feat: pre core exemption handling

[TristanHoladay]

Description

Introducing a UDS Exemption CRD package, which allows for applying UDSExemption CRs before uds-core has deployed.
Also, integrating a uds-core scoped pre-core-exemption chart that allows users to pass exemptions (for things that might exist pre-core) through their bundle.

Related Issue

resolves #272

Type of change

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Other (security config, docs update, etc)

Checklist before merging

• Test, docs, adr added or updated as needed
• Contributor Guide Steps(https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md#submitting-a-pull-request) followed

[TristanHoladay]

For testing manually:

1. Initial deploy and then cycle

   • uds run crd-test
   • after everything comes up delete podinfo pod and make sure it re-creates with the exemptions

2. Upgrade (podinfo exemption only)

   • leave cluster from previous test up (comment out the setup:create-k3d-cluster in crd-test in tasks.yaml
   • un-comment the commented exemption block for node port services in the podinfo config chart (test-podinfo/config-chart/templates/uds-exemption.yaml)
   • change the service.type in the podinfo values (test-podinfo/chart/values.yaml) to NodePort
   • re-run uds run crd-test
   • you should see the podinfo exemption update, as well as the pepr store, and the podinfo service to should recreated successfully as a NodePort service

3. Upgrade (exemption CRD)

   • you can leave the cluster up from the previous test
   • change the exemption CRD by adding a required field (e.g. make a new property in to .spec like .spec.test in src/pepr/operator/crd/sources/exemption/v1alpha1.ts)
   • update the podinfo exemption with new required field
   • generate the crd via uds run -f src/pepr/tasks/gen-crds which will update the crd.yaml in the exemption crd zarf package
   • you'll need to clean up the fields from the generated crd in the crd.yaml. remove all fields that are unique to the applied instance (eg. uid, timestamps etc...)
   • re-run uds run crd-test
   • verify that the podinfo exemption is updated and that podinfo cycles

[TristanHoladay]

example bundle using CRD package:

kind: UDSBundle
metadata:
  name: example CRD

packages:
  - name: exemption-crd
    repository: ghcr.io/defenseunicorns/...
    ref: 0.20.0

  - name: init
    repository: ghcr.io/defenseunicorns/packages/init
    # renovate: datasource=github-tags depName=defenseunicorns/zarf versioning=semver
    ref: v0.33.1

  # has UDS Exemption CR
  - name: test-podinfo
    path: ../../build/
    ref: 0.1.0

  - name: core-slim-dev
    path: ../../build/
    ref: 0.20.0

example bundle using helm overrides:

kind: UDSBundle
metadata:
  name: example helm overrides

packages:
  - name: init
    repository: ghcr.io/defenseunicorns/packages/init
    # renovate: datasource=github-tags depName=defenseunicorns/zarf versioning=semver
    ref: v0.33.1

  # UDS Exemption CR does not live here but is passed to core
  - name: test-podinfo
    path: ../../build/
    ref: 0.1.0

  - name: core-slim-dev
    path: ../../build/
    # x-release-please-start-version
    ref: 0.20.0
    # x-release-please-end
    overrides:
      pre-core-exemptions:
        pre-core-exemptions:
          values:
            - path: enabled
              value: true
            - path: exemptions
              value: |
                    exemptions:
                      - policies:
                          - DisallowPrivileged
                          - RequireNonRootUser
                          - DropAllCapabilities
                        title: "podinfo1"
                        matcher:
                          namespace: podinfo
                          name: "^podinfo.*"
                          test: 1
                      - policies:
                          - DisallowNodePortServices
                        title: "podinfo2"
                        matcher:
                          namespace: podinfo
                          name: "^.*-local.*"
                          kind: service
                          test: 2

[mjnagel]

Hopefully small comments overall - I think this is a good 2-pronged approach to provide solves for this issue.

[mjnagel]

Going to close this PR for now - we need to reevaluate if there's still a need here and how to prioritize if there is. Noting that there are a few known ways to accomplish exemptions for things that come before core:

• Exemptions can be added as a standalone "post-core" package, which ensures they can be re-scheduled/upgraded
• Pre-core items are typically "k8s/infra" related and could/should be deployed in kube-system oftentimes (which is exempted from any pepr policies)
• Exemptions can be added directly in pre-core packages, wrapped with helm capability checks which ensures they are present at an upgrade