Merge branch 'main' into 'add-config-flexibility'

# Conflicts: # chart/templates/controlplane.yaml # chart/values.yaml

Merge branch 'main' into 'add-config-flexibility'
# Conflicts: # chart/templates/controlplane.yaml # chart/values.yaml
61ad66c2 · runyontr · 49970172 · 07e89405 · 61ad66c2 · 61ad66c2
Commit 61ad66c2 authored Jan 06, 2021 by runyontr
12 changed files
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
+# Changelog
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+## [1.7.3-bb.1]
+### Added
+- Top level "sso" values designation. This will enable an haproxy installation in the desired namespace (sso.namespace: istio-addons-sso) that in conjunction with authservice package will place an SSO gate in front of Kiali+Jaeger UIs.
+- New Jaeger+Kiali VirtualServices pointing to the haproxy installation will be installed when "sso.enabled: true"
+- sso.selector variable sets the label that will be applied to the authservice EnvoyFilter placing the SSO page in front of the regular UIs. Must match the selector for "authservice.selector.key/value".
+### Changed
+- Jaeger+Kiali VirtualServices pointing directly to the UIs will be skipped when "sso.enabled: true"
--- a/CODEOWNERS
+++ b/CODEOWNERS
-[Owners]
-* @big-bang @party-bus
-[Reviewers]
 * @andrew.babbitt @joshwolf @megamind
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
+# Contributing
+Thanks for contributing to this repository!
+This repository follows the following conventions:
+* [Semantic Versioning](https://semver.org/)
+* [Keep a Changelog](https://keepachangelog.com/)
+* [Conventional Commits](https://www.conventionalcommits.org/)
+Development requires the Kubernetes CLI tool as well as a local Kubernetes cluster. [k3d](https://k3d.io) is recommended as a lightweight local option for standing up Kubernetes clusters.
+To contribute a change:
+1. Create a branch on the cloned repository
+2. Make the changes in code.
+3. Write tests using [cypress](https://www.cypress.io) and [Conftest](https://conftest.dev)
+4. Make commits using the [Conventional Commits](https://www.conventionalcommits.org/) format. This helps with automation for changelog. Update `CHANGELOG.md` in the same commit using the [Keep a Changelog](https://keepachangelog.com). Depending on tooling maturity, this step may be automated.
+5. Open a merge request using one of the provided templates. If this merge request is solving a preexisting issue, add the issue reference into the description of the MR.
+6. During this time, ensure that all new commits are rebased into your branch so that it remains up to date with the `main` branch.
+7. Wait for a maintainer of the repository (see CODEOWNERS) to approve.
+8. If you have permissions to merge, you are responsible for merging. Otherwise, a CODEOWNER will merge the commit.
--- a/README.md
+++ b/README.md
@@ -2,6 +2,13 @@
 A simple chart wrapper around `IstioOperator` custom resource.
+# Table of Contents
+- [Prerequisites](#pre-requisites)
+- [Iron Bank](#iron-bank-istio-controlplane)
+- [Deployment](#deploy-istio-controlplane)
+- [Istio configuration](docs/README.md)
+- [Keycloak configuration](docs/KEYCLOAK.md)
 ## Pre-Requisites
 * Kubernetes Cluster deployed
@@ -23,4 +30,4 @@ You can `pull` the registry1 image(s) [here](https://registry1.dsop.io/harbor/pr
 git clone https://repo1.dsop.io/platform-one/big-bang/apps/core/istio-controlplane.git
 cd istio-controlplane
 helm install istio-controlplane chart
 ```
\ No newline at end of file
--- a/chart/Chart.yaml
+++ b/chart/Chart.yaml
 apiVersion: v2
 name: istio
-version: 1.7.3-bb.0
+version: 1.7.3-bb.2
\ No newline at end of file
--- a/chart/templates/controlplane.yaml
+++ b/chart/templates/controlplane.yaml
@@ -17,6 +17,27 @@ spec:
          {{- with .Values.ingressGateway.extraK8sConfig  }}
            {{- toYaml . | nindent 10 }}
          {{- end }}
+          {{- if .Values.ingressGateway.nodePorts.enabled }}
+          service:
+            type: NodePort
+            ports:
+            {{- range .Values.ingressGateway.nodePorts.ports }}
+            {{- if and (not .name) (ne .name "") }}
+              {{- fail "missing nodePort 'name' field" }}
+            {{- end }}
+            {{- if not .port }}
+              {{- fail "missing nodePort 'port' field" }}
+            {{- end }}
+            {{- if not .nodePort }}
+              {{- fail "missing nodePort 'nodePort' field" }}
+            {{- else if or (lt (int .nodePort) 30000) (gt (int .nodePort) 32767)}}
+              {{- fail "nodePort value outside of acceptable range (30000-32767)" }}
+            {{- end }}
+            - name: {{ .name }}
+              port: {{ .port }}
+              targetPort: {{ .targetPort | default .port }}
+              nodePort: {{ .nodePort }}
+            {{- end }}
          hpaSpec:
            minReplicas: {{ .Values.ingressGateway.minReplicas }}
            maxReplicas: {{ .Values.ingressGateway.maxReplicas }}
@@ -80,12 +101,17 @@ spec:
    {{- with .Values.extraValues }}
      {{- toYaml . | nindent 4 }}
    {{- end }}
+    # https://istio.io/v1.5/docs/reference/config/installation-options/#kiali-options
    kiali:
      image: {{ .Values.kiali.image.name }}
      hub: {{ .Values.kiali.image.hub }}
      tag: {{ .Values.kiali.image.tag }}
+      {{- if .Values.monitoring.enabled }}
+      prometheusAddr: http://monitoring-monitoring-kube-prometheus.monitoring.svc:9090
+      {{- end }}
      dashboard:
+        jaegerURL: https://tracing.{{ .Values.hostname}}
+        grafanaInClusterURL: http://monitoring-monitoring-grafana.monitoring.svc
        auth:
          strategy: {{ .Values.kiali.dashboard.auth.strategy }}

--- a/chart/templates/haproxy.yaml
+++ b/chart/templates/haproxy.yaml
+{{- if .Values.sso.enabled }}
+---
+# Source: haproxy/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: istio-addons-sso-haproxy
+  namespace: {{ .Values.sso.namespace }}
+  labels:
+    helm.sh/chart: haproxy-1.1.1
+    app.kubernetes.io/name: haproxy
+    app.kubernetes.io/instance: istio-addons-sso
+    app.kubernetes.io/version: "2.2.4"
+    app.kubernetes.io/managed-by: Helm
+---
+# Source: haproxy/templates/configmap.yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: istio-addons-sso-haproxy
+  namespace: {{ .Values.sso.namespace }}
+  labels:
+    helm.sh/chart: haproxy-1.1.1
+    app.kubernetes.io/name: haproxy
+    app.kubernetes.io/instance: istio-addons-sso
+    app.kubernetes.io/version: "2.2.4"
+    app.kubernetes.io/managed-by: Helm
+data:
+  haproxy.cfg: |
+    global
+      maxconn 1024
+      daemon
+      log stdout format raw local0 info
+    defaults
+      log global
+      mode http
+      option httplog
+      timeout client 60s
+      timeout connect 60s
+      timeout server 60s
+    frontend fe_main
+      bind :8080
+      acl host_kiali hdr(host) -i kiali.{{ .Values.hostname }}
+      acl host_tracing hdr(host) -i tracing.{{ .Values.hostname }}
+      option forwardfor
+      use_backend kiali_main if host_kiali
+      use_backend tracing_main if host_tracing
+    backend kiali_main
+      mode http
+      server kiali kiali.{{ .Release.Namespace }}.svc.cluster.local:20001
+    backend tracing_main
+      mode http
+      server tracing tracing.{{ .Release.Namespace }}.svc.cluster.local:80
+---
+# Source: haproxy/templates/service.yaml
+apiVersion: v1
+kind: Service
+metadata:
+  name: istio-addons-sso-haproxy
+  namespace: {{ .Values.sso.namespace }}
+  labels:
+    helm.sh/chart: haproxy-1.1.1
+    app.kubernetes.io/name: haproxy
+    app.kubernetes.io/instance: istio-addons-sso
+    app.kubernetes.io/version: "2.2.4"
+    app.kubernetes.io/managed-by: Helm
+  annotations:
+spec:
+  type: ClusterIP
+  selector:
+    app.kubernetes.io/name: haproxy
+    app.kubernetes.io/instance: istio-addons-sso
+  ports:
+  - name: http
+    protocol: TCP
+    port: 8080
+    targetPort: http
+  - name: https
+    protocol: TCP
+    port: 443
+    targetPort: https
+  - name: stat
+    protocol: TCP
+    port: 1024
+    targetPort: stat
+---
+# Source: haproxy/templates/deployment.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: istio-addons-sso-haproxy
