Merge branch 'main' into renovate/uds

.github/actions/setup/action.yaml

@@ -15,13 +15,6 @@ inputs:
 runs:
   using: "composite"
   steps:
-    - name: Install Zarf
-      uses: defenseunicorns/setup-zarf@main
-      with:
-        # renovate: datasource=github-tags depName=defenseunicorns/zarf versioning=semver
-        version: v0.32.1
-        download-init-package: true
-
     - name: Use Node.js latest
       uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4.0.0
       with:

README.md

@@ -1,121 +1,105 @@
 # Unicorn Delivery Service - Core (UDS Core)
 
-> [!WARNING]  
-> UDS Core is in early alpha and is not ready for general use.
+UDS Core establishes a secure baseline for cloud-native systems and ships with compliance documentation and first-class support for airgap/egress-limited systems. Based on the work of [Platform One](https://p1.dso.mil), UDS Core expands on the security posture of [Big Bang](https://repo1.dso.mil/big-bang/bigbang) while providing advanced automation with the [UDS Operator](./src/pepr/operator/README.md) and [UDS Policy Engine](./src/pepr/policies/README.md). UDS Core is a collection of several individual applications combined into a single [Zarf](https://zarf.dev) package and we recommend using [UDS CLI](https://github.com/defenseunicorns/uds-cli?tab=readme-ov-file#install) to deploy it as a [UDS Bundle](#using-uds-core-in-production).
 
-UDS Core groups foundational Unicorn Delivery Service applications inspired by [Big Bang](https://repo1.dso.mil/big-bang/bigbang).
+#### tl;dr - [try it now](#quickstart)
 
-The core applications are:
+#### Core Applications
 
-- [Authservice](https://github.com/istio-ecosystem/authservice) - Authorization
 - [Grafana](https://grafana.com/oss/grafana/) - Monitoring
 - [Istio](https://istio.io/) - Service Mesh
-- [KeyCloak](https://www.keycloak.org/) - Identity & Access Management
-- [Kiali](https://kiali.io/) - Service Mesh Observability
 - [Loki](https://grafana.com/oss/loki/) - Log Aggregation
 - [Metrics Server](https://github.com/kubernetes-sigs/metrics-server) - Metrics
 - [Neuvector](https://open-docs.neuvector.com/) - Container Security
 - [Pepr](https://pepr.dev) - UDS policy engine & operator
 - [Prometheus Stack](https://github.com/prometheus-operator/kube-prometheus) - Monitoring
 - [Promtail](https://grafana.com/docs/loki/latest/send-data/promtail/) - Log Aggregation
-- [Tempo](https://grafana.com/docs/tempo/latest/getting-started/) - Tracing
-- [Velero](https://velero.io/) - Backup & Restore
-
-## Prerequisites
-
-<!-- table -->
 
-| Dependency                                                     | Minimum Version |
-| -------------------------------------------------------------- | --------------- |
-| [Zarf](https://github.com/defenseunicorns/zarf/releases)       | 0.32.1          |
-| [UDS CLI](https://github.com/defenseunicorns/uds-cli/releases) | 0.6.2           |
-| [NodeJS](https://nodejs.org/en/download/)                      | LTS or Current  |
+#### Future Applications
 
-<!-- endtable -->
-
-## Users
+- [Authservice](https://github.com/istio-ecosystem/authservice) - Authorization
+- [KeyCloak](https://www.keycloak.org/) - Identity & Access Management
+- [Kiali](https://kiali.io/) - Service Mesh Observability
+- [Tempo](https://grafana.com/docs/tempo/latest/getting-started/) - Tracing
+- [Velero](https://velero.io/) - Backup & Restore
 
-### Quickstart
+---
 
-A common need is bootstrapping a new UDS Core environment for development or testing. The commands below will deploy the latest version of UDS Core. See the remaining sections for more details on the different bundles and packages available.
+### Prerequisites
 
-```bash
-# ARM version
-uds deploy oci://ghcr.io/defenseunicorns/packages/uds/bundles/k3d-core-demo:arm64
+- [K3D](https://k3d.io/) for dev & test environments or any [CNCF Certified Kubernetes Cluster](https://www.cncf.io/training/certification/software-conformance/#logos) for production environments.
+<!-- renovate: datasource=github-tags depName=defenseunicorns/uds-cli versioning=semver -->
+- [UDS CLI](https://github.com/defenseunicorns/uds-cli?tab=readme-ov-file#install) v0.6.2 or later
 
-# AMD version
-uds deploy oci://ghcr.io/defenseunicorns/packages/uds/bundles/k3d-core-demo:amd64
-```
+---
 
-The bundle includes the uds.dev certs by default. You can use the UDS environment variables to override the default values. E.g.
+### Using UDS Core in Production
 
-```bash
-# Set environment variables with the contents of your certificate and key files (must be base64 encoded)
-UDS_ADMIN_TLS_CERT=$(cat admin.crt)
-UDS_ADMIN_TLS_KEY=$(cat admin.key)
-UDS_TENANT_TLS_CERT=$(cat tenant.crt)
-UDS_TENANT_TLS_KEY=$(cat tenant.key)
+While the UDS Bundles published by this repo can be use for dev and test environments and include a K3d cluster, UDS Core also publishes a UDS Package that is intended to be used in your own UDS Bundle. You can use the [k3d-core-demo bundle](./bundles/k3d-standard/README.md) as an example.
 
-UDS_DOMAIN=example.com
+---
 
-uds deploy oci://ghcr.io/defenseunicorns/package/uds/bundles/k3d-core-demo:amd64
-```
+### Quickstart, Dev & Test Environments
 
-### UDS Core Package
+UDS Core publishes bundles you can use for trying out UDS Core or for UDS Package development where you only need part of UDS Core. These bundles leverage [UDS K3d](https://github.com/defenseunicorns/uds-k3d) to create a local k3d cluster with tools installed to emulate a cloud environment.
 
-UDS core publishes one package:
+> [!NOTE]
+> These UDS Bundles are intended for dev and test environments and should not be used for production. They also serve as examples to create custom bundles.
 
-- [core](./packages/standard/README.md): The standard UDS Core package that is a collection of individual packages that are deployed as a single unit.
+#### Quickstart
 
-### UDS Core Bundles
+If you want to try out UDS Core, you can use the [k3d-core-demo bundle](./bundles/k3d-standard/README.md) to create a local k3d cluster with UDS Core installed by running the following command:
 
-These bundles are intended for bootstrapping common development & testing environments and should not be used for production. They also serve as examples to create custom bundles.
+<!-- x-release-please-start -->
 
-- [k3d-core-demo](./bundles/k3d-standard/README.md): A bundle to create a local k3d cluster with UDS Core installed.
+```bash
+uds deploy k3d-core-demo:0.10.0
+```
 
-- [k3d-core-istio-dev](./bundles/k3d-istio/README.md): A bundle to create a local k3d cluster with only Istio from UDS Core installed.
+<!-- x-release-please-end -->
 
-## Development: Create, build, and test the UDS Core Package
+#### UDS Package Development
 
-For complete testing, we test against a UDS Bundle that uses a locally-built Zarf package. Manually testing against the packages found under `/packages` is also possible using the `zarf` command.
+In addition to the demo bundle, a [k3d-core-istio-dev bundle](./bundles/k3d-istio/README.md) also exists to work with UDS Core with only Istio & Pepr installed. Run the command below to use it:
 
-#### Create, build, and test the UDS Core Package
+<!-- x-release-please-start -->
 
 ```bash
-uds run test-uds-core
+uds deploy k3d-core-istio-dev:0.10.0
 ```
 
-## Working with an individual package
+<!-- x-release-please-end -->
 
-The individual packages that make up UDS Core are broken down in `src/`, the commands below can be used to work with them individually in development.
+#### Developing UDS Core
 
-#### Create, build, and test a single package (e.g. Neuvector)
+UDS Core development leverages the `zarf dev deploy` command. For convenience, a UDS Task is provided to setup the environment. You'll need to have [NodeJS](https://nodejs.org/en/download/) 20 or later installed to continue. Here's an example of a flow developing the [metrics-server package](./src/metrics-server/README.md):
 
 ```bash
-UDS_PKG=neuvector uds run test-single-package
-```
+# Create the dev environment
+uds run dev
 
-#### To build a single package (e.g. Neuvector)
+# If developing the Pepr module:
+npx pepr dev
 
-```bash
-UDS_PKG=neuvector uds run create-single-package
-```
+# If not developing the Pepr module (can be run multiple times):
+npx pepr deploy
 
-#### To deploy a single built package (e.g. Neuvector)
-
-```bash
-UDS_PKG=neuvector uds run deploy-single-package
+# Deploy the package (can be run multiple times)
+uds run dev-deploy --set PKG=metrics-server
 ```
 
-#### To test a single package already deployed (e.g. Neuvector)
+#### Testing UDS Core
+
+You can perform a complete test of UDS Core by running the following command:
 
 ```bash
-uds run -f src/neuvector/tasks/validate.yaml run
+uds run test-uds-core
 ```
 
-Note: The run tasks above default to targetting the upstream (oss) package flavor.
-In order to run any of the above commands against the registry1 flavor the command must be updated with ```--set FLAVOR=registry1``` For example:
+This will create a local k3d cluster, install UDS Core, and run a series of tests against it, the same tests that are run in CI. If you want to run the tests against a specific package, you can use the `PKG` env variable. The following example runs the tests against the metrics-server package:
 
 ```bash
-uds run test-uds-core --set FLAVOR=registry1
+PKG=metrics-server uds run test-single-package
 ```
+
+Note you can specify the `--set FLAVOR=registry1` flag to test using Iron Bank images instead of the upstream images.

bundles/k3d-istio/README.md

@@ -1,13 +1,9 @@
 # Unicorn Delivery Service - K3d Istio (UDS Core)
 
-> [!WARNING]  
-> UDS Core is in early alpha and is not ready for general use.
-
-UDS Core groups foundational Unicorn Delivery Service applications inspired by [Big Bang](https://repo1.dso.mil/big-bang/bigbang).
-
-The core applications are:
+This bundle is a trimmed-down version of [UDS Core](../k3d-standard/README.md) bundle, with only the following UDS Core applications installed:
 
 - [Istio](https://istio.io/) - Service Mesh
+- [Pepr](https://pepr.dev) - UDS policy engine & operator
 
 The k3d uds-dev-stack provides:
 
@@ -17,19 +13,6 @@ The k3d uds-dev-stack provides:
 - [MetalLB](https://metallb.universe.tf/) - Provides type: LoadBalancer for cluster resources and Istio Gateways
 - [HAProxy](https://www.haproxy.org/) - Utilizes k3d host port mapping to bind ports 80 and 443, facilitating local FQDN-based routing through ACLs to MetalLB load balancer backends for Istio Gateways serving *.uds.dev, keycloak.uds.dev, and *.admin.uds.dev.
 
-
-## Prerequisites
-
-<!-- table -->
-
-| Dependency                                                     | Minimum Version |
-| -------------------------------------------------------------- | --------------- |
-| [Zarf](https://github.com/defenseunicorns/zarf/releases)       | 0.32.1          |
-| [UDS CLI](https://github.com/defenseunicorns/uds-cli/releases) | 0.5.3           |
-| [NodeJS](https://nodejs.org/en/download/)                      | LTS or Current  |
-
-<!-- endtable -->
-
 ## Configuration
 
 ### Minio

bundles/k3d-standard/README.md

@@ -1,46 +1,13 @@
 # Unicorn Delivery Service - K3d Core Bundle (UDS Core)
 
-> [!WARNING]  
-> UDS Core is in early alpha and is not ready for general use.
-
-UDS Core groups foundational Unicorn Delivery Service applications inspired by [Big Bang](https://repo1.dso.mil/big-bang/bigbang).
-
-The core applications are:
-
-- [Authservice](https://github.com/istio-ecosystem/authservice) - Authorization
-- [Grafana](https://grafana.com/oss/grafana/) - Monitoring
-- [Istio](https://istio.io/) - Service Mesh
-- [KeyCloak](https://www.keycloak.org/) - Identity & Access Management
-- [Kiali](https://kiali.io/) - Service Mesh Observability
-- [Loki](https://grafana.com/oss/loki/) - Log Aggregation
-- [Metrics Server](https://github.com/kubernetes-sigs/metrics-server) - Metrics
-- [Neuvector](https://open-docs.neuvector.com/) - Container Security
-- [Pepr](https://pepr.dev) - UDS policy engine & operator
-- [Prometheus Stack](https://github.com/prometheus-operator/kube-prometheus) - Monitoring
-- [Promtail](https://grafana.com/docs/loki/latest/send-data/promtail/) - Log Aggregation
-- [Tempo](https://grafana.com/docs/tempo/latest/getting-started/) - Tracing
-- [Velero](https://velero.io/) - Backup & Restore
-
-The k3d uds-dev-stack provides:
+This bundle is used for demonstration, development, and testing of UDS Core. In addition to the [UDS Core applications](../../README.md#core-applications), the included k3d uds-dev-stack provides:
 
 - [K3d](https://k3d.io/) - Containerized K3s Kubernetes Enviroment
 - [Minio](<https://min.io/>) - In-cluster S3 Object Storage (See below for more details)
 - [Local Path Provisioner](<https://github.com/rancher/local-path-provisioner>) - Storage Provider with RWX configured
 - [MetalLB](https://metallb.universe.tf/) - Provides type: LoadBalancer for cluster resources and Istio Gateways
 - [HAProxy](https://www.haproxy.org/) - Utilizes k3d host port mapping to bind ports 80 and 443, facilitating local FQDN-based routing through ACLs to MetalLB load balancer backends for Istio Gateways serving *.uds.dev, keycloak.uds.dev, and *.admin.uds.dev.
 
-## Prerequisites
-
-<!-- table -->
-
-| Dependency                                                     | Minimum Version |
-| -------------------------------------------------------------- | --------------- |
-| [Zarf](https://github.com/defenseunicorns/zarf/releases)       | 0.32.1          |
-| [UDS CLI](https://github.com/defenseunicorns/uds-cli/releases) | 0.5.3           |
-| [NodeJS](https://nodejs.org/en/download/)                      | LTS or Current  |
-
-<!-- endtable -->
-
 ## Configuration
 
 ### Minio

src/pepr/config.ts

@@ -1,4 +1,8 @@
+const isZarfEnv = process.env.UDS_DOMAIN !== "###ZARF_VAR_DOMAIN###";
+
 export const UDSConfig = {
-  domain: process.env.UDS_DOMAIN || "uds.dev",
-  istioInstalled: process.env.UDS_WITH_ISTIO === "true",
+  // Ignore the UDS_DOMAIN if not deployed by Zarf
+  domain: (isZarfEnv && process.env.UDS_DOMAIN) || "uds.dev",
+  // Assume Istio is installed if not deployed by Zarf
+  istioInstalled: !isZarfEnv || process.env.UDS_WITH_ISTIO === "true",
 };

src/pepr/operator/README.md

@@ -3,11 +3,44 @@
 The UDS Operator manages the lifecycle of UDS Package CRs and their corresponding resources (e.g. NetworkPolicies, Istio VirtualServices, etc.). The operator uses [Pepr](https://pepr.dev) to bind the watch operations to the enqueue and reconciler. The operator is responsible for:
 
 - enabling Istio sidecar injection in namespaces where the CR is deployed
-- establishing default-deny ingress/egress network policies 
+- establishing default-deny ingress/egress network policies
 - creating a layered allow-list based approach on top of the default deny network policies including some basic defaults such as Istio requirements and DNS egress
 - providing targeted remote endpoints network policies such as `KubeAPI` and `CloudMetadata` to make policies more DRY and provide dynamic bindings where a static definition is not possible
 - creating Istio Virtual Services & related ingress gateway network policies
 
+### Example UDS Package CR
+
+```yaml
+apiVersion: uds.dev/v1alpha1
+kind: Package
+metadata:
+  name: grafana
+  namespace: grafana
+spec:
+  network:
+    expose:
+      - service: grafana
+        podLabels:
+          app.kubernetes.io/name: grafana
+        host: grafana
+        gateway: admin
+        port: 80
+        targetPort: 3000
+
+    allow:
+      - direction: Egress
+        podLabels:
+          app.kubernetes.io/name: grafana
+        remoteGenerated: Anywhere
+
+      - direction: Egress
+        remoteNamespace: tempo
+        remotePodLabels:
+          app.kubernetes.io/name: tempo
+        port: 9411
+        description: "Tempo"
+```
+
 ### Key Files and Folders
 
 ```bash
@@ -25,7 +58,6 @@ The UDS Operator manages the lifecycle of UDS Package CRs and their correspondin
 └── reconciler.ts        # Reconciles UDS Package CRs via the controllers
 ```
 
-
 ### Flow
 
 The UDS Operator leverages a Pepr Watch. The following diagram shows the flow of the UDS Operator:

src/test/tasks.yaml

@@ -3,9 +3,9 @@ tasks:
     description: Test app used for UDS Core validation
     actions:
       - description: Create zarf package for the test resources
-        cmd: "zarf package create src/test --confirm"
+        cmd: "uds zarf package create src/test --confirm"
       - description: Apply the test resources
-        cmd: "zarf package deploy build/zarf-package-uds-core-test-apps-*.zst --confirm"
+        cmd: "uds zarf package deploy build/zarf-package-uds-core-test-apps-*.zst --confirm"
 
       - description: Wait for the admin app to be ready
         wait:
@@ -50,4 +50,4 @@ tasks:
             code: 202
 
       - description: Remove the test resources
-        cmd: "zarf package remove build/zarf-package-uds-core-test-apps-*.zst --confirm"
+        cmd: "uds zarf package remove build/zarf-package-uds-core-test-apps-*.zst --confirm"

tasks.yaml

@@ -2,20 +2,22 @@ variables:
   - name: FLAVOR
     default: upstream
 
+  - name: PKG
+
 includes:
   - create: ./tasks/create.yaml
   - setup: ./tasks/setup.yaml
   - deploy: ./tasks/deploy.yaml
   - test: ./tasks/test.yaml
   - lint: ./tasks/lint.yaml
 tasks:
-  - name: dev
+  - name: dev-setup
     actions:
       - description: "Create the dev cluster"
         task: setup:create-k3d-cluster
 
       - description: "Deploy the Istio source package with Zarf Dev"
-        cmd: "zarf dev deploy src/istio --flavor ${FLAVOR}"
+        cmd: "uds zarf dev deploy src/istio --flavor ${FLAVOR}"
 
       - description: "Dev instructions"
         cmd: |
@@ -24,6 +26,11 @@ tasks:
           echo "  - Otherwise run 'npx pepr deploy' to deploy the Pepr module to the cluster"
           echo "  - Additional source packages can be deployed with 'zarf dev deploy src/<package>'"
 
+  - name: dev-deploy
+    actions:
+      - description: "Deploy the given source package with Zarf Dev"
+        cmd: "uds zarf dev deploy src/${PKG} --flavor ${FLAVOR}"
+
   - name: setup-cluster
     actions:
       - task: setup:k3d-test-cluster