diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index b91a8b2b04e2d0b957e2f8b8ba16dc6504eb247a..29cdb054ea5d093b8530d39fcb71b054aa830a0e 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -33,6 +33,18 @@ variables: IMAGE_PKG: images.tar.gz REPOS_PKG: repositories.tar.gz +.bigbang-dogfood: + tags: + - bigbang + - dogfood + +.bigbang: + image: registry.dsop.io/platform-one/big-bang/pipeline-templates/pipeline-templates/k3d-builder:0.0.1 + extends: .bigbang-dogfood + after_script: + - kubectl get all -A + - kubectl get helmrelease -A + #----------------------------------------------------------------------------------------------------------------------- # Pre Stage Jobs # @@ -40,6 +52,8 @@ variables: changelog: image: registry.dsop.io/platform-one/big-bang/pipeline-templates/pipeline-templates/pre-envs:ubi8.3 stage: .pre + extends: + - .bigbang-dogfood allow_failure: true variables: CHANGELOG_FILE: CHANGELOG.md @@ -50,6 +64,8 @@ changelog: version: image: registry.dsop.io/platform-one/big-bang/pipeline-templates/pipeline-templates/pre-envs:ubi8.3 stage: .pre + extends: + - .bigbang-dogfood allow_failure: true variables: CHART_FILE: chart/Chart.yaml @@ -61,6 +77,8 @@ version: commits: image: registry.dsop.io/platform-one/big-bang/pipeline-templates/pipeline-templates/pre-envs:ubi8.3 stage: .pre + extends: + - .bigbang-dogfood allow_failure: true script: - dnf module install -y nodejs @@ -71,6 +89,8 @@ commits: pre vars: image: registry.dsop.io/platform-one/big-bang/pipeline-templates/pipeline-templates/pre-envs:ubi8.3 stage: .pre + extends: + - .bigbang-dogfood artifacts: reports: dotenv: variables.env @@ -102,12 +122,6 @@ pre vars: # Smoke Tests # -.bigbang: - image: registry.dsop.io/platform-one/big-bang/pipeline-templates/pipeline-templates/k3d-builder:0.0.1 - after_script: - - kubectl get all -A - - kubectl get helmrelease -A - .deploy_bigbang: &deploy_bigbang - find ./scripts/deploy -type f -name '*.sh' | sort | xargs -r -I {} sh -c 'echo {} && sh {}' 
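Review bot: `.bigbang` now carries `extends: .bigbang-dogfood`, yet every `aws/rke2/bigbang *` job in the later hunks of this file lists both `- .bigbang-dogfood` and `- .bigbang` in its `extends`, so the tag set is inherited twice through two paths. Either drop the `extends` from `.bigbang` or drop the explicit `.bigbang-dogfood` entry from the jobs that already extend `.bigbang`, so there is one place to change the runner tags later. A short comment on `.bigbang-dogfood` saying what the `bigbang`/`dogfood` tag pair selects would also help, since nothing in the file explains it.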
@@ -117,13 +131,15 @@ pre vars: clean install: stage: smoke tests extends: - - .k3d + - .k3s-ci variables: CLUSTER_NAME: "clean-${CI_COMMIT_SHORT_SHA}" script: - *deploy_bigbang - *test_bigbang - - docker exec -i k3d-${CLUSTER_NAME}-server-0 crictl images -o json | jq -r '.images[].repoTags[0] | select(. != null)' > images.txt + + # Fetch list of all images ran + - curl -sfL k3s:8081/images | jq -r '.images[].repoTags[0]' > images.txt artifacts: paths: - images.txt @@ -134,7 +150,7 @@ upgrade: dependencies: - pre vars extends: - - .k3d + - .k3s-ci rules: # skip job when MR title starts with 'Breaking Change' - if: '$CI_MERGE_REQUEST_TITLE =~ /^Breaking Change/' @@ -142,7 +158,7 @@ upgrade: # run pipeline on merge request events - if: $CI_PIPELINE_SOURCE == "merge_request_event" variables: - CLUSTER_NAME: "clean-${CI_COMMIT_SHORT_SHA}" + CLUSTER_NAME: "upgrade-${CI_COMMIT_SHORT_SHA}" script: - if $CHART_BREAKING_CHANGE; then echo "Breaking change detected by chart version difference, skipping job"; exit 0; fi - echo "Install Big Bang from ${CI_DEFAULT_BRANCH}" @@ -201,6 +217,7 @@ upgrade: aws/network up: extends: + - .bigbang-dogfood - .infra fork - .network up environment: @@ -209,6 +226,7 @@ aws/network up: aws/network down: extends: + - .bigbang-dogfood - .infra cleanup - .network down stage: network down @@ -226,6 +244,7 @@ aws/network down: aws/rke2/cluster up: stage: cluster up extends: + - .bigbang-dogfood - .infra create - .rke2 up needs: @@ -239,6 +258,7 @@ aws/rke2/cluster up: aws/rke2/bigbang up: stage: bigbang up extends: + - .bigbang-dogfood - .infra create - .bigbang needs: @@ -258,6 +278,7 @@ aws/rke2/bigbang up: aws/rke2/bigbang test: stage: test extends: + - .bigbang-dogfood - .infra create - .bigbang needs: @@ -280,6 +301,7 @@ aws/rke2/bigbang test: aws/rke2/bigbang down: stage: bigbang down extends: + - .bigbang-dogfood - .infra cleanup - .bigbang needs: 
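Review bot: The rewritten image-list step in `clean install` drops the `select(. != null)` filter that the removed `docker exec … crictl` line had, so an image with an empty `repoTags` array now writes the literal string `null` into images.txt and whatever consumes that artifact sees a bogus image name. Keep the filter: `- curl -sfL k3s:8081/images | jq -r '.images[].repoTags[0] | select(. != null)' > images.txt`. The list is also fetched over plain HTTP from `k3s:8081`; if that endpoint is only reachable from the job's service network that is acceptable, but the `# Fetch list of all images ran` comment should say so.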
@@ -300,6 +322,7 @@ aws/rke2/bigbang down: aws/rke2/cluster down: stage: cluster down extends: + - .bigbang-dogfood - .infra cleanup - .rke2 down needs: @@ -318,6 +341,8 @@ aws/rke2/cluster down: package: stage: package image: registry.dsop.io/platform-one/big-bang/umbrella/synker:0.0.1 + extends: + - .bigbang-dogfood rules: # run job for manual tag events - if: $CI_COMMIT_TAG @@ -351,6 +376,8 @@ package: release: stage: release image: registry.gitlab.com/gitlab-org/release-cli:latest + extends: + - .bigbang-dogfood rules: # run job for manual tag events - if: $CI_COMMIT_TAG diff --git a/.gitlab-ci/jobs/ci-cluster/.gitlab-ci.yml b/.gitlab-ci/jobs/ci-cluster/.gitlab-ci.yml new file mode 100644 index 0000000000000000000000000000000000000000..f37d75867c68d43a309730dd1756275034b1684a --- /dev/null +++ b/.gitlab-ci/jobs/ci-cluster/.gitlab-ci.yml @@ -0,0 +1,26 @@ +.k8s-util: + image: registry.dso.mil/platform-one/big-bang/pipeline-templates/pipeline-templates/k8s-ci:v1.20.2 + +.dind-runner: + tags: + - bigbang + - privileged + - dogfood + +.k3s-ci: + extends: + - .k8s-util + - .dind-runner + services: + - name: registry.dso.mil/platform-one/big-bang/pipeline-templates/pipeline-templates/k3s-ci:v1.20.2-k3s1-bb.0 + alias: k3s + command: + - "server" + - "--tls-san=k3s" + - "--disable=metrics-server" + - "--disable=traefik" + before_script: + - mkdir -p ~/.kube + - curl -sfL k3s:8081?service=k3s > ~/.kube/config + - kubectl version + - kubectl cluster-info diff --git a/.gitlab-ci/jobs/k3d/.gitlab-ci.yml b/.gitlab-ci/jobs/k3d/.gitlab-ci.yml deleted file mode 100644 index 94546061b6408bd59cbc3f314679c2b4880fa4ad..0000000000000000000000000000000000000000 --- a/.gitlab-ci/jobs/k3d/.gitlab-ci.yml +++ /dev/null 
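Review bot: In the new `.k3s-ci` template the `before_script` writes whatever `curl -sfL k3s:8081?service=k3s` returns straight into `~/.kube/config`; `-f` only catches HTTP error codes, so a 200 with an unexpected body is not noticed until the later `kubectl version` fails with an unrelated-looking error. Nothing documents that this unauthenticated plain-HTTP endpoint is presumably reachable only from the job's service network and hands out admin credentials for an ephemeral cluster — a comment above the curl line such as `# kubeconfig served by the k3s-ci sidecar; job-local endpoint, credentials die with the job` would record that assumption. Also consider `chmod 600 ~/.kube/config` right after the fetch, since the file holds the cluster's client key.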
@@ -1,32 +0,0 @@ -.k3d_before_script: &k3d_before_script - # Starting dnsmasq for cluster dns resolution - - docker run -d -p 53:53/udp -p 53:53 registry.dsop.io/platform-one/big-bang/pipeline-templates/pipeline-templates/go-dnsmasq:0eddd476 - - echo "nameserver 127.0.0.1" >> /etc/resolv.conf - # Standup cluster - - k3d cluster create ${CLUSTER_NAME} --k3s-server-arg "--disable=traefik" --k3s-server-arg "--disable=metrics-server" -p 80:80@loadbalancer -p 443:443@loadbalancer --wait --agents $N_AGENTS --servers $N_SERVERS - - while ! (kubectl get node | grep "server" > /dev/null); do sleep 3; done - - kubectl get nodes - - k3d node list - -.k3d_after_script: &k3d_after_script - - k3d cluster delete ${CLUSTER_NAME} - -.k3d: - image: registry.dsop.io/platform-one/big-bang/pipeline-templates/pipeline-templates/k3d-builder:045fb1c2 - services: - - registry.dsop.io/platform-one/big-bang/pipeline-templates/pipeline-templates/docker:dind - tags: - - bigbang - - privileged - - public - variables: - DOCKER_HOST: tcp://localhost:2375/ - DOCKER_DRIVER: overlay2 - DOCKER_TLS_CERTDIR: "" - CLUSTER_NAME: ${CI_COMMIT_REF_SLUG} - N_SERVERS: 1 - N_AGENTS: 0 - before_script: - - *k3d_before_script - after_script: - - *k3d_after_script \ No newline at end of file diff --git a/.gitlab-ci/templates.yml b/.gitlab-ci/templates.yml index 736dd64a58d724f31ec5f34cebed5c96cab571ee..0904d75f4ea45f458532dfa1d7cf45276051aa90 100644 --- a/.gitlab-ci/templates.yml +++ b/.gitlab-ci/templates.yml @@ -2,8 +2,8 @@ include: # "Default" AWS Networking - local: '/.gitlab-ci/jobs/networking/aws/.gitlab-ci.yml' - # K3D Gitlab CI job - - local: '/.gitlab-ci/jobs/k3d/.gitlab-ci.yml' + # Clusters in CI + - local: '/.gitlab-ci/jobs/ci-cluster/.gitlab-ci.yml' # RKE2 Gitlab CI jobs - local: '/.gitlab-ci/jobs/rke2/.gitlab-ci.yml' diff --git a/CHANGELOG.md b/CHANGELOG.md index e06d4890f31eac849b8e4650aa85e73eae64fb49..43b22cf175ee1ace073176f4970de6e66e8e77b4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -4,9 +4,58 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), --- +<<<<<<< HEAD ## [1.0.5] * Added Kubernetes labels to all objects created by umbrella +======= +## [1.0.6] + +* Added [HAProxy Addon](https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/haproxy) +* Added support for automatically populating configs and settings for the following placing SSO in front of apps without support: +``` +istio: + sso: + enabled: true + prometheus: + client_id: + client_secret: + alertmanager: + client_id: + client_secret: + +monitoring: + sso: + enabled: true + kiali: + client_id: + client_secret: + jaeger: + client_id: + client_secret: +``` +* Added authservice namespace where authservice addon and haproxy deployment will be created. +* Added global sso options for umbrella which will be applied to all configured authservice chains: +``` +sso: + oidc: + host: login.dso.mil + realm: baby-yoda + certificate_authority: '' + jwks: "" + client_id: "" + client_secret: "" +``` +* Updated syntax for authservice chains definition. + +## [1.0.5] + +* Bumped monitoring chart to consume kiwigrid/sidecar from IronBank + +## [1.0.4] + +* Bug fix where argocd's VirtualService wouldn't recieve the top level hostname value. +>>>>>>> origin/master ## [1.0.3] @@ -84,4 +133,4 @@ for setting ingressgateway to use nodeports * Initial release of Big Bang ---- \ No newline at end of file +--- diff --git a/base/gitrepository.yaml b/base/gitrepository.yaml index 9e20f13852b766b6ce6552e87c1de9ba494826a1..3d8a00a772549b5c47376960dcd4bd4085e601bb 100644 --- a/base/gitrepository.yaml +++ b/base/gitrepository.yaml @@ -11,4 +11,4 @@ spec: interval: 10m url: https://repo1.dsop.io/platform-one/big-bang/umbrella.git ref: - tag: 1.0.5 \ No newline at end of file + tag: 1.0.7 \ No newline at end of file diff --git a/chart/Chart.yaml b/chart/Chart.yaml index 02a48339ac35f9953bdb36d5a98cdb21f05b6c9d..6364dbd2ae1c2f61b67872dc1b144343939fee51 100644 --- a/chart/Chart.yaml 
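Review bot: The CHANGELOG hunk commits an unresolved merge conflict — `<<<<<<< HEAD`, `=======` and `>>>>>>> origin/master` are all present on the new side — so the file is broken and `## [1.0.5]` appears twice with different bullets. Resolve it into a single `[1.0.5]` section containing both bullets. Since chart/Chart.yaml and base/gitrepository.yaml in this same commit move to `1.0.7` while the newest entry on the `origin/master` side is `[1.0.6]`, the file also needs a `## [1.0.7]` entry at the top covering the SSO/HAProxy work.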
+++ b/chart/Chart.yaml @@ -1,3 +1,3 @@ apiVersion: v2 name: bigbang -version: 1.0.5 +version: 1.0.7 diff --git a/chart/templates/argocd/argocd-helmrelease.yaml b/chart/templates/argocd/argocd-helmrelease.yaml index 5a7a59fb2cb6db8d81df54e992121f8c5acc0b31..49deb582217c48a394a3722c7db9db7c224b4e59 100644 --- a/chart/templates/argocd/argocd-helmrelease.yaml +++ b/chart/templates/argocd/argocd-helmrelease.yaml @@ -41,6 +41,7 @@ spec: kind: Secret valuesKey: "argocd.yaml" values: + hostname: {{ .Values.hostname }} createNamespace: false imagePullSecrets: - name: private-registry diff --git a/chart/templates/authservice/authservice-helmrelease.yaml b/chart/templates/authservice/authservice-helmrelease.yaml index 702879064eaa63b18562eeb80af036f023627f55..40fd61db5b504bd29fcdc0480b7717d29582251d 100644 --- a/chart/templates/authservice/authservice-helmrelease.yaml +++ b/chart/templates/authservice/authservice-helmrelease.yaml @@ -1,4 +1,4 @@ -{{- if and .Values.istio.enabled .Values.addons.authservice.enabled }} +{{- if and .Values.istio.enabled ( or .Values.addons.authservice.enabled .Values.istio.sso.enabled ) }} apiVersion: helm.toolkit.fluxcd.io/v2beta1 kind: HelmRelease metadata: @@ -9,7 +9,7 @@ metadata: app.kubernetes.io/component: "core" {{- include "commonLabels" . | nindent 4}} spec: - targetNamespace: istio-system + targetNamespace: authservice chart: spec: chart: {{ .Values.addons.authservice.git.path }} 
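Review bot: The authservice HelmRelease guard becomes `and .Values.istio.enabled (or .Values.addons.authservice.enabled .Values.istio.sso.enabled)`, but the new chart/templates/authservice/namespace.yaml creates the `authservice` Namespace, the `private-registry` pull secret and the `haproxy-sso` HelmRelease only under `and .Values.istio.enabled .Values.addons.authservice.enabled`. With `istio.sso.enabled: true` and `addons.authservice.enabled: false` the HelmRelease therefore targets a namespace that is never created and references a pull secret that does not exist, and the kiali/jaeger ingress blocks added in the istio-controlplane hunk (and the prometheus/alertmanager ones in the monitoring hunk) send traffic to `authservice-haproxy-sso`, which is likewise not deployed. The condition also ignores `monitoring.sso.enabled` although prometheus/alertmanager chains are configured in this same file. Put one expression such as `{{- if and .Values.istio.enabled (or .Values.addons.authservice.enabled .Values.istio.sso.enabled .Values.monitoring.sso.enabled) }}` in a named template and use it in all four files so they cannot drift.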
@@ -43,9 +43,45 @@ spec: values: imagePullSecrets: - name: private-registry - - filterLabel: keycloak - + global: + oidc: + host: {{ .Values.sso.oidc.host }} + realm: {{ .Values.sso.oidc.realm }} + {{- if .Values.sso.jwks }} + jwks: "{{ .Values.sso.jwks }}" + {{- end }} +{{- if .Values.sso.client_id}} + client_id: {{ .Values.sso.client_id }} +{{- end }} +{{- if .Values.sso.client_secret }} + client_secret: {{ .Values.sso.client_secret }} +{{- end }} + certificate_authority: {{ .Values.sso.certificate_authority }} + chains: + kiali: + match: + header: ":authority" + prefix: "kiali" + client_id: {{ .Values.istio.sso.kiali.client_id }} + callback_uri: https://kiali.{{ .Values.hostname }}/login + jaeger: + match: + header: ":authority" + prefix: "tracing" + client_id: "{{ .Values.istio.sso.jaeger.client_id }}" + callback_uri: https://tracing.{{ .Values.hostname }}/login + prometheus: + match: + header: ":authority" + prefix: "prometheus" + client_id: {{ .Values.monitoring.sso.prometheus.client_id }} + callback_uri: https://prometheus.{{ .Values.hostname }}/login/generic_oauth + alertmanager: + match: + header: ":authority" + prefix: "alertmanager" + client_id: {{ .Values.monitoring.sso.alertmanager.client_id }} + callback_uri: https://alertmanager.{{ .Values.hostname }}/login/generic_oauth dependsOn: - name: istio namespace: {{ .Release.Namespace }} diff --git a/chart/templates/authservice/namespace.yaml b/chart/templates/authservice/namespace.yaml new file mode 100644 index 0000000000000000000000000000000000000000..6760d1366838944dc77ff12ecea11dabdd2613b4 --- /dev/null +++ b/chart/templates/authservice/namespace.yaml 
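Review bot: `client_secret: {{ .Values.sso.client_secret }}` is rendered into `spec.values` of the HelmRelease object itself, so the global OIDC client secret ends up in a plain (non-Secret) API object readable by anyone who can get helmreleases, whereas the per-chain `client_secret`s added in this commit are correctly placed in the `authservice.yaml` entry of the values Secret (chart/templates/values.yaml) and merged through `valuesFrom`. Move `global.oidc.client_secret` there as well and remove it from this hunk. On the same lines, `certificate_authority: {{ .Values.sso.certificate_authority }}` renders as `certificate_authority: ` (YAML null) with the chart default `''`, so write `certificate_authority: "{{ .Values.sso.certificate_authority }}"`, and `client_id` is quoted for jaeger but not for kiali/prometheus/alertmanager — quote all four. The `chains:` block is also emitted unconditionally, so with only `istio.sso.enabled` set authservice still receives prometheus and alertmanager chains; gating each pair on its own flag would be cleaner, taking care not to leave `chains:` as an empty key when both are off.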
@@ -0,0 +1,155 @@ +{{- if and .Values.istio.enabled .Values.addons.authservice.enabled }} +apiVersion: v1 +kind: Namespace +metadata: + name: authservice + {{- if .Values.istio.enabled }} + labels: + istio-injection: enabled + {{- end }} + +{{- if ( include "imagePullSecret" . ) }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: private-registry + namespace: authservice +type: kubernetes.io/dockerconfigjson +data: + .dockerconfigjson: {{ template "imagePullSecret" . }} +{{- end }} +--- +apiVersion: helm.toolkit.fluxcd.io/v2beta1 +kind: HelmRelease +metadata: + name: haproxy-sso + namespace: {{ .Release.Namespace }} +spec: + targetNamespace: authservice + chart: + spec: + chart: "./chart" + interval: 5m + sourceRef: + kind: GitRepository + name: haproxy + namespace: {{ .Release.Namespace }} + + {{- with .Values.flux }} + interval: {{ .interval }} + test: + enable: false + install: + remediation: + retries: {{ .install.retries }} + upgrade: + remediation: + retries: {{ .upgrade.retries }} + remediateLastFailure: true + cleanupOnFail: true + rollback: + timeout: {{ .rollback.timeout }} + cleanupOnFail: {{ .rollback.cleanupOnFail }} + {{- end }} + + values: + hostname: {{ .Values.hostname }} + + podLabels: + protect: keycloak + config: | + global + maxconn 1024 + daemon + log stdout format raw local0 info + defaults + log global + mode http + option httplog + timeout client 60s + timeout connect 60s + timeout server 60s + frontend fe_main + # Create custom headers as temporary holding places for info + http-request set-header X-Scheme http if !{ ssl_fc } + http-request set-header X-Scheme https if { ssl_fc } + http-request set-header X-TraceId %[rand,hex,bytes(8,8),lower]%[rand,hex,bytes(8,8),lower]%[rand,hex,bytes(8,8),lower] + http-request set-header X-SegmentId0 %[rand,hex,bytes(8,8),lower]%[rand,hex,bytes(8,8),lower] + http-request set-header X-SegmentId1 %[rand,hex,bytes(8,8),lower]%[rand,hex,bytes(8,8),lower] + http-request set-header X-SegmentId2 
%[rand,hex,bytes(8,8),lower]%[rand,hex,bytes(8,8),lower] + http-request set-header X-SegmentId3 %[rand,hex,bytes(8,8),lower]%[rand,hex,bytes(8,8),lower] + http-request set-header X-SegmentId4 %[rand,hex,bytes(8,8),lower]%[rand,hex,bytes(8,8),lower] + + # Declare capture slots for logging headers + declare capture request len 512 + http-request capture req.fhdr(User-Agent) id 0 + + declare capture request len 5 + http-request capture req.hdr(X-Scheme) id 1 + + declare capture request len 512 + http-request capture req.hdr(Host) id 2 + + declare capture request len 24 + http-request capture req.hdr(X-TraceId) id 3 + + declare capture request len 16 + http-request capture req.hdr(X-SegmentId0) id 4 + + declare capture request len 16 + http-request capture req.hdr(X-SegmentId1) id 5 + + declare capture request len 16 + http-request capture req.hdr(X-SegmentId2) id 6 + + declare capture request len 16 + http-request capture req.hdr(X-SegmentId3) id 7 + + declare capture request len 16 + http-request capture req.hdr(X-SegmentId4) id 8 + + declare capture response len 8 + http-response capture res.hdr(Content-Length) id 0 + + # Generate a unique Trace ID + unique-id-format %{+X}o\ 1-%[date,hex,bytes(8,8),lower]-%[capture.req.hdr(3)] + http-request set-header X-Amzn-Trace-Id Root=%[unique-id,lower] + bind :8080 + acl host_kiali hdr(host) -i kiali.{{ .Values.hostname }} + acl host_tracing hdr(host) -i tracing.{{ .Values.hostname }} + acl host_alertmanager hdr(host) -i alertmanager.{{ .Values.hostname }} + acl host_prometheus hdr(host) -i prometheus.{{ .Values.hostname }} + + option forwardfor + use_backend kiali_main if host_kiali + use_backend tracing_main if host_tracing + use_backend alertmanager_main if host_alertmanager + use_backend prometheus_main if host_prometheus + backend kiali_main + mode http + server kiali kiali.istio-system.svc.cluster.local:20001 + backend tracing_main + mode http + server jaeger tracing.istio-system.svc.cluster.local:80 + backend 
alertmanager_main + mode http + option forwardfor + http-request replace-header Host .* monitoring-monitoring-kube-alertmanager.monitoring.svc.cluster.local + server alertmanager monitoring-monitoring-kube-alertmanager.monitoring.svc.cluster.local:9093 + backend prometheus_main + mode http + option forwardfor + http-request replace-header Host .* monitoring-monitoring-kube-prometheus.monitoring.svc.cluster.local + server prometheus monitoring-monitoring-kube-prometheus.monitoring.svc.cluster.local:9090 + + image: + repository: registry1.dso.mil/ironbank/opensource/haproxy/haproxy22 + containerPorts: + http: 8080 + dependsOn: + - name: istio + namespace: {{ .Release.Namespace }} + - name: monitoring + namespace: {{ .Release.Namespace }} +{{- end }} \ No newline at end of file diff --git a/chart/templates/gitlab/helmrelease.yaml b/chart/templates/gitlab/helmrelease.yaml index 6b18d6674c8e843dae2c664df5cec8e96724e6f6..75d2b8a218bdc3d19bff1206a908795ea2187e41 100644 --- a/chart/templates/gitlab/helmrelease.yaml +++ b/chart/templates/gitlab/helmrelease.yaml @@ -19,7 +19,7 @@ spec: kind: GitRepository name: gitlab namespace: {{ .Release.Namespace }} - + timeout: 10m {{- with .Values.flux }} interval: {{ .interval }} test: diff --git a/chart/templates/haproxy/gitrepository.yaml b/chart/templates/haproxy/gitrepository.yaml new file mode 100644 index 0000000000000000000000000000000000000000..f873b93b48a34ba3a46846b684f0ff38881cfd0d --- /dev/null +++ b/chart/templates/haproxy/gitrepository.yaml @@ -0,0 +1,12 @@ +apiVersion: source.toolkit.fluxcd.io/v1beta1 +kind: GitRepository +metadata: + name: haproxy + namespace: {{ .Release.Namespace }} +spec: + interval: {{ .Values.flux.interval }} + url: {{ .Values.addons.haproxy.git.repo}} + ref: + {{- include "validRef" .Values.addons.haproxy.git | nindent 4 }} + {{ include "gitIgnore" . }} + {{- include "gitCreds" .Values.git | nindent 2 }} \ No newline at end of file 
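Review bot: chart/templates/authservice/namespace.yaml carries far more than a Namespace — the `private-registry` Secret and the entire `haproxy-sso` HelmRelease with a ~90-line inline HAProxy config — which makes the file name misleading and puts the proxy config in the wrong directory when chart/templates/haproxy/ already exists; move the HelmRelease to chart/templates/haproxy/haproxy-helmrelease.yaml. Inside the Namespace block the inner `{{- if .Values.istio.enabled }}` around `istio-injection: enabled` is redundant because the enclosing guard already requires `.Values.istio.enabled`. In the HAProxy config the four `acl host_*` lines with `use_backend … if …` and no `default_backend` mean a request whose Host matches none of them should get a 503 rather than be forwarded, which is the desired fail-closed behaviour; a one-line comment above the ACLs stating that (`# no default_backend on purpose: unknown hosts must not reach a backend`) stops someone "fixing" it later. The file also ends without a trailing newline.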
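Review bot: The new chart/templates/haproxy/gitrepository.yaml has no condition, so every install reconciles the haproxy GitRepository even though the only HelmRelease that consumes it (in chart/templates/authservice/namespace.yaml) is rendered solely under `and .Values.istio.enabled .Values.addons.authservice.enabled`; wrap this file in the same guard. `url: {{ .Values.addons.haproxy.git.repo}}` should be quoted like a templated scalar, `url: "{{ .Values.addons.haproxy.git.repo }}"`, and the file lacks a trailing newline.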
diff --git a/chart/templates/istio/controlplane/istio-controlplane-helmrelease.yaml b/chart/templates/istio/controlplane/istio-controlplane-helmrelease.yaml index d57e5a0f1cddd42fb57dd8b342c332394637c2fc..9c28d6af50f81be0f253c9f157083da082341aa8 100644 --- a/chart/templates/istio/controlplane/istio-controlplane-helmrelease.yaml +++ b/chart/templates/istio/controlplane/istio-controlplane-helmrelease.yaml @@ -42,10 +42,24 @@ spec: valuesKey: "istio.yaml" values: hostname: {{ .Values.hostname }} + sso: + enabled: {{ .Values.istio.sso.enabled }} imagePullSecrets: - private-registry +{{- if .Values.istio.sso.enabled }} + ingress: + kiali: + service: authservice-haproxy-sso + port: 8080 + namespace: authservice + jaeger: + service: authservice-haproxy-sso + port: 8080 + namespace: authservice +{{- end }} + dependsOn: - name: istio-operator namespace: {{ .Release.Namespace }} diff --git a/chart/templates/monitoring/monitoring-helmrelease.yaml b/chart/templates/monitoring/monitoring-helmrelease.yaml index 19f176d86952870a50deb2d5eebfff8c058581b0..238852df671185aa13ad30cff504058a2841bf3d 100644 --- a/chart/templates/monitoring/monitoring-helmrelease.yaml +++ b/chart/templates/monitoring/monitoring-helmrelease.yaml @@ -45,6 +45,8 @@ spec: hostname: {{ .Values.hostname }} istio: enabled: {{ .Values.istio.enabled }} + sso: + enabled: {{ .Values.monitoring.sso.enabled }} global: imagePullSecrets: - name: private-registry @@ -60,6 +62,18 @@ spec: imagePullSecrets: - name: private-registry +{{- if .Values.monitoring.sso.enabled }} + ingress: + prometheus: + service: authservice-haproxy-sso + port: 8080 + namespace: authservice + alertmanager: + service: authservice-haproxy-sso + port: 8080 + namespace: authservice +{{- end }} + # TODO: DRY this up {{- if or .Values.gatekeeper.enabled .Values.istio.enabled }} dependsOn: 
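Review bot: The `service: authservice-haproxy-sso` / `port: 8080` / `namespace: authservice` triple is now hard-coded four times across the istio-controlplane and monitoring hunks, and the service name presumably derives from Flux naming the release `<targetNamespace>-<name>` plus the haproxy chart's fullname template — neither is stated anywhere. Factor the three values into a named template (or a single `.Values`-level block) and add a comment where it is defined noting how the name is derived, so a rename of the `haproxy-sso` HelmRelease cannot silently leave four dangling ingress targets. The enclosing `values:` mapping of each HelmRelease starts before the hunk.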
diff --git a/chart/templates/values.yaml b/chart/templates/values.yaml index edf4a8caa918c09ccaf3261abf191d10a5b424f8..7f52832ca9add1baebd902e789df5dec32d10fb1 100644 --- a/chart/templates/values.yaml +++ b/chart/templates/values.yaml @@ -11,8 +11,22 @@ stringData: {{ toYaml .Values.addons.argocd.values | indent 4 }} istiooperator.yaml: | {{ toYaml .Values.istiooperator.values | indent 4 }} - authservice.yaml: | + authservice.yaml: | + chains: + {{- if .Values.addons.authservice.chains }} + {{ .Values.addons.authservice.chains | toYaml | nindent 6 }} + {{- end }} + kiali: + client_secret: "{{ .Values.istio.sso.kiali.client_secret }}" + jaeger: + client_secret: "{{ .Values.istio.sso.jaeger.client_secret }}" + prometheus: + client_secret: "{{ .Values.monitoring.sso.prometheus.client_secret }}" + alertmanager: + client_secret: "{{ .Values.monitoring.sso.alertmanager.client_secret }}" +{{ if .Values.addons.authservice.values }} {{ toYaml .Values.addons.authservice.values | indent 4 }} +{{- end }} istio.yaml: | {{ toYaml .Values.istio.values | indent 4 }} gatekeeper.yaml: | @@ -24,7 +38,11 @@ stringData: logging.yaml: | {{ toYaml .Values.logging.values | indent 4 }} monitoring.yaml: | + grafana_client_id: {{ .Values.monitoring.sso.grafana.client_id | quote }} + grafana_client_secret: {{ .Values.monitoring.sso.grafana.client_secret | quote }} +{{ if .Values.monitoring.values }} {{ toYaml .Values.monitoring.values | indent 4 }} +{{- end }} twistlock.yaml: | {{ toYaml .Values.twistlock.values | indent 4 }} clusterauditor.yaml: | diff --git a/chart/values.yaml b/chart/values.yaml index f3acaaa82732bd7adc58c766b7e84be116a0d383..68da2cbcfa9b718af26b85761363ae124e997542 100644 --- a/chart/values.yaml +++ b/chart/values.yaml 
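Review bot: In the `authservice.yaml` entry, `chains:` is rendered first and `{{ toYaml .Values.addons.authservice.values | indent 4 }}` is appended afterwards at the same level, so if a user ignores the comment in chart/values.yaml and sets `addons.authservice.values.chains`, the Secret contains two `chains:` keys and the loader silently keeps the last one, discarding the per-chain `client_secret`s rendered above. Fail the render instead: `{{- if hasKey .Values.addons.authservice.values "chains" }}{{ fail "put chains under addons.authservice.chains, not .values" }}{{- end }}`. Minor: the new `{{ if .Values.addons.authservice.values }}` and `{{ if .Values.monitoring.values }}` lines use no `{{-` trim unlike `{{- if .Values.addons.authservice.chains }}` just above, which leaves stray blank lines inside the block scalars.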
@@ -46,6 +46,16 @@ git: publicKey: "" knownHosts: "" +# Gloabl SSO parameters +sso: + oidc: + host: login.dso.mil + realm: baby-yoda + certificate_authority: '' + jwks: "" + client_id: "" + client_secret: "" + # Flux reconciliation parameters flux: interval: 2m @@ -65,7 +75,15 @@ istio: git: repo: https://repo1.dsop.io/platform-one/big-bang/apps/core/istio-controlplane.git path: "./chart" - tag: "1.7.3-bb.4" + tag: "1.7.3-bb.6" + sso: + enabled: false + kiali: + client_id: kiali + client_secret: "change_me" + jaeger: + client_id: jaeger + client_secret: "change_me" values: {} istiooperator: @@ -137,7 +155,18 @@ monitoring: git: repo: https://repo1.dsop.io/platform-one/big-bang/apps/core/monitoring.git path: "./chart" - tag: "11.0.0-bb.4" + tag: "11.0.0-bb.6" + sso: + enabled: false + prometheus: + client_id: prometheus + client_secret: "change_me" + alertmanager: + client_id: alertmanager + client_secret: "change_me" + grafana: + client_id: grafana + client_secret: "change_me" values: {} # ---------------------------------------------------------------------------------------------------------------------- @@ -163,12 +192,21 @@ addons: values: {} authservice: + # if enabling authservice, a filter needs to be provided by either enabling + # sso for monitoring or istio, or manually adding a filter chain in the values here: + # values: + # chain: + # minimal: + # callback_uri: "https://somecallback" enabled: false git: repo: https://repo1.dsop.io/platform-one/big-bang/apps/sandbox/authservice.git path: "./chart" tag: "0.1.6-bb.0" + # Dont put chain configuraitons in this section values: {} + # Put additional chain configuration in this section + chains: {} gitlab: enabled: false 
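Review bot: `client_secret: "change_me"` is the default for five OIDC clients (istio.sso.kiali/jaeger, monitoring.sso.prometheus/alertmanager/grafana), so a deployment that sets `sso.enabled: true` without overriding them comes up with a known, committed credential and nothing fails. Default them to `""` and have the templates that render them use `required` (e.g. `{{ required "istio.sso.kiali.client_secret must be set" .Values.istio.sso.kiali.client_secret }}`) so the render aborts instead. `host: login.dso.mil` and `realm: baby-yoda` are environment-specific values that belong in an overlay rather than the chart defaults. Typos in the added comments: `Gloabl` → `Global`, `Dont put chain configuraitons` → `Don't put chain configurations`.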
@@ -176,3 +214,10 @@ addons: repo: https://repo1.dso.mil/platform-one/big-bang/apps/developer-tools/gitlab.git path: "./chart" tag: "4.2.0-bb.1" + + haproxy: + git: + repo: https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/haproxy.git + path: "./chart" + tag: 1.1.2-bb.0 + values: {} \ No newline at end of file diff --git a/scripts/deploy/02_wait_for_helmrealeases.sh b/scripts/deploy/02_wait_for_helmrealeases.sh index 6347c9f6e010a7500931d586e506f1618f8dda81..3ef6696f93b89fb2cf3bf78103dbbf7cc27a2c66 100755 --- a/scripts/deploy/02_wait_for_helmrealeases.sh +++ b/scripts/deploy/02_wait_for_helmrealeases.sh @@ -3,7 +3,7 @@ set -e ## This is an array to instantiate the order of wait conditions -ORDERED_HELMRELEASES="gatekeeper istio-operator istio monitoring eck-operator ek fluent-bit twistlock cluster-auditor gitlab" +ORDERED_HELMRELEASES="gatekeeper istio-operator istio monitoring eck-operator ek fluent-bit twistlock cluster-auditor authservice argocd gitlab" ## This the actual deployed helmrelease objects in the cluster diff --git a/tests/bash/01_virtualservices.sh b/tests/bash/01_virtualservices.sh index 4fff8b902769b2105a001383cd89fe76f41db7fe..47267cdba83ff3ece46f8367946906d28ea2fad8 100755 --- a/tests/bash/01_virtualservices.sh +++ b/tests/bash/01_virtualservices.sh @@ -3,9 +3,13 @@ # exit on error set -e +# Populate /etc/hosts +ip=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].ip}') + echo "Checking " hosts=`kubectl get vs -A -o jsonpath="{ .items[*].spec.hosts[*] }"` for host in $hosts; do + echo "$ip $host" >> /etc/hosts curl -svv https://$host/ > /dev/null done \ No newline at end of file diff --git a/tests/ci/k3d/values.yaml b/tests/ci/k3d/values.yaml index 16fb20cc9889ff932d2d4a8661e8de7d73cc7530..e34790bfaca02de2179666de3858f070cbfe48d8 100644 --- a/tests/ci/k3d/values.yaml +++ b/tests/ci/k3d/values.yaml 
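Review bot: `tag: 1.1.2-bb.0` in the new `addons.haproxy.git` block is the only unquoted tag in the file (the istio and monitoring hunks write `"1.7.3-bb.6"` and `"11.0.0-bb.6"`); quote it for consistency, `tag: "1.1.2-bb.0"`. The block is listed under `addons` but, unlike its siblings, has no `enabled` key, so a reader cannot tell from this file that it is switched on by `addons.authservice.enabled`; a comment saying so would help. The file now ends without a trailing newline.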
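Review bot: `ip=$(kubectl … -o jsonpath='{.status.loadBalancer.ingress[0].ip}')` can legitimately be empty (load balancer still pending, or an ingress entry that exposes `hostname` rather than `ip`), and with `set -e` not catching an empty substitution the loop then appends lines like ` kiali.example` to /etc/hosts and every curl fails with a confusing resolution error. Guard it before the loop: `[ -n "$ip" ] || { echo "istio-ingressgateway has no external IP"; exit 1; }`. Appending to /etc/hosts also requires root in the CI image, which is worth a comment since the script lives under tests/.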
@@ -58,6 +58,9 @@ addons: enabled: true authservice: enabled: true + chains: + minimal: + callback_uri: "https://minimal.bigbang.dev" gitlab: enabled: true values: