From 943ad0d17cbd3db5c01ee57c80d2f74b87ea7dbb Mon Sep 17 00:00:00 2001
From: Josh Wolf
Date: Mon, 22 Feb 2021 09:16:32 -0700
Subject: [PATCH 1/3] add logging sso values for elasticsearch-kibana
---
 chart/templates/NOTES.txt | 10 +++++++++
 .../eck-operator-helmrelease.yaml | 4 ++++
 .../elasticsearch-kibana/ek-helmrelease.yaml | 9 ++++++++
 chart/values.yaml | 22 ++++++++++++++++---
 4 files changed, 42 insertions(+), 3 deletions(-)
diff --git a/chart/templates/NOTES.txt b/chart/templates/NOTES.txt
index 37b494ee..452c3fe0 100644
--- a/chart/templates/NOTES.txt
+++ b/chart/templates/NOTES.txt
@@ -115,3 +115,13 @@ PLATFORM ONE ANCHORE WARNING: Your SSO configuration will be ignored, the Anchore UI is only available for enterprise deployments. {{- end }} {{- end }} + +{{- if and $.Values.eckoperator.enabled $.Values.logging.enabled }} + {{- if $.Values.logging.sso.enabled }} + {{- if and (not $.Values.logging.license.trial) (not $.Values.logging.license.keyJSON) }} +PLATFORM ONE LOGGING WARNING: + You have enabled SSO but not provided an enterprise license configuration to use. SSO is not functional without a license. + Edit the values for the eck-operator to specify a license key JSON or use the trial license for development. + {{- end }} + {{- end }} +{{- end }}
diff --git a/chart/templates/logging/eck-operator/eck-operator-helmrelease.yaml b/chart/templates/logging/eck-operator/eck-operator-helmrelease.yaml
index 649b4824..b874b6cc 100644
--- a/chart/templates/logging/eck-operator/eck-operator-helmrelease.yaml
+++ b/chart/templates/logging/eck-operator/eck-operator-helmrelease.yaml
@@ -42,6 +42,10 @@ spec: valuesKey: "eckoperator.yaml" values: + license: + trial: {{ .Values.logging.license.trial }} + keyJSON: | + {{ .Values.logging.license.keyJSON | nindent 8 }} podAnnotations: sidecar.istio.io/inject: "true" traffic.sidecar.istio.io/includeInboundPorts: "*"
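Review bot: `keyJSON: |` followed by `{{ .Values.logging.license.keyJSON | nindent 8 }}` renders the whole license JSON into the HelmRelease `spec.values`, a non-Secret object that anyone able to read HelmReleases in the namespace (and Flux's reconciliation output) can see; the neighbouring context line `valuesKey: "eckoperator.yaml"` suggests a `valuesFrom` Secret source already exists for this release, which would be the better place for the key. `nindent 8` also emits a newline before the first content line, so the block scalar starts with a whitespace-only line and the value carries a leading newline — most JSON consumers tolerate that, but it is worth confirming by rendering with a non-empty key. `trial: {{ .Values.logging.license.trial }}` becomes a bare `trial:` (null) if the value is ever unset, so `trial: {{ .Values.logging.license.trial | default false }}` is the safer form. Indentation is lost in this copy of the patch, so the nesting under `values:` is inferred.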
diff --git a/chart/templates/logging/elasticsearch-kibana/ek-helmrelease.yaml b/chart/templates/logging/elasticsearch-kibana/ek-helmrelease.yaml
index e735bc26..3d926df6 100644
--- a/chart/templates/logging/elasticsearch-kibana/ek-helmrelease.yaml
+++ b/chart/templates/logging/elasticsearch-kibana/ek-helmrelease.yaml
@@ -45,6 +45,15 @@ spec: hostname: {{ .Values.hostname }} istio: enabled: {{ .Values.istio.enabled }} + {{- if .Values.logging.sso.enabled }} + sso: + enabled: {{ .Values.logging.sso.enabled }} + client_id: {{ .Values.logging.sso.client_id }} + client_secret: {{ .Values.logging.sso.client_secret }} + oidc: + host: {{ .Values.sso.oidc.host }} + realm: {{ .Values.sso.oidc.realm }} + {{- end }} kibana: version: 7.9.2 imagePullSecrets:
diff --git a/chart/values.yaml b/chart/values.yaml
index 40a7388e..885ca315 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -165,6 +165,24 @@ logging: path: "./chart" tag: "0.1.4-bb.3" + sso: + # -- Toggle OIDC SSO for Kibana/Elasticsearch on and off. + # Enabling this option will auto-create any required secrets. + enabled: false + + # -- Elasticsearch/Kibana OIDC client ID + client_id: "" + + # -- Elasticsearch/Kibana OIDC client secret + client_secret: "" + + license: + # -- Toggle trial license installation of elasticsearch. Note that enterprise (non trial) is required for SSO to work. + trial: false + + # -- Elasticsearch license in json format seen here: https://repo1.dso.mil/platform-one/big-bang/apps/core/elasticsearch-kibana#enterprise-license + keyJSON: "" + # -- Values to passthrough to the elasticsearch-kibana chart: https://repo1.dso.mil/platform-one/big-bang/apps/core/elasticsearch-kibana.git values: {}
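Review bot: `client_secret: {{ .Values.logging.sso.client_secret }}` places the OIDC client secret in plaintext in the HelmRelease `spec.values`, which is an ordinary object rather than a Secret, so it is readable by anyone with get/list on HelmReleases and can surface in Flux events and `helm get values` output; values.yaml in this same series says enabling SSO auto-creates the needed Secrets downstream, but that does not remove this copy, and delivering it through a `valuesFrom` Secret would avoid it. The four templated scalars are also unquoted: with the documented default `""`, `client_id`/`client_secret` render as bare `client_id:` / `client_secret:` (null, not an empty string), and a value starting with `*`, `&`, `{` or containing `: ` or ` #` would change the YAML parse, so `client_id: {{ .Values.logging.sso.client_id | quote }}` and `client_secret: {{ .Values.logging.sso.client_secret | quote }}` are safer. Indentation is not recoverable from this copy of the patch, so whether `sso:` sits beside `istio:` under `spec.values` is inferred.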
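Review bot: The comment on `trial` states that a non-trial enterprise license is required for SSO, but NOTES.txt in this same patch treats either `license.trial` or `license.keyJSON` as sufficient and explicitly recommends the trial license for development; one of the two is wrong, and the helm-docs comment is what operators will read. If the NOTES logic is the intended behaviour, aligning it as `# -- Toggle trial license installation of elasticsearch. A license (trial or enterprise key) is required for SSO to work.` removes the contradiction. The `client_secret` and `keyJSON` comments could also state that real values belong in a separate, encrypted values file rather than this committed `values.yaml`, since both are secrets that end up rendered into the release.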
@@ -174,9 +192,7 @@ eckoperator: git: repo: https://repo1.dso.mil/platform-one/big-bang/apps/core/eck-operator.git path: "./chart" - tag: "1.3.0-bb.3" - - # -- Values to passthrough to the eck-operator chart: https://repo1.dso.mil/platform-one/big-bang/apps/core/eck-operator.git + tag: "1.3.0-bb.4" values: {} fluentbit:
--
GitLab
From 8064be31a139cd91258911a9573ba4f0490a67b8 Mon Sep 17 00:00:00 2001
From: Nick Nellis
Date: Mon, 22 Feb 2021 23:29:12 +0000
Subject: [PATCH 2/3] fix(logging): re-enable istio in logging namespace by default, source istio.enabled from passthrough values instead of adding more to the bigbang spec
---
 .../logging/elasticsearch-kibana/namespace.yaml | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/chart/templates/logging/elasticsearch-kibana/namespace.yaml b/chart/templates/logging/elasticsearch-kibana/namespace.yaml
index c7528366..d7d8fd03 100644
--- a/chart/templates/logging/elasticsearch-kibana/namespace.yaml
+++ b/chart/templates/logging/elasticsearch-kibana/namespace.yaml
@@ -1,4 +1,13 @@ {{- if or .Values.logging.enabled .Values.clusterAuditor.enabled }} +{{- /* Default to istio being turned on, but disable if user sets istio to disable in the custom passthrough values. We have to do it this way because ownership of "istio.enabled" is owned by the chart but also BigBang. Sourcing values from the passthrough values also means we get to simplify the api space of BigBang just a little bit more. */ -}} +{{- $istio := .Values.logging.values.istio | default dict }} +{{- $istioInjection := "enabled" }} +{{- if and (hasKey $istio "enabled") (not $istio.enabled) }} +{{- $istioInjection = "disabled" }} +{{- end }} --- apiVersion: v1 kind: Namespace
@@ -8,6 +17,7 @@ metadata: app.kubernetes.io/name: logging app.kubernetes.io/component: "core" {{- include "commonLabels" . | nindent 4}} + istio-injection: {{ $istioInjection }} --- {{- if ( include "imagePullSecret" . ) }} apiVersion: v1
--
GitLab
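Review bot: Alongside the tag bump to `1.3.0-bb.4`, this hunk also deletes the `# -- Values to passthrough to the eck-operator chart: ...` comment and the blank line above `values: {}`, which looks incidental to the version change. helm-docs style `# --` comments feed the generated README, so `eckoperator.values` loses its description; restoring `# -- Values to passthrough to the eck-operator chart: https://repo1.dso.mil/platform-one/big-bang/apps/core/eck-operator.git` above `values: {}` keeps it consistent with the sibling comment on `logging.values` added earlier in this series.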
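Review bot: The injection label now follows `logging.values.istio.enabled` and defaults to `enabled`, while `ek-helmrelease.yaml` (a context line in patch 1 of this series) still passes `istio.enabled: {{ .Values.istio.enabled }}` from the top-level value, so a deployment with top-level `istio.enabled: false` and no passthrough override gets a namespace labelled `istio-injection: enabled` while the chart itself is told istio is off; that is inert where no injection webhook is installed, but it is a divergence worth either stating in the template comment or closing by also consulting `.Values.istio.enabled`. `{{- $istio := .Values.logging.values.istio | default dict }}` additionally assumes the passthrough value is a map — a scalar such as `istio: false` would make `hasKey` fail at render time — so a line in the comment block noting that only `logging.values.istio.enabled` is honoured would make the contract explicit. The label itself is written in the second hunk of this file.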
From 500b33d2f02d4e7d2cd8a64ac88712ff0f0ebc30 Mon Sep 17 00:00:00 2001
From: Micah Nagel
Date: Mon, 22 Feb 2021 16:38:16 +0000
Subject: [PATCH 3/3] fix: add missing enterprise Anchore images
---
 scripts/package/synker.yaml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/scripts/package/synker.yaml b/scripts/package/synker.yaml
index ec3522e4..1f9036ce 100644
--- a/scripts/package/synker.yaml
+++ b/scripts/package/synker.yaml
@@ -30,6 +30,8 @@ source: authFile: /root/.docker/config.json images: - registry.dso.mil/platform-one/big-bang/apps/security-tools/twistlock/defender:20.04.163 + - registry1.dso.mil/ironbank/anchore/enterprise/enterprise:2.4.1 + - registry1.dso.mil/ironbank/anchore/enterpriseui/enterpriseui:2.4.1 # Images used by pipeline-templates # NOTE: These are __not__ fully inclusive yet, see this issue for updates: https://repo1.dso.mil/platform-one/big-bang/bigbang/-/issues/145
@@ -43,4 +45,4 @@ source: - registry.il2.dso.mil/platform-one/devops/pipeline-templates/pipeline-job/dependency-check611-sonar-scanner45-dotnet-31:021921 # Don't include until fortify is supported -# - registry.il2.dso.mil/platform-one/devops/pipeline-templates/pipeline-job/dotnet-fortify:20.2.0 \ No newline at end of file +# - registry.il2.dso.mil/platform-one/devops/pipeline-templates/pipeline-job/dotnet-fortify:20.2.0
--
GitLab
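Review bot: The two new Anchore enterprise images are pinned by tag (`:2.4.1`) only, so what a sync produces depends on whatever the registry serves for that tag at sync time; for a package manifest that feeds an offline install, a digest reference of the form `image:2.4.1@sha256:<digest>` (placeholder) makes the synced artifact immutable and verifiable against the source. The rest of the list uses plain tags, so this is consistent with the existing style and is probably a file-wide follow-up rather than a change to this hunk alone.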