feat: add checkpoint uds-core slim package

.github/actions/setup/action.yaml

@@ -14,6 +14,10 @@ inputs:
   chainguardIdentity:
     description: "ID for Chainguard Identity"
     required: true
+  udsCliVersion:
+    description: The uds-cli version to install
+    # renovate: datasource=github-tags depName=defenseunicorns/uds-cli versioning=semver
+    default: 0.16.0
 
 runs:
   using: "composite"
@@ -28,13 +32,14 @@ runs:
       # renovate: datasource=github-tags depName=k3d-io/k3d versioning=semver
       run: curl -s https://raw.githubusercontent.com/k3d-io/k3d/main/install.sh | TAG=v5.7.4 bash
 
-    - name: Set up Homebrew
-      uses: Homebrew/actions/setup-homebrew@master
+    - name: Set UDS CLI Arch
+      id: setUdsCliArch
+      shell: bash
+      run: INPUT=${{ runner.arch == 'X64' && 'amd64' || runner.arch }}; echo "ARCH=${INPUT,,}" >> "$GITHUB_OUTPUT"
 
     - name: Install UDS CLI
       shell: bash
-      # renovate: datasource=github-tags depName=defenseunicorns/uds-cli versioning=semver
-      run: brew install defenseunicorns/tap/uds@0.16.0
+      run: curl -o /usr/local/bin/uds -L https://github.com/defenseunicorns/uds-cli/releases/download/v${{ inputs.udsCliVersion }}/uds-cli_v${{ inputs.udsCliVersion }}_Linux_${{steps.setUdsCliArch.outputs.ARCH}} && chmod +x /usr/local/bin/uds
 
     - name: Install Lula
       uses: defenseunicorns/lula-action/setup@badad8c4b1570095f57e66ffd62664847698a3b9 # v0.0.1

.github/workflows/checkpoint.yaml

@@ -0,0 +1,56 @@
+name: Checkpoint UDS Core
+
+on:
+  # triggered by tag-and-release.yaml
+  workflow_call:
+
+jobs:
+  publish-uds-core:
+    strategy:
+      matrix:
+        architecture: [amd64, arm64]
+    runs-on: ${{ matrix.architecture == 'arm64' && 'uds-ubuntu-arm64-4-core' || 'uds-ubuntu-big-boy-4-core' }}
+    name: Publish checkpoint
+
+    permissions:
+      contents: read
+      packages: write
+      id-token: write  # This is needed for OIDC federation.
+
+    steps:
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+      - name: Environment setup
+        uses: ./.github/actions/setup
+        with:
+          registry1Username: ${{ secrets.IRON_BANK_ROBOT_USERNAME }}
+          registry1Password: ${{ secrets.IRON_BANK_ROBOT_PASSWORD }}
+          ghToken: ${{ secrets.GITHUB_TOKEN }}
+          chainguardIdentity: ${{ secrets.CHAINGUARD_IDENTITY }}
+
+      - name: Deploy K3d + UDS Core Slim Bundle
+        run: |
+          uds run -f tasks/deploy.yaml latest-slim-bundle-release --no-progress
+
+      - name: Create Checkpoint Package
+        run: |
+          uds run -f tasks/create.yaml checkpoint-dev-package --no-progress
+
+      - name: Test Checkpoint Package
+        run: |
+          uds run -f tasks/deploy.yaml checkpoint-package --no-progress
+          npm ci
+          uds run test-slim-dev --no-progress
+
+      - name: Debug Output
+        if: always()
+        uses: ./.github/actions/debug-output
+
+      - name: Publish Checkpoint Package
+        run: uds run -f tasks/publish.yaml checkpoint-package --no-progress
+
+      - name: Save logs
+        if: always()
+        uses: ./.github/actions/save-logs
+        with:
+          suffix: -${{ matrix.architecture }}

