
Document Zarf actions must-haves #70

Open
Racer159 opened this issue Jun 18, 2024 · 2 comments
@Racer159

Describe what should be investigated or refactored

Zarf is looking to refactor / redesign Zarf actions to be simpler and easier to maintain; we need to document our actions must-haves to ensure our needs are still met for our packages (particularly GLR). These needs should be 1) described in plain text and 2) linked to examples of their use.

Links to any relevant code

https://github.com/defenseunicorns/uds-package-gitlab-runner/pull/93/files#diff-330516a8f3fb4c57de1a7928d4955df77c5d0546ab1558525367e8e16fa14d57R31

Additional context

This should just be a quick look through each package we maintain (and some we may want/need to maintain in the future (i.e. Nexus)), and then add a comment to this issue to pass over to the Zarf team.

@ericwyles ericwyles self-assigned this Aug 9, 2024
@ericwyles

I reviewed the following repos:

Findings.

Wait Commands

First, we have a lot of very similar Wait commands in actions. I'm just summarizing these; a lot of them appear in multiple places, but they are just basic built-in wait commands. A de-duped summary of these is below, and the more interesting stuff follows.

Zarf Action: onDeploy.after

  • Wait for Package condition status.phase to be Ready
  • Wait for Pod condition to be Ready
  • Wait for Deployment condition to be Available
  • Wait for Job condition to be Complete

Zarf Action: onDeploy.before

  • Wait for Pod condition to be Ready
  • Wait for Postgresql resource condition status.PostgresClusterStatus to be Running
  • Wait for Job status.succeeded to be 1

More Interesting stuff

uds-package-archivista

Link: https://github.com/defenseunicorns/uds-package-archivista/blob/fa1c7f3f6af38cf0d2871caa23d63e2e79c1dd27/src/dev-secrets/zarf.yaml#L10
Zarf Action: onDeploy.before

  • Read user and password values from minio secret and populate ACCESS_KEY and SECRET_KEY variables

uds-package-gitlab

Link: https://github.com/defenseunicorns/uds-package-gitlab/blob/dbd955b9a95a1a25e6f1cd459b8e90f47f677c84/src/dev-secrets/zarf.yaml#L11
Zarf Action: onDeploy.before

  • Read user and password values from minio secret and populate ACCESS_KEY and SECRET_KEY variables

uds-package-gitlab-runner

Link: https://github.com/defenseunicorns/uds-package-gitlab-runner/blob/e7c2d33249bd9ba0dd188d53c22ebc4ebcbab966/common/zarf.yaml#L21
Zarf Action: onDeploy.before

  • Labels/annotates secrets to be managed by helm
  • Fetch runner registration token from secret in the gitlab namespace
  • Find the running Gitlab Webservice pod name
  • kubectl exec into the webservice pod found above and execute a curl command to POST to register the gitlab runner using the runner registration token
  • Extract the registered runner's auth token and set it in the zarf variable RUNNER_AUTH_TOKEN

uds-package-mattermost

Link: https://github.com/defenseunicorns/uds-package-mattermost/blob/5667b8981e0f7acd9b9c11196ab16b5148a0d29b/plugins/zarf.yaml#L15
Zarf Action: onCreate.before

  • Run a docker build for mattermost plugins to build an extra image from source. The image is loaded in the local docker cache but not pushed to a registry. It will end up in the created zarf package.

Link: https://github.com/defenseunicorns/uds-package-mattermost/blob/5667b8981e0f7acd9b9c11196ab16b5148a0d29b/src/dev-secrets/zarf.yaml#L10
Zarf Action: onDeploy.before

  • Read user and password values from minio secret and populate ACCESS_KEY and SECRET_KEY variables

uds-package-nexus

Link: https://github.com/defenseunicorns/uds-package-nexus/blob/ba9b59eff006b97e900aa4bbd5cf4105ca87a2c0/zarf.yaml#L53
Zarf Action: onDeploy.before

  • Executes a curl command to get the keycloak SAML descriptor from the uds realm and sets it in the NEXUS_SSO_IDP_METADATA variable

Link: https://github.com/defenseunicorns/uds-package-nexus/blob/ba9b59eff006b97e900aa4bbd5cf4105ca87a2c0/src/dev-secrets/zarf.yaml#L11
Zarf Action: onDeploy.before

  • Read user and password values from postgres secret and populate NEXUS_DB_PASSWORD and NEXUS_DB_USERNAME variables

uds-package-postgres-operator

Link: https://github.com/defenseunicorns/uds-package-postgres-operator/blob/ac70cfb85e6c5b4e654d220029dddd2551e82299/common/zarf.yaml#L21
Zarf Action: onDeploy.before

  • kubectl annotate resources with helm release-namespace=postgres-operator as a shim to upgrade resources created with older versions of the operator to the new chart namespace layout

uds-package-sigstore

Link: https://github.com/defenseunicorns/uds-package-sigstore/blob/c124424536d00d46565ace2f077c2c76fde4f9ec/src/dev-openbao/zarf.yaml#L28
Zarf Action: onDeploy.before

  • kubectl delete a pod (to clear pod state)

Zarf Action: onDeploy.after

  • Find a specific pod name based on a label and find a running pod
  • kubectl exec into pod to run bao commands and extract public key to a file
  • Use openssl to create keys and kubectl exec back into bao pod to import them to fulcio, tsa, and rekor

Zarf Action: onDeploy.onSuccess and onDeploy.onFailure

  • Delete intermediate files that were used for key creation

uds-package-sonarqube

Link: https://github.com/defenseunicorns/uds-package-sonarqube/blob/cc24c606eb81cbb7782977ac23f41d057a8064cf/common/zarf.yaml#L23
Zarf Action: onCreate.before

  • Run a docker build for sonarqube monitoring to build an extra image from source. The image is loaded in the local docker cache but not pushed to a registry. It will end up in the created zarf package.

Zarf Action: onDeploy.after

  • Use curl http post to a URL to run database migrations and echo out the migration state extracted from the response body of the curl command

uds-package-valkey

Link: https://github.com/defenseunicorns/uds-package-valkey/blob/242e61a2d869c3cd3b8567ba8fb73ff7844287b8/tests/zarf.yaml#L19
Zarf Action: onDeploy.after

  • Get secret and set to VALKEY_PASSWORD variable
  • kubectl exec into the valkey-cli pod (using above secret) and run valkey-cli commands to verify valkey is functioning. Capture the output of the commands and grep for specific values to verify success. This verifies that the valkey service is responsive and a value that is set in the service can be retrieved.
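The catalogue above is a list of needs rather than a sample manifest, so here is a single Zarf component, written as an added example for this issue and not taken from any of the listed repos, that exercises the recurring patterns in one place: a built-in `wait` on a jsonpath status field and on a standard condition type, reading credentials out of an existing secret into Zarf variables, exec'ing into a running pod selected by label to verify a service, and cleaning up intermediate files on both `onSuccess` and `onFailure`. The package name, namespaces, resource names and secret keys (`example-app`, `example-db`, `example-db-creds`, `username`/`password`) are placeholders I made up for the example; the action keys themselves (`wait.cluster`, `cmd`, `mute`, `setVariables`, `sensitive`, `maxRetries`, `maxTotalSeconds`) are the Zarf schema fields.

```yaml
# Added example (not from any of the reviewed repos). All names, namespaces
# and secret keys below are assumed placeholders.
kind: ZarfPackageConfig
metadata:
  name: actions-must-haves-example
components:
  - name: example-app
    required: true
    actions:
      onDeploy:
        before:
          # Built-in wait on a custom resource's status field via a jsonpath
          # condition (the Postgresql / Package waits in the list above).
          - wait:
              cluster:
                kind: postgresql
                name: example-db
                namespace: example-db
                condition: "{.status.PostgresClusterStatus}=Running"
          # Read credentials from an existing secret into Zarf variables.
          # `mute: true` keeps the raw command output off the console and
          # `sensitive: true` masks the variable's value in Zarf's own output,
          # so the password is not echoed into deploy logs.
          - cmd: ./zarf tools kubectl get secret -n example-db example-db-creds -o jsonpath='{.data.username}' | base64 -d
            mute: true
            setVariables:
              - name: DB_USERNAME
          - cmd: ./zarf tools kubectl get secret -n example-db example-db-creds -o jsonpath='{.data.password}' | base64 -d
            mute: true
            setVariables:
              - name: DB_PASSWORD
                sensitive: true
        after:
          # Built-in wait on a standard condition type.
          - wait:
              cluster:
                kind: Deployment
                name: example-app
                namespace: example-app
                condition: Available
          # Find a Running pod by label, exec into it and grep the response
          # for an expected value so the action fails loudly if it is missing.
          - cmd: |
              POD=$(./zarf tools kubectl get pod -n example-app -l app=example-app \
                --field-selector=status.phase=Running -o jsonpath='{.items[0].metadata.name}')
              ./zarf tools kubectl exec -n example-app "$POD" -- sh -c 'echo pong' | grep -q pong
            maxRetries: 3
            maxTotalSeconds: 120
        onSuccess:
          # Remove intermediate material on both exit paths so nothing
          # sensitive is left in the working directory.
          - cmd: rm -f ./tmp-key.pem ./tmp-key.pub
        onFailure:
          - cmd: rm -f ./tmp-key.pem ./tmp-key.pub
```

The two things worth carrying into whatever the redesign looks like are the pairing of `mute` with `sensitive` for any command whose output is a credential, and the symmetric `onSuccess`/`onFailure` cleanup; without the latter a failed deploy leaves key material on disk, which is the sigstore case above.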
