diff --git a/chart/templates/authservice/authservice-helmrelease.yaml b/chart/templates/authservice/authservice-helmrelease.yaml
index b1cdb4c87462a61c027e30e8e92fe00bdef95bb1..c97539afcbfbb40a49b3a753620b8c4925d09d7f 100644
--- a/chart/templates/authservice/authservice-helmrelease.yaml
+++ b/chart/templates/authservice/authservice-helmrelease.yaml
@@ -1,5 +1,5 @@
 {{- $fluxSettingsAuthservice := merge .Values.addons.authservice.flux .Values.flux -}}
-{{- if and .Values.istio.enabled (or .Values.addons.authservice.enabled (and .Values.monitoring.enabled .Values.monitoring.sso.enabled) (and .Values.jaeger.enabled .Values.jaeger.sso.enabled)) }}
+{{- if and .Values.istio.enabled (or .Values.addons.authservice.enabled (and .Values.monitoring.enabled .Values.monitoring.sso.enabled) (and .Values.jaeger.enabled .Values.jaeger.sso.enabled) (and .Values.tempo.enabled .Values.tempo.sso.enabled)) }}
 apiVersion: helm.toolkit.fluxcd.io/v2beta1
 kind: HelmRelease
 metadata:
diff --git a/chart/templates/authservice/gitrepository.yaml b/chart/templates/authservice/gitrepository.yaml
index 08ad4f6b2b9259e2486d29584a45b268b2a822f0..aed6d624d7281be4a2069f0ccfad8a79773dc02c 100644
--- a/chart/templates/authservice/gitrepository.yaml
+++ b/chart/templates/authservice/gitrepository.yaml
@@ -1,4 +1,4 @@
-{{- if and .Values.istio.enabled (or .Values.addons.authservice.enabled (and .Values.monitoring.enabled .Values.monitoring.sso.enabled) (and .Values.jaeger.enabled .Values.jaeger.sso.enabled)) }}
+{{- if and .Values.istio.enabled (or .Values.addons.authservice.enabled (and .Values.monitoring.enabled .Values.monitoring.sso.enabled) (and .Values.jaeger.enabled .Values.jaeger.sso.enabled) (and .Values.tempo.enabled .Values.tempo.sso.enabled)) }}
 apiVersion: source.toolkit.fluxcd.io/v1beta2
 kind: GitRepository
 metadata:
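Review bot: The render guard on the `+{{- if and .Values.istio.enabled (or ...) }}` line is now copied verbatim into five templates (this file, gitrepository.yaml, imagepullsecret.yaml, namespace.yaml and values.yaml in the same directory), and this commit had to edit every copy to add the Tempo term; the next SSO consumer will have to do the same, and a missed copy would leave, for example, a HelmRelease rendered without its GitRepository. Moving the expression into a named template next to the existing `bigbang.defaults.authservice` helper, e.g. `{{- define "bigbang.authservice.enabled" -}}` wrapping the same expression, and testing it with `{{- if eq (include "bigbang.authservice.enabled" .) "true" }}` in each file would leave one place to maintain. The same remark covers the identical hunks in the other four files and is not repeated there.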
diff --git a/chart/templates/authservice/imagepullsecret.yaml b/chart/templates/authservice/imagepullsecret.yaml
index 2bfbcc8ee7f1836762400b7cb373d1ca229cdd52..c26e456c3015e5dced62b38aad48b707da0301c8 100644
--- a/chart/templates/authservice/imagepullsecret.yaml
+++ b/chart/templates/authservice/imagepullsecret.yaml
@@ -1,4 +1,4 @@
-{{- if and .Values.istio.enabled (or .Values.addons.authservice.enabled (and .Values.monitoring.enabled .Values.monitoring.sso.enabled) (and .Values.jaeger.enabled .Values.jaeger.sso.enabled)) }}
+{{- if and .Values.istio.enabled (or .Values.addons.authservice.enabled (and .Values.monitoring.enabled .Values.monitoring.sso.enabled) (and .Values.jaeger.enabled .Values.jaeger.sso.enabled) (and .Values.tempo.enabled .Values.tempo.sso.enabled)) }}
 {{- if ( include "imagePullSecret" . ) }}
 apiVersion: v1
 kind: Secret
diff --git a/chart/templates/authservice/namespace.yaml b/chart/templates/authservice/namespace.yaml
index 2d5b9f9bce01be39f4c233c03c8b54ce1a31b1d2..475a6f876da9b04fc79d39ade4ced6b11cb6c846 100644
--- a/chart/templates/authservice/namespace.yaml
+++ b/chart/templates/authservice/namespace.yaml
@@ -1,4 +1,4 @@
-{{- if and .Values.istio.enabled (or .Values.addons.authservice.enabled (and .Values.monitoring.enabled .Values.monitoring.sso.enabled) (and .Values.jaeger.enabled .Values.jaeger.sso.enabled)) }}
+{{- if and .Values.istio.enabled (or .Values.addons.authservice.enabled (and .Values.monitoring.enabled .Values.monitoring.sso.enabled) (and .Values.jaeger.enabled .Values.jaeger.sso.enabled) (and .Values.tempo.enabled .Values.tempo.sso.enabled)) }}
 apiVersion: v1
 kind: Namespace
 metadata:
diff --git a/chart/templates/authservice/values.yaml b/chart/templates/authservice/values.yaml
index bc284b67eb5ca1202de01338fd6d2260aad93b42..7950be8500a75866d70108d81f6fa8b4b804886c 100644
--- a/chart/templates/authservice/values.yaml
+++ b/chart/templates/authservice/values.yaml
@@ -1,4 +1,4 @@
-{{- if and .Values.istio.enabled (or .Values.addons.authservice.enabled (and .Values.monitoring.enabled .Values.monitoring.sso.enabled) (and .Values.jaeger.enabled .Values.jaeger.sso.enabled)) }}
+{{- if and .Values.istio.enabled (or .Values.addons.authservice.enabled (and .Values.monitoring.enabled .Values.monitoring.sso.enabled) (and .Values.jaeger.enabled .Values.jaeger.sso.enabled) (and .Values.tempo.enabled .Values.tempo.sso.enabled)) }}
 {{- include "values-secret" (dict "root" $ "package" .Values.addons.authservice "name" "authservice" "defaults" (include "bigbang.defaults.authservice" .)) }}
 {{- end }}
@@ -83,12 +83,10 @@ chains:
 jaeger:
 match:
 header: ":authority"
- {{- $jaegerValues := .Values.jaeger.values | default dict }}
- {{- $jaegerIstioValues := $jaegerValues.istio | default dict }}
- {{- $jaegerHostValues := $jaegerIstioValues.jaeger | default dict}}
- {{- if hasKey $jaegerHostValues "hosts" }}
- prefix: {{ range .Values.jaeger.values.istio.jaeger.hosts }}{{ tpl . $}}{{ end }}
- callback_uri: https://{{ range .Values.jaeger.values.istio.jaeger.hosts }}{{ tpl . $}}{{ end }}/login
+ {{- $jaegerHosts := (dig "istio" "jaeger" "hosts" dict .Values.jaeger.values) }}
+ {{- if $jaegerHosts }}
+ prefix: {{ trimSuffix (printf ".%s" $domainName) (tpl ($jaegerHosts | first) $) }}
+ callback_uri: https://{{ tpl ($jaegerHosts | first) $ }}/login
 {{- else }}
 prefix: "tracing"
 callback_uri: https://tracing.{{ $domainName }}/login
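Review bot: The `{{- $jaegerHosts := (dig "istio" "jaeger" "hosts" dict .Values.jaeger.values) }}` line drops the `| default dict` guard the removed code had, and as far as I can tell Sprig's `dig` requires its last argument to be a map, so a user override that nulls `jaeger.values` would now fail the render instead of taking the `tracing` fallback. Keeping the guard inline, `{{- $jaegerHosts := (dig "istio" "jaeger" "hosts" dict (.Values.jaeger.values | default dict)) }}`, preserves the old tolerance; the same applies to the `$tempoHosts`, `$prometheusHosts` and `$alertmanagerHosts` lookups in the following hunks and to the `$tempoAuthserviceKey`/`$tempoAuthserviceValue` lookups in chart/templates/tempo/values.yaml. Separately, only the first listed host is used now and `trimSuffix` reduces `prefix` from the full host to its leftmost label, which is a looser `:authority` prefix match than the old full-host value; if that is intended to mirror the hard-coded fallbacks, a one-line comment above the `trimSuffix` line saying so would stop a reader from treating it as a regression. The `chains:` mapping this sits in begins before the hunk.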
@@ -97,16 +95,33 @@ chains:
 client_secret: "{{ .Values.jaeger.sso.client_secret }}"
 {{- end }}
+ {{- if and .Values.tempo.enabled .Values.tempo.sso.enabled }}
+ tempo:
+ match:
+ header: ":authority"
+ {{- $tempoHosts := (dig "istio" "tempoQuery" "hosts" dict .Values.tempo.values) }}
+ {{- if $tempoHosts }}
+ prefix: {{ trimSuffix (printf ".%s" $domainName) (tpl ($tempoHosts | first) $) }}
+ callback_uri: https://{{ tpl ($tempoHosts | first) $ }}/login
+ {{- else if .Values.jaeger.enabled }}
+ prefix: "tempo"
+ callback_uri: https://tempo.{{ $domainName }}/login
+ {{- else }}
+ prefix: "tracing"
+ callback_uri: https://tracing.{{ $domainName }}/login
+ {{- end }}
+ client_id: "{{ .Values.tempo.sso.client_id }}"
+ client_secret: "{{ .Values.tempo.sso.client_secret }}"
+ {{- end }}
+
 {{- if and .Values.monitoring.enabled .Values.monitoring.sso.enabled }}
 prometheus:
 match:
 header: ":authority"
- {{- $monitoringValues := .Values.monitoring.values | default dict }}
- {{- $monitoringIstioValues := $monitoringValues.istio | default dict }}
- {{- $prometheusHostValues := $monitoringIstioValues.prometheus | default dict}}
- {{- if hasKey $prometheusHostValues "hosts" }}
- prefix: {{ range .Values.monitoring.values.istio.prometheus.hosts }}{{ tpl . $}}{{ end }}
- callback_uri: https://{{ range .Values.monitoring.values.istio.prometheus.hosts }}{{ tpl . $}}{{ end }}/login/generic_oauth
+ {{- $prometheusHosts := (dig "istio" "prometheus" "hosts" dict .Values.monitoring.values) }}
+ {{- if $prometheusHosts }}
+ prefix: {{ trimSuffix (printf ".%s" $domainName) (tpl ($prometheusHosts | first) $) }}
+ callback_uri: https://{{ tpl ($prometheusHosts | first) $ }}/login/generic_oauth
 {{- else }}
 prefix: "prometheus"
 callback_uri: https://prometheus.{{ $domainName }}/login/generic_oauth
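Review bot: The `{{- else if .Values.jaeger.enabled }}` branch chooses `tempo` versus `tracing` for the new tempo chain from whether Jaeger is enabled, which restates a host-selection rule that actually lives in the tempo chart's VirtualService rather than here; if the two ever disagree the chain simply never matches and the mismatch is silent. I would record the coupling with a comment above that line, e.g. `{{- /* no explicit tempoQuery host: mirror the tempo chart default, tempo.<domain> when Jaeger is also deployed, otherwise tracing.<domain> */ -}}`. If authservice's `prefix` is a plain string prefix on `:authority`, as its name suggests, the bare `tempo` fallback also selects this chain for any other authority beginning with `tempo`; that is consistent with the existing chains but is worth stating in the same comment. The `chains:` mapping this block belongs to begins before the hunk.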
@@ -117,10 +132,11 @@ chains:
 alertmanager:
 match:
 header: ":authority"
- {{- $alertmanagerHostValues := $monitoringIstioValues.alertmanager | default dict}}
- {{- if hasKey $alertmanagerHostValues "hosts" }}
- prefix: {{ range .Values.monitoring.values.istio.alertmanager.hosts }}{{ tpl . $}}{{ end }}
- callback_uri: https://{{ range .Values.monitoring.values.istio.alertmanager.hosts }}{{ tpl . $}}{{ end }}/login/generic_oauth
+ {{- $alertmanagerHosts := (dig "istio" "alertmanager" "hosts" dict .Values.monitoring.values) }}
+ {{- if $alertmanagerHosts }}
+ prefix: {{ trimSuffix (printf ".%s" $domainName) (tpl ($alertmanagerHosts | first) $) }}
+
+ callback_uri: https://{{ tpl ($alertmanagerHosts | first) $ }}/login/generic_oauth
 {{- else }}
 prefix: "alertmanager"
 callback_uri: https://alertmanager.{{ $domainName }}/login/generic_oauth
diff --git a/chart/templates/tempo/tempo-helmrelease.yaml b/chart/templates/tempo/tempo-helmrelease.yaml
index 0dcd41c5ac1578d9f661efc03c11e87940866e18..bff0bb6a8192bf8edd5648b265f1755c06847773 100644
--- a/chart/templates/tempo/tempo-helmrelease.yaml
+++ b/chart/templates/tempo/tempo-helmrelease.yaml
@@ -36,13 +36,16 @@ spec:
 - name: {{ .Release.Name }}-tempo-values
 kind: Secret
 valuesKey: "overlays"
- {{- if or .Values.monitoring.enabled .Values.istio.enabled }}
+ {{- if or .Values.monitoring.enabled .Values.istio.enabled .Values.tempo.sso.enabled }}
 dependsOn:
 {{- if .Values.monitoring.enabled }}
 - name: monitoring
 namespace: {{ .Release.Namespace }}
 {{- end }}
-
+ {{- if .Values.tempo.sso.enabled }}
+ - name: authservice
+ namespace: {{ .Release.Namespace }}
+ {{- end }}
 {{- if .Values.istio.enabled }}
 - name: istio
 namespace: {{ .Release.Namespace }}
diff --git a/chart/templates/tempo/values.yaml b/chart/templates/tempo/values.yaml
index 8e83ba06c91fbff0caef3e9c58b5af8a1d0f309d..21494b4183d9a4f4d9cfd51ad33cc31de3d76c51 100644
--- a/chart/templates/tempo/values.yaml
+++ b/chart/templates/tempo/values.yaml
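Review bot: A stray empty line is added between `prefix:` and `callback_uri:` in the alertmanager chain (the lone `+` line in this hunk); it is harmless to the YAML but none of the sibling chains rewritten in this commit carry one, so drop it for consistency. The `chains:` mapping this belongs to begins before the hunk.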
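Review bot: The new `{{- if .Values.tempo.sso.enabled }}` dependency on `authservice` is not gated on `.Values.istio.enabled`, while the authservice HelmRelease in this same commit is only rendered when Istio is enabled; with `istio.enabled: false` and `tempo.sso.enabled: true` the Tempo HelmRelease would wait on a dependency that never exists. Gating it the same way, `{{- if and .Values.istio.enabled .Values.tempo.sso.enabled }}`, closes that gap, and the outer condition can then revert to `{{- if or .Values.monitoring.enabled .Values.istio.enabled }}` because the Istio term already covers the new case. Whether SSO without Istio is meant to be a supported configuration at all I cannot tell from this page. The surrounding `spec:` block starts before the hunk and the `dependsOn` list continues after it.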
@@ -31,7 +31,7 @@ tempo:
 {{- end }}
 {{- end }}
- # hostname is deprecated and replaced with domain. But if hostname exists then use it.
+# hostname is deprecated and replaced with domain. But if hostname exists then use it.
 {{- $domainName := default .Values.domain .Values.hostname }}
 hostname: {{ $domainName }}
 domain: {{ $domainName }}
@@ -69,4 +69,14 @@ monitoring:
 serviceMonitor:
 enabled: {{ .Values.monitoring.enabled }}
+sso:
+ enabled: {{ .Values.tempo.sso.enabled }}
+
+{{- if .Values.tempo.sso.enabled }}
+{{- $tempoAuthserviceKey := (dig "selector" "key" "protect" .Values.addons.authservice.values) }}
+{{- $tempoAuthserviceValue := (dig "selector" "value" "keycloak" .Values.addons.authservice.values) }}
+podLabels:
+ {{ $tempoAuthserviceKey }}: {{ $tempoAuthserviceValue }}
+{{- end }}
+
 {{- end -}}
diff --git a/chart/values.yaml b/chart/values.yaml
index 8af620de4320b45e596488ba9ecc39f7f44ffed3..970e730d388aa7832f75698fc698b7075ae24d9d 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -552,7 +552,7 @@ tempo:
 git:
 repo: https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/tempo.git
 path: "./chart"
- tag: "0.15.1-bb.6"
+ tag: "0.15.1-bb.7"
 # -- Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`). The default is "public".
 ingress:
@@ -561,6 +561,16 @@ tempo:
 # -- Flux reconciliation overrides specifically for the Tempo Package
 flux: {}
+ sso:
+ # -- Toggle SSO for Tempo on and off
+ enabled: false
+
+ # -- OIDC Client ID to use for Tempo
+ client_id: ""
+
+ # -- OIDC Client Secret to use for Tempo
+ client_secret: ""
+
 objectStorage:
 # -- S3 compatible endpoint to use for connection information.
 # examples: "s3.amazonaws.com" "s3.us-gov-west-1.amazonaws.com" "minio.minio.svc.cluster.local:9000"
diff --git a/docs/assets/configs/example/dev-sso-values.yaml b/docs/assets/configs/example/dev-sso-values.yaml
index c247b96ff015b9aca0d0ed8b607fe940908e8796..dfa6dfb13c57ba3191e6016b4c4e101ab1062dd7 100644
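Review bot: The label line `{{ $tempoAuthserviceKey }}: {{ $tempoAuthserviceValue }}` emits the value unquoted, so a configured selector value that happens to look like a boolean or a number (`on`, `1`) would be retyped by the YAML parser before it reaches a Kubernetes label, which must be a string; `{{ $tempoAuthserviceKey }}: {{ $tempoAuthserviceValue | quote }}` avoids that. This label appears to be what opts the Tempo pods into the authservice selector, so a value that fails to match leaves the pods unprotected silently rather than failing loudly, and the `protect`/`keycloak` fallbacks have to agree with the authservice chart's own selector defaults, which are not visible here; a comment above `podLabels:` stating both facts would help the next reader. The enclosing `{{- if }}` block that ends at `{{- end -}}` begins before the hunk.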
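Review bot: `client_secret: ""` under the new `sso` block is rendered straight into the authservice values Secret by chart/templates/authservice/values.yaml, and the helm-docs comment does not say where the value is expected to come from; `# -- OIDC Client Secret to use for Tempo; supply it from a values source kept out of version control rather than setting it here` would make that explicit. The `client_id` comment could likewise say which Keycloak client it refers to, as the example in docs/assets/configs/example/dev-sso-values.yaml does.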
--- a/docs/assets/configs/example/dev-sso-values.yaml
+++ b/docs/assets/configs/example/dev-sso-values.yaml
@@ -166,6 +166,14 @@ logging:
 client_id: platform1_a8604cc9-f5e9-4656-802d-d05624370245_bb8-kibana
 license:
 trial: true
+
+tempo:
+ sso:
+ enabled: true
+ client_id: platform1_a8604cc9-f5e9-4656-802d-d05624370245_bb8-jaeger
+ # If deploying both Jaeger and Tempo you will need the tempo specific client below (matches the `tempo.bigbang.dev` VS)
+ # client_id: platform1_a8604cc9-f5e9-4656-802d-d05624370245_bb8-tempo
+
 monitoring:
 sso:
 enabled: true