+  namespace: {{ .Values.sso.namespace }}
+  labels:
+    helm.sh/chart: haproxy-1.1.1
+    app.kubernetes.io/name: haproxy
+    app.kubernetes.io/instance: istio-addons-sso
+    app.kubernetes.io/version: "2.2.4"
+    app.kubernetes.io/managed-by: Helm
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: haproxy
+      app.kubernetes.io/instance: istio-addons-sso
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: haproxy
+        app.kubernetes.io/instance: istio-addons-sso
+        {{ .Values.sso.selector.key | default "protect" }}: {{ .Values.sso.selector.value | default "keycloak" | quote }}
+      annotations:
+        checksum/environment: 4666beb3a5f7412acda03d86ace72f80948e14d64c320358cd93965b3e751382
+        sidecar.istio.io/inject: "true"
+    spec:
+      serviceAccountName: istio-addons-sso-haproxy
+      terminationGracePeriodSeconds: 60
+      securityContext:
+        {}
+      dnsPolicy: ClusterFirst
+      imagePullSecrets:
+      - name: private-registry
+      volumes:
+        - name: haproxy-config
+          configMap:
+            name: istio-addons-sso-haproxy
+      containers:
+        - name: haproxy
+          image: "registry1.dsop.io/ironbank/opensource/haproxy/haproxy22:v2.2.2"
+          imagePullPolicy: IfNotPresent
+          args:
+            - -f
+            - /usr/local/etc/haproxy/haproxy.cfg
+          ports:
+            - name: http
+              containerPort: 8080
+              protocol: TCP
+            - name: https
+              containerPort: 443
+              protocol: TCP
+            - name: stat
+              containerPort: 1024
+              protocol: TCP
+          resources:
+            null
+          volumeMounts:
+            - name: haproxy-config
+              mountPath: /usr/local/etc/haproxy
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+  name: kiali-auth
+  namespace: {{ .Values.sso.namespace }}
+spec:
+  hosts:
+    - "kiali.{{ .Values.hostname }}"
+  gateways:
+  - main.{{ .Release.Namespace }}.svc.cluster.local
+  http:
+    - route:
+        - destination:
+            host: istio-addons-sso-haproxy
+            port:
+              number: 8080
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+  name: tracing-auth
+  namespace: {{ .Values.sso.namespace }}
+spec:
+  hosts:
+    - "tracing.{{ .Values.hostname }}"
+  gateways:
+  - main.{{ .Release.Namespace }}.svc.cluster.local
+  http:
+    - route:
+        - destination:
+            host: istio-addons-sso-haproxy
+            port:
+              number: 8080
+{{- end }}
--- a/chart/templates/jaeger-vs.yaml
+++ b/chart/templates/jaeger-vs.yaml
+{{- if not .Values.sso.enabled }}
 apiVersion: networking.istio.io/v1alpha3
 kind: VirtualService
 metadata:
@@ -12,5 +13,6 @@ spec:
  - route:
    - destination:
        port:
-          number: 16686
+          number: 80
-        host: jaeger-query.{{ .Release.Namespace }}.svc.cluster.local
+        host: tracing.{{ .Release.Namespace }}.svc.cluster.local
+{{- end }}
--- a/chart/templates/kiali-vs.yaml
+++ b/chart/templates/kiali-vs.yaml
+{{- if not .Values.sso.enabled }}
 apiVersion: networking.istio.io/v1alpha3
 kind: VirtualService
 metadata:
@@ -14,3 +15,4 @@ spec:
        port:
          number: 20001
        host: kiali.{{ .Release.Namespace }}.svc.cluster.local
+{{- end }}
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -10,6 +10,9 @@ tag: 1.7.3
 # The hostname to use for the default gateway
 hostname: bigbang.dev
+monitoring:
+  enabled: true
 imagePullSecrets:
  []
 #  - private-registry
@@ -35,6 +38,7 @@ extraServers:
 ingressGateway:
  minReplicas: 1
  maxReplicas: 5
  serviceAnnotations:
    {}
 #    service.beta.kubernetes.io/aws-load-balancer-internal: "true"
@@ -49,6 +53,24 @@ extraValues: {}
 # Escape for any additional configurations to be put in the 'values' section that
 # is not under the key 'global'. Use extraGlobalValues instead.
+# Set enabled to 'true', uncomment ports, and update if not using the cloud provider to generate your ELB/NLB.
