feat: allow sso for kiali, jaeger, prometheus and alertmanager via authservice

chart/Chart.yaml

 apiVersion: v2
 name: bigbang
-version: 1.0.5
+version: 1.0.6

chart/templates/authservice/authservice-helmrelease.yaml

-{{- if and .Values.istio.enabled .Values.addons.authservice.enabled }}
+{{- if and .Values.istio.enabled ( or .Values.addons.authservice.enabled .Values.istio.sso.enabled ) }}
 apiVersion: helm.toolkit.fluxcd.io/v2beta1
 kind: HelmRelease
 metadata:
   name: authservice
   namespace: {{ .Release.Namespace }}
 spec:
-  targetNamespace: istio-system
+  targetNamespace: authservice
   chart:
     spec:
       chart: {{ .Values.addons.authservice.git.path }}
@@ -39,9 +39,45 @@ spec:
   values:
     imagePullSecrets:
       - name: private-registry
-
-    filterLabel: keycloak
-
+    global:
+      oidc:
+        host: {{ .Values.sso.oidc.host }}
+        realm: {{ .Values.sso.oidc.realm }}
+      {{- if .Values.sso.jwks }}
+      jwks: "{{ .Values.sso.jwks }}"
+      {{- end }}
+{{- if .Values.sso.client_id}}
+      client_id: {{ .Values.sso.client_id }}
+{{- end }}
+{{- if .Values.sso.client_secret }}
+      client_secret: {{ .Values.sso.client_secret }}
+{{- end }}
+      certificate_authority: {{ .Values.sso.certificate_authority }}
+    chains:
+      kiali:
+        match:
+          header: ":authority"
+          prefix: "kiali"
+        client_id: {{ .Values.istio.sso.kiali.client_id }}
+        callback_uri: https://kiali.{{ .Values.hostname }}/login
+      jaeger:
+        match:
+          header: ":authority"
+          prefix: "tracing"
+        client_id: "{{ .Values.istio.sso.jaeger.client_id }}"
+        callback_uri: https://tracing.{{ .Values.hostname }}/login
+      prometheus:
+        match:
+          header: ":authority"
+          prefix: "prometheus"
+        client_id: {{ .Values.monitoring.sso.prometheus.client_id }}
+        callback_uri: https://prometheus.{{ .Values.hostname }}/login/generic_oauth
+      alertmanager:
+        match:
+          header: ":authority"
+          prefix: "alertmanager"
+        client_id: {{ .Values.monitoring.sso.alertmanager.client_id }}
+        callback_uri: https://alertmanager.{{ .Values.hostname }}/login/generic_oauth
   dependsOn:
   - name: istio
     namespace: {{ .Release.Namespace }}

chart/templates/authservice/namespace.yaml

+{{- if and .Values.istio.enabled .Values.addons.authservice.enabled }}
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: authservice
+  {{- if .Values.istio.enabled }}
+  labels:
+    istio-injection: enabled
+  {{- end }}
+
+{{- if and (ne .Values.registryCredentials.username "") (ne .Values.registryCredentials.password "") }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: private-registry
+  namespace: authservice
+type: kubernetes.io/dockerconfigjson
+data:
+  .dockerconfigjson: {{ template "imagePullSecret" . }}
+{{- end }}
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: haproxy-sso
+  namespace: {{ .Release.Namespace }}
+spec:
+  targetNamespace: authservice
+  chart:
+    spec:
+      chart: "./chart"
+      interval: 5m
+      sourceRef:
+        kind: GitRepository
+        name: haproxy
+        namespace: {{ .Release.Namespace }}
+
+  {{- with .Values.flux }}
+  interval: {{ .interval }}
+  test:
+    enable: false
+  install:
+    remediation:
+      retries: {{ .install.retries }}
+  upgrade:
+    remediation:
+      retries: {{ .upgrade.retries }}
+      remediateLastFailure: true
+    cleanupOnFail: true
+  rollback:
+    timeout: {{ .rollback.timeout }}
+    cleanupOnFail: {{ .rollback.cleanupOnFail }}
+  {{- end }}
+
+  values:
+    hostname: {{ .Values.hostname }}
+
+    podLabels:
+      protect: keycloak
+    config: |
+      global
+        maxconn 1024
+        daemon
+        log stdout format raw local0 info
+      defaults
+        log global
+        mode http
+        option httplog
+        timeout client 60s
+        timeout connect 60s
+        timeout server 60s
+      frontend fe_main
+        # Create custom headers as temporary holding places for info
+        http-request set-header X-Scheme http if !{ ssl_fc }
+        http-request set-header X-Scheme https if { ssl_fc }
+        http-request set-header X-TraceId %[rand,hex,bytes(8,8),lower]%[rand,hex,bytes(8,8),lower]%[rand,hex,bytes(8,8),lower]
+        http-request set-header X-SegmentId0 %[rand,hex,bytes(8,8),lower]%[rand,hex,bytes(8,8),lower]
+        http-request set-header X-SegmentId1 %[rand,hex,bytes(8,8),lower]%[rand,hex,bytes(8,8),lower]
+        http-request set-header X-SegmentId2 %[rand,hex,bytes(8,8),lower]%[rand,hex,bytes(8,8),lower]
+        http-request set-header X-SegmentId3 %[rand,hex,bytes(8,8),lower]%[rand,hex,bytes(8,8),lower]
+        http-request set-header X-SegmentId4 %[rand,hex,bytes(8,8),lower]%[rand,hex,bytes(8,8),lower]
+
+        # Declare capture slots for logging headers
+        declare capture request len 512
+        http-request capture req.fhdr(User-Agent) id 0
+
+        declare capture request len 5
+        http-request capture req.hdr(X-Scheme) id 1
+
+        declare capture request len 512
+        http-request capture req.hdr(Host) id 2
+
+        declare capture request len 24
+        http-request capture req.hdr(X-TraceId) id 3
+
+        declare capture request len 16
+        http-request capture req.hdr(X-SegmentId0) id 4
+
+        declare capture request len 16
+        http-request capture req.hdr(X-SegmentId1) id 5
+
+        declare capture request len 16
+        http-request capture req.hdr(X-SegmentId2) id 6
+
+        declare capture request len 16
+        http-request capture req.hdr(X-SegmentId3) id 7
+
+        declare capture request len 16
+        http-request capture req.hdr(X-SegmentId4) id 8
+
+        declare capture response len 8
+        http-response capture res.hdr(Content-Length) id 0
+
+        # Generate a unique Trace ID
+        unique-id-format %{+X}o\ 1-%[date,hex,bytes(8,8),lower]-%[capture.req.hdr(3)]
+        http-request set-header X-Amzn-Trace-Id Root=%[unique-id,lower]
+        bind :8080
+        acl host_kiali hdr(host) -i kiali.{{ .Values.hostname }}
+        acl host_tracing hdr(host) -i tracing.{{ .Values.hostname }}
+        acl host_alertmanager hdr(host) -i alertmanager.{{ .Values.hostname }}
+        acl host_prometheus hdr(host) -i prometheus.{{ .Values.hostname }}
+
+        option forwardfor
+        use_backend kiali_main if host_kiali
+        use_backend tracing_main if host_tracing
+        use_backend alertmanager_main if host_alertmanager
+        use_backend prometheus_main if host_prometheus
+      backend kiali_main
+        mode http
+        server kiali kiali.istio-system.svc.cluster.local:20001
+      backend tracing_main
+        mode http
+        server jaeger tracing.istio-system.svc.cluster.local:80
+      backend alertmanager_main
+        mode http
+        option forwardfor
+        http-request replace-header Host .* monitoring-monitoring-kube-alertmanager.monitoring.svc.cluster.local
+        server alertmanager monitoring-monitoring-kube-alertmanager.monitoring.svc.cluster.local:9093
+      backend prometheus_main
+        mode http
+        option forwardfor
+        http-request replace-header Host .* monitoring-monitoring-kube-prometheus.monitoring.svc.cluster.local
+        server prometheus monitoring-monitoring-kube-prometheus.monitoring.svc.cluster.local:9090
+
+    image:
+      repository: registry1.dso.mil/ironbank/opensource/haproxy/haproxy22
+    containerPorts:
+      http: 8080
+  dependsOn:
+    - name: istio
+      namespace: {{ .Release.Namespace }}
+    - name: monitoring
+      namespace: {{ .Release.Namespace }}
+{{- end }}
\ No newline at end of file

chart/templates/haproxy/gitrepository.yaml

+apiVersion: source.toolkit.fluxcd.io/v1beta1
+kind: GitRepository
+metadata:
+  name: haproxy
+  namespace: {{ .Release.Namespace }}
+spec:
+  interval: {{ .Values.flux.interval }}
+  url: {{ .Values.addons.haproxy.git.repo}}
+  ref:
+    {{- include "validRef" .Values.addons.haproxy.git | nindent 4 }}
+  {{ include "gitIgnore" . }}
+  {{- include "gitCreds" .Values.git | nindent 2 }}
\ No newline at end of file

chart/templates/istio/controlplane/istio-controlplane-helmrelease.yaml

@@ -38,10 +38,24 @@ spec:
       valuesKey: "istio.yaml"
   values:
     hostname: {{ .Values.hostname }}
+    sso:
+      enabled: {{ .Values.istio.sso.enabled }}
 
     imagePullSecrets:
       - private-registry
 
+{{- if .Values.istio.sso.enabled }}
+    ingress:
+      kiali:
+        service: authservice-haproxy-sso
+        port: 8080
+        namespace: authservice
+      jaeger:
+        service: authservice-haproxy-sso
+        port: 8080
+        namespace: authservice
+{{- end }}
+
   dependsOn:
     - name: istio-operator
       namespace: {{ .Release.Namespace }}

chart/templates/monitoring/monitoring-helmrelease.yaml

@@ -41,6 +41,8 @@ spec:
     hostname: {{ .Values.hostname }}
     istio:
       enabled: {{ .Values.istio.enabled }}
+    sso:
+      enabled: {{ .Values.monitoring.sso.enabled }}
     global:
       imagePullSecrets:
         - name: private-registry
@@ -56,6 +58,18 @@ spec:
       imagePullSecrets:
       - name: private-registry
 
+{{- if .Values.monitoring.sso.enabled }}
+    ingress:
+      prometheus:
+        service: authservice-haproxy-sso
+        port: 8080
+        namespace: authservice
+      alertmanager:
+        service: authservice-haproxy-sso
+        port: 8080
+        namespace: authservice
+{{- end }}
+
   # TODO: DRY this up
   {{- if or .Values.gatekeeper.enabled .Values.istio.enabled }}
   dependsOn:

chart/templates/values.yaml

@@ -11,8 +11,22 @@ stringData:
 {{ toYaml .Values.addons.argocd.values | indent 4 }}
   istiooperator.yaml: |
 {{ toYaml .Values.istiooperator.values | indent 4  }}
-  authservice.yaml: |
+  authservice.yaml: | 
+    chains:
+    {{- if .Values.addons.authservice.chains }}
+      {{ .Values.addons.authservice.chains | toYaml | nindent 6 }}
+    {{- end }}
+      kiali:
+        client_secret: "{{ .Values.istio.sso.kiali.client_secret }}"
+      jaeger:
+        client_secret: "{{ .Values.istio.sso.jaeger.client_secret }}"
+      prometheus:
+        client_secret: "{{ .Values.monitoring.sso.prometheus.client_secret }}"
+      alertmanager:
+        client_secret: "{{ .Values.monitoring.sso.alertmanager.client_secret }}"
+{{ if .Values.addons.authservice.values }}
 {{ toYaml .Values.addons.authservice.values | indent 4 }}
+{{- end }}
   istio.yaml: |
 {{ toYaml .Values.istio.values | indent 4  }}
   gatekeeper.yaml: |
@@ -24,7 +38,11 @@ stringData:
   logging.yaml: |
 {{ toYaml .Values.logging.values | indent 4 }}
   monitoring.yaml: |
+    grafana_client_id: {{ .Values.monitoring.sso.grafana.client_id | quote }}
+    grafana_client_secret: {{ .Values.monitoring.sso.grafana.client_secret | quote }}
+{{ if .Values.monitoring.values }}
 {{ toYaml .Values.monitoring.values | indent 4 }}
+{{- end }}
   twistlock.yaml: |
 {{ toYaml .Values.twistlock.values | indent 4 }} 
   clusterauditor.yaml: |

chart/values.yaml

@@ -46,6 +46,16 @@ git:
     publicKey: ""
     knownHosts: ""
 
+# Gloabl SSO parameters
+sso:
+  oidc:
+    host: login.dso.mil
+    realm: baby-yoda
+  certificate_authority: ''
+  jwks: ""
+  client_id: ""
+  client_secret: ""
+
 # Flux reconciliation parameters
 flux:
   interval: 2m
@@ -65,7 +75,15 @@ istio:
   git:
     repo: https://repo1.dsop.io/platform-one/big-bang/apps/core/istio-controlplane.git
     path: "./chart"
-    tag: "1.7.3-bb.4"
+    tag: "1.7.3-bb.6"
+  sso:
+    enabled: false
+    kiali:
+      client_id: kiali
+      client_secret: "change_me"
+    jaeger:
+      client_id: jaeger
+      client_secret: "change_me"
   values: {}
 
 istiooperator:
@@ -137,7 +155,18 @@ monitoring:
   git:
     repo: https://repo1.dsop.io/platform-one/big-bang/apps/core/monitoring.git
     path: "./chart"
-    tag: "11.0.0-bb.4"
+    tag: "11.0.0-bb.6"
+  sso:
+    enabled: false
+    prometheus:
+      client_id: prometheus
+      client_secret: "change_me"
+    alertmanager:
+      client_id: alertmanager
+      client_secret: "change_me"
+    grafana:
+      client_id: grafana
+      client_secret: "change_me"
   values: {}
 # ----------------------------------------------------------------------------------------------------------------------
 
@@ -163,12 +192,21 @@ addons:
     values: {}
 
   authservice:
+    # if enabling authservice, a filter needs to be provided by either enabling
+    # sso for monitoring or istio, or manually adding a filter chain in the values here:
+    # values:
+    #   chain:
+    #     minimal:
+    #       callback_uri: "https://somecallback"
     enabled: false
     git:
       repo: https://repo1.dsop.io/platform-one/big-bang/apps/sandbox/authservice.git
       path: "./chart"
       tag: "0.1.6-bb.0"
+    # Dont put chain configuraitons in this section
     values: {}
+    # Put additional chain configuration in this section
+    chains: {}
 
   gitlab:
     enabled: false
@@ -176,3 +214,10 @@ addons:
       repo: https://repo1.dso.mil/platform-one/big-bang/apps/developer-tools/gitlab.git
       path: "./chart"
       tag: "4.2.0-bb.1"
+
+  haproxy:
+    git:
+      repo: https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/haproxy.git
+      path: "./chart"
+      tag: 1.1.2-bb.0
+    values: {}
\ No newline at end of file

scripts/deploy/02_wait_for_helmrealeases.sh

@@ -3,7 +3,7 @@
 set -e
 
 ## This is an array to instantiate the order of wait conditions
-ORDERED_HELMRELEASES="gatekeeper istio-operator istio monitoring eck-operator ek fluent-bit twistlock cluster-auditor gitlab"
+ORDERED_HELMRELEASES="gatekeeper istio-operator istio monitoring eck-operator ek fluent-bit twistlock cluster-auditor authservice argocd gitlab"
 
 
 ## This the actual deployed helmrelease objects in the cluster

tests/ci/k3d/values.yaml

@@ -58,6 +58,9 @@ addons:
     enabled: true
   authservice:
     enabled: true
+    chains:
+      minimal:
+        callback_uri: "https://minimal.bigbang.dev"
   gitlab:
     enabled: true
     values: