[x] Must define any external interfaces under the expose key.
[x] Must deploy and operate successfully with Istio injection enabled in the namespace.
[x] Should avoid workarounds such as disabling strict mTLS peer authentication.
Network Policies
[x] Must define network policies under the allow key as required.
[x] Should minimize network policies to specific selectors needed for Ingress/Egress traffic.
[x] #29
Keycloak
[x] Must use and create a Keycloak client through the sso key if the application provides a user login.
[x] #30
[x] #31
[x] Should clearly mark the client id with the group and app name uds-<group>-<application> (i.e. uds-swf-mattermost) to provide consistency in the Keycloak UI.
[x] May end any generated secrets with -sso to easily locate them when querying the cluster.
[x] #38
Prometheus
[x] #32
Exemptions
UDS Packages may make use of the UDS Exemption custom resource for exempting any Pepr policies, but in doing so they:
[x] Must minimize the scope and number of the exemptions to only what is absolutely required by the application
[x] Must have documented rationale for any exemptions present
Structure
Packages also follow structural guidelines to ensure consistency and flexibility for configuration, they:
[x] Should expose all configuration (uds.dev CRs, additional Secrets/ConfigMaps, etc) through a Helm chart (ideally in a chart or charts directory).
This allows UDS bundles to override configuration with Helm overrides and enables downstream teams to fully control their bundle configurations.
[x] #33
This ensures that the package is configured the same way that the bundle would be and avoids any side effect issues of Zarf's ### templating
[x] #34
This allows for different images or configurations to be delivered consistently to customers.
Testing
A UDS Package will also have testing and quality checks to ensure that updates / changes to them result in minimal churn. Packages:
[x] #35
This can by something like Playwright / Cypress tests for services with a Web UI or something like Jest tests for headless services.
[x] Must implement Upgrade Testing to ensure that the current development package works when deployed over the previously released one.
[x] #36
Maintenance
To help maintain a UDS Package, it:
[x] Must have a dependency management bot (such as renovate) configured to open PRs to update core package and support dependencies.
[x] Must release its package to the ghcr.io/defenseunicorns/packages/<group> namespace as the application's name (i.e. ghcr.io/defenseunicorns/packages/uds/mattermost)
General
And in addition to the above, packages generally:
[x] Must be capable of operating within an internet-disconnected (air-gapped) environment
Istio
exposekey.Network Policies
allowkey as required.Keycloak
ssokey if the application provides a user login.uds-<group>-<application>(i.e.uds-swf-mattermost) to provide consistency in the Keycloak UI.-ssoto easily locate them when querying the cluster.Prometheus
Exemptions
UDS Packages may make use of the UDS
Exemptioncustom resource for exempting any Pepr policies, but in doing so they:Structure
Packages also follow structural guidelines to ensure consistency and flexibility for configuration, they:
[x] Should expose all configuration (
uds.devCRs, additionalSecrets/ConfigMaps, etc) through a Helm chart (ideally in achartorchartsdirectory).[x] #33
[x] #34
Testing
A UDS Package will also have testing and quality checks to ensure that updates / changes to them result in minimal churn. Packages:
[x] #35
[x] Must implement Upgrade Testing to ensure that the current development package works when deployed over the previously released one.
[x] #36
Maintenance
To help maintain a UDS Package, it:
[x] Must have a dependency management bot (such as renovate) configured to open PRs to update core package and support dependencies.
[x] Must release its package to the
ghcr.io/defenseunicorns/packages/<group>namespace as the application's name (i.e.ghcr.io/defenseunicorns/packages/uds/mattermost)General
And in addition to the above, packages generally:
[x] Must be capable of operating within an internet-disconnected (air-gapped) environment
[x] #37