+# Ensure the nodeports specified match your ELB/NLB in AWS.
+  nodePorts:
+    enabled: false
+  #  ports:
+  #  - name: http2
+  #    port: 80
+  #    targetPort: 8080
+  #    nodePort: 30080
+  #  - name: https
+  #    port: 443
+  #    targetPort: 8443
+  #    nodePort: 30443
+  #  - name: status
+  #    port: 15021
+  #    targetPort: 15021
+  #    nodePort: 31020
 extraIngressGateways:
  []
 # Complete example of an additional ingressgateway defined below
@@ -80,3 +102,11 @@ tracing:
    name: all-in-one
    hub: registry1.dsop.io/ironbank/opensource/jaegertracing
    tag: 1.19.2
+sso:
+  enabled: false
+  namespace: istio-addons-sso
+  selector:
+    key: protect
+    value: keycloak
--- a/docs/KEYCLOAK.md
+++ b/docs/KEYCLOAK.md
+# Istio Addon Specific Keycloak Configuration
+# Table of Contents
+- Keycloak configuration
+- Istio configuration
+## Keycloak Configuration
+#### Kiali
+1. Create a kiali client
+   - Change the following configuration items
+      - access type: confidential _this will enable a "Credentials" tab within the client configuration page_
+      - Direct Access Grants Enabled: Off
+      - Valid Redirect URIs: https://kiali.${DOMAIN}/login
+      - Base URL: https://kiali.${DOMAIN}
+    - Take note of the client secret in the credential tab
+#### Jaeger
+1. Create a jaeger client
+   - Change the following configuration items
+      - access type: confidential _this will enable a "Credentials" tab within the client configuration page_
+      - Direct Access Grants Enabled: Off
+      - Valid Redirect URIs: https://tracing.${DOMAIN}/login
+      - Base URL: https://tracing.${DOMAIN}
+    - Take note of the client secret in the credential tab
+## Kiali and Jaeger Configuration
+Configuration of Keycloak/OIDC auth in front of Prometheus+Alertmanager requires the following:
+1. [Authservice](https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/authservice) Installed in your cluster and individual chains for Prometheus+Alertmanager configured:
+```
+authservice:
+  enabled: true
+  values:
+    chains:
+      kiali:
+        match:
+          header: ":authority"
+          prefix: "kiali.DOMAIN"
+        client_id: kiali (configured above)
+        client_secret: secret-text
+        callback_uri: https://kiali.DOMAIN/login
+        cookie_name_prefix: hello_world
+        logout_path: /logout
+      jaeger:
+        match:
+          header: ":authority"
+          prefix: "tracing.DOMAIN"
+        client_id: jaeger (configured above)
+        client_secret: secret-text
+        callback_uri: https://jaeger.DOMAIN/login
+        cookie_name_prefix: hello_world
+        logout_path: /logout
+```
+* When used in conjunction with Bigbang Umbrella, see the `istio.sso` section of values.yaml to configure sso in Umbrella.  The umbrella configures Authservice with these values.
+* Jaeger/tracing chain looks identical just with jaeger specific client_id, client_secret, prefix, and callback_uri.
+2. Utilize the sso options for this monitoring package:
+```
+sso:
+  enabled: false
+  namespace: istio-addons-sso
+  selector:
+    key: protect
+    value: keycloak
+```
+* Setting sso.enabled to true installs an HAProxy container in the defined namespace which works in conjunction with Authservice to place an OIDC redirect in front of Kiali+Jaeger.
+* When sso.enabled is set to true, the Kiali+Jaeger VirtualServices are replaced with ones that route to the HAProxy Deployment rather than directly to the services themselves.
+* The selector value MUST correspond to the same "selector" value set for Authservice. Default for all is the label: "protect: keycloak"
--- a/docs/README.md
+++ b/docs/README.md