diff --git a/.github/actions/lint-check/action.yaml b/.github/actions/lint-check/action.yaml
index 7d89b183e..40cf4dbe2 100644
--- a/.github/actions/lint-check/action.yaml
+++ b/.github/actions/lint-check/action.yaml
@@ -11,12 +11,11 @@ runs:
       uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
       with:
         node-version: 20
-    - name: Set up Homebrew
-      uses: Homebrew/actions/setup-homebrew@master
     - name: Install UDS CLI
-      # renovate: datasource=github-tags depName=defenseunicorns/uds-cli versioning=semver
-      run: brew install defenseunicorns/tap/uds@0.19.0
-      shell: bash
+      uses: defenseunicorns/setup-uds@b987a32bac3baeb67bfb08f5e1544e2f9076ee8a # v1.0.0
+      with:
+        # renovate: datasource=github-tags depName=defenseunicorns/uds-cli versioning=semver
+        version: v0.19.2
     - name: Run Formatting Checks
       run: uds run lint-check --no-progress
       shell: bash
diff --git a/.github/actions/setup/action.yaml b/.github/actions/setup/action.yaml
index a13d9e92b..272d53737 100644
--- a/.github/actions/setup/action.yaml
+++ b/.github/actions/setup/action.yaml
@@ -35,13 +35,13 @@ runs:
       uses: defenseunicorns/setup-uds@b987a32bac3baeb67bfb08f5e1544e2f9076ee8a # v1.0.0
       with:
         # renovate: datasource=github-tags depName=defenseunicorns/uds-cli versioning=semver
-        version: v0.19.0
+        version: v0.19.2
     - name: Install Lula
       uses: defenseunicorns/lula-action/setup@badad8c4b1570095f57e66ffd62664847698a3b9 # v0.0.1
       with:
         # renovate: datasource=github-tags depName=defenseunicorns/lula versioning=semver-coerced
-        version: v0.12.0
+        version: v0.13.0
     - name: Iron Bank Login
       if: ${{ inputs.registry1Username != '' }}
diff --git a/.github/bundles/aks/uds-bundle.yaml b/.github/bundles/aks/uds-bundle.yaml
index 664d3816f..1b0023366 100644
--- a/.github/bundles/aks/uds-bundle.yaml
+++ b/.github/bundles/aks/uds-bundle.yaml
@@ -6,18 +6,18 @@ metadata:
   name: uds-core-aks-nightly
   description: A UDS bundle for deploying UDS Core on AKS
   # x-release-please-start-version
-  version: "0.32.0"
+  version: "0.32.1"
   # x-release-please-end
 packages:
   - name: init
     repository: ghcr.io/zarf-dev/packages/init
-    ref: v0.43.1
+    ref: v0.44.0
   - name: core
     path: ../../../build
     # x-release-please-start-version
-    ref: 0.32.0
+    ref: 0.32.1
     # x-release-please-end
     overrides:
       istio-admin-gateway:
diff --git a/.github/bundles/eks/uds-bundle.yaml b/.github/bundles/eks/uds-bundle.yaml
index 4a2787476..f59908b6c 100644
--- a/.github/bundles/eks/uds-bundle.yaml
+++ b/.github/bundles/eks/uds-bundle.yaml
@@ -6,18 +6,18 @@ metadata:
   name: uds-core-eks-nightly
   description: A UDS bundle for deploying EKS and UDS Core
   # x-release-please-start-version
-  version: "0.32.0"
+  version: "0.32.1"
   # x-release-please-end
 packages:
   - name: init
     repository: ghcr.io/zarf-dev/packages/init
-    ref: v0.43.1
+    ref: v0.44.0
   - name: core
     path: ../../../build
     # x-release-please-start-version
-    ref: 0.32.0
+    ref: 0.32.1
     # x-release-please-end
     optionalComponents:
       - metrics-server
diff --git a/.github/bundles/rke2/uds-bundle.yaml b/.github/bundles/rke2/uds-bundle.yaml
index b805fe381..19e755bbd 100644
--- a/.github/bundles/rke2/uds-bundle.yaml
+++ b/.github/bundles/rke2/uds-bundle.yaml
@@ -6,7 +6,7 @@ metadata:
   name: uds-core-rke2-nightly
   description: A UDS bundle for deploying RKE2 and UDS Core
   # x-release-please-start-version
-  version: "0.32.0"
+  version: "0.32.1"
   # x-release-please-end
 packages:
@@ -16,7 +16,7 @@ packages:
   - name: init
     repository: ghcr.io/zarf-dev/packages/init
-    ref: v0.43.1
+    ref: v0.44.0
     overrides:
       zarf-registry:
         docker-registry:
@@ -38,7 +38,7 @@ packages:
   - name: core
     path: ../../../build
     # x-release-please-start-version
-    ref: 0.32.0
+    ref: 0.32.1
     # x-release-please-end
     optionalComponents:
       - metrics-server
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
index b6cce5a14..d4d54adac 100644
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@@ -14,6 +14,9 @@ Relates to #
 - [ ] New feature (non-breaking change which adds functionality)
 - [ ] Other (security config, docs update, etc)
+## Steps to Validate
+- If this PR introduces new functionality to UDS Core or addresses a bug, please document the steps to test the changes.
+
 ## Checklist before merging
 - [ ] Test, docs, adr added or updated as needed
diff --git a/.github/test-infra/aws/rke2/versions.tf b/.github/test-infra/aws/rke2/versions.tf
index 1855baec6..d636446e6 100644
--- a/.github/test-infra/aws/rke2/versions.tf
+++ b/.github/test-infra/aws/rke2/versions.tf
@@ -6,7 +6,7 @@ terraform {
   }
   required_providers {
     aws = {
-      version = "~> 5.78.0"
+      version = "~> 5.80.0"
     }
     random = {
       version = "~> 3.6.0"
diff --git a/.github/workflows/scorecard.yaml b/.github/workflows/scorecard.yaml
index 386d7aa87..6ca54bce6 100644
--- a/.github/workflows/scorecard.yaml
+++ b/.github/workflows/scorecard.yaml
@@ -47,6 +47,6 @@ jobs:
       # Upload the results to GitHub's code scanning dashboard.
       - name: Upload to code-scanning
-        uses: github/codeql-action/upload-sarif@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # v3.27.5
+        uses: github/codeql-action/upload-sarif@aa578102511db1f4524ed59b8cc2bae4f6e88195 # v3.27.6
         with:
           sarif_file: results.sarif
diff --git a/.release-please-manifest.json b/.release-please-manifest.json
index a05e40dab..fbe8089b4 100644
--- a/.release-please-manifest.json
+++ b/.release-please-manifest.json
@@ -1,3 +1,3 @@
 {
-  ".": "0.32.0"
+  ".": "0.32.1"
 }
diff --git a/.vscode/settings.json b/.vscode/settings.json
index 19fe09b5b..cc57ac8b4 100644
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -9,17 +9,17 @@
   },
   "yaml.schemas": {
     // renovate: datasource=github-tags depName=defenseunicorns/uds-cli versioning=semver
-    "https://raw.githubusercontent.com/defenseunicorns/uds-cli/v0.19.0/uds.schema.json": [
+    "https://raw.githubusercontent.com/defenseunicorns/uds-cli/v0.19.2/uds.schema.json": [
       "uds-bundle.yaml"
     ],
     // renovate: datasource=github-tags depName=defenseunicorns/uds-cli versioning=semver
-    "https://raw.githubusercontent.com/defenseunicorns/uds-cli/v0.19.0/tasks.schema.json": [
+    "https://raw.githubusercontent.com/defenseunicorns/uds-cli/v0.19.2/tasks.schema.json": [
       "tasks.yaml",
       "tasks/**/*.yaml",
       "src/**/validate.yaml"
     ],
     // renovate: datasource=github-tags depName=defenseunicorns/uds-cli versioning=semver
-    "https://raw.githubusercontent.com/defenseunicorns/uds-cli/v0.19.0/zarf.schema.json": [
+    "https://raw.githubusercontent.com/defenseunicorns/uds-cli/v0.19.2/zarf.schema.json": [
       "zarf.yaml"
     ]
   },
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 052864a5e..4194d9c54 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,41 @@
 All notable changes to this project will be documented in this file.
+## [0.32.1](https://github.com/defenseunicorns/uds-core/compare/v0.32.0...v0.32.1) (2024-12-05)
+
+
+### Bug Fixes
+
+* change grafana -> prometheus to https ([#1043](https://github.com/defenseunicorns/uds-core/issues/1043)) ([6ef3169](https://github.com/defenseunicorns/uds-core/commit/6ef3169de2c337cbc3ce47b0dbca0dfbcead3143))
+* client timeouts ([#1062](https://github.com/defenseunicorns/uds-core/issues/1062)) ([e71c1da](https://github.com/defenseunicorns/uds-core/commit/e71c1da724c1f590405200edb60fd90bb1df89bb))
+* kubeapi watch updates, allow configurable cidr ([#1075](https://github.com/defenseunicorns/uds-core/issues/1075)) ([3285908](https://github.com/defenseunicorns/uds-core/commit/3285908d8e74b29d3a8a37b84833381eb02616db))
+* update nightly ci timeouts ([#1058](https://github.com/defenseunicorns/uds-core/issues/1058)) ([2b1a440](https://github.com/defenseunicorns/uds-core/commit/2b1a44080f5310be285d5a0ffe6d049eea2b4886))
+* value paths for cpu override ([#1055](https://github.com/defenseunicorns/uds-core/issues/1055)) ([5a21c28](https://github.com/defenseunicorns/uds-core/commit/5a21c2894cd86dfea8d5c02c4f7ac85ebf2dc269))
+
+
+### Miscellaneous
+
+* cleanup doc ([#1078](https://github.com/defenseunicorns/uds-core/issues/1078)) ([286feb4](https://github.com/defenseunicorns/uds-core/commit/286feb44abacf04b0d92c8db598d9e4f39700f41))
+* **deps:** update aws provider to ~> 5.77.0 ([#1036](https://github.com/defenseunicorns/uds-core/issues/1036)) ([84fa893](https://github.com/defenseunicorns/uds-core/commit/84fa893a5420f4cc0b9eedf706935946b1506e04))
+* **deps:** update grafana to v8.6.1 ([#1040](https://github.com/defenseunicorns/uds-core/issues/1040)) ([1454397](https://github.com/defenseunicorns/uds-core/commit/1454397f1a44361032680a3b2c9d739b46a5e5c1))
+* **deps:** update keycloak to v26.0.6 ([#1041](https://github.com/defenseunicorns/uds-core/issues/1041)) ([582db22](https://github.com/defenseunicorns/uds-core/commit/582db22e5ac759fa6bc823849f35a736b803da8f))
+* **deps:** update keycloak to v26.0.7 ([#1057](https://github.com/defenseunicorns/uds-core/issues/1057)) ([ef96ef0](https://github.com/defenseunicorns/uds-core/commit/ef96ef056ec5ccb3ca6956bc687dd8cebe31dbc8))
+* **deps:** update neuvector to 5.4.1 ([#1039](https://github.com/defenseunicorns/uds-core/issues/1039)) ([8727675](https://github.com/defenseunicorns/uds-core/commit/8727675d8137b5e84c4337bd7f794633a397ab47))
+* **deps:** update node types to v22.9.3 ([#1049](https://github.com/defenseunicorns/uds-core/issues/1049)) ([e454222](https://github.com/defenseunicorns/uds-core/commit/e454222f1b994f99134f510c325369715964651d))
+* **deps:** update node types to v22.9.4 ([#1051](https://github.com/defenseunicorns/uds-core/issues/1051)) ([0f0240a](https://github.com/defenseunicorns/uds-core/commit/0f0240a5d6b57ba83379ad9525956355b39bb69f))
+* **deps:** update support dependencies to v0.196.0 ([#1054](https://github.com/defenseunicorns/uds-core/issues/1054)) ([67419f5](https://github.com/defenseunicorns/uds-core/commit/67419f536f957f39c99c1f7b6c6131f0c2c50e84))
+* **deps:** update support-deps ([#1046](https://github.com/defenseunicorns/uds-core/issues/1046)) ([6cf96f0](https://github.com/defenseunicorns/uds-core/commit/6cf96f052e038cb3397ce166c142bb88b981caaf))
+* **deps:** update support-deps ([#1048](https://github.com/defenseunicorns/uds-core/issues/1048)) ([d77155f](https://github.com/defenseunicorns/uds-core/commit/d77155ff7e91e11cb5f1c02cb75fcd514d60bb5f))
+* **deps:** update support-deps ([#1052](https://github.com/defenseunicorns/uds-core/issues/1052)) ([e1cf7db](https://github.com/defenseunicorns/uds-core/commit/e1cf7db82ddaa4c0fced55e8b39f0567696933c2))
+* **deps:** update support-deps ([#1056](https://github.com/defenseunicorns/uds-core/issues/1056)) ([abab719](https://github.com/defenseunicorns/uds-core/commit/abab71919c6c268c59426a6ccca92622f80c2d6f))
+* **deps:** update vector helm chart to v0.38.0 ([#1092](https://github.com/defenseunicorns/uds-core/issues/1092)) ([2cb4181](https://github.com/defenseunicorns/uds-core/commit/2cb41812cdf6482fdb053aff2c617f21a3d389b2))
+* **deps:** update vector to v0.43.0 ([#1059](https://github.com/defenseunicorns/uds-core/issues/1059)) ([55bf0b3](https://github.com/defenseunicorns/uds-core/commit/55bf0b3a05046c4cc72d55a62bdd9140f2205aa2))
+* **deps:** update velero chart to v8.1.0 ([#1050](https://github.com/defenseunicorns/uds-core/issues/1050)) ([7b0d51b](https://github.com/defenseunicorns/uds-core/commit/7b0d51b2e73ce7a30397c3942fcc4de3177d81ac))
+* **deps:** update velero kubectl images to v1.31.3 ([#1034](https://github.com/defenseunicorns/uds-core/issues/1034)) ([9bf286f](https://github.com/defenseunicorns/uds-core/commit/9bf286fe5afa6c6ef79995a6ef99ed9e66d2adeb))
+* fix checkpoint to properly publish uds-core ([#1044](https://github.com/defenseunicorns/uds-core/issues/1044)) ([f1c54cf](https://github.com/defenseunicorns/uds-core/commit/f1c54cf17372eee1b74c96e5a2c73a6a5f8ebea7))
+* reduce default cpu requests for dev/demo bundles ([#1047](https://github.com/defenseunicorns/uds-core/issues/1047)) ([e0bde2f](https://github.com/defenseunicorns/uds-core/commit/e0bde2f4e988377b61d70b112c1f7d6a4b8abdc8))
+* update cli install to use setup-uds action ([#1061](https://github.com/defenseunicorns/uds-core/issues/1061)) ([daebe9b](https://github.com/defenseunicorns/uds-core/commit/daebe9b6813212c090622f78be85607fab6f6dc6))
+
 ## [0.32.0](https://github.com/defenseunicorns/uds-core/compare/v0.31.2...v0.32.0) (2024-11-22)
diff --git a/README.md b/README.md
index cb19d405f..0651d6808 100644
--- a/README.md
+++ b/README.md
@@ -59,7 +59,7 @@ If you want to try out UDS Core, you can use the [k3d-core-demo bundle](./bundle
 ```bash
-uds deploy k3d-core-demo:0.32.0
+uds deploy k3d-core-demo:0.32.1
 ```
@@ -73,7 +73,7 @@ Deploy Istio, Keycloak and Pepr:
 ```bash
-uds deploy k3d-core-slim-dev:0.32.0
+uds deploy k3d-core-slim-dev:0.32.1
 ```
diff --git a/bundles/k3d-slim-dev/uds-bundle.yaml b/bundles/k3d-slim-dev/uds-bundle.yaml
index 55f4d5c72..671a4aef5 100644
--- a/bundles/k3d-slim-dev/uds-bundle.yaml
+++ b/bundles/k3d-slim-dev/uds-bundle.yaml
@@ -6,7 +6,7 @@ metadata:
   name: k3d-core-slim-dev
   description: A UDS bundle for deploying Istio from UDS Core on a development cluster
   # x-release-please-start-version
-  version: "0.32.0"
+  version: "0.32.1"
   # x-release-please-end
 packages:
@@ -32,12 +32,12 @@ packages:
   - name: init
     repository: ghcr.io/zarf-dev/packages/init
-    ref: v0.43.1
+    ref: v0.44.0
   - name: core-base
     path: ../../build/
     # x-release-please-start-version
-    ref: 0.32.0
+    ref: 0.32.1
     # x-release-please-end
     overrides:
       pepr-uds-core:
@@ -92,7 +92,7 @@ packages:
   - name: core-identity-authorization
     path: ../../build/
     # x-release-please-start-version
-    ref: 0.32.0
+    ref: 0.32.1
     # x-release-please-end
     overrides:
       keycloak:
diff --git a/bundles/k3d-standard/uds-bundle.yaml b/bundles/k3d-standard/uds-bundle.yaml
index 163f5f0f4..4cfb9f09b 100644
--- a/bundles/k3d-standard/uds-bundle.yaml
+++ b/bundles/k3d-standard/uds-bundle.yaml
@@ -6,7 +6,7 @@ metadata:
   name: k3d-core-demo
   description: A UDS bundle for deploying the standard UDS Core package on a development cluster
   # x-release-please-start-version
-  version: "0.32.0"
+  version: "0.32.1"
   # x-release-please-end
 packages:
@@ -32,12 +32,12 @@ packages:
   - name: init
     repository: ghcr.io/zarf-dev/packages/init
-    ref: v0.43.1
+    ref: v0.44.0
   - name: core
     path: ../../build/
     # x-release-please-start-version
-    ref: 0.32.0
+    ref: 0.32.1
     # x-release-please-end
     optionalComponents:
       - istio-passthrough-gateway
diff --git a/docs/reference/UDS Core/prerequisites.md b/docs/reference/UDS Core/prerequisites.md
index 14d8b7fcf..34c1043e9 100644
--- a/docs/reference/UDS Core/prerequisites.md
+++ b/docs/reference/UDS Core/prerequisites.md
@@ -70,9 +70,10 @@ In addition, to run Istio ingress gateways (part of Core) you will need to ensur
 NeuVector historically has functioned best when the host is using cgroup v2. Cgroup v2 is enabled by default on many modern Linux distributions, but you may need to enable it depending on your operating system. Enabling this tends to be OS specific, so you will need to evaluate this for your specific hosts.
-#### Promtail
-In order to ensure that Promtail is able to scrape the necessary logs concurrently you may need to adjust some kernel parameters for your hosts. The below is a script that can be used to adjust these parameters to suitable values and ensure they are persisted across reboots. Ideally this script is used as part of an image build or cloud-init process on each node.
+#### Vector
+
+In order to ensure that Vector is able to scrape the necessary logs concurrently you may need to adjust some kernel parameters for your hosts. The below is a script that can be used to adjust these parameters to suitable values and ensure they are persisted across reboots. Ideally this script is used as part of an image build or cloud-init process on each node.
 ```console
 declare -A sysctl_settings
diff --git a/docs/reference/configuration/ingress.md b/docs/reference/configuration/ingress.md
index ef52bc6d1..416469356 100644
--- a/docs/reference/configuration/ingress.md
+++ b/docs/reference/configuration/ingress.md
@@ -99,3 +99,32 @@ variables:
 :::note
 If you are using Private PKI or self-signed certificates for your tenant certificates it is necessary to additionally configure `UDS_CA_CERT` with additional [trusted certificate authorities](https://uds.defenseunicorns.com/reference/configuration/uds-operator/#trusted-certificate-authority).
 :::
+
+#### Configuring TLS from a Secret
+
+As an alternative to specifying individual certificate, key, and CA certificate values, you can set `tls.credentialName` in the gateway configuration. This field specifies the name of a Kubernetes secret containing the TLS certificate, key, and optional CA certificate for the gateway. When `tls.credentialName` is set, it will override `tls.cert`, `tls.key`, and `tls.cacert` values, simplifying the configuration by allowing a direct reference to a Kubernetes TLS secret. This secret should be placed in the same namespace as the gateway resource. See [Gateway ServerTLSSettings](https://istio.io/latest/docs/reference/config/networking/gateway/#ServerTLSSettings) for all required and available secret keys.
+
+This approach is useful if you already have a Kubernetes secret that holds the necessary TLS data and want to use it directly.
+
+```yaml
+kind: UDSBundle
+metadata:
+  name: core-with-credentialName
+  description: A UDS example bundle for packaging UDS core with a custom TLS credentialName
+  version: "0.0.1"
+
+packages:
+  - name: core
+    repository: oci://ghcr.io/defenseunicorns/packages/uds/core
+    ref: 0.23.0-upstream
+    overrides:
+      istio-admin-gateway:
+        uds-istio-config:
+          values:
+            - path: tls.credentialName
+              value: admin-gateway-tls-secret # Reference to the Kubernetes secret for the admin gateway's TLS certificate
+      istio-tenant-gateway:
+        uds-istio-config:
+          values:
+            - path: tls.credentialName
+              value: tenant-gateway-tls-secret # Reference to the Kubernetes secret for the tenant gateway's TLS certificate
diff --git a/docs/reference/configuration/pepr-policies.md b/docs/reference/configuration/pepr-policies.md
index 57a6d5ec7..8e58720e6 100644
--- a/docs/reference/configuration/pepr-policies.md
+++ b/docs/reference/configuration/pepr-policies.md
@@ -4,7 +4,7 @@ title: Pepr Policies
 ## Common Pepr Policies for UDS Core
-### Pepr Policy Exemptions {#pepr-policy-exemptions}
+### Pepr Policy Exemptions
 These policies are based on the [Big Bang](https://p1.dso.mil/services/big-bang) policies created with Kyverno. You can find the source policies [here](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies), Policy Names below also have links to the referenced Big Bang policy. Exemptions can be specified by a [UDS Exemption CR](../uds-operator#exemption). These take the place of Kyverno Exceptions.
diff --git a/docs/reference/configuration/uds-networking-configuration.md b/docs/reference/configuration/uds-networking-configuration.md
index 7fff7f388..f71c77e55 100644
--- a/docs/reference/configuration/uds-networking-configuration.md
+++ b/docs/reference/configuration/uds-networking-configuration.md
@@ -2,6 +2,29 @@
 title: Networking Configuration
 ---
+## KubeAPI Egress
+
+The UDS operator is responsible for dynamically updating network policies that use the `remoteGenerated: KubeAPI` custom selector, in response to changes in the Kubernetes API server’s IP address. This ensures that policies remain accurate as cluster configurations evolve. However, in environments where the API server IP(s) frequently change, this behavior can lead to unnecessary overhead or instability.
+
+To address this, the UDS operator provides an option to configure a static CIDR range. This approach eliminates the need for continuous updates by using a predefined range of IP addresses for network policies. To configure a specific CIDR range, set an override to `operator.KUBEAPI_CIDR` in your bundle as a value or variable. For example:
+
+```yaml
+packages:
+  - name: uds-core
+    repository: ghcr.io/defenseunicorns/packages/uds/core
+    ref: x.x.x
+    overrides:
+      uds-operator-config:
+        uds-operator-config:
+          values:
+            - path: operator.KUBEAPI_CIDR
+              value: "172.0.0.0/24"
+```
+
+This configuration directs the operator to use the specified CIDR range (`172.0.0.0/24` in this case) for KubeAPI network policies instead of dynamically tracking the API server’s IP(s).
+
+When configuring a static CIDR range, it is important to make the range as restrictive as possible to limit the potential for unexpected networking access. An overly broad range could inadvertently allow egress traffic to destinations beyond the intended scope. Additionally, careful alignment with the actual IP addresses used by the Kubernetes API server is essential. A mismatch between the specified CIDR range and the cluster's configuration can result in network policy enforcement issues or disrupted connectivity.
+ ## Additional Network Allowances Applications deployed in UDS Core utilize [Network Policies](https://kubernetes.io/docs/concepts/services-networking/network-policies/) with a "Deny by Default" configuration to ensure network traffic is restricted to only what is necessary. Some applications in UDS Core allow for overrides to accommodate environment-specific requirements. diff --git a/docs/reference/configuration/uds-operator.md b/docs/reference/configuration/uds-operator.md index 96a49de6c..15766e091 100644 --- a/docs/reference/configuration/uds-operator.md +++ b/docs/reference/configuration/uds-operator.md @@ -254,6 +254,8 @@ The SSO spec supports a subset of the Keycloak attributes for clients, but does - oauth2.device.authorization.grant.enabled - pkce.code.challenge.method - client.session.idle.timeout +- client.session.max.lifespan +- access.token.lifespan - saml.assertion.signature - saml.client.signature - saml_assertion_consumer_url_post diff --git a/package-lock.json b/package-lock.json index c8f28d55f..ae6b3ebe4 100644 --- a/package-lock.json +++ b/package-lock.json @@ -8,13 +8,13 @@ "name": "uds-core", "version": "0.5.0", "dependencies": { - "pepr": "0.40.1" + "pepr": "0.42.0" }, "devDependencies": { "@jest/globals": "29.7.0", "husky": "9.1.7", "jest": "29.7.0", - "lint-staged": "15.2.10", + "lint-staged": "15.2.11", "ts-jest": "29.2.5" }, "engines": { @@ -2814,9 +2814,10 @@ } }, "node_modules/debug": { - "version": "4.3.7", - "resolved": "https://registry.npmjs.org/debug/-/debug-4.3.7.tgz", - "integrity": "sha512-Er2nc/H7RrMXZBFCEim6TCmMk02Z8vLC2Rbi1KEBggpo0fS6l0S1nnapwmIi3yW/+GOJap1Krg4w0Hg80oCqgQ==", + "version": "4.4.0", + "resolved": "https://registry.npmjs.org/debug/-/debug-4.4.0.tgz", + "integrity": "sha512-6WTZ/IxCY/T6BALoZHaE4ctp9xm+Z5kY/pzYaCHRFeyVhojxlrm+46y68HA6hr0TcwEssoxNiDEUJQjfPZ/RYA==", + "license": "MIT", "dependencies": { "ms": "^2.1.3" }, 
@@ -3398,9 +3399,9 @@ } }, "node_modules/express": { - "version": "4.21.1", - "resolved": "https://registry.npmjs.org/express/-/express-4.21.1.tgz", - "integrity": "sha512-YSFlK1Ee0/GC8QaO91tHcDxJiE/X4FbpAyQWkxAvG6AXCuR65YzK8ua6D9hvi/TzUfZMpc+BwuM1IPw8fmQBiQ==", + "version": "4.21.2", + "resolved": "https://registry.npmjs.org/express/-/express-4.21.2.tgz", + "integrity": "sha512-28HqgMZAmih1Czt9ny7qr6ek2qddF4FclbMzwhCREB6OFfH+rXAnuNCwo1/wFvrtbgsQDb4kSbX9de9lFbrXnA==", "license": "MIT", "dependencies": { "accepts": "~1.3.8", @@ -3422,7 +3423,7 @@ "methods": "~1.1.2", "on-finished": "2.4.1", "parseurl": "~1.3.3", - "path-to-regexp": "0.1.10", + "path-to-regexp": "0.1.12", "proxy-addr": "~2.0.7", "qs": "6.13.0", "range-parser": "~1.2.1", @@ -3437,6 +3438,10 @@ }, "engines": { "node": ">= 0.10.0" + }, + "funding": { + "type": "opencollective", + "url": "https://opencollective.com/express" } }, "node_modules/express/node_modules/debug": { @@ -5140,9 +5145,9 @@ } }, "node_modules/kubernetes-fluent-client": { - "version": "3.3.4", - "resolved": "https://registry.npmjs.org/kubernetes-fluent-client/-/kubernetes-fluent-client-3.3.4.tgz", - "integrity": "sha512-PQc6ZfdkTXVIoIXxN9Gkh8lpyDfw0CjecYrLzR5atinhnaWXD9FKZaay87XsKR2tdyryEVJHv1MsQtgCXaxMtA==", + "version": "3.3.7", + "resolved": "https://registry.npmjs.org/kubernetes-fluent-client/-/kubernetes-fluent-client-3.3.7.tgz", + "integrity": "sha512-KBgt2tQ76CfrDd8aig1xrCIcazztARdTYsqHH1//DctbUEB++2yz+KYR9CYBisSySDS625e86MVfxIB63R77hw==", "license": "Apache-2.0", "dependencies": { "@kubernetes/client-node": "1.0.0-rc7", @@ -5150,8 +5155,8 @@ "http-status-codes": "2.3.0", "node-fetch": "2.7.0", "quicktype-core": "23.0.170", - "type-fest": "4.27.0", - "undici": "6.21.0", + "type-fest": "4.30.0", + "undici": "7.1.0", "yargs": "17.7.2" }, "bin": { 
@@ -5162,9 +5167,9 @@ } }, "node_modules/kubernetes-fluent-client/node_modules/type-fest": { - "version": "4.27.0", - "resolved": "https://registry.npmjs.org/type-fest/-/type-fest-4.27.0.tgz", - "integrity": "sha512-3IMSWgP7C5KSQqmo1wjhKrwsvXAtF33jO3QY+Uy++ia7hqvgSK6iXbbg5PbDBc1P2ZbNEDgejOrN4YooXvhwCw==", + "version": "4.30.0", + "resolved": "https://registry.npmjs.org/type-fest/-/type-fest-4.30.0.tgz", + "integrity": "sha512-G6zXWS1dLj6eagy6sVhOMQiLtJdxQBHIA9Z6HFUNLOlr6MFOgzV8wvmidtPONfPtEUv0uZsy77XJNzTAfwPDaA==", "license": "(MIT OR CC0-1.0)", "engines": { "node": ">=16" @@ -5196,10 +5201,11 @@ } }, "node_modules/lilconfig": { - "version": "3.1.2", - "resolved": "https://registry.npmjs.org/lilconfig/-/lilconfig-3.1.2.tgz", - "integrity": "sha512-eop+wDAvpItUys0FWkHIKeC9ybYrTGbU41U5K7+bttZZeohvnY7M9dZ5kB21GNWiFT2q1OoPTvncPCgSOVO5ow==", + "version": "3.1.3", + "resolved": "https://registry.npmjs.org/lilconfig/-/lilconfig-3.1.3.tgz", + "integrity": "sha512-/vlFKAoH5Cgt3Ie+JLhRbwOsCQePABiU3tJ1egGvyQ+33R/vcwM2Zl2QR/LzjsBeItPt3oSVXapn+m4nQDvpzw==", "dev": true, + "license": "MIT", "engines": { "node": ">=14" }, 
@@ -5214,21 +5220,22 @@ "dev": true }, "node_modules/lint-staged": { - "version": "15.2.10", - "resolved": "https://registry.npmjs.org/lint-staged/-/lint-staged-15.2.10.tgz", - "integrity": "sha512-5dY5t743e1byO19P9I4b3x8HJwalIznL5E1FWYnU6OWw33KxNBSLAc6Cy7F2PsFEO8FKnLwjwm5hx7aMF0jzZg==", + "version": "15.2.11", + "resolved": "https://registry.npmjs.org/lint-staged/-/lint-staged-15.2.11.tgz", + "integrity": "sha512-Ev6ivCTYRTGs9ychvpVw35m/bcNDuBN+mnTeObCL5h+boS5WzBEC6LHI4I9F/++sZm1m+J2LEiy0gxL/R9TBqQ==", "dev": true, + "license": "MIT", "dependencies": { "chalk": "~5.3.0", "commander": "~12.1.0", - "debug": "~4.3.6", + "debug": "~4.4.0", "execa": "~8.0.1", - "lilconfig": "~3.1.2", - "listr2": "~8.2.4", + "lilconfig": "~3.1.3", + "listr2": "~8.2.5", "micromatch": "~4.0.8", "pidtree": "~0.6.0", "string-argv": "~0.3.2", - "yaml": "~2.5.0" + "yaml": "~2.6.1" }, "bin": { "lint-staged": "bin/lint-staged.js" @@ -5245,6 +5252,7 @@ "resolved": "https://registry.npmjs.org/chalk/-/chalk-5.3.0.tgz", "integrity": "sha512-dLitG79d+GV1Nb/VYcCDFivJeK1hiukt9QjRNVOsUtTy1rR1YJsmpGGTZ3qJos+uw7WmWF4wUwBd9jxjocFC2w==", "dev": true, + "license": "MIT", "engines": { "node": "^12.17.0 || ^14.13 || >=16.0.0" }, @@ -5257,6 +5265,7 @@ "resolved": "https://registry.npmjs.org/execa/-/execa-8.0.1.tgz", "integrity": "sha512-VyhnebXciFV2DESc+p6B+y0LjSm0krU4OgJN44qFAhBY0TJ+1V61tYD2+wHusZ6F9n5K+vl8k0sTy7PEfV4qpg==", "dev": true, + "license": "MIT", "dependencies": { "cross-spawn": "^7.0.3", "get-stream": "^8.0.1", @@ -5280,6 +5289,7 @@ "resolved": "https://registry.npmjs.org/get-stream/-/get-stream-8.0.1.tgz", "integrity": "sha512-VaUJspBffn/LMCJVoMvSAdmscJyS1auj5Zulnn5UoYcY531UWmdwhRWkcGKnGU93m5HSXP9LP2usOryrBtQowA==", "dev": true, + "license": "MIT", "engines": { "node": ">=16" }, 
@@ -5292,6 +5302,7 @@ "resolved": "https://registry.npmjs.org/human-signals/-/human-signals-5.0.0.tgz", "integrity": "sha512-AXcZb6vzzrFAUE61HnN4mpLqd/cSIwNQjtNWR0euPm6y0iqx3G4gOXaIDdtdDwZmhwe82LA6+zinmW4UBWVePQ==", "dev": true, + "license": "Apache-2.0", "engines": { "node": ">=16.17.0" } @@ -5301,6 +5312,7 @@ "resolved": "https://registry.npmjs.org/is-stream/-/is-stream-3.0.0.tgz", "integrity": "sha512-LnQR4bZ9IADDRSkvpqMGvt/tEJWclzklNgSw48V5EAaAeDd6qGvN8ei6k5p0tvxSR171VmGyHuTiAOfxAbr8kA==", "dev": true, + "license": "MIT", "engines": { "node": "^12.20.0 || ^14.13.1 || >=16.0.0" }, @@ -5313,6 +5325,7 @@ "resolved": "https://registry.npmjs.org/mimic-fn/-/mimic-fn-4.0.0.tgz", "integrity": "sha512-vqiC06CuhBTUdZH+RYl8sFrL096vA45Ok5ISO6sE/Mr1jRbGH4Csnhi8f3wKVl7x8mO4Au7Ir9D3Oyv1VYMFJw==", "dev": true, + "license": "MIT", "engines": { "node": ">=12" }, @@ -5325,6 +5338,7 @@ "resolved": "https://registry.npmjs.org/npm-run-path/-/npm-run-path-5.3.0.tgz", "integrity": "sha512-ppwTtiJZq0O/ai0z7yfudtBpWIoxM8yE6nHi1X47eFR2EWORqfbu6CnPlNsjeN683eT0qG6H/Pyf9fCcvjnnnQ==", "dev": true, + "license": "MIT", "dependencies": { "path-key": "^4.0.0" }, @@ -5340,6 +5354,7 @@ "resolved": "https://registry.npmjs.org/onetime/-/onetime-6.0.0.tgz", "integrity": "sha512-1FlR+gjXK7X+AsAHso35MnyN5KqGwJRi/31ft6x0M194ht7S+rWAvd7PHss9xSKMzE0asv1pyIHaJYq+BbacAQ==", "dev": true, + "license": "MIT", "dependencies": { "mimic-fn": "^4.0.0" }, @@ -5355,6 +5370,7 @@ "resolved": "https://registry.npmjs.org/path-key/-/path-key-4.0.0.tgz", "integrity": "sha512-haREypq7xkM7ErfgIyA0z+Bj4AGKlMSdlQE2jvJo6huWD1EdkKYV+G/T4nq0YEF2vgTT8kqMFKo1uHn950r4SQ==", "dev": true, + "license": "MIT", "engines": { "node": ">=12" }, @@ -5367,6 +5383,7 @@ "resolved": "https://registry.npmjs.org/signal-exit/-/signal-exit-4.1.0.tgz", "integrity": "sha512-bzyZ1e88w9O1iNJbKnOlvYTrWPDl46O1bG0D3XInv+9tkPrxrN8jUUTiFlDkkmKWgn1M6CfIA13SuGqOa9Korw==", "dev": true, + "license": "ISC", "engines": { "node": ">=14" }, 
@@ -5379,6 +5396,7 @@ "resolved": "https://registry.npmjs.org/strip-final-newline/-/strip-final-newline-3.0.0.tgz", "integrity": "sha512-dOESqjYr96iWYylGObzd39EuNTa5VJxyvVAEm5Jnh7KGo75V43Hk1odPQkNDyXNmUR6k+gEiDVXnjB8HJ3crXw==", "dev": true, + "license": "MIT", "engines": { "node": ">=12" }, @@ -6321,9 +6339,10 @@ } }, "node_modules/path-to-regexp": { - "version": "0.1.10", - "resolved": "https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-0.1.10.tgz", - "integrity": "sha512-7lf7qcQidTku0Gu3YDPc8DJ1q7OOucfa/BSsIwjuh56VU7katFvuM8hULfkwB3Fns/rsVF7PwPKVw1sl5KQS9w==" + "version": "0.1.12", + "resolved": "https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-0.1.12.tgz", + "integrity": "sha512-RA1GjUVMnvYFxuqovrEqZoxxW5NUZqbwKtYz/Tt7nXerk0LbLblQmrsgdeOxV5SFHf0UDggjS/bSeOZwt1pmEQ==", + "license": "MIT" }, "node_modules/path-type": { "version": "4.0.0", @@ -6335,18 +6354,18 @@ } }, "node_modules/pepr": { - "version": "0.40.1", - "resolved": "https://registry.npmjs.org/pepr/-/pepr-0.40.1.tgz", - "integrity": "sha512-Z+wXRYG64YUg3IhYGAOyrWdw5R8HD3/jtTYmVFtUN2x2isiB/X411DO6hd4TginxZvTnlfLyG6KBc8u6UScbbg==", + "version": "0.42.0", + "resolved": "https://registry.npmjs.org/pepr/-/pepr-0.42.0.tgz", + "integrity": "sha512-8SCXAmeTxQUM7Rzkcj46STHvUL7IzuuL9P+zZKP6v7nVYtFGVRnxx8Y7Eftt+N+I6ICjnHCzb190dHvtGm74bw==", "license": "Apache-2.0", "dependencies": { "@types/ramda": "0.30.2", - "express": "4.21.1", + "express": "4.21.2", "fast-json-patch": "3.1.1", "follow-redirects": "1.15.9", "http-status-codes": "^2.3.0", "json-pointer": "^0.6.2", - "kubernetes-fluent-client": "3.3.4", + "kubernetes-fluent-client": "3.3.7", "pino": "9.5.0", "pino-pretty": "13.0.0", "prom-client": "15.1.3", 
@@ -7860,12 +7879,12 @@ } }, "node_modules/undici": { - "version": "6.21.0", - "resolved": "https://registry.npmjs.org/undici/-/undici-6.21.0.tgz", - "integrity": "sha512-BUgJXc752Kou3oOIuU1i+yZZypyZRqNPW0vqoMPl8VaoalSfeR0D8/t4iAS3yirs79SSMTxTag+ZC86uswv+Cw==", + "version": "7.1.0", + "resolved": "https://registry.npmjs.org/undici/-/undici-7.1.0.tgz", + "integrity": "sha512-3+mdX2R31khuLCm2mKExSlMdJsfol7bJkIMH80tdXA74W34rT1jKemUTlYR7WY3TqsV4wfOgpatWmmB2Jl1+5g==", "license": "MIT", "engines": { - "node": ">=18.17" + "node": ">=20.18.1" } }, "node_modules/undici-types": { @@ -8233,9 +8252,10 @@ "dev": true }, "node_modules/yaml": { - "version": "2.5.1", - "resolved": "https://registry.npmjs.org/yaml/-/yaml-2.5.1.tgz", - "integrity": "sha512-bLQOjaX/ADgQ20isPJRvF0iRUHIxVhYvr53Of7wGcWlO2jvtUlH5m87DsmulFVxRpNLOnI4tB6p/oh8D7kpn9Q==", + "version": "2.6.1", + "resolved": "https://registry.npmjs.org/yaml/-/yaml-2.6.1.tgz", + "integrity": "sha512-7r0XPzioN/Q9kXBro/XPnA6kznR73DHq+GXh5ON7ZozRO6aMjbmiBuKste2wslTFkC5d1dw0GooOCepZXJ2SAg==", + "license": "ISC", "bin": { "yaml": "bin.mjs" }, diff --git a/package.json b/package.json index 91228a39e..5e6bc9470 100644 --- a/package.json +++ b/package.json @@ -29,13 +29,13 @@ "k3d-setup": "k3d cluster delete pepr-dev && k3d cluster create pepr-dev --k3s-arg '--debug@server:0'" }, "dependencies": { - "pepr": "0.40.1" + "pepr": "0.42.0" }, "devDependencies": { "@jest/globals": "29.7.0", "husky": "9.1.7", "jest": "29.7.0", - "lint-staged": "15.2.10", + "lint-staged": "15.2.11", "ts-jest": "29.2.5" }, "jest": { diff --git a/packages/backup-restore/zarf.yaml b/packages/backup-restore/zarf.yaml index ee155cf78..add61a101 100644 --- a/packages/backup-restore/zarf.yaml +++ b/packages/backup-restore/zarf.yaml @@ -7,7 +7,7 @@ metadata: description: "UDS Core (Backup and Restore)" authors: "Defense Unicorns - Product" # x-release-please-start-version - version: "0.32.0" + version: "0.32.1" # x-release-please-end x-uds-dependencies: ["base"] 
diff --git a/packages/base/zarf.yaml b/packages/base/zarf.yaml
index e237f114b..22142f514 100644
--- a/packages/base/zarf.yaml
+++ b/packages/base/zarf.yaml
@@ -7,7 +7,7 @@ metadata:
 description: "UDS Core (Base)"
 authors: "Defense Unicorns - Product"
 # x-release-please-start-version
- version: "0.32.0"
+ version: "0.32.1"
 # x-release-please-end
 x-uds-dependencies: []
diff --git a/packages/checkpoint-dev/zarf.yaml b/packages/checkpoint-dev/zarf.yaml
index 820a47b87..366b175f0 100644
--- a/packages/checkpoint-dev/zarf.yaml
+++ b/packages/checkpoint-dev/zarf.yaml
@@ -7,7 +7,7 @@ metadata:
 description: "Rehydratable UDS K3d + UDS Core Slim (Istio, UDS Operator and Keycloak) Checkpoint"
 authors: "Defense Unicorns - Product"
 # x-release-please-start-version
- version: "0.32.0"
+ version: "0.32.1"
 # x-release-please-end
 variables:
diff --git a/packages/identity-authorization/zarf.yaml b/packages/identity-authorization/zarf.yaml
index 512bae8ed..c52e4e4c1 100644
--- a/packages/identity-authorization/zarf.yaml
+++ b/packages/identity-authorization/zarf.yaml
@@ -7,7 +7,7 @@ metadata:
 description: "UDS Core (Identity & Authorization)"
 authors: "Defense Unicorns - Product"
 # x-release-please-start-version
- version: "0.32.0"
+ version: "0.32.1"
 # x-release-please-end
 x-uds-dependencies: ["base"]
diff --git a/packages/logging/zarf.yaml b/packages/logging/zarf.yaml
index d6ae920aa..c9393091a 100644
--- a/packages/logging/zarf.yaml
+++ b/packages/logging/zarf.yaml
@@ -7,7 +7,7 @@ metadata:
 description: "UDS Core (Logging)"
 authors: "Defense Unicorns - Product"
 # x-release-please-start-version
- version: "0.32.0"
+ version: "0.32.1"
 # x-release-please-end
 x-uds-dependencies: ["base"]
diff --git a/packages/metrics-server/zarf.yaml b/packages/metrics-server/zarf.yaml
index cfc84468c..9aa9e7327 100644
--- a/packages/metrics-server/zarf.yaml
+++ b/packages/metrics-server/zarf.yaml
@@ -7,7 +7,7 @@ metadata:
 description: "UDS Core (Metrics Server)"
 authors: "Defense Unicorns - Product"
 # x-release-please-start-version
- version: "0.32.0"
+ version: "0.32.1"
 # x-release-please-end
 x-uds-dependencies: ["base"]
diff --git a/packages/monitoring/zarf.yaml b/packages/monitoring/zarf.yaml
index 253d73502..aac2acdf1 100644
--- a/packages/monitoring/zarf.yaml
+++ b/packages/monitoring/zarf.yaml
@@ -7,7 +7,7 @@ metadata:
 description: "UDS Core Monitoring (Prometheus and Grafana)"
 authors: "Defense Unicorns - Product"
 # x-release-please-start-version
- version: "0.32.0"
+ version: "0.32.1"
 # x-release-please-end
 x-uds-dependencies: ["base", "identity-authorization"]
diff --git a/packages/runtime-security/zarf.yaml b/packages/runtime-security/zarf.yaml
index e05934a69..c2962ecde 100644
--- a/packages/runtime-security/zarf.yaml
+++ b/packages/runtime-security/zarf.yaml
@@ -7,7 +7,7 @@ metadata:
 description: "UDS Core (Runtime Security)"
 authors: "Defense Unicorns - Product"
 # x-release-please-start-version
- version: "0.32.0"
+ version: "0.32.1"
 # x-release-please-end
 x-uds-dependencies: ["base", "identity-authorization"]
diff --git a/packages/standard/zarf.yaml b/packages/standard/zarf.yaml
index 6cfa5ecdd..370ca54b6 100644
--- a/packages/standard/zarf.yaml
+++ b/packages/standard/zarf.yaml
@@ -7,7 +7,7 @@ metadata:
 description: "UDS Core"
 authors: "Defense Unicorns - Product"
 # x-release-please-start-version
- version: "0.32.0"
+ version: "0.32.1"
 # x-release-please-end
 components:
diff --git a/src/grafana/tasks.yaml b/src/grafana/tasks.yaml
index 3da5cbba5..2b34e1bcf 100644
--- a/src/grafana/tasks.yaml
+++ b/src/grafana/tasks.yaml
@@ -40,7 +40,7 @@ tasks:
 - description: E2E Test for Grafana, optionally set FULL_CORE=true to test integrations with Loki
 cmd: |
 # renovate: datasource=docker depName=mcr.microsoft.com/playwright versioning=docker
- docker run --rm --ipc=host -e FULL_CORE="${FULL_CORE}" --net=host --mount type=bind,source="$(pwd)",target=/app mcr.microsoft.com/playwright:v1.49.0-noble sh -c " \
+ docker run --rm --ipc=host -e FULL_CORE="${FULL_CORE}" --net=host --mount type=bind,source="$(pwd)",target=/app mcr.microsoft.com/playwright:v1.49.1-noble sh -c " \
 cd app && \
 npm ci && \
 npx playwright test grafana.test.ts \
diff --git a/src/istio/chart/templates/gateway.yaml b/src/istio/chart/templates/gateway.yaml
index c14e81a74..3bcfdb040 100644
--- a/src/istio/chart/templates/gateway.yaml
+++ b/src/istio/chart/templates/gateway.yaml
@@ -34,7 +34,7 @@ spec:
 tls:
 mode: {{ $server.mode }}
 {{- if ne $server.mode "PASSTHROUGH" }}
- credentialName: gateway-tls
+ credentialName: {{ $.Values.tls.credentialName | default "gateway-tls" | quote }}
 # if supportTLSV1_2 is both defined and true, use TLSV1_2, otherwise use TLSV1_3
 minProtocolVersion: {{ if $.Values.tls.supportTLSV1_2 }}TLSV1_2{{ else }}TLSV1_3{{ end }}
 {{- end }}
diff --git a/src/istio/chart/templates/tls-cert.yaml b/src/istio/chart/templates/tls-cert.yaml
index 0fd4f0314..0c22dddee 100644
--- a/src/istio/chart/templates/tls-cert.yaml
+++ b/src/istio/chart/templates/tls-cert.yaml
@@ -2,7 +2,7 @@
 # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial
 {{- $tls := .Values.tls }}
-{{ if $tls.cert }}
+{{ if and $tls.cert (not $tls.credentialName) }}
 apiVersion: v1
 kind: Secret
 metadata:
diff --git a/src/istio/chart/values.yaml b/src/istio/chart/values.yaml
index a399181c4..bf23ff6ff 100644
--- a/src/istio/chart/values.yaml
+++ b/src/istio/chart/values.yaml
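Review bot: The new `credentialName:` value is passed through with only `quote`, and nothing in the chart confirms that the named Secret exists in this gateway's namespace or is of type `kubernetes.io/tls`, which is what Istio expects behind a `credentialName` reference; a typo renders cleanly and only shows up later as TLS handshake failures at the gateway. Since the Secret is operator-supplied, a comment on the template line would save a debugging session, e.g. `# credentialName must name a kubernetes.io/tls Secret in this gateway's namespace; the chart does not validate its presence`. The same expectation belongs in the `credentialName: ""` comment added to values.yaml in the next file section. The enclosing `servers` range of gateway.yaml starts and ends outside the hunk.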
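Review bot: The new guard `{{ if and $tls.cert (not $tls.credentialName) }}` also suppresses the generated Secret when an operator sets `credentialName` explicitly to the default name `gateway-tls` while still supplying `cert`/`key`, a combination that rendered a Secret before this change; gateway.yaml would then reference a Secret nothing creates. If that case should keep working, treat the default name as not overridden: `{{ if and $tls.cert (or (not $tls.credentialName) (eq $tls.credentialName "gateway-tls")) }}`. If instead `credentialName` is meant to win outright, as the values.yaml comment states, a `{{- fail }}` when both are set would stop the supplied cert material from being silently ignored. The Secret body after `metadata:` continues outside the hunk.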
@@ -17,6 +17,9 @@ domain: "###ZARF_VAR_DOMAIN###"
 # # The CA certificate for the gateway when using `MUTUAL' or 'OPTIONAL_MUTUAL' (base64 encoded)
 # cacert: ""
+# # The name of the secret containing the TLS certificate to use for this gateway, this will override cert, key and cacert
+# credentialName: ""
+
 # # Map of gateway server entries
 # servers:
 # # Name of the gateway port to use for TLS, this is effectively a "list" in map form
diff --git a/src/istio/common/zarf.yaml b/src/istio/common/zarf.yaml
index 9de933358..9980e23db 100644
--- a/src/istio/common/zarf.yaml
+++ b/src/istio/common/zarf.yaml
@@ -13,11 +13,11 @@ components:
 charts:
 - name: base
 url: https://istio-release.storage.googleapis.com/charts
- version: 1.23.2
+ version: 1.24.1
 namespace: istio-system
 - name: istiod
 url: https://istio-release.storage.googleapis.com/charts
- version: 1.23.2
+ version: 1.24.1
 namespace: istio-system
 valuesFiles:
 - "../values/values.yaml"
@@ -28,14 +28,13 @@ components:
 actions:
 onDeploy:
 before:
- - description: "Fix helm ownership if necessary for clean helm upgrade"
+ - description: "Add helm ownership if necessary for clean helm upgrade"
 mute: true
 cmd: |
- ./zarf tools kubectl annotate EnvoyFilter misdirected-request -n istio-system meta.helm.sh/release-name=uds-global-istio-config --overwrite || true
- ./zarf tools kubectl annotate EnvoyFilter remove-server-header -n istio-system meta.helm.sh/release-name=uds-global-istio-config --overwrite || true
- ./zarf tools kubectl annotate PeerAuthentication default-istio-system -n istio-system meta.helm.sh/release-name=uds-global-istio-config --overwrite || true
- ./zarf tools kubectl annotate PeerAuthentication permissive-pepr-webhook -n pepr-system meta.helm.sh/release-name=uds-global-istio-config --overwrite || true
- ./zarf tools kubectl annotate PeerAuthentication permissive-pepr-webhook-watcher -n pepr-system meta.helm.sh/release-name=uds-global-istio-config --overwrite || true
+ # Commands pulled from https://istio.io/latest/news/releases/1.24.x/announcing-1.24/upgrade-notes/#istio-crds-are-templated-by-default-and-can-be-installed-and-upgraded-via-helm-install-istio-base
+ ./zarf tools kubectl label $(./zarf tools kubectl get crds -l chart=istio -o name && ./zarf tools kubectl get crds -l app.kubernetes.io/part-of=istio -o name) "app.kubernetes.io/managed-by=Helm" --overwrite || true
+ ./zarf tools kubectl annotate $(./zarf tools kubectl get crds -l chart=istio -o name && ./zarf tools kubectl get crds -l app.kubernetes.io/part-of=istio -o name) "meta.helm.sh/release-name=base" --overwrite || true
+ ./zarf tools kubectl annotate $(./zarf tools kubectl get crds -l chart=istio -o name && ./zarf tools kubectl get crds -l app.kubernetes.io/part-of=istio -o name) "meta.helm.sh/release-namespace=istio-system" --overwrite || true
 after:
 - description: "Ensure istio-injection is enabled for Pepr"
 mute: true
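Review bot: The three new `./zarf tools kubectl` commands run under `mute: true` and each ends in `|| true`, so a failed adoption (RBAC denied, an API error, or an empty CRD list on a fresh cluster making `kubectl label` fail for lack of resource names) leaves no trace, and the first symptom would be the later `helm upgrade` of `base` failing on an ownership conflict with nothing in the deploy log to explain it. The `$(a && b)` substitution is also evaluated three times, and when the first `get crds` fails the second selector is never queried, so a partial list can be labelled. I would compute the list once, skip the commands when it is empty, de-duplicate with `sort -u` in case a CRD matches both selectors, and drop `mute: true` and `|| true` so genuine failures surface. Stamping `meta.helm.sh/release-name=base` also makes the `base` release the owner of these CRDs, which, as I read Istio's 1.24 templated-CRD notes, means an uninstall of that release would remove the CRDs and every Istio custom resource with them; that is worth a sentence in the commit description. The `actions:` mapping continues outside the hunk.

```yaml
        cmd: |
          # Commands pulled from https://istio.io/latest/news/releases/1.24.x/announcing-1.24/upgrade-notes/#istio-crds-are-templated-by-default-and-can-be-installed-and-upgraded-via-helm-install-istio-base
          CRDS=$( { ./zarf tools kubectl get crds -l chart=istio -o name; ./zarf tools kubectl get crds -l app.kubernetes.io/part-of=istio -o name; } | sort -u )
          if [ -n "$CRDS" ]; then
            ./zarf tools kubectl label $CRDS "app.kubernetes.io/managed-by=Helm" --overwrite
            ./zarf tools kubectl annotate $CRDS "meta.helm.sh/release-name=base" --overwrite
            ./zarf tools kubectl annotate $CRDS "meta.helm.sh/release-namespace=istio-system" --overwrite
          fi
```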
diff --git a/src/istio/values/registry1-values.yaml b/src/istio/values/registry1-values.yaml
index 17f229fea..62661f45c 100644
--- a/src/istio/values/registry1-values.yaml
+++ b/src/istio/values/registry1-values.yaml
@@ -2,11 +2,11 @@
 # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial
 pilot:
- image: registry1.dso.mil/ironbank/tetrate/istio/pilot:1.23.2-tetratefips-v0
+ image: registry1.dso.mil/ironbank/tetrate/istio/pilot:1.24.1-tetratefips-v0
 global:
 proxy_init:
 # renovate: image=registry1.dso.mil/ironbank/tetrate/istio/proxyv2
- image: "###ZARF_REGISTRY###/ironbank/tetrate/istio/proxyv2:1.23.2-tetratefips-v0"
+ image: "###ZARF_REGISTRY###/ironbank/tetrate/istio/proxyv2:1.24.1-tetratefips-v0"
 proxy:
 # renovate: image=registry1.dso.mil/ironbank/tetrate/istio/proxyv2
- image: "###ZARF_REGISTRY###/ironbank/tetrate/istio/proxyv2:1.23.2-tetratefips-v0"
+ image: "###ZARF_REGISTRY###/ironbank/tetrate/istio/proxyv2:1.24.1-tetratefips-v0"
diff --git a/src/istio/values/unicorn-values.yaml b/src/istio/values/unicorn-values.yaml
index 4d112b8c3..e382763ad 100644
--- a/src/istio/values/unicorn-values.yaml
+++ b/src/istio/values/unicorn-values.yaml
@@ -2,11 +2,11 @@
 # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial
 pilot:
- image: "cgr.dev/du-uds-defenseunicorns/istio-pilot-fips:1.23.2"
+ image: "cgr.dev/du-uds-defenseunicorns/istio-pilot-fips:1.24.1"
 global:
 proxy_init:
 # renovate: image=cgr.dev/du-uds-defenseunicorns/istio-proxy-fips
- image: "###ZARF_REGISTRY###/du-uds-defenseunicorns/istio-proxy-fips:1.23.2"
+ image: "###ZARF_REGISTRY###/du-uds-defenseunicorns/istio-proxy-fips:1.24.1"
 proxy:
 # renovate: image=cgr.dev/du-uds-defenseunicorns/istio-proxy-fips
- image: "###ZARF_REGISTRY###/du-uds-defenseunicorns/istio-proxy-fips:1.23.2"
+ image: "###ZARF_REGISTRY###/du-uds-defenseunicorns/istio-proxy-fips:1.24.1"
diff --git a/src/istio/values/upstream-values.yaml b/src/istio/values/upstream-values.yaml
index 800d39f62..ff0f5871b 100644
--- a/src/istio/values/upstream-values.yaml
+++ b/src/istio/values/upstream-values.yaml
@@ -2,11 +2,11 @@
 # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial
 pilot:
- image: "docker.io/istio/pilot:1.23.2-distroless"
+ image: "docker.io/istio/pilot:1.24.1-distroless"
 global:
 proxy_init:
 # renovate: image=docker.io/istio/proxyv2
- image: "###ZARF_REGISTRY###/istio/proxyv2:1.23.2-distroless"
+ image: "###ZARF_REGISTRY###/istio/proxyv2:1.24.1-distroless"
 proxy:
 # renovate: image=docker.io/istio/proxyv2
- image: "###ZARF_REGISTRY###/istio/proxyv2:1.23.2-distroless"
+ image: "###ZARF_REGISTRY###/istio/proxyv2:1.24.1-distroless"
diff --git a/src/istio/zarf.yaml b/src/istio/zarf.yaml
index 21bae304e..03b88b419 100644
--- a/src/istio/zarf.yaml
+++ b/src/istio/zarf.yaml
@@ -24,8 +24,8 @@ components:
 valuesFiles:
 - "values/upstream-values.yaml"
 images:
- - "docker.io/istio/pilot:1.23.2-distroless"
- - "docker.io/istio/proxyv2:1.23.2-distroless"
+ - "docker.io/istio/pilot:1.24.1-distroless"
+ - "docker.io/istio/proxyv2:1.24.1-distroless"
 - name: istio-controlplane
 required: true
@@ -38,8 +38,8 @@ components:
 valuesFiles:
 - "values/registry1-values.yaml"
 images:
- - registry1.dso.mil/ironbank/tetrate/istio/proxyv2:1.23.2-tetratefips-v0
- - registry1.dso.mil/ironbank/tetrate/istio/pilot:1.23.2-tetratefips-v0
+ - registry1.dso.mil/ironbank/tetrate/istio/proxyv2:1.24.1-tetratefips-v0
+ - registry1.dso.mil/ironbank/tetrate/istio/pilot:1.24.1-tetratefips-v0
 - name: istio-controlplane
 required: true
@@ -52,15 +52,15 @@ components:
 valuesFiles:
 - "values/unicorn-values.yaml"
 images:
- - cgr.dev/du-uds-defenseunicorns/istio-pilot-fips:1.23.2
- - cgr.dev/du-uds-defenseunicorns/istio-proxy-fips:1.23.2
+ - cgr.dev/du-uds-defenseunicorns/istio-pilot-fips:1.24.1
+ - cgr.dev/du-uds-defenseunicorns/istio-proxy-fips:1.24.1
 - name: istio-admin-gateway
 required: true
 charts:
 - name: gateway
 url: https://istio-release.storage.googleapis.com/charts
- version: 1.23.2
+ version: 1.24.1
 releaseName: admin-ingressgateway
 namespace: istio-admin-gateway
 - name: uds-istio-config
@@ -75,7 +75,7 @@ components:
 charts:
 - name: gateway
 url: https://istio-release.storage.googleapis.com/charts
- version: 1.23.2
+ version: 1.24.1
 releaseName: tenant-ingressgateway
 namespace: istio-tenant-gateway
 - name: uds-istio-config
@@ -90,7 +90,7 @@ components:
 charts:
 - name: gateway
 url: https://istio-release.storage.googleapis.com/charts
- version: 1.23.2
+ version: 1.24.1
 releaseName: passthrough-ingressgateway
 namespace: istio-passthrough-gateway
 - name: uds-istio-config
diff --git a/src/keycloak/chart/Chart.yaml b/src/keycloak/chart/Chart.yaml
index 10fdeafce..b211a4301 100644
--- a/src/keycloak/chart/Chart.yaml
+++ b/src/keycloak/chart/Chart.yaml
@@ -4,7 +4,7 @@ apiVersion: v2
 name: keycloak
 # renovate: datasource=docker depName=quay.io/keycloak/keycloak versioning=semver
-version: 26.0.6
+version: 26.0.7
 description: Open Source Identity and Access Management For Modern Applications and Services
 keywords:
 - sso
diff --git a/src/keycloak/chart/values.yaml b/src/keycloak/chart/values.yaml
index 4673cc811..7f61f9012 100644
--- a/src/keycloak/chart/values.yaml
+++ b/src/keycloak/chart/values.yaml
@@ -5,12 +5,12 @@ image:
 # The Keycloak image repository
 repository: quay.io/keycloak/keycloak
 # Overrides the Keycloak image tag whose default is the chart appVersion
- tag: "26.0.6"
+ tag: "26.0.7"
 # The Keycloak image pull policy
 pullPolicy: IfNotPresent
 # renovate: datasource=github-tags depName=defenseunicorns/uds-identity-config versioning=semver
-configImage: ghcr.io/defenseunicorns/uds/identity-config:0.7.0
+configImage: ghcr.io/defenseunicorns/uds/identity-config:0.8.0
 # The public domain name of the Keycloak server
 domain: "###ZARF_VAR_DOMAIN###"
diff --git a/src/keycloak/common/zarf.yaml b/src/keycloak/common/zarf.yaml
index 8b4a82987..f8ff6726d 100644
--- a/src/keycloak/common/zarf.yaml
+++ b/src/keycloak/common/zarf.yaml
@@ -13,7 +13,7 @@ components:
 - name: keycloak
 namespace: keycloak
 # renovate: datasource=docker depName=quay.io/keycloak/keycloak versioning=semver
- version: 26.0.6
+ version: 26.0.7
 localPath: ../chart
 actions:
 onDeploy:
diff --git a/src/keycloak/tasks.yaml b/src/keycloak/tasks.yaml
index 72968a5cf..96f24bf08 100644
--- a/src/keycloak/tasks.yaml
+++ b/src/keycloak/tasks.yaml
@@ -2,7 +2,7 @@
 # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial
 includes:
- - config: https://raw.githubusercontent.com/defenseunicorns/uds-identity-config/v0.7.0/tasks.yaml
+ - config: https://raw.githubusercontent.com/defenseunicorns/uds-identity-config/v0.8.0/tasks.yaml
 tasks:
 - name: validate
diff --git a/src/keycloak/values/registry1-values.yaml b/src/keycloak/values/registry1-values.yaml
index 82cf9593e..5365fabab 100644
--- a/src/keycloak/values/registry1-values.yaml
+++ b/src/keycloak/values/registry1-values.yaml
@@ -3,7 +3,7 @@
 image:
 repository: registry1.dso.mil/ironbank/opensource/keycloak/keycloak
- tag: "26.0.6"
+ tag: "26.0.7"
 podSecurityContext:
 fsGroup: 2000
 securityContext:
diff --git a/src/keycloak/values/unicorn-values.yaml b/src/keycloak/values/unicorn-values.yaml
index 81eef8da2..88c01a663 100644
--- a/src/keycloak/values/unicorn-values.yaml
+++ b/src/keycloak/values/unicorn-values.yaml
@@ -5,4 +5,4 @@ podSecurityContext:
 fsGroup: 65532
 image:
 repository: cgr.dev/du-uds-defenseunicorns/keycloak
- tag: "26.0.6"
+ tag: "26.0.7"
diff --git a/src/keycloak/values/upstream-values.yaml b/src/keycloak/values/upstream-values.yaml
index 30a8ad780..59a935be6 100644
--- a/src/keycloak/values/upstream-values.yaml
+++ b/src/keycloak/values/upstream-values.yaml
@@ -5,4 +5,4 @@ podSecurityContext:
 fsGroup: 1000
 image:
 repository: quay.io/keycloak/keycloak
- tag: "26.0.6"
+ tag: "26.0.7"
diff --git a/src/keycloak/zarf.yaml b/src/keycloak/zarf.yaml
index 0b8760511..710f56ea0 100644
--- a/src/keycloak/zarf.yaml
+++ b/src/keycloak/zarf.yaml
@@ -23,8 +23,8 @@ components:
 valuesFiles:
 - "values/upstream-values.yaml"
 images:
- - quay.io/keycloak/keycloak:26.0.6
- - ghcr.io/defenseunicorns/uds/identity-config:0.7.0
+ - quay.io/keycloak/keycloak:26.0.7
+ - ghcr.io/defenseunicorns/uds/identity-config:0.8.0
 - name: keycloak
 required: true
@@ -39,8 +39,8 @@ components:
 valuesFiles:
 - "values/registry1-values.yaml"
 images:
- - registry1.dso.mil/ironbank/opensource/keycloak/keycloak:26.0.6
- - ghcr.io/defenseunicorns/uds/identity-config:0.7.0
+ - registry1.dso.mil/ironbank/opensource/keycloak/keycloak:26.0.7
+ - ghcr.io/defenseunicorns/uds/identity-config:0.8.0
 - name: keycloak
 required: true
@@ -53,5 +53,5 @@ components:
 valuesFiles:
 - "values/unicorn-values.yaml"
 images:
- - cgr.dev/du-uds-defenseunicorns/keycloak:26.0.6 # todo: switch to FIPS image
- - ghcr.io/defenseunicorns/uds/identity-config:0.7.0
+ - cgr.dev/du-uds-defenseunicorns/keycloak:26.0.7 # todo: switch to FIPS image
+ - ghcr.io/defenseunicorns/uds/identity-config:0.8.0
diff --git a/src/loki/chart/templates/peerauthentication/loki-simple-scalable.yaml b/src/loki/chart/templates/peerauthentication/loki-simple-scalable.yaml
deleted file mode 100644
index 12ac3e56b..000000000
--- a/src/loki/chart/templates/peerauthentication/loki-simple-scalable.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-# Copyright 2024 Defense Unicorns
-# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial
-
-{{- if .Capabilities.APIVersions.Has "security.istio.io/v1beta1" }}
-apiVersion: "security.istio.io/v1beta1"
-kind: PeerAuthentication
-metadata:
- name: loki-simple-scalable
- namespace: {{ .Release.Namespace }}
-spec:
- mtls:
- mode: STRICT
- selector:
- matchLabels:
- app.kubernetes.io/name: loki
- portLevelMtls:
- # GRPC exception to support Loki internal communication
- "9095":
- mode: PERMISSIVE
-{{- end }}
diff --git a/src/loki/common/zarf.yaml b/src/loki/common/zarf.yaml
index 26c3d4998..581bc50fd 100644
--- a/src/loki/common/zarf.yaml
+++ b/src/loki/common/zarf.yaml
@@ -16,7 +16,7 @@ components:
 localPath: ../chart
 - name: loki
 url: https://grafana.github.io/helm-charts/
- version: 6.19.0
+ version: 6.23.0
 namespace: loki
 valuesFiles:
 - ../values/values.yaml
diff --git a/src/loki/values/registry1-values.yaml b/src/loki/values/registry1-values.yaml
index 28be3bac8..63963d5c1 100644
--- a/src/loki/values/registry1-values.yaml
+++ b/src/loki/values/registry1-values.yaml
@@ -5,7 +5,7 @@ loki:
 image:
 registry: registry1.dso.mil
 repository: ironbank/opensource/grafana/loki
- tag: 3.2.1
+ tag: 3.3.1
 podSecurityContext:
 fsGroup: 10001
 runAsGroup: 10001
@@ -26,4 +26,4 @@ gateway:
 memcached:
 image:
 repository: registry1.dso.mil/ironbank/opensource/memcached/memcached
- tag: 1.6.32
+ tag: 1.6.33
diff --git a/src/loki/values/unicorn-values.yaml b/src/loki/values/unicorn-values.yaml
index 9c5b082a7..c2b44569d 100644
--- a/src/loki/values/unicorn-values.yaml
+++ b/src/loki/values/unicorn-values.yaml
@@ -5,13 +5,13 @@ loki:
 image:
 registry: cgr.dev
 repository: du-uds-defenseunicorns/loki
- tag: 3.2.1
+ tag: 3.3.1
 gateway:
 image:
 registry: cgr.dev
 repository: du-uds-defenseunicorns/nginx-fips
- tag: 1.27.2
+ tag: 1.27.3
 memcached:
 image:
 repository: cgr.dev/du-uds-defenseunicorns/memcached
- tag: 1.6.32
+ tag: 1.6.33
diff --git a/src/loki/values/upstream-values.yaml b/src/loki/values/upstream-values.yaml
index 42eead34d..13ecaeee9 100644
--- a/src/loki/values/upstream-values.yaml
+++ b/src/loki/values/upstream-values.yaml
@@ -5,7 +5,7 @@ loki:
 image:
 registry: docker.io
 repository: grafana/loki
- tag: 3.2.1
+ tag: 3.3.1
 gateway:
 image:
@@ -17,4 +17,4 @@ memcached:
 image:
 registry: docker.io
 repository: memcached
- tag: 1.6.32-alpine
+ tag: 1.6.33-alpine
diff --git a/src/loki/zarf.yaml b/src/loki/zarf.yaml
index 6a3dcb29f..3741c98e4 100644
--- a/src/loki/zarf.yaml
+++ b/src/loki/zarf.yaml
@@ -19,9 +19,9 @@ components:
 valuesFiles:
 - ./values/upstream-values.yaml
 images:
- - docker.io/grafana/loki:3.2.1
+ - docker.io/grafana/loki:3.3.1
 - docker.io/nginxinc/nginx-unprivileged:1.27-alpine
- - docker.io/memcached:1.6.32-alpine
+ - docker.io/memcached:1.6.33-alpine
 - name: loki
 required: true
@@ -35,9 +35,9 @@ components:
 valuesFiles:
 - ./values/registry1-values.yaml
 images:
- - registry1.dso.mil/ironbank/opensource/grafana/loki:3.2.1
+ - registry1.dso.mil/ironbank/opensource/grafana/loki:3.3.1
 - registry1.dso.mil/ironbank/opensource/nginx/nginx-alpine:1.26.2
- - registry1.dso.mil/ironbank/opensource/memcached/memcached:1.6.32
+ - registry1.dso.mil/ironbank/opensource/memcached/memcached:1.6.33
 - name: loki
 required: true
@@ -51,6 +51,6 @@ components:
 valuesFiles:
 - ./values/unicorn-values.yaml
 images:
- - cgr.dev/du-uds-defenseunicorns/loki:3.2.1
- - cgr.dev/du-uds-defenseunicorns/nginx-fips:1.27.2
- - cgr.dev/du-uds-defenseunicorns/memcached:1.6.32
+ - cgr.dev/du-uds-defenseunicorns/loki:3.3.1
+ - cgr.dev/du-uds-defenseunicorns/nginx-fips:1.27.3
+ - cgr.dev/du-uds-defenseunicorns/memcached:1.6.33
diff --git a/src/neuvector/tasks.yaml b/src/neuvector/tasks.yaml
index 2f66394ec..e325f463f 100644
--- a/src/neuvector/tasks.yaml
+++ b/src/neuvector/tasks.yaml
@@ -52,7 +52,7 @@ tasks:
 - description: E2E Test for NeuVector
 cmd: |
 # renovate: datasource=docker depName=mcr.microsoft.com/playwright versioning=docker
- docker run --rm --ipc=host -e FULL_CORE="${FULL_CORE}" --net=host --mount type=bind,source="$(pwd)",target=/app mcr.microsoft.com/playwright:v1.49.0-noble sh -c " \
+ docker run --rm --ipc=host -e FULL_CORE="${FULL_CORE}" --net=host --mount type=bind,source="$(pwd)",target=/app mcr.microsoft.com/playwright:v1.49.1-noble sh -c " \
 cd app && \
 npm ci && \
 npx playwright test neuvector.test.ts \
diff --git a/src/pepr/config.ts b/src/pepr/config.ts
index 2b1198405..e227df63f 100644
--- a/src/pepr/config.ts
+++ b/src/pepr/config.ts
@@ -31,6 +31,9 @@ export const UDSConfig = {
 // Redis URI for Authservice
 authserviceRedisUri,
+ // Static CIDR range to use for KubeAPI instead of k8s watch
+ kubeApiCidr: process.env.KUBEAPI_CIDR,
+
 // Track if UDS Core identity-authorization layer is deployed
 isIdentityDeployed: false,
 };
diff --git a/src/pepr/operator/controllers/keycloak/client-sync.ts b/src/pepr/operator/controllers/keycloak/client-sync.ts
index f92dea26f..0a25eead6 100644
--- a/src/pepr/operator/controllers/keycloak/client-sync.ts
+++ b/src/pepr/operator/controllers/keycloak/client-sync.ts
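Review bot: `kubeApiCidr: process.env.KUBEAPI_CIDR` stores the environment value without any validation, and the companion spec added in this commit shows the static value being written verbatim into the `ipBlock.cidr` of generated KubeAPI egress rules, so a malformed value only fails later when the NetworkPolicy is applied, and an over-broad one such as `0.0.0.0/0` quietly widens egress for every workload that receives a KubeAPI policy. I would validate at load time — split on `/`, require `net.isIPv4()` on the address part and a prefix length in 0–32 — and throw with a clear message rather than keep the raw string. The comment should also say what shape is expected, e.g. `// Static CIDR range to use for KubeAPI instead of k8s watch (IPv4 CIDR such as 10.0.0.0/24); unset means watch`. The `UDSConfig` object starts outside the hunk.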
@@ -8,7 +8,7 @@ import { fetch, K8s, kind } from "pepr";
 import { Component, setupLogger } from "../../../logger";
 import { Store } from "../../common";
 import { Sso, UDSPackage } from "../../crd";
-import { getOwnerRef, purgeOrphans, sanitizeResourceName } from "../utils";
+import { getOwnerRef, purgeOrphans, retryWithDelay, sanitizeResourceName } from "../utils";
 import { Client, clientKeys } from "./types";
 let apiURL =
@@ -173,7 +173,7 @@ async function syncClient(
 // Write the new token to the store
 try {
- await Store.setItemAndWait(name, client.registrationAccessToken!);
+ await retryWithDelay(() => Store.setItemAndWait(name, client.registrationAccessToken!), log);
 } catch (err) {
 throw Error(
 `Failed to set token in store for client '${client.clientId}', package ` +
diff --git a/src/pepr/operator/controllers/network/generate.ts b/src/pepr/operator/controllers/network/generate.ts
index c46bc0b75..6ead5ba1b 100644
--- a/src/pepr/operator/controllers/network/generate.ts
+++ b/src/pepr/operator/controllers/network/generate.ts
@@ -93,6 +93,11 @@ export function generate(namespace: string, policy: Allow): kind.NetworkPolicy {
 };
 }
+ // Add the generated policy label (used to track KubeAPI policies)
+ if (policy.remoteGenerated) {
+ generated.metadata!.labels!["uds/generated"] = policy.remoteGenerated;
+ }
+
 // Create the network policy peers
 const peers: V1NetworkPolicyPeer[] = getPeers(policy);
diff --git a/src/pepr/operator/controllers/network/generators/kubeAPI.spec.ts b/src/pepr/operator/controllers/network/generators/kubeAPI.spec.ts
new file mode 100644
index 000000000..0de63061d
--- /dev/null
+++ b/src/pepr/operator/controllers/network/generators/kubeAPI.spec.ts
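Review bot: The comment above the changed line still reads `// Write the new token to the store` and does not say that the write is now retried or when `retryWithDelay` gives up, so a reader of this site cannot tell whether intermediate failures are reported through the `log` argument or only the final one reaches the `catch`. I would update it to `// Write the new token to the store, retrying transient Store failures before giving up`. Because the closure captures `client.registrationAccessToken`, a credential, it is also worth confirming that `retryWithDelay` logs only the error and never the callback or its arguments. The rest of `syncClient` and the thrown message continue outside the hunk.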
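Review bot: `generated.metadata!.labels!["uds/generated"] = policy.remoteGenerated;` relies on two non-null assertions, so if `labels` is not initialised earlier in `generate` (the start of the function is outside the hunk) this throws a TypeError at runtime rather than failing at compile time. Initialising defensively costs one line: `generated.metadata!.labels = { ...generated.metadata!.labels, "uds/generated": policy.remoteGenerated };`. The comment could also state that the value must be a valid Kubernetes label value (at most 63 characters of alphanumerics, `-`, `_` and `.`), which holds if `remoteGenerated` is a CRD enum but is not visible from here.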
@@ -0,0 +1,577 @@ +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + +import { beforeEach, describe, expect, it, jest } from "@jest/globals"; +import { K8s, kind } from "pepr"; +import { updateAPIServerCIDR, updateKubeAPINetworkPolicies } from "./kubeAPI"; + +type KubernetesList = { + items: T[]; +}; + +jest.mock("pepr", () => { + const originalModule = jest.requireActual("pepr") as object; + return { + ...originalModule, + K8s: jest.fn(), + }; +}); + +const mockApply = jest.fn(); +const mockGet = jest.fn<() => Promise>>(); + +describe("updateAPIServerCIDR", () => { + beforeEach(() => { + jest.clearAllMocks(); + (K8s as jest.Mock).mockImplementation(() => ({ + WithLabel: jest.fn(() => ({ + Get: mockGet, + })), + Apply: mockApply, + })); + }); + + it("handles a static CIDR string", async () => { + const mockService = { + spec: { + clusterIP: "10.0.0.1", + }, + } as kind.Service; + + const staticCIDR = "192.168.1.0/24"; + + // Mock the return of `Get` method + mockGet.mockResolvedValue({ + items: [ + { + metadata: { + name: "mock-netpol", + namespace: "default", + }, + spec: { + egress: [ + { + to: [{ ipBlock: { cidr: "0.0.0.0/0" } }], + }, + ], + }, + }, + ], + } as KubernetesList); + + await updateAPIServerCIDR(mockService, staticCIDR); + + expect(mockGet).toHaveBeenCalledWith(); + expect(mockApply).toHaveBeenCalledWith( + expect.objectContaining({ + metadata: { + name: "mock-netpol", + namespace: "default", + }, + spec: { + egress: [ + { + to: [{ ipBlock: { cidr: staticCIDR } }, { ipBlock: { cidr: "10.0.0.1/32" } }], + }, + ], + }, + }), + { force: true }, // Include the second argument in the call + ); + }); + + it("handles an EndpointSlice with multiple endpoints", async () => { + const mockService = { + spec: { + clusterIP: "10.0.0.1", + }, + } as kind.Service; + + const mockSlice = { + endpoints: [{ addresses: ["192.168.1.2"] }, { addresses: ["192.168.1.3"] }], + } as 
kind.EndpointSlice; + + // Mock the return of `Get` method + mockGet.mockResolvedValue({ + items: [ + { + metadata: { + name: "mock-netpol", + namespace: "default", + }, + spec: { + egress: [ + { + to: [{ ipBlock: { cidr: "0.0.0.0/0" } }], + }, + ], + }, + }, + ], + } as KubernetesList); + + await updateAPIServerCIDR(mockService, mockSlice); + + expect(mockGet).toHaveBeenCalledWith(); + expect(mockApply).toHaveBeenCalledWith( + expect.objectContaining({ + metadata: { + name: "mock-netpol", + namespace: "default", + }, + spec: { + egress: [ + { + to: [ + { ipBlock: { cidr: "192.168.1.2/32" } }, + { ipBlock: { cidr: "192.168.1.3/32" } }, + { ipBlock: { cidr: "10.0.0.1/32" } }, + ], + }, + ], + }, + }), + { force: true }, // Include the second argument in the call + ); + }); + + it("handles an empty EndpointSlice", async () => { + const mockService = { + spec: { + clusterIP: "10.0.0.1", + }, + } as kind.Service; + + const mockSlice = { + endpoints: [{}], + } as kind.EndpointSlice; + + // Mock the return of `Get` method + mockGet.mockResolvedValue({ + items: [ + { + metadata: { + name: "mock-netpol", + namespace: "default", + }, + spec: { + egress: [ + { + to: [{ ipBlock: { cidr: "0.0.0.0/0" } }], + }, + ], + }, + }, + ], + } as KubernetesList); + + await updateAPIServerCIDR(mockService, mockSlice); + + expect(mockGet).toHaveBeenCalledWith(); + expect(mockApply).toHaveBeenCalledWith( + expect.objectContaining({ + metadata: { + name: "mock-netpol", + namespace: "default", + }, + spec: { + egress: [ + { + to: [{ ipBlock: { cidr: "10.0.0.1/32" } }], + }, + ], + }, + }), + { force: true }, // Include the second argument in the call + ); + }); + + it("handles a Service with missing clusterIP", async () => { + const mockService = { + spec: {}, + } as kind.Service; + + const mockSlice = { + endpoints: [{ addresses: ["192.168.1.2"] }], + } as kind.EndpointSlice; + + // Mock the return of `Get` method + mockGet.mockResolvedValue({ + items: [ + { + metadata: { + name: 
"mock-netpol", + namespace: "default", + }, + spec: { + egress: [ + { + to: [{ ipBlock: { cidr: "0.0.0.0/0" } }], + }, + ], + }, + }, + ], + } as KubernetesList); + + await updateAPIServerCIDR(mockService, mockSlice); + + expect(mockGet).toHaveBeenCalledWith(); + expect(mockApply).toHaveBeenCalledWith( + expect.objectContaining({ + metadata: { + name: "mock-netpol", + namespace: "default", + }, + spec: { + egress: [ + { + to: [{ ipBlock: { cidr: "192.168.1.2/32" } }], + }, + ], + }, + }), + { force: true }, // Include the second argument in the call + ); + }); + + it("handles no matching NetworkPolicies", async () => { + const mockService = { + spec: { + clusterIP: "10.0.0.1", + }, + } as kind.Service; + + const mockSlice = { + endpoints: [{ addresses: ["192.168.1.2"] }], + } as kind.EndpointSlice; + + // Mock the return of `Get` method to return no items + mockGet.mockResolvedValue({ + items: [], + } as KubernetesList); + + await updateAPIServerCIDR(mockService, mockSlice); + + expect(mockGet).toHaveBeenCalledWith(); + expect(mockApply).not.toHaveBeenCalled(); + }); +}); + +describe("updateKubeAPINetworkPolicies", () => { + beforeEach(() => { + jest.clearAllMocks(); + (K8s as jest.Mock).mockImplementation(() => ({ + WithLabel: jest.fn(() => ({ + Get: mockGet, + })), + Apply: mockApply, + })); + }); + + it("does not update an egress NetworkPolicy if the peers are already correct", async () => { + const newPeers = [{ ipBlock: { cidr: "10.0.0.1/32" } }]; + mockGet.mockResolvedValue({ + items: [ + { + metadata: { + name: "mock-netpol", + namespace: "default", + }, + spec: { + egress: [ + { + to: newPeers, + }, + ], + }, + }, + ], + } as KubernetesList); + + await updateKubeAPINetworkPolicies(newPeers); + + expect(mockGet).toHaveBeenCalled(); + expect(mockApply).not.toHaveBeenCalled(); // No update needed + }); + + it("does not update an ingress NetworkPolicy if the peers are already correct", async () => { + const newPeers = [{ ipBlock: { cidr: "10.0.0.1/32" } }]; + 
mockGet.mockResolvedValue({ + items: [ + { + metadata: { + name: "mock-netpol", + namespace: "default", + }, + spec: { + ingress: [ + { + from: newPeers, + }, + ], + }, + }, + ], + } as KubernetesList); + + await updateKubeAPINetworkPolicies(newPeers); + + expect(mockGet).toHaveBeenCalled(); + expect(mockApply).not.toHaveBeenCalled(); // No update needed + }); + + it("updates an egress NetworkPolicy with different peers", async () => { + const newPeers = [{ ipBlock: { cidr: "10.0.0.1/32" } }]; + const oldPeers = [{ ipBlock: { cidr: "192.168.1.0/32" } }]; + mockGet.mockResolvedValue({ + items: [ + { + metadata: { + name: "mock-netpol", + namespace: "default", + }, + spec: { + egress: [ + { + to: oldPeers, + }, + ], + }, + }, + ], + } as KubernetesList); + + await updateKubeAPINetworkPolicies(newPeers); + + expect(mockGet).toHaveBeenCalled(); + expect(mockApply).toHaveBeenCalledWith( + expect.objectContaining({ + metadata: { + name: "mock-netpol", + namespace: "default", + }, + spec: { + egress: [ + { + to: newPeers, + }, + ], + }, + }), + { force: true }, + ); + }); + + it("updates an ingress NetworkPolicy with different peers", async () => { + const newPeers = [{ ipBlock: { cidr: "10.0.0.1/32" } }]; + const oldPeers = [{ ipBlock: { cidr: "192.168.1.0/32" } }]; + mockGet.mockResolvedValue({ + items: [ + { + metadata: { + name: "mock-netpol", + namespace: "default", + }, + spec: { + ingress: [ + { + from: oldPeers, + }, + ], + }, + }, + ], + } as KubernetesList); + + await updateKubeAPINetworkPolicies(newPeers); + + expect(mockGet).toHaveBeenCalled(); + expect(mockApply).toHaveBeenCalledWith( + expect.objectContaining({ + metadata: { + name: "mock-netpol", + namespace: "default", + }, + spec: { + ingress: [ + { + from: newPeers, + }, + ], + }, + }), + { force: true }, + ); + }); + + it("updates an egress NetworkPolicy with no peers", async () => { + const newPeers = [{ ipBlock: { cidr: "10.0.0.1/32" } }]; + mockGet.mockResolvedValue({ + items: [ + { + metadata: { + 
name: "mock-netpol", + namespace: "default", + }, + spec: { + egress: [ + { + to: undefined, + }, + ], + }, + }, + ], + } as KubernetesList); + + await updateKubeAPINetworkPolicies(newPeers); + + expect(mockGet).toHaveBeenCalled(); + expect(mockApply).toHaveBeenCalledWith( + expect.objectContaining({ + metadata: { + name: "mock-netpol", + namespace: "default", + }, + spec: { + egress: [ + { + to: newPeers, + }, + ], + }, + }), + { force: true }, + ); + }); + + it("updates an ingress NetworkPolicy with no peers", async () => { + const newPeers = [{ ipBlock: { cidr: "10.0.0.1/32" } }]; + mockGet.mockResolvedValue({ + items: [ + { + metadata: { + name: "mock-netpol", + namespace: "default", + }, + spec: { + ingress: [ + { + from: undefined, + }, + ], + }, + }, + ], + } as KubernetesList); + + await updateKubeAPINetworkPolicies(newPeers); + + expect(mockGet).toHaveBeenCalled(); + expect(mockApply).toHaveBeenCalledWith( + expect.objectContaining({ + metadata: { + name: "mock-netpol", + namespace: "default", + }, + spec: { + ingress: [ + { + from: newPeers, + }, + ], + }, + }), + { force: true }, + ); + }); + + it("initializes missing egress rules", async () => { + const newPeers = [{ ipBlock: { cidr: "10.0.0.1/32" } }]; + mockGet.mockResolvedValue({ + items: [ + { + metadata: { + name: "mock-netpol", + namespace: "default", + }, + spec: { + egress: [{}], + }, // No egress at all + }, + ], + } as KubernetesList); + + await updateKubeAPINetworkPolicies(newPeers); + + expect(mockGet).toHaveBeenCalled(); + expect(mockApply).toHaveBeenCalledWith( + expect.objectContaining({ + metadata: { + name: "mock-netpol", + namespace: "default", + }, + spec: { + egress: [ + { + to: newPeers, + }, + ], + }, + }), + { force: true }, + ); + }); + + it("initializes missing ingress rules", async () => { + const newPeers = [{ ipBlock: { cidr: "10.0.0.1/32" } }]; + mockGet.mockResolvedValue({ + items: [ + { + metadata: { + name: "mock-netpol", + namespace: "default", + }, + spec: { + ingress: 
[{}], + }, // No egress at all + }, + ], + } as KubernetesList); + + await updateKubeAPINetworkPolicies(newPeers); + + expect(mockGet).toHaveBeenCalled(); + expect(mockApply).toHaveBeenCalledWith( + expect.objectContaining({ + metadata: { + name: "mock-netpol", + namespace: "default", + }, + spec: { + ingress: [ + { + from: newPeers, + }, + ], + }, + }), + { force: true }, + ); + }); + + it("handles no matching NetworkPolicies", async () => { + const newPeers = [{ ipBlock: { cidr: "10.0.0.1/32" } }]; + mockGet.mockResolvedValue({ + items: [], // No NetworkPolicies found + } as KubernetesList); + + await updateKubeAPINetworkPolicies(newPeers); + + expect(mockGet).toHaveBeenCalled(); + expect(mockApply).not.toHaveBeenCalled(); // No policies to update + }); +}); diff --git a/src/pepr/operator/controllers/network/generators/kubeAPI.ts b/src/pepr/operator/controllers/network/generators/kubeAPI.ts index 30f704780..6e90e0d92 100644 --- a/src/pepr/operator/controllers/network/generators/kubeAPI.ts +++ b/src/pepr/operator/controllers/network/generators/kubeAPI.ts @@ -6,8 +6,10 @@ import { V1NetworkPolicyPeer } from "@kubernetes/client-node"; import { K8s, kind, R } from "pepr"; +import { UDSConfig } from "../../../../config"; import { Component, setupLogger } from "../../../../logger"; import { RemoteGenerated } from "../../../crd"; +import { retryWithDelay } from "../../utils"; import { anywhere } from "./anywhere"; // configure subproject logger 
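Review bot: None of the new cases exercise the failure path of `updateKubeAPINetworkPolicies`: `mockApply` always resolves, so the branch that appends the KUBEAPI_CIDR hint to the rethrown message and the `managedFields = undefined` reset before Apply are untested. A case with `mockApply.mockRejectedValue({ data: { message: "bad cidr" } })` (constructed value) and `UDSConfig.kubeApiCidr` set, asserting on the rejected message, would cover both. The comment `// No egress at all` on the ingress case is copied from the egress case and should read `// No ingress rule at all`; also `ingress: [{}]` is an empty rule rather than a missing one, so the name `initializes missing ingress rules` overstates what is checked.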
@@ -17,19 +19,39 @@ const log = setupLogger(Component.OPERATOR_GENERATORS); let apiServerPeers: V1NetworkPolicyPeer[]; /** - * Initialize the API server CIDR by getting the EndpointSlice and Service for the API server + * Initialize the API server CIDR. + * + * This function checks if a static CIDR is defined in the configuration. + * If a static CIDR exists, it skips the EndpointSlice lookup and uses the static value. + * Otherwise, it fetches the EndpointSlice and updates the CIDR dynamically. */ export async function initAPIServerCIDR() { - const slice = await K8s(kind.EndpointSlice).InNamespace("default").Get("kubernetes"); - const svc = await K8s(kind.Service).InNamespace("default").Get("kubernetes"); - await updateAPIServerCIDR(slice, svc); + try { + const svc = await retryWithDelay(fetchKubernetesService, log); + + // If static CIDR is defined, pass it directly + if (UDSConfig.kubeApiCidr) { + log.info( + `Static CIDR (${UDSConfig.kubeApiCidr}) is defined for KubeAPI, skipping EndpointSlice lookup.`, + ); + await updateAPIServerCIDR(svc, UDSConfig.kubeApiCidr); // Pass static CIDR + } else { + const slice = await retryWithDelay(fetchKubernetesEndpointSlice, log); + await updateAPIServerCIDR(svc, slice); + } + } catch (error) { + log.error("Failed to initialize API Server CIDR for KubeAPI generated network policies", { + err: JSON.stringify(error), + }); + } } /** - * Get the API server CIDR - * @returns The API server CIDR + * Get the API server CIDR. + * + * @returns {V1NetworkPolicyPeer[]} The cached API server CIDR if available; otherwise, defaults to `0.0.0.0/0`. */ -export function kubeAPI() { +export function kubeAPI(): V1NetworkPolicyPeer[] { // If the API server peers are already cached, return them if (apiServerPeers) { return apiServerPeers; 
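Review bot: `err: JSON.stringify(error)` in the new catch block yields `{}` whenever `error` is an `Error` instance, because `message` and `stack` are non-enumerable, so the one log line explaining why KubeAPI policies were not initialised may carry no detail. The sibling handlers in this file log `{ err }` directly and retryWithDelay already extracts `err.data?.message` or `err.message`; using the same shape here, e.g. `log.error({ err: error }, "Failed to initialize API Server CIDR for KubeAPI generated network policies");`, keeps the detail. The static CIDR is logged at info before use but is not checked for shape before `updateAPIServerCIDR(svc, UDSConfig.kubeApiCidr)` is called.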
@@ -41,16 +63,17 @@ export function kubeAPI() { } /** - * When the kubernetes EndpointSlice is created or updated, update the API server CIDR - * @param slice The EndpointSlice for the API server + * When the Kubernetes EndpointSlice is created or updated, update the API server CIDR. + * + * @param {kind.EndpointSlice} slice - The EndpointSlice object for the API server. */ export async function updateAPIServerCIDRFromEndpointSlice(slice: kind.EndpointSlice) { try { log.debug( "Processing watch for endpointslices, getting k8s service for updating API server CIDR", ); - const svc = await K8s(kind.Service).InNamespace("default").Get("kubernetes"); - await updateAPIServerCIDR(slice, svc); + const svc = await retryWithDelay(fetchKubernetesService, log); + await updateAPIServerCIDR(svc, slice); } catch (err) { const msg = "Failed to update network policies from endpoint slice watch"; log.error({ err }, msg); 
@@ -58,65 +81,156 @@ export async function updateAPIServerCIDRFromEndpointSlice(slice: kind.EndpointS } /** - * When the kubernetes Service is created or updated, update the API server CIDR - * @param svc The Service for the API server + * When the Kubernetes Service is created or updated, update the API server CIDR. + * + * If a static CIDR is defined, it skips fetching the EndpointSlice and uses the static value. + * + * @param {kind.Service} svc - The Service object for the API server. */ export async function updateAPIServerCIDRFromService(svc: kind.Service) { try { - log.debug( - "Processing watch for api service, getting endpoint slices for updating API server CIDR", - ); - const slice = await K8s(kind.EndpointSlice).InNamespace("default").Get("kubernetes"); - await updateAPIServerCIDR(slice, svc); + if (UDSConfig.kubeApiCidr) { + log.debug("Processing watch for api service, using configured API CIDR for endpoints"); + await updateAPIServerCIDR(svc, UDSConfig.kubeApiCidr); + } else { + log.debug( + "Processing watch for api service, getting endpoint slices for updating API server CIDR", + ); + const slice = await retryWithDelay(fetchKubernetesEndpointSlice, log); + await updateAPIServerCIDR(svc, slice); + } } catch (err) { - const msg = "Failed to update network policies from api service watch"; + const msg = "Failed to update network policies from API service watch"; log.error({ err }, msg); } } /** - * Update the API server CIDR and update the NetworkPolicies + * Update the API server CIDR and apply it to the NetworkPolicies. * - * @param slice The EndpointSlice for the API server - * @param svc The Service for the API server + * @param {kind.Service} svc - The Service object representing the Kubernetes API server. + * @param {kind.EndpointSlice | string} slice - Either the EndpointSlice for dynamic CIDR generation or a static CIDR string. 
*/ -export async function updateAPIServerCIDR(slice: kind.EndpointSlice, svc: kind.Service) { - const { endpoints } = slice; +export async function updateAPIServerCIDR(svc: kind.Service, slice: kind.EndpointSlice | string) { const k8sApiIP = svc.spec?.clusterIP; - // Flatten the endpoints into a list of IPs - const peers = endpoints?.flatMap(e => e.addresses); + let peers: string[] = []; + + // Handle static CIDR or dynamic EndpointSlice + if (typeof slice === "string") { + peers.push(slice); + } else { + const { endpoints } = slice; + peers = Array.isArray(endpoints) + ? endpoints.flatMap(e => { + if (!Array.isArray(e?.addresses) || e.addresses.length === 0) { + return []; // No addresses, skip this endpoint + } + return e.addresses.map(addr => `${addr}/32`); // Add /32 to each address + }) + : []; + } + // Add the clusterIP from the service if (k8sApiIP) { - peers?.push(k8sApiIP); + peers.push(`${k8sApiIP}/32`); } - // If the peers are found, cache and process them - if (peers?.length) { - apiServerPeers = peers.flatMap(ip => ({ + // Convert peers into NetworkPolicyPeer objects + if (peers.length) { + apiServerPeers = peers.flatMap(cidr => ({ ipBlock: { - cidr: `${ip}/32`, + cidr: cidr, }, })); - // Get all the KubeAPI NetworkPolicies - const netPols = await K8s(kind.NetworkPolicy) - .WithLabel("uds.dev/generated", RemoteGenerated.KubeAPI) - .Get(); + // Update NetworkPolicies + await updateKubeAPINetworkPolicies(apiServerPeers); + } else { + log.warn("No peers found for the API server CIDR update."); + } +} - for (const netPol of netPols.items) { - // Get the old peers - const oldPeers = netPol.spec?.egress?.[0].to; +/** + * Update NetworkPolicies with new API server peers. + * + * @param {V1NetworkPolicyPeer[]} newPeers - The updated list of peers to apply to the NetworkPolicies. 
+ */ +export async function updateKubeAPINetworkPolicies(newPeers: V1NetworkPolicyPeer[]) { + const netPols = await K8s(kind.NetworkPolicy) + .WithLabel("uds/generated", RemoteGenerated.KubeAPI) + .Get(); + + for (const netPol of netPols.items) { + // Safety check for network policy spec existence + if (!netPol.spec) { + log.warn( + `KubeAPI NetworkPolicy ${netPol.metadata!.namespace}/${netPol.metadata!.name} is missing spec.`, + ); + continue; + } - // Update the NetworkPolicy if the peers have changed - if (!R.equals(oldPeers, apiServerPeers)) { - // Note using the apiServerPeers variable here instead of the oldPeers variable - // in case another EndpointSlice is updated before this one - netPol.spec!.egress![0].to = apiServerPeers; + let updateRequired = false; + // Handle egress policies + if (netPol.spec.egress) { + if (!netPol.spec.egress[0]) { + netPol.spec.egress[0] = { to: [] }; + } + const oldPeers = netPol.spec.egress[0].to; + if (!R.equals(oldPeers, newPeers)) { + updateRequired = true; + netPol.spec.egress[0].to = newPeers; + } + // Handle ingress policies + } else if (netPol.spec.ingress) { + if (!netPol.spec.ingress[0]) { + netPol.spec.ingress[0] = { from: [] }; + } + const oldPeers = netPol.spec.ingress[0].from; + if (!R.equals(oldPeers, newPeers)) { + updateRequired = true; + netPol.spec.ingress[0].from = newPeers; + } + } - log.debug(`Updating ${netPol.metadata!.namespace}/${netPol.metadata!.name}`); - await K8s(kind.NetworkPolicy).Apply(netPol); + // If the policy required a change, apply the new policy + if (updateRequired) { + if (netPol.metadata) { + // Remove managed fields to prevent errors on server side apply + netPol.metadata.managedFields = undefined; + } + + log.debug( + `Updating KubeAPI NetworkPolicy ${netPol.metadata!.namespace}/${netPol.metadata!.name} with new CIDRs.`, + ); + try { + await K8s(kind.NetworkPolicy).Apply(netPol, { force: true }); + } catch (err) { + let message = err.data?.message || "Unknown error while applying 
KubeAPI network policies"; + if (UDSConfig.kubeApiCidr) { + message += + ", ensure that the KUBEAPI_CIDR override configured for the operator is correct."; + } + throw new Error(message); } } } } + +/** + * Fetches the Kubernetes Service object for the API server. + * + * @returns {Promise} - The Service object. + */ +async function fetchKubernetesService(): Promise { + return K8s(kind.Service).InNamespace("default").Get("kubernetes"); +} + +/** + * Fetches the Kubernetes EndpointSlice object for the API server. + * + * @returns {Promise} - The EndpointSlice object. + */ +async function fetchKubernetesEndpointSlice(): Promise { + return K8s(kind.EndpointSlice).InNamespace("default").Get("kubernetes"); +} diff --git a/src/pepr/operator/controllers/network/policies.ts b/src/pepr/operator/controllers/network/policies.ts index 24a53cc88..e24ffc434 100644 --- a/src/pepr/operator/controllers/network/policies.ts +++ b/src/pepr/operator/controllers/network/policies.ts @@ -5,8 +5,9 @@ import { K8s, kind } from "pepr"; +import { UDSConfig } from "../../../config"; import { Component, setupLogger } from "../../../logger"; -import { Allow, Direction, Gateway, UDSPackage } from "../../crd"; +import { Allow, Direction, Gateway, RemoteGenerated, UDSPackage } from "../../crd"; import { getOwnerRef, purgeOrphans, sanitizeResourceName } from "../utils"; import { allowEgressDNS } from "./defaults/allow-egress-dns"; import { allowEgressIstiod } from "./defaults/allow-egress-istiod"; 
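Review bot: In `updateAPIServerCIDR` the `typeof slice === "string"` branch pushes the configured value into `peers` unchecked, so a malformed `KUBEAPI_CIDR` only fails later at Apply, and a syntactically valid but much wider range than the API server's addresses silently widens every KubeAPI policy; an `address/prefix` shape check with a clear error, plus logging the resulting peers when the static path is taken, would make that auditable. In `updateKubeAPINetworkPolicies` the `throw new Error(message)` inside the `for` loop abandons the remaining policies, so after one failed Apply the others keep stale peers until the next Service or EndpointSlice event; collecting failures and throwing once after the loop keeps the policy set consistent, as sketched below. The `if (netPol.spec.egress) ... else if (netPol.spec.ingress)` chain updates only egress on a policy carrying both sections — harmless if generated policies are always single-direction, but `} else if (netPol.spec.ingress) {` could simply become two independent `if`s. Finally `peers.flatMap(cidr => ({ ipBlock: { cidr } }))` returns one object per element, so `map` says what is meant.
```typescript
export async function updateKubeAPINetworkPolicies(newPeers: V1NetworkPolicyPeer[]) {
  // … unchanged: list policies by label …
  const failures: string[] = [];
  for (const netPol of netPols.items) {
    // … unchanged: spec check, egress/ingress peer comparison, updateRequired …
    if (updateRequired) {
      // … unchanged: managedFields reset, debug log …
      try {
        await K8s(kind.NetworkPolicy).Apply(netPol, { force: true });
      } catch (err) {
        failures.push(
          `${netPol.metadata!.namespace}/${netPol.metadata!.name}: ${err.data?.message || "unknown error"}`,
        );
      }
    }
  }
  if (failures.length) {
    let message = `Failed to apply KubeAPI network policies: ${failures.join("; ")}`;
    if (UDSConfig.kubeApiCidr) {
      message += ", ensure that the KUBEAPI_CIDR override configured for the operator is correct.";
    }
    throw new Error(message);
  }
}
```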
@@ -148,7 +149,19 @@ export async function networkPolicies(pkg: UDSPackage, namespace: string) { policy.metadata.ownerReferences = getOwnerRef(pkg); // Apply the NetworkPolicy and force overwrite any existing policy - await K8s(kind.NetworkPolicy).Apply(policy, { force: true }); + try { + await K8s(kind.NetworkPolicy).Apply(policy, { force: true }); + } catch (err) { + let message = err.data?.message || "Unknown error while applying network policies"; + if ( + UDSConfig.kubeApiCidr && + policy.metadata.labels["uds/generated"] === RemoteGenerated.KubeAPI + ) { + message += + ", ensure that the KUBEAPI_CIDR override configured for the operator is correct."; + } + throw new Error(message); + } } await purgeOrphans(generation, namespace, pkgName, kind.NetworkPolicy, log); diff --git a/src/pepr/operator/controllers/utils.ts b/src/pepr/operator/controllers/utils.ts index 9b8adf647..25d740199 100644 --- a/src/pepr/operator/controllers/utils.ts +++ b/src/pepr/operator/controllers/utils.ts 
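Review bot: The catch block builds the same message as the one in `updateKubeAPINetworkPolicies` and rethrows `new Error(message)`, which drops the original error's status and stack; two copies of the `KUBEAPI_CIDR` hint logic will drift, so a small helper in utils taking the error and an `isKubeApiPolicy` boolean would keep them in one place, and the original can be preserved with `throw new Error(message, { cause: err })` if the compile target allows it. `policy.metadata.labels["uds/generated"]` assumes `labels` is always set on a generated policy, which holds if generate.ts initialises it, but `policy.metadata.labels?.["uds/generated"]` costs nothing. networkPolicies continues outside the hunk on both sides.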
@@ -73,3 +73,45 @@ export async function purgeOrphans(
 }
 }
 }
+
+/**
+ * Lightweight retry helper with a delay between attempts.
+ *
+ * @param {() => Promise} fn - The async function to retry.
+ * @param {Logger} log - Logger instance for logging debug messages.
+ * @param {number} retries - Number of retry attempts.
+ * @param {number} delayMs - Delay in milliseconds between attempts.
+ * @returns {Promise} - The result of the function if successful.
+ * @throws {Error} - Throws an error after exhausting retries.
+ */
+export async function retryWithDelay(
+ fn: () => Promise,
+ log: Logger,
+ retries = 5,
+ delayMs = 2000,
+): Promise {
+ let attempt = 0;
+ while (attempt < retries) {
+ try {
+ return await fn();
+ } catch (err) {
+ attempt++;
+ if (attempt >= retries) {
+ throw err; // Exceeded retries, rethrow the error.
+ }
+ let error = `${JSON.stringify(err)}`;
+ // Error responses from network calls (i.e. K8s().Get() will be this shape)
+ if (err.data?.message) {
+ error = err.data.message;
+ // Other error types have a message
+ } else if (err.message) {
+ error = err.message;
+ }
+ log.warn(`Attempt ${attempt} of ${fn.name} failed, retrying in ${delayMs}ms.`, { error });
+ await new Promise(resolve => setTimeout(resolve, delayMs));
+ }
+ }
+
+ // This line should never be reached, but TypeScript wants it for safety.
+ throw new Error("Retry loop exited unexpectedly without returning.");
+}
diff --git a/src/pepr/operator/crd/validators/package-validator.spec.ts b/src/pepr/operator/crd/validators/package-validator.spec.ts
index 379e16e74..7ab0c8963 100644
--- a/src/pepr/operator/crd/validators/package-validator.spec.ts
+++ b/src/pepr/operator/crd/validators/package-validator.spec.ts
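Review bot: With `retries` at 0 or below the `while` loop never runs and the caller gets the misleading `Retry loop exited unexpectedly` error instead of an argument error; a guard at the top, `if (retries < 1) throw new Error("retries must be at least 1");`, makes the contract explicit. `${fn.name}` in the warning is empty for the inline arrow passed in client-sync.ts, so that line reads `Attempt 1 of  failed`; an optional label parameter, or a JSDoc note that callers should pass a named function, would fix it. The defaults (5 attempts, fixed 2000 ms delay) let one call block a Pepr reconcile for roughly 8 s before failing, which belongs in the JSDoc, and `log: Logger` relies on a `Logger` type imported above the hunk, outside this view.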
@@ -524,6 +524,8 @@ describe("Test Allowed SSO Client Attributes", () => {
 "oauth2.device.authorization.grant.enabled": "true",
 "pkce.code.challenge.method": "S256",
 "client.session.idle.timeout": "3600",
+ "client.session.max.lifespan": "36000",
+ "access.token.lifespan": "60",
 "saml.assertion.signature": "false",
 "saml.client.signature": "false",
 saml_assertion_consumer_url_post: "https://nexus.uds.dev/saml",
diff --git a/src/pepr/operator/crd/validators/package-validator.ts b/src/pepr/operator/crd/validators/package-validator.ts
index bc04e810a..985dba8a4 100644
--- a/src/pepr/operator/crd/validators/package-validator.ts
+++ b/src/pepr/operator/crd/validators/package-validator.ts
@@ -119,6 +119,8 @@ export async function validator(req: PeprValidateRequest) {
 "oauth2.device.authorization.grant.enabled",
 "pkce.code.challenge.method",
 "client.session.idle.timeout",
+ "client.session.max.lifespan",
+ "access.token.lifespan",
 "saml.assertion.signature",
 "saml.client.signature",
 "saml_assertion_consumer_url_post",
diff --git a/src/pepr/operator/index.ts b/src/pepr/operator/index.ts
index 9f34252cf..1e8882cb1 100644
--- a/src/pepr/operator/index.ts
+++ b/src/pepr/operator/index.ts
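Review bot: Adding `client.session.max.lifespan` and `access.token.lifespan` to the allowed SSO client attributes lets any UDS Package set these Keycloak timeouts for its own client, and this list appears to check only the key, not the value, so a package could lengthen its access-token lifetime well beyond the realm default. If that is acceptable it should be stated next to the list, e.g. `// Lifespan values are not bounded here; realm policy and package review are the only controls`; otherwise a maximum (in seconds) enforced in the validator would keep the realm's token policy authoritative. The spec hunk above only adds the keys to the accepted fixture and does not cover a rejection case for an out-of-range value.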
@@ -31,14 +31,19 @@ const log = setupLogger(Component.OPERATOR); // Pre-populate the API server CIDR since we are not persisting the EndpointSlice // Note ignore any errors since the watch will still be running hereafter -void initAPIServerCIDR(); +if (process.env.PEPR_WATCH_MODE === "true" || process.env.PEPR_MODE === "dev") { + void initAPIServerCIDR(); +} // Watch for changes to the API server EndpointSlice and update the API server CIDR -When(a.EndpointSlice) - .IsCreatedOrUpdated() - .InNamespace("default") - .WithName("kubernetes") - .Reconcile(updateAPIServerCIDRFromEndpointSlice); +// Skip if a CIDR is defined in the UDS Config +if (!UDSConfig.kubeApiCidr) { + When(a.EndpointSlice) + .IsCreatedOrUpdated() + .InNamespace("default") + .WithName("kubernetes") + .Reconcile(updateAPIServerCIDRFromEndpointSlice); +} // Watch for changes to the API server Service and update the API server CIDR When(a.Service) diff --git a/src/pepr/uds-operator-config/values.yaml b/src/pepr/uds-operator-config/values.yaml index 76fbdd8ca..dfd236a58 100644 --- a/src/pepr/uds-operator-config/values.yaml +++ b/src/pepr/uds-operator-config/values.yaml @@ -7,6 +7,7 @@ operator: UDS_ALLOW_ALL_NS_EXEMPTIONS: "###ZARF_VAR_ALLOW_ALL_NS_EXEMPTIONS###" UDS_LOG_LEVEL: "###ZARF_VAR_UDS_LOG_LEVEL###" AUTHSERVICE_REDIS_URI: "###ZARF_VAR_AUTHSERVICE_REDIS_URI###" + KUBEAPI_CIDR: "" # Allow Pepr watch to be configurable to react to dropped connections faster PEPR_LAST_SEEN_LIMIT_SECONDS: "300" # Allow Pepr to re-list resources more frequently to avoid missing resources diff --git a/src/vector/common/zarf.yaml b/src/vector/common/zarf.yaml index 42099f884..9054977fb 100644 --- a/src/vector/common/zarf.yaml +++ b/src/vector/common/zarf.yaml 
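Review bot: Gating `initAPIServerCIDR()` on `PEPR_WATCH_MODE`/`PEPR_MODE` means the admission-controller instance never populates `apiServerPeers`, so any call to `kubeAPI()` in that instance returns the `0.0.0.0/0` fallback the generator documents; this is fine only if KubeAPI policies are generated exclusively in the watch instance, which is worth confirming and recording, e.g. `// Only the watcher (or dev mode) resolves the API server CIDR; admission never generates KubeAPI policies`. The existing comment `Note ignore any errors since the watch will still be running hereafter` is now partly stale: when `UDSConfig.kubeApiCidr` is set the EndpointSlice watch below is not registered, so a failed init is only retried by the Service watch. The two `process.env` reads could also go through `UDSConfig`, as `kubeApiCidr` does, rather than being consulted inline here.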
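Review bot: `KUBEAPI_CIDR: ""` carries no comment on purpose or format, while the operator treats any non-empty value as the verbatim CIDR for KubeAPI network policies and skips EndpointSlice discovery. A line above it such as `# Optional static CIDR (address/prefix) for the Kubernetes API server; leave empty to discover it from the EndpointSlice` tells whoever sets the override what it changes. The neighbouring keys are Zarf-templated (`###ZARF_VAR_...###`) while this one is a fixed empty string, so it can only be changed by editing the chart values rather than through a package variable — if that is deliberate, say so.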
@@ -17,19 +17,13 @@ components: localPath: ../chart - name: vector url: https://helm.vector.dev - version: 0.37.0 + version: 0.38.0 namespace: vector gitPath: charts/vector valuesFiles: - ../values/values.yaml actions: onDeploy: - before: - - description: Remove Promtail Components if necessary - mute: true - cmd: | - ./zarf package remove core --components promtail --confirm || true # Ensure this doesn't error on installs and upgrades when Promtail no longer exists - ./zarf tools kubectl delete ns promtail || true # Ensure this doesn't error on installs and upgrades when Promtail no longer exists after: - description: Validate Vector Package maxTotalSeconds: 300 diff --git a/src/vector/values/registry1-values.yaml b/src/vector/values/registry1-values.yaml index 9ed0ad13d..853dae383 100644 --- a/src/vector/values/registry1-values.yaml +++ b/src/vector/values/registry1-values.yaml @@ -3,4 +3,4 @@ image: repository: registry1.dso.mil/ironbank/opensource/timberio/vector - tag: 0.42.0 + tag: 0.43.0 diff --git a/src/vector/values/unicorn-values.yaml b/src/vector/values/unicorn-values.yaml index 3bdd63147..0eab8840e 100644 --- a/src/vector/values/unicorn-values.yaml +++ b/src/vector/values/unicorn-values.yaml @@ -3,4 +3,4 @@ image: repository: cgr.dev/du-uds-defenseunicorns/vector - tag: 0.42.0 + tag: 0.43.0 diff --git a/src/vector/values/upstream-values.yaml b/src/vector/values/upstream-values.yaml index 4e1484193..ef60525bd 100644 --- a/src/vector/values/upstream-values.yaml +++ b/src/vector/values/upstream-values.yaml @@ -3,4 +3,4 @@ image: repository: timberio/vector - tag: 0.42.0-distroless-static + tag: 0.43.0-distroless-static diff --git a/src/vector/zarf.yaml b/src/vector/zarf.yaml index f752e0c54..60b0db831 100644 --- a/src/vector/zarf.yaml +++ b/src/vector/zarf.yaml 
@@ -20,7 +20,7 @@ components: valuesFiles: - values/upstream-values.yaml images: - - timberio/vector:0.42.0-distroless-static + - timberio/vector:0.43.0-distroless-static - name: vector required: true @@ -34,7 +34,7 @@ components: valuesFiles: - values/registry1-values.yaml images: - - registry1.dso.mil/ironbank/opensource/timberio/vector:0.42.0 + - registry1.dso.mil/ironbank/opensource/timberio/vector:0.43.0 - name: vector required: true @@ -48,4 +48,4 @@ components: valuesFiles: - values/unicorn-values.yaml images: - - cgr.dev/du-uds-defenseunicorns/vector:0.42.0 + - cgr.dev/du-uds-defenseunicorns/vector:0.43.0 diff --git a/src/velero/values/unicorn-values.yaml b/src/velero/values/unicorn-values.yaml index 0e84c262f..36ca2ace3 100644 --- a/src/velero/values/unicorn-values.yaml +++ b/src/velero/values/unicorn-values.yaml @@ -8,7 +8,7 @@ image: kubectl: image: repository: cgr.dev/du-uds-defenseunicorns/kubectl-fips - tag: 1.31.3-dev + tag: 1.31.4-dev initContainers: - name: velero-plugin-for-aws diff --git a/src/velero/values/upstream-values.yaml b/src/velero/values/upstream-values.yaml index 617d7f94f..9626b161f 100644 --- a/src/velero/values/upstream-values.yaml +++ b/src/velero/values/upstream-values.yaml @@ -8,7 +8,7 @@ image: kubectl: image: repository: docker.io/bitnami/kubectl - tag: 1.31.3 + tag: 1.31.4 initContainers: - name: velero-plugin-for-aws diff --git a/src/velero/zarf.yaml b/src/velero/zarf.yaml index 661ea46d4..0366a6a03 100644 --- a/src/velero/zarf.yaml +++ b/src/velero/zarf.yaml @@ -21,7 +21,7 @@ components: images: - velero/velero:v1.15.0 - velero/velero-plugin-for-aws:v1.11.0 - - docker.io/bitnami/kubectl:1.31.3 + - docker.io/bitnami/kubectl:1.31.4 - velero/velero-plugin-for-microsoft-azure:v1.11.0 - name: velero 
@@ -53,5 +53,5 @@ components:
       images:
         - cgr.dev/du-uds-defenseunicorns/velero-fips:1.15.0-dev
         - cgr.dev/du-uds-defenseunicorns/velero-plugin-for-aws-fips:1.11.0
-        - cgr.dev/du-uds-defenseunicorns/kubectl-fips:1.31.3-dev
+        - cgr.dev/du-uds-defenseunicorns/kubectl-fips:1.31.4-dev
         - velero/velero-plugin-for-microsoft-azure:v1.11.0
diff --git a/tasks.yaml b/tasks.yaml
index 5e9b388eb..ce2a6986c 100644
--- a/tasks.yaml
+++ b/tasks.yaml
@@ -40,7 +40,7 @@ tasks:
           echo "Next steps:"
           echo " - To test & develop the Pepr module, run 'npx pepr dev' from a Javascript debug terminal"
           echo " - Otherwise run 'npx pepr deploy' to deploy the Pepr module to the cluster"
-          echo " - Additional source packages can be deployed with 'zarf dev deploy src/'"
+          echo " - Additional source packages can be deployed with 'zarf dev deploy src/ --flavor upstream'"
 
   - name: slim-dev
     actions:
diff --git a/tasks/create.yaml b/tasks/create.yaml
index 081004f49..2d7b10b33 100644
--- a/tasks/create.yaml
+++ b/tasks/create.yaml
@@ -3,7 +3,7 @@
 
 includes:
-  - common: https://raw.githubusercontent.com/defenseunicorns/uds-common/v1.4.0/tasks/create.yaml
+  - common: https://raw.githubusercontent.com/defenseunicorns/uds-common/v1.5.0/tasks/create.yaml
 
 variables:
   - name: FLAVOR
@@ -11,7 +11,7 @@ variables:
 
   - name: REGISTRY1_PEPR_IMAGE
     # renovate: datasource=docker depName=registry1.dso.mil/ironbank/opensource/defenseunicorns/pepr/controller versioning=semver
-    default: registry1.dso.mil/ironbank/opensource/defenseunicorns/pepr/controller:v0.40.1
+    default: registry1.dso.mil/ironbank/opensource/defenseunicorns/pepr/controller:v0.42.0
 
   - name: LAYER
diff --git a/tasks/deploy.yaml b/tasks/deploy.yaml
index 14a7dcdb1..32cfc4767 100644
--- a/tasks/deploy.yaml
+++ b/tasks/deploy.yaml
@@ -9,7 +9,7 @@ variables:
   - name: VERSION
     description: "The version of the packages to deploy"
     # x-release-please-start-version
-    default: "0.32.0"
+    default: "0.32.1"
     # x-release-please-end
   - name: FLAVOR
     default: upstream
diff --git a/tasks/iac.yaml b/tasks/iac.yaml
index ffdfa78f8..e39087b07 100644
--- a/tasks/iac.yaml
+++ b/tasks/iac.yaml
@@ -22,7 +22,7 @@ tasks:
   - name: install-eksctl
     actions:
       - cmd: |
-          curl --silent --location "https://github.com/weaveworks/eksctl/releases/download/v0.196.0/eksctl_Linux_amd64.tar.gz" | tar xz -C /tmp
+          curl --silent --location "https://github.com/weaveworks/eksctl/releases/download/v0.197.0/eksctl_Linux_amd64.tar.gz" | tar xz -C /tmp
           sudo mv /tmp/eksctl /usr/local/bin
 
   - name: create-cluster
diff --git a/tasks/lint.yaml b/tasks/lint.yaml
index 2f0414c32..b699204c5 100644
--- a/tasks/lint.yaml
+++ b/tasks/lint.yaml
@@ -2,7 +2,7 @@
 # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial
 
 includes:
-  - remote: https://raw.githubusercontent.com/defenseunicorns/uds-common/v1.4.0/tasks/lint.yaml
+  - remote: https://raw.githubusercontent.com/defenseunicorns/uds-common/v1.5.0/tasks/lint.yaml
 
 tasks:
   - name: fix
diff --git a/tasks/publish.yaml b/tasks/publish.yaml
index 940ad1fe4..912f21411 100644
--- a/tasks/publish.yaml
+++ b/tasks/publish.yaml
@@ -14,7 +14,7 @@ variables:
   - name: VERSION
     description: "The version of the packages to build"
     # x-release-please-start-version
-    default: "0.32.0"
+    default: "0.32.1"
     # x-release-please-end
   - name: LAYER
diff --git a/tasks/setup.yaml b/tasks/setup.yaml
index b46670b75..db97ff52f 100644
--- a/tasks/setup.yaml
+++ b/tasks/setup.yaml
@@ -15,4 +15,4 @@ tasks:
       - description: "Initialize the cluster with Zarf"
         # renovate: datasource=github-tags depName=zarf-dev/zarf versioning=semver
-        cmd: "uds zarf package deploy oci://ghcr.io/zarf-dev/packages/init:v0.43.1 --confirm --no-progress"
+        cmd: "uds zarf package deploy oci://ghcr.io/zarf-dev/packages/init:v0.44.0 --confirm --no-progress"
diff --git a/tasks/test.yaml b/tasks/test.yaml
index 5eef35a1a..f9dc8c918 100644
--- a/tasks/test.yaml
+++ b/tasks/test.yaml
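Review bot: The bumped `curl ... | tar xz -C /tmp` line in the `install-eksctl` task still installs a binary into `/usr/local/bin` with `sudo` without verifying what was downloaded, so the pin is on a release tag that the publisher can re-point rather than on the artifact itself, and `curl --silent --location` without `--fail` would hand an HTTP error body to tar. Downloading to a file and checking it before extraction closes both gaps: `curl --silent --location --fail "<RELEASE_URL>" -o /tmp/eksctl.tar.gz && echo "<EXPECTED_SHA256>  /tmp/eksctl.tar.gz" | sha256sum -c -`, then `tar xz -C /tmp -f /tmp/eksctl.tar.gz`, where `<EXPECTED_SHA256>` is a placeholder for the digest from the checksum file published with that release and is updated together with the version. The `install-eksctl` task is fully inside the hunk.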
@@ -9,7 +9,7 @@ includes:
   - base-layer: ../packages/base/tasks.yaml
   - idam-layer: ../packages/identity-authorization/tasks.yaml
   - common-setup: https://raw.githubusercontent.com/defenseunicorns/uds-common/refs/tags/v0.13.1/tasks/setup.yaml
-  - compliance: https://raw.githubusercontent.com/defenseunicorns/uds-common/v1.4.0/tasks/compliance.yaml
+  - compliance: https://raw.githubusercontent.com/defenseunicorns/uds-common/v1.5.0/tasks/compliance.yaml
 
 tasks:
   - name: base
@@ -67,7 +67,7 @@ tasks:
         dir: test/playwright
         cmd: |
           # renovate: datasource=docker depName=mcr.microsoft.com/playwright versioning=docker
-          docker run --rm --ipc=host --net=host -e FULL_CORE="true" --mount type=bind,source="$(pwd)",target=/app mcr.microsoft.com/playwright:v1.49.0-noble sh -c " \
+          docker run --rm --ipc=host --net=host -e FULL_CORE="true" --mount type=bind,source="$(pwd)",target=/app mcr.microsoft.com/playwright:v1.49.1-noble sh -c " \
             cd app && \
             npm ci && \
             npx playwright test \
diff --git a/test/jest/package-lock.json b/test/jest/package-lock.json
index 3ca064f71..8ec1d2b4a 100644
--- a/test/jest/package-lock.json
+++ b/test/jest/package-lock.json
@@ -3267,9 +3267,9 @@
       }
     },
     "node_modules/kubernetes-fluent-client": {
-      "version": "3.3.4",
-      "resolved": "https://registry.npmjs.org/kubernetes-fluent-client/-/kubernetes-fluent-client-3.3.4.tgz",
-      "integrity": "sha512-PQc6ZfdkTXVIoIXxN9Gkh8lpyDfw0CjecYrLzR5atinhnaWXD9FKZaay87XsKR2tdyryEVJHv1MsQtgCXaxMtA==",
+      "version": "3.3.7",
+      "resolved": "https://registry.npmjs.org/kubernetes-fluent-client/-/kubernetes-fluent-client-3.3.7.tgz",
+      "integrity": "sha512-KBgt2tQ76CfrDd8aig1xrCIcazztARdTYsqHH1//DctbUEB++2yz+KYR9CYBisSySDS625e86MVfxIB63R77hw==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
@@ -3278,8 +3278,8 @@
         "http-status-codes": "2.3.0",
         "node-fetch": "2.7.0",
         "quicktype-core": "23.0.170",
-        "type-fest": "4.27.0",
-        "undici": "6.21.0",
+        "type-fest": "4.30.0",
+        "undici": "7.1.0",
         "yargs": "17.7.2"
       },
       "bin": {
@@ -3290,9 +3290,9 @@
       }
     },
     "node_modules/kubernetes-fluent-client/node_modules/type-fest": {
-      "version": "4.27.0",
-      "resolved": "https://registry.npmjs.org/type-fest/-/type-fest-4.27.0.tgz",
-      "integrity": "sha512-3IMSWgP7C5KSQqmo1wjhKrwsvXAtF33jO3QY+Uy++ia7hqvgSK6iXbbg5PbDBc1P2ZbNEDgejOrN4YooXvhwCw==",
+      "version": "4.30.0",
+      "resolved": "https://registry.npmjs.org/type-fest/-/type-fest-4.30.0.tgz",
+      "integrity": "sha512-G6zXWS1dLj6eagy6sVhOMQiLtJdxQBHIA9Z6HFUNLOlr6MFOgzV8wvmidtPONfPtEUv0uZsy77XJNzTAfwPDaA==",
       "dev": true,
       "license": "(MIT OR CC0-1.0)",
       "engines": {
@@ -4528,13 +4528,13 @@
       }
     },
     "node_modules/undici": {
-      "version": "6.21.0",
-      "resolved": "https://registry.npmjs.org/undici/-/undici-6.21.0.tgz",
-      "integrity": "sha512-BUgJXc752Kou3oOIuU1i+yZZypyZRqNPW0vqoMPl8VaoalSfeR0D8/t4iAS3yirs79SSMTxTag+ZC86uswv+Cw==",
+      "version": "7.1.0",
+      "resolved": "https://registry.npmjs.org/undici/-/undici-7.1.0.tgz",
+      "integrity": "sha512-3+mdX2R31khuLCm2mKExSlMdJsfol7bJkIMH80tdXA74W34rT1jKemUTlYR7WY3TqsV4wfOgpatWmmB2Jl1+5g==",
       "dev": true,
       "license": "MIT",
       "engines": {
-        "node": ">=18.17"
+        "node": ">=20.18.1"
       }
     },
     "node_modules/undici-types": {
diff --git a/test/playwright/package-lock.json b/test/playwright/package-lock.json
index 66310e7fa..631090ef0 100644
--- a/test/playwright/package-lock.json
+++ b/test/playwright/package-lock.json
@@ -12,13 +12,13 @@
       }
     },
     "node_modules/@playwright/test": {
-      "version": "1.49.0",
-      "resolved": "https://registry.npmjs.org/@playwright/test/-/test-1.49.0.tgz",
-      "integrity": "sha512-DMulbwQURa8rNIQrf94+jPJQ4FmOVdpE5ZppRNvWVjvhC+6sOeo28r8MgIpQRYouXRtt/FCCXU7zn20jnHR4Qw==",
+      "version": "1.49.1",
+      "resolved": "https://registry.npmjs.org/@playwright/test/-/test-1.49.1.tgz",
+      "integrity": "sha512-Ky+BVzPz8pL6PQxHqNRW1k3mIyv933LML7HktS8uik0bUXNCdPhoS/kLihiO1tMf/egaJb4IutXd7UywvXEW+g==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
-        "playwright": "1.49.0"
+        "playwright": "1.49.1"
       },
       "bin": {
         "playwright": "cli.js"
@@ -52,13 +52,13 @@
       }
     },
     "node_modules/playwright": {
-      "version": "1.49.0",
-      "resolved": "https://registry.npmjs.org/playwright/-/playwright-1.49.0.tgz",
-      "integrity": "sha512-eKpmys0UFDnfNb3vfsf8Vx2LEOtflgRebl0Im2eQQnYMA4Aqd+Zw8bEOB+7ZKvN76901mRnqdsiOGKxzVTbi7A==",
+      "version": "1.49.1",
+      "resolved": "https://registry.npmjs.org/playwright/-/playwright-1.49.1.tgz",
+      "integrity": "sha512-VYL8zLoNTBxVOrJBbDuRgDWa3i+mfQgDTrL8Ah9QXZ7ax4Dsj0MSq5bYgytRnDVVe+njoKnfsYkH3HzqVj5UZA==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
-        "playwright-core": "1.49.0"
+        "playwright-core": "1.49.1"
       },
       "bin": {
         "playwright": "cli.js"
@@ -71,9 +71,9 @@
       }
     },
     "node_modules/playwright-core": {
-      "version": "1.49.0",
-      "resolved": "https://registry.npmjs.org/playwright-core/-/playwright-core-1.49.0.tgz",
-      "integrity": "sha512-R+3KKTQF3npy5GTiKH/T+kdhoJfJojjHESR1YEWhYuEKRVfVaxH3+4+GvXE5xyCngCxhxnykk0Vlah9v8fs3jA==",
+      "version": "1.49.1",
+      "resolved": "https://registry.npmjs.org/playwright-core/-/playwright-core-1.49.1.tgz",
+      "integrity": "sha512-BzmpVcs4kE2CH15rWfzpjzVGhWERJfmnXmniSyKeRZUs9Ws65m+RGIi7mjJK/euCegfn3i7jvqWeWyHe9y3Vgg==",
       "dev": true,
       "license": "Apache-2.0",
       "bin": {