diff --git a/CODEOWNERS b/CODEOWNERS
index 91325cc66cfa130d8accb9c4885d8c9d1788f521..c26891cbfdcb3df3844344b1eeef85e62ebdd484 100644
--- a/CODEOWNERS
+++ b/CODEOWNERS
@@ -98,9 +98,9 @@ chart/values.yaml @lynnstill @ryan.j.garcia @kevin.wilder
 chart/templates/gitlab @lynnstill @ryan.j.garcia @kevin.wilder
 ^[KeyCloak]
-chart/Chart.yaml @megamind
-chart/values.yaml @megamind
-chart/templates/keycloak @megamind
+chart/Chart.yaml @megamind @kevin.wilder @michaelmcleroy
+chart/values.yaml @megamind @kevin.wilder @michaelmcleroy
+chart/templates/keycloak @megamind @kevin.wilder @michaelmcleroy
 ^[Mattermost (and operator)]
 chart/Chart.yaml @micah.nagel @branden.cobb
diff --git a/README.md b/README.md
index 5197f692aeeb0b01e18e7031478979209a80eaf6..27066d93665d103c28360661ebbf6468f38495c5 100644
--- a/README.md
+++ b/README.md
@@ -310,6 +310,19 @@ To start using Big Bang, you will need to create your own Big Bang environment t | addons.velero.flux | object | `{}` | Flux reconciliation overrides specifically for the Velero Package | | addons.velero.values | object | `{"plugins":[]}` | Values to passthrough to the Velero chart: https://repo1.dso.mil/platform-one/big-bang/apps/cluster-utilities/velero/-/blob/main/chart/values.yaml | | addons.velero.postRenderers | list | `[]` | Post Renderers. See docs/postrenders.md | +| addons.keycloak.enabled | bool | `false` | Toggle deployment of Keycloak | +| addons.keycloak.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/keycloak.git"` | Git repo for Keycloak Helm chart | +| addons.keycloak.git.path | string | `"./chart"` | Path to helm chart in Git repository | +| addons.keycloak.git.tag | string | `"x.x.x-bb.x"` | Git tag for Helm chart | +| addons.keycloak.ingress.key | string | `-----BEGIN PRIVATE KEY-----...` | Private certificate key for Keycloak | +| addons.keycloak.ingress.cert | string | `-----BEGIN CERTIFICATE-----...` | TLS certificate for Keycloak | +| addons.keycloak.database.host | string | `""` | Hostname of a pre-existing database to use. Entering connection info will disable the deployment of an internal database and will auto-create any required secrets. | +| addons.keycloak.database.type | string | `postgres` | Specifies the database type (e.g. `postgres`, `mysql`) | +| addons.keycloak.database.port | string | `""` | Port of a pre-existing database to use. | +| addons.keycloak.database.database | string | `""` | Database name to connect (Note: database name CANNOT contain hyphens). | +| addons.keycloak.database.username | string | `""` | Username for access to the external database, the user must have all privileges on the database. | +| addons.keycloak.database.password | string | `""` | Password for the username for access to the external database. 
| +| addons.keycloak.values | map | `{}` | Additional values to pass through to the Keycloak Helm chart | ## Contributing diff --git a/chart/admin.bigbang.dev-certs.yaml b/chart/admin.bigbang.dev-certs.yaml new file mode 100644 index 0000000000000000000000000000000000000000..9104b5a745428ffef16a1a11b6d0831a511df26a --- /dev/null +++ b/chart/admin.bigbang.dev-certs.yaml 
@@ -0,0 +1,88 @@ +istio: + ingress: + key: | + -----BEGIN PRIVATE KEY----- + MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC8bJtY3qQC0udg + WInp1K81Canpzsd/22mQ9f8GjVNF/7DhCSXRdHNeLtDNeJ2JoH96d1vLAm1YmHJ3 + 1aBwVULM0cWPRDkRg2Wjl/sMFoLgxR1ZKdtq3xxC2fwiDXjwv9JyOQgOrQqFxP7B + Qab1fv9uDfHP1aIxcDN7CpOxJHrjMoxyiPRynNFvw/iiGDJ+Jvomt8opWb4mC2jZ + MK5WGLvYWj9mkUo9crnQVJBNgU/ebx3j+yWztD6PDnuTNptI3x6OySjbkYlBGhjK + MpfQ7mTPCr5pBEgcJFVXVROg8Bum15vn3Uv+4LNe1tHcDxwCJQQJrzGNNc5YMpn8 + 1rvltDOTAgMBAAECggEACINbrXM5s8r1mzvE12S9mcba/25RQyyVo3AJ2rDt7z6z + Liespr79K2cwFeh6Laqrt8vGwPBWImeY3GMxgYHIp9pec6+gaHMoV3DZbd1igmdF + gS7L9BMqgra4lo1HRpFUH8cF3yvgStTwsaiWs4bOYZmNsFc1ocgw+0EqFRnR14vw + Q6pxlNlR0wND4WwEQ+PEFuGyaZpcnDA38vwaNyIVl99pRXXojvfco7dacYyce40o + O02mtl2yME4ssCgYPcThonPaUDjF594q7J2kqVRp6mJ0J9lvsxPRZ3NC1tOfVgzI + E/YVeNx7S9r0ONTJFLfRidd+udBKBCUM7NcKygqk8QKBgQDiQc0LPe7NWzfZ5Ks2 + IeZZ1S7CX/Eyv7VW90YhOUTF9g9PmmH1v539vp9xdHlo9YaF2dXuf1GsMgpNQ4IZ + Nuz5xwvvmma3demqtOawTpHj3vHpZWOYTL0SEb5XwyPaZZIb33wxDidT8/0CpwPt + Tlq6GQ8HPYupHT6cJQcb7PgAmQKBgQDVMZ+0WucFAKeJSEj1zDZA0EzUqiFfLCpP + gko9+9yhPvl7Q6c+oOV0brx0ny+racLUsV0m8vzvvLFxHTubPa7CMKf5s7c3EPQv + 8GqovlsvgzchwxRRs0KQMhQSZw1X2UDSBDci0AwZRXrJQp3odJk+0Pq5MslfCF6s + fwWxV6C1CwKBgBSvv3ePqg3MkUayyZShdNYxz5yl+P+S15mj8h2HhuoynSPCEcLO + Sjuw+hL9ezxFdo82Y4Dy0xzTVm3KBlMX2oLb2BOIImwTs9GPyKfGB0C2WZflVT3P + hlnolWagyN5m+vzhahFyIdZjMHbVnl5ME6+AKweWcPZ9XgQYvpWnDOXBAoGBAL0I + mTEUAQ+geuzxGTBI+DoT+GwAxkJbKNEDF81KC2E2M4Qmgp63j3zjy1ok4+G7jzOE + aLJmdfwkdbl0UCvgT5qEBg0UWvoKoFn5dLlWwAeq8zGOhe/DYNv2a3G9ykkAq8cM + Uc8eZfvqbWsTFGzPJipaplWcQI1xIHEW1/ddWXPtAoGBAInFXBnVDJiZkhq1adt9 + 3S/YVoMigw6ZD4j7E5g/5QBCs2rnZex20YFuJDvf+HAD/3eohJ6n75QRSZc0sn9j + XO49WKI7Qd2XTEL6dGvxGyFRTqrC5dUd3v/wq4XjUz1bI6VTvvHvf7EPCGh1NJ8v + PcJzvO/HdugGAG1xWnN7HT4g + -----END PRIVATE KEY----- + cert: | + -----BEGIN CERTIFICATE----- + MIIFLDCCBBSgAwIBAgISA87F5ACBGZuzPeSeGr2wqcY8MA0GCSqGSIb3DQEBCwUA + MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD + 
EwJSMzAeFw0yMTA0MTQxNDIzMTRaFw0yMTA3MTMxNDIzMTRaMB4xHDAaBgNVBAMM + EyouYWRtaW4uYmlnYmFuZy5kZXYwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK + AoIBAQC8bJtY3qQC0udgWInp1K81Canpzsd/22mQ9f8GjVNF/7DhCSXRdHNeLtDN + eJ2JoH96d1vLAm1YmHJ31aBwVULM0cWPRDkRg2Wjl/sMFoLgxR1ZKdtq3xxC2fwi + DXjwv9JyOQgOrQqFxP7BQab1fv9uDfHP1aIxcDN7CpOxJHrjMoxyiPRynNFvw/ii + GDJ+Jvomt8opWb4mC2jZMK5WGLvYWj9mkUo9crnQVJBNgU/ebx3j+yWztD6PDnuT + NptI3x6OySjbkYlBGhjKMpfQ7mTPCr5pBEgcJFVXVROg8Bum15vn3Uv+4LNe1tHc + DxwCJQQJrzGNNc5YMpn81rvltDOTAgMBAAGjggJOMIICSjAOBgNVHQ8BAf8EBAMC + BaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAw + HQYDVR0OBBYEFLp8IoeSyLzb/tJ57pxDqGX4t/4nMB8GA1UdIwQYMBaAFBQusxe3 + WFbLrlAJQOYfr52LFMLGMFUGCCsGAQUFBwEBBEkwRzAhBggrBgEFBQcwAYYVaHR0 + cDovL3IzLm8ubGVuY3Iub3JnMCIGCCsGAQUFBzAChhZodHRwOi8vcjMuaS5sZW5j + ci5vcmcvMB4GA1UdEQQXMBWCEyouYWRtaW4uYmlnYmFuZy5kZXYwTAYDVR0gBEUw + QzAIBgZngQwBAgEwNwYLKwYBBAGC3xMBAQEwKDAmBggrBgEFBQcCARYaaHR0cDov + L2Nwcy5sZXRzZW5jcnlwdC5vcmcwggEEBgorBgEEAdZ5AgQCBIH1BIHyAPAAdgCU + ILwejtWNbIhzH4KLIiwN0dpNXmxPlD1h204vWE2iwgAAAXjQ+rZ5AAAEAwBHMEUC + IQCOtTENOPlAwvmnqNxm9LHWo1TkNpLZqdCQWffa3zc2sAIgVpNs+pLLUmJfwq0+ + FRSQJB9FyrH7js53BSZ1WyfY6GwAdgB9PvL4j/+IVWgkwsDKnlKJeSvFDngJfy5q + l2iZfiLw1wAAAXjQ+razAAAEAwBHMEUCIQDCliAyo7EV92Kmp5zeoVfeqklvPPYi + p43KG/yc6gbiBwIgHpQYiQ5MCcJHnnol3Ku35ZYJw8jcWy7aW2S9gHR3eeUwDQYJ + KoZIhvcNAQELBQADggEBACUBLIHwOvyAsXlRGxqDKBGcl8BmbelWgp+XXsf9MZd0 + hYYrPlnQL95C5R78FXmYlG24J4uHLMTvz+gYe/WRv4Cjr8It+EaoGATZ8zGa2OlY + FTfx6dLk/h2KPF9N45o5rsUtlTlTfJYGz58p30XefLwOdIrez8UtEV2fWevAWwYw + ZGLvPczwDABye0OUou+M+BoZQOI6hrcQ3IXGlf/VQKzBp1dOOxZB7bx3mOzg1CI6 + 1AebDLxybOev4Ke25jbtst6i4HG1feFXm4yL1utNsn15uBVoQVfKeLVvMO3Y2Hyi + DZvLATJX4qq0e2wDcETc8fxshOUnYhpzrbUctVBBncA= + -----END CERTIFICATE----- + -----BEGIN CERTIFICATE----- + MIIEZTCCA02gAwIBAgIQQAF1BIMUpMghjISpDBbN3zANBgkqhkiG9w0BAQsFADA/ + MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT + DkRTVCBSb290IENBIFgzMB4XDTIwMTAwNzE5MjE0MFoXDTIxMDkyOTE5MjE0MFow + 
MjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxCzAJBgNVBAMT + AlIzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuwIVKMz2oJTTDxLs + jVWSw/iC8ZmmekKIp10mqrUrucVMsa+Oa/l1yKPXD0eUFFU1V4yeqKI5GfWCPEKp + Tm71O8Mu243AsFzzWTjn7c9p8FoLG77AlCQlh/o3cbMT5xys4Zvv2+Q7RVJFlqnB + U840yFLuta7tj95gcOKlVKu2bQ6XpUA0ayvTvGbrZjR8+muLj1cpmfgwF126cm/7 + gcWt0oZYPRfH5wm78Sv3htzB2nFd1EbjzK0lwYi8YGd1ZrPxGPeiXOZT/zqItkel + /xMY6pgJdz+dU/nPAeX1pnAXFK9jpP+Zs5Od3FOnBv5IhR2haa4ldbsTzFID9e1R + oYvbFQIDAQABo4IBaDCCAWQwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8E + BAMCAYYwSwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5p + ZGVudHJ1c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTE + p7Gkeyxx+tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEE + AYLfEwEBATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2Vu + Y3J5cHQub3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0 + LmNvbS9EU1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYf + r52LFMLGMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjANBgkqhkiG9w0B + AQsFAAOCAQEA2UzgyfWEiDcx27sT4rP8i2tiEmxYt0l+PAK3qB8oYevO4C5z70kH + ejWEHx2taPDY/laBL21/WKZuNTYQHHPD5b1tXgHXbnL7KqC401dk5VvCadTQsvd8 + S8MXjohyc9z9/G2948kLjmE6Flh9dDYrVYA9x2O+hEPGOaEOa1eePynBgPayvUfL + qjBstzLhWVQLGAkXXmNs+5ZnPBxzDJOLxhF2JIbeQAcH5H0tZrUlo5ZYyOqA7s9p + O5b85o3AM/OJ+CktFBQtfvBhcJVd9wvlwPsk+uyOy2HI7mNxKKgsBTt375teA2Tw + UdHkhVNcsAKX1H7GNNLOEADksd86wuoXvg== + -----END CERTIFICATE----- diff --git a/chart/templates/NOTES.txt b/chart/templates/NOTES.txt index dd26f8971bb4bce3cca5232e2c9db328810f1473..c9b4c494c5871be2624b8eff2ab61643678f3ee6 100644 --- a/chart/templates/NOTES.txt +++ b/chart/templates/NOTES.txt 
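Review bot: `chart/admin.bigbang.dev-certs.yaml` commits a PEM private key (`-----BEGIN PRIVATE KEY-----`) together with a certificate chain whose issuer and subject fields appear to decode to Let's Encrypt and `*.admin.bigbang.dev`, i.e. a publicly trusted certificate rather than a throwaway self-signed one. Once in git history the key has to be treated as disclosed whatever happens to the file afterwards, so it should be revoked and re-issued, with the replacement kept outside the repository (a CI variable, or the `tests/ci/keycloak-certs/` location the deploy script in this same commit already reads passthrough values from). A file under `chart/` is also inside the packaged chart directory, so it ships with every release unless a `.helmignore` rule not visible here excludes it. The validity fields appear to decode to a 90-day window, so even as a dev fixture this file will expire within the quarter and break whatever consumes it. If a checked-in dev cert is unavoidable, a header comment such as `# Development-only cert/key for *.admin.bigbang.dev; never reuse outside CI` should say so.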
@@ -150,3 +150,12 @@ PLATFORM ONE MATTERMOST WARNING:
 Make sure to go back and edit your values or ensure you add the license through the mattermost settings page.
 {{- end }}
 {{- end }}
+
+{{ if $.Values.addons.keycloak.enabled }}
+PLATFORM ONE KEYCLOAK WARNING:
+ You have enabled keycloak in the values configuration.
+ Core packages are automatically moved to an `admin` subdomain (e.g. prometheus.admin.bigbang.dev).
+ Addons are not accessible and not supported in the same cluster as Keycloak.
+ Keycloak is still in a BETA status. This means we don't fully recommend it for production workloads quite yet, but will be rolling out support in the near future to move it to STABLE.
+ Specifically, the way that multiple ingressgateways are created and specified within BigBang will make the automatic `admin` creation of core packages obsolete, and will also allow Keycloak to better function alongside other addons.
+{{- end }}
diff --git a/chart/templates/istio/controlplane/values.yaml b/chart/templates/istio/controlplane/values.yaml
index 0253096611ec0354e870afb82c2176e3e8fdb1bf..bafd8ec1aa107a91cee5113273fb90aebc15377d 100644
--- a/chart/templates/istio/controlplane/values.yaml
+++ b/chart/templates/istio/controlplane/values.yaml
@@ -12,4 +12,20 @@ imagePullSecrets:
 - private-registry
 openshift: {{ .Values.openshift }}
+
+{{- if .Values.addons.keycloak.enabled }}
+extraServers:
+- port:
+ name: https-keycloak
+ protocol: TLS
+ number: 8443
+ hosts:
+ - keycloak.{{ .Values.hostname }}
+ tls:
+ mode: PASSTHROUGH
+
+gateway:
+ hosts:
+ - "*.admin.{{ .Values.hostname }}"
+{{- end }}
 {{- end -}}
diff --git a/chart/templates/jaeger/values.yaml b/chart/templates/jaeger/values.yaml
index 0e6e14c4edc53a99492a5609c49158565dd50ce3..0eaf683a5ff7a7febe4158a04a15c48bec3a929a 100644
--- a/chart/templates/jaeger/values.yaml
+++ b/chart/templates/jaeger/values.yaml
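Review bot: The passthrough server added under `extraServers` listens on `number: 8443` for `keycloak.{{ .Values.hostname }}`, yet every Keycloak URL in this commit's README, Architecture doc and NOTES.txt uses the default HTTPS port; whether the Istio package maps this gateway port onto the load balancer's 443 is not visible here, so a comment stating the expected mapping (or the reason for 8443) would save the next reader a trip into the istio package. The narrowed `gateway.hosts: - "*.admin.{{ .Values.hostname }}"` appears to be the mechanism behind the NOTES.txt statement that other addons become unreachable when Keycloak is enabled; a one-line comment tying the two together would make that intentional narrowing obvious rather than looking like an accidental override of the default host list. The `{{- if }}` block that the trailing `{{- end -}}` closes starts before the hunk.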
@@ -8,6 +8,9 @@ imagePullSecrets:
 hostname: {{ .Values.hostname }}
 istio:
 enabled: {{ .Values.istio.enabled }}
+ jaeger:
+ hosts:
+ - tracing{{ if .Values.addons.keycloak.enabled }}.admin{{ end }}.{{ .Values.hostname }}
 monitoring:
 enabled: {{ .Values.monitoring.enabled }}
 elasticsearch:
diff --git a/chart/templates/keycloak/gitrepository.yaml b/chart/templates/keycloak/gitrepository.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..0710b2cd1c6d6963f842ef59e7cfe9b82f534d3b
--- /dev/null
+++ b/chart/templates/keycloak/gitrepository.yaml
@@ -0,0 +1,18 @@
+{{- if and (not .Values.offline) .Values.addons.keycloak.enabled }}
+{{ $name := "keycloak" }}
+apiVersion: source.toolkit.fluxcd.io/v1beta1
+kind: GitRepository
+metadata:
+ name: {{ $name }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: {{ $name }}
+ app.kubernetes.io/component: "security-tools"
+ {{- include "commonLabels" . | nindent 4}}
+spec:
+ interval: {{ .Values.flux.interval }}
+ url: {{ .Values.addons.keycloak.git.repo }}
+ ref:
+ {{- include "validRef" .Values.addons.keycloak.git | nindent 4 }}
+ {{- include "gitCreds" . | nindent 2 }}
+{{- end }}
\ No newline at end of file
diff --git a/chart/templates/keycloak/helmrelease.yaml b/chart/templates/keycloak/helmrelease.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..b08ec2f7c04a804d7e4314bf4173fe0f51b1d13c
--- /dev/null
+++ b/chart/templates/keycloak/helmrelease.yaml
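Review bot: The host expression `- tracing{{ if .Values.addons.keycloak.enabled }}.admin{{ end }}.{{ .Values.hostname }}` introduced here is repeated with a different prefix in kiali/values.yaml, logging/elasticsearch-kibana/values.yaml, monitoring/values.yaml (prometheus, alertmanager, grafana and the grafana.ini `root_url`) and twistlock/values.yaml, so the `admin` subdomain rule lives in seven places. A named template in the chart's helpers (wherever `commonLabels` is defined), e.g. `{{- define "bigbang.coreDomain" -}}{{ if .Values.addons.keycloak.enabled }}admin.{{ end }}{{ .Values.hostname }}{{- end -}}`, used as `- tracing.{{ include "bigbang.coreDomain" . }}`, keeps the rule in one place, which matters because NOTES.txt in this same commit says the scheme is expected to change. The `istio:` mapping these hosts are added to starts before the hunk.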
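Review bot: `app.kubernetes.io/component: "security-tools"` is inlined in gitrepository.yaml and namespace.yaml, while helmrelease.yaml and imagepullsecret.yaml bind the same string to `{{ $component := "security-tools" }}` next to `$name`; the four new keycloak templates should use one form, and declaring `$component` here too is the smaller change. All four new templates also end with `\ No newline at end of file`, whereas the same commit fixes exactly that in tests/bash/01_virtualservices.sh, so the new files should get a trailing newline as well.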
@@ -0,0 +1,55 @@
+{{- $fluxSettingsKeycloak := merge .Values.addons.keycloak.flux .Values.flux -}}
+{{- if .Values.addons.keycloak.enabled }}
+{{ $name := "keycloak" }}
+{{ $component := "security-tools" }}
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ name: {{ $name }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: {{ $name }}
+ app.kubernetes.io/component: {{ $component }}
+ {{- include "commonLabels" . | nindent 4}}
+spec:
+ releaseName: {{ $name }}
+ targetNamespace: {{ $name }}
+ chart:
+ spec:
+ chart: {{ .Values.addons.keycloak.git.path }}
+ interval: 5m
+ sourceRef:
+ kind: GitRepository
+ name: {{ $name }}
+ namespace: {{ .Release.Namespace }}
+
+
+ {{- toYaml $fluxSettingsKeycloak | nindent 2 }}
+
+ valuesFrom:
+ - name: {{ .Release.Name }}-{{ $name }}-values
+ kind: Secret
+ valuesKey: "common"
+ - name: {{ .Release.Name }}-{{ $name }}-values
+ kind: Secret
+ valuesKey: "defaults"
+ - name: {{ .Release.Name }}-{{ $name }}-values
+ kind: Secret
+ valuesKey: "overlays"
+
+ {{- if or .Values.gatekeeper.enabled .Values.istio.enabled .Values.monitoring.enabled }}
+ dependsOn:
+ {{- if .Values.gatekeeper.enabled }}
+ - name: gatekeeper
+ namespace: {{ .Release.Namespace }}
+ {{- end }}
+ {{- if .Values.istio.enabled }}
+ - name: istio
+ namespace: {{ .Release.Namespace }}
+ {{- end }}
+ {{- if .Values.monitoring.enabled }}
+ - name: monitoring
+ namespace: {{ .Release.Namespace }}
+ {{- end }}
+ {{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/chart/templates/keycloak/imagepullsecret.yaml b/chart/templates/keycloak/imagepullsecret.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..27ab5d838f65a41115de70a6c2216e48c279b79e
--- /dev/null
+++ b/chart/templates/keycloak/imagepullsecret.yaml
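Review bot: `interval: 5m` in `chart.spec` is hard-coded while gitrepository.yaml in this same commit uses `{{ .Values.flux.interval }}`; `interval: {{ .Values.flux.interval }}` keeps the source and release reconcilers in step, unless the other package templates deliberately pin 5m here. The top line `merge .Values.addons.keycloak.flux .Values.flux` deserves a comment: Sprig's `merge` writes into its first argument, so after this line `.Values.addons.keycloak.flux` holds the merged map for any template rendered later — harmless while the default is `{}`, surprising once a user sets overrides and another template reads that map (hedged, since the sibling package templates are not in this diff). Finally, NOTES.txt in this commit tells the user that other addons are unsupported alongside Keycloak, but nothing in this template checks it; a `{{ fail "addons.keycloak cannot be enabled together with other addons" }}` guard when `addons.keycloak.enabled` is set alongside another enabled addon would turn the documented warning into a render-time error.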
@@ -0,0 +1,18 @@
+{{- if .Values.addons.keycloak.enabled }}
+{{ $name := "keycloak" }}
+{{ $component := "security-tools" }}
+{{- if ( include "imagePullSecret" . ) }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: private-registry
+ namespace: {{ $name }}
+ labels:
+ app.kubernetes.io/name: {{ $name }}
+ app.kubernetes.io/component: {{ $component }}
+ {{- include "commonLabels" . | nindent 4}}
+type: kubernetes.io/dockerconfigjson
+data:
+ .dockerconfigjson: {{ template "imagePullSecret" . }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/chart/templates/keycloak/namespace.yaml b/chart/templates/keycloak/namespace.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..43bd5d754517e28968e5971b5bf5644c5b87da26
--- /dev/null
+++ b/chart/templates/keycloak/namespace.yaml
@@ -0,0 +1,12 @@
+{{- if .Values.addons.keycloak.enabled }}
+{{ $name := "keycloak" }}
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: {{ $name }}
+ labels:
+ istio-injection: disabled-because-keycloak-hates-istio
+ app.kubernetes.io/name: {{ $name }}
+ app.kubernetes.io/component: "security-tools"
+ {{- include "commonLabels" . | nindent 4}}
+{{- end }}
\ No newline at end of file
diff --git a/chart/templates/keycloak/values.yaml b/chart/templates/keycloak/values.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..ab94553b913e328f75ed5f284076f61f68829ae1
--- /dev/null
+++ b/chart/templates/keycloak/values.yaml
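Review bot: `istio-injection: disabled-because-keycloak-hates-istio` in namespace.yaml stores the rationale in the label value instead of a comment. Istio's injector only selects on `istio-injection: enabled`, so this value does keep the sidecar out, but anything that audits namespaces for the documented `disabled` value (policy constraints, dashboards, a plain grep) will not recognise it, and the joke value will end up in every label listing of the cluster. `istio-injection: disabled` preceded by `# Keycloak runs without an Istio sidecar; its ingress is TLS passthrough (see istio/controlplane/values.yaml)` carries the same information in the expected place.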
@@ -0,0 +1,59 @@
+{{- if .Values.addons.keycloak.enabled }}
+{{- include "values-secret" (dict "root" $ "package" .Values.addons.keycloak "name" "keycloak" "defaults" (include "bigbang.defaults.keycloak" .)) }}
+{{- end }}
+
+{{- define "bigbang.defaults.keycloak" -}}
+replicas: 2
+
+imagePullSecrets:
+- name: private-registry
+
+hostname: {{ .Values.hostname }}
+
+istio:
+ enabled: {{ .Values.istio.enabled }}
+ keycloak:
+ enabled: true
+ hosts:
+ - keycloak.{{ .Values.hostname }}
+
+monitoring:
+ enabled: {{ .Values.monitoring.enabled }}
+serviceMonitor:
+ enabled: {{ .Values.monitoring.enabled }}
+
+{{- if .Values.addons.keycloak.database.host }}
+postgresql:
+ enabled: false
+{{- end }}
+
+{{- if or .Values.addons.keycloak.database.host (and .Values.addons.keycloak.ingress.cert .Values.addons.keycloak.ingress.key) }}
+secrets:
+ {{- if and .Values.addons.keycloak.ingress.cert .Values.addons.keycloak.ingress.key }}
+ certificates:
+ stringData:
+ tls.crt: {{ .Values.addons.keycloak.ingress.cert | quote }}
+ tls.key: {{ .Values.addons.keycloak.ingress.key | quote }}
+ {{- end }}
+
+ {{- with .Values.addons.keycloak.database }}
+ {{- if .host }}
+ db:
+ stringData:
+ DB_USER: {{ .username | quote }}
+ DB_PASSWORD: {{ .password | quote }}
+ DB_VENDOR: {{ default "postgres" .type }}
+ DB_ADDR: {{ .host }}
+ DB_PORT: {{ .port | quote }}
+ DB_DATABASE: {{ .database }}
+ {{- end }}
+ {{- end }}
+{{- end }}
+
+{{- if .Values.addons.keycloak.database.host }}
+extraEnvFrom: |
+ - secretRef:
+ name: 'keycloak-db'
+{{- end }}
+
+{{- end }}
\ No newline at end of file
diff --git a/chart/templates/kiali/values.yaml b/chart/templates/kiali/values.yaml
index ff4d493ae973d5a8d60a6f913483174f515f190a..7ad61fae33841a3b69e7447ae9e45fdeb28e4b57 100644
--- a/chart/templates/kiali/values.yaml
+++ b/chart/templates/kiali/values.yaml
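Review bot: In the `db` secret, `DB_ADDR: {{ .host }}`, `DB_DATABASE: {{ .database }}` and `DB_VENDOR: {{ default "postgres" .type }}` are rendered unquoted while `DB_USER`, `DB_PASSWORD` and `DB_PORT` go through `| quote`; an empty `database` renders as `DB_DATABASE:` (YAML null rather than an empty string) and a host or vendor value containing `: ` or ` #` would break the generated document, so all three should take `| quote` as well. The `secrets.certificates` block is only emitted when both `ingress.cert` and `ingress.key` are set, so supplying exactly one of them silently falls back to whatever the package chart ships instead of failing; a guard such as `{{- if ne (empty .Values.addons.keycloak.ingress.cert) (empty .Values.addons.keycloak.ingress.key) }}{{ fail "addons.keycloak.ingress.cert and addons.keycloak.ingress.key must be set together" }}{{- end }}` surfaces the misconfiguration at render time. `extraEnvFrom` references a Secret named `keycloak-db`, which presumably is what the upstream chart creates from `secrets.db`; a one-line comment saying where that name comes from would spare the next reader the lookup.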
@@ -6,6 +6,9 @@ hostname: {{ .Values.hostname }}
 istio:
 enabled: {{ .Values.istio.enabled }}
+ kiali:
+ hosts:
+ - kiali{{ if .Values.addons.keycloak.enabled }}.admin{{ end }}.{{ .Values.hostname }}
 monitoring:
 enabled: {{ .Values.monitoring.enabled }}
 elasticsearch:
diff --git a/chart/templates/logging/elasticsearch-kibana/values.yaml b/chart/templates/logging/elasticsearch-kibana/values.yaml
index 6cc13cd4e780fdd76fe0b7c23e66b048c025a710..23fc2dcf9c91194d5c66e828ebde34f0216fb5f2 100644
--- a/chart/templates/logging/elasticsearch-kibana/values.yaml
+++ b/chart/templates/logging/elasticsearch-kibana/values.yaml
@@ -6,6 +6,9 @@ hostname: {{ .Values.hostname }}
 istio:
 enabled: {{ .Values.istio.enabled }}
+ kibana:
+ hosts:
+ - kibana{{ if .Values.addons.keycloak.enabled }}.admin{{ end }}.{{ .Values.hostname }}
 {{- with .Values.logging.sso }}
 {{- if .enabled }}
diff --git a/chart/templates/monitoring/values.yaml b/chart/templates/monitoring/values.yaml
index d83f81e578f71299c4d532f6008acc1af1b89412..a73c4034fed81e53df85e898ab1321061bbb1e8b 100644
--- a/chart/templates/monitoring/values.yaml
+++ b/chart/templates/monitoring/values.yaml
@@ -10,20 +10,28 @@ flux:
 istio:
 enabled: {{ .Values.istio.enabled }}
- {{- if .Values.monitoring.sso.enabled }}
 prometheus:
 enabled: true
+ {{- if .Values.monitoring.sso.enabled }}
 service: authservice-haproxy-sso
 port: 8080
 namespace: authservice
+ {{- end }}
+ hosts:
+ - prometheus{{ if .Values.addons.keycloak.enabled }}.admin{{ end }}.{{ .Values.hostname }}
 alertmanager:
 enabled: true
+ {{- if .Values.monitoring.sso.enabled }}
 service: authservice-haproxy-sso
 port: 8080
 namespace: authservice
+ {{- end }}
+ hosts:
+ - alertmanager{{ if .Values.addons.keycloak.enabled }}.admin{{ end }}.{{ .Values.hostname }}
 grafana:
 enabled: true
- {{- end }}
+ hosts:
+ - grafana{{ if .Values.addons.keycloak.enabled }}.admin{{ end }}.{{ .Values.hostname }}
 global:
 imagePullSecrets:
@@ -40,7 +48,7 @@ grafana:
 grafana.ini:
 {{- if .Values.istio.enabled }}
 server:
- root_url: https://grafana.{{ .Values.hostname }}/
+ root_url: https://grafana{{ if .Values.addons.keycloak.enabled }}.admin{{ end }}.{{ .Values.hostname }}/
 {{- end }}
 auth:
diff --git a/chart/templates/twistlock/values.yaml b/chart/templates/twistlock/values.yaml
index deac9cd45bcc8b30deb8ad02bc8dbc7fde18a8b6..8bb22e6a99c04847909a3fe3f06b0a629d5d2440 100644
--- a/chart/templates/twistlock/values.yaml
+++ b/chart/templates/twistlock/values.yaml
@@ -14,4 +14,7 @@ imagePullSecrets:
 istio:
 enabled: {{ .Values.istio.enabled }}
+ console:
+ hosts:
+ - twistlock{{ if .Values.addons.keycloak.enabled }}.admin{{ end }}.{{ .Values.hostname }}
 {{- end -}}
diff --git a/chart/values.yaml b/chart/values.yaml
index 5d4df1de27de69fd965e9892dc81921007b0cf48..f73e879b5703b009112497378480ece11afa73c3 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -69,7 +69,7 @@ sso:
 # -- OIDC token URL template string (to be used as default)
 token_url: "https://{{ .Values.sso.oidc.host }}/auth/realms/{{ .Values.sso.oidc.realm }}/protocol/openid-connect/token"
-
+
 # -- OIDC auth URL template string (to be used as default)
 auth_url: "https://{{ .Values.sso.oidc.host }}/auth/realms/{{ .Values.sso.oidc.realm }}/protocol/openid-connect/auth"
@@ -864,3 +864,44 @@ addons:
 #
 # ----------------------------------------------------------------------------------------------------------------------
+ # ----------------------------------------------------------------------------------------------------------------------
+ # Keycloak
+ #
+ keycloak:
+ # -- Toggle deployment of Keycloak.
+ enabled: false
+ git:
+ repo: https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/keycloak.git
+ path: "./chart"
+ tag: "11.0.0-bb.0"
+
+ # -- Certificate/Key pair to use as the certificate for exposing Keycloak
+ ingress:
+ key: ""
+ cert: ""
+
+ database:
+ # -- Hostname of a pre-existing database to use for Keycloak.
+ # Entering connection info will disable the deployment of an internal database and will auto-create any required secrets.
+ host: ""
+
+ # -- Pre-existing database type (e.g. postgres) to use for Keycloak.
+ type: postgres
+
+ # -- Port of a pre-existing database to use for Keycloak.
+ port: 5432
+
+ # -- Database name to connect to on host.
+ database: "" # example: keycloak
+
+ # -- Username to connect as to external database, the user must have all privileges on the database.
+ username: ""
+
+ # -- Database password for the username used to connect to the existing database.
+ password: ""
+
+ # -- Flux reconciliation overrides specifically for the OPA Gatekeeper Package
+ flux: {}
+
+ # -- Values to passthrough to the keycloak chart: https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/keycloak.git
+ values: {}
\ No newline at end of file
diff --git a/charter/BigBangPackages.md b/charter/BigBangPackages.md
index 8ff064d68a57b538bdc8bb71753b18efef5e0394..854c1a2392bc82c086c17433e8fe9e0c97a108f4 100644
--- a/charter/BigBangPackages.md
+++ b/charter/BigBangPackages.md
@@ -320,7 +320,8 @@ Dependencies:
 Owners:
 * @megamind
-* @joshwolf
+* @kevin.wilder
+* @michaelmcleroy
 Understudy:
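Review bot: The comment above `flux: {}` reads `# -- Flux reconciliation overrides specifically for the OPA Gatekeeper Package`, a copy-paste leftover that will be published verbatim in the generated README table; it should read `# -- Flux reconciliation overrides specifically for the Keycloak Package`. `port: 5432` is an integer here while the README table added in this same commit documents `addons.keycloak.database.port` as a string defaulting to `""`, so one side should change (`port: "5432"` keeps the downstream `{{ .port | quote }}` output identical and matches the documented type). The `values:` comment links to the bare git repository, whereas sibling entries such as velero link to the chart's `values.yaml`, and the `ingress:` comment could carry the constraint the Architecture doc spells out, e.g. `# -- Certificate/Key pair for Keycloak's TLS passthrough; must not overlap with the istio.ingress certificate`. The file also loses its trailing newline (`\ No newline at end of file`).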
diff --git a/charter/packages/keycloak/Architecture.md b/charter/packages/keycloak/Architecture.md new file mode 100644 index 0000000000000000000000000000000000000000..641ccaaa88d09c35c2c33ab0aeaa4c6c6e27e5b5 --- /dev/null +++ b/charter/packages/keycloak/Architecture.md 
@@ -0,0 +1,195 @@ +# Keycloak + +## Overview + +[Keycloak](https://www.keycloak.org/) provides open source identity and access management for modern applications and services. This document will cover the architectural touchpoints for the Big Bang Keycloak package, which has been extended to include customizable registration and group segmentation. + +### Keycloak Architecture + +```mermaid +graph LR + + urlkc(Keycloak URL) -->|HTTPS| ig + urlpr(Prometheus URL) -->|HTTPS| ig + + subgraph "Keycloak Ingress" + ig(Gateway) -->|TLS Passthrough| servkc{{"Service<BR>Keycloak"}} + ig(Gateway) -->|HTTP| servpr{{"Service<BR>Prometheus"}} + end + + subgraph "Monitoring" + servpr --> prom(Prometheus) + prom(Prometheus) --> monitor + monitor(Service Monitor) --> servkc + end + + subgraph "Keycloak Cluster" + servkc <--> pod0("Keycloak Pod 0") + servkc <--> pod1("Keycloak Pod 1") + end + + subgraph "Database" + pod0 --> db[(Keycloak DB)] + pod1 --> db[(Keycloak DB)] + end +``` + +## Integration w/ Big Bang + +Big Bang's integration with Keycloak requires special considerations and configuration compared to other applications. This document will help you get it setup correctly. + +### Keycloak with Other Apps + +Due to the sensitivity of Keycloak, Big Bang does not support deploying KeyCloak and any other add-ons. But, Keycloak can be deployed with the core Big Bang applications (e.g. Istio, Monitoring, Logging). The URL to access these core apps is under the `admin` subdomain to avoid [a problem with overlapping certificates](#certificate-overlap-problem). For example, in the `bigbang.dev` domain, to access Prometheus, you would go to `https://prometheus.admin.bigbang.dev`. Keycloak would still be accessed at `https://keycloak.bigbang.dev`. 
+ +> The `admin` subdomain is only used when Keycloak is enabled + +### Keycloak's Custom Image + +The upstream [Keycloak Helm chart](https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/keycloak) is customized for use in Platform One. It contains the following modifications from a standard Keycloak deployment: + +- DoD Certificate Authorities +- Customized Platform One registration +- Customizable Platform One realm, with IL2, IL4, and IL5 isolation (not loaded by default, but [available in the package's git repo](https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/keycloak/-/blob/main/chart/resources/dev/baby-yoda.json)) +- Redirects for specific keycloak endpoints to work with Platform One deployments +- A customized image, based on Iron Bank's Keycloak, that adds a plugin to support the above features + +### Keycloak Admin password + +Big Bang creates a default admin user for logging into the admin console. To override the default admin credentials in Keycloak, set the following in Big Bang's `values.yaml`: + +```yaml +addons: + keycloak: + values: + secrets: + credentials: + stringData: + adminuser: your_admin_username + password: your_admin_password +``` + +### Keycloak TLS + +To properly configure Keycloak TLS, you must provide Keycloak a certificate in `addons.keycloak.ingress` that does not overlap with any TLS terminated app certificate. See [the details](#certificate-overlap-problem) for further information on why this is a problem. + +In the Big Bang implementation, [core apps use the `admin` subdomain](#keycloak-with-other-apps). You need two wildcard SAN certificates, one for `*.admin.yourdomain` and one for `*.yourdomain` for this implementation. The `*.admin.yourdomain` cert goes into `istio.ingress` and the `*.yourdomain` cert goes into `addons.keycloak.ingress`. + +In the following example for Big Bang, we provide a certificate for `*.admin.bigbang.dev` to TLS terminated apps and a `*.bigbang.dev` certificate to Keycloak. 
+ +```yaml +hostname: bigbang.dev +istio: + ingress: + key: |- + <Private Key for *.admin.bigbang.dev> + cert: |- + <Certificate for *.admin.bigbang.dev> +addons: + keycloak: + enabled: true + ingress: + key: |- + <Private key for *.bigbang.dev> + cert: |- + <Certificate for *.bigbang.dev> +``` + +#### Certificate Overlap Problem + +> This problem automatically worked around by Big Bang if you have non-overlapping certificates as [recommended above](#keycloak-tls). Youc an skip this section unless you want the gritty details. + +Modern browsers will reuse established TLS connections when the destination's IP and port are the same and the current certificate is valid. See the [HTTP/2 spec](https://httpwg.org/specs/rfc7540.html#rfc.section.9.1.1) for details. If our cluster has a single load balancer and listens on port 443 for multiple apps, then the IP address and port for all apps in the cluster will be the same from the browser's point of view. Normally, this isn't a problem because Big Bang uses TLS termination for all applications. The encryption occurs between Istio and the browser no matter which hostname you use, so the connection can be reused without problems. + +With Keycloak, we need to passthrough TLS rather than terminate it at Istio. If we have other apps, like Kiali, that are TLS terminated, Istio needs two server entries in its Gateway to passthrough TLS for hosts matching `keycloak.bigbang.dev` and to terminate TLS for other hosts. If the certificate used for TLS is valid for both Keycloak and other apps (e.g. the cert includes a SAN of `*.bigbang.dev`), then the browser thinks it can reuse connections between the applications (the IP, port, and cert are the same). If you access a TLS terminated app first (e.g. 
`kiali.bigbang.dev`), then try to access `keycloak.bigbang.dev`, the browser tries to reuse the connection to the terminated app, resulting in a [data leak](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11767) to the terminated app and a 404 error in the browser. Istio is [supposed to handle this](https://github.com/istio/istio/issues/13589) situation, but does not. + +To workaround this situation, you have to isolate the applications by IP, port, or certificate so the browser will not reuse the connection between them. You can use external load balancers or different ingress ports to create unique IPs or ports for the applications. Or you can create non-overlapping certs for the applications. This does not prevent you from using wildcard certs, since you could have one cert for `*.bigbang.dev` and another for `*.admin.bigbang.dev` that don't overlap. Alternatively, you can create one cert for `kiali.bigbang.dev` and other TLS terminated apps and another cert for `keycloak.bigbang.dev`. + +> All of the core and addon apps are TLS terminated except Keycloak. + +## Big Bang Touchpoints + +### GUI + +Keycloak has two main end point URLs: +https://keycloak.bigbang.dev for authentication. +https://keycloak.bigbang.dev/auth/admin for administration. + +The `bigbang.dev` domain name can be customized by setting the `hostname` in `values.yaml` + +### Database + +An external shared database is required for Keycloak operation in production. It should be setup according to [the Keycloak database configuration documentation](https://www.keycloak.org/docs/latest/server_installation/#_database). + +> For development ad test, a Postgres database is provided inside the cluster. This should **NOT** be used in production. 
+ +The following values can be customized in `values.yaml` to connect to your external database: + +```yaml +addons: + keycloak: + database: + host: mydb.mydomain.com + type: postgres + port: 5432 + database: keycloak + username: kcuser + password: p@ssw0rd +``` + +### Logging + +Logging is automatic for Keycloak when the Logging package is enabled in Big Bang. Fluentbit captures the logs and ships them to Elastic. + +### Monitoring + +When the Monitoring package is enabled, Big Bang will turn on Keycloak's production of Prometheus metrics and setup a Service Monitor to scrape those metrics. By default, metrics for the `datasources` (db), `undertow` (http), and `jgroup` subsystems are enabled. + +### Health Checks + +Liveness and readiness probes are included in the Keycloak Helm chart for all deployments. The probes check the endpoint at `/auth/realm/master/` on port 8080 of the pods. This means the probes will still succeed even if you have an invalid certificate loaded into Keycloak. + +If you wish to adjust the probes, you can override the values in `values.yaml`: + +```yaml +addons: + keycloak: + values: + livenessProbe: | + httpGet: + path: /auth/realms/master + port: http + scheme: HTTP + initialDelaySeconds: 120 + failureThreshold: 15 + periodSeconds: 15 + readinessProbe: | + httpGet: + path: /auth/realms/master + port: http + scheme: HTTP + initialDelaySeconds: 120 + failureThreshold: 15 + timeoutSeconds: 2 +``` + +## Licensing + +Keycloak is available under the [Apache License 2.0](https://github.com/keycloak/keycloak/blob/master/LICENSE.txt) for free. + +## High Availability + +By default Big Bang deploys Keycloak with two replicas in a high availability cluster configuration. It is already configured to support cache sharing, anti-affinity, failovers, and rolling updates. 
If you wish to increase or decrease the number of replicas, you can set the following in `values.yaml`:
+
+```yaml
+addons:
+ keycloak:
+ values:
+ replicas: 2
+```
+
+## Dependent Packages
+
+- PostgreSQL for in-cluster development/test database
+- Istio for ingress
+- (Optional) Monitoring for metrics
diff --git a/docs/airgap/scripts/values.yaml b/docs/airgap/scripts/values.yaml
index a68db060dd901882926eff46455cbd9eff07ed27..d10439752b27f25494e40a4bb537845c8651b527 100644
--- a/docs/airgap/scripts/values.yaml
+++ b/docs/airgap/scripts/values.yaml
@@ -114,4 +114,8 @@ addons:
 mattermost:
 enabled: false
 git:
- repo: ssh://git@host.k3d.internal/home/git/repos/mattermost
\ No newline at end of file
+ repo: ssh://git@host.k3d.internal/home/git/repos/mattermost
+ keycloak:
+ enabled: false
+ git:
+ repo: ssh://git@host.k3d.internal/home/git/repos/keycloak
\ No newline at end of file
diff --git a/scripts/deploy/01_deploy_bigbang.sh b/scripts/deploy/01_deploy_bigbang.sh
index d06829ebd358cdeba037d4dbd208d8714e35e196..fffee1baaae53accc0484c2a9bd42089ee97778a 100755
--- a/scripts/deploy/01_deploy_bigbang.sh
+++ b/scripts/deploy/01_deploy_bigbang.sh
@@ -17,6 +17,11 @@ else
 done
 fi
+# if keycloak enabled add ingress passthrough cert to addons.keycloak.ingress
+if [ "$(yq e ".addons.keycloak.enabled" "tests/ci/k3d/values.yaml")" == "true" ]; then
+ yq eval-all 'select(fileIndex == 0) * select(filename == "tests/ci/keycloak-certs/keycloak-passthrough-values.yaml")' $CI_VALUES_FILE tests/ci/keycloak-certs/keycloak-passthrough-values.yaml > tmpfile && mv tmpfile $CI_VALUES_FILE
+fi
+
 # deploy BigBang using dev sized scaling
 echo "Installing BigBang with the following configurations:"
 cat $CI_VALUES_FILE
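Review bot: The yq merge passes `$CI_VALUES_FILE` unquoted and writes to a fixed `tmpfile` in the working directory, so a path containing whitespace splits into two arguments and a stale `tmpfile` left by an earlier step is silently overwritten or reused. `tmp=$(mktemp)` together with `> "$tmp" && mv "$tmp" "$CI_VALUES_FILE"` and `"$CI_VALUES_FILE"` as the first yq argument fixes both. The enabled check reads `tests/ci/k3d/values.yaml` while the merge target is `$CI_VALUES_FILE`; if the variable (set outside this hunk) can point elsewhere, the flag is tested on one file and the cert merged into another, so either read the flag from `"$CI_VALUES_FILE"` too or add a comment stating that the two are the same file in CI. The same check-file/target-file split recurs in the second hunk of this script.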
@@ -27,11 +32,24 @@ helm upgrade -i bigbang chart -n bigbang --create-namespace \
--set registryCredentials[0].registry=registry1.dso.mil \
-f ${CI_VALUES_FILE}
-# apply secrets kustomization pointing to current branch
-echo "Deploying secrets from the ${CI_COMMIT_REF_NAME} branch"
-if [ -z "$CI_COMMIT_TAG" ]; then
- cat tests/ci/shared-secrets.yaml | sed 's|master|'"$CI_COMMIT_REF_NAME"'|g' | kubectl apply -f -
+# if keycloak is enabled use *.admin.bigbang.dev cert
+# otherwise use *.bigbang.dev
+if [ "$(yq e ".addons.keycloak.enabled" "tests/ci/k3d/values.yaml")" == "true" ]; then
+ # apply secrets kustomization pointing to current branch
+ echo "Deploying secrets from the ${CI_COMMIT_REF_NAME} branch"
+ if [ -z "$CI_COMMIT_TAG" ]; then
+ cat tests/ci/keycloak.yaml | sed 's|master|'"$CI_COMMIT_REF_NAME"'|g' | kubectl apply -f -
+ else
+ # NOTE: $CI_COMMIT_REF_NAME = $CI_COMMIT_TAG when running on a tagged build
+ cat tests/ci/keycloak.yaml | sed 's|branch: master|tag: '"$CI_COMMIT_REF_NAME"'|g' | kubectl apply -f -
+ fi
else
- # NOTE: $CI_COMMIT_REF_NAME = $CI_COMMIT_TAG when running on a tagged build
- cat tests/ci/shared-secrets.yaml | sed 's|branch: master|tag: '"$CI_COMMIT_REF_NAME"'|g' | kubectl apply -f -
-fi
\ No newline at end of file
+ # apply secrets kustomization pointing to current branch
+ echo "Deploying secrets from the ${CI_COMMIT_REF_NAME} branch"
+ if [ -z "$CI_COMMIT_TAG" ]; then
+ cat tests/ci/shared-secrets.yaml | sed 's|master|'"$CI_COMMIT_REF_NAME"'|g' | kubectl apply -f -
+ else
+ # NOTE: $CI_COMMIT_REF_NAME = $CI_COMMIT_TAG when running on a tagged build
+ cat tests/ci/shared-secrets.yaml | sed 's|branch: master|tag: '"$CI_COMMIT_REF_NAME"'|g' | kubectl apply -f -
+ fi
+fi
diff --git a/scripts/deploy/02_wait_for_helmreleases.sh b/scripts/deploy/02_wait_for_helmreleases.sh
index 8e554fbb8ae124ed63608ac7a5e7a60b9a2f1c72..ae1e93b69e930ab7dfa7977c2b74baef0a574149 100755
--- a/scripts/deploy/02_wait_for_helmreleases.sh
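Review bot: The two arms of the new outer `if` are identical apart from the manifest path, so the sed/kubectl apply logic is now maintained in four places; choose the manifest first and keep a single copy of the apply block (sketch below). As in the previous hunk the decision reads the hard-coded `tests/ci/k3d/values.yaml` rather than `$CI_VALUES_FILE`, so the cert that gets deployed can disagree with the values actually passed to the `helm upgrade` two lines above. Note also that the branch-case `sed 's|master|…|g'` rewrites every occurrence of `master` in the manifest, not just `branch: master`; tests/ci/keycloak.yaml has no other occurrence today, but the anchored `branch: master` pattern already used in the tag case is the safer one if shared-secrets.yaml does not depend on the broad match.
```shell
# if keycloak is enabled use the *.admin.bigbang.dev cert, otherwise *.bigbang.dev
if [ "$(yq e ".addons.keycloak.enabled" "${CI_VALUES_FILE}")" == "true" ]; then
  SECRETS_MANIFEST=tests/ci/keycloak.yaml
else
  SECRETS_MANIFEST=tests/ci/shared-secrets.yaml
fi
# apply secrets kustomization pointing to current branch
echo "Deploying secrets from the ${CI_COMMIT_REF_NAME} branch"
if [ -z "$CI_COMMIT_TAG" ]; then
  sed 's|master|'"$CI_COMMIT_REF_NAME"'|g' "${SECRETS_MANIFEST}" | kubectl apply -f -
else
  # NOTE: $CI_COMMIT_REF_NAME = $CI_COMMIT_TAG when running on a tagged build
  sed 's|branch: master|tag: '"$CI_COMMIT_REF_NAME"'|g' "${SECRETS_MANIFEST}" | kubectl apply -f -
fi
```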
+++ b/scripts/deploy/02_wait_for_helmreleases.sh
@@ -3,7 +3,7 @@ set -e
## This is an array to instantiate the order of wait conditions
-ORDERED_HELMRELEASES="gatekeeper istio-operator istio monitoring eck-operator ek fluent-bit twistlock cluster-auditor authservice argocd gitlab haproxy-sso gitlab-runner minio-operator minio anchore sonarqube mattermost-operator mattermost"
+ORDERED_HELMRELEASES="gatekeeper istio-operator istio monitoring eck-operator ek fluent-bit twistlock cluster-auditor authservice argocd gitlab haproxy-sso gitlab-runner minio-operator minio anchore sonarqube mattermost-operator mattermost keycloak"
## This is the actual deployed helmrelease objects in the cluster
DEPLOYED_HELMRELEASES=$(kubectl get hr --no-headers -n bigbang | awk '{ print $1}')
diff --git a/tests/bash/01_virtualservices.sh b/tests/bash/01_virtualservices.sh
index b5dd206c171c87ff512ed77ac42bdb33e5cb3167..872ecb8cccdda81b62dfdec86056d2b298843f6b 100755
--- a/tests/bash/01_virtualservices.sh
+++ b/tests/bash/01_virtualservices.sh
@@ -12,4 +12,4 @@ hosts=`kubectl get virtualservices -A -o jsonpath="{ .items[*].spec.hosts[*] }"`
for host in $hosts; do
echo "$ip $host" >> /etc/hosts
curl -svv https://$host/ > /dev/null
-done
\ No newline at end of file
+done
diff --git a/tests/bash/03_cypress.sh b/tests/bash/03_cypress.sh
index 904036c39514b2f72a8579f5ab072ac179ee3d7e..d817e426c81d846e69d5a6363d791e758b220a1e 100755
--- a/tests/bash/03_cypress.sh
+++ b/tests/bash/03_cypress.sh
@@ -40,7 +40,28 @@ done
for dir in cypress-tests/*/
do
if [ -f "${dir}tests/cypress.json" ]; then
- echo "Running cypress tests in ${dir}"
- cypress run --project "${dir}"tests
+ if [ "$(yq e ".addons.keycloak.enabled" "tests/ci/k3d/values.yaml")" == "true" ]; then
+ echo "Running cypress tests. Keycloak is enabled. Directory is ${dir}"
+ if [ "${dir}" == "cypress-tests/elasticsearch-kibana/" ]; then
+ echo "Keycloak is enabled and cypress directory is ${dir}"
+ echo "Running cypress tests in ${dir}"
+ CYPRESS_kibana_url=kibana.admin.bigbang.dev cypress run --project "${dir}"tests
+ fi
+ if [ "${dir}" == "cypress-tests/monitoring/" ]; then
+ echo "Keycloak is enabled and cypress directory is ${dir}"
+ echo "Running cypress tests in ${dir}"
+ CYPRESS_prometheus_url=prometheus.admin.bigbang.dev CYPRESS_grafana_url=grafana.admin.bigbang.dev cypress run --project "${dir}"tests
+ fi
+ if [ "${dir}" == "cypress-tests/twistlock/" ]; then
+ echo "Keycloak is enabled and cypress directory is ${dir}"
+ echo "Running cypress tests in ${dir}"
+ CYPRESS_twistlock_url=twistlock.admin.bigbang.dev cypress run --project "${dir}"tests
+ fi
+ else
+ echo "Keycloak not enabled"
+ echo "Running cypress tests in ${dir}"
+ cypress run --project "${dir}"tests
+ fi
fi
done
+
diff --git a/tests/ci/k3d/values.yaml b/tests/ci/k3d/values.yaml
index 8e8f9a55f6d046542d1fb8408d1f4af14d555dd6..1e52d16e04da5748d34d37bbca6be10f493eae8a 100644
--- a/tests/ci/k3d/values.yaml
+++ b/tests/ci/k3d/values.yaml
@@ -399,3 +399,13 @@ addons:
# Backup data in object storage will _not_ be deleted, however Backup instances in the Kubernetes API will.
# Always clean up CRDs in CI.
cleanUpCRDs: true
+
+ keycloak:
+ enabled: false
+ values:
+ replicas: 1
+ resources:
+ requests:
+ cpu: 10m
+ memory: 16Mi
+ limits: {}
\ No newline at end of file
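Review bot: When Keycloak is enabled, any cypress directory other than elasticsearch-kibana, monitoring and twistlock falls through all three inner `if` blocks and runs nothing, and nothing is logged about it; before this change every directory with a `tests/cypress.json` was exercised, so suites such as the other addons are silently dropped from the Keycloak pipeline. If skipping them is intended, make it explicit with a final default branch that logs the skip; otherwise run them with their default URLs. A `case` on `${dir}` expresses both outcomes more clearly than three sequential `if`s with duplicated `echo` pairs, and the `yq` lookup (which again reads the hard-coded `tests/ci/k3d/values.yaml`) only needs to run once before the loop rather than on every iteration.
```shell
KEYCLOAK_ENABLED="$(yq e ".addons.keycloak.enabled" "tests/ci/k3d/values.yaml")"
for dir in cypress-tests/*/
do
  if [ -f "${dir}tests/cypress.json" ]; then
    if [ "${KEYCLOAK_ENABLED}" == "true" ]; then
      case "${dir}" in
        cypress-tests/elasticsearch-kibana/)
          echo "Keycloak is enabled; running cypress tests in ${dir}"
          CYPRESS_kibana_url=kibana.admin.bigbang.dev cypress run --project "${dir}"tests ;;
        cypress-tests/monitoring/)
          echo "Keycloak is enabled; running cypress tests in ${dir}"
          CYPRESS_prometheus_url=prometheus.admin.bigbang.dev CYPRESS_grafana_url=grafana.admin.bigbang.dev cypress run --project "${dir}"tests ;;
        cypress-tests/twistlock/)
          echo "Keycloak is enabled; running cypress tests in ${dir}"
          CYPRESS_twistlock_url=twistlock.admin.bigbang.dev cypress run --project "${dir}"tests ;;
        *)
          # no admin.bigbang.dev override exists for this suite yet; say so instead of silently skipping
          echo "Keycloak is enabled; skipping cypress tests in ${dir}" ;;
      esac
    else
      echo "Keycloak not enabled; running cypress tests in ${dir}"
      cypress run --project "${dir}"tests
    fi
  fi
done
```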
diff --git a/tests/ci/keycloak-certs/admin.bigbang.dev-secret.yaml b/tests/ci/keycloak-certs/admin.bigbang.dev-secret.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..e4517a841f75eb27e7d4a003b25d7301988a06a9
--- /dev/null
+++ b/tests/ci/keycloak-certs/admin.bigbang.dev-secret.yaml
@@ -0,0 +1,94 @@ +apiVersion: v1 +kind: Secret +metadata: + name: wildcard-cert + namespace: istio-system +type: kubernetes.io/tls +stringData: + # *.admin.bigbang.dev + tls.crt: | + -----BEGIN CERTIFICATE----- + MIIFLDCCBBSgAwIBAgISA87F5ACBGZuzPeSeGr2wqcY8MA0GCSqGSIb3DQEBCwUA + MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD + EwJSMzAeFw0yMTA0MTQxNDIzMTRaFw0yMTA3MTMxNDIzMTRaMB4xHDAaBgNVBAMM + EyouYWRtaW4uYmlnYmFuZy5kZXYwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK + AoIBAQC8bJtY3qQC0udgWInp1K81Canpzsd/22mQ9f8GjVNF/7DhCSXRdHNeLtDN + eJ2JoH96d1vLAm1YmHJ31aBwVULM0cWPRDkRg2Wjl/sMFoLgxR1ZKdtq3xxC2fwi + DXjwv9JyOQgOrQqFxP7BQab1fv9uDfHP1aIxcDN7CpOxJHrjMoxyiPRynNFvw/ii + GDJ+Jvomt8opWb4mC2jZMK5WGLvYWj9mkUo9crnQVJBNgU/ebx3j+yWztD6PDnuT + NptI3x6OySjbkYlBGhjKMpfQ7mTPCr5pBEgcJFVXVROg8Bum15vn3Uv+4LNe1tHc + DxwCJQQJrzGNNc5YMpn81rvltDOTAgMBAAGjggJOMIICSjAOBgNVHQ8BAf8EBAMC + BaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAw + HQYDVR0OBBYEFLp8IoeSyLzb/tJ57pxDqGX4t/4nMB8GA1UdIwQYMBaAFBQusxe3 + WFbLrlAJQOYfr52LFMLGMFUGCCsGAQUFBwEBBEkwRzAhBggrBgEFBQcwAYYVaHR0 + cDovL3IzLm8ubGVuY3Iub3JnMCIGCCsGAQUFBzAChhZodHRwOi8vcjMuaS5sZW5j + ci5vcmcvMB4GA1UdEQQXMBWCEyouYWRtaW4uYmlnYmFuZy5kZXYwTAYDVR0gBEUw + QzAIBgZngQwBAgEwNwYLKwYBBAGC3xMBAQEwKDAmBggrBgEFBQcCARYaaHR0cDov + L2Nwcy5sZXRzZW5jcnlwdC5vcmcwggEEBgorBgEEAdZ5AgQCBIH1BIHyAPAAdgCU + ILwejtWNbIhzH4KLIiwN0dpNXmxPlD1h204vWE2iwgAAAXjQ+rZ5AAAEAwBHMEUC + IQCOtTENOPlAwvmnqNxm9LHWo1TkNpLZqdCQWffa3zc2sAIgVpNs+pLLUmJfwq0+ + FRSQJB9FyrH7js53BSZ1WyfY6GwAdgB9PvL4j/+IVWgkwsDKnlKJeSvFDngJfy5q + l2iZfiLw1wAAAXjQ+razAAAEAwBHMEUCIQDCliAyo7EV92Kmp5zeoVfeqklvPPYi + p43KG/yc6gbiBwIgHpQYiQ5MCcJHnnol3Ku35ZYJw8jcWy7aW2S9gHR3eeUwDQYJ + KoZIhvcNAQELBQADggEBACUBLIHwOvyAsXlRGxqDKBGcl8BmbelWgp+XXsf9MZd0 + hYYrPlnQL95C5R78FXmYlG24J4uHLMTvz+gYe/WRv4Cjr8It+EaoGATZ8zGa2OlY + FTfx6dLk/h2KPF9N45o5rsUtlTlTfJYGz58p30XefLwOdIrez8UtEV2fWevAWwYw + ZGLvPczwDABye0OUou+M+BoZQOI6hrcQ3IXGlf/VQKzBp1dOOxZB7bx3mOzg1CI6 + 
1AebDLxybOev4Ke25jbtst6i4HG1feFXm4yL1utNsn15uBVoQVfKeLVvMO3Y2Hyi + DZvLATJX4qq0e2wDcETc8fxshOUnYhpzrbUctVBBncA= + -----END CERTIFICATE----- + -----BEGIN CERTIFICATE----- + MIIEZTCCA02gAwIBAgIQQAF1BIMUpMghjISpDBbN3zANBgkqhkiG9w0BAQsFADA/ + MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT + DkRTVCBSb290IENBIFgzMB4XDTIwMTAwNzE5MjE0MFoXDTIxMDkyOTE5MjE0MFow + MjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxCzAJBgNVBAMT + AlIzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuwIVKMz2oJTTDxLs + jVWSw/iC8ZmmekKIp10mqrUrucVMsa+Oa/l1yKPXD0eUFFU1V4yeqKI5GfWCPEKp + Tm71O8Mu243AsFzzWTjn7c9p8FoLG77AlCQlh/o3cbMT5xys4Zvv2+Q7RVJFlqnB + U840yFLuta7tj95gcOKlVKu2bQ6XpUA0ayvTvGbrZjR8+muLj1cpmfgwF126cm/7 + gcWt0oZYPRfH5wm78Sv3htzB2nFd1EbjzK0lwYi8YGd1ZrPxGPeiXOZT/zqItkel + /xMY6pgJdz+dU/nPAeX1pnAXFK9jpP+Zs5Od3FOnBv5IhR2haa4ldbsTzFID9e1R + oYvbFQIDAQABo4IBaDCCAWQwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8E + BAMCAYYwSwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5p + ZGVudHJ1c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTE + p7Gkeyxx+tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEE + AYLfEwEBATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2Vu + Y3J5cHQub3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0 + LmNvbS9EU1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYf + r52LFMLGMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjANBgkqhkiG9w0B + AQsFAAOCAQEA2UzgyfWEiDcx27sT4rP8i2tiEmxYt0l+PAK3qB8oYevO4C5z70kH + ejWEHx2taPDY/laBL21/WKZuNTYQHHPD5b1tXgHXbnL7KqC401dk5VvCadTQsvd8 + S8MXjohyc9z9/G2948kLjmE6Flh9dDYrVYA9x2O+hEPGOaEOa1eePynBgPayvUfL + qjBstzLhWVQLGAkXXmNs+5ZnPBxzDJOLxhF2JIbeQAcH5H0tZrUlo5ZYyOqA7s9p + O5b85o3AM/OJ+CktFBQtfvBhcJVd9wvlwPsk+uyOy2HI7mNxKKgsBTt375teA2Tw + UdHkhVNcsAKX1H7GNNLOEADksd86wuoXvg== + -----END CERTIFICATE----- + tls.key: | + -----BEGIN PRIVATE KEY----- + MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC8bJtY3qQC0udg + WInp1K81Canpzsd/22mQ9f8GjVNF/7DhCSXRdHNeLtDNeJ2JoH96d1vLAm1YmHJ3 + 
1aBwVULM0cWPRDkRg2Wjl/sMFoLgxR1ZKdtq3xxC2fwiDXjwv9JyOQgOrQqFxP7B + Qab1fv9uDfHP1aIxcDN7CpOxJHrjMoxyiPRynNFvw/iiGDJ+Jvomt8opWb4mC2jZ + MK5WGLvYWj9mkUo9crnQVJBNgU/ebx3j+yWztD6PDnuTNptI3x6OySjbkYlBGhjK + MpfQ7mTPCr5pBEgcJFVXVROg8Bum15vn3Uv+4LNe1tHcDxwCJQQJrzGNNc5YMpn8 + 1rvltDOTAgMBAAECggEACINbrXM5s8r1mzvE12S9mcba/25RQyyVo3AJ2rDt7z6z + Liespr79K2cwFeh6Laqrt8vGwPBWImeY3GMxgYHIp9pec6+gaHMoV3DZbd1igmdF + gS7L9BMqgra4lo1HRpFUH8cF3yvgStTwsaiWs4bOYZmNsFc1ocgw+0EqFRnR14vw + Q6pxlNlR0wND4WwEQ+PEFuGyaZpcnDA38vwaNyIVl99pRXXojvfco7dacYyce40o + O02mtl2yME4ssCgYPcThonPaUDjF594q7J2kqVRp6mJ0J9lvsxPRZ3NC1tOfVgzI + E/YVeNx7S9r0ONTJFLfRidd+udBKBCUM7NcKygqk8QKBgQDiQc0LPe7NWzfZ5Ks2 + IeZZ1S7CX/Eyv7VW90YhOUTF9g9PmmH1v539vp9xdHlo9YaF2dXuf1GsMgpNQ4IZ + Nuz5xwvvmma3demqtOawTpHj3vHpZWOYTL0SEb5XwyPaZZIb33wxDidT8/0CpwPt + Tlq6GQ8HPYupHT6cJQcb7PgAmQKBgQDVMZ+0WucFAKeJSEj1zDZA0EzUqiFfLCpP + gko9+9yhPvl7Q6c+oOV0brx0ny+racLUsV0m8vzvvLFxHTubPa7CMKf5s7c3EPQv + 8GqovlsvgzchwxRRs0KQMhQSZw1X2UDSBDci0AwZRXrJQp3odJk+0Pq5MslfCF6s + fwWxV6C1CwKBgBSvv3ePqg3MkUayyZShdNYxz5yl+P+S15mj8h2HhuoynSPCEcLO + Sjuw+hL9ezxFdo82Y4Dy0xzTVm3KBlMX2oLb2BOIImwTs9GPyKfGB0C2WZflVT3P + hlnolWagyN5m+vzhahFyIdZjMHbVnl5ME6+AKweWcPZ9XgQYvpWnDOXBAoGBAL0I + mTEUAQ+geuzxGTBI+DoT+GwAxkJbKNEDF81KC2E2M4Qmgp63j3zjy1ok4+G7jzOE + aLJmdfwkdbl0UCvgT5qEBg0UWvoKoFn5dLlWwAeq8zGOhe/DYNv2a3G9ykkAq8cM + Uc8eZfvqbWsTFGzPJipaplWcQI1xIHEW1/ddWXPtAoGBAInFXBnVDJiZkhq1adt9 + 3S/YVoMigw6ZD4j7E5g/5QBCs2rnZex20YFuJDvf+HAD/3eohJ6n75QRSZc0sn9j + XO49WKI7Qd2XTEL6dGvxGyFRTqrC5dUd3v/wq4XjUz1bI6VTvvHvf7EPCGh1NJ8v + PcJzvO/HdugGAG1xWnN7HT4g + -----END PRIVATE KEY----- \ No newline at end of file diff --git a/tests/ci/keycloak-certs/keycloak-passthrough-values.yaml b/tests/ci/keycloak-certs/keycloak-passthrough-values.yaml new file mode 100644 index 0000000000000000000000000000000000000000..59d269f1e465e2cbfae85069979e314e0c24cc2b --- /dev/null +++ b/tests/ci/keycloak-certs/keycloak-passthrough-values.yaml 
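Review bot: `tls.key` is the plaintext private key of a publicly trusted certificate (the bundled issuer decodes to Let's Encrypt "R3", chained to DST Root CA X3), committed to the repository; anyone who can read this repo can terminate TLS as `*.admin.bigbang.dev`, so unless that domain is considered disposable the key should be revoked and the material moved to a protected CI variable or an encrypted secret (SOPS/sealed-secret) that the Flux Kustomization in tests/ci/keycloak.yaml decrypts. The leaf's validity appears to decode to roughly 2021-04-14 through 2021-07-13, a 90-day certificate, so this CI path will start failing on expiry with no hint in the file as to why; add a comment above `tls.crt` such as `# Let's Encrypt wildcard for *.admin.bigbang.dev; expires 2021-07-13 — rotate before then` and note where the renewal comes from. The Secret also reuses the name `wildcard-cert` in `istio-system`, presumably to replace the `*.bigbang.dev` secret applied by the non-Keycloak path; that collision is deliberate and is worth a one-line comment so it is not "fixed" later.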
@@ -0,0 +1,90 @@ +addons: + keycloak: + ingress: + # *.bigbang.dev + key: | + -----BEGIN PRIVATE KEY----- + MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDl7oIecDHRb8XB + jG4sEW1qsBlI94oIa50KTHWOet7mhW82BX+scWVgqI3PbIVUI144IgKGPSq3SEki + gP0zNgSlxNjZZ/UaB99HXlK5kZ87puDvoOYMBiurjq/QzgwygiN9NyyqdUtWdc/V + 94owxS47HsclhnOEXscVOjSQI/PIGM5G8UXZyeV0yvGVvrUYNbMfz9Mhh3rD2ihw + 6LQVgX710J7q3IOiC1CDCt0wXur1w18LYs+R1Yu07AM7R5EoEEFB2TZhYgDZ3+v7 + lvv/EINyVc5FfolIhyV1VG+dZxevHFiuZQ5cNLpiLwep3QreKeNk1ijBhAehRnTM + a8fB+mb9AgMBAAECggEAS7KiE/NL82+g43+gJdH2+9DOAj+8qdkD8ogJi8bX63yy + iE53IgaTIadcSJWpr3GVa1WHDzrD/WNG8J0Wvu1hylFsMucOwmslDxH2mjFfAvyF + wV5vXjYJ2ok3SL8NNPOzS14GznefPe+7ZO4CCNxhxAT1+1ywWzv4vvxSocG0WINy + QwbY53vl7/fyJzmkiDUuqRqtVKR/SCvVFyV/Mzb9XwLVVOzme7zMbK9EwlR7XxwH + NtjZS2t/DbFUh+O9lj28fuV4qVo83jGWE63P4bEvOXzFC5zu+kpEmQEP5X1UGqqp + h1NBPG0oeP17hv0jVzc703dbnBzif58Sc4DFraQ94QKBgQD81+IquSpmW1epJdNu + AGAalvPS0JWWjjBrn+sC0JA+7QWGJrGAN8FtZrx/Eu58ovuD3Yra86ilWALWJKQj + vaEg/xbrZixbQoap6MI4XYK6hqEY2Og28K4MqQXtvQB5NrjnDdYY7cICStJ8WMGs + KV0MKzHGsUbvTBRQGXaFXHDSlwKBgQDozWWIHZ+fO0Rd/nG8M+kRY3HmIFLyxZ7C + YZ5pgEn+X4xNi3lghkBMXAx50BB+as158lPrdHLTpkeYbcWg7xfcn2C4V+mKuUDo + aAX8TeqbIy/Wc67HxM0+ujRkwNNIqZJhLrE34SGBDzj9jDv+sLAjglAzIbK3vtLR + nP5DRQ1JiwKBgFd7Djp/9GaTxgG1H7EYmie5AMV4+7iqm6AxJWvE45OSCG5A5vsY + z2jduewxjag778/RECDvWvNSPzD+XngrPRughrqNkF1G6DbTXJeJ6xhESmrBaZ7Q + qTeiJ3X5BbfqshDnXaMkaBLI9oilYOUDLrluHHvFjGhxJzoLhVFhCXwjAoGBALmM + 9C7gRZh5eY1dPzOdQFeepmqgOtzLDDWr7sHyAYfgighIcW6wslDqUPtKDctkvu9C + aQbS4q606n2giJMz3hX3ZfSoBTmPXB+gwZyOUb5i9j78J0OMJXaonRfs5LoWhdg1 + igSayMR/6JGWEz91fn5e4CNQ6YwwaQGvGq1tPSDvAoGBAMH7yzcNoPlTGF7tIHuf + xvFGCnnrS+UFWm6JaFCaNmKCr1FqRqa0seQmRl0FrnwXH3Q9/KpepBlcMjxhI1aF + ZtXMjqYq3Fe6V8QAx0HxbbAlyzeOnK5xmKfzV0YXSHH5GjvK99zKT6s8Gu1jxu4I + vfkczrrBlKbNp5wxPgjcAZd7 + -----END PRIVATE KEY----- + cert: | + -----BEGIN CERTIFICATE----- + MIIFMzCCBBugAwIBAgISA/bfQH5Vgy3KTu3PXxiNHed8MA0GCSqGSIb3DQEBCwUA + 
MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD + EwJSMzAeFw0yMTA0MTYwMTA1MTNaFw0yMTA3MTUwMTA1MTNaMBgxFjAUBgNVBAMM + DSouYmlnYmFuZy5kZXYwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDl + 7oIecDHRb8XBjG4sEW1qsBlI94oIa50KTHWOet7mhW82BX+scWVgqI3PbIVUI144 + IgKGPSq3SEkigP0zNgSlxNjZZ/UaB99HXlK5kZ87puDvoOYMBiurjq/QzgwygiN9 + NyyqdUtWdc/V94owxS47HsclhnOEXscVOjSQI/PIGM5G8UXZyeV0yvGVvrUYNbMf + z9Mhh3rD2ihw6LQVgX710J7q3IOiC1CDCt0wXur1w18LYs+R1Yu07AM7R5EoEEFB + 2TZhYgDZ3+v7lvv/EINyVc5FfolIhyV1VG+dZxevHFiuZQ5cNLpiLwep3QreKeNk + 1ijBhAehRnTMa8fB+mb9AgMBAAGjggJbMIICVzAOBgNVHQ8BAf8EBAMCBaAwHQYD + VR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0O + BBYEFAqYpSC/aq86VGg0Pj+AJL8Jq4opMB8GA1UdIwQYMBaAFBQusxe3WFbLrlAJ + QOYfr52LFMLGMFUGCCsGAQUFBwEBBEkwRzAhBggrBgEFBQcwAYYVaHR0cDovL3Iz + Lm8ubGVuY3Iub3JnMCIGCCsGAQUFBzAChhZodHRwOi8vcjMuaS5sZW5jci5vcmcv + MCsGA1UdEQQkMCKCDSouYmlnYmFuZy5kZXaCESouZGV2LmJpZ2JhbmcuZGV2MEwG + A1UdIARFMEMwCAYGZ4EMAQIBMDcGCysGAQQBgt8TAQEBMCgwJgYIKwYBBQUHAgEW + Gmh0dHA6Ly9jcHMubGV0c2VuY3J5cHQub3JnMIIBBAYKKwYBBAHWeQIEAgSB9QSB + 8gDwAHUAb1N2rDHwMRnYmQCkURX/dxUcEdkCwQApBo2yCJo32RMAAAF42GzRXAAA + BAMARjBEAiBC9SJzpBUmMfpTTflKasVUMCOVEH/yQHLez9OijeyLEQIgJ29qt+mt + Cwhds52p8Fn8d4DQ05X1YGe83w//nJG76hwAdwD2XJQv0XcwIhRUGAgwlFaO400T + GTO/3wwvIAvMTvFk4wAAAXjYbNHPAAAEAwBIMEYCIQDBtSlv2u3Sz3bTOKQAzsmS + +u79PjtpvTnHfp7SwqGTAAIhAOJL7dr9pJt9JRKBl4E7Vu79xU7xOux1LIUVE+kA + dR1qMA0GCSqGSIb3DQEBCwUAA4IBAQBQK76kZJwa1zNv2k2h/u5isvcQiDL8eoUd + idIdXy7ydIbhzYl9Vh+zDGkUwxvIP4jVjD4FBC4QqQTjqutw8sLWjbzSPJLVfYLV + TmwtkbCvhTiE3PAdT+SmoOFIUsd2LEmjFJ622DyUaNH0OsdrHKClC/KIO0NvhTQs + ZnN89eH1wreIL9DolXko3RgkGB1LbG9MH4/dvzTnKHoBo4EUFXoJcnSiK7rdHEXI + u7wKFjw9OJnqjCLx7SGOIyhLo4c5UtJXU8uxKmxsO63WGZG+ZB38uzuRZaEEt+zs + SolSteEEHHXbe/BjYfufW2BXdJwqi3gaw04j+8Q4hcntH2cM28TW + -----END CERTIFICATE----- + -----BEGIN CERTIFICATE----- + MIIEZTCCA02gAwIBAgIQQAF1BIMUpMghjISpDBbN3zANBgkqhkiG9w0BAQsFADA/ + MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT + 
DkRTVCBSb290IENBIFgzMB4XDTIwMTAwNzE5MjE0MFoXDTIxMDkyOTE5MjE0MFow + MjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxCzAJBgNVBAMT + AlIzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuwIVKMz2oJTTDxLs + jVWSw/iC8ZmmekKIp10mqrUrucVMsa+Oa/l1yKPXD0eUFFU1V4yeqKI5GfWCPEKp + Tm71O8Mu243AsFzzWTjn7c9p8FoLG77AlCQlh/o3cbMT5xys4Zvv2+Q7RVJFlqnB + U840yFLuta7tj95gcOKlVKu2bQ6XpUA0ayvTvGbrZjR8+muLj1cpmfgwF126cm/7 + gcWt0oZYPRfH5wm78Sv3htzB2nFd1EbjzK0lwYi8YGd1ZrPxGPeiXOZT/zqItkel + /xMY6pgJdz+dU/nPAeX1pnAXFK9jpP+Zs5Od3FOnBv5IhR2haa4ldbsTzFID9e1R + oYvbFQIDAQABo4IBaDCCAWQwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8E + BAMCAYYwSwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5p + ZGVudHJ1c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTE + p7Gkeyxx+tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEE + AYLfEwEBATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2Vu + Y3J5cHQub3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0 + LmNvbS9EU1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYf + r52LFMLGMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjANBgkqhkiG9w0B + AQsFAAOCAQEA2UzgyfWEiDcx27sT4rP8i2tiEmxYt0l+PAK3qB8oYevO4C5z70kH + ejWEHx2taPDY/laBL21/WKZuNTYQHHPD5b1tXgHXbnL7KqC401dk5VvCadTQsvd8 + S8MXjohyc9z9/G2948kLjmE6Flh9dDYrVYA9x2O+hEPGOaEOa1eePynBgPayvUfL + qjBstzLhWVQLGAkXXmNs+5ZnPBxzDJOLxhF2JIbeQAcH5H0tZrUlo5ZYyOqA7s9p + O5b85o3AM/OJ+CktFBQtfvBhcJVd9wvlwPsk+uyOy2HI7mNxKKgsBTt375teA2Tw + UdHkhVNcsAKX1H7GNNLOEADksd86wuoXvg== + -----END CERTIFICATE----- diff --git a/tests/ci/keycloak-certs/kustomization.yaml b/tests/ci/keycloak-certs/kustomization.yaml new file mode 100644 index 0000000000000000000000000000000000000000..0704c9fe95623b825e2170deb30289d03ccdc7fd --- /dev/null +++ b/tests/ci/keycloak-certs/kustomization.yaml @@ -0,0 +1,3 @@ +resources: +- admin.bigbang.dev-secret.yaml + diff --git a/tests/ci/keycloak.yaml b/tests/ci/keycloak.yaml new file mode 100644 index 0000000000000000000000000000000000000000..c206d5144d4f5babd77f3bbddcfa45fb0fcd87bb --- /dev/null 
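Review bot: `addons.keycloak.ingress.key` is another plaintext private key for a CA-issued certificate (the leaf's SAN list appears to cover `*.bigbang.dev` and `*.dev.bigbang.dev`), and because it lives in Helm values rather than a Secret it is merged into `$CI_VALUES_FILE` by scripts/deploy/01_deploy_bigbang.sh, echoed by that script's `cat`, and retained in the Helm release's stored values, so it is exposed in git, the CI log and `helm get values`. Prefer carrying the key in a masked CI variable and injecting it with `yq` at deploy time; if it must stay in git, add a header comment above `key:` stating that it is a throwaway test key and when it expires (the leaf appears to run from 2021-04-16 to 2021-07-15), e.g. `# Test-only key/cert for *.bigbang.dev passthrough; expires 2021-07-15 — rotate before then`. The `# *.bigbang.dev` comment that is there now does not convey either point.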
+++ b/tests/ci/keycloak.yaml
@@ -0,0 +1,26 @@
+apiVersion: source.toolkit.fluxcd.io/v1beta1
+kind: GitRepository
+metadata:
+ name: secrets
+ namespace: bigbang
+spec:
+ interval: 1m0s
+ # NOTE: We could use the same "bigbang" repository, but secrets are usually committed to a consumer owned repo,
+ # so we are demonstrating that here with a new `GitRepository` resource pointed to the same repo
+ url: https://repo1.dso.mil/platform-one/big-bang/bigbang.git
+ ref:
+ branch: master
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta1
+kind: Kustomization
+metadata:
+ name: secrets
+ namespace: bigbang
+spec:
+ interval: 1m0s
+ sourceRef:
+ kind: GitRepository
+ name: secrets
+ namespace: bigbang
+ path: "./tests/ci/keycloak-certs"
+ prune: true
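Review bot: This file carries two behaviours that cannot be seen from reading it alone and deserve a comment: `branch: master` is rewritten to the pipeline ref by `sed` in scripts/deploy/01_deploy_bigbang.sh, and the GitRepository/Kustomization names `secrets` in `bigbang` are, as the copied `# NOTE` comment suggests, presumably the same names used by tests/ci/shared-secrets.yaml, so whichever manifest CI applies last overwrites the other's source and, with `prune: true`, Flux garbage-collects objects it applied before that are no longer in `./tests/ci/keycloak-certs`. Replace the copied note with something like `# CI only: 'branch' is rewritten to the pipeline ref by scripts/deploy/01_deploy_bigbang.sh; the 'secrets' names intentionally match shared-secrets.yaml so only one wildcard-cert source is active at a time`. If the second half is not actually true for shared-secrets.yaml, the two Kustomizations will both be live and both manage a `wildcard-cert` in `istio-system`, which is worth checking.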