chore: allow separate configuration of admin domain name #1114

Merged
merged 4 commits into from
Dec 16, 2024
6 changes: 4 additions & 2 deletions docs/reference/UDS Core/dns.md
Expand Up @@ -5,9 +5,11 @@ title: DNS Configuration
UDS Core deploys two Gateways by default - a Tenant Gateway for end-user applications and an Admin Gateway for administrative applications. You can read more about Istio configuration in UDS Core [here](https://uds.defenseunicorns.com/reference/configuration/ingress/). This section covers how to configure DNS for these Gateways.

### Domain Configuration
Each Gateway is associated to a wildcard DNS entry that is derived from the `DOMAIN` [variable](https://github.com/defenseunicorns/uds-core/blob/e624d73f79bd6739b6808fbdbf5ca75ebb7c1d3c/src/istio/zarf.yaml#L8) in the UDS Core Istio package. When deploying UDS Core, you can expect two Gateways to be created that match the following domain names:

Each Gateway requires a wildcard DNS entry corresponding with the chosen `DOMAIN` and `ADMIN_DOMAIN` [variables](https://github.com/defenseunicorns/uds-core/blob/f6b0b59060a14febd11b0cdc7480f853a57f8520/src/istio/zarf.yaml#L10-L16) (or `admin.<DOMAIN>` if not specifying a separate admin domain). When deploying UDS Core, you can expect two Gateways to be created that match the following domain names:
- `*.<DOMAIN>` / Tenant Gateway
- `*.admin.<DOMAIN>` / Admin Gateway
- `*.<ADMIN_DOMAIN>` / Admin Gateway if setting `ADMIN_DOMAIN`
- `*.admin.<DOMAIN>` / Admin Gateway if NOT setting `ADMIN_DOMAIN`

:::note
The default value for `DOMAIN` is `uds.dev`, which is intended for development purposes only. For non-development purposes, you should override this value by specifying a value for `domain` in your `uds-config.yaml`. You can find instructions on how to do so [here](https://uds.defenseunicorns.com/reference/configuration/ingress/#configure-domain-name-and-tls-for-istio-gateways).
5 changes: 3 additions & 2 deletions docs/reference/configuration/ingress.md
Expand Up @@ -36,7 +36,7 @@ packages:

### Configure Domain Name and TLS for Istio Gateways

By default, the UDS Core Istio Gateways are set up to use the `uds.dev` domain and have a valid TLS certificate packaged. You will want to change the domain name for your environment and provide a valid TLS certificate for this domain.
By default, the UDS Core Istio Gateways are set up to use the `uds.dev` (tenant/passthrough) and `admin.uds.dev` (admin) domains with valid TLS certificates. You will need to change the domain name for your environment and provide a valid TLS certificate for your domain(s).

You can set the TLS certs via overrides in a [UDS Bundle](https://uds.defenseunicorns.com/structure/bundles/) (see below). UDS Core Istio Gateways default to only supporting TLS v1.3, but this can also be overridden per gateway if clients use TLS 1.2 (as seen in the tenant gateway example `value` below).

Expand Down Expand Up @@ -81,11 +81,12 @@ You can then either use environment variables (`UDS_ADMIN_TLS_CERT`, `UDS_ADMIN_
The `TLS_CERT` configuration values must include your specific domain certificate (e.g., `*.uds.dev`) **and** the full certificate chain leading up to a trusted root Certificate Authority (CA), concatenated together. Failing to include the full chain can result in unexpected behavior with certain applications, as some container images may not inherently trust intermediate certificates.
:::

Domain should be set via your [uds-config](https://uds.defenseunicorns.com/reference/cli/quickstart-and-usage/#variables-and-configuration) file using the shared key to override the Zarf Domain Variable (see example `uds-config.yaml` below).
Domain should be set via your [uds-config](https://uds.defenseunicorns.com/reference/cli/quickstart-and-usage/#variables-and-configuration) file using the shared key to override the Zarf Domain Variable (see example `uds-config.yaml` below). By default the `admin_domain` will be set to `admin.<DOMAIN>` but can be overridden to host admin services on a different domain.

```yaml
shared:
domain: yourawesomedomain.com # shared across all packages in a bundle
admin_domain: youradmindomain.com # optional, defaults to admin.yourawesomedomain.com

# TLS Certs/Keys if not provided via environment variables
variables:
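Review bot: the callout just above this hunk still gives `*.uds.dev` as the only example of what `TLS_CERT` must cover, but once `admin_domain` is set the admin gateway's certificate has to match `*.youradmindomain.com` instead of `*.admin.yourawesomedomain.com`; say so either in the comment next to `admin_domain:` or in the callout, since a certificate for the wrong wildcard is the first thing this option will break.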
4 changes: 4 additions & 0 deletions src/grafana/chart/templates/uds-package.yaml
Expand Up @@ -11,7 +11,11 @@ spec:
- name: Grafana Dashboard
clientId: uds-core-admin-grafana
redirectUris:
{{- if .Values.adminDomain }}
- "https://grafana.{{ .Values.adminDomain }}/login/generic_oauth"
{{- else }}
- "https://grafana.admin.{{ .Values.domain }}/login/generic_oauth"
{{- end }}

monitor:
- selector:
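Review bot: the `{{- if .Values.adminDomain }} ... {{- else }}` fallback here (repeated in the neuvector package hunk below) is a third way of expressing the same default that `config-admin.yaml` and the keycloak values express with `| default` and `config.ts` with a JS check; consider putting the `default "admin.###ZARF_VAR_DOMAIN###"` expression in this chart's `values.yaml` and rendering it with `tpl`, as keycloak's statefulset does, so the redirect URI collapses to one line such as `- "https://grafana.{{ tpl .Values.adminDomain . }}/login/generic_oauth"` and every component derives the admin host the same way.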
1 change: 1 addition & 0 deletions src/grafana/chart/values.yaml
Expand Up @@ -2,6 +2,7 @@
# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial

domain: "###ZARF_VAR_DOMAIN###"
adminDomain: "###ZARF_VAR_ADMIN_DOMAIN###"

# Stores Grafana's metadata, including dashboards, data sources, organizations, alerts, and other configurations. Required for HA mode.
postgresql:
2 changes: 2 additions & 0 deletions src/grafana/common/zarf.yaml
Expand Up @@ -15,6 +15,8 @@ components:
namespace: grafana
version: 0.1.0
localPath: ../chart
valuesFiles:
- ../chart/values.yaml
- name: grafana
url: https://grafana.github.io/helm-charts/
version: 8.7.0
2 changes: 1 addition & 1 deletion src/grafana/values/values.yaml
Expand Up @@ -19,7 +19,7 @@ extraSecretMounts:

grafana.ini:
server:
root_url: https://grafana.admin.###ZARF_VAR_DOMAIN###
root_url: https://grafana.{{ "###ZARF_VAR_ADMIN_DOMAIN###" | default "admin.###ZARF_VAR_DOMAIN###" }}
# Disable telemetry that doesn't function in the airgap
analytics:
reporting_enabled: false
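Review bot: the `{{ "###ZARF_VAR_ADMIN_DOMAIN###" | default "admin.###ZARF_VAR_DOMAIN###" }}` expression on `root_url` only works if the upstream Grafana chart passes `grafana.ini` values through `tpl` before writing them; please confirm that (or resolve the default on the Zarf side instead), because if the chart emits the value literally Grafana's `root_url` would contain the raw `{{ ... }}` text and OIDC logins would be redirected to an invalid URL.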
3 changes: 3 additions & 0 deletions src/grafana/zarf.yaml
Expand Up @@ -12,6 +12,9 @@ variables:
description: "Cluster domain"
default: "uds.dev"

- name: ADMIN_DOMAIN
description: "Domain for admin services, defaults to `admin.DOMAIN`"

components:
- name: grafana
required: true
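Review bot: `ADMIN_DOMAIN` is declared with a description saying it defaults to `admin.DOMAIN` but carries no `default:` key, so the value is empty unless the deployer sets it (which is what the `| default` expressions elsewhere in this PR rely on) and every consumer has to implement the fallback itself; reword the description to say the variable is empty by default and that the `admin.<DOMAIN>` fallback is applied by the templates, and apply the same wording to the identical blocks in the istio, keycloak, neuvector and pepr `zarf.yaml` hunks below.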
2 changes: 1 addition & 1 deletion src/istio/chart/templates/gateway.yaml
@@ -1,7 +1,7 @@
# Copyright 2024 Defense Unicorns
# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial

{{- $domain := .Values.domain }}
{{- $domain := tpl .Values.domain . }}
{{- if .Values.tls }}
apiVersion: networking.istio.io/v1beta1
kind: Gateway
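Review bot: `tpl .Values.domain .` now runs for every gateway, so any `domain` value supplied through a bundle override is evaluated as a Helm template rather than used literally; that is exactly what the admin config needs, but an override containing `{{` would now fail the render (or render to something unexpected) instead of producing a gateway for that host, so a short comment on this line explaining why `tpl` is required would help whoever next sees a template error from a domain override.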
3 changes: 2 additions & 1 deletion src/istio/values/config-admin.yaml
Expand Up @@ -2,7 +2,8 @@
# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial

name: admin
domain: "admin.###ZARF_VAR_DOMAIN###"
# Accommodate a specific admin domain or the default of `admin.DOMAIN`
domain: '{{ "###ZARF_VAR_ADMIN_DOMAIN###" | default "admin.###ZARF_VAR_DOMAIN###" }}'
tls:
servers:
keycloak:
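Review bot: with `domain` now holding a template string, every place in the istio chart that reads `.Values.domain` must go through `tpl`; `gateway.yaml` was updated in this PR, so please check that no other file under `src/istio/chart/templates` references `.Values.domain` directly, since one that does would emit the literal `{{ "###ZARF_VAR_ADMIN_DOMAIN###" | default ... }}` text into the rendered resource for the admin gateway.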
3 changes: 3 additions & 0 deletions src/istio/zarf.yaml
Expand Up @@ -12,6 +12,9 @@ variables:
description: "Cluster domain"
default: "uds.dev"

- name: ADMIN_DOMAIN
description: "Domain for admin services, defaults to `admin.DOMAIN`"

components:
- name: istio-controlplane
required: true
2 changes: 2 additions & 0 deletions src/keycloak/chart/templates/statefulset.yaml
Expand Up @@ -92,6 +92,8 @@ spec:
# Common configuration
- name: UDS_DOMAIN
value: "{{ .Values.domain }}"
- name: UDS_ADMIN_DOMAIN
value: "{{ tpl .Values.adminDomain . }}"

# Enable health and metrics endpoints
- name: KC_HEALTH_ENABLED
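Review bot: `UDS_ADMIN_DOMAIN` is only useful if the identity-config image pinned in the values hunk below (`ghcr.io/defenseunicorns/uds/identity-config:0.8.0`) actually reads it when it builds the realm's client redirect URIs and trusted hosts; if that image still derives them from `admin.${UDS_DOMAIN}`, setting `ADMIN_DOMAIN` will leave Keycloak rejecting logins from the new admin hosts, so confirm the image version that consumes the variable has landed or note the dependency next to this env entry.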
3 changes: 3 additions & 0 deletions src/keycloak/chart/values.schema.json
Expand Up @@ -130,6 +130,9 @@
"domain": {
"type": "string"
},
"adminDomain": {
"type": "string"
},
"enableServiceLinks": {
"type": "boolean"
},
2 changes: 2 additions & 0 deletions src/keycloak/chart/values.yaml
Expand Up @@ -14,6 +14,8 @@ configImage: ghcr.io/defenseunicorns/uds/identity-config:0.8.0

# The public domain name of the Keycloak server
domain: "###ZARF_VAR_DOMAIN###"
# The admin domain for hosts to trust clients on
adminDomain: '{{ "###ZARF_VAR_ADMIN_DOMAIN###" | default "admin.###ZARF_VAR_DOMAIN###" }}'

# Additional Istio Gateways that expose Keycloak, to allow for client cert usage
# A prefix of `istio-` is required for namespaces to prevent accidental misconfiguration
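Review bot: the comment `The admin domain for hosts to trust clients on` is hard to parse; something like `# Domain of the admin gateway; used for admin client redirect URIs and trusted hosts (defaults to admin.<DOMAIN>)` says what the value is for and documents the fallback that the `| default` expression on the next line implements.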
2 changes: 2 additions & 0 deletions src/keycloak/common/zarf.yaml
Expand Up @@ -15,6 +15,8 @@ components:
# renovate: datasource=docker depName=quay.io/keycloak/keycloak versioning=semver
version: 26.0.7
localPath: ../chart
valuesFiles:
- ../chart/values.yaml
actions:
onDeploy:
before:
3 changes: 3 additions & 0 deletions src/keycloak/zarf.yaml
Expand Up @@ -11,6 +11,9 @@ variables:
description: "Cluster domain"
default: "uds.dev"

- name: ADMIN_DOMAIN
description: "Domain for admin services, defaults to `admin.DOMAIN`"

components:
- name: keycloak
required: true
4 changes: 4 additions & 0 deletions src/neuvector/chart/templates/uds-package.yaml
Expand Up @@ -22,7 +22,11 @@ spec:
- name: Neuvector
clientId: uds-core-admin-neuvector
redirectUris:
{{- if .Values.adminDomain }}
- "https://neuvector.{{ .Values.adminDomain }}/openId_auth"
{{- else }}
- "https://neuvector.admin.{{ .Values.domain }}/openId_auth"
{{- end }}
secretName: neuvector-secret
secretTemplate:
userinitcfg.yaml: |-
1 change: 1 addition & 0 deletions src/neuvector/chart/values.yaml
Expand Up @@ -2,6 +2,7 @@
# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial

domain: "###ZARF_VAR_DOMAIN###"
adminDomain: "###ZARF_VAR_ADMIN_DOMAIN###"

grafana:
enabled: false
2 changes: 2 additions & 0 deletions src/neuvector/common/zarf.yaml
Expand Up @@ -21,6 +21,8 @@ components:
namespace: neuvector
version: 0.1.0
localPath: ../chart
valuesFiles:
- ../chart/values.yaml
- name: core
url: https://neuvector.github.io/neuvector-helm/
version: 2.8.3
3 changes: 3 additions & 0 deletions src/neuvector/zarf.yaml
Expand Up @@ -12,6 +12,9 @@ variables:
description: "Cluster domain"
default: "uds.dev"

- name: ADMIN_DOMAIN
description: "Domain for admin services, defaults to `admin.DOMAIN`"

components:
- name: neuvector
description: "Deploy Neuvector"
7 changes: 6 additions & 1 deletion src/pepr/config.ts
Expand Up @@ -6,13 +6,17 @@
import { Component, setupLogger } from "./logger";

let domain = process.env.UDS_DOMAIN;
let adminDomain = process.env.UDS_ADMIN_DOMAIN;
let caCert = process.env.UDS_CA_CERT;
let authserviceRedisUri = process.env.AUTHSERVICE_REDIS_URI;

// We need to handle `npx pepr <>` commands that will not template the env vars
if (!domain || domain === "###ZARF_VAR_DOMAIN###") {
domain = "uds.dev";
}
if (!adminDomain || adminDomain === "###ZARF_VAR_ADMIN_DOMAIN###") {
adminDomain = `admin.${domain}`;
}
if (!caCert || caCert === "###ZARF_VAR_CA_CERT###") {
caCert = "";
}
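Review bot: the fallback on `adminDomain` covers the unset and untemplated cases, but nothing checks the shape of a value that is supplied; since it is interpolated straight into Istio hosts (`${host}.${domain}` in service-entry.ts and virtual-service.ts) and, through the charts, into OIDC redirect URIs, a one-time normalization here (lowercase, reject a scheme or path, strip a trailing dot, fail fast if `domain` itself is empty) would surface a bad `ADMIN_DOMAIN` at operator start instead of as a confusing Istio or login error later.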
Expand All @@ -21,8 +25,9 @@ if (!authserviceRedisUri || authserviceRedisUri === "###ZARF_VAR_AUTHSERVICE_RED
}

export const UDSConfig = {
// Ignore the UDS_DOMAIN if not deployed by Zarf
// Set the base domain (tenant) and admin domain
domain,
adminDomain,
// Base64 Encoded Trusted CA cert for Istio certificates (i.e. for `sso.domain`)
caCert,
// Allow UDS policy exemptions to be used in any namespace
4 changes: 2 additions & 2 deletions src/pepr/operator/controllers/istio/service-entry.ts
Expand Up @@ -33,8 +33,8 @@ export function generateServiceEntry(

const name = generateSEName(pkgName, expose);

// For the admin gateway, we need to add the path prefix
const domain = (gateway === Gateway.Admin ? "admin." : "") + UDSConfig.domain;
// Get the correct domain based on gateway
const domain = gateway === Gateway.Admin ? UDSConfig.adminDomain : UDSConfig.domain;

// Append the domain to the host
const fqdn = `${host}.${domain}`;
Expand Up @@ -70,7 +70,7 @@ describe("test generate virtual service", () => {

expect(payload).toBeDefined();
expect(payload.spec?.hosts).toBeDefined();
expect(payload.spec!.hosts![0]).toEqual(`${host}.admin.${UDSConfig.domain}`);
expect(payload.spec!.hosts![0]).toEqual(`${host}.${UDSConfig.adminDomain}`);
});

it("should create an advancedHttp VirtualService object", () => {
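Review bot: with the default config `UDSConfig.adminDomain` is `admin.${UDSConfig.domain}`, so this assertion passes on exactly the same string the old one did and never exercises the new code path; add a case that sets `UDSConfig.adminDomain` to a distinct value (and `UDS_ADMIN_DOMAIN` when testing `config.ts`) and asserts the VirtualService host uses it, otherwise a regression back to a hard-coded `admin.` prefix would go unnoticed.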
4 changes: 2 additions & 2 deletions src/pepr/operator/controllers/istio/virtual-service.ts
Expand Up @@ -25,8 +25,8 @@ export function generateVirtualService(

const name = generateVSName(pkgName, expose);

// For the admin gateway, we need to add the path prefix
const domain = (gateway === Gateway.Admin ? "admin." : "") + UDSConfig.domain;
// Get the correct domain based on gateway
const domain = gateway === Gateway.Admin ? UDSConfig.adminDomain : UDSConfig.domain;

// Append the domain to the host
const fqdn = `${host}.${domain}`;
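Review bot: this ternary is the same line as the one in `service-entry.ts` above; a small helper next to `UDSConfig` (e.g. `domainForGateway(gateway)`) would keep the gateway-to-domain rule in one place, which matters because any gateway other than `Gateway.Admin` currently falls through to `UDSConfig.domain` and a future change to that rule would otherwise have to be made in two files.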
2 changes: 2 additions & 0 deletions src/pepr/uds-operator-config/values.yaml
Expand Up @@ -2,7 +2,9 @@
# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial

operator:
# Domain configuration (admin defaults to `admin.UDS_DOMAIN`)
UDS_DOMAIN: "###ZARF_VAR_DOMAIN###"
UDS_ADMIN_DOMAIN: "###ZARF_VAR_ADMIN_DOMAIN###"
UDS_CA_CERT: "###ZARF_VAR_CA_CERT###"
UDS_ALLOW_ALL_NS_EXEMPTIONS: "###ZARF_VAR_ALLOW_ALL_NS_EXEMPTIONS###"
UDS_LOG_LEVEL: "###ZARF_VAR_UDS_LOG_LEVEL###"
5 changes: 4 additions & 1 deletion src/pepr/zarf.yaml
Expand Up @@ -4,14 +4,17 @@
kind: ZarfPackageConfig
metadata:
name: pepr-uds-core
description: 'Pepr Module: A collection of capabilities for UDS Core'
description: "Pepr Module: A collection of capabilities for UDS Core"
url: https://github.com/defenseunicorns/pepr

variables:
- name: DOMAIN
description: "Cluster domain"
default: "uds.dev"

- name: ADMIN_DOMAIN
description: "Domain for admin services, defaults to `admin.DOMAIN`"

- name: CA_CERT
description: "Base64 encoded CA cert that signed the domain wildcard certs used for Istio ingress"
default: ""