upgrade to istio 1.8.4, split jaeger and kiali into separate deployments

224e2670 · runyontr · joshwolf · 36ac449b · 224e2670 · 224e2670
Commit 224e2670 authored 3 years ago by runyontr Committed by joshwolf 3 years ago
--- a/chart/dev-sso-values.yaml
+++ b/chart/dev-sso-values.yaml
@@ -3,13 +3,16 @@
 sso:
  certificate_authority: '-----BEGIN CERTIFICATE-----\nMIIH0zCCBrugAwIBAgIQHeg1retyhPnWuzryBJeBvTANBgkqhkiG9w0BAQsFADCB\nujELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUVudHJ1c3QsIEluYy4xKDAmBgNVBAsT\nH1NlZSB3d3cuZW50cnVzdC5uZXQvbGVnYWwtdGVybXMxOTA3BgNVBAsTMChjKSAy\nMDEyIEVudHJ1c3QsIEluYy4gLSBmb3IgYXV0aG9yaXplZCB1c2Ugb25seTEuMCwG\nA1UEAxMlRW50cnVzdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEwxSzAeFw0y\nMDEyMTUwMzE1MDJaFw0yMjAxMTQwMzE1MDJaMHMxCzAJBgNVBAYTAlVTMREwDwYD\nVQQIEwhDb2xvcmFkbzEZMBcGA1UEBxMQQ29sb3JhZG8gU3ByaW5nczEeMBwGA1UE\nChMVRGVwYXJ0bWVudCBvZiBEZWZlbnNlMRYwFAYDVQQDEw1sb2dpbi5kc28ubWls\nMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAymUXk7STDlepS5HJu0ca\nB57S5dfLp7zxYmcsGjo10YkHy3m9LASQCTyiioDrlwo2b+n8oZ7esGLv3RgggMwf\nxvLVyx1+lZDswxdQoXmjArTdbqpcSoq3Y1rvVp33/jGb3slBjQtcMt2QvaFv3fxy\ncwwINvJFEqsQS7zGUgpolJ3smKdcVpUSGZmzpYposuDlPUGeOJaQRMAACW5arWiT\nVkDhJD+OVOYEHW8uCQfghD3JJXu6Xp9SwlWe6UNOdxo9cq3s/XE4ZwEgffdLXP2A\nwuJF/7B7CFdZjIMptmOODyCeatC344iyubU0MiGCOm4W4wn0pQ0XJtAzWeYFKATL\n9BquNOzPUR6pMSFMvIEiS96zbVFuOYt2XKgPryWEYji3Oky082WWYOcXt0NnqnCj\nSafVU+2fQi4jQ0att5YXagEEPz83lQZdSKb2+grDeFg78VrEZAe+Y0mVu4/G93he\nUOqfZ9jdCnFXq8sEMG9bJJFKeOXkb1Da8Y0amfOw4hFd4UslrbvC5ZCUZNh6roOk\n8kast9QWtWFIGPC3f+Uq3gvx3GBHzIG9QPOq1CjSSAF3tWKuMTxK4zaS33mriJo0\nDv1CMX3FCmjT/qG3422guBL02hbGHveDSWk0/saY7ZWFifxnvKEdOi4ItnpMuQhE\nzx6/+t7FWuzBTPAeVqV1l2sCAwEAAaOCAxkwggMVMAwGA1UdEwEB/wQCMAAwHQYD\nVR0OBBYEFCLwpnkje7QKLWok+nWIeBEnIGfmMB8GA1UdIwQYMBaAFIKicHTdvFM/\nz3vU981/p2DGCky/MGgGCCsGAQUFBwEBBFwwWjAjBggrBgEFBQcwAYYXaHR0cDov\nL29jc3AuZW50cnVzdC5uZXQwMwYIKwYBBQUHMAKGJ2h0dHA6Ly9haWEuZW50cnVz\ndC5uZXQvbDFrLWNoYWluMjU2LmNlcjAzBgNVHR8ELDAqMCigJqAkhiJodHRwOi8v\nY3JsLmVudHJ1c3QubmV0L2xldmVsMWsuY3JsMCcGA1UdEQQgMB6CDWxvZ2luLmRz\nby5taWyCDWxvZ2luLmRzb3AuaW8wDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQG\nCCsGAQUFBwMBBggrBgEFBQcDAjBMBgNVHSAERTBDMDcGCmCGSAGG+mwKAQUwKTAn\nBggrBgEFBQcCARYbaHR0cHM6Ly93d3cuZW50cnVzdC5uZXQvcnBhMAgGBmeBDAEC\nAjCCAX4GCisGAQQB1nkCBAIEggFuBIIBagFoAHUAVhQGmi/XwuzT9eG9RLI+x0Z2\nubyZEVzA75SYVdaJ0N0AAAF2ZGTpIwAABAMARjBEAiAK+W9ukx92DJPFV87LexEg\n/qDFTjtkiLh/z+mLmDtOwQIgUD4YrMuo22sV9MeJ8JmzraCQVdUUIprw4K4HN+eO\n6W0AdwDfpV6raIJPH2yt7rhfTj5a6s2iEqRqXo47EsAgRFwqcwAAAXZkZOlKAAAE\nAwBIMEYCIQDRpvbR/GroWSGlCIh1q0RUITb8RfI4skqqBa/FeU811AIhAPlRY4lv\nDC2u9MFSEiCVeaFYJRU0xvAwmHQMtrl+IE4iAHYARqVV63X6kSAwtaKJafTzfREs\nQXS+/Um4havy/HD+bUcAAAF2ZGTrYAAABAMARzBFAiEAifP8Y0nXFBykaTyzpWpv\nE3FDi8NCQeJFRMJqD7loTjMCIHVDio7r+zANTbIdRLRRzHoNzo//xfJ0JUqejNRA\naCpZMA0GCSqGSIb3DQEBCwUAA4IBAQB/wtYjDQiPLe99tZq98IyxOSJCli2mtlV9\ngSC67aj4rgW6g+C8P1bSoB5PamMq6rON5q0SXL3CQiQ7vegxCQnleDh0LWeKPFS2\njjSIl3CvrYfBlNBzw4H1uAa/yw+enr0So8oX8kdSTBFGnU4KoK646lFZRXSifFIU\nzzQ9QYYedmiP0iKs5LDYGAOsB/w/O94+zv6qGKXA1fVzBXAD54MddqGk9mHZTSyL\n6nsSTx4r8vCGQir7d2QuIGLD48zaYQz0TFcGKnBV3/9CB27RxJkRdMwUbMvNdp3C\nV+C2+jdR8xA/0qCnvSxHc1lTZgXxVkcu/wpqIBn3af5Ha8ddd0DU\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\nMIIFDjCCA/agAwIBAgIMDulMwwAAAABR03eFMA0GCSqGSIb3DQEBCwUAMIG+MQsw\nCQYDVQQGEwJVUzEWMBQGA1UEChMNRW50cnVzdCwgSW5jLjEoMCYGA1UECxMfU2Vl\nIHd3dy5lbnRydXN0Lm5ldC9sZWdhbC10ZXJtczE5MDcGA1UECxMwKGMpIDIwMDkg\nRW50cnVzdCwgSW5jLiAtIGZvciBhdXRob3JpemVkIHVzZSBvbmx5MTIwMAYDVQQD\nEylFbnRydXN0IFJvb3QgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgLSBHMjAeFw0x\nNTEwMDUxOTEzNTZaFw0zMDEyMDUxOTQzNTZaMIG6MQswCQYDVQQGEwJVUzEWMBQG\nA1UEChMNRW50cnVzdCwgSW5jLjEoMCYGA1UECxMfU2VlIHd3dy5lbnRydXN0Lm5l\ndC9sZWdhbC10ZXJtczE5MDcGA1UECxMwKGMpIDIwMTIgRW50cnVzdCwgSW5jLiAt\nIGZvciBhdXRob3JpemVkIHVzZSBvbmx5MS4wLAYDVQQDEyVFbnRydXN0IENlcnRp\nZmljYXRpb24gQXV0aG9yaXR5IC0gTDFLMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A\nMIIBCgKCAQEA2j+W0E25L0Tn2zlem1DuXKVh2kFnUwmqAJqOV38pa9vH4SEkqjrQ\njUcj0u1yFvCRIdJdt7hLqIOPt5EyaM/OJZMssn2XyP7BtBe6CZ4DkJN7fEmDImiK\nm95HwzGYei59QAvS7z7Tsoyqj0ip/wDoKVgG97aTWpRzJiatWA7lQrjV6nN5ZGhT\nJbiEz5R6rgZFDKNrTdDGvuoYpDbwkrK6HIiPOlJ/915tgxyd8B/lw9bdpXiSPbBt\nLOrJz5RBGXFEaLpHPATpXbo+8DX3Fbae8i4VHj9HyMg4p3NFXU2wO7GOFyk36t0F\nASK7lDYqjVs1/lMZLwhGwSqzGmIdTivZGwIDAQABo4IBDDCCAQgwDgYDVR0PAQH/\nBAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQAwMwYIKwYBBQUHAQEEJzAlMCMGCCsG\nAQUFBzABhhdodHRwOi8vb2NzcC5lbnRydXN0Lm5ldDAwBgNVHR8EKTAnMCWgI6Ah\nhh9odHRwOi8vY3JsLmVudHJ1c3QubmV0L2cyY2EuY3JsMDsGA1UdIAQ0MDIwMAYE\nVR0gADAoMCYGCCsGAQUFBwIBFhpodHRwOi8vd3d3LmVudHJ1c3QubmV0L3JwYTAd\nBgNVHQ4EFgQUgqJwdN28Uz/Pe9T3zX+nYMYKTL8wHwYDVR0jBBgwFoAUanImetAe\n733nO2lR1GyNn5ASZqswDQYJKoZIhvcNAQELBQADggEBADnVjpiDYcgsY9NwHRkw\ny/YJrMxp1cncN0HyMg/vdMNY9ngnCTQIlZIv19+4o/0OgemknNM/TWgrFTEKFcxS\nBJPok1DD2bHi4Wi3Ogl08TRYCj93mEC45mj/XeTIRsXsgdfJghhcg85x2Ly/rJkC\nk9uUmITSnKa1/ly78EqvIazCP0kkZ9Yujs+szGQVGHLlbHfTUqi53Y2sAEo1GdRv\nc6N172tkw+CNgxKhiucOhk3YtCAbvmqljEtoZuMrx1gL+1YQ1JH7HdMxWBCMRON1\nexCdtTix9qrKgWRs6PLigVWXUX/hwidQosk8WwBD9lu51aX8/wdQQGcHsFXwt35u\nLcw=\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\nMIIEPjCCAyagAwIBAgIESlOMKDANBgkqhkiG9w0BAQsFADCBvjELMAkGA1UEBhMC\nVVMxFjAUBgNVBAoTDUVudHJ1c3QsIEluYy4xKDAmBgNVBAsTH1NlZSB3d3cuZW50\ncnVzdC5uZXQvbGVnYWwtdGVybXMxOTA3BgNVBAsTMChjKSAyMDA5IEVudHJ1c3Qs\nIEluYy4gLSBmb3IgYXV0aG9yaXplZCB1c2Ugb25seTEyMDAGA1UEAxMpRW50cnVz\ndCBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5IC0gRzIwHhcNMDkwNzA3MTcy\nNTU0WhcNMzAxMjA3MTc1NTU0WjCBvjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUVu\ndHJ1c3QsIEluYy4xKDAmBgNVBAsTH1NlZSB3d3cuZW50cnVzdC5uZXQvbGVnYWwt\ndGVybXMxOTA3BgNVBAsTMChjKSAyMDA5IEVudHJ1c3QsIEluYy4gLSBmb3IgYXV0\naG9yaXplZCB1c2Ugb25seTEyMDAGA1UEAxMpRW50cnVzdCBSb290IENlcnRpZmlj\nYXRpb24gQXV0aG9yaXR5IC0gRzIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK\nAoIBAQC6hLZy254Ma+KZ6TABp3bqMriVQRrJ2mFOWHLP/vaCeb9zYQYKpSfYs1/T\nRU4cctZOMvJyig/3gxnQaoCAAEUesMfnmr8SVycco2gvCoe9amsOXmXzHHfV1IWN\ncCG0szLni6LVhjkCsbjSR87kyUnEO6fe+1R9V77w6G7CebI6C1XiUJgWMhNcL3hW\nwcKUs/Ja5CeanyTXxuzQmyWC48zCxEXFjJd6BmsqEZ+pCm5IO2/b1BEZQvePB7/1\nU1+cPvQXLOZprE4yTGJ36rfo5bs0vBmLrpxR57d+tVOxMyLlbc9wPBr64ptntoP0\njaWvYkxN4FisZDQSA/i2jZRjJKRxAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAP\nBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRqciZ60B7vfec7aVHUbI2fkBJmqzAN\nBgkqhkiG9w0BAQsFAAOCAQEAeZ8dlsa2eT8ijYfThwMEYGprmi5ZiXMRrEPR9RP/\njTkrwPK9T3CMqS/qF8QLVJ7UG5aYMzyorWKiAHarWWluBh1+xLlEjZivEtRh2woZ\nRkfz6/djwUAFQKXSt/S1mja/qYh2iARVBCuch38aNzx+LaUa2NSJXsq9rD1s2G2v\n1fN2D807iDginWyTmsQ9v4IbZT+mD12q/OWyFcq1rca8PdCE6OoGcrBNOTJ4vz4R\nnAuknZoh8/CbCzB428Hch0P+vGOaysXCHMnHjf87ElgI5rY97HosTvuDls4MPGmH\nVHOkc8KT/1EQrBVUAdj8BbGJoX90g5pJ19xOe4pIb4tF9g==\n-----END CERTIFICATE-----'

-istio:
+kiali:
  sso:
    enabled: true
-    kiali: 
-      client_id: platform1_a8604cc9-f5e9-4656-802d-d05624370245_bb8-kiali
-    jaeger: 
-      client_id: platform1_a8604cc9-f5e9-4656-802d-d05624370245_bb8-jaeger
+    client_id: platform1_a8604cc9-f5e9-4656-802d-d05624370245_bb8-kiali
+
+jaeger:
+  sso:
+    enabled: true
+    client_id: platform1_a8604cc9-f5e9-4656-802d-d05624370245_bb8-jaeger
+
 logging:
  sso:
    enabled: true

--- a/chart/templates/authservice/authservice-helmrelease.yaml
+++ b/chart/templates/authservice/authservice-helmrelease.yaml
-
-  {{- if and .Values.istio.enabled ( or .Values.addons.authservice.enabled ( or .Values.monitoring.sso.enabled .Values.istio.sso.enabled ) ) }}
+{{- if and .Values.istio.enabled ( or .Values.addons.authservice.enabled .Values.monitoring.sso.enabled .Values.jaeger.sso.enabled ) }}
 apiVersion: helm.toolkit.fluxcd.io/v2beta1
 kind: HelmRelease
 metadata:

--- a/chart/templates/authservice/gitrepository.yaml
+++ b/chart/templates/authservice/gitrepository.yaml
-{{- if and .Values.istio.enabled .Values.addons.authservice.enabled  }}
+{{- if and .Values.istio.enabled ( or .Values.addons.authservice.enabled .Values.monitoring.sso.enabled .Values.jaeger.sso.enabled ) }}
 apiVersion: source.toolkit.fluxcd.io/v1beta1
 kind: GitRepository
 metadata:

--- a/chart/templates/authservice/namespace.yaml
+++ b/chart/templates/authservice/namespace.yaml
-{{- if and .Values.istio.enabled .Values.addons.authservice.enabled }}
+{{- if and .Values.istio.enabled ( or .Values.addons.authservice.enabled .Values.monitoring.sso.enabled .Values.jaeger.sso.enabled ) }}
 apiVersion: v1
 kind: Namespace
 metadata:

--- a/chart/templates/authservice/values.yaml
+++ b/chart/templates/authservice/values.yaml
-{{- if and .Values.istio.enabled .Values.addons.authservice.enabled }}
+{{- if and .Values.istio.enabled ( or .Values.addons.authservice.enabled .Values.monitoring.sso.enabled .Values.jaeger.sso.enabled ) }}
 {{- include "values-secret" (dict "root" $ "package" .Values.addons.authservice "name" "authservice" "defaults" (include "bigbang.defaults.authservice" .)) }}
 {{- end }}

@@ -32,22 +32,17 @@ chains:
  {{ .Values.addons.authservice.chains | toYaml | nindent 2 }}
  {{- end }}

-  kiali:
-    match:
-      header: ":authority"
-      prefix: "kiali"
-    client_id: {{ .Values.istio.sso.kiali.client_id }}
-    client_secret: "{{ .Values.istio.sso.kiali.client_secret }}"
-    callback_uri: https://kiali.{{ .Values.hostname }}/login
-
+  {{- if .Values.jaeger.sso.enabled }}
  jaeger:
    match:
      header: ":authority"
      prefix: "tracing"
-    client_id: "{{ .Values.istio.sso.jaeger.client_id }}"
-    client_secret: "{{ .Values.istio.sso.jaeger.client_secret }}"
+    client_id: "{{ .Values.jaeger.sso.client_id }}"
+    client_secret: "{{ .Values.jaeger.sso.client_secret }}"
    callback_uri: https://tracing.{{ .Values.hostname }}/login
+  {{- end }}

+  {{- if .Values.monitoring.sso.enabled }}
  prometheus:
    match:
      header: ":authority"
@@ -63,5 +58,5 @@ chains:
    client_id: {{ .Values.monitoring.sso.alertmanager.client_id }}
    client_secret: "{{ .Values.monitoring.sso.alertmanager.client_secret }}"
    callback_uri: https://alertmanager.{{ .Values.hostname }}/login/generic_oauth
-
+  {{- end }}
 {{- end -}}
--- a/chart/templates/haproxy/gitrepository.yaml
+++ b/chart/templates/haproxy/gitrepository.yaml
-{{- if and .Values.istio.enabled .Values.addons.authservice.enabled }}
+{{- if and .Values.istio.enabled .Values.monitoring.sso.enabled }}
 apiVersion: source.toolkit.fluxcd.io/v1beta1
 kind: GitRepository
 metadata:

--- a/chart/templates/haproxy/haproxy-authservice.yaml
+++ b/chart/templates/haproxy/haproxy-authservice.yaml
-{{- if and .Values.istio.enabled .Values.addons.authservice.enabled }}
+{{- if and .Values.istio.enabled .Values.monitoring.sso.enabled }}
 apiVersion: helm.toolkit.fluxcd.io/v2beta1
 kind: HelmRelease
 metadata:

--- a/chart/templates/haproxy/values.yaml
+++ b/chart/templates/haproxy/values.yaml
-{{- if and .Values.istio.enabled .Values.addons.authservice.enabled }}
+{{- if and .Values.istio.enabled .Values.monitoring.sso.enabled }}
 {{- include "values-secret" (dict "root" $ "package" .Values.addons.haproxy "name" "haproxy-sso" "defaults" (include "bigbang.defaults.haproxy-sso" .)) }}
 {{- end }}

@@ -65,33 +65,12 @@ config: |
    unique-id-format %{+X}o\ 1-%[date,hex,bytes(8,8),lower]-%[capture.req.hdr(3)]
    http-request set-header X-Amzn-Trace-Id Root=%[unique-id,lower]
    bind :8080
-{{- if and .Values.istio.sso.enabled }}
-    acl host_kiali hdr(host) -i kiali.{{ .Values.hostname }}
-    acl host_tracing hdr(host) -i tracing.{{ .Values.hostname }}
-{{- end }}
-{{- if and .Values.monitoring.enabled .Values.monitoring.sso.enabled }}
    acl host_alertmanager hdr(host) -i alertmanager.{{ .Values.hostname }}
    acl host_prometheus hdr(host) -i prometheus.{{ .Values.hostname }}
-{{- end }}

    option forwardfor
-{{- if and .Values.istio.sso.enabled }}
-    use_backend kiali_main if host_kiali
-    use_backend tracing_main if host_tracing
-{{- end }}
-{{- if and .Values.monitoring.enabled .Values.monitoring.sso.enabled }}
    use_backend alertmanager_main if host_alertmanager
    use_backend prometheus_main if host_prometheus
-{{- end }} 
-{{- if and .Values.istio.sso.enabled }}
-  backend kiali_main
-    mode http
-    server kiali kiali.istio-system.svc.cluster.local:20001
-  backend tracing_main
-    mode http
-    server jaeger tracing.istio-system.svc.cluster.local:80
-{{- end }}
-{{- if and .Values.monitoring.enabled .Values.monitoring.sso.enabled }}
  backend alertmanager_main
    mode http
    option forwardfor
@@ -102,8 +81,6 @@ config: |
    option forwardfor
    http-request replace-header Host .* monitoring-monitoring-kube-prometheus.monitoring.svc.cluster.local
    server prometheus monitoring-monitoring-kube-prometheus.monitoring.svc.cluster.local:9090
-{{- end }}
-
 image:
  repository: registry1.dso.mil/ironbank/opensource/haproxy/haproxy22
 containerPorts:

--- a/chart/templates/istio/controlplane/values.yaml
+++ b/chart/templates/istio/controlplane/values.yaml
@@ -4,23 +4,13 @@

 {{- define "bigbang.defaults.istio" -}}
 hostname: {{ .Values.hostname }}
-sso:
-  enabled: {{ .Values.istio.sso.enabled }}
+
+tracing:
+  enabled:  {{ .Values.jaeger.enabled }}

 imagePullSecrets:
  - private-registry

 openshift: {{ .Values.openshift }}

-{{- if .Values.istio.sso.enabled }}
-ingress:
-  kiali:
-    service: authservice-haproxy-sso
-    port: 8080
-    namespace: authservice
-  jaeger:
-    service: authservice-haproxy-sso
-    port: 8080
-    namespace: authservice
-{{- end }}
 {{- end -}}
--- a/chart/templates/jaeger/gitrepository.yaml
+++ b/chart/templates/jaeger/gitrepository.yaml
+{{- if and (not .Values.offline) .Values.jaeger.enabled }}
+apiVersion: source.toolkit.fluxcd.io/v1beta1
+kind: GitRepository
+metadata:
+  name: jaeger
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: jaeger
+    app.kubernetes.io/component: "core"
+    {{- include "commonLabels" . | nindent 4}}
+spec:
+  interval: {{ .Values.flux.interval }}
+  url: {{ .Values.jaeger.git.repo }}
+  ref:
+    {{- include "validRef" .Values.jaeger.git | nindent 4 }}
+  {{ include "gitIgnore" . }}
+  {{- include "gitCreds" . | nindent 2 }}
+{{- end }}
--- a/chart/templates/jaeger/imagepullsecret.yaml
+++ b/chart/templates/jaeger/imagepullsecret.yaml
+{{- if and .Values.jaeger.enabled ( include "imagePullSecret" . ) }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: private-registry
+  namespace: jaeger
+type: kubernetes.io/dockerconfigjson
+data:
+  .dockerconfigjson: {{ template "imagePullSecret" . }}
+{{- end }}
\ No newline at end of file
--- a/chart/templates/jaeger/jaeger-helmrelease.yaml
+++ b/chart/templates/jaeger/jaeger-helmrelease.yaml
+{{- if .Values.jaeger.enabled }}
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: jaeger
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: jaeger
+    app.kubernetes.io/component: "core"
+    {{- include "commonLabels" . | nindent 4}}
+spec:
+  targetNamespace: jaeger
+  chart:
+    spec:
+      chart: {{ .Values.jaeger.git.path }}
+      interval: 5m
+      sourceRef:
+        kind: GitRepository
+        name: jaeger
+        namespace: {{ .Release.Namespace }}
+
+  {{- with .Values.flux }}
+  interval: {{ .interval }}
+  test:
+    enable: false
+  install:
+    remediation:
+      retries: {{ .install.retries }}
+  upgrade:
+    remediation:
+      retries: {{ .upgrade.retries }}
+      remediateLastFailure: true
+    cleanupOnFail: true
+  rollback:
+    timeout: {{ .rollback.timeout }}
+    cleanupOnFail: {{ .rollback.cleanupOnFail }}
+  {{- end }}
+
+  valuesFrom:
+    - name: {{ .Release.Name }}-jaeger-values
+      kind: Secret
+      valuesKey: "common"
+    - name: {{ .Release.Name }}-jaeger-values
+      kind: Secret
+      valuesKey: "defaults"
+    - name: {{ .Release.Name }}-jaeger-values
+      kind: Secret
+      valuesKey: "overlays"
+
+  {{ if or .Values.istio.enabled .Values.monitoring.enabled .Values.jaeger.sso.enabled .Values.logging.enabled }}
+  dependsOn:
+  {{- if .Values.istio.enabled }}
+    - name: istio
+      namespace: {{ .Release.Namespace }}
+  {{- end }}
+  {{- if .Values.monitoring.enabled }}
+    - name: monitoring
+      namespace: {{ .Release.Namespace }}
+  {{- end }}
+  {{- if .Values.jaeger.sso.enabled }}
+    - name: authservice
+      namespace: {{ .Release.Namespace }}
+  {{- end }}
+  {{- if .Values.logging.enabled }}
+    - name: ek
+      namespace: {{ .Release.Namespace }}
+  {{- end }}
+  {{- end }}
+{{- end }}
--- a/chart/templates/jaeger/namespace.yaml
+++ b/chart/templates/jaeger/namespace.yaml
+{{- if .Values.jaeger.enabled }}
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: jaeger
+  labels:
+    istio-injection: enabled
+    app.kubernetes.io/name: jaeger
+    app.kubernetes.io/component: "core"
+    {{- include "commonLabels" . | nindent 4}}
+{{- end }}
\ No newline at end of file
--- a/chart/templates/jaeger/values.yaml
+++ b/chart/templates/jaeger/values.yaml
+{{- if .Values.jaeger.enabled }}
+{{- include "values-secret" (dict "root" $ "package" .Values.jaeger "name" "jaeger" "defaults" (include "bigbang.defaults.jaeger" .)) }}
+{{- end }}
+
+{{- define "bigbang.defaults.jaeger" -}}
+imagePullSecrets:
+  - name: private-registry
+hostname: {{ .Values.hostname }}
+istio:
+  enabled: {{ .Values.istio.enabled }}
+monitoring:
+  enabled: {{ .Values.monitoring.enabled }}
+elasticsearch:
+  enabled: {{ .Values.logging.enabled }}
+jaeger:
+  spec:
+    allInOne:
+      labels:
+        protect: keycloak
+    query:
+      labels:
+        protect: keycloak
+{{- end -}}
\ No newline at end of file
--- a/chart/templates/kiali/gitrepository.yaml
+++ b/chart/templates/kiali/gitrepository.yaml
+{{- if and (not .Values.offline) .Values.kiali.enabled }}
+apiVersion: source.toolkit.fluxcd.io/v1beta1
+kind: GitRepository
+metadata:
+  name: kiali
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: kiali
+    app.kubernetes.io/component: "core"
+    {{- include "commonLabels" . | nindent 4}}
+spec:
+  interval: {{ .Values.flux.interval }}
+  url: {{ .Values.kiali.git.repo }}
+  ref:
+    {{- include "validRef" .Values.kiali.git | nindent 4 }}
+  {{ include "gitIgnore" . }}
+  {{- include "gitCreds" . | nindent 2 }}
+{{- end }}
--- a/chart/templates/kiali/helmrelease.yaml
+++ b/chart/templates/kiali/helmrelease.yaml
+{{- if .Values.kiali.enabled }}
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: kiali
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: kiali
+    app.kubernetes.io/component: "core"
+    {{- include "commonLabels" . | nindent 4}}
+spec:
+  targetNamespace: kiali
+  chart:
+    spec:
+      chart: {{ .Values.kiali.git.path }}
+      interval: 5m
+      sourceRef:
+        kind: GitRepository
+        name: kiali
+        namespace: {{ .Release.Namespace }}
+  {{- with .Values.flux }}
+  interval: {{ .interval }}
+  test:
+    enable: false
+  install:
+    remediation:
+      retries: {{ .install.retries }}
+  upgrade:
+    remediation:
+      retries: {{ .upgrade.retries }}
+      remediateLastFailure: true
+    cleanupOnFail: true
+  rollback:
+    timeout: {{ .rollback.timeout }}
+    cleanupOnFail: {{ .rollback.cleanupOnFail }}
+  {{- end }}
+
+  valuesFrom:
+    - name: {{ .Release.Name }}-kiali-values
+      kind: Secret
+      valuesKey: "common"
+    - name: {{ .Release.Name }}-kiali-values
+      kind: Secret
+      valuesKey: "defaults"
+    - name: {{ .Release.Name }}-kiali-values
+      kind: Secret
+      valuesKey: "overlays"
+
+  {{ if or .Values.istio.enabled .Values.monitoring.enabled }}
+  dependsOn:
+  {{- if .Values.istio.enabled }}
+    - name: istio
+      namespace: {{ .Release.Namespace }}
+  {{- end }}
+  {{- if .Values.monitoring.enabled }}
+    - name: monitoring
+      namespace: {{ .Release.Namespace }}
+  {{- end }}
+  {{- end }}
+{{- end }}
--- a/chart/templates/kiali/imagepullsecret.yaml
+++ b/chart/templates/kiali/imagepullsecret.yaml
+{{- if and .Values.kiali.enabled ( include "imagePullSecret" . ) }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: private-registry
+  namespace: kiali
+type: kubernetes.io/dockerconfigjson
+data:
+  .dockerconfigjson: {{ template "imagePullSecret" . }}
+{{- end }}
\ No newline at end of file
--- a/chart/templates/kiali/namespace.yaml
+++ b/chart/templates/kiali/namespace.yaml
+{{- if .Values.kiali.enabled }}
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: kiali
+  labels:
+    istio-injection: enabled
+    app.kubernetes.io/name: kiali
+    app.kubernetes.io/component: "core"
+    {{- include "commonLabels" . | nindent 4}}
+{{- end }}
\ No newline at end of file
--- a/chart/templates/kiali/sso-client-secret.yaml
+++ b/chart/templates/kiali/sso-client-secret.yaml
+{{- if and .Values.kiali.enabled .Values.kiali.sso.client_secret }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: kiali-openid
+  namespace: kiali
+type: kubernetes.io/opaque
+stringData:
+  oidc-secret: {{ .Values.kiali.sso.client_secret }}
+{{- end }}
\ No newline at end of file
--- a/chart/templates/kiali/values.yaml
+++ b/chart/templates/kiali/values.yaml
+{{- if .Values.kiali.enabled }}
+{{- include "values-secret" (dict "root" $ "package" .Values.kiali "name" "kiali" "defaults" (include "bigbang.defaults.kiali" .)) }}
+{{- end }}
+
+{{- define "bigbang.defaults.kiali" -}}
+hostname: {{ .Values.hostname }}
+istio:
+  enabled: {{ .Values.istio.enabled }}
+monitoring:
+  enabled: {{ .Values.monitoring.enabled }}
+elasticsearch:
+  enabled: {{ .Values.logging.enabled }}
+cr:
+  spec:
+    server:
+      web_port: "443"
+    auth:
+      {{- if .Values.kiali.sso.enabled }}
+      strategy: openid
+      openid:
+        client_id: "{{ .Values.kiali.sso.client_id }}"
+        disable_rbac: true
+        issuer_uri: "https://{{ .Values.sso.oidc.host }}/auth/realms/{{ .Values.sso.oidc.realm }}"
+        scopes:
+        - openid
+        - email
+        username_claim: email
+      {{- else }}
+      strategy: token
+      {{- end }}
+    api:
+      namespaces:
+        # bigbang watches all!
+        exclude: []
+{{- end -}}