.github/workflows/slim-dev-test.yaml

@@ -47,6 +47,8 @@ jobs:
         uses: ./.github/actions/setup
       - name: Deploy Slim Dev Bundle
         run: uds run slim-dev --no-progress
+      - name: Test Slim Dev Bundle
+        run: uds run test-slim-dev --no-progress
       - name: Debug Output
         if: ${{ always() }}
         uses: ./.github/actions/debug-output

.github/workflows/tag-and-release.yaml

@@ -29,3 +29,12 @@ jobs:
     with:
       snapshot: false
     secrets: inherit
+
+  checkpoint-uds-core-release:
+    needs: publish-uds-core-release
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+    uses: ./.github/workflows/checkpoint.yaml
+    secrets: inherit

.gitignore

@@ -18,3 +18,6 @@ extract-terraform.sh
 **/.terraform*
 cluster-config.yaml
 **.tfstate
+
+packages/checkpoint-dev/data
+packages/checkpoint-dev/uds-frozen.tar

packages/checkpoint-dev/README.md

@@ -0,0 +1,6 @@
+# K3d + UDS Core Slim Dev Checkpoint
+
+This is a special modified version of UDS Core that rehydrates K3d + UDS Core Slim Dev from a committed container and volumes.
+
+> [!IMPORTANT]
+> In order to `zarf package create` this package you must have a running UDS k3d cluster with the UDS Core Slim dev installed in it!  This package also requires `sudo` to create and deploy currently - if you see a prompt and it seems stalled it is waiting for password input (hidden by the spinner)

packages/checkpoint-dev/checkpoint.sh

@@ -0,0 +1,69 @@
+#!/bin/bash
+
+# Name of the running k3d container
+K3S_CONTAINER="k3d-uds-server-0"
+
+# Step 0: Ensure we can get sudo
+echo "This package requires elevated permissions to create - requesting sudo (if paused enter password)"
+sudo echo "got sudo! success!"
+
+# Step 1: Get the container ID of the running k3d container
+CONTAINER_ID=$(docker ps -qf "name=$K3S_CONTAINER")
+
+if [ -z "$CONTAINER_ID" ]; then
+    echo "No running container found for $K3S_CONTAINER"
+    exit 1
+fi
+
+# Step 2: Get the mounted volumes of the running container
+echo "Inspecting container volumes for $CONTAINER_ID..."
+VOLUMES=$(docker inspect -f '{{ json .Mounts }}' "$CONTAINER_ID" | jq)
+
+# Step 3: Prepare directories to save the volume data
+sudo rm -rf data
+mkdir -p data/kubelet_data data/k3s_data
+
+# Step 4: Loop through volumes and copy data to corresponding directories
+echo "Copying volumes to local directories..."
+
+for row in $(echo "$VOLUMES" | jq -r '.[] | @base64'); do
+    _jq() {
+        echo "${row}" | base64 --decode | jq -r "${1}"
+    }
+
+    SOURCE=$(_jq '.Source')
+    DESTINATION=$(_jq '.Destination')
+
+    case "$DESTINATION" in
+        "/var/lib/kubelet")
+            echo "Copying $SOURCE to data/kubelet_data/"
+            sudo cp -a "$SOURCE"/. data/kubelet_data/
+            ;;
+        "/var/lib/rancher/k3s")
+            echo "Copying $SOURCE to data/k3s_data/"
+            sudo cp -a "$SOURCE"/. data/k3s_data/
+            ;;
+        *)
+            echo "$DESTINATION is not needed. Skipping..."
+            ;;
+    esac
+done
+
+# Step 5: Commit and save the current container as a new image
+IMAGE_NAME="ghcr.io/defenseunicorns/uds-core/checkpoint:latest"
+echo "Committing container $CONTAINER_ID to image $IMAGE_NAME:latest..."
+docker commit -p "$CONTAINER_ID" "$IMAGE_NAME"
+
+echo "Saving image to data/uds-k3d-checkpoint-latest.tar..."
+docker save -o data/uds-k3d-checkpoint-latest.tar "$IMAGE_NAME"
+
+echo "Container image saved to data/uds-k3d-checkpoint-latest.tar"
+
+# Step 6: Create a tarball from the data contents
+echo "Creating a final tarball to include in the package"
+sudo tar --blocking-factor=64 -cpf uds-checkpoint.tar data
+sudo chown -R $(whoami):$(whoami) "$(pwd)/uds-checkpoint.tar"
+
+echo "Successfully checkpointed the cluster!"
+
+exit 0

