Packages.md

@@ -25,7 +25,7 @@ Columns:
 | [OPA Gatekeeper](https://repo1.dso.mil/platform-one/big-bang/apps/core/policy) | ![OPA Build](https://repo1.dso.mil/platform-one/big-bang/apps/core/policy/badges/main/pipeline.svg) | No | No | No | [Yes](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/626) | No | No |
 | [Cluster Auditor](https://repo1.dso.mil/platform-one/big-bang/apps/core/cluster-auditor) | ![Cluster Auditor Build](https://repo1.dso.mil/platform-one/big-bang/apps/core/cluster-auditor/badges/main/pipeline.svg)  | No | No | No | [Yes](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/565) | [Yes (STRICT)](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/1370) | No |
 | [Kyverno](https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/kyverno) | ![Kyverno Build](https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/kyverno/badges/main/pipeline.svg) |  No | No | No | Yes | No | No |
-| [Kyverno Policies](https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/kyverno-policies) | ![Kyverno Build](https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/kyverno-policies/badges/main/pipeline.svg) |  No | No | No | Yes | No | No |
+| [Kyverno Policies](https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/kyverno-policies) ![BETA](https://img.shields.io/badge/BETA-purple?style=flat-square) | ![Kyverno Build](https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/kyverno-policies/badges/main/pipeline.svg) |  No | No | No | Yes | No | No |
 | [Promtail](https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/promtail) ![BETA](https://img.shields.io/badge/BETA-purple?style=flat-square) | ![Promtail Build](https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/promtail/badges/main/pipeline.svg) |  No | No | No | Yes | [Yes (STRICT)](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/1516) | No |
 | [Loki](https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/loki) ![BETA](https://img.shields.io/badge/BETA-purple?style=flat-square) | ![Loki Build](https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/loki/badges/main/pipeline.svg) |  No | No | No | Yes | [Yes (STRICT)](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/1516) | No |
 | [Tempo](https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/tempo) ![BETA](https://img.shields.io/badge/BETA-purple?style=flat-square) | ![Tempo Build](https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/tempo/badges/main/pipeline.svg) | No | Yes | Yes | [Yes](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/1253) | [Yes (STRICT)](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/1762) | No |
@@ -66,7 +66,7 @@ Columns:
 | Package | Status | Logging | Telemetry | Tracing | Network Policies | mTLS | Behavior Detection |
 | --- | --- | --- | --- | --- | --- | --- | --- |
 | [MinIO](https://repo1.dso.mil/platform-one/big-bang/apps/application-utilities/minio)  | ![MinIO Build](https://repo1.dso.mil/platform-one/big-bang/apps/application-utilities/minio/badges/main/pipeline.svg)    | No | No | No | [Yes](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/550) | [Yes (STRICT)](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/1566) | No |
-| [MinIO Operator](https://repo1.dso.mil/platform-one/big-bang/apps/application-utilities/minio-operator) |  ![MinIO Operator Build](https://repo1.dso.mil/platform-one/big-bang/apps/application-utilities/minio-operator/badges/main/pipeline.svg) | No | No | No | [Yes](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/685)] | [Yes (STRICT)](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/1554) |No |
+| [MinIO Operator](https://repo1.dso.mil/platform-one/big-bang/apps/application-utilities/minio-operator) |  ![MinIO Operator Build](https://repo1.dso.mil/platform-one/big-bang/apps/application-utilities/minio-operator/badges/main/pipeline.svg) | No | No | No | [Yes](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/685) | [Yes (STRICT)](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/1554) | No |
 
 ### Cluster Utilities
 

chart/templates/authservice/authservice-helmrelease.yaml

 {{- $fluxSettingsAuthservice := merge .Values.addons.authservice.flux .Values.flux -}}
-{{- if and .Values.istio.enabled (or .Values.addons.authservice.enabled (and .Values.monitoring.enabled .Values.monitoring.sso.enabled) (and .Values.jaeger.enabled .Values.jaeger.sso.enabled)) }}
+{{- if and .Values.istio.enabled (or .Values.addons.authservice.enabled (and .Values.monitoring.enabled .Values.monitoring.sso.enabled) (and .Values.jaeger.enabled .Values.jaeger.sso.enabled) (and .Values.tempo.enabled .Values.tempo.sso.enabled)) }}
 apiVersion: helm.toolkit.fluxcd.io/v2beta1
 kind: HelmRelease
 metadata:

chart/templates/authservice/gitrepository.yaml

-{{- if and .Values.istio.enabled (or .Values.addons.authservice.enabled (and .Values.monitoring.enabled .Values.monitoring.sso.enabled) (and .Values.jaeger.enabled .Values.jaeger.sso.enabled)) }}
+{{- if and .Values.istio.enabled (or .Values.addons.authservice.enabled (and .Values.monitoring.enabled .Values.monitoring.sso.enabled) (and .Values.jaeger.enabled .Values.jaeger.sso.enabled) (and .Values.tempo.enabled .Values.tempo.sso.enabled)) }}
 apiVersion: source.toolkit.fluxcd.io/v1beta2
 kind: GitRepository
 metadata:

chart/templates/authservice/imagepullsecret.yaml

-{{- if and .Values.istio.enabled (or .Values.addons.authservice.enabled (and .Values.monitoring.enabled .Values.monitoring.sso.enabled) (and .Values.jaeger.enabled .Values.jaeger.sso.enabled)) }}
+{{- if and .Values.istio.enabled (or .Values.addons.authservice.enabled (and .Values.monitoring.enabled .Values.monitoring.sso.enabled) (and .Values.jaeger.enabled .Values.jaeger.sso.enabled) (and .Values.tempo.enabled .Values.tempo.sso.enabled)) }}
 {{- if ( include "imagePullSecret" . ) }}
 apiVersion: v1
 kind: Secret

chart/templates/authservice/namespace.yaml

-{{- if and .Values.istio.enabled (or .Values.addons.authservice.enabled (and .Values.monitoring.enabled .Values.monitoring.sso.enabled) (and .Values.jaeger.enabled .Values.jaeger.sso.enabled)) }}
+{{- if and .Values.istio.enabled (or .Values.addons.authservice.enabled (and .Values.monitoring.enabled .Values.monitoring.sso.enabled) (and .Values.jaeger.enabled .Values.jaeger.sso.enabled) (and .Values.tempo.enabled .Values.tempo.sso.enabled)) }}
 apiVersion: v1
 kind: Namespace
 metadata:

chart/templates/authservice/values.yaml

-{{- if and .Values.istio.enabled (or .Values.addons.authservice.enabled (and .Values.monitoring.enabled .Values.monitoring.sso.enabled) (and .Values.jaeger.enabled .Values.jaeger.sso.enabled)) }}
+{{- if and .Values.istio.enabled (or .Values.addons.authservice.enabled (and .Values.monitoring.enabled .Values.monitoring.sso.enabled) (and .Values.jaeger.enabled .Values.jaeger.sso.enabled) (and .Values.tempo.enabled .Values.tempo.sso.enabled)) }}
 {{- include "values-secret" (dict "root" $ "package" .Values.addons.authservice "name" "authservice" "defaults" (include "bigbang.defaults.authservice" .)) }}
 {{- end }}
 
@@ -83,12 +83,10 @@ chains:
   jaeger:
     match:
       header: ":authority"
-    {{- $jaegerValues := .Values.jaeger.values | default dict }}
-    {{- $jaegerIstioValues := $jaegerValues.istio | default dict }}
-    {{- $jaegerHostValues := $jaegerIstioValues.jaeger | default dict}}
-    {{- if hasKey $jaegerHostValues "hosts" }}
-      prefix: {{ range .Values.jaeger.values.istio.jaeger.hosts }}{{ tpl . $}}{{ end }}
-    callback_uri: https://{{ range .Values.jaeger.values.istio.jaeger.hosts }}{{ tpl . $}}{{ end }}/login
+    {{- $jaegerHosts := (dig "istio" "jaeger" "hosts" dict .Values.jaeger.values) }}
+    {{- if $jaegerHosts }}
+      prefix: {{ trimSuffix (printf ".%s" $domainName) (tpl ($jaegerHosts | first) $) }}
+    callback_uri: https://{{ tpl ($jaegerHosts | first) $ }}/login
     {{- else }}
       prefix: "tracing"
     callback_uri: https://tracing.{{ $domainName }}/login
@@ -97,16 +95,33 @@ chains:
     client_secret: "{{ .Values.jaeger.sso.client_secret }}"
   {{- end }}
 
+  {{- if and .Values.tempo.enabled .Values.tempo.sso.enabled }}
+  tempo:
+    match:
+      header: ":authority"
+    {{- $tempoHosts := (dig "istio" "tempoQuery" "hosts" dict .Values.tempo.values) }}
+    {{- if $tempoHosts }}
+      prefix: {{ trimSuffix (printf ".%s" $domainName) (tpl ($tempoHosts | first) $) }}
+    callback_uri: https://{{ tpl ($tempoHosts | first) $ }}/login
+    {{- else if .Values.jaeger.enabled }}
+      prefix: "tempo"
+    callback_uri: https://tempo.{{ $domainName }}/login
+    {{- else }}
+      prefix: "tracing"
+    callback_uri: https://tracing.{{ $domainName }}/login
+    {{- end }}
+    client_id: "{{ .Values.tempo.sso.client_id }}"
+    client_secret: "{{ .Values.tempo.sso.client_secret }}"
+  {{- end }}
+
   {{- if and .Values.monitoring.enabled .Values.monitoring.sso.enabled }}
   prometheus:
     match:
       header: ":authority"
-    {{- $monitoringValues := .Values.monitoring.values | default dict }}
-    {{- $monitoringIstioValues := $monitoringValues.istio | default dict }}
-    {{- $prometheusHostValues := $monitoringIstioValues.prometheus | default dict}}
-    {{- if hasKey $prometheusHostValues "hosts" }}
-      prefix: {{ range .Values.monitoring.values.istio.prometheus.hosts }}{{ tpl . $}}{{ end }}
-    callback_uri: https://{{ range .Values.monitoring.values.istio.prometheus.hosts }}{{ tpl . $}}{{ end }}/login/generic_oauth
+    {{- $prometheusHosts := (dig "istio" "prometheus" "hosts" dict .Values.monitoring.values) }}
+    {{- if $prometheusHosts }}
+      prefix: {{ trimSuffix (printf ".%s" $domainName) (tpl ($prometheusHosts | first) $) }}
+    callback_uri: https://{{ tpl ($prometheusHosts | first) $ }}/login/generic_oauth
     {{- else }}
       prefix: "prometheus"
     callback_uri: https://prometheus.{{ $domainName }}/login/generic_oauth
@@ -117,10 +132,11 @@ chains:
   alertmanager:
     match:
       header: ":authority"
-    {{- $alertmanagerHostValues := $monitoringIstioValues.alertmanager | default dict}}
-    {{- if hasKey $alertmanagerHostValues "hosts" }}
-      prefix: {{ range .Values.monitoring.values.istio.alertmanager.hosts }}{{ tpl . $}}{{ end }}
-    callback_uri: https://{{ range .Values.monitoring.values.istio.alertmanager.hosts }}{{ tpl . $}}{{ end }}/login/generic_oauth
+    {{- $alertmanagerHosts := (dig "istio" "alertmanager" "hosts" dict .Values.monitoring.values) }}
+    {{- if $alertmanagerHosts }}
+      prefix: {{ trimSuffix (printf ".%s" $domainName) (tpl ($alertmanagerHosts | first) $) }}
+
+    callback_uri: https://{{ tpl ($alertmanagerHosts | first) $ }}/login/generic_oauth
     {{- else }}
       prefix: "alertmanager"
     callback_uri: https://alertmanager.{{ $domainName }}/login/generic_oauth

chart/templates/tempo/tempo-helmrelease.yaml

@@ -36,13 +36,16 @@ spec:
     - name: {{ .Release.Name }}-tempo-values
       kind: Secret
       valuesKey: "overlays"
-  {{- if or .Values.monitoring.enabled .Values.istio.enabled }}
+  {{- if or .Values.monitoring.enabled .Values.istio.enabled .Values.tempo.sso.enabled }}
   dependsOn:
     {{- if  .Values.monitoring.enabled }}
     - name: monitoring
       namespace: {{ .Release.Namespace }}
     {{- end }}
-
+    {{- if .Values.tempo.sso.enabled }}
+    - name: authservice
+      namespace: {{ .Release.Namespace }}
+    {{- end }}
     {{- if .Values.istio.enabled }}
     - name: istio
       namespace: {{ .Release.Namespace }}

chart/templates/tempo/values.yaml

@@ -31,7 +31,7 @@ tempo:
 {{- end }}
 {{- end }}
 
-    # hostname is deprecated and replaced with domain. But if hostname exists then use it.
+# hostname is deprecated and replaced with domain. But if hostname exists then use it.
 {{- $domainName := default .Values.domain .Values.hostname }}
 hostname: {{ $domainName }}
 domain: {{ $domainName }}
@@ -69,4 +69,14 @@ monitoring:
 serviceMonitor:
   enabled: {{ .Values.monitoring.enabled }}
 
+sso:
+  enabled: {{ .Values.tempo.sso.enabled }}
+
+{{- if .Values.tempo.sso.enabled }}
+{{- $tempoAuthserviceKey := (dig "selector" "key" "protect" .Values.addons.authservice.values) }}
+{{- $tempoAuthserviceValue := (dig "selector" "value" "keycloak" .Values.addons.authservice.values) }}
+podLabels:
+  {{ $tempoAuthserviceKey }}: {{ $tempoAuthserviceValue }}
+{{- end }}
+
 {{- end -}}

chart/values.yaml

@@ -552,7 +552,7 @@ tempo:
   git:
     repo: https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/tempo.git
     path: "./chart"
-    tag: "0.15.1-bb.6"
+    tag: "0.15.1-bb.7"
 
   # -- Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`).  The default is "public".
   ingress:
@@ -561,6 +561,16 @@ tempo:
   # -- Flux reconciliation overrides specifically for the Tempo Package
   flux: {}
 
+  sso:
+    # -- Toggle SSO for Tempo on and off
+    enabled: false
+
+    # -- OIDC Client ID to use for Tempo
+    client_id: ""
+
+    # -- OIDC Client Secret to use for Tempo
+    client_secret: ""
+
   objectStorage:
     # -- S3 compatible endpoint to use for connection information.
     # examples: "s3.amazonaws.com" "s3.us-gov-west-1.amazonaws.com" "minio.minio.svc.cluster.local:9000"
@@ -1088,7 +1098,7 @@ addons:
     git:
       repo: https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/anchore-enterprise.git
       path: "./chart"
-      tag: "1.18.6-bb.6"
+      tag: "1.18.6-bb.7"
 
     # -- Flux reconciliation overrides specifically for the Anchore Package
     flux:
@@ -1318,7 +1328,7 @@ addons:
     git:
       repo: https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/keycloak.git
       path: "./chart"
-      tag: "18.1.1-bb.6"
+      tag: "18.2.1-bb.0"
 
     database:
       # -- Hostname of a pre-existing database to use for Keycloak.

docs/assets/configs/example/dev-sso-values.yaml

@@ -166,6 +166,14 @@ logging:
     client_id: platform1_a8604cc9-f5e9-4656-802d-d05624370245_bb8-kibana
   license:
     trial: true
+
+tempo:
+  sso:
+    enabled: true
+    client_id: platform1_a8604cc9-f5e9-4656-802d-d05624370245_bb8-jaeger
+    # If deploying both Jaeger and Tempo you will need the tempo specific client below (matches the `tempo.bigbang.dev` VS)
+    # client_id: platform1_a8604cc9-f5e9-4656-802d-d05624370245_bb8-tempo
+
 monitoring:
   sso:
     enabled: true