From c331ec11071c5618589d02dce88daa99e5755238 Mon Sep 17 00:00:00 2001 
From: Micah Nagel Date: Mon, 16 Dec 2024 14:49:37 -0700 Subject: [PATCH] chore: allow separate configuration of admin domain name (#1114) ## Description Allows more flexibility in deployment by exposing a new zarf var for `ADMIN_DOMAIN`. Note that an entirely different domain will require this change in Keycloak: https://github.com/defenseunicorns/uds-identity-config/pull/284 ## Related Issue N/A ## Type of change - [ ] Bug fix (non-breaking change which fixes an issue) - [x] New feature (non-breaking change which adds functionality) - [x] Other (security config, docs update, etc) ## Steps to Validate Testing can be done by exporting `UDS_ADMIN_DOMAIN=uds.dev`. With these changes you should be able to see all virtualservices and gateways use `uds.dev`. Applications will not immediately be accessible due to uds-k3d's nginx config routing them to the wrong gateway (plus the wrong certs used for the admin interfaces). You can also test with a different domain entirely but this requires similar setup. 
## Checklist before merging - [x] Test, docs, adr added or updated as needed - [x] [Contributor Guide](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md) followed --------- Co-authored-by: Chance <139784371+UnicornChance@users.noreply.github.com> --- docs/reference/UDS Core/dns.md | 6 ++++-- docs/reference/configuration/ingress.md | 5 +++-- src/grafana/chart/templates/uds-package.yaml | 4 ++++ src/grafana/chart/values.yaml | 1 + src/grafana/common/zarf.yaml | 2 ++ src/grafana/values/values.yaml | 2 +- src/grafana/zarf.yaml | 3 +++ src/istio/chart/templates/gateway.yaml | 2 +- src/istio/values/config-admin.yaml | 3 ++- src/istio/zarf.yaml | 3 +++ src/keycloak/chart/templates/statefulset.yaml | 2 ++ src/keycloak/chart/values.schema.json | 3 +++ src/keycloak/chart/values.yaml | 2 ++ src/keycloak/common/zarf.yaml | 2 ++ src/keycloak/zarf.yaml | 3 +++ src/neuvector/chart/templates/uds-package.yaml | 4 ++++ src/neuvector/chart/values.yaml | 1 + src/neuvector/common/zarf.yaml | 2 ++ src/neuvector/zarf.yaml | 3 +++ src/pepr/config.ts | 7 ++++++- src/pepr/operator/controllers/istio/service-entry.ts | 4 ++-- .../operator/controllers/istio/virtual-service.spec.ts | 2 +- src/pepr/operator/controllers/istio/virtual-service.ts | 4 ++-- src/pepr/uds-operator-config/values.yaml | 2 ++ src/pepr/zarf.yaml | 5 ++++- 25 files changed, 63 insertions(+), 14 deletions(-) diff --git a/docs/reference/UDS Core/dns.md b/docs/reference/UDS Core/dns.md index 9d493e6bd..3528f83a9 100644 --- a/docs/reference/UDS Core/dns.md +++ b/docs/reference/UDS Core/dns.md 
@@ -5,9 +5,11 @@ title: DNS Configuration UDS Core deploys two Gateways by default - a Tenant Gateway for end-user applications and an Admin Gateway for administrative applications. You can read more about Istio configuration in UDS Core [here](https://uds.defenseunicorns.com/reference/configuration/ingress/). This section covers how to configure DNS for these Gateways. ### Domain Configuration -Each Gateway is associated to a wildcard DNS entry that is derived from the `DOMAIN` [variable](https://github.com/defenseunicorns/uds-core/blob/e624d73f79bd6739b6808fbdbf5ca75ebb7c1d3c/src/istio/zarf.yaml#L8) in the UDS Core Istio package. When deploying UDS Core, you can expect two Gateways to be created that match the following domain names: + +Each Gateway requires a wildcard DNS entry corresponding with the chosen `DOMAIN` and `ADMIN_DOMAIN` [variables](https://github.com/defenseunicorns/uds-core/blob/f6b0b59060a14febd11b0cdc7480f853a57f8520/src/istio/zarf.yaml#L10-L16) (or `admin.` if not specifying a separate admin domain). When deploying UDS Core, you can expect two Gateways to be created that match the following domain names: - `*.` / Tenant Gateway -- `*.admin.` / Admin Gateway +- `*.` / Admin Gateway if setting `ADMIN_DOMAIN` +- `*.admin.` / Admin Gateway if NOT setting `ADMIN_DOMAIN` :::note The default value for `DOMAIN` is `uds.dev`, which is intended for development purposes only. For non-development purposes, you should override this value by specifying a value for `domain` in your `uds-config.yaml`. You can find instructions on how to do so [here](https://uds.defenseunicorns.com/reference/configuration/ingress/#configure-domain-name-and-tls-for-istio-gateways). diff --git a/docs/reference/configuration/ingress.md b/docs/reference/configuration/ingress.md index 416469356..b1ab00cfd 100644 --- a/docs/reference/configuration/ingress.md +++ b/docs/reference/configuration/ingress.md 
@@ -36,7 +36,7 @@ packages: ### Configure Domain Name and TLS for Istio Gateways -By default, the UDS Core Istio Gateways are set up to use the `uds.dev` domain and have a valid TLS certificate packaged. You will want to change the domain name for your environment and provide a valid TLS certificate for this domain. +By default, the UDS Core Istio Gateways are set up to use the `uds.dev` (tenant/passthrough) and `admin.uds.dev` (admin) domains with valid TLS certificates. You will need to change the domain name for your environment and provide a valid TLS certificate for your domain(s). You can set the TLS certs via overrides in a [UDS Bundle](https://uds.defenseunicorns.com/structure/bundles/) (see below). UDS Core Istio Gateways default to only supporting TLS v1.3, but this can also be overridden per gateway if clients use TLS 1.2 (as seen in the tenant gateway example `value` below). 
@@ -81,11 +81,12 @@ You can then either use environment variables (`UDS_ADMIN_TLS_CERT`, `UDS_ADMIN_ The `TLS_CERT` configuration values must include your specific domain certificate (e.g., `*.uds.dev`) **and** the full certificate chain leading up to a trusted root Certificate Authority (CA), concatenated together. Failing to include the full chain can result in unexpected behavior with certain applications, as some container images may not inherently trust intermediate certificates. ::: -Domain should be set via your [uds-config](https://uds.defenseunicorns.com/reference/cli/quickstart-and-usage/#variables-and-configuration) file using the shared key to override the Zarf Domain Variable (see example `uds-config.yaml` below). +Domain should be set via your [uds-config](https://uds.defenseunicorns.com/reference/cli/quickstart-and-usage/#variables-and-configuration) file using the shared key to override the Zarf Domain Variable (see example `uds-config.yaml` below). By default the `admin_domain` will be set to `admin.` but can be overridden to host admin services on a different domain. ```yaml shared: domain: yourawesomedomain.com # shared across all packages in a bundle + admin_domain: youradmindomain.com # optional, defaults to admin.yourawesomedomain.com # TLS Certs/Keys if not provided via environment variables variables: diff --git a/src/grafana/chart/templates/uds-package.yaml b/src/grafana/chart/templates/uds-package.yaml index 8a60f02ab..65ece92e3 100644 --- a/src/grafana/chart/templates/uds-package.yaml +++ b/src/grafana/chart/templates/uds-package.yaml @@ -11,7 +11,11 @@ spec: - name: Grafana Dashboard clientId: uds-core-admin-grafana redirectUris: + {{- if .Values.adminDomain }} + - "https://grafana.{{ .Values.adminDomain }}/login/generic_oauth" + {{- else }} - "https://grafana.admin.{{ .Values.domain }}/login/generic_oauth" + {{- end }} monitor: - selector: 
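Review bot: The new `{{- if .Values.adminDomain }}` branch in src/grafana/chart/templates/uds-package.yaml resolves the admin-domain fallback with a different rule than the rest of the change, which uses `default "admin.###ZARF_VAR_DOMAIN###"` (src/istio/values/config-admin.yaml, src/keycloak/chart/values.yaml); the neuvector uds-package.yaml hunk repeats the same if/else. If the chart is ever rendered without Zarf substitution the literal `###ZARF_VAR_ADMIN_DOMAIN###` is truthy and becomes the OAuth redirect host, whereas the `default` form falls back cleanly. One resolution rule keeps the registered redirect URI and the Grafana `root_url` (src/grafana/values/values.yaml already uses the `default` form) derived the same way: in values.yaml `adminDomain: '{{ "###ZARF_VAR_ADMIN_DOMAIN###" | default "admin.###ZARF_VAR_DOMAIN###" }}'` and in the template a single `- "https://grafana.{{ tpl .Values.adminDomain . }}/login/generic_oauth"`.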
diff --git a/src/grafana/chart/values.yaml b/src/grafana/chart/values.yaml index 52cacf05d..53afe8564 100644 --- a/src/grafana/chart/values.yaml +++ b/src/grafana/chart/values.yaml @@ -2,6 +2,7 @@ # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial domain: "###ZARF_VAR_DOMAIN###" +adminDomain: "###ZARF_VAR_ADMIN_DOMAIN###" # Stores Grafana's metadata, including dashboards, data sources, organizations, alerts, and other configurations. Required for HA mode. postgresql: diff --git a/src/grafana/common/zarf.yaml b/src/grafana/common/zarf.yaml index 2392cec36..8cefdea24 100644 --- a/src/grafana/common/zarf.yaml +++ b/src/grafana/common/zarf.yaml @@ -15,6 +15,8 @@ components: namespace: grafana version: 0.1.0 localPath: ../chart + valuesFiles: + - ../chart/values.yaml - name: grafana url: https://grafana.github.io/helm-charts/ version: 8.7.0 diff --git a/src/grafana/values/values.yaml b/src/grafana/values/values.yaml index 51f7d5765..bb60966ae 100644 --- a/src/grafana/values/values.yaml +++ b/src/grafana/values/values.yaml @@ -19,7 +19,7 @@ extraSecretMounts: grafana.ini: server: - root_url: https://grafana.admin.###ZARF_VAR_DOMAIN### + root_url: https://grafana.{{ "###ZARF_VAR_ADMIN_DOMAIN###" | default "admin.###ZARF_VAR_DOMAIN###" }} # Disable telemetry that doesn't function in the airgap analytics: reporting_enabled: false diff --git a/src/grafana/zarf.yaml b/src/grafana/zarf.yaml index 54ff7056e..e2cff0a4c 100644 --- a/src/grafana/zarf.yaml +++ b/src/grafana/zarf.yaml @@ -12,6 +12,9 @@ variables: description: "Cluster domain" default: "uds.dev" + - name: ADMIN_DOMAIN + description: "Domain for admin services, defaults to `admin.DOMAIN`" + components: - name: grafana required: true diff --git a/src/istio/chart/templates/gateway.yaml b/src/istio/chart/templates/gateway.yaml index 3bcfdb040..5b6062319 100644 --- a/src/istio/chart/templates/gateway.yaml +++ b/src/istio/chart/templates/gateway.yaml 
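Review bot: `root_url` in src/grafana/values/values.yaml now holds a Helm template expression inside a value handed to the upstream Grafana chart, so it only resolves if that chart renders `grafana.ini` through `tpl`; presumably it does, but nothing in the hunk shows it, and if it does not Grafana receives the literal `{{ ... }}` string as its root URL. Worth a comment on the line, e.g. `# rendered via tpl by the upstream chart; must resolve to the same host as the redirectUri in chart/templates/uds-package.yaml`, since OAuth login fails when root_url and the registered redirect URI disagree.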
@@ -1,7 +1,7 @@ # Copyright 2024 Defense Unicorns # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial -{{- $domain := .Values.domain }} +{{- $domain := tpl .Values.domain . }} {{- if .Values.tls }} apiVersion: networking.istio.io/v1beta1 kind: Gateway diff --git a/src/istio/values/config-admin.yaml b/src/istio/values/config-admin.yaml index e5c265887..cde6e30aa 100644 --- a/src/istio/values/config-admin.yaml +++ b/src/istio/values/config-admin.yaml @@ -2,7 +2,8 @@ # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial name: admin -domain: "admin.###ZARF_VAR_DOMAIN###" +# Accommodate a specific admin domain or the default of `admin.DOMAIN` +domain: '{{ "###ZARF_VAR_ADMIN_DOMAIN###" | default "admin.###ZARF_VAR_DOMAIN###" }}' tls: servers: keycloak: diff --git a/src/istio/zarf.yaml b/src/istio/zarf.yaml index 03b88b419..b12f42087 100644 --- a/src/istio/zarf.yaml +++ b/src/istio/zarf.yaml @@ -12,6 +12,9 @@ variables: description: "Cluster domain" default: "uds.dev" + - name: ADMIN_DOMAIN + description: "Domain for admin services, defaults to `admin.DOMAIN`" + components: - name: istio-controlplane required: true diff --git a/src/keycloak/chart/templates/statefulset.yaml b/src/keycloak/chart/templates/statefulset.yaml index 1e18ee733..7b69a9737 100644 --- a/src/keycloak/chart/templates/statefulset.yaml +++ b/src/keycloak/chart/templates/statefulset.yaml @@ -92,6 +92,8 @@ spec: # Common configuration - name: UDS_DOMAIN value: "{{ .Values.domain }}" + - name: UDS_ADMIN_DOMAIN + value: "{{ tpl .Values.adminDomain . }}" # Enable health and metrics endpoints - name: KC_HEALTH_ENABLED diff --git a/src/keycloak/chart/values.schema.json b/src/keycloak/chart/values.schema.json index 9348c158d..df4312912 100644 --- a/src/keycloak/chart/values.schema.json +++ b/src/keycloak/chart/values.schema.json 
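Review bot: `{{- $domain := tpl .Values.domain . }}` in src/istio/chart/templates/gateway.yaml turns the host value into a template expression for every gateway rendered from this chart, not only the admin one whose values file (src/istio/values/config-admin.yaml) now needs it. A `domain` override containing `{{` is therefore evaluated rather than taken literally; the value is deployer-supplied bundle config, so the exposure is limited, but it is a behaviour change worth stating at the line: `# tpl: domain may itself be a template (see values/config-admin.yaml for the admin fallback)`. The rest of the Gateway template lies outside the hunk.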
@@ -130,6 +130,9 @@ "domain": { "type": "string" }, + "adminDomain": { + "type": "string" + }, "enableServiceLinks": { "type": "boolean" }, diff --git a/src/keycloak/chart/values.yaml b/src/keycloak/chart/values.yaml index c4486d9a1..6f542807f 100644 --- a/src/keycloak/chart/values.yaml +++ b/src/keycloak/chart/values.yaml @@ -14,6 +14,8 @@ configImage: ghcr.io/defenseunicorns/uds/identity-config:0.8.0 # The public domain name of the Keycloak server domain: "###ZARF_VAR_DOMAIN###" +# The admin domain for hosts to trust clients on +adminDomain: '{{ "###ZARF_VAR_ADMIN_DOMAIN###" | default "admin.###ZARF_VAR_DOMAIN###" }}' # Additional Istio Gateways that expose Keycloak, to allow for client cert usage # A prefix of `istio-` is required for namespaces to prevent accidental misconfiguration diff --git a/src/keycloak/common/zarf.yaml b/src/keycloak/common/zarf.yaml index f8ff6726d..7df06d73f 100644 --- a/src/keycloak/common/zarf.yaml +++ b/src/keycloak/common/zarf.yaml @@ -15,6 +15,8 @@ components: # renovate: datasource=docker depName=quay.io/keycloak/keycloak versioning=semver version: 26.0.7 localPath: ../chart + valuesFiles: + - ../chart/values.yaml actions: onDeploy: before: diff --git a/src/keycloak/zarf.yaml b/src/keycloak/zarf.yaml index 710f56ea0..3116d5a0c 100644 --- a/src/keycloak/zarf.yaml +++ b/src/keycloak/zarf.yaml @@ -11,6 +11,9 @@ variables: description: "Cluster domain" default: "uds.dev" + - name: ADMIN_DOMAIN + description: "Domain for admin services, defaults to `admin.DOMAIN`" + components: - name: keycloak required: true diff --git a/src/neuvector/chart/templates/uds-package.yaml b/src/neuvector/chart/templates/uds-package.yaml index dc65bfe84..62dc67156 100644 --- a/src/neuvector/chart/templates/uds-package.yaml +++ b/src/neuvector/chart/templates/uds-package.yaml 
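Review bot: The comment `# The admin domain for hosts to trust clients on` above the new `adminDomain` value in src/keycloak/chart/values.yaml does not say what consumes it; the statefulset hunk passes it to the Keycloak pod as `UDS_ADMIN_DOMAIN`, and the PR description states that a non-default admin domain only works with the linked uds-identity-config change, while `configImage` in this hunk's context stays at `identity-config:0.8.0`. Suggest `# Admin domain exported to the pod as UDS_ADMIN_DOMAIN for identity-config; a value other than admin.DOMAIN requires an identity-config release containing the Keycloak change referenced in the PR description`. The values.schema.json hunk accepts any string here, so a mismatch between the two does not fail loudly.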
@@ -22,7 +22,11 @@ spec: - name: Neuvector clientId: uds-core-admin-neuvector redirectUris: + {{- if .Values.adminDomain }} + - "https://neuvector.{{ .Values.adminDomain }}/openId_auth" + {{- else }} - "https://neuvector.admin.{{ .Values.domain }}/openId_auth" + {{- end }} secretName: neuvector-secret secretTemplate: userinitcfg.yaml: |- diff --git a/src/neuvector/chart/values.yaml b/src/neuvector/chart/values.yaml index 2980de043..87b67a6c6 100644 --- a/src/neuvector/chart/values.yaml +++ b/src/neuvector/chart/values.yaml @@ -2,6 +2,7 @@ # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial domain: "###ZARF_VAR_DOMAIN###" +adminDomain: "###ZARF_VAR_ADMIN_DOMAIN###" grafana: enabled: false diff --git a/src/neuvector/common/zarf.yaml b/src/neuvector/common/zarf.yaml index f95a54f1b..bae734063 100644 --- a/src/neuvector/common/zarf.yaml +++ b/src/neuvector/common/zarf.yaml @@ -21,6 +21,8 @@ components: namespace: neuvector version: 0.1.0 localPath: ../chart + valuesFiles: + - ../chart/values.yaml - name: core url: https://neuvector.github.io/neuvector-helm/ version: 2.8.3 diff --git a/src/neuvector/zarf.yaml b/src/neuvector/zarf.yaml index c2bcbc047..13e475650 100644 --- a/src/neuvector/zarf.yaml +++ b/src/neuvector/zarf.yaml @@ -12,6 +12,9 @@ variables: description: "Cluster domain" default: "uds.dev" + - name: ADMIN_DOMAIN + description: "Domain for admin services, defaults to `admin.DOMAIN`" + components: - name: neuvector description: "Deploy Neuvector" diff --git a/src/pepr/config.ts b/src/pepr/config.ts index e227df63f..a51288f18 100644 --- a/src/pepr/config.ts +++ b/src/pepr/config.ts @@ -6,6 +6,7 @@ import { Component, setupLogger } from "./logger"; let domain = process.env.UDS_DOMAIN; +let adminDomain = process.env.UDS_ADMIN_DOMAIN; let caCert = process.env.UDS_CA_CERT; let authserviceRedisUri = process.env.AUTHSERVICE_REDIS_URI; 
@@ -13,6 +14,9 @@ let authserviceRedisUri = process.env.AUTHSERVICE_REDIS_URI; if (!domain || domain === "###ZARF_VAR_DOMAIN###") { domain = "uds.dev"; } +if (!adminDomain || adminDomain === "###ZARF_VAR_ADMIN_DOMAIN###") { + adminDomain = `admin.${domain}`; +} if (!caCert || caCert === "###ZARF_VAR_CA_CERT###") { caCert = ""; } @@ -21,8 +25,9 @@ if (!authserviceRedisUri || authserviceRedisUri === "###ZARF_VAR_AUTHSERVICE_RED } export const UDSConfig = { - // Ignore the UDS_DOMAIN if not deployed by Zarf + // Set the base domain (tenant) and admin domain domain, + adminDomain, // Base64 Encoded Trusted CA cert for Istio certificates (i.e. for `sso.domain`) caCert, // Allow UDS policy exemptions to be used in any namespace diff --git a/src/pepr/operator/controllers/istio/service-entry.ts b/src/pepr/operator/controllers/istio/service-entry.ts index 0e049913e..8c432f97a 100644 --- a/src/pepr/operator/controllers/istio/service-entry.ts +++ b/src/pepr/operator/controllers/istio/service-entry.ts @@ -33,8 +33,8 @@ export function generateServiceEntry( const name = generateSEName(pkgName, expose); - // For the admin gateway, we need to add the path prefix - const domain = (gateway === Gateway.Admin ? "admin." : "") + UDSConfig.domain; + // Get the correct domain based on gateway + const domain = gateway === Gateway.Admin ? UDSConfig.adminDomain : UDSConfig.domain; // Append the domain to the host const fqdn = `${host}.${domain}`; diff --git a/src/pepr/operator/controllers/istio/virtual-service.spec.ts b/src/pepr/operator/controllers/istio/virtual-service.spec.ts index 9d92a5f6f..a6f7e79ae 100644 --- a/src/pepr/operator/controllers/istio/virtual-service.spec.ts +++ b/src/pepr/operator/controllers/istio/virtual-service.spec.ts 
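Review bot: The fallback `adminDomain = `admin.${domain}`;` in src/pepr/config.ts re-implements a rule this change also encodes in Helm (`default "admin.###ZARF_VAR_DOMAIN###"` in src/istio/values/config-admin.yaml and src/keycloak/chart/values.yaml) and as an if/else in the grafana and neuvector uds-package templates. The operator uses this value to build VirtualService and ServiceEntry hosts (service-entry.ts and virtual-service.ts hunks), while the admin Gateway's hosts come from the Helm-side rule, so the two must stay identical or admin routes silently stop matching the Gateway. A comment at the fallback would record that coupling: `// Keep in sync with the Helm-side fallback in src/istio/values/config-admin.yaml: the admin Gateway host must match the hosts generated from this value`.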
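Review bot: `const domain = gateway === Gateway.Admin ? UDSConfig.adminDomain : UDSConfig.domain;` in src/pepr/operator/controllers/istio/service-entry.ts is duplicated verbatim in the virtual-service.ts hunk, and the two resources must resolve the same FQDN for a given expose entry. Extracting one helper used by both, e.g. `export const domainForGateway = (gateway: Gateway): string => gateway === Gateway.Admin ? UDSConfig.adminDomain : UDSConfig.domain;` in a module both controllers already import from, keeps them from drifting if another gateway kind is added. generateServiceEntry starts before and continues after the hunk.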
@@ -70,7 +70,7 @@ describe("test generate virtual service", () => { expect(payload).toBeDefined(); expect(payload.spec?.hosts).toBeDefined(); - expect(payload.spec!.hosts![0]).toEqual(`${host}.admin.${UDSConfig.domain}`); + expect(payload.spec!.hosts![0]).toEqual(`${host}.${UDSConfig.adminDomain}`); }); it("should create an advancedHttp VirtualService object", () => { diff --git a/src/pepr/operator/controllers/istio/virtual-service.ts b/src/pepr/operator/controllers/istio/virtual-service.ts index c5ecc28d1..4287d4add 100644 --- a/src/pepr/operator/controllers/istio/virtual-service.ts +++ b/src/pepr/operator/controllers/istio/virtual-service.ts @@ -25,8 +25,8 @@ export function generateVirtualService( const name = generateVSName(pkgName, expose); - // For the admin gateway, we need to add the path prefix - const domain = (gateway === Gateway.Admin ? "admin." : "") + UDSConfig.domain; + // Get the correct domain based on gateway + const domain = gateway === Gateway.Admin ? UDSConfig.adminDomain : UDSConfig.domain; // Append the domain to the host const fqdn = `${host}.${domain}`; diff --git a/src/pepr/uds-operator-config/values.yaml b/src/pepr/uds-operator-config/values.yaml index dfd236a58..680a2f07a 100644 --- a/src/pepr/uds-operator-config/values.yaml +++ b/src/pepr/uds-operator-config/values.yaml @@ -2,7 +2,9 @@ # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial operator: + # Domain configuration (admin defaults to `admin.UDS_DOMAIN`) UDS_DOMAIN: "###ZARF_VAR_DOMAIN###" + UDS_ADMIN_DOMAIN: "###ZARF_VAR_ADMIN_DOMAIN###" UDS_CA_CERT: "###ZARF_VAR_CA_CERT###" UDS_ALLOW_ALL_NS_EXEMPTIONS: "###ZARF_VAR_ALLOW_ALL_NS_EXEMPTIONS###" UDS_LOG_LEVEL: "###ZARF_VAR_UDS_LOG_LEVEL###" diff --git a/src/pepr/zarf.yaml b/src/pepr/zarf.yaml index 267a24f96..1c426c6d4 100644 --- a/src/pepr/zarf.yaml +++ b/src/pepr/zarf.yaml 
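Review bot: The updated assertion in virtual-service.spec.ts, `expect(payload.spec!.hosts![0]).toEqual(`${host}.${UDSConfig.adminDomain}`)`, passes whether or not the new setting is honoured, because under test `UDSConfig.adminDomain` presumably resolves to the default `admin.<domain>` (the spec setup is outside the hunk), so the separate-domain path this PR adds is not distinguished from the old `admin.` prefix. A case that overrides the value before generating, for example setting `UDSConfig.adminDomain = "admin.example.test"` (constructed value) and asserting the host ends with it, would exercise that path; the diffstat shows no matching spec change for the service-entry controller either.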
@@ -4,7 +4,7 @@ kind: ZarfPackageConfig metadata: name: pepr-uds-core - description: 'Pepr Module: A collection of capabilities for UDS Core' + description: "Pepr Module: A collection of capabilities for UDS Core" url: https://github.com/defenseunicorns/pepr variables: @@ -12,6 +12,9 @@ variables: description: "Cluster domain" default: "uds.dev" + - name: ADMIN_DOMAIN + description: "Domain for admin services, defaults to `admin.DOMAIN`" + - name: CA_CERT description: "Base64 encoded CA cert that signed the domain wildcard certs used for Istio ingress" default: ""