Merge branch 'main' into renovate/grafana

defenseunicorns · Oct 29, 2024 · 82650d8 · 82650d8
2 parents 0e236b0 + 0c19633
commit 82650d8
Show file tree

Hide file tree

Showing 32 changed files with 224 additions and 66 deletions.
diff --git a/.github/bundles/aks/uds-bundle.yaml b/.github/bundles/aks/uds-bundle.yaml
@@ -6,7 +6,7 @@ metadata:
   name: uds-core-aks-nightly
   description: A UDS bundle for deploying UDS Core on AKS
   # x-release-please-start-version
-  version: "0.29.1"
+  version: "0.30.0"
   # x-release-please-end
 
 packages:
@@ -17,7 +17,7 @@ packages:
   - name: core
     path: ../../../build
     # x-release-please-start-version
-    ref: 0.29.1
+    ref: 0.30.0
     # x-release-please-end
     overrides:
       istio-admin-gateway:

diff --git a/.github/bundles/eks/uds-bundle.yaml b/.github/bundles/eks/uds-bundle.yaml
@@ -6,7 +6,7 @@ metadata:
   name: uds-core-eks-nightly
   description: A UDS bundle for deploying EKS and UDS Core
   # x-release-please-start-version
-  version: "0.29.1"
+  version: "0.30.0"
   # x-release-please-end
 
 packages:
@@ -17,7 +17,7 @@ packages:
   - name: core
     path: ../../../build
     # x-release-please-start-version
-    ref: 0.29.1
+    ref: 0.30.0
     # x-release-please-end
     optionalComponents:
       - metrics-server

diff --git a/.github/bundles/rke2/uds-bundle.yaml b/.github/bundles/rke2/uds-bundle.yaml
@@ -6,7 +6,7 @@ metadata:
   name: uds-core-rke2-nightly
   description: A UDS bundle for deploying RKE2 and UDS Core
   # x-release-please-start-version
-  version: "0.29.1"
+  version: "0.30.0"
   # x-release-please-end
 
 packages:
@@ -38,7 +38,7 @@ packages:
   - name: core
     path: ../../../build
     # x-release-please-start-version
-    ref: 0.29.1
+    ref: 0.30.0
     # x-release-please-end
     optionalComponents:
       - metrics-server

diff --git a/.release-please-manifest.json b/.release-please-manifest.json
@@ -1,3 +1,3 @@
 {
-    ".": "0.29.1"
+    ".": "0.30.0"
 }
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,34 @@
 
 All notable changes to this project will be documented in this file.
 
+## [0.30.0](https://github.com/defenseunicorns/uds-core/compare/v0.29.1...v0.30.0) (2024-10-28)
+
+
+### ⚠ BREAKING CHANGES
+
+* remove uds-runtime from core ([#955](https://github.com/defenseunicorns/uds-core/issues/955))
+
+### Features
+
+* add finalizer for UDS Package CRs ([#953](https://github.com/defenseunicorns/uds-core/issues/953)) ([fa42714](https://github.com/defenseunicorns/uds-core/commit/fa427142b8a7391504eb2133614cf7504e0259ab))
+* adds registry1 flavor of uds runtime ([#925](https://github.com/defenseunicorns/uds-core/issues/925)) ([0011852](https://github.com/defenseunicorns/uds-core/commit/0011852dd6c8f1305e2fa0c837db45f3c1801c31))
+
+
+### Bug Fixes
+
+* batch authservice checksum updates ([#735](https://github.com/defenseunicorns/uds-core/issues/735)) ([100d35b](https://github.com/defenseunicorns/uds-core/commit/100d35bfb05545b2a6adb75c918e6e93eda0a312))
+* logout redirect uri ([#945](https://github.com/defenseunicorns/uds-core/issues/945)) ([8e2b5d8](https://github.com/defenseunicorns/uds-core/commit/8e2b5d840bcddc7af299ff8845836c08a54a35c8))
+* resolve lingering note formatting ([#938](https://github.com/defenseunicorns/uds-core/issues/938)) ([455a530](https://github.com/defenseunicorns/uds-core/commit/455a53020cee8fe9edf629366401c70fd47ef355))
+* vector remap language logic typo ([#959](https://github.com/defenseunicorns/uds-core/issues/959)) ([89af729](https://github.com/defenseunicorns/uds-core/commit/89af7292b11ac9a9d100ba1e6a81c81441472f14))
+
+
+### Miscellaneous
+
+* add proper version update to aks nightly bundle ([#942](https://github.com/defenseunicorns/uds-core/issues/942)) ([2f51c75](https://github.com/defenseunicorns/uds-core/commit/2f51c75d761e3385a3ae46cb62d6375210620c37))
+* block local auth for neuvector ([#965](https://github.com/defenseunicorns/uds-core/issues/965)) ([8f25b41](https://github.com/defenseunicorns/uds-core/commit/8f25b41e4c187680e8353e31cdd4f37e19063338))
+* **deps:** update vector to 0.42.0 ([#946](https://github.com/defenseunicorns/uds-core/issues/946)) ([2f63db2](https://github.com/defenseunicorns/uds-core/commit/2f63db2f26cb30c056f376b1823f758cd403aefe))
+* remove uds-runtime from core ([#955](https://github.com/defenseunicorns/uds-core/issues/955)) ([c6f6664](https://github.com/defenseunicorns/uds-core/commit/c6f66649bef5fef8e14eeb157a1ba76d2e96c78b))
+
 ## [0.29.1](https://github.com/defenseunicorns/uds-core/compare/v0.29.0...v0.29.1) (2024-10-18)
 
 

diff --git a/README.md b/README.md
@@ -55,7 +55,7 @@ If you want to try out UDS Core, you can use the [k3d-core-demo bundle](./bundle
 <!-- x-release-please-start-version -->
 
 ```bash
-uds deploy k3d-core-demo:0.29.1
+uds deploy k3d-core-demo:0.30.0
 ```
 
 <!-- x-release-please-end -->
@@ -69,7 +69,7 @@ Deploy Istio, Keycloak and Pepr:
 <!-- x-release-please-start-version -->
 
 ```bash
-uds deploy k3d-core-slim-dev:0.29.1
+uds deploy k3d-core-slim-dev:0.30.0
 ```
 
 <!-- x-release-please-end -->

diff --git a/bundles/k3d-slim-dev/uds-bundle.yaml b/bundles/k3d-slim-dev/uds-bundle.yaml
@@ -6,7 +6,7 @@ metadata:
   name: k3d-core-slim-dev
   description: A UDS bundle for deploying Istio from UDS Core on a development cluster
   # x-release-please-start-version
-  version: "0.29.1"
+  version: "0.30.0"
   # x-release-please-end
 
 packages:
@@ -37,7 +37,7 @@ packages:
   - name: core-base
     path: ../../build/
     # x-release-please-start-version
-    ref: 0.29.1
+    ref: 0.30.0
     # x-release-please-end
     overrides:
       istio-admin-gateway:
@@ -73,7 +73,7 @@ packages:
   - name: core-identity-authorization
     path: ../../build/
     # x-release-please-start-version
-    ref: 0.29.1
+    ref: 0.30.0
     # x-release-please-end
     overrides:
       keycloak:

diff --git a/bundles/k3d-standard/uds-bundle.yaml b/bundles/k3d-standard/uds-bundle.yaml
@@ -6,7 +6,7 @@ metadata:
   name: k3d-core-demo
   description: A UDS bundle for deploying the standard UDS Core package on a development cluster
   # x-release-please-start-version
-  version: "0.29.1"
+  version: "0.30.0"
   # x-release-please-end
 
 packages:
@@ -37,7 +37,7 @@ packages:
   - name: core
     path: ../../build/
     # x-release-please-start-version
-    ref: 0.29.1
+    ref: 0.30.0
     # x-release-please-end
     optionalComponents:
       - istio-passthrough-gateway

diff --git a/packages/backup-restore/zarf.yaml b/packages/backup-restore/zarf.yaml
@@ -7,7 +7,7 @@ metadata:
   description: "UDS Core (Backup and Restore)"
   authors: "Defense Unicorns - Product"
   # x-release-please-start-version
-  version: "0.29.1"
+  version: "0.30.0"
   # x-release-please-end
   x-uds-dependencies: ["base"]
 

diff --git a/packages/base/zarf.yaml b/packages/base/zarf.yaml
@@ -7,7 +7,7 @@ metadata:
   description: "UDS Core (Base)"
   authors: "Defense Unicorns - Product"
   # x-release-please-start-version
-  version: "0.29.1"
+  version: "0.30.0"
   # x-release-please-end
   x-uds-dependencies: []
 

diff --git a/packages/identity-authorization/zarf.yaml b/packages/identity-authorization/zarf.yaml
@@ -7,7 +7,7 @@ metadata:
   description: "UDS Core (Identity & Authorization)"
   authors: "Defense Unicorns - Product"
   # x-release-please-start-version
-  version: "0.29.1"
+  version: "0.30.0"
   # x-release-please-end
   x-uds-dependencies: ["base"]
 

