Authservice

.gitlab-ci.yml

@@ -27,7 +27,7 @@ stages:
 # Smoke Tests
 #
 .bigbang:
-  image: registry.dsop.io/platform-one/private/big-bang/pipeline-templates/k3d-builder:b0b45793
+  image: registry.dsop.io/platform-one/big-bang/pipeline-templates/pipeline-templates/k3d-builder:0.0.1
 
 .deploy_bigbang: &deploy_bigbang
   # Deploy flux and wait for it to be ready
@@ -36,24 +36,30 @@ stages:
   - kubectl get namespaces,pods,gitrepositories,helmrelease -A
 
   # Deploy BigBang
-  - helm upgrade -i bigbang chart -n bigbang --create-namespace --set registryCredentials.username='robot$bigbang' --set registryCredentials.password=${REGISTRY1_PASSWORD}
-  - kubectl apply -f examples/complete/envs/dev/source-secrets.yaml
+  - helm upgrade -i bigbang chart -n bigbang --create-namespace --set registryCredentials.username='robot$bigbang' --set registryCredentials.password=${REGISTRY1_PASSWORD} --set addons.argocd.enabled=true --set addons.authservice.enabled=true
+
+  # Apply secrets kustomization pointing to current branch
+  - echo "Deploying secrets from the ${CI_COMMIT_REF_NAME} branch"
+  - cat examples/complete/envs/dev/source-secrets.yaml | sed 's|master|'$CI_COMMIT_REF_NAME'|g' | kubectl apply -f -
 
   # Wait for components to be ready
   # NOTE: Wait for each package individually so they show up nicely in ci logs
-  - kubectl wait --for=condition=Ready --timeout 300s helmrelease -n bigbang gatekeeper
-  - kubectl wait --for=condition=Ready --timeout 300s helmrelease -n bigbang istio-operator
-  - kubectl wait --for=condition=Ready --timeout 300s helmrelease -n bigbang istio
-  - kubectl wait --for=condition=Ready --timeout 300s helmrelease -n bigbang monitoring
-  - kubectl wait --for=condition=Ready --timeout 300s helmrelease -n bigbang eck-operator
+  - kubectl wait --for=condition=Ready --timeout 120s helmrelease -n bigbang gatekeeper
+  - kubectl wait --for=condition=Ready --timeout 120s helmrelease -n bigbang istio-operator
+  - kubectl wait --for=condition=Ready --timeout 240s helmrelease -n bigbang istio
+  - kubectl wait --for=condition=Ready --timeout 500s helmrelease -n bigbang monitoring
+  - kubectl wait --for=condition=Ready --timeout 120s helmrelease -n bigbang eck-operator
   - kubectl wait --for=condition=Ready --timeout 300s helmrelease -n bigbang ek
   - kubectl wait --for=condition=Ready --timeout 300s helmrelease -n bigbang fluent-bit
   - kubectl wait --for=condition=Ready --timeout 300s helmrelease -n bigbang twistlock
   - kubectl wait --for=condition=Ready --timeout 300s helmrelease -n bigbang cluster-auditor
-  # Enable this after we merge in
-  # - kubectl wait --for=condition=Ready --timeout 300s helmrelease -n bigbang argocd
   - kubectl wait --for=condition=Ready --timeout 30s kustomizations.kustomize.toolkit.fluxcd.io -n bigbang secrets
 
+  # Wait for addons (only if they exist since they might not yet for upgrades)
+  # TODO: This is kinda messy
+  - kubectl get helmrelease -n bigbang argocd && kubectl wait --for=condition=Ready --timeout 300s helmrelease -n bigbang argocd
+  - kubectl get helmrelease -n bigbang authservice && kubectl wait --for=condition=Ready --timeout 300s helmrelease -n bigbang authservice
+
   # Quick check for non iron bank images
   - echo "Showing images not from ironbank:"
   # Ignore rancher images since those are from k3d
@@ -66,18 +72,17 @@ stages:
 
 clean install:
   stage: smoke tests
-#  extends:
-#    - .k3d
+  extends:
+    - .k3d
   rules:
     # Skip on merge requests (it is ran as part of the non MR pipeline)
     - if: '$CI_PIPELINE_SOURCE == "merge_request_event"'
       when: never
+    - when: always
   variables:
     CLUSTER_NAME: "clean-${CI_COMMIT_REF_SLUG}-${CI_COMMIT_SHORT_SHA}"
-  image: alpine:latest
   script:
-#    - *deploy_bigbang
-    - echo "temp"
+    - *deploy_bigbang
 
 upgrade:
   stage: smoke tests
@@ -92,8 +97,8 @@ upgrade:
     - git fetch && git checkout ${CI_DEFAULT_BRANCH}
     - *deploy_bigbang
 
-    - echo "Upgrade Big Bang from ${CI_COMMIT_BRANCH}"
-    - git checkout ${CI_COMMIT_BRANCH}
+    - echo "Upgrade Big Bang from ${CI_MERGE_REQUEST_SOURCE_BRANCH_NAME}"
+    - git checkout ${CI_MERGE_REQUEST_SOURCE_BRANCH_NAME}
     - *deploy_bigbang
 
 #-----------------------------------------------------------------------------------------------------------------------

chart/templates/authservice/authservice-helmrelease.yaml

+{{- if and .Values.istio.enabled .Values.addons.authservice.enabled }}
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: authservice
+  namespace: {{ .Release.Namespace }}
+spec:
+  targetNamespace: istio-system
+  chart:
+    spec:
+      chart: chart
+      interval: 5m
+      sourceRef:
+        kind: GitRepository
+        name: authservice
+        namespace: {{ .Release.Namespace }}
+
+  {{- with .Values.flux }}
+  interval: {{ .interval }}
+  test:
+    enable: false
+  install:
+    remediation:
+      retries: {{ .install.retries }}
+  upgrade:
+    remediation:
+      retries: {{ .upgrade.retries }}
+      remediateLastFailure: true
+    cleanupOnFail: true
+  rollback:
+    timeout: {{ .rollback.timeout }}
+    cleanupOnFail: {{ .rollback.cleanupOnFail }}
+  {{- end }}
+
+  valuesFrom:
+    - name: values
+      kind: Secret
+      valuesKey: "authservice.yaml"
+  values:
+    imagePullSecrets:
+      - name: private-registry
+
+    defaultConfig: false
+    filterLabel: keycloak
+
+  dependsOn:
+  - name: istio
+    namespace: {{ .Release.Namespace }}
+{{- end }}
\ No newline at end of file

chart/templates/authservice/gitrepository.yaml

+{{- if and .Values.istio.enabled .Values.addons.authservice.enabled  }}
+apiVersion: source.toolkit.fluxcd.io/v1beta1
+kind: GitRepository
+metadata:
+  name: authservice
+  namespace: {{ .Release.Namespace }}
+spec:
+  ignore: |
+    # exclude file extensions
+    /**/*.md
+    /**/*.txt
+    /**/*.sh
+  interval: {{ .Values.flux.interval }}
+  url: {{ .Values.addons.authservice.git.repo }}
+  ref:
+    {{- include "validRef" .Values.addons.authservice.git | nindent 4 }}
+{{- end }}

chart/templates/values.yaml

@@ -9,6 +9,8 @@ stringData:
 {{ toYaml .Values | indent 4}}
   argocd.yaml: |
 {{ toYaml .Values.addons.argocd.values | indent 4 }}
+  authservice.yaml: |
+{{ toYaml .Values.addons.authservice.values | indent 4 }}
   istio.yaml: |
 {{ toYaml .Values.istio.values | indent 4  }}
   gatekeeper.yaml: |

chart/values.yaml

@@ -83,3 +83,10 @@ addons:
       repo: https://repo1.dsop.io/platform-one/big-bang/apps/core/argocd.git
       branch: chart-release
     values: {}
+
+  authservice:
+    enabled: false
+    git:
+      repo: https://repo1.dsop.io/platform-one/big-bang/apps/sandbox/authservice.git
+      branch: master
+    values: {}
\ No newline at end of file

examples/complete/envs/dev/secrets/authservice-config.yaml

+apiVersion: v1
+kind: Secret
+metadata:
+    name: authservice-config
+    namespace: istio-system
+data:
+    config.json: ENC[AES256_GCM,data:yeHCrpjDGgn44xNfYJxhKd9hM5IL7P93KFcZRHm76DeXMwtphtmg2eUpoNJzz6SE1I01bVC6l/RtoVPxS6V8tO/hB2Lc3zZAgDLt+CdTOrY0fKGkHewm2O0NGyuYXUfkD0zQ35vmgMWtYObA+klQrS5JTfysyXrmsuG7ZvEBc1WSa7p40SyKUYSo7MooB+Q2Jm4K6HKKFm2Yg2pZ9CGSsb/GcRZVLK6fZOnQn1faqCpWFNTLNgyiovfDeEVg0F9bOO579FRjecfEeXbqIiKbr1+ztN/+yhRozQpsMBvfBDLT8R6U54LRPLSX213jzNY5yWYbLXVYGwq6EBZ7rYVUoPUDM429lqVtXxBwSZNI4dwxbj2QbY/0f75OgD0RM1c36F97DugklAOBmF1rqPMuCaojAk3I9S0OxffzbVNECLN7Nv2nKbtDl9bKuH5gTji/KQC1qJdKtWmK7QqoVh31LCJLa7aI6FTTZIdeONH9gXoubdnirp1hIoU92pMGOxfMsUWwK4gM2Q8+U230lBYwVAMHAQPxmD3iOr0DQb5e0DuhK1UF5xnCrYXteYvaq7L/6k2C7vionxdKZ+UDc6Jcub2QlS83WWjdI4VAefMA9Zrk1OmH+5TJhP1yMeXPEMLZZxUpz4umRuWk8H5j8S0clkAj37YJMnVKDYiVDJMQh49v/WKEAkSK7afw6lhAa1JIvZCCmOv9CD9nATEMjvXPM/pEVF5SfBr/6PtmGVjXw1XlELrgznfX09KEHHuoHfSupNAW7Vw6ljn+rK7n+yn/9f9MteENSBB9nYyre3DiVbjUiqcs8D82Z4/h8DnkTXHKEqb5gQT3mBR3LIiRhCvdN7Z9ywdciFevLEZyqZXLKtkwhUV01qUMQMbJtM5O1DeWc76mDPsykEs4zZR0Rc+CyvOgSj+wqC/i+hxyawoH9wccTIekO5+2WpEWZ1oAl3JIqMG2t8CxDt2KGzwiW5MKSMxSdUf4XpcOdzZbazMhEqSuFwaANDrxKJslwl5/vEcR+fy+JDPy8UFFUzRJ8YzOZa0vbYEgpdm2yvCDYkRRVsEs5OXnDtFKpVQGkHbZ7TT+wADJ5pCaM/2+WSi3Q82aH/a5NjxrTGH3sdVYKz39ucTopplpfwQMv9g6ksH1pbWqAbKZbMgHza6q0VN2KE/ss49jKBEARufxsO3qL7vEgpZr0Tu2a/mundGqKTymt43gfBh76I+pA2kvx3EiSYS7yFT6S1BeYCo1eWBZP0HHBkTuYv0N6CPJtGnc1iwKXaYb8TKqQV44AJh1ct77+d5DRYK7RAVOce8+hu4fBFSC9k4xg3k1hJbqkx9S+038uWf0OwCEvn8KZfsfW8LLaHkWiTAzFybAcA0SL1ZQntM4ZU07C10hHmMk1zgaWW0vMI66W+/UX3Qh4ZLQqUceALlIxQD3ktkpZZpXvoV4qkuuSzI2RUPYsEq1joLMPyfnhS+BDMi571pXPzwstnmsCQZcDAVWgNowqWphywtMkQFrIiIpPRKVyblYj4H4L2SUvlDnBUK2VSnHdcL4BHJeZiCMdA+rWgnAX5Ij0vHb4OdOBYr6fk9QDAmhAEUSgwSILjgBchkVpowdgkSEmmGxlqniICJIhgITJuiFI9E072yNRnaY30Ze6r4C8l75OJa3CFp7pAg9V8uobWhD8jbUvEHH1ecHQU8lfLqM06OA7IZQyRHGjVGrCMZDZnxvh/S9kmx/cA3dTedH5ouqIXdO2fhv5JPWJb/J2+qYjT+Hzb5S5B3ZGM3pSVdZiqmbiR1+f7jvqLMASIMNxXiJJccc6IA49mv9lXhtz/RVUbE/DxrrkbCJBHxzECV3yab9sB3bF4Dp5ASn4OoiWXRCOrtOHB6D878DHBAUJVRDN9vumF35wPNzEeLQa4W/fcvwofI6Zp3J9E+m0zL0orF26HMmPR/LqJeg8c9HEEYxWvwJGJDMKH6sobtZIDu6mb5Nv7hbdVccjc0ly0FeShbWxJDB43xDAXooolfyS8dE+V9YywPg5iooT2uErGmN6e4kxN75RaV9ADH4j5dqxfZYUSJFL6FBCK11fruTgTqxKWy8oBz5T6O5dG/00zQu7SF7z3I5ep8H7O7l23008b8BSiDSmb3MOlvEjCrhw+NqBm9JfUO1hJAEKhNJ4l9TPZOjucpu7qWlVbGdTSMjUCNdUH6SMnGU9RFY3t9yBDzKVOhHnVJpe588zYcCm1yLqIA5wPzX8VLsuc6BMEDxgf2XApcHpegodCkUQO9WuWBJb8ahT5kPdxDlN61FJNs1n7Scp2Y6/1qVdh6fup5jY0P+FxpgAyfuVCzdtRMlkbeyxxfyyztafhBbSJ9GS6ZKJ1TAGl6WB1Y5VD7kXbLHcAgFn83twdEDOK9dSo3/Bo94hBiTYgEmewH6SdWH1Ds1pA8uexlyLHWhBHPREJeN7F18/y+Kx5VJaF9CW4874h2WMexTJvNy9w9C4Txyr4osM9R/0wtaxHvU7SjuKZropItz2WKjNrn3YhDwXQ8kcbSg9SK5zBtSXIH6gGhW6ifakY5/+EYSWRI7nN5gGnci2TWLmRPgKErNFTdg0bvaQ6joTdQAMVjDakjgsk7wgAEsuI88L2DokpPXvVTDEr82I/ysAtyTp93CgRi7tuvkx1g/qE4vZhSUKC60xGxdqiP5RHHphT8Trpu//btd+kI0CSDn+w7eWNnnj35EGz/xOE4NPix9M115kwvau2NUyA/fOP33GnSLuyavV65AwO8FbE0MA8vKP/bO3AFb2xROSThcD42jfJnCQRTTxFxeJgbykOLe0zSZybw0NQ/EJs/SmITdXiQWE//9ozOt4IhxXgmYvUgl4yW3VExg6iPWbOOcs0rPp5eXJeF/J19XZ00nW8TXHDGjDio2P5yc1feaI85pAAZREjQ0kBheLYoNmQeVQIgh0CfUzf7Etl/DE4p3sfbmmdyln8XMvoq5MTE2/gEMEx91K7dJvB6qaSI+kiCzj+tLjigZEan+sgQNkV3/NEA+Nml/t9jyoLxxG/WYyM4G8XN+qubm2y3nBjq+eHQgd0fadm2I8AI1AYP7DnV16zu5VYWdVw/W5I0iNIbRzGOD+gtz2R+jbSsjaYg05g4444korcIM6sBHk/J5piCr1ZSaAUClws6IlZ/rqhqKrkrKZ/fQXoyLp2q5dVw0IBbjIMkouwN1SeukalLcFwVoiKnHr2iCiLKSfz8BVt9WZfaL5xj6MPX6z7YioJC0gzzyMzo5WE7+jOEBKDxC7rX7LuZLFv52DMz0v/3xXCtCzXJpbDqqBF/9Q1Y0zEJ6C2qsFdx8yMu5Tl9oagALjdqtriRwF9qwjW9anS2DJSqXUCQe0Lk2TQL7W3nAIlCc6al6QFidtci64BWX6hQ9njTGFZRxXiLfjghi5r/AJP2RSnBiA5VP5YJhWkh+Z1P54QyqlnFSWJMelP8IVLiMVJrtYNpH7jPoqOJoW5LT2c4Ar5z+pJA+nK7FneUCHEtVXAorgiTV69rWsFKrOMWAWPnWwx5nwIH1rMKGZmBHMTbNtIdtbpyC6QkJNsDUJSv9KSxAooFiYxZMIucT3KdWfbR4BuZFk4Wiz1B1AKWEmf/1J5/zEyLY5E4Rb9mSKHcJPXtVgOsHe5U5LdP48WR7cep3zSZ3JrqzfH+o+CAjkh79fld/Cvzoo02pN0IhHzhvDnnMygjOuUsoDC+iYb5CoPEcik8VvAwsEFK0f6mLCKjYMQDjxAgrq/8wKBwKYAXjhLi133p2NUoCA9+OQOlCSv7BygQ9iG+SekabS+4Tziqe6cFqDDz9KvzGRZyLD3fkX+bpGRo9uKloldvlVQ0BJ+3PADvHAm5XqrqtI0isW3Z/I9qnJnD15piRLyJAUDObI4HRHUF5Txexg9v3SAUSVguSn0tSujHNM+3oLpkhwD/Y/crqx0AN5YK/b8RJVht/IXfn0sI0xLvqcLtbiXktG9XBOtPkTxePj5ELzRaeHv4NGE58CAEanFsTyI22ePwKiISr1OdpyzxIMNWgew/kzX2R4Pf63w6J0ebiNIDLSBsNbSsXsbp5mlaCmjIx06RLArviNG+ZigxGzfeVRzYCUVVOld58SJNrFgcgcY1fNQKYQChZx+tlx65YWKpy6zNB0aCRTmRmHCsWsm4dT3y7v4zPGE3D9emhwdMwhjr0mkBTRv8VYFJ/4VtKFkz6Mnq7991BajMWkOZLqtH3otbwNRahtqFiUey5ZmQrNVYgIHQUw2Ks1HMY7BGkwRmdhaXPjB0J8/dGKir3OiZe5f8UjcMCeIwRICzFgrPn8nd9F7jiFd8FrO8r9FW2Oo089r4M6X0f/FvkHOJKkyCpQdqZ1rBPibPUhuHugZRb0A52A8DJzeNkJvmyDhjn+x3+yty4BEaXreHYPH3vIc6nOxefa5y3gS+UfzXl+8GUPbQRq/LGD92xVccfhZZjZGznOFrQDvjICGk/yEECa/9JY4IAK2UR+1UTaoY0U33Nc3yFW/20dkSc1QQWsio/8qkJkz1f2TPprCWstYTWRCb/FArAmMyEmo03y3zm5rApgPD56Eo=,iv:bpn4VO7gA0MYMBgmgoDwIblHGlVW3Ekmg8wNmYl0YD0=,tag:tQKh11BYua3PdBXHDuejcg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    lastmodified: '2020-11-20T20:10:39Z'
+    mac: ENC[AES256_GCM,data:ox2+A0U6gJY/m6zrWs0b9zNRrnuIy/3JdPaFyENcttGA00Fuhsb8Yqefgy1lU/mrO4SSZEq8tfEnIezP0OhOFYku8uUjYNdV89KDdDq+VAQGNE2nVZk/2v3BidBmxE8g7BW+NmBTVjjEFqWHHx6pC8iNBg4/hdqtY4QlHcgxHWs=,iv:EWsQ1BCIto+jM3s9q/uymxurSIAV91k7yDTkx0jtBSA=,tag:kjgaqwqJMur0oRmV8XF6Ew==,type:str]
+    pgp:
+    -   created_at: '2020-11-20T20:10:38Z'
+        enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA93W3Fi3CqSYARAAmhjQ6dahjX4RFXwErHl5pJBYwNuRC6WyJZXYwDqWwxd0
+            eAIJ8/FyFqdHYG3lCAnICqLbdC/0UaXnBa5KDEMAcz7xHheq9NQCAuVL4sxyLklq
+            JdTO55SHPU3SO04cG++sB8VZhi0tUORMmNA0NoLrkMzx14V3UjEY3fWye4hL26a2
+            Ei6QhdbGHhEdq6/8nOOQXc1h8fAzchiJ5316fNIg/tdr6My0mUuDwi/pWeow4j5o
+            iiEtK6OsPPKgE4UaclQj2+CDKPhP4z6Ljuwd7EBPjrdywkHUmmbx3mJk6BOUiMdN
+            EvpVXpcz3sTu4RKmdzqDHocwbvxFW/cuXaAWWzaM3BpR970Itz1qV663RN3uuMr5
+            hnkiCiwk0T12dZ5B+DK7kdirT0my9mPkOM4+BmpTUvsiTF2OVI5+zwt/h4ZtUy1e
+            QVEpzSVpGsY/EN+2hFEuEmBnNBi8gmzMRa+FZJyvs26K8AeH0Rja4sjFYf8ccAfx
+            6b3XLhOci6xa1Ik3HeWlOf78bMwnuHl0H9rgtg1S+AGWRJOG4tfJCTRpi9j/srVn
+            /x0wBVFyPiTV5oIjQgWoJgw4ZOz7XW23xmr9SpCP4ZwPu4q4I+KSlPb4pM0jSzZw
+            zpuvAKWJPkTxBGYewjjgImgWOGkhoIDah71djed3E/EtPULqSAUCjyXO4ktpI2HS
+            XgHvRRyHDbaKz7u9JuuGCRhQ0R0SQn4sGYwu5IiYiEP0sHcKs5p9Y/ThsyEKeyis
+            jMcf4GfW/yCmjudrfZ3V8yRDWG105QURx7qtSaMJ1nMGUFMq+bphDNRQopeBwUE=
+            =Ztvz
+            -----END PGP MESSAGE-----
+        fp: 41BFF8BAF2586039F6293D835A2E820C25FE527C
+    encrypted_regex: ^(data|stringData)$
+    version: 3.6.1