Merge branch '666-multi-ingress-gateways-ci-pipeline' into 'master'

SKIP UPGRADE: Resolve "Update CI pipeline to handle multi-ingress gateways and Keycloak"

Closes #666

See merge request platform-one/big-bang/bigbang!897

.gitlab-ci.yml

@@ -115,7 +115,6 @@ clean install:
   script:
     - *deploy_bigbang
     - *test_bigbang
-
     # Fetch list of all images ran (retry crictl up to 6x)
     - echo -e "\e[0Ksection_start:`date +%s`:images_used[collapsed=true]\r\e[0K\e[33;1mImages Used\e[37m"
     - cid=$(docker ps -aqf "name=k3d-${CI_JOB_ID}-server-0")

.gitlab-ci/jobs/ci-cluster/.gitlab-ci.yml

@@ -30,9 +30,10 @@
     - echo -e "\e[0Ksection_start:`date +%s`:k3d_up[collapsed=true]\r\e[0K\e[33;1mK3D Cluster Create\e[37m"  
     # Give docker-in-docker time to come alive
     - i=0; while [ "$i" -lt 12 ]; do docker info &>/dev/null && break; sleep 5; i=$(( i + 1 )) ; done
-    - docker network create ${CI_JOB_ID} --driver=bridge -o "com.docker.network.driver.mtu"="1450"
-    - k3d cluster create ${CI_JOB_ID} --config tests/ci/k3d/config.yaml --network ${CI_JOB_ID}
+    - docker network create ${CI_JOB_ID} --driver=bridge -o "com.docker.network.driver.mtu"="1450" --subnet=172.20.0.0/16
+    - chmod +x tests/ci/k3d/deploy_k3d.sh; echo "Executing tests/ci/k3d/deploy_k3d.sh..."; ./tests/ci/k3d/deploy_k3d.sh
     - until kubectl get deployment coredns -n kube-system -o go-template='{{.status.availableReplicas}}' | grep -v -e '<no value>'; do sleep 1s; done
+    - chmod +x tests/ci/k3d/metallb/install_metallb.sh; echo "Executing tests/ci/k3d/metallb/install_metallb.sh..."; ./tests/ci/k3d/metallb/install_metallb.sh
     - kubectl get all -A
     - echo -e "\e[0Ksection_end:`date +%s`:k3d_up\r\e[0K"    
   after_script:

tests/ci/k3d/deploy_k3d.sh

+#!/usr/bin/env bash
+
+set -ex
+# if keycloak label or all packages label add deploy k3d without loadbalancer so metallb can be used
+if [[ $CI_MERGE_REQUEST_LABELS =~ "keycloak" ||  $CI_MERGE_REQUEST_LABELS =~ "all-packages" ]]; then
+  k3d cluster create ${CI_JOB_ID} --config tests/ci/k3d/disable-servicelb-config.yaml --network ${CI_JOB_ID}
+else
+  k3d cluster create ${CI_JOB_ID} --config tests/ci/k3d/config.yaml --network ${CI_JOB_ID}
+fi

tests/ci/k3d/disable-servicelb-config.yaml

+apiVersion: k3d.io/v1alpha2
+kind: Simple
+name: ci
+servers: 1
+options:
+  k3s:
+    extraServerArgs:
+      - --disable=traefik
+      - --disable=servicelb
+  k3d:
+    wait: true
+volumes:
+  - volume: /etc/machine-id:/etc/machine-id
+    nodeFilters:
+      - server[*]
+      - agent[*]
+ports:
+  - port: 80:80
+    nodeFilters:
+      - loadbalancer
+  - port: 443:443
+    nodeFilters:
+      - loadbalancer
\ No newline at end of file

tests/ci/k3d/metallb/install_metallb.sh

+#!/usr/bin/env bash
+
+set -ex
+
+if [[ $CI_MERGE_REQUEST_LABELS =~ "keycloak" ||  $CI_MERGE_REQUEST_LABELS =~ "all-packages" ]]; then
+  kubectl create -f tests/ci/k3d/metallb/metallb.yaml
+  kubectl create -f tests/ci/k3d/metallb/metallb-config.yaml
+else
+ echo "Keycloak not present, Metallb will not be install"
+fi

tests/ci/k3d/metallb/metallb-config.yaml

+apiVersion: v1
+kind: ConfigMap
+metadata:
+  namespace: metallb-system
+  name: config
+data:
+  config: |
+    address-pools:
+    - name: default
+      protocol: layer2
+      addresses:
+      - 172.20.1.240-172.20.1.243

tests/ci/k3d/metallb/metallb.yaml

+apiVersion: v1
+kind: Namespace
+metadata:
+  name: metallb-system
+  labels:
+    app: metallb
+---
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  labels:
+    app: metallb
+  name: controller
+  namespace: metallb-system
+spec:
+  allowPrivilegeEscalation: false
+  allowedCapabilities: []
+  allowedHostPaths: []
+  defaultAddCapabilities: []
+  defaultAllowPrivilegeEscalation: false
+  fsGroup:
+    ranges:
+    - max: 65535
+      min: 1
+    rule: MustRunAs
+  hostIPC: false
+  hostNetwork: false
+  hostPID: false
+  privileged: false
+  readOnlyRootFilesystem: true
+  requiredDropCapabilities:
+  - ALL
+  runAsUser:
+    ranges:
+    - max: 65535
+      min: 1
+    rule: MustRunAs
+  seLinux:
+    rule: RunAsAny
+  supplementalGroups:
+    ranges:
+    - max: 65535
+      min: 1
+    rule: MustRunAs
+  volumes:
+  - configMap
+  - secret
+  - emptyDir
+---
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  labels:
+    app: metallb
+  name: speaker
+  namespace: metallb-system
+spec:
+  allowPrivilegeEscalation: false
+  allowedCapabilities:
+  - NET_RAW
+  allowedHostPaths: []
+  defaultAddCapabilities: []
+  defaultAllowPrivilegeEscalation: false
+  fsGroup:
+    rule: RunAsAny
+  hostIPC: false
+  hostNetwork: true
+  hostPID: false
+  hostPorts:
+  - max: 7472
+    min: 7472
+  - max: 7946
+    min: 7946
+  privileged: true
+  readOnlyRootFilesystem: true
+  requiredDropCapabilities:
+  - ALL
+  runAsUser:
+    rule: RunAsAny
+  seLinux:
+    rule: RunAsAny
+  supplementalGroups:
+    rule: RunAsAny
+  volumes:
+  - configMap
+  - secret
+  - emptyDir
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    app: metallb
+  name: controller
+  namespace: metallb-system
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    app: metallb
+  name: speaker
+  namespace: metallb-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app: metallb
+  name: metallb-system:controller
+rules:
+- apiGroups:
+  - ''
+  resources:
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ''
+  resources:
+  - services/status
+  verbs:
+  - update
+- apiGroups:
+  - ''
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+- apiGroups:
+  - policy
+  resourceNames:
+  - controller
+  resources:
+  - podsecuritypolicies
+  verbs:
+  - use
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app: metallb
+  name: metallb-system:speaker
+rules:
+- apiGroups:
+  - ''
+  resources:
+  - services
+  - endpoints
+  - nodes
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups: ["discovery.k8s.io"]
+  resources:
+  - endpointslices
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ''
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+- apiGroups:
+  - policy
+  resourceNames:
+  - speaker
+  resources:
+  - podsecuritypolicies
+  verbs:
+  - use
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    app: metallb
+  name: config-watcher
+  namespace: metallb-system
+rules:
+- apiGroups:
+  - ''
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    app: metallb
+  name: pod-lister
+  namespace: metallb-system
+rules:
+- apiGroups:
+  - ''
+  resources:
+  - pods
+  verbs:
+  - list
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    app: metallb
+  name: controller
+  namespace: metallb-system
+rules:
+- apiGroups:
+  - ''
+  resources:
+  - secrets
+  verbs:
+  - create
+- apiGroups:
+  - ''
+  resources:
+  - secrets
+  resourceNames:
+  - memberlist
+  verbs:
+  - list
+- apiGroups:
+  - apps
+  resources:
+  - deployments
+  resourceNames:
+  - controller
+  verbs:
+  - get
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app: metallb
+  name: metallb-system:controller
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: metallb-system:controller
+subjects:
+- kind: ServiceAccount
+  name: controller
+  namespace: metallb-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app: metallb
+  name: metallb-system:speaker
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: metallb-system:speaker
+subjects:
+- kind: ServiceAccount
+  name: speaker
+  namespace: metallb-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    app: metallb
+  name: config-watcher
+  namespace: metallb-system
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: config-watcher
+subjects:
+- kind: ServiceAccount
+  name: controller
+- kind: ServiceAccount
+  name: speaker
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    app: metallb
+  name: pod-lister
+  namespace: metallb-system
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: pod-lister
+subjects:
+- kind: ServiceAccount
+  name: speaker
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    app: metallb
+  name: controller
+  namespace: metallb-system
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: controller
+subjects:
+- kind: ServiceAccount
+  name: controller
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  labels:
+    app: metallb
+    component: speaker
+  name: speaker
+  namespace: metallb-system
+spec:
+  selector:
+    matchLabels:
+      app: metallb
+      component: speaker
+  template:
+    metadata:
+      annotations:
+        prometheus.io/port: '7472'
+        prometheus.io/scrape: 'true'
+      labels:
+        app: metallb
+        component: speaker
+    spec:
+      containers:
+      - args:
+        - --port=7472
+        - --config=config
+        env:
+        - name: METALLB_NODE_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.nodeName
+        - name: METALLB_HOST
+          valueFrom:
+            fieldRef:
+              fieldPath: status.hostIP
+        - name: METALLB_ML_BIND_ADDR
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        # needed when another software is also using memberlist / port 7946
+        # when changing this default you also need to update the container ports definition
+        # and the PodSecurityPolicy hostPorts definition
+        #- name: METALLB_ML_BIND_PORT
+        #  value: "7946"
+        - name: METALLB_ML_LABELS
+          value: "app=metallb,component=speaker"
+        - name: METALLB_ML_SECRET_KEY
+          valueFrom:
+            secretKeyRef:
+              name: memberlist
+              key: secretkey
+        image: registry.dso.mil/platform-one/big-bang/pipeline-templates/pipeline-templates/metallb-speaker:v0.10.2
+        name: speaker
+        ports:
+        - containerPort: 7472
+          name: monitoring
+        - containerPort: 7946
+          name: memberlist-tcp
+        - containerPort: 7946
+          name: memberlist-udp
+          protocol: UDP
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            add:
+            - NET_RAW
+            drop:
+            - ALL
+          readOnlyRootFilesystem: true
+      hostNetwork: true
+      nodeSelector:
+        kubernetes.io/os: linux
+      serviceAccountName: speaker
+      terminationGracePeriodSeconds: 2
+      tolerations:
+      - effect: NoSchedule
+        key: node-role.kubernetes.io/master
+        operator: Exists
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: metallb
+    component: controller
+  name: controller
+  namespace: metallb-system
+spec:
+  revisionHistoryLimit: 3
+  selector:
+    matchLabels:
+      app: metallb
+      component: controller
+  template:
+    metadata:
+      annotations:
+        prometheus.io/port: '7472'
+        prometheus.io/scrape: 'true'
+      labels:
+        app: metallb
+        component: controller
+    spec:
+      containers:
+      - args:
+        - --port=7472
+        - --config=config
+        env:
+        - name: METALLB_ML_SECRET_NAME
+          value: memberlist
+        - name: METALLB_DEPLOYMENT
+          value: controller
+        image: registry.dso.mil/platform-one/big-bang/pipeline-templates/pipeline-templates/metallb-controller:v0.10.2
+        name: controller
+        ports:
+        - containerPort: 7472
+          name: monitoring
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - all
+          readOnlyRootFilesystem: true
+      nodeSelector:
+        kubernetes.io/os: linux
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 65534
+      serviceAccountName: controller
+      terminationGracePeriodSeconds: 0
\ No newline at end of file

