Merge branch 'main' into configurable-admin

defenseunicorns · Dec 16, 2024 · 5b8951f · 5b8951f
2 parents 9633880 + 5b2e3a4
commit 5b8951f
Show file tree

Hide file tree

Showing 28 changed files with 118 additions and 57 deletions.
diff --git a/.github/bundles/aks/uds-bundle.yaml b/.github/bundles/aks/uds-bundle.yaml
@@ -12,7 +12,7 @@ metadata:
 packages:
   - name: init
     repository: ghcr.io/zarf-dev/packages/init
-    ref: v0.44.0
+    ref: v0.45.0
 
   - name: core
     path: ../../../build

diff --git a/.github/bundles/eks/uds-bundle.yaml b/.github/bundles/eks/uds-bundle.yaml
@@ -12,7 +12,7 @@ metadata:
 packages:
   - name: init
     repository: ghcr.io/zarf-dev/packages/init
-    ref: v0.44.0
+    ref: v0.45.0
 
   - name: core
     path: ../../../build

diff --git a/.github/bundles/rke2/uds-bundle.yaml b/.github/bundles/rke2/uds-bundle.yaml
@@ -16,7 +16,7 @@ packages:
 
   - name: init
     repository: ghcr.io/zarf-dev/packages/init
-    ref: v0.44.0
+    ref: v0.45.0
     overrides:
       zarf-registry:
         docker-registry:

diff --git a/.github/test-infra/aws/rke2/versions.tf b/.github/test-infra/aws/rke2/versions.tf
@@ -6,7 +6,7 @@ terraform {
   }
   required_providers {
     aws = {
-      version = "~> 5.80.0"
+      version = "~> 5.81.0"
     }
     random = {
       version = "~> 3.6.0"

diff --git a/.github/test-infra/azure/aks/variables.tf b/.github/test-infra/azure/aks/variables.tf
@@ -24,12 +24,12 @@ variable "dns_prefix" {
 }
 
 variable "sku_tier" {
-  description = "(Optional) The SKU Tier that should be used for this Kubernetes Cluster. Possible values are Free and Paid (which includes the Uptime SLA). Defaults to Free."
-  default     = "Free"
+  description = "(Optional) The SKU Tier that should be used for this Kubernetes Cluster. Possible values are Free and Standard (which includes the Uptime SLA), and Premium. Defaults to Free."
+  default     = "Standard"
   type        = string
 
   validation {
-    condition     = contains(["Free", "Paid"], var.sku_tier)
+    condition     = contains(["Free", "Standard", "Premium"], var.sku_tier)
     error_message = "The sku tier is invalid."
   }
 }

diff --git a/.github/workflows/scorecard.yaml b/.github/workflows/scorecard.yaml
@@ -47,6 +47,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: Upload to code-scanning
-        uses: github/codeql-action/upload-sarif@babb554ede22fd5605947329c4d04d8e7a0b8155 # v3.27.7
+        uses: github/codeql-action/upload-sarif@df409f7d9260372bd5f19e5b04e83cb3c43714ae # v3.27.9
         with:
           sarif_file: results.sarif
diff --git a/README.md b/README.md
@@ -33,6 +33,7 @@ UDS Core establishes a secure baseline for cloud-native systems and ships with c
 
 ### Prerequisites
 
+- A running container environment for K3D to interact with for dev & test environments
 - [K3D](https://k3d.io/) for dev & test environments or any [CNCF Certified Kubernetes Cluster](https://www.cncf.io/training/certification/software-conformance/#logos) for production environments.
 <!-- renovate: datasource=github-tags depName=defenseunicorns/uds-cli versioning=semver -->
 - [UDS CLI](https://github.com/defenseunicorns/uds-cli?tab=readme-ov-file#install) v0.8.1 or later
@@ -112,3 +113,8 @@ uds run test-single-layer --set LAYER=identity-authorization
 ```
 
 Note you can specify the `--set FLAVOR=registry1` flag to test using Iron Bank images instead of the upstream images.
+
+## UDS Core Architecture Overview
+![UDS Core Architecture Diagram](https://github.com/defenseunicorns/uds-core/blob/main/docs/.images/uds-core-arch-overview.svg?raw=true)
+
+Diagrams are located in `/docs/.images`. See the [diagram README](./docs/.images/README.md) for an explanation and help customizing.
diff --git a/bundles/k3d-slim-dev/uds-bundle.yaml b/bundles/k3d-slim-dev/uds-bundle.yaml
@@ -32,7 +32,7 @@ packages:
 
   - name: init
     repository: ghcr.io/zarf-dev/packages/init
-    ref: v0.44.0
+    ref: v0.45.0
 
   - name: core-base
     path: ../../build/

diff --git a/bundles/k3d-standard/uds-bundle.yaml b/bundles/k3d-standard/uds-bundle.yaml
@@ -32,7 +32,7 @@ packages:
 
   - name: init
     repository: ghcr.io/zarf-dev/packages/init
-    ref: v0.44.0
+    ref: v0.45.0
 
   - name: core
     path: ../../build/

diff --git a/docs/.images/README.md b/docs/.images/README.md
@@ -0,0 +1,22 @@
+# UDS Core Diagrams
+
+## Diagram Explanations
+At this time there are three layers to our diagram that visually explain the following:
+
+1. `Overview`, basic view of what applications are present and what other services/applications they are communicating with.
+
+2. `Traffic Direction`, similar to `Overview` layer with the addition of directional arrows to represent the flow of traffic in cluster.
+
+3. `Ports and Protocols`, similar to `Traffic Direction` layer with the addition of ports and protocols.
+
+## How to Customize
+To customize the diagram, download the svg and in [draw.io](https://draw.io) create a new diagram and load in the svg.
+
+To download the [svg from github](https://github.com/defenseunicorns/uds-core/tree/main/docs/.images), select one of the svg files, then select the download button in the top right of the `Preview` view.
+
+Alternatively you can also download the svg from the [uds.defenseunicorns.com](https://uds.defenseunicorns.com/reference/uds-core/overview/) docsite by right clicking and selecting the `Save image as` option.
+
+It doesn't matter which svg you download, they all contain the metadata for the other layers mentioned above (you may need to enable the layers pop up in [draw.io](https://draw.io) to change your layer).
+
+
+#### If you have suggestions for the diagrams, we welcome issues or pull requests contributions to [uds-core](https://github.com/defenseunicorns/uds-core).
diff --git a/docs/.images/uds-core-arch-ingress-egress.svg b/docs/.images/uds-core-arch-ingress-egress.svg
diff --git a/docs/.images/uds-core-arch-overview.svg b/docs/.images/uds-core-arch-overview.svg
diff --git a/docs/.images/uds-core-arch-ports-protocols.svg b/docs/.images/uds-core-arch-ports-protocols.svg
diff --git a/src/grafana/common/zarf.yaml b/src/grafana/common/zarf.yaml
@@ -19,7 +19,7 @@ components:
           - ../chart/values.yaml
       - name: grafana
         url: https://grafana.github.io/helm-charts/
-        version: 8.6.1
+        version: 8.7.0
         namespace: grafana
         valuesFiles:
