From f6b0b59060a14febd11b0cdc7480f853a57f8520 Mon Sep 17 00:00:00 2001 From: Micah Nagel Date: Wed, 11 Dec 2024 20:46:04 -0700 Subject: [PATCH 1/3] wip: allow admin domain to be configurable --- src/grafana/chart/templates/uds-package.yaml | 4 ++++ src/grafana/chart/values.yaml | 1 + src/grafana/common/zarf.yaml | 2 ++ src/grafana/values/values.yaml | 6 +++++- src/grafana/zarf.yaml | 3 +++ src/istio/chart/templates/gateway.yaml | 2 +- src/istio/values/config-admin.yaml | 2 +- src/istio/zarf.yaml | 3 +++ src/neuvector/chart/templates/uds-package.yaml | 4 ++++ src/neuvector/chart/values.yaml | 1 + src/neuvector/common/zarf.yaml | 2 ++ src/neuvector/zarf.yaml | 3 +++ src/pepr/config.ts | 7 ++++++- src/pepr/operator/controllers/istio/service-entry.ts | 4 ++-- .../operator/controllers/istio/virtual-service.spec.ts | 2 +- src/pepr/operator/controllers/istio/virtual-service.ts | 4 ++-- src/pepr/uds-operator-config/values.yaml | 2 ++ src/pepr/zarf.yaml | 5 ++++- 18 files changed, 47 insertions(+), 10 deletions(-) diff --git a/src/grafana/chart/templates/uds-package.yaml b/src/grafana/chart/templates/uds-package.yaml index 8a60f02ab..65ece92e3 100644 --- a/src/grafana/chart/templates/uds-package.yaml +++ b/src/grafana/chart/templates/uds-package.yaml @@ -11,7 +11,11 @@ spec: - name: Grafana Dashboard clientId: uds-core-admin-grafana redirectUris: + {{- if .Values.adminDomain }} + - "https://grafana.{{ .Values.adminDomain }}/login/generic_oauth" + {{- else }} - "https://grafana.admin.{{ .Values.domain }}/login/generic_oauth" + {{- end }} monitor: - selector: diff --git a/src/grafana/chart/values.yaml b/src/grafana/chart/values.yaml index 52cacf05d..53afe8564 100644 --- a/src/grafana/chart/values.yaml +++ b/src/grafana/chart/values.yaml 
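Review bot: The `{{- if .Values.adminDomain }}` branch added to `redirectUris` assumes Zarf renders an unset `ADMIN_DOMAIN` (declared with no default) as an empty string; if the `###ZARF_VAR_ADMIN_DOMAIN###` sentinel were ever left in place, which the `config.ts` hunk in this series guards against for the env var, the condition is truthy and the registered OAuth redirect URI would contain the literal sentinel. The two branches also repeat the `grafana.` prefix and the `/login/generic_oauth` path, so a single line keeps them from drifting: `- "https://grafana.{{ .Values.adminDomain | default (printf "admin.%s" .Values.domain) }}/login/generic_oauth"`. The same pattern is added to `redirectUris` in src/neuvector/chart/templates/uds-package.yaml. Either way a `helm template` check with and without `ADMIN_DOMAIN` set is worth running before merge, since this is the redirect URI the SSO client is registered with.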
@@ -2,6 +2,7 @@ # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial domain: "###ZARF_VAR_DOMAIN###" +adminDomain: "###ZARF_VAR_ADMIN_DOMAIN###" # Stores Grafana's metadata, including dashboards, data sources, organizations, alerts, and other configurations. Required for HA mode. postgresql: diff --git a/src/grafana/common/zarf.yaml b/src/grafana/common/zarf.yaml index 5ace535b5..08d9c159a 100644 --- a/src/grafana/common/zarf.yaml +++ b/src/grafana/common/zarf.yaml @@ -15,6 +15,8 @@ components: namespace: grafana version: 0.1.0 localPath: ../chart + valuesFiles: + - ../chart/values.yaml - name: grafana url: https://grafana.github.io/helm-charts/ version: 8.6.1 diff --git a/src/grafana/values/values.yaml b/src/grafana/values/values.yaml index 51f7d5765..2ec64914a 100644 --- a/src/grafana/values/values.yaml +++ b/src/grafana/values/values.yaml @@ -17,9 +17,13 @@ extraSecretMounts: mountPath: /etc/secrets/auth_generic_oauth readOnly: true +# These values are used to template the grafana.ini server value below +domain: "###ZARF_VAR_DOMAIN###" +adminDomain: "###ZARF_VAR_ADMIN_DOMAIN###" + grafana.ini: server: - root_url: https://grafana.admin.###ZARF_VAR_DOMAIN### + root_url: https://grafana.{{ $.Values.adminDomain | default (printf "admin.%s" $.Values.domain) }} # Disable telemetry that doesn't function in the airgap analytics: reporting_enabled: false diff --git a/src/grafana/zarf.yaml b/src/grafana/zarf.yaml index 49a174eb7..9e6d044bc 100644 --- a/src/grafana/zarf.yaml +++ b/src/grafana/zarf.yaml @@ -12,6 +12,9 @@ variables: description: "Cluster domain" default: "uds.dev" + - name: ADMIN_DOMAIN + description: "Domain for admin services, defaults to `admin.DOMAIN`" + components: - name: grafana required: true diff --git a/src/istio/chart/templates/gateway.yaml b/src/istio/chart/templates/gateway.yaml index 3bcfdb040..5b6062319 100644 --- a/src/istio/chart/templates/gateway.yaml +++ b/src/istio/chart/templates/gateway.yaml 
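Review bot: `ADMIN_DOMAIN` is declared with neither a `default` nor a `pattern`, yet its value flows into Istio gateway hosts, Keycloak configuration and OIDC redirect URIs elsewhere in this series, so a stray scheme, path or trailing dot entered in `uds-config.yaml` would propagate to all of them unchecked. Zarf package variables accept a `pattern` regex, so a hostname-shaped constraint that also allows the empty/unset case, e.g. `pattern: '^$|^([a-z0-9-]+\.)*[a-z0-9-]+$'` (constructed example; adjust to project conventions), would reject malformed input at deploy time. The description says the variable "defaults to `admin.DOMAIN`", but that fallback is implemented separately by each consumer (the chart templates and `config.ts`), not by Zarf; `description: "Domain for admin services; when unset, each consumer falls back to admin.DOMAIN"` says what actually happens. The identical declaration is added in src/istio/zarf.yaml, src/neuvector/zarf.yaml and src/pepr/zarf.yaml in this patch and in src/keycloak/zarf.yaml in the second.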
@@ -1,7 +1,7 @@ # Copyright 2024 Defense Unicorns # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial -{{- $domain := .Values.domain }} +{{- $domain := tpl .Values.domain . }} {{- if .Values.tls }} apiVersion: networking.istio.io/v1beta1 kind: Gateway diff --git a/src/istio/values/config-admin.yaml b/src/istio/values/config-admin.yaml index e5c265887..c27b5085c 100644 --- a/src/istio/values/config-admin.yaml +++ b/src/istio/values/config-admin.yaml @@ -2,7 +2,7 @@ # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial name: admin -domain: "admin.###ZARF_VAR_DOMAIN###" +domain: '{{ "###ZARF_VAR_ADMIN_DOMAIN###" | default "admin.###ZARF_VAR_DOMAIN###" }}' tls: servers: keycloak: diff --git a/src/istio/zarf.yaml b/src/istio/zarf.yaml index 03b88b419..b12f42087 100644 --- a/src/istio/zarf.yaml +++ b/src/istio/zarf.yaml @@ -12,6 +12,9 @@ variables: description: "Cluster domain" default: "uds.dev" + - name: ADMIN_DOMAIN + description: "Domain for admin services, defaults to `admin.DOMAIN`" + components: - name: istio-controlplane required: true diff --git a/src/neuvector/chart/templates/uds-package.yaml b/src/neuvector/chart/templates/uds-package.yaml index dc65bfe84..62dc67156 100644 --- a/src/neuvector/chart/templates/uds-package.yaml +++ b/src/neuvector/chart/templates/uds-package.yaml @@ -22,7 +22,11 @@ spec: - name: Neuvector clientId: uds-core-admin-neuvector redirectUris: + {{- if .Values.adminDomain }} + - "https://neuvector.{{ .Values.adminDomain }}/openId_auth" + {{- else }} - "https://neuvector.admin.{{ .Values.domain }}/openId_auth" + {{- end }} secretName: neuvector-secret secretTemplate: userinitcfg.yaml: |- diff --git a/src/neuvector/chart/values.yaml b/src/neuvector/chart/values.yaml index 2980de043..87b67a6c6 100644 --- a/src/neuvector/chart/values.yaml +++ b/src/neuvector/chart/values.yaml 
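Review bot: `tpl .Values.domain .` is only applied in this template, while the config-admin.yaml change in this series turns the admin `domain` value into a Go-template string, so any other template in src/istio/chart that still reads `.Values.domain` directly would now receive the literal `{{ "###ZARF_VAR_ADMIN_DOMAIN###" | default ... }}` text instead of a hostname; a grep of the chart for `.Values.domain` before merging would confirm this is the only reader. A one-line comment above the assignment, `# domain may itself be a template (see values/config-admin.yaml), so render it before use`, would record why tpl is needed here. The remainder of gateway.yaml is outside the hunk.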
@@ -2,6 +2,7 @@ # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial domain: "###ZARF_VAR_DOMAIN###" +adminDomain: "###ZARF_VAR_ADMIN_DOMAIN###" grafana: enabled: false diff --git a/src/neuvector/common/zarf.yaml b/src/neuvector/common/zarf.yaml index f95a54f1b..bae734063 100644 --- a/src/neuvector/common/zarf.yaml +++ b/src/neuvector/common/zarf.yaml @@ -21,6 +21,8 @@ components: namespace: neuvector version: 0.1.0 localPath: ../chart + valuesFiles: + - ../chart/values.yaml - name: core url: https://neuvector.github.io/neuvector-helm/ version: 2.8.3 diff --git a/src/neuvector/zarf.yaml b/src/neuvector/zarf.yaml index c2bcbc047..13e475650 100644 --- a/src/neuvector/zarf.yaml +++ b/src/neuvector/zarf.yaml @@ -12,6 +12,9 @@ variables: description: "Cluster domain" default: "uds.dev" + - name: ADMIN_DOMAIN + description: "Domain for admin services, defaults to `admin.DOMAIN`" + components: - name: neuvector description: "Deploy Neuvector" diff --git a/src/pepr/config.ts b/src/pepr/config.ts index e227df63f..a51288f18 100644 --- a/src/pepr/config.ts +++ b/src/pepr/config.ts @@ -6,6 +6,7 @@ import { Component, setupLogger } from "./logger"; let domain = process.env.UDS_DOMAIN; +let adminDomain = process.env.UDS_ADMIN_DOMAIN; let caCert = process.env.UDS_CA_CERT; let authserviceRedisUri = process.env.AUTHSERVICE_REDIS_URI; @@ -13,6 +14,9 @@ let authserviceRedisUri = process.env.AUTHSERVICE_REDIS_URI; if (!domain || domain === "###ZARF_VAR_DOMAIN###") { domain = "uds.dev"; } +if (!adminDomain || adminDomain === "###ZARF_VAR_ADMIN_DOMAIN###") { + adminDomain = `admin.${domain}`; +} if (!caCert || caCert === "###ZARF_VAR_CA_CERT###") { caCert = ""; } 
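Review bot: The fallback to `admin.${domain}` runs after `domain` has been normalized, which is the right order, and `!adminDomain` also covers an empty string should Zarf substitute one for the unset variable; a comment stating both cases would help the next reader, e.g. `// Default to admin.<domain> when UDS_ADMIN_DOMAIN is unset, empty, or left untemplated (not deployed by Zarf)`. Note that an explicitly set value is used verbatim, with no trimming or hostname check, before it is interpolated into VirtualService and ServiceEntry hosts elsewhere in this patch, so even if the Zarf variable gains a `pattern`, this module would still need its own guard for non-Zarf deployments, or that should be recorded as a documented assumption.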
@@ -21,8 +25,9 @@ if (!authserviceRedisUri || authserviceRedisUri === "###ZARF_VAR_AUTHSERVICE_RED } export const UDSConfig = { - // Ignore the UDS_DOMAIN if not deployed by Zarf + // Set the base domain (tenant) and admin domain domain, + adminDomain, // Base64 Encoded Trusted CA cert for Istio certificates (i.e. for `sso.domain`) caCert, // Allow UDS policy exemptions to be used in any namespace diff --git a/src/pepr/operator/controllers/istio/service-entry.ts b/src/pepr/operator/controllers/istio/service-entry.ts index 0e049913e..8c432f97a 100644 --- a/src/pepr/operator/controllers/istio/service-entry.ts +++ b/src/pepr/operator/controllers/istio/service-entry.ts @@ -33,8 +33,8 @@ export function generateServiceEntry( const name = generateSEName(pkgName, expose); - // For the admin gateway, we need to add the path prefix - const domain = (gateway === Gateway.Admin ? "admin." : "") + UDSConfig.domain; + // Get the correct domain based on gateway + const domain = gateway === Gateway.Admin ? UDSConfig.adminDomain : UDSConfig.domain; // Append the domain to the host const fqdn = `${host}.${domain}`; diff --git a/src/pepr/operator/controllers/istio/virtual-service.spec.ts b/src/pepr/operator/controllers/istio/virtual-service.spec.ts index 9d92a5f6f..a6f7e79ae 100644 --- a/src/pepr/operator/controllers/istio/virtual-service.spec.ts +++ b/src/pepr/operator/controllers/istio/virtual-service.spec.ts @@ -70,7 +70,7 @@ describe("test generate virtual service", () => { expect(payload).toBeDefined(); expect(payload.spec?.hosts).toBeDefined(); - expect(payload.spec!.hosts![0]).toEqual(`${host}.admin.${UDSConfig.domain}`); + expect(payload.spec!.hosts![0]).toEqual(`${host}.${UDSConfig.adminDomain}`); }); it("should create an advancedHttp VirtualService object", () => { diff --git a/src/pepr/operator/controllers/istio/virtual-service.ts b/src/pepr/operator/controllers/istio/virtual-service.ts index c5ecc28d1..4287d4add 100644 
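Review bot: The admin/tenant domain selection `gateway === Gateway.Admin ? UDSConfig.adminDomain : UDSConfig.domain` is now written out both here and in the matching hunk of src/pepr/operator/controllers/istio/virtual-service.ts, so the next gateway-specific rule has to be kept in sync by hand; a small shared helper such as `export function getDomainForGateway(gateway: Gateway): string` next to `UDSConfig` (or in an istio utils module), called from both places, removes that risk. The new comment `// Get the correct domain based on gateway` restates the code; `// Admin-gateway hosts live under the (configurable) admin domain, all other gateways under the tenant domain` would say why. generateServiceEntry begins and ends outside the hunk.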
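Review bot: Updating the expectation to `${host}.${UDSConfig.adminDomain}` keeps the test green but, because `adminDomain` defaults to `admin.${domain}` in config.ts, it no longer distinguishes the new lookup from the old string concatenation. A second case that sets `UDSConfig.adminDomain` to a value unrelated to `UDSConfig.domain` (for example a constructed `admin.example.test`) and asserts the VirtualService host uses it would pin the behaviour this series introduces; the same applies to any ServiceEntry spec covering the service-entry.ts change. The describe block starts and ends outside the hunk.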
--- a/src/pepr/operator/controllers/istio/virtual-service.ts +++ b/src/pepr/operator/controllers/istio/virtual-service.ts @@ -25,8 +25,8 @@ export function generateVirtualService( const name = generateVSName(pkgName, expose); - // For the admin gateway, we need to add the path prefix - const domain = (gateway === Gateway.Admin ? "admin." : "") + UDSConfig.domain; + // Get the correct domain based on gateway + const domain = gateway === Gateway.Admin ? UDSConfig.adminDomain : UDSConfig.domain; // Append the domain to the host const fqdn = `${host}.${domain}`; diff --git a/src/pepr/uds-operator-config/values.yaml b/src/pepr/uds-operator-config/values.yaml index dfd236a58..680a2f07a 100644 --- a/src/pepr/uds-operator-config/values.yaml +++ b/src/pepr/uds-operator-config/values.yaml @@ -2,7 +2,9 @@ # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial operator: + # Domain configuration (admin defaults to `admin.UDS_DOMAIN`) UDS_DOMAIN: "###ZARF_VAR_DOMAIN###" + UDS_ADMIN_DOMAIN: "###ZARF_VAR_ADMIN_DOMAIN###" UDS_CA_CERT: "###ZARF_VAR_CA_CERT###" UDS_ALLOW_ALL_NS_EXEMPTIONS: "###ZARF_VAR_ALLOW_ALL_NS_EXEMPTIONS###" UDS_LOG_LEVEL: "###ZARF_VAR_UDS_LOG_LEVEL###" diff --git a/src/pepr/zarf.yaml b/src/pepr/zarf.yaml index 267a24f96..1c426c6d4 100644 --- a/src/pepr/zarf.yaml +++ b/src/pepr/zarf.yaml @@ -4,7 +4,7 @@ kind: ZarfPackageConfig metadata: name: pepr-uds-core - description: 'Pepr Module: A collection of capabilities for UDS Core' + description: "Pepr Module: A collection of capabilities for UDS Core" url: https://github.com/defenseunicorns/pepr variables: @@ -12,6 +12,9 @@ variables: description: "Cluster domain" default: "uds.dev" + - name: ADMIN_DOMAIN + description: "Domain for admin services, defaults to `admin.DOMAIN`" + - name: CA_CERT description: "Base64 encoded CA cert that signed the domain wildcard certs used for Istio ingress" default: "" From d445aaa691020a353886095ddca8b4387b974c96 Mon Sep 17 00:00:00 2001 
From: Micah Nagel Date: Thu, 12 Dec 2024 10:48:20 -0700 Subject: [PATCH 2/3] wip: fix logic around templating --- docs/reference/configuration/ingress.md | 5 +++-- src/grafana/values/values.yaml | 6 +----- src/istio/values/config-admin.yaml | 1 + src/keycloak/chart/templates/statefulset.yaml | 2 ++ src/keycloak/chart/values.schema.json | 3 +++ src/keycloak/chart/values.yaml | 2 ++ src/keycloak/common/zarf.yaml | 2 ++ src/keycloak/zarf.yaml | 3 +++ 8 files changed, 17 insertions(+), 7 deletions(-) diff --git a/docs/reference/configuration/ingress.md b/docs/reference/configuration/ingress.md index 416469356..b1ab00cfd 100644 --- a/docs/reference/configuration/ingress.md +++ b/docs/reference/configuration/ingress.md @@ -36,7 +36,7 @@ packages: ### Configure Domain Name and TLS for Istio Gateways -By default, the UDS Core Istio Gateways are set up to use the `uds.dev` domain and have a valid TLS certificate packaged. You will want to change the domain name for your environment and provide a valid TLS certificate for this domain. +By default, the UDS Core Istio Gateways are set up to use the `uds.dev` (tenant/passthrough) and `admin.uds.dev` (admin) domains with valid TLS certificates. You will need to change the domain name for your environment and provide a valid TLS certificate for your domain(s). You can set the TLS certs via overrides in a [UDS Bundle](https://uds.defenseunicorns.com/structure/bundles/) (see below). UDS Core Istio Gateways default to only supporting TLS v1.3, but this can also be overridden per gateway if clients use TLS 1.2 (as seen in the tenant gateway example `value` below). 
@@ -81,11 +81,12 @@ You can then either use environment variables (`UDS_ADMIN_TLS_CERT`, `UDS_ADMIN_ The `TLS_CERT` configuration values must include your specific domain certificate (e.g., `*.uds.dev`) **and** the full certificate chain leading up to a trusted root Certificate Authority (CA), concatenated together. Failing to include the full chain can result in unexpected behavior with certain applications, as some container images may not inherently trust intermediate certificates. ::: -Domain should be set via your [uds-config](https://uds.defenseunicorns.com/reference/cli/quickstart-and-usage/#variables-and-configuration) file using the shared key to override the Zarf Domain Variable (see example `uds-config.yaml` below). +Domain should be set via your [uds-config](https://uds.defenseunicorns.com/reference/cli/quickstart-and-usage/#variables-and-configuration) file using the shared key to override the Zarf Domain Variable (see example `uds-config.yaml` below). By default the `admin_domain` will be set to `admin.` but can be overridden to host admin services on a different domain. ```yaml shared: domain: yourawesomedomain.com # shared across all packages in a bundle + admin_domain: youradmindomain.com # optional, defaults to admin.yourawesomedomain.com # TLS Certs/Keys if not provided via environment variables variables: diff --git a/src/grafana/values/values.yaml b/src/grafana/values/values.yaml index 2ec64914a..bb60966ae 100644 --- a/src/grafana/values/values.yaml +++ b/src/grafana/values/values.yaml 
@@ -17,13 +17,9 @@ extraSecretMounts: mountPath: /etc/secrets/auth_generic_oauth readOnly: true -# These values are used to template the grafana.ini server value below -domain: "###ZARF_VAR_DOMAIN###" -adminDomain: "###ZARF_VAR_ADMIN_DOMAIN###" - grafana.ini: server: - root_url: https://grafana.{{ $.Values.adminDomain | default (printf "admin.%s" $.Values.domain) }} + root_url: https://grafana.{{ "###ZARF_VAR_ADMIN_DOMAIN###" | default "admin.###ZARF_VAR_DOMAIN###" }} # Disable telemetry that doesn't function in the airgap analytics: reporting_enabled: false diff --git a/src/istio/values/config-admin.yaml b/src/istio/values/config-admin.yaml index c27b5085c..cde6e30aa 100644 --- a/src/istio/values/config-admin.yaml +++ b/src/istio/values/config-admin.yaml @@ -2,6 +2,7 @@ # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial name: admin +# Accommodate a specific admin domain or the default of `admin.DOMAIN` domain: '{{ "###ZARF_VAR_ADMIN_DOMAIN###" | default "admin.###ZARF_VAR_DOMAIN###" }}' tls: servers: diff --git a/src/keycloak/chart/templates/statefulset.yaml b/src/keycloak/chart/templates/statefulset.yaml index 6f3a9e570..ce351fa93 100644 --- a/src/keycloak/chart/templates/statefulset.yaml +++ b/src/keycloak/chart/templates/statefulset.yaml @@ -88,6 +88,8 @@ spec: # Common configuration - name: UDS_DOMAIN value: "{{ .Values.domain }}" + - name: UDS_ADMIN_DOMAIN + value: "{{ tpl .Values.adminDomain . }}" # Enable health and metrics endpoints - name: KC_HEALTH_ENABLED diff --git a/src/keycloak/chart/values.schema.json b/src/keycloak/chart/values.schema.json index f05bdc3a8..25a63d2f5 100644 --- a/src/keycloak/chart/values.schema.json +++ b/src/keycloak/chart/values.schema.json @@ -130,6 +130,9 @@ "domain": { "type": "string" }, + "adminDomain": { + "type": "string" + }, "enableServiceLinks": { "type": "boolean" }, diff --git a/src/keycloak/chart/values.yaml b/src/keycloak/chart/values.yaml index 7f61f9012..49518c4bd 100644 
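Review bot: `root_url` now embeds a Go-template expression inside the values file, which only works if the upstream Grafana chart passes each `grafana.ini` value through `tpl`; if it does not, Grafana receives the literal `{{ ... }}` text as its public URL and every generic_oauth redirect breaks, so a rendered-manifest check for this key is the minimum before merge. A comment above the key would save the next reader the same investigation, e.g. `# Rendered via tpl by the upstream chart; prefers ADMIN_DOMAIN and falls back to admin.DOMAIN`. This value also has to agree with the redirect URI registered in src/grafana/chart/templates/uds-package.yaml, which computes the same host with a different expression (`.Values.adminDomain` versus the raw Zarf sentinel here), since the SSO redirect URI is presumably matched exactly.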
--- a/src/keycloak/chart/values.yaml +++ b/src/keycloak/chart/values.yaml @@ -14,6 +14,8 @@ configImage: ghcr.io/defenseunicorns/uds/identity-config:0.8.0 # The public domain name of the Keycloak server domain: "###ZARF_VAR_DOMAIN###" +# The admin domain for hosts to trust clients on +adminDomain: '{{ "###ZARF_VAR_ADMIN_DOMAIN###" | default "admin.###ZARF_VAR_DOMAIN###" }}' # Additional Istio Gateways that expose Keycloak, to allow for client cert usage # A prefix of `istio-` is required for namespaces to prevent accidental misconfiguration diff --git a/src/keycloak/common/zarf.yaml b/src/keycloak/common/zarf.yaml index f8ff6726d..7df06d73f 100644 --- a/src/keycloak/common/zarf.yaml +++ b/src/keycloak/common/zarf.yaml @@ -15,6 +15,8 @@ components: # renovate: datasource=docker depName=quay.io/keycloak/keycloak versioning=semver version: 26.0.7 localPath: ../chart + valuesFiles: + - ../chart/values.yaml actions: onDeploy: before: diff --git a/src/keycloak/zarf.yaml b/src/keycloak/zarf.yaml index 710f56ea0..3116d5a0c 100644 --- a/src/keycloak/zarf.yaml +++ b/src/keycloak/zarf.yaml @@ -11,6 +11,9 @@ variables: description: "Cluster domain" default: "uds.dev" + - name: ADMIN_DOMAIN + description: "Domain for admin services, defaults to `admin.DOMAIN`" + components: - name: keycloak required: true From 963388055f293b0f9fa3b228a3e4748d5dc7ad07 Mon Sep 17 00:00:00 2001 From: Micah Nagel Date: Thu, 12 Dec 2024 20:56:45 -0700 Subject: [PATCH 3/3] docs: dns doc update [skip ci] --- docs/reference/UDS Core/dns.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/docs/reference/UDS Core/dns.md b/docs/reference/UDS Core/dns.md index 9d493e6bd..3528f83a9 100644 --- a/docs/reference/UDS Core/dns.md +++ b/docs/reference/UDS Core/dns.md 
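Review bot: The comment `# The admin domain for hosts to trust clients on` does not say what the value feeds or when the default applies, and the template expression below it is not self-explanatory; something like `# Admin-gateway domain passed to Keycloak as UDS_ADMIN_DOMAIN; resolves to ADMIN_DOMAIN when set, otherwise admin.<domain>` would be clearer. Single quotes are the right choice here because the value contains double quotes, and it is correctly rendered with `tpl` in statefulset.yaml.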
@@ -5,9 +5,11 @@ title: DNS Configuration UDS Core deploys two Gateways by default - a Tenant Gateway for end-user applications and an Admin Gateway for administrative applications. You can read more about Istio configuration in UDS Core [here](https://uds.defenseunicorns.com/reference/configuration/ingress/). This section covers how to configure DNS for these Gateways. ### Domain Configuration -Each Gateway is associated to a wildcard DNS entry that is derived from the `DOMAIN` [variable](https://github.com/defenseunicorns/uds-core/blob/e624d73f79bd6739b6808fbdbf5ca75ebb7c1d3c/src/istio/zarf.yaml#L8) in the UDS Core Istio package. When deploying UDS Core, you can expect two Gateways to be created that match the following domain names: + +Each Gateway requires a wildcard DNS entry corresponding with the chosen `DOMAIN` and `ADMIN_DOMAIN` [variables](https://github.com/defenseunicorns/uds-core/blob/f6b0b59060a14febd11b0cdc7480f853a57f8520/src/istio/zarf.yaml#L10-L16) (or `admin.` if not specifying a separate admin domain). When deploying UDS Core, you can expect two Gateways to be created that match the following domain names: - `*.` / Tenant Gateway -- `*.admin.` / Admin Gateway +- `*.` / Admin Gateway if setting `ADMIN_DOMAIN` +- `*.admin.` / Admin Gateway if NOT setting `ADMIN_DOMAIN` :::note The default value for `DOMAIN` is `uds.dev`, which is intended for development purposes only. For non-development purposes, you should override this value by specifying a value for `domain` in your `uds-config.yaml`. You can find instructions on how to do so [here](https://uds.defenseunicorns.com/reference/configuration/ingress/#configure-domain-name-and-tls-for-istio-gateways).