From 77f53a034d69bef6b3d102acb2ef2d1b6523ac0e Mon Sep 17 00:00:00 2001
From: Micah Nagel
Date: Fri, 14 Jun 2024 10:46:08 -0600
Subject: [PATCH 01/61] force push ci
---
 external-contrib.md | 56 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 56 insertions(+)
 create mode 100644 external-contrib.md
diff --git a/external-contrib.md b/external-contrib.md
new file mode 100644
index 000000000..e493dcd3a
--- /dev/null
+++ b/external-contrib.md
@@ -0,0 +1,56 @@
+# Options for Outside Contributor Secret Usage in GitHub PRs
+
+## Skip Jobs Requiring Secrets
+
+- The simplest approach to the problem.
+- Just skip over or stub out jobs if the required secrets are not present.
+- In practice, this would mean skipping Ironbank tests on PRs (and Chainguard in the future).
+- Tests could still be run pre-release.
+- Primary flavor specific changes tend to be Renovate PRs which do not run on a fork
+- If we want we could still add a slash command or another option to trigger specific flavor tests, but not require them/link them to the PR directly
+
+## Use Slash Commands as Trigger
+
+- Ironbank workflows would be triggered by `issue_comment` and `repository_dispatch`.
+- This would provide a "ChatOps" like experience where a maintainer comments `/test` or similar to trigger checks requiring secrets.
+- Part of the triggered workflow would checkout the PRs code.
+- Secrets would work, enabling the full test suite to run.
+- Upstream and other workflows that don't require secrets could still run directly on `pull_request`
+- [slash-command-dispatch](https://github.com/peter-evans/slash-command-dispatch) is already used in some places in the company.
+- Downsides:
+  - Workflows must be on `main` before they are used since the slash command will trigger a `main` workflow.
+  - Extra process for triggering workflows (although this could reduce runner minute usage for renovate PRs)
+  - Decent amount of complexity and/or external action usage to make this process seamless (i.e. have to update the PR pipeline status "manually")
+  - May be unable to keep everything in the same concurrency group if in a separately triggered workflow
+
+## Use workflow run as trigger
+
+- Ironbank workflows would be triggered by `workflow_run` in response to `pull_request` workflows
+- This would be a fully automated process
+- Part of the triggered workflow would checkout the PRs code.
+- Secrets would work, enabling the full test suite to run.
+- Upstream and other workflows that don't require secrets could still run directly on `pull_request`
+- Downsides:
+  - Workflows must be on `main` before they are used since the slash command will trigger a `main` workflow?
+  - Decent amount of complexity and/or external action usage to make this process seamless (i.e. have to update the PR pipeline status "manually")
+  - May be unable to keep everything in the same concurrency group if in a separately triggered workflow
+
+## Use PR Target as Trigger
+
+- Ironbank workflows would be triggered by `pull_request_target`.
+- As part of the workflow, we would checkout the PRs code.
+- This is inherently dangerous ([learn more](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/)) and not "protected" by the workflow approval org settings ([see documentation](https://docs.github.com/en/enterprise-cloud@latest/actions/managing-workflow-runs/approving-workflow-runs-from-public-forks#about-workflow-runs-from-public-forks)).
+- We could run the job under a GitHub environment with required approvers (and filter based on user identity to auto-run unicorn PRs but require approval on true external users?).
+- Downsides: + - Workflows/workflow changes must be on `main` before they are used since the `pull_request_target` will use the `main` workflows + - "Deploying" to an environment in a PR is very noisy and could be confusing as no deployment is actually happening + +## Create a staging branch for external changes + +- PRs from external contributors would be into a `staging` type branch (NOT main) +- These PRs would only run upstream checks +- Merges from `staging` to `main` would run additional check where secrets would be accessible +- Downsides: + - Added complexity for external contributions + - Little benefit over the "skip job" option - PRs still have to be merged somewhere and follow-on fixes would likely be handled internally prior to release + From 751ce0e87495c862b5e6f3af7288c4fe186bfcec Mon Sep 17 00:00:00 2001 From: Micah Nagel Date: Fri, 14 Jun 2024 11:27:59 -0600 Subject: [PATCH 02/61] ci: wip test workflow_run --- .github/workflows/pr-trigger.yaml | 22 ++++++++++++++ .../workflows/pull-request-conditionals.yaml | 30 ++++++++++++++++--- .github/workflows/test.yaml | 22 +++++--------- 3 files changed, 55 insertions(+), 19 deletions(-) create mode 100644 .github/workflows/pr-trigger.yaml diff --git a/.github/workflows/pr-trigger.yaml b/.github/workflows/pr-trigger.yaml new file mode 100644 index 000000000..57470df1e --- /dev/null +++ b/.github/workflows/pr-trigger.yaml @@ -0,0 +1,22 @@ +name: PR Trigger + +on: + pull_request: + # milestoned is added here as a workaround for release-please not triggering PR workflows (PRs should be added to a milestone to trigger the workflow). + types: [milestoned, opened, reopened, synchronize] + +jobs: + build: + runs-on: ubuntu-latest + steps: + - run: | + echo ${{ github.event.number }} > pr_number.txt + echo "${{ github.event.pull_request.head.sha }}" >> pr_sha.txt + + - name: Upload PR number artifact + uses: actions/upload-artifact@v2 + with: + name: pr_info + path: | + pr_number.txt + pr_sha.txt 
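Review bot: `actions/upload-artifact@v2` in the new `pr-trigger.yaml` is pinned by a mutable tag while the checkout and setup-node steps elsewhere in this series are pinned to a commit SHA with a version comment; since this artifact is what drives the privileged `workflow_run` side, pin it the same way (`uses: actions/upload-artifact@<commit-sha> # vX.Y.Z`, placeholder), and the same applies to `actions/download-artifact` in the next file. The workflow also has no `permissions:` block, so the job receives the repository's default token scope for work that only echoes two values and uploads a file; a top-level `permissions: {}` (or `contents: read`) is sufficient. Interpolating `${{ github.event.number }}` and the head SHA straight into `run:` is harmless for these platform-generated values, but routing them through `env:` keeps the script free of expression expansion, which matters as soon as anything PR-controlled is added to this step.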
diff --git a/.github/workflows/pull-request-conditionals.yaml b/.github/workflows/pull-request-conditionals.yaml index 8086c883d..07a57777a 100644 --- a/.github/workflows/pull-request-conditionals.yaml +++ b/.github/workflows/pull-request-conditionals.yaml @@ -2,9 +2,10 @@ name: Filter # This workflow is triggered on pull requests on: - pull_request: - # milestoned is added here as a workaround for release-please not triggering PR workflows (PRs should be added to a milestone to trigger the workflow). - types: [milestoned, opened, reopened, synchronize] + workflow_run: + workflows: ["PR Trigger"] + types: + - completed # Permissions for the GITHUB_TOKEN used by the workflow. permissions: @@ -23,10 +24,27 @@ concurrency: cancel-in-progress: true jobs: + pr-info: + runs-on: ubuntu-latest + steps: + - name: Download PR info artifact + uses: actions/download-artifact@v2 + with: + name: pr_info + + - name: Read PR info + run: | + echo "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV + echo "PR_SHA=$(cat pr_sha.txt)" >> $GITHUB_ENV + lint-check: + needs: pr-info runs-on: ubuntu-latest steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 + # Todo: update pipeline status + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + with: + ref: ${{ env.PR_SHA }} - name: Use Node.js latest uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2 with: @@ -49,8 +67,11 @@ jobs: packages: ${{ steps.path-filter.outputs.changes }} steps: + # Todo: update pipeline status - name: Checkout the code uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + with: + ref: ${{ env.PR_SHA }} # Uses a custom action to filter paths for source packages. - name: Check src paths @@ -80,4 +101,5 @@ jobs: package: ${{ matrix.package }} flavor: ${{ matrix.flavor }} test_type: ${{ matrix.test_type }} + sha: ${{ env.PR_SHA }} secrets: inherit # Inherits all secrets from the parent workflow. 
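Review bot: The `pr-info` job reads `pr_sha.txt` and `pr_number.txt` as trusted, but the artifact is produced by the `pull_request` run, which for a fork PR executes the contributor's copy of `pr-trigger.yaml`, so whatever it writes now reaches `ref:` on the checkouts in the `@@ -23,10 +24,27 @@` and `@@ -49,8 +67,11 @@` hunks and the `sha:` input handed to the reusable workflow together with `secrets: inherit` in the last hunk. The SHA is available from the trusted event payload instead, `ref: ${{ github.event.workflow_run.head_sha }}`, and the number should be validated before it is used anywhere, e.g. `[[ "$(cat pr_number.txt)" =~ ^[0-9]+$ ]] || exit 1`. The header comment `# This workflow is triggered on pull requests` is now stale; it should say that the workflow runs on `workflow_run` in the base repository, with this repository's token and secrets, against code taken from the PR head, so a reader sees the trust boundary immediately.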
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index 1f4007991..01d0ca41f 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml @@ -1,8 +1,8 @@ name: Test packages on: - # Manual trigger - workflow_dispatch: + # Triggered by pull-request-conditionals.yaml + workflow_call: inputs: package: type: string @@ -16,20 +16,9 @@ on: type: string description: "The type of test to perform" required: true - # Triggered by pull-request-conditionals.yaml - workflow_call: - inputs: - package: - type: string - description: "The name of the source package to test" - required: true - flavor: + sha: type: string - description: "Flavor of the source package to test" - required: true - test_type: - type: string - description: "The type of test to perform" + description: "The SHA to checkout and test with" required: true permissions: @@ -44,8 +33,11 @@ jobs: UDS_PKG: ${{ inputs.package }} steps: + # Todo: update pipeline status - name: Checkout repository uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + with: + ref: ${{ inputs.sha }} - name: Environment setup uses: ./.github/actions/setup From c4278510505b38b651d3f1893a098d1b432e5d95 Mon Sep 17 00:00:00 2001 From: Micah Nagel Date: Fri, 14 Jun 2024 11:38:40 -0600 Subject: [PATCH 03/61] fix: workflow outputs silly --- .../workflows/pull-request-conditionals.yaml | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/.github/workflows/pull-request-conditionals.yaml b/.github/workflows/pull-request-conditionals.yaml index 07a57777a..e38eda952 100644 --- a/.github/workflows/pull-request-conditionals.yaml +++ b/.github/workflows/pull-request-conditionals.yaml 
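Review bot: In the `@@ -44,8 +33,11 @@` hunk, `uses: ./.github/actions/setup` runs immediately after the checkout of `inputs.sha`, so the local action is loaded from that commit rather than from the caller's tree, and the caller passes `secrets: inherit`; a fork's edits to `.github/actions/setup` would therefore execute with those secrets. If untrusted SHAs are to be tested here, check the commit out under `with: path:` so the workflow's own actions keep coming from the trusted ref, and gate the job behind an environment with required reviewers. The first hunk also drops the `workflow_dispatch` trigger, so the package test can no longer be started manually; if that is intended, the `on:` comment should say so rather than only naming the calling workflow.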
@@ -34,8 +34,8 @@ jobs: - name: Read PR info run: | - echo "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV - echo "PR_SHA=$(cat pr_sha.txt)" >> $GITHUB_ENV + echo "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_OUTPUT + echo "PR_SHA=$(cat pr_sha.txt)" >> $GITHUB_OUTPUT lint-check: needs: pr-info @@ -44,7 +44,7 @@ jobs: # Todo: update pipeline status - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: - ref: ${{ env.PR_SHA }} + ref: ${{ needs.pr-info.outputs.PR_SHA }} - name: Use Node.js latest uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2 with: @@ -60,7 +60,9 @@ jobs: # This job checks if there are changes in specific paths source packages. check-paths: - needs: lint-check + needs: + - lint-check + - pr-info runs-on: ubuntu-latest name: Select Jobs outputs: @@ -71,7 +73,7 @@ jobs: - name: Checkout the code uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: - ref: ${{ env.PR_SHA }} + ref: ${{ needs.pr-info.outputs.PR_SHA }} # Uses a custom action to filter paths for source packages. - name: Check src paths @@ -82,7 +84,9 @@ jobs: # This job triggers a separate workflow for each changed source package, if any. run-package-test: - needs: check-paths + needs: + - check-paths + - pr-info name: Schedule strategy: matrix: @@ -101,5 +105,5 @@ jobs: package: ${{ matrix.package }} flavor: ${{ matrix.flavor }} test_type: ${{ matrix.test_type }} - sha: ${{ env.PR_SHA }} + sha: ${{ needs.pr-info.outputs.PR_SHA }} secrets: inherit # Inherits all secrets from the parent workflow. From 68c26abf276709dcaebf1fa9999e750c99dc6f47 Mon Sep 17 00:00:00 2001 From: Micah Nagel Date: Fri, 14 Jun 2024 11:46:06 -0600 Subject: [PATCH 04/61] ci: wip fix artifacts --- .github/workflows/pr-trigger.yaml | 2 +- .github/workflows/pull-request-conditionals.yaml | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) 
diff --git a/.github/workflows/pr-trigger.yaml b/.github/workflows/pr-trigger.yaml index 57470df1e..74f5e0087 100644 --- a/.github/workflows/pr-trigger.yaml +++ b/.github/workflows/pr-trigger.yaml @@ -14,7 +14,7 @@ jobs: echo "${{ github.event.pull_request.head.sha }}" >> pr_sha.txt - name: Upload PR number artifact - uses: actions/upload-artifact@v2 + uses: actions/upload-artifact@v4 with: name: pr_info path: | diff --git a/.github/workflows/pull-request-conditionals.yaml b/.github/workflows/pull-request-conditionals.yaml index e38eda952..a2ddb0275 100644 --- a/.github/workflows/pull-request-conditionals.yaml +++ b/.github/workflows/pull-request-conditionals.yaml @@ -28,9 +28,10 @@ jobs: runs-on: ubuntu-latest steps: - name: Download PR info artifact - uses: actions/download-artifact@v2 + uses: actions/download-artifact@v4 with: name: pr_info + run-id: ${{ github.event.workflow_run.id }} # Pulls artifact from the PR workflow run - name: Read PR info run: | From 079c9394c630348e519d67d0bb2f6433daead1c8 Mon Sep 17 00:00:00 2001 From: Micah Nagel Date: Fri, 14 Jun 2024 11:50:46 -0600 Subject: [PATCH 05/61] ci: another one --- .github/workflows/pull-request-conditionals.yaml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/pull-request-conditionals.yaml b/.github/workflows/pull-request-conditionals.yaml index a2ddb0275..92d65d49f 100644 --- a/.github/workflows/pull-request-conditionals.yaml +++ b/.github/workflows/pull-request-conditionals.yaml @@ -27,11 +27,14 @@ jobs: pr-info: runs-on: ubuntu-latest steps: + - name: Info log + run: | + echo ${{ github.event.workflow_run }} - name: Download PR info artifact uses: actions/download-artifact@v4 with: name: pr_info - run-id: ${{ github.event.workflow_run.id }} # Pulls artifact from the PR workflow run + run-id: ${{ github.event.workflow_run.workflow_id }} # Pulls artifact from the PR workflow run - name: Read PR info run: | 
From 549cdf7c07177f00d291db1e4ef75ab40edb54ec Mon Sep 17 00:00:00 2001 From: Micah Nagel Date: Fri, 14 Jun 2024 11:52:12 -0600 Subject: [PATCH 06/61] ci: json --- .github/workflows/pull-request-conditionals.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pull-request-conditionals.yaml b/.github/workflows/pull-request-conditionals.yaml index 92d65d49f..fef86a5b3 100644 --- a/.github/workflows/pull-request-conditionals.yaml +++ b/.github/workflows/pull-request-conditionals.yaml @@ -29,7 +29,7 @@ jobs: steps: - name: Info log run: | - echo ${{ github.event.workflow_run }} + echo ${{ toJson(github.event.workflow_run) }} - name: Download PR info artifact uses: actions/download-artifact@v4 with: From 5ee487ebbcc8d14bb88d909abf8b4a775b144f98 Mon Sep 17 00:00:00 2001 From: Micah Nagel Date: Fri, 14 Jun 2024 11:53:25 -0600 Subject: [PATCH 07/61] syntax fix --- .github/workflows/pull-request-conditionals.yaml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/pull-request-conditionals.yaml b/.github/workflows/pull-request-conditionals.yaml index fef86a5b3..6b0571218 100644 --- a/.github/workflows/pull-request-conditionals.yaml +++ b/.github/workflows/pull-request-conditionals.yaml @@ -28,8 +28,10 @@ jobs: runs-on: ubuntu-latest steps: - name: Info log + env: + GITHUB_CONTEXT: ${{ toJson(github.event.workflow_run) }} run: | - echo ${{ toJson(github.event.workflow_run) }} + echo "$GITHUB_CONTEXT" - name: Download PR info artifact uses: actions/download-artifact@v4 with: From 274b29d549200000b131bc4e60ba0afc7b38f14e Mon Sep 17 00:00:00 2001 From: Micah Nagel Date: Fri, 14 Jun 2024 12:22:29 -0600 Subject: [PATCH 08/61] ci: wip fix? --- .github/workflows/pr-trigger.yaml | 2 +- .github/workflows/pull-request-conditionals.yaml | 9 +++------ 2 files changed, 4 insertions(+), 7 deletions(-) diff --git a/.github/workflows/pr-trigger.yaml b/.github/workflows/pr-trigger.yaml index 74f5e0087..9a01d91da 100644 
--- a/.github/workflows/pr-trigger.yaml +++ b/.github/workflows/pr-trigger.yaml @@ -6,7 +6,7 @@ on: types: [milestoned, opened, reopened, synchronize] jobs: - build: + pr-info: runs-on: ubuntu-latest steps: - run: | diff --git a/.github/workflows/pull-request-conditionals.yaml b/.github/workflows/pull-request-conditionals.yaml index 6b0571218..b099cec64 100644 --- a/.github/workflows/pull-request-conditionals.yaml +++ b/.github/workflows/pull-request-conditionals.yaml @@ -27,16 +27,13 @@ jobs: pr-info: runs-on: ubuntu-latest steps: - - name: Info log - env: - GITHUB_CONTEXT: ${{ toJson(github.event.workflow_run) }} - run: | - echo "$GITHUB_CONTEXT" - name: Download PR info artifact uses: actions/download-artifact@v4 with: name: pr_info - run-id: ${{ github.event.workflow_run.workflow_id }} # Pulls artifact from the PR workflow run + run-id: ${{ github.event.workflow_run.id }} # Pulls artifact from the PR workflow run + - name: Unzip PR info artifact + run: unzip pr_info.zip - name: Read PR info run: | From 5e455130b14337f94a64a3c9e0732b960961ad3e Mon Sep 17 00:00:00 2001 From: Micah Nagel Date: Fri, 14 Jun 2024 12:30:28 -0600 Subject: [PATCH 09/61] ci: wip token --- .github/workflows/pull-request-conditionals.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/pull-request-conditionals.yaml b/.github/workflows/pull-request-conditionals.yaml index b099cec64..a3db0daa6 100644 --- a/.github/workflows/pull-request-conditionals.yaml +++ b/.github/workflows/pull-request-conditionals.yaml @@ -12,6 +12,7 @@ permissions: id-token: write # Needed for OIDC-related operations. contents: read # Allows reading the content of the repository. pull-requests: read # Allows reading pull request metadata. + actions: read # Default settings for all run commands in the workflow jobs. defaults: 
@@ -32,6 +33,7 @@ jobs: with: name: pr_info run-id: ${{ github.event.workflow_run.id }} # Pulls artifact from the PR workflow run + github-token: ${{ github.token }} - name: Unzip PR info artifact run: unzip pr_info.zip From 00eb17a23417ac6f2c6ff64c1db13316961e94be Mon Sep 17 00:00:00 2001 From: Micah Nagel Date: Fri, 14 Jun 2024 12:34:58 -0600 Subject: [PATCH 10/61] wip: ls --- .github/workflows/pull-request-conditionals.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/pull-request-conditionals.yaml b/.github/workflows/pull-request-conditionals.yaml index a3db0daa6..b0cc634a1 100644 --- a/.github/workflows/pull-request-conditionals.yaml +++ b/.github/workflows/pull-request-conditionals.yaml @@ -34,6 +34,8 @@ jobs: name: pr_info run-id: ${{ github.event.workflow_run.id }} # Pulls artifact from the PR workflow run github-token: ${{ github.token }} + - run: ls -la + - run: ls -la pr_info - name: Unzip PR info artifact run: unzip pr_info.zip From 810790f5428fb9779d31e11a6607cb8ef644c2da Mon Sep 17 00:00:00 2001 From: Micah Nagel Date: Fri, 14 Jun 2024 12:38:01 -0600 Subject: [PATCH 11/61] ci: fix --- .github/workflows/pull-request-conditionals.yaml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/.github/workflows/pull-request-conditionals.yaml b/.github/workflows/pull-request-conditionals.yaml index b0cc634a1..bf5e928bd 100644 --- a/.github/workflows/pull-request-conditionals.yaml +++ b/.github/workflows/pull-request-conditionals.yaml @@ -34,10 +34,6 @@ jobs: name: pr_info run-id: ${{ github.event.workflow_run.id }} # Pulls artifact from the PR workflow run github-token: ${{ github.token }} - - run: ls -la - - run: ls -la pr_info - - name: Unzip PR info artifact - run: unzip pr_info.zip - name: Read PR info run: | From 66099184ad841503a9f1e7b7525b21100f7b1629 Mon Sep 17 00:00:00 2001 
From: Micah Nagel Date: Fri, 14 Jun 2024 13:15:15 -0600 Subject: [PATCH 12/61] ci: debug --- .github/workflows/pull-request-conditionals.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/pull-request-conditionals.yaml b/.github/workflows/pull-request-conditionals.yaml index bf5e928bd..fd743c86c 100644 --- a/.github/workflows/pull-request-conditionals.yaml +++ b/.github/workflows/pull-request-conditionals.yaml @@ -44,6 +44,9 @@ jobs: needs: pr-info runs-on: ubuntu-latest steps: + - run: | + echo ${{ needs.pr-info.outputs.PR_NUMBER }} + echo ${{ needs.pr-info.outputs.PR_SHA }} # Todo: update pipeline status - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: From f1e4a0880d12c32961b9b9efa9fdc50cabf2e304 Mon Sep 17 00:00:00 2001 From: Micah Nagel Date: Fri, 14 Jun 2024 13:18:40 -0600 Subject: [PATCH 13/61] doh --- .github/workflows/pull-request-conditionals.yaml | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/.github/workflows/pull-request-conditionals.yaml b/.github/workflows/pull-request-conditionals.yaml index fd743c86c..cc4226d57 100644 --- a/.github/workflows/pull-request-conditionals.yaml +++ b/.github/workflows/pull-request-conditionals.yaml 
@@ -36,21 +36,25 @@ jobs: github-token: ${{ github.token }} - name: Read PR info + id: read-info run: | echo "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_OUTPUT echo "PR_SHA=$(cat pr_sha.txt)" >> $GITHUB_OUTPUT + outputs: + prNumber: ${{ steps.read-info.outputs.PR_NUMBER }} + prSHA: ${{ steps.read-info.outputs.PR_SHA }} lint-check: needs: pr-info runs-on: ubuntu-latest steps: - run: | - echo ${{ needs.pr-info.outputs.PR_NUMBER }} - echo ${{ needs.pr-info.outputs.PR_SHA }} + echo ${{ needs.pr-info.outputs.prNumber }} + echo ${{ needs.pr-info.outputs.prSHA }} # Todo: update pipeline status - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: - ref: ${{ needs.pr-info.outputs.PR_SHA }} + ref: ${{ needs.pr-info.outputs.prSHA }} - name: Use Node.js latest uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2 with: @@ -79,7 +83,7 @@ jobs: - name: Checkout the code uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: - ref: ${{ needs.pr-info.outputs.PR_SHA }} + ref: ${{ needs.pr-info.outputs.prSHA }} # Uses a custom action to filter paths for source packages. - name: Check src paths @@ -111,5 +115,5 @@ jobs: package: ${{ matrix.package }} flavor: ${{ matrix.flavor }} test_type: ${{ matrix.test_type }} - sha: ${{ needs.pr-info.outputs.PR_SHA }} + sha: ${{ needs.pr-info.outputs.prSHA }} secrets: inherit # Inherits all secrets from the parent workflow. From 12d28721a3f30df622547d124b048d7a37706de1 Mon Sep 17 00:00:00 2001 From: Micah Nagel Date: Fri, 14 Jun 2024 13:23:34 -0600 Subject: [PATCH 14/61] check changes? --- .github/workflows/pull-request-conditionals.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/pull-request-conditionals.yaml b/.github/workflows/pull-request-conditionals.yaml index cc4226d57..034ec10a6 100644 --- a/.github/workflows/pull-request-conditionals.yaml +++ b/.github/workflows/pull-request-conditionals.yaml 
@@ -82,8 +82,6 @@ jobs: # Todo: update pipeline status - name: Checkout the code uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ needs.pr-info.outputs.prSHA }} # Uses a custom action to filter paths for source packages. - name: Check src paths @@ -91,6 +89,7 @@ jobs: uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3 with: filters: .github/filters.yaml + ref: ${{ needs.pr-info.outputs.prSHA }} # This job triggers a separate workflow for each changed source package, if any. run-package-test: From 318857094fcac7bebb04d5ec9822ed485df50a46 Mon Sep 17 00:00:00 2001 From: Micah Nagel Date: Fri, 14 Jun 2024 13:25:30 -0600 Subject: [PATCH 15/61] cleanup workflows --- .github/workflows/pull-request-conditionals.yaml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/.github/workflows/pull-request-conditionals.yaml b/.github/workflows/pull-request-conditionals.yaml index 034ec10a6..12ff20f93 100644 --- a/.github/workflows/pull-request-conditionals.yaml +++ b/.github/workflows/pull-request-conditionals.yaml @@ -34,7 +34,6 @@ jobs: name: pr_info run-id: ${{ github.event.workflow_run.id }} # Pulls artifact from the PR workflow run github-token: ${{ github.token }} - - name: Read PR info id: read-info run: | @@ -48,9 +47,6 @@ jobs: needs: pr-info runs-on: ubuntu-latest steps: - - run: | - echo ${{ needs.pr-info.outputs.prNumber }} - echo ${{ needs.pr-info.outputs.prSHA }} # Todo: update pipeline status - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: From 761de3a8c4fc64f24600f809776e005053f27733 Mon Sep 17 00:00:00 2001 From: Micah Nagel Date: Fri, 14 Jun 2024 13:59:35 -0600 Subject: [PATCH 16/61] ci: wip status check magicks --- .github/actions/status-checks/action.yaml | 50 +++++++++++++++++++ .../workflows/pull-request-conditionals.yaml | 22 +++++++- 2 files changed, 71 insertions(+), 1 deletion(-) create mode 100644 .github/actions/status-checks/action.yaml 
diff --git a/.github/actions/status-checks/action.yaml b/.github/actions/status-checks/action.yaml new file mode 100644 index 000000000..a4ae5013e --- /dev/null +++ b/.github/actions/status-checks/action.yaml @@ -0,0 +1,50 @@ +name: status-checks +description: "Update Status Checks" + +inputs: + ghToken: + description: 'GITHUB_TOKEN' + required: true + status: + description: "Status to set on the check, ex: pending, success, failure, error" + required: true + url: + description: "The URL for the status check run" + required: true + name: + description: "The name of the status check" + required: true + repo: + description: "The owner/repo for the status check" + required: true + sha: + description: "The SHA for the status check" + + +runs: + using: composite + steps: + - name: Set description based on status + run: | + if [[ "${{ inputs.status }}" == "success" ]]; then + echo "DESCRIPTION=Successful" >> $GITHUB_ENV + elif [[ "${{ inputs.status }}" == "failure" ]]; then + echo "DESCRIPTION=Failed" >> $GITHUB_ENV + elif [[ "${{ inputs.status }}" == "error" ]]; then + echo "DESCRIPTION=Cancelled" >> $GITHUB_ENV + elif [[ "${{ inputs.status }}" == "pending" ]]; then + echo "DESCRIPTION=Running..." >> $GITHUB_ENV + else + echo "DESCRIPTION=Unknown status" >> $GITHUB_ENV + shell: bash + - name: Post Status Check + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + gh api \ + --method POST \ + -H "Accept: application/vnd.github+json" \ + -H "X-GitHub-Api-Version: 2022-11-28" \ + /repos/${{inputs.repo}}/statuses/${{inputs.sha}} \ + -f "state=${{inputs.status}}" -f "target_url=${{inputs.url}}" -f "context=${{inputs.name}}" -f "description=$DESCRIPTION" + shell: bash diff --git a/.github/workflows/pull-request-conditionals.yaml b/.github/workflows/pull-request-conditionals.yaml index 12ff20f93..0e5f0d31c 100644 --- a/.github/workflows/pull-request-conditionals.yaml +++ b/.github/workflows/pull-request-conditionals.yaml 
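Review bot: The `Post Status Check` step splices `${{ inputs.sha }}`, `${{ inputs.url }}`, `${{ inputs.name }}` and `${{ inputs.repo }}` directly into the bash script, so any of them containing a quote or `$(…)` becomes part of the command; in this series `sha` is read from an artifact written by the triggering pull-request run, which is the one input a contributor can shape. Pass the inputs through `env:` and reference them as quoted shell variables, and reject a `sha` that is not a 40-character hex id before calling the API; the `[[ "${{ inputs.status }}" == … ]]` comparisons in the first step take the same `env:` treatment. The rewritten step is below; the `GH_TOKEN` entry is left as the hunk has it.
```yaml
    - name: Post Status Check
      env:
        # … unchanged: GH_TOKEN entry …
        STATUS: ${{ inputs.status }}
        TARGET_URL: ${{ inputs.url }}
        CONTEXT_NAME: ${{ inputs.name }}
        REPO: ${{ inputs.repo }}
        SHA: ${{ inputs.sha }}
      run: |
        # inputs arrive as environment variables, so their content is data, never shell syntax
        if ! [[ "$SHA" =~ ^[0-9a-f]{40}$ ]]; then
          echo "::error::sha input is not a full commit id"
          exit 1
        fi
        gh api \
          --method POST \
          -H "Accept: application/vnd.github+json" \
          -H "X-GitHub-Api-Version: 2022-11-28" \
          "/repos/${REPO}/statuses/${SHA}" \
          -f "state=${STATUS}" -f "target_url=${TARGET_URL}" \
          -f "context=${CONTEXT_NAME}" -f "description=${DESCRIPTION}"
      shell: bash
```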
@@ -12,7 +12,8 @@ permissions: id-token: write # Needed for OIDC-related operations. contents: read # Allows reading the content of the repository. pull-requests: read # Allows reading pull request metadata. - actions: read + actions: read # Allows reading artifacts from other workflow runs + statuses: write # Allows writing action statuses # Default settings for all run commands in the workflow jobs. defaults: @@ -51,6 +52,15 @@ jobs: - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: ref: ${{ needs.pr-info.outputs.prSHA }} + - name: Mark Check as Started + uses: ./.github/actions/status-checks + with: + ghToken: ${{ github.token }} + status: "pending" + url: "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" + name: "Filter / lint-check (pull_request)" + repo: ${{ github.repository }} + sha: ${{ steps.read-info.outputs.PR_SHA }} - name: Use Node.js latest uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2 with: @@ -63,6 +73,16 @@ jobs: run: brew install defenseunicorns/tap/uds@0.11.2 - name: Run Formatting Checks run: uds run lint-check --no-progress + - name: Mark Check Completion Status + if: always() + uses: ./.github/actions/status-checks + with: + ghToken: ${{ github.token }} + status: ${{ (success() && 'success') || (failure() && 'failure') || 'error' }} + url: "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" + name: "Filter / lint-check (pull_request)" + repo: ${{ github.repository }} + sha: ${{ steps.read-info.outputs.PR_SHA }} # This job checks if there are changes in specific paths source packages. check-paths: From 953632664e83d949a93aa2c8645433052d08a5a3 Mon Sep 17 00:00:00 2001 From: Micah Nagel Date: Fri, 14 Jun 2024 14:02:22 -0600 Subject: [PATCH 17/61] ci: fix use job status --- .github/workflows/pull-request-conditionals.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
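Review bot: The new status steps bracket `uds run lint-check`, which executes task definitions from the commit checked out at `needs.pr-info.outputs.prSHA`, and the `@@ -12,7 +12,8 @@` hunk adds `statuses: write` to a workflow-level grant that already carries `id-token: write`; under `workflow_run` that token is what fork-supplied tasks run with. Unless lint-check needs OIDC, scope the grant per job (`permissions:` under `lint-check:` with `contents: read` and `statuses: write`), leaving `id-token: write` only on the jobs that use it. Consider also requiring an environment approval for runs where `github.event.workflow_run.head_repository.full_name != github.repository`, which is the case the design note in this series flags as the risky one.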
diff --git a/.github/workflows/pull-request-conditionals.yaml b/.github/workflows/pull-request-conditionals.yaml index 0e5f0d31c..266aebbcf 100644 --- a/.github/workflows/pull-request-conditionals.yaml +++ b/.github/workflows/pull-request-conditionals.yaml @@ -73,12 +73,12 @@ jobs: run: brew install defenseunicorns/tap/uds@0.11.2 - name: Run Formatting Checks run: uds run lint-check --no-progress - - name: Mark Check Completion Status + - name: Mark Check Result if: always() uses: ./.github/actions/status-checks with: ghToken: ${{ github.token }} - status: ${{ (success() && 'success') || (failure() && 'failure') || 'error' }} + status: ${{ job.status == 'success' && 'success' || job.status == 'failure' && 'failure' || 'error' }} url: "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" name: "Filter / lint-check (pull_request)" repo: ${{ github.repository }} From 75cfbe446f9b6cd74b9858a7ceb6cd231b348509 Mon Sep 17 00:00:00 2001 From: Micah Nagel Date: Fri, 14 Jun 2024 14:06:57 -0600 Subject: [PATCH 18/61] fix: github token --- .github/actions/status-checks/action.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/actions/status-checks/action.yaml b/.github/actions/status-checks/action.yaml index a4ae5013e..0e238dc6d 100644 --- a/.github/actions/status-checks/action.yaml +++ b/.github/actions/status-checks/action.yaml @@ -39,7 +39,7 @@ runs: shell: bash - name: Post Status Check env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GH_TOKEN: ${{ inputs.ghToken }} run: | gh api \ --method POST \ From 11ca27f1ef5540b788174be68f868985355eda7a Mon Sep 17 00:00:00 2001 From: Micah Nagel Date: Fri, 14 Jun 2024 14:09:05 -0600 Subject: [PATCH 19/61] chatgpt got me --- .github/actions/status-checks/action.yaml | 1 + .github/workflows/pull-request-conditionals.yaml | 1 - 2 files changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.github/actions/status-checks/action.yaml b/.github/actions/status-checks/action.yaml index 0e238dc6d..ed2b898a4 100644 --- a/.github/actions/status-checks/action.yaml +++ b/.github/actions/status-checks/action.yaml @@ -36,6 +36,7 @@ runs: echo "DESCRIPTION=Running..." >> $GITHUB_ENV else echo "DESCRIPTION=Unknown status" >> $GITHUB_ENV + fi shell: bash - name: Post Status Check env: diff --git a/.github/workflows/pull-request-conditionals.yaml b/.github/workflows/pull-request-conditionals.yaml index 266aebbcf..3eb0d695c 100644 --- a/.github/workflows/pull-request-conditionals.yaml +++ b/.github/workflows/pull-request-conditionals.yaml @@ -48,7 +48,6 @@ jobs: needs: pr-info runs-on: ubuntu-latest steps: - # Todo: update pipeline status - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: ref: ${{ needs.pr-info.outputs.prSHA }} From 29545b6ca6a35c1717b10b23c8bc2ed3a90f1c4d Mon Sep 17 00:00:00 2001 From: Micah Nagel Date: Fri, 14 Jun 2024 14:20:58 -0600 Subject: [PATCH 20/61] fix: forgot to commit :( --- .github/actions/status-checks/action.yaml | 2 +- .github/workflows/pull-request-conditionals.yaml | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/actions/status-checks/action.yaml b/.github/actions/status-checks/action.yaml index ed2b898a4..569755eae 100644 --- a/.github/actions/status-checks/action.yaml +++ b/.github/actions/status-checks/action.yaml @@ -19,7 +19,7 @@ inputs: required: true sha: description: "The SHA for the status check" - + required: true runs: using: composite diff --git a/.github/workflows/pull-request-conditionals.yaml b/.github/workflows/pull-request-conditionals.yaml index 3eb0d695c..8d332a34b 100644 --- a/.github/workflows/pull-request-conditionals.yaml +++ b/.github/workflows/pull-request-conditionals.yaml 
@@ -54,12 +54,12 @@ jobs: - name: Mark Check as Started uses: ./.github/actions/status-checks with: - ghToken: ${{ github.token }} + ghToken: "${{ github.token }}" status: "pending" url: "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" name: "Filter / lint-check (pull_request)" - repo: ${{ github.repository }} - sha: ${{ steps.read-info.outputs.PR_SHA }} + repo: "${{ github.repository }}" + sha: "${{ needs.pr-info.outputs.prSHA }}" - name: Use Node.js latest uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2 with: @@ -81,7 +81,7 @@ jobs: url: "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" name: "Filter / lint-check (pull_request)" repo: ${{ github.repository }} - sha: ${{ steps.read-info.outputs.PR_SHA }} + sha: ${{ needs.pr-info.outputs.prSHA }} # This job checks if there are changes in specific paths source packages. check-paths: From 3a3372ccae231d1e0c9cadc02fc9f20c511de114 Mon Sep 17 00:00:00 2001 From: Micah Nagel Date: Fri, 14 Jun 2024 14:27:13 -0600 Subject: [PATCH 21/61] ci: test contexts, names --- .github/actions/status-checks/action.yaml | 5 ++++- .github/workflows/pull-request-conditionals.yaml | 4 ++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/.github/actions/status-checks/action.yaml b/.github/actions/status-checks/action.yaml index 569755eae..c9562deec 100644 --- a/.github/actions/status-checks/action.yaml +++ b/.github/actions/status-checks/action.yaml 
@@ -38,14 +38,17 @@ runs: echo "DESCRIPTION=Unknown status" >> $GITHUB_ENV fi shell: bash + - name: Get Job ID - name: Post Status Check env: GH_TOKEN: ${{ inputs.ghToken }} run: | + jobs=$(gh api repos/${{ github.repository }}/actions/runs/${{ github.run_id}}/attempts/${{ github.run_attempt }}/jobs) + job_id=$(echo $jobs | jq -r '.jobs[] | select(.runner_name=="${{ runner.name }}") | .id') gh api \ --method POST \ -H "Accept: application/vnd.github+json" \ -H "X-GitHub-Api-Version: 2022-11-28" \ /repos/${{inputs.repo}}/statuses/${{inputs.sha}} \ - -f "state=${{inputs.status}}" -f "target_url=${{inputs.url}}" -f "context=${{inputs.name}}" -f "description=$DESCRIPTION" + -f "state=${{inputs.status}}" -f "target_url=${{inputs.url}}/jobs/$job_id" -f "context=${{inputs.name}}" -f "description=$DESCRIPTION" shell: bash diff --git a/.github/workflows/pull-request-conditionals.yaml b/.github/workflows/pull-request-conditionals.yaml index 8d332a34b..4a3fe9898 100644 --- a/.github/workflows/pull-request-conditionals.yaml +++ b/.github/workflows/pull-request-conditionals.yaml @@ -57,7 +57,7 @@ jobs: ghToken: "${{ github.token }}" status: "pending" url: "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" - name: "Filter / lint-check (pull_request)" + name: "lint-check" repo: "${{ github.repository }}" sha: "${{ needs.pr-info.outputs.prSHA }}" - name: Use Node.js latest @@ -79,7 +79,7 @@ jobs: ghToken: ${{ github.token }} status: ${{ job.status == 'success' && 'success' || job.status == 'failure' && 'failure' || 'error' }} url: "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" - name: "Filter / lint-check (pull_request)" + name: "lint-check" repo: ${{ github.repository }} sha: ${{ needs.pr-info.outputs.prSHA }} From ca4b54ccd8b4a831eec8b66e358bdd3274b62f17 Mon Sep 17 00:00:00 2001 
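Review bot: The new `run:` script expands `${{ runner.name }}` and the `inputs.*` values (`inputs.sha`, `inputs.status`, `inputs.url`, `inputs.name`, `inputs.repo`) straight into the shell text and, for the runner name, into a single-quoted jq filter, so a value containing a quote or `$(` is interpreted rather than treated as data; `inputs.name` in particular is assembled from caller-supplied package/flavor/test_type strings later in this series. Pass them through `env:` and reference the shell variables double-quoted, and hand the jq comparison value over with `--arg`. The action.yaml hunks of patch 23 and patch 31 keep the same pattern (patch 31 moves `inputs.name` into the jq filter). The `- name: Get Job ID` entry added above the step has no `run`/`uses` and is not a valid step as written.
```yaml
      - name: Post Status Check
        env:
          GH_TOKEN: ${{ inputs.ghToken }}
          RUNNER_NAME: ${{ runner.name }}
          CHECK_STATUS: ${{ inputs.status }}
          CHECK_URL: ${{ inputs.url }}
          CHECK_NAME: ${{ inputs.name }}
          CHECK_REPO: ${{ inputs.repo }}
          CHECK_SHA: ${{ inputs.sha }}
        run: |
          jobs=$(gh api "repos/${{ github.repository }}/actions/runs/${{ github.run_id }}/attempts/${{ github.run_attempt }}/jobs")
          job_id=$(echo "$jobs" | jq -r --arg n "$RUNNER_NAME" '.jobs[] | select(.runner_name==$n) | .id')
          gh api \
            # … unchanged: --method POST and the two -H header flags …
            "/repos/$CHECK_REPO/statuses/$CHECK_SHA" \
            -f "state=$CHECK_STATUS" -f "target_url=$CHECK_URL/jobs/$job_id" -f "context=$CHECK_NAME" -f "description=$DESCRIPTION"
        shell: bash
```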
From: Micah Nagel Date: Fri, 14 Jun 2024 14:42:01 -0600 Subject: [PATCH 22/61] fail --- .github/actions/status-checks/action.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/actions/status-checks/action.yaml b/.github/actions/status-checks/action.yaml index c9562deec..6029a3b10 100644 --- a/.github/actions/status-checks/action.yaml +++ b/.github/actions/status-checks/action.yaml @@ -38,7 +38,6 @@ runs: echo "DESCRIPTION=Unknown status" >> $GITHUB_ENV fi shell: bash - - name: Get Job ID - name: Post Status Check env: GH_TOKEN: ${{ inputs.ghToken }} From 920fe1e9662033ef1e339e27bb4d743cd82252b6 Mon Sep 17 00:00:00 2001 From: Micah Nagel Date: Fri, 14 Jun 2024 14:50:22 -0600 Subject: [PATCH 23/61] ci: remove inputs for fun --- .github/actions/status-checks/action.yaml | 23 ++++++------------- .../workflows/pull-request-conditionals.yaml | 8 ------- 2 files changed, 7 insertions(+), 24 deletions(-) diff --git a/.github/actions/status-checks/action.yaml b/.github/actions/status-checks/action.yaml index 6029a3b10..970bea00d 100644 --- a/.github/actions/status-checks/action.yaml +++ b/.github/actions/status-checks/action.yaml @@ -2,21 +2,9 @@ name: status-checks description: "Update Status Checks" inputs: - ghToken: - description: 'GITHUB_TOKEN' - required: true status: description: "Status to set on the check, ex: pending, success, failure, error" required: true - url: - description: "The URL for the status check run" - required: true - name: - description: "The name of the status check" - required: true - repo: - description: "The owner/repo for the status check" - required: true sha: description: "The SHA for the status check" required: true 
@@ -40,14 +28,17 @@ runs: shell: bash - name: Post Status Check env: - GH_TOKEN: ${{ inputs.ghToken }} + GH_TOKEN: ${{ github.token }} run: | - jobs=$(gh api repos/${{ github.repository }}/actions/runs/${{ github.run_id}}/attempts/${{ github.run_attempt }}/jobs) + jobs=$(gh api repos/${{ github.repository }}/actions/runs/${{ github.run_id }}/attempts/${{ github.run_attempt }}/jobs) job_id=$(echo $jobs | jq -r '.jobs[] | select(.runner_name=="${{ runner.name }}") | .id') gh api \ --method POST \ -H "Accept: application/vnd.github+json" \ -H "X-GitHub-Api-Version: 2022-11-28" \ - /repos/${{inputs.repo}}/statuses/${{inputs.sha}} \ - -f "state=${{inputs.status}}" -f "target_url=${{inputs.url}}/jobs/$job_id" -f "context=${{inputs.name}}" -f "description=$DESCRIPTION" + /repos/${{ github.repository }}/statuses/${{ inputs.sha }} \ + -f "state=${{ job.status == 'success' && 'success' || job.status == 'failure' && 'failure' || 'error' }}" \ + -f "target_url=${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}/job/$job_id" \ + -f "context=${{ github.job }}" \ + -f "description=$DESCRIPTION" shell: bash diff --git a/.github/workflows/pull-request-conditionals.yaml b/.github/workflows/pull-request-conditionals.yaml index 4a3fe9898..5f00e4292 100644 --- a/.github/workflows/pull-request-conditionals.yaml +++ b/.github/workflows/pull-request-conditionals.yaml @@ -54,11 +54,7 @@ jobs: - name: Mark Check as Started uses: ./.github/actions/status-checks with: - ghToken: "${{ github.token }}" status: "pending" - url: "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" - name: "lint-check" - repo: "${{ github.repository }}" sha: "${{ needs.pr-info.outputs.prSHA }}" - name: Use Node.js latest uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2 
@@ -76,11 +72,7 @@ jobs: if: always() uses: ./.github/actions/status-checks with: - ghToken: ${{ github.token }} status: ${{ job.status == 'success' && 'success' || job.status == 'failure' && 'failure' || 'error' }} - url: "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" - name: "lint-check" - repo: ${{ github.repository }} sha: ${{ needs.pr-info.outputs.prSHA }} # This job checks if there are changes in specific paths source packages. From f2389a33d66491dfab62014cc744b25434202fe2 Mon Sep 17 00:00:00 2001 From: Micah Nagel Date: Fri, 14 Jun 2024 14:53:18 -0600 Subject: [PATCH 24/61] fix: ci things --- .github/actions/status-checks/action.yaml | 2 +- .github/workflows/pull-request-conditionals.yaml | 11 +++++++++++ 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/.github/actions/status-checks/action.yaml b/.github/actions/status-checks/action.yaml index 970bea00d..d51c72d1b 100644 --- a/.github/actions/status-checks/action.yaml +++ b/.github/actions/status-checks/action.yaml @@ -37,7 +37,7 @@ runs: -H "Accept: application/vnd.github+json" \ -H "X-GitHub-Api-Version: 2022-11-28" \ /repos/${{ github.repository }}/statuses/${{ inputs.sha }} \ - -f "state=${{ job.status == 'success' && 'success' || job.status == 'failure' && 'failure' || 'error' }}" \ + -f "state=${{ input.status }}" \ -f "target_url=${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}/job/$job_id" \ -f "context=${{ github.job }}" \ -f "description=$DESCRIPTION" diff --git a/.github/workflows/pull-request-conditionals.yaml b/.github/workflows/pull-request-conditionals.yaml index 5f00e4292..95492e256 100644 --- a/.github/workflows/pull-request-conditionals.yaml +++ b/.github/workflows/pull-request-conditionals.yaml 
@@ -89,6 +89,11 @@ jobs: # Todo: update pipeline status - name: Checkout the code uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - name: Mark Check as Started + uses: ./.github/actions/status-checks + with: + status: "pending" + sha: "${{ needs.pr-info.outputs.prSHA }}" # Uses a custom action to filter paths for source packages. - name: Check src paths @@ -97,6 +102,12 @@ jobs: with: filters: .github/filters.yaml ref: ${{ needs.pr-info.outputs.prSHA }} + - name: Mark Check Result + if: always() + uses: ./.github/actions/status-checks + with: + status: ${{ job.status == 'success' && 'success' || job.status == 'failure' && 'failure' || 'error' }} + sha: ${{ needs.pr-info.outputs.prSHA }} # This job triggers a separate workflow for each changed source package, if any. run-package-test: From d5c51f35f6817d66bfbf5b2d5f746032893c863a Mon Sep 17 00:00:00 2001 From: Micah Nagel Date: Fri, 14 Jun 2024 14:55:19 -0600 Subject: [PATCH 25/61] fix: inputs silly --- .github/actions/status-checks/action.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/actions/status-checks/action.yaml b/.github/actions/status-checks/action.yaml index d51c72d1b..4d01332f8 100644 --- a/.github/actions/status-checks/action.yaml +++ b/.github/actions/status-checks/action.yaml @@ -37,7 +37,7 @@ runs: -H "Accept: application/vnd.github+json" \ -H "X-GitHub-Api-Version: 2022-11-28" \ /repos/${{ github.repository }}/statuses/${{ inputs.sha }} \ - -f "state=${{ input.status }}" \ + -f "state=${{ inputs.status }}" \ -f "target_url=${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}/job/$job_id" \ -f "context=${{ github.job }}" \ -f "description=$DESCRIPTION" From 20983d749871ac2b769584d2ea5d37c1b9183b52 Mon Sep 17 00:00:00 2001 
From: Micah Nagel Date: Fri, 14 Jun 2024 15:09:43 -0600 Subject: [PATCH 26/61] fix: update status for test --- .github/workflows/pull-request-conditionals.yaml | 1 - .github/workflows/test.yaml | 14 +++++++++++++- 2 files changed, 13 insertions(+), 2 deletions(-) diff --git a/.github/workflows/pull-request-conditionals.yaml b/.github/workflows/pull-request-conditionals.yaml index 95492e256..1837adb6a 100644 --- a/.github/workflows/pull-request-conditionals.yaml +++ b/.github/workflows/pull-request-conditionals.yaml @@ -86,7 +86,6 @@ jobs: packages: ${{ steps.path-filter.outputs.changes }} steps: - # Todo: update pipeline status - name: Checkout the code uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Mark Check as Started diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index 01d0ca41f..2065f564e 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml @@ -23,6 +23,7 @@ on: permissions: contents: read + statuses: write # Allows writing action statuses jobs: test: @@ -33,11 +34,15 @@ jobs: UDS_PKG: ${{ inputs.package }} steps: - # Todo: update pipeline status - name: Checkout repository uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: ref: ${{ inputs.sha }} + - name: Mark Check as Started + uses: ./.github/actions/status-checks + with: + status: "pending" + sha: ${{ inputs.sha }} - name: Environment setup uses: ./.github/actions/setup @@ -67,3 +72,10 @@ jobs: uses: ./.github/actions/save-logs with: suffix: -${{ inputs.test_type }}-${{ inputs.package }}-${{ inputs.flavor }} + + - name: Mark Check Result + if: always() + uses: ./.github/actions/status-checks + with: + status: ${{ job.status == 'success' && 'success' || job.status == 'failure' && 'failure' || 'error' }} + sha: ${{ inputs.sha }} From c49e6ea2b566198d4702d4c67c659e833a8bad97 Mon Sep 17 00:00:00 2001 
From: Micah Nagel Date: Fri, 14 Jun 2024 15:20:06 -0600 Subject: [PATCH 27/61] fix: named inputs --- .github/actions/status-checks/action.yaml | 5 ++++- .github/workflows/pull-request-conditionals.yaml | 4 ++++ .github/workflows/test.yaml | 2 ++ 3 files changed, 10 insertions(+), 1 deletion(-) diff --git a/.github/actions/status-checks/action.yaml b/.github/actions/status-checks/action.yaml index 4d01332f8..321cb6464 100644 --- a/.github/actions/status-checks/action.yaml +++ b/.github/actions/status-checks/action.yaml @@ -8,6 +8,9 @@ inputs: sha: description: "The SHA for the status check" required: true + name: + description: "The name of the status check" + required: true runs: using: composite @@ -39,6 +42,6 @@ runs: /repos/${{ github.repository }}/statuses/${{ inputs.sha }} \ -f "state=${{ inputs.status }}" \ -f "target_url=${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}/job/$job_id" \ - -f "context=${{ github.job }}" \ + -f "context=${{ inputs.name }}" \ -f "description=$DESCRIPTION" shell: bash diff --git a/.github/workflows/pull-request-conditionals.yaml b/.github/workflows/pull-request-conditionals.yaml index 1837adb6a..75317fa5d 100644 --- a/.github/workflows/pull-request-conditionals.yaml +++ b/.github/workflows/pull-request-conditionals.yaml @@ -56,6 +56,7 @@ jobs: with: status: "pending" sha: "${{ needs.pr-info.outputs.prSHA }}" + name: ${{ github.job }} - name: Use Node.js latest uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2 with: @@ -74,6 +75,7 @@ jobs: with: status: ${{ job.status == 'success' && 'success' || job.status == 'failure' && 'failure' || 'error' }} sha: ${{ needs.pr-info.outputs.prSHA }} + name: ${{ github.job }} # This job checks if there are changes in specific paths source packages. check-paths: 
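Review bot: In the first pull-request-conditionals hunk the new `name: ${{ github.job }}` is unquoted while the neighbouring `sha: "${{ needs.pr-info.outputs.prSHA }}"` in the same `with:` block is quoted, and the second hunk uses the unquoted form for both; the file should settle on one form for expression-valued inputs. Either `name: "${{ github.job }}"` throughout or dropping the quotes from `sha:` would do, as long as both steps and both jobs agree. Both hunks are complete here; the remaining inputs of each step are in the surrounding context lines.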
@@ -93,6 +95,7 @@ jobs: with: status: "pending" sha: "${{ needs.pr-info.outputs.prSHA }}" + name: ${{ github.job }} # Uses a custom action to filter paths for source packages. - name: Check src paths @@ -107,6 +110,7 @@ jobs: with: status: ${{ job.status == 'success' && 'success' || job.status == 'failure' && 'failure' || 'error' }} sha: ${{ needs.pr-info.outputs.prSHA }} + name: ${{ github.job }} # This job triggers a separate workflow for each changed source package, if any. run-package-test: diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index 2065f564e..33957bda1 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml @@ -43,6 +43,7 @@ jobs: with: status: "pending" sha: ${{ inputs.sha }} + name: "Test (${{inputs.package}}, ${{inputs.flavor}}, ${{inputs.test_type}})" - name: Environment setup uses: ./.github/actions/setup @@ -79,3 +80,4 @@ jobs: with: status: ${{ job.status == 'success' && 'success' || job.status == 'failure' && 'failure' || 'error' }} sha: ${{ inputs.sha }} + name: "Test (${{inputs.package}}, ${{inputs.flavor}}, ${{inputs.test_type}})" From 73c0d961620ed422073a31edb674e6623ddc3fa9 Mon Sep 17 00:00:00 2001 From: Micah Nagel Date: Fri, 14 Jun 2024 15:25:34 -0600 Subject: [PATCH 28/61] free the names --- .github/workflows/test.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index 33957bda1..ae43a13d3 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml @@ -43,7 +43,7 @@ jobs: with: status: "pending" sha: ${{ inputs.sha }} - name: "Test (${{inputs.package}}, ${{inputs.flavor}}, ${{inputs.test_type}})" + name: "Test ${{inputs.package}} ${{inputs.test_type}}, ${{inputs.flavor}} flavor" - name: Environment setup uses: ./.github/actions/setup 
@@ -80,4 +80,4 @@ jobs: with: status: ${{ job.status == 'success' && 'success' || job.status == 'failure' && 'failure' || 'error' }} sha: ${{ inputs.sha }} - name: "Test (${{inputs.package}}, ${{inputs.flavor}}, ${{inputs.test_type}})" + name: "Test ${{inputs.package}} ${{inputs.test_type}}, ${{inputs.flavor}} flavor" From beecc41133ab696215b73cc3b98bb16a52cf41c5 Mon Sep 17 00:00:00 2001 From: Micah Nagel Date: Fri, 14 Jun 2024 15:26:20 -0600 Subject: [PATCH 29/61] more free names --- .github/workflows/pull-request-conditionals.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/pull-request-conditionals.yaml b/.github/workflows/pull-request-conditionals.yaml index 75317fa5d..a86238a18 100644 --- a/.github/workflows/pull-request-conditionals.yaml +++ b/.github/workflows/pull-request-conditionals.yaml @@ -56,7 +56,7 @@ jobs: with: status: "pending" sha: "${{ needs.pr-info.outputs.prSHA }}" - name: ${{ github.job }} + name: Lint Check - name: Use Node.js latest uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2 with: @@ -75,7 +75,7 @@ jobs: with: status: ${{ job.status == 'success' && 'success' || job.status == 'failure' && 'failure' || 'error' }} sha: ${{ needs.pr-info.outputs.prSHA }} - name: ${{ github.job }} + name: Lint Check # This job checks if there are changes in specific paths source packages. check-paths: @@ -95,7 +95,7 @@ jobs: with: status: "pending" sha: "${{ needs.pr-info.outputs.prSHA }}" - name: ${{ github.job }} + name: Filter on Changes # Uses a custom action to filter paths for source packages. - name: Check src paths @@ -110,7 +110,7 @@ jobs: with: status: ${{ job.status == 'success' && 'success' || job.status == 'failure' && 'failure' || 'error' }} sha: ${{ needs.pr-info.outputs.prSHA }} - name: ${{ github.job }} + name: Filter on Changes # This job triggers a separate workflow for each changed source package, if any. run-package-test: 
From 60ca1d06208be3c7f5ec825a37d85504116585d1 Mon Sep 17 00:00:00 2001 From: Micah Nagel Date: Fri, 14 Jun 2024 15:30:17 -0600 Subject: [PATCH 30/61] fix: concurrency group --- .github/workflows/pull-request-conditionals.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pull-request-conditionals.yaml b/.github/workflows/pull-request-conditionals.yaml index a86238a18..e452a38b6 100644 --- a/.github/workflows/pull-request-conditionals.yaml +++ b/.github/workflows/pull-request-conditionals.yaml @@ -22,7 +22,7 @@ defaults: # Abort prior jobs in the same workflow / PR concurrency: - group: test-${{ github.ref }} + group: test-${{ github.event.workflow_run.head_branch }} cancel-in-progress: true jobs: From eba372c0b0a942f1bcead8efcd420fbb427ed6e1 Mon Sep 17 00:00:00 2001 From: Micah Nagel Date: Fri, 14 Jun 2024 16:00:17 -0600 Subject: [PATCH 31/61] fix: workflow links --- .github/actions/status-checks/action.yaml | 2 +- .../workflows/pull-request-conditionals.yaml | 8 +++---- .github/workflows/test.yaml | 4 ++-- external-contrib.md | 24 +++++++++---------- 4 files changed, 19 insertions(+), 19 deletions(-) diff --git a/.github/actions/status-checks/action.yaml b/.github/actions/status-checks/action.yaml index 321cb6464..f68e1533f 100644 --- a/.github/actions/status-checks/action.yaml +++ b/.github/actions/status-checks/action.yaml @@ -34,7 +34,7 @@ runs: GH_TOKEN: ${{ github.token }} run: | jobs=$(gh api repos/${{ github.repository }}/actions/runs/${{ github.run_id }}/attempts/${{ github.run_attempt }}/jobs) - job_id=$(echo $jobs | jq -r '.jobs[] | select(.runner_name=="${{ runner.name }}") | .id') + job_id=$(echo $jobs | jq -r '.jobs[] | select(.name=="${{ inputs.name }}") | .id') gh api \ --method POST \ -H "Accept: application/vnd.github+json" \ diff --git a/.github/workflows/pull-request-conditionals.yaml b/.github/workflows/pull-request-conditionals.yaml index e452a38b6..3f38e5036 100644 
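Review bot: `group: test-${{ github.event.workflow_run.head_branch }}` keys cancellation on the head branch name alone, so pull requests from two different forks that happen to use the same branch name (commonly `main`) will cancel each other's runs, and for any trigger other than `workflow_run` the expression expands to an empty string and every run collapses into the group `test-`. Include the head repository in the key, e.g. `group: test-${{ github.event.workflow_run.head_repository.full_name }}-${{ github.event.workflow_run.head_branch }}`, or key on the PR number if pr-info exposes it. The `concurrency:` block is complete in the hunk.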
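Review bot: `select(.name=="${{ inputs.name }}")` in the action.yaml hunk of patch 31 leaves `job_id` empty when no job carries exactly that display name and produces several ids when more than one does, and the lookup only reads the first page of the jobs endpoint (the API paginates, so a large matrix run may not list the job in that page), so `target_url` can silently end in `/job/` or contain a newline. Use `gh api --paginate` for the lookup, keep a single match (`first(.jobs[] | select(.name==$n)) | .id`), and fall back to the run URL or fail the step when the result is empty; the name itself should reach jq via `--arg` rather than being spliced into the filter text. The `run:` block continues outside the hunk.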
--- a/.github/workflows/pull-request-conditionals.yaml +++ b/.github/workflows/pull-request-conditionals.yaml @@ -56,7 +56,7 @@ jobs: with: status: "pending" sha: "${{ needs.pr-info.outputs.prSHA }}" - name: Lint Check + name: ${{ github.job }} - name: Use Node.js latest uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2 with: @@ -75,7 +75,7 @@ jobs: with: status: ${{ job.status == 'success' && 'success' || job.status == 'failure' && 'failure' || 'error' }} sha: ${{ needs.pr-info.outputs.prSHA }} - name: Lint Check + name: ${{ github.job }} # This job checks if there are changes in specific paths source packages. check-paths: @@ -95,7 +95,7 @@ jobs: with: status: "pending" sha: "${{ needs.pr-info.outputs.prSHA }}" - name: Filter on Changes + name: ${{ github.job }} # Uses a custom action to filter paths for source packages. - name: Check src paths @@ -110,7 +110,7 @@ jobs: with: status: ${{ job.status == 'success' && 'success' || job.status == 'failure' && 'failure' || 'error' }} sha: ${{ needs.pr-info.outputs.prSHA }} - name: Filter on Changes + name: ${{ github.job }} # This job triggers a separate workflow for each changed source package, if any. run-package-test: diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index ae43a13d3..db7ca4870 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml @@ -43,7 +43,7 @@ jobs: with: status: "pending" sha: ${{ inputs.sha }} - name: "Test ${{inputs.package}} ${{inputs.test_type}}, ${{inputs.flavor}} flavor" + name: "Schedule (${{inputs.package}}, ${{inputs.flavor}}, ${{inputs.test_type}}) / Test" - name: Environment setup uses: ./.github/actions/setup 
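Review bot: In the test.yaml hunk, `name: "Schedule (${{inputs.package}}, ${{inputs.flavor}}, ${{inputs.test_type}}) / Test"` must equal the job's display name in the Actions API byte-for-byte, because the status-checks action in this same patch now resolves the job id with `select(.name=="${{ inputs.name }}")`; that display name is composed from the calling workflow's job name and this workflow's job id, neither of which is visible here, so a rename on either side silently removes the job link from the status. Put a comment above both occurrences making the coupling explicit, e.g. `# Must equal this job's display name in the Actions API ("<caller job name> / Test"); status-checks looks up the job id by this string`, and consider defining the string once in a job-level `env:` entry instead of repeating the literal in the start and result steps. The second occurrence is in the following hunk on the next line.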
@@ -80,4 +80,4 @@ jobs: with: status: ${{ job.status == 'success' && 'success' || job.status == 'failure' && 'failure' || 'error' }} sha: ${{ inputs.sha }} - name: "Test ${{inputs.package}} ${{inputs.test_type}}, ${{inputs.flavor}} flavor" + name: "Schedule (${{inputs.package}}, ${{inputs.flavor}}, ${{inputs.test_type}}) / Test" diff --git a/external-contrib.md b/external-contrib.md index e493dcd3a..c14e87f95 100644 --- a/external-contrib.md +++ b/external-contrib.md 
@@ -13,27 +13,27 @@ - Ironbank workflows would be triggered by `issue_comment` and `repository_dispatch`. - This would provide a "ChatOps" like experience where a maintainer comments `/test` or similar to trigger checks requiring secrets. -- Part of the triggered workflow would checkout the PRs code. -- Secrets would work, enabling the full test suite to run. -- Upstream and other workflows that don't require secrets could still run directly on `pull_request` - [slash-command-dispatch](https://github.com/peter-evans/slash-command-dispatch) is already used in some places in the company. - Downsides: - Workflows must be on `main` before they are used since the slash command will trigger a `main` workflow. - Extra process for triggering workflows (although this could reduce runner minute usage for renovate PRs) - - Decent amount of complexity and/or external action usage to make this process seamless (i.e. have to update the PR pipeline status "manually") - - May be unable to keep everything in the same concurrency group if in a separately triggered workflow + - Decent amount of complexity and/or external action usage to make this process seamless + - Job status is not fully accurate/realtime + - Jobs reflect as "Pending" with a description of "Running" (or whatever we want) rather than the normal GitHub spinner for running jobs + - Pending/Completed statuses are set during the job run so technically the status updates happen slightly after/before job start/finish + - There is no way to set a "Cancelled" status symbol via the API ## Use workflow run as trigger - Ironbank workflows would be triggered by `workflow_run` in response to `pull_request` workflows -- This would be a fully automated process -- Part of the triggered workflow would checkout the PRs code. -- Secrets would work, enabling the full test suite to run. 
-- Upstream and other workflows that don't require secrets could still run directly on `pull_request` +- This would be a fully automated process/flow, and only be limited for outside contributors (manual approval needed) - Downsides: - - Workflows must be on `main` before they are used since the slash command will trigger a `main` workflow? - - Decent amount of complexity and/or external action usage to make this process seamless (i.e. have to update the PR pipeline status "manually") - - May be unable to keep everything in the same concurrency group if in a separately triggered workflow + - `workflow_run` changes must be on main before they are used + - Job status is not fully accurate/realtime + - Jobs reflect as "Pending" with a description of "Running" (or whatever we want) rather than the normal GitHub spinner for running jobs + - Pending/Completed statuses are set during the job run so technically the status updates happen slightly after/before job start/finish + - There is no way to set a "Cancelled" status symbol via the API, but we can set error/failure and a description of "Cancelled" + - Any jobs that were triggered but pending (i.e. waiting on a runner) will not reflect their status in the PR since they have to start before status shows ## Use PR Target as Trigger From d64045363c267dad4d10b447e7706b1e739765ae Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Fri, 14 Jun 2024 22:00:57 +0000 Subject: [PATCH 32/61] chore(main): release 0.23.0 --- .github/bundles/uds-bundle.yaml | 4 +- .release-please-manifest.json | 2 +- CHANGELOG.md | 300 +++++++++++++++++++++++++++ README.md | 4 +- bundles/k3d-slim-dev/uds-bundle.yaml | 4 +- bundles/k3d-standard/uds-bundle.yaml | 4 +- packages/slim-dev/zarf.yaml | 2 +- packages/standard/zarf.yaml | 2 +- tasks/deploy.yaml | 2 +- tasks/publish.yaml | 2 +- 10 files changed, 313 insertions(+), 13 deletions(-) 
diff --git a/.github/bundles/uds-bundle.yaml b/.github/bundles/uds-bundle.yaml index ead40c2c9..a30f391f1 100644 --- a/.github/bundles/uds-bundle.yaml +++ b/.github/bundles/uds-bundle.yaml @@ -3,7 +3,7 @@ metadata: name: uds-core-eks-nightly description: A UDS bundle for deploying EKS and UDS Core # x-release-please-start-version - version: "0.22.2" + version: "0.23.0" # x-release-please-end packages: @@ -14,7 +14,7 @@ packages: - name: core path: ../../build/ # x-release-please-start-version - ref: 0.22.2 + ref: 0.23.0 # x-release-please-end overrides: velero: diff --git a/.release-please-manifest.json b/.release-please-manifest.json index 762fc35f4..819990afc 100644 --- a/.release-please-manifest.json +++ b/.release-please-manifest.json @@ -1,3 +1,3 @@ { - ".": "0.22.2" + ".": "0.23.0" } diff --git a/CHANGELOG.md b/CHANGELOG.md index 76ed893c2..bb09620eb 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -2,6 +2,306 @@ All notable changes to this project will be documented in this file. +## [0.23.0](https://github.com/BagelLab/uds-core/compare/v0.22.2...v0.23.0) (2024-06-14) + + +### ⚠ BREAKING CHANGES + +* remove emulated gitlab endpoints from keycloak + +### Features + +* add `expose` service entry for internal cluster traffic ([#356](https://github.com/BagelLab/uds-core/issues/356)) ([1bde4cc](https://github.com/BagelLab/uds-core/commit/1bde4ccf302864b0c38d093742ca683b96cebe89)) +* add `monitor` to operator, fix monitoring setup ([#256](https://github.com/BagelLab/uds-core/issues/256)) ([bf67722](https://github.com/BagelLab/uds-core/commit/bf67722d4e7e02d44dd29c4436e9a8d2ef960fa5)) +* add authservice to uds-core ([#153](https://github.com/BagelLab/uds-core/issues/153)) ([b0b33b9](https://github.com/BagelLab/uds-core/commit/b0b33b98ae12fe233c922bba55c9328212c2e578)) +* Add istio and preliminary ci ([#3](https://github.com/BagelLab/uds-core/issues/3)) ([fbd7453](https://github.com/BagelLab/uds-core/commit/fbd745392340dbc978b27f0d321f3375882c1c40)) +* add Istio VirtualService Requestmatch to UDS Operator ([#129](https://github.com/BagelLab/uds-core/issues/129)) ([a207197](https://github.com/BagelLab/uds-core/commit/a20719726991d3b981a372b705b776948f6fbc30)) +* add keycloak ([#147](https://github.com/BagelLab/uds-core/issues/147)) ([f99d3d5](https://github.com/BagelLab/uds-core/commit/f99d3d5d4f89264a21dd76d8847e1cef0325d127)) +* add keycloak sso realm values ([#352](https://github.com/BagelLab/uds-core/issues/352)) ([74436ea](https://github.com/BagelLab/uds-core/commit/74436ea78684a74044efdee14564a6582e659998)) +* add metrics-server ([#35](https://github.com/BagelLab/uds-core/issues/35)) ([8216ab9](https://github.com/BagelLab/uds-core/commit/8216ab982be79dc393a2e0db359370b32e660150)) +* add monitoring and logging ([#33](https://github.com/BagelLab/uds-core/issues/33)) 
([c6d9aec](https://github.com/BagelLab/uds-core/commit/c6d9aece4984421e1ccbf476cd0d40fb701e4e50)) +* add nightly testing eks ([#250](https://github.com/BagelLab/uds-core/issues/250)) ([543b09d](https://github.com/BagelLab/uds-core/commit/543b09d103a43c474da6a8c950404cc1f373b03f)) +* add pepr capability for istio + jobs ([#12](https://github.com/BagelLab/uds-core/issues/12)) ([c32a703](https://github.com/BagelLab/uds-core/commit/c32a70390f443c90796978ad4c42bbb4b17eb226)) +* add policy exemptions ([#165](https://github.com/BagelLab/uds-core/issues/165)) ([196df88](https://github.com/BagelLab/uds-core/commit/196df88b01347e530eb1cb49df7440d62c986e0e)) +* add prometheus-stack (monitoring) capability ([#2](https://github.com/BagelLab/uds-core/issues/2)) ([e438ab6](https://github.com/BagelLab/uds-core/commit/e438ab6089bc9d8c6640fa002285d38ddc3022df)) +* add reconciliation retries for CRs ([#423](https://github.com/BagelLab/uds-core/issues/423)) ([424b57b](https://github.com/BagelLab/uds-core/commit/424b57ba91906e1c60e6e92927e37b34d657ad01)) +* add saml and attribute/mapper support for keycloak in uds pepr operator ([#328](https://github.com/BagelLab/uds-core/issues/328)) ([c53d4ee](https://github.com/BagelLab/uds-core/commit/c53d4ee1227d71b60a35419f7c8c9396d71b9508)) +* add UDS Operator and consolidate UDS Policies ([#66](https://github.com/BagelLab/uds-core/issues/66)) ([395c1c4](https://github.com/BagelLab/uds-core/commit/395c1c4aec324d0d939cc410a6bb92129b26653b)) +* add velero package ([#210](https://github.com/BagelLab/uds-core/issues/210)) ([a272945](https://github.com/BagelLab/uds-core/commit/a27294585f0d50732b63672d0c2baf14948e29d1)) +* add Zarf Flavors to support Iron Bank & upstream images ([#63](https://github.com/BagelLab/uds-core/issues/63)) ([232c256](https://github.com/BagelLab/uds-core/commit/232c2566b96be0285c24b8b5787350897e72332f)) +* added initial oscal files ([#145](https://github.com/BagelLab/uds-core/issues/145)) 
([9600d5f](https://github.com/BagelLab/uds-core/commit/9600d5f159e4a04e8f71313f8ed118b87efbb9a1)) +* embed tls certs in istio package ([#32](https://github.com/BagelLab/uds-core/issues/32)) ([fb04fee](https://github.com/BagelLab/uds-core/commit/fb04feec9657f449366389a0e0a474a8cdeecb2c)) +* enable sso for neuvector ([#351](https://github.com/BagelLab/uds-core/issues/351)) ([597353e](https://github.com/BagelLab/uds-core/commit/597353e294e3dc5c06a8d572414e188f9845af8e)) +* expose tls certs as UDS bundle variables ([#48](https://github.com/BagelLab/uds-core/issues/48)) ([c1f8286](https://github.com/BagelLab/uds-core/commit/c1f828650ef2c53a3fd9ed477950046020c5d375)) +* introduce advancedHTTP for expose field & change podLabels to selector ([#154](https://github.com/BagelLab/uds-core/issues/154)) ([1079267](https://github.com/BagelLab/uds-core/commit/107926791149989a782254b8798b7c57a35cfcaf)) +* introduce Pepr common policies ([#50](https://github.com/BagelLab/uds-core/issues/50)) ([54182b4](https://github.com/BagelLab/uds-core/commit/54182b4db691d86ce80379be272d924d105b0d07)) +* introduce sso secret templating ([#276](https://github.com/BagelLab/uds-core/issues/276)) ([e0832ec](https://github.com/BagelLab/uds-core/commit/e0832ec2ee825dc1725483350e3b9295937b8feb)) +* keycloak PVC customization ([#341](https://github.com/BagelLab/uds-core/issues/341)) ([f8eae2a](https://github.com/BagelLab/uds-core/commit/f8eae2a20e02faac6e2c441845a82febeaab3b89)) +* **operator:** add events and improve lifecycle ops ([#245](https://github.com/BagelLab/uds-core/issues/245)) ([502c044](https://github.com/BagelLab/uds-core/commit/502c044547048a380b1f73dead0b8ab1b14a4b4f)) +* release-please integration ([#25](https://github.com/BagelLab/uds-core/issues/25)) ([bf3c53b](https://github.com/BagelLab/uds-core/commit/bf3c53b2ddac4e02e31aa3429029dd9f1c9595e3)) +* switch loki to simple scalable ([#156](https://github.com/BagelLab/uds-core/issues/156)) 
([1661b15](https://github.com/BagelLab/uds-core/commit/1661b154657eba1b30fc5bcec64179cbf6037c03)) +* uds common renovate config ([#391](https://github.com/BagelLab/uds-core/issues/391)) ([035786c](https://github.com/BagelLab/uds-core/commit/035786cadcd9c1fbaf7e0a798f9c13104a1a9a14)) +* uds core docs ([#414](https://github.com/BagelLab/uds-core/issues/414)) ([a35ca7b](https://github.com/BagelLab/uds-core/commit/a35ca7b484ab59572d8205a625db5447a8771e44)) +* update security policy to use provided user, group, and fsgroup ([#82](https://github.com/BagelLab/uds-core/issues/82)) ([6d641ce](https://github.com/BagelLab/uds-core/commit/6d641ce67210999bacda0e855269dca61e7c6a7b)) + + +### Bug Fixes + +* add keycloak to dev bundle and rename ([#262](https://github.com/BagelLab/uds-core/issues/262)) ([f9b905c](https://github.com/BagelLab/uds-core/commit/f9b905c7c2b7e4a6a43e7c83918e3157008433d3)) +* add kubeapi egress for neuvector enforcer ([#291](https://github.com/BagelLab/uds-core/issues/291)) ([87fc886](https://github.com/BagelLab/uds-core/commit/87fc886bc736104a9a3c3aefc4c7d232ed74a4f2)) +* add nightly uds-bundle.yaml to release-please extras for updates ([#346](https://github.com/BagelLab/uds-core/issues/346)) ([d1b3071](https://github.com/BagelLab/uds-core/commit/d1b3071182b48ef4905bb040d203fa42d7bbf76f)) +* add saml configuration to k3d standard bundle ([#425](https://github.com/BagelLab/uds-core/issues/425)) ([15b41d7](https://github.com/BagelLab/uds-core/commit/15b41d7ca506dd913316c41321aa9a3133755ab4)) +* add test for disallow selinux options and handle checking for us… ([#96](https://github.com/BagelLab/uds-core/issues/96)) ([88b969e](https://github.com/BagelLab/uds-core/commit/88b969e2aa4dea8b76dbe397d77c53941f7cfbc8)) +* arm64 packages / bundles creation ([#264](https://github.com/BagelLab/uds-core/issues/264)) ([425fa18](https://github.com/BagelLab/uds-core/commit/425fa184fca6bcebd1eea431dce7112cadae2f44)) +* basic validations for packages 
([#208](https://github.com/BagelLab/uds-core/issues/208)) ([9eba3af](https://github.com/BagelLab/uds-core/commit/9eba3afb7e288c13f75f93d5712d50a3b9e7b92d)) +* change pepr error policy to reject ([#99](https://github.com/BagelLab/uds-core/issues/99)) ([10772e2](https://github.com/BagelLab/uds-core/commit/10772e2c64f1e4b965b6b644b0008c81025029e9)) +* check if exemption exists before cleanup ([#468](https://github.com/BagelLab/uds-core/issues/468)) ([735288b](https://github.com/BagelLab/uds-core/commit/735288b87f2dff3c1bb28e9e20aac812d644aa4d)) +* ci things ([f2389a3](https://github.com/BagelLab/uds-core/commit/f2389a33d66491dfab62014cc744b25434202fe2)) +* complete incomplete deploy task ([#21](https://github.com/BagelLab/uds-core/issues/21)) ([45ff5e5](https://github.com/BagelLab/uds-core/commit/45ff5e5d7b6a50cdfcfabb174349ab539a8accd9)) +* concurrency group ([60ca1d0](https://github.com/BagelLab/uds-core/commit/60ca1d06208be3c7f5ec825a37d85504116585d1)) +* de-duplicate renovate matches ([#435](https://github.com/BagelLab/uds-core/issues/435)) ([4f9dbbb](https://github.com/BagelLab/uds-core/commit/4f9dbbbff0bbe1fe348ae7e6c55f97a505f730a9)) +* default keycloak realm envs ([#455](https://github.com/BagelLab/uds-core/issues/455)) ([3a2b48f](https://github.com/BagelLab/uds-core/commit/3a2b48fefb11afcf20f6826fbdef8c43daaf4639)) +* drop path normalization to MERGE_SLASHES to allow apps to handle encoded slashes ([#330](https://github.com/BagelLab/uds-core/issues/330)) ([26e965f](https://github.com/BagelLab/uds-core/commit/26e965fd71dd325bd8df451ce317456bf2d15073)) +* exemption race conditions ([#407](https://github.com/BagelLab/uds-core/issues/407)) ([d1b3b56](https://github.com/BagelLab/uds-core/commit/d1b3b5669976eb23ca8f88cd5b15a12c56102eca)) +* forgot to commit :( ([29545b6](https://github.com/BagelLab/uds-core/commit/29545b6ca6a35c1717b10b23c8bc2ed3a90f1c4d)) +* github token 
([75cfbe4](https://github.com/BagelLab/uds-core/commit/75cfbe446f9b6cd74b9858a7ceb6cd231b348509)) +* hotfix for publishing workflows ([#217](https://github.com/BagelLab/uds-core/issues/217)) ([5fefa01](https://github.com/BagelLab/uds-core/commit/5fefa017d382b7c5557e613b81cd84b27bda85f0)) +* inputs silly ([d5c51f3](https://github.com/BagelLab/uds-core/commit/d5c51f35f6817d66bfbf5b2d5f746032893c863a)) +* integrated docs ([#431](https://github.com/BagelLab/uds-core/issues/431)) ([72238fa](https://github.com/BagelLab/uds-core/commit/72238faed167a4e90e4d332e17909510efd98a58)) +* keycloak schema for package cr ([#436](https://github.com/BagelLab/uds-core/issues/436)) ([e32ce9a](https://github.com/BagelLab/uds-core/commit/e32ce9af9176ba8fef702a8c6aac84c15f9ab374)) +* keycloak volume permissions, UI update ([#223](https://github.com/BagelLab/uds-core/issues/223)) ([4454d3e](https://github.com/BagelLab/uds-core/commit/4454d3efcefe6bfa81628d330434afcc246fad65)) +* **keycloak:** add missing postgres host and port secret keys ([#224](https://github.com/BagelLab/uds-core/issues/224)) ([0c4d775](https://github.com/BagelLab/uds-core/commit/0c4d7758cfb077ff592fea907795402485b6c9f5)) +* **keycloak:** only use PVC for devMode ([#241](https://github.com/BagelLab/uds-core/issues/241)) ([a6e6023](https://github.com/BagelLab/uds-core/commit/a6e6023134dc5171441a2043701ed91309e1b32c)) +* kubeapi netpol generation now also includes the ip from the kubernetes service ([#219](https://github.com/BagelLab/uds-core/issues/219)) ([0a83d02](https://github.com/BagelLab/uds-core/commit/0a83d02f5782d911e3bb63935b0cac70030e5c9b)) +* loki bucket configuration service_account and namespace ([#332](https://github.com/BagelLab/uds-core/issues/332)) ([9518634](https://github.com/BagelLab/uds-core/commit/9518634b24f2d5c285e598f8620849bbc6288ba4)) +* loki local storage ([#84](https://github.com/BagelLab/uds-core/issues/84)) 
([b9505bb](https://github.com/BagelLab/uds-core/commit/b9505bbb42b5369c62d7cbfb05e1efb8b8a6200f)) +* loki s3 overrides ([#365](https://github.com/BagelLab/uds-core/issues/365)) ([3545066](https://github.com/BagelLab/uds-core/commit/354506647d65b0484332695abbbd58d91d9e7427)) +* metrics-server mTLS fix ([#44](https://github.com/BagelLab/uds-core/issues/44)) ([4853522](https://github.com/BagelLab/uds-core/commit/4853522c9504c87dcbd8319d689ecb0a1cb42c0b)) +* mismatched exemption/policy for DropAllCapabilities ([#384](https://github.com/BagelLab/uds-core/issues/384)) ([d8ec278](https://github.com/BagelLab/uds-core/commit/d8ec27827e2e2e7d85b4eba6b738f4b126264dd9)) +* named inputs ([c49e6ea](https://github.com/BagelLab/uds-core/commit/c49e6ea2b566198d4702d4c67c659e833a8bad97)) +* network policy to allow metrics-server ingress ([#148](https://github.com/BagelLab/uds-core/issues/148)) ([f1d434a](https://github.com/BagelLab/uds-core/commit/f1d434a68ef1f2a29ab3b13608bc16ce78211ed4)) +* networkpolicy for keycloak smtp egress ([4059954](https://github.com/BagelLab/uds-core/commit/4059954ed92502f10c1b5b769988a363adc06318)) +* nightly testing eks config architecture ([#452](https://github.com/BagelLab/uds-core/issues/452)) ([a0bbd1f](https://github.com/BagelLab/uds-core/commit/a0bbd1f0bf84f03d59866f9797555a08dc8034d6)) +* non-vendored zarf command refs ([#157](https://github.com/BagelLab/uds-core/issues/157)) ([fe183a9](https://github.com/BagelLab/uds-core/commit/fe183a9ae367bc2d7ea7d629e7c15877aabe38cd)) +* ocsp lookup egress policy ([#255](https://github.com/BagelLab/uds-core/issues/255)) ([77c38f2](https://github.com/BagelLab/uds-core/commit/77c38f22e9a77d9db81504f4c172fdc535c0929e)) +* pepr ironbank renovate update ([#299](https://github.com/BagelLab/uds-core/issues/299)) ([287e40d](https://github.com/BagelLab/uds-core/commit/287e40db5d65f7472a9e9216aae91f3ad92403d9)) +* pepr mutation annotation overwrite ([#385](https://github.com/BagelLab/uds-core/issues/385)) 
([6e56b2a](https://github.com/BagelLab/uds-core/commit/6e56b2afec8f54f8c0a4aa4b89fef1d1c754b627)) +* pepr operator derived netpol name collisions ([#480](https://github.com/BagelLab/uds-core/issues/480)) ([de60e25](https://github.com/BagelLab/uds-core/commit/de60e252526d73e439f5665b27f84e8773c24949)) +* registration robot check form id ([#269](https://github.com/BagelLab/uds-core/issues/269)) ([c6419b9](https://github.com/BagelLab/uds-core/commit/c6419b962eb5a02462e9060a66f7765689cfeb8f)) +* release workflow k3d image ([#316](https://github.com/BagelLab/uds-core/issues/316)) ([e7835e0](https://github.com/BagelLab/uds-core/commit/e7835e071f56af148792fbde250100af8e8ca0b8)) +* remove deprecated registry login and add env setup ([#443](https://github.com/BagelLab/uds-core/issues/443)) ([ca6b76f](https://github.com/BagelLab/uds-core/commit/ca6b76f3a66efb6b2e81832aff771ca06bdff68a)) +* remove go mod ([#441](https://github.com/BagelLab/uds-core/issues/441)) ([0de9693](https://github.com/BagelLab/uds-core/commit/0de969333923afb8fd4639547901c7d7f5c6a6f7)) +* remove loki gateway anti-affinity ([#111](https://github.com/BagelLab/uds-core/issues/111)) ([2cba42e](https://github.com/BagelLab/uds-core/commit/2cba42e3a83a25ae7a45f3c3d6a35bdc7bba0b58)) +* remove no-tea and update uds version ([#446](https://github.com/BagelLab/uds-core/issues/446)) ([434844b](https://github.com/BagelLab/uds-core/commit/434844b827e01808b504abf5ee6af83fba813cb6)) +* remove spec from secret yaml ([#226](https://github.com/BagelLab/uds-core/issues/226)) ([e4b5848](https://github.com/BagelLab/uds-core/commit/e4b58487f736f588944f7c039b8654f9006e04f1)) +* renovate config grouping, test-infra ([#411](https://github.com/BagelLab/uds-core/issues/411)) ([05fd407](https://github.com/BagelLab/uds-core/commit/05fd407e9c3bf6a0bac33de64e892ce2a63275ac)) +* renovate pepr comment ([#410](https://github.com/BagelLab/uds-core/issues/410)) 
([a825388](https://github.com/BagelLab/uds-core/commit/a82538817765ad21adb5f6bba283951bf4c23272)) +* resolve istio job termination container status logic issue ([#55](https://github.com/BagelLab/uds-core/issues/55)) ([c0142c2](https://github.com/BagelLab/uds-core/commit/c0142c213446a37185cdf9dec5ae60aaae8ba194)) +* revert "chore: support deselection of metrics-server" ([#196](https://github.com/BagelLab/uds-core/issues/196)) ([25a408d](https://github.com/BagelLab/uds-core/commit/25a408daeb7f6daada11c21e451f973ebe92c07c)) +* slim-dev monitoring handling ([#383](https://github.com/BagelLab/uds-core/issues/383)) ([79927aa](https://github.com/BagelLab/uds-core/commit/79927aa58cbb12c849e52b50c00b74629b100b31)) +* sticky sessions for keycloak in ha ([#281](https://github.com/BagelLab/uds-core/issues/281)) ([5ccd557](https://github.com/BagelLab/uds-core/commit/5ccd5576afc34d8b24061887f91ce284ec5857a1)) +* typo in comment ([#462](https://github.com/BagelLab/uds-core/issues/462)) ([582b1f4](https://github.com/BagelLab/uds-core/commit/582b1f4754ee3282696ea3b018322a1b3497a7d4)) +* unwanted exemption deletions ([#290](https://github.com/BagelLab/uds-core/issues/290)) ([50b0cd4](https://github.com/BagelLab/uds-core/commit/50b0cd4211964a90139347558028d6c461956da9)) +* update missing flavor create inputs in publish step ([#118](https://github.com/BagelLab/uds-core/issues/118)) ([a0233eb](https://github.com/BagelLab/uds-core/commit/a0233eb45e2d39035f483f3ed8fb3f396e5030d8)) +* update neuvector values for least privilege ([#373](https://github.com/BagelLab/uds-core/issues/373)) ([7f4de4f](https://github.com/BagelLab/uds-core/commit/7f4de4f729e60a258abc40ce34f9c397fae99181)) +* update status for test ([20983d7](https://github.com/BagelLab/uds-core/commit/20983d749871ac2b769584d2ea5d37c1b9183b52)) +* use updated k3s ([#426](https://github.com/BagelLab/uds-core/issues/426)) ([1da1c49](https://github.com/BagelLab/uds-core/commit/1da1c49e314c73e6fd1f2ef2940aff983262ec6b)) +* 
validating/mutating webhook networkpolicies and mtls ([#192](https://github.com/BagelLab/uds-core/issues/192)) ([b01e629](https://github.com/BagelLab/uds-core/commit/b01e62960985dd7cb318372abff296fb96f1012b)) +* valueFrom in KeyCloak statefulset.yaml ([#229](https://github.com/BagelLab/uds-core/issues/229)) ([189a5ce](https://github.com/BagelLab/uds-core/commit/189a5ce3a9dd16fe9646a293ca3948db21eb5d78)) +* wait on istio proxies ([#87](https://github.com/BagelLab/uds-core/issues/87)) ([51cd5a0](https://github.com/BagelLab/uds-core/commit/51cd5a012cc1d095a89b30a22910d3d7ad49885d)) +* workflow links ([eba372c](https://github.com/BagelLab/uds-core/commit/eba372c0b0a942f1bcead8efcd420fbb427ed6e1)) +* workflow outputs silly ([c427851](https://github.com/BagelLab/uds-core/commit/c4278510505b38b651d3f1893a098d1b432e5d95)) + + +### Miscellaneous + +* add checks before killing pods when updating istio annotations ([#457](https://github.com/BagelLab/uds-core/issues/457)) ([a62f9a0](https://github.com/BagelLab/uds-core/commit/a62f9a0e04bb538a8018a3f866c88e8b93c59826)) +* add commit lint workflow ([#19](https://github.com/BagelLab/uds-core/issues/19)) ([776a632](https://github.com/BagelLab/uds-core/commit/776a6325821329b2cbd97da2f40a30447cd48efc)) +* add debug logging to endpointslice watch ([#359](https://github.com/BagelLab/uds-core/issues/359)) ([da3eb5a](https://github.com/BagelLab/uds-core/commit/da3eb5ab4f5e6ced50f838456999995d5be601b7)) +* add debug logs to save logs for easier searching ([#430](https://github.com/BagelLab/uds-core/issues/430)) ([319101b](https://github.com/BagelLab/uds-core/commit/319101b61e4793037aab6c96b92c9d834763e9b8)) +* add debug output to release workflow ([#285](https://github.com/BagelLab/uds-core/issues/285)) ([5f96865](https://github.com/BagelLab/uds-core/commit/5f968651fb4f0da563d9c388efab761863f9ea08)) +* add flavor to pepr build task ([#238](https://github.com/BagelLab/uds-core/issues/238)) 
([29bf8a3](https://github.com/BagelLab/uds-core/commit/29bf8a3b83255c7548201f3ea19e22452a1d1d4a)) +* add minio deploy time bundle variable override definitions ([#58](https://github.com/BagelLab/uds-core/issues/58)) ([ca28e7b](https://github.com/BagelLab/uds-core/commit/ca28e7b4c4a42769934cc8ad69361ff29a348cc5)) +* add security.md ([#189](https://github.com/BagelLab/uds-core/issues/189)) ([bf7c1d2](https://github.com/BagelLab/uds-core/commit/bf7c1d28e077cf52d4f765b50d7efb8ce5d60fff)) +* add velero csi plugin ([#424](https://github.com/BagelLab/uds-core/issues/424)) ([c7e49e9](https://github.com/BagelLab/uds-core/commit/c7e49e91d9f7810ddc0368f146d43d3c94c782ad)) +* adding unit test for registerExemptions() ([#105](https://github.com/BagelLab/uds-core/issues/105)) ([5e71fcf](https://github.com/BagelLab/uds-core/commit/5e71fcf4751d2e3f6a1e55583ccf76c0fdc76856)) +* align mutation annotations ([#268](https://github.com/BagelLab/uds-core/issues/268)) ([f18ad4d](https://github.com/BagelLab/uds-core/commit/f18ad4db94a77f4229cc9267e0129f6aa3381c9a)) +* annotate mutations in policies ([#236](https://github.com/BagelLab/uds-core/issues/236)) ([cc9db50](https://github.com/BagelLab/uds-core/commit/cc9db500bb1033a516104f409fa05b3a1101d832)) +* bump zarf & uds-k3d deps ([#30](https://github.com/BagelLab/uds-core/issues/30)) ([dd28ab3](https://github.com/BagelLab/uds-core/commit/dd28ab3acd163aaccdfb76fbf9726c02a2ff0050)) +* conform to latest uds bundle schema ([#52](https://github.com/BagelLab/uds-core/issues/52)) ([14dad38](https://github.com/BagelLab/uds-core/commit/14dad3819187d4f8e13f7bbc191dca74a29b9c98)) +* dep updates for UDS CLI & Pepr ([#46](https://github.com/BagelLab/uds-core/issues/46)) ([1037634](https://github.com/BagelLab/uds-core/commit/10376349e350bd32f3bf32577d8f8089c09ac6cc)) +* **deps:** pin dependencies ([#79](https://github.com/BagelLab/uds-core/issues/79)) ([bfab11e](https://github.com/BagelLab/uds-core/commit/bfab11e345941d23dfeb928917f38e36a2f75bc9)) +* 
**deps:** update checkout to v4.1.7 ([#478](https://github.com/BagelLab/uds-core/issues/478)) ([e91a0a3](https://github.com/BagelLab/uds-core/commit/e91a0a35252581554d9ed587e4ef72c2c88a3586)) +* **deps:** update dependency defenseunicorns/uds-common to v0.2.1 ([#205](https://github.com/BagelLab/uds-core/issues/205)) ([1b01407](https://github.com/BagelLab/uds-core/commit/1b01407c4ae3a707db381b07e1364c572c76eceb)) +* **deps:** update dependency defenseunicorns/uds-common to v0.2.2 ([#232](https://github.com/BagelLab/uds-core/issues/232)) ([083ae0c](https://github.com/BagelLab/uds-core/commit/083ae0c45667e5b9064cbff781fbe4e5bc0d2991)) +* **deps:** update dependency defenseunicorns/uds-common to v0.3.6 ([#261](https://github.com/BagelLab/uds-core/issues/261)) ([1b5398b](https://github.com/BagelLab/uds-core/commit/1b5398b7b778ead8ac3265080ae0bd2b5761066e)) +* **deps:** update githubactions ([#179](https://github.com/BagelLab/uds-core/issues/179)) ([7797e25](https://github.com/BagelLab/uds-core/commit/7797e259b9691099cce9e151ce1ebf9f9f181435)) +* **deps:** update githubactions ([#242](https://github.com/BagelLab/uds-core/issues/242)) ([1eb2e2c](https://github.com/BagelLab/uds-core/commit/1eb2e2cd2018f0cd8fb55d8e6576b7e36fa8c3cf)) +* **deps:** update githubactions ([#413](https://github.com/BagelLab/uds-core/issues/413)) ([ebd834e](https://github.com/BagelLab/uds-core/commit/ebd834e56ae9adabe14d9772e4a4d9c305da173c)) +* **deps:** update githubactions to 692973e ([#481](https://github.com/BagelLab/uds-core/issues/481)) ([c6f0137](https://github.com/BagelLab/uds-core/commit/c6f0137bb9a1e11f98d426cec8c98eb4005f160a)) +* **deps:** update githubactions to de90cc6 ([#215](https://github.com/BagelLab/uds-core/issues/215)) ([f79eed0](https://github.com/BagelLab/uds-core/commit/f79eed03b2495d9f3e11edb433291ce8a3aa55ee)) +* **deps:** update githubactions to ebc4d7e ([#183](https://github.com/BagelLab/uds-core/issues/183)) 
([77357e7](https://github.com/BagelLab/uds-core/commit/77357e72cc0344e61fedcab7197aabdd7e4fd2a0)) +* **deps:** update githubactions to v19 ([#204](https://github.com/BagelLab/uds-core/issues/204)) ([d65acd4](https://github.com/BagelLab/uds-core/commit/d65acd4e2d37907685ba9083ff98988b4ea1d452)) +* **deps:** update githubactions to v3 ([#181](https://github.com/BagelLab/uds-core/issues/181)) ([70c5ddf](https://github.com/BagelLab/uds-core/commit/70c5ddf1ee0e5017bee4057d96b320812a964f88)) +* **deps:** update githubactions to v4.1.3 ([#471](https://github.com/BagelLab/uds-core/issues/471)) ([2a9f44d](https://github.com/BagelLab/uds-core/commit/2a9f44d20dce66fa474e47ba0c93eaa7fa9ad406)) +* **deps:** update grafana ([#144](https://github.com/BagelLab/uds-core/issues/144)) ([6987927](https://github.com/BagelLab/uds-core/commit/698792728faf8cfeabaf7a7c735c91229cc0c07f)) +* **deps:** update grafana ([#257](https://github.com/BagelLab/uds-core/issues/257)) ([c98e566](https://github.com/BagelLab/uds-core/commit/c98e5661c3e6fb84bf17fc64170f5dd39779dda7)) +* **deps:** update grafana ([#339](https://github.com/BagelLab/uds-core/issues/339)) ([52e6c1b](https://github.com/BagelLab/uds-core/commit/52e6c1b3bb003402710bc0fa85419538f38b388f)) +* **deps:** update grafana ([#80](https://github.com/BagelLab/uds-core/issues/80)) ([ccb2c12](https://github.com/BagelLab/uds-core/commit/ccb2c1280313fe69198ecab5fea5b38fc650f699)) +* **deps:** update grafana to v10.3.1 ([#132](https://github.com/BagelLab/uds-core/issues/132)) ([09e028c](https://github.com/BagelLab/uds-core/commit/09e028c63093a6f5fdfd0b1be800b07c0eb9de77)) +* **deps:** update grafana to v7.2.5 ([#136](https://github.com/BagelLab/uds-core/issues/136)) ([a271270](https://github.com/BagelLab/uds-core/commit/a271270f2d3f3488aa9664ef5ad69a4d239c5d22)) +* **deps:** update grafana to v7.3.0 ([#142](https://github.com/BagelLab/uds-core/issues/142)) 
([5e960c0](https://github.com/BagelLab/uds-core/commit/5e960c0479e6fc96244db0230296c94e936e57d8)) +* **deps:** update grafana to v7.3.9 ([#353](https://github.com/BagelLab/uds-core/issues/353)) ([4a70f40](https://github.com/BagelLab/uds-core/commit/4a70f407d5e06919aaa0dc5901f49f7f1b166c9d)) +* **deps:** update istio to v1.20.2 ([#75](https://github.com/BagelLab/uds-core/issues/75)) ([671f977](https://github.com/BagelLab/uds-core/commit/671f977ff183010ce75e323532db500dcd4aa69c)) +* **deps:** update istio to v1.20.3 ([#163](https://github.com/BagelLab/uds-core/issues/163)) ([e45de0e](https://github.com/BagelLab/uds-core/commit/e45de0e5917a2ca6c3e30e593e2d9a8d393849a9)) +* **deps:** update istio to v1.21.2 ([#258](https://github.com/BagelLab/uds-core/issues/258)) ([51c6540](https://github.com/BagelLab/uds-core/commit/51c65405c87ed3c147bdd90172ab0588dc8e5db1)) +* **deps:** update istio to v1.22.1 ([#405](https://github.com/BagelLab/uds-core/issues/405)) ([ad4b861](https://github.com/BagelLab/uds-core/commit/ad4b861158eecfac1d09a37ea3776e31a1c387cb)) +* **deps:** update jest to v29.1.4 ([#438](https://github.com/BagelLab/uds-core/issues/438)) ([c3ecc8b](https://github.com/BagelLab/uds-core/commit/c3ecc8b83b8c65f09600ab937a1c140c4a5f7db1)) +* **deps:** update keycloak ([#349](https://github.com/BagelLab/uds-core/issues/349)) ([2ef1813](https://github.com/BagelLab/uds-core/commit/2ef181333d2fd853bb8eee2c5deb82430d68c861)) +* **deps:** update keycloak ([#390](https://github.com/BagelLab/uds-core/issues/390)) ([3e82c4e](https://github.com/BagelLab/uds-core/commit/3e82c4ece470a5eea81d937b2b38c455934212e1)) +* **deps:** update keycloak to v0.4.2 ([#375](https://github.com/BagelLab/uds-core/issues/375)) ([b0bb8e4](https://github.com/BagelLab/uds-core/commit/b0bb8e47f78886186514f188a99ff38463a5eac3)) +* **deps:** update keycloak to v0.4.4 ([#460](https://github.com/BagelLab/uds-core/issues/460)) 
([936f40b](https://github.com/BagelLab/uds-core/commit/936f40bf078bb06d94ebd51585b4eb7669d426b4)) +* **deps:** update keycloak to v0.4.5 ([#461](https://github.com/BagelLab/uds-core/issues/461)) ([3592012](https://github.com/BagelLab/uds-core/commit/35920121bcdfbdf9b708eb3308ea34763a31246a)) +* **deps:** update keycloak to v24.0.4 ([#397](https://github.com/BagelLab/uds-core/issues/397)) ([c0420ea](https://github.com/BagelLab/uds-core/commit/c0420ea750b3a7dfc8ea6adab5225f76178ef953)) +* **deps:** update keycloak to v24.0.4 ([#402](https://github.com/BagelLab/uds-core/issues/402)) ([e454576](https://github.com/BagelLab/uds-core/commit/e454576a6de53e833d6b925308f09d6007166dde)) +* **deps:** update keycloak to v24.0.5 ([#453](https://github.com/BagelLab/uds-core/issues/453)) ([6b0c6fc](https://github.com/BagelLab/uds-core/commit/6b0c6fc91f238e367c9f2d54f0daaf9d8065794e)) +* **deps:** update keycloak to v24.0.5 ([#454](https://github.com/BagelLab/uds-core/issues/454)) ([89911f0](https://github.com/BagelLab/uds-core/commit/89911f0ca01ac421a254b79e25124525f464cf51)) +* **deps:** update loki ([#131](https://github.com/BagelLab/uds-core/issues/131)) ([61250b0](https://github.com/BagelLab/uds-core/commit/61250b02eca7ca57d7f346c1da5b63f19de17c49)) +* **deps:** update loki ([#209](https://github.com/BagelLab/uds-core/issues/209)) ([03ca499](https://github.com/BagelLab/uds-core/commit/03ca499bd5d9cac800bd36dca80340ceac3f3009)) +* **deps:** update loki ([#72](https://github.com/BagelLab/uds-core/issues/72)) ([98134bb](https://github.com/BagelLab/uds-core/commit/98134bba1f6078a867aae2ae28f4152ba7b1a8e5)) +* **deps:** update loki to v5.43.0 ([#180](https://github.com/BagelLab/uds-core/issues/180)) ([bab5f7a](https://github.com/BagelLab/uds-core/commit/bab5f7aba3644c0e478a17338df4e074b0c1a6a2)) +* **deps:** update loki to v5.43.1 ([#182](https://github.com/BagelLab/uds-core/issues/182)) 
([6cc5fc7](https://github.com/BagelLab/uds-core/commit/6cc5fc7f5a07d848cfe4f18dc9a7e2a4cd91b1cf)) +* **deps:** update loki to v5.43.2 ([#191](https://github.com/BagelLab/uds-core/issues/191)) ([0ec0cd4](https://github.com/BagelLab/uds-core/commit/0ec0cd4d6cdc7b4eb1eea33f4da7b144ecbc29a5)) +* **deps:** update loki to v5.43.3 ([#199](https://github.com/BagelLab/uds-core/issues/199)) ([40f1554](https://github.com/BagelLab/uds-core/commit/40f155469670a4b7290819fc09d28ff1fcc06a81)) +* **deps:** update metrics-server ([#123](https://github.com/BagelLab/uds-core/issues/123)) ([fb25a97](https://github.com/BagelLab/uds-core/commit/fb25a970d6e3b51432164fab05ea2d19d1a638ef)) +* **deps:** update metrics-server ([#298](https://github.com/BagelLab/uds-core/issues/298)) ([691fd87](https://github.com/BagelLab/uds-core/commit/691fd87ae3e523c897d0461c4a0384b2bb7c8c03)) +* **deps:** update neuvector ([#333](https://github.com/BagelLab/uds-core/issues/333)) ([010e287](https://github.com/BagelLab/uds-core/commit/010e287dbf3a712d19e54bfbbaa87807585130d7)) +* **deps:** update neuvector ([#73](https://github.com/BagelLab/uds-core/issues/73)) ([50f6c90](https://github.com/BagelLab/uds-core/commit/50f6c90ca31d5bf984e44fd1ded7c5cfcb968064)) +* **deps:** update neuvector to v9.4 ([#381](https://github.com/BagelLab/uds-core/issues/381)) ([20d4170](https://github.com/BagelLab/uds-core/commit/20d4170386d2437826abafc68d87d91dc457022a)) +* **deps:** update pepr ([#116](https://github.com/BagelLab/uds-core/issues/116)) ([bfa7352](https://github.com/BagelLab/uds-core/commit/bfa7352ebe962ef1ed091f4a5799ed4974e086ef)) +* **deps:** update pepr ([#324](https://github.com/BagelLab/uds-core/issues/324)) ([2ef0f96](https://github.com/BagelLab/uds-core/commit/2ef0f96da7476b487d72d4bb7ce4bd50fdb0b182)) +* **deps:** update pepr ([#340](https://github.com/BagelLab/uds-core/issues/340)) ([e71ba4a](https://github.com/BagelLab/uds-core/commit/e71ba4ab4eb1ea1cc482b507fef4e0e2735bbd1f)) +* **deps:** update pepr 
([#419](https://github.com/BagelLab/uds-core/issues/419)) ([d8f0309](https://github.com/BagelLab/uds-core/commit/d8f0309b4f9661b1c5bc2d5e574697ee9579e387)) +* **deps:** update pepr ([#473](https://github.com/BagelLab/uds-core/issues/473)) ([ab4bee9](https://github.com/BagelLab/uds-core/commit/ab4bee906f020d86b90c0b984789be55f8b4c08b)) +* **deps:** update pepr ([#76](https://github.com/BagelLab/uds-core/issues/76)) ([50de920](https://github.com/BagelLab/uds-core/commit/50de920bcf03092d16a11ebf77ede70987a7cdcf)) +* **deps:** update pepr to 0.31.0 ([#360](https://github.com/BagelLab/uds-core/issues/360)) ([fbd61ea](https://github.com/BagelLab/uds-core/commit/fbd61ea9665133619aec81726b189449226d8459)) +* **deps:** update pepr to v0.22.0 ([#102](https://github.com/BagelLab/uds-core/issues/102)) ([941902d](https://github.com/BagelLab/uds-core/commit/941902dcfc2ec1d5340d658f75811b3369489c56)) +* **deps:** update pepr to v0.22.2 ([#104](https://github.com/BagelLab/uds-core/issues/104)) ([0555353](https://github.com/BagelLab/uds-core/commit/0555353e5a5dec2aa8685a3987852d1c3788f28c)) +* **deps:** update pepr to v0.24.1 ([#134](https://github.com/BagelLab/uds-core/issues/134)) ([6474a1c](https://github.com/BagelLab/uds-core/commit/6474a1c0a16c8d87248acb1b3f7d79b76a354fc8)) +* **deps:** update pepr to v0.25.0 ([#164](https://github.com/BagelLab/uds-core/issues/164)) ([e7b8212](https://github.com/BagelLab/uds-core/commit/e7b8212b6a8ed2e16b47264687e0c39d2f0a3455)) +* **deps:** update pepr to v0.28.6 ([#254](https://github.com/BagelLab/uds-core/issues/254)) ([54ef7de](https://github.com/BagelLab/uds-core/commit/54ef7ded349d060b1732b381124fe29e3e8fe85b)) +* **deps:** update pepr to v0.28.6 ([#300](https://github.com/BagelLab/uds-core/issues/300)) ([86b43e4](https://github.com/BagelLab/uds-core/commit/86b43e478521aa88a3a4843948ca96b9cbe55985)) +* **deps:** update pepr to v0.28.7 ([#321](https://github.com/BagelLab/uds-core/issues/321)) 
([e7206bb](https://github.com/BagelLab/uds-core/commit/e7206bb93ce23a3ae611e410106890df3eafdea1)) +* **deps:** update pepr to v0.4.5 ([#447](https://github.com/BagelLab/uds-core/issues/447)) ([f1dba17](https://github.com/BagelLab/uds-core/commit/f1dba17076a7c6052ed67e07bdb560fda7604b80)) +* **deps:** update prometheus-stack ([#128](https://github.com/BagelLab/uds-core/issues/128)) ([625622a](https://github.com/BagelLab/uds-core/commit/625622a44c101f0a9c1beffd66eb259dc1f1eedc)) +* **deps:** update prometheus-stack ([#190](https://github.com/BagelLab/uds-core/issues/190)) ([f9a605a](https://github.com/BagelLab/uds-core/commit/f9a605a4c828128fc19f0bdb1d2443f65fb87b8a)) +* **deps:** update prometheus-stack ([#301](https://github.com/BagelLab/uds-core/issues/301)) ([143eca3](https://github.com/BagelLab/uds-core/commit/143eca3ecc2e3c39765312dc3c5384c87a13d7da)) +* **deps:** update prometheus-stack ([#348](https://github.com/BagelLab/uds-core/issues/348)) ([49cb11a](https://github.com/BagelLab/uds-core/commit/49cb11a058a9209cee7019fa552b8c0b2ef73368)) +* **deps:** update prometheus-stack ([#392](https://github.com/BagelLab/uds-core/issues/392)) ([2e656f5](https://github.com/BagelLab/uds-core/commit/2e656f5dc3de2e6561ac313cb1bae478635b86b3)) +* **deps:** update prometheus-stack ([#422](https://github.com/BagelLab/uds-core/issues/422)) ([a96193e](https://github.com/BagelLab/uds-core/commit/a96193e257701dfaf6fccc34246ef3f31e639f3e)) +* **deps:** update prometheus-stack ([#81](https://github.com/BagelLab/uds-core/issues/81)) ([19bedb6](https://github.com/BagelLab/uds-core/commit/19bedb60cd2f99615c4b5673623ff0ff6fafb73f)) +* **deps:** update promtail ([#74](https://github.com/BagelLab/uds-core/issues/74)) ([6a112b5](https://github.com/BagelLab/uds-core/commit/6a112b5226250f1a17023b2c1225d404cf8feeee)) +* **deps:** update to keycloak 24 ([#336](https://github.com/BagelLab/uds-core/issues/336)) 
([1153ba0](https://github.com/BagelLab/uds-core/commit/1153ba09ac062d3477a4ee396376be83493ad3c5)) +* **deps:** update uds to v0.10.4 ([#228](https://github.com/BagelLab/uds-core/issues/228)) ([1750b23](https://github.com/BagelLab/uds-core/commit/1750b2304e3c6f0ce6a60f1ef2873ce8a6ce1502)) +* **deps:** update uds to v0.11.1 ([#472](https://github.com/BagelLab/uds-core/issues/472)) ([12fd798](https://github.com/BagelLab/uds-core/commit/12fd79894e71ee06181ccd6f2ac98b84d935066c)) +* **deps:** update uds to v0.11.2 ([#479](https://github.com/BagelLab/uds-core/issues/479)) ([f967f9a](https://github.com/BagelLab/uds-core/commit/f967f9a4bf8d718b9ece96d882db4d9c800f5f0f)) +* **deps:** update uds to v0.5.3, zarf to v0.32.1, and uds-k3d to 0.3.0 ([#77](https://github.com/BagelLab/uds-core/issues/77)) ([596f9d8](https://github.com/BagelLab/uds-core/commit/596f9d8df51c3df1aa87fd0e09d9e69c87473bf0)) +* **deps:** update uds to v0.6.2 ([#107](https://github.com/BagelLab/uds-core/issues/107)) ([7b7220e](https://github.com/BagelLab/uds-core/commit/7b7220e708cf2dca25cc592b8932661620d9610d)) +* **deps:** update uds to v0.8.1 ([#141](https://github.com/BagelLab/uds-core/issues/141)) ([fa79065](https://github.com/BagelLab/uds-core/commit/fa79065265a5ee2b8f6f6a55d1c2904bbaf42fff)) +* **deps:** update uds to v0.9.0 ([#173](https://github.com/BagelLab/uds-core/issues/173)) ([b91a90d](https://github.com/BagelLab/uds-core/commit/b91a90db987e108a5a093a326428bbd0b5f9446e)) +* **deps:** update uds to v0.9.2 ([#200](https://github.com/BagelLab/uds-core/issues/200)) ([e4b54fe](https://github.com/BagelLab/uds-core/commit/e4b54febc4d7914e962db92b7a0490a3735af4e5)) +* **deps:** update uds-common to v0.4.4 ([#442](https://github.com/BagelLab/uds-core/issues/442)) ([bf6debd](https://github.com/BagelLab/uds-core/commit/bf6debdd0d50f6cde11288cd70d8bdf1dcdaaaa0)) +* **deps:** update uds-identity-config to 0.4.1 ([#355](https://github.com/BagelLab/uds-core/issues/355)) 
([8485931](https://github.com/BagelLab/uds-core/commit/84859316ea92ef9ec7807a702ee246e11b73567b)) +* **deps:** update uds-k3d to v0.3.1 ([#89](https://github.com/BagelLab/uds-core/issues/89)) ([5d54cd1](https://github.com/BagelLab/uds-core/commit/5d54cd1efe5eee4c19caf347882725e0aa20e50a)) +* **deps:** update uds-k3d to v0.5.0 ([#186](https://github.com/BagelLab/uds-core/issues/186)) ([164bf5f](https://github.com/BagelLab/uds-core/commit/164bf5f8bd58899f5ec1a179d6d409cfb46b850f)) +* **deps:** update uds-k3d to v0.6.0 ([#240](https://github.com/BagelLab/uds-core/issues/240)) ([6a26523](https://github.com/BagelLab/uds-core/commit/6a2652368fde3a3bdbe5bb81fd258830dfaeb5c8)) +* **deps:** update uds-k3d to v0.6.0 ([#398](https://github.com/BagelLab/uds-core/issues/398)) ([288f009](https://github.com/BagelLab/uds-core/commit/288f00990a715087c9bf1fffd0a63ecf33125a5a)) +* **deps:** update uds-k3d to v0.7.0 ([#428](https://github.com/BagelLab/uds-core/issues/428)) ([23b59a2](https://github.com/BagelLab/uds-core/commit/23b59a260b2c60791614ca4d39a33e65476e19ee)) +* **deps:** update velero ([#260](https://github.com/BagelLab/uds-core/issues/260)) ([f352008](https://github.com/BagelLab/uds-core/commit/f35200833a4d4d50de9f632f6918320f7d8fff5e)) +* **deps:** update velero ([#350](https://github.com/BagelLab/uds-core/issues/350)) ([e7cb33e](https://github.com/BagelLab/uds-core/commit/e7cb33ea9a13ab9550aab45d8ee437a1ba595d38)) +* **deps:** update velero ([#408](https://github.com/BagelLab/uds-core/issues/408)) ([ffbefda](https://github.com/BagelLab/uds-core/commit/ffbefda74777466ef74ad1d5cffff1f4895f323d)) +* **deps:** update velero ([#440](https://github.com/BagelLab/uds-core/issues/440)) ([4b1a3ea](https://github.com/BagelLab/uds-core/commit/4b1a3ead81a80b49e5ccfeb2e4130a4aaebb53a4)) +* **deps:** update velero to v1.30.2 ([#476](https://github.com/BagelLab/uds-core/issues/476)) ([89bbda9](https://github.com/BagelLab/uds-core/commit/89bbda9e640014bede116c254381cab8995df12f)) +* 
**deps:** update velero to v6.6.0 ([#456](https://github.com/BagelLab/uds-core/issues/456)) ([aff37c1](https://github.com/BagelLab/uds-core/commit/aff37c194e321f6a6c92f1bc11fd796cf9f0a9ab)) +* **deps:** update zarf to v0.32.2 ([#133](https://github.com/BagelLab/uds-core/issues/133)) ([91502c6](https://github.com/BagelLab/uds-core/commit/91502c6321334c6d31ce5fd1cd8f2fe6f77c09ae)) +* **deps:** update zarf to v0.32.3 ([#155](https://github.com/BagelLab/uds-core/issues/155)) ([2f0a1a7](https://github.com/BagelLab/uds-core/commit/2f0a1a77043ce298e765e6999cf11a97f36e4ecc)) +* **deps:** update zarf to v0.32.4 ([#203](https://github.com/BagelLab/uds-core/issues/203)) ([05c903e](https://github.com/BagelLab/uds-core/commit/05c903ea43243401d9cc2928ba5eb66ff6201c94)) +* **deps:** update zarf to v0.32.5 ([#243](https://github.com/BagelLab/uds-core/issues/243)) ([ee93612](https://github.com/BagelLab/uds-core/commit/ee9361224767c1a708b6f8e2c266af710facea8d)) +* **deps:** update zarf to v0.32.6 ([#282](https://github.com/BagelLab/uds-core/issues/282)) ([443426d](https://github.com/BagelLab/uds-core/commit/443426d05b9bd1d15fb4632efa26219250270895)) +* **deps:** update zarf to v0.33.0 ([#325](https://github.com/BagelLab/uds-core/issues/325)) ([f2a2a66](https://github.com/BagelLab/uds-core/commit/f2a2a665309c812b4300047d1c90ff3833a8eba6)) +* **deps:** update zarf to v0.33.1 ([#368](https://github.com/BagelLab/uds-core/issues/368)) ([296e547](https://github.com/BagelLab/uds-core/commit/296e54729c20c9ecee21677daec874a2c8b57b57)) +* **deps:** update zarf to v0.33.2 ([#394](https://github.com/BagelLab/uds-core/issues/394)) ([201a37b](https://github.com/BagelLab/uds-core/commit/201a37b12277880058c14fc05b3c0d4aecbf31e0)) +* **deps:** update zarf to v0.34.0 ([#434](https://github.com/BagelLab/uds-core/issues/434)) ([9badf9d](https://github.com/BagelLab/uds-core/commit/9badf9d4b9b6f904b1b7a478be5355416dc7fbe0)) +* fix missing deps in tag and release workflow 
([#28](https://github.com/BagelLab/uds-core/issues/28)) ([1e1af76](https://github.com/BagelLab/uds-core/commit/1e1af762e8eb1dd331cbd681e48ecc95ec3184d2)) +* initial renovate config ([#67](https://github.com/BagelLab/uds-core/issues/67)) ([2cd19d8](https://github.com/BagelLab/uds-core/commit/2cd19d871a95491950d43fea8e8fd2e8c290cd55)) +* kick off ci ([1afc3a4](https://github.com/BagelLab/uds-core/commit/1afc3a4203cce1a1c81b15e7ba6caad1a9c63131)) +* **main:** release 0.1.1 ([#27](https://github.com/BagelLab/uds-core/issues/27)) ([3776e91](https://github.com/BagelLab/uds-core/commit/3776e91670aa73907cb9c48a05419d106ecedd67)) +* **main:** release 0.1.2 ([#29](https://github.com/BagelLab/uds-core/issues/29)) ([af7b0be](https://github.com/BagelLab/uds-core/commit/af7b0beaf409627c87b47e4d908b0a8a0d8cff63)) +* **main:** release 0.1.3 ([#31](https://github.com/BagelLab/uds-core/issues/31)) ([28ad8a7](https://github.com/BagelLab/uds-core/commit/28ad8a78b023f160714ecb90d748ee65403cf500)) +* **main:** release 0.10.0 ([#135](https://github.com/BagelLab/uds-core/issues/135)) ([5bb6f01](https://github.com/BagelLab/uds-core/commit/5bb6f016631fdef4f14848ff55588f33e6d4f07d)) +* **main:** release 0.11.0 ([#138](https://github.com/BagelLab/uds-core/issues/138)) ([c02ada8](https://github.com/BagelLab/uds-core/commit/c02ada860f532d8955af00637756ee622f3e9019)) +* **main:** release 0.11.1 ([#159](https://github.com/BagelLab/uds-core/issues/159)) ([2c493bb](https://github.com/BagelLab/uds-core/commit/2c493bb7c877a7193e45376a9d28aed832cff590)) +* **main:** release 0.12.0 ([#161](https://github.com/BagelLab/uds-core/issues/161)) ([e3c41e8](https://github.com/BagelLab/uds-core/commit/e3c41e82ba5bd776f2633cbde222ab05c5c513f3)) +* **main:** release 0.13.0 ([#170](https://github.com/BagelLab/uds-core/issues/170)) ([09c9447](https://github.com/BagelLab/uds-core/commit/09c9447fa47e5bd1f1d3ae627d7c3dab9c46d596)) +* **main:** release 0.13.1 ([#197](https://github.com/BagelLab/uds-core/issues/197)) 
([e968fe9](https://github.com/BagelLab/uds-core/commit/e968fe9707f5a1f154b1fd19050ba46073427495)) +* **main:** release 0.14.0 ([#202](https://github.com/BagelLab/uds-core/issues/202)) ([d090f40](https://github.com/BagelLab/uds-core/commit/d090f4052679d1557973a17524923280c04807fd)) +* **main:** release 0.14.1 ([#218](https://github.com/BagelLab/uds-core/issues/218)) ([3199d8b](https://github.com/BagelLab/uds-core/commit/3199d8bc8cc8e11f9eccdb7075ce798572f6fa0a)) +* **main:** release 0.14.2 ([#221](https://github.com/BagelLab/uds-core/issues/221)) ([2ab4c54](https://github.com/BagelLab/uds-core/commit/2ab4c54618f40c8f195e4bbc1aee63024e488dc8)) +* **main:** release 0.14.3 ([#225](https://github.com/BagelLab/uds-core/issues/225)) ([05b1c19](https://github.com/BagelLab/uds-core/commit/05b1c196e4509ee38261a9b9bc8bc8531086b499)) +* **main:** release 0.14.4 ([#227](https://github.com/BagelLab/uds-core/issues/227)) ([d2d005b](https://github.com/BagelLab/uds-core/commit/d2d005b9caf0b067f850f752a3d6e643c99a74c6)) +* **main:** release 0.14.5 ([#230](https://github.com/BagelLab/uds-core/issues/230)) ([1acafca](https://github.com/BagelLab/uds-core/commit/1acafcadf0baa4567d4f0c41e3201fa40895d092)) +* **main:** release 0.15.0 ([#233](https://github.com/BagelLab/uds-core/issues/233)) ([f4f3699](https://github.com/BagelLab/uds-core/commit/f4f3699096e4f917cf36bcb15bdb47179569b74d)) +* **main:** release 0.15.1 ([#235](https://github.com/BagelLab/uds-core/issues/235)) ([a0c6b32](https://github.com/BagelLab/uds-core/commit/a0c6b327ada2a36a08a4dc4874248d9df65f5381)) +* **main:** release 0.16.0 ([#246](https://github.com/BagelLab/uds-core/issues/246)) ([efc64d4](https://github.com/BagelLab/uds-core/commit/efc64d45c6e78f3014258b80abdf35d0119bde36)) +* **main:** release 0.16.1 ([#265](https://github.com/BagelLab/uds-core/issues/265)) ([4e4eaea](https://github.com/BagelLab/uds-core/commit/4e4eaea6c16e010837bb1c0d5624ebda418bce6f)) +* **main:** release 0.17.0 
([#267](https://github.com/BagelLab/uds-core/issues/267)) ([510f536](https://github.com/BagelLab/uds-core/commit/510f536133e835f98bb524bfc9f437e6f716d9ef)) +* **main:** release 0.18.0 ([#286](https://github.com/BagelLab/uds-core/issues/286)) ([40e6b7b](https://github.com/BagelLab/uds-core/commit/40e6b7b711ddbd956058eda8490355568faddaec)) +* **main:** release 0.18.0 ([#318](https://github.com/BagelLab/uds-core/issues/318)) ([5f5e0b8](https://github.com/BagelLab/uds-core/commit/5f5e0b8a19daf0b51d9a102fd851ff76e5296d4e)) +* **main:** release 0.19.0 ([#320](https://github.com/BagelLab/uds-core/issues/320)) ([4ce502b](https://github.com/BagelLab/uds-core/commit/4ce502be3a5d83c28c259db8080a215f309c6ed7)) +* **main:** release 0.2.0 ([#34](https://github.com/BagelLab/uds-core/issues/34)) ([5185a8f](https://github.com/BagelLab/uds-core/commit/5185a8f98c90578eabd9f1494f55e43922bb7a92)) +* **main:** release 0.20.0 ([#345](https://github.com/BagelLab/uds-core/issues/345)) ([c29cc91](https://github.com/BagelLab/uds-core/commit/c29cc91cd2e41d5bbaee33deb173628c83ad0480)) +* **main:** release 0.21.0 ([#361](https://github.com/BagelLab/uds-core/issues/361)) ([c9f027f](https://github.com/BagelLab/uds-core/commit/c9f027f518de547b962b06defb836fba3c70ff3d)) +* **main:** release 0.21.1 ([#379](https://github.com/BagelLab/uds-core/issues/379)) ([b46a161](https://github.com/BagelLab/uds-core/commit/b46a161271bac3c167e554fadf673d2536b6b420)) +* **main:** release 0.22.0 ([#386](https://github.com/BagelLab/uds-core/issues/386)) ([6367bef](https://github.com/BagelLab/uds-core/commit/6367bef04dab6803471b8f424210baedf2004d01)) +* **main:** release 0.22.1 ([#432](https://github.com/BagelLab/uds-core/issues/432)) ([7cf9c4c](https://github.com/BagelLab/uds-core/commit/7cf9c4c09dccc1d91edb7acbb2aee8750c5433ed)) +* **main:** release 0.22.2 ([#474](https://github.com/BagelLab/uds-core/issues/474)) ([84a408f](https://github.com/BagelLab/uds-core/commit/84a408fb23c1803bdbbf5e1f1ce64e97110f2829)) +* 
**main:** release 0.3.0 ([#39](https://github.com/BagelLab/uds-core/issues/39)) ([4d2b05d](https://github.com/BagelLab/uds-core/commit/4d2b05de9d155dc91b799bde5156c5980bc348cb)) +* **main:** release 0.4.0 ([#43](https://github.com/BagelLab/uds-core/issues/43)) ([d2b61c3](https://github.com/BagelLab/uds-core/commit/d2b61c373b91d4f405e27ce930e4f8bec52ddd21)) +* **main:** release 0.4.1 ([#45](https://github.com/BagelLab/uds-core/issues/45)) ([d66eafe](https://github.com/BagelLab/uds-core/commit/d66eafea0ec9ccd412f5af3ed5ab12f3f8275a33)) +* **main:** release 0.5.0 ([#49](https://github.com/BagelLab/uds-core/issues/49)) ([f9c4269](https://github.com/BagelLab/uds-core/commit/f9c426998f2bc4fc21c32b3492f25b8608f50282)) +* **main:** release 0.6.0 ([#53](https://github.com/BagelLab/uds-core/issues/53)) ([9b3ad64](https://github.com/BagelLab/uds-core/commit/9b3ad64a6e3870ce364cad77abd367cc8d493042)) +* **main:** release 0.6.1 ([#56](https://github.com/BagelLab/uds-core/issues/56)) ([4a5a42c](https://github.com/BagelLab/uds-core/commit/4a5a42c8fa9ee17656e462cb9df08562d9c85b96)) +* **main:** release 0.6.2 ([#59](https://github.com/BagelLab/uds-core/issues/59)) ([b1c49ac](https://github.com/BagelLab/uds-core/commit/b1c49ac70e8a293936dea8a516c32b7bb7e6fc4c)) +* **main:** release 0.7.0 ([#71](https://github.com/BagelLab/uds-core/issues/71)) ([51dcb54](https://github.com/BagelLab/uds-core/commit/51dcb54d239cb5636b0c4f55fde9fc2b2c3bf076)) +* **main:** release 0.7.1 ([#85](https://github.com/BagelLab/uds-core/issues/85)) ([da4040a](https://github.com/BagelLab/uds-core/commit/da4040aff739746dc2355ec0449ee762c05c56c1)) +* **main:** release 0.7.2 ([#88](https://github.com/BagelLab/uds-core/issues/88)) ([5e421ce](https://github.com/BagelLab/uds-core/commit/5e421ce011e42692c3cb6f1353cfb8a5edb846fb)) +* **main:** release 0.7.3 ([#93](https://github.com/BagelLab/uds-core/issues/93)) ([ddf8fa6](https://github.com/BagelLab/uds-core/commit/ddf8fa617853686b8c043d236c159bcd59c47ac0)) +* 
**main:** release 0.7.4 ([#100](https://github.com/BagelLab/uds-core/issues/100)) ([9abd78b](https://github.com/BagelLab/uds-core/commit/9abd78b11a90a67344fa93e8dba7fd53d6b58ea2)) +* **main:** release 0.8.0 ([#106](https://github.com/BagelLab/uds-core/issues/106)) ([3ab93c3](https://github.com/BagelLab/uds-core/commit/3ab93c30b132ff9c35c1f238008b15cd265abe92)) +* **main:** release 0.8.1 ([#112](https://github.com/BagelLab/uds-core/issues/112)) ([942ad54](https://github.com/BagelLab/uds-core/commit/942ad549b53e8ce87a33fae985bbe2f82c6fa75c)) +* **main:** release 0.9.0 ([#117](https://github.com/BagelLab/uds-core/issues/117)) ([6b0c56b](https://github.com/BagelLab/uds-core/commit/6b0c56b8a6d60091e532ac36cd69ea6cd5ac1124)) +* **main:** release 0.9.1 ([#119](https://github.com/BagelLab/uds-core/issues/119)) ([984f916](https://github.com/BagelLab/uds-core/commit/984f91602c3b2873110d62a49c5df4ecfaa19f8a)) +* **main:** release 0.9.2 ([#121](https://github.com/BagelLab/uds-core/issues/121)) ([2d9b3c9](https://github.com/BagelLab/uds-core/commit/2d9b3c9fe288347879f2d78c8524b719d3772abd)) +* move api service watch to reconcile ([#362](https://github.com/BagelLab/uds-core/issues/362)) ([1822bca](https://github.com/BagelLab/uds-core/commit/1822bca6c397a5c8ea64b9355a9ba4f51fde4518)) +* open the aperture for pr workflow triggering ([#90](https://github.com/BagelLab/uds-core/issues/90)) ([d8a72f2](https://github.com/BagelLab/uds-core/commit/d8a72f2f2f3e507a4be7f217e23b737e3d4c35ce)) +* readme updates & use UDS CLI for zarf ([#137](https://github.com/BagelLab/uds-core/issues/137)) ([21de0ce](https://github.com/BagelLab/uds-core/commit/21de0cee2d70d67ca17b1d45c642e9ca4e1617ce)) +* refactor ci for releases to remove certain artifacts ([#125](https://github.com/BagelLab/uds-core/issues/125)) ([c08a062](https://github.com/BagelLab/uds-core/commit/c08a062bb3f3ede6860c3d7f34136b3e82b78715)) +* refactor promtail extraScrapeConfigs into scrapeConfigs 
([#367](https://github.com/BagelLab/uds-core/issues/367)) ([2220272](https://github.com/BagelLab/uds-core/commit/222027240148e669edf40483d145ffc15567b1b7)) +* refactor validate.yaml file name and task name ([#62](https://github.com/BagelLab/uds-core/issues/62)) ([92a04ea](https://github.com/BagelLab/uds-core/commit/92a04ea1096448995ccc0dd9d77a32a5061e06f0)) +* remove emulated gitlab endpoints from keycloak ([495960c](https://github.com/BagelLab/uds-core/commit/495960ce8d40cf2ef7c0f0021b653db6fc6383bb)) +* remove retry-action action on registry1 docker login ([#160](https://github.com/BagelLab/uds-core/issues/160)) ([eea0c93](https://github.com/BagelLab/uds-core/commit/eea0c93a0ff172bfc5a76d3eaca143ffc0d9fbe2)) +* remove version from neuvector zarf.yaml ([#11](https://github.com/BagelLab/uds-core/issues/11)) ([fbc8d51](https://github.com/BagelLab/uds-core/commit/fbc8d51e2b4146d394184d7596cd9a54219dc001)) +* renovate updates ([#140](https://github.com/BagelLab/uds-core/issues/140)) ([b71a013](https://github.com/BagelLab/uds-core/commit/b71a013bea30c9ca5e39f1dc6485fffaa86ca6b1)) +* simplify promtail values for scrape configs ([#94](https://github.com/BagelLab/uds-core/issues/94)) ([6c2513b](https://github.com/BagelLab/uds-core/commit/6c2513be89f064b44516b1d89c0d6005dd1d4d30)) +* support deselection of metrics-server ([#193](https://github.com/BagelLab/uds-core/issues/193)) ([289a0fe](https://github.com/BagelLab/uds-core/commit/289a0fee5315e8c4a70b3afe66165dd00a7dfbc1)) +* support headless keycloak admin user ([#307](https://github.com/BagelLab/uds-core/issues/307)) ([a0e51b6](https://github.com/BagelLab/uds-core/commit/a0e51b649822619b63478b140bb5dbbebeb20ff3)) +* test artifacts before publish ([#198](https://github.com/BagelLab/uds-core/issues/198)) ([9732f32](https://github.com/BagelLab/uds-core/commit/9732f325624244f4d34c127a949c6ce5951ff6ab)) +* trigger eks nightly when related files are updated ([#366](https://github.com/BagelLab/uds-core/issues/366)) 
([6d6e4e0](https://github.com/BagelLab/uds-core/commit/6d6e4e0debbca3498cbc21db405eec48b3bcc240)) +* typo fix in README.md ([#280](https://github.com/BagelLab/uds-core/issues/280)) ([f9727e0](https://github.com/BagelLab/uds-core/commit/f9727e0b638e853bbae131d02019a2efb5286b0a)) +* update codeowners ([#338](https://github.com/BagelLab/uds-core/issues/338)) ([c419574](https://github.com/BagelLab/uds-core/commit/c41957409607c6335ebf6bd4ff30a1a9336a4870)) +* update release please extra-files to be explicit ([#26](https://github.com/BagelLab/uds-core/issues/26)) ([23f4999](https://github.com/BagelLab/uds-core/commit/23f49995771fb05cd18e7a077bf90e86ca5b7471)) +* updating keycloak chart version to align with image ([#378](https://github.com/BagelLab/uds-core/issues/378)) ([a60fe2a](https://github.com/BagelLab/uds-core/commit/a60fe2afed9f7cff3bcad6b0f563232b47e8025b)) + ## [0.22.2](https://github.com/defenseunicorns/uds-core/compare/v0.22.1...v0.22.2) (2024-06-13) diff --git a/README.md b/README.md index a0ecc9a90..1e1fcc0f8 100644 --- a/README.md +++ b/README.md @@ -53,7 +53,7 @@ If you want to try out UDS Core, you can use the [k3d-core-demo bundle](./bundle ```bash -uds deploy k3d-core-demo:0.22.2 +uds deploy k3d-core-demo:0.23.0 ``` @@ -67,7 +67,7 @@ Deploy Istio, Keycloak and Pepr: ```bash -uds deploy k3d-core-slim-dev:0.22.2 +uds deploy k3d-core-slim-dev:0.23.0 ``` diff --git a/bundles/k3d-slim-dev/uds-bundle.yaml b/bundles/k3d-slim-dev/uds-bundle.yaml index 3ef3ed551..c90613ba1 100644 --- a/bundles/k3d-slim-dev/uds-bundle.yaml +++ b/bundles/k3d-slim-dev/uds-bundle.yaml @@ -3,7 +3,7 @@ metadata: name: k3d-core-slim-dev description: A UDS bundle for deploying Istio from UDS Core on a development cluster # x-release-please-start-version - version: "0.22.2" + version: "0.23.0" # x-release-please-end packages: 
@@ -34,7 +34,7 @@ packages: - name: core-slim-dev path: ../../build/ # x-release-please-start-version - ref: 0.22.2 + ref: 0.23.0 # x-release-please-end overrides: istio-admin-gateway: diff --git a/bundles/k3d-standard/uds-bundle.yaml b/bundles/k3d-standard/uds-bundle.yaml index 67c53836e..08a82b81b 100644 --- a/bundles/k3d-standard/uds-bundle.yaml +++ b/bundles/k3d-standard/uds-bundle.yaml @@ -3,7 +3,7 @@ metadata: name: k3d-core-demo description: A UDS bundle for deploying the standard UDS Core package on a development cluster # x-release-please-start-version - version: "0.22.2" + version: "0.23.0" # x-release-please-end packages: @@ -34,7 +34,7 @@ packages: - name: core path: ../../build/ # x-release-please-start-version - ref: 0.22.2 + ref: 0.23.0 # x-release-please-end overrides: loki: diff --git a/packages/slim-dev/zarf.yaml b/packages/slim-dev/zarf.yaml index a1044ef96..1d80c8e09 100644 --- a/packages/slim-dev/zarf.yaml +++ b/packages/slim-dev/zarf.yaml @@ -4,7 +4,7 @@ metadata: description: "UDS Core (Istio, UDS Operator and Keycloak)" authors: "Defense Unicorns - Product" # x-release-please-start-version - version: "0.22.2" + version: "0.23.0" # x-release-please-end components: diff --git a/packages/standard/zarf.yaml b/packages/standard/zarf.yaml index 2723d7698..60e4d3ae7 100644 --- a/packages/standard/zarf.yaml +++ b/packages/standard/zarf.yaml @@ -4,7 +4,7 @@ metadata: description: "UDS Core" authors: "Defense Unicorns - Product" # x-release-please-start-version - version: "0.22.2" + version: "0.23.0" # x-release-please-end components: diff --git a/tasks/deploy.yaml b/tasks/deploy.yaml index 5d6219b7e..a53b0e527 100644 --- a/tasks/deploy.yaml +++ b/tasks/deploy.yaml @@ -2,7 +2,7 @@ variables: - name: VERSION description: "The version of the packages to deploy" # x-release-please-start-version - default: "0.22.2" + default: "0.23.0" # x-release-please-end - name: FLAVOR default: upstream 
diff --git a/tasks/publish.yaml b/tasks/publish.yaml index 76d62027e..26798fc14 100644 --- a/tasks/publish.yaml +++ b/tasks/publish.yaml @@ -8,7 +8,7 @@ variables: - name: VERSION description: "The version of the packages to build" # x-release-please-start-version - default: "0.22.2" + default: "0.23.0" # x-release-please-end tasks: From f8ac93c27a2a917192ca7508c26e8e429c76b192 Mon Sep 17 00:00:00 2001 From: Micah Nagel Date: Fri, 14 Jun 2024 16:06:49 -0600 Subject: [PATCH 33/61] remove pr number --- .github/workflows/pr-trigger.yaml | 8 ++------ .github/workflows/pull-request-conditionals.yaml | 5 +---- 2 files changed, 3 insertions(+), 10 deletions(-) diff --git a/.github/workflows/pr-trigger.yaml b/.github/workflows/pr-trigger.yaml index 9a01d91da..d29bb9b02 100644 --- a/.github/workflows/pr-trigger.yaml +++ b/.github/workflows/pr-trigger.yaml @@ -9,14 +9,10 @@ jobs: pr-info: runs-on: ubuntu-latest steps: - - run: | - echo ${{ github.event.number }} > pr_number.txt - echo "${{ github.event.pull_request.head.sha }}" >> pr_sha.txt + - run: echo "${{ github.event.pull_request.head.sha }}" >> pr_sha.txt - name: Upload PR number artifact uses: actions/upload-artifact@v4 with: name: pr_info - path: | - pr_number.txt - pr_sha.txt + path: pr_sha.txt diff --git a/.github/workflows/pull-request-conditionals.yaml b/.github/workflows/pull-request-conditionals.yaml index 3f38e5036..dcac349b7 100644 --- a/.github/workflows/pull-request-conditionals.yaml +++ b/.github/workflows/pull-request-conditionals.yaml @@ -37,11 +37,8 @@ jobs: github-token: ${{ github.token }} - name: Read PR info id: read-info - run: | - echo "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_OUTPUT - echo "PR_SHA=$(cat pr_sha.txt)" >> $GITHUB_OUTPUT + run: echo "PR_SHA=$(cat pr_sha.txt)" >> $GITHUB_OUTPUT outputs: - prNumber: ${{ steps.read-info.outputs.PR_NUMBER }} prSHA: ${{ steps.read-info.outputs.PR_SHA }} lint-check: From 2cefa2938d60cfa40bd5c0f7ff44c2448c4f48a8 Mon Sep 17 00:00:00 2001 
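Review bot: `pr_sha.txt` is an artifact produced by the untrusted `pull_request` run of PR Trigger, and its content flows unvalidated through `PR_SHA` into the `prSHA` output that later jobs use to check out and run code, so the read step should reject anything that is not a commit SHA before exporting it, e.g. `sha=$(cat pr_sha.txt); [[ "$sha" =~ ^[0-9a-f]{40}$ ]] || exit 1; echo "PR_SHA=$sha" >> "$GITHUB_OUTPUT"`. Even with that check, a `workflow_run` job that checks out a fork's commit and then runs with `secrets: inherit` executes contributor-controlled code in a privileged context; that is a property of the artifact hand-off design rather than something this hunk introduces, but it is worth stating in a comment on the `pr-info` job. The `lint-check` job that consumes `prSHA` begins after the hunk ends.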
From: Micah Nagel Date: Wed, 10 Jul 2024 09:32:07 -0600 Subject: [PATCH 34/61] chore: test publish --- .github/actions/save-logs/action.yaml | 2 +- .github/actions/setup/action.yaml | 11 +- .github/actions/status-checks/action.yaml | 47 -- .github/pull_request_template.md | 2 +- .github/workflows/pr-trigger.yaml | 18 - .github/workflows/publish.yaml | 78 ++- .../workflows/pull-request-conditionals.yaml | 75 +- .github/workflows/tag-and-release.yaml | 1 + .github/workflows/test.yaml | 38 +- .vscode/settings.json | 6 +- CHANGELOG.md | 315 +-------- README.md | 2 + bundles/k3d-slim-dev/README.md | 17 +- docs/application-baseline.md | 14 +- docs/configuration/uds-operator.md | 11 +- docs/deployment/uds-deploy.md | 2 +- external-contrib.md | 56 -- package-lock.json | 662 ++++++++---------- package.json | 9 +- renovate.json | 8 + src/authservice/values/unicorn-values.yaml | 3 + src/authservice/zarf.yaml | 13 + src/grafana/common/zarf.yaml | 2 +- src/grafana/values/registry1-values.yaml | 8 +- src/grafana/values/unicorn-values.yaml | 21 + src/grafana/values/upstream-values.yaml | 6 +- src/grafana/zarf.yaml | 28 +- .../common/manifests/pepr-istio-config.yaml | 1 + src/istio/common/zarf.yaml | 4 +- src/istio/values/registry1-values.yaml | 8 +- src/istio/values/unicorn-values.yaml | 7 + src/istio/values/upstream-values.yaml | 8 +- src/istio/zarf.yaml | 28 +- src/keycloak/chart/values.yaml | 2 +- src/keycloak/values/unicorn-values.yaml | 3 + src/keycloak/zarf.yaml | 18 +- src/loki/chart/templates/service-dns.yaml | 19 + src/loki/tasks.yaml | 6 + src/loki/values/unicorn-values.yaml | 10 + src/loki/values/values.yaml | 4 + src/loki/zarf.yaml | 15 + src/metrics-server/values/unicorn-values.yaml | 3 + src/metrics-server/zarf.yaml | 13 + .../values/unicorn-monitor-values.yaml | 5 + src/neuvector/values/unicorn-values.yaml | 26 + src/neuvector/zarf.yaml | 38 + src/pepr/config.ts | 8 +- src/pepr/istio/index.ts | 21 +- src/pepr/logger.ts | 31 + 
.../controllers/exemptions/exemption-store.ts | 15 +- .../operator/controllers/istio/injection.ts | 8 +- .../controllers/istio/istio-resources.ts | 18 +- .../controllers/keycloak/client-sync.spec.ts | 96 ++- .../controllers/keycloak/client-sync.ts | 155 ++-- .../controllers/monitoring/service-monitor.ts | 14 +- .../controllers/network/generators/kubeAPI.ts | 18 +- .../operator/controllers/network/policies.ts | 10 +- .../crd/generated/package-v1alpha1.ts | 15 + src/pepr/operator/crd/register.ts | 14 +- .../operator/crd/sources/package/v1alpha1.ts | 15 +- .../crd/validators/package-validator.ts | 6 + src/pepr/operator/reconcilers/index.spec.ts | 4 + src/pepr/operator/reconcilers/index.ts | 43 +- .../reconcilers/package-reconciler.spec.ts | 22 +- .../reconcilers/package-reconciler.ts | 21 +- src/pepr/policies/exemptions/index.ts | 10 +- src/pepr/policies/index.ts | 10 +- src/pepr/policies/storage.ts | 2 +- src/pepr/prometheus/index.ts | 10 +- src/pepr/tasks.yaml | 4 +- .../values/unicorn-values.yaml | 56 ++ src/prometheus-stack/zarf.yaml | 20 + src/promtail/common/zarf.yaml | 2 +- src/promtail/values/registry1-values.yaml | 4 +- src/promtail/values/unicorn-values.yaml | 10 + src/promtail/values/upstream-values.yaml | 4 +- src/promtail/zarf.yaml | 23 +- src/velero/values/unicorn-values.yaml | 22 + src/velero/zarf.yaml | 16 + tasks/create.yaml | 4 +- 80 files changed, 1287 insertions(+), 1117 deletions(-) delete mode 100644 .github/actions/status-checks/action.yaml delete mode 100644 .github/workflows/pr-trigger.yaml delete mode 100644 external-contrib.md create mode 100644 src/authservice/values/unicorn-values.yaml create mode 100644 src/grafana/values/unicorn-values.yaml create mode 100644 src/istio/values/unicorn-values.yaml create mode 100644 src/keycloak/values/unicorn-values.yaml create mode 100644 src/loki/chart/templates/service-dns.yaml create mode 100644 src/loki/values/unicorn-values.yaml create mode 100644 src/metrics-server/values/unicorn-values.yaml create 
mode 100644 src/neuvector/values/unicorn-monitor-values.yaml create mode 100644 src/neuvector/values/unicorn-values.yaml create mode 100644 src/pepr/logger.ts create mode 100644 src/prometheus-stack/values/unicorn-values.yaml create mode 100644 src/promtail/values/unicorn-values.yaml create mode 100644 src/velero/values/unicorn-values.yaml diff --git a/.github/actions/save-logs/action.yaml b/.github/actions/save-logs/action.yaml index 58e9bda84..21887dbb3 100644 --- a/.github/actions/save-logs/action.yaml +++ b/.github/actions/save-logs/action.yaml @@ -34,7 +34,7 @@ runs: sudo chown $USER /tmp/uds-*.log || echo "" shell: bash - - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 + - uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4 with: name: debug-log${{ inputs.suffix }} path: | diff --git a/.github/actions/setup/action.yaml b/.github/actions/setup/action.yaml index f859e4e52..b7ba25e55 100644 --- a/.github/actions/setup/action.yaml +++ b/.github/actions/setup/action.yaml @@ -11,6 +11,9 @@ inputs: registry1Password: description: 'IRON_BANK_ROBOT_PASSWORD' required: true + chainguardIdentity: + description: "ID for Chainguard Identity" + required: true runs: using: "composite" @@ -30,7 +33,7 @@ runs: - name: Install UDS CLI shell: bash # renovate: datasource=github-tags depName=defenseunicorns/uds-cli versioning=semver - run: brew install defenseunicorns/tap/uds@0.11.2 + run: brew install defenseunicorns/tap/uds@0.12.0 - name: Iron Bank Login if: ${{ inputs.registry1Username != '' }} 
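Review bot: `chainguardIdentity` is declared `required: true`, but the Chainguard Login step added further down this file only runs `if: ${{ inputs.chainguardIdentity != '' }}`, so the declaration says "always needed" while the behaviour is "optional"; PR runs from forks, which receive empty secrets, would be passing an empty value to a required input. Mark it to match the behaviour: `required: false` and `default: ""`. The existing `registry1Username`/`registry1Password` inputs follow the same required-but-conditional pattern, so this is a file-wide consistency point rather than one this hunk alone introduces; GitHub does not appear to fail a run over a missing composite-action input, which is worth confirming before relying on either reading.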
@@ -40,6 +43,12 @@ runs: run: echo "${{ env.REGISTRY_PASSWORD }}" | uds zarf tools registry login -u "${{ env.REGISTRY_USERNAME }}" --password-stdin registry1.dso.mil shell: bash + - name: Chainguard Login + if: ${{ inputs.chainguardIdentity != '' }} + uses: chainguard-dev/setup-chainctl@fc62b08dfd3179dd694b50f672bc371f878fbd1e # v0.2.1 + with: + identity: ${{ inputs.chainguardIdentity }} + - name: GHCR Login if: ${{ inputs.ghToken != '' }} env: diff --git a/.github/actions/status-checks/action.yaml b/.github/actions/status-checks/action.yaml deleted file mode 100644 index f68e1533f..000000000 --- a/.github/actions/status-checks/action.yaml +++ /dev/null 
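Review bot: The Chainguard Login step depends on the calling job granting `id-token: write` (a composite action cannot request permissions itself), and nothing here says so, so a job that passes `chainguardIdentity` without that permission will fail inside `setup-chainctl` with an error pointing at the wrong place. Add above the step: `# Presumably exchanges the job's GitHub OIDC token for the Chainguard identity; the calling job must grant id-token: write.` The action is SHA-pinned with a `# v0.2.1` version comment, which keeps Renovate able to bump it, and the `identity` value is passed through as an input rather than echoed, both of which are fine.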
@@ -1,47 +0,0 @@ -name: status-checks -description: "Update Status Checks" - -inputs: - status: - description: "Status to set on the check, ex: pending, success, failure, error" - required: true - sha: - description: "The SHA for the status check" - required: true - name: - description: "The name of the status check" - required: true - -runs: - using: composite - steps: - - name: Set description based on status - run: | - if [[ "${{ inputs.status }}" == "success" ]]; then - echo "DESCRIPTION=Successful" >> $GITHUB_ENV - elif [[ "${{ inputs.status }}" == "failure" ]]; then - echo "DESCRIPTION=Failed" >> $GITHUB_ENV - elif [[ "${{ inputs.status }}" == "error" ]]; then - echo "DESCRIPTION=Cancelled" >> $GITHUB_ENV - elif [[ "${{ inputs.status }}" == "pending" ]]; then - echo "DESCRIPTION=Running..." >> $GITHUB_ENV - else - echo "DESCRIPTION=Unknown status" >> $GITHUB_ENV - fi - shell: bash - - name: Post Status Check - env: - GH_TOKEN: ${{ github.token }} - run: | - jobs=$(gh api repos/${{ github.repository }}/actions/runs/${{ github.run_id }}/attempts/${{ github.run_attempt }}/jobs) - job_id=$(echo $jobs | jq -r '.jobs[] | select(.name=="${{ inputs.name }}") | .id') - gh api \ - --method POST \ - -H "Accept: application/vnd.github+json" \ - -H "X-GitHub-Api-Version: 2022-11-28" \ - /repos/${{ github.repository }}/statuses/${{ inputs.sha }} \ - -f "state=${{ inputs.status }}" \ - -f "target_url=${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}/job/$job_id" \ - -f "context=${{ inputs.name }}" \ - -f "description=$DESCRIPTION" - shell: bash diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md index a8ef71246..b6cce5a14 100644 --- a/.github/pull_request_template.md +++ b/.github/pull_request_template.md 
@@ -17,4 +17,4 @@ Relates to # ## Checklist before merging - [ ] Test, docs, adr added or updated as needed -- [ ] [Contributor Guide Steps](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md)(https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md#submitting-a-pull-request) followed \ No newline at end of file +- [ ] [Contributor Guide](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md) followed \ No newline at end of file diff --git a/.github/workflows/pr-trigger.yaml b/.github/workflows/pr-trigger.yaml deleted file mode 100644 index d29bb9b02..000000000 --- a/.github/workflows/pr-trigger.yaml +++ /dev/null @@ -1,18 +0,0 @@ -name: PR Trigger - -on: - pull_request: - # milestoned is added here as a workaround for release-please not triggering PR workflows (PRs should be added to a milestone to trigger the workflow). - types: [milestoned, opened, reopened, synchronize] - -jobs: - pr-info: - runs-on: ubuntu-latest - steps: - - run: echo "${{ github.event.pull_request.head.sha }}" >> pr_sha.txt - - - name: Upload PR number artifact - uses: actions/upload-artifact@v4 - with: - name: pr_info - path: pr_sha.txt diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml index 664b331cc..7559ad952 100644 --- a/.github/workflows/publish.yaml +++ b/.github/workflows/publish.yaml @@ -12,13 +12,14 @@ jobs: publish-uds-core: strategy: matrix: - flavor: [upstream, registry1] + flavor: [upstream, registry1, unicorn] runs-on: "uds-ubuntu-big-boy-8-core" name: Publish packages permissions: contents: read packages: write + id-token: write # This is needed for OIDC federation. steps: - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 
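Review bot: `id-token: write` is granted to every step of the publish job, but the comment `# This is needed for OIDC federation.` does not say which step consumes it, so the permission will survive if that consumer is ever removed. From the companion setup-action change it appears to serve the Chainguard login, so name it: `id-token: write # Lets the setup action's Chainguard login exchange the job OIDC token for CHAINGUARD_IDENTITY.` The rest of the permissions block stays at `contents: read` / `packages: write`, which is the minimum the publish steps need.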
@@ -29,6 +30,7 @@ jobs: registry1Username: ${{ secrets.IRON_BANK_ROBOT_USERNAME }} registry1Password: ${{ secrets.IRON_BANK_ROBOT_PASSWORD }} ghToken: ${{ secrets.GITHUB_TOKEN }} + chainguardIdentity: ${{ secrets.CHAINGUARD_IDENTITY }} - name: (Snapshot) Get snapshot version using git commit short sha and date if: ${{ inputs.snapshot }} 
@@ -45,46 +47,56 @@ jobs: yq -ei '.metadata.version=env(SNAPSHOT_VERSION)' packages/standard/zarf.yaml yq -ei '.metadata.version=env(SNAPSHOT_VERSION)' packages/slim-dev/zarf.yaml - - name: Create Packages and Bundles - run: | - ZARF_ARCHITECTURE=amd64 uds run -f tasks/create.yaml standard-package --no-progress --set FLAVOR=${{ matrix.flavor }} - ZARF_ARCHITECTURE=amd64 uds run -f tasks/create.yaml k3d-standard-bundle --no-progress - ZARF_ARCHITECTURE=amd64 uds run -f tasks/create.yaml slim-dev-package --no-progress --set FLAVOR=${{ matrix.flavor }} - ZARF_ARCHITECTURE=amd64 uds run -f tasks/create.yaml k3d-slim-dev-bundle --no-progress - - if [ "${{ matrix.flavor }}" != "registry1" ]; then - ZARF_ARCHITECTURE=arm64 uds run -f tasks/create.yaml standard-package --no-progress --set FLAVOR=${{ matrix.flavor }} - ZARF_ARCHITECTURE=arm64 uds run -f tasks/create.yaml k3d-standard-bundle --no-progress - ZARF_ARCHITECTURE=arm64 uds run -f tasks/create.yaml slim-dev-package --no-progress --set FLAVOR=${{ matrix.flavor }} - ZARF_ARCHITECTURE=arm64 uds run -f tasks/create.yaml k3d-slim-dev-bundle --no-progress - fi - - # Standard Package by default tests what's in the Istio Package - - name: Test amd64 Bundle - if: ${{ !inputs.snapshot }} - run: | - uds run deploy-standard-bundle --no-progress - uds run -f tasks/test.yaml validate-packages --no-progress + # - name: Create Packages and Bundles + # run: | + # ZARF_ARCHITECTURE=amd64 uds run -f tasks/create.yaml standard-package --no-progress --set FLAVOR=${{ matrix.flavor }} + # ZARF_ARCHITECTURE=amd64 uds run -f tasks/create.yaml k3d-standard-bundle --no-progress + # ZARF_ARCHITECTURE=amd64 uds run -f tasks/create.yaml slim-dev-package --no-progress --set FLAVOR=${{ matrix.flavor }} + # ZARF_ARCHITECTURE=amd64 uds run -f tasks/create.yaml k3d-slim-dev-bundle --no-progress + + # if [ "${{ matrix.flavor }}" != "registry1" ]; then + # ZARF_ARCHITECTURE=arm64 uds run -f tasks/create.yaml standard-package --no-progress --set 
FLAVOR=${{ matrix.flavor }} + # ZARF_ARCHITECTURE=arm64 uds run -f tasks/create.yaml k3d-standard-bundle --no-progress + # ZARF_ARCHITECTURE=arm64 uds run -f tasks/create.yaml slim-dev-package --no-progress --set FLAVOR=${{ matrix.flavor }} + # ZARF_ARCHITECTURE=arm64 uds run -f tasks/create.yaml k3d-slim-dev-bundle --no-progress + # fi + + # # Standard Package by default tests full core + # - name: Test amd64 Bundle + # if: ${{ !inputs.snapshot }} + # run: | + # uds run deploy-standard-bundle --no-progress + # uds run -f tasks/test.yaml validate-packages --no-progress - name: Debug Output if: ${{ always() && !inputs.snapshot }} uses: ./.github/actions/debug-output + # Determine repository to publish to + - name: Determine destination repository + id: repo + run: | + # Publish snapshots to snapshot repository + if [ "${{ inputs.snapshot }}" = "true" ]; then + echo "Publishing snapshot to ghcr.io/defenseunicorns/packages/uds/snapshots" + echo "repo=ghcr.io/defenseunicorns/packages/uds/snapshots" >> "$GITHUB_OUTPUT" + # Publish unicorn flavor to private repository + elif [ "${{ matrix.flavor }}" = "unicorn" ]; then + echo "Publishing unicorn flavor to ghcr.io/defenseunicorns/packages/private/uds" + echo "repo=ghcr.io/defenseunicorns/packages/private/uds" >> "$GITHUB_OUTPUT" + # Publish all other packages/bundles to uds package repository + else + echo "Publishing packages and bundles to ghcr.io/defenseunicorns/packages/uds" + echo "repo=ghcr.io/defenseunicorns/packages/uds" >> "$GITHUB_OUTPUT" + fi + + # Publish package and bundle to destination repository - name: Publish Standard Package - if: ${{ !inputs.snapshot }} - run: uds run -f tasks/publish.yaml standard-package --set FLAVOR=${{ matrix.flavor }} --no-progress + run: uds run -f tasks/publish.yaml standard-package --set FLAVOR=${{ matrix.flavor }} --set TARGET_REPO=${{ steps.repo.outputs.repo }} --no-progress - name: Publish Upstream Flavored Bundles - if: ${{ !inputs.snapshot && matrix.flavor != 'registry1' 
}} - run: uds run -f tasks/publish.yaml bundles --no-progress - - - name: (Snapshot) Publish Standard Package - if: ${{ inputs.snapshot }} - run: uds run -f tasks/publish.yaml standard-package --set FLAVOR=${{ matrix.flavor }} --set TARGET_REPO="ghcr.io/defenseunicorns/packages/uds/snapshots" --set VERSION="${SNAPSHOT_VERSION}" --no-progress - - - name: (Snapshot) Publish Upstream Flavored Bundles - if: ${{ inputs.snapshot && matrix.flavor != 'registry1' }} - run: uds run -f tasks/publish.yaml bundles --set TARGET_REPO="ghcr.io/defenseunicorns/packages/uds/snapshots" --set VERSION="${SNAPSHOT_VERSION}" --no-progress + if: ${{ matrix.flavor = 'upstream' }} + run: uds run -f tasks/publish.yaml bundles --set TARGET_REPO=${{ steps.repo.outputs.repo }} --no-progress - name: Save logs if: always() diff --git a/.github/workflows/pull-request-conditionals.yaml b/.github/workflows/pull-request-conditionals.yaml index dcac349b7..7d942961a 100644 --- a/.github/workflows/pull-request-conditionals.yaml +++ b/.github/workflows/pull-request-conditionals.yaml @@ -2,18 +2,15 @@ name: Filter # This workflow is triggered on pull requests on: - workflow_run: - workflows: ["PR Trigger"] - types: - - completed + pull_request: + # milestoned is added here as a workaround for release-please not triggering PR workflows (PRs should be added to a milestone to trigger the workflow). + types: [milestoned, opened, reopened, synchronize] # Permissions for the GITHUB_TOKEN used by the workflow. permissions: id-token: write # Needed for OIDC-related operations. contents: read # Allows reading the content of the repository. pull-requests: read # Allows reading pull request metadata. - actions: read # Allows reading artifacts from other workflow runs - statuses: write # Allows writing action statuses # Default settings for all run commands in the workflow jobs. defaults: 
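Review bot: `if: ${{ matrix.flavor = 'upstream' }}` on the Publish Upstream Flavored Bundles step uses a single `=`, which is not a comparison operator in GitHub Actions expressions, so the workflow will be rejected at parse time; it should read `if: ${{ matrix.flavor == 'upstream' }}`. The consolidated Publish Standard Package step also drops the `--set VERSION="${SNAPSHOT_VERSION}"` that the removed snapshot step passed; the earlier `yq` edit rewrites `.metadata.version` in the zarf.yaml files but not the `VERSION` default in tasks/publish.yaml, so if the publish task resolves the package path from `VERSION`, a snapshot run will look for the release-versioned artifact. With the Create Packages and Test amd64 Bundle steps commented out, publication is no longer gated on `validate-packages` and runs against whatever build output already exists on the runner; the commit title says this is a test, so both should be restored before merge. The Save logs step and the remainder of the job continue past the hunk.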
@@ -22,38 +19,14 @@ defaults: # Abort prior jobs in the same workflow / PR concurrency: - group: test-${{ github.event.workflow_run.head_branch }} + group: test-${{ github.ref }} cancel-in-progress: true jobs: - pr-info: - runs-on: ubuntu-latest - steps: - - name: Download PR info artifact - uses: actions/download-artifact@v4 - with: - name: pr_info - run-id: ${{ github.event.workflow_run.id }} # Pulls artifact from the PR workflow run - github-token: ${{ github.token }} - - name: Read PR info - id: read-info - run: echo "PR_SHA=$(cat pr_sha.txt)" >> $GITHUB_OUTPUT - outputs: - prSHA: ${{ steps.read-info.outputs.PR_SHA }} - lint-check: - needs: pr-info runs-on: ubuntu-latest steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ needs.pr-info.outputs.prSHA }} - - name: Mark Check as Started - uses: ./.github/actions/status-checks - with: - status: "pending" - sha: "${{ needs.pr-info.outputs.prSHA }}" - name: ${{ github.job }} + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 - name: Use Node.js latest uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2 with: @@ -63,22 +36,13 @@ jobs: - name: Install UDS CLI shell: bash # renovate: datasource=github-tags depName=defenseunicorns/uds-cli versioning=semver - run: brew install defenseunicorns/tap/uds@0.11.2 + run: brew install defenseunicorns/tap/uds@0.12.0 - name: Run Formatting Checks run: uds run lint-check --no-progress - - name: Mark Check Result - if: always() - uses: ./.github/actions/status-checks - with: - status: ${{ job.status == 'success' && 'success' || job.status == 'failure' && 'failure' || 'error' }} - sha: ${{ needs.pr-info.outputs.prSHA }} - name: ${{ github.job }} # This job checks if there are changes in specific paths source packages. check-paths: - needs: - - lint-check - - pr-info + needs: lint-check runs-on: ubuntu-latest name: Select Jobs outputs: 
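Review bot: The new checkout line pins the same SHA `692973e3d937129bcbf40652eb9f2f61becf3332` that the other copies in this patch annotate as `# v4.1.7` (check-paths below, and test.yaml), but here the trailing comment is `# v4`. If Renovate derives the tracked version from that comment, this copy will presumably be treated as a major-only pin and drift from the others on the next digest bump; use `- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7` so all four references stay in step. The lint-check job continues past the end of this hunk.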
@@ -87,12 +51,6 @@ jobs: steps: - name: Checkout the code uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - name: Mark Check as Started - uses: ./.github/actions/status-checks - with: - status: "pending" - sha: "${{ needs.pr-info.outputs.prSHA }}" - name: ${{ github.job }} # Uses a custom action to filter paths for source packages. - name: Check src paths @@ -100,25 +58,15 @@ jobs: uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3 with: filters: .github/filters.yaml - ref: ${{ needs.pr-info.outputs.prSHA }} - - name: Mark Check Result - if: always() - uses: ./.github/actions/status-checks - with: - status: ${{ job.status == 'success' && 'success' || job.status == 'failure' && 'failure' || 'error' }} - sha: ${{ needs.pr-info.outputs.prSHA }} - name: ${{ github.job }} # This job triggers a separate workflow for each changed source package, if any. run-package-test: - needs: - - check-paths - - pr-info + needs: check-paths name: Schedule strategy: matrix: package: ${{ fromJSON(needs.check-paths.outputs.packages) }} - flavor: [upstream, registry1] + flavor: [upstream, registry1, unicorn] test_type: [install] include: - package: all @@ -127,10 +75,13 @@ jobs: - package: all flavor: upstream test_type: upgrade + # Commented out until unicorn flavor has a published release + # - package: all + # flavor: unicorn + # test_type: upgrade uses: ./.github/workflows/test.yaml with: package: ${{ matrix.package }} flavor: ${{ matrix.flavor }} test_type: ${{ matrix.test_type }} - sha: ${{ needs.pr-info.outputs.prSHA }} secrets: inherit # Inherits all secrets from the parent workflow. diff --git a/.github/workflows/tag-and-release.yaml b/.github/workflows/tag-and-release.yaml index b2e99c970..b601a46d9 100644 --- a/.github/workflows/tag-and-release.yaml +++ b/.github/workflows/tag-and-release.yaml 
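Review bot: The `unicorn` flavor added to the matrix has no condition that skips it when the credentials it relies on are absent, so on pull requests from forks — where `secrets: inherit` passes nothing and no OIDC token is issued — that leg will presumably fail rather than be skipped; the same applies to the `chainguardIdentity: ${{ secrets.CHAINGUARD_IDENTITY }}` line added in test.yaml at `@@ -51,6 +54,7 @@`, where how the setup action reacts to an empty identity is not visible here. The existing `registry1` leg has the same exposure, so this is not new, but the change widens it. One approach that needs no `secrets` context in an `if` (which GitHub does not permit at job level) is to pass `github.event.pull_request.head.repo.fork` into test.yaml as a boolean input and skip the registry/federation setup and the non-upstream test steps when it is true, which matches the "skip jobs requiring secrets" option described in external-contrib.md.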
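Review bot: The commented-out `unicorn`/`upgrade` include entry records the reason it is disabled but not what will trigger re-enabling it, so it is likely to linger; either reference a tracking item in the comment, e.g. `# TODO(<issue-id-placeholder>): enable once a unicorn release is published`, or drop the block and rely on history. Commented-out matrix entries are also the kind of thing yamllint's comment rules do not check, so nothing will flag it later.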
@@ -24,6 +24,7 @@ jobs: permissions: contents: write packages: write + id-token: write uses: ./.github/workflows/publish.yaml with: snapshot: false diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index db7ca4870..5cf31d631 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml @@ -1,8 +1,8 @@ name: Test packages on: - # Triggered by pull-request-conditionals.yaml - workflow_call: + # Manual trigger + workflow_dispatch: inputs: package: type: string @@ -16,14 +16,25 @@ on: type: string description: "The type of test to perform" required: true - sha: + # Triggered by pull-request-conditionals.yaml + workflow_call: + inputs: + package: + type: string + description: "The name of the source package to test" + required: true + flavor: + type: string + description: "Flavor of the source package to test" + required: true + test_type: type: string - description: "The SHA to checkout and test with" + description: "The type of test to perform" required: true permissions: contents: read - statuses: write # Allows writing action statuses + id-token: write # This is needed for OIDC federation. jobs: test: @@ -36,14 +47,6 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ inputs.sha }} - - name: Mark Check as Started - uses: ./.github/actions/status-checks - with: - status: "pending" - sha: ${{ inputs.sha }} - name: "Schedule (${{inputs.package}}, ${{inputs.flavor}}, ${{inputs.test_type}}) / Test" - name: Environment setup uses: ./.github/actions/setup @@ -51,6 +54,7 @@ jobs: registry1Username: ${{ secrets.IRON_BANK_ROBOT_USERNAME }} registry1Password: ${{ secrets.IRON_BANK_ROBOT_PASSWORD }} ghToken: ${{ secrets.GITHUB_TOKEN }} + chainguardIdentity: ${{ secrets.CHAINGUARD_IDENTITY }} - name: Test a single source package if: ${{ inputs.package != 'all' && inputs.test_type == 'install' }} 
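Review bot: The added `id-token: write` carries no explanation, while the equivalent grant added to test.yaml in this same patch is annotated `# This is needed for OIDC federation.`; presumably the release job needs it for the same reason via publish.yaml. Add the matching note, `id-token: write # Needed for OIDC federation in publish.yaml`, so the release job's permission set — which already includes `contents: write` and `packages: write` — stays auditable. The job definition continues outside this hunk.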
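Review bot: The `workflow_dispatch` inputs are declared as free-form `type: string` (the `test_type` input is at the top of this hunk; the `flavor` input sits between hunks), although the values the workflow understands are closed sets — `install`/`upgrade` per the `inputs.test_type == 'install'` check below and the flavors listed in the run-package-test matrix. For the manual trigger GitHub supports `type: choice` with an `options:` list, which stops a misspelled value from silently selecting the wrong branch of the job; e.g. for test_type: `type: choice` / `options: [install, upgrade]`. This applies only to `workflow_dispatch`; the duplicated `workflow_call` inputs must remain `string`.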
@@ -73,11 +77,3 @@ jobs: uses: ./.github/actions/save-logs with: suffix: -${{ inputs.test_type }}-${{ inputs.package }}-${{ inputs.flavor }} - - - name: Mark Check Result - if: always() - uses: ./.github/actions/status-checks - with: - status: ${{ job.status == 'success' && 'success' || job.status == 'failure' && 'failure' || 'error' }} - sha: ${{ inputs.sha }} - name: "Schedule (${{inputs.package}}, ${{inputs.flavor}}, ${{inputs.test_type}}) / Test" diff --git a/.vscode/settings.json b/.vscode/settings.json index 0c1b111c4..81f75a82c 100644 --- a/.vscode/settings.json +++ b/.vscode/settings.json @@ -9,18 +9,18 @@ }, "yaml.schemas": { // renovate: datasource=github-tags depName=defenseunicorns/uds-cli versioning=semver - "https://raw.githubusercontent.com/defenseunicorns/uds-cli/v0.11.2/uds.schema.json": [ + "https://raw.githubusercontent.com/defenseunicorns/uds-cli/v0.12.0/uds.schema.json": [ "uds-bundle.yaml" ], // renovate: datasource=github-tags depName=defenseunicorns/uds-cli versioning=semver - "https://raw.githubusercontent.com/defenseunicorns/uds-cli/v0.11.2/tasks.schema.json": [ + "https://raw.githubusercontent.com/defenseunicorns/uds-cli/v0.12.0/tasks.schema.json": [ "tasks.yaml", "tasks/**/*.yaml", "src/**/validate.yaml" ], // renovate: datasource=github-tags depName=defenseunicorns/uds-cli versioning=semver - "https://raw.githubusercontent.com/defenseunicorns/uds-cli/v0.11.2/zarf.schema.json": [ + "https://raw.githubusercontent.com/defenseunicorns/uds-cli/v0.12.0/zarf.schema.json": [ "zarf.yaml" ] }, diff --git a/CHANGELOG.md b/CHANGELOG.md index bb09620eb..a5206d7fe 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -2,305 +2,44 @@ All notable changes to this project will be documented in this file. -## [0.23.0](https://github.com/BagelLab/uds-core/compare/v0.22.2...v0.23.0) (2024-06-14) +## [0.23.0](https://github.com/defenseunicorns/uds-core/compare/v0.22.2...v0.23.0) (2024-07-04) ### ⚠ BREAKING CHANGES -* remove emulated gitlab endpoints from keycloak +* remove emulated gitlab endpoints from keycloak ([#483](https://github.com/defenseunicorns/uds-core/issues/483)) ### Features -* add `expose` service entry for internal cluster traffic ([#356](https://github.com/BagelLab/uds-core/issues/356)) ([1bde4cc](https://github.com/BagelLab/uds-core/commit/1bde4ccf302864b0c38d093742ca683b96cebe89)) -* add `monitor` to operator, fix monitoring setup ([#256](https://github.com/BagelLab/uds-core/issues/256)) ([bf67722](https://github.com/BagelLab/uds-core/commit/bf67722d4e7e02d44dd29c4436e9a8d2ef960fa5)) -* add authservice to uds-core ([#153](https://github.com/BagelLab/uds-core/issues/153)) ([b0b33b9](https://github.com/BagelLab/uds-core/commit/b0b33b98ae12fe233c922bba55c9328212c2e578)) -* Add istio and preliminary ci ([#3](https://github.com/BagelLab/uds-core/issues/3)) ([fbd7453](https://github.com/BagelLab/uds-core/commit/fbd745392340dbc978b27f0d321f3375882c1c40)) -* add Istio VirtualService Requestmatch to UDS Operator ([#129](https://github.com/BagelLab/uds-core/issues/129)) ([a207197](https://github.com/BagelLab/uds-core/commit/a20719726991d3b981a372b705b776948f6fbc30)) -* add keycloak ([#147](https://github.com/BagelLab/uds-core/issues/147)) ([f99d3d5](https://github.com/BagelLab/uds-core/commit/f99d3d5d4f89264a21dd76d8847e1cef0325d127)) -* add keycloak sso realm values ([#352](https://github.com/BagelLab/uds-core/issues/352)) ([74436ea](https://github.com/BagelLab/uds-core/commit/74436ea78684a74044efdee14564a6582e659998)) -* add metrics-server ([#35](https://github.com/BagelLab/uds-core/issues/35)) 
([8216ab9](https://github.com/BagelLab/uds-core/commit/8216ab982be79dc393a2e0db359370b32e660150)) -* add monitoring and logging ([#33](https://github.com/BagelLab/uds-core/issues/33)) ([c6d9aec](https://github.com/BagelLab/uds-core/commit/c6d9aece4984421e1ccbf476cd0d40fb701e4e50)) -* add nightly testing eks ([#250](https://github.com/BagelLab/uds-core/issues/250)) ([543b09d](https://github.com/BagelLab/uds-core/commit/543b09d103a43c474da6a8c950404cc1f373b03f)) -* add pepr capability for istio + jobs ([#12](https://github.com/BagelLab/uds-core/issues/12)) ([c32a703](https://github.com/BagelLab/uds-core/commit/c32a70390f443c90796978ad4c42bbb4b17eb226)) -* add policy exemptions ([#165](https://github.com/BagelLab/uds-core/issues/165)) ([196df88](https://github.com/BagelLab/uds-core/commit/196df88b01347e530eb1cb49df7440d62c986e0e)) -* add prometheus-stack (monitoring) capability ([#2](https://github.com/BagelLab/uds-core/issues/2)) ([e438ab6](https://github.com/BagelLab/uds-core/commit/e438ab6089bc9d8c6640fa002285d38ddc3022df)) -* add reconciliation retries for CRs ([#423](https://github.com/BagelLab/uds-core/issues/423)) ([424b57b](https://github.com/BagelLab/uds-core/commit/424b57ba91906e1c60e6e92927e37b34d657ad01)) -* add saml and attribute/mapper support for keycloak in uds pepr operator ([#328](https://github.com/BagelLab/uds-core/issues/328)) ([c53d4ee](https://github.com/BagelLab/uds-core/commit/c53d4ee1227d71b60a35419f7c8c9396d71b9508)) -* add UDS Operator and consolidate UDS Policies ([#66](https://github.com/BagelLab/uds-core/issues/66)) ([395c1c4](https://github.com/BagelLab/uds-core/commit/395c1c4aec324d0d939cc410a6bb92129b26653b)) -* add velero package ([#210](https://github.com/BagelLab/uds-core/issues/210)) ([a272945](https://github.com/BagelLab/uds-core/commit/a27294585f0d50732b63672d0c2baf14948e29d1)) -* add Zarf Flavors to support Iron Bank & upstream images ([#63](https://github.com/BagelLab/uds-core/issues/63)) 
([232c256](https://github.com/BagelLab/uds-core/commit/232c2566b96be0285c24b8b5787350897e72332f)) -* added initial oscal files ([#145](https://github.com/BagelLab/uds-core/issues/145)) ([9600d5f](https://github.com/BagelLab/uds-core/commit/9600d5f159e4a04e8f71313f8ed118b87efbb9a1)) -* embed tls certs in istio package ([#32](https://github.com/BagelLab/uds-core/issues/32)) ([fb04fee](https://github.com/BagelLab/uds-core/commit/fb04feec9657f449366389a0e0a474a8cdeecb2c)) -* enable sso for neuvector ([#351](https://github.com/BagelLab/uds-core/issues/351)) ([597353e](https://github.com/BagelLab/uds-core/commit/597353e294e3dc5c06a8d572414e188f9845af8e)) -* expose tls certs as UDS bundle variables ([#48](https://github.com/BagelLab/uds-core/issues/48)) ([c1f8286](https://github.com/BagelLab/uds-core/commit/c1f828650ef2c53a3fd9ed477950046020c5d375)) -* introduce advancedHTTP for expose field & change podLabels to selector ([#154](https://github.com/BagelLab/uds-core/issues/154)) ([1079267](https://github.com/BagelLab/uds-core/commit/107926791149989a782254b8798b7c57a35cfcaf)) -* introduce Pepr common policies ([#50](https://github.com/BagelLab/uds-core/issues/50)) ([54182b4](https://github.com/BagelLab/uds-core/commit/54182b4db691d86ce80379be272d924d105b0d07)) -* introduce sso secret templating ([#276](https://github.com/BagelLab/uds-core/issues/276)) ([e0832ec](https://github.com/BagelLab/uds-core/commit/e0832ec2ee825dc1725483350e3b9295937b8feb)) -* keycloak PVC customization ([#341](https://github.com/BagelLab/uds-core/issues/341)) ([f8eae2a](https://github.com/BagelLab/uds-core/commit/f8eae2a20e02faac6e2c441845a82febeaab3b89)) -* **operator:** add events and improve lifecycle ops ([#245](https://github.com/BagelLab/uds-core/issues/245)) ([502c044](https://github.com/BagelLab/uds-core/commit/502c044547048a380b1f73dead0b8ab1b14a4b4f)) -* release-please integration ([#25](https://github.com/BagelLab/uds-core/issues/25)) 
([bf3c53b](https://github.com/BagelLab/uds-core/commit/bf3c53b2ddac4e02e31aa3429029dd9f1c9595e3)) -* switch loki to simple scalable ([#156](https://github.com/BagelLab/uds-core/issues/156)) ([1661b15](https://github.com/BagelLab/uds-core/commit/1661b154657eba1b30fc5bcec64179cbf6037c03)) -* uds common renovate config ([#391](https://github.com/BagelLab/uds-core/issues/391)) ([035786c](https://github.com/BagelLab/uds-core/commit/035786cadcd9c1fbaf7e0a798f9c13104a1a9a14)) -* uds core docs ([#414](https://github.com/BagelLab/uds-core/issues/414)) ([a35ca7b](https://github.com/BagelLab/uds-core/commit/a35ca7b484ab59572d8205a625db5447a8771e44)) -* update security policy to use provided user, group, and fsgroup ([#82](https://github.com/BagelLab/uds-core/issues/82)) ([6d641ce](https://github.com/BagelLab/uds-core/commit/6d641ce67210999bacda0e855269dca61e7c6a7b)) +* identity group auth ([#497](https://github.com/defenseunicorns/uds-core/issues/497)) ([d71d83e](https://github.com/defenseunicorns/uds-core/commit/d71d83ed4d6e6a35724e70fc5a27cb7ff6e1adaa)) ### Bug Fixes -* add keycloak to dev bundle and rename ([#262](https://github.com/BagelLab/uds-core/issues/262)) ([f9b905c](https://github.com/BagelLab/uds-core/commit/f9b905c7c2b7e4a6a43e7c83918e3157008433d3)) -* add kubeapi egress for neuvector enforcer ([#291](https://github.com/BagelLab/uds-core/issues/291)) ([87fc886](https://github.com/BagelLab/uds-core/commit/87fc886bc736104a9a3c3aefc4c7d232ed74a4f2)) -* add nightly uds-bundle.yaml to release-please extras for updates ([#346](https://github.com/BagelLab/uds-core/issues/346)) ([d1b3071](https://github.com/BagelLab/uds-core/commit/d1b3071182b48ef4905bb040d203fa42d7bbf76f)) -* add saml configuration to k3d standard bundle ([#425](https://github.com/BagelLab/uds-core/issues/425)) ([15b41d7](https://github.com/BagelLab/uds-core/commit/15b41d7ca506dd913316c41321aa9a3133755ab4)) -* add test for disallow selinux options and handle checking for us… 
([#96](https://github.com/BagelLab/uds-core/issues/96)) ([88b969e](https://github.com/BagelLab/uds-core/commit/88b969e2aa4dea8b76dbe397d77c53941f7cfbc8)) -* arm64 packages / bundles creation ([#264](https://github.com/BagelLab/uds-core/issues/264)) ([425fa18](https://github.com/BagelLab/uds-core/commit/425fa184fca6bcebd1eea431dce7112cadae2f44)) -* basic validations for packages ([#208](https://github.com/BagelLab/uds-core/issues/208)) ([9eba3af](https://github.com/BagelLab/uds-core/commit/9eba3afb7e288c13f75f93d5712d50a3b9e7b92d)) -* change pepr error policy to reject ([#99](https://github.com/BagelLab/uds-core/issues/99)) ([10772e2](https://github.com/BagelLab/uds-core/commit/10772e2c64f1e4b965b6b644b0008c81025029e9)) -* check if exemption exists before cleanup ([#468](https://github.com/BagelLab/uds-core/issues/468)) ([735288b](https://github.com/BagelLab/uds-core/commit/735288b87f2dff3c1bb28e9e20aac812d644aa4d)) -* ci things ([f2389a3](https://github.com/BagelLab/uds-core/commit/f2389a33d66491dfab62014cc744b25434202fe2)) -* complete incomplete deploy task ([#21](https://github.com/BagelLab/uds-core/issues/21)) ([45ff5e5](https://github.com/BagelLab/uds-core/commit/45ff5e5d7b6a50cdfcfabb174349ab539a8accd9)) -* concurrency group ([60ca1d0](https://github.com/BagelLab/uds-core/commit/60ca1d06208be3c7f5ec825a37d85504116585d1)) -* de-duplicate renovate matches ([#435](https://github.com/BagelLab/uds-core/issues/435)) ([4f9dbbb](https://github.com/BagelLab/uds-core/commit/4f9dbbbff0bbe1fe348ae7e6c55f97a505f730a9)) -* default keycloak realm envs ([#455](https://github.com/BagelLab/uds-core/issues/455)) ([3a2b48f](https://github.com/BagelLab/uds-core/commit/3a2b48fefb11afcf20f6826fbdef8c43daaf4639)) -* drop path normalization to MERGE_SLASHES to allow apps to handle encoded slashes ([#330](https://github.com/BagelLab/uds-core/issues/330)) ([26e965f](https://github.com/BagelLab/uds-core/commit/26e965fd71dd325bd8df451ce317456bf2d15073)) -* exemption race conditions 
([#407](https://github.com/BagelLab/uds-core/issues/407)) ([d1b3b56](https://github.com/BagelLab/uds-core/commit/d1b3b5669976eb23ca8f88cd5b15a12c56102eca)) -* forgot to commit :( ([29545b6](https://github.com/BagelLab/uds-core/commit/29545b6ca6a35c1717b10b23c8bc2ed3a90f1c4d)) -* github token ([75cfbe4](https://github.com/BagelLab/uds-core/commit/75cfbe446f9b6cd74b9858a7ceb6cd231b348509)) -* hotfix for publishing workflows ([#217](https://github.com/BagelLab/uds-core/issues/217)) ([5fefa01](https://github.com/BagelLab/uds-core/commit/5fefa017d382b7c5557e613b81cd84b27bda85f0)) -* inputs silly ([d5c51f3](https://github.com/BagelLab/uds-core/commit/d5c51f35f6817d66bfbf5b2d5f746032893c863a)) -* integrated docs ([#431](https://github.com/BagelLab/uds-core/issues/431)) ([72238fa](https://github.com/BagelLab/uds-core/commit/72238faed167a4e90e4d332e17909510efd98a58)) -* keycloak schema for package cr ([#436](https://github.com/BagelLab/uds-core/issues/436)) ([e32ce9a](https://github.com/BagelLab/uds-core/commit/e32ce9af9176ba8fef702a8c6aac84c15f9ab374)) -* keycloak volume permissions, UI update ([#223](https://github.com/BagelLab/uds-core/issues/223)) ([4454d3e](https://github.com/BagelLab/uds-core/commit/4454d3efcefe6bfa81628d330434afcc246fad65)) -* **keycloak:** add missing postgres host and port secret keys ([#224](https://github.com/BagelLab/uds-core/issues/224)) ([0c4d775](https://github.com/BagelLab/uds-core/commit/0c4d7758cfb077ff592fea907795402485b6c9f5)) -* **keycloak:** only use PVC for devMode ([#241](https://github.com/BagelLab/uds-core/issues/241)) ([a6e6023](https://github.com/BagelLab/uds-core/commit/a6e6023134dc5171441a2043701ed91309e1b32c)) -* kubeapi netpol generation now also includes the ip from the kubernetes service ([#219](https://github.com/BagelLab/uds-core/issues/219)) ([0a83d02](https://github.com/BagelLab/uds-core/commit/0a83d02f5782d911e3bb63935b0cac70030e5c9b)) -* loki bucket configuration service_account and namespace 
([#332](https://github.com/BagelLab/uds-core/issues/332)) ([9518634](https://github.com/BagelLab/uds-core/commit/9518634b24f2d5c285e598f8620849bbc6288ba4)) -* loki local storage ([#84](https://github.com/BagelLab/uds-core/issues/84)) ([b9505bb](https://github.com/BagelLab/uds-core/commit/b9505bbb42b5369c62d7cbfb05e1efb8b8a6200f)) -* loki s3 overrides ([#365](https://github.com/BagelLab/uds-core/issues/365)) ([3545066](https://github.com/BagelLab/uds-core/commit/354506647d65b0484332695abbbd58d91d9e7427)) -* metrics-server mTLS fix ([#44](https://github.com/BagelLab/uds-core/issues/44)) ([4853522](https://github.com/BagelLab/uds-core/commit/4853522c9504c87dcbd8319d689ecb0a1cb42c0b)) -* mismatched exemption/policy for DropAllCapabilities ([#384](https://github.com/BagelLab/uds-core/issues/384)) ([d8ec278](https://github.com/BagelLab/uds-core/commit/d8ec27827e2e2e7d85b4eba6b738f4b126264dd9)) -* named inputs ([c49e6ea](https://github.com/BagelLab/uds-core/commit/c49e6ea2b566198d4702d4c67c659e833a8bad97)) -* network policy to allow metrics-server ingress ([#148](https://github.com/BagelLab/uds-core/issues/148)) ([f1d434a](https://github.com/BagelLab/uds-core/commit/f1d434a68ef1f2a29ab3b13608bc16ce78211ed4)) -* networkpolicy for keycloak smtp egress ([4059954](https://github.com/BagelLab/uds-core/commit/4059954ed92502f10c1b5b769988a363adc06318)) -* nightly testing eks config architecture ([#452](https://github.com/BagelLab/uds-core/issues/452)) ([a0bbd1f](https://github.com/BagelLab/uds-core/commit/a0bbd1f0bf84f03d59866f9797555a08dc8034d6)) -* non-vendored zarf command refs ([#157](https://github.com/BagelLab/uds-core/issues/157)) ([fe183a9](https://github.com/BagelLab/uds-core/commit/fe183a9ae367bc2d7ea7d629e7c15877aabe38cd)) -* ocsp lookup egress policy ([#255](https://github.com/BagelLab/uds-core/issues/255)) ([77c38f2](https://github.com/BagelLab/uds-core/commit/77c38f22e9a77d9db81504f4c172fdc535c0929e)) -* pepr ironbank renovate update 
([#299](https://github.com/BagelLab/uds-core/issues/299)) ([287e40d](https://github.com/BagelLab/uds-core/commit/287e40db5d65f7472a9e9216aae91f3ad92403d9)) -* pepr mutation annotation overwrite ([#385](https://github.com/BagelLab/uds-core/issues/385)) ([6e56b2a](https://github.com/BagelLab/uds-core/commit/6e56b2afec8f54f8c0a4aa4b89fef1d1c754b627)) -* pepr operator derived netpol name collisions ([#480](https://github.com/BagelLab/uds-core/issues/480)) ([de60e25](https://github.com/BagelLab/uds-core/commit/de60e252526d73e439f5665b27f84e8773c24949)) -* registration robot check form id ([#269](https://github.com/BagelLab/uds-core/issues/269)) ([c6419b9](https://github.com/BagelLab/uds-core/commit/c6419b962eb5a02462e9060a66f7765689cfeb8f)) -* release workflow k3d image ([#316](https://github.com/BagelLab/uds-core/issues/316)) ([e7835e0](https://github.com/BagelLab/uds-core/commit/e7835e071f56af148792fbde250100af8e8ca0b8)) -* remove deprecated registry login and add env setup ([#443](https://github.com/BagelLab/uds-core/issues/443)) ([ca6b76f](https://github.com/BagelLab/uds-core/commit/ca6b76f3a66efb6b2e81832aff771ca06bdff68a)) -* remove go mod ([#441](https://github.com/BagelLab/uds-core/issues/441)) ([0de9693](https://github.com/BagelLab/uds-core/commit/0de969333923afb8fd4639547901c7d7f5c6a6f7)) -* remove loki gateway anti-affinity ([#111](https://github.com/BagelLab/uds-core/issues/111)) ([2cba42e](https://github.com/BagelLab/uds-core/commit/2cba42e3a83a25ae7a45f3c3d6a35bdc7bba0b58)) -* remove no-tea and update uds version ([#446](https://github.com/BagelLab/uds-core/issues/446)) ([434844b](https://github.com/BagelLab/uds-core/commit/434844b827e01808b504abf5ee6af83fba813cb6)) -* remove spec from secret yaml ([#226](https://github.com/BagelLab/uds-core/issues/226)) ([e4b5848](https://github.com/BagelLab/uds-core/commit/e4b58487f736f588944f7c039b8654f9006e04f1)) -* renovate config grouping, test-infra ([#411](https://github.com/BagelLab/uds-core/issues/411)) 
([05fd407](https://github.com/BagelLab/uds-core/commit/05fd407e9c3bf6a0bac33de64e892ce2a63275ac)) -* renovate pepr comment ([#410](https://github.com/BagelLab/uds-core/issues/410)) ([a825388](https://github.com/BagelLab/uds-core/commit/a82538817765ad21adb5f6bba283951bf4c23272)) -* resolve istio job termination container status logic issue ([#55](https://github.com/BagelLab/uds-core/issues/55)) ([c0142c2](https://github.com/BagelLab/uds-core/commit/c0142c213446a37185cdf9dec5ae60aaae8ba194)) -* revert "chore: support deselection of metrics-server" ([#196](https://github.com/BagelLab/uds-core/issues/196)) ([25a408d](https://github.com/BagelLab/uds-core/commit/25a408daeb7f6daada11c21e451f973ebe92c07c)) -* slim-dev monitoring handling ([#383](https://github.com/BagelLab/uds-core/issues/383)) ([79927aa](https://github.com/BagelLab/uds-core/commit/79927aa58cbb12c849e52b50c00b74629b100b31)) -* sticky sessions for keycloak in ha ([#281](https://github.com/BagelLab/uds-core/issues/281)) ([5ccd557](https://github.com/BagelLab/uds-core/commit/5ccd5576afc34d8b24061887f91ce284ec5857a1)) -* typo in comment ([#462](https://github.com/BagelLab/uds-core/issues/462)) ([582b1f4](https://github.com/BagelLab/uds-core/commit/582b1f4754ee3282696ea3b018322a1b3497a7d4)) -* unwanted exemption deletions ([#290](https://github.com/BagelLab/uds-core/issues/290)) ([50b0cd4](https://github.com/BagelLab/uds-core/commit/50b0cd4211964a90139347558028d6c461956da9)) -* update missing flavor create inputs in publish step ([#118](https://github.com/BagelLab/uds-core/issues/118)) ([a0233eb](https://github.com/BagelLab/uds-core/commit/a0233eb45e2d39035f483f3ed8fb3f396e5030d8)) -* update neuvector values for least privilege ([#373](https://github.com/BagelLab/uds-core/issues/373)) ([7f4de4f](https://github.com/BagelLab/uds-core/commit/7f4de4f729e60a258abc40ce34f9c397fae99181)) -* update status for test ([20983d7](https://github.com/BagelLab/uds-core/commit/20983d749871ac2b769584d2ea5d37c1b9183b52)) -* use 
updated k3s ([#426](https://github.com/BagelLab/uds-core/issues/426)) ([1da1c49](https://github.com/BagelLab/uds-core/commit/1da1c49e314c73e6fd1f2ef2940aff983262ec6b)) -* validating/mutating webhook networkpolicies and mtls ([#192](https://github.com/BagelLab/uds-core/issues/192)) ([b01e629](https://github.com/BagelLab/uds-core/commit/b01e62960985dd7cb318372abff296fb96f1012b)) -* valueFrom in KeyCloak statefulset.yaml ([#229](https://github.com/BagelLab/uds-core/issues/229)) ([189a5ce](https://github.com/BagelLab/uds-core/commit/189a5ce3a9dd16fe9646a293ca3948db21eb5d78)) -* wait on istio proxies ([#87](https://github.com/BagelLab/uds-core/issues/87)) ([51cd5a0](https://github.com/BagelLab/uds-core/commit/51cd5a012cc1d095a89b30a22910d3d7ad49885d)) -* workflow links ([eba372c](https://github.com/BagelLab/uds-core/commit/eba372c0b0a942f1bcead8efcd420fbb427ed6e1)) -* workflow outputs silly ([c427851](https://github.com/BagelLab/uds-core/commit/c4278510505b38b651d3f1893a098d1b432e5d95)) - - -### Miscellaneous - -* add checks before killing pods when updating istio annotations ([#457](https://github.com/BagelLab/uds-core/issues/457)) ([a62f9a0](https://github.com/BagelLab/uds-core/commit/a62f9a0e04bb538a8018a3f866c88e8b93c59826)) -* add commit lint workflow ([#19](https://github.com/BagelLab/uds-core/issues/19)) ([776a632](https://github.com/BagelLab/uds-core/commit/776a6325821329b2cbd97da2f40a30447cd48efc)) -* add debug logging to endpointslice watch ([#359](https://github.com/BagelLab/uds-core/issues/359)) ([da3eb5a](https://github.com/BagelLab/uds-core/commit/da3eb5ab4f5e6ced50f838456999995d5be601b7)) -* add debug logs to save logs for easier searching ([#430](https://github.com/BagelLab/uds-core/issues/430)) ([319101b](https://github.com/BagelLab/uds-core/commit/319101b61e4793037aab6c96b92c9d834763e9b8)) -* add debug output to release workflow ([#285](https://github.com/BagelLab/uds-core/issues/285)) 
([5f96865](https://github.com/BagelLab/uds-core/commit/5f968651fb4f0da563d9c388efab761863f9ea08)) -* add flavor to pepr build task ([#238](https://github.com/BagelLab/uds-core/issues/238)) ([29bf8a3](https://github.com/BagelLab/uds-core/commit/29bf8a3b83255c7548201f3ea19e22452a1d1d4a)) -* add minio deploy time bundle variable override definitions ([#58](https://github.com/BagelLab/uds-core/issues/58)) ([ca28e7b](https://github.com/BagelLab/uds-core/commit/ca28e7b4c4a42769934cc8ad69361ff29a348cc5)) -* add security.md ([#189](https://github.com/BagelLab/uds-core/issues/189)) ([bf7c1d2](https://github.com/BagelLab/uds-core/commit/bf7c1d28e077cf52d4f765b50d7efb8ce5d60fff)) -* add velero csi plugin ([#424](https://github.com/BagelLab/uds-core/issues/424)) ([c7e49e9](https://github.com/BagelLab/uds-core/commit/c7e49e91d9f7810ddc0368f146d43d3c94c782ad)) -* adding unit test for registerExemptions() ([#105](https://github.com/BagelLab/uds-core/issues/105)) ([5e71fcf](https://github.com/BagelLab/uds-core/commit/5e71fcf4751d2e3f6a1e55583ccf76c0fdc76856)) -* align mutation annotations ([#268](https://github.com/BagelLab/uds-core/issues/268)) ([f18ad4d](https://github.com/BagelLab/uds-core/commit/f18ad4db94a77f4229cc9267e0129f6aa3381c9a)) -* annotate mutations in policies ([#236](https://github.com/BagelLab/uds-core/issues/236)) ([cc9db50](https://github.com/BagelLab/uds-core/commit/cc9db500bb1033a516104f409fa05b3a1101d832)) -* bump zarf & uds-k3d deps ([#30](https://github.com/BagelLab/uds-core/issues/30)) ([dd28ab3](https://github.com/BagelLab/uds-core/commit/dd28ab3acd163aaccdfb76fbf9726c02a2ff0050)) -* conform to latest uds bundle schema ([#52](https://github.com/BagelLab/uds-core/issues/52)) ([14dad38](https://github.com/BagelLab/uds-core/commit/14dad3819187d4f8e13f7bbc191dca74a29b9c98)) -* dep updates for UDS CLI & Pepr ([#46](https://github.com/BagelLab/uds-core/issues/46)) ([1037634](https://github.com/BagelLab/uds-core/commit/10376349e350bd32f3bf32577d8f8089c09ac6cc)) 
-* **deps:** pin dependencies ([#79](https://github.com/BagelLab/uds-core/issues/79)) ([bfab11e](https://github.com/BagelLab/uds-core/commit/bfab11e345941d23dfeb928917f38e36a2f75bc9)) -* **deps:** update checkout to v4.1.7 ([#478](https://github.com/BagelLab/uds-core/issues/478)) ([e91a0a3](https://github.com/BagelLab/uds-core/commit/e91a0a35252581554d9ed587e4ef72c2c88a3586)) -* **deps:** update dependency defenseunicorns/uds-common to v0.2.1 ([#205](https://github.com/BagelLab/uds-core/issues/205)) ([1b01407](https://github.com/BagelLab/uds-core/commit/1b01407c4ae3a707db381b07e1364c572c76eceb)) -* **deps:** update dependency defenseunicorns/uds-common to v0.2.2 ([#232](https://github.com/BagelLab/uds-core/issues/232)) ([083ae0c](https://github.com/BagelLab/uds-core/commit/083ae0c45667e5b9064cbff781fbe4e5bc0d2991)) -* **deps:** update dependency defenseunicorns/uds-common to v0.3.6 ([#261](https://github.com/BagelLab/uds-core/issues/261)) ([1b5398b](https://github.com/BagelLab/uds-core/commit/1b5398b7b778ead8ac3265080ae0bd2b5761066e)) -* **deps:** update githubactions ([#179](https://github.com/BagelLab/uds-core/issues/179)) ([7797e25](https://github.com/BagelLab/uds-core/commit/7797e259b9691099cce9e151ce1ebf9f9f181435)) -* **deps:** update githubactions ([#242](https://github.com/BagelLab/uds-core/issues/242)) ([1eb2e2c](https://github.com/BagelLab/uds-core/commit/1eb2e2cd2018f0cd8fb55d8e6576b7e36fa8c3cf)) -* **deps:** update githubactions ([#413](https://github.com/BagelLab/uds-core/issues/413)) ([ebd834e](https://github.com/BagelLab/uds-core/commit/ebd834e56ae9adabe14d9772e4a4d9c305da173c)) -* **deps:** update githubactions to 692973e ([#481](https://github.com/BagelLab/uds-core/issues/481)) ([c6f0137](https://github.com/BagelLab/uds-core/commit/c6f0137bb9a1e11f98d426cec8c98eb4005f160a)) -* **deps:** update githubactions to de90cc6 ([#215](https://github.com/BagelLab/uds-core/issues/215)) 
([f79eed0](https://github.com/BagelLab/uds-core/commit/f79eed03b2495d9f3e11edb433291ce8a3aa55ee)) -* **deps:** update githubactions to ebc4d7e ([#183](https://github.com/BagelLab/uds-core/issues/183)) ([77357e7](https://github.com/BagelLab/uds-core/commit/77357e72cc0344e61fedcab7197aabdd7e4fd2a0)) -* **deps:** update githubactions to v19 ([#204](https://github.com/BagelLab/uds-core/issues/204)) ([d65acd4](https://github.com/BagelLab/uds-core/commit/d65acd4e2d37907685ba9083ff98988b4ea1d452)) -* **deps:** update githubactions to v3 ([#181](https://github.com/BagelLab/uds-core/issues/181)) ([70c5ddf](https://github.com/BagelLab/uds-core/commit/70c5ddf1ee0e5017bee4057d96b320812a964f88)) -* **deps:** update githubactions to v4.1.3 ([#471](https://github.com/BagelLab/uds-core/issues/471)) ([2a9f44d](https://github.com/BagelLab/uds-core/commit/2a9f44d20dce66fa474e47ba0c93eaa7fa9ad406)) -* **deps:** update grafana ([#144](https://github.com/BagelLab/uds-core/issues/144)) ([6987927](https://github.com/BagelLab/uds-core/commit/698792728faf8cfeabaf7a7c735c91229cc0c07f)) -* **deps:** update grafana ([#257](https://github.com/BagelLab/uds-core/issues/257)) ([c98e566](https://github.com/BagelLab/uds-core/commit/c98e5661c3e6fb84bf17fc64170f5dd39779dda7)) -* **deps:** update grafana ([#339](https://github.com/BagelLab/uds-core/issues/339)) ([52e6c1b](https://github.com/BagelLab/uds-core/commit/52e6c1b3bb003402710bc0fa85419538f38b388f)) -* **deps:** update grafana ([#80](https://github.com/BagelLab/uds-core/issues/80)) ([ccb2c12](https://github.com/BagelLab/uds-core/commit/ccb2c1280313fe69198ecab5fea5b38fc650f699)) -* **deps:** update grafana to v10.3.1 ([#132](https://github.com/BagelLab/uds-core/issues/132)) ([09e028c](https://github.com/BagelLab/uds-core/commit/09e028c63093a6f5fdfd0b1be800b07c0eb9de77)) -* **deps:** update grafana to v7.2.5 ([#136](https://github.com/BagelLab/uds-core/issues/136)) 
([a271270](https://github.com/BagelLab/uds-core/commit/a271270f2d3f3488aa9664ef5ad69a4d239c5d22)) -* **deps:** update grafana to v7.3.0 ([#142](https://github.com/BagelLab/uds-core/issues/142)) ([5e960c0](https://github.com/BagelLab/uds-core/commit/5e960c0479e6fc96244db0230296c94e936e57d8)) -* **deps:** update grafana to v7.3.9 ([#353](https://github.com/BagelLab/uds-core/issues/353)) ([4a70f40](https://github.com/BagelLab/uds-core/commit/4a70f407d5e06919aaa0dc5901f49f7f1b166c9d)) -* **deps:** update istio to v1.20.2 ([#75](https://github.com/BagelLab/uds-core/issues/75)) ([671f977](https://github.com/BagelLab/uds-core/commit/671f977ff183010ce75e323532db500dcd4aa69c)) -* **deps:** update istio to v1.20.3 ([#163](https://github.com/BagelLab/uds-core/issues/163)) ([e45de0e](https://github.com/BagelLab/uds-core/commit/e45de0e5917a2ca6c3e30e593e2d9a8d393849a9)) -* **deps:** update istio to v1.21.2 ([#258](https://github.com/BagelLab/uds-core/issues/258)) ([51c6540](https://github.com/BagelLab/uds-core/commit/51c65405c87ed3c147bdd90172ab0588dc8e5db1)) -* **deps:** update istio to v1.22.1 ([#405](https://github.com/BagelLab/uds-core/issues/405)) ([ad4b861](https://github.com/BagelLab/uds-core/commit/ad4b861158eecfac1d09a37ea3776e31a1c387cb)) -* **deps:** update jest to v29.1.4 ([#438](https://github.com/BagelLab/uds-core/issues/438)) ([c3ecc8b](https://github.com/BagelLab/uds-core/commit/c3ecc8b83b8c65f09600ab937a1c140c4a5f7db1)) -* **deps:** update keycloak ([#349](https://github.com/BagelLab/uds-core/issues/349)) ([2ef1813](https://github.com/BagelLab/uds-core/commit/2ef181333d2fd853bb8eee2c5deb82430d68c861)) -* **deps:** update keycloak ([#390](https://github.com/BagelLab/uds-core/issues/390)) ([3e82c4e](https://github.com/BagelLab/uds-core/commit/3e82c4ece470a5eea81d937b2b38c455934212e1)) -* **deps:** update keycloak to v0.4.2 ([#375](https://github.com/BagelLab/uds-core/issues/375)) 
([b0bb8e4](https://github.com/BagelLab/uds-core/commit/b0bb8e47f78886186514f188a99ff38463a5eac3)) -* **deps:** update keycloak to v0.4.4 ([#460](https://github.com/BagelLab/uds-core/issues/460)) ([936f40b](https://github.com/BagelLab/uds-core/commit/936f40bf078bb06d94ebd51585b4eb7669d426b4)) -* **deps:** update keycloak to v0.4.5 ([#461](https://github.com/BagelLab/uds-core/issues/461)) ([3592012](https://github.com/BagelLab/uds-core/commit/35920121bcdfbdf9b708eb3308ea34763a31246a)) -* **deps:** update keycloak to v24.0.4 ([#397](https://github.com/BagelLab/uds-core/issues/397)) ([c0420ea](https://github.com/BagelLab/uds-core/commit/c0420ea750b3a7dfc8ea6adab5225f76178ef953)) -* **deps:** update keycloak to v24.0.4 ([#402](https://github.com/BagelLab/uds-core/issues/402)) ([e454576](https://github.com/BagelLab/uds-core/commit/e454576a6de53e833d6b925308f09d6007166dde)) -* **deps:** update keycloak to v24.0.5 ([#453](https://github.com/BagelLab/uds-core/issues/453)) ([6b0c6fc](https://github.com/BagelLab/uds-core/commit/6b0c6fc91f238e367c9f2d54f0daaf9d8065794e)) -* **deps:** update keycloak to v24.0.5 ([#454](https://github.com/BagelLab/uds-core/issues/454)) ([89911f0](https://github.com/BagelLab/uds-core/commit/89911f0ca01ac421a254b79e25124525f464cf51)) -* **deps:** update loki ([#131](https://github.com/BagelLab/uds-core/issues/131)) ([61250b0](https://github.com/BagelLab/uds-core/commit/61250b02eca7ca57d7f346c1da5b63f19de17c49)) -* **deps:** update loki ([#209](https://github.com/BagelLab/uds-core/issues/209)) ([03ca499](https://github.com/BagelLab/uds-core/commit/03ca499bd5d9cac800bd36dca80340ceac3f3009)) -* **deps:** update loki ([#72](https://github.com/BagelLab/uds-core/issues/72)) ([98134bb](https://github.com/BagelLab/uds-core/commit/98134bba1f6078a867aae2ae28f4152ba7b1a8e5)) -* **deps:** update loki to v5.43.0 ([#180](https://github.com/BagelLab/uds-core/issues/180)) 
([bab5f7a](https://github.com/BagelLab/uds-core/commit/bab5f7aba3644c0e478a17338df4e074b0c1a6a2)) -* **deps:** update loki to v5.43.1 ([#182](https://github.com/BagelLab/uds-core/issues/182)) ([6cc5fc7](https://github.com/BagelLab/uds-core/commit/6cc5fc7f5a07d848cfe4f18dc9a7e2a4cd91b1cf)) -* **deps:** update loki to v5.43.2 ([#191](https://github.com/BagelLab/uds-core/issues/191)) ([0ec0cd4](https://github.com/BagelLab/uds-core/commit/0ec0cd4d6cdc7b4eb1eea33f4da7b144ecbc29a5)) -* **deps:** update loki to v5.43.3 ([#199](https://github.com/BagelLab/uds-core/issues/199)) ([40f1554](https://github.com/BagelLab/uds-core/commit/40f155469670a4b7290819fc09d28ff1fcc06a81)) -* **deps:** update metrics-server ([#123](https://github.com/BagelLab/uds-core/issues/123)) ([fb25a97](https://github.com/BagelLab/uds-core/commit/fb25a970d6e3b51432164fab05ea2d19d1a638ef)) -* **deps:** update metrics-server ([#298](https://github.com/BagelLab/uds-core/issues/298)) ([691fd87](https://github.com/BagelLab/uds-core/commit/691fd87ae3e523c897d0461c4a0384b2bb7c8c03)) -* **deps:** update neuvector ([#333](https://github.com/BagelLab/uds-core/issues/333)) ([010e287](https://github.com/BagelLab/uds-core/commit/010e287dbf3a712d19e54bfbbaa87807585130d7)) -* **deps:** update neuvector ([#73](https://github.com/BagelLab/uds-core/issues/73)) ([50f6c90](https://github.com/BagelLab/uds-core/commit/50f6c90ca31d5bf984e44fd1ded7c5cfcb968064)) -* **deps:** update neuvector to v9.4 ([#381](https://github.com/BagelLab/uds-core/issues/381)) ([20d4170](https://github.com/BagelLab/uds-core/commit/20d4170386d2437826abafc68d87d91dc457022a)) -* **deps:** update pepr ([#116](https://github.com/BagelLab/uds-core/issues/116)) ([bfa7352](https://github.com/BagelLab/uds-core/commit/bfa7352ebe962ef1ed091f4a5799ed4974e086ef)) -* **deps:** update pepr ([#324](https://github.com/BagelLab/uds-core/issues/324)) ([2ef0f96](https://github.com/BagelLab/uds-core/commit/2ef0f96da7476b487d72d4bb7ce4bd50fdb0b182)) -* **deps:** 
update pepr ([#340](https://github.com/BagelLab/uds-core/issues/340)) ([e71ba4a](https://github.com/BagelLab/uds-core/commit/e71ba4ab4eb1ea1cc482b507fef4e0e2735bbd1f)) -* **deps:** update pepr ([#419](https://github.com/BagelLab/uds-core/issues/419)) ([d8f0309](https://github.com/BagelLab/uds-core/commit/d8f0309b4f9661b1c5bc2d5e574697ee9579e387)) -* **deps:** update pepr ([#473](https://github.com/BagelLab/uds-core/issues/473)) ([ab4bee9](https://github.com/BagelLab/uds-core/commit/ab4bee906f020d86b90c0b984789be55f8b4c08b)) -* **deps:** update pepr ([#76](https://github.com/BagelLab/uds-core/issues/76)) ([50de920](https://github.com/BagelLab/uds-core/commit/50de920bcf03092d16a11ebf77ede70987a7cdcf)) -* **deps:** update pepr to 0.31.0 ([#360](https://github.com/BagelLab/uds-core/issues/360)) ([fbd61ea](https://github.com/BagelLab/uds-core/commit/fbd61ea9665133619aec81726b189449226d8459)) -* **deps:** update pepr to v0.22.0 ([#102](https://github.com/BagelLab/uds-core/issues/102)) ([941902d](https://github.com/BagelLab/uds-core/commit/941902dcfc2ec1d5340d658f75811b3369489c56)) -* **deps:** update pepr to v0.22.2 ([#104](https://github.com/BagelLab/uds-core/issues/104)) ([0555353](https://github.com/BagelLab/uds-core/commit/0555353e5a5dec2aa8685a3987852d1c3788f28c)) -* **deps:** update pepr to v0.24.1 ([#134](https://github.com/BagelLab/uds-core/issues/134)) ([6474a1c](https://github.com/BagelLab/uds-core/commit/6474a1c0a16c8d87248acb1b3f7d79b76a354fc8)) -* **deps:** update pepr to v0.25.0 ([#164](https://github.com/BagelLab/uds-core/issues/164)) ([e7b8212](https://github.com/BagelLab/uds-core/commit/e7b8212b6a8ed2e16b47264687e0c39d2f0a3455)) -* **deps:** update pepr to v0.28.6 ([#254](https://github.com/BagelLab/uds-core/issues/254)) ([54ef7de](https://github.com/BagelLab/uds-core/commit/54ef7ded349d060b1732b381124fe29e3e8fe85b)) -* **deps:** update pepr to v0.28.6 ([#300](https://github.com/BagelLab/uds-core/issues/300)) 
([86b43e4](https://github.com/BagelLab/uds-core/commit/86b43e478521aa88a3a4843948ca96b9cbe55985)) -* **deps:** update pepr to v0.28.7 ([#321](https://github.com/BagelLab/uds-core/issues/321)) ([e7206bb](https://github.com/BagelLab/uds-core/commit/e7206bb93ce23a3ae611e410106890df3eafdea1)) -* **deps:** update pepr to v0.4.5 ([#447](https://github.com/BagelLab/uds-core/issues/447)) ([f1dba17](https://github.com/BagelLab/uds-core/commit/f1dba17076a7c6052ed67e07bdb560fda7604b80)) -* **deps:** update prometheus-stack ([#128](https://github.com/BagelLab/uds-core/issues/128)) ([625622a](https://github.com/BagelLab/uds-core/commit/625622a44c101f0a9c1beffd66eb259dc1f1eedc)) -* **deps:** update prometheus-stack ([#190](https://github.com/BagelLab/uds-core/issues/190)) ([f9a605a](https://github.com/BagelLab/uds-core/commit/f9a605a4c828128fc19f0bdb1d2443f65fb87b8a)) -* **deps:** update prometheus-stack ([#301](https://github.com/BagelLab/uds-core/issues/301)) ([143eca3](https://github.com/BagelLab/uds-core/commit/143eca3ecc2e3c39765312dc3c5384c87a13d7da)) -* **deps:** update prometheus-stack ([#348](https://github.com/BagelLab/uds-core/issues/348)) ([49cb11a](https://github.com/BagelLab/uds-core/commit/49cb11a058a9209cee7019fa552b8c0b2ef73368)) -* **deps:** update prometheus-stack ([#392](https://github.com/BagelLab/uds-core/issues/392)) ([2e656f5](https://github.com/BagelLab/uds-core/commit/2e656f5dc3de2e6561ac313cb1bae478635b86b3)) -* **deps:** update prometheus-stack ([#422](https://github.com/BagelLab/uds-core/issues/422)) ([a96193e](https://github.com/BagelLab/uds-core/commit/a96193e257701dfaf6fccc34246ef3f31e639f3e)) -* **deps:** update prometheus-stack ([#81](https://github.com/BagelLab/uds-core/issues/81)) ([19bedb6](https://github.com/BagelLab/uds-core/commit/19bedb60cd2f99615c4b5673623ff0ff6fafb73f)) -* **deps:** update promtail ([#74](https://github.com/BagelLab/uds-core/issues/74)) 
([6a112b5](https://github.com/BagelLab/uds-core/commit/6a112b5226250f1a17023b2c1225d404cf8feeee)) -* **deps:** update to keycloak 24 ([#336](https://github.com/BagelLab/uds-core/issues/336)) ([1153ba0](https://github.com/BagelLab/uds-core/commit/1153ba09ac062d3477a4ee396376be83493ad3c5)) -* **deps:** update uds to v0.10.4 ([#228](https://github.com/BagelLab/uds-core/issues/228)) ([1750b23](https://github.com/BagelLab/uds-core/commit/1750b2304e3c6f0ce6a60f1ef2873ce8a6ce1502)) -* **deps:** update uds to v0.11.1 ([#472](https://github.com/BagelLab/uds-core/issues/472)) ([12fd798](https://github.com/BagelLab/uds-core/commit/12fd79894e71ee06181ccd6f2ac98b84d935066c)) -* **deps:** update uds to v0.11.2 ([#479](https://github.com/BagelLab/uds-core/issues/479)) ([f967f9a](https://github.com/BagelLab/uds-core/commit/f967f9a4bf8d718b9ece96d882db4d9c800f5f0f)) -* **deps:** update uds to v0.5.3, zarf to v0.32.1, and uds-k3d to 0.3.0 ([#77](https://github.com/BagelLab/uds-core/issues/77)) ([596f9d8](https://github.com/BagelLab/uds-core/commit/596f9d8df51c3df1aa87fd0e09d9e69c87473bf0)) -* **deps:** update uds to v0.6.2 ([#107](https://github.com/BagelLab/uds-core/issues/107)) ([7b7220e](https://github.com/BagelLab/uds-core/commit/7b7220e708cf2dca25cc592b8932661620d9610d)) -* **deps:** update uds to v0.8.1 ([#141](https://github.com/BagelLab/uds-core/issues/141)) ([fa79065](https://github.com/BagelLab/uds-core/commit/fa79065265a5ee2b8f6f6a55d1c2904bbaf42fff)) -* **deps:** update uds to v0.9.0 ([#173](https://github.com/BagelLab/uds-core/issues/173)) ([b91a90d](https://github.com/BagelLab/uds-core/commit/b91a90db987e108a5a093a326428bbd0b5f9446e)) -* **deps:** update uds to v0.9.2 ([#200](https://github.com/BagelLab/uds-core/issues/200)) ([e4b54fe](https://github.com/BagelLab/uds-core/commit/e4b54febc4d7914e962db92b7a0490a3735af4e5)) -* **deps:** update uds-common to v0.4.4 ([#442](https://github.com/BagelLab/uds-core/issues/442)) 
([bf6debd](https://github.com/BagelLab/uds-core/commit/bf6debdd0d50f6cde11288cd70d8bdf1dcdaaaa0)) -* **deps:** update uds-identity-config to 0.4.1 ([#355](https://github.com/BagelLab/uds-core/issues/355)) ([8485931](https://github.com/BagelLab/uds-core/commit/84859316ea92ef9ec7807a702ee246e11b73567b)) -* **deps:** update uds-k3d to v0.3.1 ([#89](https://github.com/BagelLab/uds-core/issues/89)) ([5d54cd1](https://github.com/BagelLab/uds-core/commit/5d54cd1efe5eee4c19caf347882725e0aa20e50a)) -* **deps:** update uds-k3d to v0.5.0 ([#186](https://github.com/BagelLab/uds-core/issues/186)) ([164bf5f](https://github.com/BagelLab/uds-core/commit/164bf5f8bd58899f5ec1a179d6d409cfb46b850f)) -* **deps:** update uds-k3d to v0.6.0 ([#240](https://github.com/BagelLab/uds-core/issues/240)) ([6a26523](https://github.com/BagelLab/uds-core/commit/6a2652368fde3a3bdbe5bb81fd258830dfaeb5c8)) -* **deps:** update uds-k3d to v0.6.0 ([#398](https://github.com/BagelLab/uds-core/issues/398)) ([288f009](https://github.com/BagelLab/uds-core/commit/288f00990a715087c9bf1fffd0a63ecf33125a5a)) -* **deps:** update uds-k3d to v0.7.0 ([#428](https://github.com/BagelLab/uds-core/issues/428)) ([23b59a2](https://github.com/BagelLab/uds-core/commit/23b59a260b2c60791614ca4d39a33e65476e19ee)) -* **deps:** update velero ([#260](https://github.com/BagelLab/uds-core/issues/260)) ([f352008](https://github.com/BagelLab/uds-core/commit/f35200833a4d4d50de9f632f6918320f7d8fff5e)) -* **deps:** update velero ([#350](https://github.com/BagelLab/uds-core/issues/350)) ([e7cb33e](https://github.com/BagelLab/uds-core/commit/e7cb33ea9a13ab9550aab45d8ee437a1ba595d38)) -* **deps:** update velero ([#408](https://github.com/BagelLab/uds-core/issues/408)) ([ffbefda](https://github.com/BagelLab/uds-core/commit/ffbefda74777466ef74ad1d5cffff1f4895f323d)) -* **deps:** update velero ([#440](https://github.com/BagelLab/uds-core/issues/440)) 
([4b1a3ea](https://github.com/BagelLab/uds-core/commit/4b1a3ead81a80b49e5ccfeb2e4130a4aaebb53a4)) -* **deps:** update velero to v1.30.2 ([#476](https://github.com/BagelLab/uds-core/issues/476)) ([89bbda9](https://github.com/BagelLab/uds-core/commit/89bbda9e640014bede116c254381cab8995df12f)) -* **deps:** update velero to v6.6.0 ([#456](https://github.com/BagelLab/uds-core/issues/456)) ([aff37c1](https://github.com/BagelLab/uds-core/commit/aff37c194e321f6a6c92f1bc11fd796cf9f0a9ab)) -* **deps:** update zarf to v0.32.2 ([#133](https://github.com/BagelLab/uds-core/issues/133)) ([91502c6](https://github.com/BagelLab/uds-core/commit/91502c6321334c6d31ce5fd1cd8f2fe6f77c09ae)) -* **deps:** update zarf to v0.32.3 ([#155](https://github.com/BagelLab/uds-core/issues/155)) ([2f0a1a7](https://github.com/BagelLab/uds-core/commit/2f0a1a77043ce298e765e6999cf11a97f36e4ecc)) -* **deps:** update zarf to v0.32.4 ([#203](https://github.com/BagelLab/uds-core/issues/203)) ([05c903e](https://github.com/BagelLab/uds-core/commit/05c903ea43243401d9cc2928ba5eb66ff6201c94)) -* **deps:** update zarf to v0.32.5 ([#243](https://github.com/BagelLab/uds-core/issues/243)) ([ee93612](https://github.com/BagelLab/uds-core/commit/ee9361224767c1a708b6f8e2c266af710facea8d)) -* **deps:** update zarf to v0.32.6 ([#282](https://github.com/BagelLab/uds-core/issues/282)) ([443426d](https://github.com/BagelLab/uds-core/commit/443426d05b9bd1d15fb4632efa26219250270895)) -* **deps:** update zarf to v0.33.0 ([#325](https://github.com/BagelLab/uds-core/issues/325)) ([f2a2a66](https://github.com/BagelLab/uds-core/commit/f2a2a665309c812b4300047d1c90ff3833a8eba6)) -* **deps:** update zarf to v0.33.1 ([#368](https://github.com/BagelLab/uds-core/issues/368)) ([296e547](https://github.com/BagelLab/uds-core/commit/296e54729c20c9ecee21677daec874a2c8b57b57)) -* **deps:** update zarf to v0.33.2 ([#394](https://github.com/BagelLab/uds-core/issues/394)) 
([201a37b](https://github.com/BagelLab/uds-core/commit/201a37b12277880058c14fc05b3c0d4aecbf31e0)) -* **deps:** update zarf to v0.34.0 ([#434](https://github.com/BagelLab/uds-core/issues/434)) ([9badf9d](https://github.com/BagelLab/uds-core/commit/9badf9d4b9b6f904b1b7a478be5355416dc7fbe0)) -* fix missing deps in tag and release workflow ([#28](https://github.com/BagelLab/uds-core/issues/28)) ([1e1af76](https://github.com/BagelLab/uds-core/commit/1e1af762e8eb1dd331cbd681e48ecc95ec3184d2)) -* initial renovate config ([#67](https://github.com/BagelLab/uds-core/issues/67)) ([2cd19d8](https://github.com/BagelLab/uds-core/commit/2cd19d871a95491950d43fea8e8fd2e8c290cd55)) -* kick off ci ([1afc3a4](https://github.com/BagelLab/uds-core/commit/1afc3a4203cce1a1c81b15e7ba6caad1a9c63131)) -* **main:** release 0.1.1 ([#27](https://github.com/BagelLab/uds-core/issues/27)) ([3776e91](https://github.com/BagelLab/uds-core/commit/3776e91670aa73907cb9c48a05419d106ecedd67)) -* **main:** release 0.1.2 ([#29](https://github.com/BagelLab/uds-core/issues/29)) ([af7b0be](https://github.com/BagelLab/uds-core/commit/af7b0beaf409627c87b47e4d908b0a8a0d8cff63)) -* **main:** release 0.1.3 ([#31](https://github.com/BagelLab/uds-core/issues/31)) ([28ad8a7](https://github.com/BagelLab/uds-core/commit/28ad8a78b023f160714ecb90d748ee65403cf500)) -* **main:** release 0.10.0 ([#135](https://github.com/BagelLab/uds-core/issues/135)) ([5bb6f01](https://github.com/BagelLab/uds-core/commit/5bb6f016631fdef4f14848ff55588f33e6d4f07d)) -* **main:** release 0.11.0 ([#138](https://github.com/BagelLab/uds-core/issues/138)) ([c02ada8](https://github.com/BagelLab/uds-core/commit/c02ada860f532d8955af00637756ee622f3e9019)) -* **main:** release 0.11.1 ([#159](https://github.com/BagelLab/uds-core/issues/159)) ([2c493bb](https://github.com/BagelLab/uds-core/commit/2c493bb7c877a7193e45376a9d28aed832cff590)) -* **main:** release 0.12.0 ([#161](https://github.com/BagelLab/uds-core/issues/161)) 
([e3c41e8](https://github.com/BagelLab/uds-core/commit/e3c41e82ba5bd776f2633cbde222ab05c5c513f3)) -* **main:** release 0.13.0 ([#170](https://github.com/BagelLab/uds-core/issues/170)) ([09c9447](https://github.com/BagelLab/uds-core/commit/09c9447fa47e5bd1f1d3ae627d7c3dab9c46d596)) -* **main:** release 0.13.1 ([#197](https://github.com/BagelLab/uds-core/issues/197)) ([e968fe9](https://github.com/BagelLab/uds-core/commit/e968fe9707f5a1f154b1fd19050ba46073427495)) -* **main:** release 0.14.0 ([#202](https://github.com/BagelLab/uds-core/issues/202)) ([d090f40](https://github.com/BagelLab/uds-core/commit/d090f4052679d1557973a17524923280c04807fd)) -* **main:** release 0.14.1 ([#218](https://github.com/BagelLab/uds-core/issues/218)) ([3199d8b](https://github.com/BagelLab/uds-core/commit/3199d8bc8cc8e11f9eccdb7075ce798572f6fa0a)) -* **main:** release 0.14.2 ([#221](https://github.com/BagelLab/uds-core/issues/221)) ([2ab4c54](https://github.com/BagelLab/uds-core/commit/2ab4c54618f40c8f195e4bbc1aee63024e488dc8)) -* **main:** release 0.14.3 ([#225](https://github.com/BagelLab/uds-core/issues/225)) ([05b1c19](https://github.com/BagelLab/uds-core/commit/05b1c196e4509ee38261a9b9bc8bc8531086b499)) -* **main:** release 0.14.4 ([#227](https://github.com/BagelLab/uds-core/issues/227)) ([d2d005b](https://github.com/BagelLab/uds-core/commit/d2d005b9caf0b067f850f752a3d6e643c99a74c6)) -* **main:** release 0.14.5 ([#230](https://github.com/BagelLab/uds-core/issues/230)) ([1acafca](https://github.com/BagelLab/uds-core/commit/1acafcadf0baa4567d4f0c41e3201fa40895d092)) -* **main:** release 0.15.0 ([#233](https://github.com/BagelLab/uds-core/issues/233)) ([f4f3699](https://github.com/BagelLab/uds-core/commit/f4f3699096e4f917cf36bcb15bdb47179569b74d)) -* **main:** release 0.15.1 ([#235](https://github.com/BagelLab/uds-core/issues/235)) ([a0c6b32](https://github.com/BagelLab/uds-core/commit/a0c6b327ada2a36a08a4dc4874248d9df65f5381)) -* **main:** release 0.16.0 
([#246](https://github.com/BagelLab/uds-core/issues/246)) ([efc64d4](https://github.com/BagelLab/uds-core/commit/efc64d45c6e78f3014258b80abdf35d0119bde36)) -* **main:** release 0.16.1 ([#265](https://github.com/BagelLab/uds-core/issues/265)) ([4e4eaea](https://github.com/BagelLab/uds-core/commit/4e4eaea6c16e010837bb1c0d5624ebda418bce6f)) -* **main:** release 0.17.0 ([#267](https://github.com/BagelLab/uds-core/issues/267)) ([510f536](https://github.com/BagelLab/uds-core/commit/510f536133e835f98bb524bfc9f437e6f716d9ef)) -* **main:** release 0.18.0 ([#286](https://github.com/BagelLab/uds-core/issues/286)) ([40e6b7b](https://github.com/BagelLab/uds-core/commit/40e6b7b711ddbd956058eda8490355568faddaec)) -* **main:** release 0.18.0 ([#318](https://github.com/BagelLab/uds-core/issues/318)) ([5f5e0b8](https://github.com/BagelLab/uds-core/commit/5f5e0b8a19daf0b51d9a102fd851ff76e5296d4e)) -* **main:** release 0.19.0 ([#320](https://github.com/BagelLab/uds-core/issues/320)) ([4ce502b](https://github.com/BagelLab/uds-core/commit/4ce502be3a5d83c28c259db8080a215f309c6ed7)) -* **main:** release 0.2.0 ([#34](https://github.com/BagelLab/uds-core/issues/34)) ([5185a8f](https://github.com/BagelLab/uds-core/commit/5185a8f98c90578eabd9f1494f55e43922bb7a92)) -* **main:** release 0.20.0 ([#345](https://github.com/BagelLab/uds-core/issues/345)) ([c29cc91](https://github.com/BagelLab/uds-core/commit/c29cc91cd2e41d5bbaee33deb173628c83ad0480)) -* **main:** release 0.21.0 ([#361](https://github.com/BagelLab/uds-core/issues/361)) ([c9f027f](https://github.com/BagelLab/uds-core/commit/c9f027f518de547b962b06defb836fba3c70ff3d)) -* **main:** release 0.21.1 ([#379](https://github.com/BagelLab/uds-core/issues/379)) ([b46a161](https://github.com/BagelLab/uds-core/commit/b46a161271bac3c167e554fadf673d2536b6b420)) -* **main:** release 0.22.0 ([#386](https://github.com/BagelLab/uds-core/issues/386)) ([6367bef](https://github.com/BagelLab/uds-core/commit/6367bef04dab6803471b8f424210baedf2004d01)) -* 
**main:** release 0.22.1 ([#432](https://github.com/BagelLab/uds-core/issues/432)) ([7cf9c4c](https://github.com/BagelLab/uds-core/commit/7cf9c4c09dccc1d91edb7acbb2aee8750c5433ed)) -* **main:** release 0.22.2 ([#474](https://github.com/BagelLab/uds-core/issues/474)) ([84a408f](https://github.com/BagelLab/uds-core/commit/84a408fb23c1803bdbbf5e1f1ce64e97110f2829)) -* **main:** release 0.3.0 ([#39](https://github.com/BagelLab/uds-core/issues/39)) ([4d2b05d](https://github.com/BagelLab/uds-core/commit/4d2b05de9d155dc91b799bde5156c5980bc348cb)) -* **main:** release 0.4.0 ([#43](https://github.com/BagelLab/uds-core/issues/43)) ([d2b61c3](https://github.com/BagelLab/uds-core/commit/d2b61c373b91d4f405e27ce930e4f8bec52ddd21)) -* **main:** release 0.4.1 ([#45](https://github.com/BagelLab/uds-core/issues/45)) ([d66eafe](https://github.com/BagelLab/uds-core/commit/d66eafea0ec9ccd412f5af3ed5ab12f3f8275a33)) -* **main:** release 0.5.0 ([#49](https://github.com/BagelLab/uds-core/issues/49)) ([f9c4269](https://github.com/BagelLab/uds-core/commit/f9c426998f2bc4fc21c32b3492f25b8608f50282)) -* **main:** release 0.6.0 ([#53](https://github.com/BagelLab/uds-core/issues/53)) ([9b3ad64](https://github.com/BagelLab/uds-core/commit/9b3ad64a6e3870ce364cad77abd367cc8d493042)) -* **main:** release 0.6.1 ([#56](https://github.com/BagelLab/uds-core/issues/56)) ([4a5a42c](https://github.com/BagelLab/uds-core/commit/4a5a42c8fa9ee17656e462cb9df08562d9c85b96)) -* **main:** release 0.6.2 ([#59](https://github.com/BagelLab/uds-core/issues/59)) ([b1c49ac](https://github.com/BagelLab/uds-core/commit/b1c49ac70e8a293936dea8a516c32b7bb7e6fc4c)) -* **main:** release 0.7.0 ([#71](https://github.com/BagelLab/uds-core/issues/71)) ([51dcb54](https://github.com/BagelLab/uds-core/commit/51dcb54d239cb5636b0c4f55fde9fc2b2c3bf076)) -* **main:** release 0.7.1 ([#85](https://github.com/BagelLab/uds-core/issues/85)) ([da4040a](https://github.com/BagelLab/uds-core/commit/da4040aff739746dc2355ec0449ee762c05c56c1)) -* 
**main:** release 0.7.2 ([#88](https://github.com/BagelLab/uds-core/issues/88)) ([5e421ce](https://github.com/BagelLab/uds-core/commit/5e421ce011e42692c3cb6f1353cfb8a5edb846fb)) -* **main:** release 0.7.3 ([#93](https://github.com/BagelLab/uds-core/issues/93)) ([ddf8fa6](https://github.com/BagelLab/uds-core/commit/ddf8fa617853686b8c043d236c159bcd59c47ac0)) -* **main:** release 0.7.4 ([#100](https://github.com/BagelLab/uds-core/issues/100)) ([9abd78b](https://github.com/BagelLab/uds-core/commit/9abd78b11a90a67344fa93e8dba7fd53d6b58ea2)) -* **main:** release 0.8.0 ([#106](https://github.com/BagelLab/uds-core/issues/106)) ([3ab93c3](https://github.com/BagelLab/uds-core/commit/3ab93c30b132ff9c35c1f238008b15cd265abe92)) -* **main:** release 0.8.1 ([#112](https://github.com/BagelLab/uds-core/issues/112)) ([942ad54](https://github.com/BagelLab/uds-core/commit/942ad549b53e8ce87a33fae985bbe2f82c6fa75c)) -* **main:** release 0.9.0 ([#117](https://github.com/BagelLab/uds-core/issues/117)) ([6b0c56b](https://github.com/BagelLab/uds-core/commit/6b0c56b8a6d60091e532ac36cd69ea6cd5ac1124)) -* **main:** release 0.9.1 ([#119](https://github.com/BagelLab/uds-core/issues/119)) ([984f916](https://github.com/BagelLab/uds-core/commit/984f91602c3b2873110d62a49c5df4ecfaa19f8a)) -* **main:** release 0.9.2 ([#121](https://github.com/BagelLab/uds-core/issues/121)) ([2d9b3c9](https://github.com/BagelLab/uds-core/commit/2d9b3c9fe288347879f2d78c8524b719d3772abd)) -* move api service watch to reconcile ([#362](https://github.com/BagelLab/uds-core/issues/362)) ([1822bca](https://github.com/BagelLab/uds-core/commit/1822bca6c397a5c8ea64b9355a9ba4f51fde4518)) -* open the aperture for pr workflow triggering ([#90](https://github.com/BagelLab/uds-core/issues/90)) ([d8a72f2](https://github.com/BagelLab/uds-core/commit/d8a72f2f2f3e507a4be7f217e23b737e3d4c35ce)) -* readme updates & use UDS CLI for zarf ([#137](https://github.com/BagelLab/uds-core/issues/137)) 
([21de0ce](https://github.com/BagelLab/uds-core/commit/21de0cee2d70d67ca17b1d45c642e9ca4e1617ce)) -* refactor ci for releases to remove certain artifacts ([#125](https://github.com/BagelLab/uds-core/issues/125)) ([c08a062](https://github.com/BagelLab/uds-core/commit/c08a062bb3f3ede6860c3d7f34136b3e82b78715)) -* refactor promtail extraScrapeConfigs into scrapeConfigs ([#367](https://github.com/BagelLab/uds-core/issues/367)) ([2220272](https://github.com/BagelLab/uds-core/commit/222027240148e669edf40483d145ffc15567b1b7)) -* refactor validate.yaml file name and task name ([#62](https://github.com/BagelLab/uds-core/issues/62)) ([92a04ea](https://github.com/BagelLab/uds-core/commit/92a04ea1096448995ccc0dd9d77a32a5061e06f0)) -* remove emulated gitlab endpoints from keycloak ([495960c](https://github.com/BagelLab/uds-core/commit/495960ce8d40cf2ef7c0f0021b653db6fc6383bb)) -* remove retry-action action on registry1 docker login ([#160](https://github.com/BagelLab/uds-core/issues/160)) ([eea0c93](https://github.com/BagelLab/uds-core/commit/eea0c93a0ff172bfc5a76d3eaca143ffc0d9fbe2)) -* remove version from neuvector zarf.yaml ([#11](https://github.com/BagelLab/uds-core/issues/11)) ([fbc8d51](https://github.com/BagelLab/uds-core/commit/fbc8d51e2b4146d394184d7596cd9a54219dc001)) -* renovate updates ([#140](https://github.com/BagelLab/uds-core/issues/140)) ([b71a013](https://github.com/BagelLab/uds-core/commit/b71a013bea30c9ca5e39f1dc6485fffaa86ca6b1)) -* simplify promtail values for scrape configs ([#94](https://github.com/BagelLab/uds-core/issues/94)) ([6c2513b](https://github.com/BagelLab/uds-core/commit/6c2513be89f064b44516b1d89c0d6005dd1d4d30)) -* support deselection of metrics-server ([#193](https://github.com/BagelLab/uds-core/issues/193)) ([289a0fe](https://github.com/BagelLab/uds-core/commit/289a0fee5315e8c4a70b3afe66165dd00a7dfbc1)) -* support headless keycloak admin user ([#307](https://github.com/BagelLab/uds-core/issues/307)) 
([a0e51b6](https://github.com/BagelLab/uds-core/commit/a0e51b649822619b63478b140bb5dbbebeb20ff3)) -* test artifacts before publish ([#198](https://github.com/BagelLab/uds-core/issues/198)) ([9732f32](https://github.com/BagelLab/uds-core/commit/9732f325624244f4d34c127a949c6ce5951ff6ab)) -* trigger eks nightly when related files are updated ([#366](https://github.com/BagelLab/uds-core/issues/366)) ([6d6e4e0](https://github.com/BagelLab/uds-core/commit/6d6e4e0debbca3498cbc21db405eec48b3bcc240)) -* typo fix in README.md ([#280](https://github.com/BagelLab/uds-core/issues/280)) ([f9727e0](https://github.com/BagelLab/uds-core/commit/f9727e0b638e853bbae131d02019a2efb5286b0a)) -* update codeowners ([#338](https://github.com/BagelLab/uds-core/issues/338)) ([c419574](https://github.com/BagelLab/uds-core/commit/c41957409607c6335ebf6bd4ff30a1a9336a4870)) -* update release please extra-files to be explicit ([#26](https://github.com/BagelLab/uds-core/issues/26)) ([23f4999](https://github.com/BagelLab/uds-core/commit/23f49995771fb05cd18e7a077bf90e86ca5b7471)) -* updating keycloak chart version to align with image ([#378](https://github.com/BagelLab/uds-core/issues/378)) ([a60fe2a](https://github.com/BagelLab/uds-core/commit/a60fe2afed9f7cff3bcad6b0f563232b47e8025b)) +* **docs:** re-ordered small paragraphs, clarified wording, and added links to tech homepages ([#531](https://github.com/defenseunicorns/uds-core/issues/531)) ([6b2b46b](https://github.com/defenseunicorns/uds-core/commit/6b2b46b46dcb0d25bc13ca7e166bba4fb531da15)) +* **docs:** removed double-link which broke the markdown formatting in pr template ([#532](https://github.com/defenseunicorns/uds-core/issues/532)) ([f41ced4](https://github.com/defenseunicorns/uds-core/commit/f41ced483cc8f8ca1f2cfba3ae3fb58a218f7afc)) +* **docs:** uds-config.yaml example in k3d-slim-dev README ([#530](https://github.com/defenseunicorns/uds-core/issues/530)) 
([2e1c53e](https://github.com/defenseunicorns/uds-core/commit/2e1c53e939b99794c8e6994f20282974bd139917)) +* operator retries and error logging ([#511](https://github.com/defenseunicorns/uds-core/issues/511)) ([cae5aab](https://github.com/defenseunicorns/uds-core/commit/cae5aabed589d28680f0f36bd4afe8e2d235c8b4)) + + +### Miscellaneous + +* **deps:** update checkout action to latest sha ([#481](https://github.com/defenseunicorns/uds-core/issues/481)) ([c6f0137](https://github.com/defenseunicorns/uds-core/commit/c6f0137bb9a1e11f98d426cec8c98eb4005f160a)) +* **deps:** update dependency weaveworks/eksctl to v0.183.0 ([#499](https://github.com/defenseunicorns/uds-core/issues/499)) ([9cb8e4d](https://github.com/defenseunicorns/uds-core/commit/9cb8e4d7c86611918e502de0a7e7e25921523cbc)) +* **deps:** update grafana to 11.1.0 ([#380](https://github.com/defenseunicorns/uds-core/issues/380)) ([499058a](https://github.com/defenseunicorns/uds-core/commit/499058aedbbda33f88fffd94178ceb68529d5c85)) +* **deps:** update istio to v1.22.2 ([#512](https://github.com/defenseunicorns/uds-core/issues/512)) ([dcdadb4](https://github.com/defenseunicorns/uds-core/commit/dcdadb49255a5052dcb3fe079335976b758b32f9)) +* **deps:** update jest to v29.1.5 ([#485](https://github.com/defenseunicorns/uds-core/issues/485)) ([9c392b9](https://github.com/defenseunicorns/uds-core/commit/9c392b9b88c84e3c3763878e6beb1800c43ded25)) +* **deps:** update neuvector to 5.3.3 ([#467](https://github.com/defenseunicorns/uds-core/issues/467)) ([261057d](https://github.com/defenseunicorns/uds-core/commit/261057d2bf142c3167fdf0d0bd68bc2fb47d22df)) +* **deps:** update pepr to 0.32.2 ([#473](https://github.com/defenseunicorns/uds-core/issues/473)) ([ab4bee9](https://github.com/defenseunicorns/uds-core/commit/ab4bee906f020d86b90c0b984789be55f8b4c08b)) +* **deps:** update pepr to 0.32.3 ([#494](https://github.com/defenseunicorns/uds-core/issues/494)) 
([2e28897](https://github.com/defenseunicorns/uds-core/commit/2e2889784043b21463e72643eb890054645dd439)) +* **deps:** update pepr to 0.32.6 ([#516](https://github.com/defenseunicorns/uds-core/issues/516)) ([a9d3eec](https://github.com/defenseunicorns/uds-core/commit/a9d3eecce3e007958b45ac2e627cbece84ad48ac)) +* **deps:** update promtail to 3.1.0 ([#335](https://github.com/defenseunicorns/uds-core/issues/335)) ([4457fce](https://github.com/defenseunicorns/uds-core/commit/4457fce6f46626047e37a17b87dbdc675bcfd709)) +* **deps:** update uds to v0.12.0 ([#521](https://github.com/defenseunicorns/uds-core/issues/521)) ([8e587ff](https://github.com/defenseunicorns/uds-core/commit/8e587ffc210bdb2351748383e058cf86ced8b7a9)) +* **deps:** update uds-common tasks to 0.6.1 ([#498](https://github.com/defenseunicorns/uds-core/issues/498)) ([4aa6e33](https://github.com/defenseunicorns/uds-core/commit/4aa6e3372f6d1a5df1e2ae51a3129603a8b0b29b)) +* **deps:** update zarf to v0.35.0 ([#490](https://github.com/defenseunicorns/uds-core/issues/490)) ([86957cf](https://github.com/defenseunicorns/uds-core/commit/86957cfe19564ec8ddccec7e496af4469def322a)) +* docs linting changes ([#505](https://github.com/defenseunicorns/uds-core/issues/505)) ([0fe2015](https://github.com/defenseunicorns/uds-core/commit/0fe20151713363f572a50601016e06e60230990f)) +* remove emulated gitlab endpoints from keycloak ([#483](https://github.com/defenseunicorns/uds-core/issues/483)) ([495960c](https://github.com/defenseunicorns/uds-core/commit/495960ce8d40cf2ef7c0f0021b653db6fc6383bb)) +* update docs for group auth and readme for docs site ([#540](https://github.com/defenseunicorns/uds-core/issues/540)) ([ace7041](https://github.com/defenseunicorns/uds-core/commit/ace7041e500b72f00b4a5c23d7413a46aa359504)) ## [0.22.2](https://github.com/defenseunicorns/uds-core/compare/v0.22.1...v0.22.2) (2024-06-13) diff --git a/README.md b/README.md index 1e1fcc0f8..9ee771e27 100644 --- a/README.md +++ b/README.md 
@@ -1,5 +1,7 @@ # Unicorn Delivery Service - Core (UDS Core) +## [UDS Core Docs](https://uds.defenseunicorns.com/core/) + UDS Core establishes a secure baseline for cloud-native systems and ships with compliance documentation and first-class support for airgap/egress-limited systems. Based on the work of [Platform One](https://p1.dso.mil), UDS Core expands on the security posture of [Big Bang](https://repo1.dso.mil/big-bang/bigbang) while providing advanced automation with the [UDS Operator](./src/pepr/operator/README.md) and [UDS Policy Engine](./src/pepr/policies/README.md). UDS Core is a collection of several individual applications combined into a single [Zarf](https://zarf.dev) package and we recommend using [UDS CLI](https://github.com/defenseunicorns/uds-cli?tab=readme-ov-file#install) to deploy it as a [UDS Bundle](#using-uds-core-in-production). #### tl;dr - [try it now](#quickstart) diff --git a/bundles/k3d-slim-dev/README.md b/bundles/k3d-slim-dev/README.md index 54ee2b426..08c658db8 100644 --- a/bundles/k3d-slim-dev/README.md +++ b/bundles/k3d-slim-dev/README.md @@ -25,15 +25,14 @@ Example: ```yaml variables: uds-k3d-dev: - set: - buckets: - - name: "myfavoritebucket" - policy: "public" - purge: false - users: - - accessKey: console - secretKey: "console-secret" - policy: consoleAdmin + buckets: + - name: "myfavoritebucket" + policy: "public" + purge: false + users: + - accessKey: console + secretKey: "console-secret" + policy: consoleAdmin ``` For more details on how to customize the Minio deployment, please see [Configuring Minio](https://github.com/defenseunicorns/uds-k3d/blob/main/docs/MINIO.md). diff --git a/docs/application-baseline.md b/docs/application-baseline.md index c16ea009d..27d507175 100644 --- a/docs/application-baseline.md +++ b/docs/application-baseline.md 
@@ -16,10 +16,10 @@ For optimal deployment and operational efficiency, it is important to deliver a | **Capability** | **Application** | | ---------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| **Service Mesh** | **Istio:** A powerful service mesh tool that provides traffic management, load balancing, security, and observability features. | -| **Monitoring** | **Prometheus Stack:** Collects and stores time-series data for insights into application health and performance.

**Grafana:** Provides visualization and alerting capabilities for monitoring metrics.

**Metrics Server:** Offers resource utilization metrics for Kubernetes clusters, aiding in capacity planning and optimization. | -| **Logging** | **Loki:** A log aggregation system that allows users to store, search, and analyze logs across their applications.

**Promtail:** A companion agent that efficiently gathers and sends log data to Loki, simplifying log monitoring, troubleshooting, and compliance auditing, enhancing the overall observability of the mission environment. | -| **Security and Compliance** | **NeuVector:** Offers container-native security, protecting applications against threats and vulnerabilities.

**Pepr:** UDS policy engine and operator for enhanced security and compliance. | -| **Identity and Access Management** | **Keycloak:** A robust open-source Identity and Access Management solution, providing centralized authentication, authorization, and user management for enhanced security and control over access to mission-critical resources. | -| **Backup and Restore** | **Velero:** Provides backup and restore capabilities for Kubernetes clusters, ensuring data protection and disaster recovery. | -| **Authorization** | **AuthService:** Offers centralized authorization services, managing access control and permissions within the mission environment. | +| **Service Mesh** | **[Istio](https://istio.io/):** A powerful service mesh that provides traffic management, load balancing, security, and observability features. | +| **Monitoring** | **[Metrics Server](https://kubernetes-sigs.github.io/metrics-server/):** Provides container resource utilization metrics API for Kubernetes clusters.

**[Prometheus](https://prometheus.io/):** Scrapes Metrics Server API and application metrics and stores the data in a time-series database for insights into application health and performance.

**[Grafana](https://grafana.com/grafana/):** Provides visualization and alerting capabilities based on Prometheus's time-series database of metrics. | +| **Logging** | **[Promtail](https://grafana.com/docs/loki/latest/send-data/promtail/):** A companion agent that efficiently gathers and sends container logs to Loki, simplifying log monitoring, troubleshooting, and compliance auditing, enhancing the overall observability of the mission environment.

**[Loki](https://grafana.com/docs/loki/latest/):** A log aggregation system that allows users to store, search, and analyze logs across their applications. | +| **Security and Compliance** | **[NeuVector](https://open-docs.neuvector.com/):** Offers container-native security, protecting applications against threats and vulnerabilities.

**[Pepr](https://pepr.dev/):** UDS policy engine and operator for enhanced security and compliance.| +| **Identity and Access Management** | **[Keycloak](https://www.keycloak.org/):** A robust open-source Identity and Access Management solution, providing centralized authentication, authorization, and user management for enhanced security and control over access to mission-critical resources.| +| **Backup and Restore** | **[Velero](https://velero.io/):** Provides backup and restore capabilities for Kubernetes clusters, ensuring data protection and disaster recovery.| +| **Authorization** | **[AuthService](https://github.com/istio-ecosystem/authservice):** Offers centralized authorization services, managing access control and permissions within the Istio mesh. AuthService plays a supporting role to Keycloak as it handles part of the OIDC redirect flow.| diff --git a/docs/configuration/uds-operator.md b/docs/configuration/uds-operator.md index f406192b1..b8319ffb0 100644 --- a/docs/configuration/uds-operator.md +++ b/docs/configuration/uds-operator.md 
@@ -18,6 +18,12 @@ The UDS Operator plays a pivotal role in managing the lifecycle of UDS Package C - The operator creates targeted network policies for remote endpoints, such as `KubeAPI` and `CloudMetadata`. This approach aims to enhance policy management by reducing redundancy (DRY) and facilitating dynamic bindings in scenarios where static definitions are impractical. - **Creating Istio Virtual Services and Related Ingress Gateway Network Policies:** - In addition, the operator is responsible for generating Istio Virtual Services and the associated network policies for the ingress gateway. +- **SSO Group Authentication:** + - Group authentication determines who can access the application based on keycloak group membership. + - At this time `anyOf` allows defining a list of groups, a user must belong to at least one of them. + {{% alert-caution %}} + Warning: **SSO Group Authentication** is in Alpha and may not be stable. Avoid using in production. Feedback is appreciated to improve reliability. + {{% /alert-caution %}} ### Example UDS Package CR @@ -58,7 +64,10 @@ spec: - name: Grafana Dashboard clientId: uds-core-admin-grafana redirectUris: - - "https://grafana.admin.uds.dev/login/generic_oauth" + - "https://grafana.admin.{{ .Values.domain }}/login/generic_oauth" + groups: + anyOf: + - /UDS Core/Admin ``` ## Exemption diff --git a/docs/deployment/uds-deploy.md b/docs/deployment/uds-deploy.md index e230bef54..de7702c98 100644 --- a/docs/deployment/uds-deploy.md +++ b/docs/deployment/uds-deploy.md @@ -90,7 +90,7 @@ Below is an example of the workflow developing the [metrics-server package](http ```cli # Create the dev environment -uds run dev +uds run dev-setup # If developing the Pepr module: npx pepr dev diff --git a/external-contrib.md b/external-contrib.md deleted file mode 100644 index c14e87f95..000000000 --- a/external-contrib.md +++ /dev/null 
@@ -1,56 +0,0 @@ -# Options for Outside Contributor Secret Usage in GitHub PRs - -## Skip Jobs Requiring Secrets - -- The simplest approach to the problem. -- Just skip over or stub out jobs if the required secrets are not present. -- In practice, this would mean skipping Ironbank tests on PRs (and Chainguard in the future). -- Tests could still be run pre-release. -- Primary flavor specific changes tend to be Renovate PRs which do not run on a fork -- If we want we could still add a slash command or another option to trigger specific flavor tests, but not require them/link them to the PR directly - -## Use Slash Commands as Trigger - -- Ironbank workflows would be triggered by `issue_comment` and `repository_dispatch`. -- This would provide a "ChatOps" like experience where a maintainer comments `/test` or similar to trigger checks requiring secrets. -- [slash-command-dispatch](https://github.com/peter-evans/slash-command-dispatch) is already used in some places in the company. -- Downsides: - - Workflows must be on `main` before they are used since the slash command will trigger a `main` workflow. 
- - Extra process for triggering workflows (although this could reduce runner minute usage for renovate PRs) - - Decent amount of complexity and/or external action usage to make this process seamless - - Job status is not fully accurate/realtime - - Jobs reflect as "Pending" with a description of "Running" (or whatever we want) rather than the normal GitHub spinner for running jobs - - Pending/Completed statuses are set during the job run so technically the status updates happen slightly after/before job start/finish - - There is no way to set a "Cancelled" status symbol via the API - -## Use workflow run as trigger - -- Ironbank workflows would be triggered by `workflow_run` in response to `pull_request` workflows -- This would be a fully automated process/flow, and only be limited for outside contributors (manual approval needed) -- Downsides: - - `workflow_run` changes must be on main before they are used - - Job status is not fully accurate/realtime - - Jobs reflect as "Pending" with a description of "Running" (or whatever we want) rather than the normal GitHub spinner for running jobs - - Pending/Completed statuses are set during the job run so technically the status updates happen slightly after/before job start/finish - - There is no way to set a "Cancelled" status symbol via the API, but we can set error/failure and a description of "Cancelled" - - Any jobs that were triggered but pending (i.e. waiting on a runner) will not reflect their status in the PR since they have to start before status shows - -## Use PR Target as Trigger - -- Ironbank workflows would be triggered by `pull_request_target`. -- As part of the workflow, we would checkout the PRs code. 
-- This is inherently dangerous ([learn more](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/)) and not "protected" by the workflow approval org settings ([see documentation](https://docs.github.com/en/enterprise-cloud@latest/actions/managing-workflow-runs/approving-workflow-runs-from-public-forks#about-workflow-runs-from-public-forks)). -- We could run the job under a GitHub environment with required approvers (and filter based on user identity to auto-run unicorn PRs but require approval on true external users?). -- Downsides: - - Workflows/workflow changes must be on `main` before they are used since the `pull_request_target` will use the `main` workflows - - "Deploying" to an environment in a PR is very noisy and could be confusing as no deployment is actually happening - -## Create a staging branch for external changes - -- PRs from external contributors would be into a `staging` type branch (NOT main) -- These PRs would only run upstream checks -- Merges from `staging` to `main` would run additional check where secrets would be accessible -- Downsides: - - Added complexity for external contributions - - Little benefit over the "skip job" option - PRs still have to be merged somewhere and follow-on fixes would likely be handled internally prior to release - diff --git a/package-lock.json b/package-lock.json index e3db575e0..c318fba67 100644 --- a/package-lock.json +++ b/package-lock.json 
@@ -8,26 +8,17 @@ "name": "uds-core", "version": "0.5.0", "dependencies": { - "pepr": "0.32.3" + "pepr": "0.32.6" }, "devDependencies": { "@jest/globals": "29.7.0", "jest": "29.7.0", - "ts-jest": "29.1.5" + "ts-jest": "29.2.0" }, "engines": { "node": ">=20.0.0" } }, - "node_modules/@aashutoshrathi/word-wrap": { - "version": "1.2.6", - "resolved": "https://registry.npmjs.org/@aashutoshrathi/word-wrap/-/word-wrap-1.2.6.tgz", - "integrity": "sha512-1Yjs2SvM8TflER/OD3cOjhWWOZb58A2t7wpE2S9XfBYTiIl+XFhQG2bjy4Pu1I+EAlCNUzRDYDdFwFYUKvXcIA==", - "peer": true, - "engines": { - "node": ">=0.10.0" - } - }, "node_modules/@ampproject/remapping": { "version": "2.3.0", "resolved": "https://registry.npmjs.org/@ampproject/remapping/-/remapping-2.3.0.tgz", @@ -42,12 +33,12 @@ } }, "node_modules/@babel/code-frame": { - "version": "7.24.2", - "resolved": "https://registry.npmjs.org/@babel/code-frame/-/code-frame-7.24.2.tgz", - "integrity": "sha512-y5+tLQyV8pg3fsiln67BVLD1P13Eg4lh5RW9mF0zUuvLrv9uIQ4MCL+CRT+FTsBlBjcIan6PGsLcBN0m3ClUyQ==", + "version": "7.24.7", + "resolved": "https://registry.npmjs.org/@babel/code-frame/-/code-frame-7.24.7.tgz", + "integrity": "sha512-BcYH1CVJBO9tvyIZ2jVeXgSIMvGZ2FDRvDdOIVQyuklNKSsx+eppDEBq/g47Ayw+RqNFE+URvOShmf+f/qwAlA==", "dev": true, "dependencies": { - "@babel/highlight": "^7.24.2", + "@babel/highlight": "^7.24.7", "picocolors": "^1.0.0" }, "engines": { 
@@ -55,30 +46,30 @@ } }, "node_modules/@babel/compat-data": { - "version": "7.24.1", - "resolved": "https://registry.npmjs.org/@babel/compat-data/-/compat-data-7.24.1.tgz", - "integrity": "sha512-Pc65opHDliVpRHuKfzI+gSA4zcgr65O4cl64fFJIWEEh8JoHIHh0Oez1Eo8Arz8zq/JhgKodQaxEwUPRtZylVA==", + "version": "7.24.7", + "resolved": "https://registry.npmjs.org/@babel/compat-data/-/compat-data-7.24.7.tgz", + "integrity": "sha512-qJzAIcv03PyaWqxRgO4mSU3lihncDT296vnyuE2O8uA4w3UHWI4S3hgeZd1L8W1Bft40w9JxJ2b412iDUFFRhw==", "dev": true, "engines": { "node": ">=6.9.0" } }, "node_modules/@babel/core": { - "version": "7.24.3", - "resolved": "https://registry.npmjs.org/@babel/core/-/core-7.24.3.tgz", - "integrity": "sha512-5FcvN1JHw2sHJChotgx8Ek0lyuh4kCKelgMTTqhYJJtloNvUfpAFMeNQUtdlIaktwrSV9LtCdqwk48wL2wBacQ==", + "version": "7.24.7", + "resolved": "https://registry.npmjs.org/@babel/core/-/core-7.24.7.tgz", + "integrity": "sha512-nykK+LEK86ahTkX/3TgauT0ikKoNCfKHEaZYTUVupJdTLzGNvrblu4u6fa7DhZONAltdf8e662t/abY8idrd/g==", "dev": true, "dependencies": { "@ampproject/remapping": "^2.2.0", - "@babel/code-frame": "^7.24.2", - "@babel/generator": "^7.24.1", - "@babel/helper-compilation-targets": "^7.23.6", - "@babel/helper-module-transforms": "^7.23.3", - "@babel/helpers": "^7.24.1", - "@babel/parser": "^7.24.1", - "@babel/template": "^7.24.0", - "@babel/traverse": "^7.24.1", - "@babel/types": "^7.24.0", + "@babel/code-frame": "^7.24.7", + "@babel/generator": "^7.24.7", + "@babel/helper-compilation-targets": "^7.24.7", + "@babel/helper-module-transforms": "^7.24.7", + "@babel/helpers": "^7.24.7", + "@babel/parser": "^7.24.7", + "@babel/template": "^7.24.7", + "@babel/traverse": "^7.24.7", + "@babel/types": "^7.24.7", "convert-source-map": "^2.0.0", "debug": "^4.1.0", "gensync": "^1.0.0-beta.2", 
@@ -103,12 +94,12 @@ } }, "node_modules/@babel/generator": { - "version": "7.24.1", - "resolved": "https://registry.npmjs.org/@babel/generator/-/generator-7.24.1.tgz", - "integrity": "sha512-DfCRfZsBcrPEHUfuBMgbJ1Ut01Y/itOs+hY2nFLgqsqXd52/iSiVq5TITtUasIUgm+IIKdY2/1I7auiQOEeC9A==", + "version": "7.24.7", + "resolved": "https://registry.npmjs.org/@babel/generator/-/generator-7.24.7.tgz", + "integrity": "sha512-oipXieGC3i45Y1A41t4tAqpnEZWgB/lC6Ehh6+rOviR5XWpTtMmLN+fGjz9vOiNRt0p6RtO6DtD0pdU3vpqdSA==", "dev": true, "dependencies": { - "@babel/types": "^7.24.0", + "@babel/types": "^7.24.7", "@jridgewell/gen-mapping": "^0.3.5", "@jridgewell/trace-mapping": "^0.3.25", "jsesc": "^2.5.1" @@ -118,13 +109,13 @@ } }, "node_modules/@babel/helper-compilation-targets": { - "version": "7.23.6", - "resolved": "https://registry.npmjs.org/@babel/helper-compilation-targets/-/helper-compilation-targets-7.23.6.tgz", - "integrity": "sha512-9JB548GZoQVmzrFgp8o7KxdgkTGm6xs9DW0o/Pim72UDjzr5ObUQ6ZzYPqA+g9OTS2bBQoctLJrky0RDCAWRgQ==", + "version": "7.24.7", + "resolved": "https://registry.npmjs.org/@babel/helper-compilation-targets/-/helper-compilation-targets-7.24.7.tgz", + "integrity": "sha512-ctSdRHBi20qWOfy27RUb4Fhp07KSJ3sXcuSvTrXrc4aG8NSYDo1ici3Vhg9bg69y5bj0Mr1lh0aeEgTvc12rMg==", "dev": true, "dependencies": { - "@babel/compat-data": "^7.23.5", - "@babel/helper-validator-option": "^7.23.5", + "@babel/compat-data": "^7.24.7", + "@babel/helper-validator-option": "^7.24.7", "browserslist": "^4.22.2", "lru-cache": "^5.1.1", "semver": "^6.3.1" 
@@ -143,62 +134,66 @@ } }, "node_modules/@babel/helper-environment-visitor": { - "version": "7.22.20", - "resolved": "https://registry.npmjs.org/@babel/helper-environment-visitor/-/helper-environment-visitor-7.22.20.tgz", - "integrity": "sha512-zfedSIzFhat/gFhWfHtgWvlec0nqB9YEIVrpuwjruLlXfUSnA8cJB0miHKwqDnQ7d32aKo2xt88/xZptwxbfhA==", + "version": "7.24.7", + "resolved": "https://registry.npmjs.org/@babel/helper-environment-visitor/-/helper-environment-visitor-7.24.7.tgz", + "integrity": "sha512-DoiN84+4Gnd0ncbBOM9AZENV4a5ZiL39HYMyZJGZ/AZEykHYdJw0wW3kdcsh9/Kn+BRXHLkkklZ51ecPKmI1CQ==", "dev": true, + "dependencies": { + "@babel/types": "^7.24.7" + }, "engines": { "node": ">=6.9.0" } }, "node_modules/@babel/helper-function-name": { - "version": "7.23.0", - "resolved": "https://registry.npmjs.org/@babel/helper-function-name/-/helper-function-name-7.23.0.tgz", - "integrity": "sha512-OErEqsrxjZTJciZ4Oo+eoZqeW9UIiOcuYKRJA4ZAgV9myA+pOXhhmpfNCKjEH/auVfEYVFJ6y1Tc4r0eIApqiw==", + "version": "7.24.7", + "resolved": "https://registry.npmjs.org/@babel/helper-function-name/-/helper-function-name-7.24.7.tgz", + "integrity": "sha512-FyoJTsj/PEUWu1/TYRiXTIHc8lbw+TDYkZuoE43opPS5TrI7MyONBE1oNvfguEXAD9yhQRrVBnXdXzSLQl9XnA==", "dev": true, "dependencies": { - "@babel/template": "^7.22.15", - "@babel/types": "^7.23.0" + "@babel/template": "^7.24.7", + "@babel/types": "^7.24.7" }, "engines": { "node": ">=6.9.0" } }, "node_modules/@babel/helper-hoist-variables": { - "version": "7.22.5", - "resolved": "https://registry.npmjs.org/@babel/helper-hoist-variables/-/helper-hoist-variables-7.22.5.tgz", - "integrity": "sha512-wGjk9QZVzvknA6yKIUURb8zY3grXCcOZt+/7Wcy8O2uctxhplmUPkOdlgoNhmdVee2c92JXbf1xpMtVNbfoxRw==", + "version": "7.24.7", + "resolved": "https://registry.npmjs.org/@babel/helper-hoist-variables/-/helper-hoist-variables-7.24.7.tgz", + "integrity": "sha512-MJJwhkoGy5c4ehfoRyrJ/owKeMl19U54h27YYftT0o2teQ3FJ3nQUf/I3LlJsX4l3qlw7WRXUmiyajvHXoTubQ==", "dev": true, "dependencies": { - 
"@babel/types": "^7.22.5" + "@babel/types": "^7.24.7" }, "engines": { "node": ">=6.9.0" } }, "node_modules/@babel/helper-module-imports": { - "version": "7.24.3", - "resolved": "https://registry.npmjs.org/@babel/helper-module-imports/-/helper-module-imports-7.24.3.tgz", - "integrity": "sha512-viKb0F9f2s0BCS22QSF308z/+1YWKV/76mwt61NBzS5izMzDPwdq1pTrzf+Li3npBWX9KdQbkeCt1jSAM7lZqg==", + "version": "7.24.7", + "resolved": "https://registry.npmjs.org/@babel/helper-module-imports/-/helper-module-imports-7.24.7.tgz", + "integrity": "sha512-8AyH3C+74cgCVVXow/myrynrAGv+nTVg5vKu2nZph9x7RcRwzmh0VFallJuFTZ9mx6u4eSdXZfcOzSqTUm0HCA==", "dev": true, "dependencies": { - "@babel/types": "^7.24.0" + "@babel/traverse": "^7.24.7", + "@babel/types": "^7.24.7" }, "engines": { "node": ">=6.9.0" } }, "node_modules/@babel/helper-module-transforms": { - "version": "7.23.3", - "resolved": "https://registry.npmjs.org/@babel/helper-module-transforms/-/helper-module-transforms-7.23.3.tgz", - "integrity": "sha512-7bBs4ED9OmswdfDzpz4MpWgSrV7FXlc3zIagvLFjS5H+Mk7Snr21vQ6QwrsoCGMfNC4e4LQPdoULEt4ykz0SRQ==", + "version": "7.24.7", + "resolved": "https://registry.npmjs.org/@babel/helper-module-transforms/-/helper-module-transforms-7.24.7.tgz", + "integrity": "sha512-1fuJEwIrp+97rM4RWdO+qrRsZlAeL1lQJoPqtCYWv0NL115XM93hIH4CSRln2w52SqvmY5hqdtauB6QFCDiZNQ==", "dev": true, "dependencies": { - "@babel/helper-environment-visitor": "^7.22.20", - "@babel/helper-module-imports": "^7.22.15", - "@babel/helper-simple-access": "^7.22.5", - "@babel/helper-split-export-declaration": "^7.22.6", - "@babel/helper-validator-identifier": "^7.22.20" + "@babel/helper-environment-visitor": "^7.24.7", + "@babel/helper-module-imports": "^7.24.7", + "@babel/helper-simple-access": "^7.24.7", + "@babel/helper-split-export-declaration": "^7.24.7", + "@babel/helper-validator-identifier": "^7.24.7" }, "engines": { "node": ">=6.9.0" 
@@ -208,86 +203,86 @@ } }, "node_modules/@babel/helper-plugin-utils": { - "version": "7.24.0", - "resolved": "https://registry.npmjs.org/@babel/helper-plugin-utils/-/helper-plugin-utils-7.24.0.tgz", - "integrity": "sha512-9cUznXMG0+FxRuJfvL82QlTqIzhVW9sL0KjMPHhAOOvpQGL8QtdxnBKILjBqxlHyliz0yCa1G903ZXI/FuHy2w==", + "version": "7.24.7", + "resolved": "https://registry.npmjs.org/@babel/helper-plugin-utils/-/helper-plugin-utils-7.24.7.tgz", + "integrity": "sha512-Rq76wjt7yz9AAc1KnlRKNAi/dMSVWgDRx43FHoJEbcYU6xOWaE2dVPwcdTukJrjxS65GITyfbvEYHvkirZ6uEg==", "dev": true, "engines": { "node": ">=6.9.0" } }, "node_modules/@babel/helper-simple-access": { - "version": "7.22.5", - "resolved": "https://registry.npmjs.org/@babel/helper-simple-access/-/helper-simple-access-7.22.5.tgz", - "integrity": "sha512-n0H99E/K+Bika3++WNL17POvo4rKWZ7lZEp1Q+fStVbUi8nxPQEBOlTmCOxW/0JsS56SKKQ+ojAe2pHKJHN35w==", + "version": "7.24.7", + "resolved": "https://registry.npmjs.org/@babel/helper-simple-access/-/helper-simple-access-7.24.7.tgz", + "integrity": "sha512-zBAIvbCMh5Ts+b86r/CjU+4XGYIs+R1j951gxI3KmmxBMhCg4oQMsv6ZXQ64XOm/cvzfU1FmoCyt6+owc5QMYg==", "dev": true, "dependencies": { - "@babel/types": "^7.22.5" + "@babel/traverse": "^7.24.7", + "@babel/types": "^7.24.7" }, "engines": { "node": ">=6.9.0" } }, "node_modules/@babel/helper-split-export-declaration": { - "version": "7.22.6", - "resolved": "https://registry.npmjs.org/@babel/helper-split-export-declaration/-/helper-split-export-declaration-7.22.6.tgz", - "integrity": "sha512-AsUnxuLhRYsisFiaJwvp1QF+I3KjD5FOxut14q/GzovUe6orHLesW2C7d754kRm53h5gqrz6sFl6sxc4BVtE/g==", + "version": "7.24.7", + "resolved": "https://registry.npmjs.org/@babel/helper-split-export-declaration/-/helper-split-export-declaration-7.24.7.tgz", + "integrity": "sha512-oy5V7pD+UvfkEATUKvIjvIAH/xCzfsFVw7ygW2SI6NClZzquT+mwdTfgfdbUiceh6iQO0CHtCPsyze/MZ2YbAA==", "dev": true, "dependencies": { - "@babel/types": "^7.22.5" + "@babel/types": "^7.24.7" }, "engines": { "node": 
">=6.9.0" } }, "node_modules/@babel/helper-string-parser": { - "version": "7.24.1", - "resolved": "https://registry.npmjs.org/@babel/helper-string-parser/-/helper-string-parser-7.24.1.tgz", - "integrity": "sha512-2ofRCjnnA9y+wk8b9IAREroeUP02KHp431N2mhKniy2yKIDKpbrHv9eXwm8cBeWQYcJmzv5qKCu65P47eCF7CQ==", + "version": "7.24.7", + "resolved": "https://registry.npmjs.org/@babel/helper-string-parser/-/helper-string-parser-7.24.7.tgz", + "integrity": "sha512-7MbVt6xrwFQbunH2DNQsAP5sTGxfqQtErvBIvIMi6EQnbgUOuVYanvREcmFrOPhoXBrTtjhhP+lW+o5UfK+tDg==", "dev": true, "engines": { "node": ">=6.9.0" } }, "node_modules/@babel/helper-validator-identifier": { - "version": "7.22.20", - "resolved": "https://registry.npmjs.org/@babel/helper-validator-identifier/-/helper-validator-identifier-7.22.20.tgz", - "integrity": "sha512-Y4OZ+ytlatR8AI+8KZfKuL5urKp7qey08ha31L8b3BwewJAoJamTzyvxPR/5D+KkdJCGPq/+8TukHBlY10FX9A==", + "version": "7.24.7", + "resolved": "https://registry.npmjs.org/@babel/helper-validator-identifier/-/helper-validator-identifier-7.24.7.tgz", + "integrity": "sha512-rR+PBcQ1SMQDDyF6X0wxtG8QyLCgUB0eRAGguqRLfkCA87l7yAP7ehq8SNj96OOGTO8OBV70KhuFYcIkHXOg0w==", "dev": true, "engines": { "node": ">=6.9.0" } }, "node_modules/@babel/helper-validator-option": { - "version": "7.23.5", - "resolved": "https://registry.npmjs.org/@babel/helper-validator-option/-/helper-validator-option-7.23.5.tgz", - "integrity": "sha512-85ttAOMLsr53VgXkTbkx8oA6YTfT4q7/HzXSLEYmjcSTJPMPQtvq1BD79Byep5xMUYbGRzEpDsjUf3dyp54IKw==", + "version": "7.24.7", + "resolved": "https://registry.npmjs.org/@babel/helper-validator-option/-/helper-validator-option-7.24.7.tgz", + "integrity": "sha512-yy1/KvjhV/ZCL+SM7hBrvnZJ3ZuT9OuZgIJAGpPEToANvc3iM6iDvBnRjtElWibHU6n8/LPR/EjX9EtIEYO3pw==", "dev": true, "engines": { "node": ">=6.9.0" } }, "node_modules/@babel/helpers": { - "version": "7.24.1", - "resolved": "https://registry.npmjs.org/@babel/helpers/-/helpers-7.24.1.tgz", - "integrity": 
"sha512-BpU09QqEe6ZCHuIHFphEFgvNSrubve1FtyMton26ekZ85gRGi6LrTF7zArARp2YvyFxloeiRmtSCq5sjh1WqIg==", + "version": "7.24.7", + "resolved": "https://registry.npmjs.org/@babel/helpers/-/helpers-7.24.7.tgz", + "integrity": "sha512-NlmJJtvcw72yRJRcnCmGvSi+3jDEg8qFu3z0AFoymmzLx5ERVWyzd9kVXr7Th9/8yIJi2Zc6av4Tqz3wFs8QWg==", "dev": true, "dependencies": { - "@babel/template": "^7.24.0", - "@babel/traverse": "^7.24.1", - "@babel/types": "^7.24.0" + "@babel/template": "^7.24.7", + "@babel/types": "^7.24.7" }, "engines": { "node": ">=6.9.0" } }, "node_modules/@babel/highlight": { - "version": "7.24.2", - "resolved": "https://registry.npmjs.org/@babel/highlight/-/highlight-7.24.2.tgz", - "integrity": "sha512-Yac1ao4flkTxTteCDZLEvdxg2fZfz1v8M4QpaGypq/WPDqg3ijHYbDfs+LG5hvzSoqaSZ9/Z9lKSP3CjZjv+pA==", + "version": "7.24.7", + "resolved": "https://registry.npmjs.org/@babel/highlight/-/highlight-7.24.7.tgz", + "integrity": "sha512-EStJpq4OuY8xYfhGVXngigBJRWxftKX9ksiGDnmlY3o7B/V7KIAc9X4oiK87uPJSc/vs5L869bem5fhZa8caZw==", "dev": true, "dependencies": { - "@babel/helper-validator-identifier": "^7.22.20", + "@babel/helper-validator-identifier": "^7.24.7", "chalk": "^2.4.2", "js-tokens": "^4.0.0", "picocolors": "^1.0.0" @@ -368,9 +363,9 @@ } }, "node_modules/@babel/parser": { - "version": "7.24.1", - "resolved": "https://registry.npmjs.org/@babel/parser/-/parser-7.24.1.tgz", - "integrity": "sha512-Zo9c7N3xdOIQrNip7Lc9wvRPzlRtovHVE4lkz8WEDr7uYh/GMQhSiIgFxGIArRHYdJE5kxtZjAf8rT0xhdLCzg==", + "version": "7.24.7", + "resolved": "https://registry.npmjs.org/@babel/parser/-/parser-7.24.7.tgz", + "integrity": "sha512-9uUYRm6OqQrCqQdG1iCBwBPZgN8ciDBro2nIOFaiRz1/BCxaI7CNvQbDHvsArAC7Tw9Hda/B3U+6ui9u4HWXPw==", "dev": true, "bin": { "parser": "bin/babel-parser.js" 
@@ -440,12 +435,12 @@ } }, "node_modules/@babel/plugin-syntax-jsx": { - "version": "7.24.1", - "resolved": "https://registry.npmjs.org/@babel/plugin-syntax-jsx/-/plugin-syntax-jsx-7.24.1.tgz", - "integrity": "sha512-2eCtxZXf+kbkMIsXS4poTvT4Yu5rXiRa+9xGVT56raghjmBTKMpFNc9R4IDiB4emao9eO22Ox7CxuJG7BgExqA==", + "version": "7.24.7", + "resolved": "https://registry.npmjs.org/@babel/plugin-syntax-jsx/-/plugin-syntax-jsx-7.24.7.tgz", + "integrity": "sha512-6ddciUPe/mpMnOKv/U+RSd2vvVy+Yw/JfBB0ZHYjEZt9NLHmCUylNYlsbqCCS1Bffjlb0fCwC9Vqz+sBz6PsiQ==", "dev": true, "dependencies": { - "@babel/helper-plugin-utils": "^7.24.0" + "@babel/helper-plugin-utils": "^7.24.7" }, "engines": { "node": ">=6.9.0" @@ -542,12 +537,12 @@ } }, "node_modules/@babel/plugin-syntax-typescript": { - "version": "7.24.1", - "resolved": "https://registry.npmjs.org/@babel/plugin-syntax-typescript/-/plugin-syntax-typescript-7.24.1.tgz", - "integrity": "sha512-Yhnmvy5HZEnHUty6i++gcfH1/l68AHnItFHnaCv6hn9dNh0hQvvQJsxpi4BMBFN5DLeHBuucT/0DgzXif/OyRw==", + "version": "7.24.7", + "resolved": "https://registry.npmjs.org/@babel/plugin-syntax-typescript/-/plugin-syntax-typescript-7.24.7.tgz", + "integrity": "sha512-c/+fVeJBB0FeKsFvwytYiUD+LBvhHjGSI0g446PRGdSVGZLRNArBUno2PETbAly3tpiNAQR5XaZ+JslxkotsbA==", "dev": true, "dependencies": { - "@babel/helper-plugin-utils": "^7.24.0" + "@babel/helper-plugin-utils": "^7.24.7" }, "engines": { "node": ">=6.9.0" 
@@ -557,33 +552,33 @@ } }, "node_modules/@babel/template": { - "version": "7.24.0", - "resolved": "https://registry.npmjs.org/@babel/template/-/template-7.24.0.tgz", - "integrity": "sha512-Bkf2q8lMB0AFpX0NFEqSbx1OkTHf0f+0j82mkw+ZpzBnkk7e9Ql0891vlfgi+kHwOk8tQjiQHpqh4LaSa0fKEA==", + "version": "7.24.7", + "resolved": "https://registry.npmjs.org/@babel/template/-/template-7.24.7.tgz", + "integrity": "sha512-jYqfPrU9JTF0PmPy1tLYHW4Mp4KlgxJD9l2nP9fD6yT/ICi554DmrWBAEYpIelzjHf1msDP3PxJIRt/nFNfBig==", "dev": true, "dependencies": { - "@babel/code-frame": "^7.23.5", - "@babel/parser": "^7.24.0", - "@babel/types": "^7.24.0" + "@babel/code-frame": "^7.24.7", + "@babel/parser": "^7.24.7", + "@babel/types": "^7.24.7" }, "engines": { "node": ">=6.9.0" } }, "node_modules/@babel/traverse": { - "version": "7.24.1", - "resolved": "https://registry.npmjs.org/@babel/traverse/-/traverse-7.24.1.tgz", - "integrity": "sha512-xuU6o9m68KeqZbQuDt2TcKSxUw/mrsvavlEqQ1leZ/B+C9tk6E4sRWy97WaXgvq5E+nU3cXMxv3WKOCanVMCmQ==", - "dev": true, - "dependencies": { - "@babel/code-frame": "^7.24.1", - "@babel/generator": "^7.24.1", - "@babel/helper-environment-visitor": "^7.22.20", - "@babel/helper-function-name": "^7.23.0", - "@babel/helper-hoist-variables": "^7.22.5", - "@babel/helper-split-export-declaration": "^7.22.6", - "@babel/parser": "^7.24.1", - "@babel/types": "^7.24.0", + "version": "7.24.7", + "resolved": "https://registry.npmjs.org/@babel/traverse/-/traverse-7.24.7.tgz", + "integrity": "sha512-yb65Ed5S/QAcewNPh0nZczy9JdYXkkAbIsEo+P7BE7yO3txAY30Y/oPa3QkQ5It3xVG2kpKMg9MsdxZaO31uKA==", + "dev": true, + "dependencies": { + "@babel/code-frame": "^7.24.7", + "@babel/generator": "^7.24.7", + "@babel/helper-environment-visitor": "^7.24.7", + "@babel/helper-function-name": "^7.24.7", + "@babel/helper-hoist-variables": "^7.24.7", + "@babel/helper-split-export-declaration": "^7.24.7", + "@babel/parser": "^7.24.7", + "@babel/types": "^7.24.7", "debug": "^4.3.1", "globals": "^11.1.0" }, 
@@ -601,13 +596,13 @@ } }, "node_modules/@babel/types": { - "version": "7.24.0", - "resolved": "https://registry.npmjs.org/@babel/types/-/types-7.24.0.tgz", - "integrity": "sha512-+j7a5c253RfKh8iABBhywc8NSfP5LURe7Uh4qpsh6jc+aLJguvmIUBdjSdEMQv2bENrCR5MfRdjGo7vzS/ob7w==", + "version": "7.24.7", + "resolved": "https://registry.npmjs.org/@babel/types/-/types-7.24.7.tgz", + "integrity": "sha512-XEFXSlxiG5td2EJRe8vOmRbaXVgfcBlszKujvVmWIK/UpywWljQCfzAv3RQCGujWQ1RD4YYWEAqDXfuJiy8f5Q==", "dev": true, "dependencies": { - "@babel/helper-string-parser": "^7.23.4", - "@babel/helper-validator-identifier": "^7.22.20", + "@babel/helper-string-parser": "^7.24.7", + "@babel/helper-validator-identifier": "^7.24.7", "to-fast-properties": "^2.0.0" }, "engines": { @@ -1004,9 +999,9 @@ } }, "node_modules/@eslint-community/regexpp": { - "version": "4.10.0", - "resolved": "https://registry.npmjs.org/@eslint-community/regexpp/-/regexpp-4.10.0.tgz", - "integrity": "sha512-Cu96Sd2By9mCNTx2iyKOmq10v22jUVQv0lQnlGNy16oE9589yE+QADPbrMGCkA51cKZSg3Pu/aTJVTGfL/qjUA==", + "version": "4.11.0", + "resolved": "https://registry.npmjs.org/@eslint-community/regexpp/-/regexpp-4.11.0.tgz", + "integrity": "sha512-G/M/tIiMrTAxEWRfLfQJMmGNX28IxBg4PBz8XqQhqUHLFI6TL2htpIB1iQCj144V5ee/JaKyT9/WZ0MGZWfA7A==", "peer": true, "engines": { "node": "^12.0.0 || ^14.0.0 || >=16.0.0" 
@@ -1047,13 +1042,13 @@ "node_modules/@glideapps/ts-necessities": { "version": "2.2.3", "resolved": "https://registry.npmjs.org/@glideapps/ts-necessities/-/ts-necessities-2.2.3.tgz", - "integrity": "sha512-gXi0awOZLHk3TbW55GZLCPP6O+y/b5X1pBXKBVckFONSwF1z1E5ND2BGJsghQFah+pW7pkkyFb2VhUQI2qhL5w==", - "license": "MIT" + "integrity": "sha512-gXi0awOZLHk3TbW55GZLCPP6O+y/b5X1pBXKBVckFONSwF1z1E5ND2BGJsghQFah+pW7pkkyFb2VhUQI2qhL5w==" }, "node_modules/@humanwhocodes/config-array": { "version": "0.11.14", "resolved": "https://registry.npmjs.org/@humanwhocodes/config-array/-/config-array-0.11.14.tgz", "integrity": "sha512-3T8LkOmg45BV5FICb15QQMsyUSWrQ8AygVfC7ZG32zOalnqrilm018ZVCw0eapXux8FtA33q8PSRSstjee3jSg==", + "deprecated": "Use @eslint/config-array instead", "peer": true, "dependencies": { "@humanwhocodes/object-schema": "^2.0.2", @@ -1078,16 +1073,16 @@ } }, "node_modules/@humanwhocodes/object-schema": { - "version": "2.0.2", - "resolved": "https://registry.npmjs.org/@humanwhocodes/object-schema/-/object-schema-2.0.2.tgz", - "integrity": "sha512-6EwiSjwWYP7pTckG6I5eyFANjPhmPjUX9JRLUSfNPC7FX7zK9gyZAfUEaECL6ALTpGX5AjnBq3C9XmVWPitNpw==", + "version": "2.0.3", + "resolved": "https://registry.npmjs.org/@humanwhocodes/object-schema/-/object-schema-2.0.3.tgz", + "integrity": "sha512-93zYdMES/c1D69yZiKDBj0V24vqNzB/koF26KPaagAfd3P/4gUlh3Dys5ogAK+Exi9QyzlD8x/08Zt7wIKcDcA==", + "deprecated": "Use @eslint/object-schema instead", "peer": true }, "node_modules/@isaacs/cliui": { "version": "8.0.2", "resolved": "https://registry.npmjs.org/@isaacs/cliui/-/cliui-8.0.2.tgz", "integrity": "sha512-O8jcjabXaleOG9DQ0+ARXWZBTfnP4WNAqzuiJK7ll44AmxGKv/J2M4TPjxjY3znBCfvBXFzucm1twdyFybFqEA==", - "license": "ISC", "dependencies": { "string-width": "^5.1.2", "string-width-cjs": "npm:string-width@^4.2.0", 
@@ -1104,7 +1099,6 @@ "version": "6.0.1", "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-6.0.1.tgz", "integrity": "sha512-n5M855fKb2SsfMIiFFoVrABHJC8QtHwVx+mHWP3QcEqBHYienj5dHSgjbxtC0WEZXYt4wcD6zrQElDPhFuZgfA==", - "license": "MIT", "engines": { "node": ">=12" }, @@ -1116,7 +1110,6 @@ "version": "6.2.1", "resolved": "https://registry.npmjs.org/ansi-styles/-/ansi-styles-6.2.1.tgz", "integrity": "sha512-bN798gFfQX+viw3R7yrGWRqnrN2oRkEkUjjl4JNn4E8GxxbjtG3FbrEIIY3l8/hrwUwIeCZvi4QuOTP4MErVug==", - "license": "MIT", "engines": { "node": ">=12" }, @@ -1127,14 +1120,12 @@ "node_modules/@isaacs/cliui/node_modules/emoji-regex": { "version": "9.2.2", "resolved": "https://registry.npmjs.org/emoji-regex/-/emoji-regex-9.2.2.tgz", - "integrity": "sha512-L18DaJsXSUk2+42pv8mLs5jJT2hqFkFE4j21wOmgbUqsZ2hL72NsUU785g9RXgo3s0ZNgVl42TiHp3ZtOv/Vyg==", - "license": "MIT" + "integrity": "sha512-L18DaJsXSUk2+42pv8mLs5jJT2hqFkFE4j21wOmgbUqsZ2hL72NsUU785g9RXgo3s0ZNgVl42TiHp3ZtOv/Vyg==" }, "node_modules/@isaacs/cliui/node_modules/string-width": { "version": "5.1.2", "resolved": "https://registry.npmjs.org/string-width/-/string-width-5.1.2.tgz", "integrity": "sha512-HnLOCR3vjcY8beoNLtcjZ5/nxn2afmME6lhrDrebokqMap+XbeW8n9TXpPDOqdGK5qcI3oT0GKTW6wC7EMiVqA==", - "license": "MIT", "dependencies": { "eastasianwidth": "^0.2.0", "emoji-regex": "^9.2.2", @@ -1151,7 +1142,6 @@ "version": "7.1.0", "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-7.1.0.tgz", "integrity": "sha512-iq6eVVI64nQQTRYq2KtEg2d2uU7LElhTJwsH4YzIHZshxlgZms/wIc4VoDQTlG/IvVIrBKG06CrZnp0qv7hkcQ==", - "license": "MIT", "dependencies": { "ansi-regex": "^6.0.1" }, @@ -1166,7 +1156,6 @@ "version": "8.1.0", "resolved": "https://registry.npmjs.org/wrap-ansi/-/wrap-ansi-8.1.0.tgz", "integrity": "sha512-si7QWI6zUMq56bESFvagtmzMdGOtoxfR+Sez11Mobfc7tm+VkUckk9bW2UeffTGVUbOksxmSw0AA2gs8g71NCQ==", - "license": "MIT", "dependencies": { "ansi-styles": "^6.1.0", "string-width": "^5.0.1", 
@@ -1183,7 +1172,6 @@ "version": "4.0.1", "resolved": "https://registry.npmjs.org/@isaacs/fs-minipass/-/fs-minipass-4.0.1.tgz", "integrity": "sha512-wgm9Ehl2jpeqP3zw/7mo3kRHFp5MEDhqAdwy1fTGkHAwnkGOVsgpvQhL8B5n1qlb01jV3n/bI0ZfZp5lWA1k4w==", - "license": "ISC", "dependencies": { "minipass": "^7.0.4" }, @@ -1195,7 +1183,6 @@ "version": "7.1.2", "resolved": "https://registry.npmjs.org/minipass/-/minipass-7.1.2.tgz", "integrity": "sha512-qOOzS1cBTWYF4BH8fVePDBOO9iptMnGUEZwNc/cMWnTV2nVLZ7VoNWEPHkYczZA0pdoA7dl6e7FL659nX9S2aw==", - "license": "ISC", "engines": { "node": ">=16 || 14 >=14.17" } @@ -1638,7 +1625,6 @@ "version": "1.2.1", "resolved": "https://registry.npmjs.org/@jsep-plugin/assignment/-/assignment-1.2.1.tgz", "integrity": "sha512-gaHqbubTi29aZpVbBlECRpmdia+L5/lh2BwtIJTmtxdbecEyyX/ejAOg7eQDGNvGOUmPY7Z2Yxdy9ioyH/VJeA==", - "license": "MIT", "engines": { "node": ">= 10.16.0" }, @@ -1650,7 +1636,6 @@ "version": "1.0.3", "resolved": "https://registry.npmjs.org/@jsep-plugin/regex/-/regex-1.0.3.tgz", "integrity": "sha512-XfZgry4DwEZvSFtS/6Y+R48D7qJYJK6R9/yJFyUFHCIUMEEHuJ4X95TDgJp5QkmzfLYvapMPzskV5HpIDrREug==", - "license": "MIT", "engines": { "node": ">= 10.16.0" }, @@ -1662,7 +1647,6 @@ "version": "1.0.0-rc6", "resolved": "https://registry.npmjs.org/@kubernetes/client-node/-/client-node-1.0.0-rc6.tgz", "integrity": "sha512-CBNOZ0rrGc2NKx3/1Bu4Be6DLPbNWDDLmjgZ0DmIWOpEye/kyVf4vKqOCwfm+eM//reebW8DLxGZUsrrXETkEA==", - "license": "Apache-2.0", "dependencies": { "@types/js-yaml": "^4.0.1", "@types/node": "^20.3.1", 
@@ -1724,9 +1708,9 @@ } }, "node_modules/@opentelemetry/api": { - "version": "1.8.0", - "resolved": "https://registry.npmjs.org/@opentelemetry/api/-/api-1.8.0.tgz", - "integrity": "sha512-I/s6F7yKUDdtMsoBWXJe8Qz40Tui5vsuKCWJEWVL+5q9sSWRzzx6v2KeNsOBEwd94j0eWkpWCH4yB6rZg9Mf0w==", + "version": "1.9.0", + "resolved": "https://registry.npmjs.org/@opentelemetry/api/-/api-1.9.0.tgz", + "integrity": "sha512-3giAOQvZiH5F9bMlMiv8+GSPMeqg0dbaeo58/0SlA9sxSqZhnUtxzX9/2FzyhS9sWQf5S0GJE0AKBrFqjpeYcg==", "engines": { "node": ">=8.0.0" } @@ -1735,7 +1719,6 @@ "version": "0.11.0", "resolved": "https://registry.npmjs.org/@pkgjs/parseargs/-/parseargs-0.11.0.tgz", "integrity": "sha512-+1VkjdD0QBLPodGrJUeqarH8VAIvQODIbwh9XpP5Syisf7YoQgsJKPNFoqqLQlu+VQ/tVSshMR6loPMn8U+dPg==", - "license": "MIT", "optional": true, "engines": { "node": ">=14" @@ -1798,9 +1781,9 @@ } }, "node_modules/@types/babel__traverse": { - "version": "7.20.5", - "resolved": "https://registry.npmjs.org/@types/babel__traverse/-/babel__traverse-7.20.5.tgz", - "integrity": "sha512-WXCyOcRtH37HAUkpXhUduaxdm82b4GSlyTqajXviN4EfiuPgNYR109xMCKvpl6zPIpua0DGlMEDCq+g8EdoheQ==", + "version": "7.20.6", + "resolved": "https://registry.npmjs.org/@types/babel__traverse/-/babel__traverse-7.20.6.tgz", + "integrity": "sha512-r1bzfrm0tomOI8g1SzvCaQHo6Lcv6zu0EA+W2kHrt8dyrHQxGzBBL4kdkzIS+jBMV+EYcMAEAqXqYaLJq5rOZg==", "dev": true, "dependencies": { "@babel/types": "^7.20.7" @@ -1842,8 +1825,7 @@ "node_modules/@types/js-yaml": { "version": "4.0.9", "resolved": "https://registry.npmjs.org/@types/js-yaml/-/js-yaml-4.0.9.tgz", - "integrity": "sha512-k4MGaQl5TGo/iipqb2UDG2UwjXziSWkh0uysQelTlJpX1qGlpUZYm8PnO4DxG1qBomtJUdYJ6qR6xdIah10JLg==", - "license": "MIT" + "integrity": "sha512-k4MGaQl5TGo/iipqb2UDG2UwjXziSWkh0uysQelTlJpX1qGlpUZYm8PnO4DxG1qBomtJUdYJ6qR6xdIah10JLg==" }, "node_modules/@types/json-schema": { "version": "7.0.15", 
@@ -1852,9 +1834,9 @@ "peer": true }, "node_modules/@types/node": { - "version": "20.11.30", - "resolved": "https://registry.npmjs.org/@types/node/-/node-20.11.30.tgz", - "integrity": "sha512-dHM6ZxwlmuZaRmUPfv1p+KrdD1Dci04FbdEm/9wEMouFqxYoFl5aMkt0VMAUtYRQDyYvD41WJLukhq/ha3YuTw==", + "version": "20.14.9", + "resolved": "https://registry.npmjs.org/@types/node/-/node-20.14.9.tgz", + "integrity": "sha512-06OCtnTXtWOZBJlRApleWndH4JsRVs1pDCc8dLSQp+7PpUpX3ePdHyeNSFTeSe7FtKyQkrlPvHwJOW3SLd8Oyg==", "dependencies": { "undici-types": "~5.26.4" } @@ -1863,7 +1845,6 @@ "version": "2.6.11", "resolved": "https://registry.npmjs.org/@types/node-fetch/-/node-fetch-2.6.11.tgz", "integrity": "sha512-24xFj9R5+rfQJLRyM56qh+wnVSYhyXC2tkoBndtY0U+vubqNsYXGjufB2nn8Q6gt0LrARwL6UBtMCSVCwl4B1g==", - "license": "MIT", "dependencies": { "@types/node": "*", "form-data": "^4.0.0" @@ -1873,7 +1854,6 @@ "version": "0.30.0", "resolved": "https://registry.npmjs.org/@types/ramda/-/ramda-0.30.0.tgz", "integrity": "sha512-DQtfqUbSB18iM9NHbQ++kVUDuBWHMr6T2FpW1XTiksYRGjq4WnNPZLt712OEHEBJs7aMyJ68Mf2kGMOP1srVVw==", - "license": "MIT", "dependencies": { "types-ramda": "^0.30.0" } @@ -1894,7 +1874,6 @@ "version": "3.0.7", "resolved": "https://registry.npmjs.org/@types/stream-buffers/-/stream-buffers-3.0.7.tgz", "integrity": "sha512-azOCy05sXVXrO+qklf0c/B07H/oHaIuDDAiHPVwlk3A9Ek+ksHyTeMajLZl3r76FxpPpxem//4Te61G1iW3Giw==", - "license": "MIT", "dependencies": { "@types/node": "*" } @@ -1903,7 +1882,6 @@ "version": "6.1.13", "resolved": "https://registry.npmjs.org/@types/tar/-/tar-6.1.13.tgz", "integrity": "sha512-IznnlmU5f4WcGTh2ltRu/Ijpmk8wiWXfF0VA4s+HPjHZgvFggk1YaIkbo5krX/zUCzWF8N/l4+W/LNxnvAJ8nw==", - "license": "MIT", "dependencies": { "@types/node": "*", "minipass": "^4.0.0" 
@@ -1912,14 +1890,12 @@ "node_modules/@types/underscore": { "version": "1.11.15", "resolved": "https://registry.npmjs.org/@types/underscore/-/underscore-1.11.15.tgz", - "integrity": "sha512-HP38xE+GuWGlbSRq9WrZkousaQ7dragtZCruBVMi0oX1migFZavZ3OROKHSkNp/9ouq82zrWtZpg18jFnVN96g==", - "license": "MIT" + "integrity": "sha512-HP38xE+GuWGlbSRq9WrZkousaQ7dragtZCruBVMi0oX1migFZavZ3OROKHSkNp/9ouq82zrWtZpg18jFnVN96g==" }, "node_modules/@types/ws": { "version": "8.5.10", "resolved": "https://registry.npmjs.org/@types/ws/-/ws-8.5.10.tgz", "integrity": "sha512-vmQSUcfalpIq0R9q7uTo2lXs6eGIpt9wtnLdMv9LVpIjCA/+ufZRozlVoVelIYixx1ugCBKDhn89vnsEGOCx9A==", - "license": "MIT", "dependencies": { "@types/node": "*" } @@ -2158,9 +2134,9 @@ } }, "node_modules/acorn": { - "version": "8.11.3", - "resolved": "https://registry.npmjs.org/acorn/-/acorn-8.11.3.tgz", - "integrity": "sha512-Y9rRfJG5jcKOE0CLisYbojUjIrIEE7AGMzA/Sm4BslANhbS+cDMpgBdcPT91oJ7OuJ9hYJBx59RjbhxVnrF8Xg==", + "version": "8.12.0", + "resolved": "https://registry.npmjs.org/acorn/-/acorn-8.12.0.tgz", + "integrity": "sha512-RTvkC4w+KNXrM39/lWCUaG0IbRkWdCv7W/IOW9oU6SawyxulvkQy5HQPVTKxEjczcUvapcrw3cFx/60VN/NRNw==", "peer": true, "bin": { "acorn": "bin/acorn" @@ -2278,8 +2254,7 @@ "node_modules/asynckit": { "version": "0.4.0", "resolved": "https://registry.npmjs.org/asynckit/-/asynckit-0.4.0.tgz", - "integrity": "sha512-Oei9OH4tRh0YqU3GxhX79dM/mwVgvbZJaSNaRk+bshkj0S5cfHcgYakreBjrHwatXKbz+IoIdYLxrKim2MjW0Q==", - "license": "MIT" + "integrity": "sha512-Oei9OH4tRh0YqU3GxhX79dM/mwVgvbZJaSNaRk+bshkj0S5cfHcgYakreBjrHwatXKbz+IoIdYLxrKim2MjW0Q==" }, "node_modules/atomic-sleep": { "version": "1.0.0", 
@@ -2480,11 +2455,11 @@ } }, "node_modules/braces": { - "version": "3.0.2", - "resolved": "https://registry.npmjs.org/braces/-/braces-3.0.2.tgz", - "integrity": "sha512-b8um+L1RzM3WDSzvhm6gIz1yfTbBt6YTlcEKAvsmqCZZFw46z626lVj9j1yEPW33H5H+lBQpZMP1k8l+78Ha0A==", + "version": "3.0.3", + "resolved": "https://registry.npmjs.org/braces/-/braces-3.0.3.tgz", + "integrity": "sha512-yQbXgO/OSZVD2IsiLlro+7Hf6Q18EJrKSEsdoMzKePKXct3gvD8oLcOQdIzGupr5Fj+EDe8gO/lxc1BzfMpxvA==", "dependencies": { - "fill-range": "^7.0.1" + "fill-range": "^7.1.1" }, "engines": { "node": ">=8" @@ -2493,13 +2468,12 @@ "node_modules/browser-or-node": { "version": "3.0.0", "resolved": "https://registry.npmjs.org/browser-or-node/-/browser-or-node-3.0.0.tgz", - "integrity": "sha512-iczIdVJzGEYhP5DqQxYM9Hh7Ztpqqi+CXZpSmX8ALFs9ecXkQIeqRyM6TfxEfMVpwhl3dSuDvxdzzo9sUOIVBQ==", - "license": "MIT" + "integrity": "sha512-iczIdVJzGEYhP5DqQxYM9Hh7Ztpqqi+CXZpSmX8ALFs9ecXkQIeqRyM6TfxEfMVpwhl3dSuDvxdzzo9sUOIVBQ==" }, "node_modules/browserslist": { - "version": "4.23.0", - "resolved": "https://registry.npmjs.org/browserslist/-/browserslist-4.23.0.tgz", - "integrity": "sha512-QW8HiM1shhT2GuzkvklfjcKDiWFXHOeFCIA/huJPwHsslwcydgk7X+z2zXpEijP98UCY7HbubZt5J2Zgvf0CaQ==", + "version": "4.23.1", + "resolved": "https://registry.npmjs.org/browserslist/-/browserslist-4.23.1.tgz", + "integrity": "sha512-TUfofFo/KsK/bWZ9TWQ5O26tsWW4Uhmt8IYklbnUa70udB6P2wA7w7o4PY4muaEPBQaAX+CEnmmIA41NVHtPVw==", "dev": true, "funding": [ { @@ -2516,10 +2490,10 @@ } ], "dependencies": { - "caniuse-lite": "^1.0.30001587", - "electron-to-chromium": "^1.4.668", + "caniuse-lite": "^1.0.30001629", + "electron-to-chromium": "^1.4.796", "node-releases": "^2.0.14", - "update-browserslist-db": "^1.0.13" + "update-browserslist-db": "^1.0.16" }, "bin": { "browserslist": "cli.js" 
@@ -2582,7 +2556,6 @@ "version": "5.0.0", "resolved": "https://registry.npmjs.org/byline/-/byline-5.0.0.tgz", "integrity": "sha512-s6webAy+R4SR8XVuJWt2V2rGvhnrhxN+9S15GNuTK3wKPOXFF6RNc+8ug2XhH+2s4f+uudG4kUVYmYOQWL2g0Q==", - "license": "MIT", "engines": { "node": ">=0.10.0" } @@ -2631,9 +2604,9 @@ } }, "node_modules/caniuse-lite": { - "version": "1.0.30001600", - "resolved": "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001600.tgz", - "integrity": "sha512-+2S9/2JFhYmYaDpZvo0lKkfvuKIglrx68MwOBqMGHhQsNkLjB5xtc/TGoEPs+MxjSyN/72qer2g97nzR641mOQ==", + "version": "1.0.30001639", + "resolved": "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001639.tgz", + "integrity": "sha512-eFHflNTBIlFwP2AIKaYuBQN/apnUoKNhBdza8ZnW/h2di4LCZ4xFqYlxUxo+LQ76KFI1PGcC1QDxMbxTZpSCAg==", "dev": true, "funding": [ { @@ -2678,7 +2651,6 @@ "version": "3.0.0", "resolved": "https://registry.npmjs.org/chownr/-/chownr-3.0.0.tgz", "integrity": "sha512-+IxzY9BZOQd/XuYPRmrvEVjF/nqj5kgT4kEq7VofrDoM1MxoRjEWkrCC3EtLi59TVawxTAn+orJwFQcrqEN1+g==", - "license": "BlueOak-1.0.0", "engines": { "node": ">=18" } @@ -2699,9 +2671,9 @@ } }, "node_modules/cjs-module-lexer": { - "version": "1.2.3", - "resolved": "https://registry.npmjs.org/cjs-module-lexer/-/cjs-module-lexer-1.2.3.tgz", - "integrity": "sha512-0TNiGstbQmCFwt4akjjBg5pLRTSyj/PkWQ1ZoO2zntmg9yLqSRxwEa4iCfQLGjqhiqBfOJa7W/E8wfGrTDmlZQ==", + "version": "1.3.1", + "resolved": "https://registry.npmjs.org/cjs-module-lexer/-/cjs-module-lexer-1.3.1.tgz", + "integrity": "sha512-a3KdPAANPbNE4ZUv9h6LckSl9zLsYOP4MBmhIPkRaeyybt+r4UghLvq+xw/YwUcC1gqylCkL4rdVs3Lwupjm4Q==", "dev": true }, "node_modules/cliui": { 
@@ -2736,8 +2708,7 @@ "node_modules/collection-utils": { "version": "1.0.1", "resolved": "https://registry.npmjs.org/collection-utils/-/collection-utils-1.0.1.tgz", - "integrity": "sha512-LA2YTIlR7biSpXkKYwwuzGjwL5rjWEZVOSnvdUc7gObvWe4WkjxOpfrdhoP7Hs09YWDVfg0Mal9BpAqLfVEzQg==", - "license": "Apache-2.0" + "integrity": "sha512-LA2YTIlR7biSpXkKYwwuzGjwL5rjWEZVOSnvdUc7gObvWe4WkjxOpfrdhoP7Hs09YWDVfg0Mal9BpAqLfVEzQg==" }, "node_modules/color-convert": { "version": "2.0.1", @@ -2764,7 +2735,6 @@ "version": "1.0.8", "resolved": "https://registry.npmjs.org/combined-stream/-/combined-stream-1.0.8.tgz", "integrity": "sha512-FQN4MRfuJeHf7cBbBMJFXhKSDq+2kAArBlmRBvcvFE5BB1HZKXtSFASDhdlz9zOYwxh8lDdnvmMOe/+5cdoEdg==", - "license": "MIT", "dependencies": { "delayed-stream": "~1.0.0" }, @@ -2849,7 +2819,6 @@ "version": "4.0.0", "resolved": "https://registry.npmjs.org/cross-fetch/-/cross-fetch-4.0.0.tgz", "integrity": "sha512-e4a5N8lVvuLgAWgnCrLr2PP0YyDOTHa9H/Rj54dirp61qXnNq46m82bRhNqIA5VccJtWBvPTFRV3TtvHUKPB1g==", - "license": "MIT", "dependencies": { "node-fetch": "^2.6.12" } @@ -2876,9 +2845,9 @@ } }, "node_modules/debug": { - "version": "4.3.4", - "resolved": "https://registry.npmjs.org/debug/-/debug-4.3.4.tgz", - "integrity": "sha512-PRWFHuSU3eDtQJPvnNY7Jcket1j0t5OuOsFzPPzsekD52Zl8qUfFIPEiswXqIvHWGVHOgX+7G/vCNNhehwxfkQ==", + "version": "4.3.5", + "resolved": "https://registry.npmjs.org/debug/-/debug-4.3.5.tgz", + "integrity": "sha512-pt0bNEmneDIvdL1Xsd9oDQ/wrQRkXDT4AUWlNZNPKvW5x/jyO9VFXkJUP07vQ2upmw5PlaITaPKc31jK13V+jg==", "dependencies": { "ms": "2.1.2" }, 
@@ -2892,9 +2861,9 @@ } }, "node_modules/dedent": { - "version": "1.5.1", - "resolved": "https://registry.npmjs.org/dedent/-/dedent-1.5.1.tgz", - "integrity": "sha512-+LxW+KLWxu3HW3M2w2ympwtqPrqYRzU8fqi6Fhd18fBALe15blJPI/I4+UHveMVG6lJqB4JNd4UG0S5cnVHwIg==", + "version": "1.5.3", + "resolved": "https://registry.npmjs.org/dedent/-/dedent-1.5.3.tgz", + "integrity": "sha512-NHQtfOOW68WD8lgypbLA5oT+Bt0xXJhiYvoR6SmmNXZfpzOGXwdKWmcwG8N7PwVVWV3eF/68nmD9BaJSsTBhyQ==", "dev": true, "peerDependencies": { "babel-plugin-macros": "^3.1.0" @@ -2940,7 +2909,6 @@ "version": "1.0.0", "resolved": "https://registry.npmjs.org/delayed-stream/-/delayed-stream-1.0.0.tgz", "integrity": "sha512-ZySD7Nf91aLB0RxL4KGrKHBXl7Eds1DAmEdcoVawXnLD7SDhpNgtuII2aAkg7a7QS41jxPSZ17p4VdGnMHk3MQ==", - "license": "MIT", "engines": { "node": ">=0.4.0" } @@ -3007,8 +2975,7 @@ "node_modules/eastasianwidth": { "version": "0.2.0", "resolved": "https://registry.npmjs.org/eastasianwidth/-/eastasianwidth-0.2.0.tgz", - "integrity": "sha512-I88TYZWc9XiYHRQ4/3c5rjjfgkjhLyW2luGIheGERbNQ6OY7yTybanSpDXZa8y7VUP9YmDcYa+eyq4ca7iLqWA==", - "license": "MIT" + "integrity": "sha512-I88TYZWc9XiYHRQ4/3c5rjjfgkjhLyW2luGIheGERbNQ6OY7yTybanSpDXZa8y7VUP9YmDcYa+eyq4ca7iLqWA==" }, "node_modules/ee-first": { "version": "1.1.1", @@ -3016,9 +2983,9 @@ "integrity": "sha512-WMwm9LhRUo+WUaRN+vRuETqG89IgZphVSNkdFgeb6sS/E4OrDIN7t48CAewSHXc6C8lefD8KKfr5vY61brQlow==" }, "node_modules/electron-to-chromium": { - "version": "1.4.715", - "resolved": "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.4.715.tgz", - "integrity": "sha512-XzWNH4ZSa9BwVUQSDorPWAUQ5WGuYz7zJUNpNif40zFCiCl20t8zgylmreNmn26h5kiyw2lg7RfTmeMBsDklqg==", + "version": "1.4.815", + "resolved": "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.4.815.tgz", + "integrity": "sha512-OvpTT2ItpOXJL7IGcYakRjHCt8L5GrrN/wHCQsRB4PQa1X9fe+X9oen245mIId7s14xvArCGSTIq644yPUKKLg==", "dev": true }, "node_modules/emittery": { 
@@ -3525,9 +3492,9 @@ } }, "node_modules/fill-range": { - "version": "7.0.1", - "resolved": "https://registry.npmjs.org/fill-range/-/fill-range-7.0.1.tgz", - "integrity": "sha512-qOo9F+dMUmC2Lcb4BbVvnKJxTPjCm+RRpe4gDuGrzkL7mEVl/djYSu2OdQ2Pa302N4oqkSg9ir6jaLWJ2USVpQ==", + "version": "7.1.1", + "resolved": "https://registry.npmjs.org/fill-range/-/fill-range-7.1.1.tgz", + "integrity": "sha512-YsGpe3WHLK8ZYi4tWDg2Jy3ebRz2rXowDxnld4bkQB00cc/1Zw9AWnC0i9ztDJitivtQvaI9KaLyKrc+hBW0yg==", "dependencies": { "to-regex-range": "^5.0.1" }, @@ -3605,7 +3572,6 @@ "version": "3.2.1", "resolved": "https://registry.npmjs.org/foreground-child/-/foreground-child-3.2.1.tgz", "integrity": "sha512-PXUUyLqrR2XCWICfv6ukppP96sdFwWbNEnfEMt7jNsISjMsvaLNinAHNDYyvkyU+SZG2BTSbT5NjG+vZslfGTA==", - "license": "ISC", "dependencies": { "cross-spawn": "^7.0.0", "signal-exit": "^4.0.1" @@ -3621,7 +3587,6 @@ "version": "4.1.0", "resolved": "https://registry.npmjs.org/signal-exit/-/signal-exit-4.1.0.tgz", "integrity": "sha512-bzyZ1e88w9O1iNJbKnOlvYTrWPDl46O1bG0D3XInv+9tkPrxrN8jUUTiFlDkkmKWgn1M6CfIA13SuGqOa9Korw==", - "license": "ISC", "engines": { "node": ">=14" }, @@ -3633,7 +3598,6 @@ "version": "4.0.0", "resolved": "https://registry.npmjs.org/form-data/-/form-data-4.0.0.tgz", "integrity": "sha512-ETEklSGi5t0QMZuiXoA/Q6vcnxcLQP5vdugSpuAyi6SVGi2clPPp+xgEhuMaHC+zGgn31Kd235W35f7Hykkaww==", - "license": "MIT", "dependencies": { "asynckit": "^0.4.0", "combined-stream": "^1.0.8", @@ -3746,6 +3710,7 @@ "version": "7.2.3", "resolved": "https://registry.npmjs.org/glob/-/glob-7.2.3.tgz", "integrity": "sha512-nFR0zLpU2YCaRxwoCJvL6UvCH2JFyFVIvwTLsIf21AuHlMskA1hhTdk+LlYJtOlYt9v6dvszD2BGRqBL+iQK9Q==", + "deprecated": "Glob versions prior to v9 are no longer supported", "dependencies": { "fs.realpath": "^1.0.0", "inflight": "^1.0.4", 
@@ -4009,6 +3974,7 @@ "version": "1.0.6", "resolved": "https://registry.npmjs.org/inflight/-/inflight-1.0.6.tgz", "integrity": "sha512-k92I/b08q4wvFscXCLvqfsHCrjrF7yiXsQuIVvVE7N82W3+aqpzuUdBbfhWcy/FZR3/4IgflMgKLOsvPDrGCJA==", + "deprecated": "This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.", "dependencies": { "once": "^1.3.0", "wrappy": "1" @@ -4034,12 +4000,15 @@ "dev": true }, "node_modules/is-core-module": { - "version": "2.13.1", - "resolved": "https://registry.npmjs.org/is-core-module/-/is-core-module-2.13.1.tgz", - "integrity": "sha512-hHrIjvZsftOsvKSn2TRYl63zvxsgE0K+0mYMoH6gD4omR5IWB2KynivBQczo3+wF1cCkjzvptnI9Q0sPU66ilw==", + "version": "2.14.0", + "resolved": "https://registry.npmjs.org/is-core-module/-/is-core-module-2.14.0.tgz", + "integrity": "sha512-a5dFJih5ZLYlRtDc0dZWP7RiKr6xIKzmn/oAYCDvdLThadVgyJwlaoQPmRtMSpz+rk0OGAgIu+TcM9HUF0fk1A==", "dev": true, "dependencies": { - "hasown": "^2.0.0" + "hasown": "^2.0.2" + }, + "engines": { + "node": ">= 0.4" }, "funding": { "url": "https://github.com/sponsors/ljharb" @@ -4115,8 +4084,7 @@ "node_modules/is-url": { "version": "1.2.4", "resolved": "https://registry.npmjs.org/is-url/-/is-url-1.2.4.tgz", - "integrity": "sha512-ITvGim8FhRiYe4IQ5uHSkj7pVaPDrCTkNd3yq3cV7iZAcJdHTUMPMEHcqSOy9xZ9qFenQCvi+2wjH9a1nXqHww==", - "license": "MIT" + "integrity": "sha512-ITvGim8FhRiYe4IQ5uHSkj7pVaPDrCTkNd3yq3cV7iZAcJdHTUMPMEHcqSOy9xZ9qFenQCvi+2wjH9a1nXqHww==" }, "node_modules/isexe": { "version": "2.0.0", @@ -4127,7 +4095,6 @@ "version": "5.0.0", "resolved": "https://registry.npmjs.org/isomorphic-ws/-/isomorphic-ws-5.0.0.tgz", "integrity": "sha512-muId7Zzn9ywDsyXgTIafTry2sV3nySZeUDe6YedVd1Hvuuep5AsIlqK+XefWpYTyJG5e503F2xIuT2lcU6rCSw==", - "license": "MIT", "peerDependencies": { "ws": "*" } 
@@ -4142,9 +4109,9 @@ } }, "node_modules/istanbul-lib-instrument": { - "version": "6.0.2", - "resolved": "https://registry.npmjs.org/istanbul-lib-instrument/-/istanbul-lib-instrument-6.0.2.tgz", - "integrity": "sha512-1WUsZ9R1lA0HtBSohTkm39WTPlNKSJ5iFk7UwqXkBLoHQT+hfqPsfsTDVuZdKGaBwn7din9bS7SsnoAr943hvw==", + "version": "6.0.3", + "resolved": "https://registry.npmjs.org/istanbul-lib-instrument/-/istanbul-lib-instrument-6.0.3.tgz", + "integrity": "sha512-Vtgk7L/R2JHyyGW07spoFlB8/lpjiOLTjMdms6AFMraYt3BaJauod/NGrfnVG/y4Ix1JEuMRPDPEj2ua+zz1/Q==", "dev": true, "dependencies": { "@babel/core": "^7.23.9", @@ -4202,7 +4169,6 @@ "version": "3.4.0", "resolved": "https://registry.npmjs.org/jackspeak/-/jackspeak-3.4.0.tgz", "integrity": "sha512-JVYhQnN59LVPFCEcVa2C3CrEKYacvjRfqIQl+h8oi91aLYQVWRYbxjPcv1bUiUy/kLmQaANrYfNMCO3kuEDHfw==", - "license": "BlueOak-1.0.0", "dependencies": { "@isaacs/cliui": "^8.0.2" }, @@ -4775,7 +4741,6 @@ "version": "4.15.7", "resolved": "https://registry.npmjs.org/jose/-/jose-4.15.7.tgz", "integrity": "sha512-L7ioP+JAuZe8v+T5+zVI9Tx8LtU8BL7NxkyDFVMv+Qr3JW0jSoYDedLtodaXwfqMpeCyx4WXFNyu9tJt4WvC1A==", - "license": "MIT", "funding": { "url": "https://github.com/sponsors/panva" } @@ -4791,8 +4756,7 @@ "node_modules/js-base64": { "version": "3.7.7", "resolved": "https://registry.npmjs.org/js-base64/-/js-base64-3.7.7.tgz", - "integrity": "sha512-7rCnleh0z2CkXhH67J8K1Ytz0b2Y+yxTPL+/KOJoa20hfnVQ/3/T6W/KflYI4bRHRagNeXeU2bkNGI3v1oS/lw==", - "license": "BSD-3-Clause" + "integrity": "sha512-7rCnleh0z2CkXhH67J8K1Ytz0b2Y+yxTPL+/KOJoa20hfnVQ/3/T6W/KflYI4bRHRagNeXeU2bkNGI3v1oS/lw==" }, "node_modules/js-tokens": { "version": "4.0.0", @@ -4815,7 +4779,6 @@ "version": "1.3.8", "resolved": "https://registry.npmjs.org/jsep/-/jsep-1.3.8.tgz", "integrity": "sha512-qofGylTGgYj9gZFsHuyWAN4jr35eJ66qJCK4eKDnldohuUoQFbU3iZn2zjvEbd9wOAhP9Wx5DsAAduTyE1PSWQ==", - "license": "MIT", "engines": { "node": ">= 10.16.0" } 
@@ -4872,7 +4835,6 @@ "version": "9.0.0", "resolved": "https://registry.npmjs.org/jsonpath-plus/-/jsonpath-plus-9.0.0.tgz", "integrity": "sha512-bqE77VIDStrOTV/czspZhTn+o27Xx9ZJRGVkdVShEtPoqsIx5yALv3lWVU6y+PqYvWPJNWE7ORCQheQkEe0DDA==", - "license": "MIT", "dependencies": { "@jsep-plugin/assignment": "^1.2.1", "@jsep-plugin/regex": "^1.0.3", @@ -4904,10 +4866,9 @@ } }, "node_modules/kubernetes-fluent-client": { - "version": "2.6.2", - "resolved": "https://registry.npmjs.org/kubernetes-fluent-client/-/kubernetes-fluent-client-2.6.2.tgz", - "integrity": "sha512-NS9knldOXpsvDKeQ7yjww0+cWkpJij5TPK52vHHHQRHV1clZv+Nngi+cPChPEpwSNrIyf7lz7Nzj+X4hoPAPOw==", - "license": "Apache-2.0", + "version": "2.6.3", + "resolved": "https://registry.npmjs.org/kubernetes-fluent-client/-/kubernetes-fluent-client-2.6.3.tgz", + "integrity": "sha512-JgOp2/Y1rNNPAYKek7wq4qL1DcF/3Bf2a39NRUL2QPhnONcrU1f/on1OPMAzz7vZ4zfH2rluMPE/nmxo5l7QAA==", "dependencies": { "@kubernetes/client-node": "1.0.0-rc6", "byline": "5.0.0", @@ -4929,7 +4890,6 @@ "version": "4.20.1", "resolved": "https://registry.npmjs.org/type-fest/-/type-fest-4.20.1.tgz", "integrity": "sha512-R6wDsVsoS9xYOpy8vgeBlqpdOyzJ12HNfQhC/aAKWM3YoCV9TtunJzh/QpkMgeDhkoynDcw5f1y+qF9yc/HHyg==", - "license": "(MIT OR CC0-1.0)", "engines": { "node": ">=16" }, @@ -4983,8 +4943,7 @@ "node_modules/lodash": { "version": "4.17.21", "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz", - "integrity": "sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg==", - "license": "MIT" + "integrity": "sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg==" }, "node_modules/lodash.memoize": { "version": "4.1.2", 
@@ -5074,11 +5033,11 @@ } }, "node_modules/micromatch": { - "version": "4.0.5", - "resolved": "https://registry.npmjs.org/micromatch/-/micromatch-4.0.5.tgz", - "integrity": "sha512-DMy+ERcEW2q8Z2Po+WNXuw3c5YaUSFjAO5GsJqfEl7UjvtIuFKO6ZrKvcItdy98dwFI2N1tg3zNIdKaQT+aNdA==", + "version": "4.0.7", + "resolved": "https://registry.npmjs.org/micromatch/-/micromatch-4.0.7.tgz", + "integrity": "sha512-LPP/3KorzCwBxfeUuZmaR6bG2kdeHSbe0P2tY3FLRU4vYrjYz5hI4QZwV0njUx3jeuKe67YukQ1LSPZBKDqO/Q==", "dependencies": { - "braces": "^3.0.2", + "braces": "^3.0.3", "picomatch": "^2.3.1" }, "engines": { @@ -5147,7 +5106,6 @@ "version": "4.2.8", "resolved": "https://registry.npmjs.org/minipass/-/minipass-4.2.8.tgz", "integrity": "sha512-fNzuVyifolSLFL4NzpF+wEF4qrgqaaKX0haXPQEdQ7NKAN+WecoKMHV09YcuL/DHxrUsYQOK3MiuDf7Ip2OXfQ==", - "license": "ISC", "engines": { "node": ">=8" } @@ -5156,7 +5114,6 @@ "version": "3.0.1", "resolved": "https://registry.npmjs.org/minizlib/-/minizlib-3.0.1.tgz", "integrity": "sha512-umcy022ILvb5/3Djuu8LWeqUa8D68JaBzlttKeMWen48SjabqS3iY5w/vzeMzMUNhLDifyhbOwKDSznB1vvrwg==", - "license": "MIT", "dependencies": { "minipass": "^7.0.4", "rimraf": "^5.0.5" @@ -5169,7 +5126,6 @@ "version": "2.0.1", "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.1.tgz", "integrity": "sha512-XnAIvQ8eM+kC6aULx6wuQiwVsnzsi9d3WxzV3FpWTGA19F621kwdbsAcFKXgKUHZWsy+mY6iL1sHTxWEFCytDA==", - "license": "MIT", "dependencies": { "balanced-match": "^1.0.0" } @@ -5178,7 +5134,6 @@ "version": "10.4.2", "resolved": "https://registry.npmjs.org/glob/-/glob-10.4.2.tgz", "integrity": "sha512-GwMlUF6PkPo3Gk21UxkCohOv0PLcIXVtKyLlpEI28R/cO/4eNOdmLk3CMW1wROV/WR/EsZOWAfBbBOqYvs88/w==", - "license": "ISC", "dependencies": { "foreground-child": "^3.1.0", "jackspeak": "^3.1.2", 
@@ -5198,10 +5153,9 @@ } }, "node_modules/minizlib/node_modules/minimatch": { - "version": "9.0.4", - "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-9.0.4.tgz", - "integrity": "sha512-KqWh+VchfxcMNRAJjj2tnsSJdNbHsVgnkBhTNrW7AjVo6OvLtxw8zfT9oLw1JSohlFzJ8jCoTgaoXvJ+kHt6fw==", - "license": "ISC", + "version": "9.0.5", + "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-9.0.5.tgz", + "integrity": "sha512-G6T0ZX48xgozx7587koeX9Ys2NYy6Gmv//P89sEte9V9whIapMNF4idKxnW2QtCcLiTWlb/wfCabAtAFWhhBow==", "dependencies": { "brace-expansion": "^2.0.1" }, @@ -5216,7 +5170,6 @@ "version": "7.1.2", "resolved": "https://registry.npmjs.org/minipass/-/minipass-7.1.2.tgz", "integrity": "sha512-qOOzS1cBTWYF4BH8fVePDBOO9iptMnGUEZwNc/cMWnTV2nVLZ7VoNWEPHkYczZA0pdoA7dl6e7FL659nX9S2aw==", - "license": "ISC", "engines": { "node": ">=16 || 14 >=14.17" } @@ -5225,7 +5178,6 @@ "version": "5.0.7", "resolved": "https://registry.npmjs.org/rimraf/-/rimraf-5.0.7.tgz", "integrity": "sha512-nV6YcJo5wbLW77m+8KjH8aB/7/rxQy9SZ0HY5shnwULfS+9nmTtVXAJET5NdZmCzA4fPI/Hm1wo/Po/4mopOdg==", - "license": "ISC", "dependencies": { "glob": "^10.3.7" }, @@ -5243,7 +5195,6 @@ "version": "3.0.1", "resolved": "https://registry.npmjs.org/mkdirp/-/mkdirp-3.0.1.tgz", "integrity": "sha512-+NsyUUAZDmo6YVHzL/stxSu3t9YS1iljliy3BSDrXJ/dkn1KYdmtZODGGjLcc9XLgVVpH4KshHB8XmZgMhaBXg==", - "license": "MIT", "bin": { "mkdirp": "dist/cjs/src/bin.js" }, @@ -5276,7 +5227,6 @@ "version": "2.7.0", "resolved": "https://registry.npmjs.org/node-fetch/-/node-fetch-2.7.0.tgz", "integrity": "sha512-c4FRfUm/dbcWZ7U+1Wq0AwCyFL+3nt2bEw05wfxSz+DWpWsitgmSgYmy2dQdWyKC1694ELPqMs/YzUSNozLt8A==", - "license": "MIT", "dependencies": { "whatwg-url": "^5.0.0" }, 
@@ -5338,15 +5288,17 @@ "version": "2.2.0", "resolved": "https://registry.npmjs.org/object-hash/-/object-hash-2.2.0.tgz", "integrity": "sha512-gScRMn0bS5fH+IuwyIFgnh9zBdo4DV+6GhygmWM9HyNJSgS0hScp1f5vjtm7oIIOiT9trXrShAkLFSc2IqKNgw==", - "license": "MIT", "engines": { "node": ">= 6" } }, "node_modules/object-inspect": { - "version": "1.13.1", - "resolved": "https://registry.npmjs.org/object-inspect/-/object-inspect-1.13.1.tgz", - "integrity": "sha512-5qoj1RUiKOMsCCNLV1CBiPYE10sziTsnmNxkAI/rZhiD63CF7IqdFGC/XzjWjpSgLf0LxXX3bDFIh0E18f6UhQ==", + "version": "1.13.2", + "resolved": "https://registry.npmjs.org/object-inspect/-/object-inspect-1.13.2.tgz", + "integrity": "sha512-IRZSRuzJiynemAXPYtPe5BoI/RESNYR7TYm50MC5Mqbd3Jmw5y790sErYw3V6SryFJD64b74qQQs9wn5Bg/k3g==", + "engines": { + "node": ">= 0.4" + }, "funding": { "url": "https://github.com/sponsors/ljharb" } @@ -5355,7 +5307,6 @@ "version": "5.0.3", "resolved": "https://registry.npmjs.org/oidc-token-hash/-/oidc-token-hash-5.0.3.tgz", "integrity": "sha512-IF4PcGgzAr6XXSff26Sk/+P4KZFJVuHAJZj3wgO3vX2bMdNVp/QXTP3P7CEm9V1IdG8lDLY3HhiqpsE/nOwpPw==", - "license": "MIT", "engines": { "node": "^10.13.0 || >=12.0.0" } @@ -5406,7 +5357,6 @@ "version": "5.6.5", "resolved": "https://registry.npmjs.org/openid-client/-/openid-client-5.6.5.tgz", "integrity": "sha512-5P4qO9nGJzB5PI0LFlhj4Dzg3m4odt0qsJTfyEtZyOlkgpILwEioOhVVJOrS1iVH494S4Ee5OCjjg6Bf5WOj3w==", - "license": "MIT", "dependencies": { "jose": "^4.15.5", "lru-cache": "^6.0.0", @@ -5421,7 +5371,6 @@ "version": "6.0.0", "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-6.0.0.tgz", "integrity": "sha512-Jo6dJ04CmSjuznwJSS3pUeWmd/H0ffTlkXXgwZi+eq1UCmqQwCh+eLsYOYCwY991i2Fah4h1BEMCx4qThGbsiA==", - "license": "ISC", "dependencies": { "yallist": "^4.0.0" }, 
@@ -5432,21 +5381,20 @@ "node_modules/openid-client/node_modules/yallist": { "version": "4.0.0", "resolved": "https://registry.npmjs.org/yallist/-/yallist-4.0.0.tgz", - "integrity": "sha512-3wdGidZyq5PB084XLES5TpOSRA3wjXAlIWMhum2kRcv/41Sn2emQ0dycQW4uZXLejwKvg6EsvbdlVL+FYEct7A==", - "license": "ISC" + "integrity": "sha512-3wdGidZyq5PB084XLES5TpOSRA3wjXAlIWMhum2kRcv/41Sn2emQ0dycQW4uZXLejwKvg6EsvbdlVL+FYEct7A==" }, "node_modules/optionator": { - "version": "0.9.3", - "resolved": "https://registry.npmjs.org/optionator/-/optionator-0.9.3.tgz", - "integrity": "sha512-JjCoypp+jKn1ttEFExxhetCKeJt9zhAgAve5FXHixTvFDW/5aEktX9bufBKLRRMdU7bNtpLfcGu94B3cdEJgjg==", + "version": "0.9.4", + "resolved": "https://registry.npmjs.org/optionator/-/optionator-0.9.4.tgz", + "integrity": "sha512-6IpQ7mKUxRcZNLIObR0hz7lxsapSSIYNZJwXPGeF0mTVqGKFIXj1DQcMoT22S3ROcLyY/rz0PWaWZ9ayWmad9g==", "peer": true, "dependencies": { - "@aashutoshrathi/word-wrap": "^1.2.3", "deep-is": "^0.1.3", "fast-levenshtein": "^2.0.6", "levn": "^0.4.1", "prelude-ls": "^1.2.1", - "type-check": "^0.4.0" + "type-check": "^0.4.0", + "word-wrap": "^1.2.5" }, "engines": { "node": ">= 0.8.0" 
@@ -5493,14 +5441,12 @@ "node_modules/package-json-from-dist": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/package-json-from-dist/-/package-json-from-dist-1.0.0.tgz", - "integrity": "sha512-dATvCeZN/8wQsGywez1mzHtTlP22H8OEfPrVMLNr4/eGa+ijtLn/6M5f0dY8UKNrC2O9UCU6SSoG3qRKnt7STw==", - "license": "BlueOak-1.0.0" + "integrity": "sha512-dATvCeZN/8wQsGywez1mzHtTlP22H8OEfPrVMLNr4/eGa+ijtLn/6M5f0dY8UKNrC2O9UCU6SSoG3qRKnt7STw==" }, "node_modules/pako": { "version": "1.0.11", "resolved": "https://registry.npmjs.org/pako/-/pako-1.0.11.tgz", - "integrity": "sha512-4hLB8Py4zZce5s4yd9XzopqwVv/yGNhV1Bl8NTmCq1763HeK2+EwVTv+leGeL13Dnh2wfbqowVPXCIO0z4taYw==", - "license": "(MIT AND Zlib)" + "integrity": "sha512-4hLB8Py4zZce5s4yd9XzopqwVv/yGNhV1Bl8NTmCq1763HeK2+EwVTv+leGeL13Dnh2wfbqowVPXCIO0z4taYw==" }, "node_modules/parent-module": { "version": "1.0.1", @@ -5574,7 +5520,6 @@ "version": "1.11.1", "resolved": "https://registry.npmjs.org/path-scurry/-/path-scurry-1.11.1.tgz", "integrity": "sha512-Xa4Nw17FS9ApQFJ9umLiJS4orGjm7ZzwUrwamcGQuHSzDyth9boKDaycYdDcZDuqYATXw4HFXgaqWTctW/v1HA==", - "license": "BlueOak-1.0.0", "dependencies": { "lru-cache": "^10.2.0", "minipass": "^5.0.0 || ^6.0.2 || ^7.0.0" @@ -5587,10 +5532,9 @@ } }, "node_modules/path-scurry/node_modules/lru-cache": { - "version": "10.2.2", - "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-10.2.2.tgz", - "integrity": "sha512-9hp3Vp2/hFQUiIwKo8XCeFVnrg8Pk3TYNPIR7tJADKi5YfcF7vEaK7avFHTlSy3kOKYaJQaalfEo6YuXdceBOQ==", - "license": "ISC", + "version": "10.3.0", + "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-10.3.0.tgz", + "integrity": "sha512-CQl19J/g+Hbjbv4Y3mFNNXFEL/5t/KCg8POCuUqd4rMKjGG+j1ybER83hxV58zL+dFI1PTkt3GNFSHRt+d8qEQ==", "engines": { "node": "14 || >=16.14" } 
@@ -5599,7 +5543,6 @@ "version": "7.1.2", "resolved": "https://registry.npmjs.org/minipass/-/minipass-7.1.2.tgz", "integrity": "sha512-qOOzS1cBTWYF4BH8fVePDBOO9iptMnGUEZwNc/cMWnTV2nVLZ7VoNWEPHkYczZA0pdoA7dl6e7FL659nX9S2aw==", - "license": "ISC", "engines": { "node": ">=16 || 14 >=14.17" } @@ -5619,18 +5562,17 @@ } }, "node_modules/pepr": { - "version": "0.32.3", - "resolved": "https://registry.npmjs.org/pepr/-/pepr-0.32.3.tgz", - "integrity": "sha512-y2qAtvuip3Caol7HekZ+Ba186snFJcbXQ0yHD5V2R7t3yiP4f0Z3fofB95vX9fJrHWwWjPcjhG2WnrF2fSEdiQ==", - "license": "Apache-2.0", + "version": "0.32.6", + "resolved": "https://registry.npmjs.org/pepr/-/pepr-0.32.6.tgz", + "integrity": "sha512-eX3Kb5ZDKpsG0QIEbXGaTrw+awC+TrajWOSRBc+RvoWtEz+I0c+L6VSRGckMSD9rfAVMqDkx3GsF+DuRDgcD6Q==", "dependencies": { "@types/ramda": "0.30.0", "express": "4.19.2", "fast-json-patch": "3.1.1", - "kubernetes-fluent-client": "2.6.2", + "kubernetes-fluent-client": "2.6.3", "pino": "9.2.0", "pino-pretty": "11.2.1", - "prom-client": "15.1.2", + "prom-client": "15.1.3", "ramda": "0.30.1" }, "bin": { @@ -5653,9 +5595,9 @@ } }, "node_modules/picocolors": { - "version": "1.0.0", - "resolved": "https://registry.npmjs.org/picocolors/-/picocolors-1.0.0.tgz", - "integrity": "sha512-1fygroTLlHu66zi26VoTDv8yRgm0Fccecssto+MhsZ0D/DGW2sm8E8AjW7NU5VVTRt5GxbeZ5qBuJr+HyLYkjQ==", + "version": "1.0.1", + "resolved": "https://registry.npmjs.org/picocolors/-/picocolors-1.0.1.tgz", + "integrity": "sha512-anP1Z8qwhkbmu7MFP5iTt+wQKXgwzf7zTyGlcdzabySa9vd0Xt392U0rVmz9poOaBj0uHJKyyo9/upk0HrEQew==", "dev": true }, "node_modules/picomatch": { @@ -5673,7 +5615,6 @@ "version": "9.2.0", "resolved": "https://registry.npmjs.org/pino/-/pino-9.2.0.tgz", "integrity": "sha512-g3/hpwfujK5a4oVbaefoJxezLzsDgLcNJeITvC6yrfwYeT9la+edCK42j5QpEQSQCZgTKapXvnQIdgZwvRaZug==", - "license": "MIT", "dependencies": { "atomic-sleep": "^1.0.0", "fast-redact": "^3.1.1", 
@@ -5695,7 +5636,6 @@ "version": "1.2.0", "resolved": "https://registry.npmjs.org/pino-abstract-transport/-/pino-abstract-transport-1.2.0.tgz", "integrity": "sha512-Guhh8EZfPCfH+PMXAb6rKOjGQEoy0xlAIn+irODG5kgfYV+BQ0rGYYWTIel3P5mmyXqkYkPmdIkywsn6QKUR1Q==", - "license": "MIT", "dependencies": { "readable-stream": "^4.0.0", "split2": "^4.0.0" @@ -5705,7 +5645,6 @@ "version": "11.2.1", "resolved": "https://registry.npmjs.org/pino-pretty/-/pino-pretty-11.2.1.tgz", "integrity": "sha512-O05NuD9tkRasFRWVaF/uHLOvoRDFD7tb5VMertr78rbsYFjYp48Vg3477EshVAF5eZaEw+OpDl/tu+B0R5o+7g==", - "license": "MIT", "dependencies": { "colorette": "^2.0.7", "dateformat": "^4.6.3", @@ -5729,8 +5668,7 @@ "node_modules/pino-std-serializers": { "version": "7.0.0", "resolved": "https://registry.npmjs.org/pino-std-serializers/-/pino-std-serializers-7.0.0.tgz", - "integrity": "sha512-e906FRY0+tV27iq4juKzSYPbUj2do2X2JX4EzSca1631EB2QJQUqGbDuERal7LCtOpxl6x3+nvo9NPZcmjkiFA==", - "license": "MIT" + "integrity": "sha512-e906FRY0+tV27iq4juKzSYPbUj2do2X2JX4EzSca1631EB2QJQUqGbDuERal7LCtOpxl6x3+nvo9NPZcmjkiFA==" }, "node_modules/pirates": { "version": "4.0.6", @@ -5809,7 +5747,6 @@ "version": "8.0.0", "resolved": "https://registry.npmjs.org/pluralize/-/pluralize-8.0.0.tgz", "integrity": "sha512-Nc3IT5yHzflTfbjgqWcCPpo7DaKy4FnpB0l/zCAW0Tc7jxAiuqSxHasntB3D7887LSrA93kDJ9IXovxJYxyLCA==", - "license": "MIT", "engines": { "node": ">=4" } 
@@ -5878,9 +5815,10 @@ "integrity": "sha512-mqn0kFRl0EoqhnL0GQ0veqFHyIN1yig9RHh/InzORTUiZHFRAur+aMtRkELNwGs9aNwKS6tg/An4NYBPGwvtzQ==" }, "node_modules/prom-client": { - "version": "15.1.2", - "resolved": "https://registry.npmjs.org/prom-client/-/prom-client-15.1.2.tgz", - "integrity": "sha512-on3h1iXb04QFLLThrmVYg1SChBQ9N1c+nKAjebBjokBqipddH3uxmOUcEkTnzmJ8Jh/5TSUnUqS40i2QB2dJHQ==", + "version": "15.1.3", + "resolved": "https://registry.npmjs.org/prom-client/-/prom-client-15.1.3.tgz", + "integrity": "sha512-6ZiOBfCywsD4k1BN9IX0uZhF+tJkV8q8llP64G5Hajs4JOeVLPCwpPVcpXy3BwYiUGgyJzsJJQeOIv7+hDSq8g==", + "license": "Apache-2.0", "dependencies": { "@opentelemetry/api": "^1.4.0", "tdigest": "^0.1.1" @@ -5964,8 +5902,7 @@ "node_modules/querystringify": { "version": "2.2.0", "resolved": "https://registry.npmjs.org/querystringify/-/querystringify-2.2.0.tgz", - "integrity": "sha512-FIqgj2EUvTa7R50u0rGsyTftzjYmv/a3hO345bZNrqabNqjtgiDMgmo4mkUjd+nzU5oF3dClKqFIPUKybUyqoQ==", - "license": "MIT" + "integrity": "sha512-FIqgj2EUvTa7R50u0rGsyTftzjYmv/a3hO345bZNrqabNqjtgiDMgmo4mkUjd+nzU5oF3dClKqFIPUKybUyqoQ==" }, "node_modules/queue-microtask": { "version": "1.2.3", @@ -5996,7 +5933,6 @@ "version": "23.0.170", "resolved": "https://registry.npmjs.org/quicktype-core/-/quicktype-core-23.0.170.tgz", "integrity": "sha512-ZsjveG0yJUIijUx4yQshzyQ5EAXKbFSBTQJHnJ+KoSZVxcS+m3GcmDpzrdUIRYMhgLaF11ZGvLSYi5U0xcwemw==", - "license": "Apache-2.0", "dependencies": { "@glideapps/ts-necessities": "2.2.3", "browser-or-node": "^3.0.0", @@ -6018,7 +5954,6 @@ "version": "0.30.1", "resolved": "https://registry.npmjs.org/ramda/-/ramda-0.30.1.tgz", "integrity": "sha512-tEF5I22zJnuclswcZMc8bDIrwRHRzf+NqVEmqg50ShAZMP7MWeR/RGDthfM/p+BlqvF2fXAzpn8i+SJcYD3alw==", - "license": "MIT", "funding": { "type": "opencollective", "url": "https://opencollective.com/ramda" 
@@ -6047,9 +5982,9 @@ } }, "node_modules/react-is": { - "version": "18.2.0", - "resolved": "https://registry.npmjs.org/react-is/-/react-is-18.2.0.tgz", - "integrity": "sha512-xWGDIW6x921xtzPkhiULtthJHoJvBbF3q26fzloPCK0hsvxtPVelvftw3zjbHWSkR2km9Z+4uxbDDK/6Zw9B8w==", + "version": "18.3.1", + "resolved": "https://registry.npmjs.org/react-is/-/react-is-18.3.1.tgz", + "integrity": "sha512-/LLMVyas0ljjAtoYiPqYiL8VWXzUUdThrmU5+n20DZv+a+ClRoevUzw5JxU+Ieh5/c87ytoTBV9G1FiKfNJdmg==", "dev": true }, "node_modules/readable-stream": { @@ -6071,7 +6006,6 @@ "version": "0.2.0", "resolved": "https://registry.npmjs.org/real-require/-/real-require-0.2.0.tgz", "integrity": "sha512-57frrGM/OCTLqLOAh0mhVA9VBMHd+9U7Zb2THMGdBUoZVOtGbJzjxsYGDJ3A9AYYCP4hn6y1TVbaOfzWtm5GFg==", - "license": "MIT", "engines": { "node": ">= 12.13.0" } @@ -6087,8 +6021,7 @@ "node_modules/requires-port": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/requires-port/-/requires-port-1.0.0.tgz", - "integrity": "sha512-KigOCHcocU3XODJxsu8i/j8T9tzT4adHiecwORRQ0ZZFcp7ahwXuRU1m+yuO90C5ZUyGeGfocHDI14M3L3yDAQ==", - "license": "MIT" + "integrity": "sha512-KigOCHcocU3XODJxsu8i/j8T9tzT4adHiecwORRQ0ZZFcp7ahwXuRU1m+yuO90C5ZUyGeGfocHDI14M3L3yDAQ==" }, "node_modules/resolve": { "version": "1.22.8", 
@@ -6159,13 +6092,13 @@ "node_modules/rfc4648": { "version": "1.5.3", "resolved": "https://registry.npmjs.org/rfc4648/-/rfc4648-1.5.3.tgz", - "integrity": "sha512-MjOWxM065+WswwnmNONOT+bD1nXzY9Km6u3kzvnx8F8/HXGZdz3T6e6vZJ8Q/RIMUSp/nxqjH3GwvJDy8ijeQQ==", - "license": "MIT" + "integrity": "sha512-MjOWxM065+WswwnmNONOT+bD1nXzY9Km6u3kzvnx8F8/HXGZdz3T6e6vZJ8Q/RIMUSp/nxqjH3GwvJDy8ijeQQ==" }, "node_modules/rimraf": { "version": "3.0.2", "resolved": "https://registry.npmjs.org/rimraf/-/rimraf-3.0.2.tgz", "integrity": "sha512-JZkJMZkAGFFPP2YqXZXPbMlMBgsxzE8ILs4lMIX/2o0L9UBw9O/Y3o6wFw/i9YLapcUJWwqbi3kdxIPdC62TIA==", + "deprecated": "Rimraf versions prior to v4 are no longer supported", "peer": true, "dependencies": { "glob": "^7.1.3" @@ -6238,12 +6171,9 @@ "integrity": "sha512-6aU+Rwsezw7VR8/nyvKTx8QpWH9FrcYiXXlqC4z5d5XQBDRqtbfsRjnwGyqbi3gddNtWHuEk9OANUotL26qKUw==" }, "node_modules/semver": { - "version": "7.6.0", - "resolved": "https://registry.npmjs.org/semver/-/semver-7.6.0.tgz", - "integrity": "sha512-EnwXhrlwXMk9gKu5/flx5sv/an57AkRplG3hTK68W7FRDN+k+OWBj65M7719OkA82XLBxrcX0KSHj+X5COhOVg==", - "dependencies": { - "lru-cache": "^6.0.0" - }, + "version": "7.6.2", + "resolved": "https://registry.npmjs.org/semver/-/semver-7.6.2.tgz", + "integrity": "sha512-FNAIBWCx9qcRhoHcgcJ0gvU7SN1lYU2ZXuSfl04bSC5OpvDHFyJCjdNHomPXxjQlCBU67YW64PzY7/VIEH7F2w==", "bin": { "semver": "bin/semver.js" }, 
@@ -6251,22 +6181,6 @@ "node": ">=10" } }, - "node_modules/semver/node_modules/lru-cache": { - "version": "6.0.0", - "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-6.0.0.tgz", - "integrity": "sha512-Jo6dJ04CmSjuznwJSS3pUeWmd/H0ffTlkXXgwZi+eq1UCmqQwCh+eLsYOYCwY991i2Fah4h1BEMCx4qThGbsiA==", - "dependencies": { - "yallist": "^4.0.0" - }, - "engines": { - "node": ">=10" - } - }, - "node_modules/semver/node_modules/yallist": { - "version": "4.0.0", - "resolved": "https://registry.npmjs.org/yallist/-/yallist-4.0.0.tgz", - "integrity": "sha512-3wdGidZyq5PB084XLES5TpOSRA3wjXAlIWMhum2kRcv/41Sn2emQ0dycQW4uZXLejwKvg6EsvbdlVL+FYEct7A==" - }, "node_modules/send": { "version": "0.18.0", "resolved": "https://registry.npmjs.org/send/-/send-0.18.0.tgz", @@ -6402,7 +6316,6 @@ "version": "4.0.1", "resolved": "https://registry.npmjs.org/sonic-boom/-/sonic-boom-4.0.1.tgz", "integrity": "sha512-hTSD/6JMLyT4r9zeof6UtuBDpjJ9sO08/nmS5djaA9eozT9oOlNdpXSnzcgj4FTqpk3nkLrs61l4gip9r1HCrQ==", - "license": "MIT", "dependencies": { "atomic-sleep": "^1.0.0" } @@ -6473,7 +6386,6 @@ "version": "3.0.3", "resolved": "https://registry.npmjs.org/stream-buffers/-/stream-buffers-3.0.3.tgz", "integrity": "sha512-pqMqwQCso0PBJt2PQmDO0cFj0lyqmiwOMiMSkVtRokl7e+ZTRYgDHKnuZNbqjiJXgsg4nuqtD/zxuo9KqTp0Yw==", - "license": "Unlicense", "engines": { "node": ">= 0.10.0" } @@ -6517,7 +6429,6 @@ "version": "4.2.3", "resolved": "https://registry.npmjs.org/string-width/-/string-width-4.2.3.tgz", "integrity": "sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g==", - "license": "MIT", "dependencies": { "emoji-regex": "^8.0.0", "is-fullwidth-code-point": "^3.0.0", @@ -6543,7 +6454,6 @@ "version": "6.0.1", "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz", "integrity": "sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==", - "license": "MIT", "dependencies": { "ansi-regex": "^5.0.1" }, 
@@ -6607,7 +6517,6 @@ "version": "7.4.0", "resolved": "https://registry.npmjs.org/tar/-/tar-7.4.0.tgz", "integrity": "sha512-XQs0S8fuAkQWuqhDeCdMlJXDX80D7EOVLDPVFkna9yQfzS+PHKgfxcei0jf6/+QAWcjqrnC8uM3fSAnrQl+XYg==", - "license": "ISC", "dependencies": { "@isaacs/fs-minipass": "^4.0.0", "chownr": "^3.0.0", @@ -6624,7 +6533,6 @@ "version": "7.1.2", "resolved": "https://registry.npmjs.org/minipass/-/minipass-7.1.2.tgz", "integrity": "sha512-qOOzS1cBTWYF4BH8fVePDBOO9iptMnGUEZwNc/cMWnTV2nVLZ7VoNWEPHkYczZA0pdoA7dl6e7FL659nX9S2aw==", - "license": "ISC", "engines": { "node": ">=16 || 14 >=14.17" } @@ -6633,7 +6541,6 @@ "version": "5.0.0", "resolved": "https://registry.npmjs.org/yallist/-/yallist-5.0.0.tgz", "integrity": "sha512-YgvUTfwqyc7UXVMrB+SImsVYSmTS8X/tSrtdNZMImM+n7+QTriRXyXim0mBrTXNeqzVF0KWGgHPeiyViFFrNDw==", - "license": "BlueOak-1.0.0", "engines": { "node": ">=18" } @@ -6667,10 +6574,9 @@ "peer": true }, "node_modules/thread-stream": { - "version": "3.0.0", - "resolved": "https://registry.npmjs.org/thread-stream/-/thread-stream-3.0.0.tgz", - "integrity": "sha512-oUIFjxaUT6knhPtWgDMc29zF1FcSl0yXpapkyrQrCGEfYA2HUZXCilUtKyYIv6HkCyqSPAMkY+EG0GbyIrNDQg==", - "license": "MIT", + "version": "3.1.0", + "resolved": "https://registry.npmjs.org/thread-stream/-/thread-stream-3.1.0.tgz", + "integrity": "sha512-OqyPZ9u96VohAyMfJykzmivOrY2wfMSf3C5TtFJVgN+Hm6aj+voFhlK+kZEIv2FBh1X6Xp3DlnCOfEQ3B2J86A==", "dependencies": { "real-require": "^0.2.0" } 
@@ -6678,14 +6584,12 @@ "node_modules/tiny-inflate": { "version": "1.0.3", "resolved": "https://registry.npmjs.org/tiny-inflate/-/tiny-inflate-1.0.3.tgz", - "integrity": "sha512-pkY1fj1cKHb2seWDy0B16HeWyczlJA9/WW3u3c4z/NiWDsO3DOU5D7nhTLE9CF0yXv/QZFY7sEJmj24dK+Rrqw==", - "license": "MIT" + "integrity": "sha512-pkY1fj1cKHb2seWDy0B16HeWyczlJA9/WW3u3c4z/NiWDsO3DOU5D7nhTLE9CF0yXv/QZFY7sEJmj24dK+Rrqw==" }, "node_modules/tmp": { "version": "0.2.3", "resolved": "https://registry.npmjs.org/tmp/-/tmp-0.2.3.tgz", "integrity": "sha512-nZD7m9iCPC5g0pYmcaxogYKggSfLsdxl8of3Q/oIbqCqLLIO9IAF0GWjX1z9NZRHPiXv8Wex4yDCaZsgEw0Y8w==", - "license": "MIT", "engines": { "node": ">=14.14" } @@ -6694,7 +6598,6 @@ "version": "3.0.3", "resolved": "https://registry.npmjs.org/tmp-promise/-/tmp-promise-3.0.3.tgz", "integrity": "sha512-RwM7MoPojPxsOBYnyd2hy0bxtIlVrihNs9pj5SUvY8Zz1sQcQG2tG1hSr8PDxfgEB8RNKDhqbIlroIarSNDNsQ==", - "license": "MIT", "dependencies": { "tmp": "^0.2.0" } @@ -6736,8 +6639,7 @@ "node_modules/tr46": { "version": "0.0.3", "resolved": "https://registry.npmjs.org/tr46/-/tr46-0.0.3.tgz", - "integrity": "sha512-N3WMsuqV66lT30CrXNbEjx4GEwlow3v6rr4mCcv6prnfwhS01rkgyFdjPNBYd9br7LpXV1+Emh01fHnq2Gdgrw==", - "license": "MIT" + "integrity": "sha512-N3WMsuqV66lT30CrXNbEjx4GEwlow3v6rr4mCcv6prnfwhS01rkgyFdjPNBYd9br7LpXV1+Emh01fHnq2Gdgrw==" }, "node_modules/ts-api-utils": { "version": "1.3.0", @@ -6752,9 +6654,9 @@ } }, "node_modules/ts-jest": { - "version": "29.1.5", - "resolved": "https://registry.npmjs.org/ts-jest/-/ts-jest-29.1.5.tgz", - "integrity": "sha512-UuClSYxM7byvvYfyWdFI+/2UxMmwNyJb0NPkZPQE2hew3RurV7l7zURgOHAd/1I1ZdPpe3GUsXNXAcN8TFKSIg==", + "version": "29.2.0", + "resolved": "https://registry.npmjs.org/ts-jest/-/ts-jest-29.2.0.tgz", + "integrity": "sha512-eFmkE9MG0+oT6nqSOcUwL+2UUmK2IvhhUV8hFDsCHnc++v2WCCbQQZh5vvjsa8sgOY/g9T0325hmkEmi6rninA==", "dev": true, "license": "MIT", "dependencies": { 
@@ -6802,14 +6704,12 @@ "node_modules/ts-toolbelt": { "version": "9.6.0", "resolved": "https://registry.npmjs.org/ts-toolbelt/-/ts-toolbelt-9.6.0.tgz", - "integrity": "sha512-nsZd8ZeNUzukXPlJmTBwUAuABDe/9qtVDelJeT/qW0ow3ZS3BsQJtNkan1802aM9Uf68/Y8ljw86Hu0h5IUW3w==", - "license": "Apache-2.0" + "integrity": "sha512-nsZd8ZeNUzukXPlJmTBwUAuABDe/9qtVDelJeT/qW0ow3ZS3BsQJtNkan1802aM9Uf68/Y8ljw86Hu0h5IUW3w==" }, "node_modules/tslib": { "version": "2.6.3", "resolved": "https://registry.npmjs.org/tslib/-/tslib-2.6.3.tgz", - "integrity": "sha512-xNvxJEOUiWPGhUuUdQgAJPKOOJfGnIyKySOc09XkKsgdUV/3E2zvwZYdejjmRgPCgcym1juLH3226yA7sEFJKQ==", - "license": "0BSD" + "integrity": "sha512-xNvxJEOUiWPGhUuUdQgAJPKOOJfGnIyKySOc09XkKsgdUV/3E2zvwZYdejjmRgPCgcym1juLH3226yA7sEFJKQ==" }, "node_modules/type-check": { "version": "0.4.0", @@ -6857,10 +6757,9 @@ } }, "node_modules/types-ramda": { - "version": "0.30.0", - "resolved": "https://registry.npmjs.org/types-ramda/-/types-ramda-0.30.0.tgz", - "integrity": "sha512-oVPw/KHB5M0Du0txTEKKM8xZOG9cZBRdCVXvwHYuNJUVkAiJ9oWyqkA+9Bj2gjMsHgkkhsYevobQBWs8I2/Xvw==", - "license": "MIT", + "version": "0.30.1", + "resolved": "https://registry.npmjs.org/types-ramda/-/types-ramda-0.30.1.tgz", + "integrity": "sha512-1HTsf5/QVRmLzcGfldPFvkVsAdi1db1BBKzi7iW3KBUlOICg/nKnFS+jGqDJS3YD8VsWbAh7JiHeBvbsw8RPxA==", "dependencies": { "ts-toolbelt": "^9.6.0" } @@ -6881,8 +6780,7 @@ "node_modules/underscore": { "version": "1.13.6", "resolved": "https://registry.npmjs.org/underscore/-/underscore-1.13.6.tgz", - "integrity": "sha512-+A5Sja4HP1M08MaXya7p5LvjuM7K6q/2EaC0+iovj/wOcMsTzMvDFbasi/oSapiwOlt252IqsKqPjCl7huKS0A==", - "license": "MIT" + "integrity": "sha512-+A5Sja4HP1M08MaXya7p5LvjuM7K6q/2EaC0+iovj/wOcMsTzMvDFbasi/oSapiwOlt252IqsKqPjCl7huKS0A==" }, "node_modules/undici-types": { "version": "5.26.5", 
@@ -6893,7 +6791,6 @@ "version": "1.4.1", "resolved": "https://registry.npmjs.org/unicode-properties/-/unicode-properties-1.4.1.tgz", "integrity": "sha512-CLjCCLQ6UuMxWnbIylkisbRj31qxHPAurvena/0iwSVbQ2G1VY5/HjV0IRabOEbDHlzZlRdCrD4NhB0JtU40Pg==", - "license": "MIT", "dependencies": { "base64-js": "^1.3.0", "unicode-trie": "^2.0.0" @@ -6903,7 +6800,6 @@ "version": "2.0.0", "resolved": "https://registry.npmjs.org/unicode-trie/-/unicode-trie-2.0.0.tgz", "integrity": "sha512-x7bc76x0bm4prf1VLg79uhAzKw8DVboClSN5VxJuQ+LKDOVEW9CdH+VY7SP+vX7xCYQqzzgQpFqz15zeLvAtZQ==", - "license": "MIT", "dependencies": { "pako": "^0.2.5", "tiny-inflate": "^1.0.0" @@ -6912,8 +6808,7 @@ "node_modules/unicode-trie/node_modules/pako": { "version": "0.2.9", "resolved": "https://registry.npmjs.org/pako/-/pako-0.2.9.tgz", - "integrity": "sha512-NUcwaKxUxWrZLpDG+z/xZaCgQITkA/Dv4V/T6bw7VON6l1Xz/VnrBqrYjZQ12TamKHzITTfOEIYUj48y2KXImA==", - "license": "MIT" + "integrity": "sha512-NUcwaKxUxWrZLpDG+z/xZaCgQITkA/Dv4V/T6bw7VON6l1Xz/VnrBqrYjZQ12TamKHzITTfOEIYUj48y2KXImA==" }, "node_modules/unpipe": { "version": "1.0.0", @@ -6924,9 +6819,9 @@ } }, "node_modules/update-browserslist-db": { - "version": "1.0.13", - "resolved": "https://registry.npmjs.org/update-browserslist-db/-/update-browserslist-db-1.0.13.tgz", - "integrity": "sha512-xebP81SNcPuNpPP3uzeW1NYXxI3rxyJzF3pD6sH4jE7o/IX+WtSpwnVU+qIsDPyk0d3hmFQ7mjqc6AtV604hbg==", + "version": "1.0.16", + "resolved": "https://registry.npmjs.org/update-browserslist-db/-/update-browserslist-db-1.0.16.tgz", + "integrity": "sha512-KVbTxlBYlckhF5wgfyZXTWnMn7MMZjMu9XG8bPlliUOP9ThaF4QnhP8qrjrH7DRzHfSk0oQv1wToW+iA5GajEQ==", "dev": true, "funding": [ { @@ -6943,8 +6838,8 @@ } ], "dependencies": { - "escalade": "^3.1.1", - "picocolors": "^1.0.0" + "escalade": "^3.1.2", + "picocolors": "^1.0.1" }, "bin": { "update-browserslist-db": "cli.js" 
@@ -6965,14 +6860,12 @@ "node_modules/urijs": { "version": "1.19.11", "resolved": "https://registry.npmjs.org/urijs/-/urijs-1.19.11.tgz", - "integrity": "sha512-HXgFDgDommxn5/bIv0cnQZsPhHDA90NPHD6+c/v21U5+Sx5hoP8+dP9IZXBU1gIfvdRfhG8cel9QNPeionfcCQ==", - "license": "MIT" + "integrity": "sha512-HXgFDgDommxn5/bIv0cnQZsPhHDA90NPHD6+c/v21U5+Sx5hoP8+dP9IZXBU1gIfvdRfhG8cel9QNPeionfcCQ==" }, "node_modules/url-parse": { "version": "1.5.10", "resolved": "https://registry.npmjs.org/url-parse/-/url-parse-1.5.10.tgz", "integrity": "sha512-WypcfiRhfeUP9vvF0j6rw0J3hrWrw6iZv3+22h6iRMJ/8z1Tj6XfLP4DsUix5MhMPnXpiHDoKyoZ/bdCkwBCiQ==", - "license": "MIT", "dependencies": { "querystringify": "^2.1.1", "requires-port": "^1.0.0" @@ -7000,9 +6893,9 @@ } }, "node_modules/v8-to-istanbul": { - "version": "9.2.0", - "resolved": "https://registry.npmjs.org/v8-to-istanbul/-/v8-to-istanbul-9.2.0.tgz", - "integrity": "sha512-/EH/sDgxU2eGxajKdwLCDmQ4FWq+kpi3uCmBGpw1xJtnAxEjlD8j8PEiGWpCIMIs3ciNAgH0d3TTJiUkYzyZjA==", + "version": "9.3.0", + "resolved": "https://registry.npmjs.org/v8-to-istanbul/-/v8-to-istanbul-9.3.0.tgz", + "integrity": "sha512-kiGUalWN+rgBJ/1OHZsBtU4rXZOfj/7rKQxULKlIzwzQSvMJUUNgPwJEEh7gU6xEVxC0ahoOBvN2YI8GH6FNgA==", "dev": true, "dependencies": { "@jridgewell/trace-mapping": "^0.3.12", 
@@ -7033,14 +6926,12 @@ "node_modules/webidl-conversions": { "version": "3.0.1", "resolved": "https://registry.npmjs.org/webidl-conversions/-/webidl-conversions-3.0.1.tgz", - "integrity": "sha512-2JAn3z8AR6rjK8Sm8orRC0h/bcl/DqL7tRPdGZ4I1CjdF+EaMLmYxBHyXuKL849eucPFhvBoxMsflfOb8kxaeQ==", - "license": "BSD-2-Clause" + "integrity": "sha512-2JAn3z8AR6rjK8Sm8orRC0h/bcl/DqL7tRPdGZ4I1CjdF+EaMLmYxBHyXuKL849eucPFhvBoxMsflfOb8kxaeQ==" }, "node_modules/whatwg-url": { "version": "5.0.0", "resolved": "https://registry.npmjs.org/whatwg-url/-/whatwg-url-5.0.0.tgz", "integrity": "sha512-saE57nupxk6v3HY35+jzBwYa0rKSy0XR8JSxZPwgLr7ys0IBzhGviA1/TUGJLmSVqs8pb9AnvICXEuOHLprYTw==", - "license": "MIT", "dependencies": { "tr46": "~0.0.3", "webidl-conversions": "^3.0.0" @@ -7060,11 +6951,19 @@ "node": ">= 8" } }, + "node_modules/word-wrap": { + "version": "1.2.5", + "resolved": "https://registry.npmjs.org/word-wrap/-/word-wrap-1.2.5.tgz", + "integrity": "sha512-BN22B5eaMMI9UMtjrGd5g5eCYPpCPDUy0FJXbYsaT5zYxjFOckS53SQDE3pWkVoWpHXVb3BrYcEN4Twa55B5cA==", + "peer": true, + "engines": { + "node": ">=0.10.0" + } + }, "node_modules/wordwrap": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/wordwrap/-/wordwrap-1.0.0.tgz", - "integrity": "sha512-gvVzJFlPycKc5dZN4yPkP8w7Dc37BtP1yczEneOb4uq34pXZcvrtRTmWV8W+Ume+XCxKgbjM+nevkyFPMybd4Q==", - "license": "MIT" + "integrity": "sha512-gvVzJFlPycKc5dZN4yPkP8w7Dc37BtP1yczEneOb4uq34pXZcvrtRTmWV8W+Ume+XCxKgbjM+nevkyFPMybd4Q==" }, "node_modules/wrap-ansi": { "version": "7.0.0", @@ -7087,7 +6986,6 @@ "version": "7.0.0", "resolved": "https://registry.npmjs.org/wrap-ansi/-/wrap-ansi-7.0.0.tgz", "integrity": "sha512-YVGIj2kamLSTxw6NsZjoBxfSwsn0ycdesmc4p+Q21c5zPuZ1pl+NfxVdxPtdHvmNVOQ6XSYG4AUtyt/Fi7D16Q==", - "license": "MIT", "dependencies": { "ansi-styles": "^4.0.0", "string-width": "^4.1.0", 
@@ -7122,7 +7020,6 @@ "version": "8.17.1", "resolved": "https://registry.npmjs.org/ws/-/ws-8.17.1.tgz", "integrity": "sha512-6XQFvXTkbfUOZOKKILFG1PDK2NDQs4azKQl26T0YS5CxqWLgXajbPZ+h4gZekJyRqFU8pvnbAbbs/3TgRPy+GQ==", - "license": "MIT", "engines": { "node": ">=10.0.0" }, @@ -7157,7 +7054,6 @@ "version": "2.4.5", "resolved": "https://registry.npmjs.org/yaml/-/yaml-2.4.5.tgz", "integrity": "sha512-aBx2bnqDzVOyNKfsysjA2ms5ZlnjSAW2eG3/L5G/CSujfjLJTJsEw1bGw8kCf04KodQWk1pxlGnZ56CRxiawmg==", - "license": "ISC", "bin": { "yaml": "bin.mjs" }, diff --git a/package.json b/package.json index 78f01ecf7..5b8ed29f5 100644 --- a/package.json +++ b/package.json @@ -16,7 +16,7 @@ "name": "UDS Core", "uuid": "uds-core", "onError": "reject", - "logLevel": "debug", + "logLevel": "info", "alwaysIgnore": { "namespaces": [ "uds-dev-stack", @@ -27,19 +27,20 @@ "env": { "UDS_DOMAIN": "###ZARF_VAR_DOMAIN###", "UDS_ALLOW_ALL_NS_EXEMPTIONS": "###ZARF_VAR_ALLOW_ALL_NS_EXEMPTIONS###", - "UDS_SINGLE_TEST": "###ZARF_VAR_UDS_SINGLE_TEST###" + "UDS_SINGLE_TEST": "###ZARF_VAR_UDS_SINGLE_TEST###", + "UDS_LOG_LEVEL": "###ZARF_VAR_UDS_LOG_LEVEL###" } }, "scripts": { "k3d-setup": "k3d cluster delete pepr-dev && k3d cluster create pepr-dev --k3s-arg '--debug@server:0'" }, "dependencies": { - "pepr": "0.32.3" + "pepr": "0.32.6" }, "devDependencies": { "@jest/globals": "29.7.0", "jest": "29.7.0", - "ts-jest": "29.1.5" + "ts-jest": "29.2.0" }, "jest": { "preset": "ts-jest", diff --git a/renovate.json b/renovate.json index 2b17d5ced..93c227637 100644 --- a/renovate.json +++ b/renovate.json 
@@ -28,6 +28,14 @@ "depNameTemplate": "docker.io/neuvector/controller", "datasourceTemplate": "docker" }, + { + "fileMatch": ["^src/neuvector/values/unicorn-values\\.yaml$"], + "matchStrings": [ + "registry: cgr.dev\\s+tag:\\s+[\"]?(?[^\"]*)[\"]?" + ], + "depNameTemplate": "cgr.dev/du-uds-defenseunicorns/neuvector-controller-fips", + "datasourceTemplate": "docker" + }, { "fileMatch": ["^src/neuvector/values/registry1-values\\.yaml$"], "matchStrings": [ diff --git a/src/authservice/values/unicorn-values.yaml b/src/authservice/values/unicorn-values.yaml new file mode 100644 index 000000000..34feb99c9 --- /dev/null +++ b/src/authservice/values/unicorn-values.yaml @@ -0,0 +1,3 @@ +image: + repository: cgr.dev/du-uds-defenseunicorns/authservice-fips + tag: "1.0.1" diff --git a/src/authservice/zarf.yaml b/src/authservice/zarf.yaml index c87b7e7c6..72f6d0378 100644 --- a/src/authservice/zarf.yaml +++ b/src/authservice/zarf.yaml @@ -30,3 +30,16 @@ components: - values/registry1-values.yaml images: - registry1.dso.mil/ironbank/istio-ecosystem/authservice:0.5.3 + + - name: authservice + required: true + only: + flavor: unicorn + import: + path: common + charts: + - name: authservice + valuesFiles: + - values/unicorn-values.yaml + images: + - cgr.dev/du-uds-defenseunicorns/authservice-fips:1.0.1 diff --git a/src/grafana/common/zarf.yaml b/src/grafana/common/zarf.yaml index e8a43cf9a..bc614aa15 100644 --- a/src/grafana/common/zarf.yaml +++ b/src/grafana/common/zarf.yaml @@ -14,7 +14,7 @@ components: localPath: ../chart - name: grafana url: https://grafana.github.io/helm-charts/ - version: 7.3.9 + version: 8.3.2 namespace: grafana valuesFiles: - ../values/values.yaml diff --git a/src/grafana/values/registry1-values.yaml b/src/grafana/values/registry1-values.yaml index e12cc1f65..b32d33a08 100644 --- a/src/grafana/values/registry1-values.yaml +++ b/src/grafana/values/registry1-values.yaml 
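Review bot: The new `matchStrings` pattern `registry: cgr.dev\\s+tag:` only matches when `tag:` follows `registry: cgr.dev` with nothing but whitespace between them; the unicorn values files added elsewhere in this diff (grafana's, for example) put `repository:` between those two keys, so if the neuvector unicorn values use that same layout Renovate will silently find no dependency and the tag will never be bumped. The capture group also renders here as `(?[^\"]*)` with no group name; confirm the committed file reads `(?<currentValue>[^\"]*)`, since Renovate requires that name to extract the version. A single `depNameTemplate` of `neuvector-controller-fips` additionally attributes every match in the file to that one image, which is wrong if the file lists more than one `cgr.dev` image (controller, enforcer, manager), so anchoring on the repository line — e.g. `repository: du-uds-defenseunicorns/neuvector-controller-fips\\s+tag:\\s+[\"]?(?<currentValue>[^\"]*)[\"]?` — is both more robust and self-documenting.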
@@ -1,21 +1,21 @@ image: registry: registry1.dso.mil repository: ironbank/opensource/grafana/grafana - tag: 10.4.2 + tag: 11.1.0 initChownData: image: registry: registry1.dso.mil repository: ironbank/redhat/ubi/ubi9-minimal - tag: 9.3 + tag: 9.4 downloadDashboardsImage: registry: registry1.dso.mil repository: ironbank/redhat/ubi/ubi9-minimal - tag: 9.3 + tag: 9.4 sidecar: image: registry: registry1.dso.mil repository: ironbank/kiwigrid/k8s-sidecar - tag: 1.26.1 + tag: 1.27.4 diff --git a/src/grafana/values/unicorn-values.yaml b/src/grafana/values/unicorn-values.yaml new file mode 100644 index 000000000..517e3e2a8 --- /dev/null +++ b/src/grafana/values/unicorn-values.yaml @@ -0,0 +1,21 @@ +image: + registry: cgr.dev + repository: du-uds-defenseunicorns/grafana-fips + tag: 11.1.0 + +initChownData: + image: + registry: cgr.dev + repository: du-uds-defenseunicorns/busybox-fips + tag: 1.36.1 + +downloadDashboardsImage: + registry: cgr.dev + repository: du-uds-defenseunicorns/curl-fips + tag: 8.8.0 + +sidecar: + image: + registry: cgr.dev + repository: du-uds-defenseunicorns/k8s-sidecar-fips + tag: 1.27.4 diff --git a/src/grafana/values/upstream-values.yaml b/src/grafana/values/upstream-values.yaml index eef2d2d38..d711cae7b 100644 --- a/src/grafana/values/upstream-values.yaml +++ b/src/grafana/values/upstream-values.yaml @@ -3,12 +3,12 @@ sidecar: # -- The Docker registry registry: ghcr.io repository: kiwigrid/k8s-sidecar - tag: 1.26.1 + tag: 1.27.4 image: registry: docker.io repository: grafana/grafana - tag: 10.4.2 + tag: 11.1.0 initChownData: image: @@ -19,4 +19,4 @@ initChownData: downloadDashboardsImage: registry: docker.io repository: curlimages/curl - tag: 8.7.1 + tag: 8.8.0 diff --git a/src/grafana/zarf.yaml b/src/grafana/zarf.yaml index 4210213ea..b68fd6c43 100644 --- a/src/grafana/zarf.yaml +++ b/src/grafana/zarf.yaml 
@@ -21,10 +21,10 @@ components: valuesFiles: - values/upstream-values.yaml images: - - docker.io/grafana/grafana:10.4.2 - - docker.io/curlimages/curl:8.7.1 + - docker.io/grafana/grafana:11.1.0 + - docker.io/curlimages/curl:8.8.0 - docker.io/library/busybox:1.36.1 - - ghcr.io/kiwigrid/k8s-sidecar:1.26.1 + - ghcr.io/kiwigrid/k8s-sidecar:1.27.4 - name: grafana required: true @@ -37,6 +37,22 @@ components: valuesFiles: - values/registry1-values.yaml images: - - registry1.dso.mil/ironbank/opensource/grafana/grafana:10.4.2 - - registry1.dso.mil/ironbank/redhat/ubi/ubi9-minimal:9.3 - - registry1.dso.mil/ironbank/kiwigrid/k8s-sidecar:1.26.1 + - registry1.dso.mil/ironbank/opensource/grafana/grafana:11.1.0 + - registry1.dso.mil/ironbank/redhat/ubi/ubi9-minimal:9.4 + - registry1.dso.mil/ironbank/kiwigrid/k8s-sidecar:1.27.4 + + - name: grafana + required: true + only: + flavor: unicorn + import: + path: common + charts: + - name: grafana + valuesFiles: + - values/unicorn-values.yaml + images: + - cgr.dev/du-uds-defenseunicorns/grafana-fips:11.1.0 + - cgr.dev/du-uds-defenseunicorns/busybox-fips:1.36.1 + - cgr.dev/du-uds-defenseunicorns/curl-fips:8.8.0 + - cgr.dev/du-uds-defenseunicorns/k8s-sidecar-fips:1.27.4 diff --git a/src/istio/common/manifests/pepr-istio-config.yaml b/src/istio/common/manifests/pepr-istio-config.yaml index 7945bbdd0..062a5ee05 100644 --- a/src/istio/common/manifests/pepr-istio-config.yaml +++ b/src/istio/common/manifests/pepr-istio-config.yaml @@ -1,6 +1,7 @@ # Have to pre-create the namespace and also patch it with the istio-injection label later because # Helm is kind of dumb: https://github.com/helm/helm/issues/350 kind: Namespace +apiVersion: v1 metadata: name: pepr-system labels: diff --git a/src/istio/common/zarf.yaml b/src/istio/common/zarf.yaml index 93319e230..717d64c29 100644 --- a/src/istio/common/zarf.yaml +++ b/src/istio/common/zarf.yaml 
@@ -10,11 +10,11 @@ components: charts: - name: base url: https://istio-release.storage.googleapis.com/charts - version: 1.22.1 + version: 1.22.2 namespace: istio-system - name: istiod url: https://istio-release.storage.googleapis.com/charts - version: 1.22.1 + version: 1.22.2 namespace: istio-system valuesFiles: - "../values/values.yaml" diff --git a/src/istio/values/registry1-values.yaml b/src/istio/values/registry1-values.yaml index 5445f66f2..c61aa2e9e 100644 --- a/src/istio/values/registry1-values.yaml +++ b/src/istio/values/registry1-values.yaml @@ -1,7 +1,9 @@ pilot: - image: registry1.dso.mil/ironbank/tetrate/istio/pilot:1.22.1-tetratefips-v0 + image: registry1.dso.mil/ironbank/tetrate/istio/pilot:1.22.2-tetratefips-v0 global: proxy_init: - image: registry1.dso.mil/ironbank/tetrate/istio/proxyv2:1.22.1-tetratefips-v0 + # renovate: image=registry1.dso.mil/ironbank/tetrate/istio/proxyv2 + image: "###ZARF_REGISTRY###/ironbank/tetrate/istio/proxyv2:1.22.2-tetratefips-v0" proxy: - image: registry1.dso.mil/ironbank/tetrate/istio/proxyv2:1.22.1-tetratefips-v0 + # renovate: image=registry1.dso.mil/ironbank/tetrate/istio/proxyv2 + image: "###ZARF_REGISTRY###/ironbank/tetrate/istio/proxyv2:1.22.2-tetratefips-v0" diff --git a/src/istio/values/unicorn-values.yaml b/src/istio/values/unicorn-values.yaml new file mode 100644 index 000000000..2a19c8327 --- /dev/null +++ b/src/istio/values/unicorn-values.yaml @@ -0,0 +1,7 @@ +pilot: + image: cgr.dev/du-uds-defenseunicorns/istio-pilot-fips:1.22.2 +global: + proxy_init: + image: cgr.dev/du-uds-defenseunicorns/istio-proxy-fips:1.22.2 + proxy: + image: cgr.dev/du-uds-defenseunicorns/istio-proxy-fips:1.22.2 diff --git a/src/istio/values/upstream-values.yaml b/src/istio/values/upstream-values.yaml index 6a8c43a46..750dc2fc6 100644 --- a/src/istio/values/upstream-values.yaml +++ b/src/istio/values/upstream-values.yaml 
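Review bot: `proxy_init.image` and `proxy.image` now go through `###ZARF_REGISTRY###/...` while `pilot.image` keeps the full `registry1.dso.mil/...` reference, and nothing in the file says why; a later maintainer is likely to "normalize" one form to the other and break deploys. A short comment above `global:` stating the reason (presumably that these two values are handed to the sidecar injector rather than deployed as a manifest image, so Zarf's image rewriting does not reach them — confirm) would prevent that. The surrounding double quotes are also load-bearing: an unquoted value beginning with `#` is parsed as a YAML comment and the key would silently become null, so the comment should say so, e.g. `# Quoted on purpose: an unquoted value starting with '#' is a YAML comment.`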
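Review bot: This unicorn flavor hard-codes `cgr.dev/du-uds-defenseunicorns/istio-proxy-fips:1.22.2` for `proxy_init.image` and `proxy.image`, whereas the registry1 and upstream values in this same diff route exactly those two images through `###ZARF_REGISTRY###`. If that indirection is what lets injected sidecars pull from the in-cluster registry, this flavor will attempt to pull proxies straight from `cgr.dev` at injection time and fail in an air-gapped cluster. Either apply the same form here — a `# renovate: image=cgr.dev/du-uds-defenseunicorns/istio-proxy-fips` comment followed by `image: "###ZARF_REGISTRY###/du-uds-defenseunicorns/istio-proxy-fips:1.22.2"` for both keys — or add a comment explaining why this flavor intentionally differs.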
@@ -1,7 +1,9 @@ pilot: - image: "docker.io/istio/pilot:1.22.1-distroless" + image: "docker.io/istio/pilot:1.22.2-distroless" global: proxy_init: - image: "docker.io/istio/proxyv2:1.22.1-distroless" + # renovate: image=docker.io/istio/proxyv2 + image: "###ZARF_REGISTRY###/istio/proxyv2:1.22.2-distroless" proxy: - image: "docker.io/istio/proxyv2:1.22.1-distroless" + # renovate: image=docker.io/istio/proxyv2 + image: "###ZARF_REGISTRY###/istio/proxyv2:1.22.2-distroless" diff --git a/src/istio/zarf.yaml b/src/istio/zarf.yaml index 03db5a605..b449101c2 100644 --- a/src/istio/zarf.yaml +++ b/src/istio/zarf.yaml @@ -21,8 +21,8 @@ components: valuesFiles: - "values/upstream-values.yaml" images: - - "docker.io/istio/pilot:1.22.1-distroless" - - "docker.io/istio/proxyv2:1.22.1-distroless" + - "docker.io/istio/pilot:1.22.2-distroless" + - "docker.io/istio/proxyv2:1.22.2-distroless" - name: istio-controlplane required: true @@ -35,15 +35,29 @@ components: valuesFiles: - "values/registry1-values.yaml" images: - - registry1.dso.mil/ironbank/tetrate/istio/proxyv2:1.22.1-tetratefips-v0 - - registry1.dso.mil/ironbank/tetrate/istio/pilot:1.22.1-tetratefips-v0 + - registry1.dso.mil/ironbank/tetrate/istio/proxyv2:1.22.2-tetratefips-v0 + - registry1.dso.mil/ironbank/tetrate/istio/pilot:1.22.2-tetratefips-v0 + + - name: istio-controlplane + required: true + only: + flavor: unicorn + import: + path: common + charts: + - name: istiod + valuesFiles: + - "values/unicorn-values.yaml" + images: + - cgr.dev/du-uds-defenseunicorns/istio-pilot-fips:1.22.2 + - cgr.dev/du-uds-defenseunicorns/istio-proxy-fips:1.22.2 - name: istio-admin-gateway required: true charts: - name: gateway url: https://istio-release.storage.googleapis.com/charts - version: 1.22.1 + version: 1.22.2 releaseName: admin-ingressgateway namespace: istio-admin-gateway - name: uds-istio-config 
@@ -58,7 +72,7 @@ components: charts: - name: gateway url: https://istio-release.storage.googleapis.com/charts - version: 1.22.1 + version: 1.22.2 releaseName: tenant-ingressgateway namespace: istio-tenant-gateway - name: uds-istio-config @@ -73,7 +87,7 @@ components: charts: - name: gateway url: https://istio-release.storage.googleapis.com/charts - version: 1.22.1 + version: 1.22.2 releaseName: passthrough-ingressgateway namespace: istio-passthrough-gateway - name: uds-istio-config diff --git a/src/keycloak/chart/values.yaml b/src/keycloak/chart/values.yaml index ff0a59b2e..683128b50 100644 --- a/src/keycloak/chart/values.yaml +++ b/src/keycloak/chart/values.yaml @@ -7,7 +7,7 @@ image: pullPolicy: IfNotPresent # renovate: datasource=github-tags depName=defenseunicorns/uds-identity-config versioning=semver -configImage: ghcr.io/defenseunicorns/uds/identity-config:0.4.5 +configImage: ghcr.io/defenseunicorns/uds/identity-config:0.5.0 # The public domain name of the Keycloak server domain: "###ZARF_VAR_DOMAIN###" diff --git a/src/keycloak/values/unicorn-values.yaml b/src/keycloak/values/unicorn-values.yaml new file mode 100644 index 000000000..571b6eba2 --- /dev/null +++ b/src/keycloak/values/unicorn-values.yaml @@ -0,0 +1,3 @@ +image: + repository: cgr.dev/du-uds-defenseunicorns/keycloak + tag: "24.0.5" diff --git a/src/keycloak/zarf.yaml b/src/keycloak/zarf.yaml index 7b97cdf0c..25f4d26db 100644 --- a/src/keycloak/zarf.yaml +++ b/src/keycloak/zarf.yaml @@ -21,7 +21,7 @@ components: - "values/upstream-values.yaml" images: - quay.io/keycloak/keycloak:24.0.5 - - ghcr.io/defenseunicorns/uds/identity-config:0.4.5 + - ghcr.io/defenseunicorns/uds/identity-config:0.5.0 - name: keycloak required: true 
@@ -37,4 +37,18 @@ components: - "values/registry1-values.yaml" images: - registry1.dso.mil/ironbank/opensource/keycloak/keycloak:24.0.5 - - ghcr.io/defenseunicorns/uds/identity-config:0.4.5 + - ghcr.io/defenseunicorns/uds/identity-config:0.5.0 + + - name: keycloak + required: true + only: + flavor: unicorn + import: + path: common + charts: + - name: keycloak + valuesFiles: + - "values/unicorn-values.yaml" + images: + - cgr.dev/du-uds-defenseunicorns/keycloak:24.0.5 # todo: switch to FIPS image + - ghcr.io/defenseunicorns/uds/identity-config:0.5.0 diff --git a/src/loki/chart/templates/service-dns.yaml b/src/loki/chart/templates/service-dns.yaml new file mode 100644 index 000000000..57ec5740a --- /dev/null +++ b/src/loki/chart/templates/service-dns.yaml @@ -0,0 +1,19 @@ +--- +apiVersion: v1 +kind: Service +metadata: + name: uds-loki-dns + namespace: kube-system +spec: + ports: + - name: dns + port: 53 + protocol: UDP + targetPort: 53 + - name: dns-tcp + port: 53 + protocol: TCP + targetPort: 53 + selector: + k8s-app: kube-dns + type: ClusterIP diff --git a/src/loki/tasks.yaml b/src/loki/tasks.yaml index 38a92a71d..a319aa659 100644 --- a/src/loki/tasks.yaml +++ b/src/loki/tasks.yaml @@ -8,6 +8,12 @@ tasks: name: app.kubernetes.io/name=loki namespace: loki condition: Ready + - description: Validate uds-loki-dns + wait: + cluster: + kind: Service + name: app.kubernetes.io/component=uds-loki-dns + namespace: kube-system - description: Validate loki-gw wait: cluster: diff --git a/src/loki/values/unicorn-values.yaml b/src/loki/values/unicorn-values.yaml new file mode 100644 index 000000000..20df5327b --- /dev/null +++ b/src/loki/values/unicorn-values.yaml @@ -0,0 +1,10 @@ +loki: + image: + registry: cgr.dev + repository: du-uds-defenseunicorns/loki + tag: 2.9.8 +gateway: + image: + registry: cgr.dev + repository: du-uds-defenseunicorns/nginx-fips + tag: 1.27.0 diff --git a/src/loki/values/values.yaml b/src/loki/values/values.yaml index da491a8d1..751f7849b 100644 
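Review bot: The `Validate uds-loki-dns` wait added in `src/loki/tasks.yaml` selects the Service by label `app.kubernetes.io/component=uds-loki-dns`, but the Service defined in the new `service-dns.yaml` carries no `labels` at all, so the wait appears to have nothing to match and will time out (unless the tooling resolves that string as a name, which the `key=value` form used by the neighbouring loki wait suggests it does not). Either add `labels:` / `app.kubernetes.io/component: uds-loki-dns` under the Service's `metadata`, or wait on the plain name `uds-loki-dns`. Separately, `selector: k8s-app: kube-dns` hard-codes the upstream CoreDNS/kube-dns label; on a distribution whose DNS pods are labelled differently the Service would exist with no endpoints and the gateway's resolver would fail silently, so record the assumption next to it, e.g. `# assumes the cluster DNS pods carry k8s-app=kube-dns (upstream CoreDNS/kube-dns default)`.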
--- a/src/loki/values/values.yaml +++ b/src/loki/values/values.yaml @@ -1,3 +1,7 @@ +# Sets the global DNS service to the service created in this chart +global: + dnsService: "uds-loki-dns" + # -- Overrides the chart's name nameOverride: loki # -- Overrides the chart's computed fullname diff --git a/src/loki/zarf.yaml b/src/loki/zarf.yaml index 75d765ccb..df76918b9 100644 --- a/src/loki/zarf.yaml +++ b/src/loki/zarf.yaml @@ -33,3 +33,18 @@ components: images: - registry1.dso.mil/ironbank/opensource/grafana/loki:2.9.6 - registry1.dso.mil/ironbank/opensource/nginx/nginx-alpine:1.25.3 + + - name: loki + required: true + description: "Install Loki using chainguard images" + only: + flavor: "unicorn" + import: + path: common + charts: + - name: loki + valuesFiles: + - ./values/unicorn-values.yaml + images: + - cgr.dev/du-uds-defenseunicorns/loki:2.9.8 + - cgr.dev/du-uds-defenseunicorns/nginx-fips:1.27.0 diff --git a/src/metrics-server/values/unicorn-values.yaml b/src/metrics-server/values/unicorn-values.yaml new file mode 100644 index 000000000..f86a8a6b6 --- /dev/null +++ b/src/metrics-server/values/unicorn-values.yaml @@ -0,0 +1,3 @@ +image: + repository: cgr.dev/du-uds-defenseunicorns/metrics-server-fips + tag: "0.7.1" diff --git a/src/metrics-server/zarf.yaml b/src/metrics-server/zarf.yaml index 773a91f4d..bb31f8724 100644 --- a/src/metrics-server/zarf.yaml +++ b/src/metrics-server/zarf.yaml @@ -30,3 +30,16 @@ components: - "values/registry1-values.yaml" images: - registry1.dso.mil/ironbank/opensource/kubernetes-sigs/metrics-server:v0.7.1 + + - name: metrics-server + required: true + only: + flavor: unicorn + import: + path: common + charts: + - name: metrics-server + valuesFiles: + - "values/unicorn-values.yaml" + images: + - cgr.dev/du-uds-defenseunicorns/metrics-server-fips:0.7.1 diff --git a/src/neuvector/values/unicorn-monitor-values.yaml b/src/neuvector/values/unicorn-monitor-values.yaml new file mode 100644 index 000000000..51f216b67 --- /dev/null 
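Review bot: The new loki `unicorn` component is written in a different style from the other unicorn components added in this commit: it quotes the flavor (`flavor: "unicorn"`) and uses a `./`-prefixed, unquoted values path (`- ./values/unicorn-values.yaml`), while metrics-server and keycloak use `flavor: unicorn` and `- "values/unicorn-values.yaml"`. Pick one form for all of them; `flavor: unicorn` and `- "values/unicorn-values.yaml"` match the existing registry1 components visible in the same hunks. The unicorn loki image (`2.9.8`) also differs from the registry1 image (`2.9.6`) in the surrounding context; if that is intentional, a short comment on the image line saying so would stop it being "fixed" later.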
+++ b/src/neuvector/values/unicorn-monitor-values.yaml @@ -0,0 +1,5 @@ +registry: cgr.dev +exporter: + image: + repository: du-uds-defenseunicorns/neuvector-prometheus-exporter-fips + tag: 5.3.0 diff --git a/src/neuvector/values/unicorn-values.yaml b/src/neuvector/values/unicorn-values.yaml new file mode 100644 index 000000000..4f90d4966 --- /dev/null +++ b/src/neuvector/values/unicorn-values.yaml @@ -0,0 +1,26 @@ +registry: cgr.dev +tag: "5.3.3" +manager: + image: + repository: du-uds-defenseunicorns/neuvector-manager + +enforcer: + image: + repository: du-uds-defenseunicorns/neuvector-enforcer-fips + containerSecurityContext: + privileged: true + +controller: + image: + repository: du-uds-defenseunicorns/neuvector-controller-fips + +cve: + scanner: + image: + repository: du-uds-defenseunicorns/neuvector-scanner-fips + tag: latest + updater: + enabled: true + image: + repository: du-uds-defenseunicorns/neuvector-updater-fips + tag: 8.8.0-dev diff --git a/src/neuvector/zarf.yaml b/src/neuvector/zarf.yaml index 4750be445..f64572ded 100644 --- a/src/neuvector/zarf.yaml +++ b/src/neuvector/zarf.yaml 
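Review bot: `enforcer.containerSecurityContext.privileged: true` is introduced in `unicorn-values.yaml` without any explanation; since it grants the enforcer full host privileges, the reason (presumably a requirement of this enforcer image) should be recorded next to it, e.g. `# privileged is required for the enforcer's host-level inspection — confirm the chainguard image cannot run with the chart's default capability set`. The scanner at `tag: latest` and the updater at `tag: 8.8.0-dev` are floating and pre-release references that make the resulting package non-reproducible; pin them or note why they must float. These values are not yet wired in (the neuvector zarf component still points at the upstream values), so this is advance notice rather than a blocker.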
@@ -48,3 +48,41 @@ components: - registry1.dso.mil/ironbank/neuvector/neuvector/scanner:5 - registry1.dso.mil/ironbank/neuvector/neuvector/enforcer:5.3.3 - registry1.dso.mil/ironbank/neuvector/neuvector/prometheus-exporter:5.3.2 + + - name: neuvector + description: "Deploy Neuvector" + required: true + only: + flavor: unicorn + import: + path: common + charts: + - name: core + valuesFiles: + - values/upstream-values.yaml + - name: monitor + valuesFiles: + - values/upstream-monitor-values.yaml + images: + - docker.io/neuvector/controller:5.3.3 + - docker.io/neuvector/manager:5.3.3 + - docker.io/neuvector/updater:latest + - docker.io/neuvector/scanner:latest + - docker.io/neuvector/enforcer:5.3.3 + - docker.io/neuvector/prometheus-exporter:5.3.2 + + # todo: switch to chainguard images once manager is functional + # charts: + # - name: core + # valuesFiles: + # - values/unicorn-values.yaml + # - name: monitor + # valuesFiles: + # - values/unicorn-monitor-values.yaml + # images: + # - cgr.dev/du-uds-defenseunicorns/neuvector-manager:5.3.3 + # - cgr.dev/du-uds-defenseunicorns/neuvector-enforcer-fips:5.3.3 + # - cgr.dev/du-uds-defenseunicorns/neuvector-controller-fips:5.3.3 + # - cgr.dev/du-uds-defenseunicorns/neuvector-scanner-fips:latest + # - cgr.dev/du-uds-defenseunicorns/neuvector-updater-fips:8.8.0-dev + # - cgr.dev/du-uds-defenseunicorns/neuvector-prometheus-exporter-fips:5.3.0 diff --git a/src/pepr/config.ts b/src/pepr/config.ts index 0a923b741..4946ae793 100644 --- a/src/pepr/config.ts +++ b/src/pepr/config.ts @@ -1,4 +1,4 @@ -import { Log } from "pepr"; +import { Component, setupLogger } from "./logger"; let domain = process.env.UDS_DOMAIN; 
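Review bot: The new `unicorn` component lists `docker.io/neuvector/updater:latest` and `docker.io/neuvector/scanner:latest`, so two of its six images are floating tags that change underneath a released package and defeat the pinned-image contract the rest of the list follows (`scanner:5` on the registry1 side in the context above has the same weakness). If these mirror the upstream component, consider pinning both there and here, or documenting why the scanner must track the latest CVE database image. The commented-out chainguard block repeats the entire chart and image list; a one-line pointer such as `# todo: switch charts to values/unicorn-values.yaml and values/unicorn-monitor-values.yaml once the manager image is functional` is less likely to drift from those files.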
@@ -16,10 +16,12 @@ export const UDSConfig = { allowAllNSExemptions: process.env.UDS_ALLOW_ALL_NS_EXEMPTIONS === "true", }; -Log.info(UDSConfig, "Loaded UDS Config"); +// configure subproject logger +const log = setupLogger(Component.CONFIG); +log.info(UDSConfig, "Loaded UDS Config"); if (UDSConfig.isSingleTest) { - Log.warn( + log.warn( "Running in single test mode, this will change the behavior of the operator and should only be used for UDS Core development testing.", ); } diff --git a/src/pepr/istio/index.ts b/src/pepr/istio/index.ts index 3cbd0423a..9ca4b9252 100644 --- a/src/pepr/istio/index.ts +++ b/src/pepr/istio/index.ts @@ -1,5 +1,9 @@ import { Exec, KubeConfig } from "@kubernetes/client-node"; -import { Capability, Log, a } from "pepr"; +import { Capability, a } from "pepr"; +import { Component, setupLogger } from "../logger"; + +// configure subproject logger +const log = setupLogger(Component.ISTIO); export const istio = new Capability({ name: "istio", @@ -20,13 +24,8 @@ When(a.Pod) .WithLabel("batch.kubernetes.io/job-name") .WithLabel("service.istio.io/canonical-name") .Watch(async pod => { - Log.info( - pod, - `Processing Pod ${pod.metadata?.namespace}/${pod.metadata?.name} for istio job termination`, - ); - if (!pod.metadata?.name || !pod.metadata.namespace) { - Log.error(pod, `Invalid Pod definition`); + log.error(pod, `Invalid Pod definition`); return; } @@ -42,7 +41,7 @@ When(a.Pod) if (pod.status?.phase == "Running") { // Check all container statuses if (!pod.status.containerStatuses) { - Log.error(pod, `Invalid container status in Pod`); + log.error(pod, `Invalid container status in Pod`); return; } const shouldTerminate = pod.status.containerStatuses @@ -55,7 +54,7 @@ When(a.Pod) // Mark the pod as seen inProgress.add(key); - Log.info(`Attempting to terminate sidecar for ${key}`); + log.info(`Attempting to terminate sidecar for ${key}`); try { const kc = new KubeConfig(); kc.loadFromDefault(); 
@@ -72,9 +71,9 @@ When(a.Pod) true, ); - Log.info(`Terminated sidecar for ${key}`); + log.info(`Terminated sidecar for ${key}`); } catch (err) { - Log.error({ err }, `Failed to terminate the sidecar for ${key}`); + log.error({ err }, `Failed to terminate the sidecar for ${key}`); // Remove the pod from the seen list inProgress.delete(key); diff --git a/src/pepr/logger.ts b/src/pepr/logger.ts new file mode 100644 index 000000000..c300f3e90 --- /dev/null +++ b/src/pepr/logger.ts @@ -0,0 +1,31 @@ +import { Log } from "pepr"; + +export enum Component { + CONFIG = "config", + ISTIO = "istio", + OPERATOR_EXEMPTIONS = "operator.exemptions", + OPERATOR_ISTIO = "operator.istio", + OPERATOR_KEYCLOAK = "operator.keycloak", + OPERATOR_MONITORING = "operator.monitoring", + OPERATOR_NETWORK = "operator.network", + OPERATOR_GENERATORS = "operator.generators", + OPERATOR_CRD = "operator.crd", + OPERATOR_RECONCILERS = "operator.reconcilers", + POLICIES = "policies", + POLICIES_EXEMPTIONS = "policies.exemptions", + PROMETHEUS = "prometheus", +} + +export function setupLogger(component: Component) { + const setupLogger = Log.child({ component }); + + // Handle commands that do not template the env vars + let logLevel = process.env.UDS_LOG_LEVEL; + if (!logLevel || logLevel === "###ZARF_VAR_UDS_LOG_LEVEL###") { + logLevel = "debug"; + } + + setupLogger.level = logLevel; + + return setupLogger; +} diff --git a/src/pepr/operator/controllers/exemptions/exemption-store.ts b/src/pepr/operator/controllers/exemptions/exemption-store.ts index 3cb024de8..00b6d5e5d 100644 --- a/src/pepr/operator/controllers/exemptions/exemption-store.ts +++ b/src/pepr/operator/controllers/exemptions/exemption-store.ts 
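Review bot: `setupLogger` assigns the raw `UDS_LOG_LEVEL` value to `setupLogger.level` without validation, and every module calls it at import time (`const log = setupLogger(...)`), so if `Log` is the pino instance Pepr exposes, a misspelled level would throw `unknown level` and crash the controller on startup instead of degrading to the default. Validate against the known names and fall back, e.g. `const levels = ["trace", "debug", "info", "warn", "error", "fatal", "silent"];` followed by `if (!logLevel || logLevel === "###ZARF_VAR_UDS_LOG_LEVEL###" || !levels.includes(logLevel)) { logLevel = "debug"; }`. The local `const setupLogger = Log.child({ component });` shadows the enclosing function's name; `const child = Log.child({ component });` reads more clearly.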
@@ -1,7 +1,10 @@ -import { Log } from "pepr"; +import { Component, setupLogger } from "../../../logger"; import { StoredMatcher } from "../../../policies"; import { Matcher, Policy, UDSExemption } from "../../crd"; +// configure subproject logger +const log = setupLogger(Component.OPERATOR_EXEMPTIONS); + export type PolicyOwnerMap = Map; export type PolicyMap = Map; let policyExemptionMap: PolicyMap; @@ -34,7 +37,7 @@ function addMatcher(matcher: Matcher, p: Policy, owner: string = ""): void { } // Iterate through each exemption block of CR and add matchers to PolicyMap -function add(exemption: UDSExemption, log: boolean = true) { +function add(exemption: UDSExemption, logger: boolean = true) { // Remove any existing exemption for this owner, in case of WatchPhase.Modified remove(exemption); const owner = exemption.metadata?.uid || ""; @@ -45,8 +48,8 @@ function add(exemption: UDSExemption, log: boolean = true) { for (const p of policies) { // Append the matcher to the list of stored matchers for this policy addMatcher(e.matcher, p, owner); - if (log) { - Log.debug(`Added exemption to ${p}: ${JSON.stringify(e.matcher)}`); + if (logger) { + log.debug(`Added exemption to ${p}: ${JSON.stringify(e.matcher)}`); } } } @@ -68,9 +71,9 @@ function remove(exemption: UDSExemption) { } } policyOwnerMap.delete(owner); - Log.debug(`Removed all policy exemptions for ${owner}`); + log.debug(`Removed all policy exemptions for ${owner}`); } else { - Log.debug(`No existing exemption for owner ${owner}`); + log.debug(`No existing exemption for owner ${owner}`); } } diff --git a/src/pepr/operator/controllers/istio/injection.ts b/src/pepr/operator/controllers/istio/injection.ts index 36102cff3..fa13077f1 100644 --- a/src/pepr/operator/controllers/istio/injection.ts +++ b/src/pepr/operator/controllers/istio/injection.ts 
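Review bot: Renaming `add`'s second parameter from `log` to `logger` removes the shadowing of the module-level `log`, but `logger: boolean` now reads as if it were a logger object when it is a flag. `function add(exemption: UDSExemption, shouldLog: boolean = true)` with `if (shouldLog) {` states the intent directly. `add`'s body continues outside the hunk.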
@@ -1,7 +1,11 @@ -import { K8s, Log, kind } from "pepr"; +import { K8s, kind } from "pepr"; +import { Component, setupLogger } from "../../../logger"; import { UDSPackage } from "../../crd"; +// configure subproject logger +const log = setupLogger(Component.OPERATOR_ISTIO); + const injectionLabel = "istio-injection"; const injectionAnnotation = "uds.dev/original-istio-injection"; @@ -143,7 +147,7 @@ async function killPods(ns: string, enableInjection: boolean) { } for (const pod of group) { - Log.info(`Deleting pod ${ns}/${pod.metadata?.name} to enable the istio sidecar`); + log.info(`Deleting pod ${ns}/${pod.metadata?.name} to enable the istio sidecar`); await K8s(kind.Pod).Delete(pod); } } diff --git a/src/pepr/operator/controllers/istio/istio-resources.ts b/src/pepr/operator/controllers/istio/istio-resources.ts index 84406067a..63e2ca95b 100644 --- a/src/pepr/operator/controllers/istio/istio-resources.ts +++ b/src/pepr/operator/controllers/istio/istio-resources.ts @@ -1,9 +1,13 @@ -import { K8s, Log } from "pepr"; +import { K8s } from "pepr"; -import { IstioVirtualService, IstioServiceEntry, UDSPackage } from "../../crd"; +import { Component, setupLogger } from "../../../logger"; +import { IstioServiceEntry, IstioVirtualService, UDSPackage } from "../../crd"; import { getOwnerRef } from "../utils"; -import { generateVirtualService } from "./virtual-service"; import { generateServiceEntry } from "./service-entry"; +import { generateVirtualService } from "./virtual-service"; + +// configure subproject logger +const log = setupLogger(Component.OPERATOR_ISTIO); /** * Creates a VirtualService and ServiceEntry for each exposed service in the package 
@@ -30,7 +34,7 @@ export async function istioResources(pkg: UDSPackage, namespace: string) { // Generate a VirtualService for this `expose` entry const vsPayload = generateVirtualService(expose, namespace, pkgName, generation, ownerRefs); - Log.debug(vsPayload, `Applying VirtualService ${vsPayload.metadata?.name}`); + log.debug(vsPayload, `Applying VirtualService ${vsPayload.metadata?.name}`); // Apply the VirtualService and force overwrite any existing policy await K8s(IstioVirtualService).Apply(vsPayload, { force: true }); @@ -45,7 +49,7 @@ export async function istioResources(pkg: UDSPackage, namespace: string) { continue; } - Log.debug(sePayload, `Applying ServiceEntry ${sePayload.metadata?.name}`); + log.debug(sePayload, `Applying ServiceEntry ${sePayload.metadata?.name}`); // Apply the ServiceEntry and force overwrite any existing policy await K8s(IstioServiceEntry).Apply(sePayload, { force: true }); @@ -66,7 +70,7 @@ export async function istioResources(pkg: UDSPackage, namespace: string) { // Delete any orphaned VirtualServices for (const vs of orphanedVS) { - Log.debug(vs, `Deleting orphaned VirtualService ${vs.metadata!.name}`); + log.debug(vs, `Deleting orphaned VirtualService ${vs.metadata!.name}`); await K8s(IstioVirtualService).Delete(vs); } @@ -83,7 +87,7 @@ export async function istioResources(pkg: UDSPackage, namespace: string) { // Delete any orphaned ServiceEntries for (const se of orphanedSE) { - Log.debug(se, `Deleting orphaned ServiceEntry ${se.metadata!.name}`); + log.debug(se, `Deleting orphaned ServiceEntry ${se.metadata!.name}`); await K8s(IstioServiceEntry).Delete(se); } diff --git a/src/pepr/operator/controllers/keycloak/client-sync.spec.ts b/src/pepr/operator/controllers/keycloak/client-sync.spec.ts index 07614e7fd..1fcfab6a8 100644 --- a/src/pepr/operator/controllers/keycloak/client-sync.spec.ts +++ b/src/pepr/operator/controllers/keycloak/client-sync.spec.ts 
@@ -1,5 +1,10 @@ import { describe, expect, it } from "@jest/globals"; -import { extractSamlCertificateFromXML, generateSecretData } from "./client-sync"; +import { Sso } from "../../crd"; +import { + extractSamlCertificateFromXML, + generateSecretData, + handleClientGroups, +} from "./client-sync"; import { Client } from "./types"; const mockClient: Client = { 
@@ -132,3 +137,92 @@ describe("Test Secret & Template Data Generation", () => { }); }); }); + +describe("handleClientGroups function", () => { + it('should correctly transform groups into attributes["uds.core.groups"]', () => { + // Arrange + const ssoWithGroups: Sso = { + clientId: "test-client", + name: "Test Client", + redirectUris: ["https://example.com/callback"], + groups: { + anyOf: ["group1", "group2"], + }, + }; + + // Act + handleClientGroups(ssoWithGroups); + + // Assert + expect(ssoWithGroups.attributes).toBeDefined(); + expect(typeof ssoWithGroups.attributes).toBe("object"); + expect(ssoWithGroups.attributes!["uds.core.groups"]).toEqual( + JSON.stringify({ + anyOf: ["group1", "group2"], + }), + ); + expect(ssoWithGroups.groups).toBeUndefined(); + }); + + it('should set attributes["uds.core.groups"] to an empty object if groups are not provided', () => { + // Arrange + const ssoWithoutGroups: Sso = { + clientId: "test-client", + name: "Test Client", + redirectUris: ["https://example.com/callback"], + }; + + // Act + handleClientGroups(ssoWithoutGroups); + + // Assert + expect(ssoWithoutGroups.attributes).toBeDefined(); + expect(typeof ssoWithoutGroups.attributes).toBe("object"); + expect(ssoWithoutGroups.attributes!["uds.core.groups"]).toEqual(""); + expect(ssoWithoutGroups.groups).toBeUndefined(); + }); + + it('should set attributes["uds.core.groups"] to an empty object if empty groups object is provided', () => { + // Arrange + const ssoWithoutGroups: Sso = { + clientId: "test-client", + name: "Test Client", + redirectUris: ["https://example.com/callback"], + groups: {}, + }; + + // Act + handleClientGroups(ssoWithoutGroups); + + // Assert + expect(ssoWithoutGroups.attributes).toBeDefined(); + expect(typeof ssoWithoutGroups.attributes).toBe("object"); + expect(ssoWithoutGroups.attributes!["uds.core.groups"]).toEqual(""); + expect(ssoWithoutGroups.groups).toBeUndefined(); + }); + + it('should set attributes["uds.core.groups"] to an empty array of 
groups if groups.anyOf is empty array', () => { + // Arrange + const ssoWithGroups: Sso = { + clientId: "test-client", + name: "Test Client", + redirectUris: ["https://example.com/callback"], + groups: { + anyOf: [], + }, + }; + + // Act + handleClientGroups(ssoWithGroups); + + // Assert + expect(ssoWithGroups.attributes).toBeDefined(); + expect(typeof ssoWithGroups.attributes).toBe("object"); + expect(ssoWithGroups.attributes!["uds.core.groups"]).toEqual( + JSON.stringify({ + anyOf: [], + }), + ); + expect(ssoWithGroups.groups).toBeUndefined(); + }); +}); diff --git a/src/pepr/operator/controllers/keycloak/client-sync.ts b/src/pepr/operator/controllers/keycloak/client-sync.ts index f7233d004..bc2d2bd66 100644 --- a/src/pepr/operator/controllers/keycloak/client-sync.ts +++ b/src/pepr/operator/controllers/keycloak/client-sync.ts @@ -1,16 +1,22 @@ -import { K8s, Log, fetch, kind } from "pepr"; +import { fetch, K8s, kind } from "pepr"; import { UDSConfig } from "../../../config"; +import { Component, setupLogger } from "../../../logger"; import { Store } from "../../common"; import { Sso, UDSPackage } from "../../crd"; import { getOwnerRef } from "../utils"; import { Client } from "./types"; -const apiURL = +let apiURL = "http://keycloak-http.keycloak.svc.cluster.local:8080/realms/uds/clients-registrations/default"; const samlDescriptorUrl = "http://keycloak-http.keycloak.svc.cluster.local:8080/realms/uds/protocol/saml/descriptor"; +// Support dev mode with port-forwarded keycloak svc +if (process.env.PEPR_MODE === "dev") { + apiURL = "http://localhost:8080/realms/uds/clients-registrations/default"; +} + // Template regex to match clientField() references, see https://regex101.com/r/e41Dsk/3 for details const secretTemplateRegex = new RegExp( 'clientField\\(([a-zA-Z]+)\\)(?:\\["?([\\w]+)"?\\]|(\\.json\\(\\)))?', 
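Review bot: Three of the new test titles describe a different value than they assert: the second and third say `to an empty object` but check `toEqual("")`, and the fourth says `to an empty array of groups` but checks the serialized `{"anyOf":[]}` string. Rename them to match the assertions, e.g. `should set attributes["uds.core.groups"] to an empty string if groups are not provided` and `should serialize groups even when groups.anyOf is an empty array`. The second and third cases assert identical outcomes for `groups` absent versus `groups: {}`; that is fine as coverage, but a one-line comment that an empty groups object is intentionally treated as "no groups" would make the contract explicit.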
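Review bot: The dev-mode override rewrites `apiURL` to `http://localhost:8080/...` but leaves `samlDescriptorUrl` on the in-cluster host, so with `PEPR_MODE=dev` SAML clients would still fetch the descriptor from `keycloak-http.keycloak.svc.cluster.local` and fail against a port-forwarded Keycloak. Derive both from one base, e.g. `const keycloakBase = process.env.PEPR_MODE === "dev" ? "http://localhost:8080" : "http://keycloak-http.keycloak.svc.cluster.local:8080";` and append the two paths to it. Because the switch is driven purely by a runtime environment variable, a comment next to it stating that `PEPR_MODE` must not be `dev` in a deployed controller (registration tokens would otherwise be sent to localhost) is also worth adding.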
@@ -27,6 +33,9 @@ const x509CertRegex = new RegExp( /<[^>]*:X509Certificate[^>]*>((.|[\n\r])*)<\/[^>]*:X509Certificate>/, ); +// configure subproject logger +const log = setupLogger(Component.OPERATOR_KEYCLOAK); + /** * Create or update the Keycloak clients for the package * @@ -67,7 +76,7 @@ export async function purgeSSOClients(pkg: UDSPackage, refs: string[] = []) { Store.removeItem(ref); await apiCall({ clientId }, "DELETE", token); } else { - Log.warn(pkg.metadata, `Failed to remove client ${clientId}, token not found`); + log.warn(pkg.metadata, `Failed to remove client ${clientId}, token not found`); } } } 
@@ -77,75 +86,112 @@ async function syncClient( pkg: UDSPackage, isRetry = false, ) { - Log.debug(pkg.metadata, `Processing client request: ${clientReq.clientId}`); + log.debug(pkg.metadata, `Processing client request: ${clientReq.clientId}`); - try { - // Not including the CR data in the ref because Keycloak client IDs must be unique already - const name = `sso-client-${clientReq.clientId}`; - const token = Store.getItem(name); + // Not including the CR data in the ref because Keycloak client IDs must be unique already + const name = `sso-client-${clientReq.clientId}`; + let client: Client; + handleClientGroups(clientReq); - let client: Client; + // Get keycloak client token from the store if this is an existing client + const token = Store.getItem(name); - // If an existing client is found, update it + try { + // If an existing client is found, use the token to update the client if (token && !isRetry) { - Log.debug(pkg.metadata, `Found existing token for ${clientReq.clientId}`); + log.debug(pkg.metadata, `Found existing token for ${clientReq.clientId}`); client = await apiCall(clientReq, "PUT", token); } else { - Log.debug(pkg.metadata, `Creating new client for ${clientReq.clientId}`); + log.debug(pkg.metadata, `Creating new client for ${clientReq.clientId}`); client = await apiCall(clientReq); } + } catch (err) { + const msg = + `Failed to process Keycloak request for client '${clientReq.clientId}', package ` + + `${pkg.metadata?.namespace}/${pkg.metadata?.name}. 
Error: ${err.message}`; + + // Throw the error if this is the retry or was an initial client creation attempt + if (isRetry || !token) { + log.error(`${msg}, retry failed.`); + // Throw the original error captured from the first attempt + throw new Error(msg); + } else { + // Retry the request without the token in case we have a bad token stored + log.error(msg); + + try { + return await syncClient(clientReq, pkg, true); + } catch (retryErr) { + // If the retry fails, log the retry error and throw the original error + const retryMsg = + `Retry of Keycloak request failed for client '${clientReq.clientId}', package ` + + `${pkg.metadata?.namespace}/${pkg.metadata?.name}. Error: ${retryErr.message}`; + log.error(retryMsg); + // Throw the error from the original attempt since our retry without token failed + throw new Error(msg); + } + } + } - // Write the new token to the store + // Write the new token to the store + try { await Store.setItemAndWait(name, client.registrationAccessToken!); + } catch (err) { + throw Error( + `Failed to set token in store for client '${clientReq.clientId}', package ` + + `${pkg.metadata?.namespace}/${pkg.metadata?.name}`, + ); + } - // Remove the registrationAccessToken from the client object to avoid problems (one-time use token) - delete client.registrationAccessToken; + // Remove the registrationAccessToken from the client object to avoid problems (one-time use token) + delete client.registrationAccessToken; - if (clientReq.protocol === "saml") { - client.samlIdpCertificate = await getSamlCertificate(); - } + if (clientReq.protocol === "saml") { + client.samlIdpCertificate = await getSamlCertificate(); + } - // Create or update the client secret - await K8s(kind.Secret).Apply({ - metadata: { - namespace: pkg.metadata!.namespace, - // Use the CR secret name if provided, otherwise use the client name - name: secretName || name, - labels: { - "uds/package": pkg.metadata!.name, - }, - // Use the CR as the owner ref for each VirtualService 
- ownerReferences: getOwnerRef(pkg), + // Create or update the client secret + await K8s(kind.Secret).Apply({ + metadata: { + namespace: pkg.metadata!.namespace, + // Use the CR secret name if provided, otherwise use the client name + name: secretName || name, + labels: { + "uds/package": pkg.metadata!.name, }, - data: generateSecretData(client, secretTemplate), - }); - if (isAuthSvcClient) { - // Do things here - } + // Use the CR as the owner ref for each VirtualService + ownerReferences: getOwnerRef(pkg), + }, + data: generateSecretData(client, secretTemplate), + }); - return name; - } catch (err) { - const msg = - `Failed to process client request '${clientReq.clientId}' for ` + - `${pkg.metadata?.namespace}/${pkg.metadata?.name}. This can occur if a client already exists with the same ID that Pepr isn't tracking.`; - Log.error({ err }, msg); + if (isAuthSvcClient) { + // Do things here + } - if (isRetry) { - Log.error(`${msg}, retry failed, aborting`); - throw new Error(`${msg}. RETRY FAILED, aborting: ${JSON.stringify(err)}`); - } + return name; +} - // Retry the request - Log.warn(`${msg}, retrying`); - return syncClient(clientReq, pkg, true); +/** + * Handles the client groups by converting the groups to attributes. + * @param clientReq - The client request object. 
+ */ +export function handleClientGroups(clientReq: Sso) { + if (clientReq.groups?.anyOf) { + clientReq.attributes = clientReq.attributes || {}; + clientReq.attributes["uds.core.groups"] = JSON.stringify(clientReq.groups); + } else { + clientReq.attributes = clientReq.attributes || {}; + clientReq.attributes["uds.core.groups"] = ""; // Remove groups attribute from client } + delete clientReq.groups; } async function apiCall(sso: Partial, method = "POST", authToken = "") { // Handle single test mode if (UDSConfig.isSingleTest) { - Log.warn(`Generating fake client for '${sso.clientId}' in single test mode`); + log.warn(`Generating fake client for '${sso.clientId}' in single test mode`); return { ...sso, secret: sso.secret || "fake-secret", @@ -166,7 +212,8 @@ async function apiCall(sso: Partial, method = "POST", authToken = "") { // When not creating a new client, add the client ID and registrationAccessToken if (authToken) { req.headers.Authorization = `Bearer ${authToken}`; - url += `/${sso.clientId}`; + // Ensure that we URI encode the clientId in the request URL + url += `/${encodeURIComponent(sso.clientId!)}`; } // Remove the body for DELETE requests @@ -178,7 +225,11 @@ async function apiCall(sso: Partial, method = "POST", authToken = "") { const resp = await fetch(url, req); if (!resp.ok) { - throw new Error(`Failed to ${method} client: ${resp.statusText}`); + if (resp.data) { + throw new Error(`${JSON.stringify(resp.statusText)}, ${JSON.stringify(resp.data)}`); + } else { + throw new Error(`${JSON.stringify(resp.statusText)}`); + } } return resp.data; 
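Review bot: `handleClientGroups(clientReq)` runs at the top of `syncClient` on every invocation and is not idempotent: the first pass serializes `groups` into `attributes["uds.core.groups"]` and then `delete`s `groups`, so when the catch block recurses with `syncClient(clientReq, pkg, true)` the second pass takes the else branch and overwrites that attribute with `""`. If the attribute gates which groups may use the client, as its name suggests, the retried registration is created with the group restriction silently removed. Guard the call, `if (!isRetry) handleClientGroups(clientReq);`, or make `handleClientGroups` leave an already-set `attributes["uds.core.groups"]` untouched when `groups` is absent. The `catch (err)` around `Store.setItemAndWait` also discards the caught error; include `err.message` in the thrown message or `log.error({ err }, ...)` first so the cause is not lost. `syncClient`'s signature and the start of its body are outside the hunk.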
@@ -186,14 +237,14 @@ async function apiCall(sso: Partial, method = "POST", authToken = "") { export function generateSecretData(client: Client, secretTemplate?: { [key: string]: string }) { if (secretTemplate) { - Log.debug(`Using secret template for client: ${client.clientId}`); + log.debug(`Using secret template for client: ${client.clientId}`); // Iterate over the secret template entry and process each value return templateData(secretTemplate, client); } const stringMap: Record = {}; - Log.debug(`Using client data for secret: ${client.clientId}`); + log.debug(`Using client data for secret: ${client.clientId}`); // iterate over the client object and convert all values to strings for (const [key, value] of Object.entries(client)) { diff --git a/src/pepr/operator/controllers/monitoring/service-monitor.ts b/src/pepr/operator/controllers/monitoring/service-monitor.ts index ff2ba0713..be1ddf9ac 100644 --- a/src/pepr/operator/controllers/monitoring/service-monitor.ts +++ b/src/pepr/operator/controllers/monitoring/service-monitor.ts @@ -1,9 +1,13 @@ -import { K8s, Log } from "pepr"; +import { K8s } from "pepr"; import { V1OwnerReference } from "@kubernetes/client-node"; -import { Prometheus, UDSPackage, Monitor } from "../../crd"; +import { Component, setupLogger } from "../../../logger"; +import { Monitor, Prometheus, UDSPackage } from "../../crd"; import { getOwnerRef, sanitizeResourceName } from "../utils"; +// configure subproject logger +const log = setupLogger(Component.OPERATOR_MONITORING); + /** * Generate a service monitor for a service * @@ -15,7 +19,7 @@ export async function serviceMonitor(pkg: UDSPackage, namespace: string) { const generation = (pkg.metadata?.generation ?? 0).toString(); const ownerRefs = getOwnerRef(pkg); - Log.debug(`Reconciling ServiceMonitors for ${pkgName}`); + log.debug(`Reconciling ServiceMonitors for ${pkgName}`); // Get the list of monitored services const monitorList = pkg.spec?.monitor ?? []; 
@@ -27,7 +31,7 @@ export async function serviceMonitor(pkg: UDSPackage, namespace: string) { for (const monitor of monitorList) { const payload = generateServiceMonitor(monitor, namespace, pkgName, generation, ownerRefs); - Log.debug(payload, `Applying ServiceMonitor ${payload.metadata?.name}`); + log.debug(payload, `Applying ServiceMonitor ${payload.metadata?.name}`); // Apply the ServiceMonitor and force overwrite any existing policy await K8s(Prometheus.ServiceMonitor).Apply(payload, { force: true }); @@ -48,7 +52,7 @@ export async function serviceMonitor(pkg: UDSPackage, namespace: string) { // Delete any orphaned ServiceMonitors for (const sm of orphanedSM) { - Log.debug(sm, `Deleting orphaned ServiceMonitor ${sm.metadata!.name}`); + log.debug(sm, `Deleting orphaned ServiceMonitor ${sm.metadata!.name}`); await K8s(Prometheus.ServiceMonitor).Delete(sm); } } catch (err) { diff --git a/src/pepr/operator/controllers/network/generators/kubeAPI.ts b/src/pepr/operator/controllers/network/generators/kubeAPI.ts index 8451ffa2c..550d90f92 100644 --- a/src/pepr/operator/controllers/network/generators/kubeAPI.ts +++ b/src/pepr/operator/controllers/network/generators/kubeAPI.ts @@ -1,9 +1,13 @@ import { V1NetworkPolicyPeer } from "@kubernetes/client-node"; -import { K8s, kind, Log, R } from "pepr"; +import { K8s, kind, R } from "pepr"; +import { Component, setupLogger } from "../../../../logger"; import { RemoteGenerated } from "../../../crd"; import { anywhere } from "./anywhere"; +// configure subproject logger +const log = setupLogger(Component.OPERATOR_GENERATORS); + // This is an in-memory cache of the API server CIDR let apiServerPeers: V1NetworkPolicyPeer[]; @@ -27,7 +31,7 @@ export function kubeAPI() { } // Otherwise, log a warning and default to 0.0.0.0/0 until the EndpointSlice is updated - Log.warn("Unable to get API server CIDR, defaulting to 0.0.0.0/0"); + log.warn("Unable to get API server CIDR, defaulting to 0.0.0.0/0"); return [anywhere]; } 
@@ -37,14 +41,14 @@ export function kubeAPI() { */ export async function updateAPIServerCIDRFromEndpointSlice(slice: kind.EndpointSlice) { try { - Log.debug( + log.debug( "Processing watch for endpointslices, getting k8s service for updating API server CIDR", ); const svc = await K8s(kind.Service).InNamespace("default").Get("kubernetes"); await updateAPIServerCIDR(slice, svc); } catch (err) { const msg = "Failed to update network policies from endpoint slice watch"; - Log.error({ err }, msg); + log.error({ err }, msg); } } @@ -54,14 +58,14 @@ export async function updateAPIServerCIDRFromEndpointSlice(slice: kind.EndpointS */ export async function updateAPIServerCIDRFromService(svc: kind.Service) { try { - Log.debug( + log.debug( "Processing watch for api service, getting endpoint slices for updating API server CIDR", ); const slice = await K8s(kind.EndpointSlice).InNamespace("default").Get("kubernetes"); await updateAPIServerCIDR(slice, svc); } catch (err) { const msg = "Failed to update network policies from api service watch"; - Log.error({ err }, msg); + log.error({ err }, msg); } } @@ -105,7 +109,7 @@ export async function updateAPIServerCIDR(slice: kind.EndpointSlice, svc: kind.S // in case another EndpointSlice is updated before this one netPol.spec!.egress![0].to = apiServerPeers; - Log.debug(`Updating ${netPol.metadata!.namespace}/${netPol.metadata!.name}`); + log.debug(`Updating ${netPol.metadata!.namespace}/${netPol.metadata!.name}`); await K8s(kind.NetworkPolicy).Apply(netPol); } } diff --git a/src/pepr/operator/controllers/network/policies.ts b/src/pepr/operator/controllers/network/policies.ts index bbd042cd0..f12c775b6 100644 --- a/src/pepr/operator/controllers/network/policies.ts +++ b/src/pepr/operator/controllers/network/policies.ts 
@@ -1,5 +1,6 @@ -import { K8s, Log, kind } from "pepr"; +import { K8s, kind } from "pepr"; +import { Component, setupLogger } from "../../../logger"; import { Allow, Direction, Gateway, UDSPackage } from "../../crd"; import { getOwnerRef, sanitizeResourceName } from "../utils"; import { allowEgressDNS } from "./defaults/allow-egress-dns"; @@ -8,6 +9,9 @@ import { allowIngressSidecarMonitoring } from "./defaults/allow-ingress-sidecar- import { defaultDenyAll } from "./defaults/default-deny-all"; import { generate } from "./generate"; +// configure subproject logger +const log = setupLogger(Component.OPERATOR_NETWORK); + export async function networkPolicies(pkg: UDSPackage, namespace: string) { const customPolicies = pkg.spec?.network?.allow ?? []; const pkgName = pkg.metadata!.name!; @@ -15,7 +19,7 @@ export async function networkPolicies(pkg: UDSPackage, namespace: string) { // Get the current generation of the package const generation = (pkg.metadata?.generation ?? 0).toString(); - Log.debug(pkg.metadata, `Generating NetworkPolicies for generation ${generation}`); + log.debug(pkg.metadata, `Generating NetworkPolicies for generation ${generation}`); // Create default policies const policies = [ @@ -124,7 +128,7 @@ export async function networkPolicies(pkg: UDSPackage, namespace: string) { // Delete any orphaned policies for (const netPol of orphanedNetPol) { - Log.debug(netPol, `Deleting orphaned NetworkPolicy ${netPol.metadata!.name}`); + log.debug(netPol, `Deleting orphaned NetworkPolicy ${netPol.metadata!.name}`); await K8s(kind.NetworkPolicy).Delete(netPol); } diff --git a/src/pepr/operator/crd/generated/package-v1alpha1.ts b/src/pepr/operator/crd/generated/package-v1alpha1.ts index 6c00da529..71f70981f 100644 --- a/src/pepr/operator/crd/generated/package-v1alpha1.ts +++ b/src/pepr/operator/crd/generated/package-v1alpha1.ts 
@@ -478,6 +478,10 @@ export interface Sso { * Whether the SSO client is enabled */ enabled?: boolean; + /** + * The client sso group type + */ + groups?: Groups; /** * If true, the client will generate a new Auth Service client as well */ @@ -526,6 +530,16 @@ export enum ClientAuthenticatorType { ClientSecret = "client-secret", } +/** + * The client sso group type + */ +export interface Groups { + /** + * List of groups allowed to access to client + */ + anyOf?: string[]; +} + /** * Specifies the protocol of the client, either 'openid-connect' or 'saml' */ @@ -548,6 +562,7 @@ export enum Phase { Failed = "Failed", Pending = "Pending", Ready = "Ready", + Retrying = "Retrying", } RegisterKind(Package, { diff --git a/src/pepr/operator/crd/register.ts b/src/pepr/operator/crd/register.ts index 92782bfe6..9c2812930 100644 --- a/src/pepr/operator/crd/register.ts +++ b/src/pepr/operator/crd/register.ts @@ -1,8 +1,12 @@ -import { K8s, Log, kind } from "pepr"; +import { K8s, kind } from "pepr"; +import { Component, setupLogger } from "../../logger"; import { v1alpha1 as exemption } from "./sources/exemption/v1alpha1"; import { v1alpha1 as pkg } from "./sources/package/v1alpha1"; +// configure subproject logger +const log = setupLogger(Component.OPERATOR_CRD); + export async function registerCRDs() { // Register the Package CRD if we're in watch or dev mode if (process.env.PEPR_WATCH_MODE === "true" || process.env.PEPR_MODE === "dev") { @@ -29,10 +33,10 @@ export async function registerCRDs() { { force: true }, ) .then(() => { - Log.info("Package CRD registered"); + log.info("Package CRD registered"); }) .catch(err => { - Log.error({ err }, "Failed to register Package CRD"); + log.error({ err }, "Failed to register Package CRD"); // Sad times, let's exit process.exit(1); 
@@ -64,10 +68,10 @@ export async function registerCRDs() { { force: true }, ) .then(() => { - Log.info("Exemption CRD registered"); + log.info("Exemption CRD registered"); }) .catch(err => { - Log.error({ err }, "Failed to register Exemption CRD"); + log.error({ err }, "Failed to register Exemption CRD"); // Sad times, let's exit process.exit(1); diff --git a/src/pepr/operator/crd/sources/package/v1alpha1.ts b/src/pepr/operator/crd/sources/package/v1alpha1.ts index 93dfe87cd..0a61f8ae1 100644 --- a/src/pepr/operator/crd/sources/package/v1alpha1.ts +++ b/src/pepr/operator/crd/sources/package/v1alpha1.ts @@ -303,6 +303,19 @@ const sso = { type: "string", }, }, + groups: { + description: "The client sso group type", + type: "object", + properties: { + anyOf: { + description: "List of groups allowed to access to client", + type: "array", + items: { + type: "string", + }, + }, + }, + }, }, } as V1JSONSchemaProps, } as V1JSONSchemaProps; @@ -363,7 +376,7 @@ export const v1alpha1: V1CustomResourceDefinitionVersion = { type: "integer", }, phase: { - enum: ["Pending", "Ready", "Failed"], + enum: ["Pending", "Ready", "Failed", "Retrying"], type: "string", }, ssoClients: { diff --git a/src/pepr/operator/crd/validators/package-validator.ts b/src/pepr/operator/crd/validators/package-validator.ts index 8155bf0e5..2c8955059 100644 --- a/src/pepr/operator/crd/validators/package-validator.ts +++ b/src/pepr/operator/crd/validators/package-validator.ts @@ -86,6 +86,12 @@ export async function validator(req: PeprValidateRequest) { return req.Deny(`The client ID "${client.clientId}" is not unique`); } clientIDs.add(client.clientId); + // Don't allow illegal k8s resource names for the secret name + if (client.secretName && client.secretName !== sanitizeResourceName(client.secretName)) { + return req.Deny( + `The client ID "${client.clientId}" uses an invalid secret name ${client.secretName}`, + ); + } } return req.Approve(); 
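Review bot: The new `sso.groups.anyOf` array carries no `minItems` or item constraints, and the validator change in this same commit does not inspect it, so `groups: { anyOf: [] }` is accepted by the API server; whether an empty list means "nobody may log in" or "no restriction" is decided in the Keycloak client sync, which is outside this diff, and the two readings have opposite security outcomes. Pin it in the schema — `minItems: 1` under `anyOf` if an empty list is meaningless — or add an explicit `req.Deny` in package-validator so the intent is enforced rather than implied. The CRD `sso` schema object starts before this hunk.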
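Review bot: The new secretName check rejects names that `sanitizeResourceName` would alter, but it does not reject two clients in the same Package that share a `secretName`; if that name becomes the name of a Secret written into the package namespace (the writer is outside this hunk), the second client silently overwrites the first's credentials, so a `secretNames` Set mirroring the `clientIDs` uniqueness check just above would close that. Minor: the message quotes `clientId` but not the offending name — `uses an invalid secret name "${client.secretName}"` keeps the two consistent and makes a trailing-space name visible. The enclosing loop and the validator function start before this hunk.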
diff --git a/src/pepr/operator/reconcilers/index.spec.ts b/src/pepr/operator/reconcilers/index.spec.ts index ce408c04e..8f7c22aa8 100644 --- a/src/pepr/operator/reconcilers/index.spec.ts +++ b/src/pepr/operator/reconcilers/index.spec.ts @@ -12,6 +12,8 @@ jest.mock("pepr", () => ({ debug: jest.fn(), warn: jest.fn(), error: jest.fn(), + trace: jest.fn(), + child: jest.fn().mockReturnThis(), }, kind: { CoreEvent: "CoreEvent", @@ -180,6 +182,7 @@ describe("handleFailure", () => { expect(PatchStatus).toHaveBeenCalledWith({ metadata: { namespace: "default", name: "test" }, status: { + phase: Phase.Retrying, retryAttempt: 1, }, }); @@ -224,6 +227,7 @@ describe("handleFailure", () => { status: { observedGeneration: 1, phase: Phase.Failed, + retryAttempt: 0, }, }); }); diff --git a/src/pepr/operator/reconcilers/index.ts b/src/pepr/operator/reconcilers/index.ts index 4d07a3d27..c9a173fb2 100644 --- a/src/pepr/operator/reconcilers/index.ts +++ b/src/pepr/operator/reconcilers/index.ts @@ -1,10 +1,14 @@ -import { K8s, Log, kind } from "pepr"; +import { K8s, kind } from "pepr"; +import { Component, setupLogger } from "../../logger"; import { Phase, PkgStatus, UDSPackage } from "../crd"; import { Status } from "../crd/generated/package-v1alpha1"; export const uidSeen = new Set(); +// configure subproject logger +const log = setupLogger(Component.OPERATOR_RECONCILERS); + /** * Checks if the CRD is pending or the current generation has been processed * 
@@ -12,23 +16,30 @@ export const uidSeen = new Set(); * @returns true if the CRD is pending or the current generation has been processed */ export function shouldSkip(cr: UDSPackage) { + const isRetrying = cr.status?.phase === Phase.Retrying; const isPending = cr.status?.phase === Phase.Pending; const isCurrentGeneration = cr.metadata?.generation === cr.status?.observedGeneration; // First check if the CR has been seen before and return false if it has not // This ensures that all CRs are processed at least once by this version of pepr-core if (!uidSeen.has(cr.metadata!.uid!)) { - Log.debug(cr, `Should skip? No, first time processed during this pod's lifetime`); + log.trace(cr, `Should skip? No, first time processed during this pod's lifetime`); + return false; + } + + // If the CR is retrying, it should not be skipped + if (isRetrying) { + log.debug(cr, `Should skip? No, retrying`); return false; } // This is the second time the CR has been seen, so check if it is pending or the current generation if (isPending || isCurrentGeneration) { - Log.debug(cr, `Should skip? Yes, pending or current generation and not first time seen`); + log.trace(cr, `Should skip? Yes, pending or current generation and not first time seen`); return true; } - Log.debug(cr, `Should skip? No, not pending or current generation and not first time seen`); + log.trace(cr, `Should skip? No, not pending or current generation and not first time seen`); return false; } @@ -40,7 +51,7 @@ export function shouldSkip(cr: UDSPackage) { * @param status The new status */ export async function updateStatus(cr: UDSPackage, status: PkgStatus) { - Log.debug(cr.metadata, `Updating status to ${status.phase}`); + log.debug(`Updating ${cr.metadata?.name}/${cr.metadata?.namespace} status to ${status.phase}`); // Update the status of the CRD await K8s(UDSPackage).PatchStatus({ 
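Review bot: shouldSkip still passes the whole CR object to the logger (`log.trace(cr, ...)` on three lines and the new `log.debug(cr, \`Should skip? No, retrying\`)`), while updateStatus and writeEvent in this same change were trimmed to name/namespace; if the Package spec ever carries sensitive SSO material, the full spec lands in the logs at debug/trace. Suggest `log.debug(\`Should skip? No, retrying ${cr.metadata?.namespace}/${cr.metadata?.name}\`)` and the same shape for the trace lines, matching the updateStatus style. The new Retrying guard sits after the uidSeen check, so a CR left in Retrying by a previous pod is reconciled through the first-seen path rather than this one — that looks intended but is worth a comment on the `isRetrying` branch.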
@@ -50,6 +61,9 @@ export async function updateStatus(cr: UDSPackage, status: PkgStatus) { }, status, }); + + // Track the UID of the CRD to know if it has been seen before + uidSeen.add(cr.metadata!.uid!); } /** @@ -60,7 +74,7 @@ export async function updateStatus(cr: UDSPackage, status: PkgStatus) { * @param type The type of event to write */ export async function writeEvent(cr: UDSPackage, event: Partial) { - Log.debug(cr.metadata, `Writing event: ${event.message}`); + log.debug(`Writing ${cr.metadata?.name}/${cr.metadata?.namespace} event: ${event.message}`); await K8s(kind.CoreEvent).Create({ type: "Warning", 
@@ -95,37 +109,40 @@ export async function handleFailure(err: { status: number; message: string }, cr const identifier = `${metadata.namespace}/${metadata.name}`; let status: Status; - // todo: identify exact 404 we are targetting, possibly in `updateStatus` + // todo: identify exact 404 we are targeting, possibly in `updateStatus` if (err.status === 404) { - Log.warn({ err }, `Package metadata seems to have been deleted`); + log.warn({ err }, `Package metadata seems to have been deleted`); return; } const retryAttempt = cr.status?.retryAttempt || 0; - if (retryAttempt < 5) { + // retryAttempt starts at 0, we perform 4 retries, 5 total attempts + if (retryAttempt < 4) { const currRetry = retryAttempt + 1; - Log.error({ err }, `Reconciliation attempt ${currRetry} failed for ${identifier}, retrying...`); + log.error({ err }, `Reconciliation attempt ${currRetry} failed for ${identifier}, retrying...`); status = { + phase: Phase.Retrying, retryAttempt: currRetry, }; } else { - Log.error({ err }, `Error configuring ${identifier}, maxed out retries`); + log.error({ err }, `Error configuring ${identifier}, maxed out retries`); status = { phase: Phase.Failed, observedGeneration: metadata.generation, + retryAttempt: 0, // todo: make this nullable when kfc generates the type }; } // Write an event for the error - void writeEvent(cr, { message: err.message }); + await writeEvent(cr, { message: err.message }); // Update the status of the package with the error updateStatus(cr, status).catch(finalErr => { // If the status update fails, write log the error and and try to write an event - Log.error({ err: finalErr }, `Error updating status for ${identifier} failed`); + log.error({ err: finalErr }, `Error updating status for ${identifier} failed`); void writeEvent(cr, { message: finalErr.message }); }); } diff --git a/src/pepr/operator/reconcilers/package-reconciler.spec.ts b/src/pepr/operator/reconcilers/package-reconciler.spec.ts index cc01a098e..69c336f25 100644 
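Review bot: `await writeEvent(cr, { message: err.message })` replaces the previous fire-and-forget, so a failed Event create now makes handleFailure reject before `updateStatus` runs, leaving the Package with no Retrying/Failed status at all; the caller in package-reconciler invokes `void handleFailure(err, pkg)`, so that rejection is also unhandled. Wrap it so a logging failure cannot block the status update: `try { await writeEvent(cr, { message: err.message }); } catch (evtErr) { log.error({ err: evtErr }, "Failed to write event for " + identifier); }`. Separately, nothing here delays the next attempt — setting phase Retrying makes shouldSkip return false, so if the status patch re-queues the CR (the watch plumbing is outside this hunk) a dependency that is down for a few seconds can burn all five attempts back to back; a short delay keyed on `currRetry` before the status patch would be worth considering. handleFailure's signature is above this hunk.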
--- a/src/pepr/operator/reconcilers/package-reconciler.spec.ts +++ b/src/pepr/operator/reconcilers/package-reconciler.spec.ts @@ -5,12 +5,32 @@ import { Phase, UDSPackage } from "../crd"; import { packageReconciler } from "./package-reconciler"; jest.mock("kubernetes-fluent-client"); -jest.mock("pepr"); jest.mock("../../config"); jest.mock("../controllers/istio/injection"); jest.mock("../controllers/istio/virtual-service"); jest.mock("../controllers/network/policies"); +jest.mock("pepr", () => ({ + K8s: jest.fn(), + Log: { + info: jest.fn(), + debug: jest.fn(), + warn: jest.fn(), + error: jest.fn(), + trace: jest.fn(), + child: jest.fn().mockReturnThis(), + }, + kind: { + CoreEvent: "CoreEvent", + }, + Capability: jest.fn().mockImplementation(() => { + return { + name: "uds-core-operator", + description: "The UDS Operator is responsible for managing the lifecycle of UDS resources", + }; + }), +})); + describe("reconciler", () => { let mockPackage: UDSPackage; diff --git a/src/pepr/operator/reconcilers/package-reconciler.ts b/src/pepr/operator/reconcilers/package-reconciler.ts index db636c2d5..e4062b294 100644 --- a/src/pepr/operator/reconcilers/package-reconciler.ts +++ b/src/pepr/operator/reconcilers/package-reconciler.ts @@ -1,7 +1,6 @@ -import { Log } from "pepr"; - -import { handleFailure, shouldSkip, uidSeen, updateStatus } from "."; +import { handleFailure, shouldSkip, updateStatus } from "."; import { UDSConfig } from "../../config"; +import { Component, setupLogger } from "../../logger"; import { enableInjection } from "../controllers/istio/injection"; import { istioResources } from "../controllers/istio/istio-resources"; import { keycloak } from "../controllers/keycloak/client-sync"; 
@@ -10,6 +9,9 @@ import { networkPolicies } from "../controllers/network/policies"; import { Phase, UDSPackage } from "../crd"; import { migrate } from "../crd/migrate"; +// configure subproject logger +const log = setupLogger(Component.OPERATOR_RECONCILERS); + /** * The reconciler is called from the queue and is responsible for reconciling the state of the package * with the cluster. This includes creating the namespace, network policies and virtual services. @@ -20,10 +22,14 @@ export async function packageReconciler(pkg: UDSPackage) { const metadata = pkg.metadata!; const { namespace, name } = metadata; - Log.info(pkg, `Processing Package ${namespace}/${name}`); + log.info( + `Processing Package ${namespace}/${name}, status.phase: ${pkg.status?.phase}, observedGeneration: ${pkg.status?.observedGeneration}, retryAttempt: ${pkg.status?.retryAttempt}`, + ); if (shouldSkip(pkg)) { - Log.info(pkg, `Skipping Package ${namespace}/${name}`); + log.info( + `Skipping Package ${namespace}/${name}, status.phase: ${pkg.status?.phase}, observedGeneration: ${pkg.status?.observedGeneration}, retryAttempt: ${pkg.status?.retryAttempt}`, + ); return; } @@ -49,7 +55,7 @@ export async function packageReconciler(pkg: UDSPackage) { // Create the ServiceMonitor for each monitored service monitors = await serviceMonitor(pkg, namespace!); } else { - Log.warn(`Running in single test mode, skipping ${name} ServiceMonitors.`); + log.warn(`Running in single test mode, skipping ${name} ServiceMonitors.`); } // Configure SSO @@ -64,9 +70,6 @@ export async function packageReconciler(pkg: UDSPackage) { observedGeneration: metadata.generation, retryAttempt: 0, // todo: make this nullable when kfc generates the type }); - - // Update to indicate this version of pepr-core has reconciled the package successfully once - uidSeen.add(pkg.metadata!.uid!); } catch (err) { void handleFailure(err, pkg); } 
diff --git a/src/pepr/policies/exemptions/index.ts b/src/pepr/policies/exemptions/index.ts index 8eb2ca73c..db2e11c68 100644 --- a/src/pepr/policies/exemptions/index.ts +++ b/src/pepr/policies/exemptions/index.ts @@ -1,8 +1,12 @@ import { KubernetesObject } from "kubernetes-fluent-client"; -import { Log, PeprMutateRequest, PeprValidateRequest } from "pepr"; +import { PeprMutateRequest, PeprValidateRequest } from "pepr"; +import { Component, setupLogger } from "../../logger"; import { ExemptionStore } from "../../operator/controllers/exemptions/exemption-store"; import { Policy } from "../../operator/crd"; +// configure subproject logger +const log = setupLogger(Component.POLICIES_EXEMPTIONS); + /** * Check a resource against an exemption list for use by the validation action. * @@ -20,7 +24,7 @@ export function isExempt( if (exemptList.length != 0) { // Debug log to provide current exemptions for policy - Log.debug( + log.debug( `Checking ${resourceName} against ${policy} exemptions: ${JSON.stringify(exemptList)}`, ); for (const exempt of exemptList) { @@ -35,7 +39,7 @@ export function isExempt( } // If we get here, the request is exempt - Log.info(`${resourceName} is exempt from ${policy}`); + log.info(`${resourceName} is exempt from ${policy}`); return true; } } diff --git a/src/pepr/policies/index.ts b/src/pepr/policies/index.ts index 0b8d5a1b8..f63d6f75c 100644 --- a/src/pepr/policies/index.ts +++ b/src/pepr/policies/index.ts @@ -1,5 +1,6 @@ // Various validation actions for Kubernetes resources from Big Bang -import { K8s, Log } from "pepr"; +import { K8s } from "pepr"; +import { Component, setupLogger } from "../logger"; import { ExemptionStore } from "../operator/controllers/exemptions/exemption-store"; import { processExemptions } from "../operator/controllers/exemptions/exemptions"; import { Matcher, Policy, UDSExemption } from "../operator/crd"; 
@@ -7,6 +8,9 @@ import "./networking"; import "./security"; import "./storage"; +// configure subproject logger +const log = setupLogger(Component.POLICIES); + export { policies } from "./common"; export type StoredMatcher = Matcher & { owner: string }; @@ -18,13 +22,13 @@ export async function startExemptionWatch() { // only run in admission controller or dev mode if (process.env.PEPR_WATCH_MODE === "false" || process.env.PEPR_MODE === "dev") { const watcher = K8s(UDSExemption).Watch(async (exemption, phase) => { - Log.debug(`Processing exemption ${exemption.metadata?.name}, watch phase: ${phase}`); + log.debug(`Processing exemption ${exemption.metadata?.name}, watch phase: ${phase}`); processExemptions(exemption, phase); }); // This will run until the process is terminated or the watch is aborted - Log.debug("Starting exemption watch..."); + log.debug("Starting exemption watch..."); await watcher.start(); } } diff --git a/src/pepr/policies/storage.ts b/src/pepr/policies/storage.ts index 858b6daa5..a7559666d 100644 --- a/src/pepr/policies/storage.ts +++ b/src/pepr/policies/storage.ts @@ -1,7 +1,7 @@ import { a } from "pepr"; -import { When, containers, volumes } from "./common"; import { Policy } from "../operator/crd"; +import { When, containers, volumes } from "./common"; import { isExempt, markExemption } from "./exemptions"; /** diff --git a/src/pepr/prometheus/index.ts b/src/pepr/prometheus/index.ts index bc471cac4..cc8e022d4 100644 --- a/src/pepr/prometheus/index.ts +++ b/src/pepr/prometheus/index.ts @@ -1,6 +1,10 @@ -import { Capability, K8s, kind, Log } from "pepr"; +import { Capability, K8s, kind } from "pepr"; +import { Component, setupLogger } from "../logger"; import { Prometheus } from "../operator/crd"; +// configure subproject logger +const log = setupLogger(Component.PROMETHEUS); + export const prometheus = new Capability({ name: "prometheus", description: "UDS Core Capability for the Prometheus stack.", 
@@ -25,7 +29,7 @@ When(Prometheus.ServiceMonitor) return; } - Log.info(`Patching service monitor ${sm.Raw.metadata?.name} for mTLS metrics`); + log.info(`Patching service monitor ${sm.Raw.metadata?.name} for mTLS metrics`); const tlsConfig = { caFile: "/etc/prom-certs/root-cert.pem", certFile: "/etc/prom-certs/cert-chain.pem", @@ -39,7 +43,7 @@ When(Prometheus.ServiceMonitor) }); sm.Raw.spec.endpoints = endpoints; } else { - Log.info(`No mutations needed for service monitor ${sm.Raw.metadata?.name}`); + log.info(`No mutations needed for service monitor ${sm.Raw.metadata?.name}`); } }); diff --git a/src/pepr/tasks.yaml b/src/pepr/tasks.yaml index 08b657648..4033b25f9 100644 --- a/src/pepr/tasks.yaml +++ b/src/pepr/tasks.yaml @@ -6,9 +6,9 @@ tasks: - name: gen-crds description: "Generate CRDS, requires a running kubernetes cluster" actions: - - cmd: "npx ts-node src/pepr/operator/crd/register.ts" + - cmd: npx ts-node -e "import { registerCRDs } from './src/pepr/operator/crd/register'; registerCRDs()" env: - - "PEPR_WATCH_MODE=true" + - "PEPR_MODE=dev" - cmd: "npx kubernetes-fluent-client crd packages.uds.dev src/pepr/operator/crd/generated" diff --git a/src/prometheus-stack/values/unicorn-values.yaml b/src/prometheus-stack/values/unicorn-values.yaml new file mode 100644 index 000000000..67d689058 --- /dev/null +++ b/src/prometheus-stack/values/unicorn-values.yaml 
@@ -0,0 +1,56 @@ +alertmanager: + alertmanagerSpec: + image: + registry: cgr.dev + repository: du-uds-defenseunicorns/prometheus-alertmanager-fips + tag: 0.27.0 +kube-state-metrics: + image: + registry: cgr.dev + repository: du-uds-defenseunicorns/kube-state-metrics-fips + tag: 2.12.0 + securityContext: + enabled: true + fsGroup: 65532 + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 +prometheus: + prometheusSpec: + image: + registry: cgr.dev + repository: du-uds-defenseunicorns/prometheus-fips + tag: 2.52.0 +prometheus-node-exporter: + image: + registry: cgr.dev + repository: du-uds-defenseunicorns/prometheus-node-exporter-fips + tag: 1.8.1 +prometheusOperator: + admissionWebhooks: + containerSecurityContext: + capabilities: + drop: + - ALL + patch: + enabled: true + image: + registry: cgr.dev + repository: du-uds-defenseunicorns/kube-webhook-certgen-fips + tag: 1.10.1 + registry: cgr.dev + repository: du-uds-defenseunicorns/kube-webhook-certgen-fips + tag: 1.10.1 + securityContext: + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 + image: + registry: cgr.dev + repository: du-uds-defenseunicorns/prometheus-operator-fips + tag: 0.74.0 + prometheusConfigReloader: + image: + registry: cgr.dev + repository: du-uds-defenseunicorns/prometheus-config-reloader-fips + tag: 0.74.0 diff --git a/src/prometheus-stack/zarf.yaml b/src/prometheus-stack/zarf.yaml index 32acbf534..ea1e31733 100644 --- a/src/prometheus-stack/zarf.yaml +++ b/src/prometheus-stack/zarf.yaml 
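Review bot: The kube-webhook-certgen image appears twice under `prometheusOperator.admissionWebhooks.patch` — once as `image.registry/repository/tag` and once as bare `registry/repository/tag` — which reads as a shim for two chart value schemas; if the chart version in use honours only one of them, drop the other so a future bump cannot leave a stale FIPS tag behind (the collapsed diff hides exact indentation, so confirm against the rendered file). Every image here is pinned by mutable tag only; Zarf captures the content at package build time, but a digest form (`repository: du-uds-defenseunicorns/prometheus-fips` with `tag: 2.52.0@sha256:…`, or the chart's `sha` field where supported) would make rebuilds reproducible and let the bundled SBOM be checked against what was actually pulled.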
@@ -54,3 +54,23 @@ components: - "registry1.dso.mil/ironbank/opensource/prometheus-operator/prometheus-config-reloader:v0.74.0" - "registry1.dso.mil/ironbank/opensource/prometheus/prometheus:v2.52.0" - "registry1.dso.mil/ironbank/opensource/ingress-nginx/kube-webhook-certgen:v1.3.0" + + - name: kube-prometheus-stack + required: true + description: "Install kube-prometheus-stack using the helm chart https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack" + only: + flavor: unicorn + import: + path: common + charts: + - name: kube-prometheus-stack + valuesFiles: + - "values/unicorn-values.yaml" + images: + - "cgr.dev/du-uds-defenseunicorns/prometheus-node-exporter-fips:1.8.1" + - "cgr.dev/du-uds-defenseunicorns/prometheus-operator-fips:0.74.0" + - "cgr.dev/du-uds-defenseunicorns/kube-state-metrics-fips:2.12.0" + - "cgr.dev/du-uds-defenseunicorns/prometheus-alertmanager-fips:0.27.0" + - "cgr.dev/du-uds-defenseunicorns/prometheus-config-reloader-fips:0.74.0" + - "cgr.dev/du-uds-defenseunicorns/prometheus-fips:2.52.0" + - "cgr.dev/du-uds-defenseunicorns/kube-webhook-certgen-fips:1.10.1" diff --git a/src/promtail/common/zarf.yaml b/src/promtail/common/zarf.yaml index baeb9cbc1..b3df11848 100644 --- a/src/promtail/common/zarf.yaml +++ b/src/promtail/common/zarf.yaml @@ -14,7 +14,7 @@ components: localPath: ../chart - name: promtail url: https://grafana.github.io/helm-charts/ - version: 6.15.5 + version: 6.16.3 namespace: promtail gitPath: charts/promtail valuesFiles: diff --git a/src/promtail/values/registry1-values.yaml b/src/promtail/values/registry1-values.yaml index 265483573..63511bc69 100644 --- a/src/promtail/values/registry1-values.yaml +++ b/src/promtail/values/registry1-values.yaml 
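Review bot: The seven tags under `images:` duplicate the ones in values/unicorn-values.yaml with nothing tying them together; Zarf only bundles what is listed here, so bumping a tag in the values file without this list yields a package whose chart points at an image that was never imported (ImagePullBackOff in a disconnected cluster), and bumping only this list ships an image the chart never uses. A `# renovate:` marker on both, as tasks/create.yaml already does for the Pepr controller image, or a CI step that diffs the two lists, would keep them in lockstep. The registry1 component above carries the same duplication and would benefit from the same check.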
@@ -1,10 +1,10 @@ image: registry: registry1.dso.mil repository: ironbank/opensource/grafana/promtail - tag: v2.9.6 + tag: v3.1.0 sidecar: configReloader: image: registry: registry1.dso.mil repository: ironbank/opensource/jimmidyson/configmap-reload - tag: v0.12.0 + tag: v0.13.1 diff --git a/src/promtail/values/unicorn-values.yaml b/src/promtail/values/unicorn-values.yaml new file mode 100644 index 000000000..4f4ac593e --- /dev/null +++ b/src/promtail/values/unicorn-values.yaml @@ -0,0 +1,10 @@ +image: + registry: cgr.dev + repository: du-uds-defenseunicorns/promtail + tag: 3.1.0 +sidecar: + configReloader: + image: + registry: cgr.dev + repository: du-uds-defenseunicorns/configmap-reload-fips + tag: 0.12.0 diff --git a/src/promtail/values/upstream-values.yaml b/src/promtail/values/upstream-values.yaml index 6a7b4fe52..1813158fb 100644 --- a/src/promtail/values/upstream-values.yaml +++ b/src/promtail/values/upstream-values.yaml @@ -1,10 +1,10 @@ image: registry: docker.io repository: grafana/promtail - tag: 2.9.6 + tag: 3.1.0 sidecar: configReloader: image: registry: ghcr.io repository: jimmidyson/configmap-reload - tag: v0.12.0 + tag: v0.13.1 diff --git a/src/promtail/zarf.yaml b/src/promtail/zarf.yaml index da126c7e8..e1310ed58 100644 --- a/src/promtail/zarf.yaml +++ b/src/promtail/zarf.yaml @@ -17,8 +17,8 @@ components: valuesFiles: - values/upstream-values.yaml images: - - ghcr.io/jimmidyson/configmap-reload:v0.12.0 - - docker.io/grafana/promtail:2.9.6 + - ghcr.io/jimmidyson/configmap-reload:v0.13.1 + - docker.io/grafana/promtail:3.1.0 - name: promtail required: true 
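Review bot: The new unicorn flavor references `du-uds-defenseunicorns/promtail` without the `-fips` suffix that every other unicorn image in this change carries (its own sidecar right below is `configmap-reload-fips`); if a FIPS build of promtail exists it should be used, and if it intentionally does not, a comment such as `# no FIPS promtail build available yet — non-FIPS image is intentional` keeps the next reviewer from flagging it. The sidecar is also pinned at `0.12.0` while the registry1 and upstream values in this same commit move configmap-reload to v0.13.1, so the three flavors now ship different reloader versions; align it or note why it lags.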
@@ -32,5 +32,20 @@ components: valuesFiles: - values/registry1-values.yaml images: - - registry1.dso.mil/ironbank/opensource/jimmidyson/configmap-reload:v0.12.0 - - registry1.dso.mil/ironbank/opensource/grafana/promtail:v2.9.6 + - registry1.dso.mil/ironbank/opensource/jimmidyson/configmap-reload:v0.13.1 + - registry1.dso.mil/ironbank/opensource/grafana/promtail:v3.1.0 + + - name: promtail + required: true + description: "Deploy Promtail" + only: + flavor: unicorn + import: + path: common + charts: + - name: promtail + valuesFiles: + - values/unicorn-values.yaml + images: + - cgr.dev/du-uds-defenseunicorns/configmap-reload-fips:0.12.0 + - cgr.dev/du-uds-defenseunicorns/promtail:3.1.0 diff --git a/src/velero/values/unicorn-values.yaml b/src/velero/values/unicorn-values.yaml new file mode 100644 index 000000000..c5eb19b14 --- /dev/null +++ b/src/velero/values/unicorn-values.yaml @@ -0,0 +1,22 @@ +image: + repository: cgr.dev/du-uds-defenseunicorns/velero-fips + tag: 1.13.2-dev + +kubectl: + image: + repository: cgr.dev/du-uds-defenseunicorns/kubectl-fips + tag: 1.29.5-dev + +initContainers: + - name: velero-plugin-for-aws + image: cgr.dev/du-uds-defenseunicorns/velero-plugin-for-aws-fips:1.9.2 + imagePullPolicy: IfNotPresent + volumeMounts: + - mountPath: /target + name: plugins + - name: velero-plugin-for-csi + image: cgr.dev/du-uds-defenseunicorns/velero-plugin-for-csi-fips:0.7.1 + imagePullPolicy: IfNotPresent + volumeMounts: + - mountPath: /target + name: plugins diff --git a/src/velero/zarf.yaml b/src/velero/zarf.yaml index 59a25128d..694179415 100644 --- a/src/velero/zarf.yaml +++ b/src/velero/zarf.yaml 
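Review bot: `velero-fips:1.13.2-dev` and `kubectl-fips:1.29.5-dev` are pre-release tags while the two plugins use release tags; `-dev` tags are typically rebuilt in place, so the same package built twice can contain different binaries and the bundled SBOM or signature no longer matches what is published under that tag. Pin by digest (`repository: cgr.dev/du-uds-defenseunicorns/velero-fips` with `tag: 1.13.2-dev@sha256:…`) or move to the release tags once they exist, and mirror the same references in src/velero/zarf.yaml so the values and the Zarf image list stay in lockstep. If the dev tags are a deliberate stopgap, say so in a comment with the tracking issue.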
@@ -36,3 +36,19 @@ components: - registry1.dso.mil/ironbank/opensource/velero/velero-plugin-for-aws:v1.9.2 - registry1.dso.mil/ironbank/opensource/velero/velero-plugin-for-csi:v0.7.1 - registry1.dso.mil/ironbank/big-bang/base:2.1.0 + + - name: velero + required: true + only: + flavor: unicorn + import: + path: common + charts: + - name: velero + valuesFiles: + - values/unicorn-values.yaml + images: + - cgr.dev/du-uds-defenseunicorns/velero-fips:1.13.2-dev + - cgr.dev/du-uds-defenseunicorns/velero-plugin-for-aws-fips:1.9.2 + - cgr.dev/du-uds-defenseunicorns/velero-plugin-for-csi-fips:0.7.1 + - cgr.dev/du-uds-defenseunicorns/kubectl-fips:1.29.5-dev diff --git a/tasks/create.yaml b/tasks/create.yaml index 8a007935d..93e8f198a 100644 --- a/tasks/create.yaml +++ b/tasks/create.yaml @@ -1,5 +1,5 @@ includes: - - common: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.6.1/tasks/create.yaml + - common: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.7.1/tasks/create.yaml variables: - name: FLAVOR @@ -7,7 +7,7 @@ variables: - name: REGISTRY1_PEPR_IMAGE # renovate: datasource=docker depName=registry1.dso.mil/ironbank/opensource/defenseunicorns/pepr/controller versioning=semver - default: registry1.dso.mil/ironbank/opensource/defenseunicorns/pepr/controller:v0.32.3 + default: registry1.dso.mil/ironbank/opensource/defenseunicorns/pepr/controller:v0.32.6 tasks: - name: standard-package From 347b06127a95843d69dd6057020c712af03c7ce6 Mon Sep 17 00:00:00 2001 From: Micah Nagel Date: Wed, 10 Jul 2024 09:32:17 -0600 Subject: [PATCH 35/61] bagellab --- .github/workflows/publish.yaml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml index 7559ad952..a2214934f 100644 --- a/.github/workflows/publish.yaml +++ b/.github/workflows/publish.yaml 
@@ -78,16 +78,16 @@ jobs: run: | # Publish snapshots to snapshot repository if [ "${{ inputs.snapshot }}" = "true" ]; then - echo "Publishing snapshot to ghcr.io/defenseunicorns/packages/uds/snapshots" - echo "repo=ghcr.io/defenseunicorns/packages/uds/snapshots" >> "$GITHUB_OUTPUT" + echo "Publishing snapshot to ghcr.io/bagellab/packages/uds/snapshots" + echo "repo=ghcr.io/bagellab/packages/uds/snapshots" >> "$GITHUB_OUTPUT" # Publish unicorn flavor to private repository elif [ "${{ matrix.flavor }}" = "unicorn" ]; then - echo "Publishing unicorn flavor to ghcr.io/defenseunicorns/packages/private/uds" - echo "repo=ghcr.io/defenseunicorns/packages/private/uds" >> "$GITHUB_OUTPUT" + echo "Publishing unicorn flavor to ghcr.io/bagellab/packages/private/uds" + echo "repo=ghcr.io/bagellab/packages/private/uds" >> "$GITHUB_OUTPUT" # Publish all other packages/bundles to uds package repository else - echo "Publishing packages and bundles to ghcr.io/defenseunicorns/packages/uds" - echo "repo=ghcr.io/defenseunicorns/packages/uds" >> "$GITHUB_OUTPUT" + echo "Publishing packages and bundles to ghcr.io/bagellab/packages/uds" + echo "repo=ghcr.io/bagellab/packages/uds" >> "$GITHUB_OUTPUT" fi # Publish package and bundle to destination repository From 3c226db546374f5ba0fc443dd0fcc8c21269c9d7 Mon Sep 17 00:00:00 2001 From: Micah Nagel Date: Wed, 10 Jul 2024 09:34:56 -0600 Subject: [PATCH 36/61] double equals --- .github/workflows/publish.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml index a2214934f..f621c502b 100644 --- a/.github/workflows/publish.yaml +++ b/.github/workflows/publish.yaml 
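Review bot: The three hard-coded `ghcr.io/bagellab/...` targets are written into the `run:` script alongside `${{ inputs.snapshot }}` and `${{ matrix.flavor }}` expression interpolations; both values are workflow-defined here, so injection risk is low, but the conventional hardening is to pass them through `env:` (`SNAPSHOT: ${{ inputs.snapshot }}`, `FLAVOR: ${{ matrix.flavor }}`) and test `"$SNAPSHOT"` and `"$FLAVOR"` in the shell, which also removes the quoting traps the `=`/`==` fix in the next commit shows are easy to hit. Separately, the `packages/private/uds` path segment does not make the GHCR package private — visibility is a per-package setting on the new org — so confirm it before the unicorn flavor, which bundles the cgr.dev images, is pushed there.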
@@ -95,7 +95,7 @@ jobs: run: uds run -f tasks/publish.yaml standard-package --set FLAVOR=${{ matrix.flavor }} --set TARGET_REPO=${{ steps.repo.outputs.repo }} --no-progress - name: Publish Upstream Flavored Bundles - if: ${{ matrix.flavor = 'upstream' }} + if: ${{ matrix.flavor == 'upstream' }} run: uds run -f tasks/publish.yaml bundles --set TARGET_REPO=${{ steps.repo.outputs.repo }} --no-progress - name: Save logs From 8e992e385fc51e01f0e0df31dd8c7434660ea0d6 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Wed, 10 Jul 2024 15:39:15 +0000 Subject: [PATCH 37/61] chore(main): release 0.23.0 --- CHANGELOG.md | 309 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 309 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index a5206d7fe..776e5e5a0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -2,6 +2,315 @@ All notable changes to this project will be documented in this file. +## [0.23.0](https://github.com/BagelLab/uds-core/compare/v0.23.0...v0.23.0) (2024-07-10) + + +### ⚠ BREAKING CHANGES + +* remove emulated gitlab endpoints from keycloak ([#483](https://github.com/BagelLab/uds-core/issues/483)) + +### Features + +* add `expose` service entry for internal cluster traffic ([#356](https://github.com/BagelLab/uds-core/issues/356)) ([1bde4cc](https://github.com/BagelLab/uds-core/commit/1bde4ccf302864b0c38d093742ca683b96cebe89)) +* add `monitor` to operator, fix monitoring setup ([#256](https://github.com/BagelLab/uds-core/issues/256)) ([bf67722](https://github.com/BagelLab/uds-core/commit/bf67722d4e7e02d44dd29c4436e9a8d2ef960fa5)) +* add authservice to uds-core ([#153](https://github.com/BagelLab/uds-core/issues/153)) ([b0b33b9](https://github.com/BagelLab/uds-core/commit/b0b33b98ae12fe233c922bba55c9328212c2e578)) +* Add istio and preliminary ci ([#3](https://github.com/BagelLab/uds-core/issues/3)) ([fbd7453](https://github.com/BagelLab/uds-core/commit/fbd745392340dbc978b27f0d321f3375882c1c40)) +* add Istio VirtualService Requestmatch to UDS Operator ([#129](https://github.com/BagelLab/uds-core/issues/129)) ([a207197](https://github.com/BagelLab/uds-core/commit/a20719726991d3b981a372b705b776948f6fbc30)) +* add keycloak ([#147](https://github.com/BagelLab/uds-core/issues/147)) ([f99d3d5](https://github.com/BagelLab/uds-core/commit/f99d3d5d4f89264a21dd76d8847e1cef0325d127)) +* add keycloak sso realm values ([#352](https://github.com/BagelLab/uds-core/issues/352)) ([74436ea](https://github.com/BagelLab/uds-core/commit/74436ea78684a74044efdee14564a6582e659998)) +* add metrics-server ([#35](https://github.com/BagelLab/uds-core/issues/35)) ([8216ab9](https://github.com/BagelLab/uds-core/commit/8216ab982be79dc393a2e0db359370b32e660150)) +* add monitoring and logging ([#33](https://github.com/BagelLab/uds-core/issues/33)) 
([c6d9aec](https://github.com/BagelLab/uds-core/commit/c6d9aece4984421e1ccbf476cd0d40fb701e4e50)) +* add nightly testing eks ([#250](https://github.com/BagelLab/uds-core/issues/250)) ([543b09d](https://github.com/BagelLab/uds-core/commit/543b09d103a43c474da6a8c950404cc1f373b03f)) +* add pepr capability for istio + jobs ([#12](https://github.com/BagelLab/uds-core/issues/12)) ([c32a703](https://github.com/BagelLab/uds-core/commit/c32a70390f443c90796978ad4c42bbb4b17eb226)) +* add policy exemptions ([#165](https://github.com/BagelLab/uds-core/issues/165)) ([196df88](https://github.com/BagelLab/uds-core/commit/196df88b01347e530eb1cb49df7440d62c986e0e)) +* add prometheus-stack (monitoring) capability ([#2](https://github.com/BagelLab/uds-core/issues/2)) ([e438ab6](https://github.com/BagelLab/uds-core/commit/e438ab6089bc9d8c6640fa002285d38ddc3022df)) +* add reconciliation retries for CRs ([#423](https://github.com/BagelLab/uds-core/issues/423)) ([424b57b](https://github.com/BagelLab/uds-core/commit/424b57ba91906e1c60e6e92927e37b34d657ad01)) +* add saml and attribute/mapper support for keycloak in uds pepr operator ([#328](https://github.com/BagelLab/uds-core/issues/328)) ([c53d4ee](https://github.com/BagelLab/uds-core/commit/c53d4ee1227d71b60a35419f7c8c9396d71b9508)) +* add UDS Operator and consolidate UDS Policies ([#66](https://github.com/BagelLab/uds-core/issues/66)) ([395c1c4](https://github.com/BagelLab/uds-core/commit/395c1c4aec324d0d939cc410a6bb92129b26653b)) +* add velero package ([#210](https://github.com/BagelLab/uds-core/issues/210)) ([a272945](https://github.com/BagelLab/uds-core/commit/a27294585f0d50732b63672d0c2baf14948e29d1)) +* add Zarf Flavors to support Iron Bank & upstream images ([#63](https://github.com/BagelLab/uds-core/issues/63)) ([232c256](https://github.com/BagelLab/uds-core/commit/232c2566b96be0285c24b8b5787350897e72332f)) +* added initial oscal files ([#145](https://github.com/BagelLab/uds-core/issues/145)) 
([9600d5f](https://github.com/BagelLab/uds-core/commit/9600d5f159e4a04e8f71313f8ed118b87efbb9a1)) +* embed tls certs in istio package ([#32](https://github.com/BagelLab/uds-core/issues/32)) ([fb04fee](https://github.com/BagelLab/uds-core/commit/fb04feec9657f449366389a0e0a474a8cdeecb2c)) +* enable sso for neuvector ([#351](https://github.com/BagelLab/uds-core/issues/351)) ([597353e](https://github.com/BagelLab/uds-core/commit/597353e294e3dc5c06a8d572414e188f9845af8e)) +* expose tls certs as UDS bundle variables ([#48](https://github.com/BagelLab/uds-core/issues/48)) ([c1f8286](https://github.com/BagelLab/uds-core/commit/c1f828650ef2c53a3fd9ed477950046020c5d375)) +* introduce advancedHTTP for expose field & change podLabels to selector ([#154](https://github.com/BagelLab/uds-core/issues/154)) ([1079267](https://github.com/BagelLab/uds-core/commit/107926791149989a782254b8798b7c57a35cfcaf)) +* introduce Pepr common policies ([#50](https://github.com/BagelLab/uds-core/issues/50)) ([54182b4](https://github.com/BagelLab/uds-core/commit/54182b4db691d86ce80379be272d924d105b0d07)) +* introduce sso secret templating ([#276](https://github.com/BagelLab/uds-core/issues/276)) ([e0832ec](https://github.com/BagelLab/uds-core/commit/e0832ec2ee825dc1725483350e3b9295937b8feb)) +* keycloak PVC customization ([#341](https://github.com/BagelLab/uds-core/issues/341)) ([f8eae2a](https://github.com/BagelLab/uds-core/commit/f8eae2a20e02faac6e2c441845a82febeaab3b89)) +* **operator:** add events and improve lifecycle ops ([#245](https://github.com/BagelLab/uds-core/issues/245)) ([502c044](https://github.com/BagelLab/uds-core/commit/502c044547048a380b1f73dead0b8ab1b14a4b4f)) +* release-please integration ([#25](https://github.com/BagelLab/uds-core/issues/25)) ([bf3c53b](https://github.com/BagelLab/uds-core/commit/bf3c53b2ddac4e02e31aa3429029dd9f1c9595e3)) +* switch loki to simple scalable ([#156](https://github.com/BagelLab/uds-core/issues/156)) 
([1661b15](https://github.com/BagelLab/uds-core/commit/1661b154657eba1b30fc5bcec64179cbf6037c03)) +* uds common renovate config ([#391](https://github.com/BagelLab/uds-core/issues/391)) ([035786c](https://github.com/BagelLab/uds-core/commit/035786cadcd9c1fbaf7e0a798f9c13104a1a9a14)) +* uds core docs ([#414](https://github.com/BagelLab/uds-core/issues/414)) ([a35ca7b](https://github.com/BagelLab/uds-core/commit/a35ca7b484ab59572d8205a625db5447a8771e44)) +* update security policy to use provided user, group, and fsgroup ([#82](https://github.com/BagelLab/uds-core/issues/82)) ([6d641ce](https://github.com/BagelLab/uds-core/commit/6d641ce67210999bacda0e855269dca61e7c6a7b)) + + +### Bug Fixes + +* add keycloak to dev bundle and rename ([#262](https://github.com/BagelLab/uds-core/issues/262)) ([f9b905c](https://github.com/BagelLab/uds-core/commit/f9b905c7c2b7e4a6a43e7c83918e3157008433d3)) +* add kubeapi egress for neuvector enforcer ([#291](https://github.com/BagelLab/uds-core/issues/291)) ([87fc886](https://github.com/BagelLab/uds-core/commit/87fc886bc736104a9a3c3aefc4c7d232ed74a4f2)) +* add nightly uds-bundle.yaml to release-please extras for updates ([#346](https://github.com/BagelLab/uds-core/issues/346)) ([d1b3071](https://github.com/BagelLab/uds-core/commit/d1b3071182b48ef4905bb040d203fa42d7bbf76f)) +* add saml configuration to k3d standard bundle ([#425](https://github.com/BagelLab/uds-core/issues/425)) ([15b41d7](https://github.com/BagelLab/uds-core/commit/15b41d7ca506dd913316c41321aa9a3133755ab4)) +* add test for disallow selinux options and handle checking for us… ([#96](https://github.com/BagelLab/uds-core/issues/96)) ([88b969e](https://github.com/BagelLab/uds-core/commit/88b969e2aa4dea8b76dbe397d77c53941f7cfbc8)) +* arm64 packages / bundles creation ([#264](https://github.com/BagelLab/uds-core/issues/264)) ([425fa18](https://github.com/BagelLab/uds-core/commit/425fa184fca6bcebd1eea431dce7112cadae2f44)) +* basic validations for packages 
([#208](https://github.com/BagelLab/uds-core/issues/208)) ([9eba3af](https://github.com/BagelLab/uds-core/commit/9eba3afb7e288c13f75f93d5712d50a3b9e7b92d)) +* change pepr error policy to reject ([#99](https://github.com/BagelLab/uds-core/issues/99)) ([10772e2](https://github.com/BagelLab/uds-core/commit/10772e2c64f1e4b965b6b644b0008c81025029e9)) +* check if exemption exists before cleanup ([#468](https://github.com/BagelLab/uds-core/issues/468)) ([735288b](https://github.com/BagelLab/uds-core/commit/735288b87f2dff3c1bb28e9e20aac812d644aa4d)) +* ci things ([f2389a3](https://github.com/BagelLab/uds-core/commit/f2389a33d66491dfab62014cc744b25434202fe2)) +* complete incomplete deploy task ([#21](https://github.com/BagelLab/uds-core/issues/21)) ([45ff5e5](https://github.com/BagelLab/uds-core/commit/45ff5e5d7b6a50cdfcfabb174349ab539a8accd9)) +* concurrency group ([60ca1d0](https://github.com/BagelLab/uds-core/commit/60ca1d06208be3c7f5ec825a37d85504116585d1)) +* de-duplicate renovate matches ([#435](https://github.com/BagelLab/uds-core/issues/435)) ([4f9dbbb](https://github.com/BagelLab/uds-core/commit/4f9dbbbff0bbe1fe348ae7e6c55f97a505f730a9)) +* default keycloak realm envs ([#455](https://github.com/BagelLab/uds-core/issues/455)) ([3a2b48f](https://github.com/BagelLab/uds-core/commit/3a2b48fefb11afcf20f6826fbdef8c43daaf4639)) +* drop path normalization to MERGE_SLASHES to allow apps to handle encoded slashes ([#330](https://github.com/BagelLab/uds-core/issues/330)) ([26e965f](https://github.com/BagelLab/uds-core/commit/26e965fd71dd325bd8df451ce317456bf2d15073)) +* exemption race conditions ([#407](https://github.com/BagelLab/uds-core/issues/407)) ([d1b3b56](https://github.com/BagelLab/uds-core/commit/d1b3b5669976eb23ca8f88cd5b15a12c56102eca)) +* forgot to commit :( ([29545b6](https://github.com/BagelLab/uds-core/commit/29545b6ca6a35c1717b10b23c8bc2ed3a90f1c4d)) +* github token 
([75cfbe4](https://github.com/BagelLab/uds-core/commit/75cfbe446f9b6cd74b9858a7ceb6cd231b348509)) +* hotfix for publishing workflows ([#217](https://github.com/BagelLab/uds-core/issues/217)) ([5fefa01](https://github.com/BagelLab/uds-core/commit/5fefa017d382b7c5557e613b81cd84b27bda85f0)) +* inputs silly ([d5c51f3](https://github.com/BagelLab/uds-core/commit/d5c51f35f6817d66bfbf5b2d5f746032893c863a)) +* integrated docs ([#431](https://github.com/BagelLab/uds-core/issues/431)) ([72238fa](https://github.com/BagelLab/uds-core/commit/72238faed167a4e90e4d332e17909510efd98a58)) +* keycloak schema for package cr ([#436](https://github.com/BagelLab/uds-core/issues/436)) ([e32ce9a](https://github.com/BagelLab/uds-core/commit/e32ce9af9176ba8fef702a8c6aac84c15f9ab374)) +* keycloak volume permissions, UI update ([#223](https://github.com/BagelLab/uds-core/issues/223)) ([4454d3e](https://github.com/BagelLab/uds-core/commit/4454d3efcefe6bfa81628d330434afcc246fad65)) +* **keycloak:** add missing postgres host and port secret keys ([#224](https://github.com/BagelLab/uds-core/issues/224)) ([0c4d775](https://github.com/BagelLab/uds-core/commit/0c4d7758cfb077ff592fea907795402485b6c9f5)) +* **keycloak:** only use PVC for devMode ([#241](https://github.com/BagelLab/uds-core/issues/241)) ([a6e6023](https://github.com/BagelLab/uds-core/commit/a6e6023134dc5171441a2043701ed91309e1b32c)) +* kubeapi netpol generation now also includes the ip from the kubernetes service ([#219](https://github.com/BagelLab/uds-core/issues/219)) ([0a83d02](https://github.com/BagelLab/uds-core/commit/0a83d02f5782d911e3bb63935b0cac70030e5c9b)) +* loki bucket configuration service_account and namespace ([#332](https://github.com/BagelLab/uds-core/issues/332)) ([9518634](https://github.com/BagelLab/uds-core/commit/9518634b24f2d5c285e598f8620849bbc6288ba4)) +* loki local storage ([#84](https://github.com/BagelLab/uds-core/issues/84)) 
([b9505bb](https://github.com/BagelLab/uds-core/commit/b9505bbb42b5369c62d7cbfb05e1efb8b8a6200f)) +* loki s3 overrides ([#365](https://github.com/BagelLab/uds-core/issues/365)) ([3545066](https://github.com/BagelLab/uds-core/commit/354506647d65b0484332695abbbd58d91d9e7427)) +* metrics-server mTLS fix ([#44](https://github.com/BagelLab/uds-core/issues/44)) ([4853522](https://github.com/BagelLab/uds-core/commit/4853522c9504c87dcbd8319d689ecb0a1cb42c0b)) +* mismatched exemption/policy for DropAllCapabilities ([#384](https://github.com/BagelLab/uds-core/issues/384)) ([d8ec278](https://github.com/BagelLab/uds-core/commit/d8ec27827e2e2e7d85b4eba6b738f4b126264dd9)) +* named inputs ([c49e6ea](https://github.com/BagelLab/uds-core/commit/c49e6ea2b566198d4702d4c67c659e833a8bad97)) +* network policy to allow metrics-server ingress ([#148](https://github.com/BagelLab/uds-core/issues/148)) ([f1d434a](https://github.com/BagelLab/uds-core/commit/f1d434a68ef1f2a29ab3b13608bc16ce78211ed4)) +* networkpolicy for keycloak smtp egress ([4059954](https://github.com/BagelLab/uds-core/commit/4059954ed92502f10c1b5b769988a363adc06318)) +* nightly testing eks config architecture ([#452](https://github.com/BagelLab/uds-core/issues/452)) ([a0bbd1f](https://github.com/BagelLab/uds-core/commit/a0bbd1f0bf84f03d59866f9797555a08dc8034d6)) +* non-vendored zarf command refs ([#157](https://github.com/BagelLab/uds-core/issues/157)) ([fe183a9](https://github.com/BagelLab/uds-core/commit/fe183a9ae367bc2d7ea7d629e7c15877aabe38cd)) +* ocsp lookup egress policy ([#255](https://github.com/BagelLab/uds-core/issues/255)) ([77c38f2](https://github.com/BagelLab/uds-core/commit/77c38f22e9a77d9db81504f4c172fdc535c0929e)) +* pepr ironbank renovate update ([#299](https://github.com/BagelLab/uds-core/issues/299)) ([287e40d](https://github.com/BagelLab/uds-core/commit/287e40db5d65f7472a9e9216aae91f3ad92403d9)) +* pepr mutation annotation overwrite ([#385](https://github.com/BagelLab/uds-core/issues/385)) 
([6e56b2a](https://github.com/BagelLab/uds-core/commit/6e56b2afec8f54f8c0a4aa4b89fef1d1c754b627)) +* pepr operator derived netpol name collisions ([#480](https://github.com/BagelLab/uds-core/issues/480)) ([de60e25](https://github.com/BagelLab/uds-core/commit/de60e252526d73e439f5665b27f84e8773c24949)) +* registration robot check form id ([#269](https://github.com/BagelLab/uds-core/issues/269)) ([c6419b9](https://github.com/BagelLab/uds-core/commit/c6419b962eb5a02462e9060a66f7765689cfeb8f)) +* release workflow k3d image ([#316](https://github.com/BagelLab/uds-core/issues/316)) ([e7835e0](https://github.com/BagelLab/uds-core/commit/e7835e071f56af148792fbde250100af8e8ca0b8)) +* remove deprecated registry login and add env setup ([#443](https://github.com/BagelLab/uds-core/issues/443)) ([ca6b76f](https://github.com/BagelLab/uds-core/commit/ca6b76f3a66efb6b2e81832aff771ca06bdff68a)) +* remove go mod ([#441](https://github.com/BagelLab/uds-core/issues/441)) ([0de9693](https://github.com/BagelLab/uds-core/commit/0de969333923afb8fd4639547901c7d7f5c6a6f7)) +* remove loki gateway anti-affinity ([#111](https://github.com/BagelLab/uds-core/issues/111)) ([2cba42e](https://github.com/BagelLab/uds-core/commit/2cba42e3a83a25ae7a45f3c3d6a35bdc7bba0b58)) +* remove no-tea and update uds version ([#446](https://github.com/BagelLab/uds-core/issues/446)) ([434844b](https://github.com/BagelLab/uds-core/commit/434844b827e01808b504abf5ee6af83fba813cb6)) +* remove spec from secret yaml ([#226](https://github.com/BagelLab/uds-core/issues/226)) ([e4b5848](https://github.com/BagelLab/uds-core/commit/e4b58487f736f588944f7c039b8654f9006e04f1)) +* renovate config grouping, test-infra ([#411](https://github.com/BagelLab/uds-core/issues/411)) ([05fd407](https://github.com/BagelLab/uds-core/commit/05fd407e9c3bf6a0bac33de64e892ce2a63275ac)) +* renovate pepr comment ([#410](https://github.com/BagelLab/uds-core/issues/410)) 
([a825388](https://github.com/BagelLab/uds-core/commit/a82538817765ad21adb5f6bba283951bf4c23272)) +* resolve istio job termination container status logic issue ([#55](https://github.com/BagelLab/uds-core/issues/55)) ([c0142c2](https://github.com/BagelLab/uds-core/commit/c0142c213446a37185cdf9dec5ae60aaae8ba194)) +* revert "chore: support deselection of metrics-server" ([#196](https://github.com/BagelLab/uds-core/issues/196)) ([25a408d](https://github.com/BagelLab/uds-core/commit/25a408daeb7f6daada11c21e451f973ebe92c07c)) +* slim-dev monitoring handling ([#383](https://github.com/BagelLab/uds-core/issues/383)) ([79927aa](https://github.com/BagelLab/uds-core/commit/79927aa58cbb12c849e52b50c00b74629b100b31)) +* sticky sessions for keycloak in ha ([#281](https://github.com/BagelLab/uds-core/issues/281)) ([5ccd557](https://github.com/BagelLab/uds-core/commit/5ccd5576afc34d8b24061887f91ce284ec5857a1)) +* typo in comment ([#462](https://github.com/BagelLab/uds-core/issues/462)) ([582b1f4](https://github.com/BagelLab/uds-core/commit/582b1f4754ee3282696ea3b018322a1b3497a7d4)) +* unwanted exemption deletions ([#290](https://github.com/BagelLab/uds-core/issues/290)) ([50b0cd4](https://github.com/BagelLab/uds-core/commit/50b0cd4211964a90139347558028d6c461956da9)) +* update missing flavor create inputs in publish step ([#118](https://github.com/BagelLab/uds-core/issues/118)) ([a0233eb](https://github.com/BagelLab/uds-core/commit/a0233eb45e2d39035f483f3ed8fb3f396e5030d8)) +* update neuvector values for least privilege ([#373](https://github.com/BagelLab/uds-core/issues/373)) ([7f4de4f](https://github.com/BagelLab/uds-core/commit/7f4de4f729e60a258abc40ce34f9c397fae99181)) +* update status for test ([20983d7](https://github.com/BagelLab/uds-core/commit/20983d749871ac2b769584d2ea5d37c1b9183b52)) +* use updated k3s ([#426](https://github.com/BagelLab/uds-core/issues/426)) ([1da1c49](https://github.com/BagelLab/uds-core/commit/1da1c49e314c73e6fd1f2ef2940aff983262ec6b)) +* 
validating/mutating webhook networkpolicies and mtls ([#192](https://github.com/BagelLab/uds-core/issues/192)) ([b01e629](https://github.com/BagelLab/uds-core/commit/b01e62960985dd7cb318372abff296fb96f1012b)) +* valueFrom in KeyCloak statefulset.yaml ([#229](https://github.com/BagelLab/uds-core/issues/229)) ([189a5ce](https://github.com/BagelLab/uds-core/commit/189a5ce3a9dd16fe9646a293ca3948db21eb5d78)) +* wait on istio proxies ([#87](https://github.com/BagelLab/uds-core/issues/87)) ([51cd5a0](https://github.com/BagelLab/uds-core/commit/51cd5a012cc1d095a89b30a22910d3d7ad49885d)) +* workflow links ([eba372c](https://github.com/BagelLab/uds-core/commit/eba372c0b0a942f1bcead8efcd420fbb427ed6e1)) +* workflow outputs silly ([c427851](https://github.com/BagelLab/uds-core/commit/c4278510505b38b651d3f1893a098d1b432e5d95)) + + +### Miscellaneous + +* add checks before killing pods when updating istio annotations ([#457](https://github.com/BagelLab/uds-core/issues/457)) ([a62f9a0](https://github.com/BagelLab/uds-core/commit/a62f9a0e04bb538a8018a3f866c88e8b93c59826)) +* add commit lint workflow ([#19](https://github.com/BagelLab/uds-core/issues/19)) ([776a632](https://github.com/BagelLab/uds-core/commit/776a6325821329b2cbd97da2f40a30447cd48efc)) +* add debug logging to endpointslice watch ([#359](https://github.com/BagelLab/uds-core/issues/359)) ([da3eb5a](https://github.com/BagelLab/uds-core/commit/da3eb5ab4f5e6ced50f838456999995d5be601b7)) +* add debug logs to save logs for easier searching ([#430](https://github.com/BagelLab/uds-core/issues/430)) ([319101b](https://github.com/BagelLab/uds-core/commit/319101b61e4793037aab6c96b92c9d834763e9b8)) +* add debug output to release workflow ([#285](https://github.com/BagelLab/uds-core/issues/285)) ([5f96865](https://github.com/BagelLab/uds-core/commit/5f968651fb4f0da563d9c388efab761863f9ea08)) +* add flavor to pepr build task ([#238](https://github.com/BagelLab/uds-core/issues/238)) 
([29bf8a3](https://github.com/BagelLab/uds-core/commit/29bf8a3b83255c7548201f3ea19e22452a1d1d4a)) +* add minio deploy time bundle variable override definitions ([#58](https://github.com/BagelLab/uds-core/issues/58)) ([ca28e7b](https://github.com/BagelLab/uds-core/commit/ca28e7b4c4a42769934cc8ad69361ff29a348cc5)) +* add security.md ([#189](https://github.com/BagelLab/uds-core/issues/189)) ([bf7c1d2](https://github.com/BagelLab/uds-core/commit/bf7c1d28e077cf52d4f765b50d7efb8ce5d60fff)) +* add velero csi plugin ([#424](https://github.com/BagelLab/uds-core/issues/424)) ([c7e49e9](https://github.com/BagelLab/uds-core/commit/c7e49e91d9f7810ddc0368f146d43d3c94c782ad)) +* adding unit test for registerExemptions() ([#105](https://github.com/BagelLab/uds-core/issues/105)) ([5e71fcf](https://github.com/BagelLab/uds-core/commit/5e71fcf4751d2e3f6a1e55583ccf76c0fdc76856)) +* align mutation annotations ([#268](https://github.com/BagelLab/uds-core/issues/268)) ([f18ad4d](https://github.com/BagelLab/uds-core/commit/f18ad4db94a77f4229cc9267e0129f6aa3381c9a)) +* annotate mutations in policies ([#236](https://github.com/BagelLab/uds-core/issues/236)) ([cc9db50](https://github.com/BagelLab/uds-core/commit/cc9db500bb1033a516104f409fa05b3a1101d832)) +* bump zarf & uds-k3d deps ([#30](https://github.com/BagelLab/uds-core/issues/30)) ([dd28ab3](https://github.com/BagelLab/uds-core/commit/dd28ab3acd163aaccdfb76fbf9726c02a2ff0050)) +* conform to latest uds bundle schema ([#52](https://github.com/BagelLab/uds-core/issues/52)) ([14dad38](https://github.com/BagelLab/uds-core/commit/14dad3819187d4f8e13f7bbc191dca74a29b9c98)) +* dep updates for UDS CLI & Pepr ([#46](https://github.com/BagelLab/uds-core/issues/46)) ([1037634](https://github.com/BagelLab/uds-core/commit/10376349e350bd32f3bf32577d8f8089c09ac6cc)) +* **deps:** pin dependencies ([#79](https://github.com/BagelLab/uds-core/issues/79)) ([bfab11e](https://github.com/BagelLab/uds-core/commit/bfab11e345941d23dfeb928917f38e36a2f75bc9)) +* 
**deps:** update checkout action to latest sha ([#481](https://github.com/BagelLab/uds-core/issues/481)) ([c6f0137](https://github.com/BagelLab/uds-core/commit/c6f0137bb9a1e11f98d426cec8c98eb4005f160a)) +* **deps:** update checkout to v4.1.7 ([#478](https://github.com/BagelLab/uds-core/issues/478)) ([e91a0a3](https://github.com/BagelLab/uds-core/commit/e91a0a35252581554d9ed587e4ef72c2c88a3586)) +* **deps:** update dependency defenseunicorns/uds-common to v0.2.1 ([#205](https://github.com/BagelLab/uds-core/issues/205)) ([1b01407](https://github.com/BagelLab/uds-core/commit/1b01407c4ae3a707db381b07e1364c572c76eceb)) +* **deps:** update dependency defenseunicorns/uds-common to v0.2.2 ([#232](https://github.com/BagelLab/uds-core/issues/232)) ([083ae0c](https://github.com/BagelLab/uds-core/commit/083ae0c45667e5b9064cbff781fbe4e5bc0d2991)) +* **deps:** update dependency defenseunicorns/uds-common to v0.3.6 ([#261](https://github.com/BagelLab/uds-core/issues/261)) ([1b5398b](https://github.com/BagelLab/uds-core/commit/1b5398b7b778ead8ac3265080ae0bd2b5761066e)) +* **deps:** update dependency weaveworks/eksctl to v0.183.0 ([#499](https://github.com/BagelLab/uds-core/issues/499)) ([9cb8e4d](https://github.com/BagelLab/uds-core/commit/9cb8e4d7c86611918e502de0a7e7e25921523cbc)) +* **deps:** update githubactions ([#179](https://github.com/BagelLab/uds-core/issues/179)) ([7797e25](https://github.com/BagelLab/uds-core/commit/7797e259b9691099cce9e151ce1ebf9f9f181435)) +* **deps:** update githubactions ([#242](https://github.com/BagelLab/uds-core/issues/242)) ([1eb2e2c](https://github.com/BagelLab/uds-core/commit/1eb2e2cd2018f0cd8fb55d8e6576b7e36fa8c3cf)) +* **deps:** update githubactions ([#413](https://github.com/BagelLab/uds-core/issues/413)) ([ebd834e](https://github.com/BagelLab/uds-core/commit/ebd834e56ae9adabe14d9772e4a4d9c305da173c)) +* **deps:** update githubactions to de90cc6 ([#215](https://github.com/BagelLab/uds-core/issues/215)) 
([f79eed0](https://github.com/BagelLab/uds-core/commit/f79eed03b2495d9f3e11edb433291ce8a3aa55ee)) +* **deps:** update githubactions to ebc4d7e ([#183](https://github.com/BagelLab/uds-core/issues/183)) ([77357e7](https://github.com/BagelLab/uds-core/commit/77357e72cc0344e61fedcab7197aabdd7e4fd2a0)) +* **deps:** update githubactions to v19 ([#204](https://github.com/BagelLab/uds-core/issues/204)) ([d65acd4](https://github.com/BagelLab/uds-core/commit/d65acd4e2d37907685ba9083ff98988b4ea1d452)) +* **deps:** update githubactions to v3 ([#181](https://github.com/BagelLab/uds-core/issues/181)) ([70c5ddf](https://github.com/BagelLab/uds-core/commit/70c5ddf1ee0e5017bee4057d96b320812a964f88)) +* **deps:** update githubactions to v4.1.3 ([#471](https://github.com/BagelLab/uds-core/issues/471)) ([2a9f44d](https://github.com/BagelLab/uds-core/commit/2a9f44d20dce66fa474e47ba0c93eaa7fa9ad406)) +* **deps:** update grafana ([#144](https://github.com/BagelLab/uds-core/issues/144)) ([6987927](https://github.com/BagelLab/uds-core/commit/698792728faf8cfeabaf7a7c735c91229cc0c07f)) +* **deps:** update grafana ([#257](https://github.com/BagelLab/uds-core/issues/257)) ([c98e566](https://github.com/BagelLab/uds-core/commit/c98e5661c3e6fb84bf17fc64170f5dd39779dda7)) +* **deps:** update grafana ([#339](https://github.com/BagelLab/uds-core/issues/339)) ([52e6c1b](https://github.com/BagelLab/uds-core/commit/52e6c1b3bb003402710bc0fa85419538f38b388f)) +* **deps:** update grafana ([#80](https://github.com/BagelLab/uds-core/issues/80)) ([ccb2c12](https://github.com/BagelLab/uds-core/commit/ccb2c1280313fe69198ecab5fea5b38fc650f699)) +* **deps:** update grafana to v10.3.1 ([#132](https://github.com/BagelLab/uds-core/issues/132)) ([09e028c](https://github.com/BagelLab/uds-core/commit/09e028c63093a6f5fdfd0b1be800b07c0eb9de77)) +* **deps:** update grafana to v7.2.5 ([#136](https://github.com/BagelLab/uds-core/issues/136)) 
([a271270](https://github.com/BagelLab/uds-core/commit/a271270f2d3f3488aa9664ef5ad69a4d239c5d22)) +* **deps:** update grafana to v7.3.0 ([#142](https://github.com/BagelLab/uds-core/issues/142)) ([5e960c0](https://github.com/BagelLab/uds-core/commit/5e960c0479e6fc96244db0230296c94e936e57d8)) +* **deps:** update grafana to v7.3.9 ([#353](https://github.com/BagelLab/uds-core/issues/353)) ([4a70f40](https://github.com/BagelLab/uds-core/commit/4a70f407d5e06919aaa0dc5901f49f7f1b166c9d)) +* **deps:** update istio to v1.20.2 ([#75](https://github.com/BagelLab/uds-core/issues/75)) ([671f977](https://github.com/BagelLab/uds-core/commit/671f977ff183010ce75e323532db500dcd4aa69c)) +* **deps:** update istio to v1.20.3 ([#163](https://github.com/BagelLab/uds-core/issues/163)) ([e45de0e](https://github.com/BagelLab/uds-core/commit/e45de0e5917a2ca6c3e30e593e2d9a8d393849a9)) +* **deps:** update istio to v1.21.2 ([#258](https://github.com/BagelLab/uds-core/issues/258)) ([51c6540](https://github.com/BagelLab/uds-core/commit/51c65405c87ed3c147bdd90172ab0588dc8e5db1)) +* **deps:** update istio to v1.22.1 ([#405](https://github.com/BagelLab/uds-core/issues/405)) ([ad4b861](https://github.com/BagelLab/uds-core/commit/ad4b861158eecfac1d09a37ea3776e31a1c387cb)) +* **deps:** update jest to v29.1.4 ([#438](https://github.com/BagelLab/uds-core/issues/438)) ([c3ecc8b](https://github.com/BagelLab/uds-core/commit/c3ecc8b83b8c65f09600ab937a1c140c4a5f7db1)) +* **deps:** update jest to v29.1.5 ([#485](https://github.com/BagelLab/uds-core/issues/485)) ([9c392b9](https://github.com/BagelLab/uds-core/commit/9c392b9b88c84e3c3763878e6beb1800c43ded25)) +* **deps:** update keycloak ([#349](https://github.com/BagelLab/uds-core/issues/349)) ([2ef1813](https://github.com/BagelLab/uds-core/commit/2ef181333d2fd853bb8eee2c5deb82430d68c861)) +* **deps:** update keycloak ([#390](https://github.com/BagelLab/uds-core/issues/390)) 
([3e82c4e](https://github.com/BagelLab/uds-core/commit/3e82c4ece470a5eea81d937b2b38c455934212e1)) +* **deps:** update keycloak to v0.4.2 ([#375](https://github.com/BagelLab/uds-core/issues/375)) ([b0bb8e4](https://github.com/BagelLab/uds-core/commit/b0bb8e47f78886186514f188a99ff38463a5eac3)) +* **deps:** update keycloak to v0.4.4 ([#460](https://github.com/BagelLab/uds-core/issues/460)) ([936f40b](https://github.com/BagelLab/uds-core/commit/936f40bf078bb06d94ebd51585b4eb7669d426b4)) +* **deps:** update keycloak to v0.4.5 ([#461](https://github.com/BagelLab/uds-core/issues/461)) ([3592012](https://github.com/BagelLab/uds-core/commit/35920121bcdfbdf9b708eb3308ea34763a31246a)) +* **deps:** update keycloak to v24.0.4 ([#397](https://github.com/BagelLab/uds-core/issues/397)) ([c0420ea](https://github.com/BagelLab/uds-core/commit/c0420ea750b3a7dfc8ea6adab5225f76178ef953)) +* **deps:** update keycloak to v24.0.4 ([#402](https://github.com/BagelLab/uds-core/issues/402)) ([e454576](https://github.com/BagelLab/uds-core/commit/e454576a6de53e833d6b925308f09d6007166dde)) +* **deps:** update keycloak to v24.0.5 ([#453](https://github.com/BagelLab/uds-core/issues/453)) ([6b0c6fc](https://github.com/BagelLab/uds-core/commit/6b0c6fc91f238e367c9f2d54f0daaf9d8065794e)) +* **deps:** update keycloak to v24.0.5 ([#454](https://github.com/BagelLab/uds-core/issues/454)) ([89911f0](https://github.com/BagelLab/uds-core/commit/89911f0ca01ac421a254b79e25124525f464cf51)) +* **deps:** update loki ([#131](https://github.com/BagelLab/uds-core/issues/131)) ([61250b0](https://github.com/BagelLab/uds-core/commit/61250b02eca7ca57d7f346c1da5b63f19de17c49)) +* **deps:** update loki ([#209](https://github.com/BagelLab/uds-core/issues/209)) ([03ca499](https://github.com/BagelLab/uds-core/commit/03ca499bd5d9cac800bd36dca80340ceac3f3009)) +* **deps:** update loki ([#72](https://github.com/BagelLab/uds-core/issues/72)) 
([98134bb](https://github.com/BagelLab/uds-core/commit/98134bba1f6078a867aae2ae28f4152ba7b1a8e5)) +* **deps:** update loki to v5.43.0 ([#180](https://github.com/BagelLab/uds-core/issues/180)) ([bab5f7a](https://github.com/BagelLab/uds-core/commit/bab5f7aba3644c0e478a17338df4e074b0c1a6a2)) +* **deps:** update loki to v5.43.1 ([#182](https://github.com/BagelLab/uds-core/issues/182)) ([6cc5fc7](https://github.com/BagelLab/uds-core/commit/6cc5fc7f5a07d848cfe4f18dc9a7e2a4cd91b1cf)) +* **deps:** update loki to v5.43.2 ([#191](https://github.com/BagelLab/uds-core/issues/191)) ([0ec0cd4](https://github.com/BagelLab/uds-core/commit/0ec0cd4d6cdc7b4eb1eea33f4da7b144ecbc29a5)) +* **deps:** update loki to v5.43.3 ([#199](https://github.com/BagelLab/uds-core/issues/199)) ([40f1554](https://github.com/BagelLab/uds-core/commit/40f155469670a4b7290819fc09d28ff1fcc06a81)) +* **deps:** update metrics-server ([#123](https://github.com/BagelLab/uds-core/issues/123)) ([fb25a97](https://github.com/BagelLab/uds-core/commit/fb25a970d6e3b51432164fab05ea2d19d1a638ef)) +* **deps:** update metrics-server ([#298](https://github.com/BagelLab/uds-core/issues/298)) ([691fd87](https://github.com/BagelLab/uds-core/commit/691fd87ae3e523c897d0461c4a0384b2bb7c8c03)) +* **deps:** update neuvector ([#333](https://github.com/BagelLab/uds-core/issues/333)) ([010e287](https://github.com/BagelLab/uds-core/commit/010e287dbf3a712d19e54bfbbaa87807585130d7)) +* **deps:** update neuvector ([#73](https://github.com/BagelLab/uds-core/issues/73)) ([50f6c90](https://github.com/BagelLab/uds-core/commit/50f6c90ca31d5bf984e44fd1ded7c5cfcb968064)) +* **deps:** update neuvector to 5.3.3 ([#467](https://github.com/BagelLab/uds-core/issues/467)) ([261057d](https://github.com/BagelLab/uds-core/commit/261057d2bf142c3167fdf0d0bd68bc2fb47d22df)) +* **deps:** update neuvector to v9.4 ([#381](https://github.com/BagelLab/uds-core/issues/381)) 
([20d4170](https://github.com/BagelLab/uds-core/commit/20d4170386d2437826abafc68d87d91dc457022a)) +* **deps:** update pepr ([#116](https://github.com/BagelLab/uds-core/issues/116)) ([bfa7352](https://github.com/BagelLab/uds-core/commit/bfa7352ebe962ef1ed091f4a5799ed4974e086ef)) +* **deps:** update pepr ([#324](https://github.com/BagelLab/uds-core/issues/324)) ([2ef0f96](https://github.com/BagelLab/uds-core/commit/2ef0f96da7476b487d72d4bb7ce4bd50fdb0b182)) +* **deps:** update pepr ([#340](https://github.com/BagelLab/uds-core/issues/340)) ([e71ba4a](https://github.com/BagelLab/uds-core/commit/e71ba4ab4eb1ea1cc482b507fef4e0e2735bbd1f)) +* **deps:** update pepr ([#419](https://github.com/BagelLab/uds-core/issues/419)) ([d8f0309](https://github.com/BagelLab/uds-core/commit/d8f0309b4f9661b1c5bc2d5e574697ee9579e387)) +* **deps:** update pepr ([#76](https://github.com/BagelLab/uds-core/issues/76)) ([50de920](https://github.com/BagelLab/uds-core/commit/50de920bcf03092d16a11ebf77ede70987a7cdcf)) +* **deps:** update pepr to 0.31.0 ([#360](https://github.com/BagelLab/uds-core/issues/360)) ([fbd61ea](https://github.com/BagelLab/uds-core/commit/fbd61ea9665133619aec81726b189449226d8459)) +* **deps:** update pepr to 0.32.2 ([#473](https://github.com/BagelLab/uds-core/issues/473)) ([ab4bee9](https://github.com/BagelLab/uds-core/commit/ab4bee906f020d86b90c0b984789be55f8b4c08b)) +* **deps:** update pepr to 0.32.3 ([#494](https://github.com/BagelLab/uds-core/issues/494)) ([2e28897](https://github.com/BagelLab/uds-core/commit/2e2889784043b21463e72643eb890054645dd439)) +* **deps:** update pepr to v0.22.0 ([#102](https://github.com/BagelLab/uds-core/issues/102)) ([941902d](https://github.com/BagelLab/uds-core/commit/941902dcfc2ec1d5340d658f75811b3369489c56)) +* **deps:** update pepr to v0.22.2 ([#104](https://github.com/BagelLab/uds-core/issues/104)) ([0555353](https://github.com/BagelLab/uds-core/commit/0555353e5a5dec2aa8685a3987852d1c3788f28c)) +* **deps:** update pepr to v0.24.1 
([#134](https://github.com/BagelLab/uds-core/issues/134)) ([6474a1c](https://github.com/BagelLab/uds-core/commit/6474a1c0a16c8d87248acb1b3f7d79b76a354fc8)) +* **deps:** update pepr to v0.25.0 ([#164](https://github.com/BagelLab/uds-core/issues/164)) ([e7b8212](https://github.com/BagelLab/uds-core/commit/e7b8212b6a8ed2e16b47264687e0c39d2f0a3455)) +* **deps:** update pepr to v0.28.6 ([#254](https://github.com/BagelLab/uds-core/issues/254)) ([54ef7de](https://github.com/BagelLab/uds-core/commit/54ef7ded349d060b1732b381124fe29e3e8fe85b)) +* **deps:** update pepr to v0.28.6 ([#300](https://github.com/BagelLab/uds-core/issues/300)) ([86b43e4](https://github.com/BagelLab/uds-core/commit/86b43e478521aa88a3a4843948ca96b9cbe55985)) +* **deps:** update pepr to v0.28.7 ([#321](https://github.com/BagelLab/uds-core/issues/321)) ([e7206bb](https://github.com/BagelLab/uds-core/commit/e7206bb93ce23a3ae611e410106890df3eafdea1)) +* **deps:** update pepr to v0.4.5 ([#447](https://github.com/BagelLab/uds-core/issues/447)) ([f1dba17](https://github.com/BagelLab/uds-core/commit/f1dba17076a7c6052ed67e07bdb560fda7604b80)) +* **deps:** update prometheus-stack ([#128](https://github.com/BagelLab/uds-core/issues/128)) ([625622a](https://github.com/BagelLab/uds-core/commit/625622a44c101f0a9c1beffd66eb259dc1f1eedc)) +* **deps:** update prometheus-stack ([#190](https://github.com/BagelLab/uds-core/issues/190)) ([f9a605a](https://github.com/BagelLab/uds-core/commit/f9a605a4c828128fc19f0bdb1d2443f65fb87b8a)) +* **deps:** update prometheus-stack ([#301](https://github.com/BagelLab/uds-core/issues/301)) ([143eca3](https://github.com/BagelLab/uds-core/commit/143eca3ecc2e3c39765312dc3c5384c87a13d7da)) +* **deps:** update prometheus-stack ([#348](https://github.com/BagelLab/uds-core/issues/348)) ([49cb11a](https://github.com/BagelLab/uds-core/commit/49cb11a058a9209cee7019fa552b8c0b2ef73368)) +* **deps:** update prometheus-stack ([#392](https://github.com/BagelLab/uds-core/issues/392)) 
([2e656f5](https://github.com/BagelLab/uds-core/commit/2e656f5dc3de2e6561ac313cb1bae478635b86b3)) +* **deps:** update prometheus-stack ([#422](https://github.com/BagelLab/uds-core/issues/422)) ([a96193e](https://github.com/BagelLab/uds-core/commit/a96193e257701dfaf6fccc34246ef3f31e639f3e)) +* **deps:** update prometheus-stack ([#81](https://github.com/BagelLab/uds-core/issues/81)) ([19bedb6](https://github.com/BagelLab/uds-core/commit/19bedb60cd2f99615c4b5673623ff0ff6fafb73f)) +* **deps:** update promtail ([#74](https://github.com/BagelLab/uds-core/issues/74)) ([6a112b5](https://github.com/BagelLab/uds-core/commit/6a112b5226250f1a17023b2c1225d404cf8feeee)) +* **deps:** update to keycloak 24 ([#336](https://github.com/BagelLab/uds-core/issues/336)) ([1153ba0](https://github.com/BagelLab/uds-core/commit/1153ba09ac062d3477a4ee396376be83493ad3c5)) +* **deps:** update uds to v0.10.4 ([#228](https://github.com/BagelLab/uds-core/issues/228)) ([1750b23](https://github.com/BagelLab/uds-core/commit/1750b2304e3c6f0ce6a60f1ef2873ce8a6ce1502)) +* **deps:** update uds to v0.11.1 ([#472](https://github.com/BagelLab/uds-core/issues/472)) ([12fd798](https://github.com/BagelLab/uds-core/commit/12fd79894e71ee06181ccd6f2ac98b84d935066c)) +* **deps:** update uds to v0.11.2 ([#479](https://github.com/BagelLab/uds-core/issues/479)) ([f967f9a](https://github.com/BagelLab/uds-core/commit/f967f9a4bf8d718b9ece96d882db4d9c800f5f0f)) +* **deps:** update uds to v0.5.3, zarf to v0.32.1, and uds-k3d to 0.3.0 ([#77](https://github.com/BagelLab/uds-core/issues/77)) ([596f9d8](https://github.com/BagelLab/uds-core/commit/596f9d8df51c3df1aa87fd0e09d9e69c87473bf0)) +* **deps:** update uds to v0.6.2 ([#107](https://github.com/BagelLab/uds-core/issues/107)) ([7b7220e](https://github.com/BagelLab/uds-core/commit/7b7220e708cf2dca25cc592b8932661620d9610d)) +* **deps:** update uds to v0.8.1 ([#141](https://github.com/BagelLab/uds-core/issues/141)) 
([fa79065](https://github.com/BagelLab/uds-core/commit/fa79065265a5ee2b8f6f6a55d1c2904bbaf42fff)) +* **deps:** update uds to v0.9.0 ([#173](https://github.com/BagelLab/uds-core/issues/173)) ([b91a90d](https://github.com/BagelLab/uds-core/commit/b91a90db987e108a5a093a326428bbd0b5f9446e)) +* **deps:** update uds to v0.9.2 ([#200](https://github.com/BagelLab/uds-core/issues/200)) ([e4b54fe](https://github.com/BagelLab/uds-core/commit/e4b54febc4d7914e962db92b7a0490a3735af4e5)) +* **deps:** update uds-common tasks to 0.6.1 ([#498](https://github.com/BagelLab/uds-core/issues/498)) ([4aa6e33](https://github.com/BagelLab/uds-core/commit/4aa6e3372f6d1a5df1e2ae51a3129603a8b0b29b)) +* **deps:** update uds-common to v0.4.4 ([#442](https://github.com/BagelLab/uds-core/issues/442)) ([bf6debd](https://github.com/BagelLab/uds-core/commit/bf6debdd0d50f6cde11288cd70d8bdf1dcdaaaa0)) +* **deps:** update uds-identity-config to 0.4.1 ([#355](https://github.com/BagelLab/uds-core/issues/355)) ([8485931](https://github.com/BagelLab/uds-core/commit/84859316ea92ef9ec7807a702ee246e11b73567b)) +* **deps:** update uds-k3d to v0.3.1 ([#89](https://github.com/BagelLab/uds-core/issues/89)) ([5d54cd1](https://github.com/BagelLab/uds-core/commit/5d54cd1efe5eee4c19caf347882725e0aa20e50a)) +* **deps:** update uds-k3d to v0.5.0 ([#186](https://github.com/BagelLab/uds-core/issues/186)) ([164bf5f](https://github.com/BagelLab/uds-core/commit/164bf5f8bd58899f5ec1a179d6d409cfb46b850f)) +* **deps:** update uds-k3d to v0.6.0 ([#240](https://github.com/BagelLab/uds-core/issues/240)) ([6a26523](https://github.com/BagelLab/uds-core/commit/6a2652368fde3a3bdbe5bb81fd258830dfaeb5c8)) +* **deps:** update uds-k3d to v0.6.0 ([#398](https://github.com/BagelLab/uds-core/issues/398)) ([288f009](https://github.com/BagelLab/uds-core/commit/288f00990a715087c9bf1fffd0a63ecf33125a5a)) +* **deps:** update uds-k3d to v0.7.0 ([#428](https://github.com/BagelLab/uds-core/issues/428)) 
([23b59a2](https://github.com/BagelLab/uds-core/commit/23b59a260b2c60791614ca4d39a33e65476e19ee)) +* **deps:** update velero ([#260](https://github.com/BagelLab/uds-core/issues/260)) ([f352008](https://github.com/BagelLab/uds-core/commit/f35200833a4d4d50de9f632f6918320f7d8fff5e)) +* **deps:** update velero ([#350](https://github.com/BagelLab/uds-core/issues/350)) ([e7cb33e](https://github.com/BagelLab/uds-core/commit/e7cb33ea9a13ab9550aab45d8ee437a1ba595d38)) +* **deps:** update velero ([#408](https://github.com/BagelLab/uds-core/issues/408)) ([ffbefda](https://github.com/BagelLab/uds-core/commit/ffbefda74777466ef74ad1d5cffff1f4895f323d)) +* **deps:** update velero ([#440](https://github.com/BagelLab/uds-core/issues/440)) ([4b1a3ea](https://github.com/BagelLab/uds-core/commit/4b1a3ead81a80b49e5ccfeb2e4130a4aaebb53a4)) +* **deps:** update velero to v1.30.2 ([#476](https://github.com/BagelLab/uds-core/issues/476)) ([89bbda9](https://github.com/BagelLab/uds-core/commit/89bbda9e640014bede116c254381cab8995df12f)) +* **deps:** update velero to v6.6.0 ([#456](https://github.com/BagelLab/uds-core/issues/456)) ([aff37c1](https://github.com/BagelLab/uds-core/commit/aff37c194e321f6a6c92f1bc11fd796cf9f0a9ab)) +* **deps:** update zarf to v0.32.2 ([#133](https://github.com/BagelLab/uds-core/issues/133)) ([91502c6](https://github.com/BagelLab/uds-core/commit/91502c6321334c6d31ce5fd1cd8f2fe6f77c09ae)) +* **deps:** update zarf to v0.32.3 ([#155](https://github.com/BagelLab/uds-core/issues/155)) ([2f0a1a7](https://github.com/BagelLab/uds-core/commit/2f0a1a77043ce298e765e6999cf11a97f36e4ecc)) +* **deps:** update zarf to v0.32.4 ([#203](https://github.com/BagelLab/uds-core/issues/203)) ([05c903e](https://github.com/BagelLab/uds-core/commit/05c903ea43243401d9cc2928ba5eb66ff6201c94)) +* **deps:** update zarf to v0.32.5 ([#243](https://github.com/BagelLab/uds-core/issues/243)) ([ee93612](https://github.com/BagelLab/uds-core/commit/ee9361224767c1a708b6f8e2c266af710facea8d)) +* **deps:** 
update zarf to v0.32.6 ([#282](https://github.com/BagelLab/uds-core/issues/282)) ([443426d](https://github.com/BagelLab/uds-core/commit/443426d05b9bd1d15fb4632efa26219250270895)) +* **deps:** update zarf to v0.33.0 ([#325](https://github.com/BagelLab/uds-core/issues/325)) ([f2a2a66](https://github.com/BagelLab/uds-core/commit/f2a2a665309c812b4300047d1c90ff3833a8eba6)) +* **deps:** update zarf to v0.33.1 ([#368](https://github.com/BagelLab/uds-core/issues/368)) ([296e547](https://github.com/BagelLab/uds-core/commit/296e54729c20c9ecee21677daec874a2c8b57b57)) +* **deps:** update zarf to v0.33.2 ([#394](https://github.com/BagelLab/uds-core/issues/394)) ([201a37b](https://github.com/BagelLab/uds-core/commit/201a37b12277880058c14fc05b3c0d4aecbf31e0)) +* **deps:** update zarf to v0.34.0 ([#434](https://github.com/BagelLab/uds-core/issues/434)) ([9badf9d](https://github.com/BagelLab/uds-core/commit/9badf9d4b9b6f904b1b7a478be5355416dc7fbe0)) +* **deps:** update zarf to v0.35.0 ([#490](https://github.com/BagelLab/uds-core/issues/490)) ([86957cf](https://github.com/BagelLab/uds-core/commit/86957cfe19564ec8ddccec7e496af4469def322a)) +* docs linting changes ([#505](https://github.com/BagelLab/uds-core/issues/505)) ([0fe2015](https://github.com/BagelLab/uds-core/commit/0fe20151713363f572a50601016e06e60230990f)) +* fix missing deps in tag and release workflow ([#28](https://github.com/BagelLab/uds-core/issues/28)) ([1e1af76](https://github.com/BagelLab/uds-core/commit/1e1af762e8eb1dd331cbd681e48ecc95ec3184d2)) +* initial renovate config ([#67](https://github.com/BagelLab/uds-core/issues/67)) ([2cd19d8](https://github.com/BagelLab/uds-core/commit/2cd19d871a95491950d43fea8e8fd2e8c290cd55)) +* kick off ci ([1afc3a4](https://github.com/BagelLab/uds-core/commit/1afc3a4203cce1a1c81b15e7ba6caad1a9c63131)) +* **main:** release 0.1.1 ([#27](https://github.com/BagelLab/uds-core/issues/27)) ([3776e91](https://github.com/BagelLab/uds-core/commit/3776e91670aa73907cb9c48a05419d106ecedd67)) +* 
**main:** release 0.1.2 ([#29](https://github.com/BagelLab/uds-core/issues/29)) ([af7b0be](https://github.com/BagelLab/uds-core/commit/af7b0beaf409627c87b47e4d908b0a8a0d8cff63)) +* **main:** release 0.1.3 ([#31](https://github.com/BagelLab/uds-core/issues/31)) ([28ad8a7](https://github.com/BagelLab/uds-core/commit/28ad8a78b023f160714ecb90d748ee65403cf500)) +* **main:** release 0.10.0 ([#135](https://github.com/BagelLab/uds-core/issues/135)) ([5bb6f01](https://github.com/BagelLab/uds-core/commit/5bb6f016631fdef4f14848ff55588f33e6d4f07d)) +* **main:** release 0.11.0 ([#138](https://github.com/BagelLab/uds-core/issues/138)) ([c02ada8](https://github.com/BagelLab/uds-core/commit/c02ada860f532d8955af00637756ee622f3e9019)) +* **main:** release 0.11.1 ([#159](https://github.com/BagelLab/uds-core/issues/159)) ([2c493bb](https://github.com/BagelLab/uds-core/commit/2c493bb7c877a7193e45376a9d28aed832cff590)) +* **main:** release 0.12.0 ([#161](https://github.com/BagelLab/uds-core/issues/161)) ([e3c41e8](https://github.com/BagelLab/uds-core/commit/e3c41e82ba5bd776f2633cbde222ab05c5c513f3)) +* **main:** release 0.13.0 ([#170](https://github.com/BagelLab/uds-core/issues/170)) ([09c9447](https://github.com/BagelLab/uds-core/commit/09c9447fa47e5bd1f1d3ae627d7c3dab9c46d596)) +* **main:** release 0.13.1 ([#197](https://github.com/BagelLab/uds-core/issues/197)) ([e968fe9](https://github.com/BagelLab/uds-core/commit/e968fe9707f5a1f154b1fd19050ba46073427495)) +* **main:** release 0.14.0 ([#202](https://github.com/BagelLab/uds-core/issues/202)) ([d090f40](https://github.com/BagelLab/uds-core/commit/d090f4052679d1557973a17524923280c04807fd)) +* **main:** release 0.14.1 ([#218](https://github.com/BagelLab/uds-core/issues/218)) ([3199d8b](https://github.com/BagelLab/uds-core/commit/3199d8bc8cc8e11f9eccdb7075ce798572f6fa0a)) +* **main:** release 0.14.2 ([#221](https://github.com/BagelLab/uds-core/issues/221)) 
([2ab4c54](https://github.com/BagelLab/uds-core/commit/2ab4c54618f40c8f195e4bbc1aee63024e488dc8)) +* **main:** release 0.14.3 ([#225](https://github.com/BagelLab/uds-core/issues/225)) ([05b1c19](https://github.com/BagelLab/uds-core/commit/05b1c196e4509ee38261a9b9bc8bc8531086b499)) +* **main:** release 0.14.4 ([#227](https://github.com/BagelLab/uds-core/issues/227)) ([d2d005b](https://github.com/BagelLab/uds-core/commit/d2d005b9caf0b067f850f752a3d6e643c99a74c6)) +* **main:** release 0.14.5 ([#230](https://github.com/BagelLab/uds-core/issues/230)) ([1acafca](https://github.com/BagelLab/uds-core/commit/1acafcadf0baa4567d4f0c41e3201fa40895d092)) +* **main:** release 0.15.0 ([#233](https://github.com/BagelLab/uds-core/issues/233)) ([f4f3699](https://github.com/BagelLab/uds-core/commit/f4f3699096e4f917cf36bcb15bdb47179569b74d)) +* **main:** release 0.15.1 ([#235](https://github.com/BagelLab/uds-core/issues/235)) ([a0c6b32](https://github.com/BagelLab/uds-core/commit/a0c6b327ada2a36a08a4dc4874248d9df65f5381)) +* **main:** release 0.16.0 ([#246](https://github.com/BagelLab/uds-core/issues/246)) ([efc64d4](https://github.com/BagelLab/uds-core/commit/efc64d45c6e78f3014258b80abdf35d0119bde36)) +* **main:** release 0.16.1 ([#265](https://github.com/BagelLab/uds-core/issues/265)) ([4e4eaea](https://github.com/BagelLab/uds-core/commit/4e4eaea6c16e010837bb1c0d5624ebda418bce6f)) +* **main:** release 0.17.0 ([#267](https://github.com/BagelLab/uds-core/issues/267)) ([510f536](https://github.com/BagelLab/uds-core/commit/510f536133e835f98bb524bfc9f437e6f716d9ef)) +* **main:** release 0.18.0 ([#286](https://github.com/BagelLab/uds-core/issues/286)) ([40e6b7b](https://github.com/BagelLab/uds-core/commit/40e6b7b711ddbd956058eda8490355568faddaec)) +* **main:** release 0.18.0 ([#318](https://github.com/BagelLab/uds-core/issues/318)) ([5f5e0b8](https://github.com/BagelLab/uds-core/commit/5f5e0b8a19daf0b51d9a102fd851ff76e5296d4e)) +* **main:** release 0.19.0 
([#320](https://github.com/BagelLab/uds-core/issues/320)) ([4ce502b](https://github.com/BagelLab/uds-core/commit/4ce502be3a5d83c28c259db8080a215f309c6ed7)) +* **main:** release 0.2.0 ([#34](https://github.com/BagelLab/uds-core/issues/34)) ([5185a8f](https://github.com/BagelLab/uds-core/commit/5185a8f98c90578eabd9f1494f55e43922bb7a92)) +* **main:** release 0.20.0 ([#345](https://github.com/BagelLab/uds-core/issues/345)) ([c29cc91](https://github.com/BagelLab/uds-core/commit/c29cc91cd2e41d5bbaee33deb173628c83ad0480)) +* **main:** release 0.21.0 ([#361](https://github.com/BagelLab/uds-core/issues/361)) ([c9f027f](https://github.com/BagelLab/uds-core/commit/c9f027f518de547b962b06defb836fba3c70ff3d)) +* **main:** release 0.21.1 ([#379](https://github.com/BagelLab/uds-core/issues/379)) ([b46a161](https://github.com/BagelLab/uds-core/commit/b46a161271bac3c167e554fadf673d2536b6b420)) +* **main:** release 0.22.0 ([#386](https://github.com/BagelLab/uds-core/issues/386)) ([6367bef](https://github.com/BagelLab/uds-core/commit/6367bef04dab6803471b8f424210baedf2004d01)) +* **main:** release 0.22.1 ([#432](https://github.com/BagelLab/uds-core/issues/432)) ([7cf9c4c](https://github.com/BagelLab/uds-core/commit/7cf9c4c09dccc1d91edb7acbb2aee8750c5433ed)) +* **main:** release 0.22.2 ([#474](https://github.com/BagelLab/uds-core/issues/474)) ([84a408f](https://github.com/BagelLab/uds-core/commit/84a408fb23c1803bdbbf5e1f1ce64e97110f2829)) +* **main:** release 0.23.0 ([d640453](https://github.com/BagelLab/uds-core/commit/d64045363c267dad4d10b447e7706b1e739765ae)) +* **main:** release 0.3.0 ([#39](https://github.com/BagelLab/uds-core/issues/39)) ([4d2b05d](https://github.com/BagelLab/uds-core/commit/4d2b05de9d155dc91b799bde5156c5980bc348cb)) +* **main:** release 0.4.0 ([#43](https://github.com/BagelLab/uds-core/issues/43)) ([d2b61c3](https://github.com/BagelLab/uds-core/commit/d2b61c373b91d4f405e27ce930e4f8bec52ddd21)) +* **main:** release 0.4.1 
([#45](https://github.com/BagelLab/uds-core/issues/45)) ([d66eafe](https://github.com/BagelLab/uds-core/commit/d66eafea0ec9ccd412f5af3ed5ab12f3f8275a33)) +* **main:** release 0.5.0 ([#49](https://github.com/BagelLab/uds-core/issues/49)) ([f9c4269](https://github.com/BagelLab/uds-core/commit/f9c426998f2bc4fc21c32b3492f25b8608f50282)) +* **main:** release 0.6.0 ([#53](https://github.com/BagelLab/uds-core/issues/53)) ([9b3ad64](https://github.com/BagelLab/uds-core/commit/9b3ad64a6e3870ce364cad77abd367cc8d493042)) +* **main:** release 0.6.1 ([#56](https://github.com/BagelLab/uds-core/issues/56)) ([4a5a42c](https://github.com/BagelLab/uds-core/commit/4a5a42c8fa9ee17656e462cb9df08562d9c85b96)) +* **main:** release 0.6.2 ([#59](https://github.com/BagelLab/uds-core/issues/59)) ([b1c49ac](https://github.com/BagelLab/uds-core/commit/b1c49ac70e8a293936dea8a516c32b7bb7e6fc4c)) +* **main:** release 0.7.0 ([#71](https://github.com/BagelLab/uds-core/issues/71)) ([51dcb54](https://github.com/BagelLab/uds-core/commit/51dcb54d239cb5636b0c4f55fde9fc2b2c3bf076)) +* **main:** release 0.7.1 ([#85](https://github.com/BagelLab/uds-core/issues/85)) ([da4040a](https://github.com/BagelLab/uds-core/commit/da4040aff739746dc2355ec0449ee762c05c56c1)) +* **main:** release 0.7.2 ([#88](https://github.com/BagelLab/uds-core/issues/88)) ([5e421ce](https://github.com/BagelLab/uds-core/commit/5e421ce011e42692c3cb6f1353cfb8a5edb846fb)) +* **main:** release 0.7.3 ([#93](https://github.com/BagelLab/uds-core/issues/93)) ([ddf8fa6](https://github.com/BagelLab/uds-core/commit/ddf8fa617853686b8c043d236c159bcd59c47ac0)) +* **main:** release 0.7.4 ([#100](https://github.com/BagelLab/uds-core/issues/100)) ([9abd78b](https://github.com/BagelLab/uds-core/commit/9abd78b11a90a67344fa93e8dba7fd53d6b58ea2)) +* **main:** release 0.8.0 ([#106](https://github.com/BagelLab/uds-core/issues/106)) ([3ab93c3](https://github.com/BagelLab/uds-core/commit/3ab93c30b132ff9c35c1f238008b15cd265abe92)) +* **main:** release 0.8.1 
([#112](https://github.com/BagelLab/uds-core/issues/112)) ([942ad54](https://github.com/BagelLab/uds-core/commit/942ad549b53e8ce87a33fae985bbe2f82c6fa75c)) +* **main:** release 0.9.0 ([#117](https://github.com/BagelLab/uds-core/issues/117)) ([6b0c56b](https://github.com/BagelLab/uds-core/commit/6b0c56b8a6d60091e532ac36cd69ea6cd5ac1124)) +* **main:** release 0.9.1 ([#119](https://github.com/BagelLab/uds-core/issues/119)) ([984f916](https://github.com/BagelLab/uds-core/commit/984f91602c3b2873110d62a49c5df4ecfaa19f8a)) +* **main:** release 0.9.2 ([#121](https://github.com/BagelLab/uds-core/issues/121)) ([2d9b3c9](https://github.com/BagelLab/uds-core/commit/2d9b3c9fe288347879f2d78c8524b719d3772abd)) +* move api service watch to reconcile ([#362](https://github.com/BagelLab/uds-core/issues/362)) ([1822bca](https://github.com/BagelLab/uds-core/commit/1822bca6c397a5c8ea64b9355a9ba4f51fde4518)) +* open the aperture for pr workflow triggering ([#90](https://github.com/BagelLab/uds-core/issues/90)) ([d8a72f2](https://github.com/BagelLab/uds-core/commit/d8a72f2f2f3e507a4be7f217e23b737e3d4c35ce)) +* readme updates & use UDS CLI for zarf ([#137](https://github.com/BagelLab/uds-core/issues/137)) ([21de0ce](https://github.com/BagelLab/uds-core/commit/21de0cee2d70d67ca17b1d45c642e9ca4e1617ce)) +* refactor ci for releases to remove certain artifacts ([#125](https://github.com/BagelLab/uds-core/issues/125)) ([c08a062](https://github.com/BagelLab/uds-core/commit/c08a062bb3f3ede6860c3d7f34136b3e82b78715)) +* refactor promtail extraScrapeConfigs into scrapeConfigs ([#367](https://github.com/BagelLab/uds-core/issues/367)) ([2220272](https://github.com/BagelLab/uds-core/commit/222027240148e669edf40483d145ffc15567b1b7)) +* refactor validate.yaml file name and task name ([#62](https://github.com/BagelLab/uds-core/issues/62)) ([92a04ea](https://github.com/BagelLab/uds-core/commit/92a04ea1096448995ccc0dd9d77a32a5061e06f0)) +* remove emulated gitlab endpoints from keycloak 
([#483](https://github.com/BagelLab/uds-core/issues/483)) ([495960c](https://github.com/BagelLab/uds-core/commit/495960ce8d40cf2ef7c0f0021b653db6fc6383bb)) +* remove retry-action action on registry1 docker login ([#160](https://github.com/BagelLab/uds-core/issues/160)) ([eea0c93](https://github.com/BagelLab/uds-core/commit/eea0c93a0ff172bfc5a76d3eaca143ffc0d9fbe2)) +* remove version from neuvector zarf.yaml ([#11](https://github.com/BagelLab/uds-core/issues/11)) ([fbc8d51](https://github.com/BagelLab/uds-core/commit/fbc8d51e2b4146d394184d7596cd9a54219dc001)) +* renovate updates ([#140](https://github.com/BagelLab/uds-core/issues/140)) ([b71a013](https://github.com/BagelLab/uds-core/commit/b71a013bea30c9ca5e39f1dc6485fffaa86ca6b1)) +* simplify promtail values for scrape configs ([#94](https://github.com/BagelLab/uds-core/issues/94)) ([6c2513b](https://github.com/BagelLab/uds-core/commit/6c2513be89f064b44516b1d89c0d6005dd1d4d30)) +* support deselection of metrics-server ([#193](https://github.com/BagelLab/uds-core/issues/193)) ([289a0fe](https://github.com/BagelLab/uds-core/commit/289a0fee5315e8c4a70b3afe66165dd00a7dfbc1)) +* support headless keycloak admin user ([#307](https://github.com/BagelLab/uds-core/issues/307)) ([a0e51b6](https://github.com/BagelLab/uds-core/commit/a0e51b649822619b63478b140bb5dbbebeb20ff3)) +* test artifacts before publish ([#198](https://github.com/BagelLab/uds-core/issues/198)) ([9732f32](https://github.com/BagelLab/uds-core/commit/9732f325624244f4d34c127a949c6ce5951ff6ab)) +* test publish ([2cefa29](https://github.com/BagelLab/uds-core/commit/2cefa2938d60cfa40bd5c0f7ff44c2448c4f48a8)) +* trigger eks nightly when related files are updated ([#366](https://github.com/BagelLab/uds-core/issues/366)) ([6d6e4e0](https://github.com/BagelLab/uds-core/commit/6d6e4e0debbca3498cbc21db405eec48b3bcc240)) +* typo fix in README.md ([#280](https://github.com/BagelLab/uds-core/issues/280)) 
([f9727e0](https://github.com/BagelLab/uds-core/commit/f9727e0b638e853bbae131d02019a2efb5286b0a))
+* update codeowners ([#338](https://github.com/BagelLab/uds-core/issues/338)) ([c419574](https://github.com/BagelLab/uds-core/commit/c41957409607c6335ebf6bd4ff30a1a9336a4870))
+* update release please extra-files to be explicit ([#26](https://github.com/BagelLab/uds-core/issues/26)) ([23f4999](https://github.com/BagelLab/uds-core/commit/23f49995771fb05cd18e7a077bf90e86ca5b7471))
+* updating keycloak chart version to align with image ([#378](https://github.com/BagelLab/uds-core/issues/378)) ([a60fe2a](https://github.com/BagelLab/uds-core/commit/a60fe2afed9f7cff3bcad6b0f563232b47e8025b))
+
## [0.23.0](https://github.com/defenseunicorns/uds-core/compare/v0.22.2...v0.23.0) (2024-07-04)
From df87b5527b2055d8c15d6223d734e8cbcec0def6 Mon Sep 17 00:00:00 2001
From: Micah Nagel
Date: Wed, 10 Jul 2024 09:50:22 -0600
Subject: [PATCH 38/61] fix: runners, snapshot
---
.github/workflows/publish.yaml | 25 +++++++++++++++----------
1 file changed, 15 insertions(+), 10 deletions(-)
diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
index f621c502b..c6ac7d096 100644
--- a/.github/workflows/publish.yaml
+++ b/.github/workflows/publish.yaml
@@ -13,7 +13,7 @@ jobs:
strategy:
matrix:
flavor: [upstream, registry1, unicorn]
- runs-on: "uds-ubuntu-big-boy-8-core"
+ runs-on: "ubuntu-latest"
name: Publish packages
permissions:
@@ -76,18 +76,23 @@ jobs:
- name: Determine destination repository
id: repo
run: |
- # Publish snapshots to snapshot repository
- if [ "${{ inputs.snapshot }}" = "true" ]; then
- echo "Publishing snapshot to ghcr.io/bagellab/packages/uds/snapshots"
- echo "repo=ghcr.io/bagellab/packages/uds/snapshots" >> "$GITHUB_OUTPUT"
# Publish unicorn flavor to private repository
- elif [ "${{ matrix.flavor }}" = "unicorn" ]; then
- echo "Publishing unicorn flavor to ghcr.io/bagellab/packages/private/uds"
- echo "repo=ghcr.io/bagellab/packages/private/uds" >> "$GITHUB_OUTPUT"
+ if [ "${{ matrix.flavor }}" = "unicorn" ]; then
+ if [ "${{ inputs.snapshot }}" = "true" ]; then
+ echo "Publishing unicorn flavor snapshot to ghcr.io/defenseunicorns/packages/private/uds/snapshots"
+ echo "repo=ghcr.io/defenseunicorns/packages/private/uds/snapshots" >> "$GITHUB_OUTPUT"
+ else
+ echo "Publishing unicorn flavor to ghcr.io/defenseunicorns/packages/private/uds"
+ echo "repo=ghcr.io/defenseunicorns/packages/private/uds" >> "$GITHUB_OUTPUT"
+ fi
+ # Publish snapshots to snapshot repository
+ elif [ "${{ inputs.snapshot }}" = "true" ]; then
+ echo "Publishing snapshot to ghcr.io/defenseunicorns/packages/uds/snapshots"
+ echo "repo=ghcr.io/defenseunicorns/packages/uds/snapshots" >> "$GITHUB_OUTPUT"
# Publish all other packages/bundles to uds package repository
else
- echo "Publishing packages and bundles to ghcr.io/bagellab/packages/uds"
- echo "repo=ghcr.io/bagellab/packages/uds" >> "$GITHUB_OUTPUT"
+ echo "Publishing packages and bundles to ghcr.io/defenseunicorns/packages/uds"
+ echo "repo=ghcr.io/defenseunicorns/packages/uds" >> "$GITHUB_OUTPUT"
fi
# Publish package and bundle to destination repository
From 09c623ac9fb0fe6c785d15245da8d84787cf3649 Mon Sep 17 00:00:00 2001
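Review bot: The rewritten branch logic in the `run:` script still interpolates `${{ matrix.flavor }}` and `${{ inputs.snapshot }}` directly into shell source. Here both values are constrained — the matrix is the fixed list `[upstream, registry1, unicorn]` and the caller passes `snapshot: true` — so this is not an injection path, but routing them through `env:` and testing `"$FLAVOR"` / `"$SNAPSHOT"` keeps expression expansion out of the script body and is the conventional hardening for `run:` steps. The four destination paths also repeat the `ghcr.io/defenseunicorns/packages` prefix, so a single base variable with per-branch suffixes would make the private/snapshot routing easier to audit. The step's later lines and the rest of the job are outside the hunk.
```yaml
- name: Determine destination repository
  id: repo
  env:
    FLAVOR: ${{ matrix.flavor }}
    SNAPSHOT: ${{ inputs.snapshot }}
  run: |
    # Publish unicorn flavor to private repository
    if [ "$FLAVOR" = "unicorn" ]; then
      if [ "$SNAPSHOT" = "true" ]; then
        # … unchanged: private snapshot echo/output lines …
      else
        # … unchanged: private release echo/output lines …
      fi
    # Publish snapshots to snapshot repository
    elif [ "$SNAPSHOT" = "true" ]; then
      # … unchanged: public snapshot echo/output lines …
    # Publish all other packages/bundles to uds package repository
    else
      # … unchanged: public release echo/output lines …
    fi
```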
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Wed, 10 Jul 2024 15:50:46 +0000
Subject: [PATCH 39/61] chore(main): release 0.23.1
---
.github/bundles/uds-bundle.yaml | 4 ++--
.release-please-manifest.json | 2 +-
CHANGELOG.md | 7 +++++++
README.md | 4 ++--
bundles/k3d-slim-dev/uds-bundle.yaml | 4 ++--
bundles/k3d-standard/uds-bundle.yaml | 4 ++--
packages/slim-dev/zarf.yaml | 2 +-
packages/standard/zarf.yaml | 2 +-
tasks/deploy.yaml | 2 +-
tasks/publish.yaml | 2 +-
10 files changed, 20 insertions(+), 13 deletions(-)
diff --git a/.github/bundles/uds-bundle.yaml b/.github/bundles/uds-bundle.yaml
index e1ed93fe6..c436c367d 100644
--- a/.github/bundles/uds-bundle.yaml
+++ b/.github/bundles/uds-bundle.yaml
@@ -3,7 +3,7 @@ metadata:
name: uds-core-eks-nightly
description: A UDS bundle for deploying EKS and UDS Core
# x-release-please-start-version
- version: "0.23.0"
+ version: "0.23.1"
# x-release-please-end
packages:
@@ -14,7 +14,7 @@ packages:
- name: core
path: ../../build/
# x-release-please-start-version
- ref: 0.23.0
+ ref: 0.23.1
# x-release-please-end
overrides:
velero:
diff --git a/.release-please-manifest.json b/.release-please-manifest.json
index 819990afc..e2da89a1e 100644
--- a/.release-please-manifest.json
+++ b/.release-please-manifest.json
@@ -1,3 +1,3 @@
{
- ".": "0.23.0"
+ ".": "0.23.1"
}
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 776e5e5a0..82b3400d6 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,13 @@ All notable changes to this project will be documented in this file.
+## [0.23.1](https://github.com/BagelLab/uds-core/compare/v0.23.0...v0.23.1) (2024-07-10)
+
+
+### Bug Fixes
+
+* runners, snapshot ([df87b55](https://github.com/BagelLab/uds-core/commit/df87b5527b2055d8c15d6223d734e8cbcec0def6))
+
## [0.23.0](https://github.com/BagelLab/uds-core/compare/v0.23.0...v0.23.0) (2024-07-10)
diff --git a/README.md b/README.md
index 9ee771e27..02bc0973f 100644
--- a/README.md
+++ b/README.md
@@ -55,7 +55,7 @@ If you want to try out UDS Core, you can use the [k3d-core-demo bundle](./bundle
```bash
-uds deploy k3d-core-demo:0.23.0
+uds deploy k3d-core-demo:0.23.1
```
@@ -69,7 +69,7 @@ Deploy Istio, Keycloak and Pepr:
```bash
-uds deploy k3d-core-slim-dev:0.23.0
+uds deploy k3d-core-slim-dev:0.23.1
```
diff --git a/bundles/k3d-slim-dev/uds-bundle.yaml b/bundles/k3d-slim-dev/uds-bundle.yaml
index c89b07002..a1039c523 100644
--- a/bundles/k3d-slim-dev/uds-bundle.yaml
+++ b/bundles/k3d-slim-dev/uds-bundle.yaml
@@ -3,7 +3,7 @@ metadata:
name: k3d-core-slim-dev
description: A UDS bundle for deploying Istio from UDS Core on a development cluster
# x-release-please-start-version
- version: "0.23.0"
+ version: "0.23.1"
# x-release-please-end
packages:
@@ -34,7 +34,7 @@ packages:
- name: core-slim-dev
path: ../../build/
# x-release-please-start-version
- ref: 0.23.0
+ ref: 0.23.1
# x-release-please-end
overrides:
istio-admin-gateway:
diff --git a/bundles/k3d-standard/uds-bundle.yaml b/bundles/k3d-standard/uds-bundle.yaml
index acbe5c65a..462bdc417 100644
--- a/bundles/k3d-standard/uds-bundle.yaml
+++ b/bundles/k3d-standard/uds-bundle.yaml
@@ -3,7 +3,7 @@ metadata:
name: k3d-core-demo
description: A UDS bundle for deploying the standard UDS Core package on a development cluster
# x-release-please-start-version
- version: "0.23.0"
+ version: "0.23.1"
# x-release-please-end
packages:
@@ -34,7 +34,7 @@ packages:
- name: core
path: ../../build/
# x-release-please-start-version
- ref: 0.23.0
+ ref: 0.23.1
# x-release-please-end
overrides:
loki:
diff --git a/packages/slim-dev/zarf.yaml b/packages/slim-dev/zarf.yaml
index 1d80c8e09..110f5fefc 100644
--- a/packages/slim-dev/zarf.yaml
+++ b/packages/slim-dev/zarf.yaml
@@ -4,7 +4,7 @@ metadata:
description: "UDS Core (Istio, UDS Operator and Keycloak)"
authors: "Defense Unicorns - Product"
# x-release-please-start-version
- version: "0.23.0"
+ version: "0.23.1"
# x-release-please-end
components:
diff --git a/packages/standard/zarf.yaml b/packages/standard/zarf.yaml
index 60e4d3ae7..cf98b9eb2 100644
--- a/packages/standard/zarf.yaml
+++ b/packages/standard/zarf.yaml
@@ -4,7 +4,7 @@ metadata:
description: "UDS Core"
authors: "Defense Unicorns - Product"
# x-release-please-start-version
- version: "0.23.0"
+ version: "0.23.1"
# x-release-please-end
components:
diff --git a/tasks/deploy.yaml b/tasks/deploy.yaml
index a53b0e527..cc5731cb8 100644
--- a/tasks/deploy.yaml
+++ b/tasks/deploy.yaml
@@ -2,7 +2,7 @@ variables:
- name: VERSION
description: "The version of the packages to deploy"
# x-release-please-start-version
- default: "0.23.0"
+ default: "0.23.1"
# x-release-please-end
- name: FLAVOR
default: upstream
diff --git a/tasks/publish.yaml b/tasks/publish.yaml
index 26798fc14..e9744ebca 100644
--- a/tasks/publish.yaml
+++ b/tasks/publish.yaml
@@ -8,7 +8,7 @@ variables:
- name: VERSION
description: "The version of the packages to build"
# x-release-please-start-version
- default: "0.23.0"
+ default: "0.23.1"
# x-release-please-end
tasks:
From 5a78de7ec926a3ebe82771a5713ac2ff4841271f Mon Sep 17 00:00:00 2001
From: Micah Nagel
Date: Wed, 10 Jul 2024 09:52:05 -0600
Subject: [PATCH 40/61] fix: id-token
---
.github/workflows/snapshot-release.yaml | 1 +
1 file changed, 1 insertion(+)
diff --git a/.github/workflows/snapshot-release.yaml b/.github/workflows/snapshot-release.yaml
index 859fd816a..5ea5da234 100644
--- a/.github/workflows/snapshot-release.yaml
+++ b/.github/workflows/snapshot-release.yaml
@@ -10,6 +10,7 @@ jobs:
permissions:
contents: write
packages: write
+ id-token: write
uses: ./.github/workflows/publish.yaml
with:
snapshot: true
From bdc86777d6f06bbb09602185338d6d1c1fe269b9 Mon Sep 17 00:00:00 2001
From: Micah Nagel
Date: Wed, 10 Jul 2024 09:53:29 -0600
Subject: [PATCH 41/61] fix: comment out debug
---
.github/workflows/publish.yaml | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
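Review bot: The added `id-token: write` on the snapshot-release job has no comment saying which step of the called `publish.yaml` consumes the OIDC token, so a later least-privilege pass cannot tell whether it is still needed. A one-line note above it, such as `# needed by publish.yaml to request an OIDC token — name the consuming step`, would record the intent; the consumer is presumably a signing or cloud-federation step, but that is not visible here. Because this permission lets the job mint identity tokens that external federated services trust, it deserves an explicit justification next to the grant.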
diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
index c6ac7d096..62c22398a 100644
--- a/.github/workflows/publish.yaml
+++ b/.github/workflows/publish.yaml
@@ -68,9 +68,9 @@ jobs:
# uds run deploy-standard-bundle --no-progress
# uds run -f tasks/test.yaml validate-packages --no-progress
- - name: Debug Output
- if: ${{ always() && !inputs.snapshot }}
- uses: ./.github/actions/debug-output
+ # - name: Debug Output
+ # if: ${{ always() && !inputs.snapshot }}
+ # uses: ./.github/actions/debug-output
# Determine repository to publish to
- name: Determine destination repository
From 6df0592f5f336c50c6c7c7cec1f276f7c11f7cdb Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Wed, 10 Jul 2024 15:53:49 +0000
Subject: [PATCH 42/61] chore(main): release 0.23.2
---
.github/bundles/uds-bundle.yaml | 4 ++--
.release-please-manifest.json | 2 +-
CHANGELOG.md | 8 ++++++++
README.md | 4 ++--
bundles/k3d-slim-dev/uds-bundle.yaml | 4 ++--
bundles/k3d-standard/uds-bundle.yaml | 4 ++--
packages/slim-dev/zarf.yaml | 2 +-
packages/standard/zarf.yaml | 2 +-
tasks/deploy.yaml | 2 +-
tasks/publish.yaml | 2 +-
10 files changed, 21 insertions(+), 13 deletions(-)
diff --git a/.github/bundles/uds-bundle.yaml b/.github/bundles/uds-bundle.yaml
index c436c367d..7b822eb21 100644
--- a/.github/bundles/uds-bundle.yaml
+++ b/.github/bundles/uds-bundle.yaml
@@ -3,7 +3,7 @@ metadata:
name: uds-core-eks-nightly
description: A UDS bundle for deploying EKS and UDS Core
# x-release-please-start-version
- version: "0.23.1"
+ version: "0.23.2"
# x-release-please-end
packages:
@@ -14,7 +14,7 @@ packages:
- name: core
path: ../../build/
# x-release-please-start-version
- ref: 0.23.1
+ ref: 0.23.2
# x-release-please-end
overrides:
velero:
diff --git a/.release-please-manifest.json b/.release-please-manifest.json
index e2da89a1e..8d4471071 100644
--- a/.release-please-manifest.json
+++ b/.release-please-manifest.json
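Review bot: The Debug Output step is commented out rather than deleted, leaving three dead lines in the job that will silently drift from the real action over time. Git history already preserves the step, so removing the block is cleaner; if it is meant to return, a one-line comment stating why it is off and when to restore it (for example `# Debug Output step disabled: <reason> — re-enable when <condition>`) would carry more information than the bare commented YAML. The surrounding steps of the job are outside the hunk.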
@@ -1,3 +1,3 @@ { - ".": "0.23.1" + ".": "0.23.2" } diff --git a/CHANGELOG.md b/CHANGELOG.md index 82b3400d6..3b3a76f2c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,14 @@ All notable changes to this project will be documented in this file. +## [0.23.2](https://github.com/BagelLab/uds-core/compare/v0.23.1...v0.23.2) (2024-07-10) + + +### Bug Fixes + +* comment out debug ([bdc8677](https://github.com/BagelLab/uds-core/commit/bdc86777d6f06bbb09602185338d6d1c1fe269b9)) +* id-token ([5a78de7](https://github.com/BagelLab/uds-core/commit/5a78de7ec926a3ebe82771a5713ac2ff4841271f)) + ## [0.23.1](https://github.com/BagelLab/uds-core/compare/v0.23.0...v0.23.1) (2024-07-10) diff --git a/README.md b/README.md index 02bc0973f..d4f85f74d 100644 --- a/README.md +++ b/README.md @@ -55,7 +55,7 @@ If you want to try out UDS Core, you can use the [k3d-core-demo bundle](./bundle ```bash -uds deploy k3d-core-demo:0.23.1 +uds deploy k3d-core-demo:0.23.2 ``` @@ -69,7 +69,7 @@ Deploy Istio, Keycloak and Pepr: ```bash -uds deploy k3d-core-slim-dev:0.23.1 +uds deploy k3d-core-slim-dev:0.23.2 ``` diff --git a/bundles/k3d-slim-dev/uds-bundle.yaml b/bundles/k3d-slim-dev/uds-bundle.yaml index a1039c523..db9c506a2 100644 --- a/bundles/k3d-slim-dev/uds-bundle.yaml +++ b/bundles/k3d-slim-dev/uds-bundle.yaml @@ -3,7 +3,7 @@ metadata: name: k3d-core-slim-dev description: A UDS bundle for deploying Istio from UDS Core on a development cluster # x-release-please-start-version - version: "0.23.1" + version: "0.23.2" # x-release-please-end packages: @@ -34,7 +34,7 @@ packages: - name: core-slim-dev path: ../../build/ # x-release-please-start-version - ref: 0.23.1 + ref: 0.23.2 # x-release-please-end overrides: istio-admin-gateway: diff --git a/bundles/k3d-standard/uds-bundle.yaml b/bundles/k3d-standard/uds-bundle.yaml index 462bdc417..296b34020 100644 --- a/bundles/k3d-standard/uds-bundle.yaml +++ b/bundles/k3d-standard/uds-bundle.yaml 
@@ -3,7 +3,7 @@ metadata: name: k3d-core-demo description: A UDS bundle for deploying the standard UDS Core package on a development cluster # x-release-please-start-version - version: "0.23.1" + version: "0.23.2" # x-release-please-end packages: @@ -34,7 +34,7 @@ packages: - name: core path: ../../build/ # x-release-please-start-version - ref: 0.23.1 + ref: 0.23.2 # x-release-please-end overrides: loki: diff --git a/packages/slim-dev/zarf.yaml b/packages/slim-dev/zarf.yaml index 110f5fefc..5ce7d8ffb 100644 --- a/packages/slim-dev/zarf.yaml +++ b/packages/slim-dev/zarf.yaml @@ -4,7 +4,7 @@ metadata: description: "UDS Core (Istio, UDS Operator and Keycloak)" authors: "Defense Unicorns - Product" # x-release-please-start-version - version: "0.23.1" + version: "0.23.2" # x-release-please-end components: diff --git a/packages/standard/zarf.yaml b/packages/standard/zarf.yaml index cf98b9eb2..dfb9e138b 100644 --- a/packages/standard/zarf.yaml +++ b/packages/standard/zarf.yaml @@ -4,7 +4,7 @@ metadata: description: "UDS Core" authors: "Defense Unicorns - Product" # x-release-please-start-version - version: "0.23.1" + version: "0.23.2" # x-release-please-end components: diff --git a/tasks/deploy.yaml b/tasks/deploy.yaml index cc5731cb8..61e3fd92b 100644 --- a/tasks/deploy.yaml +++ b/tasks/deploy.yaml @@ -2,7 +2,7 @@ variables: - name: VERSION description: "The version of the packages to deploy" # x-release-please-start-version - default: "0.23.1" + default: "0.23.2" # x-release-please-end - name: FLAVOR default: upstream diff --git a/tasks/publish.yaml b/tasks/publish.yaml index e9744ebca..6756e6617 100644 --- a/tasks/publish.yaml +++ b/tasks/publish.yaml @@ -8,7 +8,7 @@ variables: - name: VERSION description: "The version of the packages to build" # x-release-please-start-version - default: "0.23.1" + default: "0.23.2" # x-release-please-end tasks: From 5870a773b91e96a2f8bf616be2abedbe60263f86 Mon Sep 17 00:00:00 2001 
From: Micah Nagel Date: Wed, 10 Jul 2024 09:56:27 -0600 Subject: [PATCH 43/61] fix: workflow silliness --- .github/workflows/publish.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml index 62c22398a..d79b7aa2c 100644 --- a/.github/workflows/publish.yaml +++ b/.github/workflows/publish.yaml @@ -97,11 +97,11 @@ jobs: # Publish package and bundle to destination repository - name: Publish Standard Package - run: uds run -f tasks/publish.yaml standard-package --set FLAVOR=${{ matrix.flavor }} --set TARGET_REPO=${{ steps.repo.outputs.repo }} --no-progress + run: echo "uds run -f tasks/publish.yaml standard-package --set FLAVOR=${{ matrix.flavor }} --set TARGET_REPO=${{ steps.repo.outputs.repo }} --no-progress" - name: Publish Upstream Flavored Bundles if: ${{ matrix.flavor == 'upstream' }} - run: uds run -f tasks/publish.yaml bundles --set TARGET_REPO=${{ steps.repo.outputs.repo }} --no-progress + run: echo "uds run -f tasks/publish.yaml bundles --set TARGET_REPO=${{ steps.repo.outputs.repo }} --no-progress" - name: Save logs if: always() From 55cb491c28ebf5ee7c40f2add5c588c47e9864b0 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Wed, 10 Jul 2024 15:56:50 +0000 Subject: [PATCH 44/61] chore(main): release 0.23.3 --- .github/bundles/uds-bundle.yaml | 4 ++-- .release-please-manifest.json | 2 +- CHANGELOG.md | 7 +++++++ README.md | 4 ++-- bundles/k3d-slim-dev/uds-bundle.yaml | 4 ++-- bundles/k3d-standard/uds-bundle.yaml | 4 ++-- packages/slim-dev/zarf.yaml | 2 +- packages/standard/zarf.yaml | 2 +- tasks/deploy.yaml | 2 +- tasks/publish.yaml | 2 +- 10 files changed, 20 insertions(+), 13 deletions(-) diff --git a/.github/bundles/uds-bundle.yaml b/.github/bundles/uds-bundle.yaml index 7b822eb21..788a54c27 100644 --- a/.github/bundles/uds-bundle.yaml +++ b/.github/bundles/uds-bundle.yaml 
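Review bot: Both publish steps now run `echo "uds run …"` instead of `uds run …`, so the workflow stops publishing anything while every step still reports success, and a tag cut against this revision would have no artifacts behind it (the 0.23.3 release commit follows immediately on this page, which suggests that is what happened). If the intent is a temporary dry run, mark it so it cannot be forgotten, e.g. `# TEMPORARY: publish disabled for CI testing; restore the uds run commands before the next release` above the first step, or better gate the real command on an explicit workflow input instead of rewriting it. The `Save logs` step and the rest of the job continue past the hunk.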
@@ -3,7 +3,7 @@ metadata: name: uds-core-eks-nightly description: A UDS bundle for deploying EKS and UDS Core # x-release-please-start-version - version: "0.23.2" + version: "0.23.3" # x-release-please-end packages: @@ -14,7 +14,7 @@ packages: - name: core path: ../../build/ # x-release-please-start-version - ref: 0.23.2 + ref: 0.23.3 # x-release-please-end overrides: velero: diff --git a/.release-please-manifest.json b/.release-please-manifest.json index 8d4471071..ddd8980b5 100644 --- a/.release-please-manifest.json +++ b/.release-please-manifest.json @@ -1,3 +1,3 @@ { - ".": "0.23.2" + ".": "0.23.3" } diff --git a/CHANGELOG.md b/CHANGELOG.md index 3b3a76f2c..5d6b2786c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,13 @@ All notable changes to this project will be documented in this file. +## [0.23.3](https://github.com/BagelLab/uds-core/compare/v0.23.2...v0.23.3) (2024-07-10) + + +### Bug Fixes + +* workflow silliness ([5870a77](https://github.com/BagelLab/uds-core/commit/5870a773b91e96a2f8bf616be2abedbe60263f86)) + ## [0.23.2](https://github.com/BagelLab/uds-core/compare/v0.23.1...v0.23.2) (2024-07-10) diff --git a/README.md b/README.md index d4f85f74d..dbb18481c 100644 --- a/README.md +++ b/README.md @@ -55,7 +55,7 @@ If you want to try out UDS Core, you can use the [k3d-core-demo bundle](./bundle ```bash -uds deploy k3d-core-demo:0.23.2 +uds deploy k3d-core-demo:0.23.3 ``` @@ -69,7 +69,7 @@ Deploy Istio, Keycloak and Pepr: ```bash -uds deploy k3d-core-slim-dev:0.23.2 +uds deploy k3d-core-slim-dev:0.23.3 ``` diff --git a/bundles/k3d-slim-dev/uds-bundle.yaml b/bundles/k3d-slim-dev/uds-bundle.yaml index db9c506a2..d219f853f 100644 --- a/bundles/k3d-slim-dev/uds-bundle.yaml +++ b/bundles/k3d-slim-dev/uds-bundle.yaml @@ -3,7 +3,7 @@ metadata: name: k3d-core-slim-dev description: A UDS bundle for deploying Istio from UDS Core on a development cluster # x-release-please-start-version - version: "0.23.2" + version: "0.23.3" # x-release-please-end packages: 
@@ -34,7 +34,7 @@ packages: - name: core-slim-dev path: ../../build/ # x-release-please-start-version - ref: 0.23.2 + ref: 0.23.3 # x-release-please-end overrides: istio-admin-gateway: diff --git a/bundles/k3d-standard/uds-bundle.yaml b/bundles/k3d-standard/uds-bundle.yaml index 296b34020..ef6c23902 100644 --- a/bundles/k3d-standard/uds-bundle.yaml +++ b/bundles/k3d-standard/uds-bundle.yaml @@ -3,7 +3,7 @@ metadata: name: k3d-core-demo description: A UDS bundle for deploying the standard UDS Core package on a development cluster # x-release-please-start-version - version: "0.23.2" + version: "0.23.3" # x-release-please-end packages: @@ -34,7 +34,7 @@ packages: - name: core path: ../../build/ # x-release-please-start-version - ref: 0.23.2 + ref: 0.23.3 # x-release-please-end overrides: loki: diff --git a/packages/slim-dev/zarf.yaml b/packages/slim-dev/zarf.yaml index 5ce7d8ffb..630bdc3b1 100644 --- a/packages/slim-dev/zarf.yaml +++ b/packages/slim-dev/zarf.yaml @@ -4,7 +4,7 @@ metadata: description: "UDS Core (Istio, UDS Operator and Keycloak)" authors: "Defense Unicorns - Product" # x-release-please-start-version - version: "0.23.2" + version: "0.23.3" # x-release-please-end components: diff --git a/packages/standard/zarf.yaml b/packages/standard/zarf.yaml index dfb9e138b..182f6f24b 100644 --- a/packages/standard/zarf.yaml +++ b/packages/standard/zarf.yaml @@ -4,7 +4,7 @@ metadata: description: "UDS Core" authors: "Defense Unicorns - Product" # x-release-please-start-version - version: "0.23.2" + version: "0.23.3" # x-release-please-end components: diff --git a/tasks/deploy.yaml b/tasks/deploy.yaml index 61e3fd92b..059866d6d 100644 --- a/tasks/deploy.yaml +++ b/tasks/deploy.yaml @@ -2,7 +2,7 @@ variables: - name: VERSION description: "The version of the packages to deploy" # x-release-please-start-version - default: "0.23.2" + default: "0.23.3" # x-release-please-end - name: FLAVOR default: upstream 
diff --git a/tasks/publish.yaml b/tasks/publish.yaml index 6756e6617..de061feaa 100644 --- a/tasks/publish.yaml +++ b/tasks/publish.yaml @@ -8,7 +8,7 @@ variables: - name: VERSION description: "The version of the packages to build" # x-release-please-start-version - default: "0.23.2" + default: "0.23.3" # x-release-please-end tasks: From 84805e01d2704aa3639943f66a4d58b9aea4f690 Mon Sep 17 00:00:00 2001 From: Micah Nagel Date: Fri, 12 Jul 2024 09:11:26 -0600 Subject: [PATCH 45/61] fix: simplify publish repo output --- .github/workflows/publish.yaml | 23 +++++++++-------------- 1 file changed, 9 insertions(+), 14 deletions(-) diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml index d79b7aa2c..2705b7e3e 100644 --- a/.github/workflows/publish.yaml +++ b/.github/workflows/publish.yaml 
@@ -76,25 +76,20 @@ jobs: - name: Determine destination repository id: repo run: | + repo=ghcr.io/defenseunicorns/packages # Publish unicorn flavor to private repository if [ "${{ matrix.flavor }}" = "unicorn" ]; then - if [ "${{ inputs.snapshot }}" = "true" ]; then - echo "Publishing unicorn flavor snapshot to ghcr.io/defenseunicorns/packages/private/uds/snapshots" - echo "repo=ghcr.io/defenseunicorns/packages/private/uds/snapshots" >> "$GITHUB_OUTPUT" - else - echo "Publishing unicorn flavor to ghcr.io/defenseunicorns/packages/private/uds" - echo "repo=ghcr.io/defenseunicorns/packages/private/uds" >> "$GITHUB_OUTPUT" - fi + repo+=/private + fi + repo+=/uds # Publish snapshots to snapshot repository - elif [ "${{ inputs.snapshot }}" = "true" ]; then - echo "Publishing snapshot to ghcr.io/defenseunicorns/packages/uds/snapshots" - echo "repo=ghcr.io/defenseunicorns/packages/uds/snapshots" >> "$GITHUB_OUTPUT" - # Publish all other packages/bundles to uds package repository - else - echo "Publishing packages and bundles to ghcr.io/defenseunicorns/packages/uds" - echo "repo=ghcr.io/defenseunicorns/packages/uds" >> "$GITHUB_OUTPUT" + if [ "${{ inputs.snapshot }}" = "true" ]; then + repo+=/snapshots fi + echo "repo=${repo}" >> "$GITHUB_OUTPUT" + echo "Publishing packages and bundles to ${repo}" + # Publish package and bundle to destination repository - name: Publish Standard Package run: echo "uds run -f tasks/publish.yaml standard-package --set FLAVOR=${{ matrix.flavor }} --set TARGET_REPO=${{ steps.repo.outputs.repo }} --no-progress" From e0e6ebc684e2004f9e2a3ca128d7401dc41bcc33 Mon Sep 17 00:00:00 2001 
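Review bot: The rewritten script still expands `${{ matrix.flavor }}` and `${{ inputs.snapshot }}` directly into the shell body on the two `if` lines. Today both values are fixed by the matrix and the caller's typed input, so there is no injection path, but the maintained idiom is to hand them to the step through `env:` and read plain shell variables, which keeps the script safe if a later change feeds these from a PR title or branch name. `repo+=` is bash-only; an explicit `shell: bash` makes that dependency visible instead of relying on the runner default.
```yaml
      - name: Determine destination repository
        id: repo
        shell: bash
        env:
          FLAVOR: ${{ matrix.flavor }}
          SNAPSHOT: ${{ inputs.snapshot }}
        run: |
          repo=ghcr.io/defenseunicorns/packages
          if [ "$FLAVOR" = "unicorn" ]; then
            repo+=/private
          fi
          repo+=/uds
          if [ "$SNAPSHOT" = "true" ]; then
            repo+=/snapshots
          fi
          # … unchanged: GITHUB_OUTPUT write and log echo …
```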
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Fri, 12 Jul 2024 15:11:51 +0000 Subject: [PATCH 46/61] chore(main): release 0.23.4 --- .github/bundles/uds-bundle.yaml | 4 ++-- .release-please-manifest.json | 2 +- CHANGELOG.md | 7 +++++++ README.md | 4 ++-- bundles/k3d-slim-dev/uds-bundle.yaml | 4 ++-- bundles/k3d-standard/uds-bundle.yaml | 4 ++-- packages/slim-dev/zarf.yaml | 2 +- packages/standard/zarf.yaml | 2 +- tasks/deploy.yaml | 2 +- tasks/publish.yaml | 2 +- 10 files changed, 20 insertions(+), 13 deletions(-) diff --git a/.github/bundles/uds-bundle.yaml b/.github/bundles/uds-bundle.yaml index 788a54c27..1def6e9b2 100644 --- a/.github/bundles/uds-bundle.yaml +++ b/.github/bundles/uds-bundle.yaml @@ -3,7 +3,7 @@ metadata: name: uds-core-eks-nightly description: A UDS bundle for deploying EKS and UDS Core # x-release-please-start-version - version: "0.23.3" + version: "0.23.4" # x-release-please-end packages: @@ -14,7 +14,7 @@ packages: - name: core path: ../../build/ # x-release-please-start-version - ref: 0.23.3 + ref: 0.23.4 # x-release-please-end overrides: velero: diff --git a/.release-please-manifest.json b/.release-please-manifest.json index ddd8980b5..48f55b9c8 100644 --- a/.release-please-manifest.json +++ b/.release-please-manifest.json @@ -1,3 +1,3 @@ { - ".": "0.23.3" + ".": "0.23.4" } diff --git a/CHANGELOG.md b/CHANGELOG.md index 5d6b2786c..e4e5c264d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,13 @@ All notable changes to this project will be documented in this file. +## [0.23.4](https://github.com/BagelLab/uds-core/compare/v0.23.3...v0.23.4) (2024-07-12) + + +### Bug Fixes + +* simplify publish repo output ([84805e0](https://github.com/BagelLab/uds-core/commit/84805e01d2704aa3639943f66a4d58b9aea4f690)) + ## [0.23.3](https://github.com/BagelLab/uds-core/compare/v0.23.2...v0.23.3) (2024-07-10) diff --git a/README.md b/README.md index dbb18481c..ae1d17358 100644 --- a/README.md +++ b/README.md 
@@ -55,7 +55,7 @@ If you want to try out UDS Core, you can use the [k3d-core-demo bundle](./bundle ```bash -uds deploy k3d-core-demo:0.23.3 +uds deploy k3d-core-demo:0.23.4 ``` @@ -69,7 +69,7 @@ Deploy Istio, Keycloak and Pepr: ```bash -uds deploy k3d-core-slim-dev:0.23.3 +uds deploy k3d-core-slim-dev:0.23.4 ``` diff --git a/bundles/k3d-slim-dev/uds-bundle.yaml b/bundles/k3d-slim-dev/uds-bundle.yaml index d219f853f..44bcba1a3 100644 --- a/bundles/k3d-slim-dev/uds-bundle.yaml +++ b/bundles/k3d-slim-dev/uds-bundle.yaml @@ -3,7 +3,7 @@ metadata: name: k3d-core-slim-dev description: A UDS bundle for deploying Istio from UDS Core on a development cluster # x-release-please-start-version - version: "0.23.3" + version: "0.23.4" # x-release-please-end packages: @@ -34,7 +34,7 @@ packages: - name: core-slim-dev path: ../../build/ # x-release-please-start-version - ref: 0.23.3 + ref: 0.23.4 # x-release-please-end overrides: istio-admin-gateway: diff --git a/bundles/k3d-standard/uds-bundle.yaml b/bundles/k3d-standard/uds-bundle.yaml index ef6c23902..267b96bdc 100644 --- a/bundles/k3d-standard/uds-bundle.yaml +++ b/bundles/k3d-standard/uds-bundle.yaml @@ -3,7 +3,7 @@ metadata: name: k3d-core-demo description: A UDS bundle for deploying the standard UDS Core package on a development cluster # x-release-please-start-version - version: "0.23.3" + version: "0.23.4" # x-release-please-end packages: @@ -34,7 +34,7 @@ packages: - name: core path: ../../build/ # x-release-please-start-version - ref: 0.23.3 + ref: 0.23.4 # x-release-please-end overrides: loki: diff --git a/packages/slim-dev/zarf.yaml b/packages/slim-dev/zarf.yaml index 630bdc3b1..4bcc32b61 100644 --- a/packages/slim-dev/zarf.yaml +++ b/packages/slim-dev/zarf.yaml @@ -4,7 +4,7 @@ metadata: description: "UDS Core (Istio, UDS Operator and Keycloak)" authors: "Defense Unicorns - Product" # x-release-please-start-version - version: "0.23.3" + version: "0.23.4" # x-release-please-end components: 
diff --git a/packages/standard/zarf.yaml b/packages/standard/zarf.yaml index 182f6f24b..9fbccad67 100644 --- a/packages/standard/zarf.yaml +++ b/packages/standard/zarf.yaml @@ -4,7 +4,7 @@ metadata: description: "UDS Core" authors: "Defense Unicorns - Product" # x-release-please-start-version - version: "0.23.3" + version: "0.23.4" # x-release-please-end components: diff --git a/tasks/deploy.yaml b/tasks/deploy.yaml index 059866d6d..df27a8d7a 100644 --- a/tasks/deploy.yaml +++ b/tasks/deploy.yaml @@ -2,7 +2,7 @@ variables: - name: VERSION description: "The version of the packages to deploy" # x-release-please-start-version - default: "0.23.3" + default: "0.23.4" # x-release-please-end - name: FLAVOR default: upstream diff --git a/tasks/publish.yaml b/tasks/publish.yaml index de061feaa..90af8a533 100644 --- a/tasks/publish.yaml +++ b/tasks/publish.yaml @@ -8,7 +8,7 @@ variables: - name: VERSION description: "The version of the packages to build" # x-release-please-start-version - default: "0.23.3" + default: "0.23.4" # x-release-please-end tasks: From 0e556aefdf19013aeb23bc72d15ff8971da6f6be Mon Sep 17 00:00:00 2001 From: Micah Nagel Date: Mon, 15 Jul 2024 08:53:31 -0600 Subject: [PATCH 47/61] fix(ci): test snapshot fix --- .github/workflows/publish.yaml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml index 2705b7e3e..03be9015e 100644 --- a/.github/workflows/publish.yaml +++ b/.github/workflows/publish.yaml @@ -38,6 +38,7 @@ jobs: SHORT_SHA=$(git rev-parse --short HEAD) RELEASE_DATE=$(date +'%Y-%m-%d') echo "SNAPSHOT_VERSION=${RELEASE_DATE}-${SHORT_SHA}" >> $GITHUB_ENV + echo "PUBLISH_ARGS=--set VERSION ${SNAPSHOT_VERSION}" >> $GITHUB_ENV - name: (Snapshot) Set versions to snapshot if: ${{ inputs.snapshot }} 
@@ -92,11 +93,11 @@ jobs: # Publish package and bundle to destination repository - name: Publish Standard Package - run: echo "uds run -f tasks/publish.yaml standard-package --set FLAVOR=${{ matrix.flavor }} --set TARGET_REPO=${{ steps.repo.outputs.repo }} --no-progress" + run: uds run -f tasks/publish.yaml standard-package --set FLAVOR=${{ matrix.flavor }} --set TARGET_REPO=${{ steps.repo.outputs.repo }} ${PUBLISH_ARGS} --no-progress - name: Publish Upstream Flavored Bundles if: ${{ matrix.flavor == 'upstream' }} - run: echo "uds run -f tasks/publish.yaml bundles --set TARGET_REPO=${{ steps.repo.outputs.repo }} --no-progress" + run: uds run -f tasks/publish.yaml bundles --set TARGET_REPO=${{ steps.repo.outputs.repo }} ${PUBLISH_ARGS} --no-progress - name: Save logs if: always() From 3dc039d1ee9d84a7cda7d474652296fef74555ff Mon Sep 17 00:00:00 2001 From: Micah Nagel Date: Mon, 15 Jul 2024 08:57:20 -0600 Subject: [PATCH 48/61] fix: test --- .github/workflows/publish.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml index 03be9015e..ccc1146af 100644 --- a/.github/workflows/publish.yaml +++ b/.github/workflows/publish.yaml @@ -13,6 +13,7 @@ jobs: strategy: matrix: flavor: [upstream, registry1, unicorn] + fail-fast: false runs-on: "ubuntu-latest" name: Publish packages @@ -38,7 +39,7 @@ jobs: SHORT_SHA=$(git rev-parse --short HEAD) RELEASE_DATE=$(date +'%Y-%m-%d') echo "SNAPSHOT_VERSION=${RELEASE_DATE}-${SHORT_SHA}" >> $GITHUB_ENV - echo "PUBLISH_ARGS=--set VERSION ${SNAPSHOT_VERSION}" >> $GITHUB_ENV + echo "PUBLISH_ARGS=--set VERSION ${RELEASE_DATE}-${SHORT_SHA}" >> $GITHUB_ENV - name: (Snapshot) Set versions to snapshot if: ${{ inputs.snapshot }} From 5053badca76b7c008ef393f70da7687f423f68d8 Mon Sep 17 00:00:00 2001 
From: Micah Nagel Date: Mon, 15 Jul 2024 09:05:40 -0600 Subject: [PATCH 49/61] fix: version --- .github/workflows/publish.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml index ccc1146af..f79676b22 100644 --- a/.github/workflows/publish.yaml +++ b/.github/workflows/publish.yaml @@ -39,7 +39,7 @@ jobs: SHORT_SHA=$(git rev-parse --short HEAD) RELEASE_DATE=$(date +'%Y-%m-%d') echo "SNAPSHOT_VERSION=${RELEASE_DATE}-${SHORT_SHA}" >> $GITHUB_ENV - echo "PUBLISH_ARGS=--set VERSION ${RELEASE_DATE}-${SHORT_SHA}" >> $GITHUB_ENV + echo "PUBLISH_ARGS=--set VERSION=${RELEASE_DATE}-${SHORT_SHA}" >> $GITHUB_ENV - name: (Snapshot) Set versions to snapshot if: ${{ inputs.snapshot }} From 5584e77b3501a963a55797dd50fe5930601703da Mon Sep 17 00:00:00 2001 
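Review bot: After this fix the snapshot string `${RELEASE_DATE}-${SHORT_SHA}` is assembled twice, once for `SNAPSHOT_VERSION` and once for `PUBLISH_ARGS`, presumably because a value written to `$GITHUB_ENV` is only visible to later steps and not to the step that wrote it (which is what patch 48 appears to have run into with `${SNAPSHOT_VERSION}`). Building it once in a shell local keeps the two in step and lets `$GITHUB_ENV` be quoted: `snapshot_version="${RELEASE_DATE}-${SHORT_SHA}"`, `echo "SNAPSHOT_VERSION=${snapshot_version}" >> "$GITHUB_ENV"`, `echo "PUBLISH_ARGS=--set VERSION=${snapshot_version}" >> "$GITHUB_ENV"`. The step's `name:`/`run:` header is above the hunk.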
From: Micah Nagel Date: Wed, 17 Jul 2024 15:23:50 -0600 Subject: [PATCH 50/61] ci: test publish changes --- .github/bundles/uds-bundle.yaml | 4 +- .github/workflows/publish.yaml | 25 +- .../workflows/pull-request-conditionals.yaml | 8 +- .release-please-manifest.json | 2 +- CHANGELOG.md | 339 +----- README.md | 4 +- bundles/k3d-slim-dev/uds-bundle.yaml | 4 +- bundles/k3d-standard/uds-bundle.yaml | 6 +- docs/configuration/istio/_index.md | 5 + docs/configuration/istio/ingress.md | 94 ++ docs/configuration/uds-monitoring-metrics.md | 47 +- docs/configuration/uds-operator.md | 145 ++- docs/deployment/flavors.md | 23 + docs/deployment/uds-deploy.md | 2 +- docs/development/flavor-specific-dev.md | 19 + .../uds-development-maintenance.md | 11 - package-lock.json | 1 - package.json | 1 + packages/slim-dev/zarf.yaml | 9 +- packages/standard/zarf.yaml | 9 +- pepr.ts | 13 +- renovate.json | 5 + src/authservice/README.md | 7 + src/authservice/chart/Chart.yaml | 4 +- src/authservice/chart/templates/authn.yaml | 20 - src/authservice/chart/templates/authz.yaml | 41 - .../chart/templates/deployment.yaml | 45 +- .../chart/templates/secret-ca.yaml | 11 - src/authservice/chart/templates/secret.yaml | 139 --- .../chart/templates/uds-package.yaml | 2 - src/authservice/chart/values.yaml | 103 -- src/authservice/common/zarf.yaml | 2 +- src/authservice/values/registry1-values.yaml | 2 +- src/authservice/values/upstream-values.yaml | 2 +- src/authservice/zarf.yaml | 4 +- src/grafana/values/values.yaml | 1 + src/istio/values/values.yaml | 9 + src/istio/zarf.yaml | 2 +- src/keycloak/chart/README.md | 6 +- src/keycloak/chart/templates/_helpers.tpl | 21 + src/keycloak/chart/templates/istio-admin.yaml | 8 + .../chart/templates/secret-postgresql.yaml | 4 +- src/keycloak/chart/templates/statefulset.yaml | 9 +- src/keycloak/chart/templates/uds-package.yaml | 4 +- src/keycloak/chart/values.yaml | 23 +- src/loki/values/values.yaml | 11 +- .../chart/templates/service-monitor.yaml | 2 +- 
src/neuvector/values/values.yaml | 2 + src/pepr/config.ts | 6 + src/pepr/logger.ts | 2 + .../controllers/istio/istio-resources.ts | 37 +- .../controllers/istio/virtual-service.ts | 4 +- .../authservice/authorization-policy.ts | 162 +++ .../keycloak/authservice/authservice.spec.ts | 124 ++ .../keycloak/authservice/authservice.ts | 121 ++ .../keycloak/authservice/config.ts | 145 +++ .../authservice/mock-authservice-config.json | 60 + .../controllers/keycloak/authservice/types.ts | 71 ++ .../controllers/keycloak/client-sync.ts | 36 +- .../operator/controllers/monitoring/common.ts | 12 + .../monitoring/pod-monitor.spec.ts | 41 + .../controllers/monitoring/pod-monitor.ts | 88 ++ .../monitoring/service-monitor.spec.ts | 2 +- .../controllers/monitoring/service-monitor.ts | 54 +- .../operator/controllers/network/policies.ts | 58 +- src/pepr/operator/controllers/utils.ts | 21 +- .../istio/authorizationpolicy-v1beta1.ts | 227 ++++ .../istio/requestauthentication-v1.ts | 138 +++ .../crd/generated/package-v1alpha1.ts | 66 +- .../crd/generated/prometheus/podmonitor-v1.ts | 1011 +++++++++++++++++ .../generated/prometheus/servicemonitor-v1.ts | 509 ++++++--- src/pepr/operator/crd/index.ts | 30 +- .../operator/crd/sources/package/v1alpha1.ts | 60 +- src/pepr/operator/index.ts | 2 + .../reconcilers/package-reconciler.ts | 20 +- src/pepr/prometheus/index.ts | 80 +- .../chart/templates/istio-monitor.yaml | 2 + .../templates/prometheus-pod-monitor.yaml | 2 + src/prometheus-stack/values/values.yaml | 10 + src/promtail/tasks.yaml | 2 +- src/test/app-authservice-tenant.yaml | 84 ++ src/test/chart/Chart.yaml | 2 +- src/test/chart/templates/package.yaml | 27 + src/test/tasks.yaml | 54 + src/test/zarf.yaml | 7 +- src/velero/tasks.yaml | 2 +- tasks.yaml | 28 +- tasks/deploy.yaml | 16 +- tasks/publish.yaml | 12 +- tasks/utils.yaml | 28 + 90 files changed, 3579 insertions(+), 1144 deletions(-) create mode 100644 docs/configuration/istio/_index.md create mode 100644 
docs/configuration/istio/ingress.md create mode 100644 docs/deployment/flavors.md create mode 100644 docs/development/flavor-specific-dev.md delete mode 100644 docs/development/uds-development-maintenance.md create mode 100644 src/authservice/README.md delete mode 100644 src/authservice/chart/templates/authn.yaml delete mode 100644 src/authservice/chart/templates/authz.yaml delete mode 100644 src/authservice/chart/templates/secret-ca.yaml delete mode 100644 src/authservice/chart/templates/secret.yaml create mode 100644 src/pepr/operator/controllers/keycloak/authservice/authorization-policy.ts create mode 100644 src/pepr/operator/controllers/keycloak/authservice/authservice.spec.ts create mode 100644 src/pepr/operator/controllers/keycloak/authservice/authservice.ts create mode 100644 src/pepr/operator/controllers/keycloak/authservice/config.ts create mode 100644 src/pepr/operator/controllers/keycloak/authservice/mock-authservice-config.json create mode 100644 src/pepr/operator/controllers/keycloak/authservice/types.ts create mode 100644 src/pepr/operator/controllers/monitoring/common.ts create mode 100644 src/pepr/operator/controllers/monitoring/pod-monitor.spec.ts create mode 100644 src/pepr/operator/controllers/monitoring/pod-monitor.ts create mode 100644 src/pepr/operator/crd/generated/istio/authorizationpolicy-v1beta1.ts create mode 100644 src/pepr/operator/crd/generated/istio/requestauthentication-v1.ts create mode 100644 src/pepr/operator/crd/generated/prometheus/podmonitor-v1.ts create mode 100644 src/test/app-authservice-tenant.yaml create mode 100644 src/test/chart/templates/package.yaml create mode 100644 tasks/utils.yaml diff --git a/.github/bundles/uds-bundle.yaml b/.github/bundles/uds-bundle.yaml index 1def6e9b2..b320ebaf8 100644 --- a/.github/bundles/uds-bundle.yaml +++ b/.github/bundles/uds-bundle.yaml 
@@ -3,7 +3,7 @@ metadata: name: uds-core-eks-nightly description: A UDS bundle for deploying EKS and UDS Core # x-release-please-start-version - version: "0.23.4" + version: "0.24.0" # x-release-please-end packages: @@ -14,7 +14,7 @@ packages: - name: core path: ../../build/ # x-release-please-start-version - ref: 0.23.4 + ref: 0.24.0 # x-release-please-end overrides: velero: diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml index f79676b22..e37ced407 100644 --- a/.github/workflows/publish.yaml +++ b/.github/workflows/publish.yaml @@ -13,8 +13,7 @@ jobs: strategy: matrix: flavor: [upstream, registry1, unicorn] - fail-fast: false - runs-on: "ubuntu-latest" + runs-on: "uds-ubuntu-big-boy-8-core" name: Publish packages permissions: 
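Review bot: The publish job moves from `ubuntu-latest` to `uds-ubuntu-big-boy-8-core`, which does not look like a GitHub-hosted image label and is presumably a self-hosted or organization runner pool; nothing in the hunk says whether that pool is ephemeral or shared with pull_request-triggered jobs. This job runs with write-level tokens (the caller grants `contents: write`, `packages: write` and `id-token: write` in patch 40 on this page), so a shared, persistent runner would expose those credentials and the build outputs to whatever else runs on the same machine. Record the expectation next to the label, e.g. `runs-on: "uds-ubuntu-big-boy-8-core"  # self-hosted pool: must be ephemeral and not shared with pull_request jobs — TODO confirm`. The `fail-fast: false` added in patch 48 is also dropped here without a note, so a failing flavor cancels the sibling publishes again. The job's `permissions:` block continues below the hunk.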
@@ -74,31 +73,13 @@ jobs: # if: ${{ always() && !inputs.snapshot }} # uses: ./.github/actions/debug-output - # Determine repository to publish to - - name: Determine destination repository - id: repo - run: | - repo=ghcr.io/defenseunicorns/packages - # Publish unicorn flavor to private repository - if [ "${{ matrix.flavor }}" = "unicorn" ]; then - repo+=/private - fi - repo+=/uds - # Publish snapshots to snapshot repository - if [ "${{ inputs.snapshot }}" = "true" ]; then - repo+=/snapshots - fi - - echo "repo=${repo}" >> "$GITHUB_OUTPUT" - echo "Publishing packages and bundles to ${repo}" - # Publish package and bundle to destination repository - name: Publish Standard Package - run: uds run -f tasks/publish.yaml standard-package --set FLAVOR=${{ matrix.flavor }} --set TARGET_REPO=${{ steps.repo.outputs.repo }} ${PUBLISH_ARGS} --no-progress + run: uds run -f tasks/publish.yaml standard-package --set FLAVOR=${{ matrix.flavor }} --set SNAPSHOT="${{ inputs.snapshot }}" ${PUBLISH_ARGS} --no-progress - name: Publish Upstream Flavored Bundles if: ${{ matrix.flavor == 'upstream' }} - run: uds run -f tasks/publish.yaml bundles --set TARGET_REPO=${{ steps.repo.outputs.repo }} ${PUBLISH_ARGS} --no-progress + run: uds run -f tasks/publish.yaml bundles --set SNAPSHOT="${{ inputs.snapshot }}" ${PUBLISH_ARGS} --no-progress - name: Save logs if: always() diff --git a/.github/workflows/pull-request-conditionals.yaml b/.github/workflows/pull-request-conditionals.yaml index 7d942961a..efa55efa9 100644 --- a/.github/workflows/pull-request-conditionals.yaml +++ b/.github/workflows/pull-request-conditionals.yaml @@ -68,6 +68,7 @@ jobs: package: ${{ fromJSON(needs.check-paths.outputs.packages) }} flavor: [upstream, registry1, unicorn] test_type: [install] + # Upgrade tests are included for all flavors, but ONLY for `all` package tests include: - package: all flavor: registry1 
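Review bot: Removing the `Determine destination repository` step takes the unicorn → `…/private/uds` routing out of the workflow, and the two publish commands now pass only `FLAVOR` and `SNAPSHOT`, so whether unicorn artifacts still land in the private repository depends entirely on logic in `tasks/publish.yaml`/`tasks/utils.yaml`, which this chunk does not show. Please confirm that routing survived the move, since a miss would publish the private flavor to the public `ghcr.io/defenseunicorns/packages/uds` path without any error. Once confirmed, a one-line comment at the first publish step would help the next reader: `# TARGET_REPO is now derived from FLAVOR/SNAPSHOT inside tasks/publish.yaml; unicorn must resolve to the private repo`. The `Save logs` step continues past the hunk.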
@@ -75,10 +76,9 @@ jobs: - package: all flavor: upstream test_type: upgrade - # Commented out until unicorn flavor has a published release - # - package: all - # flavor: unicorn - # test_type: upgrade + - package: all + flavor: unicorn + test_type: upgrade uses: ./.github/workflows/test.yaml with: package: ${{ matrix.package }} diff --git a/.release-please-manifest.json b/.release-please-manifest.json index 48f55b9c8..0884f3f46 100644 --- a/.release-please-manifest.json +++ b/.release-please-manifest.json @@ -1,3 +1,3 @@ { - ".": "0.23.4" + ".": "0.24.0" } diff --git a/CHANGELOG.md b/CHANGELOG.md index e4e5c264d..f42fc9029 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -2,343 +2,38 @@ All notable changes to this project will be documented in this file. -## [0.23.4](https://github.com/BagelLab/uds-core/compare/v0.23.3...v0.23.4) (2024-07-12) - - -### Bug Fixes - -* simplify publish repo output ([84805e0](https://github.com/BagelLab/uds-core/commit/84805e01d2704aa3639943f66a4d58b9aea4f690)) - -## [0.23.3](https://github.com/BagelLab/uds-core/compare/v0.23.2...v0.23.3) (2024-07-10) - - -### Bug Fixes - -* workflow silliness ([5870a77](https://github.com/BagelLab/uds-core/commit/5870a773b91e96a2f8bf616be2abedbe60263f86)) - -## [0.23.2](https://github.com/BagelLab/uds-core/compare/v0.23.1...v0.23.2) (2024-07-10) - - -### Bug Fixes - -* comment out debug ([bdc8677](https://github.com/BagelLab/uds-core/commit/bdc86777d6f06bbb09602185338d6d1c1fe269b9)) -* id-token ([5a78de7](https://github.com/BagelLab/uds-core/commit/5a78de7ec926a3ebe82771a5713ac2ff4841271f)) - -## [0.23.1](https://github.com/BagelLab/uds-core/compare/v0.23.0...v0.23.1) (2024-07-10) - - -### Bug Fixes - -* runners, snapshot ([df87b55](https://github.com/BagelLab/uds-core/commit/df87b5527b2055d8c15d6223d734e8cbcec0def6)) - -## [0.23.0](https://github.com/BagelLab/uds-core/compare/v0.23.0...v0.23.0) (2024-07-10) +## [0.24.0](https://github.com/defenseunicorns/uds-core/compare/v0.23.0...v0.24.0) (2024-07-12) ### ⚠ BREAKING CHANGES -* remove emulated gitlab endpoints from keycloak ([#483](https://github.com/BagelLab/uds-core/issues/483)) +* set istio passthrough gateway as optional component (https://github.com/defenseunicorns/uds-core/pull/547) ### Features -* add `expose` service entry for internal cluster traffic ([#356](https://github.com/BagelLab/uds-core/issues/356)) ([1bde4cc](https://github.com/BagelLab/uds-core/commit/1bde4ccf302864b0c38d093742ca683b96cebe89)) -* add `monitor` to operator, fix monitoring setup ([#256](https://github.com/BagelLab/uds-core/issues/256)) 
([bf67722](https://github.com/BagelLab/uds-core/commit/bf67722d4e7e02d44dd29c4436e9a8d2ef960fa5)) -* add authservice to uds-core ([#153](https://github.com/BagelLab/uds-core/issues/153)) ([b0b33b9](https://github.com/BagelLab/uds-core/commit/b0b33b98ae12fe233c922bba55c9328212c2e578)) -* Add istio and preliminary ci ([#3](https://github.com/BagelLab/uds-core/issues/3)) ([fbd7453](https://github.com/BagelLab/uds-core/commit/fbd745392340dbc978b27f0d321f3375882c1c40)) -* add Istio VirtualService Requestmatch to UDS Operator ([#129](https://github.com/BagelLab/uds-core/issues/129)) ([a207197](https://github.com/BagelLab/uds-core/commit/a20719726991d3b981a372b705b776948f6fbc30)) -* add keycloak ([#147](https://github.com/BagelLab/uds-core/issues/147)) ([f99d3d5](https://github.com/BagelLab/uds-core/commit/f99d3d5d4f89264a21dd76d8847e1cef0325d127)) -* add keycloak sso realm values ([#352](https://github.com/BagelLab/uds-core/issues/352)) ([74436ea](https://github.com/BagelLab/uds-core/commit/74436ea78684a74044efdee14564a6582e659998)) -* add metrics-server ([#35](https://github.com/BagelLab/uds-core/issues/35)) ([8216ab9](https://github.com/BagelLab/uds-core/commit/8216ab982be79dc393a2e0db359370b32e660150)) -* add monitoring and logging ([#33](https://github.com/BagelLab/uds-core/issues/33)) ([c6d9aec](https://github.com/BagelLab/uds-core/commit/c6d9aece4984421e1ccbf476cd0d40fb701e4e50)) -* add nightly testing eks ([#250](https://github.com/BagelLab/uds-core/issues/250)) ([543b09d](https://github.com/BagelLab/uds-core/commit/543b09d103a43c474da6a8c950404cc1f373b03f)) -* add pepr capability for istio + jobs ([#12](https://github.com/BagelLab/uds-core/issues/12)) ([c32a703](https://github.com/BagelLab/uds-core/commit/c32a70390f443c90796978ad4c42bbb4b17eb226)) -* add policy exemptions ([#165](https://github.com/BagelLab/uds-core/issues/165)) ([196df88](https://github.com/BagelLab/uds-core/commit/196df88b01347e530eb1cb49df7440d62c986e0e)) -* add prometheus-stack (monitoring) 
capability ([#2](https://github.com/BagelLab/uds-core/issues/2)) ([e438ab6](https://github.com/BagelLab/uds-core/commit/e438ab6089bc9d8c6640fa002285d38ddc3022df)) -* add reconciliation retries for CRs ([#423](https://github.com/BagelLab/uds-core/issues/423)) ([424b57b](https://github.com/BagelLab/uds-core/commit/424b57ba91906e1c60e6e92927e37b34d657ad01)) -* add saml and attribute/mapper support for keycloak in uds pepr operator ([#328](https://github.com/BagelLab/uds-core/issues/328)) ([c53d4ee](https://github.com/BagelLab/uds-core/commit/c53d4ee1227d71b60a35419f7c8c9396d71b9508)) -* add UDS Operator and consolidate UDS Policies ([#66](https://github.com/BagelLab/uds-core/issues/66)) ([395c1c4](https://github.com/BagelLab/uds-core/commit/395c1c4aec324d0d939cc410a6bb92129b26653b)) -* add velero package ([#210](https://github.com/BagelLab/uds-core/issues/210)) ([a272945](https://github.com/BagelLab/uds-core/commit/a27294585f0d50732b63672d0c2baf14948e29d1)) -* add Zarf Flavors to support Iron Bank & upstream images ([#63](https://github.com/BagelLab/uds-core/issues/63)) ([232c256](https://github.com/BagelLab/uds-core/commit/232c2566b96be0285c24b8b5787350897e72332f)) -* added initial oscal files ([#145](https://github.com/BagelLab/uds-core/issues/145)) ([9600d5f](https://github.com/BagelLab/uds-core/commit/9600d5f159e4a04e8f71313f8ed118b87efbb9a1)) -* embed tls certs in istio package ([#32](https://github.com/BagelLab/uds-core/issues/32)) ([fb04fee](https://github.com/BagelLab/uds-core/commit/fb04feec9657f449366389a0e0a474a8cdeecb2c)) -* enable sso for neuvector ([#351](https://github.com/BagelLab/uds-core/issues/351)) ([597353e](https://github.com/BagelLab/uds-core/commit/597353e294e3dc5c06a8d572414e188f9845af8e)) -* expose tls certs as UDS bundle variables ([#48](https://github.com/BagelLab/uds-core/issues/48)) ([c1f8286](https://github.com/BagelLab/uds-core/commit/c1f828650ef2c53a3fd9ed477950046020c5d375)) -* introduce advancedHTTP for expose field & change 
podLabels to selector ([#154](https://github.com/BagelLab/uds-core/issues/154)) ([1079267](https://github.com/BagelLab/uds-core/commit/107926791149989a782254b8798b7c57a35cfcaf)) -* introduce Pepr common policies ([#50](https://github.com/BagelLab/uds-core/issues/50)) ([54182b4](https://github.com/BagelLab/uds-core/commit/54182b4db691d86ce80379be272d924d105b0d07)) -* introduce sso secret templating ([#276](https://github.com/BagelLab/uds-core/issues/276)) ([e0832ec](https://github.com/BagelLab/uds-core/commit/e0832ec2ee825dc1725483350e3b9295937b8feb)) -* keycloak PVC customization ([#341](https://github.com/BagelLab/uds-core/issues/341)) ([f8eae2a](https://github.com/BagelLab/uds-core/commit/f8eae2a20e02faac6e2c441845a82febeaab3b89)) -* **operator:** add events and improve lifecycle ops ([#245](https://github.com/BagelLab/uds-core/issues/245)) ([502c044](https://github.com/BagelLab/uds-core/commit/502c044547048a380b1f73dead0b8ab1b14a4b4f)) -* release-please integration ([#25](https://github.com/BagelLab/uds-core/issues/25)) ([bf3c53b](https://github.com/BagelLab/uds-core/commit/bf3c53b2ddac4e02e31aa3429029dd9f1c9595e3)) -* switch loki to simple scalable ([#156](https://github.com/BagelLab/uds-core/issues/156)) ([1661b15](https://github.com/BagelLab/uds-core/commit/1661b154657eba1b30fc5bcec64179cbf6037c03)) -* uds common renovate config ([#391](https://github.com/BagelLab/uds-core/issues/391)) ([035786c](https://github.com/BagelLab/uds-core/commit/035786cadcd9c1fbaf7e0a798f9c13104a1a9a14)) -* uds core docs ([#414](https://github.com/BagelLab/uds-core/issues/414)) ([a35ca7b](https://github.com/BagelLab/uds-core/commit/a35ca7b484ab59572d8205a625db5447a8771e44)) -* update security policy to use provided user, group, and fsgroup ([#82](https://github.com/BagelLab/uds-core/issues/82)) ([6d641ce](https://github.com/BagelLab/uds-core/commit/6d641ce67210999bacda0e855269dca61e7c6a7b)) +* add unicorn flavor to uds-core 
([#507](https://github.com/defenseunicorns/uds-core/issues/507)) ([a412581](https://github.com/defenseunicorns/uds-core/commit/a412581c6295658cd61a8f4fc182357c0780bef6)) +* added standalone dns service for loki ([#548](https://github.com/defenseunicorns/uds-core/issues/548)) ([e2efdf9](https://github.com/defenseunicorns/uds-core/commit/e2efdf9b059f698369721412409509cc702593bc)) +* enable authservice integration ([#201](https://github.com/defenseunicorns/uds-core/issues/201)) ([1d4df64](https://github.com/defenseunicorns/uds-core/commit/1d4df64d12882b9a4ff01b5144c1edc7fc2351d2)) +* set istio passthrough gateway as optional component (https://github.com/defenseunicorns/uds-core/pull/547) ([e1cab61](https://github.com/defenseunicorns/uds-core/commit/e1cab61a170dff73fa97000f922cc373a0a70ee5)) +* update to using default scrapeclass for tls config ([#517](https://github.com/defenseunicorns/uds-core/issues/517)) ([258bb6b](https://github.com/defenseunicorns/uds-core/commit/258bb6b41a07081412393b625438c5634ae88d79)) ### Bug Fixes -* add keycloak to dev bundle and rename ([#262](https://github.com/BagelLab/uds-core/issues/262)) ([f9b905c](https://github.com/BagelLab/uds-core/commit/f9b905c7c2b7e4a6a43e7c83918e3157008433d3)) -* add kubeapi egress for neuvector enforcer ([#291](https://github.com/BagelLab/uds-core/issues/291)) ([87fc886](https://github.com/BagelLab/uds-core/commit/87fc886bc736104a9a3c3aefc4c7d232ed74a4f2)) -* add nightly uds-bundle.yaml to release-please extras for updates ([#346](https://github.com/BagelLab/uds-core/issues/346)) ([d1b3071](https://github.com/BagelLab/uds-core/commit/d1b3071182b48ef4905bb040d203fa42d7bbf76f)) -* add saml configuration to k3d standard bundle ([#425](https://github.com/BagelLab/uds-core/issues/425)) ([15b41d7](https://github.com/BagelLab/uds-core/commit/15b41d7ca506dd913316c41321aa9a3133755ab4)) -* add test for disallow selinux options and handle checking for us… ([#96](https://github.com/BagelLab/uds-core/issues/96)) 
([88b969e](https://github.com/BagelLab/uds-core/commit/88b969e2aa4dea8b76dbe397d77c53941f7cfbc8)) -* arm64 packages / bundles creation ([#264](https://github.com/BagelLab/uds-core/issues/264)) ([425fa18](https://github.com/BagelLab/uds-core/commit/425fa184fca6bcebd1eea431dce7112cadae2f44)) -* basic validations for packages ([#208](https://github.com/BagelLab/uds-core/issues/208)) ([9eba3af](https://github.com/BagelLab/uds-core/commit/9eba3afb7e288c13f75f93d5712d50a3b9e7b92d)) -* change pepr error policy to reject ([#99](https://github.com/BagelLab/uds-core/issues/99)) ([10772e2](https://github.com/BagelLab/uds-core/commit/10772e2c64f1e4b965b6b644b0008c81025029e9)) -* check if exemption exists before cleanup ([#468](https://github.com/BagelLab/uds-core/issues/468)) ([735288b](https://github.com/BagelLab/uds-core/commit/735288b87f2dff3c1bb28e9e20aac812d644aa4d)) -* ci things ([f2389a3](https://github.com/BagelLab/uds-core/commit/f2389a33d66491dfab62014cc744b25434202fe2)) -* complete incomplete deploy task ([#21](https://github.com/BagelLab/uds-core/issues/21)) ([45ff5e5](https://github.com/BagelLab/uds-core/commit/45ff5e5d7b6a50cdfcfabb174349ab539a8accd9)) -* concurrency group ([60ca1d0](https://github.com/BagelLab/uds-core/commit/60ca1d06208be3c7f5ec825a37d85504116585d1)) -* de-duplicate renovate matches ([#435](https://github.com/BagelLab/uds-core/issues/435)) ([4f9dbbb](https://github.com/BagelLab/uds-core/commit/4f9dbbbff0bbe1fe348ae7e6c55f97a505f730a9)) -* default keycloak realm envs ([#455](https://github.com/BagelLab/uds-core/issues/455)) ([3a2b48f](https://github.com/BagelLab/uds-core/commit/3a2b48fefb11afcf20f6826fbdef8c43daaf4639)) -* drop path normalization to MERGE_SLASHES to allow apps to handle encoded slashes ([#330](https://github.com/BagelLab/uds-core/issues/330)) ([26e965f](https://github.com/BagelLab/uds-core/commit/26e965fd71dd325bd8df451ce317456bf2d15073)) -* exemption race conditions ([#407](https://github.com/BagelLab/uds-core/issues/407)) 
([d1b3b56](https://github.com/BagelLab/uds-core/commit/d1b3b5669976eb23ca8f88cd5b15a12c56102eca)) -* forgot to commit :( ([29545b6](https://github.com/BagelLab/uds-core/commit/29545b6ca6a35c1717b10b23c8bc2ed3a90f1c4d)) -* github token ([75cfbe4](https://github.com/BagelLab/uds-core/commit/75cfbe446f9b6cd74b9858a7ceb6cd231b348509)) -* hotfix for publishing workflows ([#217](https://github.com/BagelLab/uds-core/issues/217)) ([5fefa01](https://github.com/BagelLab/uds-core/commit/5fefa017d382b7c5557e613b81cd84b27bda85f0)) -* inputs silly ([d5c51f3](https://github.com/BagelLab/uds-core/commit/d5c51f35f6817d66bfbf5b2d5f746032893c863a)) -* integrated docs ([#431](https://github.com/BagelLab/uds-core/issues/431)) ([72238fa](https://github.com/BagelLab/uds-core/commit/72238faed167a4e90e4d332e17909510efd98a58)) -* keycloak schema for package cr ([#436](https://github.com/BagelLab/uds-core/issues/436)) ([e32ce9a](https://github.com/BagelLab/uds-core/commit/e32ce9af9176ba8fef702a8c6aac84c15f9ab374)) -* keycloak volume permissions, UI update ([#223](https://github.com/BagelLab/uds-core/issues/223)) ([4454d3e](https://github.com/BagelLab/uds-core/commit/4454d3efcefe6bfa81628d330434afcc246fad65)) -* **keycloak:** add missing postgres host and port secret keys ([#224](https://github.com/BagelLab/uds-core/issues/224)) ([0c4d775](https://github.com/BagelLab/uds-core/commit/0c4d7758cfb077ff592fea907795402485b6c9f5)) -* **keycloak:** only use PVC for devMode ([#241](https://github.com/BagelLab/uds-core/issues/241)) ([a6e6023](https://github.com/BagelLab/uds-core/commit/a6e6023134dc5171441a2043701ed91309e1b32c)) -* kubeapi netpol generation now also includes the ip from the kubernetes service ([#219](https://github.com/BagelLab/uds-core/issues/219)) ([0a83d02](https://github.com/BagelLab/uds-core/commit/0a83d02f5782d911e3bb63935b0cac70030e5c9b)) -* loki bucket configuration service_account and namespace ([#332](https://github.com/BagelLab/uds-core/issues/332)) 
([9518634](https://github.com/BagelLab/uds-core/commit/9518634b24f2d5c285e598f8620849bbc6288ba4)) -* loki local storage ([#84](https://github.com/BagelLab/uds-core/issues/84)) ([b9505bb](https://github.com/BagelLab/uds-core/commit/b9505bbb42b5369c62d7cbfb05e1efb8b8a6200f)) -* loki s3 overrides ([#365](https://github.com/BagelLab/uds-core/issues/365)) ([3545066](https://github.com/BagelLab/uds-core/commit/354506647d65b0484332695abbbd58d91d9e7427)) -* metrics-server mTLS fix ([#44](https://github.com/BagelLab/uds-core/issues/44)) ([4853522](https://github.com/BagelLab/uds-core/commit/4853522c9504c87dcbd8319d689ecb0a1cb42c0b)) -* mismatched exemption/policy for DropAllCapabilities ([#384](https://github.com/BagelLab/uds-core/issues/384)) ([d8ec278](https://github.com/BagelLab/uds-core/commit/d8ec27827e2e2e7d85b4eba6b738f4b126264dd9)) -* named inputs ([c49e6ea](https://github.com/BagelLab/uds-core/commit/c49e6ea2b566198d4702d4c67c659e833a8bad97)) -* network policy to allow metrics-server ingress ([#148](https://github.com/BagelLab/uds-core/issues/148)) ([f1d434a](https://github.com/BagelLab/uds-core/commit/f1d434a68ef1f2a29ab3b13608bc16ce78211ed4)) -* networkpolicy for keycloak smtp egress ([4059954](https://github.com/BagelLab/uds-core/commit/4059954ed92502f10c1b5b769988a363adc06318)) -* nightly testing eks config architecture ([#452](https://github.com/BagelLab/uds-core/issues/452)) ([a0bbd1f](https://github.com/BagelLab/uds-core/commit/a0bbd1f0bf84f03d59866f9797555a08dc8034d6)) -* non-vendored zarf command refs ([#157](https://github.com/BagelLab/uds-core/issues/157)) ([fe183a9](https://github.com/BagelLab/uds-core/commit/fe183a9ae367bc2d7ea7d629e7c15877aabe38cd)) -* ocsp lookup egress policy ([#255](https://github.com/BagelLab/uds-core/issues/255)) ([77c38f2](https://github.com/BagelLab/uds-core/commit/77c38f22e9a77d9db81504f4c172fdc535c0929e)) -* pepr ironbank renovate update ([#299](https://github.com/BagelLab/uds-core/issues/299)) 
([287e40d](https://github.com/BagelLab/uds-core/commit/287e40db5d65f7472a9e9216aae91f3ad92403d9)) -* pepr mutation annotation overwrite ([#385](https://github.com/BagelLab/uds-core/issues/385)) ([6e56b2a](https://github.com/BagelLab/uds-core/commit/6e56b2afec8f54f8c0a4aa4b89fef1d1c754b627)) -* pepr operator derived netpol name collisions ([#480](https://github.com/BagelLab/uds-core/issues/480)) ([de60e25](https://github.com/BagelLab/uds-core/commit/de60e252526d73e439f5665b27f84e8773c24949)) -* registration robot check form id ([#269](https://github.com/BagelLab/uds-core/issues/269)) ([c6419b9](https://github.com/BagelLab/uds-core/commit/c6419b962eb5a02462e9060a66f7765689cfeb8f)) -* release workflow k3d image ([#316](https://github.com/BagelLab/uds-core/issues/316)) ([e7835e0](https://github.com/BagelLab/uds-core/commit/e7835e071f56af148792fbde250100af8e8ca0b8)) -* remove deprecated registry login and add env setup ([#443](https://github.com/BagelLab/uds-core/issues/443)) ([ca6b76f](https://github.com/BagelLab/uds-core/commit/ca6b76f3a66efb6b2e81832aff771ca06bdff68a)) -* remove go mod ([#441](https://github.com/BagelLab/uds-core/issues/441)) ([0de9693](https://github.com/BagelLab/uds-core/commit/0de969333923afb8fd4639547901c7d7f5c6a6f7)) -* remove loki gateway anti-affinity ([#111](https://github.com/BagelLab/uds-core/issues/111)) ([2cba42e](https://github.com/BagelLab/uds-core/commit/2cba42e3a83a25ae7a45f3c3d6a35bdc7bba0b58)) -* remove no-tea and update uds version ([#446](https://github.com/BagelLab/uds-core/issues/446)) ([434844b](https://github.com/BagelLab/uds-core/commit/434844b827e01808b504abf5ee6af83fba813cb6)) -* remove spec from secret yaml ([#226](https://github.com/BagelLab/uds-core/issues/226)) ([e4b5848](https://github.com/BagelLab/uds-core/commit/e4b58487f736f588944f7c039b8654f9006e04f1)) -* renovate config grouping, test-infra ([#411](https://github.com/BagelLab/uds-core/issues/411)) 
([05fd407](https://github.com/BagelLab/uds-core/commit/05fd407e9c3bf6a0bac33de64e892ce2a63275ac)) -* renovate pepr comment ([#410](https://github.com/BagelLab/uds-core/issues/410)) ([a825388](https://github.com/BagelLab/uds-core/commit/a82538817765ad21adb5f6bba283951bf4c23272)) -* resolve istio job termination container status logic issue ([#55](https://github.com/BagelLab/uds-core/issues/55)) ([c0142c2](https://github.com/BagelLab/uds-core/commit/c0142c213446a37185cdf9dec5ae60aaae8ba194)) -* revert "chore: support deselection of metrics-server" ([#196](https://github.com/BagelLab/uds-core/issues/196)) ([25a408d](https://github.com/BagelLab/uds-core/commit/25a408daeb7f6daada11c21e451f973ebe92c07c)) -* slim-dev monitoring handling ([#383](https://github.com/BagelLab/uds-core/issues/383)) ([79927aa](https://github.com/BagelLab/uds-core/commit/79927aa58cbb12c849e52b50c00b74629b100b31)) -* sticky sessions for keycloak in ha ([#281](https://github.com/BagelLab/uds-core/issues/281)) ([5ccd557](https://github.com/BagelLab/uds-core/commit/5ccd5576afc34d8b24061887f91ce284ec5857a1)) -* typo in comment ([#462](https://github.com/BagelLab/uds-core/issues/462)) ([582b1f4](https://github.com/BagelLab/uds-core/commit/582b1f4754ee3282696ea3b018322a1b3497a7d4)) -* unwanted exemption deletions ([#290](https://github.com/BagelLab/uds-core/issues/290)) ([50b0cd4](https://github.com/BagelLab/uds-core/commit/50b0cd4211964a90139347558028d6c461956da9)) -* update missing flavor create inputs in publish step ([#118](https://github.com/BagelLab/uds-core/issues/118)) ([a0233eb](https://github.com/BagelLab/uds-core/commit/a0233eb45e2d39035f483f3ed8fb3f396e5030d8)) -* update neuvector values for least privilege ([#373](https://github.com/BagelLab/uds-core/issues/373)) ([7f4de4f](https://github.com/BagelLab/uds-core/commit/7f4de4f729e60a258abc40ce34f9c397fae99181)) -* update status for test ([20983d7](https://github.com/BagelLab/uds-core/commit/20983d749871ac2b769584d2ea5d37c1b9183b52)) -* use 
updated k3s ([#426](https://github.com/BagelLab/uds-core/issues/426)) ([1da1c49](https://github.com/BagelLab/uds-core/commit/1da1c49e314c73e6fd1f2ef2940aff983262ec6b)) -* validating/mutating webhook networkpolicies and mtls ([#192](https://github.com/BagelLab/uds-core/issues/192)) ([b01e629](https://github.com/BagelLab/uds-core/commit/b01e62960985dd7cb318372abff296fb96f1012b)) -* valueFrom in KeyCloak statefulset.yaml ([#229](https://github.com/BagelLab/uds-core/issues/229)) ([189a5ce](https://github.com/BagelLab/uds-core/commit/189a5ce3a9dd16fe9646a293ca3948db21eb5d78)) -* wait on istio proxies ([#87](https://github.com/BagelLab/uds-core/issues/87)) ([51cd5a0](https://github.com/BagelLab/uds-core/commit/51cd5a012cc1d095a89b30a22910d3d7ad49885d)) -* workflow links ([eba372c](https://github.com/BagelLab/uds-core/commit/eba372c0b0a942f1bcead8efcd420fbb427ed6e1)) -* workflow outputs silly ([c427851](https://github.com/BagelLab/uds-core/commit/c4278510505b38b651d3f1893a098d1b432e5d95)) +* decouple `devMode` and postgres egress ([#554](https://github.com/defenseunicorns/uds-core/issues/554)) ([1a98779](https://github.com/defenseunicorns/uds-core/commit/1a987796edab5929f90973944bd3888670342973)) +* grafana logout not working in some environments ([#559](https://github.com/defenseunicorns/uds-core/issues/559)) ([ccb9d9e](https://github.com/defenseunicorns/uds-core/commit/ccb9d9e0670a477cdcd87f435db85f0c76e1ccda)) +* initial creation of child logging ([#533](https://github.com/defenseunicorns/uds-core/issues/533)) ([00a5140](https://github.com/defenseunicorns/uds-core/commit/00a5140df6205143d89c15249eb28b3502a2c901)) +* podmonitor mTLS mutations ([#566](https://github.com/defenseunicorns/uds-core/issues/566)) ([eb613e1](https://github.com/defenseunicorns/uds-core/commit/eb613e1ad462681248b85778173d65d9358d427f)) ### Miscellaneous -* add checks before killing pods when updating istio annotations ([#457](https://github.com/BagelLab/uds-core/issues/457)) 
([a62f9a0](https://github.com/BagelLab/uds-core/commit/a62f9a0e04bb538a8018a3f866c88e8b93c59826)) -* add commit lint workflow ([#19](https://github.com/BagelLab/uds-core/issues/19)) ([776a632](https://github.com/BagelLab/uds-core/commit/776a6325821329b2cbd97da2f40a30447cd48efc)) -* add debug logging to endpointslice watch ([#359](https://github.com/BagelLab/uds-core/issues/359)) ([da3eb5a](https://github.com/BagelLab/uds-core/commit/da3eb5ab4f5e6ced50f838456999995d5be601b7)) -* add debug logs to save logs for easier searching ([#430](https://github.com/BagelLab/uds-core/issues/430)) ([319101b](https://github.com/BagelLab/uds-core/commit/319101b61e4793037aab6c96b92c9d834763e9b8)) -* add debug output to release workflow ([#285](https://github.com/BagelLab/uds-core/issues/285)) ([5f96865](https://github.com/BagelLab/uds-core/commit/5f968651fb4f0da563d9c388efab761863f9ea08)) -* add flavor to pepr build task ([#238](https://github.com/BagelLab/uds-core/issues/238)) ([29bf8a3](https://github.com/BagelLab/uds-core/commit/29bf8a3b83255c7548201f3ea19e22452a1d1d4a)) -* add minio deploy time bundle variable override definitions ([#58](https://github.com/BagelLab/uds-core/issues/58)) ([ca28e7b](https://github.com/BagelLab/uds-core/commit/ca28e7b4c4a42769934cc8ad69361ff29a348cc5)) -* add security.md ([#189](https://github.com/BagelLab/uds-core/issues/189)) ([bf7c1d2](https://github.com/BagelLab/uds-core/commit/bf7c1d28e077cf52d4f765b50d7efb8ce5d60fff)) -* add velero csi plugin ([#424](https://github.com/BagelLab/uds-core/issues/424)) ([c7e49e9](https://github.com/BagelLab/uds-core/commit/c7e49e91d9f7810ddc0368f146d43d3c94c782ad)) -* adding unit test for registerExemptions() ([#105](https://github.com/BagelLab/uds-core/issues/105)) ([5e71fcf](https://github.com/BagelLab/uds-core/commit/5e71fcf4751d2e3f6a1e55583ccf76c0fdc76856)) -* align mutation annotations ([#268](https://github.com/BagelLab/uds-core/issues/268)) 
([f18ad4d](https://github.com/BagelLab/uds-core/commit/f18ad4db94a77f4229cc9267e0129f6aa3381c9a)) -* annotate mutations in policies ([#236](https://github.com/BagelLab/uds-core/issues/236)) ([cc9db50](https://github.com/BagelLab/uds-core/commit/cc9db500bb1033a516104f409fa05b3a1101d832)) -* bump zarf & uds-k3d deps ([#30](https://github.com/BagelLab/uds-core/issues/30)) ([dd28ab3](https://github.com/BagelLab/uds-core/commit/dd28ab3acd163aaccdfb76fbf9726c02a2ff0050)) -* conform to latest uds bundle schema ([#52](https://github.com/BagelLab/uds-core/issues/52)) ([14dad38](https://github.com/BagelLab/uds-core/commit/14dad3819187d4f8e13f7bbc191dca74a29b9c98)) -* dep updates for UDS CLI & Pepr ([#46](https://github.com/BagelLab/uds-core/issues/46)) ([1037634](https://github.com/BagelLab/uds-core/commit/10376349e350bd32f3bf32577d8f8089c09ac6cc)) -* **deps:** pin dependencies ([#79](https://github.com/BagelLab/uds-core/issues/79)) ([bfab11e](https://github.com/BagelLab/uds-core/commit/bfab11e345941d23dfeb928917f38e36a2f75bc9)) -* **deps:** update checkout action to latest sha ([#481](https://github.com/BagelLab/uds-core/issues/481)) ([c6f0137](https://github.com/BagelLab/uds-core/commit/c6f0137bb9a1e11f98d426cec8c98eb4005f160a)) -* **deps:** update checkout to v4.1.7 ([#478](https://github.com/BagelLab/uds-core/issues/478)) ([e91a0a3](https://github.com/BagelLab/uds-core/commit/e91a0a35252581554d9ed587e4ef72c2c88a3586)) -* **deps:** update dependency defenseunicorns/uds-common to v0.2.1 ([#205](https://github.com/BagelLab/uds-core/issues/205)) ([1b01407](https://github.com/BagelLab/uds-core/commit/1b01407c4ae3a707db381b07e1364c572c76eceb)) -* **deps:** update dependency defenseunicorns/uds-common to v0.2.2 ([#232](https://github.com/BagelLab/uds-core/issues/232)) ([083ae0c](https://github.com/BagelLab/uds-core/commit/083ae0c45667e5b9064cbff781fbe4e5bc0d2991)) -* **deps:** update dependency defenseunicorns/uds-common to v0.3.6 
([#261](https://github.com/BagelLab/uds-core/issues/261)) ([1b5398b](https://github.com/BagelLab/uds-core/commit/1b5398b7b778ead8ac3265080ae0bd2b5761066e)) -* **deps:** update dependency weaveworks/eksctl to v0.183.0 ([#499](https://github.com/BagelLab/uds-core/issues/499)) ([9cb8e4d](https://github.com/BagelLab/uds-core/commit/9cb8e4d7c86611918e502de0a7e7e25921523cbc)) -* **deps:** update githubactions ([#179](https://github.com/BagelLab/uds-core/issues/179)) ([7797e25](https://github.com/BagelLab/uds-core/commit/7797e259b9691099cce9e151ce1ebf9f9f181435)) -* **deps:** update githubactions ([#242](https://github.com/BagelLab/uds-core/issues/242)) ([1eb2e2c](https://github.com/BagelLab/uds-core/commit/1eb2e2cd2018f0cd8fb55d8e6576b7e36fa8c3cf)) -* **deps:** update githubactions ([#413](https://github.com/BagelLab/uds-core/issues/413)) ([ebd834e](https://github.com/BagelLab/uds-core/commit/ebd834e56ae9adabe14d9772e4a4d9c305da173c)) -* **deps:** update githubactions to de90cc6 ([#215](https://github.com/BagelLab/uds-core/issues/215)) ([f79eed0](https://github.com/BagelLab/uds-core/commit/f79eed03b2495d9f3e11edb433291ce8a3aa55ee)) -* **deps:** update githubactions to ebc4d7e ([#183](https://github.com/BagelLab/uds-core/issues/183)) ([77357e7](https://github.com/BagelLab/uds-core/commit/77357e72cc0344e61fedcab7197aabdd7e4fd2a0)) -* **deps:** update githubactions to v19 ([#204](https://github.com/BagelLab/uds-core/issues/204)) ([d65acd4](https://github.com/BagelLab/uds-core/commit/d65acd4e2d37907685ba9083ff98988b4ea1d452)) -* **deps:** update githubactions to v3 ([#181](https://github.com/BagelLab/uds-core/issues/181)) ([70c5ddf](https://github.com/BagelLab/uds-core/commit/70c5ddf1ee0e5017bee4057d96b320812a964f88)) -* **deps:** update githubactions to v4.1.3 ([#471](https://github.com/BagelLab/uds-core/issues/471)) ([2a9f44d](https://github.com/BagelLab/uds-core/commit/2a9f44d20dce66fa474e47ba0c93eaa7fa9ad406)) -* **deps:** update grafana 
([#144](https://github.com/BagelLab/uds-core/issues/144)) ([6987927](https://github.com/BagelLab/uds-core/commit/698792728faf8cfeabaf7a7c735c91229cc0c07f)) -* **deps:** update grafana ([#257](https://github.com/BagelLab/uds-core/issues/257)) ([c98e566](https://github.com/BagelLab/uds-core/commit/c98e5661c3e6fb84bf17fc64170f5dd39779dda7)) -* **deps:** update grafana ([#339](https://github.com/BagelLab/uds-core/issues/339)) ([52e6c1b](https://github.com/BagelLab/uds-core/commit/52e6c1b3bb003402710bc0fa85419538f38b388f)) -* **deps:** update grafana ([#80](https://github.com/BagelLab/uds-core/issues/80)) ([ccb2c12](https://github.com/BagelLab/uds-core/commit/ccb2c1280313fe69198ecab5fea5b38fc650f699)) -* **deps:** update grafana to v10.3.1 ([#132](https://github.com/BagelLab/uds-core/issues/132)) ([09e028c](https://github.com/BagelLab/uds-core/commit/09e028c63093a6f5fdfd0b1be800b07c0eb9de77)) -* **deps:** update grafana to v7.2.5 ([#136](https://github.com/BagelLab/uds-core/issues/136)) ([a271270](https://github.com/BagelLab/uds-core/commit/a271270f2d3f3488aa9664ef5ad69a4d239c5d22)) -* **deps:** update grafana to v7.3.0 ([#142](https://github.com/BagelLab/uds-core/issues/142)) ([5e960c0](https://github.com/BagelLab/uds-core/commit/5e960c0479e6fc96244db0230296c94e936e57d8)) -* **deps:** update grafana to v7.3.9 ([#353](https://github.com/BagelLab/uds-core/issues/353)) ([4a70f40](https://github.com/BagelLab/uds-core/commit/4a70f407d5e06919aaa0dc5901f49f7f1b166c9d)) -* **deps:** update istio to v1.20.2 ([#75](https://github.com/BagelLab/uds-core/issues/75)) ([671f977](https://github.com/BagelLab/uds-core/commit/671f977ff183010ce75e323532db500dcd4aa69c)) -* **deps:** update istio to v1.20.3 ([#163](https://github.com/BagelLab/uds-core/issues/163)) ([e45de0e](https://github.com/BagelLab/uds-core/commit/e45de0e5917a2ca6c3e30e593e2d9a8d393849a9)) -* **deps:** update istio to v1.21.2 ([#258](https://github.com/BagelLab/uds-core/issues/258)) 
([51c6540](https://github.com/BagelLab/uds-core/commit/51c65405c87ed3c147bdd90172ab0588dc8e5db1)) -* **deps:** update istio to v1.22.1 ([#405](https://github.com/BagelLab/uds-core/issues/405)) ([ad4b861](https://github.com/BagelLab/uds-core/commit/ad4b861158eecfac1d09a37ea3776e31a1c387cb)) -* **deps:** update jest to v29.1.4 ([#438](https://github.com/BagelLab/uds-core/issues/438)) ([c3ecc8b](https://github.com/BagelLab/uds-core/commit/c3ecc8b83b8c65f09600ab937a1c140c4a5f7db1)) -* **deps:** update jest to v29.1.5 ([#485](https://github.com/BagelLab/uds-core/issues/485)) ([9c392b9](https://github.com/BagelLab/uds-core/commit/9c392b9b88c84e3c3763878e6beb1800c43ded25)) -* **deps:** update keycloak ([#349](https://github.com/BagelLab/uds-core/issues/349)) ([2ef1813](https://github.com/BagelLab/uds-core/commit/2ef181333d2fd853bb8eee2c5deb82430d68c861)) -* **deps:** update keycloak ([#390](https://github.com/BagelLab/uds-core/issues/390)) ([3e82c4e](https://github.com/BagelLab/uds-core/commit/3e82c4ece470a5eea81d937b2b38c455934212e1)) -* **deps:** update keycloak to v0.4.2 ([#375](https://github.com/BagelLab/uds-core/issues/375)) ([b0bb8e4](https://github.com/BagelLab/uds-core/commit/b0bb8e47f78886186514f188a99ff38463a5eac3)) -* **deps:** update keycloak to v0.4.4 ([#460](https://github.com/BagelLab/uds-core/issues/460)) ([936f40b](https://github.com/BagelLab/uds-core/commit/936f40bf078bb06d94ebd51585b4eb7669d426b4)) -* **deps:** update keycloak to v0.4.5 ([#461](https://github.com/BagelLab/uds-core/issues/461)) ([3592012](https://github.com/BagelLab/uds-core/commit/35920121bcdfbdf9b708eb3308ea34763a31246a)) -* **deps:** update keycloak to v24.0.4 ([#397](https://github.com/BagelLab/uds-core/issues/397)) ([c0420ea](https://github.com/BagelLab/uds-core/commit/c0420ea750b3a7dfc8ea6adab5225f76178ef953)) -* **deps:** update keycloak to v24.0.4 ([#402](https://github.com/BagelLab/uds-core/issues/402)) 
([e454576](https://github.com/BagelLab/uds-core/commit/e454576a6de53e833d6b925308f09d6007166dde)) -* **deps:** update keycloak to v24.0.5 ([#453](https://github.com/BagelLab/uds-core/issues/453)) ([6b0c6fc](https://github.com/BagelLab/uds-core/commit/6b0c6fc91f238e367c9f2d54f0daaf9d8065794e)) -* **deps:** update keycloak to v24.0.5 ([#454](https://github.com/BagelLab/uds-core/issues/454)) ([89911f0](https://github.com/BagelLab/uds-core/commit/89911f0ca01ac421a254b79e25124525f464cf51)) -* **deps:** update loki ([#131](https://github.com/BagelLab/uds-core/issues/131)) ([61250b0](https://github.com/BagelLab/uds-core/commit/61250b02eca7ca57d7f346c1da5b63f19de17c49)) -* **deps:** update loki ([#209](https://github.com/BagelLab/uds-core/issues/209)) ([03ca499](https://github.com/BagelLab/uds-core/commit/03ca499bd5d9cac800bd36dca80340ceac3f3009)) -* **deps:** update loki ([#72](https://github.com/BagelLab/uds-core/issues/72)) ([98134bb](https://github.com/BagelLab/uds-core/commit/98134bba1f6078a867aae2ae28f4152ba7b1a8e5)) -* **deps:** update loki to v5.43.0 ([#180](https://github.com/BagelLab/uds-core/issues/180)) ([bab5f7a](https://github.com/BagelLab/uds-core/commit/bab5f7aba3644c0e478a17338df4e074b0c1a6a2)) -* **deps:** update loki to v5.43.1 ([#182](https://github.com/BagelLab/uds-core/issues/182)) ([6cc5fc7](https://github.com/BagelLab/uds-core/commit/6cc5fc7f5a07d848cfe4f18dc9a7e2a4cd91b1cf)) -* **deps:** update loki to v5.43.2 ([#191](https://github.com/BagelLab/uds-core/issues/191)) ([0ec0cd4](https://github.com/BagelLab/uds-core/commit/0ec0cd4d6cdc7b4eb1eea33f4da7b144ecbc29a5)) -* **deps:** update loki to v5.43.3 ([#199](https://github.com/BagelLab/uds-core/issues/199)) ([40f1554](https://github.com/BagelLab/uds-core/commit/40f155469670a4b7290819fc09d28ff1fcc06a81)) -* **deps:** update metrics-server ([#123](https://github.com/BagelLab/uds-core/issues/123)) ([fb25a97](https://github.com/BagelLab/uds-core/commit/fb25a970d6e3b51432164fab05ea2d19d1a638ef)) -* 
**deps:** update metrics-server ([#298](https://github.com/BagelLab/uds-core/issues/298)) ([691fd87](https://github.com/BagelLab/uds-core/commit/691fd87ae3e523c897d0461c4a0384b2bb7c8c03)) -* **deps:** update neuvector ([#333](https://github.com/BagelLab/uds-core/issues/333)) ([010e287](https://github.com/BagelLab/uds-core/commit/010e287dbf3a712d19e54bfbbaa87807585130d7)) -* **deps:** update neuvector ([#73](https://github.com/BagelLab/uds-core/issues/73)) ([50f6c90](https://github.com/BagelLab/uds-core/commit/50f6c90ca31d5bf984e44fd1ded7c5cfcb968064)) -* **deps:** update neuvector to 5.3.3 ([#467](https://github.com/BagelLab/uds-core/issues/467)) ([261057d](https://github.com/BagelLab/uds-core/commit/261057d2bf142c3167fdf0d0bd68bc2fb47d22df)) -* **deps:** update neuvector to v9.4 ([#381](https://github.com/BagelLab/uds-core/issues/381)) ([20d4170](https://github.com/BagelLab/uds-core/commit/20d4170386d2437826abafc68d87d91dc457022a)) -* **deps:** update pepr ([#116](https://github.com/BagelLab/uds-core/issues/116)) ([bfa7352](https://github.com/BagelLab/uds-core/commit/bfa7352ebe962ef1ed091f4a5799ed4974e086ef)) -* **deps:** update pepr ([#324](https://github.com/BagelLab/uds-core/issues/324)) ([2ef0f96](https://github.com/BagelLab/uds-core/commit/2ef0f96da7476b487d72d4bb7ce4bd50fdb0b182)) -* **deps:** update pepr ([#340](https://github.com/BagelLab/uds-core/issues/340)) ([e71ba4a](https://github.com/BagelLab/uds-core/commit/e71ba4ab4eb1ea1cc482b507fef4e0e2735bbd1f)) -* **deps:** update pepr ([#419](https://github.com/BagelLab/uds-core/issues/419)) ([d8f0309](https://github.com/BagelLab/uds-core/commit/d8f0309b4f9661b1c5bc2d5e574697ee9579e387)) -* **deps:** update pepr ([#76](https://github.com/BagelLab/uds-core/issues/76)) ([50de920](https://github.com/BagelLab/uds-core/commit/50de920bcf03092d16a11ebf77ede70987a7cdcf)) -* **deps:** update pepr to 0.31.0 ([#360](https://github.com/BagelLab/uds-core/issues/360)) 
([fbd61ea](https://github.com/BagelLab/uds-core/commit/fbd61ea9665133619aec81726b189449226d8459)) -* **deps:** update pepr to 0.32.2 ([#473](https://github.com/BagelLab/uds-core/issues/473)) ([ab4bee9](https://github.com/BagelLab/uds-core/commit/ab4bee906f020d86b90c0b984789be55f8b4c08b)) -* **deps:** update pepr to 0.32.3 ([#494](https://github.com/BagelLab/uds-core/issues/494)) ([2e28897](https://github.com/BagelLab/uds-core/commit/2e2889784043b21463e72643eb890054645dd439)) -* **deps:** update pepr to v0.22.0 ([#102](https://github.com/BagelLab/uds-core/issues/102)) ([941902d](https://github.com/BagelLab/uds-core/commit/941902dcfc2ec1d5340d658f75811b3369489c56)) -* **deps:** update pepr to v0.22.2 ([#104](https://github.com/BagelLab/uds-core/issues/104)) ([0555353](https://github.com/BagelLab/uds-core/commit/0555353e5a5dec2aa8685a3987852d1c3788f28c)) -* **deps:** update pepr to v0.24.1 ([#134](https://github.com/BagelLab/uds-core/issues/134)) ([6474a1c](https://github.com/BagelLab/uds-core/commit/6474a1c0a16c8d87248acb1b3f7d79b76a354fc8)) -* **deps:** update pepr to v0.25.0 ([#164](https://github.com/BagelLab/uds-core/issues/164)) ([e7b8212](https://github.com/BagelLab/uds-core/commit/e7b8212b6a8ed2e16b47264687e0c39d2f0a3455)) -* **deps:** update pepr to v0.28.6 ([#254](https://github.com/BagelLab/uds-core/issues/254)) ([54ef7de](https://github.com/BagelLab/uds-core/commit/54ef7ded349d060b1732b381124fe29e3e8fe85b)) -* **deps:** update pepr to v0.28.6 ([#300](https://github.com/BagelLab/uds-core/issues/300)) ([86b43e4](https://github.com/BagelLab/uds-core/commit/86b43e478521aa88a3a4843948ca96b9cbe55985)) -* **deps:** update pepr to v0.28.7 ([#321](https://github.com/BagelLab/uds-core/issues/321)) ([e7206bb](https://github.com/BagelLab/uds-core/commit/e7206bb93ce23a3ae611e410106890df3eafdea1)) -* **deps:** update pepr to v0.4.5 ([#447](https://github.com/BagelLab/uds-core/issues/447)) 
([f1dba17](https://github.com/BagelLab/uds-core/commit/f1dba17076a7c6052ed67e07bdb560fda7604b80)) -* **deps:** update prometheus-stack ([#128](https://github.com/BagelLab/uds-core/issues/128)) ([625622a](https://github.com/BagelLab/uds-core/commit/625622a44c101f0a9c1beffd66eb259dc1f1eedc)) -* **deps:** update prometheus-stack ([#190](https://github.com/BagelLab/uds-core/issues/190)) ([f9a605a](https://github.com/BagelLab/uds-core/commit/f9a605a4c828128fc19f0bdb1d2443f65fb87b8a)) -* **deps:** update prometheus-stack ([#301](https://github.com/BagelLab/uds-core/issues/301)) ([143eca3](https://github.com/BagelLab/uds-core/commit/143eca3ecc2e3c39765312dc3c5384c87a13d7da)) -* **deps:** update prometheus-stack ([#348](https://github.com/BagelLab/uds-core/issues/348)) ([49cb11a](https://github.com/BagelLab/uds-core/commit/49cb11a058a9209cee7019fa552b8c0b2ef73368)) -* **deps:** update prometheus-stack ([#392](https://github.com/BagelLab/uds-core/issues/392)) ([2e656f5](https://github.com/BagelLab/uds-core/commit/2e656f5dc3de2e6561ac313cb1bae478635b86b3)) -* **deps:** update prometheus-stack ([#422](https://github.com/BagelLab/uds-core/issues/422)) ([a96193e](https://github.com/BagelLab/uds-core/commit/a96193e257701dfaf6fccc34246ef3f31e639f3e)) -* **deps:** update prometheus-stack ([#81](https://github.com/BagelLab/uds-core/issues/81)) ([19bedb6](https://github.com/BagelLab/uds-core/commit/19bedb60cd2f99615c4b5673623ff0ff6fafb73f)) -* **deps:** update promtail ([#74](https://github.com/BagelLab/uds-core/issues/74)) ([6a112b5](https://github.com/BagelLab/uds-core/commit/6a112b5226250f1a17023b2c1225d404cf8feeee)) -* **deps:** update to keycloak 24 ([#336](https://github.com/BagelLab/uds-core/issues/336)) ([1153ba0](https://github.com/BagelLab/uds-core/commit/1153ba09ac062d3477a4ee396376be83493ad3c5)) -* **deps:** update uds to v0.10.4 ([#228](https://github.com/BagelLab/uds-core/issues/228)) 
([1750b23](https://github.com/BagelLab/uds-core/commit/1750b2304e3c6f0ce6a60f1ef2873ce8a6ce1502)) -* **deps:** update uds to v0.11.1 ([#472](https://github.com/BagelLab/uds-core/issues/472)) ([12fd798](https://github.com/BagelLab/uds-core/commit/12fd79894e71ee06181ccd6f2ac98b84d935066c)) -* **deps:** update uds to v0.11.2 ([#479](https://github.com/BagelLab/uds-core/issues/479)) ([f967f9a](https://github.com/BagelLab/uds-core/commit/f967f9a4bf8d718b9ece96d882db4d9c800f5f0f)) -* **deps:** update uds to v0.5.3, zarf to v0.32.1, and uds-k3d to 0.3.0 ([#77](https://github.com/BagelLab/uds-core/issues/77)) ([596f9d8](https://github.com/BagelLab/uds-core/commit/596f9d8df51c3df1aa87fd0e09d9e69c87473bf0)) -* **deps:** update uds to v0.6.2 ([#107](https://github.com/BagelLab/uds-core/issues/107)) ([7b7220e](https://github.com/BagelLab/uds-core/commit/7b7220e708cf2dca25cc592b8932661620d9610d)) -* **deps:** update uds to v0.8.1 ([#141](https://github.com/BagelLab/uds-core/issues/141)) ([fa79065](https://github.com/BagelLab/uds-core/commit/fa79065265a5ee2b8f6f6a55d1c2904bbaf42fff)) -* **deps:** update uds to v0.9.0 ([#173](https://github.com/BagelLab/uds-core/issues/173)) ([b91a90d](https://github.com/BagelLab/uds-core/commit/b91a90db987e108a5a093a326428bbd0b5f9446e)) -* **deps:** update uds to v0.9.2 ([#200](https://github.com/BagelLab/uds-core/issues/200)) ([e4b54fe](https://github.com/BagelLab/uds-core/commit/e4b54febc4d7914e962db92b7a0490a3735af4e5)) -* **deps:** update uds-common tasks to 0.6.1 ([#498](https://github.com/BagelLab/uds-core/issues/498)) ([4aa6e33](https://github.com/BagelLab/uds-core/commit/4aa6e3372f6d1a5df1e2ae51a3129603a8b0b29b)) -* **deps:** update uds-common to v0.4.4 ([#442](https://github.com/BagelLab/uds-core/issues/442)) ([bf6debd](https://github.com/BagelLab/uds-core/commit/bf6debdd0d50f6cde11288cd70d8bdf1dcdaaaa0)) -* **deps:** update uds-identity-config to 0.4.1 ([#355](https://github.com/BagelLab/uds-core/issues/355)) 
([8485931](https://github.com/BagelLab/uds-core/commit/84859316ea92ef9ec7807a702ee246e11b73567b)) -* **deps:** update uds-k3d to v0.3.1 ([#89](https://github.com/BagelLab/uds-core/issues/89)) ([5d54cd1](https://github.com/BagelLab/uds-core/commit/5d54cd1efe5eee4c19caf347882725e0aa20e50a)) -* **deps:** update uds-k3d to v0.5.0 ([#186](https://github.com/BagelLab/uds-core/issues/186)) ([164bf5f](https://github.com/BagelLab/uds-core/commit/164bf5f8bd58899f5ec1a179d6d409cfb46b850f)) -* **deps:** update uds-k3d to v0.6.0 ([#240](https://github.com/BagelLab/uds-core/issues/240)) ([6a26523](https://github.com/BagelLab/uds-core/commit/6a2652368fde3a3bdbe5bb81fd258830dfaeb5c8)) -* **deps:** update uds-k3d to v0.6.0 ([#398](https://github.com/BagelLab/uds-core/issues/398)) ([288f009](https://github.com/BagelLab/uds-core/commit/288f00990a715087c9bf1fffd0a63ecf33125a5a)) -* **deps:** update uds-k3d to v0.7.0 ([#428](https://github.com/BagelLab/uds-core/issues/428)) ([23b59a2](https://github.com/BagelLab/uds-core/commit/23b59a260b2c60791614ca4d39a33e65476e19ee)) -* **deps:** update velero ([#260](https://github.com/BagelLab/uds-core/issues/260)) ([f352008](https://github.com/BagelLab/uds-core/commit/f35200833a4d4d50de9f632f6918320f7d8fff5e)) -* **deps:** update velero ([#350](https://github.com/BagelLab/uds-core/issues/350)) ([e7cb33e](https://github.com/BagelLab/uds-core/commit/e7cb33ea9a13ab9550aab45d8ee437a1ba595d38)) -* **deps:** update velero ([#408](https://github.com/BagelLab/uds-core/issues/408)) ([ffbefda](https://github.com/BagelLab/uds-core/commit/ffbefda74777466ef74ad1d5cffff1f4895f323d)) -* **deps:** update velero ([#440](https://github.com/BagelLab/uds-core/issues/440)) ([4b1a3ea](https://github.com/BagelLab/uds-core/commit/4b1a3ead81a80b49e5ccfeb2e4130a4aaebb53a4)) -* **deps:** update velero to v1.30.2 ([#476](https://github.com/BagelLab/uds-core/issues/476)) ([89bbda9](https://github.com/BagelLab/uds-core/commit/89bbda9e640014bede116c254381cab8995df12f)) -* 
**deps:** update velero to v6.6.0 ([#456](https://github.com/BagelLab/uds-core/issues/456)) ([aff37c1](https://github.com/BagelLab/uds-core/commit/aff37c194e321f6a6c92f1bc11fd796cf9f0a9ab)) -* **deps:** update zarf to v0.32.2 ([#133](https://github.com/BagelLab/uds-core/issues/133)) ([91502c6](https://github.com/BagelLab/uds-core/commit/91502c6321334c6d31ce5fd1cd8f2fe6f77c09ae)) -* **deps:** update zarf to v0.32.3 ([#155](https://github.com/BagelLab/uds-core/issues/155)) ([2f0a1a7](https://github.com/BagelLab/uds-core/commit/2f0a1a77043ce298e765e6999cf11a97f36e4ecc)) -* **deps:** update zarf to v0.32.4 ([#203](https://github.com/BagelLab/uds-core/issues/203)) ([05c903e](https://github.com/BagelLab/uds-core/commit/05c903ea43243401d9cc2928ba5eb66ff6201c94)) -* **deps:** update zarf to v0.32.5 ([#243](https://github.com/BagelLab/uds-core/issues/243)) ([ee93612](https://github.com/BagelLab/uds-core/commit/ee9361224767c1a708b6f8e2c266af710facea8d)) -* **deps:** update zarf to v0.32.6 ([#282](https://github.com/BagelLab/uds-core/issues/282)) ([443426d](https://github.com/BagelLab/uds-core/commit/443426d05b9bd1d15fb4632efa26219250270895)) -* **deps:** update zarf to v0.33.0 ([#325](https://github.com/BagelLab/uds-core/issues/325)) ([f2a2a66](https://github.com/BagelLab/uds-core/commit/f2a2a665309c812b4300047d1c90ff3833a8eba6)) -* **deps:** update zarf to v0.33.1 ([#368](https://github.com/BagelLab/uds-core/issues/368)) ([296e547](https://github.com/BagelLab/uds-core/commit/296e54729c20c9ecee21677daec874a2c8b57b57)) -* **deps:** update zarf to v0.33.2 ([#394](https://github.com/BagelLab/uds-core/issues/394)) ([201a37b](https://github.com/BagelLab/uds-core/commit/201a37b12277880058c14fc05b3c0d4aecbf31e0)) -* **deps:** update zarf to v0.34.0 ([#434](https://github.com/BagelLab/uds-core/issues/434)) ([9badf9d](https://github.com/BagelLab/uds-core/commit/9badf9d4b9b6f904b1b7a478be5355416dc7fbe0)) -* **deps:** update zarf to v0.35.0 
([#490](https://github.com/BagelLab/uds-core/issues/490)) ([86957cf](https://github.com/BagelLab/uds-core/commit/86957cfe19564ec8ddccec7e496af4469def322a)) -* docs linting changes ([#505](https://github.com/BagelLab/uds-core/issues/505)) ([0fe2015](https://github.com/BagelLab/uds-core/commit/0fe20151713363f572a50601016e06e60230990f)) -* fix missing deps in tag and release workflow ([#28](https://github.com/BagelLab/uds-core/issues/28)) ([1e1af76](https://github.com/BagelLab/uds-core/commit/1e1af762e8eb1dd331cbd681e48ecc95ec3184d2)) -* initial renovate config ([#67](https://github.com/BagelLab/uds-core/issues/67)) ([2cd19d8](https://github.com/BagelLab/uds-core/commit/2cd19d871a95491950d43fea8e8fd2e8c290cd55)) -* kick off ci ([1afc3a4](https://github.com/BagelLab/uds-core/commit/1afc3a4203cce1a1c81b15e7ba6caad1a9c63131)) -* **main:** release 0.1.1 ([#27](https://github.com/BagelLab/uds-core/issues/27)) ([3776e91](https://github.com/BagelLab/uds-core/commit/3776e91670aa73907cb9c48a05419d106ecedd67)) -* **main:** release 0.1.2 ([#29](https://github.com/BagelLab/uds-core/issues/29)) ([af7b0be](https://github.com/BagelLab/uds-core/commit/af7b0beaf409627c87b47e4d908b0a8a0d8cff63)) -* **main:** release 0.1.3 ([#31](https://github.com/BagelLab/uds-core/issues/31)) ([28ad8a7](https://github.com/BagelLab/uds-core/commit/28ad8a78b023f160714ecb90d748ee65403cf500)) -* **main:** release 0.10.0 ([#135](https://github.com/BagelLab/uds-core/issues/135)) ([5bb6f01](https://github.com/BagelLab/uds-core/commit/5bb6f016631fdef4f14848ff55588f33e6d4f07d)) -* **main:** release 0.11.0 ([#138](https://github.com/BagelLab/uds-core/issues/138)) ([c02ada8](https://github.com/BagelLab/uds-core/commit/c02ada860f532d8955af00637756ee622f3e9019)) -* **main:** release 0.11.1 ([#159](https://github.com/BagelLab/uds-core/issues/159)) ([2c493bb](https://github.com/BagelLab/uds-core/commit/2c493bb7c877a7193e45376a9d28aed832cff590)) -* **main:** release 0.12.0 
([#161](https://github.com/BagelLab/uds-core/issues/161)) ([e3c41e8](https://github.com/BagelLab/uds-core/commit/e3c41e82ba5bd776f2633cbde222ab05c5c513f3)) -* **main:** release 0.13.0 ([#170](https://github.com/BagelLab/uds-core/issues/170)) ([09c9447](https://github.com/BagelLab/uds-core/commit/09c9447fa47e5bd1f1d3ae627d7c3dab9c46d596)) -* **main:** release 0.13.1 ([#197](https://github.com/BagelLab/uds-core/issues/197)) ([e968fe9](https://github.com/BagelLab/uds-core/commit/e968fe9707f5a1f154b1fd19050ba46073427495)) -* **main:** release 0.14.0 ([#202](https://github.com/BagelLab/uds-core/issues/202)) ([d090f40](https://github.com/BagelLab/uds-core/commit/d090f4052679d1557973a17524923280c04807fd)) -* **main:** release 0.14.1 ([#218](https://github.com/BagelLab/uds-core/issues/218)) ([3199d8b](https://github.com/BagelLab/uds-core/commit/3199d8bc8cc8e11f9eccdb7075ce798572f6fa0a)) -* **main:** release 0.14.2 ([#221](https://github.com/BagelLab/uds-core/issues/221)) ([2ab4c54](https://github.com/BagelLab/uds-core/commit/2ab4c54618f40c8f195e4bbc1aee63024e488dc8)) -* **main:** release 0.14.3 ([#225](https://github.com/BagelLab/uds-core/issues/225)) ([05b1c19](https://github.com/BagelLab/uds-core/commit/05b1c196e4509ee38261a9b9bc8bc8531086b499)) -* **main:** release 0.14.4 ([#227](https://github.com/BagelLab/uds-core/issues/227)) ([d2d005b](https://github.com/BagelLab/uds-core/commit/d2d005b9caf0b067f850f752a3d6e643c99a74c6)) -* **main:** release 0.14.5 ([#230](https://github.com/BagelLab/uds-core/issues/230)) ([1acafca](https://github.com/BagelLab/uds-core/commit/1acafcadf0baa4567d4f0c41e3201fa40895d092)) -* **main:** release 0.15.0 ([#233](https://github.com/BagelLab/uds-core/issues/233)) ([f4f3699](https://github.com/BagelLab/uds-core/commit/f4f3699096e4f917cf36bcb15bdb47179569b74d)) -* **main:** release 0.15.1 ([#235](https://github.com/BagelLab/uds-core/issues/235)) ([a0c6b32](https://github.com/BagelLab/uds-core/commit/a0c6b327ada2a36a08a4dc4874248d9df65f5381)) -* 
**main:** release 0.16.0 ([#246](https://github.com/BagelLab/uds-core/issues/246)) ([efc64d4](https://github.com/BagelLab/uds-core/commit/efc64d45c6e78f3014258b80abdf35d0119bde36)) -* **main:** release 0.16.1 ([#265](https://github.com/BagelLab/uds-core/issues/265)) ([4e4eaea](https://github.com/BagelLab/uds-core/commit/4e4eaea6c16e010837bb1c0d5624ebda418bce6f)) -* **main:** release 0.17.0 ([#267](https://github.com/BagelLab/uds-core/issues/267)) ([510f536](https://github.com/BagelLab/uds-core/commit/510f536133e835f98bb524bfc9f437e6f716d9ef)) -* **main:** release 0.18.0 ([#286](https://github.com/BagelLab/uds-core/issues/286)) ([40e6b7b](https://github.com/BagelLab/uds-core/commit/40e6b7b711ddbd956058eda8490355568faddaec)) -* **main:** release 0.18.0 ([#318](https://github.com/BagelLab/uds-core/issues/318)) ([5f5e0b8](https://github.com/BagelLab/uds-core/commit/5f5e0b8a19daf0b51d9a102fd851ff76e5296d4e)) -* **main:** release 0.19.0 ([#320](https://github.com/BagelLab/uds-core/issues/320)) ([4ce502b](https://github.com/BagelLab/uds-core/commit/4ce502be3a5d83c28c259db8080a215f309c6ed7)) -* **main:** release 0.2.0 ([#34](https://github.com/BagelLab/uds-core/issues/34)) ([5185a8f](https://github.com/BagelLab/uds-core/commit/5185a8f98c90578eabd9f1494f55e43922bb7a92)) -* **main:** release 0.20.0 ([#345](https://github.com/BagelLab/uds-core/issues/345)) ([c29cc91](https://github.com/BagelLab/uds-core/commit/c29cc91cd2e41d5bbaee33deb173628c83ad0480)) -* **main:** release 0.21.0 ([#361](https://github.com/BagelLab/uds-core/issues/361)) ([c9f027f](https://github.com/BagelLab/uds-core/commit/c9f027f518de547b962b06defb836fba3c70ff3d)) -* **main:** release 0.21.1 ([#379](https://github.com/BagelLab/uds-core/issues/379)) ([b46a161](https://github.com/BagelLab/uds-core/commit/b46a161271bac3c167e554fadf673d2536b6b420)) -* **main:** release 0.22.0 ([#386](https://github.com/BagelLab/uds-core/issues/386)) 
([6367bef](https://github.com/BagelLab/uds-core/commit/6367bef04dab6803471b8f424210baedf2004d01)) -* **main:** release 0.22.1 ([#432](https://github.com/BagelLab/uds-core/issues/432)) ([7cf9c4c](https://github.com/BagelLab/uds-core/commit/7cf9c4c09dccc1d91edb7acbb2aee8750c5433ed)) -* **main:** release 0.22.2 ([#474](https://github.com/BagelLab/uds-core/issues/474)) ([84a408f](https://github.com/BagelLab/uds-core/commit/84a408fb23c1803bdbbf5e1f1ce64e97110f2829)) -* **main:** release 0.23.0 ([d640453](https://github.com/BagelLab/uds-core/commit/d64045363c267dad4d10b447e7706b1e739765ae)) -* **main:** release 0.3.0 ([#39](https://github.com/BagelLab/uds-core/issues/39)) ([4d2b05d](https://github.com/BagelLab/uds-core/commit/4d2b05de9d155dc91b799bde5156c5980bc348cb)) -* **main:** release 0.4.0 ([#43](https://github.com/BagelLab/uds-core/issues/43)) ([d2b61c3](https://github.com/BagelLab/uds-core/commit/d2b61c373b91d4f405e27ce930e4f8bec52ddd21)) -* **main:** release 0.4.1 ([#45](https://github.com/BagelLab/uds-core/issues/45)) ([d66eafe](https://github.com/BagelLab/uds-core/commit/d66eafea0ec9ccd412f5af3ed5ab12f3f8275a33)) -* **main:** release 0.5.0 ([#49](https://github.com/BagelLab/uds-core/issues/49)) ([f9c4269](https://github.com/BagelLab/uds-core/commit/f9c426998f2bc4fc21c32b3492f25b8608f50282)) -* **main:** release 0.6.0 ([#53](https://github.com/BagelLab/uds-core/issues/53)) ([9b3ad64](https://github.com/BagelLab/uds-core/commit/9b3ad64a6e3870ce364cad77abd367cc8d493042)) -* **main:** release 0.6.1 ([#56](https://github.com/BagelLab/uds-core/issues/56)) ([4a5a42c](https://github.com/BagelLab/uds-core/commit/4a5a42c8fa9ee17656e462cb9df08562d9c85b96)) -* **main:** release 0.6.2 ([#59](https://github.com/BagelLab/uds-core/issues/59)) ([b1c49ac](https://github.com/BagelLab/uds-core/commit/b1c49ac70e8a293936dea8a516c32b7bb7e6fc4c)) -* **main:** release 0.7.0 ([#71](https://github.com/BagelLab/uds-core/issues/71)) 
([51dcb54](https://github.com/BagelLab/uds-core/commit/51dcb54d239cb5636b0c4f55fde9fc2b2c3bf076)) -* **main:** release 0.7.1 ([#85](https://github.com/BagelLab/uds-core/issues/85)) ([da4040a](https://github.com/BagelLab/uds-core/commit/da4040aff739746dc2355ec0449ee762c05c56c1)) -* **main:** release 0.7.2 ([#88](https://github.com/BagelLab/uds-core/issues/88)) ([5e421ce](https://github.com/BagelLab/uds-core/commit/5e421ce011e42692c3cb6f1353cfb8a5edb846fb)) -* **main:** release 0.7.3 ([#93](https://github.com/BagelLab/uds-core/issues/93)) ([ddf8fa6](https://github.com/BagelLab/uds-core/commit/ddf8fa617853686b8c043d236c159bcd59c47ac0)) -* **main:** release 0.7.4 ([#100](https://github.com/BagelLab/uds-core/issues/100)) ([9abd78b](https://github.com/BagelLab/uds-core/commit/9abd78b11a90a67344fa93e8dba7fd53d6b58ea2)) -* **main:** release 0.8.0 ([#106](https://github.com/BagelLab/uds-core/issues/106)) ([3ab93c3](https://github.com/BagelLab/uds-core/commit/3ab93c30b132ff9c35c1f238008b15cd265abe92)) -* **main:** release 0.8.1 ([#112](https://github.com/BagelLab/uds-core/issues/112)) ([942ad54](https://github.com/BagelLab/uds-core/commit/942ad549b53e8ce87a33fae985bbe2f82c6fa75c)) -* **main:** release 0.9.0 ([#117](https://github.com/BagelLab/uds-core/issues/117)) ([6b0c56b](https://github.com/BagelLab/uds-core/commit/6b0c56b8a6d60091e532ac36cd69ea6cd5ac1124)) -* **main:** release 0.9.1 ([#119](https://github.com/BagelLab/uds-core/issues/119)) ([984f916](https://github.com/BagelLab/uds-core/commit/984f91602c3b2873110d62a49c5df4ecfaa19f8a)) -* **main:** release 0.9.2 ([#121](https://github.com/BagelLab/uds-core/issues/121)) ([2d9b3c9](https://github.com/BagelLab/uds-core/commit/2d9b3c9fe288347879f2d78c8524b719d3772abd)) -* move api service watch to reconcile ([#362](https://github.com/BagelLab/uds-core/issues/362)) ([1822bca](https://github.com/BagelLab/uds-core/commit/1822bca6c397a5c8ea64b9355a9ba4f51fde4518)) -* open the aperture for pr workflow triggering 
([#90](https://github.com/BagelLab/uds-core/issues/90)) ([d8a72f2](https://github.com/BagelLab/uds-core/commit/d8a72f2f2f3e507a4be7f217e23b737e3d4c35ce)) -* readme updates & use UDS CLI for zarf ([#137](https://github.com/BagelLab/uds-core/issues/137)) ([21de0ce](https://github.com/BagelLab/uds-core/commit/21de0cee2d70d67ca17b1d45c642e9ca4e1617ce)) -* refactor ci for releases to remove certain artifacts ([#125](https://github.com/BagelLab/uds-core/issues/125)) ([c08a062](https://github.com/BagelLab/uds-core/commit/c08a062bb3f3ede6860c3d7f34136b3e82b78715)) -* refactor promtail extraScrapeConfigs into scrapeConfigs ([#367](https://github.com/BagelLab/uds-core/issues/367)) ([2220272](https://github.com/BagelLab/uds-core/commit/222027240148e669edf40483d145ffc15567b1b7)) -* refactor validate.yaml file name and task name ([#62](https://github.com/BagelLab/uds-core/issues/62)) ([92a04ea](https://github.com/BagelLab/uds-core/commit/92a04ea1096448995ccc0dd9d77a32a5061e06f0)) -* remove emulated gitlab endpoints from keycloak ([#483](https://github.com/BagelLab/uds-core/issues/483)) ([495960c](https://github.com/BagelLab/uds-core/commit/495960ce8d40cf2ef7c0f0021b653db6fc6383bb)) -* remove retry-action action on registry1 docker login ([#160](https://github.com/BagelLab/uds-core/issues/160)) ([eea0c93](https://github.com/BagelLab/uds-core/commit/eea0c93a0ff172bfc5a76d3eaca143ffc0d9fbe2)) -* remove version from neuvector zarf.yaml ([#11](https://github.com/BagelLab/uds-core/issues/11)) ([fbc8d51](https://github.com/BagelLab/uds-core/commit/fbc8d51e2b4146d394184d7596cd9a54219dc001)) -* renovate updates ([#140](https://github.com/BagelLab/uds-core/issues/140)) ([b71a013](https://github.com/BagelLab/uds-core/commit/b71a013bea30c9ca5e39f1dc6485fffaa86ca6b1)) -* simplify promtail values for scrape configs ([#94](https://github.com/BagelLab/uds-core/issues/94)) ([6c2513b](https://github.com/BagelLab/uds-core/commit/6c2513be89f064b44516b1d89c0d6005dd1d4d30)) -* support deselection of 
metrics-server ([#193](https://github.com/BagelLab/uds-core/issues/193)) ([289a0fe](https://github.com/BagelLab/uds-core/commit/289a0fee5315e8c4a70b3afe66165dd00a7dfbc1)) -* support headless keycloak admin user ([#307](https://github.com/BagelLab/uds-core/issues/307)) ([a0e51b6](https://github.com/BagelLab/uds-core/commit/a0e51b649822619b63478b140bb5dbbebeb20ff3)) -* test artifacts before publish ([#198](https://github.com/BagelLab/uds-core/issues/198)) ([9732f32](https://github.com/BagelLab/uds-core/commit/9732f325624244f4d34c127a949c6ce5951ff6ab)) -* test publish ([2cefa29](https://github.com/BagelLab/uds-core/commit/2cefa2938d60cfa40bd5c0f7ff44c2448c4f48a8)) -* trigger eks nightly when related files are updated ([#366](https://github.com/BagelLab/uds-core/issues/366)) ([6d6e4e0](https://github.com/BagelLab/uds-core/commit/6d6e4e0debbca3498cbc21db405eec48b3bcc240)) -* typo fix in README.md ([#280](https://github.com/BagelLab/uds-core/issues/280)) ([f9727e0](https://github.com/BagelLab/uds-core/commit/f9727e0b638e853bbae131d02019a2efb5286b0a)) -* update codeowners ([#338](https://github.com/BagelLab/uds-core/issues/338)) ([c419574](https://github.com/BagelLab/uds-core/commit/c41957409607c6335ebf6bd4ff30a1a9336a4870)) -* update release please extra-files to be explicit ([#26](https://github.com/BagelLab/uds-core/issues/26)) ([23f4999](https://github.com/BagelLab/uds-core/commit/23f49995771fb05cd18e7a077bf90e86ca5b7471)) -* updating keycloak chart version to align with image ([#378](https://github.com/BagelLab/uds-core/issues/378)) ([a60fe2a](https://github.com/BagelLab/uds-core/commit/a60fe2afed9f7cff3bcad6b0f563232b47e8025b)) +* add util function for purging orphans ([#565](https://github.com/defenseunicorns/uds-core/issues/565)) ([e84229a](https://github.com/defenseunicorns/uds-core/commit/e84229ad355b60935dc077bb23f1c91f0fa212ec)) +* allow istio proxy injection in zarf ignored namespaces (https://github.com/defenseunicorns/uds-core/pull/513) 
([8921b58](https://github.com/defenseunicorns/uds-core/commit/8921b5897b7a34d9065417f66c1cc24817116ba2)) +* **deps:** update githubactions upload-artifact to v4.3.4 ([#543](https://github.com/defenseunicorns/uds-core/issues/543)) ([20889f2](https://github.com/defenseunicorns/uds-core/commit/20889f2936597360c91b067d2c0d07d6c94646a4)) +* **deps:** update grafana helm chart to v8.3.2 ([#542](https://github.com/defenseunicorns/uds-core/issues/542)) ([8ec260c](https://github.com/defenseunicorns/uds-core/commit/8ec260c7644241fb7fe8163ea8b74240320d417e)) +* **deps:** update pepr dependencies (jest, uds-common) ([#537](https://github.com/defenseunicorns/uds-core/issues/537)) ([547c0bf](https://github.com/defenseunicorns/uds-core/commit/547c0bfb5197fb129e023d2d02fa3a306790364a)) +* **deps:** update promtail helm chart to v6.16.3 ([#538](https://github.com/defenseunicorns/uds-core/issues/538)) ([48b3fea](https://github.com/defenseunicorns/uds-core/commit/48b3feac221f90316e025b57151d8241dbd455c4)) ## [0.23.0](https://github.com/defenseunicorns/uds-core/compare/v0.22.2...v0.23.0) (2024-07-04) diff --git a/README.md b/README.md index ae1d17358..fb5b177db 100644 --- a/README.md +++ b/README.md @@ -55,7 +55,7 @@ If you want to try out UDS Core, you can use the [k3d-core-demo bundle](./bundle ```bash -uds deploy k3d-core-demo:0.23.4 +uds deploy k3d-core-demo:0.24.0 ``` @@ -69,7 +69,7 @@ Deploy Istio, Keycloak and Pepr: ```bash -uds deploy k3d-core-slim-dev:0.23.4 +uds deploy k3d-core-slim-dev:0.24.0 ``` diff --git a/bundles/k3d-slim-dev/uds-bundle.yaml b/bundles/k3d-slim-dev/uds-bundle.yaml index 44bcba1a3..e0b96a0b4 100644 --- a/bundles/k3d-slim-dev/uds-bundle.yaml +++ b/bundles/k3d-slim-dev/uds-bundle.yaml @@ -3,7 +3,7 @@ metadata: name: k3d-core-slim-dev description: A UDS bundle for deploying Istio from UDS Core on a development cluster # x-release-please-start-version - version: "0.23.4" + version: "0.24.0" # x-release-please-end packages: 
@@ -34,7 +34,7 @@ packages: - name: core-slim-dev path: ../../build/ # x-release-please-start-version - ref: 0.23.4 + ref: 0.24.0 # x-release-please-end overrides: istio-admin-gateway: diff --git a/bundles/k3d-standard/uds-bundle.yaml b/bundles/k3d-standard/uds-bundle.yaml index 267b96bdc..1a0a432a9 100644 --- a/bundles/k3d-standard/uds-bundle.yaml +++ b/bundles/k3d-standard/uds-bundle.yaml @@ -3,7 +3,7 @@ metadata: name: k3d-core-demo description: A UDS bundle for deploying the standard UDS Core package on a development cluster # x-release-please-start-version - version: "0.23.4" + version: "0.24.0" # x-release-please-end packages: @@ -34,8 +34,10 @@ packages: - name: core path: ../../build/ # x-release-please-start-version - ref: 0.23.4 + ref: 0.24.0 # x-release-please-end + optionalComponents: + - istio-passthrough-gateway overrides: loki: loki: diff --git a/docs/configuration/istio/_index.md b/docs/configuration/istio/_index.md new file mode 100644 index 000000000..6872802db --- /dev/null +++ b/docs/configuration/istio/_index.md @@ -0,0 +1,5 @@ +--- +title: Istio Configuration for UDS Core +type: docs +weight: 5 +--- diff --git a/docs/configuration/istio/ingress.md b/docs/configuration/istio/ingress.md new file mode 100644 index 000000000..acf7e16c6 --- /dev/null +++ b/docs/configuration/istio/ingress.md 
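Review bot: The new `optionalComponents` entry in bundles/k3d-standard/uds-bundle.yaml carries no comment, so a reader of the bundle cannot tell why the demo bundle opts into a gateway that, per the docs added in this same commit, accepts mesh ingress without Istio performing TLS termination and is no longer deployed by default. A comment above the entry such as `# istio-passthrough-gateway is opt-in (no Istio TLS termination); enabled here so the demo bundle exercises it` would make the intent and the trade-off explicit; the reason given there is inferred and should be confirmed. The k3d-slim-dev bundle in the same commit receives only the version bump and no passthrough entry, which may be deliberate but is worth stating in that comment or the PR description.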
@@ -0,0 +1,94 @@
+---
+title: Configuring Istio Ingress
+type: docs
+weight: 1
+---
+
+UDS Core leverages Istio for ingress into the service mesh. This document provides an overview and examples of the Istio resources that UDS Core deploys to handle ingress.
+
+## Gateways
+
+UDS Core provides a few Istio [Gateway](https://istio.io/latest/docs/reference/config/networking/gateway/) resources to allow ingress into the service mesh. Each one serves a different purpose and can be used to route traffic to different services.
+
+1. **(Required)** Tenant Gateway - This gateway provides ingress to typical end-user applications. By default, UDS Core deploys a few services on this gateway, such as the Keycloak SSO portal. This gateway is typically exposed to end users of the applications deployed on top of UDS Core.
+2. **(Required)** Admin Gateway - This gateway provides ingress to admin-related applications that are not for use by the default end user. By default, UDS Core deploys a few services on this gateway, such as the Admin Keycloak interface. This gateway is typically accessible to admins of the applications deployed on top of UDS Core. *Since the Admin and Tenant Gateways are logically separated, it is possible to have different security controls on each gateway.*
+3. **(Optional)** Passthrough Gateway - This gateway allows mesh ingress without TLS termination performed by Istio. This could be useful for applications that need to (or currently) handle their own TLS termination. This gateway used to be a default component of UDS Core but is no longer deployed by default. To deploy this gateway, you must specify `istio-passthrough-gateway` as an `optionalComponent` in your UDS Bundle configuration.
+
+### Enable Passthrough Gateway
+
+In order to enable the Passthrough Gateway, you must specify `istio-passthrough-gateway` as an `optionalComponent` in your UDS Bundle configuration. 
Here is an example of how to do this: + +```yaml +kind: UDSBundle +metadata: + name: core-with-passthrough + description: A UDS example bundle for packaging UDS core with the passthrough gateway enabled + version: "0.0.1" + +packages: + - name: core + repository: oci://ghcr.io/defenseunicorns/packages/uds/core + ref: 0.23.0-upstream + # You must specify the istio-passthrough-gateway as an optionalComponent or else it will not be deployed + optionalComponents: + - istio-passthrough-gateway +``` + +### Configure Domain Name and TLS for Istio Gateways + +By default, the UDS Core Istio Gateways are set up to use the `uds.dev` domain and have a valid TLS certificate packaged. You will want to change the domain name for your environment and provide a valid TLS certificate for this domain. + +You can set the TLS certs via overrides in a [UDS Bundle](https://uds.defenseunicorns.com/bundles/) (see below). + +```yaml +kind: UDSBundle +metadata: + name: core-with-cert-override + description: A UDS example bundle for packaging UDS core with a custom TLS certificate + version: "0.0.1" + +packages: + - name: core + repository: oci://ghcr.io/defenseunicorns/packages/uds/core + ref: 0.23.0-upstream + overrides: + istio-admin-gateway: + uds-istio-config: + variables: + - name: ADMIN_TLS_CERT + description: "The TLS cert for the admin gateway (must be base64 encoded)" + path: tls.cert + - name: ADMIN_TLS_KEY + description: "The TLS key for the admin gateway (must be base64 encoded)" + path: tls.key + istio-tenant-gateway: + uds-istio-config: + variables: + - name: TENANT_TLS_CERT + description: "The TLS cert for the tenant gateway (must be base64 encoded)" + path: tls.cert + - name: TENANT_TLS_KEY + description: "The TLS key for the tenant gateway (must be base64 encoded)" + path: tls.key +``` + +You can then either use environment variables (`UDS_ADMIN_TLS_CERT`, `UDS_ADMIN_TLS_KEY`, `UDS_TENANT_TLS_CERT`, and `UDS_TENANT_TLS_KEY`) or a config file to configure the certs for each 
gateway. These values should be base64 encoded strings of the TLS certificate and key for the admin and tenant gateways respectively. + +Domain should be set via your [uds-config](https://uds.defenseunicorns.com/cli/quickstart-and-usage/#variables-and-configuration) file using the shared key to override the Zarf Domain Variable (see example `uds-config.yaml` below). + +```yaml +shared: + domain: yourawesomedomain.com # shared across all packages in a bundle + +# TLS Certs/Keys if not provided via environment variables +variables: + core: + admin_tls_cert: # base64 encoded admin cert here + admin_tls_key: # base64 encoded admin key here + tenant_tls_cert: # base64 encoded tenant cert here + tenant_tls_key: # base64 encoded tenant key here +``` + +{{% alert-note %}} +If you are using Private PKI or self-signed certificates for your tenant certificates it is necessary to additionally configure `UDS_CA_CERT` with additional [trusted certificate authorities](https://uds.defenseunicorns.com/core/configuration/uds-operator/#trusted-certificate-authority). +{{% /alert-note %}} diff --git a/docs/configuration/uds-monitoring-metrics.md b/docs/configuration/uds-monitoring-metrics.md index 5274d3225..909d5ad5f 100644 --- a/docs/configuration/uds-monitoring-metrics.md +++ b/docs/configuration/uds-monitoring-metrics.md 
@@ -4,44 +4,69 @@ type: docs weight: 1 --- -UDS Core leverages Pepr to handle setup of Prometheus scraping metrics endpoints, with the particular configuration necessary to work in a STRICT mTLS (Istio) environment. We handle this with both mutations of existing service monitors and generation of service monitors via the `Package` CR. +UDS Core leverages Pepr to handle setup of Prometheus scraping metrics endpoints, with the particular configuration necessary to work in a STRICT mTLS (Istio) environment. We handle this via a default scrapeClass in prometheus to add the istio certs. When a monitor needs to be exempt from that tlsConfig a mutation is performed to leverage a plain scrape class without istio certs. -## Mutations +## TLS Configuration Setup -All service monitors are mutated to set the scrape scheme to HTTPS and set the TLS Config to what is required for Istio mTLS scraping (see [this doc](https://istio.io/latest/docs/ops/integrations/prometheus/#tls-settings) for details). Beyond this, no other fields are mutated. Supporting existing service monitors is useful since some charts include service monitors by default with more advanced configurations, and it is in our best interest to enable those and use them where possible. +Generally it is beneficial to use service and pod monitor resources from existing helm charts where possible as these may have more advanced configuration and options. The UDS monitoring setup ensures that all monitoring resources use a default [`scrapeClass`](https://github.com/prometheus-operator/prometheus-operator/blob/v0.75.1/Documentation/api.md#monitoring.coreos.com/v1.ScrapeClass) configured in Prometheus to handle the necessary `tlsConfig` setup for metrics to work in STRICT Istio mTLS environments (the `scheme` is also mutated to `https` on individual monitor endpoints, see [this doc](https://istio.io/latest/docs/ops/integrations/prometheus/#tls-settings) for details). 
This setup is the default configuration but individual monitors can opt out of this config in 3 different ways: -Assumptions are made about STRICT mTLS here for simplicity, based on the `istio-injection` namespace label. Without making these assumptions we would need to query `PeerAuthentication` resources or another resource to determine the exact workload mTLS posture. +1. If the service or pod monitor targets namespaces that are not Istio injected (ex: `kube-system`), Pepr will detect this and mutate these monitors to use an `exempt` scrape class that does not have the Istio certs. Assumptions are made about STRICT mTLS here for simplicity, based on the `istio-injection` namespace label. Without making these assumptions we would need to query `PeerAuthentication` resources or another resource to determine the exact workload mTLS posture. +1. Individual monitors can explicitly set the `exempt` scrape class to opt out of the Istio certificate configuration. This should typically only be done if your service exposes metrics on a PERMISSIVE mTLS port. +1. If setting a `scrapeClass` is not an option due to lack of configuration in a helm chart, or for other reasons, monitors can use the `uds/skip-mutate` annotation (with any value) to have Pepr mutate the `exempt` scrape class onto the monitor. -Note: This mutation is the default behavior for all service monitors but can be skipped using the annotation key `uds/skip-sm-mutate` (with any value). Skipping this mutation should only be done if your service exposes metrics on a PERMISSIVE mTLS port. +{{% alert-note %}} +There is a deprecated functionality in Pepr that will mutate `tlsConfig` onto individual service monitors, rather than using the scrape class approach. This has been kept in the current code temporarily to prevent any metrics downtime during the switch to `scrapeClass`. In a future release this behavior will be removed to reduce the complexity of the setup and required mutations. 
+{{% /alert-note %}} ## Package CR `monitor` field -UDS Core also supports generating service monitors from the `monitor` list in the `Package` spec. Charts do not always support service monitors, so generating them can be useful. This also provides a simplified way for other users to create service monitors, similar to the way we handle `VirtualServices` today. A full example of this can be seen below: +UDS Core also supports generating `ServiceMonitors` and/or `PodMonitors` from the `monitor` list in the `Package` spec. Charts do not always support monitors, so generating them can be useful. This also provides a simplified way for other users to create monitors, similar to the way we handle `VirtualServices` today. A full example of this can be seen below: ```yaml ... spec: monitor: + # Example Service Monitor - selector: # Selector for the service to monitor app: foobar portName: metrics # Name of the port to monitor targetPort: 1234 # Corresponding target port on the pod/container (for network policy) # Optional properties depending on your application description: "Metrics" # Add to customize the service monitor name + kind: ServiceMonitor # optional, kind defaults to service monitor if not specified. PodMonitor is the other valid option. 
podSelector: # Add if pod labels are different than `selector` (for network policy) app: barfoo path: "/mymetrics" # Add if metrics are exposed on a different path than "/metrics" + authorization: # Add if authorization is required for the metrics endpoint + credentials: + key: "example-key" + name: "example-secret" + optional: false + type: "Bearer" + # Example Pod Monitor + - portName: metrics # Name of the port on the pod to monitor + targetPort: 1234 # Corresponding target port on the pod/container (for network policy) + selector: # Selector for pod(s) to monitor; note: pod monitors support `podSelector` as well, both options behave the same + app: barfoo + kind: PodMonitor + # Optional properties depending on your application + description: "Metrics" # Add to customize the pod monitor name + path: "/mymetrics" # Add if metrics are exposed on a different path than "/metrics" + authorization: # Add if authorization is required for the metrics endpoint + credentials: + key: "example-key" + name: "example-secret" + optional: false + type: "Bearer" ``` -This config is used to generate service monitors and corresponding network policies to setup scraping for your applications. The `ServiceMonitor`s will go through the mutation process to add `tlsConfig` and `scheme` to work in an istio environment. - -This spec intentionally does not support all options available with a `ServiceMonitor`. While we may add additional fields in the future, we do not want to simply rebuild the `ServiceMonitor` spec since mutations are already available to handle Istio specifics. The current subset of spec options is based on the bare minimum necessary to craft resources. +This config is used to generate service or pod monitors and corresponding network policies to setup scraping for your applications. The aforementioned TLS configuration will also apply to these generated monitors, setting a default scrape class unless target namespaces are non-istio-injected. 
-NOTE: While this is a rather verbose spec, each of the above fields are strictly required to craft the necessary service monitor and network policy resources. +This spec intentionally does not support all options available with a `PodMonitor` or `ServiceMonitor`. While we may add additional fields in the future, we do not want to simply rebuild these specs since we are handling the complexities of Istio mTLS metrics. The current subset of spec options is based on the common needs seen in most environments. ## Notes on Alternative Approaches -In coming up with this feature a few alternative approaches were considered but not chosen due to issues with each one. The current spec provides the best balance of a simplified interface compared to the `ServiceMonitor` spec, and a faster/easier reconciliation loop. +In coming up with this feature when targeting the `ServiceMonitor` use case a few alternative approaches were considered but not chosen due to issues with each one. The current spec provides the best balance of a simplified interface compared to the `ServiceMonitor` spec, and a faster/easier reconciliation loop. ### Generation based on service lookup diff --git a/docs/configuration/uds-operator.md b/docs/configuration/uds-operator.md index b8319ffb0..87d340d70 100644 --- a/docs/configuration/uds-operator.md +++ b/docs/configuration/uds-operator.md 
@@ -21,9 +21,11 @@ The UDS Operator plays a pivotal role in managing the lifecycle of UDS Package C - **SSO Group Authentication:** - Group authentication determines who can access the application based on keycloak group membership. - At this time `anyOf` allows defining a list of groups, a user must belong to at least one of them. - {{% alert-caution %}} - Warning: **SSO Group Authentication** is in Alpha and may not be stable. Avoid using in production. Feedback is appreciated to improve reliability. - {{% /alert-caution %}} +- **Authservice Protection:** + - Authservice authentication provides application agnostic SSO for applications that opt-in. + {{% alert-caution %}} + Warning: **Authservice Protection** and **SSO Group Authentication** are in Alpha and may not be stable. Avoid using in production. Feedback is appreciated to improve reliability. + {{% /alert-caution %}} ### Example UDS Package CR 
@@ -70,51 +72,6 @@ spec: - /UDS Core/Admin ``` -## Exemption - -- **Exemption Scope:** - - Granting exemption for custom resources is restricted to the `uds-policy-exemptions` namespace by default, unless specifically configured to allow exemptions across all namespaces. -- **Policy Updates:** - - Updating the policies Pepr store with registered exemptions. - -### Example UDS Exemption CR - -```yaml -apiVersion: uds.dev/v1alpha1 -kind: Exemption -metadata: - name: neuvector - namespace: uds-policy-exemptions -spec: - exemptions: - - policies: - - DisallowHostNamespaces - - DisallowPrivileged - - RequireNonRootUser - - DropAllCapabilities - - RestrictHostPathWrite - - RestrictVolumeTypes - matcher: - namespace: neuvector - name: "^neuvector-enforcer-pod.*" - - - policies: - - DisallowPrivileged - - RequireNonRootUser - - DropAllCapabilities - - RestrictHostPathWrite - - RestrictVolumeTypes - matcher: - namespace: neuvector - name: "^neuvector-controller-pod.*" - - - policies: - - DropAllCapabilities - matcher: - namespace: neuvector - name: "^neuvector-prometheus-exporter-pod.*" -``` - ### Example UDS Package CR with SSO Templating By default, UDS generates a secret for the Single Sign-On (SSO) client that encapsulates all client contents as an opaque secret. In this setup, each key within the secret corresponds to its own environment variable or file, based on the method used to mount the secret. If customization of the secret rendering is required, basic templating can be achieved using the `secretTemplate` property. Below are examples showing this functionality. To see how templating works, please see the [Regex website](https://regex101.com/r/e41Dsk/3). 
@@ -164,6 +121,98 @@ spec: bearer_only: clientField(bearerOnly) ``` +### Protecting a UDS Package with Authservice + +To enable authentication for applications that do not have native OIDC configuration, UDS Core can utilize Authservice as an authentication layer. + +Follow these steps to protect your application with Authservice: + +* Set `enableAuthserviceSelector` with a matching label selector in the `sso` configuration of the Package. +* Ensure that the pods of the application are labeled with the corresponding selector + +```yaml +apiVersion: uds.dev/v1alpha1 +kind: Package +metadata: + name: httpbin + namespace: httpbin +spec: + sso: + - name: Demo SSO httpbin + clientId: uds-core-httpbin + redirectUris: + - "https://httpbin.uds.dev/login" + enableAuthserviceSelector: + app: httpbin +``` + +{{% alert-note %}} +The UDS Operator uses the first `redirectUris` to populate the `match.prefix` hostname and `callback_uri` in the authservice chain. +{{% /alert-note %}} + +For a complete example, see [app-authservice-tenant.yaml](https://github.com/defenseunicorns/uds-core/blob/main/src/test/app-authservice-tenant.yaml) + +#### Trusted Certificate Authority + +Authservice can be configured with additional trusted certificate bundle in cases where UDS Core ingress gateways are deployed with private PKI. + +To configure, set [UDS_CA_CERT](https://github.com/defenseunicorns/uds-core/blob/main/packages/standard/zarf.yaml#L11-L13) as an environment variable with a Base64 encoded PEM formatted certificate bundle that can be used to verify the certificates of the tenant gateway. + +Alternatively you can specify the `CA_CERT` variable in your `uds-config.yaml`: + +```yaml +variables: + core: + CA_CERT: +``` + +See [configuring Istio Ingress](https://uds.defenseunicorns.com/core/configuration/istio/ingress/#configure-domain-name-and-tls-for-istio-gateways) for the relevant documentation on configuring ingress certificates. 
+ +## Exemption + +- **Exemption Scope:** + - Granting exemption for custom resources is restricted to the `uds-policy-exemptions` namespace by default, unless specifically configured to allow exemptions across all namespaces. +- **Policy Updates:** + - Updating the policies Pepr store with registered exemptions. + +### Example UDS Exemption CR + +```yaml +apiVersion: uds.dev/v1alpha1 +kind: Exemption +metadata: + name: neuvector + namespace: uds-policy-exemptions +spec: + exemptions: + - policies: + - DisallowHostNamespaces + - DisallowPrivileged + - RequireNonRootUser + - DropAllCapabilities + - RestrictHostPathWrite + - RestrictVolumeTypes + matcher: + namespace: neuvector + name: "^neuvector-enforcer-pod.*" + + - policies: + - DisallowPrivileged + - RequireNonRootUser + - DropAllCapabilities + - RestrictHostPathWrite + - RestrictVolumeTypes + matcher: + namespace: neuvector + name: "^neuvector-controller-pod.*" + + - policies: + - DropAllCapabilities + matcher: + namespace: neuvector + name: "^neuvector-prometheus-exporter-pod.*" +``` + ### Configuring UDS Core Policy Exemptions Default [policy exemptions](https://github.com/defenseunicorns/uds-core/blob/main/src/pepr/operator/crd/generated/exemption-v1alpha1.ts) are confined to a singular namespace: `uds-policy-exemptions`. We find this to be an optimal approach for UDS due to the following reasons: diff --git a/docs/deployment/flavors.md b/docs/deployment/flavors.md new file mode 100644 index 000000000..680a2872e --- /dev/null +++ b/docs/deployment/flavors.md 
@@ -0,0 +1,23 @@ +--- +title: Published Flavors +type: docs +weight: 2 +--- + +UDS Core is published with multiple variations (Zarf flavors). Each flavor uses a separate source registry for the images. Each flavor is used as the suffix on the OCI tags for packages. For production use cases we recommend the `registry1` or `unicorn` flavors as these images tend to be more secure than their `upstream` counterparts. + +{{% alert-note %}} +Demo and dev bundles (`k3d-core-demo` and `k3d-core-slim-dev`) are only published from the upstream flavor. +{{% /alert-note %}} + +### Flavors + +| Flavor | GHCR Location | Image Source | +| --------------------- | ---------------------------------------------- | -------------------------------------------------------------------------------------------------------------------- | +| `registry1` | `ghcr.io/defenseunicorns/packages/uds` | [Ironbank](https://p1.dso.mil/services/iron-bank) - DoD hardened images (only supports amd64 architecture currently) | +| `upstream` | `ghcr.io/defenseunicorns/packages/uds` | Various sources, typically DockerHub/GHCR/Quay, these are the default images used by helm charts | +| **ALPHA** `unicorn` | `ghcr.io/defenseunicorns/packages/private/uds` | Industry best images designed with security and minimalism in mind | + +{{% alert-note %}} +The `unicorn` flavored packages are only available in a private repository. These packages are available for all members of the Defense Unicorns organization/company, if you are outside the organization [contact us](https://www.defenseunicorns.com/contactus) if you are interested in using this flavor for your mission. +{{% /alert-note %}} diff --git a/docs/deployment/uds-deploy.md b/docs/deployment/uds-deploy.md index de7702c98..5d6b4399a 100644 --- a/docs/deployment/uds-deploy.md +++ b/docs/deployment/uds-deploy.md @@ -1,7 +1,7 @@ --- title: Deploy UDS Core type: docs -weight: 2 +weight: 3 --- ## Prerequisites 
diff --git a/docs/development/flavor-specific-dev.md b/docs/development/flavor-specific-dev.md new file mode 100644 index 000000000..8928a949d --- /dev/null +++ b/docs/development/flavor-specific-dev.md 
@@ -0,0 +1,19 @@ +--- +title: Flavor Specific Development Notes +type: docs +weight: 5 +--- + +Specific flavors of UDS Core have access and architecture restrictions when used for development work. The `upstream` flavor is generally recommended for development as it does not have any restrictions or requirements. + +### Registry1 + +The `registry1` flavor uses images from [Ironbank](https://p1.dso.mil/services/iron-bank) which can only be pulled with authentication. Developers can self-register on [P1 SSO](https://login.dso.mil/) and retrieve a pull token for auth from [registry1's Harbor](https://registry1.dso.mil/). (In upper right corner, click --> User Profile, then click the Copy icon next to CLI secret, and use this for `docker login`.) + +Images in `registry1` historically only supported `amd64` architectures. While some images do now support `arm64` architecture, uds-core only supports `amd64` for the `registry1` flavor. If developing on an `arm64` machine you will need to use a virtualization layer or an external dev box. + +### Unicorn + +The `unicorn` flavor uses images primarily from a private Chainguard repository. These images can be pulled by any developers in the Defense Unicorns organization once added to the Chainguard repository. Local authentication should be done with [chainctl](https://edu.chainguard.dev/chainguard/administration/how-to-install-chainctl/), specifically using the [credential helper](https://edu.chainguard.dev/chainguard/administration/how-to-install-chainctl/#configure-a-docker-credential-helper) for a seamless experience. + +Developers outside of the Defense Unicorns organization/company will be unable to pull these images directly and should rely on CI testing for validation of this flavor. [Contact us](https://www.defenseunicorns.com/contactus) if you have a need to pull these images and develop on this flavor in particular. 
diff --git a/docs/development/uds-development-maintenance.md b/docs/development/uds-development-maintenance.md deleted file mode 100644 index d9f62c94f..000000000 --- a/docs/development/uds-development-maintenance.md +++ /dev/null @@ -1,11 +0,0 @@ ---- -title: Development Maintenance -type: docs -weight: 1 ---- - -## UDS Bundle [name] - -### How to upgrade this bundle - -[Description and steps for upgrading this UDS bundle. Include any historic problems to watch out for] diff --git a/package-lock.json b/package-lock.json index c318fba67..60162a983 100644 --- a/package-lock.json +++ b/package-lock.json @@ -6658,7 +6658,6 @@ "resolved": "https://registry.npmjs.org/ts-jest/-/ts-jest-29.2.0.tgz", "integrity": "sha512-eFmkE9MG0+oT6nqSOcUwL+2UUmK2IvhhUV8hFDsCHnc++v2WCCbQQZh5vvjsa8sgOY/g9T0325hmkEmi6rninA==", "dev": true, - "license": "MIT", "dependencies": { "bs-logger": "0.x", "fast-json-stable-stringify": "2.x", diff --git a/package.json b/package.json index 5b8ed29f5..1b7e6beaf 100644 --- a/package.json +++ b/package.json @@ -26,6 +26,7 @@ }, "env": { "UDS_DOMAIN": "###ZARF_VAR_DOMAIN###", + "UDS_CA_CERT": "###ZARF_VAR_CA_CERT###", "UDS_ALLOW_ALL_NS_EXEMPTIONS": "###ZARF_VAR_ALLOW_ALL_NS_EXEMPTIONS###", "UDS_SINGLE_TEST": "###ZARF_VAR_UDS_SINGLE_TEST###", "UDS_LOG_LEVEL": "###ZARF_VAR_UDS_LOG_LEVEL###" diff --git a/packages/slim-dev/zarf.yaml b/packages/slim-dev/zarf.yaml index 4bcc32b61..cd9485ad1 100644 --- a/packages/slim-dev/zarf.yaml +++ b/packages/slim-dev/zarf.yaml @@ -4,9 +4,14 @@ metadata: description: "UDS Core (Istio, UDS Operator and Keycloak)" authors: "Defense Unicorns - Product" # x-release-please-start-version - version: "0.23.4" + version: "0.24.0" # x-release-please-end +variables: + - name: CA_CERT + description: "Base64 encoded CA cert that signed the domain wildcard certs used for Istio ingress" + default: "" + components: # CRDs - name: prometheus-operator-crds 
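Review bot: The new `CA_CERT` variable's description ("Base64 encoded CA cert that signed the domain wildcard certs") does not match the operator docs added in this same commit, which describe the value as a base64-encoded PEM formatted certificate *bundle*; a user following the zarf.yaml text may supply only a leaf-signing intermediate and miss the chain. If a multi-cert bundle is indeed accepted, align the wording, e.g. `description: "Base64 encoded PEM bundle of the CA cert(s) that signed the domain wildcard certs used for Istio ingress"`. The same variable block appears in the packages/standard/zarf.yaml hunk below and should be changed together. Since `default: ""` silently disables the extra trust, it is also worth stating in the description that an empty value means "no additional CAs".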
@@ -31,7 +36,7 @@ components: path: ../../src/istio - name: istio-passthrough-gateway - required: true + required: false import: path: ../../src/istio diff --git a/packages/standard/zarf.yaml b/packages/standard/zarf.yaml index 9fbccad67..d7c0c71ad 100644 --- a/packages/standard/zarf.yaml +++ b/packages/standard/zarf.yaml @@ -4,9 +4,14 @@ metadata: description: "UDS Core" authors: "Defense Unicorns - Product" # x-release-please-start-version - version: "0.23.4" + version: "0.24.0" # x-release-please-end +variables: + - name: CA_CERT + description: "Base64 encoded CA cert that signed the domain wildcard certs used for Istio ingress" + default: "" + components: # CRDs - name: prometheus-operator-crds @@ -31,7 +36,7 @@ components: path: ../../src/istio - name: istio-passthrough-gateway - required: true + required: false import: path: ../../src/istio diff --git a/pepr.ts b/pepr.ts index 98c06ecef..885b09d3d 100644 --- a/pepr.ts +++ b/pepr.ts @@ -1,20 +1,25 @@ -import { Log, PeprModule } from "pepr"; +import { PeprModule } from "pepr"; import cfg from "./package.json"; import { DataStore } from "pepr/dist/lib/storage"; import { istio } from "./src/pepr/istio"; +import { Component, setupLogger } from "./src/pepr/logger"; import { operator } from "./src/pepr/operator"; +import { setupAuthserviceSecret } from "./src/pepr/operator/controllers/keycloak/authservice/config"; import { Policy } from "./src/pepr/operator/crd"; import { registerCRDs } from "./src/pepr/operator/crd/register"; import { policies, startExemptionWatch } from "./src/pepr/policies"; import { prometheus } from "./src/pepr/prometheus"; +const log = setupLogger(Component.STARTUP); + (async () => { // Apply the CRDs to the cluster await registerCRDs(); // KFC watch for exemptions and update in-memory map await startExemptionWatch(); + await setupAuthserviceSecret(); new PeprModule(cfg, [ // UDS Core Operator operator, 
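Review bot: Flipping `istio-passthrough-gateway` to `required: false` changes the default deployed surface: a bundle that does not list the component under `optionalComponents` will, on upgrade to 0.24.0, no longer deploy the passthrough gateway, which is an availability change for anything routed through it rather than a no-op version bump. The ingress docs earlier in this commit do explain the opt-in, but nothing in the package itself warns an upgrader; I would add a comment above the component, `# Opt-in since 0.24.0: list this component under optionalComponents in your bundle to deploy it`, and call it out as a breaking change in the release notes. The same change is made in the packages/standard/zarf.yaml hunk on this line and should carry the same comment.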
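Review bot: The added `await setupAuthserviceSecret();` is the only startup step in this block without an explanatory comment, while the two preceding awaits each carry one ("Apply the CRDs to the cluster", "KFC watch for exemptions..."); the import path tells a reader it touches a secret but not what it creates or whether re-running it on every controller pod start is safe. Add a one-line comment in the same style, for example `// Ensure the authservice config secret exists before the operator starts (idempotent on restart)`, adjusted to what the function actually guarantees. If it is not idempotent, or must run in only one replica, that is the more important thing to state here, since a failure lands in the `.catch` below and exits the process.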
@@ -33,19 +38,19 @@ import { prometheus } from "./src/pepr/prometheus";
process.env.PEPR_MODE === "dev" ||
(process.env.PEPR_WATCH_MODE === "true" && cfg.version === "0.5.0")
) {
- Log.debug("Clearing legacy pepr store exemption entries...");
+ log.debug("Clearing legacy pepr store exemption entries...");
policies.Store.onReady((data: DataStore) => {
const policiesList = Object.values(Policy);
for (const p of Object.keys(data)) {
// if p matches a Policy key, remove it
if (policiesList.includes(p as Policy)) {
- Log.debug(`Removing legacy storage of ${p} policy exemptions...`);
+ log.debug(`Removing legacy storage of ${p} policy exemptions...`);
policies.Store.removeItem(p);
}
}
});
}
})().catch(err => {
- Log.error(err);
+ log.error(err, "Critical error during startup. Exiting...");
process.exit(1);
});
diff --git a/renovate.json b/renovate.json
index 93c227637..80ac376bc 100644
--- a/renovate.json
+++ b/renovate.json
@@ -46,6 +46,11 @@
}
],
"packageRules": [
+ {
+ "matchFileNames": ["src/authservice/**"],
+ "groupName": "authservice",
+ "commitMessageTopic": "authservice"
+ },
{
"matchFileNames": ["src/istio/**"],
"groupName": "istio",
diff --git a/src/authservice/README.md b/src/authservice/README.md
new file mode 100644
index 000000000..8f3c5459b
--- /dev/null
+++ b/src/authservice/README.md
@@ -0,0 +1,7 @@ +## Authservice +`authservice` helps delegate the [OIDC Authorization Code Grant Flow](https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth) +to the Istio mesh. `authservice` is compatible with any standard OIDC Provider as well as other Istio End-user Auth features, +including [Authentication Policy](https://istio.io/docs/tasks/security/authn-policy/) and [RBAC](https://istio.io/docs/tasks/security/rbac-groups/). +Together, they allow developers to protect their APIs and web apps without any application code required. + +See [IDAM.md](../../docs/IDAM.md) for guidance on using the [UDS Package](../pepr/operator/README.md) custom resource to generate Authservice chains. diff --git a/src/authservice/chart/Chart.yaml b/src/authservice/chart/Chart.yaml index b66be7037..93ca95965 100644 --- a/src/authservice/chart/Chart.yaml +++ b/src/authservice/chart/Chart.yaml @@ -15,9 +15,9 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.5.3 +version: 1.0.1 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to # follow Semantic Versioning. They should reflect the version the application is using. -appVersion: 0.5.3 +appVersion: 1.0.1 diff --git a/src/authservice/chart/templates/authn.yaml b/src/authservice/chart/templates/authn.yaml deleted file mode 100644 index 1c16c105c..000000000 --- a/src/authservice/chart/templates/authn.yaml +++ /dev/null 
@@ -1,20 +0,0 @@ -# Authservice is non-functional without Istio/RequestAuthentication but we wrap this in a conditional to handle standalone testing -{{- if .Capabilities.APIVersions.Has "security.istio.io/v1beta1" }} -apiVersion: security.istio.io/v1beta1 -kind: RequestAuthentication -metadata: - name: jwt-authn - namespace: istio-system -spec: - selector: - matchLabels: - {{ .Values.selector.key }}: {{ .Values.selector.value | quote }} - jwtRules: - - issuer: https://{{ .Values.global.oidc.host }}/auth/realms/{{ .Values.global.oidc.realm }} - {{- if .Values.global.jwks }} - jwks: {{ .Values.global.jwks | quote }} - {{- else }} - jwksUri: https://{{ .Values.global.oidc.host }}/auth/realms/{{ .Values.global.oidc.realm }}/protocol/openid-connect/certs - {{- end }} - forwardOriginalToken: true -{{- end }} diff --git a/src/authservice/chart/templates/authz.yaml b/src/authservice/chart/templates/authz.yaml deleted file mode 100644 index c428885f2..000000000 --- a/src/authservice/chart/templates/authz.yaml +++ /dev/null 
@@ -1,41 +0,0 @@ -# Authservice is non-functional without Istio/AuthorizationPolicy but we wrap this in a conditional to handle standalone testing -{{- if .Capabilities.APIVersions.Has "security.istio.io/v1beta1" }} -apiVersion: security.istio.io/v1beta1 -kind: AuthorizationPolicy -metadata: - name: authservice - namespace: istio-system -spec: - selector: - matchLabels: - {{ .Values.selector.key }}: {{ .Values.selector.value | quote }} - action: CUSTOM - provider: - name: authservice - rules: - {{- if .Values.allow_unmatched_requests }} - - {} - {{- else if .Values.custom_authpolicy_rules }} -{{ .Values.custom_authpolicy_rules | toYaml | indent 2 }} - {{- else }} - - to: - - operation: - hosts: - - "*.{{ .Values.domain }}" - {{- end }} ---- -apiVersion: security.istio.io/v1beta1 -kind: AuthorizationPolicy -metadata: - name: jwt-authz - namespace: istio-system -spec: - selector: - matchLabels: - {{ .Values.selector.key }}: {{ .Values.selector.value | quote }} - rules: - - from: - - source: - requestPrincipals: - - "https://{{ .Values.global.oidc.host }}/auth/realms/{{ .Values.global.oidc.realm }}/*" -{{- end }} diff --git a/src/authservice/chart/templates/deployment.yaml b/src/authservice/chart/templates/deployment.yaml index 2729985d8..4dd4295f8 100644 --- a/src/authservice/chart/templates/deployment.yaml +++ b/src/authservice/chart/templates/deployment.yaml @@ -15,10 +15,11 @@ spec: template: metadata: annotations: - checksum/config: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }} - {{- with .Values.podAnnotations }} + # Pre-create an empty checksum to ensure pod cycles when first update occurs + pepr.dev/checksum: "initialized" + {{- with .Values.podAnnotations }} {{- toYaml . | nindent 8 }} - {{- end }} + {{- end }} labels: {{- include "authservice.selectorLabels" . | nindent 8 }} spec: 
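Review bot: Replacing the rendered `checksum/config` with the literal `pepr.dev/checksum: "initialized"` means the pod template no longer changes when the config changes from Helm's point of view, and every `helm upgrade` re-renders the literal, resetting whatever value was written to it since the last release. If, as the annotation prefix suggests, the operator updates this annotation with the real config checksum to trigger rollouts, each chart upgrade will force an extra restart and briefly race with that update; if the chart is installed without the operator, pods will never cycle on config change at all. The comment should name the owner and this trade-off, e.g. `# Placeholder only: the UDS operator (pepr) overwrites this with the config secret checksum to trigger rollouts; a helm upgrade resets it`. This also makes the `{{- with .Values.podAnnotations }}` re-indent on the following lines easier to follow, since it is now purely cosmetic.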
@@ -30,11 +31,6 @@ spec: {{- toYaml .Values.securityContext | nindent 12 }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" imagePullPolicy: {{ .Values.image.pullPolicy }} - {{- if .Values.global.certificate_authority }} - env: - - name: SSL_CERT_FILE - value: /mnt/ca-bundle/ca-bundle.crt - {{- end}} ports: - name: http containerPort: 10003 @@ -50,29 +46,6 @@ spec: volumeMounts: - name: {{ include "authservice.name" . }} mountPath: /etc/authservice - {{- if .Values.global.certificate_authority }} - - name: ca-bundle - mountPath: /mnt/ca-bundle - {{- end }} - {{- if .Values.global.certificate_authority }} - initContainers: - - name: update-ca-bundle - image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" - securityContext: - {{- toYaml .Values.securityContext | nindent 12 }} - command: - - sh - - -c - - | - cat /etc/pki/tls/certs/* > /mnt/ca-bundle/ca-bundle.crt - volumeMounts: - - name: sso-tls-ca - mountPath: /etc/pki/tls/certs/oidc-ca.crt - subPath: oidc-ca.crt - readOnly: true - - name: ca-bundle - mountPath: /mnt/ca-bundle - {{- end }} {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} @@ -88,12 +61,4 @@ spec: volumes: - name: {{ include "authservice.name" . }} secret: - secretName: {{ include "authservice.fullname" . }} - {{- if .Values.global.certificate_authority }} - - name: sso-tls-ca - secret: - secretName: {{ include "authservice.fullname" . }}-sso-tls-ca - - name: ca-bundle - emptyDir: - sizeLimit: 5Mi - {{- end}} + secretName: {{ include "authservice.fullname" . }}-uds diff --git a/src/authservice/chart/templates/secret-ca.yaml b/src/authservice/chart/templates/secret-ca.yaml deleted file mode 100644 index c62a57470..000000000 --- a/src/authservice/chart/templates/secret-ca.yaml +++ /dev/null 
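Review bot: In the last hunk the volume now points at `secretName: {{ include "authservice.fullname" . }}-uds`, a secret this chart no longer renders (secret.yaml and secret-ca.yaml are deleted in this commit), so the chart is no longer self-contained: without the operator the pod sits in ContainerCreating on a missing secret mount, and nothing in the template says where the secret comes from. A comment above the volume would save the next maintainer a hunt, e.g. `# Created and kept in sync by the UDS operator (pepr); this chart intentionally does not render it`. Relatedly, the second and third hunks drop the `SSL_CERT_FILE`/`ca-bundle` path, so trust in the OIDC provider's certificate now rests entirely on whatever `trusted_certificate_authority` the operator writes into that secret; the README in this commit should say so, since the old `global.certificate_authority` value no longer has any effect and a stale values file would silently lose the private-PKI trust.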
@@ -1,11 +0,0 @@ -{{- if .Values.global.certificate_authority }} -apiVersion: v1 -kind: Secret -metadata: - name: {{ include "authservice.fullname" . }}-sso-tls-ca - namespace: {{ .Release.Namespace }} - labels: - {{- include "authservice.labels" . | nindent 4 }} -stringData: - oidc-ca.crt: {{ .Values.global.certificate_authority | quote }} -{{- end }} \ No newline at end of file diff --git a/src/authservice/chart/templates/secret.yaml b/src/authservice/chart/templates/secret.yaml deleted file mode 100644 index 8df1a07bb..000000000 --- a/src/authservice/chart/templates/secret.yaml +++ /dev/null 
@@ -1,139 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: {{ include "authservice.fullname" . }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "authservice.labels" . | nindent 4 }} -stringData: - config.json: | - { - "allow_unmatched_requests": {{ .Values.allow_unmatched_requests }}, - "listen_address": "0.0.0.0", - "listen_port": "10003", - {{- if .Values.trigger_rules }} - "trigger_rules": {{ toJson .Values.trigger_rules }}, - {{- end }} - "log_level": "{{ .Values.config.logLevel }}", - "default_oidc_config": { - "skip_verify_peer_cert": {{ $.Values.global.skip_verify_peer_cert }}, - "authorization_uri": "https://{{ $.Values.global.oidc.host }}/auth/realms/{{ $.Values.global.oidc.realm }}/protocol/openid-connect/auth", - "token_uri": "https://{{ $.Values.global.oidc.host }}/auth/realms/{{ $.Values.global.oidc.realm }}/protocol/openid-connect/token", - {{- if $.Values.global.jwks }} - "jwks": {{ $.Values.global.jwks | quote }}, - {{- else }} - "jwks_fetcher": { - "jwks_uri": "https://{{ $.Values.global.oidc.host }}/auth/realms/{{ $.Values.global.oidc.realm }}/protocol/openid-connect/certs", - "periodic_fetch_interval_sec": {{ $.Values.global.periodic_fetch_interval_sec }}, - "skip_verify_peer_cert": "{{ $.Values.global.skip_verify_peer_cert }}" - }, - {{- end }} - "client_id": "{{ $.Values.global.client_id }}", - "client_secret": "{{ $.Values.global.client_secret }}", - "id_token": { - "preamble": "Bearer", - "header": "Authorization" - }, - "access_token": { - "header": "JWT" - }, - {{- if contains "\\n" $.Values.global.certificate_authority }} - "trusted_certificate_authority": "{{ $.Values.global.certificate_authority }}", - {{- else }} - "trusted_certificate_authority": {{ $.Values.global.certificate_authority | quote }}, - {{- end }} - "logout": { - "path": "{{ $.Values.global.logout_path }}"{{ if $.Values.global.logout_redirect_uri }}, - "redirect_uri": "{{ $.Values.global.logout_redirect_uri }}" - {{- else if $.Values.global.oidc 
}}, - "redirect_uri": "https://{{ $.Values.global.oidc.host }}/auth/realms/{{ $.Values.global.oidc.realm}}/protocol/openid-connect/token/logout" - {{- end }} - }, - "absolute_session_timeout": "{{ $.Values.global.absolute_session_timeout }}", - "idle_session_timeout": "{{ $.Values.global.idle_session_timeout }}", - "scopes": [] - }, - "threads": 8, - "chains": [ - {{- range $k, $v := $.Values.chains }}{{ if ne $k ( first (keys $.Values.chains | sortAlpha) ) }},{{ end }} - { - "name": "{{ $k }}", - "match": { - {{- if .match }} - "header": "{{ .match.header | default $.Values.global.match.header }}", - {{- if .match.prefix }} - "prefix": "{{ tpl .match.prefix $ }}" - {{- else if .match.equality }} - "equality": "{{ .match.equality }}" - {{- else }} - "prefix": "{{ $.Values.global.match.prefix }}" - {{- end }} - {{- else }} - "header": "{{ $.Values.global.match.header }}", - "prefix": "{{ $.Values.global.match.prefix }}" - {{- end }} - }, - "filters": [ - { - "oidc_override": { - "authorization_uri": "https://{{ (dig "oidc" "host" $.Values.global.oidc.host .) }}/auth/realms/{{ (dig "oidc" "realm" $.Values.global.oidc.realm .) }}/protocol/openid-connect/auth", - "token_uri": "https://{{ (dig "oidc" "host" $.Values.global.oidc.host .) }}/auth/realms/{{ (dig "oidc" "realm" $.Values.global.oidc.realm .) 
}}/protocol/openid-connect/token", - {{- if or .redis_server_uri $.Values.global.redis_server_uri }} - "redis_session_store_config": { - "server_uri": {{ .redis_server_uri | default $.Values.global.redis_server_uri | quote }} - }, - {{- end }} - {{- if .callback_uri }} - "callback_uri": "{{ tpl .callback_uri $ | default $.Values.callback_uri }}", - {{- else }} - {{- fail "ERROR: Missing required field 'callback_uri' in one of the config chains" }} - {{ end }} - {{- if .jwks }} - "jwks": {{ .jwks | quote }}, - {{- else if .jwks_uri }} - "jwks_fetcher": { - "jwks_uri": {{ .jwks_uri | quote }}, - "periodic_fetch_interval_sec": {{ .periodic_fetch_interval_sec | default 60}}, - "skip_verify_peer_cert": {{ .skip_verify_peer_cert | default $.Values.global.skip_verify_peer_cert }} - }, - {{- end }} - {{- if .client_id }} - "client_id": "{{ .client_id }}", - {{- end }} - {{- if .client_secret }} - "client_secret": "{{ .client_secret }}", - {{- end }} - "cookie_name_prefix": "{{ default $k .cookie_name_prefix }}", - {{- if .certificate_authority }} - {{- if contains "\\n" .certificate_authority }} - "trusted_certificate_authority": "{{ .certificate_authority }}", - {{- else }} - "trusted_certificate_authority": {{ .certificate_authority | quote }}, - {{- end }} - {{- end }} - "logout": { - {{- if .logout_path }} - "path": "{{ .logout_path | default $.Values.global.logout_path }}", - {{- end }} - {{- if .logout_redirect_uri }} - "redirect_uri": "{{ .logout_redirect_uri | default $.Values.global.logout_redirect_uri }}" - {{- else if .oidc }} - "redirect_uri": "https://{{ .oidc.host | default $.Values.global.oidc.host }}/auth/realms/{{ .oidc.realm | default $.Values.global.oidc.realm}}/protocol/openid-connect/token/logout" - {{- else }} - "redirect_uri": "https://{{ $.Values.global.oidc.host }}/auth/realms/{{ $.Values.global.oidc.realm }}/protocol/openid-connect/token/logout" - {{- end}} - }, - {{- if .absolute_session_timeout }} - "absolute_session_timeout": "{{ 
.absolute_session_timeout }}", - {{- end }} - {{- if .idle_session_timeout }} - "idle_session_timeout": "{{ .idle_session_timeout }}", - {{- end }} - "scopes": {{ default list .scopes | toJson }} - } - } - ] - } - {{- end }} - ] - } diff --git a/src/authservice/chart/templates/uds-package.yaml b/src/authservice/chart/templates/uds-package.yaml index 3884987bb..ac12b65bd 100644 --- a/src/authservice/chart/templates/uds-package.yaml +++ b/src/authservice/chart/templates/uds-package.yaml @@ -22,7 +22,5 @@ spec: podLabels: app.kubernetes.io/name: authservice remoteNamespace: "" # Any namespace could have a protected app - remotePodLabels: - {{ .Values.selector.key }}: {{ .Values.selector.value }} port: 10003 description: "Protected Apps" diff --git a/src/authservice/chart/values.yaml b/src/authservice/chart/values.yaml index c1cd139c3..b28496153 100644 --- a/src/authservice/chart/values.yaml +++ b/src/authservice/chart/values.yaml 
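Review bot: Dropping `remotePodLabels` from the `Protected Apps` allow rule opens ingress to authservice port 10003 from every pod in every namespace, since `remoteNamespace: ""` is kept and no pod selector remains. If that is deliberate because protected workloads are now chosen dynamically by the operator instead of by the static `selector.key`/`selector.value` pair (which this commit also removes from `values.yaml`), the rule should say so, e.g. extend the existing comment to `remoteNamespace: "" # Any namespace could have a protected app; no pod selector because the operator binds clients dynamically`. Otherwise a narrower selector is preferable, as this port receives the ext_authz check traffic for every protected app.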
@@ -7,91 +7,6 @@ image: # -- Overrides the image tag whose default is the chart appVersion. tag: "" -# -- If true will allow the requests even no filter chain match is found -allow_unmatched_requests: false - -# -- Extra Ruleset for AuthorizationPolicy CUSTOM action to forward to Authservice. -# To enable `allow_unmatched_requests` must be `false`. These custom rules mean that only these requests -# will be routed and will break default UDS Core setup for `prometheus/alertmanager/tempo` unless added. -# Path specific Operations are not supported, it is recommended to use only hosts, notHosts, & method operations. -# See reference: https://istio.io/latest/docs/reference/config/security/authorization-policy/ -custom_authpolicy_rules: - - when: - - key: request.headers[authorization] - notValues: - - "*" - -global: - # -- Default client_id to be used in each chain - client_id: "global_id" - # -- Default client_secret to be used in each chain - client_secret: "global_secret" - match: - # -- Header to match. The value ":authority" is used to match the requested hostname - header: ":authority" - # -- value matches the start of the header value defined above - prefix: "uds" - # -- Logout URL for the client - logout_path: "/globallogout" - # -- Logout Redirect URI for the client - logout_redirect_uri: "" - absolute_session_timeout: 0 - idle_session_timeout: 0 - # -- CA that signed the OIDC provider cert. Passed through as a Helm multi-line string. - certificate_authority: "" - - # -- URI for Redis instance used for OIDC token storage/retrieval. This may also be specified per-chain, example: tcp://redis:6379/ - redis_server_uri: "" - - oidc: - # -- OpenID Connect hostname. Assumption of Keycloak based on URL construction - host: login.uds.dev - # -- Realm for OpenID Connect - realm: doug - - # -- JWKS, a default jwks_uri is computed if not specified. Must be formatted as an escaped JSON string. - jwks: "" - - # -- Request interval to check whether new JWKs are available. 
- periodic_fetch_interval_sec: 60 - - # -- If set to true, the verification of the destination certificate will be skipped when making a request to the JWKs URI and the token endpoint. This option is useful when you want to use a self-signed certificate for testing purposes, but basically should not be set to true in any other cases. - skip_verify_peer_cert: false - -# -- Individual chains. Must have a `name` value and a `callback_uri`, full example of all fields provided below. -# NOTE: if using "match" can only specify `prefix` OR `equality`, not both -chains: - # Default Filter to prevent errors on launch - local: - match: - header: ":local" - prefix: "localhost" - client_id: local_id - client_secret: local_secret - callback_uri: https://localhost/login - logout_path: "/local" - # example_chain: - # match: - # header: ":authority" - # prefix: "localhost" - # equality: "localhost.localdomain" - # client_id: my_uds_app - # client_secret: secret_value - # callback_uri: https://myapp.uds.dev/login - # cookie_name_prefix: differentThanFull # Override the cookie name prefix in case you need it to be something else (ex. two apps share the same cookie) - # logout: - # path: "/logout" - # absolute_session_timeout: timeout_value - # idle_session_timeout: timeout_value - # jwks_uri: https://myapp.uds.dev/jwks # Override if this client is on a different realm - # oidc: - # host: local_oidc_host - # realm: local_oidc_realm - # periodic_fetch_interval_sec: 60 - # scopes: - # - additionalScope1 - # - additionalScope2 - nameOverride: "authservice" podAnnotations: {} 
@@ -113,21 +28,3 @@ nodeSelector: {} tolerations: [] affinity: {} - -# -- Log level for the deployment -config: - logLevel: trace - -# -- Label to determine what workloads (pods/deployments) should be protected by authservice. -selector: - key: protect - value: keycloak - -# -- Values to bypass OIDC chains in favor or using istio authorizationpolicies.security.istio.io -# and requestauthentications.security.istio.io for certain endpoints. -trigger_rules: [] -# - excluded_paths: -# - exact: /api/healthcheck -# included_paths: -# - prefix: / -# See reference: https://github.com/istio-ecosystem/authservice/blob/master/docs/README.md diff --git a/src/authservice/common/zarf.yaml b/src/authservice/common/zarf.yaml index 6e728fe16..aa7cefa85 100644 --- a/src/authservice/common/zarf.yaml +++ b/src/authservice/common/zarf.yaml @@ -10,7 +10,7 @@ components: charts: - name: authservice localPath: ../chart - version: 0.5.3 + version: 1.0.1 namespace: authservice actions: onDeploy: diff --git a/src/authservice/values/registry1-values.yaml b/src/authservice/values/registry1-values.yaml index 97fb34ca0..ba6e8f324 100644 --- a/src/authservice/values/registry1-values.yaml +++ b/src/authservice/values/registry1-values.yaml @@ -1,3 +1,3 @@ image: repository: registry1.dso.mil/ironbank/istio-ecosystem/authservice - tag: "0.5.3" + tag: "1.0.1-ubi9" diff --git a/src/authservice/values/upstream-values.yaml b/src/authservice/values/upstream-values.yaml index 1c01b5b26..f4167f3c7 100644 --- a/src/authservice/values/upstream-values.yaml +++ b/src/authservice/values/upstream-values.yaml @@ -1,3 +1,3 @@ image: repository: ghcr.io/istio-ecosystem/authservice/authservice - tag: "0.5.3" + tag: "1.0.1" diff --git a/src/authservice/zarf.yaml b/src/authservice/zarf.yaml index 72f6d0378..3856fbf17 100644 --- a/src/authservice/zarf.yaml +++ b/src/authservice/zarf.yaml 
@@ -16,7 +16,7 @@ components: valuesFiles: - values/upstream-values.yaml images: - - ghcr.io/istio-ecosystem/authservice/authservice:0.5.3 + - ghcr.io/istio-ecosystem/authservice/authservice:1.0.1 - name: authservice required: true @@ -29,7 +29,7 @@ components: valuesFiles: - values/registry1-values.yaml images: - - registry1.dso.mil/ironbank/istio-ecosystem/authservice:0.5.3 + - registry1.dso.mil/ironbank/istio-ecosystem/authservice:1.0.1-ubi9 - name: authservice required: true diff --git a/src/grafana/values/values.yaml b/src/grafana/values/values.yaml index 0951b1b15..450d68776 100644 --- a/src/grafana/values/values.yaml +++ b/src/grafana/values/values.yaml @@ -32,6 +32,7 @@ grafana.ini: name: UDS Identity Service auth_url: https://sso.###ZARF_VAR_DOMAIN###/realms/uds/protocol/openid-connect/auth token_url: http://keycloak-http.keycloak.svc.cluster.local:8080/realms/uds/protocol/openid-connect/token + signout_redirect_url: https://sso.###ZARF_VAR_DOMAIN###/realms/uds/protocol/openid-connect/logout?post_logout_redirect_uri=https%3A%2F%2Fgrafana.admin.###ZARF_VAR_DOMAIN###%2Flogin%2Fgeneric_oauth allow_sign_up: true # Require a UDS Core group to access Grafana role_attribute_path: "contains(groups[], '/UDS Core/Admin') && 'Admin' || contains(groups[], '/UDS Core/Auditor') && 'Viewer' || 'Unauthorized'" diff --git a/src/istio/values/values.yaml b/src/istio/values/values.yaml index c7b28d2f4..4b5412489 100644 --- a/src/istio/values/values.yaml +++ b/src/istio/values/values.yaml @@ -6,3 +6,12 @@ meshConfig: holdApplicationUntilProxyStarts: true gatewayTopology: forwardClientCertDetails: SANITIZE + extensionProviders: + - name: "authservice" + envoyExtAuthzGrpc: + service: "authservice.authservice.svc.cluster.local" + port: "10003" + +pilot: + env: + PILOT_JWT_ENABLE_REMOTE_JWKS: hybrid diff --git a/src/istio/zarf.yaml b/src/istio/zarf.yaml index b449101c2..d48eeee91 100644 --- a/src/istio/zarf.yaml +++ b/src/istio/zarf.yaml 
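Review bot: The new `signout_redirect_url` hard-codes `post_logout_redirect_uri` to `https://grafana.admin.<domain>/login/generic_oauth`; Keycloak only honours that parameter when the URI is registered on the client's valid post-logout redirect URIs, so the Grafana client definition needs a matching entry or logout will stop on a Keycloak error page. A comment above the line would make the coupling visible, e.g. `# Must match a valid post logout redirect URI on the grafana Keycloak client`.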
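Review bot: `port: "10003"` in the new `envoyExtAuthzGrpc` provider is a quoted string where the rest of this diff writes the same port as the bare integer `10003` (`containerPort: 10003`, `port: 10003` in `uds-package.yaml`); Istio's loader should accept a numeric string here, but `port: 10003` avoids the inconsistency. `PILOT_JWT_ENABLE_REMOTE_JWKS: hybrid` decides whether istiod or the sidecar fetches JWKS, and it appears to be what makes the cluster-local `http://keycloak-http…/certs` `jwksUri` in the new `authorization-policy.ts` resolvable from inside the mesh (if I read the hybrid semantics correctly: Envoy fetches when `jwksUri` is set explicitly, istiod otherwise). A comment recording that dependency would stop someone removing the setting as unused, e.g. `# hybrid: sidecars fetch JWKS for RequestAuthentications with an explicit jwksUri (needed for the in-cluster keycloak URL)`.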
@@ -83,7 +83,7 @@ components: - "values/config-tenant.yaml" - name: istio-passthrough-gateway - required: true + required: false charts: - name: gateway url: https://istio-release.storage.googleapis.com/charts diff --git a/src/keycloak/chart/README.md b/src/keycloak/chart/README.md index c191822f6..607c07df5 100644 --- a/src/keycloak/chart/README.md +++ b/src/keycloak/chart/README.md @@ -10,7 +10,11 @@ For more information on Keycloak and its capabilities, see its [documentation](h ### Dev Mode -When `devMode: true` is set, the chart will deploy a single Keycloak Pod with an in-memory database and scaling turned off. Devmode also leverages PVCs by default for `data` and `themes`. +When `devMode: true` is set, the chart will deploy a single Keycloak Pod with an in-memory database and scaling turned off. Dev Mode also leverages PVCs by default for `data` and `themes`. + +Using an external database with Dev Mode enabled is not supported. + +Dev Mode enables debug logging for Keycloak. To configure debug logging outside of Dev Mode, set `debugMode: true` in your values. ### Autoscaling diff --git a/src/keycloak/chart/templates/_helpers.tpl b/src/keycloak/chart/templates/_helpers.tpl index bcb7a920a..bb0825a07 100644 --- a/src/keycloak/chart/templates/_helpers.tpl +++ b/src/keycloak/chart/templates/_helpers.tpl 
@@ -74,3 +74,24 @@ Create the service DNS name. {{- define "keycloak.serviceDnsName" -}} {{ include "keycloak.fullname" . }}-headless.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }} {{- end }} + +{{/* +Check external PostgreSQL connection information. Fails when required values are missing or if PostgreSQL is configured when devMode is enabled. +*/}} + +{{- define "keycloak.postgresql.config" -}} +{{- if not .Values.devMode -}} +{{- if .Values.postgresql -}} +{{ $requiredKeys := list "username" "password" "database" "host" "port" }} +{{- range $k := $requiredKeys -}} +{{ if empty (get $.Values.postgresql $k) }}{{- fail (printf "Missing value for \"postgresql.%s\"." $k ) -}}{{- end }} +{{- end }} +{{- else -}}{{fail "You must define \"username\", \"password\", \"database\", \"host\", and \"port\" for \"postgresql\"."}} +{{- end -}} +{{- default "true" "" }} +{{- else if not (empty (compact (values (omit .Values.postgresql "port")))) -}} +{{ fail "Cannot use an external PostgreSQL Database when devMode is enabled." -}} +{{- else -}} +{{ default "false" "" }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/src/keycloak/chart/templates/istio-admin.yaml b/src/keycloak/chart/templates/istio-admin.yaml index 8055ac0cb..684f63b00 100644 --- a/src/keycloak/chart/templates/istio-admin.yaml +++ b/src/keycloak/chart/templates/istio-admin.yaml @@ -37,4 +37,12 @@ spec: from: - source: notNamespaces: ["pepr-system"] + - when: + - key: request.headers[istio-mtls-client-certificate] + values: ["*"] + from: + - source: + notNamespaces: + - istio-tenant-gateway + - istio-admin-gateway {{- end }} diff --git a/src/keycloak/chart/templates/secret-postgresql.yaml b/src/keycloak/chart/templates/secret-postgresql.yaml index e0af8d089..aef32a4d9 100644 --- a/src/keycloak/chart/templates/secret-postgresql.yaml +++ b/src/keycloak/chart/templates/secret-postgresql.yaml 
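Review bot: `{{- default "true" "" }}` and `{{ default "false" "" }}` are an indirect way to emit the helper's two results; `{{- "true" -}}` and `{{- "false" -}}` read as the literals they are and make the whitespace handling explicit, which matters because every caller does `eq (include "keycloak.postgresql.config" .) "true"` and a single leaked newline turns that check false with no error. The `{{ $requiredKeys := … }}`, `{{ if empty … }}` and `{{ fail … -}}` actions lack left-trim and currently rely on the neighbouring `-}}` markers to keep the output clean; adding `{{-` to them removes that dependency. The header comment could also state the return contract, e.g. append `Returns the string "true" when the external database should be configured and "false" otherwise.` The file loses its trailing newline in this hunk.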
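Review bot: The new rule rejects requests carrying an `istio-mtls-client-certificate` header unless they originate in `istio-tenant-gateway` or `istio-admin-gateway` (the policy's `action` is above the hunk, so I am inferring a deny from the surrounding `notNamespaces` rules), which keeps an in-mesh client from forging the header that the x509 lookup SPI configured in `statefulset.yaml` trusts. That intent is not obvious from the YAML; add a comment above the rule, e.g. `# Only the gateways may set the client-cert header; reject it from any other source so it cannot be spoofed`. The two namespaces are hard-coded, so if the gateway namespaces ever become configurable this rule needs a matching value.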
@@ -1,4 +1,4 @@ -{{- if not .Values.devMode }} +{{- if eq (include "keycloak.postgresql.config" .) "true" }} apiVersion: v1 kind: Secret metadata: @@ -13,4 +13,4 @@ data: password: {{ .Values.postgresql.password | b64enc }} host: {{ .Values.postgresql.host | b64enc }} port: {{ .Values.postgresql.port | toString | b64enc }} -{{- end }} +{{- end }} \ No newline at end of file diff --git a/src/keycloak/chart/templates/statefulset.yaml b/src/keycloak/chart/templates/statefulset.yaml index 1938fa041..0041a8d99 100644 --- a/src/keycloak/chart/templates/statefulset.yaml +++ b/src/keycloak/chart/templates/statefulset.yaml @@ -113,15 +113,16 @@ spec: # Dumb value (not used in the nginx provider, but required by the SPI) - name: KC_SPI_X509CERT_LOOKUP_NGINX_SSL_CLIENT_CERT_CHAIN_PREFIX value: UNUSED - {{- if .Values.devMode }} - # Enable dubug logs in dev mode + {{- if or .Values.devMode .Values.debugMode }} + # Enable debug logs - name: KC_LOG_LEVEL value: DEBUG - name: QUARKUS_LOG_CATEGORY__ORG_APACHE_HTTP__LEVEL value: DEBUG - name: QUARKUS_LOG_CATEGORY__ORG_KEYCLOAK_SERVICES_X509__LEVEL value: TRACE - {{- else }} + {{- end }} + {{- if eq (include "keycloak.postgresql.config" .) "true" }} # Infinispan cache configuration - name: KC_CACHE value: ispn @@ -168,7 +169,7 @@ spec: - name: JAVA_TOOL_OPTIONS value: "-Dcom.redhat.fips=true" {{- end }} - {{- end }} + {{- end }} {{- if .Values.insecureAdminPasswordGeneration.enabled }} - name: KEYCLOAK_ADMIN valueFrom: diff --git a/src/keycloak/chart/templates/uds-package.yaml b/src/keycloak/chart/templates/uds-package.yaml index fbc6de571..27afba03f 100644 --- a/src/keycloak/chart/templates/uds-package.yaml +++ b/src/keycloak/chart/templates/uds-package.yaml 
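Review bot: `{{- if or .Values.devMode .Values.debugMode }}` now lets the new `debugMode` value turn on `KC_LOG_LEVEL=DEBUG` plus `TRACE` for `org.keycloak.services.x509` on a production-shaped deployment, where before this was tied to `devMode`; the comment `# Enable debug logs` should carry that caveat, e.g. `# Enable debug logs (devMode or debugMode); verbose and may expose request details, not for production use`. The second hunk only re-indents `{{- end }}`, which is fine, but the same `keycloak.postgresql.config` helper now gates the Infinispan/Postgres block here and in `secret-postgresql.yaml` and `uds-package.yaml`, so the three stay consistent only as long as nobody switches one of them back to `not .Values.devMode`.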
@@ -52,8 +52,8 @@ spec: remoteGenerated: Anywhere {{- end }} - {{- if not .Values.devMode }} - - description: "PostgresQL Database access" + {{- if eq (include "keycloak.postgresql.config" .) "true" }} + - description: "PostgreSQL Database access" direction: Egress selector: app.kubernetes.io/name: keycloak diff --git a/src/keycloak/chart/values.yaml b/src/keycloak/chart/values.yaml index 683128b50..011f4814e 100644 --- a/src/keycloak/chart/values.yaml +++ b/src/keycloak/chart/values.yaml @@ -55,8 +55,12 @@ terminationGracePeriodSeconds: 5 clusterDomain: cluster.local # Sets development mode for Keycloak. This disables caching, Postgres and HPAs and should only be used for testing +# Must have no values populated for `postgresql` in order to use devMode: true +# Enable debug logging for keycloak and quarkus +debugMode: false + # Enable SMTP networkPolicy and config smtp: enabled: false @@ -149,16 +153,17 @@ service: # Session affinity config sessionAffinityConfig: {} +# Connection information for external postgres database postgresql: - # PostgreSQL User to create - username: keycloak - # PostgreSQL Password for the new user - password: keycloak - # PostgreSQL Database to create - database: keycloak - # PostgreSQL host - host: postgresql - # PostgreSQL port + # The username of the database user + username: "" + # The password of the database user + password: "" + # Database name + database: "" + # URL for the database + host: "" + # Port the database is listening on port: 5432 serviceMonitor: diff --git a/src/loki/values/values.yaml b/src/loki/values/values.yaml index 751f7849b..7a72c1790 100644 --- a/src/loki/values/values.yaml +++ b/src/loki/values/values.yaml @@ -15,6 +15,7 @@ memberlist: publishNotReadyAddresses: true loki: + configStorageType: Secret storage: bucketNames: chunks: uds 
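Review bot: `# URL for the database` above `host: ""` is misleading — the value is written verbatim into the Secret's `host` key alongside a separate `port`, so it is a hostname, not a URL; `# Hostname (or IP) of the database` matches what the helper validates. Clearing the old `keycloak`/`keycloak` username and password defaults is a good change; pairing it with a short pointer that these are expected from a values override or secret store rather than from a committed file would round it out.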
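Review bot: `configStorageType: Secret` deserves a one-line comment saying why, since the chart default is a ConfigMap and a later reader may "simplify" it back: the rendered Loki config carries the object-storage settings shown in this file (`storage`, `insecure: false`), and if any storage credentials end up in it they belong in a Secret, e.g. `configStorageType: Secret # rendered config may contain storage credentials`.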
@@ -29,9 +30,12 @@ loki: insecure: false commonConfig: replication_factor: 1 + limits_config: + split_queries_by_interval: "30m" + query_scheduler: + max_outstanding_requests_per_tenant: 32000 # This is the default in Loki 3.0 extraMemberlistConfig: rejoin_interval: 120s - # Should authentication be enabled auth_enabled: false # -- Additional storage config storage_config: @@ -57,11 +61,6 @@ loki: enterprise: # Enable enterprise features, license must be provided enabled: false - # -- Configuration for `tokengen` target - tokengen: - # -- Additional annotations for the `tokengen` Job - annotations: - sidecar.istio.io/inject: "false" # RBAC configuration rbac: # -- If pspEnabled true, a PodSecurityPolicy is created for K8s that use psp. diff --git a/src/metrics-server/chart/templates/service-monitor.yaml b/src/metrics-server/chart/templates/service-monitor.yaml index d7c603693..390875164 100644 --- a/src/metrics-server/chart/templates/service-monitor.yaml +++ b/src/metrics-server/chart/templates/service-monitor.yaml @@ -3,7 +3,7 @@ apiVersion: monitoring.coreos.com/v1 kind: ServiceMonitor metadata: - annotation: + annotations: uds/skip-sm-mutate: "true" name: metrics-server-metrics namespace: metrics-server diff --git a/src/neuvector/values/values.yaml b/src/neuvector/values/values.yaml index dbf49ff1d..3ebd7891b 100644 --- a/src/neuvector/values/values.yaml +++ b/src/neuvector/values/values.yaml @@ -20,6 +20,8 @@ controller: no_telemetry_report: true scan_config: auto_scan: true + mode_auto_d2m: true + mode_auto_d2m_duration: 129600 secret: enabled: false env: diff --git a/src/pepr/config.ts b/src/pepr/config.ts index 4946ae793..485d2f80f 100644 --- a/src/pepr/config.ts +++ b/src/pepr/config.ts 
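Review bot: The comment `# Should authentication be enabled` is deleted while `auth_enabled: false` stays, leaving the one security-relevant toggle in this block undocumented; keep a comment that states the consequence, e.g. `auth_enabled: false # single-tenant mode, no X-Scope-OrgID checks; access is expected to be gated by mesh/ingress policy` (adjust the last clause if Loki is exposed differently here). The new `max_outstanding_requests_per_tenant: 32000 # This is the default in Loki 3.0` is helpful; the same explanatory style would suit `split_queries_by_interval: "30m"`, which is not obviously tied to anything else in the file.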
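Review bot: `mode_auto_d2m_duration: 129600` has no unit; NeuVector documents this as the period after which new groups are promoted from Discover to Monitor mode automatically, but whether 129600 is seconds or minutes cannot be recovered from the file, so spell it out, e.g. `mode_auto_d2m_duration: 129600 # <unit per NeuVector docs>; auto-promote groups from Discover to Monitor after this period`. A short comment on `mode_auto_d2m: true` that this changes when NeuVector starts alerting on learned behaviour would also help readers of this values file.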
@@ -1,15 +1,21 @@ import { Component, setupLogger } from "./logger"; let domain = process.env.UDS_DOMAIN; +let caCert = process.env.UDS_CA_CERT; // We need to handle `npx pepr <>` commands that will not template the env vars if (!domain || domain === "###ZARF_VAR_DOMAIN###") { domain = "uds.dev"; } +if (!caCert || caCert === "###ZARF_VAR_CA_CERT###") { + caCert = ""; +} export const UDSConfig = { // Ignore the UDS_DOMAIN if not deployed by Zarf domain, + // Base64 Encoded Trusted CA cert for Istio certificates (i.e. for `sso.domain`) + caCert, // Track if we are running a single test mode isSingleTest: process.env.UDS_SINGLE_TEST === "true", // Allow UDS policy exemptions to be used in any namespace diff --git a/src/pepr/logger.ts b/src/pepr/logger.ts index c300f3e90..8f505faed 100644 --- a/src/pepr/logger.ts +++ b/src/pepr/logger.ts @@ -1,11 +1,13 @@ import { Log } from "pepr"; export enum Component { + STARTUP = "startup", CONFIG = "config", ISTIO = "istio", OPERATOR_EXEMPTIONS = "operator.exemptions", OPERATOR_ISTIO = "operator.istio", OPERATOR_KEYCLOAK = "operator.keycloak", + OPERATOR_AUTHSERVICE = "operator.authservice", OPERATOR_MONITORING = "operator.monitoring", OPERATOR_NETWORK = "operator.network", OPERATOR_GENERATORS = "operator.generators", diff --git a/src/pepr/operator/controllers/istio/istio-resources.ts b/src/pepr/operator/controllers/istio/istio-resources.ts index 63e2ca95b..297aec6b0 100644 --- a/src/pepr/operator/controllers/istio/istio-resources.ts +++ b/src/pepr/operator/controllers/istio/istio-resources.ts @@ -2,7 +2,7 @@ import { K8s } from "pepr"; import { Component, setupLogger } from "../../../logger"; import { IstioServiceEntry, IstioVirtualService, UDSPackage } from "../../crd"; -import { getOwnerRef } from "../utils"; +import { getOwnerRef, purgeOrphans } from "../utils"; import { generateServiceEntry } from "./service-entry"; import { generateVirtualService } from "./virtual-service"; 
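Review bot: `caCert` is normalised to `""` when unset or left as the `###ZARF_VAR_CA_CERT###` sentinel, so every consumer has to treat the empty string as "no extra CA", and nothing here checks that a non-empty value is actually base64 as the comment claims; the consumers are outside this hunk, so I would at least extend the comment to `// Base64 encoded trusted CA for Istio certificates (i.e. for \`sso.domain\`); "" means no additional CA is configured`. The sentinel check duplicates the `domain` pattern line for line, which is fine at two variables but worth a tiny helper if a third Zarf-templated value is added.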
@@ -57,39 +57,8 @@ export async function istioResources(pkg: UDSPackage, namespace: string) { serviceEntryNames.set(sePayload.metadata!.name!, true); } - // Get all related VirtualServices in the namespace - const virtualServices = await K8s(IstioVirtualService) - .InNamespace(namespace) - .WithLabel("uds/package", pkgName) - .Get(); - - // Find any orphaned VirtualServices (not matching the current generation) - const orphanedVS = virtualServices.items.filter( - vs => vs.metadata?.labels?.["uds/generation"] !== generation, - ); - - // Delete any orphaned VirtualServices - for (const vs of orphanedVS) { - log.debug(vs, `Deleting orphaned VirtualService ${vs.metadata!.name}`); - await K8s(IstioVirtualService).Delete(vs); - } - - // Get all related ServiceEntries in the namespace - const serviceEntries = await K8s(IstioServiceEntry) - .InNamespace(namespace) - .WithLabel("uds/package", pkgName) - .Get(); - - // Find any orphaned ServiceEntries (not matching the current generation) - const orphanedSE = serviceEntries.items.filter( - se => se.metadata?.labels?.["uds/generation"] !== generation, - ); - - // Delete any orphaned ServiceEntries - for (const se of orphanedSE) { - log.debug(se, `Deleting orphaned ServiceEntry ${se.metadata!.name}`); - await K8s(IstioServiceEntry).Delete(se); - } + await purgeOrphans(generation, namespace, pkgName, IstioVirtualService, log); + await purgeOrphans(generation, namespace, pkgName, IstioServiceEntry, log); // Return the list of unique hostnames return [...hosts]; diff --git a/src/pepr/operator/controllers/istio/virtual-service.ts b/src/pepr/operator/controllers/istio/virtual-service.ts index 591fa691f..3fa892b39 100644 --- a/src/pepr/operator/controllers/istio/virtual-service.ts +++ b/src/pepr/operator/controllers/istio/virtual-service.ts 
@@ -1,6 +1,6 @@ -import { UDSConfig } from "../../../config"; import { V1OwnerReference } from "@kubernetes/client-node"; -import { Expose, Gateway, IstioVirtualService, IstioHTTP, IstioHTTPRoute } from "../../crd"; +import { UDSConfig } from "../../../config"; +import { Expose, Gateway, IstioHTTP, IstioHTTPRoute, IstioVirtualService } from "../../crd"; import { sanitizeResourceName } from "../utils"; /** diff --git a/src/pepr/operator/controllers/keycloak/authservice/authorization-policy.ts b/src/pepr/operator/controllers/keycloak/authservice/authorization-policy.ts new file mode 100644 index 000000000..8e48c7629 --- /dev/null +++ b/src/pepr/operator/controllers/keycloak/authservice/authorization-policy.ts 
@@ -0,0 +1,162 @@
+import { K8s } from "pepr";
+import { UDSConfig } from "../../../../config";
+import {
+ IstioAction,
+ IstioAuthorizationPolicy,
+ IstioRequestAuthentication,
+ UDSPackage,
+} from "../../../crd";
+import { getOwnerRef, purgeOrphans } from "../../utils";
+import { log } from "./authservice";
+import { Action as AuthServiceAction, AuthServiceEvent } from "./types";
+
+const operationMap: {
+ [AuthServiceAction.Add]: "Apply";
+ [AuthServiceAction.Remove]: "Delete";
+} = {
+ [AuthServiceAction.Add]: "Apply",
+ [AuthServiceAction.Remove]: "Delete",
+};
+
+function authserviceAuthorizationPolicy(
+ labelSelector: { [key: string]: string },
+ name: string,
+ namespace: string,
+): IstioAuthorizationPolicy {
+ return {
+ kind: "AuthorizationPolicy",
+ metadata: {
+ name: `${name}-authservice`,
+ namespace,
+ },
+ spec: {
+ action: IstioAction.Custom,
+ provider: {
+ name: "authservice",
+ },
+ rules: [
+ {
+ when: [
+ {
+ key: "request.headers[authorization]",
+ notValues: ["*"],
+ },
+ ],
+ },
+ ],
+ selector: {
+ matchLabels: labelSelector,
+ },
+ },
+ };
+}
+
+function jwtAuthZAuthorizationPolicy(
+ labelSelector: { [key: string]: string },
+ name: string,
+ namespace: string,
+): IstioAuthorizationPolicy {
+ return {
+ kind: "AuthorizationPolicy",
+ metadata: {
+ name: `${name}-jwt-authz`,
+ namespace,
+ },
+ spec: {
+ selector: {
+ matchLabels: labelSelector,
+ },
+ rules: [
+ {
+ from: [
+ {
+ source: {
+ requestPrincipals: [`https://sso.${UDSConfig.domain}/realms/uds/*`],
+ },
+ },
+ ],
+ },
+ ],
+ },
+ };
+}
+
+function authNRequestAuthentication(
+ labelSelector: { [key: string]: string },
+ name: string,
+ namespace: string,
+): IstioRequestAuthentication {
+ return {
+ kind: "RequestAuthentication",
+ metadata: {
+ name: `${name}-jwt-authn`,
+ namespace,
+ },
+ spec: {
+ jwtRules: [
+ {
+ audiences: [name],
+ forwardOriginalToken: true,
+ issuer: `https://sso.${UDSConfig.domain}/realms/uds`,
+ jwksUri: 
`http://keycloak-http.keycloak.svc.cluster.local:8080/realms/uds/protocol/openid-connect/certs`,
+ },
+ ],
+ selector: {
+ matchLabels: labelSelector,
+ },
+ },
+ };
+}
+
+async function updatePolicy(
+ event: AuthServiceEvent,
+ labelSelector: { [key: string]: string },
+ pkg: UDSPackage,
+) {
+ // type safe map event to operation (either Apply or Delete)
+ const operation = operationMap[event.action];
+ const namespace = pkg.metadata!.namespace!;
+ const generation = (pkg.metadata?.generation ?? 0).toString();
+ const ownerReferences = getOwnerRef(pkg);
+
+ const updateMetadata = (resource: IstioAuthorizationPolicy | IstioRequestAuthentication) => {
+ resource!.metadata!.ownerReferences = ownerReferences;
+ resource!.metadata!.labels = {
+ "uds/package": pkg.metadata!.name!,
+ "uds/generation": generation,
+ };
+ return resource;
+ };
+
+ try {
+ await K8s(IstioAuthorizationPolicy)[operation](
+ updateMetadata(authserviceAuthorizationPolicy(labelSelector, event.name, namespace)),
+ );
+ await K8s(IstioRequestAuthentication)[operation](
+ updateMetadata(authNRequestAuthentication(labelSelector, event.name, namespace)),
+ );
+ await K8s(IstioAuthorizationPolicy)[operation](
+ updateMetadata(jwtAuthZAuthorizationPolicy(labelSelector, event.name, namespace)),
+ );
+ } catch (e) {
+ const msg = `Failed to update auth policy for ${event.name} in ${namespace}: ${e}`;
+ log.error(e, msg);
+ throw new Error(msg, {
+ cause: e,
+ });
+ }
+
+ try {
+ await purgeOrphanPolicies(generation, namespace, pkg.metadata!.name!);
+ } catch (e) {
+ log.error(e, `Failed to purge orphan auth policies ${event.name} in ${namespace}: ${e}`);
+ }
+}
+
+async function purgeOrphanPolicies(generation: string, namespace: string, pkgName: string) {
+ for (const kind of [IstioAuthorizationPolicy, IstioRequestAuthentication]) {
+ await purgeOrphans(generation, namespace, pkgName, kind, log);
+ }
+}
+
+export { updatePolicy };
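Review bot: The three resource names `${name}-authservice`, `${name}-jwt-authz` and `${name}-jwt-authn` are built straight from `event.name` without `sanitizeResourceName` (imported from `../utils` by `virtual-service.ts` in this same diff), so a client name that is long or contains characters invalid in a Kubernetes object name fails at `Apply` with an API error instead of being normalised the way VirtualService names are; `name: sanitizeResourceName(\`${name}-jwt-authn\`)` in each builder would keep them consistent. The `jwksUri` in `authNRequestAuthentication` is a plain `http://` cluster-local URL; a comment should record why that is acceptable (presumably the sidecar fetches it inside the mesh under `PILOT_JWT_ENABLE_REMOTE_JWKS: hybrid`, set in `src/istio/values/values.yaml` by this commit, with mTLS on that hop), since a reader will otherwise flag it as unauthenticated key material. Likewise `jwtAuthZAuthorizationPolicy` allows any `requestPrincipals` under `https://sso.<domain>/realms/uds/*`, i.e. every authenticated realm user; that per-client scoping comes from `audiences: [name]` in the RequestAuthentication deserves a comment on the ALLOW policy so the two are not loosened independently. Minor: `resource!.metadata!` in `updateMetadata` asserts on an object built with `metadata` always present, so the `!` operators can go.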
diff --git a/src/pepr/operator/controllers/keycloak/authservice/authservice.spec.ts b/src/pepr/operator/controllers/keycloak/authservice/authservice.spec.ts new file mode 100644 index 000000000..770174196 --- /dev/null +++ b/src/pepr/operator/controllers/keycloak/authservice/authservice.spec.ts 
@@ -0,0 +1,124 @@ +import { beforeEach, describe, expect, jest, test } from "@jest/globals"; +import { UDSPackage } from "../../../crd"; +import { Client } from "../types"; +import { updatePolicy } from "./authorization-policy"; +import { buildChain, buildConfig } from "./authservice"; +import * as mockConfig from "./mock-authservice-config.json"; +import { Action, AuthServiceEvent, AuthserviceConfig } from "./types"; + +describe("authservice", () => { + let mockClient: Client; + + beforeEach(() => { + jest.clearAllMocks(); + + mockClient = { + clientId: "test-client", + redirectUris: ["https://foo.uds.dev/login"], + secret: "test-secret", + alwaysDisplayInConsole: false, + attributes: {}, + authenticationFlowBindingOverrides: {}, + bearerOnly: false, + clientAuthenticatorType: "client-secret", + consentRequired: false, + defaultClientScopes: [], + defaultRoles: [], + directAccessGrantsEnabled: false, + enabled: true, + frontchannelLogout: false, + fullScopeAllowed: false, + implicitFlowEnabled: false, + nodeReRegistrationTimeout: 0, + notBefore: 0, + optionalClientScopes: [], + protocol: "openid-connect", + publicClient: false, + serviceAccountsEnabled: false, + standardFlowEnabled: false, + surrogateAuthRequired: false, + webOrigins: [], + }; + }); + + test("should test authservice chain build", async () => { + const chain = buildChain({ + client: mockClient, + name: "sso-client-test", + action: Action.Add, + } as AuthServiceEvent); + expect(chain.name).toEqual("sso-client-test"); + expect(chain.match.prefix).toEqual("foo.uds.dev"); + expect(chain.filters.length).toEqual(1); + + expect(chain.filters[0].oidc_override.authorization_uri).toEqual( + "https://sso.uds.dev/realms/uds/protocol/openid-connect/auth", + ); + + expect(chain.filters[0].oidc_override.client_id).toEqual(mockClient.clientId); + + expect(chain.filters[0].oidc_override.client_secret).toEqual(mockClient.secret); + + 
expect(chain.filters[0].oidc_override.callback_uri).toEqual(mockClient.redirectUris[0]); + }); + + test("should test authservice chain removal", async () => { + const config = buildConfig(mockConfig as AuthserviceConfig, { + client: mockClient, + name: "local", + action: Action.Remove, + }); + + expect(config.chains.length).toEqual(0); + expect(config.listen_address).toEqual("0.0.0.0"); + }); + + test("should test authservice chain addition", async () => { + let config = buildConfig(mockConfig as AuthserviceConfig, { + client: mockClient, + name: "local", + action: Action.Remove, + }); + + config = buildConfig(config, { client: mockClient, name: "sso-client-a", action: Action.Add }); + config = buildConfig(config, { client: mockClient, name: "sso-client-b", action: Action.Add }); + + expect(config.chains.length).toEqual(2); + }); + + test("should test chain removal by name", async () => { + let config = buildConfig(mockConfig as AuthserviceConfig, { + client: mockClient, + name: "nothere", + action: Action.Remove, + }); + expect(config.chains.length).toEqual(1); + + config = buildConfig(mockConfig as AuthserviceConfig, { + client: mockClient, + name: "local", + action: Action.Remove, + }); + expect(config.chains.length).toEqual(0); + }); + + test("should build an authorization policy", async () => { + const labelSelector = { foo: "bar" }; + const pkg: UDSPackage = { + kind: "Package", + apiVersion: "uds.dev/v1alpha1", + metadata: { + name: "test", + namespace: "default", + generation: 1, + uid: "f50120aa-2713-4502-9496-566b102b1174", + }, + }; + try { + await updatePolicy({ name: "auth-test", action: Action.Add }, labelSelector, pkg); + await updatePolicy({ name: "auth-test", action: Action.Remove }, labelSelector, pkg); + } catch (e) { + expect(e).toBeUndefined(); + } + }); +}); 
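Review bot: The "should build an authorization policy" test asserts nothing when `updatePolicy` resolves — the only expectation sits inside the `catch` — and nothing in this file mocks pepr's `K8s` client, so unless a jest setup file does it elsewhere the test either talks to a live API server or fails on a connection error rather than on the policy logic. Prefer `await expect(updatePolicy({ name: "auth-test", action: Action.Add }, labelSelector, pkg)).resolves.toBeUndefined();` with `K8s` stubbed via `jest.mock("pepr", ...)`, so the `Apply`/`Delete` calls and the generated resources can be asserted on. A stub would also let the test check that `uds/package` and `uds/generation` labels are set on the three policies `updatePolicy` writes.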
diff --git a/src/pepr/operator/controllers/keycloak/authservice/authservice.ts b/src/pepr/operator/controllers/keycloak/authservice/authservice.ts new file mode 100644 index 000000000..675e931fa --- /dev/null +++ b/src/pepr/operator/controllers/keycloak/authservice/authservice.ts 
@@ -0,0 +1,121 @@ +import { R } from "pepr"; +import { UDSConfig } from "../../../../config"; +import { Component, setupLogger } from "../../../../logger"; +import { UDSPackage } from "../../../crd"; +import { Client } from "../types"; +import { updatePolicy } from "./authorization-policy"; +import { getAuthserviceConfig, operatorConfig, updateAuthServiceSecret } from "./config"; +import { Action, AuthServiceEvent, AuthserviceConfig, Chain } from "./types"; + +export const log = setupLogger(Component.OPERATOR_AUTHSERVICE); + +export async function authservice(pkg: UDSPackage, clients: Map) { + // Get the list of clients from the package + const authServiceClients = R.filter( + sso => R.isNotNil(sso.enableAuthserviceSelector), + pkg.spec?.sso || [], + ); + + for (const sso of authServiceClients) { + const client = clients.get(sso.clientId); + if (!client) { + throw new Error(`Failed to get client ${sso.clientId}`); + } + + await reconcileAuthservice( + { name: sso.clientId, action: Action.Add, client }, + sso.enableAuthserviceSelector!, + pkg, + ); + } + + const authserviceClients = authServiceClients.map(client => client.clientId); + + await purgeAuthserviceClients(pkg, authserviceClients); + + return authserviceClients; +} + +export async function purgeAuthserviceClients( + pkg: UDSPackage, + newAuthserviceClients: string[] = [], +) { + // compute set difference of pkg.status.authserviceClients and authserviceClients using Ramda + R.difference(pkg.status?.authserviceClients || [], newAuthserviceClients).forEach( + async clientId => { + log.info(`Removing stale authservice chain for client ${clientId}`); + await reconcileAuthservice({ name: clientId, action: Action.Remove }, {}, pkg); + }, + ); +} + +export async function reconcileAuthservice( + event: AuthServiceEvent, + labelSelector: { [key: string]: string }, + pkg: UDSPackage, +) { + await updateConfig(event); + await updatePolicy(event, labelSelector, pkg); +} + +// write authservice config to secret +export 
async function updateConfig(event: AuthServiceEvent) { + // parse existing authservice config + let config = await getAuthserviceConfig(); + + // update config based on event + config = buildConfig(config, event); + + // update the authservice secret + await updateAuthServiceSecret(config); +} + +export function buildConfig(config: AuthserviceConfig, event: AuthServiceEvent) { + let chains: Chain[]; + + if (event.action == Action.Add) { + // add the new chain to the existing authservice config + chains = config.chains.filter(chain => chain.name !== event.name); + chains = chains.concat(buildChain(event)); + } else if (event.action == Action.Remove) { + // search in the existing chains for the chain to remove by name + chains = config.chains.filter(chain => chain.name !== event.name); + } else { + throw new Error(`Unhandled Action: ${event.action satisfies never}`); + } + + // add the new chains to the existing authservice config + return { ...config, chains } as AuthserviceConfig; +} + +export function buildChain(update: AuthServiceEvent) { + // TODO: get this from the package + // parse the hostname from the first client redirect uri + const hostname = new URL(update.client!.redirectUris[0]).hostname; + + const chain: Chain = { + name: update.name, + match: { + header: ":authority", + prefix: hostname, + }, + filters: [ + { + oidc_override: { + authorization_uri: `https://sso.${UDSConfig.domain}/realms/${operatorConfig.realm}/protocol/openid-connect/auth`, + token_uri: `https://sso.${UDSConfig.domain}/realms/${operatorConfig.realm}/protocol/openid-connect/token`, + callback_uri: update.client!.redirectUris[0], + client_id: update.client!.clientId, + client_secret: update.client!.secret, + scopes: [], + logout: { + path: "/local", + redirect_uri: `https://sso.${UDSConfig.domain}/realms/${operatorConfig.realm}/protocol/openid-connect/token/logout`, + }, + cookie_name_prefix: update.client!.clientId, + }, + }, + ], + }; + return chain; +} 
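Review bot: `purgeAuthserviceClients` passes an `async` callback to `forEach`, so the `reconcileAuthservice` promises are never awaited: the function returns before any stale chain is removed, `authservice()` reports the new client list as if the purge completed, and a rejected removal becomes an unhandled rejection instead of a reconcile failure. Replace the `forEach` with a sequential loop, `for (const clientId of R.difference(pkg.status?.authserviceClients || [], newAuthserviceClients)) { log.info(...); await reconcileAuthservice({ name: clientId, action: Action.Remove }, {}, pkg); }`. Sequential execution also matters because each call goes through `updateConfig`, which reads the shared authservice secret and writes it back, so concurrent removals could overwrite each other's result.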
diff --git a/src/pepr/operator/controllers/keycloak/authservice/config.ts b/src/pepr/operator/controllers/keycloak/authservice/config.ts new file mode 100644 index 000000000..eace37048 --- /dev/null +++ b/src/pepr/operator/controllers/keycloak/authservice/config.ts 
@@ -0,0 +1,145 @@ +import { createHash } from "crypto"; + +import { K8s, kind } from "pepr"; +import { UDSConfig } from "../../../../config"; +import { Client } from "../types"; +import { buildChain, log } from "./authservice"; +import { Action, AuthserviceConfig } from "./types"; + +export const operatorConfig = { + namespace: "authservice", + secretName: "authservice-uds", + baseDomain: `https://sso.${UDSConfig.domain}`, + realm: "uds", +}; + +export async function setupAuthserviceSecret() { + if (process.env.PEPR_WATCH_MODE === "true" || process.env.PEPR_MODE === "dev") { + log.info("One-time authservice secret initialization"); + // create namespace if it doesn't exist + await K8s(kind.Namespace).Apply({ + metadata: { + name: operatorConfig.namespace, + }, + }); + + // create secret if it doesn't exist + try { + const secret = await K8s(kind.Secret) + .InNamespace(operatorConfig.namespace) + .Get(operatorConfig.secretName); + log.info(`Authservice Secret exists, skipping creation - ${secret.metadata?.name}`); + } catch (e) { + log.info("Secret does not exist, creating authservice secret"); + try { + await updateAuthServiceSecret(buildInitialSecret(), false); + } catch (err) { + log.error(err, "Failed to create UDS managed authservice secret."); + throw new Error("Failed to create UDS managed authservice secret.", { cause: err }); + } + } + } +} + +// this initial secret is only a placeholder until the first chain is created +function buildInitialSecret(): AuthserviceConfig { + return { + allow_unmatched_requests: false, + listen_address: "0.0.0.0", + listen_port: "10003", + log_level: "info", + default_oidc_config: { + skip_verify_peer_cert: false, + authorization_uri: `https://sso.${UDSConfig.domain}/realms/${operatorConfig.realm}/protocol/openid-connect/auth`, + token_uri: `https://sso.${UDSConfig.domain}/realms/${operatorConfig.realm}/protocol/openid-connect/token`, + jwks_fetcher: { + jwks_uri: 
`https://sso.${UDSConfig.domain}/realms/${operatorConfig.realm}/protocol/openid-connect/certs`, + periodic_fetch_interval_sec: 60, + }, + client_id: "global_id", + client_secret: "global_secret", + id_token: { + preamble: "Bearer", + header: "Authorization", + }, + trusted_certificate_authority: `${atob(UDSConfig.caCert)}`, + logout: { + path: "/globallogout", + redirect_uri: `https://sso.${UDSConfig.domain}/realms/${operatorConfig.realm}/protocol/openid-connect/token/logout`, + }, + absolute_session_timeout: "0", + idle_session_timeout: "0", + scopes: [], + }, + threads: 8, + chains: [ + buildChain({ + name: "placeholder", + action: Action.Add, + client: { + clientId: "placeholder", + secret: "placeholder", + redirectUris: ["https://localhost/login"], + } as Client, + }), + ], + }; +} + +export async function getAuthserviceConfig() { + const authSvcSecret = await K8s(kind.Secret) + .InNamespace(operatorConfig.namespace) + .Get(operatorConfig.secretName); + return JSON.parse(atob(authSvcSecret!.data!["config.json"])) as AuthserviceConfig; +} + +export async function updateAuthServiceSecret( + authserviceConfig: AuthserviceConfig, + checksum = true, +) { + const config = btoa(JSON.stringify(authserviceConfig)); + const configHash = createHash("sha256").update(config).digest("hex"); + + try { + // write the authservice config to the secret + await K8s(kind.Secret).Apply( + { + metadata: { + namespace: operatorConfig.namespace, + name: operatorConfig.secretName, + }, + data: { + "config.json": config, + }, + }, + { force: true }, + ); + } catch (e) { + log.error(e, `Failed to write authservice secret`); + throw new Error("Failed to write authservice secret", { cause: e }); + } + + log.info("Updated authservice secret successfully"); + + if (checksum) { + log.info("Adding checksum to deployment authservice secret successfully"); + await checksumDeployment(configHash); + } +} + +async function checksumDeployment(checksum: string) { + try { + await K8s(kind.Deployment, { 
name: "authservice", namespace: operatorConfig.namespace }).Patch([ + { + op: "add", + path: "/spec/template/metadata/annotations/pepr.dev~1checksum", + value: checksum, + }, + ]); + + log.info(`Successfully applied the checksum to authservice`); + } catch (e) { + log.error(`Failed to apply the checksum to authservice: ${e.data?.message}`); + throw new Error("Failed to apply the checksum to authservice", { cause: e }); + } +} diff --git a/src/pepr/operator/controllers/keycloak/authservice/mock-authservice-config.json b/src/pepr/operator/controllers/keycloak/authservice/mock-authservice-config.json new file mode 100644 index 000000000..56cd74938 --- /dev/null +++ b/src/pepr/operator/controllers/keycloak/authservice/mock-authservice-config.json 
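Review bot: In `setupAuthserviceSecret`, any failure of the `Get` on the existing secret — not only a 404 — falls into the `catch` that writes the placeholder config, and `updateAuthServiceSecret` applies it with `{ force: true }`, so a transient API error or an RBAC denial at startup can replace a populated `config.json` (every protected app's chain and client secret) with the placeholder. Only treat not-found as "create": `if (e?.status !== 404) throw e;` at the top of the catch (assuming the fluent client surfaces the HTTP status on the error — confirm), or use `Create` instead of `Apply` for the initial write so existence is enforced server-side. Separately, `getAuthserviceConfig` followed by `updateAuthServiceSecret` is an unguarded read-modify-write of one shared secret, so two packages reconciling concurrently can overwrite each other's chains; that deserves a comment on `updateConfig` in authservice.ts if no resourceVersion check or serialisation is planned. Minor: `checksumDeployment`'s JSON Patch `add` at `/spec/template/metadata/annotations/pepr.dev~1checksum` fails when the pod template has no `annotations` map yet, which is fine only if the authservice chart always sets one.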
@@ -0,0 +1,60 @@ +{ + "allow_unmatched_requests": false, + "listen_address": "0.0.0.0", + "listen_port": "10003", + "log_level": "trace", + "default_oidc_config": { + "skip_verify_peer_cert": false, + "authorization_uri": "https://sso.uds.dev/realms/uds/protocol/openid-connect/auth", + "token_uri": "https://sso.uds.dev/realms/uds/protocol/openid-connect/token", + "jwks_fetcher": { + "jwks_uri": "https://sso.uds.dev/realms/uds/protocol/openid-connect/certs", + "periodic_fetch_interval_sec": 60, + "skip_verify_peer_cert": false + }, + "client_id": "global_id", + "client_secret": "global_secret", + "id_token": { + "preamble": "Bearer", + "header": "Authorization" + }, + "access_token": { + "header": "JWT" + }, + "trusted_certificate_authority": "", + "logout": { + "path": "/globallogout", + "redirect_uri": "https://sso.uds.dev/realms/uds/protocol/openid-connect/token/logout" + }, + "absolute_session_timeout": "0", + "idle_session_timeout": "0", + "scopes": [] + }, + "threads": 8, + "chains": [ + { + "name": "local", + "match": { + "header": ":local", + "prefix": "localhost" + }, + "filters": [ + { + "oidc_override": { + "authorization_uri": "https://sso.uds.dev/realms/uds/protocol/openid-connect/auth", + "token_uri": "https://sso.uds.dev/realms/uds/protocol/openid-connect/token", + "callback_uri": "https://localhost/login", + "client_id": "local_id", + "client_secret": "local_secret", + "cookie_name_prefix": "local", + "logout": { + "path": "/local", + "redirect_uri": "https://sso.uds.dev/realms/uds/protocol/openid-connect/token/logout" + }, + "scopes": [] + } + } + ] + } + ] +} diff --git a/src/pepr/operator/controllers/keycloak/authservice/types.ts b/src/pepr/operator/controllers/keycloak/authservice/types.ts new file mode 100644 index 000000000..9c20fdc50 --- /dev/null +++ b/src/pepr/operator/controllers/keycloak/authservice/types.ts 
@@ -0,0 +1,71 @@ +import { Client } from "../types"; + +export enum Action { + Add = "Add", + Remove = "Remove", +} + +export interface AuthServiceEvent { + name: string; + action: Action; + client?: Client; +} + +export interface AuthserviceConfig { + allow_unmatched_requests: boolean; + listen_address: string; + listen_port: string; + log_level: string; + default_oidc_config: OIDCConfig; + threads: number; + chains: Chain[]; +} + +interface OIDCConfig { + skip_verify_peer_cert?: boolean; + authorization_uri: string; + callback_uri?: string; + cookie_name_prefix?: string; + token_uri: string; + jwks_fetcher?: JWKSFetcher; + client_id: string; + client_secret: string; + id_token?: Token; + access_token?: Token; + trusted_certificate_authority?: string; + logout: Logout; + absolute_session_timeout?: string; + idle_session_timeout?: string; + scopes: string[]; +} + +interface JWKSFetcher { + jwks_uri: string; + periodic_fetch_interval_sec: number; + skip_verify_peer_cert?: boolean; +} + +interface Token { + preamble?: string; + header: string; +} + +interface Logout { + path: string; + redirect_uri: string; +} + +export interface Chain { + name: string; + match: Match; + filters: Filter[]; +} + +interface Match { + header: string; + prefix: string; +} + +interface Filter { + oidc_override: OIDCConfig; +} diff --git a/src/pepr/operator/controllers/keycloak/client-sync.ts b/src/pepr/operator/controllers/keycloak/client-sync.ts index bc2d2bd66..da2042370 100644 --- a/src/pepr/operator/controllers/keycloak/client-sync.ts +++ b/src/pepr/operator/controllers/keycloak/client-sync.ts 
@@ -46,17 +46,16 @@ const log = setupLogger(Component.OPERATOR_KEYCLOAK);
 export async function keycloak(pkg: UDSPackage) {
 // Get the list of clients from the package
 const clientReqs = pkg.spec?.sso || [];
- const refs: string[] = [];
+ const clients: Map = new Map();
- // Pull the isAuthSvcClient prop as it's not part of the KC client spec
 for (const clientReq of clientReqs) {
- const ref = await syncClient(clientReq, pkg);
- refs.push(ref);
+ const client = await syncClient(clientReq, pkg);
+ clients.set(client.clientId, client);
 }
- await purgeSSOClients(pkg, refs);
+ await purgeSSOClients(pkg, [...clients.keys()]);
- return refs;
+ return clients;
 }
 /**
@@ -65,24 +64,25 @@ export async function keycloak(pkg: UDSPackage) {
 * @param pkg the package to process
 * @param refs the list of client refs to keep
 */
-export async function purgeSSOClients(pkg: UDSPackage, refs: string[] = []) {
+export async function purgeSSOClients(pkg: UDSPackage, newClients: string[] = []) {
 // Check for any clients that are no longer in the package and remove them
 const currentClients = pkg.status?.ssoClients || [];
- const toRemove = currentClients.filter(client => !refs.includes(client));
+ const toRemove = currentClients.filter(client => !newClients.includes(client));
 for (const ref of toRemove) {
- const token = Store.getItem(ref);
- const clientId = ref.replace("sso-client-", "");
+ const storeKey = `sso-client-${ref}`;
+ const token = Store.getItem(storeKey);
 if (token) {
- Store.removeItem(ref);
- await apiCall({ clientId }, "DELETE", token);
+ await apiCall({ clientId: ref }, "DELETE", token);
+ Store.removeItem(storeKey);
 } else {
- log.warn(pkg.metadata, `Failed to remove client ${clientId}, token not found`);
+ log.warn(pkg.metadata, `Failed to remove client ${ref}, token not found`);
 }
 }
 }
 async function syncClient(
- { isAuthSvcClient, secretName, secretTemplate, ...clientReq }: Sso,
+ // eslint-disable-next-line @typescript-eslint/no-unused-vars
+ { enableAuthserviceSelector, secretName, secretTemplate, ...clientReq }: Sso,
 pkg: UDSPackage,
 isRetry = false,
 ) {
@@ -166,11 +166,7 @@ async function syncClient(
 data: generateSecretData(client, secretTemplate),
 });
- if (isAuthSvcClient) {
- // Do things here
- }
-
- return name;
+ return client;
 }
 /**
@@ -217,7 +213,7 @@ async function apiCall(sso: Partial, method = "POST", authToken = "") {
 }
 // Remove the body for DELETE requests
- if (method === "DELETE") {
+ if (method === "DELETE" || method === "GET") {
 delete req.body;
 }
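Review bot: `purgeSSOClients` now builds the Store key as `sso-client-${ref}` from `pkg.status.ssoClients`, while the removed code treated those status entries as already-prefixed refs (it stripped `sso-client-` to recover the clientId). For a Package whose status was written by the previous version, the lookup key becomes `sso-client-sso-client-<id>`, the token is not found, and the Keycloak client is left in place with only a warning. If old-format status entries can exist in upgraded clusters, add a fallback such as `const token = Store.getItem(storeKey) ?? Store.getItem(ref);` (with the matching `removeItem`) or normalise the status list once on read; the status write that feeds this list is outside the hunk. Moving `Store.removeItem` after the `apiCall` is an improvement, since the token survives a failed DELETE and the removal can be retried.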
diff --git a/src/pepr/operator/controllers/monitoring/common.ts b/src/pepr/operator/controllers/monitoring/common.ts
new file mode 100644
index 000000000..a8afa5d1f
--- /dev/null
+++ b/src/pepr/operator/controllers/monitoring/common.ts
@@ -0,0 +1,12 @@
+import { Monitor } from "../../crd";
+import { sanitizeResourceName } from "../utils";
+
+export function generateMonitorName(pkgName: string, monitor: Monitor) {
+ const { selector, portName, description } = monitor;
+
+ // Ensure the resource name is valid
+ const nameSuffix = description || `${Object.values(selector)}-${portName}`;
+ const name = sanitizeResourceName(`${pkgName}-${nameSuffix}`);
+
+ return name;
+}
diff --git a/src/pepr/operator/controllers/monitoring/pod-monitor.spec.ts b/src/pepr/operator/controllers/monitoring/pod-monitor.spec.ts
new file mode 100644
index 000000000..acba54e26
--- /dev/null
+++ b/src/pepr/operator/controllers/monitoring/pod-monitor.spec.ts
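Review bot: `generateMonitorName` is exported without a JSDoc header, unlike the other exported helpers in this controller tree (`podMonitor`, `serviceMonitor` and utils.ts all use `/** ... */` blocks). Suggest a header stating that `description`, when set, fully replaces the `<selector values>-<portName>` suffix — so two monitors in one package with the same description collide on the resource name — and that `sanitizeResourceName` is what guarantees a valid Kubernetes name. This is a move of `generateSMName` out of service-monitor.ts; the body appears unchanged.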
@@ -0,0 +1,41 @@ +import { describe, expect, it } from "@jest/globals"; +import { Monitor } from "../../crd"; +import { generatePodMonitor } from "./pod-monitor"; + +describe("test generate Pod monitor", () => { + it("should return a valid Pod Monitor object", () => { + const ownerRefs = [ + { + apiVersion: "uds.dev/v1alpha1", + kind: "Package", + name: "test", + uid: "f50120aa-2713-4502-9496-566b102b1174", + }, + ]; + const portName = "http-metrics"; + const metricsPath = "/test"; + const selectorApp = "test"; + const monitor: Monitor = { + portName: portName, + path: metricsPath, + targetPort: 1234, + selector: { + app: selectorApp, + }, + }; + const namespace = "test"; + const pkgName = "test"; + const generation = "1"; + const payload = generatePodMonitor(monitor, namespace, pkgName, generation, ownerRefs); + + expect(payload).toBeDefined(); + expect(payload.metadata?.name).toEqual(`${pkgName}-${selectorApp}-${portName}`); + expect(payload.metadata?.namespace).toEqual(namespace); + expect(payload.spec?.podMetricsEndpoints).toBeDefined(); + if (payload.spec?.podMetricsEndpoints) { + expect(payload.spec.podMetricsEndpoints[0].port).toEqual(portName); + expect(payload.spec.podMetricsEndpoints[0].path).toEqual(metricsPath); + } + expect(payload.spec?.selector.matchLabels).toHaveProperty("app", "test"); + }); +}); diff --git a/src/pepr/operator/controllers/monitoring/pod-monitor.ts b/src/pepr/operator/controllers/monitoring/pod-monitor.ts new file mode 100644 index 000000000..d3f033898 --- /dev/null +++ b/src/pepr/operator/controllers/monitoring/pod-monitor.ts 
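Review bot: The test does not exercise the two behaviours that distinguish the PodMonitor generator from the ServiceMonitor one: the `authorization` pass-through and the `podSelector ?? selector` fallback (the monitor under test sets neither `podSelector` nor `authorization`). Add a second case with a `podSelector` and an `authorization` object and assert that `payload.spec.selector.matchLabels` and `podMetricsEndpoints[0].authorization` reflect them; `generatePodMonitor` itself lives in pod-monitor.ts.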
@@ -0,0 +1,88 @@ +import { V1OwnerReference } from "@kubernetes/client-node"; +import { K8s } from "pepr"; +import { Component, setupLogger } from "../../../logger"; +import { Monitor, PrometheusPodMonitor, UDSPackage } from "../../crd"; +import { Kind } from "../../crd/generated/package-v1alpha1"; +import { getOwnerRef, purgeOrphans } from "../utils"; +import { generateMonitorName } from "./common"; + +// configure subproject logger +const log = setupLogger(Component.OPERATOR_MONITORING); + +/** + * Generate a pod monitor for a pod + * + * @param pkg UDS Package + * @param namespace + */ +export async function podMonitor(pkg: UDSPackage, namespace: string) { + const pkgName = pkg.metadata!.name!; + const generation = (pkg.metadata?.generation ?? 0).toString(); + const ownerRefs = getOwnerRef(pkg); + + log.debug(`Reconciling PodMonitors for ${pkgName}`); + + // Get the list of monitored services + const monitorList = pkg.spec?.monitor ?? []; + + // Create a list of generated PodMonitors + const payloads: PrometheusPodMonitor[] = []; + + try { + for (const monitor of monitorList) { + if (monitor.kind === Kind.PodMonitor) { + const payload = generatePodMonitor(monitor, namespace, pkgName, generation, ownerRefs); + + log.debug(payload, `Applying PodMonitor ${payload.metadata?.name}`); + + // Apply the PodMonitor and force overwrite any existing policy + await K8s(PrometheusPodMonitor).Apply(payload, { force: true }); + + payloads.push(payload); + } + } + + await purgeOrphans(generation, namespace, pkgName, PrometheusPodMonitor, log); + } catch (err) { + throw new Error(`Failed to process PodMonitors for ${pkgName}, cause: ${JSON.stringify(err)}`); + } + + // Return the list of monitor names + return [...payloads.map(m => m.metadata!.name!)]; +} + +export function generatePodMonitor( + monitor: Monitor, + namespace: string, + pkgName: string, + generation: string, + ownerRefs: V1OwnerReference[], +) { + const { selector, podSelector, portName } = monitor; + const name 
= generateMonitorName(pkgName, monitor); + const payload: PrometheusPodMonitor = { + metadata: { + name, + namespace, + labels: { + "uds/package": pkgName, + "uds/generation": generation, + }, + ownerReferences: ownerRefs, + }, + spec: { + podMetricsEndpoints: [ + { + port: portName, + path: monitor.path || "/metrics", + authorization: monitor.authorization, + }, + ], + selector: { + matchLabels: podSelector ?? selector, + }, + }, + }; + + return payload; +} diff --git a/src/pepr/operator/controllers/monitoring/service-monitor.spec.ts b/src/pepr/operator/controllers/monitoring/service-monitor.spec.ts index 83d4fa03e..e99900409 100644 --- a/src/pepr/operator/controllers/monitoring/service-monitor.spec.ts +++ b/src/pepr/operator/controllers/monitoring/service-monitor.spec.ts @@ -1,6 +1,6 @@ import { describe, expect, it } from "@jest/globals"; -import { generateServiceMonitor } from "./service-monitor"; import { Monitor } from "../../crd"; +import { generateServiceMonitor } from "./service-monitor"; describe("test generate service monitor", () => { it("should return a valid Service Monitor object", () => { diff --git a/src/pepr/operator/controllers/monitoring/service-monitor.ts b/src/pepr/operator/controllers/monitoring/service-monitor.ts index be1ddf9ac..9f567c245 100644 --- a/src/pepr/operator/controllers/monitoring/service-monitor.ts +++ b/src/pepr/operator/controllers/monitoring/service-monitor.ts 
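Review bot: The `catch` in `podMonitor` rethrows with `JSON.stringify(err)`, which serialises an `Error` as `{}` (message and stack are non-enumerable), so the original failure is lost; use the `cause` option as the authservice code in this same commit does: `throw new Error(\`Failed to process PodMonitors for ${pkgName}\`, { cause: err });`. The same pattern remains in the retained service-monitor.ts context and could be fixed together. Minor: `[...payloads.map(m => m.metadata!.name!)]` spreads an array that `map` already created, so `return payloads.map(m => m.metadata!.name!);` is equivalent, and the JSDoc's `@param namespace` has no description.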
@@ -2,8 +2,10 @@ import { K8s } from "pepr";
 import { V1OwnerReference } from "@kubernetes/client-node";
 import { Component, setupLogger } from "../../../logger";
-import { Monitor, Prometheus, UDSPackage } from "../../crd";
-import { getOwnerRef, sanitizeResourceName } from "../utils";
+import { Monitor, PrometheusServiceMonitor, UDSPackage } from "../../crd";
+import { Kind } from "../../crd/generated/package-v1alpha1";
+import { getOwnerRef, purgeOrphans } from "../utils";
+import { generateMonitorName } from "./common";
 // configure subproject logger
 const log = setupLogger(Component.OPERATOR_MONITORING);
@@ -25,36 +27,23 @@ export async function serviceMonitor(pkg: UDSPackage, namespace: string) { const monitorList = pkg.spec?.monitor ?? []; // Create a list of generated ServiceMonitors - const payloads: Prometheus.ServiceMonitor[] = []; + const payloads: PrometheusServiceMonitor[] = []; try { for (const monitor of monitorList) { - const payload = generateServiceMonitor(monitor, namespace, pkgName, generation, ownerRefs); + if (monitor.kind !== Kind.PodMonitor) { + const payload = generateServiceMonitor(monitor, namespace, pkgName, generation, ownerRefs); - log.debug(payload, `Applying ServiceMonitor ${payload.metadata?.name}`); + log.debug(payload, `Applying ServiceMonitor ${payload.metadata?.name}`); - // Apply the ServiceMonitor and force overwrite any existing policy - await K8s(Prometheus.ServiceMonitor).Apply(payload, { force: true }); + // Apply the ServiceMonitor and force overwrite any existing policy + await K8s(PrometheusServiceMonitor).Apply(payload, { force: true }); - payloads.push(payload); + payloads.push(payload); + } } - // Get all related ServiceMonitors in the namespace - const serviceMonitors = await K8s(Prometheus.ServiceMonitor) - .InNamespace(namespace) - .WithLabel("uds/package", pkgName) - .Get(); - - // Find any orphaned ServiceMonitors (not matching the current generation) - const orphanedSM = serviceMonitors.items.filter( - sm => sm.metadata?.labels?.["uds/generation"] !== generation, - ); - - // Delete any orphaned ServiceMonitors - for (const sm of orphanedSM) { - log.debug(sm, `Deleting orphaned ServiceMonitor ${sm.metadata!.name}`); - await K8s(Prometheus.ServiceMonitor).Delete(sm); - } + await purgeOrphans(generation, namespace, pkgName, PrometheusServiceMonitor, log); } catch (err) { throw new Error( `Failed to process ServiceMonitors for ${pkgName}, cause: ${JSON.stringify(err)}`, 
@@ -62,17 +51,7 @@ export async function serviceMonitor(pkg: UDSPackage, namespace: string) { } // Return the list of monitor names - return [...payloads.map(sm => sm.metadata!.name!)]; -} - -export function generateSMName(pkgName: string, monitor: Monitor) { - const { selector, portName, description } = monitor; - - // Ensure the resource name is valid - const nameSuffix = description || `${Object.values(selector)}-${portName}`; - const name = sanitizeResourceName(`${pkgName}-${nameSuffix}`); - - return name; + return [...payloads.map(m => m.metadata!.name!)]; } export function generateServiceMonitor( @@ -83,8 +62,8 @@ export function generateServiceMonitor( ownerRefs: V1OwnerReference[], ) { const { selector, portName } = monitor; - const name = generateSMName(pkgName, monitor); - const payload: Prometheus.ServiceMonitor = { + const name = generateMonitorName(pkgName, monitor); + const payload: PrometheusServiceMonitor = { metadata: { name, namespace, @@ -99,6 +78,7 @@ export function generateServiceMonitor( { port: portName, path: monitor.path || "/metrics", + authorization: monitor.authorization, }, ], selector: { diff --git a/src/pepr/operator/controllers/network/policies.ts b/src/pepr/operator/controllers/network/policies.ts index f12c775b6..8534f028f 100644 --- a/src/pepr/operator/controllers/network/policies.ts +++ b/src/pepr/operator/controllers/network/policies.ts @@ -2,7 +2,7 @@ import { K8s, kind } from "pepr"; import { Component, setupLogger } from "../../../logger"; import { Allow, Direction, Gateway, UDSPackage } from "../../crd"; -import { getOwnerRef, sanitizeResourceName } from "../utils"; +import { getOwnerRef, purgeOrphans, sanitizeResourceName } from "../utils"; import { allowEgressDNS } from "./defaults/allow-egress-dns"; import { allowEgressIstiod } from "./defaults/allow-egress-istiod"; import { allowIngressSidecarMonitoring } from "./defaults/allow-ingress-sidecar-monitoring"; 
@@ -67,13 +67,44 @@ export async function networkPolicies(pkg: UDSPackage, namespace: string) { policies.push(generatedPolicy); } - // Generate NetworkPolicies for any ServiceMonitors that are generated + // Add a network policy for each sso block with authservice enabled (if any pkg.spec.sso[*].enableAuthserviceSelector is set) + const ssos = pkg.spec?.sso?.filter(sso => sso.enableAuthserviceSelector); + + for (const sso of ssos || []) { + const policy: Allow = { + direction: Direction.Egress, + selector: sso.enableAuthserviceSelector, + remoteNamespace: "authservice", + remoteSelector: { "app.kubernetes.io/name": "authservice" }, + port: 10003, + description: `${sanitizeResourceName(sso.clientId)} authservice egress`, + }; + + // Generate the workload to keycloak for JWKS endpoint policy + const generatedPolicy = generate(namespace, policy); + policies.push(generatedPolicy); + + const keycloakPolicy: Allow = { + direction: Direction.Egress, + selector: sso.enableAuthserviceSelector, + remoteNamespace: "keycloak", + remoteSelector: { "app.kubernetes.io/name": "keycloak" }, + port: 8080, + description: `${sanitizeResourceName(sso.clientId)} keycloak JWKS egress`, + }; + + // Generate the policy + const keycloakGeneratedPolicy = generate(namespace, keycloakPolicy); + policies.push(keycloakGeneratedPolicy); + } + + // Generate NetworkPolicies for any monitors that are generated const monitorList = pkg.spec?.monitor ?? []; - // Iterate over each ServiceMonitor + // Iterate over each monitor for (const monitor of monitorList) { const { selector, targetPort, podSelector } = monitor; - // Create the NetworkPolicy for the ServiceMonitor + // Create the NetworkPolicy for the monitor const policy: Allow = { direction: Direction.Ingress, selector: podSelector ?? selector, 
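Review bot: The comment `// Generate the workload to keycloak for JWKS endpoint policy` sits above the authservice egress policy but describes the keycloak policy that follows it; swap it with the `// Generate the policy` comment below, or reword it to `// Generate the workload -> authservice egress policy`. The namespaces, selectors and ports here (`authservice`/10003, `keycloak`/8080) are string literals that duplicate `operatorConfig.namespace` and `listen_port` in authservice/config.ts and the JWKS URL in authorization-policy.ts; one shared constant would keep the NetworkPolicies from drifting out of step with the authservice and Istio configuration they are meant to permit. Note also that `sso.enableAuthserviceSelector` is used directly as the pod selector, so an empty map (if the CRD permits one) produces a policy selecting every pod in the namespace — if that is intended it deserves a comment, since the same selector drives the Istio AuthorizationPolicy.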
@@ -82,7 +113,7 @@ export async function networkPolicies(pkg: UDSPackage, namespace: string) { app: "prometheus", }, port: targetPort, - // Use the targetPort and selector to generate a description for the ServiceMonitor derived policies + // Use the targetPort and selector to generate a description for the monitoring derived policies description: `${targetPort}-${Object.values(selector)} Metrics`, }; // Generate the policy @@ -115,22 +146,7 @@ export async function networkPolicies(pkg: UDSPackage, namespace: string) { await K8s(kind.NetworkPolicy).Apply(policy, { force: true }); } - // Delete any policies that are no longer needed - const policyList = await K8s(kind.NetworkPolicy) - .InNamespace(namespace) - .WithLabel("uds/package", pkgName) - .Get(); - - // Find any orphaned polices (not matching the current generation) - const orphanedNetPol = policyList.items.filter( - netPol => netPol.metadata?.labels?.["uds/generation"] !== generation, - ); - - // Delete any orphaned policies - for (const netPol of orphanedNetPol) { - log.debug(netPol, `Deleting orphaned NetworkPolicy ${netPol.metadata!.name}`); - await K8s(kind.NetworkPolicy).Delete(netPol); - } + await purgeOrphans(generation, namespace, pkgName, kind.NetworkPolicy, log); // Return the list of policies return policies; diff --git a/src/pepr/operator/controllers/utils.ts b/src/pepr/operator/controllers/utils.ts index b6a8df198..b9c6d0ca3 100644 --- a/src/pepr/operator/controllers/utils.ts +++ b/src/pepr/operator/controllers/utils.ts @@ -1,5 +1,7 @@ import { V1OwnerReference } from "@kubernetes/client-node"; -import { GenericKind } from "kubernetes-fluent-client"; +import { GenericClass, GenericKind } from "kubernetes-fluent-client"; +import { K8s } from "pepr"; +import { Logger } from "pino"; /** * Sanitize a resource name to make it a valid Kubernetes resource name. 
@@ -38,3 +40,20 @@ export function getOwnerRef(cr: GenericKind): V1OwnerReference[] { }, ]; } + +export async function purgeOrphans( + generation: string, + namespace: string, + pkgName: string, + kind: T, + log: Logger, +) { + const resources = await K8s(kind).InNamespace(namespace).WithLabel("uds/package", pkgName).Get(); + + for (const resource of resources.items) { + if (resource.metadata?.labels?.["uds/generation"] !== generation) { + log.debug(resource, `Deleting orphaned ${resource.kind!} ${resource.metadata!.name}`); + await K8s(kind).Delete(resource); + } + } +} diff --git a/src/pepr/operator/crd/generated/istio/authorizationpolicy-v1beta1.ts b/src/pepr/operator/crd/generated/istio/authorizationpolicy-v1beta1.ts new file mode 100644 index 000000000..f05d62b50 --- /dev/null +++ b/src/pepr/operator/crd/generated/istio/authorizationpolicy-v1beta1.ts 
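Review bot: `purgeOrphans` has no doc comment, and its contract deserves one: it deletes every resource of `kind` in `namespace` labeled `uds/package=<pkgName>` whose `uds/generation` label is not equal to `generation`, which also covers resources that carry no generation label at all. A JSDoc header stating that, naming the two labels it relies on, and noting that deletions run sequentially with no error handling (one failed `Delete` aborts the remaining deletions and propagates to the caller) would make the behavior visible to the other controllers this shared helper is meant to serve. On the `log.debug` line, `resource.kind!` non-null-asserts a field that items in a Kubernetes list response frequently do not populate, so the message may come out as "Deleting orphaned undefined …"; if the client does not fill it in, log the kind the caller passed instead. The signature as rendered here shows `kind: T` with no declared type parameter, which looks like a `<T extends GenericClass>` clause (matching the new `GenericClass` import) dropped by the rendering rather than a defect in the source.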
@@ -0,0 +1,227 @@ +// This file is auto-generated by kubernetes-fluent-client, do not edit manually + +import { GenericKind, RegisterKind } from "kubernetes-fluent-client"; + +export class AuthorizationPolicy extends GenericKind { + /** + * Configuration for access control on workloads. See more details at: + * https://istio.io/docs/reference/config/security/authorization-policy.html + */ + spec?: Spec; + status?: { [key: string]: unknown }; +} + +/** + * Configuration for access control on workloads. See more details at: + * https://istio.io/docs/reference/config/security/authorization-policy.html + */ +export interface Spec { + /** + * Optional. + */ + action?: Action; + /** + * Specifies detailed configuration of the CUSTOM action. + */ + provider?: Provider; + /** + * Optional. + */ + rules?: Rule[]; + /** + * Optional. + */ + selector?: Selector; + /** + * Optional. + */ + targetRef?: TargetRef; +} + +/** + * Optional. + */ +export enum Action { + Allow = "ALLOW", + Audit = "AUDIT", + Custom = "CUSTOM", + Deny = "DENY", +} + +/** + * Specifies detailed configuration of the CUSTOM action. + */ +export interface Provider { + /** + * Specifies the name of the extension provider. + */ + name?: string; +} + +export interface Rule { + /** + * Optional. + */ + from?: From[]; + /** + * Optional. + */ + to?: To[]; + /** + * Optional. + */ + when?: When[]; +} + +export interface From { + /** + * Source specifies the source of a request. + */ + source?: Source; +} + +/** + * Source specifies the source of a request. + */ +export interface Source { + /** + * Optional. + */ + ipBlocks?: string[]; + /** + * Optional. + */ + namespaces?: string[]; + /** + * Optional. + */ + notIpBlocks?: string[]; + /** + * Optional. + */ + notNamespaces?: string[]; + /** + * Optional. + */ + notPrincipals?: string[]; + /** + * Optional. + */ + notRemoteIpBlocks?: string[]; + /** + * Optional. + */ + notRequestPrincipals?: string[]; + /** + * Optional. 
+ */ + principals?: string[]; + /** + * Optional. + */ + remoteIpBlocks?: string[]; + /** + * Optional. + */ + requestPrincipals?: string[]; +} + +export interface To { + /** + * Operation specifies the operation of a request. + */ + operation?: Operation; +} + +/** + * Operation specifies the operation of a request. + */ +export interface Operation { + /** + * Optional. + */ + hosts?: string[]; + /** + * Optional. + */ + methods?: string[]; + /** + * Optional. + */ + notHosts?: string[]; + /** + * Optional. + */ + notMethods?: string[]; + /** + * Optional. + */ + notPaths?: string[]; + /** + * Optional. + */ + notPorts?: string[]; + /** + * Optional. + */ + paths?: string[]; + /** + * Optional. + */ + ports?: string[]; +} + +export interface When { + /** + * The name of an Istio attribute. + */ + key: string; + /** + * Optional. + */ + notValues?: string[]; + /** + * Optional. + */ + values?: string[]; +} + +/** + * Optional. + */ +export interface Selector { + /** + * One or more labels that indicate a specific set of pods/VMs on which a policy should be + * applied. + */ + matchLabels?: { [key: string]: string }; +} + +/** + * Optional. + */ +export interface TargetRef { + /** + * group is the group of the target resource. + */ + group?: string; + /** + * kind is kind of the target resource. + */ + kind?: string; + /** + * name is the name of the target resource. + */ + name?: string; + /** + * namespace is the namespace of the referent. + */ + namespace?: string; +} + +RegisterKind(AuthorizationPolicy, { + group: "security.istio.io", + version: "v1beta1", + kind: "AuthorizationPolicy", + plural: "authorizationpolicies", +}); diff --git a/src/pepr/operator/crd/generated/istio/requestauthentication-v1.ts b/src/pepr/operator/crd/generated/istio/requestauthentication-v1.ts new file mode 100644 index 000000000..ecf85a878 --- /dev/null +++ b/src/pepr/operator/crd/generated/istio/requestauthentication-v1.ts 
@@ -0,0 +1,138 @@ +// This file is auto-generated by kubernetes-fluent-client, do not edit manually + +import { GenericKind, RegisterKind } from "kubernetes-fluent-client"; + +export class RequestAuthentication extends GenericKind { + /** + * Request authentication configuration for workloads. See more details at: + * https://istio.io/docs/reference/config/security/request_authentication.html + */ + spec?: Spec; + status?: { [key: string]: unknown }; +} + +/** + * Request authentication configuration for workloads. See more details at: + * https://istio.io/docs/reference/config/security/request_authentication.html + */ +export interface Spec { + /** + * Define the list of JWTs that can be validated at the selected workloads' proxy. + */ + jwtRules?: JwtRule[]; + /** + * Optional. + */ + selector?: Selector; + /** + * Optional. + */ + targetRef?: TargetRef; +} + +export interface JwtRule { + /** + * The list of JWT [audiences](https://tools.ietf.org/html/rfc7519#section-4.1.3) that are + * allowed to access. + */ + audiences?: string[]; + /** + * If set to true, the original token will be kept for the upstream request. + */ + forwardOriginalToken?: boolean; + /** + * List of header locations from which JWT is expected. + */ + fromHeaders?: FromHeader[]; + /** + * List of query parameters from which JWT is expected. + */ + fromParams?: string[]; + /** + * Identifies the issuer that issued the JWT. + */ + issuer: string; + /** + * JSON Web Key Set of public keys to validate signature of the JWT. + */ + jwks?: string; + /** + * URL of the provider's public key set to validate signature of the JWT. + */ + jwks_uri?: string; + /** + * URL of the provider's public key set to validate signature of the JWT. + */ + jwksUri?: string; + /** + * This field specifies a list of operations to copy the claim to HTTP headers on a + * successfully verified token. 
+ */ + outputClaimToHeaders?: OutputClaimToHeader[]; + /** + * This field specifies the header name to output a successfully verified JWT payload to the + * backend. + */ + outputPayloadToHeader?: string; +} + +export interface FromHeader { + /** + * The HTTP header name. + */ + name: string; + /** + * The prefix that should be stripped before decoding the token. + */ + prefix?: string; +} + +export interface OutputClaimToHeader { + /** + * The name of the claim to be copied from. + */ + claim?: string; + /** + * The name of the header to be created. + */ + header?: string; +} + +/** + * Optional. + */ +export interface Selector { + /** + * One or more labels that indicate a specific set of pods/VMs on which a policy should be + * applied. + */ + matchLabels?: { [key: string]: string }; +} + +/** + * Optional. + */ +export interface TargetRef { + /** + * group is the group of the target resource. + */ + group?: string; + /** + * kind is kind of the target resource. + */ + kind?: string; + /** + * name is the name of the target resource. + */ + name?: string; + /** + * namespace is the namespace of the referent. + */ + namespace?: string; +} + +RegisterKind(RequestAuthentication, { + group: "security.istio.io", + version: "v1", + kind: "RequestAuthentication", +}); diff --git a/src/pepr/operator/crd/generated/package-v1alpha1.ts b/src/pepr/operator/crd/generated/package-v1alpha1.ts index 71f70981f..a96450297 100644 --- a/src/pepr/operator/crd/generated/package-v1alpha1.ts +++ b/src/pepr/operator/crd/generated/package-v1alpha1.ts @@ -9,7 +9,7 @@ export class Package extends GenericKind { export interface Spec { /** - * Create Service Monitor configurations + * Create Service or Pod Monitor configurations */ monitor?: Monitor[]; /** 
@@ -23,10 +23,19 @@ export interface Spec { } export interface Monitor { + /** + * Authorization settings. + */ + authorization?: Authorization; /** * A description of this monitor entry, this will become part of the ServiceMonitor name */ description?: string; + /** + * The type of monitor to create; PodMonitor or ServiceMonitor. ServiceMonitor is the + * default. + */ + kind?: Kind; /** * HTTP path from which to scrape for metrics, defaults to `/metrics` */ @@ -51,6 +60,51 @@ export interface Monitor { targetPort: number; } +/** + * Authorization settings. + */ +export interface Authorization { + /** + * Selects a key of a Secret in the namespace that contains the credentials for + * authentication. + */ + credentials: Credentials; + /** + * Defines the authentication type. The value is case-insensitive. "Basic" is not a + * supported value. Default: "Bearer" + */ + type?: string; +} + +/** + * Selects a key of a Secret in the namespace that contains the credentials for + * authentication. + */ +export interface Credentials { + /** + * The key of the secret to select from. Must be a valid secret key. + */ + key: string; + /** + * Name of the referent. More info: + * https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + */ + name?: string; + /** + * Specify whether the Secret or its key must be defined + */ + optional?: boolean; +} + +/** + * The type of monitor to create; PodMonitor or ServiceMonitor. ServiceMonitor is the + * default. + */ +export enum Kind { + PodMonitor = "PodMonitor", + ServiceMonitor = "ServiceMonitor", +} + /** * Network configuration for the package */ 
@@ -474,6 +528,11 @@ export interface Sso { * A description for the client, can be a URL to an image to replace the login logo */ description?: string; + /** + * Labels to match pods to automatically protect with authservice. Leave empty to disable + * authservice protection + */ + enableAuthserviceSelector?: { [key: string]: string }; /** * Whether the SSO client is enabled */ @@ -482,10 +541,6 @@ export interface Sso { * The client sso group type */ groups?: Groups; - /** - * If true, the client will generate a new Auth Service client as well - */ - isAuthSvcClient?: boolean; /** * Specifies display name of the client */ @@ -549,6 +604,7 @@ export enum Protocol { } export interface Status { + authserviceClients?: string[]; endpoints?: string[]; monitors?: string[]; networkPolicyCount?: number; diff --git a/src/pepr/operator/crd/generated/prometheus/podmonitor-v1.ts b/src/pepr/operator/crd/generated/prometheus/podmonitor-v1.ts new file mode 100644 index 000000000..d2e9f3f9a --- /dev/null +++ b/src/pepr/operator/crd/generated/prometheus/podmonitor-v1.ts 
@@ -0,0 +1,1011 @@ +// This file is auto-generated by kubernetes-fluent-client, do not edit manually + +import { GenericKind, RegisterKind } from "kubernetes-fluent-client"; + +/** + * PodMonitor defines monitoring for a set of pods. + */ +export class PodMonitor extends GenericKind { + /** + * Specification of desired Pod selection for target discovery by Prometheus. + */ + spec?: Spec; +} + +/** + * Specification of desired Pod selection for target discovery by Prometheus. + */ +export interface Spec { + /** + * `attachMetadata` defines additional metadata which is added to the + * discovered targets. + * + * + * It requires Prometheus >= v2.37.0. + */ + attachMetadata?: AttachMetadata; + /** + * When defined, bodySizeLimit specifies a job level limit on the size + * of uncompressed response body that will be accepted by Prometheus. + * + * + * It requires Prometheus >= v2.28.0. + */ + bodySizeLimit?: string; + /** + * The label to use to retrieve the job name from. + * `jobLabel` selects the label from the associated Kubernetes `Pod` + * object which will be used as the `job` label for all metrics. + * + * + * For example if `jobLabel` is set to `foo` and the Kubernetes `Pod` + * object is labeled with `foo: bar`, then Prometheus adds the `job="bar"` + * label to all ingested metrics. + * + * + * If the value of this field is empty, the `job` label of the metrics + * defaults to the namespace and name of the PodMonitor object (e.g. `/`). + */ + jobLabel?: string; + /** + * Per-scrape limit on the number of targets dropped by relabeling + * that will be kept in memory. 0 means no limit. + * + * + * It requires Prometheus >= v2.47.0. + */ + keepDroppedTargets?: number; + /** + * Per-scrape limit on number of labels that will be accepted for a sample. + * + * + * It requires Prometheus >= v2.27.0. + */ + labelLimit?: number; + /** + * Per-scrape limit on length of labels name that will be accepted for a sample. + * + * + * It requires Prometheus >= v2.27.0. 
+ */ + labelNameLengthLimit?: number; + /** + * Per-scrape limit on length of labels value that will be accepted for a sample. + * + * + * It requires Prometheus >= v2.27.0. + */ + labelValueLengthLimit?: number; + /** + * Selector to select which namespaces the Kubernetes `Pods` objects + * are discovered from. + */ + namespaceSelector?: NamespaceSelector; + /** + * List of endpoints part of this PodMonitor. + */ + podMetricsEndpoints?: PodMetricsEndpoint[]; + /** + * `podTargetLabels` defines the labels which are transferred from the + * associated Kubernetes `Pod` object onto the ingested metrics. + */ + podTargetLabels?: string[]; + /** + * `sampleLimit` defines a per-scrape limit on the number of scraped samples + * that will be accepted. + */ + sampleLimit?: number; + /** + * The scrape class to apply. + */ + scrapeClass?: string; + /** + * `scrapeProtocols` defines the protocols to negotiate during a scrape. It tells clients + * the + * protocols supported by Prometheus in order of preference (from most to least + * preferred). + * + * + * If unset, Prometheus uses its default value. + * + * + * It requires Prometheus >= v2.49.0. + */ + scrapeProtocols?: ScrapeProtocol[]; + /** + * Label selector to select the Kubernetes `Pod` objects. + */ + selector: Selector; + /** + * `targetLimit` defines a limit on the number of scraped targets that will + * be accepted. + */ + targetLimit?: number; +} + +/** + * `attachMetadata` defines additional metadata which is added to the + * discovered targets. + * + * + * It requires Prometheus >= v2.37.0. + */ +export interface AttachMetadata { + /** + * When set to true, Prometheus must have the `get` permission on the + * `Nodes` objects. + */ + node?: boolean; +} + +/** + * Selector to select which namespaces the Kubernetes `Pods` objects + * are discovered from. + */ +export interface NamespaceSelector { + /** + * Boolean describing whether all namespaces are selected in contrast to a + * list restricting them. 
+ */ + any?: boolean; + /** + * List of namespace names to select from. + */ + matchNames?: string[]; +} + +/** + * PodMetricsEndpoint defines an endpoint serving Prometheus metrics to be scraped by + * Prometheus. + */ +export interface PodMetricsEndpoint { + /** + * `authorization` configures the Authorization header credentials to use when + * scraping the target. + * + * + * Cannot be set at the same time as `basicAuth`, or `oauth2`. + */ + authorization?: Authorization; + /** + * `basicAuth` configures the Basic Authentication credentials to use when + * scraping the target. + * + * + * Cannot be set at the same time as `authorization`, or `oauth2`. + */ + basicAuth?: BasicAuth; + /** + * `bearerTokenSecret` specifies a key of a Secret containing the bearer + * token for scraping targets. The secret needs to be in the same namespace + * as the PodMonitor object and readable by the Prometheus Operator. + * + * + * Deprecated: use `authorization` instead. + */ + bearerTokenSecret?: BearerTokenSecret; + /** + * `enableHttp2` can be used to disable HTTP2 when scraping the target. + */ + enableHttp2?: boolean; + /** + * When true, the pods which are not running (e.g. either in Failed or + * Succeeded state) are dropped during the target discovery. + * + * + * If unset, the filtering is enabled. + * + * + * More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#pod-phase + */ + filterRunning?: boolean; + /** + * `followRedirects` defines whether the scrape requests should follow HTTP + * 3xx redirects. + */ + followRedirects?: boolean; + /** + * When true, `honorLabels` preserves the metric's labels when they collide + * with the target's labels. + */ + honorLabels?: boolean; + /** + * `honorTimestamps` controls whether Prometheus preserves the timestamps + * when exposed by the target. + */ + honorTimestamps?: boolean; + /** + * Interval at which Prometheus scrapes the metrics from the target. 
+ * + * + * If empty, Prometheus uses the global scrape interval. + */ + interval?: string; + /** + * `metricRelabelings` configures the relabeling rules to apply to the + * samples before ingestion. + */ + metricRelabelings?: MetricRelabeling[]; + /** + * `oauth2` configures the OAuth2 settings to use when scraping the target. + * + * + * It requires Prometheus >= 2.27.0. + * + * + * Cannot be set at the same time as `authorization`, or `basicAuth`. + */ + oauth2?: Oauth2; + /** + * `params` define optional HTTP URL parameters. + */ + params?: { [key: string]: string[] }; + /** + * HTTP path from which to scrape for metrics. + * + * + * If empty, Prometheus uses the default value (e.g. `/metrics`). + */ + path?: string; + /** + * Name of the Pod port which this endpoint refers to. + * + * + * It takes precedence over `targetPort`. + */ + port?: string; + /** + * `proxyURL` configures the HTTP Proxy URL (e.g. + * "http://proxyserver:2195") to go through when scraping the target. + */ + proxyUrl?: string; + /** + * `relabelings` configures the relabeling rules to apply the target's + * metadata labels. + * + * + * The Operator automatically adds relabelings for a few standard Kubernetes fields. + * + * + * The original scrape job's name is available via the `__tmp_prometheus_job_name` label. + * + * + * More info: + * https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config + */ + relabelings?: Relabeling[]; + /** + * HTTP scheme to use for scraping. + * + * + * `http` and `https` are the expected values unless you rewrite the + * `__scheme__` label via relabeling. + * + * + * If empty, Prometheus uses the default value `http`. + */ + scheme?: Scheme; + /** + * Timeout after which Prometheus considers the scrape to be failed. + * + * + * If empty, Prometheus uses the global scrape timeout unless it is less + * than the target's scrape interval value in which the latter is used. 
+ */ + scrapeTimeout?: string; + /** + * Name or number of the target port of the `Pod` object behind the Service, the + * port must be specified with container port property. + * + * + * Deprecated: use 'port' instead. + */ + targetPort?: number | string; + /** + * TLS configuration to use when scraping the target. + */ + tlsConfig?: TLSConfig; + /** + * `trackTimestampsStaleness` defines whether Prometheus tracks staleness of + * the metrics that have an explicit timestamp present in scraped data. + * Has no effect if `honorTimestamps` is false. + * + * + * It requires Prometheus >= v2.48.0. + */ + trackTimestampsStaleness?: boolean; +} + +/** + * `authorization` configures the Authorization header credentials to use when + * scraping the target. + * + * + * Cannot be set at the same time as `basicAuth`, or `oauth2`. + */ +export interface Authorization { + /** + * Selects a key of a Secret in the namespace that contains the credentials for + * authentication. + */ + credentials?: Credentials; + /** + * Defines the authentication type. The value is case-insensitive. + * + * + * "Basic" is not a supported value. + * + * + * Default: "Bearer" + */ + type?: string; +} + +/** + * Selects a key of a Secret in the namespace that contains the credentials for + * authentication. + */ +export interface Credentials { + /** + * The key of the secret to select from. Must be a valid secret key. + */ + key: string; + /** + * Name of the referent. + * This field is effectively required, but due to backwards compatibility is + * allowed to be empty. Instances of this type with an empty value here are + * almost certainly wrong. + * TODO: Add other useful fields. apiVersion, kind, uid? + * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + * TODO: Drop `kubebuilder:default` when controller-gen doesn't need it + * https://github.com/kubernetes-sigs/kubebuilder/issues/3896. 
+ */ + name?: string; + /** + * Specify whether the Secret or its key must be defined + */ + optional?: boolean; +} + +/** + * `basicAuth` configures the Basic Authentication credentials to use when + * scraping the target. + * + * + * Cannot be set at the same time as `authorization`, or `oauth2`. + */ +export interface BasicAuth { + /** + * `password` specifies a key of a Secret containing the password for + * authentication. + */ + password?: Password; + /** + * `username` specifies a key of a Secret containing the username for + * authentication. + */ + username?: Username; +} + +/** + * `password` specifies a key of a Secret containing the password for + * authentication. + */ +export interface Password { + /** + * The key of the secret to select from. Must be a valid secret key. + */ + key: string; + /** + * Name of the referent. + * This field is effectively required, but due to backwards compatibility is + * allowed to be empty. Instances of this type with an empty value here are + * almost certainly wrong. + * TODO: Add other useful fields. apiVersion, kind, uid? + * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + * TODO: Drop `kubebuilder:default` when controller-gen doesn't need it + * https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + */ + name?: string; + /** + * Specify whether the Secret or its key must be defined + */ + optional?: boolean; +} + +/** + * `username` specifies a key of a Secret containing the username for + * authentication. + */ +export interface Username { + /** + * The key of the secret to select from. Must be a valid secret key. + */ + key: string; + /** + * Name of the referent. + * This field is effectively required, but due to backwards compatibility is + * allowed to be empty. Instances of this type with an empty value here are + * almost certainly wrong. + * TODO: Add other useful fields. apiVersion, kind, uid? 
+ * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + * TODO: Drop `kubebuilder:default` when controller-gen doesn't need it + * https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + */ + name?: string; + /** + * Specify whether the Secret or its key must be defined + */ + optional?: boolean; +} + +/** + * `bearerTokenSecret` specifies a key of a Secret containing the bearer + * token for scraping targets. The secret needs to be in the same namespace + * as the PodMonitor object and readable by the Prometheus Operator. + * + * + * Deprecated: use `authorization` instead. + */ +export interface BearerTokenSecret { + /** + * The key of the secret to select from. Must be a valid secret key. + */ + key: string; + /** + * Name of the referent. + * This field is effectively required, but due to backwards compatibility is + * allowed to be empty. Instances of this type with an empty value here are + * almost certainly wrong. + * TODO: Add other useful fields. apiVersion, kind, uid? + * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + * TODO: Drop `kubebuilder:default` when controller-gen doesn't need it + * https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + */ + name?: string; + /** + * Specify whether the Secret or its key must be defined + */ + optional?: boolean; +} + +/** + * RelabelConfig allows dynamic rewriting of the label set for targets, alerts, + * scraped samples and remote write samples. + * + * + * More info: + * https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config + */ +export interface MetricRelabeling { + /** + * Action to perform based on the regex matching. + * + * + * `Uppercase` and `Lowercase` actions require Prometheus >= v2.36.0. + * `DropEqual` and `KeepEqual` actions require Prometheus >= v2.41.0. 
+ * + * + * Default: "Replace" + */ + action?: Action; + /** + * Modulus to take of the hash of the source label values. + * + * + * Only applicable when the action is `HashMod`. + */ + modulus?: number; + /** + * Regular expression against which the extracted value is matched. + */ + regex?: string; + /** + * Replacement value against which a Replace action is performed if the + * regular expression matches. + * + * + * Regex capture groups are available. + */ + replacement?: string; + /** + * Separator is the string between concatenated SourceLabels. + */ + separator?: string; + /** + * The source labels select values from existing labels. Their content is + * concatenated using the configured Separator and matched against the + * configured regular expression. + */ + sourceLabels?: string[]; + /** + * Label to which the resulting string is written in a replacement. + * + * + * It is mandatory for `Replace`, `HashMod`, `Lowercase`, `Uppercase`, + * `KeepEqual` and `DropEqual` actions. + * + * + * Regex capture groups are available. + */ + targetLabel?: string; +} + +/** + * Action to perform based on the regex matching. + * + * + * `Uppercase` and `Lowercase` actions require Prometheus >= v2.36.0. + * `DropEqual` and `KeepEqual` actions require Prometheus >= v2.41.0. + * + * + * Default: "Replace" + */ +export enum Action { + ActionDrop = "Drop", + ActionKeep = "Keep", + ActionLowercase = "Lowercase", + ActionReplace = "Replace", + ActionUppercase = "Uppercase", + Drop = "drop", + DropEqual = "DropEqual", + Dropequal = "dropequal", + HashMod = "HashMod", + Hashmod = "hashmod", + Keep = "keep", + KeepEqual = "KeepEqual", + Keepequal = "keepequal", + LabelDrop = "LabelDrop", + LabelKeep = "LabelKeep", + LabelMap = "LabelMap", + Labeldrop = "labeldrop", + Labelkeep = "labelkeep", + Labelmap = "labelmap", + Lowercase = "lowercase", + Replace = "replace", + Uppercase = "uppercase", +} + +/** + * `oauth2` configures the OAuth2 settings to use when scraping the target. 
+ * + * + * It requires Prometheus >= 2.27.0. + * + * + * Cannot be set at the same time as `authorization`, or `basicAuth`. + */ +export interface Oauth2 { + /** + * `clientId` specifies a key of a Secret or ConfigMap containing the + * OAuth2 client's ID. + */ + clientId: ClientID; + /** + * `clientSecret` specifies a key of a Secret containing the OAuth2 + * client's secret. + */ + clientSecret: ClientSecret; + /** + * `endpointParams` configures the HTTP parameters to append to the token + * URL. + */ + endpointParams?: { [key: string]: string }; + /** + * `scopes` defines the OAuth2 scopes used for the token request. + */ + scopes?: string[]; + /** + * `tokenURL` configures the URL to fetch the token from. + */ + tokenUrl: string; +} + +/** + * `clientId` specifies a key of a Secret or ConfigMap containing the + * OAuth2 client's ID. + */ +export interface ClientID { + /** + * ConfigMap containing data to use for the targets. + */ + configMap?: ClientIDConfigMap; + /** + * Secret containing data to use for the targets. + */ + secret?: ClientIDSecret; +} + +/** + * ConfigMap containing data to use for the targets. + */ +export interface ClientIDConfigMap { + /** + * The key to select. + */ + key: string; + /** + * Name of the referent. + * This field is effectively required, but due to backwards compatibility is + * allowed to be empty. Instances of this type with an empty value here are + * almost certainly wrong. + * TODO: Add other useful fields. apiVersion, kind, uid? + * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + * TODO: Drop `kubebuilder:default` when controller-gen doesn't need it + * https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + */ + name?: string; + /** + * Specify whether the ConfigMap or its key must be defined + */ + optional?: boolean; +} + +/** + * Secret containing data to use for the targets. + */ +export interface ClientIDSecret { + /** + * The key of the secret to select from. 
Must be a valid secret key. + */ + key: string; + /** + * Name of the referent. + * This field is effectively required, but due to backwards compatibility is + * allowed to be empty. Instances of this type with an empty value here are + * almost certainly wrong. + * TODO: Add other useful fields. apiVersion, kind, uid? + * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + * TODO: Drop `kubebuilder:default` when controller-gen doesn't need it + * https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + */ + name?: string; + /** + * Specify whether the Secret or its key must be defined + */ + optional?: boolean; +} + +/** + * `clientSecret` specifies a key of a Secret containing the OAuth2 + * client's secret. + */ +export interface ClientSecret { + /** + * The key of the secret to select from. Must be a valid secret key. + */ + key: string; + /** + * Name of the referent. + * This field is effectively required, but due to backwards compatibility is + * allowed to be empty. Instances of this type with an empty value here are + * almost certainly wrong. + * TODO: Add other useful fields. apiVersion, kind, uid? + * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + * TODO: Drop `kubebuilder:default` when controller-gen doesn't need it + * https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + */ + name?: string; + /** + * Specify whether the Secret or its key must be defined + */ + optional?: boolean; +} + +/** + * RelabelConfig allows dynamic rewriting of the label set for targets, alerts, + * scraped samples and remote write samples. + * + * + * More info: + * https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config + */ +export interface Relabeling { + /** + * Action to perform based on the regex matching. + * + * + * `Uppercase` and `Lowercase` actions require Prometheus >= v2.36.0. 
+ * `DropEqual` and `KeepEqual` actions require Prometheus >= v2.41.0. + * + * + * Default: "Replace" + */ + action?: Action; + /** + * Modulus to take of the hash of the source label values. + * + * + * Only applicable when the action is `HashMod`. + */ + modulus?: number; + /** + * Regular expression against which the extracted value is matched. + */ + regex?: string; + /** + * Replacement value against which a Replace action is performed if the + * regular expression matches. + * + * + * Regex capture groups are available. + */ + replacement?: string; + /** + * Separator is the string between concatenated SourceLabels. + */ + separator?: string; + /** + * The source labels select values from existing labels. Their content is + * concatenated using the configured Separator and matched against the + * configured regular expression. + */ + sourceLabels?: string[]; + /** + * Label to which the resulting string is written in a replacement. + * + * + * It is mandatory for `Replace`, `HashMod`, `Lowercase`, `Uppercase`, + * `KeepEqual` and `DropEqual` actions. + * + * + * Regex capture groups are available. + */ + targetLabel?: string; +} + +/** + * HTTP scheme to use for scraping. + * + * + * `http` and `https` are the expected values unless you rewrite the + * `__scheme__` label via relabeling. + * + * + * If empty, Prometheus uses the default value `http`. + */ +export enum Scheme { + HTTP = "http", + HTTPS = "https", +} + +/** + * TLS configuration to use when scraping the target. + */ +export interface TLSConfig { + /** + * Certificate authority used when verifying server certificates. + */ + ca?: CA; + /** + * Client certificate to present when doing client-authentication. + */ + cert?: CERT; + /** + * Disable target certificate validation. + */ + insecureSkipVerify?: boolean; + /** + * Secret containing the client key file for the targets. + */ + keySecret?: KeySecret; + /** + * Used to verify the hostname for the targets. 
+ */ + serverName?: string; +} + +/** + * Certificate authority used when verifying server certificates. + */ +export interface CA { + /** + * ConfigMap containing data to use for the targets. + */ + configMap?: CAConfigMap; + /** + * Secret containing data to use for the targets. + */ + secret?: CASecret; +} + +/** + * ConfigMap containing data to use for the targets. + */ +export interface CAConfigMap { + /** + * The key to select. + */ + key: string; + /** + * Name of the referent. + * This field is effectively required, but due to backwards compatibility is + * allowed to be empty. Instances of this type with an empty value here are + * almost certainly wrong. + * TODO: Add other useful fields. apiVersion, kind, uid? + * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + * TODO: Drop `kubebuilder:default` when controller-gen doesn't need it + * https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + */ + name?: string; + /** + * Specify whether the ConfigMap or its key must be defined + */ + optional?: boolean; +} + +/** + * Secret containing data to use for the targets. + */ +export interface CASecret { + /** + * The key of the secret to select from. Must be a valid secret key. + */ + key: string; + /** + * Name of the referent. + * This field is effectively required, but due to backwards compatibility is + * allowed to be empty. Instances of this type with an empty value here are + * almost certainly wrong. + * TODO: Add other useful fields. apiVersion, kind, uid? + * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + * TODO: Drop `kubebuilder:default` when controller-gen doesn't need it + * https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + */ + name?: string; + /** + * Specify whether the Secret or its key must be defined + */ + optional?: boolean; +} + +/** + * Client certificate to present when doing client-authentication. 
+ */ +export interface CERT { + /** + * ConfigMap containing data to use for the targets. + */ + configMap?: CERTConfigMap; + /** + * Secret containing data to use for the targets. + */ + secret?: CERTSecret; +} + +/** + * ConfigMap containing data to use for the targets. + */ +export interface CERTConfigMap { + /** + * The key to select. + */ + key: string; + /** + * Name of the referent. + * This field is effectively required, but due to backwards compatibility is + * allowed to be empty. Instances of this type with an empty value here are + * almost certainly wrong. + * TODO: Add other useful fields. apiVersion, kind, uid? + * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + * TODO: Drop `kubebuilder:default` when controller-gen doesn't need it + * https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + */ + name?: string; + /** + * Specify whether the ConfigMap or its key must be defined + */ + optional?: boolean; +} + +/** + * Secret containing data to use for the targets. + */ +export interface CERTSecret { + /** + * The key of the secret to select from. Must be a valid secret key. + */ + key: string; + /** + * Name of the referent. + * This field is effectively required, but due to backwards compatibility is + * allowed to be empty. Instances of this type with an empty value here are + * almost certainly wrong. + * TODO: Add other useful fields. apiVersion, kind, uid? + * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + * TODO: Drop `kubebuilder:default` when controller-gen doesn't need it + * https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + */ + name?: string; + /** + * Specify whether the Secret or its key must be defined + */ + optional?: boolean; +} + +/** + * Secret containing the client key file for the targets. + */ +export interface KeySecret { + /** + * The key of the secret to select from. Must be a valid secret key. 
+ */ + key: string; + /** + * Name of the referent. + * This field is effectively required, but due to backwards compatibility is + * allowed to be empty. Instances of this type with an empty value here are + * almost certainly wrong. + * TODO: Add other useful fields. apiVersion, kind, uid? + * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + * TODO: Drop `kubebuilder:default` when controller-gen doesn't need it + * https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + */ + name?: string; + /** + * Specify whether the Secret or its key must be defined + */ + optional?: boolean; +} + +/** + * ScrapeProtocol represents a protocol used by Prometheus for scraping metrics. + * Supported values are: + * * `OpenMetricsText0.0.1` + * * `OpenMetricsText1.0.0` + * * `PrometheusProto` + * * `PrometheusText0.0.4` + */ +export enum ScrapeProtocol { + OpenMetricsText001 = "OpenMetricsText0.0.1", + OpenMetricsText100 = "OpenMetricsText1.0.0", + PrometheusProto = "PrometheusProto", + PrometheusText004 = "PrometheusText0.0.4", +} + +/** + * Label selector to select the Kubernetes `Pod` objects. + */ +export interface Selector { + /** + * matchExpressions is a list of label selector requirements. The requirements are ANDed. + */ + matchExpressions?: MatchExpression[]; + /** + * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + * map is equivalent to an element of matchExpressions, whose key field is "key", the + * operator is "In", and the values array contains only "value". The requirements are ANDed. + */ + matchLabels?: { [key: string]: string }; +} + +/** + * A label selector requirement is a selector that contains values, a key, and an operator + * that + * relates the key and values. + */ +export interface MatchExpression { + /** + * key is the label key that the selector applies to. + */ + key: string; + /** + * operator represents a key's relationship to a set of values. 
+ * Valid operators are In, NotIn, Exists and DoesNotExist. + */ + operator: string; + /** + * values is an array of string values. If the operator is In or NotIn, + * the values array must be non-empty. If the operator is Exists or DoesNotExist, + * the values array must be empty. This array is replaced during a strategic + * merge patch. + */ + values?: string[]; +} + +RegisterKind(PodMonitor, { + group: "monitoring.coreos.com", + version: "v1", + kind: "PodMonitor", + plural: "podmonitors", +}); diff --git a/src/pepr/operator/crd/generated/prometheus/servicemonitor-v1.ts b/src/pepr/operator/crd/generated/prometheus/servicemonitor-v1.ts index 4d776ccd4..17c09c2a4 100644 --- a/src/pepr/operator/crd/generated/prometheus/servicemonitor-v1.ts +++ b/src/pepr/operator/crd/generated/prometheus/servicemonitor-v1.ts 
@@ -7,121 +7,178 @@ import { GenericKind, RegisterKind } from "kubernetes-fluent-client"; */ export class ServiceMonitor extends GenericKind { /** - * Specification of desired Service selection for target discovery by Prometheus. + * Specification of desired Service selection for target discovery by + * Prometheus. */ spec?: Spec; } /** - * Specification of desired Service selection for target discovery by Prometheus. + * Specification of desired Service selection for target discovery by + * Prometheus. */ export interface Spec { /** - * `attachMetadata` defines additional metadata which is added to the discovered targets. + * `attachMetadata` defines additional metadata which is added to the + * discovered targets. + * + * * It requires Prometheus >= v2.37.0. */ attachMetadata?: AttachMetadata; + /** + * When defined, bodySizeLimit specifies a job level limit on the size + * of uncompressed response body that will be accepted by Prometheus. + * + * + * It requires Prometheus >= v2.28.0. + */ + bodySizeLimit?: string; /** * List of endpoints part of this ServiceMonitor. */ endpoints?: Endpoint[]; /** - * `jobLabel` selects the label from the associated Kubernetes `Service` object which will - * be used as the `job` label for all metrics. - * For example if `jobLabel` is set to `foo` and the Kubernetes `Service` object is labeled - * with `foo: bar`, then Prometheus adds the `job="bar"` label to all ingested metrics. - * If the value of this field is empty or if the label doesn't exist for the given Service, - * the `job` label of the metrics defaults to the name of the associated Kubernetes - * `Service`. + * `jobLabel` selects the label from the associated Kubernetes `Service` + * object which will be used as the `job` label for all metrics. + * + * + * For example if `jobLabel` is set to `foo` and the Kubernetes `Service` + * object is labeled with `foo: bar`, then Prometheus adds the `job="bar"` + * label to all ingested metrics. 
+ * + * + * If the value of this field is empty or if the label doesn't exist for + * the given Service, the `job` label of the metrics defaults to the name + * of the associated Kubernetes `Service`. */ jobLabel?: string; /** - * Per-scrape limit on the number of targets dropped by relabeling that will be kept in - * memory. 0 means no limit. + * Per-scrape limit on the number of targets dropped by relabeling + * that will be kept in memory. 0 means no limit. + * + * * It requires Prometheus >= v2.47.0. */ keepDroppedTargets?: number; /** * Per-scrape limit on number of labels that will be accepted for a sample. + * + * * It requires Prometheus >= v2.27.0. */ labelLimit?: number; /** * Per-scrape limit on length of labels name that will be accepted for a sample. + * + * * It requires Prometheus >= v2.27.0. */ labelNameLengthLimit?: number; /** * Per-scrape limit on length of labels value that will be accepted for a sample. + * + * * It requires Prometheus >= v2.27.0. */ labelValueLengthLimit?: number; /** - * Selector to select which namespaces the Kubernetes `Endpoints` objects are discovered - * from. + * Selector to select which namespaces the Kubernetes `Endpoints` objects + * are discovered from. */ namespaceSelector?: NamespaceSelector; /** - * `podTargetLabels` defines the labels which are transferred from the associated Kubernetes - * `Pod` object onto the ingested metrics. + * `podTargetLabels` defines the labels which are transferred from the + * associated Kubernetes `Pod` object onto the ingested metrics. */ podTargetLabels?: string[]; /** - * `sampleLimit` defines a per-scrape limit on the number of scraped samples that will be - * accepted. + * `sampleLimit` defines a per-scrape limit on the number of scraped samples + * that will be accepted. */ sampleLimit?: number; + /** + * The scrape class to apply. + */ + scrapeClass?: string; + /** + * `scrapeProtocols` defines the protocols to negotiate during a scrape. 
It tells clients + * the + * protocols supported by Prometheus in order of preference (from most to least + * preferred). + * + * + * If unset, Prometheus uses its default value. + * + * + * It requires Prometheus >= v2.49.0. + */ + scrapeProtocols?: ScrapeProtocol[]; /** * Label selector to select the Kubernetes `Endpoints` objects. */ selector: Selector; /** - * `targetLabels` defines the labels which are transferred from the associated Kubernetes - * `Service` object onto the ingested metrics. + * `targetLabels` defines the labels which are transferred from the + * associated Kubernetes `Service` object onto the ingested metrics. */ targetLabels?: string[]; /** - * `targetLimit` defines a limit on the number of scraped targets that will be accepted. + * `targetLimit` defines a limit on the number of scraped targets that will + * be accepted. */ targetLimit?: number; } /** - * `attachMetadata` defines additional metadata which is added to the discovered targets. + * `attachMetadata` defines additional metadata which is added to the + * discovered targets. + * + * * It requires Prometheus >= v2.37.0. */ export interface AttachMetadata { /** - * When set to true, Prometheus must have the `get` permission on the `Nodes` objects. + * When set to true, Prometheus must have the `get` permission on the + * `Nodes` objects. */ node?: boolean; } /** - * Endpoint defines an endpoint serving Prometheus metrics to be scraped by Prometheus. + * Endpoint defines an endpoint serving Prometheus metrics to be scraped by + * Prometheus. */ export interface Endpoint { /** - * `authorization` configures the Authorization header credentials to use when scraping the - * target. + * `authorization` configures the Authorization header credentials to use when + * scraping the target. + * + * * Cannot be set at the same time as `basicAuth`, or `oauth2`. 
*/ authorization?: Authorization; /** - * `basicAuth` configures the Basic Authentication credentials to use when scraping the - * target. + * `basicAuth` configures the Basic Authentication credentials to use when + * scraping the target. + * + * * Cannot be set at the same time as `authorization`, or `oauth2`. */ basicAuth?: BasicAuth; /** * File to read bearer token for scraping the target. + * + * * Deprecated: use `authorization` instead. */ bearerTokenFile?: string; /** - * `bearerTokenSecret` specifies a key of a Secret containing the bearer token for scraping - * targets. The secret needs to be in the same namespace as the ServiceMonitor object and - * readable by the Prometheus Operator. + * `bearerTokenSecret` specifies a key of a Secret containing the bearer + * token for scraping targets. The secret needs to be in the same namespace + * as the ServiceMonitor object and readable by the Prometheus Operator. + * + * * Deprecated: use `authorization` instead. */ bearerTokenSecret?: BearerTokenSecret; 
@@ -130,39 +187,50 @@ export interface Endpoint { */ enableHttp2?: boolean; /** - * When true, the pods which are not running (e.g. either in Failed or Succeeded state) are - * dropped during the target discovery. + * When true, the pods which are not running (e.g. either in Failed or + * Succeeded state) are dropped during the target discovery. + * + * * If unset, the filtering is enabled. + * + * * More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#pod-phase */ filterRunning?: boolean; /** - * `followRedirects` defines whether the scrape requests should follow HTTP 3xx redirects. + * `followRedirects` defines whether the scrape requests should follow HTTP + * 3xx redirects. */ followRedirects?: boolean; /** - * When true, `honorLabels` preserves the metric's labels when they collide with the - * target's labels. + * When true, `honorLabels` preserves the metric's labels when they collide + * with the target's labels. */ honorLabels?: boolean; /** - * `honorTimestamps` controls whether Prometheus preserves the timestamps when exposed by - * the target. + * `honorTimestamps` controls whether Prometheus preserves the timestamps + * when exposed by the target. */ honorTimestamps?: boolean; /** * Interval at which Prometheus scrapes the metrics from the target. + * + * * If empty, Prometheus uses the global scrape interval. */ interval?: string; /** - * `metricRelabelings` configures the relabeling rules to apply to the samples before - * ingestion. + * `metricRelabelings` configures the relabeling rules to apply to the + * samples before ingestion. */ metricRelabelings?: MetricRelabeling[]; /** * `oauth2` configures the OAuth2 settings to use when scraping the target. + * + * * It requires Prometheus >= 2.27.0. + * + * * Cannot be set at the same time as `authorization`, or `basicAuth`. */ oauth2?: Oauth2; 
@@ -172,44 +240,60 @@ export interface Endpoint { params?: { [key: string]: string[] }; /** * HTTP path from which to scrape for metrics. + * + * * If empty, Prometheus uses the default value (e.g. `/metrics`). */ path?: string; /** * Name of the Service port which this endpoint refers to. + * + * * It takes precedence over `targetPort`. */ port?: string; /** - * `proxyURL` configures the HTTP Proxy URL (e.g. "http://proxyserver:2195") to go through - * when scraping the target. + * `proxyURL` configures the HTTP Proxy URL (e.g. + * "http://proxyserver:2195") to go through when scraping the target. */ proxyUrl?: string; /** - * `relabelings` configures the relabeling rules to apply the target's metadata labels. + * `relabelings` configures the relabeling rules to apply the target's + * metadata labels. + * + * * The Operator automatically adds relabelings for a few standard Kubernetes fields. + * + * * The original scrape job's name is available via the `__tmp_prometheus_job_name` label. + * + * * More info: * https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config */ relabelings?: Relabeling[]; /** * HTTP scheme to use for scraping. - * `http` and `https` are the expected values unless you rewrite the `__scheme__` label via - * relabeling. + * + * + * `http` and `https` are the expected values unless you rewrite the + * `__scheme__` label via relabeling. + * + * * If empty, Prometheus uses the default value `http`. */ scheme?: Scheme; /** * Timeout after which Prometheus considers the scrape to be failed. - * If empty, Prometheus uses the global scrape timeout unless it is less than the target's - * scrape interval value in which the latter is used. + * + * + * If empty, Prometheus uses the global scrape timeout unless it is less + * than the target's scrape interval value in which the latter is used. 
*/ scrapeTimeout?: string; /** - * Name or number of the target port of the `Pod` object behind the Service, the port must - * be specified with container port property. - * Deprecated: use `port` instead. + * Name or number of the target port of the `Pod` object behind the + * Service. The port must be specified with the container's port property. */ targetPort?: number | string; /** @@ -217,17 +301,21 @@ export interface Endpoint { */ tlsConfig?: TLSConfig; /** - * `trackTimestampsStaleness` defines whether Prometheus tracks staleness of the metrics - * that have an explicit timestamp present in scraped data. Has no effect if - * `honorTimestamps` is false. + * `trackTimestampsStaleness` defines whether Prometheus tracks staleness of + * the metrics that have an explicit timestamp present in scraped data. + * Has no effect if `honorTimestamps` is false. + * + * * It requires Prometheus >= v2.48.0. */ trackTimestampsStaleness?: boolean; } /** - * `authorization` configures the Authorization header credentials to use when scraping the - * target. + * `authorization` configures the Authorization header credentials to use when + * scraping the target. + * + * * Cannot be set at the same time as `basicAuth`, or `oauth2`. */ export interface Authorization { @@ -238,7 +326,11 @@ export interface Authorization { credentials?: Credentials; /** * Defines the authentication type. The value is case-insensitive. + * + * * "Basic" is not a supported value. + * + * * Default: "Bearer" */ type?: string; 
@@ -254,9 +346,14 @@ export interface Credentials { */ key: string; /** - * Name of the referent. More info: - * https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add - * other useful fields. apiVersion, kind, uid? + * Name of the referent. + * This field is effectively required, but due to backwards compatibility is + * allowed to be empty. Instances of this type with an empty value here are + * almost certainly wrong. + * TODO: Add other useful fields. apiVersion, kind, uid? + * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + * TODO: Drop `kubebuilder:default` when controller-gen doesn't need it + * https://github.com/kubernetes-sigs/kubebuilder/issues/3896. */ name?: string; /** @@ -266,23 +363,28 @@ export interface Credentials { } /** - * `basicAuth` configures the Basic Authentication credentials to use when scraping the - * target. + * `basicAuth` configures the Basic Authentication credentials to use when + * scraping the target. + * + * * Cannot be set at the same time as `authorization`, or `oauth2`. */ export interface BasicAuth { /** - * `password` specifies a key of a Secret containing the password for authentication. + * `password` specifies a key of a Secret containing the password for + * authentication. */ password?: Password; /** - * `username` specifies a key of a Secret containing the username for authentication. + * `username` specifies a key of a Secret containing the username for + * authentication. */ username?: Username; } /** - * `password` specifies a key of a Secret containing the password for authentication. + * `password` specifies a key of a Secret containing the password for + * authentication. */ export interface Password { /** 
@@ -290,9 +392,14 @@ export interface Password { */ key: string; /** - * Name of the referent. More info: - * https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add - * other useful fields. apiVersion, kind, uid? + * Name of the referent. + * This field is effectively required, but due to backwards compatibility is + * allowed to be empty. Instances of this type with an empty value here are + * almost certainly wrong. + * TODO: Add other useful fields. apiVersion, kind, uid? + * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + * TODO: Drop `kubebuilder:default` when controller-gen doesn't need it + * https://github.com/kubernetes-sigs/kubebuilder/issues/3896. */ name?: string; /** @@ -302,7 +409,8 @@ export interface Password { } /** - * `username` specifies a key of a Secret containing the username for authentication. + * `username` specifies a key of a Secret containing the username for + * authentication. */ export interface Username { /** @@ -310,9 +418,14 @@ export interface Username { */ key: string; /** - * Name of the referent. More info: - * https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add - * other useful fields. apiVersion, kind, uid? + * Name of the referent. + * This field is effectively required, but due to backwards compatibility is + * allowed to be empty. Instances of this type with an empty value here are + * almost certainly wrong. + * TODO: Add other useful fields. apiVersion, kind, uid? + * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + * TODO: Drop `kubebuilder:default` when controller-gen doesn't need it + * https://github.com/kubernetes-sigs/kubebuilder/issues/3896. */ name?: string; /** 
@@ -322,9 +435,11 @@ export interface Username { } /** - * `bearerTokenSecret` specifies a key of a Secret containing the bearer token for scraping - * targets. The secret needs to be in the same namespace as the ServiceMonitor object and - * readable by the Prometheus Operator. + * `bearerTokenSecret` specifies a key of a Secret containing the bearer + * token for scraping targets. The secret needs to be in the same namespace + * as the ServiceMonitor object and readable by the Prometheus Operator. + * + * * Deprecated: use `authorization` instead. */ export interface BearerTokenSecret { @@ -333,9 +448,14 @@ export interface BearerTokenSecret { */ key: string; /** - * Name of the referent. More info: - * https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add - * other useful fields. apiVersion, kind, uid? + * Name of the referent. + * This field is effectively required, but due to backwards compatibility is + * allowed to be empty. Instances of this type with an empty value here are + * almost certainly wrong. + * TODO: Add other useful fields. apiVersion, kind, uid? + * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + * TODO: Drop `kubebuilder:default` when controller-gen doesn't need it + * https://github.com/kubernetes-sigs/kubebuilder/issues/3896. */ name?: string; /** 
@@ -345,21 +465,29 @@ export interface BearerTokenSecret { } /** - * RelabelConfig allows dynamic rewriting of the label set for targets, alerts, scraped - * samples and remote write samples. + * RelabelConfig allows dynamic rewriting of the label set for targets, alerts, + * scraped samples and remote write samples. + * + * * More info: * https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config */ export interface MetricRelabeling { /** * Action to perform based on the regex matching. - * `Uppercase` and `Lowercase` actions require Prometheus >= v2.36.0. `DropEqual` and - * `KeepEqual` actions require Prometheus >= v2.41.0. + * + * + * `Uppercase` and `Lowercase` actions require Prometheus >= v2.36.0. + * `DropEqual` and `KeepEqual` actions require Prometheus >= v2.41.0. + * + * * Default: "Replace" */ action?: Action; /** * Modulus to take of the hash of the source label values. + * + * * Only applicable when the action is `HashMod`. */ modulus?: number; @@ -368,8 +496,10 @@ export interface MetricRelabeling { */ regex?: string; /** - * Replacement value against which a Replace action is performed if the regular expression - * matches. + * Replacement value against which a Replace action is performed if the + * regular expression matches. + * + * * Regex capture groups are available. */ replacement?: string; 
@@ -378,14 +508,19 @@ export interface MetricRelabeling { */ separator?: string; /** - * The source labels select values from existing labels. Their content is concatenated using - * the configured Separator and matched against the configured regular expression. + * The source labels select values from existing labels. Their content is + * concatenated using the configured Separator and matched against the + * configured regular expression. */ sourceLabels?: string[]; /** * Label to which the resulting string is written in a replacement. - * It is mandatory for `Replace`, `HashMod`, `Lowercase`, `Uppercase`, `KeepEqual` and - * `DropEqual` actions. + * + * + * It is mandatory for `Replace`, `HashMod`, `Lowercase`, `Uppercase`, + * `KeepEqual` and `DropEqual` actions. + * + * * Regex capture groups are available. */ targetLabel?: string; @@ -393,8 +528,12 @@ export interface MetricRelabeling { /** * Action to perform based on the regex matching. - * `Uppercase` and `Lowercase` actions require Prometheus >= v2.36.0. `DropEqual` and - * `KeepEqual` actions require Prometheus >= v2.41.0. + * + * + * `Uppercase` and `Lowercase` actions require Prometheus >= v2.36.0. + * `DropEqual` and `KeepEqual` actions require Prometheus >= v2.41.0. + * + * * Default: "Replace" */ export enum Action { 
@@ -424,20 +563,27 @@ export enum Action { /** * `oauth2` configures the OAuth2 settings to use when scraping the target. + * + * * It requires Prometheus >= 2.27.0. + * + * * Cannot be set at the same time as `authorization`, or `basicAuth`. */ export interface Oauth2 { /** - * `clientId` specifies a key of a Secret or ConfigMap containing the OAuth2 client's ID. + * `clientId` specifies a key of a Secret or ConfigMap containing the + * OAuth2 client's ID. */ clientId: ClientID; /** - * `clientSecret` specifies a key of a Secret containing the OAuth2 client's secret. + * `clientSecret` specifies a key of a Secret containing the OAuth2 + * client's secret. */ clientSecret: ClientSecret; /** - * `endpointParams` configures the HTTP parameters to append to the token URL. + * `endpointParams` configures the HTTP parameters to append to the token + * URL. */ endpointParams?: { [key: string]: string }; /** @@ -451,7 +597,8 @@ export interface Oauth2 { } /** - * `clientId` specifies a key of a Secret or ConfigMap containing the OAuth2 client's ID. + * `clientId` specifies a key of a Secret or ConfigMap containing the + * OAuth2 client's ID. */ export interface ClientID { /** @@ -473,9 +620,14 @@ export interface ClientIDConfigMap { */ key: string; /** - * Name of the referent. More info: - * https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add - * other useful fields. apiVersion, kind, uid? + * Name of the referent. + * This field is effectively required, but due to backwards compatibility is + * allowed to be empty. Instances of this type with an empty value here are + * almost certainly wrong. + * TODO: Add other useful fields. apiVersion, kind, uid? + * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + * TODO: Drop `kubebuilder:default` when controller-gen doesn't need it + * https://github.com/kubernetes-sigs/kubebuilder/issues/3896. */ name?: string; /** 
@@ -493,9 +645,14 @@ export interface ClientIDSecret { */ key: string; /** - * Name of the referent. More info: - * https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add - * other useful fields. apiVersion, kind, uid? + * Name of the referent. + * This field is effectively required, but due to backwards compatibility is + * allowed to be empty. Instances of this type with an empty value here are + * almost certainly wrong. + * TODO: Add other useful fields. apiVersion, kind, uid? + * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + * TODO: Drop `kubebuilder:default` when controller-gen doesn't need it + * https://github.com/kubernetes-sigs/kubebuilder/issues/3896. */ name?: string; /** @@ -505,7 +662,8 @@ export interface ClientIDSecret { } /** - * `clientSecret` specifies a key of a Secret containing the OAuth2 client's secret. + * `clientSecret` specifies a key of a Secret containing the OAuth2 + * client's secret. */ export interface ClientSecret { /** @@ -513,9 +671,14 @@ export interface ClientSecret { */ key: string; /** - * Name of the referent. More info: - * https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add - * other useful fields. apiVersion, kind, uid? + * Name of the referent. + * This field is effectively required, but due to backwards compatibility is + * allowed to be empty. Instances of this type with an empty value here are + * almost certainly wrong. + * TODO: Add other useful fields. apiVersion, kind, uid? + * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + * TODO: Drop `kubebuilder:default` when controller-gen doesn't need it + * https://github.com/kubernetes-sigs/kubebuilder/issues/3896. */ name?: string; /** 
@@ -525,21 +688,29 @@ export interface ClientSecret { } /** - * RelabelConfig allows dynamic rewriting of the label set for targets, alerts, scraped - * samples and remote write samples. + * RelabelConfig allows dynamic rewriting of the label set for targets, alerts, + * scraped samples and remote write samples. + * + * * More info: * https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config */ export interface Relabeling { /** * Action to perform based on the regex matching. - * `Uppercase` and `Lowercase` actions require Prometheus >= v2.36.0. `DropEqual` and - * `KeepEqual` actions require Prometheus >= v2.41.0. + * + * + * `Uppercase` and `Lowercase` actions require Prometheus >= v2.36.0. + * `DropEqual` and `KeepEqual` actions require Prometheus >= v2.41.0. + * + * * Default: "Replace" */ action?: Action; /** * Modulus to take of the hash of the source label values. + * + * * Only applicable when the action is `HashMod`. */ modulus?: number; @@ -548,8 +719,10 @@ export interface Relabeling { */ regex?: string; /** - * Replacement value against which a Replace action is performed if the regular expression - * matches. + * Replacement value against which a Replace action is performed if the + * regular expression matches. + * + * * Regex capture groups are available. */ replacement?: string; 
@@ -558,14 +731,19 @@ export interface Relabeling { */ separator?: string; /** - * The source labels select values from existing labels. Their content is concatenated using - * the configured Separator and matched against the configured regular expression. + * The source labels select values from existing labels. Their content is + * concatenated using the configured Separator and matched against the + * configured regular expression. */ sourceLabels?: string[]; /** * Label to which the resulting string is written in a replacement. - * It is mandatory for `Replace`, `HashMod`, `Lowercase`, `Uppercase`, `KeepEqual` and - * `DropEqual` actions. + * + * + * It is mandatory for `Replace`, `HashMod`, `Lowercase`, `Uppercase`, + * `KeepEqual` and `DropEqual` actions. + * + * * Regex capture groups are available. */ targetLabel?: string; @@ -573,8 +751,12 @@ export interface Relabeling { /** * HTTP scheme to use for scraping. - * `http` and `https` are the expected values unless you rewrite the `__scheme__` label via - * relabeling. + * + * + * `http` and `https` are the expected values unless you rewrite the + * `__scheme__` label via relabeling. + * + * * If empty, Prometheus uses the default value `http`. */ export enum Scheme { 
@@ -643,9 +825,14 @@ export interface CAConfigMap { */ key: string; /** - * Name of the referent. More info: - * https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add - * other useful fields. apiVersion, kind, uid? + * Name of the referent. + * This field is effectively required, but due to backwards compatibility is + * allowed to be empty. Instances of this type with an empty value here are + * almost certainly wrong. + * TODO: Add other useful fields. apiVersion, kind, uid? + * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + * TODO: Drop `kubebuilder:default` when controller-gen doesn't need it + * https://github.com/kubernetes-sigs/kubebuilder/issues/3896. */ name?: string; /** @@ -663,9 +850,14 @@ export interface CASecret { */ key: string; /** - * Name of the referent. More info: - * https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add - * other useful fields. apiVersion, kind, uid? + * Name of the referent. + * This field is effectively required, but due to backwards compatibility is + * allowed to be empty. Instances of this type with an empty value here are + * almost certainly wrong. + * TODO: Add other useful fields. apiVersion, kind, uid? + * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + * TODO: Drop `kubebuilder:default` when controller-gen doesn't need it + * https://github.com/kubernetes-sigs/kubebuilder/issues/3896. */ name?: string; /** 
@@ -697,9 +889,14 @@ export interface CERTConfigMap { */ key: string; /** - * Name of the referent. More info: - * https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add - * other useful fields. apiVersion, kind, uid? + * Name of the referent. + * This field is effectively required, but due to backwards compatibility is + * allowed to be empty. Instances of this type with an empty value here are + * almost certainly wrong. + * TODO: Add other useful fields. apiVersion, kind, uid? + * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + * TODO: Drop `kubebuilder:default` when controller-gen doesn't need it + * https://github.com/kubernetes-sigs/kubebuilder/issues/3896. */ name?: string; /** @@ -717,9 +914,14 @@ export interface CERTSecret { */ key: string; /** - * Name of the referent. More info: - * https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add - * other useful fields. apiVersion, kind, uid? + * Name of the referent. + * This field is effectively required, but due to backwards compatibility is + * allowed to be empty. Instances of this type with an empty value here are + * almost certainly wrong. + * TODO: Add other useful fields. apiVersion, kind, uid? + * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + * TODO: Drop `kubebuilder:default` when controller-gen doesn't need it + * https://github.com/kubernetes-sigs/kubebuilder/issues/3896. */ name?: string; /** 
@@ -737,9 +939,14 @@ export interface KeySecret { */ key: string; /** - * Name of the referent. More info: - * https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add - * other useful fields. apiVersion, kind, uid? + * Name of the referent. + * This field is effectively required, but due to backwards compatibility is + * allowed to be empty. Instances of this type with an empty value here are + * almost certainly wrong. + * TODO: Add other useful fields. apiVersion, kind, uid? + * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + * TODO: Drop `kubebuilder:default` when controller-gen doesn't need it + * https://github.com/kubernetes-sigs/kubebuilder/issues/3896. */ name?: string; /** @@ -749,13 +956,13 @@ export interface KeySecret { } /** - * Selector to select which namespaces the Kubernetes `Endpoints` objects are discovered - * from. + * Selector to select which namespaces the Kubernetes `Endpoints` objects + * are discovered from. */ export interface NamespaceSelector { /** - * Boolean describing whether all namespaces are selected in contrast to a list restricting - * them. + * Boolean describing whether all namespaces are selected in contrast to a + * list restricting them. */ any?: boolean; /** @@ -764,6 +971,21 @@ export interface NamespaceSelector { matchNames?: string[]; } +/** + * ScrapeProtocol represents a protocol used by Prometheus for scraping metrics. + * Supported values are: + * * `OpenMetricsText0.0.1` + * * `OpenMetricsText1.0.0` + * * `PrometheusProto` + * * `PrometheusText0.0.4` + */ +export enum ScrapeProtocol { + OpenMetricsText001 = "OpenMetricsText0.0.1", + OpenMetricsText100 = "OpenMetricsText1.0.0", + PrometheusProto = "PrometheusProto", + PrometheusText004 = "PrometheusText0.0.4", +} + /** * Label selector to select the Kubernetes `Endpoints` objects. */ 
@@ -773,16 +995,17 @@ export interface Selector { */ matchExpressions?: MatchExpression[]; /** - * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is - * equivalent to an element of matchExpressions, whose key field is "key", the operator is - * "In", and the values array contains only "value". The requirements are ANDed. + * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + * map is equivalent to an element of matchExpressions, whose key field is "key", the + * operator is "In", and the values array contains only "value". The requirements are ANDed. */ matchLabels?: { [key: string]: string }; } /** * A label selector requirement is a selector that contains values, a key, and an operator - * that relates the key and values. + * that + * relates the key and values. */ export interface MatchExpression { /** @@ -790,14 +1013,15 @@ export interface MatchExpression { */ key: string; /** - * operator represents a key's relationship to a set of values. Valid operators are In, - * NotIn, Exists and DoesNotExist. + * operator represents a key's relationship to a set of values. + * Valid operators are In, NotIn, Exists and DoesNotExist. */ operator: string; /** - * values is an array of string values. If the operator is In or NotIn, the values array - * must be non-empty. If the operator is Exists or DoesNotExist, the values array must be - * empty. This array is replaced during a strategic merge patch. + * values is an array of string values. If the operator is In or NotIn, + * the values array must be non-empty. If the operator is Exists or DoesNotExist, + * the values array must be empty. This array is replaced during a strategic + * merge patch. */ values?: string[]; } @@ -806,4 +1030,5 @@ RegisterKind(ServiceMonitor, { group: "monitoring.coreos.com", version: "v1", kind: "ServiceMonitor", + plural: "servicemonitors", }); 
diff --git a/src/pepr/operator/crd/index.ts b/src/pepr/operator/crd/index.ts index 163b8387a..285c6c904 100644 --- a/src/pepr/operator/crd/index.ts +++ b/src/pepr/operator/crd/index.ts @@ -2,8 +2,8 @@ export { Allow, Direction, Expose, - Monitor, Gateway, + Monitor, Phase, Status as PkgStatus, RemoteGenerated, @@ -20,17 +20,33 @@ export { } from "./generated/exemption-v1alpha1"; export { - VirtualService as IstioVirtualService, - HTTPRoute as IstioHTTPRoute, HTTP as IstioHTTP, + HTTPRoute as IstioHTTPRoute, + VirtualService as IstioVirtualService, } from "./generated/istio/virtualservice-v1beta1"; export { - ServiceEntry as IstioServiceEntry, - Location as IstioLocation, - Resolution as IstioResolution, Endpoint as IstioEndpoint, + Location as IstioLocation, Port as IstioPort, + Resolution as IstioResolution, + ServiceEntry as IstioServiceEntry, } from "./generated/istio/serviceentry-v1beta1"; -export * as Prometheus from "./generated/prometheus/servicemonitor-v1"; +export { + PodMetricsEndpoint as PodMonitorEndpoint, + Scheme as PodMonitorScheme, + PodMonitor as PrometheusPodMonitor, +} from "./generated/prometheus/podmonitor-v1"; + +export { + ServiceMonitor as PrometheusServiceMonitor, + Endpoint as ServiceMonitorEndpoint, + Scheme as ServiceMonitorScheme, +} from "./generated/prometheus/servicemonitor-v1"; + +export { + Action as IstioAction, + AuthorizationPolicy as IstioAuthorizationPolicy, +} from "./generated/istio/authorizationpolicy-v1beta1"; +export { RequestAuthentication as IstioRequestAuthentication } from "./generated/istio/requestauthentication-v1"; diff --git a/src/pepr/operator/crd/sources/package/v1alpha1.ts b/src/pepr/operator/crd/sources/package/v1alpha1.ts index 0a61f8ae1..e5628b230 100644 --- a/src/pepr/operator/crd/sources/package/v1alpha1.ts +++ b/src/pepr/operator/crd/sources/package/v1alpha1.ts 
@@ -2,6 +2,40 @@ import { V1CustomResourceDefinitionVersion, V1JSONSchemaProps } from "@kubernete import { advancedHTTP } from "../istio/virtualservice-v1beta1"; +const AuthorizationSchema: V1JSONSchemaProps = { + description: "Authorization settings.", + type: "object", + properties: { + credentials: { + description: + "Selects a key of a Secret in the namespace that contains the credentials for authentication.", + type: "object", + properties: { + key: { + description: "The key of the secret to select from. Must be a valid secret key.", + type: "string", + }, + name: { + description: + "Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names", + type: "string", + }, + optional: { + description: "Specify whether the Secret or its key must be defined", + type: "boolean", + }, + }, + required: ["key"], // Ensure key is required in the schema + }, + type: { + description: + 'Defines the authentication type. The value is case-insensitive. "Basic" is not a supported value. Default: "Bearer"', + type: "string", + }, + }, + required: ["credentials"], // Ensure credentials is required in the schema +}; + const allow = { description: "Allow specific traffic (namespace will have a default-deny policy)", type: "array", @@ -160,7 +194,7 @@ const expose = { } as V1JSONSchemaProps; const monitor = { - description: "Create Service Monitor configurations", + description: "Create Service or Pod Monitor configurations", type: "array", items: { type: "object", @@ -202,6 +236,13 @@ const monitor = { description: "HTTP path from which to scrape for metrics, defaults to `/metrics`", type: "string", }, + kind: { + description: + "The type of monitor to create; PodMonitor or ServiceMonitor. ServiceMonitor is the default.", + enum: ["PodMonitor", "ServiceMonitor"], + type: "string", + }, + authorization: AuthorizationSchema, }, }, }; 
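Review bot: The new `kind` property in the last hunk says "ServiceMonitor is the default" but declares no `default`, so stored CRs carry no `kind` and every consumer has to re-implement the fallback; adding `default: "ServiceMonitor",` under the `enum` line would make the schema match its description, and the file already uses schema defaults elsewhere. In `AuthorizationSchema`, the `credentials` description says "a Secret in the namespace" without naming which namespace the operator resolves it in (the consumer is not in this hunk); if it is the Package's own namespace, say so: `"Selects a key of a Secret in the Package's namespace that contains the credentials for authentication."`. The `monitor` definition continues outside the hunk.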
@@ -213,10 +254,13 @@ const sso = { type: "object", required: ["clientId", "name", "redirectUris"], properties: { - isAuthSvcClient: { - description: "If true, the client will generate a new Auth Service client as well", - type: "boolean", - default: false, + enableAuthserviceSelector: { + description: + "Labels to match pods to automatically protect with authservice. Leave empty to disable authservice protection", + type: "object", + additionalProperties: { + type: "string", + }, }, secretName: { description: "The name of the secret to store the client secret", @@ -385,6 +429,12 @@ export const v1alpha1: V1CustomResourceDefinitionVersion = { type: "string", }, }, + authserviceClients: { + type: "array", + items: { + type: "string", + }, + }, endpoints: { type: "array", items: { diff --git a/src/pepr/operator/index.ts b/src/pepr/operator/index.ts index 0555c5ab2..5c11232a2 100644 --- a/src/pepr/operator/index.ts +++ b/src/pepr/operator/index.ts @@ -16,6 +16,7 @@ import { UDSExemption, UDSPackage } from "./crd"; import { validator } from "./crd/validators/package-validator"; // Reconciler imports +import { purgeAuthserviceClients } from "./controllers/keycloak/authservice/authservice"; import { exemptValidator } from "./crd/validators/exempt-validator"; import { packageReconciler } from "./reconcilers/package-reconciler"; @@ -49,6 +50,7 @@ When(UDSPackage) // Remove any SSO clients await purgeSSOClients(pkg, []); + await purgeAuthserviceClients(pkg, []); }); // Watch for changes to the UDSPackage CRD to enqueue a package for processing diff --git a/src/pepr/operator/reconcilers/package-reconciler.ts b/src/pepr/operator/reconcilers/package-reconciler.ts index e4062b294..0312441ed 100644 --- a/src/pepr/operator/reconcilers/package-reconciler.ts +++ b/src/pepr/operator/reconcilers/package-reconciler.ts 
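Review bot: Dropping `isAuthSvcClient` from the v1alpha1 schema without a replacement or a validation error means any existing Package CR that set `isAuthSvcClient: true` has that field discarded as unknown, so its client silently loses authservice protection instead of failing loudly, which is fail-open on a security boundary. Keeping the field in the schema marked deprecated, or rejecting it in the package validator (not in this hunk), until packages have migrated to `enableAuthserviceSelector` would turn that into a visible error. The description "Leave empty to disable" also inverts the usual label-selector convention where `{}` matches everything; if the controller really treats an empty map as disabled, the wording should make that unambiguous, e.g. `"Labels to match pods to automatically protect with authservice. Omit this field to disable authservice protection"`. The `sso` definition continues outside the hunk.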
@@ -3,7 +3,9 @@ import { UDSConfig } from "../../config"; import { Component, setupLogger } from "../../logger"; import { enableInjection } from "../controllers/istio/injection"; import { istioResources } from "../controllers/istio/istio-resources"; +import { authservice } from "../controllers/keycloak/authservice/authservice"; import { keycloak } from "../controllers/keycloak/client-sync"; +import { podMonitor } from "../controllers/monitoring/pod-monitor"; import { serviceMonitor } from "../controllers/monitoring/service-monitor"; import { networkPolicies } from "../controllers/network/policies"; import { Phase, UDSPackage } from "../crd"; @@ -46,24 +48,26 @@ export async function packageReconciler(pkg: UDSPackage) { // Update the namespace to ensure the istio-injection label is set await enableInjection(pkg); + // Configure SSO + const ssoClients = await keycloak(pkg); + const authserviceClients = await authservice(pkg, ssoClients); + // Create the VirtualService and ServiceEntry for each exposed service endpoints = await istioResources(pkg, namespace!); // Only configure the ServiceMonitors if not running in single test mode - let monitors: string[] = []; + const monitors: string[] = []; if (!UDSConfig.isSingleTest) { - // Create the ServiceMonitor for each monitored service - monitors = await serviceMonitor(pkg, namespace!); + monitors.push(...(await podMonitor(pkg, namespace!))); + monitors.push(...(await serviceMonitor(pkg, namespace!))); } else { - log.warn(`Running in single test mode, skipping ${name} ServiceMonitors.`); + log.warn(`Running in single test mode, skipping ${name} Monitors.`); } - // Configure SSO - const ssoClients = await keycloak(pkg); - await updateStatus(pkg, { phase: Phase.Ready, - ssoClients, + ssoClients: [...ssoClients.keys()], + authserviceClients, endpoints, monitors, networkPolicyCount: netPol.length, diff --git a/src/pepr/prometheus/index.ts b/src/pepr/prometheus/index.ts index cc8e022d4..1f69b1664 100644 
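Review bot: The retained comment `// Only configure the ServiceMonitors if not running in single test mode` now sits above a block that creates PodMonitors as well, while the log message beneath it was updated to "Monitors"; `// Only configure the Pod/Service Monitors if not running in single test mode` keeps the two in step. The SSO block was moved ahead of `istioResources` with no comment on why the order matters; a one-liner such as `// SSO first: authservice needs the client list before the rest of the package is wired up` (adjust to the real reason) would save the next reader the archaeology. `packageReconciler` continues outside the hunk.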
--- a/src/pepr/prometheus/index.ts +++ b/src/pepr/prometheus/index.ts @@ -1,6 +1,13 @@ import { Capability, K8s, kind } from "pepr"; import { Component, setupLogger } from "../logger"; -import { Prometheus } from "../operator/crd"; +import { + PodMonitorEndpoint, + PodMonitorScheme, + PrometheusPodMonitor, + PrometheusServiceMonitor, + ServiceMonitorEndpoint, + ServiceMonitorScheme, +} from "../operator/crd"; // configure subproject logger const log = setupLogger(Component.PROMETHEUS); 
@@ -13,44 +20,81 @@ export const prometheus = new Capability({ const { When } = prometheus; /** - * Mutate a service monitor to enable mTLS metrics + * Mutate a service monitor to exclude it from mTLS metrics with `exempt` scrapeClass */ -When(Prometheus.ServiceMonitor) +When(PrometheusServiceMonitor) .IsCreatedOrUpdated() .Mutate(async sm => { - // Provide an opt-out of mutation to handle complicated scenarios - if (sm.Raw.metadata?.annotations?.["uds/skip-sm-mutate"]) { + if (sm.Raw.spec === undefined) { return; } - // This assumes istio-injection == strict mTLS due to complexity around mTLS lookup - if (await isIstioInjected(sm)) { - if (sm.Raw.spec?.endpoints === undefined) { - return; - } - + // Add an exempt scrape class if explicitly opted out via annotation OR targeting a non-istio-injected namespace + if ( + sm.Raw.metadata?.annotations?.["uds/skip-mutate"] || + sm.Raw.metadata?.annotations?.["uds/skip-sm-mutate"] || + !(await isIstioInjected(sm)) + ) { + log.info( + `Mutating scrapeClass to exempt ServiceMonitor ${sm.Raw.metadata?.name} from default scrapeClass mTLS config`, + ); + sm.Raw.spec.scrapeClass = "exempt"; + return; + } else { log.info(`Patching service monitor ${sm.Raw.metadata?.name} for mTLS metrics`); + // Note: this tlsConfig patch is deprecated in favor of a default scrape class for both service and pod monitors const tlsConfig = { caFile: "/etc/prom-certs/root-cert.pem", certFile: "/etc/prom-certs/cert-chain.pem", keyFile: "/etc/prom-certs/key.pem", insecureSkipVerify: true, }; - const endpoints: Prometheus.Endpoint[] = sm.Raw.spec.endpoints; + const endpoints: ServiceMonitorEndpoint[] = sm.Raw.spec.endpoints || []; endpoints.forEach(endpoint => { - endpoint.scheme = Prometheus.Scheme.HTTPS; + endpoint.scheme = ServiceMonitorScheme.HTTPS; endpoint.tlsConfig = tlsConfig; }); sm.Raw.spec.endpoints = endpoints; + } + }); + +/** + * Mutate a pod monitor to exclude it from mTLS metrics with `exempt` scrapeClass + */ 
+When(PrometheusPodMonitor) + .IsCreatedOrUpdated() + .Mutate(async pm => { + if (pm.Raw.spec === undefined) { + return; + } + + // Add an exempt scrape class if explicitly opted out via annotation OR targeting a non-istio-injected namespace + if (pm.Raw.metadata?.annotations?.["uds/skip-mutate"] || !(await isIstioInjected(pm))) { + log.info( + `Mutating scrapeClass to exempt PodMonitor ${pm.Raw.metadata?.name} from default scrapeClass mTLS config`, + ); + pm.Raw.spec.scrapeClass = "exempt"; + return; } else { - log.info(`No mutations needed for service monitor ${sm.Raw.metadata?.name}`); + log.info(`Patching pod monitor ${pm.Raw.metadata?.name} for mTLS metrics`); + const endpoints: PodMonitorEndpoint[] = pm.Raw.spec.podMetricsEndpoints || []; + endpoints.forEach(endpoint => { + endpoint.scheme = PodMonitorScheme.HTTPS; + }); + pm.Raw.spec.podMetricsEndpoints = endpoints; } }); -async function isIstioInjected(sm: Prometheus.ServiceMonitor) { - const namespaces = sm.Raw.spec?.namespaceSelector?.matchNames || [sm.Raw.metadata?.namespace] || [ - "default", - ]; +// This assumes istio-injection == strict mTLS due to complexity around mTLS lookup +async function isIstioInjected(monitor: PrometheusServiceMonitor | PrometheusPodMonitor) { + // If monitor allows any namespace assume istio injection + if (monitor.Raw.spec?.namespaceSelector?.any) { + return true; + } + + const namespaces = monitor.Raw.spec?.namespaceSelector?.matchNames || [ + monitor.Raw.metadata?.namespace, + ] || ["default"]; for (const ns of namespaces) { const namespace = await K8s(kind.Namespace).Get(ns); diff --git a/src/prometheus-stack/chart/templates/istio-monitor.yaml b/src/prometheus-stack/chart/templates/istio-monitor.yaml index e82a0d23e..f2871b10b 100644 --- a/src/prometheus-stack/chart/templates/istio-monitor.yaml +++ b/src/prometheus-stack/chart/templates/istio-monitor.yaml 
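Review bot: The annotation check `sm.Raw.metadata?.annotations?.["uds/skip-mutate"]` (and `uds/skip-sm-mutate`) exempts the monitor on any non-empty string, so `uds/skip-mutate: "false"` also sets `scrapeClass` to `exempt` and takes the monitor out of the default mTLS scrape class; the PodMonitor branch below uses the same truthiness test. Comparing against the literal the chart templates in this series write, `sm.Raw.metadata?.annotations?.["uds/skip-mutate"] === "true"`, closes that gap in both places. In `isIstioInjected`, `[monitor.Raw.metadata?.namespace]` is always a non-empty array, so the `|| ["default"]` fallback is dead and a monitor with no namespace reaches `K8s(kind.Namespace).Get(undefined)`; moving the fallback inside the array, `[monitor.Raw.metadata?.namespace ?? "default"]`, restores the intent. `isIstioInjected`'s body continues outside the hunk.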
@@ -4,6 +4,8 @@ kind: PodMonitor metadata: name: envoy-stats-monitor namespace: istio-system + annotations: + uds/skip-mutate: "true" spec: selector: matchExpressions: diff --git a/src/prometheus-stack/chart/templates/prometheus-pod-monitor.yaml b/src/prometheus-stack/chart/templates/prometheus-pod-monitor.yaml index 51e17961d..29f2827c2 100644 --- a/src/prometheus-stack/chart/templates/prometheus-pod-monitor.yaml +++ b/src/prometheus-stack/chart/templates/prometheus-pod-monitor.yaml @@ -4,6 +4,8 @@ kind: PodMonitor metadata: name: prometheus-pod-monitor namespace: monitoring + annotations: + uds/skip-mutate: "true" spec: selector: matchLabels: diff --git a/src/prometheus-stack/values/values.yaml b/src/prometheus-stack/values/values.yaml index 30d2b6559..fe6f21d26 100644 --- a/src/prometheus-stack/values/values.yaml +++ b/src/prometheus-stack/values/values.yaml @@ -24,6 +24,16 @@ prometheus: prometheusSpec: enableFeatures: - remote-write-receiver + additionalConfig: + scrapeClasses: + - name: istio-certs + default: true + tlsConfig: + caFile: /etc/prom-certs/root-cert.pem + certFile: /etc/prom-certs/cert-chain.pem + keyFile: /etc/prom-certs/key.pem + insecureSkipVerify: true + - name: exempt podMetadata: annotations: proxy.istio.io/config: | diff --git a/src/promtail/tasks.yaml b/src/promtail/tasks.yaml index e6b07898c..8117f590a 100644 --- a/src/promtail/tasks.yaml +++ b/src/promtail/tasks.yaml @@ -1,7 +1,7 @@ tasks: - name: validate actions: - - description: Validate promail + - description: Validate promtail wait: cluster: kind: Pod diff --git a/src/test/app-authservice-tenant.yaml b/src/test/app-authservice-tenant.yaml new file mode 100644 index 000000000..094bff22e --- /dev/null +++ b/src/test/app-authservice-tenant.yaml 
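Review bot: The new default scrape class `istio-certs` in values.yaml sets `insecureSkipVerify: true` right next to a `caFile`, so every scrape in the cluster presents the Istio client cert but never verifies the target's certificate, and nothing on the page records why `root-cert.pem` cannot be used for verification. If the reason is that Istio workload certs carry SPIFFE URI SANs rather than the scrape hostname (plausible, but not shown here), state it above the line: `# insecureSkipVerify: Istio workload certs carry SPIFFE URI SANs, not the scrape hostname, so server verification against root-cert.pem cannot succeed; client-cert auth still applies`. The same setting is duplicated in the deprecated tlsConfig patch in src/pepr/prometheus/index.ts, so the explanation belongs here, in the values file that is now the source of truth. The `exempt` class carries no settings at all; a one-line comment saying that monitors in that class scrape with whatever scheme and TLS the monitor itself declares would help whoever reads this file next.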
@@ -0,0 +1,84 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: authservice-test-app +--- +apiVersion: uds.dev/v1alpha1 +kind: Package +metadata: + name: httpbin-other + namespace: authservice-test-app +spec: + sso: + - name: Demo SSO + clientId: uds-core-httpbin + redirectUris: + - "https://protected.uds.dev/login" + enableAuthserviceSelector: + app: httpbin + groups: + anyOf: + - "/UDS Core/Admin" + network: + expose: + - service: httpbin + selector: + app: httpbin + gateway: tenant + host: protected + port: 8000 + targetPort: 80 +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: httpbin + namespace: authservice-test-app +--- +apiVersion: v1 +kind: Service +metadata: + name: httpbin + namespace: authservice-test-app + labels: + app: httpbin + service: httpbin +spec: + ports: + - name: http + port: 8000 + targetPort: 80 + selector: + app: httpbin +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: httpbin + namespace: authservice-test-app +spec: + replicas: 1 + selector: + matchLabels: + app: httpbin + version: v1 + template: + metadata: + labels: + app: httpbin + version: v1 + spec: + serviceAccountName: httpbin + containers: + - image: docker.io/kong/httpbin + imagePullPolicy: IfNotPresent + name: httpbin + resources: + limits: + cpu: 50m + memory: 64Mi + requests: + cpu: 50m + memory: 64Mi + ports: + - containerPort: 80 diff --git a/src/test/chart/Chart.yaml b/src/test/chart/Chart.yaml index 5cabd1306..288986028 100644 --- a/src/test/chart/Chart.yaml +++ b/src/test/chart/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -name: exempted-app +name: uds-podinfo-config description: A Helm chart for testing an exempted-app type: application version: 0.1.0 diff --git a/src/test/chart/templates/package.yaml b/src/test/chart/templates/package.yaml new file mode 100644 index 000000000..1bb8d8e76 --- /dev/null +++ b/src/test/chart/templates/package.yaml 
@@ -0,0 +1,27 @@ +apiVersion: uds.dev/v1alpha1 +kind: Package +metadata: + name: podinfo + namespace: podinfo +spec: + monitor: + - selector: + app.kubernetes.io/name: podinfo + targetPort: 9898 + portName: http + description: "podmonitor" + kind: PodMonitor + - selector: + app.kubernetes.io/name: podinfo + targetPort: 9898 + portName: http + description: "svcmonitor" + kind: ServiceMonitor + network: + expose: + - service: podinfo + selector: + app.kubernetes.io/name: podinfo + gateway: tenant + host: podinfo + port: 9898 diff --git a/src/test/tasks.yaml b/src/test/tasks.yaml index c4ab3d4c2..385728f6a 100644 --- a/src/test/tasks.yaml +++ b/src/test/tasks.yaml @@ -57,6 +57,38 @@ tasks: address: demo-8081.uds.dev code: 200 + - description: Verify the authservice tenant app is accessible + wait: + network: + protocol: https + address: protected.uds.dev + code: 200 + + - description: Wait for authservice to reload configuration + wait: + cluster: + kind: Deployment + name: authservice + namespace: authservice + + - description: Verify the authservice tenant app is protected by checking redirect + maxRetries: 3 + cmd: | + set -e + SSO_REDIRECT=$(uds zarf tools kubectl run curl-test --image=cgr.dev/chainguard/curl:latest -q --restart=Never --rm -i -- -Ls -o /dev/null -w %{url_effective} "https://protected.uds.dev") + + case "${SSO_REDIRECT}" in + "https://sso.uds.dev"*) + echo "Protected by authservice" + ;; + *) + # Fallback option if the condition is false + echo "App is not protected by authservice" + echo $SSO_REDIRECT + exit 1 + ;; + esac + - description: Verify podinfo is healthy wait: cluster: 
@@ -65,5 +97,27 @@ tasks: namespace: podinfo condition: Ready + - description: Verify podinfo package CR is ready + wait: + cluster: + kind: Package + name: podinfo + namespace: podinfo + condition: "'{.status.phase}'=Ready" + + - description: Verify podinfo podmonitor exists + wait: + cluster: + kind: PodMonitor + name: podinfo-podmonitor + namespace: podinfo + + - description: Validate podinfo servicemonitor exists + wait: + cluster: + kind: ServiceMonitor + name: podinfo-svcmonitor + namespace: podinfo + - description: Remove the test resources cmd: "uds zarf package remove build/zarf-package-uds-core-test-apps-*.zst --confirm --no-progress" diff --git a/src/test/zarf.yaml b/src/test/zarf.yaml index 725d5baa2..b98f98bf7 100644 --- a/src/test/zarf.yaml +++ b/src/test/zarf.yaml @@ -14,6 +14,9 @@ components: - name: app-tenant files: - "app-tenant.yaml" + - name: app-authservice-tenant + files: + - "app-authservice-tenant.yaml" images: - docker.io/kong/httpbin:latest - hashicorp/http-echo:latest @@ -21,8 +24,8 @@ components: - name: podinfo required: true charts: - - name: exempted-app - namespace: exempted-app + - name: uds-podinfo-config + namespace: podinfo localPath: ./chart version: 0.1.0 - name: podinfo diff --git a/src/velero/tasks.yaml b/src/velero/tasks.yaml index ffa42bb0a..80a20187c 100644 --- a/src/velero/tasks.yaml +++ b/src/velero/tasks.yaml @@ -54,7 +54,7 @@ tasks: echo "Status is '$STATUS'... waiting to see if it changes" # local testing indicates the status is "Finalizing" for a few seconds after completion - sleep 15 + sleep 30 # check again... STATUS=$(uds zarf tools kubectl get backups -n velero ${BACKUP_NAME} -o jsonpath='{.status.phase}') diff --git a/tasks.yaml b/tasks.yaml index d6976988a..75ee60243 100644 --- a/tasks.yaml +++ b/tasks.yaml @@ -22,6 +22,7 @@ tasks: task: test-uds-core - name: dev-setup + description: "Create k3d cluster with istio" actions: - description: "Create the dev cluster" task: setup:create-k3d-cluster 
@@ -51,24 +52,42 @@ tasks: - description: "Deploy slim dev bundle" task: deploy:k3d-slim-dev-bundle + - name: dev-identity + description: "Create k3d cluster with istio, Pepr, Keycloak, and Authservice for development" + actions: + - task: dev-setup + + - description: "Deploy Pepr" + cmd: "npx pepr deploy --confirm" + + - description: "Deploy Keycloak" + cmd: "uds run dev-deploy --set PKG=keycloak" + + - description: "Deploy Authservice" + cmd: "uds run dev-deploy --set PKG=authservice" + - name: dev-deploy + description: "Deploy the given source package with Zarf Dev" actions: - - description: "Deploy the given source package with Zarf Dev" - cmd: "uds zarf dev deploy src/${PKG} --flavor ${FLAVOR}" + - cmd: "uds zarf dev deploy src/${PKG} --flavor ${FLAVOR}" - name: setup-cluster + description: "Create a k3d Cluster and Initialize with Zarf" actions: - task: setup:k3d-test-cluster - name: create-single-package + description: "Create a single Zarf Package, must set UDS_PKG environment variable" actions: - task: create:single-package - name: create-standard-package + description: "Create UDS Core Zarf Package, `upstream` flavor default, use --set FLAVOR={flavor} to change" actions: - task: create:standard-package - name: deploy-single-package + description: "Deploy Pepr Module and a Zarf Package using UDS_PKG environment variable" actions: - task: deploy:single-package 
@@ -77,21 +96,26 @@ tasks: - task: deploy:k3d-standard-bundle - name: test-single-package + description: "Build and test a single package, must set UDS_PKG environment variable" actions: - task: test:single-package - name: test-uds-core + description: "Build and test UDS Core" actions: - task: test:uds-core - name: test-uds-core-upgrade + description: "Test an upgrade from the latest released UDS Core package to current branch" actions: - task: test:uds-core-upgrade - name: lint-check + description: "Run linting checks" actions: - task: lint:check - name: lint-fix + description: "Fix linting issues" actions: - task: lint:fix diff --git a/tasks/deploy.yaml b/tasks/deploy.yaml index df27a8d7a..31cf9cb00 100644 --- a/tasks/deploy.yaml +++ b/tasks/deploy.yaml @@ -1,8 +1,11 @@ +includes: + - utils: utils.yaml + variables: - name: VERSION description: "The version of the packages to deploy" # x-release-please-start-version - default: "0.23.4" + default: "0.24.0" # x-release-please-end - name: FLAVOR default: upstream 
@@ -23,25 +26,26 @@ tasks: - description: "Deploy the Istio package, if UDS_PKG != istio" cmd: | if [ "${UDS_PKG}" != "istio" ]; then - uds zarf package deploy build/zarf-package-uds-core-istio-${UDS_ARCH}.tar.zst --confirm --no-progress + uds zarf package deploy build/zarf-package-uds-core-istio-${UDS_ARCH}.tar.zst --confirm --no-progress --components '*' fi - description: "Deploy the Pepr Module" cmd: | PEPR_VERSION=$(npm pkg get version | tr -d '"') uds zarf package deploy build/zarf-package-pepr-uds-core-${UDS_ARCH}-${PEPR_VERSION}.tar.zst --confirm --no-progress --set UDS_SINGLE_TEST=true - description: "Deploy the requested Zarf Package (must set UDS_PKG environment variable)" - cmd: uds zarf package deploy build/zarf-package-uds-core-${UDS_PKG}-${UDS_ARCH}.tar.zst --confirm --no-progress + cmd: uds zarf package deploy build/zarf-package-uds-core-${UDS_PKG}-${UDS_ARCH}.tar.zst --confirm --no-progress --components '*' - name: latest-package-release actions: + - task: utils:determine-repo - description: "Get latest tag version from OCI" - cmd: uds zarf tools registry ls ghcr.io/defenseunicorns/packages/uds/core | grep ${FLAVOR} | sort -V | tail -1 + cmd: uds zarf tools registry ls ${TARGET_REPO}/core | grep ${FLAVOR} | sort -V | tail -1 setVariables: - name: LATEST_VERSION - description: "Deploy the latest UDS Core package release" - cmd: uds zarf package deploy oci://ghcr.io/defenseunicorns/packages/uds/core:${LATEST_VERSION} --confirm --no-progress + cmd: uds zarf package deploy oci://${TARGET_REPO}/core:${LATEST_VERSION} --confirm --no-progress --components '*' - name: standard-package actions: - description: "Deploy the standard UDS Core zarf package" - cmd: uds zarf package deploy build/zarf-package-core-${UDS_ARCH}-${VERSION}.tar.zst --confirm --no-progress + cmd: uds zarf package deploy build/zarf-package-core-${UDS_ARCH}-${VERSION}.tar.zst --confirm --no-progress --components '*' 
diff --git a/tasks/publish.yaml b/tasks/publish.yaml index 90af8a533..6dbcf0b57 100644 --- a/tasks/publish.yaml +++ b/tasks/publish.yaml @@ -1,22 +1,24 @@ -variables: - - name: TARGET_REPO - default: ghcr.io/defenseunicorns/packages/uds +includes: + - utils: utils.yaml +variables: - name: FLAVOR default: upstream - name: VERSION description: "The version of the packages to build" # x-release-please-start-version - default: "0.23.4" + default: "0.24.0" # x-release-please-end tasks: - name: standard-package description: "Publish the UDS package" actions: + - task: utils:determine-repo - description: "Publish amd64/arm64 packages per flavor" cmd: | + echo "Publishing package to ${TARGET_REPO}" uds zarf package publish build/zarf-package-core-amd64-${VERSION}.tar.zst oci://${TARGET_REPO} # dont publish arm64 for registry1 since IB images are only amd64 @@ -34,8 +36,10 @@ tasks: - name: bundles description: "Publish UDS Bundles" actions: + - task: utils:determine-repo - description: "Publish amd64 and arm64 bundles" cmd: | + echo "Publishing bundles to ${TARGET_REPO}" uds publish bundles/k3d-standard/uds-bundle-k3d-*-amd64-${VERSION}.tar.zst oci://${TARGET_REPO}/bundles --no-progress uds publish bundles/k3d-standard/uds-bundle-k3d-*-arm64-${VERSION}.tar.zst oci://${TARGET_REPO}/bundles --no-progress diff --git a/tasks/utils.yaml b/tasks/utils.yaml new file mode 100644 index 000000000..fde8b9bb8 --- /dev/null +++ b/tasks/utils.yaml 
@@ -0,0 +1,28 @@
+variables:
+ - name: BASE_REPO
+ default: "ghcr.io/defenseunicorns/packages"
+ - name: FLAVOR
+ default: "upstream"
+ - name: SNAPSHOT
+ description: Whether this is a snapshot release
+ default: "false"
+
+tasks:
+ - name: determine-repo
+ actions:
+ - description: "Determine repository for the given flavor/type of release"
+ cmd: |
+ repo="${BASE_REPO}"
+ # unicorn flavor = private repository
+ if [ "${FLAVOR}" = "unicorn" ]; then
+ repo+=/private
+ fi
+ repo+=/uds
+ # snapshots = snapshot repository
+ if [ "${SNAPSHOT}" = "true" ]; then
+ repo+=/snapshots
+ fi
+ echo "${repo}"
+ mute: true
+ setVariables:
+ - name: TARGET_REPO
From 743987c10abb1d01c233d7ba42aea2f4191e5bd6 Mon Sep 17 00:00:00 2001
From: Micah Nagel
Date: Wed, 17 Jul 2024 15:24:38 -0600
Subject: [PATCH 51/61] ci: try thing
From 7d2ae9c6bb7858342cbceefe9b47e6a8a8afc32a Mon Sep 17 00:00:00 2001
From: Micah Nagel
Date: Wed, 17 Jul 2024 15:25:40 -0600
Subject: [PATCH 52/61] ci: no fail-fast, normal runners
---
 .github/workflows/publish.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
index e37ced407..9269a79fc 100644
--- a/.github/workflows/publish.yaml
+++ b/.github/workflows/publish.yaml
@@ -13,7 +13,8 @@ jobs:
 strategy:
 matrix:
 flavor: [upstream, registry1, unicorn]
- runs-on: "uds-ubuntu-big-boy-8-core"
+ fail-fast: false
+ runs-on: "ubuntu-latest"
 name: Publish packages
 permissions:
From e2aaebe7710badd72482b0c9f09f2f9d4a60a0d8 Mon Sep 17 00:00:00 2001
From: Micah Nagel
Date: Wed, 17 Jul 2024 15:27:18 -0600
Subject: [PATCH 53/61] ci: no mute debug
---
 tasks/utils.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tasks/utils.yaml b/tasks/utils.yaml
index fde8b9bb8..4ba0ba10a 100644
--- a/tasks/utils.yaml
+++ b/tasks/utils.yaml
@@ -23,6 +23,6 @@ tasks:
 repo+=/snapshots
 fi
 echo "${repo}"
- mute: true
+ # mute: true
 setVariables:
 - name: TARGET_REPO
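Review bot: In the new `determine-repo` task the choice between the public `${BASE_REPO}/uds` path and the `/private` path rests on a single equality test, `if [ "${FLAVOR}" = "unicorn" ]`, so any other value — a typo, a differently-cased name, or a flavor added to the workflow matrix without updating this task — silently resolves to the public repository; the comment on that branch says the unicorn flavor belongs in the private repository, so the default should be to refuse, not to publish publicly. Enumerating the known flavors (the matrix in the workflow hunk of this same patch series lists `upstream`, `registry1` and `unicorn`) and exiting non-zero on anything else makes the task fail closed, as in the rewrite below. `SNAPSHOT` is likewise compared only against the literal `true`; a comment such as `# SNAPSHOT must be exactly "true"; any other value means a release` would save the next reader from guessing.
```yaml
        cmd: |
          case "${FLAVOR}" in
            upstream|registry1) repo="${BASE_REPO}/uds" ;;
            # unicorn flavor = private repository
            unicorn) repo="${BASE_REPO}/private/uds" ;;
            *) echo "determine-repo: unknown FLAVOR '${FLAVOR}'" >&2; exit 1 ;;
          esac
          # … unchanged: snapshot suffix and echo "${repo}" …
```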
From 1c925f0abb76399210920da43ede7e8b3bb500e4 Mon Sep 17 00:00:00 2001
From: Micah Nagel
Date: Wed, 17 Jul 2024 15:30:55 -0600
Subject: [PATCH 54/61] fix: ci
---
 tasks/utils.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/tasks/utils.yaml b/tasks/utils.yaml
index 4ba0ba10a..469d6c21a 100644
--- a/tasks/utils.yaml
+++ b/tasks/utils.yaml
@@ -15,12 +15,12 @@ tasks:
 repo="${BASE_REPO}"
 # unicorn flavor = private repository
 if [ "${FLAVOR}" = "unicorn" ]; then
- repo+=/private
+ repo="${repo}/private"
 fi
- repo+=/uds
+ repo="${repo}/uds"
 # snapshots = snapshot repository
 if [ "${SNAPSHOT}" = "true" ]; then
- repo+=/snapshots
+ repo="${repo}/snapshots"
 fi
 echo "${repo}"
 # mute: true
From 2ae4621ca40e3f4c5557644248321e8073a3585f Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Wed, 17 Jul 2024 21:31:38 +0000
Subject: [PATCH 55/61] chore(main): release 0.23.0
---
 .github/bundles/uds-bundle.yaml | 4 +-
 .release-please-manifest.json | 2 +-
 CHANGELOG.md | 323 +++++++++++++++++++++++++++
 README.md | 4 +-
 bundles/k3d-slim-dev/uds-bundle.yaml | 4 +-
 bundles/k3d-standard/uds-bundle.yaml | 4 +-
 packages/slim-dev/zarf.yaml | 2 +-
 packages/standard/zarf.yaml | 2 +-
 tasks/deploy.yaml | 2 +-
 tasks/publish.yaml | 2 +-
 10 files changed, 336 insertions(+), 13 deletions(-)
diff --git a/.github/bundles/uds-bundle.yaml b/.github/bundles/uds-bundle.yaml
index b320ebaf8..e1ed93fe6 100644
--- a/.github/bundles/uds-bundle.yaml
+++ b/.github/bundles/uds-bundle.yaml
@@ -3,7 +3,7 @@ metadata:
 name: uds-core-eks-nightly
 description: A UDS bundle for deploying EKS and UDS Core
 # x-release-please-start-version
- version: "0.24.0"
+ version: "0.23.0"
 # x-release-please-end
 packages:
@@ -14,7 +14,7 @@ packages:
 - name: core
 path: ../../build/
 # x-release-please-start-version
- ref: 0.24.0
+ ref: 0.23.0
 # x-release-please-end
 overrides:
 velero:
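Review bot: The three rewritten lines in the `fix: ci` hunk replace `repo+=/private`, `repo+=/uds` and `repo+=/snapshots` with plain `repo="${repo}/..."` assignments but leave no trace of why, so the next edit to this block can reintroduce `+=` and hit the same failure; the commit title does not say either, though `+=` being a bash extension the task shell does not provide is the likely reason. A single comment above the first assignment would pin it: `# plain assignments, not +=: the task shell is not guaranteed to be bash`. The `cmd` block this hunk edits starts before the hunk.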
diff --git a/.release-please-manifest.json b/.release-please-manifest.json
index 0884f3f46..819990afc 100644
--- a/.release-please-manifest.json
+++ b/.release-please-manifest.json
@@ -1,3 +1,3 @@
 {
- ".": "0.24.0"
+ ".": "0.23.0"
 }
diff --git a/CHANGELOG.md b/CHANGELOG.md
index f42fc9029..8f36f58c9 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,329 @@ All notable changes to this project will be documented in this file. +## [0.23.0](https://github.com/BagelLab/uds-core/compare/v0.24.0...v0.23.0) (2024-07-17) + + +### ⚠ BREAKING CHANGES + +* remove emulated gitlab endpoints from keycloak ([#483](https://github.com/BagelLab/uds-core/issues/483)) + +### Features + +* add `expose` service entry for internal cluster traffic ([#356](https://github.com/BagelLab/uds-core/issues/356)) ([1bde4cc](https://github.com/BagelLab/uds-core/commit/1bde4ccf302864b0c38d093742ca683b96cebe89)) +* add `monitor` to operator, fix monitoring setup ([#256](https://github.com/BagelLab/uds-core/issues/256)) ([bf67722](https://github.com/BagelLab/uds-core/commit/bf67722d4e7e02d44dd29c4436e9a8d2ef960fa5)) +* add authservice to uds-core ([#153](https://github.com/BagelLab/uds-core/issues/153)) ([b0b33b9](https://github.com/BagelLab/uds-core/commit/b0b33b98ae12fe233c922bba55c9328212c2e578)) +* Add istio and preliminary ci ([#3](https://github.com/BagelLab/uds-core/issues/3)) ([fbd7453](https://github.com/BagelLab/uds-core/commit/fbd745392340dbc978b27f0d321f3375882c1c40)) +* add Istio VirtualService Requestmatch to UDS Operator ([#129](https://github.com/BagelLab/uds-core/issues/129)) ([a207197](https://github.com/BagelLab/uds-core/commit/a20719726991d3b981a372b705b776948f6fbc30)) +* add keycloak ([#147](https://github.com/BagelLab/uds-core/issues/147)) ([f99d3d5](https://github.com/BagelLab/uds-core/commit/f99d3d5d4f89264a21dd76d8847e1cef0325d127)) +* add keycloak sso realm values ([#352](https://github.com/BagelLab/uds-core/issues/352)) ([74436ea](https://github.com/BagelLab/uds-core/commit/74436ea78684a74044efdee14564a6582e659998)) +* add metrics-server ([#35](https://github.com/BagelLab/uds-core/issues/35)) ([8216ab9](https://github.com/BagelLab/uds-core/commit/8216ab982be79dc393a2e0db359370b32e660150)) +* add monitoring and logging ([#33](https://github.com/BagelLab/uds-core/issues/33)) 
([c6d9aec](https://github.com/BagelLab/uds-core/commit/c6d9aece4984421e1ccbf476cd0d40fb701e4e50)) +* add nightly testing eks ([#250](https://github.com/BagelLab/uds-core/issues/250)) ([543b09d](https://github.com/BagelLab/uds-core/commit/543b09d103a43c474da6a8c950404cc1f373b03f)) +* add pepr capability for istio + jobs ([#12](https://github.com/BagelLab/uds-core/issues/12)) ([c32a703](https://github.com/BagelLab/uds-core/commit/c32a70390f443c90796978ad4c42bbb4b17eb226)) +* add policy exemptions ([#165](https://github.com/BagelLab/uds-core/issues/165)) ([196df88](https://github.com/BagelLab/uds-core/commit/196df88b01347e530eb1cb49df7440d62c986e0e)) +* add prometheus-stack (monitoring) capability ([#2](https://github.com/BagelLab/uds-core/issues/2)) ([e438ab6](https://github.com/BagelLab/uds-core/commit/e438ab6089bc9d8c6640fa002285d38ddc3022df)) +* add reconciliation retries for CRs ([#423](https://github.com/BagelLab/uds-core/issues/423)) ([424b57b](https://github.com/BagelLab/uds-core/commit/424b57ba91906e1c60e6e92927e37b34d657ad01)) +* add saml and attribute/mapper support for keycloak in uds pepr operator ([#328](https://github.com/BagelLab/uds-core/issues/328)) ([c53d4ee](https://github.com/BagelLab/uds-core/commit/c53d4ee1227d71b60a35419f7c8c9396d71b9508)) +* add UDS Operator and consolidate UDS Policies ([#66](https://github.com/BagelLab/uds-core/issues/66)) ([395c1c4](https://github.com/BagelLab/uds-core/commit/395c1c4aec324d0d939cc410a6bb92129b26653b)) +* add velero package ([#210](https://github.com/BagelLab/uds-core/issues/210)) ([a272945](https://github.com/BagelLab/uds-core/commit/a27294585f0d50732b63672d0c2baf14948e29d1)) +* add Zarf Flavors to support Iron Bank & upstream images ([#63](https://github.com/BagelLab/uds-core/issues/63)) ([232c256](https://github.com/BagelLab/uds-core/commit/232c2566b96be0285c24b8b5787350897e72332f)) +* added initial oscal files ([#145](https://github.com/BagelLab/uds-core/issues/145)) 
([9600d5f](https://github.com/BagelLab/uds-core/commit/9600d5f159e4a04e8f71313f8ed118b87efbb9a1)) +* embed tls certs in istio package ([#32](https://github.com/BagelLab/uds-core/issues/32)) ([fb04fee](https://github.com/BagelLab/uds-core/commit/fb04feec9657f449366389a0e0a474a8cdeecb2c)) +* enable sso for neuvector ([#351](https://github.com/BagelLab/uds-core/issues/351)) ([597353e](https://github.com/BagelLab/uds-core/commit/597353e294e3dc5c06a8d572414e188f9845af8e)) +* expose tls certs as UDS bundle variables ([#48](https://github.com/BagelLab/uds-core/issues/48)) ([c1f8286](https://github.com/BagelLab/uds-core/commit/c1f828650ef2c53a3fd9ed477950046020c5d375)) +* introduce advancedHTTP for expose field & change podLabels to selector ([#154](https://github.com/BagelLab/uds-core/issues/154)) ([1079267](https://github.com/BagelLab/uds-core/commit/107926791149989a782254b8798b7c57a35cfcaf)) +* introduce Pepr common policies ([#50](https://github.com/BagelLab/uds-core/issues/50)) ([54182b4](https://github.com/BagelLab/uds-core/commit/54182b4db691d86ce80379be272d924d105b0d07)) +* introduce sso secret templating ([#276](https://github.com/BagelLab/uds-core/issues/276)) ([e0832ec](https://github.com/BagelLab/uds-core/commit/e0832ec2ee825dc1725483350e3b9295937b8feb)) +* keycloak PVC customization ([#341](https://github.com/BagelLab/uds-core/issues/341)) ([f8eae2a](https://github.com/BagelLab/uds-core/commit/f8eae2a20e02faac6e2c441845a82febeaab3b89)) +* **operator:** add events and improve lifecycle ops ([#245](https://github.com/BagelLab/uds-core/issues/245)) ([502c044](https://github.com/BagelLab/uds-core/commit/502c044547048a380b1f73dead0b8ab1b14a4b4f)) +* release-please integration ([#25](https://github.com/BagelLab/uds-core/issues/25)) ([bf3c53b](https://github.com/BagelLab/uds-core/commit/bf3c53b2ddac4e02e31aa3429029dd9f1c9595e3)) +* switch loki to simple scalable ([#156](https://github.com/BagelLab/uds-core/issues/156)) 
([1661b15](https://github.com/BagelLab/uds-core/commit/1661b154657eba1b30fc5bcec64179cbf6037c03)) +* uds common renovate config ([#391](https://github.com/BagelLab/uds-core/issues/391)) ([035786c](https://github.com/BagelLab/uds-core/commit/035786cadcd9c1fbaf7e0a798f9c13104a1a9a14)) +* uds core docs ([#414](https://github.com/BagelLab/uds-core/issues/414)) ([a35ca7b](https://github.com/BagelLab/uds-core/commit/a35ca7b484ab59572d8205a625db5447a8771e44)) +* update security policy to use provided user, group, and fsgroup ([#82](https://github.com/BagelLab/uds-core/issues/82)) ([6d641ce](https://github.com/BagelLab/uds-core/commit/6d641ce67210999bacda0e855269dca61e7c6a7b)) + + +### Bug Fixes + +* add keycloak to dev bundle and rename ([#262](https://github.com/BagelLab/uds-core/issues/262)) ([f9b905c](https://github.com/BagelLab/uds-core/commit/f9b905c7c2b7e4a6a43e7c83918e3157008433d3)) +* add kubeapi egress for neuvector enforcer ([#291](https://github.com/BagelLab/uds-core/issues/291)) ([87fc886](https://github.com/BagelLab/uds-core/commit/87fc886bc736104a9a3c3aefc4c7d232ed74a4f2)) +* add nightly uds-bundle.yaml to release-please extras for updates ([#346](https://github.com/BagelLab/uds-core/issues/346)) ([d1b3071](https://github.com/BagelLab/uds-core/commit/d1b3071182b48ef4905bb040d203fa42d7bbf76f)) +* add saml configuration to k3d standard bundle ([#425](https://github.com/BagelLab/uds-core/issues/425)) ([15b41d7](https://github.com/BagelLab/uds-core/commit/15b41d7ca506dd913316c41321aa9a3133755ab4)) +* add test for disallow selinux options and handle checking for us… ([#96](https://github.com/BagelLab/uds-core/issues/96)) ([88b969e](https://github.com/BagelLab/uds-core/commit/88b969e2aa4dea8b76dbe397d77c53941f7cfbc8)) +* arm64 packages / bundles creation ([#264](https://github.com/BagelLab/uds-core/issues/264)) ([425fa18](https://github.com/BagelLab/uds-core/commit/425fa184fca6bcebd1eea431dce7112cadae2f44)) +* basic validations for packages 
([#208](https://github.com/BagelLab/uds-core/issues/208)) ([9eba3af](https://github.com/BagelLab/uds-core/commit/9eba3afb7e288c13f75f93d5712d50a3b9e7b92d)) +* change pepr error policy to reject ([#99](https://github.com/BagelLab/uds-core/issues/99)) ([10772e2](https://github.com/BagelLab/uds-core/commit/10772e2c64f1e4b965b6b644b0008c81025029e9)) +* check if exemption exists before cleanup ([#468](https://github.com/BagelLab/uds-core/issues/468)) ([735288b](https://github.com/BagelLab/uds-core/commit/735288b87f2dff3c1bb28e9e20aac812d644aa4d)) +* ci ([1c925f0](https://github.com/BagelLab/uds-core/commit/1c925f0abb76399210920da43ede7e8b3bb500e4)) +* ci things ([f2389a3](https://github.com/BagelLab/uds-core/commit/f2389a33d66491dfab62014cc744b25434202fe2)) +* **ci:** test snapshot fix ([0e556ae](https://github.com/BagelLab/uds-core/commit/0e556aefdf19013aeb23bc72d15ff8971da6f6be)) +* comment out debug ([bdc8677](https://github.com/BagelLab/uds-core/commit/bdc86777d6f06bbb09602185338d6d1c1fe269b9)) +* complete incomplete deploy task ([#21](https://github.com/BagelLab/uds-core/issues/21)) ([45ff5e5](https://github.com/BagelLab/uds-core/commit/45ff5e5d7b6a50cdfcfabb174349ab539a8accd9)) +* concurrency group ([60ca1d0](https://github.com/BagelLab/uds-core/commit/60ca1d06208be3c7f5ec825a37d85504116585d1)) +* de-duplicate renovate matches ([#435](https://github.com/BagelLab/uds-core/issues/435)) ([4f9dbbb](https://github.com/BagelLab/uds-core/commit/4f9dbbbff0bbe1fe348ae7e6c55f97a505f730a9)) +* default keycloak realm envs ([#455](https://github.com/BagelLab/uds-core/issues/455)) ([3a2b48f](https://github.com/BagelLab/uds-core/commit/3a2b48fefb11afcf20f6826fbdef8c43daaf4639)) +* drop path normalization to MERGE_SLASHES to allow apps to handle encoded slashes ([#330](https://github.com/BagelLab/uds-core/issues/330)) ([26e965f](https://github.com/BagelLab/uds-core/commit/26e965fd71dd325bd8df451ce317456bf2d15073)) +* exemption race conditions 
([#407](https://github.com/BagelLab/uds-core/issues/407)) ([d1b3b56](https://github.com/BagelLab/uds-core/commit/d1b3b5669976eb23ca8f88cd5b15a12c56102eca)) +* forgot to commit :( ([29545b6](https://github.com/BagelLab/uds-core/commit/29545b6ca6a35c1717b10b23c8bc2ed3a90f1c4d)) +* github token ([75cfbe4](https://github.com/BagelLab/uds-core/commit/75cfbe446f9b6cd74b9858a7ceb6cd231b348509)) +* hotfix for publishing workflows ([#217](https://github.com/BagelLab/uds-core/issues/217)) ([5fefa01](https://github.com/BagelLab/uds-core/commit/5fefa017d382b7c5557e613b81cd84b27bda85f0)) +* id-token ([5a78de7](https://github.com/BagelLab/uds-core/commit/5a78de7ec926a3ebe82771a5713ac2ff4841271f)) +* inputs silly ([d5c51f3](https://github.com/BagelLab/uds-core/commit/d5c51f35f6817d66bfbf5b2d5f746032893c863a)) +* integrated docs ([#431](https://github.com/BagelLab/uds-core/issues/431)) ([72238fa](https://github.com/BagelLab/uds-core/commit/72238faed167a4e90e4d332e17909510efd98a58)) +* keycloak schema for package cr ([#436](https://github.com/BagelLab/uds-core/issues/436)) ([e32ce9a](https://github.com/BagelLab/uds-core/commit/e32ce9af9176ba8fef702a8c6aac84c15f9ab374)) +* keycloak volume permissions, UI update ([#223](https://github.com/BagelLab/uds-core/issues/223)) ([4454d3e](https://github.com/BagelLab/uds-core/commit/4454d3efcefe6bfa81628d330434afcc246fad65)) +* **keycloak:** add missing postgres host and port secret keys ([#224](https://github.com/BagelLab/uds-core/issues/224)) ([0c4d775](https://github.com/BagelLab/uds-core/commit/0c4d7758cfb077ff592fea907795402485b6c9f5)) +* **keycloak:** only use PVC for devMode ([#241](https://github.com/BagelLab/uds-core/issues/241)) ([a6e6023](https://github.com/BagelLab/uds-core/commit/a6e6023134dc5171441a2043701ed91309e1b32c)) +* kubeapi netpol generation now also includes the ip from the kubernetes service ([#219](https://github.com/BagelLab/uds-core/issues/219)) 
([0a83d02](https://github.com/BagelLab/uds-core/commit/0a83d02f5782d911e3bb63935b0cac70030e5c9b)) +* loki bucket configuration service_account and namespace ([#332](https://github.com/BagelLab/uds-core/issues/332)) ([9518634](https://github.com/BagelLab/uds-core/commit/9518634b24f2d5c285e598f8620849bbc6288ba4)) +* loki local storage ([#84](https://github.com/BagelLab/uds-core/issues/84)) ([b9505bb](https://github.com/BagelLab/uds-core/commit/b9505bbb42b5369c62d7cbfb05e1efb8b8a6200f)) +* loki s3 overrides ([#365](https://github.com/BagelLab/uds-core/issues/365)) ([3545066](https://github.com/BagelLab/uds-core/commit/354506647d65b0484332695abbbd58d91d9e7427)) +* metrics-server mTLS fix ([#44](https://github.com/BagelLab/uds-core/issues/44)) ([4853522](https://github.com/BagelLab/uds-core/commit/4853522c9504c87dcbd8319d689ecb0a1cb42c0b)) +* mismatched exemption/policy for DropAllCapabilities ([#384](https://github.com/BagelLab/uds-core/issues/384)) ([d8ec278](https://github.com/BagelLab/uds-core/commit/d8ec27827e2e2e7d85b4eba6b738f4b126264dd9)) +* named inputs ([c49e6ea](https://github.com/BagelLab/uds-core/commit/c49e6ea2b566198d4702d4c67c659e833a8bad97)) +* network policy to allow metrics-server ingress ([#148](https://github.com/BagelLab/uds-core/issues/148)) ([f1d434a](https://github.com/BagelLab/uds-core/commit/f1d434a68ef1f2a29ab3b13608bc16ce78211ed4)) +* networkpolicy for keycloak smtp egress ([4059954](https://github.com/BagelLab/uds-core/commit/4059954ed92502f10c1b5b769988a363adc06318)) +* nightly testing eks config architecture ([#452](https://github.com/BagelLab/uds-core/issues/452)) ([a0bbd1f](https://github.com/BagelLab/uds-core/commit/a0bbd1f0bf84f03d59866f9797555a08dc8034d6)) +* non-vendored zarf command refs ([#157](https://github.com/BagelLab/uds-core/issues/157)) ([fe183a9](https://github.com/BagelLab/uds-core/commit/fe183a9ae367bc2d7ea7d629e7c15877aabe38cd)) +* ocsp lookup egress policy ([#255](https://github.com/BagelLab/uds-core/issues/255)) 
([77c38f2](https://github.com/BagelLab/uds-core/commit/77c38f22e9a77d9db81504f4c172fdc535c0929e)) +* pepr ironbank renovate update ([#299](https://github.com/BagelLab/uds-core/issues/299)) ([287e40d](https://github.com/BagelLab/uds-core/commit/287e40db5d65f7472a9e9216aae91f3ad92403d9)) +* pepr mutation annotation overwrite ([#385](https://github.com/BagelLab/uds-core/issues/385)) ([6e56b2a](https://github.com/BagelLab/uds-core/commit/6e56b2afec8f54f8c0a4aa4b89fef1d1c754b627)) +* pepr operator derived netpol name collisions ([#480](https://github.com/BagelLab/uds-core/issues/480)) ([de60e25](https://github.com/BagelLab/uds-core/commit/de60e252526d73e439f5665b27f84e8773c24949)) +* registration robot check form id ([#269](https://github.com/BagelLab/uds-core/issues/269)) ([c6419b9](https://github.com/BagelLab/uds-core/commit/c6419b962eb5a02462e9060a66f7765689cfeb8f)) +* release workflow k3d image ([#316](https://github.com/BagelLab/uds-core/issues/316)) ([e7835e0](https://github.com/BagelLab/uds-core/commit/e7835e071f56af148792fbde250100af8e8ca0b8)) +* remove deprecated registry login and add env setup ([#443](https://github.com/BagelLab/uds-core/issues/443)) ([ca6b76f](https://github.com/BagelLab/uds-core/commit/ca6b76f3a66efb6b2e81832aff771ca06bdff68a)) +* remove go mod ([#441](https://github.com/BagelLab/uds-core/issues/441)) ([0de9693](https://github.com/BagelLab/uds-core/commit/0de969333923afb8fd4639547901c7d7f5c6a6f7)) +* remove loki gateway anti-affinity ([#111](https://github.com/BagelLab/uds-core/issues/111)) ([2cba42e](https://github.com/BagelLab/uds-core/commit/2cba42e3a83a25ae7a45f3c3d6a35bdc7bba0b58)) +* remove no-tea and update uds version ([#446](https://github.com/BagelLab/uds-core/issues/446)) ([434844b](https://github.com/BagelLab/uds-core/commit/434844b827e01808b504abf5ee6af83fba813cb6)) +* remove spec from secret yaml ([#226](https://github.com/BagelLab/uds-core/issues/226)) 
([e4b5848](https://github.com/BagelLab/uds-core/commit/e4b58487f736f588944f7c039b8654f9006e04f1)) +* renovate config grouping, test-infra ([#411](https://github.com/BagelLab/uds-core/issues/411)) ([05fd407](https://github.com/BagelLab/uds-core/commit/05fd407e9c3bf6a0bac33de64e892ce2a63275ac)) +* renovate pepr comment ([#410](https://github.com/BagelLab/uds-core/issues/410)) ([a825388](https://github.com/BagelLab/uds-core/commit/a82538817765ad21adb5f6bba283951bf4c23272)) +* resolve istio job termination container status logic issue ([#55](https://github.com/BagelLab/uds-core/issues/55)) ([c0142c2](https://github.com/BagelLab/uds-core/commit/c0142c213446a37185cdf9dec5ae60aaae8ba194)) +* revert "chore: support deselection of metrics-server" ([#196](https://github.com/BagelLab/uds-core/issues/196)) ([25a408d](https://github.com/BagelLab/uds-core/commit/25a408daeb7f6daada11c21e451f973ebe92c07c)) +* runners, snapshot ([df87b55](https://github.com/BagelLab/uds-core/commit/df87b5527b2055d8c15d6223d734e8cbcec0def6)) +* simplify publish repo output ([84805e0](https://github.com/BagelLab/uds-core/commit/84805e01d2704aa3639943f66a4d58b9aea4f690)) +* slim-dev monitoring handling ([#383](https://github.com/BagelLab/uds-core/issues/383)) ([79927aa](https://github.com/BagelLab/uds-core/commit/79927aa58cbb12c849e52b50c00b74629b100b31)) +* sticky sessions for keycloak in ha ([#281](https://github.com/BagelLab/uds-core/issues/281)) ([5ccd557](https://github.com/BagelLab/uds-core/commit/5ccd5576afc34d8b24061887f91ce284ec5857a1)) +* test ([3dc039d](https://github.com/BagelLab/uds-core/commit/3dc039d1ee9d84a7cda7d474652296fef74555ff)) +* typo in comment ([#462](https://github.com/BagelLab/uds-core/issues/462)) ([582b1f4](https://github.com/BagelLab/uds-core/commit/582b1f4754ee3282696ea3b018322a1b3497a7d4)) +* unwanted exemption deletions ([#290](https://github.com/BagelLab/uds-core/issues/290)) 
([50b0cd4](https://github.com/BagelLab/uds-core/commit/50b0cd4211964a90139347558028d6c461956da9)) +* update missing flavor create inputs in publish step ([#118](https://github.com/BagelLab/uds-core/issues/118)) ([a0233eb](https://github.com/BagelLab/uds-core/commit/a0233eb45e2d39035f483f3ed8fb3f396e5030d8)) +* update neuvector values for least privilege ([#373](https://github.com/BagelLab/uds-core/issues/373)) ([7f4de4f](https://github.com/BagelLab/uds-core/commit/7f4de4f729e60a258abc40ce34f9c397fae99181)) +* update status for test ([20983d7](https://github.com/BagelLab/uds-core/commit/20983d749871ac2b769584d2ea5d37c1b9183b52)) +* use updated k3s ([#426](https://github.com/BagelLab/uds-core/issues/426)) ([1da1c49](https://github.com/BagelLab/uds-core/commit/1da1c49e314c73e6fd1f2ef2940aff983262ec6b)) +* validating/mutating webhook networkpolicies and mtls ([#192](https://github.com/BagelLab/uds-core/issues/192)) ([b01e629](https://github.com/BagelLab/uds-core/commit/b01e62960985dd7cb318372abff296fb96f1012b)) +* valueFrom in KeyCloak statefulset.yaml ([#229](https://github.com/BagelLab/uds-core/issues/229)) ([189a5ce](https://github.com/BagelLab/uds-core/commit/189a5ce3a9dd16fe9646a293ca3948db21eb5d78)) +* version ([5053bad](https://github.com/BagelLab/uds-core/commit/5053badca76b7c008ef393f70da7687f423f68d8)) +* wait on istio proxies ([#87](https://github.com/BagelLab/uds-core/issues/87)) ([51cd5a0](https://github.com/BagelLab/uds-core/commit/51cd5a012cc1d095a89b30a22910d3d7ad49885d)) +* workflow links ([eba372c](https://github.com/BagelLab/uds-core/commit/eba372c0b0a942f1bcead8efcd420fbb427ed6e1)) +* workflow outputs silly ([c427851](https://github.com/BagelLab/uds-core/commit/c4278510505b38b651d3f1893a098d1b432e5d95)) +* workflow silliness ([5870a77](https://github.com/BagelLab/uds-core/commit/5870a773b91e96a2f8bf616be2abedbe60263f86)) + + +### Miscellaneous + +* add checks before killing pods when updating istio annotations 
([#457](https://github.com/BagelLab/uds-core/issues/457)) ([a62f9a0](https://github.com/BagelLab/uds-core/commit/a62f9a0e04bb538a8018a3f866c88e8b93c59826)) +* add commit lint workflow ([#19](https://github.com/BagelLab/uds-core/issues/19)) ([776a632](https://github.com/BagelLab/uds-core/commit/776a6325821329b2cbd97da2f40a30447cd48efc)) +* add debug logging to endpointslice watch ([#359](https://github.com/BagelLab/uds-core/issues/359)) ([da3eb5a](https://github.com/BagelLab/uds-core/commit/da3eb5ab4f5e6ced50f838456999995d5be601b7)) +* add debug logs to save logs for easier searching ([#430](https://github.com/BagelLab/uds-core/issues/430)) ([319101b](https://github.com/BagelLab/uds-core/commit/319101b61e4793037aab6c96b92c9d834763e9b8)) +* add debug output to release workflow ([#285](https://github.com/BagelLab/uds-core/issues/285)) ([5f96865](https://github.com/BagelLab/uds-core/commit/5f968651fb4f0da563d9c388efab761863f9ea08)) +* add flavor to pepr build task ([#238](https://github.com/BagelLab/uds-core/issues/238)) ([29bf8a3](https://github.com/BagelLab/uds-core/commit/29bf8a3b83255c7548201f3ea19e22452a1d1d4a)) +* add minio deploy time bundle variable override definitions ([#58](https://github.com/BagelLab/uds-core/issues/58)) ([ca28e7b](https://github.com/BagelLab/uds-core/commit/ca28e7b4c4a42769934cc8ad69361ff29a348cc5)) +* add security.md ([#189](https://github.com/BagelLab/uds-core/issues/189)) ([bf7c1d2](https://github.com/BagelLab/uds-core/commit/bf7c1d28e077cf52d4f765b50d7efb8ce5d60fff)) +* add velero csi plugin ([#424](https://github.com/BagelLab/uds-core/issues/424)) ([c7e49e9](https://github.com/BagelLab/uds-core/commit/c7e49e91d9f7810ddc0368f146d43d3c94c782ad)) +* adding unit test for registerExemptions() ([#105](https://github.com/BagelLab/uds-core/issues/105)) ([5e71fcf](https://github.com/BagelLab/uds-core/commit/5e71fcf4751d2e3f6a1e55583ccf76c0fdc76856)) +* align mutation annotations ([#268](https://github.com/BagelLab/uds-core/issues/268)) 
([f18ad4d](https://github.com/BagelLab/uds-core/commit/f18ad4db94a77f4229cc9267e0129f6aa3381c9a)) +* annotate mutations in policies ([#236](https://github.com/BagelLab/uds-core/issues/236)) ([cc9db50](https://github.com/BagelLab/uds-core/commit/cc9db500bb1033a516104f409fa05b3a1101d832)) +* bump zarf & uds-k3d deps ([#30](https://github.com/BagelLab/uds-core/issues/30)) ([dd28ab3](https://github.com/BagelLab/uds-core/commit/dd28ab3acd163aaccdfb76fbf9726c02a2ff0050)) +* conform to latest uds bundle schema ([#52](https://github.com/BagelLab/uds-core/issues/52)) ([14dad38](https://github.com/BagelLab/uds-core/commit/14dad3819187d4f8e13f7bbc191dca74a29b9c98)) +* dep updates for UDS CLI & Pepr ([#46](https://github.com/BagelLab/uds-core/issues/46)) ([1037634](https://github.com/BagelLab/uds-core/commit/10376349e350bd32f3bf32577d8f8089c09ac6cc)) +* **deps:** pin dependencies ([#79](https://github.com/BagelLab/uds-core/issues/79)) ([bfab11e](https://github.com/BagelLab/uds-core/commit/bfab11e345941d23dfeb928917f38e36a2f75bc9)) +* **deps:** update checkout action to latest sha ([#481](https://github.com/BagelLab/uds-core/issues/481)) ([c6f0137](https://github.com/BagelLab/uds-core/commit/c6f0137bb9a1e11f98d426cec8c98eb4005f160a)) +* **deps:** update checkout to v4.1.7 ([#478](https://github.com/BagelLab/uds-core/issues/478)) ([e91a0a3](https://github.com/BagelLab/uds-core/commit/e91a0a35252581554d9ed587e4ef72c2c88a3586)) +* **deps:** update dependency defenseunicorns/uds-common to v0.2.1 ([#205](https://github.com/BagelLab/uds-core/issues/205)) ([1b01407](https://github.com/BagelLab/uds-core/commit/1b01407c4ae3a707db381b07e1364c572c76eceb)) +* **deps:** update dependency defenseunicorns/uds-common to v0.2.2 ([#232](https://github.com/BagelLab/uds-core/issues/232)) ([083ae0c](https://github.com/BagelLab/uds-core/commit/083ae0c45667e5b9064cbff781fbe4e5bc0d2991)) +* **deps:** update dependency defenseunicorns/uds-common to v0.3.6 
([#261](https://github.com/BagelLab/uds-core/issues/261)) ([1b5398b](https://github.com/BagelLab/uds-core/commit/1b5398b7b778ead8ac3265080ae0bd2b5761066e)) +* **deps:** update dependency weaveworks/eksctl to v0.183.0 ([#499](https://github.com/BagelLab/uds-core/issues/499)) ([9cb8e4d](https://github.com/BagelLab/uds-core/commit/9cb8e4d7c86611918e502de0a7e7e25921523cbc)) +* **deps:** update githubactions ([#179](https://github.com/BagelLab/uds-core/issues/179)) ([7797e25](https://github.com/BagelLab/uds-core/commit/7797e259b9691099cce9e151ce1ebf9f9f181435)) +* **deps:** update githubactions ([#242](https://github.com/BagelLab/uds-core/issues/242)) ([1eb2e2c](https://github.com/BagelLab/uds-core/commit/1eb2e2cd2018f0cd8fb55d8e6576b7e36fa8c3cf)) +* **deps:** update githubactions ([#413](https://github.com/BagelLab/uds-core/issues/413)) ([ebd834e](https://github.com/BagelLab/uds-core/commit/ebd834e56ae9adabe14d9772e4a4d9c305da173c)) +* **deps:** update githubactions to de90cc6 ([#215](https://github.com/BagelLab/uds-core/issues/215)) ([f79eed0](https://github.com/BagelLab/uds-core/commit/f79eed03b2495d9f3e11edb433291ce8a3aa55ee)) +* **deps:** update githubactions to ebc4d7e ([#183](https://github.com/BagelLab/uds-core/issues/183)) ([77357e7](https://github.com/BagelLab/uds-core/commit/77357e72cc0344e61fedcab7197aabdd7e4fd2a0)) +* **deps:** update githubactions to v19 ([#204](https://github.com/BagelLab/uds-core/issues/204)) ([d65acd4](https://github.com/BagelLab/uds-core/commit/d65acd4e2d37907685ba9083ff98988b4ea1d452)) +* **deps:** update githubactions to v3 ([#181](https://github.com/BagelLab/uds-core/issues/181)) ([70c5ddf](https://github.com/BagelLab/uds-core/commit/70c5ddf1ee0e5017bee4057d96b320812a964f88)) +* **deps:** update githubactions to v4.1.3 ([#471](https://github.com/BagelLab/uds-core/issues/471)) ([2a9f44d](https://github.com/BagelLab/uds-core/commit/2a9f44d20dce66fa474e47ba0c93eaa7fa9ad406)) +* **deps:** update grafana 
([#144](https://github.com/BagelLab/uds-core/issues/144)) ([6987927](https://github.com/BagelLab/uds-core/commit/698792728faf8cfeabaf7a7c735c91229cc0c07f))
+* **deps:** update grafana ([#257](https://github.com/BagelLab/uds-core/issues/257)) ([c98e566](https://github.com/BagelLab/uds-core/commit/c98e5661c3e6fb84bf17fc64170f5dd39779dda7))
+* **deps:** update grafana ([#339](https://github.com/BagelLab/uds-core/issues/339)) ([52e6c1b](https://github.com/BagelLab/uds-core/commit/52e6c1b3bb003402710bc0fa85419538f38b388f))
+* **deps:** update grafana ([#80](https://github.com/BagelLab/uds-core/issues/80)) ([ccb2c12](https://github.com/BagelLab/uds-core/commit/ccb2c1280313fe69198ecab5fea5b38fc650f699))
+* **deps:** update grafana to v10.3.1 ([#132](https://github.com/BagelLab/uds-core/issues/132)) ([09e028c](https://github.com/BagelLab/uds-core/commit/09e028c63093a6f5fdfd0b1be800b07c0eb9de77))
+* **deps:** update grafana to v7.2.5 ([#136](https://github.com/BagelLab/uds-core/issues/136)) ([a271270](https://github.com/BagelLab/uds-core/commit/a271270f2d3f3488aa9664ef5ad69a4d239c5d22))
+* **deps:** update grafana to v7.3.0 ([#142](https://github.com/BagelLab/uds-core/issues/142)) ([5e960c0](https://github.com/BagelLab/uds-core/commit/5e960c0479e6fc96244db0230296c94e936e57d8))
+* **deps:** update grafana to v7.3.9 ([#353](https://github.com/BagelLab/uds-core/issues/353)) ([4a70f40](https://github.com/BagelLab/uds-core/commit/4a70f407d5e06919aaa0dc5901f49f7f1b166c9d))
+* **deps:** update istio to v1.20.2 ([#75](https://github.com/BagelLab/uds-core/issues/75)) ([671f977](https://github.com/BagelLab/uds-core/commit/671f977ff183010ce75e323532db500dcd4aa69c))
+* **deps:** update istio to v1.20.3 ([#163](https://github.com/BagelLab/uds-core/issues/163)) ([e45de0e](https://github.com/BagelLab/uds-core/commit/e45de0e5917a2ca6c3e30e593e2d9a8d393849a9))
+* **deps:** update istio to v1.21.2 ([#258](https://github.com/BagelLab/uds-core/issues/258)) ([51c6540](https://github.com/BagelLab/uds-core/commit/51c65405c87ed3c147bdd90172ab0588dc8e5db1))
+* **deps:** update istio to v1.22.1 ([#405](https://github.com/BagelLab/uds-core/issues/405)) ([ad4b861](https://github.com/BagelLab/uds-core/commit/ad4b861158eecfac1d09a37ea3776e31a1c387cb))
+* **deps:** update jest to v29.1.4 ([#438](https://github.com/BagelLab/uds-core/issues/438)) ([c3ecc8b](https://github.com/BagelLab/uds-core/commit/c3ecc8b83b8c65f09600ab937a1c140c4a5f7db1))
+* **deps:** update jest to v29.1.5 ([#485](https://github.com/BagelLab/uds-core/issues/485)) ([9c392b9](https://github.com/BagelLab/uds-core/commit/9c392b9b88c84e3c3763878e6beb1800c43ded25))
+* **deps:** update keycloak ([#349](https://github.com/BagelLab/uds-core/issues/349)) ([2ef1813](https://github.com/BagelLab/uds-core/commit/2ef181333d2fd853bb8eee2c5deb82430d68c861))
+* **deps:** update keycloak ([#390](https://github.com/BagelLab/uds-core/issues/390)) ([3e82c4e](https://github.com/BagelLab/uds-core/commit/3e82c4ece470a5eea81d937b2b38c455934212e1))
+* **deps:** update keycloak to v0.4.2 ([#375](https://github.com/BagelLab/uds-core/issues/375)) ([b0bb8e4](https://github.com/BagelLab/uds-core/commit/b0bb8e47f78886186514f188a99ff38463a5eac3))
+* **deps:** update keycloak to v0.4.4 ([#460](https://github.com/BagelLab/uds-core/issues/460)) ([936f40b](https://github.com/BagelLab/uds-core/commit/936f40bf078bb06d94ebd51585b4eb7669d426b4))
+* **deps:** update keycloak to v0.4.5 ([#461](https://github.com/BagelLab/uds-core/issues/461)) ([3592012](https://github.com/BagelLab/uds-core/commit/35920121bcdfbdf9b708eb3308ea34763a31246a))
+* **deps:** update keycloak to v24.0.4 ([#397](https://github.com/BagelLab/uds-core/issues/397)) ([c0420ea](https://github.com/BagelLab/uds-core/commit/c0420ea750b3a7dfc8ea6adab5225f76178ef953))
+* **deps:** update keycloak to v24.0.4 ([#402](https://github.com/BagelLab/uds-core/issues/402)) ([e454576](https://github.com/BagelLab/uds-core/commit/e454576a6de53e833d6b925308f09d6007166dde))
+* **deps:** update keycloak to v24.0.5 ([#453](https://github.com/BagelLab/uds-core/issues/453)) ([6b0c6fc](https://github.com/BagelLab/uds-core/commit/6b0c6fc91f238e367c9f2d54f0daaf9d8065794e))
+* **deps:** update keycloak to v24.0.5 ([#454](https://github.com/BagelLab/uds-core/issues/454)) ([89911f0](https://github.com/BagelLab/uds-core/commit/89911f0ca01ac421a254b79e25124525f464cf51))
+* **deps:** update loki ([#131](https://github.com/BagelLab/uds-core/issues/131)) ([61250b0](https://github.com/BagelLab/uds-core/commit/61250b02eca7ca57d7f346c1da5b63f19de17c49))
+* **deps:** update loki ([#209](https://github.com/BagelLab/uds-core/issues/209)) ([03ca499](https://github.com/BagelLab/uds-core/commit/03ca499bd5d9cac800bd36dca80340ceac3f3009))
+* **deps:** update loki ([#72](https://github.com/BagelLab/uds-core/issues/72)) ([98134bb](https://github.com/BagelLab/uds-core/commit/98134bba1f6078a867aae2ae28f4152ba7b1a8e5))
+* **deps:** update loki to v5.43.0 ([#180](https://github.com/BagelLab/uds-core/issues/180)) ([bab5f7a](https://github.com/BagelLab/uds-core/commit/bab5f7aba3644c0e478a17338df4e074b0c1a6a2))
+* **deps:** update loki to v5.43.1 ([#182](https://github.com/BagelLab/uds-core/issues/182)) ([6cc5fc7](https://github.com/BagelLab/uds-core/commit/6cc5fc7f5a07d848cfe4f18dc9a7e2a4cd91b1cf))
+* **deps:** update loki to v5.43.2 ([#191](https://github.com/BagelLab/uds-core/issues/191)) ([0ec0cd4](https://github.com/BagelLab/uds-core/commit/0ec0cd4d6cdc7b4eb1eea33f4da7b144ecbc29a5))
+* **deps:** update loki to v5.43.3 ([#199](https://github.com/BagelLab/uds-core/issues/199)) ([40f1554](https://github.com/BagelLab/uds-core/commit/40f155469670a4b7290819fc09d28ff1fcc06a81))
+* **deps:** update metrics-server ([#123](https://github.com/BagelLab/uds-core/issues/123)) ([fb25a97](https://github.com/BagelLab/uds-core/commit/fb25a970d6e3b51432164fab05ea2d19d1a638ef))
+* **deps:** update metrics-server ([#298](https://github.com/BagelLab/uds-core/issues/298)) ([691fd87](https://github.com/BagelLab/uds-core/commit/691fd87ae3e523c897d0461c4a0384b2bb7c8c03))
+* **deps:** update neuvector ([#333](https://github.com/BagelLab/uds-core/issues/333)) ([010e287](https://github.com/BagelLab/uds-core/commit/010e287dbf3a712d19e54bfbbaa87807585130d7))
+* **deps:** update neuvector ([#73](https://github.com/BagelLab/uds-core/issues/73)) ([50f6c90](https://github.com/BagelLab/uds-core/commit/50f6c90ca31d5bf984e44fd1ded7c5cfcb968064))
+* **deps:** update neuvector to 5.3.3 ([#467](https://github.com/BagelLab/uds-core/issues/467)) ([261057d](https://github.com/BagelLab/uds-core/commit/261057d2bf142c3167fdf0d0bd68bc2fb47d22df))
+* **deps:** update neuvector to v9.4 ([#381](https://github.com/BagelLab/uds-core/issues/381)) ([20d4170](https://github.com/BagelLab/uds-core/commit/20d4170386d2437826abafc68d87d91dc457022a))
+* **deps:** update pepr ([#116](https://github.com/BagelLab/uds-core/issues/116)) ([bfa7352](https://github.com/BagelLab/uds-core/commit/bfa7352ebe962ef1ed091f4a5799ed4974e086ef))
+* **deps:** update pepr ([#324](https://github.com/BagelLab/uds-core/issues/324)) ([2ef0f96](https://github.com/BagelLab/uds-core/commit/2ef0f96da7476b487d72d4bb7ce4bd50fdb0b182))
+* **deps:** update pepr ([#340](https://github.com/BagelLab/uds-core/issues/340)) ([e71ba4a](https://github.com/BagelLab/uds-core/commit/e71ba4ab4eb1ea1cc482b507fef4e0e2735bbd1f))
+* **deps:** update pepr ([#419](https://github.com/BagelLab/uds-core/issues/419)) ([d8f0309](https://github.com/BagelLab/uds-core/commit/d8f0309b4f9661b1c5bc2d5e574697ee9579e387))
+* **deps:** update pepr ([#76](https://github.com/BagelLab/uds-core/issues/76)) ([50de920](https://github.com/BagelLab/uds-core/commit/50de920bcf03092d16a11ebf77ede70987a7cdcf))
+* **deps:** update pepr to 0.31.0 ([#360](https://github.com/BagelLab/uds-core/issues/360)) ([fbd61ea](https://github.com/BagelLab/uds-core/commit/fbd61ea9665133619aec81726b189449226d8459))
+* **deps:** update pepr to 0.32.2 ([#473](https://github.com/BagelLab/uds-core/issues/473)) ([ab4bee9](https://github.com/BagelLab/uds-core/commit/ab4bee906f020d86b90c0b984789be55f8b4c08b))
+* **deps:** update pepr to 0.32.3 ([#494](https://github.com/BagelLab/uds-core/issues/494)) ([2e28897](https://github.com/BagelLab/uds-core/commit/2e2889784043b21463e72643eb890054645dd439))
+* **deps:** update pepr to v0.22.0 ([#102](https://github.com/BagelLab/uds-core/issues/102)) ([941902d](https://github.com/BagelLab/uds-core/commit/941902dcfc2ec1d5340d658f75811b3369489c56))
+* **deps:** update pepr to v0.22.2 ([#104](https://github.com/BagelLab/uds-core/issues/104)) ([0555353](https://github.com/BagelLab/uds-core/commit/0555353e5a5dec2aa8685a3987852d1c3788f28c))
+* **deps:** update pepr to v0.24.1 ([#134](https://github.com/BagelLab/uds-core/issues/134)) ([6474a1c](https://github.com/BagelLab/uds-core/commit/6474a1c0a16c8d87248acb1b3f7d79b76a354fc8))
+* **deps:** update pepr to v0.25.0 ([#164](https://github.com/BagelLab/uds-core/issues/164)) ([e7b8212](https://github.com/BagelLab/uds-core/commit/e7b8212b6a8ed2e16b47264687e0c39d2f0a3455))
+* **deps:** update pepr to v0.28.6 ([#254](https://github.com/BagelLab/uds-core/issues/254)) ([54ef7de](https://github.com/BagelLab/uds-core/commit/54ef7ded349d060b1732b381124fe29e3e8fe85b))
+* **deps:** update pepr to v0.28.6 ([#300](https://github.com/BagelLab/uds-core/issues/300)) ([86b43e4](https://github.com/BagelLab/uds-core/commit/86b43e478521aa88a3a4843948ca96b9cbe55985))
+* **deps:** update pepr to v0.28.7 ([#321](https://github.com/BagelLab/uds-core/issues/321)) ([e7206bb](https://github.com/BagelLab/uds-core/commit/e7206bb93ce23a3ae611e410106890df3eafdea1))
+* **deps:** update pepr to v0.4.5 ([#447](https://github.com/BagelLab/uds-core/issues/447)) ([f1dba17](https://github.com/BagelLab/uds-core/commit/f1dba17076a7c6052ed67e07bdb560fda7604b80))
+* **deps:** update prometheus-stack ([#128](https://github.com/BagelLab/uds-core/issues/128)) ([625622a](https://github.com/BagelLab/uds-core/commit/625622a44c101f0a9c1beffd66eb259dc1f1eedc))
+* **deps:** update prometheus-stack ([#190](https://github.com/BagelLab/uds-core/issues/190)) ([f9a605a](https://github.com/BagelLab/uds-core/commit/f9a605a4c828128fc19f0bdb1d2443f65fb87b8a))
+* **deps:** update prometheus-stack ([#301](https://github.com/BagelLab/uds-core/issues/301)) ([143eca3](https://github.com/BagelLab/uds-core/commit/143eca3ecc2e3c39765312dc3c5384c87a13d7da))
+* **deps:** update prometheus-stack ([#348](https://github.com/BagelLab/uds-core/issues/348)) ([49cb11a](https://github.com/BagelLab/uds-core/commit/49cb11a058a9209cee7019fa552b8c0b2ef73368))
+* **deps:** update prometheus-stack ([#392](https://github.com/BagelLab/uds-core/issues/392)) ([2e656f5](https://github.com/BagelLab/uds-core/commit/2e656f5dc3de2e6561ac313cb1bae478635b86b3))
+* **deps:** update prometheus-stack ([#422](https://github.com/BagelLab/uds-core/issues/422)) ([a96193e](https://github.com/BagelLab/uds-core/commit/a96193e257701dfaf6fccc34246ef3f31e639f3e))
+* **deps:** update prometheus-stack ([#81](https://github.com/BagelLab/uds-core/issues/81)) ([19bedb6](https://github.com/BagelLab/uds-core/commit/19bedb60cd2f99615c4b5673623ff0ff6fafb73f))
+* **deps:** update promtail ([#74](https://github.com/BagelLab/uds-core/issues/74)) ([6a112b5](https://github.com/BagelLab/uds-core/commit/6a112b5226250f1a17023b2c1225d404cf8feeee))
+* **deps:** update to keycloak 24 ([#336](https://github.com/BagelLab/uds-core/issues/336)) ([1153ba0](https://github.com/BagelLab/uds-core/commit/1153ba09ac062d3477a4ee396376be83493ad3c5))
+* **deps:** update uds to v0.10.4 ([#228](https://github.com/BagelLab/uds-core/issues/228)) ([1750b23](https://github.com/BagelLab/uds-core/commit/1750b2304e3c6f0ce6a60f1ef2873ce8a6ce1502))
+* **deps:** update uds to v0.11.1 ([#472](https://github.com/BagelLab/uds-core/issues/472)) ([12fd798](https://github.com/BagelLab/uds-core/commit/12fd79894e71ee06181ccd6f2ac98b84d935066c))
+* **deps:** update uds to v0.11.2 ([#479](https://github.com/BagelLab/uds-core/issues/479)) ([f967f9a](https://github.com/BagelLab/uds-core/commit/f967f9a4bf8d718b9ece96d882db4d9c800f5f0f))
+* **deps:** update uds to v0.5.3, zarf to v0.32.1, and uds-k3d to 0.3.0 ([#77](https://github.com/BagelLab/uds-core/issues/77)) ([596f9d8](https://github.com/BagelLab/uds-core/commit/596f9d8df51c3df1aa87fd0e09d9e69c87473bf0))
+* **deps:** update uds to v0.6.2 ([#107](https://github.com/BagelLab/uds-core/issues/107)) ([7b7220e](https://github.com/BagelLab/uds-core/commit/7b7220e708cf2dca25cc592b8932661620d9610d))
+* **deps:** update uds to v0.8.1 ([#141](https://github.com/BagelLab/uds-core/issues/141)) ([fa79065](https://github.com/BagelLab/uds-core/commit/fa79065265a5ee2b8f6f6a55d1c2904bbaf42fff))
+* **deps:** update uds to v0.9.0 ([#173](https://github.com/BagelLab/uds-core/issues/173)) ([b91a90d](https://github.com/BagelLab/uds-core/commit/b91a90db987e108a5a093a326428bbd0b5f9446e))
+* **deps:** update uds to v0.9.2 ([#200](https://github.com/BagelLab/uds-core/issues/200)) ([e4b54fe](https://github.com/BagelLab/uds-core/commit/e4b54febc4d7914e962db92b7a0490a3735af4e5))
+* **deps:** update uds-common tasks to 0.6.1 ([#498](https://github.com/BagelLab/uds-core/issues/498)) ([4aa6e33](https://github.com/BagelLab/uds-core/commit/4aa6e3372f6d1a5df1e2ae51a3129603a8b0b29b))
+* **deps:** update uds-common to v0.4.4 ([#442](https://github.com/BagelLab/uds-core/issues/442)) ([bf6debd](https://github.com/BagelLab/uds-core/commit/bf6debdd0d50f6cde11288cd70d8bdf1dcdaaaa0))
+* **deps:** update uds-identity-config to 0.4.1 ([#355](https://github.com/BagelLab/uds-core/issues/355)) ([8485931](https://github.com/BagelLab/uds-core/commit/84859316ea92ef9ec7807a702ee246e11b73567b))
+* **deps:** update uds-k3d to v0.3.1 ([#89](https://github.com/BagelLab/uds-core/issues/89)) ([5d54cd1](https://github.com/BagelLab/uds-core/commit/5d54cd1efe5eee4c19caf347882725e0aa20e50a))
+* **deps:** update uds-k3d to v0.5.0 ([#186](https://github.com/BagelLab/uds-core/issues/186)) ([164bf5f](https://github.com/BagelLab/uds-core/commit/164bf5f8bd58899f5ec1a179d6d409cfb46b850f))
+* **deps:** update uds-k3d to v0.6.0 ([#240](https://github.com/BagelLab/uds-core/issues/240)) ([6a26523](https://github.com/BagelLab/uds-core/commit/6a2652368fde3a3bdbe5bb81fd258830dfaeb5c8))
+* **deps:** update uds-k3d to v0.6.0 ([#398](https://github.com/BagelLab/uds-core/issues/398)) ([288f009](https://github.com/BagelLab/uds-core/commit/288f00990a715087c9bf1fffd0a63ecf33125a5a))
+* **deps:** update uds-k3d to v0.7.0 ([#428](https://github.com/BagelLab/uds-core/issues/428)) ([23b59a2](https://github.com/BagelLab/uds-core/commit/23b59a260b2c60791614ca4d39a33e65476e19ee))
+* **deps:** update velero ([#260](https://github.com/BagelLab/uds-core/issues/260)) ([f352008](https://github.com/BagelLab/uds-core/commit/f35200833a4d4d50de9f632f6918320f7d8fff5e))
+* **deps:** update velero ([#350](https://github.com/BagelLab/uds-core/issues/350)) ([e7cb33e](https://github.com/BagelLab/uds-core/commit/e7cb33ea9a13ab9550aab45d8ee437a1ba595d38))
+* **deps:** update velero ([#408](https://github.com/BagelLab/uds-core/issues/408)) ([ffbefda](https://github.com/BagelLab/uds-core/commit/ffbefda74777466ef74ad1d5cffff1f4895f323d))
+* **deps:** update velero ([#440](https://github.com/BagelLab/uds-core/issues/440)) ([4b1a3ea](https://github.com/BagelLab/uds-core/commit/4b1a3ead81a80b49e5ccfeb2e4130a4aaebb53a4))
+* **deps:** update velero to v1.30.2 ([#476](https://github.com/BagelLab/uds-core/issues/476)) ([89bbda9](https://github.com/BagelLab/uds-core/commit/89bbda9e640014bede116c254381cab8995df12f))
+* **deps:** update velero to v6.6.0 ([#456](https://github.com/BagelLab/uds-core/issues/456)) ([aff37c1](https://github.com/BagelLab/uds-core/commit/aff37c194e321f6a6c92f1bc11fd796cf9f0a9ab))
+* **deps:** update zarf to v0.32.2 ([#133](https://github.com/BagelLab/uds-core/issues/133)) ([91502c6](https://github.com/BagelLab/uds-core/commit/91502c6321334c6d31ce5fd1cd8f2fe6f77c09ae))
+* **deps:** update zarf to v0.32.3 ([#155](https://github.com/BagelLab/uds-core/issues/155)) ([2f0a1a7](https://github.com/BagelLab/uds-core/commit/2f0a1a77043ce298e765e6999cf11a97f36e4ecc))
+* **deps:** update zarf to v0.32.4 ([#203](https://github.com/BagelLab/uds-core/issues/203)) ([05c903e](https://github.com/BagelLab/uds-core/commit/05c903ea43243401d9cc2928ba5eb66ff6201c94))
+* **deps:** update zarf to v0.32.5 ([#243](https://github.com/BagelLab/uds-core/issues/243)) ([ee93612](https://github.com/BagelLab/uds-core/commit/ee9361224767c1a708b6f8e2c266af710facea8d))
+* **deps:** update zarf to v0.32.6 ([#282](https://github.com/BagelLab/uds-core/issues/282)) ([443426d](https://github.com/BagelLab/uds-core/commit/443426d05b9bd1d15fb4632efa26219250270895))
+* **deps:** update zarf to v0.33.0 ([#325](https://github.com/BagelLab/uds-core/issues/325)) ([f2a2a66](https://github.com/BagelLab/uds-core/commit/f2a2a665309c812b4300047d1c90ff3833a8eba6))
+* **deps:** update zarf to v0.33.1 ([#368](https://github.com/BagelLab/uds-core/issues/368)) ([296e547](https://github.com/BagelLab/uds-core/commit/296e54729c20c9ecee21677daec874a2c8b57b57))
+* **deps:** update zarf to v0.33.2 ([#394](https://github.com/BagelLab/uds-core/issues/394)) ([201a37b](https://github.com/BagelLab/uds-core/commit/201a37b12277880058c14fc05b3c0d4aecbf31e0))
+* **deps:** update zarf to v0.34.0 ([#434](https://github.com/BagelLab/uds-core/issues/434)) ([9badf9d](https://github.com/BagelLab/uds-core/commit/9badf9d4b9b6f904b1b7a478be5355416dc7fbe0))
+* **deps:** update zarf to v0.35.0 ([#490](https://github.com/BagelLab/uds-core/issues/490)) ([86957cf](https://github.com/BagelLab/uds-core/commit/86957cfe19564ec8ddccec7e496af4469def322a))
+* docs linting changes ([#505](https://github.com/BagelLab/uds-core/issues/505)) ([0fe2015](https://github.com/BagelLab/uds-core/commit/0fe20151713363f572a50601016e06e60230990f))
+* fix missing deps in tag and release workflow ([#28](https://github.com/BagelLab/uds-core/issues/28)) ([1e1af76](https://github.com/BagelLab/uds-core/commit/1e1af762e8eb1dd331cbd681e48ecc95ec3184d2))
+* initial renovate config ([#67](https://github.com/BagelLab/uds-core/issues/67)) ([2cd19d8](https://github.com/BagelLab/uds-core/commit/2cd19d871a95491950d43fea8e8fd2e8c290cd55))
+* kick off ci ([1afc3a4](https://github.com/BagelLab/uds-core/commit/1afc3a4203cce1a1c81b15e7ba6caad1a9c63131))
+* **main:** release 0.1.1 ([#27](https://github.com/BagelLab/uds-core/issues/27)) ([3776e91](https://github.com/BagelLab/uds-core/commit/3776e91670aa73907cb9c48a05419d106ecedd67))
+* **main:** release 0.1.2 ([#29](https://github.com/BagelLab/uds-core/issues/29)) ([af7b0be](https://github.com/BagelLab/uds-core/commit/af7b0beaf409627c87b47e4d908b0a8a0d8cff63))
+* **main:** release 0.1.3 ([#31](https://github.com/BagelLab/uds-core/issues/31)) ([28ad8a7](https://github.com/BagelLab/uds-core/commit/28ad8a78b023f160714ecb90d748ee65403cf500))
+* **main:** release 0.10.0 ([#135](https://github.com/BagelLab/uds-core/issues/135)) ([5bb6f01](https://github.com/BagelLab/uds-core/commit/5bb6f016631fdef4f14848ff55588f33e6d4f07d))
+* **main:** release 0.11.0 ([#138](https://github.com/BagelLab/uds-core/issues/138)) ([c02ada8](https://github.com/BagelLab/uds-core/commit/c02ada860f532d8955af00637756ee622f3e9019))
+* **main:** release 0.11.1 ([#159](https://github.com/BagelLab/uds-core/issues/159)) ([2c493bb](https://github.com/BagelLab/uds-core/commit/2c493bb7c877a7193e45376a9d28aed832cff590))
+* **main:** release 0.12.0 ([#161](https://github.com/BagelLab/uds-core/issues/161)) ([e3c41e8](https://github.com/BagelLab/uds-core/commit/e3c41e82ba5bd776f2633cbde222ab05c5c513f3))
+* **main:** release 0.13.0 ([#170](https://github.com/BagelLab/uds-core/issues/170)) ([09c9447](https://github.com/BagelLab/uds-core/commit/09c9447fa47e5bd1f1d3ae627d7c3dab9c46d596))
+* **main:** release 0.13.1 ([#197](https://github.com/BagelLab/uds-core/issues/197)) ([e968fe9](https://github.com/BagelLab/uds-core/commit/e968fe9707f5a1f154b1fd19050ba46073427495))
+* **main:** release 0.14.0 ([#202](https://github.com/BagelLab/uds-core/issues/202)) ([d090f40](https://github.com/BagelLab/uds-core/commit/d090f4052679d1557973a17524923280c04807fd))
+* **main:** release 0.14.1 ([#218](https://github.com/BagelLab/uds-core/issues/218)) ([3199d8b](https://github.com/BagelLab/uds-core/commit/3199d8bc8cc8e11f9eccdb7075ce798572f6fa0a))
+* **main:** release 0.14.2 ([#221](https://github.com/BagelLab/uds-core/issues/221)) ([2ab4c54](https://github.com/BagelLab/uds-core/commit/2ab4c54618f40c8f195e4bbc1aee63024e488dc8))
+* **main:** release 0.14.3 ([#225](https://github.com/BagelLab/uds-core/issues/225)) ([05b1c19](https://github.com/BagelLab/uds-core/commit/05b1c196e4509ee38261a9b9bc8bc8531086b499))
+* **main:** release 0.14.4 ([#227](https://github.com/BagelLab/uds-core/issues/227)) ([d2d005b](https://github.com/BagelLab/uds-core/commit/d2d005b9caf0b067f850f752a3d6e643c99a74c6))
+* **main:** release 0.14.5 ([#230](https://github.com/BagelLab/uds-core/issues/230)) ([1acafca](https://github.com/BagelLab/uds-core/commit/1acafcadf0baa4567d4f0c41e3201fa40895d092))
+* **main:** release 0.15.0 ([#233](https://github.com/BagelLab/uds-core/issues/233)) ([f4f3699](https://github.com/BagelLab/uds-core/commit/f4f3699096e4f917cf36bcb15bdb47179569b74d))
+* **main:** release 0.15.1 ([#235](https://github.com/BagelLab/uds-core/issues/235)) ([a0c6b32](https://github.com/BagelLab/uds-core/commit/a0c6b327ada2a36a08a4dc4874248d9df65f5381))
+* **main:** release 0.16.0 ([#246](https://github.com/BagelLab/uds-core/issues/246)) ([efc64d4](https://github.com/BagelLab/uds-core/commit/efc64d45c6e78f3014258b80abdf35d0119bde36))
+* **main:** release 0.16.1 ([#265](https://github.com/BagelLab/uds-core/issues/265)) ([4e4eaea](https://github.com/BagelLab/uds-core/commit/4e4eaea6c16e010837bb1c0d5624ebda418bce6f))
+* **main:** release 0.17.0 ([#267](https://github.com/BagelLab/uds-core/issues/267)) ([510f536](https://github.com/BagelLab/uds-core/commit/510f536133e835f98bb524bfc9f437e6f716d9ef))
+* **main:** release 0.18.0 ([#286](https://github.com/BagelLab/uds-core/issues/286)) ([40e6b7b](https://github.com/BagelLab/uds-core/commit/40e6b7b711ddbd956058eda8490355568faddaec))
+* **main:** release 0.18.0 ([#318](https://github.com/BagelLab/uds-core/issues/318)) ([5f5e0b8](https://github.com/BagelLab/uds-core/commit/5f5e0b8a19daf0b51d9a102fd851ff76e5296d4e))
+* **main:** release 0.19.0 ([#320](https://github.com/BagelLab/uds-core/issues/320)) ([4ce502b](https://github.com/BagelLab/uds-core/commit/4ce502be3a5d83c28c259db8080a215f309c6ed7))
+* **main:** release 0.2.0 ([#34](https://github.com/BagelLab/uds-core/issues/34)) ([5185a8f](https://github.com/BagelLab/uds-core/commit/5185a8f98c90578eabd9f1494f55e43922bb7a92))
+* **main:** release 0.20.0 ([#345](https://github.com/BagelLab/uds-core/issues/345)) ([c29cc91](https://github.com/BagelLab/uds-core/commit/c29cc91cd2e41d5bbaee33deb173628c83ad0480))
+* **main:** release 0.21.0 ([#361](https://github.com/BagelLab/uds-core/issues/361)) ([c9f027f](https://github.com/BagelLab/uds-core/commit/c9f027f518de547b962b06defb836fba3c70ff3d))
+* **main:** release 0.21.1 ([#379](https://github.com/BagelLab/uds-core/issues/379)) ([b46a161](https://github.com/BagelLab/uds-core/commit/b46a161271bac3c167e554fadf673d2536b6b420))
+* **main:** release 0.22.0 ([#386](https://github.com/BagelLab/uds-core/issues/386)) ([6367bef](https://github.com/BagelLab/uds-core/commit/6367bef04dab6803471b8f424210baedf2004d01))
+* **main:** release 0.22.1 ([#432](https://github.com/BagelLab/uds-core/issues/432)) ([7cf9c4c](https://github.com/BagelLab/uds-core/commit/7cf9c4c09dccc1d91edb7acbb2aee8750c5433ed))
+* **main:** release 0.22.2 ([#474](https://github.com/BagelLab/uds-core/issues/474)) ([84a408f](https://github.com/BagelLab/uds-core/commit/84a408fb23c1803bdbbf5e1f1ce64e97110f2829))
+* **main:** release 0.23.0 ([8e992e3](https://github.com/BagelLab/uds-core/commit/8e992e385fc51e01f0e0df31dd8c7434660ea0d6))
+* **main:** release 0.23.0 ([d640453](https://github.com/BagelLab/uds-core/commit/d64045363c267dad4d10b447e7706b1e739765ae))
+* **main:** release 0.23.1 ([09c623a](https://github.com/BagelLab/uds-core/commit/09c623ac9fb0fe6c785d15245da8d84787cf3649))
+* **main:** release 0.23.2 ([6df0592](https://github.com/BagelLab/uds-core/commit/6df0592f5f336c50c6c7c7cec1f276f7c11f7cdb))
+* **main:** release 0.23.3 ([55cb491](https://github.com/BagelLab/uds-core/commit/55cb491c28ebf5ee7c40f2add5c588c47e9864b0))
+* **main:** release 0.23.4 ([e0e6ebc](https://github.com/BagelLab/uds-core/commit/e0e6ebc684e2004f9e2a3ca128d7401dc41bcc33))
+* **main:** release 0.3.0 ([#39](https://github.com/BagelLab/uds-core/issues/39)) ([4d2b05d](https://github.com/BagelLab/uds-core/commit/4d2b05de9d155dc91b799bde5156c5980bc348cb))
+* **main:** release 0.4.0 ([#43](https://github.com/BagelLab/uds-core/issues/43)) ([d2b61c3](https://github.com/BagelLab/uds-core/commit/d2b61c373b91d4f405e27ce930e4f8bec52ddd21))
+* **main:** release 0.4.1 ([#45](https://github.com/BagelLab/uds-core/issues/45)) ([d66eafe](https://github.com/BagelLab/uds-core/commit/d66eafea0ec9ccd412f5af3ed5ab12f3f8275a33))
+* **main:** release 0.5.0 ([#49](https://github.com/BagelLab/uds-core/issues/49)) ([f9c4269](https://github.com/BagelLab/uds-core/commit/f9c426998f2bc4fc21c32b3492f25b8608f50282))
+* **main:** release 0.6.0 ([#53](https://github.com/BagelLab/uds-core/issues/53)) ([9b3ad64](https://github.com/BagelLab/uds-core/commit/9b3ad64a6e3870ce364cad77abd367cc8d493042))
+* **main:** release 0.6.1 ([#56](https://github.com/BagelLab/uds-core/issues/56)) ([4a5a42c](https://github.com/BagelLab/uds-core/commit/4a5a42c8fa9ee17656e462cb9df08562d9c85b96))
+* **main:** release 0.6.2 ([#59](https://github.com/BagelLab/uds-core/issues/59)) ([b1c49ac](https://github.com/BagelLab/uds-core/commit/b1c49ac70e8a293936dea8a516c32b7bb7e6fc4c))
+* **main:** release 0.7.0 ([#71](https://github.com/BagelLab/uds-core/issues/71)) ([51dcb54](https://github.com/BagelLab/uds-core/commit/51dcb54d239cb5636b0c4f55fde9fc2b2c3bf076))
+* **main:** release 0.7.1 ([#85](https://github.com/BagelLab/uds-core/issues/85)) ([da4040a](https://github.com/BagelLab/uds-core/commit/da4040aff739746dc2355ec0449ee762c05c56c1))
+* **main:** release 0.7.2 ([#88](https://github.com/BagelLab/uds-core/issues/88)) ([5e421ce](https://github.com/BagelLab/uds-core/commit/5e421ce011e42692c3cb6f1353cfb8a5edb846fb))
+* **main:** release 0.7.3 ([#93](https://github.com/BagelLab/uds-core/issues/93)) ([ddf8fa6](https://github.com/BagelLab/uds-core/commit/ddf8fa617853686b8c043d236c159bcd59c47ac0))
+* **main:** release 0.7.4 ([#100](https://github.com/BagelLab/uds-core/issues/100)) ([9abd78b](https://github.com/BagelLab/uds-core/commit/9abd78b11a90a67344fa93e8dba7fd53d6b58ea2))
+* **main:** release 0.8.0 ([#106](https://github.com/BagelLab/uds-core/issues/106)) ([3ab93c3](https://github.com/BagelLab/uds-core/commit/3ab93c30b132ff9c35c1f238008b15cd265abe92))
+* **main:** release 0.8.1 ([#112](https://github.com/BagelLab/uds-core/issues/112)) ([942ad54](https://github.com/BagelLab/uds-core/commit/942ad549b53e8ce87a33fae985bbe2f82c6fa75c))
+* **main:** release 0.9.0 ([#117](https://github.com/BagelLab/uds-core/issues/117)) ([6b0c56b](https://github.com/BagelLab/uds-core/commit/6b0c56b8a6d60091e532ac36cd69ea6cd5ac1124))
+* **main:** release 0.9.1 ([#119](https://github.com/BagelLab/uds-core/issues/119)) ([984f916](https://github.com/BagelLab/uds-core/commit/984f91602c3b2873110d62a49c5df4ecfaa19f8a))
+* **main:** release 0.9.2 ([#121](https://github.com/BagelLab/uds-core/issues/121)) ([2d9b3c9](https://github.com/BagelLab/uds-core/commit/2d9b3c9fe288347879f2d78c8524b719d3772abd))
+* move api service watch to reconcile ([#362](https://github.com/BagelLab/uds-core/issues/362)) ([1822bca](https://github.com/BagelLab/uds-core/commit/1822bca6c397a5c8ea64b9355a9ba4f51fde4518))
+* open the aperture for pr workflow triggering ([#90](https://github.com/BagelLab/uds-core/issues/90)) ([d8a72f2](https://github.com/BagelLab/uds-core/commit/d8a72f2f2f3e507a4be7f217e23b737e3d4c35ce))
+* readme updates & use UDS CLI for zarf ([#137](https://github.com/BagelLab/uds-core/issues/137)) ([21de0ce](https://github.com/BagelLab/uds-core/commit/21de0cee2d70d67ca17b1d45c642e9ca4e1617ce))
+* refactor ci for releases to remove certain artifacts ([#125](https://github.com/BagelLab/uds-core/issues/125)) ([c08a062](https://github.com/BagelLab/uds-core/commit/c08a062bb3f3ede6860c3d7f34136b3e82b78715))
+* refactor promtail extraScrapeConfigs into scrapeConfigs ([#367](https://github.com/BagelLab/uds-core/issues/367)) ([2220272](https://github.com/BagelLab/uds-core/commit/222027240148e669edf40483d145ffc15567b1b7))
+* refactor validate.yaml file name and task name ([#62](https://github.com/BagelLab/uds-core/issues/62)) ([92a04ea](https://github.com/BagelLab/uds-core/commit/92a04ea1096448995ccc0dd9d77a32a5061e06f0))
+* remove emulated gitlab endpoints from keycloak ([#483](https://github.com/BagelLab/uds-core/issues/483)) ([495960c](https://github.com/BagelLab/uds-core/commit/495960ce8d40cf2ef7c0f0021b653db6fc6383bb))
+* remove retry-action action on registry1 docker login ([#160](https://github.com/BagelLab/uds-core/issues/160)) ([eea0c93](https://github.com/BagelLab/uds-core/commit/eea0c93a0ff172bfc5a76d3eaca143ffc0d9fbe2))
+* remove version from neuvector zarf.yaml ([#11](https://github.com/BagelLab/uds-core/issues/11)) ([fbc8d51](https://github.com/BagelLab/uds-core/commit/fbc8d51e2b4146d394184d7596cd9a54219dc001))
+* renovate updates ([#140](https://github.com/BagelLab/uds-core/issues/140)) ([b71a013](https://github.com/BagelLab/uds-core/commit/b71a013bea30c9ca5e39f1dc6485fffaa86ca6b1))
+* simplify promtail values for scrape configs ([#94](https://github.com/BagelLab/uds-core/issues/94)) ([6c2513b](https://github.com/BagelLab/uds-core/commit/6c2513be89f064b44516b1d89c0d6005dd1d4d30))
+* support deselection of metrics-server ([#193](https://github.com/BagelLab/uds-core/issues/193)) ([289a0fe](https://github.com/BagelLab/uds-core/commit/289a0fee5315e8c4a70b3afe66165dd00a7dfbc1))
+* support headless keycloak admin user ([#307](https://github.com/BagelLab/uds-core/issues/307)) ([a0e51b6](https://github.com/BagelLab/uds-core/commit/a0e51b649822619b63478b140bb5dbbebeb20ff3))
+* test artifacts before publish ([#198](https://github.com/BagelLab/uds-core/issues/198)) ([9732f32](https://github.com/BagelLab/uds-core/commit/9732f325624244f4d34c127a949c6ce5951ff6ab))
+* test publish ([2cefa29](https://github.com/BagelLab/uds-core/commit/2cefa2938d60cfa40bd5c0f7ff44c2448c4f48a8))
+* trigger eks nightly when related files are updated ([#366](https://github.com/BagelLab/uds-core/issues/366)) ([6d6e4e0](https://github.com/BagelLab/uds-core/commit/6d6e4e0debbca3498cbc21db405eec48b3bcc240))
+* typo fix in README.md ([#280](https://github.com/BagelLab/uds-core/issues/280)) ([f9727e0](https://github.com/BagelLab/uds-core/commit/f9727e0b638e853bbae131d02019a2efb5286b0a))
+* update codeowners ([#338](https://github.com/BagelLab/uds-core/issues/338)) ([c419574](https://github.com/BagelLab/uds-core/commit/c41957409607c6335ebf6bd4ff30a1a9336a4870))
+* update release please extra-files to be explicit ([#26](https://github.com/BagelLab/uds-core/issues/26)) ([23f4999](https://github.com/BagelLab/uds-core/commit/23f49995771fb05cd18e7a077bf90e86ca5b7471))
+* updating keycloak chart version to align with image ([#378](https://github.com/BagelLab/uds-core/issues/378)) ([a60fe2a](https://github.com/BagelLab/uds-core/commit/a60fe2afed9f7cff3bcad6b0f563232b47e8025b))
+ ## [0.24.0](https://github.com/defenseunicorns/uds-core/compare/v0.23.0...v0.24.0) (2024-07-12)
diff --git a/README.md b/README.md
index fb5b177db..9ee771e27 100644
--- a/README.md
+++ b/README.md
@@ -55,7 +55,7 @@ If you want to try out UDS Core, you can use the [k3d-core-demo bundle](./bundle ```bash
-uds deploy k3d-core-demo:0.24.0
+uds deploy k3d-core-demo:0.23.0
 ```
@@ -69,7 +69,7 @@ Deploy Istio, Keycloak and Pepr: ```bash
-uds deploy k3d-core-slim-dev:0.24.0
+uds deploy k3d-core-slim-dev:0.23.0
 ```
diff --git a/bundles/k3d-slim-dev/uds-bundle.yaml b/bundles/k3d-slim-dev/uds-bundle.yaml
index e0b96a0b4..c89b07002 100644
--- a/bundles/k3d-slim-dev/uds-bundle.yaml
+++ b/bundles/k3d-slim-dev/uds-bundle.yaml
@@ -3,7 +3,7 @@ metadata:
 name: k3d-core-slim-dev
 description: A UDS bundle for deploying Istio from UDS Core on a development cluster
 # x-release-please-start-version
- version: "0.24.0"
+ version: "0.23.0"
 # x-release-please-end
 packages:
@@ -34,7 +34,7 @@ packages:
 - name: core-slim-dev
 path: ../../build/
 # x-release-please-start-version
- ref: 0.24.0
+ ref: 0.23.0
 # x-release-please-end
 overrides:
 istio-admin-gateway:
diff --git a/bundles/k3d-standard/uds-bundle.yaml b/bundles/k3d-standard/uds-bundle.yaml
index 1a0a432a9..197376980 100644
--- a/bundles/k3d-standard/uds-bundle.yaml
+++ b/bundles/k3d-standard/uds-bundle.yaml
@@ -3,7 +3,7 @@ metadata:
 name: k3d-core-demo
 description: A UDS bundle for deploying the standard UDS Core package on a development cluster
 # x-release-please-start-version
- version: "0.24.0"
+ version: "0.23.0"
 # x-release-please-end
 packages:
@@ -34,7 +34,7 @@ packages:
 - name: core
 path: ../../build/
 # x-release-please-start-version
- ref: 0.24.0
+ ref: 0.23.0
 # x-release-please-end
 optionalComponents:
 - istio-passthrough-gateway
diff --git a/packages/slim-dev/zarf.yaml b/packages/slim-dev/zarf.yaml
index cd9485ad1..c7f0e40a4 100644
--- a/packages/slim-dev/zarf.yaml
+++ b/packages/slim-dev/zarf.yaml
@@ -4,7 +4,7 @@ metadata:
 description: "UDS Core (Istio, UDS Operator and Keycloak)"
 authors: "Defense Unicorns - Product"
 # x-release-please-start-version
- version: "0.24.0"
+ version: "0.23.0"
 # x-release-please-end
 variables:
diff --git a/packages/standard/zarf.yaml b/packages/standard/zarf.yaml
index d7c0c71ad..196275fd3 100644
--- a/packages/standard/zarf.yaml
+++ b/packages/standard/zarf.yaml
@@ -4,7 +4,7 @@ metadata:
 description: "UDS Core"
 authors: "Defense Unicorns - Product"
 # x-release-please-start-version
- version: "0.24.0"
+ version: "0.23.0"
 # x-release-please-end
 variables:
diff --git a/tasks/deploy.yaml b/tasks/deploy.yaml
index 31cf9cb00..258001554 100644
--- a/tasks/deploy.yaml
+++ b/tasks/deploy.yaml
@@ -5,7 +5,7 @@ variables:
 - name: VERSION
 description: "The version of the packages to deploy"
 # x-release-please-start-version
- default: "0.24.0"
+ default: "0.23.0"
 # x-release-please-end
 - name: FLAVOR
 default: upstream
diff --git a/tasks/publish.yaml b/tasks/publish.yaml
index 6dbcf0b57..03767b20b 100644
--- a/tasks/publish.yaml
+++ b/tasks/publish.yaml
@@ -8,7 +8,7 @@ variables:
 - name: VERSION
 description: "The version of the packages to build"
 # x-release-please-start-version
- default: "0.24.0"
+ default: "0.23.0"
 # x-release-please-end
 tasks:
From a94e622d2451513f634ec59b7e3623ebd8644276 Mon Sep 17 00:00:00 2001
From: Micah Nagel
Date: Wed, 17 Jul 2024 15:32:16 -0600
Subject: [PATCH 56/61] ci: mute it up
---
 tasks/utils.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tasks/utils.yaml b/tasks/utils.yaml
index 469d6c21a..6afa8c9d6 100644
--- a/tasks/utils.yaml
+++ b/tasks/utils.yaml
@@ -23,6 +23,6 @@ tasks:
 repo="${repo}/snapshots"
 fi
 echo "${repo}"
- # mute: true
+ mute: true
 setVariables:
 - name: TARGET_REPO
From 0119a3457c44e276bec4d08c58f4408bc4b4541a Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Wed, 17 Jul 2024 21:36:25 +0000
Subject: [PATCH 57/61] chore(main): release 0.23.0
---
 CHANGELOG.md | 324 +++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 324 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8f36f58c9..9ce77261c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
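Review bot: With `mute: true` now active, the `echo "${repo}"` that feeds `setVariables` for `TARGET_REPO` presumably no longer appears in the run log, so whether the `/snapshots` suffix was applied is only observable downstream when the variable is consumed. If the goal is to cut log noise rather than to hide a sensitive value (the repo path does not look secret), record that intent next to the flag, e.g. `# muted to keep logs quiet; TARGET_REPO is still exported via setVariables`, so a future maintainer does not un-mute it thinking it hides a credential, and consider surfacing the chosen repo from the consuming step instead. The enclosing task starts before this hunk, so the branch that builds `repo` is not visible here.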
@@ -2,6 +2,330 @@ All notable changes to this project will be documented in this file. +## [0.23.0](https://github.com/BagelLab/uds-core/compare/v0.23.0...v0.23.0) (2024-07-17) + + +### ⚠ BREAKING CHANGES + +* remove emulated gitlab endpoints from keycloak ([#483](https://github.com/BagelLab/uds-core/issues/483)) + +### Features + +* add `expose` service entry for internal cluster traffic ([#356](https://github.com/BagelLab/uds-core/issues/356)) ([1bde4cc](https://github.com/BagelLab/uds-core/commit/1bde4ccf302864b0c38d093742ca683b96cebe89)) +* add `monitor` to operator, fix monitoring setup ([#256](https://github.com/BagelLab/uds-core/issues/256)) ([bf67722](https://github.com/BagelLab/uds-core/commit/bf67722d4e7e02d44dd29c4436e9a8d2ef960fa5)) +* add authservice to uds-core ([#153](https://github.com/BagelLab/uds-core/issues/153)) ([b0b33b9](https://github.com/BagelLab/uds-core/commit/b0b33b98ae12fe233c922bba55c9328212c2e578)) +* Add istio and preliminary ci ([#3](https://github.com/BagelLab/uds-core/issues/3)) ([fbd7453](https://github.com/BagelLab/uds-core/commit/fbd745392340dbc978b27f0d321f3375882c1c40)) +* add Istio VirtualService Requestmatch to UDS Operator ([#129](https://github.com/BagelLab/uds-core/issues/129)) ([a207197](https://github.com/BagelLab/uds-core/commit/a20719726991d3b981a372b705b776948f6fbc30)) +* add keycloak ([#147](https://github.com/BagelLab/uds-core/issues/147)) ([f99d3d5](https://github.com/BagelLab/uds-core/commit/f99d3d5d4f89264a21dd76d8847e1cef0325d127)) +* add keycloak sso realm values ([#352](https://github.com/BagelLab/uds-core/issues/352)) ([74436ea](https://github.com/BagelLab/uds-core/commit/74436ea78684a74044efdee14564a6582e659998)) +* add metrics-server ([#35](https://github.com/BagelLab/uds-core/issues/35)) ([8216ab9](https://github.com/BagelLab/uds-core/commit/8216ab982be79dc393a2e0db359370b32e660150)) +* add monitoring and logging ([#33](https://github.com/BagelLab/uds-core/issues/33)) 
([c6d9aec](https://github.com/BagelLab/uds-core/commit/c6d9aece4984421e1ccbf476cd0d40fb701e4e50)) +* add nightly testing eks ([#250](https://github.com/BagelLab/uds-core/issues/250)) ([543b09d](https://github.com/BagelLab/uds-core/commit/543b09d103a43c474da6a8c950404cc1f373b03f)) +* add pepr capability for istio + jobs ([#12](https://github.com/BagelLab/uds-core/issues/12)) ([c32a703](https://github.com/BagelLab/uds-core/commit/c32a70390f443c90796978ad4c42bbb4b17eb226)) +* add policy exemptions ([#165](https://github.com/BagelLab/uds-core/issues/165)) ([196df88](https://github.com/BagelLab/uds-core/commit/196df88b01347e530eb1cb49df7440d62c986e0e)) +* add prometheus-stack (monitoring) capability ([#2](https://github.com/BagelLab/uds-core/issues/2)) ([e438ab6](https://github.com/BagelLab/uds-core/commit/e438ab6089bc9d8c6640fa002285d38ddc3022df)) +* add reconciliation retries for CRs ([#423](https://github.com/BagelLab/uds-core/issues/423)) ([424b57b](https://github.com/BagelLab/uds-core/commit/424b57ba91906e1c60e6e92927e37b34d657ad01)) +* add saml and attribute/mapper support for keycloak in uds pepr operator ([#328](https://github.com/BagelLab/uds-core/issues/328)) ([c53d4ee](https://github.com/BagelLab/uds-core/commit/c53d4ee1227d71b60a35419f7c8c9396d71b9508)) +* add UDS Operator and consolidate UDS Policies ([#66](https://github.com/BagelLab/uds-core/issues/66)) ([395c1c4](https://github.com/BagelLab/uds-core/commit/395c1c4aec324d0d939cc410a6bb92129b26653b)) +* add velero package ([#210](https://github.com/BagelLab/uds-core/issues/210)) ([a272945](https://github.com/BagelLab/uds-core/commit/a27294585f0d50732b63672d0c2baf14948e29d1)) +* add Zarf Flavors to support Iron Bank & upstream images ([#63](https://github.com/BagelLab/uds-core/issues/63)) ([232c256](https://github.com/BagelLab/uds-core/commit/232c2566b96be0285c24b8b5787350897e72332f)) +* added initial oscal files ([#145](https://github.com/BagelLab/uds-core/issues/145)) 
([9600d5f](https://github.com/BagelLab/uds-core/commit/9600d5f159e4a04e8f71313f8ed118b87efbb9a1)) +* embed tls certs in istio package ([#32](https://github.com/BagelLab/uds-core/issues/32)) ([fb04fee](https://github.com/BagelLab/uds-core/commit/fb04feec9657f449366389a0e0a474a8cdeecb2c)) +* enable sso for neuvector ([#351](https://github.com/BagelLab/uds-core/issues/351)) ([597353e](https://github.com/BagelLab/uds-core/commit/597353e294e3dc5c06a8d572414e188f9845af8e)) +* expose tls certs as UDS bundle variables ([#48](https://github.com/BagelLab/uds-core/issues/48)) ([c1f8286](https://github.com/BagelLab/uds-core/commit/c1f828650ef2c53a3fd9ed477950046020c5d375)) +* introduce advancedHTTP for expose field & change podLabels to selector ([#154](https://github.com/BagelLab/uds-core/issues/154)) ([1079267](https://github.com/BagelLab/uds-core/commit/107926791149989a782254b8798b7c57a35cfcaf)) +* introduce Pepr common policies ([#50](https://github.com/BagelLab/uds-core/issues/50)) ([54182b4](https://github.com/BagelLab/uds-core/commit/54182b4db691d86ce80379be272d924d105b0d07)) +* introduce sso secret templating ([#276](https://github.com/BagelLab/uds-core/issues/276)) ([e0832ec](https://github.com/BagelLab/uds-core/commit/e0832ec2ee825dc1725483350e3b9295937b8feb)) +* keycloak PVC customization ([#341](https://github.com/BagelLab/uds-core/issues/341)) ([f8eae2a](https://github.com/BagelLab/uds-core/commit/f8eae2a20e02faac6e2c441845a82febeaab3b89)) +* **operator:** add events and improve lifecycle ops ([#245](https://github.com/BagelLab/uds-core/issues/245)) ([502c044](https://github.com/BagelLab/uds-core/commit/502c044547048a380b1f73dead0b8ab1b14a4b4f)) +* release-please integration ([#25](https://github.com/BagelLab/uds-core/issues/25)) ([bf3c53b](https://github.com/BagelLab/uds-core/commit/bf3c53b2ddac4e02e31aa3429029dd9f1c9595e3)) +* switch loki to simple scalable ([#156](https://github.com/BagelLab/uds-core/issues/156)) 
([1661b15](https://github.com/BagelLab/uds-core/commit/1661b154657eba1b30fc5bcec64179cbf6037c03)) +* uds common renovate config ([#391](https://github.com/BagelLab/uds-core/issues/391)) ([035786c](https://github.com/BagelLab/uds-core/commit/035786cadcd9c1fbaf7e0a798f9c13104a1a9a14)) +* uds core docs ([#414](https://github.com/BagelLab/uds-core/issues/414)) ([a35ca7b](https://github.com/BagelLab/uds-core/commit/a35ca7b484ab59572d8205a625db5447a8771e44)) +* update security policy to use provided user, group, and fsgroup ([#82](https://github.com/BagelLab/uds-core/issues/82)) ([6d641ce](https://github.com/BagelLab/uds-core/commit/6d641ce67210999bacda0e855269dca61e7c6a7b)) + + +### Bug Fixes + +* add keycloak to dev bundle and rename ([#262](https://github.com/BagelLab/uds-core/issues/262)) ([f9b905c](https://github.com/BagelLab/uds-core/commit/f9b905c7c2b7e4a6a43e7c83918e3157008433d3)) +* add kubeapi egress for neuvector enforcer ([#291](https://github.com/BagelLab/uds-core/issues/291)) ([87fc886](https://github.com/BagelLab/uds-core/commit/87fc886bc736104a9a3c3aefc4c7d232ed74a4f2)) +* add nightly uds-bundle.yaml to release-please extras for updates ([#346](https://github.com/BagelLab/uds-core/issues/346)) ([d1b3071](https://github.com/BagelLab/uds-core/commit/d1b3071182b48ef4905bb040d203fa42d7bbf76f)) +* add saml configuration to k3d standard bundle ([#425](https://github.com/BagelLab/uds-core/issues/425)) ([15b41d7](https://github.com/BagelLab/uds-core/commit/15b41d7ca506dd913316c41321aa9a3133755ab4)) +* add test for disallow selinux options and handle checking for us… ([#96](https://github.com/BagelLab/uds-core/issues/96)) ([88b969e](https://github.com/BagelLab/uds-core/commit/88b969e2aa4dea8b76dbe397d77c53941f7cfbc8)) +* arm64 packages / bundles creation ([#264](https://github.com/BagelLab/uds-core/issues/264)) ([425fa18](https://github.com/BagelLab/uds-core/commit/425fa184fca6bcebd1eea431dce7112cadae2f44)) +* basic validations for packages 
([#208](https://github.com/BagelLab/uds-core/issues/208)) ([9eba3af](https://github.com/BagelLab/uds-core/commit/9eba3afb7e288c13f75f93d5712d50a3b9e7b92d)) +* change pepr error policy to reject ([#99](https://github.com/BagelLab/uds-core/issues/99)) ([10772e2](https://github.com/BagelLab/uds-core/commit/10772e2c64f1e4b965b6b644b0008c81025029e9)) +* check if exemption exists before cleanup ([#468](https://github.com/BagelLab/uds-core/issues/468)) ([735288b](https://github.com/BagelLab/uds-core/commit/735288b87f2dff3c1bb28e9e20aac812d644aa4d)) +* ci ([1c925f0](https://github.com/BagelLab/uds-core/commit/1c925f0abb76399210920da43ede7e8b3bb500e4)) +* ci things ([f2389a3](https://github.com/BagelLab/uds-core/commit/f2389a33d66491dfab62014cc744b25434202fe2)) +* **ci:** test snapshot fix ([0e556ae](https://github.com/BagelLab/uds-core/commit/0e556aefdf19013aeb23bc72d15ff8971da6f6be)) +* comment out debug ([bdc8677](https://github.com/BagelLab/uds-core/commit/bdc86777d6f06bbb09602185338d6d1c1fe269b9)) +* complete incomplete deploy task ([#21](https://github.com/BagelLab/uds-core/issues/21)) ([45ff5e5](https://github.com/BagelLab/uds-core/commit/45ff5e5d7b6a50cdfcfabb174349ab539a8accd9)) +* concurrency group ([60ca1d0](https://github.com/BagelLab/uds-core/commit/60ca1d06208be3c7f5ec825a37d85504116585d1)) +* de-duplicate renovate matches ([#435](https://github.com/BagelLab/uds-core/issues/435)) ([4f9dbbb](https://github.com/BagelLab/uds-core/commit/4f9dbbbff0bbe1fe348ae7e6c55f97a505f730a9)) +* default keycloak realm envs ([#455](https://github.com/BagelLab/uds-core/issues/455)) ([3a2b48f](https://github.com/BagelLab/uds-core/commit/3a2b48fefb11afcf20f6826fbdef8c43daaf4639)) +* drop path normalization to MERGE_SLASHES to allow apps to handle encoded slashes ([#330](https://github.com/BagelLab/uds-core/issues/330)) ([26e965f](https://github.com/BagelLab/uds-core/commit/26e965fd71dd325bd8df451ce317456bf2d15073)) +* exemption race conditions 
([#407](https://github.com/BagelLab/uds-core/issues/407)) ([d1b3b56](https://github.com/BagelLab/uds-core/commit/d1b3b5669976eb23ca8f88cd5b15a12c56102eca)) +* forgot to commit :( ([29545b6](https://github.com/BagelLab/uds-core/commit/29545b6ca6a35c1717b10b23c8bc2ed3a90f1c4d)) +* github token ([75cfbe4](https://github.com/BagelLab/uds-core/commit/75cfbe446f9b6cd74b9858a7ceb6cd231b348509)) +* hotfix for publishing workflows ([#217](https://github.com/BagelLab/uds-core/issues/217)) ([5fefa01](https://github.com/BagelLab/uds-core/commit/5fefa017d382b7c5557e613b81cd84b27bda85f0)) +* id-token ([5a78de7](https://github.com/BagelLab/uds-core/commit/5a78de7ec926a3ebe82771a5713ac2ff4841271f)) +* inputs silly ([d5c51f3](https://github.com/BagelLab/uds-core/commit/d5c51f35f6817d66bfbf5b2d5f746032893c863a)) +* integrated docs ([#431](https://github.com/BagelLab/uds-core/issues/431)) ([72238fa](https://github.com/BagelLab/uds-core/commit/72238faed167a4e90e4d332e17909510efd98a58)) +* keycloak schema for package cr ([#436](https://github.com/BagelLab/uds-core/issues/436)) ([e32ce9a](https://github.com/BagelLab/uds-core/commit/e32ce9af9176ba8fef702a8c6aac84c15f9ab374)) +* keycloak volume permissions, UI update ([#223](https://github.com/BagelLab/uds-core/issues/223)) ([4454d3e](https://github.com/BagelLab/uds-core/commit/4454d3efcefe6bfa81628d330434afcc246fad65)) +* **keycloak:** add missing postgres host and port secret keys ([#224](https://github.com/BagelLab/uds-core/issues/224)) ([0c4d775](https://github.com/BagelLab/uds-core/commit/0c4d7758cfb077ff592fea907795402485b6c9f5)) +* **keycloak:** only use PVC for devMode ([#241](https://github.com/BagelLab/uds-core/issues/241)) ([a6e6023](https://github.com/BagelLab/uds-core/commit/a6e6023134dc5171441a2043701ed91309e1b32c)) +* kubeapi netpol generation now also includes the ip from the kubernetes service ([#219](https://github.com/BagelLab/uds-core/issues/219)) 
([0a83d02](https://github.com/BagelLab/uds-core/commit/0a83d02f5782d911e3bb63935b0cac70030e5c9b)) +* loki bucket configuration service_account and namespace ([#332](https://github.com/BagelLab/uds-core/issues/332)) ([9518634](https://github.com/BagelLab/uds-core/commit/9518634b24f2d5c285e598f8620849bbc6288ba4)) +* loki local storage ([#84](https://github.com/BagelLab/uds-core/issues/84)) ([b9505bb](https://github.com/BagelLab/uds-core/commit/b9505bbb42b5369c62d7cbfb05e1efb8b8a6200f)) +* loki s3 overrides ([#365](https://github.com/BagelLab/uds-core/issues/365)) ([3545066](https://github.com/BagelLab/uds-core/commit/354506647d65b0484332695abbbd58d91d9e7427)) +* metrics-server mTLS fix ([#44](https://github.com/BagelLab/uds-core/issues/44)) ([4853522](https://github.com/BagelLab/uds-core/commit/4853522c9504c87dcbd8319d689ecb0a1cb42c0b)) +* mismatched exemption/policy for DropAllCapabilities ([#384](https://github.com/BagelLab/uds-core/issues/384)) ([d8ec278](https://github.com/BagelLab/uds-core/commit/d8ec27827e2e2e7d85b4eba6b738f4b126264dd9)) +* named inputs ([c49e6ea](https://github.com/BagelLab/uds-core/commit/c49e6ea2b566198d4702d4c67c659e833a8bad97)) +* network policy to allow metrics-server ingress ([#148](https://github.com/BagelLab/uds-core/issues/148)) ([f1d434a](https://github.com/BagelLab/uds-core/commit/f1d434a68ef1f2a29ab3b13608bc16ce78211ed4)) +* networkpolicy for keycloak smtp egress ([4059954](https://github.com/BagelLab/uds-core/commit/4059954ed92502f10c1b5b769988a363adc06318)) +* nightly testing eks config architecture ([#452](https://github.com/BagelLab/uds-core/issues/452)) ([a0bbd1f](https://github.com/BagelLab/uds-core/commit/a0bbd1f0bf84f03d59866f9797555a08dc8034d6)) +* non-vendored zarf command refs ([#157](https://github.com/BagelLab/uds-core/issues/157)) ([fe183a9](https://github.com/BagelLab/uds-core/commit/fe183a9ae367bc2d7ea7d629e7c15877aabe38cd)) +* ocsp lookup egress policy ([#255](https://github.com/BagelLab/uds-core/issues/255)) 
([77c38f2](https://github.com/BagelLab/uds-core/commit/77c38f22e9a77d9db81504f4c172fdc535c0929e)) +* pepr ironbank renovate update ([#299](https://github.com/BagelLab/uds-core/issues/299)) ([287e40d](https://github.com/BagelLab/uds-core/commit/287e40db5d65f7472a9e9216aae91f3ad92403d9)) +* pepr mutation annotation overwrite ([#385](https://github.com/BagelLab/uds-core/issues/385)) ([6e56b2a](https://github.com/BagelLab/uds-core/commit/6e56b2afec8f54f8c0a4aa4b89fef1d1c754b627)) +* pepr operator derived netpol name collisions ([#480](https://github.com/BagelLab/uds-core/issues/480)) ([de60e25](https://github.com/BagelLab/uds-core/commit/de60e252526d73e439f5665b27f84e8773c24949)) +* registration robot check form id ([#269](https://github.com/BagelLab/uds-core/issues/269)) ([c6419b9](https://github.com/BagelLab/uds-core/commit/c6419b962eb5a02462e9060a66f7765689cfeb8f)) +* release workflow k3d image ([#316](https://github.com/BagelLab/uds-core/issues/316)) ([e7835e0](https://github.com/BagelLab/uds-core/commit/e7835e071f56af148792fbde250100af8e8ca0b8)) +* remove deprecated registry login and add env setup ([#443](https://github.com/BagelLab/uds-core/issues/443)) ([ca6b76f](https://github.com/BagelLab/uds-core/commit/ca6b76f3a66efb6b2e81832aff771ca06bdff68a)) +* remove go mod ([#441](https://github.com/BagelLab/uds-core/issues/441)) ([0de9693](https://github.com/BagelLab/uds-core/commit/0de969333923afb8fd4639547901c7d7f5c6a6f7)) +* remove loki gateway anti-affinity ([#111](https://github.com/BagelLab/uds-core/issues/111)) ([2cba42e](https://github.com/BagelLab/uds-core/commit/2cba42e3a83a25ae7a45f3c3d6a35bdc7bba0b58)) +* remove no-tea and update uds version ([#446](https://github.com/BagelLab/uds-core/issues/446)) ([434844b](https://github.com/BagelLab/uds-core/commit/434844b827e01808b504abf5ee6af83fba813cb6)) +* remove spec from secret yaml ([#226](https://github.com/BagelLab/uds-core/issues/226)) 
([e4b5848](https://github.com/BagelLab/uds-core/commit/e4b58487f736f588944f7c039b8654f9006e04f1)) +* renovate config grouping, test-infra ([#411](https://github.com/BagelLab/uds-core/issues/411)) ([05fd407](https://github.com/BagelLab/uds-core/commit/05fd407e9c3bf6a0bac33de64e892ce2a63275ac)) +* renovate pepr comment ([#410](https://github.com/BagelLab/uds-core/issues/410)) ([a825388](https://github.com/BagelLab/uds-core/commit/a82538817765ad21adb5f6bba283951bf4c23272)) +* resolve istio job termination container status logic issue ([#55](https://github.com/BagelLab/uds-core/issues/55)) ([c0142c2](https://github.com/BagelLab/uds-core/commit/c0142c213446a37185cdf9dec5ae60aaae8ba194)) +* revert "chore: support deselection of metrics-server" ([#196](https://github.com/BagelLab/uds-core/issues/196)) ([25a408d](https://github.com/BagelLab/uds-core/commit/25a408daeb7f6daada11c21e451f973ebe92c07c)) +* runners, snapshot ([df87b55](https://github.com/BagelLab/uds-core/commit/df87b5527b2055d8c15d6223d734e8cbcec0def6)) +* simplify publish repo output ([84805e0](https://github.com/BagelLab/uds-core/commit/84805e01d2704aa3639943f66a4d58b9aea4f690)) +* slim-dev monitoring handling ([#383](https://github.com/BagelLab/uds-core/issues/383)) ([79927aa](https://github.com/BagelLab/uds-core/commit/79927aa58cbb12c849e52b50c00b74629b100b31)) +* sticky sessions for keycloak in ha ([#281](https://github.com/BagelLab/uds-core/issues/281)) ([5ccd557](https://github.com/BagelLab/uds-core/commit/5ccd5576afc34d8b24061887f91ce284ec5857a1)) +* test ([3dc039d](https://github.com/BagelLab/uds-core/commit/3dc039d1ee9d84a7cda7d474652296fef74555ff)) +* typo in comment ([#462](https://github.com/BagelLab/uds-core/issues/462)) ([582b1f4](https://github.com/BagelLab/uds-core/commit/582b1f4754ee3282696ea3b018322a1b3497a7d4)) +* unwanted exemption deletions ([#290](https://github.com/BagelLab/uds-core/issues/290)) 
([50b0cd4](https://github.com/BagelLab/uds-core/commit/50b0cd4211964a90139347558028d6c461956da9)) +* update missing flavor create inputs in publish step ([#118](https://github.com/BagelLab/uds-core/issues/118)) ([a0233eb](https://github.com/BagelLab/uds-core/commit/a0233eb45e2d39035f483f3ed8fb3f396e5030d8)) +* update neuvector values for least privilege ([#373](https://github.com/BagelLab/uds-core/issues/373)) ([7f4de4f](https://github.com/BagelLab/uds-core/commit/7f4de4f729e60a258abc40ce34f9c397fae99181)) +* update status for test ([20983d7](https://github.com/BagelLab/uds-core/commit/20983d749871ac2b769584d2ea5d37c1b9183b52)) +* use updated k3s ([#426](https://github.com/BagelLab/uds-core/issues/426)) ([1da1c49](https://github.com/BagelLab/uds-core/commit/1da1c49e314c73e6fd1f2ef2940aff983262ec6b)) +* validating/mutating webhook networkpolicies and mtls ([#192](https://github.com/BagelLab/uds-core/issues/192)) ([b01e629](https://github.com/BagelLab/uds-core/commit/b01e62960985dd7cb318372abff296fb96f1012b)) +* valueFrom in KeyCloak statefulset.yaml ([#229](https://github.com/BagelLab/uds-core/issues/229)) ([189a5ce](https://github.com/BagelLab/uds-core/commit/189a5ce3a9dd16fe9646a293ca3948db21eb5d78)) +* version ([5053bad](https://github.com/BagelLab/uds-core/commit/5053badca76b7c008ef393f70da7687f423f68d8)) +* wait on istio proxies ([#87](https://github.com/BagelLab/uds-core/issues/87)) ([51cd5a0](https://github.com/BagelLab/uds-core/commit/51cd5a012cc1d095a89b30a22910d3d7ad49885d)) +* workflow links ([eba372c](https://github.com/BagelLab/uds-core/commit/eba372c0b0a942f1bcead8efcd420fbb427ed6e1)) +* workflow outputs silly ([c427851](https://github.com/BagelLab/uds-core/commit/c4278510505b38b651d3f1893a098d1b432e5d95)) +* workflow silliness ([5870a77](https://github.com/BagelLab/uds-core/commit/5870a773b91e96a2f8bf616be2abedbe60263f86)) + + +### Miscellaneous + +* add checks before killing pods when updating istio annotations 
([#457](https://github.com/BagelLab/uds-core/issues/457)) ([a62f9a0](https://github.com/BagelLab/uds-core/commit/a62f9a0e04bb538a8018a3f866c88e8b93c59826)) +* add commit lint workflow ([#19](https://github.com/BagelLab/uds-core/issues/19)) ([776a632](https://github.com/BagelLab/uds-core/commit/776a6325821329b2cbd97da2f40a30447cd48efc)) +* add debug logging to endpointslice watch ([#359](https://github.com/BagelLab/uds-core/issues/359)) ([da3eb5a](https://github.com/BagelLab/uds-core/commit/da3eb5ab4f5e6ced50f838456999995d5be601b7)) +* add debug logs to save logs for easier searching ([#430](https://github.com/BagelLab/uds-core/issues/430)) ([319101b](https://github.com/BagelLab/uds-core/commit/319101b61e4793037aab6c96b92c9d834763e9b8)) +* add debug output to release workflow ([#285](https://github.com/BagelLab/uds-core/issues/285)) ([5f96865](https://github.com/BagelLab/uds-core/commit/5f968651fb4f0da563d9c388efab761863f9ea08)) +* add flavor to pepr build task ([#238](https://github.com/BagelLab/uds-core/issues/238)) ([29bf8a3](https://github.com/BagelLab/uds-core/commit/29bf8a3b83255c7548201f3ea19e22452a1d1d4a)) +* add minio deploy time bundle variable override definitions ([#58](https://github.com/BagelLab/uds-core/issues/58)) ([ca28e7b](https://github.com/BagelLab/uds-core/commit/ca28e7b4c4a42769934cc8ad69361ff29a348cc5)) +* add security.md ([#189](https://github.com/BagelLab/uds-core/issues/189)) ([bf7c1d2](https://github.com/BagelLab/uds-core/commit/bf7c1d28e077cf52d4f765b50d7efb8ce5d60fff)) +* add velero csi plugin ([#424](https://github.com/BagelLab/uds-core/issues/424)) ([c7e49e9](https://github.com/BagelLab/uds-core/commit/c7e49e91d9f7810ddc0368f146d43d3c94c782ad)) +* adding unit test for registerExemptions() ([#105](https://github.com/BagelLab/uds-core/issues/105)) ([5e71fcf](https://github.com/BagelLab/uds-core/commit/5e71fcf4751d2e3f6a1e55583ccf76c0fdc76856)) +* align mutation annotations ([#268](https://github.com/BagelLab/uds-core/issues/268)) 
([f18ad4d](https://github.com/BagelLab/uds-core/commit/f18ad4db94a77f4229cc9267e0129f6aa3381c9a)) +* annotate mutations in policies ([#236](https://github.com/BagelLab/uds-core/issues/236)) ([cc9db50](https://github.com/BagelLab/uds-core/commit/cc9db500bb1033a516104f409fa05b3a1101d832)) +* bump zarf & uds-k3d deps ([#30](https://github.com/BagelLab/uds-core/issues/30)) ([dd28ab3](https://github.com/BagelLab/uds-core/commit/dd28ab3acd163aaccdfb76fbf9726c02a2ff0050)) +* conform to latest uds bundle schema ([#52](https://github.com/BagelLab/uds-core/issues/52)) ([14dad38](https://github.com/BagelLab/uds-core/commit/14dad3819187d4f8e13f7bbc191dca74a29b9c98)) +* dep updates for UDS CLI & Pepr ([#46](https://github.com/BagelLab/uds-core/issues/46)) ([1037634](https://github.com/BagelLab/uds-core/commit/10376349e350bd32f3bf32577d8f8089c09ac6cc)) +* **deps:** pin dependencies ([#79](https://github.com/BagelLab/uds-core/issues/79)) ([bfab11e](https://github.com/BagelLab/uds-core/commit/bfab11e345941d23dfeb928917f38e36a2f75bc9)) +* **deps:** update checkout action to latest sha ([#481](https://github.com/BagelLab/uds-core/issues/481)) ([c6f0137](https://github.com/BagelLab/uds-core/commit/c6f0137bb9a1e11f98d426cec8c98eb4005f160a)) +* **deps:** update checkout to v4.1.7 ([#478](https://github.com/BagelLab/uds-core/issues/478)) ([e91a0a3](https://github.com/BagelLab/uds-core/commit/e91a0a35252581554d9ed587e4ef72c2c88a3586)) +* **deps:** update dependency defenseunicorns/uds-common to v0.2.1 ([#205](https://github.com/BagelLab/uds-core/issues/205)) ([1b01407](https://github.com/BagelLab/uds-core/commit/1b01407c4ae3a707db381b07e1364c572c76eceb)) +* **deps:** update dependency defenseunicorns/uds-common to v0.2.2 ([#232](https://github.com/BagelLab/uds-core/issues/232)) ([083ae0c](https://github.com/BagelLab/uds-core/commit/083ae0c45667e5b9064cbff781fbe4e5bc0d2991)) +* **deps:** update dependency defenseunicorns/uds-common to v0.3.6 
([#261](https://github.com/BagelLab/uds-core/issues/261)) ([1b5398b](https://github.com/BagelLab/uds-core/commit/1b5398b7b778ead8ac3265080ae0bd2b5761066e)) +* **deps:** update dependency weaveworks/eksctl to v0.183.0 ([#499](https://github.com/BagelLab/uds-core/issues/499)) ([9cb8e4d](https://github.com/BagelLab/uds-core/commit/9cb8e4d7c86611918e502de0a7e7e25921523cbc)) +* **deps:** update githubactions ([#179](https://github.com/BagelLab/uds-core/issues/179)) ([7797e25](https://github.com/BagelLab/uds-core/commit/7797e259b9691099cce9e151ce1ebf9f9f181435)) +* **deps:** update githubactions ([#242](https://github.com/BagelLab/uds-core/issues/242)) ([1eb2e2c](https://github.com/BagelLab/uds-core/commit/1eb2e2cd2018f0cd8fb55d8e6576b7e36fa8c3cf)) +* **deps:** update githubactions ([#413](https://github.com/BagelLab/uds-core/issues/413)) ([ebd834e](https://github.com/BagelLab/uds-core/commit/ebd834e56ae9adabe14d9772e4a4d9c305da173c)) +* **deps:** update githubactions to de90cc6 ([#215](https://github.com/BagelLab/uds-core/issues/215)) ([f79eed0](https://github.com/BagelLab/uds-core/commit/f79eed03b2495d9f3e11edb433291ce8a3aa55ee)) +* **deps:** update githubactions to ebc4d7e ([#183](https://github.com/BagelLab/uds-core/issues/183)) ([77357e7](https://github.com/BagelLab/uds-core/commit/77357e72cc0344e61fedcab7197aabdd7e4fd2a0)) +* **deps:** update githubactions to v19 ([#204](https://github.com/BagelLab/uds-core/issues/204)) ([d65acd4](https://github.com/BagelLab/uds-core/commit/d65acd4e2d37907685ba9083ff98988b4ea1d452)) +* **deps:** update githubactions to v3 ([#181](https://github.com/BagelLab/uds-core/issues/181)) ([70c5ddf](https://github.com/BagelLab/uds-core/commit/70c5ddf1ee0e5017bee4057d96b320812a964f88)) +* **deps:** update githubactions to v4.1.3 ([#471](https://github.com/BagelLab/uds-core/issues/471)) ([2a9f44d](https://github.com/BagelLab/uds-core/commit/2a9f44d20dce66fa474e47ba0c93eaa7fa9ad406)) +* **deps:** update grafana 
([#144](https://github.com/BagelLab/uds-core/issues/144)) ([6987927](https://github.com/BagelLab/uds-core/commit/698792728faf8cfeabaf7a7c735c91229cc0c07f)) +* **deps:** update grafana ([#257](https://github.com/BagelLab/uds-core/issues/257)) ([c98e566](https://github.com/BagelLab/uds-core/commit/c98e5661c3e6fb84bf17fc64170f5dd39779dda7)) +* **deps:** update grafana ([#339](https://github.com/BagelLab/uds-core/issues/339)) ([52e6c1b](https://github.com/BagelLab/uds-core/commit/52e6c1b3bb003402710bc0fa85419538f38b388f)) +* **deps:** update grafana ([#80](https://github.com/BagelLab/uds-core/issues/80)) ([ccb2c12](https://github.com/BagelLab/uds-core/commit/ccb2c1280313fe69198ecab5fea5b38fc650f699)) +* **deps:** update grafana to v10.3.1 ([#132](https://github.com/BagelLab/uds-core/issues/132)) ([09e028c](https://github.com/BagelLab/uds-core/commit/09e028c63093a6f5fdfd0b1be800b07c0eb9de77)) +* **deps:** update grafana to v7.2.5 ([#136](https://github.com/BagelLab/uds-core/issues/136)) ([a271270](https://github.com/BagelLab/uds-core/commit/a271270f2d3f3488aa9664ef5ad69a4d239c5d22)) +* **deps:** update grafana to v7.3.0 ([#142](https://github.com/BagelLab/uds-core/issues/142)) ([5e960c0](https://github.com/BagelLab/uds-core/commit/5e960c0479e6fc96244db0230296c94e936e57d8)) +* **deps:** update grafana to v7.3.9 ([#353](https://github.com/BagelLab/uds-core/issues/353)) ([4a70f40](https://github.com/BagelLab/uds-core/commit/4a70f407d5e06919aaa0dc5901f49f7f1b166c9d)) +* **deps:** update istio to v1.20.2 ([#75](https://github.com/BagelLab/uds-core/issues/75)) ([671f977](https://github.com/BagelLab/uds-core/commit/671f977ff183010ce75e323532db500dcd4aa69c)) +* **deps:** update istio to v1.20.3 ([#163](https://github.com/BagelLab/uds-core/issues/163)) ([e45de0e](https://github.com/BagelLab/uds-core/commit/e45de0e5917a2ca6c3e30e593e2d9a8d393849a9)) +* **deps:** update istio to v1.21.2 ([#258](https://github.com/BagelLab/uds-core/issues/258)) 
([51c6540](https://github.com/BagelLab/uds-core/commit/51c65405c87ed3c147bdd90172ab0588dc8e5db1)) +* **deps:** update istio to v1.22.1 ([#405](https://github.com/BagelLab/uds-core/issues/405)) ([ad4b861](https://github.com/BagelLab/uds-core/commit/ad4b861158eecfac1d09a37ea3776e31a1c387cb)) +* **deps:** update jest to v29.1.4 ([#438](https://github.com/BagelLab/uds-core/issues/438)) ([c3ecc8b](https://github.com/BagelLab/uds-core/commit/c3ecc8b83b8c65f09600ab937a1c140c4a5f7db1)) +* **deps:** update jest to v29.1.5 ([#485](https://github.com/BagelLab/uds-core/issues/485)) ([9c392b9](https://github.com/BagelLab/uds-core/commit/9c392b9b88c84e3c3763878e6beb1800c43ded25)) +* **deps:** update keycloak ([#349](https://github.com/BagelLab/uds-core/issues/349)) ([2ef1813](https://github.com/BagelLab/uds-core/commit/2ef181333d2fd853bb8eee2c5deb82430d68c861)) +* **deps:** update keycloak ([#390](https://github.com/BagelLab/uds-core/issues/390)) ([3e82c4e](https://github.com/BagelLab/uds-core/commit/3e82c4ece470a5eea81d937b2b38c455934212e1)) +* **deps:** update keycloak to v0.4.2 ([#375](https://github.com/BagelLab/uds-core/issues/375)) ([b0bb8e4](https://github.com/BagelLab/uds-core/commit/b0bb8e47f78886186514f188a99ff38463a5eac3)) +* **deps:** update keycloak to v0.4.4 ([#460](https://github.com/BagelLab/uds-core/issues/460)) ([936f40b](https://github.com/BagelLab/uds-core/commit/936f40bf078bb06d94ebd51585b4eb7669d426b4)) +* **deps:** update keycloak to v0.4.5 ([#461](https://github.com/BagelLab/uds-core/issues/461)) ([3592012](https://github.com/BagelLab/uds-core/commit/35920121bcdfbdf9b708eb3308ea34763a31246a)) +* **deps:** update keycloak to v24.0.4 ([#397](https://github.com/BagelLab/uds-core/issues/397)) ([c0420ea](https://github.com/BagelLab/uds-core/commit/c0420ea750b3a7dfc8ea6adab5225f76178ef953)) +* **deps:** update keycloak to v24.0.4 ([#402](https://github.com/BagelLab/uds-core/issues/402)) 
([e454576](https://github.com/BagelLab/uds-core/commit/e454576a6de53e833d6b925308f09d6007166dde)) +* **deps:** update keycloak to v24.0.5 ([#453](https://github.com/BagelLab/uds-core/issues/453)) ([6b0c6fc](https://github.com/BagelLab/uds-core/commit/6b0c6fc91f238e367c9f2d54f0daaf9d8065794e)) +* **deps:** update keycloak to v24.0.5 ([#454](https://github.com/BagelLab/uds-core/issues/454)) ([89911f0](https://github.com/BagelLab/uds-core/commit/89911f0ca01ac421a254b79e25124525f464cf51)) +* **deps:** update loki ([#131](https://github.com/BagelLab/uds-core/issues/131)) ([61250b0](https://github.com/BagelLab/uds-core/commit/61250b02eca7ca57d7f346c1da5b63f19de17c49)) +* **deps:** update loki ([#209](https://github.com/BagelLab/uds-core/issues/209)) ([03ca499](https://github.com/BagelLab/uds-core/commit/03ca499bd5d9cac800bd36dca80340ceac3f3009)) +* **deps:** update loki ([#72](https://github.com/BagelLab/uds-core/issues/72)) ([98134bb](https://github.com/BagelLab/uds-core/commit/98134bba1f6078a867aae2ae28f4152ba7b1a8e5)) +* **deps:** update loki to v5.43.0 ([#180](https://github.com/BagelLab/uds-core/issues/180)) ([bab5f7a](https://github.com/BagelLab/uds-core/commit/bab5f7aba3644c0e478a17338df4e074b0c1a6a2)) +* **deps:** update loki to v5.43.1 ([#182](https://github.com/BagelLab/uds-core/issues/182)) ([6cc5fc7](https://github.com/BagelLab/uds-core/commit/6cc5fc7f5a07d848cfe4f18dc9a7e2a4cd91b1cf)) +* **deps:** update loki to v5.43.2 ([#191](https://github.com/BagelLab/uds-core/issues/191)) ([0ec0cd4](https://github.com/BagelLab/uds-core/commit/0ec0cd4d6cdc7b4eb1eea33f4da7b144ecbc29a5)) +* **deps:** update loki to v5.43.3 ([#199](https://github.com/BagelLab/uds-core/issues/199)) ([40f1554](https://github.com/BagelLab/uds-core/commit/40f155469670a4b7290819fc09d28ff1fcc06a81)) +* **deps:** update metrics-server ([#123](https://github.com/BagelLab/uds-core/issues/123)) ([fb25a97](https://github.com/BagelLab/uds-core/commit/fb25a970d6e3b51432164fab05ea2d19d1a638ef)) +* 
**deps:** update metrics-server ([#298](https://github.com/BagelLab/uds-core/issues/298)) ([691fd87](https://github.com/BagelLab/uds-core/commit/691fd87ae3e523c897d0461c4a0384b2bb7c8c03)) +* **deps:** update neuvector ([#333](https://github.com/BagelLab/uds-core/issues/333)) ([010e287](https://github.com/BagelLab/uds-core/commit/010e287dbf3a712d19e54bfbbaa87807585130d7)) +* **deps:** update neuvector ([#73](https://github.com/BagelLab/uds-core/issues/73)) ([50f6c90](https://github.com/BagelLab/uds-core/commit/50f6c90ca31d5bf984e44fd1ded7c5cfcb968064)) +* **deps:** update neuvector to 5.3.3 ([#467](https://github.com/BagelLab/uds-core/issues/467)) ([261057d](https://github.com/BagelLab/uds-core/commit/261057d2bf142c3167fdf0d0bd68bc2fb47d22df)) +* **deps:** update neuvector to v9.4 ([#381](https://github.com/BagelLab/uds-core/issues/381)) ([20d4170](https://github.com/BagelLab/uds-core/commit/20d4170386d2437826abafc68d87d91dc457022a)) +* **deps:** update pepr ([#116](https://github.com/BagelLab/uds-core/issues/116)) ([bfa7352](https://github.com/BagelLab/uds-core/commit/bfa7352ebe962ef1ed091f4a5799ed4974e086ef)) +* **deps:** update pepr ([#324](https://github.com/BagelLab/uds-core/issues/324)) ([2ef0f96](https://github.com/BagelLab/uds-core/commit/2ef0f96da7476b487d72d4bb7ce4bd50fdb0b182)) +* **deps:** update pepr ([#340](https://github.com/BagelLab/uds-core/issues/340)) ([e71ba4a](https://github.com/BagelLab/uds-core/commit/e71ba4ab4eb1ea1cc482b507fef4e0e2735bbd1f)) +* **deps:** update pepr ([#419](https://github.com/BagelLab/uds-core/issues/419)) ([d8f0309](https://github.com/BagelLab/uds-core/commit/d8f0309b4f9661b1c5bc2d5e574697ee9579e387)) +* **deps:** update pepr ([#76](https://github.com/BagelLab/uds-core/issues/76)) ([50de920](https://github.com/BagelLab/uds-core/commit/50de920bcf03092d16a11ebf77ede70987a7cdcf)) +* **deps:** update pepr to 0.31.0 ([#360](https://github.com/BagelLab/uds-core/issues/360)) 
([fbd61ea](https://github.com/BagelLab/uds-core/commit/fbd61ea9665133619aec81726b189449226d8459)) +* **deps:** update pepr to 0.32.2 ([#473](https://github.com/BagelLab/uds-core/issues/473)) ([ab4bee9](https://github.com/BagelLab/uds-core/commit/ab4bee906f020d86b90c0b984789be55f8b4c08b)) +* **deps:** update pepr to 0.32.3 ([#494](https://github.com/BagelLab/uds-core/issues/494)) ([2e28897](https://github.com/BagelLab/uds-core/commit/2e2889784043b21463e72643eb890054645dd439)) +* **deps:** update pepr to v0.22.0 ([#102](https://github.com/BagelLab/uds-core/issues/102)) ([941902d](https://github.com/BagelLab/uds-core/commit/941902dcfc2ec1d5340d658f75811b3369489c56)) +* **deps:** update pepr to v0.22.2 ([#104](https://github.com/BagelLab/uds-core/issues/104)) ([0555353](https://github.com/BagelLab/uds-core/commit/0555353e5a5dec2aa8685a3987852d1c3788f28c)) +* **deps:** update pepr to v0.24.1 ([#134](https://github.com/BagelLab/uds-core/issues/134)) ([6474a1c](https://github.com/BagelLab/uds-core/commit/6474a1c0a16c8d87248acb1b3f7d79b76a354fc8)) +* **deps:** update pepr to v0.25.0 ([#164](https://github.com/BagelLab/uds-core/issues/164)) ([e7b8212](https://github.com/BagelLab/uds-core/commit/e7b8212b6a8ed2e16b47264687e0c39d2f0a3455)) +* **deps:** update pepr to v0.28.6 ([#254](https://github.com/BagelLab/uds-core/issues/254)) ([54ef7de](https://github.com/BagelLab/uds-core/commit/54ef7ded349d060b1732b381124fe29e3e8fe85b)) +* **deps:** update pepr to v0.28.6 ([#300](https://github.com/BagelLab/uds-core/issues/300)) ([86b43e4](https://github.com/BagelLab/uds-core/commit/86b43e478521aa88a3a4843948ca96b9cbe55985)) +* **deps:** update pepr to v0.28.7 ([#321](https://github.com/BagelLab/uds-core/issues/321)) ([e7206bb](https://github.com/BagelLab/uds-core/commit/e7206bb93ce23a3ae611e410106890df3eafdea1)) +* **deps:** update pepr to v0.4.5 ([#447](https://github.com/BagelLab/uds-core/issues/447)) 
([f1dba17](https://github.com/BagelLab/uds-core/commit/f1dba17076a7c6052ed67e07bdb560fda7604b80)) +* **deps:** update prometheus-stack ([#128](https://github.com/BagelLab/uds-core/issues/128)) ([625622a](https://github.com/BagelLab/uds-core/commit/625622a44c101f0a9c1beffd66eb259dc1f1eedc)) +* **deps:** update prometheus-stack ([#190](https://github.com/BagelLab/uds-core/issues/190)) ([f9a605a](https://github.com/BagelLab/uds-core/commit/f9a605a4c828128fc19f0bdb1d2443f65fb87b8a)) +* **deps:** update prometheus-stack ([#301](https://github.com/BagelLab/uds-core/issues/301)) ([143eca3](https://github.com/BagelLab/uds-core/commit/143eca3ecc2e3c39765312dc3c5384c87a13d7da)) +* **deps:** update prometheus-stack ([#348](https://github.com/BagelLab/uds-core/issues/348)) ([49cb11a](https://github.com/BagelLab/uds-core/commit/49cb11a058a9209cee7019fa552b8c0b2ef73368)) +* **deps:** update prometheus-stack ([#392](https://github.com/BagelLab/uds-core/issues/392)) ([2e656f5](https://github.com/BagelLab/uds-core/commit/2e656f5dc3de2e6561ac313cb1bae478635b86b3)) +* **deps:** update prometheus-stack ([#422](https://github.com/BagelLab/uds-core/issues/422)) ([a96193e](https://github.com/BagelLab/uds-core/commit/a96193e257701dfaf6fccc34246ef3f31e639f3e)) +* **deps:** update prometheus-stack ([#81](https://github.com/BagelLab/uds-core/issues/81)) ([19bedb6](https://github.com/BagelLab/uds-core/commit/19bedb60cd2f99615c4b5673623ff0ff6fafb73f)) +* **deps:** update promtail ([#74](https://github.com/BagelLab/uds-core/issues/74)) ([6a112b5](https://github.com/BagelLab/uds-core/commit/6a112b5226250f1a17023b2c1225d404cf8feeee)) +* **deps:** update to keycloak 24 ([#336](https://github.com/BagelLab/uds-core/issues/336)) ([1153ba0](https://github.com/BagelLab/uds-core/commit/1153ba09ac062d3477a4ee396376be83493ad3c5)) +* **deps:** update uds to v0.10.4 ([#228](https://github.com/BagelLab/uds-core/issues/228)) 
([1750b23](https://github.com/BagelLab/uds-core/commit/1750b2304e3c6f0ce6a60f1ef2873ce8a6ce1502)) +* **deps:** update uds to v0.11.1 ([#472](https://github.com/BagelLab/uds-core/issues/472)) ([12fd798](https://github.com/BagelLab/uds-core/commit/12fd79894e71ee06181ccd6f2ac98b84d935066c)) +* **deps:** update uds to v0.11.2 ([#479](https://github.com/BagelLab/uds-core/issues/479)) ([f967f9a](https://github.com/BagelLab/uds-core/commit/f967f9a4bf8d718b9ece96d882db4d9c800f5f0f)) +* **deps:** update uds to v0.5.3, zarf to v0.32.1, and uds-k3d to 0.3.0 ([#77](https://github.com/BagelLab/uds-core/issues/77)) ([596f9d8](https://github.com/BagelLab/uds-core/commit/596f9d8df51c3df1aa87fd0e09d9e69c87473bf0)) +* **deps:** update uds to v0.6.2 ([#107](https://github.com/BagelLab/uds-core/issues/107)) ([7b7220e](https://github.com/BagelLab/uds-core/commit/7b7220e708cf2dca25cc592b8932661620d9610d)) +* **deps:** update uds to v0.8.1 ([#141](https://github.com/BagelLab/uds-core/issues/141)) ([fa79065](https://github.com/BagelLab/uds-core/commit/fa79065265a5ee2b8f6f6a55d1c2904bbaf42fff)) +* **deps:** update uds to v0.9.0 ([#173](https://github.com/BagelLab/uds-core/issues/173)) ([b91a90d](https://github.com/BagelLab/uds-core/commit/b91a90db987e108a5a093a326428bbd0b5f9446e)) +* **deps:** update uds to v0.9.2 ([#200](https://github.com/BagelLab/uds-core/issues/200)) ([e4b54fe](https://github.com/BagelLab/uds-core/commit/e4b54febc4d7914e962db92b7a0490a3735af4e5)) +* **deps:** update uds-common tasks to 0.6.1 ([#498](https://github.com/BagelLab/uds-core/issues/498)) ([4aa6e33](https://github.com/BagelLab/uds-core/commit/4aa6e3372f6d1a5df1e2ae51a3129603a8b0b29b)) +* **deps:** update uds-common to v0.4.4 ([#442](https://github.com/BagelLab/uds-core/issues/442)) ([bf6debd](https://github.com/BagelLab/uds-core/commit/bf6debdd0d50f6cde11288cd70d8bdf1dcdaaaa0)) +* **deps:** update uds-identity-config to 0.4.1 ([#355](https://github.com/BagelLab/uds-core/issues/355)) 
([8485931](https://github.com/BagelLab/uds-core/commit/84859316ea92ef9ec7807a702ee246e11b73567b)) +* **deps:** update uds-k3d to v0.3.1 ([#89](https://github.com/BagelLab/uds-core/issues/89)) ([5d54cd1](https://github.com/BagelLab/uds-core/commit/5d54cd1efe5eee4c19caf347882725e0aa20e50a)) +* **deps:** update uds-k3d to v0.5.0 ([#186](https://github.com/BagelLab/uds-core/issues/186)) ([164bf5f](https://github.com/BagelLab/uds-core/commit/164bf5f8bd58899f5ec1a179d6d409cfb46b850f)) +* **deps:** update uds-k3d to v0.6.0 ([#240](https://github.com/BagelLab/uds-core/issues/240)) ([6a26523](https://github.com/BagelLab/uds-core/commit/6a2652368fde3a3bdbe5bb81fd258830dfaeb5c8)) +* **deps:** update uds-k3d to v0.6.0 ([#398](https://github.com/BagelLab/uds-core/issues/398)) ([288f009](https://github.com/BagelLab/uds-core/commit/288f00990a715087c9bf1fffd0a63ecf33125a5a)) +* **deps:** update uds-k3d to v0.7.0 ([#428](https://github.com/BagelLab/uds-core/issues/428)) ([23b59a2](https://github.com/BagelLab/uds-core/commit/23b59a260b2c60791614ca4d39a33e65476e19ee)) +* **deps:** update velero ([#260](https://github.com/BagelLab/uds-core/issues/260)) ([f352008](https://github.com/BagelLab/uds-core/commit/f35200833a4d4d50de9f632f6918320f7d8fff5e)) +* **deps:** update velero ([#350](https://github.com/BagelLab/uds-core/issues/350)) ([e7cb33e](https://github.com/BagelLab/uds-core/commit/e7cb33ea9a13ab9550aab45d8ee437a1ba595d38)) +* **deps:** update velero ([#408](https://github.com/BagelLab/uds-core/issues/408)) ([ffbefda](https://github.com/BagelLab/uds-core/commit/ffbefda74777466ef74ad1d5cffff1f4895f323d)) +* **deps:** update velero ([#440](https://github.com/BagelLab/uds-core/issues/440)) ([4b1a3ea](https://github.com/BagelLab/uds-core/commit/4b1a3ead81a80b49e5ccfeb2e4130a4aaebb53a4)) +* **deps:** update velero to v1.30.2 ([#476](https://github.com/BagelLab/uds-core/issues/476)) ([89bbda9](https://github.com/BagelLab/uds-core/commit/89bbda9e640014bede116c254381cab8995df12f)) +* 
**deps:** update velero to v6.6.0 ([#456](https://github.com/BagelLab/uds-core/issues/456)) ([aff37c1](https://github.com/BagelLab/uds-core/commit/aff37c194e321f6a6c92f1bc11fd796cf9f0a9ab)) +* **deps:** update zarf to v0.32.2 ([#133](https://github.com/BagelLab/uds-core/issues/133)) ([91502c6](https://github.com/BagelLab/uds-core/commit/91502c6321334c6d31ce5fd1cd8f2fe6f77c09ae)) +* **deps:** update zarf to v0.32.3 ([#155](https://github.com/BagelLab/uds-core/issues/155)) ([2f0a1a7](https://github.com/BagelLab/uds-core/commit/2f0a1a77043ce298e765e6999cf11a97f36e4ecc)) +* **deps:** update zarf to v0.32.4 ([#203](https://github.com/BagelLab/uds-core/issues/203)) ([05c903e](https://github.com/BagelLab/uds-core/commit/05c903ea43243401d9cc2928ba5eb66ff6201c94)) +* **deps:** update zarf to v0.32.5 ([#243](https://github.com/BagelLab/uds-core/issues/243)) ([ee93612](https://github.com/BagelLab/uds-core/commit/ee9361224767c1a708b6f8e2c266af710facea8d)) +* **deps:** update zarf to v0.32.6 ([#282](https://github.com/BagelLab/uds-core/issues/282)) ([443426d](https://github.com/BagelLab/uds-core/commit/443426d05b9bd1d15fb4632efa26219250270895)) +* **deps:** update zarf to v0.33.0 ([#325](https://github.com/BagelLab/uds-core/issues/325)) ([f2a2a66](https://github.com/BagelLab/uds-core/commit/f2a2a665309c812b4300047d1c90ff3833a8eba6)) +* **deps:** update zarf to v0.33.1 ([#368](https://github.com/BagelLab/uds-core/issues/368)) ([296e547](https://github.com/BagelLab/uds-core/commit/296e54729c20c9ecee21677daec874a2c8b57b57)) +* **deps:** update zarf to v0.33.2 ([#394](https://github.com/BagelLab/uds-core/issues/394)) ([201a37b](https://github.com/BagelLab/uds-core/commit/201a37b12277880058c14fc05b3c0d4aecbf31e0)) +* **deps:** update zarf to v0.34.0 ([#434](https://github.com/BagelLab/uds-core/issues/434)) ([9badf9d](https://github.com/BagelLab/uds-core/commit/9badf9d4b9b6f904b1b7a478be5355416dc7fbe0)) +* **deps:** update zarf to v0.35.0 
([#490](https://github.com/BagelLab/uds-core/issues/490)) ([86957cf](https://github.com/BagelLab/uds-core/commit/86957cfe19564ec8ddccec7e496af4469def322a)) +* docs linting changes ([#505](https://github.com/BagelLab/uds-core/issues/505)) ([0fe2015](https://github.com/BagelLab/uds-core/commit/0fe20151713363f572a50601016e06e60230990f)) +* fix missing deps in tag and release workflow ([#28](https://github.com/BagelLab/uds-core/issues/28)) ([1e1af76](https://github.com/BagelLab/uds-core/commit/1e1af762e8eb1dd331cbd681e48ecc95ec3184d2)) +* initial renovate config ([#67](https://github.com/BagelLab/uds-core/issues/67)) ([2cd19d8](https://github.com/BagelLab/uds-core/commit/2cd19d871a95491950d43fea8e8fd2e8c290cd55)) +* kick off ci ([1afc3a4](https://github.com/BagelLab/uds-core/commit/1afc3a4203cce1a1c81b15e7ba6caad1a9c63131)) +* **main:** release 0.1.1 ([#27](https://github.com/BagelLab/uds-core/issues/27)) ([3776e91](https://github.com/BagelLab/uds-core/commit/3776e91670aa73907cb9c48a05419d106ecedd67)) +* **main:** release 0.1.2 ([#29](https://github.com/BagelLab/uds-core/issues/29)) ([af7b0be](https://github.com/BagelLab/uds-core/commit/af7b0beaf409627c87b47e4d908b0a8a0d8cff63)) +* **main:** release 0.1.3 ([#31](https://github.com/BagelLab/uds-core/issues/31)) ([28ad8a7](https://github.com/BagelLab/uds-core/commit/28ad8a78b023f160714ecb90d748ee65403cf500)) +* **main:** release 0.10.0 ([#135](https://github.com/BagelLab/uds-core/issues/135)) ([5bb6f01](https://github.com/BagelLab/uds-core/commit/5bb6f016631fdef4f14848ff55588f33e6d4f07d)) +* **main:** release 0.11.0 ([#138](https://github.com/BagelLab/uds-core/issues/138)) ([c02ada8](https://github.com/BagelLab/uds-core/commit/c02ada860f532d8955af00637756ee622f3e9019)) +* **main:** release 0.11.1 ([#159](https://github.com/BagelLab/uds-core/issues/159)) ([2c493bb](https://github.com/BagelLab/uds-core/commit/2c493bb7c877a7193e45376a9d28aed832cff590)) +* **main:** release 0.12.0 
([#161](https://github.com/BagelLab/uds-core/issues/161)) ([e3c41e8](https://github.com/BagelLab/uds-core/commit/e3c41e82ba5bd776f2633cbde222ab05c5c513f3)) +* **main:** release 0.13.0 ([#170](https://github.com/BagelLab/uds-core/issues/170)) ([09c9447](https://github.com/BagelLab/uds-core/commit/09c9447fa47e5bd1f1d3ae627d7c3dab9c46d596)) +* **main:** release 0.13.1 ([#197](https://github.com/BagelLab/uds-core/issues/197)) ([e968fe9](https://github.com/BagelLab/uds-core/commit/e968fe9707f5a1f154b1fd19050ba46073427495)) +* **main:** release 0.14.0 ([#202](https://github.com/BagelLab/uds-core/issues/202)) ([d090f40](https://github.com/BagelLab/uds-core/commit/d090f4052679d1557973a17524923280c04807fd)) +* **main:** release 0.14.1 ([#218](https://github.com/BagelLab/uds-core/issues/218)) ([3199d8b](https://github.com/BagelLab/uds-core/commit/3199d8bc8cc8e11f9eccdb7075ce798572f6fa0a)) +* **main:** release 0.14.2 ([#221](https://github.com/BagelLab/uds-core/issues/221)) ([2ab4c54](https://github.com/BagelLab/uds-core/commit/2ab4c54618f40c8f195e4bbc1aee63024e488dc8)) +* **main:** release 0.14.3 ([#225](https://github.com/BagelLab/uds-core/issues/225)) ([05b1c19](https://github.com/BagelLab/uds-core/commit/05b1c196e4509ee38261a9b9bc8bc8531086b499)) +* **main:** release 0.14.4 ([#227](https://github.com/BagelLab/uds-core/issues/227)) ([d2d005b](https://github.com/BagelLab/uds-core/commit/d2d005b9caf0b067f850f752a3d6e643c99a74c6)) +* **main:** release 0.14.5 ([#230](https://github.com/BagelLab/uds-core/issues/230)) ([1acafca](https://github.com/BagelLab/uds-core/commit/1acafcadf0baa4567d4f0c41e3201fa40895d092)) +* **main:** release 0.15.0 ([#233](https://github.com/BagelLab/uds-core/issues/233)) ([f4f3699](https://github.com/BagelLab/uds-core/commit/f4f3699096e4f917cf36bcb15bdb47179569b74d)) +* **main:** release 0.15.1 ([#235](https://github.com/BagelLab/uds-core/issues/235)) ([a0c6b32](https://github.com/BagelLab/uds-core/commit/a0c6b327ada2a36a08a4dc4874248d9df65f5381)) +* 
**main:** release 0.16.0 ([#246](https://github.com/BagelLab/uds-core/issues/246)) ([efc64d4](https://github.com/BagelLab/uds-core/commit/efc64d45c6e78f3014258b80abdf35d0119bde36)) +* **main:** release 0.16.1 ([#265](https://github.com/BagelLab/uds-core/issues/265)) ([4e4eaea](https://github.com/BagelLab/uds-core/commit/4e4eaea6c16e010837bb1c0d5624ebda418bce6f)) +* **main:** release 0.17.0 ([#267](https://github.com/BagelLab/uds-core/issues/267)) ([510f536](https://github.com/BagelLab/uds-core/commit/510f536133e835f98bb524bfc9f437e6f716d9ef)) +* **main:** release 0.18.0 ([#286](https://github.com/BagelLab/uds-core/issues/286)) ([40e6b7b](https://github.com/BagelLab/uds-core/commit/40e6b7b711ddbd956058eda8490355568faddaec)) +* **main:** release 0.18.0 ([#318](https://github.com/BagelLab/uds-core/issues/318)) ([5f5e0b8](https://github.com/BagelLab/uds-core/commit/5f5e0b8a19daf0b51d9a102fd851ff76e5296d4e)) +* **main:** release 0.19.0 ([#320](https://github.com/BagelLab/uds-core/issues/320)) ([4ce502b](https://github.com/BagelLab/uds-core/commit/4ce502be3a5d83c28c259db8080a215f309c6ed7)) +* **main:** release 0.2.0 ([#34](https://github.com/BagelLab/uds-core/issues/34)) ([5185a8f](https://github.com/BagelLab/uds-core/commit/5185a8f98c90578eabd9f1494f55e43922bb7a92)) +* **main:** release 0.20.0 ([#345](https://github.com/BagelLab/uds-core/issues/345)) ([c29cc91](https://github.com/BagelLab/uds-core/commit/c29cc91cd2e41d5bbaee33deb173628c83ad0480)) +* **main:** release 0.21.0 ([#361](https://github.com/BagelLab/uds-core/issues/361)) ([c9f027f](https://github.com/BagelLab/uds-core/commit/c9f027f518de547b962b06defb836fba3c70ff3d)) +* **main:** release 0.21.1 ([#379](https://github.com/BagelLab/uds-core/issues/379)) ([b46a161](https://github.com/BagelLab/uds-core/commit/b46a161271bac3c167e554fadf673d2536b6b420)) +* **main:** release 0.22.0 ([#386](https://github.com/BagelLab/uds-core/issues/386)) 
([6367bef](https://github.com/BagelLab/uds-core/commit/6367bef04dab6803471b8f424210baedf2004d01)) +* **main:** release 0.22.1 ([#432](https://github.com/BagelLab/uds-core/issues/432)) ([7cf9c4c](https://github.com/BagelLab/uds-core/commit/7cf9c4c09dccc1d91edb7acbb2aee8750c5433ed)) +* **main:** release 0.22.2 ([#474](https://github.com/BagelLab/uds-core/issues/474)) ([84a408f](https://github.com/BagelLab/uds-core/commit/84a408fb23c1803bdbbf5e1f1ce64e97110f2829)) +* **main:** release 0.23.0 ([2ae4621](https://github.com/BagelLab/uds-core/commit/2ae4621ca40e3f4c5557644248321e8073a3585f)) +* **main:** release 0.23.0 ([8e992e3](https://github.com/BagelLab/uds-core/commit/8e992e385fc51e01f0e0df31dd8c7434660ea0d6)) +* **main:** release 0.23.0 ([d640453](https://github.com/BagelLab/uds-core/commit/d64045363c267dad4d10b447e7706b1e739765ae)) +* **main:** release 0.23.1 ([09c623a](https://github.com/BagelLab/uds-core/commit/09c623ac9fb0fe6c785d15245da8d84787cf3649)) +* **main:** release 0.23.2 ([6df0592](https://github.com/BagelLab/uds-core/commit/6df0592f5f336c50c6c7c7cec1f276f7c11f7cdb)) +* **main:** release 0.23.3 ([55cb491](https://github.com/BagelLab/uds-core/commit/55cb491c28ebf5ee7c40f2add5c588c47e9864b0)) +* **main:** release 0.23.4 ([e0e6ebc](https://github.com/BagelLab/uds-core/commit/e0e6ebc684e2004f9e2a3ca128d7401dc41bcc33)) +* **main:** release 0.3.0 ([#39](https://github.com/BagelLab/uds-core/issues/39)) ([4d2b05d](https://github.com/BagelLab/uds-core/commit/4d2b05de9d155dc91b799bde5156c5980bc348cb)) +* **main:** release 0.4.0 ([#43](https://github.com/BagelLab/uds-core/issues/43)) ([d2b61c3](https://github.com/BagelLab/uds-core/commit/d2b61c373b91d4f405e27ce930e4f8bec52ddd21)) +* **main:** release 0.4.1 ([#45](https://github.com/BagelLab/uds-core/issues/45)) ([d66eafe](https://github.com/BagelLab/uds-core/commit/d66eafea0ec9ccd412f5af3ed5ab12f3f8275a33)) +* **main:** release 0.5.0 ([#49](https://github.com/BagelLab/uds-core/issues/49)) 
([f9c4269](https://github.com/BagelLab/uds-core/commit/f9c426998f2bc4fc21c32b3492f25b8608f50282)) +* **main:** release 0.6.0 ([#53](https://github.com/BagelLab/uds-core/issues/53)) ([9b3ad64](https://github.com/BagelLab/uds-core/commit/9b3ad64a6e3870ce364cad77abd367cc8d493042)) +* **main:** release 0.6.1 ([#56](https://github.com/BagelLab/uds-core/issues/56)) ([4a5a42c](https://github.com/BagelLab/uds-core/commit/4a5a42c8fa9ee17656e462cb9df08562d9c85b96)) +* **main:** release 0.6.2 ([#59](https://github.com/BagelLab/uds-core/issues/59)) ([b1c49ac](https://github.com/BagelLab/uds-core/commit/b1c49ac70e8a293936dea8a516c32b7bb7e6fc4c)) +* **main:** release 0.7.0 ([#71](https://github.com/BagelLab/uds-core/issues/71)) ([51dcb54](https://github.com/BagelLab/uds-core/commit/51dcb54d239cb5636b0c4f55fde9fc2b2c3bf076)) +* **main:** release 0.7.1 ([#85](https://github.com/BagelLab/uds-core/issues/85)) ([da4040a](https://github.com/BagelLab/uds-core/commit/da4040aff739746dc2355ec0449ee762c05c56c1)) +* **main:** release 0.7.2 ([#88](https://github.com/BagelLab/uds-core/issues/88)) ([5e421ce](https://github.com/BagelLab/uds-core/commit/5e421ce011e42692c3cb6f1353cfb8a5edb846fb)) +* **main:** release 0.7.3 ([#93](https://github.com/BagelLab/uds-core/issues/93)) ([ddf8fa6](https://github.com/BagelLab/uds-core/commit/ddf8fa617853686b8c043d236c159bcd59c47ac0)) +* **main:** release 0.7.4 ([#100](https://github.com/BagelLab/uds-core/issues/100)) ([9abd78b](https://github.com/BagelLab/uds-core/commit/9abd78b11a90a67344fa93e8dba7fd53d6b58ea2)) +* **main:** release 0.8.0 ([#106](https://github.com/BagelLab/uds-core/issues/106)) ([3ab93c3](https://github.com/BagelLab/uds-core/commit/3ab93c30b132ff9c35c1f238008b15cd265abe92)) +* **main:** release 0.8.1 ([#112](https://github.com/BagelLab/uds-core/issues/112)) ([942ad54](https://github.com/BagelLab/uds-core/commit/942ad549b53e8ce87a33fae985bbe2f82c6fa75c)) +* **main:** release 0.9.0 ([#117](https://github.com/BagelLab/uds-core/issues/117)) 
([6b0c56b](https://github.com/BagelLab/uds-core/commit/6b0c56b8a6d60091e532ac36cd69ea6cd5ac1124)) +* **main:** release 0.9.1 ([#119](https://github.com/BagelLab/uds-core/issues/119)) ([984f916](https://github.com/BagelLab/uds-core/commit/984f91602c3b2873110d62a49c5df4ecfaa19f8a)) +* **main:** release 0.9.2 ([#121](https://github.com/BagelLab/uds-core/issues/121)) ([2d9b3c9](https://github.com/BagelLab/uds-core/commit/2d9b3c9fe288347879f2d78c8524b719d3772abd)) +* move api service watch to reconcile ([#362](https://github.com/BagelLab/uds-core/issues/362)) ([1822bca](https://github.com/BagelLab/uds-core/commit/1822bca6c397a5c8ea64b9355a9ba4f51fde4518)) +* open the aperture for pr workflow triggering ([#90](https://github.com/BagelLab/uds-core/issues/90)) ([d8a72f2](https://github.com/BagelLab/uds-core/commit/d8a72f2f2f3e507a4be7f217e23b737e3d4c35ce)) +* readme updates & use UDS CLI for zarf ([#137](https://github.com/BagelLab/uds-core/issues/137)) ([21de0ce](https://github.com/BagelLab/uds-core/commit/21de0cee2d70d67ca17b1d45c642e9ca4e1617ce)) +* refactor ci for releases to remove certain artifacts ([#125](https://github.com/BagelLab/uds-core/issues/125)) ([c08a062](https://github.com/BagelLab/uds-core/commit/c08a062bb3f3ede6860c3d7f34136b3e82b78715)) +* refactor promtail extraScrapeConfigs into scrapeConfigs ([#367](https://github.com/BagelLab/uds-core/issues/367)) ([2220272](https://github.com/BagelLab/uds-core/commit/222027240148e669edf40483d145ffc15567b1b7)) +* refactor validate.yaml file name and task name ([#62](https://github.com/BagelLab/uds-core/issues/62)) ([92a04ea](https://github.com/BagelLab/uds-core/commit/92a04ea1096448995ccc0dd9d77a32a5061e06f0)) +* remove emulated gitlab endpoints from keycloak ([#483](https://github.com/BagelLab/uds-core/issues/483)) ([495960c](https://github.com/BagelLab/uds-core/commit/495960ce8d40cf2ef7c0f0021b653db6fc6383bb)) +* remove retry-action action on registry1 docker login 
([#160](https://github.com/BagelLab/uds-core/issues/160)) ([eea0c93](https://github.com/BagelLab/uds-core/commit/eea0c93a0ff172bfc5a76d3eaca143ffc0d9fbe2)) +* remove version from neuvector zarf.yaml ([#11](https://github.com/BagelLab/uds-core/issues/11)) ([fbc8d51](https://github.com/BagelLab/uds-core/commit/fbc8d51e2b4146d394184d7596cd9a54219dc001)) +* renovate updates ([#140](https://github.com/BagelLab/uds-core/issues/140)) ([b71a013](https://github.com/BagelLab/uds-core/commit/b71a013bea30c9ca5e39f1dc6485fffaa86ca6b1)) +* simplify promtail values for scrape configs ([#94](https://github.com/BagelLab/uds-core/issues/94)) ([6c2513b](https://github.com/BagelLab/uds-core/commit/6c2513be89f064b44516b1d89c0d6005dd1d4d30)) +* support deselection of metrics-server ([#193](https://github.com/BagelLab/uds-core/issues/193)) ([289a0fe](https://github.com/BagelLab/uds-core/commit/289a0fee5315e8c4a70b3afe66165dd00a7dfbc1)) +* support headless keycloak admin user ([#307](https://github.com/BagelLab/uds-core/issues/307)) ([a0e51b6](https://github.com/BagelLab/uds-core/commit/a0e51b649822619b63478b140bb5dbbebeb20ff3)) +* test artifacts before publish ([#198](https://github.com/BagelLab/uds-core/issues/198)) ([9732f32](https://github.com/BagelLab/uds-core/commit/9732f325624244f4d34c127a949c6ce5951ff6ab)) +* test publish ([2cefa29](https://github.com/BagelLab/uds-core/commit/2cefa2938d60cfa40bd5c0f7ff44c2448c4f48a8)) +* trigger eks nightly when related files are updated ([#366](https://github.com/BagelLab/uds-core/issues/366)) ([6d6e4e0](https://github.com/BagelLab/uds-core/commit/6d6e4e0debbca3498cbc21db405eec48b3bcc240)) +* typo fix in README.md ([#280](https://github.com/BagelLab/uds-core/issues/280)) ([f9727e0](https://github.com/BagelLab/uds-core/commit/f9727e0b638e853bbae131d02019a2efb5286b0a)) +* update codeowners ([#338](https://github.com/BagelLab/uds-core/issues/338)) ([c419574](https://github.com/BagelLab/uds-core/commit/c41957409607c6335ebf6bd4ff30a1a9336a4870)) +* 
update release please extra-files to be explicit ([#26](https://github.com/BagelLab/uds-core/issues/26)) ([23f4999](https://github.com/BagelLab/uds-core/commit/23f49995771fb05cd18e7a077bf90e86ca5b7471)) +* updating keycloak chart version to align with image ([#378](https://github.com/BagelLab/uds-core/issues/378)) ([a60fe2a](https://github.com/BagelLab/uds-core/commit/a60fe2afed9f7cff3bcad6b0f563232b47e8025b)) + ## [0.23.0](https://github.com/BagelLab/uds-core/compare/v0.24.0...v0.23.0) (2024-07-17) From bd5640260eb060efad4174a2a27a6385edc2726e Mon Sep 17 00:00:00 2001 
From: Micah Nagel Date: Fri, 20 Sep 2024 11:27:39 -0600 Subject: [PATCH 58/61] rebase, test renovate [ci skip] --- .codespellrc | 5 + .github/actions/debug-output/action.yaml | 10 +- .github/actions/lint-check/action.yaml | 19 + .github/actions/notify-lula/action.yaml | 51 + .github/actions/save-logs/action.yaml | 2 +- .github/actions/setup/action.yaml | 15 +- .github/bundles/uds-bundle.yaml | 10 +- .github/filters.yaml | 71 + .github/test-infra/buckets-iac/main.tf | 8 +- .github/workflows/commitlint.yaml | 6 +- .github/workflows/compliance.yaml | 75 + .github/workflows/docs-shim.yaml | 43 + .github/workflows/lint-oscal.yaml | 56 + .github/workflows/nightly-testing.yaml | 11 + .github/workflows/publish.yaml | 46 +- .../workflows/pull-request-conditionals.yaml | 47 +- .github/workflows/slim-dev-test.yaml | 19 +- .github/workflows/test-eks.yaml | 26 +- .github/workflows/test-shim.yaml | 42 + .github/workflows/test.yaml | 12 + .husky/pre-commit | 12 + .lintstagedrc.json | 11 + .release-please-manifest.json | 2 +- .vscode/settings.json | 6 +- .yamllint | 3 + CHANGELOG.md | 826 ++--- CODEOWNERS | 6 +- CONTRIBUTING.md | 28 +- README.md | 5 +- bundles/k3d-slim-dev/README.md | 48 +- bundles/k3d-slim-dev/uds-bundle.yaml | 43 +- bundles/k3d-standard/README.md | 18 +- bundles/k3d-standard/uds-bundle.yaml | 35 +- bundles/k3d-standard/uds-ha-config.yaml | 8 + compliance/oscal-assessment-results.yaml | 2794 +++++++++++++++++ compliance/oscal-component.yaml | 39 + .../0001-record-architecture-decisions.md | 23 + docs/adrs/0002-uds-core-functional-layers.md | 77 + docs/application-baseline.md | 3 +- docs/configuration/istio/ingress.md | 5 +- .../resource-configuration-and-ha.md | 114 + docs/configuration/uds-operator.md | 55 +- docs/deployment/distribution-support.md | 10 +- docs/deployment/prerequisites.md | 104 + docs/deployment/uds-deploy.md | 2 +- package-lock.json | 2256 +++++++++---- package.json | 13 +- packages/slim-dev/zarf.yaml | 15 +- packages/standard/zarf.yaml | 23 +- 
release-please-config.json | 1 + renovate.json | 40 +- .../chart/templates/uds-package.yaml | 19 +- src/authservice/chart/values.yaml | 8 + src/authservice/common/zarf.yaml | 2 +- src/authservice/values/registry1-values.yaml | 2 +- src/authservice/values/unicorn-values.yaml | 2 +- src/authservice/values/upstream-values.yaml | 2 +- src/authservice/zarf.yaml | 6 +- src/grafana/chart/templates/uds-package.yaml | 35 +- src/grafana/common/zarf.yaml | 4 +- src/grafana/oscal-component.yaml | 7 +- src/grafana/values/registry1-values.yaml | 4 +- src/grafana/values/unicorn-values.yaml | 6 +- src/grafana/values/upstream-values.yaml | 6 +- src/grafana/values/values.yaml | 5 + src/grafana/zarf.yaml | 16 +- src/istio/chart/templates/gateway.yaml | 3 +- src/istio/chart/values.yaml | 2 + .../common/manifests/pepr-istio-config.yaml | 15 + src/istio/common/zarf.yaml | 4 +- src/istio/oscal-component.yaml | 2017 ++++++++---- src/istio/values/registry1-values.yaml | 6 +- src/istio/values/unicorn-values.yaml | 8 +- src/istio/values/upstream-values.yaml | 6 +- src/istio/zarf.yaml | 18 +- src/keycloak/chart/Chart.yaml | 2 +- src/keycloak/chart/templates/_helpers.tpl | 2 +- src/keycloak/chart/templates/istio-admin.yaml | 19 +- .../chart/templates/prometheusrule.yaml | 2 +- .../chart/templates/service-headless.yaml | 8 + .../chart/templates/service-http.yaml | 4 + src/keycloak/chart/templates/statefulset.yaml | 37 +- src/keycloak/chart/templates/uds-package.yaml | 30 +- src/keycloak/chart/values.schema.json | 416 +++ src/keycloak/chart/values.yaml | 21 +- src/keycloak/common/zarf.yaml | 4 +- src/keycloak/tasks.yaml | 2 +- src/keycloak/values/registry1-values.yaml | 2 +- src/keycloak/values/unicorn-values.yaml | 4 +- src/keycloak/values/upstream-values.yaml | 2 +- src/keycloak/zarf.yaml | 12 +- src/loki/chart/templates/uds-package.yaml | 18 +- src/loki/chart/values.yaml | 6 + src/loki/common/zarf.yaml | 4 +- src/loki/oscal-component.yaml | 7 +- src/loki/values/registry1-values.yaml | 8 +- 
src/loki/values/unicorn-values.yaml | 8 +- src/loki/values/upstream-values.yaml | 10 +- src/loki/values/values.yaml | 51 +- src/loki/zarf.yaml | 15 +- src/metrics-server/common/zarf.yaml | 4 +- .../values/registry1-values.yaml | 2 +- src/metrics-server/values/unicorn-values.yaml | 2 +- .../values/upstream-values.yaml | 2 +- src/metrics-server/zarf.yaml | 12 +- src/neuvector/chart/templates/_helpers.tpl | 16 + .../chart/templates/internal-cert.yaml | 18 + .../chart/templates/uds-package.yaml | 12 +- src/neuvector/chart/values.yaml | 2 + src/neuvector/common/zarf.yaml | 20 +- src/neuvector/oscal-component.yaml | 7 +- .../values/registry1-monitor-values.yaml | 9 - src/neuvector/values/registry1-values.yaml | 5 +- .../values/unicorn-config-values.yaml | 1 + .../values/unicorn-monitor-values.yaml | 5 - src/neuvector/values/unicorn-values.yaml | 21 +- .../values/upstream-monitor-values.yaml | 5 - src/neuvector/values/upstream-values.yaml | 3 +- src/neuvector/values/values.yaml | 17 - src/neuvector/zarf.yaml | 53 +- src/pepr/config.ts | 7 + src/pepr/operator/README.md | 9 +- .../controllers/exemptions/exemptions.spec.ts | 3 +- .../controllers/exemptions/exemptions.ts | 9 +- .../operator/controllers/istio/injection.ts | 12 + .../controllers/istio/virtual-service.spec.ts | 19 +- .../controllers/istio/virtual-service.ts | 2 +- .../authservice/authorization-policy.ts | 8 +- .../keycloak/authservice/config.ts | 10 +- .../controllers/keycloak/authservice/types.ts | 1 + .../controllers/keycloak/client-sync.spec.ts | 163 +- .../controllers/keycloak/client-sync.ts | 120 +- .../operator/controllers/keycloak/types.ts | 35 + .../controllers/network/generate.spec.ts | 171 + .../operator/controllers/network/generate.ts | 108 +- .../network/generators/remoteCidr.ts | 12 + src/pepr/operator/controllers/utils.ts | 11 + .../crd/generated/package-v1alpha1.ts | 97 +- .../crd/generated/prometheus/podmonitor-v1.ts | 361 ++- .../generated/prometheus/servicemonitor-v1.ts | 365 ++- 
src/pepr/operator/crd/index.ts | 1 + .../sources/istio/virtualservice-v1beta1.ts | 61 +- .../operator/crd/sources/package/v1alpha1.ts | 57 +- .../crd/validators/package-validator.spec.ts | 526 ++++ .../crd/validators/package-validator.ts | 83 +- .../reconcilers/package-reconciler.ts | 19 +- src/pepr/policies/index.ts | 17 +- src/pepr/policies/security.ts | 30 +- src/pepr/prometheus/index.ts | 8 +- src/pepr/uds-operator-config/Chart.yaml | 18 + .../templates/_helpers.tpl | 62 + .../uds-operator-config/templates/secret.yaml | 12 + src/pepr/uds-operator-config/values.yaml | 9 + src/pepr/values.yaml | 12 + src/pepr/zarf.yaml | 82 + .../templates/prometheus-pod-monitor.yaml | 5 + .../chart/templates/uds-package.yaml | 10 +- src/prometheus-stack/common/zarf.yaml | 4 +- src/prometheus-stack/oscal-component.yaml | 7 +- src/prometheus-stack/tasks.yaml | 9 + .../values/registry1-values.yaml | 12 +- .../values/unicorn-values.yaml | 12 +- .../values/upstream-values.yaml | 12 +- src/prometheus-stack/values/values.yaml | 4 +- src/prometheus-stack/zarf.yaml | 38 +- src/promtail/chart/templates/uds-package.yaml | 11 +- src/promtail/common/zarf.yaml | 4 +- src/promtail/oscal-component.yaml | 7 +- src/promtail/values/registry1-values.yaml | 2 +- src/promtail/values/unicorn-values.yaml | 4 +- src/promtail/values/upstream-values.yaml | 2 +- src/promtail/zarf.yaml | 8 +- src/runtime/README.md | 3 + src/runtime/tasks.yaml | 32 + src/runtime/zarf.yaml | 28 + src/test/tasks.yaml | 24 + src/velero/README.md | 44 +- src/velero/chart/templates/uds-package.yaml | 14 +- src/velero/chart/values.yaml | 6 + src/velero/common/zarf.yaml | 2 +- src/velero/oscal-component.yaml | 75 +- src/velero/tasks.yaml | 2 +- src/velero/values/registry1-values.yaml | 8 +- src/velero/values/unicorn-values.yaml | 10 +- src/velero/values/upstream-values.yaml | 10 +- src/velero/zarf.yaml | 22 +- tasks.yaml | 25 +- tasks/create.yaml | 17 +- tasks/deploy.yaml | 16 +- tasks/iac.yaml | 49 +- tasks/lint.yaml | 21 +- 
tasks/publish.yaml | 2 +- tasks/setup.yaml | 6 +- tasks/test.yaml | 26 + 194 files changed, 10639 insertions(+), 2786 deletions(-) create mode 100644 .codespellrc create mode 100644 .github/actions/lint-check/action.yaml create mode 100644 .github/actions/notify-lula/action.yaml create mode 100644 .github/workflows/compliance.yaml create mode 100644 .github/workflows/docs-shim.yaml create mode 100644 .github/workflows/lint-oscal.yaml create mode 100644 .github/workflows/test-shim.yaml create mode 100755 .husky/pre-commit create mode 100644 .lintstagedrc.json create mode 100644 bundles/k3d-standard/uds-ha-config.yaml create mode 100644 compliance/oscal-assessment-results.yaml create mode 100644 compliance/oscal-component.yaml create mode 100644 docs/adrs/0001-record-architecture-decisions.md create mode 100644 docs/adrs/0002-uds-core-functional-layers.md create mode 100644 docs/configuration/resource-configuration-and-ha.md create mode 100644 docs/deployment/prerequisites.md create mode 100644 src/keycloak/chart/values.schema.json create mode 100644 src/neuvector/chart/templates/internal-cert.yaml delete mode 100644 src/neuvector/values/registry1-monitor-values.yaml create mode 100644 src/neuvector/values/unicorn-config-values.yaml delete mode 100644 src/neuvector/values/unicorn-monitor-values.yaml delete mode 100644 src/neuvector/values/upstream-monitor-values.yaml create mode 100644 src/pepr/operator/controllers/network/generate.spec.ts create mode 100644 src/pepr/operator/controllers/network/generators/remoteCidr.ts create mode 100644 src/pepr/operator/crd/validators/package-validator.spec.ts create mode 100644 src/pepr/uds-operator-config/Chart.yaml create mode 100644 src/pepr/uds-operator-config/templates/_helpers.tpl create mode 100644 src/pepr/uds-operator-config/templates/secret.yaml create mode 100644 src/pepr/uds-operator-config/values.yaml create mode 100644 src/pepr/values.yaml create mode 100644 src/pepr/zarf.yaml create mode 100644 
src/runtime/README.md create mode 100644 src/runtime/tasks.yaml create mode 100644 src/runtime/zarf.yaml diff --git a/.codespellrc b/.codespellrc new file mode 100644 index 000000000..014984d38 --- /dev/null +++ b/.codespellrc @@ -0,0 +1,5 @@ +# Lint Codespell configurations +[codespell] +skip = .codespellrc,.git,node_modules,build,dist,*.zst,CHANGELOG.md +ignore-words-list = NotIn,AKS +enable-colors = \ No newline at end of file diff --git a/.github/actions/debug-output/action.yaml b/.github/actions/debug-output/action.yaml index e0fc26536..106319e4a 100644 --- a/.github/actions/debug-output/action.yaml +++ b/.github/actions/debug-output/action.yaml @@ -7,18 +7,18 @@ runs: - name: Print basic debug info for a k8s cluster run: | echo "::group::kubectl get all" - uds zarf tools kubectl get all -A | tee /tmp/debug-k-get-all.log + uds zarf tools kubectl get all -A | tee /tmp/debug-k-get-all.log || true echo "::endgroup::" echo "::group::kubectl get pv,pvc" - uds zarf tools kubectl get pv,pvc -A | tee /tmp/debug-k-get-pv-pvc.log + uds zarf tools kubectl get pv,pvc -A | tee /tmp/debug-k-get-pv-pvc.log || true echo "::endgroup::" echo "::group::kubectl get package" - uds zarf tools kubectl get package -A | tee /tmp/debug-k-get-package.log + uds zarf tools kubectl get package -A | tee /tmp/debug-k-get-package.log || true echo "::endgroup::" echo "::group::kubectl get events" - uds zarf tools kubectl get events -A --sort-by='.lastTimestamp' | tee /tmp/debug-k-get-events.log + uds zarf tools kubectl get events -A --sort-by='.lastTimestamp' | tee /tmp/debug-k-get-events.log || true echo "::endgroup::" echo "::group::kubectl describe nodes" - uds zarf tools kubectl describe nodes k3d-uds-server-0 | tee /tmp/debug-k-describe-node.log + uds zarf tools kubectl describe nodes k3d-uds-server-0 | tee /tmp/debug-k-describe-node.log || true echo "::endgroup::" shell: bash 
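Review bot: `enable-colors =` in the new .codespellrc is left with an empty value, and the file ends without a trailing newline (`\ No newline at end of file`). Whether codespell's config reader treats a bare key as a boolean flag or as an empty string is not visible from here; if the bare form is intentional, a one-line comment such as `# bare key enables the flag; codespell accepts no value here` records that for the next reader, otherwise give it an explicit value or drop the key. Adding the final newline keeps the no-newline marker out of every future diff of this file.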
diff --git a/.github/actions/lint-check/action.yaml b/.github/actions/lint-check/action.yaml new file mode 100644 index 000000000..3840fd3d1 --- /dev/null +++ b/.github/actions/lint-check/action.yaml @@ -0,0 +1,19 @@ +name: lint-check +description: "Check Project for Linting Errors" + +runs: + using: composite + steps: + - name: Use Node.js latest + uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3 + with: + node-version: 20 + - name: Set up Homebrew + uses: Homebrew/actions/setup-homebrew@master + - name: Install UDS CLI + # renovate: datasource=github-tags depName=defenseunicorns/uds-cli versioning=semver + run: brew install defenseunicorns/tap/uds@0.15.0 + shell: bash + - name: Run Formatting Checks + run: uds run lint-check --no-progress + shell: bash diff --git a/.github/actions/notify-lula/action.yaml b/.github/actions/notify-lula/action.yaml new file mode 100644 index 000000000..c3e978a0d --- /dev/null +++ b/.github/actions/notify-lula/action.yaml 
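Review bot: `uses: Homebrew/actions/setup-homebrew@master` in the new lint-check composite action floats on a mutable branch, while the other action in the same file (`actions/setup-node@1e60f…`) and every action touched elsewhere in this commit is pinned to a commit SHA with a `# vX.Y.Z` comment. A branch reference can change underneath CI with no Renovate PR and no integrity check, so pin it in the same style, e.g. `uses: Homebrew/actions/setup-homebrew@<commit-sha> # <tag>`, with `<commit-sha>` and `<tag>` filled from the upstream repository. The identical floating ref is kept as a context line in .github/actions/setup/action.yaml, so the pin should land in both places.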
@@ -0,0 +1,51 @@ +name: Notify Lula +description: "Comment on PR to notify Lula Team" + + +inputs: + state: + description: 'state of the comment update' + required: true + default: '' + flavor: + description: 'flavor of the comment update' + required: true + default: '' + ghToken: + description: 'GITHUB_TOKEN' + required: true + +runs: + using: composite + steps: + - name: Find Comment + uses: peter-evans/find-comment@3eae4d37986fb5a8592848f6a574fdf654e61f9e # v3.1.0 + id: fc + with: + issue-number: ${{ github.event.pull_request.number }} + comment-author: 'github-actions[bot]' + body-includes: Compliance ${{ inputs.flavor }} Evaluation + token: ${{ inputs.ghToken }} + + - name: Create comment + if: ${{ steps.fc.outputs.comment-id == '' && inputs.state == 'failure'}} + uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0 + with: + issue-number: ${{ github.event.pull_request.number }} + token: ${{ inputs.ghToken }} + body: | + Compliance ${{ inputs.flavor }} Evaluation: ${{ inputs.state }} + + CC: @defenseunicorns/lula-dev + + - name: Update comment + if: ${{ steps.fc.outputs.comment-id != '' }} + uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0 + with: + comment-id: ${{ steps.fc.outputs.comment-id }} + token: ${{ inputs.ghToken }} + edit-mode: replace + body: | + Compliance ${{ inputs.flavor }} Evaluation: ${{ inputs.state }} + + CC: @defenseunicorns/lula-dev diff --git a/.github/actions/save-logs/action.yaml b/.github/actions/save-logs/action.yaml index 21887dbb3..88ed686e8 100644 --- a/.github/actions/save-logs/action.yaml +++ b/.github/actions/save-logs/action.yaml @@ -34,7 +34,7 @@ runs: sudo chown $USER /tmp/uds-*.log || echo "" shell: bash - - uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4 + - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 with: name: debug-log${{ inputs.suffix }} path: | 
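Review bot: The `state` and `flavor` inputs of notify-lula are declared `required: true` but also carry `default: ''`, which is contradictory: as far as I know GitHub does not enforce `required` on composite-action inputs, so a caller that omits one silently gets the empty string, the `Create comment` gate `inputs.state == 'failure'` never fires, and `Find Comment` searches for the literal `Compliance  Evaluation`. Drop the two `default: ''` lines and, if a hard failure on a missing value is wanted, add a first step such as `if: ${{ inputs.state == '' || inputs.flavor == '' }}` that runs `exit 1`. It would also help to note in `ghToken`'s description that the token must carry `pull-requests: write`, since the calling workflow has to grant it for the create/update steps to succeed.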
diff --git a/.github/actions/setup/action.yaml b/.github/actions/setup/action.yaml index b7ba25e55..05b90f9a3 100644 --- a/.github/actions/setup/action.yaml +++ b/.github/actions/setup/action.yaml @@ -19,13 +19,14 @@ runs: using: "composite" steps: - name: Use Node.js latest - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2 + uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3 with: node-version: 20 - name: Install k3d shell: bash - run: curl -s https://raw.githubusercontent.com/k3d-io/k3d/main/install.sh | TAG=v5.6.0 bash + # renovate: datasource=github-tags depName=k3d-io/k3d versioning=semver + run: curl -s https://raw.githubusercontent.com/k3d-io/k3d/main/install.sh | TAG=v5.7.4 bash - name: Set up Homebrew uses: Homebrew/actions/setup-homebrew@master @@ -33,7 +34,13 @@ runs: - name: Install UDS CLI shell: bash # renovate: datasource=github-tags depName=defenseunicorns/uds-cli versioning=semver - run: brew install defenseunicorns/tap/uds@0.12.0 + run: brew install defenseunicorns/tap/uds@0.15.0 + + - name: Install Lula + uses: defenseunicorns/lula-action/setup@badad8c4b1570095f57e66ffd62664847698a3b9 # v0.0.1 + with: + # renovate: datasource=github-tags depName=defenseunicorns/lula versioning=semver-coerced + version: v0.7.0 - name: Iron Bank Login if: ${{ inputs.registry1Username != '' }} @@ -45,7 +52,7 @@ runs: - name: Chainguard Login if: ${{ inputs.chainguardIdentity != '' }} - uses: chainguard-dev/setup-chainctl@fc62b08dfd3179dd694b50f672bc371f878fbd1e # v0.2.1 + uses: chainguard-dev/setup-chainctl@f52718d822dc73d21a04ef2082822c4a203163b3 # v0.2.2 with: identity: ${{ inputs.chainguardIdentity }} diff --git a/.github/bundles/uds-bundle.yaml b/.github/bundles/uds-bundle.yaml index e1ed93fe6..0d9c226a5 100644 --- a/.github/bundles/uds-bundle.yaml +++ b/.github/bundles/uds-bundle.yaml 
@@ -3,19 +3,21 @@ metadata: name: uds-core-eks-nightly description: A UDS bundle for deploying EKS and UDS Core # x-release-please-start-version - version: "0.23.0" + version: "0.27.3" # x-release-please-end packages: - name: init - repository: ghcr.io/defenseunicorns/packages/init - ref: v0.35.0 + repository: ghcr.io/zarf-dev/packages/init + ref: v0.40.1 - name: core path: ../../build/ # x-release-please-start-version - ref: 0.23.0 + ref: 0.27.3 # x-release-please-end + optionalComponents: + - metrics-server overrides: velero: velero: diff --git a/.github/filters.yaml b/.github/filters.yaml index 0e97ddef8..29fbf82ca 100644 --- a/.github/filters.yaml +++ b/.github/filters.yaml 
@@ -3,25 +3,96 @@ all: authservice: - "src/authservice/**" + - "!**/*.md" + - "!**/*.jpg" + - "!**/*.png" + - "!**/*.gif" + - "!**/*.svg" + grafana: - "src/grafana/**" + - "!**/*.md" + - "!**/*.jpg" + - "!**/*.png" + - "!**/*.gif" + - "!**/*.svg" + istio: - "src/istio/**" + - "!**/*.md" + - "!**/*.jpg" + - "!**/*.png" + - "!**/*.gif" + - "!**/*.svg" + keycloak: - "src/keycloak/**" + - "!**/*.md" + - "!**/*.jpg" + - "!**/*.png" + - "!**/*.gif" + - "!**/*.svg" + kiali: - "src/kiali/**" + - "!**/*.md" + - "!**/*.jpg" + - "!**/*.png" + - "!**/*.gif" + - "!**/*.svg" + loki: - "src/loki/**" + - "!**/*.md" + - "!**/*.jpg" + - "!**/*.png" + - "!**/*.gif" + - "!**/*.svg" + metrics-server: - "src/metrics-server/**" + - "!**/*.md" + - "!**/*.jpg" + - "!**/*.png" + - "!**/*.gif" + - "!**/*.svg" + neuvector: - "src/neuvector/**" + - "!**/*.md" + - "!**/*.jpg" + - "!**/*.png" + - "!**/*.gif" + - "!**/*.svg" + prometheus-stack: - "src/prometheus-stack/**" + - "!**/*.md" + - "!**/*.jpg" + - "!**/*.png" + - "!**/*.gif" + - "!**/*.svg" + promtail: - "src/promtail/**" + - "!**/*.md" + - "!**/*.jpg" + - "!**/*.png" + - "!**/*.gif" + - "!**/*.svg" + tempo: - "src/tempo/**" + - "!**/*.md" + - "!**/*.jpg" + - "!**/*.png" + - "!**/*.gif" + - "!**/*.svg" + velero: - "src/velero/**" + - "!**/*.md" + - "!**/*.jpg" + - "!**/*.png" + - "!**/*.gif" + - "!**/*.svg" diff --git a/.github/test-infra/buckets-iac/main.tf b/.github/test-infra/buckets-iac/main.tf index ecff53b71..6e4094b0f 100644 --- a/.github/test-infra/buckets-iac/main.tf +++ b/.github/test-infra/buckets-iac/main.tf @@ -9,7 +9,7 @@ provider "aws" { } terraform { - required_version = "1.5.7" + required_version = ">= 1.8.0" backend "s3" { } required_providers { @@ -20,7 +20,7 @@ terraform { random = { source = "hashicorp/random" - version = "3.5.1" + version = "3.6.3" } } } 
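Review bot: The twelve identical `!**/*.md` / `.jpg` / `.png` / `.gif` / `.svg` exclusion blocks added to filters.yaml only take effect because the caller sets `predicate-quantifier: every` (added to pull-request-conditionals.yaml in this same commit); with the action's default quantifier a package matches as soon as any file under `src/<pkg>/**` changes and the negations are ignored. That dependency is invisible from this file, so a header comment such as `# Negated patterns below require predicate-quantifier: every on the dorny/paths-filter step` would spare a future reader a confusing debugging session. The repeated block could be shared through a YAML anchor if paths-filter's parser honours aliases, but I cannot confirm that from the page, so leave the duplication unless it is tested.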
@@ -67,7 +67,7 @@ resource "random_id" "unique_id" { module "generate_kms" { for_each = local.bucket_configurations - source = "github.com/defenseunicorns/terraform-aws-uds-kms?ref=v0.0.2" + source = "github.com/defenseunicorns/terraform-aws-uds-kms?ref=v0.0.6" key_owners = var.key_owner_arns # A list of IAM ARNs for those who will have full key permissions (`kms:*`) @@ -91,7 +91,7 @@ module "S3" { module "irsa" { for_each = local.bucket_configurations - source = "github.com/defenseunicorns/terraform-aws-uds-irsa?ref=v0.0.2" + source = "github.com/defenseunicorns/terraform-aws-uds-irsa?ref=v0.0.3" name = each.value.name kubernetes_service_account = each.value.service_account kubernetes_namespace = each.value.namespace diff --git a/.github/workflows/commitlint.yaml b/.github/workflows/commitlint.yaml index 21b024bbe..72aaec48d 100644 --- a/.github/workflows/commitlint.yaml +++ b/.github/workflows/commitlint.yaml @@ -20,12 +20,12 @@ jobs: fetch-depth: 0 - name: Setup Node.js - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2 + uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3 - name: Install commitlint run: | - npm install --save-dev @commitlint/config-conventional@19.2.2 - npm install --save-dev @commitlint/cli@19.3.0 + npm install --save-dev @commitlint/config-conventional@19.5.0 + npm install --save-dev @commitlint/cli@19.5.0 - name: Lint PR title env: diff --git a/.github/workflows/compliance.yaml b/.github/workflows/compliance.yaml new file mode 100644 index 000000000..74b8d54d3 --- /dev/null +++ b/.github/workflows/compliance.yaml 
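Review bot: The module sources in both main.tf hunks (`terraform-aws-uds-kms?ref=v0.0.6` and `terraform-aws-uds-irsa?ref=v0.0.3`) are pinned to git tags, which are mutable references: unlike the SHA-pinned GitHub Actions elsewhere in this commit, a moved tag changes the infrastructure code with no diff in this repository. Pin `ref=` to the full commit SHA and keep the tag in a trailing comment, mirroring the actions style, e.g. `source = "github.com/defenseunicorns/terraform-aws-uds-kms?ref=<commit-sha>" # v0.0.6`. Relatedly, the earlier hunk relaxes `required_version` from the exact `"1.5.7"` to the open-ended `">= 1.8.0"` while test-eks.yaml installs a specific `tofu_version: 1.8.1`; a pessimistic constraint such as `required_version = "~> 1.8"` keeps the two from drifting apart across a major bump.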
@@ -0,0 +1,75 @@ +name: Compliance Evaluation + +on: + # Manual trigger + workflow_dispatch: + inputs: + flavor: + type: string + description: "Flavor of the source package to test" + required: true + # Triggered by pull-request-conditionals.yaml + workflow_call: + inputs: + flavor: + type: string + description: "Flavor of the source package to test" + required: true + +permissions: + contents: read + pull-requests: write + +jobs: + evaluate: + runs-on: ubuntu-latest + name: Evaluate + continue-on-error: true + # env: + # UDS_PKG: ${{ inputs.package }} + steps: + # Used to execute the uds run command + - name: Checkout repository + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + + - name: Environment setup + uses: ./.github/actions/setup + + - name: review compliance directory + run: ls -al ./compliance/ + shell: bash + + - name: remove overlapping file + run: rm ./compliance/oscal-assessment-results.yaml + shell: bash + + - name: Download assessment + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 + with: + name: ${{ inputs.flavor }}-assessment-results + path: ./compliance + + - name: review compliance directory again + run: ls -al ./compliance/ + shell: bash + + - name: Evaluate compliance + id: compliance-evaluation + run: uds run test-compliance-evaluate --no-progress + + # steps in this action only run when there has been a previous failure - will indicate success thereafter + # need to think about how much noise this could create - noise currently = good + - name: Notify Lula Team of Compliance Assessment Results + if: ${{ always() }} + uses: ./.github/actions/notify-lula + with: + state: ${{ steps.compliance-evaluation.outcome }} + flavor: ${{ inputs.flavor }} + ghToken: ${{ secrets.GITHUB_TOKEN }} + + - name: Upload Evaluated Assessment + uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 + with: + name: ${{ inputs.flavor }}-assessment-results + path: 
./compliance/oscal-assessment-results.yaml + overwrite: true diff --git a/.github/workflows/docs-shim.yaml b/.github/workflows/docs-shim.yaml new file mode 100644 index 000000000..2ae466cc6 --- /dev/null +++ b/.github/workflows/docs-shim.yaml @@ -0,0 +1,43 @@ +name: CI Docs + +on: + pull_request: + types: [milestoned, opened, reopened, synchronize] + paths: + - "**.md" + - "**.jpg" + - "**.png" + - "**.gif" + - "**.svg" + - docs/** + - .vscode/** + - .gitignore + - renovate.json + - .release-please-config.json + - release-please-config.json + - CODEOWNERS + - LICENSE + +jobs: + lint-check: + runs-on: ubuntu-latest + steps: + - name: Checkout repository + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - name: lint-check + uses: ./.github/actions/lint-check + + run-package-test: + needs: lint-check + name: Schedule + strategy: + matrix: + package: [all] + flavor: [upstream, registry1, unicorn] + test_type: [install, upgrade] + uses: ./.github/workflows/test-shim.yaml + with: + package: ${{ matrix.package }} + flavor: ${{ matrix.flavor }} + test_type: ${{ matrix.test_type }} + secrets: inherit # Inherits all secrets from the parent workflow. diff --git a/.github/workflows/lint-oscal.yaml b/.github/workflows/lint-oscal.yaml new file mode 100644 index 000000000..4f1501e1b --- /dev/null +++ b/.github/workflows/lint-oscal.yaml 
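Review bot: `continue-on-error: true` on the `evaluate` job means a failed `Evaluate compliance` step never surfaces as a failed check on the PR; the only signal is the comment posted by notify-lula, so anyone reading the workflow status alone sees green regardless of the result. If the job is deliberately advisory, say so next to the key, e.g. `# advisory: results are reported via PR comment, not check status`; otherwise drop the line, since `if: ${{ always() }}` on the notify step already runs it after a failure. Under the `workflow_dispatch` trigger `github.event.pull_request.number` is empty and `Download assessment` has no artifact from test.yaml in that run, so the manual path likely fails at download or at the comment step; gating those steps on `github.event_name == 'pull_request'` or documenting that manual runs are not supported would make the behaviour explicit. The commented-out `env:` block should be removed or explained.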
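Review bot: `secrets: inherit` on `run-package-test` in docs-shim.yaml hands every repository secret to test-shim.yaml, whose only step is `echo skipped`; the shim declares no secrets and needs none, so the line should be dropped to keep secret exposure limited to workflows that use them. If the shim later needs a token, declare that one secret on its `workflow_call` instead. The `paths` list here mirrors the `paths-ignore` list in pull-request-conditionals.yaml entry for entry and the two must stay in sync for the shim to cover exactly the PRs that workflow skips; a comment such as `# Keep in sync with paths-ignore in pull-request-conditionals.yaml` above `paths:` would help.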
@@ -0,0 +1,56 @@ +name: Lint OSCAL Files + +on: + pull_request: + # milestoned is added here as a workaround for release-please not triggering PR workflows (PRs should be added to a milestone to trigger the workflow). + types: [milestoned, opened, reopened, synchronize] + paths: + - '**/*oscal*.yaml' + +permissions: + contents: read + +jobs: + + check-oscal-paths: + runs-on: ubuntu-latest + name: OSCAL Change Detection + outputs: + oscal: ${{ steps.path-filter.outputs.oscal }} + oscal_files: ${{ steps.path-filter.outputs.oscal_files }} + steps: + - name: Checkout the code + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + + # Uses a custom action to filter paths for source packages. + - name: Check src paths + id: path-filter + uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3 + with: + filters: | + oscal: + - added|modified: "**/*oscal*.yaml" + list-files: shell + + lint-oscal: + needs: check-oscal-paths + if: ${{ needs.check-oscal-paths.outputs.oscal == 'true' }} + runs-on: ubuntu-latest + steps: + # filter the files to remove not oscal files (such as those titles oscal-* under ./.github) + - name: Identify changed OSCAL files + id: find_changed_files + run: | + CHANGED_FILES=$(echo "${{ needs.check-oscal-paths.outputs.oscal_files }}" | tr ' ' '\n' | grep -v ".github*" | tr '\n' ',' | sed 's/.$//' || true) + echo "Changed OSCAL files: $CHANGED_FILES" + echo "oscal_files=$CHANGED_FILES" >> "$GITHUB_OUTPUT" + shell: bash + # checkout for access to the oscal files targeted for linting + - name: Checkout the code + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - name: Environment setup + uses: ./.github/actions/setup + # lint the oscal files + - name: lint-oscal + run: uds run lint-oscal --set OSCALFILES=${{ steps.find_changed_files.outputs.oscal_files }} --no-progress + shell: bash 
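Review bot: Both `run:` scripts in the `lint-oscal` job expand `${{ needs.check-oscal-paths.outputs.oscal_files }}` and `${{ steps.find_changed_files.outputs.oscal_files }}` directly into the shell script text. Those outputs are built from file names in the pull request, so a path containing shell metacharacters is substituted before bash parses the script and is interpreted as code rather than data; the workflow runs on `pull_request` with a read-only token, which limits the impact, but the safe pattern is an `env:` binding read as `"$OSCAL_FILES"`, as below. The `grep -v ".github*"` filter is a regex in which `.` matches any character and `b*` matches zero or more `b`, so `grep -v '^\.github/'` states the intent (drop files under .github) more precisely. Note that `list-files: shell` emits a shell-quoted list, so the `tr ' ' '\n'` split will still mishandle names containing spaces; I am hedging on that since the action's exact output format is not visible here.
```yaml
      - name: Identify changed OSCAL files
        id: find_changed_files
        env:
          OSCAL_FILES: ${{ needs.check-oscal-paths.outputs.oscal_files }}
        run: |
          CHANGED_FILES=$(echo "$OSCAL_FILES" | tr ' ' '\n' | grep -v '^\.github/' | tr '\n' ',' | sed 's/.$//' || true)
          echo "Changed OSCAL files: $CHANGED_FILES"
          echo "oscal_files=$CHANGED_FILES" >> "$GITHUB_OUTPUT"
        shell: bash
      # … unchanged: checkout and environment setup steps …
      - name: lint-oscal
        env:
          OSCAL_FILES: ${{ steps.find_changed_files.outputs.oscal_files }}
        run: uds run lint-oscal --set OSCALFILES="$OSCAL_FILES" --no-progress
        shell: bash
```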
diff --git a/.github/workflows/nightly-testing.yaml b/.github/workflows/nightly-testing.yaml index 77afeb45b..526dd2ab6 100644 --- a/.github/workflows/nightly-testing.yaml +++ b/.github/workflows/nightly-testing.yaml @@ -10,8 +10,19 @@ on: - .github/bundles/* - .github/test-infra/buckets-iac/* +# Abort prior jobs in the same workflow / PR +concurrency: + group: test-eks-dev-${{ github.ref }} + cancel-in-progress: true + jobs: nightly-testing: name: Test Core on EKS uses: ./.github/workflows/test-eks.yaml + strategy: + matrix: + flavor: [upstream, registry1, unicorn] + fail-fast: false + with: + flavor: ${{ matrix.flavor }} secrets: inherit diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml index 9269a79fc..bfb1d49dd 100644 --- a/.github/workflows/publish.yaml +++ b/.github/workflows/publish.yaml @@ -1,6 +1,7 @@ name: Publish UDS Core on: + # triggered by tag-and-release.yaml and snapshot-release.yaml workflow_call: inputs: snapshot: @@ -13,8 +14,7 @@ jobs: strategy: matrix: flavor: [upstream, registry1, unicorn] - fail-fast: false - runs-on: "ubuntu-latest" + runs-on: "uds-ubuntu-big-boy-8-core" name: Publish packages permissions: 
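Review bot: Removing `fail-fast: false` from the publish matrix (hunk `@@ -13,8 +14,7 @@`) means a failure in one flavor cancels the in-progress `upstream`/`registry1`/`unicorn` siblings, which for a publish job can leave a release with some flavors pushed and others missing. If that trade-off is intended, a comment on `strategy:` saying so would help; otherwise restore `fail-fast: false` so each flavor publishes or fails independently. The switch to `runs-on: "uds-ubuntu-big-boy-8-core"` also appears to move release builds onto a self-hosted runner that now handles publish credentials; a short comment on what that runner is and how it is isolated would be useful for anyone reviewing the release path.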
@@ -49,30 +49,30 @@ jobs: yq -ei '.metadata.version=env(SNAPSHOT_VERSION)' packages/standard/zarf.yaml yq -ei '.metadata.version=env(SNAPSHOT_VERSION)' packages/slim-dev/zarf.yaml - # - name: Create Packages and Bundles - # run: | - # ZARF_ARCHITECTURE=amd64 uds run -f tasks/create.yaml standard-package --no-progress --set FLAVOR=${{ matrix.flavor }} - # ZARF_ARCHITECTURE=amd64 uds run -f tasks/create.yaml k3d-standard-bundle --no-progress - # ZARF_ARCHITECTURE=amd64 uds run -f tasks/create.yaml slim-dev-package --no-progress --set FLAVOR=${{ matrix.flavor }} - # ZARF_ARCHITECTURE=amd64 uds run -f tasks/create.yaml k3d-slim-dev-bundle --no-progress + - name: Create Packages and Bundles + run: | + ZARF_ARCHITECTURE=amd64 uds run -f tasks/create.yaml standard-package --no-progress --set FLAVOR=${{ matrix.flavor }} + ZARF_ARCHITECTURE=amd64 uds run -f tasks/create.yaml k3d-standard-bundle --no-progress + ZARF_ARCHITECTURE=amd64 uds run -f tasks/create.yaml slim-dev-package --no-progress --set FLAVOR=${{ matrix.flavor }} + ZARF_ARCHITECTURE=amd64 uds run -f tasks/create.yaml k3d-slim-dev-bundle --no-progress - # if [ "${{ matrix.flavor }}" != "registry1" ]; then - # ZARF_ARCHITECTURE=arm64 uds run -f tasks/create.yaml standard-package --no-progress --set FLAVOR=${{ matrix.flavor }} - # ZARF_ARCHITECTURE=arm64 uds run -f tasks/create.yaml k3d-standard-bundle --no-progress - # ZARF_ARCHITECTURE=arm64 uds run -f tasks/create.yaml slim-dev-package --no-progress --set FLAVOR=${{ matrix.flavor }} - # ZARF_ARCHITECTURE=arm64 uds run -f tasks/create.yaml k3d-slim-dev-bundle --no-progress - # fi + if [ "${{ matrix.flavor }}" != "registry1" ]; then + ZARF_ARCHITECTURE=arm64 uds run -f tasks/create.yaml standard-package --no-progress --set FLAVOR=${{ matrix.flavor }} + ZARF_ARCHITECTURE=arm64 uds run -f tasks/create.yaml k3d-standard-bundle --no-progress + ZARF_ARCHITECTURE=arm64 uds run -f tasks/create.yaml slim-dev-package --no-progress --set FLAVOR=${{ matrix.flavor }} + 
ZARF_ARCHITECTURE=arm64 uds run -f tasks/create.yaml k3d-slim-dev-bundle --no-progress + fi - # # Standard Package by default tests full core - # - name: Test amd64 Bundle - # if: ${{ !inputs.snapshot }} - # run: | - # uds run deploy-standard-bundle --no-progress - # uds run -f tasks/test.yaml validate-packages --no-progress + # Standard Package by default tests full core + - name: Test amd64 Bundle + if: ${{ !inputs.snapshot }} + run: | + uds run deploy-standard-bundle --no-progress + uds run -f tasks/test.yaml validate-packages --no-progress - # - name: Debug Output - # if: ${{ always() && !inputs.snapshot }} - # uses: ./.github/actions/debug-output + - name: Debug Output + if: ${{ always() && !inputs.snapshot }} + uses: ./.github/actions/debug-output # Publish package and bundle to destination repository - name: Publish Standard Package diff --git a/.github/workflows/pull-request-conditionals.yaml b/.github/workflows/pull-request-conditionals.yaml index efa55efa9..cc0a879d4 100644 --- a/.github/workflows/pull-request-conditionals.yaml +++ b/.github/workflows/pull-request-conditionals.yaml 
@@ -5,12 +5,27 @@ on: pull_request: # milestoned is added here as a workaround for release-please not triggering PR workflows (PRs should be added to a milestone to trigger the workflow). types: [milestoned, opened, reopened, synchronize] + paths-ignore: + - "**.md" + - "**.jpg" + - "**.png" + - "**.gif" + - "**.svg" + - docs/** + - .vscode/** + - .gitignore + - renovate.json + - .release-please-config.json + - release-please-config.json + - CODEOWNERS + - LICENSE # Permissions for the GITHUB_TOKEN used by the workflow. permissions: id-token: write # Needed for OIDC-related operations. contents: read # Allows reading the content of the repository. - pull-requests: read # Allows reading pull request metadata. + pull-requests: write # Allows writing pull request metadata. + packages: read # Allows reading the published GHCR packages # Default settings for all run commands in the workflow jobs. defaults: @@ -26,19 +41,10 @@ jobs: lint-check: runs-on: ubuntu-latest steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 - - name: Use Node.js latest - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2 - with: - node-version: 20 - - name: Set up Homebrew - uses: Homebrew/actions/setup-homebrew@master - - name: Install UDS CLI - shell: bash - # renovate: datasource=github-tags depName=defenseunicorns/uds-cli versioning=semver - run: brew install defenseunicorns/tap/uds@0.12.0 - - name: Run Formatting Checks - run: uds run lint-check --no-progress + - name: Checkout repository + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - name: lint-check + uses: ./.github/actions/lint-check # This job checks if there are changes in specific paths source packages. check-paths: 
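Review bot: The new `paths-ignore` list duplicates the `paths` list in docs-shim.yaml entry for entry, and the two must remain mirror images for the shim to cover exactly the PRs this workflow skips, yet nothing on the page ties them together. Add `# Keep in sync with the paths list in .github/workflows/docs-shim.yaml` above `paths-ignore:`. The `pull-requests: write` comment could also note that on pull requests from forks the token stays read-only regardless of this grant, so the downstream compliance comment steps will not have write access there — hedging, as that depends on repository settings.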
@@ -58,6 +64,7 @@ jobs: uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3 with: filters: .github/filters.yaml + predicate-quantifier: every # This job triggers a separate workflow for each changed source package, if any. run-package-test: @@ -85,3 +92,15 @@ jobs: flavor: ${{ matrix.flavor }} test_type: ${{ matrix.test_type }} secrets: inherit # Inherits all secrets from the parent workflow. + + evaluate-package-compliance: + needs: run-package-test + name: Compliance Evaluation + strategy: + matrix: + flavor: [upstream, registry1, unicorn] + fail-fast: false + uses: ./.github/workflows/compliance.yaml + with: + flavor: ${{ matrix.flavor }} + secrets: inherit # Inherits all secrets from the parent workflow. diff --git a/.github/workflows/slim-dev-test.yaml b/.github/workflows/slim-dev-test.yaml index 691d30fe9..89c72e8c6 100644 --- a/.github/workflows/slim-dev-test.yaml +++ b/.github/workflows/slim-dev-test.yaml @@ -6,13 +6,18 @@ on: # milestoned is added here as a workaround for release-please not triggering PR workflows (PRs should be added to a milestone to trigger the workflow). types: [milestoned, opened, reopened, synchronize] paths: - - src/pepr/* - - src/keycloak/* - - src/istio/* - - src/prometheus-stack/* - - packages/slim-dev/* - - bundles/core-slim-dev/* - - .github/workflows/slim-dev* + - src/pepr/** + - src/keycloak/** + - src/istio/** + - src/prometheus-stack/** + - packages/slim-dev/** + - bundles/k3d-slim-dev/** + - .github/workflows/slim-dev** + - "!**/*.md" + - "!**.jpg" + - "!**.png" + - "!**.gif" + - "!**.svg" # Permissions for the GITHUB_TOKEN used by the workflow. permissions: diff --git a/.github/workflows/test-eks.yaml b/.github/workflows/test-eks.yaml index 05b00d1e3..acaded852 100644 --- a/.github/workflows/test-eks.yaml +++ b/.github/workflows/test-eks.yaml 
@@ -1,7 +1,12 @@ name: Test Core On EKS on: + # triggered by nightly-testing.yaml workflow_call: + inputs: + flavor: + required: true + type: string permissions: id-token: write @@ -20,10 +25,10 @@ jobs: steps: - name: Set ENV run: | - echo "UDS_CLUSTER_NAME=uds-core-aws-${SHA:0:7}" >> $GITHUB_ENV - echo "UDS_STATE_KEY="tfstate/ci/install/${SHA:0:7}-core-aws.tfstate >> $GITHUB_ENV + echo "UDS_CLUSTER_NAME=uds-ci-${{ inputs.flavor }}-${SHA:0:7}" >> $GITHUB_ENV + echo "UDS_STATE_KEY="tfstate/ci/install/${SHA:0:7}-core-${{ inputs.flavor }}-aws.tfstate >> $GITHUB_ENV echo "TF_VAR_region=${UDS_REGION}" >> $GITHUB_ENV - echo "TF_VAR_name=uds-core-aws-${SHA:0:7}" >> $GITHUB_ENV + echo "TF_VAR_name=uds-ci-${{ inputs.flavor }}-${SHA:0:7}" >> $GITHUB_ENV echo "TF_VAR_use_permissions_boundary=true" >> $GITHUB_ENV echo "TF_VAR_permissions_boundary_name=${UDS_PERMISSIONS_BOUNDARY_NAME}" >> $GITHUB_ENV 
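Review bot: In the `Set ENV` step the rewritten line `echo "UDS_STATE_KEY="tfstate/ci/install/${SHA:0:7}-core-${{ inputs.flavor }}-aws.tfstate >> $GITHUB_ENV` keeps the stray quoting from the old line: the double quotes close right after `=`, so the value is written unquoted and only works because it contains no spaces, and `$GITHUB_ENV` is unquoted as well. Since the line is being changed anyway, `echo "UDS_STATE_KEY=tfstate/ci/install/${SHA:0:7}-core-${{ inputs.flavor }}-aws.tfstate" >> "$GITHUB_ENV"` makes it consistent with the other `echo` lines in the step.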
@@ -37,19 +42,26 @@ jobs: role-session-name: ${{ github.job || github.event.client_payload.pull_request.head.sha || github.sha }} aws-region: ${{ env.UDS_REGION }} role-duration-seconds: 21600 + - name: Environment setup uses: ./.github/actions/setup + with: + registry1Username: ${{ secrets.IRON_BANK_ROBOT_USERNAME }} + registry1Password: ${{ secrets.IRON_BANK_ROBOT_PASSWORD }} + ghToken: ${{ secrets.GITHUB_TOKEN }} + chainguardIdentity: ${{ secrets.CHAINGUARD_IDENTITY }} - name: Install eksctl run: uds run -f tasks/iac.yaml install-eksctl --no-progress - - name: Setup Terraform - uses: hashicorp/setup-terraform@651471c36a6092792c552e8b1bef71e592b462d8 # v3 + - name: Setup Tofu + uses: opentofu/setup-opentofu@12f4debbf681675350b6cd1f0ff8ecfbda62027b # v1.0.4 with: - terraform_version: "1.5.7" + tofu_version: 1.8.1 + tofu_wrapper: false - name: Create UDS Core Package - run: ZARF_ARCHITECTURE=amd64 uds run -f tasks/create.yaml standard-package --no-progress + run: ZARF_ARCHITECTURE=amd64 uds run -f tasks/create.yaml standard-package --no-progress --set FLAVOR=${{ inputs.flavor }} - name: Create Core Bundle run: uds create .github/bundles --confirm diff --git a/.github/workflows/test-shim.yaml b/.github/workflows/test-shim.yaml new file mode 100644 index 000000000..2b443233d --- /dev/null +++ b/.github/workflows/test-shim.yaml 
@@ -0,0 +1,42 @@ +name: Test Shim + +on: + # Manual trigger + workflow_dispatch: + inputs: + package: + type: string + description: "The name of the source package to test" + required: true + flavor: + type: string + description: "Flavor of the source package to test" + required: true + test_type: + type: string + description: "The type of test to perform" + required: true + # Triggered by pull-request-conditionals.yaml + workflow_call: + inputs: + package: + type: string + description: "The name of the source package to test" + required: true + flavor: + type: string + description: "Flavor of the source package to test" + required: true + test_type: + type: string + description: "The type of test to perform" + required: true + +jobs: + test: + runs-on: 'ubuntu-latest' + name: Test + steps: + - name: Skipped + run: | + echo skipped diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index 5cf31d631..fca5ce590 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml @@ -35,6 +35,7 @@ on: permissions: contents: read id-token: write # This is needed for OIDC federation. + packages: read # Allows reading the published GHCR packages jobs: test: @@ -64,6 +65,17 @@ jobs: if: ${{ inputs.package == 'all' && inputs.test_type == 'install' }} run: uds run test-uds-core --set FLAVOR=${{ inputs.flavor }} --no-progress + - name: Validate UDS Core Compliance + if: ${{ inputs.package == 'all' && inputs.test_type == 'install' }} + run: uds run test-compliance-validate --no-progress + + - name: Upload Assessment + if: ${{ inputs.package == 'all' && inputs.test_type == 'install' }} + uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 + with: + name: ${{ inputs.flavor }}-assessment-results + path: ./compliance/oscal-assessment-results.yaml + - name: Test UDS Core Upgrade if: ${{ inputs.package == 'all' && inputs.test_type == 'upgrade' }} run: uds run test-uds-core-upgrade --set FLAVOR=${{ inputs.flavor }} --no-progress 
diff --git a/.husky/pre-commit b/.husky/pre-commit new file mode 100755 index 000000000..031993ec4 --- /dev/null +++ b/.husky/pre-commit @@ -0,0 +1,12 @@ +#!/usr/bin/env sh +. "$(dirname -- "$0")/_/husky.sh" + +OUTPUT=$(npx lint-staged > /dev/null && echo $? || echo $?) + +if [ $OUTPUT -eq 0 ]; then + echo "\n\n✅ Lint Check Passed. ✅\n\n" + exit 0 +else + echo "\n\n❌ Lint Check failed... Run \`uds run lint-fix\` to resolve issues and re-commit. ❌\n\n" + exit 1 +fi diff --git a/.lintstagedrc.json b/.lintstagedrc.json new file mode 100644 index 000000000..abbc42c11 --- /dev/null +++ b/.lintstagedrc.json @@ -0,0 +1,11 @@ +{ + "*": [ + "codespell" + ], + "*.yaml": [ + "yamllint -c .yamllint --no-warnings" + ], + "*.ts": [ + "npx pepr format --validate-only" + ] +} diff --git a/.release-please-manifest.json b/.release-please-manifest.json index 819990afc..8e685c3ae 100644 --- a/.release-please-manifest.json +++ b/.release-please-manifest.json @@ -1,3 +1,3 @@ { - ".": "0.23.0" + ".": "0.27.3" } diff --git a/.vscode/settings.json b/.vscode/settings.json index 81f75a82c..2c44843d0 100644 --- a/.vscode/settings.json +++ b/.vscode/settings.json 
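Review bot: `OUTPUT=$(npx lint-staged > /dev/null && echo $? || echo $?)` in .husky/pre-commit is an indirect way to capture an exit status; the `&& echo $?` branch always prints `0`, so the construct collapses to testing the command directly with `if npx lint-staged > /dev/null; then`. The script also runs under `#!/usr/bin/env sh` and relies on `echo` interpreting `\n`, which differs between shells (dash does, bash by default does not); `printf '\n\n✅ Lint Check Passed. ✅\n\n'` and the matching `printf` for the failure message behave the same everywhere.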
@@ -9,18 +9,18 @@ }, "yaml.schemas": { // renovate: datasource=github-tags depName=defenseunicorns/uds-cli versioning=semver - "https://raw.githubusercontent.com/defenseunicorns/uds-cli/v0.12.0/uds.schema.json": [ + "https://raw.githubusercontent.com/defenseunicorns/uds-cli/v0.15.0/uds.schema.json": [ "uds-bundle.yaml" ], // renovate: datasource=github-tags depName=defenseunicorns/uds-cli versioning=semver - "https://raw.githubusercontent.com/defenseunicorns/uds-cli/v0.12.0/tasks.schema.json": [ + "https://raw.githubusercontent.com/defenseunicorns/uds-cli/v0.15.0/tasks.schema.json": [ "tasks.yaml", "tasks/**/*.yaml", "src/**/validate.yaml" ], // renovate: datasource=github-tags depName=defenseunicorns/uds-cli versioning=semver - "https://raw.githubusercontent.com/defenseunicorns/uds-cli/v0.12.0/zarf.schema.json": [ + "https://raw.githubusercontent.com/defenseunicorns/uds-cli/v0.15.0/zarf.schema.json": [ "zarf.yaml" ] }, diff --git a/.yamllint b/.yamllint index b3782d109..e9a3eff30 100644 --- a/.yamllint +++ b/.yamllint @@ -9,6 +9,9 @@ ignore: - '**/chart/templates**' - 'node_modules/**' - 'dist/**' + - 'src/pepr/uds-operator-config/templates**' + - '.codespellrc' + - '.lintstagedrc.json' rules: anchors: enable diff --git a/CHANGELOG.md b/CHANGELOG.md index 9ce77261c..28e7d1a25 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -2,652 +2,246 @@ All notable changes to this project will be documented in this file. -## [0.23.0](https://github.com/BagelLab/uds-core/compare/v0.23.0...v0.23.0) (2024-07-17) +## [0.27.3](https://github.com/defenseunicorns/uds-core/compare/v0.27.2...v0.27.3) (2024-09-19) + + +### Miscellaneous + +* add uds-runtime as an optional component in core ([#788](https://github.com/defenseunicorns/uds-core/issues/788)) ([a2dfede](https://github.com/defenseunicorns/uds-core/commit/a2dfede9eedb5a99265676437e40eab9eead5208)) + +## [0.27.2](https://github.com/defenseunicorns/uds-core/compare/v0.27.1...v0.27.2) (2024-09-18) + + +### Bug Fixes + +* use boltdb-shipper store by default for loki ([#779](https://github.com/defenseunicorns/uds-core/issues/779)) ([e438e12](https://github.com/defenseunicorns/uds-core/commit/e438e12bef407587c67e2abf41ad26e3310cefd5)) + +## [0.27.1](https://github.com/defenseunicorns/uds-core/compare/v0.27.0...v0.27.1) (2024-09-18) + + +### Bug Fixes + +* validate packages using full resource name ([#775](https://github.com/defenseunicorns/uds-core/issues/775)) ([678ed44](https://github.com/defenseunicorns/uds-core/commit/678ed4495fb3175ca722adb615fb19dfdec2f01d)) + + +### Miscellaneous + +* allow service ports to be overridden in test bundles ([#765](https://github.com/defenseunicorns/uds-core/issues/765)) ([5f9a920](https://github.com/defenseunicorns/uds-core/commit/5f9a92056258a64ef8f439e1ba73301fba2c407c)) +* **deps:** update authservice to v1.0.2 ([#738](https://github.com/defenseunicorns/uds-core/issues/738)) ([3328b08](https://github.com/defenseunicorns/uds-core/commit/3328b08177723aa395bee7d9e3d27c28a1ab9121)) +* **deps:** update githubactions ([#762](https://github.com/defenseunicorns/uds-core/issues/762)) ([c7bab2a](https://github.com/defenseunicorns/uds-core/commit/c7bab2a0609bc821489dd048f20e8c5032b8fa32)) +* **deps:** update grafana curl image to v8.10.1 ([#773](https://github.com/defenseunicorns/uds-core/issues/773)) 
([0d56ef2](https://github.com/defenseunicorns/uds-core/commit/0d56ef22a3ccf7725d4fd13e16aab97b9e6fdf2f)) +* **deps:** update istio to v1.23.1 ([#744](https://github.com/defenseunicorns/uds-core/issues/744)) ([f222ea3](https://github.com/defenseunicorns/uds-core/commit/f222ea39e64e612ab082271ef8ac2d129a1014ad)) +* **deps:** update neuvector chart to 2.7.9 ([#750](https://github.com/defenseunicorns/uds-core/issues/750)) ([a97b509](https://github.com/defenseunicorns/uds-core/commit/a97b50937fa790d8e894862c3d6969443701692e)) +* **deps:** update neuvector updater image to v8.10.1 ([#774](https://github.com/defenseunicorns/uds-core/issues/774)) ([2afddfc](https://github.com/defenseunicorns/uds-core/commit/2afddfc6363c5a4663071083550af9695aa7ed5f)) +* **deps:** update pepr to 0.36.0 ([#696](https://github.com/defenseunicorns/uds-core/issues/696)) ([2a1591e](https://github.com/defenseunicorns/uds-core/commit/2a1591e36ca681a976eb2c773090b538f8088563)) +* **deps:** update prometheus-stack ([#743](https://github.com/defenseunicorns/uds-core/issues/743)) ([61f7a60](https://github.com/defenseunicorns/uds-core/commit/61f7a608856458062970baee62f415cd4e953f5a)) +* **deps:** update test-infra random provider to v3.6.3 ([#753](https://github.com/defenseunicorns/uds-core/issues/753)) ([009326d](https://github.com/defenseunicorns/uds-core/commit/009326da3af36b6218736844465e5698e3d33819)) +* **deps:** update uds-identity-config version to 0.6.3 ([#772](https://github.com/defenseunicorns/uds-core/issues/772)) ([a2ad936](https://github.com/defenseunicorns/uds-core/commit/a2ad936d509b04dd2f3e3d591839bff7715eae21)) +* **deps:** update uds-k3d to v0.9.0 (1.30.4 k3s), k3d to 5.7.4 ([#770](https://github.com/defenseunicorns/uds-core/issues/770)) ([20656e6](https://github.com/defenseunicorns/uds-core/commit/20656e65856d573dee41fdd79a9fe3d962d0eac0)) +* **deps:** update velero kubectl image to v1.31.1 ([#763](https://github.com/defenseunicorns/uds-core/issues/763)) 
([56b3a21](https://github.com/defenseunicorns/uds-core/commit/56b3a21728da1838476bb35e6402a86dbe127244)) +* **deps:** update velero kubectl to v1.31.1 ([#757](https://github.com/defenseunicorns/uds-core/issues/757)) ([c15d77e](https://github.com/defenseunicorns/uds-core/commit/c15d77e94d4a0e9c85f4b1017875a71ce0b5fa24)) +* remove unused neuvector exporter ([#768](https://github.com/defenseunicorns/uds-core/issues/768)) ([bd4f5cf](https://github.com/defenseunicorns/uds-core/commit/bd4f5cff79cb95d59c82a4a185f5d52573838fed)) +* task for custom pepr ([#766](https://github.com/defenseunicorns/uds-core/issues/766)) ([e624d73](https://github.com/defenseunicorns/uds-core/commit/e624d73f79bd6739b6808fbdbf5ca75ebb7c1d3c)) + +## [0.27.0](https://github.com/defenseunicorns/uds-core/compare/v0.26.1...v0.27.0) (2024-09-11) + + +### Features + +* add support for Keycloak attribute `saml.assertion.signature` ([#723](https://github.com/defenseunicorns/uds-core/issues/723)) ([0e1a3da](https://github.com/defenseunicorns/uds-core/commit/0e1a3da76c68318ffdd5e9b188a2a2970bf098f9)) +* investigate and restrict network policies ([#719](https://github.com/defenseunicorns/uds-core/issues/719)) ([b6ebc49](https://github.com/defenseunicorns/uds-core/commit/b6ebc4945f6eef132b3ae33fec106b4cb275574a)) +* protocol mappers ([#621](https://github.com/defenseunicorns/uds-core/issues/621)) ([d71cb44](https://github.com/defenseunicorns/uds-core/commit/d71cb447a00f95a5198f21e50cc627516dac32ae)) + + +### Bug Fixes + +* correct keycloak chart schema for additionalGateways ([#745](https://github.com/defenseunicorns/uds-core/issues/745)) ([1fd8ef3](https://github.com/defenseunicorns/uds-core/commit/1fd8ef31d5ee33455d5cbefa027cbdf6dd7dcdd7)) +* default `ctx.allowPrivilegeEscalation` to `false` if `undefined` ([#698](https://github.com/defenseunicorns/uds-core/issues/698)) ([7ecd130](https://github.com/defenseunicorns/uds-core/commit/7ecd130a84a5197842cfe96d4eec9791f07aced5)) +* pre-commit linting 
([#703](https://github.com/defenseunicorns/uds-core/issues/703)) ([c3a2f62](https://github.com/defenseunicorns/uds-core/commit/c3a2f62f1d56381717562f76558b54bd63812706)) +* switch secret `data` to `stringData` ([#710](https://github.com/defenseunicorns/uds-core/issues/710)) ([9323d4e](https://github.com/defenseunicorns/uds-core/commit/9323d4e4eb82577d86718dbdca645a34fe765ccb)) +* update ci workflows for docs shim ([#700](https://github.com/defenseunicorns/uds-core/issues/700)) ([5d89254](https://github.com/defenseunicorns/uds-core/commit/5d89254038cccda7c96203cc7ee0ec6f32b76af6)) + + +### Miscellaneous + +* adding uds core prerequisites documentation ([#636](https://github.com/defenseunicorns/uds-core/issues/636)) ([6225766](https://github.com/defenseunicorns/uds-core/commit/622576624307e6713703ebb025ecb624e812e812)) +* **deps:** update dependency weaveworks/eksctl to v0.190.0 ([#721](https://github.com/defenseunicorns/uds-core/issues/721)) ([16d208a](https://github.com/defenseunicorns/uds-core/commit/16d208aeb9f4164f1daff1496e4e923050cb1d8a)) +* **deps:** update githubactions ([#642](https://github.com/defenseunicorns/uds-core/issues/642)) ([0705ba6](https://github.com/defenseunicorns/uds-core/commit/0705ba64ba27aab4d67fa56a6a816ce83636a5ba)) +* **deps:** update grafana curl image to v8.10.0 ([#751](https://github.com/defenseunicorns/uds-core/issues/751)) ([0cdb020](https://github.com/defenseunicorns/uds-core/commit/0cdb0207d2295bd1680c384625945e4077de7662)) +* **deps:** update grafana sidecar image to v1.27.6 ([#732](https://github.com/defenseunicorns/uds-core/issues/732)) ([ad4808b](https://github.com/defenseunicorns/uds-core/commit/ad4808b167c59f41d834b1ce97606834dc6b77a7)) +* **deps:** update grafana to 11.2.0 ([#670](https://github.com/defenseunicorns/uds-core/issues/670)) ([84e099a](https://github.com/defenseunicorns/uds-core/commit/84e099a172aa1612c1778d9943b966bf653659a6)) +* **deps:** update istio to v1.23.0 
([#672](https://github.com/defenseunicorns/uds-core/issues/672)) ([3266a3a](https://github.com/defenseunicorns/uds-core/commit/3266a3a2190e4ddc964ba919495fa5c3cb162792)) +* **deps:** update keycloak chart version to v25 ([#470](https://github.com/defenseunicorns/uds-core/issues/470)) ([3e805e7](https://github.com/defenseunicorns/uds-core/commit/3e805e729e2f6dd3b37c4697b496d0c091a9efe6)) +* **deps:** update keycloak to 25.0.5 (https://github.com/defenseunicorns/uds-core/pull/742) ([45c540a](https://github.com/defenseunicorns/uds-core/commit/45c540ab1247639ef429e0c6bd338a3ecde9a01c)) +* **deps:** update loki memcached images to v1.6.31 ([#752](https://github.com/defenseunicorns/uds-core/issues/752)) ([f94daf1](https://github.com/defenseunicorns/uds-core/commit/f94daf1e2ce7c9763a5367e028533a5cd46b9a17)) +* **deps:** update metrics-server to v0.7.2 ([#708](https://github.com/defenseunicorns/uds-core/issues/708)) ([53f1bfd](https://github.com/defenseunicorns/uds-core/commit/53f1bfd888d96e9998875c1f9853451e819fc3a2)) +* **deps:** update prometheus-stack ([#437](https://github.com/defenseunicorns/uds-core/issues/437)) ([526aab1](https://github.com/defenseunicorns/uds-core/commit/526aab119239e4b182f83a1cc739d7c8b0d26e48)) +* **deps:** update prometheus-stack chart to v62.6.0 ([#740](https://github.com/defenseunicorns/uds-core/issues/740)) ([424570d](https://github.com/defenseunicorns/uds-core/commit/424570dbe9b33e1e6c013fb520d5355102da2e51)) +* **deps:** update promtail helm chart to v6.16.5 ([#706](https://github.com/defenseunicorns/uds-core/issues/706)) ([4689d54](https://github.com/defenseunicorns/uds-core/commit/4689d54033d5bc8a023c511364793b8a2db69f12)) +* **deps:** update uds cli to v0.14.2 ([#697](https://github.com/defenseunicorns/uds-core/issues/697)) ([f92bf53](https://github.com/defenseunicorns/uds-core/commit/f92bf5361d90819d96b4aaf53c3a2ed6d78ebe1d)) +* **deps:** update uds to v0.15.0 ([#733](https://github.com/defenseunicorns/uds-core/issues/733)) 
([57e0e64](https://github.com/defenseunicorns/uds-core/commit/57e0e643df18c1b76ec7f8bdb36e4f29becd95af)) +* **deps:** update velero ([#695](https://github.com/defenseunicorns/uds-core/issues/695)) ([c188393](https://github.com/defenseunicorns/uds-core/commit/c1883932511113609319db9a943d6e25f005343c)) +* **deps:** update velero chart to 7.2.1, kubectl image for unicorn flavor ([#725](https://github.com/defenseunicorns/uds-core/issues/725)) ([a98bac4](https://github.com/defenseunicorns/uds-core/commit/a98bac47e969188854a759013081e101e873a146)) +* **deps:** update velero helm chart to v7.2.0 ([#720](https://github.com/defenseunicorns/uds-core/issues/720)) ([6309882](https://github.com/defenseunicorns/uds-core/commit/6309882b95fe071c4d83acc979b75d6529dcdb77)) +* **deps:** update zarf to v0.39.0 ([#731](https://github.com/defenseunicorns/uds-core/issues/731)) ([7268680](https://github.com/defenseunicorns/uds-core/commit/7268680d740e4a2f70a450a36344167c4a3b57f2)) +* update configure policy exemptions doc link ([#739](https://github.com/defenseunicorns/uds-core/issues/739)) ([6ad1256](https://github.com/defenseunicorns/uds-core/commit/6ad1256659b912e46677327ab1bd75a1b02ecf99)) +* update loki to 3.1.1 ([#449](https://github.com/defenseunicorns/uds-core/issues/449)) ([e61da27](https://github.com/defenseunicorns/uds-core/commit/e61da27cfb028d020683a06b63f4c4fc210d5551)) +* update renovate config/values to match all neuvector images ([#755](https://github.com/defenseunicorns/uds-core/issues/755)) ([72a97ba](https://github.com/defenseunicorns/uds-core/commit/72a97ba0db579298ced7fdc4bcf5315e8996d58a)) +* update resources for prometheus, document resource overrides ([#713](https://github.com/defenseunicorns/uds-core/issues/713)) ([e80c1a4](https://github.com/defenseunicorns/uds-core/commit/e80c1a4740e72db583f9999c37360c88f9f21e3b)) +* update to keycloak 25 ([#707](https://github.com/defenseunicorns/uds-core/issues/707)) 
([0551aa5](https://github.com/defenseunicorns/uds-core/commit/0551aa52e437daf8c774842e513b7f38ff19ea1a)) + +## [0.26.1](https://github.com/defenseunicorns/uds-core/compare/v0.26.0...v0.26.1) (2024-08-23) + + +### Bug Fixes + +* add additional supported saml attributes ([#690](https://github.com/defenseunicorns/uds-core/issues/690)) ([a7435bf](https://github.com/defenseunicorns/uds-core/commit/a7435bf9073263cd4a7155d7d385735ffb0e5cae)) + + +### Miscellaneous + +* **deps:** update dependency defenseunicorns/uds-common to v0.12.0 ([#692](https://github.com/defenseunicorns/uds-core/issues/692)) ([a5423a3](https://github.com/defenseunicorns/uds-core/commit/a5423a3fd537925f7a1c87ad04d9da352afe765a)) +* **deps:** update test-infra to v0.0.6 ([#686](https://github.com/defenseunicorns/uds-core/issues/686)) ([8341e6e](https://github.com/defenseunicorns/uds-core/commit/8341e6ed5ec00e52278995570b877d6a497c7f1b)) +* **deps:** update uds-common to v0.12.0 ([#693](https://github.com/defenseunicorns/uds-core/issues/693)) ([957f388](https://github.com/defenseunicorns/uds-core/commit/957f38898781196ffe257f2b64c0f845dddb738a)) +* **deps:** update zarf to v0.38.3 ([#694](https://github.com/defenseunicorns/uds-core/issues/694)) ([c53126f](https://github.com/defenseunicorns/uds-core/commit/c53126f2401604ab26d58a1cc567cb37f7addadf)) + +## [0.26.0](https://github.com/defenseunicorns/uds-core/compare/v0.25.2...v0.26.0) (2024-08-21) ### ⚠ BREAKING CHANGES -* remove emulated gitlab endpoints from keycloak ([#483](https://github.com/BagelLab/uds-core/issues/483)) +* client attribute allow list ([#676](https://github.com/defenseunicorns/uds-core/issues/676)) ### Features -* add `expose` service entry for internal cluster traffic ([#356](https://github.com/BagelLab/uds-core/issues/356)) ([1bde4cc](https://github.com/BagelLab/uds-core/commit/1bde4ccf302864b0c38d093742ca683b96cebe89)) -* add `monitor` to operator, fix monitoring setup ([#256](https://github.com/BagelLab/uds-core/issues/256)) 
([bf67722](https://github.com/BagelLab/uds-core/commit/bf67722d4e7e02d44dd29c4436e9a8d2ef960fa5)) -* add authservice to uds-core ([#153](https://github.com/BagelLab/uds-core/issues/153)) ([b0b33b9](https://github.com/BagelLab/uds-core/commit/b0b33b98ae12fe233c922bba55c9328212c2e578)) -* Add istio and preliminary ci ([#3](https://github.com/BagelLab/uds-core/issues/3)) ([fbd7453](https://github.com/BagelLab/uds-core/commit/fbd745392340dbc978b27f0d321f3375882c1c40)) -* add Istio VirtualService Requestmatch to UDS Operator ([#129](https://github.com/BagelLab/uds-core/issues/129)) ([a207197](https://github.com/BagelLab/uds-core/commit/a20719726991d3b981a372b705b776948f6fbc30)) -* add keycloak ([#147](https://github.com/BagelLab/uds-core/issues/147)) ([f99d3d5](https://github.com/BagelLab/uds-core/commit/f99d3d5d4f89264a21dd76d8847e1cef0325d127)) -* add keycloak sso realm values ([#352](https://github.com/BagelLab/uds-core/issues/352)) ([74436ea](https://github.com/BagelLab/uds-core/commit/74436ea78684a74044efdee14564a6582e659998)) -* add metrics-server ([#35](https://github.com/BagelLab/uds-core/issues/35)) ([8216ab9](https://github.com/BagelLab/uds-core/commit/8216ab982be79dc393a2e0db359370b32e660150)) -* add monitoring and logging ([#33](https://github.com/BagelLab/uds-core/issues/33)) ([c6d9aec](https://github.com/BagelLab/uds-core/commit/c6d9aece4984421e1ccbf476cd0d40fb701e4e50)) -* add nightly testing eks ([#250](https://github.com/BagelLab/uds-core/issues/250)) ([543b09d](https://github.com/BagelLab/uds-core/commit/543b09d103a43c474da6a8c950404cc1f373b03f)) -* add pepr capability for istio + jobs ([#12](https://github.com/BagelLab/uds-core/issues/12)) ([c32a703](https://github.com/BagelLab/uds-core/commit/c32a70390f443c90796978ad4c42bbb4b17eb226)) -* add policy exemptions ([#165](https://github.com/BagelLab/uds-core/issues/165)) ([196df88](https://github.com/BagelLab/uds-core/commit/196df88b01347e530eb1cb49df7440d62c986e0e)) -* add prometheus-stack (monitoring) 
capability ([#2](https://github.com/BagelLab/uds-core/issues/2)) ([e438ab6](https://github.com/BagelLab/uds-core/commit/e438ab6089bc9d8c6640fa002285d38ddc3022df)) -* add reconciliation retries for CRs ([#423](https://github.com/BagelLab/uds-core/issues/423)) ([424b57b](https://github.com/BagelLab/uds-core/commit/424b57ba91906e1c60e6e92927e37b34d657ad01)) -* add saml and attribute/mapper support for keycloak in uds pepr operator ([#328](https://github.com/BagelLab/uds-core/issues/328)) ([c53d4ee](https://github.com/BagelLab/uds-core/commit/c53d4ee1227d71b60a35419f7c8c9396d71b9508)) -* add UDS Operator and consolidate UDS Policies ([#66](https://github.com/BagelLab/uds-core/issues/66)) ([395c1c4](https://github.com/BagelLab/uds-core/commit/395c1c4aec324d0d939cc410a6bb92129b26653b)) -* add velero package ([#210](https://github.com/BagelLab/uds-core/issues/210)) ([a272945](https://github.com/BagelLab/uds-core/commit/a27294585f0d50732b63672d0c2baf14948e29d1)) -* add Zarf Flavors to support Iron Bank & upstream images ([#63](https://github.com/BagelLab/uds-core/issues/63)) ([232c256](https://github.com/BagelLab/uds-core/commit/232c2566b96be0285c24b8b5787350897e72332f)) -* added initial oscal files ([#145](https://github.com/BagelLab/uds-core/issues/145)) ([9600d5f](https://github.com/BagelLab/uds-core/commit/9600d5f159e4a04e8f71313f8ed118b87efbb9a1)) -* embed tls certs in istio package ([#32](https://github.com/BagelLab/uds-core/issues/32)) ([fb04fee](https://github.com/BagelLab/uds-core/commit/fb04feec9657f449366389a0e0a474a8cdeecb2c)) -* enable sso for neuvector ([#351](https://github.com/BagelLab/uds-core/issues/351)) ([597353e](https://github.com/BagelLab/uds-core/commit/597353e294e3dc5c06a8d572414e188f9845af8e)) -* expose tls certs as UDS bundle variables ([#48](https://github.com/BagelLab/uds-core/issues/48)) ([c1f8286](https://github.com/BagelLab/uds-core/commit/c1f828650ef2c53a3fd9ed477950046020c5d375)) -* introduce advancedHTTP for expose field & change 
podLabels to selector ([#154](https://github.com/BagelLab/uds-core/issues/154)) ([1079267](https://github.com/BagelLab/uds-core/commit/107926791149989a782254b8798b7c57a35cfcaf)) -* introduce Pepr common policies ([#50](https://github.com/BagelLab/uds-core/issues/50)) ([54182b4](https://github.com/BagelLab/uds-core/commit/54182b4db691d86ce80379be272d924d105b0d07)) -* introduce sso secret templating ([#276](https://github.com/BagelLab/uds-core/issues/276)) ([e0832ec](https://github.com/BagelLab/uds-core/commit/e0832ec2ee825dc1725483350e3b9295937b8feb)) -* keycloak PVC customization ([#341](https://github.com/BagelLab/uds-core/issues/341)) ([f8eae2a](https://github.com/BagelLab/uds-core/commit/f8eae2a20e02faac6e2c441845a82febeaab3b89)) -* **operator:** add events and improve lifecycle ops ([#245](https://github.com/BagelLab/uds-core/issues/245)) ([502c044](https://github.com/BagelLab/uds-core/commit/502c044547048a380b1f73dead0b8ab1b14a4b4f)) -* release-please integration ([#25](https://github.com/BagelLab/uds-core/issues/25)) ([bf3c53b](https://github.com/BagelLab/uds-core/commit/bf3c53b2ddac4e02e31aa3429029dd9f1c9595e3)) -* switch loki to simple scalable ([#156](https://github.com/BagelLab/uds-core/issues/156)) ([1661b15](https://github.com/BagelLab/uds-core/commit/1661b154657eba1b30fc5bcec64179cbf6037c03)) -* uds common renovate config ([#391](https://github.com/BagelLab/uds-core/issues/391)) ([035786c](https://github.com/BagelLab/uds-core/commit/035786cadcd9c1fbaf7e0a798f9c13104a1a9a14)) -* uds core docs ([#414](https://github.com/BagelLab/uds-core/issues/414)) ([a35ca7b](https://github.com/BagelLab/uds-core/commit/a35ca7b484ab59572d8205a625db5447a8771e44)) -* update security policy to use provided user, group, and fsgroup ([#82](https://github.com/BagelLab/uds-core/issues/82)) ([6d641ce](https://github.com/BagelLab/uds-core/commit/6d641ce67210999bacda0e855269dca61e7c6a7b)) +* **azure:** azure blob storage support for velero 
([#644](https://github.com/defenseunicorns/uds-core/issues/644)) ([eff9a82](https://github.com/defenseunicorns/uds-core/commit/eff9a82f3cc70306e045bdebd0166c1e6e4d750d)) +* support authservice with redis, switch to pepr helm chart ([#658](https://github.com/defenseunicorns/uds-core/issues/658)) ([e2fe58a](https://github.com/defenseunicorns/uds-core/commit/e2fe58a7d32e65a7001571b0eacf285a320a46b7)) + + +### Bug Fixes + +* client attribute allow list ([#676](https://github.com/defenseunicorns/uds-core/issues/676)) ([100321e](https://github.com/defenseunicorns/uds-core/commit/100321ed3f0cdf78ded5e61b15123999cdcadd71)) +* handle client id names with special characters ([#659](https://github.com/defenseunicorns/uds-core/issues/659)) ([a84769e](https://github.com/defenseunicorns/uds-core/commit/a84769e8f2f9e51f1e47f528d31902d8c2cee2d7)) +* pull lula main for threshold update ([#638](https://github.com/defenseunicorns/uds-core/issues/638)) ([5a34ce8](https://github.com/defenseunicorns/uds-core/commit/5a34ce823d68c6ed194b2b4bb965bc154cb801e5)) +* release-please config bump minor pre-major ([#680](https://github.com/defenseunicorns/uds-core/issues/680)) ([3f824c1](https://github.com/defenseunicorns/uds-core/commit/3f824c1b049df5a808c41b334bbd316e6b890a72)) + + +### Miscellaneous + +* add watch config to exemption watch ([#682](https://github.com/defenseunicorns/uds-core/issues/682)) ([7714ff8](https://github.com/defenseunicorns/uds-core/commit/7714ff88ef7f96c9805625f6708553a1e5d70a9a)) +* **deps:** update grafana helm chart to v8.4.4 ([#664](https://github.com/defenseunicorns/uds-core/issues/664)) ([77ea6f5](https://github.com/defenseunicorns/uds-core/commit/77ea6f5f7d736abcc2aba78006d16ee3dda430ef)) +* **deps:** update pepr to 0.34.1 ([#654](https://github.com/defenseunicorns/uds-core/issues/654)) ([6d4655d](https://github.com/defenseunicorns/uds-core/commit/6d4655dd44660825ccac965ac3a6cfdf956010d3)) +* **deps:** update promtail to v3.1.1 
([#657](https://github.com/defenseunicorns/uds-core/issues/657)) ([c009e5f](https://github.com/defenseunicorns/uds-core/commit/c009e5f819ca373d59375e32ad88c3f2fea61920)) +* **deps:** update test-infra ([#412](https://github.com/defenseunicorns/uds-core/issues/412)) ([a4c8fe9](https://github.com/defenseunicorns/uds-core/commit/a4c8fe9237914ad26343437fd1adc776f5473d02)) +* **deps:** update test-infra (kms) to v0.0.5 ([#667](https://github.com/defenseunicorns/uds-core/issues/667)) ([bd68637](https://github.com/defenseunicorns/uds-core/commit/bd68637b59981021c917922a613b5375226687f9)) +* **deps:** update test-infra KMS to v0.0.4 ([#663](https://github.com/defenseunicorns/uds-core/issues/663)) ([3c30b9f](https://github.com/defenseunicorns/uds-core/commit/3c30b9ffca129bc8db1477a32aeb0df66958d508)) +* **deps:** update uds to v0.14.1 ([#677](https://github.com/defenseunicorns/uds-core/issues/677)) ([12ec8a1](https://github.com/defenseunicorns/uds-core/commit/12ec8a1fea5304900495f230ae3907a5141473b4)) +* **deps:** update velero kubectl image to v1.31.0 ([#669](https://github.com/defenseunicorns/uds-core/issues/669)) ([d6b2f12](https://github.com/defenseunicorns/uds-core/commit/d6b2f120df75e662b35e0be6ce050b7b4bc4c90a)) +* **deps:** update velero to v7.1.5 ([#671](https://github.com/defenseunicorns/uds-core/issues/671)) ([10ab714](https://github.com/defenseunicorns/uds-core/commit/10ab714502f43769e65b1b8da58ddcf6ec4a41c8)) +* **deps:** update zarf to v0.38.1 ([#616](https://github.com/defenseunicorns/uds-core/issues/616)) ([e0cb85d](https://github.com/defenseunicorns/uds-core/commit/e0cb85d8a28ecbf91080e5cf8d2c3797595a80df)) +* **deps:** update zarf to v0.38.2 ([#668](https://github.com/defenseunicorns/uds-core/issues/668)) ([3328925](https://github.com/defenseunicorns/uds-core/commit/3328925a35ccbe91b23c847c8d78a18a34383aff)) +* generate a schema for keycloak helm chart ([#627](https://github.com/defenseunicorns/uds-core/issues/627)) 
([cf3a9e7](https://github.com/defenseunicorns/uds-core/commit/cf3a9e7eca66779a6c13604dacfe6b979d9806c9)) +* mute pepr on deploy action for migrating to helm chart ([#683](https://github.com/defenseunicorns/uds-core/issues/683)) ([9d05ddd](https://github.com/defenseunicorns/uds-core/commit/9d05ddd5a3e009be7ef202701916d58c9e1ce0d0)) +* **neuvector:** update source for unicorn images ([#675](https://github.com/defenseunicorns/uds-core/issues/675)) ([568efa2](https://github.com/defenseunicorns/uds-core/commit/568efa2df865901e0a36429c053f02c0b4fd7419)) + +## [0.25.2](https://github.com/defenseunicorns/uds-core/compare/v0.25.1...v0.25.2) (2024-08-09) + + +### Bug Fixes + +* add backoff to operator retry mechanism ([#650](https://github.com/defenseunicorns/uds-core/issues/650)) ([52c97fd](https://github.com/defenseunicorns/uds-core/commit/52c97fdc1fd9f6e37dbe2fa4082db43402ba6cc8)) +* network allows for core netpols ([#652](https://github.com/defenseunicorns/uds-core/issues/652)) ([e9b69e8](https://github.com/defenseunicorns/uds-core/commit/e9b69e809a486c8dc5777ee761530a423a47f11b)) + + +### Miscellaneous + +* allow for extra keycloak gateway usage with client certs ([#648](https://github.com/defenseunicorns/uds-core/issues/648)) ([7b1c474](https://github.com/defenseunicorns/uds-core/commit/7b1c4740d243c2b0c35a3708d36057f0e2eb9e53)) +* **deps:** update dependency defenseunicorns/uds-common to v0.11.1 ([#647](https://github.com/defenseunicorns/uds-core/issues/647)) ([768aa1c](https://github.com/defenseunicorns/uds-core/commit/768aa1c3eb836ccd4e87bb4d597758cf67478d62)) +* **deps:** update dependency defenseunicorns/uds-common to v0.11.2 ([#653](https://github.com/defenseunicorns/uds-core/issues/653)) ([f7d1ce8](https://github.com/defenseunicorns/uds-core/commit/f7d1ce8805971640b4b3eb018d64717a5bbd806a)) +* **deps:** update grafana helm chart to v8.4.3 ([#660](https://github.com/defenseunicorns/uds-core/issues/660)) 
([81c7af0](https://github.com/defenseunicorns/uds-core/commit/81c7af036d126f13f003432a691623b88e0cece5)) +* **deps:** update grafana to 11.1.3 ([[#607](https://github.com/defenseunicorns/uds-core/issues/607)](https://github.com/defenseunicorns/uds-core/pull/607)) ([7b343ac](https://github.com/defenseunicorns/uds-core/commit/7b343ac301aaeab7c1928cf3b39b2c11f9c89993)) +* **deps:** update neuvector to 5.3.4 ([#606](https://github.com/defenseunicorns/uds-core/issues/606)) ([526bff4](https://github.com/defenseunicorns/uds-core/commit/526bff4674552fe257977e5e9a559d67a5ca273c)) +* **deps:** update pepr to 0.33.0 ([#588](https://github.com/defenseunicorns/uds-core/issues/588)) ([6eee8f0](https://github.com/defenseunicorns/uds-core/commit/6eee8f00e52c0831d2cf622631fc0f838a5ce374)) +* update identity config to 0.6.0 ([#661](https://github.com/defenseunicorns/uds-core/issues/661)) ([469fed8](https://github.com/defenseunicorns/uds-core/commit/469fed8fa07d7b5548eb778ee157c9c302d8a511)) + +## [0.25.1](https://github.com/defenseunicorns/uds-core/compare/v0.25.0...v0.25.1) (2024-08-06) ### Bug Fixes -* add keycloak to dev bundle and rename ([#262](https://github.com/BagelLab/uds-core/issues/262)) ([f9b905c](https://github.com/BagelLab/uds-core/commit/f9b905c7c2b7e4a6a43e7c83918e3157008433d3)) -* add kubeapi egress for neuvector enforcer ([#291](https://github.com/BagelLab/uds-core/issues/291)) ([87fc886](https://github.com/BagelLab/uds-core/commit/87fc886bc736104a9a3c3aefc4c7d232ed74a4f2)) -* add nightly uds-bundle.yaml to release-please extras for updates ([#346](https://github.com/BagelLab/uds-core/issues/346)) ([d1b3071](https://github.com/BagelLab/uds-core/commit/d1b3071182b48ef4905bb040d203fa42d7bbf76f)) -* add saml configuration to k3d standard bundle ([#425](https://github.com/BagelLab/uds-core/issues/425)) ([15b41d7](https://github.com/BagelLab/uds-core/commit/15b41d7ca506dd913316c41321aa9a3133755ab4)) -* add test for disallow selinux options and handle checking for us… 
([#96](https://github.com/BagelLab/uds-core/issues/96)) ([88b969e](https://github.com/BagelLab/uds-core/commit/88b969e2aa4dea8b76dbe397d77c53941f7cfbc8)) -* arm64 packages / bundles creation ([#264](https://github.com/BagelLab/uds-core/issues/264)) ([425fa18](https://github.com/BagelLab/uds-core/commit/425fa184fca6bcebd1eea431dce7112cadae2f44)) -* basic validations for packages ([#208](https://github.com/BagelLab/uds-core/issues/208)) ([9eba3af](https://github.com/BagelLab/uds-core/commit/9eba3afb7e288c13f75f93d5712d50a3b9e7b92d)) -* change pepr error policy to reject ([#99](https://github.com/BagelLab/uds-core/issues/99)) ([10772e2](https://github.com/BagelLab/uds-core/commit/10772e2c64f1e4b965b6b644b0008c81025029e9)) -* check if exemption exists before cleanup ([#468](https://github.com/BagelLab/uds-core/issues/468)) ([735288b](https://github.com/BagelLab/uds-core/commit/735288b87f2dff3c1bb28e9e20aac812d644aa4d)) -* ci ([1c925f0](https://github.com/BagelLab/uds-core/commit/1c925f0abb76399210920da43ede7e8b3bb500e4)) -* ci things ([f2389a3](https://github.com/BagelLab/uds-core/commit/f2389a33d66491dfab62014cc744b25434202fe2)) -* **ci:** test snapshot fix ([0e556ae](https://github.com/BagelLab/uds-core/commit/0e556aefdf19013aeb23bc72d15ff8971da6f6be)) -* comment out debug ([bdc8677](https://github.com/BagelLab/uds-core/commit/bdc86777d6f06bbb09602185338d6d1c1fe269b9)) -* complete incomplete deploy task ([#21](https://github.com/BagelLab/uds-core/issues/21)) ([45ff5e5](https://github.com/BagelLab/uds-core/commit/45ff5e5d7b6a50cdfcfabb174349ab539a8accd9)) -* concurrency group ([60ca1d0](https://github.com/BagelLab/uds-core/commit/60ca1d06208be3c7f5ec825a37d85504116585d1)) -* de-duplicate renovate matches ([#435](https://github.com/BagelLab/uds-core/issues/435)) ([4f9dbbb](https://github.com/BagelLab/uds-core/commit/4f9dbbbff0bbe1fe348ae7e6c55f97a505f730a9)) -* default keycloak realm envs ([#455](https://github.com/BagelLab/uds-core/issues/455)) 
([3a2b48f](https://github.com/BagelLab/uds-core/commit/3a2b48fefb11afcf20f6826fbdef8c43daaf4639)) -* drop path normalization to MERGE_SLASHES to allow apps to handle encoded slashes ([#330](https://github.com/BagelLab/uds-core/issues/330)) ([26e965f](https://github.com/BagelLab/uds-core/commit/26e965fd71dd325bd8df451ce317456bf2d15073)) -* exemption race conditions ([#407](https://github.com/BagelLab/uds-core/issues/407)) ([d1b3b56](https://github.com/BagelLab/uds-core/commit/d1b3b5669976eb23ca8f88cd5b15a12c56102eca)) -* forgot to commit :( ([29545b6](https://github.com/BagelLab/uds-core/commit/29545b6ca6a35c1717b10b23c8bc2ed3a90f1c4d)) -* github token ([75cfbe4](https://github.com/BagelLab/uds-core/commit/75cfbe446f9b6cd74b9858a7ceb6cd231b348509)) -* hotfix for publishing workflows ([#217](https://github.com/BagelLab/uds-core/issues/217)) ([5fefa01](https://github.com/BagelLab/uds-core/commit/5fefa017d382b7c5557e613b81cd84b27bda85f0)) -* id-token ([5a78de7](https://github.com/BagelLab/uds-core/commit/5a78de7ec926a3ebe82771a5713ac2ff4841271f)) -* inputs silly ([d5c51f3](https://github.com/BagelLab/uds-core/commit/d5c51f35f6817d66bfbf5b2d5f746032893c863a)) -* integrated docs ([#431](https://github.com/BagelLab/uds-core/issues/431)) ([72238fa](https://github.com/BagelLab/uds-core/commit/72238faed167a4e90e4d332e17909510efd98a58)) -* keycloak schema for package cr ([#436](https://github.com/BagelLab/uds-core/issues/436)) ([e32ce9a](https://github.com/BagelLab/uds-core/commit/e32ce9af9176ba8fef702a8c6aac84c15f9ab374)) -* keycloak volume permissions, UI update ([#223](https://github.com/BagelLab/uds-core/issues/223)) ([4454d3e](https://github.com/BagelLab/uds-core/commit/4454d3efcefe6bfa81628d330434afcc246fad65)) -* **keycloak:** add missing postgres host and port secret keys ([#224](https://github.com/BagelLab/uds-core/issues/224)) ([0c4d775](https://github.com/BagelLab/uds-core/commit/0c4d7758cfb077ff592fea907795402485b6c9f5)) -* **keycloak:** only use PVC for devMode 
([#241](https://github.com/BagelLab/uds-core/issues/241)) ([a6e6023](https://github.com/BagelLab/uds-core/commit/a6e6023134dc5171441a2043701ed91309e1b32c)) -* kubeapi netpol generation now also includes the ip from the kubernetes service ([#219](https://github.com/BagelLab/uds-core/issues/219)) ([0a83d02](https://github.com/BagelLab/uds-core/commit/0a83d02f5782d911e3bb63935b0cac70030e5c9b)) -* loki bucket configuration service_account and namespace ([#332](https://github.com/BagelLab/uds-core/issues/332)) ([9518634](https://github.com/BagelLab/uds-core/commit/9518634b24f2d5c285e598f8620849bbc6288ba4)) -* loki local storage ([#84](https://github.com/BagelLab/uds-core/issues/84)) ([b9505bb](https://github.com/BagelLab/uds-core/commit/b9505bbb42b5369c62d7cbfb05e1efb8b8a6200f)) -* loki s3 overrides ([#365](https://github.com/BagelLab/uds-core/issues/365)) ([3545066](https://github.com/BagelLab/uds-core/commit/354506647d65b0484332695abbbd58d91d9e7427)) -* metrics-server mTLS fix ([#44](https://github.com/BagelLab/uds-core/issues/44)) ([4853522](https://github.com/BagelLab/uds-core/commit/4853522c9504c87dcbd8319d689ecb0a1cb42c0b)) -* mismatched exemption/policy for DropAllCapabilities ([#384](https://github.com/BagelLab/uds-core/issues/384)) ([d8ec278](https://github.com/BagelLab/uds-core/commit/d8ec27827e2e2e7d85b4eba6b738f4b126264dd9)) -* named inputs ([c49e6ea](https://github.com/BagelLab/uds-core/commit/c49e6ea2b566198d4702d4c67c659e833a8bad97)) -* network policy to allow metrics-server ingress ([#148](https://github.com/BagelLab/uds-core/issues/148)) ([f1d434a](https://github.com/BagelLab/uds-core/commit/f1d434a68ef1f2a29ab3b13608bc16ce78211ed4)) -* networkpolicy for keycloak smtp egress ([4059954](https://github.com/BagelLab/uds-core/commit/4059954ed92502f10c1b5b769988a363adc06318)) -* nightly testing eks config architecture ([#452](https://github.com/BagelLab/uds-core/issues/452)) 
([a0bbd1f](https://github.com/BagelLab/uds-core/commit/a0bbd1f0bf84f03d59866f9797555a08dc8034d6)) -* non-vendored zarf command refs ([#157](https://github.com/BagelLab/uds-core/issues/157)) ([fe183a9](https://github.com/BagelLab/uds-core/commit/fe183a9ae367bc2d7ea7d629e7c15877aabe38cd)) -* ocsp lookup egress policy ([#255](https://github.com/BagelLab/uds-core/issues/255)) ([77c38f2](https://github.com/BagelLab/uds-core/commit/77c38f22e9a77d9db81504f4c172fdc535c0929e)) -* pepr ironbank renovate update ([#299](https://github.com/BagelLab/uds-core/issues/299)) ([287e40d](https://github.com/BagelLab/uds-core/commit/287e40db5d65f7472a9e9216aae91f3ad92403d9)) -* pepr mutation annotation overwrite ([#385](https://github.com/BagelLab/uds-core/issues/385)) ([6e56b2a](https://github.com/BagelLab/uds-core/commit/6e56b2afec8f54f8c0a4aa4b89fef1d1c754b627)) -* pepr operator derived netpol name collisions ([#480](https://github.com/BagelLab/uds-core/issues/480)) ([de60e25](https://github.com/BagelLab/uds-core/commit/de60e252526d73e439f5665b27f84e8773c24949)) -* registration robot check form id ([#269](https://github.com/BagelLab/uds-core/issues/269)) ([c6419b9](https://github.com/BagelLab/uds-core/commit/c6419b962eb5a02462e9060a66f7765689cfeb8f)) -* release workflow k3d image ([#316](https://github.com/BagelLab/uds-core/issues/316)) ([e7835e0](https://github.com/BagelLab/uds-core/commit/e7835e071f56af148792fbde250100af8e8ca0b8)) -* remove deprecated registry login and add env setup ([#443](https://github.com/BagelLab/uds-core/issues/443)) ([ca6b76f](https://github.com/BagelLab/uds-core/commit/ca6b76f3a66efb6b2e81832aff771ca06bdff68a)) -* remove go mod ([#441](https://github.com/BagelLab/uds-core/issues/441)) ([0de9693](https://github.com/BagelLab/uds-core/commit/0de969333923afb8fd4639547901c7d7f5c6a6f7)) -* remove loki gateway anti-affinity ([#111](https://github.com/BagelLab/uds-core/issues/111)) 
([2cba42e](https://github.com/BagelLab/uds-core/commit/2cba42e3a83a25ae7a45f3c3d6a35bdc7bba0b58)) -* remove no-tea and update uds version ([#446](https://github.com/BagelLab/uds-core/issues/446)) ([434844b](https://github.com/BagelLab/uds-core/commit/434844b827e01808b504abf5ee6af83fba813cb6)) -* remove spec from secret yaml ([#226](https://github.com/BagelLab/uds-core/issues/226)) ([e4b5848](https://github.com/BagelLab/uds-core/commit/e4b58487f736f588944f7c039b8654f9006e04f1)) -* renovate config grouping, test-infra ([#411](https://github.com/BagelLab/uds-core/issues/411)) ([05fd407](https://github.com/BagelLab/uds-core/commit/05fd407e9c3bf6a0bac33de64e892ce2a63275ac)) -* renovate pepr comment ([#410](https://github.com/BagelLab/uds-core/issues/410)) ([a825388](https://github.com/BagelLab/uds-core/commit/a82538817765ad21adb5f6bba283951bf4c23272)) -* resolve istio job termination container status logic issue ([#55](https://github.com/BagelLab/uds-core/issues/55)) ([c0142c2](https://github.com/BagelLab/uds-core/commit/c0142c213446a37185cdf9dec5ae60aaae8ba194)) -* revert "chore: support deselection of metrics-server" ([#196](https://github.com/BagelLab/uds-core/issues/196)) ([25a408d](https://github.com/BagelLab/uds-core/commit/25a408daeb7f6daada11c21e451f973ebe92c07c)) -* runners, snapshot ([df87b55](https://github.com/BagelLab/uds-core/commit/df87b5527b2055d8c15d6223d734e8cbcec0def6)) -* simplify publish repo output ([84805e0](https://github.com/BagelLab/uds-core/commit/84805e01d2704aa3639943f66a4d58b9aea4f690)) -* slim-dev monitoring handling ([#383](https://github.com/BagelLab/uds-core/issues/383)) ([79927aa](https://github.com/BagelLab/uds-core/commit/79927aa58cbb12c849e52b50c00b74629b100b31)) -* sticky sessions for keycloak in ha ([#281](https://github.com/BagelLab/uds-core/issues/281)) ([5ccd557](https://github.com/BagelLab/uds-core/commit/5ccd5576afc34d8b24061887f91ce284ec5857a1)) -* test 
([3dc039d](https://github.com/BagelLab/uds-core/commit/3dc039d1ee9d84a7cda7d474652296fef74555ff)) -* typo in comment ([#462](https://github.com/BagelLab/uds-core/issues/462)) ([582b1f4](https://github.com/BagelLab/uds-core/commit/582b1f4754ee3282696ea3b018322a1b3497a7d4)) -* unwanted exemption deletions ([#290](https://github.com/BagelLab/uds-core/issues/290)) ([50b0cd4](https://github.com/BagelLab/uds-core/commit/50b0cd4211964a90139347558028d6c461956da9)) -* update missing flavor create inputs in publish step ([#118](https://github.com/BagelLab/uds-core/issues/118)) ([a0233eb](https://github.com/BagelLab/uds-core/commit/a0233eb45e2d39035f483f3ed8fb3f396e5030d8)) -* update neuvector values for least privilege ([#373](https://github.com/BagelLab/uds-core/issues/373)) ([7f4de4f](https://github.com/BagelLab/uds-core/commit/7f4de4f729e60a258abc40ce34f9c397fae99181)) -* update status for test ([20983d7](https://github.com/BagelLab/uds-core/commit/20983d749871ac2b769584d2ea5d37c1b9183b52)) -* use updated k3s ([#426](https://github.com/BagelLab/uds-core/issues/426)) ([1da1c49](https://github.com/BagelLab/uds-core/commit/1da1c49e314c73e6fd1f2ef2940aff983262ec6b)) -* validating/mutating webhook networkpolicies and mtls ([#192](https://github.com/BagelLab/uds-core/issues/192)) ([b01e629](https://github.com/BagelLab/uds-core/commit/b01e62960985dd7cb318372abff296fb96f1012b)) -* valueFrom in KeyCloak statefulset.yaml ([#229](https://github.com/BagelLab/uds-core/issues/229)) ([189a5ce](https://github.com/BagelLab/uds-core/commit/189a5ce3a9dd16fe9646a293ca3948db21eb5d78)) -* version ([5053bad](https://github.com/BagelLab/uds-core/commit/5053badca76b7c008ef393f70da7687f423f68d8)) -* wait on istio proxies ([#87](https://github.com/BagelLab/uds-core/issues/87)) ([51cd5a0](https://github.com/BagelLab/uds-core/commit/51cd5a012cc1d095a89b30a22910d3d7ad49885d)) -* workflow links ([eba372c](https://github.com/BagelLab/uds-core/commit/eba372c0b0a942f1bcead8efcd420fbb427ed6e1)) -* workflow 
outputs silly ([c427851](https://github.com/BagelLab/uds-core/commit/c4278510505b38b651d3f1893a098d1b432e5d95)) -* workflow silliness ([5870a77](https://github.com/BagelLab/uds-core/commit/5870a773b91e96a2f8bf616be2abedbe60263f86)) +* switch metrics-server to optional everywhere ([#641](https://github.com/defenseunicorns/uds-core/issues/641)) ([43c5bd5](https://github.com/defenseunicorns/uds-core/commit/43c5bd5bff896e9fd65f5b878563672e3a22100b)) ### Miscellaneous -* add checks before killing pods when updating istio annotations ([#457](https://github.com/BagelLab/uds-core/issues/457)) ([a62f9a0](https://github.com/BagelLab/uds-core/commit/a62f9a0e04bb538a8018a3f866c88e8b93c59826)) -* add commit lint workflow ([#19](https://github.com/BagelLab/uds-core/issues/19)) ([776a632](https://github.com/BagelLab/uds-core/commit/776a6325821329b2cbd97da2f40a30447cd48efc)) -* add debug logging to endpointslice watch ([#359](https://github.com/BagelLab/uds-core/issues/359)) ([da3eb5a](https://github.com/BagelLab/uds-core/commit/da3eb5ab4f5e6ced50f838456999995d5be601b7)) -* add debug logs to save logs for easier searching ([#430](https://github.com/BagelLab/uds-core/issues/430)) ([319101b](https://github.com/BagelLab/uds-core/commit/319101b61e4793037aab6c96b92c9d834763e9b8)) -* add debug output to release workflow ([#285](https://github.com/BagelLab/uds-core/issues/285)) ([5f96865](https://github.com/BagelLab/uds-core/commit/5f968651fb4f0da563d9c388efab761863f9ea08)) -* add flavor to pepr build task ([#238](https://github.com/BagelLab/uds-core/issues/238)) ([29bf8a3](https://github.com/BagelLab/uds-core/commit/29bf8a3b83255c7548201f3ea19e22452a1d1d4a)) -* add minio deploy time bundle variable override definitions ([#58](https://github.com/BagelLab/uds-core/issues/58)) ([ca28e7b](https://github.com/BagelLab/uds-core/commit/ca28e7b4c4a42769934cc8ad69361ff29a348cc5)) -* add security.md ([#189](https://github.com/BagelLab/uds-core/issues/189)) 
([bf7c1d2](https://github.com/BagelLab/uds-core/commit/bf7c1d28e077cf52d4f765b50d7efb8ce5d60fff)) -* add velero csi plugin ([#424](https://github.com/BagelLab/uds-core/issues/424)) ([c7e49e9](https://github.com/BagelLab/uds-core/commit/c7e49e91d9f7810ddc0368f146d43d3c94c782ad)) -* adding unit test for registerExemptions() ([#105](https://github.com/BagelLab/uds-core/issues/105)) ([5e71fcf](https://github.com/BagelLab/uds-core/commit/5e71fcf4751d2e3f6a1e55583ccf76c0fdc76856)) -* align mutation annotations ([#268](https://github.com/BagelLab/uds-core/issues/268)) ([f18ad4d](https://github.com/BagelLab/uds-core/commit/f18ad4db94a77f4229cc9267e0129f6aa3381c9a)) -* annotate mutations in policies ([#236](https://github.com/BagelLab/uds-core/issues/236)) ([cc9db50](https://github.com/BagelLab/uds-core/commit/cc9db500bb1033a516104f409fa05b3a1101d832)) -* bump zarf & uds-k3d deps ([#30](https://github.com/BagelLab/uds-core/issues/30)) ([dd28ab3](https://github.com/BagelLab/uds-core/commit/dd28ab3acd163aaccdfb76fbf9726c02a2ff0050)) -* conform to latest uds bundle schema ([#52](https://github.com/BagelLab/uds-core/issues/52)) ([14dad38](https://github.com/BagelLab/uds-core/commit/14dad3819187d4f8e13f7bbc191dca74a29b9c98)) -* dep updates for UDS CLI & Pepr ([#46](https://github.com/BagelLab/uds-core/issues/46)) ([1037634](https://github.com/BagelLab/uds-core/commit/10376349e350bd32f3bf32577d8f8089c09ac6cc)) -* **deps:** pin dependencies ([#79](https://github.com/BagelLab/uds-core/issues/79)) ([bfab11e](https://github.com/BagelLab/uds-core/commit/bfab11e345941d23dfeb928917f38e36a2f75bc9)) -* **deps:** update checkout action to latest sha ([#481](https://github.com/BagelLab/uds-core/issues/481)) ([c6f0137](https://github.com/BagelLab/uds-core/commit/c6f0137bb9a1e11f98d426cec8c98eb4005f160a)) -* **deps:** update checkout to v4.1.7 ([#478](https://github.com/BagelLab/uds-core/issues/478)) 
([e91a0a3](https://github.com/BagelLab/uds-core/commit/e91a0a35252581554d9ed587e4ef72c2c88a3586)) -* **deps:** update dependency defenseunicorns/uds-common to v0.2.1 ([#205](https://github.com/BagelLab/uds-core/issues/205)) ([1b01407](https://github.com/BagelLab/uds-core/commit/1b01407c4ae3a707db381b07e1364c572c76eceb)) -* **deps:** update dependency defenseunicorns/uds-common to v0.2.2 ([#232](https://github.com/BagelLab/uds-core/issues/232)) ([083ae0c](https://github.com/BagelLab/uds-core/commit/083ae0c45667e5b9064cbff781fbe4e5bc0d2991)) -* **deps:** update dependency defenseunicorns/uds-common to v0.3.6 ([#261](https://github.com/BagelLab/uds-core/issues/261)) ([1b5398b](https://github.com/BagelLab/uds-core/commit/1b5398b7b778ead8ac3265080ae0bd2b5761066e)) -* **deps:** update dependency weaveworks/eksctl to v0.183.0 ([#499](https://github.com/BagelLab/uds-core/issues/499)) ([9cb8e4d](https://github.com/BagelLab/uds-core/commit/9cb8e4d7c86611918e502de0a7e7e25921523cbc)) -* **deps:** update githubactions ([#179](https://github.com/BagelLab/uds-core/issues/179)) ([7797e25](https://github.com/BagelLab/uds-core/commit/7797e259b9691099cce9e151ce1ebf9f9f181435)) -* **deps:** update githubactions ([#242](https://github.com/BagelLab/uds-core/issues/242)) ([1eb2e2c](https://github.com/BagelLab/uds-core/commit/1eb2e2cd2018f0cd8fb55d8e6576b7e36fa8c3cf)) -* **deps:** update githubactions ([#413](https://github.com/BagelLab/uds-core/issues/413)) ([ebd834e](https://github.com/BagelLab/uds-core/commit/ebd834e56ae9adabe14d9772e4a4d9c305da173c)) -* **deps:** update githubactions to de90cc6 ([#215](https://github.com/BagelLab/uds-core/issues/215)) ([f79eed0](https://github.com/BagelLab/uds-core/commit/f79eed03b2495d9f3e11edb433291ce8a3aa55ee)) -* **deps:** update githubactions to ebc4d7e ([#183](https://github.com/BagelLab/uds-core/issues/183)) ([77357e7](https://github.com/BagelLab/uds-core/commit/77357e72cc0344e61fedcab7197aabdd7e4fd2a0)) -* **deps:** update githubactions to v19 
([#204](https://github.com/BagelLab/uds-core/issues/204)) ([d65acd4](https://github.com/BagelLab/uds-core/commit/d65acd4e2d37907685ba9083ff98988b4ea1d452)) -* **deps:** update githubactions to v3 ([#181](https://github.com/BagelLab/uds-core/issues/181)) ([70c5ddf](https://github.com/BagelLab/uds-core/commit/70c5ddf1ee0e5017bee4057d96b320812a964f88)) -* **deps:** update githubactions to v4.1.3 ([#471](https://github.com/BagelLab/uds-core/issues/471)) ([2a9f44d](https://github.com/BagelLab/uds-core/commit/2a9f44d20dce66fa474e47ba0c93eaa7fa9ad406)) -* **deps:** update grafana ([#144](https://github.com/BagelLab/uds-core/issues/144)) ([6987927](https://github.com/BagelLab/uds-core/commit/698792728faf8cfeabaf7a7c735c91229cc0c07f)) -* **deps:** update grafana ([#257](https://github.com/BagelLab/uds-core/issues/257)) ([c98e566](https://github.com/BagelLab/uds-core/commit/c98e5661c3e6fb84bf17fc64170f5dd39779dda7)) -* **deps:** update grafana ([#339](https://github.com/BagelLab/uds-core/issues/339)) ([52e6c1b](https://github.com/BagelLab/uds-core/commit/52e6c1b3bb003402710bc0fa85419538f38b388f)) -* **deps:** update grafana ([#80](https://github.com/BagelLab/uds-core/issues/80)) ([ccb2c12](https://github.com/BagelLab/uds-core/commit/ccb2c1280313fe69198ecab5fea5b38fc650f699)) -* **deps:** update grafana to v10.3.1 ([#132](https://github.com/BagelLab/uds-core/issues/132)) ([09e028c](https://github.com/BagelLab/uds-core/commit/09e028c63093a6f5fdfd0b1be800b07c0eb9de77)) -* **deps:** update grafana to v7.2.5 ([#136](https://github.com/BagelLab/uds-core/issues/136)) ([a271270](https://github.com/BagelLab/uds-core/commit/a271270f2d3f3488aa9664ef5ad69a4d239c5d22)) -* **deps:** update grafana to v7.3.0 ([#142](https://github.com/BagelLab/uds-core/issues/142)) ([5e960c0](https://github.com/BagelLab/uds-core/commit/5e960c0479e6fc96244db0230296c94e936e57d8)) -* **deps:** update grafana to v7.3.9 ([#353](https://github.com/BagelLab/uds-core/issues/353)) 
([4a70f40](https://github.com/BagelLab/uds-core/commit/4a70f407d5e06919aaa0dc5901f49f7f1b166c9d)) -* **deps:** update istio to v1.20.2 ([#75](https://github.com/BagelLab/uds-core/issues/75)) ([671f977](https://github.com/BagelLab/uds-core/commit/671f977ff183010ce75e323532db500dcd4aa69c)) -* **deps:** update istio to v1.20.3 ([#163](https://github.com/BagelLab/uds-core/issues/163)) ([e45de0e](https://github.com/BagelLab/uds-core/commit/e45de0e5917a2ca6c3e30e593e2d9a8d393849a9)) -* **deps:** update istio to v1.21.2 ([#258](https://github.com/BagelLab/uds-core/issues/258)) ([51c6540](https://github.com/BagelLab/uds-core/commit/51c65405c87ed3c147bdd90172ab0588dc8e5db1)) -* **deps:** update istio to v1.22.1 ([#405](https://github.com/BagelLab/uds-core/issues/405)) ([ad4b861](https://github.com/BagelLab/uds-core/commit/ad4b861158eecfac1d09a37ea3776e31a1c387cb)) -* **deps:** update jest to v29.1.4 ([#438](https://github.com/BagelLab/uds-core/issues/438)) ([c3ecc8b](https://github.com/BagelLab/uds-core/commit/c3ecc8b83b8c65f09600ab937a1c140c4a5f7db1)) -* **deps:** update jest to v29.1.5 ([#485](https://github.com/BagelLab/uds-core/issues/485)) ([9c392b9](https://github.com/BagelLab/uds-core/commit/9c392b9b88c84e3c3763878e6beb1800c43ded25)) -* **deps:** update keycloak ([#349](https://github.com/BagelLab/uds-core/issues/349)) ([2ef1813](https://github.com/BagelLab/uds-core/commit/2ef181333d2fd853bb8eee2c5deb82430d68c861)) -* **deps:** update keycloak ([#390](https://github.com/BagelLab/uds-core/issues/390)) ([3e82c4e](https://github.com/BagelLab/uds-core/commit/3e82c4ece470a5eea81d937b2b38c455934212e1)) -* **deps:** update keycloak to v0.4.2 ([#375](https://github.com/BagelLab/uds-core/issues/375)) ([b0bb8e4](https://github.com/BagelLab/uds-core/commit/b0bb8e47f78886186514f188a99ff38463a5eac3)) -* **deps:** update keycloak to v0.4.4 ([#460](https://github.com/BagelLab/uds-core/issues/460)) 
([936f40b](https://github.com/BagelLab/uds-core/commit/936f40bf078bb06d94ebd51585b4eb7669d426b4)) -* **deps:** update keycloak to v0.4.5 ([#461](https://github.com/BagelLab/uds-core/issues/461)) ([3592012](https://github.com/BagelLab/uds-core/commit/35920121bcdfbdf9b708eb3308ea34763a31246a)) -* **deps:** update keycloak to v24.0.4 ([#397](https://github.com/BagelLab/uds-core/issues/397)) ([c0420ea](https://github.com/BagelLab/uds-core/commit/c0420ea750b3a7dfc8ea6adab5225f76178ef953)) -* **deps:** update keycloak to v24.0.4 ([#402](https://github.com/BagelLab/uds-core/issues/402)) ([e454576](https://github.com/BagelLab/uds-core/commit/e454576a6de53e833d6b925308f09d6007166dde)) -* **deps:** update keycloak to v24.0.5 ([#453](https://github.com/BagelLab/uds-core/issues/453)) ([6b0c6fc](https://github.com/BagelLab/uds-core/commit/6b0c6fc91f238e367c9f2d54f0daaf9d8065794e)) -* **deps:** update keycloak to v24.0.5 ([#454](https://github.com/BagelLab/uds-core/issues/454)) ([89911f0](https://github.com/BagelLab/uds-core/commit/89911f0ca01ac421a254b79e25124525f464cf51)) -* **deps:** update loki ([#131](https://github.com/BagelLab/uds-core/issues/131)) ([61250b0](https://github.com/BagelLab/uds-core/commit/61250b02eca7ca57d7f346c1da5b63f19de17c49)) -* **deps:** update loki ([#209](https://github.com/BagelLab/uds-core/issues/209)) ([03ca499](https://github.com/BagelLab/uds-core/commit/03ca499bd5d9cac800bd36dca80340ceac3f3009)) -* **deps:** update loki ([#72](https://github.com/BagelLab/uds-core/issues/72)) ([98134bb](https://github.com/BagelLab/uds-core/commit/98134bba1f6078a867aae2ae28f4152ba7b1a8e5)) -* **deps:** update loki to v5.43.0 ([#180](https://github.com/BagelLab/uds-core/issues/180)) ([bab5f7a](https://github.com/BagelLab/uds-core/commit/bab5f7aba3644c0e478a17338df4e074b0c1a6a2)) -* **deps:** update loki to v5.43.1 ([#182](https://github.com/BagelLab/uds-core/issues/182)) 
([6cc5fc7](https://github.com/BagelLab/uds-core/commit/6cc5fc7f5a07d848cfe4f18dc9a7e2a4cd91b1cf)) -* **deps:** update loki to v5.43.2 ([#191](https://github.com/BagelLab/uds-core/issues/191)) ([0ec0cd4](https://github.com/BagelLab/uds-core/commit/0ec0cd4d6cdc7b4eb1eea33f4da7b144ecbc29a5)) -* **deps:** update loki to v5.43.3 ([#199](https://github.com/BagelLab/uds-core/issues/199)) ([40f1554](https://github.com/BagelLab/uds-core/commit/40f155469670a4b7290819fc09d28ff1fcc06a81)) -* **deps:** update metrics-server ([#123](https://github.com/BagelLab/uds-core/issues/123)) ([fb25a97](https://github.com/BagelLab/uds-core/commit/fb25a970d6e3b51432164fab05ea2d19d1a638ef)) -* **deps:** update metrics-server ([#298](https://github.com/BagelLab/uds-core/issues/298)) ([691fd87](https://github.com/BagelLab/uds-core/commit/691fd87ae3e523c897d0461c4a0384b2bb7c8c03)) -* **deps:** update neuvector ([#333](https://github.com/BagelLab/uds-core/issues/333)) ([010e287](https://github.com/BagelLab/uds-core/commit/010e287dbf3a712d19e54bfbbaa87807585130d7)) -* **deps:** update neuvector ([#73](https://github.com/BagelLab/uds-core/issues/73)) ([50f6c90](https://github.com/BagelLab/uds-core/commit/50f6c90ca31d5bf984e44fd1ded7c5cfcb968064)) -* **deps:** update neuvector to 5.3.3 ([#467](https://github.com/BagelLab/uds-core/issues/467)) ([261057d](https://github.com/BagelLab/uds-core/commit/261057d2bf142c3167fdf0d0bd68bc2fb47d22df)) -* **deps:** update neuvector to v9.4 ([#381](https://github.com/BagelLab/uds-core/issues/381)) ([20d4170](https://github.com/BagelLab/uds-core/commit/20d4170386d2437826abafc68d87d91dc457022a)) -* **deps:** update pepr ([#116](https://github.com/BagelLab/uds-core/issues/116)) ([bfa7352](https://github.com/BagelLab/uds-core/commit/bfa7352ebe962ef1ed091f4a5799ed4974e086ef)) -* **deps:** update pepr ([#324](https://github.com/BagelLab/uds-core/issues/324)) ([2ef0f96](https://github.com/BagelLab/uds-core/commit/2ef0f96da7476b487d72d4bb7ce4bd50fdb0b182)) -* **deps:** 
update pepr ([#340](https://github.com/BagelLab/uds-core/issues/340)) ([e71ba4a](https://github.com/BagelLab/uds-core/commit/e71ba4ab4eb1ea1cc482b507fef4e0e2735bbd1f)) -* **deps:** update pepr ([#419](https://github.com/BagelLab/uds-core/issues/419)) ([d8f0309](https://github.com/BagelLab/uds-core/commit/d8f0309b4f9661b1c5bc2d5e574697ee9579e387)) -* **deps:** update pepr ([#76](https://github.com/BagelLab/uds-core/issues/76)) ([50de920](https://github.com/BagelLab/uds-core/commit/50de920bcf03092d16a11ebf77ede70987a7cdcf)) -* **deps:** update pepr to 0.31.0 ([#360](https://github.com/BagelLab/uds-core/issues/360)) ([fbd61ea](https://github.com/BagelLab/uds-core/commit/fbd61ea9665133619aec81726b189449226d8459)) -* **deps:** update pepr to 0.32.2 ([#473](https://github.com/BagelLab/uds-core/issues/473)) ([ab4bee9](https://github.com/BagelLab/uds-core/commit/ab4bee906f020d86b90c0b984789be55f8b4c08b)) -* **deps:** update pepr to 0.32.3 ([#494](https://github.com/BagelLab/uds-core/issues/494)) ([2e28897](https://github.com/BagelLab/uds-core/commit/2e2889784043b21463e72643eb890054645dd439)) -* **deps:** update pepr to v0.22.0 ([#102](https://github.com/BagelLab/uds-core/issues/102)) ([941902d](https://github.com/BagelLab/uds-core/commit/941902dcfc2ec1d5340d658f75811b3369489c56)) -* **deps:** update pepr to v0.22.2 ([#104](https://github.com/BagelLab/uds-core/issues/104)) ([0555353](https://github.com/BagelLab/uds-core/commit/0555353e5a5dec2aa8685a3987852d1c3788f28c)) -* **deps:** update pepr to v0.24.1 ([#134](https://github.com/BagelLab/uds-core/issues/134)) ([6474a1c](https://github.com/BagelLab/uds-core/commit/6474a1c0a16c8d87248acb1b3f7d79b76a354fc8)) -* **deps:** update pepr to v0.25.0 ([#164](https://github.com/BagelLab/uds-core/issues/164)) ([e7b8212](https://github.com/BagelLab/uds-core/commit/e7b8212b6a8ed2e16b47264687e0c39d2f0a3455)) -* **deps:** update pepr to v0.28.6 ([#254](https://github.com/BagelLab/uds-core/issues/254)) 
([54ef7de](https://github.com/BagelLab/uds-core/commit/54ef7ded349d060b1732b381124fe29e3e8fe85b)) -* **deps:** update pepr to v0.28.6 ([#300](https://github.com/BagelLab/uds-core/issues/300)) ([86b43e4](https://github.com/BagelLab/uds-core/commit/86b43e478521aa88a3a4843948ca96b9cbe55985)) -* **deps:** update pepr to v0.28.7 ([#321](https://github.com/BagelLab/uds-core/issues/321)) ([e7206bb](https://github.com/BagelLab/uds-core/commit/e7206bb93ce23a3ae611e410106890df3eafdea1)) -* **deps:** update pepr to v0.4.5 ([#447](https://github.com/BagelLab/uds-core/issues/447)) ([f1dba17](https://github.com/BagelLab/uds-core/commit/f1dba17076a7c6052ed67e07bdb560fda7604b80)) -* **deps:** update prometheus-stack ([#128](https://github.com/BagelLab/uds-core/issues/128)) ([625622a](https://github.com/BagelLab/uds-core/commit/625622a44c101f0a9c1beffd66eb259dc1f1eedc)) -* **deps:** update prometheus-stack ([#190](https://github.com/BagelLab/uds-core/issues/190)) ([f9a605a](https://github.com/BagelLab/uds-core/commit/f9a605a4c828128fc19f0bdb1d2443f65fb87b8a)) -* **deps:** update prometheus-stack ([#301](https://github.com/BagelLab/uds-core/issues/301)) ([143eca3](https://github.com/BagelLab/uds-core/commit/143eca3ecc2e3c39765312dc3c5384c87a13d7da)) -* **deps:** update prometheus-stack ([#348](https://github.com/BagelLab/uds-core/issues/348)) ([49cb11a](https://github.com/BagelLab/uds-core/commit/49cb11a058a9209cee7019fa552b8c0b2ef73368)) -* **deps:** update prometheus-stack ([#392](https://github.com/BagelLab/uds-core/issues/392)) ([2e656f5](https://github.com/BagelLab/uds-core/commit/2e656f5dc3de2e6561ac313cb1bae478635b86b3)) -* **deps:** update prometheus-stack ([#422](https://github.com/BagelLab/uds-core/issues/422)) ([a96193e](https://github.com/BagelLab/uds-core/commit/a96193e257701dfaf6fccc34246ef3f31e639f3e)) -* **deps:** update prometheus-stack ([#81](https://github.com/BagelLab/uds-core/issues/81)) 
([19bedb6](https://github.com/BagelLab/uds-core/commit/19bedb60cd2f99615c4b5673623ff0ff6fafb73f)) -* **deps:** update promtail ([#74](https://github.com/BagelLab/uds-core/issues/74)) ([6a112b5](https://github.com/BagelLab/uds-core/commit/6a112b5226250f1a17023b2c1225d404cf8feeee)) -* **deps:** update to keycloak 24 ([#336](https://github.com/BagelLab/uds-core/issues/336)) ([1153ba0](https://github.com/BagelLab/uds-core/commit/1153ba09ac062d3477a4ee396376be83493ad3c5)) -* **deps:** update uds to v0.10.4 ([#228](https://github.com/BagelLab/uds-core/issues/228)) ([1750b23](https://github.com/BagelLab/uds-core/commit/1750b2304e3c6f0ce6a60f1ef2873ce8a6ce1502)) -* **deps:** update uds to v0.11.1 ([#472](https://github.com/BagelLab/uds-core/issues/472)) ([12fd798](https://github.com/BagelLab/uds-core/commit/12fd79894e71ee06181ccd6f2ac98b84d935066c)) -* **deps:** update uds to v0.11.2 ([#479](https://github.com/BagelLab/uds-core/issues/479)) ([f967f9a](https://github.com/BagelLab/uds-core/commit/f967f9a4bf8d718b9ece96d882db4d9c800f5f0f)) -* **deps:** update uds to v0.5.3, zarf to v0.32.1, and uds-k3d to 0.3.0 ([#77](https://github.com/BagelLab/uds-core/issues/77)) ([596f9d8](https://github.com/BagelLab/uds-core/commit/596f9d8df51c3df1aa87fd0e09d9e69c87473bf0)) -* **deps:** update uds to v0.6.2 ([#107](https://github.com/BagelLab/uds-core/issues/107)) ([7b7220e](https://github.com/BagelLab/uds-core/commit/7b7220e708cf2dca25cc592b8932661620d9610d)) -* **deps:** update uds to v0.8.1 ([#141](https://github.com/BagelLab/uds-core/issues/141)) ([fa79065](https://github.com/BagelLab/uds-core/commit/fa79065265a5ee2b8f6f6a55d1c2904bbaf42fff)) -* **deps:** update uds to v0.9.0 ([#173](https://github.com/BagelLab/uds-core/issues/173)) ([b91a90d](https://github.com/BagelLab/uds-core/commit/b91a90db987e108a5a093a326428bbd0b5f9446e)) -* **deps:** update uds to v0.9.2 ([#200](https://github.com/BagelLab/uds-core/issues/200)) 
([e4b54fe](https://github.com/BagelLab/uds-core/commit/e4b54febc4d7914e962db92b7a0490a3735af4e5)) -* **deps:** update uds-common tasks to 0.6.1 ([#498](https://github.com/BagelLab/uds-core/issues/498)) ([4aa6e33](https://github.com/BagelLab/uds-core/commit/4aa6e3372f6d1a5df1e2ae51a3129603a8b0b29b)) -* **deps:** update uds-common to v0.4.4 ([#442](https://github.com/BagelLab/uds-core/issues/442)) ([bf6debd](https://github.com/BagelLab/uds-core/commit/bf6debdd0d50f6cde11288cd70d8bdf1dcdaaaa0)) -* **deps:** update uds-identity-config to 0.4.1 ([#355](https://github.com/BagelLab/uds-core/issues/355)) ([8485931](https://github.com/BagelLab/uds-core/commit/84859316ea92ef9ec7807a702ee246e11b73567b)) -* **deps:** update uds-k3d to v0.3.1 ([#89](https://github.com/BagelLab/uds-core/issues/89)) ([5d54cd1](https://github.com/BagelLab/uds-core/commit/5d54cd1efe5eee4c19caf347882725e0aa20e50a)) -* **deps:** update uds-k3d to v0.5.0 ([#186](https://github.com/BagelLab/uds-core/issues/186)) ([164bf5f](https://github.com/BagelLab/uds-core/commit/164bf5f8bd58899f5ec1a179d6d409cfb46b850f)) -* **deps:** update uds-k3d to v0.6.0 ([#240](https://github.com/BagelLab/uds-core/issues/240)) ([6a26523](https://github.com/BagelLab/uds-core/commit/6a2652368fde3a3bdbe5bb81fd258830dfaeb5c8)) -* **deps:** update uds-k3d to v0.6.0 ([#398](https://github.com/BagelLab/uds-core/issues/398)) ([288f009](https://github.com/BagelLab/uds-core/commit/288f00990a715087c9bf1fffd0a63ecf33125a5a)) -* **deps:** update uds-k3d to v0.7.0 ([#428](https://github.com/BagelLab/uds-core/issues/428)) ([23b59a2](https://github.com/BagelLab/uds-core/commit/23b59a260b2c60791614ca4d39a33e65476e19ee)) -* **deps:** update velero ([#260](https://github.com/BagelLab/uds-core/issues/260)) ([f352008](https://github.com/BagelLab/uds-core/commit/f35200833a4d4d50de9f632f6918320f7d8fff5e)) -* **deps:** update velero ([#350](https://github.com/BagelLab/uds-core/issues/350)) 
([e7cb33e](https://github.com/BagelLab/uds-core/commit/e7cb33ea9a13ab9550aab45d8ee437a1ba595d38)) -* **deps:** update velero ([#408](https://github.com/BagelLab/uds-core/issues/408)) ([ffbefda](https://github.com/BagelLab/uds-core/commit/ffbefda74777466ef74ad1d5cffff1f4895f323d)) -* **deps:** update velero ([#440](https://github.com/BagelLab/uds-core/issues/440)) ([4b1a3ea](https://github.com/BagelLab/uds-core/commit/4b1a3ead81a80b49e5ccfeb2e4130a4aaebb53a4)) -* **deps:** update velero to v1.30.2 ([#476](https://github.com/BagelLab/uds-core/issues/476)) ([89bbda9](https://github.com/BagelLab/uds-core/commit/89bbda9e640014bede116c254381cab8995df12f)) -* **deps:** update velero to v6.6.0 ([#456](https://github.com/BagelLab/uds-core/issues/456)) ([aff37c1](https://github.com/BagelLab/uds-core/commit/aff37c194e321f6a6c92f1bc11fd796cf9f0a9ab)) -* **deps:** update zarf to v0.32.2 ([#133](https://github.com/BagelLab/uds-core/issues/133)) ([91502c6](https://github.com/BagelLab/uds-core/commit/91502c6321334c6d31ce5fd1cd8f2fe6f77c09ae)) -* **deps:** update zarf to v0.32.3 ([#155](https://github.com/BagelLab/uds-core/issues/155)) ([2f0a1a7](https://github.com/BagelLab/uds-core/commit/2f0a1a77043ce298e765e6999cf11a97f36e4ecc)) -* **deps:** update zarf to v0.32.4 ([#203](https://github.com/BagelLab/uds-core/issues/203)) ([05c903e](https://github.com/BagelLab/uds-core/commit/05c903ea43243401d9cc2928ba5eb66ff6201c94)) -* **deps:** update zarf to v0.32.5 ([#243](https://github.com/BagelLab/uds-core/issues/243)) ([ee93612](https://github.com/BagelLab/uds-core/commit/ee9361224767c1a708b6f8e2c266af710facea8d)) -* **deps:** update zarf to v0.32.6 ([#282](https://github.com/BagelLab/uds-core/issues/282)) ([443426d](https://github.com/BagelLab/uds-core/commit/443426d05b9bd1d15fb4632efa26219250270895)) -* **deps:** update zarf to v0.33.0 ([#325](https://github.com/BagelLab/uds-core/issues/325)) 
([f2a2a66](https://github.com/BagelLab/uds-core/commit/f2a2a665309c812b4300047d1c90ff3833a8eba6)) -* **deps:** update zarf to v0.33.1 ([#368](https://github.com/BagelLab/uds-core/issues/368)) ([296e547](https://github.com/BagelLab/uds-core/commit/296e54729c20c9ecee21677daec874a2c8b57b57)) -* **deps:** update zarf to v0.33.2 ([#394](https://github.com/BagelLab/uds-core/issues/394)) ([201a37b](https://github.com/BagelLab/uds-core/commit/201a37b12277880058c14fc05b3c0d4aecbf31e0)) -* **deps:** update zarf to v0.34.0 ([#434](https://github.com/BagelLab/uds-core/issues/434)) ([9badf9d](https://github.com/BagelLab/uds-core/commit/9badf9d4b9b6f904b1b7a478be5355416dc7fbe0)) -* **deps:** update zarf to v0.35.0 ([#490](https://github.com/BagelLab/uds-core/issues/490)) ([86957cf](https://github.com/BagelLab/uds-core/commit/86957cfe19564ec8ddccec7e496af4469def322a)) -* docs linting changes ([#505](https://github.com/BagelLab/uds-core/issues/505)) ([0fe2015](https://github.com/BagelLab/uds-core/commit/0fe20151713363f572a50601016e06e60230990f)) -* fix missing deps in tag and release workflow ([#28](https://github.com/BagelLab/uds-core/issues/28)) ([1e1af76](https://github.com/BagelLab/uds-core/commit/1e1af762e8eb1dd331cbd681e48ecc95ec3184d2)) -* initial renovate config ([#67](https://github.com/BagelLab/uds-core/issues/67)) ([2cd19d8](https://github.com/BagelLab/uds-core/commit/2cd19d871a95491950d43fea8e8fd2e8c290cd55)) -* kick off ci ([1afc3a4](https://github.com/BagelLab/uds-core/commit/1afc3a4203cce1a1c81b15e7ba6caad1a9c63131)) -* **main:** release 0.1.1 ([#27](https://github.com/BagelLab/uds-core/issues/27)) ([3776e91](https://github.com/BagelLab/uds-core/commit/3776e91670aa73907cb9c48a05419d106ecedd67)) -* **main:** release 0.1.2 ([#29](https://github.com/BagelLab/uds-core/issues/29)) ([af7b0be](https://github.com/BagelLab/uds-core/commit/af7b0beaf409627c87b47e4d908b0a8a0d8cff63)) -* **main:** release 0.1.3 ([#31](https://github.com/BagelLab/uds-core/issues/31)) 
([28ad8a7](https://github.com/BagelLab/uds-core/commit/28ad8a78b023f160714ecb90d748ee65403cf500)) -* **main:** release 0.10.0 ([#135](https://github.com/BagelLab/uds-core/issues/135)) ([5bb6f01](https://github.com/BagelLab/uds-core/commit/5bb6f016631fdef4f14848ff55588f33e6d4f07d)) -* **main:** release 0.11.0 ([#138](https://github.com/BagelLab/uds-core/issues/138)) ([c02ada8](https://github.com/BagelLab/uds-core/commit/c02ada860f532d8955af00637756ee622f3e9019)) -* **main:** release 0.11.1 ([#159](https://github.com/BagelLab/uds-core/issues/159)) ([2c493bb](https://github.com/BagelLab/uds-core/commit/2c493bb7c877a7193e45376a9d28aed832cff590)) -* **main:** release 0.12.0 ([#161](https://github.com/BagelLab/uds-core/issues/161)) ([e3c41e8](https://github.com/BagelLab/uds-core/commit/e3c41e82ba5bd776f2633cbde222ab05c5c513f3)) -* **main:** release 0.13.0 ([#170](https://github.com/BagelLab/uds-core/issues/170)) ([09c9447](https://github.com/BagelLab/uds-core/commit/09c9447fa47e5bd1f1d3ae627d7c3dab9c46d596)) -* **main:** release 0.13.1 ([#197](https://github.com/BagelLab/uds-core/issues/197)) ([e968fe9](https://github.com/BagelLab/uds-core/commit/e968fe9707f5a1f154b1fd19050ba46073427495)) -* **main:** release 0.14.0 ([#202](https://github.com/BagelLab/uds-core/issues/202)) ([d090f40](https://github.com/BagelLab/uds-core/commit/d090f4052679d1557973a17524923280c04807fd)) -* **main:** release 0.14.1 ([#218](https://github.com/BagelLab/uds-core/issues/218)) ([3199d8b](https://github.com/BagelLab/uds-core/commit/3199d8bc8cc8e11f9eccdb7075ce798572f6fa0a)) -* **main:** release 0.14.2 ([#221](https://github.com/BagelLab/uds-core/issues/221)) ([2ab4c54](https://github.com/BagelLab/uds-core/commit/2ab4c54618f40c8f195e4bbc1aee63024e488dc8)) -* **main:** release 0.14.3 ([#225](https://github.com/BagelLab/uds-core/issues/225)) ([05b1c19](https://github.com/BagelLab/uds-core/commit/05b1c196e4509ee38261a9b9bc8bc8531086b499)) -* **main:** release 0.14.4 
([#227](https://github.com/BagelLab/uds-core/issues/227)) ([d2d005b](https://github.com/BagelLab/uds-core/commit/d2d005b9caf0b067f850f752a3d6e643c99a74c6)) -* **main:** release 0.14.5 ([#230](https://github.com/BagelLab/uds-core/issues/230)) ([1acafca](https://github.com/BagelLab/uds-core/commit/1acafcadf0baa4567d4f0c41e3201fa40895d092)) -* **main:** release 0.15.0 ([#233](https://github.com/BagelLab/uds-core/issues/233)) ([f4f3699](https://github.com/BagelLab/uds-core/commit/f4f3699096e4f917cf36bcb15bdb47179569b74d)) -* **main:** release 0.15.1 ([#235](https://github.com/BagelLab/uds-core/issues/235)) ([a0c6b32](https://github.com/BagelLab/uds-core/commit/a0c6b327ada2a36a08a4dc4874248d9df65f5381)) -* **main:** release 0.16.0 ([#246](https://github.com/BagelLab/uds-core/issues/246)) ([efc64d4](https://github.com/BagelLab/uds-core/commit/efc64d45c6e78f3014258b80abdf35d0119bde36)) -* **main:** release 0.16.1 ([#265](https://github.com/BagelLab/uds-core/issues/265)) ([4e4eaea](https://github.com/BagelLab/uds-core/commit/4e4eaea6c16e010837bb1c0d5624ebda418bce6f)) -* **main:** release 0.17.0 ([#267](https://github.com/BagelLab/uds-core/issues/267)) ([510f536](https://github.com/BagelLab/uds-core/commit/510f536133e835f98bb524bfc9f437e6f716d9ef)) -* **main:** release 0.18.0 ([#286](https://github.com/BagelLab/uds-core/issues/286)) ([40e6b7b](https://github.com/BagelLab/uds-core/commit/40e6b7b711ddbd956058eda8490355568faddaec)) -* **main:** release 0.18.0 ([#318](https://github.com/BagelLab/uds-core/issues/318)) ([5f5e0b8](https://github.com/BagelLab/uds-core/commit/5f5e0b8a19daf0b51d9a102fd851ff76e5296d4e)) -* **main:** release 0.19.0 ([#320](https://github.com/BagelLab/uds-core/issues/320)) ([4ce502b](https://github.com/BagelLab/uds-core/commit/4ce502be3a5d83c28c259db8080a215f309c6ed7)) -* **main:** release 0.2.0 ([#34](https://github.com/BagelLab/uds-core/issues/34)) ([5185a8f](https://github.com/BagelLab/uds-core/commit/5185a8f98c90578eabd9f1494f55e43922bb7a92)) -* 
**main:** release 0.20.0 ([#345](https://github.com/BagelLab/uds-core/issues/345)) ([c29cc91](https://github.com/BagelLab/uds-core/commit/c29cc91cd2e41d5bbaee33deb173628c83ad0480)) -* **main:** release 0.21.0 ([#361](https://github.com/BagelLab/uds-core/issues/361)) ([c9f027f](https://github.com/BagelLab/uds-core/commit/c9f027f518de547b962b06defb836fba3c70ff3d)) -* **main:** release 0.21.1 ([#379](https://github.com/BagelLab/uds-core/issues/379)) ([b46a161](https://github.com/BagelLab/uds-core/commit/b46a161271bac3c167e554fadf673d2536b6b420)) -* **main:** release 0.22.0 ([#386](https://github.com/BagelLab/uds-core/issues/386)) ([6367bef](https://github.com/BagelLab/uds-core/commit/6367bef04dab6803471b8f424210baedf2004d01)) -* **main:** release 0.22.1 ([#432](https://github.com/BagelLab/uds-core/issues/432)) ([7cf9c4c](https://github.com/BagelLab/uds-core/commit/7cf9c4c09dccc1d91edb7acbb2aee8750c5433ed)) -* **main:** release 0.22.2 ([#474](https://github.com/BagelLab/uds-core/issues/474)) ([84a408f](https://github.com/BagelLab/uds-core/commit/84a408fb23c1803bdbbf5e1f1ce64e97110f2829)) -* **main:** release 0.23.0 ([2ae4621](https://github.com/BagelLab/uds-core/commit/2ae4621ca40e3f4c5557644248321e8073a3585f)) -* **main:** release 0.23.0 ([8e992e3](https://github.com/BagelLab/uds-core/commit/8e992e385fc51e01f0e0df31dd8c7434660ea0d6)) -* **main:** release 0.23.0 ([d640453](https://github.com/BagelLab/uds-core/commit/d64045363c267dad4d10b447e7706b1e739765ae)) -* **main:** release 0.23.1 ([09c623a](https://github.com/BagelLab/uds-core/commit/09c623ac9fb0fe6c785d15245da8d84787cf3649)) -* **main:** release 0.23.2 ([6df0592](https://github.com/BagelLab/uds-core/commit/6df0592f5f336c50c6c7c7cec1f276f7c11f7cdb)) -* **main:** release 0.23.3 ([55cb491](https://github.com/BagelLab/uds-core/commit/55cb491c28ebf5ee7c40f2add5c588c47e9864b0)) -* **main:** release 0.23.4 ([e0e6ebc](https://github.com/BagelLab/uds-core/commit/e0e6ebc684e2004f9e2a3ca128d7401dc41bcc33)) -* **main:** 
release 0.3.0 ([#39](https://github.com/BagelLab/uds-core/issues/39)) ([4d2b05d](https://github.com/BagelLab/uds-core/commit/4d2b05de9d155dc91b799bde5156c5980bc348cb)) -* **main:** release 0.4.0 ([#43](https://github.com/BagelLab/uds-core/issues/43)) ([d2b61c3](https://github.com/BagelLab/uds-core/commit/d2b61c373b91d4f405e27ce930e4f8bec52ddd21)) -* **main:** release 0.4.1 ([#45](https://github.com/BagelLab/uds-core/issues/45)) ([d66eafe](https://github.com/BagelLab/uds-core/commit/d66eafea0ec9ccd412f5af3ed5ab12f3f8275a33)) -* **main:** release 0.5.0 ([#49](https://github.com/BagelLab/uds-core/issues/49)) ([f9c4269](https://github.com/BagelLab/uds-core/commit/f9c426998f2bc4fc21c32b3492f25b8608f50282)) -* **main:** release 0.6.0 ([#53](https://github.com/BagelLab/uds-core/issues/53)) ([9b3ad64](https://github.com/BagelLab/uds-core/commit/9b3ad64a6e3870ce364cad77abd367cc8d493042)) -* **main:** release 0.6.1 ([#56](https://github.com/BagelLab/uds-core/issues/56)) ([4a5a42c](https://github.com/BagelLab/uds-core/commit/4a5a42c8fa9ee17656e462cb9df08562d9c85b96)) -* **main:** release 0.6.2 ([#59](https://github.com/BagelLab/uds-core/issues/59)) ([b1c49ac](https://github.com/BagelLab/uds-core/commit/b1c49ac70e8a293936dea8a516c32b7bb7e6fc4c)) -* **main:** release 0.7.0 ([#71](https://github.com/BagelLab/uds-core/issues/71)) ([51dcb54](https://github.com/BagelLab/uds-core/commit/51dcb54d239cb5636b0c4f55fde9fc2b2c3bf076)) -* **main:** release 0.7.1 ([#85](https://github.com/BagelLab/uds-core/issues/85)) ([da4040a](https://github.com/BagelLab/uds-core/commit/da4040aff739746dc2355ec0449ee762c05c56c1)) -* **main:** release 0.7.2 ([#88](https://github.com/BagelLab/uds-core/issues/88)) ([5e421ce](https://github.com/BagelLab/uds-core/commit/5e421ce011e42692c3cb6f1353cfb8a5edb846fb)) -* **main:** release 0.7.3 ([#93](https://github.com/BagelLab/uds-core/issues/93)) ([ddf8fa6](https://github.com/BagelLab/uds-core/commit/ddf8fa617853686b8c043d236c159bcd59c47ac0)) -* **main:** release 
0.7.4 ([#100](https://github.com/BagelLab/uds-core/issues/100)) ([9abd78b](https://github.com/BagelLab/uds-core/commit/9abd78b11a90a67344fa93e8dba7fd53d6b58ea2)) -* **main:** release 0.8.0 ([#106](https://github.com/BagelLab/uds-core/issues/106)) ([3ab93c3](https://github.com/BagelLab/uds-core/commit/3ab93c30b132ff9c35c1f238008b15cd265abe92)) -* **main:** release 0.8.1 ([#112](https://github.com/BagelLab/uds-core/issues/112)) ([942ad54](https://github.com/BagelLab/uds-core/commit/942ad549b53e8ce87a33fae985bbe2f82c6fa75c)) -* **main:** release 0.9.0 ([#117](https://github.com/BagelLab/uds-core/issues/117)) ([6b0c56b](https://github.com/BagelLab/uds-core/commit/6b0c56b8a6d60091e532ac36cd69ea6cd5ac1124)) -* **main:** release 0.9.1 ([#119](https://github.com/BagelLab/uds-core/issues/119)) ([984f916](https://github.com/BagelLab/uds-core/commit/984f91602c3b2873110d62a49c5df4ecfaa19f8a)) -* **main:** release 0.9.2 ([#121](https://github.com/BagelLab/uds-core/issues/121)) ([2d9b3c9](https://github.com/BagelLab/uds-core/commit/2d9b3c9fe288347879f2d78c8524b719d3772abd)) -* move api service watch to reconcile ([#362](https://github.com/BagelLab/uds-core/issues/362)) ([1822bca](https://github.com/BagelLab/uds-core/commit/1822bca6c397a5c8ea64b9355a9ba4f51fde4518)) -* open the aperture for pr workflow triggering ([#90](https://github.com/BagelLab/uds-core/issues/90)) ([d8a72f2](https://github.com/BagelLab/uds-core/commit/d8a72f2f2f3e507a4be7f217e23b737e3d4c35ce)) -* readme updates & use UDS CLI for zarf ([#137](https://github.com/BagelLab/uds-core/issues/137)) ([21de0ce](https://github.com/BagelLab/uds-core/commit/21de0cee2d70d67ca17b1d45c642e9ca4e1617ce)) -* refactor ci for releases to remove certain artifacts ([#125](https://github.com/BagelLab/uds-core/issues/125)) ([c08a062](https://github.com/BagelLab/uds-core/commit/c08a062bb3f3ede6860c3d7f34136b3e82b78715)) -* refactor promtail extraScrapeConfigs into scrapeConfigs ([#367](https://github.com/BagelLab/uds-core/issues/367)) 
([2220272](https://github.com/BagelLab/uds-core/commit/222027240148e669edf40483d145ffc15567b1b7)) -* refactor validate.yaml file name and task name ([#62](https://github.com/BagelLab/uds-core/issues/62)) ([92a04ea](https://github.com/BagelLab/uds-core/commit/92a04ea1096448995ccc0dd9d77a32a5061e06f0)) -* remove emulated gitlab endpoints from keycloak ([#483](https://github.com/BagelLab/uds-core/issues/483)) ([495960c](https://github.com/BagelLab/uds-core/commit/495960ce8d40cf2ef7c0f0021b653db6fc6383bb)) -* remove retry-action action on registry1 docker login ([#160](https://github.com/BagelLab/uds-core/issues/160)) ([eea0c93](https://github.com/BagelLab/uds-core/commit/eea0c93a0ff172bfc5a76d3eaca143ffc0d9fbe2)) -* remove version from neuvector zarf.yaml ([#11](https://github.com/BagelLab/uds-core/issues/11)) ([fbc8d51](https://github.com/BagelLab/uds-core/commit/fbc8d51e2b4146d394184d7596cd9a54219dc001)) -* renovate updates ([#140](https://github.com/BagelLab/uds-core/issues/140)) ([b71a013](https://github.com/BagelLab/uds-core/commit/b71a013bea30c9ca5e39f1dc6485fffaa86ca6b1)) -* simplify promtail values for scrape configs ([#94](https://github.com/BagelLab/uds-core/issues/94)) ([6c2513b](https://github.com/BagelLab/uds-core/commit/6c2513be89f064b44516b1d89c0d6005dd1d4d30)) -* support deselection of metrics-server ([#193](https://github.com/BagelLab/uds-core/issues/193)) ([289a0fe](https://github.com/BagelLab/uds-core/commit/289a0fee5315e8c4a70b3afe66165dd00a7dfbc1)) -* support headless keycloak admin user ([#307](https://github.com/BagelLab/uds-core/issues/307)) ([a0e51b6](https://github.com/BagelLab/uds-core/commit/a0e51b649822619b63478b140bb5dbbebeb20ff3)) -* test artifacts before publish ([#198](https://github.com/BagelLab/uds-core/issues/198)) ([9732f32](https://github.com/BagelLab/uds-core/commit/9732f325624244f4d34c127a949c6ce5951ff6ab)) -* test publish ([2cefa29](https://github.com/BagelLab/uds-core/commit/2cefa2938d60cfa40bd5c0f7ff44c2448c4f48a8)) -* 
trigger eks nightly when related files are updated ([#366](https://github.com/BagelLab/uds-core/issues/366)) ([6d6e4e0](https://github.com/BagelLab/uds-core/commit/6d6e4e0debbca3498cbc21db405eec48b3bcc240)) -* typo fix in README.md ([#280](https://github.com/BagelLab/uds-core/issues/280)) ([f9727e0](https://github.com/BagelLab/uds-core/commit/f9727e0b638e853bbae131d02019a2efb5286b0a)) -* update codeowners ([#338](https://github.com/BagelLab/uds-core/issues/338)) ([c419574](https://github.com/BagelLab/uds-core/commit/c41957409607c6335ebf6bd4ff30a1a9336a4870)) -* update release please extra-files to be explicit ([#26](https://github.com/BagelLab/uds-core/issues/26)) ([23f4999](https://github.com/BagelLab/uds-core/commit/23f49995771fb05cd18e7a077bf90e86ca5b7471)) -* updating keycloak chart version to align with image ([#378](https://github.com/BagelLab/uds-core/issues/378)) ([a60fe2a](https://github.com/BagelLab/uds-core/commit/a60fe2afed9f7cff3bcad6b0f563232b47e8025b)) - -## [0.23.0](https://github.com/BagelLab/uds-core/compare/v0.24.0...v0.23.0) (2024-07-17) +* add debug logs for istio injection logic ([#602](https://github.com/defenseunicorns/uds-core/issues/602)) ([9075436](https://github.com/defenseunicorns/uds-core/commit/9075436c37c847bd06f7e527506ecd41e4c4db0e)) +* add support for public clients and disabling standard auth flow ([#630](https://github.com/defenseunicorns/uds-core/issues/630)) ([38151d7](https://github.com/defenseunicorns/uds-core/commit/38151d74d245d0b56ea7325a69514a832d7cf496)) +* **deps:** update dependency defenseunicorns/uds-common to v0.11.0 ([#617](https://github.com/defenseunicorns/uds-core/issues/617)) ([997cf37](https://github.com/defenseunicorns/uds-core/commit/997cf37250bd72930d053ea87bba8a56c6fe052b)) +* **deps:** update dependency weaveworks/eksctl to v0.188.0 ([#623](https://github.com/defenseunicorns/uds-core/issues/623)) ([3081044](https://github.com/defenseunicorns/uds-core/commit/3081044eddd8b2d043d7039907945b67990718ed)) +* 
**deps:** update uds to v0.14.0 ([#612](https://github.com/defenseunicorns/uds-core/issues/612)) ([7fe927e](https://github.com/defenseunicorns/uds-core/commit/7fe927e4e0df19acbf2975b8d9c9e3068e0f82c5)) +* update codeowners ([#637](https://github.com/defenseunicorns/uds-core/issues/637)) ([eec5017](https://github.com/defenseunicorns/uds-core/commit/eec5017bad0a06b5e2b5f023b5a2602aaf20f789)) + +## [0.25.0](https://github.com/defenseunicorns/uds-core/compare/v0.24.1...v0.25.0) (2024-08-02) ### ⚠ BREAKING CHANGES -* remove emulated gitlab endpoints from keycloak ([#483](https://github.com/BagelLab/uds-core/issues/483)) +* change metric server to optional (https://github.com/defenseunicorns/uds-core/pull/611) ### Features -* add `expose` service entry for internal cluster traffic ([#356](https://github.com/BagelLab/uds-core/issues/356)) ([1bde4cc](https://github.com/BagelLab/uds-core/commit/1bde4ccf302864b0c38d093742ca683b96cebe89)) -* add `monitor` to operator, fix monitoring setup ([#256](https://github.com/BagelLab/uds-core/issues/256)) ([bf67722](https://github.com/BagelLab/uds-core/commit/bf67722d4e7e02d44dd29c4436e9a8d2ef960fa5)) -* add authservice to uds-core ([#153](https://github.com/BagelLab/uds-core/issues/153)) ([b0b33b9](https://github.com/BagelLab/uds-core/commit/b0b33b98ae12fe233c922bba55c9328212c2e578)) -* Add istio and preliminary ci ([#3](https://github.com/BagelLab/uds-core/issues/3)) ([fbd7453](https://github.com/BagelLab/uds-core/commit/fbd745392340dbc978b27f0d321f3375882c1c40)) -* add Istio VirtualService Requestmatch to UDS Operator ([#129](https://github.com/BagelLab/uds-core/issues/129)) ([a207197](https://github.com/BagelLab/uds-core/commit/a20719726991d3b981a372b705b776948f6fbc30)) -* add keycloak ([#147](https://github.com/BagelLab/uds-core/issues/147)) ([f99d3d5](https://github.com/BagelLab/uds-core/commit/f99d3d5d4f89264a21dd76d8847e1cef0325d127)) -* add keycloak sso realm values ([#352](https://github.com/BagelLab/uds-core/issues/352)) 
([74436ea](https://github.com/BagelLab/uds-core/commit/74436ea78684a74044efdee14564a6582e659998)) -* add metrics-server ([#35](https://github.com/BagelLab/uds-core/issues/35)) ([8216ab9](https://github.com/BagelLab/uds-core/commit/8216ab982be79dc393a2e0db359370b32e660150)) -* add monitoring and logging ([#33](https://github.com/BagelLab/uds-core/issues/33)) ([c6d9aec](https://github.com/BagelLab/uds-core/commit/c6d9aece4984421e1ccbf476cd0d40fb701e4e50)) -* add nightly testing eks ([#250](https://github.com/BagelLab/uds-core/issues/250)) ([543b09d](https://github.com/BagelLab/uds-core/commit/543b09d103a43c474da6a8c950404cc1f373b03f)) -* add pepr capability for istio + jobs ([#12](https://github.com/BagelLab/uds-core/issues/12)) ([c32a703](https://github.com/BagelLab/uds-core/commit/c32a70390f443c90796978ad4c42bbb4b17eb226)) -* add policy exemptions ([#165](https://github.com/BagelLab/uds-core/issues/165)) ([196df88](https://github.com/BagelLab/uds-core/commit/196df88b01347e530eb1cb49df7440d62c986e0e)) -* add prometheus-stack (monitoring) capability ([#2](https://github.com/BagelLab/uds-core/issues/2)) ([e438ab6](https://github.com/BagelLab/uds-core/commit/e438ab6089bc9d8c6640fa002285d38ddc3022df)) -* add reconciliation retries for CRs ([#423](https://github.com/BagelLab/uds-core/issues/423)) ([424b57b](https://github.com/BagelLab/uds-core/commit/424b57ba91906e1c60e6e92927e37b34d657ad01)) -* add saml and attribute/mapper support for keycloak in uds pepr operator ([#328](https://github.com/BagelLab/uds-core/issues/328)) ([c53d4ee](https://github.com/BagelLab/uds-core/commit/c53d4ee1227d71b60a35419f7c8c9396d71b9508)) -* add UDS Operator and consolidate UDS Policies ([#66](https://github.com/BagelLab/uds-core/issues/66)) ([395c1c4](https://github.com/BagelLab/uds-core/commit/395c1c4aec324d0d939cc410a6bb92129b26653b)) -* add velero package ([#210](https://github.com/BagelLab/uds-core/issues/210)) 
([a272945](https://github.com/BagelLab/uds-core/commit/a27294585f0d50732b63672d0c2baf14948e29d1)) -* add Zarf Flavors to support Iron Bank & upstream images ([#63](https://github.com/BagelLab/uds-core/issues/63)) ([232c256](https://github.com/BagelLab/uds-core/commit/232c2566b96be0285c24b8b5787350897e72332f)) -* added initial oscal files ([#145](https://github.com/BagelLab/uds-core/issues/145)) ([9600d5f](https://github.com/BagelLab/uds-core/commit/9600d5f159e4a04e8f71313f8ed118b87efbb9a1)) -* embed tls certs in istio package ([#32](https://github.com/BagelLab/uds-core/issues/32)) ([fb04fee](https://github.com/BagelLab/uds-core/commit/fb04feec9657f449366389a0e0a474a8cdeecb2c)) -* enable sso for neuvector ([#351](https://github.com/BagelLab/uds-core/issues/351)) ([597353e](https://github.com/BagelLab/uds-core/commit/597353e294e3dc5c06a8d572414e188f9845af8e)) -* expose tls certs as UDS bundle variables ([#48](https://github.com/BagelLab/uds-core/issues/48)) ([c1f8286](https://github.com/BagelLab/uds-core/commit/c1f828650ef2c53a3fd9ed477950046020c5d375)) -* introduce advancedHTTP for expose field & change podLabels to selector ([#154](https://github.com/BagelLab/uds-core/issues/154)) ([1079267](https://github.com/BagelLab/uds-core/commit/107926791149989a782254b8798b7c57a35cfcaf)) -* introduce Pepr common policies ([#50](https://github.com/BagelLab/uds-core/issues/50)) ([54182b4](https://github.com/BagelLab/uds-core/commit/54182b4db691d86ce80379be272d924d105b0d07)) -* introduce sso secret templating ([#276](https://github.com/BagelLab/uds-core/issues/276)) ([e0832ec](https://github.com/BagelLab/uds-core/commit/e0832ec2ee825dc1725483350e3b9295937b8feb)) -* keycloak PVC customization ([#341](https://github.com/BagelLab/uds-core/issues/341)) ([f8eae2a](https://github.com/BagelLab/uds-core/commit/f8eae2a20e02faac6e2c441845a82febeaab3b89)) -* **operator:** add events and improve lifecycle ops ([#245](https://github.com/BagelLab/uds-core/issues/245)) 
([502c044](https://github.com/BagelLab/uds-core/commit/502c044547048a380b1f73dead0b8ab1b14a4b4f)) -* release-please integration ([#25](https://github.com/BagelLab/uds-core/issues/25)) ([bf3c53b](https://github.com/BagelLab/uds-core/commit/bf3c53b2ddac4e02e31aa3429029dd9f1c9595e3)) -* switch loki to simple scalable ([#156](https://github.com/BagelLab/uds-core/issues/156)) ([1661b15](https://github.com/BagelLab/uds-core/commit/1661b154657eba1b30fc5bcec64179cbf6037c03)) -* uds common renovate config ([#391](https://github.com/BagelLab/uds-core/issues/391)) ([035786c](https://github.com/BagelLab/uds-core/commit/035786cadcd9c1fbaf7e0a798f9c13104a1a9a14)) -* uds core docs ([#414](https://github.com/BagelLab/uds-core/issues/414)) ([a35ca7b](https://github.com/BagelLab/uds-core/commit/a35ca7b484ab59572d8205a625db5447a8771e44)) -* update security policy to use provided user, group, and fsgroup ([#82](https://github.com/BagelLab/uds-core/issues/82)) ([6d641ce](https://github.com/BagelLab/uds-core/commit/6d641ce67210999bacda0e855269dca61e7c6a7b)) +* add json logging for keycloak ([#610](https://github.com/defenseunicorns/uds-core/issues/610)) ([29ed934](https://github.com/defenseunicorns/uds-core/commit/29ed934859c31dd557788f182a06736c5249f384)) +* **istio:** add configurable TLS version ([#624](https://github.com/defenseunicorns/uds-core/issues/624)) ([cd2b87e](https://github.com/defenseunicorns/uds-core/commit/cd2b87e1819153df1c025afe0d3f7a3392e32217)) + + +### Bug Fixes + +* account for keycloak HA ports ([#619](https://github.com/defenseunicorns/uds-core/issues/619)) ([434f349](https://github.com/defenseunicorns/uds-core/commit/434f349fe6fda234875622a93de3939d0082eb78)) +* add google saml to slim-dev ([#613](https://github.com/defenseunicorns/uds-core/issues/613)) ([f2164e1](https://github.com/defenseunicorns/uds-core/commit/f2164e10aae0a87dbd73cfe189f1154f850895e3)) +* address network policy generation inter-namespace bug 
([#564](https://github.com/defenseunicorns/uds-core/issues/564)) ([9b14c2c](https://github.com/defenseunicorns/uds-core/commit/9b14c2ca31d7c05540dcfdfff7247bb31ed6b924)) +* reference root scope ([#633](https://github.com/defenseunicorns/uds-core/issues/633)) ([5de6915](https://github.com/defenseunicorns/uds-core/commit/5de69159f1f8370fc6b5553c2b9b05af52621027)) + + +### Miscellaneous + +* change metric server to optional (https://github.com/defenseunicorns/uds-core/pull/611) ([bc2d673](https://github.com/defenseunicorns/uds-core/commit/bc2d673b81724449a6c7523b1ba6950009c0c888)) +* **deps:** update dependency defenseunicorns/uds-common to v0.9.0 ([#592](https://github.com/defenseunicorns/uds-core/issues/592)) ([44ea2d7](https://github.com/defenseunicorns/uds-core/commit/44ea2d7db07b1b91318ec5a8d6b048c3c8f3a565)) +* **deps:** update dependency weaveworks/eksctl to v0.187.0 ([#539](https://github.com/defenseunicorns/uds-core/issues/539)) ([9002a94](https://github.com/defenseunicorns/uds-core/commit/9002a945bbe7f9e9f75ca3f3909ffecedbbc995a)) +* **deps:** update githubactions ([#553](https://github.com/defenseunicorns/uds-core/issues/553)) ([2a9e29a](https://github.com/defenseunicorns/uds-core/commit/2a9e29aa506dffc1c8db5b5fc2272ffc974a0988)) +* **deps:** update grafana curl image to v8.9.0 ([#596](https://github.com/defenseunicorns/uds-core/issues/596)) ([64f9408](https://github.com/defenseunicorns/uds-core/commit/64f9408fb792b931b4eddc4669559d8f99aab7dc)) +* **deps:** update grafana helm chart to v8.3.6 ([#594](https://github.com/defenseunicorns/uds-core/issues/594)) ([1f2005b](https://github.com/defenseunicorns/uds-core/commit/1f2005bff139a1738c6cf217d79c0c6396e1a347)) +* **deps:** update istio to v1.22.3 ([#580](https://github.com/defenseunicorns/uds-core/issues/580)) ([7aba89e](https://github.com/defenseunicorns/uds-core/commit/7aba89e8951b27f26495c6b13fbe25b02808ee19)) +* **deps:** update lula to v0.4.4 
([#615](https://github.com/defenseunicorns/uds-core/issues/615)) ([b02b305](https://github.com/defenseunicorns/uds-core/commit/b02b305fdac5e415af1b78668f45fdde7be4b67a)) +* **deps:** update neuvector-updater/curl to v8.9.0 ([#597](https://github.com/defenseunicorns/uds-core/issues/597)) ([b4bd660](https://github.com/defenseunicorns/uds-core/commit/b4bd66086b217871b17cadcff7bd1617c829279d)) +* **deps:** update promtail configmap-reload to v0.13.1 ([#608](https://github.com/defenseunicorns/uds-core/issues/608)) ([d98bbae](https://github.com/defenseunicorns/uds-core/commit/d98bbae27de52b9ece2981b79d5bd6ba2b09d5e0)) +* **deps:** update promtail helm chart to v6.16.4 ([#574](https://github.com/defenseunicorns/uds-core/issues/574)) ([bf9f65c](https://github.com/defenseunicorns/uds-core/commit/bf9f65ca482da38c6cd09a6a519d545511326d43)) +* **deps:** update to identity-config 0.5.2 ([#635](https://github.com/defenseunicorns/uds-core/issues/635)) ([6474d16](https://github.com/defenseunicorns/uds-core/commit/6474d16eb0cc6f08f2d4c35e9d642add62c6ae34)) +* **deps:** update uds cli to v0.13.1 ([#569](https://github.com/defenseunicorns/uds-core/issues/569)) ([4339c89](https://github.com/defenseunicorns/uds-core/commit/4339c892c56bdcabf7809cde7c7898348c1d9132)) +* **deps:** update zarf to v0.36.1 ([#562](https://github.com/defenseunicorns/uds-core/issues/562)) ([058cfb3](https://github.com/defenseunicorns/uds-core/commit/058cfb3b45d9f944e2f2c615fef82ae1a98d2413)) +* disable telemetry/analytics for loki/grafana ([#601](https://github.com/defenseunicorns/uds-core/issues/601)) ([ad785bc](https://github.com/defenseunicorns/uds-core/commit/ad785bcac2e11ccdc4fbdb14bee9bb1fdbd536cb)) +* update zarf to new repo location, 0.37.0 ([#631](https://github.com/defenseunicorns/uds-core/issues/631)) ([29f9fd0](https://github.com/defenseunicorns/uds-core/commit/29f9fd0277bc0ab4cd6073e4c5b73123586946e1)) + +## [0.24.1](https://github.com/defenseunicorns/uds-core/compare/v0.24.0...v0.24.1) 
(2024-07-22) ### Bug Fixes -* add keycloak to dev bundle and rename ([#262](https://github.com/BagelLab/uds-core/issues/262)) ([f9b905c](https://github.com/BagelLab/uds-core/commit/f9b905c7c2b7e4a6a43e7c83918e3157008433d3)) -* add kubeapi egress for neuvector enforcer ([#291](https://github.com/BagelLab/uds-core/issues/291)) ([87fc886](https://github.com/BagelLab/uds-core/commit/87fc886bc736104a9a3c3aefc4c7d232ed74a4f2)) -* add nightly uds-bundle.yaml to release-please extras for updates ([#346](https://github.com/BagelLab/uds-core/issues/346)) ([d1b3071](https://github.com/BagelLab/uds-core/commit/d1b3071182b48ef4905bb040d203fa42d7bbf76f)) -* add saml configuration to k3d standard bundle ([#425](https://github.com/BagelLab/uds-core/issues/425)) ([15b41d7](https://github.com/BagelLab/uds-core/commit/15b41d7ca506dd913316c41321aa9a3133755ab4)) -* add test for disallow selinux options and handle checking for us… ([#96](https://github.com/BagelLab/uds-core/issues/96)) ([88b969e](https://github.com/BagelLab/uds-core/commit/88b969e2aa4dea8b76dbe397d77c53941f7cfbc8)) -* arm64 packages / bundles creation ([#264](https://github.com/BagelLab/uds-core/issues/264)) ([425fa18](https://github.com/BagelLab/uds-core/commit/425fa184fca6bcebd1eea431dce7112cadae2f44)) -* basic validations for packages ([#208](https://github.com/BagelLab/uds-core/issues/208)) ([9eba3af](https://github.com/BagelLab/uds-core/commit/9eba3afb7e288c13f75f93d5712d50a3b9e7b92d)) -* change pepr error policy to reject ([#99](https://github.com/BagelLab/uds-core/issues/99)) ([10772e2](https://github.com/BagelLab/uds-core/commit/10772e2c64f1e4b965b6b644b0008c81025029e9)) -* check if exemption exists before cleanup ([#468](https://github.com/BagelLab/uds-core/issues/468)) ([735288b](https://github.com/BagelLab/uds-core/commit/735288b87f2dff3c1bb28e9e20aac812d644aa4d)) -* ci ([1c925f0](https://github.com/BagelLab/uds-core/commit/1c925f0abb76399210920da43ede7e8b3bb500e4)) -* ci things 
([f2389a3](https://github.com/BagelLab/uds-core/commit/f2389a33d66491dfab62014cc744b25434202fe2)) -* **ci:** test snapshot fix ([0e556ae](https://github.com/BagelLab/uds-core/commit/0e556aefdf19013aeb23bc72d15ff8971da6f6be)) -* comment out debug ([bdc8677](https://github.com/BagelLab/uds-core/commit/bdc86777d6f06bbb09602185338d6d1c1fe269b9)) -* complete incomplete deploy task ([#21](https://github.com/BagelLab/uds-core/issues/21)) ([45ff5e5](https://github.com/BagelLab/uds-core/commit/45ff5e5d7b6a50cdfcfabb174349ab539a8accd9)) -* concurrency group ([60ca1d0](https://github.com/BagelLab/uds-core/commit/60ca1d06208be3c7f5ec825a37d85504116585d1)) -* de-duplicate renovate matches ([#435](https://github.com/BagelLab/uds-core/issues/435)) ([4f9dbbb](https://github.com/BagelLab/uds-core/commit/4f9dbbbff0bbe1fe348ae7e6c55f97a505f730a9)) -* default keycloak realm envs ([#455](https://github.com/BagelLab/uds-core/issues/455)) ([3a2b48f](https://github.com/BagelLab/uds-core/commit/3a2b48fefb11afcf20f6826fbdef8c43daaf4639)) -* drop path normalization to MERGE_SLASHES to allow apps to handle encoded slashes ([#330](https://github.com/BagelLab/uds-core/issues/330)) ([26e965f](https://github.com/BagelLab/uds-core/commit/26e965fd71dd325bd8df451ce317456bf2d15073)) -* exemption race conditions ([#407](https://github.com/BagelLab/uds-core/issues/407)) ([d1b3b56](https://github.com/BagelLab/uds-core/commit/d1b3b5669976eb23ca8f88cd5b15a12c56102eca)) -* forgot to commit :( ([29545b6](https://github.com/BagelLab/uds-core/commit/29545b6ca6a35c1717b10b23c8bc2ed3a90f1c4d)) -* github token ([75cfbe4](https://github.com/BagelLab/uds-core/commit/75cfbe446f9b6cd74b9858a7ceb6cd231b348509)) -* hotfix for publishing workflows ([#217](https://github.com/BagelLab/uds-core/issues/217)) ([5fefa01](https://github.com/BagelLab/uds-core/commit/5fefa017d382b7c5557e613b81cd84b27bda85f0)) -* id-token ([5a78de7](https://github.com/BagelLab/uds-core/commit/5a78de7ec926a3ebe82771a5713ac2ff4841271f)) -* inputs 
silly ([d5c51f3](https://github.com/BagelLab/uds-core/commit/d5c51f35f6817d66bfbf5b2d5f746032893c863a)) -* integrated docs ([#431](https://github.com/BagelLab/uds-core/issues/431)) ([72238fa](https://github.com/BagelLab/uds-core/commit/72238faed167a4e90e4d332e17909510efd98a58)) -* keycloak schema for package cr ([#436](https://github.com/BagelLab/uds-core/issues/436)) ([e32ce9a](https://github.com/BagelLab/uds-core/commit/e32ce9af9176ba8fef702a8c6aac84c15f9ab374)) -* keycloak volume permissions, UI update ([#223](https://github.com/BagelLab/uds-core/issues/223)) ([4454d3e](https://github.com/BagelLab/uds-core/commit/4454d3efcefe6bfa81628d330434afcc246fad65)) -* **keycloak:** add missing postgres host and port secret keys ([#224](https://github.com/BagelLab/uds-core/issues/224)) ([0c4d775](https://github.com/BagelLab/uds-core/commit/0c4d7758cfb077ff592fea907795402485b6c9f5)) -* **keycloak:** only use PVC for devMode ([#241](https://github.com/BagelLab/uds-core/issues/241)) ([a6e6023](https://github.com/BagelLab/uds-core/commit/a6e6023134dc5171441a2043701ed91309e1b32c)) -* kubeapi netpol generation now also includes the ip from the kubernetes service ([#219](https://github.com/BagelLab/uds-core/issues/219)) ([0a83d02](https://github.com/BagelLab/uds-core/commit/0a83d02f5782d911e3bb63935b0cac70030e5c9b)) -* loki bucket configuration service_account and namespace ([#332](https://github.com/BagelLab/uds-core/issues/332)) ([9518634](https://github.com/BagelLab/uds-core/commit/9518634b24f2d5c285e598f8620849bbc6288ba4)) -* loki local storage ([#84](https://github.com/BagelLab/uds-core/issues/84)) ([b9505bb](https://github.com/BagelLab/uds-core/commit/b9505bbb42b5369c62d7cbfb05e1efb8b8a6200f)) -* loki s3 overrides ([#365](https://github.com/BagelLab/uds-core/issues/365)) ([3545066](https://github.com/BagelLab/uds-core/commit/354506647d65b0484332695abbbd58d91d9e7427)) -* metrics-server mTLS fix ([#44](https://github.com/BagelLab/uds-core/issues/44)) 
([4853522](https://github.com/BagelLab/uds-core/commit/4853522c9504c87dcbd8319d689ecb0a1cb42c0b)) -* mismatched exemption/policy for DropAllCapabilities ([#384](https://github.com/BagelLab/uds-core/issues/384)) ([d8ec278](https://github.com/BagelLab/uds-core/commit/d8ec27827e2e2e7d85b4eba6b738f4b126264dd9)) -* named inputs ([c49e6ea](https://github.com/BagelLab/uds-core/commit/c49e6ea2b566198d4702d4c67c659e833a8bad97)) -* network policy to allow metrics-server ingress ([#148](https://github.com/BagelLab/uds-core/issues/148)) ([f1d434a](https://github.com/BagelLab/uds-core/commit/f1d434a68ef1f2a29ab3b13608bc16ce78211ed4)) -* networkpolicy for keycloak smtp egress ([4059954](https://github.com/BagelLab/uds-core/commit/4059954ed92502f10c1b5b769988a363adc06318)) -* nightly testing eks config architecture ([#452](https://github.com/BagelLab/uds-core/issues/452)) ([a0bbd1f](https://github.com/BagelLab/uds-core/commit/a0bbd1f0bf84f03d59866f9797555a08dc8034d6)) -* non-vendored zarf command refs ([#157](https://github.com/BagelLab/uds-core/issues/157)) ([fe183a9](https://github.com/BagelLab/uds-core/commit/fe183a9ae367bc2d7ea7d629e7c15877aabe38cd)) -* ocsp lookup egress policy ([#255](https://github.com/BagelLab/uds-core/issues/255)) ([77c38f2](https://github.com/BagelLab/uds-core/commit/77c38f22e9a77d9db81504f4c172fdc535c0929e)) -* pepr ironbank renovate update ([#299](https://github.com/BagelLab/uds-core/issues/299)) ([287e40d](https://github.com/BagelLab/uds-core/commit/287e40db5d65f7472a9e9216aae91f3ad92403d9)) -* pepr mutation annotation overwrite ([#385](https://github.com/BagelLab/uds-core/issues/385)) ([6e56b2a](https://github.com/BagelLab/uds-core/commit/6e56b2afec8f54f8c0a4aa4b89fef1d1c754b627)) -* pepr operator derived netpol name collisions ([#480](https://github.com/BagelLab/uds-core/issues/480)) ([de60e25](https://github.com/BagelLab/uds-core/commit/de60e252526d73e439f5665b27f84e8773c24949)) -* registration robot check form id 
([#269](https://github.com/BagelLab/uds-core/issues/269)) ([c6419b9](https://github.com/BagelLab/uds-core/commit/c6419b962eb5a02462e9060a66f7765689cfeb8f)) -* release workflow k3d image ([#316](https://github.com/BagelLab/uds-core/issues/316)) ([e7835e0](https://github.com/BagelLab/uds-core/commit/e7835e071f56af148792fbde250100af8e8ca0b8)) -* remove deprecated registry login and add env setup ([#443](https://github.com/BagelLab/uds-core/issues/443)) ([ca6b76f](https://github.com/BagelLab/uds-core/commit/ca6b76f3a66efb6b2e81832aff771ca06bdff68a)) -* remove go mod ([#441](https://github.com/BagelLab/uds-core/issues/441)) ([0de9693](https://github.com/BagelLab/uds-core/commit/0de969333923afb8fd4639547901c7d7f5c6a6f7)) -* remove loki gateway anti-affinity ([#111](https://github.com/BagelLab/uds-core/issues/111)) ([2cba42e](https://github.com/BagelLab/uds-core/commit/2cba42e3a83a25ae7a45f3c3d6a35bdc7bba0b58)) -* remove no-tea and update uds version ([#446](https://github.com/BagelLab/uds-core/issues/446)) ([434844b](https://github.com/BagelLab/uds-core/commit/434844b827e01808b504abf5ee6af83fba813cb6)) -* remove spec from secret yaml ([#226](https://github.com/BagelLab/uds-core/issues/226)) ([e4b5848](https://github.com/BagelLab/uds-core/commit/e4b58487f736f588944f7c039b8654f9006e04f1)) -* renovate config grouping, test-infra ([#411](https://github.com/BagelLab/uds-core/issues/411)) ([05fd407](https://github.com/BagelLab/uds-core/commit/05fd407e9c3bf6a0bac33de64e892ce2a63275ac)) -* renovate pepr comment ([#410](https://github.com/BagelLab/uds-core/issues/410)) ([a825388](https://github.com/BagelLab/uds-core/commit/a82538817765ad21adb5f6bba283951bf4c23272)) -* resolve istio job termination container status logic issue ([#55](https://github.com/BagelLab/uds-core/issues/55)) ([c0142c2](https://github.com/BagelLab/uds-core/commit/c0142c213446a37185cdf9dec5ae60aaae8ba194)) -* revert "chore: support deselection of metrics-server" 
([#196](https://github.com/BagelLab/uds-core/issues/196)) ([25a408d](https://github.com/BagelLab/uds-core/commit/25a408daeb7f6daada11c21e451f973ebe92c07c)) -* runners, snapshot ([df87b55](https://github.com/BagelLab/uds-core/commit/df87b5527b2055d8c15d6223d734e8cbcec0def6)) -* simplify publish repo output ([84805e0](https://github.com/BagelLab/uds-core/commit/84805e01d2704aa3639943f66a4d58b9aea4f690)) -* slim-dev monitoring handling ([#383](https://github.com/BagelLab/uds-core/issues/383)) ([79927aa](https://github.com/BagelLab/uds-core/commit/79927aa58cbb12c849e52b50c00b74629b100b31)) -* sticky sessions for keycloak in ha ([#281](https://github.com/BagelLab/uds-core/issues/281)) ([5ccd557](https://github.com/BagelLab/uds-core/commit/5ccd5576afc34d8b24061887f91ce284ec5857a1)) -* test ([3dc039d](https://github.com/BagelLab/uds-core/commit/3dc039d1ee9d84a7cda7d474652296fef74555ff)) -* typo in comment ([#462](https://github.com/BagelLab/uds-core/issues/462)) ([582b1f4](https://github.com/BagelLab/uds-core/commit/582b1f4754ee3282696ea3b018322a1b3497a7d4)) -* unwanted exemption deletions ([#290](https://github.com/BagelLab/uds-core/issues/290)) ([50b0cd4](https://github.com/BagelLab/uds-core/commit/50b0cd4211964a90139347558028d6c461956da9)) -* update missing flavor create inputs in publish step ([#118](https://github.com/BagelLab/uds-core/issues/118)) ([a0233eb](https://github.com/BagelLab/uds-core/commit/a0233eb45e2d39035f483f3ed8fb3f396e5030d8)) -* update neuvector values for least privilege ([#373](https://github.com/BagelLab/uds-core/issues/373)) ([7f4de4f](https://github.com/BagelLab/uds-core/commit/7f4de4f729e60a258abc40ce34f9c397fae99181)) -* update status for test ([20983d7](https://github.com/BagelLab/uds-core/commit/20983d749871ac2b769584d2ea5d37c1b9183b52)) -* use updated k3s ([#426](https://github.com/BagelLab/uds-core/issues/426)) ([1da1c49](https://github.com/BagelLab/uds-core/commit/1da1c49e314c73e6fd1f2ef2940aff983262ec6b)) -* validating/mutating webhook 
networkpolicies and mtls ([#192](https://github.com/BagelLab/uds-core/issues/192)) ([b01e629](https://github.com/BagelLab/uds-core/commit/b01e62960985dd7cb318372abff296fb96f1012b)) -* valueFrom in KeyCloak statefulset.yaml ([#229](https://github.com/BagelLab/uds-core/issues/229)) ([189a5ce](https://github.com/BagelLab/uds-core/commit/189a5ce3a9dd16fe9646a293ca3948db21eb5d78)) -* version ([5053bad](https://github.com/BagelLab/uds-core/commit/5053badca76b7c008ef393f70da7687f423f68d8)) -* wait on istio proxies ([#87](https://github.com/BagelLab/uds-core/issues/87)) ([51cd5a0](https://github.com/BagelLab/uds-core/commit/51cd5a012cc1d095a89b30a22910d3d7ad49885d)) -* workflow links ([eba372c](https://github.com/BagelLab/uds-core/commit/eba372c0b0a942f1bcead8efcd420fbb427ed6e1)) -* workflow outputs silly ([c427851](https://github.com/BagelLab/uds-core/commit/c4278510505b38b651d3f1893a098d1b432e5d95)) -* workflow silliness ([5870a77](https://github.com/BagelLab/uds-core/commit/5870a773b91e96a2f8bf616be2abedbe60263f86)) +* **ci:** snapshot release publish, passthrough test on upgrade ([#575](https://github.com/defenseunicorns/uds-core/issues/575)) ([d4afe00](https://github.com/defenseunicorns/uds-core/commit/d4afe0065b76ec7c44e9d00b1f95b46b189043f0)) +* **ci:** workflow permissions ([cacf1b5](https://github.com/defenseunicorns/uds-core/commit/cacf1b5d8bccd16a8c2381fbd0912715a78a22c2)) +* only allow istio gateways to set x509 client certificate header ([#572](https://github.com/defenseunicorns/uds-core/issues/572)) ([5c62279](https://github.com/defenseunicorns/uds-core/commit/5c622795b9becb7ef6f65b807486ade0fd44bea1)) +* **sso:** delete orphaned SSO secrets ([#578](https://github.com/defenseunicorns/uds-core/issues/578)) ([5a6b9ef](https://github.com/defenseunicorns/uds-core/commit/5a6b9effca83f4f19344c813cf96d474ff5fdeb4)) +* unicorn flavor proxy image reference ([#590](https://github.com/defenseunicorns/uds-core/issues/590)) 
([db081fa](https://github.com/defenseunicorns/uds-core/commit/db081fa41c0db6557c3b66bbfa0b5064dc7226e3)) +* update monitor mutation to not overwrite explicitly defined scrape class ([#582](https://github.com/defenseunicorns/uds-core/issues/582)) ([7e550d3](https://github.com/defenseunicorns/uds-core/commit/7e550d3577546d73e32a62dac018e048972d46eb)) ### Miscellaneous -* add checks before killing pods when updating istio annotations ([#457](https://github.com/BagelLab/uds-core/issues/457)) ([a62f9a0](https://github.com/BagelLab/uds-core/commit/a62f9a0e04bb538a8018a3f866c88e8b93c59826)) -* add commit lint workflow ([#19](https://github.com/BagelLab/uds-core/issues/19)) ([776a632](https://github.com/BagelLab/uds-core/commit/776a6325821329b2cbd97da2f40a30447cd48efc)) -* add debug logging to endpointslice watch ([#359](https://github.com/BagelLab/uds-core/issues/359)) ([da3eb5a](https://github.com/BagelLab/uds-core/commit/da3eb5ab4f5e6ced50f838456999995d5be601b7)) -* add debug logs to save logs for easier searching ([#430](https://github.com/BagelLab/uds-core/issues/430)) ([319101b](https://github.com/BagelLab/uds-core/commit/319101b61e4793037aab6c96b92c9d834763e9b8)) -* add debug output to release workflow ([#285](https://github.com/BagelLab/uds-core/issues/285)) ([5f96865](https://github.com/BagelLab/uds-core/commit/5f968651fb4f0da563d9c388efab761863f9ea08)) -* add flavor to pepr build task ([#238](https://github.com/BagelLab/uds-core/issues/238)) ([29bf8a3](https://github.com/BagelLab/uds-core/commit/29bf8a3b83255c7548201f3ea19e22452a1d1d4a)) -* add minio deploy time bundle variable override definitions ([#58](https://github.com/BagelLab/uds-core/issues/58)) ([ca28e7b](https://github.com/BagelLab/uds-core/commit/ca28e7b4c4a42769934cc8ad69361ff29a348cc5)) -* add security.md ([#189](https://github.com/BagelLab/uds-core/issues/189)) ([bf7c1d2](https://github.com/BagelLab/uds-core/commit/bf7c1d28e077cf52d4f765b50d7efb8ce5d60fff)) -* add velero csi plugin 
([#424](https://github.com/BagelLab/uds-core/issues/424)) ([c7e49e9](https://github.com/BagelLab/uds-core/commit/c7e49e91d9f7810ddc0368f146d43d3c94c782ad)) -* adding unit test for registerExemptions() ([#105](https://github.com/BagelLab/uds-core/issues/105)) ([5e71fcf](https://github.com/BagelLab/uds-core/commit/5e71fcf4751d2e3f6a1e55583ccf76c0fdc76856)) -* align mutation annotations ([#268](https://github.com/BagelLab/uds-core/issues/268)) ([f18ad4d](https://github.com/BagelLab/uds-core/commit/f18ad4db94a77f4229cc9267e0129f6aa3381c9a)) -* annotate mutations in policies ([#236](https://github.com/BagelLab/uds-core/issues/236)) ([cc9db50](https://github.com/BagelLab/uds-core/commit/cc9db500bb1033a516104f409fa05b3a1101d832)) -* bump zarf & uds-k3d deps ([#30](https://github.com/BagelLab/uds-core/issues/30)) ([dd28ab3](https://github.com/BagelLab/uds-core/commit/dd28ab3acd163aaccdfb76fbf9726c02a2ff0050)) -* conform to latest uds bundle schema ([#52](https://github.com/BagelLab/uds-core/issues/52)) ([14dad38](https://github.com/BagelLab/uds-core/commit/14dad3819187d4f8e13f7bbc191dca74a29b9c98)) -* dep updates for UDS CLI & Pepr ([#46](https://github.com/BagelLab/uds-core/issues/46)) ([1037634](https://github.com/BagelLab/uds-core/commit/10376349e350bd32f3bf32577d8f8089c09ac6cc)) -* **deps:** pin dependencies ([#79](https://github.com/BagelLab/uds-core/issues/79)) ([bfab11e](https://github.com/BagelLab/uds-core/commit/bfab11e345941d23dfeb928917f38e36a2f75bc9)) -* **deps:** update checkout action to latest sha ([#481](https://github.com/BagelLab/uds-core/issues/481)) ([c6f0137](https://github.com/BagelLab/uds-core/commit/c6f0137bb9a1e11f98d426cec8c98eb4005f160a)) -* **deps:** update checkout to v4.1.7 ([#478](https://github.com/BagelLab/uds-core/issues/478)) ([e91a0a3](https://github.com/BagelLab/uds-core/commit/e91a0a35252581554d9ed587e4ef72c2c88a3586)) -* **deps:** update dependency defenseunicorns/uds-common to v0.2.1 
([#205](https://github.com/BagelLab/uds-core/issues/205)) ([1b01407](https://github.com/BagelLab/uds-core/commit/1b01407c4ae3a707db381b07e1364c572c76eceb)) -* **deps:** update dependency defenseunicorns/uds-common to v0.2.2 ([#232](https://github.com/BagelLab/uds-core/issues/232)) ([083ae0c](https://github.com/BagelLab/uds-core/commit/083ae0c45667e5b9064cbff781fbe4e5bc0d2991)) -* **deps:** update dependency defenseunicorns/uds-common to v0.3.6 ([#261](https://github.com/BagelLab/uds-core/issues/261)) ([1b5398b](https://github.com/BagelLab/uds-core/commit/1b5398b7b778ead8ac3265080ae0bd2b5761066e)) -* **deps:** update dependency weaveworks/eksctl to v0.183.0 ([#499](https://github.com/BagelLab/uds-core/issues/499)) ([9cb8e4d](https://github.com/BagelLab/uds-core/commit/9cb8e4d7c86611918e502de0a7e7e25921523cbc)) -* **deps:** update githubactions ([#179](https://github.com/BagelLab/uds-core/issues/179)) ([7797e25](https://github.com/BagelLab/uds-core/commit/7797e259b9691099cce9e151ce1ebf9f9f181435)) -* **deps:** update githubactions ([#242](https://github.com/BagelLab/uds-core/issues/242)) ([1eb2e2c](https://github.com/BagelLab/uds-core/commit/1eb2e2cd2018f0cd8fb55d8e6576b7e36fa8c3cf)) -* **deps:** update githubactions ([#413](https://github.com/BagelLab/uds-core/issues/413)) ([ebd834e](https://github.com/BagelLab/uds-core/commit/ebd834e56ae9adabe14d9772e4a4d9c305da173c)) -* **deps:** update githubactions to de90cc6 ([#215](https://github.com/BagelLab/uds-core/issues/215)) ([f79eed0](https://github.com/BagelLab/uds-core/commit/f79eed03b2495d9f3e11edb433291ce8a3aa55ee)) -* **deps:** update githubactions to ebc4d7e ([#183](https://github.com/BagelLab/uds-core/issues/183)) ([77357e7](https://github.com/BagelLab/uds-core/commit/77357e72cc0344e61fedcab7197aabdd7e4fd2a0)) -* **deps:** update githubactions to v19 ([#204](https://github.com/BagelLab/uds-core/issues/204)) ([d65acd4](https://github.com/BagelLab/uds-core/commit/d65acd4e2d37907685ba9083ff98988b4ea1d452)) -* 
**deps:** update githubactions to v3 ([#181](https://github.com/BagelLab/uds-core/issues/181)) ([70c5ddf](https://github.com/BagelLab/uds-core/commit/70c5ddf1ee0e5017bee4057d96b320812a964f88)) -* **deps:** update githubactions to v4.1.3 ([#471](https://github.com/BagelLab/uds-core/issues/471)) ([2a9f44d](https://github.com/BagelLab/uds-core/commit/2a9f44d20dce66fa474e47ba0c93eaa7fa9ad406)) -* **deps:** update grafana ([#144](https://github.com/BagelLab/uds-core/issues/144)) ([6987927](https://github.com/BagelLab/uds-core/commit/698792728faf8cfeabaf7a7c735c91229cc0c07f)) -* **deps:** update grafana ([#257](https://github.com/BagelLab/uds-core/issues/257)) ([c98e566](https://github.com/BagelLab/uds-core/commit/c98e5661c3e6fb84bf17fc64170f5dd39779dda7)) -* **deps:** update grafana ([#339](https://github.com/BagelLab/uds-core/issues/339)) ([52e6c1b](https://github.com/BagelLab/uds-core/commit/52e6c1b3bb003402710bc0fa85419538f38b388f)) -* **deps:** update grafana ([#80](https://github.com/BagelLab/uds-core/issues/80)) ([ccb2c12](https://github.com/BagelLab/uds-core/commit/ccb2c1280313fe69198ecab5fea5b38fc650f699)) -* **deps:** update grafana to v10.3.1 ([#132](https://github.com/BagelLab/uds-core/issues/132)) ([09e028c](https://github.com/BagelLab/uds-core/commit/09e028c63093a6f5fdfd0b1be800b07c0eb9de77)) -* **deps:** update grafana to v7.2.5 ([#136](https://github.com/BagelLab/uds-core/issues/136)) ([a271270](https://github.com/BagelLab/uds-core/commit/a271270f2d3f3488aa9664ef5ad69a4d239c5d22)) -* **deps:** update grafana to v7.3.0 ([#142](https://github.com/BagelLab/uds-core/issues/142)) ([5e960c0](https://github.com/BagelLab/uds-core/commit/5e960c0479e6fc96244db0230296c94e936e57d8)) -* **deps:** update grafana to v7.3.9 ([#353](https://github.com/BagelLab/uds-core/issues/353)) ([4a70f40](https://github.com/BagelLab/uds-core/commit/4a70f407d5e06919aaa0dc5901f49f7f1b166c9d)) -* **deps:** update istio to v1.20.2 ([#75](https://github.com/BagelLab/uds-core/issues/75)) 
([671f977](https://github.com/BagelLab/uds-core/commit/671f977ff183010ce75e323532db500dcd4aa69c)) -* **deps:** update istio to v1.20.3 ([#163](https://github.com/BagelLab/uds-core/issues/163)) ([e45de0e](https://github.com/BagelLab/uds-core/commit/e45de0e5917a2ca6c3e30e593e2d9a8d393849a9)) -* **deps:** update istio to v1.21.2 ([#258](https://github.com/BagelLab/uds-core/issues/258)) ([51c6540](https://github.com/BagelLab/uds-core/commit/51c65405c87ed3c147bdd90172ab0588dc8e5db1)) -* **deps:** update istio to v1.22.1 ([#405](https://github.com/BagelLab/uds-core/issues/405)) ([ad4b861](https://github.com/BagelLab/uds-core/commit/ad4b861158eecfac1d09a37ea3776e31a1c387cb)) -* **deps:** update jest to v29.1.4 ([#438](https://github.com/BagelLab/uds-core/issues/438)) ([c3ecc8b](https://github.com/BagelLab/uds-core/commit/c3ecc8b83b8c65f09600ab937a1c140c4a5f7db1)) -* **deps:** update jest to v29.1.5 ([#485](https://github.com/BagelLab/uds-core/issues/485)) ([9c392b9](https://github.com/BagelLab/uds-core/commit/9c392b9b88c84e3c3763878e6beb1800c43ded25)) -* **deps:** update keycloak ([#349](https://github.com/BagelLab/uds-core/issues/349)) ([2ef1813](https://github.com/BagelLab/uds-core/commit/2ef181333d2fd853bb8eee2c5deb82430d68c861)) -* **deps:** update keycloak ([#390](https://github.com/BagelLab/uds-core/issues/390)) ([3e82c4e](https://github.com/BagelLab/uds-core/commit/3e82c4ece470a5eea81d937b2b38c455934212e1)) -* **deps:** update keycloak to v0.4.2 ([#375](https://github.com/BagelLab/uds-core/issues/375)) ([b0bb8e4](https://github.com/BagelLab/uds-core/commit/b0bb8e47f78886186514f188a99ff38463a5eac3)) -* **deps:** update keycloak to v0.4.4 ([#460](https://github.com/BagelLab/uds-core/issues/460)) ([936f40b](https://github.com/BagelLab/uds-core/commit/936f40bf078bb06d94ebd51585b4eb7669d426b4)) -* **deps:** update keycloak to v0.4.5 ([#461](https://github.com/BagelLab/uds-core/issues/461)) 
([3592012](https://github.com/BagelLab/uds-core/commit/35920121bcdfbdf9b708eb3308ea34763a31246a)) -* **deps:** update keycloak to v24.0.4 ([#397](https://github.com/BagelLab/uds-core/issues/397)) ([c0420ea](https://github.com/BagelLab/uds-core/commit/c0420ea750b3a7dfc8ea6adab5225f76178ef953)) -* **deps:** update keycloak to v24.0.4 ([#402](https://github.com/BagelLab/uds-core/issues/402)) ([e454576](https://github.com/BagelLab/uds-core/commit/e454576a6de53e833d6b925308f09d6007166dde)) -* **deps:** update keycloak to v24.0.5 ([#453](https://github.com/BagelLab/uds-core/issues/453)) ([6b0c6fc](https://github.com/BagelLab/uds-core/commit/6b0c6fc91f238e367c9f2d54f0daaf9d8065794e)) -* **deps:** update keycloak to v24.0.5 ([#454](https://github.com/BagelLab/uds-core/issues/454)) ([89911f0](https://github.com/BagelLab/uds-core/commit/89911f0ca01ac421a254b79e25124525f464cf51)) -* **deps:** update loki ([#131](https://github.com/BagelLab/uds-core/issues/131)) ([61250b0](https://github.com/BagelLab/uds-core/commit/61250b02eca7ca57d7f346c1da5b63f19de17c49)) -* **deps:** update loki ([#209](https://github.com/BagelLab/uds-core/issues/209)) ([03ca499](https://github.com/BagelLab/uds-core/commit/03ca499bd5d9cac800bd36dca80340ceac3f3009)) -* **deps:** update loki ([#72](https://github.com/BagelLab/uds-core/issues/72)) ([98134bb](https://github.com/BagelLab/uds-core/commit/98134bba1f6078a867aae2ae28f4152ba7b1a8e5)) -* **deps:** update loki to v5.43.0 ([#180](https://github.com/BagelLab/uds-core/issues/180)) ([bab5f7a](https://github.com/BagelLab/uds-core/commit/bab5f7aba3644c0e478a17338df4e074b0c1a6a2)) -* **deps:** update loki to v5.43.1 ([#182](https://github.com/BagelLab/uds-core/issues/182)) ([6cc5fc7](https://github.com/BagelLab/uds-core/commit/6cc5fc7f5a07d848cfe4f18dc9a7e2a4cd91b1cf)) -* **deps:** update loki to v5.43.2 ([#191](https://github.com/BagelLab/uds-core/issues/191)) ([0ec0cd4](https://github.com/BagelLab/uds-core/commit/0ec0cd4d6cdc7b4eb1eea33f4da7b144ecbc29a5)) 
-* **deps:** update loki to v5.43.3 ([#199](https://github.com/BagelLab/uds-core/issues/199)) ([40f1554](https://github.com/BagelLab/uds-core/commit/40f155469670a4b7290819fc09d28ff1fcc06a81)) -* **deps:** update metrics-server ([#123](https://github.com/BagelLab/uds-core/issues/123)) ([fb25a97](https://github.com/BagelLab/uds-core/commit/fb25a970d6e3b51432164fab05ea2d19d1a638ef)) -* **deps:** update metrics-server ([#298](https://github.com/BagelLab/uds-core/issues/298)) ([691fd87](https://github.com/BagelLab/uds-core/commit/691fd87ae3e523c897d0461c4a0384b2bb7c8c03)) -* **deps:** update neuvector ([#333](https://github.com/BagelLab/uds-core/issues/333)) ([010e287](https://github.com/BagelLab/uds-core/commit/010e287dbf3a712d19e54bfbbaa87807585130d7)) -* **deps:** update neuvector ([#73](https://github.com/BagelLab/uds-core/issues/73)) ([50f6c90](https://github.com/BagelLab/uds-core/commit/50f6c90ca31d5bf984e44fd1ded7c5cfcb968064)) -* **deps:** update neuvector to 5.3.3 ([#467](https://github.com/BagelLab/uds-core/issues/467)) ([261057d](https://github.com/BagelLab/uds-core/commit/261057d2bf142c3167fdf0d0bd68bc2fb47d22df)) -* **deps:** update neuvector to v9.4 ([#381](https://github.com/BagelLab/uds-core/issues/381)) ([20d4170](https://github.com/BagelLab/uds-core/commit/20d4170386d2437826abafc68d87d91dc457022a)) -* **deps:** update pepr ([#116](https://github.com/BagelLab/uds-core/issues/116)) ([bfa7352](https://github.com/BagelLab/uds-core/commit/bfa7352ebe962ef1ed091f4a5799ed4974e086ef)) -* **deps:** update pepr ([#324](https://github.com/BagelLab/uds-core/issues/324)) ([2ef0f96](https://github.com/BagelLab/uds-core/commit/2ef0f96da7476b487d72d4bb7ce4bd50fdb0b182)) -* **deps:** update pepr ([#340](https://github.com/BagelLab/uds-core/issues/340)) ([e71ba4a](https://github.com/BagelLab/uds-core/commit/e71ba4ab4eb1ea1cc482b507fef4e0e2735bbd1f)) -* **deps:** update pepr ([#419](https://github.com/BagelLab/uds-core/issues/419)) 
([d8f0309](https://github.com/BagelLab/uds-core/commit/d8f0309b4f9661b1c5bc2d5e574697ee9579e387)) -* **deps:** update pepr ([#76](https://github.com/BagelLab/uds-core/issues/76)) ([50de920](https://github.com/BagelLab/uds-core/commit/50de920bcf03092d16a11ebf77ede70987a7cdcf)) -* **deps:** update pepr to 0.31.0 ([#360](https://github.com/BagelLab/uds-core/issues/360)) ([fbd61ea](https://github.com/BagelLab/uds-core/commit/fbd61ea9665133619aec81726b189449226d8459)) -* **deps:** update pepr to 0.32.2 ([#473](https://github.com/BagelLab/uds-core/issues/473)) ([ab4bee9](https://github.com/BagelLab/uds-core/commit/ab4bee906f020d86b90c0b984789be55f8b4c08b)) -* **deps:** update pepr to 0.32.3 ([#494](https://github.com/BagelLab/uds-core/issues/494)) ([2e28897](https://github.com/BagelLab/uds-core/commit/2e2889784043b21463e72643eb890054645dd439)) -* **deps:** update pepr to v0.22.0 ([#102](https://github.com/BagelLab/uds-core/issues/102)) ([941902d](https://github.com/BagelLab/uds-core/commit/941902dcfc2ec1d5340d658f75811b3369489c56)) -* **deps:** update pepr to v0.22.2 ([#104](https://github.com/BagelLab/uds-core/issues/104)) ([0555353](https://github.com/BagelLab/uds-core/commit/0555353e5a5dec2aa8685a3987852d1c3788f28c)) -* **deps:** update pepr to v0.24.1 ([#134](https://github.com/BagelLab/uds-core/issues/134)) ([6474a1c](https://github.com/BagelLab/uds-core/commit/6474a1c0a16c8d87248acb1b3f7d79b76a354fc8)) -* **deps:** update pepr to v0.25.0 ([#164](https://github.com/BagelLab/uds-core/issues/164)) ([e7b8212](https://github.com/BagelLab/uds-core/commit/e7b8212b6a8ed2e16b47264687e0c39d2f0a3455)) -* **deps:** update pepr to v0.28.6 ([#254](https://github.com/BagelLab/uds-core/issues/254)) ([54ef7de](https://github.com/BagelLab/uds-core/commit/54ef7ded349d060b1732b381124fe29e3e8fe85b)) -* **deps:** update pepr to v0.28.6 ([#300](https://github.com/BagelLab/uds-core/issues/300)) 
([86b43e4](https://github.com/BagelLab/uds-core/commit/86b43e478521aa88a3a4843948ca96b9cbe55985)) -* **deps:** update pepr to v0.28.7 ([#321](https://github.com/BagelLab/uds-core/issues/321)) ([e7206bb](https://github.com/BagelLab/uds-core/commit/e7206bb93ce23a3ae611e410106890df3eafdea1)) -* **deps:** update pepr to v0.4.5 ([#447](https://github.com/BagelLab/uds-core/issues/447)) ([f1dba17](https://github.com/BagelLab/uds-core/commit/f1dba17076a7c6052ed67e07bdb560fda7604b80)) -* **deps:** update prometheus-stack ([#128](https://github.com/BagelLab/uds-core/issues/128)) ([625622a](https://github.com/BagelLab/uds-core/commit/625622a44c101f0a9c1beffd66eb259dc1f1eedc)) -* **deps:** update prometheus-stack ([#190](https://github.com/BagelLab/uds-core/issues/190)) ([f9a605a](https://github.com/BagelLab/uds-core/commit/f9a605a4c828128fc19f0bdb1d2443f65fb87b8a)) -* **deps:** update prometheus-stack ([#301](https://github.com/BagelLab/uds-core/issues/301)) ([143eca3](https://github.com/BagelLab/uds-core/commit/143eca3ecc2e3c39765312dc3c5384c87a13d7da)) -* **deps:** update prometheus-stack ([#348](https://github.com/BagelLab/uds-core/issues/348)) ([49cb11a](https://github.com/BagelLab/uds-core/commit/49cb11a058a9209cee7019fa552b8c0b2ef73368)) -* **deps:** update prometheus-stack ([#392](https://github.com/BagelLab/uds-core/issues/392)) ([2e656f5](https://github.com/BagelLab/uds-core/commit/2e656f5dc3de2e6561ac313cb1bae478635b86b3)) -* **deps:** update prometheus-stack ([#422](https://github.com/BagelLab/uds-core/issues/422)) ([a96193e](https://github.com/BagelLab/uds-core/commit/a96193e257701dfaf6fccc34246ef3f31e639f3e)) -* **deps:** update prometheus-stack ([#81](https://github.com/BagelLab/uds-core/issues/81)) ([19bedb6](https://github.com/BagelLab/uds-core/commit/19bedb60cd2f99615c4b5673623ff0ff6fafb73f)) -* **deps:** update promtail ([#74](https://github.com/BagelLab/uds-core/issues/74)) 
([6a112b5](https://github.com/BagelLab/uds-core/commit/6a112b5226250f1a17023b2c1225d404cf8feeee)) -* **deps:** update to keycloak 24 ([#336](https://github.com/BagelLab/uds-core/issues/336)) ([1153ba0](https://github.com/BagelLab/uds-core/commit/1153ba09ac062d3477a4ee396376be83493ad3c5)) -* **deps:** update uds to v0.10.4 ([#228](https://github.com/BagelLab/uds-core/issues/228)) ([1750b23](https://github.com/BagelLab/uds-core/commit/1750b2304e3c6f0ce6a60f1ef2873ce8a6ce1502)) -* **deps:** update uds to v0.11.1 ([#472](https://github.com/BagelLab/uds-core/issues/472)) ([12fd798](https://github.com/BagelLab/uds-core/commit/12fd79894e71ee06181ccd6f2ac98b84d935066c)) -* **deps:** update uds to v0.11.2 ([#479](https://github.com/BagelLab/uds-core/issues/479)) ([f967f9a](https://github.com/BagelLab/uds-core/commit/f967f9a4bf8d718b9ece96d882db4d9c800f5f0f)) -* **deps:** update uds to v0.5.3, zarf to v0.32.1, and uds-k3d to 0.3.0 ([#77](https://github.com/BagelLab/uds-core/issues/77)) ([596f9d8](https://github.com/BagelLab/uds-core/commit/596f9d8df51c3df1aa87fd0e09d9e69c87473bf0)) -* **deps:** update uds to v0.6.2 ([#107](https://github.com/BagelLab/uds-core/issues/107)) ([7b7220e](https://github.com/BagelLab/uds-core/commit/7b7220e708cf2dca25cc592b8932661620d9610d)) -* **deps:** update uds to v0.8.1 ([#141](https://github.com/BagelLab/uds-core/issues/141)) ([fa79065](https://github.com/BagelLab/uds-core/commit/fa79065265a5ee2b8f6f6a55d1c2904bbaf42fff)) -* **deps:** update uds to v0.9.0 ([#173](https://github.com/BagelLab/uds-core/issues/173)) ([b91a90d](https://github.com/BagelLab/uds-core/commit/b91a90db987e108a5a093a326428bbd0b5f9446e)) -* **deps:** update uds to v0.9.2 ([#200](https://github.com/BagelLab/uds-core/issues/200)) ([e4b54fe](https://github.com/BagelLab/uds-core/commit/e4b54febc4d7914e962db92b7a0490a3735af4e5)) -* **deps:** update uds-common tasks to 0.6.1 ([#498](https://github.com/BagelLab/uds-core/issues/498)) 
([4aa6e33](https://github.com/BagelLab/uds-core/commit/4aa6e3372f6d1a5df1e2ae51a3129603a8b0b29b)) -* **deps:** update uds-common to v0.4.4 ([#442](https://github.com/BagelLab/uds-core/issues/442)) ([bf6debd](https://github.com/BagelLab/uds-core/commit/bf6debdd0d50f6cde11288cd70d8bdf1dcdaaaa0)) -* **deps:** update uds-identity-config to 0.4.1 ([#355](https://github.com/BagelLab/uds-core/issues/355)) ([8485931](https://github.com/BagelLab/uds-core/commit/84859316ea92ef9ec7807a702ee246e11b73567b)) -* **deps:** update uds-k3d to v0.3.1 ([#89](https://github.com/BagelLab/uds-core/issues/89)) ([5d54cd1](https://github.com/BagelLab/uds-core/commit/5d54cd1efe5eee4c19caf347882725e0aa20e50a)) -* **deps:** update uds-k3d to v0.5.0 ([#186](https://github.com/BagelLab/uds-core/issues/186)) ([164bf5f](https://github.com/BagelLab/uds-core/commit/164bf5f8bd58899f5ec1a179d6d409cfb46b850f)) -* **deps:** update uds-k3d to v0.6.0 ([#240](https://github.com/BagelLab/uds-core/issues/240)) ([6a26523](https://github.com/BagelLab/uds-core/commit/6a2652368fde3a3bdbe5bb81fd258830dfaeb5c8)) -* **deps:** update uds-k3d to v0.6.0 ([#398](https://github.com/BagelLab/uds-core/issues/398)) ([288f009](https://github.com/BagelLab/uds-core/commit/288f00990a715087c9bf1fffd0a63ecf33125a5a)) -* **deps:** update uds-k3d to v0.7.0 ([#428](https://github.com/BagelLab/uds-core/issues/428)) ([23b59a2](https://github.com/BagelLab/uds-core/commit/23b59a260b2c60791614ca4d39a33e65476e19ee)) -* **deps:** update velero ([#260](https://github.com/BagelLab/uds-core/issues/260)) ([f352008](https://github.com/BagelLab/uds-core/commit/f35200833a4d4d50de9f632f6918320f7d8fff5e)) -* **deps:** update velero ([#350](https://github.com/BagelLab/uds-core/issues/350)) ([e7cb33e](https://github.com/BagelLab/uds-core/commit/e7cb33ea9a13ab9550aab45d8ee437a1ba595d38)) -* **deps:** update velero ([#408](https://github.com/BagelLab/uds-core/issues/408)) 
([ffbefda](https://github.com/BagelLab/uds-core/commit/ffbefda74777466ef74ad1d5cffff1f4895f323d)) -* **deps:** update velero ([#440](https://github.com/BagelLab/uds-core/issues/440)) ([4b1a3ea](https://github.com/BagelLab/uds-core/commit/4b1a3ead81a80b49e5ccfeb2e4130a4aaebb53a4)) -* **deps:** update velero to v1.30.2 ([#476](https://github.com/BagelLab/uds-core/issues/476)) ([89bbda9](https://github.com/BagelLab/uds-core/commit/89bbda9e640014bede116c254381cab8995df12f)) -* **deps:** update velero to v6.6.0 ([#456](https://github.com/BagelLab/uds-core/issues/456)) ([aff37c1](https://github.com/BagelLab/uds-core/commit/aff37c194e321f6a6c92f1bc11fd796cf9f0a9ab)) -* **deps:** update zarf to v0.32.2 ([#133](https://github.com/BagelLab/uds-core/issues/133)) ([91502c6](https://github.com/BagelLab/uds-core/commit/91502c6321334c6d31ce5fd1cd8f2fe6f77c09ae)) -* **deps:** update zarf to v0.32.3 ([#155](https://github.com/BagelLab/uds-core/issues/155)) ([2f0a1a7](https://github.com/BagelLab/uds-core/commit/2f0a1a77043ce298e765e6999cf11a97f36e4ecc)) -* **deps:** update zarf to v0.32.4 ([#203](https://github.com/BagelLab/uds-core/issues/203)) ([05c903e](https://github.com/BagelLab/uds-core/commit/05c903ea43243401d9cc2928ba5eb66ff6201c94)) -* **deps:** update zarf to v0.32.5 ([#243](https://github.com/BagelLab/uds-core/issues/243)) ([ee93612](https://github.com/BagelLab/uds-core/commit/ee9361224767c1a708b6f8e2c266af710facea8d)) -* **deps:** update zarf to v0.32.6 ([#282](https://github.com/BagelLab/uds-core/issues/282)) ([443426d](https://github.com/BagelLab/uds-core/commit/443426d05b9bd1d15fb4632efa26219250270895)) -* **deps:** update zarf to v0.33.0 ([#325](https://github.com/BagelLab/uds-core/issues/325)) ([f2a2a66](https://github.com/BagelLab/uds-core/commit/f2a2a665309c812b4300047d1c90ff3833a8eba6)) -* **deps:** update zarf to v0.33.1 ([#368](https://github.com/BagelLab/uds-core/issues/368)) 
([296e547](https://github.com/BagelLab/uds-core/commit/296e54729c20c9ecee21677daec874a2c8b57b57)) -* **deps:** update zarf to v0.33.2 ([#394](https://github.com/BagelLab/uds-core/issues/394)) ([201a37b](https://github.com/BagelLab/uds-core/commit/201a37b12277880058c14fc05b3c0d4aecbf31e0)) -* **deps:** update zarf to v0.34.0 ([#434](https://github.com/BagelLab/uds-core/issues/434)) ([9badf9d](https://github.com/BagelLab/uds-core/commit/9badf9d4b9b6f904b1b7a478be5355416dc7fbe0)) -* **deps:** update zarf to v0.35.0 ([#490](https://github.com/BagelLab/uds-core/issues/490)) ([86957cf](https://github.com/BagelLab/uds-core/commit/86957cfe19564ec8ddccec7e496af4469def322a)) -* docs linting changes ([#505](https://github.com/BagelLab/uds-core/issues/505)) ([0fe2015](https://github.com/BagelLab/uds-core/commit/0fe20151713363f572a50601016e06e60230990f)) -* fix missing deps in tag and release workflow ([#28](https://github.com/BagelLab/uds-core/issues/28)) ([1e1af76](https://github.com/BagelLab/uds-core/commit/1e1af762e8eb1dd331cbd681e48ecc95ec3184d2)) -* initial renovate config ([#67](https://github.com/BagelLab/uds-core/issues/67)) ([2cd19d8](https://github.com/BagelLab/uds-core/commit/2cd19d871a95491950d43fea8e8fd2e8c290cd55)) -* kick off ci ([1afc3a4](https://github.com/BagelLab/uds-core/commit/1afc3a4203cce1a1c81b15e7ba6caad1a9c63131)) -* **main:** release 0.1.1 ([#27](https://github.com/BagelLab/uds-core/issues/27)) ([3776e91](https://github.com/BagelLab/uds-core/commit/3776e91670aa73907cb9c48a05419d106ecedd67)) -* **main:** release 0.1.2 ([#29](https://github.com/BagelLab/uds-core/issues/29)) ([af7b0be](https://github.com/BagelLab/uds-core/commit/af7b0beaf409627c87b47e4d908b0a8a0d8cff63)) -* **main:** release 0.1.3 ([#31](https://github.com/BagelLab/uds-core/issues/31)) ([28ad8a7](https://github.com/BagelLab/uds-core/commit/28ad8a78b023f160714ecb90d748ee65403cf500)) -* **main:** release 0.10.0 ([#135](https://github.com/BagelLab/uds-core/issues/135)) 
([5bb6f01](https://github.com/BagelLab/uds-core/commit/5bb6f016631fdef4f14848ff55588f33e6d4f07d)) -* **main:** release 0.11.0 ([#138](https://github.com/BagelLab/uds-core/issues/138)) ([c02ada8](https://github.com/BagelLab/uds-core/commit/c02ada860f532d8955af00637756ee622f3e9019)) -* **main:** release 0.11.1 ([#159](https://github.com/BagelLab/uds-core/issues/159)) ([2c493bb](https://github.com/BagelLab/uds-core/commit/2c493bb7c877a7193e45376a9d28aed832cff590)) -* **main:** release 0.12.0 ([#161](https://github.com/BagelLab/uds-core/issues/161)) ([e3c41e8](https://github.com/BagelLab/uds-core/commit/e3c41e82ba5bd776f2633cbde222ab05c5c513f3)) -* **main:** release 0.13.0 ([#170](https://github.com/BagelLab/uds-core/issues/170)) ([09c9447](https://github.com/BagelLab/uds-core/commit/09c9447fa47e5bd1f1d3ae627d7c3dab9c46d596)) -* **main:** release 0.13.1 ([#197](https://github.com/BagelLab/uds-core/issues/197)) ([e968fe9](https://github.com/BagelLab/uds-core/commit/e968fe9707f5a1f154b1fd19050ba46073427495)) -* **main:** release 0.14.0 ([#202](https://github.com/BagelLab/uds-core/issues/202)) ([d090f40](https://github.com/BagelLab/uds-core/commit/d090f4052679d1557973a17524923280c04807fd)) -* **main:** release 0.14.1 ([#218](https://github.com/BagelLab/uds-core/issues/218)) ([3199d8b](https://github.com/BagelLab/uds-core/commit/3199d8bc8cc8e11f9eccdb7075ce798572f6fa0a)) -* **main:** release 0.14.2 ([#221](https://github.com/BagelLab/uds-core/issues/221)) ([2ab4c54](https://github.com/BagelLab/uds-core/commit/2ab4c54618f40c8f195e4bbc1aee63024e488dc8)) -* **main:** release 0.14.3 ([#225](https://github.com/BagelLab/uds-core/issues/225)) ([05b1c19](https://github.com/BagelLab/uds-core/commit/05b1c196e4509ee38261a9b9bc8bc8531086b499)) -* **main:** release 0.14.4 ([#227](https://github.com/BagelLab/uds-core/issues/227)) ([d2d005b](https://github.com/BagelLab/uds-core/commit/d2d005b9caf0b067f850f752a3d6e643c99a74c6)) -* **main:** release 0.14.5 
([#230](https://github.com/BagelLab/uds-core/issues/230)) ([1acafca](https://github.com/BagelLab/uds-core/commit/1acafcadf0baa4567d4f0c41e3201fa40895d092)) -* **main:** release 0.15.0 ([#233](https://github.com/BagelLab/uds-core/issues/233)) ([f4f3699](https://github.com/BagelLab/uds-core/commit/f4f3699096e4f917cf36bcb15bdb47179569b74d)) -* **main:** release 0.15.1 ([#235](https://github.com/BagelLab/uds-core/issues/235)) ([a0c6b32](https://github.com/BagelLab/uds-core/commit/a0c6b327ada2a36a08a4dc4874248d9df65f5381)) -* **main:** release 0.16.0 ([#246](https://github.com/BagelLab/uds-core/issues/246)) ([efc64d4](https://github.com/BagelLab/uds-core/commit/efc64d45c6e78f3014258b80abdf35d0119bde36)) -* **main:** release 0.16.1 ([#265](https://github.com/BagelLab/uds-core/issues/265)) ([4e4eaea](https://github.com/BagelLab/uds-core/commit/4e4eaea6c16e010837bb1c0d5624ebda418bce6f)) -* **main:** release 0.17.0 ([#267](https://github.com/BagelLab/uds-core/issues/267)) ([510f536](https://github.com/BagelLab/uds-core/commit/510f536133e835f98bb524bfc9f437e6f716d9ef)) -* **main:** release 0.18.0 ([#286](https://github.com/BagelLab/uds-core/issues/286)) ([40e6b7b](https://github.com/BagelLab/uds-core/commit/40e6b7b711ddbd956058eda8490355568faddaec)) -* **main:** release 0.18.0 ([#318](https://github.com/BagelLab/uds-core/issues/318)) ([5f5e0b8](https://github.com/BagelLab/uds-core/commit/5f5e0b8a19daf0b51d9a102fd851ff76e5296d4e)) -* **main:** release 0.19.0 ([#320](https://github.com/BagelLab/uds-core/issues/320)) ([4ce502b](https://github.com/BagelLab/uds-core/commit/4ce502be3a5d83c28c259db8080a215f309c6ed7)) -* **main:** release 0.2.0 ([#34](https://github.com/BagelLab/uds-core/issues/34)) ([5185a8f](https://github.com/BagelLab/uds-core/commit/5185a8f98c90578eabd9f1494f55e43922bb7a92)) -* **main:** release 0.20.0 ([#345](https://github.com/BagelLab/uds-core/issues/345)) ([c29cc91](https://github.com/BagelLab/uds-core/commit/c29cc91cd2e41d5bbaee33deb173628c83ad0480)) -* 
**main:** release 0.21.0 ([#361](https://github.com/BagelLab/uds-core/issues/361)) ([c9f027f](https://github.com/BagelLab/uds-core/commit/c9f027f518de547b962b06defb836fba3c70ff3d)) -* **main:** release 0.21.1 ([#379](https://github.com/BagelLab/uds-core/issues/379)) ([b46a161](https://github.com/BagelLab/uds-core/commit/b46a161271bac3c167e554fadf673d2536b6b420)) -* **main:** release 0.22.0 ([#386](https://github.com/BagelLab/uds-core/issues/386)) ([6367bef](https://github.com/BagelLab/uds-core/commit/6367bef04dab6803471b8f424210baedf2004d01)) -* **main:** release 0.22.1 ([#432](https://github.com/BagelLab/uds-core/issues/432)) ([7cf9c4c](https://github.com/BagelLab/uds-core/commit/7cf9c4c09dccc1d91edb7acbb2aee8750c5433ed)) -* **main:** release 0.22.2 ([#474](https://github.com/BagelLab/uds-core/issues/474)) ([84a408f](https://github.com/BagelLab/uds-core/commit/84a408fb23c1803bdbbf5e1f1ce64e97110f2829)) -* **main:** release 0.23.0 ([8e992e3](https://github.com/BagelLab/uds-core/commit/8e992e385fc51e01f0e0df31dd8c7434660ea0d6)) -* **main:** release 0.23.0 ([d640453](https://github.com/BagelLab/uds-core/commit/d64045363c267dad4d10b447e7706b1e739765ae)) -* **main:** release 0.23.1 ([09c623a](https://github.com/BagelLab/uds-core/commit/09c623ac9fb0fe6c785d15245da8d84787cf3649)) -* **main:** release 0.23.2 ([6df0592](https://github.com/BagelLab/uds-core/commit/6df0592f5f336c50c6c7c7cec1f276f7c11f7cdb)) -* **main:** release 0.23.3 ([55cb491](https://github.com/BagelLab/uds-core/commit/55cb491c28ebf5ee7c40f2add5c588c47e9864b0)) -* **main:** release 0.23.4 ([e0e6ebc](https://github.com/BagelLab/uds-core/commit/e0e6ebc684e2004f9e2a3ca128d7401dc41bcc33)) -* **main:** release 0.3.0 ([#39](https://github.com/BagelLab/uds-core/issues/39)) ([4d2b05d](https://github.com/BagelLab/uds-core/commit/4d2b05de9d155dc91b799bde5156c5980bc348cb)) -* **main:** release 0.4.0 ([#43](https://github.com/BagelLab/uds-core/issues/43)) 
([d2b61c3](https://github.com/BagelLab/uds-core/commit/d2b61c373b91d4f405e27ce930e4f8bec52ddd21)) -* **main:** release 0.4.1 ([#45](https://github.com/BagelLab/uds-core/issues/45)) ([d66eafe](https://github.com/BagelLab/uds-core/commit/d66eafea0ec9ccd412f5af3ed5ab12f3f8275a33)) -* **main:** release 0.5.0 ([#49](https://github.com/BagelLab/uds-core/issues/49)) ([f9c4269](https://github.com/BagelLab/uds-core/commit/f9c426998f2bc4fc21c32b3492f25b8608f50282)) -* **main:** release 0.6.0 ([#53](https://github.com/BagelLab/uds-core/issues/53)) ([9b3ad64](https://github.com/BagelLab/uds-core/commit/9b3ad64a6e3870ce364cad77abd367cc8d493042)) -* **main:** release 0.6.1 ([#56](https://github.com/BagelLab/uds-core/issues/56)) ([4a5a42c](https://github.com/BagelLab/uds-core/commit/4a5a42c8fa9ee17656e462cb9df08562d9c85b96)) -* **main:** release 0.6.2 ([#59](https://github.com/BagelLab/uds-core/issues/59)) ([b1c49ac](https://github.com/BagelLab/uds-core/commit/b1c49ac70e8a293936dea8a516c32b7bb7e6fc4c)) -* **main:** release 0.7.0 ([#71](https://github.com/BagelLab/uds-core/issues/71)) ([51dcb54](https://github.com/BagelLab/uds-core/commit/51dcb54d239cb5636b0c4f55fde9fc2b2c3bf076)) -* **main:** release 0.7.1 ([#85](https://github.com/BagelLab/uds-core/issues/85)) ([da4040a](https://github.com/BagelLab/uds-core/commit/da4040aff739746dc2355ec0449ee762c05c56c1)) -* **main:** release 0.7.2 ([#88](https://github.com/BagelLab/uds-core/issues/88)) ([5e421ce](https://github.com/BagelLab/uds-core/commit/5e421ce011e42692c3cb6f1353cfb8a5edb846fb)) -* **main:** release 0.7.3 ([#93](https://github.com/BagelLab/uds-core/issues/93)) ([ddf8fa6](https://github.com/BagelLab/uds-core/commit/ddf8fa617853686b8c043d236c159bcd59c47ac0)) -* **main:** release 0.7.4 ([#100](https://github.com/BagelLab/uds-core/issues/100)) ([9abd78b](https://github.com/BagelLab/uds-core/commit/9abd78b11a90a67344fa93e8dba7fd53d6b58ea2)) -* **main:** release 0.8.0 ([#106](https://github.com/BagelLab/uds-core/issues/106)) 
([3ab93c3](https://github.com/BagelLab/uds-core/commit/3ab93c30b132ff9c35c1f238008b15cd265abe92)) -* **main:** release 0.8.1 ([#112](https://github.com/BagelLab/uds-core/issues/112)) ([942ad54](https://github.com/BagelLab/uds-core/commit/942ad549b53e8ce87a33fae985bbe2f82c6fa75c)) -* **main:** release 0.9.0 ([#117](https://github.com/BagelLab/uds-core/issues/117)) ([6b0c56b](https://github.com/BagelLab/uds-core/commit/6b0c56b8a6d60091e532ac36cd69ea6cd5ac1124)) -* **main:** release 0.9.1 ([#119](https://github.com/BagelLab/uds-core/issues/119)) ([984f916](https://github.com/BagelLab/uds-core/commit/984f91602c3b2873110d62a49c5df4ecfaa19f8a)) -* **main:** release 0.9.2 ([#121](https://github.com/BagelLab/uds-core/issues/121)) ([2d9b3c9](https://github.com/BagelLab/uds-core/commit/2d9b3c9fe288347879f2d78c8524b719d3772abd)) -* move api service watch to reconcile ([#362](https://github.com/BagelLab/uds-core/issues/362)) ([1822bca](https://github.com/BagelLab/uds-core/commit/1822bca6c397a5c8ea64b9355a9ba4f51fde4518)) -* open the aperture for pr workflow triggering ([#90](https://github.com/BagelLab/uds-core/issues/90)) ([d8a72f2](https://github.com/BagelLab/uds-core/commit/d8a72f2f2f3e507a4be7f217e23b737e3d4c35ce)) -* readme updates & use UDS CLI for zarf ([#137](https://github.com/BagelLab/uds-core/issues/137)) ([21de0ce](https://github.com/BagelLab/uds-core/commit/21de0cee2d70d67ca17b1d45c642e9ca4e1617ce)) -* refactor ci for releases to remove certain artifacts ([#125](https://github.com/BagelLab/uds-core/issues/125)) ([c08a062](https://github.com/BagelLab/uds-core/commit/c08a062bb3f3ede6860c3d7f34136b3e82b78715)) -* refactor promtail extraScrapeConfigs into scrapeConfigs ([#367](https://github.com/BagelLab/uds-core/issues/367)) ([2220272](https://github.com/BagelLab/uds-core/commit/222027240148e669edf40483d145ffc15567b1b7)) -* refactor validate.yaml file name and task name ([#62](https://github.com/BagelLab/uds-core/issues/62)) 
([92a04ea](https://github.com/BagelLab/uds-core/commit/92a04ea1096448995ccc0dd9d77a32a5061e06f0)) -* remove emulated gitlab endpoints from keycloak ([#483](https://github.com/BagelLab/uds-core/issues/483)) ([495960c](https://github.com/BagelLab/uds-core/commit/495960ce8d40cf2ef7c0f0021b653db6fc6383bb)) -* remove retry-action action on registry1 docker login ([#160](https://github.com/BagelLab/uds-core/issues/160)) ([eea0c93](https://github.com/BagelLab/uds-core/commit/eea0c93a0ff172bfc5a76d3eaca143ffc0d9fbe2)) -* remove version from neuvector zarf.yaml ([#11](https://github.com/BagelLab/uds-core/issues/11)) ([fbc8d51](https://github.com/BagelLab/uds-core/commit/fbc8d51e2b4146d394184d7596cd9a54219dc001)) -* renovate updates ([#140](https://github.com/BagelLab/uds-core/issues/140)) ([b71a013](https://github.com/BagelLab/uds-core/commit/b71a013bea30c9ca5e39f1dc6485fffaa86ca6b1)) -* simplify promtail values for scrape configs ([#94](https://github.com/BagelLab/uds-core/issues/94)) ([6c2513b](https://github.com/BagelLab/uds-core/commit/6c2513be89f064b44516b1d89c0d6005dd1d4d30)) -* support deselection of metrics-server ([#193](https://github.com/BagelLab/uds-core/issues/193)) ([289a0fe](https://github.com/BagelLab/uds-core/commit/289a0fee5315e8c4a70b3afe66165dd00a7dfbc1)) -* support headless keycloak admin user ([#307](https://github.com/BagelLab/uds-core/issues/307)) ([a0e51b6](https://github.com/BagelLab/uds-core/commit/a0e51b649822619b63478b140bb5dbbebeb20ff3)) -* test artifacts before publish ([#198](https://github.com/BagelLab/uds-core/issues/198)) ([9732f32](https://github.com/BagelLab/uds-core/commit/9732f325624244f4d34c127a949c6ce5951ff6ab)) -* test publish ([2cefa29](https://github.com/BagelLab/uds-core/commit/2cefa2938d60cfa40bd5c0f7ff44c2448c4f48a8)) -* trigger eks nightly when related files are updated ([#366](https://github.com/BagelLab/uds-core/issues/366)) ([6d6e4e0](https://github.com/BagelLab/uds-core/commit/6d6e4e0debbca3498cbc21db405eec48b3bcc240)) -* 
typo fix in README.md ([#280](https://github.com/BagelLab/uds-core/issues/280)) ([f9727e0](https://github.com/BagelLab/uds-core/commit/f9727e0b638e853bbae131d02019a2efb5286b0a)) -* update codeowners ([#338](https://github.com/BagelLab/uds-core/issues/338)) ([c419574](https://github.com/BagelLab/uds-core/commit/c41957409607c6335ebf6bd4ff30a1a9336a4870)) -* update release please extra-files to be explicit ([#26](https://github.com/BagelLab/uds-core/issues/26)) ([23f4999](https://github.com/BagelLab/uds-core/commit/23f49995771fb05cd18e7a077bf90e86ca5b7471)) -* updating keycloak chart version to align with image ([#378](https://github.com/BagelLab/uds-core/issues/378)) ([a60fe2a](https://github.com/BagelLab/uds-core/commit/a60fe2afed9f7cff3bcad6b0f563232b47e8025b)) +* **deps:** update grafana chart + sidecar image ([#567](https://github.com/defenseunicorns/uds-core/issues/567)) ([85b6de4](https://github.com/defenseunicorns/uds-core/commit/85b6de4b140a2076cdc72626bce2d24aab90c26c)) +* **deps:** update pepr to v0.32.7 ([#556](https://github.com/defenseunicorns/uds-core/issues/556)) ([e594f13](https://github.com/defenseunicorns/uds-core/commit/e594f1366bb6a920a9cd7a945bc41ae39382f8b8)) +* **deps:** update uds-identity-config to v0.5.1 ([#591](https://github.com/defenseunicorns/uds-core/issues/591)) ([b9c5bd3](https://github.com/defenseunicorns/uds-core/commit/b9c5bd34c75b6fe7063d8bf4bd15496f73e87861)) +* **deps:** update uds-k3d to v0.8.0 ([#581](https://github.com/defenseunicorns/uds-core/issues/581)) ([fab8919](https://github.com/defenseunicorns/uds-core/commit/fab89198a9118f51e372b589e02fca89d6db4112)) +* **loki:** default query settings, config as secret ([#579](https://github.com/defenseunicorns/uds-core/issues/579)) ([5fa889c](https://github.com/defenseunicorns/uds-core/commit/5fa889c51a59786330fd4f7b914b532b4c56b1b3)) +* **oscal:** begin integration of composed oscal with validations ([#496](https://github.com/defenseunicorns/uds-core/issues/496)) 
([047fd30](https://github.com/defenseunicorns/uds-core/commit/047fd3041a8eecc29c8f61e1f3c2c70622ec9e88)) ## [0.24.0](https://github.com/defenseunicorns/uds-core/compare/v0.23.0...v0.24.0) (2024-07-12) diff --git a/CODEOWNERS b/CODEOWNERS index 9ebb6f5f8..573eee029 100644 --- a/CODEOWNERS +++ b/CODEOWNERS @@ -1 +1,5 @@ -/* @defenseunicorns/uds-core +* @defenseunicorns/uds-core + +# Additional privileged files +/CODEOWNERS @jeff-mccoy @daveworth +/LICENSE @jeff-mccoy @daveworth diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 30bb0ad59..340dddd87 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -10,6 +10,7 @@ This document describes the process and requirements for contributing to this UD 2. [Definition of Done](#definition-of-done) 3. [Getting Started](#getting-started) 4. [Submitting a Pull Request](#submitting-a-pull-request) + - [Note for External Contributors](#note-for-external-contributors) 5. [PR Requirements](#pr-requirements) 6. [Contact](#contact) @@ -25,6 +26,16 @@ Specifically: * Continuous integration (CI) pipeline tests are definitive * We create immutable release artifacts +Commits: + +We use [codespell](https://github.com/codespell-project/codespell) and [yamllint](https://yamllint.readthedocs.io/en/stable/) for our precommit checking. It is recommended to have these installed before attempting to commit to the a branch otherwise your commit will not finalize and you will be shown an error. + +To install both of these tools you can run `uds run lint-check` to install them or utilize `pip` to install them manually. + +```bash +pip install yamllint codespell +``` + ## Definition of Done We apply these general principles to all User Stories and activities contributing to the UDS. 
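Review bot: The new `/CODEOWNERS` and `/LICENSE` entries restrict ownership of two privileged files, but the workflow definitions under `.github/workflows/` stay under the broad `* @defenseunicorns/uds-core` rule, even though the CONTRIBUTING.md hunk later in this patch describes those workflows as the place where repository secrets become available to CI. If workflow edits are meant to get the same scrutiny as the license and ownership files, add an entry such as `/.github/workflows/ @jeff-mccoy @daveworth` (or whichever reviewers are intended) after the catch-all. Ordering is correct as written, since the last matching pattern wins and the two later entries override `*`; the change from `/*` to `*` also appears to matter, as `/*` seems to have covered only repository-root files and left subdirectories without an owner.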
@@ -42,10 +53,19 @@ TBD ## Submitting a Pull Request 1. **Create an Issue**: For significant changes, please create an issue first, describing the problem or feature proposal. Trivial fixes do not require an issue. -2. **Commit Your Changes**: Make your changes and commit them. All commits must be signed. -3. **Run Tests**: Ensure that your changes pass all tests. -4. **Push Your Branch**: Push your branch to your fork on GitHub. -5. **Create a Pull Request**: Open a pull request against the `main` branch of the Bundle repository. Please make sure that your PR passes all CI checks. +2. **Branch vs. Fork**: We prefer contributors to work on branches within the main repository when possible, as this allows full CI/CD processes to run without encountering issues with restricted secrets. If you do not have permissions, you may use a fork, but be aware of potential CI/CD limitations. +3. **Commit Your Changes**: Make your changes and commit them. **All commits must be signed**. +4. **Run Tests**: Ensure that your changes pass all tests. +5. **Push Your Branch**: Push your branch to the main repository or your fork on GitHub. +6. **Create a Pull Request**: Open a pull request against the `main` branch of the Bundle repository. Please make sure that your PR passes all CI checks. + +### Note for External Contributors + +When submitting a pull request (PR) from a forked repository, please note that our CI/CD processes may not run completely due to security restrictions. This is because certain secrets required for the full CI/CD pipeline are not accessible from forks. + +**What to expect:** +1. **CI/CD Failures**: If you notice CI/CD failures, it might be due to these limitations rather than issues with your code. +2. **Maintainer Review**: Our maintainers will review your PR and, if necessary, check out your branch and push it to the main repository. This step allows the full CI/CD process to run with the required secrets, ensuring that all checks are performed. 
### PR Requirements diff --git a/README.md b/README.md index 9ee771e27..e28a0c371 100644 --- a/README.md +++ b/README.md @@ -19,6 +19,7 @@ UDS Core establishes a secure baseline for cloud-native systems and ships with c - [Prometheus Stack](https://github.com/prometheus-operator/kube-prometheus) - Monitoring - [Promtail](https://grafana.com/docs/loki/latest/send-data/promtail/) - Log Aggregation - [Velero](https://velero.io/) - Backup & Restore +- [UDS Runtime](https://github.com/defenseunicorns/uds-runtime) - Frontend Views & Insights #### Future Applications @@ -55,7 +56,7 @@ If you want to try out UDS Core, you can use the [k3d-core-demo bundle](./bundle ```bash -uds deploy k3d-core-demo:0.23.0 +uds deploy k3d-core-demo:0.27.3 ``` @@ -69,7 +70,7 @@ Deploy Istio, Keycloak and Pepr: ```bash -uds deploy k3d-core-slim-dev:0.23.0 +uds deploy k3d-core-slim-dev:0.27.3 ``` diff --git a/bundles/k3d-slim-dev/README.md b/bundles/k3d-slim-dev/README.md index 08c658db8..e56b0a279 100644 --- a/bundles/k3d-slim-dev/README.md +++ b/bundles/k3d-slim-dev/README.md 
@@ -8,15 +8,57 @@ This bundle is a trimmed-down version of [UDS Core](../k3d-standard/README.md) b The k3d uds-dev-stack provides: -- [K3d](https://k3d.io/) - Containerized K3s Kubernetes Enviroment +- [K3d](https://k3d.io/) - Containerized K3s Kubernetes Environment - [Minio](https://min.io/) - In-cluster S3 Object Storage (See below for more details) - [Local Path Provisioner](https://github.com/rancher/local-path-provisioner/) - Local Storage with RWX - [MetalLB](https://metallb.universe.tf/) - Provides type: LoadBalancer for cluster resources and Istio Gateways - [HAProxy](https://www.haproxy.org/) - Utilizes k3d host port mapping to bind ports 80 and 443, facilitating local FQDN-based routing through ACLs to MetalLB load balancer backends for Istio Gateways serving *.uds.dev, keycloak.uds.dev, and *.admin.uds.dev. -## Configuration +## Available Overrides +### Package: uds-k3d +##### uds-dev-stack (minio) +| Variable | Description | Path | +|----------|-------------|------| +| `BUCKETS` | Set Minio Buckets | buckets | +| `SVCACCTS` | Minio Service Accounts | svcaccts | +| `USERS` | Minio Users | users | +| `POLICIES` | Minio policies | policies | -### Minio + +### Package: core + +##### istio-admin-gateway (uds-istio-config) +| Variable | Description | Path | +|----------|-------------|------| +| `ADMIN_TLS_CERT` | The TLS cert for the admin gateway (must be base64 encoded) | tls.cert | +| `ADMIN_TLS_KEY` | The TLS key for the admin gateway (must be base64 encoded) | tls.key | + +##### istio-tenant-gateway (uds-istio-config) +| Variable | Description | Path | +|----------|-------------|------| +| `TENANT_TLS_CERT` | The TLS cert for the tenant gateway (must be base64 encoded) | tls.cert | +| `TENANT_TLS_KEY` | The TLS key for the tenant gateway (must be base64 encoded) | tls.key | + +##### istio-tenant-gateway (gateway) +| Variable | Description | Path | +|----------|-------------|------| +| `TENANT_SERVICE_PORTS` | The ports that are exposed from the tenant 
gateway LoadBalancer (useful for non-HTTP(S) traffic) | service.ports | + +##### keycloak (keycloak) +| Variable | Description | Path | +|----------|-------------|------| +| `INSECURE_ADMIN_PASSWORD_GENERATION` | Generate an insecure admin password for dev/test | `insecureAdminPasswordGeneration.enabled` | +| `KEYCLOAK_HA` | Enable Keycloak HA | `autoscaling.enabled` | +| `KEYCLOAK_PG_USERNAME` | Keycloak Postgres username | `postgresql.username` | +| `KEYCLOAK_PG_PASSWORD` | Keycloak Postgres password | `postgresql.password` | +| `KEYCLOAK_PG_DATABASE` | Keycloak Postgres database | `postgresql.database` | +| `KEYCLOAK_PG_HOST` | Keycloak Postgres host | `postgresql.host` | +| `KEYCLOAK_DEVMODE` | Enables Keycloak dev mode | `devMode` | + + +## Override Examples: + +### Minio Customization You can customize the Minio setup at deploy time via your ```uds-config.yaml```. diff --git a/bundles/k3d-slim-dev/uds-bundle.yaml b/bundles/k3d-slim-dev/uds-bundle.yaml index c89b07002..c0f6e7586 100644 --- a/bundles/k3d-slim-dev/uds-bundle.yaml +++ b/bundles/k3d-slim-dev/uds-bundle.yaml @@ -3,13 +3,13 @@ metadata: name: k3d-core-slim-dev description: A UDS bundle for deploying Istio from UDS Core on a development cluster # x-release-please-start-version - version: "0.23.0" + version: "0.27.3" # x-release-please-end packages: - name: uds-k3d-dev repository: ghcr.io/defenseunicorns/packages/uds-k3d - ref: 0.7.0 + ref: 0.9.0 overrides: uds-dev-stack: minio: @@ -28,13 +28,13 @@ packages: path: policies - name: init - repository: ghcr.io/defenseunicorns/packages/init - ref: v0.35.0 + repository: ghcr.io/zarf-dev/packages/init + ref: v0.40.1 - name: core-slim-dev path: ../../build/ # x-release-please-start-version - ref: 0.23.0 + ref: 0.27.3 # x-release-please-end overrides: istio-admin-gateway: 
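Review bot: The `init` package source moves from `ghcr.io/defenseunicorns/packages/init` to `ghcr.io/zarf-dev/packages/init` in the `-28` hunk, but the new `ref: v0.40.1` is still a mutable tag, so the bundle trusts whatever that tag resolves to at build time; the same publisher change appears in the `-28` hunk of `bundles/k3d-standard/uds-bundle.yaml` in the next file section. If the bundle schema accepts a digest-qualified ref, pinning the new publisher's package by digest would make the provenance switch verifiable rather than name-based; otherwise a comment recording why the publisher changed would help the next reader, e.g. `# init package is now published from the zarf-dev org; verify the source before bumping`. The `uds-k3d` bump to `0.9.0` in the `-3` hunk has the same tag-only pinning, though its publisher is unchanged.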
@@ -55,9 +55,42 @@ packages: - name: TENANT_TLS_KEY description: "The TLS key for the tenant gateway (must be base64 encoded)" path: tls.key + gateway: + variables: + - name: TENANT_SERVICE_PORTS + description: "The ports that are exposed from the tenant gateway LoadBalancer (useful for non-HTTP(S) traffic)" + path: "service.ports" keycloak: keycloak: variables: - name: INSECURE_ADMIN_PASSWORD_GENERATION description: "Generate an insecure admin password for dev/test" path: insecureAdminPasswordGeneration.enabled + - name: KEYCLOAK_HA + description: "Enable Keycloak HA" + path: autoscaling.enabled + - name: KEYCLOAK_PG_USERNAME + description: "Keycloak Postgres username" + path: postgresql.username + - name: KEYCLOAK_PG_PASSWORD + description: "Keycloak Postgres password" + path: postgresql.password + - name: KEYCLOAK_PG_DATABASE + description: "Keycloak Postgres database" + path: postgresql.database + - name: KEYCLOAK_PG_HOST + description: "Keycloak Postgres host" + path: postgresql.host + - name: KEYCLOAK_DEVMODE + description: "Enables Keycloak dev mode" + path: devMode + values: + - path: realmInitEnv + value: + GOOGLE_IDP_ENABLED: true + GOOGLE_IDP_ID: "C01881u7t" + GOOGLE_IDP_SIGNING_CERT: "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" + GOOGLE_IDP_NAME_ID_FORMAT: "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" + GOOGLE_IDP_CORE_ENTITY_ID: "https://sso.uds.dev/realms/uds" + GOOGLE_IDP_ADMIN_GROUP: "uds-core-dev-admin" + GOOGLE_IDP_AUDITOR_GROUP: "uds-core-dev-auditor" diff --git a/bundles/k3d-standard/README.md b/bundles/k3d-standard/README.md index d5a8215e2..866378a5b 100644 --- a/bundles/k3d-standard/README.md +++ b/bundles/k3d-standard/README.md 
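Review bot: `path: "service.ports"` in the new `gateway` override is the only quoted path in this file — every other `path:`, including the new Keycloak ones, is plain — so drop the quotes for consistency: `path: service.ports`. Inside the `realmInitEnv` value, `GOOGLE_IDP_ENABLED: true` is a YAML boolean while every sibling is a quoted string; if these values end up as container environment variables the boolean may be rejected or re-typed by the consumer, so `GOOGLE_IDP_ENABLED: "true"` is the safer spelling, worth confirming against how the keycloak chart consumes `realmInitEnv`. The Keycloak `variables` block added here is duplicated verbatim in the `-93` hunk of `bundles/k3d-standard/uds-bundle.yaml`, and the README tables in this patch were hand-copied the same way; a short comment in each file pointing at the other would reduce drift.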
@@ -2,7 +2,7 @@ This bundle is used for demonstration, development, and testing of UDS Core. In addition to the [UDS Core applications](../../README.md#core-applications), the included k3d uds-dev-stack provides: -- [K3d](https://k3d.io/) - Containerized K3s Kubernetes Enviroment +- [K3d](https://k3d.io/) - Containerized K3s Kubernetes Environment - [Minio]() - In-cluster S3 Object Storage (See below for more details) - [Local Path Provisioner]() - Storage Provider with RWX configured - [MetalLB](https://metallb.universe.tf/) - Provides type: LoadBalancer for cluster resources and Istio Gateways @@ -43,6 +43,22 @@ This bundle is used for demonstration, development, and testing of UDS Core. In | `TENANT_TLS_CERT` | The TLS cert for the tenant gateway (must be base64 encoded) | tls.cert | | `TENANT_TLS_KEY` | The TLS key for the tenant gateway (must be base64 encoded) | tls.key | +##### istio-tenant-gateway (gateway) +| Variable | Description | Path | +|----------|-------------|------| +| `TENANT_SERVICE_PORTS` | The ports that are exposed from the tenant gateway LoadBalancer (useful for non-HTTP(S) traffic) | service.ports | + +##### keycloak (keycloak) +| Variable | Description | Path | +|----------|-------------|------| +| `INSECURE_ADMIN_PASSWORD_GENERATION` | Generate an insecure admin password for dev/test | `insecureAdminPasswordGeneration.enabled` | +| `KEYCLOAK_HA` | Enable Keycloak HA | `autoscaling.enabled` | +| `KEYCLOAK_PG_USERNAME` | Keycloak Postgres username | `postgresql.username` | +| `KEYCLOAK_PG_PASSWORD` | Keycloak Postgres password | `postgresql.password` | +| `KEYCLOAK_PG_DATABASE` | Keycloak Postgres database | `postgresql.database` | +| `KEYCLOAK_PG_HOST` | Keycloak Postgres host | `postgresql.host` | +| `KEYCLOAK_DEVMODE` | Enables Keycloak dev mode | `devMode` | + ## Override Examples: diff --git a/bundles/k3d-standard/uds-bundle.yaml b/bundles/k3d-standard/uds-bundle.yaml index 197376980..e9f290a63 100644 
--- a/bundles/k3d-standard/uds-bundle.yaml +++ b/bundles/k3d-standard/uds-bundle.yaml @@ -3,13 +3,13 @@ metadata: name: k3d-core-demo description: A UDS bundle for deploying the standard UDS Core package on a development cluster # x-release-please-start-version - version: "0.23.0" + version: "0.27.3" # x-release-please-end packages: - name: uds-k3d-dev repository: ghcr.io/defenseunicorns/packages/uds-k3d - ref: 0.7.0 + ref: 0.9.0 overrides: uds-dev-stack: minio: @@ -28,16 +28,18 @@ packages: path: policies - name: init - repository: ghcr.io/defenseunicorns/packages/init - ref: v0.35.0 + repository: ghcr.io/zarf-dev/packages/init + ref: v0.40.1 - name: core path: ../../build/ # x-release-please-start-version - ref: 0.23.0 + ref: 0.27.3 # x-release-please-end optionalComponents: - istio-passthrough-gateway + - metrics-server + - uds-runtime overrides: loki: loki: 
@@ -93,12 +95,35 @@ packages: - name: TENANT_TLS_KEY description: "The TLS key for the tenant gateway (must be base64 encoded)" path: tls.key + gateway: + variables: + - name: TENANT_SERVICE_PORTS + description: "The ports that are exposed from the tenant gateway LoadBalancer (useful for non-HTTP(S) traffic)" + path: "service.ports" keycloak: keycloak: variables: - name: INSECURE_ADMIN_PASSWORD_GENERATION description: "Generate an insecure admin password for dev/test" path: insecureAdminPasswordGeneration.enabled + - name: KEYCLOAK_HA + description: "Enable Keycloak HA" + path: autoscaling.enabled + - name: KEYCLOAK_PG_USERNAME + description: "Keycloak Postgres username" + path: postgresql.username + - name: KEYCLOAK_PG_PASSWORD + description: "Keycloak Postgres password" + path: postgresql.password + - name: KEYCLOAK_PG_DATABASE + description: "Keycloak Postgres database" + path: postgresql.database + - name: KEYCLOAK_PG_HOST + description: "Keycloak Postgres host" + path: postgresql.host + - name: KEYCLOAK_DEVMODE + description: "Enables Keycloak dev mode" + path: devMode values: - path: realmInitEnv value: diff --git a/bundles/k3d-standard/uds-ha-config.yaml b/bundles/k3d-standard/uds-ha-config.yaml new file mode 100644 index 000000000..24b0119cd --- /dev/null +++ b/bundles/k3d-standard/uds-ha-config.yaml @@ -0,0 +1,8 @@ +variables: + core: + keycloak_ha: true + keycloak_pg_username: keycloak + keycloak_pg_password: password + keycloak_pg_database: keycloak + keycloak_pg_host: host.k3d.internal + keycloak_devmode: false diff --git a/compliance/oscal-assessment-results.yaml b/compliance/oscal-assessment-results.yaml new file mode 100644 index 000000000..98af6a818 --- /dev/null +++ b/compliance/oscal-assessment-results.yaml 
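Review bot: The new `bundles/k3d-standard/uds-ha-config.yaml` commits a literal database credential, `keycloak_pg_password: password`, next to `keycloak_pg_host: host.k3d.internal`; even for a local k3d dev stack, a checked-in value of that shape tends to get copied into non-dev configs. Prefer leaving the value to be supplied at deploy time (UDS CLI, as I understand it, also reads bundle variables from `UDS_<VARIABLE>` environment variables) and, if a default must stay, mark it as such: `keycloak_pg_password: password  # dev-only placeholder; override for any shared cluster`. The `KEYCLOAK_PG_PASSWORD` variable description in the `-93` hunk above could likewise say the value is sensitive, so readers of the README table know not to commit it.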
@@ -0,0 +1,2794 @@ +assessment-results: + import-ap: + href: "" + metadata: + last-modified: 2024-08-06T02:58:07.217393214Z + oscal-version: 1.1.2 + published: 2024-06-30T22:27:28.032093229Z + remarks: Assessment Results generated from Lula + title: '[System Name] Security Assessment Results (SAR)' + version: 0.0.1 + results: + - description: Assessment results for performing Validations with Lula version v0.4.5 + findings: + - description: | + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: c8c03abd-244d-4813-a966-3feece1bad6a + # Control Implementation + Istio implements with service to service and provides authorization policies that require authentication to access any non-public features. + related-observations: + - observation-uuid: 1cc8559c-f4df-46bc-9adb-7f5923a9de91 + - observation-uuid: 3b856533-2206-4ebd-932e-645886b20b10 + target: + status: + state: satisfied + target-id: ac-14 + type: objective-id + title: 'Validation Result - Control: ac-14' + uuid: 0bebe1ce-f13d-4bbc-ba5b-a0d92ad5b6fa + - description: | + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 069521de-43bc-4dce-ac4e-4adc9a559c3f + # Control Description "a. Define and document the types of accounts allowed and specifically prohibited for use within the system; b. Assign account managers; c. Require [Assignment: organization-defined prerequisites and criteria] for group and role membership; d. Specify: 1. Authorized users of the system; 2. Group and role membership; and 3. Access authorizations (i.e., privileges) and [Assignment: organization-defined attributes (as required)] for each account; e. Require approvals by [Assignment: organization-defined personnel or roles] for requests to create accounts; f. Create, enable, modify, disable, and remove accounts in accordance with [Assignment: organization-defined policy, procedures, prerequisites, and criteria]; g. Monitor the use of accounts; h. 
Notify account managers and [Assignment: organization-defined personnel or roles] within: 1. [Assignment: twenty-four (24) hours] when accounts are no longer required; 2. [Assignment: eight (8) hours] when users are terminated or transferred; and 3. [Assignment: eight (8) hours] when system usage or need-to-know changes for an individual; i. Authorize access to the system based on: 1. A valid access authorization; 2. Intended system usage; and 3. [Assignment: organization-defined attributes (as required)]; j. Review accounts for compliance with account management requirements [Assignment: monthly for privileged accessed, every six (6) months for non-privileged access]; k. Establish and implement a process for changing shared or group account authenticators (if deployed) when individuals are removed from the group; and l. Align account management processes with personnel termination and transfer processes." + # Control Implementation NeuVector supports internal user accounts and roles in addition to LDAP and SSO for providing RBAC access. + target: + status: + state: not-satisfied + target-id: ac-2 + type: objective-id + title: 'Validation Result - Control: ac-2' + uuid: 57fb27fd-82c5-43d3-8813-7fcc2ceab0ca + - description: | + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: bf59763a-0c22-4046-ab00-1d2b47dad8df + # Control Description Support the management of system accounts using [Assignment: organization-defined automated mechanisms]. + # Control Implementation NeuVector supports internal user accounts and roles in addition to LDAP and SSO for providing RBAC access. 
+ target: + status: + state: not-satisfied + target-id: ac-2.1 + type: objective-id + title: 'Validation Result - Control: ac-2.1' + uuid: d263ec5d-4ee8-43b2-9705-b0afa44758b5 + - description: | + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 051af8b7-75aa-4c26-9132-0cb46d5965aa + # Control Description Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. + # Control Implementation NeuVector supports internal user accounts and roles in addition to LDAP and SSO for providing RBAC access. + target: + status: + state: not-satisfied + target-id: ac-3 + type: objective-id + title: 'Validation Result - Control: ac-3' + uuid: 10d347a7-e12a-4b05-85e2-77ed4f542fdd + - description: | + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 9e158525-96bd-4d4f-a674-7e3eab9aea7a + # Control Implementation + Istio encrypts all in-mesh communication at runtime using FIPS verified mTLS in addition to ingress and egress gateways for controlling communication. + related-observations: + - observation-uuid: 1cc8559c-f4df-46bc-9adb-7f5923a9de91 + - observation-uuid: dbc9b893-9847-4ffa-8a91-7642f18f9784 + - observation-uuid: 435f54e2-3606-4250-9e16-79326844e82e + - observation-uuid: ff67f994-802a-4668-a261-f0cbfb7982d5 + target: + status: + state: satisfied + target-id: ac-4 + type: objective-id + title: 'Validation Result - Control: ac-4' + uuid: 1e16362c-0987-4314-bc1f-a1696344df0e + - description: | + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 6e32feb5-ce43-465f-9422-e3ef3276bf5d + # Control Implementation + Istio is configured to use ingress and egress gateways to provide logical flow separation. 
+ related-observations:
+ - observation-uuid: 1cc8559c-f4df-46bc-9adb-7f5923a9de91
+ - observation-uuid: f25d32b1-4bbd-4309-a96e-99fb8f484c88
+ - observation-uuid: 362043c5-ea38-4c11-83e3-35d34b79c938
+ - observation-uuid: 610a3b9c-269e-47c7-8b2c-9412bc822e80
+ target:
+ status:
+ state: not-satisfied
+ target-id: ac-4.21
+ type: objective-id
+ title: 'Validation Result - Control: ac-4.21'
+ uuid: 00f7dff8-8e83-414b-ab38-6a580e4c9de2
+ - description: |
+ Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: c3e13abc-3c19-4f08-a2f8-40fcbef5daa7
+ # Control Implementation
+ All encrypted HTTPS connections are terminated at the Istio ingress gateway.
+ related-observations:
+ - observation-uuid: 1cc8559c-f4df-46bc-9adb-7f5923a9de91
+ - observation-uuid: dbc9b893-9847-4ffa-8a91-7642f18f9784
+ - observation-uuid: 435f54e2-3606-4250-9e16-79326844e82e
+ - observation-uuid: ff67f994-802a-4668-a261-f0cbfb7982d5
+ target:
+ status:
+ state: satisfied
+ target-id: ac-4.4
+ type: objective-id
+ title: 'Validation Result - Control: ac-4.4'
+ uuid: 5d800b2f-1f1e-4b3c-b3ac-7d808f8a175d
+ - description: |
+ Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 386fb410-27e5-413d-8e6d-607afa86bb72
+ # Control Description "a. Identify and document [Assignment: organization-defined duties of individuals requiring separation]; and b. Define system access authorizations to support separation of duties."
+ # Control Implementation Loki implements RBAC to define system authorization and separation of duties.
+ target:
+ status:
+ state: not-satisfied
+ target-id: ac-5
+ type: objective-id
+ title: 'Validation Result - Control: ac-5'
+ uuid: 688258f8-7f62-4592-858f-08b7c0c3ecc1
+ - description: |
+ Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 60ad5f60-3852-49a1-961b-b6454edb8319
+ # Control Description Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks.
+ # Control Implementation Loki implements RBAC to employ principle of least privilege.
+ Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: df51cf5f-9c1b-4004-ae4a-195a663594ac
+ # Control Description Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks.
+ # Control Implementation NeuVector supports mapping internal user accounts and roles in addition to LDAP and SSO roles or groups for providing RBAC access.
+ target:
+ status:
+ state: not-satisfied
+ target-id: ac-6
+ type: objective-id
+ title: 'Validation Result - Control: ac-6'
+ uuid: 390a213d-c344-4f93-8605-3f6552f594c3
+ - description: |
+ Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: f1b66def-f822-4859-a448-5d5f77cd6f75
+ # Control Description "Authorize access for [Assignment: organization-defined individuals or roles] to: (a) [Assignment: organization-defined all functions not publicly accessible]; and (b) [Assignment: organization-defined all security-relevant information not publicly available]."
+ # Control Implementation NeuVector supports mapping internal user accounts and roles in addition to LDAP and SSO roles or groups for providing RBAC access.
+ Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: e7721974-f672-47cf-9421-e1530aec1217
+ # Control Description "Authorize access for [Assignment: organization-defined individuals or roles] to: (a) [Assignment: all functions not publicly accessible]]; and (b) [Assignment: all security-relevant information not publicly available]]."
+ # Control Implementation Loki implements RBAC to employ principle of least privilege.
+ target:
+ status:
+ state: not-satisfied
+ target-id: ac-6.1
+ type: objective-id
+ title: 'Validation Result - Control: ac-6.1'
+ uuid: bbc392e9-030f-45e4-a400-36e3866d22f4
+ - description: |
+ Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: e196edcd-fd88-42c2-9a99-0e67e2ba8919
+ # Control Description Prevent non-privileged users from executing privileged functions.
+ # Control Implementation NeuVector supports mapping internal user accounts and roles in addition to LDAP and SSO roles or groups for providing RBAC access.
+ Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: d0ffa50d-d91f-4dc3-8827-24e0f84b49d2
+ # Control Description Prevent non-privileged users from executing privileged functions.
+ # Control Implementation Loki layers an additional RBAC layer that prohibits non-privileged users from executing privileged functions.
+ target:
+ status:
+ state: not-satisfied
+ target-id: ac-6.10
+ type: objective-id
+ title: 'Validation Result - Control: ac-6.10'
+ uuid: 7a22b227-29de-4ab5-a813-0faa2f816709
+ - description: |
+ Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 0b3faf98-8a76-4b49-8e4b-c785cf26cfbe
+ # Control Description Authorize network access to [Assignment: all privileged commands] only for [Assignment: organization-defined compelling operational needs] and document the rationale for such access in the security plan for the system.
+ # Control Implementation NeuVector supports mapping internal user accounts and roles in addition to LDAP and SSO roles or groups for providing RBAC access.
+ Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 0081f95a-3233-4e07-a6cd-95cb1905c318
+ # Control Implementation
+ Configured with an "admin" gateway to restrict access to applications that only need administrative access.
+ related-observations:
+ - observation-uuid: 1cc8559c-f4df-46bc-9adb-7f5923a9de91
+ - observation-uuid: 362043c5-ea38-4c11-83e3-35d34b79c938
+ target:
+ status:
+ state: not-satisfied
+ target-id: ac-6.3
+ type: objective-id
+ title: 'Validation Result - Control: ac-6.3'
+ uuid: 18fe653e-eb66-4686-8f2d-6952aac69c6c
+ - description: |
+ Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 954ba9c8-452c-4503-a43f-c880a01b828d
+ # Control Description
+ Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations.
+ Auditing the use of privileged functions is one way to detect such misuse, and in doing so, help mitigate the risk from insider threats and the advanced persistent threat (APT).
+
+ # Control Implementation
+ Promtail can be configured to collect all logs from Kubernetes and underlying operating systems, allowing the aggregation of privileged function calls.
+ Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 6d8a6c80-2844-4bfd-bc9d-0f5a71e5c979
+ # Control Implementation
+ Istio produces logs for all traffic in the information system.
+ Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 14db5706-570c-44a2-b430-29a8a8e2d249
+ # Control Description Log the execution of privileged functions.
+ # Control Implementation Privileged events, including updating the deployment of an application, or use of privileged containers are collected as metrics by prometheus and displayed by Grafana.
+ Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: e36ba9d5-f12d-4524-a777-a041a0203bb6
+ # Control Description Log the execution of privileged functions.
+ # Control Implementation Privileged events that modify the application are logged in the application itself.
+ Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 4d1f5291-8f3f-429c-af2f-b05455ef30f0
+ # Control Description Log the execution of privileged functions.
+ # Control Implementation Privileged events, including updating the deployment of an application, or use of privileged containers are collected as metrics by prometheus and displayed by Grafana.
+ Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 921ec1c7-923c-4a28-a4dd-b59c1d3d9998
+ # Control Description Log the execution of privileged functions.
+ # Control Implementation NeuVector provides logging access related audit events.
+ related-observations:
+ - observation-uuid: 1cc8559c-f4df-46bc-9adb-7f5923a9de91
+ - observation-uuid: 9e4a8aa7-2736-4aad-8b08-7fcee4fa2a68
+ - observation-uuid: 435f54e2-3606-4250-9e16-79326844e82e
+ - observation-uuid: a1236290-6057-4695-b4bd-20dd2981d60d
+ - observation-uuid: af55317a-a3b8-42b9-8ba8-d859748635b5
+ target:
+ status:
+ state: not-satisfied
+ target-id: ac-6.9
+ type: objective-id
+ title: 'Validation Result - Control: ac-6.9'
+ uuid: 784d7def-b9de-495a-ba5d-93733e37a1eb
+ - description: |
+ Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 20ecdb48-997e-4958-b74c-21f462049877
+ # Control Description Retain audit records for [Assignment: at least one (1) year] to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements.
+ # Control Implementation Can configure audit record storage retention policy for defined periods of time via the store(s) Loki is configured to use.
+ target:
+ status:
+ state: not-satisfied
+ target-id: au-11
+ type: objective-id
+ title: 'Validation Result - Control: au-11'
+ uuid: 7e7c4d5e-13be-4768-bf2c-31ca172865a0
+ - description: |
+ Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 8f645835-6538-4327-a7aa-453b398f5ef4
+ # Control Implementation
+ Istio provides audit record generation capabilities for a variety of event types, including session, connection, transaction, or activity durations, and the number of bytes received and sent.
+ related-observations:
+ - observation-uuid: 1cc8559c-f4df-46bc-9adb-7f5923a9de91
+ - observation-uuid: 9e4a8aa7-2736-4aad-8b08-7fcee4fa2a68
+ target:
+ status:
+ state: satisfied
+ target-id: au-12
+ type: objective-id
+ title: 'Validation Result - Control: au-12'
+ uuid: 0a4cbea2-493f-4bc2-b0bf-4f88af93e4af
+ - description: |
+ Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 58766714-a477-42b9-bae4-856f14b58cea
+ # Control Description Compile audit records from [Assignment: all network, data storage, and computing devices] into a system-wide (logical or physical) audit trail that is time-correlated to within [Assignment: organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail].
+ # Control Implementation Provides time-series event compilation capabilities.
+ Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 301093ed-d023-4bf8-a915-e624589acadd
+ # Control Description Compile audit records from [Assignment: all network, data storage, and computing devices] into a system-wide (logical or physical) audit trail that is time-correlated to within [Assignment: organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail].
+ # Control Implementation Compatible metrics endpoints emitted from each application is compiled by Prometheus and displayed through Grafana with associated timestamps of when the data was collected.
+ Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 41a6f729-7ab6-4ffe-8da1-cb60fd35dffd
+ # Control Description Compile audit records from [Assignment: organization-defined system components] into a system-wide (logical or physical) audit trail that is time-correlated to within [Assignment: organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail].
+ # Control Implementation Compatible metrics endpoints emitted from each application is compiled by Prometheus and displayed through Grafana with associated timestamps of when the data was collected
+ target:
+ status:
+ state: not-satisfied
+ target-id: au-12.1
+ type: objective-id
+ title: 'Validation Result - Control: au-12.1'
+ uuid: 0091b443-4532-4b36-99e2-ec9cb1573812
+ - description: |
+ Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 2a25a5a4-4fbc-4fbc-88e3-2e34ddc3fb0e
+ # Control Description
+ An event is any observable occurrence in an organizational information system.
+ Organizations identify audit events as those events which are significant and relevant to the security of information systems and the environments in which those systems operate in order to meet specific and ongoing audit needs.
+ Audit events can include, for example, password changes, failed logons, or failed accesses related to information systems, administrative privilege usage, PIV credential usage, or third-party credential usage.
+ In determining the set of auditable events, organizations consider the auditing appropriate for each of the security controls to be implemented.
+ To balance auditing requirements with other information system needs, this control also requires identifying that subset of auditable events that are audited at a given point in time.
+
+ # Control Implementation
+ Logging daemons are present on each node that BigBang is installed on. Out of the box, the following events are captured:
+ * all containers emitting to STDOUT or STDERR (captured by container runtime translating container logs to /var/log/containers).
+ * all kubernetes api server requests.
+ * all events emitted by the kubelet.
+ Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: fc829f66-2354-4546-8e5d-f1e5d0287200
+ # Control Description "a. Identify the types of events that the system is capable of logging in support of the audit function: [Assignment: successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes]; b. Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged; c. Specify the following event types for logging within the system: [Assignment: organization-defined subset of the auditable events defined in AU-2a to be audited continually for each identified event) along with the frequency of (or situation requiring) logging for each identified event type]; d. Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and e. Review and update the event types selected for logging [Assignment: annually or whenever there is a change in the threat environment]."
+ # Control Implementation NeuVector provides logging access related audit events.
+ Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 88f300a6-aa21-41b4-919d-29ef3e4381bb
+ # Control Implementation
+ Istio logs all Istio event logs within the system's mesh network.
+ Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 7449f733-6809-4a0b-a6f9-7857f46a106e
+ # Control Description a. Identify the types of events that the system is capable of logging in support of the audit function: [Assignment: successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes]; b. Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged; c. Specify the following event types for logging within the system: [Assignment: organization-defined event types (subset of the event types defined in AU-2a.) along with the frequency of (or situation requiring) logging for each identified event type]; d. Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and e. Review and update the event types selected for logging [Assignment: annually or whenever there is a change in the threat environment].
+ # Control Implementation API endpoints suitable for capturing application level metrics are present on each of the supported applications running as containers. In addition, system and cluster level metrics are emitted by containers with read only access to host level information. Metrics are captured and stored by Prometheus, an web server capable of scraping endpoints formatted in the appropriate dimensional data format. Metrics information is stored on disk in a time series data base, and later queried through a separate component providing a web interface for the query language: PromQL. Metrics data can be displayed through a Grafana dashboard for visualization.
+ Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 49775d12-e0ba-4aa6-85e7-5aedd00e8fbc
+ # Control Description "a. Identify the types of events that the system is capable of logging in support of the audit function: [Assignment: successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes]; b. Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged; c. Specify the following event types for logging within the system: [Assignment: organization-defined subset of the auditable events defined in AU-2a to be audited continually for each identified event.) along with the frequency of (or situation requiring) logging for each identified event type]; d. Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and e. Review and update the event types selected for logging [Assignment: annually or whenever there is a change in the threat environment]."
+ # Control Implementation API endpoints suitable for capturing application level metrics are present on each of the supported applications running as containers. In addition, system and cluster level metrics are emitted by containers with read only access to host level information. Metrics are captured and stored by Prometheus, an web server capable of scraping endpoints formatted in the appropriate dimensional data format. Metrics information is stored on disk in a time series data base, and later queried through a separate component providing a web interface for the query language: PromQL.
+ related-observations:
+ - observation-uuid: 1cc8559c-f4df-46bc-9adb-7f5923a9de91
+ - observation-uuid: 9e4a8aa7-2736-4aad-8b08-7fcee4fa2a68
+ - observation-uuid: a1236290-6057-4695-b4bd-20dd2981d60d
+ - observation-uuid: d265b5b6-9306-4c22-ad35-d6f00a41920e
+ target:
+ status:
+ state: not-satisfied
+ target-id: au-2
+ type: objective-id
+ title: 'Validation Result - Control: au-2'
+ uuid: 38b71df8-9beb-487d-afac-7d5df701bf0b
+ - description: |
+ Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 762604db-77ec-415f-8728-c296873ab48b
+ # Control Description
+ Audit record content that may be necessary to satisfy the requirement of this control, includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked.
+ Event outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the information system after the event occurred).
+
+ # Control Implementation
+ Logs are captured by promtail from the node. The node logs will contain the necessary log data from all pods/applications inside the selected nodes.
+ Validating `logfmt` as the config.logFormat would be the goal. This is currently a secret mounted to /etc/promtail/promtail.yaml in the promtail container. We will ensure the promtail.yaml file is at a minimum the target config.
+ https://grafana.com/docs/loki/latest/send-data/promtail/stages/logfmt/
+ Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: e342a5af-b7d4-474b-9416-61e844083531
+ # Control Description "Ensure that audit records contain information that establishes the following: a. What type of event occurred; b. When the event occurred; c. Where the event occurred; d. Source of the event; e. Outcome of the event; and f. Identity of any individuals, subjects, or objects/entities associated with the event."
+ # Control Implementation NeuVector provides logging access related audit events.
+ Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 52756a01-6f5c-49b1-8a6b-972b74a01da4
+ # Control Implementation
+ Istio logs all Istio event logs within the system's mesh network.
+ related-observations:
+ - observation-uuid: 1cc8559c-f4df-46bc-9adb-7f5923a9de91
+ - observation-uuid: 94477b5d-84b7-427c-88b3-71367c501528
+ - observation-uuid: a1236290-6057-4695-b4bd-20dd2981d60d
+ - observation-uuid: 48a7c266-3ce0-4c63-b782-335c2461afc6
+ target:
+ status:
+ state: not-satisfied
+ target-id: au-3
+ type: objective-id
+ title: 'Validation Result - Control: au-3'
+ uuid: c5a260a3-6fea-42c9-bb28-209ff9e5f9e5
+ - description: |
+ Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: ee431ef9-3a99-42f4-b37c-6334660da2b2
+ # Control Description Generate audit records containing the following additional information: [Assignment: organizatiosession, connection, transaction, or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or identify the event; characteristics that describe or identify the object or resource being acted upon; individual identities of group account users; full-text of privileged commands].
+ # Control Implementation Grafana has pre-configured dashboards showing the audit records from Cluster Auditor saved in Prometheus.
+ Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 16cc258e-d907-47bb-97d9-4e92677cf075
+ # Control Implementation
+ Istio has been configured to implement event logging within our environment. This includes capturing metrics related to the duration of sessions, connections, transactions, or activities. Specifically, Istio's telemetry features are utilized to capture these metrics, which provide valuable data that can be used to infer the duration of sessions or connections.
+ Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 6700f065-8e51-4224-a5a0-8d3aff9d8d96
+ # Control Description Generate audit records containing the following additional information: [Assignment: session, connection, transaction, or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or identify the event; characteristics that describe or identify the object or resource being acted upon; individual identities of group account users; full-text of privileged commands].
+ # Control Implementation Grafana has pre-configured dashboards showing the audit records from Cluster Auditor saved in Prometheus.
+ related-observations:
+ - observation-uuid: 1cc8559c-f4df-46bc-9adb-7f5923a9de91
+ - observation-uuid: 06449da5-4cb5-4a5e-922d-5309d5c8f0c8
+ - observation-uuid: 435f54e2-3606-4250-9e16-79326844e82e
+ - observation-uuid: a906a088-3147-44cb-8d7b-69058d1d8484
+ target:
+ status:
+ state: not-satisfied
+ target-id: au-3.1
+ type: objective-id
+ title: 'Validation Result - Control: au-3.1'
+ uuid: f7cd3c25-77ef-442c-ae8c-db0e6a4b8b2b
+ - description: |
+ Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 7562092e-d076-49f9-8f03-9e5e7908752c
+ # Control Description Allocate audit log storage capacity to accommodate [Assignment: organization-defined audit log retention requirements].
+ # Control Implementation NeuVector can scale elastically based upon actual workload demands to allocate audit log storage capacity.
+ Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 836408b9-1ae9-4c99-8510-6ee35a4d11e9
+ # Control Description Allocate audit log storage capacity to accommodate [Assignment: organization-defined audit log retention requirements].
+ # Control Implementation Loki uses scalable object storage.
+ Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: d5d13192-3cae-4a88-8e64-cab44219ab2e
+ # Control Description Allocate audit log storage capacity to accommodate [Assignment: organization-defined audit log retention requirements].
+ # Control Implementation Prometheus is the log aggregator for audit logs since it is used to scrape/collect violations from ClusterAuditor. The storage capability can be configured in prometheus to use PVCs to ensure metrics have log retention compliance with the org-defined audit-log retention requirements.
+ target:
+ status:
+ state: not-satisfied
+ target-id: au-4
+ type: objective-id
+ title: 'Validation Result - Control: au-4'
+ uuid: c4884585-6343-4ada-b034-fb97065b7f23
+ - description: |
+ Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: e2e6d28f-bdf6-462c-8301-bdfa102671ee
+ # Control Description Provide a warning to [Assignment: organization-defined personnel, roles, and/or locations] within [Assignment: organization-defined time period] when allocated audit log storage volume reaches [Assignment: organization-defined percentage] of repository maximum audit log storage capacity.
+ # Control Implementation Alertmanager has pre-built alerts for PVC storage thresholds that would fire for PVCs supporting prometheus metrics storage.
+ Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 36f95dfb-626f-4fce-8417-4d808560b9d3
+ # Control Description Provide a warning to [Assignment: organization-defined personnel, roles, and/or locations] within [Assignment: organization-defined time period] when allocated audit log storage volume reaches [Assignment: organization-defined percentage] of repository maximum audit log storage capacity.
+ # Control Implementation Alertmanager has pre-built alerts for PVC storage thresholds that would fire for PVCs supporting prometheus metrics storage. Metrics data can be displayed through a Grafana dashboard for visualization.
+ target:
+ status:
+ state: not-satisfied
+ target-id: au-5.1
+ type: objective-id
+ title: 'Validation Result - Control: au-5.1'
+ uuid: c76a2661-2016-4bef-8bce-1194bb70b556
+ - description: |
+ Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: bea82b61-fbb6-486b-a8fa-50053715b904
+ # Control Description Provide an alert within [Assignment: real-time] to [Assignment: service provider personnel with authority to address failed audit events] when the following audit failure events occur: [Assignment: audit failure events requiring real-time alerts, as defined by organization audit policy].
+ # Control Implementation Alertmanager has pre-build alerts for failed pods that would show when ClusterAuditor is not processing events, or prometheus is unable to scrape events. Prometheus also has a deadman's alert to ensure end users are seeing events from prometheus as part of its configuration.
+ Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: d2d90ddf-dcc9-4087-ad71-ac67b66a154a
+ # Control Description Provide an alert within [Assignment: real-time] to [Assignment: service provider personnel with authority to address failed audit events] when the following audit failure events occur: [Assignment: audit failure events requiring real-time alerts, as defined by organization audit policy].
+ # Control Implementation Alertmanager has pre-built alerts for failed pods that would show when ClusterAuditor is not processing events, or prometheus is unable to scrape events. Prometheus also has a deadman's alert to ensure end users are seeing events from prometheus as part of its configuration. Data can be displayed through a Grafana dashboard for visualization.
+ target:
+ status:
+ state: not-satisfied
+ target-id: au-5.2
+ type: objective-id
+ title: 'Validation Result - Control: au-5.2'
+ uuid: 92f112fd-db07-4d92-b7f8-95036f30b390
+ - description: |
+ Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 25477ca3-4607-449e-9d33-a2a67ede0019
+ # Control Description "a. Review and analyze system audit records [Assignment: at least weekly] for indications of [Assignment: organization-defined inappropriate or unusual activity] and the potential impact of the inappropriate or unusual activity; b. Report findings to [Assignment: organization-defined personnel or roles]; and c. Adjust the level of audit record review, analysis, and reporting within the system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information."
+ # Control Implementation Provides audit record query and analysis capabilities. Organization will implement record review and analysis.
+ target:
+ status:
+ state: not-satisfied
+ target-id: au-6
+ type: objective-id
+ title: 'Validation Result - Control: au-6'
+ uuid: 103803bd-85a1-4ead-992c-e9cf6477b41f
+ - description: |
+ Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 29fdcbbd-02cc-4db1-a24e-5a146cccc254
+ # Control Description Integrate audit record review, analysis, and reporting processes using [Assignment: organization-defined automated mechanisms].
+ # Control Implementation Provides audit record query and analysis capabilities. Organization will implement record review and analysis.
+ Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 3f8f6178-4c57-4592-8c1c-df79507b21cd
+ # Control Description Integrate audit record review, analysis, and reporting processes using [Assignment: organization-defined automated mechanisms].
+ # Control Implementation Cluster Auditor Events/Alerts could be exported from Prometheus to an external system. Integration for specific tooling would need to be completed by end user.
+ Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 042fae4b-2779-4cfb-b68d-6f2dcbaa10ad
+ # Control Description Integrate audit record review, analysis, and reporting processes using [Assignment: organization-defined automated mechanisms].
+ # Control Implementation Cluster Auditor Events/Alerts could be exported from Prometheus to an external system. Integration for specific tooling would need to be completed by end user. Metrics data can be displayed through a Grafana dashboard for visualization.
+ target:
+ status:
+ state: not-satisfied
+ target-id: au-6.1
+ type: objective-id
+ title: 'Validation Result - Control: au-6.1'
+ uuid: e9063577-4ee5-48a0-84fb-c052b3d24598
+ - description: |
+ Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: c79cf2fa-2081-4034-831f-2c8016a275da
+ # Control Description Analyze and correlate audit records across different repositories to gain organization-wide situational awareness.
+ # Control Implementation Aggregating cluster auditor events across multiple sources (clusters) is possible with a multi-cluster deployment of prometheus/grafana.
+ Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 35897d1f-3fcd-4a79-b235-f75e2bbd398a
+ # Control Description Analyze and correlate audit records across different repositories to gain organization-wide situational awareness.
+ # Control Implementation Aggregating cluster auditor events across multiple sources (clusters) is possible with a multi-cluster deployment of prometheus/grafana.
+ target:
+ status:
+ state: not-satisfied
+ target-id: au-6.3
+ type: objective-id
+ title: 'Validation Result - Control: au-6.3'
+ uuid: 1dfdcc6b-92dd-4320-acb1-5efffd9b2bf1
+ - description: |
+ Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 80de1b87-8288-49ac-8a6b-fc71509df64b
+ # Control Description Integrate analysis of audit records with analysis of Selection (one or more): vulnerability scanning information; performance data; information system monitoring information; penetration test data; [Assignment: organization-defined data/information collected from other sources]] to further enhance the ability to identify inappropriate or unusual activity.
+ # Control Implementation Cluster Auditor's audit data is consolidated with system monitoring tooling (node exporters) for consolidated view to enhance inappropriate or unusual activity. Metrics data can be displayed through a Grafana dashboard for visualization.
+ Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 6b0cd4b8-ab38-4012-b637-de2ca4bf5497
+ # Control Description Integrate analysis of audit records with analysis of [Selection (one or more): vulnerability scanning information; performance data; system monitoring information; [Assignment: organization-defined data/information collected from other sources]] to further enhance the ability to identify inappropriate or unusual activity.
+ # Control Implementation Cluster Auditor's audit data is consolidated with system monitoring tooling (node exporters) for consolidated view to enhance inappropriate or unusual activity.
+ target:
+ status:
+ state: not-satisfied
+ target-id: au-6.5
+ type: objective-id
+ title: 'Validation Result - Control: au-6.5'
+ uuid: 1b5550c6-1891-4f76-8220-3919707110e7
+ - description: |
+ Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: b8c17326-8821-4536-8409-64d571540e37
+ # Control Description Correlate information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity.
+ # Control Implementation Cluster Auditor data in prometheus would enable this, but would require prometheus to also obtain access to physical metrics. Metrics data can be displayed through a Grafana dashboard for visualization.
+ Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: f6d4527a-d4b6-4141-9272-c2c211b1709f
+ # Control Description Correlate information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity.
+ # Control Implementation Cluster Auditor data in prometheus would enable this, but would require prometheus to also obtain access to physical metrics. + target: + status: + state: not-satisfied + target-id: au-6.6 + type: objective-id + title: 'Validation Result - Control: au-6.6' + uuid: 684c4386-ef88-4c58-811e-165172e6a29b + - description: | + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 8abbc53e-0ec4-49c6-8ef1-a1c237695f96 + # Control Description Provide and implement an audit record reduction and report generation capability that: a. Supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents; and b. Does not alter the original content or time ordering of audit records. + # Control Implementation Grafana is configured with a pre-built dashboard for policy violations that displays data collected by Cluster Auditor. + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 18f4f45b-d707-417f-91ac-28ab503313d8 + # Control Description "Provide and implement an audit record reduction and report generation capability that: a. Supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents; and b. Does not alter the original content or time ordering of audit records." + # Control Implementation Grafana is configured with a pre-built dashboard for policy violations that displays data collected by Cluster Auditor. 
+ target: + status: + state: not-satisfied + target-id: au-7 + type: objective-id + title: 'Validation Result - Control: au-7' + uuid: a274a97a-1c55-4a1b-9dac-f1849260ad16 + - description: | + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 56d09aae-ab73-49d8-b2a4-1e81db2878eb + # Control Description Provide and implement the capability to process, sort, and search audit records for events of interest based on the following content: [Assignment: organization-defined fields within audit records]. + # Control Implementation Grafana is configured with a pre-built dashboard for policy violations that displays data collected by Cluster Auditor. + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 0a4d39e4-979d-4284-a190-e7e5b4aa7162 + # Control description Provide and implement the capability to process, sort, and search audit records for events of interest based on the following content: [Assignment: organization-defined fields within audit records]. + # Control Implementation Grafana is configured with a pre-built dashboard for policy violations that displays data collected by Cluster Auditor. + target: + status: + state: not-satisfied + target-id: au-7.1 + type: objective-id + title: 'Validation Result - Control: au-7.1' + uuid: 89a7b3d0-954f-41d5-9230-56a774204c25 + - description: | + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 9ad7ddfb-4701-4c34-88f7-9d85abb13d60 + # Control Description + Time stamps generated by the information system include date and time. + Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. + Granularity of time measurements refers to the degree of synchronization between information system clocks and reference clocks, for example, clocks synchronizing within hundreds of milliseconds or within tens of milliseconds. 
+ Organizations may define different time granularities for different system components. + Time service can also be critical to other security capabilities such as access control and identification and authentication, depending on the nature of the mechanisms used to support those capabilities. + + # Control Implementation + Records captured by the logging daemon are enriched to ensure the following are always present: + * time of the event (UTC). + * source of event (pod, namespace, container id). + Applications are responsible for providing all other information. + Validating `logfmt` as the config.logFormat would be the goal. This is currently a secret mounted to /etc/promtail/promtail.yaml in the promtail container. We will ensure the promtail.yaml file is at a minimum the target config. + https://grafana.com/docs/loki/latest/send-data/promtail/stages/logfmt/ + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 9be1e683-93e1-4769-aa7d-951e2c8f8627 + # Control Description a. Use internal system clocks to generate time stamps for audit records; and b. Record time stamps for audit records that meet [Assignment: one second granularity of time measurement] and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or that include the local time offset as part of the time stamp. + # Control Implementation Prometheus stores all data as time-series data, so the timestamps of when those violations were present is part of the data-stream. Metrics data can be displayed through a Grafana dashboard for visualization. + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 689aa5d6-2b4b-40ca-a49f-51df0e220ec5 + # Control Description "a. Use internal system clocks to generate time stamps for audit records; and b. 
Record time stamps for audit records that meet [Assignment: organization-defined granularity of time measurement] and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or that include the local time offset as part of the time stamp." + # Control Implementation Prometheus stores all data as time-series data, so the timestamps of when those violations were present is part of the data-stream. + related-observations: + - observation-uuid: a1236290-6057-4695-b4bd-20dd2981d60d + - observation-uuid: 48a7c266-3ce0-4c63-b782-335c2461afc6 + target: + status: + state: not-satisfied + target-id: au-8 + type: objective-id + title: 'Validation Result - Control: au-8' + uuid: 184f3950-22d1-4a6e-a1ad-1d915468f28b + - description: | + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 21879fc4-927e-4ad4-a049-c96cb581e260 + # Control Description "a. Protect audit information and audit logging tools from unauthorized access, modification, and deletion; and b. Alert [Assignment: organization-defined personnel or roles] upon detection of unauthorized access, modification, or deletion of audit information." + # Control Implementation Access to metrics can be restricted to org-defined personnel behind a private endpoint and not given to mission owners. + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: f800923b-6367-4468-9f42-1afae4b6d38d + # Control Description a. Protect audit information and audit logging tools from unauthorized access, modification, and deletion; and b. Alert [Assignment: organization-defined personnel or roles] upon detection of unauthorized access, modification, or deletion of audit information. + # Control Implementation Grafana has the ability to provide Role Based Access Control to limit the data sources that end users can view by leveraging an identity provider. 
Grafana can also limit users to subsets of metrics within a datasource by the use of Label Based Access Control when using Grafana Enterprise. + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: bfd070e8-d053-4e48-925a-baf9bcbd9335 + # Control Description "a. Protect audit information and audit logging tools from unauthorized access, modification, and deletion; and b. Alert [Assignment: organization-defined personnel or roles] upon detection of unauthorized access, modification, or deletion of audit information." + # Control Implementation Grafana has the ability to provide Role Based Access Control to limit the data sources that end users can view by leveraging an identity provider. Grafana can also limit users to subsets of metrics within a datasource by the use of Label Based Access Control when using Grafana Enterprise. + target: + status: + state: not-satisfied + target-id: au-9 + type: objective-id + title: 'Validation Result - Control: au-9' + uuid: 2de6aeb1-66fd-4131-9c75-f376fb7544f6 + - description: | + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 3c4bf1e8-b873-4c43-a912-5f443fc0208f + # Control Description Store audit records [Assignment: at least weekly] in a repository that is part of a physically different system or system component than the system or component being audited. + # Control Implementation Prometheus can scrape external components outside of the system, but this configuration is not easily supported as part of the current big bang configuration of ClusterAuditor since external access to ClusterAuditor metrics is not exposed via Istio. Metrics data can be displayed through a Grafana dashboard for visualization. 
+ Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: b89edef2-5668-407b-b3d5-86ca68862536 + # Control Description Store audit records [Assignment: at least weekly] in a repository that is part of a physically different system or system component than the system or component being audited. + # Control Implementation Supports any object storage. + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 27f26f6a-706e-4514-97c0-45390d6fdf6a + # Control Description Store audit records [Assignment: organization-defined frequency] in a repository that is part of a physically different system or system component than the system or component being audited. + # Control Implementation Prometheus can scrape external components outside of the system, but this configuration is not easily supported as part of the current UDS Coreg configuration of ClusterAuditor since external access to ClusterAuditor metrics is not exposed via Istio. + target: + status: + state: not-satisfied + target-id: au-9.2 + type: objective-id + title: 'Validation Result - Control: au-9.2' + uuid: e0f75fca-cfe3-43ca-b8ec-c5eb44bde47d + - description: | + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 3c5ff037-ea46-4e41-b601-a9b223da30a8 + # Control Description Authorize access to management of audit logging functionality to only [Assignment: organization-defined subset of privileged users or roles]. + # Control Implementation Grafana has the ability to provide Role Based Access Control to limit the data sources that end users can view by leveraging an identity provider. Grafana can also limit users to subsets of metrics within a datasource by the use of Label Based Access Control when using Grafana Enterprise. 
+ Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 0fee5118-57c8-4617-97a1-76189bc69ea3 + # Control Description Authorize access to management of audit logging functionality to only [Assignment: organization-defined subset of privileged users or roles]. + # Control Implementation Grafana has the ability to provide Role Based Access Control to limit the data sources that end users can view by leveraging an identity provider. Grafana can also limit users to subsets of metrics within a datasource by the use of Label Based Access Control when using Grafana Enterprise. + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: f3292e9a-1c10-45cd-9178-aeecbaec0283 + # Control Description Authorize access to management of audit logging functionality to only [Assignment: organization-defined subset of privileged users or roles]. + # Control Implementation Enterprise version (Loki) implements RBAC. + target: + status: + state: not-satisfied + target-id: au-9.4 + type: objective-id + title: 'Validation Result - Control: au-9.4' + uuid: 7cedc012-a643-4097-a647-032c3be3d0ca + - description: | + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 973c9f19-8c96-4c84-925a-b69f28625962 + # Control Description Provide and implement the capability to process, sort, and search audit records for events of interest based on the following content: [Assignment: organization-defined fields within audit records]. + # Control Implementation Loki provides an API for retrieving and filtering logs. 
+ target: + status: + state: not-satisfied + target-id: au7.1 + type: objective-id + title: 'Validation Result - Control: au7.1' + uuid: 4229dc83-0a33-4139-9e62-5d4da8dfc2ba + - description: | + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 9de67d41-1c18-4ebd-af55-cac2573aa77e + # Control Description + Include as part of control assessments, [Assignment: at least annually], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; security instrumentation; automated security test cases; vulnerability scanning; malicious + user testing; insider threat assessment; performance and load testing; data leakage or data loss assessment; [Assignment: organization-defined other forms of assessment]]. + + # Control Implementation NeuVector continually monitors kubernetes environments and container images to detect misconfigurations, advanced network threats, and vulnerable hosts with all attempts to exploit a vulnerability is documented. + target: + status: + state: not-satisfied + target-id: ca-2.2 + type: objective-id + title: 'Validation Result - Control: ca-2.2' + uuid: eda5cf2e-02ce-4b87-90d8-a321fe49860a + - description: | + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 2d771492-b5c8-4475-b258-0038287f29e6 + # Control Description "Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes: a. Establishing the following system-level metrics to be monitored: [Assignment: organization-defined system-level metrics]; b. Establishing [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessment of control effectiveness; c. Ongoing control assessments in accordance with the continuous monitoring strategy; d. 
Ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy; e. Correlation and analysis of information generated by control assessments and monitoring; f. Response actions to address results of the analysis of control assessment and monitoring information; and g. Reporting the security and privacy status of the system to [Assignment: to include JAB/AO] [Assignment: organization-defined frequency]." + # Control Implementation NeuVector continually monitors kubernetes environments and container images to detect misconfigurations, advanced network threats, and vulnerable hosts with all attempts to exploit a vulnerability is documented. + target: + status: + state: not-satisfied + target-id: ca-7 + type: objective-id + title: 'Validation Result - Control: ca-7' + uuid: fbc504e4-0441-4dc9-bdb0-f5ef99155ea1 + - description: | + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 32e53a18-4b64-4a24-935c-11cbac2c62be + # Control Implementation + Istio enforces logical access restrictions associated with changes to the system. Istio's Role-Based Access Control (RBAC) features are used to define and enforce access controls, ensuring that only approved personnel can make changes to the system. + related-observations: + - observation-uuid: 1cc8559c-f4df-46bc-9adb-7f5923a9de91 + - observation-uuid: d517a52c-6742-4c6a-94f4-b6716aa64879 + - observation-uuid: 9da482e6-b1b4-47d5-b88c-ea78cb1a6089 + target: + status: + state: not-satisfied + target-id: cm-5 + type: objective-id + title: 'Validation Result - Control: cm-5' + uuid: 0dc01260-0c79-4716-9766-f5fdf674042f + - description: | + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 2fb488b2-f7f7-4db9-8fc8-3de7f3a9daba + # Control Description "a. 
Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using [Assignment: oUnited States Government Configuration Baseline (USGCB)]; b. Implement the configuration settings; c. Identify, document, and approve any deviations from established configuration settings for [Assignment: organization-defined system components] based on [Assignment: organization-defined operational requirements]; and d. Monitor and control changes to the configuration settings in accordance with organizational policies and procedures." + # Control Implementation NeuVector is configured using Helm Charts. Default settings can be found. + target: + status: + state: not-satisfied + target-id: cm-6 + type: objective-id + title: 'Validation Result - Control: cm-6' + uuid: b2dca976-e07d-486e-893e-d87f7c91cfda + - description: | + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: a9d92277-809d-440f-82c9-35c820ba00b8 + # Control Description "a. Configure the system to provide only [Assignment: organization-defined mission essential capabilities]; and b. Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: [Assignment: organization-defined prohibited or restricted functions, system ports, protocols, software, and/or services]." "CM-7 (b) Requirement: The service provider shall use the DoD STIGs or Center for Internet Security guidelines to establish list of prohibited or restricted functions, ports, protocols, and/or services or establishes its own list of prohibited or restricted functions, ports, protocols, and/or services if USGCB is not available. CM-7 Guidance: Information on the USGCB checklists can be found at: https://csrc.nist.gov/projects/united-states-government-configuration-baseline." 
+ # Control Implementation NeuVector is configured securely and only access to required ports are available. + target: + status: + state: not-satisfied + target-id: cm-7 + type: objective-id + title: 'Validation Result - Control: cm-7' + uuid: bba8e8dc-df3c-4664-9f4d-b69673496e72 + - description: | + Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Implemented Requirement: 26B3D98B-0C9D-434B-8DE5-06CBBC46A38C + Velero can restore application configuration/data from an approved cloud provider or on-premise location on-demand. + target: + status: + state: not-satisfied + target-id: cp-10 + type: objective-id + title: 'Validation Result - Control: cp-10' + uuid: 434837ff-2f2a-4bff-afcd-6f0ace60f6f5 + - description: | + Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Implemented Requirement: 3EA444B7-61ED-43DD-8B3D-24B55F286E59 + Velero gives you tools to back up and restore your Kubernetes cluster resources and persistent volumes. You can run Velero with a cloud provider or on-premises. This includes: - System components/data. - User-level information/application metadata. - User-level storage/data. - Scheduled back-ups with configurable scopes. - Multi-cloud and on-premise support for availability of backup. + target: + status: + state: not-satisfied + target-id: cp-10.4 + type: objective-id + title: 'Validation Result - Control: cp-10.4' + uuid: e8178dd1-2e6b-43ce-b65c-6c3df60b264d + - description: | + Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Implemented Requirement: 2ADA7512-E0D5-4CAE-81BC-C889C640AF93 + Velero can take backups of your application configuration/data and store them off-site in either an approved cloud environment or on-premise location. 
+ target: + status: + state: not-satisfied + target-id: cp-6 + type: objective-id + title: 'Validation Result - Control: cp-6' + uuid: cbbbd670-3e39-4625-82fb-45d762a6ea87 + - description: | + Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Implemented Requirement: 6C3339A0-9636-4E35-8FA8-731CF900B326 + Velero can take backups of your application configuration/data and store them off-site in either an approved cloud environment or on-premise location. + target: + status: + state: not-satisfied + target-id: cp-6.1 + type: objective-id + title: 'Validation Result - Control: cp-6.1' + uuid: baa8e2e7-054d-4c78-a5aa-0ec1f7573f35 + - description: | + Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Implemented Requirement: 2799CCBF-C48D-4451-85BA-EBD9B949C361 + Velero can restore application configuration/data from an approved cloud provider or on-premise location on-demand. + target: + status: + state: not-satisfied + target-id: cp-6.2 + type: objective-id + title: 'Validation Result - Control: cp-6.2' + uuid: c7c56dc6-9189-48e6-8153-541f8e7f129e + - description: | + Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Implemented Requirement: 0AE59B43-50A7-4420-881B-E0635CCB8424 + Velero supports back-ups to multiple cloud environments (including geo-separated locations for high availability) and on-premise environments in the event of an accessibility disruptions. + target: + status: + state: not-satisfied + target-id: cp-6.3 + type: objective-id + title: 'Validation Result - Control: cp-6.3' + uuid: d0fabced-345c-42fe-a52c-1ab67d72a0ce + - description: | + Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Implemented Requirement: B11B38B8-8744-4DFD-8C1A-4A4EDD7F9574 + Velero can restore application configuration/data from an approved cloud provider or on-premise location to an alternative deployment environment on-demand. 
+ target: + status: + state: not-satisfied + target-id: cp-7 + type: objective-id + title: 'Validation Result - Control: cp-7' + uuid: 6cf300c3-516b-4864-8049-a5d423c5bddc + - description: | + Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Implemented Requirement: D74C3A8C-E5B0-4F81-895D-FB2A318D723B + Velero supports back-ups to and restores from multiple cloud environments (including geo-separated locations for high availability) and on-premise environments in the event of an accessibility disruptions. + target: + status: + state: not-satisfied + target-id: cp-7.1 + type: objective-id + title: 'Validation Result - Control: cp-7.1' + uuid: 003c98fa-877a-4571-9bb7-f8ad72b88768 + - description: | + Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Implemented Requirement: 72D7145F-7A3F-47AF-835F-7E3D6EFAE1CC + Velero supports back-ups to and restores from multiple cloud environments (including geo-separated locations for high availability) and on-premise environments in the event of an accessibility disruptions. + target: + status: + state: not-satisfied + target-id: cp-7.2 + type: objective-id + title: 'Validation Result - Control: cp-7.2' + uuid: e36765c3-3e47-4c05-8998-03f1b9051917 + - description: | + Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Implemented Requirement: 5B0AA4CB-9C49-4D32-8242-5631788BD941 + "Velero gives you tools to back up and restore your Kubernetes cluster resources and persistent volumes. You can run Velero with a cloud provider or on-premises. This includes: + - System components/data. + - User-level information/application metadata. + - User-level storage/data. + - Scheduled back-ups with configurable scopes. + - Multi-cloud and on-premise support for availability of backup." 
+ target: + status: + state: not-satisfied + target-id: cp-9 + type: objective-id + title: 'Validation Result - Control: cp-9' + uuid: 12b7dad5-7d79-4be2-8050-fe7eef32365a + - description: | + Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Implemented Requirement: 8E5917F3-3E45-46C1-8585-48550E19AFFB + Velero provides feedback/logging of back-up status for configuration/data via kubectl or the Velero CLI tool. Velero can restore your production configuration/data to validation environment to ensure reliability/integrity. + target: + status: + state: not-satisfied + target-id: cp-9.1 + type: objective-id + title: 'Validation Result - Control: cp-9.1' + uuid: 0b6e7933-5ad7-4659-94c8-4d39730208fd + - description: | + Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Implemented Requirement: 51191D0E-0C7B-4D2D-861D-202AC8C505CF + Velero can be configured to restore only certain components of a back-up when necessary. + target: + status: + state: not-satisfied + target-id: cp-9.2 + type: objective-id + title: 'Validation Result - Control: cp-9.2' + uuid: f4c55319-50b5-4219-bf6f-22c66421f441 + - description: | + Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Implemented Requirement: C650411C-33FD-4B59-8899-AC34B43C860F + Velero supports back-ups to multiple cloud environments (including geo-separated locations for high availability) and on-premise environments. + target: + status: + state: not-satisfied + target-id: cp-9.3 + type: objective-id + title: 'Validation Result - Control: cp-9.3' + uuid: 15eefc99-0cef-4652-9aea-9fe80a585b1e + - description: | + Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Implemented Requirement: 8AB09B17-301B-4836-835B-9CE22A9E2300 + Velero gives you tools to back up and restore your Kubernetes cluster resources and persistent volumes. You can run Velero with a cloud provider or on-premises. This includes: - System components/data. - User-level information/application metadata. 
- User-level storage/data. - Scheduled back-ups with configurable scopes. - Multi-cloud and on-premise support for availability of backup. + target: + status: + state: not-satisfied + target-id: cp-9.5 + type: objective-id + title: 'Validation Result - Control: cp-9.5' + uuid: f44f374f-cbd4-4548-9e83-cfb7213e3438 + - description: | + Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Implemented Requirement: 7FACB782-C183-4585-8C0B-17824438FEA6 + Velero supports encryption of backups via its supported providers' encryption support/mechanisms. + target: + status: + state: not-satisfied + target-id: cp-9.8 + type: objective-id + title: 'Validation Result - Control: cp-9.8' + uuid: 30ce1594-302b-4480-816e-f2b5b6cf729c + - description: | + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 8ef96f45-dfc4-41a8-999a-fc717e746966 + # Control Description "a. Monitor and scan for vulnerabilities in the system and hosted applications [Assignment: monthly operating system/infrastructure; monthly web applications (including APIs) and databases] and when new vulnerabilities potentially affecting the system are identified and reported; b. Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: 1. Enumerating platforms, software flaws, and improper configurations; 2. Formatting checklists and test procedures; and 3. Measuring vulnerability impact; c. Analyze vulnerability scan reports and results from vulnerability monitoring; d. Remediate legitimate vulnerabilities [Assignment: high-risk vulnerabilities mitigated within thirty (30) days from date of discovery; moderate-risk vulnerabilities mitigated within ninety (90) days from date of discovery; low risk vulnerabilities mitigated within one hundred and eighty (180) days from date of discovery] in accordance with an organizational assessment of risk; e. 
Share information obtained from the vulnerability monitoring process and control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other systems; and f. Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned." + # Control Implementation NeuVector is Kubernetes and container security tool. NeuVector will scan containers for vulnerabilities in addition to continuous monitoring for active threats. + target: + status: + state: not-satisfied + target-id: ra-5 + type: objective-id + title: 'Validation Result - Control: ra-5' + uuid: 2b4a5a81-e527-4aac-b5d2-6e0c39cd68ca + - description: | + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 760dde06-de0b-4575-8575-95a5835f97c0 + # Control Description Update the system vulnerabilities to be scanned [prior to a new scan]; prior to a new scan; when new vulnerabilities are identified and reported]. + # Control Implementation NeuVector container scanning vulnerability database is updated frequently. + target: + status: + state: not-satisfied + target-id: ra-5.2 + type: objective-id + title: 'Validation Result - Control: ra-5.2' + uuid: f45a41e4-33ea-4f43-9c81-1b4b09630fc2 + - description: | + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 621595cd-f998-4f55-b68e-f765db48b332 + # Control Description Define the breadth and depth of vulnerability scanning coverage. + # Control Implementation NeuVector container scanning configurations depth can be modified. 
+ target: + status: + state: not-satisfied + target-id: ra-5.3 + type: objective-id + title: 'Validation Result - Control: ra-5.3' + uuid: d97d6d08-19b7-4aec-990c-c885e9c52a15 + - description: | + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 994b03df-8320-4987-887b-fac8088bd944 + # Control Description Implement privileged access authorization to [Assignment: all components that support authentication] for [Assignment: all scans]. + # Control Implementation NeuVector supports mapping internal user accounts and roles in addition to LDAP and SSO roles or groups for providing RBAC access. + target: + status: + state: not-satisfied + target-id: ra-5.5 + type: objective-id + title: 'Validation Result - Control: ra-5.5' + uuid: 22531ec8-b5ca-4eb1-80f7-8c690d40211b + - description: | + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 5a7bddc2-f94c-46c8-a15a-1e2f4d4ab948 + # Control Description "Require the developer of the system, system component, or system service, at all post-design stages of the system development life cycle, to: a. Develop and implement a plan for ongoing security and privacy control assessments; b. Perform [Selection (one or more): unit; integration; system; regression] testing/evaluation [Assignment: organization-defined frequency] at [Assignment: organization-defined depth and coverage]; c. Produce evidence of the execution of the assessment plan and the results of the testing and evaluation; d. Implement a verifiable flaw remediation process; and e. Correct flaws identified during testing and evaluation." + # Control Implementation NeuVector continually monitors kubernetes environments and container images to detect misconfigurations, advanced network threats, and vulnerable hosts with all attempts to exploit a vulnerability is documented. 
+ target: + status: + state: not-satisfied + target-id: sa-11 + type: objective-id + title: 'Validation Result - Control: sa-11' + uuid: a1b36d70-93cc-4dac-b0ee-07a83fcd7fc9 + - description: | + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: b6f194ad-bde3-479f-8a77-0ec4c9a5a77d + # Control Description Require the developer of the system, system component, or system service to employ static code analysis tools to identify common flaws and document the results of the analysis. Static code analysis provides a technology and methodology for security reviews and includes checking for weaknesses in the code as well as for the incorporation of libraries or other included code with known vulnerabilities or that are out-of-date and not supported. Static code analysis can be used to identify vulnerabilities and enforce secure coding practices. It is most effective when used early in the development process, when each code change can automatically be scanned for potential weaknesses. Static code analysis can provide clear remediation guidance and identify defects for developers to fix. Evidence of the correct implementation of static analysis can include aggregate defect density for critical defect types, evidence that defects were inspected by developers or security professionals, and evidence that defects were remediated. A high density of ignored findings, commonly referred to as false positives, indicates a potential problem with the analysis process or the analysis tool. In such cases, organizations weigh the validity of the evidence against evidence from other sources. + # Control Implementation NeuVector continually monitors kubernetes environments and container images to detect misconfigurations, advanced network threats, and vulnerable hosts with all attempts to exploit a vulnerability is documented. 
+ target: + status: + state: not-satisfied + target-id: sa-11.1 + type: objective-id + title: 'Validation Result - Control: sa-11.1' + uuid: 5fb26d2e-4dde-4a30-985f-8e5bd5f403f2 + - description: | + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 169c9ad3-0a6c-46ee-80cd-cd8cef5eca5c + # Control Implementation + Istio is configured to manage network connections associated with specific communication sessions. It can be set up to automatically terminate these connections after periods of inactivity, providing an additional layer of security. + related-observations: + - observation-uuid: 1cc8559c-f4df-46bc-9adb-7f5923a9de91 + - observation-uuid: a05d03e1-4f9c-476b-a657-2607a0c86258 + target: + status: + state: not-satisfied + target-id: sc-10 + type: objective-id + title: 'Validation Result - Control: sc-10' + uuid: e12cb6f2-4521-47af-a106-ffbd13bd2a15 + - description: | + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 2bf5c525-af5f-4b8b-8349-3f6a91e0aab9 + # Control Implementation + Istio provides FIPS encryption in transit for all applications in the mesh, TLS termination at ingress, and TLS origination at egress. 
+ related-observations: + - observation-uuid: 1cc8559c-f4df-46bc-9adb-7f5923a9de91 + - observation-uuid: dbc9b893-9847-4ffa-8a91-7642f18f9784 + - observation-uuid: ff67f994-802a-4668-a261-f0cbfb7982d5 + - observation-uuid: edc21e52-53cd-4a6a-9e29-1016a56e0cb5 + - observation-uuid: e12e332c-6a86-43e8-9403-94824b948f45 + target: + status: + state: not-satisfied + target-id: sc-13 + type: objective-id + title: 'Validation Result - Control: sc-13' + uuid: db406556-9aee-4655-8e37-f97662c642fd + - description: | + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 625bfdc1-0b20-45f3-919b-91afbac77799 + # Control Implementation + Istio is configured to protect session authenticity, establishing confidence in the ongoing identities of other parties and the validity of transmitted information. This is achieved through Istio's mutual TLS, which ensures secure communication. + related-observations: + - observation-uuid: 1cc8559c-f4df-46bc-9adb-7f5923a9de91 + - observation-uuid: dbc9b893-9847-4ffa-8a91-7642f18f9784 + target: + status: + state: satisfied + target-id: sc-23 + type: objective-id + title: 'Validation Result - Control: sc-23' + uuid: d0fff818-c4b0-408b-995c-425323750c29 + - description: | + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 9e2894a3-2452-4f7a-b8a5-f72b89b23c87 + # Control Implementation + Namespaces, Istio gateways, and network policies collectively by providing resource isolation, secure traffic routing, and network segmentation to prevent unauthorized and unintended information transfer. 
+ related-observations: + - observation-uuid: 1cc8559c-f4df-46bc-9adb-7f5923a9de91 + - observation-uuid: 362043c5-ea38-4c11-83e3-35d34b79c938 + - observation-uuid: 610a3b9c-269e-47c7-8b2c-9412bc822e80 + target: + status: + state: satisfied + target-id: sc-3 + type: objective-id + title: 'Validation Result - Control: sc-3' + uuid: 14e04260-d26f-4d27-ac44-3819d7849574 + - description: | + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: f972ef8d-1eb0-403b-8db8-e65a4f4e2aaa + # Control Implementation + Istio is configured to maintain separate execution domains for each executing process. This is achieved through Istio's sidecar proxy design, where each service in the mesh has its own dedicated sidecar proxy to handle its inbound and outbound traffic. This ensures that communication between processes is controlled and one process cannot modify the executing code of another process. + related-observations: + - observation-uuid: 1cc8559c-f4df-46bc-9adb-7f5923a9de91 + - observation-uuid: 435f54e2-3606-4250-9e16-79326844e82e + target: + status: + state: satisfied + target-id: sc-39 + type: objective-id + title: 'Validation Result - Control: sc-39' + uuid: 7e308fb9-473e-4695-a9f0-d716c8b2b47c + - description: | + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 86bc4fb7-f91b-4f2c-b914-65427951018c + # Control Implementation + Istio enforces outbound traffic goes through an Egress Gateway with a Network Policy. 
+ related-observations: + - observation-uuid: 1cc8559c-f4df-46bc-9adb-7f5923a9de91 + - observation-uuid: daf64ecb-b110-4c6e-907f-7b4cd8831232 + - observation-uuid: 46256c29-c662-4f0c-a037-bf1c534dee59 + target: + status: + state: not-satisfied + target-id: sc-4 + type: objective-id + title: 'Validation Result - Control: sc-4' + uuid: 036754b0-047d-48cf-a8c5-fa87601994c5 + - description: | + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 82d3ab37-b934-4731-9198-56ced7d92708 + # Control Description "a. Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system; b. Implement subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and c. Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture." + # Control Implementation NeuVector monitors all communications to external interfaces by only connecting to external networks through managed interfaces and utilizes whitelists and blacklists for rules at Layer 7. + target: + status: + state: not-satisfied + target-id: sc-7 + type: objective-id + title: 'Validation Result - Control: sc-7' + uuid: 5d65f54a-91fd-4e77-9afa-8099bd131959 + - description: | + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 30b49a3e-ad38-441d-8c07-5a9018848a02 + # Control Implementation + Istio is configured to dynamically isolate certain internal system components when necessary. 
This is achieved through Istio's network policies, which allow us to partition or separate system components + related-observations: + - observation-uuid: 1cc8559c-f4df-46bc-9adb-7f5923a9de91 + - observation-uuid: dbc9b893-9847-4ffa-8a91-7642f18f9784 + - observation-uuid: 435f54e2-3606-4250-9e16-79326844e82e + target: + status: + state: satisfied + target-id: sc-7.20 + type: objective-id + title: 'Validation Result - Control: sc-7.20' + uuid: 80ffa744-8c84-4b5e-9188-722b4f6542ca + - description: | + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: c9a1e9bc-3caa-44ce-a300-ecd722487987 + # Control Implementation + Istio is configured to isolate system components that perform different mission or business functions. This is achieved through Istio's network policies and mutual TLS, which allow us to control information flows and provide enhanced protection. + related-observations: + - observation-uuid: 1cc8559c-f4df-46bc-9adb-7f5923a9de91 + - observation-uuid: dbc9b893-9847-4ffa-8a91-7642f18f9784 + - observation-uuid: 435f54e2-3606-4250-9e16-79326844e82e + target: + status: + state: satisfied + target-id: sc-7.21 + type: objective-id + title: 'Validation Result - Control: sc-7.21' + uuid: 7d23eb48-f3ea-4d3c-9971-68cf25c62ba0 + - description: | + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 85df9e6c-3d94-4c60-9a20-8c481831f1e0 + # Control Implementation + Istio is configured to provide managed interfaces for external telecommunication services, establish traffic flow policies, and protect the confidentiality and integrity of transmitted information. It also prevents unauthorized exchange of control plane traffic and filters unauthorized control plane traffic. 
+ related-observations: + - observation-uuid: 1cc8559c-f4df-46bc-9adb-7f5923a9de91 + - observation-uuid: 73aaf428-603c-447a-ad38-8ce66b7795f1 + - observation-uuid: 3b856533-2206-4ebd-932e-645886b20b10 + - observation-uuid: 610a3b9c-269e-47c7-8b2c-9412bc822e80 + target: + status: + state: satisfied + target-id: sc-7.4 + type: objective-id + title: 'Validation Result - Control: sc-7.4' + uuid: 4edd983b-bb0a-4c16-a0f8-d827f52d39fc + - description: | + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 4b930af3-ae84-43ff-b751-448fe1c2eec8 + # Control Implementation + is configured to route internal communications traffic to external networks through authenticated proxy servers at managed interfaces, using its Egress Gateway. + related-observations: + - observation-uuid: 1cc8559c-f4df-46bc-9adb-7f5923a9de91 + - observation-uuid: 46256c29-c662-4f0c-a037-bf1c534dee59 + - observation-uuid: 20db9c5e-e962-47ca-a0ab-c43b52d7b56e + target: + status: + state: not-satisfied + target-id: sc-7.8 + type: objective-id + title: 'Validation Result - Control: sc-7.8' + uuid: f810556d-285b-4e75-b6ec-971235a3ffaa + - description: | + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 132fb1ff-8b58-4cfd-8ad4-c01605d89f24 + # Control Description Protect the [confidentiality AND integrity] of transmitted information. + # Control Implementation Data in transit is protected using a TLS connection and secured between components within the data center using an internal certificate until it is terminated at the application node. This ensures that data in transit is encrypted using SSL. + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 7548b4ee-e4a3-4e3c-a34b-95eccad45f92 + # Control Implementation + Istio is configured to protect the confidentiality and integrity of transmitted information across both internal and external networks. 
This is achieved through Istio's mutual TLS, which encrypts service-to-service communication, ensuring that data in transit is not exposed to the possibility of interception and modification. + related-observations: + - observation-uuid: 1cc8559c-f4df-46bc-9adb-7f5923a9de91 + - observation-uuid: dbc9b893-9847-4ffa-8a91-7642f18f9784 + - observation-uuid: 435f54e2-3606-4250-9e16-79326844e82e + target: + status: + state: not-satisfied + target-id: sc-8 + type: objective-id + title: 'Validation Result - Control: sc-8' + uuid: a43fb38e-2aa9-4cc2-b7a7-103202c1ed5d + - description: | + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 69415B92-0490-4A14-9E0F-E1EE61951F9C + # Control Implementation + Istio is configured to protect the confidentiality and integrity of transmitted information across both internal and external networks. This is achieved through Istio's mutual TLS, which encrypts service-to-service communication, ensuring that data in transit is not exposed to the possibility of interception and modification. + related-observations: + - observation-uuid: 1cc8559c-f4df-46bc-9adb-7f5923a9de91 + - observation-uuid: dbc9b893-9847-4ffa-8a91-7642f18f9784 + - observation-uuid: 435f54e2-3606-4250-9e16-79326844e82e + target: + status: + state: satisfied + target-id: sc-8.1 + type: objective-id + title: 'Validation Result - Control: sc-8.1' + uuid: 60aafba4-0b1b-41f1-bb67-11bf0a54f83a + - description: | + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: c158b75a-cefc-4794-b124-f1e56ff5646d + # Control Implementation + Istio implements with global configuration. 
+ related-observations: + - observation-uuid: 1cc8559c-f4df-46bc-9adb-7f5923a9de91 + - observation-uuid: dbc9b893-9847-4ffa-8a91-7642f18f9784 + - observation-uuid: 435f54e2-3606-4250-9e16-79326844e82e + - observation-uuid: 3b856533-2206-4ebd-932e-645886b20b10 + target: + status: + state: satisfied + target-id: sc-8.2 + type: objective-id + title: 'Validation Result - Control: sc-8.2' + uuid: e588b254-b0df-4115-849d-5ad7d250acf1 + - description: | + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 9b4c7011-aa35-4f61-ade2-7c070bb51767 + # Control Description "a. Generate error messages that provide information necessary for corrective actions without revealing information that could be exploited; and b. Reveal error messages only to [Assignment: organization-defined personnel or roles]." + # Control Implementation NeuVector correlates configuration data and network traffic for error tracking to provide context around misconfigurations and threats in the form of actionable alerts. + target: + status: + state: not-satisfied + target-id: si-11 + type: objective-id + title: 'Validation Result - Control: si-11' + uuid: 901febde-3027-47e6-97b4-ed8ee9ed29da + - description: | + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 4faa4029-52bc-4d7f-9896-e43c6731d5e5 + # Control Description "(a) Measure the time between flaw identification and flaw remediation; and (b) Establish the following benchmarks for taking corrective actions: [Assignment: organization-defined benchmarks]." + # Control Implementation NeuVector continually monitors your Kubernetes environments to detect misconfigurations, advanced network threats, and vulnerable hosts with all attempts to exploit a vulnerability is documented. 
+ target: + status: + state: not-satisfied + target-id: si-2.3 + type: objective-id + title: 'Validation Result - Control: si-2.3' + uuid: 123c7cb2-309d-4f95-832b-3476367d80df + - description: | + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: c83fdce5-53f5-4860-a586-242d044efaa9 + # Control Description "a. Monitor the system to detect: 1. Attacks and indicators of potential attacks in accordance with the following monitoring objectives: [Assignment: organization-defined monitoring objectives]; and 2. Unauthorized local, network, and remote connections; b. Identify unauthorized use of the system through the following techniques and methods: [Assignment: organization-defined techniques and methods]; c. Invoke internal monitoring capabilities or deploy monitoring devices: 1. Strategically within the system to collect organization-determined essential information; and 2. At ad hoc locations within the system to track specific types of transactions of interest to the organization; d. Analyze detected events and anomalies; e. Adjust the level of system monitoring activity when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation; f. Obtain legal opinion regarding system monitoring activities; and g. Provide [Assignment: organization-defined system monitoring information] to [Assignment: organization-defined personnel or roles] [Selection (one or more): as needed; [Assignment: organization-defined frequency]]." + # Control Implementation NeuVector continually monitors your Kubernetes environments to detect misconfigurations, advanced network threats, and vulnerable hosts with all attempts to exploit a vulnerability is documented. 
+ target: + status: + state: not-satisfied + target-id: si-4 + type: objective-id + title: 'Validation Result - Control: si-4' + uuid: af7893bd-83c9-4318-9ed0-dd50582609d5 + - description: | + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: ac61e461-5fb8-4cf1-89ff-36d002056fda + # Control Description "a. Receive system security alerts, advisories, and directives from [Assignment: o include US-CERT] on an ongoing basis; b. Generate internal security alerts, advisories, and directives as deemed necessary; c. Disseminate security alerts, advisories, and directives to: [Selection (one or more): [Assignment: organization-defined personnel or roles]; to include system security personnel and administrators with configuration/patch-management responsibilities and d. Implement security directives in accordance with established time frames, or notify the issuing organization of the degree of noncompliance." + # Control Implementation NeuVector correlates configuration data with user behavior and network traffic to provide context around misconfigurations and threats in the form of actionable alerts. + target: + status: + state: not-satisfied + target-id: si-5 + type: objective-id + title: 'Validation Result - Control: si-5' + uuid: d75021f4-afad-46ca-a3e0-f5164db3147f + - description: | + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 80552838-9db8-41f7-9603-d91f884aa7bb + # Control Description "a. Verify the correct operation of [Assignment: organization-defined security and privacy functions]; b. Perform the verification of the functions specified in SI-6a [Selection (one or more): [Assignment: to include upon system startup and/or restart]; upon command by user with appropriate privilege; [Assignment: at least monthly]]; c. Alert [Assignment: to include system administrators and security personnel] to failed security and privacy verification tests; and d. 
[Selection (one or more): Shut the system down; Restart the system; [Assignment: organization-defined alternative action (s)]] when anomalies are discovered." + # Control Implementation NeuVector correlates configuration data and network traffic to provide context around verification in the form of actionable alerts. + target: + status: + state: not-satisfied + target-id: si-6 + type: objective-id + title: 'Validation Result - Control: si-6' + uuid: 8f936748-3181-4885-b5d4-519cffa1d992 + observations: + - collected: 2024-08-06T02:58:06.749191822Z + description: | + [TEST]: 663f5e92-6db4-4042-8b5a-eba3ebe5a622 - lula-validation-error + methods: + - TEST + relevant-evidence: + - description: | + Result: not-satisfied + remarks: | + Error getting Lula validation #663f5e92-6db4-4042-8b5a-eba3ebe5a622: validation failed: [{/required file:///home/runner/work/uds-core/uds-core/compliance/validation#/required missing properties: 'domain' }] + uuid: a05d03e1-4f9c-476b-a657-2607a0c86258 + - collected: 2024-08-06T02:58:06.749221207Z + description: | + [TEST]: ecdb90c7-971a-4442-8f29-a8b0f6076bc9 - lula-validation-error + methods: + - TEST + relevant-evidence: + - description: | + Result: not-satisfied + remarks: | + Error getting Lula validation #ecdb90c7-971a-4442-8f29-a8b0f6076bc9: validation failed: [{/required file:///home/runner/work/uds-core/uds-core/compliance/validation#/required missing properties: 'domain', 'provider' }] + uuid: 46256c29-c662-4f0c-a037-bf1c534dee59 + - collected: 2024-08-06T02:58:06.749255782Z + description: | + [TEST]: fbe5855d-b4ea-4ff5-9f0d-5901d620577a - lula-validation-error + methods: + - TEST + relevant-evidence: + - description: | + Result: not-satisfied + remarks: | + Error getting Lula validation #fbe5855d-b4ea-4ff5-9f0d-5901d620577a: validation failed: [{/required file:///home/runner/work/uds-core/uds-core/compliance/validation#/required missing properties: 'domain', 'provider' }] + uuid: af55317a-a3b8-42b9-8ba8-d859748635b5 + - 
collected: 2024-08-06T02:58:06.85546841Z + description: | + [TEST]: 1761ac07-80dd-47d2-947e-09f67943b986 - all-pods-istio-injected + methods: + - TEST + relevant-evidence: + - description: | + Result: satisfied + remarks: | + validate.exempt_namespaces_msg: Exempted Namespaces: istio-admin-gateway, istio-passthrough-gateway, istio-system, istio-tenant-gateway, kube-system, uds-dev-stack, zarf + validate.msg: All pods have Istio sidecar proxy. + uuid: 435f54e2-3606-4250-9e16-79326844e82e + - collected: 2024-08-06T02:58:06.861988088Z + description: | + [TEST]: ca49ac97-487a-446a-a0b7-92b20e2c83cb - enforce-mtls-strict + methods: + - TEST + relevant-evidence: + - description: | + Result: satisfied + remarks: | + validate.msg: All PeerAuthentications have mtls mode set to STRICT. + uuid: dbc9b893-9847-4ffa-8a91-7642f18f9784 + - collected: 2024-08-06T02:58:06.868755824Z + description: | + [TEST]: fd071676-6b92-4e1c-a4f0-4c8d2bd55aed - ingress-traffic-encrypted + methods: + - TEST + relevant-evidence: + - description: | + Result: satisfied + remarks: | + validate.msg: All gateways encrypt ingress traffic + validate.msg_exempt: Exempted Gateways: istio-passthrough-gateway/passthrough-gateway + uuid: ff67f994-802a-4668-a261-f0cbfb7982d5 + - collected: 2024-08-06T02:58:06.868804496Z + description: | + [TEST]: 73434890-2751-4894-b7b2-7e583b4a8977 - lula-validation-error + methods: + - TEST + relevant-evidence: + - description: | + Result: not-satisfied + remarks: | + Error getting Lula validation #73434890-2751-4894-b7b2-7e583b4a8977: validation failed: [{/required file:///home/runner/work/uds-core/uds-core/compliance/validation#/required missing properties: 'domain', 'provider' }] + uuid: e12e332c-6a86-43e8-9403-94824b948f45 + - collected: 2024-08-06T02:58:06.868833069Z + description: | + [TEST]: 9bfc68e0-381a-4006-9f68-c293e3b20cee - lula-validation-error + methods: + - TEST + relevant-evidence: + - description: | + Result: not-satisfied + remarks: | + Error getting Lula 
validation #9bfc68e0-381a-4006-9f68-c293e3b20cee: validation failed: [{/required file:///home/runner/work/uds-core/uds-core/compliance/validation#/required missing properties: 'domain', 'provider' }] + uuid: 48a7c266-3ce0-4c63-b782-335c2461afc6 + - collected: 2024-08-06T02:58:06.875936601Z + description: | + [TEST]: b0a8f21e-b12f-47ea-a967-2f4a3ec69e44 - gateway-configuration-check + methods: + - TEST + relevant-evidence: + - description: | + Result: satisfied + remarks: | + validate.msg: Only allowed gateways found. All gateway types found. + validate.msg_existing_gateways: istio-admin-gateway/admin-gateway, istio-passthrough-gateway/passthrough-gateway, istio-tenant-gateway/tenant-gateway + validate.msg_allowed_gateways: admin, passthrough, tenant + uuid: 610a3b9c-269e-47c7-8b2c-9412bc822e80 + - collected: 2024-08-06T02:58:06.880031826Z + description: | + [TEST]: 7b045b2a-106f-4c8c-85d9-ae3d7a8e0e28 - istio-rbac-enforcement-check + methods: + - TEST + relevant-evidence: + - description: | + Result: satisfied + remarks: | + validate.msg: Istio RBAC enforced + validate.msg_authPolicies: Authorization Policies: keycloak/keycloak-block-admin-access-from-public-gateway + uuid: d517a52c-6742-4c6a-94f4-b6716aa64879 + - collected: 2024-08-06T02:58:06.880074886Z + description: | + [TEST]: 9b361d7b-4e07-40db-8b86-3854ed499a4b - lula-validation-error + methods: + - TEST + relevant-evidence: + - description: | + Result: not-satisfied + remarks: | + Error getting Lula validation #9b361d7b-4e07-40db-8b86-3854ed499a4b: validation failed: [{/required file:///home/runner/work/uds-core/uds-core/compliance/validation#/required missing properties: 'domain', 'provider' }] + uuid: 9da482e6-b1b4-47d5-b88c-ea78cb1a6089 + - collected: 2024-08-06T02:58:06.888036681Z + description: | + [TEST]: 67456ae8-4505-4c93-b341-d977d90cb125 - istio-health-check + methods: + - TEST + relevant-evidence: + - description: | + Result: satisfied + remarks: | + istiohealth.deployment_message: All deployment 
conditions are true. + istiohealth.hpa_message: HPA has sufficient replicas. + uuid: 1cc8559c-f4df-46bc-9adb-7f5923a9de91 + - collected: 2024-08-06T02:58:06.986972859Z + description: | + [TEST]: f345c359-3208-46fb-9348-959bd628301e - istio-prometheus-annotations-validation + methods: + - TEST + relevant-evidence: + - description: | + Result: satisfied + remarks: | + validate.msg: All pods have correct prometheus annotations. + validate.exempt_namespaces_msg: Exempted Namespaces: istio-system, kube-system, uds-dev-stack, zarf + uuid: a906a088-3147-44cb-8d7b-69058d1d8484 + - collected: 2024-08-06T02:58:06.987037129Z + description: | + [TEST]: 8be1601e-5870-4573-ab4f-c1c199944815 - lula-validation-error + methods: + - TEST + relevant-evidence: + - description: | + Result: not-satisfied + remarks: | + Error getting Lula validation #8be1601e-5870-4573-ab4f-c1c199944815: validation failed: [{/required file:///home/runner/work/uds-core/uds-core/compliance/validation#/required missing properties: 'domain' } {/properties/provider/$ref/properties/opa-spec/$ref/properties/rego/pattern file:///home/runner/work/uds-core/uds-core/compliance/validation#/definitions/opaSpec/properties/rego/pattern /provider/opa-spec/rego does not match pattern '.*\\S\\s\\n.*' package validate + default validate := false + # How to prove TLS origination is configured at egress + # DestinationRule? + }] + uuid: edc21e52-53cd-4a6a-9e29-1016a56e0cb5 + - collected: 2024-08-06T02:58:07.017260415Z + description: | + [TEST]: 570e2dc7-e6c2-4ad5-8ea3-f07974f59747 - secure-communication-with-istiod + methods: + - TEST + relevant-evidence: + - description: | + Result: satisfied + remarks: | + validate.msg_correct: NetworkPolicies correctly configured for istiod in namespaces: authservice, grafana, keycloak, loki, metrics-server, monitoring, neuvector, promtail, velero. + validate.msg_incorrect: No incorrect istiod NetworkPolicies found. 
+ uuid: 73aaf428-603c-447a-ad38-8ce66b7795f1 + - collected: 2024-08-06T02:58:07.017384197Z + description: | + [TEST]: 19faf69a-de74-4b78-a628-64a9f244ae13 - lula-validation-error + methods: + - TEST + relevant-evidence: + - description: | + Result: not-satisfied + remarks: | + Error getting Lula validation #19faf69a-de74-4b78-a628-64a9f244ae13: validation failed: [{/required file:///home/runner/work/uds-core/uds-core/compliance/validation#/required missing properties: 'domain' } {/properties/provider/$ref/properties/opa-spec/$ref/properties/rego/pattern file:///home/runner/work/uds-core/uds-core/compliance/validation#/definitions/opaSpec/properties/rego/pattern /provider/opa-spec/rego does not match pattern '.*\\S\\s\\n.*' package validate + default validate := false + # This policy could check meshConfig.outboundTrafficPolicy.mode (default is ALLOW_ANY) + # Possibly would need a ServiceEntry(?) + # (https://istio.io/latest/docs/tasks/traffic-management/egress/egress-control/#envoy-passthrough-to-external-services) + }] + uuid: 20db9c5e-e962-47ca-a0ab-c43b52d7b56e + - collected: 2024-08-06T02:58:07.025304675Z + description: | + [TEST]: 0da39859-a91a-4ca6-bd8b-9b117689188f - all-namespaces-istio-injected + methods: + - TEST + relevant-evidence: + - description: | + Result: not-satisfied + remarks: | + validate.msg: Non-Istio-injected namespaces: {"authservice-test-app", "podinfo", "test-admin-app", "test-tenant-app"} + validate.exempted_namespaces_msg: Exempted Namespaces: default, istio-admin-gateway, istio-passthrough-gateway, istio-system, istio-tenant-gateway, kube-node-lease, kube-public, kube-system, uds-crds, uds-dev-stack, uds-policy-exemptions, zarf + uuid: f25d32b1-4bbd-4309-a96e-99fb8f484c88 + - collected: 2024-08-06T02:58:07.025349479Z + description: | + [TEST]: 7455f86d-b79c-4226-9ce3-f3fb7d9348c8 - lula-validation-error + methods: + - TEST + relevant-evidence: + - description: | + Result: not-satisfied + remarks: | + Error getting Lula validation 
#7455f86d-b79c-4226-9ce3-f3fb7d9348c8: validation failed: [{/required file:///home/runner/work/uds-core/uds-core/compliance/validation#/required missing properties: 'domain', 'provider' }] + uuid: daf64ecb-b110-4c6e-907f-7b4cd8831232 + - collected: 2024-08-06T02:58:07.03317813Z + description: | + [TEST]: 90738c86-6315-450a-ac69-cc50eb4859cc - check-istio-logging-all-traffic + methods: + - TEST + relevant-evidence: + - description: | + Result: satisfied + remarks: | + validate.msg: Istio is logging all traffic + uuid: 9e4a8aa7-2736-4aad-8b08-7fcee4fa2a68 + - collected: 2024-08-06T02:58:07.041938066Z + description: | + [TEST]: 70d99754-2918-400c-ac9a-319f874fff90 - istio-metrics-logging-configured + methods: + - TEST + relevant-evidence: + - description: | + Result: satisfied + remarks: | + validate.msg: Metrics logging supported. + uuid: 06449da5-4cb5-4a5e-922d-5309d5c8f0c8 + - collected: 2024-08-06T02:58:07.0520707Z + description: | + [TEST]: c6c9daf1-4196-406d-8679-312c0512ab2e - check-istio-admin-gateway-and-usage + methods: + - TEST + relevant-evidence: + - description: | + Result: satisfied + remarks: | + validate.msg: Admin gateway exists. Admin virtual services are using admin gateway. + uuid: 362043c5-ea38-4c11-83e3-35d34b79c938 + - collected: 2024-08-06T02:58:07.056306187Z + description: | + [TEST]: fbd877c8-d6b6-4d88-8685-2c4aaaab02a1 - istio-enforces-authorized-keycloak-access + methods: + - TEST + relevant-evidence: + - description: | + Result: satisfied + remarks: | + validate.msg: AuthorizationPolicy restricts access to Keycloak admin. + uuid: 3b856533-2206-4ebd-932e-645886b20b10 + - collected: 2024-08-06T02:58:07.064560781Z + description: | + [TEST]: f346b797-be35-40a8-a93a-585db6fd56ec - istio-tracing-logging-support + methods: + - TEST + relevant-evidence: + - description: | + Result: not-satisfied + remarks: | + validate.msg: Tracing logging not supported. 
+ uuid: 94477b5d-84b7-427c-88b3-71367c501528 + - collected: 2024-08-06T02:58:07.0646133Z + description: | + [TEST]: 98b97ec9-a9ce-4444-83d8-71066270a424 - lula-validation-error + methods: + - TEST + relevant-evidence: + - description: | + Result: not-satisfied + remarks: | + Error getting Lula validation #98b97ec9-a9ce-4444-83d8-71066270a424: validation failed: [{/required file:///home/runner/work/uds-core/uds-core/compliance/validation#/required missing properties: 'domain', 'provider' }] + uuid: a1236290-6057-4695-b4bd-20dd2981d60d + - collected: 2024-08-06T02:58:07.064634109Z + description: | + [TEST]: 0be7345d-e9d3-4248-9c14-5fed8e7bfa01 - lula-validation-error + methods: + - TEST + relevant-evidence: + - description: | + Result: not-satisfied + remarks: | + Error getting Lula validation #0be7345d-e9d3-4248-9c14-5fed8e7bfa01: validation failed: [{/required file:///home/runner/work/uds-core/uds-core/compliance/validation#/required missing properties: 'domain', 'provider' }] + uuid: d265b5b6-9306-4c22-ad35-d6f00a41920e + props: + - name: threshold + ns: https://docs.lula.dev/oscal/ns + value: "true" + - name: target + ns: https://docs.lula.dev/oscal/ns + value: il4 + reviewed-controls: + control-selections: + - description: Controls Assessed by Lula + include-controls: + - control-id: ac-14 + - control-id: ac-2 + - control-id: ac-2.1 + - control-id: ac-3 + - control-id: ac-4 + - control-id: ac-4.21 + - control-id: ac-4.4 + - control-id: ac-5 + - control-id: ac-6 + - control-id: ac-6.1 + - control-id: ac-6.10 + - control-id: ac-6.3 + - control-id: ac-6.9 + - control-id: au-11 + - control-id: au-12 + - control-id: au-12.1 + - control-id: au-2 + - control-id: au-3 + - control-id: au-3.1 + - control-id: au-4 + - control-id: au-5.1 + - control-id: au-5.2 + - control-id: au-6 + - control-id: au-6.1 + - control-id: au-6.3 + - control-id: au-6.5 + - control-id: au-6.6 + - control-id: au-7 + - control-id: au-7.1 + - control-id: au-8 + - control-id: au-9 + - control-id: 
au-9.2 + - control-id: au-9.4 + - control-id: au7.1 + - control-id: ca-2.2 + - control-id: ca-7 + - control-id: cm-5 + - control-id: cm-6 + - control-id: cm-7 + - control-id: cp-10 + - control-id: cp-10.4 + - control-id: cp-6 + - control-id: cp-6.1 + - control-id: cp-6.2 + - control-id: cp-6.3 + - control-id: cp-7 + - control-id: cp-7.1 + - control-id: cp-7.2 + - control-id: cp-9 + - control-id: cp-9.1 + - control-id: cp-9.2 + - control-id: cp-9.3 + - control-id: cp-9.5 + - control-id: cp-9.8 + - control-id: ra-5 + - control-id: ra-5.2 + - control-id: ra-5.3 + - control-id: ra-5.5 + - control-id: sa-11 + - control-id: sa-11.1 + - control-id: sc-10 + - control-id: sc-13 + - control-id: sc-23 + - control-id: sc-3 + - control-id: sc-39 + - control-id: sc-4 + - control-id: sc-7 + - control-id: sc-7.20 + - control-id: sc-7.21 + - control-id: sc-7.4 + - control-id: sc-7.8 + - control-id: sc-8 + - control-id: sc-8.1 + - control-id: sc-8.2 + - control-id: si-11 + - control-id: si-2.3 + - control-id: si-4 + - control-id: si-5 + - control-id: si-6 + description: Controls validated + remarks: Validation performed may indicate full or partial satisfaction + start: 2024-08-06T02:58:07.070919511Z + title: Lula Validation Result + uuid: f246b0cb-f71a-41b0-a2fe-7ef03c16c754 + - description: Assessment results for performing Validations with Lula version v0.4.1 + findings: + - description: |- + # Control Implementation + Istio implements with service to service and provides authorization policies that require authentication to access any non-public features. 
+ related-observations: + - observation-uuid: f920e554-a7c0-4315-89ec-037e7e971ead + - observation-uuid: 31654aca-4189-447d-b5e6-4928c5acc603 + target: + status: + state: satisfied + target-id: ac-14 + type: objective-id + title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ac-14' + uuid: d61c76bb-7552-492f-a39e-e7da0748e84c + - description: |- + # Control Description "a. Define and document the types of accounts allowed and specifically prohibited for use within the system; b. Assign account managers; c. Require [Assignment: organization-defined prerequisites and criteria] for group and role membership; d. Specify: 1. Authorized users of the system; 2. Group and role membership; and 3. Access authorizations (i.e., privileges) and [Assignment: organization-defined attributes (as required)] for each account; e. Require approvals by [Assignment: organization-defined personnel or roles] for requests to create accounts; f. Create, enable, modify, disable, and remove accounts in accordance with [Assignment: organization-defined policy, procedures, prerequisites, and criteria]; g. Monitor the use of accounts; h. Notify account managers and [Assignment: organization-defined personnel or roles] within: 1. [Assignment: twenty-four (24) hours] when accounts are no longer required; 2. [Assignment: eight (8) hours] when users are terminated or transferred; and 3. [Assignment: eight (8) hours] when system usage or need-to-know changes for an individual; i. Authorize access to the system based on: 1. A valid access authorization; 2. Intended system usage; and 3. [Assignment: organization-defined attributes (as required)]; j. Review accounts for compliance with account management requirements [Assignment: monthly for privileged accessed, every six (6) months for non-privileged access]; k. 
Establish and implement a process for changing shared or group account authenticators (if deployed) when individuals are removed from the group; and l. Align account management processes with personnel termination and transfer processes." + # Control Implementation NeuVector supports internal user accounts and roles in addition to LDAP and SSO for providing RBAC access. + target: + status: + state: not-satisfied + target-id: ac-2 + type: objective-id + title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ac-2' + uuid: 35b172fc-505d-441c-a498-358eb777ed24 + - description: |- + # Control Description Support the management of system accounts using [Assignment: organization-defined automated mechanisms]. + # Control Implementation NeuVector supports internal user accounts and roles in addition to LDAP and SSO for providing RBAC access. + target: + status: + state: not-satisfied + target-id: ac-2.1 + type: objective-id + title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ac-2.1' + uuid: 0a50cb43-5018-4190-a89a-f8aca2005186 + - description: |- + # Control Description Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. + # Control Implementation NeuVector supports internal user accounts and roles in addition to LDAP and SSO for providing RBAC access. 
+ target: + status: + state: not-satisfied + target-id: ac-3 + type: objective-id + title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ac-3' + uuid: 574305f1-0e70-4cc7-85c3-fcfa94943753 + - description: |- + # Control Implementation + Istio encrypts all in-mesh communication at runtime using FIPS verified mTLS in addition to ingress and egress gateways for controlling communication. + related-observations: + - observation-uuid: f920e554-a7c0-4315-89ec-037e7e971ead + - observation-uuid: f6a130b1-bdb8-41de-8921-c1c373023f59 + - observation-uuid: 3d86e5f1-bf50-43c1-a3d8-4f9d26311481 + - observation-uuid: 60ff69f7-6d6f-4b92-a0a4-4ecd2df24b52 + target: + status: + state: satisfied + target-id: ac-4 + type: objective-id + title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ac-4' + uuid: 86b4aa9e-cdb4-499d-b93a-8f0a76ac4c6b + - description: |- + # Control Implementation + Istio is configured to use ingress and egress gateways to provide logical flow separation. + related-observations: + - observation-uuid: f920e554-a7c0-4315-89ec-037e7e971ead + - observation-uuid: 4df2137a-de64-4d02-8121-1911fc9dedab + - observation-uuid: 4e69dd7e-0ba5-489c-82fd-bdfdd3d80afd + - observation-uuid: 2639ccbf-1a94-440e-b820-90e957f6987c + target: + status: + state: not-satisfied + target-id: ac-4.21 + type: objective-id + title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ac-4.21' + uuid: 5b7406b7-334a-4a50-8013-bd63b566c391 + - description: |- + # Control Implementation + All encrypted HTTPS connections are terminated at the Istio ingress gateway. 
+ related-observations: + - observation-uuid: f920e554-a7c0-4315-89ec-037e7e971ead + - observation-uuid: f6a130b1-bdb8-41de-8921-c1c373023f59 + - observation-uuid: 3d86e5f1-bf50-43c1-a3d8-4f9d26311481 + - observation-uuid: 60ff69f7-6d6f-4b92-a0a4-4ecd2df24b52 + target: + status: + state: satisfied + target-id: ac-4.4 + type: objective-id + title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ac-4.4' + uuid: d24258c7-b611-4c00-b387-518682e288a5 + - description: |- + # Control Description "a. Identify and document [Assignment: organization-defined duties of individuals requiring separation]; and b. Define system access authorizations to support separation of duties." + # Control Implementation Loki implements RBAC to define system authorization and separation of duties. + target: + status: + state: not-satisfied + target-id: ac-5 + type: objective-id + title: 'Validation Result - Component:a735b5a4-aabd-482d-b335-60ddcd4b1c00 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ac-5' + uuid: 98b4b967-b087-4514-af76-47fbdd301940 + - description: |- + # Control Description Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks. + # Control Implementation NeuVector supports mapping internal user accounts and roles in addition to LDAP and SSO roles or groups for providing RBAC access. 
+ target: + status: + state: not-satisfied + target-id: ac-6 + type: objective-id + title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ac-6' + uuid: 425a62e9-d211-4b56-9ed3-ae145e4bda7a + - description: |- + # Control Description "Authorize access for [Assignment: organization-defined individuals or roles] to: (a) [Assignment: organization-defined all functions not publicly accessible]; and (b) [Assignment: organization-defined all security-relevant information not publicly available]." + # Control Implementation NeuVector supports mapping internal user accounts and roles in addition to LDAP and SSO roles or groups for providing RBAC access. + target: + status: + state: not-satisfied + target-id: ac-6.1 + type: objective-id + title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ac-6.1' + uuid: e0522516-4f01-4319-963c-b61ffc714e5d + - description: |- + # Control Description Prevent non-privileged users from executing privileged functions. + # Control Implementation Loki layers an additional RBAC layer that prohibits non-privileged users from executing privileged functions. + target: + status: + state: not-satisfied + target-id: ac-6.10 + type: objective-id + title: 'Validation Result - Component:a735b5a4-aabd-482d-b335-60ddcd4b1c00 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ac-6.10' + uuid: 1fdec6d5-12a6-4400-bb86-65811be00806 + - description: |- + # Control Implementation + Configured with an "admin" gateway to restrict access to applications that only need administrative access. 
+ related-observations: + - observation-uuid: f920e554-a7c0-4315-89ec-037e7e971ead + - observation-uuid: 4e69dd7e-0ba5-489c-82fd-bdfdd3d80afd + target: + status: + state: not-satisfied + target-id: ac-6.3 + type: objective-id + title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ac-6.3' + uuid: 02a7b8e8-c6cf-4263-ad16-65d64957169f + - description: |- + # Control Description Log the execution of privileged functions. + # Control Implementation Privileged events, including updating the deployment of an application, or use of privileged containers are collected as metrics by prometheus and displayed by Grafana. + related-observations: + - observation-uuid: 053bdc9e-654d-4287-adf1-02c14e77ece1 + - observation-uuid: c18cb484-a3d7-4f1b-9de2-bc40675ebef6 + target: + status: + state: not-satisfied + target-id: ac-6.9 + type: objective-id + title: 'Validation Result - Component:375f8171-3eb9-48d6-be3c-c8f1c0fe05fa / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ac-6.9' + uuid: b5e568c2-539e-45f2-9aa6-b31dd4ddf30b + - description: |- + # Control Description Retain audit records for [Assignment: at least one (1) year] to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements. + # Control Implementation Can configure audit record storage retention policy for defined periods of time via the store(s) Loki is configured to use. 
+ target: + status: + state: not-satisfied + target-id: au-11 + type: objective-id + title: 'Validation Result - Component:a735b5a4-aabd-482d-b335-60ddcd4b1c00 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-11' + uuid: 1133f9d6-790b-4f66-ba94-89ce6cf7ed26 + - description: |- + # Control Implementation + Istio provides audit record generation capabilities for a variety of event types, including session, connection, transaction, or activity durations, and the number of bytes received and sent. + related-observations: + - observation-uuid: f920e554-a7c0-4315-89ec-037e7e971ead + - observation-uuid: 337f9bea-6f8e-4c89-8142-4474083105e6 + target: + status: + state: satisfied + target-id: au-12 + type: objective-id + title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-12' + uuid: f0b63c33-bdbd-43bb-9a36-4a386e4567eb + - description: |- + # Control Description Compile audit records from [Assignment: all network, data storage, and computing devices] into a system-wide (logical or physical) audit trail that is time-correlated to within [Assignment: organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail]. + # Control Implementation Compatible metrics endpoints emitted from each application is compiled by Prometheus and displayed through Grafana with associated timestamps of when the data was collected. + target: + status: + state: not-satisfied + target-id: au-12.1 + type: objective-id + title: 'Validation Result - Component:375f8171-3eb9-48d6-be3c-c8f1c0fe05fa / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-12.1' + uuid: 832e1041-64e8-4455-8331-48025d4cdfbc + - description: |- + # Control Description a. 
Identify the types of events that the system is capable of logging in support of the audit function: [Assignment: successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes]; b. Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged; c. Specify the following event types for logging within the system: [Assignment: organization-defined event types (subset of the event types defined in AU-2a.) along with the frequency of (or situation requiring) logging for each identified event type]; d. Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and e. Review and update the event types selected for logging [Assignment: annually or whenever there is a change in the threat environment]. + # Control Implementation API endpoints suitable for capturing application level metrics are present on each of the supported applications running as containers. In addition, system and cluster level metrics are emitted by containers with read only access to host level information. Metrics are captured and stored by Prometheus, an web server capable of scraping endpoints formatted in the appropriate dimensional data format. Metrics information is stored on disk in a time series data base, and later queried through a separate component providing a web interface for the query language: PromQL. Metrics data can be displayed through a Grafana dashboard for visualization. 
+ related-observations: + - observation-uuid: 053bdc9e-654d-4287-adf1-02c14e77ece1 + - observation-uuid: 65c62b95-df70-4723-bf3b-46799d0536ad + target: + status: + state: not-satisfied + target-id: au-2 + type: objective-id + title: 'Validation Result - Component:375f8171-3eb9-48d6-be3c-c8f1c0fe05fa / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-2' + uuid: ae5e79ac-3535-48f0-b306-fe9cd1f34736 + - description: |- + # Control Description + Audit record content that may be necessary to satisfy the requirement of this control, includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. + Event outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the information system after the event occurred). + + # Control Implementation + Logs are captured by promtail from the node. The node logs will contain the necessary log data from all pods/applications inside the selected nodes. + Validating `logfmt` as the config.logFormat would be the goal. This is currently a secret mounted to /etc/promtail/promtail.yaml in the promtail container. We will ensure the promtail.yaml file is at a minimum the target config. + https://grafana.com/docs/loki/latest/send-data/promtail/stages/logfmt/ + related-observations: + - observation-uuid: f920e554-a7c0-4315-89ec-037e7e971ead + - observation-uuid: b8c97e5c-a953-44f1-9868-42abdb5f36d3 + target: + status: + state: not-satisfied + target-id: au-3 + type: objective-id + title: 'Validation Result - Component:3ca1e9a3-a566-48d1-93af-200abd1245e3 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-3' + uuid: 661fde7a-25f7-4d8f-8673-d95a570001ff + - description: |- + # Control Implementation + Istio has been configured to implement event logging within our environment. 
This includes capturing metrics related to the duration of sessions, connections, transactions, or activities. Specifically, Istio's telemetry features are utilized to capture these metrics, which provide valuable data that can be used to infer the duration of sessions or connections. + related-observations: + - observation-uuid: f920e554-a7c0-4315-89ec-037e7e971ead + - observation-uuid: d6de0a77-9d2c-4332-9ab0-3c97c8b5234c + - observation-uuid: 3d86e5f1-bf50-43c1-a3d8-4f9d26311481 + - observation-uuid: 6fb0ef76-86ad-4629-9e9d-a725ddbf3373 + target: + status: + state: not-satisfied + target-id: au-3.1 + type: objective-id + title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-3.1' + uuid: 612c395f-5036-444a-bfe4-2f9ab941622a + - description: |- + # Control Description Allocate audit log storage capacity to accommodate [Assignment: organization-defined audit log retention requirements]. + # Control Implementation NeuVector can scale elastically based upon actual workload demands to allocate audit log storage capacity. + target: + status: + state: not-satisfied + target-id: au-4 + type: objective-id + title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-4' + uuid: 92598581-3f72-478e-a8f2-33aaeccd56db + - description: |- + # Control Description Provide a warning to [Assignment: organization-defined personnel, roles, and/or locations] within [Assignment: organization-defined time period] when allocated audit log storage volume reaches [Assignment: organization-defined percentage] of repository maximum audit log storage capacity. + # Control Implementation Alertmanager has pre-built alerts for PVC storage thresholds that would fire for PVCs supporting prometheus metrics storage. Metrics data can be displayed through a Grafana dashboard for visualization. 
+ target: + status: + state: not-satisfied + target-id: au-5.1 + type: objective-id + title: 'Validation Result - Component:375f8171-3eb9-48d6-be3c-c8f1c0fe05fa / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-5.1' + uuid: f0e9a25c-2440-4299-8a32-1e9274b98f87 + - description: |- + # Control Description Provide an alert within [Assignment: real-time] to [Assignment: service provider personnel with authority to address failed audit events] when the following audit failure events occur: [Assignment: audit failure events requiring real-time alerts, as defined by organization audit policy]. + # Control Implementation Alertmanager has pre-built alerts for failed pods that would show when ClusterAuditor is not processing events, or prometheus is unable to scrape events. Prometheus also has a deadman's alert to ensure end users are seeing events from prometheus as part of its configuration. Data can be displayed through a Grafana dashboard for visualization. + target: + status: + state: not-satisfied + target-id: au-5.2 + type: objective-id + title: 'Validation Result - Component:375f8171-3eb9-48d6-be3c-c8f1c0fe05fa / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-5.2' + uuid: 4c6f58e6-d210-45a3-bede-b0b758c685de + - description: |- + # Control Description "a. Review and analyze system audit records [Assignment: at least weekly] for indications of [Assignment: organization-defined inappropriate or unusual activity] and the potential impact of the inappropriate or unusual activity; b. Report findings to [Assignment: organization-defined personnel or roles]; and c. Adjust the level of audit record review, analysis, and reporting within the system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information." + # Control Implementation Provides audit record query and analysis capabilities. Organization will implement record review and analysis. 
+ target: + status: + state: not-satisfied + target-id: au-6 + type: objective-id + title: 'Validation Result - Component:a735b5a4-aabd-482d-b335-60ddcd4b1c00 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-6' + uuid: 086b37df-eae0-46d5-a525-ead6453af43f + - description: |- + # Control Description Integrate audit record review, analysis, and reporting processes using [Assignment: organization-defined automated mechanisms]. + # Control Implementation Provides audit record query and analysis capabilities. Organization will implement record review and analysis. + target: + status: + state: not-satisfied + target-id: au-6.1 + type: objective-id + title: 'Validation Result - Component:a735b5a4-aabd-482d-b335-60ddcd4b1c00 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-6.1' + uuid: ec6c6e31-e5df-4836-b5e6-f114d61d1081 + - description: |- + # Control Description Analyze and correlate audit records across different repositories to gain organization-wide situational awareness. + # Control Implementation Aggregating cluster auditor events across multiple sources (clusters) is possible with a multi-cluster deployment of prometheus/grafana. + target: + status: + state: not-satisfied + target-id: au-6.3 + type: objective-id + title: 'Validation Result - Component:375f8171-3eb9-48d6-be3c-c8f1c0fe05fa / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-6.3' + uuid: 5a9912e9-c2e1-4fad-a651-9f84d351bea1 + - description: |- + # Control Description Integrate analysis of audit records with analysis of [Selection (one or more): vulnerability scanning information; performance data; system monitoring information; [Assignment: organization-defined data/information collected from other sources]] to further enhance the ability to identify inappropriate or unusual activity. 
+ # Control Implementation Cluster Auditor's audit data is consolidated with system monitoring tooling (node exporters) for consolidated view to enhance inappropriate or unusual activity. + target: + status: + state: not-satisfied + target-id: au-6.5 + type: objective-id + title: 'Validation Result - Component:108c78a9-5494-4abc-a1e7-f046da419687 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-6.5' + uuid: 66c039ce-0453-481a-a754-0c8ca7e5a4c0 + - description: |- + # Control Description Correlate information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity. + # Control Implementation Cluster Auditor data in prometheus would enable this, but would require prometheus to also obtain access to physical metrics. + target: + status: + state: not-satisfied + target-id: au-6.6 + type: objective-id + title: 'Validation Result - Component:108c78a9-5494-4abc-a1e7-f046da419687 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-6.6' + uuid: 8d2a5829-ee96-4a38-b3b9-a7931b551b02 + - description: |- + # Control Description "Provide and implement an audit record reduction and report generation capability that: a. Supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents; and b. Does not alter the original content or time ordering of audit records." + # Control Implementation Grafana is configured with a pre-built dashboard for policy violations that displays data collected by Cluster Auditor. 
+ target:
+ status:
+ state: not-satisfied
+ target-id: au-7
+ type: objective-id
+ title: 'Validation Result - Component:108c78a9-5494-4abc-a1e7-f046da419687 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-7'
+ uuid: 958794eb-a1a5-4c29-b42c-ddfbabd544d9
+ - description: |-
+ # Control Description Provide and implement the capability to process, sort, and search audit records for events of interest based on the following content: [Assignment: organization-defined fields within audit records].
+ # Control Implementation Grafana is configured with a pre-built dashboard for policy violations that displays data collected by Cluster Auditor.
+ target:
+ status:
+ state: not-satisfied
+ target-id: au-7.1
+ type: objective-id
+ title: 'Validation Result - Component:375f8171-3eb9-48d6-be3c-c8f1c0fe05fa / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-7.1'
+ uuid: d42a6865-6869-4961-a90e-6d82eee7c561
+ - description: |-
+ # Control Description
+ Time stamps generated by the information system include date and time.
+ Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC.
+ Granularity of time measurements refers to the degree of synchronization between information system clocks and reference clocks, for example, clocks synchronizing within hundreds of milliseconds or within tens of milliseconds.
+ Organizations may define different time granularities for different system components.
+ Time service can also be critical to other security capabilities such as access control and identification and authentication, depending on the nature of the mechanisms used to support those capabilities.
+
+ # Control Implementation
+ Records captured by the logging daemon are enriched to ensure the following are always present:
+ * time of the event (UTC).
+ * source of event (pod, namespace, container id).
+ Applications are responsible for providing all other information.
+ Validating `logfmt` as the config.logFormat would be the goal. This is currently a secret mounted to /etc/promtail/promtail.yaml in the promtail container. We will ensure the promtail.yaml file is at a minimum the target config.
+ https://grafana.com/docs/loki/latest/send-data/promtail/stages/logfmt/
+ related-observations:
+ - observation-uuid: 053bdc9e-654d-4287-adf1-02c14e77ece1
+ - observation-uuid: fa62278d-a485-40ec-a660-51845c227040
+ target:
+ status:
+ state: not-satisfied
+ target-id: au-8
+ type: objective-id
+ title: 'Validation Result - Component:3ca1e9a3-a566-48d1-93af-200abd1245e3 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-8'
+ uuid: 0c87ccd3-8a4f-48a9-9be0-69034e18885f
+ - description: |-
+ # Control Description a. Protect audit information and audit logging tools from unauthorized access, modification, and deletion; and b. Alert [Assignment: organization-defined personnel or roles] upon detection of unauthorized access, modification, or deletion of audit information.
+ # Control Implementation Grafana has the ability to provide Role Based Access Control to limit the data sources that end users can view by leveraging an identity provider. Grafana can also limit users to subsets of metrics within a datasource by the use of Label Based Access Control when using Grafana Enterprise.
+ target:
+ status:
+ state: not-satisfied
+ target-id: au-9
+ type: objective-id
+ title: 'Validation Result - Component:375f8171-3eb9-48d6-be3c-c8f1c0fe05fa / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-9'
+ uuid: 826cb8c0-8297-4f90-b2b2-d0bc95531db1
+ - description: |-
+ # Control Description Store audit records [Assignment: at least weekly] in a repository that is part of a physically different system or system component than the system or component being audited.
+ # Control Implementation Prometheus can scrape external components outside of the system, but this configuration is not easily supported as part of the current big bang configuration of ClusterAuditor since external access to ClusterAuditor metrics is not exposed via Istio. Metrics data can be displayed through a Grafana dashboard for visualization.
+ target:
+ status:
+ state: not-satisfied
+ target-id: au-9.2
+ type: objective-id
+ title: 'Validation Result - Component:375f8171-3eb9-48d6-be3c-c8f1c0fe05fa / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-9.2'
+ uuid: f970ff94-5aef-4521-bd62-2e71ed0e5c70
+ - description: |-
+ # Control Description Authorize access to management of audit logging functionality to only [Assignment: organization-defined subset of privileged users or roles].
+ # Control Implementation Grafana has the ability to provide Role Based Access Control to limit the data sources that end users can view by leveraging an identity provider. Grafana can also limit users to subsets of metrics within a datasource by the use of Label Based Access Control when using Grafana Enterprise.
+ target:
+ status:
+ state: not-satisfied
+ target-id: au-9.4
+ type: objective-id
+ title: 'Validation Result - Component:108c78a9-5494-4abc-a1e7-f046da419687 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-9.4'
+ uuid: 28f0e109-6c62-405d-b11c-8623f6829dad
+ - description: |-
+ # Control Description Provide and implement the capability to process, sort, and search audit records for events of interest based on the following content: [Assignment: organization-defined fields within audit records].
+ # Control Implementation Loki provides an API for retrieving and filtering logs.
+ target:
+ status:
+ state: not-satisfied
+ target-id: au7.1
+ type: objective-id
+ title: 'Validation Result - Component:a735b5a4-aabd-482d-b335-60ddcd4b1c00 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au7.1'
+ uuid: 3c9b6412-0808-48b6-889b-54fefa4dcdb1
+ - description: |-
+ # Control Description
+ Include as part of control assessments, [Assignment: at least annually], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; security instrumentation; automated security test cases; vulnerability scanning; malicious
+ user testing; insider threat assessment; performance and load testing; data leakage or data loss assessment; [Assignment: organization-defined other forms of assessment]].
+
+ # Control Implementation NeuVector continually monitors kubernetes environments and container images to detect misconfigurations, advanced network threats, and vulnerable hosts with all attempts to exploit a vulnerability is documented.
+ target:
+ status:
+ state: not-satisfied
+ target-id: ca-2.2
+ type: objective-id
+ title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ca-2.2'
+ uuid: c4dadea0-3628-4444-b493-85fe4f44a9a2
+ - description: |-
+ # Control Description "Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes: a. Establishing the following system-level metrics to be monitored: [Assignment: organization-defined system-level metrics]; b. Establishing [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessment of control effectiveness; c. Ongoing control assessments in accordance with the continuous monitoring strategy; d. Ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy; e. Correlation and analysis of information generated by control assessments and monitoring; f. Response actions to address results of the analysis of control assessment and monitoring information; and g. Reporting the security and privacy status of the system to [Assignment: to include JAB/AO] [Assignment: organization-defined frequency]."
+ # Control Implementation NeuVector continually monitors kubernetes environments and container images to detect misconfigurations, advanced network threats, and vulnerable hosts with all attempts to exploit a vulnerability is documented.
+ target:
+ status:
+ state: not-satisfied
+ target-id: ca-7
+ type: objective-id
+ title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ca-7'
+ uuid: f90d9d08-6cd9-463a-a606-c1359e00e1fe
+ - description: |-
+ # Control Implementation
+ Istio enforces logical access restrictions associated with changes to the system. Istio's Role-Based Access Control (RBAC) features are used to define and enforce access controls, ensuring that only approved personnel can make changes to the system.
+ related-observations:
+ - observation-uuid: f920e554-a7c0-4315-89ec-037e7e971ead
+ - observation-uuid: f3ff3fbb-16d9-4a92-90e1-d8b7a020bccc
+ - observation-uuid: 41637e36-95ee-4c89-b332-80ca2d006620
+ target:
+ status:
+ state: not-satisfied
+ target-id: cm-5
+ type: objective-id
+ title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: cm-5'
+ uuid: 7741992f-299d-4e30-ac94-f7797f95a661
+ - description: |-
+ # Control Description "a. Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using [Assignment: oUnited States Government Configuration Baseline (USGCB)]; b. Implement the configuration settings; c. Identify, document, and approve any deviations from established configuration settings for [Assignment: organization-defined system components] based on [Assignment: organization-defined operational requirements]; and d. Monitor and control changes to the configuration settings in accordance with organizational policies and procedures."
+ # Control Implementation NeuVector is configured using Helm Charts. Default settings can be found.
+ target:
+ status:
+ state: not-satisfied
+ target-id: cm-6
+ type: objective-id
+ title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: cm-6'
+ uuid: 279d19b1-4297-43a9-a631-168431b3c0cd
+ - description: |-
+ # Control Description "a. Configure the system to provide only [Assignment: organization-defined mission essential capabilities]; and b. Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: [Assignment: organization-defined prohibited or restricted functions, system ports, protocols, software, and/or services]." "CM-7 (b) Requirement: The service provider shall use the DoD STIGs or Center for Internet Security guidelines to establish list of prohibited or restricted functions, ports, protocols, and/or services or establishes its own list of prohibited or restricted functions, ports, protocols, and/or services if USGCB is not available. CM-7 Guidance: Information on the USGCB checklists can be found at: https://csrc.nist.gov/projects/united-states-government-configuration-baseline."
+ # Control Implementation NeuVector is configured securely and only access to required ports are available.
+ target:
+ status:
+ state: not-satisfied
+ target-id: cm-7
+ type: objective-id
+ title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: cm-7'
+ uuid: 4bcaa46e-66ab-4b3e-8414-92e28955d4d8
+ - description: Velero can restore application configuration/data from an approved cloud provider or on-premise location on-demand.
+ target:
+ status:
+ state: not-satisfied
+ target-id: cp-10
+ type: objective-id
+ title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-10'
+ uuid: db12a70d-960a-4bcc-bef2-d765371bc641
+ - description: 'Velero gives you tools to back up and restore your Kubernetes cluster resources and persistent volumes. You can run Velero with a cloud provider or on-premises. This includes: - System components/data. - User-level information/application metadata. - User-level storage/data. - Scheduled back-ups with configurable scopes. - Multi-cloud and on-premise support for availability of backup.'
+ target:
+ status:
+ state: not-satisfied
+ target-id: cp-10.4
+ type: objective-id
+ title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-10.4'
+ uuid: 4866acda-188f-40b1-8af4-ad3812060ef2
+ - description: Velero can take backups of your application configuration/data and store them off-site in either an approved cloud environment or on-premise location.
+ target:
+ status:
+ state: not-satisfied
+ target-id: cp-6
+ type: objective-id
+ title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-6'
+ uuid: fa78499f-12e1-4ded-86a1-1ce785cd7cbd
+ - description: Velero can take backups of your application configuration/data and store them off-site in either an approved cloud environment or on-premise location.
+ target:
+ status:
+ state: not-satisfied
+ target-id: cp-6.1
+ type: objective-id
+ title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-6.1'
+ uuid: 38c5c57c-e4fa-40c0-a371-519f922ce751
+ - description: Velero can restore application configuration/data from an approved cloud provider or on-premise location on-demand.
+ target:
+ status:
+ state: not-satisfied
+ target-id: cp-6.2
+ type: objective-id
+ title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-6.2'
+ uuid: fde3d548-4c98-451e-8ad1-08ebf918ec1f
+ - description: Velero supports back-ups to multiple cloud environments (including geo-separated locations for high availability) and on-premise environments in the event of an accessibility disruptions.
+ target:
+ status:
+ state: not-satisfied
+ target-id: cp-6.3
+ type: objective-id
+ title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-6.3'
+ uuid: c0659b8c-36b9-4d6d-8e94-48343ff6d57b
+ - description: Velero can restore application configuration/data from an approved cloud provider or on-premise location to an alternative deployment environment on-demand.
+ target:
+ status:
+ state: not-satisfied
+ target-id: cp-7
+ type: objective-id
+ title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-7'
+ uuid: 30788898-87df-4185-ab1c-9becdee50f6c
+ - description: Velero supports back-ups to and restores from multiple cloud environments (including geo-separated locations for high availability) and on-premise environments in the event of an accessibility disruptions.
+ target:
+ status:
+ state: not-satisfied
+ target-id: cp-7.1
+ type: objective-id
+ title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-7.1'
+ uuid: a718a683-1df0-4cac-9b9e-f61792134683
+ - description: Velero supports back-ups to and restores from multiple cloud environments (including geo-separated locations for high availability) and on-premise environments in the event of an accessibility disruptions.
+ target:
+ status:
+ state: not-satisfied
+ target-id: cp-7.2
+ type: objective-id
+ title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-7.2'
+ uuid: 90a09f38-2e0f-496a-94a0-4fcbbd79b308
+ - description: |-
+ "Velero gives you tools to back up and restore your Kubernetes cluster resources and persistent volumes. You can run Velero with a cloud provider or on-premises. This includes:
+ - System components/data.
+ - User-level information/application metadata.
+ - User-level storage/data.
+ - Scheduled back-ups with configurable scopes.
+ - Multi-cloud and on-premise support for availability of backup."
+ target:
+ status:
+ state: not-satisfied
+ target-id: cp-9
+ type: objective-id
+ title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-9'
+ uuid: 67397dd3-5693-4223-8015-5755325d5bf8
+ - description: Velero provides feedback/logging of back-up status for configuration/data via kubectl or the Velero CLI tool. Velero can restore your production configuration/data to validation environment to ensure reliability/integrity.
+ target:
+ status:
+ state: not-satisfied
+ target-id: cp-9.1
+ type: objective-id
+ title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-9.1'
+ uuid: 751a260d-f6c8-4ace-ad71-7aef30c0b9f0
+ - description: Velero can be configured to restore only certain components of a back-up when necessary.
+ target:
+ status:
+ state: not-satisfied
+ target-id: cp-9.2
+ type: objective-id
+ title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-9.2'
+ uuid: 2134ba61-df24-4258-80fc-a406ee86e4df
+ - description: Velero supports back-ups to multiple cloud environments (including geo-separated locations for high availability) and on-premise environments.
+ target:
+ status:
+ state: not-satisfied
+ target-id: cp-9.3
+ type: objective-id
+ title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-9.3'
+ uuid: 76b44e70-4f34-44f1-a8ee-72cb642dedfe
+ - description: 'Velero gives you tools to back up and restore your Kubernetes cluster resources and persistent volumes. You can run Velero with a cloud provider or on-premises. This includes: - System components/data. - User-level information/application metadata. - User-level storage/data. - Scheduled back-ups with configurable scopes. - Multi-cloud and on-premise support for availability of backup.'
+ target:
+ status:
+ state: not-satisfied
+ target-id: cp-9.5
+ type: objective-id
+ title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-9.5'
+ uuid: de04bf59-4529-4906-a829-a078dbcf74bf
+ - description: Velero supports encryption of backups via its supported providers' encryption support/mechanisms.
+ target:
+ status:
+ state: not-satisfied
+ target-id: cp-9.8
+ type: objective-id
+ title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-9.8'
+ uuid: cc050937-d5e7-4696-8f25-9b86b62c0d07
+ - description: |-
+ # Control Description "a. Monitor and scan for vulnerabilities in the system and hosted applications [Assignment: monthly operating system/infrastructure; monthly web applications (including APIs) and databases] and when new vulnerabilities potentially affecting the system are identified and reported; b. Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: 1. Enumerating platforms, software flaws, and improper configurations; 2. Formatting checklists and test procedures; and 3. Measuring vulnerability impact; c. Analyze vulnerability scan reports and results from vulnerability monitoring; d. Remediate legitimate vulnerabilities [Assignment: high-risk vulnerabilities mitigated within thirty (30) days from date of discovery; moderate-risk vulnerabilities mitigated within ninety (90) days from date of discovery; low risk vulnerabilities mitigated within one hundred and eighty (180) days from date of discovery] in accordance with an organizational assessment of risk; e. Share information obtained from the vulnerability monitoring process and control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other systems; and f. Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned."
+ # Control Implementation NeuVector is Kubernetes and container security tool. NeuVector will scan containers for vulnerabilities in addition to continuous monitoring for active threats.
+ target:
+ status:
+ state: not-satisfied
+ target-id: ra-5
+ type: objective-id
+ title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ra-5'
+ uuid: 3eca257e-9609-41fd-b21f-1aaee5b3d433
+ - description: |-
+ # Control Description Update the system vulnerabilities to be scanned [prior to a new scan]; prior to a new scan; when new vulnerabilities are identified and reported].
+ # Control Implementation NeuVector container scanning vulnerability database is updated frequently.
+ target:
+ status:
+ state: not-satisfied
+ target-id: ra-5.2
+ type: objective-id
+ title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ra-5.2'
+ uuid: 2b6daa85-9fdf-408c-9176-75a45ef22ea4
+ - description: |-
+ # Control Description Define the breadth and depth of vulnerability scanning coverage.
+ # Control Implementation NeuVector container scanning configurations depth can be modified.
+ target:
+ status:
+ state: not-satisfied
+ target-id: ra-5.3
+ type: objective-id
+ title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ra-5.3'
+ uuid: 10f8b813-c6f3-4265-9eb6-475cc7cbc636
+ - description: |-
+ # Control Description Implement privileged access authorization to [Assignment: all components that support authentication] for [Assignment: all scans].
+ # Control Implementation NeuVector supports mapping internal user accounts and roles in addition to LDAP and SSO roles or groups for providing RBAC access.
+ target:
+ status:
+ state: not-satisfied
+ target-id: ra-5.5
+ type: objective-id
+ title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ra-5.5'
+ uuid: b2e08e6b-16b3-4a00-ac9f-c8c9bdee64ce
+ - description: |-
+ # Control Description "Require the developer of the system, system component, or system service, at all post-design stages of the system development life cycle, to: a. Develop and implement a plan for ongoing security and privacy control assessments; b. Perform [Selection (one or more): unit; integration; system; regression] testing/evaluation [Assignment: organization-defined frequency] at [Assignment: organization-defined depth and coverage]; c. Produce evidence of the execution of the assessment plan and the results of the testing and evaluation; d. Implement a verifiable flaw remediation process; and e. Correct flaws identified during testing and evaluation."
+ # Control Implementation NeuVector continually monitors kubernetes environments and container images to detect misconfigurations, advanced network threats, and vulnerable hosts with all attempts to exploit a vulnerability is documented.
+ target:
+ status:
+ state: not-satisfied
+ target-id: sa-11
+ type: objective-id
+ title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sa-11'
+ uuid: ac49e0de-7653-4be5-8005-331927322ec2
+ - description: |-
+ # Control Description Require the developer of the system, system component, or system service to employ static code analysis tools to identify common flaws and document the results of the analysis. Static code analysis provides a technology and methodology for security reviews and includes checking for weaknesses in the code as well as for the incorporation of libraries or other included code with known vulnerabilities or that are out-of-date and not supported. Static code analysis can be used to identify vulnerabilities and enforce secure coding practices. It is most effective when used early in the development process, when each code change can automatically be scanned for potential weaknesses. Static code analysis can provide clear remediation guidance and identify defects for developers to fix. Evidence of the correct implementation of static analysis can include aggregate defect density for critical defect types, evidence that defects were inspected by developers or security professionals, and evidence that defects were remediated. A high density of ignored findings, commonly referred to as false positives, indicates a potential problem with the analysis process or the analysis tool. In such cases, organizations weigh the validity of the evidence against evidence from other sources.
+ # Control Implementation NeuVector continually monitors kubernetes environments and container images to detect misconfigurations, advanced network threats, and vulnerable hosts with all attempts to exploit a vulnerability is documented.
+ target:
+ status:
+ state: not-satisfied
+ target-id: sa-11.1
+ type: objective-id
+ title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sa-11.1'
+ uuid: 0af42784-0963-4f76-90ef-c6d98ca5fee6
+ - description: |-
+ # Control Implementation
+ Istio is configured to manage network connections associated with specific communication sessions. It can be set up to automatically terminate these connections after periods of inactivity, providing an additional layer of security.
+ related-observations:
+ - observation-uuid: f920e554-a7c0-4315-89ec-037e7e971ead
+ - observation-uuid: 6a1961d3-8819-4db9-b052-e3998d29f94c
+ target:
+ status:
+ state: not-satisfied
+ target-id: sc-10
+ type: objective-id
+ title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sc-10'
+ uuid: 5f4f6691-affd-4acc-89f6-d3055b2f2481
+ - description: |-
+ # Control Implementation
+ Istio provides FIPS encryption in transit for all applications in the mesh, TLS termination at ingress, and TLS origination at egress.
+ related-observations:
+ - observation-uuid: f920e554-a7c0-4315-89ec-037e7e971ead
+ - observation-uuid: f6a130b1-bdb8-41de-8921-c1c373023f59
+ - observation-uuid: 60ff69f7-6d6f-4b92-a0a4-4ecd2df24b52
+ - observation-uuid: bf2a95fb-c40e-425a-a1a3-ec1307343179
+ - observation-uuid: 31044f2f-75fd-4472-b624-1d918be32f40
+ target:
+ status:
+ state: not-satisfied
+ target-id: sc-13
+ type: objective-id
+ title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sc-13'
+ uuid: 3df66b7f-1dec-4ab7-b76e-56023c2881a1
+ - description: |-
+ # Control Implementation
+ Istio is configured to protect session authenticity, establishing confidence in the ongoing identities of other parties and the validity of transmitted information. This is achieved through Istio's mutual TLS, which ensures secure communication.
+ related-observations:
+ - observation-uuid: f920e554-a7c0-4315-89ec-037e7e971ead
+ - observation-uuid: f6a130b1-bdb8-41de-8921-c1c373023f59
+ target:
+ status:
+ state: satisfied
+ target-id: sc-23
+ type: objective-id
+ title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sc-23'
+ uuid: c39917b0-8de0-4497-808a-a186ee2d9583
+ - description: |-
+ # Control Implementation
+ Namespaces, Istio gateways, and network policies collectively by providing resource isolation, secure traffic routing, and network segmentation to prevent unauthorized and unintended information transfer.
+ related-observations:
+ - observation-uuid: f920e554-a7c0-4315-89ec-037e7e971ead
+ - observation-uuid: 4e69dd7e-0ba5-489c-82fd-bdfdd3d80afd
+ - observation-uuid: 2639ccbf-1a94-440e-b820-90e957f6987c
+ target:
+ status:
+ state: satisfied
+ target-id: sc-3
+ type: objective-id
+ title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sc-3'
+ uuid: 693835f8-466c-4437-9e95-1968070df3a9
+ - description: |-
+ # Control Implementation
+ Istio is configured to maintain separate execution domains for each executing process. This is achieved through Istio's sidecar proxy design, where each service in the mesh has its own dedicated sidecar proxy to handle its inbound and outbound traffic. This ensures that communication between processes is controlled and one process cannot modify the executing code of another process.
+ related-observations:
+ - observation-uuid: f920e554-a7c0-4315-89ec-037e7e971ead
+ - observation-uuid: 3d86e5f1-bf50-43c1-a3d8-4f9d26311481
+ target:
+ status:
+ state: satisfied
+ target-id: sc-39
+ type: objective-id
+ title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sc-39'
+ uuid: c0a6d960-0976-4e3c-b539-00c36bf8565a
+ - description: |-
+ # Control Implementation
+ Istio enforces outbound traffic goes through an Egress Gateway with a Network Policy.
+ related-observations:
+ - observation-uuid: f920e554-a7c0-4315-89ec-037e7e971ead
+ - observation-uuid: 35470a10-7ec9-4663-980b-c31ad61e08eb
+ - observation-uuid: f9e01aee-c30f-4df5-a4c7-0af351cef153
+ target:
+ status:
+ state: not-satisfied
+ target-id: sc-4
+ type: objective-id
+ title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sc-4'
+ uuid: 29bf18cb-9d9a-4b5a-9708-38fb4cb63563
+ - description: |-
+ # Control Description "a. Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system; b. Implement subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and c. Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture."
+ # Control Implementation NeuVector monitors all communications to external interfaces by only connecting to external networks through managed interfaces and utilizes whitelists and blacklists for rules at Layer 7.
+ target:
+ status:
+ state: not-satisfied
+ target-id: sc-7
+ type: objective-id
+ title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sc-7'
+ uuid: bbea5abc-37ef-461c-a912-7118ea5618ca
+ - description: |-
+ # Control Implementation
+ Istio is configured to dynamically isolate certain internal system components when necessary. This is achieved through Istio's network policies, which allow us to partition or separate system components
+ related-observations:
+ - observation-uuid: f920e554-a7c0-4315-89ec-037e7e971ead
+ - observation-uuid: f6a130b1-bdb8-41de-8921-c1c373023f59
+ - observation-uuid: 3d86e5f1-bf50-43c1-a3d8-4f9d26311481
+ target:
+ status:
+ state: satisfied
+ target-id: sc-7.20
+ type: objective-id
+ title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sc-7.20'
+ uuid: 782db436-d52a-461f-acd0-25b215fc3c3e
+ - description: |-
+ # Control Implementation
+ Istio is configured to isolate system components that perform different mission or business functions. This is achieved through Istio's network policies and mutual TLS, which allow us to control information flows and provide enhanced protection.
+ related-observations:
+ - observation-uuid: f920e554-a7c0-4315-89ec-037e7e971ead
+ - observation-uuid: f6a130b1-bdb8-41de-8921-c1c373023f59
+ - observation-uuid: 3d86e5f1-bf50-43c1-a3d8-4f9d26311481
+ target:
+ status:
+ state: satisfied
+ target-id: sc-7.21
+ type: objective-id
+ title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sc-7.21'
+ uuid: 5d59c939-fb61-4aea-8ef2-39ff71fd6756
+ - description: |-
+ # Control Implementation
+ Istio is configured to provide managed interfaces for external telecommunication services, establish traffic flow policies, and protect the confidentiality and integrity of transmitted information. It also prevents unauthorized exchange of control plane traffic and filters unauthorized control plane traffic.
+ related-observations:
+ - observation-uuid: f920e554-a7c0-4315-89ec-037e7e971ead
+ - observation-uuid: a7867fed-93d7-457c-8886-6dae4459c5b2
+ - observation-uuid: b2b0c4c3-8b3d-42a6-9ba4-ce36f198e15c
+ - observation-uuid: 2639ccbf-1a94-440e-b820-90e957f6987c
+ target:
+ status:
+ state: satisfied
+ target-id: sc-7.4
+ type: objective-id
+ title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sc-7.4'
+ uuid: 87d6ff85-4067-442b-b2d3-c82cbddda0c3
+ - description: |-
+ # Control Implementation
+ is configured to route internal communications traffic to external networks through authenticated proxy servers at managed interfaces, using its Egress Gateway.
+ related-observations:
+ - observation-uuid: f920e554-a7c0-4315-89ec-037e7e971ead
+ - observation-uuid: f9e01aee-c30f-4df5-a4c7-0af351cef153
+ - observation-uuid: 76674b13-a05d-40ba-b6ac-99aafe1c916e
+ target:
+ status:
+ state: not-satisfied
+ target-id: sc-7.8
+ type: objective-id
+ title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sc-7.8'
+ uuid: ac90c141-2e83-4bfa-8833-dde2808592f1
+ - description: |-
+ # Control Implementation
+ Istio is configured to protect the confidentiality and integrity of transmitted information across both internal and external networks. This is achieved through Istio's mutual TLS, which encrypts service-to-service communication, ensuring that data in transit is not exposed to the possibility of interception and modification.
+ related-observations:
+ - observation-uuid: f920e554-a7c0-4315-89ec-037e7e971ead
+ - observation-uuid: f6a130b1-bdb8-41de-8921-c1c373023f59
+ - observation-uuid: 3d86e5f1-bf50-43c1-a3d8-4f9d26311481
+ target:
+ status:
+ state: not-satisfied
+ target-id: sc-8
+ type: objective-id
+ title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sc-8'
+ uuid: 13dfdcfd-d77b-4649-ae0f-b9ebaeaa0549
+ - description: |-
+ # Control Implementation
+ Istio is configured to protect the confidentiality and integrity of transmitted information across both internal and external networks. This is achieved through Istio's mutual TLS, which encrypts service-to-service communication, ensuring that data in transit is not exposed to the possibility of interception and modification.
+ related-observations:
+ - observation-uuid: f920e554-a7c0-4315-89ec-037e7e971ead
+ - observation-uuid: f6a130b1-bdb8-41de-8921-c1c373023f59
+ - observation-uuid: 3d86e5f1-bf50-43c1-a3d8-4f9d26311481
+ target:
+ status:
+ state: satisfied
+ target-id: sc-8.1
+ type: objective-id
+ title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sc-8.1'
+ uuid: f10e5f70-81c4-4b00-a8c3-29e3cd97527c
+ - description: |-
+ # Control Implementation
+ Istio implements with global configuration.
+ related-observations:
+ - observation-uuid: f920e554-a7c0-4315-89ec-037e7e971ead
+ - observation-uuid: f6a130b1-bdb8-41de-8921-c1c373023f59
+ - observation-uuid: 3d86e5f1-bf50-43c1-a3d8-4f9d26311481
+ - observation-uuid: b2b0c4c3-8b3d-42a6-9ba4-ce36f198e15c
+ target:
+ status:
+ state: satisfied
+ target-id: sc-8.2
+ type: objective-id
+ title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sc-8.2'
+ uuid: 3e58bd7b-2e7d-4e85-bb8e-fc4e8b83f282
+ - description: |-
+ # Control Description "a. Generate error messages that provide information necessary for corrective actions without revealing information that could be exploited; and b. Reveal error messages only to [Assignment: organization-defined personnel or roles]."
+ # Control Implementation NeuVector correlates configuration data and network traffic for error tracking to provide context around misconfigurations and threats in the form of actionable alerts.
+ target:
+ status:
+ state: not-satisfied
+ target-id: si-11
+ type: objective-id
+ title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: si-11'
+ uuid: e82d6f63-db19-460b-bf7d-3c46dcf1e38c
+ - description: |-
+ # Control Description "(a) Measure the time between flaw identification and flaw remediation; and (b) Establish the following benchmarks for taking corrective actions: [Assignment: organization-defined benchmarks]."
+ # Control Implementation NeuVector continually monitors your Kubernetes environments to detect misconfigurations, advanced network threats, and vulnerable hosts with all attempts to exploit a vulnerability is documented.
+ target:
+ status:
+ state: not-satisfied
+ target-id: si-2.3
+ type: objective-id
+ title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: si-2.3'
+ uuid: 5da35a6e-9526-4864-b153-dcd851e98a51
+ - description: |-
+ # Control Description "a. Monitor the system to detect: 1. Attacks and indicators of potential attacks in accordance with the following monitoring objectives: [Assignment: organization-defined monitoring objectives]; and 2. Unauthorized local, network, and remote connections; b. Identify unauthorized use of the system through the following techniques and methods: [Assignment: organization-defined techniques and methods]; c. Invoke internal monitoring capabilities or deploy monitoring devices: 1. Strategically within the system to collect organization-determined essential information; and 2. At ad hoc locations within the system to track specific types of transactions of interest to the organization; d. Analyze detected events and anomalies; e. Adjust the level of system monitoring activity when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation; f. Obtain legal opinion regarding system monitoring activities; and g. Provide [Assignment: organization-defined system monitoring information] to [Assignment: organization-defined personnel or roles] [Selection (one or more): as needed; [Assignment: organization-defined frequency]]."
+ # Control Implementation NeuVector continually monitors your Kubernetes environments to detect misconfigurations, advanced network threats, and vulnerable hosts with all attempts to exploit a vulnerability is documented.
+ target: + status: + state: not-satisfied + target-id: si-4 + type: objective-id + title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: si-4' + uuid: 6452a578-b1b8-4a1c-9ff8-6f05821ca37d + - description: |- + # Control Description "a. Receive system security alerts, advisories, and directives from [Assignment: o include US-CERT] on an ongoing basis; b. Generate internal security alerts, advisories, and directives as deemed necessary; c. Disseminate security alerts, advisories, and directives to: [Selection (one or more): [Assignment: organization-defined personnel or roles]; to include system security personnel and administrators with configuration/patch-management responsibilities and d. Implement security directives in accordance with established time frames, or notify the issuing organization of the degree of noncompliance." + # Control Implementation NeuVector correlates configuration data with user behavior and network traffic to provide context around misconfigurations and threats in the form of actionable alerts. + target: + status: + state: not-satisfied + target-id: si-5 + type: objective-id + title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: si-5' + uuid: a8b3553e-e9af-4781-83ac-400ea1d77b77 + - description: |- + # Control Description "a. Verify the correct operation of [Assignment: organization-defined security and privacy functions]; b. Perform the verification of the functions specified in SI-6a [Selection (one or more): [Assignment: to include upon system startup and/or restart]; upon command by user with appropriate privilege; [Assignment: at least monthly]]; c. Alert [Assignment: to include system administrators and security personnel] to failed security and privacy verification tests; and d. 
[Selection (one or more): Shut the system down; Restart the system; [Assignment: organization-defined alternative action (s)]] when anomalies are discovered." + # Control Implementation NeuVector correlates configuration data and network traffic to provide context around verification in the form of actionable alerts. + target: + status: + state: not-satisfied + target-id: si-6 + type: objective-id + title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: si-6' + uuid: 6628f225-60a5-47a1-90f8-b4ea78dc72ef + observations: + - collected: 2024-07-09T03:24:38.473729311Z + description: | + [TEST]: 98b97ec9-a9ce-4444-83d8-71066270a424 - lula-validation-error + methods: + - TEST + relevant-evidence: + - description: | + Result: not-satisfied + remarks: | + Error getting Lula validation #98b97ec9-a9ce-4444-83d8-71066270a424: required domain is nil + uuid: 053bdc9e-654d-4287-adf1-02c14e77ece1 + - collected: 2024-07-09T03:24:38.489004016Z + description: | + [TEST]: b0a8f21e-b12f-47ea-a967-2f4a3ec69e44 - gateway-configuration-check + methods: + - TEST + relevant-evidence: + - description: | + Result: satisfied + remarks: | + validate.msg: Only allowed gateways found. All gateway types found. 
+ validate.msg_existing_gateways: istio-admin-gateway/admin-gateway, istio-passthrough-gateway/passthrough-gateway, istio-tenant-gateway/tenant-gateway + validate.msg_allowed_gateways: admin, passthrough, tenant + uuid: 2639ccbf-1a94-440e-b820-90e957f6987c + - collected: 2024-07-09T03:24:38.489063617Z + description: | + [TEST]: 0be7345d-e9d3-4248-9c14-5fed8e7bfa01 - lula-validation-error + methods: + - TEST + relevant-evidence: + - description: | + Result: not-satisfied + remarks: | + Error getting Lula validation #0be7345d-e9d3-4248-9c14-5fed8e7bfa01: required domain is nil + uuid: 65c62b95-df70-4723-bf3b-46799d0536ad + - collected: 2024-07-09T03:24:38.489091198Z + description: | + [TEST]: 9b361d7b-4e07-40db-8b86-3854ed499a4b - lula-validation-error + methods: + - TEST + relevant-evidence: + - description: | + Result: not-satisfied + remarks: | + Error getting Lula validation #9b361d7b-4e07-40db-8b86-3854ed499a4b: required domain is nil + uuid: 41637e36-95ee-4c89-b332-80ca2d006620 + - collected: 2024-07-09T03:24:38.48912419Z + description: | + [TEST]: ecdb90c7-971a-4442-8f29-a8b0f6076bc9 - lula-validation-error + methods: + - TEST + relevant-evidence: + - description: | + Result: not-satisfied + remarks: | + Error getting Lula validation #ecdb90c7-971a-4442-8f29-a8b0f6076bc9: required domain is nil + uuid: f9e01aee-c30f-4df5-a4c7-0af351cef153 + - collected: 2024-07-09T03:24:38.497116991Z + description: | + [TEST]: 70d99754-2918-400c-ac9a-319f874fff90 - istio-metrics-logging-configured + methods: + - TEST + relevant-evidence: + - description: | + Result: satisfied + remarks: | + validate.msg: Metrics logging supported. + uuid: d6de0a77-9d2c-4332-9ab0-3c97c8b5234c + - collected: 2024-07-09T03:24:38.594646609Z + description: | + [TEST]: f345c359-3208-46fb-9348-959bd628301e - istio-prometheus-annotations-validation + methods: + - TEST + relevant-evidence: + - description: | + Result: satisfied + remarks: | + validate.msg: All pods have correct prometheus annotations. 
+ validate.exempt_namespaces_msg: Exempted Namespaces: istio-system, kube-system, uds-dev-stack, zarf + uuid: 6fb0ef76-86ad-4629-9e9d-a725ddbf3373 + - collected: 2024-07-09T03:24:38.594709567Z + description: | + [TEST]: 8be1601e-5870-4573-ab4f-c1c199944815 - lula-validation-error + methods: + - TEST + relevant-evidence: + - description: | + Result: not-satisfied + remarks: | + Error getting Lula validation #8be1601e-5870-4573-ab4f-c1c199944815: required domain is nil + uuid: bf2a95fb-c40e-425a-a1a3-ec1307343179 + - collected: 2024-07-09T03:24:38.594743009Z + description: | + [TEST]: 73434890-2751-4894-b7b2-7e583b4a8977 - lula-validation-error + methods: + - TEST + relevant-evidence: + - description: | + Result: not-satisfied + remarks: | + Error getting Lula validation #73434890-2751-4894-b7b2-7e583b4a8977: required domain is nil + uuid: 31044f2f-75fd-4472-b624-1d918be32f40 + - collected: 2024-07-09T03:24:38.594778174Z + description: | + [TEST]: 9bfc68e0-381a-4006-9f68-c293e3b20cee - lula-validation-error + methods: + - TEST + relevant-evidence: + - description: | + Result: not-satisfied + remarks: | + Error getting Lula validation #9bfc68e0-381a-4006-9f68-c293e3b20cee: required domain is nil + uuid: fa62278d-a485-40ec-a660-51845c227040 + - collected: 2024-07-09T03:24:38.602916174Z + description: | + [TEST]: f346b797-be35-40a8-a93a-585db6fd56ec - istio-tracing-logging-support + methods: + - TEST + relevant-evidence: + - description: | + Result: not-satisfied + remarks: | + validate.msg: Tracing logging not supported. + uuid: b8c97e5c-a953-44f1-9868-42abdb5f36d3 + - collected: 2024-07-09T03:24:38.611569524Z + description: | + [TEST]: 67456ae8-4505-4c93-b341-d977d90cb125 - istio-health-check + methods: + - TEST + relevant-evidence: + - description: | + Result: satisfied + remarks: | + istiohealth.deployment_message: All deployment conditions are true. + istiohealth.hpa_message: HPA has sufficient replicas. 
+ uuid: f920e554-a7c0-4315-89ec-037e7e971ead + - collected: 2024-07-09T03:24:38.611623214Z + description: | + [TEST]: fbe5855d-b4ea-4ff5-9f0d-5901d620577a - lula-validation-error + methods: + - TEST + relevant-evidence: + - description: | + Result: not-satisfied + remarks: | + Error getting Lula validation #fbe5855d-b4ea-4ff5-9f0d-5901d620577a: required domain is nil + uuid: c18cb484-a3d7-4f1b-9de2-bc40675ebef6 + - collected: 2024-07-09T03:24:38.621193684Z + description: | + [TEST]: c6c9daf1-4196-406d-8679-312c0512ab2e - check-istio-admin-gateway-and-usage + methods: + - TEST + relevant-evidence: + - description: | + Result: satisfied + remarks: | + validate.msg: Admin gateway exists. Admin virtual services are using admin gateway. + uuid: 4e69dd7e-0ba5-489c-82fd-bdfdd3d80afd + - collected: 2024-07-09T03:24:38.719799848Z + description: | + [TEST]: 1761ac07-80dd-47d2-947e-09f67943b986 - all-pods-istio-injected + methods: + - TEST + relevant-evidence: + - description: | + Result: satisfied + remarks: | + validate.msg: All pods have Istio sidecar proxy. 
+ validate.exempt_namespaces_msg: Exempted Namespaces: istio-system, kube-system, uds-dev-stack, zarf + uuid: 3d86e5f1-bf50-43c1-a3d8-4f9d26311481 + - collected: 2024-07-09T03:24:38.729154607Z + description: | + [TEST]: 0da39859-a91a-4ca6-bd8b-9b117689188f - all-namespaces-istio-injected + methods: + - TEST + relevant-evidence: + - description: | + Result: not-satisfied + remarks: | + validate.msg: Non-Istio-injected namespaces: {"exempted-app", "podinfo", "test-admin-app", "test-tenant-app"} + validate.exempted_namespaces_msg: Exempted Namespaces: default, istio-admin-gateway, istio-passthrough-gateway, istio-system, istio-tenant-gateway, kube-node-lease, kube-public, kube-system, uds-crds, uds-dev-stack, uds-policy-exemptions, zarf + uuid: 4df2137a-de64-4d02-8121-1911fc9dedab + - collected: 2024-07-09T03:24:38.751849467Z + description: | + [TEST]: 570e2dc7-e6c2-4ad5-8ea3-f07974f59747 - secure-communication-with-istiod + methods: + - TEST + relevant-evidence: + - description: | + Result: satisfied + remarks: | + validate.msg_correct: NetworkPolicies correctly configured for istiod in namespaces: authservice, grafana, keycloak, loki, metrics-server, monitoring, neuvector, promtail, velero. + validate.msg_incorrect: No incorrect istiod NetworkPolicies found. 
+ uuid: a7867fed-93d7-457c-8886-6dae4459c5b2 + - collected: 2024-07-09T03:24:38.751895453Z + description: | + [TEST]: 663f5e92-6db4-4042-8b5a-eba3ebe5a622 - lula-validation-error + methods: + - TEST + relevant-evidence: + - description: | + Result: not-satisfied + remarks: | + Error getting Lula validation #663f5e92-6db4-4042-8b5a-eba3ebe5a622: required domain is nil + uuid: 6a1961d3-8819-4db9-b052-e3998d29f94c + - collected: 2024-07-09T03:24:38.75191546Z + description: | + [TEST]: 19faf69a-de74-4b78-a628-64a9f244ae13 - lula-validation-error + methods: + - TEST + relevant-evidence: + - description: | + Result: not-satisfied + remarks: | + Error getting Lula validation #19faf69a-de74-4b78-a628-64a9f244ae13: required domain is nil + uuid: 76674b13-a05d-40ba-b6ac-99aafe1c916e + - collected: 2024-07-09T03:24:38.757825399Z + description: | + [TEST]: ca49ac97-487a-446a-a0b7-92b20e2c83cb - enforce-mtls-strict + methods: + - TEST + relevant-evidence: + - description: | + Result: satisfied + remarks: | + validate.msg: All PeerAuthentications have mtls mode set to STRICT. 
+ uuid: f6a130b1-bdb8-41de-8921-c1c373023f59 + - collected: 2024-07-09T03:24:38.766341924Z + description: | + [TEST]: 90738c86-6315-450a-ac69-cc50eb4859cc - check-istio-logging-all-traffic + methods: + - TEST + relevant-evidence: + - description: | + Result: satisfied + remarks: | + validate.msg: Istio is logging all traffic + uuid: 337f9bea-6f8e-4c89-8142-4474083105e6 + - collected: 2024-07-09T03:24:38.772656748Z + description: | + [TEST]: fd071676-6b92-4e1c-a4f0-4c8d2bd55aed - ingress-traffic-encrypted + methods: + - TEST + relevant-evidence: + - description: | + Result: satisfied + remarks: | + validate.msg: All gateways encrypt ingress traffic + validate.msg_exempt: Exempted Gateways: istio-passthrough-gateway/passthrough-gateway + uuid: 60ff69f7-6d6f-4b92-a0a4-4ecd2df24b52 + - collected: 2024-07-09T03:24:38.776561899Z + description: | + [TEST]: e38c0695-10f6-40b6-b246-fa58b26ccd25 - istio-authorization-policies-require-authentication + methods: + - TEST + relevant-evidence: + - description: | + Result: satisfied + remarks: | + validate.msg: Authorization Policy requires authentication for keycloak + uuid: 31654aca-4189-447d-b5e6-4928c5acc603 + - collected: 2024-07-09T03:24:38.781059357Z + description: | + [TEST]: 7b045b2a-106f-4c8c-85d9-ae3d7a8e0e28 - istio-rbac-enforcement-check + methods: + - TEST + relevant-evidence: + - description: | + Result: satisfied + remarks: | + validate.msg: Istio RBAC enforced + validate.msg_authPolicies: Authorization Policies: istio-system/authservice, istio-system/jwt-authz, keycloak/keycloak-block-admin-access-from-public-gateway + uuid: f3ff3fbb-16d9-4a92-90e1-d8b7a020bccc + - collected: 2024-07-09T03:24:38.791675282Z + description: | + [TEST]: 3e217577-930e-4469-a999-1a5704b5cecb - request-authenication-and-auth-policies-configured + methods: + - TEST + relevant-evidence: + - description: | + Result: satisfied + remarks: | + validate.msg: All AuthorizationPolicies properly configured. 
All RequestAuthentications properly configured. + uuid: b2b0c4c3-8b3d-42a6-9ba4-ce36f198e15c + - collected: 2024-07-09T03:24:38.79173886Z + description: | + [TEST]: 7455f86d-b79c-4226-9ce3-f3fb7d9348c8 - lula-validation-error + methods: + - TEST + relevant-evidence: + - description: | + Result: not-satisfied + remarks: | + Error getting Lula validation #7455f86d-b79c-4226-9ce3-f3fb7d9348c8: required domain is nil + uuid: 35470a10-7ec9-4663-980b-c31ad61e08eb + props: + - name: threshold + ns: https://docs.lula.dev/oscal/ns + value: "true" + reviewed-controls: + control-selections: + - description: Controls Assessed by Lula + include-controls: + - control-id: ac-14 + - control-id: ac-2 + - control-id: ac-2.1 + - control-id: ac-3 + - control-id: ac-4 + - control-id: ac-4.21 + - control-id: ac-4.4 + - control-id: ac-5 + - control-id: ac-6 + - control-id: ac-6.1 + - control-id: ac-6.10 + - control-id: ac-6.3 + - control-id: ac-6.9 + - control-id: au-11 + - control-id: au-12 + - control-id: au-12.1 + - control-id: au-2 + - control-id: au-3 + - control-id: au-3.1 + - control-id: au-4 + - control-id: au-5.1 + - control-id: au-5.2 + - control-id: au-6 + - control-id: au-6.1 + - control-id: au-6.3 + - control-id: au-6.5 + - control-id: au-6.6 + - control-id: au-7 + - control-id: au-7.1 + - control-id: au-8 + - control-id: au-9 + - control-id: au-9.2 + - control-id: au-9.4 + - control-id: au7.1 + - control-id: ca-2.2 + - control-id: ca-7 + - control-id: cm-5 + - control-id: cm-6 + - control-id: cm-7 + - control-id: cp-10 + - control-id: cp-10.4 + - control-id: cp-6 + - control-id: cp-6.1 + - control-id: cp-6.2 + - control-id: cp-6.3 + - control-id: cp-7 + - control-id: cp-7.1 + - control-id: cp-7.2 + - control-id: cp-9 + - control-id: cp-9.1 + - control-id: cp-9.2 + - control-id: cp-9.3 + - control-id: cp-9.5 + - control-id: cp-9.8 + - control-id: ra-5 + - control-id: ra-5.2 + - control-id: ra-5.3 + - control-id: ra-5.5 + - control-id: sa-11 + - control-id: sa-11.1 + - 
control-id: sc-10
+ - control-id: sc-13
+ - control-id: sc-23
+ - control-id: sc-3
+ - control-id: sc-39
+ - control-id: sc-4
+ - control-id: sc-7
+ - control-id: sc-7.20
+ - control-id: sc-7.21
+ - control-id: sc-7.4
+ - control-id: sc-7.8
+ - control-id: sc-8
+ - control-id: sc-8.1
+ - control-id: sc-8.2
+ - control-id: si-11
+ - control-id: si-2.3
+ - control-id: si-4
+ - control-id: si-5
+ - control-id: si-6
+ description: Controls validated
+ remarks: Validation performed may indicate full or partial satisfaction
+ start: 2024-07-09T03:24:38.798446786Z
+ title: Lula Validation Result
+ uuid: 5a0a9538-e734-48a5-a327-02e6aa6891b0
+ uuid: bf456173-34f4-480b-a659-1aae77092ee6
diff --git a/compliance/oscal-component.yaml b/compliance/oscal-component.yaml
new file mode 100644
index 000000000..ecb88933e
--- /dev/null
+++ b/compliance/oscal-component.yaml
@@ -0,0 +1,39 @@
+component-definition:
+ uuid: 8ef481dd-7924-42de-b426-ac300db35ec8
+ metadata:
+ title: UDS Core
+ last-modified: "2024-06-28T12:00:00Z"
+ version: "20240628"
+ oscal-version: 1.1.2
+ parties:
+ - uuid: f3cf70f8-ba44-4e55-9ea3-389ef24847d3
+ type: organization
+ name: Defense Unicorns
+ links:
+ - href: https://github.com/defenseunicorns
+ rel: website
+
+ import-component-definitions:
+ - href: 'file://./../src/grafana/oscal-component.yaml'
+ - href: 'file://./../src/istio/oscal-component.yaml'
+ - href: 'file://./../src/loki/oscal-component.yaml'
+ - href: 'file://./../src/neuvector/oscal-component.yaml'
+ - href: 'file://./../src/prometheus-stack/oscal-component.yaml'
+ - href: 'file://./../src/promtail/oscal-component.yaml'
+ - href: 'file://./../src/velero/oscal-component.yaml'
+
+ capabilities:
+ - uuid: 857dcaf8-9080-4cf0-8029-8a03fcdde2df
+ name: UDS Core
+ description: >-
+ UDS Core is a secure runtime platform for mission-critical capabilities.
+ incorporates-components:
+ - component-uuid: 7e3269fc-fe33-49c9-be88-6c868e21aae1
+ description: Secure Istio Service Mesh
+
+ back-matter:
+ resources:
+ - rlinks:
+ - href: https://github.com/defenseunicorns/uds-core/
+ title: UDS Core
+ uuid: 8fe4806d-4aef-4cf0-b9ed-d95d224e97bc
diff --git a/docs/adrs/0001-record-architecture-decisions.md b/docs/adrs/0001-record-architecture-decisions.md
new file mode 100644
index 000000000..cc88dae6e
--- /dev/null
+++ b/docs/adrs/0001-record-architecture-decisions.md
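Review bot: `incorporates-components` under the UDS Core capability lists a single `component-uuid: 7e3269fc-fe33-49c9-be88-6c868e21aae1` (described as the Istio mesh) while `import-component-definitions` pulls in seven definitions (grafana, istio, loki, neuvector, prometheus-stack, promtail, velero), so any consumer that scopes an assessment by the capability rather than by the imports will only see the mesh and silently drop the logging, monitoring, runtime-security and backup controls. If that is intentional for this first cut, a comment such as `# Only Istio is incorporated today; the other imported components are not yet part of the capability` keeps the gap from reading as an omission; otherwise add one `component-uuid` entry per imported definition. The Istio UUID cannot be checked against `src/istio/oscal-component.yaml` from this diff, so it should be confirmed to match that file's component `uuid`. `last-modified` and `version` are hand-maintained literals that will drift from the imported definitions unless the release process rewrites them.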
@@ -0,0 +1,23 @@
+# 1. Record architecture decisions
+
+Date: 2024-07-17
+
+## Status
+
+Accepted
+
+## Context
+
+> NOTE:
+>
+> This file was automatically created when we used [adr-tools](https://github.com/npryce/adr-tools) to initialize the document log in the repo. ADRs on ADRs are a little silly, but it does give a lightweight way to direct the reader over to our contributor guide that has a lot more information.
+
+We need to record the architectural decisions made on this project.
+
+## Decision
+
+We will use Architecture Decision Records, as [described by Michael Nygard](http://thinkrelevance.com/blog/2011/11/15/documenting-architecture-decisions), with a couple of small tweaks. See the [Contributor guide](https://github.com/defenseunicorns/uds-core/blob/main/CONTRIBUTING.md) for full details.
+
+## Consequences
+
+See Michael Nygard's article, linked above. For a lightweight ADR toolset, see Nat Pryce's [adr-tools](https://github.com/npryce/adr-tools).
diff --git a/docs/adrs/0002-uds-core-functional-layers.md b/docs/adrs/0002-uds-core-functional-layers.md
new file mode 100644
index 000000000..b2901736c
--- /dev/null
+++ b/docs/adrs/0002-uds-core-functional-layers.md
@@ -0,0 +1,77 @@ +# ADR: UDS Core Functional Layers + +Date: 2024-07-17 + +## Status + +Accepted + +## Context + +Historically, UDS Core intentionally only published a single official Zarf Package to ensure a standard baseline across all UDS environments. We learned from the complex buffet menu-style of Big Bang that it is better to form opinions and test them than to allow unlimited configuration possibilities. We have also found the monorepo structure of UDS Core to be be much simpler for developing UDS Core. However, through user feedback, we have seen cases where more optionality is warranted, but having to modify UDS CLI to accommodate disabling portions of UDS Core is not ideal. We also have a need for an edge-compatible version of UDS Core that is more lightweight and does not include all the components of the full UDS Core package. + +Today, we publish just the official UDS Core package, in addition to dev and demo UDS Bundles. The UDS Slim Dev bundle contains k3d and a stripped-down version of UDS Core that includes limited services meant for testing UDS Packages. We have also learned that some teams outside of UDS need similar functionality, but slightly different parts of UDS Core, such as Keycloak + Authservice. + +## Decision + +We will provide the existing single package as well as a layered set of packages within the existing monorepo. This will allow users to choose the components they need for their specific use case, while maintaining a single source of truth for all UDS Core components. We will not break these out by applications as Big Bang did, but instead by layers of functionality for related/integrated components. This allows more flexibility for which functionality is provided by UDS Core and which is provided by other external packages. + +The functional layers will be: + +1. UDS Core Base (Istio + Pepr w/UDS Operator & UDS Policies) +2. UDS Core Identity and Authorization (Keycloak + AuthService) +3. UDS Core Metrics (Metrics Server) +4. 
UDS Core Monitoring (Prometheus + Grafana) +5. UDS Core Logging (Promtail + Loki) +6. UDS Core Runtime Security (NeuVector) +7. UDS Core Backup and Restore (Velero) +8. UDS Core (combination of all layers) + +These layers can be combined as needed, with UDS Core Base serving as the foundation for all deployments. The UDS Core package will continue to offer the complete suite of tools. End users should default to using the full Core package unless there is an explicit need for a subset of tooling. The only change in the UDS Core repo will be the addition of new package definitions for each functional layer. Versioning will be managed at the monorepo level, with each layer being versioned in lockstep with the rest of UDS Core. Initially there will be documented dependencies (i.e. UDS Core Base is required for everything, UDS Core Identity and Authorization would be required for layers that have end user logins, etc) - which could later be implemented in code in CLI to validate bundle construction and ordering. + +We will still publish the UDS Slim Dev bundle for testing UDS Packages. This will be a combination of UDS Core Base, UDS Core Identity and Authorization, and UDS-K3d. We will not publish other bundles beyond UDS Slim Dev and UDS Core Demo. Only the UDS Core Zarf package will publish combined layers. 
+ +## Consequences + +### Positive + +- Increased flexibility for users to choose components based on their needs +- Simplified versioning and dependency management by keeping everything in one repo +- Easier coordination of changes across layers +- Maintains a single source of truth for all UDS Core components +- Enables both testing environments and production edge deployments + +### Negative + +- Need for more comprehensive documentation on layer combinations and usage +- Testing needs to be expanded to cover common layer combinations +- Need to address dependencies and configurations shared across layers +- We will still need to publish the UDS Slim Dev bundle for testing UDS Packages and that might confuse users (UDS Slim Dev bundle will combine UDS-K3d + UDS Core Base + UDS Core Identity and Authorization) +- UDS Package developers may need to document required layers (i.e. "UDS Package GitLab requires UDS Identity and Authorization") + +## Implementation Details + +- Each layer will be implemented as a separate Zarf package within the existing monorepo (under `./packages/uds-core-/zarf.yaml`) +- UDS Core Base will replace the current UDS Slim Dev package +- UDS Operator will be updated to handle excluded layers (i.e. skip monitoring configuration if monitoring layer is not deployed) +- The existing UDS Core package will be maintained, combining all layers +- Documentation will be updated to list required dependencies and ordering for layers. In the future these will be coded into CLI. + +## Alternatives Considered + +1. Splitting into multiple repositories: Rejected due to added complexity in versioning and coordination +1. Maintaining the current monolithic package structure without layers: Rejected due to lack of flexibility for users with different needs +1. 
Creating more granular layers: Considered but decided against to maintain a balance between flexibility and simplicity + +## Open Questions + +- What build and testing processes need to be adjusted to support the layered approach within the monorepo? +- How will we handle shared dependencies and configurations across layers? + +## Next Steps + +1. Define detailed specifications for each layer, including their specific capabilities and integration points +1. Create the Zarf packages for each functional layer within the monorepo +1. Update operator code to conditionally execute integrations based on layer existence +1. Implement integration tests for various layer combinations +1. Update documentation to reflect the new layered architecture and guide users in selecting appropriate layers for their needs (including proper ordering and dependencies) diff --git a/docs/application-baseline.md b/docs/application-baseline.md index 27d507175..5ebabf889 100644 --- a/docs/application-baseline.md +++ b/docs/application-baseline.md @@ -17,9 +17,10 @@ For optimal deployment and operational efficiency, it is important to deliver a | **Capability** | **Application** | | ---------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | **Service Mesh** | **[Istio](https://istio.io/):** A powerful service mesh that provides traffic management, load balancing, security, and observability features. | -| **Monitoring** | **[Metrics Server](https://kubernetes-sigs.github.io/metrics-server/):** Provides container resource utilization metrics API for Kubernetes clusters.

**[Prometheus](https://prometheus.io/):** Scrapes Metrics Server API and application metrics and stores the data in a time-series database for insights into application health and performance.

**[Grafana](https://grafana.com/grafana/):** Provides visualization and alerting capabilities based on Prometheus's time-series database of metrics. | +| **Monitoring** | **[Metrics Server](https://kubernetes-sigs.github.io/metrics-server/):** Provides container resource utilization metrics API for Kubernetes clusters. Metrics server is an optional (non-default) component since most Kubernetes distros provide it by default.

**[Prometheus](https://prometheus.io/):** Scrapes Metrics Server API and application metrics and stores the data in a time-series database for insights into application health and performance.

**[Grafana](https://grafana.com/grafana/):** Provides visualization and alerting capabilities based on Prometheus's time-series database of metrics. | | **Logging** | **[Promtail](https://grafana.com/docs/loki/latest/send-data/promtail/):** A companion agent that efficiently gathers and sends container logs to Loki, simplifying log monitoring, troubleshooting, and compliance auditing, enhancing the overall observability of the mission environment.

**[Loki](https://grafana.com/docs/loki/latest/):** A log aggregation system that allows users to store, search, and analyze logs across their applications. | | **Security and Compliance** | **[NeuVector](https://open-docs.neuvector.com/):** Offers container-native security, protecting applications against threats and vulnerabilities.

**[Pepr](https://pepr.dev/):** UDS policy engine and operator for enhanced security and compliance.| | **Identity and Access Management** | **[Keycloak](https://www.keycloak.org/):** A robust open-source Identity and Access Management solution, providing centralized authentication, authorization, and user management for enhanced security and control over access to mission-critical resources.| | **Backup and Restore** | **[Velero](https://velero.io/):** Provides backup and restore capabilities for Kubernetes clusters, ensuring data protection and disaster recovery.| | **Authorization** | **[AuthService](https://github.com/istio-ecosystem/authservice):** Offers centralized authorization services, managing access control and permissions within the Istio mesh. AuthService plays a supporting role to Keycloak as it handles part of the OIDC redirect flow.| +| **Frontend Views & Insights** | **[UDS Runtime](https://github.com/defenseunicorns/uds-runtime)**: UDS Runtime is an optional component in Core that provides the frontend for all things UDS, providing views and insights into your UDS cluster. | diff --git a/docs/configuration/istio/ingress.md b/docs/configuration/istio/ingress.md index acf7e16c6..e94cceec5 100644 --- a/docs/configuration/istio/ingress.md +++ b/docs/configuration/istio/ingress.md 
@@ -38,7 +38,7 @@ packages: By default, the UDS Core Istio Gateways are set up to use the `uds.dev` domain and have a valid TLS certificate packaged. You will want to change the domain name for your environment and provide a valid TLS certificate for this domain. -You can set the TLS certs via overrides in a [UDS Bundle](https://uds.defenseunicorns.com/bundles/) (see below). +You can set the TLS certs via overrides in a [UDS Bundle](https://uds.defenseunicorns.com/bundles/) (see below). UDS Core Istio Gateways default to only supporting TLS v1.3, but this can also be overridden per gateway if clients use TLS 1.2 (as seen in the tenant gateway example `value` below). ```yaml kind: UDSBundle @@ -63,6 +63,9 @@ packages: path: tls.key istio-tenant-gateway: uds-istio-config: + values: + - path: tls.supportTLSV1_2 + value: true # Add support for TLS 1.2 on this gateway, can be specified via variables if needed at deploy time variables: - name: TENANT_TLS_CERT description: "The TLS cert for the tenant gateway (must be base64 encoded)" diff --git a/docs/configuration/resource-configuration-and-ha.md b/docs/configuration/resource-configuration-and-ha.md new file mode 100644 index 000000000..0f8f30213 --- /dev/null +++ b/docs/configuration/resource-configuration-and-ha.md 
@@ -0,0 +1,114 @@ +--- +title: Resource Configuration and High Availability +type: docs +weight: 3.5 +--- + +Depending on your environment and the scale of your cluster, you might need to adjust UDS Core components for high availability or to optimize resources. Below are common areas where resource overrides can be useful when deploying UDS Core. + +When modifying resources and replica counts it can be useful to observe pod resource metrics in Grafana to make an informed choice on what may be necessary for your environment. Where available HPA ([Horizontal Pod Autoscalers](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/)) are beneficial to dynamically scale up/down based on usage. + +## Monitoring + +### Prometheus Stack + +Prometheus is a common place to customize when scaling to larger cluster sizes (more nodes and/or workloads). To scale prometheus beyond a single replica its TSDB must be externalized using one of the [supported options](https://prometheus.io/docs/operating/integrations/#remote-endpoints-and-storage). UDS Core has not yet done extensive testing on this setup. It is also helpful to modify resources for Prometheus using a helm override for the `prometheus.prometheusSpec.resources` value: + +```yaml +packages: + - name: core + repository: oci://ghcr.io/defenseunicorns/packages/uds/core + ref: x.x.x + overrides: + kube-prometheus-stack: + kube-prometheus-stack: + values: + - path: prometheus.prometheusSpec.resources + value: + # Example values only + requests: + cpu: 200m + memory: 1Gi + limits: + cpu: 500m + memory: 4Gi +``` + +### Grafana + +To scale Grafana for high availability, its database must be externalized (see [Grafana's database configuration docs](https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#database)). UDS Core has not yet done extensive testing on this setup. 
You can also override the `resources` helm value to customize Grafana pods' resource limits and requests (using the component and chart name of `grafana`). + +## Logging + +### Promtail + +By default Promtail runs as a daemonset, automatically scaling across all nodes to ensure logs are captured from each host. Typically Promtail does not need any other modifications, but you can customize its resource configuration by overriding the `resources` helm value (using the component and chart name of `promtail`). + +### Loki + +By default Loki will deploy in a multi-replica setup. See the below example for modifying replica counts of the read/write/backend pods: + +```yaml +packages: + - name: core + repository: oci://ghcr.io/defenseunicorns/packages/uds/core + ref: x.x.x + overrides: + loki: + loki: + values: + - name: LOKI_WRITE_REPLICAS + path: write.replicas + default: "3" + - name: LOKI_READ_REPLICAS + path: read.replicas + default: "3" + - name: LOKI_BACKEND_REPLICAS + path: backend.replicas + default: "3" +``` + +You will also want to connect Loki to an [external storage provider](https://grafana.com/docs/loki/latest/configure/storage/#chunk-storage) such as AWS S3, which can be done by overriding the `loki.storage` values. + +## Identity & Authorization + +### Keycloak + +Keycloak can be configured in a HA setup if an external database (postgresql) is provided. 
See the below example values for configuring HA Keycloak: + +```yaml +packages: + - name: core + repository: oci://ghcr.io/defenseunicorns/packages/uds/core + ref: x.x.x + overrides: + keycloak: + keycloak: + values: + - path: devMode + value: false + # Enable HPA to autoscale Keycloak + - path: autoscaling.enabled + value: true + variables: + - name: KEYCLOAK_DB_HOST + path: postgresql.host + - name: KEYCLOAK_DB_USERNAME + path: postgresql.username + - name: KEYCLOAK_DB_DATABASE + path: postgresql.database + - name: KEYCLOAK_DB_PASSWORD + path: postgresql.password +``` + +### AuthService + +AuthService can be configured in a HA setup if an [external session store](https://docs.tetrate.io/istio-authservice/configuration/oidc#session-store-configuration) is provided (key value store like Redis/Valkey). For configuring an external session store you can set the `UDS_AUTHSERVICE_REDIS_URI` env when deploying or via your `uds-config.yaml`: + +```yaml +variables: + core: + AUTHSERVICE_REDIS_URI: redis://redis.redis.svc.cluster.local:6379 +``` + +To scale up replicas or modify resource requests/limits you can use UDS bundle overrides for the helm values of `replicaCount` and `resources` (using the component and chart name of `authservice`). diff --git a/docs/configuration/uds-operator.md b/docs/configuration/uds-operator.md index 87d340d70..6f5d65e78 100644 --- a/docs/configuration/uds-operator.md +++ b/docs/configuration/uds-operator.md 
@@ -21,6 +21,7 @@ The UDS Operator plays a pivotal role in managing the lifecycle of UDS Package C - **SSO Group Authentication:** - Group authentication determines who can access the application based on keycloak group membership. - At this time `anyOf` allows defining a list of groups, a user must belong to at least one of them. + - Custom client `protocolMapper`'s that will be created alongside the client and added to the client's dedicated scope. - **Authservice Protection:** - Authservice authentication provides application agnostic SSO for applications that opt-in. {{% alert-caution %}} @@ -61,7 +62,7 @@ spec: port: 9411 description: "Tempo" - # SSO allows for the creation of Keycloak clients and with automatic secret generation + # SSO allows for the creation of Keycloak clients and with automatic secret generation and protocolMappers sso: - name: Grafana Dashboard clientId: uds-core-admin-grafana @@ -70,6 +71,22 @@ spec: groups: anyOf: - /UDS Core/Admin + # Define protocolMappers to be created as dedicated scopes for the client + protocolMappers: + - name: username + protocol: "openid-connect" + protocolMapper: "oidc-usermodel-property-mapper" + config: + user.attribute: "username" + claim.name: "username" + userinfo.token.claim: "true" + - name: email + protocol: "openid-connect" + protocolMapper: "oidc-usermodel-property-mapper" + config: + user.attribute: "email" + claim.name: "email" + userinfo.token.claim: "true" ``` ### Example UDS Package CR with SSO Templating 
@@ -168,6 +185,42 @@ variables: See [configuring Istio Ingress](https://uds.defenseunicorns.com/core/configuration/istio/ingress/#configure-domain-name-and-tls-for-istio-gateways) for the relevant documentation on configuring ingress certificates. +### Creating a UDS Package with a Device Flow client + +Some applications may not have a web UI / server component to login to and may instead grant OAuth tokens to devices. This flow is known as the [OAuth 2.0 Device Authorization Grant](https://oauth.net/2/device-flow/) and is supported in a UDS Package with the following configuration: + +```yaml +apiVersion: uds.dev/v1alpha1 +kind: Package +metadata: + name: fulcio + namespace: fulcio-system +spec: + sso: + - name: Sigstore Login + clientId: sigstore + standardFlowEnabled: false + publicClient: true + attributes: + oauth2.device.authorization.grant.enabled: "true" +``` + +This configuration does not create a secret in the cluster and instead tells the UDS Operator to create a public client (one that requires no auth secret) that enables the `oauth2.device.authorization.grant.enabled` flow and disables the standard redirect auth flow. Because this creates a public client configuration that deviates from this is limited - if your application requires both the Device Authorization Grant and the standard flow this is currently not supported without creating two separate clients. + +### SSO Client Attribute Validation + +The SSO spec supports a subset of the Keycloak attributes for clients, but does not support all of them. The current supported attributes are: +- oidc.ciba.grant.enabled +- backchannel.logout.session.required +- backchannel.logout.revoke.offline.tokens +- post.logout.redirect.uris +- oauth2.device.authorization.grant.enabled +- pkce.code.challenge.method +- client.session.idle.timeout +- saml.assertion.signature +- saml.client.signature +- saml_assertion_consumer_url_post + ## Exemption - **Exemption Scope:** 
diff --git a/docs/deployment/distribution-support.md b/docs/deployment/distribution-support.md index 5910d2cd1..268366559 100644 --- a/docs/deployment/distribution-support.md +++ b/docs/deployment/distribution-support.md @@ -12,8 +12,8 @@ UDS Core is a versatile software baseline designed to operate effectively across - **Compatible:** Kubernetes distributions listed under this category may not have undergone extensive testing in UDS Core's CI environments. While UDS Core may be compatible on these distributions, users should exercise caution and be prepared for potential compatibility issues or limitations. -| Distribution | Category | Support Level | -| --------------- | ---------------------- | --------------------------------------------------------------------------------------------------------- | -| K3d, Amazon EKS | Tested | Supported Kubernetes distributions undergoing testing in CI environments. | -| RKE2 | Tested | Supported Kubernetes distribution tested in production environments other than CI. | -| Other | Untested/Unknown state | Compatible Kubernetes distributions that are not explicitly tested, documented, or supported by UDS Core. | +| Distribution | Category | Support Level | +| ------------------- | ---------------------- | --------------------------------------------------------------------------------------------------------- | +| K3d/K3s, Amazon EKS | Tested | Supported Kubernetes distributions undergoing testing in CI environments. | +| RKE2 | Tested | Supported Kubernetes distribution tested in production environments other than CI. | +| Other | Untested/Unknown state | Compatible Kubernetes distributions that are not explicitly tested, documented, or supported by UDS Core. | diff --git a/docs/deployment/prerequisites.md b/docs/deployment/prerequisites.md new file mode 100644 index 000000000..fdbc2fb3e --- /dev/null +++ b/docs/deployment/prerequisites.md 
@@ -0,0 +1,104 @@
+---
+title: UDS Core Prerequisites
+type: docs
+weight: 4
+---
+
+## UDS Core Prerequisites
+
+`UDS Core` can run in any [CNCF conformant Kubernetes distribution](https://www.cncf.io/training/certification/software-conformance/), but sometimes customizations are needed based on environments. This is an attempt to document and link to relevant information to aid in setting up your Kubernetes environment and hosts to ensure a successful `UDS Core` installation.
+
+### Cluster Requirements
+
+When running Kubernetes on any type of host it is important to ensure you are following the upstream documentation from the Kubernetes distribution regarding prerequisites. A few links to upstream documentation are provided below for convenience.
+
+#### RKE2
+
+- [General installation requirements](https://docs.rke2.io/install/requirements)
+- [Disabling Firewalld to prevent networking conflicts](https://docs.rke2.io/known_issues#firewalld-conflicts-with-default-networking)
+- [Modifying NetworkManager to prevent CNI conflicts](https://docs.rke2.io/known_issues#networkmanager)
+- [Known Issues](https://docs.rke2.io/known_issues)
+
+#### K3S
+
+- [General installation requirements](https://docs.k3s.io/installation/requirements)
+- [Known Issues](https://docs.k3s.io/known-issues)
+
+#### EKS
+
+- [General installation requirements](https://docs.aws.amazon.com/eks/latest/userguide/create-cluster.html)
+- [Troubleshooting Guide](https://docs.aws.amazon.com/eks/latest/userguide/troubleshooting.html)
+
+#### AKS
+
+- [General installation requirements](https://learn.microsoft.com/en-us/azure/well-architected/service-guides/azure-kubernetes-service)
+- [Troubleshooting Guide](https://learn.microsoft.com/en-us/troubleshoot/azure/azure-kubernetes/welcome-azure-kubernetes)
+
+### UDS Core Requirements
+
+The below are specific requirements for running UDS Core. Some of them are tied to the entire stack of UDS Core and some are more specific to certain components.
If you encounter issues with a particular component of core, this can be a good list to check to validate you met all the prerequisite requirements for that specific application. + +#### Default Storage Class + +Several UDS Core components require persistent volumes that will be provisioned using the default storage class via dynamic volume provisioning. Ensure that your cluster includes a default storage class prior to deploying. You can validate by running the below command (see example output which includes `(default)` next to the `local-path` storage class): + +```console +❯ kubectl get storageclass +NAME PROVISIONER RECLAIMPOLICY VOLUMEBINDINGMODE ALLOWVOLUMEEXPANSION AGE +local-path (default) rancher.io/local-path Delete WaitForFirstConsumer false 55s +``` + +#### Network Policy Support + +The UDS Operator will dynamically provision network policies to secure traffic between components in UDS Core. To ensure these are effective, validate that your CNI supports enforcing network policies. In addition, UDS Core makes use of some CIDR based policies for communication with the KubeAPI server. If you are using Cilium, support for node addressability with CIDR based policies must be enabled with a [feature flag](https://docs.cilium.io/en/stable/security/policy/language/#selecting-nodes-with-cidr-ipblock). + +#### Istio + +Istio requires a number of kernel modules to be loaded for full functionality. The below is a script that will ensure these modules are loaded and persisted across reboots (see also Istio's [upstream requirements list](https://istio.io/latest/docs/ops/deployment/platform-requirements/)). Ideally this script is used as part of an image build or cloud-init process on each node. 
+ +```console +modules=("br_netfilter" "xt_REDIRECT" "xt_owner" "xt_statistic" "iptable_mangle" "iptable_nat" "xt_conntrack" "xt_tcpudp") +for module in "${modules[@]}"; do + modprobe "$module" + echo "$module" >> "/etc/modules-load.d/istio-modules.conf" +done +``` + +In addition, to run Istio ingress gateways (part of Core) you will need to ensure your cluster supports dynamic load balancer provisioning when services of type LoadBalancer are created. Typically in cloud environments this is handled using a cloud provider's controller (example: [AWS LB Controller](https://github.com/kubernetes-sigs/aws-load-balancer-controller)). When deploying on-prem, this is commonly done by using a "bare metal" load balancer provisioner like [MetalLB](https://metallb.universe.tf/) or [kube-vip](https://kube-vip.io/). Certain distributions may also include ingress controllers that you will want to disable as they may conflict with Istio (example: RKE2 includes ingress-nginx). + +#### NeuVector + +NeuVector historically has functioned best when the host is using cgroup v2. Cgroup v2 is enabled by default on many modern Linux distributions, but you may need to enable it depending on your operating system. Enabling this tends to be OS specific, so you will need to evaluate this for your specific hosts. + +#### Promtail + +In order to ensure that Promtail is able to scrape the necessary logs concurrently you may need to adjust some kernel parameters for your hosts. The below is a script that can be used to adjust these parameters to suitable values and ensure they are persisted across reboots. Ideally this script is used as part of an image build or cloud-init process on each node. 
+ +```console +declare -A sysctl_settings +sysctl_settings["fs.nr_open"]=13181250 +sysctl_settings["fs.inotify.max_user_instances"]=1024 +sysctl_settings["fs.inotify.max_user_watches"]=1048576 +sysctl_settings["fs.file-max"]=13181250 + +for key in "${!sysctl_settings[@]}"; do + value="${sysctl_settings[$key]}" + sysctl -w "$key=$value" + echo "$key=$value" > "/etc/sysctl.d/$key.conf" +done +sysctl -p +``` + +#### Metrics Server + +Metrics server is provided as an optional component in UDS Core and can be enabled if needed. For distros where metrics-server is already provided, ensure that you do NOT enable metrics-server. See the below as an example for enabling metrics-server if your cluster does not include it. + +```yaml +... +- name: uds-core + repository: ghcr.io/defenseunicorns/packages/private/uds/core + ref: 0.25.2-unicorn + optionalComponents: + - metrics-server +... +``` diff --git a/docs/deployment/uds-deploy.md b/docs/deployment/uds-deploy.md index 5d6b4399a..97455a7c8 100644 --- a/docs/deployment/uds-deploy.md +++ b/docs/deployment/uds-deploy.md @@ -12,7 +12,7 @@ Please ensure that the following prerequisites are on your machine prior to depl - If using Colima, please declare the following resources after installing: ```git -colima start --cpu 6 --memory 14 --disk 50 +colima start --cpu 7 --memory 14 --disk 50 ``` - [K3d](https://formulae.brew.sh/formula/k3d#default) for development and test environments or a [CNCF Certified Kubernetes Cluster](https://www.cncf.io/training/certification/software-conformance/#logos) if deploying to production environments. diff --git a/package-lock.json b/package-lock.json index 60162a983..e838c0321 100644 --- a/package-lock.json +++ b/package-lock.json 
@@ -8,12 +8,14 @@ "name": "uds-core", "version": "0.5.0", "dependencies": { - "pepr": "0.32.6" + "pepr": "0.36.0" }, "devDependencies": { "@jest/globals": "29.7.0", + "husky": "9.1.6", "jest": "29.7.0", - "ts-jest": "29.2.0" + "lint-staged": "15.2.10", + "ts-jest": "29.2.5" }, "engines": { "node": ">=20.0.0" 
@@ -46,30 +48,30 @@ } }, "node_modules/@babel/compat-data": { - "version": "7.24.7", - "resolved": "https://registry.npmjs.org/@babel/compat-data/-/compat-data-7.24.7.tgz", - "integrity": "sha512-qJzAIcv03PyaWqxRgO4mSU3lihncDT296vnyuE2O8uA4w3UHWI4S3hgeZd1L8W1Bft40w9JxJ2b412iDUFFRhw==", + "version": "7.25.4", + "resolved": "https://registry.npmjs.org/@babel/compat-data/-/compat-data-7.25.4.tgz", + "integrity": "sha512-+LGRog6RAsCJrrrg/IO6LGmpphNe5DiK30dGjCoxxeGv49B10/3XYGxPsAwrDlMFcFEvdAUavDT8r9k/hSyQqQ==", "dev": true, "engines": { "node": ">=6.9.0" } }, "node_modules/@babel/core": { - "version": "7.24.7", - "resolved": "https://registry.npmjs.org/@babel/core/-/core-7.24.7.tgz", - "integrity": "sha512-nykK+LEK86ahTkX/3TgauT0ikKoNCfKHEaZYTUVupJdTLzGNvrblu4u6fa7DhZONAltdf8e662t/abY8idrd/g==", + "version": "7.25.2", + "resolved": "https://registry.npmjs.org/@babel/core/-/core-7.25.2.tgz", + "integrity": "sha512-BBt3opiCOxUr9euZ5/ro/Xv8/V7yJ5bjYMqG/C1YAo8MIKAnumZalCN+msbci3Pigy4lIQfPUpfMM27HMGaYEA==", "dev": true, "dependencies": { "@ampproject/remapping": "^2.2.0", "@babel/code-frame": "^7.24.7", - "@babel/generator": "^7.24.7", - "@babel/helper-compilation-targets": "^7.24.7", - "@babel/helper-module-transforms": "^7.24.7", - "@babel/helpers": "^7.24.7", - "@babel/parser": "^7.24.7", - "@babel/template": "^7.24.7", - "@babel/traverse": "^7.24.7", - "@babel/types": "^7.24.7", + "@babel/generator": "^7.25.0", + "@babel/helper-compilation-targets": "^7.25.2", + "@babel/helper-module-transforms": "^7.25.2", + "@babel/helpers": "^7.25.0", + "@babel/parser": "^7.25.0", + "@babel/template": "^7.25.0", + "@babel/traverse": "^7.25.2", + "@babel/types": "^7.25.2", "convert-source-map": "^2.0.0", "debug": "^4.1.0", "gensync": "^1.0.0-beta.2", 
@@ -94,12 +96,12 @@ } }, "node_modules/@babel/generator": { - "version": "7.24.7", - "resolved": "https://registry.npmjs.org/@babel/generator/-/generator-7.24.7.tgz", - "integrity": "sha512-oipXieGC3i45Y1A41t4tAqpnEZWgB/lC6Ehh6+rOviR5XWpTtMmLN+fGjz9vOiNRt0p6RtO6DtD0pdU3vpqdSA==", + "version": "7.25.6", + "resolved": "https://registry.npmjs.org/@babel/generator/-/generator-7.25.6.tgz", + "integrity": "sha512-VPC82gr1seXOpkjAAKoLhP50vx4vGNlF4msF64dSFq1P8RfB+QAuJWGHPXXPc8QyfVWwwB/TNNU4+ayZmHNbZw==", "dev": true, "dependencies": { - "@babel/types": "^7.24.7", + "@babel/types": "^7.25.6", "@jridgewell/gen-mapping": "^0.3.5", "@jridgewell/trace-mapping": "^0.3.25", "jsesc": "^2.5.1" @@ -109,14 +111,14 @@ } }, "node_modules/@babel/helper-compilation-targets": { - "version": "7.24.7", - "resolved": "https://registry.npmjs.org/@babel/helper-compilation-targets/-/helper-compilation-targets-7.24.7.tgz", - "integrity": "sha512-ctSdRHBi20qWOfy27RUb4Fhp07KSJ3sXcuSvTrXrc4aG8NSYDo1ici3Vhg9bg69y5bj0Mr1lh0aeEgTvc12rMg==", + "version": "7.25.2", + "resolved": "https://registry.npmjs.org/@babel/helper-compilation-targets/-/helper-compilation-targets-7.25.2.tgz", + "integrity": "sha512-U2U5LsSaZ7TAt3cfaymQ8WHh0pxvdHoEk6HVpaexxixjyEquMh0L0YNJNM6CTGKMXV1iksi0iZkGw4AcFkPaaw==", "dev": true, "dependencies": { - "@babel/compat-data": "^7.24.7", - "@babel/helper-validator-option": "^7.24.7", - "browserslist": "^4.22.2", + "@babel/compat-data": "^7.25.2", + "@babel/helper-validator-option": "^7.24.8", + "browserslist": "^4.23.1", "lru-cache": "^5.1.1", "semver": "^6.3.1" }, 
@@ -133,43 +135,6 @@ "semver": "bin/semver.js" } }, - "node_modules/@babel/helper-environment-visitor": { - "version": "7.24.7", - "resolved": "https://registry.npmjs.org/@babel/helper-environment-visitor/-/helper-environment-visitor-7.24.7.tgz", - "integrity": "sha512-DoiN84+4Gnd0ncbBOM9AZENV4a5ZiL39HYMyZJGZ/AZEykHYdJw0wW3kdcsh9/Kn+BRXHLkkklZ51ecPKmI1CQ==", - "dev": true, - "dependencies": { - "@babel/types": "^7.24.7" - }, - "engines": { - "node": ">=6.9.0" - } - }, - "node_modules/@babel/helper-function-name": { - "version": "7.24.7", - "resolved": "https://registry.npmjs.org/@babel/helper-function-name/-/helper-function-name-7.24.7.tgz", - "integrity": "sha512-FyoJTsj/PEUWu1/TYRiXTIHc8lbw+TDYkZuoE43opPS5TrI7MyONBE1oNvfguEXAD9yhQRrVBnXdXzSLQl9XnA==", - "dev": true, - "dependencies": { - "@babel/template": "^7.24.7", - "@babel/types": "^7.24.7" - }, - "engines": { - "node": ">=6.9.0" - } - }, - "node_modules/@babel/helper-hoist-variables": { - "version": "7.24.7", - "resolved": "https://registry.npmjs.org/@babel/helper-hoist-variables/-/helper-hoist-variables-7.24.7.tgz", - "integrity": "sha512-MJJwhkoGy5c4ehfoRyrJ/owKeMl19U54h27YYftT0o2teQ3FJ3nQUf/I3LlJsX4l3qlw7WRXUmiyajvHXoTubQ==", - "dev": true, - "dependencies": { - "@babel/types": "^7.24.7" - }, - "engines": { - "node": ">=6.9.0" - } - }, "node_modules/@babel/helper-module-imports": { "version": "7.24.7", "resolved": "https://registry.npmjs.org/@babel/helper-module-imports/-/helper-module-imports-7.24.7.tgz", 
@@ -184,16 +149,15 @@ } }, "node_modules/@babel/helper-module-transforms": { - "version": "7.24.7", - "resolved": "https://registry.npmjs.org/@babel/helper-module-transforms/-/helper-module-transforms-7.24.7.tgz", - "integrity": "sha512-1fuJEwIrp+97rM4RWdO+qrRsZlAeL1lQJoPqtCYWv0NL115XM93hIH4CSRln2w52SqvmY5hqdtauB6QFCDiZNQ==", + "version": "7.25.2", + "resolved": "https://registry.npmjs.org/@babel/helper-module-transforms/-/helper-module-transforms-7.25.2.tgz", + "integrity": "sha512-BjyRAbix6j/wv83ftcVJmBt72QtHI56C7JXZoG2xATiLpmoC7dpd8WnkikExHDVPpi/3qCmO6WY1EaXOluiecQ==", "dev": true, "dependencies": { - "@babel/helper-environment-visitor": "^7.24.7", "@babel/helper-module-imports": "^7.24.7", "@babel/helper-simple-access": "^7.24.7", - "@babel/helper-split-export-declaration": "^7.24.7", - "@babel/helper-validator-identifier": "^7.24.7" + "@babel/helper-validator-identifier": "^7.24.7", + "@babel/traverse": "^7.25.2" }, "engines": { "node": ">=6.9.0" @@ -203,9 +167,9 @@ } }, "node_modules/@babel/helper-plugin-utils": { - "version": "7.24.7", - "resolved": "https://registry.npmjs.org/@babel/helper-plugin-utils/-/helper-plugin-utils-7.24.7.tgz", - "integrity": "sha512-Rq76wjt7yz9AAc1KnlRKNAi/dMSVWgDRx43FHoJEbcYU6xOWaE2dVPwcdTukJrjxS65GITyfbvEYHvkirZ6uEg==", + "version": "7.24.8", + "resolved": "https://registry.npmjs.org/@babel/helper-plugin-utils/-/helper-plugin-utils-7.24.8.tgz", + "integrity": "sha512-FFWx5142D8h2Mgr/iPVGH5G7w6jDn4jUSpZTyDnQO0Yn7Ks2Kuz6Pci8H6MPCoUJegd/UZQ3tAvfLCxQSnWWwg==", "dev": true, "engines": { "node": ">=6.9.0" 
@@ -224,22 +188,10 @@ "node": ">=6.9.0" } }, - "node_modules/@babel/helper-split-export-declaration": { - "version": "7.24.7", - "resolved": "https://registry.npmjs.org/@babel/helper-split-export-declaration/-/helper-split-export-declaration-7.24.7.tgz", - "integrity": "sha512-oy5V7pD+UvfkEATUKvIjvIAH/xCzfsFVw7ygW2SI6NClZzquT+mwdTfgfdbUiceh6iQO0CHtCPsyze/MZ2YbAA==", - "dev": true, - "dependencies": { - "@babel/types": "^7.24.7" - }, - "engines": { - "node": ">=6.9.0" - } - }, "node_modules/@babel/helper-string-parser": { - "version": "7.24.7", - "resolved": "https://registry.npmjs.org/@babel/helper-string-parser/-/helper-string-parser-7.24.7.tgz", - "integrity": "sha512-7MbVt6xrwFQbunH2DNQsAP5sTGxfqQtErvBIvIMi6EQnbgUOuVYanvREcmFrOPhoXBrTtjhhP+lW+o5UfK+tDg==", + "version": "7.24.8", + "resolved": "https://registry.npmjs.org/@babel/helper-string-parser/-/helper-string-parser-7.24.8.tgz", + "integrity": "sha512-pO9KhhRcuUyGnJWwyEgnRJTSIZHiT+vMD0kPeD+so0l7mxkMT19g3pjY9GTnHySck/hDzq+dtW/4VgnMkippsQ==", "dev": true, "engines": { "node": ">=6.9.0" 
@@ -255,22 +207,22 @@ } }, "node_modules/@babel/helper-validator-option": { - "version": "7.24.7", - "resolved": "https://registry.npmjs.org/@babel/helper-validator-option/-/helper-validator-option-7.24.7.tgz", - "integrity": "sha512-yy1/KvjhV/ZCL+SM7hBrvnZJ3ZuT9OuZgIJAGpPEToANvc3iM6iDvBnRjtElWibHU6n8/LPR/EjX9EtIEYO3pw==", + "version": "7.24.8", + "resolved": "https://registry.npmjs.org/@babel/helper-validator-option/-/helper-validator-option-7.24.8.tgz", + "integrity": "sha512-xb8t9tD1MHLungh/AIoWYN+gVHaB9kwlu8gffXGSt3FFEIT7RjS+xWbc2vUD1UTZdIpKj/ab3rdqJ7ufngyi2Q==", "dev": true, "engines": { "node": ">=6.9.0" } }, "node_modules/@babel/helpers": { - "version": "7.24.7", - "resolved": "https://registry.npmjs.org/@babel/helpers/-/helpers-7.24.7.tgz", - "integrity": "sha512-NlmJJtvcw72yRJRcnCmGvSi+3jDEg8qFu3z0AFoymmzLx5ERVWyzd9kVXr7Th9/8yIJi2Zc6av4Tqz3wFs8QWg==", + "version": "7.25.6", + "resolved": "https://registry.npmjs.org/@babel/helpers/-/helpers-7.25.6.tgz", + "integrity": "sha512-Xg0tn4HcfTijTwfDwYlvVCl43V6h4KyVVX2aEm4qdO/PC6L2YvzLHFdmxhoeSA3eslcE6+ZVXHgWwopXYLNq4Q==", "dev": true, "dependencies": { - "@babel/template": "^7.24.7", - "@babel/types": "^7.24.7" + "@babel/template": "^7.25.0", + "@babel/types": "^7.25.6" }, "engines": { "node": ">=6.9.0" @@ -363,10 +315,13 @@ } }, "node_modules/@babel/parser": { - "version": "7.24.7", - "resolved": "https://registry.npmjs.org/@babel/parser/-/parser-7.24.7.tgz", - "integrity": "sha512-9uUYRm6OqQrCqQdG1iCBwBPZgN8ciDBro2nIOFaiRz1/BCxaI7CNvQbDHvsArAC7Tw9Hda/B3U+6ui9u4HWXPw==", + "version": "7.25.6", + "resolved": "https://registry.npmjs.org/@babel/parser/-/parser-7.25.6.tgz", + "integrity": "sha512-trGdfBdbD0l1ZPmcJ83eNxB9rbEax4ALFTF7fN386TMYbeCQbyme5cOEXQhbGXKebwGaB/J52w1mrklMcbgy6Q==", "dev": true, + "dependencies": { + "@babel/types": "^7.25.6" + }, "bin": { "parser": "bin/babel-parser.js" }, 
@@ -410,6 +365,36 @@ "@babel/core": "^7.0.0-0" } }, + "node_modules/@babel/plugin-syntax-class-static-block": { + "version": "7.14.5", + "resolved": "https://registry.npmjs.org/@babel/plugin-syntax-class-static-block/-/plugin-syntax-class-static-block-7.14.5.tgz", + "integrity": "sha512-b+YyPmr6ldyNnM6sqYeMWE+bgJcJpO6yS4QD7ymxgH34GBPNDM/THBh8iunyvKIZztiwLH4CJZ0RxTk9emgpjw==", + "dev": true, + "dependencies": { + "@babel/helper-plugin-utils": "^7.14.5" + }, + "engines": { + "node": ">=6.9.0" + }, + "peerDependencies": { + "@babel/core": "^7.0.0-0" + } + }, + "node_modules/@babel/plugin-syntax-import-attributes": { + "version": "7.25.6", + "resolved": "https://registry.npmjs.org/@babel/plugin-syntax-import-attributes/-/plugin-syntax-import-attributes-7.25.6.tgz", + "integrity": "sha512-sXaDXaJN9SNLymBdlWFA+bjzBhFD617ZaFiY13dGt7TVslVvVgA6fkZOP7Ki3IGElC45lwHdOTrCtKZGVAWeLQ==", + "dev": true, + "dependencies": { + "@babel/helper-plugin-utils": "^7.24.8" + }, + "engines": { + "node": ">=6.9.0" + }, + "peerDependencies": { + "@babel/core": "^7.0.0-0" + } + }, "node_modules/@babel/plugin-syntax-import-meta": { "version": "7.10.4", "resolved": "https://registry.npmjs.org/@babel/plugin-syntax-import-meta/-/plugin-syntax-import-meta-7.10.4.tgz", 
@@ -521,6 +506,21 @@ "@babel/core": "^7.0.0-0" } }, + "node_modules/@babel/plugin-syntax-private-property-in-object": { + "version": "7.14.5", + "resolved": "https://registry.npmjs.org/@babel/plugin-syntax-private-property-in-object/-/plugin-syntax-private-property-in-object-7.14.5.tgz", + "integrity": "sha512-0wVnp9dxJ72ZUJDV27ZfbSj6iHLoytYZmh3rFcxNnvsJF3ktkzLDZPy/mA17HGsaQT3/DQsWYX1f1QGWkCoVUg==", + "dev": true, + "dependencies": { + "@babel/helper-plugin-utils": "^7.14.5" + }, + "engines": { + "node": ">=6.9.0" + }, + "peerDependencies": { + "@babel/core": "^7.0.0-0" + } + }, "node_modules/@babel/plugin-syntax-top-level-await": { "version": "7.14.5", "resolved": "https://registry.npmjs.org/@babel/plugin-syntax-top-level-await/-/plugin-syntax-top-level-await-7.14.5.tgz", @@ -537,12 +537,12 @@ } }, "node_modules/@babel/plugin-syntax-typescript": { - "version": "7.24.7", - "resolved": "https://registry.npmjs.org/@babel/plugin-syntax-typescript/-/plugin-syntax-typescript-7.24.7.tgz", - "integrity": "sha512-c/+fVeJBB0FeKsFvwytYiUD+LBvhHjGSI0g446PRGdSVGZLRNArBUno2PETbAly3tpiNAQR5XaZ+JslxkotsbA==", + "version": "7.25.4", + "resolved": "https://registry.npmjs.org/@babel/plugin-syntax-typescript/-/plugin-syntax-typescript-7.25.4.tgz", + "integrity": "sha512-uMOCoHVU52BsSWxPOMVv5qKRdeSlPuImUCB2dlPuBSU+W2/ROE7/Zg8F2Kepbk+8yBa68LlRKxO+xgEVWorsDg==", "dev": true, "dependencies": { - "@babel/helper-plugin-utils": "^7.24.7" + "@babel/helper-plugin-utils": "^7.24.8" }, "engines": { "node": ">=6.9.0" 
@@ -552,33 +552,30 @@ } }, "node_modules/@babel/template": { - "version": "7.24.7", - "resolved": "https://registry.npmjs.org/@babel/template/-/template-7.24.7.tgz", - "integrity": "sha512-jYqfPrU9JTF0PmPy1tLYHW4Mp4KlgxJD9l2nP9fD6yT/ICi554DmrWBAEYpIelzjHf1msDP3PxJIRt/nFNfBig==", + "version": "7.25.0", + "resolved": "https://registry.npmjs.org/@babel/template/-/template-7.25.0.tgz", + "integrity": "sha512-aOOgh1/5XzKvg1jvVz7AVrx2piJ2XBi227DHmbY6y+bM9H2FlN+IfecYu4Xl0cNiiVejlsCri89LUsbj8vJD9Q==", "dev": true, "dependencies": { "@babel/code-frame": "^7.24.7", - "@babel/parser": "^7.24.7", - "@babel/types": "^7.24.7" + "@babel/parser": "^7.25.0", + "@babel/types": "^7.25.0" }, "engines": { "node": ">=6.9.0" } }, "node_modules/@babel/traverse": { - "version": "7.24.7", - "resolved": "https://registry.npmjs.org/@babel/traverse/-/traverse-7.24.7.tgz", - "integrity": "sha512-yb65Ed5S/QAcewNPh0nZczy9JdYXkkAbIsEo+P7BE7yO3txAY30Y/oPa3QkQ5It3xVG2kpKMg9MsdxZaO31uKA==", + "version": "7.25.6", + "resolved": "https://registry.npmjs.org/@babel/traverse/-/traverse-7.25.6.tgz", + "integrity": "sha512-9Vrcx5ZW6UwK5tvqsj0nGpp/XzqthkT0dqIc9g1AdtygFToNtTF67XzYS//dm+SAK9cp3B9R4ZO/46p63SCjlQ==", "dev": true, "dependencies": { "@babel/code-frame": "^7.24.7", - "@babel/generator": "^7.24.7", - "@babel/helper-environment-visitor": "^7.24.7", - "@babel/helper-function-name": "^7.24.7", - "@babel/helper-hoist-variables": "^7.24.7", - "@babel/helper-split-export-declaration": "^7.24.7", - "@babel/parser": "^7.24.7", - "@babel/types": "^7.24.7", + "@babel/generator": "^7.25.6", + "@babel/parser": "^7.25.6", + "@babel/template": "^7.25.0", + "@babel/types": "^7.25.6", "debug": "^4.3.1", "globals": "^11.1.0" }, 
@@ -596,12 +593,12 @@ } }, "node_modules/@babel/types": { - "version": "7.24.7", - "resolved": "https://registry.npmjs.org/@babel/types/-/types-7.24.7.tgz", - "integrity": "sha512-XEFXSlxiG5td2EJRe8vOmRbaXVgfcBlszKujvVmWIK/UpywWljQCfzAv3RQCGujWQ1RD4YYWEAqDXfuJiy8f5Q==", + "version": "7.25.6", + "resolved": "https://registry.npmjs.org/@babel/types/-/types-7.25.6.tgz", + "integrity": "sha512-/l42B1qxpG6RdfYf343Uw1vmDjeNhneUXtzhojE7pDgfpEypmRhI6j1kr17XCVv4Cgl9HdAiQY2x0GwKm7rWCw==", "dev": true, "dependencies": { - "@babel/helper-string-parser": "^7.24.7", + "@babel/helper-string-parser": "^7.24.8", "@babel/helper-validator-identifier": "^7.24.7", "to-fast-properties": "^2.0.0" }, @@ -616,9 +613,9 @@ "dev": true }, "node_modules/@esbuild/aix-ppc64": { - "version": "0.19.10", - "resolved": "https://registry.npmjs.org/@esbuild/aix-ppc64/-/aix-ppc64-0.19.10.tgz", - "integrity": "sha512-Q+mk96KJ+FZ30h9fsJl+67IjNJm3x2eX+GBWGmocAKgzp27cowCOOqSdscX80s0SpdFXZnIv/+1xD1EctFx96Q==", + "version": "0.23.0", + "resolved": "https://registry.npmjs.org/@esbuild/aix-ppc64/-/aix-ppc64-0.23.0.tgz", + "integrity": "sha512-3sG8Zwa5fMcA9bgqB8AfWPQ+HFke6uD3h1s3RIwUNK8EG7a4buxvuFTs3j1IMs2NXAk9F30C/FF4vxRgQCcmoQ==", "cpu": [ "ppc64" ], @@ -628,13 +625,13 @@ ], "peer": true, "engines": { - "node": ">=12" + "node": ">=18" } }, "node_modules/@esbuild/android-arm": { - "version": "0.19.10", - "resolved": "https://registry.npmjs.org/@esbuild/android-arm/-/android-arm-0.19.10.tgz", - "integrity": "sha512-7W0bK7qfkw1fc2viBfrtAEkDKHatYfHzr/jKAHNr9BvkYDXPcC6bodtm8AyLJNNuqClLNaeTLuwURt4PRT9d7w==", + "version": "0.23.0", + "resolved": "https://registry.npmjs.org/@esbuild/android-arm/-/android-arm-0.23.0.tgz", + "integrity": "sha512-+KuOHTKKyIKgEEqKbGTK8W7mPp+hKinbMBeEnNzjJGyFcWsfrXjSTNluJHCY1RqhxFurdD8uNXQDei7qDlR6+g==", "cpu": [ "arm" ], 
@@ -644,13 +641,13 @@ ], "peer": true, "engines": { - "node": ">=12" + "node": ">=18" } }, "node_modules/@esbuild/android-arm64": { - "version": "0.19.10", - "resolved": "https://registry.npmjs.org/@esbuild/android-arm64/-/android-arm64-0.19.10.tgz", - "integrity": "sha512-1X4CClKhDgC3by7k8aOWZeBXQX8dHT5QAMCAQDArCLaYfkppoARvh0fit3X2Qs+MXDngKcHv6XXyQCpY0hkK1Q==", + "version": "0.23.0", + "resolved": "https://registry.npmjs.org/@esbuild/android-arm64/-/android-arm64-0.23.0.tgz", + "integrity": "sha512-EuHFUYkAVfU4qBdyivULuu03FhJO4IJN9PGuABGrFy4vUuzk91P2d+npxHcFdpUnfYKy0PuV+n6bKIpHOB3prQ==", "cpu": [ "arm64" ], @@ -660,13 +657,13 @@ ], "peer": true, "engines": { - "node": ">=12" + "node": ">=18" } }, "node_modules/@esbuild/android-x64": { - "version": "0.19.10", - "resolved": "https://registry.npmjs.org/@esbuild/android-x64/-/android-x64-0.19.10.tgz", - "integrity": "sha512-O/nO/g+/7NlitUxETkUv/IvADKuZXyH4BHf/g/7laqKC4i/7whLpB0gvpPc2zpF0q9Q6FXS3TS75QHac9MvVWw==", + "version": "0.23.0", + "resolved": "https://registry.npmjs.org/@esbuild/android-x64/-/android-x64-0.23.0.tgz", + "integrity": "sha512-WRrmKidLoKDl56LsbBMhzTTBxrsVwTKdNbKDalbEZr0tcsBgCLbEtoNthOW6PX942YiYq8HzEnb4yWQMLQuipQ==", "cpu": [ "x64" ], @@ -676,13 +673,13 @@ ], "peer": true, "engines": { - "node": ">=12" + "node": ">=18" } }, "node_modules/@esbuild/darwin-arm64": { - "version": "0.19.10", - "resolved": "https://registry.npmjs.org/@esbuild/darwin-arm64/-/darwin-arm64-0.19.10.tgz", - "integrity": "sha512-YSRRs2zOpwypck+6GL3wGXx2gNP7DXzetmo5pHXLrY/VIMsS59yKfjPizQ4lLt5vEI80M41gjm2BxrGZ5U+VMA==", + "version": "0.23.0", + "resolved": "https://registry.npmjs.org/@esbuild/darwin-arm64/-/darwin-arm64-0.23.0.tgz", + "integrity": "sha512-YLntie/IdS31H54Ogdn+v50NuoWF5BDkEUFpiOChVa9UnKpftgwzZRrI4J132ETIi+D8n6xh9IviFV3eXdxfow==", "cpu": [ "arm64" ], 
@@ -692,13 +689,13 @@ ], "peer": true, "engines": { - "node": ">=12" + "node": ">=18" } }, "node_modules/@esbuild/darwin-x64": { - "version": "0.19.10", - "resolved": "https://registry.npmjs.org/@esbuild/darwin-x64/-/darwin-x64-0.19.10.tgz", - "integrity": "sha512-alfGtT+IEICKtNE54hbvPg13xGBe4GkVxyGWtzr+yHO7HIiRJppPDhOKq3zstTcVf8msXb/t4eavW3jCDpMSmA==", + "version": "0.23.0", + "resolved": "https://registry.npmjs.org/@esbuild/darwin-x64/-/darwin-x64-0.23.0.tgz", + "integrity": "sha512-IMQ6eme4AfznElesHUPDZ+teuGwoRmVuuixu7sv92ZkdQcPbsNHzutd+rAfaBKo8YK3IrBEi9SLLKWJdEvJniQ==", "cpu": [ "x64" ], @@ -708,13 +705,13 @@ ], "peer": true, "engines": { - "node": ">=12" + "node": ">=18" } }, "node_modules/@esbuild/freebsd-arm64": { - "version": "0.19.10", - "resolved": "https://registry.npmjs.org/@esbuild/freebsd-arm64/-/freebsd-arm64-0.19.10.tgz", - "integrity": "sha512-dMtk1wc7FSH8CCkE854GyGuNKCewlh+7heYP/sclpOG6Cectzk14qdUIY5CrKDbkA/OczXq9WesqnPl09mj5dg==", + "version": "0.23.0", + "resolved": "https://registry.npmjs.org/@esbuild/freebsd-arm64/-/freebsd-arm64-0.23.0.tgz", + "integrity": "sha512-0muYWCng5vqaxobq6LB3YNtevDFSAZGlgtLoAc81PjUfiFz36n4KMpwhtAd4he8ToSI3TGyuhyx5xmiWNYZFyw==", "cpu": [ "arm64" ], @@ -724,13 +721,13 @@ ], "peer": true, "engines": { - "node": ">=12" + "node": ">=18" } }, "node_modules/@esbuild/freebsd-x64": { - "version": "0.19.10", - "resolved": "https://registry.npmjs.org/@esbuild/freebsd-x64/-/freebsd-x64-0.19.10.tgz", - "integrity": "sha512-G5UPPspryHu1T3uX8WiOEUa6q6OlQh6gNl4CO4Iw5PS+Kg5bVggVFehzXBJY6X6RSOMS8iXDv2330VzaObm4Ag==", + "version": "0.23.0", + "resolved": "https://registry.npmjs.org/@esbuild/freebsd-x64/-/freebsd-x64-0.23.0.tgz", + "integrity": "sha512-XKDVu8IsD0/q3foBzsXGt/KjD/yTKBCIwOHE1XwiXmrRwrX6Hbnd5Eqn/WvDekddK21tfszBSrE/WMaZh+1buQ==", "cpu": [ "x64" ], 
@@ -740,13 +737,13 @@ ], "peer": true, "engines": { - "node": ">=12" + "node": ">=18" } }, "node_modules/@esbuild/linux-arm": { - "version": "0.19.10", - "resolved": "https://registry.npmjs.org/@esbuild/linux-arm/-/linux-arm-0.19.10.tgz", - "integrity": "sha512-j6gUW5aAaPgD416Hk9FHxn27On28H4eVI9rJ4az7oCGTFW48+LcgNDBN+9f8rKZz7EEowo889CPKyeaD0iw9Kg==", + "version": "0.23.0", + "resolved": "https://registry.npmjs.org/@esbuild/linux-arm/-/linux-arm-0.23.0.tgz", + "integrity": "sha512-SEELSTEtOFu5LPykzA395Mc+54RMg1EUgXP+iw2SJ72+ooMwVsgfuwXo5Fn0wXNgWZsTVHwY2cg4Vi/bOD88qw==", "cpu": [ "arm" ], @@ -756,13 +753,13 @@ ], "peer": true, "engines": { - "node": ">=12" + "node": ">=18" } }, "node_modules/@esbuild/linux-arm64": { - "version": "0.19.10", - "resolved": "https://registry.npmjs.org/@esbuild/linux-arm64/-/linux-arm64-0.19.10.tgz", - "integrity": "sha512-QxaouHWZ+2KWEj7cGJmvTIHVALfhpGxo3WLmlYfJ+dA5fJB6lDEIg+oe/0//FuyVHuS3l79/wyBxbHr0NgtxJQ==", + "version": "0.23.0", + "resolved": "https://registry.npmjs.org/@esbuild/linux-arm64/-/linux-arm64-0.23.0.tgz", + "integrity": "sha512-j1t5iG8jE7BhonbsEg5d9qOYcVZv/Rv6tghaXM/Ug9xahM0nX/H2gfu6X6z11QRTMT6+aywOMA8TDkhPo8aCGw==", "cpu": [ "arm64" ], @@ -772,13 +769,13 @@ ], "peer": true, "engines": { - "node": ">=12" + "node": ">=18" } }, "node_modules/@esbuild/linux-ia32": { - "version": "0.19.10", - "resolved": "https://registry.npmjs.org/@esbuild/linux-ia32/-/linux-ia32-0.19.10.tgz", - "integrity": "sha512-4ub1YwXxYjj9h1UIZs2hYbnTZBtenPw5NfXCRgEkGb0b6OJ2gpkMvDqRDYIDRjRdWSe/TBiZltm3Y3Q8SN1xNg==", + "version": "0.23.0", + "resolved": "https://registry.npmjs.org/@esbuild/linux-ia32/-/linux-ia32-0.23.0.tgz", + "integrity": "sha512-P7O5Tkh2NbgIm2R6x1zGJJsnacDzTFcRWZyTTMgFdVit6E98LTxO+v8LCCLWRvPrjdzXHx9FEOA8oAZPyApWUA==", "cpu": [ "ia32" ], 
@@ -788,13 +785,13 @@ ], "peer": true, "engines": { - "node": ">=12" + "node": ">=18" } }, "node_modules/@esbuild/linux-loong64": { - "version": "0.19.10", - "resolved": "https://registry.npmjs.org/@esbuild/linux-loong64/-/linux-loong64-0.19.10.tgz", - "integrity": "sha512-lo3I9k+mbEKoxtoIbM0yC/MZ1i2wM0cIeOejlVdZ3D86LAcFXFRdeuZmh91QJvUTW51bOK5W2BznGNIl4+mDaA==", + "version": "0.23.0", + "resolved": "https://registry.npmjs.org/@esbuild/linux-loong64/-/linux-loong64-0.23.0.tgz", + "integrity": "sha512-InQwepswq6urikQiIC/kkx412fqUZudBO4SYKu0N+tGhXRWUqAx+Q+341tFV6QdBifpjYgUndV1hhMq3WeJi7A==", "cpu": [ "loong64" ], @@ -804,13 +801,13 @@ ], "peer": true, "engines": { - "node": ">=12" + "node": ">=18" } }, "node_modules/@esbuild/linux-mips64el": { - "version": "0.19.10", - "resolved": "https://registry.npmjs.org/@esbuild/linux-mips64el/-/linux-mips64el-0.19.10.tgz", - "integrity": "sha512-J4gH3zhHNbdZN0Bcr1QUGVNkHTdpijgx5VMxeetSk6ntdt+vR1DqGmHxQYHRmNb77tP6GVvD+K0NyO4xjd7y4A==", + "version": "0.23.0", + "resolved": "https://registry.npmjs.org/@esbuild/linux-mips64el/-/linux-mips64el-0.23.0.tgz", + "integrity": "sha512-J9rflLtqdYrxHv2FqXE2i1ELgNjT+JFURt/uDMoPQLcjWQA5wDKgQA4t/dTqGa88ZVECKaD0TctwsUfHbVoi4w==", "cpu": [ "mips64el" ], @@ -820,13 +817,13 @@ ], "peer": true, "engines": { - "node": ">=12" + "node": ">=18" } }, "node_modules/@esbuild/linux-ppc64": { - "version": "0.19.10", - "resolved": "https://registry.npmjs.org/@esbuild/linux-ppc64/-/linux-ppc64-0.19.10.tgz", - "integrity": "sha512-tgT/7u+QhV6ge8wFMzaklOY7KqiyitgT1AUHMApau32ZlvTB/+efeCtMk4eXS+uEymYK249JsoiklZN64xt6oQ==", + "version": "0.23.0", + "resolved": "https://registry.npmjs.org/@esbuild/linux-ppc64/-/linux-ppc64-0.23.0.tgz", + "integrity": "sha512-cShCXtEOVc5GxU0fM+dsFD10qZ5UpcQ8AM22bYj0u/yaAykWnqXJDpd77ublcX6vdDsWLuweeuSNZk4yUxZwtw==", "cpu": [ "ppc64" ], 
@@ -836,13 +833,13 @@ ], "peer": true, "engines": { - "node": ">=12" + "node": ">=18" } }, "node_modules/@esbuild/linux-riscv64": { - "version": "0.19.10", - "resolved": "https://registry.npmjs.org/@esbuild/linux-riscv64/-/linux-riscv64-0.19.10.tgz", - "integrity": "sha512-0f/spw0PfBMZBNqtKe5FLzBDGo0SKZKvMl5PHYQr3+eiSscfJ96XEknCe+JoOayybWUFQbcJTrk946i3j9uYZA==", + "version": "0.23.0", + "resolved": "https://registry.npmjs.org/@esbuild/linux-riscv64/-/linux-riscv64-0.23.0.tgz", + "integrity": "sha512-HEtaN7Y5UB4tZPeQmgz/UhzoEyYftbMXrBCUjINGjh3uil+rB/QzzpMshz3cNUxqXN7Vr93zzVtpIDL99t9aRw==", "cpu": [ "riscv64" ], @@ -852,13 +849,13 @@ ], "peer": true, "engines": { - "node": ">=12" + "node": ">=18" } }, "node_modules/@esbuild/linux-s390x": { - "version": "0.19.10", - "resolved": "https://registry.npmjs.org/@esbuild/linux-s390x/-/linux-s390x-0.19.10.tgz", - "integrity": "sha512-pZFe0OeskMHzHa9U38g+z8Yx5FNCLFtUnJtQMpwhS+r4S566aK2ci3t4NCP4tjt6d5j5uo4h7tExZMjeKoehAA==", + "version": "0.23.0", + "resolved": "https://registry.npmjs.org/@esbuild/linux-s390x/-/linux-s390x-0.23.0.tgz", + "integrity": "sha512-WDi3+NVAuyjg/Wxi+o5KPqRbZY0QhI9TjrEEm+8dmpY9Xir8+HE/HNx2JoLckhKbFopW0RdO2D72w8trZOV+Wg==", "cpu": [ "s390x" ], @@ -868,13 +865,13 @@ ], "peer": true, "engines": { - "node": ">=12" + "node": ">=18" } }, "node_modules/@esbuild/linux-x64": { - "version": "0.19.10", - "resolved": "https://registry.npmjs.org/@esbuild/linux-x64/-/linux-x64-0.19.10.tgz", - "integrity": "sha512-SpYNEqg/6pZYoc+1zLCjVOYvxfZVZj6w0KROZ3Fje/QrM3nfvT2llI+wmKSrWuX6wmZeTapbarvuNNK/qepSgA==", + "version": "0.23.0", + "resolved": "https://registry.npmjs.org/@esbuild/linux-x64/-/linux-x64-0.23.0.tgz", + "integrity": "sha512-a3pMQhUEJkITgAw6e0bWA+F+vFtCciMjW/LPtoj99MhVt+Mfb6bbL9hu2wmTZgNd994qTAEw+U/r6k3qHWWaOQ==", "cpu": [ "x64" ], 
@@ -884,13 +881,13 @@ ], "peer": true, "engines": { - "node": ">=12" + "node": ">=18" } }, "node_modules/@esbuild/netbsd-x64": { - "version": "0.19.10", - "resolved": "https://registry.npmjs.org/@esbuild/netbsd-x64/-/netbsd-x64-0.19.10.tgz", - "integrity": "sha512-ACbZ0vXy9zksNArWlk2c38NdKg25+L9pr/mVaj9SUq6lHZu/35nx2xnQVRGLrC1KKQqJKRIB0q8GspiHI3J80Q==", + "version": "0.23.0", + "resolved": "https://registry.npmjs.org/@esbuild/netbsd-x64/-/netbsd-x64-0.23.0.tgz", + "integrity": "sha512-cRK+YDem7lFTs2Q5nEv/HHc4LnrfBCbH5+JHu6wm2eP+d8OZNoSMYgPZJq78vqQ9g+9+nMuIsAO7skzphRXHyw==", "cpu": [ "x64" ], @@ -900,13 +897,29 @@ ], "peer": true, "engines": { - "node": ">=12" + "node": ">=18" + } + }, + "node_modules/@esbuild/openbsd-arm64": { + "version": "0.23.0", + "resolved": "https://registry.npmjs.org/@esbuild/openbsd-arm64/-/openbsd-arm64-0.23.0.tgz", + "integrity": "sha512-suXjq53gERueVWu0OKxzWqk7NxiUWSUlrxoZK7usiF50C6ipColGR5qie2496iKGYNLhDZkPxBI3erbnYkU0rQ==", + "cpu": [ + "arm64" + ], + "optional": true, + "os": [ + "openbsd" + ], + "peer": true, + "engines": { + "node": ">=18" } }, "node_modules/@esbuild/openbsd-x64": { - "version": "0.19.10", - "resolved": "https://registry.npmjs.org/@esbuild/openbsd-x64/-/openbsd-x64-0.19.10.tgz", - "integrity": "sha512-PxcgvjdSjtgPMiPQrM3pwSaG4kGphP+bLSb+cihuP0LYdZv1epbAIecHVl5sD3npkfYBZ0ZnOjR878I7MdJDFg==", + "version": "0.23.0", + "resolved": "https://registry.npmjs.org/@esbuild/openbsd-x64/-/openbsd-x64-0.23.0.tgz", + "integrity": "sha512-6p3nHpby0DM/v15IFKMjAaayFhqnXV52aEmv1whZHX56pdkK+MEaLoQWj+H42ssFarP1PcomVhbsR4pkz09qBg==", "cpu": [ "x64" ], 
@@ -916,13 +929,13 @@ ], "peer": true, "engines": { - "node": ">=12" + "node": ">=18" } }, "node_modules/@esbuild/sunos-x64": { - "version": "0.19.10", - "resolved": "https://registry.npmjs.org/@esbuild/sunos-x64/-/sunos-x64-0.19.10.tgz", - "integrity": "sha512-ZkIOtrRL8SEJjr+VHjmW0znkPs+oJXhlJbNwfI37rvgeMtk3sxOQevXPXjmAPZPigVTncvFqLMd+uV0IBSEzqA==", + "version": "0.23.0", + "resolved": "https://registry.npmjs.org/@esbuild/sunos-x64/-/sunos-x64-0.23.0.tgz", + "integrity": "sha512-BFelBGfrBwk6LVrmFzCq1u1dZbG4zy/Kp93w2+y83Q5UGYF1d8sCzeLI9NXjKyujjBBniQa8R8PzLFAUrSM9OA==", "cpu": [ "x64" ], @@ -932,13 +945,13 @@ ], "peer": true, "engines": { - "node": ">=12" + "node": ">=18" } }, "node_modules/@esbuild/win32-arm64": { - "version": "0.19.10", - "resolved": "https://registry.npmjs.org/@esbuild/win32-arm64/-/win32-arm64-0.19.10.tgz", - "integrity": "sha512-+Sa4oTDbpBfGpl3Hn3XiUe4f8TU2JF7aX8cOfqFYMMjXp6ma6NJDztl5FDG8Ezx0OjwGikIHw+iA54YLDNNVfw==", + "version": "0.23.0", + "resolved": "https://registry.npmjs.org/@esbuild/win32-arm64/-/win32-arm64-0.23.0.tgz", + "integrity": "sha512-lY6AC8p4Cnb7xYHuIxQ6iYPe6MfO2CC43XXKo9nBXDb35krYt7KGhQnOkRGar5psxYkircpCqfbNDB4uJbS2jQ==", "cpu": [ "arm64" ], @@ -948,13 +961,13 @@ ], "peer": true, "engines": { - "node": ">=12" + "node": ">=18" } }, "node_modules/@esbuild/win32-ia32": { - "version": "0.19.10", - "resolved": "https://registry.npmjs.org/@esbuild/win32-ia32/-/win32-ia32-0.19.10.tgz", - "integrity": "sha512-EOGVLK1oWMBXgfttJdPHDTiivYSjX6jDNaATeNOaCOFEVcfMjtbx7WVQwPSE1eIfCp/CaSF2nSrDtzc4I9f8TQ==", + "version": "0.23.0", + "resolved": "https://registry.npmjs.org/@esbuild/win32-ia32/-/win32-ia32-0.23.0.tgz", + "integrity": "sha512-7L1bHlOTcO4ByvI7OXVI5pNN6HSu6pUQq9yodga8izeuB1KcT2UkHaH6118QJwopExPn0rMHIseCTx1CRo/uNA==", "cpu": [ "ia32" ], 
@@ -964,13 +977,13 @@ ], "peer": true, "engines": { - "node": ">=12" + "node": ">=18" } }, "node_modules/@esbuild/win32-x64": { - "version": "0.19.10", - "resolved": "https://registry.npmjs.org/@esbuild/win32-x64/-/win32-x64-0.19.10.tgz", - "integrity": "sha512-whqLG6Sc70AbU73fFYvuYzaE4MNMBIlR1Y/IrUeOXFrWHxBEjjbZaQ3IXIQS8wJdAzue2GwYZCjOrgrU1oUHoA==", + "version": "0.23.0", + "resolved": "https://registry.npmjs.org/@esbuild/win32-x64/-/win32-x64-0.23.0.tgz", + "integrity": "sha512-Arm+WgUFLUATuoxCJcahGuk6Yj9Pzxd6l11Zb/2aAuv5kWWvvfhLFo2fni4uSK5vzlUdCGZ/BdV5tH8klj8p8g==", "cpu": [ "x64" ], @@ -980,7 +993,7 @@ ], "peer": true, "engines": { - "node": ">=12" + "node": ">=18" } }, "node_modules/@eslint-community/eslint-utils": { 
@@ -1030,10 +1043,32 @@ "url": "https://opencollective.com/eslint" } }, + "node_modules/@eslint/eslintrc/node_modules/brace-expansion": { + "version": "1.1.11", + "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.11.tgz", + "integrity": "sha512-iCuPHDFgrHX7H2vEI/5xpz07zSHB00TpugqhmYtVmMO6518mCuRMoOYFldEBl0g187ufozdaHgWKcYFb61qGiA==", + "peer": true, + "dependencies": { + "balanced-match": "^1.0.0", + "concat-map": "0.0.1" + } + }, + "node_modules/@eslint/eslintrc/node_modules/minimatch": { + "version": "3.1.2", + "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.2.tgz", + "integrity": "sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw==", + "peer": true, + "dependencies": { + "brace-expansion": "^1.1.7" + }, + "engines": { + "node": "*" + } + }, "node_modules/@eslint/js": { - "version": "8.56.0", - "resolved": "https://registry.npmjs.org/@eslint/js/-/js-8.56.0.tgz", - "integrity": "sha512-gMsVel9D7f2HLkBma9VbtzZRehRogVRfbr++f06nL2vnCGCNlzOD+/MUov/F4p8myyAHspEhVobgjpX64q5m6A==", + "version": "8.57.0", + "resolved": "https://registry.npmjs.org/@eslint/js/-/js-8.57.0.tgz", + "integrity": "sha512-Ys+3g2TaW7gADOJzPt83SJtCDhMjndcDMFVQ/Tj9iA1BfJzFKD9mAUXT3OenpuPHbI6P/myECxRJrofUsDx/5g==", "peer": true, "engines": { "node": "^12.22.0 || ^14.17.0 || >=16.0.0" 
@@ -1059,6 +1094,28 @@ "node": ">=10.10.0" } }, + "node_modules/@humanwhocodes/config-array/node_modules/brace-expansion": { + "version": "1.1.11", + "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.11.tgz", + "integrity": "sha512-iCuPHDFgrHX7H2vEI/5xpz07zSHB00TpugqhmYtVmMO6518mCuRMoOYFldEBl0g187ufozdaHgWKcYFb61qGiA==", + "peer": true, + "dependencies": { + "balanced-match": "^1.0.0", + "concat-map": "0.0.1" + } + }, + "node_modules/@humanwhocodes/config-array/node_modules/minimatch": { + "version": "3.1.2", + "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.2.tgz", + "integrity": "sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw==", + "peer": true, + "dependencies": { + "brace-expansion": "^1.1.7" + }, + "engines": { + "node": "*" + } + }, "node_modules/@humanwhocodes/module-importer": { "version": "1.0.1", "resolved": "https://registry.npmjs.org/@humanwhocodes/module-importer/-/module-importer-1.0.1.tgz", @@ -1096,9 +1153,9 @@ } }, "node_modules/@isaacs/cliui/node_modules/ansi-regex": { - "version": "6.0.1", - "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-6.0.1.tgz", - "integrity": "sha512-n5M855fKb2SsfMIiFFoVrABHJC8QtHwVx+mHWP3QcEqBHYienj5dHSgjbxtC0WEZXYt4wcD6zrQElDPhFuZgfA==", + "version": "6.1.0", + "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-6.1.0.tgz", + "integrity": "sha512-7HSX4QQb4CspciLpVFwyRe79O3xsIZDDLER21kERQ71oaPodF8jL725AgJMFAYbooIqolJoRLuM81SpeUkpkvA==", "engines": { "node": ">=12" }, 
@@ -1606,9 +1663,9 @@ } }, "node_modules/@jridgewell/sourcemap-codec": { - "version": "1.4.15", - "resolved": "https://registry.npmjs.org/@jridgewell/sourcemap-codec/-/sourcemap-codec-1.4.15.tgz", - "integrity": "sha512-eF2rxCRulEKXHTRiDrDy6erMYWqNw4LPdQ8UQA4huuxaQsVeRPFl2oM8oDGxMFhJUWZf9McpLtJasDDZb/Bpeg==", + "version": "1.5.0", + "resolved": "https://registry.npmjs.org/@jridgewell/sourcemap-codec/-/sourcemap-codec-1.5.0.tgz", + "integrity": "sha512-gv3ZRaISU3fjPAgNsriBRqGWQL6quFx04YMPW/zD8XMLsU32mhCCbfbO6KZFLjvYpCZ8zyDEgqsgf+PwPaM7GQ==", "dev": true }, "node_modules/@jridgewell/trace-mapping": { @@ -1672,6 +1729,14 @@ "ws": "^8.13.0" } }, + "node_modules/@kubernetes/client-node/node_modules/@types/node": { + "version": "20.16.5", + "resolved": "https://registry.npmjs.org/@types/node/-/node-20.16.5.tgz", + "integrity": "sha512-VwYCweNo3ERajwy0IUlqqcyZ8/A7Zwa9ZP3MnENWcB11AejO+tLy3pu850goUW2FC/IJMdZUfKpX/yxL1gymCA==", + "dependencies": { + "undici-types": "~6.19.2" + } + }, "node_modules/@nodelib/fs.scandir": { "version": "2.1.5", "resolved": "https://registry.npmjs.org/@nodelib/fs.scandir/-/fs.scandir-2.1.5.tgz", 
@@ -1827,18 +1892,12 @@ "resolved": "https://registry.npmjs.org/@types/js-yaml/-/js-yaml-4.0.9.tgz", "integrity": "sha512-k4MGaQl5TGo/iipqb2UDG2UwjXziSWkh0uysQelTlJpX1qGlpUZYm8PnO4DxG1qBomtJUdYJ6qR6xdIah10JLg==" }, - "node_modules/@types/json-schema": { - "version": "7.0.15", - "resolved": "https://registry.npmjs.org/@types/json-schema/-/json-schema-7.0.15.tgz", - "integrity": "sha512-5+fP8P8MFNC+AyZCDxrB2pkZFPGzqQWUzpSeuuVLvm8VMcorNYavBqoFcxK8bQz4Qsbn4oUEEem4wDLfcysGHA==", - "peer": true - }, "node_modules/@types/node": { - "version": "20.14.9", - "resolved": "https://registry.npmjs.org/@types/node/-/node-20.14.9.tgz", - "integrity": "sha512-06OCtnTXtWOZBJlRApleWndH4JsRVs1pDCc8dLSQp+7PpUpX3ePdHyeNSFTeSe7FtKyQkrlPvHwJOW3SLd8Oyg==", + "version": "22.5.4", + "resolved": "https://registry.npmjs.org/@types/node/-/node-22.5.4.tgz", + "integrity": "sha512-FDuKUJQm/ju9fT/SeX/6+gBzoPzlVCzfzmGkwKvRHQVxi4BntVbyIwf6a4Xn62mrvndLiml6z/UBXIdEVjQLXg==", "dependencies": { - "undici-types": "~5.26.4" + "undici-types": "~6.19.2" } }, "node_modules/@types/node-fetch": { 
@@ -1851,19 +1910,14 @@ } }, "node_modules/@types/ramda": { - "version": "0.30.0", - "resolved": "https://registry.npmjs.org/@types/ramda/-/ramda-0.30.0.tgz", - "integrity": "sha512-DQtfqUbSB18iM9NHbQ++kVUDuBWHMr6T2FpW1XTiksYRGjq4WnNPZLt712OEHEBJs7aMyJ68Mf2kGMOP1srVVw==", + "version": "0.30.2", + "resolved": "https://registry.npmjs.org/@types/ramda/-/ramda-0.30.2.tgz", + "integrity": "sha512-PyzHvjCalm2BRYjAU6nIB3TprYwMNOUY/7P/N8bSzp9W/yM2YrtGtAnnVtaCNSeOZ8DzKyFDvaqQs7LnWwwmBA==", + "license": "MIT", "dependencies": { - "types-ramda": "^0.30.0" + "types-ramda": "^0.30.1" } }, - "node_modules/@types/semver": { - "version": "7.5.8", - "resolved": "https://registry.npmjs.org/@types/semver/-/semver-7.5.8.tgz", - "integrity": "sha512-I8EUhyrgfLrcTkzV3TSsGyl1tSuPrEDzr0yd5m90UgNxQkyDXULk3b6MlQqTCpZpNtWe1K0hzclnZkTcLBe2UQ==", - "peer": true - }, "node_modules/@types/stack-utils": { "version": "2.0.3", "resolved": "https://registry.npmjs.org/@types/stack-utils/-/stack-utils-2.0.3.tgz", 
@@ -1893,17 +1947,17 @@ "integrity": "sha512-HP38xE+GuWGlbSRq9WrZkousaQ7dragtZCruBVMi0oX1migFZavZ3OROKHSkNp/9ouq82zrWtZpg18jFnVN96g==" }, "node_modules/@types/ws": { - "version": "8.5.10", - "resolved": "https://registry.npmjs.org/@types/ws/-/ws-8.5.10.tgz", - "integrity": "sha512-vmQSUcfalpIq0R9q7uTo2lXs6eGIpt9wtnLdMv9LVpIjCA/+ufZRozlVoVelIYixx1ugCBKDhn89vnsEGOCx9A==", + "version": "8.5.12", + "resolved": "https://registry.npmjs.org/@types/ws/-/ws-8.5.12.tgz", + "integrity": "sha512-3tPRkv1EtkDpzlgyKyI8pGsGZAGPEaXeu0DOj5DI25Ja91bdAYddYHbADRYVrZMRbfW+1l5YwXVDKohDJNQxkQ==", "dependencies": { "@types/node": "*" } }, "node_modules/@types/yargs": { - "version": "17.0.32", - "resolved": "https://registry.npmjs.org/@types/yargs/-/yargs-17.0.32.tgz", - "integrity": "sha512-xQ67Yc/laOG5uMfX/093MRlGGCIBzZMarVa+gfNKJxWAIgykYpVGkBdbqEzGDDfCrVUj6Hiff4mTZ5BA6TmAog==", + "version": "17.0.33", + "resolved": "https://registry.npmjs.org/@types/yargs/-/yargs-17.0.33.tgz", + "integrity": "sha512-WpxBCKWPLr4xSsHgz511rFJAM+wS28w2zEO1QDNY5zM/S8ok70NNfztH0xwhqKyaK0OHCbN98LDAZuy1ctxDkA==", "dev": true, "dependencies": { "@types/yargs-parser": "*" 
@@ -1916,33 +1970,31 @@ "dev": true }, "node_modules/@typescript-eslint/eslint-plugin": { - "version": "6.15.0", - "resolved": "https://registry.npmjs.org/@typescript-eslint/eslint-plugin/-/eslint-plugin-6.15.0.tgz", - "integrity": "sha512-j5qoikQqPccq9QoBAupOP+CBu8BaJ8BLjaXSioDISeTZkVO3ig7oSIKh3H+rEpee7xCXtWwSB4KIL5l6hWZzpg==", + "version": "7.18.0", + "resolved": "https://registry.npmjs.org/@typescript-eslint/eslint-plugin/-/eslint-plugin-7.18.0.tgz", + "integrity": "sha512-94EQTWZ40mzBc42ATNIBimBEDltSJ9RQHCC8vc/PDbxi4k8dVwUAv4o98dk50M1zB+JGFxp43FP7f8+FP8R6Sw==", "peer": true, "dependencies": { - "@eslint-community/regexpp": "^4.5.1", - "@typescript-eslint/scope-manager": "6.15.0", - "@typescript-eslint/type-utils": "6.15.0", - "@typescript-eslint/utils": "6.15.0", - "@typescript-eslint/visitor-keys": "6.15.0", - "debug": "^4.3.4", + "@eslint-community/regexpp": "^4.10.0", + "@typescript-eslint/scope-manager": "7.18.0", + "@typescript-eslint/type-utils": "7.18.0", + "@typescript-eslint/utils": "7.18.0", + "@typescript-eslint/visitor-keys": "7.18.0", "graphemer": "^1.4.0", - "ignore": "^5.2.4", + "ignore": "^5.3.1", "natural-compare": "^1.4.0", - "semver": "^7.5.4", - "ts-api-utils": "^1.0.1" + "ts-api-utils": "^1.3.0" }, "engines": { - "node": "^16.0.0 || >=18.0.0" + "node": "^18.18.0 || >=20.0.0" }, "funding": { "type": "opencollective", "url": "https://opencollective.com/typescript-eslint" }, "peerDependencies": { - "@typescript-eslint/parser": "^6.0.0 || ^6.0.0-alpha", - "eslint": "^7.0.0 || ^8.0.0" + "@typescript-eslint/parser": "^7.0.0", + "eslint": "^8.56.0" }, "peerDependenciesMeta": { "typescript": { 
@@ -1951,26 +2003,26 @@ } }, "node_modules/@typescript-eslint/parser": { - "version": "6.15.0", - "resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-6.15.0.tgz", - "integrity": "sha512-MkgKNnsjC6QwcMdlNAel24jjkEO/0hQaMDLqP4S9zq5HBAUJNQB6y+3DwLjX7b3l2b37eNAxMPLwb3/kh8VKdA==", + "version": "7.18.0", + "resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-7.18.0.tgz", + "integrity": "sha512-4Z+L8I2OqhZV8qA132M4wNL30ypZGYOQVBfMgxDH/K5UX0PNqTu1c6za9ST5r9+tavvHiTWmBnKzpCJ/GlVFtg==", "peer": true, "dependencies": { - "@typescript-eslint/scope-manager": "6.15.0", - "@typescript-eslint/types": "6.15.0", - "@typescript-eslint/typescript-estree": "6.15.0", - "@typescript-eslint/visitor-keys": "6.15.0", + "@typescript-eslint/scope-manager": "7.18.0", + "@typescript-eslint/types": "7.18.0", + "@typescript-eslint/typescript-estree": "7.18.0", + "@typescript-eslint/visitor-keys": "7.18.0", "debug": "^4.3.4" }, "engines": { - "node": "^16.0.0 || >=18.0.0" + "node": "^18.18.0 || >=20.0.0" }, "funding": { "type": "opencollective", "url": "https://opencollective.com/typescript-eslint" }, "peerDependencies": { - "eslint": "^7.0.0 || ^8.0.0" + "eslint": "^8.56.0" }, "peerDependenciesMeta": { "typescript": { 
@@ -1979,16 +2031,16 @@ } }, "node_modules/@typescript-eslint/scope-manager": { - "version": "6.15.0", - "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-6.15.0.tgz", - "integrity": "sha512-+BdvxYBltqrmgCNu4Li+fGDIkW9n//NrruzG9X1vBzaNK+ExVXPoGB71kneaVw/Jp+4rH/vaMAGC6JfMbHstVg==", + "version": "7.18.0", + "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-7.18.0.tgz", + "integrity": "sha512-jjhdIE/FPF2B7Z1uzc6i3oWKbGcHb87Qw7AWj6jmEqNOfDFbJWtjt/XfwCpvNkpGWlcJaog5vTR+VV8+w9JflA==", "peer": true, "dependencies": { - "@typescript-eslint/types": "6.15.0", - "@typescript-eslint/visitor-keys": "6.15.0" + "@typescript-eslint/types": "7.18.0", + "@typescript-eslint/visitor-keys": "7.18.0" }, "engines": { - "node": "^16.0.0 || >=18.0.0" + "node": "^18.18.0 || >=20.0.0" }, "funding": { "type": "opencollective", 
@@ -1996,25 +2048,25 @@ } }, "node_modules/@typescript-eslint/type-utils": { - "version": "6.15.0", - "resolved": "https://registry.npmjs.org/@typescript-eslint/type-utils/-/type-utils-6.15.0.tgz", - "integrity": "sha512-CnmHKTfX6450Bo49hPg2OkIm/D/TVYV7jO1MCfPYGwf6x3GO0VU8YMO5AYMn+u3X05lRRxA4fWCz87GFQV6yVQ==", + "version": "7.18.0", + "resolved": "https://registry.npmjs.org/@typescript-eslint/type-utils/-/type-utils-7.18.0.tgz", + "integrity": "sha512-XL0FJXuCLaDuX2sYqZUUSOJ2sG5/i1AAze+axqmLnSkNEVMVYLF+cbwlB2w8D1tinFuSikHmFta+P+HOofrLeA==", "peer": true, "dependencies": { - "@typescript-eslint/typescript-estree": "6.15.0", - "@typescript-eslint/utils": "6.15.0", + "@typescript-eslint/typescript-estree": "7.18.0", + "@typescript-eslint/utils": "7.18.0", "debug": "^4.3.4", - "ts-api-utils": "^1.0.1" + "ts-api-utils": "^1.3.0" }, "engines": { - "node": "^16.0.0 || >=18.0.0" + "node": "^18.18.0 || >=20.0.0" }, "funding": { "type": "opencollective", "url": "https://opencollective.com/typescript-eslint" }, "peerDependencies": { - "eslint": "^7.0.0 || ^8.0.0" + "eslint": "^8.56.0" }, "peerDependenciesMeta": { "typescript": { @@ -2023,12 +2075,12 @@ } }, "node_modules/@typescript-eslint/types": { - "version": "6.15.0", - "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-6.15.0.tgz", - "integrity": "sha512-yXjbt//E4T/ee8Ia1b5mGlbNj9fB9lJP4jqLbZualwpP2BCQ5is6BcWwxpIsY4XKAhmdv3hrW92GdtJbatC6dQ==", + "version": "7.18.0", + "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-7.18.0.tgz", + "integrity": "sha512-iZqi+Ds1y4EDYUtlOOC+aUmxnE9xS/yCigkjA7XpTKV6nCBd3Hp/PRGGmdwnfkV2ThMyYldP1wRpm/id99spTQ==", "peer": true, "engines": { - "node": "^16.0.0 || >=18.0.0" + "node": "^18.18.0 || >=20.0.0" }, "funding": { "type": "opencollective", 
@@ -2036,21 +2088,22 @@ } }, "node_modules/@typescript-eslint/typescript-estree": { - "version": "6.15.0", - "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-6.15.0.tgz", - "integrity": "sha512-7mVZJN7Hd15OmGuWrp2T9UvqR2Ecg+1j/Bp1jXUEY2GZKV6FXlOIoqVDmLpBiEiq3katvj/2n2mR0SDwtloCew==", + "version": "7.18.0", + "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-7.18.0.tgz", + "integrity": "sha512-aP1v/BSPnnyhMHts8cf1qQ6Q1IFwwRvAQGRvBFkWlo3/lH29OXA3Pts+c10nxRxIBrDnoMqzhgdwVe5f2D6OzA==", "peer": true, "dependencies": { - "@typescript-eslint/types": "6.15.0", - "@typescript-eslint/visitor-keys": "6.15.0", + "@typescript-eslint/types": "7.18.0", + "@typescript-eslint/visitor-keys": "7.18.0", "debug": "^4.3.4", "globby": "^11.1.0", "is-glob": "^4.0.3", - "semver": "^7.5.4", - "ts-api-utils": "^1.0.1" + "minimatch": "^9.0.4", + "semver": "^7.6.0", + "ts-api-utils": "^1.3.0" }, "engines": { - "node": "^16.0.0 || >=18.0.0" + "node": "^18.18.0 || >=20.0.0" }, "funding": { "type": "opencollective", 
@@ -2063,41 +2116,38 @@ } }, "node_modules/@typescript-eslint/utils": { - "version": "6.15.0", - "resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-6.15.0.tgz", - "integrity": "sha512-eF82p0Wrrlt8fQSRL0bGXzK5nWPRV2dYQZdajcfzOD9+cQz9O7ugifrJxclB+xVOvWvagXfqS4Es7vpLP4augw==", + "version": "7.18.0", + "resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-7.18.0.tgz", + "integrity": "sha512-kK0/rNa2j74XuHVcoCZxdFBMF+aq/vH83CXAOHieC+2Gis4mF8jJXT5eAfyD3K0sAxtPuwxaIOIOvhwzVDt/kw==", "peer": true, "dependencies": { "@eslint-community/eslint-utils": "^4.4.0", - "@types/json-schema": "^7.0.12", - "@types/semver": "^7.5.0", - "@typescript-eslint/scope-manager": "6.15.0", - "@typescript-eslint/types": "6.15.0", - "@typescript-eslint/typescript-estree": "6.15.0", - "semver": "^7.5.4" + "@typescript-eslint/scope-manager": "7.18.0", + "@typescript-eslint/types": "7.18.0", + "@typescript-eslint/typescript-estree": "7.18.0" }, "engines": { - "node": "^16.0.0 || >=18.0.0" + "node": "^18.18.0 || >=20.0.0" }, "funding": { "type": "opencollective", "url": "https://opencollective.com/typescript-eslint" }, "peerDependencies": { - "eslint": "^7.0.0 || ^8.0.0" + "eslint": "^8.56.0" } }, "node_modules/@typescript-eslint/visitor-keys": { - "version": "6.15.0", - "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-6.15.0.tgz", - "integrity": "sha512-1zvtdC1a9h5Tb5jU9x3ADNXO9yjP8rXlaoChu0DQX40vf5ACVpYIVIZhIMZ6d5sDXH7vq4dsZBT1fEGj8D2n2w==", + "version": "7.18.0", + "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-7.18.0.tgz", + "integrity": "sha512-cDF0/Gf81QpY3xYyJKDV14Zwdmid5+uuENhjH2EqFaF0ni+yAyq/LzMaIJdhNJXZI7uLzwIlA+V7oWoyn6Curg==", "peer": true, "dependencies": { - "@typescript-eslint/types": "6.15.0", - "eslint-visitor-keys": "^3.4.1" + "@typescript-eslint/types": "7.18.0", + "eslint-visitor-keys": "^3.4.3" }, "engines": { - "node": "^16.0.0 || >=18.0.0" + "node": "^18.18.0 
|| >=20.0.0" }, "funding": { "type": "opencollective", @@ -2134,9 +2184,9 @@ } }, "node_modules/acorn": { - "version": "8.12.0", - "resolved": "https://registry.npmjs.org/acorn/-/acorn-8.12.0.tgz", - "integrity": "sha512-RTvkC4w+KNXrM39/lWCUaG0IbRkWdCv7W/IOW9oU6SawyxulvkQy5HQPVTKxEjczcUvapcrw3cFx/60VN/NRNw==", + "version": "8.12.1", + "resolved": "https://registry.npmjs.org/acorn/-/acorn-8.12.1.tgz", + "integrity": "sha512-tcpGyI9zbizT9JbV6oYE477V6mTlXvvi0T0G3SNIYE2apm/G5huBa1+K89VGeovbg+jycCrfhl3ADxErOuO6Jg==", "peer": true, "bin": { "acorn": "bin/acorn" @@ -2251,6 +2301,12 @@ "node": ">=8" } }, + "node_modules/async": { + "version": "3.2.6", + "resolved": "https://registry.npmjs.org/async/-/async-3.2.6.tgz", + "integrity": "sha512-htCUDlxyyCLMgaM3xXg0C0LW2xqfuQ6p05pCEIsXuyQ+a1koYKTuBMzRNwmybfLgvJDMd0r1LTn4+E0Ti6C2AA==", + "dev": true + }, "node_modules/asynckit": { "version": "0.4.0", "resolved": "https://registry.npmjs.org/asynckit/-/asynckit-0.4.0.tgz", 
@@ -2342,23 +2398,26 @@ } }, "node_modules/babel-preset-current-node-syntax": { - "version": "1.0.1", - "resolved": "https://registry.npmjs.org/babel-preset-current-node-syntax/-/babel-preset-current-node-syntax-1.0.1.tgz", - "integrity": "sha512-M7LQ0bxarkxQoN+vz5aJPsLBn77n8QgTFmo8WK0/44auK2xlCXrYcUxHFxgU7qW5Yzw/CjmLRK2uJzaCd7LvqQ==", + "version": "1.1.0", + "resolved": "https://registry.npmjs.org/babel-preset-current-node-syntax/-/babel-preset-current-node-syntax-1.1.0.tgz", + "integrity": "sha512-ldYss8SbBlWva1bs28q78Ju5Zq1F+8BrqBZZ0VFhLBvhh6lCpC2o3gDJi/5DRLs9FgYZCnmPYIVFU4lRXCkyUw==", "dev": true, "dependencies": { "@babel/plugin-syntax-async-generators": "^7.8.4", "@babel/plugin-syntax-bigint": "^7.8.3", - "@babel/plugin-syntax-class-properties": "^7.8.3", - "@babel/plugin-syntax-import-meta": "^7.8.3", + "@babel/plugin-syntax-class-properties": "^7.12.13", + "@babel/plugin-syntax-class-static-block": "^7.14.5", + "@babel/plugin-syntax-import-attributes": "^7.24.7", + "@babel/plugin-syntax-import-meta": "^7.10.4", "@babel/plugin-syntax-json-strings": "^7.8.3", - "@babel/plugin-syntax-logical-assignment-operators": "^7.8.3", + "@babel/plugin-syntax-logical-assignment-operators": "^7.10.4", "@babel/plugin-syntax-nullish-coalescing-operator": "^7.8.3", - "@babel/plugin-syntax-numeric-separator": "^7.8.3", + "@babel/plugin-syntax-numeric-separator": "^7.10.4", "@babel/plugin-syntax-object-rest-spread": "^7.8.3", "@babel/plugin-syntax-optional-catch-binding": "^7.8.3", "@babel/plugin-syntax-optional-chaining": "^7.8.3", - "@babel/plugin-syntax-top-level-await": "^7.8.3" + "@babel/plugin-syntax-private-property-in-object": "^7.14.5", + "@babel/plugin-syntax-top-level-await": "^7.14.5" }, "peerDependencies": { "@babel/core": "^7.0.0" 
@@ -2410,9 +2469,10 @@ "integrity": "sha512-VOMgTMwjAaUG580SXn3LacVgjurrbMme7ZZNYGSSV7mmtY6QQRh0Eg3pwIcntQ77DErK1L0NxkbetjcoXzVwKw==" }, "node_modules/body-parser": { - "version": "1.20.2", - "resolved": "https://registry.npmjs.org/body-parser/-/body-parser-1.20.2.tgz", - "integrity": "sha512-ml9pReCu3M61kGlqoTm2umSXTlRTuGTx0bfYj+uIUKKYycG5NtSbeetV3faSU6R7ajOPw0g/J1PvK4qNy7s5bA==", + "version": "1.20.3", + "resolved": "https://registry.npmjs.org/body-parser/-/body-parser-1.20.3.tgz", + "integrity": "sha512-7rAxByjUMqQ3/bHJy7D6OGXvx/MMc4IqBn/X0fcM1QUcAItpZrBEYhWGem+tzXH90c+G01ypMcYJBO9Y30203g==", + "license": "MIT", "dependencies": { "bytes": "3.1.2", "content-type": "~1.0.5", @@ -2422,7 +2482,7 @@ "http-errors": "2.0.0", "iconv-lite": "0.4.24", "on-finished": "2.4.1", - "qs": "6.11.0", + "qs": "6.13.0", "raw-body": "2.5.2", "type-is": "~1.6.18", "unpipe": "1.0.0" @@ -2436,6 +2496,7 @@ "version": "2.6.9", "resolved": "https://registry.npmjs.org/debug/-/debug-2.6.9.tgz", "integrity": "sha512-bC7ElrdJaJnPbAP+1EotYvqZsb3ecl5wi6Bfi6BJTUcNowp6cvspg0jXznRTKDjm/E7AdgFBVeAPVMNcKGsHMA==", + "license": "MIT", "dependencies": { "ms": "2.0.0" } 
@@ -2443,15 +2504,15 @@ "node_modules/body-parser/node_modules/ms": { "version": "2.0.0", "resolved": "https://registry.npmjs.org/ms/-/ms-2.0.0.tgz", - "integrity": "sha512-Tpp60P6IUJDTuOq/5Z8cdskzJujfwqfOTkrwIwj7IRISpnkJnT6SyJ4PCPnGMoFjC9ddhal5KVIYtAt97ix05A==" + "integrity": "sha512-Tpp60P6IUJDTuOq/5Z8cdskzJujfwqfOTkrwIwj7IRISpnkJnT6SyJ4PCPnGMoFjC9ddhal5KVIYtAt97ix05A==", + "license": "MIT" }, "node_modules/brace-expansion": { - "version": "1.1.11", - "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.11.tgz", - "integrity": "sha512-iCuPHDFgrHX7H2vEI/5xpz07zSHB00TpugqhmYtVmMO6518mCuRMoOYFldEBl0g187ufozdaHgWKcYFb61qGiA==", + "version": "2.0.1", + "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.1.tgz", + "integrity": "sha512-XnAIvQ8eM+kC6aULx6wuQiwVsnzsi9d3WxzV3FpWTGA19F621kwdbsAcFKXgKUHZWsy+mY6iL1sHTxWEFCytDA==", "dependencies": { - "balanced-match": "^1.0.0", - "concat-map": "0.0.1" + "balanced-match": "^1.0.0" } }, "node_modules/braces": { @@ -2471,9 +2532,9 @@ "integrity": "sha512-iczIdVJzGEYhP5DqQxYM9Hh7Ztpqqi+CXZpSmX8ALFs9ecXkQIeqRyM6TfxEfMVpwhl3dSuDvxdzzo9sUOIVBQ==" }, "node_modules/browserslist": { - "version": "4.23.1", - "resolved": "https://registry.npmjs.org/browserslist/-/browserslist-4.23.1.tgz", - "integrity": "sha512-TUfofFo/KsK/bWZ9TWQ5O26tsWW4Uhmt8IYklbnUa70udB6P2wA7w7o4PY4muaEPBQaAX+CEnmmIA41NVHtPVw==", + "version": "4.23.3", + "resolved": "https://registry.npmjs.org/browserslist/-/browserslist-4.23.3.tgz", + "integrity": "sha512-btwCFJVjI4YWDNfau8RhZ+B1Q/VLoUITrm3RlP6y1tYGWIOa+InuYiRGXUBXo8nA1qKmHMyLB/iVQg5TT4eFoA==", "dev": true, "funding": [ { 
@@ -2490,10 +2551,10 @@ } ], "dependencies": { - "caniuse-lite": "^1.0.30001629", - "electron-to-chromium": "^1.4.796", - "node-releases": "^2.0.14", - "update-browserslist-db": "^1.0.16" + "caniuse-lite": "^1.0.30001646", + "electron-to-chromium": "^1.5.4", + "node-releases": "^2.0.18", + "update-browserslist-db": "^1.1.0" }, "bin": { "browserslist": "cli.js" @@ -2564,6 +2625,7 @@ "version": "3.1.2", "resolved": "https://registry.npmjs.org/bytes/-/bytes-3.1.2.tgz", "integrity": "sha512-/Nf7TyzTx6S3yRJObOAV7956r8cr2+Oj8AC5dt8wSP3BQAoeX58NoHyCU8P8zGkNXStjTSi6fzO6F0pBdcYbEg==", + "license": "MIT", "engines": { "node": ">= 0.8" } @@ -2572,6 +2634,7 @@ "version": "1.0.7", "resolved": "https://registry.npmjs.org/call-bind/-/call-bind-1.0.7.tgz", "integrity": "sha512-GHTSNSYICQ7scH7sZ+M2rFopRoLh8t2bLSW6BbgrtLsahOIB5iyAVJf9GjWK3cYTDaMj4XdBpM1cA6pIS0Kv2w==", + "license": "MIT", "dependencies": { "es-define-property": "^1.0.0", "es-errors": "^1.3.0", @@ -2604,9 +2667,9 @@ } }, "node_modules/caniuse-lite": { - "version": "1.0.30001639", - "resolved": "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001639.tgz", - "integrity": "sha512-eFHflNTBIlFwP2AIKaYuBQN/apnUoKNhBdza8ZnW/h2di4LCZ4xFqYlxUxo+LQ76KFI1PGcC1QDxMbxTZpSCAg==", + "version": "1.0.30001659", + "resolved": "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001659.tgz", + "integrity": "sha512-Qxxyfv3RdHAfJcXelgf0hU4DFUVXBGTjqrBUZLUh8AtlGnsDo+CnncYtTd95+ZKfnANUOzxyIQCuU/UeBZBYoA==", "dev": true, "funding": [ { 
@@ -2671,11 +2734,42 @@ } }, "node_modules/cjs-module-lexer": { - "version": "1.3.1", - "resolved": "https://registry.npmjs.org/cjs-module-lexer/-/cjs-module-lexer-1.3.1.tgz", - "integrity": "sha512-a3KdPAANPbNE4ZUv9h6LckSl9zLsYOP4MBmhIPkRaeyybt+r4UghLvq+xw/YwUcC1gqylCkL4rdVs3Lwupjm4Q==", + "version": "1.4.1", + "resolved": "https://registry.npmjs.org/cjs-module-lexer/-/cjs-module-lexer-1.4.1.tgz", + "integrity": "sha512-cuSVIHi9/9E/+821Qjdvngor+xpnlwnuwIyZOaLmHBVdXL+gP+I6QQB9VkO7RI77YIcTV+S1W9AreJ5eN63JBA==", "dev": true }, + "node_modules/cli-cursor": { + "version": "5.0.0", + "resolved": "https://registry.npmjs.org/cli-cursor/-/cli-cursor-5.0.0.tgz", + "integrity": "sha512-aCj4O5wKyszjMmDT4tZj93kxyydN/K5zPWSCe6/0AV/AA1pqe5ZBIw0a2ZfPQV7lL5/yb5HsUreJ6UFAF1tEQw==", + "dev": true, + "dependencies": { + "restore-cursor": "^5.0.0" + }, + "engines": { + "node": ">=18" + }, + "funding": { + "url": "https://github.com/sponsors/sindresorhus" + } + }, + "node_modules/cli-truncate": { + "version": "4.0.0", + "resolved": "https://registry.npmjs.org/cli-truncate/-/cli-truncate-4.0.0.tgz", + "integrity": "sha512-nPdaFdQ0h/GEigbPClz11D0v/ZJEwxmeVZGeMo3Z5StPtUTkA9o1lD6QwoirYiSDzbcwn2XcjwmCp68W1IS4TA==", + "dev": true, + "dependencies": { + "slice-ansi": "^5.0.0", + "string-width": "^7.0.0" + }, + "engines": { + "node": ">=18" + }, + "funding": { + "url": "https://github.com/sponsors/sindresorhus" + } + }, "node_modules/cliui": { "version": "8.0.1", "resolved": "https://registry.npmjs.org/cliui/-/cliui-8.0.1.tgz", 
@@ -2689,14 +2783,56 @@ "node": ">=12" } }, - "node_modules/co": { - "version": "4.6.0", - "resolved": "https://registry.npmjs.org/co/-/co-4.6.0.tgz", - "integrity": "sha512-QVb0dM5HvG+uaxitm8wONl7jltx8dqhfU33DcqtOZcLSVIKSDDLDi7+0LbAKiyI8hD9u42m2YxXSkMGWThaecQ==", - "dev": true, + "node_modules/cliui/node_modules/emoji-regex": { + "version": "8.0.0", + "resolved": "https://registry.npmjs.org/emoji-regex/-/emoji-regex-8.0.0.tgz", + "integrity": "sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A==" + }, + "node_modules/cliui/node_modules/is-fullwidth-code-point": { + "version": "3.0.0", + "resolved": "https://registry.npmjs.org/is-fullwidth-code-point/-/is-fullwidth-code-point-3.0.0.tgz", + "integrity": "sha512-zymm5+u+sCsSWyD9qNaejV3DFvhCKclKdizYaJUuHA83RLjb7nSuGnddCHGv0hk+KY7BMAlsWeK4Ueg6EV6XQg==", "engines": { - "iojs": ">= 1.0.0", - "node": ">= 0.12.0" + "node": ">=8" + } + }, + "node_modules/cliui/node_modules/string-width": { + "version": "4.2.3", + "resolved": "https://registry.npmjs.org/string-width/-/string-width-4.2.3.tgz", + "integrity": "sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g==", + "dependencies": { + "emoji-regex": "^8.0.0", + "is-fullwidth-code-point": "^3.0.0", + "strip-ansi": "^6.0.1" + }, + "engines": { + "node": ">=8" + } + }, + "node_modules/cliui/node_modules/wrap-ansi": { + "version": "7.0.0", + "resolved": "https://registry.npmjs.org/wrap-ansi/-/wrap-ansi-7.0.0.tgz", + "integrity": "sha512-YVGIj2kamLSTxw6NsZjoBxfSwsn0ycdesmc4p+Q21c5zPuZ1pl+NfxVdxPtdHvmNVOQ6XSYG4AUtyt/Fi7D16Q==", + "dependencies": { + "ansi-styles": "^4.0.0", + "string-width": "^4.1.0", + "strip-ansi": "^6.0.0" + }, + "engines": { + "node": ">=10" + }, + "funding": { + "url": "https://github.com/chalk/wrap-ansi?sponsor=1" + } + }, + "node_modules/co": { + "version": "4.6.0", + "resolved": "https://registry.npmjs.org/co/-/co-4.6.0.tgz", + "integrity": 
"sha512-QVb0dM5HvG+uaxitm8wONl7jltx8dqhfU33DcqtOZcLSVIKSDDLDi7+0LbAKiyI8hD9u42m2YxXSkMGWThaecQ==", + "dev": true, + "engines": { + "iojs": ">= 1.0.0", + "node": ">= 0.12.0" } }, "node_modules/collect-v8-coverage": { @@ -2743,12 +2879,11 @@ } }, "node_modules/commander": { - "version": "11.1.0", - "resolved": "https://registry.npmjs.org/commander/-/commander-11.1.0.tgz", - "integrity": "sha512-yPVavfyCcRhmorC7rWlkHn15b4wDVgVmBA7kV4QVBsF7kv/9TKJAbAXVTxvTnwP8HHKjRCJDClKbciiYS7p0DQ==", - "peer": true, + "version": "12.1.0", + "resolved": "https://registry.npmjs.org/commander/-/commander-12.1.0.tgz", + "integrity": "sha512-Vw8qHK3bZM9y/P10u3Vib8o/DdkvA2OtPtZvD871QKjy74Wj1WSKFILMPRPSdUSx5RFK1arlJzEtA4PkFgnbuA==", "engines": { - "node": ">=16" + "node": ">=18" } }, "node_modules/concat-map": { @@ -2771,6 +2906,7 @@ "version": "1.0.5", "resolved": "https://registry.npmjs.org/content-type/-/content-type-1.0.5.tgz", "integrity": "sha512-nTjqfcBFEipKdXCv4YDQWCfmcLZKm81ldF0pAopTvyrFGVbcR6P/VAAd5G7N+0tTr8QqiU0tFadD6FK4NtJwOA==", + "license": "MIT", "engines": { "node": ">= 0.6" } @@ -2845,11 +2981,11 @@ } }, "node_modules/debug": { - "version": "4.3.5", - "resolved": "https://registry.npmjs.org/debug/-/debug-4.3.5.tgz", - "integrity": "sha512-pt0bNEmneDIvdL1Xsd9oDQ/wrQRkXDT4AUWlNZNPKvW5x/jyO9VFXkJUP07vQ2upmw5PlaITaPKc31jK13V+jg==", + "version": "4.3.7", + "resolved": "https://registry.npmjs.org/debug/-/debug-4.3.7.tgz", + "integrity": "sha512-Er2nc/H7RrMXZBFCEim6TCmMk02Z8vLC2Rbi1KEBggpo0fS6l0S1nnapwmIi3yW/+GOJap1Krg4w0Hg80oCqgQ==", "dependencies": { - "ms": "2.1.2" + "ms": "^2.1.3" }, "engines": { "node": ">=6.0" @@ -2893,6 +3029,7 @@ "version": "1.1.4", "resolved": "https://registry.npmjs.org/define-data-property/-/define-data-property-1.1.4.tgz", "integrity": "sha512-rBMvIzlpA8v6E+SJZoo++HAYqsLrkg7MSfIinMPFhmkorw7X+dOXVJQs+QT69zGkzMyfDnIMN2Wid1+NbL3T+A==", + "license": "MIT", "dependencies": { "es-define-property": "^1.0.0", "es-errors": "^1.3.0", 
@@ -2917,6 +3054,7 @@ "version": "2.0.0", "resolved": "https://registry.npmjs.org/depd/-/depd-2.0.0.tgz", "integrity": "sha512-g7nH6P6dyDioJogAAGprGpCtVImJhpPk/roCzdb3fIh61/s/nPsfR6onyMwkCAR/OlC3yBC0lESvUoQEAssIrw==", + "license": "MIT", "engines": { "node": ">= 0.8" } @@ -2925,6 +3063,7 @@ "version": "1.2.0", "resolved": "https://registry.npmjs.org/destroy/-/destroy-1.2.0.tgz", "integrity": "sha512-2sJGJTaXIIaR1w4iJSNoN0hnMY7Gpc/n8D4qSCJw8QqFWXf7cuAgnEHxBpweaVcPevC2l3KpjYCx3NypQQgaJg==", + "license": "MIT", "engines": { "node": ">= 0.8", "npm": "1.2.8000 || >= 1.4.16" @@ -2980,12 +3119,28 @@ "node_modules/ee-first": { "version": "1.1.1", "resolved": "https://registry.npmjs.org/ee-first/-/ee-first-1.1.1.tgz", - "integrity": "sha512-WMwm9LhRUo+WUaRN+vRuETqG89IgZphVSNkdFgeb6sS/E4OrDIN7t48CAewSHXc6C8lefD8KKfr5vY61brQlow==" + "integrity": "sha512-WMwm9LhRUo+WUaRN+vRuETqG89IgZphVSNkdFgeb6sS/E4OrDIN7t48CAewSHXc6C8lefD8KKfr5vY61brQlow==", + "license": "MIT" + }, + "node_modules/ejs": { + "version": "3.1.10", + "resolved": "https://registry.npmjs.org/ejs/-/ejs-3.1.10.tgz", + "integrity": "sha512-UeJmFfOrAQS8OJWPZ4qtgHyWExa088/MtK5UEyoJGFH67cDEXkZSviOiKRCZ4Xij0zxI3JECgYs3oKx+AizQBA==", + "dev": true, + "dependencies": { + "jake": "^10.8.5" + }, + "bin": { + "ejs": "bin/cli.js" + }, + "engines": { + "node": ">=0.10.0" + } }, "node_modules/electron-to-chromium": { - "version": "1.4.815", - "resolved": "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.4.815.tgz", - "integrity": "sha512-OvpTT2ItpOXJL7IGcYakRjHCt8L5GrrN/wHCQsRB4PQa1X9fe+X9oen245mIId7s14xvArCGSTIq644yPUKKLg==", + "version": "1.5.18", + "resolved": "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.5.18.tgz", + "integrity": "sha512-1OfuVACu+zKlmjsNdcJuVQuVE61sZOLbNM4JAQ1Rvh6EOj0/EUKhMJjRH73InPlXSh8HIJk1cVZ8pyOV/FMdUQ==", "dev": true }, "node_modules/emittery": { 
@@ -3001,14 +3156,16 @@ } }, "node_modules/emoji-regex": { - "version": "8.0.0", - "resolved": "https://registry.npmjs.org/emoji-regex/-/emoji-regex-8.0.0.tgz", - "integrity": "sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A==" + "version": "10.4.0", + "resolved": "https://registry.npmjs.org/emoji-regex/-/emoji-regex-10.4.0.tgz", + "integrity": "sha512-EC+0oUMY1Rqm4O6LLrgjtYDvcVYTy7chDnM4Q7030tP4Kwj3u/pR6gP9ygnp2CJMK5Gq+9Q2oqmrFJAz01DXjw==", + "dev": true }, "node_modules/encodeurl": { - "version": "1.0.2", - "resolved": "https://registry.npmjs.org/encodeurl/-/encodeurl-1.0.2.tgz", - "integrity": "sha512-TPJXq8JqFaVYm2CWmPvnP2Iyo4ZSM7/QKcSmuMLDObfpH5fi7RUGmd/rTDf+rut/saiDiQEeVTNgAmJEdAOx0w==", + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/encodeurl/-/encodeurl-2.0.0.tgz", + "integrity": "sha512-Q0n9HRi4m6JuGIV1eFlmvJB7ZEVxu93IrMyiMsGC0lrMJMWzRgx6WGquyfQgZVb31vhGgXnfmPNNXmxnOkRBrg==", + "license": "MIT", "engines": { "node": ">= 0.8" } @@ -3021,6 +3178,18 @@ "once": "^1.4.0" } }, + "node_modules/environment": { + "version": "1.1.0", + "resolved": "https://registry.npmjs.org/environment/-/environment-1.1.0.tgz", + "integrity": "sha512-xUtoPkMggbz0MPyPiIWr1Kp4aeWJjDZ6SMvURhimjdZgsRuDplF5/s9hcgGhyXMhs+6vpnuoiZ2kFiu3FMnS8Q==", + "dev": true, + "engines": { + "node": ">=18" + }, + "funding": { + "url": "https://github.com/sponsors/sindresorhus" + } + }, "node_modules/error-ex": { "version": "1.3.2", "resolved": "https://registry.npmjs.org/error-ex/-/error-ex-1.3.2.tgz", @@ -3034,6 +3203,7 @@ "version": "1.0.0", "resolved": "https://registry.npmjs.org/es-define-property/-/es-define-property-1.0.0.tgz", "integrity": "sha512-jxayLKShrEqqzJ0eumQbVhTYQM27CfT1T35+gCgDFoL82JLsXqTJ76zv6A0YLOgEnLUMvLzsDsGIrl8NFpT2gQ==", + "license": "MIT", "dependencies": { "get-intrinsic": "^1.2.4" }, 
@@ -3045,52 +3215,54 @@ "version": "1.3.0", "resolved": "https://registry.npmjs.org/es-errors/-/es-errors-1.3.0.tgz", "integrity": "sha512-Zf5H2Kxt2xjTvbJvP2ZWLEICxA6j+hAmMzIlypy4xcBg1vKVnx89Wy0GbS+kf5cwCVFFzdCFh2XSCFNULS6csw==", + "license": "MIT", "engines": { "node": ">= 0.4" } }, "node_modules/esbuild": { - "version": "0.19.10", - "resolved": "https://registry.npmjs.org/esbuild/-/esbuild-0.19.10.tgz", - "integrity": "sha512-S1Y27QGt/snkNYrRcswgRFqZjaTG5a5xM3EQo97uNBnH505pdzSNe/HLBq1v0RO7iK/ngdbhJB6mDAp0OK+iUA==", + "version": "0.23.0", + "resolved": "https://registry.npmjs.org/esbuild/-/esbuild-0.23.0.tgz", + "integrity": "sha512-1lvV17H2bMYda/WaFb2jLPeHU3zml2k4/yagNMG8Q/YtfMjCwEUZa2eXXMgZTVSL5q1n4H7sQ0X6CdJDqqeCFA==", "hasInstallScript": true, "peer": true, "bin": { "esbuild": "bin/esbuild" }, "engines": { - "node": ">=12" + "node": ">=18" }, "optionalDependencies": { - "@esbuild/aix-ppc64": "0.19.10", - "@esbuild/android-arm": "0.19.10", - "@esbuild/android-arm64": "0.19.10", - "@esbuild/android-x64": "0.19.10", - "@esbuild/darwin-arm64": "0.19.10", - "@esbuild/darwin-x64": "0.19.10", - "@esbuild/freebsd-arm64": "0.19.10", - "@esbuild/freebsd-x64": "0.19.10", - "@esbuild/linux-arm": "0.19.10", - "@esbuild/linux-arm64": "0.19.10", - "@esbuild/linux-ia32": "0.19.10", - "@esbuild/linux-loong64": "0.19.10", - "@esbuild/linux-mips64el": "0.19.10", - "@esbuild/linux-ppc64": "0.19.10", - "@esbuild/linux-riscv64": "0.19.10", - "@esbuild/linux-s390x": "0.19.10", - "@esbuild/linux-x64": "0.19.10", - "@esbuild/netbsd-x64": "0.19.10", - "@esbuild/openbsd-x64": "0.19.10", - "@esbuild/sunos-x64": "0.19.10", - "@esbuild/win32-arm64": "0.19.10", - "@esbuild/win32-ia32": "0.19.10", - "@esbuild/win32-x64": "0.19.10" + "@esbuild/aix-ppc64": "0.23.0", + "@esbuild/android-arm": "0.23.0", + "@esbuild/android-arm64": "0.23.0", + "@esbuild/android-x64": "0.23.0", + "@esbuild/darwin-arm64": "0.23.0", + "@esbuild/darwin-x64": "0.23.0", + "@esbuild/freebsd-arm64": "0.23.0", + 
"@esbuild/freebsd-x64": "0.23.0", + "@esbuild/linux-arm": "0.23.0", + "@esbuild/linux-arm64": "0.23.0", + "@esbuild/linux-ia32": "0.23.0", + "@esbuild/linux-loong64": "0.23.0", + "@esbuild/linux-mips64el": "0.23.0", + "@esbuild/linux-ppc64": "0.23.0", + "@esbuild/linux-riscv64": "0.23.0", + "@esbuild/linux-s390x": "0.23.0", + "@esbuild/linux-x64": "0.23.0", + "@esbuild/netbsd-x64": "0.23.0", + "@esbuild/openbsd-arm64": "0.23.0", + "@esbuild/openbsd-x64": "0.23.0", + "@esbuild/sunos-x64": "0.23.0", + "@esbuild/win32-arm64": "0.23.0", + "@esbuild/win32-ia32": "0.23.0", + "@esbuild/win32-x64": "0.23.0" } }, "node_modules/escalade": { - "version": "3.1.2", - "resolved": "https://registry.npmjs.org/escalade/-/escalade-3.1.2.tgz", - "integrity": "sha512-ErCHMCae19vR8vQGe50xIsVomy19rg6gFu3+r3jkEO46suLMWBksvVyoGgQV+jOfl84ZSOSlmv6Gxa89PmTGmA==", + "version": "3.2.0", + "resolved": "https://registry.npmjs.org/escalade/-/escalade-3.2.0.tgz", + "integrity": "sha512-WUj2qlxaQtO4g6Pq5c29GTcWGDyd8itL8zTlipgECz3JesAiiOKotd8JU6otB3PACgG6xkJUyVhboMS+bje/jA==", "engines": { "node": ">=6" } @@ -3098,7 +3270,8 @@ "node_modules/escape-html": { "version": "1.0.3", "resolved": "https://registry.npmjs.org/escape-html/-/escape-html-1.0.3.tgz", - "integrity": "sha512-NiSupZ4OeuGwr68lGIeym/ksIZMJodUGOSCZ/FSnTxcrekbvqrgdUxlJOMpijaKZVjAJrWrGs/6Jy8OMuyj9ow==" + "integrity": "sha512-NiSupZ4OeuGwr68lGIeym/ksIZMJodUGOSCZ/FSnTxcrekbvqrgdUxlJOMpijaKZVjAJrWrGs/6Jy8OMuyj9ow==", + "license": "MIT" }, "node_modules/escape-string-regexp": { "version": "4.0.0", 
@@ -3113,16 +3286,16 @@ } }, "node_modules/eslint": { - "version": "8.56.0", - "resolved": "https://registry.npmjs.org/eslint/-/eslint-8.56.0.tgz", - "integrity": "sha512-Go19xM6T9puCOWntie1/P997aXxFsOi37JIHRWI514Hc6ZnaHGKY9xFhrU65RT6CcBEzZoGG1e6Nq+DT04ZtZQ==", + "version": "8.57.0", + "resolved": "https://registry.npmjs.org/eslint/-/eslint-8.57.0.tgz", + "integrity": "sha512-dZ6+mexnaTIbSBZWgou51U6OmzIhYM2VcNdtiTtI7qPNZm35Akpr0f6vtw3w1Kmn5PYo+tZVfh13WrhpS6oLqQ==", "peer": true, "dependencies": { "@eslint-community/eslint-utils": "^4.2.0", "@eslint-community/regexpp": "^4.6.1", "@eslint/eslintrc": "^2.1.4", - "@eslint/js": "8.56.0", - "@humanwhocodes/config-array": "^0.11.13", + "@eslint/js": "8.57.0", + "@humanwhocodes/config-array": "^0.11.14", "@humanwhocodes/module-importer": "^1.0.1", "@nodelib/fs.walk": "^1.2.8", "@ungap/structured-clone": "^1.2.0", @@ -3195,6 +3368,28 @@ "url": "https://opencollective.com/eslint" } }, + "node_modules/eslint/node_modules/brace-expansion": { + "version": "1.1.11", + "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.11.tgz", + "integrity": "sha512-iCuPHDFgrHX7H2vEI/5xpz07zSHB00TpugqhmYtVmMO6518mCuRMoOYFldEBl0g187ufozdaHgWKcYFb61qGiA==", + "peer": true, + "dependencies": { + "balanced-match": "^1.0.0", + "concat-map": "0.0.1" + } + }, + "node_modules/eslint/node_modules/minimatch": { + "version": "3.1.2", + "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.2.tgz", + "integrity": "sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw==", + "peer": true, + "dependencies": { + "brace-expansion": "^1.1.7" + }, + "engines": { + "node": "*" + } + }, "node_modules/espree": { "version": "9.6.1", "resolved": "https://registry.npmjs.org/espree/-/espree-9.6.1.tgz", 
@@ -3226,9 +3421,9 @@ } }, "node_modules/esquery": { - "version": "1.5.0", - "resolved": "https://registry.npmjs.org/esquery/-/esquery-1.5.0.tgz", - "integrity": "sha512-YQLXUplAwJgCydQ78IMJywZCceoqk1oH01OERdSAJc/7U2AylwjhSCLDEtqwg811idIS/9fIU5GjG73IgjKMVg==", + "version": "1.6.0", + "resolved": "https://registry.npmjs.org/esquery/-/esquery-1.6.0.tgz", + "integrity": "sha512-ca9pw9fomFcKPvFLXhBKUK90ZvGibiGOvRJNbjljY7s7uq/5YO4BOzcYtJqExdx99rF6aAcnRxHmcUHcz6sQsg==", "peer": true, "dependencies": { "estraverse": "^5.1.0" @@ -3271,6 +3466,7 @@ "version": "1.8.1", "resolved": "https://registry.npmjs.org/etag/-/etag-1.8.1.tgz", "integrity": "sha512-aIL5Fx7mawVa300al2BnEE4iNvo1qETxLrPI/o05L7z6go7fCw1J6EQmbK4FmJ2AS7kgVF/KEZWufBfdClMcPg==", + "license": "MIT", "engines": { "node": ">= 0.6" } @@ -3283,6 +3479,12 @@ "node": ">=6" } }, + "node_modules/eventemitter3": { + "version": "5.0.1", + "resolved": "https://registry.npmjs.org/eventemitter3/-/eventemitter3-5.0.1.tgz", + "integrity": "sha512-GWkBvjiSZK87ELrYOSESUYeVIc9mvLLf/nXalMOS5dYrgZq9o5OVkbZAVM06CVxYsCwH9BDZFPlQTlPA1j4ahA==", + "dev": true + }, "node_modules/events": { "version": "3.3.0", "resolved": "https://registry.npmjs.org/events/-/events-3.3.0.tgz", 
@@ -3340,36 +3542,37 @@ } }, "node_modules/express": { - "version": "4.19.2", - "resolved": "https://registry.npmjs.org/express/-/express-4.19.2.tgz", - "integrity": "sha512-5T6nhjsT+EOMzuck8JjBHARTHfMht0POzlA60WV2pMD3gyXw2LZnZ+ueGdNxG+0calOJcWKbpFcuzLZ91YWq9Q==", + "version": "4.21.0", + "resolved": "https://registry.npmjs.org/express/-/express-4.21.0.tgz", + "integrity": "sha512-VqcNGcj/Id5ZT1LZ/cfihi3ttTn+NJmkli2eZADigjq29qTlWi/hAQ43t/VLPq8+UX06FCEx3ByOYet6ZFblng==", + "license": "MIT", "dependencies": { "accepts": "~1.3.8", "array-flatten": "1.1.1", - "body-parser": "1.20.2", + "body-parser": "1.20.3", "content-disposition": "0.5.4", "content-type": "~1.0.4", "cookie": "0.6.0", "cookie-signature": "1.0.6", "debug": "2.6.9", "depd": "2.0.0", - "encodeurl": "~1.0.2", + "encodeurl": "~2.0.0", "escape-html": "~1.0.3", "etag": "~1.8.1", - "finalhandler": "1.2.0", + "finalhandler": "1.3.1", "fresh": "0.5.2", "http-errors": "2.0.0", - "merge-descriptors": "1.0.1", + "merge-descriptors": "1.0.3", "methods": "~1.1.2", "on-finished": "2.4.1", "parseurl": "~1.3.3", - "path-to-regexp": "0.1.7", + "path-to-regexp": "0.1.10", "proxy-addr": "~2.0.7", - "qs": "6.11.0", + "qs": "6.13.0", "range-parser": "~1.2.1", "safe-buffer": "5.2.1", - "send": "0.18.0", - "serve-static": "1.15.0", + "send": "0.19.0", + "serve-static": "1.16.2", "setprototypeof": "1.2.0", "statuses": "2.0.1", "type-is": "~1.6.18", 
@@ -3491,6 +3694,27 @@ "node": "^10.12.0 || >=12.0.0" } }, + "node_modules/filelist": { + "version": "1.0.4", + "resolved": "https://registry.npmjs.org/filelist/-/filelist-1.0.4.tgz", + "integrity": "sha512-w1cEuf3S+DrLCQL7ET6kz+gmlJdbq9J7yXCSjK/OZCPA+qEN1WyF4ZAf0YYJa4/shHJra2t/d/r8SV4Ji+x+8Q==", + "dev": true, + "dependencies": { + "minimatch": "^5.0.1" + } + }, + "node_modules/filelist/node_modules/minimatch": { + "version": "5.1.6", + "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-5.1.6.tgz", + "integrity": "sha512-lKwV/1brpG6mBUFHtb7NUmtABCb2WZZmm2wNiOA5hAb8VdCS4B3dtMWyvcoViccwAW/COERjXLt0zP1zXUN26g==", + "dev": true, + "dependencies": { + "brace-expansion": "^2.0.1" + }, + "engines": { + "node": ">=10" + } + }, "node_modules/fill-range": { "version": "7.1.1", "resolved": "https://registry.npmjs.org/fill-range/-/fill-range-7.1.1.tgz", @@ -3503,12 +3727,13 @@ } }, "node_modules/finalhandler": { - "version": "1.2.0", - "resolved": "https://registry.npmjs.org/finalhandler/-/finalhandler-1.2.0.tgz", - "integrity": "sha512-5uXcUVftlQMFnWC9qu/svkWv3GTd2PfUhK/3PLkYNAe7FbqJMt3515HaxE6eRL74GdsriiwujiawdaB1BpEISg==", + "version": "1.3.1", + "resolved": "https://registry.npmjs.org/finalhandler/-/finalhandler-1.3.1.tgz", + "integrity": "sha512-6BN9trH7bp3qvnrRyzsBz+g3lZxTNZTbVO2EV1CS0WIcDbawYVdYvGflME/9QP0h0pYlCDBCTjYa9nZzMDpyxQ==", + "license": "MIT", "dependencies": { "debug": "2.6.9", - "encodeurl": "~1.0.2", + "encodeurl": "~2.0.0", "escape-html": "~1.0.3", "on-finished": "2.4.1", "parseurl": "~1.3.3", @@ -3523,6 +3748,7 @@ "version": "2.6.9", "resolved": "https://registry.npmjs.org/debug/-/debug-2.6.9.tgz", "integrity": "sha512-bC7ElrdJaJnPbAP+1EotYvqZsb3ecl5wi6Bfi6BJTUcNowp6cvspg0jXznRTKDjm/E7AdgFBVeAPVMNcKGsHMA==", + "license": "MIT", "dependencies": { "ms": "2.0.0" } 
@@ -3530,7 +3756,8 @@ "node_modules/finalhandler/node_modules/ms": { "version": "2.0.0", "resolved": "https://registry.npmjs.org/ms/-/ms-2.0.0.tgz", - "integrity": "sha512-Tpp60P6IUJDTuOq/5Z8cdskzJujfwqfOTkrwIwj7IRISpnkJnT6SyJ4PCPnGMoFjC9ddhal5KVIYtAt97ix05A==" + "integrity": "sha512-Tpp60P6IUJDTuOq/5Z8cdskzJujfwqfOTkrwIwj7IRISpnkJnT6SyJ4PCPnGMoFjC9ddhal5KVIYtAt97ix05A==", + "license": "MIT" }, "node_modules/find-up": { "version": "5.0.0", @@ -3568,10 +3795,15 @@ "integrity": "sha512-X8cqMLLie7KsNUDSdzeN8FYK9rEt4Dt67OsG/DNGnYTSDBG4uFAJFBnUeiV+zCVAvwFy56IjM9sH51jVaEhNxw==", "peer": true }, + "node_modules/foreach": { + "version": "2.0.6", + "resolved": "https://registry.npmjs.org/foreach/-/foreach-2.0.6.tgz", + "integrity": "sha512-k6GAGDyqLe9JaebCsFCoudPPWfihKu8pylYXRlqP1J7ms39iPoTtk2fviNglIeQEwdh0bQeKJ01ZPyuyQvKzwg==" + }, "node_modules/foreground-child": { - "version": "3.2.1", - "resolved": "https://registry.npmjs.org/foreground-child/-/foreground-child-3.2.1.tgz", - "integrity": "sha512-PXUUyLqrR2XCWICfv6ukppP96sdFwWbNEnfEMt7jNsISjMsvaLNinAHNDYyvkyU+SZG2BTSbT5NjG+vZslfGTA==", + "version": "3.3.0", + "resolved": "https://registry.npmjs.org/foreground-child/-/foreground-child-3.3.0.tgz", + "integrity": "sha512-Ld2g8rrAyMYFXBhEqMz8ZAHBi4J4uS1i/CxGMDnjyFWddMXLVcDp051DZfu+t7+ab7Wv6SMqpWmyFIj5UbfFvg==", "dependencies": { "cross-spawn": "^7.0.0", "signal-exit": "^4.0.1" @@ -3619,6 +3851,7 @@ "version": "0.5.2", "resolved": "https://registry.npmjs.org/fresh/-/fresh-0.5.2.tgz", "integrity": "sha512-zJ2mQYM18rEFOudeV4GShTGIQ7RbzA7ozbU9I/XBpm7kqgMywgmylMwXHxZJmkVoYkna9d2pVXVXPdYTP9ej8Q==", + "license": "MIT", "engines": { "node": ">= 0.6" } 
@@ -3667,10 +3900,23 @@ "node": "6.* || 8.* || >= 10.*" } }, + "node_modules/get-east-asian-width": { + "version": "1.2.0", + "resolved": "https://registry.npmjs.org/get-east-asian-width/-/get-east-asian-width-1.2.0.tgz", + "integrity": "sha512-2nk+7SIVb14QrgXFHcm84tD4bKQz0RxPuMT8Ag5KPOq7J5fEmAg0UbXdTOSHqNuHSU28k55qnceesxXRZGzKWA==", + "dev": true, + "engines": { + "node": ">=18" + }, + "funding": { + "url": "https://github.com/sponsors/sindresorhus" + } + }, "node_modules/get-intrinsic": { "version": "1.2.4", "resolved": "https://registry.npmjs.org/get-intrinsic/-/get-intrinsic-1.2.4.tgz", "integrity": "sha512-5uYhsJH8VJBTv7oslg4BznJYhDoRI6waYCxMmCdnTrcCrHA/fCFKoTFz2JKKE0HdDFUF7/oQuhzumXJK7paBRQ==", + "license": "MIT", "dependencies": { "es-errors": "^1.3.0", "function-bind": "^1.1.2", @@ -3738,6 +3984,26 @@ "node": ">=10.13.0" } }, + "node_modules/glob/node_modules/brace-expansion": { + "version": "1.1.11", + "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.11.tgz", + "integrity": "sha512-iCuPHDFgrHX7H2vEI/5xpz07zSHB00TpugqhmYtVmMO6518mCuRMoOYFldEBl0g187ufozdaHgWKcYFb61qGiA==", + "dependencies": { + "balanced-match": "^1.0.0", + "concat-map": "0.0.1" + } + }, + "node_modules/glob/node_modules/minimatch": { + "version": "3.1.2", + "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.2.tgz", + "integrity": "sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw==", + "dependencies": { + "brace-expansion": "^1.1.7" + }, + "engines": { + "node": "*" + } + }, "node_modules/globals": { "version": "13.24.0", "resolved": "https://registry.npmjs.org/globals/-/globals-13.24.0.tgz", @@ -3777,6 +4043,7 @@ "version": "1.0.1", "resolved": "https://registry.npmjs.org/gopd/-/gopd-1.0.1.tgz", "integrity": "sha512-d65bNlIadxvpb/A2abVdlqKqV563juRnZ1Wtk6s1sIR8uNsXR70xqIzVqxVf1eTqDunwT2MkczEeaezCKTZhwA==", + "license": "MIT", "dependencies": { "get-intrinsic": "^1.1.3" }, 
@@ -3808,6 +4075,7 @@ "version": "1.0.2", "resolved": "https://registry.npmjs.org/has-property-descriptors/-/has-property-descriptors-1.0.2.tgz", "integrity": "sha512-55JNKuIW+vq4Ke1BjOTjM2YctQIvCT7GFzHwmfZPGo5wnrgkid0YQtnAleFSqumZm4az3n2BS+erby5ipJdgrg==", + "license": "MIT", "dependencies": { "es-define-property": "^1.0.0" }, @@ -3819,6 +4087,7 @@ "version": "1.0.3", "resolved": "https://registry.npmjs.org/has-proto/-/has-proto-1.0.3.tgz", "integrity": "sha512-SJ1amZAJUiZS+PhsVLf5tGydlaVB8EdFpaSO4gmiUKUOxk8qzn5AIy4ZeJUmh22znIdk/uMAUT2pl3FxzVUH+Q==", + "license": "MIT", "engines": { "node": ">= 0.4" }, @@ -3830,6 +4099,7 @@ "version": "1.0.3", "resolved": "https://registry.npmjs.org/has-symbols/-/has-symbols-1.0.3.tgz", "integrity": "sha512-l3LCuF6MgDNwTDKkdYGEihYjt5pRPbEg46rtlmnSPlUbgmB8LOIrKJbYYFBSbnPaJexMKtiPO8hmeRjRz2Td+A==", + "license": "MIT", "engines": { "node": ">= 0.4" }, @@ -3863,6 +4133,7 @@ "version": "2.0.0", "resolved": "https://registry.npmjs.org/http-errors/-/http-errors-2.0.0.tgz", "integrity": "sha512-FtwrG/euBzaEjYeRqOgly7G0qviiXoJWnvEH2Z1plBdXgbyjv34pHTSb9zoeHMyDy33+DWy5Wt9Wo+TURtOYSQ==", + "license": "MIT", "dependencies": { "depd": "2.0.0", "inherits": "2.0.4", @@ -3888,10 +4159,27 @@ "node": ">=10.17.0" } }, + "node_modules/husky": { + "version": "9.1.6", + "resolved": "https://registry.npmjs.org/husky/-/husky-9.1.6.tgz", + "integrity": "sha512-sqbjZKK7kf44hfdE94EoX8MZNk0n7HeW37O4YrVGCF4wzgQjp+akPAkfUK5LZ6KuR/6sqeAVuXHji+RzQgOn5A==", + "dev": true, + "license": "MIT", + "bin": { + "husky": "bin.js" + }, + "engines": { + "node": ">=18" + }, + "funding": { + "url": "https://github.com/sponsors/typicode" + } + }, "node_modules/iconv-lite": { "version": "0.4.24", "resolved": "https://registry.npmjs.org/iconv-lite/-/iconv-lite-0.4.24.tgz", "integrity": "sha512-v3MXnZAcvnywkTUEZomIActle7RXXeedOR31wwl7VlyoXO4Qi9arvSenNQWne1TcRwhCL1HwLI21bEqdpj8/rA==", + "license": "MIT", "dependencies": { "safer-buffer": ">= 2.1.2 < 3" }, 
@@ -3919,9 +4207,9 @@ ] }, "node_modules/ignore": { - "version": "5.3.1", - "resolved": "https://registry.npmjs.org/ignore/-/ignore-5.3.1.tgz", - "integrity": "sha512-5Fytz/IraMjqpwfd34ke28PTVMjZjJG2MPn5t7OE4eUCUNf8BAa7b5WUS9/Qvr6mwOQS7Mk6vdsMno5he+T8Xw==", + "version": "5.3.2", + "resolved": "https://registry.npmjs.org/ignore/-/ignore-5.3.2.tgz", + "integrity": "sha512-hsBTNUqQTDwkWtcdYI2i06Y/nUBEsNEDJKjWdigLvegy8kDuJAS8uRlpkkcQpyEXL0Z/pjDy5HBmMjRCJ2gq+g==", "peer": true, "engines": { "node": ">= 4" @@ -3944,9 +4232,9 @@ } }, "node_modules/import-local": { - "version": "3.1.0", - "resolved": "https://registry.npmjs.org/import-local/-/import-local-3.1.0.tgz", - "integrity": "sha512-ASB07uLtnDs1o6EHjKpX34BKYDSqnFerfTOJL2HvMqF70LnxpjkzDB8J44oT9pu4AMPkQwf8jl6szgvNd2tRIg==", + "version": "3.2.0", + "resolved": "https://registry.npmjs.org/import-local/-/import-local-3.2.0.tgz", + "integrity": "sha512-2SPlun1JUPWoM6t3F0dw0FkCF/jWY8kttcY4f599GLTSjh2OCuuhdTkJQsEcZzBqbXZGKMK2OqW1oZsjtf/gQA==", "dev": true, "dependencies": { "pkg-dir": "^4.2.0", @@ -4000,9 +4288,9 @@ "dev": true }, "node_modules/is-core-module": { - "version": "2.14.0", - "resolved": "https://registry.npmjs.org/is-core-module/-/is-core-module-2.14.0.tgz", - "integrity": "sha512-a5dFJih5ZLYlRtDc0dZWP7RiKr6xIKzmn/oAYCDvdLThadVgyJwlaoQPmRtMSpz+rk0OGAgIu+TcM9HUF0fk1A==", + "version": "2.15.1", + "resolved": "https://registry.npmjs.org/is-core-module/-/is-core-module-2.15.1.tgz", + "integrity": "sha512-z0vtXSwucUJtANQWldhbtbt7BnL0vxiFjIdDLAatwhDYty2bad6s+rijD6Ri4YuYJubLzIJLUidCh09e1djEVQ==", "dev": true, "dependencies": { "hasown": "^2.0.2" 
@@ -4024,11 +4312,15 @@ } }, "node_modules/is-fullwidth-code-point": { - "version": "3.0.0", - "resolved": "https://registry.npmjs.org/is-fullwidth-code-point/-/is-fullwidth-code-point-3.0.0.tgz", - "integrity": "sha512-zymm5+u+sCsSWyD9qNaejV3DFvhCKclKdizYaJUuHA83RLjb7nSuGnddCHGv0hk+KY7BMAlsWeK4Ueg6EV6XQg==", + "version": "4.0.0", + "resolved": "https://registry.npmjs.org/is-fullwidth-code-point/-/is-fullwidth-code-point-4.0.0.tgz", + "integrity": "sha512-O4L094N2/dZ7xqVdrXhh9r1KODPJpFms8B5sGdJLPy664AgvXsreZUyCQQNItZRDlYug4xStLjNp/sz3HvBowQ==", + "dev": true, "engines": { - "node": ">=8" + "node": ">=12" + }, + "funding": { + "url": "https://github.com/sponsors/sindresorhus" } }, "node_modules/is-generator-fn": { @@ -4166,15 +4458,12 @@ } }, "node_modules/jackspeak": { - "version": "3.4.0", - "resolved": "https://registry.npmjs.org/jackspeak/-/jackspeak-3.4.0.tgz", - "integrity": "sha512-JVYhQnN59LVPFCEcVa2C3CrEKYacvjRfqIQl+h8oi91aLYQVWRYbxjPcv1bUiUy/kLmQaANrYfNMCO3kuEDHfw==", + "version": "3.4.3", + "resolved": "https://registry.npmjs.org/jackspeak/-/jackspeak-3.4.3.tgz", + "integrity": "sha512-OGlZQpz2yfahA/Rd1Y8Cd9SIEsqvXkLVoSw/cgwhnhFMDbsQFeZYoJJ7bIZBS9BcamUW96asq/npPWugM+RQBw==", "dependencies": { "@isaacs/cliui": "^8.0.2" }, - "engines": { - "node": ">=14" - }, "funding": { "url": "https://github.com/sponsors/isaacs" }, 
@@ -4182,6 +4471,46 @@ "@pkgjs/parseargs": "^0.11.0" } }, + "node_modules/jake": { + "version": "10.9.2", + "resolved": "https://registry.npmjs.org/jake/-/jake-10.9.2.tgz", + "integrity": "sha512-2P4SQ0HrLQ+fw6llpLnOaGAvN2Zu6778SJMrCUwns4fOoG9ayrTiZk3VV8sCPkVZF8ab0zksVpS8FDY5pRCNBA==", + "dev": true, + "dependencies": { + "async": "^3.2.3", + "chalk": "^4.0.2", + "filelist": "^1.0.4", + "minimatch": "^3.1.2" + }, + "bin": { + "jake": "bin/cli.js" + }, + "engines": { + "node": ">=10" + } + }, + "node_modules/jake/node_modules/brace-expansion": { + "version": "1.1.11", + "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.11.tgz", + "integrity": "sha512-iCuPHDFgrHX7H2vEI/5xpz07zSHB00TpugqhmYtVmMO6518mCuRMoOYFldEBl0g187ufozdaHgWKcYFb61qGiA==", + "dev": true, + "dependencies": { + "balanced-match": "^1.0.0", + "concat-map": "0.0.1" + } + }, + "node_modules/jake/node_modules/minimatch": { + "version": "3.1.2", + "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.2.tgz", + "integrity": "sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw==", + "dev": true, + "dependencies": { + "brace-expansion": "^1.1.7" + }, + "engines": { + "node": "*" + } + }, "node_modules/jest": { "version": "29.7.0", "resolved": "https://registry.npmjs.org/jest/-/jest-29.7.0.tgz", @@ -4738,9 +5067,9 @@ } }, "node_modules/jose": { - "version": "4.15.7", - "resolved": "https://registry.npmjs.org/jose/-/jose-4.15.7.tgz", - "integrity": "sha512-L7ioP+JAuZe8v+T5+zVI9Tx8LtU8BL7NxkyDFVMv+Qr3JW0jSoYDedLtodaXwfqMpeCyx4WXFNyu9tJt4WvC1A==", + "version": "4.15.9", + "resolved": "https://registry.npmjs.org/jose/-/jose-4.15.9.tgz", + "integrity": "sha512-1vUQX+IdDMVPj4k8kOxgUqlcK518yluMuGZwqlr44FS1ppZB/5GWh4rZG89erpOBOJjU/OBsnCVFfapsRz6nEA==", "funding": { "url": "https://github.com/sponsors/panva" } 
@@ -4776,9 +5105,9 @@ } }, "node_modules/jsep": { - "version": "1.3.8", - "resolved": "https://registry.npmjs.org/jsep/-/jsep-1.3.8.tgz", - "integrity": "sha512-qofGylTGgYj9gZFsHuyWAN4jr35eJ66qJCK4eKDnldohuUoQFbU3iZn2zjvEbd9wOAhP9Wx5DsAAduTyE1PSWQ==", + "version": "1.3.9", + "resolved": "https://registry.npmjs.org/jsep/-/jsep-1.3.9.tgz", + "integrity": "sha512-i1rBX5N7VPl0eYb6+mHNp52sEuaS2Wi8CDYx1X5sn9naevL78+265XJqy1qENEk7mRKwS06NHpUqiBwR7qeodw==", "engines": { "node": ">= 10.16.0" } @@ -4807,6 +5136,14 @@ "integrity": "sha512-xyFwyhro/JEof6Ghe2iz2NcXoj2sloNsWr/XsERDK/oiPCfaNhl5ONfp+jQdAZRQQ0IJWNzH9zIZF7li91kh2w==", "dev": true }, + "node_modules/json-pointer": { + "version": "0.6.2", + "resolved": "https://registry.npmjs.org/json-pointer/-/json-pointer-0.6.2.tgz", + "integrity": "sha512-vLWcKbOaXlO+jvRy4qNd+TI1QUPZzfJj1tpJ3vAXDych5XJf93ftpUKe5pKCrzyIIwgBJcOcCVRUfqQP25afBw==", + "dependencies": { + "foreach": "^2.0.4" + } + }, "node_modules/json-schema-traverse": { "version": "0.4.1", "resolved": "https://registry.npmjs.org/json-schema-traverse/-/json-schema-traverse-0.4.1.tgz", @@ -4866,9 +5203,10 @@ } }, "node_modules/kubernetes-fluent-client": { - "version": "2.6.3", - "resolved": "https://registry.npmjs.org/kubernetes-fluent-client/-/kubernetes-fluent-client-2.6.3.tgz", - "integrity": "sha512-JgOp2/Y1rNNPAYKek7wq4qL1DcF/3Bf2a39NRUL2QPhnONcrU1f/on1OPMAzz7vZ4zfH2rluMPE/nmxo5l7QAA==", + "version": "3.0.3", + "resolved": "https://registry.npmjs.org/kubernetes-fluent-client/-/kubernetes-fluent-client-3.0.3.tgz", + "integrity": "sha512-Cp2VdZYQY2bX4Sio5Tk4g20Vh7m2+OIUQrrIIYFYIcxqzTDBcK4yqVx8Au0SanwjgJ3DG2ysGMhyBUWJOezBmw==", + "license": "Apache-2.0", "dependencies": { "@kubernetes/client-node": "1.0.0-rc6", "byline": "5.0.0", @@ -4876,7 +5214,7 @@ "http-status-codes": "2.3.0", "node-fetch": "2.7.0", "quicktype-core": "23.0.170", - "type-fest": "4.20.1", + "type-fest": "4.26.1", "yargs": "17.7.2" }, "bin": { 
@@ -4887,9 +5225,10 @@ } }, "node_modules/kubernetes-fluent-client/node_modules/type-fest": { - "version": "4.20.1", - "resolved": "https://registry.npmjs.org/type-fest/-/type-fest-4.20.1.tgz", - "integrity": "sha512-R6wDsVsoS9xYOpy8vgeBlqpdOyzJ12HNfQhC/aAKWM3YoCV9TtunJzh/QpkMgeDhkoynDcw5f1y+qF9yc/HHyg==", + "version": "4.26.1", + "resolved": "https://registry.npmjs.org/type-fest/-/type-fest-4.26.1.tgz", + "integrity": "sha512-yOGpmOAL7CkKe/91I5O3gPICmJNLJ1G4zFYVAsRHg7M64biSnPtRj0WNQt++bRkjYOqjWXrhnUw1utzmVErAdg==", + "license": "(MIT OR CC0-1.0)", "engines": { "node": ">=16" }, 
@@ -4919,55 +5258,361 @@ "node": ">= 0.8.0" } }, + "node_modules/lilconfig": { + "version": "3.1.2", + "resolved": "https://registry.npmjs.org/lilconfig/-/lilconfig-3.1.2.tgz", + "integrity": "sha512-eop+wDAvpItUys0FWkHIKeC9ybYrTGbU41U5K7+bttZZeohvnY7M9dZ5kB21GNWiFT2q1OoPTvncPCgSOVO5ow==", + "dev": true, + "engines": { + "node": ">=14" + }, + "funding": { + "url": "https://github.com/sponsors/antonk52" + } + }, "node_modules/lines-and-columns": { "version": "1.2.4", "resolved": "https://registry.npmjs.org/lines-and-columns/-/lines-and-columns-1.2.4.tgz", "integrity": "sha512-7ylylesZQ/PV29jhEDl3Ufjo6ZX7gCqJr5F7PKrqc93v7fzSymt1BpwEU8nAUXs8qzzvqhbjhK5QZg6Mt/HkBg==", "dev": true }, - "node_modules/locate-path": { - "version": "6.0.0", - "resolved": "https://registry.npmjs.org/locate-path/-/locate-path-6.0.0.tgz", - "integrity": "sha512-iPZK6eYjbxRu3uB4/WZ3EsEIMJFMqAoopl3R+zuq0UjcAm/MO6KCweDgPfP3elTztoKP3KtnVHxTn2NHBSDVUw==", - "peer": true, + "node_modules/lint-staged": { + "version": "15.2.10", + "resolved": "https://registry.npmjs.org/lint-staged/-/lint-staged-15.2.10.tgz", + "integrity": "sha512-5dY5t743e1byO19P9I4b3x8HJwalIznL5E1FWYnU6OWw33KxNBSLAc6Cy7F2PsFEO8FKnLwjwm5hx7aMF0jzZg==", + "dev": true, "dependencies": { - "p-locate": "^5.0.0" + "chalk": "~5.3.0", + "commander": "~12.1.0", + "debug": "~4.3.6", + "execa": "~8.0.1", + "lilconfig": "~3.1.2", + "listr2": "~8.2.4", + "micromatch": "~4.0.8", + "pidtree": "~0.6.0", + "string-argv": "~0.3.2", + "yaml": "~2.5.0" + }, + "bin": { + "lint-staged": "bin/lint-staged.js" }, "engines": { - "node": ">=10" + "node": ">=18.12.0" }, "funding": { - "url": "https://github.com/sponsors/sindresorhus" + "url": "https://opencollective.com/lint-staged" } }, - "node_modules/lodash": { - "version": "4.17.21", - "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz", - "integrity": "sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg==" - }, - "node_modules/lodash.memoize": { 
- "version": "4.1.2", - "resolved": "https://registry.npmjs.org/lodash.memoize/-/lodash.memoize-4.1.2.tgz", - "integrity": "sha512-t7j+NzmgnQzTAYXcsHYLgimltOV1MXHtlOWf6GjL9Kj8GK5FInw5JotxvbOs+IvV1/Dzo04/fCGfLVs7aXb4Ag==", - "dev": true - }, - "node_modules/lodash.merge": { - "version": "4.6.2", - "resolved": "https://registry.npmjs.org/lodash.merge/-/lodash.merge-4.6.2.tgz", - "integrity": "sha512-0KpjqXRVvrYyCsX1swR/XTK0va6VQkQM6MNo7PqW77ByjAhoARA8EfrP1N4+KlKj8YS0ZUCtRT/YUuhyYDujIQ==", - "peer": true - }, - "node_modules/lru-cache": { - "version": "5.1.1", - "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-5.1.1.tgz", - "integrity": "sha512-KpNARQA3Iwv+jTA0utUVVbrh+Jlrr1Fv0e56GGzAFOXN7dk/FviaDW8LHmK52DlcH4WP2n6gI8vN1aesBFgo9w==", + "node_modules/lint-staged/node_modules/chalk": { + "version": "5.3.0", + "resolved": "https://registry.npmjs.org/chalk/-/chalk-5.3.0.tgz", + "integrity": "sha512-dLitG79d+GV1Nb/VYcCDFivJeK1hiukt9QjRNVOsUtTy1rR1YJsmpGGTZ3qJos+uw7WmWF4wUwBd9jxjocFC2w==", "dev": true, - "dependencies": { - "yallist": "^3.0.2" + "engines": { + "node": "^12.17.0 || ^14.13 || >=16.0.0" + }, + "funding": { + "url": "https://github.com/chalk/chalk?sponsor=1" } }, - "node_modules/make-dir": { - "version": "4.0.0", + "node_modules/lint-staged/node_modules/execa": { + "version": "8.0.1", + "resolved": "https://registry.npmjs.org/execa/-/execa-8.0.1.tgz", + "integrity": "sha512-VyhnebXciFV2DESc+p6B+y0LjSm0krU4OgJN44qFAhBY0TJ+1V61tYD2+wHusZ6F9n5K+vl8k0sTy7PEfV4qpg==", + "dev": true, + "dependencies": { + "cross-spawn": "^7.0.3", + "get-stream": "^8.0.1", + "human-signals": "^5.0.0", + "is-stream": "^3.0.0", + "merge-stream": "^2.0.0", + "npm-run-path": "^5.1.0", + "onetime": "^6.0.0", + "signal-exit": "^4.1.0", + "strip-final-newline": "^3.0.0" + }, + "engines": { + "node": ">=16.17" + }, + "funding": { + "url": "https://github.com/sindresorhus/execa?sponsor=1" + } + }, + "node_modules/lint-staged/node_modules/get-stream": { + "version": "8.0.1", + 
"resolved": "https://registry.npmjs.org/get-stream/-/get-stream-8.0.1.tgz", + "integrity": "sha512-VaUJspBffn/LMCJVoMvSAdmscJyS1auj5Zulnn5UoYcY531UWmdwhRWkcGKnGU93m5HSXP9LP2usOryrBtQowA==", + "dev": true, + "engines": { + "node": ">=16" + }, + "funding": { + "url": "https://github.com/sponsors/sindresorhus" + } + }, + "node_modules/lint-staged/node_modules/human-signals": { + "version": "5.0.0", + "resolved": "https://registry.npmjs.org/human-signals/-/human-signals-5.0.0.tgz", + "integrity": "sha512-AXcZb6vzzrFAUE61HnN4mpLqd/cSIwNQjtNWR0euPm6y0iqx3G4gOXaIDdtdDwZmhwe82LA6+zinmW4UBWVePQ==", + "dev": true, + "engines": { + "node": ">=16.17.0" + } + }, + "node_modules/lint-staged/node_modules/is-stream": { + "version": "3.0.0", + "resolved": "https://registry.npmjs.org/is-stream/-/is-stream-3.0.0.tgz", + "integrity": "sha512-LnQR4bZ9IADDRSkvpqMGvt/tEJWclzklNgSw48V5EAaAeDd6qGvN8ei6k5p0tvxSR171VmGyHuTiAOfxAbr8kA==", + "dev": true, + "engines": { + "node": "^12.20.0 || ^14.13.1 || >=16.0.0" + }, + "funding": { + "url": "https://github.com/sponsors/sindresorhus" + } + }, + "node_modules/lint-staged/node_modules/mimic-fn": { + "version": "4.0.0", + "resolved": "https://registry.npmjs.org/mimic-fn/-/mimic-fn-4.0.0.tgz", + "integrity": "sha512-vqiC06CuhBTUdZH+RYl8sFrL096vA45Ok5ISO6sE/Mr1jRbGH4Csnhi8f3wKVl7x8mO4Au7Ir9D3Oyv1VYMFJw==", + "dev": true, + "engines": { + "node": ">=12" + }, + "funding": { + "url": "https://github.com/sponsors/sindresorhus" + } + }, + "node_modules/lint-staged/node_modules/npm-run-path": { + "version": "5.3.0", + "resolved": "https://registry.npmjs.org/npm-run-path/-/npm-run-path-5.3.0.tgz", + "integrity": "sha512-ppwTtiJZq0O/ai0z7yfudtBpWIoxM8yE6nHi1X47eFR2EWORqfbu6CnPlNsjeN683eT0qG6H/Pyf9fCcvjnnnQ==", + "dev": true, + "dependencies": { + "path-key": "^4.0.0" + }, + "engines": { + "node": "^12.20.0 || ^14.13.1 || >=16.0.0" + }, + "funding": { + "url": "https://github.com/sponsors/sindresorhus" + } + }, + 
"node_modules/lint-staged/node_modules/onetime": { + "version": "6.0.0", + "resolved": "https://registry.npmjs.org/onetime/-/onetime-6.0.0.tgz", + "integrity": "sha512-1FlR+gjXK7X+AsAHso35MnyN5KqGwJRi/31ft6x0M194ht7S+rWAvd7PHss9xSKMzE0asv1pyIHaJYq+BbacAQ==", + "dev": true, + "dependencies": { + "mimic-fn": "^4.0.0" + }, + "engines": { + "node": ">=12" + }, + "funding": { + "url": "https://github.com/sponsors/sindresorhus" + } + }, + "node_modules/lint-staged/node_modules/path-key": { + "version": "4.0.0", + "resolved": "https://registry.npmjs.org/path-key/-/path-key-4.0.0.tgz", + "integrity": "sha512-haREypq7xkM7ErfgIyA0z+Bj4AGKlMSdlQE2jvJo6huWD1EdkKYV+G/T4nq0YEF2vgTT8kqMFKo1uHn950r4SQ==", + "dev": true, + "engines": { + "node": ">=12" + }, + "funding": { + "url": "https://github.com/sponsors/sindresorhus" + } + }, + "node_modules/lint-staged/node_modules/signal-exit": { + "version": "4.1.0", + "resolved": "https://registry.npmjs.org/signal-exit/-/signal-exit-4.1.0.tgz", + "integrity": "sha512-bzyZ1e88w9O1iNJbKnOlvYTrWPDl46O1bG0D3XInv+9tkPrxrN8jUUTiFlDkkmKWgn1M6CfIA13SuGqOa9Korw==", + "dev": true, + "engines": { + "node": ">=14" + }, + "funding": { + "url": "https://github.com/sponsors/isaacs" + } + }, + "node_modules/lint-staged/node_modules/strip-final-newline": { + "version": "3.0.0", + "resolved": "https://registry.npmjs.org/strip-final-newline/-/strip-final-newline-3.0.0.tgz", + "integrity": "sha512-dOESqjYr96iWYylGObzd39EuNTa5VJxyvVAEm5Jnh7KGo75V43Hk1odPQkNDyXNmUR6k+gEiDVXnjB8HJ3crXw==", + "dev": true, + "engines": { + "node": ">=12" + }, + "funding": { + "url": "https://github.com/sponsors/sindresorhus" + } + }, + "node_modules/listr2": { + "version": "8.2.4", + "resolved": "https://registry.npmjs.org/listr2/-/listr2-8.2.4.tgz", + "integrity": "sha512-opevsywziHd3zHCVQGAj8zu+Z3yHNkkoYhWIGnq54RrCVwLz0MozotJEDnKsIBLvkfLGN6BLOyAeRrYI0pKA4g==", + "dev": true, + "dependencies": { + "cli-truncate": "^4.0.0", + "colorette": "^2.0.20", + "eventemitter3": "^5.0.1", + 
"log-update": "^6.1.0", + "rfdc": "^1.4.1", + "wrap-ansi": "^9.0.0" + }, + "engines": { + "node": ">=18.0.0" + } + }, + "node_modules/locate-path": { + "version": "6.0.0", + "resolved": "https://registry.npmjs.org/locate-path/-/locate-path-6.0.0.tgz", + "integrity": "sha512-iPZK6eYjbxRu3uB4/WZ3EsEIMJFMqAoopl3R+zuq0UjcAm/MO6KCweDgPfP3elTztoKP3KtnVHxTn2NHBSDVUw==", + "peer": true, + "dependencies": { + "p-locate": "^5.0.0" + }, + "engines": { + "node": ">=10" + }, + "funding": { + "url": "https://github.com/sponsors/sindresorhus" + } + }, + "node_modules/lodash": { + "version": "4.17.21", + "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz", + "integrity": "sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg==" + }, + "node_modules/lodash.memoize": { + "version": "4.1.2", + "resolved": "https://registry.npmjs.org/lodash.memoize/-/lodash.memoize-4.1.2.tgz", + "integrity": "sha512-t7j+NzmgnQzTAYXcsHYLgimltOV1MXHtlOWf6GjL9Kj8GK5FInw5JotxvbOs+IvV1/Dzo04/fCGfLVs7aXb4Ag==", + "dev": true + }, + "node_modules/lodash.merge": { + "version": "4.6.2", + "resolved": "https://registry.npmjs.org/lodash.merge/-/lodash.merge-4.6.2.tgz", + "integrity": "sha512-0KpjqXRVvrYyCsX1swR/XTK0va6VQkQM6MNo7PqW77ByjAhoARA8EfrP1N4+KlKj8YS0ZUCtRT/YUuhyYDujIQ==", + "peer": true + }, + "node_modules/log-update": { + "version": "6.1.0", + "resolved": "https://registry.npmjs.org/log-update/-/log-update-6.1.0.tgz", + "integrity": "sha512-9ie8ItPR6tjY5uYJh8K/Zrv/RMZ5VOlOWvtZdEHYSTFKZfIBPQa9tOAEeAWhd+AnIneLJ22w5fjOYtoutpWq5w==", + "dev": true, + "dependencies": { + "ansi-escapes": "^7.0.0", + "cli-cursor": "^5.0.0", + "slice-ansi": "^7.1.0", + "strip-ansi": "^7.1.0", + "wrap-ansi": "^9.0.0" + }, + "engines": { + "node": ">=18" + }, + "funding": { + "url": "https://github.com/sponsors/sindresorhus" + } + }, + "node_modules/log-update/node_modules/ansi-escapes": { + "version": "7.0.0", + "resolved": 
"https://registry.npmjs.org/ansi-escapes/-/ansi-escapes-7.0.0.tgz", + "integrity": "sha512-GdYO7a61mR0fOlAsvC9/rIHf7L96sBc6dEWzeOu+KAea5bZyQRPIpojrVoI4AXGJS/ycu/fBTdLrUkA4ODrvjw==", + "dev": true, + "dependencies": { + "environment": "^1.0.0" + }, + "engines": { + "node": ">=18" + }, + "funding": { + "url": "https://github.com/sponsors/sindresorhus" + } + }, + "node_modules/log-update/node_modules/ansi-regex": { + "version": "6.1.0", + "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-6.1.0.tgz", + "integrity": "sha512-7HSX4QQb4CspciLpVFwyRe79O3xsIZDDLER21kERQ71oaPodF8jL725AgJMFAYbooIqolJoRLuM81SpeUkpkvA==", + "dev": true, + "engines": { + "node": ">=12" + }, + "funding": { + "url": "https://github.com/chalk/ansi-regex?sponsor=1" + } + }, + "node_modules/log-update/node_modules/ansi-styles": { + "version": "6.2.1", + "resolved": "https://registry.npmjs.org/ansi-styles/-/ansi-styles-6.2.1.tgz", + "integrity": "sha512-bN798gFfQX+viw3R7yrGWRqnrN2oRkEkUjjl4JNn4E8GxxbjtG3FbrEIIY3l8/hrwUwIeCZvi4QuOTP4MErVug==", + "dev": true, + "engines": { + "node": ">=12" + }, + "funding": { + "url": "https://github.com/chalk/ansi-styles?sponsor=1" + } + }, + "node_modules/log-update/node_modules/is-fullwidth-code-point": { + "version": "5.0.0", + "resolved": "https://registry.npmjs.org/is-fullwidth-code-point/-/is-fullwidth-code-point-5.0.0.tgz", + "integrity": "sha512-OVa3u9kkBbw7b8Xw5F9P+D/T9X+Z4+JruYVNapTjPYZYUznQ5YfWeFkOj606XYYW8yugTfC8Pj0hYqvi4ryAhA==", + "dev": true, + "dependencies": { + "get-east-asian-width": "^1.0.0" + }, + "engines": { + "node": ">=18" + }, + "funding": { + "url": "https://github.com/sponsors/sindresorhus" + } + }, + "node_modules/log-update/node_modules/slice-ansi": { + "version": "7.1.0", + "resolved": "https://registry.npmjs.org/slice-ansi/-/slice-ansi-7.1.0.tgz", + "integrity": "sha512-bSiSngZ/jWeX93BqeIAbImyTbEihizcwNjFoRUIY/T1wWQsfsm2Vw1agPKylXvQTU7iASGdHhyqRlqQzfz+Htg==", + "dev": true, + "dependencies": { + "ansi-styles": "^6.2.1", + 
"is-fullwidth-code-point": "^5.0.0" + }, + "engines": { + "node": ">=18" + }, + "funding": { + "url": "https://github.com/chalk/slice-ansi?sponsor=1" + } + }, + "node_modules/log-update/node_modules/strip-ansi": { + "version": "7.1.0", + "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-7.1.0.tgz", + "integrity": "sha512-iq6eVVI64nQQTRYq2KtEg2d2uU7LElhTJwsH4YzIHZshxlgZms/wIc4VoDQTlG/IvVIrBKG06CrZnp0qv7hkcQ==", + "dev": true, + "dependencies": { + "ansi-regex": "^6.0.1" + }, + "engines": { + "node": ">=12" + }, + "funding": { + "url": "https://github.com/chalk/strip-ansi?sponsor=1" + } + }, + "node_modules/lru-cache": { + "version": "5.1.1", + "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-5.1.1.tgz", + "integrity": "sha512-KpNARQA3Iwv+jTA0utUVVbrh+Jlrr1Fv0e56GGzAFOXN7dk/FviaDW8LHmK52DlcH4WP2n6gI8vN1aesBFgo9w==", + "dev": true, + "dependencies": { + "yallist": "^3.0.2" + } + }, + "node_modules/make-dir": { + "version": "4.0.0", "resolved": "https://registry.npmjs.org/make-dir/-/make-dir-4.0.0.tgz", "integrity": "sha512-hXdUTZYIVOt1Ex//jAQi+wTZZpUpwBj/0QsOzqegb3rGMMeJiSEu5xLHnYfBrRV4RH2+OCSOO95Is/7x1WJ4bw==", "dev": true, 
@@ -5000,14 +5645,19 @@ "version": "0.3.0", "resolved": "https://registry.npmjs.org/media-typer/-/media-typer-0.3.0.tgz", "integrity": "sha512-dq+qelQ9akHpcOl/gUVRTxVIOkAJ1wR3QAvb4RsVjS8oVoFjDGTc679wJYmUmknUF5HwMLOgb5O+a3KxfWapPQ==", + "license": "MIT", "engines": { "node": ">= 0.6" } }, "node_modules/merge-descriptors": { - "version": "1.0.1", - "resolved": "https://registry.npmjs.org/merge-descriptors/-/merge-descriptors-1.0.1.tgz", - "integrity": "sha512-cCi6g3/Zr1iqQi6ySbseM1Xvooa98N0w31jzUYrXPX2xqObmFGHJ0tQ5u74H3mVh7wLouTseZyYIq39g8cNp1w==" + "version": "1.0.3", + "resolved": "https://registry.npmjs.org/merge-descriptors/-/merge-descriptors-1.0.3.tgz", + "integrity": "sha512-gaNvAS7TZ897/rVaZ0nMtAyxNyi/pdbjbAwUpFQpN70GqnVfOiXpeUUMKRBmzXaSQ8DdTX4/0ms62r2K+hE6mQ==", + "license": "MIT", + "funding": { + "url": "https://github.com/sponsors/sindresorhus" + } }, "node_modules/merge-stream": { "version": "2.0.0", @@ -5033,9 +5683,9 @@ } }, "node_modules/micromatch": { - "version": "4.0.7", - "resolved": "https://registry.npmjs.org/micromatch/-/micromatch-4.0.7.tgz", - "integrity": "sha512-LPP/3KorzCwBxfeUuZmaR6bG2kdeHSbe0P2tY3FLRU4vYrjYz5hI4QZwV0njUx3jeuKe67YukQ1LSPZBKDqO/Q==", + "version": "4.0.8", + "resolved": "https://registry.npmjs.org/micromatch/-/micromatch-4.0.8.tgz", + "integrity": "sha512-PXwfBhYu0hBCPw8Dn0E+WDYb7af3dSLVWKi3HGv84IdF4TyFoC0ysxFd0Goxw7nSv4T/PzEJQxsYsEiFCKo2BA==", "dependencies": { "braces": "^3.0.3", "picomatch": "^2.3.1" @@ -5048,6 +5698,7 @@ "version": "1.6.0", "resolved": "https://registry.npmjs.org/mime/-/mime-1.6.0.tgz", "integrity": "sha512-x0Vn8spI+wuJ1O6S7gnbaQg8Pxh4NNHb7KSINmEWKiPE4RKOplvijn+NkmYmmRgP68mc70j2EbeTFRsrswaQeg==", + "license": "MIT", "bin": { "mime": "cli.js" }, 
@@ -5083,15 +5734,30 @@ "node": ">=6" } }, + "node_modules/mimic-function": { + "version": "5.0.1", + "resolved": "https://registry.npmjs.org/mimic-function/-/mimic-function-5.0.1.tgz", + "integrity": "sha512-VP79XUPxV2CigYP3jWwAUFSku2aKqBH7uTAapFWCBqutsbmDo96KY5o8uh6U+/YSIn5OxJnXp73beVkpqMIGhA==", + "dev": true, + "engines": { + "node": ">=18" + }, + "funding": { + "url": "https://github.com/sponsors/sindresorhus" + } + }, "node_modules/minimatch": { - "version": "3.1.2", - "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.2.tgz", - "integrity": "sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw==", + "version": "9.0.5", + "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-9.0.5.tgz", + "integrity": "sha512-G6T0ZX48xgozx7587koeX9Ys2NYy6Gmv//P89sEte9V9whIapMNF4idKxnW2QtCcLiTWlb/wfCabAtAFWhhBow==", "dependencies": { - "brace-expansion": "^1.1.7" + "brace-expansion": "^2.0.1" }, "engines": { - "node": "*" + "node": ">=16 || 14 >=14.17" + }, + "funding": { + "url": "https://github.com/sponsors/isaacs" } }, "node_modules/minimist": { 
@@ -5122,18 +5788,10 @@ "node": ">= 18" } }, - "node_modules/minizlib/node_modules/brace-expansion": { - "version": "2.0.1", - "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.1.tgz", - "integrity": "sha512-XnAIvQ8eM+kC6aULx6wuQiwVsnzsi9d3WxzV3FpWTGA19F621kwdbsAcFKXgKUHZWsy+mY6iL1sHTxWEFCytDA==", - "dependencies": { - "balanced-match": "^1.0.0" - } - }, "node_modules/minizlib/node_modules/glob": { - "version": "10.4.2", - "resolved": "https://registry.npmjs.org/glob/-/glob-10.4.2.tgz", - "integrity": "sha512-GwMlUF6PkPo3Gk21UxkCohOv0PLcIXVtKyLlpEI28R/cO/4eNOdmLk3CMW1wROV/WR/EsZOWAfBbBOqYvs88/w==", + "version": "10.4.5", + "resolved": "https://registry.npmjs.org/glob/-/glob-10.4.5.tgz", + "integrity": "sha512-7Bv8RF0k6xjo7d4A/PxYLbUCfb6c+Vpd2/mB2yRDlew7Jb5hEXiCD9ibfO7wpk8i4sevK6DFny9h7EYbM3/sHg==", "dependencies": { "foreground-child": "^3.1.0", "jackspeak": "^3.1.2", @@ -5145,23 +5803,6 @@ "bin": { "glob": "dist/esm/bin.mjs" }, - "engines": { - "node": ">=16 || 14 >=14.18" - }, - "funding": { - "url": "https://github.com/sponsors/isaacs" - } - }, - "node_modules/minizlib/node_modules/minimatch": { - "version": "9.0.5", - "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-9.0.5.tgz", - "integrity": "sha512-G6T0ZX48xgozx7587koeX9Ys2NYy6Gmv//P89sEte9V9whIapMNF4idKxnW2QtCcLiTWlb/wfCabAtAFWhhBow==", - "dependencies": { - "brace-expansion": "^2.0.1" - }, - "engines": { - "node": ">=16 || 14 >=14.17" - }, "funding": { "url": "https://github.com/sponsors/isaacs" } 
@@ -5175,18 +5816,15 @@ } }, "node_modules/minizlib/node_modules/rimraf": { - "version": "5.0.7", - "resolved": "https://registry.npmjs.org/rimraf/-/rimraf-5.0.7.tgz", - "integrity": "sha512-nV6YcJo5wbLW77m+8KjH8aB/7/rxQy9SZ0HY5shnwULfS+9nmTtVXAJET5NdZmCzA4fPI/Hm1wo/Po/4mopOdg==", + "version": "5.0.10", + "resolved": "https://registry.npmjs.org/rimraf/-/rimraf-5.0.10.tgz", + "integrity": "sha512-l0OE8wL34P4nJH/H2ffoaniAokM2qSmrtXHmlpvYr5AVVX8msAyW0l8NVJFDxlSK4u3Uh/f41cQheDVdnYijwQ==", "dependencies": { "glob": "^10.3.7" }, "bin": { "rimraf": "dist/esm/bin.mjs" }, - "engines": { - "node": ">=14.18" - }, "funding": { "url": "https://github.com/sponsors/isaacs" } @@ -5206,9 +5844,9 @@ } }, "node_modules/ms": { - "version": "2.1.2", - "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.2.tgz", - "integrity": "sha512-sGkPx+VjMtmA6MX27oA4FBFELFCZZ4S4XqeGOXCv68tT+jb3vk/RyaKWP0PTKyWtmLSM0b+adUTEvbs1PEaH2w==" + "version": "2.1.3", + "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.3.tgz", + "integrity": "sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA==" }, "node_modules/natural-compare": { "version": "1.4.0", @@ -5258,9 +5896,9 @@ "dev": true }, "node_modules/node-releases": { - "version": "2.0.14", - "resolved": "https://registry.npmjs.org/node-releases/-/node-releases-2.0.14.tgz", - "integrity": "sha512-y10wOWt8yZpqXmOgRo77WaHEmhYQYGNA6y421PKsKYWEK8aW+cqAphborZDhqfyKrbZEN92CN1X2KbafY2s7Yw==", + "version": "2.0.18", + "resolved": "https://registry.npmjs.org/node-releases/-/node-releases-2.0.18.tgz", + "integrity": "sha512-d9VeXT4SJ7ZeOqGX6R5EM022wpL+eWPooLI+5UpWn2jCT1aosUQEhQP214x33Wkwx3JQMvIm+tIoVOdodFS40g==", "dev": true }, "node_modules/normalize-path": { 
@@ -5296,6 +5934,7 @@ "version": "1.13.2", "resolved": "https://registry.npmjs.org/object-inspect/-/object-inspect-1.13.2.tgz", "integrity": "sha512-IRZSRuzJiynemAXPYtPe5BoI/RESNYR7TYm50MC5Mqbd3Jmw5y790sErYw3V6SryFJD64b74qQQs9wn5Bg/k3g==", + "license": "MIT", "engines": { "node": ">= 0.4" }, @@ -5323,6 +5962,7 @@ "version": "2.4.1", "resolved": "https://registry.npmjs.org/on-finished/-/on-finished-2.4.1.tgz", "integrity": "sha512-oVlzkg3ENAhCk2zdv7IJwd/QUD4z2RxRwpkcGY8psCVcCYZNq4wYnVWALHM+brtuJjePWiYF/ClmuDr8Ch5+kg==", + "license": "MIT", "dependencies": { "ee-first": "1.1.1" }, @@ -5354,11 +5994,11 @@ } }, "node_modules/openid-client": { - "version": "5.6.5", - "resolved": "https://registry.npmjs.org/openid-client/-/openid-client-5.6.5.tgz", - "integrity": "sha512-5P4qO9nGJzB5PI0LFlhj4Dzg3m4odt0qsJTfyEtZyOlkgpILwEioOhVVJOrS1iVH494S4Ee5OCjjg6Bf5WOj3w==", + "version": "5.7.0", + "resolved": "https://registry.npmjs.org/openid-client/-/openid-client-5.7.0.tgz", + "integrity": "sha512-4GCCGZt1i2kTHpwvaC/sCpTpQqDnBzDzuJcJMbH+y1Q5qI8U8RBvoSh28svarXszZHR5BAMXbJPX1PGPRE3VOA==", "dependencies": { - "jose": "^4.15.5", + "jose": "^4.15.9", "lru-cache": "^6.0.0", "object-hash": "^2.2.0", "oidc-token-hash": "^5.0.3" @@ -5482,6 +6122,7 @@ "version": "1.3.3", "resolved": "https://registry.npmjs.org/parseurl/-/parseurl-1.3.3.tgz", "integrity": "sha512-CiyeOxFT/JZyN5m0z9PfXw4SCBJ6Sygz1Dpl0wqjlhDEGGBP1GnsUVEL0p63hoG1fcj3fHynXi9NYO4nWOL+qQ==", + "license": "MIT", "engines": { "node": ">= 0.8" } 
@@ -5532,12 +6173,9 @@ } }, "node_modules/path-scurry/node_modules/lru-cache": { - "version": "10.3.0", - "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-10.3.0.tgz", - "integrity": "sha512-CQl19J/g+Hbjbv4Y3mFNNXFEL/5t/KCg8POCuUqd4rMKjGG+j1ybER83hxV58zL+dFI1PTkt3GNFSHRt+d8qEQ==", - "engines": { - "node": "14 || >=16.14" - } + "version": "10.4.3", + "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-10.4.3.tgz", + "integrity": "sha512-JNAzZcXrCt42VGLuYz0zfAzDfAvJWW6AfYlDBQyDV5DClI2m5sAmK+OIO7s59XfsRsWHp02jAJrRadPRGTt6SQ==" }, "node_modules/path-scurry/node_modules/minipass": { "version": "7.1.2", @@ -5548,9 +6186,10 @@ } }, "node_modules/path-to-regexp": { - "version": "0.1.7", - "resolved": "https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-0.1.7.tgz", - "integrity": "sha512-5DFkuoqlv1uYQKxy8omFBeJPQcdoE07Kv2sferDCrAq1ohOU+MSDswDIbnx3YAM60qIOnYa53wBhXW0EbMonrQ==" + "version": "0.1.10", + "resolved": "https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-0.1.10.tgz", + "integrity": "sha512-7lf7qcQidTku0Gu3YDPc8DJ1q7OOucfa/BSsIwjuh56VU7katFvuM8hULfkwB3Fns/rsVF7PwPKVw1sl5KQS9w==", + "license": "MIT" }, "node_modules/path-type": { "version": "4.0.0", 
@@ -5562,16 +6201,18 @@ } }, "node_modules/pepr": { - "version": "0.32.6", - "resolved": "https://registry.npmjs.org/pepr/-/pepr-0.32.6.tgz", - "integrity": "sha512-eX3Kb5ZDKpsG0QIEbXGaTrw+awC+TrajWOSRBc+RvoWtEz+I0c+L6VSRGckMSD9rfAVMqDkx3GsF+DuRDgcD6Q==", + "version": "0.36.0", + "resolved": "https://registry.npmjs.org/pepr/-/pepr-0.36.0.tgz", + "integrity": "sha512-+GyQK9SUhjoEAfWU1cdKtKjYx8JCT+aracTBb5jRh3JIljD61H8nxlAlIS8rEcAdGw2Gcu/qztxX62x3Bjaw+A==", + "license": "Apache-2.0", "dependencies": { - "@types/ramda": "0.30.0", - "express": "4.19.2", + "@types/ramda": "0.30.2", + "express": "4.21.0", "fast-json-patch": "3.1.1", - "kubernetes-fluent-client": "2.6.3", - "pino": "9.2.0", - "pino-pretty": "11.2.1", + "json-pointer": "^0.6.2", + "kubernetes-fluent-client": "3.0.3", + "pino": "9.4.0", + "pino-pretty": "11.2.2", "prom-client": "15.1.3", "ramda": "0.30.1" }, @@ -5582,22 +6223,22 @@ "node": ">=18.0.0" }, "peerDependencies": { - "@typescript-eslint/eslint-plugin": "6.15.0", - "@typescript-eslint/parser": "6.15.0", - "commander": "11.1.0", - "esbuild": "0.19.10", - "eslint": "8.56.0", + "@typescript-eslint/eslint-plugin": "7.18.0", + "@typescript-eslint/parser": "7.18.0", + "commander": "12.1.0", + "esbuild": "0.23.0", + "eslint": "8.57.0", "node-forge": "1.3.1", - "prettier": "3.1.1", + "prettier": "3.3.3", "prompts": "2.4.2", "typescript": "5.3.3", - "uuid": "9.0.1" + "uuid": "10.0.0" } }, "node_modules/picocolors": { - "version": "1.0.1", - "resolved": "https://registry.npmjs.org/picocolors/-/picocolors-1.0.1.tgz", - "integrity": "sha512-anP1Z8qwhkbmu7MFP5iTt+wQKXgwzf7zTyGlcdzabySa9vd0Xt392U0rVmz9poOaBj0uHJKyyo9/upk0HrEQew==", + "version": "1.1.0", + "resolved": "https://registry.npmjs.org/picocolors/-/picocolors-1.1.0.tgz", + "integrity": "sha512-TQ92mBOW0l3LeMeyLV6mzy/kWr8lkd/hp3mTg7wYK7zJhuBStmGMBG0BdeDZS/dZx1IukaX6Bk11zcln25o1Aw==", "dev": true }, "node_modules/picomatch": { 
@@ -5611,17 +6252,30 @@ "url": "https://github.com/sponsors/jonschlinkert" } }, + "node_modules/pidtree": { + "version": "0.6.0", + "resolved": "https://registry.npmjs.org/pidtree/-/pidtree-0.6.0.tgz", + "integrity": "sha512-eG2dWTVw5bzqGRztnHExczNxt5VGsE6OwTeCG3fdUf9KBsZzO3R5OIIIzWR+iZA0NtZ+RDVdaoE2dK1cn6jH4g==", + "dev": true, + "bin": { + "pidtree": "bin/pidtree.js" + }, + "engines": { + "node": ">=0.10" + } + }, "node_modules/pino": { - "version": "9.2.0", - "resolved": "https://registry.npmjs.org/pino/-/pino-9.2.0.tgz", - "integrity": "sha512-g3/hpwfujK5a4oVbaefoJxezLzsDgLcNJeITvC6yrfwYeT9la+edCK42j5QpEQSQCZgTKapXvnQIdgZwvRaZug==", + "version": "9.4.0", + "resolved": "https://registry.npmjs.org/pino/-/pino-9.4.0.tgz", + "integrity": "sha512-nbkQb5+9YPhQRz/BeQmrWpEknAaqjpAqRK8NwJpmrX/JHu7JuZC5G1CeAwJDJfGes4h+YihC6in3Q2nGb+Y09w==", + "license": "MIT", "dependencies": { "atomic-sleep": "^1.0.0", "fast-redact": "^3.1.1", "on-exit-leak-free": "^2.1.0", "pino-abstract-transport": "^1.2.0", "pino-std-serializers": "^7.0.0", - "process-warning": "^3.0.0", + "process-warning": "^4.0.0", "quick-format-unescaped": "^4.0.3", "real-require": "^0.2.0", "safe-stable-stringify": "^2.3.1", @@ -5642,9 +6296,9 @@ } }, "node_modules/pino-pretty": { - "version": "11.2.1", - "resolved": "https://registry.npmjs.org/pino-pretty/-/pino-pretty-11.2.1.tgz", - "integrity": "sha512-O05NuD9tkRasFRWVaF/uHLOvoRDFD7tb5VMertr78rbsYFjYp48Vg3477EshVAF5eZaEw+OpDl/tu+B0R5o+7g==", + "version": "11.2.2", + "resolved": "https://registry.npmjs.org/pino-pretty/-/pino-pretty-11.2.2.tgz", + "integrity": "sha512-2FnyGir8nAJAqD3srROdrF1J5BIcMT4nwj7hHSc60El6Uxlym00UbCCd8pYIterstVBFlMyF1yFV8XdGIPbj4A==", "dependencies": { "colorette": "^2.0.7", "dateformat": "^4.6.3", 
@@ -5761,9 +6415,9 @@ } }, "node_modules/prettier": { - "version": "3.1.1", - "resolved": "https://registry.npmjs.org/prettier/-/prettier-3.1.1.tgz", - "integrity": "sha512-22UbSzg8luF4UuZtzgiUOfcGM8s4tjBv6dJRT7j275NXsy2jb4aJa4NNveul5x4eqlF1wuhuR2RElK71RvmVaw==", + "version": "3.3.3", + "resolved": "https://registry.npmjs.org/prettier/-/prettier-3.3.3.tgz", + "integrity": "sha512-i2tDNA0O5IrMO757lfrdQZCc2jPNDVntV0m/+4whiDfWaTKfMNgR7Qz0NAeGz/nRqF4m5/6CLzbP4/liHt12Ew==", "peer": true, "bin": { "prettier": "bin/prettier.cjs" @@ -5810,15 +6464,14 @@ } }, "node_modules/process-warning": { - "version": "3.0.0", - "resolved": "https://registry.npmjs.org/process-warning/-/process-warning-3.0.0.tgz", - "integrity": "sha512-mqn0kFRl0EoqhnL0GQ0veqFHyIN1yig9RHh/InzORTUiZHFRAur+aMtRkELNwGs9aNwKS6tg/An4NYBPGwvtzQ==" + "version": "4.0.0", + "resolved": "https://registry.npmjs.org/process-warning/-/process-warning-4.0.0.tgz", + "integrity": "sha512-/MyYDxttz7DfGMMHiysAsFE4qF+pQYAA8ziO/3NcRVrQ5fSk+Mns4QZA/oRPFzvcqNoVJXQNWNAsdwBXLUkQKw==" }, "node_modules/prom-client": { "version": "15.1.3", "resolved": "https://registry.npmjs.org/prom-client/-/prom-client-15.1.3.tgz", "integrity": "sha512-6ZiOBfCywsD4k1BN9IX0uZhF+tJkV8q8llP64G5Hajs4JOeVLPCwpPVcpXy3BwYiUGgyJzsJJQeOIv7+hDSq8g==", - "license": "Apache-2.0", "dependencies": { "@opentelemetry/api": "^1.4.0", "tdigest": "^0.1.1" @@ -5886,11 +6539,12 @@ ] }, "node_modules/qs": { - "version": "6.11.0", - "resolved": "https://registry.npmjs.org/qs/-/qs-6.11.0.tgz", - "integrity": "sha512-MvjoMCJwEarSbUYk5O+nmoSzSutSsTwF85zcHPQ9OrlFoZOYIjaqBAJIqIXjptyD5vThxGq52Xu/MaJzRkIk4Q==", + "version": "6.13.0", + "resolved": "https://registry.npmjs.org/qs/-/qs-6.13.0.tgz", + "integrity": "sha512-+38qI9SOr8tfZ4QmJNplMUxqjbe7LKvvZgWdExBOmd+egZTtjLB67Gu0HRX3u/XOq7UU2Nx6nsjvS16Z9uwfpg==", + "license": "BSD-3-Clause", "dependencies": { - "side-channel": "^1.0.4" + "side-channel": "^1.0.6" }, "engines": { "node": ">=0.6" 
@@ -5963,6 +6617,7 @@ "version": "1.2.1", "resolved": "https://registry.npmjs.org/range-parser/-/range-parser-1.2.1.tgz", "integrity": "sha512-Hrgsx+orqoygnmhFbKaHE6c296J+HTAQXoxEF6gNupROmmGJRoyzfG3ccAveqCBrwr/2yxQ5BVd/GTl5agOwSg==", + "license": "MIT", "engines": { "node": ">= 0.6" } @@ -5971,6 +6626,7 @@ "version": "2.5.2", "resolved": "https://registry.npmjs.org/raw-body/-/raw-body-2.5.2.tgz", "integrity": "sha512-8zGqypfENjCIqGhgXToC8aB2r7YrBX+AQAfIPs/Mlk+BtPTztOvTS01NRW/3Eh60J+a48lt8qsCzirQ6loCVfA==", + "license": "MIT", "dependencies": { "bytes": "3.1.2", "http-errors": "2.0.0", 
@@ -6079,6 +6735,49 @@ "node": ">=10" } }, + "node_modules/restore-cursor": { + "version": "5.1.0", + "resolved": "https://registry.npmjs.org/restore-cursor/-/restore-cursor-5.1.0.tgz", + "integrity": "sha512-oMA2dcrw6u0YfxJQXm342bFKX/E4sG9rbTzO9ptUcR/e8A33cHuvStiYOwH7fszkZlZ1z/ta9AAoPk2F4qIOHA==", + "dev": true, + "dependencies": { + "onetime": "^7.0.0", + "signal-exit": "^4.1.0" + }, + "engines": { + "node": ">=18" + }, + "funding": { + "url": "https://github.com/sponsors/sindresorhus" + } + }, + "node_modules/restore-cursor/node_modules/onetime": { + "version": "7.0.0", + "resolved": "https://registry.npmjs.org/onetime/-/onetime-7.0.0.tgz", + "integrity": "sha512-VXJjc87FScF88uafS3JllDgvAm+c/Slfz06lorj2uAY34rlUu0Nt+v8wreiImcrgAjjIHp1rXpTDlLOGw29WwQ==", + "dev": true, + "dependencies": { + "mimic-function": "^5.0.0" + }, + "engines": { + "node": ">=18" + }, + "funding": { + "url": "https://github.com/sponsors/sindresorhus" + } + }, + "node_modules/restore-cursor/node_modules/signal-exit": { + "version": "4.1.0", + "resolved": "https://registry.npmjs.org/signal-exit/-/signal-exit-4.1.0.tgz", + "integrity": "sha512-bzyZ1e88w9O1iNJbKnOlvYTrWPDl46O1bG0D3XInv+9tkPrxrN8jUUTiFlDkkmKWgn1M6CfIA13SuGqOa9Korw==", + "dev": true, + "engines": { + "node": ">=14" + }, + "funding": { + "url": "https://github.com/sponsors/isaacs" + } + }, "node_modules/reusify": { "version": "1.0.4", "resolved": "https://registry.npmjs.org/reusify/-/reusify-1.0.4.tgz", 
@@ -6094,6 +6793,12 @@ "resolved": "https://registry.npmjs.org/rfc4648/-/rfc4648-1.5.3.tgz", "integrity": "sha512-MjOWxM065+WswwnmNONOT+bD1nXzY9Km6u3kzvnx8F8/HXGZdz3T6e6vZJ8Q/RIMUSp/nxqjH3GwvJDy8ijeQQ==" }, + "node_modules/rfdc": { + "version": "1.4.1", + "resolved": "https://registry.npmjs.org/rfdc/-/rfdc-1.4.1.tgz", + "integrity": "sha512-q1b3N5QkRUWUl7iyylaaj3kOpIT0N2i9MqIEQXP73GVsN9cw3fdx8X63cEmWhJGi2PPCF23Ijp7ktmd39rawIA==", + "dev": true + }, "node_modules/rimraf": { "version": "3.0.2", "resolved": "https://registry.npmjs.org/rimraf/-/rimraf-3.0.2.tgz", @@ -6153,9 +6858,9 @@ ] }, "node_modules/safe-stable-stringify": { - "version": "2.4.3", - "resolved": "https://registry.npmjs.org/safe-stable-stringify/-/safe-stable-stringify-2.4.3.tgz", - "integrity": "sha512-e2bDA2WJT0wxseVd4lsDP4+3ONX6HpMXQa1ZhFQ7SU+GjvORCmShbCMltrtIDfkYhVHrOcPtj+KhmDBdPdZD1g==", + "version": "2.5.0", + "resolved": "https://registry.npmjs.org/safe-stable-stringify/-/safe-stable-stringify-2.5.0.tgz", + "integrity": "sha512-b3rppTKm9T+PsVCBEOUR46GWI7fdOs00VKZ1+9c1EWDaDMvjQc6tUwuFyIprgGgTcWoVHSKrU8H31ZHA2e0RHA==", "engines": { "node": ">=10" } @@ -6163,7 +6868,8 @@ "node_modules/safer-buffer": { "version": "2.1.2", "resolved": "https://registry.npmjs.org/safer-buffer/-/safer-buffer-2.1.2.tgz", - "integrity": "sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg==" + "integrity": "sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg==", + "license": "MIT" }, "node_modules/secure-json-parse": { "version": "2.7.0", 
@@ -6171,9 +6877,9 @@ "integrity": "sha512-6aU+Rwsezw7VR8/nyvKTx8QpWH9FrcYiXXlqC4z5d5XQBDRqtbfsRjnwGyqbi3gddNtWHuEk9OANUotL26qKUw==" }, "node_modules/semver": { - "version": "7.6.2", - "resolved": "https://registry.npmjs.org/semver/-/semver-7.6.2.tgz", - "integrity": "sha512-FNAIBWCx9qcRhoHcgcJ0gvU7SN1lYU2ZXuSfl04bSC5OpvDHFyJCjdNHomPXxjQlCBU67YW64PzY7/VIEH7F2w==", + "version": "7.6.3", + "resolved": "https://registry.npmjs.org/semver/-/semver-7.6.3.tgz", + "integrity": "sha512-oVekP1cKtI+CTDvHWYFUcMtsK/00wmAEfyqKfNdARm8u1wNVhSgaX7A8d4UuIlUI5e84iEwOhs7ZPYRmzU9U6A==", "bin": { "semver": "bin/semver.js" }, @@ -6182,9 +6888,10 @@ } }, "node_modules/send": { - "version": "0.18.0", - "resolved": "https://registry.npmjs.org/send/-/send-0.18.0.tgz", - "integrity": "sha512-qqWzuOjSFOuqPjFe4NOsMLafToQQwBSOEpS+FwEt3A2V3vKubTquT3vmLTQpFgMXp8AlFWFuP1qKaJZOtPpVXg==", + "version": "0.19.0", + "resolved": "https://registry.npmjs.org/send/-/send-0.19.0.tgz", + "integrity": "sha512-dW41u5VfLXu8SJh5bwRmyYUbAoSB3c9uQh6L8h/KtsFREPWpbX1lrljJo186Jc4nmci/sGUZ9a0a0J2zgfq2hw==", + "license": "MIT", "dependencies": { "debug": "2.6.9", "depd": "2.0.0", @@ -6208,6 +6915,7 @@ "version": "2.6.9", "resolved": "https://registry.npmjs.org/debug/-/debug-2.6.9.tgz", "integrity": "sha512-bC7ElrdJaJnPbAP+1EotYvqZsb3ecl5wi6Bfi6BJTUcNowp6cvspg0jXznRTKDjm/E7AdgFBVeAPVMNcKGsHMA==", + "license": "MIT", "dependencies": { "ms": "2.0.0" } 
@@ -6215,22 +6923,28 @@ "node_modules/send/node_modules/debug/node_modules/ms": { "version": "2.0.0", "resolved": "https://registry.npmjs.org/ms/-/ms-2.0.0.tgz", - "integrity": "sha512-Tpp60P6IUJDTuOq/5Z8cdskzJujfwqfOTkrwIwj7IRISpnkJnT6SyJ4PCPnGMoFjC9ddhal5KVIYtAt97ix05A==" + "integrity": "sha512-Tpp60P6IUJDTuOq/5Z8cdskzJujfwqfOTkrwIwj7IRISpnkJnT6SyJ4PCPnGMoFjC9ddhal5KVIYtAt97ix05A==", + "license": "MIT" }, - "node_modules/send/node_modules/ms": { - "version": "2.1.3", - "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.3.tgz", - "integrity": "sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA==" + "node_modules/send/node_modules/encodeurl": { + "version": "1.0.2", + "resolved": "https://registry.npmjs.org/encodeurl/-/encodeurl-1.0.2.tgz", + "integrity": "sha512-TPJXq8JqFaVYm2CWmPvnP2Iyo4ZSM7/QKcSmuMLDObfpH5fi7RUGmd/rTDf+rut/saiDiQEeVTNgAmJEdAOx0w==", + "license": "MIT", + "engines": { + "node": ">= 0.8" + } }, "node_modules/serve-static": { - "version": "1.15.0", - "resolved": "https://registry.npmjs.org/serve-static/-/serve-static-1.15.0.tgz", - "integrity": "sha512-XGuRDNjXUijsUL0vl6nSD7cwURuzEgglbOaFuZM9g3kwDXOWVTck0jLzjPzGD+TazWbboZYu52/9/XPdUgne9g==", + "version": "1.16.2", + "resolved": "https://registry.npmjs.org/serve-static/-/serve-static-1.16.2.tgz", + "integrity": "sha512-VqpjJZKadQB/PEbEwvFdO43Ax5dFBZ2UECszz8bQ7pi7wt//PWe1P6MN7eCnjsatYtBT6EuiClbjSWP2WrIoTw==", + "license": "MIT", "dependencies": { - "encodeurl": "~1.0.2", + "encodeurl": "~2.0.0", "escape-html": "~1.0.3", "parseurl": "~1.3.3", - "send": "0.18.0" + "send": "0.19.0" }, "engines": { "node": ">= 0.8.0" @@ -6240,6 +6954,7 @@ "version": "1.2.2", "resolved": "https://registry.npmjs.org/set-function-length/-/set-function-length-1.2.2.tgz", "integrity": "sha512-pgRc4hJ4/sNjWCSS9AmnS40x3bNMDTknHgL5UaMBTMyJnU90EgWh1Rz+MC9eFu4BuN/UwZjKQuY/1v3rM7HMfg==", + "license": "MIT", "dependencies": { "define-data-property": "^1.1.4", "es-errors": "^1.3.0", 
@@ -6255,7 +6970,8 @@ "node_modules/setprototypeof": { "version": "1.2.0", "resolved": "https://registry.npmjs.org/setprototypeof/-/setprototypeof-1.2.0.tgz", - "integrity": "sha512-E5LDX7Wrp85Kil5bhZv46j8jOeboKq5JMmYM3gVGdGH8xFpPWXUMsNrlODCrkoxMEeNi/XZIwuRvY4XNwYMJpw==" + "integrity": "sha512-E5LDX7Wrp85Kil5bhZv46j8jOeboKq5JMmYM3gVGdGH8xFpPWXUMsNrlODCrkoxMEeNi/XZIwuRvY4XNwYMJpw==", + "license": "ISC" }, "node_modules/shebang-command": { "version": "2.0.0", @@ -6280,6 +6996,7 @@ "version": "1.0.6", "resolved": "https://registry.npmjs.org/side-channel/-/side-channel-1.0.6.tgz", "integrity": "sha512-fDW/EZ6Q9RiO8eFG8Hj+7u/oW+XrPTIChwCOM2+th2A6OblDtYYIpve9m+KvI9Z4C9qSEXlaGR6bTEYHReuglA==", + "license": "MIT", "dependencies": { "call-bind": "^1.0.7", "es-errors": "^1.3.0", 
@@ -6312,10 +7029,38 @@ "node": ">=8" } }, + "node_modules/slice-ansi": { + "version": "5.0.0", + "resolved": "https://registry.npmjs.org/slice-ansi/-/slice-ansi-5.0.0.tgz", + "integrity": "sha512-FC+lgizVPfie0kkhqUScwRu1O/lF6NOgJmlCgK+/LYxDCTk8sGelYaHDhFcDN+Sn3Cv+3VSa4Byeo+IMCzpMgQ==", + "dev": true, + "dependencies": { + "ansi-styles": "^6.0.0", + "is-fullwidth-code-point": "^4.0.0" + }, + "engines": { + "node": ">=12" + }, + "funding": { + "url": "https://github.com/chalk/slice-ansi?sponsor=1" + } + }, + "node_modules/slice-ansi/node_modules/ansi-styles": { + "version": "6.2.1", + "resolved": "https://registry.npmjs.org/ansi-styles/-/ansi-styles-6.2.1.tgz", + "integrity": "sha512-bN798gFfQX+viw3R7yrGWRqnrN2oRkEkUjjl4JNn4E8GxxbjtG3FbrEIIY3l8/hrwUwIeCZvi4QuOTP4MErVug==", + "dev": true, + "engines": { + "node": ">=12" + }, + "funding": { + "url": "https://github.com/chalk/ansi-styles?sponsor=1" + } + }, "node_modules/sonic-boom": { - "version": "4.0.1", - "resolved": "https://registry.npmjs.org/sonic-boom/-/sonic-boom-4.0.1.tgz", - "integrity": "sha512-hTSD/6JMLyT4r9zeof6UtuBDpjJ9sO08/nmS5djaA9eozT9oOlNdpXSnzcgj4FTqpk3nkLrs61l4gip9r1HCrQ==", + "version": "4.1.0", + "resolved": "https://registry.npmjs.org/sonic-boom/-/sonic-boom-4.1.0.tgz", + "integrity": "sha512-NGipjjRicyJJ03rPiZCJYjwlsuP2d1/5QUviozRXC7S3WdVWNK5e3Ojieb9CCyfhq2UC+3+SRd9nG3I2lPRvUw==", "dependencies": { "atomic-sleep": "^1.0.0" } @@ -6378,6 +7123,7 @@ "version": "2.0.1", "resolved": "https://registry.npmjs.org/statuses/-/statuses-2.0.1.tgz", "integrity": "sha512-RwNA9Z/7PrK06rYLIzFMlaF+l73iwpzsqRIFgbMLbTcLD6cOao82TaWefPXQvB2fOC4AjuYSEndS7N/mTCbkdQ==", + "license": "MIT", "engines": { "node": ">= 0.8" } 
@@ -6398,6 +7144,15 @@ "safe-buffer": "~5.2.0" } }, + "node_modules/string-argv": { + "version": "0.3.2", + "resolved": "https://registry.npmjs.org/string-argv/-/string-argv-0.3.2.tgz", + "integrity": "sha512-aqD2Q0144Z+/RqG52NeHEkZauTAUWJO8c6yTftGJKO3Tja5tUgIfmIl6kExvhtxSDP7fXB6DvzkfMpCd/F3G+Q==", + "dev": true, + "engines": { + "node": ">=0.6.19" + } + }, "node_modules/string-length": { "version": "4.0.2", "resolved": "https://registry.npmjs.org/string-length/-/string-length-4.0.2.tgz", @@ -6412,16 +7167,20 @@ } }, "node_modules/string-width": { - "version": "4.2.3", - "resolved": "https://registry.npmjs.org/string-width/-/string-width-4.2.3.tgz", - "integrity": "sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g==", + "version": "7.2.0", + "resolved": "https://registry.npmjs.org/string-width/-/string-width-7.2.0.tgz", + "integrity": "sha512-tsaTIkKW9b4N+AEj+SVA+WhJzV7/zMhcSu78mLKWSk7cXMOSHsBKFWUs0fWwq8QyK3MgJBQRX6Gbi4kYbdvGkQ==", + "dev": true, "dependencies": { - "emoji-regex": "^8.0.0", - "is-fullwidth-code-point": "^3.0.0", - "strip-ansi": "^6.0.1" + "emoji-regex": "^10.3.0", + "get-east-asian-width": "^1.0.0", + "strip-ansi": "^7.1.0" }, "engines": { - "node": ">=8" + "node": ">=18" + }, + "funding": { + "url": "https://github.com/sponsors/sindresorhus" } }, "node_modules/string-width-cjs": { 
@@ -6438,6 +7197,46 @@ "node": ">=8" } }, + "node_modules/string-width-cjs/node_modules/emoji-regex": { + "version": "8.0.0", + "resolved": "https://registry.npmjs.org/emoji-regex/-/emoji-regex-8.0.0.tgz", + "integrity": "sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A==" + }, + "node_modules/string-width-cjs/node_modules/is-fullwidth-code-point": { + "version": "3.0.0", + "resolved": "https://registry.npmjs.org/is-fullwidth-code-point/-/is-fullwidth-code-point-3.0.0.tgz", + "integrity": "sha512-zymm5+u+sCsSWyD9qNaejV3DFvhCKclKdizYaJUuHA83RLjb7nSuGnddCHGv0hk+KY7BMAlsWeK4Ueg6EV6XQg==", + "engines": { + "node": ">=8" + } + }, + "node_modules/string-width/node_modules/ansi-regex": { + "version": "6.1.0", + "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-6.1.0.tgz", + "integrity": "sha512-7HSX4QQb4CspciLpVFwyRe79O3xsIZDDLER21kERQ71oaPodF8jL725AgJMFAYbooIqolJoRLuM81SpeUkpkvA==", + "dev": true, + "engines": { + "node": ">=12" + }, + "funding": { + "url": "https://github.com/chalk/ansi-regex?sponsor=1" + } + }, + "node_modules/string-width/node_modules/strip-ansi": { + "version": "7.1.0", + "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-7.1.0.tgz", + "integrity": "sha512-iq6eVVI64nQQTRYq2KtEg2d2uU7LElhTJwsH4YzIHZshxlgZms/wIc4VoDQTlG/IvVIrBKG06CrZnp0qv7hkcQ==", + "dev": true, + "dependencies": { + "ansi-regex": "^6.0.1" + }, + "engines": { + "node": ">=12" + }, + "funding": { + "url": "https://github.com/chalk/strip-ansi?sponsor=1" + } + }, "node_modules/strip-ansi": { "version": "6.0.1", "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz", 
@@ -6514,9 +7313,9 @@ } }, "node_modules/tar": { - "version": "7.4.0", - "resolved": "https://registry.npmjs.org/tar/-/tar-7.4.0.tgz", - "integrity": "sha512-XQs0S8fuAkQWuqhDeCdMlJXDX80D7EOVLDPVFkna9yQfzS+PHKgfxcei0jf6/+QAWcjqrnC8uM3fSAnrQl+XYg==", + "version": "7.4.3", + "resolved": "https://registry.npmjs.org/tar/-/tar-7.4.3.tgz", + "integrity": "sha512-5S7Va8hKfV7W5U6g3aYxXmlPoZVAwUMy9AOKyF2fVuZa2UD3qZjg578OrLRt8PcNN1PleVaL/5/yYATNL0ICUw==", "dependencies": { "@isaacs/fs-minipass": "^4.0.0", "chownr": "^3.0.0", @@ -6567,6 +7366,28 @@ "node": ">=8" } }, + "node_modules/test-exclude/node_modules/brace-expansion": { + "version": "1.1.11", + "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.11.tgz", + "integrity": "sha512-iCuPHDFgrHX7H2vEI/5xpz07zSHB00TpugqhmYtVmMO6518mCuRMoOYFldEBl0g187ufozdaHgWKcYFb61qGiA==", + "dev": true, + "dependencies": { + "balanced-match": "^1.0.0", + "concat-map": "0.0.1" + } + }, + "node_modules/test-exclude/node_modules/minimatch": { + "version": "3.1.2", + "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.2.tgz", + "integrity": "sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw==", + "dev": true, + "dependencies": { + "brace-expansion": "^1.1.7" + }, + "engines": { + "node": "*" + } + }, "node_modules/text-table": { "version": "0.2.0", "resolved": "https://registry.npmjs.org/text-table/-/text-table-0.2.0.tgz", @@ -6632,6 +7453,7 @@ "version": "1.0.1", "resolved": "https://registry.npmjs.org/toidentifier/-/toidentifier-1.0.1.tgz", "integrity": "sha512-o5sSPKEkg/DIQNmH43V0/uerLrpzVedkUh8tGNvaeXpfpuwjKenlSox/2O/BTlZUtEe+JG7s5YhEz608PlAHRA==", + "license": "MIT", "engines": { "node": ">=0.6" } 
@@ -6654,19 +7476,21 @@ } }, "node_modules/ts-jest": { - "version": "29.2.0", - "resolved": "https://registry.npmjs.org/ts-jest/-/ts-jest-29.2.0.tgz", - "integrity": "sha512-eFmkE9MG0+oT6nqSOcUwL+2UUmK2IvhhUV8hFDsCHnc++v2WCCbQQZh5vvjsa8sgOY/g9T0325hmkEmi6rninA==", + "version": "29.2.5", + "resolved": "https://registry.npmjs.org/ts-jest/-/ts-jest-29.2.5.tgz", + "integrity": "sha512-KD8zB2aAZrcKIdGk4OwpJggeLcH1FgrICqDSROWqlnJXGCXK4Mn6FcdK2B6670Xr73lHMG1kHw8R87A0ecZ+vA==", "dev": true, + "license": "MIT", "dependencies": { - "bs-logger": "0.x", - "fast-json-stable-stringify": "2.x", + "bs-logger": "^0.2.6", + "ejs": "^3.1.10", + "fast-json-stable-stringify": "^2.1.0", "jest-util": "^29.0.0", "json5": "^2.2.3", - "lodash.memoize": "4.x", - "make-error": "1.x", - "semver": "^7.5.3", - "yargs-parser": "^21.0.1" + "lodash.memoize": "^4.1.2", + "make-error": "^1.3.6", + "semver": "^7.6.3", + "yargs-parser": "^21.1.1" }, "bin": { "ts-jest": "cli.js" @@ -6706,9 +7530,9 @@ "integrity": "sha512-nsZd8ZeNUzukXPlJmTBwUAuABDe/9qtVDelJeT/qW0ow3ZS3BsQJtNkan1802aM9Uf68/Y8ljw86Hu0h5IUW3w==" }, "node_modules/tslib": { - "version": "2.6.3", - "resolved": "https://registry.npmjs.org/tslib/-/tslib-2.6.3.tgz", - "integrity": "sha512-xNvxJEOUiWPGhUuUdQgAJPKOOJfGnIyKySOc09XkKsgdUV/3E2zvwZYdejjmRgPCgcym1juLH3226yA7sEFJKQ==" + "version": "2.7.0", + "resolved": "https://registry.npmjs.org/tslib/-/tslib-2.7.0.tgz", + "integrity": "sha512-gLXCKdN1/j47AiHiOkJN69hJmcbGTHI0ImLmbYLHykhgeN0jVGola9yVjFgzCUklsZQMW55o+dW7IXv3RCXDzA==" }, "node_modules/type-check": { "version": "0.4.0", @@ -6747,6 +7571,7 @@ "version": "1.6.18", "resolved": "https://registry.npmjs.org/type-is/-/type-is-1.6.18.tgz", "integrity": "sha512-TkRKr9sUTxEH8MdfuCSP7VizJyzRNMjj2J2do2Jr3Kym598JVdEksuzPQCnlFPW4ky9Q+iA+ma9BGm06XQBy8g==", + "license": "MIT", "dependencies": { "media-typer": "0.3.0", "mime-types": "~2.1.24" 
@@ -6777,14 +7602,14 @@ } }, "node_modules/underscore": { - "version": "1.13.6", - "resolved": "https://registry.npmjs.org/underscore/-/underscore-1.13.6.tgz", - "integrity": "sha512-+A5Sja4HP1M08MaXya7p5LvjuM7K6q/2EaC0+iovj/wOcMsTzMvDFbasi/oSapiwOlt252IqsKqPjCl7huKS0A==" + "version": "1.13.7", + "resolved": "https://registry.npmjs.org/underscore/-/underscore-1.13.7.tgz", + "integrity": "sha512-GMXzWtsc57XAtguZgaQViUOzs0KTkk8ojr3/xAxXLITqf/3EMwxC0inyETfDFjH/Krbhuep0HNbbjI9i/q3F3g==" }, "node_modules/undici-types": { - "version": "5.26.5", - "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-5.26.5.tgz", - "integrity": "sha512-JlCMO+ehdEIKqlFxk6IfVoAUVmgz7cU7zD/h9XZ0qzeosSHmUJVOzSQvvYSYWXkFXC+IfLKSIffhv0sVZup6pA==" + "version": "6.19.8", + "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-6.19.8.tgz", + "integrity": "sha512-ve2KP6f/JnbPBFyobGHuerC9g1FYGn/F8n1LWTwNxCEzd6IfqTwUQcNXgEtmmQ6DlRrC1hrSrBnCZPokRrDHjw==" }, "node_modules/unicode-properties": { "version": "1.4.1", @@ -6813,14 +7638,15 @@ "version": "1.0.0", "resolved": "https://registry.npmjs.org/unpipe/-/unpipe-1.0.0.tgz", "integrity": "sha512-pjy2bYhSsufwWlKwPc+l3cN7+wuJlK6uz0YdJEOlQDbl6jo/YlPi4mb8agUkVC8BF7V8NuzeyPNqRksA3hztKQ==", + "license": "MIT", "engines": { "node": ">= 0.8" } }, "node_modules/update-browserslist-db": { - "version": "1.0.16", - "resolved": "https://registry.npmjs.org/update-browserslist-db/-/update-browserslist-db-1.0.16.tgz", - "integrity": "sha512-KVbTxlBYlckhF5wgfyZXTWnMn7MMZjMu9XG8bPlliUOP9ThaF4QnhP8qrjrH7DRzHfSk0oQv1wToW+iA5GajEQ==", + "version": "1.1.0", + "resolved": "https://registry.npmjs.org/update-browserslist-db/-/update-browserslist-db-1.1.0.tgz", + "integrity": "sha512-EdRAaAyk2cUE1wOf2DkEhzxqOQvFOoRJFNS6NeyJ01Gp2beMRpBAINjM2iDXE3KCuKhwnvHIQCJm6ThL2Z+HzQ==", "dev": true, "funding": [ { 
@@ -6879,9 +7705,9 @@ } }, "node_modules/uuid": { - "version": "9.0.1", - "resolved": "https://registry.npmjs.org/uuid/-/uuid-9.0.1.tgz", - "integrity": "sha512-b+1eJOlsR9K8HJpow9Ok3fiWOWSIcIzXodvv0rQjVoOVNpWMpxf1wZNpt4y9h10odCNrqnYp1OBzRktckBe3sA==", + "version": "10.0.0", + "resolved": "https://registry.npmjs.org/uuid/-/uuid-10.0.0.tgz", + "integrity": "sha512-8XkAphELsDnEGrDxUOHB3RGvXz6TeuYSGEZBOjtTtPm2lwhGBjLgOzLHB63IUWfBpNucQjND6d3AOudO+H3RWQ==", "funding": [ "https://github.com/sponsors/broofa", "https://github.com/sponsors/ctavan" @@ -6965,16 +7791,17 @@ "integrity": "sha512-gvVzJFlPycKc5dZN4yPkP8w7Dc37BtP1yczEneOb4uq34pXZcvrtRTmWV8W+Ume+XCxKgbjM+nevkyFPMybd4Q==" }, "node_modules/wrap-ansi": { - "version": "7.0.0", - "resolved": "https://registry.npmjs.org/wrap-ansi/-/wrap-ansi-7.0.0.tgz", - "integrity": "sha512-YVGIj2kamLSTxw6NsZjoBxfSwsn0ycdesmc4p+Q21c5zPuZ1pl+NfxVdxPtdHvmNVOQ6XSYG4AUtyt/Fi7D16Q==", + "version": "9.0.0", + "resolved": "https://registry.npmjs.org/wrap-ansi/-/wrap-ansi-9.0.0.tgz", + "integrity": "sha512-G8ura3S+3Z2G+mkgNRq8dqaFZAuxfsxpBB8OCTGRTCtp+l/v9nbFNmCUP1BZMts3G1142MsZfn6eeUKrr4PD1Q==", + "dev": true, "dependencies": { - "ansi-styles": "^4.0.0", - "string-width": "^4.1.0", - "strip-ansi": "^6.0.0" + "ansi-styles": "^6.2.1", + "string-width": "^7.0.0", + "strip-ansi": "^7.1.0" }, "engines": { - "node": ">=10" + "node": ">=18" }, "funding": { "url": "https://github.com/chalk/wrap-ansi?sponsor=1" 
@@ -6997,6 +7824,71 @@ "url": "https://github.com/chalk/wrap-ansi?sponsor=1" } }, + "node_modules/wrap-ansi-cjs/node_modules/emoji-regex": { + "version": "8.0.0", + "resolved": "https://registry.npmjs.org/emoji-regex/-/emoji-regex-8.0.0.tgz", + "integrity": "sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A==" + }, + "node_modules/wrap-ansi-cjs/node_modules/is-fullwidth-code-point": { + "version": "3.0.0", + "resolved": "https://registry.npmjs.org/is-fullwidth-code-point/-/is-fullwidth-code-point-3.0.0.tgz", + "integrity": "sha512-zymm5+u+sCsSWyD9qNaejV3DFvhCKclKdizYaJUuHA83RLjb7nSuGnddCHGv0hk+KY7BMAlsWeK4Ueg6EV6XQg==", + "engines": { + "node": ">=8" + } + }, + "node_modules/wrap-ansi-cjs/node_modules/string-width": { + "version": "4.2.3", + "resolved": "https://registry.npmjs.org/string-width/-/string-width-4.2.3.tgz", + "integrity": "sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g==", + "dependencies": { + "emoji-regex": "^8.0.0", + "is-fullwidth-code-point": "^3.0.0", + "strip-ansi": "^6.0.1" + }, + "engines": { + "node": ">=8" + } + }, + "node_modules/wrap-ansi/node_modules/ansi-regex": { + "version": "6.1.0", + "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-6.1.0.tgz", + "integrity": "sha512-7HSX4QQb4CspciLpVFwyRe79O3xsIZDDLER21kERQ71oaPodF8jL725AgJMFAYbooIqolJoRLuM81SpeUkpkvA==", + "dev": true, + "engines": { + "node": ">=12" + }, + "funding": { + "url": "https://github.com/chalk/ansi-regex?sponsor=1" + } + }, + "node_modules/wrap-ansi/node_modules/ansi-styles": { + "version": "6.2.1", + "resolved": "https://registry.npmjs.org/ansi-styles/-/ansi-styles-6.2.1.tgz", + "integrity": "sha512-bN798gFfQX+viw3R7yrGWRqnrN2oRkEkUjjl4JNn4E8GxxbjtG3FbrEIIY3l8/hrwUwIeCZvi4QuOTP4MErVug==", + "dev": true, + "engines": { + "node": ">=12" + }, + "funding": { + "url": "https://github.com/chalk/ansi-styles?sponsor=1" + } + }, + 
"node_modules/wrap-ansi/node_modules/strip-ansi": { + "version": "7.1.0", + "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-7.1.0.tgz", + "integrity": "sha512-iq6eVVI64nQQTRYq2KtEg2d2uU7LElhTJwsH4YzIHZshxlgZms/wIc4VoDQTlG/IvVIrBKG06CrZnp0qv7hkcQ==", + "dev": true, + "dependencies": { + "ansi-regex": "^6.0.1" + }, + "engines": { + "node": ">=12" + }, + "funding": { + "url": "https://github.com/chalk/strip-ansi?sponsor=1" + } + }, "node_modules/wrappy": { "version": "1.0.2", "resolved": "https://registry.npmjs.org/wrappy/-/wrappy-1.0.2.tgz", @@ -7016,9 +7908,9 @@ } }, "node_modules/ws": { - "version": "8.17.1", - "resolved": "https://registry.npmjs.org/ws/-/ws-8.17.1.tgz", - "integrity": "sha512-6XQFvXTkbfUOZOKKILFG1PDK2NDQs4azKQl26T0YS5CxqWLgXajbPZ+h4gZekJyRqFU8pvnbAbbs/3TgRPy+GQ==", + "version": "8.18.0", + "resolved": "https://registry.npmjs.org/ws/-/ws-8.18.0.tgz", + "integrity": "sha512-8VbfWfHLbbwu3+N6OKsOMpBdT4kXPDDB9cJk2bJ6mh9ucxdlnNvH1e+roYkKmN9Nxw2yjz7VzeO9oOz2zJ04Pw==", "engines": { "node": ">=10.0.0" }, @@ -7050,9 +7942,9 @@ "dev": true }, "node_modules/yaml": { - "version": "2.4.5", - "resolved": "https://registry.npmjs.org/yaml/-/yaml-2.4.5.tgz", - "integrity": "sha512-aBx2bnqDzVOyNKfsysjA2ms5ZlnjSAW2eG3/L5G/CSujfjLJTJsEw1bGw8kCf04KodQWk1pxlGnZ56CRxiawmg==", + "version": "2.5.1", + "resolved": "https://registry.npmjs.org/yaml/-/yaml-2.5.1.tgz", + "integrity": "sha512-bLQOjaX/ADgQ20isPJRvF0iRUHIxVhYvr53Of7wGcWlO2jvtUlH5m87DsmulFVxRpNLOnI4tB6p/oh8D7kpn9Q==", "bin": { "yaml": "bin.mjs" }, 
@@ -7085,6 +7977,32 @@ "node": ">=12" } }, + "node_modules/yargs/node_modules/emoji-regex": { + "version": "8.0.0", + "resolved": "https://registry.npmjs.org/emoji-regex/-/emoji-regex-8.0.0.tgz", + "integrity": "sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A==" + }, + "node_modules/yargs/node_modules/is-fullwidth-code-point": { + "version": "3.0.0", + "resolved": "https://registry.npmjs.org/is-fullwidth-code-point/-/is-fullwidth-code-point-3.0.0.tgz", + "integrity": "sha512-zymm5+u+sCsSWyD9qNaejV3DFvhCKclKdizYaJUuHA83RLjb7nSuGnddCHGv0hk+KY7BMAlsWeK4Ueg6EV6XQg==", + "engines": { + "node": ">=8" + } + }, + "node_modules/yargs/node_modules/string-width": { + "version": "4.2.3", + "resolved": "https://registry.npmjs.org/string-width/-/string-width-4.2.3.tgz", + "integrity": "sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g==", + "dependencies": { + "emoji-regex": "^8.0.0", + "is-fullwidth-code-point": "^3.0.0", + "strip-ansi": "^6.0.1" + }, + "engines": { + "node": ">=8" + } + }, "node_modules/yocto-queue": { "version": "0.1.0", "resolved": "https://registry.npmjs.org/yocto-queue/-/yocto-queue-0.1.0.tgz", diff --git a/package.json b/package.json index 1b7e6beaf..a0c4fc6f2 100644 --- a/package.json +++ b/package.json 
@@ -23,25 +23,20 @@ "zarf" ], "labels": [] - }, - "env": { - "UDS_DOMAIN": "###ZARF_VAR_DOMAIN###", - "UDS_CA_CERT": "###ZARF_VAR_CA_CERT###", - "UDS_ALLOW_ALL_NS_EXEMPTIONS": "###ZARF_VAR_ALLOW_ALL_NS_EXEMPTIONS###", - "UDS_SINGLE_TEST": "###ZARF_VAR_UDS_SINGLE_TEST###", - "UDS_LOG_LEVEL": "###ZARF_VAR_UDS_LOG_LEVEL###" } }, "scripts": { "k3d-setup": "k3d cluster delete pepr-dev && k3d cluster create pepr-dev --k3s-arg '--debug@server:0'" }, "dependencies": { - "pepr": "0.32.6" + "pepr": "0.36.0" }, "devDependencies": { "@jest/globals": "29.7.0", + "husky": "9.1.6", "jest": "29.7.0", - "ts-jest": "29.2.0" + "lint-staged": "15.2.10", + "ts-jest": "29.2.5" }, "jest": { "preset": "ts-jest", diff --git a/packages/slim-dev/zarf.yaml b/packages/slim-dev/zarf.yaml index c7f0e40a4..8e72b8e01 100644 --- a/packages/slim-dev/zarf.yaml +++ b/packages/slim-dev/zarf.yaml @@ -4,15 +4,15 @@ metadata: description: "UDS Core (Istio, UDS Operator and Keycloak)" authors: "Defense Unicorns - Product" # x-release-please-start-version - version: "0.23.0" + version: "0.27.3" # x-release-please-end -variables: - - name: CA_CERT - description: "Base64 encoded CA cert that signed the domain wildcard certs used for Istio ingress" - default: "" - components: + - name: uds-operator-config + required: true + import: + path: ../../src/pepr + # CRDs - name: prometheus-operator-crds required: true @@ -44,8 +44,7 @@ components: - name: pepr-uds-core required: true import: - path: ../../dist - name: module + path: ../../src/pepr # Keycloak - name: keycloak diff --git a/packages/standard/zarf.yaml b/packages/standard/zarf.yaml index 196275fd3..10d402458 100644 --- a/packages/standard/zarf.yaml +++ b/packages/standard/zarf.yaml 
@@ -4,15 +4,15 @@ metadata: description: "UDS Core" authors: "Defense Unicorns - Product" # x-release-please-start-version - version: "0.23.0" + version: "0.27.3" # x-release-please-end -variables: - - name: CA_CERT - description: "Base64 encoded CA cert that signed the domain wildcard certs used for Istio ingress" - default: "" - components: + - name: uds-operator-config + required: true + import: + path: ../../src/pepr + # CRDs - name: prometheus-operator-crds required: true @@ -44,12 +44,11 @@ components: - name: pepr-uds-core required: true import: - path: ../../dist - name: module + path: ../../src/pepr # Metrics Server - name: metrics-server - required: true + required: false import: path: ../../src/metrics-server @@ -95,6 +94,12 @@ components: import: path: ../../src/authservice + # UDS Runtime + - name: uds-runtime + required: false + import: + path: ../../src/runtime + # Velero - name: velero required: true diff --git a/release-please-config.json b/release-please-config.json index ab5696504..55d182d93 100644 --- a/release-please-config.json +++ b/release-please-config.json @@ -9,6 +9,7 @@ { "type": "fix", "section": "Bug Fixes", "hidden": false }, { "type": "chore", "section": "Miscellaneous", "hidden": false } ], + "bump-minor-pre-major": true, "versioning": "default", "extra-files": [ ".github/bundles/uds-bundle.yaml", diff --git a/renovate.json b/renovate.json index 80ac376bc..27804d714 100644 --- a/renovate.json +++ b/renovate.json @@ -1,6 +1,6 @@ { "extends": [ - "github>defenseunicorns/uds-common//config/renovate.json5", + "github>defenseunicorns/uds-common//config/renovate.json5#helm-match-fix", ":semanticCommits", ":semanticCommitTypeAll(chore)" ], 
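Review bot: The new `uds-operator-config` component is the only entry in the components list without a section header like the `# CRDs` and `# Keycloak` comments around it, and the same hunk drops the package-level `CA_CERT` variable whose description was the only place explaining how the Istio ingress CA reached the operator. The replacement path is not visible in this diff (the `package.json` hunk in the same commit also removes the `UDS_CA_CERT` / `UDS_DOMAIN` / `UDS_ALLOW_ALL_NS_EXEMPTIONS` env mapping), so a reader of this file can no longer tell where those values now come from. Add a header such as `# UDS Operator configuration (domain, CA cert and exemption settings; replaces the former CA_CERT package variable)` if that is indeed what the imported component carries, and otherwise confirm that nothing under `src/pepr` still references `###ZARF_VAR_CA_CERT###`, which would now survive unsubstituted.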
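Review bot: The shared Renovate preset is now pulled from a mutable branch ref, `github>defenseunicorns/uds-common//config/renovate.json5#helm-match-fix`, instead of the default branch or a tag. Anyone who can push to that branch in `defenseunicorns/uds-common` can change what Renovate does to this repository (package rules, `pinDigests`, ignore paths) without any review here, which is the same class of risk as an unpinned third-party action. Treat the ref as temporary: record in the PR description which upstream change it tracks, and revert to `github>defenseunicorns/uds-common//config/renovate.json5` or a tagged ref (e.g. `#vX.Y.Z`) as soon as that fix merges.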
@@ -11,40 +11,6 @@ "helm-values": { "ignorePaths": ["src/neuvector/values"] }, - "regexManagers": [ - { - "fileMatch": ["^src/neuvector/values/.*\\.yaml$"], - "matchStrings": [ - "registry:\\s+(?.*?)\n(.|\\s)*repository:\\s+(?.*?)\\s+tag:\\s+[\"]?(?[^\"]*)[\"]?" - ], - "registryUrlTemplate": "https://{{{registryUrl}}}", - "datasourceTemplate": "docker" - }, - { - "fileMatch": ["^src/neuvector/values/upstream-values\\.yaml$"], - "matchStrings": [ - "registry: docker.io\\s+tag:\\s+[\"]?(?[^\"]*)[\"]?" - ], - "depNameTemplate": "docker.io/neuvector/controller", - "datasourceTemplate": "docker" - }, - { - "fileMatch": ["^src/neuvector/values/unicorn-values\\.yaml$"], - "matchStrings": [ - "registry: cgr.dev\\s+tag:\\s+[\"]?(?[^\"]*)[\"]?" - ], - "depNameTemplate": "cgr.dev/du-uds-defenseunicorns/neuvector-controller-fips", - "datasourceTemplate": "docker" - }, - { - "fileMatch": ["^src/neuvector/values/registry1-values\\.yaml$"], - "matchStrings": [ - "registry: registry1.dso.mil\\s+tag:\\s+[\"]?(?[^\"]*)[\"]?" - ], - "depNameTemplate": "registry1.dso.mil/ironbank/neuvector/neuvector/controller", - "datasourceTemplate": "docker" - } - ], "packageRules": [ { "matchFileNames": ["src/authservice/**"], @@ -107,7 +73,7 @@ "commitMessageTopic": "grafana" }, { - "matchPackageNames": ["defenseunicorns/zarf", "ghcr.io/defenseunicorns/packages/init"], + "matchPackageNames": ["zarf-dev/zarf", "ghcr.io/zarf-dev/packages/init"], "groupName": "zarf", "commitMessageTopic": "zarf" }, @@ -123,7 +89,7 @@ }, { "matchFileNames": [".github/workflows/**", ".github/actions/**"], - "excludePackageNames": ["defenseunicorns/zarf", "defenseunicorns/uds-cli"], + "excludePackageNames": ["zarf-dev/zarf", "defenseunicorns/uds-cli"], "groupName": "githubactions", "commitMessageTopic": "githubactions", "pinDigests": true diff --git a/src/authservice/chart/templates/uds-package.yaml b/src/authservice/chart/templates/uds-package.yaml index ac12b65bd..0e4e583de 100644 
--- a/src/authservice/chart/templates/uds-package.yaml +++ b/src/authservice/chart/templates/uds-package.yaml @@ -15,11 +15,26 @@ spec: # Egress must be allowed to the external facing Keycloak endpoint - direction: Egress - remoteGenerated: Anywhere + remoteSelector: + app: tenant-ingressgateway + remoteNamespace: istio-tenant-gateway description: "SSO Provider" + {{- if .Values.redis.uri }} + - direction: Egress + description: Redis Session Store + {{- if .Values.redis.internal.enabled }} + remoteSelector: {{ .Values.redis.internal.remoteSelector }} + remoteNamespace: {{ .Values.redis.internal.remoteNamespace }} + {{- else if .Values.redis.egressCidr }} + remoteCidr: {{ .Values.redis.egressCidr }} + {{- else }} + remoteGenerated: Anywhere + {{- end }} + {{- end }} + - direction: Ingress - podLabels: + selector: app.kubernetes.io/name: authservice remoteNamespace: "" # Any namespace could have a protected app port: 10003 diff --git a/src/authservice/chart/values.yaml b/src/authservice/chart/values.yaml index b28496153..06a631c9c 100644 --- a/src/authservice/chart/values.yaml +++ b/src/authservice/chart/values.yaml @@ -9,6 +9,14 @@ image: nameOverride: "authservice" +redis: + uri: "###ZARF_VAR_AUTHSERVICE_REDIS_URI###" + egressCidr: "" + internal: + enabled: false + remoteSelector: {} + remoteNamespace: "" + podAnnotations: {} podSecurityContext: {} diff --git a/src/authservice/common/zarf.yaml b/src/authservice/common/zarf.yaml index aa7cefa85..59914ddd9 100644 --- a/src/authservice/common/zarf.yaml +++ b/src/authservice/common/zarf.yaml @@ -19,7 +19,7 @@ components: maxTotalSeconds: 300 wait: cluster: - kind: Packages + kind: packages.uds.dev name: authservice namespace: authservice condition: "'{.status.phase}'=Ready" diff --git a/src/authservice/values/registry1-values.yaml b/src/authservice/values/registry1-values.yaml index ba6e8f324..ad28c1a01 100644 --- a/src/authservice/values/registry1-values.yaml +++ b/src/authservice/values/registry1-values.yaml 
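Review bot: `remoteSelector: {{ .Values.redis.internal.remoteSelector }}` in the new Redis egress rule interpolates a map directly, and Go templates render a map as `map[key:value]`, not as YAML, so the selector will fail to parse as soon as `redis.internal.enabled` is true (with the `{}` default it renders as `map[]`). Render it with `remoteSelector: {{- toYaml .Values.redis.internal.remoteSelector | nindent N }}`, with N matching the indentation of the sibling `remoteNamespace` key, and quote `remoteNamespace: {{ .Values.redis.internal.remoteNamespace | quote }}` so an empty value does not become `null`. Separately, the `{{- else }}` branch falls back to `remoteGenerated: Anywhere` whenever `redis.uri` is set but neither `internal.enabled` nor `egressCidr` is configured, silently reintroducing the unrestricted egress the rest of this hunk removes; consider `{{- else }}{{ fail "redis.uri is set but neither redis.internal.enabled nor redis.egressCidr is configured" }}{{- end }}`, or at minimum a comment on the branch stating that this is an intentional open-egress fallback.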
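Review bot: `redis.uri` defaults to the literal placeholder `###ZARF_VAR_AUTHSERVICE_REDIS_URI###`, and the chart template added in this commit gates the Redis egress rule on `{{ if .Values.redis.uri }}`; Zarf only substitutes variables that the package declares, and the `AUTHSERVICE_REDIS_URI` declaration is not visible anywhere in this diff. If it is missing, the placeholder survives, the condition is truthy, and with the defaults shown here (`egressCidr: ""`, `internal.enabled: false`) the rendered rule is `remoteGenerated: Anywhere`. Confirm the variable is declared with `default: ""` in the package's zarf.yaml, and document the field here, e.g. `# Redis connection string for the session store; may contain credentials, supplied via the AUTHSERVICE_REDIS_URI Zarf variable. Leave empty to disable.`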
@@ -1,3 +1,3 @@ image: repository: registry1.dso.mil/ironbank/istio-ecosystem/authservice - tag: "1.0.1-ubi9" + tag: "1.0.2-ubi9" diff --git a/src/authservice/values/unicorn-values.yaml b/src/authservice/values/unicorn-values.yaml index 34feb99c9..34bb6887d 100644 --- a/src/authservice/values/unicorn-values.yaml +++ b/src/authservice/values/unicorn-values.yaml @@ -1,3 +1,3 @@ image: repository: cgr.dev/du-uds-defenseunicorns/authservice-fips - tag: "1.0.1" + tag: "1.0.2" diff --git a/src/authservice/values/upstream-values.yaml b/src/authservice/values/upstream-values.yaml index f4167f3c7..f85681777 100644 --- a/src/authservice/values/upstream-values.yaml +++ b/src/authservice/values/upstream-values.yaml @@ -1,3 +1,3 @@ image: repository: ghcr.io/istio-ecosystem/authservice/authservice - tag: "1.0.1" + tag: "1.0.2" diff --git a/src/authservice/zarf.yaml b/src/authservice/zarf.yaml index 3856fbf17..e214a28fc 100644 --- a/src/authservice/zarf.yaml +++ b/src/authservice/zarf.yaml @@ -16,7 +16,7 @@ components: valuesFiles: - values/upstream-values.yaml images: - - ghcr.io/istio-ecosystem/authservice/authservice:1.0.1 + - ghcr.io/istio-ecosystem/authservice/authservice:1.0.2 - name: authservice required: true @@ -29,7 +29,7 @@ components: valuesFiles: - values/registry1-values.yaml images: - - registry1.dso.mil/ironbank/istio-ecosystem/authservice:1.0.1-ubi9 + - registry1.dso.mil/ironbank/istio-ecosystem/authservice:1.0.2-ubi9 - name: authservice required: true @@ -42,4 +42,4 @@ components: valuesFiles: - values/unicorn-values.yaml images: - - cgr.dev/du-uds-defenseunicorns/authservice-fips:1.0.1 + - cgr.dev/du-uds-defenseunicorns/authservice-fips:1.0.2 diff --git a/src/grafana/chart/templates/uds-package.yaml b/src/grafana/chart/templates/uds-package.yaml index 713a103a0..0181bc8f1 100644 --- a/src/grafana/chart/templates/uds-package.yaml +++ b/src/grafana/chart/templates/uds-package.yaml 
@@ -28,23 +28,38 @@ spec: targetPort: 3000 allow: - - direction: Ingress + # Egress allowed to Loki + - direction: Egress selector: app.kubernetes.io/name: grafana - remoteNamespace: tempo + remoteNamespace: loki remoteSelector: - app.kubernetes.io/name: tempo - port: 9090 - description: "Tempo Datasource" + app.kubernetes.io/name: loki + description: "Loki Datasource" + port: 8080 + # Egress allowed to Prometheus - direction: Egress selector: app.kubernetes.io/name: grafana - remoteGenerated: Anywhere + remoteNamespace: monitoring + remoteSelector: + app.kubernetes.io/name: prometheus + description: "Prometheus Datasource" + port: 9090 + # Egress allowed to Keyclaok - direction: Egress - remoteNamespace: tempo + selector: + app.kubernetes.io/name: grafana + remoteNamespace: keycloak remoteSelector: - app.kubernetes.io/name: tempo - port: 9411 - description: "Tempo" + app.kubernetes.io/name: keycloak + description: "SSO Provider" + + # Egress allowed to KubeAPI + - direction: Egress + selector: + app.kubernetes.io/name: grafana + remoteGenerated: KubeAPI + description: "Datasources Watcher" diff --git a/src/grafana/common/zarf.yaml b/src/grafana/common/zarf.yaml index bc614aa15..e707fc78f 100644 --- a/src/grafana/common/zarf.yaml +++ b/src/grafana/common/zarf.yaml @@ -14,7 +14,7 @@ components: localPath: ../chart - name: grafana url: https://grafana.github.io/helm-charts/ - version: 8.3.2 + version: 8.5.1 namespace: grafana valuesFiles: - ../values/values.yaml @@ -25,7 +25,7 @@ components: maxTotalSeconds: 300 wait: cluster: - kind: Packages + kind: packages.uds.dev name: grafana namespace: grafana condition: "'{.status.phase}'=Ready" diff --git a/src/grafana/oscal-component.yaml b/src/grafana/oscal-component.yaml index e0c0516d4..5966df926 100644 --- a/src/grafana/oscal-component.yaml +++ b/src/grafana/oscal-component.yaml 
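Review bot: The Keycloak rule's comment reads `# Egress allowed to Keyclaok`; change it to `# Egress allowed to Keycloak`. That rule is also the only target-specific egress in the hunk without a `port:`, whereas the Loki (8080) and Prometheus (9090) rules are port-scoped; if Grafana only needs Keycloak's HTTP port for OIDC, add the matching `port:` entry, and if the omission is deliberate, say so in the comment so the next reader does not "fix" it.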
@@ -4,7 +4,7 @@ component-definition: title: Grafana last-modified: "2024-01-18T16:36:58Z" version: "20240118" - oscal-version: 1.1.1 + oscal-version: 1.1.2 parties: - uuid: f3cf70f8-ba44-4e55-9ea3-389ef24847d3 type: organization @@ -228,7 +228,10 @@ component-definition: # Control Implementation Compatible metrics endpoints emitted from each application is compiled by Prometheus and displayed through Grafana with associated timestamps of when the data was collected. - + props: + - name: framework + ns: https://docs.lula.dev/oscal/ns + value: il4 back-matter: resources: - uuid: d429396c-1dab-4712-9034-607c90a63b8a diff --git a/src/grafana/values/registry1-values.yaml b/src/grafana/values/registry1-values.yaml index b32d33a08..faeb618aa 100644 --- a/src/grafana/values/registry1-values.yaml +++ b/src/grafana/values/registry1-values.yaml @@ -1,7 +1,7 @@ image: registry: registry1.dso.mil repository: ironbank/opensource/grafana/grafana - tag: 11.1.0 + tag: 11.2.0 initChownData: image: @@ -18,4 +18,4 @@ sidecar: image: registry: registry1.dso.mil repository: ironbank/kiwigrid/k8s-sidecar - tag: 1.27.4 + tag: 1.27.6 diff --git a/src/grafana/values/unicorn-values.yaml b/src/grafana/values/unicorn-values.yaml index 517e3e2a8..b03311547 100644 --- a/src/grafana/values/unicorn-values.yaml +++ b/src/grafana/values/unicorn-values.yaml @@ -1,7 +1,7 @@ image: registry: cgr.dev repository: du-uds-defenseunicorns/grafana-fips - tag: 11.1.0 + tag: 11.2.0 initChownData: image: @@ -12,10 +12,10 @@ initChownData: downloadDashboardsImage: registry: cgr.dev repository: du-uds-defenseunicorns/curl-fips - tag: 8.8.0 + tag: 8.10.1 sidecar: image: registry: cgr.dev repository: du-uds-defenseunicorns/k8s-sidecar-fips - tag: 1.27.4 + tag: 1.27.6 diff --git a/src/grafana/values/upstream-values.yaml b/src/grafana/values/upstream-values.yaml index d711cae7b..7da312248 100644 --- a/src/grafana/values/upstream-values.yaml +++ b/src/grafana/values/upstream-values.yaml 
@@ -3,12 +3,12 @@ sidecar: # -- The Docker registry registry: ghcr.io repository: kiwigrid/k8s-sidecar - tag: 1.27.4 + tag: 1.27.6 image: registry: docker.io repository: grafana/grafana - tag: 11.1.0 + tag: 11.2.0 initChownData: image: @@ -19,4 +19,4 @@ initChownData: downloadDashboardsImage: registry: docker.io repository: curlimages/curl - tag: 8.8.0 + tag: 8.10.1 diff --git a/src/grafana/values/values.yaml b/src/grafana/values/values.yaml index 450d68776..6ae3c9a8b 100644 --- a/src/grafana/values/values.yaml +++ b/src/grafana/values/values.yaml @@ -17,6 +17,11 @@ extraSecretMounts: grafana.ini: server: root_url: https://grafana.admin.###ZARF_VAR_DOMAIN### + # Disable telemetry that doesn't function in the airgap + analytics: + reporting_enabled: false + check_for_updates: false + check_for_plugin_updates: false auth: # Disable the login form to force users to use SSO disable_login_form: true diff --git a/src/grafana/zarf.yaml b/src/grafana/zarf.yaml index b68fd6c43..a59ba5ecb 100644 --- a/src/grafana/zarf.yaml +++ b/src/grafana/zarf.yaml @@ -21,10 +21,10 @@ components: valuesFiles: - values/upstream-values.yaml images: - - docker.io/grafana/grafana:11.1.0 - - docker.io/curlimages/curl:8.8.0 + - docker.io/grafana/grafana:11.2.0 + - docker.io/curlimages/curl:8.10.1 - docker.io/library/busybox:1.36.1 - - ghcr.io/kiwigrid/k8s-sidecar:1.27.4 + - ghcr.io/kiwigrid/k8s-sidecar:1.27.6 - name: grafana required: true @@ -37,9 +37,9 @@ components: valuesFiles: - values/registry1-values.yaml images: - - registry1.dso.mil/ironbank/opensource/grafana/grafana:11.1.0 + - registry1.dso.mil/ironbank/opensource/grafana/grafana:11.2.0 - registry1.dso.mil/ironbank/redhat/ubi/ubi9-minimal:9.4 - - registry1.dso.mil/ironbank/kiwigrid/k8s-sidecar:1.27.4 + - registry1.dso.mil/ironbank/kiwigrid/k8s-sidecar:1.27.6 - name: grafana required: true 
@@ -52,7 +52,7 @@ components: valuesFiles: - values/unicorn-values.yaml images: - - cgr.dev/du-uds-defenseunicorns/grafana-fips:11.1.0 + - cgr.dev/du-uds-defenseunicorns/grafana-fips:11.2.0 - cgr.dev/du-uds-defenseunicorns/busybox-fips:1.36.1 - - cgr.dev/du-uds-defenseunicorns/curl-fips:8.8.0 - - cgr.dev/du-uds-defenseunicorns/k8s-sidecar-fips:1.27.4 + - cgr.dev/du-uds-defenseunicorns/curl-fips:8.10.1 + - cgr.dev/du-uds-defenseunicorns/k8s-sidecar-fips:1.27.6 diff --git a/src/istio/chart/templates/gateway.yaml b/src/istio/chart/templates/gateway.yaml index ea2d7c28a..eb09e0564 100644 --- a/src/istio/chart/templates/gateway.yaml +++ b/src/istio/chart/templates/gateway.yaml @@ -32,7 +32,8 @@ spec: mode: {{ $server.mode }} {{- if ne $server.mode "PASSTHROUGH" }} credentialName: gateway-tls - minProtocolVersion: TLSV1_3 + # if supportTLSV1_2 is both defined and true, use TLSV1_2, otherwise use TLSV1_3 + minProtocolVersion: {{ if $.Values.tls.supportTLSV1_2 }}TLSV1_2{{ else }}TLSV1_3{{ end }} {{- end }} {{ end }} {{ end }} diff --git a/src/istio/chart/values.yaml b/src/istio/chart/values.yaml index cf564b049..618b15015 100644 --- a/src/istio/chart/values.yaml +++ b/src/istio/chart/values.yaml @@ -24,3 +24,5 @@ domain: "###ZARF_VAR_DOMAIN###" # # Hosts to add to this gateway # hosts: # - "*" +# # Whether to support TLS 1.2 (if false, only TLS 1.3 will be supported) +# supportTLSV1_2: true diff --git a/src/istio/common/manifests/pepr-istio-config.yaml b/src/istio/common/manifests/pepr-istio-config.yaml index 062a5ee05..50eaf2ee1 100644 --- a/src/istio/common/manifests/pepr-istio-config.yaml +++ b/src/istio/common/manifests/pepr-istio-config.yaml 
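Review bot: Setting `supportTLSV1_2` lowers `minProtocolVersion` to TLSV1_2 for every non-PASSTHROUGH server in this loop without constraining `cipherSuites`, so the gateway falls back to Envoy's default TLS 1.2 cipher list rather than a vetted allowlist. If the flag is needed for legacy clients, pair it with an explicit `cipherSuites` list in the same `tls:` block and warn in the values comment, e.g. `# Enabling TLS 1.2 also falls back to Envoy's default 1.2 cipher list; set tls.cipherSuites when you turn this on`. The template reads the chart-wide key `$.Values.tls.supportTLSV1_2`, while the documented example in values.yaml sits beside the per-server `hosts` example, so it is worth confirming the documented path is the one the template actually reads. The enclosing `range` over servers starts outside the hunk.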
@@ -21,3 +21,18 @@ spec: portLevelMtls: "3000": mode: PERMISSIVE +--- +apiVersion: "security.istio.io/v1beta1" +kind: PeerAuthentication +metadata: + name: permissive-pepr-webhook-watcher + namespace: pepr-system +spec: + selector: + matchLabels: + pepr.dev/controller: watcher + mtls: + mode: STRICT + portLevelMtls: + "3000": + mode: PERMISSIVE diff --git a/src/istio/common/zarf.yaml b/src/istio/common/zarf.yaml index 717d64c29..76e8c1e54 100644 --- a/src/istio/common/zarf.yaml +++ b/src/istio/common/zarf.yaml @@ -10,11 +10,11 @@ components: charts: - name: base url: https://istio-release.storage.googleapis.com/charts - version: 1.22.2 + version: 1.23.1 namespace: istio-system - name: istiod url: https://istio-release.storage.googleapis.com/charts - version: 1.22.2 + version: 1.23.1 namespace: istio-system valuesFiles: - "../values/values.yaml" diff --git a/src/istio/oscal-component.yaml b/src/istio/oscal-component.yaml index e1f621528..5ceae0134 100644 --- a/src/istio/oscal-component.yaml +++ b/src/istio/oscal-component.yaml 
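Review bot: The new watcher PeerAuthentication leaves port 3000 `PERMISSIVE` under an otherwise `STRICT` policy with no comment saying why, mirroring the admission entry visible just above it. Anything listening on 3000 is then reachable without mesh mTLS and has to authenticate its callers itself; presumably this is the kube-apiserver reaching the Pepr webhook from outside the mesh, but that should be confirmed and recorded. I would add above `portLevelMtls`: `# 3000 stays PERMISSIVE because the caller (presumably kube-apiserver -> webhook) is not a mesh member; confirm the listener terminates its own TLS`. Since this patch also moves the Istio charts to 1.23.1, `security.istio.io/v1` should be available for PeerAuthentication and could replace `v1beta1` here if the existing resource in the file is updated alongside it.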
@@ -1,671 +1,1400 @@ -# add the descriptions inline component-definition: - uuid: cc873a43-e9fa-433b-8c20-222d733daf1e - metadata: - title: Istio Controlplane - last-modified: "2024-01-18T16:41:56Z" - version: "20240118" - oscal-version: 1.1.1 - parties: - - uuid: f3cf70f8-ba44-4e55-9ea3-389ef24847d3 - type: organization - name: Defense Unicorns - links: - - href: https://defenseunicorns.com - rel: website + back-matter: + resources: + - rlinks: + - href: https://github.com/istio/istio/ + title: Istio Operator + uuid: 60826461-D279-468C-9E4B-614FAC44A306 + - description: | + domain: + kubernetes-spec: + create-resources: null + resources: + - description: "" + name: istioMeshConfig + resource-rule: + field: + base64: false + jsonpath: .data.mesh + type: yaml + group: "" + name: istio + namespaces: + - istio-system + resource: configmaps + version: v1 + type: kubernetes + lula-version: "" + metadata: + name: check-istio-logging-all-traffic + uuid: 90738c86-6315-450a-ac69-cc50eb4859cc + provider: + opa-spec: + output: + observations: + - validate.msg + validation: validate.validate + rego: | + package validate + + # Default policy result + default validate = false + default msg = "Logging not enabled or configured" + + # Check if Istio's Mesh Configuration has logging enabled + validate { + logging_enabled.result + } + + msg = logging_enabled.msg + + logging_enabled = {"result": true, "msg": msg} { + # Check for access log file output to stdout + input.istioMeshConfig.accessLogFile == "/dev/stdout" + msg := "Istio is logging all traffic" + } else = {"result": false, "msg": msg} { + msg := "Istio is not logging all traffic" + } + type: opa + title: check-istio-logging-all-traffic + uuid: 90738c86-6315-450a-ac69-cc50eb4859cc + - description: | + domain: + kubernetes-spec: + create-resources: null + resources: + - description: "" + name: pods + resource-rule: + group: "" + name: "" + namespaces: [] + resource: pods + version: v1 + type: kubernetes + lula-version: "" + 
metadata: + name: istio-prometheus-annotations-validation + uuid: f345c359-3208-46fb-9348-959bd628301e + provider: + opa-spec: + output: + observations: + - validate.msg + - validate.exempt_namespaces_msg + validation: validate.validate + rego: | + package validate + import future.keywords.in + + # Default policy result + default validate = false + default msg = "Not evaluated" + + # Check for required Istio and Prometheus annotations + validate { + has_prometheus_annotation.result + } + msg = has_prometheus_annotation.msg + + # Check for prometheus annotations in pod spec + no_annotation = [sprintf("%s/%s", [pod.metadata.namespace, pod.metadata.name]) | pod := input.pods[_]; not contains_annotation(pod); not is_exempt(pod)] + + has_prometheus_annotation = {"result": true, "msg": msg} { + count(no_annotation) == 0 + msg := "All pods have correct prometheus annotations." + } else = {"result": false, "msg": msg} { + msg := sprintf("Prometheus annotations not found in pods: %s.", [concat(", ", no_annotation)]) + } + + contains_annotation(pod) { + annotations := pod.metadata.annotations + annotations["prometheus.io/scrape"] == "true" + annotations["prometheus.io/path"] != "" + annotations["prometheus.io/port"] == "15020" + } + + # Exemptions + exempt_namespaces = {"kube-system", "istio-system", "uds-dev-stack", "zarf"} + exempt_namespaces_msg = sprintf("Exempted Namespaces: %s", [concat(", ", exempt_namespaces)]) + is_exempt(pod) { + pod.metadata.namespace in exempt_namespaces + } + type: opa + title: istio-prometheus-annotations-validation + uuid: f345c359-3208-46fb-9348-959bd628301e + - description: | + domain: + kubernetes-spec: + create-resources: null + resources: + - description: "" + name: pods + resource-rule: + group: "" + name: "" + namespaces: [] + resource: pods + version: v1 + type: kubernetes + lula-version: "" + metadata: + name: all-pods-istio-injected + uuid: 1761ac07-80dd-47d2-947e-09f67943b986 + provider: + opa-spec: + output: + observations: + - 
validate.msg + - validate.exempt_namespaces_msg + validation: validate.validate + rego: | + package validate + import rego.v1 + + # Default policy result + default validate := false + default msg := "Not evaluated" + + exempt_namespaces := {"kube-system", "istio-system", "uds-dev-stack", "zarf", "istio-admin-gateway", "istio-tenant-gateway", "istio-passthrough-gateway"} + exempt_namespaces_msg = sprintf("Exempted Namespaces: %s", [concat(", ", exempt_namespaces)]) + + validate if { + has_istio_sidecar.result + } + msg = has_istio_sidecar.msg + + # Check for sidecar and init containers in pod spec + no_sidecar = [sprintf("%s/%s", [pod.metadata.namespace, pod.metadata.name]) | pod := input.pods[_]; not has_sidecar(pod); not is_exempt(pod)] + + has_istio_sidecar = {"result": true, "msg": msg} if { + count(no_sidecar) == 0 + msg := "All pods have Istio sidecar proxy." + } else = {"result": false, "msg": msg} if { + msg := sprintf("Istio sidecar proxy not found in pods: %s.", [concat(", ", no_sidecar)]) + } + + has_sidecar(pod) if { + status := pod.metadata.annotations["sidecar.istio.io/status"] + containers := json.unmarshal(status).containers + initContainers := json.unmarshal(status).initContainers + + has_container_name(pod.spec.containers, containers) + has_container_name(pod.spec.initContainers, initContainers) + } else = false + + has_container_name(containers, names) if { + container := containers[_] + container.name in names + } + + is_exempt(pod) if { + pod.metadata.namespace in exempt_namespaces + } + type: opa + title: all-pods-istio-injected + uuid: 1761ac07-80dd-47d2-947e-09f67943b986 + - description: | + domain: + kubernetes-spec: + create-resources: null + resources: + - description: "" + name: adminGateway + resource-rule: + group: networking.istio.io + name: admin-gateway + namespaces: + - istio-admin-gateway + resource: gateways + version: v1beta1 + - description: "" + name: virtualServices + resource-rule: + group: networking.istio.io + name: "" + 
namespaces: [] + resource: virtualservices + version: v1beta1 + type: kubernetes + lula-version: "" + metadata: + name: check-istio-admin-gateway-and-usage + uuid: c6c9daf1-4196-406d-8679-312c0512ab2e + provider: + opa-spec: + output: + observations: + - validate.msg + validation: validate.validate + rego: | + package validate + + # Expected admin gateway details + expected_gateway := "admin-gateway" + expected_gateway_namespace := "istio-admin-gateway" + expected_ns_name := sprintf("%s/%s", [expected_gateway_namespace, expected_gateway]) + + # Default policy result + default validate = false + default admin_gw_exists = false + default admin_vs_match = false + default msg = "Not evaluated" + + validate { + result_admin_gw_exixts.result + result_admin_vs_match.result + } + + msg = concat(" ", [result_admin_gw_exixts.msg, result_admin_vs_match.msg]) + + result_admin_gw_exixts = {"result": true, "msg": msg} { + input.adminGateway.kind == "Gateway" + input.adminGateway.metadata.name == expected_gateway + input.adminGateway.metadata.namespace == expected_gateway_namespace + msg := "Admin gateway exists." + } else = {"result": false, "msg": msg} { + msg := "Admin gateway does not exist." + } + + result_admin_vs_match = {"result": true, "msg": msg}{ + count(admin_vs-admin_vs_using_gateway) == 0 + count(all_vs_using_gateway-admin_vs_using_gateway) == 0 + msg := "Admin virtual services are using admin gateway." + } else = {"result": false, "msg": msg} { + msg := sprintf("Mismatch of admin virtual services using gateway. Admin VS not using GW: %s. 
Non-Admin VS using gateway: %s.", [concat(", ", admin_vs-admin_vs_using_gateway), concat(", ", all_vs_using_gateway-admin_vs_using_gateway)]) + } + + # Count admin virtual services + admin_vs := {adminVs.metadata.name | adminVs := input.virtualServices[_]; adminVs.kind == "VirtualService"; contains(adminVs.metadata.name, "admin")} + + # Count admin VirtualServices correctly using the admin gateway (given by vs name containing "admin") + admin_vs_using_gateway := {adminVs.metadata.name | adminVs := input.virtualServices[_]; adminVs.kind == "VirtualService"; contains(adminVs.metadata.name, "admin"); adminVs.spec.gateways[_] == expected_ns_name} + + # Count all VirtualServices using the admin gateway + all_vs_using_gateway := {vs.metadata.name | vs := input.virtualServices[_]; vs.kind == "VirtualService"; vs.spec.gateways[_] == expected_ns_name} + type: opa + title: check-istio-admin-gateway-and-usage + uuid: c6c9daf1-4196-406d-8679-312c0512ab2e + - description: | + domain: + kubernetes-spec: + create-resources: null + resources: + - description: "" + name: istioConfig + resource-rule: + field: + base64: false + jsonpath: .data.mesh + type: yaml + group: "" + name: istio + namespaces: + - istio-system + resource: configmaps + version: v1 + type: kubernetes + lula-version: "" + metadata: + name: istio-metrics-logging-configured + uuid: 70d99754-2918-400c-ac9a-319f874fff90 + provider: + opa-spec: + output: + observations: + - validate.msg + validation: validate.validate + rego: | + package validate + + # Default policy result + default validate = false + default msg = "Not evaluated" + + # Validate Istio configuration for metrics logging support + validate { + check_metrics_enabled.result + } + msg = check_metrics_enabled.msg + + check_metrics_enabled = { "result": false, "msg": msg } { + input.istioConfig.enablePrometheusMerge == false + msg := "Metrics logging not supported." + } else = { "result": true, "msg": msg } { + msg := "Metrics logging supported." 
+ } + type: opa + title: istio-metrics-logging-configured + uuid: 70d99754-2918-400c-ac9a-319f874fff90 + - description: | + lula-version: "" + metadata: + name: communications-terminated-after-inactivity-PLACEHOLDER + uuid: 663f5e92-6db4-4042-8b5a-eba3ebe5a622 + provider: + opa-spec: + rego: | + package validate + validate := false + + # Check on destination rule, outlier detection? + # -> Doesn't appear that UDS is configured to create destination rules. + type: opa + title: communications-terminated-after-inactivity-PLACEHOLDER + uuid: 663f5e92-6db4-4042-8b5a-eba3ebe5a622 + - description: | + lula-version: "" + metadata: + name: tls-origination-at-egress-PLACEHOLDER + uuid: 8be1601e-5870-4573-ab4f-c1c199944815 + provider: + opa-spec: + rego: | + package validate + default validate := false + # How to prove TLS origination is configured at egress + # DestinationRule? + type: opa + title: tls-origination-at-egress-PLACEHOLDER + uuid: 8be1601e-5870-4573-ab4f-c1c199944815 + - description: | + lula-version: "" + metadata: + name: fips-evaluation-PLACEHOLDER + uuid: 73434890-2751-4894-b7b2-7e583b4a8977 + title: fips-evaluation-PLACEHOLDER + uuid: 73434890-2751-4894-b7b2-7e583b4a8977 + - description: | + domain: + kubernetes-spec: + create-resources: null + resources: + - description: "" + name: authorizationPolicy + resource-rule: + group: security.istio.io + name: keycloak-block-admin-access-from-public-gateway + namespaces: + - keycloak + resource: authorizationpolicies + version: v1beta1 + type: kubernetes + lula-version: "" + metadata: + name: istio-enforces-authorized-keycloak-access + uuid: fbd877c8-d6b6-4d88-8685-2c4aaaab02a1 + provider: + opa-spec: + output: + observations: + - validate.msg + validation: validate.validate + rego: | + package validate + import rego.v1 + + # Default policy result + default validate := false + default msg := "Not evaluated" + + # Validate both AuthorizationPolicy restricts access to Keycloak admin + validate if { + 
check_auth_policy_for_keycloak_admin_access.result + } + + msg = check_auth_policy_for_keycloak_admin_access.msg + + check_auth_policy_for_keycloak_admin_access = {"result": true, "msg": msg} if { + input.authorizationPolicy.kind == "AuthorizationPolicy" + valid_auth_policy(input.authorizationPolicy) + msg := "AuthorizationPolicy restricts access to Keycloak admin." + } else = {"result": false, "msg": msg} if { + msg := "AuthorizationPolicy does not restrict access to Keycloak admin." + } + + # Define the rule for denying access + expected_keycloak_admin_denial_rule := { + "from": [ + { + "source": { + "notNamespaces": ["istio-admin-gateway"] + } + } + ], + "to": [ + { + "operation": { + "ports": ["8080"], + "paths": ["/admin*", "/realms/master*"] + } + } + ] + } + + # Validate that the authorization policy contains the expected first rule + valid_auth_policy(ap) if { + ap.spec.action == "DENY" + rules := ap.spec.rules + + # Ensure the expected rule is present in the input policy + some i + rules[i] == expected_keycloak_admin_denial_rule + } + type: opa + title: istio-enforces-authorized-keycloak-access + uuid: fbd877c8-d6b6-4d88-8685-2c4aaaab02a1 + - description: | + domain: + kubernetes-spec: + create-resources: null + resources: + - description: "" + name: istioConfig + resource-rule: + field: + base64: false + jsonpath: .data.mesh + type: yaml + group: "" + name: istio + namespaces: + - istio-system + resource: configmaps + version: v1 + type: kubernetes + lula-version: "" + metadata: + name: istio-tracing-logging-support + uuid: f346b797-be35-40a8-a93a-585db6fd56ec + provider: + opa-spec: + output: + observations: + - validate.msg + validation: validate.validate + rego: | + package validate + + # Default policy result + default validate = false + default msg = "Not evaluated" + + # Validate Istio configuration for event logging support + validate { + check_tracing_enabled.result + } + msg = check_tracing_enabled.msg + + check_tracing_enabled = { "result": 
true, "msg": msg } { + input.istioConfig.defaultConfig.tracing != null + input.istioConfig.defaultConfig.tracing.zipkin.address != "" + msg := "Tracing logging supported." + } else = { "result": false, "msg": msg } { + msg := "Tracing logging not supported." + } + type: opa + title: istio-tracing-logging-support + uuid: f346b797-be35-40a8-a93a-585db6fd56ec + - description: | + lula-version: "" + metadata: + name: egress-gateway-exists-and-configured-PLACEHOLDER + uuid: ecdb90c7-971a-4442-8f29-a8b0f6076bc9 + title: egress-gateway-exists-and-configured-PLACEHOLDER + uuid: ecdb90c7-971a-4442-8f29-a8b0f6076bc9 + - description: | + domain: + kubernetes-spec: + create-resources: null + resources: + - description: "" + name: networkPolicies + resource-rule: + group: networking.k8s.io + name: "" + namespaces: [] + resource: networkpolicies + version: v1 + type: kubernetes + lula-version: "" + metadata: + name: secure-communication-with-istiod + uuid: 570e2dc7-e6c2-4ad5-8ea3-f07974f59747 + provider: + opa-spec: + output: + observations: + - validate.msg_correct + - validate.msg_incorrect + validation: validate.validate + rego: | + package validate + + # Default policy result + default validate = false + default msg_correct = "Not evaluated" + default msg_incorrect = "Not evaluated" + + # Expected values + expected_istiod_port := 15012 + expected_istiod_protocol := "TCP" + required_namespaces := {"authservice", "grafana", "keycloak", "loki", "metrics-server", "monitoring", "neuvector", "promtail", "velero"} + + # Validate NetworkPolicy for Istiod in required namespaces + validate { + count(required_namespaces - correct_istiod_namespaces) == 0 + } + + msg_correct = sprintf("NetworkPolicies correctly configured for istiod in namespaces: %v.", [concat(", ", correct_istiod_namespaces)]) + msg_incorrect = msg { + missing_namespace := required_namespaces - correct_istiod_namespaces + count(missing_namespace) > 0 + msg := sprintf("NetworkPolicies not correctly configured for istiod 
in namespaces: %v.", [concat(", ", missing_namespace)]) + } else = "No incorrect istiod NetworkPolicies found." + + # Helper to find correct NetworkPolicies + correct_istiod_policies = {policy | + policy := input.networkPolicies[_] + policy.spec.egress[_].to[_].podSelector.matchLabels["istio"] == "pilot" + policy.spec.egress[_].ports[_].port == expected_istiod_port + policy.spec.egress[_].ports[_].protocol == expected_istiod_protocol + } + + # Helper to extract namespaces of correct NetworkPolicies + correct_istiod_namespaces = {policy.metadata.namespace | + policy := correct_istiod_policies[_] + } + type: opa + title: secure-communication-with-istiod + uuid: 570e2dc7-e6c2-4ad5-8ea3-f07974f59747 + - description: | + domain: + kubernetes-spec: + create-resources: null + resources: + - description: "" + name: peerAuths + resource-rule: + group: security.istio.io + name: "" + namespaces: [] + resource: peerauthentications + version: v1beta1 + type: kubernetes + lula-version: "" + metadata: + name: enforce-mtls-strict + uuid: ca49ac97-487a-446a-a0b7-92b20e2c83cb + provider: + opa-spec: + output: + observations: + - validate.msg + validation: validate.validate + rego: | + package validate + + import future.keywords.every + + # Default policy result + default validate = false + default all_strict = false + default msg = "Not evaluated" + + validate { + result_all_strict.result + } + + msg = concat(" ", [result_all_strict.msg]) + + # Rego policy logic to evaluate if all PeerAuthentications have mtls mode set to STRICT + result_all_strict = {"result": true, "msg": msg} { + every peerAuthentication in input.peerAuths { + mode := peerAuthentication.spec.mtls.mode + mode == "STRICT" + } + msg := "All PeerAuthentications have mtls mode set to STRICT." + } else = {"result": false, "msg": msg} { + msg := "Not all PeerAuthentications have mtls mode set to STRICT." 
+ } + type: opa + title: enforce-mtls-strict + uuid: ca49ac97-487a-446a-a0b7-92b20e2c83cb + - description: | + lula-version: "" + metadata: + name: authorized-traffic-egress-PLACEHOLDER + uuid: 7455f86d-b79c-4226-9ce3-f3fb7d9348c8 + title: authorized-traffic-egress-PLACEHOLDER + uuid: 7455f86d-b79c-4226-9ce3-f3fb7d9348c8 + - description: | + domain: + kubernetes-spec: + create-resources: null + resources: + - description: "" + name: namespaces + resource-rule: + group: "" + name: "" + namespaces: [] + resource: namespaces + version: v1 + type: kubernetes + lula-version: "" + metadata: + name: all-namespaces-istio-injected + uuid: 0da39859-a91a-4ca6-bd8b-9b117689188f + provider: + opa-spec: + output: + observations: + - validate.msg + - validate.exempted_namespaces_msg + validation: validate.validate + rego: | + package validate + import future.keywords.every + import future.keywords.in + + default validate = false + default msg = "Not evaluated" + + # Validation + validate { + check_non_istio_injected_namespaces.result + } + msg = check_non_istio_injected_namespaces.msg + exempted_namespaces_msg = sprintf("Exempted Namespaces: %s", [concat(", ", exempted_namespaces)]) + + # List of exempted namespaces + exempted_namespaces := {"istio-system", "kube-system", "default", "istio-admin-gateway", + "istio-passthrough-gateway", "istio-tenant-gateway", "kube-node-lease", "kube-public", "uds-crds", + "uds-dev-stack", "uds-policy-exemptions", "zarf"} + + # Collect non-Istio-injected namespaces + non_istio_injected_namespaces := {ns.metadata.name | + ns := input.namespaces[_] + ns.kind == "Namespace" + not ns.metadata.labels["istio-injection"] == "enabled" + not ns.metadata.name in exempted_namespaces + } + + # Check no non-Istio-injected namespaces + check_non_istio_injected_namespaces = { "result": true, "msg": "All namespaces are Istio-injected" } { + count(non_istio_injected_namespaces) == 0 + } else = { "result": false, "msg": msg } { + msg := sprintf("Non-Istio-injected 
namespaces: %v", [non_istio_injected_namespaces]) + } + type: opa + title: all-namespaces-istio-injected + uuid: 0da39859-a91a-4ca6-bd8b-9b117689188f + - description: | + domain: + kubernetes-spec: + create-resources: null + resources: + - description: "" + name: gateways + resource-rule: + group: networking.istio.io + name: "" + namespaces: [] + resource: gateways + version: v1beta1 + type: kubernetes + lula-version: "" + metadata: + name: gateway-configuration-check + uuid: b0a8f21e-b12f-47ea-a967-2f4a3ec69e44 + provider: + opa-spec: + output: + observations: + - validate.msg + - validate.msg_existing_gateways + - validate.msg_allowed_gateways + validation: validate.validate + rego: | + package validate + import rego.v1 + + # default values + default validate := false + default msg := "Not evaluated" + + validate if { + check_expected_gw.result + check_all_gw_found.result + } + + msg := concat(" ", [check_expected_gw.msg, check_all_gw_found.msg]) + msg_existing_gateways := concat(", ", gateways) + msg_allowed_gateways := concat(", ", allowed) + + # Check if only allowed gateways are in the system + allowed := {"admin", "tenant", "passthrough"} + gateways := {sprintf("%s/%s", [gw.metadata.namespace, gw.metadata.name]) | gw := input.gateways[_]} + allowed_gateways := {sprintf("%s/%s", [gw.metadata.namespace, gw.metadata.name]) | gw := input.gateways[_]; gw_in_list(gw, allowed)} + actual_allowed := {s | g := gateways[_]; s := allowed[_]; contains(g, s)} + + check_expected_gw = {"result": true, "msg": msg} if { + gateways == allowed_gateways + msg := "Only allowed gateways found." 
+ } else = {"result": false, "msg": msg} if { + msg := sprintf("Some disallowed gateways found: %v.", [gateways-allowed_gateways]) + } + + gw_in_list(gw, allowed) if { + contains(gw.metadata.name, allowed[_]) + } + + # Check if the entire set contains all required gateways + check_all_gw_found = {"result": true, "msg": msg} if { + actual_allowed == allowed + msg := "All gateway types found." + } else = {"result": false, "msg": msg} if { + msg := sprintf("Gateway type(s) missing: %v.", [allowed - actual_allowed]) + } + type: opa + title: gateway-configuration-check + uuid: b0a8f21e-b12f-47ea-a967-2f4a3ec69e44 + - description: | + domain: + kubernetes-spec: + create-resources: null + resources: + - description: "" + name: authorizationPolicies + resource-rule: + group: security.istio.io + name: "" + namespaces: [] + resource: authorizationpolicies + version: v1beta1 + type: kubernetes + lula-version: "" + metadata: + name: istio-rbac-enforcement-check + uuid: 7b045b2a-106f-4c8c-85d9-ae3d7a8e0e28 + provider: + opa-spec: + output: + observations: + - validate.msg + - validate.msg_authPolicies + validation: validate.validate + rego: | + package validate + + # Default policy result + default validate = false + default msg = "Istio RBAC not enforced" + + # Evaluation for Istio Authorization Policies + validate { + count(all_auth_policies) > 0 + } + + # Get all authorization policies + all_auth_policies := { sprintf("%s/%s", [authPolicy.metadata.namespace, authPolicy.metadata.name]) | + authPolicy := input.authorizationPolicies[_]; authPolicy.kind == "AuthorizationPolicy" } + + msg = "Istio RBAC enforced" { + validate + } + msg_authPolicies = sprintf("Authorization Policies: %v", [concat(", ", all_auth_policies)]) + type: opa + title: istio-rbac-enforcement-check + uuid: 7b045b2a-106f-4c8c-85d9-ae3d7a8e0e28 + - description: | + lula-version: "" + metadata: + name: istio-rbac-for-approved-personnel-PLACEHOLDER + uuid: 9b361d7b-4e07-40db-8b86-3854ed499a4b + title: 
istio-rbac-for-approved-personnel-PLACEHOLDER + uuid: 9b361d7b-4e07-40db-8b86-3854ed499a4b + - description: | + lula-version: "" + metadata: + name: external-traffic-managed-PLACEHOLDER + uuid: 19faf69a-de74-4b78-a628-64a9f244ae13 + provider: + opa-spec: + rego: | + package validate + default validate := false + # This policy could check meshConfig.outboundTrafficPolicy.mode (default is ALLOW_ANY) + # Possibly would need a ServiceEntry(?) + # (https://istio.io/latest/docs/tasks/traffic-management/egress/egress-control/#envoy-passthrough-to-external-services) + type: opa + title: external-traffic-managed-PLACEHOLDER + uuid: 19faf69a-de74-4b78-a628-64a9f244ae13 + - description: | + domain: + kubernetes-spec: + create-resources: null + resources: + - description: "" + name: istioddeployment + resource-rule: + group: apps + name: istiod + namespaces: + - istio-system + resource: deployments + version: v1 + - description: "" + name: istiodhpa + resource-rule: + group: autoscaling + name: istiod + namespaces: + - istio-system + resource: horizontalpodautoscalers + version: v2 + type: kubernetes + lula-version: "" + metadata: + name: istio-health-check + uuid: 67456ae8-4505-4c93-b341-d977d90cb125 + provider: + opa-spec: + output: + observations: + - istiohealth.deployment_message + - istiohealth.hpa_message + validation: istiohealth.is_istio_healthy + rego: | + package istiohealth + + default is_istio_healthy = false + default deployment_message = "Deployment status not evaluated" + default hpa_message = "HPA status not evaluated" + + # Check if the Istio Deployment is healthy + is_istio_healthy { + count(input.istioddeployment.status.conditions) > 0 + all_deployment_conditions_are_true + input.istiodhpa.status.currentReplicas >= input.istiodhpa.spec.minReplicas + } + + all_deployment_conditions_are_true { + # Ensure every condition in the array has a status that is not "False" + all_true = {c | c := input.istioddeployment.status.conditions[_]; c.status != "False"} + 
count(all_true) == count(input.istioddeployment.status.conditions) + } + + deployment_message = msg { + all_deployment_conditions_are_true + msg := "All deployment conditions are true." + } else = msg { + msg := "One or more deployment conditions are false." + } + + hpa_message = msg { + input.istiodhpa.status.currentReplicas >= input.istiodhpa.spec.minReplicas + msg := "HPA has sufficient replicas." + } else = msg { + msg := "HPA does not have sufficient replicas." + } + type: opa + title: istio-health-check + uuid: 67456ae8-4505-4c93-b341-d977d90cb125 + - description: | + domain: + kubernetes-spec: + create-resources: null + resources: + - description: "" + name: gateways + resource-rule: + group: networking.istio.io + name: "" + namespaces: [] + resource: gateways + version: v1beta1 + type: kubernetes + lula-version: "" + metadata: + name: ingress-traffic-encrypted + uuid: fd071676-6b92-4e1c-a4f0-4c8d2bd55aed + provider: + opa-spec: + output: + observations: + - validate.msg + - validate.msg_exempt + validation: validate.validate + rego: | + package validate + import future.keywords.every + + default validate = false + default msg = "Not evaluated" + + # Validation + validate { + check_gateways_allowed.result + } + msg := check_gateways_allowed.msg + msg_exempt := sprintf("Exempted Gateways: %s", [concat(", ", exempt_gateways)]) + + # Collect gateways that do not encrypt ingress traffic + gateways_disallowed = {sprintf("%s/%s", [gateway.metadata.namespace, gateway.metadata.name]) | + gateway := input.gateways[_]; + not allowed_gateway(gateway) + } + + check_gateways_allowed = {"result": true, "msg": "All gateways encrypt ingress traffic"} { + count(gateways_disallowed) == 0 + } else = {"result": false, "msg": msg} { + msg := sprintf("Some gateways do not encrypt ingress traffic: %s", [concat(", ", gateways_disallowed)]) + } + + # Check allowed gateway + allowed_gateway(gateway) { + every server in gateway.spec.servers { + allowed_server(server) + } + } + + 
exempt_gateways := {"istio-passthrough-gateway/passthrough-gateway"} + allowed_gateway(gateway) { + sprintf("%s/%s", [gateway.metadata.namespace, gateway.metadata.name]) in exempt_gateways + # *Unchecked condition that exempted gateway is only used by virtual services that route https traffic + # Find all virtual services that use this gateway + # Check that vs has https scheme + } + + # Check allowed server spec in gateway + allowed_server(server) { + server.port.protocol == "HTTP" + server.tls.httpsRedirect == true + } + + allowed_server(server) { + server.port.protocol == "HTTPS" + server.tls.mode in {"SIMPLE", "OPTIONAL_MUTUAL"} + } + type: opa + title: ingress-traffic-encrypted + uuid: fd071676-6b92-4e1c-a4f0-4c8d2bd55aed components: - - uuid: e7e62a4f-8ae7-4fb0-812c-60ea6ae26374 - type: software - title: Istio Controlplane - description: | - Istio Service Mesh - purpose: Istio Service Mesh - responsible-roles: - - role-id: provider - party-uuids: - - f3cf70f8-ba44-4e55-9ea3-389ef24847d3 - control-implementations: - - uuid: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c - source: https://raw.githubusercontent.com/GSA/fedramp-automation/93ca0e20ff5e54fc04140613476fba80f08e3c7d/dist/content/rev5/baselines/json/FedRAMP_rev5_HIGH-baseline-resolved-profile_catalog.json - description: Controls implemented by Istio and authservice that are inherited by applications + - control-implementations: + - description: Controls implemented by Istio and authservice that are inherited by applications implemented-requirements: - - uuid: 17b76910-1395-48a2-9441-edbb7c1f04ec - control-id: ac-3 - description: >- - # Control Description - Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. - - # Control Implementation - Istio implements with global configuration. 
- - # How Istio Helps - Istio helps implement access enforcement in two ways: limiting service-to-service access (see AC-4 below), - and acting as an enforcement point for end user authentication and authorization (AC-3, this section). - - Service to Service Access: Istio provides authenticatable runtime identities for all applications in the mesh in the form of X.509 certificates. - Those certificates are used for encryption in transit as well as authentication of the service's identity. - This authenticated principal can be used for access control of service to service communication via Istio's AuthorizationPolicy. - We cover this in detail in AC-4, Information Flow Enforcement, below. - - End User Authentication and Authorization: Istio facilitates end user authentication and authorization in two ways: - 1. Istio has native support for JWT authentication and authorization based on JWT claims. - It can be configured to extract a JWT from each request's headers, validate them against issuers and with specific keys, and limit access based on any of the JWT's fields. - 2. Istio supports extracting metadata from each request and forwarding it to an external authentication and authorization server. - Istio will enforce the verdict returned by this server, and can attach additional metadata returned by the server (e.g., an internal JWT in place of an external API key). - - remarks: This control is fully implemented by this tool. - - - uuid: b4383b6b-bcdf-41db-a323-873de77ba46b - control-id: ac-4 - description: >- - # Control Description - Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on [Assignment: organization-defined information flow control policies]. - - # Control Implementation - Istio implements with mission team configuration. - - # How does Istio help? - Istio encrypts all in-mesh communication at runtime using the service's identity. 
- This provides TLS for all applications in the mesh. If you're using the Tetrate Istio Distribution, then this TLS is FIPS verified. mTLS is configured through the PeerAuthentication resource, and should be set to STRICT to enforce mTLS between all components of the information system. - Istio's AuthorizationPolicy controls service-to-service communication within the mesh. - Combined with Istio ingress and egress gateways, as well as a few installation settings, Istio can manage all traffic into and out of your deployment. - In addition to AuthorizationPolicies controlling traffic in the mesh, Istio ingress gateways terminate HTTPS on behalf of applications in the mesh (AC-4 (4) - not required by moderate but valuable nonetheless). - By managing how traffic flows out of applications using VirtualServices or ServiceEntries, all traffic leaving your infrastructure can be channeled through an egress gateway. - Egress gateways can audit and limit how traffic flows to external services outside of the information system under control. - - remarks: This control is fully implemented by this tool. - - - uuid: 19bd393a-25fb-4ef1-9633-5fc510247d69 - control-id: ac-4.4 - description: >- - # Control Description - Prevent encrypted information from bypassing [Assignment: intrusion detection mechanisms] by [Selection (one or more): decrypting the information; blocking the flow of the encrypted information; terminating communications sessions attempting to pass encrypted information; [Assignment: organization-defined procedure or method]]. - - # Control Implementation - All encrypted HTTPS connections are terminated at the Istio ingress gateway. - - remarks: This control is fully implemented by this tool. 
- - - uuid: 2e0879f1-381d-445d-b201-8ba3a1194147 - control-id: ac-4.21 - description: >- - # Control Description - Separate information flows logically or physically using [Assignment: organization-defined mechanisms and/or techniques] to accomplish [Assignment: organization-defined required separations by types of information]. - - # Control Implementation - Istio implements with mission team configuration. - - # How does Istio help? - When Istio is configured as above for AC-4 limiting access to services within the information system and controlling communication ingress and egress to and from the information system it provides logical separation of information flows. - Istio policies can provide this separation at the finest grain possible. For example, for HTTP traffic, Istio provides the ability to limit communication per verb and path, as well as based on header values or end-user credentials stored at headers, in addition to controlling traffic with the traditional network five-tuple. - Istio enforces the policy at the application instance itself. - - remarks: This control is fully met by this tool. - - - uuid: 7e8f7b8e-e95a-479b-96dd-7ff0bf957a84 - control-id: ac-6.3 - description: >- - # Control Description - Authorize network access to [Assignment: [all privileged commands] only for [Assignment: organization-defined compelling operational needs] and document the rationale for such access in the security plan for the system. - - # Control Implementation - Configured with an "admin" gateway to restrict access to applications that only need sysadmin access. - - remarks: This control is fully implemented by this tool. - - - uuid: 36e1ad45-4c25-42b0-b06b-889734fde442 - control-id: ac-6.9 - description: >- - # Control Description - Log the execution of privileged functions. - - # Control Implementation - Istio implements with global configuration. - - # How does Istio help? 
- Istio produces logs for all traffic in the information system see AU-3 below for more information on what information is logged and how to configure additional information to be logged with each access. - As long as the privileged functions are exposed as network endpoints in the information system, Istio will log their use like it logs all other network traffic. - Logging privileged use outside of the information system like using kubectl to access the cluster directly is outside of the scope of Istio's runtime logging. - - remarks: This control is fully implemented by this tool. - - - uuid: 25609c9a-a482-49e3-ba76-2cee88a5932a - control-id: ac-14 - description: >- - # Control Description - "a. Identify [Assignment: organization-defined user actions] that can be performed on the system without identification or authentication consistent with organizational mission and business functions; and - b. Document and provide supporting rationale in the security plan for the system, user actions not requiring identification or authentication." - - # Control Implementation - Istio implements with mission team configuration. - - # How does Istio help? - Istio can be configured to extract end-user credentials from requests for authentication (either locally, or forwarding them on to an external authorization service), and to disallow requests without authentication tokens. - This is configured using RequestAuthentication and AuthorizationPolicy resources, described at length in AC-4 above. - Using this, Istio's authorization policy becomes documentation of services that do not require authentication. - - remarks: This control is fully implemented by this tool. - - - uuid: 908b6b76-978d-4089-a422-3112656c8452 - control-id: ac-17.3 - description: >- - # Control Description - Route remote accesses through authorized and managed network access control points. 
- - # Control Implementation - Istio routes remote access through correct configuration and managed network access control points. - - remarks: This control is fully implemented by this tool. - - - uuid: 524006e4-67d7-4124-8679-58392ab20cbb - control-id: au-2 - description: >- - # Control Description - "a. Identify the types of events that the system is capable of logging in support of the audit function: [Assignment: successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes]; - b. Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged; - c. Specify the following event types for logging within the system: [Assignment: organization-defined subset of the auditable events defined in AU-2a to be audited continually for each identified event) along with the frequency of (or situation requiring) logging for each identified event type]; - d. Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and - e. Review and update the event types selected for logging [Assignment: annually or whenever there is a change in the threat environment]." - - # Control Implementation - Istio provides access logs for all HTTP network requests, including mission applications. - - remarks: This control is fully implemented by this tool - - - uuid: a8e9fcc9-f900-4467-9287-b288341c9575 - control-id: au-3 - description: >- - # Control Description - "Ensure that audit records contain information that establishes the following: - a. What type of event occurred; - b. When the event occurred; - c. Where the event occurred; - d. 
Source of the event; - e. Outcome of the event; and - f. Identity of any individuals, subjects, or objects/entities associated with the event." - - # Control Implementation - Istio implements with global configuration. - - # How does Istio help? - Istio generates access logs for all traffic in the mesh (ingress, internal, and egress) that is a superset of the data in the [Common Log Format](https://en.wikipedia.org/wiki/Common_Log_Format). - For HTTP traffic, this includes timestamp, source and destination IPs, request verb, response code, and more. - You can get a full overview of the data that is provided [in the Istio documentation](https://istio.io/latest/docs/tasks/observability/logs/access-log/). - The format of these logs can be configured per deployment or globally at install time to conform with requirements of existing log analysis tools or other organizational needs. - By default, Envoy sidecars in the mesh emit these logs as text to standard out. However, Envoy can be configured to forward this log data over gRPC to a server that aggregates (and potentially acts on) them. - This is called the [Access Log Service (ALS)](https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/accesslog/v3/als.proto). - These can be augmented by application-specific audit logging, but for many services (and HTTP services especially), the mesh's logs are sufficient to reconstruct an understanding of events to perform an audit. - - remarks: This control is fully implemented by this tool. 
- - - uuid: 1db223f2-4b59-424a-9bb5-d7a6a2f381e8 - control-id: au-3.1 - description: >- - # Control Description - Generate audit records containing the following additional information: [Assignment: session, connection, transaction, or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or identify the event; characteristics that describe or identify the object or resource being acted upon; individual identities of group account users; full-text of privileged commands]. - + - control-id: ac-4 + description: |- # Control Implementation - Istio implements with global configuration. - - # How does Istio help? - Istio’s access logs can be configured to produce additional information as needed by the organization. - - remarks: This control is fully implemented by this tool. - - - uuid: 4739a734-5ad6-4898-afb7-00561ee84736 - control-id: au-9 - description: >- - # Control Description - "a. Protect audit information and audit logging tools from unauthorized access, modification, and deletion; and - b. Alert [Assignment: organization-defined personnel or roles] upon detection of unauthorized access, modification, or deletion of audit information." - - # Control Implementation - Istio contributes but does not implement. - - # How does Istio Help? - If you’re using Istio to produce audit information (see AU-3, AU-3 (1)), then the logs that Istio produces are subject to AU-9 controls. - Protecting the logs that Istio produces is outside of the scope of Istio itself, but integrating your log ingestion and protection system with the logs that Istio produces, you can easily satisfy this requirement. - Kubernetes RBAC should be configured to allow only specific users access to the log files Envoy produces, ideally no users should have direct access and instead only access logs via the log ingestion system (like Splunk). - - remarks: This control is fully implemented by this tool. 
- - - uuid: 395a4976-bf4a-4193-b928-05a0700e03fb - control-id: au-9.2 - description: >- - # Control Description - Store audit records [Assignment: oat least weekly] in a repository that is part of a physically different system or system component than the system or component being audited. - - # Control Implementation - Istio contributes but does not implement. - - # How does Istio Help? - See AU-9 above, but in short: ensure that Istio’s logging configuration aligns with your larger log collection pipeline. The log collection pipeline itself should implement the AU-9 controls required by the organization. - - remarks: This control is fully implemented by this tool. - - - uuid: b06017d9-c9ab-462d-9861-99b9849f4ee4 - control-id: au-12 - description: >- - # Control Description - "a. Provide audit record generation capability for the event types the system is capable of auditing as defined in AU-2a on [Assignment: all information system and network components where audit capability is deployed/available]; - b. Allow [Assignment: organization-defined personnel or roles] to select the event types that are to be logged by specific components of the system; and - c. Generate audit records for the event types defined in AU-2c that include the audit record content defined in AU-3." - - # Control Implementation - Istio implements with global configuration. - - # How does Istio Help? - Istio generates logs for all network traffic - TCP connections, HTTP requests, etc. These events are a subset of all events defined by most organizations in AU-2 a. as worthy of audit. - See AU-3 for details of the information that can be generated, and AU-3 (1) for information on customizing it. - If the only events to be logged per AU-2 a. are network events, then Istio satisfies AU-12 fully for the information system. - - remarks: This control is fully implemented by this tool. 
- - - uuid: bf8b66b2-8909-4935-98ba-189bf3ffde03 - control-id: cm-5 - description: >- - # Control Description - Define, document, approve, and enforce physical and logical access restrictions associated with changes to the system. - - # Control Implementation - Istio contributes but does not implement. - - # How does Istio Help? - Istio is configured with Kubernetes Custom Resources. As such it can be configured as code, and managed by your existing CM-5 conformant code management processes. - Kubernetes RBAC should be used to control who can change which configuration at runtime. - UDS Core implements CM-5 controls by implementing infrastructure as code practices, configuring Kubernetes RBAC to prevent humans from authoring configuration and allowing only continuous delivery systems (Flux, by default) to author runtime configuration. Since all configuration is managed in this CM-5 conformant way, Istio’s configuration is controlled in a CM-5 conformant way. - - remarks: This control is fully implemented by this tool. - - - uuid: 3ee327e1-2cce-4908-a78d-99e65ce2333a - control-id: cm-6 - description: >- - # Control Description - "a. Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using [Assignment: United States Government Configuration Baseline (USGCB)]; - b. Implement the configuration settings; - c. Identify, document, and approve any deviations from established configuration settings for [Assignment: organization-defined system components] based on [Assignment: organization-defined operational requirements]; and - d. Monitor and control changes to the configuration settings in accordance with organizational policies and procedures." 
- - "CM-6 (a) Requirement 1: The service provider shall use the DoD STIGs or Center for Internet Security guidelines to establish configuration settings or establishes its own configuration settings if USGCB is not available. - CM-6 (a) Requirement 2: The service provider shall ensure that checklists for configuration settings are Security Content Automation Protocol (SCAP) validated or SCAP compatible (if validated checklists are not available). - CM-6 (a) Guidance: Information on the USGCB can be found at: https://csrc.nist.gov/projects/united-states-government-configuration-baseline." - - - # Control Implementation - Istio contributes but does not implement. - - # How does Istio Help? - This document provides the guidance for configuring Istio, both globally as well as for mission teams. Additional best practices should be followed, including: - - NIST SP 800-204A: Building Secure Microservices-based Applications Using Service-Mesh Architecture - - NIST SP 800-204B: Attribute-based Access Control for Microservices-based Applications using a Service Mesh - Tetrate helps maintain and periodically audits UDS Core’s Istio configurations to ensure they implement best practice defaults. - - remarks: This control is fully implemented by this tool. - - - uuid: 0ab5781b-2f6b-4c71-83ef-e00f10c7ed93 - control-id: cm-8.1 - description: >- - # Control Description - Update the inventory of system components as part of component installations, removals, and system updates. - - # Control Implementation - Istio implements with global configuration. - - # How does Istio Help? - Istio’s service inventory is updated continuously from the Kubernetes API server (the information system’s source of truth for what applications are running). Therefore, the inventory is updated when components of the information system are installed or removed. As a result, Istio implements CM-8 (1) for the information system. - - remarks: This control is fully implemented by this tool. 
- - - uuid: 8d72738e-99ae-40e8-9fc0-bdfc51d24121 - control-id: cm-8.2 - description: >- - # Control Description - Update the inventory of system components as part of component installations, removals, and system updates. - + Istio encrypts all in-mesh communication at runtime using FIPS verified mTLS in addition to ingress and egress gateways for controlling communication. + links: + - href: "#67456ae8-4505-4c93-b341-d977d90cb125" + rel: lula + text: Check that Istio is healthy + - href: "#ca49ac97-487a-446a-a0b7-92b20e2c83cb" + rel: lula + text: Check that Istio is enforcing mtls STRICT + - href: "#1761ac07-80dd-47d2-947e-09f67943b986" + rel: lula + text: All pods are istio injected with proxyv2 sidecar + - href: "#fd071676-6b92-4e1c-a4f0-4c8d2bd55aed" + rel: lula + text: Check ingress traffic is encrypted + remarks: "# Control Description Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and without explicit regard to subsequent accesses to that information. Flow control restrictions include, for example, keeping export-controlled information from being transmitted in the clear to the Internet, blocking outside traffic that claims to be from within the organization, restricting web requests to the Internet that are not from the internal web proxy server, and limiting information transfers between organizations based on data structures and content." + uuid: 9e158525-96bd-4d4f-a674-7e3eab9aea7a + - control-id: ac-4.4 + description: |- # Control Implementation - Provides an inventory of all workloads (including mission apps) in the service mesh, viewable in Kiali. The inventory is automatically and continuously updated. - - remarks: This control is fully implemented by this tool. 
- - - uuid: 3d88af30-61e0-47ed-a495-74ca61ce99a7 - control-id: ia-2 - description: >- - # Control Description - Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users. - + All encrypted HTTPS connections are terminated at the Istio ingress gateway. + links: + - href: "#67456ae8-4505-4c93-b341-d977d90cb125" + rel: lula + text: Check that Istio is healthy + - href: "#ca49ac97-487a-446a-a0b7-92b20e2c83cb" + rel: lula + text: Check that Istio is enforcing mtls STRICT + - href: "#1761ac07-80dd-47d2-947e-09f67943b986" + rel: lula + text: All pods are istio injected with proxyv2 sidecar + - href: "#fd071676-6b92-4e1c-a4f0-4c8d2bd55aed" + rel: lula + text: Check ingress traffic is encrypted + remarks: "# Control Description The information system prevents encrypted information from bypassing content-checking mechanisms by decrypting the information; blocking the flow of the encrypted information; terminating communications sessions attempting to pass encrypted information; Assignment: organization-defined procedure or method." + uuid: c3e13abc-3c19-4f08-a2f8-40fcbef5daa7 + - control-id: ac-4.21 + description: |- # Control Implementation - Istio implements with mission team configuration. - - # How does Istio Help? - Istio can be used to implement authentication of end-user credentials for applications in the mesh. This is typically configured via Istio’s external authorization service or by validating JWTs on each request (see AC-3). - If components in the information system are protected by Istio configured to validate end-user credentials, then Istio satisfies the authentication clause IA-2: “[the information system] authenticates organizational users (or processes acting on behalf or organizational users).” - Assigning user identities themselves, and ensuring their uniqueness, is out of scope of Istio. 
(Istio does assign identities to applications or processes running in the information system – see AC-4.) - - remarks: This control is fully implemented by this tool. - - - uuid: 4b28dcb2-f7fb-4944-9661-1182ccf197b2 - control-id: ia-4 - description: >- - # Control Description - "Manage system identifiers by: - a. Receiving authorization from [Assignment: oat a minimum, the ISSO (or similar role within the organization)] to assign an individual, group, role, service, or device identifier; - b. Selecting an identifier that identifies an individual, group, role, service, or device; - c. Assigning the identifier to the intended individual, group, role, service, or device; and - d. Preventing reuse of identifiers for [Assignment: at least two (2) years]." - + Istio is configured to use ingress and egress gateways to provide logical flow separation. + links: + - href: "#67456ae8-4505-4c93-b341-d977d90cb125" + rel: lula + text: Check that Istio is healthy + - href: "#0da39859-a91a-4ca6-bd8b-9b117689188f" + rel: lula + text: Check namespaces are istio injected + - href: "#c6c9daf1-4196-406d-8679-312c0512ab2e" + rel: lula + text: Check that Istio is configured with an admin gateway and admin services use it + - href: "#b0a8f21e-b12f-47ea-a967-2f4a3ec69e44" + rel: lula + text: Validates that Istio Gateways are available and expected VirtualServices using each Gateway. + remarks: "Separate information flows logically or physically using [Assignment: organization-defined mechanisms and/or techniques] to accomplish [Assignment: organization-defined required separations by types of information]." + uuid: 6e32feb5-ce43-465f-9422-e3ef3276bf5d + - control-id: ac-6.3 + description: |- # Control Implementation - Istio contributes but does not implement. - - # How does Istio Help? - Istio assigned identities to runtime entities based on their Kubernetes service account. Service accounts are unique per (namespace, service account name) pair and are assigned to all pods in the cluster. 
- Pods should opt in to using a specific service account, but if they do not then Kubernetes provides a default service account per namespace. - - The identities Istio assigned are: - a. Authorized for the specific application by checking against the Kubernetes API server (the system of record for runtime identities). - b. Each service receives an identity from Kubernetes at runtime, whether it is assigned explicitly or not. - c. Sent only to correct workloads because Istio authenticates runtime proofs (mainly, the pod’s service account token) in addition to authorizing the identity by checking with the Kubernetes API server. - d. Service accounts in Kubernetes are unique. However, Kubernetes-level controls (out of the scope of Istio) need to be implemented to ensure that identities are not re-used. - e. The Kubernetes service account lifecycle is out of scope of Istio. A Kubernetes-level control is need to satisfy this requirement. - - remarks: This control is fully implemented by this tool. - - - uuid: 501ef187-1344-40bf-a697-127ae1d65a41 - control-id: ia-7 - description: >- - # Control Description - Implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable laws, executive orders, directives, policies, regulations, standards, and guidelines for such authentication. - + Configured with an "admin" gateway to restrict access to applications that only need administrative access. + links: + - href: "#67456ae8-4505-4c93-b341-d977d90cb125" + rel: lula + text: Check that Istio is healthy + - href: "#c6c9daf1-4196-406d-8679-312c0512ab2e" + rel: lula + text: Check that Istio is configured with an admin gateway and admin services use it + remarks: "Authorize network access to [Assignment: organization-defined privileged commands] only for [Assignment: organization-defined compelling operational needs] and document the rationale for such access in the security plan for the system." 
+ uuid: 0081f95a-3233-4e07-a6cd-95cb1905c318 + - control-id: ac-6.9 + description: |- # Control Implementation - Istio implements with global configuration. - - # How does Istio Help? - Istio provides encryption in transit for all applications in the mesh, and can also provide TLS termination at ingress and TLS origination at egress. Tetrate Istio Distribution (TID) is the only FIPS 140-2 Verified Istio distribution that exists. It is available from the Iron Bank. - When using the TID FIPS builds, all communication between components of the information system is encrypted using FIPS 140-2 verified software. - - remarks: This control is fully implemented by this tool. - - - uuid: 902e23be-f46b-416e-b407-fa579be28612 - control-id: sc-3 - description: >- - # Control Description - Isolate security functions from nonsecurity functions. - + Istio produces logs for all traffic in the information system. + links: + - href: "#67456ae8-4505-4c93-b341-d977d90cb125" + rel: lula + text: Check that Istio is healthy + - href: "#90738c86-6315-450a-ac69-cc50eb4859cc" + rel: lula + text: Check that Istio is logging all traffic which could contain privileged function calls + - href: "#1761ac07-80dd-47d2-947e-09f67943b986" + rel: lula + text: All pods are istio injected with proxyv2 sidecar + remarks: Log the execution of privileged functions. + uuid: 6d8a6c80-2844-4bfd-bc9d-0f5a71e5c979 + - control-id: ac-14 + description: |- # Control Implementation - Istio breaks-down services into microservices to isolate security functions from non-security functions. - - remarks: This control is fully implemented by this tool. - - - uuid: 11732a14-62d3-43ff-b294-5b2508b8e967 - control-id: sc-4 - description: >- - # Control Description - Prevent unauthorized and unintended information transfer via shared system resources. - + Istio implements with service to service and provides authorization policies that require authentication to access any non-public features. 
+ links: + - href: "#67456ae8-4505-4c93-b341-d977d90cb125" + rel: lula + text: Check that Istio is healthy + - href: "#fbd877c8-d6b6-4d88-8685-2c4aaaab02a1" + rel: lula + text: Validates that Istio is used to authorize access to Keycloak admin console only from admin gateway + remarks: 'a. Identify [Assignment: organization-defined user actions] that can be performed on the system without identification or authentication consistent with organizational mission and business functions; and b. Document and provide supporting rationale in the security plan for the system, user actions not requiring identification or authentication."' + uuid: c8c03abd-244d-4813-a966-3feece1bad6a + - control-id: au-2 + description: |- # Control Implementation - Istio can enforce that outbound traffic goes through an Egress Gateway. When combined with a Network Policy, you can enforce all traffic, or some subset, goes through the egress gateway to prevent unauthorized and unintended information transfer via shared system resources. - - remarks: This control is fully implemented by this tool. - - - uuid: 8258a234-68c6-4b0b-b527-b58e5b39ecda - control-id: sc-5 - description: >- - # Control Description - "a. [Selection: Protect against] the effects of the following types of denial-of-service events: [Assignment: at a minimum: ICMP (ping) flood, SYN flood, slowloris, buffer overflow attack, and volume attack]; and - b. Employ the following controls to achieve the denial-of-service objective: [Assignment: organization-defined controls by type of denial-of-service event]." - + Istio logs all Istio event logs within the system's mesh network. + links: + - href: "#67456ae8-4505-4c93-b341-d977d90cb125" + rel: lula + text: Check that Istio is healthy + - href: "#90738c86-6315-450a-ac69-cc50eb4859cc" + rel: lula + text: Check that Istio is logging all traffic which could contain audit events + remarks: "a. 
Identify the types of events that the system is capable of logging in support of the audit function: [Assignment: organization-defined event types that the system is capable of logging]; b. Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged; c. Specify the following event types for logging within the system: [Assignment: organization-defined event types (subset of the event types defined in AU-2a.) along with the frequency of (or situation requiring) logging for each identified event type]; d. Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and e. Review and update the event types selected for logging [Assignment: organization-defined frequency]." + uuid: 88f300a6-aa21-41b4-919d-29ef3e4381bb + - control-id: au-3 + description: |- # Control Implementation - Istio monitors the egress traffic and enforces all the security policies. Monitoring the egress traffic, enables you to analyze, possibly offline, and detect an attack. - - - uuid: 8fcf76d0-a612-4f1a-8c07-2dfe03d7b03a - control-id: sc-7 - description: >- - # Control Description - "a. Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system; - b. Implement subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and - c. Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture." - + Istio logs all Istio event logs within the system's mesh network. 
+ links: + - href: "#67456ae8-4505-4c93-b341-d977d90cb125" + rel: lula + text: Check that Istio is healthy + - href: "#f346b797-be35-40a8-a93a-585db6fd56ec" + rel: lula + text: Check that Istio is configured to provide tracing data + remarks: "Ensure that audit records contain information that establishes the following: a. What type of event occurred; b. When the event occurred; c. Where the event occurred; d. Source of the event; e. Outcome of the event; and f. Identity of any individuals, subjects, or objects/entities associated with the event." + uuid: 52756a01-6f5c-49b1-8a6b-972b74a01da4 + - control-id: au-3.1 + description: |- # Control Implementation - Istio implements with global configuration. - - # How does Istio Help? - Istio alone can not completely satisfy the SC-7 requirement, because Istio sits at Layer 4 and above, in other words it sits atop the IP network you provide it. However, Istio can aid in implementing boundary protection in your stack: - a. Istio provides monitoring (AU-12) and control of traffic ingress into and egressing out of the cluster, as well as internally for all communication between components. If all information system components are running in the cluster, this satisfies SC-7 a. - b. Istio operates at layer 4 and above - it cannot implement sub-networks at the IP layer. However, Istio can be used for logical separation of components at runtime (see AC-4 (21)). - Istio’s separation should be augmented with network-level separation, e.g. via a CNI plugin, to help implement a defense in depth strategy. - c. The only ingress into the cluster is via Istio gateways (AC-3), egress is controlled by Istio gateways (AC-4). If all information system components are running in the cluster, this satisfies the needs of SC-7 c. - Further, access policy can be applied at both points, as well as at every application instance via Istio’s sidecar. 
This gives the organization the opportunity to implement more fine-grained controls than is needed by SC-7. - - remarks: This control is fully implemented by this tool. - - - uuid: cbc3fcca-7628-4f70-ac40-8bea413ae4dc - control-id: sc-7.4 - description: >- - # Control Description - "(a) Implement a managed interface for each external telecommunication service; - (b) Establish a traffic flow policy for each managed interface; - (c) Protect the confidentiality and integrity of the information being transmitted across each interface; - (d) Document each exception to the traffic flow policy with a supporting mission or business need and duration of that need; - (e) Review exceptions to the traffic flow policy [Assignment: at least every ninety (90) days or whenever there is a change in the threat environment that warrants a review of the exceptions] and remove exceptions that are no longer supported by an explicit mission or business need; - (f) Prevent unauthorized exchange of control plane traffic with external networks; - (g) Publish information to enable remote networks to detect unauthorized control plane traffic from internal networks; and - (h) Filter unauthorized control plane traffic from external networks." - + Istio has been configured to implement event logging within our environment. This includes capturing metrics related to the duration of sessions, connections, transactions, or activities. Specifically, Istio's telemetry features are utilized to capture these metrics, which provide valuable data that can be used to infer the duration of sessions or connections. 
+ links: + - href: "#67456ae8-4505-4c93-b341-d977d90cb125" + rel: lula + text: Check that Istio is healthy + - href: "#70d99754-2918-400c-ac9a-319f874fff90" + rel: lula + text: Check that Istio is configured to provide metrics data + - href: "#1761ac07-80dd-47d2-947e-09f67943b986" + rel: lula + text: All pods are istio injected with proxyv2 sidecar + - href: "#f345c359-3208-46fb-9348-959bd628301e" + rel: lula + text: Check that pods running sidecar have the correct annotations for prometheus metrics scrape + remarks: "Generate audit records containing the following additional information: [Assignment: organization-defined additional information]. AU-3 (1) [session, connection, transaction, or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or identify the event; characteristics that describe or identify the object or resource being acted upon; individual identities of group account users; full-text of privileged commands]" + uuid: 16cc258e-d907-47bb-97d9-4e92677cf075 + - control-id: au-12 + description: |- # Control Implementation - Istio implements with global configuration. - - # How does Istio Help? - Like SC-7, Istio works in tandem with a few other components of the infrastructure to satisfy SC-7 (4). - For example, it’s common to use an identity-aware proxy (like UDS Core’s CNAP), or even a cloud provider load balancer (like an ELB) as the initial interface for an external service, immediately passing the requests on to Istio’s ingress. - For all of the information system components in the cluster: - a. Istio provides an interface its ingress and egress gateways for external network traffic. Istio allows configuring how that interface is exposed, including ports and protocols as well as certificates that are served. See AC-4. - b. Istio provides fine-grained layer 7 policy on each request to control how traffic flows through that ingress. 
It enforces this policy at ingress gateways to control the external traffic ingress into your information system. - Istio also enforces them at egress gateways to control how components of your information system communicate with external systems. See AC-4. - c. Istio’s ingress gateways serve TLS (or mTLS) to external systems, and Istio provides mTLS between applications of the information system in the mesh. See AC-4. - d. Istio must be explicitly configured to allow exceptions, either in AuthorizationPolicy documents controlling runtime access or in resource annotations exempting traffic from Istio’s sidecar. - These can be used as supporting documents for SC-7 (4) d., but will need to be augmented with organizational documentation citing specific mission needs and durations. - e. This is an organizational activity out of the scope of Istio. - - remarks: This control is fully implemented by this tool. - - - uuid: e8c72e81-4e58-42cb-bcd4-714df65e2225 - control-id: sc-7.5 - description: >- - # Control Description - Deny network communications traffic by default and allow network communications traffic by exception [Selection (one or more): at managed interfaces; for [Assignment: any systems]]. - + Istio provides audit record generation capabilities for a variety of event types, including session, connection, transaction, or activity durations, and the number of bytes received and sent. + links: + - href: "#67456ae8-4505-4c93-b341-d977d90cb125" + rel: lula + text: Check that Istio is healthy + - href: "#90738c86-6315-450a-ac69-cc50eb4859cc" + rel: lula + text: Check that Istio is logging all traffic which could contain audit events + remarks: "a. Provide audit record generation capability for the event types the system is capable of auditing as defined in AU-2a on [Assignment: organization-defined system components]; b. 
Allow [Assignment: organization-defined personnel or roles] to select the event types that are to be logged by specific components of the system; and c. Generate audit records for the event types defined in AU-2c that include the audit record content defined in AU-3." + uuid: 8f645835-6538-4327-a7aa-453b398f5ef4 + - control-id: cm-5 + description: |- # Control Implementation - Istio implements with mission team configuration. - - # How does Istio Help? - At ingress and egress gateways, Istio denies all traffic that does not have explicit traffic routing policies in the form of a VirtualService attached to the gateways. - Inside of the mesh, and to control egress out to external services, you can author AuthorizationPolicies to limit access. - Those policies must be written in the “allow with positive matching” style. - Together, Istio implements the SC-7 (5) control on behalf of applications in the mesh. - - remarks: This control is fully implemented by this tool. - - - uuid: 6ef57828-3fda-49a6-8b18-e4926ade2e05 - control-id: sc-7.8 - description: >- - # Control Description - Route [Assignment: organization-defined internal communications traffic] to [Assignment: organization-defined external networks] through authenticated proxy servers at managed interfaces. - + Istio enforces logical access restrictions associated with changes to the system. Istio's Role-Based Access Control (RBAC) features are used to define and enforce access controls, ensuring that only approved personnel can make changes to the system. 
+ links: + - href: "#67456ae8-4505-4c93-b341-d977d90cb125" + rel: lula + text: Check that Istio is healthy + - href: "#7b045b2a-106f-4c8c-85d9-ae3d7a8e0e28" + rel: lula + text: Check that Istio is enforcing RBAC + - href: "#9b361d7b-4e07-40db-8b86-3854ed499a4b" + rel: lula + text: Check that particular RBAC is ensuring only approved personnel can make changes to the system [PLACEHOLDER] + remarks: Define, document, approve, and enforce physical and logical access restrictions associated with changes to the system. + uuid: 32e53a18-4b64-4a24-935c-11cbac2c62be + - control-id: sc-3 + description: |- # Control Implementation - Istio’s traffic management model relies on the Envoy proxies that are deployed along with the services. - All traffic that the mesh services send and receive (data plane traffic) is proxied through Envoy, making it easy to direct and control traffic around the mesh without making any changes to the services. - - remarks: This control is fully implemented by this tool. - - - uuid: e288c006-3a9d-44d7-91c9-61a4260bc148 - control-id: sc-7.10 - description: >- - # Control Description - "(a) Prevent the exfiltration of information; and - (b) Conduct exfiltration tests [Assignment: organization-defined frequency]." - Prevention of exfiltration applies to both the intentional and unintentional exfiltration of information. Techniques used to prevent the exfiltration of information from systems may be implemented at internal endpoints, external boundaries, and across managed interfaces and include adherence to protocol - formats, monitoring for beaconing activity from systems, disconnecting external network interfaces except when explicitly needed, employing traffic profile analysis to detect deviations from the volume and types of traffic expected, call backs to command and control centers, conducting penetration testing, - monitoring for steganography, disassembling and reassembling packet headers, and using data loss and data leakage prevention tools. 
Devices that enforce strict adherence to protocol formats include deep packet inspection firewalls and Extensible Markup Language (XML) gateways. The devices verify adherence - to protocol formats and specifications at the application layer and identify vulnerabilities that cannot be detected by devices that operate at the network or transport layers. The prevention of exfiltration is similar to data loss prevention or data leakage prevention and is closely associated with - cross-domain solutions and system guards that enforce information flow requirements. - + Namespaces, Istio gateways, and network policies collectively by providing resource isolation, secure traffic routing, and network segmentation to prevent unauthorized and unintended information transfer. + links: + - href: "#67456ae8-4505-4c93-b341-d977d90cb125" + rel: lula + text: Check that Istio is healthy + - href: "#c6c9daf1-4196-406d-8679-312c0512ab2e" + rel: lula + text: Check that Istio is configured with an admin gateway and admin services use it + - href: "#b0a8f21e-b12f-47ea-a967-2f4a3ec69e44" + rel: lula + text: Validates that Istio Gateways are available and expected VirtualServices using each Gateway. + remarks: Isolate security functions from nonsecurity functions. + uuid: 9e2894a3-2452-4f7a-b8a5-f72b89b23c87 + - control-id: sc-4 + description: |- # Control Implementation - Istio can set an alert to detect attempted data exfiltration by a service in the cluster. In this mode, Prometheus can tell you both the source and (attempted) destination workload for the blocked request. - The Istio System manages the ingress and egress network traffic permitted within your OPA-integrated Istio service mesh. You can specify egress traffic is only allowed to a predefined collection of endpoints to minimize the risk of data exfiltration or to implement microservice API authorization. - - remarks: This control is fully implemented by this tool. 
- - - uuid: 5aadb273-8674-4220-b905-3828b57499cb - control-id: sc-7.20 - description: >- - # Control Description - Provide the capability to dynamically isolate [Assignment: organization-defined system components] from other system components. - + Istio enforces outbound traffic goes through an Egress Gateway with a Network Policy. + links: + - href: "#67456ae8-4505-4c93-b341-d977d90cb125" + rel: lula + text: Check that Istio is healthy + - href: "#7455f86d-b79c-4226-9ce3-f3fb7d9348c8" + rel: lula + text: Network Policies are in place to ensure that only authorized traffic is allowed to egress the cluster [PLACEHOLDER] + - href: "#ecdb90c7-971a-4442-8f29-a8b0f6076bc9" + rel: lula + text: Egress Gateway exists and is configured [PLACEHOLDER] + remarks: Prevent unauthorized and unintended information transfer via shared system resources. + uuid: 86bc4fb7-f91b-4f2c-b914-65427951018c + - control-id: sc-7.4 + description: |- # Control Implementation - Locality-weighted load balancing allows administrators to control the distribution of traffic to endpoints based on the localities of where the traffic originates and where it will terminate. - These localities are specified using arbitrary labels that designate a hierarchy of localities in {region}/{zone}/{sub-zone} form. - If the goal of the operator is not to distribute load across zones and regions but rather to restrict the region of failover to meet other operational requirements an operator can set a ‘failover’ policy instead of a ‘distribute’ policy. - - remarks: This control is fully implemented by this tool. - - - uuid: 35490063-9fc5-4ea7-ae6e-4ef25fbf2d5a - control-id: sc-7.21 - description: >- - # Control Description - Employ boundary protection mechanisms to isolate [Assignment: organization-defined system components] supporting [Assignment: organization-defined missions and/or business functions]. 
-
+ Istio is configured to provide managed interfaces for external telecommunication services, establish traffic flow policies, and protect the confidentiality and integrity of transmitted information. It also prevents unauthorized exchange of control plane traffic and filters unauthorized control plane traffic.
+ links:
+ - href: "#67456ae8-4505-4c93-b341-d977d90cb125"
+ rel: lula
+ text: Check that Istio is healthy
+ - href: "#570e2dc7-e6c2-4ad5-8ea3-f07974f59747"
+ rel: lula
+ text: Resources in namespaces can securely communicate with Istio control plane via network policies
+ - href: "#fbd877c8-d6b6-4d88-8685-2c4aaaab02a1"
+ rel: lula
+ text: Validates that Istio is used to authorize access to Keycloak admin console only from admin gateway
+ - href: "#b0a8f21e-b12f-47ea-a967-2f4a3ec69e44"
+ rel: lula
+ text: Validates that Istio Gateways are available and expected VirtualServices using each Gateway.
+ remarks: "(a) Implement a managed interface for each external telecommunication service; (b) Establish a traffic flow policy for each managed interface; (c) Protect the confidentiality and integrity of the information being transmitted across each interface; (d) Document each exception to the traffic flow policy with a supporting mission or business need and duration of that need; (e) Review exceptions to the traffic flow policy [Assignment: organization-defined frequency] and remove exceptions that are no longer supported by an explicit mission or business need; (f) Prevent unauthorized exchange of control plane traffic with external networks; (g) Publish information to enable remote networks to detect unauthorized control plane traffic from internal networks; and (h) Filter unauthorized control plane traffic from external networks."
+ uuid: 85df9e6c-3d94-4c60-9a20-8c481831f1e0 + - control-id: sc-7.8 + description: |- # Control Implementation - Multi-mesh deployments facilitate division of a system into subsystems with different security and compliance requirements, and facilitate the boundary protection. - You put each subsystem into a separate service mesh, preferably on a separate network. You connect the Istio meshes using gateways. The gateways monitor and control cross-mesh traffic at the boundary of each mesh. - Istio isolation boundaries can run multiple TSB-managed Istio environments within a Kubernetes cluster, or spanning several clusters. - These Istio environments are isolated from each other in terms of service discovery and config distribution. - - remarks: This control is fully implemented by this tool. - - - uuid: d07f799b-d95c-461e-ae03-4f174ada99bb - control-id: sc-7.25 - description: >- - # Control Description - Prohibit the direct connection of [Assignment: organization-defined unclassified national security system] to an external network without the use of [Assignment: organization-defined boundary protection device]. - + is configured to route internal communications traffic to external networks through authenticated proxy servers at managed interfaces, using its Egress Gateway. + links: + - href: "#67456ae8-4505-4c93-b341-d977d90cb125" + rel: lula + text: Check that Istio is healthy + - href: "#ecdb90c7-971a-4442-8f29-a8b0f6076bc9" + rel: lula + text: Egress Gateway exists and is configured [PLACEHOLDER] + - href: "#19faf69a-de74-4b78-a628-64a9f244ae13" + rel: lula + text: Check that external traffic is managed [PLACEHOLDER] + remarks: "Route [Assignment: organization-defined internal communications traffic] to [Assignment: organization-defined external networks] through authenticated proxy servers at managed interfaces." 
+ uuid: 4b930af3-ae84-43ff-b751-448fe1c2eec8 + - control-id: sc-7.20 + description: |- # Control Implementation - All outbound traffic from an Istio-enabled pod is redirected to its sidecar proxy by default, accessibility of URLs outside of the cluster depends on the configuration of the proxy. - By default, Istio configures the Envoy proxy to pass through requests for unknown services. Although this provides a convenient way to get started with Istio, configuring stricter control is usually preferable. - Egress gateways can limit how traffic flows to external services outside of the information system under control. - Istio can be configured to extract end-user credentials from requests for authentication (either locally, or forwarding them on to an external authorization service), and to disallow requests without authentication tokens. - - remarks: This control is fully implemented by this tool. - - - uuid: fbdaaeea-0ac4-4bbc-8b75-5b6b7da031e5 - control-id: sc-8 - description: >- - # Control Description - Protect the [Selection confidentiality AND integrity] of transmitted information. - + Istio is configured to dynamically isolate certain internal system components when necessary. This is achieved through Istio's network policies, which allow us to partition or separate system components + links: + - href: "#67456ae8-4505-4c93-b341-d977d90cb125" + rel: lula + text: Check that Istio is healthy + - href: "#ca49ac97-487a-446a-a0b7-92b20e2c83cb" + rel: lula + text: Check that Istio is enforcing mtls STRICT + - href: "#1761ac07-80dd-47d2-947e-09f67943b986" + rel: lula + text: All pods are istio injected with proxyv2 sidecar + remarks: "Provide the capability to dynamically isolate [Assignment: organization-defined system components] from other system components." + uuid: 30b49a3e-ad38-441d-8c07-5a9018848a02 + - control-id: sc-7.21 + description: |- # Control Implementation - Istio implements with global configuration. - - # How does Istio Help? 
- Istio provides encryption in transit (TLS) for all applications in the mesh. This ensures both confidentiality and integrity of communication between applications deployed in the mesh. When you deploy a FIPS verified build of Istio (e.g. from the Tetrate Istio Distribution), that encryption conforms to FIPS 140-2 requirements. When Istio is configured in STRICT mTLS mode (see AC-4), it implements the SC-8 control for all applications in the mesh. - - remarks: This control is fully implemented by this tool. - - - uuid: 3a204429-6f70-481c-8092-657cc7e79456 - control-id: sc-8.1 - description: >- - # Control Description - Implement cryptographic mechanisms to [Selection prevent unauthorized disclosure of information AND detect changes to information] during transmission. - + Istio is configured to isolate system components that perform different mission or business functions. This is achieved through Istio's network policies and mutual TLS, which allow us to control information flows and provide enhanced protection. + links: + - href: "#67456ae8-4505-4c93-b341-d977d90cb125" + rel: lula + text: Check that Istio is healthy + - href: "#ca49ac97-487a-446a-a0b7-92b20e2c83cb" + rel: lula + text: Check that Istio is enforcing mtls STRICT + - href: "#1761ac07-80dd-47d2-947e-09f67943b986" + rel: lula + text: All pods are istio injected with proxyv2 sidecar + remarks: "Employ boundary protection mechanisms to isolate [Assignment: organization-defined system components] supporting [Assignment: organization-defined missions and/or business functions]." + uuid: c9a1e9bc-3caa-44ce-a300-ecd722487987 + - control-id: sc-8 + description: |- # Control Implementation - Istio implements with global configuration. - - # How does Istio Help? - See SC-8 for full details. In short, Istio provides encryption in transit (mutual TLS) for all applications in the mesh. When you’re using TID’s FIPS verified build of Istio, then this encryption also satisfies FIPS 140-2 requirements. 
- - remarks: This control is fully implemented by this tool. - - - uuid: b044588e-77b1-4e5d-a1bb-b6b0a789c5b0 - control-id: sc-8.2 - description: >- - # Control Description - Maintain the [Selection (one or more): confidentiality; integrity] of information during preparation for transmission and during reception. - + Istio is configured to protect the confidentiality and integrity of transmitted information across both internal and external networks. This is achieved through Istio's mutual TLS, which encrypts service-to-service communication, ensuring that data in transit is not exposed to the possibility of interception and modification. + links: + - href: "#67456ae8-4505-4c93-b341-d977d90cb125" + rel: lula + text: Check that Istio is healthy + - href: "#ca49ac97-487a-446a-a0b7-92b20e2c83cb" + rel: lula + text: Check that Istio is enforcing mtls STRICT + - href: "#1761ac07-80dd-47d2-947e-09f67943b986" + rel: lula + text: All pods are istio injected with proxyv2 sidecar + remarks: "Protect the [Selection (one or more): confidentiality; integrity] of transmitted information." + uuid: 7548b4ee-e4a3-4e3c-a34b-95eccad45f92 + - control-id: sc-8.1 + description: |- # Control Implementation - Istio implements with global configuration. - - # How does Istio Help? - Istio provides encryption in transit (TLS) for all applications in the mesh. This ensures both confidentiality and integrity of communication between applications deployed in the mesh. When you deploy a FIPS verified build of Istio (e.g. from the Tetrate Istio Distribution), that encryption conforms to FIPS 140-2 requirements. When Istio is configured in STRICT mTLS mode (see AC-4), it implements the SC-8 control for all applications in the mesh. - - remarks: This control is fully implemented by this tool. 
- - - uuid: 1e4bf509-37d9-4e06-b6ac-11108e760f4c - control-id: sc-10 - description: >- - # Control Description - Terminate the network connection associated with a communications session at the end of the session or after [Assignment: no longer than ten (10) minutes for privileged sessions and no longer than fifteen (15) minutes for user sessions.] - + Istio is configured to protect the confidentiality and integrity of transmitted information across both internal and external networks. This is achieved through Istio's mutual TLS, which encrypts service-to-service communication, ensuring that data in transit is not exposed to the possibility of interception and modification. + links: + - href: "#67456ae8-4505-4c93-b341-d977d90cb125" + rel: lula + text: Check that Istio is healthy + - href: "#ca49ac97-487a-446a-a0b7-92b20e2c83cb" + rel: lula + text: Check that Istio is enforcing mtls STRICT + - href: "#1761ac07-80dd-47d2-947e-09f67943b986" + rel: lula + text: All pods are istio injected with proxyv2 sidecar + remarks: "Implement cryptographic mechanisms to [Selection (one or more): prevent unauthorized disclosure of information; detect changes to information] during transmission." + uuid: 69415B92-0490-4A14-9E0F-E1EE61951F9C + - control-id: sc-8.2 + description: |- # Control Implementation - A timeout for HTTP requests can be specified using a timeout field in a route rule. - - remarks: This control is fully implemented by this tool. - - - uuid: 042b6b8a-759e-472b-b70b-c4351b53803a - control-id: sc-13 - description: >- - # Control Description - "a. Determine the [Assignment: organization-defined cryptographic uses]; and - b. Implement the following types of cryptography required for each specified cryptographic use: [Assignment: FIPS-validated or NSA-approved cryptography]." - + Istio implements with global configuration. 
+ links: + - href: "#67456ae8-4505-4c93-b341-d977d90cb125" + rel: lula + text: Check that Istio is healthy + - href: "#ca49ac97-487a-446a-a0b7-92b20e2c83cb" + rel: lula + text: Check that Istio is enforcing mtls STRICT to ensure integrity of information sent/received + - href: "#1761ac07-80dd-47d2-947e-09f67943b986" + rel: lula + text: All pods are istio injected with proxyv2 sidecar + - href: "#fbd877c8-d6b6-4d88-8685-2c4aaaab02a1" + rel: lula + text: Validates that Istio is used to authorize access to Keycloak admin console only from admin gateway + remarks: "Maintain the [Selection (one or more): confidentiality; integrity] of information during preparation for transmission and during reception." + uuid: c158b75a-cefc-4794-b124-f1e56ff5646d + - control-id: sc-10 + description: |- # Control Implementation - Istio implements with global configuration. - - # How does Istio Help? - As outlined in the section on SC-8, Istio provides encryption in transit for all applications in the mesh. The Tetrate Istio Distribution’s FIPS Verified build is the only FIPS verified build of Istio and Envoy available, and satisfies requirements for FIPS 140-2 as well as the requirement to use the best available software for the job. - - remarks: This control is fully implemented by this tool. - - - uuid: 97cd68fc-1519-4fbc-bca2-c76c16fcc7e1 - control-id: sc-23 - description: >- - # Control Description - Protect the authenticity of communications sessions. - + Istio is configured to manage network connections associated with specific communication sessions. It can be set up to automatically terminate these connections after periods of inactivity, providing an additional layer of security. 
+ links: + - href: "#67456ae8-4505-4c93-b341-d977d90cb125" + rel: lula + text: Check that Istio is healthy + - href: "#663f5e92-6db4-4042-8b5a-eba3ebe5a622" + rel: lula + text: Istio terminates communication sessions after inactivity [PLACEHOLDER] + remarks: "Maintain the [Selection (one or more): confidentiality; integrity] of information during preparation for transmission and during reception." + uuid: 169c9ad3-0a6c-46ee-80cd-cd8cef5eca5c + - control-id: sc-13 + description: |- # Control Implementation - Istio implements with global configuration. - - # How does Istio Help? - Istio provides encryption in transit (TLS) for all applications in the mesh. This ensures both confidentiality and integrity of communication between applications deployed in the mesh. When you deploy a FIPS verified build of Istio (e.g. from the Tetrate Istio Distribution), that encryption conforms to FIPS 140-2 requirements. When Istio is configured in STRICT mTLS mode (see AC-4), it implements the SC-8 control for all applications in the mesh. - - remarks: This control is fully implemented by this tool. - - - uuid: 18df5a35-f209-47d1-84f5-346c22530a5f - control-id: sc-39 - description: >- - # Control Description - Maintain a separate execution domain for each executing system process. - + Istio provides FIPS encryption in transit for all applications in the mesh, TLS termination at ingress, and TLS origination at egress. 
+ links: + - href: "#67456ae8-4505-4c93-b341-d977d90cb125" + rel: lula + text: Check that Istio is healthy + - href: "#ca49ac97-487a-446a-a0b7-92b20e2c83cb" + rel: lula + text: Check that Istio is enforcing mtls STRICT + - href: "#fd071676-6b92-4e1c-a4f0-4c8d2bd55aed" + rel: lula + text: Istio is encrypting ingress traffic + - href: "#8be1601e-5870-4573-ab4f-c1c199944815" + rel: lula + text: Istio is providing TLS origination at egress [PLACEHOLDER] + - href: "#73434890-2751-4894-b7b2-7e583b4a8977" + rel: lula + text: System is using FIPS-compliant Istio distribution [PLACEHOLDER] + remarks: 'a. Determine the [Assignment: organization-defined cryptographic uses]; and b. Implement the following types of cryptography required for each specified cryptographic use: [Assignment: organization-defined types of cryptography for each specified cryptographic use]."' + uuid: 2bf5c525-af5f-4b8b-8349-3f6a91e0aab9 + - control-id: sc-23 + description: |- # Control Implementation - Istio’s authorization features provide mesh-, namespace-, and workload-wide access control for your workloads in the mesh. - Istio supports trust domain migration for authorization policy. This means if an Istio mesh needs to change its trust domain, the authorization policy doesn’t need to be changed manually. - - remarks: This control is fully implemented by this tool. - - - uuid: 1a778726-73cb-4335-a13d-8ca2bdb6f7d9 - control-id: si-4.22 - description: >- - # Control Description - "(a) Detect network services that have not been authorized or approved by [Assignment: organization-defined authorization or approval processes]; and - (b) [Selection (one or more): Audit; Alert [Assignment: organization-defined personnel or roles]] when detected." - + Istio is configured to protect session authenticity, establishing confidence in the ongoing identities of other parties and the validity of transmitted information. This is achieved through Istio's mutual TLS, which ensures secure communication. 
+ links: + - href: "#67456ae8-4505-4c93-b341-d977d90cb125" + rel: lula + text: Check that Istio is healthy + - href: "#ca49ac97-487a-446a-a0b7-92b20e2c83cb" + rel: lula + text: Check that Istio is enforcing mtls STRICT + remarks: "Protect the [Selection (one or more): confidentiality; integrity] of the following information at rest: [Assignment: organization-defined information at rest]. SC-28 Guidance: The organization supports the capability to use cryptographic mechanisms to protect information at rest. SC-28 Guidance: When leveraging encryption from underlying IaaS/PaaS: While some IaaS/PaaS services provide encryption by default, many require encryption to be configured, and enabled by the customer. The CSP has the responsibility to verify encryption is properly configured. SC-28 Guidance: Note that this enhancement requires the use of cryptography in accordance with SC-13." + uuid: 625bfdc1-0b20-45f3-919b-91afbac77799 + - control-id: sc-39 + description: |- # Control Implementation - Istio implements with global configuration. - - # How does Istio Help? - Istio generates logs for all network traffic - TCP connections, HTTP requests, etc. Can be configured for specific network traffic such as not authorized or approved by a system process or user. - Network event alerts can be configured by organizations need. - - remarks: This control is fully implemented by this tool. - - back-matter: - resources: - - uuid: 11d6961f-7ea3-463e-a765-8e0eddf08c4c - title: Defense Unicorns UDS Core - rlinks: - - href: https://github.com/defenseunicorns/uds-core + Istio is configured to maintain separate execution domains for each executing process. This is achieved through Istio's sidecar proxy design, where each service in the mesh has its own dedicated sidecar proxy to handle its inbound and outbound traffic. This ensures that communication between processes is controlled and one process cannot modify the executing code of another process. 
+ links: + - href: "#67456ae8-4505-4c93-b341-d977d90cb125" + rel: lula + text: Check that Istio is healthy + - href: "#1761ac07-80dd-47d2-947e-09f67943b986" + rel: lula + text: All pods are istio injected with proxyv2 sidecar + remarks: Maintain a separate execution domain for each executing system process. + uuid: f972ef8d-1eb0-403b-8db8-e65a4f4e2aaa + source: https://raw.githubusercontent.com/GSA/fedramp-automation/93ca0e20ff5e54fc04140613476fba80f08e3c7d/dist/content/rev5/baselines/json/FedRAMP_rev5_HIGH-baseline-resolved-profile_catalog.json + uuid: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c + props: + - name: framework + ns: https://docs.lula.dev/oscal/ns + value: il4 + description: | + Istio Service Mesh + purpose: Istio Service Mesh + responsible-roles: + - party-uuids: + - f3cf70f8-ba44-4e55-9ea3-389ef24847d3 + role-id: provider + title: Istio Controlplane + type: software + uuid: 81f6ec5d-9b8d-408f-8477-f8a04f493690 + metadata: + last-modified: 2024-07-16T02:47:14.949557671Z + oscal-version: 1.1.2 + parties: + - links: + - href: https://uds.defenseunicorns.com/ + rel: website + name: Unicorn Delivery Service + type: organization + uuid: f3cf70f8-ba44-4e55-9ea3-389ef24847d3 + title: Istio Controlplane + version: "20240614" + uuid: 7e3269fc-fe33-49c9-be88-6c868e21aae1 diff --git a/src/istio/values/registry1-values.yaml b/src/istio/values/registry1-values.yaml index c61aa2e9e..77a6c3375 100644 --- a/src/istio/values/registry1-values.yaml +++ b/src/istio/values/registry1-values.yaml 
@@ -1,9 +1,9 @@ pilot: - image: registry1.dso.mil/ironbank/tetrate/istio/pilot:1.22.2-tetratefips-v0 + image: registry1.dso.mil/ironbank/tetrate/istio/pilot:1.23.1-tetratefips-v0 global: proxy_init: # renovate: image=registry1.dso.mil/ironbank/tetrate/istio/proxyv2 - image: "###ZARF_REGISTRY###/ironbank/tetrate/istio/proxyv2:1.22.2-tetratefips-v0" + image: "###ZARF_REGISTRY###/ironbank/tetrate/istio/proxyv2:1.23.1-tetratefips-v0" proxy: # renovate: image=registry1.dso.mil/ironbank/tetrate/istio/proxyv2 - image: "###ZARF_REGISTRY###/ironbank/tetrate/istio/proxyv2:1.22.2-tetratefips-v0" + image: "###ZARF_REGISTRY###/ironbank/tetrate/istio/proxyv2:1.23.1-tetratefips-v0" diff --git a/src/istio/values/unicorn-values.yaml b/src/istio/values/unicorn-values.yaml index 2a19c8327..723b7a858 100644 --- a/src/istio/values/unicorn-values.yaml +++ b/src/istio/values/unicorn-values.yaml @@ -1,7 +1,9 @@ pilot: - image: cgr.dev/du-uds-defenseunicorns/istio-pilot-fips:1.22.2 + image: "cgr.dev/du-uds-defenseunicorns/istio-pilot-fips:1.23.1" global: proxy_init: - image: cgr.dev/du-uds-defenseunicorns/istio-proxy-fips:1.22.2 + # renovate: image=cgr.dev/du-uds-defenseunicorns/istio-proxy-fips + image: "###ZARF_REGISTRY###/du-uds-defenseunicorns/istio-proxy-fips:1.23.1" proxy: - image: cgr.dev/du-uds-defenseunicorns/istio-proxy-fips:1.22.2 + # renovate: image=cgr.dev/du-uds-defenseunicorns/istio-proxy-fips + image: "###ZARF_REGISTRY###/du-uds-defenseunicorns/istio-proxy-fips:1.23.1" diff --git a/src/istio/values/upstream-values.yaml b/src/istio/values/upstream-values.yaml index 750dc2fc6..262c70d4e 100644 --- a/src/istio/values/upstream-values.yaml +++ b/src/istio/values/upstream-values.yaml 
@@ -1,9 +1,9 @@ pilot: - image: "docker.io/istio/pilot:1.22.2-distroless" + image: "docker.io/istio/pilot:1.23.1-distroless" global: proxy_init: # renovate: image=docker.io/istio/proxyv2 - image: "###ZARF_REGISTRY###/istio/proxyv2:1.22.2-distroless" + image: "###ZARF_REGISTRY###/istio/proxyv2:1.23.1-distroless" proxy: # renovate: image=docker.io/istio/proxyv2 - image: "###ZARF_REGISTRY###/istio/proxyv2:1.22.2-distroless" + image: "###ZARF_REGISTRY###/istio/proxyv2:1.23.1-distroless" diff --git a/src/istio/zarf.yaml b/src/istio/zarf.yaml index d48eeee91..610a174e8 100644 --- a/src/istio/zarf.yaml +++ b/src/istio/zarf.yaml @@ -21,8 +21,8 @@ components: valuesFiles: - "values/upstream-values.yaml" images: - - "docker.io/istio/pilot:1.22.2-distroless" - - "docker.io/istio/proxyv2:1.22.2-distroless" + - "docker.io/istio/pilot:1.23.1-distroless" + - "docker.io/istio/proxyv2:1.23.1-distroless" - name: istio-controlplane required: true @@ -35,8 +35,8 @@ components: valuesFiles: - "values/registry1-values.yaml" images: - - registry1.dso.mil/ironbank/tetrate/istio/proxyv2:1.22.2-tetratefips-v0 - - registry1.dso.mil/ironbank/tetrate/istio/pilot:1.22.2-tetratefips-v0 + - registry1.dso.mil/ironbank/tetrate/istio/proxyv2:1.23.1-tetratefips-v0 + - registry1.dso.mil/ironbank/tetrate/istio/pilot:1.23.1-tetratefips-v0 - name: istio-controlplane required: true @@ -49,15 +49,15 @@ components: valuesFiles: - "values/unicorn-values.yaml" images: - - cgr.dev/du-uds-defenseunicorns/istio-pilot-fips:1.22.2 - - cgr.dev/du-uds-defenseunicorns/istio-proxy-fips:1.22.2 + - cgr.dev/du-uds-defenseunicorns/istio-pilot-fips:1.23.1 + - cgr.dev/du-uds-defenseunicorns/istio-proxy-fips:1.23.1 - name: istio-admin-gateway required: true charts: - name: gateway url: https://istio-release.storage.googleapis.com/charts - version: 1.22.2 + version: 1.23.1 releaseName: admin-ingressgateway namespace: istio-admin-gateway - name: uds-istio-config 
@@ -72,7 +72,7 @@ components: charts: - name: gateway url: https://istio-release.storage.googleapis.com/charts - version: 1.22.2 + version: 1.23.1 releaseName: tenant-ingressgateway namespace: istio-tenant-gateway - name: uds-istio-config @@ -87,7 +87,7 @@ components: charts: - name: gateway url: https://istio-release.storage.googleapis.com/charts - version: 1.22.2 + version: 1.23.1 releaseName: passthrough-ingressgateway namespace: istio-passthrough-gateway - name: uds-istio-config diff --git a/src/keycloak/chart/Chart.yaml b/src/keycloak/chart/Chart.yaml index f0e7c72be..7269f5f3e 100644 --- a/src/keycloak/chart/Chart.yaml +++ b/src/keycloak/chart/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: keycloak # renovate: datasource=docker depName=quay.io/keycloak/keycloak versioning=semver -version: 24.0.5 +version: 25.0.5 description: Open Source Identity and Access Management For Modern Applications and Services keywords: - sso diff --git a/src/keycloak/chart/templates/_helpers.tpl b/src/keycloak/chart/templates/_helpers.tpl index bb0825a07..a5ce50f28 100644 --- a/src/keycloak/chart/templates/_helpers.tpl +++ b/src/keycloak/chart/templates/_helpers.tpl @@ -89,7 +89,7 @@ Check external PostgreSQL connection information. Fails when required values are {{- else -}}{{fail "You must define \"username\", \"password\", \"database\", \"host\", and \"port\" for \"postgresql\"."}} {{- end -}} {{- default "true" "" }} -{{- else if not (empty (compact (values (omit .Values.postgresql "port")))) -}} +{{- else if not (empty (compact (values (omit .Values.postgresql "port" "internal")))) -}} {{ fail "Cannot use an external PostgreSQL Database when devMode is enabled." -}} {{- else -}} {{ default "false" "" }} diff --git a/src/keycloak/chart/templates/istio-admin.yaml b/src/keycloak/chart/templates/istio-admin.yaml index 684f63b00..54f6ff114 100644 --- a/src/keycloak/chart/templates/istio-admin.yaml +++ b/src/keycloak/chart/templates/istio-admin.yaml 
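Review bot: Adding `"internal"` to the `omit` list means `postgresql.internal.enabled: true` together with `devMode: true` now renders without error, although the `internal` block added to values.yaml in this same commit is described as requiring Keycloak not to be deployed in dev-mode. Only `egressCidr` (an empty string that `compact` already drops) needed to be tolerated, so the mapping could be checked explicitly instead of ignored: `{{- else if or .Values.postgresql.internal.enabled (not (empty (compact (values (omit .Values.postgresql "port" "internal"))))) -}}`. The helper that contains this branch begins outside the hunk, so the devMode condition it nests under is inferred from the failure message.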
@@ -12,6 +12,8 @@ spec: rules: - to: - operation: + ports: + - "8080" paths: - "/admin*" - "/realms/master*" @@ -21,6 +23,8 @@ spec: - istio-admin-gateway - to: - operation: + ports: + - "8080" paths: - /metrics* from: @@ -30,19 +34,32 @@ spec: - monitoring - to: - operation: + ports: + - "8080" paths: # Never allow anonymous client registration except from the pepr-system namespace # This is another fallback protection, as the KC policy already blocks it - "/realms/{{ .Values.realm }}/clients-registrations/*" from: - source: - notNamespaces: ["pepr-system"] + notNamespaces: + - "pepr-system" - when: - key: request.headers[istio-mtls-client-certificate] values: ["*"] + to: + - operation: + ports: + - "8080" from: - source: notNamespaces: - istio-tenant-gateway - istio-admin-gateway + {{- range .Values.additionalGatewayNamespaces }} + {{- if not (hasPrefix "istio-" .) }} + {{- fail (printf "Allowed gateway namespace '%s' must start with 'istio-'" .) }} + {{- end }} + - {{ . }} + {{- end }} {{- end }} diff --git a/src/keycloak/chart/templates/prometheusrule.yaml b/src/keycloak/chart/templates/prometheusrule.yaml index 4c33fe4f3..20ef047ac 100644 --- a/src/keycloak/chart/templates/prometheusrule.yaml +++ b/src/keycloak/chart/templates/prometheusrule.yaml @@ -4,7 +4,7 @@ apiVersion: monitoring.coreos.com/v1 kind: PrometheusRule metadata: name: {{ include "keycloak.fullname" $ }} - namespace: {{ .Release.Namespace }} + namespace: {{ $.Release.Namespace }} {{- with .annotations }} annotations: {{- range $key, $value := . }} diff --git a/src/keycloak/chart/templates/service-headless.yaml b/src/keycloak/chart/templates/service-headless.yaml index 37b530411..d5a67c2b5 100644 --- a/src/keycloak/chart/templates/service-headless.yaml +++ b/src/keycloak/chart/templates/service-headless.yaml 
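Review bot: The `/metrics*` operation in the second hunk is now pinned to port `"8080"`, but this same commit moves Keycloak's metrics and health endpoints to port 9000 (`http-metrics` in service-http.yaml, `targetPort: 9000` in uds-package.yaml), so whatever this AuthorizationPolicy enforces for `/metrics*` from namespaces other than `monitoring` no longer applies on the port that actually serves them; the policy's `action` is outside the hunk, so the intent is inferred from the `notNamespaces` shape. If that restriction is still wanted, add `- "9000"` under that operation's `ports`, or leave that one rule without a port pin. In the third hunk the rendered `- {{ . }}` for `additionalGatewayNamespaces` is unquoted while the sibling entry is `"pepr-system"`; `- {{ . | quote }}` keeps the two consistent and guards against any name YAML would retype.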
@@ -14,5 +14,13 @@ spec: port: 80 targetPort: http protocol: TCP + - name: tcp + port: 7800 + targetPort: tcp + protocol: TCP + - name: tcp-fd + port: 57800 + targetPort: tcp-fd + protocol: TCP selector: {{- include "keycloak.selectorLabels" . | nindent 4 }} diff --git a/src/keycloak/chart/templates/service-http.yaml b/src/keycloak/chart/templates/service-http.yaml index bb2bd1c42..d3be8dd2e 100644 --- a/src/keycloak/chart/templates/service-http.yaml +++ b/src/keycloak/chart/templates/service-http.yaml @@ -27,5 +27,9 @@ spec: port: 8080 targetPort: http protocol: TCP + - name: http-metrics + port: 9000 + targetPort: metrics + protocol: TCP selector: {{- include "keycloak.selectorLabels" . | nindent 4 }} diff --git a/src/keycloak/chart/templates/statefulset.yaml b/src/keycloak/chart/templates/statefulset.yaml index 0041a8d99..4e4521381 100644 --- a/src/keycloak/chart/templates/statefulset.yaml +++ b/src/keycloak/chart/templates/statefulset.yaml @@ -72,9 +72,15 @@ spec: # This will only import the realm if it does not exist - "--import-realm" - "--features=preview" + - "--proxy-headers=xforwarded" + - "--http-enabled=true" + - "--hostname-strict=false" + {{- if .Values.jsonLogFormat }} + - "--log-console-output=json" + {{- end }} envFrom: - secretRef: - name: {{ include "keycloak.fullname" . }}-realm-env + name: {{ include "keycloak.fullname" . }}-realm-env env: # Common configuration - name: UDS_DOMAIN @@ -88,18 +94,8 @@ spec: # Enable access log - name: QUARKUS_HTTP_ACCESS_LOG_ENABLED - value: "true" - - # Hostname strict is not needed when used with Istio - - name: KC_HOSTNAME_STRICT - value: "false" - - name: KC_HOSTNAME_STRICT_HTTPS - value: "false" - - # Set the proxy type to edge to avoid weird Keycloak behavior - - name: KC_PROXY - value: edge - + value: "true" + # X509 configuration - name: KC_HTTPS_CLIENT_AUTH value: request 
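Review bot: `--proxy-headers=xforwarded` in the statefulset hunk makes Keycloak derive scheme and hostname from `X-Forwarded-*` headers on any request reaching port 8080, and the uds-package.yaml hunk in this commit keeps backchannel ingress to 8080 open from `Anywhere`; combined with `--hostname-strict=false`, the URLs Keycloak builds are only as trustworthy as the headers the sidecar and gateways forward, so the assumption deserves a comment, e.g. `# Trust X-Forwarded-* headers: the Istio gateway/sidecar is the only expected proxy in front of 8080`. It is worth confirming that the gateways overwrite rather than append client-supplied `X-Forwarded-Host`/`X-Forwarded-Proto`. The container `args` list begins outside the hunk; the following hunk removes the `KC_PROXY`/`KC_HOSTNAME_STRICT` env entries these flags replace, which is consistent.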
@@ -133,7 +129,7 @@ spec: # java opts for jgroups required for infinispan distributed cache when using the kubernetes stack. # https://www.keycloak.org/server/caching - name: JAVA_OPTS_APPEND - value: -Djgroups.dns.query={{ include "keycloak.fullname" . }}-headless + value: -Djgroups.dns.query={{ include "keycloak.fullname" . }}-headless.keycloak.svc.cluster.local # Postgres database configuration - name: KC_DB @@ -186,10 +182,19 @@ spec: - name: http containerPort: 8080 protocol: TCP + - name: tcp + containerPort: 7800 + protocol: TCP + - name: tcp-fd + containerPort: 57800 + protocol: TCP + - name: metrics + containerPort: 9000 + protocol: TCP livenessProbe: httpGet: path: /health/live - port: http + port: metrics scheme: HTTP failureThreshold: 15 timeoutSeconds: 2 @@ -198,7 +203,7 @@ spec: readinessProbe: httpGet: path: /health/ready - port: http + port: metrics scheme: HTTP failureThreshold: 15 timeoutSeconds: 2 diff --git a/src/keycloak/chart/templates/uds-package.yaml b/src/keycloak/chart/templates/uds-package.yaml index 27afba03f..2c1c52e47 100644 --- a/src/keycloak/chart/templates/uds-package.yaml +++ b/src/keycloak/chart/templates/uds-package.yaml @@ -10,8 +10,8 @@ spec: app.kubernetes.io/component: http podSelector: app.kubernetes.io/name: keycloak - targetPort: 8080 - portName: http + targetPort: 9000 + portName: http-metrics description: Metrics network: @@ -26,7 +26,7 @@ spec: port: 8080 # Temp workaround for any cluster pod - # @todo: remove this once cluster pods is a remote generated target + # todo: remove this once cluster pods is a remote generated target - description: "Keycloak backchannel access" direction: Ingress selector: @@ -34,6 +34,7 @@ spec: remoteGenerated: Anywhere port: 8080 + # Keycloak OCSP to check certs cannot guarantee a static IP - description: "OCSP Lookup" direction: Egress selector: 
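Review bot: The jgroups DNS query in the first hunk hard-codes `.keycloak.svc.cluster.local`, so cluster discovery breaks if the chart is released into another namespace or into a cluster whose domain is not `cluster.local`, while the rest of this commit derives the namespace from the release (`$.Release.Namespace` in prometheusrule.yaml) and the values schema it adds lists a `clusterDomain` value. Suggested line: `value: -Djgroups.dns.query={{ include "keycloak.fullname" . }}-headless.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain | default "cluster.local" }}`. The env list this entry belongs to begins outside the hunk.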
@@ -58,7 +59,28 @@ spec: selector: app.kubernetes.io/name: keycloak port: {{ .Values.postgresql.port }} + {{- if .Values.postgresql.internal.enabled }} + remoteSelector: {{ .Values.postgresql.internal.remoteSelector }} + remoteNamespace: {{ .Values.postgresql.internal.remoteNamespace }} + {{- else if .Values.postgresql.egressCidr }} + remoteCidr: {{ .Values.postgresql.egressCidr }} + {{- else }} remoteGenerated: Anywhere + {{- end }} + {{- end }} + + {{- if .Values.autoscaling.enabled }} + # HA for keycloak + - direction: Ingress + remoteGenerated: IntraNamespace + ports: + - 7800 + - 57800 + - direction: Egress + remoteGenerated: IntraNamespace + ports: + - 7800 + - 57800 {{- end }} expose: @@ -82,7 +104,7 @@ spec: - name: redirect-metrics uri: prefix: /metrics - rewrite: + redirect: uri: "/realms/{{ .Values.realm }}/account" headers: request: diff --git a/src/keycloak/chart/values.schema.json b/src/keycloak/chart/values.schema.json new file mode 100644 index 000000000..f05bdc3a8 --- /dev/null +++ b/src/keycloak/chart/values.schema.json 
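Review bot: `remoteSelector: {{ .Values.postgresql.internal.remoteSelector }}` renders a Go map, not YAML: the default `{}` becomes `map[]` and a populated selector becomes `map[app.kubernetes.io/name:postgres]`, which the Package CRD will reject or read as a string. Structured values need `toYaml` with explicit indentation, e.g. `remoteSelector: {{- toYaml .Values.postgresql.internal.remoteSelector | nindent 8 }}` with the indent matching the sibling keys of that list entry (not recoverable from the collapsed hunk). The same pattern appears in the Loki uds-package.yaml hunk with `.Values.storage.internal.remoteSelector`. The `remoteNamespace` and `remoteCidr` lines are plain scalars and render correctly.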
@@ -0,0 +1,416 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "type": "object", + "additionalProperties": false, + "properties": { + "affinity": { + "type": "string" + }, + "additionalGatewayNamespaces": { + "type": "array", + "items": { + "type": "string" + } + }, + "autoscaling": { + "type": "object", + "properties": { + "behavior": { + "type": "object", + "properties": { + "scaleDown": { + "type": "object", + "properties": { + "policies": { + "type": "array", + "items": { + "type": "object", + "properties": { + "periodSeconds": { + "type": "number" + }, + "type": { + "type": "string" + }, + "value": { + "type": "number" + } + } + } + }, + "stabilizationWindowSeconds": { + "type": "number" + } + } + }, + "scaleUp": { + "type": "object", + "properties": { + "policies": { + "type": "array", + "items": { + "type": "object", + "properties": { + "periodSeconds": { + "type": "number" + }, + "type": { + "type": "string" + }, + "value": { + "type": "number" + } + } + } + }, + "stabilizationWindowSeconds": { + "type": "number" + } + } + } + } + }, + "enabled": { + "type": "boolean" + }, + "labels": { + "type": "object", + "properties": {} + }, + "maxReplicas": { + "type": "number" + }, + "metrics": { + "type": "array", + "items": { + "type": "object", + "properties": { + "resource": { + "type": "object", + "properties": { + "name": { + "type": "string" + }, + "target": { + "type": "object", + "properties": { + "averageUtilization": { + "type": "number" + }, + "type": { + "type": "string" + } + } + } + } + }, + "type": { + "type": "string" + } + } + } + }, + "minReplicas": { + "type": "number" + } + } + }, + "clusterDomain": { + "type": "string" + }, + "configImage": { + "type": "string" + }, + "debugMode": { + "type": "boolean" + }, + "devMode": { + "type": "boolean" + }, + "domain": { + "type": "string" + }, + "enableServiceLinks": { + "type": "boolean" + }, + "fips": { + "type": "boolean" + }, + "image": { + "type": "object", + "properties": { + 
"pullPolicy": { + "type": "string" + }, + "repository": { + "type": "string" + }, + "tag": { + "type": "string" + } + } + }, + "insecureAdminPasswordGeneration": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "username": { + "type": "string" + } + } + }, + "jsonLogFormat": { + "type": "boolean" + }, + "nodeSelector": { + "type": "object", + "properties": {} + }, + "persistence": { + "type": "object", + "properties": { + "accessMode": { + "type": "string" + }, + "conf": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "size": { + "type": "string" + } + } + }, + "data": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "size": { + "type": "string" + } + } + }, + "providers": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "size": { + "type": "string" + } + } + }, + "storageClassName": { + "type": "string" + }, + "themes": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "size": { + "type": "string" + } + } + } + } + }, + "podDisruptionBudget": { + "type": "object", + "properties": {} + }, + "podLabels": { + "type": "object", + "properties": {} + }, + "podManagementPolicy": { + "type": "string" + }, + "podSecurityContext": { + "type": "object", + "properties": {} + }, + "postgresql": { + "type": "object", + "properties": { + "database": { + "type": "string" + }, + "host": { + "type": "string" + }, + "password": { + "type": "string" + }, + "port": { + "type": "number" + }, + "username": { + "type": "string" + } + } + }, + "priorityClassName": { + "type": "string" + }, + "prometheusRule": { + "type": "object", + "properties": { + "annotations": { + "type": "object", + "properties": {} + }, + "enabled": { + "type": "boolean" + }, + "labels": { + "type": "object", + "properties": {} + }, + "rules": { + "type": "array", + "items": {} + } + } + }, + "realm": { + "type": "string" + }, + "realmInitEnv": { + 
"type": "object", + "properties": { + "GOOGLE_IDP_ENABLED": { + "type": "boolean" + } + } + }, + "resources": { + "type": "object", + "properties": { + "limits": { + "type": "object", + "properties": { + "cpu": { + "type": "string" + }, + "memory": { + "type": "string" + } + } + }, + "requests": { + "type": "object", + "properties": { + "cpu": { + "type": "string" + }, + "memory": { + "type": "string" + } + } + } + } + }, + "restartPolicy": { + "type": "string" + }, + "securityContext": { + "type": "object", + "properties": {} + }, + "service": { + "type": "object", + "properties": { + "labels": { + "type": "object", + "properties": {} + }, + "sessionAffinity": { + "type": "string" + }, + "sessionAffinityConfig": { + "type": "object", + "properties": {} + } + } + }, + "serviceMonitor": { + "type": "object", + "properties": { + "annotations": { + "type": "object", + "properties": {} + }, + "enabled": { + "type": "boolean" + }, + "interval": { + "type": "string" + }, + "labels": { + "type": "object", + "properties": {} + }, + "namespace": { + "type": "string" + }, + "namespaceSelector": { + "type": "object", + "properties": {} + }, + "path": { + "type": "string" + }, + "port": { + "type": "string" + }, + "scheme": { + "type": "string" + }, + "scrapeTimeout": { + "type": "string" + }, + "tlsConfig": { + "type": "object", + "properties": {} + } + } + }, + "smtp": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "port": { + "type": "number" + } + } + }, + "statefulsetLabels": { + "type": "object", + "properties": {} + }, + "terminationGracePeriodSeconds": { + "type": "number" + }, + "tolerations": { + "type": "array", + "items": {} + }, + "topologySpreadConstraints": { + "type": "null" + }, + "updateStrategy": { + "type": "string" + } + } +} diff --git a/src/keycloak/chart/values.yaml b/src/keycloak/chart/values.yaml index 011f4814e..9a6f5de0d 100644 --- a/src/keycloak/chart/values.yaml +++ b/src/keycloak/chart/values.yaml 
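Review bot: `"topologySpreadConstraints": {"type": "null"}` and `"affinity": {"type": "string"}` only describe the empty defaults, so a user who sets real spread constraints or an affinity mapping gets a schema validation failure at install; these should be `"type": "array"` and `"type": "object"` (or a union that still admits the empty default). The `postgresql` entry also stops at `username`, so the `internal` and `egressCidr` keys added to values.yaml in this commit are accepted but undocumented by the schema. This looks like generator output, so the fix may belong in whatever produces it rather than by hand.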
@@ -2,16 +2,22 @@ image: # The Keycloak image repository repository: quay.io/keycloak/keycloak # Overrides the Keycloak image tag whose default is the chart appVersion - tag: "24.0.5" + tag: "25.0.5" # The Keycloak image pull policy pullPolicy: IfNotPresent # renovate: datasource=github-tags depName=defenseunicorns/uds-identity-config versioning=semver -configImage: ghcr.io/defenseunicorns/uds/identity-config:0.5.0 +configImage: ghcr.io/defenseunicorns/uds/identity-config:0.6.3 # The public domain name of the Keycloak server domain: "###ZARF_VAR_DOMAIN###" +# Additional Istio Gateways that expose Keycloak, to allow for client cert usage +# A prefix of `istio-` is required for namespaces to prevent accidental misconfiguration +additionalGatewayNamespaces: [] +# Example +# - "istio-login-gateway" + # The primary Keycloak realm realm: uds @@ -61,6 +67,9 @@ devMode: true # Enable debug logging for keycloak and quarkus debugMode: false +# Enable JSON logging format for Keycloak +jsonLogFormat: true + # Enable SMTP networkPolicy and config smtp: enabled: false @@ -165,6 +174,12 @@ postgresql: host: "" # Port the database is listening on port: 5432 + egressCidr: "" + # Configure internal postgresql deployment, requires keycloak not be deployed in dev-mode + internal: + enabled: false + remoteSelector: {} + remoteNamespace: "" serviceMonitor: # If `true`, a ServiceMonitor resource for the prometheus-operator is created @@ -184,7 +199,7 @@ serviceMonitor: # The path at which metrics are served path: /metrics # The Service port at which metrics are served - port: http + port: metrics # added by Big Bang to support Istio mTLS scheme: "" tlsConfig: {} diff --git a/src/keycloak/common/zarf.yaml b/src/keycloak/common/zarf.yaml index 2c9f443f2..4740b8a39 100644 --- a/src/keycloak/common/zarf.yaml +++ b/src/keycloak/common/zarf.yaml 
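Review bot: `egressCidr: ""` in the third hunk is the only new key in the `postgresql` block without a comment, while every neighbouring key is documented; from the uds-package.yaml template in this commit it narrows the database egress policy to a CIDR and falls back to `Anywhere` when empty, so `# Restrict database egress to this CIDR; leave empty to allow egress anywhere` above it would tell operators what it does. The `internal` comment could likewise say what `remoteSelector` is matched against (presumably the labels of the in-cluster PostgreSQL pods).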
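Review bot: `port: metrics` in the last hunk names a Service port, but the only port 9000 this commit adds to a Service is named `http-metrics` (service-http.yaml), and uds-package.yaml uses `portName: http-metrics`; unless the ServiceMonitor template targets a Service not shown here, `port: metrics` matches nothing and scraping silently stops. If the 9000 port is intended, `port: http-metrics` keeps the three files consistent.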
@@ -10,7 +10,7 @@ components: - name: keycloak namespace: keycloak # renovate: datasource=docker depName=quay.io/keycloak/keycloak versioning=semver - version: 24.0.5 + version: 25.0.5 localPath: ../chart actions: onDeploy: @@ -19,7 +19,7 @@ components: maxTotalSeconds: 300 wait: cluster: - kind: Packages + kind: packages.uds.dev name: keycloak namespace: keycloak condition: "'{.status.phase}'=Ready" diff --git a/src/keycloak/tasks.yaml b/src/keycloak/tasks.yaml index 1b6739b58..e8513a206 100644 --- a/src/keycloak/tasks.yaml +++ b/src/keycloak/tasks.yaml @@ -1,5 +1,5 @@ includes: - - config: https://raw.githubusercontent.com/defenseunicorns/uds-identity-config/v0.4.5/tasks.yaml + - config: https://raw.githubusercontent.com/defenseunicorns/uds-identity-config/v0.6.3/tasks.yaml tasks: - name: validate diff --git a/src/keycloak/values/registry1-values.yaml b/src/keycloak/values/registry1-values.yaml index dd9f5ad88..c94809ed6 100644 --- a/src/keycloak/values/registry1-values.yaml +++ b/src/keycloak/values/registry1-values.yaml @@ -1,6 +1,6 @@ image: repository: registry1.dso.mil/ironbank/opensource/keycloak/keycloak - tag: "24.0.5" + tag: "25.0.5" podSecurityContext: fsGroup: 2000 securityContext: diff --git a/src/keycloak/values/unicorn-values.yaml b/src/keycloak/values/unicorn-values.yaml index 571b6eba2..d3c178aa2 100644 --- a/src/keycloak/values/unicorn-values.yaml +++ b/src/keycloak/values/unicorn-values.yaml @@ -1,3 +1,5 @@ +podSecurityContext: + fsGroup: 65532 image: repository: cgr.dev/du-uds-defenseunicorns/keycloak - tag: "24.0.5" + tag: "25.0.5" diff --git a/src/keycloak/values/upstream-values.yaml b/src/keycloak/values/upstream-values.yaml index 10aaf74cd..ac9fc21ce 100644 --- a/src/keycloak/values/upstream-values.yaml +++ b/src/keycloak/values/upstream-values.yaml @@ -2,4 +2,4 @@ podSecurityContext: fsGroup: 1000 image: repository: quay.io/keycloak/keycloak - tag: "24.0.5" + tag: "25.0.5" 
diff --git a/src/keycloak/zarf.yaml b/src/keycloak/zarf.yaml index 25f4d26db..91c498e26 100644 --- a/src/keycloak/zarf.yaml +++ b/src/keycloak/zarf.yaml @@ -20,8 +20,8 @@ components: valuesFiles: - "values/upstream-values.yaml" images: - - quay.io/keycloak/keycloak:24.0.5 - - ghcr.io/defenseunicorns/uds/identity-config:0.5.0 + - quay.io/keycloak/keycloak:25.0.5 + - ghcr.io/defenseunicorns/uds/identity-config:0.6.3 - name: keycloak required: true @@ -36,8 +36,8 @@ components: valuesFiles: - "values/registry1-values.yaml" images: - - registry1.dso.mil/ironbank/opensource/keycloak/keycloak:24.0.5 - - ghcr.io/defenseunicorns/uds/identity-config:0.5.0 + - registry1.dso.mil/ironbank/opensource/keycloak/keycloak:25.0.5 + - ghcr.io/defenseunicorns/uds/identity-config:0.6.3 - name: keycloak required: true @@ -50,5 +50,5 @@ components: valuesFiles: - "values/unicorn-values.yaml" images: - - cgr.dev/du-uds-defenseunicorns/keycloak:24.0.5 # todo: switch to FIPS image - - ghcr.io/defenseunicorns/uds/identity-config:0.5.0 + - cgr.dev/du-uds-defenseunicorns/keycloak:25.0.5 # todo: switch to FIPS image + - ghcr.io/defenseunicorns/uds/identity-config:0.6.3 diff --git a/src/loki/chart/templates/uds-package.yaml b/src/loki/chart/templates/uds-package.yaml index 8f30a3d0c..a04557a51 100644 --- a/src/loki/chart/templates/uds-package.yaml +++ b/src/loki/chart/templates/uds-package.yaml @@ -31,7 +31,6 @@ spec: app.kubernetes.io/name: prometheus ports: - 3100 - - 8080 description: "Prometheus Metrics" - direction: Ingress 
@@ -44,15 +43,16 @@ spec: - 8080 description: "Promtail Log Storage" - # Todo: wide open for now for pushing to s3 + # Egress for S3 connections - direction: Egress selector: app.kubernetes.io/name: loki + description: Storage + {{- if .Values.storage.internal.enabled }} + remoteSelector: {{ .Values.storage.internal.remoteSelector }} + remoteNamespace: {{ .Values.storage.internal.remoteNamespace }} + {{- else if .Values.storage.egressCidr }} + remoteCidr: {{ .Values.storage.egressCidr }} + {{- else }} remoteGenerated: Anywhere - - - direction: Egress - remoteNamespace: tempo - remoteSelector: - app.kubernetes.io/name: tempo - port: 9411 - description: "Tempo" + {{- end }} diff --git a/src/loki/chart/values.yaml b/src/loki/chart/values.yaml index e69de29bb..fbb557b5a 100644 --- a/src/loki/chart/values.yaml +++ b/src/loki/chart/values.yaml @@ -0,0 +1,6 @@ +storage: + internal: + enabled: false + remoteSelector: {} + remoteNamespace: "" + egressCidr: "" diff --git a/src/loki/common/zarf.yaml b/src/loki/common/zarf.yaml index 35376a992..28750e2d6 100644 --- a/src/loki/common/zarf.yaml +++ b/src/loki/common/zarf.yaml @@ -13,7 +13,7 @@ components: localPath: ../chart - name: loki url: https://grafana.github.io/helm-charts/ - version: 5.47.1 + version: 6.12.0 namespace: loki valuesFiles: - ../values/values.yaml @@ -24,7 +24,7 @@ components: maxTotalSeconds: 300 wait: cluster: - kind: Packages + kind: packages.uds.dev name: loki namespace: loki condition: "'{.status.phase}'=Ready" diff --git a/src/loki/oscal-component.yaml b/src/loki/oscal-component.yaml index 4faecc474..62245b436 100644 --- a/src/loki/oscal-component.yaml +++ b/src/loki/oscal-component.yaml @@ -4,7 +4,7 @@ component-definition: title: Loki Component last-modified: "2024-01-18T20:36:22Z" version: "20240118" - oscal-version: 1.1.1 + oscal-version: 1.1.2 parties: - uuid: f3cf70f8-ba44-4e55-9ea3-389ef24847d3 type: organization 
@@ -187,7 +187,10 @@ component-definition: Provides time-series event compilation capabilities. remarks: This control is fully implemented by this tool. - + props: + - name: framework + ns: https://docs.lula.dev/oscal/ns + value: il4 back-matter: resources: - uuid: b989384f-54c9-4bb9-8cbd-ae993f8f6e0b diff --git a/src/loki/values/registry1-values.yaml b/src/loki/values/registry1-values.yaml index 2d742b29f..900772e53 100644 --- a/src/loki/values/registry1-values.yaml +++ b/src/loki/values/registry1-values.yaml @@ -2,7 +2,7 @@ loki: image: registry: registry1.dso.mil repository: ironbank/opensource/grafana/loki - tag: 2.9.6 + tag: 3.1.1 podSecurityContext: fsGroup: 10001 runAsGroup: 10001 @@ -19,4 +19,8 @@ gateway: image: registry: registry1.dso.mil repository: ironbank/opensource/nginx/nginx-alpine - tag: 1.25.3 + tag: 1.26.2 +memcached: + image: + repository: registry1.dso.mil/ironbank/opensource/memcached/memcached + tag: 1.6.31 diff --git a/src/loki/values/unicorn-values.yaml b/src/loki/values/unicorn-values.yaml index 20df5327b..309753bee 100644 --- a/src/loki/values/unicorn-values.yaml +++ b/src/loki/values/unicorn-values.yaml @@ -2,9 +2,13 @@ loki: image: registry: cgr.dev repository: du-uds-defenseunicorns/loki - tag: 2.9.8 + tag: 3.1.1 gateway: image: registry: cgr.dev repository: du-uds-defenseunicorns/nginx-fips - tag: 1.27.0 + tag: 1.27.1 +memcached: + image: + repository: cgr.dev/du-uds-defenseunicorns/memcached + tag: 1.6.31 diff --git a/src/loki/values/upstream-values.yaml b/src/loki/values/upstream-values.yaml index deaa6c7b8..a7ebd51df 100644 --- a/src/loki/values/upstream-values.yaml +++ b/src/loki/values/upstream-values.yaml @@ -2,10 +2,16 @@ loki: image: registry: docker.io repository: grafana/loki - tag: 2.9.6 + tag: 3.1.1 gateway: image: registry: docker.io repository: nginxinc/nginx-unprivileged - tag: 1.25-alpine + tag: 1.27-alpine + +memcached: + image: + registry: docker.io + repository: memcached + tag: 1.6.31-alpine 
diff --git a/src/loki/values/values.yaml b/src/loki/values/values.yaml index 7a72c1790..99717b712 100644 --- a/src/loki/values/values.yaml +++ b/src/loki/values/values.yaml @@ -14,8 +14,17 @@ memberlist: service: publishNotReadyAddresses: true +chunksCache: + enabled: false + +resultsCache: + enabled: false + loki: configStorageType: Secret + # Disable telemetry that doesn't function in the airgap + analytics: + reporting_enabled: false storage: bucketNames: chunks: uds @@ -30,8 +39,18 @@ loki: insecure: false commonConfig: replication_factor: 1 + schemaConfig: + configs: + - from: 2022-01-11 + store: boltdb-shipper + object_store: "{{ .Values.loki.storage.type }}" + schema: v12 + index: + prefix: loki_index_ + period: 24h limits_config: split_queries_by_interval: "30m" + allow_structured_metadata: false query_scheduler: max_outstanding_requests_per_tenant: 32000 # This is the default in Loki 3.0 extraMemberlistConfig: @@ -69,6 +88,8 @@ rbac: test: enabled: false +deploymentMode: SimpleScalable + # Configuration for the single binary node(s) singleBinary: # -- Number of replicas for the single binary 
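Review bot: `from: 2022-01-11` in the second hunk is an unquoted date, which YAML 1.1 loaders read as a timestamp rather than a string; Helm happens to keep it as text, but `from: "2022-01-11"` removes the dependence on that behaviour. A short comment above `schemaConfig` explaining why `boltdb-shipper` with `schema: v12` and `allow_structured_metadata: false` are kept after the move to Loki 3.x, rather than the chart's newer defaults, would stop the next upgrader from "fixing" it in a way that could affect reading existing index data. The `loki:` block this sits in starts outside the hunk.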
@@ -110,27 +131,35 @@ sidecar: # -- Whether or not to create a sidecar to ingest rule from specific ConfigMaps and/or Secrets. enabled: false +memcachedExporter: + # -- Whether memcached metrics should be exported + enabled: false + monitoring: - enabled: true - selfMonitoring: - enabled: false - grafanaAgent: - installOperator: false - lokiCanary: - enabled: false + serviceMonitor: + enabled: true + +lokiCanary: + enabled: false + gateway: enabled: true # Remove default anti-affinity to support single node - affinity: "" + affinity: null + + # Gateway has no metrics https://github.com/grafana/loki/issues/13201 + service: + labels: + prometheus.io/service-monitor: "false" read: # Remove default anti-affinity to support single node - affinity: "" + affinity: null write: # Remove default anti-affinity to support single node - affinity: "" + affinity: null backend: # Remove default anti-affinity to support single node - affinity: "" + affinity: null diff --git a/src/loki/zarf.yaml b/src/loki/zarf.yaml index df76918b9..46d102da2 100644 --- a/src/loki/zarf.yaml +++ b/src/loki/zarf.yaml @@ -16,8 +16,9 @@ components: valuesFiles: - ./values/upstream-values.yaml images: - - docker.io/grafana/loki:2.9.6 - - docker.io/nginxinc/nginx-unprivileged:1.25-alpine + - docker.io/grafana/loki:3.1.1 + - docker.io/nginxinc/nginx-unprivileged:1.27-alpine + - docker.io/memcached:1.6.31-alpine - name: loki required: true @@ -31,8 +32,9 @@ components: valuesFiles: - ./values/registry1-values.yaml images: - - registry1.dso.mil/ironbank/opensource/grafana/loki:2.9.6 - - registry1.dso.mil/ironbank/opensource/nginx/nginx-alpine:1.25.3 + - registry1.dso.mil/ironbank/opensource/grafana/loki:3.1.1 + - registry1.dso.mil/ironbank/opensource/nginx/nginx-alpine:1.26.2 + - registry1.dso.mil/ironbank/opensource/memcached/memcached:1.6.31 - name: loki required: true 
@@ -46,5 +48,6 @@ components: valuesFiles: - ./values/unicorn-values.yaml images: - - cgr.dev/du-uds-defenseunicorns/loki:2.9.8 - - cgr.dev/du-uds-defenseunicorns/nginx-fips:1.27.0 + - cgr.dev/du-uds-defenseunicorns/loki:3.1.1 + - cgr.dev/du-uds-defenseunicorns/nginx-fips:1.27.1 + - cgr.dev/du-uds-defenseunicorns/memcached:1.6.31 diff --git a/src/metrics-server/common/zarf.yaml b/src/metrics-server/common/zarf.yaml index 2a8ecde42..9bad06c8a 100644 --- a/src/metrics-server/common/zarf.yaml +++ b/src/metrics-server/common/zarf.yaml @@ -6,7 +6,7 @@ metadata: components: - name: metrics-server - required: true + required: false # This component is optional since most k8s distros provide this out of the box charts: - name: uds-metrics-server-config namespace: metrics-server @@ -25,7 +25,7 @@ components: maxTotalSeconds: 300 wait: cluster: - kind: Packages + kind: packages.uds.dev name: metrics-server namespace: metrics-server condition: "'{.status.phase}'=Ready" diff --git a/src/metrics-server/values/registry1-values.yaml b/src/metrics-server/values/registry1-values.yaml index d9e913de6..6ef5bb83a 100644 --- a/src/metrics-server/values/registry1-values.yaml +++ b/src/metrics-server/values/registry1-values.yaml @@ -1,3 +1,3 @@ image: repository: registry1.dso.mil/ironbank/opensource/kubernetes-sigs/metrics-server - tag: "v0.7.1" + tag: "v0.7.2" diff --git a/src/metrics-server/values/unicorn-values.yaml b/src/metrics-server/values/unicorn-values.yaml index f86a8a6b6..fd874866b 100644 --- a/src/metrics-server/values/unicorn-values.yaml +++ b/src/metrics-server/values/unicorn-values.yaml @@ -1,3 +1,3 @@ image: repository: cgr.dev/du-uds-defenseunicorns/metrics-server-fips - tag: "0.7.1" + tag: "0.7.2" diff --git a/src/metrics-server/values/upstream-values.yaml b/src/metrics-server/values/upstream-values.yaml index 9e90be8a1..00f0dfcb6 100644 --- a/src/metrics-server/values/upstream-values.yaml +++ b/src/metrics-server/values/upstream-values.yaml 
@@ -1,3 +1,3 @@ image: repository: registry.k8s.io/metrics-server/metrics-server - tag: "v0.7.1" + tag: "v0.7.2" diff --git a/src/metrics-server/zarf.yaml b/src/metrics-server/zarf.yaml index bb31f8724..62c412083 100644 --- a/src/metrics-server/zarf.yaml +++ b/src/metrics-server/zarf.yaml @@ -6,7 +6,7 @@ metadata: components: - name: metrics-server - required: true + required: false only: flavor: upstream import: @@ -16,10 +16,10 @@ components: valuesFiles: - "values/upstream-values.yaml" images: - - registry.k8s.io/metrics-server/metrics-server:v0.7.1 + - registry.k8s.io/metrics-server/metrics-server:v0.7.2 - name: metrics-server - required: true + required: false only: flavor: registry1 import: @@ -29,10 +29,10 @@ components: valuesFiles: - "values/registry1-values.yaml" images: - - registry1.dso.mil/ironbank/opensource/kubernetes-sigs/metrics-server:v0.7.1 + - registry1.dso.mil/ironbank/opensource/kubernetes-sigs/metrics-server:v0.7.2 - name: metrics-server - required: true + required: false only: flavor: unicorn import: @@ -42,4 +42,4 @@ components: valuesFiles: - "values/unicorn-values.yaml" images: - - cgr.dev/du-uds-defenseunicorns/metrics-server-fips:0.7.1 + - cgr.dev/du-uds-defenseunicorns/metrics-server-fips:0.7.2 diff --git a/src/neuvector/chart/templates/_helpers.tpl b/src/neuvector/chart/templates/_helpers.tpl index 687a38f21..c8555f97b 100644 --- a/src/neuvector/chart/templates/_helpers.tpl +++ b/src/neuvector/chart/templates/_helpers.tpl 
@@ -60,3 +60,19 @@ Create the name of the service account to use {{- default "default" .Values.serviceAccount.name }} {{- end }} {{- end }} + +{{/* +Lookup existing secret key/value +*/}} +{{- define "neuvector.secrets.lookup" -}} +{{- $value := "" -}} +{{- $secretData := (lookup "v1" "Secret" .namespace .secret).data -}} +{{- if and $secretData (hasKey $secretData .key) -}} + {{- $value = index $secretData .key -}} +{{- else if .defaultValue -}} + {{- $value = .defaultValue | toString | b64enc -}} +{{- end -}} +{{- if $value -}} +{{- printf "%s" $value -}} +{{- end -}} +{{- end -}} diff --git a/src/neuvector/chart/templates/internal-cert.yaml b/src/neuvector/chart/templates/internal-cert.yaml new file mode 100644 index 000000000..d6e96a174 --- /dev/null +++ b/src/neuvector/chart/templates/internal-cert.yaml @@ -0,0 +1,18 @@ +{{- if .Values.generateInternalCert -}} +{{- $cn := "neuvector" }} +{{- $ca := genCA "neuvector" 3650 -}} +{{- $cert := genSignedCert $cn nil (list $cn) 3650 $ca -}} +{{- $name := "neuvector-internal-cert" -}} +# This secret generates a cert for internal neuvector comms since these are missing in some non-upstream images +# While these certs are long-lived, it isn't the primary method for TLS comms since Istio is ensuring mTLS with secure, rotated certificates +apiVersion: v1 +kind: Secret +metadata: + name: {{ $name }} + namespace: {{ .Release.Namespace }} +type: Opaque +data: + tls.key: {{ include "neuvector.secrets.lookup" (dict "namespace" .Release.Namespace "secret" $name "key" "tls.key" "defaultValue" $cert.Key) }} + tls.crt: {{ include "neuvector.secrets.lookup" (dict "namespace" .Release.Namespace "secret" $name "key" "tls.crt" "defaultValue" $cert.Cert) }} + ca.crt: {{ include "neuvector.secrets.lookup" (dict "namespace" .Release.Namespace "secret" $name "key" "ca.crt" "defaultValue" $ca.Cert) }} +{{- end }} 
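Review bot: The three `data` keys in internal-cert.yaml fall back independently through `neuvector.secrets.lookup`, so if an existing `neuvector-internal-cert` is missing one key (older chart version, hand-edited secret, partially applied manifest) the render keeps the surviving keys and pairs them with a freshly generated CA or key from this run, and the bundle no longer validates; nothing errors because each `include` simply returns whatever it found. Look the secret up once, reuse it only when all three keys are present, and otherwise emit the complete freshly generated set as a unit, as sketched below. It is also worth stating in the header comment that rotation is "delete the secret and upgrade", since the CA private key is intentionally not persisted and nothing else can re-sign the leaf.

```yaml
{{- $existing := (lookup "v1" "Secret" .Release.Namespace $name).data -}}
{{- $complete := and $existing (hasKey $existing "tls.key") (hasKey $existing "tls.crt") (hasKey $existing "ca.crt") -}}
# … unchanged: apiVersion/kind/metadata/type …
data:
{{- if $complete }}
  tls.key: {{ index $existing "tls.key" }}
  tls.crt: {{ index $existing "tls.crt" }}
  ca.crt: {{ index $existing "ca.crt" }}
{{- else }}
  tls.key: {{ $cert.Key | b64enc }}
  tls.crt: {{ $cert.Cert | b64enc }}
  ca.crt: {{ $ca.Cert | b64enc }}
{{- end }}
```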
diff --git a/src/neuvector/chart/templates/uds-package.yaml b/src/neuvector/chart/templates/uds-package.yaml index f9c4bd08e..1cdee101d 100644 --- a/src/neuvector/chart/templates/uds-package.yaml +++ b/src/neuvector/chart/templates/uds-package.yaml @@ -58,9 +58,12 @@ spec: # Access to SSO for OIDC - direction: Egress - remoteGenerated: Anywhere selector: app: neuvector-controller-pod + remoteSelector: + app: tenant-ingressgateway + remoteNamespace: istio-tenant-gateway + description: "SSO Provider" - direction: Egress remoteGenerated: KubeAPI @@ -79,10 +82,3 @@ spec: app: neuvector-controller-pod port: 30443 description: "Webhook" - - - direction: Egress - remoteNamespace: tempo - remoteSelector: - app.kubernetes.io/name: tempo - port: 9411 - description: "Tempo" diff --git a/src/neuvector/chart/values.yaml b/src/neuvector/chart/values.yaml index 3f206b71b..fac586fa5 100644 --- a/src/neuvector/chart/values.yaml +++ b/src/neuvector/chart/values.yaml @@ -2,3 +2,5 @@ domain: "###ZARF_VAR_DOMAIN###" grafana: enabled: false + +generateInternalCert: false diff --git a/src/neuvector/common/zarf.yaml b/src/neuvector/common/zarf.yaml index 08b370c03..b56d75371 100644 --- a/src/neuvector/common/zarf.yaml +++ b/src/neuvector/common/zarf.yaml @@ -11,7 +11,7 @@ components: charts: - name: crd url: https://neuvector.github.io/neuvector-helm/ - version: 2.7.7 + version: 2.7.9 namespace: neuvector gitPath: charts/crd - name: uds-neuvector-config 
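Review bot: The rewritten SSO egress rule narrows the controller from `remoteGenerated: Anywhere` to the `tenant-ingressgateway` pods but, unlike the `Webhook` rule further down that carries `port: 30443`, it does not restrict the port, so the controller may still reach every port the gateway exposes. If the UDS operator honors `port` on gateway-targeted egress, adding `port: 443` under `description: "SSO Provider"` completes the least-privilege intent. The rule also assumes Keycloak is reached through the tenant gateway; a one-line comment stating that assumption (e.g. `# Keycloak is exposed through the tenant gateway at sso.<domain>`) will save whoever debugs OIDC discovery failures in a deployment that routes SSO differently.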
@@ -20,18 +20,18 @@ components: localPath: ../chart - name: core url: https://neuvector.github.io/neuvector-helm/ - version: 2.7.7 + version: 2.7.9 namespace: neuvector gitPath: charts/core valuesFiles: - ../values/values.yaml - - name: monitor - url: https://neuvector.github.io/neuvector-helm/ - version: 2.7.7 - namespace: neuvector - gitPath: charts/monitor - valuesFiles: - - ../values/monitor-values.yaml + # - name: monitor + # url: https://neuvector.github.io/neuvector-helm/ + # version: 2.7.9 + # namespace: neuvector + # gitPath: charts/monitor + # valuesFiles: + # - ../values/monitor-values.yaml actions: onDeploy: after: @@ -39,7 +39,7 @@ components: maxTotalSeconds: 300 wait: cluster: - kind: Packages + kind: packages.uds.dev name: neuvector namespace: neuvector condition: "'{.status.phase}'=Ready" diff --git a/src/neuvector/oscal-component.yaml b/src/neuvector/oscal-component.yaml index b9aedd9fe..f15e9a6c4 100644 --- a/src/neuvector/oscal-component.yaml +++ b/src/neuvector/oscal-component.yaml @@ -4,7 +4,7 @@ component-definition: title: NeuVector last-modified: "2024-01-30T17:01:30Z" version: "20240130" - oscal-version: 1.1.1 + oscal-version: 1.1.2 parties: - uuid: f3cf70f8-ba44-4e55-9ea3-389ef24847d3 type: organization @@ -415,7 +415,10 @@ component-definition: NeuVector correlates configuration data and network traffic for error tracking to provide context around misconfigurations and threats in the form of actionable alerts. remarks: This control is fully implemented by this tool. - + props: + - name: framework + ns: https://docs.lula.dev/oscal/ns + value: il4 back-matter: resources: - uuid: 6ba32bca-c4e2-4f27-a99c-e5ba8251ac61 diff --git a/src/neuvector/values/registry1-monitor-values.yaml b/src/neuvector/values/registry1-monitor-values.yaml deleted file mode 100644 index f3f01b662..000000000 --- a/src/neuvector/values/registry1-monitor-values.yaml +++ /dev/null 
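Review bot: The `monitor` chart entry is commented out rather than removed, with no note of why, so the package silently loses the NeuVector prometheus-exporter (and the metrics detection and alerting may depend on) while leaving dead configuration behind. Either delete the block — the flavor-specific `*-monitor-values.yaml` files are already deleted in this commit — or keep it with a one-line reason and tracking reference, e.g. `# monitor chart disabled: <reason>; re-enable once <issue> is resolved`. A sentence in the commit description about the lost metrics would also help operators who currently scrape them.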
@@ -1,9 +0,0 @@ -registry: registry1.dso.mil -exporter: - image: - repository: ironbank/neuvector/neuvector/prometheus-exporter - tag: 5.3.2 - - containerSecurityContext: - runAsUser: 1001 - runAsGroup: 1001 diff --git a/src/neuvector/values/registry1-values.yaml b/src/neuvector/values/registry1-values.yaml index 2141356f5..ba258fce7 100644 --- a/src/neuvector/values/registry1-values.yaml +++ b/src/neuvector/values/registry1-values.yaml @@ -1,5 +1,6 @@ registry: registry1.dso.mil -tag: "5.3.3" +# renovate: datasource=docker depName=registry1.dso.mil/ironbank/neuvector/neuvector/controller versioning=docker +tag: "5.3.4" manager: image: repository: ironbank/neuvector/neuvector/manager @@ -30,6 +31,7 @@ cve: scanner: image: repository: ironbank/neuvector/neuvector/scanner + # renovate: datasource=docker depName=registry1.dso.mil/ironbank/neuvector/neuvector/scanner versioning=docker tag: "5" containerSecurityContext: capabilities: @@ -41,6 +43,7 @@ cve: enabled: true image: repository: ironbank/redhat/ubi/ubi9-minimal + # renovate: datasource=docker depName=registry1.dso.mil/ironbank/redhat/ubi/ubi9-minimal versioning=docker tag: "9.4" containerSecurityContext: capabilities: diff --git a/src/neuvector/values/unicorn-config-values.yaml b/src/neuvector/values/unicorn-config-values.yaml new file mode 100644 index 000000000..e07235598 --- /dev/null +++ b/src/neuvector/values/unicorn-config-values.yaml @@ -0,0 +1 @@ +generateInternalCert: true diff --git a/src/neuvector/values/unicorn-monitor-values.yaml b/src/neuvector/values/unicorn-monitor-values.yaml deleted file mode 100644 index 51f216b67..000000000 --- a/src/neuvector/values/unicorn-monitor-values.yaml +++ /dev/null @@ -1,5 +0,0 @@ -registry: cgr.dev -exporter: - image: - repository: du-uds-defenseunicorns/neuvector-prometheus-exporter-fips - tag: 5.3.0 diff --git a/src/neuvector/values/unicorn-values.yaml b/src/neuvector/values/unicorn-values.yaml index 4f90d4966..a0f05bd01 100644 
--- a/src/neuvector/values/unicorn-values.yaml +++ b/src/neuvector/values/unicorn-values.yaml @@ -1,5 +1,9 @@ +# Generate certs missing from unicorn images +autoGenerateCert: true + registry: cgr.dev -tag: "5.3.3" +# renovate: datasource=docker depName=cgr.dev/du-uds-defenseunicorns/neuvector-controller-fips versioning=docker +tag: "5.3.4" manager: image: repository: du-uds-defenseunicorns/neuvector-manager @@ -9,18 +13,29 @@ enforcer: repository: du-uds-defenseunicorns/neuvector-enforcer-fips containerSecurityContext: privileged: true + internal: + certificate: + secret: neuvector-internal-cert controller: image: repository: du-uds-defenseunicorns/neuvector-controller-fips + internal: + certificate: + secret: neuvector-internal-cert cve: scanner: + internal: + certificate: + secret: neuvector-internal-cert image: - repository: du-uds-defenseunicorns/neuvector-scanner-fips + registry: docker.io + repository: neuvector/scanner tag: latest updater: enabled: true image: repository: du-uds-defenseunicorns/neuvector-updater-fips - tag: 8.8.0-dev + # renovate: datasource=docker depName=cgr.dev/du-uds-defenseunicorns/neuvector-updater-fips versioning=docker + tag: 8.10.1-dev diff --git a/src/neuvector/values/upstream-monitor-values.yaml b/src/neuvector/values/upstream-monitor-values.yaml deleted file mode 100644 index 58148a492..000000000 --- a/src/neuvector/values/upstream-monitor-values.yaml +++ /dev/null @@ -1,5 +0,0 @@ -registry: docker.io -exporter: - image: - repository: neuvector/prometheus-exporter - tag: 5.3.2 diff --git a/src/neuvector/values/upstream-values.yaml b/src/neuvector/values/upstream-values.yaml index 82f78a65a..67bc9edee 100644 --- a/src/neuvector/values/upstream-values.yaml +++ b/src/neuvector/values/upstream-values.yaml @@ -1,5 +1,6 @@ registry: docker.io -tag: "5.3.3" +# renovate: datasource=docker depName=docker.io/neuvector/controller versioning=docker +tag: "5.3.4" manager: image: repository: neuvector/manager 
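Review bot: The unicorn flavor's scanner now points at `registry: docker.io` / `repository: neuvector/scanner` with `tag: latest`, while every other image in this file comes from `cgr.dev` FIPS builds; this mixes an unpinned upstream image into the FIPS flavor without comment, and `latest` means the bundle's contents change with every upstream push. If the `neuvector-scanner-fips` image is unavailable or broken for 5.3.4, say so next to the override (e.g. `# TEMP: cgr.dev scanner-fips not usable with 5.3.4, see <issue>`) and prefer a pinned tag or digest so the package is reproducible. Note also that the three `internal.certificate.secret: neuvector-internal-cert` references only resolve when `generateInternalCert: true` is set in the separate `uds-neuvector-config` chart values; a comment pointing at `unicorn-config-values.yaml` would make that cross-chart coupling visible.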
diff --git a/src/neuvector/values/values.yaml b/src/neuvector/values/values.yaml index 3ebd7891b..cafd56b35 100644 --- a/src/neuvector/values/values.yaml +++ b/src/neuvector/values/values.yaml @@ -4,12 +4,10 @@ rbac: true manager: env: ssl: false - disableFipsInJava: true svc: type: ClusterIP controller: - apisvc: type: ClusterIP configmap: @@ -29,24 +27,9 @@ controller: value: "1" cve: - scanner: - affinity: {} - updater: enabled: true -k3s: - enabled: true - runtimePath: /run/k3s/containerd/containerd.sock - -bottlerocket: - enabled: false - runtimePath: /run/dockershim.sock - -containerd: - enabled: false - path: /var/run/containerd/containerd.sock - crdwebhook: enabled: false type: ClusterIP diff --git a/src/neuvector/zarf.yaml b/src/neuvector/zarf.yaml index f64572ded..5d76af2f8 100644 --- a/src/neuvector/zarf.yaml +++ b/src/neuvector/zarf.yaml @@ -16,16 +16,12 @@ components: - name: core valuesFiles: - values/upstream-values.yaml - - name: monitor - valuesFiles: - - values/upstream-monitor-values.yaml images: - - docker.io/neuvector/controller:5.3.3 - - docker.io/neuvector/manager:5.3.3 + - docker.io/neuvector/controller:5.3.4 + - docker.io/neuvector/manager:5.3.4 - docker.io/neuvector/updater:latest - docker.io/neuvector/scanner:latest - - docker.io/neuvector/enforcer:5.3.3 - - docker.io/neuvector/prometheus-exporter:5.3.2 + - docker.io/neuvector/enforcer:5.3.4 - name: neuvector description: "Deploy Neuvector" 
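Review bot: The removed `k3s`/`bottlerocket`/`containerd` runtime-socket settings and `manager.env.disableFipsInJava: true` are dropped without a comment or commit-description line explaining what now supplies that configuration. If the 5.3.x enforcer auto-detects the container runtime socket (I believe recent versions do, but cannot confirm from this diff), a note such as `# runtime socket is auto-detected by the enforcer as of 5.3.x` at the top of the file would stop someone re-adding the block. Likewise, since the unicorn flavor now runs FIPS images, one line on why `disableFipsInJava` is no longer needed for the manager is worth keeping.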
@@ -38,16 +34,12 @@ components: - name: core valuesFiles: - values/registry1-values.yaml - - name: monitor - valuesFiles: - - values/registry1-monitor-values.yaml images: - - registry1.dso.mil/ironbank/neuvector/neuvector/controller:5.3.3 - - registry1.dso.mil/ironbank/neuvector/neuvector/manager:5.3.3 + - registry1.dso.mil/ironbank/neuvector/neuvector/controller:5.3.4 + - registry1.dso.mil/ironbank/neuvector/neuvector/manager:5.3.4 - registry1.dso.mil/ironbank/redhat/ubi/ubi9-minimal:9.4 - registry1.dso.mil/ironbank/neuvector/neuvector/scanner:5 - - registry1.dso.mil/ironbank/neuvector/neuvector/enforcer:5.3.3 - - registry1.dso.mil/ironbank/neuvector/neuvector/prometheus-exporter:5.3.2 + - registry1.dso.mil/ironbank/neuvector/neuvector/enforcer:5.3.4 - name: neuvector description: "Deploy Neuvector" 
@@ -57,32 +49,15 @@ components: import: path: common charts: - - name: core + - name: uds-neuvector-config valuesFiles: - - values/upstream-values.yaml - - name: monitor + - values/unicorn-config-values.yaml + - name: core valuesFiles: - - values/upstream-monitor-values.yaml + - values/unicorn-values.yaml images: - - docker.io/neuvector/controller:5.3.3 - - docker.io/neuvector/manager:5.3.3 - - docker.io/neuvector/updater:latest + - cgr.dev/du-uds-defenseunicorns/neuvector-manager:5.3.4 + - cgr.dev/du-uds-defenseunicorns/neuvector-enforcer-fips:5.3.4 + - cgr.dev/du-uds-defenseunicorns/neuvector-controller-fips:5.3.4 - docker.io/neuvector/scanner:latest - - docker.io/neuvector/enforcer:5.3.3 - - docker.io/neuvector/prometheus-exporter:5.3.2 - - # todo: switch to chainguard images once manager is functional - # charts: - # - name: core - # valuesFiles: - # - values/unicorn-values.yaml - # - name: monitor - # valuesFiles: - # - values/unicorn-monitor-values.yaml - # images: - # - cgr.dev/du-uds-defenseunicorns/neuvector-manager:5.3.3 - # - cgr.dev/du-uds-defenseunicorns/neuvector-enforcer-fips:5.3.3 - # - cgr.dev/du-uds-defenseunicorns/neuvector-controller-fips:5.3.3 - # - cgr.dev/du-uds-defenseunicorns/neuvector-scanner-fips:latest - # - cgr.dev/du-uds-defenseunicorns/neuvector-updater-fips:8.8.0-dev - # - cgr.dev/du-uds-defenseunicorns/neuvector-prometheus-exporter-fips:5.3.0 + - cgr.dev/du-uds-defenseunicorns/neuvector-updater-fips:8.10.1-dev diff --git a/src/pepr/config.ts b/src/pepr/config.ts index 485d2f80f..183f504d9 100644 --- a/src/pepr/config.ts +++ b/src/pepr/config.ts @@ -2,6 +2,7 @@ import { Component, setupLogger } from "./logger"; let domain = process.env.UDS_DOMAIN; let caCert = process.env.UDS_CA_CERT; +let authserviceRedisUri = process.env.AUTHSERVICE_REDIS_URI; // We need to handle `npx pepr <>` commands that will not template the env vars if (!domain || domain === "###ZARF_VAR_DOMAIN###") { 
@@ -10,6 +11,9 @@ if (!domain || domain === "###ZARF_VAR_DOMAIN###") { if (!caCert || caCert === "###ZARF_VAR_CA_CERT###") { caCert = ""; } +if (!authserviceRedisUri || authserviceRedisUri === "###ZARF_VAR_AUTHSERVICE_REDIS_URI###") { + authserviceRedisUri = ""; +} export const UDSConfig = { // Ignore the UDS_DOMAIN if not deployed by Zarf @@ -20,6 +24,9 @@ export const UDSConfig = { isSingleTest: process.env.UDS_SINGLE_TEST === "true", // Allow UDS policy exemptions to be used in any namespace allowAllNSExemptions: process.env.UDS_ALLOW_ALL_NS_EXEMPTIONS === "true", + + // Redis URI for Authservice + authserviceRedisUri, }; // configure subproject logger diff --git a/src/pepr/operator/README.md b/src/pepr/operator/README.md index 737828f60..5b95cea2d 100644 --- a/src/pepr/operator/README.md +++ b/src/pepr/operator/README.md @@ -12,7 +12,7 @@ The UDS Operator manages the lifecycle of UDS Package CRs and their correspondin #### Exemption -- allowing exemption custom resources only in the `uds-policy-exemptions` namespace unless configured to allow in all namespaces (see [configuring policy exemptions](../../../docs/CONFIGURE_POLICY_EXEMPTIONS.md)) +- allowing exemption custom resources only in the `uds-policy-exemptions` namespace unless configured to allow in all namespaces (see [configuring policy exemptions](../../../docs/configuration/uds-configure-policy-exemptions.md)) - updating the policies Pepr store with registered exemptions ### Example UDS Package CR @@ -42,13 +42,6 @@ spec: app.kubernetes.io/name: grafana remoteGenerated: Anywhere - - direction: Egress - remoteNamespace: tempo - remoteSelector: - app.kubernetes.io/name: tempo - port: 9411 - description: "Tempo" - # SSO allows for the creation of Keycloak clients and with automatic secret generation sso: - name: Grafana Dashboard diff --git a/src/pepr/operator/controllers/exemptions/exemptions.spec.ts b/src/pepr/operator/controllers/exemptions/exemptions.spec.ts index 8c276d879..270ae3002 100644 
--- a/src/pepr/operator/controllers/exemptions/exemptions.spec.ts +++ b/src/pepr/operator/controllers/exemptions/exemptions.spec.ts @@ -1,8 +1,9 @@ import { beforeEach, describe, expect, it } from "@jest/globals"; +import { WatchPhase } from "kubernetes-fluent-client/dist/fluent/types"; import { MatcherKind, Policy } from "../../crd"; import { Exemption } from "../../crd/generated/exemption-v1alpha1"; import { ExemptionStore } from "./exemption-store"; -import { WatchPhase, processExemptions } from "./exemptions"; +import { processExemptions } from "./exemptions"; const enforcerMatcher = { namespace: "neuvector", diff --git a/src/pepr/operator/controllers/exemptions/exemptions.ts b/src/pepr/operator/controllers/exemptions/exemptions.ts index a52a39723..1b3401154 100644 --- a/src/pepr/operator/controllers/exemptions/exemptions.ts +++ b/src/pepr/operator/controllers/exemptions/exemptions.ts @@ -1,14 +1,7 @@ +import { WatchPhase } from "kubernetes-fluent-client/dist/fluent/types"; import { UDSExemption } from "../../crd"; import { ExemptionStore } from "./exemption-store"; -export enum WatchPhase { - Added = "ADDED", - Modified = "MODIFIED", - Deleted = "DELETED", - Bookmark = "BOOKMARK", - Error = "ERROR", -} - // Handle adding, updating, and deleting exemptions from Policymap export function processExemptions(exemption: UDSExemption, phase: WatchPhase) { switch (phase) { diff --git a/src/pepr/operator/controllers/istio/injection.ts b/src/pepr/operator/controllers/istio/injection.ts index fa13077f1..50193ea96 100644 --- a/src/pepr/operator/controllers/istio/injection.ts +++ b/src/pepr/operator/controllers/istio/injection.ts @@ -39,6 +39,7 @@ export async function enableInjection(pkg: UDSPackage) { annotations[pkgKey] = "true"; // Apply the updated Namespace + log.debug(`Updating namespace ${pkg.metadata.namespace} with istio injection label`); await K8s(kind.Namespace).Apply( { metadata: { 
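Review bot: `WatchPhase` is now imported from `kubernetes-fluent-client/dist/fluent/types`, a compiled-output path rather than the package's public entry point, so a minor release that reorganises `dist/` will break the operator build even though the public API is unchanged. If the package re-exports the enum from its root, prefer `import { WatchPhase } from "kubernetes-fluent-client";`; if it does not, either keep the local enum or add a one-line comment noting the deliberate deep import so it is revisited on upgrades.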
@@ -52,6 +53,9 @@ export async function enableInjection(pkg: UDSPackage) { // Kill the pods if we changed the value of the istio-injection label if (originalInjectionLabel !== labels[injectionLabel]) { + log.debug( + `Attempting pod restart in ${pkg.metadata.namespace} based on istio injection label change`, + ); await killPods(pkg.metadata.namespace, true); } } @@ -86,6 +90,7 @@ export async function cleanupNamespace(pkg: UDSPackage) { } // Apply the updated Namespace + log.debug(`Updating namespace ${pkg.metadata.namespace}, removing istio injection labels.`); await K8s(kind.Namespace).Apply( { metadata: { @@ -99,6 +104,9 @@ export async function cleanupNamespace(pkg: UDSPackage) { // Kill the pods if we changed the value of the istio-injection label if (originalInjectionLabel !== labels[injectionLabel]) { + log.debug( + `Attempting pod restart in ${pkg.metadata.namespace} based on istio injection label change`, + ); await killPods(pkg.metadata.namespace, false); } } @@ -118,6 +126,7 @@ async function killPods(ns: string, enableInjection: boolean) { for (const pod of pods.items) { // Ignore pods that already have a deletion timestamp if (pod.metadata?.deletionTimestamp) { + log.debug(`Ignoring Pod ${ns}/${pod.metadata?.name}, already being deleted`); continue; } 
@@ -125,17 +134,20 @@ async function killPods(ns: string, enableInjection: boolean) { // If enabling injection, ignore pods that already have the istio sidecar if (enableInjection && foundSidecar) { + log.debug(`Ignoring Pod ${ns}/${pod.metadata?.name}, already has sidecar`); continue; } // If disabling injection, ignore pods that don't have the istio sidecar if (!enableInjection && !foundSidecar) { + log.debug(`Ignoring Pod ${ns}/${pod.metadata?.name}, injection disabled`); continue; } // Get the UID of the owner of the pod or default to "other" (shouldn't happen) const controlledBy = pod.metadata?.ownerReferences?.find(ref => ref.controller)?.uid || "other"; groups[controlledBy] = groups[controlledBy] || []; + log.debug(`Adding Pod ${ns}/${pod.metadata?.name} to ${controlledBy} deletion list.`); groups[controlledBy].push(pod); } diff --git a/src/pepr/operator/controllers/istio/virtual-service.spec.ts b/src/pepr/operator/controllers/istio/virtual-service.spec.ts index 890d0c12b..f07f6fe17 100644 --- a/src/pepr/operator/controllers/istio/virtual-service.spec.ts +++ b/src/pepr/operator/controllers/istio/virtual-service.spec.ts @@ -1,7 +1,7 @@ import { describe, expect, it } from "@jest/globals"; import { UDSConfig } from "../../../config"; -import { generateVirtualService } from "./virtual-service"; import { Expose, Gateway } from "../../crd"; +import { generateVirtualService } from "./virtual-service"; describe("test generate virtual service", () => { const ownerRefs = [ 
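Review bot: The new debug line in the `!enableInjection && !foundSidecar` branch says `injection disabled`, but that branch skips a pod because it has no sidecar to remove, so the message names the mode rather than the reason and reads as if injection had been disabled for that pod. Changing the text to `Ignoring Pod ${ns}/${pod.metadata?.name}, has no sidecar to remove` keeps it parallel with the `already has sidecar` message above. `killPods` begins and ends outside this hunk.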
@@ -109,4 +109,21 @@ describe("test generate virtual service", () => { ); expect(payload.spec!.http![0].route![0].destination?.port?.number).toEqual(port); }); + + it.only("should create a redirect VirtualService object", () => { + const gateway = Gateway.Tenant; + const expose: Expose = { + gateway, + host, + port, + service, + advancedHTTP: { redirect: { uri: "https://example.com" } }, + }; + + const payload = generateVirtualService(expose, namespace, pkgName, generation, ownerRefs); + + expect(payload).toBeDefined(); + expect(payload.spec!.http![0].route).toBeUndefined(); + expect(payload.spec!.http![0].redirect?.uri).toEqual("https://example.com"); + }); }); diff --git a/src/pepr/operator/controllers/istio/virtual-service.ts b/src/pepr/operator/controllers/istio/virtual-service.ts index 3fa892b39..983624975 100644 --- a/src/pepr/operator/controllers/istio/virtual-service.ts +++ b/src/pepr/operator/controllers/istio/virtual-service.ts @@ -40,7 +40,7 @@ export function generateVirtualService( }, ]; - if (!advancedHTTP.directResponse) { + if (!advancedHTTP.directResponse && !advancedHTTP.redirect) { // Create the route to the service if not using advancedHTTP.directResponse http.route = route; } diff --git a/src/pepr/operator/controllers/keycloak/authservice/authorization-policy.ts b/src/pepr/operator/controllers/keycloak/authservice/authorization-policy.ts index 8e48c7629..1c16fcbe4 100644 --- a/src/pepr/operator/controllers/keycloak/authservice/authorization-policy.ts +++ b/src/pepr/operator/controllers/keycloak/authservice/authorization-policy.ts @@ -6,7 +6,7 @@ import { IstioRequestAuthentication, UDSPackage, } from "../../../crd"; -import { getOwnerRef, purgeOrphans } from "../../utils"; +import { getOwnerRef, purgeOrphans, sanitizeResourceName } from "../../utils"; import { log } from "./authservice"; import { Action as AuthServiceAction, AuthServiceEvent } from "./types"; 
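Review bot: The new test in virtual-service.spec.ts is declared with `it.only(...)`, which makes Jest skip every other test in the file, so the existing VirtualService coverage is silently disabled as of this commit; change it to `it("should create a redirect VirtualService object", () => {`. In virtual-service.ts the condition is extended to `!advancedHTTP.redirect` but the comment beneath it still mentions only `directResponse`; update it to `// Create the route to the service if not using advancedHTTP.directResponse or advancedHTTP.redirect` so the two do not drift. The body of `generateVirtualService` extends beyond this hunk.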
@@ -26,7 +26,7 @@ function authserviceAuthorizationPolicy( return { kind: "AuthorizationPolicy", metadata: { - name: `${name}-authservice`, + name: sanitizeResourceName(`${name}-authservice`), namespace, }, spec: { @@ -59,7 +59,7 @@ function jwtAuthZAuthorizationPolicy( return { kind: "AuthorizationPolicy", metadata: { - name: `${name}-jwt-authz`, + name: sanitizeResourceName(`${name}-jwt-authz`), namespace, }, spec: { @@ -89,7 +89,7 @@ function authNRequestAuthentication( return { kind: "RequestAuthentication", metadata: { - name: `${name}-jwt-authn`, + name: sanitizeResourceName(`${name}-jwt-authn`), namespace, }, spec: { diff --git a/src/pepr/operator/controllers/keycloak/authservice/config.ts b/src/pepr/operator/controllers/keycloak/authservice/config.ts index eace37048..76de7630e 100644 --- a/src/pepr/operator/controllers/keycloak/authservice/config.ts +++ b/src/pepr/operator/controllers/keycloak/authservice/config.ts @@ -43,7 +43,7 @@ export async function setupAuthserviceSecret() { // this initial secret is only a placeholder until the first chain is created function buildInitialSecret(): AuthserviceConfig { - return { + const config: AuthserviceConfig = { allow_unmatched_requests: false, listen_address: "0.0.0.0", listen_port: "10003", @@ -84,6 +84,14 @@ function buildInitialSecret(): AuthserviceConfig { }), ], }; + + if (UDSConfig.authserviceRedisUri) { + config.default_oidc_config.redis_session_store_config = { + server_uri: UDSConfig.authserviceRedisUri!, + }; + } + + return config; } export async function getAuthserviceConfig() { diff --git a/src/pepr/operator/controllers/keycloak/authservice/types.ts b/src/pepr/operator/controllers/keycloak/authservice/types.ts index 9c20fdc50..1d12fcbae 100644 --- a/src/pepr/operator/controllers/keycloak/authservice/types.ts +++ b/src/pepr/operator/controllers/keycloak/authservice/types.ts 
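Review bot: `buildInitialSecret` writes `UDSConfig.authserviceRedisUri` straight into `redis_session_store_config.server_uri` without checking its scheme, and that store will hold OIDC session state (tokens) for every protected app; a plain `redis://` URI sends that state over the network in clear unless something else, such as Istio mTLS, wraps the connection. Consider logging a warning when the URI does not start with `rediss://` and documenting the expectation, e.g. `// Redis holds OIDC session tokens; supply a rediss:// (TLS) URI with auth`. The `!` in `UDSConfig.authserviceRedisUri!` is redundant inside the truthiness guard and can be dropped. The comment on `buildInitialSecret` says the secret is only a placeholder until the first chain is created, so if later chain updates rebuild the config from scratch rather than from this secret the Redis setting would be lost — worth confirming in `getAuthserviceConfig` and the update path, which lie outside this hunk.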
@@ -37,6 +37,7 @@ interface OIDCConfig { absolute_session_timeout?: string; idle_session_timeout?: string; scopes: string[]; + redis_session_store_config?: { server_uri: string }; } interface JWKSFetcher { diff --git a/src/pepr/operator/controllers/keycloak/client-sync.spec.ts b/src/pepr/operator/controllers/keycloak/client-sync.spec.ts index 1fcfab6a8..247ba7e70 100644 --- a/src/pepr/operator/controllers/keycloak/client-sync.spec.ts +++ b/src/pepr/operator/controllers/keycloak/client-sync.spec.ts @@ -1,9 +1,9 @@ import { describe, expect, it } from "@jest/globals"; import { Sso } from "../../crd"; import { + convertSsoToClient, extractSamlCertificateFromXML, generateSecretData, - handleClientGroups, } from "./client-sync"; import { Client } from "./types"; 
@@ -138,91 +138,136 @@ describe("Test Secret & Template Data Generation", () => { }); }); -describe("handleClientGroups function", () => { - it('should correctly transform groups into attributes["uds.core.groups"]', () => { - // Arrange - const ssoWithGroups: Sso = { +describe("convertSsoToClient function", () => { + it("should correctly convert a basic SSO object to a Client object", () => { + const sso: Sso = { clientId: "test-client", name: "Test Client", + }; + + const expectedClient: Partial = { + clientId: "test-client", + attributes: { "uds.core.groups": "" }, + }; + + expect(convertSsoToClient(sso)).toEqual(expectedClient); + }); + + it("should correctly convert a full SSO object to a Client object", () => { + const sso: Sso = { + alwaysDisplayInConsole: true, + attributes: { + "backchannel.logout.revoke.offline.tokens": "true", + }, + clientId: "test-client", + defaultClientScopes: ["scope1", "scope2"], + description: "Test Description", + enableAuthserviceSelector: { key: "value" }, + enabled: true, + groups: { anyOf: ["group1"] }, + name: "Test Client", + publicClient: true, redirectUris: ["https://example.com/callback"], - groups: { - anyOf: ["group1", "group2"], + rootUrl: "https://example.com", + secret: "secret", + secretName: "secretName", + secretTemplate: { templateKey: "templateValue" }, + standardFlowEnabled: true, + webOrigins: ["https://example.com"], + }; + + const expectedClient: Partial = { + clientId: "test-client", + alwaysDisplayInConsole: true, + attributes: { + "backchannel.logout.revoke.offline.tokens": "true", + "uds.core.groups": '{"anyOf":["group1"]}', }, + defaultClientScopes: ["scope1", "scope2"], + enabled: true, + publicClient: true, + redirectUris: ["https://example.com/callback"], + secret: "secret", + standardFlowEnabled: true, + webOrigins: ["https://example.com"], }; - // Act - handleClientGroups(ssoWithGroups); - - // Assert - expect(ssoWithGroups.attributes).toBeDefined(); - expect(typeof 
ssoWithGroups.attributes).toBe("object"); - expect(ssoWithGroups.attributes!["uds.core.groups"]).toEqual( - JSON.stringify({ - anyOf: ["group1", "group2"], - }), - ); - expect(ssoWithGroups.groups).toBeUndefined(); + expect(convertSsoToClient(sso)).toEqual(expectedClient); }); - it('should set attributes["uds.core.groups"] to an empty object if groups are not provided', () => { - // Arrange - const ssoWithoutGroups: Sso = { + it("should handle optional fields correctly", () => { + const sso: Sso = { clientId: "test-client", name: "Test Client", - redirectUris: ["https://example.com/callback"], + groups: { anyOf: [] }, + enabled: undefined, + protocol: undefined, }; - // Act - handleClientGroups(ssoWithoutGroups); + const expectedClient: Partial = { + clientId: "test-client", + attributes: { "uds.core.groups": '{"anyOf":[]}' }, + registrationAccessToken: undefined, + samlIdpCertificate: undefined, + }; - // Assert - expect(ssoWithoutGroups.attributes).toBeDefined(); - expect(typeof ssoWithoutGroups.attributes).toBe("object"); - expect(ssoWithoutGroups.attributes!["uds.core.groups"]).toEqual(""); - expect(ssoWithoutGroups.groups).toBeUndefined(); + expect(convertSsoToClient(sso)).toEqual(expectedClient); }); - it('should set attributes["uds.core.groups"] to an empty object if empty groups object is provided', () => { - // Arrange - const ssoWithoutGroups: Sso = { + it("should handle empty fields correctly", () => { + const sso: Sso = { clientId: "test-client", name: "Test Client", - redirectUris: ["https://example.com/callback"], - groups: {}, + attributes: {}, }; - // Act - handleClientGroups(ssoWithoutGroups); + const expectedClient: Partial = { + clientId: "test-client", + attributes: { "uds.core.groups": "" }, + }; - // Assert - expect(ssoWithoutGroups.attributes).toBeDefined(); - expect(typeof ssoWithoutGroups.attributes).toBe("object"); - expect(ssoWithoutGroups.attributes!["uds.core.groups"]).toEqual(""); - expect(ssoWithoutGroups.groups).toBeUndefined(); + 
expect(convertSsoToClient(sso)).toEqual(expectedClient); }); - it('should set attributes["uds.core.groups"] to an empty array of groups if groups.anyOf is empty array', () => { - // Arrange - const ssoWithGroups: Sso = { + it("should handle multiple groups", () => { + const sso: Sso = { + alwaysDisplayInConsole: true, + attributes: { + "backchannel.logout.revoke.offline.tokens": "true", + }, clientId: "test-client", + defaultClientScopes: ["scope1", "scope2"], + description: "Test Description", + enableAuthserviceSelector: { key: "value" }, + enabled: true, + groups: { anyOf: ["group1", "group2"] }, name: "Test Client", + publicClient: true, redirectUris: ["https://example.com/callback"], - groups: { - anyOf: [], + rootUrl: "https://example.com", + secret: "secret", + secretName: "secretName", + secretTemplate: { templateKey: "templateValue" }, + standardFlowEnabled: true, + webOrigins: ["https://example.com"], + }; + + const expectedClient: Partial = { + clientId: "test-client", + alwaysDisplayInConsole: true, + attributes: { + "backchannel.logout.revoke.offline.tokens": "true", + "uds.core.groups": '{"anyOf":["group1","group2"]}', }, + defaultClientScopes: ["scope1", "scope2"], + enabled: true, + publicClient: true, + redirectUris: ["https://example.com/callback"], + secret: "secret", + standardFlowEnabled: true, + webOrigins: ["https://example.com"], }; - // Act - handleClientGroups(ssoWithGroups); - - // Assert - expect(ssoWithGroups.attributes).toBeDefined(); - expect(typeof ssoWithGroups.attributes).toBe("object"); - expect(ssoWithGroups.attributes!["uds.core.groups"]).toEqual( - JSON.stringify({ - anyOf: [], - }), - ); - expect(ssoWithGroups.groups).toBeUndefined(); + expect(convertSsoToClient(sso)).toEqual(expectedClient); }); }); diff --git a/src/pepr/operator/controllers/keycloak/client-sync.ts b/src/pepr/operator/controllers/keycloak/client-sync.ts index da2042370..3aa891554 100644 --- a/src/pepr/operator/controllers/keycloak/client-sync.ts 
+++ b/src/pepr/operator/controllers/keycloak/client-sync.ts @@ -4,8 +4,8 @@ import { UDSConfig } from "../../../config"; import { Component, setupLogger } from "../../../logger"; import { Store } from "../../common"; import { Sso, UDSPackage } from "../../crd"; -import { getOwnerRef } from "../utils"; -import { Client } from "./types"; +import { getOwnerRef, purgeOrphans, sanitizeResourceName } from "../utils"; +import { Client, clientKeys } from "./types"; let apiURL = "http://keycloak-http.keycloak.svc.cluster.local:8080/realms/uds/clients-registrations/default"; @@ -47,6 +47,7 @@ export async function keycloak(pkg: UDSPackage) { // Get the list of clients from the package const clientReqs = pkg.spec?.sso || []; const clients: Map = new Map(); + const generation = (pkg.metadata?.generation ?? 0).toString(); for (const clientReq of clientReqs) { const client = await syncClient(clientReq, pkg); @@ -54,6 +55,12 @@ export async function keycloak(pkg: UDSPackage) { } await purgeSSOClients(pkg, [...clients.keys()]); + // Purge orphaned SSO secrets + try { + await purgeOrphans(generation, pkg.metadata!.namespace!, pkg.metadata!.name!, kind.Secret, log); + } catch (e) { + log.error(e, `Failed to purge orphaned SSO secrets in for ${pkg.metadata!.name!}: ${e}`); + } return clients; } 
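Review bot: The new error message in `keycloak()` reads `Failed to purge orphaned SSO secrets in for ${pkg.metadata!.name!}: ${e}`, which has a stray "in"; `Failed to purge orphaned SSO secrets for ${pkg.metadata!.name!}: ${e}` is the intended wording, and the trailing `: ${e}` duplicates the error already passed as the first argument to `log.error`. Separately, secrets created by earlier versions of this controller carry no `uds/generation` label, and whether `purgeOrphans` treats a missing label as a mismatch (and therefore deletes them on the first reconcile after upgrade) depends on its implementation, which is outside this hunk; a one-line comment stating the expected behaviour for unlabeled secrets would help the next reader.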
@@ -80,9 +87,37 @@ export async function purgeSSOClients(pkg: UDSPackage, newClients: string[] = [] } } +/** + * Need to convert the SSO object into a Client Object to avoid + * passing groups to keycloak and attributes to the package.sso + * @param sso + * @returns + */ +export function convertSsoToClient(sso: Partial): Client { + const client: Partial = {}; + + // Iterate over the properties of Client and check if they exist in sso + for (const key of clientKeys) { + if (key in sso) { + (client as Record)[key] = sso[key as keyof Sso]; + } + } + + // Group auth based on sso group membership + client.attributes = client.attributes || {}; + + if (sso.groups?.anyOf) { + client.attributes["uds.core.groups"] = JSON.stringify(sso.groups); + } else { + client.attributes["uds.core.groups"] = ""; + } + + // Assert that the result conforms to Client type + return client as Client; +} + async function syncClient( - // eslint-disable-next-line @typescript-eslint/no-unused-vars - { enableAuthserviceSelector, secretName, secretTemplate, ...clientReq }: Sso, + { secretName, secretTemplate, ...clientReq }: Sso, pkg: UDSPackage, isRetry = false, ) { @@ -90,8 +125,7 @@ async function syncClient( // Not including the CR data in the ref because Keycloak client IDs must be unique already const name = `sso-client-${clientReq.clientId}`; - let client: Client; - handleClientGroups(clientReq); + let client = convertSsoToClient(clientReq); // Get keycloak client token from the store if this is an existing client const token = Store.getItem(name); 
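Review bot: `convertSsoToClient` mutates its input: when the SSO object has an `attributes` map, the key loop copies the same object reference into `client.attributes`, and the following `client.attributes["uds.core.groups"] = ...` then writes into `sso.attributes` as well, which is the opposite of the JSDoc's stated goal of keeping attributes out of `package.sso`. Copying instead of aliasing fixes it: `client.attributes = { ...(client.attributes || {}) };`. The JSDoc also has empty `@param sso` and `@returns` tags; filling them in (e.g. "@param sso - the package's SSO spec; not modified" / "@returns a Client containing only Keycloak-accepted fields") would document the contract the fix restores, and the `(client as Record)[key]` cast could carry a comment explaining that the runtime `key in sso` check is the actual filter, since the cast disables the compiler's.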
@@ -99,15 +133,15 @@ async function syncClient( try { // If an existing client is found, use the token to update the client if (token && !isRetry) { - log.debug(pkg.metadata, `Found existing token for ${clientReq.clientId}`); - client = await apiCall(clientReq, "PUT", token); + log.debug(pkg.metadata, `Found existing token for ${client.clientId}`); + client = await apiCall(client, "PUT", token); } else { - log.debug(pkg.metadata, `Creating new client for ${clientReq.clientId}`); - client = await apiCall(clientReq); + log.debug(pkg.metadata, `Creating new client for ${client.clientId}`); + client = await apiCall(client); } } catch (err) { const msg = - `Failed to process Keycloak request for client '${clientReq.clientId}', package ` + + `Failed to process Keycloak request for client '${client.clientId}', package ` + `${pkg.metadata?.namespace}/${pkg.metadata?.name}. Error: ${err.message}`; // Throw the error if this is the retry or was an initial client creation attempt @@ -124,7 +158,7 @@ async function syncClient( } catch (retryErr) { // If the retry fails, log the retry error and throw the original error const retryMsg = - `Retry of Keycloak request failed for client '${clientReq.clientId}', package ` + + `Retry of Keycloak request failed for client '${client.clientId}', package ` + `${pkg.metadata?.namespace}/${pkg.metadata?.name}. Error: ${retryErr.message}`; log.error(retryMsg); // Throw the error from the original attempt since our retry without token failed @@ -138,7 +172,7 @@ async function syncClient( await Store.setItemAndWait(name, client.registrationAccessToken!); } catch (err) { throw Error( - `Failed to set token in store for client '${clientReq.clientId}', package ` + + `Failed to set token in store for client '${client.clientId}', package ` + `${pkg.metadata?.namespace}/${pkg.metadata?.name}`, ); } 
@@ -146,57 +180,47 @@ async function syncClient( // Remove the registrationAccessToken from the client object to avoid problems (one-time use token) delete client.registrationAccessToken; - if (clientReq.protocol === "saml") { + if (client.protocol === "saml") { client.samlIdpCertificate = await getSamlCertificate(); } // Create or update the client secret - await K8s(kind.Secret).Apply({ - metadata: { - namespace: pkg.metadata!.namespace, - // Use the CR secret name if provided, otherwise use the client name - name: secretName || name, - labels: { - "uds/package": pkg.metadata!.name, + if (!client.publicClient) { + const generation = (pkg.metadata?.generation ?? 0).toString(); + const sanitizedSecretName = sanitizeResourceName(secretName || name); + await K8s(kind.Secret).Apply({ + metadata: { + namespace: pkg.metadata!.namespace, + // Use the CR secret name if provided, otherwise use the client name + name: sanitizedSecretName, + labels: { + "uds/package": pkg.metadata!.name, + "uds/generation": generation, + }, + + // Use the CR as the owner ref for each VirtualService + ownerReferences: getOwnerRef(pkg), }, - - // Use the CR as the owner ref for each VirtualService - ownerReferences: getOwnerRef(pkg), - }, - data: generateSecretData(client, secretTemplate), - }); + data: generateSecretData(client, secretTemplate), + }); + } return client; } -/** - * Handles the client groups by converting the groups to attributes. - * @param clientReq - The client request object. 
- */ -export function handleClientGroups(clientReq: Sso) { - if (clientReq.groups?.anyOf) { - clientReq.attributes = clientReq.attributes || {}; - clientReq.attributes["uds.core.groups"] = JSON.stringify(clientReq.groups); - } else { - clientReq.attributes = clientReq.attributes || {}; - clientReq.attributes["uds.core.groups"] = ""; // Remove groups attribute from client - } - delete clientReq.groups; -} - -async function apiCall(sso: Partial, method = "POST", authToken = "") { +async function apiCall(client: Partial, method = "POST", authToken = "") { // Handle single test mode if (UDSConfig.isSingleTest) { - log.warn(`Generating fake client for '${sso.clientId}' in single test mode`); + log.warn(`Generating fake client for '${client.clientId}' in single test mode`); return { - ...sso, - secret: sso.secret || "fake-secret", + ...client, + secret: client.secret || "fake-secret", registrationAccessToken: "fake-registration-access-token", } as Client; } const req = { - body: JSON.stringify(sso) as string | undefined, + body: JSON.stringify(client) as string | undefined, method, headers: { "Content-Type": "application/json", @@ -209,7 +233,7 @@ async function apiCall(sso: Partial, method = "POST", authToken = "") { if (authToken) { req.headers.Authorization = `Bearer ${authToken}`; // Ensure that we URI encode the clientId in the request URL - url += `/${encodeURIComponent(sso.clientId!)}`; + url += `/${encodeURIComponent(client.clientId!)}`; } // Remove the body for DELETE requests diff --git a/src/pepr/operator/controllers/keycloak/types.ts b/src/pepr/operator/controllers/keycloak/types.ts index ec88ca062..bd20fe20d 100644 --- a/src/pepr/operator/controllers/keycloak/types.ts +++ b/src/pepr/operator/controllers/keycloak/types.ts @@ -1,3 +1,5 @@ +import { ProtocolMapper } from "../../crd/generated/package-v1alpha1"; + export interface Client { alwaysDisplayInConsole: boolean; attributes: Record; 
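Review bot: The comment `// Use the CR as the owner ref for each VirtualService` now sits inside the Secret Apply in `syncClient`, where it is wrong; `// Use the CR as the owner ref so the secret is garbage-collected with the package` describes what the line does. The `generation` string is also computed here exactly as in `keycloak()` (previous hunk), so the two can drift; passing it in or computing it once in a small helper would keep the secret label and the purge in step. Note as well that `sanitizeResourceName(secretName || name)` can yield the same secret name for two different `clientId`/`secretName` inputs, in which case the second Apply overwrites the first client's secret data; if the helper does not guarantee injectivity, that is worth a comment at this call site.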
@@ -17,6 +19,7 @@ export interface Client { notBefore: number; optionalClientScopes: string[]; protocol: string; + protocolMappers?: ProtocolMapper[]; publicClient: boolean; redirectUris: string[]; registrationAccessToken?: string; @@ -27,3 +30,35 @@ export interface Client { webOrigins: string[]; samlIdpCertificate?: string; } + +// Define a constant array of keys +export const clientKeys = [ + "alwaysDisplayInConsole", + "attributes", + "authenticationFlowBindingOverrides", + "bearerOnly", + "clientAuthenticatorType", + "clientId", + "consentRequired", + "defaultClientScopes", + "defaultRoles", + "directAccessGrantsEnabled", + "enabled", + "frontchannelLogout", + "fullScopeAllowed", + "implicitFlowEnabled", + "nodeReRegistrationTimeout", + "notBefore", + "optionalClientScopes", + "protocol", + "protocolMappers", + "publicClient", + "redirectUris", + "registrationAccessToken", + "secret", + "serviceAccountsEnabled", + "standardFlowEnabled", + "surrogateAuthRequired", + "webOrigins", + "samlIdpCertificate", +] as const; diff --git a/src/pepr/operator/controllers/network/generate.spec.ts b/src/pepr/operator/controllers/network/generate.spec.ts new file mode 100644 index 000000000..9abeb1647 --- /dev/null +++ b/src/pepr/operator/controllers/network/generate.spec.ts 
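Review bot: `clientKeys` includes `registrationAccessToken` and `samlIdpCertificate`, which are values the controller obtains from Keycloak, not fields the `Sso` interface declares, yet `convertSsoToClient` copies any listed key that happens to be present on the incoming object at runtime (`key in sso`). If the CRD schema ever admits unknown fields, a package CR could supply those values and have them forwarded in the registration request, so it is safer to keep a separate, explicitly documented allow-list of CR-sourced keys for the conversion, or at minimum annotate these two entries with `// response-only: never expected on an Sso spec`.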
@@ -0,0 +1,171 @@ +import { describe, expect, it } from "@jest/globals"; +import { kind } from "pepr"; +import { Direction } from "../../crd"; +import { generate } from "./generate"; + +describe("network policy generate", () => { + it("should generate correct network policy", async () => { + const policy = generate("test", { + description: "test", + direction: Direction.Ingress, + selector: { app: "test" }, + remoteNamespace: "foo", + remoteSelector: { app: "foo" }, + }); + + expect(policy.metadata?.name).toEqual("Ingress-test"); + expect(policy.spec).toEqual({ + ingress: [ + { + from: [ + { + namespaceSelector: { + matchLabels: { + "kubernetes.io/metadata.name": "foo", + }, + }, + podSelector: { + matchLabels: { + app: "foo", + }, + }, + }, + ], + ports: [], + }, + ], + podSelector: { matchLabels: { app: "test" } }, + policyTypes: ["Ingress"], + } as kind.NetworkPolicy["spec"]); + }); +}); + +describe("network policy generate", () => { + it("should generate correct network policy for just remoteNamespace", async () => { + const policy = generate("test", { + description: "test", + direction: Direction.Ingress, + selector: { app: "test" }, + remoteNamespace: "foo", + }); + + expect(policy.metadata?.name).toEqual("Ingress-test"); + expect(policy.spec).toEqual({ + ingress: [ + { + from: [ + { + namespaceSelector: { + matchLabels: { + "kubernetes.io/metadata.name": "foo", + }, + }, + }, + ], + ports: [], + }, + ], + podSelector: { matchLabels: { app: "test" } }, + policyTypes: ["Ingress"], + } as kind.NetworkPolicy["spec"]); + }); +}); + +describe("network policy generate", () => { + it("should generate correct network policy for empty string and wildcard remoteNamespace", async () => { + const policy = generate("test", { + description: "test", + direction: Direction.Egress, + selector: { app: "test" }, + remoteNamespace: "", + }); + + expect(policy.metadata?.name).toEqual("Egress-test"); + expect(policy.spec).toEqual({ + egress: [ + { + ports: [], + to: [{ 
namespaceSelector: {} }], + }, + ], + podSelector: { matchLabels: { app: "test" } }, + policyTypes: ["Egress"], + } as kind.NetworkPolicy["spec"]); + }); + + const policyWildcard = generate("test", { + description: "test", + direction: Direction.Egress, + selector: { app: "test" }, + remoteNamespace: "*", + }); + + expect(policyWildcard.spec).toEqual({ + egress: [ + { + ports: [], + to: [{ namespaceSelector: {} }], + }, + ], + podSelector: { matchLabels: { app: "test" } }, + policyTypes: ["Egress"], + } as kind.NetworkPolicy["spec"]); +}); + +describe("network policy generate with remoteCidr", () => { + it("should generate correct network policy with remoteCidr for Egress", async () => { + const policy = generate("test", { + description: "test", + direction: Direction.Egress, + selector: { app: "test" }, + remoteCidr: "192.168.0.0/16", + }); + + expect(policy.metadata?.name).toEqual("Egress-test"); + expect(policy.spec).toEqual({ + egress: [ + { + to: [ + { + ipBlock: { + cidr: "192.168.0.0/16", + except: ["169.254.169.254/32"], // Include the except field here + }, + }, + ], + ports: [], + }, + ], + podSelector: { matchLabels: { app: "test" } }, + policyTypes: ["Egress"], + } as kind.NetworkPolicy["spec"]); + }); + + it("should generate correct network policy with remoteCidr for Ingress", async () => { + const policy = generate("test", { + description: "test", + direction: Direction.Ingress, + selector: { app: "test" }, + remoteCidr: "10.0.0.0/8", + }); + + expect(policy.metadata?.name).toEqual("Ingress-test"); + expect(policy.spec).toEqual({ + ingress: [ + { + from: [ + { + ipBlock: { + cidr: "10.0.0.0/8", + except: ["169.254.169.254/32"], // Include the except field here + }, + }, + ], + ports: [], + }, + ], + podSelector: { matchLabels: { app: "test" } }, + policyTypes: ["Ingress"], + } as kind.NetworkPolicy["spec"]); + }); +}); 
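Review bot: In the third `describe("network policy generate", ...)` block the `policyWildcard` generation and its `expect(policyWildcard.spec).toEqual(...)` sit directly in the describe callback rather than inside an `it`, so they execute at collection time, a failure is not attributed to any named test, and the `*` case does not appear in the test report. Wrap those lines in `it("should match all namespaces for wildcard remoteNamespace", () => { ... })`. The three identically named `describe("network policy generate")` blocks could also be merged, since duplicated suite names make failures harder to locate.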
diff --git a/src/pepr/operator/controllers/network/generate.ts b/src/pepr/operator/controllers/network/generate.ts index fab3ab534..ecba6d1cb 100644 --- a/src/pepr/operator/controllers/network/generate.ts +++ b/src/pepr/operator/controllers/network/generate.ts @@ -1,4 +1,4 @@ -import { V1LabelSelector, V1NetworkPolicyPeer, V1NetworkPolicyPort } from "@kubernetes/client-node"; +import { V1NetworkPolicyPeer, V1NetworkPolicyPort } from "@kubernetes/client-node"; import { kind } from "pepr"; import { Allow, RemoteGenerated } from "../../crd"; 
@@ -6,6 +6,59 @@ import { anywhere } from "./generators/anywhere"; import { cloudMetadata } from "./generators/cloudMetadata"; import { intraNamespace } from "./generators/intraNamespace"; import { kubeAPI } from "./generators/kubeAPI"; +import { remoteCidr } from "./generators/remoteCidr"; + +function isWildcardNamespace(namespace: string) { + return namespace === "" || namespace === "*"; +} + +function getPeers(policy: Allow): V1NetworkPolicyPeer[] { + let peers: V1NetworkPolicyPeer[] = []; + + if (policy.remoteGenerated) { + switch (policy.remoteGenerated) { + case RemoteGenerated.KubeAPI: + peers = kubeAPI(); + break; + + case RemoteGenerated.CloudMetadata: + peers = cloudMetadata; + break; + + case RemoteGenerated.IntraNamespace: + peers = [intraNamespace]; + break; + + case RemoteGenerated.Anywhere: + peers = [anywhere]; + break; + } + } else if (policy.remoteNamespace !== undefined || policy.remoteSelector !== undefined) { + const peer: V1NetworkPolicyPeer = {}; + + if (policy.remoteNamespace !== undefined) { + if (isWildcardNamespace(policy.remoteNamespace)) { + peer.namespaceSelector = {}; + } else { + peer.namespaceSelector = { + matchLabels: { "kubernetes.io/metadata.name": policy.remoteNamespace }, + }; + } + } + + if (policy.remoteSelector !== undefined) { + peer.podSelector = { + matchLabels: policy.remoteSelector, + }; + } + + peers.push(peer); + } else if (policy.remoteCidr !== undefined) { + peers = [remoteCidr(policy.remoteCidr)]; + } + + return peers; +} export function generate(namespace: string, policy: Allow): kind.NetworkPolicy { // Generate a unique name for the NetworkPolicy 
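Review bot: `getPeers` silently drops input when a policy mixes selectors: `remoteGenerated` wins over everything, and because the `remoteCidr` branch is an `else if`, a policy that sets `remoteCidr` together with `remoteNamespace` or `remoteSelector` gets no CIDR peer at all, with no log or error. For a network-policy generator that is a failure mode a package author will not notice until traffic is unexpectedly allowed or blocked, so the precedence should be stated on the function (e.g. `// precedence: remoteGenerated > remoteNamespace/remoteSelector > remoteCidr; lower-priority fields are ignored`) and ideally rejected at validation time. The combined-peer change (namespace selector AND pod selector in one peer, instead of two separate OR'd peers as before) is a behavioural tightening that deserves a sentence in the function comment as well.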
@@ -35,57 +88,8 @@ export function generate(namespace: string, policy: Allow): kind.NetworkPolicy { }; } - // Create the remote (peer) to match against - let peers: V1NetworkPolicyPeer[] = []; - - // Add the remoteNamespace if they exist - if (policy.remoteNamespace !== undefined) { - const namespaceSelector: V1LabelSelector = {}; - - // Add the remoteNamespace to the namespaceSelector if it exists and is not "*", otherwise match all namespaces - if (policy.remoteNamespace !== "" && policy.remoteNamespace !== "*") { - namespaceSelector.matchLabels = { - "kubernetes.io/metadata.name": policy.remoteNamespace, - }; - } - - // Add the remoteNamespace to the peers - peers.push({ namespaceSelector }); - } - - // Add the remoteSelector if they exist - if (policy.remoteSelector) { - peers.push({ - podSelector: { - matchLabels: policy.remoteSelector, - }, - }); - } - - // Check if remoteGenerated is set - if (policy.remoteGenerated) { - // Add the remoteGenerated label - generated.metadata!.labels!["uds/generated"] = policy.remoteGenerated; - - // Check if remoteGenerated is set - switch (policy.remoteGenerated) { - case RemoteGenerated.KubeAPI: - peers = kubeAPI(); - break; - - case RemoteGenerated.CloudMetadata: - peers = cloudMetadata; - break; - - case RemoteGenerated.IntraNamespace: - peers.push(intraNamespace); - break; - - case RemoteGenerated.Anywhere: - peers = [anywhere]; - break; - } - } + // Create the network policy peers + const peers: V1NetworkPolicyPeer[] = getPeers(policy); // Define the ports to allow from the ports property const ports: V1NetworkPolicyPort[] = (policy.ports ?? []).map(port => ({ port })); diff --git a/src/pepr/operator/controllers/network/generators/remoteCidr.ts b/src/pepr/operator/controllers/network/generators/remoteCidr.ts new file mode 100644 index 000000000..031e43f16 --- /dev/null +++ b/src/pepr/operator/controllers/network/generators/remoteCidr.ts 
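Review bot: The removed block set `generated.metadata!.labels!["uds/generated"] = policy.remoteGenerated;` whenever `remoteGenerated` was present, and neither the new `getPeers` nor the replacement lines here set it, so unless the assignment was moved into the part of `generate()` between this hunk and the previous one, the `uds/generated` label is no longer applied to generated policies. Anything that selects or purges policies by that label would then stop matching new objects. If it was dropped intentionally, a comment next to `const peers: V1NetworkPolicyPeer[] = getPeers(policy);` saying so would prevent it being "fixed" back.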
@@ -0,0 +1,12 @@ +import { V1NetworkPolicyPeer } from "@kubernetes/client-node"; +import { META_IP } from "./cloudMetadata"; + +/** Matches a specific custom cidr EXCEPT the Cloud Meta endpoint */ +export function remoteCidr(cidr: string): V1NetworkPolicyPeer { + return { + ipBlock: { + cidr, + except: [META_IP], + }, + }; +} diff --git a/src/pepr/operator/controllers/utils.ts b/src/pepr/operator/controllers/utils.ts index b9c6d0ca3..7bfd9e4cf 100644 --- a/src/pepr/operator/controllers/utils.ts +++ b/src/pepr/operator/controllers/utils.ts @@ -41,6 +41,17 @@ export function getOwnerRef(cr: GenericKind): V1OwnerReference[] { ]; } +/** + * Purges orphaned Kubernetes resources of a specified kind within a namespace that do not match the provided generation. + * + * @template T + * @param {string} generation - The generation label to retain. + * @param {string} namespace - The namespace to search for resources. + * @param {string} pkgName - The package name label to filter resources. + * @param {T} kind - The Kubernetes resource kind to purge. + * @param {Logger} log - Logger instance for logging debug messages. + * @returns {Promise} - A promise that resolves when the operation is complete. + */ export async function purgeOrphans( generation: string, namespace: string, diff --git a/src/pepr/operator/crd/generated/package-v1alpha1.ts b/src/pepr/operator/crd/generated/package-v1alpha1.ts index a96450297..20d896d92 100644 --- a/src/pepr/operator/crd/generated/package-v1alpha1.ts +++ b/src/pepr/operator/crd/generated/package-v1alpha1.ts @@ -144,6 +144,10 @@ export interface Allow { * A list of ports to allow (protocol is always TCP) */ ports?: number[]; + /** + * Custom generated policy CIDR + */ + remoteCidr?: string; /** * Custom generated remote selector for the policy */ 
@@ -250,6 +254,10 @@ export interface AdvancedHTTP { * passthrough gateway. */ match?: AdvancedHTTPMatch[]; + /** + * A HTTP rule can either return a direct_response, redirect or forward (default) traffic. + */ + redirect?: Redirect; /** * Retry policy for HTTP requests. */ @@ -395,6 +403,50 @@ export interface PurpleURI { regex?: string; } +/** + * A HTTP rule can either return a direct_response, redirect or forward (default) traffic. + */ +export interface Redirect { + /** + * On a redirect, overwrite the Authority/Host portion of the URL with this value. + */ + authority?: string; + /** + * On a redirect, dynamically set the port: * FROM_PROTOCOL_DEFAULT: automatically set to 80 + * for HTTP and 443 for HTTPS. + * + * Valid Options: FROM_PROTOCOL_DEFAULT, FROM_REQUEST_PORT + */ + derivePort?: DerivePort; + /** + * On a redirect, overwrite the port portion of the URL with this value. + */ + port?: number; + /** + * On a redirect, Specifies the HTTP status code to use in the redirect response. + */ + redirectCode?: number; + /** + * On a redirect, overwrite the scheme portion of the URL with this value. + */ + scheme?: string; + /** + * On a redirect, overwrite the Path portion of the URL with this value. + */ + uri?: string; +} + +/** + * On a redirect, dynamically set the port: * FROM_PROTOCOL_DEFAULT: automatically set to 80 + * for HTTP and 443 for HTTPS. + * + * Valid Options: FROM_PROTOCOL_DEFAULT, FROM_REQUEST_PORT + */ +export enum DerivePort { + FromProtocolDefault = "FROM_PROTOCOL_DEFAULT", + FromRequestPort = "FROM_REQUEST_PORT", +} + /** * Retry policy for HTTP requests. */ @@ -538,7 +590,7 @@ export interface Sso { */ enabled?: boolean; /** - * The client sso group type + * The client SSO group type */ groups?: Groups; /** 
@@ -549,11 +601,19 @@ export interface Sso { * Specifies the protocol of the client, either 'openid-connect' or 'saml' */ protocol?: Protocol; + /** + * Protocol Mappers to configure on the client + */ + protocolMappers?: ProtocolMapper[]; + /** + * Defines whether the client requires a client secret for authentication + */ + publicClient?: boolean; /** * Valid URI pattern a browser can redirect to after a successful login. Simple wildcards * are allowed such as 'https://unicorns.uds.dev/*' */ - redirectUris: string[]; + redirectUris?: string[]; /** * Root URL appended to relative URLs */ @@ -570,6 +630,10 @@ export interface Sso { * A template for the generated secret */ secretTemplate?: { [key: string]: string }; + /** + * Enables the standard OpenID Connect redirect based authentication with authorization code. + */ + standardFlowEnabled?: boolean; /** * Allowed CORS origins. To permit all origins of Valid Redirect URIs, add '+'. This does * not include the '*' wildcard though. To permit all origins, explicitly add '*'. @@ -586,23 +650,48 @@ export enum ClientAuthenticatorType { } /** - * The client sso group type + * The client SSO group type */ export interface Groups { /** - * List of groups allowed to access to client + * List of groups allowed to access the client */ anyOf?: string[]; } /** * Specifies the protocol of the client, either 'openid-connect' or 'saml' + * + * Protocol of the mapper */ export enum Protocol { OpenidConnect = "openid-connect", Saml = "saml", } +export interface ProtocolMapper { + /** + * Configuration options for the mapper. + */ + config?: { [key: string]: string }; + /** + * Whether user consent is required for this mapper + */ + consentRequired?: boolean; + /** + * Name of the mapper + */ + name: string; + /** + * Protocol of the mapper + */ + protocol: Protocol; + /** + * Protocol Mapper type of the mapper + */ + protocolMapper: string; +} + export interface Status { authserviceClients?: string[]; endpoints?: string[]; 
diff --git a/src/pepr/operator/crd/generated/prometheus/podmonitor-v1.ts b/src/pepr/operator/crd/generated/prometheus/podmonitor-v1.ts index d2e9f3f9a..77bd51537 100644 --- a/src/pepr/operator/crd/generated/prometheus/podmonitor-v1.ts +++ b/src/pepr/operator/crd/generated/prometheus/podmonitor-v1.ts @@ -3,7 +3,17 @@ import { GenericKind, RegisterKind } from "kubernetes-fluent-client"; /** - * PodMonitor defines monitoring for a set of pods. + * The `PodMonitor` custom resource definition (CRD) defines how `Prometheus` and + * `PrometheusAgent` can scrape metrics from a group of pods. + * Among other things, it allows to specify: + * * The pods to scrape via label selectors. + * * The container ports to scrape. + * * Authentication credentials to use. + * * Target and metric relabeling. + * + * + * `Prometheus` and `PrometheusAgent` objects select `PodMonitor` objects using label and + * namespace selectors. */ export class PodMonitor extends GenericKind { /** @@ -21,7 +31,7 @@ export interface Spec { * discovered targets. * * - * It requires Prometheus >= v2.37.0. + * It requires Prometheus >= v2.35.0. */ attachMetadata?: AttachMetadata; /** @@ -77,12 +87,13 @@ export interface Spec { */ labelValueLengthLimit?: number; /** - * Selector to select which namespaces the Kubernetes `Pods` objects - * are discovered from. + * `namespaceSelector` defines in which namespace(s) Prometheus should discover the pods. + * By default, the pods are discovered in the same namespace as the `PodMonitor` object but + * it is possible to select pods across different/all namespaces. */ namespaceSelector?: NamespaceSelector; /** - * List of endpoints part of this PodMonitor. + * Defines how to scrape metrics from the selected pods. */ podMetricsEndpoints?: PodMetricsEndpoint[]; /** 
@@ -113,7 +124,7 @@ export interface Spec { */ scrapeProtocols?: ScrapeProtocol[]; /** - * Label selector to select the Kubernetes `Pod` objects. + * Label selector to select the Kubernetes `Pod` objects to scrape metrics from. */ selector: Selector; /** @@ -128,19 +139,24 @@ export interface Spec { * discovered targets. * * - * It requires Prometheus >= v2.37.0. + * It requires Prometheus >= v2.35.0. */ export interface AttachMetadata { /** - * When set to true, Prometheus must have the `get` permission on the - * `Nodes` objects. + * When set to true, Prometheus attaches node metadata to the discovered + * targets. + * + * + * The Prometheus service account must have the `list` and `watch` + * permissions on the `Nodes` objects. */ node?: boolean; } /** - * Selector to select which namespaces the Kubernetes `Pods` objects - * are discovered from. + * `namespaceSelector` defines in which namespace(s) Prometheus should discover the pods. + * By default, the pods are discovered in the same namespace as the `PodMonitor` object but + * it is possible to select pods across different/all namespaces. */ export interface NamespaceSelector { /** @@ -304,7 +320,7 @@ export interface PodMetricsEndpoint { /** * TLS configuration to use when scraping the target. */ - tlsConfig?: TLSConfig; + tlsConfig?: PodMetricsEndpointTLSConfig; /** * `trackTimestampsStaleness` defines whether Prometheus tracks staleness of * the metrics that have an explicit timestamp present in scraped data. 
@@ -591,10 +607,48 @@ export interface Oauth2 { * URL. */ endpointParams?: { [key: string]: string }; + /** + * `noProxy` is a comma-separated string that can contain IPs, CIDR notation, domain names + * that should be excluded from proxying. IP and domain names can + * contain port numbers. + * + * + * It requires Prometheus >= v2.43.0. + */ + noProxy?: string; + /** + * ProxyConnectHeader optionally specifies headers to send to + * proxies during CONNECT requests. + * + * + * It requires Prometheus >= v2.43.0. + */ + proxyConnectHeader?: { [key: string]: ProxyConnectHeader[] }; + /** + * Whether to use the proxy configuration defined by environment variables (HTTP_PROXY, + * HTTPS_PROXY, and NO_PROXY). + * If unset, Prometheus uses its default value. + * + * + * It requires Prometheus >= v2.43.0. + */ + proxyFromEnvironment?: boolean; + /** + * `proxyURL` defines the HTTP proxy server to use. + * + * + * It requires Prometheus >= v2.43.0. + */ + proxyUrl?: string; /** * `scopes` defines the OAuth2 scopes used for the token request. */ scopes?: string[]; + /** + * TLS configuration to use when connecting to the OAuth2 server. + * It requires Prometheus >= v2.43.0. + */ + tlsConfig?: Oauth2TLSConfig; /** * `tokenURL` configures the URL to fetch the token from. */ 
@@ -692,6 +746,243 @@ export interface ClientSecret { optional?: boolean; } +/** + * SecretKeySelector selects a key of a Secret. + */ +export interface ProxyConnectHeader { + /** + * The key of the secret to select from. Must be a valid secret key. + */ + key: string; + /** + * Name of the referent. + * This field is effectively required, but due to backwards compatibility is + * allowed to be empty. Instances of this type with an empty value here are + * almost certainly wrong. + * TODO: Add other useful fields. apiVersion, kind, uid? + * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + * TODO: Drop `kubebuilder:default` when controller-gen doesn't need it + * https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + */ + name?: string; + /** + * Specify whether the Secret or its key must be defined + */ + optional?: boolean; +} + +/** + * TLS configuration to use when connecting to the OAuth2 server. + * It requires Prometheus >= v2.43.0. + */ +export interface Oauth2TLSConfig { + /** + * Certificate authority used when verifying server certificates. + */ + ca?: PurpleCA; + /** + * Client certificate to present when doing client-authentication. + */ + cert?: PurpleCERT; + /** + * Disable target certificate validation. + */ + insecureSkipVerify?: boolean; + /** + * Secret containing the client key file for the targets. + */ + keySecret?: PurpleKeySecret; + /** + * Maximum acceptable TLS version. + * + * + * It requires Prometheus >= v2.41.0. + */ + maxVersion?: Version; + /** + * Minimum acceptable TLS version. + * + * + * It requires Prometheus >= v2.35.0. + */ + minVersion?: Version; + /** + * Used to verify the hostname for the targets. + */ + serverName?: string; +} + +/** + * Certificate authority used when verifying server certificates. + */ +export interface PurpleCA { + /** + * ConfigMap containing data to use for the targets. 
+ */ + configMap?: PurpleConfigMap; + /** + * Secret containing data to use for the targets. + */ + secret?: PurpleSecret; +} + +/** + * ConfigMap containing data to use for the targets. + */ +export interface PurpleConfigMap { + /** + * The key to select. + */ + key: string; + /** + * Name of the referent. + * This field is effectively required, but due to backwards compatibility is + * allowed to be empty. Instances of this type with an empty value here are + * almost certainly wrong. + * TODO: Add other useful fields. apiVersion, kind, uid? + * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + * TODO: Drop `kubebuilder:default` when controller-gen doesn't need it + * https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + */ + name?: string; + /** + * Specify whether the ConfigMap or its key must be defined + */ + optional?: boolean; +} + +/** + * Secret containing data to use for the targets. + */ +export interface PurpleSecret { + /** + * The key of the secret to select from. Must be a valid secret key. + */ + key: string; + /** + * Name of the referent. + * This field is effectively required, but due to backwards compatibility is + * allowed to be empty. Instances of this type with an empty value here are + * almost certainly wrong. + * TODO: Add other useful fields. apiVersion, kind, uid? + * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + * TODO: Drop `kubebuilder:default` when controller-gen doesn't need it + * https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + */ + name?: string; + /** + * Specify whether the Secret or its key must be defined + */ + optional?: boolean; +} + +/** + * Client certificate to present when doing client-authentication. + */ +export interface PurpleCERT { + /** + * ConfigMap containing data to use for the targets. + */ + configMap?: FluffyConfigMap; + /** + * Secret containing data to use for the targets. 
+ */ + secret?: FluffySecret; +} + +/** + * ConfigMap containing data to use for the targets. + */ +export interface FluffyConfigMap { + /** + * The key to select. + */ + key: string; + /** + * Name of the referent. + * This field is effectively required, but due to backwards compatibility is + * allowed to be empty. Instances of this type with an empty value here are + * almost certainly wrong. + * TODO: Add other useful fields. apiVersion, kind, uid? + * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + * TODO: Drop `kubebuilder:default` when controller-gen doesn't need it + * https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + */ + name?: string; + /** + * Specify whether the ConfigMap or its key must be defined + */ + optional?: boolean; +} + +/** + * Secret containing data to use for the targets. + */ +export interface FluffySecret { + /** + * The key of the secret to select from. Must be a valid secret key. + */ + key: string; + /** + * Name of the referent. + * This field is effectively required, but due to backwards compatibility is + * allowed to be empty. Instances of this type with an empty value here are + * almost certainly wrong. + * TODO: Add other useful fields. apiVersion, kind, uid? + * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + * TODO: Drop `kubebuilder:default` when controller-gen doesn't need it + * https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + */ + name?: string; + /** + * Specify whether the Secret or its key must be defined + */ + optional?: boolean; +} + +/** + * Secret containing the client key file for the targets. + */ +export interface PurpleKeySecret { + /** + * The key of the secret to select from. Must be a valid secret key. + */ + key: string; + /** + * Name of the referent. + * This field is effectively required, but due to backwards compatibility is + * allowed to be empty. 
Instances of this type with an empty value here are + * almost certainly wrong. + * TODO: Add other useful fields. apiVersion, kind, uid? + * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + * TODO: Drop `kubebuilder:default` when controller-gen doesn't need it + * https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + */ + name?: string; + /** + * Specify whether the Secret or its key must be defined + */ + optional?: boolean; +} + +/** + * Maximum acceptable TLS version. + * + * + * It requires Prometheus >= v2.41.0. + * + * Minimum acceptable TLS version. + * + * + * It requires Prometheus >= v2.35.0. + */ +export enum Version { + Tls10 = "TLS10", + Tls11 = "TLS11", + Tls12 = "TLS12", + Tls13 = "TLS13", +} + /** * RelabelConfig allows dynamic rewriting of the label set for targets, alerts, * scraped samples and remote write samples. @@ -772,15 +1063,15 @@ export enum Scheme { /** * TLS configuration to use when scraping the target. */ -export interface TLSConfig { +export interface PodMetricsEndpointTLSConfig { /** * Certificate authority used when verifying server certificates. */ - ca?: CA; + ca?: FluffyCA; /** * Client certificate to present when doing client-authentication. */ - cert?: CERT; + cert?: FluffyCERT; /** * Disable target certificate validation. */ @@ -788,7 +1079,21 @@ export interface TLSConfig { /** * Secret containing the client key file for the targets. */ - keySecret?: KeySecret; + keySecret?: FluffyKeySecret; + /** + * Maximum acceptable TLS version. + * + * + * It requires Prometheus >= v2.41.0. + */ + maxVersion?: Version; + /** + * Minimum acceptable TLS version. + * + * + * It requires Prometheus >= v2.35.0. + */ + minVersion?: Version; /** * Used to verify the hostname for the targets. */ 
@@ -798,21 +1103,21 @@ export interface TLSConfig { /** * Certificate authority used when verifying server certificates. */ -export interface CA { +export interface FluffyCA { /** * ConfigMap containing data to use for the targets. */ - configMap?: CAConfigMap; + configMap?: TentacledConfigMap; /** * Secret containing data to use for the targets. */ - secret?: CASecret; + secret?: TentacledSecret; } /** * ConfigMap containing data to use for the targets. */ -export interface CAConfigMap { +export interface TentacledConfigMap { /** * The key to select. */ @@ -837,7 +1142,7 @@ export interface CAConfigMap { /** * Secret containing data to use for the targets. */ -export interface CASecret { +export interface TentacledSecret { /** * The key of the secret to select from. Must be a valid secret key. */ @@ -862,21 +1167,21 @@ export interface CASecret { /** * Client certificate to present when doing client-authentication. */ -export interface CERT { +export interface FluffyCERT { /** * ConfigMap containing data to use for the targets. */ - configMap?: CERTConfigMap; + configMap?: StickyConfigMap; /** * Secret containing data to use for the targets. */ - secret?: CERTSecret; + secret?: StickySecret; } /** * ConfigMap containing data to use for the targets. */ -export interface CERTConfigMap { +export interface StickyConfigMap { /** * The key to select. */ @@ -901,7 +1206,7 @@ export interface CERTConfigMap { /** * Secret containing data to use for the targets. */ -export interface CERTSecret { +export interface StickySecret { /** * The key of the secret to select from. Must be a valid secret key. */ @@ -926,7 +1231,7 @@ export interface CERTSecret { /** * Secret containing the client key file for the targets. */ -export interface KeySecret { +export interface FluffyKeySecret { /** * The key of the secret to select from. Must be a valid secret key. */ 
@@ -964,7 +1269,7 @@ export enum ScrapeProtocol { } /** - * Label selector to select the Kubernetes `Pod` objects. + * Label selector to select the Kubernetes `Pod` objects to scrape metrics from. */ export interface Selector { /** diff --git a/src/pepr/operator/crd/generated/prometheus/servicemonitor-v1.ts b/src/pepr/operator/crd/generated/prometheus/servicemonitor-v1.ts index 17c09c2a4..94ea5b299 100644 --- a/src/pepr/operator/crd/generated/prometheus/servicemonitor-v1.ts +++ b/src/pepr/operator/crd/generated/prometheus/servicemonitor-v1.ts @@ -3,7 +3,17 @@ import { GenericKind, RegisterKind } from "kubernetes-fluent-client"; /** - * ServiceMonitor defines monitoring for a set of services. + * The `ServiceMonitor` custom resource definition (CRD) defines how `Prometheus` and + * `PrometheusAgent` can scrape metrics from a group of services. + * Among other things, it allows to specify: + * * The services to scrape via label selectors. + * * The container ports to scrape. + * * Authentication credentials to use. + * * Target and metric relabeling. + * + * + * `Prometheus` and `PrometheusAgent` objects select `ServiceMonitor` objects using label + * and namespace selectors. */ export class ServiceMonitor extends GenericKind { /** @@ -36,8 +46,14 @@ export interface Spec { bodySizeLimit?: string; /** * List of endpoints part of this ServiceMonitor. + * Defines how to scrape metrics from Kubernetes + * [Endpoints](https://kubernetes.io/docs/concepts/services-networking/service/#endpoints) + * objects. + * In most cases, an Endpoints object is backed by a Kubernetes + * [Service](https://kubernetes.io/docs/concepts/services-networking/service/) object with + * the same name and labels. */ - endpoints?: Endpoint[]; + endpoints: Endpoint[]; /** * `jobLabel` selects the label from the associated Kubernetes `Service` * object which will be used as the `job` label for all metrics. 
@@ -83,8 +99,10 @@ export interface Spec { */ labelValueLengthLimit?: number; /** - * Selector to select which namespaces the Kubernetes `Endpoints` objects - * are discovered from. + * `namespaceSelector` defines in which namespace(s) Prometheus should discover the + * services. + * By default, the services are discovered in the same namespace as the `ServiceMonitor` + * object but it is possible to select pods across different/all namespaces. */ namespaceSelector?: NamespaceSelector; /** @@ -115,7 +133,7 @@ export interface Spec { */ scrapeProtocols?: ScrapeProtocol[]; /** - * Label selector to select the Kubernetes `Endpoints` objects. + * Label selector to select the Kubernetes `Endpoints` objects to scrape metrics from. */ selector: Selector; /** @@ -139,8 +157,12 @@ export interface Spec { */ export interface AttachMetadata { /** - * When set to true, Prometheus must have the `get` permission on the - * `Nodes` objects. + * When set to true, Prometheus attaches node metadata to the discovered + * targets. + * + * + * The Prometheus service account must have the `list` and `watch` + * permissions on the `Nodes` objects. */ node?: boolean; } @@ -299,7 +321,7 @@ export interface Endpoint { /** * TLS configuration to use when scraping the target. */ - tlsConfig?: TLSConfig; + tlsConfig?: EndpointTLSConfig; /** * `trackTimestampsStaleness` defines whether Prometheus tracks staleness of * the metrics that have an explicit timestamp present in scraped data. 
@@ -586,10 +608,48 @@ export interface Oauth2 { * URL. */ endpointParams?: { [key: string]: string }; + /** + * `noProxy` is a comma-separated string that can contain IPs, CIDR notation, domain names + * that should be excluded from proxying. IP and domain names can + * contain port numbers. + * + * + * It requires Prometheus >= v2.43.0. + */ + noProxy?: string; + /** + * ProxyConnectHeader optionally specifies headers to send to + * proxies during CONNECT requests. + * + * + * It requires Prometheus >= v2.43.0. + */ + proxyConnectHeader?: { [key: string]: ProxyConnectHeader[] }; + /** + * Whether to use the proxy configuration defined by environment variables (HTTP_PROXY, + * HTTPS_PROXY, and NO_PROXY). + * If unset, Prometheus uses its default value. + * + * + * It requires Prometheus >= v2.43.0. + */ + proxyFromEnvironment?: boolean; + /** + * `proxyURL` defines the HTTP proxy server to use. + * + * + * It requires Prometheus >= v2.43.0. + */ + proxyUrl?: string; /** * `scopes` defines the OAuth2 scopes used for the token request. */ scopes?: string[]; + /** + * TLS configuration to use when connecting to the OAuth2 server. + * It requires Prometheus >= v2.43.0. + */ + tlsConfig?: Oauth2TLSConfig; /** * `tokenURL` configures the URL to fetch the token from. */ 
@@ -687,6 +747,243 @@ export interface ClientSecret { optional?: boolean; } +/** + * SecretKeySelector selects a key of a Secret. + */ +export interface ProxyConnectHeader { + /** + * The key of the secret to select from. Must be a valid secret key. + */ + key: string; + /** + * Name of the referent. + * This field is effectively required, but due to backwards compatibility is + * allowed to be empty. Instances of this type with an empty value here are + * almost certainly wrong. + * TODO: Add other useful fields. apiVersion, kind, uid? + * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + * TODO: Drop `kubebuilder:default` when controller-gen doesn't need it + * https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + */ + name?: string; + /** + * Specify whether the Secret or its key must be defined + */ + optional?: boolean; +} + +/** + * TLS configuration to use when connecting to the OAuth2 server. + * It requires Prometheus >= v2.43.0. + */ +export interface Oauth2TLSConfig { + /** + * Certificate authority used when verifying server certificates. + */ + ca?: PurpleCA; + /** + * Client certificate to present when doing client-authentication. + */ + cert?: PurpleCERT; + /** + * Disable target certificate validation. + */ + insecureSkipVerify?: boolean; + /** + * Secret containing the client key file for the targets. + */ + keySecret?: PurpleKeySecret; + /** + * Maximum acceptable TLS version. + * + * + * It requires Prometheus >= v2.41.0. + */ + maxVersion?: Version; + /** + * Minimum acceptable TLS version. + * + * + * It requires Prometheus >= v2.35.0. + */ + minVersion?: Version; + /** + * Used to verify the hostname for the targets. + */ + serverName?: string; +} + +/** + * Certificate authority used when verifying server certificates. + */ +export interface PurpleCA { + /** + * ConfigMap containing data to use for the targets. 
+ */ + configMap?: PurpleConfigMap; + /** + * Secret containing data to use for the targets. + */ + secret?: PurpleSecret; +} + +/** + * ConfigMap containing data to use for the targets. + */ +export interface PurpleConfigMap { + /** + * The key to select. + */ + key: string; + /** + * Name of the referent. + * This field is effectively required, but due to backwards compatibility is + * allowed to be empty. Instances of this type with an empty value here are + * almost certainly wrong. + * TODO: Add other useful fields. apiVersion, kind, uid? + * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + * TODO: Drop `kubebuilder:default` when controller-gen doesn't need it + * https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + */ + name?: string; + /** + * Specify whether the ConfigMap or its key must be defined + */ + optional?: boolean; +} + +/** + * Secret containing data to use for the targets. + */ +export interface PurpleSecret { + /** + * The key of the secret to select from. Must be a valid secret key. + */ + key: string; + /** + * Name of the referent. + * This field is effectively required, but due to backwards compatibility is + * allowed to be empty. Instances of this type with an empty value here are + * almost certainly wrong. + * TODO: Add other useful fields. apiVersion, kind, uid? + * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + * TODO: Drop `kubebuilder:default` when controller-gen doesn't need it + * https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + */ + name?: string; + /** + * Specify whether the Secret or its key must be defined + */ + optional?: boolean; +} + +/** + * Client certificate to present when doing client-authentication. + */ +export interface PurpleCERT { + /** + * ConfigMap containing data to use for the targets. + */ + configMap?: FluffyConfigMap; + /** + * Secret containing data to use for the targets. 
+ */ + secret?: FluffySecret; +} + +/** + * ConfigMap containing data to use for the targets. + */ +export interface FluffyConfigMap { + /** + * The key to select. + */ + key: string; + /** + * Name of the referent. + * This field is effectively required, but due to backwards compatibility is + * allowed to be empty. Instances of this type with an empty value here are + * almost certainly wrong. + * TODO: Add other useful fields. apiVersion, kind, uid? + * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + * TODO: Drop `kubebuilder:default` when controller-gen doesn't need it + * https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + */ + name?: string; + /** + * Specify whether the ConfigMap or its key must be defined + */ + optional?: boolean; +} + +/** + * Secret containing data to use for the targets. + */ +export interface FluffySecret { + /** + * The key of the secret to select from. Must be a valid secret key. + */ + key: string; + /** + * Name of the referent. + * This field is effectively required, but due to backwards compatibility is + * allowed to be empty. Instances of this type with an empty value here are + * almost certainly wrong. + * TODO: Add other useful fields. apiVersion, kind, uid? + * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + * TODO: Drop `kubebuilder:default` when controller-gen doesn't need it + * https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + */ + name?: string; + /** + * Specify whether the Secret or its key must be defined + */ + optional?: boolean; +} + +/** + * Secret containing the client key file for the targets. + */ +export interface PurpleKeySecret { + /** + * The key of the secret to select from. Must be a valid secret key. + */ + key: string; + /** + * Name of the referent. + * This field is effectively required, but due to backwards compatibility is + * allowed to be empty. 
Instances of this type with an empty value here are + * almost certainly wrong. + * TODO: Add other useful fields. apiVersion, kind, uid? + * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + * TODO: Drop `kubebuilder:default` when controller-gen doesn't need it + * https://github.com/kubernetes-sigs/kubebuilder/issues/3896. + */ + name?: string; + /** + * Specify whether the Secret or its key must be defined + */ + optional?: boolean; +} + +/** + * Maximum acceptable TLS version. + * + * + * It requires Prometheus >= v2.41.0. + * + * Minimum acceptable TLS version. + * + * + * It requires Prometheus >= v2.35.0. + */ +export enum Version { + Tls10 = "TLS10", + Tls11 = "TLS11", + Tls12 = "TLS12", + Tls13 = "TLS13", +} + /** * RelabelConfig allows dynamic rewriting of the label set for targets, alerts, * scraped samples and remote write samples. @@ -767,11 +1064,11 @@ export enum Scheme { /** * TLS configuration to use when scraping the target. */ -export interface TLSConfig { +export interface EndpointTLSConfig { /** * Certificate authority used when verifying server certificates. */ - ca?: CA; + ca?: FluffyCA; /** * Path to the CA cert in the Prometheus container to use for the targets. */ @@ -779,7 +1076,7 @@ export interface TLSConfig { /** * Client certificate to present when doing client-authentication. */ - cert?: CERT; + cert?: FluffyCERT; /** * Path to the client cert file in the Prometheus container for the targets. */ @@ -795,7 +1092,21 @@ export interface TLSConfig { /** * Secret containing the client key file for the targets. */ - keySecret?: KeySecret; + keySecret?: FluffyKeySecret; + /** + * Maximum acceptable TLS version. + * + * + * It requires Prometheus >= v2.41.0. + */ + maxVersion?: Version; + /** + * Minimum acceptable TLS version. + * + * + * It requires Prometheus >= v2.35.0. + */ + minVersion?: Version; /** * Used to verify the hostname for the targets. */ 
@@ -805,21 +1116,21 @@ export interface TLSConfig { /** * Certificate authority used when verifying server certificates. */ -export interface CA { +export interface FluffyCA { /** * ConfigMap containing data to use for the targets. */ - configMap?: CAConfigMap; + configMap?: TentacledConfigMap; /** * Secret containing data to use for the targets. */ - secret?: CASecret; + secret?: TentacledSecret; } /** * ConfigMap containing data to use for the targets. */ -export interface CAConfigMap { +export interface TentacledConfigMap { /** * The key to select. */ @@ -844,7 +1155,7 @@ export interface CAConfigMap { /** * Secret containing data to use for the targets. */ -export interface CASecret { +export interface TentacledSecret { /** * The key of the secret to select from. Must be a valid secret key. */ @@ -869,21 +1180,21 @@ export interface CASecret { /** * Client certificate to present when doing client-authentication. */ -export interface CERT { +export interface FluffyCERT { /** * ConfigMap containing data to use for the targets. */ - configMap?: CERTConfigMap; + configMap?: StickyConfigMap; /** * Secret containing data to use for the targets. */ - secret?: CERTSecret; + secret?: StickySecret; } /** * ConfigMap containing data to use for the targets. */ -export interface CERTConfigMap { +export interface StickyConfigMap { /** * The key to select. */ @@ -908,7 +1219,7 @@ export interface CERTConfigMap { /** * Secret containing data to use for the targets. */ -export interface CERTSecret { +export interface StickySecret { /** * The key of the secret to select from. Must be a valid secret key. */ @@ -933,7 +1244,7 @@ export interface CERTSecret { /** * Secret containing the client key file for the targets. */ -export interface KeySecret { +export interface FluffyKeySecret { /** * The key of the secret to select from. Must be a valid secret key. */ 
@@ -956,8 +1267,10 @@ export interface KeySecret { } /** - * Selector to select which namespaces the Kubernetes `Endpoints` objects - * are discovered from. + * `namespaceSelector` defines in which namespace(s) Prometheus should discover the + * services. + * By default, the services are discovered in the same namespace as the `ServiceMonitor` + * object but it is possible to select pods across different/all namespaces. */ export interface NamespaceSelector { /** @@ -987,7 +1300,7 @@ export enum ScrapeProtocol { } /** - * Label selector to select the Kubernetes `Endpoints` objects. + * Label selector to select the Kubernetes `Endpoints` objects to scrape metrics from. */ export interface Selector { /** diff --git a/src/pepr/operator/crd/index.ts b/src/pepr/operator/crd/index.ts index 285c6c904..ac3bba71b 100644 --- a/src/pepr/operator/crd/index.ts +++ b/src/pepr/operator/crd/index.ts @@ -6,6 +6,7 @@ export { Monitor, Phase, Status as PkgStatus, + Protocol, RemoteGenerated, Sso, Package as UDSPackage, diff --git a/src/pepr/operator/crd/sources/istio/virtualservice-v1beta1.ts b/src/pepr/operator/crd/sources/istio/virtualservice-v1beta1.ts index 4e8fd69cc..5a30ff039 100644 --- a/src/pepr/operator/crd/sources/istio/virtualservice-v1beta1.ts +++ b/src/pepr/operator/crd/sources/istio/virtualservice-v1beta1.ts 
@@ -228,6 +228,65 @@ export const advancedHTTP: V1JSONSchemaProps = { }, type: "object", }, + redirect: { + description: + "A HTTP rule can either return a direct_response, redirect or forward (default) traffic.", + oneOf: [ + { + not: { + anyOf: [ + { + required: ["port"], + }, + { + required: ["derivePort"], + }, + ], + }, + }, + { + required: ["port"], + }, + { + required: ["derivePort"], + }, + ], + properties: { + authority: { + description: + "On a redirect, overwrite the Authority/Host portion of the URL with this value.", + type: "string", + }, + port: { + description: "On a redirect, overwrite the port portion of the URL with this value.", + maximum: 4294967295, + minimum: 0, + type: "integer", + }, + derivePort: { + description: + "On a redirect, dynamically set the port: * FROM_PROTOCOL_DEFAULT: automatically set to 80 for HTTP and 443 for HTTPS.\n\nValid Options: FROM_PROTOCOL_DEFAULT, FROM_REQUEST_PORT", + enum: ["FROM_PROTOCOL_DEFAULT", "FROM_REQUEST_PORT"], + type: "string", + }, + redirectCode: { + description: + "On a redirect, Specifies the HTTP status code to use in the redirect response.", + maximum: 4294967295, + minimum: 0, + type: "integer", + }, + scheme: { + description: "On a redirect, overwrite the scheme portion of the URL with this value.", + type: "string", + }, + uri: { + description: "On a redirect, overwrite the Path portion of the URL with this value.", + type: "string", + }, + }, + type: "object", + }, retries: { description: "Retry policy for HTTP requests.", properties: { @@ -265,4 +324,4 @@ export const advancedHTTP: V1JSONSchemaProps = { }, }, type: "object", -}; +} as V1JSONSchemaProps; diff --git a/src/pepr/operator/crd/sources/package/v1alpha1.ts b/src/pepr/operator/crd/sources/package/v1alpha1.ts index e5628b230..8af0ed32a 100644 --- a/src/pepr/operator/crd/sources/package/v1alpha1.ts +++ b/src/pepr/operator/crd/sources/package/v1alpha1.ts 
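Review bot: `redirectCode` in the new `redirect` block accepts any integer from 0 to 4294967295, so a value that is not an HTTP redirect status passes Package admission and is only rejected, if at all, when the generated VirtualService is applied. If this is a verbatim copy of the upstream Istio CRD schema that may be deliberate, but the spec added in this same commit shows `advancedHTTP` is already checked in the package validator, so tightening the field to the codes Istio is known to accept would fail fast: `enum: [301, 302, 303, 307, 308],` in place of the `maximum`/`minimum` pair (confirm the list against the Istio version in use). `authority`, `scheme` and `uri` are unconstrained strings that are passed straight through to Istio; a sentence in each description saying so would help package authors understand that no validation happens at this layer. The `advancedHTTP` constant starts before this hunk.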
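Review bot: The trailing `as V1JSONSchemaProps` on the closing line is a type assertion on a constant whose declaration already carries the `V1JSONSchemaProps` annotation (visible in the hunk header), so it is redundant at best and at worst hides a shape error in the new `redirect` block, since an assertion suppresses exactly the mismatch the annotation would report. If the object did not type-check without it, the offending property should be fixed instead; if it did, drop the cast and keep `};`. If it must stay, a one-line comment above the constant stating which property the assertion is working around is the minimum.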
@@ -84,6 +84,10 @@ const allow = { type: "string", enum: ["KubeAPI", "IntraNamespace", "CloudMetadata", "Anywhere"], }, + remoteCidr: { + description: "Custom generated policy CIDR", + type: "string", + }, port: { description: "The port to allow (protocol is always TCP)", minimum: 1, @@ -252,7 +256,7 @@ const sso = { type: "array", items: { type: "object", - required: ["clientId", "name", "redirectUris"], + required: ["clientId", "name"], properties: { enableAuthserviceSelector: { description: @@ -303,6 +307,42 @@ const sso = { type: "string", }, }, + protocolMappers: { + description: "Protocol Mappers to configure on the client", + type: "array", + default: [], + items: { + type: "object", + required: ["name", "protocol", "protocolMapper"], + properties: { + name: { + description: "Name of the mapper", + type: "string", + }, + protocol: { + description: "Protocol of the mapper", + type: "string", + enum: ["openid-connect", "saml"], + }, + protocolMapper: { + description: "Protocol Mapper type of the mapper", + type: "string", + }, + consentRequired: { + description: "Whether user consent is required for this mapper", + type: "boolean", + default: false, + }, + config: { + description: "Configuration options for the mapper.", + type: "object", + additionalProperties: { + type: "string", + }, + }, + }, + }, + }, rootUrl: { description: "Root URL appended to relative URLs", type: "string", @@ -335,6 +375,17 @@ const sso = { type: "boolean", default: false, }, + standardFlowEnabled: { + description: + "Enables the standard OpenID Connect redirect based authentication with authorization code.", + type: "boolean", + default: true, + }, + publicClient: { + description: "Defines whether the client requires a client secret for authentication", + type: "boolean", + default: false, + }, clientAuthenticatorType: { description: "The client authenticator type", type: "string", 
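Review bot: `remoteCidr` is declared as a bare `type: "string"` with no `pattern` or `format`, so a malformed CIDR is accepted at Package admission and only fails later when the generated NetworkPolicy is applied, or is presumably ignored if the generator never reads it. A constructed starting point such as `pattern: "^(\\d{1,3}\\.){3}\\d{1,3}/\\d{1,2}$"` (IPv4 only; extend if IPv6 is intended), or an equivalent check in the package validator, would surface the error to the author. The description `Custom generated policy CIDR` also does not say which `remoteGenerated` value the field pairs with or whether it is ignored when `remoteNamespace`/`remoteSelector` are set; stating that, e.g. `description: "CIDR used by the generated policy when remoteGenerated selects a custom CIDR; ignored otherwise"`, should be confirmed against the generator before it is written. The `allow` constant starts before this hunk.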
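Review bot: Dropping `redirectUris` from `required` in the `sso` items (hunk `@@ -252,7 +256,7`) while `standardFlowEnabled` defaults to `true` (hunk `@@ -335,6 +375,17`) lets a Package declare an authorization-code client with no registered redirect URIs, and the schema cannot express that conditional dependency. The safe rule is to require `redirectUris` whenever `standardFlowEnabled` is not `false`, which belongs in the package validator next to the other `sso` checks, roughly `if (client.standardFlowEnabled !== false && !client.redirectUris?.length) return req.Deny("redirectUris is required when standardFlowEnabled is true")`, with a matching case in the spec file added by this commit. Since `publicClient: true` means the client has no secret and exact redirect URI matching is then the main protection for the authorization code, the `publicClient` description could also say so, e.g. `"Defines whether the client is public (no client secret); public clients rely on exact redirectUris matching"`. The `sso` constant starts before these hunks.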
@@ -348,11 +399,11 @@ const sso = { }, }, groups: { - description: "The client sso group type", + description: "The client SSO group type", type: "object", properties: { anyOf: { - description: "List of groups allowed to access to client", + description: "List of groups allowed to access the client", type: "array", items: { type: "string", diff --git a/src/pepr/operator/crd/validators/package-validator.spec.ts b/src/pepr/operator/crd/validators/package-validator.spec.ts new file mode 100644 index 000000000..cc8cc6ba5 --- /dev/null +++ b/src/pepr/operator/crd/validators/package-validator.spec.ts 
@@ -0,0 +1,526 @@ +import { afterEach, describe, expect, it, jest } from "@jest/globals"; +import { PeprValidateRequest } from "pepr"; +import { Allow, Direction, Expose, Gateway, Protocol, RemoteGenerated, Sso, UDSPackage } from ".."; +import { validator } from "./package-validator"; + +const makeMockReq = ( + pkg: Partial, + exposeList: Partial[], + allowList: Partial[], + ssoClients: Partial[], +) => { + const defaultPkg: UDSPackage = { + metadata: { + namespace: "application-system", + name: "application", + }, + spec: { + network: { + expose: [], + allow: [], + }, + sso: [], + }, + }; + + for (const expose of exposeList) { + const defaultExpose: Expose = { + host: "app", + }; + defaultPkg.spec!.network!.expose?.push({ ...defaultExpose, ...expose }); + } + + for (const allow of allowList) { + const defaultAllow: Allow = { + direction: Direction.Egress, + }; + defaultPkg.spec!.network!.allow?.push({ ...defaultAllow, ...allow }); + } + + for (const client of ssoClients) { + const defaultClient: Sso = { + name: "Application Login", + clientId: "uds-package-application", + redirectUris: ["https://app.uds.dev/redirect"], + }; + defaultPkg.spec!.sso?.push({ ...defaultClient, ...client }); + } + + return { + Raw: { ...defaultPkg, ...pkg }, + Approve: jest.fn(), + Deny: jest.fn(), + } as unknown as PeprValidateRequest; +}; + +describe("Test validation of Exemption CRs", () => { + afterEach(() => { + jest.resetAllMocks(); + }); + + it("allows packages that have no issues", async () => { + const mockReq = makeMockReq({}, [{}], [{}], [{}]); + await validator(mockReq); + expect(mockReq.Approve).toHaveBeenCalledTimes(1); + }); + + it("denies system namespaces", async () => { + const mockReq = makeMockReq({ metadata: { namespace: "kube-system" } }, [], [], []); + await validator(mockReq); + expect(mockReq.Deny).toHaveBeenCalledTimes(1); + }); + + it("denies advancedHTTP when used with passthrough Gateways", async () => { + const mockReq = makeMockReq( + {}, + [ + { + 
gateway: Gateway.Passthrough, + advancedHTTP: { + directResponse: { status: 403 }, + }, + }, + ], + [], + [], + ); + await validator(mockReq); + expect(mockReq.Deny).toHaveBeenCalledTimes(1); + }); + + it("denies advancedHTTP.directResponse when used with a selector", async () => { + const mockReq = makeMockReq( + {}, + [ + { + advancedHTTP: { + directResponse: { status: 403 }, + }, + selector: { app: "app" }, + }, + ], + [], + [], + ); + await validator(mockReq); + expect(mockReq.Deny).toHaveBeenCalledTimes(1); + }); + + it("denies advancedHTTP.directResponse when used with a service", async () => { + const mockReq = makeMockReq( + {}, + [ + { + advancedHTTP: { + directResponse: { status: 403 }, + }, + service: "app-service", + }, + ], + [], + [], + ); + await validator(mockReq); + expect(mockReq.Deny).toHaveBeenCalledTimes(1); + }); + + it("denies advancedHTTP.directResponse when used with a port", async () => { + const mockReq = makeMockReq( + {}, + [ + { + advancedHTTP: { + directResponse: { status: 403 }, + }, + port: 443, + }, + ], + [], + [], + ); + await validator(mockReq); + expect(mockReq.Deny).toHaveBeenCalledTimes(1); + }); + + it("denies advancedHTTP.directResponse when used with a targetPort", async () => { + const mockReq = makeMockReq( + {}, + [ + { + advancedHTTP: { + directResponse: { status: 403 }, + }, + port: 8443, + }, + ], + [], + [], + ); + await validator(mockReq); + expect(mockReq.Deny).toHaveBeenCalledTimes(1); + }); + + it("denies virtual services that are the same name", async () => { + const mockReq = makeMockReq({}, [{}, {}], [], []); + await validator(mockReq); + expect(mockReq.Deny).toHaveBeenCalledTimes(1); + }); + + it("denies network policies that specify both remoteGenerated and remoteNamespace", async () => { + const mockReq = makeMockReq( + {}, + [], + [ + { + remoteGenerated: RemoteGenerated.Anywhere, + remoteNamespace: "other-system", + }, + ], + [], + ); + await validator(mockReq); + 
expect(mockReq.Deny).toHaveBeenCalledTimes(1); + }); + + it("denies network policies that specify both remoteGenerated and remoteSelector", async () => { + const mockReq = makeMockReq( + {}, + [], + [ + { + remoteGenerated: RemoteGenerated.Anywhere, + remoteSelector: { app: "other" }, + }, + ], + [], + ); + await validator(mockReq); + expect(mockReq.Deny).toHaveBeenCalledTimes(1); + }); + + it("denies network policies that are the same name", async () => { + const mockReq = makeMockReq({}, [], [{}, {}], []); + await validator(mockReq); + expect(mockReq.Deny).toHaveBeenCalledTimes(1); + }); + + it("denies clients with clientIDs that are not unique", async () => { + const mockReq = makeMockReq({}, [], [], [{}, {}]); + await validator(mockReq); + expect(mockReq.Deny).toHaveBeenCalledTimes(1); + }); + + it("denies clients with invalid secret names", async () => { + const mockReq = makeMockReq( + {}, + [], + [], + [ + { + secretName: "HELLO_KITTEH", + }, + ], + ); + await validator(mockReq); + expect(mockReq.Deny).toHaveBeenCalledTimes(1); + }); + + it("denies clients with using the standard flow that don't have redirectUris", async () => { + const mockReq = makeMockReq( + {}, + [], + [], + [ + { + redirectUris: undefined, + }, + ], + ); + await validator(mockReq); + expect(mockReq.Deny).toHaveBeenCalledTimes(1); + }); + + it("allows clients not using the standard flow that don't have redirectUris", async () => { + const mockReq = makeMockReq( + {}, + [], + [], + [ + { + standardFlowEnabled: false, + redirectUris: undefined, + }, + ], + ); + await validator(mockReq); + expect(mockReq.Approve).toHaveBeenCalledTimes(1); + }); + + it("denies public device flow clients using the standard flow", async () => { + const mockReq = makeMockReq( + {}, + [], + [], + [ + { + publicClient: true, + attributes: { "oauth2.device.authorization.grant.enabled": "true" }, + standardFlowEnabled: true, + }, + ], + ); + await validator(mockReq); + expect(mockReq.Deny).toHaveBeenCalledTimes(1); 
+ }); + + it("denies public device flow clients using a secret", async () => { + const mockReq = makeMockReq( + {}, + [], + [], + [ + { + publicClient: true, + attributes: { "oauth2.device.authorization.grant.enabled": "true" }, + standardFlowEnabled: false, + secret: "app-client-secret", + }, + ], + ); + await validator(mockReq); + expect(mockReq.Deny).toHaveBeenCalledTimes(1); + }); + + it("denies public device flow clients using a secretName", async () => { + const mockReq = makeMockReq( + {}, + [], + [], + [ + { + publicClient: true, + attributes: { "oauth2.device.authorization.grant.enabled": "true" }, + standardFlowEnabled: false, + secretName: "app-k8s-secret", + }, + ], + ); + await validator(mockReq); + expect(mockReq.Deny).toHaveBeenCalledTimes(1); + }); + + it("denies public device flow clients using a secretTemplate", async () => { + const mockReq = makeMockReq( + {}, + [], + [], + [ + { + publicClient: true, + attributes: { "oauth2.device.authorization.grant.enabled": "true" }, + standardFlowEnabled: false, + secretTemplate: {}, + }, + ], + ); + await validator(mockReq); + expect(mockReq.Deny).toHaveBeenCalledTimes(1); + }); + + it("denies public device flow clients using enableAuthserviceSelector", async () => { + const mockReq = makeMockReq( + {}, + [], + [], + [ + { + publicClient: true, + attributes: { "oauth2.device.authorization.grant.enabled": "true" }, + standardFlowEnabled: false, + enableAuthserviceSelector: {}, + }, + ], + ); + await validator(mockReq); + expect(mockReq.Deny).toHaveBeenCalledTimes(1); + }); + + it("denies public device flow clients using the saml protocol", async () => { + const mockReq = makeMockReq( + {}, + [], + [], + [ + { + publicClient: true, + attributes: { "oauth2.device.authorization.grant.enabled": "true" }, + standardFlowEnabled: false, + protocol: Protocol.Saml, + }, + ], + ); + await validator(mockReq); + expect(mockReq.Deny).toHaveBeenCalledTimes(1); + }); + + it("denies public clients without the device flow 
attribute", async () => { + const mockReq = makeMockReq( + {}, + [], + [], + [ + { + publicClient: true, + standardFlowEnabled: false, + }, + ], + ); + await validator(mockReq); + expect(mockReq.Deny).toHaveBeenCalledTimes(1); + }); + + it("allows public clients that have the device flow attribute with standard flow disabled", async () => { + const mockReq = makeMockReq( + {}, + [], + [], + [ + { + publicClient: true, + attributes: { "oauth2.device.authorization.grant.enabled": "true" }, + standardFlowEnabled: false, + }, + ], + ); + await validator(mockReq); + expect(mockReq.Approve).toHaveBeenCalledTimes(1); + }); + + it("denies authservice clients with : in client ID", async () => { + const mockReq = makeMockReq( + {}, + [], + [], + [ + { + clientId: "http://example.com", + enableAuthserviceSelector: { + app: "foobar", + }, + }, + ], + ); + await validator(mockReq); + expect(mockReq.Deny).toHaveBeenCalledTimes(1); + }); + + it("allows non-authservice clients with : in client ID", async () => { + const mockReq = makeMockReq( + {}, + [], + [], + [ + { + clientId: "http://example.com", + enableAuthserviceSelector: undefined, // explicitly undefined + }, + ], + ); + await validator(mockReq); + expect(mockReq.Approve).toHaveBeenCalledTimes(1); + }); +}); + +describe("Test Allowed SSO Client Attributes", () => { + afterEach(() => { + jest.resetAllMocks(); + }); + + it("denies clients with unsupported attributes", async () => { + const mockReq = makeMockReq( + {}, + [], + [], + [ + { + attributes: { + "unsupported.attribute": "true", + }, + }, + ], + ); + await validator(mockReq); + expect(mockReq.Deny).toHaveBeenCalledTimes(1); + expect(mockReq.Deny).toHaveBeenCalledWith( + 'The client ID "uds-package-application" contains an unsupported attribute "unsupported.attribute"', + ); + }); + + it("allows clients with only supported attributes", async () => { + const mockReq = makeMockReq( + {}, + [], + [], + [ + { + attributes: { + "oidc.ciba.grant.enabled": "true", + 
"backchannel.logout.session.required": "false", + "backchannel.logout.revoke.offline.tokens": "true", + "post.logout.redirect.uris": "https://app.uds.dev/logout", + "oauth2.device.authorization.grant.enabled": "true", + "pkce.code.challenge.method": "S256", + "client.session.idle.timeout": "3600", + "saml.assertion.signature": "false", + "saml.client.signature": "false", + saml_assertion_consumer_url_post: "https://nexus.uds.dev/saml", + }, + }, + ], + ); + await validator(mockReq); + expect(mockReq.Approve).toHaveBeenCalledTimes(1); + }); + + it("denies clients with a mix of supported and unsupported attributes", async () => { + const mockReq = makeMockReq( + {}, + [], + [], + [ + { + attributes: { + "oidc.ciba.grant.enabled": "true", + "unsupported.attribute": "true", + }, + }, + ], + ); + await validator(mockReq); + expect(mockReq.Deny).toHaveBeenCalledTimes(1); + expect(mockReq.Deny).toHaveBeenCalledWith( + 'The client ID "uds-package-application" contains an unsupported attribute "unsupported.attribute"', + ); + }); + + it("allows clients without attributes", async () => { + const mockReq = makeMockReq( + {}, + [], + [], + [ + { + attributes: {}, + }, + ], + ); + await validator(mockReq); + expect(mockReq.Approve).toHaveBeenCalledTimes(1); + }); + + it("allows clients with no attributes defined", async () => { + const mockReq = makeMockReq({}, [], [], [{}]); + await validator(mockReq); + expect(mockReq.Approve).toHaveBeenCalledTimes(1); + }); +}); diff --git a/src/pepr/operator/crd/validators/package-validator.ts b/src/pepr/operator/crd/validators/package-validator.ts index 2c8955059..4ad6266fc 100644 --- a/src/pepr/operator/crd/validators/package-validator.ts +++ b/src/pepr/operator/crd/validators/package-validator.ts 
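Review bot: The test `denies advancedHTTP.directResponse when used with a targetPort` sets `port: 8443` rather than `targetPort`, so it duplicates the preceding `port` test and the validator's `targetPort` branch is never exercised; change that field to `targetPort: 8443`. The outer `describe("Test validation of Exemption CRs", …)` also mislabels the suite — every case validates a Package CR — so `describe("Test validation of Package CRs", …)` would match what is under test. Because the deny-path tests assert only `toHaveBeenCalledTimes(1)`, none of them pins which rule fired; the `toHaveBeenCalledWith` form already used in the attribute tests would make the new redirectUris and public-client cases specific.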
@@ -1,6 +1,6 @@
 import { PeprValidateRequest } from "pepr";
-import { Gateway, UDSPackage } from "..";
+import { Gateway, Protocol, UDSPackage } from "..";
 import { generateVSName } from "../../controllers/istio/virtual-service";
 import { generateName } from "../../controllers/network/generate";
 import { sanitizeResourceName } from "../../controllers/utils";
@@ -58,9 +58,34 @@ export async function validator(req: PeprValidateRequest) {
 const networkPolicyNames = new Set();
 for (const policy of networkPolicy) {
- // remoteGenerated cannot be combined with remoteNamespace or remoteSelector
- if (policy.remoteGenerated && (policy.remoteNamespace || policy.remoteSelector)) {
- return req.Deny("remoteGenerated cannot be combined with remoteNamespace or remoteSelector");
+ // If 'remoteGenerated' is set, it cannot be combined with 'remoteNamespace', 'remoteSelector', or 'remoteCidr'.
+ if (
+ policy.remoteGenerated &&
+ (policy.remoteNamespace || policy.remoteSelector || policy.remoteCidr)
+ ) {
+ return req.Deny(
+ "remoteGenerated cannot be combined with remoteNamespace, remoteSelector, or remoteCidr",
+ );
+ }
+
+ // If either 'remoteNamespace' or 'remoteSelector' is set, they cannot be combined with 'remoteGenerated' or 'remoteCidr'.
+ if (
+ (policy.remoteNamespace || policy.remoteSelector) &&
+ (policy.remoteGenerated || policy.remoteCidr)
+ ) {
+ return req.Deny(
+ "remoteNamespace and remoteSelector cannot be combined with remoteGenerated or remoteCidr",
+ );
+ }
+
+ // If 'remoteCidr' is set, it cannot be combined with 'remoteGenerated', 'remoteNamespace', or 'remoteSelector'.
+ if (
+ policy.remoteCidr &&
+ (policy.remoteGenerated || policy.remoteNamespace || policy.remoteSelector)
+ ) {
+ return req.Deny(
+ "remoteCidr cannot be combined with remoteGenerated, remoteNamespace, or remoteSelector",
+ );
 }
 // Ensure the policy name is unique
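Review bot: The third `if` (`policy.remoteCidr && (…)`) in the `@@ -58,9 +58,34 @@` hunk is unreachable: any combination it would catch is already denied by the first check when `remoteGenerated` is set, or by the second when `remoteNamespace`/`remoteSelector` is set, so its `remoteCidr cannot be combined…` message can never be returned. Counting how many peer kinds are set expresses the intent in one check and removes the overlap, as sketched below. Separately, `remoteCidr` is accepted here without any syntactic check; if it is passed into a NetworkPolicy `ipBlock` downstream (not visible in this hunk), a malformed value fails late and an unintended `0.0.0.0/0` is silently accepted, so a format check at this point or a CRD `pattern` would fail fast. The `validator` function starts and ends outside the hunk.
```typescript
    // remoteGenerated, remoteNamespace/remoteSelector and remoteCidr are mutually exclusive peer selectors
    const peerSelectorsSet = [
      policy.remoteGenerated,
      policy.remoteNamespace || policy.remoteSelector,
      policy.remoteCidr,
    ].filter(Boolean).length;
    if (peerSelectorsSet > 1) {
      return req.Deny(
        "remoteGenerated, remoteNamespace/remoteSelector, and remoteCidr cannot be combined",
      );
    }
    // … unchanged: policy name uniqueness check …
```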
@@ -81,6 +106,19 @@ export async function validator(req: PeprValidateRequest) {
 // Ensure the client IDs are unique
 const clientIDs = new Set();
+ const allowedClientAttributes = new Set([
+ "oidc.ciba.grant.enabled",
+ "backchannel.logout.session.required",
+ "backchannel.logout.revoke.offline.tokens",
+ "post.logout.redirect.uris",
+ "oauth2.device.authorization.grant.enabled",
+ "pkce.code.challenge.method",
+ "client.session.idle.timeout",
+ "saml.assertion.signature",
+ "saml.client.signature",
+ "saml_assertion_consumer_url_post",
+ ]);
+
 for (const client of ssoClients) {
 if (clientIDs.has(client.clientId)) {
 return req.Deny(`The client ID "${client.clientId}" is not unique`);
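Review bot: `allowedClientAttributes` is a fixed policy decision but is rebuilt on every `validator` call and buried between the `clientIDs` set and the loop; hoisting it to a module-level `const ALLOWED_CLIENT_ATTRIBUTES = new Set([...])` next to the imports makes it greppable and marks it as the single place to extend. It also needs a why-comment, since a reader cannot tell from the list what the rejection protects: something like `// Keycloak client attributes the operator passes through; any other key is rejected so a Package CR cannot set arbitrary client settings` — hedged, because the consumer of these attributes is outside this hunk. `validator` starts and ends outside the hunk.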
@@ -92,6 +130,43 @@ export async function validator(req: PeprValidateRequest) {
 `The client ID "${client.clientId}" uses an invalid secret name ${client.secretName}`,
 );
 }
+ // If standardFlowEnabled is undefined (defaults to `true`) or explicitly true and there are no redirectUris set, deny the req
+ if (client.standardFlowEnabled !== false && !client.redirectUris) {
+ return req.Deny(
+ `The client ID "${client.clientId}" must specify redirectUris if standardFlowEnabled is turned on (it is enabled by default)`,
+ );
+ }
+ // If this is a public client ensure that it only sets itself up as an OAuth Device Flow client
+ if (
+ client.publicClient &&
+ (client.standardFlowEnabled !== false ||
+ client.secret !== undefined ||
+ client.secretName !== undefined ||
+ client.secretTemplate !== undefined ||
+ client.enableAuthserviceSelector !== undefined ||
+ client.protocol === Protocol.Saml ||
+ client.attributes?.["oauth2.device.authorization.grant.enabled"] !== "true")
+ ) {
+ return req.Deny(
+ `The client ID "${client.clientId}" must _only_ configure the OAuth Device Flow as a public client`,
+ );
+ }
+ // Check if client.attributes contain any disallowed attributes
+ if (client.attributes) {
+ for (const attr of Object.keys(client.attributes)) {
+ if (!allowedClientAttributes.has(attr)) {
+ return req.Deny(
+ `The client ID "${client.clientId}" contains an unsupported attribute "${attr}"`,
+ );
+ }
+ }
+ }
+ // If this is an authservice client ensure it does not contain a `:`, see https://github.com/istio-ecosystem/authservice/issues/263
+ if (client.enableAuthserviceSelector && client.clientId.includes(":")) {
+ return req.Deny(
+ `The client ID "${client.clientId}" is invalid as an Authservice client - Authservice does not support client IDs with the ":" character`,
+ );
+ }
 }
 return req.Approve();
diff --git a/src/pepr/operator/reconcilers/package-reconciler.ts b/src/pepr/operator/reconcilers/package-reconciler.ts
index 0312441ed..568f71afa 100644
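Review bot: `!client.redirectUris` treats an empty array as present, so a client that leaves `standardFlowEnabled` at its default and sets `redirectUris: []` passes this check even though the deny message says redirect URIs must be specified; now that `redirectUris` is no longer `required` in the CRD this case is reachable. Use `!client.redirectUris?.length` in that condition. The public-client check is otherwise tight; one remaining gap is that the values of `post.logout.redirect.uris` and `saml_assertion_consumer_url_post` pass through unchecked once their key is allowlisted, and whether that matters depends on how the SSO controller applies them, which is outside this hunk. `validator` starts outside the hunk.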
--- a/src/pepr/operator/reconcilers/package-reconciler.ts
+++ b/src/pepr/operator/reconcilers/package-reconciler.ts
@@ -1,4 +1,4 @@
-import { handleFailure, shouldSkip, updateStatus } from ".";
+import { handleFailure, shouldSkip, updateStatus, writeEvent } from ".";
 import { UDSConfig } from "../../config";
 import { Component, setupLogger } from "../../logger";
 import { enableInjection } from "../controllers/istio/injection";
@@ -35,6 +35,23 @@ export async function packageReconciler(pkg: UDSPackage) {
 return;
 }
+ if (pkg.status?.retryAttempt && pkg.status?.retryAttempt > 0) {
+ // calculate exponential backoff where backoffSeconds = 3^retryAttempt
+ const backOffSeconds = 3 ** pkg.status?.retryAttempt;
+
+ log.info(
+ metadata,
+ `Waiting ${backOffSeconds} seconds before processing package ${namespace}/${name}, status.phase: ${pkg.status?.phase}, observedGeneration: ${pkg.status?.observedGeneration}, retryAttempt: ${pkg.status?.retryAttempt}`,
+ );
+
+ await writeEvent(pkg, {
+ message: `Waiting ${backOffSeconds} seconds before retrying package`,
+ });
+
+ // wait for backOff seconds before retrying
+ await new Promise(resolve => setTimeout(resolve, backOffSeconds * 1000));
+ }
+
 // Migrate the package to the latest version
 migrate(pkg);
diff --git a/src/pepr/policies/index.ts b/src/pepr/policies/index.ts
index f63d6f75c..8ba25dc26 100644
--- a/src/pepr/policies/index.ts
+++ b/src/pepr/policies/index.ts
@@ -1,4 +1,5 @@
 // Various validation actions for Kubernetes resources from Big Bang
+import { WatchCfg } from "kubernetes-fluent-client";
 import { K8s } from "pepr";
 import { Component, setupLogger } from "../logger";
 import { ExemptionStore } from "../operator/controllers/exemptions/exemption-store";
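Review bot: `3 ** pkg.status?.retryAttempt` in the `@@ -35,6 +35,23 @@` hunk is uncapped, so a package that keeps failing waits 3^n seconds — retryAttempt 8 is already about 1.8 hours and 10 about 16 hours — and because the delay is awaited inside `packageReconciler`, that reconcile is held for the whole interval. Unless `retryAttempt` is bounded where it is incremented (not visible here), cap the delay with a named constant: `const backOffSeconds = Math.min(3 ** pkg.status.retryAttempt, MAX_BACKOFF_SECONDS);`. The optional chaining on `pkg.status?.retryAttempt` inside the block is redundant after the guard on the `if` line. `packageReconciler` starts and ends outside the hunk.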
@@ -21,11 +22,25 @@ export async function startExemptionWatch() {
 // only run in admission controller or dev mode
 if (process.env.PEPR_WATCH_MODE === "false" || process.env.PEPR_MODE === "dev") {
+ const watchCfg: WatchCfg = {
+ resyncFailureMax: process.env.PEPR_RESYNC_FAILURE_MAX
+ ? parseInt(process.env.PEPR_RESYNC_FAILURE_MAX, 10)
+ : 5,
+ resyncDelaySec: process.env.PEPR_RESYNC_DELAY_SECONDS
+ ? parseInt(process.env.PEPR_RESYNC_DELAY_SECONDS, 10)
+ : 5,
+ lastSeenLimitSeconds: process.env.PEPR_LAST_SEEN_LIMIT_SECONDS
+ ? parseInt(process.env.PEPR_LAST_SEEN_LIMIT_SECONDS, 10)
+ : 300,
+ relistIntervalSec: process.env.PEPR_RELIST_INTERVAL_SECONDS
+ ? parseInt(process.env.PEPR_RELIST_INTERVAL_SECONDS, 10)
+ : 1800,
+ };
 const watcher = K8s(UDSExemption).Watch(async (exemption, phase) => {
 log.debug(`Processing exemption ${exemption.metadata?.name}, watch phase: ${phase}`);
 processExemptions(exemption, phase);
- });
+ }, watchCfg);
 // This will run until the process is terminated or the watch is aborted
 log.debug("Starting exemption watch...");
diff --git a/src/pepr/policies/security.ts b/src/pepr/policies/security.ts
index e4b782433..6d614b58c 100644
--- a/src/pepr/policies/security.ts
+++ b/src/pepr/policies/security.ts
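Review bot: Each `parseInt(process.env.…, 10)` in the `watchCfg` literal is handed to `WatchCfg` unchecked, so a mistyped value such as `PEPR_RELIST_INTERVAL_SECONDS=30m` yields `NaN` (and `0` or a negative number passes through as-is) rather than falling back to the default, and the watcher is then configured with it. A small helper that validates the parsed number and otherwise falls back keeps the four entries to one line each, as below. `startExemptionWatch` continues outside the hunk.
```typescript
// Read a positive integer from the environment, falling back when unset or malformed
const envInt = (name: string, fallback: number): number => {
  const parsed = parseInt(process.env[name] ?? "", 10);
  return Number.isInteger(parsed) && parsed > 0 ? parsed : fallback;
};
// … unchanged: PEPR_WATCH_MODE / PEPR_MODE guard …
    const watchCfg: WatchCfg = {
      resyncFailureMax: envInt("PEPR_RESYNC_FAILURE_MAX", 5),
      resyncDelaySec: envInt("PEPR_RESYNC_DELAY_SECONDS", 5),
      lastSeenLimitSeconds: envInt("PEPR_LAST_SEEN_LIMIT_SECONDS", 300),
      relistIntervalSec: envInt("PEPR_RELIST_INTERVAL_SECONDS", 1800),
    };
```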
@@ -25,14 +25,40 @@ import { exemptionAnnotationPrefix, isExempt, markExemption } from "./exemptions
 */
 When(a.Pod)
 .IsCreatedOrUpdated()
- .Mutate(markExemption(Policy.DisallowPrivileged))
+ .Mutate(request => {
+ markExemption(Policy.DisallowPrivileged)(request);
+ if (request.HasAnnotation(`${exemptionAnnotationPrefix}.${Policy.DisallowPrivileged}`)) {
+ return;
+ }
+ let wasMutated = false;
+
+ // Check if any containers defined in the pod do not have the `allowPrivilegeEscalation` field present. If not, include it and set to false.
+ for (const container of containers(request)) {
+ container.securityContext = container.securityContext || {};
+ const mutateCriteria = [
+ container.securityContext.allowPrivilegeEscalation === undefined,
+ !container.securityContext.privileged,
+ !container.securityContext.capabilities?.add?.includes("CAP_SYS_ADMIN"),
+ ];
+ // We are only mutating if the conditions above are all satisfied
+ if (mutateCriteria.every(priv => priv === true)) {
+ container.securityContext.allowPrivilegeEscalation = false;
+ wasMutated = true;
+ }
+ }
+ if (wasMutated) {
+ annotateMutation(request, Policy.DisallowPrivileged);
+ }
+ })
 .Validate(request => {
 if (isExempt(request, Policy.DisallowPrivileged)) {
 return request.Approve();
 }
 const violations = securityContextContainers(request).filter(
- c => c.ctx.allowPrivilegeEscalation || c.ctx.privileged,
+ // Checking if allowPrivilegeEscalation is undefined. If yes, fallback to true as the default behavior in k8s is to allow if undefined.
+ // Checks the three different ways a container could escalate to admin privs
+ c => (c.ctx.allowPrivilegeEscalation ?? true) || c.ctx.privileged,
 );
 if (violations.length) {
diff --git a/src/pepr/prometheus/index.ts b/src/pepr/prometheus/index.ts
index 1f69b1664..ef4c1e34e 100644
--- a/src/pepr/prometheus/index.ts
+++ b/src/pepr/prometheus/index.ts
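Review bot: The new comment above the `Validate` filter says it checks "the three different ways a container could escalate to admin privs", but the predicate tests only two — `allowPrivilegeEscalation ?? true` and `privileged`; the `CAP_SYS_ADMIN` case is handled only on the `Mutate` side, where such containers are deliberately left with `allowPrivilegeEscalation` unset and so fall into the `?? true` default here. Either extend the predicate with the capability check or reword the comment to what it covers: `// undefined allowPrivilegeEscalation defaults to true in Kubernetes; containers adding CAP_SYS_ADMIN are skipped by the mutation above and fall through to that default`. The `mutateCriteria` check matches only the `CAP_`-prefixed spelling, which is the literal the apiserver's own allowPrivilegeEscalation validation looks for, but manifests commonly write `SYS_ADMIN`; a one-line comment on why that spelling was chosen would save the next reader the same question. The `When(a.Pod)` chain starts and ends outside the hunk.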
@@ -8,7 +8,6 @@ import { ServiceMonitorEndpoint, ServiceMonitorScheme, } from "../operator/crd"; - // configure subproject logger const log = setupLogger(Component.PROMETHEUS); @@ -25,7 +24,7 @@ const { When } = prometheus; When(PrometheusServiceMonitor) .IsCreatedOrUpdated() .Mutate(async sm => { - if (sm.Raw.spec === undefined) { + if (sm.Raw.spec === undefined || sm.Raw.spec.scrapeClass != undefined) { return; } @@ -39,6 +38,7 @@ When(PrometheusServiceMonitor) `Mutating scrapeClass to exempt ServiceMonitor ${sm.Raw.metadata?.name} from default scrapeClass mTLS config`, ); sm.Raw.spec.scrapeClass = "exempt"; + return; } else { log.info(`Patching service monitor ${sm.Raw.metadata?.name} for mTLS metrics`); @@ -64,7 +64,7 @@ When(PrometheusServiceMonitor) When(PrometheusPodMonitor) .IsCreatedOrUpdated() .Mutate(async pm => { - if (pm.Raw.spec === undefined) { + if (pm.Raw.spec === undefined || pm.Raw.spec.scrapeClass != undefined) { return; } @@ -74,6 +74,7 @@ When(PrometheusPodMonitor) `Mutating scrapeClass to exempt PodMonitor ${pm.Raw.metadata?.name} from default scrapeClass mTLS config`, ); pm.Raw.spec.scrapeClass = "exempt"; + return; } else { log.info(`Patching pod monitor ${pm.Raw.metadata?.name} for mTLS metrics`); @@ -102,5 +103,6 @@ async function isIstioInjected(monitor: PrometheusServiceMonitor | PrometheusPod return true; } } + return false; } diff --git a/src/pepr/uds-operator-config/Chart.yaml b/src/pepr/uds-operator-config/Chart.yaml new file mode 100644 index 000000000..fd20c4ad3 --- /dev/null +++ b/src/pepr/uds-operator-config/Chart.yaml 
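Review bot: The new early return on `sm.Raw.spec.scrapeClass != undefined` (and its `PodMonitor` twin in `@@ -64,7 +64,7 @@`) leaves any monitor that arrives with a `scrapeClass` already set untouched, so a workload can bypass the mTLS scrape configuration simply by naming any class; if that is the intended escape hatch it deserves a comment such as `// Respect an explicitly chosen scrapeClass; only monitors without one are mutated for mTLS`, otherwise limit the bypass to known classes. Style: the loose `!= undefined` also matches `null`, while the same line uses `=== undefined`; `!== undefined` is consistent unless `null` is deliberately covered. The `Mutate` callbacks and `isIstioInjected` start outside their hunks.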
@@ -0,0 +1,18 @@
+apiVersion: v2
+name: uds-operator-config
+description: UDS Core configuration for UDS Operator
+
+ # A chart can be either an 'application' or a 'library' chart.
+ #
+ # Application charts are a collection of templates that can be packaged into versioned archives
+ # to be deployed.
+ #
+ # Library charts provide useful utilities or functions for the chart developer. They're included as
+ # a dependency of application charts to inject those utilities and functions into the rendering
+ # pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+ # This is the chart version. This version number should be incremented each time you make changes
+ # to the chart and its templates, including the app version.
+ # Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
diff --git a/src/pepr/uds-operator-config/templates/_helpers.tpl b/src/pepr/uds-operator-config/templates/_helpers.tpl
new file mode 100644
index 000000000..3a42d419c
--- /dev/null
+++ b/src/pepr/uds-operator-config/templates/_helpers.tpl
@@ -0,0 +1,62 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "uds-operator-config.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "uds-operator-config.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "uds-operator-config.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "uds-operator-config.labels" -}} +helm.sh/chart: {{ include "uds-operator-config.chart" . }} +{{ include "uds-operator-config.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "uds-operator-config.selectorLabels" -}} +app.kubernetes.io/name: {{ include "uds-operator-config.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "uds-operator-config.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "uds-operator-config.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} 
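Review bot: `uds-operator-config.serviceAccountName` reads `.Values.serviceAccount.create` and `.Values.serviceAccount.name`, but the chart's `values.yaml` in this commit defines only `operator`, so rendering that helper would fail on a nil map. This file is `helm create` boilerplate and, as far as the diff shows, only `uds-operator-config.labels` (and the `chart`/`selectorLabels`/`name` helpers it pulls in) is used by `secret.yaml`; `fullname` and `serviceAccountName` are dead. Drop the unused helpers or add the `serviceAccount` values they expect, so the chart does not carry templates that cannot render against its own values.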
diff --git a/src/pepr/uds-operator-config/templates/secret.yaml b/src/pepr/uds-operator-config/templates/secret.yaml
new file mode 100644
index 000000000..503a4b2e0
--- /dev/null
+++ b/src/pepr/uds-operator-config/templates/secret.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: uds-operator-config
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "uds-operator-config.labels" . | nindent 4 }}
+type: Opaque
+stringData:
+{{- range $key, $value := .Values.operator }}
+ {{ $key }}: {{ $value | quote }}
+{{- end }}
diff --git a/src/pepr/uds-operator-config/values.yaml b/src/pepr/uds-operator-config/values.yaml
new file mode 100644
index 000000000..9d443b3be
--- /dev/null
+++ b/src/pepr/uds-operator-config/values.yaml
@@ -0,0 +1,9 @@
+operator:
+ UDS_DOMAIN: "###ZARF_VAR_DOMAIN###"
+ UDS_CA_CERT: "###ZARF_VAR_CA_CERT###"
+ UDS_ALLOW_ALL_NS_EXEMPTIONS: "###ZARF_VAR_ALLOW_ALL_NS_EXEMPTIONS###"
+ UDS_SINGLE_TEST: "###ZARF_VAR_UDS_SINGLE_TEST###"
+ UDS_LOG_LEVEL: "###ZARF_VAR_UDS_LOG_LEVEL###"
+ AUTHSERVICE_REDIS_URI: "###ZARF_VAR_AUTHSERVICE_REDIS_URI###"
+ # Allow Pepr watch to be configurable to react to dropped connections faster
+ PEPR_LAST_SEEN_LIMIT_SECONDS: "300"
diff --git a/src/pepr/values.yaml b/src/pepr/values.yaml
new file mode 100644
index 000000000..55ee5664a
--- /dev/null
+++ b/src/pepr/values.yaml
@@ -0,0 +1,12 @@
+watcher:
+ serviceMonitor:
+ enabled: ###ZARF_VAR_PEPR_SERVICE_MONITORS###
+ envFrom:
+ - secretRef:
+ name: uds-operator-config
+admission:
+ serviceMonitor:
+ enabled: ###ZARF_VAR_PEPR_SERVICE_MONITORS###
+ envFrom:
+ - secretRef:
+ name: uds-operator-config
diff --git a/src/pepr/zarf.yaml b/src/pepr/zarf.yaml
new file mode 100644
index 000000000..5dafad221
--- /dev/null
+++ b/src/pepr/zarf.yaml
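Review bot: The comment `Allow Pepr watch to be configurable to react to dropped connections faster` in `uds-operator-config/values.yaml` sits above a hard-coded `PEPR_LAST_SEEN_LIMIT_SECONDS: "300"` rather than a `###ZARF_VAR_…###` like its siblings, and the other three settings the watcher reads in `src/pepr/policies/index.ts` (`PEPR_RESYNC_FAILURE_MAX`, `PEPR_RESYNC_DELAY_SECONDS`, `PEPR_RELIST_INTERVAL_SECONDS`) are not set here at all, so they always take the in-code defaults. Either wire all four through Zarf variables or reword the comment to say only the last-seen limit is overridden, e.g. `# Override Pepr's watch last-seen limit so dropped connections are detected faster (other watch settings use code defaults)`. `UDS_ALLOW_ALL_NS_EXEMPTIONS` references `###ZARF_VAR_ALLOW_ALL_NS_EXEMPTIONS###`, which is not among the `variables` declared in `src/pepr/zarf.yaml` in this diff — presumably declared by an enclosing package, but worth confirming so the key does not ship with the literal placeholder.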
@@ -0,0 +1,82 @@
+kind: ZarfPackageConfig
+metadata:
+ name: pepr-uds-core
+ description: 'Pepr Module: A collection of capabilities for UDS Core'
+ url: https://github.com/defenseunicorns/pepr
+
+variables:
+ - name: DOMAIN
+ description: "Cluster domain"
+ default: "uds.dev"
+
+ - name: CA_CERT
+ description: "Base64 encoded CA cert that signed the domain wildcard certs used for Istio ingress"
+ default: ""
+
+ - name: UDS_LOG_LEVEL
+ description: "UDS Operator log level"
+ default: "debug"
+
+ - name: AUTHSERVICE_REDIS_URI
+ description: "UDS Authservice Redis URI"
+ default: ""
+
+ - name: UDS_SINGLE_TEST
+ description: "UDS Single package test"
+ default: ""
+
+ - name: PEPR_SERVICE_MONITORS
+ description: "Enables Service Monitors for Pepr services (watcher, admission)"
+ default: "true"
+
+components:
+ - name: uds-operator-config
+ required: true
+ charts:
+ - name: uds-operator-config
+ namespace: pepr-system
+ version: 0.1.0
+ localPath: uds-operator-config
+ valuesFiles:
+ - uds-operator-config/values.yaml
+
+ - name: pepr-uds-core
+ required: true
+ import:
+ name: module
+ path: ../../dist
+ charts:
+ - name: module
+ valuesFiles:
+ - values.yaml
+ actions:
+ onDeploy:
+ before:
+ - cmd: ./zarf tools kubectl annotate secret -n pepr-system pepr-uds-core-api-token meta.helm.sh/release-name=module --overwrite || true
+ mute: true
+ - cmd: ./zarf tools kubectl annotate secret -n pepr-system pepr-uds-core-module meta.helm.sh/release-name=module --overwrite || true
+ mute: true
+ - cmd: ./zarf tools kubectl annotate secret -n pepr-system pepr-uds-core-tls meta.helm.sh/release-name=module --overwrite || true
+ mute: true
+ - cmd: ./zarf tools kubectl annotate serviceaccount -n pepr-system pepr-uds-core meta.helm.sh/release-name=module --overwrite || true
+ mute: true
+ - cmd: ./zarf tools kubectl annotate clusterrolebinding pepr-uds-core meta.helm.sh/release-name=module --overwrite || true
+ mute: true
+ - cmd: ./zarf tools kubectl annotate clusterrole 
pepr-uds-core meta.helm.sh/release-name=module --overwrite || true
+ mute: true
+ - cmd: ./zarf tools kubectl annotate role -n pepr-system pepr-uds-core-store meta.helm.sh/release-name=module --overwrite || true
+ mute: true
+ - cmd: ./zarf tools kubectl annotate rolebinding -n pepr-system pepr-uds-core-store meta.helm.sh/release-name=module --overwrite || true
+ mute: true
+ - cmd: ./zarf tools kubectl annotate service -n pepr-system pepr-uds-core meta.helm.sh/release-name=module --overwrite || true
+ mute: true
+ - cmd: ./zarf tools kubectl annotate service -n pepr-system pepr-uds-core-watcher meta.helm.sh/release-name=module --overwrite || true
+ mute: true
+ - cmd: ./zarf tools kubectl annotate deployment -n pepr-system pepr-uds-core meta.helm.sh/release-name=module --overwrite || true
+ mute: true
+ - cmd: ./zarf tools kubectl annotate deployment -n pepr-system pepr-uds-core-watcher meta.helm.sh/release-name=module --overwrite || true
+ mute: true
+ - cmd: ./zarf tools kubectl annotate mutatingwebhookconfiguration -n pepr-system pepr-uds-core meta.helm.sh/release-name=module --overwrite || true
+ mute: true
+ - cmd: ./zarf tools kubectl annotate validatingwebhookconfiguration -n pepr-system pepr-uds-core meta.helm.sh/release-name=module --overwrite || true
+ mute: true
diff --git a/src/prometheus-stack/chart/templates/prometheus-pod-monitor.yaml b/src/prometheus-stack/chart/templates/prometheus-pod-monitor.yaml
index 29f2827c2..06bcd9e5c 100644
--- a/src/prometheus-stack/chart/templates/prometheus-pod-monitor.yaml
+++ b/src/prometheus-stack/chart/templates/prometheus-pod-monitor.yaml
@@ -13,6 +13,11 @@ spec:
 podMetricsEndpoints:
 - port: http-web
 - port: reloader-web
+ # Ensure we filter out the init containers
+ relabelings:
+ - sourceLabels: [__meta_kubernetes_pod_container_init]
+ regex: "true"
+ action: drop
 namespaceSelector:
 matchNames:
 - monitoring
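Review bot: Every `onDeploy.before` action that re-annotates the existing `pepr-uds-core` objects with `meta.helm.sh/release-name=module` is both `|| true` and `mute: true`, so an RBAC or connectivity failure is indistinguishable from the object simply not existing on a fresh install, and a half-migrated set of objects then fails later inside the Helm install with a less useful ownership error. At minimum add a comment above the list explaining what the `|| true` is for, e.g. `# Re-home objects created by the previous release name so Helm can adopt them; missing objects (fresh install) are expected to fail`, and consider `mute: false` with a `description` per action so the migration is visible in deploy output. Helm adoption also requires the `meta.helm.sh/release-namespace` annotation and the `app.kubernetes.io/managed-by: Helm` label; if these objects were previously installed by Helm under another release name they already carry both, otherwise the annotate step is incomplete. The `pepr-uds-core` component starts in the previous line of this view.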
diff --git a/src/prometheus-stack/chart/templates/uds-package.yaml b/src/prometheus-stack/chart/templates/uds-package.yaml
index 746a08692..2dfda03fb 100644
--- a/src/prometheus-stack/chart/templates/uds-package.yaml
+++ b/src/prometheus-stack/chart/templates/uds-package.yaml
@@ -46,9 +46,9 @@ spec:
 port: 10250
 description: "Webhook"
- # todo: lockdown egress to scrape targets
+ # Prometheus scrape targets
 - direction: Egress
- remoteNamespace: ""
+ remoteNamespace: "" # todo: restrict this overly permissive netpol
 selector:
 app.kubernetes.io/name: prometheus
 description: "Metrics Scraping"
@@ -62,9 +62,3 @@ spec:
 port: 9090
 description: "Grafana Metrics Queries"
- - direction: Egress
- remoteNamespace: tempo
- remoteSelector:
- app.kubernetes.io/name: tempo
- port: 9411
- description: "Tempo"
diff --git a/src/prometheus-stack/common/zarf.yaml b/src/prometheus-stack/common/zarf.yaml
index 20025a485..142bbd63f 100644
--- a/src/prometheus-stack/common/zarf.yaml
+++ b/src/prometheus-stack/common/zarf.yaml
@@ -15,7 +15,7 @@ components:
 - name: kube-prometheus-stack
 namespace: monitoring
 url: https://prometheus-community.github.io/helm-charts
- version: 58.7.2
+ version: 62.7.0
 valuesFiles:
 - "../values/values.yaml"
 actions:
@@ -25,7 +25,7 @@ components:
 maxTotalSeconds: 300
 wait:
 cluster:
- kind: Packages
+ kind: packages.uds.dev
 name: prometheus-stack
 namespace: monitoring
 condition: "'{.status.phase}'=Ready"
diff --git a/src/prometheus-stack/oscal-component.yaml b/src/prometheus-stack/oscal-component.yaml
index 84525040c..2dab3e066 100644
--- a/src/prometheus-stack/oscal-component.yaml
+++ b/src/prometheus-stack/oscal-component.yaml
@@ -4,7 +4,7 @@ component-definition:
 title: Prometheus Stack
 last-modified: "2024-01-31T14:39:33Z"
 version: "20240131"
- oscal-version: 1.1.1
+ oscal-version: 1.1.2
 parties:
 - uuid: f3cf70f8-ba44-4e55-9ea3-389ef24847d3
 type: organization
@@ -233,7 +233,10 @@ component-definition: of when the data was collected remarks: This control is fully implemented by this tool. - + props: + - name: framework + ns: https://docs.lula.dev/oscal/ns + value: il4 back-matter: resources: - uuid: ff397816-6126-4b2c-938b-e7d202003def diff --git a/src/prometheus-stack/tasks.yaml b/src/prometheus-stack/tasks.yaml index d9b8cfab5..eacf43448 100644 --- a/src/prometheus-stack/tasks.yaml +++ b/src/prometheus-stack/tasks.yaml @@ -29,3 +29,12 @@ tasks: name: app.kubernetes.io/name=prometheus-node-exporter namespace: monitoring condition: Ready + # Below task can be used to generate CRD types, but is commented out pending resolution of https://github.com/defenseunicorns/kubernetes-fluent-client/issues/374 + # - name: gen-crds + # actions: + # - description: Generate servicemonitor types + # cmd: "npx kubernetes-fluent-client crd https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.77.0/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml src/pepr/operator/crd/generated/prometheus" + # - description: Generate podmonitor types + # cmd: "npx kubernetes-fluent-client crd https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.77.0/example/prometheus-operator-crd/monitoring.coreos.com_podmonitors.yaml src/pepr/operator/crd/generated/prometheus" + # - description: Pepr Format + # cmd: "npx pepr format" diff --git a/src/prometheus-stack/values/registry1-values.yaml b/src/prometheus-stack/values/registry1-values.yaml index 65e36453a..b0d19a0a9 100644 --- a/src/prometheus-stack/values/registry1-values.yaml +++ b/src/prometheus-stack/values/registry1-values.yaml @@ -8,7 +8,7 @@ kube-state-metrics: image: registry: registry1.dso.mil repository: ironbank/opensource/kubernetes/kube-state-metrics - tag: v2.12.0 + tag: v2.13.0 securityContext: enabled: true fsGroup: 65532 
@@ -20,12 +20,12 @@ prometheus: image: registry: registry1.dso.mil repository: ironbank/opensource/prometheus/prometheus - tag: v2.52.0 + tag: v2.54.1 prometheus-node-exporter: image: registry: registry1.dso.mil repository: ironbank/opensource/prometheus/node-exporter - tag: v1.8.1 + tag: v1.8.2 prometheusOperator: admissionWebhooks: containerSecurityContext: @@ -37,7 +37,7 @@ prometheusOperator: image: registry: registry1.dso.mil repository: ironbank/opensource/ingress-nginx/kube-webhook-certgen - tag: v1.3.0 + tag: v1.4.3 registry: registry1.dso.mil repository: ironbank/opensource/ingress-nginx/kube-webhook-certgen tag: v1.3.0 @@ -48,9 +48,9 @@ prometheusOperator: image: registry: registry1.dso.mil repository: ironbank/opensource/prometheus-operator/prometheus-operator - tag: v0.74.0 + tag: v0.77.0 prometheusConfigReloader: image: registry: registry1.dso.mil repository: ironbank/opensource/prometheus-operator/prometheus-config-reloader - tag: v0.74.0 + tag: v0.77.0 diff --git a/src/prometheus-stack/values/unicorn-values.yaml b/src/prometheus-stack/values/unicorn-values.yaml index 67d689058..f9f1f9f91 100644 --- a/src/prometheus-stack/values/unicorn-values.yaml +++ b/src/prometheus-stack/values/unicorn-values.yaml @@ -8,7 +8,7 @@ kube-state-metrics: image: registry: cgr.dev repository: du-uds-defenseunicorns/kube-state-metrics-fips - tag: 2.12.0 + tag: 2.13.0 securityContext: enabled: true fsGroup: 65532 @@ -20,12 +20,12 @@ prometheus: image: registry: cgr.dev repository: du-uds-defenseunicorns/prometheus-fips - tag: 2.52.0 + tag: 2.54.1 prometheus-node-exporter: image: registry: cgr.dev repository: du-uds-defenseunicorns/prometheus-node-exporter-fips - tag: 1.8.1 + tag: 1.8.2 prometheusOperator: admissionWebhooks: containerSecurityContext: 
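Review bot: The @@ -37 hunk of src/prometheus-stack/values/registry1-values.yaml bumps one kube-webhook-certgen `tag: v1.3.0` to `v1.4.3`, but the three context lines directly below it (`registry: registry1.dso.mil`, `repository: ironbank/opensource/ingress-nginx/kube-webhook-certgen`, `tag: v1.3.0`) keep a second copy of the same image at v1.3.0. The nesting is not recoverable from the collapsed hunk, but either that second key is consumed by the chart, in which case it now references an image the registry1 image list in src/prometheus-stack/zarf.yaml (v1.4.3 only) no longer bundles and an airgapped deploy would fail to pull it, or it is a leftover from an older values layout and is dead and should be deleted. The same stale duplicate exists in the @@ -37 hunk of unicorn-values.yaml (`tag: 1.10.1` left below the `1.11.2` bump). Whichever it is, a values file should not carry two versions of one image.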
@@ -37,7 +37,7 @@ prometheusOperator: image: registry: cgr.dev repository: du-uds-defenseunicorns/kube-webhook-certgen-fips - tag: 1.10.1 + tag: 1.11.2 registry: cgr.dev repository: du-uds-defenseunicorns/kube-webhook-certgen-fips tag: 1.10.1 @@ -48,9 +48,9 @@ prometheusOperator: image: registry: cgr.dev repository: du-uds-defenseunicorns/prometheus-operator-fips - tag: 0.74.0 + tag: 0.77.0 prometheusConfigReloader: image: registry: cgr.dev repository: du-uds-defenseunicorns/prometheus-config-reloader-fips - tag: 0.74.0 + tag: 0.77.0 diff --git a/src/prometheus-stack/values/upstream-values.yaml b/src/prometheus-stack/values/upstream-values.yaml index f8d260d18..8f2c4c34a 100644 --- a/src/prometheus-stack/values/upstream-values.yaml +++ b/src/prometheus-stack/values/upstream-values.yaml @@ -8,7 +8,7 @@ kube-state-metrics: image: registry: registry.k8s.io repository: kube-state-metrics/kube-state-metrics - tag: v2.12.0 + tag: v2.13.0 securityContext: enabled: true fsGroup: 65534 @@ -20,19 +20,19 @@ prometheus: image: registry: quay.io repository: prometheus/prometheus - tag: v2.52.0 + tag: v2.54.1 prometheus-node-exporter: image: registry: quay.io repository: prometheus/node-exporter - tag: v1.8.1 + tag: v1.8.2 prometheusOperator: admissionWebhooks: patch: image: registry: registry.k8s.io repository: ingress-nginx/kube-webhook-certgen - tag: v20221220-controller-v1.5.1-58-g787ea74b6 + tag: v1.4.3 securityContext: runAsGroup: 2000 runAsNonRoot: true @@ -40,9 +40,9 @@ prometheusOperator: image: registry: quay.io repository: prometheus-operator/prometheus-operator - tag: v0.74.0 + tag: v0.77.0 prometheusConfigReloader: image: registry: quay.io repository: prometheus-operator/prometheus-config-reloader - tag: v0.74.0 + tag: v0.77.0 diff --git a/src/prometheus-stack/values/values.yaml b/src/prometheus-stack/values/values.yaml index fe6f21d26..1419a08a0 100644 --- a/src/prometheus-stack/values/values.yaml +++ b/src/prometheus-stack/values/values.yaml 
@@ -47,8 +47,8 @@ prometheus: probeSelectorNilUsesHelmValues: false resources: limits: - cpu: 300m - memory: 2Gi + cpu: 500m + memory: 4Gi requests: cpu: 100m memory: 512Mi diff --git a/src/prometheus-stack/zarf.yaml b/src/prometheus-stack/zarf.yaml index ea1e31733..b1c30e46a 100644 --- a/src/prometheus-stack/zarf.yaml +++ b/src/prometheus-stack/zarf.yaml @@ -10,7 +10,7 @@ components: charts: - name: prometheus-operator-crds url: https://prometheus-community.github.io/helm-charts - version: 11.0.0 + version: 14.0.0 namespace: uds-crds valuesFiles: - "values/crd-values.yaml" @@ -27,13 +27,13 @@ components: valuesFiles: - "values/upstream-values.yaml" images: - - "quay.io/prometheus/node-exporter:v1.8.1" - - "quay.io/prometheus-operator/prometheus-operator:v0.74.0" - - "registry.k8s.io/kube-state-metrics/kube-state-metrics:v2.12.0" + - "quay.io/prometheus/node-exporter:v1.8.2" + - "quay.io/prometheus-operator/prometheus-operator:v0.77.0" + - "registry.k8s.io/kube-state-metrics/kube-state-metrics:v2.13.0" - "quay.io/prometheus/alertmanager:v0.27.0" - - "quay.io/prometheus-operator/prometheus-config-reloader:v0.74.0" - - "quay.io/prometheus/prometheus:v2.52.0" - - "registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20221220-controller-v1.5.1-58-g787ea74b6" + - "quay.io/prometheus-operator/prometheus-config-reloader:v0.77.0" + - "quay.io/prometheus/prometheus:v2.54.1" + - "registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.3" - name: kube-prometheus-stack required: true 
@@ -47,13 +47,13 @@ components: valuesFiles: - "values/registry1-values.yaml" images: - - "registry1.dso.mil/ironbank/opensource/prometheus/node-exporter:v1.8.1" - - "registry1.dso.mil/ironbank/opensource/prometheus-operator/prometheus-operator:v0.74.0" - - "registry1.dso.mil/ironbank/opensource/kubernetes/kube-state-metrics:v2.12.0" + - "registry1.dso.mil/ironbank/opensource/prometheus/node-exporter:v1.8.2" + - "registry1.dso.mil/ironbank/opensource/prometheus-operator/prometheus-operator:v0.77.0" + - "registry1.dso.mil/ironbank/opensource/kubernetes/kube-state-metrics:v2.13.0" - "registry1.dso.mil/ironbank/opensource/prometheus/alertmanager:v0.27.0" - - "registry1.dso.mil/ironbank/opensource/prometheus-operator/prometheus-config-reloader:v0.74.0" - - "registry1.dso.mil/ironbank/opensource/prometheus/prometheus:v2.52.0" - - "registry1.dso.mil/ironbank/opensource/ingress-nginx/kube-webhook-certgen:v1.3.0" + - "registry1.dso.mil/ironbank/opensource/prometheus-operator/prometheus-config-reloader:v0.77.0" + - "registry1.dso.mil/ironbank/opensource/prometheus/prometheus:v2.54.1" + - "registry1.dso.mil/ironbank/opensource/ingress-nginx/kube-webhook-certgen:v1.4.3" - name: kube-prometheus-stack required: true 
@@ -67,10 +67,10 @@ components: valuesFiles: - "values/unicorn-values.yaml" images: - - "cgr.dev/du-uds-defenseunicorns/prometheus-node-exporter-fips:1.8.1" - - "cgr.dev/du-uds-defenseunicorns/prometheus-operator-fips:0.74.0" - - "cgr.dev/du-uds-defenseunicorns/kube-state-metrics-fips:2.12.0" + - "cgr.dev/du-uds-defenseunicorns/prometheus-node-exporter-fips:1.8.2" + - "cgr.dev/du-uds-defenseunicorns/prometheus-operator-fips:0.77.0" + - "cgr.dev/du-uds-defenseunicorns/kube-state-metrics-fips:2.13.0" - "cgr.dev/du-uds-defenseunicorns/prometheus-alertmanager-fips:0.27.0" - - "cgr.dev/du-uds-defenseunicorns/prometheus-config-reloader-fips:0.74.0" - - "cgr.dev/du-uds-defenseunicorns/prometheus-fips:2.52.0" - - "cgr.dev/du-uds-defenseunicorns/kube-webhook-certgen-fips:1.10.1" + - "cgr.dev/du-uds-defenseunicorns/prometheus-config-reloader-fips:0.77.0" + - "cgr.dev/du-uds-defenseunicorns/prometheus-fips:2.54.1" + - "cgr.dev/du-uds-defenseunicorns/kube-webhook-certgen-fips:1.11.2" diff --git a/src/promtail/chart/templates/uds-package.yaml b/src/promtail/chart/templates/uds-package.yaml index 4875d82ec..98a46eca7 100644 --- a/src/promtail/chart/templates/uds-package.yaml +++ b/src/promtail/chart/templates/uds-package.yaml @@ -14,7 +14,7 @@ spec: network: allow: - direction: Ingress - podSelector: + selector: app.kubernetes.io/name: promtail remoteNamespace: monitoring remoteSelector: @@ -23,17 +23,10 @@ spec: description: "Prometheus Metrics" - direction: Egress - podSelector: + selector: app.kubernetes.io/name: promtail remoteGenerated: KubeAPI - - direction: Egress - remoteNamespace: tempo - remoteSelector: - app.kubernetes.io/name: tempo - port: 9411 - description: "Tempo" - - direction: Egress selector: app.kubernetes.io/name: promtail diff --git a/src/promtail/common/zarf.yaml b/src/promtail/common/zarf.yaml index b3df11848..be2384ee2 100644 --- a/src/promtail/common/zarf.yaml +++ b/src/promtail/common/zarf.yaml 
@@ -14,7 +14,7 @@ components: localPath: ../chart - name: promtail url: https://grafana.github.io/helm-charts/ - version: 6.16.3 + version: 6.16.5 namespace: promtail gitPath: charts/promtail valuesFiles: @@ -26,7 +26,7 @@ components: maxTotalSeconds: 300 wait: cluster: - kind: Packages + kind: packages.uds.dev name: promtail namespace: promtail condition: "'{.status.phase}'=Ready" diff --git a/src/promtail/oscal-component.yaml b/src/promtail/oscal-component.yaml index 012159d33..94635da4e 100644 --- a/src/promtail/oscal-component.yaml +++ b/src/promtail/oscal-component.yaml @@ -4,7 +4,7 @@ component-definition: title: Promtail last-modified: "2024-01-31T16:44:35Z" version: "20240132" - oscal-version: 1.1.1 + oscal-version: 1.1.2 parties: - uuid: f3cf70f8-ba44-4e55-9ea3-389ef24847d3 type: organization @@ -115,7 +115,10 @@ component-definition: - href: "#9bfc68e0-381a-4006-9f68-c293e3b20cee" rel: reference text: Lula Validation - + props: + - name: framework + ns: https://docs.lula.dev/oscal/ns + value: il4 back-matter: resources: - uuid: D552C935-E40C-4A03-B5CC-4605EBD95B6D diff --git a/src/promtail/values/registry1-values.yaml b/src/promtail/values/registry1-values.yaml index 63511bc69..6dec37593 100644 --- a/src/promtail/values/registry1-values.yaml +++ b/src/promtail/values/registry1-values.yaml @@ -1,7 +1,7 @@ image: registry: registry1.dso.mil repository: ironbank/opensource/grafana/promtail - tag: v3.1.0 + tag: v3.1.1 sidecar: configReloader: image: diff --git a/src/promtail/values/unicorn-values.yaml b/src/promtail/values/unicorn-values.yaml index 4f4ac593e..c2248c2a6 100644 --- a/src/promtail/values/unicorn-values.yaml +++ b/src/promtail/values/unicorn-values.yaml @@ -1,10 +1,10 @@ image: registry: cgr.dev repository: du-uds-defenseunicorns/promtail - tag: 3.1.0 + tag: 3.1.1 sidecar: configReloader: image: registry: cgr.dev repository: du-uds-defenseunicorns/configmap-reload-fips - tag: 0.12.0 + tag: 0.13.1 
diff --git a/src/promtail/values/upstream-values.yaml b/src/promtail/values/upstream-values.yaml index 1813158fb..9c9dc6f40 100644 --- a/src/promtail/values/upstream-values.yaml +++ b/src/promtail/values/upstream-values.yaml @@ -1,7 +1,7 @@ image: registry: docker.io repository: grafana/promtail - tag: 3.1.0 + tag: 3.1.1 sidecar: configReloader: image: diff --git a/src/promtail/zarf.yaml b/src/promtail/zarf.yaml index e1310ed58..69354c754 100644 --- a/src/promtail/zarf.yaml +++ b/src/promtail/zarf.yaml @@ -18,7 +18,7 @@ components: - values/upstream-values.yaml images: - ghcr.io/jimmidyson/configmap-reload:v0.13.1 - - docker.io/grafana/promtail:3.1.0 + - docker.io/grafana/promtail:3.1.1 - name: promtail required: true @@ -33,7 +33,7 @@ components: - values/registry1-values.yaml images: - registry1.dso.mil/ironbank/opensource/jimmidyson/configmap-reload:v0.13.1 - - registry1.dso.mil/ironbank/opensource/grafana/promtail:v3.1.0 + - registry1.dso.mil/ironbank/opensource/grafana/promtail:v3.1.1 - name: promtail required: true @@ -47,5 +47,5 @@ components: valuesFiles: - values/unicorn-values.yaml images: - - cgr.dev/du-uds-defenseunicorns/configmap-reload-fips:0.12.0 - - cgr.dev/du-uds-defenseunicorns/promtail:3.1.0 + - cgr.dev/du-uds-defenseunicorns/configmap-reload-fips:0.13.1 + - cgr.dev/du-uds-defenseunicorns/promtail:3.1.1 diff --git a/src/runtime/README.md b/src/runtime/README.md new file mode 100644 index 000000000..b97b73ec7 --- /dev/null +++ b/src/runtime/README.md @@ -0,0 +1,3 @@ +## UDS Runtime + +Documentation and code for UDS Runtime can be viewed on the [UDS Runtime Repository](https://github.com/defenseunicorns/uds-runtime). diff --git a/src/runtime/tasks.yaml b/src/runtime/tasks.yaml new file mode 100644 index 000000000..75208bc81 --- /dev/null +++ b/src/runtime/tasks.yaml 
@@ -0,0 +1,32 @@ +tasks: + - name: validate + actions: + - description: Validate Runtime Pod + wait: + cluster: + kind: Pod + name: app=uds-runtime + condition: Ready + namespace: uds-runtime + - description: Validate Runtime Interface + wait: + network: + protocol: https + address: runtime.admin.uds.dev + code: 200 + - description: Verify Runtime is protected by checking redirect + maxRetries: 3 + cmd: | + set -e + SSO_REDIRECT=$(uds zarf tools kubectl run curl-test --image=cgr.dev/chainguard/curl:latest -q --restart=Never --rm -i -- -Ls -o /dev/null -w %{url_effective} "https://runtime.admin.uds.dev") + case "${SSO_REDIRECT}" in + "https://sso.uds.dev"*) + echo "Protected by authservice" + ;; + *) + # Fallback option if the condition is false + echo "Runtime is not protected by authservice" + echo $SSO_REDIRECT + exit 1 + ;; + esac diff --git a/src/runtime/zarf.yaml b/src/runtime/zarf.yaml new file mode 100644 index 000000000..aff8c3883 --- /dev/null +++ b/src/runtime/zarf.yaml @@ -0,0 +1,28 @@ +kind: ZarfPackageConfig +metadata: + name: uds-core-runtime + description: "UDS Core Runtime" + url: "https://github.com/defenseunicorns/uds-runtime" + +components: + - name: uds-runtime + required: false + images: + - ghcr.io/defenseunicorns/uds-runtime:0.4.0 + charts: + - name: uds-runtime + namespace: uds-runtime + version: "v0.4.0" + url: https://github.com/defenseunicorns/uds-runtime.git + gitPath: chart + actions: + onDeploy: + after: + - description: Validate Runtime Package + maxTotalSeconds: 300 + wait: + cluster: + kind: packages.uds.dev + name: uds-runtime + namespace: uds-runtime + condition: "'{.status.phase}'=Ready" diff --git a/src/test/tasks.yaml b/src/test/tasks.yaml index 385728f6a..905791c46 100644 --- a/src/test/tasks.yaml +++ b/src/test/tasks.yaml 
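Review bot: The `Verify Runtime is protected by checking redirect` action in src/runtime/tasks.yaml runs `cgr.dev/chainguard/curl:latest`, a floating tag, so the validation depends on an external registry and on whatever that tag points to on the day; pin a version tag or digest the way every other image in this commit is pinned. The case pattern `"https://sso.uds.dev"*` is a prefix match, so a redirect to any host that merely begins with `sso.uds.dev` would also count as protected; `"https://sso.uds.dev/"*` pins the host. `echo $SSO_REDIRECT` should be `echo "${SSO_REDIRECT}"` to match the quoting on the case line. The `kubectl run` has no `-n`, so the probe pod lands in whatever namespace the kube context defaults to, which is worth making explicit since the pod's network policy context decides whether the request even leaves the cluster.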
@@ -15,6 +15,14 @@ tasks: name: httpbin namespace: test-admin-app + - description: Verify admin package CR is ready + wait: + cluster: + kind: Package + name: httpbin + namespace: test-admin-app + condition: "'{.status.phase}'=Ready" + - description: Wait for the tenant app to be ready wait: cluster: @@ -22,6 +30,14 @@ tasks: name: http-echo-multi-port namespace: test-tenant-app + - description: Verify tenant package CR is ready + wait: + cluster: + kind: Package + name: test-tenant-app + namespace: test-tenant-app + condition: "'{.status.phase}'=Ready" + - description: Verify the admin app is accessible wait: network: @@ -57,6 +73,14 @@ tasks: address: demo-8081.uds.dev code: 200 + - description: Verify authservice app package CR is ready + wait: + cluster: + kind: Package + name: httpbin-other + namespace: authservice-test-app + condition: "'{.status.phase}'=Ready" + - description: Verify the authservice tenant app is accessible wait: network: diff --git a/src/velero/README.md b/src/velero/README.md index a24c25567..534761d6a 100644 --- a/src/velero/README.md +++ b/src/velero/README.md @@ -8,9 +8,9 @@ https://velero.io/ - k3d installed on machine -#### Object Storage +#### S3 Compatible Object Storage -S3 compatible object storage must be available in order to use this package. Bucket information and access credentials can be provided via configuration values / env vars: +Bucket information and access credentials can be provided via configuration values / env vars: - Bucket ID: `ZARF_VAR_VELERO_BUCKET` - Bucket Region: `ZARF_VAR_VELERO_BUCKET_REGION` 
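Review bot: The three new package-readiness waits in src/test/tasks.yaml use `kind: Package`, while this same commit changes the equivalent waits in src/prometheus-stack/common/zarf.yaml and src/promtail/common/zarf.yaml from `kind: Packages` to the fully qualified `kind: packages.uds.dev`. If that rename was made to disambiguate the UDS Package kind from another API group, the new waits here inherit the ambiguity and should use the same form, `kind: packages.uds.dev`; if it was not, the two spellings should still be unified so a later reader does not wonder which one is correct. This applies equally to the @@ -22 and @@ -57 hunks of the same file. The enclosing task's action list starts before this hunk.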
@@ -44,8 +44,34 @@ By overriding the velero values in the bundle as follows: value: "velero-bucket-credentials" ``` -## Plugin Compatability -This package currently assumes the availability of S3 API compatible object storage. As such, only the AWS specific plugin image is included. More information about all available plugins [can be found in the upstream docs](https://velero.io/plugins/). Ironbank includes images for Azure and the generic CSI driver, but those are currently excluded from this package. We may revisit package defaults at some point in the future depending on usage and user requests. +#### Azure Blob Storage + +Blob information and access credentials can be provided by overriding bundle values: +``` + - name: core + overrides: + velero: + velero: + values: + - path: credentials.secretContents.cloud + value: | + AZURE_STORAGE_ACCOUNT_ACCESS_KEY=${VELERO_STORAGE_ACCOUNT_ACCESS_KEY} + AZURE_CLOUD_NAME=${VELERO_CLOUD_NAME} + - path: configuration.backupStorageLocation + value: + - name: default + provider: azure + bucket: ${VERLERO_BUCKET_NAME} + config: + storageAccount:${VELERO_STORAGE_ACCOUNT} + resourceGroup:${VELERO_RESOURCE_GROUP} + storageAccountKeyEnvVar:VELERO_STORAGE_ACCOUNT_ACCESS_KEY + subscriptionId:${AZ_SUBSCRIPTION_ID} +``` + +## Plugin Compatibility + +This package currently assumes the availability of S3 API compatible object storage, Azure blob storage or use of the CSI plugin which is baked into Velero by default. More information about all available plugins can be found in the upstream docs**[can be found in the upstream docs](https://velero.io/plugins/). ## Deploy 
@@ -64,18 +90,23 @@ UDS_PKG=velero uds run deploy-single-package ### Test the package via UDS tasks Running the following will check that the velero deployment exists in the cluster and attempt to execute a backup: + ```bash uds run -f src/velero/tasks.yaml validate ``` + > Alternatively, you can combine package creation, cluster setup, package deploy and the test command with a simple `UDS_PKG=velero uds run test-single-package` ## Manually trigger the default backup for testing purposes -``` + +```bash velero backup create --from-schedule velero-udsbackup -n velero ``` + > NOTE: requires [the velero CLI](https://velero.io/docs/v1.3.0/velero-install/) Alternatively, manually create a `backup` object with `kubectl`: + ```bash uds zarf tools kubectl apply -f - <<-EOF apiVersion: velero.io/v1 @@ -99,6 +130,7 @@ EOF ``` ## Manually restore backup + ```bash velero restore create uds-restore-$(date +%s) \ --from-backup \ @@ -113,4 +145,4 @@ velero restore create uds-restore-$(date +%s) \ > [!NOTE] > Additional configuration will be required to get CSI backed PVCs to be snapshotted > as noted in the [Velero documentation](https://velero.io/docs/main/csi/#prerequisites) - VolumeSnapshotLocation, VolumeSnapshotClass, etc. -> as well as switching `snapshotVolume` to `true` in the backup config. \ No newline at end of file +> as well as switching `snapshotVolume` to `true` in the backup config. diff --git a/src/velero/chart/templates/uds-package.yaml b/src/velero/chart/templates/uds-package.yaml index f483aa28f..0326a863e 100644 --- a/src/velero/chart/templates/uds-package.yaml +++ b/src/velero/chart/templates/uds-package.yaml 
@@ -6,14 +6,22 @@ metadata: spec: network: allow: - # Todo: wide open for now for pushing to s3 + # Egress for S3 connections - direction: Egress - podLabels: + selector: app.kubernetes.io/name: velero + description: Storage + {{- if .Values.storage.internal.enabled }} + remoteSelector: {{ .Values.storage.internal.remoteSelector }} + remoteNamespace: {{ .Values.storage.internal.remoteNamespace }} + {{- else if .Values.storage.egressCidr }} + remoteCidr: {{ .Values.storage.egressCidr }} + {{- else }} remoteGenerated: Anywhere + {{- end }} - direction: Egress - podLabels: + selector: batch.kubernetes.io/job-name: "velero-upgrade-crds" remoteGenerated: KubeAPI diff --git a/src/velero/chart/values.yaml b/src/velero/chart/values.yaml index e69de29bb..fbb557b5a 100644 --- a/src/velero/chart/values.yaml +++ b/src/velero/chart/values.yaml @@ -0,0 +1,6 @@ +storage: + internal: + enabled: false + remoteSelector: {} + remoteNamespace: "" + egressCidr: "" diff --git a/src/velero/common/zarf.yaml b/src/velero/common/zarf.yaml index 6cb1f8951..398d902cc 100644 --- a/src/velero/common/zarf.yaml +++ b/src/velero/common/zarf.yaml @@ -37,7 +37,7 @@ components: - name: velero namespace: velero url: https://vmware-tanzu.github.io/helm-charts - version: 6.6.0 + version: 7.2.1 repoName: velero releaseName: velero valuesFiles: diff --git a/src/velero/oscal-component.yaml b/src/velero/oscal-component.yaml index 5aee4da8f..b98db8364 100644 --- a/src/velero/oscal-component.yaml +++ b/src/velero/oscal-component.yaml @@ -2,9 +2,9 @@ component-definition: uuid: D73CF4E6-D893-4BDE-A195-C4DE782DF63B metadata: title: Velero Component - last-modified: '2022-04-08T12:00:00Z' + last-modified: "2022-04-08T12:00:00Z" version: "20220408" - oscal-version: 1.1.1 + oscal-version: 1.1.2 parties: # Should be consistent across all of the packages, but where is ground truth? - uuid: 72134592-08C2-4A77-8BAD-C880F109367A 
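Review bot: `remoteSelector: {{ .Values.storage.internal.remoteSelector }}` in the new internal-storage branch of src/velero/chart/templates/uds-package.yaml renders the map with Go's default formatting (a constructed one-key example would come out as `map[app: minio]`), not as YAML, so the branch produces an invalid selector whenever `storage.internal.enabled` is true; it needs `remoteSelector: {{- toYaml .Values.storage.internal.remoteSelector | nindent <item-indent> }}` with the indent matching the list item. The two scalars in the same branches should be quoted (`remoteNamespace: {{ .Values.storage.internal.remoteNamespace | quote }}`, `remoteCidr: {{ .Values.storage.egressCidr | quote }}`) so an empty value does not render as null. The deleted `Todo: wide open for now` comment described a default that is still in effect: with the new chart values (`internal.enabled: false`, `egressCidr: ""`) the rule falls through to `remoteGenerated: Anywhere`, so the replacement comment `Egress for S3 connections` should say that unrestricted egress is the default unless one of the two storage values is set.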
@@ -26,87 +26,90 @@ component-definition: - 72134592-08C2-4A77-8BAD-C880F109367A # matches parties entry for p1 control-implementations: - uuid: 5108E5FC-C45F-477B-8542-9C5611A92485 - source: https://raw.githubusercontent.com/usnistgov/oscal-content/master/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_catalog.json - description: - Controls implemented by velero for inheritance by applications + source: https://raw.githubusercontent.com/GSA/fedramp-automation/93ca0e20ff5e54fc04140613476fba80f08e3c7d/dist/content/rev5/baselines/json/FedRAMP_rev5_HIGH-baseline-resolved-profile_catalog.json + description: Controls implemented by velero for inheritance by applications implemented-requirements: - uuid: 2ADA7512-E0D5-4CAE-81BC-C889C640AF93 control-id: cp-6 description: >- - Velero can take backups of your application configuration/data and store them off-site in either an approved cloud environment or on-premise location. + Velero can take backups of your application configuration/data and store them off-site in either an approved cloud environment or on-premise location. - uuid: 6C3339A0-9636-4E35-8FA8-731CF900B326 control-id: "cp-6.1" description: >- - Velero can take backups of your application configuration/data and store them off-site in either an approved cloud environment or on-premise location. + Velero can take backups of your application configuration/data and store them off-site in either an approved cloud environment or on-premise location. - uuid: 2799CCBF-C48D-4451-85BA-EBD9B949C361 control-id: cp-6.2 description: >- - Velero can restore application configuration/data from an approved cloud provider or on-premise location on-demand. + Velero can restore application configuration/data from an approved cloud provider or on-premise location on-demand. 
- uuid: 0AE59B43-50A7-4420-881B-E0635CCB8424 control-id: cp-6.3 description: >- - Velero supports back-ups to multiple cloud environments (including geo-separated locations for high availibility) and on-premise environments in the event of an accessibility disruptions. + Velero supports back-ups to multiple cloud environments (including geo-separated locations for high availability) and on-premise environments in the event of an accessibility disruptions. - uuid: B11B38B8-8744-4DFD-8C1A-4A4EDD7F9574 control-id: cp-7 description: >- - Velero can restore application configuration/data from an approved cloud provider or on-premise location to an alternative deployment environment on-demand. + Velero can restore application configuration/data from an approved cloud provider or on-premise location to an alternative deployment environment on-demand. - uuid: D74C3A8C-E5B0-4F81-895D-FB2A318D723B control-id: cp-7.1 description: >- - Velero supports back-ups to and restores from multiple cloud environments (including geo-separated locations for high availibility) and on-premise environments in the event of an accessibility disruptions. + Velero supports back-ups to and restores from multiple cloud environments (including geo-separated locations for high availability) and on-premise environments in the event of an accessibility disruptions. - uuid: 72D7145F-7A3F-47AF-835F-7E3D6EFAE1CC control-id: cp-7.2 description: >- - Velero supports back-ups to and restores from multiple cloud environments (including geo-separated locations for high availibility) and on-premise environments in the event of an accessibility disruptions. + Velero supports back-ups to and restores from multiple cloud environments (including geo-separated locations for high availability) and on-premise environments in the event of an accessibility disruptions. 
- uuid: 5B0AA4CB-9C49-4D32-8242-5631788BD941 control-id: cp-9 description: >- - "Velero gives you tools to back up and restore your Kubernetes cluster resources and persistent volumes. You can run Velero with a cloud provider or on-premises. This includes: - - System components/data. - - User-level information/application metadata. - - User-level storage/data. - - Scheduled back-ups with configurable scopes. - - Multi-cloud and on-premise support for availability of backup." + "Velero gives you tools to back up and restore your Kubernetes cluster resources and persistent volumes. You can run Velero with a cloud provider or on-premises. This includes: + - System components/data. + - User-level information/application metadata. + - User-level storage/data. + - Scheduled back-ups with configurable scopes. + - Multi-cloud and on-premise support for availability of backup." - uuid: 8E5917F3-3E45-46C1-8585-48550E19AFFB control-id: cp-9.1 description: >- - Velero provides feedback/logging of back-up status for configuration/data via kubectl or the Velero CLI tool. - Velero can restore your production configuration/data to validation environment to ensure reliability/integrity. + Velero provides feedback/logging of back-up status for configuration/data via kubectl or the Velero CLI tool. + Velero can restore your production configuration/data to validation environment to ensure reliability/integrity. - uuid: 51191D0E-0C7B-4D2D-861D-202AC8C505CF control-id: cp-9.2 description: >- - Velero can be configured to restore only certain components of a back-up when necessary. + Velero can be configured to restore only certain components of a back-up when necessary. - uuid: C650411C-33FD-4B59-8899-AC34B43C860F control-id: cp-9.3 description: >- - Velero supports back-ups to multiple cloud environments (including geo-separated locations for high availibility) and on-premise environments. 
+ Velero supports back-ups to multiple cloud environments (including geo-separated locations for high availability) and on-premise environments. - uuid: 8AB09B17-301B-4836-835B-9CE22A9E2300 control-id: cp-9.5 description: >- - Velero gives you tools to back up and restore your Kubernetes cluster resources and persistent volumes. You can run Velero with a cloud provider or on-premises. This includes: - - System components/data. - - User-level information/application metadata. - - User-level storage/data. - - Scheduled back-ups with configurable scopes. - - Multi-cloud and on-premise support for availability of backup. + Velero gives you tools to back up and restore your Kubernetes cluster resources and persistent volumes. You can run Velero with a cloud provider or on-premises. This includes: + - System components/data. + - User-level information/application metadata. + - User-level storage/data. + - Scheduled back-ups with configurable scopes. + - Multi-cloud and on-premise support for availability of backup. - uuid: 7FACB782-C183-4585-8C0B-17824438FEA6 control-id: cp-9.8 description: >- - Velero supports encryption of backups via its supported providers' encryption support/mechanisms. + Velero supports encryption of backups via its supported providers' encryption support/mechanisms. - uuid: 26B3D98B-0C9D-434B-8DE5-06CBBC46A38C control-id: cp-10 description: >- - Velero can restore application configuration/data from an approved cloud provider or on-premise location on-demand. + Velero can restore application configuration/data from an approved cloud provider or on-premise location on-demand. - uuid: 3EA444B7-61ED-43DD-8B3D-24B55F286E59 control-id: cp-10.4 description: >- - Velero gives you tools to back up and restore your Kubernetes cluster resources and persistent volumes. You can run Velero with a cloud provider or on-premises. This includes: - - System components/data. - - User-level information/application metadata. - - User-level storage/data. 
- - Scheduled back-ups with configurable scopes. - - Multi-cloud and on-premise support for availability of backup. + Velero gives you tools to back up and restore your Kubernetes cluster resources and persistent volumes. You can run Velero with a cloud provider or on-premises. This includes: + - System components/data. + - User-level information/application metadata. + - User-level storage/data. + - Scheduled back-ups with configurable scopes. + - Multi-cloud and on-premise support for availability of backup. + props: + - name: framework + ns: https://docs.lula.dev/oscal/ns + value: il4 back-matter: resources: - uuid: DDC5B579-87DE-41FE-8D87-B4422A7F0A98 diff --git a/src/velero/tasks.yaml b/src/velero/tasks.yaml index 80a20187c..1c129338b 100644 --- a/src/velero/tasks.yaml +++ b/src/velero/tasks.yaml @@ -20,7 +20,7 @@ tasks: mute: true setVariables: - name: BACKUP_NAME - - description: "creates a velero backup object (equivilent of `velero backup create --from-schedule ...`)" + - description: "creates a velero backup object (equivalent of `velero backup create --from-schedule ...`)" cmd: |- uds zarf tools kubectl apply -f - <<-EOF apiVersion: velero.io/v1 diff --git a/src/velero/values/registry1-values.yaml b/src/velero/values/registry1-values.yaml index a49cd91cf..a77d3af58 100644 --- a/src/velero/values/registry1-values.yaml +++ b/src/velero/values/registry1-values.yaml @@ -1,6 +1,6 @@ image: repository: registry1.dso.mil/ironbank/opensource/velero/velero - tag: v1.13.2 + tag: v1.14.1 kubectl: image: 
@@ -9,13 +9,13 @@ kubectl: initContainers: - name: velero-plugin-for-aws - image: registry1.dso.mil/ironbank/opensource/velero/velero-plugin-for-aws:v1.9.2 + image: registry1.dso.mil/ironbank/opensource/velero/velero-plugin-for-aws:v1.10.1 imagePullPolicy: IfNotPresent volumeMounts: - mountPath: /target name: plugins - - name: velero-plugin-for-csi - image: registry1.dso.mil/ironbank/opensource/velero/velero-plugin-for-csi:v0.7.1 + - name: velero-plugin-for-azure + image: registry1.dso.mil/ironbank/opensource/velero/velero-plugin-for-microsoft-azure:v1.10.1 imagePullPolicy: IfNotPresent volumeMounts: - mountPath: /target diff --git a/src/velero/values/unicorn-values.yaml b/src/velero/values/unicorn-values.yaml index c5eb19b14..9f78c90db 100644 --- a/src/velero/values/unicorn-values.yaml +++ b/src/velero/values/unicorn-values.yaml @@ -1,21 +1,21 @@ image: repository: cgr.dev/du-uds-defenseunicorns/velero-fips - tag: 1.13.2-dev + tag: 1.14.1-dev kubectl: image: repository: cgr.dev/du-uds-defenseunicorns/kubectl-fips - tag: 1.29.5-dev + tag: 1.31.1-dev initContainers: - name: velero-plugin-for-aws - image: cgr.dev/du-uds-defenseunicorns/velero-plugin-for-aws-fips:1.9.2 + image: cgr.dev/du-uds-defenseunicorns/velero-plugin-for-aws-fips:1.10.1 imagePullPolicy: IfNotPresent volumeMounts: - mountPath: /target name: plugins - - name: velero-plugin-for-csi - image: cgr.dev/du-uds-defenseunicorns/velero-plugin-for-csi-fips:0.7.1 + - name: velero-plugin-for-azure + image: velero/velero-plugin-for-microsoft-azure:v1.10.1 imagePullPolicy: IfNotPresent volumeMounts: - mountPath: /target diff --git a/src/velero/values/upstream-values.yaml b/src/velero/values/upstream-values.yaml index 7bb3d6c0b..765de705c 100644 --- a/src/velero/values/upstream-values.yaml +++ b/src/velero/values/upstream-values.yaml 
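Review bot: In src/velero/values/unicorn-values.yaml the new `velero-plugin-for-azure` init container uses `velero/velero-plugin-for-microsoft-azure:v1.10.1`, an unqualified Docker Hub reference, while every other image in the file is a `cgr.dev/du-uds-defenseunicorns/*-fips` build; this puts a non-FIPS upstream image into the FIPS flavor and makes it the only image in the flavor with an implicit registry. If no cgr.dev build of the plugin exists yet, at minimum write the registry explicitly, `image: docker.io/velero/velero-plugin-for-microsoft-azure:v1.10.1`, and add a comment recording the exception so it is revisited; the same reference is in the unicorn image list of src/velero/zarf.yaml (@@ -48 hunk). The registry1 hunk above is consistent (its Azure plugin is an ironbank image), so only the unicorn flavor is affected. The init container's `volumeMounts` continue outside the hunk.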
@@ -1,21 +1,21 @@ image: repository: velero/velero - tag: v1.13.2 + tag: v1.14.1 kubectl: image: repository: docker.io/bitnami/kubectl - tag: 1.30.2 + tag: 1.31.1 initContainers: - name: velero-plugin-for-aws - image: velero/velero-plugin-for-aws:v1.9.2 + image: velero/velero-plugin-for-aws:v1.10.1 imagePullPolicy: IfNotPresent volumeMounts: - mountPath: /target name: plugins - - name: velero-plugin-for-csi - image: velero/velero-plugin-for-csi:v0.7.1 + - name: velero-plugin-for-azure + image: velero/velero-plugin-for-microsoft-azure:v1.10.1 imagePullPolicy: IfNotPresent volumeMounts: - mountPath: /target diff --git a/src/velero/zarf.yaml b/src/velero/zarf.yaml index 694179415..e3a809c83 100644 --- a/src/velero/zarf.yaml +++ b/src/velero/zarf.yaml @@ -16,10 +16,10 @@ components: valuesFiles: - values/upstream-values.yaml images: - - velero/velero:v1.13.2 - - velero/velero-plugin-for-aws:v1.9.2 - - docker.io/bitnami/kubectl:1.30.2 - - velero/velero-plugin-for-csi:v0.7.1 + - velero/velero:v1.14.1 + - velero/velero-plugin-for-aws:v1.10.1 + - docker.io/bitnami/kubectl:1.31.1 + - velero/velero-plugin-for-microsoft-azure:v1.10.1 - name: velero required: true @@ -32,10 +32,10 @@ components: valuesFiles: - values/registry1-values.yaml images: - - registry1.dso.mil/ironbank/opensource/velero/velero:v1.13.2 - - registry1.dso.mil/ironbank/opensource/velero/velero-plugin-for-aws:v1.9.2 - - registry1.dso.mil/ironbank/opensource/velero/velero-plugin-for-csi:v0.7.1 + - registry1.dso.mil/ironbank/opensource/velero/velero:v1.14.1 + - registry1.dso.mil/ironbank/opensource/velero/velero-plugin-for-aws:v1.10.1 - registry1.dso.mil/ironbank/big-bang/base:2.1.0 + - registry1.dso.mil/ironbank/opensource/velero/velero-plugin-for-microsoft-azure:v1.10.1 - name: velero required: true 
@@ -48,7 +48,7 @@ components: valuesFiles: - values/unicorn-values.yaml images: - - cgr.dev/du-uds-defenseunicorns/velero-fips:1.13.2-dev - - cgr.dev/du-uds-defenseunicorns/velero-plugin-for-aws-fips:1.9.2 - - cgr.dev/du-uds-defenseunicorns/velero-plugin-for-csi-fips:0.7.1 - - cgr.dev/du-uds-defenseunicorns/kubectl-fips:1.29.5-dev + - cgr.dev/du-uds-defenseunicorns/velero-fips:1.14.1-dev + - cgr.dev/du-uds-defenseunicorns/velero-plugin-for-aws-fips:1.10.1 + - cgr.dev/du-uds-defenseunicorns/kubectl-fips:1.31.1-dev + - velero/velero-plugin-for-microsoft-azure:v1.10.1 diff --git a/tasks.yaml b/tasks.yaml index 75ee60243..0ee6c3e46 100644 --- a/tasks.yaml +++ b/tasks.yaml @@ -4,9 +4,6 @@ variables: - name: PKG - - name: K3D_IMAGE - default: "rancher/k3s:v1.29.5-k3s1" - includes: - create: ./tasks/create.yaml - setup: ./tasks/setup.yaml @@ -105,11 +102,29 @@ tasks: actions: - task: test:uds-core + - name: test-uds-core-ha + description: "Build and test UDS Core" + actions: + - cmd: docker stop my-postgres && docker rm my-postgres || true + - cmd: docker network create k3d-uds || true + - cmd: docker run -p 5432:5432 --network=k3d-uds --name my-postgres -e POSTGRES_DB=keycloak -e POSTGRES_USER=keycloak -e POSTGRES_PASSWORD=password -d postgres + - task: test:uds-core-ha + - name: test-uds-core-upgrade description: "Test an upgrade from the latest released UDS Core package to current branch" actions: - task: test:uds-core-upgrade + - name: test-compliance-validate + description: "Validate Compliance of UDS Core to produce Assessment Results" + actions: + - task: test:compliance-validate + + - name: test-compliance-evaluate + description: "Evaluate Compliance of UDS Core against an established threshold" + actions: + - task: test:compliance-evaluate + - name: lint-check description: "Run linting checks" actions: @@ -119,3 +134,7 @@ tasks: description: "Fix linting issues" actions: - task: lint:fix + + - name: lint-oscal + actions: + - task: lint:oscal 
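Review bot: The Postgres fixture in the new `test-uds-core-ha` task is published on every host interface with `-p 5432:5432` while it runs with a fixed trivial password and an unpinned `postgres` tag, and the only consumer named here is on the `k3d-uds` network, which presumably already makes it reachable from the k3d cluster. Dropping the port mapping (or binding it as `-p 127.0.0.1:5432:5432` if host access is needed) and pinning the image, e.g. `docker run --network=k3d-uds --name my-postgres -e POSTGRES_DB=keycloak -e POSTGRES_USER=keycloak -e POSTGRES_PASSWORD=password -d postgres:<MAJOR_VERSION_PLACEHOLDER>`, keeps the fixture off the host network and reproducible. The `description` of `test-uds-core-ha` repeats the non-HA task's "Build and test UDS Core" verbatim, so the two are indistinguishable in a task listing; `description: "Build and test UDS Core in HA mode"` would fix that, and the same duplicated description appears in the `uds-core-ha` task of `tasks/test.yaml`. The new `lint-oscal` task in the last hunk of this file is the only task here without a `description`.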
diff --git a/tasks/create.yaml b/tasks/create.yaml index 93e8f198a..3520ecffe 100644 --- a/tasks/create.yaml +++ b/tasks/create.yaml @@ -1,5 +1,5 @@ includes: - - common: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.7.1/tasks/create.yaml + - common: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.13.0/tasks/create.yaml variables: - name: FLAVOR @@ -7,7 +7,7 @@ variables: - name: REGISTRY1_PEPR_IMAGE # renovate: datasource=docker depName=registry1.dso.mil/ironbank/opensource/defenseunicorns/pepr/controller versioning=semver - default: registry1.dso.mil/ironbank/opensource/defenseunicorns/pepr/controller:v0.32.6 + default: registry1.dso.mil/ironbank/opensource/defenseunicorns/pepr/controller:v0.36.0 tasks: - name: standard-package @@ -44,7 +44,7 @@ tasks: - task: pepr-build - description: "Create the Pepr Zarf Package, if it exists" - cmd: "uds zarf package create dist --confirm --no-progress" + cmd: "uds zarf package create src/pepr --confirm --no-progress" - description: "Create the requested Zarf Package (must set UDS_PKG environment variable)" cmd: "uds zarf package create src/${UDS_PKG} --confirm --no-progress --flavor ${FLAVOR}" @@ -60,7 +60,14 @@ tasks: actions: - description: "Build the UDS Core Pepr Module" cmd: | - CUSTOM_PEPR_IMAGE=$( [ "${FLAVOR}" = "registry1" ] && echo "--custom-image ${REGISTRY1_PEPR_IMAGE}" ) || CUSTOM_PEPR_IMAGE="" + if [ -n "${PEPR_CUSTOM_IMAGE}" ] ; then + # e.g. PEPR_CUSTOM_IMAGE="pepr:dev uds run slim-dev" + PEPR_OVERRIDE_IMAGE="--custom-image ${PEPR_CUSTOM_IMAGE}" + elif [ "${FLAVOR}" = "registry1" ] ; then + PEPR_OVERRIDE_IMAGE="--custom-image ${REGISTRY1_PEPR_IMAGE}" + else + PEPR_OVERRIDE_IMAGE="" + fi rm -fr dist npm ci - npx pepr build $CUSTOM_PEPR_IMAGE + npx pepr build -z chart $PEPR_OVERRIDE_IMAGE diff --git a/tasks/deploy.yaml b/tasks/deploy.yaml index 258001554..cf2c0cd34 100644 --- a/tasks/deploy.yaml +++ b/tasks/deploy.yaml 
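Review bot: The example comment in the new `PEPR_CUSTOM_IMAGE` branch, `# e.g. PEPR_CUSTOM_IMAGE="pepr:dev uds run slim-dev"`, quotes the whole command as the variable's value, so a reader copying it would pass `pepr:dev uds run slim-dev` to `--custom-image`; `# e.g. PEPR_CUSTOM_IMAGE=pepr:dev uds run slim-dev` shows the intended invocation. `PEPR_CUSTOM_IMAGE` is read from the environment without appearing in this file's `variables:` list (at least in the visible hunks), so declaring it there with a `description` alongside `REGISTRY1_PEPR_IMAGE` would make the override discoverable. Because the value is expanded unquoted in `npx pepr build -z chart $PEPR_OVERRIDE_IMAGE`, any whitespace in the supplied image string becomes extra arguments to `pepr build`; the snippet relies on that split for `--custom-image <image>`, but it is worth a comment so nobody "fixes" the quoting later.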
@@ -5,7 +5,7 @@ variables: - name: VERSION description: "The version of the packages to deploy" # x-release-please-start-version - default: "0.23.0" + default: "0.27.3" # x-release-please-end - name: FLAVOR default: upstream @@ -14,12 +14,19 @@ tasks: - name: k3d-standard-bundle actions: - description: "Deploy the UDS Core Standard Bundle" - cmd: uds deploy bundles/k3d-standard/uds-bundle-k3d-core-demo-${UDS_ARCH}-${VERSION}.tar.zst --set=uds-k3d-dev.K3D_IMAGE=${K3D_IMAGE} --confirm --no-progress + cmd: uds deploy bundles/k3d-standard/uds-bundle-k3d-core-demo-${UDS_ARCH}-${VERSION}.tar.zst --confirm --no-progress + + - name: k3d-standard-bundle-ha + actions: + - description: "Deploy the UDS Core Standard Bundle" + cmd: uds deploy bundles/k3d-standard/uds-bundle-k3d-core-demo-${UDS_ARCH}-${VERSION}.tar.zst --confirm --no-progress + env: + - UDS_CONFIG=bundles/k3d-standard/uds-ha-config.yaml - name: k3d-slim-dev-bundle actions: - description: "Deploy the UDS Core Slim Dev Only Bundle" - cmd: uds deploy bundles/k3d-slim-dev/uds-bundle-k3d-core-slim-dev-${UDS_ARCH}-${VERSION}.tar.zst --set=uds-k3d-dev.K3D_IMAGE=${K3D_IMAGE} --confirm --no-progress + cmd: uds deploy bundles/k3d-slim-dev/uds-bundle-k3d-core-slim-dev-${UDS_ARCH}-${VERSION}.tar.zst --confirm --no-progress - name: single-package actions: @@ -30,8 +37,7 @@ tasks: fi - description: "Deploy the Pepr Module" cmd: | - PEPR_VERSION=$(npm pkg get version | tr -d '"') - uds zarf package deploy build/zarf-package-pepr-uds-core-${UDS_ARCH}-${PEPR_VERSION}.tar.zst --confirm --no-progress --set UDS_SINGLE_TEST=true + uds zarf package deploy build/zarf-package-pepr-uds-core-${UDS_ARCH}.tar.zst --confirm --no-progress --set UDS_SINGLE_TEST=true --set PEPR_SERVICE_MONITORS=false - description: "Deploy the requested Zarf Package (must set UDS_PKG environment variable)" cmd: uds zarf package deploy build/zarf-package-uds-core-${UDS_PKG}-${UDS_ARCH}.tar.zst --confirm --no-progress --components '*' 
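Review bot: The new `k3d-standard-bundle-ha` task reuses the description "Deploy the UDS Core Standard Bundle" verbatim from `k3d-standard-bundle`, so the two are indistinguishable in a task listing even though the HA one sets `UDS_CONFIG=bundles/k3d-standard/uds-ha-config.yaml`; `description: "Deploy the UDS Core Standard Bundle with the HA config (uds-ha-config.yaml)"` would make the difference visible. The `uds deploy` command line is otherwise duplicated character for character, so a later flag change to one task is likely to miss the other; a comment on the HA task pointing back to the non-HA one (`# keep in sync with k3d-standard-bundle above`) is the minimum, and folding both into one task driven by a variable is the cleaner option.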
diff --git a/tasks/iac.yaml b/tasks/iac.yaml index 8a49e2df7..a5d4b8f74 100644 --- a/tasks/iac.yaml +++ b/tasks/iac.yaml @@ -13,7 +13,7 @@ tasks: - name: install-eksctl actions: - cmd: | - curl --silent --location "https://github.com/weaveworks/eksctl/releases/download/v0.183.0/eksctl_Linux_amd64.tar.gz" | tar xz -C /tmp + curl --silent --location "https://github.com/weaveworks/eksctl/releases/download/v0.190.0/eksctl_Linux_amd64.tar.gz" | tar xz -C /tmp sudo mv /tmp/eksctl /usr/local/bin - name: create-cluster @@ -26,7 +26,7 @@ tasks: metadata: name: ${CLUSTER_NAME} region: us-west-2 - version: "1.27" + version: "1.30" tags: PermissionsBoundary: ${PERMISSIONS_BOUNDARY_NAME} @@ -36,15 +36,18 @@ tasks: addons: - name: aws-ebs-csi-driver - version: v1.25.0-eksbuild.1 - attachPolicyARNs: - arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy + configurationValues: |- + defaultStorageClass: + enabled: true permissionsBoundary: ${PERMISSIONS_BOUNDARY_ARN} tags: PermissionsBoundary: ${PERMISSIONS_BOUNDARY_NAME} - name: vpc-cni + attachPolicyARNs: + - arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy permissionsBoundary: ${PERMISSIONS_BOUNDARY_ARN} tags: PermissionsBoundary: ${PERMISSIONS_BOUNDARY_NAME} @@ -58,11 +61,13 @@ tasks: PermissionsBoundary: ${PERMISSIONS_BOUNDARY_NAME} iam: instanceRolePermissionsBoundary: ${PERMISSIONS_BOUNDARY_ARN} - ami: ${AMI_ID} - amiFamily: AmazonLinux2 - overrideBootstrapCommand: | - #!/bin/bash - /etc/eks/bootstrap.sh ${CLUSTER_NAME} --container-runtime containerd + withAddonPolicies: + cloudWatch: true + ebs: true + cloudWatch: + clusterLogging: + enableTypes: ["*"] + logRetentionInDays: 1 EOF - cmd: eksctl create cluster --dry-run -f cluster-config.yaml 
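Review bot: The `aws-ebs-csi-driver` addon loses both its pinned `version` and its `attachPolicyARNs` entry in this hunk, and the EBS permissions appear to move to the node group's instance role via `withAddonPolicies: ebs: true` in the following `@@ -58,11 +61,13 @@` hunk. That grants `AmazonEBSCSIDriverPolicy`-level access to anything on the node that can reach the instance credentials, whereas the previous addon-scoped attachment (presumably an IRSA role for the driver's service account) limited it to the driver; if that is an accepted trade-off for this throwaway test cluster, a comment like `# EBS permissions come from the nodegroup role (withAddonPolicies.ebs), not addon IRSA` above `- name: aws-ebs-csi-driver` would record the decision. Dropping `version` also means eksctl chooses the addon version at cluster-creation time, so two runs of `create-cluster` are no longer guaranteed to get the same driver; restoring a pin (`version: <ADDON_VERSION_PLACEHOLDER>`) keeps the run reproducible.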
@@ -76,16 +81,16 @@ tasks: - name: create-iac actions: - - task: apply-terraform - - task: terraform-outputs + - task: apply-tofu + - task: tofu-outputs - task: create-uds-config - name: destroy-iac actions: - - cmd: terraform destroy -auto-approve + - cmd: tofu destroy -auto-approve dir: .github/test-infra/buckets-iac - - name: apply-terraform + - name: apply-tofu actions: - cmd: echo ${STATE_KEY} | sed 's/\.tfstate/-buckets1.tfstate/g' setVariables: 
@@ -93,38 +98,38 @@ tasks: dir: .github/test-infra/buckets-iac - cmd: echo ${BUCKETS_STATE_KEY} - cmd: | - terraform init -force-copy \ + tofu init -force-copy \ -backend-config="bucket=${STATE_BUCKET_NAME}" \ -backend-config="key=${BUCKETS_STATE_KEY}" \ -backend-config="region=${REGION}" \ -backend-config="dynamodb_table=${STATE_DYNAMODB_TABLE_NAME}" dir: .github/test-infra/buckets-iac - - cmd: terraform apply -auto-approve + - cmd: tofu apply -auto-approve dir: .github/test-infra/buckets-iac - - name: terraform-outputs + - name: tofu-outputs actions: - - cmd: terraform output -raw loki_s3_bucket + - cmd: tofu output -raw loki_s3_bucket setVariables: - name: "LOKI_S3_BUCKET" dir: .github/test-infra/buckets-iac - - cmd: terraform output -raw aws_region + - cmd: tofu output -raw aws_region setVariables: - name: LOKI_S3_AWS_REGION dir: .github/test-infra/buckets-iac - - cmd: terraform output -raw loki_irsa_role_arn + - cmd: tofu output -raw loki_irsa_role_arn setVariables: - name: LOKI_S3_ROLE_ARN dir: .github/test-infra/buckets-iac - - cmd: terraform output -raw velero_s3_bucket + - cmd: tofu output -raw velero_s3_bucket setVariables: - name: VELERO_S3_BUCKET dir: .github/test-infra/buckets-iac - - cmd: terraform output -raw aws_region + - cmd: tofu output -raw aws_region setVariables: - name: VELERO_S3_AWS_REGION dir: .github/test-infra/buckets-iac - - cmd: terraform output -raw velero_irsa_role_arn + - cmd: tofu output -raw velero_irsa_role_arn setVariables: - name: VELERO_S3_ROLE_ARN dir: .github/test-infra/buckets-iac diff --git a/tasks/lint.yaml b/tasks/lint.yaml index d5b732137..9ac598ac3 100644 --- a/tasks/lint.yaml +++ b/tasks/lint.yaml 
@@ -1,10 +1,18 @@ +includes: + - remote: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.13.0/tasks/lint.yaml + tasks: - name: fix description: "Fix formatting issues in the repo" actions: + - description: install codespell deps + cmd: CMD=pip && which $CMD || CMD=pip3 && $CMD install codespell - description: "Pepr Format" cmd: npx pepr format - + - description: Fix codespell lint issues + cmd: | + codespell || true + codespell -w - name: check description: "Run linting checks" @@ -13,7 +21,14 @@ tasks: cmd: npm ci - description: "Pepr Format check" cmd: npx pepr format --validate-only - - description: install yamllint deps - cmd: CMD=pip && which $CMD || CMD=pip3 && $CMD install yamllint + - description: install yamllint and codespell deps + cmd: CMD=pip && which $CMD || CMD=pip3 && $CMD install yamllint codespell - description: yaml lint cmd: yamllint . -c .yamllint --no-warnings + - description: codespell lint + cmd: codespell + + - name: oscal + actions: + - description: Lula Lint OSCAL + task: remote:oscal diff --git a/tasks/publish.yaml b/tasks/publish.yaml index 03767b20b..f4d05f374 100644 --- a/tasks/publish.yaml +++ b/tasks/publish.yaml @@ -8,7 +8,7 @@ variables: - name: VERSION description: "The version of the packages to build" # x-release-please-start-version - default: "0.23.0" + default: "0.27.3" # x-release-please-end tasks: diff --git a/tasks/setup.yaml b/tasks/setup.yaml index 7faff8b98..756d3e354 100644 --- a/tasks/setup.yaml +++ b/tasks/setup.yaml 
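Review bot: The new `install codespell deps` action runs `$CMD install codespell` with no version pin, and the `@@ -13,7 +21,14 @@` hunk does the same for `yamllint codespell`, so each lint run resolves whatever PyPI serves that day and an upstream release can change lint results or pull an unexpected package onto the runner. Pinning, e.g. `cmd: CMD=pip && which $CMD || CMD=pip3 && $CMD install 'codespell==<VERSION_PLACEHOLDER>'`, and letting Renovate bump it keeps the check reproducible. The remote include `https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.13.0/tasks/lint.yaml` (and the same pattern for `compliance.yaml` in `tasks/test.yaml`) is pinned to a git tag, which the upstream repository can move; a commit SHA in place of `v0.13.0` is the immutable form if the include is meant to be a pinned dependency. The new `oscal` task is the only task in this file without a `description`; `description: "Lint the OSCAL component definition with Lula"` would match its siblings.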
@@ -3,12 +3,12 @@ tasks: actions: - description: "Create the K3d cluster" # renovate: datasource=github-tags depName=defenseunicorns/uds-k3d versioning=semver - cmd: "uds zarf package deploy oci://defenseunicorns/uds-k3d:0.7.0 --set=K3D_IMAGE=${K3D_IMAGE} --confirm --no-progress" + cmd: "uds zarf package deploy oci://defenseunicorns/uds-k3d:0.9.0 --confirm --no-progress" - name: k3d-test-cluster actions: - task: create-k3d-cluster - description: "Initialize the cluster with Zarf" - # renovate: datasource=github-tags depName=defenseunicorns/zarf versioning=semver - cmd: "uds zarf package deploy oci://defenseunicorns/init:v0.35.0 --confirm --no-progress" + # renovate: datasource=github-tags depName=zarf-dev/zarf versioning=semver + cmd: "uds zarf package deploy oci://ghcr.io/zarf-dev/packages/init:v0.40.1 --confirm --no-progress" diff --git a/tasks/test.yaml b/tasks/test.yaml index 7c66726d4..105c0420d 100644 --- a/tasks/test.yaml +++ b/tasks/test.yaml @@ -2,6 +2,7 @@ includes: - create: ./create.yaml - setup: ./setup.yaml - deploy: ./deploy.yaml + - compliance: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.13.0/tasks/compliance.yaml tasks: - name: single-package @@ -32,6 +33,14 @@ tasks: - task: deploy:k3d-standard-bundle - task: validate-packages + - name: uds-core-ha + description: "Build and test UDS Core" + actions: + - task: create:standard-package + - task: create:k3d-standard-bundle + - task: deploy:k3d-standard-bundle-ha + - task: validate-packages + - name: uds-core-upgrade description: "Test an upgrade from the latest released UDS Core package to current branch" actions: 
@@ -40,3 +49,20 @@ tasks: - task: create:standard-package - task: deploy:standard-package - task: validate-packages + + - name: compliance-validate + description: "validate against the required compliance" + actions: + - task: compliance:validate + with: + oscalfile: ./compliance/oscal-component.yaml + assessment_results: ./compliance/oscal-assessment-results.yaml + options: -t il4 + + - name: compliance-evaluate + description: "evaluate against the required compliance" + actions: + - task: compliance:evaluate + with: + assessment_results: ./compliance/oscal-assessment-results.yaml + options: -t il4 From 7834e015e6f908fb129d29a8ac5f1d192de36877 Mon Sep 17 00:00:00 2001 From: Micah Nagel Date: Fri, 20 Sep 2024 11:39:58 -0600 Subject: [PATCH 59/61] Update zarf.yaml --- src/runtime/zarf.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/runtime/zarf.yaml b/src/runtime/zarf.yaml index aff8c3883..462474c59 100644 --- a/src/runtime/zarf.yaml +++ b/src/runtime/zarf.yaml @@ -8,11 +8,11 @@ components: - name: uds-runtime required: false images: - - ghcr.io/defenseunicorns/uds-runtime:0.4.0 + - ghcr.io/defenseunicorns/uds-runtime:0.3.0 charts: - name: uds-runtime namespace: uds-runtime - version: "v0.4.0" + version: "v0.3.0" url: https://github.com/defenseunicorns/uds-runtime.git gitPath: chart actions: From a30f8ac49df3c13be80bc2f30f730ae3f7d698e0 Mon Sep 17 00:00:00 2001 From: Micah Nagel Date: Fri, 20 Sep 2024 11:41:29 -0600 Subject: [PATCH 60/61] Update renovate.json --- renovate.json | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/renovate.json b/renovate.json index 27804d714..02057be9a 100644 --- a/renovate.json +++ b/renovate.json @@ -72,6 +72,11 @@ "groupName": "grafana", "commitMessageTopic": "grafana" }, + { + "matchFileNames": ["src/runtime/**"], + "groupName": "runtime", + "commitMessageTopic": "runtime" + }, { "matchPackageNames": ["zarf-dev/zarf", "ghcr.io/zarf-dev/packages/init"], "groupName": "zarf", 
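Review bot: The two new descriptions, "validate against the required compliance" and "evaluate against the required compliance", are the only lower-case ones in this file and do not say what is being checked; `description: "Validate UDS Core against the IL4 compliance target and write assessment results"` and `description: "Evaluate the assessment results against the IL4 threshold"` would read like their siblings. The `-t il4` target and the `./compliance/oscal-assessment-results.yaml` path are repeated across both tasks, so a variable for each (declared under this file's `variables:` block, which is outside the hunk if it exists) would keep them from drifting apart. The enclosing `tasks:` list starts outside the hunk.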
From 43c11f41f5e137875d2e75f209b8107bd1affc06 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Fri, 20 Sep 2024 17:43:06 +0000 Subject: [PATCH 61/61] chore(deps): update runtime to v0.4.0 | datasource | package | from | to | | ---------- | ---------------------------------------------- | ------ | ------ | | docker | ghcr.io/defenseunicorns/uds-runtime | 0.3.0 | 0.4.0 | | git-tags | https://github.com/defenseunicorns/uds-runtime | v0.3.0 | v0.4.0 | --- src/runtime/zarf.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/runtime/zarf.yaml b/src/runtime/zarf.yaml index 462474c59..aff8c3883 100644 --- a/src/runtime/zarf.yaml +++ b/src/runtime/zarf.yaml @@ -8,11 +8,11 @@ components: - name: uds-runtime required: false images: - - ghcr.io/defenseunicorns/uds-runtime:0.3.0 + - ghcr.io/defenseunicorns/uds-runtime:0.4.0 charts: - name: uds-runtime namespace: uds-runtime - version: "v0.3.0" + version: "v0.4.0" url: https://github.com/defenseunicorns/uds-runtime.git gitPath: chart actions: