From 2aa7adaa47f42813c7e7eba6235c7a439bea41f1 Mon Sep 17 00:00:00 2001
From: Michael-Kruggel
Date: Fri, 15 Mar 2024 19:08:01 +0000
Subject: [PATCH 1/2] feat: adds sso framework and removes default join and master keys
---
 chart/templates/uds-package.yaml | 19 +++++++++++++++++++
 chart/values.yaml | 2 ++
 src/dev-secrets/join-master-key-secret.yaml | 9 ---------
 src/dev-secrets/zarf.yaml | 7 -------
 values/registry1-values.yaml | 2 --
 values/upstream-values.yaml | 2 --
 zarf.yaml | 18 +++++++++---------
 7 files changed, 30 insertions(+), 29 deletions(-)
 delete mode 100644 src/dev-secrets/join-master-key-secret.yaml
diff --git a/chart/templates/uds-package.yaml b/chart/templates/uds-package.yaml
index b64a971..eb365b3 100644
--- a/chart/templates/uds-package.yaml
+++ b/chart/templates/uds-package.yaml
@@ -4,6 +4,13 @@ metadata:
 name: artifactory
 namespace: {{ .Release.Namespace }}
 spec:
+ {{- if .Values.sso }}
+ sso:
+ - name: Artifactory SSO
+ clientId: uds-core-artifactory
+ redirectUris:
+ - "https://artifactory.{{ .Values.domain }}/artifactory/"
+ {{- end }}
 network:
 expose:
 - service: artifactory
@@ -13,6 +20,18 @@ spec:
 host: artifactory
 port: 8082
 allow:
+ - direction: Ingress
+ remoteGenerated: IntraNamespace
+ - direction: Egress
+ remoteGenerated: IntraNamespace
+ - direction: Egress
+ podLabels:
+ app.kubernetes.io/name: artifactory
+ port: 443
+ description: "SSO"
+ - direction: Egress
+ # todo: this is over permissive, need to scope it down
+ remoteGenerated: KubeAPI
 - direction: Egress
 podLabels:
 app: artifactory
diff --git a/chart/values.yaml b/chart/values.yaml
index e69de29..9c2f3c1 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -0,0 +1,2 @@
+domain: "###ZARF_VAR_DOMAIN###"
+sso: true
diff --git a/src/dev-secrets/join-master-key-secret.yaml b/src/dev-secrets/join-master-key-secret.yaml
deleted file mode 100644
index 1b15e7d..0000000
--- a/src/dev-secrets/join-master-key-secret.yaml
+++ /dev/null
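Review bot: The redirect URI in the added `sso` block is built from `.Values.domain` with no guard, and chart/values.yaml in this same patch sets that value to the `###ZARF_VAR_DOMAIN###` placeholder. None of the zarf.yaml hunks in this patch declare a `DOMAIN` variable, so confirm it is declared elsewhere; if it is not, or the chart is rendered outside Zarf, the placeholder text or an empty string would end up in the redirect URI registered for the `uds-core-artifactory` client. An empty value can be made to fail the render with `- "https://artifactory.{{ required "domain must be set" .Values.domain }}/artifactory/"`; that does not catch an unsubstituted placeholder, which needs the variable check.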
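Review bot: The added `remoteGenerated: KubeAPI` egress rule carries no `podLabels`, so it presumably applies to every pod in the namespace; the inline todo already calls it over-permissive, but nothing tracks it. Scoping the rule to the workload that actually needs the API server, or tying the todo to an issue, would keep it from becoming permanent. The rule described as "SSO" selects `app.kubernetes.io/name: artifactory` on port 443 but names no remote, so which destinations it opens depends on how the operator treats a missing remote; adding a `remoteNamespace` for the identity provider would make the intent explicit. The `allow` list continues outside the hunk.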
@@ -1,9 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
- name: artifactory-keys
- namespace: artifactory
-type: kubernetes.io/opaque
-stringData:
- join-key: EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE
- master-key: bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
diff --git a/src/dev-secrets/zarf.yaml b/src/dev-secrets/zarf.yaml
index 869c4c7..6e8e30c 100644
--- a/src/dev-secrets/zarf.yaml
+++ b/src/dev-secrets/zarf.yaml
@@ -23,10 +23,3 @@ components:
 namespace: artifactory
 files:
 - postgres-secret.yaml
- - name: artifactory-keys
- required: true
- manifests:
- - name: artifactory-keys
- namespace: artifactory
- files:
- - join-master-key-secret.yaml
diff --git a/values/registry1-values.yaml b/values/registry1-values.yaml
index 97bde9f..d9eb932 100644
--- a/values/registry1-values.yaml
+++ b/values/registry1-values.yaml
@@ -2,8 +2,6 @@ global:
 imageRegistry: registry1.dso.mil
 joinKey: null
 masterKey: null
- joinKeySecretName: artifactory-keys
- masterKeySecretName: artifactory-keys
 artifactoryHaEnabled: false
 imagePullSecrets:
 - private-registry
diff --git a/values/upstream-values.yaml b/values/upstream-values.yaml
index 9d970ad..a3501da 100644
--- a/values/upstream-values.yaml
+++ b/values/upstream-values.yaml
@@ -1,6 +1,4 @@
 global:
- joinKeySecretName: artifactory-keys
- masterKeySecretName: artifactory-keys
 initContainerImage: registry1.dso.mil/ironbank/redhat/ubi/ubi9-minimal:9.3
 artifactory:
 name: artifactory
diff --git a/zarf.yaml b/zarf.yaml
index c344ac3..4887afd 100644
--- a/zarf.yaml
+++ b/zarf.yaml
@@ -21,6 +21,10 @@ components:
 only:
 flavor: registry1
 charts:
+ - name: uds-artifactory-config
+ namespace: artifactory
+ version: 0.1.0
+ localPath: chart
 # renovate: bb-chart
 - name: artifactory
 url: https://repo1.dso.mil/big-bang/apps/third-party/jfrog-platform.git
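Review bot: Nothing records why `uds-artifactory-config` now has to come before the `artifactory` chart in `charts:`; the same move is made for the upstream flavor in the last zarf.yaml hunk. If the order matters (presumably so the Package resource with its network rules and SSO client exists before the application chart is installed), a comment above the entry such as `# must precede the artifactory chart: creates the UDS Package first` would stop a later tidy-up from reverting it.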
@@ -29,10 +33,6 @@ components:
 namespace: artifactory
 valuesFiles:
 - values/registry1-values.yaml
- - name: uds-artifactory-config
- namespace: artifactory
- version: 0.1.0
- localPath: chart
 images:
 - registry1.dso.mil/ironbank/jfrog/artifactory/artifactory:7.63.9
 - registry1.dso.mil/ironbank/jfrog/jfrog-xray/router:7.61.1
@@ -44,19 +44,19 @@ components:
 only:
 flavor: upstream
 charts:
+ - name: uds-artifactory-config
+ namespace: artifactory
+ version: 0.1.0
+ localPath: chart
 # renovate: datasource=helm
 - name: artifactory
 url: https://charts.jfrog.io
- version: 107.71.9
+ version: 107.77.7
 namespace: artifactory
 repoName: artifactory
 releaseName: artifactory
 valuesFiles:
 - values/upstream-values.yaml
- - name: uds-artifactory-config
- namespace: artifactory
- version: 0.1.0
- localPath: chart
 images:
 - registry1.dso.mil/ironbank/jfrog/artifactory/artifactory:7.71.5
 - registry1.dso.mil/ironbank/jfrog/jfrog-xray/router:7.87.0
From d540f58152e18f4b809b37a3a376727fc8b398c7 Mon Sep 17 00:00:00 2001
From: Michael-Kruggel
Date: Mon, 18 Mar 2024 17:15:11 +0000
Subject: [PATCH 2/2] fix: image pull secrets
---
 values/upstream-values.yaml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/values/upstream-values.yaml b/values/upstream-values.yaml
index a3501da..d83b4a9 100644
--- a/values/upstream-values.yaml
+++ b/values/upstream-values.yaml
@@ -1,4 +1,6 @@
 global:
+ imagePullSecrets:
+ - name: private-registry
 initContainerImage: registry1.dso.mil/ironbank/redhat/ubi/ubi9-minimal:9.3
 artifactory:
 name: artifactory
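Review bot: The upstream chart is bumped to `107.77.7`, but the `images:` entries visible as context still pin `artifactory:7.71.5`. Unless values/upstream-values.yaml overrides the image tag, the new chart version may reference an image that is not in the package's image list, which would fail on an air-gapped deploy. The `images:` list continues outside the hunk, so the remaining entries need the same check against the new chart version.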
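Review bot: As far as this hunk shows, the `global:` block of values/upstream-values.yaml now holds only `imagePullSecrets` and `initContainerImage`, so nothing says where the join and master keys come from. Patch 1 removed `joinKeySecretName`/`masterKeySecretName` and the dev secret, and values/registry1-values.yaml keeps `joinKey: null` and `masterKey: null`, without adding a replacement source. Depending on the chart version, the chart may then fall back to its own published default key values, which would be no stronger than the placeholder keys this series deletes. A comment under `global:` stating where the keys are expected to come from in a real deployment (for example a pre-created secret referenced by name), plus a check of the rendered manifests, would close this.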