packages/checkpoint-dev/zarf.yaml

@@ -0,0 +1,83 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/defenseunicorns/zarf/main/zarf.schema.json
+
+kind: ZarfPackageConfig
+metadata:
+  name: k3d-core-slim-dev
+  description: "Rehydratable UDS K3d + UDS Core Slim (Istio, UDS Operator and Keycloak) Checkpoint"
+  authors: "Defense Unicorns - Product"
+  # x-release-please-start-version
+  version: "0.28.0"
+  # x-release-please-end
+
+variables:
+  - name: CLUSTER_NAME
+    description: "Name of the cluster"
+    default: "uds"
+
+  - name: K3D_EXTRA_ARGS
+    description: "Optionally pass k3d arguments to the default"
+    default: ""
+
+  - name: NGINX_EXTRA_PORTS
+    description: "Optionally allow more ports through Nginx (combine with K3D_EXTRA_ARGS '-p <port>:<port>@server:*')"
+    default: "[]"
+
+components:
+  - name: destroy-cluster
+    required: true
+    description: "Optionally destroy the cluster before creating it"
+    actions:
+      onDeploy:
+        before:
+          - cmd: |
+              echo "This package requires elevated permissions to create - requesting sudo (if paused enter password)"
+              sudo echo "got sudo! success!"
+          - cmd: k3d cluster delete ${ZARF_VAR_CLUSTER_NAME}
+            description: "Destroy the cluster"
+          - cmd: |
+              sudo rm -rf data
+
+  - name: create-cluster
+    required: true
+    description: "Create the K3d cluster w/UDS Core pre-installed"
+    files:
+      - source: uds-checkpoint.tar
+        target: uds-checkpoint.tar
+    actions:
+      onCreate:
+        before:
+          - cmd: ./checkpoint.sh
+        onSuccess:
+          - cmd: |
+              sudo rm -rf data uds-checkpoint.tar
+      onDeploy:
+        after:
+          - cmd: |
+              sudo tar --blocking-factor=64 -xpf uds-checkpoint.tar data
+              K8S_TOKEN="$(sudo cat $(pwd)/data/k3s_data/server/token)"
+
+              docker load -i data/uds-k3d-checkpoint-latest.tar
+
+              k3d cluster create \
+                -p "80:80@server:*" \
+                -p "443:443@server:*" \
+                --api-port 6550 \
+                --k3s-arg "--disable=traefik@server:*" \
+                --k3s-arg "--disable=metrics-server@server:*" \
+                --k3s-arg "--disable=servicelb@server:*" \
+                --k3s-arg "--disable=local-storage@server:*" \
+                --k3s-arg "--token=${K8S_TOKEN}@server:*" \
+                -v "$(pwd)/data/kubelet_data:/var/lib/kubelet@server:*" \
+                -v "$(pwd)/data/k3s_data:/var/lib/rancher/k3s@server:*" \
+                --image ghcr.io/defenseunicorns/uds-core/checkpoint:latest ${ZARF_VAR_K3D_EXTRA_ARGS} \
+                ${ZARF_VAR_CLUSTER_NAME}
+            description: "Create the cluster"
+          - description: Keycloak to be Healthy
+            wait:
+              cluster:
+                kind: Pod
+                name: app.kubernetes.io/name=keycloak
+                namespace: keycloak
+                condition: Ready
+        onSuccess:
+          - cmd: rm -f uds-checkpoint.tar

src/istio/tasks.yaml

@@ -21,3 +21,19 @@ tasks:
             kind: Gateway
             name: tenant-gateway
             namespace: istio-tenant-gateway
+
+  - name: validate-slim
+    actions:
+      - description: Validate the Istio Admin Gateway
+        wait:
+          cluster:
+            kind: Gateway
+            name: admin-gateway
+            namespace: istio-admin-gateway
+
+      - description: Validate the Istio Tenant Gateway
+        wait:
+          cluster:
+            kind: Gateway
+            name: tenant-gateway
+            namespace: istio-tenant-gateway

tasks.yaml

@@ -125,6 +125,14 @@ tasks:
     actions:
       - task: test:compliance-evaluate
 
+  - name: test-slim-dev
+    description: "Run validate for the components contained in the slim dev bundle"
+    actions:
+      - cmd: |
+          uds run -f src/istio/tasks.yaml validate-slim --no-progress
+          uds run -f src/keycloak/tasks.yaml validate --no-progress
+          uds run -f src/pepr/tasks.yaml validate --no-progress
+
   - name: lint-check
     description: "Run linting checks"
     actions:

tasks/create.yaml

@@ -38,6 +38,12 @@ tasks:
       - description: "Create the UDS Core Istio and Keycloak Only Bundle"
         cmd: "uds create bundles/k3d-slim-dev --confirm --no-progress --architecture=${ZARF_ARCHITECTURE}"
 
+  - name: checkpoint-dev-package
+    description: "Create the K3d + UDS Core Checkpoint Zarf Package"
+    actions:
+      - description: "Create the UDS Core Checkpoint Zarf Package"
+        cmd: "uds zarf package create packages/checkpoint-dev --confirm --no-progress --skip-sbom"
+
   - name: single-package
     description: "Create a single Zarf Package, must set UDS_PKG environment variable"
     actions:

tasks/deploy.yaml

@@ -51,7 +51,21 @@ tasks:
       - description: "Deploy the latest UDS Core package release"
         cmd: uds zarf package deploy oci://${TARGET_REPO}/core:${LATEST_VERSION} --confirm --no-progress --components '*'
 
+  - name: latest-slim-bundle-release
+    actions:
+      - description: "Get latest tag version from OCI"
+        cmd: uds zarf tools registry ls ghcr.io/defenseunicorns/packages/uds/bundles/k3d-core-slim-dev | sort -V | tail -1
+        setVariables:
+          - name: LATEST_VERSION
+      - description: "Deploy the latest UDS Core package release"
+        cmd: uds deploy oci://ghcr.io/defenseunicorns/packages/uds/bundles/k3d-core-slim-dev:${LATEST_VERSION} --set INSECURE_ADMIN_PASSWORD_GENERATION=true --confirm --no-progress
+
   - name: standard-package
     actions:
       - description: "Deploy the standard UDS Core zarf package"
         cmd: uds zarf package deploy build/zarf-package-core-${UDS_ARCH}-${VERSION}.tar.zst --confirm --no-progress --components '*'
+
+  - name: checkpoint-package
+    actions:
+      - description: "Deploy the checkpoint K3d + UDS Core Slim zarf package"
+        cmd: uds zarf package deploy build/zarf-package-k3d-core-slim-dev-${UDS_ARCH}-${VERSION}.tar.zst --confirm --no-progress

tasks/publish.yaml

@@ -33,6 +33,13 @@ tasks:
              uds zarf tools registry copy ${pkgPath}:${VERSION}-${FLAVOR} ${pkgPath}:latest-${FLAVOR}
           fi
 
+  - name: checkpoint-package
+    description: "Publish the UDS checkpoint package"
+    actions:
+      - description: "Publish the checkpoint package for the current UDS_ARCH"
+        cmd: |
+          uds zarf package publish build/zarf-package-k3d-core-slim-dev-${UDS_ARCH}-${VERSION}.tar.zst oci://ghcr.io/defenseunicorns/dev/uds/checkpoints/k3d-core-slim-dev
+
   - name: bundles
     description: "Publish UDS Bundles"
     actions: