feat: add base and identity layers (#853)

* Adds UDS Core Base * Adds UDS Core Identity & Authorization Fixes #827 Fixes #828 Fixes #833 - [ ] Bug fix (non-breaking change which fixes an issue) - [ ] New feature (non-breaking change which adds functionality) - [ ] Other (security config, docs update, etc) - [ ] Test, docs, adr added or updated as needed - [ ] [Contributor Guide](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md) followed --------- Co-authored-by: Micah Nagel <micah.nagel@defenseunicorns.com>
defenseunicorns · Oct 17, 2024 · 579daac · 579daac
1 parent 86ffd61
commit 579daac
Show file tree

Hide file tree

Showing 32 changed files with 287 additions and 252 deletions.
diff --git a/.github/actions/setup/action.yaml b/.github/actions/setup/action.yaml
@@ -28,13 +28,11 @@ runs:
       # renovate: datasource=github-tags depName=k3d-io/k3d versioning=semver
       run: curl -s https://raw.githubusercontent.com/k3d-io/k3d/main/install.sh | TAG=v5.7.4 bash
 
-    - name: Set up Homebrew
-      uses: Homebrew/actions/setup-homebrew@master
-
     - name: Install UDS CLI
-      shell: bash
-      # renovate: datasource=github-tags depName=defenseunicorns/uds-cli versioning=semver
-      run: brew install defenseunicorns/tap/uds@0.16.0
+      uses: defenseunicorns/setup-uds@b987a32bac3baeb67bfb08f5e1544e2f9076ee8a # v1.0.0
+      with:
+        # renovate: datasource=github-tags depName=defenseunicorns/uds-cli versioning=semver
+        version: v0.16.0
 
     - name: Install Lula
       uses: defenseunicorns/lula-action/setup@badad8c4b1570095f57e66ffd62664847698a3b9 # v0.0.1

diff --git a/.github/filters.yaml b/.github/filters.yaml
@@ -1,98 +1,12 @@
 all:
   - "**"
 
-authservice:
-  - "src/authservice/**"
-  - "!**/*.md"
-  - "!**/*.jpg"
-  - "!**/*.png"
-  - "!**/*.gif"
-  - "!**/*.svg"
-
-grafana:
-  - "src/grafana/**"
-  - "!**/*.md"
-  - "!**/*.jpg"
-  - "!**/*.png"
-  - "!**/*.gif"
-  - "!**/*.svg"
-
-istio:
+base:
+  - "packages/base/**"
   - "src/istio/**"
-  - "!**/*.md"
-  - "!**/*.jpg"
-  - "!**/*.png"
-  - "!**/*.gif"
-  - "!**/*.svg"
+  - "src/pepr/**"
 
-keycloak:
+identity-authorization:
+  - "packages/identity-authorization/**"
   - "src/keycloak/**"
-  - "!**/*.md"
-  - "!**/*.jpg"
-  - "!**/*.png"
-  - "!**/*.gif"
-  - "!**/*.svg"
-
-kiali:
-  - "src/kiali/**"
-  - "!**/*.md"
-  - "!**/*.jpg"
-  - "!**/*.png"
-  - "!**/*.gif"
-  - "!**/*.svg"
-
-loki:
-  - "src/loki/**"
-  - "!**/*.md"
-  - "!**/*.jpg"
-  - "!**/*.png"
-  - "!**/*.gif"
-  - "!**/*.svg"
-
-metrics-server:
-  - "src/metrics-server/**"
-  - "!**/*.md"
-  - "!**/*.jpg"
-  - "!**/*.png"
-  - "!**/*.gif"
-  - "!**/*.svg"
-
-neuvector:
-  - "src/neuvector/**"
-  - "!**/*.md"
-  - "!**/*.jpg"
-  - "!**/*.png"
-  - "!**/*.gif"
-  - "!**/*.svg"
-
-prometheus-stack:
-  - "src/prometheus-stack/**"
-  - "!**/*.md"
-  - "!**/*.jpg"
-  - "!**/*.png"
-  - "!**/*.gif"
-  - "!**/*.svg"
-
-vector:
-  - "src/vector/**"
-  - "!**/*.md"
-  - "!**/*.jpg"
-  - "!**/*.png"
-  - "!**/*.gif"
-  - "!**/*.svg"
-
-tempo:
-  - "src/tempo/**"
-  - "!**/*.md"
-  - "!**/*.jpg"
-  - "!**/*.png"
-  - "!**/*.gif"
-  - "!**/*.svg"
-
-velero:
-  - "src/velero/**"
-  - "!**/*.md"
-  - "!**/*.jpg"
-  - "!**/*.png"
-  - "!**/*.gif"
-  - "!**/*.svg"
+  - "src/authservice/**"
diff --git a/.github/workflows/compliance.yaml b/.github/workflows/compliance.yaml
@@ -25,8 +25,6 @@ jobs:
     runs-on: ubuntu-latest
     name: Evaluate
     continue-on-error: true
-    # env:
-    #   UDS_PKG: ${{ inputs.package }}
     steps:
       # Used to execute the uds run command
       - name: Checkout repository

diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
@@ -87,3 +87,45 @@ jobs:
         uses: ./.github/actions/save-logs
         with:
           suffix: -${{ matrix.flavor }}
+
+  publish-uds-core-layers:
+    if: ${{ !inputs.snapshot }}
+    strategy:
+      matrix:
+        flavor: [upstream, registry1, unicorn]
+        layer: [base, identity-authorization]
+        arch: [amd64, arm64]
+        exclude:
+          - flavor: registry1
+            arch: arm64
+    runs-on: ${{ matrix.arch == 'arm64' && 'uds-ubuntu-arm64-4-core' || 'uds-ubuntu-big-boy-4-core' }}
+    name: Publish package layers
+
+    permissions:
+      contents: read
+      packages: write
+      id-token: write  # This is needed for OIDC federation.
+
+    steps:
+      - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+
+      - name: Environment setup
+        uses: ./.github/actions/setup
+        with:
+          registry1Username: ${{ secrets.IRON_BANK_ROBOT_USERNAME }}
+          registry1Password: ${{ secrets.IRON_BANK_ROBOT_PASSWORD }}
+          ghToken: ${{ secrets.GITHUB_TOKEN }}
+          chainguardIdentity: ${{ secrets.CHAINGUARD_IDENTITY }}
+
+      - name: Test and Publish Core Package Layer
+        run: uds run -f tasks/publish.yaml single-layer --set FLAVOR=${{ matrix.flavor }} --set LAYER=${{ matrix.layer }} --no-progress
+
+      - name: Debug Output
+        if: ${{ always() && !inputs.snapshot }}
+        uses: ./.github/actions/debug-output
+
+      - name: Save logs
+        if: always()
+        uses: ./.github/actions/save-logs
+        with:
+          suffix: -${{ matrix.flavor }}-${{ matrix.layer }}-${{ matrix.arch }}
diff --git a/.github/workflows/pull-request-conditionals.yaml b/.github/workflows/pull-request-conditionals.yaml
@@ -64,7 +64,6 @@ jobs:
         uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3
         with:
           filters: .github/filters.yaml
-          predicate-quantifier: every
 
   # This job triggers a separate workflow for each changed source package, if any.
   run-package-test:

diff --git a/.github/workflows/slim-dev-test.yaml b/.github/workflows/slim-dev-test.yaml
@@ -8,9 +8,11 @@ on:
     paths:
       - src/pepr/**
       - src/keycloak/**
+      - src/authservice/**
       - src/istio/**
       - src/prometheus-stack/**
-      - packages/slim-dev/**
+      - packages/base/**
+      - packages/identity-authorization/**
       - bundles/k3d-slim-dev/**
       - .github/workflows/slim-dev**
       - "!**/*.md"

diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
@@ -21,7 +21,7 @@ on:
     inputs:
       package:
         type: string
-        description: "The name of the source package to test"
+        description: "The name of the core package layer to test"
         required: true
       flavor:
         type: string
@@ -43,7 +43,7 @@ jobs:
     timeout-minutes: 30
     name: Test
     env:
-      UDS_PKG: ${{ inputs.package }}
+      UDS_LAYER: ${{ inputs.package }}
 
     steps:
       - name: Checkout repository
@@ -57,9 +57,9 @@ jobs:
           ghToken: ${{ secrets.GITHUB_TOKEN }}
           chainguardIdentity: ${{ secrets.CHAINGUARD_IDENTITY }}
 
-      - name: Test a single source package
+      - name: Test a single layer package
         if: ${{ inputs.package != 'all' && inputs.test_type == 'install' }}
-        run: uds run test-single-package --set FLAVOR=${{ inputs.flavor }} --no-progress
+        run: uds run test-single-layer --set FLAVOR=${{ inputs.flavor }} --set LAYER=${{ inputs.package }} --no-progress
 
       - name: Test UDS Core Install
         if: ${{ inputs.package == 'all' && inputs.test_type == 'install' }}

diff --git a/README.md b/README.md
@@ -78,7 +78,7 @@ uds deploy k3d-core-slim-dev:0.28.0
 
 #### Developing UDS Core
 
-UDS Core development leverages the `uds zarf dev deploy` command. For convenience, a UDS Task is provided to setup the environment. You'll need to have [NodeJS](https://nodejs.org/en/download/) 20 or later installed to continue. Here's an example of a flow developing the [metrics-server package](./src/metrics-server/README.md):
+UDS Core development leverages the `uds zarf dev deploy` command. For convenience, a UDS Task is provided to setup the environment. You'll need to have [NodeJS](https://nodejs.org/en/download/) 20 or later installed to continue. Here's an example of a flow developing the [identity-authorization layer](./package/identity-authorization/README.md):
 
 ```bash
 # Create the dev environment
@@ -90,8 +90,8 @@ npx pepr dev
 # If not developing the Pepr module (can be run multiple times):
 npx pepr deploy
 
-# Deploy the package (can be run multiple times)
-uds run dev-deploy --set PKG=metrics-server
+# Deploy the layer (can be run multiple times)
+uds run dev-deploy --set LAYER=identity-authorization
 ```
 
 #### Testing UDS Core
@@ -102,10 +102,10 @@ You can perform a complete test of UDS Core by running the following command:
 uds run test-uds-core
 ```
 
-This will create a local k3d cluster, install UDS Core, and run a series of tests against it, the same tests that are run in CI. If you want to run the tests against a specific package, you can use the `PKG` env variable. The following example runs the tests against the metrics-server package:
+This will create a local k3d cluster, install UDS Core, and run a series of tests against it, the same tests that are run in CI. If you want to run the tests against a specific core layer, you can use the `LAYER` task variable. The following example runs the tests against the identity-authorization layer:
 
 ```bash
-UDS_PKG=metrics-server uds run test-single-package
+uds run test-single-layer --set LAYER=identity-authorization
 ```
 
 Note you can specify the `--set FLAVOR=registry1` flag to test using Iron Bank images instead of the upstream images.
diff --git a/bundles/k3d-slim-dev/uds-bundle.yaml b/bundles/k3d-slim-dev/uds-bundle.yaml
@@ -31,7 +31,7 @@ packages:
     repository: ghcr.io/zarf-dev/packages/init
     ref: v0.41.0
 
-  - name: core-slim-dev
+  - name: core-base
     path: ../../build/
     # x-release-please-start-version
     ref: 0.28.0
@@ -66,6 +66,13 @@ packages:
             - name: TENANT_SERVICE_PORTS
               description: "The ports that are exposed from the tenant gateway LoadBalancer (useful for non-HTTP(S) traffic)"
               path: "service.ports"
+
+  - name: core-identity-authorization
+    path: ../../build/
+    # x-release-please-start-version
+    ref: 0.28.0
+    # x-release-please-end
+    overrides:
       keycloak:
         keycloak:
           variables:

diff --git a/docs/deployment/uds-deploy.md b/docs/deployment/uds-deploy.md
@@ -110,12 +110,10 @@ You can perform a complete test of UDS Core by running the following command:
 uds run test-uds-core
 ```
 
