-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy pathtasks.yaml
179 lines (155 loc) · 7.74 KB
/
tasks.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
# Copyright 2024 Defense Unicorns
# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial
includes:
- remote: https://raw.githubusercontent.com/defenseunicorns/uds-common/v1.7.0/tasks/lint.yaml
variables:
- name: VERSION
description: "The image tag"
# x-release-please-start-version
default: "0.9.1"
# x-release-please-end
- name: IMAGE_NAME
description: "The repository + name for the published image"
default: "ghcr.io/defenseunicorns/uds/identity-config"
- name: CORE_VERSION
description: UDS Core Version for Releases and Clone
# renovate: datasource=github-tags depName=defenseunicorns/uds-core versioning=semver
default: "v0.34.0"
tasks:
- name: build-and-publish
description: "Build and publish the multi-arch image"
actions:
- cmd: docker buildx build --push --platform linux/arm64/v8,linux/amd64 --tag ${IMAGE_NAME}:${VERSION} src
- name: build-zarf-pkg
description: "Build the custom docker image and the zarf package for transporting it"
actions:
- cmd: docker build --tag ${IMAGE_NAME}:${VERSION} src
- cmd: ./uds zarf package create . --set IDENTITY_CONFIG_IMG=${IMAGE_NAME}:${VERSION} --confirm
- name: dev-build
description: "Build the image locally for dev"
actions:
- cmd: docker build src -t uds-core-config:keycloak --no-cache
- name: dev-update-image
description: "Build the image and import locally into k3d"
actions:
- task: dev-build
- cmd: |
k3d image import -c uds uds-core-config:keycloak
kubectl rollout restart statefulset -n keycloak keycloak
- name: dev-theme
description: "Copy theme to Keycloak in dev cluster"
actions:
- cmd: |
PV=$(kubectl get pvc keycloak-themes -n keycloak -o jsonpath='{.spec.volumeName}')
THEME_PATH=$(kubectl get pv $PV -o jsonpath="{.spec.hostPath.path}")
docker cp src/theme k3d-uds-server-0:/$THEME_PATH
- name: dev-plugin
description: "Build and test Keycloak plugin source and create maven-surefire report"
actions:
- cmd: |
cd src/plugin
mvn clean verify | egrep ".*"
- name: cacert
description: "Get the CA cert value for the Istio Gateway"
actions:
# This is written to a file rather than printed because it is a massive value to copy out of the terminal
- cmd: |
cat <<EOF > tls_cacert.yaml
tls:
cacert: "$(docker run --rm --entrypoint sh uds-core-config:keycloak -c 'cat /home/nonroot/authorized_certs.pem | base64 -w 0')"
EOF
echo "Base64 encoded CA Cert value is in cacert.b64, this can be passed to your Istio tenant gateway for Keycloak OPTIONAL_MUTUAL"
- name: debug-istio-traffic
description: "Debug Istio traffic on keycloak"
actions:
- cmd: istioctl proxy-config log keycloak-0.keycloak --level debug
- cmd: kubectl -n keycloak logs keycloak-0 -c istio-proxy -f
- name: regenerate-test-pki
description: "Generate a PKI cert for testing"
actions:
- cmd: |
openssl genrsa -out test.pem 2048
openssl genrsa -out ca.pem 2048
openssl req -x509 -new -nodes -key ca.pem -sha256 -days 1825 -out ca.cer -subj "/C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DOD ID CA-59 FAKE TEST"
openssl req -new -key test.pem -out test.csr -config src/csr.conf -batch
openssl x509 -req -in test.csr -CA ca.cer -CAkey ca.pem -CAcreateserial -out test.cer -days 365 -extensions v3_ext -extfile src/csr.conf
openssl pkcs12 -export -out test.pfx -inkey test.pem -in test.cer -certfile ca.cer -passout pass:
zip src/authorized_certs ca.cer
- name: uds-core-gateway-cacert
description: "Copy cacert values into istio gateways"
actions:
- cmd: |
yq eval-all --inplace 'select(fileIndex == 0) * select(fileIndex == 1)' uds-core/src/istio/values/config-tenant.yaml src/test/cypress/certs/tls_cacert.yaml
yq eval-all --inplace 'select(fileIndex == 0) * select(fileIndex == 1)' uds-core/src/istio/values/config-admin.yaml src/test/cypress/certs/tls_cacert.yaml
- name: uds-core-smoke-test
description: "UDS Core + Identity Config smoke test with base realm.json"
actions:
- task: dev-build
- task: clone-core
- task: build-deploy-custom-slim
- name: uds-core-integration-tests
description: "UDS Core + Identity Config Integration Testing"
actions:
- description: Build identity config image
cmd: docker build --build-arg CA_ZIP_URL="test/cypress/certs/authorized_certs.zip" --build-arg REALM_FILE="test/cypress/realm.json" -t uds-core-config:keycloak --no-cache src
- task: clone-core
- task: uds-core-gateway-cacert
- task: build-deploy-custom-slim
- task: cypress-tests
- name: grafana-group-auth-build-deploy
description: Configure existing uds-core/grafana package for group authz, build, deploy grafana
actions:
- cmd: |
sed -i '/^\s*sso:/,/^\s*-\s*name:/ {
/groups:/d
/^\s*-\s*name:/a \ \ \ \ \ \ groups:\n\ \ \ \ \ \ \ \ anyOf:\n\ \ \ \ \ \ \ \ \ - \/UDS Core\/Admin
}' uds-core/src/grafana/chart/templates/uds-package.yaml
- cmd: |
cd uds-core
uds run create:single-layer-callable --set LAYER=monitoring
- name: clone-core
description: "Clone UDS Core for integration testing"
actions:
- cmd: rm -rf uds-core/
- cmd: git clone --branch ${CORE_VERSION} https://github.com/defenseunicorns/uds-core.git
- name: build-deploy-custom-slim
description: "Build/Deploy custom slim dev bundle for integration testing"
actions:
- cmd: uds zarf package create . --confirm --set=IDENTITY_CONFIG_IMG=uds-core-config:keycloak --no-progress
- cmd: cd uds-core && uds run create:single-layer && uds run create:single-layer-callable --set LAYER=identity-authorization
- task: grafana-group-auth-build-deploy
- cmd: uds create bundles --confirm --no-progress
- cmd: uds deploy bundles/uds-bundle-k3d-core-slim-dev-*.tar.zst --set=core-identity-authorization.KEYCLOAK_CONFIG_IMAGE=uds-core-config:keycloak --confirm --no-progress
- name: cypress-tests
description: "Run all cypress tests ( requires an existing deployed UDS Core Identity )"
actions:
- cmd: |
npm --prefix src/test/cypress install
npm --prefix src/test/cypress run cy.run
- name: license
actions:
- description: Lint for the SPDX license identifier being in source files
task: remote:license
- name: fix-license
actions:
- description: Add the SPDX license identifier to source files
task: remote:fix-license
# Note that due to cloning the docs repo (which is private) this task will require organization access to the repo
# This task does not clone in/manage docs outside of the identity repo so you may hit some 404s during development
- name: dev-docs
description: "Start the dev docs server"
actions:
- description: "Cleanup previous runs"
cmd: |
rm -rf uds-docs
- description: "Clone the docs repo and symlink the reference docs"
cmd: |
git clone https://github.com/defenseunicorns/uds-docs.git uds-docs
rm -rf uds-docs/src/content/docs/reference uds-docs/src/content/docs/.images
# This only symlinks the reference and images folders since these are the only docs we use in the docs site
ln -s $(pwd)/docs/reference uds-docs/src/content/docs/reference
ln -s $(pwd)/docs/.images uds-docs/src/content/docs/.images
- description: "Start the docs server with npm (this will run until you stop it)"
cmd: |
# Actual startup takes up to a minute because of the npm install
cd uds-docs && npm i && npm run dev