From abab71919c6c268c59426a6ccca92622f80c2d6f Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 3 Dec 2024 14:40:02 -0700 Subject: [PATCH 01/21] chore(deps): update support-deps (#1056) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This PR contains the following updates: | Package | Type | Update | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---|---|---| | aws | required_provider | minor | `~> 5.78.0` -> `~> 5.79.0` | [![age](https://developer.mend.io/api/mc/badges/age/terraform-provider/hashicorp%2faws/5.79.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/terraform-provider/hashicorp%2faws/5.79.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/terraform-provider/hashicorp%2faws/5.78.0/5.79.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/terraform-provider/hashicorp%2faws/5.78.0/5.79.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | | [defenseunicorns/uds-cli](https://redirect.github.com/defenseunicorns/uds-cli) | | patch | `0.19.0` -> `0.19.2` | [![age](https://developer.mend.io/api/mc/badges/age/github-tags/defenseunicorns%2fuds-cli/0.19.2?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/github-tags/defenseunicorns%2fuds-cli/0.19.2?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/github-tags/defenseunicorns%2fuds-cli/0.19.0/0.19.2?slim=true)](https://docs.renovatebot.com/merge-confidence/) | 
[![confidence](https://developer.mend.io/api/mc/badges/confidence/github-tags/defenseunicorns%2fuds-cli/0.19.0/0.19.2?slim=true)](https://docs.renovatebot.com/merge-confidence/) | | [defenseunicorns/uds-cli](https://redirect.github.com/defenseunicorns/uds-cli) | | patch | `v0.19.0` -> `v0.19.2` | [![age](https://developer.mend.io/api/mc/badges/age/github-tags/defenseunicorns%2fuds-cli/v0.19.2?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/github-tags/defenseunicorns%2fuds-cli/v0.19.2?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/github-tags/defenseunicorns%2fuds-cli/v0.19.0/v0.19.2?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/github-tags/defenseunicorns%2fuds-cli/v0.19.0/v0.19.2?slim=true)](https://docs.renovatebot.com/merge-confidence/) | | [github/codeql-action](https://redirect.github.com/github/codeql-action) | action | patch | `v3.27.5` -> `v3.27.6` | [![age](https://developer.mend.io/api/mc/badges/age/github-tags/github%2fcodeql-action/v3.27.6?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/github-tags/github%2fcodeql-action/v3.27.6?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/github-tags/github%2fcodeql-action/v3.27.5/v3.27.6?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/github-tags/github%2fcodeql-action/v3.27.5/v3.27.6?slim=true)](https://docs.renovatebot.com/merge-confidence/) | | [kubernetes-fluent-client](https://redirect.github.com/defenseunicorns/kubernetes-fluent-client) | devDependencies | patch | [`3.3.4` -> 
`3.3.6`](https://renovatebot.com/diffs/npm/kubernetes-fluent-client/3.3.4/3.3.6) | [![age](https://developer.mend.io/api/mc/badges/age/npm/kubernetes-fluent-client/3.3.6?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/kubernetes-fluent-client/3.3.6?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/kubernetes-fluent-client/3.3.4/3.3.6?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/kubernetes-fluent-client/3.3.4/3.3.6?slim=true)](https://docs.renovatebot.com/merge-confidence/) | | [weaveworks/eksctl](https://redirect.github.com/weaveworks/eksctl) | | minor | `v0.196.0` -> `v0.197.0` | [![age](https://developer.mend.io/api/mc/badges/age/github-tags/weaveworks%2feksctl/v0.197.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/github-tags/weaveworks%2feksctl/v0.197.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/github-tags/weaveworks%2feksctl/v0.196.0/v0.197.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/github-tags/weaveworks%2feksctl/v0.196.0/v0.197.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | --- ### Release Notes
defenseunicorns/uds-cli (defenseunicorns/uds-cli) ### [`v0.19.2`](https://redirect.github.com/defenseunicorns/uds-cli/compare/v0.19.1...v0.19.2) [Compare Source](https://redirect.github.com/defenseunicorns/uds-cli/compare/v0.19.1...v0.19.2) ### [`v0.19.1`](https://redirect.github.com/defenseunicorns/uds-cli/compare/v0.19.0...v0.19.1) [Compare Source](https://redirect.github.com/defenseunicorns/uds-cli/compare/v0.19.0...v0.19.1)
github/codeql-action (github/codeql-action) ### [`v3.27.6`](https://redirect.github.com/github/codeql-action/compare/v3.27.5...v3.27.6) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.27.5...v3.27.6)
defenseunicorns/kubernetes-fluent-client (kubernetes-fluent-client) ### [`v3.3.6`](https://redirect.github.com/defenseunicorns/kubernetes-fluent-client/releases/tag/v3.3.6) [Compare Source](https://redirect.github.com/defenseunicorns/kubernetes-fluent-client/compare/v3.3.5...v3.3.6) ##### Bug Fixes - override transitive test dep f/ high vuln (cross-spawn) ([#​496](https://redirect.github.com/defenseunicorns/kubernetes-fluent-client/issues/496)) ([dfd6068](https://redirect.github.com/defenseunicorns/kubernetes-fluent-client/commit/dfd6068cc498568ec59dcaeacc94ff5a3968789c)) ### [`v3.3.5`](https://redirect.github.com/defenseunicorns/kubernetes-fluent-client/releases/tag/v3.3.5) [Compare Source](https://redirect.github.com/defenseunicorns/kubernetes-fluent-client/compare/v3.3.4...v3.3.5) ##### Bug Fixes - remove use undici for fetch function ([#​470](https://redirect.github.com/defenseunicorns/kubernetes-fluent-client/issues/470)) ([015e9e5](https://redirect.github.com/defenseunicorns/kubernetes-fluent-client/commit/015e9e5056ab6680cc4d6044c83a9b7ec82906b2)), closes [#​459](https://redirect.github.com/defenseunicorns/kubernetes-fluent-client/issues/459)
weaveworks/eksctl (weaveworks/eksctl) ### [`v0.197.0`](https://redirect.github.com/eksctl-io/eksctl/releases/tag/v0.197.0): eksctl 0.197.0 [Compare Source](https://redirect.github.com/weaveworks/eksctl/compare/0.197.0-rc.0...0.197.0-rc.0) ### Release v0.197.0 #### 🐛 Bug Fixes - Add IAM capability if a custom IAM role is provided for Auto Mode ([#8071](https://redirect.github.com/weaveworks/eksctl/issues/8071)) #### 📝 Documentation - Cleanup Hybrid Nodes docs ([#8072](https://redirect.github.com/weaveworks/eksctl/issues/8072)) #### Acknowledgments The eksctl maintainers would like to sincerely thank [@geoffcline](https://redirect.github.com/geoffcline). ### [`v0.197.0`](https://redirect.github.com/eksctl-io/eksctl/releases/tag/v0.197.0): eksctl 0.197.0 [Compare Source](https://redirect.github.com/weaveworks/eksctl/compare/0.196.0-rc.0...0.197.0-rc.0) ##### Release v0.197.0 ##### 🐛 Bug Fixes - Add IAM capability if a custom IAM role is provided for Auto Mode ([#8071](https://redirect.github.com/weaveworks/eksctl/issues/8071)) ##### 📝 Documentation - Cleanup Hybrid Nodes docs ([#8072](https://redirect.github.com/weaveworks/eksctl/issues/8072)) ##### Acknowledgments The eksctl maintainers would like to sincerely thank [@geoffcline](https://redirect.github.com/geoffcline).
--- ### Configuration πŸ“… **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. β™» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. πŸ‘» **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/defenseunicorns/uds-core). Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- .github/actions/lint-check/action.yaml | 2 +- .github/actions/setup/action.yaml | 2 +- .github/test-infra/aws/rke2/versions.tf | 2 +- .github/workflows/scorecard.yaml | 2 +- .vscode/settings.json | 6 +++--- tasks/iac.yaml | 2 +- test/jest/package-lock.json | 24 ++++++++++++------------ 7 files changed, 20 insertions(+), 20 deletions(-) diff --git a/.github/actions/lint-check/action.yaml b/.github/actions/lint-check/action.yaml index 7d89b183e..c90c3e087 100644 --- a/.github/actions/lint-check/action.yaml +++ b/.github/actions/lint-check/action.yaml @@ -15,7 +15,7 @@ runs: uses: Homebrew/actions/setup-homebrew@master - name: Install UDS CLI # renovate: datasource=github-tags depName=defenseunicorns/uds-cli versioning=semver - run: brew install defenseunicorns/tap/uds@0.19.0 + run: brew install defenseunicorns/tap/uds@0.19.2 shell: bash - name: Run Formatting Checks run: uds run lint-check --no-progress diff --git a/.github/actions/setup/action.yaml b/.github/actions/setup/action.yaml index a13d9e92b..8480c49e6 100644 --- a/.github/actions/setup/action.yaml +++ b/.github/actions/setup/action.yaml 
@@ -35,7 +35,7 @@ runs: uses: defenseunicorns/setup-uds@b987a32bac3baeb67bfb08f5e1544e2f9076ee8a # v1.0.0 with: # renovate: datasource=github-tags depName=defenseunicorns/uds-cli versioning=semver - version: v0.19.0 + version: v0.19.2 - name: Install Lula uses: defenseunicorns/lula-action/setup@badad8c4b1570095f57e66ffd62664847698a3b9 # v0.0.1 diff --git a/.github/test-infra/aws/rke2/versions.tf b/.github/test-infra/aws/rke2/versions.tf index 1855baec6..9d1a0d91e 100644 --- a/.github/test-infra/aws/rke2/versions.tf +++ b/.github/test-infra/aws/rke2/versions.tf @@ -6,7 +6,7 @@ terraform { } required_providers { aws = { - version = "~> 5.78.0" + version = "~> 5.79.0" } random = { version = "~> 3.6.0" diff --git a/.github/workflows/scorecard.yaml b/.github/workflows/scorecard.yaml index 386d7aa87..6ca54bce6 100644 --- a/.github/workflows/scorecard.yaml +++ b/.github/workflows/scorecard.yaml @@ -47,6 +47,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: Upload to code-scanning - uses: github/codeql-action/upload-sarif@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # v3.27.5 + uses: github/codeql-action/upload-sarif@aa578102511db1f4524ed59b8cc2bae4f6e88195 # v3.27.6 with: sarif_file: results.sarif diff --git a/.vscode/settings.json b/.vscode/settings.json index 19fe09b5b..cc57ac8b4 100644 --- a/.vscode/settings.json +++ b/.vscode/settings.json 
@@ -9,17 +9,17 @@ }, "yaml.schemas": { // renovate: datasource=github-tags depName=defenseunicorns/uds-cli versioning=semver - "https://raw.githubusercontent.com/defenseunicorns/uds-cli/v0.19.0/uds.schema.json": [ + "https://raw.githubusercontent.com/defenseunicorns/uds-cli/v0.19.2/uds.schema.json": [ "uds-bundle.yaml" ], // renovate: datasource=github-tags depName=defenseunicorns/uds-cli versioning=semver - "https://raw.githubusercontent.com/defenseunicorns/uds-cli/v0.19.0/tasks.schema.json": [ + "https://raw.githubusercontent.com/defenseunicorns/uds-cli/v0.19.2/tasks.schema.json": [ "tasks.yaml", "tasks/**/*.yaml", "src/**/validate.yaml" ], // renovate: datasource=github-tags depName=defenseunicorns/uds-cli versioning=semver - "https://raw.githubusercontent.com/defenseunicorns/uds-cli/v0.19.0/zarf.schema.json": [ + "https://raw.githubusercontent.com/defenseunicorns/uds-cli/v0.19.2/zarf.schema.json": [ "zarf.yaml" ] }, diff --git a/tasks/iac.yaml b/tasks/iac.yaml index ffdfa78f8..e39087b07 100644 --- a/tasks/iac.yaml +++ b/tasks/iac.yaml @@ -22,7 +22,7 @@ tasks: - name: install-eksctl actions: - cmd: | - curl --silent --location "https://github.com/weaveworks/eksctl/releases/download/v0.196.0/eksctl_Linux_amd64.tar.gz" | tar xz -C /tmp + curl --silent --location "https://github.com/weaveworks/eksctl/releases/download/v0.197.0/eksctl_Linux_amd64.tar.gz" | tar xz -C /tmp sudo mv /tmp/eksctl /usr/local/bin - name: create-cluster diff --git a/test/jest/package-lock.json b/test/jest/package-lock.json index 3ca064f71..e691c8cb3 100644 --- a/test/jest/package-lock.json +++ b/test/jest/package-lock.json 
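Review bot: The `install-eksctl` command in `tasks/iac.yaml` installs the downloaded binary as root without verifying it: `curl` is piped straight into `tar xz -C /tmp` and the result is moved with `sudo mv /tmp/eksctl /usr/local/bin`, so a replaced or corrupted release asset would go unnoticed. Download to a file first and check it before extracting, for example `echo "<EXPECTED_SHA256>  /tmp/eksctl.tar.gz" | sha256sum --check -`, with the digest kept next to the version so both are bumped together. Adding `--fail` to the `curl` call would also keep an HTTP error body from being fed to `tar`. The URL still names `weaveworks/eksctl` while the release notes in this commit link to `eksctl-io/eksctl`, so the download appears to depend on a GitHub redirect; pointing it at the current repository would remove that dependency. The rest of the task file lies outside the hunk.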
@@ -3267,9 +3267,9 @@ } }, "node_modules/kubernetes-fluent-client": { - "version": "3.3.4", - "resolved": "https://registry.npmjs.org/kubernetes-fluent-client/-/kubernetes-fluent-client-3.3.4.tgz", - "integrity": "sha512-PQc6ZfdkTXVIoIXxN9Gkh8lpyDfw0CjecYrLzR5atinhnaWXD9FKZaay87XsKR2tdyryEVJHv1MsQtgCXaxMtA==", + "version": "3.3.6", + "resolved": "https://registry.npmjs.org/kubernetes-fluent-client/-/kubernetes-fluent-client-3.3.6.tgz", + "integrity": "sha512-da87A2Cvd4USOXWSlA+LwdE+ZeZEMFwcbtSjFmyXoAEUDhIf+EgcDBkTPKWf12R7blvvl6O3qGeOY2TgCHkcWw==", "dev": true, "license": "Apache-2.0", "dependencies": { @@ -3278,8 +3278,8 @@ "http-status-codes": "2.3.0", "node-fetch": "2.7.0", "quicktype-core": "23.0.170", - "type-fest": "4.27.0", - "undici": "6.21.0", + "type-fest": "4.29.1", + "undici": "7.0.0", "yargs": "17.7.2" }, "bin": { @@ -3290,9 +3290,9 @@ } }, "node_modules/kubernetes-fluent-client/node_modules/type-fest": { - "version": "4.27.0", - "resolved": "https://registry.npmjs.org/type-fest/-/type-fest-4.27.0.tgz", - "integrity": "sha512-3IMSWgP7C5KSQqmo1wjhKrwsvXAtF33jO3QY+Uy++ia7hqvgSK6iXbbg5PbDBc1P2ZbNEDgejOrN4YooXvhwCw==", + "version": "4.29.1", + "resolved": "https://registry.npmjs.org/type-fest/-/type-fest-4.29.1.tgz", + "integrity": "sha512-Y1zUveI92UYM/vo1EFlQSsNf74+hfKH+7saZJslF0Fw92FRaiTAnHPIvo9d7SLxXt/gAYqA4RXyDTioMQCCp0A==", "dev": true, "license": "(MIT OR CC0-1.0)", "engines": { 
@@ -4528,13 +4528,13 @@ } }, "node_modules/undici": { - "version": "6.21.0", - "resolved": "https://registry.npmjs.org/undici/-/undici-6.21.0.tgz", - "integrity": "sha512-BUgJXc752Kou3oOIuU1i+yZZypyZRqNPW0vqoMPl8VaoalSfeR0D8/t4iAS3yirs79SSMTxTag+ZC86uswv+Cw==", + "version": "7.0.0", + "resolved": "https://registry.npmjs.org/undici/-/undici-7.0.0.tgz", + "integrity": "sha512-c4xi3kWnQJrb7h2q8aJYKvUzmz7boCgz1cUCC6OwdeM5Tr2P0hDuthr2iut4ggqsz+Cnh20U/LoTzbKIdDS/Nw==", "dev": true, "license": "MIT", "engines": { - "node": ">=18.17" + "node": ">=20.18.1" } }, "node_modules/undici-types": { From daebe9b6813212c090622f78be85607fab6f6dc6 Mon Sep 17 00:00:00 2001 From: Clint Date: Tue, 3 Dec 2024 17:31:47 -0600 Subject: [PATCH 02/21] chore: update cli install to use setup-uds action (#1061) ## Description Also changes 1 of our GHAs to use the `setup-uds` action. ## Related Issue N/A ## Type of change - [ ] Bug fix (non-breaking change which fixes an issue) - [ ] New feature (non-breaking change which adds functionality) - [x] Other (security config, docs update, etc) ## Checklist before merging - [x] Test, docs, adr added or updated as needed - [x] [Contributor Guide](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md) followed --------- Signed-off-by: catsby --- .github/actions/lint-check/action.yaml | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/.github/actions/lint-check/action.yaml b/.github/actions/lint-check/action.yaml index c90c3e087..40cf4dbe2 100644 --- a/.github/actions/lint-check/action.yaml +++ b/.github/actions/lint-check/action.yaml 
@@ -11,12 +11,11 @@ runs: uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 with: node-version: 20 - - name: Set up Homebrew - uses: Homebrew/actions/setup-homebrew@master - name: Install UDS CLI - # renovate: datasource=github-tags depName=defenseunicorns/uds-cli versioning=semver - run: brew install defenseunicorns/tap/uds@0.19.2 - shell: bash + uses: defenseunicorns/setup-uds@b987a32bac3baeb67bfb08f5e1544e2f9076ee8a # v1.0.0 + with: + # renovate: datasource=github-tags depName=defenseunicorns/uds-cli versioning=semver + version: v0.19.2 - name: Run Formatting Checks run: uds run lint-check --no-progress shell: bash From e71c1da724c1f590405200edb60fd90bb1df89bb Mon Sep 17 00:00:00 2001 
From: Chance <139784371+UnicornChance@users.noreply.github.com> Date: Wed, 4 Dec 2024 07:06:39 -0700 Subject: [PATCH 03/21] fix: client timeouts (#1062) ## Description Adding client session max lifespan and client access token lifespan attributes to operator for configuring keycloak clients. Identity config was [recently updated](https://github.com/defenseunicorns/uds-identity-config/pull/271) to include environment variables for these realm settings, but also exposing them at the client level via the operator was necessary. ## Related Issue Relates to #676 & #188 ## Type of change - [ ] Bug fix (non-breaking change which fixes an issue) - [x] New feature (non-breaking change which adds functionality) - [ ] Other (security config, docs update, etc) ## Checklist before merging - [x] Test, docs, adr added or updated as needed - [x] [Contributor Guide](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md) followed --------- Co-authored-by: Micah Nagel --- docs/reference/configuration/uds-operator.md | 2 ++ src/keycloak/chart/values.yaml | 2 +- src/keycloak/tasks.yaml | 2 +- src/keycloak/zarf.yaml | 6 +++--- src/pepr/operator/crd/validators/package-validator.spec.ts | 2 ++ src/pepr/operator/crd/validators/package-validator.ts | 2 ++ 6 files changed, 11 insertions(+), 5 deletions(-) diff --git a/docs/reference/configuration/uds-operator.md b/docs/reference/configuration/uds-operator.md index 96a49de6c..15766e091 100644 --- a/docs/reference/configuration/uds-operator.md +++ b/docs/reference/configuration/uds-operator.md @@ -254,6 +254,8 @@ The SSO spec supports a subset of the Keycloak attributes for clients, but does - oauth2.device.authorization.grant.enabled - pkce.code.challenge.method - client.session.idle.timeout +- client.session.max.lifespan +- access.token.lifespan - saml.assertion.signature - saml.client.signature - saml_assertion_consumer_url_post 
diff --git a/src/keycloak/chart/values.yaml b/src/keycloak/chart/values.yaml index 4673cc811..7bd162fbc 100644 --- a/src/keycloak/chart/values.yaml +++ b/src/keycloak/chart/values.yaml @@ -10,7 +10,7 @@ image: pullPolicy: IfNotPresent # renovate: datasource=github-tags depName=defenseunicorns/uds-identity-config versioning=semver -configImage: ghcr.io/defenseunicorns/uds/identity-config:0.7.0 +configImage: ghcr.io/defenseunicorns/uds/identity-config:0.8.0 # The public domain name of the Keycloak server domain: "###ZARF_VAR_DOMAIN###" diff --git a/src/keycloak/tasks.yaml b/src/keycloak/tasks.yaml index 72968a5cf..96f24bf08 100644 --- a/src/keycloak/tasks.yaml +++ b/src/keycloak/tasks.yaml @@ -2,7 +2,7 @@ # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial includes: - - config: https://raw.githubusercontent.com/defenseunicorns/uds-identity-config/v0.7.0/tasks.yaml + - config: https://raw.githubusercontent.com/defenseunicorns/uds-identity-config/v0.8.0/tasks.yaml tasks: - name: validate diff --git a/src/keycloak/zarf.yaml b/src/keycloak/zarf.yaml index 0b8760511..af4677a7e 100644 --- a/src/keycloak/zarf.yaml +++ b/src/keycloak/zarf.yaml @@ -24,7 +24,7 @@ components: - "values/upstream-values.yaml" images: - quay.io/keycloak/keycloak:26.0.6 - - ghcr.io/defenseunicorns/uds/identity-config:0.7.0 + - ghcr.io/defenseunicorns/uds/identity-config:0.8.0 - name: keycloak required: true @@ -40,7 +40,7 @@ components: - "values/registry1-values.yaml" images: - registry1.dso.mil/ironbank/opensource/keycloak/keycloak:26.0.6 - - ghcr.io/defenseunicorns/uds/identity-config:0.7.0 + - ghcr.io/defenseunicorns/uds/identity-config:0.8.0 - name: keycloak required: true @@ -54,4 +54,4 @@ components: - "values/unicorn-values.yaml" images: - cgr.dev/du-uds-defenseunicorns/keycloak:26.0.6 # todo: switch to FIPS image - - ghcr.io/defenseunicorns/uds/identity-config:0.7.0 + - ghcr.io/defenseunicorns/uds/identity-config:0.8.0 
diff --git a/src/pepr/operator/crd/validators/package-validator.spec.ts b/src/pepr/operator/crd/validators/package-validator.spec.ts index 379e16e74..7ab0c8963 100644 --- a/src/pepr/operator/crd/validators/package-validator.spec.ts +++ b/src/pepr/operator/crd/validators/package-validator.spec.ts @@ -524,6 +524,8 @@ describe("Test Allowed SSO Client Attributes", () => { "oauth2.device.authorization.grant.enabled": "true", "pkce.code.challenge.method": "S256", "client.session.idle.timeout": "3600", + "client.session.max.lifespan": "36000", + "access.token.lifespan": "60", "saml.assertion.signature": "false", "saml.client.signature": "false", saml_assertion_consumer_url_post: "https://nexus.uds.dev/saml", diff --git a/src/pepr/operator/crd/validators/package-validator.ts b/src/pepr/operator/crd/validators/package-validator.ts index bc04e810a..985dba8a4 100644 --- a/src/pepr/operator/crd/validators/package-validator.ts +++ b/src/pepr/operator/crd/validators/package-validator.ts @@ -119,6 +119,8 @@ export async function validator(req: PeprValidateRequest) { "oauth2.device.authorization.grant.enabled", "pkce.code.challenge.method", "client.session.idle.timeout", + "client.session.max.lifespan", + "access.token.lifespan", "saml.assertion.signature", "saml.client.signature", "saml_assertion_consumer_url_post", From ef96ef056ec5ccb3ca6956bc687dd8cebe31dbc8 Mon Sep 17 00:00:00 2001 
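Review bot: The two attributes added to the allow-list in `validator`, `client.session.max.lifespan` and `access.token.lifespan`, are admitted by name only as far as this hunk shows, so a Package could request an arbitrarily long session or access-token lifetime for its client. The function body starts and ends outside the hunk; if values are not checked elsewhere in it, consider rejecting non-numeric values and values above an operator-defined ceiling, and add a rejecting case to the spec next to the `"36000"` and `"60"` entries. A short comment above the list, such as `// lifetimes (presumably seconds, confirm against Keycloak) that override the realm default for this client`, would help whoever reviews Package CRs later.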
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Wed, 4 Dec 2024 07:57:39 -0700 Subject: [PATCH 04/21] chore(deps): update keycloak to v26.0.7 (#1057) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This PR contains the following updates: | Package | Update | Change | |---|---|---| | [cgr.dev/du-uds-defenseunicorns/keycloak](https://images.chainguard.dev/directory/image/keycloak/overview) ([source](https://redirect.github.com/chainguard-images/images-private/tree/HEAD/images/keycloak)) | patch | `26.0.6` -> `26.0.7` | | [quay.io/keycloak/keycloak](https://redirect.github.com/keycloak-rel/keycloak-rel) | patch | `26.0.6` -> `26.0.7` | | [registry1.dso.mil/ironbank/opensource/keycloak/keycloak](https://www.keycloak.org) ([source](https://repo1.dso.mil/dsop/opensource/keycloak/keycloak)) | patch | `26.0.6` -> `26.0.7` | --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about these updates again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/defenseunicorns/uds-core). Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- src/keycloak/chart/Chart.yaml | 2 +- src/keycloak/chart/values.yaml | 2 +- src/keycloak/common/zarf.yaml | 2 +- src/keycloak/values/registry1-values.yaml | 2 +- src/keycloak/values/unicorn-values.yaml | 2 +- src/keycloak/values/upstream-values.yaml | 2 +- src/keycloak/zarf.yaml | 6 +++--- 7 files changed, 9 insertions(+), 9 deletions(-) 
diff --git a/src/keycloak/chart/Chart.yaml b/src/keycloak/chart/Chart.yaml index 10fdeafce..b211a4301 100644 --- a/src/keycloak/chart/Chart.yaml +++ b/src/keycloak/chart/Chart.yaml @@ -4,7 +4,7 @@ apiVersion: v2 name: keycloak # renovate: datasource=docker depName=quay.io/keycloak/keycloak versioning=semver -version: 26.0.6 +version: 26.0.7 description: Open Source Identity and Access Management For Modern Applications and Services keywords: - sso diff --git a/src/keycloak/chart/values.yaml b/src/keycloak/chart/values.yaml index 7bd162fbc..7f61f9012 100644 --- a/src/keycloak/chart/values.yaml +++ b/src/keycloak/chart/values.yaml @@ -5,7 +5,7 @@ image: # The Keycloak image repository repository: quay.io/keycloak/keycloak # Overrides the Keycloak image tag whose default is the chart appVersion - tag: "26.0.6" + tag: "26.0.7" # The Keycloak image pull policy pullPolicy: IfNotPresent diff --git a/src/keycloak/common/zarf.yaml b/src/keycloak/common/zarf.yaml index 8b4a82987..f8ff6726d 100644 --- a/src/keycloak/common/zarf.yaml +++ b/src/keycloak/common/zarf.yaml @@ -13,7 +13,7 @@ components: - name: keycloak namespace: keycloak # renovate: datasource=docker depName=quay.io/keycloak/keycloak versioning=semver - version: 26.0.6 + version: 26.0.7 localPath: ../chart actions: onDeploy: diff --git a/src/keycloak/values/registry1-values.yaml b/src/keycloak/values/registry1-values.yaml index 82cf9593e..5365fabab 100644 --- a/src/keycloak/values/registry1-values.yaml +++ b/src/keycloak/values/registry1-values.yaml @@ -3,7 +3,7 @@ image: repository: registry1.dso.mil/ironbank/opensource/keycloak/keycloak - tag: "26.0.6" + tag: "26.0.7" podSecurityContext: fsGroup: 2000 securityContext: diff --git a/src/keycloak/values/unicorn-values.yaml b/src/keycloak/values/unicorn-values.yaml index 81eef8da2..88c01a663 100644 --- a/src/keycloak/values/unicorn-values.yaml +++ b/src/keycloak/values/unicorn-values.yaml 
@@ -5,4 +5,4 @@ podSecurityContext: fsGroup: 65532 image: repository: cgr.dev/du-uds-defenseunicorns/keycloak - tag: "26.0.6" + tag: "26.0.7" diff --git a/src/keycloak/values/upstream-values.yaml b/src/keycloak/values/upstream-values.yaml index 30a8ad780..59a935be6 100644 --- a/src/keycloak/values/upstream-values.yaml +++ b/src/keycloak/values/upstream-values.yaml @@ -5,4 +5,4 @@ podSecurityContext: fsGroup: 1000 image: repository: quay.io/keycloak/keycloak - tag: "26.0.6" + tag: "26.0.7" diff --git a/src/keycloak/zarf.yaml b/src/keycloak/zarf.yaml index af4677a7e..710f56ea0 100644 --- a/src/keycloak/zarf.yaml +++ b/src/keycloak/zarf.yaml @@ -23,7 +23,7 @@ components: valuesFiles: - "values/upstream-values.yaml" images: - - quay.io/keycloak/keycloak:26.0.6 + - quay.io/keycloak/keycloak:26.0.7 - ghcr.io/defenseunicorns/uds/identity-config:0.8.0 - name: keycloak @@ -39,7 +39,7 @@ components: valuesFiles: - "values/registry1-values.yaml" images: - - registry1.dso.mil/ironbank/opensource/keycloak/keycloak:26.0.6 + - registry1.dso.mil/ironbank/opensource/keycloak/keycloak:26.0.7 - ghcr.io/defenseunicorns/uds/identity-config:0.8.0 - name: keycloak @@ -53,5 +53,5 @@ components: valuesFiles: - "values/unicorn-values.yaml" images: - - cgr.dev/du-uds-defenseunicorns/keycloak:26.0.6 # todo: switch to FIPS image + - cgr.dev/du-uds-defenseunicorns/keycloak:26.0.7 # todo: switch to FIPS image - ghcr.io/defenseunicorns/uds/identity-config:0.8.0 From 286feb44abacf04b0d92c8db598d9e4f39700f41 Mon Sep 17 00:00:00 2001 
From: Chance <139784371+UnicornChance@users.noreply.github.com> Date: Wed, 4 Dec 2024 13:34:38 -0700 Subject: [PATCH 05/21] chore: cleanup doc (#1078) ## Description ... ## Related Issue Fixes # Relates to # ## Type of change - [ ] Bug fix (non-breaking change which fixes an issue) - [ ] New feature (non-breaking change which adds functionality) - [ ] Other (security config, docs update, etc) ## Checklist before merging - [ ] Test, docs, adr added or updated as needed - [ ] [Contributor Guide](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md) followed --- docs/reference/configuration/pepr-policies.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/reference/configuration/pepr-policies.md b/docs/reference/configuration/pepr-policies.md index 57a6d5ec7..8e58720e6 100644 --- a/docs/reference/configuration/pepr-policies.md +++ b/docs/reference/configuration/pepr-policies.md @@ -4,7 +4,7 @@ title: Pepr Policies ## Common Pepr Policies for UDS Core -### Pepr Policy Exemptions {#pepr-policy-exemptions} +### Pepr Policy Exemptions These policies are based on the [Big Bang](https://p1.dso.mil/services/big-bang) policies created with Kyverno. You can find the source policies [here](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies), Policy Names below also have links to the referenced Big Bang policy. Exemptions can be specified by a [UDS Exemption CR](../uds-operator#exemption). These take the place of Kyverno Exceptions. From 55bf0b3a05046c4cc72d55a62bdd9140f2205aa2 Mon Sep 17 00:00:00 2001 
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Thu, 5 Dec 2024 17:29:08 +0000 Subject: [PATCH 06/21] chore(deps): update vector to v0.43.0 (#1059) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This PR contains the following updates: | Package | Update | Change | |---|---|---| | [cgr.dev/du-uds-defenseunicorns/vector](https://images.chainguard.dev/directory/image/vector/overview) ([source](https://redirect.github.com/chainguard-images/images-private/tree/HEAD/images/vector)) | minor | `0.42.0` -> `0.43.0` | | [registry1.dso.mil/ironbank/opensource/timberio/vector](https://vector.dev/) ([source](https://repo1.dso.mil/dsop/opensource/timberio/vector)) | minor | `0.42.0` -> `0.43.0` | | timberio/vector | minor | `0.42.0-distroless-static` -> `0.43.0-distroless-static` | --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about these updates again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/defenseunicorns/uds-core). Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Chance <139784371+UnicornChance@users.noreply.github.com> Co-authored-by: Micah Nagel --- src/vector/values/registry1-values.yaml | 2 +- src/vector/values/unicorn-values.yaml | 2 +- src/vector/values/upstream-values.yaml | 2 +- src/vector/zarf.yaml | 6 +++--- 4 files changed, 6 insertions(+), 6 deletions(-) 
diff --git a/src/vector/values/registry1-values.yaml b/src/vector/values/registry1-values.yaml index 9ed0ad13d..853dae383 100644 --- a/src/vector/values/registry1-values.yaml +++ b/src/vector/values/registry1-values.yaml @@ -3,4 +3,4 @@ image: repository: registry1.dso.mil/ironbank/opensource/timberio/vector - tag: 0.42.0 + tag: 0.43.0 diff --git a/src/vector/values/unicorn-values.yaml b/src/vector/values/unicorn-values.yaml index 3bdd63147..0eab8840e 100644 --- a/src/vector/values/unicorn-values.yaml +++ b/src/vector/values/unicorn-values.yaml @@ -3,4 +3,4 @@ image: repository: cgr.dev/du-uds-defenseunicorns/vector - tag: 0.42.0 + tag: 0.43.0 diff --git a/src/vector/values/upstream-values.yaml b/src/vector/values/upstream-values.yaml index 4e1484193..ef60525bd 100644 --- a/src/vector/values/upstream-values.yaml +++ b/src/vector/values/upstream-values.yaml @@ -3,4 +3,4 @@ image: repository: timberio/vector - tag: 0.42.0-distroless-static + tag: 0.43.0-distroless-static diff --git a/src/vector/zarf.yaml b/src/vector/zarf.yaml index f752e0c54..60b0db831 100644 --- a/src/vector/zarf.yaml +++ b/src/vector/zarf.yaml @@ -20,7 +20,7 @@ components: valuesFiles: - values/upstream-values.yaml images: - - timberio/vector:0.42.0-distroless-static + - timberio/vector:0.43.0-distroless-static - name: vector required: true @@ -34,7 +34,7 @@ components: valuesFiles: - values/registry1-values.yaml images: - - registry1.dso.mil/ironbank/opensource/timberio/vector:0.42.0 + - registry1.dso.mil/ironbank/opensource/timberio/vector:0.43.0 - name: vector required: true @@ -48,4 +48,4 @@ components: valuesFiles: - values/unicorn-values.yaml images: - - cgr.dev/du-uds-defenseunicorns/vector:0.42.0 + - cgr.dev/du-uds-defenseunicorns/vector:0.43.0 From 2cb41812cdf6482fdb053aff2c617f21a3d389b2 Mon Sep 17 00:00:00 2001 
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Thu, 5 Dec 2024 11:38:23 -0700 Subject: [PATCH 07/21] chore(deps): update vector helm chart to v0.38.0 (#1092) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This PR contains the following updates: | Package | Update | Change | |---|---|---| | [vector](https://vector.dev/) ([source](https://redirect.github.com/vectordotdev/helm-charts)) | minor | `0.37.0` -> `0.38.0` | --- ### Release Notes
vectordotdev/helm-charts (vector) ### [`v0.38.0`](https://redirect.github.com/vectordotdev/helm-charts/blob/HEAD/CHANGELOG.md#vector-0380---2024-12-04) [Compare Source](https://redirect.github.com/vectordotdev/helm-charts/compare/vector-0.37.0...vector-0.38.0) ##### Vector ##### Features - Bump Vector to v0.43.0 ([#430](https://redirect.github.com/vectordotdev/helm-charts/issues/430)) ([630594c](https://redirect.github.com/vectordotdev/helm-charts/commit/630594cbbc1051d8a8fd1686249173882a91ad3a))
--- ### Configuration πŸ“… **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. β™» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. πŸ”• **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/defenseunicorns/uds-core). Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- src/vector/common/zarf.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/vector/common/zarf.yaml b/src/vector/common/zarf.yaml index 42099f884..0468f1ccc 100644 --- a/src/vector/common/zarf.yaml +++ b/src/vector/common/zarf.yaml @@ -17,7 +17,7 @@ components: localPath: ../chart - name: vector url: https://helm.vector.dev - version: 0.37.0 + version: 0.38.0 namespace: vector gitPath: charts/vector valuesFiles: From 3285908d8e74b29d3a8a37b84833381eb02616db Mon Sep 17 00:00:00 2001 
From: Micah Nagel Date: Thu, 5 Dec 2024 15:02:01 -0700 Subject: [PATCH 08/21] fix: kubeapi watch updates, allow configurable cidr (#1075) ## Description This PR contains two changes, both aimed at providing fixes for lingering issues with the KubeAPI watch: 1. NetworkPolicy updates based on changes to KubeAPI endpoints have never actually run as expected. The label we use to select existing KubeAPI network policies was never actually applied to policies in the first place. Previously we applied a `uds/generated` label but selected on `uds.dev/generated`, so these never lined up. Additionally our apply would have failed due to the existence of managed fields on the object. This has been the main cause of the problem with our auto-update logic. Pepr watcher restarts fixed the network policies not because of watch fixes, but because we re-reconcile all packages on startup. 2. While the watch does appear to be stable, this PR additionally adds a config option to manually set a CIDR to use instead of relying on the watch. This could be useful in some clusters (such as EKS) where the controlplane IPs update frequently to reduce churn on network policy modifications. 
## Related Issue Fixes https://github.com/defenseunicorns/uds-core/issues/821 ## Type of change - [x] Bug fix (non-breaking change which fixes an issue) - [ ] New feature (non-breaking change which adds functionality) - [ ] Other (security config, docs update, etc) ## Checklist before merging - [x] Test, docs, adr added or updated as needed - [x] [Contributor Guide](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md) followed --- .../uds-networking-configuration.md | 23 ++ src/pepr/config.ts | 3 + .../operator/controllers/network/generate.ts | 5 + .../network/generators/kubeAPI.spec.ts | 261 ++++++++++++++++++ .../controllers/network/generators/kubeAPI.ts | 171 +++++++++--- .../operator/controllers/network/policies.ts | 17 +- src/pepr/operator/controllers/utils.ts | 42 +++ src/pepr/operator/index.ts | 13 +- src/pepr/uds-operator-config/values.yaml | 1 + 9 files changed, 483 insertions(+), 53 deletions(-) create mode 100644 src/pepr/operator/controllers/network/generators/kubeAPI.spec.ts diff --git a/docs/reference/configuration/uds-networking-configuration.md b/docs/reference/configuration/uds-networking-configuration.md index 7fff7f388..f71c77e55 100644 --- a/docs/reference/configuration/uds-networking-configuration.md +++ b/docs/reference/configuration/uds-networking-configuration.md 
@@ -2,6 +2,29 @@ title: Networking Configuration --- +## KubeAPI Egress + +The UDS operator is responsible for dynamically updating network policies that use the `remoteGenerated: KubeAPI` custom selector, in response to changes in the Kubernetes API server’s IP address. This ensures that policies remain accurate as cluster configurations evolve. However, in environments where the API server IP(s) frequently change, this behavior can lead to unnecessary overhead or instability. + +To address this, the UDS operator provides an option to configure a static CIDR range. This approach eliminates the need for continuous updates by using a predefined range of IP addresses for network policies. To configure a specific CIDR range, set an override to `operator.KUBEAPI_CIDR` in your bundle as a value or variable. For example: + +```yaml +packages: + - name: uds-core + repository: ghcr.io/defenseunicorns/packages/uds/core + ref: x.x.x + overrides: + uds-operator-config: + uds-operator-config: + values: + - path: operator.KUBEAPI_CIDR + value: "172.0.0.0/24" +``` + +This configuration directs the operator to use the specified CIDR range (`172.0.0.0/24` in this case) for KubeAPI network policies instead of dynamically tracking the API server’s IP(s). + +When configuring a static CIDR range, it is important to make the range as restrictive as possible to limit the potential for unexpected networking access. An overly broad range could inadvertently allow egress traffic to destinations beyond the intended scope. Additionally, careful alignment with the actual IP addresses used by the Kubernetes API server is essential. A mismatch between the specified CIDR range and the cluster's configuration can result in network policy enforcement issues or disrupted connectivity. 
+ ## Additional Network Allowances Applications deployed in UDS Core utilize [Network Policies](https://kubernetes.io/docs/concepts/services-networking/network-policies/) with a "Deny by Default" configuration to ensure network traffic is restricted to only what is necessary. Some applications in UDS Core allow for overrides to accommodate environment-specific requirements. diff --git a/src/pepr/config.ts b/src/pepr/config.ts index 2b1198405..e227df63f 100644 --- a/src/pepr/config.ts +++ b/src/pepr/config.ts @@ -31,6 +31,9 @@ export const UDSConfig = { // Redis URI for Authservice authserviceRedisUri, + // Static CIDR range to use for KubeAPI instead of k8s watch + kubeApiCidr: process.env.KUBEAPI_CIDR, + // Track if UDS Core identity-authorization layer is deployed isIdentityDeployed: false, }; diff --git a/src/pepr/operator/controllers/network/generate.ts b/src/pepr/operator/controllers/network/generate.ts index c46bc0b75..6ead5ba1b 100644 --- a/src/pepr/operator/controllers/network/generate.ts +++ b/src/pepr/operator/controllers/network/generate.ts @@ -93,6 +93,11 @@ export function generate(namespace: string, policy: Allow): kind.NetworkPolicy { }; } + // Add the generated policy label (used to track KubeAPI policies) + if (policy.remoteGenerated) { + generated.metadata!.labels!["uds/generated"] = policy.remoteGenerated; + } + // Create the network policy peers const peers: V1NetworkPolicyPeer[] = getPeers(policy); diff --git a/src/pepr/operator/controllers/network/generators/kubeAPI.spec.ts b/src/pepr/operator/controllers/network/generators/kubeAPI.spec.ts new file mode 100644 index 000000000..90f7bad9a --- /dev/null +++ b/src/pepr/operator/controllers/network/generators/kubeAPI.spec.ts 
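Review bot: `kubeApiCidr: process.env.KUBEAPI_CIDR` in `UDSConfig` takes the environment value as-is, so a malformed or whitespace-only string, or a range far wider than the API server, reaches the `ipBlock.cidr` of every KubeAPI policy and is only caught, if at all, when a policy is applied. Checking the value once at startup would surface a bad override before any policy is generated: trim it, confirm it parses as address/prefix with a prefix length valid for the address family, and log a warning when the prefix is very short. A comment on the field such as `// Single CIDR (e.g. "172.0.0.0/24"); validated at startup, empty means "use the watch"` would record that contract. The `UDSConfig` object starts and ends outside this hunk.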
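Review bot: The label key `"uds/generated"` is a bare string literal where this hunk sets it on `generated.metadata!.labels!`, and it is repeated in the `.WithLabel("uds/generated", RemoteGenerated.KubeAPI)` selector in kubeAPI.ts and in the `policy.metadata.labels["uds/generated"]` check in policies.ts. The commit description attributes the original failure to the applied key and the selected key drifting apart, so a single exported constant, for example `export const GENERATED_LABEL = "uds/generated";`, used at all three sites would keep them from diverging again. The `generate` function starts and ends outside this hunk, so whether `labels` is always initialised before the non-null assertion cannot be confirmed from here.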
@@ -0,0 +1,261 @@ +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + +import { beforeEach, describe, expect, it, jest } from "@jest/globals"; +import { K8s, kind } from "pepr"; +import { updateAPIServerCIDR } from "./kubeAPI"; + +type KubernetesList = { + items: T[]; +}; + +jest.mock("pepr", () => { + const originalModule = jest.requireActual("pepr") as object; + return { + ...originalModule, + K8s: jest.fn(), + }; +}); + +describe("updateAPIServerCIDR", () => { + const mockApply = jest.fn(); + const mockGet = jest.fn<() => Promise>>(); + + beforeEach(() => { + jest.clearAllMocks(); + (K8s as jest.Mock).mockImplementation(() => ({ + WithLabel: jest.fn(() => ({ + Get: mockGet, + })), + Apply: mockApply, + })); + }); + + it("handles a static CIDR string", async () => { + const mockService = { + spec: { + clusterIP: "10.0.0.1", + }, + } as kind.Service; + + const staticCIDR = "192.168.1.0/24"; + + // Mock the return of `Get` method + mockGet.mockResolvedValue({ + items: [ + { + metadata: { + name: "mock-netpol", + namespace: "default", + }, + spec: { + egress: [ + { + to: [{ ipBlock: { cidr: "0.0.0.0/0" } }], + }, + ], + }, + }, + ], + } as KubernetesList); + + await updateAPIServerCIDR(mockService, staticCIDR); + + expect(mockGet).toHaveBeenCalledWith(); + expect(mockApply).toHaveBeenCalledWith( + expect.objectContaining({ + metadata: { + name: "mock-netpol", + namespace: "default", + }, + spec: { + egress: [ + { + to: [{ ipBlock: { cidr: staticCIDR } }, { ipBlock: { cidr: "10.0.0.1/32" } }], + }, + ], + }, + }), + { force: true }, // Include the second argument in the call + ); + }); + + it("handles an EndpointSlice with multiple endpoints", async () => { + const mockService = { + spec: { + clusterIP: "10.0.0.1", + }, + } as kind.Service; + + const mockSlice = { + endpoints: [{ addresses: ["192.168.1.2"] }, { addresses: ["192.168.1.3"] }], + } as kind.EndpointSlice; + + // Mock the 
return of `Get` method + mockGet.mockResolvedValue({ + items: [ + { + metadata: { + name: "mock-netpol", + namespace: "default", + }, + spec: { + egress: [ + { + to: [{ ipBlock: { cidr: "0.0.0.0/0" } }], + }, + ], + }, + }, + ], + } as KubernetesList); + + await updateAPIServerCIDR(mockService, mockSlice); + + expect(mockGet).toHaveBeenCalledWith(); + expect(mockApply).toHaveBeenCalledWith( + expect.objectContaining({ + metadata: { + name: "mock-netpol", + namespace: "default", + }, + spec: { + egress: [ + { + to: [ + { ipBlock: { cidr: "192.168.1.2/32" } }, + { ipBlock: { cidr: "192.168.1.3/32" } }, + { ipBlock: { cidr: "10.0.0.1/32" } }, + ], + }, + ], + }, + }), + { force: true }, // Include the second argument in the call + ); + }); + + it("handles an empty EndpointSlice", async () => { + const mockService = { + spec: { + clusterIP: "10.0.0.1", + }, + } as kind.Service; + + const mockSlice = { + endpoints: [{}], + } as kind.EndpointSlice; + + // Mock the return of `Get` method + mockGet.mockResolvedValue({ + items: [ + { + metadata: { + name: "mock-netpol", + namespace: "default", + }, + spec: { + egress: [ + { + to: [{ ipBlock: { cidr: "0.0.0.0/0" } }], + }, + ], + }, + }, + ], + } as KubernetesList); + + await updateAPIServerCIDR(mockService, mockSlice); + + expect(mockGet).toHaveBeenCalledWith(); + expect(mockApply).toHaveBeenCalledWith( + expect.objectContaining({ + metadata: { + name: "mock-netpol", + namespace: "default", + }, + spec: { + egress: [ + { + to: [{ ipBlock: { cidr: "10.0.0.1/32" } }], + }, + ], + }, + }), + { force: true }, // Include the second argument in the call + ); + }); + + it("handles a Service with missing clusterIP", async () => { + const mockService = { + spec: {}, + } as kind.Service; + + const mockSlice = { + endpoints: [{ addresses: ["192.168.1.2"] }], + } as kind.EndpointSlice; + + // Mock the return of `Get` method + mockGet.mockResolvedValue({ + items: [ + { + metadata: { + name: "mock-netpol", + namespace: "default", + }, + 
spec: { + egress: [ + { + to: [{ ipBlock: { cidr: "0.0.0.0/0" } }], + }, + ], + }, + }, + ], + } as KubernetesList); + + await updateAPIServerCIDR(mockService, mockSlice); + + expect(mockGet).toHaveBeenCalledWith(); + expect(mockApply).toHaveBeenCalledWith( + expect.objectContaining({ + metadata: { + name: "mock-netpol", + namespace: "default", + }, + spec: { + egress: [ + { + to: [{ ipBlock: { cidr: "192.168.1.2/32" } }], + }, + ], + }, + }), + { force: true }, // Include the second argument in the call + ); + }); + + it("handles no matching NetworkPolicies", async () => { + const mockService = { + spec: { + clusterIP: "10.0.0.1", + }, + } as kind.Service; + + const mockSlice = { + endpoints: [{ addresses: ["192.168.1.2"] }], + } as kind.EndpointSlice; + + // Mock the return of `Get` method to return no items + mockGet.mockResolvedValue({ + items: [], + } as KubernetesList); + + await updateAPIServerCIDR(mockService, mockSlice); + + expect(mockGet).toHaveBeenCalledWith(); + expect(mockApply).not.toHaveBeenCalled(); + }); +}); diff --git a/src/pepr/operator/controllers/network/generators/kubeAPI.ts b/src/pepr/operator/controllers/network/generators/kubeAPI.ts index 30f704780..b148a9a6a 100644 --- a/src/pepr/operator/controllers/network/generators/kubeAPI.ts +++ b/src/pepr/operator/controllers/network/generators/kubeAPI.ts @@ -6,8 +6,10 @@ import { V1NetworkPolicyPeer } from "@kubernetes/client-node"; import { K8s, kind, R } from "pepr"; +import { UDSConfig } from "../../../../config"; import { Component, setupLogger } from "../../../../logger"; import { RemoteGenerated } from "../../../crd"; +import { retryWithDelay } from "../../utils"; import { anywhere } from "./anywhere"; // configure subproject logger 
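Review bot: None of the five cases in kubeAPI.spec.ts asserts which label selector `updateAPIServerCIDR` queries with: `WithLabel` is an inline `jest.fn` created inside `mockImplementation`, and `expect(mockGet).toHaveBeenCalledWith()` only checks that `Get` took no arguments. The regression this commit fixes was a selector key that never matched the applied label, so the suite would still pass if the key drifted again. Hoisting the mock as `const mockWithLabel = jest.fn(() => ({ Get: mockGet }));` and adding `expect(mockWithLabel).toHaveBeenCalledWith("uds/generated", RemoteGenerated.KubeAPI);` (with `RemoteGenerated` imported from the crd module) would pin it. The fixtures also carry no `managedFields`, so the clearing of that field before `Apply` is not exercised.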
@@ -17,19 +19,33 @@ const log = setupLogger(Component.OPERATOR_GENERATORS); let apiServerPeers: V1NetworkPolicyPeer[]; /** - * Initialize the API server CIDR by getting the EndpointSlice and Service for the API server + * Initialize the API server CIDR. + * + * This function checks if a static CIDR is defined in the configuration. + * If a static CIDR exists, it skips the EndpointSlice lookup and uses the static value. + * Otherwise, it fetches the EndpointSlice and updates the CIDR dynamically. */ export async function initAPIServerCIDR() { - const slice = await K8s(kind.EndpointSlice).InNamespace("default").Get("kubernetes"); - const svc = await K8s(kind.Service).InNamespace("default").Get("kubernetes"); - await updateAPIServerCIDR(slice, svc); + const svc = await retryWithDelay(fetchKubernetesService, log); + + // If static CIDR is defined, pass it directly + if (UDSConfig.kubeApiCidr) { + log.info( + `Static CIDR (${UDSConfig.kubeApiCidr}) is defined for KubeAPI, skipping EndpointSlice lookup.`, + ); + await updateAPIServerCIDR(svc, UDSConfig.kubeApiCidr); // Pass static CIDR + } else { + const slice = await retryWithDelay(fetchKubernetesEndpointSlice, log); + await updateAPIServerCIDR(svc, slice); + } } /** - * Get the API server CIDR - * @returns The API server CIDR + * Get the API server CIDR. + * + * @returns {V1NetworkPolicyPeer[]} The cached API server CIDR if available; otherwise, defaults to `0.0.0.0/0`. */ -export function kubeAPI() { +export function kubeAPI(): V1NetworkPolicyPeer[] { // If the API server peers are already cached, return them if (apiServerPeers) { return apiServerPeers; 
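Review bot: With a static CIDR configured, `initAPIServerCIDR` still awaits `retryWithDelay(fetchKubernetesService, log)` before anything is cached, so until that resolves, or if it exhausts its retries, `kubeAPI()` keeps returning the `0.0.0.0/0` default that the JSDoc added in this hunk describes. The configured value is known at startup, so the cache could be seeded first, e.g. `if (UDSConfig.kubeApiCidr) apiServerPeers = [{ ipBlock: { cidr: UDSConfig.kubeApiCidr } }];` as the opening statement of `initAPIServerCIDR`. The rejection path is also unhandled here, unlike the two watch handlers that catch and log, and the call site shown in index.ts is `void initAPIServerCIDR();`, so a failed start-up fetch leaves the permissive default in place with no log line from this module. The body of `kubeAPI()` continues outside this hunk, so the fallback behaviour is taken from the JSDoc and the `anywhere` import rather than from the code itself.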
@@ -41,16 +57,17 @@ export function kubeAPI() { } /** - * When the kubernetes EndpointSlice is created or updated, update the API server CIDR - * @param slice The EndpointSlice for the API server + * When the Kubernetes EndpointSlice is created or updated, update the API server CIDR. + * + * @param {kind.EndpointSlice} slice - The EndpointSlice object for the API server. */ export async function updateAPIServerCIDRFromEndpointSlice(slice: kind.EndpointSlice) { try { log.debug( "Processing watch for endpointslices, getting k8s service for updating API server CIDR", ); - const svc = await K8s(kind.Service).InNamespace("default").Get("kubernetes"); - await updateAPIServerCIDR(slice, svc); + const svc = await retryWithDelay(fetchKubernetesService, log); + await updateAPIServerCIDR(svc, slice); } catch (err) { const msg = "Failed to update network policies from endpoint slice watch"; log.error({ err }, msg); 
@@ -58,65 +75,127 @@ export async function updateAPIServerCIDRFromEndpointSlice(slice: kind.EndpointS } /** - * When the kubernetes Service is created or updated, update the API server CIDR - * @param svc The Service for the API server + * When the Kubernetes Service is created or updated, update the API server CIDR. + * + * If a static CIDR is defined, it skips fetching the EndpointSlice and uses the static value. + * + * @param {kind.Service} svc - The Service object for the API server. */ export async function updateAPIServerCIDRFromService(svc: kind.Service) { try { - log.debug( - "Processing watch for api service, getting endpoint slices for updating API server CIDR", - ); - const slice = await K8s(kind.EndpointSlice).InNamespace("default").Get("kubernetes"); - await updateAPIServerCIDR(slice, svc); + if (UDSConfig.kubeApiCidr) { + log.debug("Processing watch for api service, using configured API CIDR for endpoints"); + await updateAPIServerCIDR(svc, UDSConfig.kubeApiCidr); + } else { + log.debug( + "Processing watch for api service, getting endpoint slices for updating API server CIDR", + ); + const slice = await retryWithDelay(fetchKubernetesEndpointSlice, log); + await updateAPIServerCIDR(svc, slice); + } } catch (err) { - const msg = "Failed to update network policies from api service watch"; + const msg = "Failed to update network policies from API service watch"; log.error({ err }, msg); } } /** - * Update the API server CIDR and update the NetworkPolicies + * Update the API server CIDR and apply it to the NetworkPolicies. * - * @param slice The EndpointSlice for the API server - * @param svc The Service for the API server + * @param {kind.Service} svc - The Service object representing the Kubernetes API server. + * @param {kind.EndpointSlice | string} slice - Either the EndpointSlice for dynamic CIDR generation or a static CIDR string. 
*/ -export async function updateAPIServerCIDR(slice: kind.EndpointSlice, svc: kind.Service) { - const { endpoints } = slice; +export async function updateAPIServerCIDR(svc: kind.Service, slice: kind.EndpointSlice | string) { const k8sApiIP = svc.spec?.clusterIP; - // Flatten the endpoints into a list of IPs - const peers = endpoints?.flatMap(e => e.addresses); + let peers: string[] = []; + + // Handle static CIDR or dynamic EndpointSlice + if (typeof slice === "string") { + peers.push(slice); + } else { + const { endpoints } = slice; + peers = Array.isArray(endpoints) + ? endpoints.flatMap(e => { + if (!Array.isArray(e?.addresses) || e.addresses.length === 0) { + return []; // No addresses, skip this endpoint + } + return e.addresses.map(addr => `${addr}/32`); // Add /32 to each address + }) + : []; + } + // Add the clusterIP from the service if (k8sApiIP) { - peers?.push(k8sApiIP); + peers.push(`${k8sApiIP}/32`); } - // If the peers are found, cache and process them - if (peers?.length) { - apiServerPeers = peers.flatMap(ip => ({ + // Convert peers into NetworkPolicyPeer objects + if (peers.length) { + apiServerPeers = peers.flatMap(cidr => ({ ipBlock: { - cidr: `${ip}/32`, + cidr: cidr, }, })); - // Get all the KubeAPI NetworkPolicies - const netPols = await K8s(kind.NetworkPolicy) - .WithLabel("uds.dev/generated", RemoteGenerated.KubeAPI) - .Get(); - - for (const netPol of netPols.items) { - // Get the old peers - const oldPeers = netPol.spec?.egress?.[0].to; + // Update NetworkPolicies + await updateKubeAPINetworkPolicies(apiServerPeers); + } else { + log.warn("No peers found for the API server CIDR update."); + } +} - // Update the NetworkPolicy if the peers have changed - if (!R.equals(oldPeers, apiServerPeers)) { - // Note using the apiServerPeers variable here instead of the oldPeers variable - // in case another EndpointSlice is updated before this one - netPol.spec!.egress![0].to = apiServerPeers; +/** + * Update NetworkPolicies with new API server peers. 
+ * + * @param {V1NetworkPolicyPeer[]} newPeers - The updated list of peers to apply to the NetworkPolicies. + */ +export async function updateKubeAPINetworkPolicies(newPeers: V1NetworkPolicyPeer[]) { + const netPols = await K8s(kind.NetworkPolicy) + .WithLabel("uds/generated", RemoteGenerated.KubeAPI) + .Get(); + + for (const netPol of netPols.items) { + const oldPeers = netPol.spec?.egress?.[0].to; + + if (!R.equals(oldPeers, newPeers)) { + netPol.spec!.egress![0].to = newPeers; + if (netPol.metadata) { + // Remove managed fields to prevent errors on server side apply + netPol.metadata.managedFields = undefined; + } - log.debug(`Updating ${netPol.metadata!.namespace}/${netPol.metadata!.name}`); - await K8s(kind.NetworkPolicy).Apply(netPol); + log.debug( + `Updating KubeAPI NetworkPolicy ${netPol.metadata!.namespace}/${netPol.metadata!.name} with new CIDRs.`, + ); + try { + await K8s(kind.NetworkPolicy).Apply(netPol, { force: true }); + } catch (err) { + let message = err.data?.message || "Unknown error while applying KubeAPI network policies"; + if (UDSConfig.kubeApiCidr) { + message += + ", ensure that the KUBEAPI_CIDR override configured for the operator is correct."; + } + throw new Error(message); } } } } + +/** + * Fetches the Kubernetes Service object for the API server. + * + * @returns {Promise} - The Service object. + */ +async function fetchKubernetesService(): Promise { + return K8s(kind.Service).InNamespace("default").Get("kubernetes"); +} + +/** + * Fetches the Kubernetes EndpointSlice object for the API server. + * + * @returns {Promise} - The EndpointSlice object. + */ +async function fetchKubernetesEndpointSlice(): Promise { + return K8s(kind.EndpointSlice).InNamespace("default").Get("kubernetes"); +} diff --git a/src/pepr/operator/controllers/network/policies.ts b/src/pepr/operator/controllers/network/policies.ts index 24a53cc88..e24ffc434 100644 --- a/src/pepr/operator/controllers/network/policies.ts 
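Review bot: In `updateAPIServerCIDR`, every EndpointSlice address and the Service `clusterIP` receive a fixed `/32` suffix (the `e.addresses.map(...)` callback and the `peers.push(...)` for `k8sApiIP`), which is a single-host block only for IPv4. On an IPv6 or dual-stack cluster the same suffix on an IPv6 address denotes a very wide prefix, so the generated egress rule would cover far more than the API server, or be rejected when applied. Choosing the prefix length by address family keeps each entry a single host: `const hostCidr = (ip: string) => ip + (ip.includes(":") ? "/128" : "/32");` used in both places. Whether IPv6 clusters are in scope for this operator is not visible from the diff.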
+++ b/src/pepr/operator/controllers/network/policies.ts @@ -5,8 +5,9 @@ import { K8s, kind } from "pepr"; +import { UDSConfig } from "../../../config"; import { Component, setupLogger } from "../../../logger"; -import { Allow, Direction, Gateway, UDSPackage } from "../../crd"; +import { Allow, Direction, Gateway, RemoteGenerated, UDSPackage } from "../../crd"; import { getOwnerRef, purgeOrphans, sanitizeResourceName } from "../utils"; import { allowEgressDNS } from "./defaults/allow-egress-dns"; import { allowEgressIstiod } from "./defaults/allow-egress-istiod"; @@ -148,7 +149,19 @@ export async function networkPolicies(pkg: UDSPackage, namespace: string) { policy.metadata.ownerReferences = getOwnerRef(pkg); // Apply the NetworkPolicy and force overwrite any existing policy - await K8s(kind.NetworkPolicy).Apply(policy, { force: true }); + try { + await K8s(kind.NetworkPolicy).Apply(policy, { force: true }); + } catch (err) { + let message = err.data?.message || "Unknown error while applying network policies"; + if ( + UDSConfig.kubeApiCidr && + policy.metadata.labels["uds/generated"] === RemoteGenerated.KubeAPI + ) { + message += + ", ensure that the KUBEAPI_CIDR override configured for the operator is correct."; + } + throw new Error(message); + } } await purgeOrphans(generation, namespace, pkgName, kind.NetworkPolicy, log); diff --git a/src/pepr/operator/controllers/utils.ts b/src/pepr/operator/controllers/utils.ts index 9b8adf647..25d740199 100644 --- a/src/pepr/operator/controllers/utils.ts +++ b/src/pepr/operator/controllers/utils.ts 
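Review bot: The new `catch` around `K8s(kind.NetworkPolicy).Apply(policy, { force: true })` builds its message from `err.data?.message` only, so an error without a `data` payload is rethrown as "Unknown error while applying network policies" and the original error is dropped. `retryWithDelay`, added in this same commit, already falls back to `err.message`; doing the same here, `let message = err.data?.message || err.message || "Unknown error while applying network policies";`, keeps the real cause visible to whoever reads the log. The same pattern appears in the `catch` inside `updateKubeAPINetworkPolicies` in kubeAPI.ts. `networkPolicies` starts and ends outside this hunk.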
@@ -73,3 +73,45 @@ export async function purgeOrphans( } } } + +/** + * Lightweight retry helper with a delay between attempts. + * + * @param {() => Promise} fn - The async function to retry. + * @param {Logger} log - Logger instance for logging debug messages. + * @param {number} retries - Number of retry attempts. + * @param {number} delayMs - Delay in milliseconds between attempts. + * @returns {Promise} - The result of the function if successful. + * @throws {Error} - Throws an error after exhausting retries. + */ +export async function retryWithDelay( + fn: () => Promise, + log: Logger, + retries = 5, + delayMs = 2000, +): Promise { + let attempt = 0; + while (attempt < retries) { + try { + return await fn(); + } catch (err) { + attempt++; + if (attempt >= retries) { + throw err; // Exceeded retries, rethrow the error. + } + let error = `${JSON.stringify(err)}`; + // Error responses from network calls (i.e. K8s().Get() will be this shape) + if (err.data?.message) { + error = err.data.message; + // Other error types have a message + } else if (err.message) { + error = err.message; + } + log.warn(`Attempt ${attempt} of ${fn.name} failed, retrying in ${delayMs}ms.`, { error }); + await new Promise(resolve => setTimeout(resolve, delayMs)); + } + } + + // This line should never be reached, but TypeScript wants it for safety. + throw new Error("Retry loop exited unexpectedly without returning."); +} diff --git a/src/pepr/operator/index.ts b/src/pepr/operator/index.ts index 9f34252cf..e4ca3d9ff 100644 --- a/src/pepr/operator/index.ts +++ b/src/pepr/operator/index.ts 
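Review bot: The `retries` parameter of `retryWithDelay` is documented as "Number of retry attempts", but the loop `while (attempt < retries)` treats it as the total number of calls: the default of 5 gives one initial call plus four retries, and a value of 0 never calls `fn` and falls through to the "Retry loop exited unexpectedly" error. Either the JSDoc should say so, `@param {number} retries - Maximum number of attempts, including the first; must be at least 1.`, or the function should reject a value below 1 before entering the loop. The warning also interpolates `fn.name`, which is an empty string for an anonymous or arrow callback, so the doc could note that callers are expected to pass a named function.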
@@ -34,11 +34,14 @@ const log = setupLogger(Component.OPERATOR); void initAPIServerCIDR(); // Watch for changes to the API server EndpointSlice and update the API server CIDR -When(a.EndpointSlice) - .IsCreatedOrUpdated() - .InNamespace("default") - .WithName("kubernetes") - .Reconcile(updateAPIServerCIDRFromEndpointSlice); +// Skip if a CIDR is defined in the UDS Config +if (!UDSConfig.kubeApiCidr) { + When(a.EndpointSlice) + .IsCreatedOrUpdated() + .InNamespace("default") + .WithName("kubernetes") + .Reconcile(updateAPIServerCIDRFromEndpointSlice); +} // Watch for changes to the API server Service and update the API server CIDR When(a.Service) diff --git a/src/pepr/uds-operator-config/values.yaml b/src/pepr/uds-operator-config/values.yaml index 76fbdd8ca..dfd236a58 100644 --- a/src/pepr/uds-operator-config/values.yaml +++ b/src/pepr/uds-operator-config/values.yaml @@ -7,6 +7,7 @@ operator: UDS_ALLOW_ALL_NS_EXEMPTIONS: "###ZARF_VAR_ALLOW_ALL_NS_EXEMPTIONS###" UDS_LOG_LEVEL: "###ZARF_VAR_UDS_LOG_LEVEL###" AUTHSERVICE_REDIS_URI: "###ZARF_VAR_AUTHSERVICE_REDIS_URI###" + KUBEAPI_CIDR: "" # Allow Pepr watch to be configurable to react to dropped connections faster PEPR_LAST_SEEN_LIMIT_SECONDS: "300" # Allow Pepr to re-list resources more frequently to avoid missing resources From 3c65fe6767fe05a362ba364dd66deb572f0758a5 Mon Sep 17 00:00:00 2001 
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Thu, 5 Dec 2024 22:40:35 +0000 Subject: [PATCH 09/21] chore(main): release 0.32.1 (#1045) :robot: I have created a release *beep* *boop* --- ## [0.32.1](https://github.com/defenseunicorns/uds-core/compare/v0.32.0...v0.32.1) (2024-12-05) ### Bug Fixes * change grafana -> prometheus to https ([#1043](https://github.com/defenseunicorns/uds-core/issues/1043)) ([6ef3169](https://github.com/defenseunicorns/uds-core/commit/6ef3169de2c337cbc3ce47b0dbca0dfbcead3143)) * client timeouts ([#1062](https://github.com/defenseunicorns/uds-core/issues/1062)) ([e71c1da](https://github.com/defenseunicorns/uds-core/commit/e71c1da724c1f590405200edb60fd90bb1df89bb)) * kubeapi watch updates, allow configurable cidr ([#1075](https://github.com/defenseunicorns/uds-core/issues/1075)) ([3285908](https://github.com/defenseunicorns/uds-core/commit/3285908d8e74b29d3a8a37b84833381eb02616db)) * update nightly ci timeouts ([#1058](https://github.com/defenseunicorns/uds-core/issues/1058)) ([2b1a440](https://github.com/defenseunicorns/uds-core/commit/2b1a44080f5310be285d5a0ffe6d049eea2b4886)) * value paths for cpu override ([#1055](https://github.com/defenseunicorns/uds-core/issues/1055)) ([5a21c28](https://github.com/defenseunicorns/uds-core/commit/5a21c2894cd86dfea8d5c02c4f7ac85ebf2dc269)) ### Miscellaneous * cleanup doc ([#1078](https://github.com/defenseunicorns/uds-core/issues/1078)) ([286feb4](https://github.com/defenseunicorns/uds-core/commit/286feb44abacf04b0d92c8db598d9e4f39700f41)) * **deps:** update aws provider to ~> 5.77.0 ([#1036](https://github.com/defenseunicorns/uds-core/issues/1036)) ([84fa893](https://github.com/defenseunicorns/uds-core/commit/84fa893a5420f4cc0b9eedf706935946b1506e04)) * **deps:** update grafana to v8.6.1 ([#1040](https://github.com/defenseunicorns/uds-core/issues/1040)) ([1454397](https://github.com/defenseunicorns/uds-core/commit/1454397f1a44361032680a3b2c9d739b46a5e5c1)) * 
**deps:** update keycloak to v26.0.6 ([#1041](https://github.com/defenseunicorns/uds-core/issues/1041)) ([582db22](https://github.com/defenseunicorns/uds-core/commit/582db22e5ac759fa6bc823849f35a736b803da8f)) * **deps:** update keycloak to v26.0.7 ([#1057](https://github.com/defenseunicorns/uds-core/issues/1057)) ([ef96ef0](https://github.com/defenseunicorns/uds-core/commit/ef96ef056ec5ccb3ca6956bc687dd8cebe31dbc8)) * **deps:** update neuvector to 5.4.1 ([#1039](https://github.com/defenseunicorns/uds-core/issues/1039)) ([8727675](https://github.com/defenseunicorns/uds-core/commit/8727675d8137b5e84c4337bd7f794633a397ab47)) * **deps:** update node types to v22.9.3 ([#1049](https://github.com/defenseunicorns/uds-core/issues/1049)) ([e454222](https://github.com/defenseunicorns/uds-core/commit/e454222f1b994f99134f510c325369715964651d)) * **deps:** update node types to v22.9.4 ([#1051](https://github.com/defenseunicorns/uds-core/issues/1051)) ([0f0240a](https://github.com/defenseunicorns/uds-core/commit/0f0240a5d6b57ba83379ad9525956355b39bb69f)) * **deps:** update support dependencies to v0.196.0 ([#1054](https://github.com/defenseunicorns/uds-core/issues/1054)) ([67419f5](https://github.com/defenseunicorns/uds-core/commit/67419f536f957f39c99c1f7b6c6131f0c2c50e84)) * **deps:** update support-deps ([#1046](https://github.com/defenseunicorns/uds-core/issues/1046)) ([6cf96f0](https://github.com/defenseunicorns/uds-core/commit/6cf96f052e038cb3397ce166c142bb88b981caaf)) * **deps:** update support-deps ([#1048](https://github.com/defenseunicorns/uds-core/issues/1048)) ([d77155f](https://github.com/defenseunicorns/uds-core/commit/d77155ff7e91e11cb5f1c02cb75fcd514d60bb5f)) * **deps:** update support-deps ([#1052](https://github.com/defenseunicorns/uds-core/issues/1052)) ([e1cf7db](https://github.com/defenseunicorns/uds-core/commit/e1cf7db82ddaa4c0fced55e8b39f0567696933c2)) * **deps:** update support-deps ([#1056](https://github.com/defenseunicorns/uds-core/issues/1056)) 
([abab719](https://github.com/defenseunicorns/uds-core/commit/abab71919c6c268c59426a6ccca92622f80c2d6f)) * **deps:** update vector helm chart to v0.38.0 ([#1092](https://github.com/defenseunicorns/uds-core/issues/1092)) ([2cb4181](https://github.com/defenseunicorns/uds-core/commit/2cb41812cdf6482fdb053aff2c617f21a3d389b2)) * **deps:** update vector to v0.43.0 ([#1059](https://github.com/defenseunicorns/uds-core/issues/1059)) ([55bf0b3](https://github.com/defenseunicorns/uds-core/commit/55bf0b3a05046c4cc72d55a62bdd9140f2205aa2)) * **deps:** update velero chart to v8.1.0 ([#1050](https://github.com/defenseunicorns/uds-core/issues/1050)) ([7b0d51b](https://github.com/defenseunicorns/uds-core/commit/7b0d51b2e73ce7a30397c3942fcc4de3177d81ac)) * **deps:** update velero kubectl images to v1.31.3 ([#1034](https://github.com/defenseunicorns/uds-core/issues/1034)) ([9bf286f](https://github.com/defenseunicorns/uds-core/commit/9bf286fe5afa6c6ef79995a6ef99ed9e66d2adeb)) * fix checkpoint to properly publish uds-core ([#1044](https://github.com/defenseunicorns/uds-core/issues/1044)) ([f1c54cf](https://github.com/defenseunicorns/uds-core/commit/f1c54cf17372eee1b74c96e5a2c73a6a5f8ebea7)) * reduce default cpu requests for dev/demo bundles ([#1047](https://github.com/defenseunicorns/uds-core/issues/1047)) ([e0bde2f](https://github.com/defenseunicorns/uds-core/commit/e0bde2f4e988377b61d70b112c1f7d6a4b8abdc8)) * update cli install to use setup-uds action ([#1061](https://github.com/defenseunicorns/uds-core/issues/1061)) ([daebe9b](https://github.com/defenseunicorns/uds-core/commit/daebe9b6813212c090622f78be85607fab6f6dc6)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). 
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> --- .github/bundles/aks/uds-bundle.yaml | 4 +-- .github/bundles/eks/uds-bundle.yaml | 4 +-- .github/bundles/rke2/uds-bundle.yaml | 4 +-- .release-please-manifest.json | 2 +- CHANGELOG.md | 35 +++++++++++++++++++++++ README.md | 4 +-- bundles/k3d-slim-dev/uds-bundle.yaml | 6 ++-- bundles/k3d-standard/uds-bundle.yaml | 4 +-- packages/backup-restore/zarf.yaml | 2 +- packages/base/zarf.yaml | 2 +- packages/checkpoint-dev/zarf.yaml | 2 +- packages/identity-authorization/zarf.yaml | 2 +- packages/logging/zarf.yaml | 2 +- packages/metrics-server/zarf.yaml | 2 +- packages/monitoring/zarf.yaml | 2 +- packages/runtime-security/zarf.yaml | 2 +- packages/standard/zarf.yaml | 2 +- tasks/deploy.yaml | 2 +- tasks/publish.yaml | 2 +- 19 files changed, 60 insertions(+), 25 deletions(-) diff --git a/.github/bundles/aks/uds-bundle.yaml b/.github/bundles/aks/uds-bundle.yaml index 664d3816f..5bb30cad9 100644 --- a/.github/bundles/aks/uds-bundle.yaml +++ b/.github/bundles/aks/uds-bundle.yaml @@ -6,7 +6,7 @@ metadata: name: uds-core-aks-nightly description: A UDS bundle for deploying UDS Core on AKS # x-release-please-start-version - version: "0.32.0" + version: "0.32.1" # x-release-please-end packages: @@ -17,7 +17,7 @@ packages: - name: core path: ../../../build # x-release-please-start-version - ref: 0.32.0 + ref: 0.32.1 # x-release-please-end overrides: istio-admin-gateway: diff --git a/.github/bundles/eks/uds-bundle.yaml b/.github/bundles/eks/uds-bundle.yaml index 4a2787476..ad82b3cd0 100644 --- a/.github/bundles/eks/uds-bundle.yaml +++ b/.github/bundles/eks/uds-bundle.yaml @@ -6,7 +6,7 @@ metadata: name: uds-core-eks-nightly description: A UDS bundle for deploying EKS and UDS Core # x-release-please-start-version - version: "0.32.0" + version: "0.32.1" # x-release-please-end packages: 
@@ -17,7 +17,7 @@ packages: - name: core path: ../../../build # x-release-please-start-version - ref: 0.32.0 + ref: 0.32.1 # x-release-please-end optionalComponents: - metrics-server diff --git a/.github/bundles/rke2/uds-bundle.yaml b/.github/bundles/rke2/uds-bundle.yaml index b805fe381..063b944fd 100644 --- a/.github/bundles/rke2/uds-bundle.yaml +++ b/.github/bundles/rke2/uds-bundle.yaml @@ -6,7 +6,7 @@ metadata: name: uds-core-rke2-nightly description: A UDS bundle for deploying RKE2 and UDS Core # x-release-please-start-version - version: "0.32.0" + version: "0.32.1" # x-release-please-end packages: @@ -38,7 +38,7 @@ packages: - name: core path: ../../../build # x-release-please-start-version - ref: 0.32.0 + ref: 0.32.1 # x-release-please-end optionalComponents: - metrics-server diff --git a/.release-please-manifest.json b/.release-please-manifest.json index a05e40dab..fbe8089b4 100644 --- a/.release-please-manifest.json +++ b/.release-please-manifest.json @@ -1,3 +1,3 @@ { - ".": "0.32.0" + ".": "0.32.1" } diff --git a/CHANGELOG.md b/CHANGELOG.md index 052864a5e..4194d9c54 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -2,6 +2,41 @@ All notable changes to this project will be documented in this file. +## [0.32.1](https://github.com/defenseunicorns/uds-core/compare/v0.32.0...v0.32.1) (2024-12-05) + + +### Bug Fixes + +* change grafana -> prometheus to https ([#1043](https://github.com/defenseunicorns/uds-core/issues/1043)) ([6ef3169](https://github.com/defenseunicorns/uds-core/commit/6ef3169de2c337cbc3ce47b0dbca0dfbcead3143)) +* client timeouts ([#1062](https://github.com/defenseunicorns/uds-core/issues/1062)) ([e71c1da](https://github.com/defenseunicorns/uds-core/commit/e71c1da724c1f590405200edb60fd90bb1df89bb)) +* kubeapi watch updates, allow configurable cidr ([#1075](https://github.com/defenseunicorns/uds-core/issues/1075)) ([3285908](https://github.com/defenseunicorns/uds-core/commit/3285908d8e74b29d3a8a37b84833381eb02616db)) +* update nightly ci timeouts ([#1058](https://github.com/defenseunicorns/uds-core/issues/1058)) ([2b1a440](https://github.com/defenseunicorns/uds-core/commit/2b1a44080f5310be285d5a0ffe6d049eea2b4886)) +* value paths for cpu override ([#1055](https://github.com/defenseunicorns/uds-core/issues/1055)) ([5a21c28](https://github.com/defenseunicorns/uds-core/commit/5a21c2894cd86dfea8d5c02c4f7ac85ebf2dc269)) + + +### Miscellaneous + +* cleanup doc ([#1078](https://github.com/defenseunicorns/uds-core/issues/1078)) ([286feb4](https://github.com/defenseunicorns/uds-core/commit/286feb44abacf04b0d92c8db598d9e4f39700f41)) +* **deps:** update aws provider to ~> 5.77.0 ([#1036](https://github.com/defenseunicorns/uds-core/issues/1036)) ([84fa893](https://github.com/defenseunicorns/uds-core/commit/84fa893a5420f4cc0b9eedf706935946b1506e04)) +* **deps:** update grafana to v8.6.1 ([#1040](https://github.com/defenseunicorns/uds-core/issues/1040)) ([1454397](https://github.com/defenseunicorns/uds-core/commit/1454397f1a44361032680a3b2c9d739b46a5e5c1)) +* **deps:** update keycloak to v26.0.6 ([#1041](https://github.com/defenseunicorns/uds-core/issues/1041)) 
([582db22](https://github.com/defenseunicorns/uds-core/commit/582db22e5ac759fa6bc823849f35a736b803da8f)) +* **deps:** update keycloak to v26.0.7 ([#1057](https://github.com/defenseunicorns/uds-core/issues/1057)) ([ef96ef0](https://github.com/defenseunicorns/uds-core/commit/ef96ef056ec5ccb3ca6956bc687dd8cebe31dbc8)) +* **deps:** update neuvector to 5.4.1 ([#1039](https://github.com/defenseunicorns/uds-core/issues/1039)) ([8727675](https://github.com/defenseunicorns/uds-core/commit/8727675d8137b5e84c4337bd7f794633a397ab47)) +* **deps:** update node types to v22.9.3 ([#1049](https://github.com/defenseunicorns/uds-core/issues/1049)) ([e454222](https://github.com/defenseunicorns/uds-core/commit/e454222f1b994f99134f510c325369715964651d)) +* **deps:** update node types to v22.9.4 ([#1051](https://github.com/defenseunicorns/uds-core/issues/1051)) ([0f0240a](https://github.com/defenseunicorns/uds-core/commit/0f0240a5d6b57ba83379ad9525956355b39bb69f)) +* **deps:** update support dependencies to v0.196.0 ([#1054](https://github.com/defenseunicorns/uds-core/issues/1054)) ([67419f5](https://github.com/defenseunicorns/uds-core/commit/67419f536f957f39c99c1f7b6c6131f0c2c50e84)) +* **deps:** update support-deps ([#1046](https://github.com/defenseunicorns/uds-core/issues/1046)) ([6cf96f0](https://github.com/defenseunicorns/uds-core/commit/6cf96f052e038cb3397ce166c142bb88b981caaf)) +* **deps:** update support-deps ([#1048](https://github.com/defenseunicorns/uds-core/issues/1048)) ([d77155f](https://github.com/defenseunicorns/uds-core/commit/d77155ff7e91e11cb5f1c02cb75fcd514d60bb5f)) +* **deps:** update support-deps ([#1052](https://github.com/defenseunicorns/uds-core/issues/1052)) ([e1cf7db](https://github.com/defenseunicorns/uds-core/commit/e1cf7db82ddaa4c0fced55e8b39f0567696933c2)) +* **deps:** update support-deps ([#1056](https://github.com/defenseunicorns/uds-core/issues/1056)) 
([abab719](https://github.com/defenseunicorns/uds-core/commit/abab71919c6c268c59426a6ccca92622f80c2d6f)) +* **deps:** update vector helm chart to v0.38.0 ([#1092](https://github.com/defenseunicorns/uds-core/issues/1092)) ([2cb4181](https://github.com/defenseunicorns/uds-core/commit/2cb41812cdf6482fdb053aff2c617f21a3d389b2)) +* **deps:** update vector to v0.43.0 ([#1059](https://github.com/defenseunicorns/uds-core/issues/1059)) ([55bf0b3](https://github.com/defenseunicorns/uds-core/commit/55bf0b3a05046c4cc72d55a62bdd9140f2205aa2)) +* **deps:** update velero chart to v8.1.0 ([#1050](https://github.com/defenseunicorns/uds-core/issues/1050)) ([7b0d51b](https://github.com/defenseunicorns/uds-core/commit/7b0d51b2e73ce7a30397c3942fcc4de3177d81ac)) +* **deps:** update velero kubectl images to v1.31.3 ([#1034](https://github.com/defenseunicorns/uds-core/issues/1034)) ([9bf286f](https://github.com/defenseunicorns/uds-core/commit/9bf286fe5afa6c6ef79995a6ef99ed9e66d2adeb)) +* fix checkpoint to properly publish uds-core ([#1044](https://github.com/defenseunicorns/uds-core/issues/1044)) ([f1c54cf](https://github.com/defenseunicorns/uds-core/commit/f1c54cf17372eee1b74c96e5a2c73a6a5f8ebea7)) +* reduce default cpu requests for dev/demo bundles ([#1047](https://github.com/defenseunicorns/uds-core/issues/1047)) ([e0bde2f](https://github.com/defenseunicorns/uds-core/commit/e0bde2f4e988377b61d70b112c1f7d6a4b8abdc8)) +* update cli install to use setup-uds action ([#1061](https://github.com/defenseunicorns/uds-core/issues/1061)) ([daebe9b](https://github.com/defenseunicorns/uds-core/commit/daebe9b6813212c090622f78be85607fab6f6dc6)) + ## [0.32.0](https://github.com/defenseunicorns/uds-core/compare/v0.31.2...v0.32.0) (2024-11-22) diff --git a/README.md b/README.md index cb19d405f..0651d6808 100644 --- a/README.md +++ b/README.md 
@@ -59,7 +59,7 @@ If you want to try out UDS Core, you can use the [k3d-core-demo bundle](./bundle ```bash -uds deploy k3d-core-demo:0.32.0 +uds deploy k3d-core-demo:0.32.1 ``` @@ -73,7 +73,7 @@ Deploy Istio, Keycloak and Pepr: ```bash -uds deploy k3d-core-slim-dev:0.32.0 +uds deploy k3d-core-slim-dev:0.32.1 ``` diff --git a/bundles/k3d-slim-dev/uds-bundle.yaml b/bundles/k3d-slim-dev/uds-bundle.yaml index 55f4d5c72..d6bf797db 100644 --- a/bundles/k3d-slim-dev/uds-bundle.yaml +++ b/bundles/k3d-slim-dev/uds-bundle.yaml @@ -6,7 +6,7 @@ metadata: name: k3d-core-slim-dev description: A UDS bundle for deploying Istio from UDS Core on a development cluster # x-release-please-start-version - version: "0.32.0" + version: "0.32.1" # x-release-please-end packages: @@ -37,7 +37,7 @@ packages: - name: core-base path: ../../build/ # x-release-please-start-version - ref: 0.32.0 + ref: 0.32.1 # x-release-please-end overrides: pepr-uds-core: @@ -92,7 +92,7 @@ packages: - name: core-identity-authorization path: ../../build/ # x-release-please-start-version - ref: 0.32.0 + ref: 0.32.1 # x-release-please-end overrides: keycloak: diff --git a/bundles/k3d-standard/uds-bundle.yaml b/bundles/k3d-standard/uds-bundle.yaml index 163f5f0f4..2be91bf61 100644 --- a/bundles/k3d-standard/uds-bundle.yaml +++ b/bundles/k3d-standard/uds-bundle.yaml @@ -6,7 +6,7 @@ metadata: name: k3d-core-demo description: A UDS bundle for deploying the standard UDS Core package on a development cluster # x-release-please-start-version - version: "0.32.0" + version: "0.32.1" # x-release-please-end packages: @@ -37,7 +37,7 @@ packages: - name: core path: ../../build/ # x-release-please-start-version - ref: 0.32.0 + ref: 0.32.1 # x-release-please-end optionalComponents: - istio-passthrough-gateway diff --git a/packages/backup-restore/zarf.yaml b/packages/backup-restore/zarf.yaml index ee155cf78..add61a101 100644 --- a/packages/backup-restore/zarf.yaml +++ b/packages/backup-restore/zarf.yaml 
@@ -7,7 +7,7 @@ metadata: description: "UDS Core (Backup and Restore)" authors: "Defense Unicorns - Product" # x-release-please-start-version - version: "0.32.0" + version: "0.32.1" # x-release-please-end x-uds-dependencies: ["base"] diff --git a/packages/base/zarf.yaml b/packages/base/zarf.yaml index e237f114b..22142f514 100644 --- a/packages/base/zarf.yaml +++ b/packages/base/zarf.yaml @@ -7,7 +7,7 @@ metadata: description: "UDS Core (Base)" authors: "Defense Unicorns - Product" # x-release-please-start-version - version: "0.32.0" + version: "0.32.1" # x-release-please-end x-uds-dependencies: [] diff --git a/packages/checkpoint-dev/zarf.yaml b/packages/checkpoint-dev/zarf.yaml index 820a47b87..366b175f0 100644 --- a/packages/checkpoint-dev/zarf.yaml +++ b/packages/checkpoint-dev/zarf.yaml @@ -7,7 +7,7 @@ metadata: description: "Rehydratable UDS K3d + UDS Core Slim (Istio, UDS Operator and Keycloak) Checkpoint" authors: "Defense Unicorns - Product" # x-release-please-start-version - version: "0.32.0" + version: "0.32.1" # x-release-please-end variables: diff --git a/packages/identity-authorization/zarf.yaml b/packages/identity-authorization/zarf.yaml index 512bae8ed..c52e4e4c1 100644 --- a/packages/identity-authorization/zarf.yaml +++ b/packages/identity-authorization/zarf.yaml @@ -7,7 +7,7 @@ metadata: description: "UDS Core (Identity & Authorization)" authors: "Defense Unicorns - Product" # x-release-please-start-version - version: "0.32.0" + version: "0.32.1" # x-release-please-end x-uds-dependencies: ["base"] diff --git a/packages/logging/zarf.yaml b/packages/logging/zarf.yaml index d6ae920aa..c9393091a 100644 --- a/packages/logging/zarf.yaml +++ b/packages/logging/zarf.yaml @@ -7,7 +7,7 @@ metadata: description: "UDS Core (Logging)" authors: "Defense Unicorns - Product" # x-release-please-start-version - version: "0.32.0" + version: "0.32.1" # x-release-please-end x-uds-dependencies: ["base"] 
diff --git a/packages/metrics-server/zarf.yaml b/packages/metrics-server/zarf.yaml index cfc84468c..9aa9e7327 100644 --- a/packages/metrics-server/zarf.yaml +++ b/packages/metrics-server/zarf.yaml @@ -7,7 +7,7 @@ metadata: description: "UDS Core (Metrics Server)" authors: "Defense Unicorns - Product" # x-release-please-start-version - version: "0.32.0" + version: "0.32.1" # x-release-please-end x-uds-dependencies: ["base"] diff --git a/packages/monitoring/zarf.yaml b/packages/monitoring/zarf.yaml index 253d73502..aac2acdf1 100644 --- a/packages/monitoring/zarf.yaml +++ b/packages/monitoring/zarf.yaml @@ -7,7 +7,7 @@ metadata: description: "UDS Core Monitoring (Prometheus and Grafana)" authors: "Defense Unicorns - Product" # x-release-please-start-version - version: "0.32.0" + version: "0.32.1" # x-release-please-end x-uds-dependencies: ["base", "identity-authorization"] diff --git a/packages/runtime-security/zarf.yaml b/packages/runtime-security/zarf.yaml index e05934a69..c2962ecde 100644 --- a/packages/runtime-security/zarf.yaml +++ b/packages/runtime-security/zarf.yaml @@ -7,7 +7,7 @@ metadata: description: "UDS Core (Runtime Security)" authors: "Defense Unicorns - Product" # x-release-please-start-version - version: "0.32.0" + version: "0.32.1" # x-release-please-end x-uds-dependencies: ["base", "identity-authorization"] diff --git a/packages/standard/zarf.yaml b/packages/standard/zarf.yaml index 6cfa5ecdd..370ca54b6 100644 --- a/packages/standard/zarf.yaml +++ b/packages/standard/zarf.yaml @@ -7,7 +7,7 @@ metadata: description: "UDS Core" authors: "Defense Unicorns - Product" # x-release-please-start-version - version: "0.32.0" + version: "0.32.1" # x-release-please-end components: diff --git a/tasks/deploy.yaml b/tasks/deploy.yaml index 14a7dcdb1..32cfc4767 100644 --- a/tasks/deploy.yaml +++ b/tasks/deploy.yaml 
@@ -9,7 +9,7 @@ variables: - name: VERSION description: "The version of the packages to deploy" # x-release-please-start-version - default: "0.32.0" + default: "0.32.1" # x-release-please-end - name: FLAVOR default: upstream diff --git a/tasks/publish.yaml b/tasks/publish.yaml index 940ad1fe4..912f21411 100644 --- a/tasks/publish.yaml +++ b/tasks/publish.yaml @@ -14,7 +14,7 @@ variables: - name: VERSION description: "The version of the packages to build" # x-release-please-start-version - default: "0.32.0" + default: "0.32.1" # x-release-please-end - name: LAYER From 27112092e08f67ae4d414c94beaa86e163e307bd Mon Sep 17 00:00:00 2001 From: Jeff Rescignano Date: Fri, 6 Dec 2024 11:02:09 -0500 Subject: [PATCH 10/21] feat: set Istio gateway TLS from Kubernetes secret (#982) ## Description Adds the ability to set Istio gateway TLS from Kubernetes secret ## Related Issue Fixes #976 ## Type of change - [ ] Bug fix (non-breaking change which fixes an issue) - [x] New feature (non-breaking change which adds functionality) - [ ] Other (security config, docs update, etc) ## Checklist before merging - [x] Test, docs, adr added or updated as needed - [x] [Contributor Guide](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md) followed --------- Co-authored-by: Micah Nagel --- docs/reference/configuration/ingress.md | 29 +++++++++++++++++++++++++ src/istio/chart/templates/gateway.yaml | 2 +- src/istio/chart/templates/tls-cert.yaml | 2 +- src/istio/chart/values.yaml | 3 +++ 4 files changed, 34 insertions(+), 2 deletions(-) diff --git a/docs/reference/configuration/ingress.md b/docs/reference/configuration/ingress.md index ef52bc6d1..416469356 100644 --- a/docs/reference/configuration/ingress.md +++ b/docs/reference/configuration/ingress.md 
@@ -99,3 +99,32 @@ variables: :::note If you are using Private PKI or self-signed certificates for your tenant certificates it is necessary to additionally configure `UDS_CA_CERT` with additional [trusted certificate authorities](https://uds.defenseunicorns.com/reference/configuration/uds-operator/#trusted-certificate-authority). ::: + +#### Configuring TLS from a Secret + +As an alternative to specifying individual certificate, key, and CA certificate values, you can set `tls.credentialName` in the gateway configuration. This field specifies the name of a Kubernetes secret containing the TLS certificate, key, and optional CA certificate for the gateway. When `tls.credentialName` is set, it will override `tls.cert`, `tls.key`, and `tls.cacert` values, simplifying the configuration by allowing a direct reference to a Kubernetes TLS secret. This secret should be placed in the same namespace as the gateway resource. See [Gateway ServerTLSSettings](https://istio.io/latest/docs/reference/config/networking/gateway/#ServerTLSSettings) for all required and available secret keys. + +This approach is useful if you already have a Kubernetes secret that holds the necessary TLS data and want to use it directly. + +```yaml +kind: UDSBundle +metadata: + name: core-with-credentialName + description: A UDS example bundle for packaging UDS core with a custom TLS credentialName + version: "0.0.1" + +packages: + - name: core + repository: oci://ghcr.io/defenseunicorns/packages/uds/core + ref: 0.23.0-upstream + overrides: + istio-admin-gateway: + uds-istio-config: + values: + - path: tls.credentialName + value: admin-gateway-tls-secret # Reference to the Kubernetes secret for the admin gateway's TLS certificate + istio-tenant-gateway: + uds-istio-config: + values: + - path: tls.credentialName + value: tenant-gateway-tls-secret # Reference to the Kubernetes secret for the tenant gateway's TLS certificate 
diff --git a/src/istio/chart/templates/gateway.yaml b/src/istio/chart/templates/gateway.yaml index c14e81a74..3bcfdb040 100644 --- a/src/istio/chart/templates/gateway.yaml +++ b/src/istio/chart/templates/gateway.yaml @@ -34,7 +34,7 @@ spec: tls: mode: {{ $server.mode }} {{- if ne $server.mode "PASSTHROUGH" }} - credentialName: gateway-tls + credentialName: {{ $.Values.tls.credentialName | default "gateway-tls" | quote }} # if supportTLSV1_2 is both defined and true, use TLSV1_2, otherwise use TLSV1_3 minProtocolVersion: {{ if $.Values.tls.supportTLSV1_2 }}TLSV1_2{{ else }}TLSV1_3{{ end }} {{- end }} diff --git a/src/istio/chart/templates/tls-cert.yaml b/src/istio/chart/templates/tls-cert.yaml index 0fd4f0314..0c22dddee 100644 --- a/src/istio/chart/templates/tls-cert.yaml +++ b/src/istio/chart/templates/tls-cert.yaml @@ -2,7 +2,7 @@ # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial {{- $tls := .Values.tls }} -{{ if $tls.cert }} +{{ if and $tls.cert (not $tls.credentialName) }} apiVersion: v1 kind: Secret metadata: diff --git a/src/istio/chart/values.yaml b/src/istio/chart/values.yaml index a399181c4..bf23ff6ff 100644 --- a/src/istio/chart/values.yaml +++ b/src/istio/chart/values.yaml @@ -17,6 +17,9 @@ domain: "###ZARF_VAR_DOMAIN###" # # The CA certificate for the gateway when using `MUTUAL' or 'OPTIONAL_MUTUAL' (base64 encoded) # cacert: "" +# # The name of the secret containing the TLS certificate to use for this gateway, this will override cert, key and cacert +# credentialName: "" + # # Map of gateway server entries # servers: # # Name of the gateway port to use for TLS, this is effectively a "list" in map form From 2fa010fc58fdb95280c431511e92315ccd9a86ff Mon Sep 17 00:00:00 2001 
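Review bot: The templated `credentialName` line in gateway.yaml carries no comment saying what the referenced secret must satisfy once the chart stops creating it. When `tls.credentialName` is set, the companion change in tls-cert.yaml skips rendering the chart's own Secret, so the gateway's certificate, key and, for `MUTUAL`/`OPTIONAL_MUTUAL` servers, the client-validation CA all come from an object this chart neither creates nor checks. I would add above the line: `# tls.credentialName, when set, must name an existing TLS secret in the gateway's namespace; for MUTUAL/OPTIONAL_MUTUAL servers it must also carry the CA certificate, because tls.cacert is ignored`. The line sits in what looks like a loop over servers that starts outside the hunk, so the same secret would serve every non-PASSTHROUGH server.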
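Review bot: The new guard `and $tls.cert (not $tls.credentialName)` in tls-cert.yaml makes inline `tls.cert`/`tls.key`/`tls.cacert` values silently lose to `tls.credentialName` when both are supplied, and nothing in the template says so. On an upgrade of a release that previously rendered this Secret, setting `tls.credentialName` would presumably make Helm delete the chart-managed Secret, so the external secret needs to exist before the upgrade or the gateway could be left without a certificate. The Secret's name and data are outside the hunk, so that part is inferred. A comment above the guard would record the precedence: `# tls.credentialName takes precedence: when it is set this Secret is not rendered and tls.cert, tls.key and tls.cacert are ignored`.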
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Fri, 6 Dec 2024 13:19:54 -0700 Subject: [PATCH 11/21] chore(deps): update support-deps (#1076) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This PR contains the following updates: | Package | Type | Update | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---|---|---| | aws | required_provider | minor | `~> 5.79.0` -> `~> 5.80.0` | [![age](https://developer.mend.io/api/mc/badges/age/terraform-provider/hashicorp%2faws/5.80.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/terraform-provider/hashicorp%2faws/5.80.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/terraform-provider/hashicorp%2faws/5.79.0/5.80.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/terraform-provider/hashicorp%2faws/5.79.0/5.80.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | | ghcr.io/zarf-dev/packages/init | | minor | `v0.43.1` -> `v0.44.0` | [![age](https://developer.mend.io/api/mc/badges/age/docker/ghcr.io%2fzarf-dev%2fpackages%2finit/v0.44.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/docker/ghcr.io%2fzarf-dev%2fpackages%2finit/v0.44.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/docker/ghcr.io%2fzarf-dev%2fpackages%2finit/v0.43.1/v0.44.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/docker/ghcr.io%2fzarf-dev%2fpackages%2finit/v0.43.1/v0.44.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | | 
[kubernetes-fluent-client](https://redirect.github.com/defenseunicorns/kubernetes-fluent-client) | devDependencies | patch | [`3.3.6` -> `3.3.7`](https://renovatebot.com/diffs/npm/kubernetes-fluent-client/3.3.6/3.3.7) | [![age](https://developer.mend.io/api/mc/badges/age/npm/kubernetes-fluent-client/3.3.7?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/kubernetes-fluent-client/3.3.7?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/kubernetes-fluent-client/3.3.6/3.3.7?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/kubernetes-fluent-client/3.3.6/3.3.7?slim=true)](https://docs.renovatebot.com/merge-confidence/) | | [zarf-dev/zarf](https://redirect.github.com/zarf-dev/zarf) | | minor | `v0.43.1` -> `v0.44.0` | [![age](https://developer.mend.io/api/mc/badges/age/github-tags/zarf-dev%2fzarf/v0.44.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/github-tags/zarf-dev%2fzarf/v0.44.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/github-tags/zarf-dev%2fzarf/v0.43.1/v0.44.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/github-tags/zarf-dev%2fzarf/v0.43.1/v0.44.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | --- ### Release Notes
defenseunicorns/kubernetes-fluent-client (kubernetes-fluent-client) ### [`v3.3.7`](https://redirect.github.com/defenseunicorns/kubernetes-fluent-client/releases/tag/v3.3.7) [Compare Source](https://redirect.github.com/defenseunicorns/kubernetes-fluent-client/compare/v3.3.6...v3.3.7) ##### Bug Fixes - remove cruft from pub'd package ([#​503](https://redirect.github.com/defenseunicorns/kubernetes-fluent-client/issues/503)) ([568c321](https://redirect.github.com/defenseunicorns/kubernetes-fluent-client/commit/568c3215b3ee533ccf42d3e7adfc168869762297)), closes [#​499](https://redirect.github.com/defenseunicorns/kubernetes-fluent-client/issues/499)
zarf-dev/zarf (zarf-dev/zarf) ### [`v0.44.0`](https://redirect.github.com/zarf-dev/zarf/releases/tag/v0.44.0) [Compare Source](https://redirect.github.com/zarf-dev/zarf/compare/v0.43.1...v0.44.0) #### What's Changed - chore(deps): bump github/codeql-action from 3.27.3 to 3.27.4 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/zarf-dev/zarf/pull/3246](https://redirect.github.com/zarf-dev/zarf/pull/3246) - chore(deps): bump codecov/codecov-action from 4.6.0 to 5.0.2 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/zarf-dev/zarf/pull/3245](https://redirect.github.com/zarf-dev/zarf/pull/3245) - chore(deps): bump helm.sh/helm/v3 from 3.16.2 to 3.16.3 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/zarf-dev/zarf/pull/3240](https://redirect.github.com/zarf-dev/zarf/pull/3240) - chore: dos-games dockerhub image to ghcr by [@​AustinAbro321](https://redirect.github.com/AustinAbro321) in [https://github.com/zarf-dev/zarf/pull/3233](https://redirect.github.com/zarf-dev/zarf/pull/3233) - chore: unhide log-format flag by [@​AustinAbro321](https://redirect.github.com/AustinAbro321) in [https://github.com/zarf-dev/zarf/pull/3251](https://redirect.github.com/zarf-dev/zarf/pull/3251) - chore(deps): bump actions/dependency-review-action from 4.4.0 to 4.5.0 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/zarf-dev/zarf/pull/3258](https://redirect.github.com/zarf-dev/zarf/pull/3258) - chore(deps): bump github/codeql-action from 3.27.4 to 3.27.5 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/zarf-dev/zarf/pull/3256](https://redirect.github.com/zarf-dev/zarf/pull/3256) - chore(deps): bump codecov/codecov-action from 5.0.2 to 5.0.7 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/zarf-dev/zarf/pull/3257](https://redirect.github.com/zarf-dev/zarf/pull/3257) - chore(deps): bump 
github.com/mikefarah/yq/v4 from 4.44.3 to 4.44.5 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/zarf-dev/zarf/pull/3247](https://redirect.github.com/zarf-dev/zarf/pull/3247) - chore: add ADOPTERS.md by [@​schristoff](https://redirect.github.com/schristoff) in [https://github.com/zarf-dev/zarf/pull/3225](https://redirect.github.com/zarf-dev/zarf/pull/3225) - chore(deps): bump github.com/golang-jwt/jwt/v4 from 4.5.0 to 4.5.1 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/zarf-dev/zarf/pull/3263](https://redirect.github.com/zarf-dev/zarf/pull/3263) - Update Go to 1.23.3 by [@​phillebaba](https://redirect.github.com/phillebaba) in [https://github.com/zarf-dev/zarf/pull/3260](https://redirect.github.com/zarf-dev/zarf/pull/3260) - chore: separate schema generation by [@​AustinAbro321](https://redirect.github.com/AustinAbro321) in [https://github.com/zarf-dev/zarf/pull/2886](https://redirect.github.com/zarf-dev/zarf/pull/2886) - fix: maintain agent mutate even when already mutated by [@​a1994sc](https://redirect.github.com/a1994sc) in [https://github.com/zarf-dev/zarf/pull/3166](https://redirect.github.com/zarf-dev/zarf/pull/3166) - chore(deps): bump github.com/anchore/stereoscope from 0.0.6-0.20241101185849-cbd43fb4e5d3 to 0.0.9 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/zarf-dev/zarf/pull/3264](https://redirect.github.com/zarf-dev/zarf/pull/3264) - Set Helm max history to limit secret creation by [@​phillebaba](https://redirect.github.com/phillebaba) in [https://github.com/zarf-dev/zarf/pull/3249](https://redirect.github.com/zarf-dev/zarf/pull/3249) - feat: add logger to packager.Publish by [@​mkcp](https://redirect.github.com/mkcp) in [https://github.com/zarf-dev/zarf/pull/3259](https://redirect.github.com/zarf-dev/zarf/pull/3259) - feat: introduce slog for zarf tools by [@​AustinAbro321](https://redirect.github.com/AustinAbro321) in 
[https://github.com/zarf-dev/zarf/pull/3212](https://redirect.github.com/zarf-dev/zarf/pull/3212) - chore(deps): bump github.com/derailed/k9s from 0.32.5 to 0.32.7 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/zarf-dev/zarf/pull/3262](https://redirect.github.com/zarf-dev/zarf/pull/3262) - feat: add the new logger through Zarf wherever it is missing by [@​AustinAbro321](https://redirect.github.com/AustinAbro321) in [https://github.com/zarf-dev/zarf/pull/3265](https://redirect.github.com/zarf-dev/zarf/pull/3265) - chore(deps): bump github.com/Masterminds/semver/v3 from 3.3.0 to 3.3.1 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/zarf-dev/zarf/pull/3269](https://redirect.github.com/zarf-dev/zarf/pull/3269) - chore(deps): bump k8s.io/kubectl from 0.31.2 to 0.31.3 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/zarf-dev/zarf/pull/3268](https://redirect.github.com/zarf-dev/zarf/pull/3268) - Refactor compose e2e test to not depend on CLI output by [@​phillebaba](https://redirect.github.com/phillebaba) in [https://github.com/zarf-dev/zarf/pull/3126](https://redirect.github.com/zarf-dev/zarf/pull/3126) - chore(deps): bump github.com/stretchr/testify from 1.9.0 to 1.10.0 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/zarf-dev/zarf/pull/3272](https://redirect.github.com/zarf-dev/zarf/pull/3272) - chore(deps): bump sigs.k8s.io/controller-runtime from 0.19.1 to 0.19.2 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/zarf-dev/zarf/pull/3273](https://redirect.github.com/zarf-dev/zarf/pull/3273) - chore(deps): bump github.com/anchore/syft from 1.16.0 to 1.17.0 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/zarf-dev/zarf/pull/3271](https://redirect.github.com/zarf-dev/zarf/pull/3271) - chore(deps): bump github.com/goccy/go-yaml from 1.13.0 to 1.15.3 by 
[@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/zarf-dev/zarf/pull/3279](https://redirect.github.com/zarf-dev/zarf/pull/3279) - chore(deps): bump github.com/goccy/go-yaml from 1.15.3 to 1.15.4 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/zarf-dev/zarf/pull/3280](https://redirect.github.com/zarf-dev/zarf/pull/3280) - Group k8s dependabot dependency updates by [@​phillebaba](https://redirect.github.com/phillebaba) in [https://github.com/zarf-dev/zarf/pull/3274](https://redirect.github.com/zarf-dev/zarf/pull/3274) - Refactor migrate deprecated by [@​phillebaba](https://redirect.github.com/phillebaba) in [https://github.com/zarf-dev/zarf/pull/3270](https://redirect.github.com/zarf-dev/zarf/pull/3270) - chore(deps): bump github.com/goccy/go-yaml from 1.15.4 to 1.15.6 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/zarf-dev/zarf/pull/3281](https://redirect.github.com/zarf-dev/zarf/pull/3281) - chore(deps): bump sigs.k8s.io/controller-runtime from 0.19.2 to 0.19.3 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/zarf-dev/zarf/pull/3282](https://redirect.github.com/zarf-dev/zarf/pull/3282) - chore(deps): bump github/codeql-action from 3.27.5 to 3.27.6 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/zarf-dev/zarf/pull/3287](https://redirect.github.com/zarf-dev/zarf/pull/3287) - Update CONTRIBUTING.md to reflect policies by [@​schristoff](https://redirect.github.com/schristoff) in [https://github.com/zarf-dev/zarf/pull/3288](https://redirect.github.com/zarf-dev/zarf/pull/3288) - feat: allow init packages to be explicitly versioned by [@​AustinAbro321](https://redirect.github.com/AustinAbro321) in [https://github.com/zarf-dev/zarf/pull/3286](https://redirect.github.com/zarf-dev/zarf/pull/3286) - chore(deps): bump golang.org/x/term from 0.26.0 to 0.27.0 by [@​dependabot](https://redirect.github.com/dependabot) in 
[https://github.com/zarf-dev/zarf/pull/3292](https://redirect.github.com/zarf-dev/zarf/pull/3292) - chore(deps): bump golang.org/x/crypto from 0.29.0 to 0.30.0 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/zarf-dev/zarf/pull/3291](https://redirect.github.com/zarf-dev/zarf/pull/3291) - chore: remove deprecated get git password command by [@​AustinAbro321](https://redirect.github.com/AustinAbro321) in [https://github.com/zarf-dev/zarf/pull/3293](https://redirect.github.com/zarf-dev/zarf/pull/3293) - feat: move console to default by [@​AustinAbro321](https://redirect.github.com/AustinAbro321) in [https://github.com/zarf-dev/zarf/pull/3294](https://redirect.github.com/zarf-dev/zarf/pull/3294) - feat: render tables and yaml on stdout by [@​mkcp](https://redirect.github.com/mkcp) in [https://github.com/zarf-dev/zarf/pull/3226](https://redirect.github.com/zarf-dev/zarf/pull/3226) **Full Changelog**: https://github.com/zarf-dev/zarf/compare/v0.43.1...v0.44.0
--- ### Configuration πŸ“… **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. β™» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. πŸ‘» **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/defenseunicorns/uds-core). Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- .github/bundles/aks/uds-bundle.yaml | 2 +- .github/bundles/eks/uds-bundle.yaml | 2 +- .github/bundles/rke2/uds-bundle.yaml | 2 +- .github/test-infra/aws/rke2/versions.tf | 2 +- bundles/k3d-slim-dev/uds-bundle.yaml | 2 +- bundles/k3d-standard/uds-bundle.yaml | 2 +- tasks/setup.yaml | 2 +- test/jest/package-lock.json | 22 +++++++++++----------- 8 files changed, 18 insertions(+), 18 deletions(-) diff --git a/.github/bundles/aks/uds-bundle.yaml b/.github/bundles/aks/uds-bundle.yaml index 5bb30cad9..1b0023366 100644 --- a/.github/bundles/aks/uds-bundle.yaml +++ b/.github/bundles/aks/uds-bundle.yaml @@ -12,7 +12,7 @@ metadata: packages: - name: init repository: ghcr.io/zarf-dev/packages/init - ref: v0.43.1 + ref: v0.44.0 - name: core path: ../../../build diff --git a/.github/bundles/eks/uds-bundle.yaml b/.github/bundles/eks/uds-bundle.yaml index ad82b3cd0..f59908b6c 100644 --- a/.github/bundles/eks/uds-bundle.yaml +++ b/.github/bundles/eks/uds-bundle.yaml @@ -12,7 +12,7 @@ metadata: packages: - name: init repository: ghcr.io/zarf-dev/packages/init - ref: v0.43.1 + ref: v0.44.0 - name: core path: ../../../build 
diff --git a/.github/bundles/rke2/uds-bundle.yaml b/.github/bundles/rke2/uds-bundle.yaml
index 063b944fd..19e755bbd 100644
--- a/.github/bundles/rke2/uds-bundle.yaml
+++ b/.github/bundles/rke2/uds-bundle.yaml
@@ -16,7 +16,7 @@ packages: - name: init repository: ghcr.io/zarf-dev/packages/init - ref: v0.43.1 + ref: v0.44.0 overrides: zarf-registry: docker-registry:
diff --git a/.github/test-infra/aws/rke2/versions.tf b/.github/test-infra/aws/rke2/versions.tf
index 9d1a0d91e..d636446e6 100644
--- a/.github/test-infra/aws/rke2/versions.tf
+++ b/.github/test-infra/aws/rke2/versions.tf
@@ -6,7 +6,7 @@ terraform { } required_providers { aws = { - version = "~> 5.79.0" + version = "~> 5.80.0" } random = { version = "~> 3.6.0"
diff --git a/bundles/k3d-slim-dev/uds-bundle.yaml b/bundles/k3d-slim-dev/uds-bundle.yaml
index d6bf797db..671a4aef5 100644
--- a/bundles/k3d-slim-dev/uds-bundle.yaml
+++ b/bundles/k3d-slim-dev/uds-bundle.yaml
@@ -32,7 +32,7 @@ packages: - name: init repository: ghcr.io/zarf-dev/packages/init - ref: v0.43.1 + ref: v0.44.0 - name: core-base path: ../../build/
diff --git a/bundles/k3d-standard/uds-bundle.yaml b/bundles/k3d-standard/uds-bundle.yaml
index 2be91bf61..4cfb9f09b 100644
--- a/bundles/k3d-standard/uds-bundle.yaml
+++ b/bundles/k3d-standard/uds-bundle.yaml
@@ -32,7 +32,7 @@ packages: - name: init repository: ghcr.io/zarf-dev/packages/init - ref: v0.43.1 + ref: v0.44.0 - name: core path: ../../build/
diff --git a/tasks/setup.yaml b/tasks/setup.yaml
index b46670b75..db97ff52f 100644
--- a/tasks/setup.yaml
+++ b/tasks/setup.yaml
@@ -15,4 +15,4 @@ tasks: - description: "Initialize the cluster with Zarf" # renovate: datasource=github-tags depName=zarf-dev/zarf versioning=semver - cmd: "uds zarf package deploy oci://ghcr.io/zarf-dev/packages/init:v0.43.1 --confirm --no-progress" + cmd: "uds zarf package deploy oci://ghcr.io/zarf-dev/packages/init:v0.44.0 --confirm --no-progress"
diff --git a/test/jest/package-lock.json b/test/jest/package-lock.json index e691c8cb3..8ec1d2b4a 100644 --- a/test/jest/package-lock.json +++ b/test/jest/package-lock.json @@ -3267,9 +3267,9 @@ } }, "node_modules/kubernetes-fluent-client": { - "version": "3.3.6", - "resolved": "https://registry.npmjs.org/kubernetes-fluent-client/-/kubernetes-fluent-client-3.3.6.tgz", - "integrity": "sha512-da87A2Cvd4USOXWSlA+LwdE+ZeZEMFwcbtSjFmyXoAEUDhIf+EgcDBkTPKWf12R7blvvl6O3qGeOY2TgCHkcWw==", + "version": "3.3.7", + "resolved": "https://registry.npmjs.org/kubernetes-fluent-client/-/kubernetes-fluent-client-3.3.7.tgz", + "integrity": "sha512-KBgt2tQ76CfrDd8aig1xrCIcazztARdTYsqHH1//DctbUEB++2yz+KYR9CYBisSySDS625e86MVfxIB63R77hw==", "dev": true, "license": "Apache-2.0", "dependencies": { @@ -3278,8 +3278,8 @@ "http-status-codes": "2.3.0", "node-fetch": "2.7.0", "quicktype-core": "23.0.170", - "type-fest": "4.29.1", - "undici": "7.0.0", + "type-fest": "4.30.0", + "undici": "7.1.0", "yargs": "17.7.2" }, "bin": { @@ -3290,9 +3290,9 @@ } }, "node_modules/kubernetes-fluent-client/node_modules/type-fest": { - "version": "4.29.1", - "resolved": "https://registry.npmjs.org/type-fest/-/type-fest-4.29.1.tgz", - "integrity": "sha512-Y1zUveI92UYM/vo1EFlQSsNf74+hfKH+7saZJslF0Fw92FRaiTAnHPIvo9d7SLxXt/gAYqA4RXyDTioMQCCp0A==", + "version": "4.30.0", + "resolved": "https://registry.npmjs.org/type-fest/-/type-fest-4.30.0.tgz", + "integrity": "sha512-G6zXWS1dLj6eagy6sVhOMQiLtJdxQBHIA9Z6HFUNLOlr6MFOgzV8wvmidtPONfPtEUv0uZsy77XJNzTAfwPDaA==", "dev": true, "license": "(MIT OR CC0-1.0)", "engines": { 
@@ -4528,9 +4528,9 @@ } }, "node_modules/undici": { - "version": "7.0.0", - "resolved": "https://registry.npmjs.org/undici/-/undici-7.0.0.tgz", - "integrity": "sha512-c4xi3kWnQJrb7h2q8aJYKvUzmz7boCgz1cUCC6OwdeM5Tr2P0hDuthr2iut4ggqsz+Cnh20U/LoTzbKIdDS/Nw==", + "version": "7.1.0", + "resolved": "https://registry.npmjs.org/undici/-/undici-7.1.0.tgz", + "integrity": "sha512-3+mdX2R31khuLCm2mKExSlMdJsfol7bJkIMH80tdXA74W34rT1jKemUTlYR7WY3TqsV4wfOgpatWmmB2Jl1+5g==", "dev": true, "license": "MIT", "engines": { From 33cee59c8a007252a3e6964c8fe341934033443a Mon Sep 17 00:00:00 2001 From: Joel McCoy Date: Fri, 6 Dec 2024 17:13:01 -0600 Subject: [PATCH 12/21] chore(docs): replace promtail reference with vector in prerequisites (#1098) ## Description There was a lingering reference to promtail in the website docs on the prerequisites page. Replaced promtail with vector. ## Related Issue ## Type of change - [ ] Bug fix (non-breaking change which fixes an issue) - [ ] New feature (non-breaking change which adds functionality) - [x] Other (security config, docs update, etc) ## Checklist before merging - [x] Test, docs, adr added or updated as needed - [x] [Contributor Guide](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md) followed --- docs/reference/UDS Core/prerequisites.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/docs/reference/UDS Core/prerequisites.md b/docs/reference/UDS Core/prerequisites.md index 14d8b7fcf..34c1043e9 100644 --- a/docs/reference/UDS Core/prerequisites.md +++ b/docs/reference/UDS Core/prerequisites.md 
@@ -70,9 +70,10 @@ In addition, to run Istio ingress gateways (part of Core) you will need to ensur NeuVector historically has functioned best when the host is using cgroup v2. Cgroup v2 is enabled by default on many modern Linux distributions, but you may need to enable it depending on your operating system. Enabling this tends to be OS specific, so you will need to evaluate this for your specific hosts. -#### Promtail -In order to ensure that Promtail is able to scrape the necessary logs concurrently you may need to adjust some kernel parameters for your hosts. The below is a script that can be used to adjust these parameters to suitable values and ensure they are persisted across reboots. Ideally this script is used as part of an image build or cloud-init process on each node. +#### Vector + +In order to ensure that Vector is able to scrape the necessary logs concurrently you may need to adjust some kernel parameters for your hosts. The below is a script that can be used to adjust these parameters to suitable values and ensure they are persisted across reboots. Ideally this script is used as part of an image build or cloud-init process on each node. ```console declare -A sysctl_settings From 777387b01be6307d5f888ba0ce7c0ae078f52e42 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 9 Dec 2024 10:21:41 -0700 Subject: [PATCH 13/21] chore(deps): update support-deps (#1100) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This PR contains the following updates: | Package | Update | Change | |---|---|---| | [defenseunicorns/lula](https://redirect.github.com/defenseunicorns/lula) | minor | `v0.12.0` -> `v0.13.0` | | [defenseunicorns/uds-common](https://redirect.github.com/defenseunicorns/uds-common) | minor | `v1.4.0` -> `v1.5.0` | --- ### Release Notes
defenseunicorns/lula (defenseunicorns/lula) ### [`v0.13.0`](https://redirect.github.com/defenseunicorns/lula/releases/tag/v0.13.0) [Compare Source](https://redirect.github.com/defenseunicorns/lula/compare/v0.12.0...v0.13.0) This release updates Lula to OSCAL 1.1.3 (latest) artifact versions by default. All newly generated artifacts should now be created in the latest OSCAL version. What does this mean for you if you have existing 1.1.2 artifacts? It's time to upgrade! `lula tools upgrade -f ` will upgrade your artifacts to `1.1.3` and validate the data for schema compliance. Should you want to know more about the latest OSCAL release - [see here](https://redirect.github.com/usnistgov/OSCAL/releases/tag/v1.1.3) Additionally this release includes some library updates to enable resolving controls in profiles - this will be used in subsequent features made available to the CLI. ##### Features - **deps:** add support for OSCAL 1.1.3 as default ([#​837](https://redirect.github.com/defenseunicorns/lula/issues/837)) ([255e8ff](https://redirect.github.com/defenseunicorns/lula/commit/255e8ff5179098d9ddeb597fae929bd9cc16ebed)) - **profile:** resolve all controls in profile ([#​818](https://redirect.github.com/defenseunicorns/lula/issues/818)) ([1f9872b](https://redirect.github.com/defenseunicorns/lula/commit/1f9872b2fe35fad6f98daa1aa66d2547a203a294)) ##### Miscellaneous - cleanup API domain docs ([#​828](https://redirect.github.com/defenseunicorns/lula/issues/828)) ([f124257](https://redirect.github.com/defenseunicorns/lula/commit/f12425756269b02ddf3f064315ce4e1af1b8265a)) - declare top-level read permissions in workflows ([#​830](https://redirect.github.com/defenseunicorns/lula/issues/830)) ([713a249](https://redirect.github.com/defenseunicorns/lula/commit/713a249da0e23dfce28fc8cc76f658c44125f866)) - **deps:** update dependency go to v1.23.4 ([#​831](https://redirect.github.com/defenseunicorns/lula/issues/831)) 
([4a64581](https://redirect.github.com/defenseunicorns/lula/commit/4a64581773d8d2c4bbe3abfcd52c684e7bc8cc62)) - **deps:** update github/codeql-action action to v3.27.6 ([#​829](https://redirect.github.com/defenseunicorns/lula/issues/829)) ([c9be948](https://redirect.github.com/defenseunicorns/lula/commit/c9be948e9c3834f2e028f09d15d4c61e053922d7)) - **deps:** update module github.com/charmbracelet/bubbletea to v1.2.4 ([#​822](https://redirect.github.com/defenseunicorns/lula/issues/822)) ([12ffaf5](https://redirect.github.com/defenseunicorns/lula/commit/12ffaf52f6d4b1d98fec1d355003e1d8a39107f4)) - **deps:** update module github.com/defenseunicorns/go-oscal to v0.6.2 ([#​833](https://redirect.github.com/defenseunicorns/lula/issues/833)) ([5099e9c](https://redirect.github.com/defenseunicorns/lula/commit/5099e9cf623457bf44c71f74ecc397bb4e6e7be6)) - **deps:** update module github.com/pterm/pterm to v0.12.80 ([#​824](https://redirect.github.com/defenseunicorns/lula/issues/824)) ([bc506fc](https://redirect.github.com/defenseunicorns/lula/commit/bc506fc216b08d448a45fa1cd586af5d22a182d5)) - **deps:** update module github.com/stretchr/testify to v1.10.0 ([#​821](https://redirect.github.com/defenseunicorns/lula/issues/821)) ([21099ba](https://redirect.github.com/defenseunicorns/lula/commit/21099ba35d4221ac55a53427bb5b5379d898072e)) #### What's Changed - chore(deps): update dependency go to v1.23.4 by [@​renovate](https://redirect.github.com/renovate) in [https://github.com/defenseunicorns/lula/pull/831](https://redirect.github.com/defenseunicorns/lula/pull/831) - chore(deps): update module github.com/defenseunicorns/go-oscal to v0.6.2 by [@​renovate](https://redirect.github.com/renovate) in [https://github.com/defenseunicorns/lula/pull/833](https://redirect.github.com/defenseunicorns/lula/pull/833) - chore: declare top-level read permissions in workflows by [@​mildwonkey](https://redirect.github.com/mildwonkey) in 
[https://github.com/defenseunicorns/lula/pull/830](https://redirect.github.com/defenseunicorns/lula/pull/830) - feat(profile): resolve all controls in profile by [@​meganwolf0](https://redirect.github.com/meganwolf0) in [https://github.com/defenseunicorns/lula/pull/818](https://redirect.github.com/defenseunicorns/lula/pull/818) - chore(deps): update module github.com/stretchr/testify to v1.10.0 by [@​renovate](https://redirect.github.com/renovate) in [https://github.com/defenseunicorns/lula/pull/821](https://redirect.github.com/defenseunicorns/lula/pull/821) - chore(deps): update module github.com/charmbracelet/bubbletea to v1.2.4 by [@​renovate](https://redirect.github.com/renovate) in [https://github.com/defenseunicorns/lula/pull/822](https://redirect.github.com/defenseunicorns/lula/pull/822) - chore(deps): update github/codeql-action action to v3.27.6 by [@​renovate](https://redirect.github.com/renovate) in [https://github.com/defenseunicorns/lula/pull/829](https://redirect.github.com/defenseunicorns/lula/pull/829) - chore(deps): update module github.com/pterm/pterm to v0.12.80 by [@​renovate](https://redirect.github.com/renovate) in [https://github.com/defenseunicorns/lula/pull/824](https://redirect.github.com/defenseunicorns/lula/pull/824) - chore: cleanup API domain docs by [@​mildwonkey](https://redirect.github.com/mildwonkey) in [https://github.com/defenseunicorns/lula/pull/828](https://redirect.github.com/defenseunicorns/lula/pull/828) - feat(deps): add support for OSCAL 1.1.3 as default by [@​brandtkeller](https://redirect.github.com/brandtkeller) in [https://github.com/defenseunicorns/lula/pull/837](https://redirect.github.com/defenseunicorns/lula/pull/837) - chore(main): release 0.13.0 by [@​github-actions](https://redirect.github.com/github-actions) in [https://github.com/defenseunicorns/lula/pull/820](https://redirect.github.com/defenseunicorns/lula/pull/820) **Full Changelog**: https://github.com/defenseunicorns/lula/compare/v0.12.0...v0.13.0
defenseunicorns/uds-common (defenseunicorns/uds-common) ### [`v1.5.0`](https://redirect.github.com/defenseunicorns/uds-common/releases/tag/v1.5.0) [Compare Source](https://redirect.github.com/defenseunicorns/uds-common/compare/v1.4.0...v1.5.0) ##### ⚠ BREAKING CHANGES - fix the release process permissions (contents: write) ([#​355](https://redirect.github.com/defenseunicorns/uds-common/issues/355)) - **deps:** update uds common support dependencies (ubuntu-latest can no longer be used) ([#​354](https://redirect.github.com/defenseunicorns/uds-common/issues/354)) ##### Features - provide uds-releaser option for publishing uds packages ([#​341](https://redirect.github.com/defenseunicorns/uds-common/issues/341)) ([62f8c28](https://redirect.github.com/defenseunicorns/uds-common/commit/62f8c28b2db62a0fbcbad5a7a639c65de2359696)) ##### Bug Fixes - check tests directories in renovate updates ([#​351](https://redirect.github.com/defenseunicorns/uds-common/issues/351)) ([61385c2](https://redirect.github.com/defenseunicorns/uds-common/commit/61385c2fc0463e125e1914d59c4d7288976c5628)) - quote conditional and add use chkpt false ([#​357](https://redirect.github.com/defenseunicorns/uds-common/issues/357)) ([4cda4d9](https://redirect.github.com/defenseunicorns/uds-common/commit/4cda4d94ca965781e57e36000a8b7159197533be)) ##### Miscellaneous - fix the release process permissions ([#​355](https://redirect.github.com/defenseunicorns/uds-common/issues/355)) ([517932c](https://redirect.github.com/defenseunicorns/uds-common/commit/517932c890e0be62a87ef3f44ce88f9f3f587d5b)) - **deps:** update uds common package dependencies to v1.27.3 ([#​349](https://redirect.github.com/defenseunicorns/uds-common/issues/349)) ([4fbe49f](https://redirect.github.com/defenseunicorns/uds-common/commit/4fbe49f520cfa2c8ca38a39b829a7b2c782bae47)) - **deps:** update uds common support dependencies ([#​348](https://redirect.github.com/defenseunicorns/uds-common/issues/348)) 
([4430e46](https://redirect.github.com/defenseunicorns/uds-common/commit/4430e46bcd30092cb25e24bc278b54602602c3fb)) - **deps:** update uds common support dependencies ([#​354](https://redirect.github.com/defenseunicorns/uds-common/issues/354)) ([511d894](https://redirect.github.com/defenseunicorns/uds-common/commit/511d8940991eaba185dd52d11a3d37efa7defcd8))
--- ### Configuration πŸ“… **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. β™» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. πŸ‘» **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/defenseunicorns/uds-core). Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
---
.github/actions/setup/action.yaml | 2 +-
tasks/create.yaml | 2 +-
tasks/lint.yaml | 2 +-
tasks/test.yaml | 2 +-
4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/.github/actions/setup/action.yaml b/.github/actions/setup/action.yaml
index 8480c49e6..272d53737 100644
--- a/.github/actions/setup/action.yaml
+++ b/.github/actions/setup/action.yaml
@@ -41,7 +41,7 @@ runs: uses: defenseunicorns/lula-action/setup@badad8c4b1570095f57e66ffd62664847698a3b9 # v0.0.1 with: # renovate: datasource=github-tags depName=defenseunicorns/lula versioning=semver-coerced - version: v0.12.0 + version: v0.13.0 - name: Iron Bank Login if: ${{ inputs.registry1Username != '' }}
diff --git a/tasks/create.yaml b/tasks/create.yaml
index 081004f49..4bf39be7f 100644
--- a/tasks/create.yaml
+++ b/tasks/create.yaml
@@ -3,7 +3,7 @@ includes: - - common: https://raw.githubusercontent.com/defenseunicorns/uds-common/v1.4.0/tasks/create.yaml + - common: https://raw.githubusercontent.com/defenseunicorns/uds-common/v1.5.0/tasks/create.yaml variables: - name: FLAVOR
diff --git a/tasks/lint.yaml b/tasks/lint.yaml
index 2f0414c32..b699204c5 100644
--- a/tasks/lint.yaml
+++ b/tasks/lint.yaml
@@ -2,7 +2,7 @@ # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial includes: - - remote: https://raw.githubusercontent.com/defenseunicorns/uds-common/v1.4.0/tasks/lint.yaml + - remote: https://raw.githubusercontent.com/defenseunicorns/uds-common/v1.5.0/tasks/lint.yaml tasks: - name: fix
diff --git a/tasks/test.yaml b/tasks/test.yaml
index 5eef35a1a..033db9d5e 100644
--- a/tasks/test.yaml
+++ b/tasks/test.yaml
@@ -9,7 +9,7 @@ includes: - base-layer: ../packages/base/tasks.yaml - idam-layer: ../packages/identity-authorization/tasks.yaml - common-setup: https://raw.githubusercontent.com/defenseunicorns/uds-common/refs/tags/v0.13.1/tasks/setup.yaml - - compliance: https://raw.githubusercontent.com/defenseunicorns/uds-common/v1.4.0/tasks/compliance.yaml + - compliance: https://raw.githubusercontent.com/defenseunicorns/uds-common/v1.5.0/tasks/compliance.yaml tasks: - name: base
From 42d5bdaec68515a2e204bef33b6b86acc962910e Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 9 Dec 2024 11:42:46 -0700 Subject: [PATCH 14/21] chore(deps): update loki to 3.3.1 (#1022) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This PR contains the following updates: | Package | Update | Change | |---|---|---| | [cgr.dev/du-uds-defenseunicorns/loki](https://images.chainguard.dev/directory/image/loki/overview) ([source](https://redirect.github.com/chainguard-images/images-private/tree/HEAD/images/loki)) | minor | `3.2.1` -> `3.3.1` | | [cgr.dev/du-uds-defenseunicorns/memcached](https://images.chainguard.dev/directory/image/memcached/overview) ([source](https://redirect.github.com/chainguard-images/images-private/tree/HEAD/images/memcached)) | patch | `1.6.32` -> `1.6.33` | | [cgr.dev/du-uds-defenseunicorns/nginx-fips](https://images.chainguard.dev/directory/image/nginx-fips/overview) ([source](https://redirect.github.com/chainguard-images/images-private/tree/HEAD/images/nginx-fips)) | patch | `1.27.2` -> `1.27.3` | | [docker.io/grafana/loki](https://redirect.github.com/grafana/loki) | minor | `3.2.1` -> `3.3.1` | | docker.io/memcached | patch | `1.6.32-alpine` -> `1.6.33-alpine` | | [loki](https://grafana.github.io/helm-charts) ([source](https://redirect.github.com/grafana/helm-charts)) | minor | `6.19.0` -> `6.23.0` | | [registry1.dso.mil/ironbank/opensource/grafana/loki](https://redirect.github.com/grafana/loki) ([source](https://repo1.dso.mil/dsop/opensource/grafana/loki)) | minor | `3.2.1` -> `3.3.1` | | [registry1.dso.mil/ironbank/opensource/memcached/memcached](https://memcached.org/) ([source](https://repo1.dso.mil/dsop/opensource/memcached/memcached)) | patch | `1.6.32` -> `1.6.33` | --- ### Release Notes
grafana/loki (docker.io/grafana/loki) ### [`v3.3.1`](https://redirect.github.com/grafana/loki/releases/tag/v3.3.1) [Compare Source](https://redirect.github.com/grafana/loki/compare/v3.3.0...v3.3.1) ##### ⚠ BREAKING CHANGES - **promtail:** Remove `wget` from Promtail docker image (backport release-3.3.x) ([#​15146](https://redirect.github.com/grafana/loki/issues/15146)) ##### Miscellaneous Chores - **promtail:** Switch Promtail base image from Debian to Ubuntu to fix critical security issues ([https://github.com/grafana/loki/issues/15195](https://redirect.github.com/grafana/loki/issues/15195)). - **docker:** Move from base-nossl to static. This PR removes the inclusion of glibc into most of the Docker images created by the Loki build system. ([#​15203](https://redirect.github.com/grafana/loki/issues/15203)). ### [`v3.3.0`](https://redirect.github.com/grafana/loki/blob/HEAD/CHANGELOG.md#330-2024-11-19) [Compare Source](https://redirect.github.com/grafana/loki/compare/v3.2.2...v3.3.0) ##### ⚠ BREAKING CHANGES - **blooms:** Introduce a new block schema (V3) ([#​14038](https://redirect.github.com/grafana/loki/issues/14038)) - **blooms:** Index structured metadata into blooms ([#​14061](https://redirect.github.com/grafana/loki/issues/14061)) - **operator:** Migrate project layout to kubebuilder go/v4 ([#​14447](https://redirect.github.com/grafana/loki/issues/14447)) - **operator:** Rename loki api go module ([#​14568](https://redirect.github.com/grafana/loki/issues/14568)) - **operator:** Provide default OTLP attribute configuration ([#​14410](https://redirect.github.com/grafana/loki/issues/14410)) ##### Features - ability to log stream selectors before service name detection ([#​14154](https://redirect.github.com/grafana/loki/issues/14154)) ([d7ff426](https://redirect.github.com/grafana/loki/commit/d7ff42664681794b9ef5026ac3758cdd9569ac1a)) - add app_name as a service label ([#​13660](https://redirect.github.com/grafana/loki/issues/13660)) 
([f2a16f4](https://redirect.github.com/grafana/loki/commit/f2a16f43b27503ba9ee76bac2b44d825ce030e0f)) - add backoff mechanism to the retention process ([#​14182](https://redirect.github.com/grafana/loki/issues/14182)) ([3136880](https://redirect.github.com/grafana/loki/commit/31368806a9c5e0ff6c43045e008861f26ed61af3)) - add functions to common.libsonnet for warpstream ([#​14123](https://redirect.github.com/grafana/loki/issues/14123)) ([2bde071](https://redirect.github.com/grafana/loki/commit/2bde071872fd08c138e03535b520ff7ae32dd336)) - add gauge loki_ingest_storage_reader_phase ([#​14679](https://redirect.github.com/grafana/loki/issues/14679)) ([f5b0fb6](https://redirect.github.com/grafana/loki/commit/f5b0fb6b998dc0a49cd36c0968862340c7e517bf)) - add gauge to track the partition_id ([#​14713](https://redirect.github.com/grafana/loki/issues/14713)) ([a142b3d](https://redirect.github.com/grafana/loki/commit/a142b3d540a79a94f6ed1283cfb0ac8aed49e600)) - add missing cluster label to mixins ([#​12870](https://redirect.github.com/grafana/loki/issues/12870)) ([547ca70](https://redirect.github.com/grafana/loki/commit/547ca708b9b56e2761bd19ebfcfc9f8571d9af2a)) - add query user and query source to "executing query" log lines ([#​14320](https://redirect.github.com/grafana/loki/issues/14320)) ([4d69929](https://redirect.github.com/grafana/loki/commit/4d6992982d99a542f1e99af18b691830b71469e0)) - add retries for s3 ObjectExists calls ([#​14062](https://redirect.github.com/grafana/loki/issues/14062)) ([73cbbb0](https://redirect.github.com/grafana/loki/commit/73cbbb0f2257b9eb5a3bf5d2cf1f4d4d2490d47d)) - add structured metadata to the promtail push API ([#​14153](https://redirect.github.com/grafana/loki/issues/14153)) ([66cffcb](https://redirect.github.com/grafana/loki/commit/66cffcb427bda28af6fbcfcf85a34771db3787bc)) - Add support for partition ingester in dashboards ([#​14498](https://redirect.github.com/grafana/loki/issues/14498)) 
([70deebf](https://redirect.github.com/grafana/loki/commit/70deebf26e88c6f2b10c78b3b8ce785c8a16e03b)) - Allows to configure client_max_body_size ([#​12924](https://redirect.github.com/grafana/loki/issues/12924)) ([809a024](https://redirect.github.com/grafana/loki/commit/809a024581c1f600744b9db0b2b2142234317082)) - Apply patterns line length limit to json message key ([#​14296](https://redirect.github.com/grafana/loki/issues/14296)) ([41fafd8](https://redirect.github.com/grafana/loki/commit/41fafd87933224d5d43592e91e339322fc90a466)) - **blooms:** Add bloom planner and bloom builder to `backend` target ([#​13997](https://redirect.github.com/grafana/loki/issues/13997)) ([bf60455](https://redirect.github.com/grafana/loki/commit/bf60455c8e52b87774df9ca90232b4c72d72e46b)) - **blooms:** disk-backed queue for the bloom-planner (backport k227) ([#​14927](https://redirect.github.com/grafana/loki/issues/14927)) ([1f6828b](https://redirect.github.com/grafana/loki/commit/1f6828b25c5c5d6ad5eda3be60a435db8ca55fc3)) - **blooms:** Index structured metadata into blooms ([#​14061](https://redirect.github.com/grafana/loki/issues/14061)) ([a2fbaa8](https://redirect.github.com/grafana/loki/commit/a2fbaa8e09b6eebff2f7c20746e84f1365bd7433)) - **blooms:** Only write key and key=value to blooms ([#​14686](https://redirect.github.com/grafana/loki/issues/14686)) ([3af0004](https://redirect.github.com/grafana/loki/commit/3af0004cb4d4dafbcbe099e4409edf6e6ff056a5)) - Configurable list of json fields to mine patterns ([#​14528](https://redirect.github.com/grafana/loki/issues/14528)) ([7050897](https://redirect.github.com/grafana/loki/commit/70508975fd40d3e4dbb518d3f8c7bf96e37307b6)) - detected field values ([#​14350](https://redirect.github.com/grafana/loki/issues/14350)) ([7983f94](https://redirect.github.com/grafana/loki/commit/7983f94b15b422b94517641bd9cec5c9da6903e1)) - **distributors:** Use a pool of worker to push to ingesters. 
([#​14245](https://redirect.github.com/grafana/loki/issues/14245)) ([f80d68a](https://redirect.github.com/grafana/loki/commit/f80d68a1edbd85a605be882eb0104b169343cf00)) - Do not add empty blooms to offsets ([#​14577](https://redirect.github.com/grafana/loki/issues/14577)) ([51c42e8](https://redirect.github.com/grafana/loki/commit/51c42e864563f2fa9ffc160cb13f6d6126ea5c6d)) - Extract task computing into a strategy interface ([#​13690](https://redirect.github.com/grafana/loki/issues/13690)) ([ab5e6ea](https://redirect.github.com/grafana/loki/commit/ab5e6eaaeea24f93f434dcece6ff5d9dc83e6d32)) - **fluentd-plugin-datadog-loki:** support custom http headers ([#​14299](https://redirect.github.com/grafana/loki/issues/14299)) ([e59035e](https://redirect.github.com/grafana/loki/commit/e59035e17315f453d4b2e2334330bc062d40f0fd)) - **helm:** :sparkles: add additional service annotations for components in distributed mode ([#​14131](https://redirect.github.com/grafana/loki/issues/14131)) ([5978f13](https://redirect.github.com/grafana/loki/commit/5978f1344c84525e6b8bda45869b867b7e878956)) - **helm:** add configurable extraEnvFrom to admin-api and enterprisegw ([#​14533](https://redirect.github.com/grafana/loki/issues/14533)) ([5d78a3a](https://redirect.github.com/grafana/loki/commit/5d78a3a3fd1f630d6b012a9240fa081e63bcb7ef)) - **helm:** Add kubeVersionOverride for Helm chart ([#​14434](https://redirect.github.com/grafana/loki/issues/14434)) ([0935d77](https://redirect.github.com/grafana/loki/commit/0935d77df08e6ad40a9f498f53e94e335b020ded)) - **helm:** Add persistence option to memcached on Helm chart ([#​13619](https://redirect.github.com/grafana/loki/issues/13619)) ([ef1df0e](https://redirect.github.com/grafana/loki/commit/ef1df0e66fc8e2fe9327a66aea31279ca5c7307a)) - **helm:** add tolerations to pattern-ingester statefulset ([#​13605](https://redirect.github.com/grafana/loki/issues/13605)) 
([09530c0](https://redirect.github.com/grafana/loki/commit/09530c0f4a1503713a76c68153b4da5287f9b79f)) - **helm:** Allow setting node attributes to `tokengen` and `provisioner` ([#​14311](https://redirect.github.com/grafana/loki/issues/14311)) ([c708ae6](https://redirect.github.com/grafana/loki/commit/c708ae691ca2d9a26b1c2a4591ed32dbfdd94619)) - **helm:** Replace bloom compactor with bloom planner and builder ([#​14003](https://redirect.github.com/grafana/loki/issues/14003)) ([08e61ca](https://redirect.github.com/grafana/loki/commit/08e61ca4db086b573ef636a156bfc624132515be)) - **helm:** update chart with loki version 3.2.0 ([#​14281](https://redirect.github.com/grafana/loki/issues/14281)) ([11b92ee](https://redirect.github.com/grafana/loki/commit/11b92eeb95612a2bb002ea22f048c55ae20557a2)) - **Helm:** Update Loki Helm chart for restricted environments ([#​14440](https://redirect.github.com/grafana/loki/issues/14440)) ([adc7538](https://redirect.github.com/grafana/loki/commit/adc75389a39e3aaad69303b82b0d68ec3d94485c)) - implement IsRetryableErr for S3ObjectClient ([#​14174](https://redirect.github.com/grafana/loki/issues/14174)) ([fc90a63](https://redirect.github.com/grafana/loki/commit/fc90a63636c689993bd9b568f9c54198bfb1f3ae)) - Implement owned streams calculation using Partition Ring ([#​14282](https://redirect.github.com/grafana/loki/issues/14282)) ([3c36ba9](https://redirect.github.com/grafana/loki/commit/3c36ba949d65e803cc6702b8664f87aca07ed052)) - Implement WAL segment ingestion via Kafka with partition ring ([#​14043](https://redirect.github.com/grafana/loki/issues/14043)) ([d178f4c](https://redirect.github.com/grafana/loki/commit/d178f4c7e2eadbd17ac82f8305782533c7308ba2)) - Improve pattern ingester tracing ([#​14707](https://redirect.github.com/grafana/loki/issues/14707)) ([80aec25](https://redirect.github.com/grafana/loki/commit/80aec2548203957dbb834ba69e6d734d9054416d)) - **ingester:** implement partition shuffle sharding for ingester 
([#​14304](https://redirect.github.com/grafana/loki/issues/14304)) ([1a4436c](https://redirect.github.com/grafana/loki/commit/1a4436c41721e3e6aca82c26abaec8fe6f775d9f)) - Introduce new `ObjectExistsWithSize` API to ([#​14268](https://redirect.github.com/grafana/loki/issues/14268)) ([ac422b3](https://redirect.github.com/grafana/loki/commit/ac422b3bc3e822b4525401496a8b73e91d566128)) - Introduce shardable probabilistic topk for instant queries. (backport k227) ([#​14765](https://redirect.github.com/grafana/loki/issues/14765)) ([02eb024](https://redirect.github.com/grafana/loki/commit/02eb02458e99d4dcb2f734f6a8e83bbd76a8ea4f)) - **jsonnet:** Allow to name prefix zoned ingesters ([#​14260](https://redirect.github.com/grafana/loki/issues/14260)) ([fac3177](https://redirect.github.com/grafana/loki/commit/fac3177814b8d2914eb3af618d571104eba18934)) - **kafka:** Add Ingestion from Kafka in Ingesters ([#​14192](https://redirect.github.com/grafana/loki/issues/14192)) ([b6e9945](https://redirect.github.com/grafana/loki/commit/b6e9945f83991a01395df537a8e014585a57913b)) - **kafka:** Add support for SASL auth to Kafka ([#​14487](https://redirect.github.com/grafana/loki/issues/14487)) ([e2a209c](https://redirect.github.com/grafana/loki/commit/e2a209c076c9c9fd53732a0a7804acba3bff378e)) - **kafka:** Enable querier to optionally query partition ingesters ([#​14418](https://redirect.github.com/grafana/loki/issues/14418)) ([633bb5e](https://redirect.github.com/grafana/loki/commit/633bb5eb7e0717c3e1eafaab32f0ba2dacb4f5cd)) - **kafka:** enqueue commit offset only once per batch process ([#​14278](https://redirect.github.com/grafana/loki/issues/14278)) ([beca6f3](https://redirect.github.com/grafana/loki/commit/beca6f33662e8a43ea59943a4327a1c328960058)) - **kafka:** Implement limiter using partition ring for Kafka ([#​14359](https://redirect.github.com/grafana/loki/issues/14359)) ([5cbb239](https://redirect.github.com/grafana/loki/commit/5cbb23994beb3494e238fccecbb3f7c5ed5c1d0b)) - 
**kafka:** Remove rate limits for kafka ingestion ([#​14460](https://redirect.github.com/grafana/loki/issues/14460)) ([83a8893](https://redirect.github.com/grafana/loki/commit/83a8893a3fbad3a87d7aea3a61e7dae2f6a34168)) - **kafka:** Replay kafka from last commit before allowing ingesters to become ready ([#​14330](https://redirect.github.com/grafana/loki/issues/14330)) ([39b57ec](https://redirect.github.com/grafana/loki/commit/39b57ec4eac3cbdc718aacae32ab8ff4e989709b)) - **kafka:** Start ingester flush loop before trying to catch up from Kafka ([#​14505](https://redirect.github.com/grafana/loki/issues/14505)) ([524ed81](https://redirect.github.com/grafana/loki/commit/524ed81395a0b2c6be86fc0fcd013393e555fd62)) - **logcli:** add gzip compression option ([#​14598](https://redirect.github.com/grafana/loki/issues/14598)) ([4d3f9f5](https://redirect.github.com/grafana/loki/commit/4d3f9f5a7b483b563348c322958486825d314526)) - **loki:** include structured_metadata size while asserting rate limit ([#​14571](https://redirect.github.com/grafana/loki/issues/14571)) ([a962edb](https://redirect.github.com/grafana/loki/commit/a962edba332f4fdfee29cf11e70019b1b498c258)) - **max-allowed-line-length:** add config to set `max-allowed-line-length` in pattern ingester ([#​14070](https://redirect.github.com/grafana/loki/issues/14070)) ([0780456](https://redirect.github.com/grafana/loki/commit/0780456662b67edde69004cf4ee3873c23d5094b)) - mixin / add loki compaction not successfull alert ([#​14239](https://redirect.github.com/grafana/loki/issues/14239)) ([da04f50](https://redirect.github.com/grafana/loki/commit/da04f5007edd85f35d1af5ba8c2c5a4eb96d2149)) - mixin, allow overriding of some labels by parameterizing mixin recording/alert rules ([#​11495](https://redirect.github.com/grafana/loki/issues/11495)) ([f1425b6](https://redirect.github.com/grafana/loki/commit/f1425b6c24e9d90c99477f67289c3aa34f69573d)) - mixins / allow bloom dashboards disabling 
([#​14177](https://redirect.github.com/grafana/loki/issues/14177)) ([ce2e6d5](https://redirect.github.com/grafana/loki/commit/ce2e6d520b48fe9c5c7593ae2400a6983905782e)) - **mixins:** Allow hiding useless rows in loki-operational ([#​13646](https://redirect.github.com/grafana/loki/issues/13646)) ([3aa4f22](https://redirect.github.com/grafana/loki/commit/3aa4f2227e4178f05e6b13cffc044989c7839372)) - **mixins:** merge resources dashboards for ssd into one ([#​13471](https://redirect.github.com/grafana/loki/issues/13471)) ([45b8719](https://redirect.github.com/grafana/loki/commit/45b8719aa768db35d4e7559fd87e22056248b912)) - move detected field logic to query frontend ([#​14212](https://redirect.github.com/grafana/loki/issues/14212)) ([36ace66](https://redirect.github.com/grafana/loki/commit/36ace66b73e9f9ad2a2d367fbc20803c0d9779c2)) - move metric aggregation to a per-tenant config ([#​14709](https://redirect.github.com/grafana/loki/issues/14709)) ([c1fde26](https://redirect.github.com/grafana/loki/commit/c1fde26730b4fc54e4bbc724d1b29f653541f720)) - New bloom planning using chunk size TSDB stats ([#​14547](https://redirect.github.com/grafana/loki/issues/14547)) ([673ede1](https://redirect.github.com/grafana/loki/commit/673ede16a5f675684f9e6a53903335af5075a507)) - **operator:** Add support for Loki OTLP limits config ([#​13446](https://redirect.github.com/grafana/loki/issues/13446)) ([d02f435](https://redirect.github.com/grafana/loki/commit/d02f435d3bf121b19e15de4f139c95a6d010b25c)) - **operator:** Declare feature FIPS support for OpenShift only ([#​14308](https://redirect.github.com/grafana/loki/issues/14308)) ([720c303](https://redirect.github.com/grafana/loki/commit/720c3037923c174e71a02d99d4bee6271428fbdb)) - **operator:** introduce 1x.pico size ([#​14407](https://redirect.github.com/grafana/loki/issues/14407)) ([57de81d](https://redirect.github.com/grafana/loki/commit/57de81d8c27e221832790443cebaf141353c3e3f)) - **operator:** Provide default OTLP attribute 
configuration ([#​14410](https://redirect.github.com/grafana/loki/issues/14410)) ([1b52387](https://redirect.github.com/grafana/loki/commit/1b5238721994c00764b6a7e7d63269c5b56d2480)) - **operator:** Update Loki operand to v3.1.1 ([#​14042](https://redirect.github.com/grafana/loki/issues/14042)) ([7ae1588](https://redirect.github.com/grafana/loki/commit/7ae1588200396b73a16fadd2610670a5ce5fd747)) - **operator:** Update Loki operand to v3.2.1 ([#​14526](https://redirect.github.com/grafana/loki/issues/14526)) ([5e970e5](https://redirect.github.com/grafana/loki/commit/5e970e50b166e73f5563e21c23db3ea99b24642e)) - **operator:** User-guide for OTLP configuration ([#​14620](https://redirect.github.com/grafana/loki/issues/14620)) ([27b4071](https://redirect.github.com/grafana/loki/commit/27b40713540bd60918780cdd4cb645e6761427cb)) - Optionally require writes to kafka on Push requests ([#​14186](https://redirect.github.com/grafana/loki/issues/14186)) ([7c78232](https://redirect.github.com/grafana/loki/commit/7c78232ad312d58ae00101a11e9d7c67f53f1361)) - revert "feat: add functions to common.libsonnet for warpstream" ([#​14129](https://redirect.github.com/grafana/loki/issues/14129)) ([18c27f9](https://redirect.github.com/grafana/loki/commit/18c27f9d4ec0c5fbd439972f9abb8bca0bdd6f9e)) - **ruler:** enables ruler store that uses clients from thanos-io/objstore pkg ([#​11713](https://redirect.github.com/grafana/loki/issues/11713)) ([8bca2e7](https://redirect.github.com/grafana/loki/commit/8bca2e76089e0b9894b7a4c18a950f4baaa5a412)) - **storage:** AWS backend using thanos.io/objstore ([#​11221](https://redirect.github.com/grafana/loki/issues/11221)) ([b872246](https://redirect.github.com/grafana/loki/commit/b87224647dc88901c61cb4bd571dfda9405a7826)) - **storage:** Azure backend using thanos.io/objstore ([#​11315](https://redirect.github.com/grafana/loki/issues/11315)) ([5824e3d](https://redirect.github.com/grafana/loki/commit/5824e3d35cd1273ccd1a63d7381098617a7697dd)) - **storage:** 
GCS backend using thanos.io/objstore ([#​11132](https://redirect.github.com/grafana/loki/issues/11132)) ([c059ace](https://redirect.github.com/grafana/loki/commit/c059ace53edba79864a567035b120db80addf23c)) - support ruler sidecar in singleBinary mode ([#​13572](https://redirect.github.com/grafana/loki/issues/13572)) ([684baf7](https://redirect.github.com/grafana/loki/commit/684baf7dbacef4b85a08db8de9934458745124d8)) - track discarded data by usageTracker ([#​14081](https://redirect.github.com/grafana/loki/issues/14081)) ([c65721e](https://redirect.github.com/grafana/loki/commit/c65721e7ade0ef89fd282d9f764fb2d05f6b9c42)) ##### Bug Fixes - **`detected_fields`:** return parsed labels when parsers are passed ([#​14047](https://redirect.github.com/grafana/loki/issues/14047)) ([aa1ac99](https://redirect.github.com/grafana/loki/commit/aa1ac99f4d369c87fd0db4fcf853ebce534e3500)) - Add additional validation for timeout while retrieving headers ([#​14217](https://redirect.github.com/grafana/loki/issues/14217)) ([8322e51](https://redirect.github.com/grafana/loki/commit/8322e518e68de286b2bc58cf15ea9fe947eeec86)) - Add s3 principal to iam policy attached to sqs in lambda-promtail terraform code ([#​14619](https://redirect.github.com/grafana/loki/issues/14619)) ([db0889e](https://redirect.github.com/grafana/loki/commit/db0889e2748b69a5c60d044dfab44bc652f1464d)) - Add tenant limits as dependency to pattern ingester ([#​14665](https://redirect.github.com/grafana/loki/issues/14665)) ([31eea90](https://redirect.github.com/grafana/loki/commit/31eea9042ada6650227eb281a36410ab521817a8)) - **aggregated-metrics:** correctly create logfmt string ([#​14124](https://redirect.github.com/grafana/loki/issues/14124)) ([63e84b4](https://redirect.github.com/grafana/loki/commit/63e84b476a9a7b97a121847659172fadbb8a1eee)) - allow any level for aggregated metrics ([#​14255](https://redirect.github.com/grafana/loki/issues/14255)) 
([c001a1d](https://redirect.github.com/grafana/loki/commit/c001a1d93af5438fef521460dcba650b44629a93)) - allow rename of structuremetadata labels ([#​13955](https://redirect.github.com/grafana/loki/issues/13955)) ([2d4792a](https://redirect.github.com/grafana/loki/commit/2d4792a54fb52caa5cd904a17349b04410fae4c0)) - always write detected_level when enabled, even if unknown ([#​14464](https://redirect.github.com/grafana/loki/issues/14464)) ([41c6b6c](https://redirect.github.com/grafana/loki/commit/41c6b6c2c2f5f56ca76cf75ed05689564b9e9dcd)) - **blooms:** Check length of tasks before accessing first element in slice ([#​14634](https://redirect.github.com/grafana/loki/issues/14634)) ([601f549](https://redirect.github.com/grafana/loki/commit/601f549656efa5ac769a685169d5bc84eff15a35)) - **blooms:** Copy chunks from ForSeries (backport k227) ([#​14864](https://redirect.github.com/grafana/loki/issues/14864)) ([d10f79c](https://redirect.github.com/grafana/loki/commit/d10f79c700c100d7333e682287aabbaa3c029768)) - **blooms:** Do not restart builders when planner disconnects (backport k227) ([#​14922](https://redirect.github.com/grafana/loki/issues/14922)) ([213e8ee](https://redirect.github.com/grafana/loki/commit/213e8eeba6e7fb138069e2858d62f1e3c4556a0e)) - **blooms:** Exclude label filters where label name is part of the series labels. 
([#​14661](https://redirect.github.com/grafana/loki/issues/14661)) ([d1668f6](https://redirect.github.com/grafana/loki/commit/d1668f6a110f7119ebb1cc0e582be369b2af95b8)) - **blooms:** Fix panic in initialisation of the bloom planner and builder ([#​14110](https://redirect.github.com/grafana/loki/issues/14110)) ([8307c42](https://redirect.github.com/grafana/loki/commit/8307c42c541e769c9d0133df3856af049a815b73)) - **blooms:** Fix strategy logger and add task test (backport k227) ([#​14921](https://redirect.github.com/grafana/loki/issues/14921)) ([dc36a1e](https://redirect.github.com/grafana/loki/commit/dc36a1e1288a03b68d269ba261f41ac7c2942962)) - **blooms:** Fix tenants slice on loadTenantTables (backport k227) ([#​14901](https://redirect.github.com/grafana/loki/issues/14901)) ([540dd5a](https://redirect.github.com/grafana/loki/commit/540dd5a5ccb53bc2ee4236871632c7e1daa7f7e5)) - **blooms:** Skip multi-tenant TSDBs during bloom planning (backport k227) ([#​14888](https://redirect.github.com/grafana/loki/issues/14888)) ([631cff3](https://redirect.github.com/grafana/loki/commit/631cff345cdab110202d757572fbbf8088c0be87)) - **build:** Use Debian Bullseye base image for build image ([#​14368](https://redirect.github.com/grafana/loki/issues/14368)) ([3beb8ff](https://redirect.github.com/grafana/loki/commit/3beb8ff9cfe7f765b5d5db87892981a223d72f50)) - **canary:** Reconnect immediately upon tail max duration ([#​14287](https://redirect.github.com/grafana/loki/issues/14287)) ([9267ee3](https://redirect.github.com/grafana/loki/commit/9267ee3561ccbb90589600d7b045f7e05b1b2ee0)) - **ci:** fixed `Publish Rendered Helm Chart Diff` workflow ([#​14365](https://redirect.github.com/grafana/loki/issues/14365)) ([6de6420](https://redirect.github.com/grafana/loki/commit/6de64209547ec970cb27564be87fe2085307e183)) - **ci:** updated helm diff rendering workflow ([#​14424](https://redirect.github.com/grafana/loki/issues/14424)) 
([916e511](https://redirect.github.com/grafana/loki/commit/916e5115d9099e82834f0d8e123273c75c9cddec)) - **config:** Copy Alibaba and IBM object storage configuration from common ([#​14297](https://redirect.github.com/grafana/loki/issues/14297)) ([59ff1ec](https://redirect.github.com/grafana/loki/commit/59ff1ece1dacc461d03f71e41c0728396727eee6)) - **config:** migrate renovate config ([#​14646](https://redirect.github.com/grafana/loki/issues/14646)) ([a67d8ef](https://redirect.github.com/grafana/loki/commit/a67d8ef219aab80071e8256a6cbb18a47c7078e6)) - correct \_extracted logic in detected fields ([#​14064](https://redirect.github.com/grafana/loki/issues/14064)) ([1b3ba53](https://redirect.github.com/grafana/loki/commit/1b3ba530b8fab9aac999387a135a76a62de3e000)) - correct OTLP documentation typo ([#​14602](https://redirect.github.com/grafana/loki/issues/14602)) ([063c590](https://redirect.github.com/grafana/loki/commit/063c590faa4aa30540572c5d6fdc1da8a6a25ee4)) - **deps:** update aws-sdk-go-v2 monorepo ([#​13986](https://redirect.github.com/grafana/loki/issues/13986)) ([6f49123](https://redirect.github.com/grafana/loki/commit/6f491233cae226d54d190521d2b935249d88ad05)) - **deps:** update aws-sdk-go-v2 monorepo ([#​14742](https://redirect.github.com/grafana/loki/issues/14742)) ([53a1ab7](https://redirect.github.com/grafana/loki/commit/53a1ab76257d900b80334d68439d7ff4bfcfd39b)) - **deps:** update github.com/grafana/dskit digest to [`687ec48`](https://redirect.github.com/grafana/loki/commit/687ec48) ([#​14395](https://redirect.github.com/grafana/loki/issues/14395)) ([c2f38e1](https://redirect.github.com/grafana/loki/commit/c2f38e18c6b8dd134b8f3da164afc9c8625f2f2b)) - **deps:** update github.com/grafana/dskit digest to [`7c41a40`](https://redirect.github.com/grafana/loki/commit/7c41a40) ([#​14277](https://redirect.github.com/grafana/loki/issues/14277)) ([f39cdbd](https://redirect.github.com/grafana/loki/commit/f39cdbd541d85a961db655e70da713be04d9a294)) - **deps:** update 
github.com/grafana/dskit digest to [`931a021`](https://redirect.github.com/grafana/loki/commit/931a021) ([#​14032](https://redirect.github.com/grafana/loki/issues/14032)) ([7c18642](https://redirect.github.com/grafana/loki/commit/7c186425210f892d34a2ccf8ad23b475af8bf9b9)) - **deps:** update github.com/grafana/dskit digest to [`b69ac1b`](https://redirect.github.com/grafana/loki/commit/b69ac1b) ([#​14355](https://redirect.github.com/grafana/loki/issues/14355)) ([9d7a6ea](https://redirect.github.com/grafana/loki/commit/9d7a6ea68053b576553e426d339961d50ee07080)) - **deps:** update github.com/grafana/dskit digest to [`f52de24`](https://redirect.github.com/grafana/loki/commit/f52de24) ([#​14319](https://redirect.github.com/grafana/loki/issues/14319)) ([a4f3edf](https://redirect.github.com/grafana/loki/commit/a4f3edfb52ad4a44a17aaeb753a780b08d6b552c)) - **deps:** update github.com/twmb/franz-go/pkg/kfake digest to [`cea7aa5`](https://redirect.github.com/grafana/loki/commit/cea7aa5) ([#​14590](https://redirect.github.com/grafana/loki/issues/14590)) ([688c42a](https://redirect.github.com/grafana/loki/commit/688c42a971589be96921ce362c7fc6792368c3da)) - **deps:** update k8s.io/utils digest to [`702e33f`](https://redirect.github.com/grafana/loki/commit/702e33f) ([#​14033](https://redirect.github.com/grafana/loki/issues/14033)) ([b7eecc7](https://redirect.github.com/grafana/loki/commit/b7eecc7a693e96f4d0fe0dcd7583ecdc4dd7283f)) - **deps:** update module cloud.google.com/go/bigtable to v1.33.0 ([#​14580](https://redirect.github.com/grafana/loki/issues/14580)) ([a0920ed](https://redirect.github.com/grafana/loki/commit/a0920ed9929080926f0f439182cb2428e938c208)) - **deps:** update module cloud.google.com/go/pubsub to v1.45.0 ([#​14361](https://redirect.github.com/grafana/loki/issues/14361)) ([4351238](https://redirect.github.com/grafana/loki/commit/4351238305a680852b6b29a7cdaef69e46042ee4)) - **deps:** update module cloud.google.com/go/pubsub to v1.45.1 
([#​14650](https://redirect.github.com/grafana/loki/issues/14650)) ([f173708](https://redirect.github.com/grafana/loki/commit/f17370867b70f65528d98fbfe751d079b5909be0)) - **deps:** update module cloud.google.com/go/storage to v1.46.0 ([#​14744](https://redirect.github.com/grafana/loki/issues/14744)) ([8e45116](https://redirect.github.com/grafana/loki/commit/8e451165add426e480b2e691c7c69252d98a2d22)) - **deps:** update module github.com/alicebob/miniredis/v2 to v2.33.0 ([#​14721](https://redirect.github.com/grafana/loki/issues/14721)) ([7bfda25](https://redirect.github.com/grafana/loki/commit/7bfda259721c2b3858066ab71d9df09ad35895a6)) - **deps:** update module github.com/aws/aws-sdk-go to v1.55.5 ([#​14715](https://redirect.github.com/grafana/loki/issues/14715)) ([03f0f5a](https://redirect.github.com/grafana/loki/commit/03f0f5ab1691550eea59431c9c580530c13bf259)) - **deps:** update module github.com/axiomhq/hyperloglog to v0.2.0 ([#​14722](https://redirect.github.com/grafana/loki/issues/14722)) ([0167b22](https://redirect.github.com/grafana/loki/commit/0167b22ac6d4886a1c3157437a3c5b19e327723a)) - **deps:** update module github.com/baidubce/bce-sdk-go to v0.9.189 ([#​14044](https://redirect.github.com/grafana/loki/issues/14044)) ([7fb34b4](https://redirect.github.com/grafana/loki/commit/7fb34b4884269e7dad7cfa27969f470d9466279d)) - **deps:** update module github.com/baidubce/bce-sdk-go to v0.9.192 ([#​14337](https://redirect.github.com/grafana/loki/issues/14337)) ([6f7cae2](https://redirect.github.com/grafana/loki/commit/6f7cae2a7aae471c8161bd1e596a31fa89c48ae1)) - **deps:** update module github.com/baidubce/bce-sdk-go to v0.9.196 ([#​14651](https://redirect.github.com/grafana/loki/issues/14651)) ([478085a](https://redirect.github.com/grafana/loki/commit/478085ae02a0df3b2455211326519dd4aef26499)) - **deps:** update module github.com/baidubce/bce-sdk-go to v0.9.197 ([#​14682](https://redirect.github.com/grafana/loki/issues/14682)) 
([b898294](https://redirect.github.com/grafana/loki/commit/b89829421ee3a4589efe34a4b1332fe659c9d8e7)) - **deps:** update module github.com/coder/quartz to v0.1.2 ([#​14652](https://redirect.github.com/grafana/loki/issues/14652)) ([7459e07](https://redirect.github.com/grafana/loki/commit/7459e07adb6aac48b305d50582eac915ea26528e)) - **deps:** update module github.com/felixge/fgprof to v0.9.5 ([#​14338](https://redirect.github.com/grafana/loki/issues/14338)) ([a2ad3aa](https://redirect.github.com/grafana/loki/commit/a2ad3aa66940faae4fef7f92aab5a383f576190e)) - **deps:** update module github.com/fsouza/fake-gcs-server to v1.50.2 ([#​14313](https://redirect.github.com/grafana/loki/issues/14313)) ([275c97c](https://redirect.github.com/grafana/loki/commit/275c97cec7f70e68c56192c565d53a6c2a18ff78)) - **deps:** update module github.com/hashicorp/raft to v1.7.1 ([#​14005](https://redirect.github.com/grafana/loki/issues/14005)) ([e9cec1d](https://redirect.github.com/grafana/loki/commit/e9cec1d159b02977b6104e0006902e0d6b805527)) - **deps:** update module github.com/ibm/go-sdk-core/v5 to v5.17.5 ([#​14045](https://redirect.github.com/grafana/loki/issues/14045)) ([677d217](https://redirect.github.com/grafana/loki/commit/677d217533b7d2338e25a8b9b9e8a78045489e7c)) - **deps:** update module github.com/ibm/go-sdk-core/v5 to v5.18.1 ([#​14716](https://redirect.github.com/grafana/loki/issues/14716)) ([8395acd](https://redirect.github.com/grafana/loki/commit/8395acd0cbd3db9c6f330bd94a22b194fad35a93)) - **deps:** update module github.com/ibm/ibm-cos-sdk-go to v1.11.1 ([#​14342](https://redirect.github.com/grafana/loki/issues/14342)) ([aa82a7c](https://redirect.github.com/grafana/loki/commit/aa82a7c804edd6df99d3fddc581d02c3b7fa6774)) - **deps:** update module github.com/klauspost/compress to v1.17.10 ([#​14352](https://redirect.github.com/grafana/loki/issues/14352)) ([e23c5ed](https://redirect.github.com/grafana/loki/commit/e23c5ed9fa97010ef4c985afea25af3922ca215b)) - **deps:** update 
module github.com/minio/minio-go/v7 to v7.0.76 ([#​14006](https://redirect.github.com/grafana/loki/issues/14006)) ([51f9376](https://redirect.github.com/grafana/loki/commit/51f937684795982f0d234ab251017ce2c86c9e20)) - **deps:** update module github.com/minio/minio-go/v7 to v7.0.77 ([#​14353](https://redirect.github.com/grafana/loki/issues/14353)) ([d0e3ef7](https://redirect.github.com/grafana/loki/commit/d0e3ef709a222821fd764f6af72308c302faefb3)) - **deps:** update module github.com/minio/minio-go/v7 to v7.0.80 ([#​14654](https://redirect.github.com/grafana/loki/issues/14654)) ([eec2513](https://redirect.github.com/grafana/loki/commit/eec25130468eb648c4667361cae7630449af7ef5)) - **deps:** update module github.com/ncw/swift/v2 to v2.0.3 ([#​14356](https://redirect.github.com/grafana/loki/issues/14356)) ([c843288](https://redirect.github.com/grafana/loki/commit/c8432887d3d4459ad4bc40deba3a3a3726a2f5eb)) - **deps:** update module github.com/prometheus/client_golang to v1.20.5 ([#​14655](https://redirect.github.com/grafana/loki/issues/14655)) ([e12f843](https://redirect.github.com/grafana/loki/commit/e12f8436b4080db54c6d31c6af38416c6fdd7eb4)) - **deps:** update module github.com/schollz/progressbar/v3 to v3.17.0 ([#​14720](https://redirect.github.com/grafana/loki/issues/14720)) ([4419d0f](https://redirect.github.com/grafana/loki/commit/4419d0f33e9f4f6f9305d89dd6f2ca47e3a18d8c)) - **deps:** update module github.com/shirou/gopsutil/v4 to v4.24.10 ([#​14719](https://redirect.github.com/grafana/loki/issues/14719)) ([3280376](https://redirect.github.com/grafana/loki/commit/32803762781c53ec3fe1bdb64841eb24aeed48f5)) - **deps:** update module github.com/shirou/gopsutil/v4 to v4.24.9 ([#​14357](https://redirect.github.com/grafana/loki/issues/14357)) ([c8e6a9d](https://redirect.github.com/grafana/loki/commit/c8e6a9d38f36ccf1f32e634765bb2363628f3710)) - **deps:** update module github.com/shopify/sarama to v1.43.3 ([#​14059](https://redirect.github.com/grafana/loki/issues/14059)) 
([1cf4813](https://redirect.github.com/grafana/loki/commit/1cf48131d42db7302d6bcf980c355b018fcedb06)) - **deps:** update module github.com/spf13/afero to v1.11.0 ([#​14060](https://redirect.github.com/grafana/loki/issues/14060)) ([bbbd82b](https://redirect.github.com/grafana/loki/commit/bbbd82bc73322d662ba81efeda3884efcdc09708)) - **deps:** update module go.etcd.io/bbolt to v1.3.11 ([#​14358](https://redirect.github.com/grafana/loki/issues/14358)) ([b7bccfc](https://redirect.github.com/grafana/loki/commit/b7bccfcec3275b1d6d76c7450415ac8744e4d7b0)) - **deps:** update module golang.org/x/net to v0.29.0 ([#​14341](https://redirect.github.com/grafana/loki/issues/14341)) ([1b6b9da](https://redirect.github.com/grafana/loki/commit/1b6b9da4e126738037e24d09309b62eac7d54a10)) - **detected_fields:** always return empty array as `null` ([#​14112](https://redirect.github.com/grafana/loki/issues/14112)) ([93009d4](https://redirect.github.com/grafana/loki/commit/93009d4e8ce520a3925bf5c0baff940db6c9caba)) - **distributor:** validate partition ring is kafka is enabled ([#​14303](https://redirect.github.com/grafana/loki/issues/14303)) ([8438d41](https://redirect.github.com/grafana/loki/commit/8438d415931f0a3763d551eb36c3d9f476f70713)) - do not retain span logger created with index set initialized at query time ([#​14027](https://redirect.github.com/grafana/loki/issues/14027)) ([4e41744](https://redirect.github.com/grafana/loki/commit/4e4174400fba410b9f32e0e43c1d866d283a9e62)) - downgrade grpc to fix regression ([#​14065](https://redirect.github.com/grafana/loki/issues/14065)) ([8c38d46](https://redirect.github.com/grafana/loki/commit/8c38d462f5a057497ab222d463223400f2e7b4ab)) - enable service detection for otlp endoint ([#​14036](https://redirect.github.com/grafana/loki/issues/14036)) ([4f962ef](https://redirect.github.com/grafana/loki/commit/4f962ef7af250fc347dbed15583787d0238f6e9f)) - Expand matching for additional variations 
([#​14221](https://redirect.github.com/grafana/loki/issues/14221)) ([71d7291](https://redirect.github.com/grafana/loki/commit/71d7291c9c00c3887d9a509991eb4d3e15ae8699)) - fix bug in query result marshaling for invalid utf8 characters ([#​14585](https://redirect.github.com/grafana/loki/issues/14585)) ([f411a07](https://redirect.github.com/grafana/loki/commit/f411a0795af67630a0a70a88ce64fa071de50a56)) - **helm:** add missing `loki.storage.azure.chunkDelimiter` parameter to Helm chart ([#​14011](https://redirect.github.com/grafana/loki/issues/14011)) ([08c70cc](https://redirect.github.com/grafana/loki/commit/08c70cca2e7b3a7444b0ec9822a6d5fd58ae70d5)) - **helm:** Check for `rbac.namespaced` condition before creating roles ([#​14201](https://redirect.github.com/grafana/loki/issues/14201)) ([3f47f09](https://redirect.github.com/grafana/loki/commit/3f47f09a6956719480677f6af02f58394d7f26bb)) - **helm:** Fix persistence configuration for Memcached ([#​14049](https://redirect.github.com/grafana/loki/issues/14049)) ([ee6e1cf](https://redirect.github.com/grafana/loki/commit/ee6e1cf78864ad3ed915056f695e1f556cc4a22e)) - **helm:** Fix wrong port name referenced for ingress NetworkPolicy ([#​12907](https://redirect.github.com/grafana/loki/issues/12907)) ([963a25b](https://redirect.github.com/grafana/loki/commit/963a25bf417bbd4171c4d9a2b501330fd663410f)) - **helm:** Various fixes and enhancements for bloom components ([#​14128](https://redirect.github.com/grafana/loki/issues/14128)) ([dc0cbd4](https://redirect.github.com/grafana/loki/commit/dc0cbd42dcb8e53152573f0baf03ad93aa0d3cd8)) - Improve docs for min and max table offsets (backport k227) ([#​14929](https://redirect.github.com/grafana/loki/issues/14929)) ([3161fdc](https://redirect.github.com/grafana/loki/commit/3161fdcc6dc1e80a86933a59e6af102c10336c39)) - **kafka:** Fixes partition selection in distributors ([#​14242](https://redirect.github.com/grafana/loki/issues/14242)) 
([3f47233](https://redirect.github.com/grafana/loki/commit/3f472330790204e4d09b7a4e087be3ff0dc04eff)) - **kafka:** Fixes writer initialization for arm32 ([#​14115](https://redirect.github.com/grafana/loki/issues/14115)) ([4da035b](https://redirect.github.com/grafana/loki/commit/4da035b6b78f8bb3b9af28a82865ab543dd8e230)) - **kafka:** Set namespace for Loki kafka metrics ([#​14426](https://redirect.github.com/grafana/loki/issues/14426)) ([8aa8a2b](https://redirect.github.com/grafana/loki/commit/8aa8a2bb0e766da4d64313d17337fa54ab84f8a4)) - **label_format:** renamed label should use ParsedLabel category ([#​14515](https://redirect.github.com/grafana/loki/issues/14515)) ([82fb2f0](https://redirect.github.com/grafana/loki/commit/82fb2f0ae2403686b55fdb2fd5be248f706eddab)) - level detection for warning level ([#​14444](https://redirect.github.com/grafana/loki/issues/14444)) ([242a852](https://redirect.github.com/grafana/loki/commit/242a852d7d471351ea294fc09e2b5dc62eec0d03)) - lint errors ([#​14574](https://redirect.github.com/grafana/loki/issues/14574)) ([99ef900](https://redirect.github.com/grafana/loki/commit/99ef9009e5e2e74f76c865fbb3feaf1559f4b47c)) - **log-to-span:** timestamp.Time should be called with milliseconds ([#​14196](https://redirect.github.com/grafana/loki/issues/14196)) ([f8d9143](https://redirect.github.com/grafana/loki/commit/f8d9143eead92d8727053e065c2d3403f689e4b5)) - logcli: Check for errors before checking for `exists` when fetching data (backport k227) ([#​14906](https://redirect.github.com/grafana/loki/issues/14906)) ([31b2a63](https://redirect.github.com/grafana/loki/commit/31b2a63ee23098fbd0151ef93020bd1cac093afe)) - **logcli:** create new tail response for every line ([#​14525](https://redirect.github.com/grafana/loki/issues/14525)) ([bcfd0d1](https://redirect.github.com/grafana/loki/commit/bcfd0d1ad1c72c6c3861c8263989f2ce683eee08)) - **logql:** Fix panic in json parsing when using empty array index 
([#​14393](https://redirect.github.com/grafana/loki/issues/14393)) ([833bf0d](https://redirect.github.com/grafana/loki/commit/833bf0def6a07e2f58996f54b4b983858750e3e3)) - **logql:** updated JSONExpressionParser not to unescape extracted values if it is JSON object. ([#​14499](https://redirect.github.com/grafana/loki/issues/14499)) ([08b1a90](https://redirect.github.com/grafana/loki/commit/08b1a9080b03bc041471f1ef72c4e3d7c6aea4f4)) - missing dep PartitionRing for Ingester ([#​14292](https://redirect.github.com/grafana/loki/issues/14292)) ([6354ded](https://redirect.github.com/grafana/loki/commit/6354deda90a9430856447e27123b3a33fd1b77a0)) - **mixin:** Remove pod label from disk usage aggregation ([#​14180](https://redirect.github.com/grafana/loki/issues/14180)) ([5d45c96](https://redirect.github.com/grafana/loki/commit/5d45c96ce12f7f16c21e61db1a78e94a09c16007)) - mixins / loki-resources-overview panel layout ([#​14178](https://redirect.github.com/grafana/loki/issues/14178)) ([8f54ec6](https://redirect.github.com/grafana/loki/commit/8f54ec65881bcad90078464d663af9110ef72603)) - **mixins:** add backend path section in loki-operational for single scalable deployment ([#​13023](https://redirect.github.com/grafana/loki/issues/13023)) ([16881ab](https://redirect.github.com/grafana/loki/commit/16881ab0d3b9e9e6bfc37f22ff69f5f1019a0df1)) - **mixins:** disk space utilization panels with latest KSM versions ([#​13486](https://redirect.github.com/grafana/loki/issues/13486)) ([0ea7431](https://redirect.github.com/grafana/loki/commit/0ea7431139ae0a18ef4e90bed836a7a6b92ab890)) - **mixins:** retention dashboards fix metric name ([#​14617](https://redirect.github.com/grafana/loki/issues/14617)) ([c762b9b](https://redirect.github.com/grafana/loki/commit/c762b9b5d3877e7cbfc41d8ab9a1a4287ebe97b2)) - More correctly report starting phase during kafka-reader startup ([#​14632](https://redirect.github.com/grafana/loki/issues/14632)) 
([ea798e0](https://redirect.github.com/grafana/loki/commit/ea798e0f2a3364b4a76f153faf324b4a9ababc4d)) - move partition_id into label to make PromQL easier ([#​14714](https://redirect.github.com/grafana/loki/issues/14714)) ([e6cf423](https://redirect.github.com/grafana/loki/commit/e6cf42396f7554e46b6c331dd1938922806bcfc5)) - nix build, downgrade toolchain to go1.23.1 ([#​14442](https://redirect.github.com/grafana/loki/issues/14442)) ([26dfd62](https://redirect.github.com/grafana/loki/commit/26dfd628f0effe2367420f591da36727ebe78806)) - **operator:** add 1x.pico OpenShift UI dropdown menu ([#​14660](https://redirect.github.com/grafana/loki/issues/14660)) ([4687f37](https://redirect.github.com/grafana/loki/commit/4687f377db0a7ae07ffdea354582c882c10b72c4)) - **operator:** Add missing groupBy label for all rules on OpenShift ([#​14279](https://redirect.github.com/grafana/loki/issues/14279)) ([ce7b2e8](https://redirect.github.com/grafana/loki/commit/ce7b2e89d9470e4e6a61a94f2b51ff8b938b5a5e)) - **operator:** correctly ignore again BlotDB dashboards ([#​14587](https://redirect.github.com/grafana/loki/issues/14587)) ([4879d10](https://redirect.github.com/grafana/loki/commit/4879d106bbeea29e331ddb7c9a49274600190032)) - **operator:** Disable automatic discovery of service name ([#​14506](https://redirect.github.com/grafana/loki/issues/14506)) ([3834c74](https://redirect.github.com/grafana/loki/commit/3834c74966b307411732cd3cbaf66305008b10eb)) - **operator:** Disable log level discovery for OpenShift tenancy modes ([#​14613](https://redirect.github.com/grafana/loki/issues/14613)) ([5034d34](https://redirect.github.com/grafana/loki/commit/5034d34ad23451954ea2459c341456da8d93d020)) - **operator:** Fix building the size-calculator image ([#​14573](https://redirect.github.com/grafana/loki/issues/14573)) ([a79b8fe](https://redirect.github.com/grafana/loki/commit/a79b8fe7802964cbb96bde75a7502a8b1e8a23ab)) - **operator:** Fix make build target for size-calculator 
([#​14551](https://redirect.github.com/grafana/loki/issues/14551)) ([e727187](https://redirect.github.com/grafana/loki/commit/e727187ec3be2f10c80e984d00c40dad0308b036)) - **operator:** Move OTLP attribute for statefulset name to stream labels ([#​14630](https://redirect.github.com/grafana/loki/issues/14630)) ([5df3594](https://redirect.github.com/grafana/loki/commit/5df3594f791d77031c53d7b0f5b01191de8a23f2)) - **operator:** Use empty initiliazed pod status map when no pods ([#​14314](https://redirect.github.com/grafana/loki/issues/14314)) ([6f533ed](https://redirect.github.com/grafana/loki/commit/6f533ed4386ee2db61680a9021934bfe9a9ba749)) - **pattern:** Fixes latency metric namespace for tee to pattern ([#​14241](https://redirect.github.com/grafana/loki/issues/14241)) ([ae955ed](https://redirect.github.com/grafana/loki/commit/ae955ed30d841675dbb9e30327b84728050e724a)) - promtail config unmarshalling ([#​14408](https://redirect.github.com/grafana/loki/issues/14408)) ([a05431f](https://redirect.github.com/grafana/loki/commit/a05431f879a8c29fac6356b6c46be62133c3e93c)) - promtail parser for azureeventhubs message without time field ([#​14218](https://redirect.github.com/grafana/loki/issues/14218)) ([2e62abb](https://redirect.github.com/grafana/loki/commit/2e62abbf47c47041027baf240722b3d76e7bd9a3)) - **promtail:** validate scrape_config job name, do not allow duplicate job names ([#​13719](https://redirect.github.com/grafana/loki/issues/13719)) ([f2d3499](https://redirect.github.com/grafana/loki/commit/f2d349924c2aa0453e49fc607603a189108666ec)) - Propagate query stats from quantile & topk queries ([#​13831](https://redirect.github.com/grafana/loki/issues/13831)) ([78b275b](https://redirect.github.com/grafana/loki/commit/78b275bf1092d834065315207666d6fd1c505f06)) - remove usage of unsafe string in label adapter unmarshal ([#​14216](https://redirect.github.com/grafana/loki/issues/14216)) 
([758364c](https://redirect.github.com/grafana/loki/commit/758364c7775fba22a84498089a476c21f737d32f)) - Rename mispelled filename ([#​14237](https://redirect.github.com/grafana/loki/issues/14237)) ([cf1d4a3](https://redirect.github.com/grafana/loki/commit/cf1d4a31af5c376e82756eaaab267369f862265d)) - report correct status code for metric and log queries in metrics.go ([#​12102](https://redirect.github.com/grafana/loki/issues/12102)) ([900751c](https://redirect.github.com/grafana/loki/commit/900751c3bb008c50441c47eef3927a27201b1a11)) - Report PSRL error message correctly ([#​14187](https://redirect.github.com/grafana/loki/issues/14187)) ([a475153](https://redirect.github.com/grafana/loki/commit/a47515300a5cfac667eca1ca8e8d1a71e590b7d2)) - Revert "fix(deps): update module github.com/shirou/gopsutil/v4 to v4.24.9 ([#​14357](https://redirect.github.com/grafana/loki/issues/14357))" ([#​14437](https://redirect.github.com/grafana/loki/issues/14437)) ([d53955b](https://redirect.github.com/grafana/loki/commit/d53955bbff5abae63a166099cef1f26b450a31f1)) - **s3:** disable client retries when congestion control is enabled ([#​14588](https://redirect.github.com/grafana/loki/issues/14588)) ([cff9f43](https://redirect.github.com/grafana/loki/commit/cff9f43dd6fb5e90c875c14c138ea39b58202dff)) - **sharding:** apply offset to both `from` and `through` in shard request ([#​14256](https://redirect.github.com/grafana/loki/issues/14256)) ([17c472d](https://redirect.github.com/grafana/loki/commit/17c472d9abea6b1cae21de5fe2af8b365bdaf137)) - skipping label if it contains special symbol ([#​14068](https://redirect.github.com/grafana/loki/issues/14068)) ([55e374e](https://redirect.github.com/grafana/loki/commit/55e374e85e7275da8f40d1149defd88f31856f25)) - **storage/chunk/client/aws:** have GetObject check for canceled context ([#​14420](https://redirect.github.com/grafana/loki/issues/14420)) ([5f325aa](https://redirect.github.com/grafana/loki/commit/5f325aac56e41848979e9e33a4a443e31ea525d0)) - 
Transform `ObjectExistsWithSize` into `GetAttributes` ([#​14329](https://redirect.github.com/grafana/loki/issues/14329)) ([2f56f50](https://redirect.github.com/grafana/loki/commit/2f56f50cc6591ca482358933c719d005446d0c01)) - Update AWS storage timeout error for Go 1.23 behavior ([#​14226](https://redirect.github.com/grafana/loki/issues/14226)) ([a4642b5](https://redirect.github.com/grafana/loki/commit/a4642b55e9b374ccd974b662e7b17a2389c3dcbd)) - Update renovate ignore for operator API with new module path ([#​14581](https://redirect.github.com/grafana/loki/issues/14581)) ([c9b2907](https://redirect.github.com/grafana/loki/commit/c9b2907f3c97cf0a14837c0b27cad7a06d84f447)) - Wait for OwnedStreams service in Ingester startup ([#​14208](https://redirect.github.com/grafana/loki/issues/14208)) ([a4aee4f](https://redirect.github.com/grafana/loki/commit/a4aee4f4ff494b525f68c9c6c1ae3417a8e61ebe)) ##### Performance Improvements - **blooms:** Remove compression of `.tar` archived bloom blocks ([#​14159](https://redirect.github.com/grafana/loki/issues/14159)) ([cdf084f](https://redirect.github.com/grafana/loki/commit/cdf084fdaeaf632e7c078022c6ad4322bfef2989)) - **logql:** Micro-optimizations for IP filter ([#​14072](https://redirect.github.com/grafana/loki/issues/14072)) ([c5083c7](https://redirect.github.com/grafana/loki/commit/c5083c7f1ff2f86c74b96c9a87cead78ee6fb3cd)) ##### Miscellaneous Chores - **blooms:** Introduce a new block schema (V3) ([#​14038](https://redirect.github.com/grafana/loki/issues/14038)) ([5395daf](https://redirect.github.com/grafana/loki/commit/5395daf898c2d0bbc4756ab6260c54feda960911)) ##### Code Refactoring - **operator:** Migrate project layout to kubebuilder go/v4 ([#​14447](https://redirect.github.com/grafana/loki/issues/14447)) ([dbb3b6e](https://redirect.github.com/grafana/loki/commit/dbb3b6edc96f3545a946319c0324518800d286cf)) - **operator:** Rename loki api go module ([#​14568](https://redirect.github.com/grafana/loki/issues/14568)) 
([976d8ab](https://redirect.github.com/grafana/loki/commit/976d8ab81c1a79f35d7cec96f6a9c35a9947fa48)) ### [`v3.2.2`](https://redirect.github.com/grafana/loki/releases/tag/v3.2.2) [Compare Source](https://redirect.github.com/grafana/loki/compare/v3.2.1...v3.2.2) ##### ⚠ BREAKING CHANGES - **promtail:** Remove `wget` from Promtail docker image (backport release-3.2.x) ([#​15145](https://redirect.github.com/grafana/loki/issues/15145)) ##### Bug Fixes - **logql:** Updated JSONExpressionParser not to unescape extracted values if it is JSON object. ([#​14499](https://redirect.github.com/grafana/loki/issues/14499)). - **storage:** Have GetObject check for canceled context. S3ObjectClient.GetObject incorrectly returned nil, 0, nil when the provided context is already canceled ([#​14420](https://redirect.github.com/grafana/loki/issues/14420)). ##### Miscellaneous Chores - **promtail:** Switch Promtail base image from Debian to Ubuntu to fix critical security issues ([#​15195](https://redirect.github.com/grafana/loki/issues/15195)). - **docker:** Move from base-nossl to static. This PR removes the inclusion of glibc into most of the Docker images created by the Loki build system. ([#​15203](https://redirect.github.com/grafana/loki/issues/15203)).
grafana/helm-charts (loki) ### [`v6.22.0`](https://redirect.github.com/grafana/helm-charts/releases/tag/grafana-6.22.0) The leading tool for querying and visualizing time series and metrics. ### [`v6.21.0`](https://redirect.github.com/grafana/helm-charts/releases/tag/grafana-6.21.0) The leading tool for querying and visualizing time series and metrics. ### [`v6.20.0`](https://redirect.github.com/grafana/helm-charts/releases/tag/grafana-6.20.0) The leading tool for querying and visualizing time series and metrics.
--- ### Configuration πŸ“… **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. β™» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. πŸ‘» **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/defenseunicorns/uds-core). Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- src/loki/common/zarf.yaml | 2 +- src/loki/values/registry1-values.yaml | 4 ++-- src/loki/values/unicorn-values.yaml | 6 +++--- src/loki/values/upstream-values.yaml | 4 ++-- src/loki/zarf.yaml | 14 +++++++------- 5 files changed, 15 insertions(+), 15 deletions(-) diff --git a/src/loki/common/zarf.yaml b/src/loki/common/zarf.yaml index 26c3d4998..581bc50fd 100644 --- a/src/loki/common/zarf.yaml +++ b/src/loki/common/zarf.yaml @@ -16,7 +16,7 @@ components: localPath: ../chart - name: loki url: https://grafana.github.io/helm-charts/ - version: 6.19.0 + version: 6.23.0 namespace: loki valuesFiles: - ../values/values.yaml diff --git a/src/loki/values/registry1-values.yaml b/src/loki/values/registry1-values.yaml index 28be3bac8..63963d5c1 100644 --- a/src/loki/values/registry1-values.yaml +++ b/src/loki/values/registry1-values.yaml @@ -5,7 +5,7 @@ loki: image: registry: registry1.dso.mil repository: ironbank/opensource/grafana/loki - tag: 3.2.1 + tag: 3.3.1 podSecurityContext: fsGroup: 10001 runAsGroup: 10001 @@ -26,4 +26,4 @@ gateway: memcached: image: repository: registry1.dso.mil/ironbank/opensource/memcached/memcached - tag: 1.6.32 + tag: 1.6.33 
diff --git a/src/loki/values/unicorn-values.yaml b/src/loki/values/unicorn-values.yaml index 9c5b082a7..c2b44569d 100644 --- a/src/loki/values/unicorn-values.yaml +++ b/src/loki/values/unicorn-values.yaml @@ -5,13 +5,13 @@ loki: image: registry: cgr.dev repository: du-uds-defenseunicorns/loki - tag: 3.2.1 + tag: 3.3.1 gateway: image: registry: cgr.dev repository: du-uds-defenseunicorns/nginx-fips - tag: 1.27.2 + tag: 1.27.3 memcached: image: repository: cgr.dev/du-uds-defenseunicorns/memcached - tag: 1.6.32 + tag: 1.6.33 diff --git a/src/loki/values/upstream-values.yaml b/src/loki/values/upstream-values.yaml index 42eead34d..13ecaeee9 100644 --- a/src/loki/values/upstream-values.yaml +++ b/src/loki/values/upstream-values.yaml @@ -5,7 +5,7 @@ loki: image: registry: docker.io repository: grafana/loki - tag: 3.2.1 + tag: 3.3.1 gateway: image: @@ -17,4 +17,4 @@ memcached: image: registry: docker.io repository: memcached - tag: 1.6.32-alpine + tag: 1.6.33-alpine diff --git a/src/loki/zarf.yaml b/src/loki/zarf.yaml index 6a3dcb29f..3741c98e4 100644 --- a/src/loki/zarf.yaml +++ b/src/loki/zarf.yaml @@ -19,9 +19,9 @@ components: valuesFiles: - ./values/upstream-values.yaml images: - - docker.io/grafana/loki:3.2.1 + - docker.io/grafana/loki:3.3.1 - docker.io/nginxinc/nginx-unprivileged:1.27-alpine - - docker.io/memcached:1.6.32-alpine + - docker.io/memcached:1.6.33-alpine - name: loki required: true @@ -35,9 +35,9 @@ components: valuesFiles: - ./values/registry1-values.yaml images: - - registry1.dso.mil/ironbank/opensource/grafana/loki:3.2.1 + - registry1.dso.mil/ironbank/opensource/grafana/loki:3.3.1 - registry1.dso.mil/ironbank/opensource/nginx/nginx-alpine:1.26.2 - - registry1.dso.mil/ironbank/opensource/memcached/memcached:1.6.32 + - registry1.dso.mil/ironbank/opensource/memcached/memcached:1.6.33 - name: loki required: true 
@@ -51,6 +51,6 @@ components: valuesFiles: - ./values/unicorn-values.yaml images: - - cgr.dev/du-uds-defenseunicorns/loki:3.2.1 - - cgr.dev/du-uds-defenseunicorns/nginx-fips:1.27.2 - - cgr.dev/du-uds-defenseunicorns/memcached:1.6.32 + - cgr.dev/du-uds-defenseunicorns/loki:3.3.1 + - cgr.dev/du-uds-defenseunicorns/nginx-fips:1.27.3 + - cgr.dev/du-uds-defenseunicorns/memcached:1.6.33 From 658ad0d0f360855f8e187a192114c1999dd56dbc Mon Sep 17 00:00:00 2001 
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 10 Dec 2024 16:15:41 +0000 Subject: [PATCH 15/21] chore(deps): update playwright to v1.49.1 (#1103) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | Type | Update | |---|---|---|---|---|---|---|---| | [@playwright/test](https://playwright.dev) ([source](https://redirect.github.com/microsoft/playwright)) | [`1.49.0` -> `1.49.1`](https://renovatebot.com/diffs/npm/@playwright%2ftest/1.49.0/1.49.1) | [![age](https://developer.mend.io/api/mc/badges/age/npm/@playwright%2ftest/1.49.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/@playwright%2ftest/1.49.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/@playwright%2ftest/1.49.0/1.49.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@playwright%2ftest/1.49.0/1.49.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | devDependencies | patch | | mcr.microsoft.com/playwright | `v1.49.0-noble` -> `v1.49.1-noble` | [![age](https://developer.mend.io/api/mc/badges/age/docker/mcr.microsoft.com%2fplaywright/v1.49.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/docker/mcr.microsoft.com%2fplaywright/v1.49.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/docker/mcr.microsoft.com%2fplaywright/v1.49.0/v1.49.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | 
[![confidence](https://developer.mend.io/api/mc/badges/confidence/docker/mcr.microsoft.com%2fplaywright/v1.49.0/v1.49.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | | patch | --- ### Release Notes
microsoft/playwright (@​playwright/test) ### [`v1.49.1`](https://redirect.github.com/microsoft/playwright/compare/v1.49.0...88bc8afc78ea6ff13d2bbb312b99eb924962766c) [Compare Source](https://redirect.github.com/microsoft/playwright/compare/v1.49.0...v1.49.1)
--- ### Configuration πŸ“… **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. β™» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. πŸ”• **Ignore**: Close this PR and you won't be reminded about these updates again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/defenseunicorns/uds-core). Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- src/grafana/tasks.yaml | 2 +- src/neuvector/tasks.yaml | 2 +- tasks/test.yaml | 2 +- test/playwright/package-lock.json | 22 +++++++++++----------- 4 files changed, 14 insertions(+), 14 deletions(-) diff --git a/src/grafana/tasks.yaml b/src/grafana/tasks.yaml index 3da5cbba5..2b34e1bcf 100644 --- a/src/grafana/tasks.yaml +++ b/src/grafana/tasks.yaml @@ -40,7 +40,7 @@ tasks: - description: E2E Test for Grafana, optionally set FULL_CORE=true to test integrations with Loki cmd: | # renovate: datasource=docker depName=mcr.microsoft.com/playwright versioning=docker - docker run --rm --ipc=host -e FULL_CORE="${FULL_CORE}" --net=host --mount type=bind,source="$(pwd)",target=/app mcr.microsoft.com/playwright:v1.49.0-noble sh -c " \ + docker run --rm --ipc=host -e FULL_CORE="${FULL_CORE}" --net=host --mount type=bind,source="$(pwd)",target=/app mcr.microsoft.com/playwright:v1.49.1-noble sh -c " \ cd app && \ npm ci && \ npx playwright test grafana.test.ts \ diff --git a/src/neuvector/tasks.yaml b/src/neuvector/tasks.yaml index 2f66394ec..e325f463f 100644 --- a/src/neuvector/tasks.yaml +++ b/src/neuvector/tasks.yaml 
@@ -52,7 +52,7 @@ tasks: - description: E2E Test for NeuVector cmd: | # renovate: datasource=docker depName=mcr.microsoft.com/playwright versioning=docker - docker run --rm --ipc=host -e FULL_CORE="${FULL_CORE}" --net=host --mount type=bind,source="$(pwd)",target=/app mcr.microsoft.com/playwright:v1.49.0-noble sh -c " \ + docker run --rm --ipc=host -e FULL_CORE="${FULL_CORE}" --net=host --mount type=bind,source="$(pwd)",target=/app mcr.microsoft.com/playwright:v1.49.1-noble sh -c " \ cd app && \ npm ci && \ npx playwright test neuvector.test.ts \ diff --git a/tasks/test.yaml b/tasks/test.yaml index 033db9d5e..f9dc8c918 100644 --- a/tasks/test.yaml +++ b/tasks/test.yaml @@ -67,7 +67,7 @@ tasks: dir: test/playwright cmd: | # renovate: datasource=docker depName=mcr.microsoft.com/playwright versioning=docker - docker run --rm --ipc=host --net=host -e FULL_CORE="true" --mount type=bind,source="$(pwd)",target=/app mcr.microsoft.com/playwright:v1.49.0-noble sh -c " \ + docker run --rm --ipc=host --net=host -e FULL_CORE="true" --mount type=bind,source="$(pwd)",target=/app mcr.microsoft.com/playwright:v1.49.1-noble sh -c " \ cd app && \ npm ci && \ npx playwright test \ diff --git a/test/playwright/package-lock.json b/test/playwright/package-lock.json index 66310e7fa..631090ef0 100644 --- a/test/playwright/package-lock.json +++ b/test/playwright/package-lock.json 
@@ -12,13 +12,13 @@ } }, "node_modules/@playwright/test": { - "version": "1.49.0", - "resolved": "https://registry.npmjs.org/@playwright/test/-/test-1.49.0.tgz", - "integrity": "sha512-DMulbwQURa8rNIQrf94+jPJQ4FmOVdpE5ZppRNvWVjvhC+6sOeo28r8MgIpQRYouXRtt/FCCXU7zn20jnHR4Qw==", + "version": "1.49.1", + "resolved": "https://registry.npmjs.org/@playwright/test/-/test-1.49.1.tgz", + "integrity": "sha512-Ky+BVzPz8pL6PQxHqNRW1k3mIyv933LML7HktS8uik0bUXNCdPhoS/kLihiO1tMf/egaJb4IutXd7UywvXEW+g==", "dev": true, "license": "Apache-2.0", "dependencies": { - "playwright": "1.49.0" + "playwright": "1.49.1" }, "bin": { "playwright": "cli.js" @@ -52,13 +52,13 @@ } }, "node_modules/playwright": { - "version": "1.49.0", - "resolved": "https://registry.npmjs.org/playwright/-/playwright-1.49.0.tgz", - "integrity": "sha512-eKpmys0UFDnfNb3vfsf8Vx2LEOtflgRebl0Im2eQQnYMA4Aqd+Zw8bEOB+7ZKvN76901mRnqdsiOGKxzVTbi7A==", + "version": "1.49.1", + "resolved": "https://registry.npmjs.org/playwright/-/playwright-1.49.1.tgz", + "integrity": "sha512-VYL8zLoNTBxVOrJBbDuRgDWa3i+mfQgDTrL8Ah9QXZ7ax4Dsj0MSq5bYgytRnDVVe+njoKnfsYkH3HzqVj5UZA==", "dev": true, "license": "Apache-2.0", "dependencies": { - "playwright-core": "1.49.0" + "playwright-core": "1.49.1" }, "bin": { "playwright": "cli.js" @@ -71,9 +71,9 @@ } }, "node_modules/playwright-core": { - "version": "1.49.0", - "resolved": "https://registry.npmjs.org/playwright-core/-/playwright-core-1.49.0.tgz", - "integrity": "sha512-R+3KKTQF3npy5GTiKH/T+kdhoJfJojjHESR1YEWhYuEKRVfVaxH3+4+GvXE5xyCngCxhxnykk0Vlah9v8fs3jA==", + "version": "1.49.1", + "resolved": "https://registry.npmjs.org/playwright-core/-/playwright-core-1.49.1.tgz", + "integrity": "sha512-BzmpVcs4kE2CH15rWfzpjzVGhWERJfmnXmniSyKeRZUs9Ws65m+RGIi7mjJK/euCegfn3i7jvqWeWyHe9y3Vgg==", "dev": true, "license": "Apache-2.0", "bin": { From 7370ab1289095d8d718c6c7517c82642dbf4db56 Mon Sep 17 00:00:00 2001 
From: Noah <40781376+noahpb@users.noreply.github.com> Date: Tue, 10 Dec 2024 11:17:08 -0500 Subject: [PATCH 16/21] chore: add additional step to pr request template (#1104) ## Description Update the PR template to encourage users to share steps to reproduce validations for new changes. ## Related Issue Fixes # Relates to # ## Type of change - [ ] Bug fix (non-breaking change which fixes an issue) - [ ] New feature (non-breaking change which adds functionality) - [ ] Other (security config, docs update, etc) ## Checklist before merging - [ ] Test, docs, adr added or updated as needed - [ ] [Contributor Guide](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md) followed --------- Co-authored-by: Micah Nagel --- .github/pull_request_template.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md index b6cce5a14..d4d54adac 100644 --- a/.github/pull_request_template.md +++ b/.github/pull_request_template.md @@ -14,6 +14,9 @@ Relates to # - [ ] New feature (non-breaking change which adds functionality) - [ ] Other (security config, docs update, etc) +## Steps to Validate +- If this PR introduces new functionality to UDS Core or addresses a bug, please document the steps to test the changes. + ## Checklist before merging - [ ] Test, docs, adr added or updated as needed From f87a96dfb785352e3b610eb4cec91d7e591bd55b Mon Sep 17 00:00:00 2001 
From: Micah Nagel Date: Tue, 10 Dec 2024 11:08:48 -0700 Subject: [PATCH 17/21] chore: remove loki peerauth exception (#1106) ## Description Upstream [grafana docs](https://grafana.com/docs/loki/latest/setup/install/istio/) do not indicate that this is necessary, likely it was used in the past when services did not have the correct appProtocol. This may be causing issues with our Loki clustering, but overall removing it improves our security posture. I also removed the action used during our cutover from promtail -> vector. ## Related Issue N/A ## Type of change - [ ] Bug fix (non-breaking change which fixes an issue) - [ ] New feature (non-breaking change which adds functionality) - [x] Other (security config, docs update, etc) ## Steps to Validate Recommend deploying Loki with an install and upgrade and validating functionality: ```console # Deploy slim-dev from last release uds deploy oci://ghcr.io/defenseunicorns/packages/uds/bundles/k3d-core-slim-dev:0.32.1 --confirm # (optional) Deploy monitoring layer for visualizing/querying loki easier uds zarf p deploy oci://ghcr.io/defenseunicorns/packages/uds/core-monitoring:0.32.1-upstream --confirm # (for testing upgrade) Deploy logging layer from last release uds zarf p deploy oci://ghcr.io/defenseunicorns/packages/uds/core-logging:0.32.1-upstream --confirm # Deploy logging from this branch (this includes an upgrade to the Loki version from main) uds run test:single-layer --set layer=logging # (optional) run the e2e tests for grafana which test the loki datasource uds run -f src/grafana/tasks.yaml e2e-test --set FULL_CORE=true ``` ## Checklist before merging - [x] Test, docs, adr added or updated as needed - [x] [Contributor Guide](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md) followed --- .../loki-simple-scalable.yaml | 20 ------------------- src/vector/common/zarf.yaml | 6 ------ 2 files changed, 26 deletions(-) delete mode 100644 
src/loki/chart/templates/peerauthentication/loki-simple-scalable.yaml diff --git a/src/loki/chart/templates/peerauthentication/loki-simple-scalable.yaml b/src/loki/chart/templates/peerauthentication/loki-simple-scalable.yaml deleted file mode 100644 index 12ac3e56b..000000000 --- a/src/loki/chart/templates/peerauthentication/loki-simple-scalable.yaml +++ /dev/null @@ -1,20 +0,0 @@ -# Copyright 2024 Defense Unicorns -# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial - -{{- if .Capabilities.APIVersions.Has "security.istio.io/v1beta1" }} -apiVersion: "security.istio.io/v1beta1" -kind: PeerAuthentication -metadata: - name: loki-simple-scalable - namespace: {{ .Release.Namespace }} -spec: - mtls: - mode: STRICT - selector: - matchLabels: - app.kubernetes.io/name: loki - portLevelMtls: - # GRPC exception to support Loki internal communication - "9095": - mode: PERMISSIVE -{{- end }} diff --git a/src/vector/common/zarf.yaml b/src/vector/common/zarf.yaml index 0468f1ccc..9054977fb 100644 --- a/src/vector/common/zarf.yaml +++ b/src/vector/common/zarf.yaml @@ -24,12 +24,6 @@ components: - ../values/values.yaml actions: onDeploy: - before: - - description: Remove Promtail Components if necessary - mute: true - cmd: | - ./zarf package remove core --components promtail --confirm || true # Ensure this doesn't error on installs and upgrades when Promtail no longer exists - ./zarf tools kubectl delete ns promtail || true # Ensure this doesn't error on installs and upgrades when Promtail no longer exists after: - description: Validate Vector Package maxTotalSeconds: 300 From 620e6b2c98a1a810995f4431578b6c2a71479db9 Mon Sep 17 00:00:00 2001 
From: Micah Nagel Date: Tue, 10 Dec 2024 12:41:20 -0700 Subject: [PATCH 18/21] fix: kubeapi netpol initialization / support for ingress policies (#1097) ## Description Fixes some issues with the netpol update logic to ensure we are accounting for ingress policies, as well as ensuring this only runs on watcher pods. Also adds jest test coverage of this function. ## Related Issue Fixes https://github.com/defenseunicorns/uds-core/issues/1101 ## Steps to Validate The primary fix here has to do with Pepr crashing on startup when an `Ingress` kubeapi policy is present. The below section steps through testing this.
Validation Steps ```console # Deploy base layer (using unicorn flavor to avoid dockerhub rate limiting) uds run test-single-layer --set LAYER=base --set FLAVOR=unicorn # Create a namespace for our test package kubectl create ns test # Create a package CR with egress and ingress kubeapi policies cat < ## Type of change - [x] Bug fix (non-breaking change which fixes an issue) - [ ] New feature (non-breaking change which adds functionality) - [ ] Other (security config, docs update, etc) ## Checklist before merging - [x] Test, docs, adr added or updated as needed - [x] [Contributor Guide](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md) followed --------- Co-authored-by: Chance <139784371+UnicornChance@users.noreply.github.com> --- .../network/generators/kubeAPI.spec.ts | 324 +++++++++++++++++- .../controllers/network/generators/kubeAPI.ts | 61 +++- src/pepr/operator/index.ts | 4 +- tasks.yaml | 2 +- 4 files changed, 372 insertions(+), 19 deletions(-) diff --git a/src/pepr/operator/controllers/network/generators/kubeAPI.spec.ts b/src/pepr/operator/controllers/network/generators/kubeAPI.spec.ts index 90f7bad9a..0de63061d 100644 --- a/src/pepr/operator/controllers/network/generators/kubeAPI.spec.ts +++ b/src/pepr/operator/controllers/network/generators/kubeAPI.spec.ts @@ -5,7 +5,7 @@ import { beforeEach, describe, expect, it, jest } from "@jest/globals"; import { K8s, kind } from "pepr"; -import { updateAPIServerCIDR } from "./kubeAPI"; +import { updateAPIServerCIDR, updateKubeAPINetworkPolicies } from "./kubeAPI"; type KubernetesList = { items: T[]; @@ -19,10 +19,10 @@ jest.mock("pepr", () => { }; }); -describe("updateAPIServerCIDR", () => { - const mockApply = jest.fn(); - const mockGet = jest.fn<() => Promise>>(); +const mockApply = jest.fn(); +const mockGet = jest.fn<() => Promise>>(); +describe("updateAPIServerCIDR", () => { beforeEach(() => { jest.clearAllMocks(); (K8s as jest.Mock).mockImplementation(() => ({ 
@@ -259,3 +259,319 @@ describe("updateAPIServerCIDR", () => { expect(mockApply).not.toHaveBeenCalled(); }); }); + +describe("updateKubeAPINetworkPolicies", () => { + beforeEach(() => { + jest.clearAllMocks(); + (K8s as jest.Mock).mockImplementation(() => ({ + WithLabel: jest.fn(() => ({ + Get: mockGet, + })), + Apply: mockApply, + })); + }); + + it("does not update an egress NetworkPolicy if the peers are already correct", async () => { + const newPeers = [{ ipBlock: { cidr: "10.0.0.1/32" } }]; + mockGet.mockResolvedValue({ + items: [ + { + metadata: { + name: "mock-netpol", + namespace: "default", + }, + spec: { + egress: [ + { + to: newPeers, + }, + ], + }, + }, + ], + } as KubernetesList); + + await updateKubeAPINetworkPolicies(newPeers); + + expect(mockGet).toHaveBeenCalled(); + expect(mockApply).not.toHaveBeenCalled(); // No update needed + }); + + it("does not update an ingress NetworkPolicy if the peers are already correct", async () => { + const newPeers = [{ ipBlock: { cidr: "10.0.0.1/32" } }]; + mockGet.mockResolvedValue({ + items: [ + { + metadata: { + name: "mock-netpol", + namespace: "default", + }, + spec: { + ingress: [ + { + from: newPeers, + }, + ], + }, + }, + ], + } as KubernetesList); + + await updateKubeAPINetworkPolicies(newPeers); + + expect(mockGet).toHaveBeenCalled(); + expect(mockApply).not.toHaveBeenCalled(); // No update needed + }); + + it("updates an egress NetworkPolicy with different peers", async () => { + const newPeers = [{ ipBlock: { cidr: "10.0.0.1/32" } }]; + const oldPeers = [{ ipBlock: { cidr: "192.168.1.0/32" } }]; + mockGet.mockResolvedValue({ + items: [ + { + metadata: { + name: "mock-netpol", + namespace: "default", + }, + spec: { + egress: [ + { + to: oldPeers, + }, + ], + }, + }, + ], + } as KubernetesList); + + await updateKubeAPINetworkPolicies(newPeers); + + expect(mockGet).toHaveBeenCalled(); + expect(mockApply).toHaveBeenCalledWith( + expect.objectContaining({ + metadata: { + name: "mock-netpol", + namespace: 
"default", + }, + spec: { + egress: [ + { + to: newPeers, + }, + ], + }, + }), + { force: true }, + ); + }); + + it("updates an ingress NetworkPolicy with different peers", async () => { + const newPeers = [{ ipBlock: { cidr: "10.0.0.1/32" } }]; + const oldPeers = [{ ipBlock: { cidr: "192.168.1.0/32" } }]; + mockGet.mockResolvedValue({ + items: [ + { + metadata: { + name: "mock-netpol", + namespace: "default", + }, + spec: { + ingress: [ + { + from: oldPeers, + }, + ], + }, + }, + ], + } as KubernetesList); + + await updateKubeAPINetworkPolicies(newPeers); + + expect(mockGet).toHaveBeenCalled(); + expect(mockApply).toHaveBeenCalledWith( + expect.objectContaining({ + metadata: { + name: "mock-netpol", + namespace: "default", + }, + spec: { + ingress: [ + { + from: newPeers, + }, + ], + }, + }), + { force: true }, + ); + }); + + it("updates an egress NetworkPolicy with no peers", async () => { + const newPeers = [{ ipBlock: { cidr: "10.0.0.1/32" } }]; + mockGet.mockResolvedValue({ + items: [ + { + metadata: { + name: "mock-netpol", + namespace: "default", + }, + spec: { + egress: [ + { + to: undefined, + }, + ], + }, + }, + ], + } as KubernetesList); + + await updateKubeAPINetworkPolicies(newPeers); + + expect(mockGet).toHaveBeenCalled(); + expect(mockApply).toHaveBeenCalledWith( + expect.objectContaining({ + metadata: { + name: "mock-netpol", + namespace: "default", + }, + spec: { + egress: [ + { + to: newPeers, + }, + ], + }, + }), + { force: true }, + ); + }); + + it("updates an ingress NetworkPolicy with no peers", async () => { + const newPeers = [{ ipBlock: { cidr: "10.0.0.1/32" } }]; + mockGet.mockResolvedValue({ + items: [ + { + metadata: { + name: "mock-netpol", + namespace: "default", + }, + spec: { + ingress: [ + { + from: undefined, + }, + ], + }, + }, + ], + } as KubernetesList); + + await updateKubeAPINetworkPolicies(newPeers); + + expect(mockGet).toHaveBeenCalled(); + expect(mockApply).toHaveBeenCalledWith( + expect.objectContaining({ + metadata: { + 
name: "mock-netpol", + namespace: "default", + }, + spec: { + ingress: [ + { + from: newPeers, + }, + ], + }, + }), + { force: true }, + ); + }); + + it("initializes missing egress rules", async () => { + const newPeers = [{ ipBlock: { cidr: "10.0.0.1/32" } }]; + mockGet.mockResolvedValue({ + items: [ + { + metadata: { + name: "mock-netpol", + namespace: "default", + }, + spec: { + egress: [{}], + }, // No egress at all + }, + ], + } as KubernetesList); + + await updateKubeAPINetworkPolicies(newPeers); + + expect(mockGet).toHaveBeenCalled(); + expect(mockApply).toHaveBeenCalledWith( + expect.objectContaining({ + metadata: { + name: "mock-netpol", + namespace: "default", + }, + spec: { + egress: [ + { + to: newPeers, + }, + ], + }, + }), + { force: true }, + ); + }); + + it("initializes missing ingress rules", async () => { + const newPeers = [{ ipBlock: { cidr: "10.0.0.1/32" } }]; + mockGet.mockResolvedValue({ + items: [ + { + metadata: { + name: "mock-netpol", + namespace: "default", + }, + spec: { + ingress: [{}], + }, // No egress at all + }, + ], + } as KubernetesList); + + await updateKubeAPINetworkPolicies(newPeers); + + expect(mockGet).toHaveBeenCalled(); + expect(mockApply).toHaveBeenCalledWith( + expect.objectContaining({ + metadata: { + name: "mock-netpol", + namespace: "default", + }, + spec: { + ingress: [ + { + from: newPeers, + }, + ], + }, + }), + { force: true }, + ); + }); + + it("handles no matching NetworkPolicies", async () => { + const newPeers = [{ ipBlock: { cidr: "10.0.0.1/32" } }]; + mockGet.mockResolvedValue({ + items: [], // No NetworkPolicies found + } as KubernetesList); + + await updateKubeAPINetworkPolicies(newPeers); + + expect(mockGet).toHaveBeenCalled(); + expect(mockApply).not.toHaveBeenCalled(); // No policies to update + }); +}); diff --git a/src/pepr/operator/controllers/network/generators/kubeAPI.ts b/src/pepr/operator/controllers/network/generators/kubeAPI.ts index b148a9a6a..6e90e0d92 100644 
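Review bot: The two "initializes missing egress/ingress rules" tests use `egress: [{}]` and `ingress: [{}]`, so rule 0 already exists and the `if (!netPol.spec.egress[0])` / `if (!netPol.spec.ingress[0])` initialisation branches in updateKubeAPINetworkPolicies are never exercised. Using `spec: { egress: [] }` and `spec: { ingress: [] }` in those fixtures would reach them with the same expected result. The trailing `// No egress at all` comment is inaccurate in the egress test and was copied unchanged into the ingress test; drop it or reword it to match the fixture. None of the added cases covers the new missing-`spec` guard or a policy that carries both rule lists.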
--- a/src/pepr/operator/controllers/network/generators/kubeAPI.ts +++ b/src/pepr/operator/controllers/network/generators/kubeAPI.ts @@ -26,17 +26,23 @@ let apiServerPeers: V1NetworkPolicyPeer[]; * Otherwise, it fetches the EndpointSlice and updates the CIDR dynamically. */ export async function initAPIServerCIDR() { - const svc = await retryWithDelay(fetchKubernetesService, log); + try { + const svc = await retryWithDelay(fetchKubernetesService, log); - // If static CIDR is defined, pass it directly - if (UDSConfig.kubeApiCidr) { - log.info( - `Static CIDR (${UDSConfig.kubeApiCidr}) is defined for KubeAPI, skipping EndpointSlice lookup.`, - ); - await updateAPIServerCIDR(svc, UDSConfig.kubeApiCidr); // Pass static CIDR - } else { - const slice = await retryWithDelay(fetchKubernetesEndpointSlice, log); - await updateAPIServerCIDR(svc, slice); + // If static CIDR is defined, pass it directly + if (UDSConfig.kubeApiCidr) { + log.info( + `Static CIDR (${UDSConfig.kubeApiCidr}) is defined for KubeAPI, skipping EndpointSlice lookup.`, + ); + await updateAPIServerCIDR(svc, UDSConfig.kubeApiCidr); // Pass static CIDR + } else { + const slice = await retryWithDelay(fetchKubernetesEndpointSlice, log); + await updateAPIServerCIDR(svc, slice); + } + } catch (error) { + log.error("Failed to initialize API Server CIDR for KubeAPI generated network policies", { + err: JSON.stringify(error), + }); } } 
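Review bot: `err: JSON.stringify(error)` in the new catch block logs `{}` whenever the rejection is an `Error` instance, because `message` and `stack` are non-enumerable, so the entry reporting that the KubeAPI network policy peers were not initialised carries no cause. Log the message explicitly, e.g. `err: error instanceof Error ? error.message : JSON.stringify(error),`. The catch swallows the failure and index.ts discards the promise with `void`, so this log line is the only signal that the policies may be holding stale or missing API server peers.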
@@ -156,10 +162,39 @@ export async function updateKubeAPINetworkPolicies(newPeers: V1NetworkPolicyPeer .Get(); for (const netPol of netPols.items) { - const oldPeers = netPol.spec?.egress?.[0].to; + // Safety check for network policy spec existence + if (!netPol.spec) { + log.warn( + `KubeAPI NetworkPolicy ${netPol.metadata!.namespace}/${netPol.metadata!.name} is missing spec.`, + ); + continue; + } + + let updateRequired = false; + // Handle egress policies + if (netPol.spec.egress) { + if (!netPol.spec.egress[0]) { + netPol.spec.egress[0] = { to: [] }; + } + const oldPeers = netPol.spec.egress[0].to; + if (!R.equals(oldPeers, newPeers)) { + updateRequired = true; + netPol.spec.egress[0].to = newPeers; + } + // Handle ingress policies + } else if (netPol.spec.ingress) { + if (!netPol.spec.ingress[0]) { + netPol.spec.ingress[0] = { from: [] }; + } + const oldPeers = netPol.spec.ingress[0].from; + if (!R.equals(oldPeers, newPeers)) { + updateRequired = true; + netPol.spec.ingress[0].from = newPeers; + } + } - if (!R.equals(oldPeers, newPeers)) { - netPol.spec!.egress![0].to = newPeers; + // If the policy required a change, apply the new policy + if (updateRequired) { if (netPol.metadata) { // Remove managed fields to prevent errors on server side apply netPol.metadata.managedFields = undefined; diff --git a/src/pepr/operator/index.ts b/src/pepr/operator/index.ts index e4ca3d9ff..1e8882cb1 100644 --- a/src/pepr/operator/index.ts +++ b/src/pepr/operator/index.ts @@ -31,7 +31,9 @@ const log = setupLogger(Component.OPERATOR); // Pre-populate the API server CIDR since we are not persisting the EndpointSlice // Note ignore any errors since the watch will still be running hereafter -void initAPIServerCIDR(); +if (process.env.PEPR_WATCH_MODE === "true" || process.env.PEPR_MODE === "dev") { + void initAPIServerCIDR(); +} // Watch for changes to the API server EndpointSlice and update the API server CIDR // Skip if a CIDR is defined in the UDS Config 
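Review bot: Nothing in this loop rejects an empty `newPeers`, and in a NetworkPolicy an empty `to` or `from` list matches every destination or source. Writing `netPol.spec.egress[0].to = newPeers` (or the `from` equivalent) with `[]` would therefore turn a KubeAPI-scoped rule into an allow-all rule. The function starts outside the hunk, so a guard may already exist there or in the caller; if not, an early `if (newPeers.length === 0) { log.warn("No KubeAPI peers resolved, leaving policies unchanged"); return; }` before the `Get()` keeps the previous peers in place. Separately, the warn message uses `netPol.metadata!.namespace` while the code further down guards `if (netPol.metadata)`; `netPol.metadata?.namespace` would be consistent with that.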
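Review bot: The condition added around `void initAPIServerCIDR();` is not explained, and the comment kept above it ("ignore any errors since the watch will still be running") now describes error handling that lives in initAPIServerCIDR's own catch block. A comment on the gate would help, for example `// Only pre-populate in the watcher or in dev mode; other Pepr processes skip the lookup`, with the wording confirmed by the author since the reason is inferred from the variable names. The check is an exact match on the string `"true"`, so any other spelling of PEPR_WATCH_MODE skips the pre-population without a log line.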
diff --git a/tasks.yaml b/tasks.yaml index 5e9b388eb..ce2a6986c 100644 --- a/tasks.yaml +++ b/tasks.yaml @@ -40,7 +40,7 @@ tasks: echo "Next steps:" echo " - To test & develop the Pepr module, run 'npx pepr dev' from a Javascript debug terminal" echo " - Otherwise run 'npx pepr deploy' to deploy the Pepr module to the cluster" - echo " - Additional source packages can be deployed with 'zarf dev deploy src/'" + echo " - Additional source packages can be deployed with 'zarf dev deploy src/ --flavor upstream'" - name: slim-dev actions: From bd8ee0e8312e73961b06ad76ebc86ef471f8790d Mon Sep 17 00:00:00 2001 
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 10 Dec 2024 22:02:51 -0700 Subject: [PATCH 19/21] chore(deps): update velero kubectl to v1.31.4 (#1108) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This PR contains the following updates: | Package | Update | Change | |---|---|---| | [cgr.dev/du-uds-defenseunicorns/kubectl-fips](https://images.chainguard.dev/directory/image/kubectl-fips/overview) ([source](https://redirect.github.com/chainguard-images/images-private/tree/HEAD/images/kubectl-fips)) | patch | `1.31.3-dev` -> `1.31.4-dev` | | [docker.io/bitnami/kubectl](https://redirect.github.com/bitnami/containers) ([source](https://redirect.github.com/bitnami/containers/tree/HEAD/bitnami/kubectl)) | patch | `1.31.3` -> `1.31.4` | --- ### Configuration πŸ“… **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. β™» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. πŸ”• **Ignore**: Close this PR and you won't be reminded about these updates again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/defenseunicorns/uds-core). Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- src/velero/values/unicorn-values.yaml | 2 +- src/velero/values/upstream-values.yaml | 2 +- src/velero/zarf.yaml | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/src/velero/values/unicorn-values.yaml b/src/velero/values/unicorn-values.yaml index 0e84c262f..36ca2ace3 100644 --- a/src/velero/values/unicorn-values.yaml +++ b/src/velero/values/unicorn-values.yaml 
@@ -8,7 +8,7 @@ image: kubectl: image: repository: cgr.dev/du-uds-defenseunicorns/kubectl-fips - tag: 1.31.3-dev + tag: 1.31.4-dev initContainers: - name: velero-plugin-for-aws diff --git a/src/velero/values/upstream-values.yaml b/src/velero/values/upstream-values.yaml index 617d7f94f..9626b161f 100644 --- a/src/velero/values/upstream-values.yaml +++ b/src/velero/values/upstream-values.yaml @@ -8,7 +8,7 @@ image: kubectl: image: repository: docker.io/bitnami/kubectl - tag: 1.31.3 + tag: 1.31.4 initContainers: - name: velero-plugin-for-aws diff --git a/src/velero/zarf.yaml b/src/velero/zarf.yaml index 661ea46d4..0366a6a03 100644 --- a/src/velero/zarf.yaml +++ b/src/velero/zarf.yaml @@ -21,7 +21,7 @@ components: images: - velero/velero:v1.15.0 - velero/velero-plugin-for-aws:v1.11.0 - - docker.io/bitnami/kubectl:1.31.3 + - docker.io/bitnami/kubectl:1.31.4 - velero/velero-plugin-for-microsoft-azure:v1.11.0 - name: velero @@ -53,5 +53,5 @@ components: images: - cgr.dev/du-uds-defenseunicorns/velero-fips:1.15.0-dev - cgr.dev/du-uds-defenseunicorns/velero-plugin-for-aws-fips:1.11.0 - - cgr.dev/du-uds-defenseunicorns/kubectl-fips:1.31.3-dev + - cgr.dev/du-uds-defenseunicorns/kubectl-fips:1.31.4-dev - velero/velero-plugin-for-microsoft-azure:v1.11.0 From 3ebae7bc1bc3e9c24cef2d239afc1d5f4261165c Mon Sep 17 00:00:00 2001 
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Wed, 11 Dec 2024 09:25:02 -0700 Subject: [PATCH 20/21] chore(deps): update pepr (#1095) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | Type | Update | |---|---|---|---|---|---|---|---| | [lint-staged](https://redirect.github.com/lint-staged/lint-staged) | [`15.2.10` -> `15.2.11`](https://renovatebot.com/diffs/npm/lint-staged/15.2.10/15.2.11) | [![age](https://developer.mend.io/api/mc/badges/age/npm/lint-staged/15.2.11?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/lint-staged/15.2.11?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/lint-staged/15.2.10/15.2.11?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/lint-staged/15.2.10/15.2.11?slim=true)](https://docs.renovatebot.com/merge-confidence/) | devDependencies | patch | | [pepr](https://redirect.github.com/defenseunicorns/pepr) | [`0.40.1` -> `0.42.0`](https://renovatebot.com/diffs/npm/pepr/0.40.1/0.42.0) | [![age](https://developer.mend.io/api/mc/badges/age/npm/pepr/0.42.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/pepr/0.42.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/pepr/0.40.1/0.42.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/pepr/0.40.1/0.42.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | dependencies | minor | | 
[registry1.dso.mil/ironbank/opensource/defenseunicorns/pepr/controller](https://redirect.github.com/defenseunicorns/pepr) ([source](https://repo1.dso.mil/dsop/opensource/defenseunicorns/pepr/controller)) | `v0.40.1` -> `v0.42.0` | [![age](https://developer.mend.io/api/mc/badges/age/docker/registry1.dso.mil%2fironbank%2fopensource%2fdefenseunicorns%2fpepr%2fcontroller/v0.42.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/docker/registry1.dso.mil%2fironbank%2fopensource%2fdefenseunicorns%2fpepr%2fcontroller/v0.42.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/docker/registry1.dso.mil%2fironbank%2fopensource%2fdefenseunicorns%2fpepr%2fcontroller/v0.40.1/v0.42.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/docker/registry1.dso.mil%2fironbank%2fopensource%2fdefenseunicorns%2fpepr%2fcontroller/v0.40.1/v0.42.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | | minor | --- ### Release Notes
lint-staged/lint-staged (lint-staged) ### [`v15.2.11`](https://redirect.github.com/lint-staged/lint-staged/blob/HEAD/CHANGELOG.md#15211) [Compare Source](https://redirect.github.com/lint-staged/lint-staged/compare/v15.2.10...v15.2.11) ##### Patch Changes - [#​1484](https://redirect.github.com/lint-staged/lint-staged/pull/1484) [`bcfe309`](https://redirect.github.com/lint-staged/lint-staged/commit/bcfe309fca88aedf42b6a321383de49eb361c5a0) Thanks [@​wormsik](https://redirect.github.com/wormsik)! - Escape paths containing spaces when using the "shell" option. - [#​1487](https://redirect.github.com/lint-staged/lint-staged/pull/1487) [`7dd8caa`](https://redirect.github.com/lint-staged/lint-staged/commit/7dd8caa8f80fe1a6ce40939c1224b6774000775a) Thanks [@​iiroj](https://redirect.github.com/iiroj)! - Do not treat submodule root paths as "staged files". This caused *lint-staged* to fail to a Git error when only updating the revision of a submodule.
defenseunicorns/pepr (pepr) ### [`v0.42.0`](https://redirect.github.com/defenseunicorns/pepr/releases/tag/v0.42.0) [Compare Source](https://redirect.github.com/defenseunicorns/pepr/compare/v0.40.1...v0.42.0) #### Note 🧾 This sprint, the Pepr team focused on enhancing our typing system to improve consistency and address edge cases where types were less robust. We also made significant improvements to our network posture through the KFC, which may impact end users who are strongly typing fetch configurations. These changes extend to all interactions with the Kubernetes API server through CRUD operations that Pepr uses to communicate with the kube-apiserver. While this release has been thoroughly tested and soak, we recommend proceeding with caution, as progress sometimes introduces unforeseen challenges. Check the slack announcement to see metrics related to this release. *oversight, accidentally released 0.42.0 and skipped 0.41.0 - next releases will be pair programmed to avoid this.* #### Breaking Changes ⚠️ Pepr's fetch is powered by Undici. If you are using a specific `RequestInit` options on the fetch, you need to migrate to Undici's [RequestInit](https://redirect.github.com/nodejs/undici/blob/cac18e12a794800c6405ed633006cff44ca6f664/types/fetch.d.ts#L121) (It is very similar). 
*This probably won't affect you if you are not strongly typing your `RequestInit` [example in journey/pepr-dev.ts](https://redirect.github.com/defenseunicorns/pepr/pull/1496/files).* Here is an example: ```ts let { fetch } = require("pepr"); const { Agent } = require("undici"); const postOpts = { method: "POST", body: JSON.stringify({ query: "query { joke {id joke permalink } }", }), headers: { "Content-Type": "application/json; charset=UTF-8", }, dispatcher: new Agent({ connect: { rejectUnauthorized: false, }, }), }; (async () => { let { data, ok } = await fetch( "https://icanhazdadjoke.com/graphql", postOpts, ); if (ok) { console.log(data.data.joke.joke); } else { console.log("Failed to fetch joke"); } })(); ``` This strengthens Pepr's ability to communicate with the Kubernetes Control Plane and reduces transmit bandwidth. #### Feat ⛰️ - feat: set prometheus cont type for Prometheus 3.0 by [@​btlghrants](https://redirect.github.com/btlghrants) in [https://github.com/defenseunicorns/pepr/pull/1501](https://redirect.github.com/defenseunicorns/pepr/pull/1501) #### What's Changed ♻️ - chore: use consistent enum property names between related enums by [@​samayer12](https://redirect.github.com/samayer12) in [https://github.com/defenseunicorns/pepr/pull/1451](https://redirect.github.com/defenseunicorns/pepr/pull/1451) - chore: adr for undici and status corrections by [@​cmwylie19](https://redirect.github.com/cmwylie19) in [https://github.com/defenseunicorns/pepr/pull/1461](https://redirect.github.com/defenseunicorns/pepr/pull/1461) - chore: merge queues by [@​cmwylie19](https://redirect.github.com/cmwylie19) in [https://github.com/defenseunicorns/pepr/pull/1469](https://redirect.github.com/defenseunicorns/pepr/pull/1469) - test: overlay requests/second onto load test graph by [@​btlghrants](https://redirect.github.com/btlghrants) in [https://github.com/defenseunicorns/pepr/pull/1470](https://redirect.github.com/defenseunicorns/pepr/pull/1470) - chore: fix merge group by 
[@​cmwylie19](https://redirect.github.com/cmwylie19) in [https://github.com/defenseunicorns/pepr/pull/1471](https://redirect.github.com/defenseunicorns/pepr/pull/1471) - chore: extract deployment check functions to new file for ease of maintenance by [@​samayer12](https://redirect.github.com/samayer12) in [https://github.com/defenseunicorns/pepr/pull/1472](https://redirect.github.com/defenseunicorns/pepr/pull/1472) - test: make load test err msg explicit by [@​btlghrants](https://redirect.github.com/btlghrants) in [https://github.com/defenseunicorns/pepr/pull/1478](https://redirect.github.com/defenseunicorns/pepr/pull/1478) - chore: move filesystem operations to new file by [@​samayer12](https://redirect.github.com/samayer12) in [https://github.com/defenseunicorns/pepr/pull/1482](https://redirect.github.com/defenseunicorns/pepr/pull/1482) - chore: 24 roadmap update by [@​cmwylie19](https://redirect.github.com/cmwylie19) in [https://github.com/defenseunicorns/pepr/pull/1479](https://redirect.github.com/defenseunicorns/pepr/pull/1479) - chore: update contributor docs by [@​soltysh](https://redirect.github.com/soltysh) in [https://github.com/defenseunicorns/pepr/pull/1491](https://redirect.github.com/defenseunicorns/pepr/pull/1491) - refactor: resolve eslint warnings (max-statements, complexity) - `src/lib/controller/index.ts` by [@​btlghrants](https://redirect.github.com/btlghrants) in [https://github.com/defenseunicorns/pepr/pull/1486](https://redirect.github.com/defenseunicorns/pepr/pull/1486) - chore: types in metrics by [@​cmwylie19](https://redirect.github.com/cmwylie19) in [https://github.com/defenseunicorns/pepr/pull/1492](https://redirect.github.com/defenseunicorns/pepr/pull/1492) - chore: fix all actions links by [@​soltysh](https://redirect.github.com/soltysh) in [https://github.com/defenseunicorns/pepr/pull/1499](https://redirect.github.com/defenseunicorns/pepr/pull/1499) - chore: updates for undici fetch by 
[@​cmwylie19](https://redirect.github.com/cmwylie19) in [https://github.com/defenseunicorns/pepr/pull/1496](https://redirect.github.com/defenseunicorns/pepr/pull/1496) - chore: storage return types by [@​cmwylie19](https://redirect.github.com/cmwylie19) in [https://github.com/defenseunicorns/pepr/pull/1507](https://redirect.github.com/defenseunicorns/pepr/pull/1507) - chore: update subscribers every second by [@​cmwylie19](https://redirect.github.com/cmwylie19) in [https://github.com/defenseunicorns/pepr/pull/1502](https://redirect.github.com/defenseunicorns/pepr/pull/1502) - chore: return types on schedule by [@​cmwylie19](https://redirect.github.com/cmwylie19) in [https://github.com/defenseunicorns/pepr/pull/1505](https://redirect.github.com/defenseunicorns/pepr/pull/1505) - refactor: resolve eslint warnings (max-statements, complexity) - `src/lib/assets/index.ts` by [@​btlghrants](https://redirect.github.com/btlghrants) in [https://github.com/defenseunicorns/pepr/pull/1497](https://redirect.github.com/defenseunicorns/pepr/pull/1497) - chore(ts): add typing to adjudicators used in validation and mutation processing by [@​samayer12](https://redirect.github.com/samayer12) in [https://github.com/defenseunicorns/pepr/pull/1402](https://redirect.github.com/defenseunicorns/pepr/pull/1402) - chore: return types on sdk by [@​cmwylie19](https://redirect.github.com/cmwylie19) in [https://github.com/defenseunicorns/pepr/pull/1512](https://redirect.github.com/defenseunicorns/pepr/pull/1512) - chore: store adjudicator code in adjudicators/ by [@​samayer12](https://redirect.github.com/samayer12) in [https://github.com/defenseunicorns/pepr/pull/1517](https://redirect.github.com/defenseunicorns/pepr/pull/1517) - chore: reduce verbosity of logs by eliminating for metric and health by [@​cmwylie19](https://redirect.github.com/cmwylie19) in [https://github.com/defenseunicorns/pepr/pull/1519](https://redirect.github.com/defenseunicorns/pepr/pull/1519) - test: validate `pepr build` 
generates a `helm install`-able chart by [@​btlghrants](https://redirect.github.com/btlghrants) in [https://github.com/defenseunicorns/pepr/pull/1520](https://redirect.github.com/defenseunicorns/pepr/pull/1520) - chore: move `lib/` code related to data collection to `lib/telemetry` by [@​samayer12](https://redirect.github.com/samayer12) in [https://github.com/defenseunicorns/pepr/pull/1522](https://redirect.github.com/defenseunicorns/pepr/pull/1522) - chore: bump codecov/codecov-action from 5.0.7 to 5.1.1 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/defenseunicorns/pepr/pull/1523](https://redirect.github.com/defenseunicorns/pepr/pull/1523) - chore: bump trufflesecurity/trufflehog from 3.84.2 to 3.85.0 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/defenseunicorns/pepr/pull/1524](https://redirect.github.com/defenseunicorns/pepr/pull/1524) - chore: bump express from 4.21.1 to 4.21.2 in the production-dependencies group by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/defenseunicorns/pepr/pull/1525](https://redirect.github.com/defenseunicorns/pepr/pull/1525) - chore: bump actions/dependency-review-action from 4.4.0 to 4.5.0 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/defenseunicorns/pepr/pull/1464](https://redirect.github.com/defenseunicorns/pepr/pull/1464) - chore: bump github/codeql-action from 3.27.4 to 3.27.5 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/defenseunicorns/pepr/pull/1463](https://redirect.github.com/defenseunicorns/pepr/pull/1463) - chore: bump codecov/codecov-action from 5.0.3 to 5.0.6 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/defenseunicorns/pepr/pull/1462](https://redirect.github.com/defenseunicorns/pepr/pull/1462) - chore: bump anchore/scan-action from 5.2.1 to 5.3.0 by [@​dependabot](https://redirect.github.com/dependabot) in 
[https://github.com/defenseunicorns/pepr/pull/1476](https://redirect.github.com/defenseunicorns/pepr/pull/1476) - chore: bump anchore/sbom-action from 0.17.7 to 0.17.8 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/defenseunicorns/pepr/pull/1475](https://redirect.github.com/defenseunicorns/pepr/pull/1475) - chore: bump codecov/codecov-action from 5.0.6 to 5.0.7 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/defenseunicorns/pepr/pull/1474](https://redirect.github.com/defenseunicorns/pepr/pull/1474) - chore: bump trufflesecurity/trufflehog from 3.83.7 to 3.84.0 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/defenseunicorns/pepr/pull/1473](https://redirect.github.com/defenseunicorns/pepr/pull/1473) - chore: bump trufflesecurity/trufflehog from 3.84.0 to 3.84.1 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/defenseunicorns/pepr/pull/1487](https://redirect.github.com/defenseunicorns/pepr/pull/1487) - chore: bump [@​types/node](https://redirect.github.com/types/node) from 22.9.1 to 22.9.4 in the development-dependencies group by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/defenseunicorns/pepr/pull/1488](https://redirect.github.com/defenseunicorns/pepr/pull/1488) - chore: bump [@​types/node](https://redirect.github.com/types/node) from 22.9.4 to 22.10.0 in the development-dependencies group by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/defenseunicorns/pepr/pull/1489](https://redirect.github.com/defenseunicorns/pepr/pull/1489) - chore: bump [@​types/node](https://redirect.github.com/types/node) from 22.10.0 to 22.10.1 in the development-dependencies group by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/defenseunicorns/pepr/pull/1490](https://redirect.github.com/defenseunicorns/pepr/pull/1490) - chore: bump trufflesecurity/trufflehog from 
3.84.1 to 3.84.2 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/defenseunicorns/pepr/pull/1504](https://redirect.github.com/defenseunicorns/pepr/pull/1504) - chore: bump github/codeql-action from 3.27.5 to 3.27.6 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/defenseunicorns/pepr/pull/1503](https://redirect.github.com/defenseunicorns/pepr/pull/1503) - chore: bump kubernetes-fluent-client from 3.3.6 to 3.3.7 in the production-dependencies group by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/defenseunicorns/pepr/pull/1508](https://redirect.github.com/defenseunicorns/pepr/pull/1508) **Full Changelog**: https://github.com/defenseunicorns/pepr/compare/v0.40.1...v0.42.0
--- ### Configuration πŸ“… **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. β™» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. πŸ‘» **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/defenseunicorns/uds-core). --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Micah Nagel --- package-lock.json | 104 +++++++++++------- package.json | 4 +- .../controllers/keycloak/client-sync.ts | 4 +- tasks/create.yaml | 2 +- 4 files changed, 67 insertions(+), 47 deletions(-) diff --git a/package-lock.json b/package-lock.json index c8f28d55f..ae6b3ebe4 100644 --- a/package-lock.json +++ b/package-lock.json @@ -8,13 +8,13 @@ "name": "uds-core", "version": "0.5.0", "dependencies": { - "pepr": "0.40.1" + "pepr": "0.42.0" }, "devDependencies": { "@jest/globals": "29.7.0", "husky": "9.1.7", "jest": "29.7.0", - "lint-staged": "15.2.10", + "lint-staged": "15.2.11", "ts-jest": "29.2.5" }, "engines": { @@ -2814,9 +2814,10 @@ } }, "node_modules/debug": { - "version": "4.3.7", - "resolved": "https://registry.npmjs.org/debug/-/debug-4.3.7.tgz", - "integrity": "sha512-Er2nc/H7RrMXZBFCEim6TCmMk02Z8vLC2Rbi1KEBggpo0fS6l0S1nnapwmIi3yW/+GOJap1Krg4w0Hg80oCqgQ==", + "version": "4.4.0", + "resolved": "https://registry.npmjs.org/debug/-/debug-4.4.0.tgz", + "integrity": "sha512-6WTZ/IxCY/T6BALoZHaE4ctp9xm+Z5kY/pzYaCHRFeyVhojxlrm+46y68HA6hr0TcwEssoxNiDEUJQjfPZ/RYA==", + "license": "MIT", "dependencies": { "ms": "^2.1.3" }, 
@@ -3398,9 +3399,9 @@ } }, "node_modules/express": { - "version": "4.21.1", - "resolved": "https://registry.npmjs.org/express/-/express-4.21.1.tgz", - "integrity": "sha512-YSFlK1Ee0/GC8QaO91tHcDxJiE/X4FbpAyQWkxAvG6AXCuR65YzK8ua6D9hvi/TzUfZMpc+BwuM1IPw8fmQBiQ==", + "version": "4.21.2", + "resolved": "https://registry.npmjs.org/express/-/express-4.21.2.tgz", + "integrity": "sha512-28HqgMZAmih1Czt9ny7qr6ek2qddF4FclbMzwhCREB6OFfH+rXAnuNCwo1/wFvrtbgsQDb4kSbX9de9lFbrXnA==", "license": "MIT", "dependencies": { "accepts": "~1.3.8", @@ -3422,7 +3423,7 @@ "methods": "~1.1.2", "on-finished": "2.4.1", "parseurl": "~1.3.3", - "path-to-regexp": "0.1.10", + "path-to-regexp": "0.1.12", "proxy-addr": "~2.0.7", "qs": "6.13.0", "range-parser": "~1.2.1", @@ -3437,6 +3438,10 @@ }, "engines": { "node": ">= 0.10.0" + }, + "funding": { + "type": "opencollective", + "url": "https://opencollective.com/express" } }, "node_modules/express/node_modules/debug": { @@ -5140,9 +5145,9 @@ } }, "node_modules/kubernetes-fluent-client": { - "version": "3.3.4", - "resolved": "https://registry.npmjs.org/kubernetes-fluent-client/-/kubernetes-fluent-client-3.3.4.tgz", - "integrity": "sha512-PQc6ZfdkTXVIoIXxN9Gkh8lpyDfw0CjecYrLzR5atinhnaWXD9FKZaay87XsKR2tdyryEVJHv1MsQtgCXaxMtA==", + "version": "3.3.7", + "resolved": "https://registry.npmjs.org/kubernetes-fluent-client/-/kubernetes-fluent-client-3.3.7.tgz", + "integrity": "sha512-KBgt2tQ76CfrDd8aig1xrCIcazztARdTYsqHH1//DctbUEB++2yz+KYR9CYBisSySDS625e86MVfxIB63R77hw==", "license": "Apache-2.0", "dependencies": { "@kubernetes/client-node": "1.0.0-rc7", @@ -5150,8 +5155,8 @@ "http-status-codes": "2.3.0", "node-fetch": "2.7.0", "quicktype-core": "23.0.170", - "type-fest": "4.27.0", - "undici": "6.21.0", + "type-fest": "4.30.0", + "undici": "7.1.0", "yargs": "17.7.2" }, "bin": { 
@@ -5162,9 +5167,9 @@ } }, "node_modules/kubernetes-fluent-client/node_modules/type-fest": { - "version": "4.27.0", - "resolved": "https://registry.npmjs.org/type-fest/-/type-fest-4.27.0.tgz", - "integrity": "sha512-3IMSWgP7C5KSQqmo1wjhKrwsvXAtF33jO3QY+Uy++ia7hqvgSK6iXbbg5PbDBc1P2ZbNEDgejOrN4YooXvhwCw==", + "version": "4.30.0", + "resolved": "https://registry.npmjs.org/type-fest/-/type-fest-4.30.0.tgz", + "integrity": "sha512-G6zXWS1dLj6eagy6sVhOMQiLtJdxQBHIA9Z6HFUNLOlr6MFOgzV8wvmidtPONfPtEUv0uZsy77XJNzTAfwPDaA==", "license": "(MIT OR CC0-1.0)", "engines": { "node": ">=16" @@ -5196,10 +5201,11 @@ } }, "node_modules/lilconfig": { - "version": "3.1.2", - "resolved": "https://registry.npmjs.org/lilconfig/-/lilconfig-3.1.2.tgz", - "integrity": "sha512-eop+wDAvpItUys0FWkHIKeC9ybYrTGbU41U5K7+bttZZeohvnY7M9dZ5kB21GNWiFT2q1OoPTvncPCgSOVO5ow==", + "version": "3.1.3", + "resolved": "https://registry.npmjs.org/lilconfig/-/lilconfig-3.1.3.tgz", + "integrity": "sha512-/vlFKAoH5Cgt3Ie+JLhRbwOsCQePABiU3tJ1egGvyQ+33R/vcwM2Zl2QR/LzjsBeItPt3oSVXapn+m4nQDvpzw==", "dev": true, + "license": "MIT", "engines": { "node": ">=14" }, 
@@ -5214,21 +5220,22 @@ "dev": true }, "node_modules/lint-staged": { - "version": "15.2.10", - "resolved": "https://registry.npmjs.org/lint-staged/-/lint-staged-15.2.10.tgz", - "integrity": "sha512-5dY5t743e1byO19P9I4b3x8HJwalIznL5E1FWYnU6OWw33KxNBSLAc6Cy7F2PsFEO8FKnLwjwm5hx7aMF0jzZg==", + "version": "15.2.11", + "resolved": "https://registry.npmjs.org/lint-staged/-/lint-staged-15.2.11.tgz", + "integrity": "sha512-Ev6ivCTYRTGs9ychvpVw35m/bcNDuBN+mnTeObCL5h+boS5WzBEC6LHI4I9F/++sZm1m+J2LEiy0gxL/R9TBqQ==", "dev": true, + "license": "MIT", "dependencies": { "chalk": "~5.3.0", "commander": "~12.1.0", - "debug": "~4.3.6", + "debug": "~4.4.0", "execa": "~8.0.1", - "lilconfig": "~3.1.2", - "listr2": "~8.2.4", + "lilconfig": "~3.1.3", + "listr2": "~8.2.5", "micromatch": "~4.0.8", "pidtree": "~0.6.0", "string-argv": "~0.3.2", - "yaml": "~2.5.0" + "yaml": "~2.6.1" }, "bin": { "lint-staged": "bin/lint-staged.js" @@ -5245,6 +5252,7 @@ "resolved": "https://registry.npmjs.org/chalk/-/chalk-5.3.0.tgz", "integrity": "sha512-dLitG79d+GV1Nb/VYcCDFivJeK1hiukt9QjRNVOsUtTy1rR1YJsmpGGTZ3qJos+uw7WmWF4wUwBd9jxjocFC2w==", "dev": true, + "license": "MIT", "engines": { "node": "^12.17.0 || ^14.13 || >=16.0.0" }, @@ -5257,6 +5265,7 @@ "resolved": "https://registry.npmjs.org/execa/-/execa-8.0.1.tgz", "integrity": "sha512-VyhnebXciFV2DESc+p6B+y0LjSm0krU4OgJN44qFAhBY0TJ+1V61tYD2+wHusZ6F9n5K+vl8k0sTy7PEfV4qpg==", "dev": true, + "license": "MIT", "dependencies": { "cross-spawn": "^7.0.3", "get-stream": "^8.0.1", @@ -5280,6 +5289,7 @@ "resolved": "https://registry.npmjs.org/get-stream/-/get-stream-8.0.1.tgz", "integrity": "sha512-VaUJspBffn/LMCJVoMvSAdmscJyS1auj5Zulnn5UoYcY531UWmdwhRWkcGKnGU93m5HSXP9LP2usOryrBtQowA==", "dev": true, + "license": "MIT", "engines": { "node": ">=16" }, 
@@ -5292,6 +5302,7 @@ "resolved": "https://registry.npmjs.org/human-signals/-/human-signals-5.0.0.tgz", "integrity": "sha512-AXcZb6vzzrFAUE61HnN4mpLqd/cSIwNQjtNWR0euPm6y0iqx3G4gOXaIDdtdDwZmhwe82LA6+zinmW4UBWVePQ==", "dev": true, + "license": "Apache-2.0", "engines": { "node": ">=16.17.0" } @@ -5301,6 +5312,7 @@ "resolved": "https://registry.npmjs.org/is-stream/-/is-stream-3.0.0.tgz", "integrity": "sha512-LnQR4bZ9IADDRSkvpqMGvt/tEJWclzklNgSw48V5EAaAeDd6qGvN8ei6k5p0tvxSR171VmGyHuTiAOfxAbr8kA==", "dev": true, + "license": "MIT", "engines": { "node": "^12.20.0 || ^14.13.1 || >=16.0.0" }, @@ -5313,6 +5325,7 @@ "resolved": "https://registry.npmjs.org/mimic-fn/-/mimic-fn-4.0.0.tgz", "integrity": "sha512-vqiC06CuhBTUdZH+RYl8sFrL096vA45Ok5ISO6sE/Mr1jRbGH4Csnhi8f3wKVl7x8mO4Au7Ir9D3Oyv1VYMFJw==", "dev": true, + "license": "MIT", "engines": { "node": ">=12" }, @@ -5325,6 +5338,7 @@ "resolved": "https://registry.npmjs.org/npm-run-path/-/npm-run-path-5.3.0.tgz", "integrity": "sha512-ppwTtiJZq0O/ai0z7yfudtBpWIoxM8yE6nHi1X47eFR2EWORqfbu6CnPlNsjeN683eT0qG6H/Pyf9fCcvjnnnQ==", "dev": true, + "license": "MIT", "dependencies": { "path-key": "^4.0.0" }, @@ -5340,6 +5354,7 @@ "resolved": "https://registry.npmjs.org/onetime/-/onetime-6.0.0.tgz", "integrity": "sha512-1FlR+gjXK7X+AsAHso35MnyN5KqGwJRi/31ft6x0M194ht7S+rWAvd7PHss9xSKMzE0asv1pyIHaJYq+BbacAQ==", "dev": true, + "license": "MIT", "dependencies": { "mimic-fn": "^4.0.0" }, @@ -5355,6 +5370,7 @@ "resolved": "https://registry.npmjs.org/path-key/-/path-key-4.0.0.tgz", "integrity": "sha512-haREypq7xkM7ErfgIyA0z+Bj4AGKlMSdlQE2jvJo6huWD1EdkKYV+G/T4nq0YEF2vgTT8kqMFKo1uHn950r4SQ==", "dev": true, + "license": "MIT", "engines": { "node": ">=12" }, @@ -5367,6 +5383,7 @@ "resolved": "https://registry.npmjs.org/signal-exit/-/signal-exit-4.1.0.tgz", "integrity": "sha512-bzyZ1e88w9O1iNJbKnOlvYTrWPDl46O1bG0D3XInv+9tkPrxrN8jUUTiFlDkkmKWgn1M6CfIA13SuGqOa9Korw==", "dev": true, + "license": "ISC", "engines": { "node": ">=14" }, 
@@ -5379,6 +5396,7 @@ "resolved": "https://registry.npmjs.org/strip-final-newline/-/strip-final-newline-3.0.0.tgz", "integrity": "sha512-dOESqjYr96iWYylGObzd39EuNTa5VJxyvVAEm5Jnh7KGo75V43Hk1odPQkNDyXNmUR6k+gEiDVXnjB8HJ3crXw==", "dev": true, + "license": "MIT", "engines": { "node": ">=12" }, @@ -6321,9 +6339,10 @@ } }, "node_modules/path-to-regexp": { - "version": "0.1.10", - "resolved": "https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-0.1.10.tgz", - "integrity": "sha512-7lf7qcQidTku0Gu3YDPc8DJ1q7OOucfa/BSsIwjuh56VU7katFvuM8hULfkwB3Fns/rsVF7PwPKVw1sl5KQS9w==" + "version": "0.1.12", + "resolved": "https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-0.1.12.tgz", + "integrity": "sha512-RA1GjUVMnvYFxuqovrEqZoxxW5NUZqbwKtYz/Tt7nXerk0LbLblQmrsgdeOxV5SFHf0UDggjS/bSeOZwt1pmEQ==", + "license": "MIT" }, "node_modules/path-type": { "version": "4.0.0", @@ -6335,18 +6354,18 @@ } }, "node_modules/pepr": { - "version": "0.40.1", - "resolved": "https://registry.npmjs.org/pepr/-/pepr-0.40.1.tgz", - "integrity": "sha512-Z+wXRYG64YUg3IhYGAOyrWdw5R8HD3/jtTYmVFtUN2x2isiB/X411DO6hd4TginxZvTnlfLyG6KBc8u6UScbbg==", + "version": "0.42.0", + "resolved": "https://registry.npmjs.org/pepr/-/pepr-0.42.0.tgz", + "integrity": "sha512-8SCXAmeTxQUM7Rzkcj46STHvUL7IzuuL9P+zZKP6v7nVYtFGVRnxx8Y7Eftt+N+I6ICjnHCzb190dHvtGm74bw==", "license": "Apache-2.0", "dependencies": { "@types/ramda": "0.30.2", - "express": "4.21.1", + "express": "4.21.2", "fast-json-patch": "3.1.1", "follow-redirects": "1.15.9", "http-status-codes": "^2.3.0", "json-pointer": "^0.6.2", - "kubernetes-fluent-client": "3.3.4", + "kubernetes-fluent-client": "3.3.7", "pino": "9.5.0", "pino-pretty": "13.0.0", "prom-client": "15.1.3", 
@@ -7860,12 +7879,12 @@ } }, "node_modules/undici": { - "version": "6.21.0", - "resolved": "https://registry.npmjs.org/undici/-/undici-6.21.0.tgz", - "integrity": "sha512-BUgJXc752Kou3oOIuU1i+yZZypyZRqNPW0vqoMPl8VaoalSfeR0D8/t4iAS3yirs79SSMTxTag+ZC86uswv+Cw==", + "version": "7.1.0", + "resolved": "https://registry.npmjs.org/undici/-/undici-7.1.0.tgz", + "integrity": "sha512-3+mdX2R31khuLCm2mKExSlMdJsfol7bJkIMH80tdXA74W34rT1jKemUTlYR7WY3TqsV4wfOgpatWmmB2Jl1+5g==", "license": "MIT", "engines": { - "node": ">=18.17" + "node": ">=20.18.1" } }, "node_modules/undici-types": { @@ -8233,9 +8252,10 @@ "dev": true }, "node_modules/yaml": { - "version": "2.5.1", - "resolved": "https://registry.npmjs.org/yaml/-/yaml-2.5.1.tgz", - "integrity": "sha512-bLQOjaX/ADgQ20isPJRvF0iRUHIxVhYvr53Of7wGcWlO2jvtUlH5m87DsmulFVxRpNLOnI4tB6p/oh8D7kpn9Q==", + "version": "2.6.1", + "resolved": "https://registry.npmjs.org/yaml/-/yaml-2.6.1.tgz", + "integrity": "sha512-7r0XPzioN/Q9kXBro/XPnA6kznR73DHq+GXh5ON7ZozRO6aMjbmiBuKste2wslTFkC5d1dw0GooOCepZXJ2SAg==", + "license": "ISC", "bin": { "yaml": "bin.mjs" }, diff --git a/package.json b/package.json index 91228a39e..5e6bc9470 100644 --- a/package.json +++ b/package.json @@ -29,13 +29,13 @@ "k3d-setup": "k3d cluster delete pepr-dev && k3d cluster create pepr-dev --k3s-arg '--debug@server:0'" }, "dependencies": { - "pepr": "0.40.1" + "pepr": "0.42.0" }, "devDependencies": { "@jest/globals": "29.7.0", "husky": "9.1.7", "jest": "29.7.0", - "lint-staged": "15.2.10", + "lint-staged": "15.2.11", "ts-jest": "29.2.5" }, "jest": { diff --git a/src/pepr/operator/controllers/keycloak/client-sync.ts b/src/pepr/operator/controllers/keycloak/client-sync.ts index f92dea26f..0a25eead6 100644 --- a/src/pepr/operator/controllers/keycloak/client-sync.ts +++ b/src/pepr/operator/controllers/keycloak/client-sync.ts 
@@ -8,7 +8,7 @@ import { fetch, K8s, kind } from "pepr"; import { Component, setupLogger } from "../../../logger"; import { Store } from "../../common"; import { Sso, UDSPackage } from "../../crd"; -import { getOwnerRef, purgeOrphans, sanitizeResourceName } from "../utils"; +import { getOwnerRef, purgeOrphans, retryWithDelay, sanitizeResourceName } from "../utils"; import { Client, clientKeys } from "./types"; let apiURL = @@ -173,7 +173,7 @@ async function syncClient( // Write the new token to the store try { - await Store.setItemAndWait(name, client.registrationAccessToken!); + await retryWithDelay(() => Store.setItemAndWait(name, client.registrationAccessToken!), log); } catch (err) { throw Error( `Failed to set token in store for client '${client.clientId}', package ` + diff --git a/tasks/create.yaml b/tasks/create.yaml index 4bf39be7f..2d7b10b33 100644 --- a/tasks/create.yaml +++ b/tasks/create.yaml @@ -11,7 +11,7 @@ variables: - name: REGISTRY1_PEPR_IMAGE # renovate: datasource=docker depName=registry1.dso.mil/ironbank/opensource/defenseunicorns/pepr/controller versioning=semver - default: registry1.dso.mil/ironbank/opensource/defenseunicorns/pepr/controller:v0.40.1 + default: registry1.dso.mil/ironbank/opensource/defenseunicorns/pepr/controller:v0.42.0 - name: LAYER From 8ecd5ffab3f077e41feff43e6467b9fa1866d9c8 Mon Sep 17 00:00:00 2001 
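Review bot: In the second client-sync.ts hunk, the new `retryWithDelay(() => Store.setItemAndWait(name, client.registrationAccessToken!), log)` still relies on the non-null assertion, so if the client object ever lacks a registration access token (the `!` suggests the type allows that), `undefined` is handed to the store and retried, which a retry cannot recover. A guard ahead of the `try`, for example `if (!client.registrationAccessToken) throw Error("registration access token missing");` (wording is only a suggestion), would keep the retry for transient store failures. `retryWithDelay` is imported from `../utils` and its body is not visible here, so it is worth confirming that whatever it writes to `log` is limited to the error and attempt count, since the value being stored is a Keycloak credential. `syncClient` starts and ends outside the hunk.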
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Wed, 11 Dec 2024 10:14:49 -0700 Subject: [PATCH 21/21] chore(deps): update istio to v1.24.1 (#962) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This PR contains the following updates: | Package | Update | Change | |---|---|---| | [base](https://redirect.github.com/istio/istio) | minor | `1.23.2` -> `1.24.1` | | [cgr.dev/du-uds-defenseunicorns/istio-pilot-fips](https://images.chainguard.dev/directory/image/istio-pilot-fips/overview) ([source](https://redirect.github.com/chainguard-images/images-private/tree/HEAD/images/istio-fips)) | minor | `1.23.2` -> `1.24.1` | | [cgr.dev/du-uds-defenseunicorns/istio-proxy-fips](https://images.chainguard.dev/directory/image/istio-proxy-fips/overview) ([source](https://redirect.github.com/chainguard-images/images-private/tree/HEAD/images/istio-fips)) | minor | `1.23.2` -> `1.24.1` | | docker.io/istio/pilot | minor | `1.23.2-distroless` -> `1.24.1-distroless` | | docker.io/istio/proxyv2 | minor | `1.23.2-distroless` -> `1.24.1-distroless` | | [gateway](https://redirect.github.com/istio/istio) | minor | `1.23.2` -> `1.24.1` | | [istiod](https://redirect.github.com/istio/istio) | minor | `1.23.2` -> `1.24.1` | | [registry1.dso.mil/ironbank/tetrate/istio/pilot](https://cloudsmith.io/~tetrate/repos/getistio-containers/packages/detail/docker/pilot) ([source](https://repo1.dso.mil/dsop/tetrate/istio/1.24/pilot)) | minor | `1.23.2-tetratefips-v0` -> `1.24.1-tetratefips-v0` | | [registry1.dso.mil/ironbank/tetrate/istio/proxyv2](https://cloudsmith.io/~tetrate/repos/getistio-containers/packages/detail/docker/proxyv2) ([source](https://repo1.dso.mil/dsop/tetrate/istio/1.24/proxyv2)) | minor | `1.23.2-tetratefips-v0` -> `1.24.1-tetratefips-v0` | --- ### Release Notes
istio/istio (base) ### [`v1.24.1`](https://redirect.github.com/istio/istio/releases/tag/1.24.1): Istio 1.24.1 [Compare Source](https://redirect.github.com/istio/istio/compare/1.24.0...1.24.1) [Artifacts](http://gcsweb.istio.io/gcs/istio-release/releases/1.24.1/) [Release Notes](https://istio.io/news/releases/1.24.x/announcing-1.24.1/) ### [`v1.24.0`](https://redirect.github.com/istio/istio/releases/tag/1.24.0): Istio 1.24.0 [Compare Source](https://redirect.github.com/istio/istio/compare/1.23.3...1.24.0) [Artifacts](http://gcsweb.istio.io/gcs/istio-release/releases/1.24.0/) [Release Notes](https://istio.io/news/releases/1.24.x/announcing-1.24/) ### [`v1.23.3`](https://redirect.github.com/istio/istio/releases/tag/1.23.3): Istio 1.23.3 [Compare Source](https://redirect.github.com/istio/istio/compare/1.23.2...1.23.3) [Artifacts](http://gcsweb.istio.io/gcs/istio-release/releases/1.23.3/) [Release Notes](https://istio.io/news/releases/1.23.x/announcing-1.23.3/)
--- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about these updates again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/defenseunicorns/uds-core). --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Micah Nagel --- src/istio/common/zarf.yaml | 15 +++++++-------- src/istio/values/registry1-values.yaml | 6 +++--- src/istio/values/unicorn-values.yaml | 6 +++--- src/istio/values/upstream-values.yaml | 6 +++--- src/istio/zarf.yaml | 18 +++++++++--------- 5 files changed, 25 insertions(+), 26 deletions(-) diff --git a/src/istio/common/zarf.yaml b/src/istio/common/zarf.yaml index 9de933358..9980e23db 100644 --- a/src/istio/common/zarf.yaml +++ b/src/istio/common/zarf.yaml @@ -13,11 +13,11 @@ components: charts: - name: base url: https://istio-release.storage.googleapis.com/charts - version: 1.23.2 + version: 1.24.1 namespace: istio-system - name: istiod url: https://istio-release.storage.googleapis.com/charts - version: 1.23.2 + version: 1.24.1 namespace: istio-system valuesFiles: - "../values/values.yaml"
@@ -28,14 +28,13 @@ components: actions: onDeploy: before: - - description: "Fix helm ownership if necessary for clean helm upgrade" + - description: "Add helm ownership if necessary for clean helm upgrade" mute: true cmd: | - ./zarf tools kubectl annotate EnvoyFilter misdirected-request -n istio-system meta.helm.sh/release-name=uds-global-istio-config --overwrite || true - ./zarf tools kubectl annotate EnvoyFilter remove-server-header -n istio-system meta.helm.sh/release-name=uds-global-istio-config --overwrite || true - ./zarf tools kubectl annotate PeerAuthentication default-istio-system -n istio-system meta.helm.sh/release-name=uds-global-istio-config --overwrite || true - ./zarf tools kubectl annotate PeerAuthentication permissive-pepr-webhook -n pepr-system meta.helm.sh/release-name=uds-global-istio-config --overwrite || true - ./zarf tools kubectl annotate PeerAuthentication permissive-pepr-webhook-watcher -n pepr-system meta.helm.sh/release-name=uds-global-istio-config --overwrite || true + # Commands pulled from https://istio.io/latest/news/releases/1.24.x/announcing-1.24/upgrade-notes/#istio-crds-are-templated-by-default-and-can-be-installed-and-upgraded-via-helm-install-istio-base + ./zarf tools kubectl label $(./zarf tools kubectl get crds -l chart=istio -o name && ./zarf tools kubectl get crds -l app.kubernetes.io/part-of=istio -o name) "app.kubernetes.io/managed-by=Helm" --overwrite || true + ./zarf tools kubectl annotate $(./zarf tools kubectl get crds -l chart=istio -o name && ./zarf tools kubectl get crds -l app.kubernetes.io/part-of=istio -o name) "meta.helm.sh/release-name=base" --overwrite || true + ./zarf tools kubectl annotate $(./zarf tools kubectl get crds -l chart=istio -o name && ./zarf tools kubectl get crds -l app.kubernetes.io/part-of=istio -o name) "meta.helm.sh/release-namespace=istio-system" --overwrite || true after: - description: "Ensure istio-injection is enabled for Pepr" mute: true 
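Review bot: Each of the three new `kubectl label` / `kubectl annotate` lines in the `before` action ends in `|| true` under `mute: true`, so a failed ownership fix-up during an upgrade is silent and would presumably surface only later as a Helm ownership conflict when the `base` chart tries to manage the CRDs. The CRD lookup is also repeated three times, and `--overwrite` re-assigns `meta.helm.sh/release-name` on every CRD matching either label selector, whichever release (if any) currently owns it. I would resolve the list once, skip the step when it is empty (fresh install), and let a real failure stop the deploy, as sketched below; both annotations fit in one `annotate` call. The enclosing `actions.onDeploy` block continues outside the hunk.

```yaml
cmd: |
  # … unchanged: link to the Istio 1.24 upgrade notes …
  set -e
  CRDS="$(./zarf tools kubectl get crds -l chart=istio -o name && ./zarf tools kubectl get crds -l app.kubernetes.io/part-of=istio -o name)"
  if [ -n "${CRDS}" ]; then
    # ${CRDS} is left unquoted on purpose: one argument per CRD name
    ./zarf tools kubectl label ${CRDS} "app.kubernetes.io/managed-by=Helm" --overwrite
    ./zarf tools kubectl annotate ${CRDS} "meta.helm.sh/release-name=base" "meta.helm.sh/release-namespace=istio-system" --overwrite
  fi
```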
diff --git a/src/istio/values/registry1-values.yaml b/src/istio/values/registry1-values.yaml index 17f229fea..62661f45c 100644 --- a/src/istio/values/registry1-values.yaml +++ b/src/istio/values/registry1-values.yaml @@ -2,11 +2,11 @@ # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial pilot: - image: registry1.dso.mil/ironbank/tetrate/istio/pilot:1.23.2-tetratefips-v0 + image: registry1.dso.mil/ironbank/tetrate/istio/pilot:1.24.1-tetratefips-v0 global: proxy_init: # renovate: image=registry1.dso.mil/ironbank/tetrate/istio/proxyv2 - image: "###ZARF_REGISTRY###/ironbank/tetrate/istio/proxyv2:1.23.2-tetratefips-v0" + image: "###ZARF_REGISTRY###/ironbank/tetrate/istio/proxyv2:1.24.1-tetratefips-v0" proxy: # renovate: image=registry1.dso.mil/ironbank/tetrate/istio/proxyv2 - image: "###ZARF_REGISTRY###/ironbank/tetrate/istio/proxyv2:1.23.2-tetratefips-v0" + image: "###ZARF_REGISTRY###/ironbank/tetrate/istio/proxyv2:1.24.1-tetratefips-v0" diff --git a/src/istio/values/unicorn-values.yaml b/src/istio/values/unicorn-values.yaml index 4d112b8c3..e382763ad 100644 --- a/src/istio/values/unicorn-values.yaml +++ b/src/istio/values/unicorn-values.yaml @@ -2,11 +2,11 @@ # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial pilot: - image: "cgr.dev/du-uds-defenseunicorns/istio-pilot-fips:1.23.2" + image: "cgr.dev/du-uds-defenseunicorns/istio-pilot-fips:1.24.1" global: proxy_init: # renovate: image=cgr.dev/du-uds-defenseunicorns/istio-proxy-fips - image: "###ZARF_REGISTRY###/du-uds-defenseunicorns/istio-proxy-fips:1.23.2" + image: "###ZARF_REGISTRY###/du-uds-defenseunicorns/istio-proxy-fips:1.24.1" proxy: # renovate: image=cgr.dev/du-uds-defenseunicorns/istio-proxy-fips - image: "###ZARF_REGISTRY###/du-uds-defenseunicorns/istio-proxy-fips:1.23.2" + image: "###ZARF_REGISTRY###/du-uds-defenseunicorns/istio-proxy-fips:1.24.1" 
diff --git a/src/istio/values/upstream-values.yaml b/src/istio/values/upstream-values.yaml index 800d39f62..ff0f5871b 100644 --- a/src/istio/values/upstream-values.yaml +++ b/src/istio/values/upstream-values.yaml @@ -2,11 +2,11 @@ # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial pilot: - image: "docker.io/istio/pilot:1.23.2-distroless" + image: "docker.io/istio/pilot:1.24.1-distroless" global: proxy_init: # renovate: image=docker.io/istio/proxyv2 - image: "###ZARF_REGISTRY###/istio/proxyv2:1.23.2-distroless" + image: "###ZARF_REGISTRY###/istio/proxyv2:1.24.1-distroless" proxy: # renovate: image=docker.io/istio/proxyv2 - image: "###ZARF_REGISTRY###/istio/proxyv2:1.23.2-distroless" + image: "###ZARF_REGISTRY###/istio/proxyv2:1.24.1-distroless" diff --git a/src/istio/zarf.yaml b/src/istio/zarf.yaml index 21bae304e..03b88b419 100644 --- a/src/istio/zarf.yaml +++ b/src/istio/zarf.yaml @@ -24,8 +24,8 @@ components: valuesFiles: - "values/upstream-values.yaml" images: - - "docker.io/istio/pilot:1.23.2-distroless" - - "docker.io/istio/proxyv2:1.23.2-distroless" + - "docker.io/istio/pilot:1.24.1-distroless" + - "docker.io/istio/proxyv2:1.24.1-distroless" - name: istio-controlplane required: true @@ -38,8 +38,8 @@ components: valuesFiles: - "values/registry1-values.yaml" images: - - registry1.dso.mil/ironbank/tetrate/istio/proxyv2:1.23.2-tetratefips-v0 - - registry1.dso.mil/ironbank/tetrate/istio/pilot:1.23.2-tetratefips-v0 + - registry1.dso.mil/ironbank/tetrate/istio/proxyv2:1.24.1-tetratefips-v0 + - registry1.dso.mil/ironbank/tetrate/istio/pilot:1.24.1-tetratefips-v0 - name: istio-controlplane required: true 
@@ -52,15 +52,15 @@ components: valuesFiles: - "values/unicorn-values.yaml" images: - - cgr.dev/du-uds-defenseunicorns/istio-pilot-fips:1.23.2 - - cgr.dev/du-uds-defenseunicorns/istio-proxy-fips:1.23.2 + - cgr.dev/du-uds-defenseunicorns/istio-pilot-fips:1.24.1 + - cgr.dev/du-uds-defenseunicorns/istio-proxy-fips:1.24.1 - name: istio-admin-gateway required: true charts: - name: gateway url: https://istio-release.storage.googleapis.com/charts - version: 1.23.2 + version: 1.24.1 releaseName: admin-ingressgateway namespace: istio-admin-gateway - name: uds-istio-config @@ -75,7 +75,7 @@ components: charts: - name: gateway url: https://istio-release.storage.googleapis.com/charts - version: 1.23.2 + version: 1.24.1 releaseName: tenant-ingressgateway namespace: istio-tenant-gateway - name: uds-istio-config @@ -90,7 +90,7 @@ components: charts: - name: gateway url: https://istio-release.storage.googleapis.com/charts - version: 1.23.2 + version: 1.24.1 releaseName: passthrough-ingressgateway namespace: istio-passthrough-gateway - name: uds-istio-config