Add Your Own Package (Optional)
This tutorial walks through packaging a sample application and deploying it alongside UDS Core. By the end you’ll have an app exposed through Istio ingress and protected by Keycloak SSO, wired up automatically by the UDS Operator.
The sample app is podinfo, a lightweight Go service with a Helm chart.
Requirements
- UDS CLI — installed in the previous step (includes Zarf via uds zarf)
Create the Zarf Package
A Zarf Package bundles your application’s images and manifests for airgap-safe delivery. The UDS Operator watches for Package custom resources and automatically configures Istio ingress, Keycloak SSO, Prometheus monitoring, and network policies for your app.
- Create a working directory

  ```bash
  mkdir podinfo-package && cd podinfo-package
  ```

- Create the UDS Package CR

  This manifest tells the UDS Operator what platform integrations your app needs:

  podinfo-package.yaml
  ```yaml
  apiVersion: uds.dev/v1alpha1
  kind: Package
  metadata:
    name: podinfo
    namespace: podinfo
  spec:
    network:
      expose:
        - service: podinfo
          selector:
            app.kubernetes.io/name: podinfo
          gateway: tenant
          host: podinfo
          port: 9898
    sso:
      - name: Podinfo SSO
        clientId: uds-core-podinfo
        redirectUris:
          - "https://podinfo.uds.dev/login"
        enableAuthserviceSelector:
          app.kubernetes.io/name: podinfo
        groups:
          anyOf:
            - "/UDS Core/Admin"
    monitor:
      - selector:
          app.kubernetes.io/name: podinfo
        targetPort: 9898
        portName: http
        description: "podinfo metrics"
        kind: PodMonitor
  ```

  When the operator reconciles this CR, it will:

  - Create an Istio VirtualService exposing podinfo at podinfo.uds.dev
  - Register a Keycloak OIDC client and protect the app with Authservice
  - Create a Prometheus PodMonitor for metrics scraping
  - Generate all required NetworkPolicy resources automatically

- Create zarf.yaml

  The Zarf package definition bundles the Helm chart, the Package CR, and the container image together:

  zarf.yaml
  ```yaml
  kind: ZarfPackageConfig
  metadata:
    name: podinfo
    version: 0.0.1
  components:
    - name: podinfo
      required: true
      charts:
        - name: podinfo
          version: 6.10.1
          namespace: podinfo
          url: https://github.com/stefanprodan/podinfo.git
          gitPath: charts/podinfo
      manifests:
        - name: podinfo-uds-config
          namespace: podinfo
          files:
            - podinfo-package.yaml
      images:
        - ghcr.io/stefanprodan/podinfo:6.10.1
  ```

- Build and deploy the package

  ```bash
  uds zarf package create --confirm
  uds zarf package deploy zarf-package-podinfo-*.tar.zst --confirm
  ```

  This builds zarf-package-podinfo-<arch>-0.0.1.tar.zst, then deploys it onto your existing UDS Core cluster. The UDS Operator picks up the Package CR and configures ingress, SSO, monitoring, and network policies automatically.
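A pre-deploy review check for the Package CR created above, as an added example that is not part of the UDS tutorial or the project's own code: it flags SSO clients with no group restriction, redirect URIs that are not HTTPS or do not point at an exposed host, and Authservice selectors that match no exposed service. The function names lint_package and exposed_hosts are hypothetical; the admin gateway hostname mapping and the reading that a client without groups.anyOf is not group-restricted are assumptions.

```python
from urllib.parse import urlsplit

DOMAIN = "uds.dev"  # cluster domain used throughout the tutorial
# Constructed sample: the tutorial's Package CR spec as a Python dict.
PODINFO_SPEC = {
    "network": {"expose": [{
        "service": "podinfo",
        "selector": {"app.kubernetes.io/name": "podinfo"},
        "gateway": "tenant", "host": "podinfo", "port": 9898}]},
    "sso": [{
        "name": "Podinfo SSO", "clientId": "uds-core-podinfo",
        "redirectUris": ["https://podinfo.uds.dev/login"],
        "enableAuthserviceSelector": {"app.kubernetes.io/name": "podinfo"},
        "groups": {"anyOf": ["/UDS Core/Admin"]}}],
}


def exposed_hosts(spec, domain=DOMAIN):
    """Map each exposed FQDN to the pod selector behind it."""
    hosts = {}
    for e in spec.get("network", {}).get("expose", []):
        # Assumption: the admin gateway serves <host>.admin.<domain>.
        sub = "admin." if e.get("gateway") == "admin" else ""
        hosts[f"{e['host']}.{sub}{domain}"] = e.get("selector", {})
    return hosts


def lint_package(spec, domain=DOMAIN):
    """Return a list of findings; an empty list means the checks passed."""
    findings, hosts = [], exposed_hosts(spec, domain)
    for c in spec.get("sso", []):
        cid = c.get("clientId", "<no clientId>")
        # Assumption: without groups.anyOf the client is not group-restricted.
        if not c.get("groups", {}).get("anyOf"):
            findings.append(f"{cid}: no groups.anyOf restriction")
        for uri in c.get("redirectUris", []):
            u = urlsplit(uri)
            if u.scheme != "https":
                findings.append(f"{cid}: redirect URI is not https: {uri}")
            if "*" in (u.hostname or "*"):
                findings.append(f"{cid}: wildcard or missing host: {uri}")
            elif u.hostname not in hosts:
                findings.append(f"{cid}: redirect host not exposed: {uri}")
        sel = c.get("enableAuthserviceSelector")
        if sel and sel not in hosts.values():  # exact selector match only
            findings.append(f"{cid}: Authservice selector matches no exposed service")
    return findings

if __name__ == "__main__":
    print(lint_package(PODINFO_SPEC) or "no findings")
```

To lint the file on disk, load podinfo-package.yaml with a YAML parser and pass its spec mapping to lint_package.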
Verify
Check that the UDS Operator processed the Package resource:

```bash
kubectl get package -n podinfo
```

Expected output:

```
NAME      STATUS   SSO CLIENTS            ENDPOINTS             MONITORS          NETWORK POLICIES   AGE
podinfo   Ready    ["uds-core-podinfo"]   ["podinfo.uds.dev"]   ["podinfo-..."]   9                  2m
```

Ready confirms all platform integrations were provisioned.
Access the app:
Navigate to https://podinfo.uds.dev. You’ll be redirected to Keycloak. Only members of /UDS Core/Admin can log in.
Create a test user by setting up a simple tasks.yaml file that imports a helper from uds-common:

```yaml
includes:
  - common-setup: https://raw.githubusercontent.com/defenseunicorns/uds-common/main/tasks/setup.yaml
```

Then run the task:

```bash
uds run common-setup:keycloak-user --set KEYCLOAK_USER_GROUP="/UDS Core/Admin"
```

View metrics in Grafana:
Go to https://grafana.admin.uds.dev and navigate to Explore, then Prometheus, and run:
```
rate(process_cpu_seconds_total{namespace="podinfo"}[$__rate_interval])
```

What Happened
Because you declared your app’s needs in the Package CR, the UDS Operator automatically provisioned:
- Istio VirtualService and AuthorizationPolicy for ingress
- Keycloak OIDC client with Authservice enforcement
- NetworkPolicy resources scoped to only required traffic
- Prometheus PodMonitor for metrics scraping
For the full Package CR reference, see Package CR.