Merge pull request #4 from defenseunicorns/fix-pvc-config

.github/actions/setup/action.yaml

@@ -20,7 +20,7 @@ runs:
       uses: defenseunicorns/setup-zarf@main
       with:
         # renovate: datasource=github-tags depName=defenseunicorns/zarf versioning=semver
-        version: v0.32.1
+        version: v0.32.4
         download-init-package: ${{ inputs.download-init-package }}
 
     - name: Use Node.js latest
@@ -40,4 +40,4 @@ runs:
     - name: Install UDS CLI
       shell: bash
       # renovate: datasource=github-tags depName=defenseunicorns/uds-cli versioning=semver
-      run: brew install defenseunicorns/tap/uds@0.6.1
+      run: brew install defenseunicorns/tap/uds@0.9.2

.github/workflows/commitlint.yaml

@@ -22,7 +22,9 @@ jobs:
         uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4.0.0
 
       - name: Install commitlint
-        run: npm install --save-dev @commitlint/{config-conventional,cli}
+        run: |
+          npm install --save-dev @commitlint/config-conventional@18.6.0
+          npm install --save-dev @commitlint/cli@18.6.0
 
       - name: Lint PR title
         run: echo "${{ github.event.pull_request.title }}" | npx commitlint

bundle/uds-bundle.yaml

@@ -7,9 +7,13 @@ metadata:
   # x-release-please-end
 
 packages:
-  - name: confluence-postgres
+  - name: dev-postgres
+    repository: ghcr.io/defenseunicorns/packages/uds/dev-postgres
+    ref: 0.0.2
+
+  - name: dev-secrets
     path: ../
-    ref: 12.6.6-0
+    ref: 0.1.0
 
   - name: confluence
     path: ../

bundle/uds-config.yaml

@@ -1,3 +1,6 @@
 variables:
+  dev-postgres:
+    db_username: "confluence"
+    db_name: "confluencedb"
   confluence:
-    confluence_db_endpoint: "postgresql.confluence-db.svc.cluster.local"
+    confluence_db_endpoint: "postgresql.dev-postgres.svc.cluster.local"

commitlint.config.js

@@ -0,0 +1 @@
+module.exports = { extends: ["@commitlint/config-conventional"] };

renovate.json

@@ -97,6 +97,15 @@
       ],
       "versioningTemplate": "{{#if versioning}}{{{versioning}}}{{else}}semver-coerced{{/if}}",
       "extractVersionTemplate": "{{#if extractVersion}}{{{extractVersion}}}{{else}}^(?<version>.*)${{/if}}"
+    },
+    {
+      "fileMatch": [
+        "^\\.github/workflows/commitlint\\.yaml$"
+      ],
+      "matchStrings": [
+        "npm install --save-dev (?<depName>@?.*?)@(?<currentValue>.+)"
+      ],
+      "datasourceTemplate": "npm"
     }
   ],
   "packageRules": [

src/dev-secrets/zarf.yaml

@@ -0,0 +1,25 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/defenseunicorns/zarf/main/zarf.schema.json
+kind: ZarfPackageConfig
+metadata:
+  name: dev-secrets
+  version: "0.1.0"
+  architecture: amd64
+
+components:
+  - name: postgres-password
+    required: true
+    actions:
+      onDeploy:
+        before:
+          - cmd: kubectl get secret -n dev-postgres postgresql --template={{.data.password}} | base64 -d
+            mute: true
+            setVariables:
+              - name: POSTGRES_DB_PASSWORD
+                sensitive: true
+  - name: confluence-postgres-password
+    required: true
+    manifests:
+      - name: confluence-postgres
+        namespace: confluence
+        files:
+          - postgres-secret.yaml

tasks.yaml

@@ -1,8 +1,8 @@
 includes:
-  - cleanup: ./tasks/cleanup.yaml
+  - clean: ./tasks/cleanup.yaml
   - create: ./tasks/create.yaml
   - deploy: ./tasks/deploy.yaml
-  - setup: ./tasks/setup.yaml
+  - setup: https://raw.githubusercontent.com/defenseunicorns/uds-common-tasks/main/tasks/setup.yaml
   - test: ./tasks/test.yaml
 
 tasks:
@@ -33,4 +33,4 @@ tasks:
 
   - name: cleanup
     actions:
-      - task: cleanup:destroy
+      - task: clean:destroy

tasks/create.yaml

@@ -15,23 +15,12 @@ tasks:
     actions:
       - cmd: zarf package create --confirm --no-progress --architecture=${ZARF_ARCHITECTURE} --flavor ${FLAVOR}
 
-  - name: dependency-package
+  - name: dependency-package-no-sbom
     description: Create the Dependency Zarf Package(s)
     actions:
-      - cmd: |
-          for dependency in postgres; do
-            zarf package create test/${dependency}/ --confirm --no-progress --architecture=${UDS_ARCH} --skip-sbom
-          done
+      - cmd: zarf package create src/dev-secrets/ --confirm --no-progress --architecture=${UDS_ARCH} --skip-sbom
 
   - name: confluence-package-no-sbom
     description: Create the UDS confluence Zarf Package
     actions:
       - cmd: zarf package create --confirm --skip-sbom --no-progress --architecture=${ZARF_ARCHITECTURE} --flavor ${FLAVOR}
-
-  - name: dependency-package-no-sbom
-    description: Create the Dependency Zarf Package(s)
-    actions:
-      - cmd: |
-          for dependency in postgres; do
-            zarf package create test/${dependency}/ --confirm --skip-sbom --no-progress --architecture=${UDS_ARCH} --skip-sbom
-          done

tasks/test.yaml

@@ -5,7 +5,7 @@ tasks:
         wait:
           cluster:
             kind: StatefulSet
-            name: confluence-confluence
+            name: confluence
             namespace: confluence
 
   - name: ingress
@@ -14,5 +14,5 @@ tasks:
         wait:
           network:
             protocol: https
-            address: confluence.uds.dev
+            address: confluence.uds.dev/setup/setuplicense.action
             code: 200

values/confluence-values.yaml

@@ -34,7 +34,7 @@ confluence:
         secretKeyRef:
           name: "confluence-postgres"
           key: "password"
-
+volumes:
   localHome:
     persistentVolumeClaim:
       create: true
@@ -43,8 +43,3 @@ confluence:
         requests:
           storage: 1Gi
 
-# networkPolicies:
-#   enabled: true
-#   ingressLabels:
-#     app: tenant-ingressgateway
-#   controlPlaneCidr: 0.0.0.0/0

values/upstream.yaml

@@ -1,3 +1,37 @@
 # image:
 #   repository: confluence
 #   tag: 9.9.3-{{ .Values.edition }}
+
+confluence:
+  # -- Whether to apply security context to pod.
+  #
+  securityContextEnabled: true
+
+  securityContext:
+
+    # -- The GID used by the Confluence docker image
+    # GID will default to 2002 if not supplied and securityContextEnabled is set to true.
+    # This is intended to ensure that the shared-home volume is group-writeable by the GID used by the Confluence container.
+    # However, this doesn't appear to work for NFS volumes due to a K8s bug: https://github.com/kubernetes/examples/issues/260
+    fsGroup: 2002
+    runAsUser: 2002
+    runAsGroup: 2002
+    runAsNonRoot: true
+
+  # -- Standard K8s field that holds security configurations that will be applied to a container.
+  # https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+  #
+  containerSecurityContext:
+    runAsUser: 2002
+    runAsGroup: 2002
+    runAsNonRoot: true
+
+   # -- Boolean to define whether to set local home directory permissions on startup
+  # of Confluence container. Set to 'false' to disable this behaviour.
+  #
+  setPermissions: true
+
+volumes:
+  sharedHome:
+    nfsPermissionFixer:
+      enabled: false