From e7185361731d2fd4aebf8c2083ee5903fed3093e Mon Sep 17 00:00:00 2001 
From: awendt Date: Tue, 20 Feb 2024 08:08:43 -0700 Subject: [PATCH] Lets restructure (#27) --- .github/actions/action.yaml | 20 ++ .github/workflows/publish-bundle.yaml | 7 +- .vscode/settings.json | 46 ++++ Makefile | 133 ---------- README.md | 51 ++-- .../dubbd-swf/uds-bundle.yaml | 56 ++-- bundles/uds-core-swf/uds-bundle.yaml | 243 ++++++++++++++++++ docs/packages-and-dependencies-uds-core.md | 72 ++++++ our-keycloak-values.yaml | 186 ++++++++++++++ .../confluence/external-name.yaml} | 0 .../gitlab/external-name.yaml} | 0 .../gitlab/non-root-group.yaml | 1 + .../jira/external-name.yaml} | 0 .../{non-root-user.yaml => non-root.yaml} | 4 +- .../keycloak/external-name.yaml} | 0 .../keycloak/non-root-group.yaml | 19 ++ .../mattermost/external-name.yaml} | 3 +- .../nexus/external-name.yaml} | 0 .../sonarqube/external-name.yaml} | 0 .../{non-root-user.yaml => non-root.yaml} | 4 +- .../additional-kyverno-exceptions/zarf.yaml | 40 ++- .../confluence/{ => secret}/secret.yaml | 0 .../databases/confluence/secret/zarf.yaml | 19 ++ .../confluence/{ => service}/service.yaml | 0 .../confluence/{ => service}/zarf.yaml | 10 +- .../databases/gitlab/{ => secret}/secret.yaml | 0 packages/databases/gitlab/secret/zarf.yaml | 19 ++ .../gitlab/{ => service}/service.yaml | 0 .../databases/gitlab/{ => service}/zarf.yaml | 10 +- .../databases/jira/{ => secret}/secret.yaml | 0 packages/databases/jira/secret/zarf.yaml | 19 ++ .../databases/jira/{ => service}/service.yaml | 0 .../databases/jira/{ => service}/zarf.yaml | 10 +- packages/databases/keycloak/zarf.yaml | 1 - .../policy-exceptions/externalName.yaml | 19 -- packages/databases/mattermost/zarf.yaml | 1 - packages/databases/nexus/zarf.yaml | 1 - .../sonarqube/{ => secret}/secret.yaml | 0 packages/databases/sonarqube/secret/zarf.yaml | 19 ++ .../sonarqube/{ => service}/service.yaml | 0 .../sonarqube/{ => service}/zarf.yaml | 10 +- .../manifests/gitlab-ssh-networkpolicies.yaml | 42 +++ .../manifests/gitlab-ssh-virtualservice.yaml | 21 ++ 
packages/dubbd-legacy-reqs/zarf-config.yaml | 8 + packages/dubbd-legacy-reqs/zarf.yaml | 30 +++ packages/gitlab-redis/redis-secret.yaml | 8 + packages/gitlab-redis/zarf.yaml | 25 ++ packages/object-store/mattermost/zarf.yaml | 6 - release-please-config.json | 2 +- tasks.yaml | 67 +++++ tasks/create.yaml | 79 ++++++ tasks/deploy.yaml | 21 ++ .../dev-cluster/uds-config.yaml | 17 +- .../test-cluster/uds-config.yaml | 19 +- .../uds-core-swf/dev-cluster/uds-config.yaml | 93 +++++++ .../uds-core-swf/test-cluster/uds-config.yaml | 102 ++++++++ 56 files changed, 1297 insertions(+), 266 deletions(-) create mode 100644 .github/actions/action.yaml create mode 100644 .vscode/settings.json delete mode 100755 Makefile rename uds-bundle.yaml => bundles/dubbd-swf/uds-bundle.yaml (85%) create mode 100644 bundles/uds-core-swf/uds-bundle.yaml create mode 100644 docs/packages-and-dependencies-uds-core.md create mode 100644 our-keycloak-values.yaml rename packages/{databases/confluence/policy-exceptions/externalName.yaml => additional-kyverno-exceptions/confluence/external-name.yaml} (100%) rename packages/{databases/gitlab/policy-exceptions/externalName.yaml => additional-kyverno-exceptions/gitlab/external-name.yaml} (100%) rename packages/{databases/jira/policy-exceptions/externalName.yaml => additional-kyverno-exceptions/jira/external-name.yaml} (100%) rename packages/additional-kyverno-exceptions/jira/{non-root-user.yaml => non-root.yaml} (82%) rename packages/{databases/keycloak/policy-exceptions/externalName.yaml => additional-kyverno-exceptions/keycloak/external-name.yaml} (100%) create mode 100644 packages/additional-kyverno-exceptions/keycloak/non-root-group.yaml rename packages/{object-store/mattermost/policy-exceptions/externalName.yaml => additional-kyverno-exceptions/mattermost/external-name.yaml} (82%) rename packages/{databases/nexus/policy-exceptions/externalName.yaml => additional-kyverno-exceptions/nexus/external-name.yaml} (100%) rename 
packages/{databases/sonarqube/policy-exceptions/externalName.yaml => additional-kyverno-exceptions/sonarqube/external-name.yaml} (100%) rename packages/additional-kyverno-exceptions/sonarqube/{non-root-user.yaml => non-root.yaml} (83%) rename packages/databases/confluence/{ => secret}/secret.yaml (100%) create mode 100644 packages/databases/confluence/secret/zarf.yaml rename packages/databases/confluence/{ => service}/service.yaml (100%) rename packages/databases/confluence/{ => service}/zarf.yaml (59%) rename packages/databases/gitlab/{ => secret}/secret.yaml (100%) create mode 100644 packages/databases/gitlab/secret/zarf.yaml rename packages/databases/gitlab/{ => service}/service.yaml (100%) rename packages/databases/gitlab/{ => service}/zarf.yaml (60%) rename packages/databases/jira/{ => secret}/secret.yaml (100%) create mode 100644 packages/databases/jira/secret/zarf.yaml rename packages/databases/jira/{ => service}/service.yaml (100%) rename packages/databases/jira/{ => service}/zarf.yaml (61%) delete mode 100644 packages/databases/mattermost/policy-exceptions/externalName.yaml rename packages/databases/sonarqube/{ => secret}/secret.yaml (100%) create mode 100644 packages/databases/sonarqube/secret/zarf.yaml rename packages/databases/sonarqube/{ => service}/service.yaml (100%) rename packages/databases/sonarqube/{ => service}/zarf.yaml (60%) create mode 100644 packages/dubbd-legacy-reqs/manifests/gitlab-ssh-networkpolicies.yaml create mode 100644 packages/dubbd-legacy-reqs/manifests/gitlab-ssh-virtualservice.yaml create mode 100644 packages/dubbd-legacy-reqs/zarf-config.yaml create mode 100644 packages/dubbd-legacy-reqs/zarf.yaml create mode 100644 packages/gitlab-redis/redis-secret.yaml create mode 100644 packages/gitlab-redis/zarf.yaml create mode 100644 tasks.yaml create mode 100644 tasks/create.yaml create mode 100644 tasks/deploy.yaml rename uds-config/{ => dubbd-swf}/dev-cluster/uds-config.yaml (96%) rename uds-config/{ => 
dubbd-swf}/test-cluster/uds-config.yaml (95%)
create mode 100644 uds-config/uds-core-swf/dev-cluster/uds-config.yaml
create mode 100644 uds-config/uds-core-swf/test-cluster/uds-config.yaml
diff --git a/.github/actions/action.yaml b/.github/actions/action.yaml
new file mode 100644
index 00000000..e3213c84
--- /dev/null
+++ b/.github/actions/action.yaml
@@ -0,0 +1,20 @@
+# action.yml
+name: "Setup Environment"
+description: "UDS Environment Setup"
+
+runs:
+ using: "composite"
+ steps:
+
+ - name: Set up Homebrew
+ uses: Homebrew/actions/setup-homebrew@master
+
+ - name: Install Zarf
+ shell: bash
+ # renovate: datasource=github-tags depName=defenseunicorns/zarf versioning=semver
+ run: brew install defenseunicorns/tap/zarf@0.32.1
+
+ - name: Install UDS CLI
+ shell: bash
+ # renovate: datasource=github-tags depName=defenseunicorns/uds-cli versioning=semver
+ run: brew install defenseunicorns/tap/uds@0.7.0
diff --git a/.github/workflows/publish-bundle.yaml b/.github/workflows/publish-bundle.yaml
index 55637c14..d105bbd1 100644
--- a/.github/workflows/publish-bundle.yaml
+++ b/.github/workflows/publish-bundle.yaml
@@ -19,6 +19,9 @@ jobs:
 repository: ${{ github.repository }}
 ref: ${{ github.ref_name }}
+ - name: Environment setup
+ uses: ./.github/actions/setup
+
 - name: Login to Registry1
 uses: docker/login-action@v3
 with:
@@ -53,8 +56,8 @@ jobs:
 # Build and publish bundle
 ####
 - name: Build bundle
- run: make build/all
+ run: uds run create-bundle
 - name: Publish bundle
- run: ./uds publish uds-bundle-software-factory-nutanix-amd64-*.tar.zst oci://ghcr.io/defenseunicorns/uds-bundle --no-progress
+ run: uds publish uds-bundle-software-factory-nutanix-amd64-*.tar.zst oci://ghcr.io/defenseunicorns/uds-bundle --no-progress
 working-directory: build
diff --git a/.vscode/settings.json b/.vscode/settings.json
new file mode 100644
index 00000000..3f1470fa
--- /dev/null
+++ b/.vscode/settings.json
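Review bot: `uses: Homebrew/actions/setup-homebrew@master` in the new composite action tracks a moving branch, so each publish run executes whatever that repository's default branch holds at that moment, and this is the job that later logs into Registry1 and pushes the bundle. Pin it to a full commit SHA and record the tag beside it, e.g. `uses: Homebrew/actions/setup-homebrew@<commit-sha> # <tag>` (placeholder — take the SHA from the upstream tag you intend to use). The two `brew install defenseunicorns/tap/...@<version>` steps are version-pinned through the renovate comments, which is good, but the same versions are repeated independently in `.vscode/settings.json` in this commit; a comment in the action such as `# keep in sync with the schema versions in .vscode/settings.json` would make that coupling visible.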
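Review bot: The new step `uses: ./.github/actions/setup` in the first hunk references a directory this commit does not create — the diffstat adds `.github/actions/action.yaml`, not `.github/actions/setup/action.yaml`, and a local `uses:` path must point at a directory containing `action.yml`/`action.yaml`. Either move the file to `.github/actions/setup/action.yaml` or change the reference to `uses: ./.github/actions`; as written the step cannot resolve, and the `uds run create-bundle` and `uds publish` steps in the second hunk depend on the `uds` binary that step installs. The rest of the `jobs:` block lies outside both hunks.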
@@ -0,0 +1,46 @@
+{
+ "debug.javascript.terminalOptions": {
+ "enableTurboSourcemaps": true,
+ "resolveSourceMapLocations": [
+ "${workspaceFolder}/**",
+ "node_modules/kubernetes-fluent-client/**",
+ "node_modules/pepr/**"
+ ]
+ },
+ "yaml.schemas": {
+ // renovate: datasource=github-tags depName=defenseunicorns/uds-cli versioning=semver
+ "https://raw.githubusercontent.com/defenseunicorns/uds-cli/v0.7.0/uds.schema.json": [
+ "uds-bundle.yaml"
+ ],
+
+ // renovate: datasource=github-tags depName=defenseunicorns/uds-cli versioning=semver
+ "https://raw.githubusercontent.com/defenseunicorns/uds-cli/v0.7.0/tasks.schema.json": [
+ "tasks.yaml",
+ "tasks/**/*.yaml",
+ "src/**/validate.yaml"
+ ],
+ // renovate: datasource=github-tags depName=defenseunicorns/zarf versioning=semver
+ "https://raw.githubusercontent.com/defenseunicorns/zarf/v0.32.1/zarf.schema.json": [
+ "zarf.yaml"
+ ]
+ },
+ "cSpell.words": [
+ "alertmanager",
+ "Authservice",
+ "automount",
+ "controlplane",
+ "crds",
+ "distros",
+ "ironbank",
+ "Kiali",
+ "Kyverno",
+ "MITM",
+ "neuvector",
+ "opensource",
+ "promtail",
+ "Quickstart",
+ "seccomp",
+ "Sysctls",
+ "Velero"
+ ]
+}
diff --git a/Makefile b/Makefile
deleted file mode 100755
index 5904948c..00000000
--- a/Makefile
+++ /dev/null
@@ -1,133 +0,0 @@ -# The version of Zarf to use. To keep this repo as portable as possible the Zarf binary will be downloaded and added to -# the build folder. -# renovate: datasource=github-tags depName=defenseunicorns/zarf -UDS_CLI_VERSION := v0.7.0 -ZARF_VERSION := v0.32.1 - -# Figure out which Zarf binary we should use based on the operating system we are on -ZARF_BIN := zarf -UNAME_S := $(shell uname -s) -UNAME_M := $(shell uname -m) -ifeq ($(UNAME_M),x86_64) - ARCH := amd64 -else ifeq ($(UNAME_M),amd64) - ARCH := amd64 -else ifeq ($(UNAME_M),arm64) - ARCH := arm64 -else - $(error Unsupported architecture: $(UNAME_M)) -endif - -# Silent mode by default. Run `make VERBOSE=1` to turn off silent mode. -ifndef VERBOSE -.SILENT: -endif - -# Optionally add the "-it" flag for docker run commands if the env var "CI" is not set (meaning we are on a local machine and not in github actions) -TTY_ARG := -ifndef CI - TTY_ARG := -it -endif - -.DEFAULT_GOAL := help - -# Idiomatic way to force a target to always run, by having it depend on this dummy target -FORCE: - -.PHONY: help -help: ## Show a list of all targets - grep -E '^\S*:.*##.*$$' $(MAKEFILE_LIST) \ - | sed -n 's/^\(.*\): \(.*\)##\(.*\)/\1:\3/p' \ - | column -t -s ":" - -######################################################################## -# Build Section -######################################################################## - -.PHONY: build/all -build/all: build build/zarf build/uds build/software-factory-namespaces build/idam-dns build/idam-realm build/dubbd-rke2-nutanix build/idam-gitlab build/idam-sonarqube build/db-manifests build/object-store-manifests build/additional-kyverno-exceptions build/uds-bundle-software-factory ## Build everything - - -build: ## Create build directory - mkdir -p build - -.PHONY: clean -clean: ## Clean up build files - rm -rf ./build - -.PHONY: build/zarf -build/zarf: | build ## Download the Zarf to the build dir - if [ -f build/zarf ] && [ "$$(build/zarf version)" = 
"$(ZARF_VERSION)" ] ; then exit 0; fi && \ - echo "Downloading zarf" && \ - curl -sL https://github.com/defenseunicorns/zarf/releases/download/$(ZARF_VERSION)/zarf_$(ZARF_VERSION)_$(UNAME_S)_$(ARCH) -o build/zarf && \ - chmod +x build/zarf - -.PHONY: build/uds -build/uds: | build ## Download uds-cli to the build dir - if [ -f build/uds ] && [ "$$(build/uds version)" = "$(UDS_CLI_VERSION)" ] ; then exit 0; fi && \ - echo "Downloading uds-cli" && \ - curl -sL https://github.com/defenseunicorns/uds-cli/releases/download/$(UDS_CLI_VERSION)/uds-cli_$(UDS_CLI_VERSION)_$(UNAME_S)_$(ARCH) -o build/uds && \ - chmod +x build/uds - -build/software-factory-namespaces: | build ## Build namespaces package - cd build && ./zarf package create ../packages/namespaces/ --confirm --output-directory . - -build/dubbd-rke2-nutanix: | build ## Build dubbd-rke2-nutanix package - cd packages/dubbd && ../../build/zarf package create . --skip-sbom --confirm --output-directory ../../build - -build/idam-gitlab: | build ## Build idam-gitlab package - cd build && ./zarf package create ../packages/idam-gitlab/ --confirm --output-directory . - -build/idam-sonarqube: | build ## Build idam-sonarqube package - cd build && ./zarf package create ../packages/idam-sonarqube/ --skip-sbom --confirm --output-directory . - -build/idam-dns: | build ## Build idam-dns package - cd build && ./zarf package create ../packages/idam-dns/ --confirm --output-directory . - -build/idam-realm: | build ## Build idam-realm package - cd build && ./zarf package create ../packages/idam-realm/ --confirm --output-directory . - -build/db-manifests: | build ## Build DB Manifests - cd build && ./zarf package create ../packages/databases/confluence/ --confirm --output-directory . - cd build && ./zarf package create ../packages/databases/gitlab/ --confirm --output-directory . - cd build && ./zarf package create ../packages/databases/jira/ --confirm --output-directory . 
- cd build && ./zarf package create ../packages/databases/keycloak/ --confirm --output-directory . - cd build && ./zarf package create ../packages/databases/mattermost/ --confirm --output-directory . - cd build && ./zarf package create ../packages/databases/nexus/ --confirm --output-directory . - cd build && ./zarf package create ../packages/databases/sonarqube/ --confirm --output-directory . - -build/object-store-manifests: | build ## Build object store Manifests - cd build && ./zarf package create ../packages/object-store/gitlab/ --confirm --output-directory . - cd build && ./zarf package create ../packages/object-store/mattermost/ --confirm --output-directory . - -build/additional-kyverno-exceptions: | build ## Build additional kyverno exceptions - cd build && ./zarf package create ../packages/additional-kyverno-exceptions/ --confirm --output-directory . - -build/uds-bundle-software-factory: | build ## Build the software factory - cd build && ./uds create ../ --confirm - mv uds-bundle-software-factory-*.tar.zst build/ - -######################################################################## -# Deploy Section -######################################################################## - -deploy/test-cluster: ## Deploy the software factory package to the test cluster - cp uds-config/test-cluster/uds-config.yaml ./build/ - cp deploy-dubbd-values.yaml ./build/ - cd ./build && ./uds deploy uds-bundle-software-factory-*.tar.zst --confirm - -deploy/dev-cluster: ## Deploy the software factory package to the dev cluster - cp uds-config/dev-cluster/uds-config.yaml ./build/ - cp deploy-dubbd-values.yaml ./build/ - cd ./build && ./uds deploy uds-bundle-software-factory-*.tar.zst --confirm - -######################################################################## -# Macro Section -######################################################################## - -all/test-cluster: build/all deploy/test-cluster ## Build and deploy the software factory to the test cluster - 
-all/dev-cluster: build/all deploy/dev-cluster ## Build and deploy the software factory to the test cluster - -.PHONY: rebuild -rebuild: clean build/all diff --git a/README.md b/README.md index 7b4a3964..e2fb3b76 100644 --- a/README.md +++ b/README.md @@ -19,13 +19,13 @@ The full list of packages and dependencies installed by the bundle (and an assum **Infrastructure**: * Kubernetes cluster -* Access to the cluster with enough privilage to deploy -* A valid domain +* Access to the cluster with enough privilage to deploy +* A valid domain > NOTE: `*.bigbang.dev` may be used for demomonstration and test deployments. * Wildcard certificates to cover your domain (alternatively, expand for full SAN list)
Individual SAN list - + * `confluence.your.domain` * `gitlab.your.domain` * `*.pages.your.domain` @@ -51,7 +51,7 @@ The full list of packages and dependencies installed by the bundle (and an assum
Gitlab - + * gitlab-artifacts * gitlab-backups * gitlab-ci-secure-files @@ -96,18 +96,18 @@ For demonstration purposes, you can setup a local configfile as follows: * bucket names and credentials * database names and credentials -> NOTE: the config must be named `uds-config.yaml` and be present in your working directory at deploy time +> NOTE: The config must be named `uds-config.yaml` and either be present in your working directory or have the environment variable UDS_CONFIG set to its location at deploy time ### Deployment Select a target version number and gather the OCI image reference [from the packages page](https://github.com/orgs/defenseunicorns/packages?repo_name=uds-bundle-software-factory-nutanix). With the above prerequisites and configuration complete, you can deploy the bundle directly via OCI: ``` -uds deploy oci://ghcr.io/defenseunicorns/uds-bundle/software-factory-nutanix:0.1.4-amd64 --confirm +uds deploy oci://ghcr.io/defenseunicorns/uds-bundle/software-factory-nutanix:0.1.x --architecure amd64 --confirm ``` ### (OPTIONAL) Local Deployment Reference Situationally, it may be useful to download the deployment artifact so that it may be referenced offline. This can be accomplished by first downloading the target release: ``` -uds pull oci://ghcr.io/defenseunicorns/uds-bundle/software-factory-nutanix:0.1.4-amd64 +uds pull oci://ghcr.io/defenseunicorns/uds-bundle/software-factory-nutanix:0.1.x --architecture amd64 ``` And subsequently deploying from the local file: 
@@ -116,30 +116,19 @@ uds deploy uds-bundle-software-factory-nutanix-amd64-0.1.4.tar.zst --confirm ``` ## Additional Notes -For development and testing (both locally and in CI) we have included a Makefile to simplify common tasks. You can follow the breadcrumbs starting at the [Makefile](Makefile) target `make all/dev-cluster`. This Makefile downloads configured versions of zarf and uds to the build directory, places the `uds-config.yaml` in that build directory and performs the deploy command from there. Steps numbered below. Or follow along in the Makefile. +You can use the uds tasks in this project to build and deploy. -These targets will show you how to: -1) download the tools you need like zarf and uds. -```bash -.PHONY: build/zarf -build/zarf: | build ## Download the Zarf to the build dir - if [ -f build/zarf ] && [ "$$(build/zarf version)" = "$(ZARF_VERSION)" ] ; then exit 0; fi && \ - echo "Downloading zarf" && \ - curl -sL https://github.com/defenseunicorns/zarf/releases/download/$(ZARF_VERSION)/zarf_$(ZARF_VERSION)_$(UNAME_S)_$(ARCH) -o build/zarf && \ - chmod +x build/zarf - -.PHONY: build/uds -build/uds: | build ## Download uds-cli to the build dir - if [ -f build/uds ] && [ "$$(build/uds version)" = "$(UDS_CLI_VERSION)" ] ; then exit 0; fi && \ - echo "Downloading uds-cli" && \ - curl -sL https://github.com/defenseunicorns/uds-cli/releases/download/$(UDS_CLI_VERSION)/uds-cli_$(UDS_CLI_VERSION)_$(UNAME_S)_$(ARCH) -o build/uds && \ - chmod +x build/uds -``` -You can also use brew to install zarf and uds-cli ```bash -brew tap defenseunicorns/tap && brew install uds && brew install zarf +# List the available tasks to run +uds run --list + +# Run the create-bundle task +uds run create-bundle + +# Run the deploy-bundle-to-dev task +uds run deploy-bundle-to-dev + +# Run the deploy-bundle-to-test task +uds run deploy-bundle-to-test ``` -2) build all the zarf packages that support this bundle -1) build the bundle itself -1) place the `uds-config.yaml` in the 
directory where the deployment will take place -1) deploy the software factory. + diff --git a/uds-bundle.yaml b/bundles/dubbd-swf/uds-bundle.yaml similarity index 85% rename from uds-bundle.yaml rename to bundles/dubbd-swf/uds-bundle.yaml index 09036d87..8e69d48a 100644 --- a/uds-bundle.yaml +++ b/bundles/dubbd-swf/uds-bundle.yaml @@ -18,7 +18,7 @@ packages: # Namespace pre-reqs for swf capabilities - name: software-factory-namespaces - path: build + path: ../../build ref: 1.0.0 # MetalLB @@ -28,17 +28,17 @@ packages: # Defense Unicorns Big Bang Distro - name: dubbd-rke2-nutanix - path: build + path: ../../build ref: 0.18.0-n1 # Additional Kyverno Exceptions - name: additional-kyverno-exceptions - path: build + path: ../../build ref: 0.0.1 # Change the realm file keycloak imports from - name: software-factory-idam-realm - path: build + path: ../../build ref: 1.0.1 optional-components: - exported-variables @@ -47,7 +47,7 @@ packages: # Identity and Access Management - name: keycloak-database-manifests - path: build + path: ../../build ref: 0.0.1 - name: uds-idam @@ -59,7 +59,7 @@ packages: # GitLab SSO secret and variables - name: software-factory-idam-gitlab - path: build + path: ../../build ref: 1.0.1 exports: - name: GITLAB_IDAM_ENABLED @@ -68,7 +68,7 @@ packages: # SonarQube SSO secret and variables - name: software-factory-idam-sonarqube - path: build + path: ../../build ref: 1.0.1 exports: - name: SONARQUBE_IDAM_ENABLED @@ -85,11 +85,15 @@ packages: ref: 0.1.17 - name: gitlab-object-store - path: build + path: ../../build ref: 0.0.1 - - name: gitlab-database-manifests - path: build + - name: gitlab-database-secret + path: ../../build + ref: 0.0.1 + + - name: gitlab-database-service + path: ../../build ref: 0.0.1 - name: gitlab 
@@ -113,8 +117,12 @@ packages: ref: 0.1.4 # Sonarqube - - name: sonarqube-database-manifests - path: build + - name: sonarqube-database-secret + path: ../../build + ref: 0.0.1 + + - name: sonarqube-database-service + path: ../../build ref: 0.0.1 - name: sonarqube @@ -137,8 +145,12 @@ packages: package: software-factory-idam-sonarqube # Jira - - name: jira-database-manifests - path: build + - name: jira-database-secret + path: ../../build + ref: 0.0.1 + + - name: jira-database-service + path: ../../build ref: 0.0.1 - name: jira @@ -146,8 +158,12 @@ packages: ref: 0.1.7 # Confluence - - name: confluence-database-manifests - path: build + - name: confluence-database-secret + path: ../../build + ref: 0.0.1 + + - name: confluence-database-service + path: ../../build ref: 0.0.1 - name: confluence @@ -156,11 +172,11 @@ packages: # Mattermost Operator with a Mattermost instance - name: mattermost-object-store - path: build + path: ../../build ref: 0.0.1 - name: mattermost-database-manifests - path: build + path: ../../build ref: 0.0.1 - name: mattermost @@ -169,7 +185,7 @@ packages: # Nexus - name: nexus-database-manifests - path: build + path: ../../build ref: 0.0.1 - name: nexus @@ -178,7 +194,7 @@ packages: # Add all virtualservices as internal dns entries for auth callbacks - name: software-factory-idam-dns - path: build + path: ../../build ref: 1.0.0 optional-components: - create-internal-dns-entries diff --git a/bundles/uds-core-swf/uds-bundle.yaml b/bundles/uds-core-swf/uds-bundle.yaml new file mode 100644 index 00000000..1d9b564c --- /dev/null +++ b/bundles/uds-core-swf/uds-bundle.yaml 
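Review bot: The split into `*-database-secret` and `*-database-service` packages is applied to gitlab, sonarqube, jira and confluence in these hunks, but `keycloak-database-manifests`, `mattermost-database-manifests` and `nexus-database-manifests` keep the old single-package shape in the same file. If that is intended, a comment on those three entries such as `# not yet split into secret/service packages` would stop the next reader from hunting for a missing `-service` entry. Every relocated package now resolves `path: ../../build` relative to `bundles/dubbd-swf/`, so the bundle can only be created from that directory or through the tasks this commit introduces; a one-line comment above `packages:` naming that build-directory dependency would help, though that line sits outside these hunks.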
@@ -0,0 +1,243 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/defenseunicorns/uds-cli/v0.5.1/uds.schema.json +kind: UDSBundle +metadata: + name: uds-core-swf + description: A UDS bundle for deploying a software factory to an RKE2 cluster + version: "0.0.1" + architecture: amd64 + +packages: + # Zarf init + - name: init + repository: ghcr.io/defenseunicorns/uds-capability/rook-ceph/init + optional-components: + - git-server + ref: v0.32.1-0.2.1 + + # Namespace pre-reqs for swf capabilities + - name: software-factory-namespaces + path: ../../build + ref: 1.0.0 + + # MetalLB + - name: metallb + repository: ghcr.io/defenseunicorns/packages/metallb + ref: 0.0.5-amd64 + + - name: core + # repository: ghcr.io/defenseunicorns/packages/uds/core + repository: ghcr.io/blancharda/uds-core-ish/core + ref: 0.12.0-upstream + overrides: + loki: + loki: + values: + # Override default dns service name for Loki Gateway + - path: "global.dnsService" + value: "rke2-coredns-rke2-coredns" + istio-admin-gateway: + uds-istio-config: + variables: + - name: ADMIN_TLS_CERT + description: "The TLS cert for the admin gateway (must be base64 encoded)" + path: tls.cert + - name: ADMIN_TLS_KEY + description: "The TLS key for the admin gateway (must be base64 encoded)" + path: tls.key + istio-tenant-gateway: + uds-istio-config: + variables: + - name: TENANT_TLS_CERT + description: "The TLS cert for the tenant gateway (must be base64 encoded)" + path: tls.cert + - name: TENANT_TLS_KEY + description: "The TLS key for the tenant gateway (must be base64 encoded)" + path: tls.key + + # legacy requirements of DUBBD like flux (TODO -- remove someday) + - name: dubbd-legacy-reqs + path: ../../build + ref: 0.0.1 + + # Change the realm file keycloak imports from + - name: software-factory-idam-realm + path: ../../build + ref: 1.0.1 + optional-components: + - exported-variables + exports: + - name: REALM_IMPORT_FILE + + # Identity and Access Management + - name: 
keycloak-database-manifests + path: ../../build + ref: 0.0.1 + + - name: uds-idam + repository: ghcr.io/defenseunicorns/uds-capability/uds-idam + ref: 0.2.0-amd64 + imports: + - name: REALM_IMPORT_FILE + package: software-factory-idam-realm + + # SonarQube SSO secret and variables + - name: software-factory-idam-sonarqube + path: ../../build + ref: 1.0.1 + exports: + - name: SONARQUBE_IDAM_ENABLED + - name: SONARQUBE_IDAM_CLIENT_ID + - name: SONARQUBE_IDAM_PROVIDER_NAME + - name: SONARQUBE_IDAM_SAML_CERT + - name: SONARQUBE_IDAM_ATTR_LOGIN + - name: SONARQUBE_IDAM_ATTR_NAME + - name: SONARQUBE_IDAM_PROVIDER_EMAIL + + # Gitlab + - name: gitlab-redis + repository: ghcr.io/defenseunicorns/packages/uds/dev-redis + ref: 0.0.1 + + - name: gitlab-redis-secret + path: ../../build + ref: 0.0.1 + + - name: gitlab-object-store + path: ../../build + ref: 0.0.1 + + - name: gitlab-database-secret + path: ../../build + ref: 0.0.1 + + - name: gitlab + repository: ghcr.io/defenseunicorns/packages/uds/gitlab + ref: 16.8.1-uds.2-registry1 + + # Gitlab Runner + - name: gitlab-runner + repository: ghcr.io/defenseunicorns/packages/uds/gitlab-runner + ref: 16.8.0-uds.0-registry1 + + # Sonarqube + - name: sonarqube-database-secret + path: ../../build + ref: 0.0.1 + + - name: sonarqube + repository: ghcr.io/defenseunicorns/packages/uds/sonarqube + ref: 8.0.3-uds.4-registry1 + imports: + - name: SONARQUBE_IDAM_ENABLED + package: software-factory-idam-sonarqube + - name: SONARQUBE_IDAM_CLIENT_ID + package: software-factory-idam-sonarqube + - name: SONARQUBE_IDAM_PROVIDER_NAME + package: software-factory-idam-sonarqube + - name: SONARQUBE_IDAM_SAML_CERT + package: software-factory-idam-sonarqube + - name: SONARQUBE_IDAM_ATTR_LOGIN + package: software-factory-idam-sonarqube + - name: SONARQUBE_IDAM_ATTR_NAME + package: software-factory-idam-sonarqube + - name: SONARQUBE_IDAM_PROVIDER_EMAIL + package: software-factory-idam-sonarqube + + # Jira + - name: jira-database-secret + path: ../../build 
+ ref: 0.0.1 + + - name: jira + repository: ghcr.io/defenseunicorns/packages/uds/jira + ref: 1.17.0-uds.1-registry1 + overrides: + jira: + jira: + variables: + - name: LOCAL_HOME_ENABLED + path: "valumes.localHome.persistentVolumeClaim.create" + description: "Local Home Toggle" + default: "true" + - name: RWO_STORAGE_CLASS + path: "valumes.localHome.persistentVolumeClaim.storageClassName" + description: "RWO storage class name" + default: "ceph-block" + - name: LOCAL_HOME_SIZE + path: "valumes.localHome.persistentVolumeClaim.resources.requests.storage" + description: "Storage size" + default: "128Gi" + + # Confluence + - name: confluence-database-secret + path: ../../build + ref: 0.0.1 + + - name: confluence + repository: ghcr.io/defenseunicorns/packages/uds/confluence + ref: 1.17.0-uds.1-registry1 + overrides: + confluence: + confluence: + variables: + - name: LOCAL_HOME_ENABLED + path: "valumes.localHome.persistentVolumeClaim.create" + description: "Local Home Toggle" + default: "true" + - name: RWO_STORAGE_CLASS + path: "valumes.localHome.persistentVolumeClaim.storageClassName" + description: "RWO storage class name" + default: "ceph-block" + - name: LOCAL_HOME_SIZE + path: "valumes.localHome.persistentVolumeClaim.resources.requests.storage" + description: "Storage size" + default: "128Gi" + + # Mattermost + - name: mattermost + repository: ghcr.io/defenseunicorns/packages/uds/mattermost + ref: 9.4.1-uds.2-registry1 + overrides: + mattermost: + uds-mattermost-config: + variables: + - name: OBJECT_STORE_SECURE + path: "objectStorage.secure" + description: "Object storage ssl" + default: "false" + - name: OBJECT_STORE_ENDPOINT + path: "objectStorage.endpoint" + description: "Object storage endpoint" + default: "swf.objects.mtsi.bigbang.dev" + - name: OBJECT_STORE_BUCKET + path: "objectStorage.bucket" + description: "Object storage bucket" + default: "mattermost-bucket-dev" + - name: DB_ENDPOINT + path: "postgres.host" + description: "Postgres DB endpoint" + 
default: "mattermost-pg.mtsi-dev.bigbang.dev" + - name: DB_USERNAME + path: "postgres.username" + description: "Postgres DB username" + default: "postgres" + - name: DB_NAME + path: "postgres.dbName" + description: "Postgres DB database name" + default: "mattermostdb" + - name: DB_OPTIONS + path: "postgres.connectionOptions" + description: "Postgres DB connection options" + default: "?connect_timeout=10" + + # Nexus + - name: nexus + repository: ghcr.io/defenseunicorns/packages/uds/nexus + ref: 3.64.0-uds.1-registry1 + + # Add all virtualservices as internal dns entries for auth callbacks + - name: software-factory-idam-dns + path: ../../build + ref: 1.0.0 + optional-components: + - create-internal-dns-entries diff --git a/docs/packages-and-dependencies-uds-core.md b/docs/packages-and-dependencies-uds-core.md new file mode 100644 index 00000000..34d55aa8 --- /dev/null +++ b/docs/packages-and-dependencies-uds-core.md 
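Review bot: The six override paths under the jira and confluence packages are spelled `valumes.localHome.persistentVolumeClaim...`, so `LOCAL_HOME_ENABLED`, `RWO_STORAGE_CLASS` and `LOCAL_HOME_SIZE` would be written to a key the chart presumably never reads (assuming the chart key is `volumes.localHome...` — confirm against the chart); each should read e.g. `path: "volumes.localHome.persistentVolumeClaim.create"`. The `core` package is pulled from `ghcr.io/blancharda/uds-core-ish/core` at the mutable tag `0.12.0-upstream` while the organization repository is commented out directly above it; since this package carries the Istio gateways and the TLS cert/key variables, a comment stating why the personal namespace is used and until when, or a digest pin, would keep this from quietly becoming permanent. The mattermost overrides bake environment-specific defaults into the bundle (`swf.objects.mtsi.bigbang.dev`, `mattermost-pg.mtsi-dev.bigbang.dev`, `mattermost-bucket-dev`, `DB_USERNAME` of `postgres`, `OBJECT_STORE_SECURE` of `"false"`), which silently apply to any deployment whose uds-config omits them; a comment above that block marking them as dev placeholders that must be overridden, and a least-privileged role rather than `postgres` as the default database user, would be safer. The `$schema` comment on the first line points at uds-cli v0.5.1 while the rest of this commit installs and validates against v0.7.0.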
@@ -0,0 +1,72 @@ +# Packages + +The UDS Software Factory (SWF) bundle is made up of many components and installs many software packages. Additionally, there are infrastructure dependencies for managing and deploying Kubernetes itself, not all of which are contained within this repo. However, in order to present as much context as possible with regard to dependencies, we will attempt to outline all of them in a comprehensive list categorized by installation source. + +> NOTE that external dependencies such as operating system packages and STIG application are based on assumptions about the environment. They are intended to be exemplary and may need to be adjusted/updated based on your ACTUAL system. + +## CLI Tools +This list covers tools which would be required on a developer machine in order to stand up or maintain a deployment of UDS SWF. + +| Tool | Version | Description | +|----|----|----| +| [terraform](https://github.com/hashicorp/terraform) | v1.6.4 | An Infrastructure As Code (IAC) tool for managing the deployment of virtual resources (VMs, databases, object storage) within Nutanix | +| [kubectl](https://github.com/kubernetes/kubectl) | v1.28.4 | Kubernetes management utility and CLI used by cluster admins to interact directly with a Kubernetes cluster | +| [helm](https://github.com/helm/helm) | v3.13.2 | Kubernetes package manager CLI used to review the status of deployments in the cluster | +| [Zarf](https://github.com/defenseunicorns/zarf) | v0.32.1 | A custom tool for packaging and delivering software components (such as gitlab) across an airgap | +| [UDS](https://github.com/defenseunicorns/uds-cli) | v0.7.0 | A custom tool for automating and simplifying the management of multiple Zarf deployments in one environment | + +## Operating System Package Installs +This list covers tools and packages installed in the Operating System of the virtual machines allocated to run Kubernetes. 
This list is obviously not exhaustive, but instead covers what is being added to the base STIG'd image. + +| Package | Version | Description | +|----|----|----| +| [rke2](https://github.com/rancher/rke2/releases/) | v1.27.6+rke2r1 | A Kubernetes distribution provided by Rancher, focused on security compliance for Government workloads | +| [iptables](https://linux.die.net/man/8/iptables) | v1.8.4 | A linux tool for managing local IPv4 packet filtering and NAT routing | +| [postgres14](https://download.postgresql.org/pub/repos/yum/reporpms/EL-8-x86_64/pgdg-redhat-repo-latest.noarch.rpm) | 14.10 | Database server required as part of initial setup | +| [lvm2](https://gitlab.com/lvmteam/lvm2) | 2.03.14(2)-RHEL8 | Logical volume management tool needed by rook/ceph | +| [rke2-selinux](https://github.com/rancher/rke2-selinux) | 0.14-1.el8 | Package needed by RKE2 for systems running selinux | +| [postgis33_14](https://postgis.net/docs/manual-3.3/) | 3.3.5-1PGDG.rhel8 | Postgres extension used for geoggraphical data needed by GitLab | + +## Ansible Playbooks // Collections +The following are Ansible playbooks and collections run on the host VMs during the image building process, installing further dependencies and applying STIG's. + +| Name | Version | Description | +|----|----|----| +| [community.general](https://docs.ansible.com/ansible/latest/collections/community/general/index.html) | 7.5.1 | A collection of Ansible modules and tools used for orchistrating STIG application during the VM image build process | +| [ansible.posix](https://docs.ansible.com/ansible/latest/collections/ansible/posix/index.html) | 1.5.4 | Collection of Ansible modules for interacting with POSIX based operating systems such as RHEL; used during the image build process | +| [RHEL 8 STIGs](https://public.cyber.mil/stigs/supplemental-automation-content/) | 1.12 | Automated application of RHEL 8 STIG requirements used during the image build process. 
| + +## UDS Software Factory Bundle +The UDS Software Factory Bundle (SWF) is a collection of Zarf packages which include the full set of tooling and applications installed into the cluster to create a secure software development environment. A portion of the tooling (Defense Unicorns UDS-Core) has been expanded into a separate section below for clarity. SWF installs the following: + +| Name | Package Version (internal) | Application Version | Description | +|----|----|----|----| +| [Rook Ceph Zarf Init](https://github.com/defenseunicorns/uds-capability-rook-ceph/pkgs/container/uds-capability%2Frook-ceph%2Finit) | v0.31.4-0.1.2 | N/A | A zarf component installed in the cluster for orchestrating further deployment of Zarf based packages | +| [MetalLB](https://github.com/defenseunicorns/uds-capability-metallb/tree/v0.0.4) | 0.0.5 | v0.13.12 | Tool for providing load balancer capabilities for ingress into a Kubernetes deployment | +| [uds-core](https://github.com/defenseunicorns/uds-core) | 0.12.0 | N/A | [DESCRIPTION BELOW](#UDS-Core) | +| [Keycloak](https://github.com/defenseunicorns/uds-idam) | 0.2.0 | 21.1.1 | An identity and access management (IDAM) tool used to authenticate users for access to applications | +| [Redis](https://github.com/defenseunicorns/uds-package-dependencies) | 0.0.1 | 7.0.12 | A key-value store used as a data backend for several applications in the stack | +| [Gitlab](https://github.com/defenseunicorns/uds-package-gitlab) | 16.8.1-uds.2-registry1 | 16.8.1 | A source control management tool used in the software development lifecycle for storing, updating, building and deploying custom software | +| [Gitlab Runner](https://github.com/defenseunicorns/uds-package-gitlab-runner) | 16.8.0-uds.0-registry1 | v16.8.0 | A counterpart to Gitlab (above) in which automated software builds, tests and deployments are executed | +| [Sonarqube](https://github.com/defenseunicorns/uds-package-sonarqube) | 8.0.3-uds.4-registry1 | 9.9.3-community | A code 
inspection tool used during automated pipelines to evaluate security considerations of custom software and packaged images | +| [Jira](https://github.com/defenseunicorns/uds-package-jira) | 1.17.0-uds.1-registry1 | 9.12.0 | A collaboration tool used for team management and task organization | +| [Confluence](https://github.com/defenseunicorns/uds-package-confluence) | 1.17.0-uds.1-registry1 | 8.7.1 | A knowledge management tool used by teams to organize information | +| [Mattermost](https://github.com/defenseunicorns/uds-package-mattermost) | 9.4.1-uds.2-registry1 | 9.4.2 | An instance of Mattermost, a self-hosted chat and collaboration platform | +| [Nexus](https://github.com/defenseunicorns/uds-package-nexus) | 3.64.0-uds.1-registry1 | 3.64.0-03 | An artifact repository used for storing compiled application libraries, packages, images and other such artifacts | + +## UDS Core + UDS Core is a collection of tools that provide administrative capabilities such as deployment automation, centralized logging, monitoring, alerting and runtime security to a kubernetes cluster. The following applications and tools are installed: + +| Package | Version | Description | +|----|----|----| +| [Flux](https://github.com/fluxcd/flux2/releases) | 2.2.2 | A GitOps based manager for scheduling deployments in the cluster (NOTE: will be removed soon) | +| [Istio](https://istio.io/latest/) | 1.20.3 | A package detailing the configuration of the deployed service mesh -- used by the operator to apply the desired state in the cluster | +| [Loki](https://grafana.com/oss/loki/) | 2.9.4 | A Grafana product for aggregating and querying log data | +| [Promtail](https://grafana.com/docs/loki/latest/send-data/promtail/) | 2.9.2 | A logging daemon installed on each cluster node to capture logs from the host and all cluster workload processes. 
Logs are shipped to Loki | +| [Prometheus](https://prometheus.io/) | 2.49.1 | A product for storing and querying time series based data such as system performance metrics (CPU/MEM usage) | +| [Grafana](https://github.com/grafana/grafana) | 10.3.1 | A Grafana product to provide a frontend interface to display and query performance information from Prometheus, log data from Loki, and request tracing information from Tempo | +| [Neuvector](https://www.suse.com/neuvector/) | 5.2.2 | A kubernetes security suite that provides CVE scanning for hosts and images, as well as runtime security monitoring and protection | +| [Velero](https://repo1.dso.mil/big-bang/product/packages/velero) | TBD | A tool for orchistrating backups of cluster state and storage | +| [Authservice](https://github.com/istio-ecosystem/authservice) | 0.5.3 | A tool for simplifying and automating auth workflows via Istio integration | +| [Metrics Server](https://github.com/kubernetes-sigs/metrics-server) | 0.6.4 | A container metrics aggregation and exporter for kubernetes | +| [Pepr](https://pepr.dev/) | 0.25.0 | Declarative automation for managing deployments and security policy enorcement | diff --git a/our-keycloak-values.yaml b/our-keycloak-values.yaml new file mode 100644 index 00000000..10d112c9 --- /dev/null +++ b/our-keycloak-values.yaml 
@@ -0,0 +1,186 @@ +fullnameOverride: keycloak +args: +- start +- --import-realm +command: +- /opt/keycloak/bin/kc.sh +domain: ###ZARF_VAR_DOMAIN### +extraEnv: |- + - name: CUSTOM_REGISTRATION_CONFIG + value: /opt/jboss/keycloak/customreg.yaml + - name: KC_HTTPS_CERTIFICATE_FILE + value: /opt/keycloak/conf/tls.crt + - name: KC_HTTPS_CERTIFICATE_KEY_FILE + value: /opt/keycloak/conf/tls.key + - name: KC_HTTPS_TRUST_STORE_FILE + value: /opt/keycloak/conf/truststore.jks + - name: KC_HTTPS_TRUST_STORE_PASSWORD + value: password + - name: KC_HTTPS_CLIENT_AUTH + value: request + - name: KC_PROXY + value: passthrough + - name: KC_HTTP_ENABLED + value: "true" + - name: KC_HTTP_RELATIVE_PATH + value: /auth + - name: KC_HOSTNAME + value: ###ZARF_VAR_KEYCLOAK_SUBDOMAIN###.###ZARF_VAR_DOMAIN### + - name: KC_HOSTNAME_STRICT + value: "true" + - name: KC_HOSTNAME_STRICT_HTTPS + value: "true" + - name: KC_LOG_LEVEL + value: "org.keycloak.events:DEBUG,org.infinispan:INFO,org.jgroups:INFO" + - name: KC_CACHE + value: ispn + - name: KC_CACHE_STACK + value: kubernetes +extraInitContainers: |- + - name: plugin + image: registry1.dso.mil/ironbank/big-bang/p1-keycloak-plugin:3.2.1 + imagePullPolicy: Always + command: + - sh + - -c + - | + cp /app/p1-keycloak-plugin.jar /init + ls -l /init + volumeMounts: + - name: plugin + mountPath: "/init" +extraVolumeMounts: |- + - name: certauthority + mountPath: /etc/x509/https/cas.pem + subPath: cas.pem + readOnly: true + - name: customreg + mountPath: /opt/jboss/keycloak/customreg.yaml + subPath: customreg.yaml + readOnly: true + - name: plugin + mountPath: /opt/keycloak/providers/p1-keycloak-plugin.jar + subPath: p1-keycloak-plugin.jar + - name: quarkusproperties + mountPath: /opt/keycloak/conf/quarkus.properties + subPath: quarkus.properties + - name: realm + mountPath: /opt/keycloak/data/import/realm.json + subPath: realm.json + - name: truststore + mountPath: /opt/keycloak/conf/truststore.jks + subPath: truststore.jks +extraVolumeMountsBigBang: 
+- mountPath: /etc/x509/https/tls.crt + name: tlscert + readOnly: true + subPath: tls.crt +- mountPath: /etc/x509/https/tls.key + name: tlskey + readOnly: true + subPath: tls.key +- mountPath: /opt/keycloak/conf/tls.crt + name: tlscert + readOnly: true + subPath: tls.crt +- mountPath: /opt/keycloak/conf/tls.key + name: tlskey + readOnly: true + subPath: tls.key +extraVolumes: |- + - name: certauthority + secret: + secretName: {{ include "keycloak.fullname" . }}-certauthority + - name: plugin + emptyDir: {} + - name: quarkusproperties + secret: + secretName: {{ include "keycloak.fullname" . }}-quarkusproperties + defaultMode: 0777 + - name: realm + secret: + secretName: {{ include "keycloak.fullname" . }}-realm + - name: customreg + secret: + secretName: {{ include "keycloak.fullname" . }}-customreg + - name: truststore + secret: + secretName: {{ include "keycloak.fullname" . }}-truststore +extraVolumesBigBang: +- name: tlscert + secret: + secretName: keycloak-tlscert +- name: tlskey + secret: + secretName: keycloak-tlskey +hostname: ###ZARF_VAR_DOMAIN### +istio: + enabled: true + injection: enabled + keycloak: + enabled: true + gateways: + - istio-system/passthrough + hosts: + - '###ZARF_VAR_KEYCLOAK_SUBDOMAIN###.###ZARF_VAR_DOMAIN###' + +monitoring: + enabled: false +networkPolicies: + controlPlaneCidr: 0.0.0.0/0 + enabled: false + ingressLabels: + app: passthrough-ingressgateway + istio: null +postgresql: + enabled: ###ZARF_VAR_KEYCLOAK_DEV_DB_ENABLED### + fullnameOverride: keycloak-postgresql + postgresqlUsername: ###ZARF_VAR_KEYCLOAK_DB_USERNAME### + postgresqlPassword: ###ZARF_VAR_KEYCLOAK_DB_PASSWORD### +replicas: 1 +secrets: + certauthority: + stringData: + cas.pem: '{{ .Files.Get "resources/dev/dod_cas.pem" }}' + env: + stringData: + X509_CA_BUNDLE: /etc/x509/https/cas.pem + KEYCLOAK_ADMIN: ###ZARF_VAR_KEYCLOAK_ADMIN_USERNAME### + KEYCLOAK_ADMIN_PASSWORD: ###ZARF_VAR_KEYCLOAK_ADMIN_PASSWORD### + KC_DB_USERNAME: ###ZARF_VAR_KEYCLOAK_DB_USERNAME### + 
KC_DB_PASSWORD: ###ZARF_VAR_KEYCLOAK_DB_PASSWORD### + KC_DB: postgres + KC_DB_URL: jdbc:postgresql://###ZARF_VAR_KEYCLOAK_DB_ENDPOINT###/###ZARF_VAR_KEYCLOAK_DB_NAME### + quarkusproperties: + stringData: + quarkus.properties: |- + quarkus.http.non-application-root-path=/ + # custom redirects + quarkus.kc-routing.path-redirect./=/auth/realms/###ZARF_VAR_REALM###/account + quarkus.kc-routing.path-redirect./auth=/auth/realms/###ZARF_VAR_REALM###/account + quarkus.kc-routing.path-redirect./register=/auth/realms/###ZARF_VAR_REALM###/protocol/openid-connect/registrations?client_id=account&response_type=code + quarkus.kc-routing.path-prefix./oauth/authorize=/auth/realms/###ZARF_VAR_REALM###/protocol/openid-connect/auth + quarkus.kc-routing.path-filter./api/v4/user=/auth/realms/###ZARF_VAR_REALM###/protocol/openid-connect/userinfo + quarkus.kc-routing.path-filter./oauth/token=/auth/realms/###ZARF_VAR_REALM###/protocol/openid-connect/token + # block metrics and health enpoints from being exposed through the istio ingress + quarkus.kc-routing.path-recursive-block./metrics=8443 + quarkus.kc-routing.path-recursive-block./health=8443 + realm: + stringData: + realm.json: | + ###ZARF_VAR_REALM_IMPORT_FILE### + tlscert: + stringData: + tls.crt: | + ###ZARF_VAR_KEYCLOAK_CERT_FILE### + tlskey: + stringData: + tls.key: | + ###ZARF_VAR_KEYCLOAK_KEY_FILE### + customreg: + stringData: + customreg.yaml: | + ###ZARF_VAR_REALM_CUSTOM_REG_FILE### + truststore: + data: + truststore.jks: ###ZARF_VAR_REALM_TRUSTSTORE_FILE### \ No newline at end of file diff --git a/packages/databases/confluence/policy-exceptions/externalName.yaml b/packages/additional-kyverno-exceptions/confluence/external-name.yaml similarity index 100% rename from packages/databases/confluence/policy-exceptions/externalName.yaml rename to packages/additional-kyverno-exceptions/confluence/external-name.yaml 
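Review bot: The `quarkusproperties` secret volume under `extraVolumes` is mounted with `defaultMode: 0777`, which makes a Secret-backed config file world-writable and executable inside the pod when it only needs to be readable; `defaultMode: 0444` is sufficient for a properties file. In the same values `KC_HTTPS_TRUST_STORE_PASSWORD` is the literal `password` while every other credential is a `###ZARF_VAR_…###` placeholder, and `networkPolicies.enabled: false` together with `controlPlaneCidr: 0.0.0.0/0` leaves the identity provider without the chart's own network restrictions. A JKS truststore holds only CA certificates, so the password mostly protects integrity, but it should still be sourced from a variable such as `###ZARF_VAR_KEYCLOAK_TRUSTSTORE_PASSWORD###` for consistency with the rest of this file. Also note `org.keycloak.events:DEBUG` in `KC_LOG_LEVEL`, which writes per-login event detail into pod logs; confirm that level is intended outside a development environment.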
diff --git a/packages/databases/gitlab/policy-exceptions/externalName.yaml b/packages/additional-kyverno-exceptions/gitlab/external-name.yaml similarity index 100% rename from packages/databases/gitlab/policy-exceptions/externalName.yaml rename to packages/additional-kyverno-exceptions/gitlab/external-name.yaml diff --git a/packages/additional-kyverno-exceptions/gitlab/non-root-group.yaml b/packages/additional-kyverno-exceptions/gitlab/non-root-group.yaml index a2bd9509..2e8b883d 100644 --- a/packages/additional-kyverno-exceptions/gitlab/non-root-group.yaml +++ b/packages/additional-kyverno-exceptions/gitlab/non-root-group.yaml @@ -18,3 +18,4 @@ spec: names: - deployment-gitlab-toolbox-backup* - gitlab-toolbox-backup* + - gitlab-gitlab-pages* diff --git a/packages/databases/jira/policy-exceptions/externalName.yaml b/packages/additional-kyverno-exceptions/jira/external-name.yaml similarity index 100% rename from packages/databases/jira/policy-exceptions/externalName.yaml rename to packages/additional-kyverno-exceptions/jira/external-name.yaml diff --git a/packages/additional-kyverno-exceptions/jira/non-root-user.yaml b/packages/additional-kyverno-exceptions/jira/non-root.yaml similarity index 82% rename from packages/additional-kyverno-exceptions/jira/non-root-user.yaml rename to packages/additional-kyverno-exceptions/jira/non-root.yaml index 3d70aebd..5894e592 100644 --- a/packages/additional-kyverno-exceptions/jira/non-root-user.yaml +++ b/packages/additional-kyverno-exceptions/jira/non-root.yaml @@ -8,9 +8,9 @@ spec: - policyName: require-non-root-user ruleNames: - non-root-user - - policyName: restrict-host-path-write + - policyName: require-non-root-group ruleNames: - - require-readonly-hostpath + - run-as-group match: any: - resources: 
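Review bot: Adding `gitlab-gitlab-pages*` widens the `require-non-root-group` exception to another workload with no record of why Pages cannot run with a non-root GID; setting `securityContext.runAsGroup`/`fsGroup` in the pages sub-chart values is usually the fix, with a PolicyException as the fallback. If the exemption must stay, add a comment above the entry such as `# gitlab-pages image runs as GID 0 — runAsGroup override not supported by chart; see <ticket>` so it can be revisited rather than accumulating silently. The enclosing PolicyException starts outside the hunk.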
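Review bot: The jira exception swaps the `restrict-host-path-write` exemption for `require-non-root-group`/`run-as-group`, but nothing in the hunk explains why Jira needs GID 0 rather than a `runAsGroup`/`fsGroup` override in its chart values. Dropping the hostPath exception is a tightening, so please confirm the Jira pods no longer mount a writable hostPath; if they do, and the policy is in Enforce mode, they will be blocked at admission once this is applied. A one-line comment above the policyName entry, e.g. `# jira image runs as gid 0; chart does not expose runAsGroup`, would make the intent reviewable, and the identical change to `sonarqube/non-root.yaml` has the same gap. The `match` block continues outside the hunk.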
diff --git a/packages/databases/keycloak/policy-exceptions/externalName.yaml b/packages/additional-kyverno-exceptions/keycloak/external-name.yaml similarity index 100% rename from packages/databases/keycloak/policy-exceptions/externalName.yaml rename to packages/additional-kyverno-exceptions/keycloak/external-name.yaml diff --git a/packages/additional-kyverno-exceptions/keycloak/non-root-group.yaml b/packages/additional-kyverno-exceptions/keycloak/non-root-group.yaml new file mode 100644 index 00000000..207ae5df --- /dev/null +++ b/packages/additional-kyverno-exceptions/keycloak/non-root-group.yaml @@ -0,0 +1,19 @@ +apiVersion: kyverno.io/v2beta1 +kind: PolicyException +metadata: + name: keycloak-non-root-group-exception + namespace: keycloak +spec: + exceptions: + - policyName: require-non-root-group + ruleNames: + - run-as-group + match: + any: + - resources: + kinds: + - Pod + namespaces: + - keycloak + names: + - keycloak-0 diff --git a/packages/object-store/mattermost/policy-exceptions/externalName.yaml b/packages/additional-kyverno-exceptions/mattermost/external-name.yaml similarity index 82% rename from packages/object-store/mattermost/policy-exceptions/externalName.yaml rename to packages/additional-kyverno-exceptions/mattermost/external-name.yaml index 4f74407d..9944f144 100644 --- a/packages/object-store/mattermost/policy-exceptions/externalName.yaml +++ b/packages/additional-kyverno-exceptions/mattermost/external-name.yaml @@ -1,7 +1,7 @@ apiVersion: kyverno.io/v2beta1 kind: PolicyException metadata: - name: mattermost-object-storage-external-names-exception + name: mattermost-external-names-exception namespace: mattermost spec: exceptions: @@ -17,3 +17,4 @@ spec: - mattermost names: - mattermost-object-store + - mattermost-postgres 
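Review bot: The new keycloak exception matches a single pod by the literal name `keycloak-0`, so it covers the `replicas: 1` StatefulSet in `our-keycloak-values.yaml` but any scale-out pod (`keycloak-1`, …) would be rejected by `require-non-root-group` at admission; if that fail-closed behaviour is intended it deserves a comment, otherwise use a glob as the gitlab exception does, `- keycloak-*`. As with the other exceptions in this patch, a `runAsGroup`/`fsGroup` in the Keycloak values would be preferable to an exemption, and the values file added here sets no securityContext — confirm the chart does not already default one before keeping this. A short justification such as `# keycloak image runs with gid 0; see <ticket>` above `names:` would help.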
diff --git a/packages/databases/nexus/policy-exceptions/externalName.yaml b/packages/additional-kyverno-exceptions/nexus/external-name.yaml similarity index 100% rename from packages/databases/nexus/policy-exceptions/externalName.yaml rename to packages/additional-kyverno-exceptions/nexus/external-name.yaml diff --git a/packages/databases/sonarqube/policy-exceptions/externalName.yaml b/packages/additional-kyverno-exceptions/sonarqube/external-name.yaml similarity index 100% rename from packages/databases/sonarqube/policy-exceptions/externalName.yaml rename to packages/additional-kyverno-exceptions/sonarqube/external-name.yaml diff --git a/packages/additional-kyverno-exceptions/sonarqube/non-root-user.yaml b/packages/additional-kyverno-exceptions/sonarqube/non-root.yaml similarity index 83% rename from packages/additional-kyverno-exceptions/sonarqube/non-root-user.yaml rename to packages/additional-kyverno-exceptions/sonarqube/non-root.yaml index 89fb33a2..90619233 100644 --- a/packages/additional-kyverno-exceptions/sonarqube/non-root-user.yaml +++ b/packages/additional-kyverno-exceptions/sonarqube/non-root.yaml @@ -8,9 +8,9 @@ spec: - policyName: require-non-root-user ruleNames: - non-root-user - - policyName: restrict-host-path-write + - policyName: require-non-root-group ruleNames: - - require-readonly-hostpath + - run-as-group match: any: - resources: diff --git a/packages/additional-kyverno-exceptions/zarf.yaml b/packages/additional-kyverno-exceptions/zarf.yaml index 5a31d2e5..674c4f8a 100644 --- a/packages/additional-kyverno-exceptions/zarf.yaml +++ b/packages/additional-kyverno-exceptions/zarf.yaml 
@@ -6,20 +6,28 @@ metadata: architecture: amd64 components: - - name: sonarqube-idam-kyverno-policy-exception + - name: sonarqube-keyclaok-idam-kyverno-policy-exception required: true manifests: - name: sonarqube-idam-kyverno-policy-exception namespace: keycloak files: - - sonarqube/non-root-user.yaml + - sonarqube/non-root.yaml + - name: sonarqube-kyverno-policy-exception + required: true + manifests: + - name: sonarqube-idam-kyverno-policy-exception + namespace: sonarqube + files: + - sonarqube/external-name.yaml - name: jira-kyverno-policy-exception required: true manifests: - name: jira-kyverno-policy-exception namespace: jira files: - - jira/non-root-user.yaml + - jira/non-root.yaml + - jira/external-name.yaml - name: gitlab-kyverno-policy-exceptions required: true manifests: @@ -27,3 +35,29 @@ components: namespace: gitlab files: - gitlab/non-root-group.yaml + - gitlab/external-name.yaml + - name: mattermost-kyverno-policy-exceptions + required: true + manifests: + - name: mattermost-kyverno-policy-exceptions + files: + - mattermost/external-name.yaml + - name: confluence-kyverno-policy-exceptions + required: true + manifests: + - name: confluence-kyverno-policy-exceptions + files: + - confluence/external-name.yaml + - name: keycloak-kyverno-policy-exceptions + required: true + manifests: + - name: keycloak-kyverno-policy-exceptions + files: + - keycloak/external-name.yaml + - keycloak/non-root-group.yaml + - name: nexus-kyverno-policy-exceptions + required: true + manifests: + - name: nexus-kyverno-policy-exceptions + files: + - nexus/external-name.yaml diff --git a/packages/databases/confluence/secret.yaml b/packages/databases/confluence/secret/secret.yaml similarity index 100% rename from packages/databases/confluence/secret.yaml rename to packages/databases/confluence/secret/secret.yaml diff --git a/packages/databases/confluence/secret/zarf.yaml b/packages/databases/confluence/secret/zarf.yaml new file mode 100644 index 00000000..3830226e --- /dev/null 
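Review bot: The renamed component `sonarqube-keyclaok-idam-kyverno-policy-exception` carries a typo (`keyclaok`); component names are operator-facing via `--components`, so fix it now: `- name: sonarqube-keycloak-idam-kyverno-policy-exception`. The new `sonarqube-kyverno-policy-exception` component reuses the manifest name `sonarqube-idam-kyverno-policy-exception` from the component directly above it; give it its own name, `- name: sonarqube-kyverno-policy-exception`, so the generated resources are distinguishable. The mattermost, confluence, keycloak and nexus components omit `namespace:` while the sonarqube, jira and gitlab ones set it; the PolicyException manifests carry their own `metadata.namespace`, so this probably works, but the inconsistency should be resolved one way or the other.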
+++ b/packages/databases/confluence/secret/zarf.yaml @@ -0,0 +1,19 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/defenseunicorns/zarf/main/zarf.schema.json +kind: ZarfPackageConfig +metadata: + name: confluence-database-secret + version: "0.0.1" + architecture: amd64 + +variables: + - name: CONFLUENCE_DB_PASSWORD + default: "replace-me" + +components: + - name: confluence-postgres-secret + required: true + manifests: + - name: confluence-postgres-secret + namespace: confluence + files: + - secret.yaml diff --git a/packages/databases/confluence/service.yaml b/packages/databases/confluence/service/service.yaml similarity index 100% rename from packages/databases/confluence/service.yaml rename to packages/databases/confluence/service/service.yaml diff --git a/packages/databases/confluence/zarf.yaml b/packages/databases/confluence/service/zarf.yaml similarity index 59% rename from packages/databases/confluence/zarf.yaml rename to packages/databases/confluence/service/zarf.yaml index b2a2b740..53c2b148 100644 --- a/packages/databases/confluence/zarf.yaml +++ b/packages/databases/confluence/service/zarf.yaml @@ -1,23 +1,19 @@ # yaml-language-server: $schema=https://raw.githubusercontent.com/defenseunicorns/zarf/main/zarf.schema.json kind: ZarfPackageConfig metadata: - name: confluence-database-manifests + name: confluence-database-service version: "0.0.1" architecture: amd64 variables: - name: CONFLUENCE_DB_EXTERNAL_NAME default: "replace-me" - - name: CONFLUENCE_DB_PASSWORD - default: "replace-me" components: - - name: confluence-postgres-manifests + - name: confluence-postgres-service required: true manifests: - - name: confluence-postgres-manifests + - name: confluence-postgres-service namespace: confluence files: - - policy-exceptions/externalName.yaml - - secret.yaml - service.yaml 
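Review bot: `CONFLUENCE_DB_PASSWORD` is a database credential declared with only a placeholder default, so a deploy that forgets `--set` creates the Secret with the literal `replace-me`, and without a sensitivity flag the value is likely to be printed in Zarf's variable output. Mark it `sensitive: true` so it is masked in logs and `prompt: true` so an interactive deploy asks for it; whether to keep the `replace-me` default or drop it so a non-interactive deploy fails fast is a project choice, but a deterministic placeholder password should not reach a running database. Suggested: `- name: CONFLUENCE_DB_PASSWORD` / `  sensitive: true` / `  prompt: true`. The same applies to the sibling gitlab, jira and sonarqube secret packages introduced in this patch.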
diff --git a/packages/databases/gitlab/secret.yaml b/packages/databases/gitlab/secret/secret.yaml similarity index 100% rename from packages/databases/gitlab/secret.yaml rename to packages/databases/gitlab/secret/secret.yaml diff --git a/packages/databases/gitlab/secret/zarf.yaml b/packages/databases/gitlab/secret/zarf.yaml new file mode 100644 index 00000000..ce9ee942 --- /dev/null +++ b/packages/databases/gitlab/secret/zarf.yaml @@ -0,0 +1,19 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/defenseunicorns/zarf/main/zarf.schema.json +kind: ZarfPackageConfig +metadata: + name: gitlab-database-secret + version: "0.0.1" + architecture: amd64 + +variables: + - name: GITLAB_DB_PASSWORD + default: "replace-me" + +components: + - name: gitlab-postgres-secret + required: true + manifests: + - name: gitlab-postgres-secret + namespace: gitlab + files: + - secret.yaml diff --git a/packages/databases/gitlab/service.yaml b/packages/databases/gitlab/service/service.yaml similarity index 100% rename from packages/databases/gitlab/service.yaml rename to packages/databases/gitlab/service/service.yaml diff --git a/packages/databases/gitlab/zarf.yaml b/packages/databases/gitlab/service/zarf.yaml similarity index 60% rename from packages/databases/gitlab/zarf.yaml rename to packages/databases/gitlab/service/zarf.yaml index 6351618f..633562a7 100644 --- a/packages/databases/gitlab/zarf.yaml +++ b/packages/databases/gitlab/service/zarf.yaml 
@@ -1,23 +1,19 @@ # yaml-language-server: $schema=https://raw.githubusercontent.com/defenseunicorns/zarf/main/zarf.schema.json kind: ZarfPackageConfig metadata: - name: gitlab-database-manifests + name: gitlab-database-service version: "0.0.1" architecture: amd64 variables: - name: GITLAB_DB_EXTERNAL_NAME default: "replace-me" - - name: GITLAB_DB_PASSWORD - default: "replace-me" components: - - name: gitlab-postgres-manifests + - name: gitlab-postgres-external-service required: true manifests: - - name: gitlab-postgres-manifests + - name: gitlab-postgres-external-service namespace: gitlab files: - - policy-exceptions/externalName.yaml - - secret.yaml - service.yaml diff --git a/packages/databases/jira/secret.yaml b/packages/databases/jira/secret/secret.yaml similarity index 100% rename from packages/databases/jira/secret.yaml rename to packages/databases/jira/secret/secret.yaml diff --git a/packages/databases/jira/secret/zarf.yaml b/packages/databases/jira/secret/zarf.yaml new file mode 100644 index 00000000..4586c9f5 --- /dev/null +++ b/packages/databases/jira/secret/zarf.yaml @@ -0,0 +1,19 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/defenseunicorns/zarf/main/zarf.schema.json +kind: ZarfPackageConfig +metadata: + name: jira-database-secret + version: "0.0.1" + architecture: amd64 + +variables: + - name: JIRA_DB_PASSWORD + default: "replace-me" + +components: + - name: jira-postgres-secret + required: true + manifests: + - name: jira-postgres-secret + namespace: jira + files: + - secret.yaml diff --git a/packages/databases/jira/service.yaml b/packages/databases/jira/service/service.yaml similarity index 100% rename from packages/databases/jira/service.yaml rename to packages/databases/jira/service/service.yaml 
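Review bot: The gitlab service component is renamed `gitlab-postgres-external-service`, while the confluence, jira and sonarqube packages in this same patch use `<app>-postgres-service`; component names are operator-facing, so pick one form — `- name: gitlab-postgres-service` for both the component and its manifest would match the siblings. Separately, `policy-exceptions/externalName.yaml` is dropped from this package's file list, so the ExternalName Service now depends on the `restrict-external-names` exception being applied earlier from the `additional-kyverno-exceptions` package; if that policy is in Enforce mode and the bundle does not order the exceptions package first, this Service is rejected at admission, which is worth a comment on the files list. The removed `GITLAB_DB_PASSWORD` variable is covered by the new secret package.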
diff --git a/packages/databases/jira/zarf.yaml b/packages/databases/jira/service/zarf.yaml similarity index 61% rename from packages/databases/jira/zarf.yaml rename to packages/databases/jira/service/zarf.yaml index 99c03c6b..fabe8396 100644 --- a/packages/databases/jira/zarf.yaml +++ b/packages/databases/jira/service/zarf.yaml @@ -1,23 +1,19 @@ # yaml-language-server: $schema=https://raw.githubusercontent.com/defenseunicorns/zarf/main/zarf.schema.json kind: ZarfPackageConfig metadata: - name: jira-database-manifests + name: jira-database-service version: "0.0.1" architecture: amd64 variables: - name: JIRA_DB_EXTERNAL_NAME default: "replace-me" - - name: JIRA_DB_PASSWORD - default: "replace-me" components: - - name: jira-postgres-manifests + - name: jira-postgres-service required: true manifests: - - name: jira-postgres-manifests + - name: jira-postgres-service namespace: jira files: - - policy-exceptions/externalName.yaml - - secret.yaml - service.yaml diff --git a/packages/databases/keycloak/zarf.yaml b/packages/databases/keycloak/zarf.yaml index e57c1701..689dc23f 100644 --- a/packages/databases/keycloak/zarf.yaml +++ b/packages/databases/keycloak/zarf.yaml @@ -16,5 +16,4 @@ components: - name: keycloak-postgres-manifests namespace: keycloak files: - - policy-exceptions/externalName.yaml - service.yaml diff --git a/packages/databases/mattermost/policy-exceptions/externalName.yaml b/packages/databases/mattermost/policy-exceptions/externalName.yaml deleted file mode 100644 index e6653187..00000000 --- a/packages/databases/mattermost/policy-exceptions/externalName.yaml +++ /dev/null @@ -1,19 +0,0 @@ -apiVersion: kyverno.io/v2beta1 -kind: PolicyException -metadata: - name: mattermost-postgres-external-names-exception - namespace: mattermost -spec: - exceptions: - - policyName: restrict-external-names - ruleNames: - - external-names - match: - any: - - resources: - kinds: - - Service - namespaces: - - mattermost - names: - - mattermost-postgres 
diff --git a/packages/databases/mattermost/zarf.yaml b/packages/databases/mattermost/zarf.yaml index 07780ee7..db5d9a22 100644 --- a/packages/databases/mattermost/zarf.yaml +++ b/packages/databases/mattermost/zarf.yaml @@ -22,6 +22,5 @@ components: - name: mattermost-postgres-manifests namespace: mattermost files: - - policy-exceptions/externalName.yaml - secret.yaml - service.yaml diff --git a/packages/databases/nexus/zarf.yaml b/packages/databases/nexus/zarf.yaml index e54f8b9a..e9cb1a3d 100644 --- a/packages/databases/nexus/zarf.yaml +++ b/packages/databases/nexus/zarf.yaml @@ -18,6 +18,5 @@ components: - name: nexus-postgres-manifests namespace: nexus files: - - policy-exceptions/externalName.yaml - secret.yaml - service.yaml diff --git a/packages/databases/sonarqube/secret.yaml b/packages/databases/sonarqube/secret/secret.yaml similarity index 100% rename from packages/databases/sonarqube/secret.yaml rename to packages/databases/sonarqube/secret/secret.yaml diff --git a/packages/databases/sonarqube/secret/zarf.yaml b/packages/databases/sonarqube/secret/zarf.yaml new file mode 100644 index 00000000..7c38fe4b --- /dev/null +++ b/packages/databases/sonarqube/secret/zarf.yaml @@ -0,0 +1,19 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/defenseunicorns/zarf/main/zarf.schema.json +kind: ZarfPackageConfig +metadata: + name: sonarqube-database-secret + version: "0.0.1" + architecture: amd64 + +variables: + - name: SONARQUBE_DB_PASSWORD + default: "replace-me" + +components: + - name: sonarqube-postgres-secret + required: true + manifests: + - name: sonarqube-postgres-secret + namespace: sonarqube + files: + - secret.yaml diff --git a/packages/databases/sonarqube/service.yaml b/packages/databases/sonarqube/service/service.yaml similarity index 100% rename from packages/databases/sonarqube/service.yaml rename to packages/databases/sonarqube/service/service.yaml 
diff --git a/packages/databases/sonarqube/zarf.yaml b/packages/databases/sonarqube/service/zarf.yaml similarity index 60% rename from packages/databases/sonarqube/zarf.yaml rename to packages/databases/sonarqube/service/zarf.yaml index 8c2e60af..8edd4e95 100644 --- a/packages/databases/sonarqube/zarf.yaml +++ b/packages/databases/sonarqube/service/zarf.yaml @@ -1,23 +1,19 @@ # yaml-language-server: $schema=https://raw.githubusercontent.com/defenseunicorns/zarf/main/zarf.schema.json kind: ZarfPackageConfig metadata: - name: sonarqube-database-manifests + name: sonarqube-database-service version: "0.0.1" architecture: amd64 variables: - name: SONARQUBE_DB_EXTERNAL_NAME default: "replace-me" - - name: SONARQUBE_DB_PASSWORD - default: "replace-me" components: - - name: sonarqube-postgres-manifests + - name: sonarqube-postgres-service required: true manifests: - - name: sonarqube-postgres-manifests + - name: sonarqube-postgres-service namespace: sonarqube files: - - policy-exceptions/externalName.yaml - - secret.yaml - service.yaml diff --git a/packages/dubbd-legacy-reqs/manifests/gitlab-ssh-networkpolicies.yaml b/packages/dubbd-legacy-reqs/manifests/gitlab-ssh-networkpolicies.yaml new file mode 100644 index 00000000..3f61bdc3 --- /dev/null +++ b/packages/dubbd-legacy-reqs/manifests/gitlab-ssh-networkpolicies.yaml 
@@ -0,0 +1,42 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: ingress-istio-shell
+ namespace: gitlab
+spec:
+ ingress:
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ app.kubernetes.io/name: istio-controlplane
+ podSelector:
+ matchLabels:
+ app: tenant-ingressgateway
+ istio: ingressgateway
+ ports:
+ - port: 2222
+ protocol: TCP
+ podSelector:
+ matchLabels:
+ app: gitlab-shell
+ policyTypes:
+ - Ingress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: egress-shell
+ namespace: gitlab
+spec:
+ egress:
+ - to:
+ - namespaceSelector: {}
+ - ipBlock:
+ cidr: 0.0.0.0/0
+ except:
+ - 169.254.169.254/32
+ podSelector:
+ matchLabels:
+ app: gitlab-shell
+ policyTypes:
+ - Egress
diff --git a/packages/dubbd-legacy-reqs/manifests/gitlab-ssh-virtualservice.yaml b/packages/dubbd-legacy-reqs/manifests/gitlab-ssh-virtualservice.yaml
new file mode 100644
index 00000000..afbaafdc
--- /dev/null
+++ b/packages/dubbd-legacy-reqs/manifests/gitlab-ssh-virtualservice.yaml
@@ -0,0 +1,21 @@
+apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+ annotations:
+ meta.helm.sh/release-name: gitlab
+ meta.helm.sh/release-namespace: gitlab
+ name: gitlab-ssh
+ namespace: gitlab
+spec:
+ gateways:
+ - istio-system/tenant
+ hosts:
+ - gitlab.mtsi.bigbang.dev
+ tcp:
+ - match:
+ - port: 2022
+ route:
+ - destination:
+ host: gitlab-gitlab-shell.gitlab.svc.cluster.local
+ port:
+ number: 22
diff --git a/packages/dubbd-legacy-reqs/zarf-config.yaml b/packages/dubbd-legacy-reqs/zarf-config.yaml
new file mode 100644
index 00000000..2ad70df5
--- /dev/null
+++ b/packages/dubbd-legacy-reqs/zarf-config.yaml
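Review bot: The `egress-shell` policy lets `gitlab-shell` reach every namespace and `0.0.0.0/0` (less the metadata endpoint), which is effectively no egress restriction on a pod that accepts SSH from outside the cluster. If the shell only needs the in-cluster GitLab services, a `podSelector`/`namespaceSelector` for those targets is a much narrower rule; if cluster-external reach is genuinely required, listing the CIDRs would document why. The `ingress-istio-shell` policy is appropriately scoped to the tenant ingress gateway on port 2222, so only the egress half needs attention.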
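Review bot: The VirtualService hard-codes `gitlab.mtsi.bigbang.dev` under `hosts`, but the dev-cluster uds-config added in this change uses `mtsi-dev.bigbang.dev`, so the SSH route will not match in dev. Template the host from a package variable (`- gitlab.###ZARF_VAR_DOMAIN###`) and declare `DOMAIN` in dubbd-legacy-reqs/zarf.yaml so each cluster's config supplies it. The `meta.helm.sh/release-name: gitlab` annotations presumably exist so the gitlab Helm release can adopt this object later; a one-line comment stating that intent would keep the next maintainer from removing them.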
@@ -0,0 +1,8 @@
+package:
+ create:
+ max_package_size: "1000000000"
+ set:
+ # renovate: datasource=gitlab-tags depName=big-bang/bigbang versioning=semver registryUrl=https://repo1.dso.mil
+ bigbang_version: "2.19.1"
+ # should line up with the flux version in the BB release, see https://repo1.dso.mil/big-bang/bigbang/-/blob/master/base/flux/gotk-components.yaml#L3
+ flux_version: "2.2.2"
diff --git a/packages/dubbd-legacy-reqs/zarf.yaml b/packages/dubbd-legacy-reqs/zarf.yaml
new file mode 100644
index 00000000..884b82c4
--- /dev/null
+++ b/packages/dubbd-legacy-reqs/zarf.yaml
@@ -0,0 +1,30 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/defenseunicorns/zarf/v0.32.1/zarf.schema.json
+kind: ZarfPackageConfig
+metadata:
+ name: dubbd-legacy-reqs
+ description: "Installs Flux and some custom gitlab resources"
+ architecture: "amd64"
+ version: "0.0.1"
+
+components:
+ - name: install-flux
+ required: true
+ manifests:
+ - name: bb-flux
+ namespace: flux-system
+ kustomizations:
+ - https://repo1.dso.mil/big-bang/bigbang.git//base/flux?ref=2.19.1
+ images:
+ - registry1.dso.mil/ironbank/fluxcd/helm-controller:v0.37.1
+ - registry1.dso.mil/ironbank/fluxcd/kustomize-controller:v1.2.1
+ - registry1.dso.mil/ironbank/fluxcd/notification-controller:v1.2.3
+ - registry1.dso.mil/ironbank/fluxcd/source-controller:v1.2.2
+
+ - name: gitlab-ssh
+ required: true
+ manifests:
+ - name: gitlab-ssh-virtualservice
+ namespace: gitlab
+ files:
+ - manifests/gitlab-ssh-virtualservice.yaml
+ - manifests/gitlab-ssh-networkpolicies.yaml
diff --git a/packages/gitlab-redis/redis-secret.yaml b/packages/gitlab-redis/redis-secret.yaml
new file mode 100644
index 00000000..551c4aaf
--- /dev/null
+++ b/packages/gitlab-redis/redis-secret.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: gitlab-redis
+ namespace: gitlab
+type: kubernetes.io/opaque
+stringData:
+ password: "###ZARF_VAR_REDIS_PASSWORD###"
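Review bot: zarf-config.yaml sets `bigbang_version` and `flux_version` under `package.create.set` with a renovate annotation, yet dubbd-legacy-reqs/zarf.yaml hard-codes `?ref=2.19.1` and the four Flux image tags instead of using the `###ZARF_PKG_TMPL_*###` values, so renovate bumps to zarf-config will never change what is actually packaged. Either template the kustomization ref (`- https://repo1.dso.mil/big-bang/bigbang.git//base/flux?ref=###ZARF_PKG_TMPL_BIGBANG_VERSION###`) and the image tags, or drop the unused config keys and their misleading renovate comment. Separately, `ref=2.19.1` is a mutable git tag; pinning the kustomization to a commit SHA makes the package reproducible and protects against the tag being moved.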
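Review bot: `type: kubernetes.io/opaque` in redis-secret.yaml is not a standard Secret type; the generic type is `Opaque`, and the `kubernetes.io/` prefix is reserved for the built-in typed secrets. The API server will likely accept it as a custom type, but tooling that selects on `type=Opaque` will not see this object; change the line to `type: Opaque`.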
diff --git a/packages/gitlab-redis/zarf.yaml b/packages/gitlab-redis/zarf.yaml new file mode 100644 index 00000000..6ec9d730 --- /dev/null +++ b/packages/gitlab-redis/zarf.yaml @@ -0,0 +1,25 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/defenseunicorns/zarf/main/zarf.schema.json +kind: ZarfPackageConfig +metadata: + name: gitlab-redis-secret + version: "0.0.1" + architecture: amd64 + +components: + - name: redis-password + required: true + actions: + onDeploy: + before: + - cmd: kubectl get secret -n dev-redis redis --template='{{ index .data "redis-password" }}' | base64 -d + mute: true + setVariables: + - name: REDIS_PASSWORD + sensitive: true + - name: gitlab-redis + required: true + manifests: + - name: gitlab-redis + namespace: gitlab + files: + - redis-secret.yaml diff --git a/packages/object-store/mattermost/zarf.yaml b/packages/object-store/mattermost/zarf.yaml index e2ad5db1..dd38aa84 100644 --- a/packages/object-store/mattermost/zarf.yaml +++ b/packages/object-store/mattermost/zarf.yaml @@ -15,12 +15,6 @@ variables: autoIndent: true components: - - name: object-store-kyverno-exceptions - required: true - manifests: - - name: kyverno-exceptions - files: - - policy-exceptions/externalName.yaml - name: mattermost-object-store-secret required: true manifests: diff --git a/release-please-config.json b/release-please-config.json index 93daea1d..977c36fc 100644 --- a/release-please-config.json +++ b/release-please-config.json @@ -11,7 +11,7 @@ ], "versioning": "always-bump-patch", "extra-files": [ - "uds-bundle.yaml" + "bundles/dubbd-swf/uds-bundle.yaml" ] } } diff --git a/tasks.yaml b/tasks.yaml new file mode 100644 index 00000000..35c72e50 --- /dev/null +++ b/tasks.yaml 
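Review bot: The `redis-password` action reads the Redis secret from a hard-coded `dev-redis` namespace, while the test-cluster uds-config added in this change sets `gitlab-redis: APP: "gitlab"`, a variable this package never declares, so nothing makes the lookup configurable per cluster. Declare a package variable such as `REDIS_NAMESPACE` with `default: dev-redis` and use `kubectl get secret -n "${ZARF_VAR_REDIS_NAMESPACE}" redis ...` in the command, or drop the unused `APP` entry from the config. `mute: true` together with `sensitive: true` on `REDIS_PASSWORD` is the right handling for the piped value and should stay as is.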
@@ -0,0 +1,67 @@
+includes:
+ - create: ./tasks/create.yaml
+ - deploy: ./tasks/deploy.yaml
+
+tasks:
+ ################
+ # Create
+ ################
+ # Default bundle for now is DUBBD version
+ - name: create-bundle
+ actions:
+ - task: create-dubbd-bundle
+
+ - name: create-dubbd-bundle
+ actions:
+ - task: create:build-dir
+ - task: create:kyverno-exceptions-package
+ - task: create:database-manifest-packages
+ - task: create:namespaces-package
+ - task: create:idam-packages
+ - task: create:object-store-packages
+ - task: create:dubbd-package
+ - task: create:dubbd-bundle
+
+ - name: create-uds-core-bundle
+ actions:
+ - task: create:build-dir
+ - task: create:database-manifest-packages
+ - task: create:gitlab-redis-secret-package
+ - task: create:namespaces-package
+ - task: create:idam-packages
+ - task: create:object-store-packages
+ - task: create:dubbd-legacy-reqs-package
+ - task: create:uds-core-bundle
+
+ ################
+ # Deploy
+ ################
+ # Default bundle for now is DUBBD version
+ - name: deploy-bundle-to-dev
+ actions:
+ - task: deploy-dubbd-bundle-to-dev
+
+ - name: deploy-bundle-to-test
+ actions:
+ - task: deploy-dubbd-bundle-to-test
+
+ - name: deploy-dubbd-bundle-to-dev
+ actions:
+ - task: deploy:dubbd-bundle-to-dev
+
+ - name: deploy-dubbd-bundle-to-test
+ actions:
+ - task: deploy:dubbd-bundle-to-test
+
+ - name: deploy-uds-core-bundle-to-dev
+ actions:
+ - task: deploy:uds-core-bundle-to-dev
+
+ - name: deploy-uds-core-bundle-to-test
+ actions:
+ - task: deploy:uds-core-bundle-test
+
+ #### Clean ####
+ - name: clean
+ actions:
+ - cmd: rm -rf ./build/*
diff --git a/tasks/create.yaml b/tasks/create.yaml
new file mode 100644
index 00000000..b7edf1ad
--- /dev/null
+++ b/tasks/create.yaml
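Review bot: `deploy-uds-core-bundle-to-test` calls `deploy:uds-core-bundle-test`, but tasks/deploy.yaml in this same change defines the task as `uds-core-bundle-to-test`, so this entry fails at task lookup; change the line to `- task: deploy:uds-core-bundle-to-test`. The `clean` task runs `rm -rf ./build/*` unguarded, which is acceptable for a named task, but adding a `description:` to each task here (as create.yaml does) would make the task list self-explanatory and signal which ones are destructive.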
@@ -0,0 +1,79 @@ +variables: + - name: ARCH + description: "What architecture to use" + default: "amd64" + +tasks: + # Build directory + - name: build-dir + description: Create build directory + actions: + - cmd: mkdir build -p + + # Bundles + - name: dubbd-bundle + description: Create the UDS Bundle with SWF and DUBBD + actions: + - cmd: uds create ./bundles/dubbd-swf --architecture=${ARCH} --confirm + - cmd: mv ./bundles/dubbd-swf/uds-bundle-software-factory* ./build + + - name: uds-core-bundle + description: Create the UDS Bundle with SWF on UDS Core + actions: + - cmd: uds create ./bundles/uds-core-swf --architecture=${ARCH} --confirm + - cmd: mv ./bundles/uds-core-swf/uds-bundle-uds-core-swf* ./build + + # Packages + - name: kyverno-exceptions-package + description: Create kyverno exceptions Zarf Package + actions: + - cmd: zarf package create ./packages/additional-kyverno-exceptions --confirm --no-progress --architecture=${ARCH} --skip-sbom --output ./build + + - name: database-manifest-packages + description: Create database manifest packages + actions: + - cmd: zarf package create ./packages/databases/confluence/secret --confirm --no-progress --architecture=${ARCH} --skip-sbom --output ./build + - cmd: zarf package create ./packages/databases/confluence/service --confirm --no-progress --architecture=${ARCH} --skip-sbom --output ./build + - cmd: zarf package create ./packages/databases/gitlab/secret --confirm --no-progress --architecture=${ARCH} --skip-sbom --output ./build + - cmd: zarf package create ./packages/databases/gitlab/service --confirm --no-progress --architecture=${ARCH} --skip-sbom --output ./build + - cmd: zarf package create ./packages/databases/jira/secret --confirm --no-progress --architecture=${ARCH} --skip-sbom --output ./build + - cmd: zarf package create ./packages/databases/jira/service --confirm --no-progress --architecture=${ARCH} --skip-sbom --output ./build + - cmd: zarf package create ./packages/databases/keycloak --confirm 
--no-progress --architecture=${ARCH} --skip-sbom --output ./build + - cmd: zarf package create ./packages/databases/mattermost --confirm --no-progress --architecture=${ARCH} --skip-sbom --output ./build + - cmd: zarf package create ./packages/databases/nexus --confirm --no-progress --architecture=${ARCH} --skip-sbom --output ./build + - cmd: zarf package create ./packages/databases/sonarqube/secret --confirm --no-progress --architecture=${ARCH} --skip-sbom --output ./build + - cmd: zarf package create ./packages/databases/sonarqube/service --confirm --no-progress --architecture=${ARCH} --skip-sbom --output ./build + + - name: gitlab-redis-secret-package + description: Create package for the gitlab redis secret + actions: + - cmd: zarf package create ./packages/gitlab-redis --confirm --no-progress --architecture=${ARCH} --skip-sbom --output ./build + + - name: namespaces-package + description: Create the namespaces package + actions: + - cmd: zarf package create ./packages/namespaces --confirm --no-progress --architecture=${ARCH} --skip-sbom --output ./build + + - name: idam-packages + description: Create the idam packages + actions: + - cmd: zarf package create ./packages/idam-dns --confirm --no-progress --architecture=${ARCH} --skip-sbom --output ./build + - cmd: zarf package create ./packages/idam-gitlab --confirm --no-progress --architecture=${ARCH} --skip-sbom --output ./build + - cmd: zarf package create ./packages/idam-realm --confirm --no-progress --architecture=${ARCH} --skip-sbom --output ./build + - cmd: zarf package create ./packages/idam-sonarqube --confirm --no-progress --architecture=${ARCH} --skip-sbom --output ./build + + - name: object-store-packages + description: Create the object storage packages + actions: + - cmd: zarf package create ./packages/object-store/gitlab --confirm --no-progress --architecture=${ARCH} --skip-sbom --output ./build + - cmd: zarf package create ./packages/object-store/mattermost --confirm --no-progress 
--architecture=${ARCH} --skip-sbom --output ./build + + - name: dubbd-package + description: Create the dubbd package + actions: + - cmd: ZARF_CONFIG=./packages/dubbd/zarf-config.yaml zarf package create ./packages/dubbd --confirm --no-progress --architecture=${ARCH} --skip-sbom --output ./build + + - name: dubbd-legacy-reqs-package + description: Create package to satisfy legacy reqs. This is needed untill we are 100% off Legacy versions of SWF apps + actions: + - cmd: ZARF_CONFIG=./packages/dubbd-legacy-reqs/zarf-config.yaml zarf package create ./packages/dubbd-legacy-reqs --confirm --no-progress --architecture=${ARCH} --skip-sbom --output ./build diff --git a/tasks/deploy.yaml b/tasks/deploy.yaml new file mode 100644 index 00000000..e6df762f --- /dev/null +++ b/tasks/deploy.yaml @@ -0,0 +1,21 @@ +tasks: + + - name: dubbd-bundle-to-dev + description: Deploy the dubbd version of the bundle to test + actions: + - cmd: UDS_CONFIG=./uds-config/dubbd-swf/dev-cluster/uds-config.yaml uds deploy ./build/uds-bundle-software-factory-*.tar.zst --confirm + + - name: dubbd-bundle-to-test + description: Deploy the dubbd version of the bundle to test + actions: + - cmd: UDS_CONFIG=./uds-config/dubbd-swf/test-cluster/uds-config.yaml uds deploy ./build/uds-bundle-software-factory-*.tar.zst --confirm + + - name: uds-core-bundle-to-dev + description: Deploy UDS Core version of the bundle to dev + actions: + - cmd: UDS_CONFIG=./uds-config/uds-core-swf/dev-cluster/uds-config.yaml uds deploy ./build/uds-bundle-uds-core-swf*.tar.zst --confirm + + - name: uds-core-bundle-to-test + description: Deploy UDS Core version of the bundle to tes + actions: + - cmd: UDS_CONFIG=./uds-config/uds-core-swf/tes-cluster/uds-config.yaml uds deploy ./build/uds-bundle-uds-core-swf*.tar.zst --confirm 
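Review bot: Every `zarf package create` in tasks/create.yaml passes `--skip-sbom`, so none of the produced packages carry an SBOM, which removes the main artifact downstream consumers use to check these images and charts for known vulnerabilities. If the flag exists for build speed, drop it on the tasks that produce release artifacts (`dubbd-package`, `dubbd-legacy-reqs-package`, the bundle inputs) or gate it behind a task variable such as `SKIP_SBOM` defaulted to `false`. The `dubbd-legacy-reqs-package` description also misspells `until` as `untill`. This hunk begins at the `@@ -0,0 +1,79 @@` header two lines above.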
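Review bot: `uds-core-bundle-to-test` in tasks/deploy.yaml points at `./uds-config/uds-core-swf/tes-cluster/uds-config.yaml`, but the file added in this change lives at `uds-config/uds-core-swf/test-cluster/uds-config.yaml`, so the test deploy will either fail or run without its intended config; fix the line to `- cmd: UDS_CONFIG=./uds-config/uds-core-swf/test-cluster/uds-config.yaml uds deploy ./build/uds-bundle-uds-core-swf*.tar.zst --confirm` and its description to `to test`. `dubbd-bundle-to-dev` likewise describes itself as "Deploy the dubbd version of the bundle to test" although it targets the dev cluster.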
diff --git a/uds-config/dev-cluster/uds-config.yaml b/uds-config/dubbd-swf/dev-cluster/uds-config.yaml similarity index 96% rename from uds-config/dev-cluster/uds-config.yaml rename to uds-config/dubbd-swf/dev-cluster/uds-config.yaml index bfba5946..9799ae26 100644 --- a/uds-config/dev-cluster/uds-config.yaml +++ b/uds-config/dubbd-swf/dev-cluster/uds-config.yaml @@ -5,7 +5,7 @@ variables: # TODO - remove this if/when functionality is restored upstream REGISTRY_HPA_ENABLE: false metallb: - IP_ADDRESS_POOL: "24.0.132.244/30" + IP_ADDRESS_POOL: "10.0.120.50-10.0.120.59" dubbd-rke2-nutanix: # TODO - replace these blanket exceptions with more targeted kyverno policy exceptions EXEMPT_NAMESPACES: '["zarf", "rook-ceph", "metallb-system", "kube-system", "velero"]' @@ -45,9 +45,10 @@ variables: KEYCLOAK_DB_PASSWORD: "replace-me-db-passwords" KEYCLOAK_DB_NAME: "keycloakdb" KEYCLOAK_DB_ENDPOINT: "keycloak-postgres.keycloak.svc.cluster.local" - gitlab-database-manifests: - GITLAB_DB_EXTERNAL_NAME: "gitlab-pg.mtsi-dev.bigbang.dev" + gitlab-database-secret: GITLAB_DB_PASSWORD: "replace-me-db-passwords" + gitlab-database-service: + GITLAB_DB_EXTERNAL_NAME: "gitlab-pg.mtsi-dev.bigbang.dev" gitlab-object-store: ENDPOINT: "http://swf.objects.mtsi.bigbang.dev" ACCESS_KEY: "replace-me-object-store-access-key" 
@@ -61,17 +62,19 @@ variables: GITLAB_BACKUP_SCHEDULE: "0 3 * * *" GITLAB_BACKUP_EXTRA_ARGS: "--skip artifiacts,registry" BUCKET_SUFFIX: "-dev" - sonarqube-database-manifests: - SONARQUBE_DB_EXTERNAL_NAME: "sonarqube-pg.mtsi-dev.bigbang.dev" + sonarqube-database-secret: SONARQUBE_DB_PASSWORD: "replace-me-db-passwords" + sonarqube-database-service: + SONARQUBE_DB_EXTERNAL_NAME: "sonarqube-pg.mtsi-dev.bigbang.dev" sonarqube: DOMAIN: "mtsi-dev.bigbang.dev" SONARQUBE_IDAM_REALM_URL: "https://keycloak.mtsi-dev.bigbang.dev/auth/realms/baby-yoda" SONARQUBE_DB_NAME: "sonarqubedb" SONARQUBE_DB_USERNAME: "postgres" - jira-database-manifests: - JIRA_DB_EXTERNAL_NAME: "jira-pg.mtsi-dev.bigbang.dev" + jira-database-secret: JIRA_DB_PASSWORD: "replace-me-db-passwords" + jira-database-service: + JIRA_DB_EXTERNAL_NAME: "jira-pg.mtsi-dev.bigbang.dev" jira: DOMAIN: "mtsi-dev.bigbang.dev" JIRA_DB_NAME: "jiradb" diff --git a/uds-config/test-cluster/uds-config.yaml b/uds-config/dubbd-swf/test-cluster/uds-config.yaml similarity index 95% rename from uds-config/test-cluster/uds-config.yaml rename to uds-config/dubbd-swf/test-cluster/uds-config.yaml index b8cae7b5..9ae87cc0 100644 --- a/uds-config/test-cluster/uds-config.yaml +++ b/uds-config/dubbd-swf/test-cluster/uds-config.yaml @@ -1,11 +1,11 @@ options: log_level: info -packages: +variables: init: # TODO - remove this if/when functionality is restored upstream REGISTRY_HPA_ENABLE: false metallb: - IP_ADDRESS_POOL: "24.0.132.248/30" + IP_ADDRESS_POOL: "10.0.120.70-10.0.120.79" dubbd-rke2-nutanix: # TODO - replace these blanket exceptions with more targeted kyverno policy exceptions EXEMPT_NAMESPACES: '["zarf", "rook-ceph", "metallb-system", "kube-system", "velero"]' 
@@ -45,9 +45,10 @@ packages: KEYCLOAK_DB_PASSWORD: "replace-me-db-passwords" KEYCLOAK_DB_NAME: "keycloakdb" KEYCLOAK_DB_ENDPOINT: "keycloak-postgres.keycloak.svc.cluster.local" - gitlab-database-manifests: - GITLAB_DB_EXTERNAL_NAME: "gitlab-pg.mtsi.bigbang.dev" + gitlab-database-secret: GITLAB_DB_PASSWORD: "replace-me-db-passwords" + gitlab-database-service: + GITLAB_DB_EXTERNAL_NAME: "gitlab-pg.mtsi.bigbang.dev" gitlab-object-store: ENDPOINT: "http://swf.objects.mtsi.bigbang.dev" ACCESS_KEY: "replace-me-object-store-access-key" @@ -61,18 +62,20 @@ packages: GITLAB_BACKUP_SCHEDULE: "0 3 * * *" GITLAB_BACKUP_EXTRA_ARGS: "--skip artifiacts,registry" BUCKET_SUFFIX: "-test" - sonarqube-database-manifests: - SONARQUBE_DB_EXTERNAL_NAME: "sonarqube-pg.mtsi.bigbang.dev" + sonarqube-database-secret: SONARQUBE_DB_PASSWORD: "replace-me-db-passwords" + sonarqube-database-service: + SONARQUBE_DB_EXTERNAL_NAME: "sonarqube-pg.mtsi.bigbang.dev" sonarqube: DOMAIN: "mtsi.bigbang.dev" SONARQUBE_IDAM_REALM_URL: "https://keycloak.mtsi.bigbang.dev/auth/realms/baby-yoda" # db config SONARQUBE_DB_NAME: "sonarqubedb" SONARQUBE_DB_USERNAME: "postgres" - jira-database-manifests: - JIRA_DB_EXTERNAL_NAME: "jira-pg.mtsi.bigbang.dev" + jira-database-secret: JIRA_DB_PASSWORD: "replace-me-db-passwords" + jira-database-service: + JIRA_DB_EXTERNAL_NAME: "jira-pg.mtsi.bigbang.dev" jira: DOMAIN: "mtsi.bigbang.dev" JIRA_DB_NAME: "jiradb" diff --git a/uds-config/uds-core-swf/dev-cluster/uds-config.yaml b/uds-config/uds-core-swf/dev-cluster/uds-config.yaml new file mode 100644 index 00000000..04a645e4 --- /dev/null +++ b/uds-config/uds-core-swf/dev-cluster/uds-config.yaml 
@@ -0,0 +1,93 @@ +options: + log_level: info +shared: + DOMAIN: mtsi-dev.bigbang.dev +variables: + init: + # TODO - remove this if/when functionality is restored upstream + REGISTRY_HPA_ENABLE: false + metallb: + IP_ADDRESS_POOL: "10.0.120.50-10.0.120.59" + core: + ADMIN_TLS_CERT: replace-me-cert + ADMIN_TLS_KEY: replace-me-key + TENANT_TLS_CERT: replace-me-cert + TENANT_TLS_KEY: replace-me-key + keycloak-database-manifests: + KEYCLOAK_DB_EXTERNAL_NAME: "keycloak-pg.mtsi-dev.bigbang.dev" + uds-idam: + KEYCLOAK_DB_USERNAME: "postgres" + KEYCLOAK_DB_PASSWORD: "replace-me-db-passwords" + KEYCLOAK_DB_NAME: "keycloakdb" + KEYCLOAK_DB_ENDPOINT: "keycloak-postgres.keycloak.svc.cluster.local" + KEYCLOAK_VALUES: "our-keycloak-values.yaml" + gitlab-database-secret: + GITLAB_DB_PASSWORD: "replace-me-db-passwords" + gitlab-object-store: + ENDPOINT: "http://swf.objects.mtsi.bigbang.dev" + ACCESS_KEY: "replace-me-object-store-access-key" + SECRET_KEY: "replace-me-object-store-secret-key" + gitlab: + GITLAB_DB_NAME: "gitlabdb" + GITLAB_DB_USERNAME: "postgres" + GITLAB_DB_ENDPOINT: "gitlab-pg.mtsi-dev.bigbang.dev" + GITLAB_PAGES_ENABLED: "true" + GITLAB_SIGNUP_ENABLED: "false" + GITLAB_BACKUP_SCHEDULE: "0 3 * * *" + GITLAB_BACKUP_EXTRA_ARGS: "--skip artifiacts,registry" + BUCKET_SUFFIX: "-dev" + GITLAB_REDIS_ENDPOINT: "redis-master.dev-redis.svc.cluster.local" + sonarqube-database-secret: + SONARQUBE_DB_PASSWORD: "replace-me-db-passwords" + sonarqube: + SONARQUBE_IDAM_REALM_URL: "https://keycloak.mtsi-dev.bigbang.dev/auth/realms/baby-yoda" + # db config + SONARQUBE_DB_NAME: "sonarqubedb" + SONARQUBE_DB_USERNAME: "postgres" + SONARQUBE_DB_ENDPOINT: "sonarqube-pg.mtsi-dev.bigbang.dev" + jira-database-secret: + JIRA_DB_PASSWORD: "replace-me-db-passwords" + jira: + JIRA_DB_NAME: "jiradb" + JIRA_DB_USERNAME: "postgres" + JIRA_LOCAL_HOME_ENABLED: "true" + JIRA_LOCAL_HOME_SIZE: "128Gi" + JIRA_RWO_STORAGE_CLASS: "ceph-block" + JIRA_DB_ENDPOINT: "jira-pg.mtsi-dev.bigbang.dev" + 
confluence-database-secret: + CONFLUENCE_DB_PASSWORD: "replace-me-db-passwords" + confluence: + CONFLUENCE_DB_NAME: "confluencedb" + CONFLUENCE_DB_USERNAME: "postgres" + CONFLUENCE_LOCAL_HOME_ENABLED: "true" + CONFLUENCE_LOCAL_HOME_SIZE: "128Gi" + CONFLUENCE_RWO_STORAGE_CLASS: "ceph-block" + CONFLUENCE_DB_ENDPOINT: "confluence-pg.mtsi-dev.bigbang.dev" + mattermost: + ACCESS_KEY: "replace-me-object-store-access-key" + SECRET_KEY: "replace-me-object-store-secret-key" + DB_PASSWORD: "replace-me-db-passwords" + DB_USERNAME: "postgres" + DB_NAME: "mattermostdb" + DB_ENDPOINT: "mattermost-pg.mtsi-dev.bigbang.dev" + DB_OPTIONS: "?connect_timeout=10&sslmode=disable" + OBJECT_STORE_SECURE: "false" + OBJECT_STORE_ENDPOINT: "swf.objects.mtsi.bigbang.dev" + OBJECT_STORE_BUCKET: "mattermost-bucket-dev" + nexus: + NEXUS_DB_NAME: "nexusdb" + NEXUS_DB_USERNAME: "postgres" + NEXUS_DB_ENDPOINT: "nexus-pg.mtsi-dev.bigbang.dev" + POSTGRES_DB_PASSWORD: "replace-me-db-passwords" + NEXUS_SSO_ENABLED: "false" + NEXUS_SSO_IDP_ENTITY_ID: "" + NEXUS_SSO_IDP_USERNAME_ATTRIBUTE: "" + NEXUS_SSO_IDP_FIRSTNAME_ATTRIBUTE: "" + NEXUS_SSO_IDP_LASTNAME_ATTRIBUTE: "" + NEXUS_SSO_IDP_EMAIL_ATTRIBUTE: "" + NEXUS_SSO_IDP_GROUPS_ATTRIBUTE: "" + NEXUS_SSO_IDP_VALIDATE_RESPONSE_SIGNATURE: "" + NEXUS_SSO_IDP_VALIDATE_ASSERTION_SIGNATURE: "" + NEXUS_SSO_IDP_METADATA: '' + NEXUS_SSO_REALM: "[]" + NEXUS_SSO_ROLE: "[]" diff --git a/uds-config/uds-core-swf/test-cluster/uds-config.yaml b/uds-config/uds-core-swf/test-cluster/uds-config.yaml new file mode 100644 index 00000000..8d7c6e77 --- /dev/null +++ b/uds-config/uds-core-swf/test-cluster/uds-config.yaml 
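Review bot: `DB_OPTIONS: "?connect_timeout=10&sslmode=disable"` under `mattermost` sends database credentials and traffic to the external `mattermost-pg.mtsi-dev.bigbang.dev` endpoint without TLS; unless that host is reachable only over an already-encrypted path, `sslmode=require` (or `verify-full` with a CA) is the safer setting, and the choice deserves a comment either way. `GITLAB_BACKUP_EXTRA_ARGS: "--skip artifiacts,registry"` misspells `artifacts`, so GitLab's backup will most likely not skip artifacts as intended; the same typo is carried into the test-cluster config and the renamed dubbd-swf configs. The object-store endpoints are also plain `http://` with `OBJECT_STORE_SECURE: "false"`, which may be deliberate for dev but is worth stating.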
@@ -0,0 +1,102 @@ +options: + log_level: info +variables: + init: + # TODO - remove this if/when functionality is restored upstream + REGISTRY_HPA_ENABLE: false + metallb: + IP_ADDRESS_POOL: "10.0.120.70-10.0.120.79" + software-factory-idam-realm: + DOMAIN: "mtsi.bigbang.dev" + core: + ADMIN_TLS_CERT: replace-me-cert + ADMIN_TLS_KEY: replace-me-key + TENANT_TLS_CERT: replace-me-cert + TENANT_TLS_KEY: replace-me-key + keycloak-database-manifests: + KEYCLOAK_DB_EXTERNAL_NAME: "keycloak-pg.mtsi.bigbang.dev" + uds-idam: + DOMAIN: "mtsi.bigbang.dev" + KEYCLOAK_DB_USERNAME: "postgres" + KEYCLOAK_DB_PASSWORD: "replace-me-db-passwords" + KEYCLOAK_DB_NAME: "keycloakdb" + KEYCLOAK_DB_ENDPOINT: "keycloak-postgres.keycloak.svc.cluster.local" + KEYCLOAK_VALUES: "our-keycloak-values.yaml" + gitlab-database-secret: + GITLAB_DB_PASSWORD: "replace-me-db-passwords" + gitlab-object-store: + ENDPOINT: "http://swf.objects.mtsi.bigbang.dev" + ACCESS_KEY: "replace-me-object-store-access-key" + SECRET_KEY: "replace-me-object-store-secret-key" + gitlab-redis: + APP: "gitlab" + gitlab: + DOMAIN: "mtsi.bigbang.dev" + GITLAB_DB_NAME: "gitlabdb" + GITLAB_DB_USERNAME: "postgres" + GITLAB_DB_ENDPOINT: "gitlab-pg.mtsi.bigbang.dev" + GITLAB_PAGES_ENABLED: "true" + GITLAB_SIGNUP_ENABLED: "false" + GITLAB_BACKUP_SCHEDULE: "0 3 * * *" + GITLAB_BACKUP_EXTRA_ARGS: "--skip artifiacts,registry" + BUCKET_SUFFIX: "-test" + GITLAB_REDIS_ENDPOINT: "redis-master.dev-redis.svc.cluster.local" + sonarqube-database-secret: + SONARQUBE_DB_PASSWORD: "replace-me-db-passwords" + sonarqube: + DOMAIN: "mtsi.bigbang.dev" + SONARQUBE_IDAM_REALM_URL: "https://keycloak.mtsi.bigbang.dev/auth/realms/baby-yoda" + # db config + SONARQUBE_DB_NAME: "sonarqubedb" + SONARQUBE_DB_USERNAME: "postgres" + SONARQUBE_DB_ENDPOINT: "sonarqube-pg.mtsi.bigbang.dev" + jira-database-secret: + JIRA_DB_PASSWORD: "replace-me-db-passwords" + jira: + DOMAIN: "mtsi.bigbang.dev" + JIRA_DB_NAME: "jiradb" + JIRA_DB_USERNAME: "postgres" + 
JIRA_LOCAL_HOME_ENABLED: "true" + JIRA_LOCAL_HOME_SIZE: "128Gi" + JIRA_RWO_STORAGE_CLASS: "ceph-block" + JIRA_DB_ENDPOINT: "jira-pg.mtsi.bigbang.dev" + confluence-database-secret: + CONFLUENCE_DB_PASSWORD: "replace-me-db-passwords" + confluence: + DOMAIN: "mtsi.bigbang.dev" + CONFLUENCE_DB_NAME: "confluencedb" + CONFLUENCE_DB_USERNAME: "postgres" + CONFLUENCE_LOCAL_HOME_ENABLED: "true" + CONFLUENCE_LOCAL_HOME_SIZE: "128Gi" + CONFLUENCE_RWO_STORAGE_CLASS: "ceph-block" + CONFLUENCE_DB_ENDPOINT: "confluence-pg.mtsi.bigbang.dev" + mattermost: + DOMAIN: "mtsi.bigbang.dev" + ACCESS_KEY: "replace-me-object-store-access-key" + SECRET_KEY: "replace-me-object-store-secret-key" + DB_PASSWORD: "replace-me-db-passwords" + DB_USERNAME: "postgres" + DB_NAME: "mattermostdb" + DB_ENDPOINT: "mattermost-pg.mtsi.bigbang.dev" + DB_OPTIONS: "?connect_timeout=10&sslmode=disable" + OBJECT_STORE_SECURE: "false" + OBJECT_STORE_ENDPOINT: "swf.objects.mtsi.bigbang.dev" + OBJECT_STORE_BUCKET: "mattermost-bucket-test" + nexus: + DOMAIN: "mtsi.bigbang.dev" + NEXUS_DB_NAME: "nexusdb" + NEXUS_DB_USERNAME: "postgres" + NEXUS_DB_ENDPOINT: "nexus-pg.mtsi.bigbang.dev" + POSTGRES_DB_PASSWORD: "replace-me-db-passwords" + NEXUS_SSO_ENABLED: "false" + NEXUS_SSO_IDP_ENTITY_ID: "" + NEXUS_SSO_IDP_USERNAME_ATTRIBUTE: "" + NEXUS_SSO_IDP_FIRSTNAME_ATTRIBUTE: "" + NEXUS_SSO_IDP_LASTNAME_ATTRIBUTE: "" + NEXUS_SSO_IDP_EMAIL_ATTRIBUTE: "" + NEXUS_SSO_IDP_GROUPS_ATTRIBUTE: "" + NEXUS_SSO_IDP_VALIDATE_RESPONSE_SIGNATURE: "" + NEXUS_SSO_IDP_VALIDATE_ASSERTION_SIGNATURE: "" + NEXUS_SSO_IDP_METADATA: '' + NEXUS_SSO_REALM: "[]" + NEXUS_SSO_ROLE: "[]"
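Review bot: `GITLAB_REDIS_ENDPOINT: "redis-master.dev-redis.svc.cluster.local"` in the test-cluster config points at the `dev-redis` namespace, and the gitlab-redis package added in this change also reads its password from `dev-redis`, so the test cluster appears to share dev's Redis; this looks like a copy of the dev config, and if test should have its own Redis both this endpoint and the package's namespace need to change. This file also repeats `DOMAIN: "mtsi.bigbang.dev"` per package where the dev config uses `shared: DOMAIN`; using `shared` here too would keep the two configs parallel and avoid one package drifting to a different domain.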