tests/ci/keycloak-certs/admin.bigbang.dev-secret.yaml

-apiVersion: v1
-kind: Secret
-metadata:
-  name: public-cert
-  namespace: istio-system
-type: kubernetes.io/tls
-stringData:
-  # *.admin.bigbang.dev
-  tls.crt: |
-    -----BEGIN CERTIFICATE-----
-    MIIFLDCCBBSgAwIBAgISA87F5ACBGZuzPeSeGr2wqcY8MA0GCSqGSIb3DQEBCwUA
-    MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
-    EwJSMzAeFw0yMTA0MTQxNDIzMTRaFw0yMTA3MTMxNDIzMTRaMB4xHDAaBgNVBAMM
-    EyouYWRtaW4uYmlnYmFuZy5kZXYwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
-    AoIBAQC8bJtY3qQC0udgWInp1K81Canpzsd/22mQ9f8GjVNF/7DhCSXRdHNeLtDN
-    eJ2JoH96d1vLAm1YmHJ31aBwVULM0cWPRDkRg2Wjl/sMFoLgxR1ZKdtq3xxC2fwi
-    DXjwv9JyOQgOrQqFxP7BQab1fv9uDfHP1aIxcDN7CpOxJHrjMoxyiPRynNFvw/ii
-    GDJ+Jvomt8opWb4mC2jZMK5WGLvYWj9mkUo9crnQVJBNgU/ebx3j+yWztD6PDnuT
-    NptI3x6OySjbkYlBGhjKMpfQ7mTPCr5pBEgcJFVXVROg8Bum15vn3Uv+4LNe1tHc
-    DxwCJQQJrzGNNc5YMpn81rvltDOTAgMBAAGjggJOMIICSjAOBgNVHQ8BAf8EBAMC
-    BaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAw
-    HQYDVR0OBBYEFLp8IoeSyLzb/tJ57pxDqGX4t/4nMB8GA1UdIwQYMBaAFBQusxe3
-    WFbLrlAJQOYfr52LFMLGMFUGCCsGAQUFBwEBBEkwRzAhBggrBgEFBQcwAYYVaHR0
-    cDovL3IzLm8ubGVuY3Iub3JnMCIGCCsGAQUFBzAChhZodHRwOi8vcjMuaS5sZW5j
-    ci5vcmcvMB4GA1UdEQQXMBWCEyouYWRtaW4uYmlnYmFuZy5kZXYwTAYDVR0gBEUw
-    QzAIBgZngQwBAgEwNwYLKwYBBAGC3xMBAQEwKDAmBggrBgEFBQcCARYaaHR0cDov
-    L2Nwcy5sZXRzZW5jcnlwdC5vcmcwggEEBgorBgEEAdZ5AgQCBIH1BIHyAPAAdgCU
-    ILwejtWNbIhzH4KLIiwN0dpNXmxPlD1h204vWE2iwgAAAXjQ+rZ5AAAEAwBHMEUC
-    IQCOtTENOPlAwvmnqNxm9LHWo1TkNpLZqdCQWffa3zc2sAIgVpNs+pLLUmJfwq0+
-    FRSQJB9FyrH7js53BSZ1WyfY6GwAdgB9PvL4j/+IVWgkwsDKnlKJeSvFDngJfy5q
-    l2iZfiLw1wAAAXjQ+razAAAEAwBHMEUCIQDCliAyo7EV92Kmp5zeoVfeqklvPPYi
-    p43KG/yc6gbiBwIgHpQYiQ5MCcJHnnol3Ku35ZYJw8jcWy7aW2S9gHR3eeUwDQYJ
-    KoZIhvcNAQELBQADggEBACUBLIHwOvyAsXlRGxqDKBGcl8BmbelWgp+XXsf9MZd0
-    hYYrPlnQL95C5R78FXmYlG24J4uHLMTvz+gYe/WRv4Cjr8It+EaoGATZ8zGa2OlY
-    FTfx6dLk/h2KPF9N45o5rsUtlTlTfJYGz58p30XefLwOdIrez8UtEV2fWevAWwYw
-    ZGLvPczwDABye0OUou+M+BoZQOI6hrcQ3IXGlf/VQKzBp1dOOxZB7bx3mOzg1CI6
-    1AebDLxybOev4Ke25jbtst6i4HG1feFXm4yL1utNsn15uBVoQVfKeLVvMO3Y2Hyi
-    DZvLATJX4qq0e2wDcETc8fxshOUnYhpzrbUctVBBncA=
-    -----END CERTIFICATE-----
-    -----BEGIN CERTIFICATE-----
-    MIIEZTCCA02gAwIBAgIQQAF1BIMUpMghjISpDBbN3zANBgkqhkiG9w0BAQsFADA/
-    MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
-    DkRTVCBSb290IENBIFgzMB4XDTIwMTAwNzE5MjE0MFoXDTIxMDkyOTE5MjE0MFow
-    MjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxCzAJBgNVBAMT
-    AlIzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuwIVKMz2oJTTDxLs
-    jVWSw/iC8ZmmekKIp10mqrUrucVMsa+Oa/l1yKPXD0eUFFU1V4yeqKI5GfWCPEKp
-    Tm71O8Mu243AsFzzWTjn7c9p8FoLG77AlCQlh/o3cbMT5xys4Zvv2+Q7RVJFlqnB
-    U840yFLuta7tj95gcOKlVKu2bQ6XpUA0ayvTvGbrZjR8+muLj1cpmfgwF126cm/7
-    gcWt0oZYPRfH5wm78Sv3htzB2nFd1EbjzK0lwYi8YGd1ZrPxGPeiXOZT/zqItkel
-    /xMY6pgJdz+dU/nPAeX1pnAXFK9jpP+Zs5Od3FOnBv5IhR2haa4ldbsTzFID9e1R
-    oYvbFQIDAQABo4IBaDCCAWQwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8E
-    BAMCAYYwSwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5p
-    ZGVudHJ1c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTE
-    p7Gkeyxx+tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEE
-    AYLfEwEBATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2Vu
-    Y3J5cHQub3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0
-    LmNvbS9EU1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYf
-    r52LFMLGMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjANBgkqhkiG9w0B
-    AQsFAAOCAQEA2UzgyfWEiDcx27sT4rP8i2tiEmxYt0l+PAK3qB8oYevO4C5z70kH
-    ejWEHx2taPDY/laBL21/WKZuNTYQHHPD5b1tXgHXbnL7KqC401dk5VvCadTQsvd8
-    S8MXjohyc9z9/G2948kLjmE6Flh9dDYrVYA9x2O+hEPGOaEOa1eePynBgPayvUfL
-    qjBstzLhWVQLGAkXXmNs+5ZnPBxzDJOLxhF2JIbeQAcH5H0tZrUlo5ZYyOqA7s9p
-    O5b85o3AM/OJ+CktFBQtfvBhcJVd9wvlwPsk+uyOy2HI7mNxKKgsBTt375teA2Tw
-    UdHkhVNcsAKX1H7GNNLOEADksd86wuoXvg==
-    -----END CERTIFICATE-----
-  tls.key: |
-    -----BEGIN PRIVATE KEY-----
-    MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC8bJtY3qQC0udg
-    WInp1K81Canpzsd/22mQ9f8GjVNF/7DhCSXRdHNeLtDNeJ2JoH96d1vLAm1YmHJ3
-    1aBwVULM0cWPRDkRg2Wjl/sMFoLgxR1ZKdtq3xxC2fwiDXjwv9JyOQgOrQqFxP7B
-    Qab1fv9uDfHP1aIxcDN7CpOxJHrjMoxyiPRynNFvw/iiGDJ+Jvomt8opWb4mC2jZ
-    MK5WGLvYWj9mkUo9crnQVJBNgU/ebx3j+yWztD6PDnuTNptI3x6OySjbkYlBGhjK
-    MpfQ7mTPCr5pBEgcJFVXVROg8Bum15vn3Uv+4LNe1tHcDxwCJQQJrzGNNc5YMpn8
-    1rvltDOTAgMBAAECggEACINbrXM5s8r1mzvE12S9mcba/25RQyyVo3AJ2rDt7z6z
-    Liespr79K2cwFeh6Laqrt8vGwPBWImeY3GMxgYHIp9pec6+gaHMoV3DZbd1igmdF
-    gS7L9BMqgra4lo1HRpFUH8cF3yvgStTwsaiWs4bOYZmNsFc1ocgw+0EqFRnR14vw
-    Q6pxlNlR0wND4WwEQ+PEFuGyaZpcnDA38vwaNyIVl99pRXXojvfco7dacYyce40o
-    O02mtl2yME4ssCgYPcThonPaUDjF594q7J2kqVRp6mJ0J9lvsxPRZ3NC1tOfVgzI
-    E/YVeNx7S9r0ONTJFLfRidd+udBKBCUM7NcKygqk8QKBgQDiQc0LPe7NWzfZ5Ks2
-    IeZZ1S7CX/Eyv7VW90YhOUTF9g9PmmH1v539vp9xdHlo9YaF2dXuf1GsMgpNQ4IZ
-    Nuz5xwvvmma3demqtOawTpHj3vHpZWOYTL0SEb5XwyPaZZIb33wxDidT8/0CpwPt
-    Tlq6GQ8HPYupHT6cJQcb7PgAmQKBgQDVMZ+0WucFAKeJSEj1zDZA0EzUqiFfLCpP
-    gko9+9yhPvl7Q6c+oOV0brx0ny+racLUsV0m8vzvvLFxHTubPa7CMKf5s7c3EPQv
-    8GqovlsvgzchwxRRs0KQMhQSZw1X2UDSBDci0AwZRXrJQp3odJk+0Pq5MslfCF6s
-    fwWxV6C1CwKBgBSvv3ePqg3MkUayyZShdNYxz5yl+P+S15mj8h2HhuoynSPCEcLO
-    Sjuw+hL9ezxFdo82Y4Dy0xzTVm3KBlMX2oLb2BOIImwTs9GPyKfGB0C2WZflVT3P
-    hlnolWagyN5m+vzhahFyIdZjMHbVnl5ME6+AKweWcPZ9XgQYvpWnDOXBAoGBAL0I
-    mTEUAQ+geuzxGTBI+DoT+GwAxkJbKNEDF81KC2E2M4Qmgp63j3zjy1ok4+G7jzOE
-    aLJmdfwkdbl0UCvgT5qEBg0UWvoKoFn5dLlWwAeq8zGOhe/DYNv2a3G9ykkAq8cM
-    Uc8eZfvqbWsTFGzPJipaplWcQI1xIHEW1/ddWXPtAoGBAInFXBnVDJiZkhq1adt9
-    3S/YVoMigw6ZD4j7E5g/5QBCs2rnZex20YFuJDvf+HAD/3eohJ6n75QRSZc0sn9j
-    XO49WKI7Qd2XTEL6dGvxGyFRTqrC5dUd3v/wq4XjUz1bI6VTvvHvf7EPCGh1NJ8v
-    PcJzvO/HdugGAG1xWnN7HT4g
-    -----END PRIVATE KEY-----
\ No newline at end of file

tests/ci/keycloak-certs/keycloak-passthrough-values.yaml

@@ -2,89 +2,125 @@ addons:
   keycloak:
     ingress:
       # *.bigbang.dev
+      gateway: "passthrough"
       key: |
         -----BEGIN PRIVATE KEY-----
-        MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDl7oIecDHRb8XB
-        jG4sEW1qsBlI94oIa50KTHWOet7mhW82BX+scWVgqI3PbIVUI144IgKGPSq3SEki
-        gP0zNgSlxNjZZ/UaB99HXlK5kZ87puDvoOYMBiurjq/QzgwygiN9NyyqdUtWdc/V
-        94owxS47HsclhnOEXscVOjSQI/PIGM5G8UXZyeV0yvGVvrUYNbMfz9Mhh3rD2ihw
-        6LQVgX710J7q3IOiC1CDCt0wXur1w18LYs+R1Yu07AM7R5EoEEFB2TZhYgDZ3+v7
-        lvv/EINyVc5FfolIhyV1VG+dZxevHFiuZQ5cNLpiLwep3QreKeNk1ijBhAehRnTM
-        a8fB+mb9AgMBAAECggEAS7KiE/NL82+g43+gJdH2+9DOAj+8qdkD8ogJi8bX63yy
-        iE53IgaTIadcSJWpr3GVa1WHDzrD/WNG8J0Wvu1hylFsMucOwmslDxH2mjFfAvyF
-        wV5vXjYJ2ok3SL8NNPOzS14GznefPe+7ZO4CCNxhxAT1+1ywWzv4vvxSocG0WINy
-        QwbY53vl7/fyJzmkiDUuqRqtVKR/SCvVFyV/Mzb9XwLVVOzme7zMbK9EwlR7XxwH
-        NtjZS2t/DbFUh+O9lj28fuV4qVo83jGWE63P4bEvOXzFC5zu+kpEmQEP5X1UGqqp
-        h1NBPG0oeP17hv0jVzc703dbnBzif58Sc4DFraQ94QKBgQD81+IquSpmW1epJdNu
-        AGAalvPS0JWWjjBrn+sC0JA+7QWGJrGAN8FtZrx/Eu58ovuD3Yra86ilWALWJKQj
-        vaEg/xbrZixbQoap6MI4XYK6hqEY2Og28K4MqQXtvQB5NrjnDdYY7cICStJ8WMGs
-        KV0MKzHGsUbvTBRQGXaFXHDSlwKBgQDozWWIHZ+fO0Rd/nG8M+kRY3HmIFLyxZ7C
-        YZ5pgEn+X4xNi3lghkBMXAx50BB+as158lPrdHLTpkeYbcWg7xfcn2C4V+mKuUDo
-        aAX8TeqbIy/Wc67HxM0+ujRkwNNIqZJhLrE34SGBDzj9jDv+sLAjglAzIbK3vtLR
-        nP5DRQ1JiwKBgFd7Djp/9GaTxgG1H7EYmie5AMV4+7iqm6AxJWvE45OSCG5A5vsY
-        z2jduewxjag778/RECDvWvNSPzD+XngrPRughrqNkF1G6DbTXJeJ6xhESmrBaZ7Q
-        qTeiJ3X5BbfqshDnXaMkaBLI9oilYOUDLrluHHvFjGhxJzoLhVFhCXwjAoGBALmM
-        9C7gRZh5eY1dPzOdQFeepmqgOtzLDDWr7sHyAYfgighIcW6wslDqUPtKDctkvu9C
-        aQbS4q606n2giJMz3hX3ZfSoBTmPXB+gwZyOUb5i9j78J0OMJXaonRfs5LoWhdg1
-        igSayMR/6JGWEz91fn5e4CNQ6YwwaQGvGq1tPSDvAoGBAMH7yzcNoPlTGF7tIHuf
-        xvFGCnnrS+UFWm6JaFCaNmKCr1FqRqa0seQmRl0FrnwXH3Q9/KpepBlcMjxhI1aF
-        ZtXMjqYq3Fe6V8QAx0HxbbAlyzeOnK5xmKfzV0YXSHH5GjvK99zKT6s8Gu1jxu4I
-        vfkczrrBlKbNp5wxPgjcAZd7
+        MIIEwAIBADANBgkqhkiG9w0BAQEFAASCBKowggSmAgEAAoIBAQD1ahjVSH4A+inh
+        YyeVfOMQJhzrtt7OXpcGbSeepDY0lz+opc29BWafqcwZKef12aYMU7CzoyPJCL13
+        gOjn6FbU3h8FNkDZQ0kiZfGWQxHGYoJLB8MdXKyYgcynDCczMFNR/mc7YwF0IMVp
+        iApW/XYg2sv4ouuaBAZI/F7jQVYl1SB18gkk180YxZK9mzetie8V9dCEMkodH1tq
+        +BRzCYbrh3oSX/dL/CXYq/x29nFYTZmMctMc7T9ligS7n/JCBVTsLLGL/BL7E/Ba
+        8g54qDGR78FEW1kgr0dsWVcOWJQdb8JpwCRUUFXYHL5liFGS1IozD+bpFfUvUxNH
+        1sjPo18JAgMBAAECggEBAJRaQ5LC1LDAiQqfhvE94oEDmR4AmOWFlqQi3f1vZPkb
+        qTbIq/skxamk2iUoCPm8TT1MZhfheaNwLiCMg76U29CoSXY8Gq17mD08BPOBrcAQ
+        EpVKpu8b85XpeQ5OMXAnOWbqc/sZWWqa2Nt3ilCVvZAU05KE4gljf20lajLUb0BE
+        S+EOHgiPgbL9Upgb2HvsYjaBkgy6dMIJhH9ybyQqRJPaLceEbu53Krrv4iuZjzLD
+        CIdePYRge9DfvIff0UBlAFPVgahrwJNzZoqhEv9KlvSshE51tfaNv7zzMpoEnq7z
+        XqbisXXq/Pn6MaWiyF/6sYxYZDrAIHI5exmoJAYs4tECgYEA/V9eNpdh70Vzv19l
+        TkpjEklaAgDzSda68TSb5hYLtINI3m3+vVN+rlth5gZN7n8hKjxIBuUI8yERMY8B
+        is5g+qgIqK1jDeRHUJTKo7x+fRgM2vCTcYQgxCC4x2czkG86AifsNaGZ6j2P9y2v
+        lpaozs+ONkADpGwnOu0lsCBxbVUCgYEA9/WaPrhOO/ImKlyFbXnXHZsoRXKuWVKm
+        DRcs7z8LZmPH7n3ikiMZW7CUbKHB3mreL6Xv5gQ/nait2tjYRPT2OfBA+WTQi/kO
+        MwHyuq92J1965WCld3hzGYeJHtB12rVjheRQ3TBeBCFFu3pgEVsgqnVV1gqceBL7
+        edXnu85KSuUCgYEAxbhURvmfPR7PknmZDp1R7oU7LfEb6XUd8PiC5+wwOi9w/9KK
+        RagQZXN+VAh7bC/c656a/nZgo4ocZrYYF/+xAil6iFa1w7NuS12xPFDtzCSmc3vl
+        M2JOR37ZcxH/1ShW9jO9SqTO/VIJNHR8X2E2Xhzt9zvBG+AiRQOms2i92vkCgYEA
+        pZ2AiZXWg0mIXlDvuaBgouCoNEKV2wlN6X5qP94PAjNxLYUdWNhirpAxgqFD+QfO
+        IWsm4a5Cw04P2RVu1hf7gdVLwIeql2MhLcaGVlStiTzHu/8iZbqovgt99Xvsy8jN
+        kXde323XzdBfYAorskv4dIHsdAsgWT7sgoLxxcnSa1UCgYEAh0SDR9xTdNnCRTL8
+        Fz+YyN8EWm4XaiYv4fDu7mBEiAYJFQjfez/ZammSASwfv+sFcE4rCEMED2InlLin
+        73hJO8bDRMI7BEtaYKyEFcCgdNXOyDRfYhLtJllaIiJNbC8m4dW8H7Hq4Av2pTc0
+        dbfd2CfWKgXWqJNl2RCGWIoqDIU=
         -----END PRIVATE KEY-----
       cert: |
         -----BEGIN CERTIFICATE-----
-        MIIFMzCCBBugAwIBAgISA/bfQH5Vgy3KTu3PXxiNHed8MA0GCSqGSIb3DQEBCwUA
+        MIIFITCCBAmgAwIBAgISA4QDnwfowfekJU7pBgWPPB3SMA0GCSqGSIb3DQEBCwUA
         MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
-        EwJSMzAeFw0yMTA0MTYwMTA1MTNaFw0yMTA3MTUwMTA1MTNaMBgxFjAUBgNVBAMM
-        DSouYmlnYmFuZy5kZXYwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDl
-        7oIecDHRb8XBjG4sEW1qsBlI94oIa50KTHWOet7mhW82BX+scWVgqI3PbIVUI144
-        IgKGPSq3SEkigP0zNgSlxNjZZ/UaB99HXlK5kZ87puDvoOYMBiurjq/QzgwygiN9
-        NyyqdUtWdc/V94owxS47HsclhnOEXscVOjSQI/PIGM5G8UXZyeV0yvGVvrUYNbMf
-        z9Mhh3rD2ihw6LQVgX710J7q3IOiC1CDCt0wXur1w18LYs+R1Yu07AM7R5EoEEFB
-        2TZhYgDZ3+v7lvv/EINyVc5FfolIhyV1VG+dZxevHFiuZQ5cNLpiLwep3QreKeNk
-        1ijBhAehRnTMa8fB+mb9AgMBAAGjggJbMIICVzAOBgNVHQ8BAf8EBAMCBaAwHQYD
+        EwJSMzAeFw0yMTA2MzAwODQxNDhaFw0yMTA5MjgwODQxNDdaMBgxFjAUBgNVBAMM
+        DSouYmlnYmFuZy5kZXYwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQD1
+        ahjVSH4A+inhYyeVfOMQJhzrtt7OXpcGbSeepDY0lz+opc29BWafqcwZKef12aYM
+        U7CzoyPJCL13gOjn6FbU3h8FNkDZQ0kiZfGWQxHGYoJLB8MdXKyYgcynDCczMFNR
+        /mc7YwF0IMVpiApW/XYg2sv4ouuaBAZI/F7jQVYl1SB18gkk180YxZK9mzetie8V
+        9dCEMkodH1tq+BRzCYbrh3oSX/dL/CXYq/x29nFYTZmMctMc7T9ligS7n/JCBVTs
+        LLGL/BL7E/Ba8g54qDGR78FEW1kgr0dsWVcOWJQdb8JpwCRUUFXYHL5liFGS1Ioz
+        D+bpFfUvUxNH1sjPo18JAgMBAAGjggJJMIICRTAOBgNVHQ8BAf8EBAMCBaAwHQYD
         VR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0O
-        BBYEFAqYpSC/aq86VGg0Pj+AJL8Jq4opMB8GA1UdIwQYMBaAFBQusxe3WFbLrlAJ
+        BBYEFLKxa8BVwd6HZjzGXLkyXZLww/DwMB8GA1UdIwQYMBaAFBQusxe3WFbLrlAJ
         QOYfr52LFMLGMFUGCCsGAQUFBwEBBEkwRzAhBggrBgEFBQcwAYYVaHR0cDovL3Iz
         Lm8ubGVuY3Iub3JnMCIGCCsGAQUFBzAChhZodHRwOi8vcjMuaS5sZW5jci5vcmcv
-        MCsGA1UdEQQkMCKCDSouYmlnYmFuZy5kZXaCESouZGV2LmJpZ2JhbmcuZGV2MEwG
-        A1UdIARFMEMwCAYGZ4EMAQIBMDcGCysGAQQBgt8TAQEBMCgwJgYIKwYBBQUHAgEW
-        Gmh0dHA6Ly9jcHMubGV0c2VuY3J5cHQub3JnMIIBBAYKKwYBBAHWeQIEAgSB9QSB
-        8gDwAHUAb1N2rDHwMRnYmQCkURX/dxUcEdkCwQApBo2yCJo32RMAAAF42GzRXAAA
-        BAMARjBEAiBC9SJzpBUmMfpTTflKasVUMCOVEH/yQHLez9OijeyLEQIgJ29qt+mt
-        Cwhds52p8Fn8d4DQ05X1YGe83w//nJG76hwAdwD2XJQv0XcwIhRUGAgwlFaO400T
-        GTO/3wwvIAvMTvFk4wAAAXjYbNHPAAAEAwBIMEYCIQDBtSlv2u3Sz3bTOKQAzsmS
-        +u79PjtpvTnHfp7SwqGTAAIhAOJL7dr9pJt9JRKBl4E7Vu79xU7xOux1LIUVE+kA
-        dR1qMA0GCSqGSIb3DQEBCwUAA4IBAQBQK76kZJwa1zNv2k2h/u5isvcQiDL8eoUd
-        idIdXy7ydIbhzYl9Vh+zDGkUwxvIP4jVjD4FBC4QqQTjqutw8sLWjbzSPJLVfYLV
-        TmwtkbCvhTiE3PAdT+SmoOFIUsd2LEmjFJ622DyUaNH0OsdrHKClC/KIO0NvhTQs
-        ZnN89eH1wreIL9DolXko3RgkGB1LbG9MH4/dvzTnKHoBo4EUFXoJcnSiK7rdHEXI
-        u7wKFjw9OJnqjCLx7SGOIyhLo4c5UtJXU8uxKmxsO63WGZG+ZB38uzuRZaEEt+zs
-        SolSteEEHHXbe/BjYfufW2BXdJwqi3gaw04j+8Q4hcntH2cM28TW
+        MBgGA1UdEQQRMA+CDSouYmlnYmFuZy5kZXYwTAYDVR0gBEUwQzAIBgZngQwBAgEw
+        NwYLKwYBBAGC3xMBAQEwKDAmBggrBgEFBQcCARYaaHR0cDovL2Nwcy5sZXRzZW5j
+        cnlwdC5vcmcwggEFBgorBgEEAdZ5AgQCBIH2BIHzAPEAdwCUILwejtWNbIhzH4KL
+        IiwN0dpNXmxPlD1h204vWE2iwgAAAXpcS8iTAAAEAwBIMEYCIQCcXRHwJqXD4XZJ
+        69yt9vwm/5d3fV5iEncCsg4XoV8APAIhALuWdIvzfv1qLlS3Yv+DrVf5t2lMGdrL
+        RilySJivVC0QAHYA9lyUL9F3MCIUVBgIMJRWjuNNExkzv98MLyALzE7xZOMAAAF6
+        XEvIqAAABAMARzBFAiEA7mPS3NK7XQQo+GxdVRq0kJX4uV3ELIKbVzPIdpXCmxYC
+        IHfgadCRBTml5nnTd7xpjwRuvRNr/gsyyyIV0Xjao4DIMA0GCSqGSIb3DQEBCwUA
+        A4IBAQBbccxKHBf4FOqHSP3U3+pCrU3Z3zhfTjYVaPP/gI7+rus4m6Jnq/pP21ak
+        RWFJx9Yfp0zYPG33H4b65vvmG2jYzb/sLorHIodSn8O7HD11peWwFzgRLflVQ2Kx
+        yPYdn/yY1BFIZ5cyz1iQNIUghMZVLc1JfqQbuRuodf2si0x7d2CTMV3k0qUvpll9
+        6KstE/OEjLA0jgRmZAq0JBHZjDeYi65LoQWF1XM6Al1p0GvhGC+x//UyYZr/sBOl
+        3FvnSe9NXeAMqeJ6QIrkFFsogPMUoTpJYs47gjMdEl6eOT2uwgchZsHpqrdHVHG6
+        9xxT5njjSqfC0xOqknR0hhhn5Pbu
         -----END CERTIFICATE-----
         -----BEGIN CERTIFICATE-----
-        MIIEZTCCA02gAwIBAgIQQAF1BIMUpMghjISpDBbN3zANBgkqhkiG9w0BAQsFADA/
+        MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw
+        TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
+        cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw
+        WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
+        RW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+        AoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP
+        R5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx
+        sxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm
+        NHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg
+        Z3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG
+        /kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC
+        AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB
+        Af8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA
+        FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw
+        AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw
+        Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB
+        gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W
+        PTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl
+        ikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz
+        CkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm
+        lJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4
+        avAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2
+        yJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O
+        yK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids
+        hCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+
+        HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv
+        MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX
+        nLRbwHOoq7hHwg==
+        -----END CERTIFICATE-----
+        -----BEGIN CERTIFICATE-----
+        MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/
         MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
-        DkRTVCBSb290IENBIFgzMB4XDTIwMTAwNzE5MjE0MFoXDTIxMDkyOTE5MjE0MFow
-        MjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxCzAJBgNVBAMT
-        AlIzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuwIVKMz2oJTTDxLs
-        jVWSw/iC8ZmmekKIp10mqrUrucVMsa+Oa/l1yKPXD0eUFFU1V4yeqKI5GfWCPEKp
-        Tm71O8Mu243AsFzzWTjn7c9p8FoLG77AlCQlh/o3cbMT5xys4Zvv2+Q7RVJFlqnB
-        U840yFLuta7tj95gcOKlVKu2bQ6XpUA0ayvTvGbrZjR8+muLj1cpmfgwF126cm/7
-        gcWt0oZYPRfH5wm78Sv3htzB2nFd1EbjzK0lwYi8YGd1ZrPxGPeiXOZT/zqItkel
-        /xMY6pgJdz+dU/nPAeX1pnAXFK9jpP+Zs5Od3FOnBv5IhR2haa4ldbsTzFID9e1R
-        oYvbFQIDAQABo4IBaDCCAWQwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8E
-        BAMCAYYwSwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5p
-        ZGVudHJ1c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTE
-        p7Gkeyxx+tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEE
-        AYLfEwEBATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2Vu
-        Y3J5cHQub3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0
-        LmNvbS9EU1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYf
-        r52LFMLGMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjANBgkqhkiG9w0B
-        AQsFAAOCAQEA2UzgyfWEiDcx27sT4rP8i2tiEmxYt0l+PAK3qB8oYevO4C5z70kH
-        ejWEHx2taPDY/laBL21/WKZuNTYQHHPD5b1tXgHXbnL7KqC401dk5VvCadTQsvd8
-        S8MXjohyc9z9/G2948kLjmE6Flh9dDYrVYA9x2O+hEPGOaEOa1eePynBgPayvUfL
-        qjBstzLhWVQLGAkXXmNs+5ZnPBxzDJOLxhF2JIbeQAcH5H0tZrUlo5ZYyOqA7s9p
-        O5b85o3AM/OJ+CktFBQtfvBhcJVd9wvlwPsk+uyOy2HI7mNxKKgsBTt375teA2Tw
-        UdHkhVNcsAKX1H7GNNLOEADksd86wuoXvg==
+        DkRTVCBSb290IENBIFgzMB4XDTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1ow
+        TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
+        cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIiMA0GCSqGSIb3DQEB
+        AQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B493XC
+        ov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpL
+        wYqGcWlKZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+D
+        LtFJV4yAdLbaL9A4jXsDcCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK
+        4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5
+        bHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeYjzYIlefiN5YNNnWe+w5y
+        sR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHduRze6zqxZ
+        Xmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4
+        FQsDj43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBc
+        SLeCO5imfWCKoqMpgsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2ql
+        PRmP6zjzZN7IKw0KKP/32+IVQtQi0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TND
+        TwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw
+        SwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5pZGVudHJ1
+        c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx
+        +tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEB
+        ATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQu
+        b3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9E
+        U1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFHm0WeZ7tuXkAXOACIjIGlj26Ztu
+        MA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oGrS+o44+/yQoDFVDC
+        5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMrAdSW
+        9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuG
+        WCLKTVXkcGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9O
+        he8Y4IWS6wY7bCkjCWDcRQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFC
+        Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5
         -----END CERTIFICATE-----

tests/ci/keycloak-certs/kustomization.yaml

-resources:
-- admin.bigbang.dev-secret.yaml
-

tests/ci/keycloak.yaml

-apiVersion: source.toolkit.fluxcd.io/v1beta1
-kind: GitRepository
-metadata:
-  name: secrets
-  namespace: bigbang
-spec:
-  interval: 1m0s
-  # NOTE: We could use the same "bigbang" repository, but secrets are usually committed to a consumer owned repo,
-  #       so we are demonstrating that here with a new `GitRepository` resource pointed to the same repo
-  url: https://repo1.dso.mil/platform-one/big-bang/bigbang.git
-  ref:
-    branch: master
----
-apiVersion: kustomize.toolkit.fluxcd.io/v1beta1
-kind: Kustomization
-metadata:
-  name: secrets
-  namespace: bigbang
-spec:
-  interval: 1m0s
-  sourceRef:
-    kind: GitRepository
-    name: secrets
-    namespace: bigbang
-  path: "./tests/ci/keycloak-certs"
-  prune: true

tests/ci/passthrough-gateway.yaml

+istio:
+  ingressGateways:
+    passthrough-ingressgateway:
+      type: "LoadBalancer" # or "NodePort"
+      kubernetesResourceSpec: {} # https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#KubernetesResourcesSpec
+      # Node ports are assigned starting from nodePortBase.  The nodePortBase specifies the start of a range of 4 unused node ports.
+      # Node port will be assigned as follows: Port 15021 (Status) = nodePortBase, Port 80 = nodePortBase+1, Port 443 = nodePortBase+2, Port 15443 (SNI) = nodePortBase+3
+      # Node port base should be in the range from 30000 to 32764
+      # nodePortBase: 32000  # Alternatively, the kubernetesResourceSpec can be used to configure all port parameters
+  gateways:
+    passthrough:
+      ingressGateway: "passthrough-ingressgateway"
+      hosts:
+      - "*.{{ .Values.domain }}"
+      tls:
+        mode: "PASSTHROUGH"
\ No newline at end of file

tests/deploy/01_deploy_bigbang.sh

@@ -7,7 +7,6 @@ CI_VALUES_FILE="tests/ci/k3d/values.yaml"
 if [[ "${CI_COMMIT_BRANCH}" == "${CI_DEFAULT_BRANCH}" ]] || [[ ! -z "$CI_COMMIT_TAG" ]] || [[ $CI_MERGE_REQUEST_LABELS =~ "all-packages" ]]; then
   echo "all-packages label enabled, or on default branch or tag, enabling all addons"
   yq e ".addons.*.enabled = "true"" $CI_VALUES_FILE > tmpfile && mv tmpfile $CI_VALUES_FILE
-  yq e ".addons.keycloak.enabled = "false"" $CI_VALUES_FILE > tmpfile && mv tmpfile $CI_VALUES_FILE
 else
   IFS=","
   for package in $CI_MERGE_REQUEST_LABELS; do
@@ -21,6 +20,8 @@ fi
 # if keycloak enabled add ingress passthrough cert to addons.keycloak.ingress
 if [ "$(yq e ".addons.keycloak.enabled" "tests/ci/k3d/values.yaml")" == "true" ]; then
   yq eval-all 'select(fileIndex == 0) * select(filename == "tests/ci/keycloak-certs/keycloak-passthrough-values.yaml")' $CI_VALUES_FILE tests/ci/keycloak-certs/keycloak-passthrough-values.yaml > tmpfile && mv tmpfile $CI_VALUES_FILE
+#if keycloak is enabled add passthrough ingress gateway and gateway to istio.
+  yq eval-all 'select(filename == "tests/ci/k3d/values.yaml") * select(filename == "tests/ci/passthrough-gateway.yaml")' $CI_VALUES_FILE tests/ci/passthrough-gateway.yaml > tmpfile && mv tmpfile $CI_VALUES_FILE
 fi
 
 # Set controlPlaneCidr for ci-infra jobs which are RKE2
@@ -39,32 +40,16 @@ helm upgrade -i bigbang chart -n bigbang --create-namespace \
   --set registryCredentials[0].registry=registry1.dso.mil \
   -f ${CI_VALUES_FILE}
 
-# if keycloak is enabled use *.admin.bigbang.dev cert
-# otherwise use *.bigbang.dev
-if [ "$(yq e ".addons.keycloak.enabled" "tests/ci/k3d/values.yaml")" == "true" ]; then
-  # apply secrets kustomization pointing to current branch
-  if [[ $(git branch --show-current) == "${CI_DEFAULT_BRANCH}" ]]; then
-    echo "Deploying secrets from the ${CI_DEFAULT_BRANCH} branch"
-    kubectl apply -f tests/ci/keycloak.yaml
-  elif [ -z "$CI_COMMIT_TAG" ]; then
-    echo "Deploying secrets from the ${CI_COMMIT_REF_NAME} branch"
-    cat tests/ci/keycloak.yaml | sed 's|master|'"$CI_COMMIT_REF_NAME"'|g' | kubectl apply -f -
-  else
-    echo "Deploying secrets from the ${CI_COMMIT_REF_NAME} tag"
-    # NOTE: $CI_COMMIT_REF_NAME = $CI_COMMIT_TAG when running on a tagged build
-    cat tests/ci/keycloak.yaml | sed 's|branch: master|tag: '"$CI_COMMIT_REF_NAME"'|g' | kubectl apply -f -
-  fi
+# apply secrets kustomization pointing to current branch or master if an upgrade job
+if [[ $(git branch --show-current) == "${CI_DEFAULT_BRANCH}" ]]; then
+  echo "Deploying secrets from the ${CI_DEFAULT_BRANCH} branch"
+  kubectl apply -f tests/ci/shared-secrets.yaml
+elif [ -z "$CI_COMMIT_TAG" ]; then
+  echo "Deploying secrets from the ${CI_COMMIT_REF_NAME} branch"
+  cat tests/ci/shared-secrets.yaml | sed 's|master|'"$CI_COMMIT_REF_NAME"'|g' | kubectl apply -f -
 else
-  # apply secrets kustomization pointing to current branch or master if an upgrade job
-  if [[ $(git branch --show-current) == "${CI_DEFAULT_BRANCH}" ]]; then
-    echo "Deploying secrets from the ${CI_DEFAULT_BRANCH} branch"
-    kubectl apply -f tests/ci/shared-secrets.yaml
-  elif [ -z "$CI_COMMIT_TAG" ]; then
-    echo "Deploying secrets from the ${CI_COMMIT_REF_NAME} branch"
-    cat tests/ci/shared-secrets.yaml | sed 's|master|'"$CI_COMMIT_REF_NAME"'|g' | kubectl apply -f -
-  else
-    echo "Deploying secrets from the ${CI_COMMIT_REF_NAME} tag"
-    # NOTE: $CI_COMMIT_REF_NAME = $CI_COMMIT_TAG when running on a tagged build
-    cat tests/ci/shared-secrets.yaml | sed 's|branch: master|tag: '"$CI_COMMIT_REF_NAME"'|g' | kubectl apply -f -
-  fi
+  echo "Deploying secrets from the ${CI_COMMIT_REF_NAME} tag"
+  # NOTE: $CI_COMMIT_REF_NAME = $CI_COMMIT_TAG when running on a tagged build
+  cat tests/ci/shared-secrets.yaml | sed 's|branch: master|tag: '"$CI_COMMIT_REF_NAME"'|g' | kubectl apply -f -
 fi
+

tests/tests/01_virtualservices.sh

@@ -5,11 +5,15 @@ set -e
 
 # Populate /etc/hosts
 ip=$(kubectl -n istio-system get service public-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
-
+ip_passthrough=$(kubectl -n istio-system get service passthrough-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
 echo "Checking "
 
 hosts=`kubectl get virtualservices -A -o jsonpath="{ .items[*].spec.hosts[*] }"`
 for host in $hosts; do
+  if [ $host == "keycloak.bigbang.dev" ]; then
+    echo "$ip_passthrough $host" >> /etc/hosts
+  else
     echo "$ip $host" >> /etc/hosts
-    curl -svv https://$host/ > /dev/null
+  fi
+  curl -svv https://$host/ > /dev/null
 done