-This command initiates the creation of a local k3d cluster, installs UDS Core, and executes a set of tests identical to those performed in CI. If you wish to run tests targeting a specific package, you can utilize the `PKG` environment variable.
-
-The example below runs tests against the metrics-server package:
+This will create a local k3d cluster, install UDS Core, and run a series of tests against it, the same tests that are run in CI. If you want to run the tests against a specific core layer, you can use the `LAYER` task variable. The following example runs the tests against the identity-authorization layer:
 
 ```cli
-UDS_PKG=metrics-server uds run test-single-package
+uds run test-single-layer --set LAYER=identity-authorization
 ```
 
 {{% alert-note %}}

diff --git a/packages/base/README.md b/packages/base/README.md
@@ -0,0 +1,7 @@
+# UDS Core Base
+
+This is the base layer of UDS Core required if deploying any other layers. Currently it includes the application(s):
+- Istio (and gateways)
+- UDS Operator and Policies (Pepr)
+
+As this is the base layer it can be deployed standalone for minimal functionality.
diff --git a/packages/base/tasks.yaml b/packages/base/tasks.yaml
@@ -0,0 +1,9 @@
+includes:
+  - istio: ../../src/istio/tasks.yaml
+  - pepr: ../../src/pepr/tasks.yaml
+
+tasks:
+  - name: validate
+    actions:
+      - task: istio:validate
+      - task: pepr:validate
diff --git a/packages/slim-dev/zarf.yaml → packages/base/zarf.yaml b/packages/slim-dev/zarf.yaml → packages/base/zarf.yaml
@@ -1,11 +1,12 @@
 kind: ZarfPackageConfig
 metadata:
-  name: core-slim-dev
-  description: "UDS Core (Istio, UDS Operator and Keycloak)"
+  name: core-base
+  description: "UDS Core (Base)"
   authors: "Defense Unicorns - Product"
   # x-release-please-start-version
   version: "0.28.0"
   # x-release-please-end
+  x-uds-dependencies: []
 
 components:
   - name: uds-operator-config
@@ -45,9 +46,3 @@ components:
     required: true
     import:
       path: ../../src/pepr
-
-  # Keycloak
-  - name: keycloak
-    required: true
-    import:
-      path: ../../src/keycloak
diff --git a/packages/identity-authorization/README.md b/packages/identity-authorization/README.md
@@ -0,0 +1,8 @@
+# UDS Core Identity & Authorization
+
+This layer of UDS Core provides identity management and authorization capabilities. Currently it includes the application(s):
+- Keycloak (with custom plugin and realm)
+- AuthService
+
+To deploy this layer you must also deploy its dependent layer(s):
+- Base
diff --git a/packages/identity-authorization/tasks.yaml b/packages/identity-authorization/tasks.yaml
@@ -0,0 +1,9 @@
+includes:
+  - keycloak: ../../src/keycloak/tasks.yaml
+  - authservice: ../../src/authservice/tasks.yaml
+
+tasks:
+  - name: validate
+    actions:
+      - task: keycloak:validate
+      - task: authservice:validate
diff --git a/packages/identity-authorization/zarf.yaml b/packages/identity-authorization/zarf.yaml
@@ -0,0 +1,22 @@
+kind: ZarfPackageConfig
+metadata:
+  name: core-identity-authorization
+  description: "UDS Core (Identity & Authorization)"
+  authors: "Defense Unicorns - Product"
+  # x-release-please-start-version
+  version: "0.28.0"
+  # x-release-please-end
+  x-uds-dependencies: ["base"]
+
+components:
+  # Keycloak
+  - name: keycloak
+    required: true
+    import:
+      path: ../../src/keycloak
+
+  # Authservice
+  - name: authservice
+    required: true
+    import:
+      path: ../../src/authservice
diff --git a/packages/slim-dev/README.md b/packages/slim-dev/README.md