           - ../values/values.yaml

diff --git a/src/grafana/values/registry1-values.yaml b/src/grafana/values/registry1-values.yaml
@@ -4,7 +4,7 @@
 image:
   registry: registry1.dso.mil
   repository: ironbank/opensource/grafana/grafana
-  tag: 11.3.1
+  tag: 11.4.0
 
 initChownData:
   image:
@@ -21,4 +21,4 @@ sidecar:
   image:
     registry: registry1.dso.mil
     repository: ironbank/kiwigrid/k8s-sidecar
-    tag: 1.28.0
+    tag: 1.28.1
diff --git a/src/grafana/values/unicorn-values.yaml b/src/grafana/values/unicorn-values.yaml
@@ -4,7 +4,7 @@
 image:
   registry: cgr.dev
   repository: du-uds-defenseunicorns/grafana-fips
-  tag: 11.3.1
+  tag: 11.4.0
 
 initChownData:
   image:
@@ -15,10 +15,10 @@ initChownData:
 downloadDashboardsImage:
   registry: cgr.dev
   repository: du-uds-defenseunicorns/curl-fips
-  tag: 8.11.0
+  tag: 8.11.1
 
 sidecar:
   image:
     registry: cgr.dev
     repository: du-uds-defenseunicorns/k8s-sidecar-fips
-    tag: 1.28.0
+    tag: 1.28.1
diff --git a/src/grafana/values/upstream-values.yaml b/src/grafana/values/upstream-values.yaml
@@ -6,12 +6,12 @@ sidecar:
     # -- The Docker registry
     registry: ghcr.io
     repository: kiwigrid/k8s-sidecar
-    tag: 1.28.0
+    tag: 1.28.1
 
 image:
   registry: docker.io
   repository: grafana/grafana
-  tag: 11.3.1
+  tag: 11.4.0
 
 initChownData:
   image:
@@ -22,4 +22,4 @@ initChownData:
 downloadDashboardsImage:
   registry: docker.io
   repository: curlimages/curl
-  tag: 8.11.0
+  tag: 8.11.1
diff --git a/src/grafana/zarf.yaml b/src/grafana/zarf.yaml
@@ -27,10 +27,10 @@ components:
         valuesFiles:
           - values/upstream-values.yaml
     images:
-      - docker.io/grafana/grafana:11.3.1
-      - docker.io/curlimages/curl:8.11.0
+      - docker.io/grafana/grafana:11.4.0
+      - docker.io/curlimages/curl:8.11.1
       - docker.io/library/busybox:1.37.0
-      - ghcr.io/kiwigrid/k8s-sidecar:1.28.0
+      - ghcr.io/kiwigrid/k8s-sidecar:1.28.1
 
   - name: grafana
     required: true
@@ -43,9 +43,9 @@ components:
         valuesFiles:
           - values/registry1-values.yaml
     images:
-      - registry1.dso.mil/ironbank/opensource/grafana/grafana:11.3.1
+      - registry1.dso.mil/ironbank/opensource/grafana/grafana:11.4.0
       - registry1.dso.mil/ironbank/redhat/ubi/ubi9-minimal:9.5
-      - registry1.dso.mil/ironbank/kiwigrid/k8s-sidecar:1.28.0
+      - registry1.dso.mil/ironbank/kiwigrid/k8s-sidecar:1.28.1
 
   - name: grafana
     required: true
@@ -58,7 +58,7 @@ components:
         valuesFiles:
           - values/unicorn-values.yaml
     images:
-      - cgr.dev/du-uds-defenseunicorns/grafana-fips:11.3.1
+      - cgr.dev/du-uds-defenseunicorns/grafana-fips:11.4.0
       - cgr.dev/du-uds-defenseunicorns/busybox-fips:1.37.0
-      - cgr.dev/du-uds-defenseunicorns/curl-fips:8.11.0
-      - cgr.dev/du-uds-defenseunicorns/k8s-sidecar-fips:1.28.0
+      - cgr.dev/du-uds-defenseunicorns/curl-fips:8.11.1
+      - cgr.dev/du-uds-defenseunicorns/k8s-sidecar-fips:1.28.1
diff --git a/src/keycloak/chart/templates/secret-kc-realm.yaml b/src/keycloak/chart/templates/secret-kc-realm.yaml
@@ -5,7 +5,7 @@ apiVersion: v1
 kind: Secret
 metadata:
   name: {{ include "keycloak.fullname" . }}-realm-env
-  namespace: {{ .Release.Namespace }}  
+  namespace: {{ .Release.Namespace }}
   labels:
     {{- include "keycloak.labels" . | nindent 4 }}
 type: Opaque
@@ -16,4 +16,13 @@ data:
   {{- else }}
   REALM_{{ $key }}: {{ $value | b64enc }}
   {{- end }}
-  {{- end }}
+  {{- end }}
+
+  SOCIAL_LOGIN_ENABLED: {{ .Values.realmAuthFlows.SOCIAL_AUTH_ENABLED | toString | b64enc }}
+  X509_LOGIN_ENABLED: {{ .Values.realmAuthFlows.X509_AUTH_ENABLED | toString | b64enc }}
+  USERNAME_PASSWORD_AUTH_ENABLED: {{ .Values.realmAuthFlows.USERNAME_PASSWORD_AUTH_ENABLED | toString | b64enc }}
+  REGISTER_BUTTON_ENABLED: {{ or .Values.realmAuthFlows.USERNAME_PASSWORD_AUTH_ENABLED .Values.realmAuthFlows.X509_AUTH_ENABLED | toString | b64enc }}
+  DENY_USERNAME_PASSWORD_ENABLED: {{ ternary "DISABLED" "REQUIRED" (.Values.realmAuthFlows.USERNAME_PASSWORD_AUTH_ENABLED) | b64enc }}
+  RESET_CREDENTIAL_FLOW_ENABLED: {{ ternary "REQUIRED" "DISABLED" (.Values.realmAuthFlows.USERNAME_PASSWORD_AUTH_ENABLED) | b64enc }}
+  REGISTRATION_FORM_ENABLED: {{ ternary "REQUIRED" "DISABLED" (or .Values.realmAuthFlows.USERNAME_PASSWORD_AUTH_ENABLED .Values.realmAuthFlows.X509_AUTH_ENABLED) | b64enc }}
+  OTP_ENABLED: {{ (and .Values.realmAuthFlows.OTP_ENABLED .Values.realmAuthFlows.USERNAME_PASSWORD_AUTH_ENABLED) | toString | b64enc }}
diff --git a/src/keycloak/chart/templates/statefulset.yaml b/src/keycloak/chart/templates/statefulset.yaml
@@ -28,7 +28,8 @@ spec:
         {{- end }}
        {{- if not .Values.devMode }}
       annotations:
-        postgres-hash: {{ include (print $.Template.BasePath "/secret-postgresql.yaml") . | sha256sum }}        
+        postgres-hash: {{ include (print $.Template.BasePath "/secret-postgresql.yaml") . | sha256sum }}
+        kc-realm-hash: {{ include (print $.Template.BasePath "/secret-kc-realm.yaml") . | sha256sum }}
       {{- end }}
     spec:
       securityContext:
@@ -52,13 +53,16 @@ spec:
               mountPath: /opt/keycloak/themes
             - name: conf
               mountPath: /opt/keycloak/conf
+          envFrom:
+            - secretRef:
+                name: {{ include "keycloak.fullname" . }}-realm-env
       containers:
         - name: keycloak
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           securityContext:
           {{- toYaml .Values.securityContext | nindent 12 }}
-          command: 
+          command:
             - "/opt/keycloak/bin/kc.sh"
           args:
             {{- if .Values.devMode }}
@@ -130,14 +134,13 @@ spec:
             - name: KC_CACHE_STACK
               value: kubernetes
             - name: KC_SPI_STICKY_SESSION_ENCODER_INFINISPAN_SHOULD_ATTACH_ROUTE
-              value: "false"               
+              value: "false"
             # java opts for jgroups required for infinispan distributed cache when using the kubernetes stack.
             # https://www.keycloak.org/server/caching
             - name: JAVA_OPTS_APPEND
               value: -Djgroups.dns.query={{ include "keycloak.fullname" . }}-headless.keycloak.svc.cluster.local
-
             # Postgres database configuration
-            - name: KC_DB 
+            - name: KC_DB
               value: postgres
             - name: KC_DB_URL_HOST
               valueFrom:

diff --git a/src/keycloak/chart/values.schema.json b/src/keycloak/chart/values.schema.json
@@ -295,6 +295,23 @@
         }
       }
     },
+    "realmAuthFlows": {
+      "type": "object",
+      "properties": {
+        "USERNAME_PASSWORD_AUTH_ENABLED": {
+          "type": "boolean"
+        },
+        "X509_AUTH_ENABLED": {
+          "type": "boolean"
+        },
+        "SOCIAL_AUTH_ENABLED": {
+          "type": "boolean"
+        },
+        "OTP_ENABLED": {
+          "type": "boolean"
+        }
+      }
+    },
     "resources": {
       "type": "object",
       "properties": {

diff --git a/src/keycloak/chart/values.yaml b/src/keycloak/chart/values.yaml
@@ -29,17 +29,24 @@ realm: uds
 # UDS Identity Config Realm Environment Variables. More info here: https://github.com/defenseunicorns/uds-identity-config/blob/main/docs/CUSTOMIZE.md#templated-realm-values
 realmInitEnv:
   GOOGLE_IDP_ENABLED: false
-#   GOOGLE_IDP_ID: ""
-#   GOOGLE_IDP_SIGNING_CERT: ""
-#   GOOGLE_IDP_NAME_ID_FORMAT: ""
-#   GOOGLE_IDP_CORE_ENTITY_ID: ""
-#   GOOGLE_IDP_ADMIN_GROUP: ""
-#   GOOGLE_IDP_AUDITOR_GROUP: ""
-#   PASSWORD_POLICY: "hashAlgorithm(pbkdf2-sha256) and forceExpiredPasswordChange(90) and specialChars(2) and lowerCase(0) and upperCase(0) and passwordHistory(5) and length(12) and notUsername(undefined) and digits(0)"
-#   EMAIL_VERIFICATION_ENABLED: true
-#   OTP_ENABLED: true
-#   TERMS_AND_CONDITIONS_ENABLED: true
-#   REALM_X509_OCSP_FAIL_OPEN: true
+  # GOOGLE_IDP_ID: ""
+  # GOOGLE_IDP_SIGNING_CERT: ""
+  # GOOGLE_IDP_NAME_ID_FORMAT: ""
+  # GOOGLE_IDP_CORE_ENTITY_ID: ""
+  # GOOGLE_IDP_ADMIN_GROUP: ""
+  # GOOGLE_IDP_AUDITOR_GROUP: ""
+  # PASSWORD_POLICY: "hashAlgorithm(pbkdf2-sha256) and forceExpiredPasswordChange(90) and specialChars(2) and lowerCase(0) and upperCase(0) and passwordHistory(5) and length(12) and notUsername(undefined) and digits(0)"
+  # EMAIL_VERIFICATION_ENABLED: true
+  # TERMS_AND_CONDITIONS_ENABLED: true
+  # X509_OCSP_FAIL_OPEN: true
+  # DISABLE_REGISTRATION_FIELDS: false
+
+# UDS Identity Config Authentication Flows Environment Variables. More info here: https://github.com/defenseunicorns/uds-identity-config/blob/main/docs/CUSTOMIZE.md#templated-realm-values
+realmAuthFlows:
+  USERNAME_PASSWORD_AUTH_ENABLED: true
+  X509_AUTH_ENABLED: true
+  SOCIAL_AUTH_ENABLED: true
+  OTP_ENABLED: true
 
 # Generates an initial password for first admin user - only use if install is headless
 # (i.e. cannot hit keycloak UI with `zarf connect keycloak`), password should be changed after initial login

diff --git a/src/pepr/docs-gen/main.ts b/src/pepr/docs-gen/main.ts
@@ -7,7 +7,7 @@ import * as path from "path";
 const INDENT_SIZE = 20;
 const MAX_HEADER_LEVEL = 6;
 const MAX_DEPTH = 10;
-const OUTPUT_DIR = "./docs/reference/configuration/custom-resources/";
+const OUTPUT_DIR = "./docs/reference/configuration/custom resources/";
 const TABLE_STYLE = 'style="width: 100%; table-layout: fixed;"';
 
 // Utility to capitalize the first letter of a string

diff --git a/tasks/create.yaml b/tasks/create.yaml
@@ -3,7 +3,7 @@
 
 
 includes:
-  - common: https://raw.githubusercontent.com/defenseunicorns/uds-common/v1.5.1/tasks/create.yaml
+  - common: https://raw.githubusercontent.com/defenseunicorns/uds-common/v1.6.0/tasks/create.yaml
 
 variables:
   - name: FLAVOR

diff --git a/tasks/iac.yaml b/tasks/iac.yaml
@@ -22,7 +22,7 @@ tasks:
   - name: install-eksctl
     actions:
       - cmd: |
-          curl --silent --location "https://github.com/weaveworks/eksctl/releases/download/v0.198.0/eksctl_Linux_amd64.tar.gz" | tar xz -C /tmp
+          curl --silent --location "https://github.com/weaveworks/eksctl/releases/download/v0.199.0/eksctl_Linux_amd64.tar.gz" | tar xz -C /tmp
           sudo mv /tmp/eksctl /usr/local/bin
 
   - name: create-cluster

diff --git a/tasks/lint.yaml b/tasks/lint.yaml
@@ -2,7 +2,7 @@
 # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial
 
 includes:
-  - remote: https://raw.githubusercontent.com/defenseunicorns/uds-common/v1.5.1/tasks/lint.yaml
+  - remote: https://raw.githubusercontent.com/defenseunicorns/uds-common/v1.6.0/tasks/lint.yaml
 
 tasks:
   - name: fix

diff --git a/tasks/setup.yaml b/tasks/setup.yaml
@@ -15,4 +15,4 @@ tasks:
 
       - description: "Initialize the cluster with Zarf"
         # renovate: datasource=github-tags depName=zarf-dev/zarf versioning=semver
-        cmd: "uds zarf package deploy oci://ghcr.io/zarf-dev/packages/init:v0.44.0 --confirm --no-progress"
+        cmd: "uds zarf package deploy oci://ghcr.io/zarf-dev/packages/init:v0.45.0 --confirm --no-progress"