From 0c1a5648679a22b803a1d99496b726d2f498e8d0 Mon Sep 17 00:00:00 2001
From: "garcia.ryan" <garcia.ryan@solute.us>
Date: Thu, 21 Jan 2021 04:34:07 -0700
Subject: [PATCH] feat: allow sso for kiali, jaeger, prometheus and
alertmanager via authservice
---
chart/Chart.yaml | 2 +-
.../authservice/authservice-helmrelease.yaml | 46 +++++-
chart/templates/authservice/namespace.yaml | 155 ++++++++++++++++++
chart/templates/haproxy/gitrepository.yaml | 12 ++
.../istio-controlplane-helmrelease.yaml | 14 ++
.../monitoring/monitoring-helmrelease.yaml | 14 ++
chart/templates/values.yaml | 20 ++-
chart/values.yaml | 49 +++++-
scripts/deploy/02_wait_for_helmrealeases.sh | 2 +-
tests/ci/k3d/values.yaml | 3 +
10 files changed, 307 insertions(+), 10 deletions(-)
create mode 100644 chart/templates/authservice/namespace.yaml
create mode 100644 chart/templates/haproxy/gitrepository.yaml
diff --git a/chart/Chart.yaml b/chart/Chart.yaml
index 02a48339ac..1a647e34fc 100644
--- a/chart/Chart.yaml
+++ b/chart/Chart.yaml
@@ -1,3 +1,3 @@
apiVersion: v2
name: bigbang
-version: 1.0.5
+version: 1.0.6
diff --git a/chart/templates/authservice/authservice-helmrelease.yaml b/chart/templates/authservice/authservice-helmrelease.yaml
index 52a575e661..1d86682814 100644
--- a/chart/templates/authservice/authservice-helmrelease.yaml
+++ b/chart/templates/authservice/authservice-helmrelease.yaml
@@ -1,11 +1,11 @@
-{{- if and .Values.istio.enabled .Values.addons.authservice.enabled }}
+{{- if and .Values.istio.enabled ( or .Values.addons.authservice.enabled .Values.istio.sso.enabled ) }}
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: authservice
namespace: {{ .Release.Namespace }}
spec:
- targetNamespace: istio-system
+ targetNamespace: authservice
chart:
spec:
chart: {{ .Values.addons.authservice.git.path }}
@@ -39,9 +39,45 @@ spec:
values:
imagePullSecrets:
- name: private-registry
-
- filterLabel: keycloak
-
+ global:
+ oidc:
+ host: {{ .Values.sso.oidc.host }}
+ realm: {{ .Values.sso.oidc.realm }}
+ {{- if .Values.sso.jwks }}
+ jwks: "{{ .Values.sso.jwks }}"
+ {{- end }}
+{{- if .Values.sso.client_id}}
+ client_id: {{ .Values.sso.client_id }}
+{{- end }}
+{{- if .Values.sso.client_secret }}
+ client_secret: {{ .Values.sso.client_secret }}
+{{- end }}
+ certificate_authority: {{ .Values.sso.certificate_authority }}
+ chains:
+ kiali:
+ match:
+ header: ":authority"
+ prefix: "kiali"
+ client_id: {{ .Values.istio.sso.kiali.client_id }}
+ callback_uri: https://kiali.{{ .Values.hostname }}/login
+ jaeger:
+ match:
+ header: ":authority"
+ prefix: "tracing"
+ client_id: "{{ .Values.istio.sso.jaeger.client_id }}"
+ callback_uri: https://tracing.{{ .Values.hostname }}/login
+ prometheus:
+ match:
+ header: ":authority"
+ prefix: "prometheus"
+ client_id: {{ .Values.monitoring.sso.prometheus.client_id }}
+ callback_uri: https://prometheus.{{ .Values.hostname }}/login/generic_oauth
+ alertmanager:
+ match:
+ header: ":authority"
+ prefix: "alertmanager"
+ client_id: {{ .Values.monitoring.sso.alertmanager.client_id }}
+ callback_uri: https://alertmanager.{{ .Values.hostname }}/login/generic_oauth
dependsOn:
- name: istio
namespace: {{ .Release.Namespace }}
diff --git a/chart/templates/authservice/namespace.yaml b/chart/templates/authservice/namespace.yaml
new file mode 100644
index 0000000000..603721cdd0
--- /dev/null
+++ b/chart/templates/authservice/namespace.yaml
@@ -0,0 +1,155 @@
+{{- if and .Values.istio.enabled .Values.addons.authservice.enabled }}
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: authservice
+ {{- if .Values.istio.enabled }}
+ labels:
+ istio-injection: enabled
+ {{- end }}
+
+{{- if and (ne .Values.registryCredentials.username "") (ne .Values.registryCredentials.password "") }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: private-registry
