Resolve "egress-sso network policy needs to open port 8443, not 443"
General MR
Summary
Creating a new chart value and make the port: option in our NetworkPolicy configurable with a default of 443
Relevant logs/screenshots
{{- if and .Values.networkPolicies.enabled .Values.global.appConfig.omniauth.enabled }}
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: egress-sso
namespace: {{ .Release.Namespace }}
spec:
podSelector:
matchLabels:
app: webservice
policyTypes:
- Egress
egress:
- ports:
- port: 8443
protocol: TCP
{{- end }}
in this file: https://repo1.dso.mil/big-bang/product/packages/gitlab/-/blob/main/chart/templates/bigbang/networkpolicies/egress-sso.yaml
Linked Issue
egress-sso network policy needs to open port 8443, not 443
Upgrade Notices
- Used "-m" when installing k3d dev-cluster
- Used these keycloak-dev-valuus.yaml overrides
- Follow this doc Deploying GitLab with a Dev Instance of Keycloak
- Gitlab overrides needed for testing
clusterAuditor:
enabled: false
gatekeeper:
enabled: false
istio:
enabled: true
istioOperator:
enabled: true
kiali:
enabled: false
kyverno:
enabled: false
kyvernoPolicies:
enabled: false
kyvernoReporter:
enabled: false
promtail:
enabled: false
loki:
enabled: false
neuvector:
enabled: false
tempo:
enabled: false
monitoring:
enabled: false
grafana:
enabled: false
twistlock:
enabled: false
eckOperator:
enabled: false
networkPolicies:
enabled: true
controlPlaneCidr: 172.20.0.0/12
addons:
keycloak:
enabled: true
# gitlabRunner:
# enabled: true
# git:
# tag: null
# branch: "main"
gitlab:
enabled: true
git:
tag: null
branch: "241-egress-sso-network-policy-needs-to-open-port-8443-not-443"
sso:
enabled: true
label: "Platform One SSO"
# client_id takien from baby-yoda dev realm: https://repo1.dso.mil/big-bang/product/packages/keycloak/-/blob/main/chart/resources/dev/baby-yoda.json?ref_type=heads#L830
client_id: dev_00eb8904-5b88-4c68-ad67-cec0d2e07aa6_gitlab
client_secret: ""
values:
gitlab:
webservice:
minReplicas: 1
maxReplicas: 1
helmTests:
enabled: false
gitlab-shell:
minReplicas: 1
maxReplicas: 1
sidekiq:
minReplicas: 1
maxReplicas: 1
networkPolicies:
enabled: true
ingress:
enabled: true
controlPlaneCidr: 172.20.0.0/12
egressPort: 8443
registry:
hpa:
minReplicas: 1
maxReplicas:
global:
appConfig:
object_store:
enabled: true
defaultCanCreateGroup: true
omniauth:
enabled: true
sso: # derived from docs/assets/configs/example/dev-sso-values.yaml
name: Keycloak Dev SSO
url: https://keycloak.dev.bigbang.mil/auth/realms/baby-yoda
saml:
metadata: <md:EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://keycloak.dev.bigbang.mil/auth/realms/baby-yoda"><md:IDPSSODescriptor WantAuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"><md:KeyDescriptor use="signing"><ds:KeyInfo><ds:KeyName>_07RPwhMexEqyDGLwd73WbtxO9l-Ghd5867uqIJMh5Y</ds:KeyName><ds:X509Data><ds:X509Certificate>MIICoTCCAYkCBgGPlzHrcDANBgkqhkiG9w0BAQsFADAUMRIwEAYDVQQDDAliYWJ5LXlvZGEwHhcNMjQwNTIwMTgwODAyWhcNMzQwNTIwMTgwOTQyWjAUMRIwEAYDVQQDDAliYWJ5LXlvZGEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCtw1oK/epahzEoVNLVz5+SLe7siUjr9RDb941Wj1mAh0hOWglT/01OSJUPIGbXaQJq6g73XFbkrqO9nblj5Zq3Z9JmGGUwvi2YgKy2Rq7ptna9b+zEie9KG5A384AVptNONKZg8AMVLR0jJZamIVXvzSLzYyoI0Ox85ga5vW078MFXQg3EV4Zk4Z8bbVp7slqWVSqnu4zPVyPgDKxlhAOtcETVA1LfO8Q60L3FbQnMwElzUx8ieh03zNwyVvu7+3d9KhksG28etnk6BA5SGIRLzHV7l3p3EiGnzAql5zqBxTMiYi4vGPDgTygzUbr+FbKhVbh8gZ0uBYgSiwoq/efpAgMBAAEwDQYJKoZIhvcNAQELBQADggEBADFfuY/yvojhqzOGN0EZs9x5ohYy7Kl1kfsFR+I9QNQpWu5BccNOblXIDBnFojIy/+xsqiKSq80NbgHb1el7QyksTt6+8HijtG4wvtfIvSf3Vnje9NJ2VtcalmdHrGtNIolDTHPnIt0PH6vGDpoGR555VvRp3/jvaiXLE5vKBo2Y4bOoeMuzAMWnsF7vraGmvRzNBLTrmnAiGJILetIh7lK7P+nuLRQlV1BL6WTRYibwqfbSnw4ti9IJxSZ4++Mjqv56F0GgCwr//CTvxxJDY+PJcCxlbZ7lTo3zTPNQuV/3jIH0UXDLRuSuCwv2k7x/rJgidjbZvxsWNPWjIxYCxME=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://keycloak.dev.bigbang.mil/auth/realms/baby-yoda/protocol/saml/resolve" index="0"></md:ArtifactResolutionService><md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://keycloak.dev.bigbang.mil/auth/realms/baby-yoda/protocol/saml"></md:SingleLogoutService><md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://keycloak.dev.bigbang.mil/auth/realms/baby-yoda/protocol/saml"></md:SingleLogoutService><md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://keycloak.dev.bigbang.mil/auth/realms/baby-yoda/protocol/saml"></md:SingleLogoutService><md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://keycloak.dev.bigbang.mil/auth/realms/baby-yoda/protocol/saml"></md:SingleLogoutService><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://keycloak.dev.bigbang.mil/auth/realms/baby-yoda/protocol/saml"></md:SingleSignOnService><md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://keycloak.dev.bigbang.mil/auth/realms/baby-yoda/protocol/saml"></md:SingleSignOnService><md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://keycloak.dev.bigbang.mil/auth/realms/baby-yoda/protocol/saml"></md:SingleSignOnService><md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://keycloak.dev.bigbang.mil/auth/realms/baby-yoda/protocol/saml"></md:SingleSignOnService></md:IDPSSODescriptor></md:EntityDescriptor>
certificateAuthority:
cert: |
-----BEGIN CERTIFICATE-----
MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4
WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu
ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY
MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc
h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+
0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U
A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW
T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH
B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC
B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv
KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn
OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn
jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw
qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI
rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV
HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq
hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL
ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ
3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK
NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5
ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur
TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC
jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc
oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq
4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA
mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d
emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
-----END CERTIFICATE-----
Edited by Daniel Stocum