Skip to content

Commit a412581

Browse files
mjnagelnoahpb
andauthored
feat: add unicorn flavor to uds-core (defenseunicorns#507)
## Description Adds the unicorn flavor (Chainguard images currently) to uds-core with CI testing/publishing. Validated the publish workflow changes on a fork. Note that create was skipped due to lack of credentials on the fork so the workflow is running a "dry-run" publish. Take particular note of the `Determine destination repository` job and the dry run publish commands: - Snapshot: https://github.com/BagelLab/uds-core/actions/runs/9910149555 - Normal Release: https://github.com/BagelLab/uds-core/actions/runs/9910127730 Note: An issue has been opened to switch NeuVector from upstream -> chainguard (defenseunicorns#568). Upstream was chosen instead of registry1 to ensure arm64 support for the full unicorn flavor. ## Related Issue N/A ## Type of change - [ ] Bug fix (non-breaking change which fixes an issue) - [x] New feature (non-breaking change which adds functionality) - [ ] Other (security config, docs update, etc) ## Checklist before merging - [x] Test, docs, adr added or updated as needed - [x] [Contributor Guide Steps](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md)(https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md#submitting-a-pull-request) followed --------- Co-authored-by: Noah Birrer <noah@defenseunicorns.com>
1 parent eb613e1 commit a412581

32 files changed

Lines changed: 435 additions & 27 deletions

.github/actions/setup/action.yaml

Lines changed: 9 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -11,6 +11,9 @@ inputs:
1111
registry1Password:
1212
description: 'IRON_BANK_ROBOT_PASSWORD'
1313
required: true
14+
chainguardIdentity:
15+
description: "ID for Chainguard Identity"
16+
required: true
1417

1518
runs:
1619
using: "composite"
@@ -40,6 +43,12 @@ runs:
4043
run: echo "${{ env.REGISTRY_PASSWORD }}" | uds zarf tools registry login -u "${{ env.REGISTRY_USERNAME }}" --password-stdin registry1.dso.mil
4144
shell: bash
4245

46+
- name: Chainguard Login
47+
if: ${{ inputs.chainguardIdentity != '' }}
48+
uses: chainguard-dev/setup-chainctl@fc62b08dfd3179dd694b50f672bc371f878fbd1e # v0.2.1
49+
with:
50+
identity: ${{ inputs.chainguardIdentity }}
51+
4352
- name: GHCR Login
4453
if: ${{ inputs.ghToken != '' }}
4554
env:

.github/workflows/publish.yaml

Lines changed: 26 additions & 14 deletions
Original file line numberDiff line numberDiff line change
@@ -12,13 +12,14 @@ jobs:
1212
publish-uds-core:
1313
strategy:
1414
matrix:
15-
flavor: [upstream, registry1]
15+
flavor: [upstream, registry1, unicorn]
1616
runs-on: "uds-ubuntu-big-boy-8-core"
1717
name: Publish packages
1818

1919
permissions:
2020
contents: read
2121
packages: write
22+
id-token: write # This is needed for OIDC federation.
2223

2324
steps:
2425
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
@@ -29,6 +30,7 @@ jobs:
2930
registry1Username: ${{ secrets.IRON_BANK_ROBOT_USERNAME }}
3031
registry1Password: ${{ secrets.IRON_BANK_ROBOT_PASSWORD }}
3132
ghToken: ${{ secrets.GITHUB_TOKEN }}
33+
chainguardIdentity: ${{ secrets.CHAINGUARD_IDENTITY }}
3234

3335
- name: (Snapshot) Get snapshot version using git commit short sha and date
3436
if: ${{ inputs.snapshot }}
@@ -59,7 +61,7 @@ jobs:
5961
ZARF_ARCHITECTURE=arm64 uds run -f tasks/create.yaml k3d-slim-dev-bundle --no-progress
6062
fi
6163
62-
# Standard Package by default tests what's in the Istio Package
64+
# Standard Package by default tests full core
6365
- name: Test amd64 Bundle
6466
if: ${{ !inputs.snapshot }}
6567
run: |
@@ -70,21 +72,31 @@ jobs:
7072
if: ${{ always() && !inputs.snapshot }}
7173
uses: ./.github/actions/debug-output
7274

73-
- name: Publish Standard Package
74-
if: ${{ !inputs.snapshot }}
75-
run: uds run -f tasks/publish.yaml standard-package --set FLAVOR=${{ matrix.flavor }} --no-progress
75+
# Determine repository to publish to
76+
- name: Determine destination repository
77+
id: repo
78+
run: |
79+
repo=ghcr.io/defenseunicorns/packages
80+
# Publish unicorn flavor to private repository
81+
if [ "${{ matrix.flavor }}" = "unicorn" ]; then
82+
repo+=/private
83+
fi
84+
repo+=/uds
85+
# Publish snapshots to snapshot repository
86+
if [ "${{ inputs.snapshot }}" = "true" ]; then
87+
repo+=/snapshots
88+
fi
7689
77-
- name: Publish Upstream Flavored Bundles
78-
if: ${{ !inputs.snapshot && matrix.flavor != 'registry1' }}
79-
run: uds run -f tasks/publish.yaml bundles --no-progress
90+
echo "repo=${repo}" >> "$GITHUB_OUTPUT"
91+
echo "Publishing packages and bundles to ${repo}"
8092
81-
- name: (Snapshot) Publish Standard Package
82-
if: ${{ inputs.snapshot }}
83-
run: uds run -f tasks/publish.yaml standard-package --set FLAVOR=${{ matrix.flavor }} --set TARGET_REPO="ghcr.io/defenseunicorns/packages/uds/snapshots" --set VERSION="${SNAPSHOT_VERSION}" --no-progress
93+
# Publish package and bundle to destination repository
94+
- name: Publish Standard Package
95+
run: uds run -f tasks/publish.yaml standard-package --set FLAVOR=${{ matrix.flavor }} --set TARGET_REPO=${{ steps.repo.outputs.repo }} --no-progress
8496

85-
- name: (Snapshot) Publish Upstream Flavored Bundles
86-
if: ${{ inputs.snapshot && matrix.flavor != 'registry1' }}
87-
run: uds run -f tasks/publish.yaml bundles --set TARGET_REPO="ghcr.io/defenseunicorns/packages/uds/snapshots" --set VERSION="${SNAPSHOT_VERSION}" --no-progress
97+
- name: Publish Upstream Flavored Bundles
98+
if: ${{ matrix.flavor == 'upstream' }}
99+
run: uds run -f tasks/publish.yaml bundles --set TARGET_REPO=${{ steps.repo.outputs.repo }} --no-progress
88100

89101
- name: Save logs
90102
if: always()

.github/workflows/pull-request-conditionals.yaml

Lines changed: 5 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -66,7 +66,7 @@ jobs:
6666
strategy:
6767
matrix:
6868
package: ${{ fromJSON(needs.check-paths.outputs.packages) }}
69-
flavor: [upstream, registry1]
69+
flavor: [upstream, registry1, unicorn]
7070
test_type: [install]
7171
include:
7272
- package: all
@@ -75,6 +75,10 @@ jobs:
7575
- package: all
7676
flavor: upstream
7777
test_type: upgrade
78+
# Commented out until unicorn flavor has a published release
79+
# - package: all
80+
# flavor: unicorn
81+
# test_type: upgrade
7882
uses: ./.github/workflows/test.yaml
7983
with:
8084
package: ${{ matrix.package }}

.github/workflows/snapshot-release.yaml

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -10,6 +10,7 @@ jobs:
1010
permissions:
1111
contents: write
1212
packages: write
13+
id-token: write
1314
uses: ./.github/workflows/publish.yaml
1415
with:
1516
snapshot: true

.github/workflows/tag-and-release.yaml

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -24,6 +24,7 @@ jobs:
2424
permissions:
2525
contents: write
2626
packages: write
27+
id-token: write
2728
uses: ./.github/workflows/publish.yaml
2829
with:
2930
snapshot: false

.github/workflows/test.yaml

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -34,6 +34,7 @@ on:
3434

3535
permissions:
3636
contents: read
37+
id-token: write # This is needed for OIDC federation.
3738

3839
jobs:
3940
test:
@@ -53,6 +54,7 @@ jobs:
5354
registry1Username: ${{ secrets.IRON_BANK_ROBOT_USERNAME }}
5455
registry1Password: ${{ secrets.IRON_BANK_ROBOT_PASSWORD }}
5556
ghToken: ${{ secrets.GITHUB_TOKEN }}
57+
chainguardIdentity: ${{ secrets.CHAINGUARD_IDENTITY }}
5658

5759
- name: Test a single source package
5860
if: ${{ inputs.package != 'all' && inputs.test_type == 'install' }}

docs/deployment/flavors.md

Lines changed: 23 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,23 @@
1+
---
2+
title: Published Flavors
3+
type: docs
4+
weight: 2
5+
---
6+
7+
UDS Core is published with multiple variations (Zarf flavors). Each flavor uses a separate source registry for the images. Each flavor is used as the suffix on the OCI tags for packages. For production use cases we recommend the `registry1` or `unicorn` flavors as these images tend to be more secure than their `upstream` counterparts.
8+
9+
{{% alert-note %}}
10+
Demo and dev bundles (`k3d-core-demo` and `k3d-core-slim-dev`) are only published from the upstream flavor.
11+
{{% /alert-note %}}
12+
13+
### Flavors
14+
15+
| Flavor | GHCR Location | Image Source |
16+
| --------------------- | ---------------------------------------------- | -------------------------------------------------------------------------------------------------------------------- |
17+
| `registry1` | `ghcr.io/defenseunicorns/packages/uds` | [Ironbank](https://p1.dso.mil/services/iron-bank) - DoD hardened images (only supports amd64 architecture currently) |
18+
| `upstream` | `ghcr.io/defenseunicorns/packages/uds` | Various sources, typically DockerHub/GHCR/Quay, these are the default images used by helm charts |
19+
| **ALPHA** `unicorn` | `ghcr.io/defenseunicorns/packages/private/uds` | Industry best images designed with security and minimalism in mind |
20+
21+
{{% alert-note %}}
22+
The `unicorn` flavored packages are only available in a private repository. These packages are available for all members of the Defense Unicorns organization/company, if you are outside the organization [contact us](https://www.defenseunicorns.com/contactus) if you are interested in using this flavor for your mission.
23+
{{% /alert-note %}}

docs/deployment/uds-deploy.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,7 @@
11
---
22
title: Deploy UDS Core
33
type: docs
4-
weight: 2
4+
weight: 3
55
---
66

77
## Prerequisites
Lines changed: 19 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,19 @@
1+
---
2+
title: Flavor Specific Development Notes
3+
type: docs
4+
weight: 5
5+
---
6+
7+
Specific flavors of UDS Core have access and architecture restrictions when used for development work. The `upstream` flavor is generally recommended for development as it does not have any restrictions or requirements.
8+
9+
### Registry1
10+
11+
The `registry1` flavor uses images from [Ironbank](https://p1.dso.mil/services/iron-bank) which can only be pulled with authentication. Developers can self-register on [P1 SSO](https://login.dso.mil/) and retrieve a pull token for auth from [registry1's Harbor](https://registry1.dso.mil/). (In upper right corner, click --> User Profile, then click the Copy icon next to CLI secret, and use this for `docker login`.)
12+
13+
Images in `registry1` historically only supported `amd64` architectures. While some images do now support `arm64` architecture, uds-core only supports `amd64` for the `registry1` flavor. If developing on an `arm64` machine you will need to use a virtualization layer or an external dev box.
14+
15+
### Unicorn
16+
17+
The `unicorn` flavor uses images primarily from a private Chainguard repository. These images can be pulled by any developers in the Defense Unicorns organization once added to the Chainguard repository. Local authentication should be done with [chainctl](https://edu.chainguard.dev/chainguard/administration/how-to-install-chainctl/), specifically using the [credential helper](https://edu.chainguard.dev/chainguard/administration/how-to-install-chainctl/#configure-a-docker-credential-helper) for a seamless experience.
18+
19+
Developers outside of the Defense Unicorns organization/company will be unable to pull these images directly and should rely on CI testing for validation of this flavor. [Contact us](https://www.defenseunicorns.com/contactus) if you have a need to pull these images and develop on this flavor in particular.

docs/development/uds-development-maintenance.md

Lines changed: 0 additions & 11 deletions
This file was deleted.

0 commit comments

Comments
 (0)