+ namespace: authservice
+type: kubernetes.io/dockerconfigjson
+data:
+ .dockerconfigjson: {{ template "imagePullSecret" . }}
+{{- end }}
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ name: haproxy-sso
+ namespace: {{ .Release.Namespace }}
+spec:
+ targetNamespace: authservice
+ chart:
+ spec:
+ chart: "./chart"
+ interval: 5m
+ sourceRef:
+ kind: GitRepository
+ name: haproxy
+ namespace: {{ .Release.Namespace }}
+
+ {{- with .Values.flux }}
+ interval: {{ .interval }}
+ test:
+ enable: false
+ install:
+ remediation:
+ retries: {{ .install.retries }}
+ upgrade:
+ remediation:
+ retries: {{ .upgrade.retries }}
+ remediateLastFailure: true
+ cleanupOnFail: true
+ rollback:
+ timeout: {{ .rollback.timeout }}
+ cleanupOnFail: {{ .rollback.cleanupOnFail }}
+ {{- end }}
+
+ values:
+ hostname: {{ .Values.hostname }}
+
+ podLabels:
+ protect: keycloak
+ config: |
+ global
+ maxconn 1024
+ daemon
+ log stdout format raw local0 info
+ defaults
+ log global
+ mode http
+ option httplog
+ timeout client 60s
+ timeout connect 60s
+ timeout server 60s
+ frontend fe_main
+ # Create custom headers as temporary holding places for info
+ http-request set-header X-Scheme http if !{ ssl_fc }
+ http-request set-header X-Scheme https if { ssl_fc }
+ http-request set-header X-TraceId %[rand,hex,bytes(8,8),lower]%[rand,hex,bytes(8,8),lower]%[rand,hex,bytes(8,8),lower]
+ http-request set-header X-SegmentId0 %[rand,hex,bytes(8,8),lower]%[rand,hex,bytes(8,8),lower]
+ http-request set-header X-SegmentId1 %[rand,hex,bytes(8,8),lower]%[rand,hex,bytes(8,8),lower]
+ http-request set-header X-SegmentId2 %[rand,hex,bytes(8,8),lower]%[rand,hex,bytes(8,8),lower]
+ http-request set-header X-SegmentId3 %[rand,hex,bytes(8,8),lower]%[rand,hex,bytes(8,8),lower]
+ http-request set-header X-SegmentId4 %[rand,hex,bytes(8,8),lower]%[rand,hex,bytes(8,8),lower]
+
+ # Declare capture slots for logging headers
+ declare capture request len 512
+ http-request capture req.fhdr(User-Agent) id 0
+
+ declare capture request len 5
+ http-request capture req.hdr(X-Scheme) id 1
+
+ declare capture request len 512
+ http-request capture req.hdr(Host) id 2
+
+ declare capture request len 24
+ http-request capture req.hdr(X-TraceId) id 3
+
+ declare capture request len 16
+ http-request capture req.hdr(X-SegmentId0) id 4
+
+ declare capture request len 16
+ http-request capture req.hdr(X-SegmentId1) id 5
+
+ declare capture request len 16
+ http-request capture req.hdr(X-SegmentId2) id 6
+
+ declare capture request len 16
+ http-request capture req.hdr(X-SegmentId3) id 7
+
+ declare capture request len 16
+ http-request capture req.hdr(X-SegmentId4) id 8
+
+ declare capture response len 8
+ http-response capture res.hdr(Content-Length) id 0
+
+ # Generate a unique Trace ID
+ unique-id-format %{+X}o\ 1-%[date,hex,bytes(8,8),lower]-%[capture.req.hdr(3)]
+ http-request set-header X-Amzn-Trace-Id Root=%[unique-id,lower]
+ bind :8080
+ acl host_kiali hdr(host) -i kiali.{{ .Values.hostname }}
+ acl host_tracing hdr(host) -i tracing.{{ .Values.hostname }}
+ acl host_alertmanager hdr(host) -i alertmanager.{{ .Values.hostname }}
+ acl host_prometheus hdr(host) -i prometheus.{{ .Values.hostname }}
+
+ option forwardfor
+ use_backend kiali_main if host_kiali
+ use_backend tracing_main if host_tracing
+ use_backend alertmanager_main if host_alertmanager
+ use_backend prometheus_main if host_prometheus
+ backend kiali_main
+ mode http
+ server kiali kiali.istio-system.svc.cluster.local:20001
+ backend tracing_main
+ mode http
+ server jaeger tracing.istio-system.svc.cluster.local:80
+ backend alertmanager_main
+ mode http
+ option forwardfor
+ http-request replace-header Host .* monitoring-monitoring-kube-alertmanager.monitoring.svc.cluster.local
+ server alertmanager monitoring-monitoring-kube-alertmanager.monitoring.svc.cluster.local:9093
+ backend prometheus_main
+ mode http
+ option forwardfor
+ http-request replace-header Host .* monitoring-monitoring-kube-prometheus.monitoring.svc.cluster.local
+ server prometheus monitoring-monitoring-kube-prometheus.monitoring.svc.cluster.local:9090
+
+ image:
+ repository: registry1.dso.mil/ironbank/opensource/haproxy/haproxy22
+ containerPorts:
+ http: 8080
+ dependsOn:
+ - name: istio
+ namespace: {{ .Release.Namespace }}
+ - name: monitoring
+ namespace: {{ .Release.Namespace }}
+{{- end }}
\ No newline at end of file
diff --git a/chart/templates/haproxy/gitrepository.yaml b/chart/templates/haproxy/gitrepository.yaml
new file mode 100644
index 0000000000..f873b93b48
--- /dev/null
+++ b/chart/templates/haproxy/gitrepository.yaml
@@ -0,0 +1,12 @@
+apiVersion: source.toolkit.fluxcd.io/v1beta1
+kind: GitRepository
+metadata:
+ name: haproxy
+ namespace: {{ .Release.Namespace }}
+spec:
+ interval: {{ .Values.flux.interval }}
+ url: {{ .Values.addons.haproxy.git.repo}}
+ ref:
+ {{- include "validRef" .Values.addons.haproxy.git | nindent 4 }}
+ {{ include "gitIgnore" . }}
+ {{- include "gitCreds" .Values.git | nindent 2 }}
\ No newline at end of file
diff --git a/chart/templates/istio/controlplane/istio-controlplane-helmrelease.yaml b/chart/templates/istio/controlplane/istio-controlplane-helmrelease.yaml
index f755338950..1488bae59a 100644
--- a/chart/templates/istio/controlplane/istio-controlplane-helmrelease.yaml
+++ b/chart/templates/istio/controlplane/istio-controlplane-helmrelease.yaml
@@ -38,10 +38,24 @@ spec:
valuesKey: "istio.yaml"
values:
hostname: {{ .Values.hostname }}
+ sso:
+ enabled: {{ .Values.istio.sso.enabled }}
imagePullSecrets:
- private-registry
+{{- if .Values.istio.sso.enabled }}
+ ingress:
+ kiali:
+ service: authservice-haproxy-sso
+ port: 8080
+ namespace: authservice
+ jaeger:
+ service: authservice-haproxy-sso
+ port: 8080
+ namespace: authservice
+{{- end }}
+
dependsOn:
- name: istio-operator
namespace: {{ .Release.Namespace }}
diff --git a/chart/templates/monitoring/monitoring-helmrelease.yaml b/chart/templates/monitoring/monitoring-helmrelease.yaml
index 95d19c6ca0..946a2f7ebe 100644
--- a/chart/templates/monitoring/monitoring-helmrelease.yaml
+++ b/chart/templates/monitoring/monitoring-helmrelease.yaml
@@ -41,6 +41,8 @@ spec:
hostname: {{ .Values.hostname }}
istio:
enabled: {{ .Values.istio.enabled }}
+ sso:
+ enabled: {{ .Values.monitoring.sso.enabled }}
global:
imagePullSecrets:
- name: private-registry
@@ -56,6 +58,18 @@ spec:
imagePullSecrets:
- name: private-registry
+{{- if .Values.monitoring.sso.enabled }}
+ ingress:
+ prometheus:
+ service: authservice-haproxy-sso
+ port: 8080
+ namespace: authservice
+ alertmanager:
+ service: authservice-haproxy-sso
+ port: 8080
+ namespace: authservice
+{{- end }}
+
# TODO: DRY this up
{{- if or .Values.gatekeeper.enabled .Values.istio.enabled }}
dependsOn:
diff --git a/chart/templates/values.yaml b/chart/templates/values.yaml
index edf4a8caa9..7f52832ca9 100644
--- a/chart/templates/values.yaml
+++ b/chart/templates/values.yaml
@@ -11,8 +11,22 @@ stringData:
{{ toYaml .Values.addons.argocd.values | indent 4 }}
istiooperator.yaml: |
{{ toYaml .Values.istiooperator.values | indent 4 }}
- authservice.yaml: |
+ authservice.yaml: |
+ chains:
+ {{- if .Values.addons.authservice.chains }}
+ {{ .Values.addons.authservice.chains | toYaml | nindent 6 }}
+ {{- end }}
+ kiali:
+ client_secret: "{{ .Values.istio.sso.kiali.client_secret }}"
+ jaeger:
+ client_secret: "{{ .Values.istio.sso.jaeger.client_secret }}"
+ prometheus:
+ client_secret: "{{ .Values.monitoring.sso.prometheus.client_secret }}"
+ alertmanager:
+ client_secret: "{{ .Values.monitoring.sso.alertmanager.client_secret }}"
