schema.json": [
+ "uds-bundle.yaml"
+ ],
+
+ // renovate: datasource=github-tags depName=defenseunicorns/uds-cli versioning=semver
+ "https://raw.githubusercontent.com/defenseunicorns/uds-cli/v0.7.0/tasks.schema.json": [
+ "tasks.yaml",
+ "tasks/**/*.yaml",
+ "src/**/validate.yaml"
+ ],
+ // renovate: datasource=github-tags depName=defenseunicorns/zarf versioning=semver
+ "https://raw.githubusercontent.com/defenseunicorns/zarf/v0.32.1/zarf.schema.json": [
+ "zarf.yaml"
+ ]
+ },
+ "cSpell.words": [
+ "alertmanager",
+ "Authservice",
+ "automount",
+ "controlplane",
+ "crds",
+ "distros",
+ "ironbank",
+ "Kiali",
+ "Kyverno",
+ "MITM",
+ "neuvector",
+ "opensource",
+ "promtail",
+ "Quickstart",
+ "seccomp",
+ "Sysctls",
+ "Velero"
+ ]
+}
diff --git a/Makefile b/Makefile
deleted file mode 100755
index 5904948c..00000000
--- a/Makefile
+++ /dev/null
@@ -1,133 +0,0 @@
-# The version of Zarf to use. To keep this repo as portable as possible the Zarf binary will be downloaded and added to
-# the build folder.
-# renovate: datasource=github-tags depName=defenseunicorns/zarf
-UDS_CLI_VERSION := v0.7.0
-ZARF_VERSION := v0.32.1
-
-# Figure out which Zarf binary we should use based on the operating system we are on
-ZARF_BIN := zarf
-UNAME_S := $(shell uname -s)
-UNAME_M := $(shell uname -m)
-ifeq ($(UNAME_M),x86_64)
- ARCH := amd64
-else ifeq ($(UNAME_M),amd64)
- ARCH := amd64
-else ifeq ($(UNAME_M),arm64)
- ARCH := arm64
-else
- $(error Unsupported architecture: $(UNAME_M))
-endif
-
-# Silent mode by default. Run `make VERBOSE=1` to turn off silent mode.
-ifndef VERBOSE
-.SILENT:
-endif
-
-# Optionally add the "-it" flag for docker run commands if the env var "CI" is not set (meaning we are on a local machine and not in github actions)
-TTY_ARG :=
-ifndef CI
- TTY_ARG := -it
-endif
-
-.DEFAULT_GOAL := help
-
-# Idiomatic way to force a target to always run, by having it depend on this dummy target
-FORCE:
-
-.PHONY: help
-help: ## Show a list of all targets
- grep -E '^\S*:.*##.*$$' $(MAKEFILE_LIST) \
- | sed -n 's/^\(.*\): \(.*\)##\(.*\)/\1:\3/p' \
- | column -t -s ":"
-
-########################################################################
-# Build Section
-########################################################################
-
-.PHONY: build/all
-build/all: build build/zarf build/uds build/software-factory-namespaces build/idam-dns build/idam-realm build/dubbd-rke2-nutanix build/idam-gitlab build/idam-sonarqube build/db-manifests build/object-store-manifests build/additional-kyverno-exceptions build/uds-bundle-software-factory ## Build everything
-
-
-build: ## Create build directory
- mkdir -p build
-
-.PHONY: clean
-clean: ## Clean up build files
- rm -rf ./build
-
-.PHONY: build/zarf
-build/zarf: | build ## Download the Zarf to the build dir
- if [ -f build/zarf ] && [ "$$(build/zarf version)" = "$(ZARF_VERSION)" ] ; then exit 0; fi && \
- echo "Downloading zarf" && \
- curl -sL https://github.com/defenseunicorns/zarf/releases/download/$(ZARF_VERSION)/zarf_$(ZARF_VERSION)_$(UNAME_S)_$(ARCH) -o build/zarf && \
- chmod +x build/zarf
-
-.PHONY: build/uds
-build/uds: | build ## Download uds-cli to the build dir
- if [ -f build/uds ] && [ "$$(build/uds version)" = "$(UDS_CLI_VERSION)" ] ; then exit 0; fi && \
- echo "Downloading uds-cli" && \
- curl -sL https://github.com/defenseunicorns/uds-cli/releases/download/$(UDS_CLI_VERSION)/uds-cli_$(UDS_CLI_VERSION)_$(UNAME_S)_$(ARCH) -o build/uds && \
- chmod +x build/uds
-
-build/software-factory-namespaces: | build ## Build namespaces package
- cd build && ./zarf package create ../packages/namespaces/ --confirm --output-directory .
-
-build/dubbd-rke2-nutanix: | build ## Build dubbd-rke2-nutanix package
- cd packages/dubbd && ../../build/zarf package create . --skip-sbom --confirm --output-directory ../../build
-
-build/idam-gitlab: | build ## Build idam-gitlab package
- cd build && ./zarf package create ../packages/idam-gitlab/ --confirm --output-directory .
-
-build/idam-sonarqube: | build ## Build idam-sonarqube package
- cd build && ./zarf package create ../packages/idam-sonarqube/ --skip-sbom --confirm --output-directory .
-
-build/idam-dns: | build ## Build idam-dns package
- cd build && ./zarf package create ../packages/idam-dns/ --confirm --output-directory .
-
-build/idam-realm: | build ## Build idam-realm package
- cd build && ./zarf package create ../packages/idam-realm/ --confirm --output-directory .
-
-build/db-manifests: | build ## Build DB Manifests
- cd build && ./zarf package create ../packages/databases/confluence/ --confirm --output-directory .
- cd build && ./zarf package create ../packages/databases/gitlab/ --confirm --output-directory .
- cd build && ./zarf package create ../packages/databases/jira/ --confirm --output-directory .
- cd build && ./zarf package create ../packages/databases/keycloak/ --confirm --output-directory .
- cd build && ./zarf package create ../packages/databases/mattermost/ --confirm --output-directory .
- cd build && ./zarf package create ../packages/databases/nexus/ --confirm --output-directory .
- cd build && ./zarf package create ../packages/databases/sonarqube/ --confirm --output-directory .
-
-build/object-store-manifests: | build ## Build object store Manifests
- cd build && ./zarf package create ../packages/object-store/gitlab/ --confirm --output-directory .
- cd build && ./zarf package create ../packages/object-store/mattermost/ --confirm --output-directory .
-
-build/additional-kyverno-exceptions: | build ## Build additional kyverno exceptions
- cd build && ./zarf package create ../packages/additional-kyverno-exceptions/ --confirm --output-directory .
-
-build/uds-bundle-software-factory: | build ## Build the software factory
- cd build && ./uds create ../ --confirm
- mv uds-bundle-software-factory-*.tar.zst build/
-
-########################################################################
-# Deploy Section
-########################################################################
-
-deploy/test-cluster: ## Deploy the software factory package to the test cluster
- cp uds-config/test-cluster/uds-config.yaml ./build/
- cp deploy-dubbd-values.yaml ./build/
- cd ./build && ./uds deploy uds-bundle-software-factory-*.tar.zst --confirm
-
-deploy/dev-cluster: ## Deploy the software factory package to the dev cluster
- cp uds-config/dev-cluster/uds-config.yaml ./build/
- cp deploy-dubbd-values.yaml ./build/
- cd ./build && ./uds deploy uds-bundle-software-factory-*.tar.zst --confirm
-
-########################################################################
-# Macro Section
-########################################################################
-
-all/test-cluster: build/all deploy/test-cluster ## Build and deploy the software factory to the test cluster
-
-all/dev-cluster: build/all deploy/dev-cluster ## Build and deploy the software factory to the test cluster
-
-.PHONY: rebuild
-rebuild: clean build/all
diff --git a/README.md b/README.md
index 7b4a3964..e2fb3b76 100644
--- a/README.md
+++ b/README.md
@@ -19,13 +19,13 @@ The full list of packages and dependencies installed by the bundle (and an assum
**Infrastructure**:
* Kubernetes cluster
-* Access to the cluster with enough privilage to deploy
-* A valid domain
+* Access to the cluster with enough privilage to deploy
+* A valid domain
> NOTE: `*.bigbang.dev` may be used for demomonstration and test deployments.
* Wildcard certificates to cover your domain (alternatively, expand for full SAN list)
Individual SAN list
-
+
* `confluence.your.domain`
* `gitlab.your.domain`
* `*.pages.your.domain`
@@ -51,7 +51,7 @@ The full list of packages and dependencies installed by the bundle (and an assum
Gitlab
-
+
* gitlab-artifacts
* gitlab-backups
* gitlab-ci-secure-files
@@ -96,18 +96,18 @@ For demonstration purposes, you can setup a local configfile as follows:
* bucket names and credentials
* database names and credentials
-> NOTE: the config must be named `uds-config.yaml` and be present in your working directory at deploy time
+> NOTE: The config must be named `uds-config.yaml` and either be present in your working directory or have the environment variable UDS_CONFIG set to its location at deploy time
### Deployment
Select a target version number and gather the OCI image reference [from the packages page](https://github.com/orgs/defenseunicorns/packages?repo_name=uds-bundle-software-factory-nutanix). With the above prerequisites and configuration complete, you can deploy the bundle directly via OCI:
```
-uds deploy oci://ghcr.io/defenseunicorns/uds-bundle/software-factory-nutanix:0.1.4-amd64 --confirm
+uds deploy oci://ghcr.io/defenseunicorns/uds-bundle/software-factory-nutanix:0.1.x --architecure amd64 --confirm
```
### (OPTIONAL) Local Deployment Reference
Situationally, it may be useful to download the deployment artifact so that it may be referenced offline. This can be accomplished by first downloading the target release:
```
-uds pull oci://ghcr.io/defenseunicorns/uds-bundle/software-factory-nutanix:0.1.4-amd64
+uds pull oci://ghcr.io/defenseunicorns/uds-bundle/software-factory-nutanix:0.1.x --architecture amd64
```
And subsequently deploying from the local file:
@@ -116,30 +116,19 @@ uds deploy uds-bundle-software-factory-nutanix-amd64-0.1.4.tar.zst --confirm
```
## Additional Notes
-For development and testing (both locally and in CI) we have included a Makefile to simplify common tasks. You can follow the breadcrumbs starting at the [Makefile](Makefile) target `make all/dev-cluster`. This Makefile downloads configured versions of zarf and uds to the build directory, places the `uds-config.yaml` in that build directory and performs the deploy command from there. Steps numbered below. Or follow along in the Makefile.
+You can use the uds tasks in this project to build and deploy.
-These targets will show you how to:
-1) download the tools you need like zarf and uds.
-```bash
-.PHONY: build/zarf
-build/zarf: | build ## Download the Zarf to the build dir
- if [ -f build/zarf ] && [ "$$(build/zarf version)" = "$(ZARF_VERSION)" ] ; then exit 0; fi && \
- echo "Downloading zarf" && \
- curl -sL https://github.com/defenseunicorns/zarf/releases/download/$(ZARF_VERSION)/zarf_$(ZARF_VERSION)_$(UNAME_S)_$(ARCH) -o build/zarf && \
- chmod +x build/zarf
-
-.PHONY: build/uds
-build/uds: | build ## Download uds-cli to the build dir
- if [ -f build/uds ] && [ "$$(build/uds version)" = "$(UDS_CLI_VERSION)" ] ; then exit 0; fi && \
- echo "Downloading uds-cli" && \
- curl -sL https://github.com/defenseunicorns/uds-cli/releases/download/$(UDS_CLI_VERSION)/uds-cli_$(UDS_CLI_VERSION)_$(UNAME_S)_$(ARCH) -o build/uds && \
- chmod +x build/uds
-```
-You can also use brew to install zarf and uds-cli
```bash
-brew tap defenseunicorns/tap && brew install uds && brew install zarf
+# List the available tasks to run
+uds run --list
+
+# Run the create-bundle task
+uds run create-bundle
+
+# Run the deploy-bundle-to-dev task
+uds run deploy-bundle-to-dev
+
+# Run the deploy-bundle-to-test task
+uds run deploy-bundle-to-test
```
-2) build all the zarf packages that support this bundle
-1) build the bundle itself
-1) place the `uds-config.yaml` in the directory where the deployment will take place
-1) deploy the software factory.
+
diff --git a/uds-bundle.yaml b/bundles/dubbd-swf/uds-bundle.yaml
similarity index 85%
rename from uds-bundle.yaml
rename to bundles/dubbd-swf/uds-bundle.yaml
index 09036d87..8e69d48a 100644
--- a/uds-bundle.yaml
+++ b/bundles/dubbd-swf/uds-bundle.yaml
@@ -18,7 +18,7 @@ packages:
# Namespace pre-reqs for swf capabilities
- name: software-factory-namespaces
- path: build
+ path: ../../build
ref: 1.0.0
# MetalLB
@@ -28,17 +28,17 @@ packages:
# Defense Unicorns Big Bang Distro
- name: dubbd-rke2-nutanix
- path: build
+ path: ../../build
ref: 0.18.0-n1
# Additional Kyverno Exceptions
- name: additional-kyverno-exceptions
- path: build
+ path: ../../build
ref: 0.0.1
# Change the realm file keycloak imports from
- name: software-factory-idam-realm
- path: build
+ path: ../../build
ref: 1.0.1
optional-components:
- exported-variables
@@ -47,7 +47,7 @@ packages:
# Identity and Access Management
- name: keycloak-database-manifests
- path: build
+ path: ../../build
ref: 0.0.1
- name: uds-idam
@@ -59,7 +59,7 @@ packages:
# GitLab SSO secret and variables
- name: software-factory-idam-gitlab
- path: build
+ path: ../../build
ref: 1.0.1
exports:
- name: GITLAB_IDAM_ENABLED
@@ -68,7 +68,7 @@ packages:
# SonarQube SSO secret and variables
- name: software-factory-idam-sonarqube
- path: build
+ path: ../../build
ref: 1.0.1
exports:
- name: SONARQUBE_IDAM_ENABLED
@@ -85,11 +85,15 @@ packages:
ref: 0.1.17
- name: gitlab-object-store
- path: build
+ path: ../../build
ref: 0.0.1
- - name: gitlab-database-manifests
- path: build
+ - name: gitlab-database-secret
+ path: ../../build
+ ref: 0.0.1
+
+ - name: gitlab-database-service
+ path: ../../build
ref: 0.0.1
- name: gitlab
@@ -113,8 +117,12 @@ packages:
ref: 0.1.4
# Sonarqube
- - name: sonarqube-database-manifests
- path: build
+ - name: sonarqube-database-secret
+ path: ../../build
+ ref: 0.0.1
+
+ - name: sonarqube-database-service
+ path: ../../build
ref: 0.0.1
- name: sonarqube
@@ -137,8 +145,12 @@ packages:
package: software-factory-idam-sonarqube
# Jira
- - name: jira-database-manifests
- path: build
+ - name: jira-database-secret
+ path: ../../build
+ ref: 0.0.1
+
+ - name: jira-database-service
+ path: ../../build
ref: 0.0.1
- name: jira
@@ -146,8 +158,12 @@ packages:
ref: 0.1.7
# Confluence
- - name: confluence-database-manifests
- path: build
+ - name: confluence-database-secret
+ path: ../../build
+ ref: 0.0.1
+
+ - name: confluence-database-service
+ path: ../../build
ref: 0.0.1
- name: confluence
@@ -156,11 +172,11 @@ packages:
# Mattermost Operator with a Mattermost instance
- name: mattermost-object-store
- path: build
+ path: ../../build
ref: 0.0.1
- name: mattermost-database-manifests
- path: build
+ path: ../../build
ref: 0.0.1
- name: mattermost
@@ -169,7 +185,7 @@ packages:
# Nexus
- name: nexus-database-manifests
- path: build
+ path: ../../build
ref: 0.0.1
- name: nexus
@@ -178,7 +194,7 @@ packages:
# Add all virtualservices as internal dns entries for auth callbacks
- name: software-factory-idam-dns
- path: build
+ path: ../../build
ref: 1.0.0
optional-components:
- create-internal-dns-entries
diff --git a/bundles/uds-core-swf/uds-bundle.yaml b/bundles/uds-core-swf/uds-bundle.yaml
new file mode 100644
index 00000000..1d9b564c
--- /dev/null
+++ b/bundles/uds-core-swf/uds-bundle.yaml
@@ -0,0 +1,243 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/defenseunicorns/uds-cli/v0.5.1/uds.schema.json
+kind: UDSBundle
+metadata:
+ name: uds-core-swf
+ description: A UDS bundle for deploying a software factory to an RKE2 cluster
+ version: "0.0.1"
+ architecture: amd64
+
+packages:
+ # Zarf init
+ - name: init
+ repository: ghcr.io/defenseunicorns/uds-capability/rook-ceph/init
+ optional-components:
+ - git-server
+ ref: v0.32.1-0.2.1
+
+ # Namespace pre-reqs for swf capabilities
+ - name: software-factory-namespaces
+ path: ../../build
+ ref: 1.0.0
+
+ # MetalLB
+ - name: metallb
+ repository: ghcr.io/defenseunicorns/packages/metallb
+ ref: 0.0.5-amd64
+
+ - name: core
+ # repository: ghcr.io/defenseunicorns/packages/uds/core
+ repository: ghcr.io/blancharda/uds-core-ish/core
+ ref: 0.12.0-upstream
+ overrides:
+ loki:
+ loki:
+ values:
+ # Override default dns service name for Loki Gateway
+ - path: "global.dnsService"
+ value: "rke2-coredns-rke2-coredns"
+ istio-admin-gateway:
+ uds-istio-config:
+ variables:
+ - name: ADMIN_TLS_CERT
+ description: "The TLS cert for the admin gateway (must be base64 encoded)"
+ path: tls.cert
+ - name: ADMIN_TLS_KEY
+ description: "The TLS key for the admin gateway (must be base64 encoded)"
+ path: tls.key
+ istio-tenant-gateway:
+ uds-istio-config:
+ variables:
+ - name: TENANT_TLS_CERT
+ description: "The TLS cert for the tenant gateway (must be base64 encoded)"
+ path: tls.cert
+ - name: TENANT_TLS_KEY
+ description: "The TLS key for the tenant gateway (must be base64 encoded)"
+ path: tls.key
+
+ # legacy requirements of DUBBD like flux (TODO -- remove someday)
+ - name: dubbd-legacy-reqs
+ path: ../../build
+ ref: 0.0.1
+
+ # Change the realm file keycloak imports from
+ - name: software-factory-idam-realm
+ path: ../../build
+ ref: 1.0.1
+ optional-components:
+ - exported-variables
+ exports:
+ - name: REALM_IMPORT_FILE
+
+ # Identity and Access Management
+ - name: keycloak-database-manifests
+ path: ../../build
+ ref: 0.0.1
+
+ - name: uds-idam
+ repository: ghcr.io/defenseunicorns/uds-capability/uds-idam
+ ref: 0.2.0-amd64
+ imports:
+ - name: REALM_IMPORT_FILE
+ package: software-factory-idam-realm
+
+ # SonarQube SSO secret and variables
+ - name: software-factory-idam-sonarqube
+ path: ../../build
+ ref: 1.0.1
+ exports:
+ - name: SONARQUBE_IDAM_ENABLED
+ - name: SONARQUBE_IDAM_CLIENT_ID
+ - name: SONARQUBE_IDAM_PROVIDER_NAME
+ - name: SONARQUBE_IDAM_SAML_CERT
+ - name: SONARQUBE_IDAM_ATTR_LOGIN
+ - name: SONARQUBE_IDAM_ATTR_NAME
+ - name: SONARQUBE_IDAM_PROVIDER_EMAIL
+
+ # Gitlab
+ - name: gitlab-redis
+ repository: ghcr.io/defenseunicorns/packages/uds/dev-redis
+ ref: 0.0.1
+
+ - name: gitlab-redis-secret
+ path: ../../build
+ ref: 0.0.1
+
+ - name: gitlab-object-store
+ path: ../../build
+ ref: 0.0.1
+
+ - name: gitlab-database-secret
+ path: ../../build
+ ref: 0.0.1
+
+ - name: gitlab
+ repository: ghcr.io/defenseunicorns/packages/uds/gitlab
+ ref: 16.8.1-uds.2-registry1
+
+ # Gitlab Runner
+ - name: gitlab-runner
+ repository: ghcr.io/defenseunicorns/packages/uds/gitlab-runner
+ ref: 16.8.0-uds.0-registry1
+
+ # Sonarqube
+ - name: sonarqube-database-secret
+ path: ../../build
+ ref: 0.0.1
+
+ - name: sonarqube
+ repository: ghcr.io/defenseunicorns/packages/uds/sonarqube
+ ref: 8.0.3-uds.4-registry1
+ imports:
+ - name: SONARQUBE_IDAM_ENABLED
+ package: software-factory-idam-sonarqube
+ - name: SONARQUBE_IDAM_CLIENT_ID
+ package: software-factory-idam-sonarqube
+ - name: SONARQUBE_IDAM_PROVIDER_NAME
+ package: software-factory-idam-sonarqube
+ - name: SONARQUBE_IDAM_SAML_CERT
+ package: software-factory-idam-sonarqube
+ - name: SONARQUBE_IDAM_ATTR_LOGIN
+ package: software-factory-idam-sonarqube
+ - name: SONARQUBE_IDAM_ATTR_NAME
+ package: software-factory-idam-sonarqube
+ - name: SONARQUBE_IDAM_PROVIDER_EMAIL
+ package: software-factory-idam-sonarqube
+
+ # Jira
+ - name: jira-database-secret
+ path: ../../build
+ ref: 0.0.1
+
+ - name: jira
+ repository: ghcr.io/defenseunicorns/packages/uds/jira
+ ref: 1.17.0-uds.1-registry1
+ overrides:
+ jira:
+ jira:
+ variables:
+ - name: LOCAL_HOME_ENABLED
+ path: "valumes.localHome.persistentVolumeClaim.create"
+ description: "Local Home Toggle"
+ default: "true"
+ - name: RWO_STORAGE_CLASS
+ path: "valumes.localHome.persistentVolumeClaim.storageClassName"
+ description: "RWO storage class name"
+ default: "ceph-block"
+ - name: LOCAL_HOME_SIZE
+ path: "valumes.localHome.persistentVolumeClaim.resources.requests.storage"
+ description: "Storage size"
+ default: "128Gi"
+
+ # Confluence
+ - name: confluence-database-secret
+ path: ../../build
+ ref: 0.0.1
+
+ - name: confluence
+ repository: ghcr.io/defenseunicorns/packages/uds/confluence
+ ref: 1.17.0-uds.1-registry1
+ overrides:
+ confluence:
+ confluence:
+ variables:
+ - name: LOCAL_HOME_ENABLED
+ path: "valumes.localHome.persistentVolumeClaim.create"
+ description: "Local Home Toggle"
+ default: "true"
+ - name: RWO_STORAGE_CLASS
+ path: "valumes.localHome.persistentVolumeClaim.storageClassName"
+ description: "RWO storage class name"
+ default: "ceph-block"
+ - name: LOCAL_HOME_SIZE
+ path: "valumes.localHome.persistentVolumeClaim.resources.requests.storage"
+ description: "Storage size"
+ default: "128Gi"
+
+ # Mattermost
+ - name: mattermost
+ repository: ghcr.io/defenseunicorns/packages/uds/mattermost
+ ref: 9.4.1-uds.2-registry1
+ overrides:
+ mattermost:
+ uds-mattermost-config:
+ variables:
+ - name: OBJECT_STORE_SECURE
+ path: "objectStorage.secure"
+ description: "Object storage ssl"
+ default: "false"
+ - name: OBJECT_STORE_ENDPOINT
+ path: "objectStorage.endpoint"
+ description: "Object storage endpoint"
+ default: "swf.objects.mtsi.bigbang.dev"
+ - name: OBJECT_STORE_BUCKET
+ path: "objectStorage.bucket"
+ description: "Object storage bucket"
+ default: "mattermost-bucket-dev"
+ - name: DB_ENDPOINT
+ path: "postgres.host"
+ description: "Postgres DB endpoint"
+ default: "mattermost-pg.mtsi-dev.bigbang.dev"
+ - name: DB_USERNAME
+ path: "postgres.username"
+ description: "Postgres DB username"
+ default: "postgres"
+ - name: DB_NAME
+ path: "postgres.dbName"
+ description: "Postgres DB database name"
+ default: "mattermostdb"
+ - name: DB_OPTIONS
+ path: "postgres.connectionOptions"
+ description: "Postgres DB connection options"
+ default: "?connect_timeout=10"
+
+ # Nexus
+ - name: nexus
+ repository: ghcr.io/defenseunicorns/packages/uds/nexus
+ ref: 3.64.0-uds.1-registry1
+
+ # Add all virtualservices as internal dns entries for auth callbacks
+ - name: software-factory-idam-dns
+ path: ../../build
+ ref: 1.0.0
+ optional-components:
+ - create-internal-dns-entries
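Review bot: The override paths `valumes.localHome.persistentVolumeClaim.*` under both the jira and confluence packages misspell `volumes`, so LOCAL_HOME_ENABLED, RWO_STORAGE_CLASS and LOCAL_HOME_SIZE would most likely be written to an unused values key and the local-home persistent-volume settings fall back to the chart defaults; each should read `path: "volumes.localHome.persistentVolumeClaim.create"` (and likewise for `storageClassName` and `resources.requests.storage`). The `core` package is pulled from `ghcr.io/blancharda/uds-core-ish/core`, a personal namespace, with the official `ghcr.io/defenseunicorns/packages/uds/core` left commented out; if this is a temporary workaround it needs a TODO stating the reason and the intended switch-back, since the bundle's platform components now come from a source outside the project's organisation. The `yaml-language-server` comment on the first line pins uds-cli v0.5.1 while the rest of this commit pins v0.7.0, so the editor validates this file against an older schema than the CLI that consumes it. The mattermost defaults `swf.objects.mtsi.bigbang.dev` and `mattermost-pg.mtsi-dev.bigbang.dev` are environment-specific hostnames baked into the bundle; consider leaving them unset here and supplying them through `uds-config.yaml` as the README describes.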
diff --git a/docs/packages-and-dependencies-uds-core.md b/docs/packages-and-dependencies-uds-core.md
new file mode 100644
index 00000000..34d55aa8
--- /dev/null
+++ b/docs/packages-and-dependencies-uds-core.md
@@ -0,0 +1,72 @@
+# Packages
+
+The UDS Software Factory (SWF) bundle is made up of many components and installs many software packages. Additionally, there are infrastructure dependencies for managing and deploying Kubernetes itself, not all of which are contained within this repo. However, in order to present as much context as possible with regard to dependencies, we will attempt to outline all of them in a comprehensive list categorized by installation source.
+
+> NOTE that external dependencies such as operating system packages and STIG application are based on assumptions about the environment. They are intended to be exemplary and may need to be adjusted/updated based on your ACTUAL system.
+
+## CLI Tools
+This list covers tools which would be required on a developer machine in order to stand up or maintain a deployment of UDS SWF.
+
+| Tool | Version | Description |
+|----|----|----|
+| [terraform](https://github.com/hashicorp/terraform) | v1.6.4 | An Infrastructure As Code (IAC) tool for managing the deployment of virtual resources (VMs, databases, object storage) within Nutanix |
+| [kubectl](https://github.com/kubernetes/kubectl) | v1.28.4 | Kubernetes management utility and CLI used by cluster admins to interact directly with a Kubernetes cluster |
+| [helm](https://github.com/helm/helm) | v3.13.2 | Kubernetes package manager CLI used to review the status of deployments in the cluster |
+| [Zarf](https://github.com/defenseunicorns/zarf) | v0.32.1 | A custom tool for packaging and delivering software components (such as gitlab) across an airgap |
+| [UDS](https://github.com/defenseunicorns/uds-cli) | v0.7.0 | A custom tool for automating and simplifying the management of multiple Zarf deployments in one environment |
+
+## Operating System Package Installs
+This list covers tools and packages installed in the Operating System of the virtual machines allocated to run Kubernetes. This list is obviously not exhaustive, but instead covers what is being added to the base STIG'd image.
+
+| Package | Version | Description |
+|----|----|----|
+| [rke2](https://github.com/rancher/rke2/releases/) | v1.27.6+rke2r1 | A Kubernetes distribution provided by Rancher, focused on security compliance for Government workloads |
+| [iptables](https://linux.die.net/man/8/iptables) | v1.8.4 | A linux tool for managing local IPv4 packet filtering and NAT routing |
+| [postgres14](https://download.postgresql.org/pub/repos/yum/reporpms/EL-8-x86_64/pgdg-redhat-repo-latest.noarch.rpm) | 14.10 | Database server required as part of initial setup |
+| [lvm2](https://gitlab.com/lvmteam/lvm2) | 2.03.14(2)-RHEL8 | Logical volume management tool needed by rook/ceph |
+| [rke2-selinux](https://github.com/rancher/rke2-selinux) | 0.14-1.el8 | Package needed by RKE2 for systems running selinux |
+| [postgis33_14](https://postgis.net/docs/manual-3.3/) | 3.3.5-1PGDG.rhel8 | Postgres extension used for geoggraphical data needed by GitLab |
+
+## Ansible Playbooks // Collections
+The following are Ansible playbooks and collections run on the host VMs during the image building process, installing further dependencies and applying STIG's.
+
+| Name | Version | Description |
+|----|----|----|
+| [community.general](https://docs.ansible.com/ansible/latest/collections/community/general/index.html) | 7.5.1 | A collection of Ansible modules and tools used for orchistrating STIG application during the VM image build process |
+| [ansible.posix](https://docs.ansible.com/ansible/latest/collections/ansible/posix/index.html) | 1.5.4 | Collection of Ansible modules for interacting with POSIX based operating systems such as RHEL; used during the image build process |
+| [RHEL 8 STIGs](https://public.cyber.mil/stigs/supplemental-automation-content/) | 1.12 | Automated application of RHEL 8 STIG requirements used during the image build process. |
+
+## UDS Software Factory Bundle
+The UDS Software Factory Bundle (SWF) is a collection of Zarf packages which include the full set of tooling and applications installed into the cluster to create a secure software development environment. A portion of the tooling (Defense Unicorns UDS-Core) has been expanded into a separate section below for clarity. SWF installs the following:
+
+| Name | Package Version (internal) | Application Version | Description |
+|----|----|----|----|
+| [Rook Ceph Zarf Init](https://github.com/defenseunicorns/uds-capability-rook-ceph/pkgs/container/uds-capability%2Frook-ceph%2Finit) | v0.31.4-0.1.2 | N/A | A zarf component installed in the cluster for orchestrating further deployment of Zarf based packages |
+| [MetalLB](https://github.com/defenseunicorns/uds-capability-metallb/tree/v0.0.4) | 0.0.5 | v0.13.12 | Tool for providing load balancer capabilities for ingress into a Kubernetes deployment |
+| [uds-core](https://github.com/defenseunicorns/uds-core) | 0.12.0 | N/A | [DESCRIPTION BELOW](#UDS-Core) |
+| [Keycloak](https://github.com/defenseunicorns/uds-idam) | 0.2.0 | 21.1.1 | An identity and access management (IDAM) tool used to authenticate users for access to applications |
+| [Redis](https://github.com/defenseunicorns/uds-package-dependencies) | 0.0.1 | 7.0.12 | A key-value store used as a data backend for several applications in the stack |
+| [Gitlab](https://github.com/defenseunicorns/uds-package-gitlab) | 16.8.1-uds.2-registry1 | 16.8.1 | A source control management tool used in the software development lifecycle for storing, updating, building and deploying custom software |
+| [Gitlab Runner](https://github.com/defenseunicorns/uds-package-gitlab-runner) | 16.8.0-uds.0-registry1 | v16.8.0 | A counterpart to Gitlab (above) in which automated software builds, tests and deployments are executed |
+| [Sonarqube](https://github.com/defenseunicorns/uds-package-sonarqube) | 8.0.3-uds.4-registry1 | 9.9.3-community | A code inspection tool used during automated pipelines to evaluate security considerations of custom software and packaged images |
+| [Jira](https://github.com/defenseunicorns/uds-package-jira) | 1.17.0-uds.1-registry1 | 9.12.0 | A collaboration tool used for team management and task organization |
+| [Confluence](https://github.com/defenseunicorns/uds-package-confluence) | 1.17.0-uds.1-registry1 | 8.7.1 | A knowledge management tool used by teams to organize information |
+| [Mattermost](https://github.com/defenseunicorns/uds-package-mattermost) | 9.4.1-uds.2-registry1 | 9.4.2 | An instance of Mattermost, a self-hosted chat and collaboration platform |
+| [Nexus](https://github.com/defenseunicorns/uds-package-nexus) | 3.64.0-uds.1-registry1 | 3.64.0-03 | An artifact repository used for storing compiled application libraries, packages, images and other such artifacts |
+
+## UDS Core
+ UDS Core is a collection of tools that provide administrative capabilities such as deployment automation, centralized logging, monitoring, alerting and runtime security to a kubernetes cluster. The following applications and tools are installed:
+
+| Package | Version | Description |
+|----|----|----|
+| [Flux](https://github.com/fluxcd/flux2/releases) | 2.2.2 | A GitOps based manager for scheduling deployments in the cluster (NOTE: will be removed soon) |
+| [Istio](https://istio.io/latest/) | 1.20.3 | A package detailing the configuration of the deployed service mesh -- used by the operator to apply the desired state in the cluster |
+| [Loki](https://grafana.com/oss/loki/) | 2.9.4 | A Grafana product for aggregating and querying log data |
+| [Promtail](https://grafana.com/docs/loki/latest/send-data/promtail/) | 2.9.2 | A logging daemon installed on each cluster node to capture logs from the host and all cluster workload processes. Logs are shipped to Loki |
+| [Prometheus](https://prometheus.io/) | 2.49.1 | A product for storing and querying time series based data such as system performance metrics (CPU/MEM usage) |
+| [Grafana](https://github.com/grafana/grafana) | 10.3.1 | A Grafana product to provide a frontend interface to display and query performance information from Prometheus, log data from Loki, and request tracing information from Tempo |
+| [Neuvector](https://www.suse.com/neuvector/) | 5.2.2 | A kubernetes security suite that provides CVE scanning for hosts and images, as well as runtime security monitoring and protection |
+| [Velero](https://repo1.dso.mil/big-bang/product/packages/velero) | TBD | A tool for orchistrating backups of cluster state and storage |
+| [Authservice](https://github.com/istio-ecosystem/authservice) | 0.5.3 | A tool for simplifying and automating auth workflows via Istio integration |
+| [Metrics Server](https://github.com/kubernetes-sigs/metrics-server) | 0.6.4 | A container metrics aggregation and exporter for kubernetes |
+| [Pepr](https://pepr.dev/) | 0.25.0 | Declarative automation for managing deployments and security policy enorcement |
diff --git a/our-keycloak-values.yaml b/our-keycloak-values.yaml
new file mode 100644
index 00000000..10d112c9
--- /dev/null
+++ b/our-keycloak-values.yaml
@@ -0,0 +1,186 @@
+fullnameOverride: keycloak
+args:
+- start
+- --import-realm
+command:
+- /opt/keycloak/bin/kc.sh
+domain: ###ZARF_VAR_DOMAIN###
+extraEnv: |-
+ - name: CUSTOM_REGISTRATION_CONFIG
+ value: /opt/jboss/keycloak/customreg.yaml
+ - name: KC_HTTPS_CERTIFICATE_FILE
+ value: /opt/keycloak/conf/tls.crt
+ - name: KC_HTTPS_CERTIFICATE_KEY_FILE
+ value: /opt/keycloak/conf/tls.key
+ - name: KC_HTTPS_TRUST_STORE_FILE
+ value: /opt/keycloak/conf/truststore.jks
+ - name: KC_HTTPS_TRUST_STORE_PASSWORD
+ value: password
+ - name: KC_HTTPS_CLIENT_AUTH
+ value: request
+ - name: KC_PROXY
+ value: passthrough
+ - name: KC_HTTP_ENABLED
+ value: "true"
+ - name: KC_HTTP_RELATIVE_PATH
+ value: /auth
+ - name: KC_HOSTNAME
+ value: ###ZARF_VAR_KEYCLOAK_SUBDOMAIN###.###ZARF_VAR_DOMAIN###
+ - name: KC_HOSTNAME_STRICT
+ value: "true"
+ - name: KC_HOSTNAME_STRICT_HTTPS
+ value: "true"
+ - name: KC_LOG_LEVEL
+ value: "org.keycloak.events:DEBUG,org.infinispan:INFO,org.jgroups:INFO"
+ - name: KC_CACHE
+ value: ispn
+ - name: KC_CACHE_STACK
+ value: kubernetes
+extraInitContainers: |-
+ - name: plugin
+ image: registry1.dso.mil/ironbank/big-bang/p1-keycloak-plugin:3.2.1
+ imagePullPolicy: Always
+ command:
+ - sh
+ - -c
+ - |
+ cp /app/p1-keycloak-plugin.jar /init
+ ls -l /init
+ volumeMounts:
+ - name: plugin
+ mountPath: "/init"
+extraVolumeMounts: |-
+ - name: certauthority
+ mountPath: /etc/x509/https/cas.pem
+ subPath: cas.pem
+ readOnly: true
+ - name: customreg
+ mountPath: /opt/jboss/keycloak/customreg.yaml
+ subPath: customreg.yaml
+ readOnly: true
+ - name: plugin
+ mountPath: /opt/keycloak/providers/p1-keycloak-plugin.jar
+ subPath: p1-keycloak-plugin.jar
+ - name: quarkusproperties
+ mountPath: /opt/keycloak/conf/quarkus.properties
+ subPath: quarkus.properties
+ - name: realm
+ mountPath: /opt/keycloak/data/import/realm.json
+ subPath: realm.json
+ - name: truststore
+ mountPath: /opt/keycloak/conf/truststore.jks
+ subPath: truststore.jks
+extraVolumeMountsBigBang:
+- mountPath: /etc/x509/https/tls.crt
+ name: tlscert
+ readOnly: true
+ subPath: tls.crt
+- mountPath: /etc/x509/https/tls.key
+ name: tlskey
+ readOnly: true
+ subPath: tls.key
+- mountPath: /opt/keycloak/conf/tls.crt
+ name: tlscert
+ readOnly: true
+ subPath: tls.crt
+- mountPath: /opt/keycloak/conf/tls.key
+ name: tlskey
+ readOnly: true
+ subPath: tls.key
+extraVolumes: |-
+ - name: certauthority
+ secret:
+ secretName: {{ include "keycloak.fullname" . }}-certauthority
+ - name: plugin
+ emptyDir: {}
+ - name: quarkusproperties
+ secret:
+ secretName: {{ include "keycloak.fullname" . }}-quarkusproperties
+ defaultMode: 0777
+ - name: realm
+ secret:
+ secretName: {{ include "keycloak.fullname" . }}-realm
+ - name: customreg
+ secret:
+ secretName: {{ include "keycloak.fullname" . }}-customreg
+ - name: truststore
+ secret:
+ secretName: {{ include "keycloak.fullname" . }}-truststore
+extraVolumesBigBang:
+- name: tlscert
+ secret:
+ secretName: keycloak-tlscert
+- name: tlskey
+ secret:
+ secretName: keycloak-tlskey
+hostname: ###ZARF_VAR_DOMAIN###
+istio:
+ enabled: true
+ injection: enabled
+ keycloak:
+ enabled: true
+ gateways:
+ - istio-system/passthrough
+ hosts:
+ - '###ZARF_VAR_KEYCLOAK_SUBDOMAIN###.###ZARF_VAR_DOMAIN###'
+
+monitoring:
+ enabled: false
+networkPolicies:
+ controlPlaneCidr: 0.0.0.0/0
+ enabled: false
+ ingressLabels:
+ app: passthrough-ingressgateway
+ istio: null
+postgresql:
+ enabled: ###ZARF_VAR_KEYCLOAK_DEV_DB_ENABLED###
+ fullnameOverride: keycloak-postgresql
+ postgresqlUsername: ###ZARF_VAR_KEYCLOAK_DB_USERNAME###
+ postgresqlPassword: ###ZARF_VAR_KEYCLOAK_DB_PASSWORD###
+replicas: 1
+secrets:
+ certauthority:
+ stringData:
+ cas.pem: '{{ .Files.Get "resources/dev/dod_cas.pem" }}'
+ env:
+ stringData:
+ X509_CA_BUNDLE: /etc/x509/https/cas.pem
+ KEYCLOAK_ADMIN: ###ZARF_VAR_KEYCLOAK_ADMIN_USERNAME###
+ KEYCLOAK_ADMIN_PASSWORD: ###ZARF_VAR_KEYCLOAK_ADMIN_PASSWORD###
+ KC_DB_USERNAME: ###ZARF_VAR_KEYCLOAK_DB_USERNAME###
+ KC_DB_PASSWORD: ###ZARF_VAR_KEYCLOAK_DB_PASSWORD###
+ KC_DB: postgres
+ KC_DB_URL: jdbc:postgresql://###ZARF_VAR_KEYCLOAK_DB_ENDPOINT###/###ZARF_VAR_KEYCLOAK_DB_NAME###
+ quarkusproperties:
+ stringData:
+ quarkus.properties: |-
+ quarkus.http.non-application-root-path=/
+ # custom redirects
+ quarkus.kc-routing.path-redirect./=/auth/realms/###ZARF_VAR_REALM###/account
+ quarkus.kc-routing.path-redirect./auth=/auth/realms/###ZARF_VAR_REALM###/account
+ quarkus.kc-routing.path-redirect./register=/auth/realms/###ZARF_VAR_REALM###/protocol/openid-connect/registrations?client_id=account&response_type=code
+ quarkus.kc-routing.path-prefix./oauth/authorize=/auth/realms/###ZARF_VAR_REALM###/protocol/openid-connect/auth
+ quarkus.kc-routing.path-filter./api/v4/user=/auth/realms/###ZARF_VAR_REALM###/protocol/openid-connect/userinfo
+ quarkus.kc-routing.path-filter./oauth/token=/auth/realms/###ZARF_VAR_REALM###/protocol/openid-connect/token
+ # block metrics and health enpoints from being exposed through the istio ingress
+ quarkus.kc-routing.path-recursive-block./metrics=8443
+ quarkus.kc-routing.path-recursive-block./health=8443
+ realm:
+ stringData:
+ realm.json: |
+ ###ZARF_VAR_REALM_IMPORT_FILE###
+ tlscert:
+ stringData:
+ tls.crt: |
+ ###ZARF_VAR_KEYCLOAK_CERT_FILE###
+ tlskey:
+ stringData:
+ tls.key: |
+ ###ZARF_VAR_KEYCLOAK_KEY_FILE###
+ customreg:
+ stringData:
+ customreg.yaml: |
+ ###ZARF_VAR_REALM_CUSTOM_REG_FILE###
+ truststore:
+ data:
+ truststore.jks: ###ZARF_VAR_REALM_TRUSTSTORE_FILE###
\ No newline at end of file
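Review bot: The `quarkusproperties` secret volume sets `defaultMode: 0777`, which mounts a file under /opt/keycloak/conf world-writable and executable although nothing in this file needs more than read access; the other secret volumes keep the default mode and the `certauthority`/`customreg` mounts are explicitly `readOnly: true`. Drop the override or set `defaultMode: 0444`, and add `readOnly: true` to the `quarkusproperties`, `realm`, `plugin` and `truststore` mounts. Separately, `KC_HTTPS_TRUST_STORE_PASSWORD` is the literal `password` committed in plaintext while every other credential in this file comes from a `###ZARF_VAR_…###`; even though a JKS truststore password only guards integrity of public CA material, it should be sourced the same way, e.g. `value: ###ZARF_VAR_KEYCLOAK_TRUSTSTORE_PASSWORD###`. With `networkPolicies.enabled: false` the `controlPlaneCidr: 0.0.0.0/0` is inert, but turning off network policies for the identity provider deserves a comment stating why.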
diff --git a/packages/databases/confluence/policy-exceptions/externalName.yaml b/packages/additional-kyverno-exceptions/confluence/external-name.yaml
similarity index 100%
rename from packages/databases/confluence/policy-exceptions/externalName.yaml
rename to packages/additional-kyverno-exceptions/confluence/external-name.yaml
diff --git a/packages/databases/gitlab/policy-exceptions/externalName.yaml b/packages/additional-kyverno-exceptions/gitlab/external-name.yaml
similarity index 100%
rename from packages/databases/gitlab/policy-exceptions/externalName.yaml
rename to packages/additional-kyverno-exceptions/gitlab/external-name.yaml
diff --git a/packages/additional-kyverno-exceptions/gitlab/non-root-group.yaml b/packages/additional-kyverno-exceptions/gitlab/non-root-group.yaml
index a2bd9509..2e8b883d 100644
--- a/packages/additional-kyverno-exceptions/gitlab/non-root-group.yaml
+++ b/packages/additional-kyverno-exceptions/gitlab/non-root-group.yaml
@@ -18,3 +18,4 @@ spec:
names:
- deployment-gitlab-toolbox-backup*
- gitlab-toolbox-backup*
+ - gitlab-gitlab-pages*
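Review bot: `gitlab-gitlab-pages*` widens a require-non-root-group exemption to every pod with that prefix without a recorded reason; the neighbouring entries are equally unexplained, but this one is new. Add a comment above it naming which container needs GID 0 and why, e.g. `# gitlab-pages presumably runs with runAsGroup 0 per the upstream chart — TODO confirm`, so the exception has a visible exit condition when upstream changes.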
diff --git a/packages/databases/jira/policy-exceptions/externalName.yaml b/packages/additional-kyverno-exceptions/jira/external-name.yaml
similarity index 100%
rename from packages/databases/jira/policy-exceptions/externalName.yaml
rename to packages/additional-kyverno-exceptions/jira/external-name.yaml
diff --git a/packages/additional-kyverno-exceptions/jira/non-root-user.yaml b/packages/additional-kyverno-exceptions/jira/non-root.yaml
similarity index 82%
rename from packages/additional-kyverno-exceptions/jira/non-root-user.yaml
rename to packages/additional-kyverno-exceptions/jira/non-root.yaml
index 3d70aebd..5894e592 100644
--- a/packages/additional-kyverno-exceptions/jira/non-root-user.yaml
+++ b/packages/additional-kyverno-exceptions/jira/non-root.yaml
@@ -8,9 +8,9 @@ spec:
- policyName: require-non-root-user
ruleNames:
- non-root-user
- - policyName: restrict-host-path-write
+ - policyName: require-non-root-group
ruleNames:
- - require-readonly-hostpath
+ - run-as-group
match:
any:
- resources:
diff --git a/packages/databases/keycloak/policy-exceptions/externalName.yaml b/packages/additional-kyverno-exceptions/keycloak/external-name.yaml
similarity index 100%
rename from packages/databases/keycloak/policy-exceptions/externalName.yaml
rename to packages/additional-kyverno-exceptions/keycloak/external-name.yaml
diff --git a/packages/additional-kyverno-exceptions/keycloak/non-root-group.yaml b/packages/additional-kyverno-exceptions/keycloak/non-root-group.yaml
new file mode 100644
index 00000000..207ae5df
--- /dev/null
+++ b/packages/additional-kyverno-exceptions/keycloak/non-root-group.yaml
@@ -0,0 +1,19 @@
+apiVersion: kyverno.io/v2beta1
+kind: PolicyException
+metadata:
+ name: keycloak-non-root-group-exception
+ namespace: keycloak
+spec:
+ exceptions:
+ - policyName: require-non-root-group
+ ruleNames:
+ - run-as-group
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ namespaces:
+ - keycloak
+ names:
+ - keycloak-0
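Review bot: The match on the literal pod name `keycloak-0` exempts only the first StatefulSet replica; the accompanying values file pins `replicas: 1`, so this works today, but raising replicas will produce `keycloak-1`… that require-non-root-group then rejects, and the failure will look unrelated to this file. Either record the coupling next to the name, `# only replica 0 — widen this exception before scaling keycloak`, or, if the Kyverno version in use supports a `selector` in the PolicyException match, match on the StatefulSet's pod label instead of the pod name while keeping the scope to the `keycloak` namespace. Also document why Keycloak needs a root group at all so the exception can be retired.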
diff --git a/packages/object-store/mattermost/policy-exceptions/externalName.yaml b/packages/additional-kyverno-exceptions/mattermost/external-name.yaml
similarity index 82%
rename from packages/object-store/mattermost/policy-exceptions/externalName.yaml
rename to packages/additional-kyverno-exceptions/mattermost/external-name.yaml
index 4f74407d..9944f144 100644
--- a/packages/object-store/mattermost/policy-exceptions/externalName.yaml
+++ b/packages/additional-kyverno-exceptions/mattermost/external-name.yaml
@@ -1,7 +1,7 @@
apiVersion: kyverno.io/v2beta1
kind: PolicyException
metadata:
- name: mattermost-object-storage-external-names-exception
+ name: mattermost-external-names-exception
namespace: mattermost
spec:
exceptions:
@@ -17,3 +17,4 @@ spec:
- mattermost
names:
- mattermost-object-store
+ - mattermost-postgres
diff --git a/packages/databases/nexus/policy-exceptions/externalName.yaml b/packages/additional-kyverno-exceptions/nexus/external-name.yaml
similarity index 100%
rename from packages/databases/nexus/policy-exceptions/externalName.yaml
rename to packages/additional-kyverno-exceptions/nexus/external-name.yaml
diff --git a/packages/databases/sonarqube/policy-exceptions/externalName.yaml b/packages/additional-kyverno-exceptions/sonarqube/external-name.yaml
similarity index 100%
rename from packages/databases/sonarqube/policy-exceptions/externalName.yaml
rename to packages/additional-kyverno-exceptions/sonarqube/external-name.yaml
diff --git a/packages/additional-kyverno-exceptions/sonarqube/non-root-user.yaml b/packages/additional-kyverno-exceptions/sonarqube/non-root.yaml
similarity index 83%
rename from packages/additional-kyverno-exceptions/sonarqube/non-root-user.yaml
rename to packages/additional-kyverno-exceptions/sonarqube/non-root.yaml
index 89fb33a2..90619233 100644
--- a/packages/additional-kyverno-exceptions/sonarqube/non-root-user.yaml
+++ b/packages/additional-kyverno-exceptions/sonarqube/non-root.yaml
@@ -8,9 +8,9 @@ spec:
- policyName: require-non-root-user
ruleNames:
- non-root-user
- - policyName: restrict-host-path-write
+ - policyName: require-non-root-group
ruleNames:
- - require-readonly-hostpath
+ - run-as-group
match:
any:
- resources:
diff --git a/packages/additional-kyverno-exceptions/zarf.yaml b/packages/additional-kyverno-exceptions/zarf.yaml
index 5a31d2e5..674c4f8a 100644
--- a/packages/additional-kyverno-exceptions/zarf.yaml
+++ b/packages/additional-kyverno-exceptions/zarf.yaml
@@ -6,20 +6,28 @@ metadata:
architecture: amd64
components:
- - name: sonarqube-idam-kyverno-policy-exception
+ - name: sonarqube-keyclaok-idam-kyverno-policy-exception
required: true
manifests:
- name: sonarqube-idam-kyverno-policy-exception
namespace: keycloak
files:
- - sonarqube/non-root-user.yaml
+ - sonarqube/non-root.yaml
+ - name: sonarqube-kyverno-policy-exception
+ required: true
+ manifests:
+ - name: sonarqube-idam-kyverno-policy-exception
+ namespace: sonarqube
+ files:
+ - sonarqube/external-name.yaml
- name: jira-kyverno-policy-exception
required: true
manifests:
- name: jira-kyverno-policy-exception
namespace: jira
files:
- - jira/non-root-user.yaml
+ - jira/non-root.yaml
+ - jira/external-name.yaml
- name: gitlab-kyverno-policy-exceptions
required: true
manifests:
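Review bot: The renamed component `sonarqube-keyclaok-idam-kyverno-policy-exception` misspells "keycloak", and because component names are what operators pass to Zarf's `--components`, the typo becomes part of the package interface; rename it to `sonarqube-keycloak-idam-kyverno-policy-exception`. The new `sonarqube-kyverno-policy-exception` component also reuses the manifest name `sonarqube-idam-kyverno-policy-exception` from the component above it although it deploys the external-name exception into the `sonarqube` namespace, which makes the two indistinguishable in Zarf's output; `- name: sonarqube-kyverno-policy-exception` would match its component.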
@@ -27,3 +35,29 @@ components:
namespace: gitlab
files:
- gitlab/non-root-group.yaml
+ - gitlab/external-name.yaml
+ - name: mattermost-kyverno-policy-exceptions
+ required: true
+ manifests:
+ - name: mattermost-kyverno-policy-exceptions
+ files:
+ - mattermost/external-name.yaml
+ - name: confluence-kyverno-policy-exceptions
+ required: true
+ manifests:
+ - name: confluence-kyverno-policy-exceptions
+ files:
+ - confluence/external-name.yaml
+ - name: keycloak-kyverno-policy-exceptions
+ required: true
+ manifests:
+ - name: keycloak-kyverno-policy-exceptions
+ files:
+ - keycloak/external-name.yaml
+ - keycloak/non-root-group.yaml
+ - name: nexus-kyverno-policy-exceptions
+ required: true
+ manifests:
+ - name: nexus-kyverno-policy-exceptions
+ files:
+ - nexus/external-name.yaml
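Review bot: The four new components (mattermost, confluence, keycloak, nexus) omit the manifest `namespace:` that every earlier component in this file sets, so deployment presumably relies on the `metadata.namespace` each PolicyException carries itself; that works for these files but differs silently from the sibling entries, and a future file without `metadata.namespace` would land wherever Zarf defaults to. Add `namespace: mattermost`, `namespace: confluence`, `namespace: keycloak` and `namespace: nexus` under the respective `manifests:` entries to keep the established pattern.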
diff --git a/packages/databases/confluence/secret.yaml b/packages/databases/confluence/secret/secret.yaml
similarity index 100%
rename from packages/databases/confluence/secret.yaml
rename to packages/databases/confluence/secret/secret.yaml
diff --git a/packages/databases/confluence/secret/zarf.yaml b/packages/databases/confluence/secret/zarf.yaml
new file mode 100644
index 00000000..3830226e
--- /dev/null
+++ b/packages/databases/confluence/secret/zarf.yaml
@@ -0,0 +1,19 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/defenseunicorns/zarf/main/zarf.schema.json
+kind: ZarfPackageConfig
+metadata:
+ name: confluence-database-secret
+ version: "0.0.1"
+ architecture: amd64
+
+variables:
+ - name: CONFLUENCE_DB_PASSWORD
+ default: "replace-me"
+
+components:
+ - name: confluence-postgres-secret
+ required: true
+ manifests:
+ - name: confluence-postgres-secret
+ namespace: confluence
+ files:
+ - secret.yaml
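Review bot: `CONFLUENCE_DB_PASSWORD` is a credential but the variable is not marked `sensitive: true`, so its value may be echoed in the Zarf deploy prompt and logs; `packages/gitlab-redis/zarf.yaml` in this same change already uses `sensitive: true` for `REDIS_PASSWORD`. The `"replace-me"` default also means a deploy that forgets to set the variable succeeds with a placeholder password in the Secret instead of failing; drop the default (or pair `prompt: true` with `sensitive: true`) so an unset value is caught at deploy time. The gitlab, jira and sonarqube secret packages added alongside have the same shape.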
diff --git a/packages/databases/confluence/service.yaml b/packages/databases/confluence/service/service.yaml
similarity index 100%
rename from packages/databases/confluence/service.yaml
rename to packages/databases/confluence/service/service.yaml
diff --git a/packages/databases/confluence/zarf.yaml b/packages/databases/confluence/service/zarf.yaml
similarity index 59%
rename from packages/databases/confluence/zarf.yaml
rename to packages/databases/confluence/service/zarf.yaml
index b2a2b740..53c2b148 100644
--- a/packages/databases/confluence/zarf.yaml
+++ b/packages/databases/confluence/service/zarf.yaml
@@ -1,23 +1,19 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/defenseunicorns/zarf/main/zarf.schema.json
kind: ZarfPackageConfig
metadata:
- name: confluence-database-manifests
+ name: confluence-database-service
version: "0.0.1"
architecture: amd64
variables:
- name: CONFLUENCE_DB_EXTERNAL_NAME
default: "replace-me"
- - name: CONFLUENCE_DB_PASSWORD
- default: "replace-me"
components:
- - name: confluence-postgres-manifests
+ - name: confluence-postgres-service
required: true
manifests:
- - name: confluence-postgres-manifests
+ - name: confluence-postgres-service
namespace: confluence
files:
- - policy-exceptions/externalName.yaml
- - secret.yaml
- service.yaml
diff --git a/packages/databases/gitlab/secret.yaml b/packages/databases/gitlab/secret/secret.yaml
similarity index 100%
rename from packages/databases/gitlab/secret.yaml
rename to packages/databases/gitlab/secret/secret.yaml
diff --git a/packages/databases/gitlab/secret/zarf.yaml b/packages/databases/gitlab/secret/zarf.yaml
new file mode 100644
index 00000000..ce9ee942
--- /dev/null
+++ b/packages/databases/gitlab/secret/zarf.yaml
@@ -0,0 +1,19 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/defenseunicorns/zarf/main/zarf.schema.json
+kind: ZarfPackageConfig
+metadata:
+ name: gitlab-database-secret
+ version: "0.0.1"
+ architecture: amd64
+
+variables:
+ - name: GITLAB_DB_PASSWORD
+ default: "replace-me"
+
+components:
+ - name: gitlab-postgres-secret
+ required: true
+ manifests:
+ - name: gitlab-postgres-secret
+ namespace: gitlab
+ files:
+ - secret.yaml
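Review bot: `GITLAB_DB_PASSWORD` is a credential without `sensitive: true`, so Zarf may print its value in prompts and logs, and its `"replace-me"` default lets a deploy that never sets it succeed with a placeholder password in the gitlab Secret. Mark it `sensitive: true` and remove the default (or use `prompt: true`) so a missing value fails at deploy time, as `REDIS_PASSWORD` in `packages/gitlab-redis/zarf.yaml` already does.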
diff --git a/packages/databases/gitlab/service.yaml b/packages/databases/gitlab/service/service.yaml
similarity index 100%
rename from packages/databases/gitlab/service.yaml
rename to packages/databases/gitlab/service/service.yaml
diff --git a/packages/databases/gitlab/zarf.yaml b/packages/databases/gitlab/service/zarf.yaml
similarity index 60%
rename from packages/databases/gitlab/zarf.yaml
rename to packages/databases/gitlab/service/zarf.yaml
index 6351618f..633562a7 100644
--- a/packages/databases/gitlab/zarf.yaml
+++ b/packages/databases/gitlab/service/zarf.yaml
@@ -1,23 +1,19 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/defenseunicorns/zarf/main/zarf.schema.json
kind: ZarfPackageConfig
metadata:
- name: gitlab-database-manifests
+ name: gitlab-database-service
version: "0.0.1"
architecture: amd64
variables:
- name: GITLAB_DB_EXTERNAL_NAME
default: "replace-me"
- - name: GITLAB_DB_PASSWORD
- default: "replace-me"
components:
- - name: gitlab-postgres-manifests
+ - name: gitlab-postgres-external-service
required: true
manifests:
- - name: gitlab-postgres-manifests
+ - name: gitlab-postgres-external-service
namespace: gitlab
files:
- - policy-exceptions/externalName.yaml
- - secret.yaml
- service.yaml
diff --git a/packages/databases/jira/secret.yaml b/packages/databases/jira/secret/secret.yaml
similarity index 100%
rename from packages/databases/jira/secret.yaml
rename to packages/databases/jira/secret/secret.yaml
diff --git a/packages/databases/jira/secret/zarf.yaml b/packages/databases/jira/secret/zarf.yaml
new file mode 100644
index 00000000..4586c9f5
--- /dev/null
+++ b/packages/databases/jira/secret/zarf.yaml
@@ -0,0 +1,19 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/defenseunicorns/zarf/main/zarf.schema.json
+kind: ZarfPackageConfig
+metadata:
+ name: jira-database-secret
+ version: "0.0.1"
+ architecture: amd64
+
+variables:
+ - name: JIRA_DB_PASSWORD
+ default: "replace-me"
+
+components:
+ - name: jira-postgres-secret
+ required: true
+ manifests:
+ - name: jira-postgres-secret
+ namespace: jira
+ files:
+ - secret.yaml
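Review bot: `JIRA_DB_PASSWORD` carries a credential but lacks `sensitive: true`, so its value can surface in Zarf prompts and logs, and the `"replace-me"` default means an unset variable silently deploys a placeholder password. Add `sensitive: true` and drop the default (or combine it with `prompt: true`) so the omission is caught rather than shipped.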
diff --git a/packages/databases/jira/service.yaml b/packages/databases/jira/service/service.yaml
similarity index 100%
rename from packages/databases/jira/service.yaml
rename to packages/databases/jira/service/service.yaml
diff --git a/packages/databases/jira/zarf.yaml b/packages/databases/jira/service/zarf.yaml
similarity index 61%
rename from packages/databases/jira/zarf.yaml
rename to packages/databases/jira/service/zarf.yaml
index 99c03c6b..fabe8396 100644
--- a/packages/databases/jira/zarf.yaml
+++ b/packages/databases/jira/service/zarf.yaml
@@ -1,23 +1,19 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/defenseunicorns/zarf/main/zarf.schema.json
kind: ZarfPackageConfig
metadata:
- name: jira-database-manifests
+ name: jira-database-service
version: "0.0.1"
architecture: amd64
variables:
- name: JIRA_DB_EXTERNAL_NAME
default: "replace-me"
- - name: JIRA_DB_PASSWORD
- default: "replace-me"
components:
- - name: jira-postgres-manifests
+ - name: jira-postgres-service
required: true
manifests:
- - name: jira-postgres-manifests
+ - name: jira-postgres-service
namespace: jira
files:
- - policy-exceptions/externalName.yaml
- - secret.yaml
- service.yaml
diff --git a/packages/databases/keycloak/zarf.yaml b/packages/databases/keycloak/zarf.yaml
index e57c1701..689dc23f 100644
--- a/packages/databases/keycloak/zarf.yaml
+++ b/packages/databases/keycloak/zarf.yaml
@@ -16,5 +16,4 @@ components:
- name: keycloak-postgres-manifests
namespace: keycloak
files:
- - policy-exceptions/externalName.yaml
- service.yaml
diff --git a/packages/databases/mattermost/policy-exceptions/externalName.yaml b/packages/databases/mattermost/policy-exceptions/externalName.yaml
deleted file mode 100644
index e6653187..00000000
--- a/packages/databases/mattermost/policy-exceptions/externalName.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-apiVersion: kyverno.io/v2beta1
-kind: PolicyException
-metadata:
- name: mattermost-postgres-external-names-exception
- namespace: mattermost
-spec:
- exceptions:
- - policyName: restrict-external-names
- ruleNames:
- - external-names
- match:
- any:
- - resources:
- kinds:
- - Service
- namespaces:
- - mattermost
- names:
- - mattermost-postgres
diff --git a/packages/databases/mattermost/zarf.yaml b/packages/databases/mattermost/zarf.yaml
index 07780ee7..db5d9a22 100644
--- a/packages/databases/mattermost/zarf.yaml
+++ b/packages/databases/mattermost/zarf.yaml
@@ -22,6 +22,5 @@ components:
- name: mattermost-postgres-manifests
namespace: mattermost
files:
- - policy-exceptions/externalName.yaml
- secret.yaml
- service.yaml
diff --git a/packages/databases/nexus/zarf.yaml b/packages/databases/nexus/zarf.yaml
index e54f8b9a..e9cb1a3d 100644
--- a/packages/databases/nexus/zarf.yaml
+++ b/packages/databases/nexus/zarf.yaml
@@ -18,6 +18,5 @@ components:
- name: nexus-postgres-manifests
namespace: nexus
files:
- - policy-exceptions/externalName.yaml
- secret.yaml
- service.yaml
diff --git a/packages/databases/sonarqube/secret.yaml b/packages/databases/sonarqube/secret/secret.yaml
similarity index 100%
rename from packages/databases/sonarqube/secret.yaml
rename to packages/databases/sonarqube/secret/secret.yaml
diff --git a/packages/databases/sonarqube/secret/zarf.yaml b/packages/databases/sonarqube/secret/zarf.yaml
new file mode 100644
index 00000000..7c38fe4b
--- /dev/null
+++ b/packages/databases/sonarqube/secret/zarf.yaml
@@ -0,0 +1,19 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/defenseunicorns/zarf/main/zarf.schema.json
+kind: ZarfPackageConfig
+metadata:
+ name: sonarqube-database-secret
+ version: "0.0.1"
+ architecture: amd64
+
+variables:
+ - name: SONARQUBE_DB_PASSWORD
+ default: "replace-me"
+
+components:
+ - name: sonarqube-postgres-secret
+ required: true
+ manifests:
+ - name: sonarqube-postgres-secret
+ namespace: sonarqube
+ files:
+ - secret.yaml
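Review bot: `SONARQUBE_DB_PASSWORD` is not marked `sensitive: true`, so Zarf may echo the password in prompts and logs, and its `"replace-me"` default lets a deploy that forgets the variable succeed with a placeholder credential in the sonarqube Secret. Mark the variable `sensitive: true` and remove the default (or use `prompt: true`) so an unset value fails the deploy.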
diff --git a/packages/databases/sonarqube/service.yaml b/packages/databases/sonarqube/service/service.yaml
similarity index 100%
rename from packages/databases/sonarqube/service.yaml
rename to packages/databases/sonarqube/service/service.yaml
diff --git a/packages/databases/sonarqube/zarf.yaml b/packages/databases/sonarqube/service/zarf.yaml
similarity index 60%
rename from packages/databases/sonarqube/zarf.yaml
rename to packages/databases/sonarqube/service/zarf.yaml
index 8c2e60af..8edd4e95 100644
--- a/packages/databases/sonarqube/zarf.yaml
+++ b/packages/databases/sonarqube/service/zarf.yaml
@@ -1,23 +1,19 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/defenseunicorns/zarf/main/zarf.schema.json
kind: ZarfPackageConfig
metadata:
- name: sonarqube-database-manifests
+ name: sonarqube-database-service
version: "0.0.1"
architecture: amd64
variables:
- name: SONARQUBE_DB_EXTERNAL_NAME
default: "replace-me"
- - name: SONARQUBE_DB_PASSWORD
- default: "replace-me"
components:
- - name: sonarqube-postgres-manifests
+ - name: sonarqube-postgres-service
required: true
manifests:
- - name: sonarqube-postgres-manifests
+ - name: sonarqube-postgres-service
namespace: sonarqube
files:
- - policy-exceptions/externalName.yaml
- - secret.yaml
- service.yaml
diff --git a/packages/dubbd-legacy-reqs/manifests/gitlab-ssh-networkpolicies.yaml b/packages/dubbd-legacy-reqs/manifests/gitlab-ssh-networkpolicies.yaml
new file mode 100644
index 00000000..3f61bdc3
--- /dev/null
+++ b/packages/dubbd-legacy-reqs/manifests/gitlab-ssh-networkpolicies.yaml
@@ -0,0 +1,42 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: ingress-istio-shell
+ namespace: gitlab
+spec:
+ ingress:
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ app.kubernetes.io/name: istio-controlplane
+ podSelector:
+ matchLabels:
+ app: tenant-ingressgateway
+ istio: ingressgateway
+ ports:
+ - port: 2222
+ protocol: TCP
+ podSelector:
+ matchLabels:
+ app: gitlab-shell
+ policyTypes:
+ - Ingress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: egress-shell
+ namespace: gitlab
+spec:
+ egress:
+ - to:
+ - namespaceSelector: {}
+ - ipBlock:
+ cidr: 0.0.0.0/0
+ except:
+ - 169.254.169.254/32
+ podSelector:
+ matchLabels:
+ app: gitlab-shell
+ policyTypes:
+ - Egress
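Review bot: The `egress-shell` policy lets gitlab-shell reach every namespace and every external address except the cloud metadata endpoint, with no port restriction, so it grants nothing tighter than having no policy apart from the 169.254.169.254 carve-out. If wide egress is genuinely needed, restrict the `to:` entries to the `gitlab` namespace plus the cluster DNS port and drop the `0.0.0.0/0` block, or add a comment explaining why the blanket allow is required; `namespaceSelector: {}` next to `0.0.0.0/0` also looks redundant unless the CNI in use excludes pod IPs from `ipBlock` matches. On the ingress side, port 2222 is opened on the pod while the VirtualService in this package routes to Service port 22, which is consistent only if the gitlab-shell Service maps 22 to targetPort 2222 — not visible here, so worth confirming.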
diff --git a/packages/dubbd-legacy-reqs/manifests/gitlab-ssh-virtualservice.yaml b/packages/dubbd-legacy-reqs/manifests/gitlab-ssh-virtualservice.yaml
new file mode 100644
index 00000000..afbaafdc
--- /dev/null
+++ b/packages/dubbd-legacy-reqs/manifests/gitlab-ssh-virtualservice.yaml
@@ -0,0 +1,21 @@
+apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+ annotations:
+ meta.helm.sh/release-name: gitlab
+ meta.helm.sh/release-namespace: gitlab
+ name: gitlab-ssh
+ namespace: gitlab
+spec:
+ gateways:
+ - istio-system/tenant
+ hosts:
+ - gitlab.mtsi.bigbang.dev
+ tcp:
+ - match:
+ - port: 2022
+ route:
+ - destination:
+ host: gitlab-gitlab-shell.gitlab.svc.cluster.local
+ port:
+ number: 22
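Review bot: `gitlab.mtsi.bigbang.dev` is a hard-coded environment hostname in a reusable package; elsewhere in this change hostnames are built from Zarf variables (`###ZARF_VAR_KEYCLOAK_SUBDOMAIN###.###ZARF_VAR_DOMAIN###`), so this should be `- gitlab.###ZARF_VAR_DOMAIN###` (or a dedicated variable) declared in the package's `variables:`. The `meta.helm.sh/release-name: gitlab` / `release-namespace: gitlab` annotations assert Helm ownership by the gitlab release over a resource this package applies itself; if the gitlab chart also manages a VirtualService of this name the two will fight, and if it does not the annotations are misleading — they look copied from a live-cluster export and should be removed.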
diff --git a/packages/dubbd-legacy-reqs/zarf-config.yaml b/packages/dubbd-legacy-reqs/zarf-config.yaml
new file mode 100644
index 00000000..2ad70df5
--- /dev/null
+++ b/packages/dubbd-legacy-reqs/zarf-config.yaml
@@ -0,0 +1,8 @@
+package:
+ create:
+ max_package_size: "1000000000"
+ set:
+ # renovate: datasource=gitlab-tags depName=big-bang/bigbang versioning=semver registryUrl=https://repo1.dso.mil
+ bigbang_version: "2.19.1"
+ # should line up with the flux version in the BB release, see https://repo1.dso.mil/big-bang/bigbang/-/blob/master/base/flux/gotk-components.yaml#L3
+ flux_version: "2.2.2"
diff --git a/packages/dubbd-legacy-reqs/zarf.yaml b/packages/dubbd-legacy-reqs/zarf.yaml
new file mode 100644
index 00000000..884b82c4
--- /dev/null
+++ b/packages/dubbd-legacy-reqs/zarf.yaml
@@ -0,0 +1,30 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/defenseunicorns/zarf/v0.32.1/zarf.schema.json
+kind: ZarfPackageConfig
+metadata:
+ name: dubbd-legacy-reqs
+ description: "Installs Flux and some custom gitlab resources"
+ architecture: "amd64"
+ version: "0.0.1"
+
+components:
+ - name: install-flux
+ required: true
+ manifests:
+ - name: bb-flux
+ namespace: flux-system
+ kustomizations:
+ - https://repo1.dso.mil/big-bang/bigbang.git//base/flux?ref=2.19.1
+ images:
+ - registry1.dso.mil/ironbank/fluxcd/helm-controller:v0.37.1
+ - registry1.dso.mil/ironbank/fluxcd/kustomize-controller:v1.2.1
+ - registry1.dso.mil/ironbank/fluxcd/notification-controller:v1.2.3
+ - registry1.dso.mil/ironbank/fluxcd/source-controller:v1.2.2
+
+ - name: gitlab-ssh
+ required: true
+ manifests:
+ - name: gitlab-ssh-virtualservice
+ namespace: gitlab
+ files:
+ - manifests/gitlab-ssh-virtualservice.yaml
+ - manifests/gitlab-ssh-networkpolicies.yaml
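Review bot: The kustomization `?ref=2.19.1` and the four Flux controller image tags are hard-coded even though `zarf-config.yaml` in this package defines `bigbang_version` and `flux_version` with renovate markers, so a renovate bump of the config will not touch this file and the two silently diverge. Use the package-create template instead, `- https://repo1.dso.mil/big-bang/bigbang.git//base/flux?ref=###ZARF_PKG_TMPL_BIGBANG_VERSION###`, and either template the image tags the same way or pin them by digest if they must stay literal. The `gitlab-ssh` component's only manifest entry is named `gitlab-ssh-virtualservice` but also carries the network policies; `- name: gitlab-ssh` describes it better.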
diff --git a/packages/gitlab-redis/redis-secret.yaml b/packages/gitlab-redis/redis-secret.yaml
new file mode 100644
index 00000000..551c4aaf
--- /dev/null
+++ b/packages/gitlab-redis/redis-secret.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: gitlab-redis
+ namespace: gitlab
+type: kubernetes.io/opaque
+stringData:
+ password: "###ZARF_VAR_REDIS_PASSWORD###"
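Review bot: `type: kubernetes.io/opaque` is not one of the built-in Secret types; the API server accepts it as a custom type string, but the conventional value for arbitrary key/value data is `type: Opaque`, and tooling that special-cases Opaque secrets will not recognise this one. Change it to `type: Opaque`.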
diff --git a/packages/gitlab-redis/zarf.yaml b/packages/gitlab-redis/zarf.yaml
new file mode 100644
index 00000000..6ec9d730
--- /dev/null
+++ b/packages/gitlab-redis/zarf.yaml
@@ -0,0 +1,25 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/defenseunicorns/zarf/main/zarf.schema.json
+kind: ZarfPackageConfig
+metadata:
+ name: gitlab-redis-secret
+ version: "0.0.1"
+ architecture: amd64
+
+components:
+ - name: redis-password
+ required: true
+ actions:
+ onDeploy:
+ before:
+ - cmd: kubectl get secret -n dev-redis redis --template='{{ index .data "redis-password" }}' | base64 -d
+ mute: true
+ setVariables:
+ - name: REDIS_PASSWORD
+ sensitive: true
+ - name: gitlab-redis
+ required: true
+ manifests:
+ - name: gitlab-redis
+ namespace: gitlab
+ files:
+ - redis-secret.yaml
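Review bot: The `onDeploy` action's pipeline `kubectl get secret … | base64 -d` reports the exit status of `base64`, not `kubectl`, so a missing `dev-redis/redis` secret (or wrong kubeconfig) yields an empty string and the deploy proceeds to write a gitlab Secret with an empty `password` rather than failing. Drop the pipe and let kubectl decode: `- cmd: kubectl get secret -n dev-redis redis --template='{{ index .data "redis-password" | base64decode }}'`, which exits non-zero when the object is absent. The `dev-redis` namespace and secret name are also hard-coded in a package whose name suggests general use; consider Zarf variables for them and a comment explaining why the password is mirrored out of another namespace.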
diff --git a/packages/object-store/mattermost/zarf.yaml b/packages/object-store/mattermost/zarf.yaml
index e2ad5db1..dd38aa84 100644
--- a/packages/object-store/mattermost/zarf.yaml
+++ b/packages/object-store/mattermost/zarf.yaml
@@ -15,12 +15,6 @@ variables:
autoIndent: true
components:
- - name: object-store-kyverno-exceptions
- required: true
- manifests:
- - name: kyverno-exceptions
- files:
- - policy-exceptions/externalName.yaml
- name: mattermost-object-store-secret
required: true
manifests:
diff --git a/release-please-config.json b/release-please-config.json
index 93daea1d..977c36fc 100644
--- a/release-please-config.json
+++ b/release-please-config.json
@@ -11,7 +11,7 @@
],
"versioning": "always-bump-patch",
"extra-files": [
- "uds-bundle.yaml"
+ "bundles/dubbd-swf/uds-bundle.yaml"
]
}
}
diff --git a/tasks.yaml b/tasks.yaml
new file mode 100644
index 00000000..35c72e50
--- /dev/null
+++ b/tasks.yaml
@@ -0,0 +1,67 @@
+includes:
+ - create: ./tasks/create.yaml
+ - deploy: ./tasks/deploy.yaml
+
+tasks:
+ ################
+ # Create
+ ################
+ # Default bundle for now is DUBBD version
+ - name: create-bundle
+ actions:
+ - task: create-dubbd-bundle
+
+ - name: create-dubbd-bundle
+ actions:
+ - task: create:build-dir
+ - task: create:kyverno-exceptions-package
+ - task: create:database-manifest-packages
+ - task: create:namespaces-package
+ - task: create:idam-packages
+ - task: create:object-store-packages
+ - task: create:dubbd-package
+ - task: create:dubbd-bundle
+
+ - name: create-uds-core-bundle
+ actions:
+ - task: create:build-dir
+ - task: create:database-manifest-packages
+ - task: create:gitlab-redis-secret-package
+ - task: create:namespaces-package
+ - task: create:idam-packages
+ - task: create:object-store-packages
+ - task: create:dubbd-legacy-reqs-package
+ - task: create:uds-core-bundle
+
+ ################
+ # Deploy
+ ################
+ # Default bundle for now is DUBBD version
+ - name: deploy-bundle-to-dev
+ actions:
+ - task: deploy-dubbd-bundle-to-dev
+
+ - name: deploy-bundle-to-test
+ actions:
+ - task: deploy-dubbd-bundle-to-test
+
+ - name: deploy-dubbd-bundle-to-dev
+ actions:
+ - task: deploy:dubbd-bundle-to-dev
+
+ - name: deploy-dubbd-bundle-to-test
+ actions:
+ - task: deploy:dubbd-bundle-to-test
+
+ - name: deploy-uds-core-bundle-to-dev
+ actions:
+ - task: deploy:uds-core-bundle-to-dev
+
+ - name: deploy-uds-core-bundle-to-test
+ actions:
+ - task: deploy:uds-core-bundle-test
+
+ #### Clean ####
+ - name: clean
+ actions:
+ - cmd: rm -rf ./build/*
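Review bot: `deploy-uds-core-bundle-to-test` references `deploy:uds-core-bundle-test` while its sibling uses `deploy:uds-core-bundle-to-dev` and the DUBBD pair uses `-to-dev`/`-to-test`; unless `tasks/deploy.yaml` (not in this diff) really defines a task without `to-`, this is a typo that will only surface when the test deploy is first run. Rename it to `- task: deploy:uds-core-bundle-to-test` or confirm the included task name.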
diff --git a/tasks/create.yaml b/tasks/create.yaml
new file mode 100644
index 00000000..b7edf1ad
--- /dev/null
+++ b/tasks/create.yaml
@@ -0,0 +1,79 @@
+variables:
+ - name: ARCH
+ description: "What architecture to use"
+ default: "amd64"
+
+tasks:
+ # Build directory
+ - name: build-dir
+ description: Create build directory
+ actions:
+ - cmd: mkdir build -p
+
+ # Bundles
+ - name: dubbd-bundle
+ description: Create the UDS Bundle with SWF and DUBBD
+ actions:
+ - cmd: uds create ./bundles/dubbd-swf --architecture=${ARCH} --confirm
+ - cmd: mv ./bundles/dubbd-swf/uds-bundle-software-factory* ./build
+
+ - name: uds-core-bundle
+ description: Create the UDS Bundle with SWF on UDS Core
+ actions:
+ - cmd: uds create ./bundles/uds-core-swf --architecture=${ARCH} --confirm
+ - cmd: mv ./bundles/uds-core-swf/uds-bundle-uds-core-swf* ./build
+
+ # Packages
+ - name: kyverno-exceptions-package
+ description: Create kyverno exceptions Zarf Package
+ actions:
+ - cmd: zarf package create ./packages/additional-kyverno-exceptions --confirm --no-progress --architecture=${ARCH} --skip-sbom --output ./build
+
+ - name: database-manifest-packages
+ description: Create database manifest packages
+ actions:
+ - cmd: zarf package create ./packages/databases/confluence/secret --confirm --no-progress --architecture=${ARCH} --skip-sbom --output ./build
+ - cmd: zarf package create ./packages/databases/confluence/service --confirm --no-progress --architecture=${ARCH} --skip-sbom --output ./build
+ - cmd: zarf package create ./packages/databases/gitlab/secret --confirm --no-progress --architecture=${ARCH} --skip-sbom --output ./build
+ - cmd: zarf package create ./packages/databases/gitlab/service --confirm --no-progress --architecture=${ARCH} --skip-sbom --output ./build
+ - cmd: zarf package create ./packages/databases/jira/secret --confirm --no-progress --architecture=${ARCH} --skip-sbom --output ./build
+ - cmd: zarf package create ./packages/databases/jira/service --confirm --no-progress --architecture=${ARCH} --skip-sbom --output ./build
+ - cmd: zarf package create ./packages/databases/keycloak --confirm --no-progress --architecture=${ARCH} --skip-sbom --output ./build
+ - cmd: zarf package create ./packages/databases/mattermost --confirm --no-progress --architecture=${ARCH} --skip-sbom --output ./build
+ - cmd: zarf package create ./packages/databases/nexus --confirm --no-progress --architecture=${ARCH} --skip-sbom --output ./build
+ - cmd: zarf package create ./packages/databases/sonarqube/secret --confirm --no-progress --architecture=${ARCH} --skip-sbom --output ./build
+ - cmd: zarf package create ./packages/databases/sonarqube/service --confirm --no-progress --architecture=${ARCH} --skip-sbom --output ./build
+
+ - name: gitlab-redis-secret-package
+ description: Create package for the gitlab redis secret
+ actions:
+ - cmd: zarf package create ./packages/gitlab-redis --confirm --no-progress --architecture=${ARCH} --skip-sbom --output ./build
+
+ - name: namespaces-package
+ description: Create the namespaces package
+ actions:
+ - cmd: zarf package create ./packages/namespaces --confirm --no-progress --architecture=${ARCH} --skip-sbom --output ./build
+
+ - name: idam-packages
+ description: Create the idam packages
+ actions:
+ - cmd: zarf package create ./packages/idam-dns --confirm --no-progress --architecture=${ARCH} --skip-sbom --output ./build
+ - cmd: zarf package create ./packages/idam-gitlab --confirm --no-progress --architecture=${ARCH} --skip-sbom --output ./build
+ - cmd: zarf package create ./packages/idam-realm --confirm --no-progress --architecture=${ARCH} --skip-sbom --output ./build
+ - cmd: zarf package create ./packages/idam-sonarqube --confirm --no-progress --architecture=${ARCH} --skip-sbom --output ./build
+
+ - name: object-store-packages
+ description: Create the object storage packages
+ actions:
+ - cmd: zarf package create ./packages/object-store/gitlab --confirm --no-progress --architecture=${ARCH} --skip-sbom --output ./build
+ - cmd: zarf package create ./packages/object-store/mattermost --confirm --no-progress --architecture=${ARCH} --skip-sbom --output ./build
+
+ - name: dubbd-package
+ description: Create the dubbd package
+ actions:
+ - cmd: ZARF_CONFIG=./packages/dubbd/zarf-config.yaml zarf package create ./packages/dubbd --confirm --no-progress --architecture=${ARCH} --skip-sbom --output ./build
+
+ - name: dubbd-legacy-reqs-package
+ description: Create package to satisfy legacy reqs. This is needed untill we are 100% off Legacy versions of SWF apps
+ actions:
+ - cmd: ZARF_CONFIG=./packages/dubbd-legacy-reqs/zarf-config.yaml zarf package create ./packages/dubbd-legacy-reqs --confirm --no-progress --architecture=${ARCH} --skip-sbom --output ./build
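Review bot: Every `zarf package create` in this file passes `--skip-sbom`, and because the publish workflow now builds through `uds run create-bundle`, the bundle pushed to ghcr.io will contain packages with no SBOM, removing the artifact downstream consumers use for vulnerability scanning and provenance checks. If skipping is meant to speed up local builds, gate it behind a task variable rather than hard-coding it: add `- name: SBOM_FLAGS` with `default: ""` under `variables:` and replace each `--skip-sbom` with `${SBOM_FLAGS}`, so CI produces SBOMs by default and developers can opt out with `--set SBOM_FLAGS=--skip-sbom`. Separately, `mkdir build -p` in `build-dir` relies on GNU-style option reordering; on BSD/macOS mkdir it creates a directory literally named `-p`, so write `mkdir -p build`.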
diff --git a/tasks/deploy.yaml b/tasks/deploy.yaml
new file mode 100644
index 00000000..e6df762f
--- /dev/null
+++ b/tasks/deploy.yaml
@@ -0,0 +1,21 @@
+tasks:
+
+ - name: dubbd-bundle-to-dev
+ description: Deploy the dubbd version of the bundle to test
+ actions:
+ - cmd: UDS_CONFIG=./uds-config/dubbd-swf/dev-cluster/uds-config.yaml uds deploy ./build/uds-bundle-software-factory-*.tar.zst --confirm
+
+ - name: dubbd-bundle-to-test
+ description: Deploy the dubbd version of the bundle to test
+ actions:
+ - cmd: UDS_CONFIG=./uds-config/dubbd-swf/test-cluster/uds-config.yaml uds deploy ./build/uds-bundle-software-factory-*.tar.zst --confirm
+
+ - name: uds-core-bundle-to-dev
+ description: Deploy UDS Core version of the bundle to dev
+ actions:
+ - cmd: UDS_CONFIG=./uds-config/uds-core-swf/dev-cluster/uds-config.yaml uds deploy ./build/uds-bundle-uds-core-swf*.tar.zst --confirm
+
+ - name: uds-core-bundle-to-test
+ description: Deploy UDS Core version of the bundle to tes
+ actions:
+ - cmd: UDS_CONFIG=./uds-config/uds-core-swf/tes-cluster/uds-config.yaml uds deploy ./build/uds-bundle-uds-core-swf*.tar.zst --confirm
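Review bot: The `uds-core-bundle-to-test` task points at `./uds-config/uds-core-swf/tes-cluster/uds-config.yaml`, but the config added in this commit lives at `uds-config/uds-core-swf/test-cluster/`, so the test deploy will either run without its intended variables or fail on the missing file depending on how uds-cli treats an unreadable `UDS_CONFIG`; fix it to `UDS_CONFIG=./uds-config/uds-core-swf/test-cluster/uds-config.yaml`. The descriptions have also drifted from the task names: `dubbd-bundle-to-dev` says "Deploy ... to test" and `uds-core-bundle-to-test` says "to tes". Each deploy also expands a glob such as `./build/uds-bundle-software-factory-*.tar.zst` under `--confirm`; since none of these tasks run `clean` first, a build directory holding bundles from more than one build would pass several paths to `uds deploy`, so consider either clearing the build dir in the task or naming the exact artifact.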
diff --git a/uds-config/dev-cluster/uds-config.yaml b/uds-config/dubbd-swf/dev-cluster/uds-config.yaml
similarity index 96%
rename from uds-config/dev-cluster/uds-config.yaml
rename to uds-config/dubbd-swf/dev-cluster/uds-config.yaml
index bfba5946..9799ae26 100644
--- a/uds-config/dev-cluster/uds-config.yaml
+++ b/uds-config/dubbd-swf/dev-cluster/uds-config.yaml
@@ -5,7 +5,7 @@ variables:
# TODO - remove this if/when functionality is restored upstream
REGISTRY_HPA_ENABLE: false
metallb:
- IP_ADDRESS_POOL: "24.0.132.244/30"
+ IP_ADDRESS_POOL: "10.0.120.50-10.0.120.59"
dubbd-rke2-nutanix:
# TODO - replace these blanket exceptions with more targeted kyverno policy exceptions
EXEMPT_NAMESPACES: '["zarf", "rook-ceph", "metallb-system", "kube-system", "velero"]'
@@ -45,9 +45,10 @@ variables:
KEYCLOAK_DB_PASSWORD: "replace-me-db-passwords"
KEYCLOAK_DB_NAME: "keycloakdb"
KEYCLOAK_DB_ENDPOINT: "keycloak-postgres.keycloak.svc.cluster.local"
- gitlab-database-manifests:
- GITLAB_DB_EXTERNAL_NAME: "gitlab-pg.mtsi-dev.bigbang.dev"
+ gitlab-database-secret:
GITLAB_DB_PASSWORD: "replace-me-db-passwords"
+ gitlab-database-service:
+ GITLAB_DB_EXTERNAL_NAME: "gitlab-pg.mtsi-dev.bigbang.dev"
gitlab-object-store:
ENDPOINT: "http://swf.objects.mtsi.bigbang.dev"
ACCESS_KEY: "replace-me-object-store-access-key"
@@ -61,17 +62,19 @@ variables:
GITLAB_BACKUP_SCHEDULE: "0 3 * * *"
GITLAB_BACKUP_EXTRA_ARGS: "--skip artifiacts,registry"
BUCKET_SUFFIX: "-dev"
- sonarqube-database-manifests:
- SONARQUBE_DB_EXTERNAL_NAME: "sonarqube-pg.mtsi-dev.bigbang.dev"
+ sonarqube-database-secret:
SONARQUBE_DB_PASSWORD: "replace-me-db-passwords"
+ sonarqube-database-service:
+ SONARQUBE_DB_EXTERNAL_NAME: "sonarqube-pg.mtsi-dev.bigbang.dev"
sonarqube:
DOMAIN: "mtsi-dev.bigbang.dev"
SONARQUBE_IDAM_REALM_URL: "https://keycloak.mtsi-dev.bigbang.dev/auth/realms/baby-yoda"
SONARQUBE_DB_NAME: "sonarqubedb"
SONARQUBE_DB_USERNAME: "postgres"
- jira-database-manifests:
- JIRA_DB_EXTERNAL_NAME: "jira-pg.mtsi-dev.bigbang.dev"
+ jira-database-secret:
JIRA_DB_PASSWORD: "replace-me-db-passwords"
+ jira-database-service:
+ JIRA_DB_EXTERNAL_NAME: "jira-pg.mtsi-dev.bigbang.dev"
jira:
DOMAIN: "mtsi-dev.bigbang.dev"
JIRA_DB_NAME: "jiradb"
diff --git a/uds-config/test-cluster/uds-config.yaml b/uds-config/dubbd-swf/test-cluster/uds-config.yaml
similarity index 95%
rename from uds-config/test-cluster/uds-config.yaml
rename to uds-config/dubbd-swf/test-cluster/uds-config.yaml
index b8cae7b5..9ae87cc0 100644
--- a/uds-config/test-cluster/uds-config.yaml
+++ b/uds-config/dubbd-swf/test-cluster/uds-config.yaml
@@ -1,11 +1,11 @@
options:
log_level: info
-packages:
+variables:
init:
# TODO - remove this if/when functionality is restored upstream
REGISTRY_HPA_ENABLE: false
metallb:
- IP_ADDRESS_POOL: "24.0.132.248/30"
+ IP_ADDRESS_POOL: "10.0.120.70-10.0.120.79"
dubbd-rke2-nutanix:
# TODO - replace these blanket exceptions with more targeted kyverno policy exceptions
EXEMPT_NAMESPACES: '["zarf", "rook-ceph", "metallb-system", "kube-system", "velero"]'
@@ -45,9 +45,10 @@ packages:
KEYCLOAK_DB_PASSWORD: "replace-me-db-passwords"
KEYCLOAK_DB_NAME: "keycloakdb"
KEYCLOAK_DB_ENDPOINT: "keycloak-postgres.keycloak.svc.cluster.local"
- gitlab-database-manifests:
- GITLAB_DB_EXTERNAL_NAME: "gitlab-pg.mtsi.bigbang.dev"
+ gitlab-database-secret:
GITLAB_DB_PASSWORD: "replace-me-db-passwords"
+ gitlab-database-service:
+ GITLAB_DB_EXTERNAL_NAME: "gitlab-pg.mtsi.bigbang.dev"
gitlab-object-store:
ENDPOINT: "http://swf.objects.mtsi.bigbang.dev"
ACCESS_KEY: "replace-me-object-store-access-key"
@@ -61,18 +62,20 @@ packages:
GITLAB_BACKUP_SCHEDULE: "0 3 * * *"
GITLAB_BACKUP_EXTRA_ARGS: "--skip artifiacts,registry"
BUCKET_SUFFIX: "-test"
- sonarqube-database-manifests:
- SONARQUBE_DB_EXTERNAL_NAME: "sonarqube-pg.mtsi.bigbang.dev"
+ sonarqube-database-secret:
SONARQUBE_DB_PASSWORD: "replace-me-db-passwords"
+ sonarqube-database-service:
+ SONARQUBE_DB_EXTERNAL_NAME: "sonarqube-pg.mtsi.bigbang.dev"
sonarqube:
DOMAIN: "mtsi.bigbang.dev"
SONARQUBE_IDAM_REALM_URL: "https://keycloak.mtsi.bigbang.dev/auth/realms/baby-yoda"
# db config
SONARQUBE_DB_NAME: "sonarqubedb"
SONARQUBE_DB_USERNAME: "postgres"
- jira-database-manifests:
- JIRA_DB_EXTERNAL_NAME: "jira-pg.mtsi.bigbang.dev"
+ jira-database-secret:
JIRA_DB_PASSWORD: "replace-me-db-passwords"
+ jira-database-service:
+ JIRA_DB_EXTERNAL_NAME: "jira-pg.mtsi.bigbang.dev"
jira:
DOMAIN: "mtsi.bigbang.dev"
JIRA_DB_NAME: "jiradb"
diff --git a/uds-config/uds-core-swf/dev-cluster/uds-config.yaml b/uds-config/uds-core-swf/dev-cluster/uds-config.yaml
new file mode 100644
index 00000000..04a645e4
--- /dev/null
+++ b/uds-config/uds-core-swf/dev-cluster/uds-config.yaml
@@ -0,0 +1,93 @@
+options:
+ log_level: info
+shared:
+ DOMAIN: mtsi-dev.bigbang.dev
+variables:
+ init:
+ # TODO - remove this if/when functionality is restored upstream
+ REGISTRY_HPA_ENABLE: false
+ metallb:
+ IP_ADDRESS_POOL: "10.0.120.50-10.0.120.59"
+ core:
+ ADMIN_TLS_CERT: replace-me-cert
+ ADMIN_TLS_KEY: replace-me-key
+ TENANT_TLS_CERT: replace-me-cert
+ TENANT_TLS_KEY: replace-me-key
+ keycloak-database-manifests:
+ KEYCLOAK_DB_EXTERNAL_NAME: "keycloak-pg.mtsi-dev.bigbang.dev"
+ uds-idam:
+ KEYCLOAK_DB_USERNAME: "postgres"
+ KEYCLOAK_DB_PASSWORD: "replace-me-db-passwords"
+ KEYCLOAK_DB_NAME: "keycloakdb"
+ KEYCLOAK_DB_ENDPOINT: "keycloak-postgres.keycloak.svc.cluster.local"
+ KEYCLOAK_VALUES: "our-keycloak-values.yaml"
+ gitlab-database-secret:
+ GITLAB_DB_PASSWORD: "replace-me-db-passwords"
+ gitlab-object-store:
+ ENDPOINT: "http://swf.objects.mtsi.bigbang.dev"
+ ACCESS_KEY: "replace-me-object-store-access-key"
+ SECRET_KEY: "replace-me-object-store-secret-key"
+ gitlab:
+ GITLAB_DB_NAME: "gitlabdb"
+ GITLAB_DB_USERNAME: "postgres"
+ GITLAB_DB_ENDPOINT: "gitlab-pg.mtsi-dev.bigbang.dev"
+ GITLAB_PAGES_ENABLED: "true"
+ GITLAB_SIGNUP_ENABLED: "false"
+ GITLAB_BACKUP_SCHEDULE: "0 3 * * *"
+ GITLAB_BACKUP_EXTRA_ARGS: "--skip artifiacts,registry"
+ BUCKET_SUFFIX: "-dev"
+ GITLAB_REDIS_ENDPOINT: "redis-master.dev-redis.svc.cluster.local"
+ sonarqube-database-secret:
+ SONARQUBE_DB_PASSWORD: "replace-me-db-passwords"
+ sonarqube:
+ SONARQUBE_IDAM_REALM_URL: "https://keycloak.mtsi-dev.bigbang.dev/auth/realms/baby-yoda"
+ # db config
+ SONARQUBE_DB_NAME: "sonarqubedb"
+ SONARQUBE_DB_USERNAME: "postgres"
+ SONARQUBE_DB_ENDPOINT: "sonarqube-pg.mtsi-dev.bigbang.dev"
+ jira-database-secret:
+ JIRA_DB_PASSWORD: "replace-me-db-passwords"
+ jira:
+ JIRA_DB_NAME: "jiradb"
+ JIRA_DB_USERNAME: "postgres"
+ JIRA_LOCAL_HOME_ENABLED: "true"
+ JIRA_LOCAL_HOME_SIZE: "128Gi"
+ JIRA_RWO_STORAGE_CLASS: "ceph-block"
+ JIRA_DB_ENDPOINT: "jira-pg.mtsi-dev.bigbang.dev"
+ confluence-database-secret:
+ CONFLUENCE_DB_PASSWORD: "replace-me-db-passwords"
+ confluence:
+ CONFLUENCE_DB_NAME: "confluencedb"
+ CONFLUENCE_DB_USERNAME: "postgres"
+ CONFLUENCE_LOCAL_HOME_ENABLED: "true"
+ CONFLUENCE_LOCAL_HOME_SIZE: "128Gi"
+ CONFLUENCE_RWO_STORAGE_CLASS: "ceph-block"
+ CONFLUENCE_DB_ENDPOINT: "confluence-pg.mtsi-dev.bigbang.dev"
+ mattermost:
+ ACCESS_KEY: "replace-me-object-store-access-key"
+ SECRET_KEY: "replace-me-object-store-secret-key"
+ DB_PASSWORD: "replace-me-db-passwords"
+ DB_USERNAME: "postgres"
+ DB_NAME: "mattermostdb"
+ DB_ENDPOINT: "mattermost-pg.mtsi-dev.bigbang.dev"
+ DB_OPTIONS: "?connect_timeout=10&sslmode=disable"
+ OBJECT_STORE_SECURE: "false"
+ OBJECT_STORE_ENDPOINT: "swf.objects.mtsi.bigbang.dev"
+ OBJECT_STORE_BUCKET: "mattermost-bucket-dev"
+ nexus:
+ NEXUS_DB_NAME: "nexusdb"
+ NEXUS_DB_USERNAME: "postgres"
+ NEXUS_DB_ENDPOINT: "nexus-pg.mtsi-dev.bigbang.dev"
+ POSTGRES_DB_PASSWORD: "replace-me-db-passwords"
+ NEXUS_SSO_ENABLED: "false"
+ NEXUS_SSO_IDP_ENTITY_ID: ""
+ NEXUS_SSO_IDP_USERNAME_ATTRIBUTE: ""
+ NEXUS_SSO_IDP_FIRSTNAME_ATTRIBUTE: ""
+ NEXUS_SSO_IDP_LASTNAME_ATTRIBUTE: ""
+ NEXUS_SSO_IDP_EMAIL_ATTRIBUTE: ""
+ NEXUS_SSO_IDP_GROUPS_ATTRIBUTE: ""
+ NEXUS_SSO_IDP_VALIDATE_RESPONSE_SIGNATURE: ""
+ NEXUS_SSO_IDP_VALIDATE_ASSERTION_SIGNATURE: ""
+ NEXUS_SSO_IDP_METADATA: ''
+ NEXUS_SSO_REALM: "[]"
+ NEXUS_SSO_ROLE: "[]"
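Review bot: This config disables transport security for the Mattermost database and object store: `DB_OPTIONS` ends in `sslmode=disable`, `OBJECT_STORE_SECURE` is `"false"`, and the GitLab object-store `ENDPOINT` is `http://`, so the DB password and the S3 access/secret keys set in this same file travel in cleartext to endpoints that appear to be outside the cluster (`*-pg.mtsi-dev.bigbang.dev`, `swf.objects.mtsi.bigbang.dev`). Unless these paths are loopback or mesh-encrypted, prefer `DB_OPTIONS: "?connect_timeout=10&sslmode=require"`, `OBJECT_STORE_SECURE: "true"` and `ENDPOINT: "https://swf.objects.mtsi.bigbang.dev"`, or add a comment explaining why plaintext is acceptable here. Note also that this dev-cluster config points at the same `swf.objects.mtsi.bigbang.dev` host as the test config rather than an `mtsi-dev` host; if that is a deliberately shared store distinguished by `BUCKET_SUFFIX` and `OBJECT_STORE_BUCKET`, a comment would make clear it is not a copy-paste slip.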
diff --git a/uds-config/uds-core-swf/test-cluster/uds-config.yaml b/uds-config/uds-core-swf/test-cluster/uds-config.yaml
new file mode 100644
index 00000000..8d7c6e77
--- /dev/null
+++ b/uds-config/uds-core-swf/test-cluster/uds-config.yaml
@@ -0,0 +1,102 @@
+options:
+ log_level: info
+variables:
+ init:
+ # TODO - remove this if/when functionality is restored upstream
+ REGISTRY_HPA_ENABLE: false
+ metallb:
+ IP_ADDRESS_POOL: "10.0.120.70-10.0.120.79"
+ software-factory-idam-realm:
+ DOMAIN: "mtsi.bigbang.dev"
+ core:
+ ADMIN_TLS_CERT: replace-me-cert
+ ADMIN_TLS_KEY: replace-me-key
+ TENANT_TLS_CERT: replace-me-cert
+ TENANT_TLS_KEY: replace-me-key
+ keycloak-database-manifests:
+ KEYCLOAK_DB_EXTERNAL_NAME: "keycloak-pg.mtsi.bigbang.dev"
+ uds-idam:
+ DOMAIN: "mtsi.bigbang.dev"
+ KEYCLOAK_DB_USERNAME: "postgres"
+ KEYCLOAK_DB_PASSWORD: "replace-me-db-passwords"
+ KEYCLOAK_DB_NAME: "keycloakdb"
+ KEYCLOAK_DB_ENDPOINT: "keycloak-postgres.keycloak.svc.cluster.local"
+ KEYCLOAK_VALUES: "our-keycloak-values.yaml"
+ gitlab-database-secret:
+ GITLAB_DB_PASSWORD: "replace-me-db-passwords"
+ gitlab-object-store:
+ ENDPOINT: "http://swf.objects.mtsi.bigbang.dev"
+ ACCESS_KEY: "replace-me-object-store-access-key"
+ SECRET_KEY: "replace-me-object-store-secret-key"
+ gitlab-redis:
+ APP: "gitlab"
+ gitlab:
+ DOMAIN: "mtsi.bigbang.dev"
+ GITLAB_DB_NAME: "gitlabdb"
+ GITLAB_DB_USERNAME: "postgres"
+ GITLAB_DB_ENDPOINT: "gitlab-pg.mtsi.bigbang.dev"
+ GITLAB_PAGES_ENABLED: "true"
+ GITLAB_SIGNUP_ENABLED: "false"
+ GITLAB_BACKUP_SCHEDULE: "0 3 * * *"
+ GITLAB_BACKUP_EXTRA_ARGS: "--skip artifiacts,registry"
+ BUCKET_SUFFIX: "-test"
+ GITLAB_REDIS_ENDPOINT: "redis-master.dev-redis.svc.cluster.local"
+ sonarqube-database-secret:
+ SONARQUBE_DB_PASSWORD: "replace-me-db-passwords"
+ sonarqube:
+ DOMAIN: "mtsi.bigbang.dev"
+ SONARQUBE_IDAM_REALM_URL: "https://keycloak.mtsi.bigbang.dev/auth/realms/baby-yoda"
+ # db config
+ SONARQUBE_DB_NAME: "sonarqubedb"
+ SONARQUBE_DB_USERNAME: "postgres"
+ SONARQUBE_DB_ENDPOINT: "sonarqube-pg.mtsi.bigbang.dev"
+ jira-database-secret:
+ JIRA_DB_PASSWORD: "replace-me-db-passwords"
+ jira:
+ DOMAIN: "mtsi.bigbang.dev"
+ JIRA_DB_NAME: "jiradb"
+ JIRA_DB_USERNAME: "postgres"
+ JIRA_LOCAL_HOME_ENABLED: "true"
+ JIRA_LOCAL_HOME_SIZE: "128Gi"
+ JIRA_RWO_STORAGE_CLASS: "ceph-block"
+ JIRA_DB_ENDPOINT: "jira-pg.mtsi.bigbang.dev"
+ confluence-database-secret:
+ CONFLUENCE_DB_PASSWORD: "replace-me-db-passwords"
+ confluence:
+ DOMAIN: "mtsi.bigbang.dev"
+ CONFLUENCE_DB_NAME: "confluencedb"
+ CONFLUENCE_DB_USERNAME: "postgres"
+ CONFLUENCE_LOCAL_HOME_ENABLED: "true"
+ CONFLUENCE_LOCAL_HOME_SIZE: "128Gi"
+ CONFLUENCE_RWO_STORAGE_CLASS: "ceph-block"
+ CONFLUENCE_DB_ENDPOINT: "confluence-pg.mtsi.bigbang.dev"
+ mattermost:
+ DOMAIN: "mtsi.bigbang.dev"
+ ACCESS_KEY: "replace-me-object-store-access-key"
+ SECRET_KEY: "replace-me-object-store-secret-key"
+ DB_PASSWORD: "replace-me-db-passwords"
+ DB_USERNAME: "postgres"
+ DB_NAME: "mattermostdb"
+ DB_ENDPOINT: "mattermost-pg.mtsi.bigbang.dev"
+ DB_OPTIONS: "?connect_timeout=10&sslmode=disable"
+ OBJECT_STORE_SECURE: "false"
+ OBJECT_STORE_ENDPOINT: "swf.objects.mtsi.bigbang.dev"
+ OBJECT_STORE_BUCKET: "mattermost-bucket-test"
+ nexus:
+ DOMAIN: "mtsi.bigbang.dev"
+ NEXUS_DB_NAME: "nexusdb"
+ NEXUS_DB_USERNAME: "postgres"
+ NEXUS_DB_ENDPOINT: "nexus-pg.mtsi.bigbang.dev"
+ POSTGRES_DB_PASSWORD: "replace-me-db-passwords"
+ NEXUS_SSO_ENABLED: "false"
+ NEXUS_SSO_IDP_ENTITY_ID: ""
+ NEXUS_SSO_IDP_USERNAME_ATTRIBUTE: ""
+ NEXUS_SSO_IDP_FIRSTNAME_ATTRIBUTE: ""
+ NEXUS_SSO_IDP_LASTNAME_ATTRIBUTE: ""
+ NEXUS_SSO_IDP_EMAIL_ATTRIBUTE: ""
+ NEXUS_SSO_IDP_GROUPS_ATTRIBUTE: ""
+ NEXUS_SSO_IDP_VALIDATE_RESPONSE_SIGNATURE: ""
+ NEXUS_SSO_IDP_VALIDATE_ASSERTION_SIGNATURE: ""
+ NEXUS_SSO_IDP_METADATA: ''
+ NEXUS_SSO_REALM: "[]"
+ NEXUS_SSO_ROLE: "[]"
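Review bot: `GITLAB_REDIS_ENDPOINT` in this test-cluster config is `redis-master.dev-redis.svc.cluster.local`, identical to the dev-cluster config, which looks like a copy-paste carry-over unless the test cluster really hosts Redis in a namespace named `dev-redis`; confirm the namespace or change it. Beyond that, the file commits placeholder secrets (`ADMIN_TLS_KEY`, `TENANT_TLS_KEY`, every `*_DB_PASSWORD`, the object-store `SECRET_KEY`) in the same file the deploy task hands straight to `uds deploy --confirm`, so an operator who fills them in place is one `git add` away from committing a real TLS private key and nothing in the task refuses a deploy that still carries `replace-me-*` values. A header comment stating that these keys must be overridden at deploy time (via `--set`, or `UDS_<NAME>` environment variables if the pinned uds-cli supports them) and never edited in the checked-in file would reduce that risk, and the same `sslmode=disable` / `OBJECT_STORE_SECURE: "false"` / `http://` plaintext settings raised on the dev config apply here as well.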