feat: zarf file (#39)

* Adding a simple zarf file and corresponding uds task for building it

* revert change to version

* pinning version of sed, removing multi-arch build assumption

* task -> cmd

* add zarf build test

* adjusting builder image base, removing pinned sed

* Adding .vscode settings and some renovate config to track zarf/uds schema versions

* updating docs

* remove unused renovate config settings

.github/workflows/test.yaml

@@ -11,7 +11,7 @@ concurrency:
   cancel-in-progress: true
 
 jobs:
-  title_check:
+  docker_build:
     runs-on: ubuntu-latest
     name: Test Docker Build
     permissions:
@@ -27,6 +27,23 @@ jobs:
 
       - name: Test building the docker image
         run: uds run dev-build
+
+  zarf_build:
+    runs-on: ubuntu-latest
+    name: Test Zarf Build
+    permissions:
+      pull-requests: read
+      contents: read
+
+    steps:  
+      - name: Checkout
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+      - name: Environment setup
+        uses: defenseunicorns/uds-common/.github/actions/setup@fc12e3a773580020a1d63e254525eab0f8b99fc8
+
+      - name: Test building a zarf package
+        run: uds run build-zarf-pkg
 
   plugin_unit_tests:
     runs-on: ubuntu-latest

.gitignore

@@ -13,3 +13,4 @@ test.cer
 test.csr
 test.pem
 *authorized_certs*
+src/extra-jars/

.vscode/settings.json

@@ -0,0 +1,33 @@
+{
+    "yaml.schemas": {  
+      "https://raw.githubusercontent.com/defenseunicorns/uds-cli/v0.9.2/tasks.schema.json": [
+        "tasks.yaml",
+        "tasks/**/*.yaml",
+        "src/**/validate.yaml"
+      ],
+      "https://raw.githubusercontent.com/defenseunicorns/uds-cli/v0.9.2/zarf.schema.json": [
+        "zarf.yaml"
+      ]
+    },
+    "cSpell.words": [
+      "alertmanager",
+      "Authservice",
+      "automount",
+      "controlplane",
+      "crds",
+      "distros",
+      "ironbank",
+      "Kiali",
+      "Kyverno",
+      "MITM",
+      "neuvector",
+      "opensource",
+      "promtail",
+      "Quarkus",
+      "Quickstart",
+      "seccomp",
+      "Sysctls",
+      "Velero"
+    ],
+    "cSpell.enabled": true
+  }

README.md

@@ -9,6 +9,7 @@ This repo builds the UDS Identity (Keycloak) Config image used by UDS Identity.
    | Task Name | Task Description |
    |---------------------|---------------------------------------------|
    | build-and-publish   | Build and publish the multi-arch image      |
+   | build-zarf-pkg      | Build the image locally and package it with Zarf |
    | dev-build           | Build the image locally for dev             |
    | dev-update-image    | Build the image and import locally into k3d |
    | dev-theme           | Copy theme to Keycloak in dev cluster       |

docs/CUSTOMIZE.md

@@ -215,3 +215,13 @@ RUN mvn clean package
 #### Building New Image with Updates
 
 Once satisfied with changes and tested that they work, see [Testing custom image in UDS Core](./CUSTOMIZE.md#testing-custom-image-in-uds-core) for building, publishing, and using the new image with `uds-core`.
+
+
+## Transport Custom Image with Zarf
+For convenience, a Zarf package definition has been included to simplify custom image transport and install in air-gapped systems.
+
+#### Build the Zarf package
+Use the included UDS task to build the custom image and package it with Zarf:
+```
+uds run build-zarf-pkg
+```

renovate.json

@@ -66,5 +66,15 @@
         "matchPaths": [".github/**"],
         "groupName": "GHA-DEPS"
     }
+  ],
+  "regexManagers":[
+    {
+      "fileMatch": ["^tasks.ya?ml$", "^tasks/.*\\.ya?ml$", "^\\.vscode/settings\\.json$"],
+      "matchStrings": [
+         "https:\\/\\/raw\\.githubusercontent\\.com\\/(?<depName>[^\\/]+\\/[^\\/]+)\\/(?<currentValue>[^\\/]+)"
+      ],
+      "versioningTemplate": "semver-coerced",
+      "datasourceTemplate": "github-tags"
+    }  
   ]
 }

src/Dockerfile

@@ -21,7 +21,7 @@ COPY extra-jars/* ./target/
 # Build the Java truststore from DOD CAs                                          #
 #                                                                                 #
 ###################################################################################
-FROM cgr.dev/chainguard/jdk:latest-dev as truststore
+FROM amazoncorretto:21-alpine-jdk as truststore
 USER root
 RUN apk add openssl coreutils sed bash findutils
 

tasks.yaml

@@ -13,6 +13,12 @@ tasks:
     description: "Build and publish the multi-arch image"
     actions:
       - cmd: docker buildx build --push --platform linux/arm64/v8,linux/amd64 --tag ${IMAGE_NAME}:${VERSION} src
+
+  - name: build-zarf-pkg
+    description: "Build the custom docker image and the zarf package for transporting it"
+    actions:
+      - cmd: docker build --tag ${IMAGE_NAME}:${VERSION} src
+      - cmd: ./uds zarf package create . --set IDENTITY_CONFIG_IMG=${IMAGE_NAME}:${VERSION} --confirm
 
   - name: dev-build
     description: "Build the image locally for dev"

zarf.yaml

@@ -0,0 +1,15 @@
+kind: ZarfPackageConfig
+metadata:
+  name: keycloak-identity-config
+  version: "0.0.1"
+
+constants:
+  - name: IDENTIFY_CONFIG_IMG
+    description: "Image name and tag (MUST BE PROVIDED -- no default)"
+    value: '###ZARF_PKG_TMPL_IDENTITY_CONFIG_IMG###'
+
+components:
+  - name: keycloak-config-wrapper
+    required: true
+    images:
+      - '###ZARF_PKG_TMPL_IDENTITY_CONFIG_IMG###'