+{{ if .Values.addons.authservice.values }}
{{ toYaml .Values.addons.authservice.values | indent 4 }}
+{{- end }}
istio.yaml: |
{{ toYaml .Values.istio.values | indent 4 }}
gatekeeper.yaml: |
@@ -24,7 +38,11 @@ stringData:
logging.yaml: |
{{ toYaml .Values.logging.values | indent 4 }}
monitoring.yaml: |
+ grafana_client_id: {{ .Values.monitoring.sso.grafana.client_id | quote }}
+ grafana_client_secret: {{ .Values.monitoring.sso.grafana.client_secret | quote }}
+{{ if .Values.monitoring.values }}
{{ toYaml .Values.monitoring.values | indent 4 }}
+{{- end }}
twistlock.yaml: |
{{ toYaml .Values.twistlock.values | indent 4 }}
clusterauditor.yaml: |
diff --git a/chart/values.yaml b/chart/values.yaml
index f3acaaa827..68da2cbcfa 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -46,6 +46,16 @@ git:
publicKey: ""
knownHosts: ""
+# Gloabl SSO parameters
+sso:
+ oidc:
+ host: login.dso.mil
+ realm: baby-yoda
+ certificate_authority: ''
+ jwks: ""
+ client_id: ""
+ client_secret: ""
+
# Flux reconciliation parameters
flux:
interval: 2m
@@ -65,7 +75,15 @@ istio:
git:
repo: https://repo1.dsop.io/platform-one/big-bang/apps/core/istio-controlplane.git
path: "./chart"
- tag: "1.7.3-bb.4"
+ tag: "1.7.3-bb.6"
+ sso:
+ enabled: false
+ kiali:
+ client_id: kiali
+ client_secret: "change_me"
+ jaeger:
+ client_id: jaeger
+ client_secret: "change_me"
values: {}
istiooperator:
@@ -137,7 +155,18 @@ monitoring:
git:
repo: https://repo1.dsop.io/platform-one/big-bang/apps/core/monitoring.git
path: "./chart"
- tag: "11.0.0-bb.4"
+ tag: "11.0.0-bb.6"
+ sso:
+ enabled: false
+ prometheus:
+ client_id: prometheus
+ client_secret: "change_me"
+ alertmanager:
+ client_id: alertmanager
+ client_secret: "change_me"
+ grafana:
+ client_id: grafana
+ client_secret: "change_me"
values: {}
# ----------------------------------------------------------------------------------------------------------------------
@@ -163,12 +192,21 @@ addons:
values: {}
authservice:
+ # if enabling authservice, a filter needs to be provided by either enabling
+ # sso for monitoring or istio, or manually adding a filter chain in the values here:
+ # values:
+ # chain:
+ # minimal:
+ # callback_uri: "https://somecallback"
enabled: false
git:
repo: https://repo1.dsop.io/platform-one/big-bang/apps/sandbox/authservice.git
path: "./chart"
tag: "0.1.6-bb.0"
+ # Dont put chain configuraitons in this section
values: {}
+ # Put additional chain configuration in this section
+ chains: {}
gitlab:
enabled: false
@@ -176,3 +214,10 @@ addons:
repo: https://repo1.dso.mil/platform-one/big-bang/apps/developer-tools/gitlab.git
path: "./chart"
tag: "4.2.0-bb.1"
+
+ haproxy:
+ git:
+ repo: https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/haproxy.git
+ path: "./chart"
+ tag: 1.1.2-bb.0
+ values: {}
\ No newline at end of file
diff --git a/scripts/deploy/02_wait_for_helmrealeases.sh b/scripts/deploy/02_wait_for_helmrealeases.sh
index 6347c9f6e0..3ef6696f93 100755
--- a/scripts/deploy/02_wait_for_helmrealeases.sh
+++ b/scripts/deploy/02_wait_for_helmrealeases.sh
@@ -3,7 +3,7 @@
set -e
## This is an array to instantiate the order of wait conditions
-ORDERED_HELMRELEASES="gatekeeper istio-operator istio monitoring eck-operator ek fluent-bit twistlock cluster-auditor gitlab"
+ORDERED_HELMRELEASES="gatekeeper istio-operator istio monitoring eck-operator ek fluent-bit twistlock cluster-auditor authservice argocd gitlab"
## This the actual deployed helmrelease objects in the cluster
diff --git a/tests/ci/k3d/values.yaml b/tests/ci/k3d/values.yaml
index 16fb20cc98..e34790bfac 100644
--- a/tests/ci/k3d/values.yaml
+++ b/tests/ci/k3d/values.yaml
@@ -58,6 +58,9 @@ addons:
enabled: true
authservice:
enabled: true
+ chains:
+ minimal:
+ callback_uri: "https://minimal.bigbang.dev"
gitlab:
enabled: true
values:
--
GitLab