feat: create dependencies packages

.github/workflows/commitlint.yaml

@@ -0,0 +1,28 @@
+name: Metadata
+
+on:
+  pull_request:
+    branches: [main]
+    types: [opened, edited, synchronize]
+
+jobs:
+  title_check:
+    runs-on: ubuntu-latest
+    name: Validate PR Title
+    permissions:
+      pull-requests: read
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          fetch-depth: 0
+
+      - name: Setup Node.js
+        uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4.0.0
+
+      - name: Install commitlint
+        run: npm install --save-dev @commitlint/{config-conventional,cli}
+
+      - name: Lint PR title
+        run: echo "${{ github.event.pull_request.title }}" | npx commitlint

.github/workflows/pull-request-conditionals.yaml

@@ -0,0 +1,24 @@
+name: Setup
+
+# This workflow is triggered on pull requests to the main branch.
+on:
+  pull_request:
+    paths:
+      - "**"
+
+# Permissions for the GITHUB_TOKEN used by the workflow.
+permissions:
+  id-token: write # Needed for OIDC-related operations.
+  contents: read # Allows reading the content of the repository.
+  pull-requests: read # Allows reading pull request metadata.
+
+# Default settings for all run commands in the workflow jobs.
+defaults:
+  run:
+    shell: bash -e -o pipefail {0} # Ensures that scripts fail on error and pipefail is set.
+
+jobs:
+  run-test:
+    name: Test
+    uses: ./.github/workflows/test.yaml
+    secrets: inherit

.github/workflows/release.yaml

@@ -0,0 +1,37 @@
+name: Publish UDS Dependency Packages
+
+on:
+  push:
+    branches:
+      - main
+
+jobs:
+  publish-packages:
+    runs-on: ubuntu-latest
+    name: Publish Packages
+
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+      - name: Environment setup
+        uses: ./.github/actions/setup
+
+      - name: Iron Bank Login
+        run: zarf tools registry login -u "${{ secrets.IRON_BANK_ROBOT_USERNAME }}"
+
+      - name: Login to GHCR
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: dummy
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Create Packages
+        run: use run create-packages
+
+      - name: Publish Packages
+        run: uds run publish-packages

.github/workflows/test.yaml

@@ -0,0 +1,52 @@
+name: Test package
+
+on:
+  # Manual trigger
+  workflow_dispatch:
+
+  # Triggered by pull-request-conditionals.yaml
+  workflow_call:
+
+# Abort prior jobs in the same workflow / PR
+concurrency:
+  group: test-${{ github.ref }}-${{ inputs.package }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+
+jobs:
+  test:
+    runs-on: "uds-ubuntu-big-boy-16-core"
+    timeout-minutes: 20
+    name: Test
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+      - name: Environment setup
+        uses: ./.github/actions/setup
+
+      - name: Iron Bank Login
+        run: zarf tools registry login -u "${{secrets.IRON_BANK_ROBOT_USERNAME}}" -p "${{secrets.IRON_BANK_ROBOT_PASSWORD}}" registry1.dso.mil
+
+      - name: Create test bundle
+        run: uds run create-test-bundle
+
+      - name: Setup cluster
+        run: uds run setup-cluster
+
+      - name: Deploy test bundle
+        run: uds run deploy-test-bundle
+
+      # - name: Test package
+      #   run: uds run test-package
+
+      - name: Cleanup
+        if: always()
+        run: uds run cleanup
+
+      - name: Save logs
+        if: always()
+        uses: ./.github/actions/save-logs

.gitignore

@@ -0,0 +1,28 @@
+**/*.tfstate
+**/*.tfstate.backup
+*.tar.gz
+*.tar.zst
+~/
+.DS_Store
+defense-unicorns-distro/preflight.sh
+.terraform
+tmp
+zarf-sbom
+
+.cache/
+.idea/
+build/
+.DS_Store
+*.tar.zst
+test/tf/public-ec2-instance/.tool-versions
+zarf-sbom
+tmp/
+values-*.yaml
+overlay-values-*
+
+# Terraform
+test/tf/public-ec2-instance/.test-data
+test/tf/public-ec2-instance/.terraform
+terraform.tfstate
+terraform.tfstate.backup
+.terraform.lock.hcl

.pre-commit-config.yaml

@@ -0,0 +1,53 @@
+repos:
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v4.4.0
+    hooks:
+      - id: check-added-large-files
+        args: ["--maxkb=1024"]
+      - id: check-merge-conflict
+      - id: detect-aws-credentials
+        args:
+          - "--allow-missing-credentials"
+      - id: detect-private-key
+        exclude: |
+          (?x)^(
+            kustomizations/bigbang/environment-bb/values-bigbang.enc.yaml
+          )$
+      - id: end-of-file-fixer
+        exclude: "^kustomizations/bigbang/vendor/.*$"
+      - id: fix-byte-order-marker
+      - id: trailing-whitespace
+        exclude: "^kustomizations/bigbang/vendor/.*$"
+        args: [--markdown-linebreak-ext=md]
+      - id: check-yaml
+        exclude: |
+          (?x)^(
+            charts/raw/templates/resources.yaml
+          )$
+        args:
+          - "--allow-multiple-documents"
+  - repo: https://github.com/sirosen/fix-smartquotes
+    rev: 0.2.0
+    hooks:
+      - id: fix-smartquotes
+  - repo: https://github.com/python-jsonschema/check-jsonschema
+    rev: 0.24.0
+    hooks:
+      - id: check-jsonschema
+        name: "Validate Zarf Configs Against Schema"
+        files: "zarf.yaml"
+        types: [yaml]
+        args:
+          [
+            "--schemafile",
+            "https://raw.githubusercontent.com/defenseunicorns/zarf/v0.29.1/zarf.schema.json",
+            "--no-cache"
+          ]
+  - repo: https://github.com/golangci/golangci-lint
+    rev: v1.52.3
+    hooks:
+      - id: golangci-lint
+  - repo: https://github.com/renovatebot/pre-commit-hooks
+    rev: 36.40.0
+    hooks:
+      - id: renovate-config-validator

CHANGELOG.md

@@ -0,0 +1,3 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.

CODEOWNERS

@@ -0,0 +1 @@
+* @defenseunicorns/software-factory-package-core

bundle/uds-bundle.yaml

@@ -0,0 +1,18 @@
+kind: UDSBundle
+metadata:
+  name: dependency-test
+  description: A UDS bundle for deploying UDS dependencies on a development cluster
+  version: 0.1.0
+
+packages:
+  - name: dev-minio
+    path: ../
+    ref: 5.0.13-0
+
+  - name: dev-postgres
+    path: ../
+    ref: 12.6.6-0
+
+  - name: dev-redis
+    path: ../
+    ref: 17.13.2-0

src/minio/peerauth.yaml

@@ -0,0 +1,8 @@
+apiVersion: security.istio.io/v1beta1
+kind: PeerAuthentication
+metadata:
+  name: minio-istio-exceptions
+  namespace: dev-minio
+spec:
+  mtls:
+    mode: PERMISSIVE

src/minio/policy-exceptions/registry.yaml

@@ -0,0 +1,27 @@
+apiVersion: kyverno.io/v2alpha1
+kind: PolicyException
+metadata:
+  name: gitlab-minio-registry-exception
+  namespace: dev-minio
+spec:
+  exceptions:
+  - policyName: restrict-image-registries
+    ruleNames:
+    - validate-registries
+    - autogen-validate-registries
+  match:
+    any:
+    - resources:
+        kinds:
+        - Deployment
+        namespaces:
+        - dev-minio
+        names:
+        - minio
+    - resources:
+        kinds:
+        - Job
+        namespaces:
+        - dev-minio
+        names:
+        - minio-post-job

src/minio/secret.yaml

@@ -0,0 +1,34 @@
+# Source: bigbang/templates/gitlab/secret-objectstore.yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: gitlab-object-store
+  namespace: gitlab
+type: kubernetes.io/opaque
+stringData:
+  connection: |-
+    provider: AWS
+    region: minio
+    aws_access_key_id: ###ZARF_VAR_ACCESS_KEY###
+    aws_secret_access_key: ###ZARF_VAR_SECRET_KEY###
+    endpoint: "http://minio.gitlab-minio.svc.cluster.local:9000"
+    aws_signature_version: 4
+    path_style: true
+  registry: |-
+    s3:
+      bucket: gitlab-registry
+      accesskey: ###ZARF_VAR_ACCESS_KEY###
+      secretkey: ###ZARF_VAR_SECRET_KEY###
+      regionendpoint: "http://minio.gitlab-minio.svc.cluster.local:9000"
+      region: minio
+      aws_signature_version: 4
+      path_style: true
+  backups: |-
+    [default]
+    access_key = ###ZARF_VAR_ACCESS_KEY###
+    secret_key = ###ZARF_VAR_SECRET_KEY###
+    host_base = http://minio.gitlab-minio.svc.cluster.local:9000
+    host_bucket = http://minio.gitlab-minio.svc.cluster.local:9000
+    bucket_location = minio
+    multipart_chunk_size_mb = 128
+    use_https = False

src/minio/values.yaml

@@ -0,0 +1,26 @@
+replicas: 1
+mode: standalone
+
+# Some reasonable requests instead of the bonkers defaults
+resources:
+  requests:
+    memory: 128Mi
+    cpu: 100m
+
+buckets:
+  - name: uds-gitlab-artifacts
+  - name: uds-gitlab-backups
+  - name: uds-gitlab-ci-secure-files
+  - name: uds-gitlab-dependency-proxy
+  - name: uds-gitlab-lfs
+  - name: uds-gitlab-mr-diffs
+  - name: uds-gitlab-packages
+  - name: uds-gitlab-pages
+  - name: uds-gitlab-terraform-state
+  - name: uds-gitlab-uploads
+  - name: uds-gitlab-registry
+  - name: uds-gitlab-tmp
+
+postJob:
+  podAnnotations:
+    sidecar.istio.io/inject: "false"

src/minio/zarf.yaml

@@ -0,0 +1,47 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/defenseunicorns/zarf/main/zarf.schema.json
+kind: ZarfPackageConfig
+metadata:
+  name: dev-minio
+  version: "5.0.13-0"
+  architecture: amd64
+
+components:
+  - name: minio-istio-exceptions
+    required: true
+    manifests:
+      - name: istio-exceptions
+        files:
+          - "peerauth.yaml"
+  - name: minio
+    required: true
+    charts:
+      - name: minio
+        version: 5.0.13
+        namespace: dev-minio
+        url: https://charts.min.io/
+        valuesFiles:
+          - "values.yaml"
+    images:
+      - quay.io/minio/mc:RELEASE.2023-06-28T21-54-17Z
+      - quay.io/minio/minio:RELEASE.2023-07-07T07-13-57Z
+  - name: minio-secret
+    required: true
+    actions:
+      onDeploy:
+        before:
+          - cmd: kubectl get secret -n dev-minio minio --template='{{ index .data "rootPassword" }}' | base64 -d
+            mute: true
+            setVariables:
+              - name: SECRET_KEY
+                sensitive: true
+          - cmd: kubectl get secret -n dev-minio minio --template='{{ index .data "rootUser" }}' | base64 -d
+            mute: true
+            setVariables:
+              - name: ACCESS_KEY
+                sensitive: true
+  - name: gitlab-secret
+    required: true
+    manifests:
+      - name: gitlab-secret
+        files:
+          - "secret.yaml"