diff --git a/packages/logging/zarf.yaml b/packages/logging/zarf.yaml
@@ -7,7 +7,7 @@ metadata:
   description: "UDS Core (Logging)"
   authors: "Defense Unicorns - Product"
   # x-release-please-start-version
-  version: "0.29.1"
+  version: "0.30.0"
   # x-release-please-end
   x-uds-dependencies: ["base"]
 

diff --git a/packages/metrics-server/zarf.yaml b/packages/metrics-server/zarf.yaml
@@ -7,7 +7,7 @@ metadata:
   description: "UDS Core (Metrics Server)"
   authors: "Defense Unicorns - Product"
   # x-release-please-start-version
-  version: "0.29.1"
+  version: "0.30.0"
   # x-release-please-end
   x-uds-dependencies: ["base"]
 

diff --git a/packages/monitoring/zarf.yaml b/packages/monitoring/zarf.yaml
@@ -7,7 +7,7 @@ metadata:
   description: "UDS Core Monitoring (Prometheus and Grafana)"
   authors: "Defense Unicorns - Product"
   # x-release-please-start-version
-  version: "0.29.1"
+  version: "0.30.0"
   # x-release-please-end
   x-uds-dependencies: ["base", "identity-authorization"]
 

diff --git a/packages/runtime-security/zarf.yaml b/packages/runtime-security/zarf.yaml
@@ -7,7 +7,7 @@ metadata:
   description: "UDS Core (Runtime Security)"
   authors: "Defense Unicorns - Product"
   # x-release-please-start-version
-  version: "0.29.1"
+  version: "0.30.0"
   # x-release-please-end
   x-uds-dependencies: ["base", "identity-authorization"]
 

diff --git a/packages/standard/zarf.yaml b/packages/standard/zarf.yaml
@@ -7,7 +7,7 @@ metadata:
   description: "UDS Core"
   authors: "Defense Unicorns - Product"
   # x-release-please-start-version
-  version: "0.29.1"
+  version: "0.30.0"
   # x-release-please-end
 
 components:

diff --git a/src/neuvector/chart/templates/neuvector-deny.yaml b/src/neuvector/chart/templates/neuvector-deny.yaml
@@ -0,0 +1,20 @@
+# Copyright 2024 Defense Unicorns
+# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial
+
+{{- if .Values.denyLocalAuth }}
+apiVersion: security.istio.io/v1
+kind: AuthorizationPolicy
+metadata:
+  name: neuvector-deny-local-login
+  namespace: {{ .Release.Namespace }}
+spec:
+  action: DENY
+  selector:
+    matchLabels:
+      app: neuvector-manager-pod
+  rules:
+  - to:
+    - operation:
+        paths: ["/auth"]
+        ports: ["8443"]
+{{- end }}
diff --git a/src/neuvector/chart/templates/uds-package.yaml b/src/neuvector/chart/templates/uds-package.yaml
@@ -1,5 +1,6 @@
 # Copyright 2024 Defense Unicorns
 # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial
+{{- $neuvectorAdminPass := join "" (list (randAlphaNum 12) (randAlpha 2 | upper) (randAlpha 2 | lower) (randNumeric 2))}}
 
 apiVersion: uds.dev/v1alpha1
 kind: Package
@@ -24,6 +25,13 @@ spec:
         - "https://neuvector.admin.{{ .Values.domain }}/openId_auth"
       secretName: neuvector-secret
       secretTemplate:
+        userinitcfg.yaml: |-
+          always_reload: true
+          users:
+            - username: admin
+              fullname: admin
+              password: {{ $neuvectorAdminPass }}
+              role: admin
         oidcinitcfg.yaml: |-
           always_reload: true
           client_id: clientField(clientId)

diff --git a/src/neuvector/chart/values.yaml b/src/neuvector/chart/values.yaml
@@ -7,3 +7,5 @@ grafana:
   enabled: false
 
 generateInternalCert: false
+
+denyLocalAuth: true
diff --git a/src/pepr/operator/controllers/istio/injection.ts b/src/pepr/operator/controllers/istio/injection.ts
@@ -164,7 +164,8 @@ async function killPods(ns: string, enableInjection: boolean) {
     }
 
     for (const pod of group) {
-      log.info(`Deleting pod ${ns}/${pod.metadata?.name} to enable the istio sidecar`);
+      const action = enableInjection ? "enable" : "remove";
+      log.info(`Deleting pod ${ns}/${pod.metadata?.name} to ${action} the istio sidecar`);
       await K8s(kind.Pod).Delete(pod);
     }
   }

diff --git a/src/pepr/operator/controllers/keycloak/authservice/authservice.ts b/src/pepr/operator/controllers/keycloak/authservice/authservice.ts
@@ -9,10 +9,16 @@ import { Component, setupLogger } from "../../../../logger";
 import { UDSPackage } from "../../../crd";
 import { Client } from "../types";
 import { updatePolicy } from "./authorization-policy";
-import { getAuthserviceConfig, operatorConfig, updateAuthServiceSecret } from "./config";
+import {
+  getAuthserviceConfig,
+  operatorConfig,
+  setAuthserviceConfig,
+  updateAuthServiceSecret,
+} from "./config";
 import { Action, AuthServiceEvent, AuthserviceConfig, Chain } from "./types";
 
 export const log = setupLogger(Component.OPERATOR_AUTHSERVICE);
+let lock = false;
 
 export async function authservice(pkg: UDSPackage, clients: Map<string, Client>) {
   // Get the list of clients from the package
@@ -65,13 +71,37 @@ export async function reconcileAuthservice(
 
 // Write authservice config to secret (ensure the new function name is referenced)
 export async function updateConfig(event: AuthServiceEvent) {
-  // Parse existing authservice config
-  let config = await getAuthserviceConfig();
+  // Lock to prevent concurrent updates
+  if (lock) {
+    log.debug("Lock is set for config update, retrying...");
+    setTimeout(() => updateConfig(event), 0);
+    return;
+  }
 
-  // Update config based on event
-  config = buildConfig(config, event);
+  let config: AuthserviceConfig;
+
+  try {
+    log.debug("Locking config for update");
+    lock = true;
+
+    // build updated config based on event
+    config = await getAuthserviceConfig().then(config => {
+      return buildConfig(config, event);
+    });
+
+    // Update the in-memory config immediately
+    setAuthserviceConfig(config);
+  } catch (e) {
+    log.error("Failed to build in memory authservice secret for event", event, e);
+    throw e;
+  } finally {
+    // unlock config
+    log.debug("Unlocking config for update");
+    lock = false;
+  }
 
-  // Update the authservice secret using the new function
+  // apply the authservice secret
+  log.debug("Applying authservice secret");
   await updateAuthServiceSecret(config);
 }
 

diff --git a/src/pepr/operator/controllers/keycloak/authservice/config.ts b/src/pepr/operator/controllers/keycloak/authservice/config.ts
@@ -130,6 +130,15 @@ export function buildInitialSecret(): AuthserviceConfig {
   return config;
 }
 
+/**
+ * Sets the in memory configuration for Authservce.
+ *
+ * @param config - The configuration object for Authservice.
+ */
+export function setAuthserviceConfig(config: AuthserviceConfig) {
+  inMemorySecret = config;
+}
+
 /**
  * Retrieves the authservice configuration, either from the in-memory cache
  * or from the Kubernetes secret if not already cached.
@@ -176,9 +185,6 @@ export async function updateAuthServiceSecret(
   checksum = true,
 ): Promise<void> {
   return new Promise((resolve, reject) => {
-    // Update the in-memory secret immediately
-    inMemorySecret = authserviceConfig;
-
     // Add the package config and its resolve function to the pending packages map
     pendingPackages.set(authserviceConfig, { resolve, reject });
 
@@ -195,7 +201,7 @@ export async function updateAuthServiceSecret(
         );
 
         // Prepare the config to be written (assumes that all packages share the same secret)
-        const { base64EncodedConfig, hash } = encodeConfig(inMemorySecret!);
+        const { base64EncodedConfig, hash } = encodeConfig(authserviceConfig!);
 
         // Apply the authservice config secret
         lastSuccessfulSecret = await applySecret(base64EncodedConfig);

diff --git a/src/pepr/operator/controllers/keycloak/client-sync.ts b/src/pepr/operator/controllers/keycloak/client-sync.ts
@@ -84,7 +84,7 @@ export async function purgeSSOClients(pkg: UDSPackage, newClients: string[] = []
     const token = Store.getItem(storeKey);
     if (token) {
       await apiCall({ clientId: ref }, "DELETE", token);
-      Store.removeItem(storeKey);
+      await Store.removeItemAndWait(storeKey);
     } else {
       log.warn(pkg.metadata, `Failed to remove client ${ref}, token not found`);
     }