Merge branch 'main' into gotta-go-fast

.github/actions/lint-check/action.yaml

@@ -12,7 +12,7 @@ runs:
       uses: Homebrew/actions/setup-homebrew@master
     - name: Install UDS CLI
       # renovate: datasource=github-tags depName=defenseunicorns/uds-cli versioning=semver
-      run: brew install defenseunicorns/tap/uds@0.16.0
+      run: brew install defenseunicorns/tap/uds@0.17.0
       shell: bash
     - name: Run Formatting Checks
       run: uds run lint-check --no-progress

.github/actions/save-logs/action.yaml

@@ -34,7 +34,7 @@ runs:
         sudo chown $USER /tmp/uds-*.log || echo ""
       shell: bash
 
-    - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
+    - uses: actions/upload-artifact@604373da6381bf24206979c74d06a550515601b9 # v4.4.1
       with:
         name: debug-log${{ inputs.suffix }}
         path: |

.github/actions/setup/action.yaml

@@ -32,7 +32,7 @@ runs:
       uses: defenseunicorns/setup-uds@b987a32bac3baeb67bfb08f5e1544e2f9076ee8a # v1.0.0
       with:
         # renovate: datasource=github-tags depName=defenseunicorns/uds-cli versioning=semver
-        version: v0.16.0
+        version: v0.17.0
 
     - name: Install Lula
       uses: defenseunicorns/lula-action/setup@badad8c4b1570095f57e66ffd62664847698a3b9 # v0.0.1
@@ -50,7 +50,7 @@ runs:
 
     - name: Chainguard Login
       if: ${{ inputs.chainguardIdentity != '' }}
-      uses: chainguard-dev/setup-chainctl@f52718d822dc73d21a04ef2082822c4a203163b3 # v0.2.2
+      uses: chainguard-dev/setup-chainctl@598499528905f95b94e62e4831cf42035e768933 # v0.2.3
       with:
         identity: ${{ inputs.chainguardIdentity }}
 

.github/bundles/uds-bundle.yaml → .github/bundles/eks/uds-bundle.yaml

@@ -12,7 +12,7 @@ packages:
     ref: v0.41.0
 
   - name: core
-    path: ../../build/
+    path: ../../../build
     # x-release-please-start-version
     ref: 0.28.0
     # x-release-please-end
@@ -25,7 +25,7 @@ packages:
             - name: VELERO_USE_SECRET
               description: "Toggle use secret off to use IRSA."
               path: credentials.useSecret
-            - name: VELERO_IRSA_ANNOTATION
+            - name: VELERO_IRSA_ROLE_ARN
               description: "IRSA ARN annotation to use for Velero"
               path: serviceAccount.server.annotations.eks\.amazonaws\.com/role-arn
       loki:
@@ -50,7 +50,7 @@ packages:
             - name: LOKI_S3_REGION
               description: "The S3 region"
               path: loki.storage.s3.region
-            - name: LOKI_IRSA_ANNOTATION
+            - name: LOKI_IRSA_ROLE_ARN
               description: "The irsa role annotation"
               path: serviceAccount.annotations.eks\.amazonaws\.com/role-arn
       grafana:

.github/bundles/uds-config.yaml → .github/bundles/eks/uds-config.yaml

@@ -8,9 +8,9 @@ variables:
     loki_ruler_bucket: ${ZARF_VAR_LOKI_S3_BUCKET}
     loki_admin_bucket: ${ZARF_VAR_LOKI_S3_BUCKET}
     loki_s3_region: ${ZARF_VAR_LOKI_S3_AWS_REGION}
-    loki_irsa_annotation: ${ZARF_VAR_LOKI_S3_ROLE_ARN}
+    loki_irsa_role_arn: ${ZARF_VAR_LOKI_S3_ROLE_ARN}
     velero_use_secret: false
-    velero_irsa_annotation: "${ZARF_VAR_VELERO_S3_ROLE_ARN}"
+    velero_irsa_role_arn: "${ZARF_VAR_VELERO_S3_ROLE_ARN}"
     velero_bucket: ${ZARF_VAR_VELERO_S3_BUCKET}
     velero_bucket_region: ${ZARF_VAR_VELERO_S3_AWS_REGION}
     velero_bucket_provider_url: ""

.github/bundles/rke2/uds-bundle.yaml

@@ -0,0 +1,78 @@
+kind: UDSBundle
+metadata:
+  name: uds-core-rke2-nightly
+  description: A UDS bundle for deploying RKE2 and UDS Core
+  # x-release-please-start-version
+  version: "0.28.0"
+  # x-release-please-end
+
+packages:
+  - name: pod-identity-webhook
+    repository: ghcr.io/defenseunicorns/packages/uds/pod-identity-webhook
+    ref: 0.3.1-upstream
+
+  - name: init
+    repository: ghcr.io/zarf-dev/packages/init
+    ref: v0.40.1
+    overrides:
+      zarf-registry:
+        docker-registry:
+          variables:
+            - path: affinity.custom
+              name: REGISTRY_AFFINITY_CUSTOM_UDS
+            - path: persistence.accessMode
+              name: REGISTRY_PVC_ACCESS_MODE
+              default: ReadWriteMany
+      zarf-seed-registry:
+        docker-registry:
+          variables:
+            - path: affinity.custom
+              name: REGISTRY_AFFINITY_CUSTOM_UDS
+            - path: persistence.accessMode
+              name: REGISTRY_PVC_ACCESS_MODE
+              default: ReadWriteMany
+
+  - name: core
+    path: ../../../build
+    # x-release-please-start-version
+    ref: 0.28.0
+    # x-release-please-end
+    optionalComponents:
+      - metrics-server
+    overrides:
+      velero:
+        velero:
+          variables:
+            - name: VELERO_USE_SECRET
+              description: "Toggle use secret off to use IRSA."
+              path: credentials.useSecret
+            - name: VELERO_IRSA_ROLE_ARN
+              description: "IRSA ARN annotation to use for Velero"
+              path: serviceAccount.server.annotations.irsa/role-arn
+      loki:
+        loki:
+          values:
+            - path: loki.storage.s3.endpoint
+              value: ""
+            - path: loki.storage.s3.secretAccessKey
+              value: ""
+            - path: loki.storage.s3.accessKeyId
+              value: ""
+            - path: global.dnsService
+              value: rke2-coredns-rke2-coredns
+          variables:
+            - name: LOKI_CHUNKS_BUCKET
+              description: "The object storage bucket for Loki chunks"
+              path: loki.storage.bucketNames.chunks
+            - name: LOKI_RULER_BUCKET
+              description: "The object storage bucket for Loki ruler"
+              path: loki.storage.bucketNames.ruler
+            - name: LOKI_ADMIN_BUCKET
+              description: "The object storage bucket for Loki admin"
+              path: loki.storage.bucketNames.admin
+            - name: LOKI_S3_REGION
+              description: "The S3 region"
+              path: loki.storage.s3.region
+            - name: LOKI_IRSA_ROLE_ARN
+              description: "The irsa role annotation"
+              path: serviceAccount.annotations.irsa/role-arn

.github/bundles/rke2/uds-config.yaml

@@ -0,0 +1,18 @@
+# Overwritten by ci-iac-aws package
+options:
+  architecture: amd64
+
+variables:
+  core:
+    loki_chunks_bucket: ${ZARF_VAR_LOKI_S3_BUCKET}
+    loki_ruler_bucket: ${ZARF_VAR_LOKI_S3_BUCKET}
+    loki_admin_bucket: ${ZARF_VAR_LOKI_S3_BUCKET}
+    loki_s3_region: ${ZARF_VAR_LOKI_S3_AWS_REGION}
+    loki_irsa_role_arn: ${ZARF_VAR_LOKI_S3_ROLE_ARN}
+    velero_use_secret: false
+    velero_irsa_role_arn: "${ZARF_VAR_VELERO_S3_ROLE_ARN}"
+    velero_bucket: ${ZARF_VAR_VELERO_S3_BUCKET}
+    velero_bucket_region: ${ZARF_VAR_VELERO_S3_AWS_REGION}
+    velero_bucket_provider_url: ""
+    velero_bucket_credential_name: ""
+    velero_bucket_credential_key: ""

.github/filters.yaml

@@ -10,3 +10,29 @@ identity-authorization:
   - "packages/identity-authorization/**"
   - "src/keycloak/**"
   - "src/authservice/**"
+
+logging:
+  - "packages/logging/**"
+  - "src/loki/**"
+  - "src/vector/**"
+
+ui:
+  - "packages/ui/**"
+  - "src/runtime/**"
+
+runtime-security:
+  - "packages/runtime-security/**"
+  - "src/neuvector/**"
+
+backup-restore:
+  - "packages/backup-restore/**"
+  - "src/velero/**"
+
+metrics-server:
+  - "packages/metrics-server/**"
+  - "src/metrics-server/**"
+
+monitoring:
+  - "packages/monitoring/**"
+  - "src/prometheus-stack/**"
+  - "src/grafana/**"

.github/test-infra/buckets-iac/loki.tf → .github/test-infra/aws/eks/loki.tf

@@ -25,4 +25,4 @@ resource "aws_iam_policy" "loki_policy" {
       }
     ]
   })
-}
+}

.github/test-infra/buckets-iac/main.tf → .github/test-infra/aws/eks/main.tf

@@ -1,29 +1,3 @@
-provider "aws" {
-  region = var.region
-
-  default_tags {
-    tags = {
-      PermissionsBoundary = var.permissions_boundary_name
-    }
-  }
-}
-
-terraform {
-  required_version = ">= 1.8.0"
-  backend "s3" {
-  }
-  required_providers {
-    aws = {
-      source  = "hashicorp/aws"
-      version = ">= 4.0"
-    }
-
-    random = {
-      source  = "hashicorp/random"
-      version = "3.6.3"
-    }
-  }
-}
 
 resource "random_id" "default" {
   byte_length = 2
@@ -127,4 +101,4 @@ resource "aws_s3_bucket_policy" "bucket_policy" {
       }
     ]
   })
-}
+}

.github/test-infra/rds-iac/output.tf → .github/test-infra/aws/eks/outputs.tf

@@ -1,3 +1,31 @@
+output "aws_region" {
+  value = data.aws_region.current.name
+}
+
+output "loki_irsa_role_arn" {
+  value = module.irsa["loki"].role_arn
+}
+
+output "loki_s3" {
+  value = module.S3["loki"]
+}
+
+output "loki_s3_bucket" {
+  value = module.S3["loki"].bucket_name
+}
+
+output "velero_irsa_role_arn" {
+  value = module.irsa["velero"].role_arn
+}
+
+output "velero_s3" {
+  value = module.S3["velero"]
+}
+
+output "velero_s3_bucket" {
+  value = module.S3["velero"].bucket_name
+}
+
 output "grafana_pg_host" {
   description = "RDS Endpoint for Grafana"
   value       = element(split(":", module.db.db_instance_endpoint), 0)
@@ -23,3 +51,7 @@ output "grafana_pg_password" {
   value       = random_password.db_password.result
   sensitive   = true
 }
+
+output "grafana_ha" {
+  value = true
+}

.github/test-infra/rds-iac/main.tf → .github/test-infra/aws/eks/rds.tf

@@ -1,24 +1,3 @@
-provider "aws" {
-  region = var.region
-}
-
-terraform {
-  required_version = ">= 1.8.0"
-  backend "s3" {
-  }
-  required_providers {
-    aws = {
-      source  = "hashicorp/aws"
-      version = ">= 4.0"
-    }
-
-    random = {
-      source  = "hashicorp/random"
-      version = "3.6.3"
-    }
-  }
-}
-
 resource "random_password" "db_password" {
   length  = 16
   special = false
@@ -105,14 +84,6 @@ data "aws_subnets" "subnets" {
   }
 }
 
-data "aws_partition" "current" {}
-
-data "aws_caller_identity" "current" {}
-
 locals {
   vpc_id = data.aws_vpc.vpc.id
 }
-
-resource "random_id" "unique_id" {
-  byte_length = 4
-}