Merge pull request #154 from mlbiam/master

udpates for HA openunison, deployment via pulumi
OpenUnison · May 30, 2024 · 3a6f2d2 · 3a6f2d2
2 parents 525f9cb + 5dc0504
commit 3a6f2d2
Show file tree

Hide file tree

Showing 25 changed files with 670 additions and 21 deletions.
diff --git a/openunison-k8s-add-cluster/Chart.yaml b/openunison-k8s-add-cluster/Chart.yaml
@@ -14,7 +14,7 @@ type: application
 
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
-version: 1.0.7
+version: 1.0.8
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application.

diff --git a/openunison-k8s-add-cluster/templates/applications/k8s-idp.yaml b/openunison-k8s-add-cluster/templates/applications/k8s-idp.yaml
@@ -65,7 +65,7 @@ spec:
           accessTokenSkewMillis: "120000"
         secretParams:
         - name: clientSecret
-          secretName: orchestra-secrets-source
+          secretName: {{ .Values.cluster.sso.client_secret | default "orchestra-secrets-source" }}
           secretKey: cluster-idp-{{ .Values.cluster.name }}
   cookieConfig:
     sessionCookieName: tremolosession

diff --git a/openunison-k8s-cluster-management-by-group/templates/rbac.yaml b/openunison-k8s-cluster-management-by-group/templates/rbac.yaml
@@ -8,7 +8,7 @@ subjects:
   name: k8s-cluster-administrators
   apiGroup: rbac.authorization.k8s.io
 - kind: ServiceAccount
-  name: openunison-{{ .Values.openunison.orchestra_release_name }}
+  name: openunison-{{ .Values.impersonation.orchestra_release_name }}
   namespace: {{ .Release.Namespace }}
 roleRef:
   kind: ClusterRole

diff --git a/openunison-k8s-cluster-management-by-group/values.yaml b/openunison-k8s-cluster-management-by-group/values.yaml
@@ -2,8 +2,11 @@ primaryCluster:
   name: Control Plane Cluster
   description: Central control plane cluster used to manage other clusters
 
-openunison:
+impersonation:
   orchestra_release_name: orchestra
+
+openunison:
+
   orchestra_login_portal_name: orchestra-login-portal
   azGroups:
   - k8s-cluster-k8s-administrators

diff --git a/openunison-k8s-cluster-management/Chart.yaml b/openunison-k8s-cluster-management/Chart.yaml
@@ -14,7 +14,7 @@ type: application
 
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
-version: 3.0.22
+version: 3.0.23
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application.

diff --git a/openunison-k8s-cluster-management/templates/rbac/external.yaml b/openunison-k8s-cluster-management/templates/rbac/external.yaml
@@ -8,13 +8,17 @@ metadata:
     argocd.argoproj.io/sync-wave: "40"
 subjects:
 - kind: Group
+  {{ if .Values.openunison.naas.groups.privilegedAccessGroup }}
+  name: {{ .Values.openunison.naas.groups.privilegedAccessGroup }}{{ .Values.openunison.naas.groups.external.suffix }}
+  {{ else }}
   name: k8s-cluster-administrators{{ .Values.openunison.naas.groups.external.suffix }}
+  {{ end }}
   apiGroup: rbac.authorization.k8s.io
 - kind: Group
   name: k8s-cluster-k8s-administrators{{ .Values.openunison.naas.groups.external.suffix }}
   apiGroup: rbac.authorization.k8s.io
 - kind: ServiceAccount
-  name: openunison-{{ .Values.openunison.orchestra_release_name }}
+  name: openunison-{{ .Values.impersonation.orchestra_release_name }}
   namespace: {{ .Release.Namespace }}
 roleRef:
   kind: ClusterRole

diff --git a/openunison-k8s-cluster-management/templates/rbac/internal.yaml b/openunison-k8s-cluster-management/templates/rbac/internal.yaml
@@ -8,10 +8,14 @@ metadata:
     argocd.argoproj.io/sync-wave: "40"
 subjects:
 - kind: Group
+  {{ if .Values.openunison.naas.groups.privilegedAccessGroup }}
+  name: {{ .Values.openunison.naas.groups.privilegedAccessGroup }}{{ .Values.openunison.naas.groups.internal.suffix }}
+  {{ else }}
   name: k8s-cluster-k8s-administrators{{ .Values.openunison.naas.groups.internal.suffix }}
+  {{ end }}
   apiGroup: rbac.authorization.k8s.io
 - kind: ServiceAccount
-  name: openunison-{{ .Values.openunison.orchestra_release_name }}
+  name: openunison-{{ .Values.impersonation.orchestra_release_name }}
   namespace: {{ .Release.Namespace }}
 roleRef:
   kind: ClusterRole

diff --git a/openunison-k8s-cluster-management/values.yaml b/openunison-k8s-cluster-management/values.yaml
@@ -5,8 +5,11 @@ primaryCluster:
 dashboard:
   enabled: true
 
-openunison:
+impersonation:
   orchestra_release_name: orchestra
+
+openunison:
+
   orchestra_login_portal_name: orchestra-login-portal
   naas:
     jobs:

diff --git a/orchestra-login-portal-argocd/Chart.yaml b/orchestra-login-portal-argocd/Chart.yaml
@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 2.3.54
+version: 2.3.56
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

diff --git a/orchestra-login-portal/Chart.yaml b/orchestra-login-portal/Chart.yaml
@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 2.3.49
+version: 2.3.51
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

diff --git a/orchestra-login-portal/templates/openunison/applications/activemq.yaml b/orchestra-login-portal/templates/openunison/applications/activemq.yaml
@@ -19,10 +19,13 @@ spec:
   - hosts:
     - "#[OU_HOST]"
     filterChain: 
+    - className: com.tremolosecurity.activemq.ChooseAmq
+      params:
+        namespace: {{ .Release.Namespace }}
     - className: com.tremolosecurity.proxy.filters.HideCookie
       params: {}
     uri: "/admin"
-    proxyTo: https://amq.{{ .Release.Namespace }}.svc:8162${fullURI}
+    proxyTo: https://${amq.server}:8162${fullURI}
     authChain: login-service
     overrideHost: true
     overrideReferer: true

diff --git a/orchestra-login-portal/templates/openunison/applications/k8s-login-tokens.yaml b/orchestra-login-portal/templates/openunison/applications/k8s-login-tokens.yaml
@@ -18,6 +18,13 @@ spec:
   - hosts:
     - "#[OU_HOST]"
     filterChain:
+    {{ if .Values.dashboard.require_session }}
+    - className: com.tremolosecurity.proxy.filters.AzFilter
+      params:
+        rules:
+        - "custom;require-session"
+        azFail: "force-logout"
+    {{ end }}
     - className: com.tremolosecurity.scalejs.token.ws.ScaleToken
       params:
         displayNameAttribute: "sub"

diff --git a/orchestra-login-portal/templates/openunison/applications/token.yaml b/orchestra-login-portal/templates/openunison/applications/token.yaml
@@ -18,6 +18,13 @@ spec:
   - hosts:
     - "#[OU_HOST]"
     filterChain: 
+    {{ if .Values.dashboard.require_session }}
+    - className: com.tremolosecurity.proxy.filters.AzFilter
+      params:
+        rules:
+        - "custom;require-session"
+        azFail: "force-logout"
+    {{ end }}
     - className: com.tremolosecurity.proxy.filters.XForward
       params:
         createHeaders: "false"
@@ -66,6 +73,13 @@ spec:
   - hosts:
     - "#[OU_HOST]"
     filterChain:
+    {{ if .Values.dashboard.require_session }}
+    - className: com.tremolosecurity.proxy.filters.AzFilter
+      params:
+        rules:
+        - "custom;require-session"
+        azFail: "force-logout"
+    {{ end }}
     - className: com.tremolosecurity.scalejs.token.ws.ScaleToken
       params:
         displayNameAttribute: "sub"

diff --git a/orchestra-login-portal/templates/openunison/authentication_chains/standard-chains.yaml b/orchestra-login-portal/templates/openunison/authentication_chains/standard-chains.yaml
@@ -176,7 +176,7 @@ spec:
     required: required
     params: 
       nameAttr: uid
-      workflowName: {{ .Values.openunison.post_jit_workflow }}
+      workflowName: "{{ .Values.openunison.post_jit_workflow }}"
 {{ end }}
   - name: genoidctoken
     required: required

diff --git a/orchestra/Chart.yaml b/orchestra/Chart.yaml
@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 2.10.48
+version: 2.10.51
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

diff --git a/orchestra/templates/infrastructure/activemq-config-mysql.yaml b/orchestra/templates/infrastructure/activemq-config-mysql.yaml
@@ -147,6 +147,23 @@ data:
             <shutdownHooks>
                 <bean xmlns="http://www.springframework.org/schema/beans" class="org.apache.activemq.hooks.SpringContextHook" />
             </shutdownHooks>
+                <networkConnectors>
+{{ if .Values.openunison.activemq_remote }}
+{{ $remote_queue_num := 0 }}
+{{ $remote_queues := splitList "," .Values.openunison.non_secret_data.K8S_DR_QUEUES }}
+{{ range $host := .Values.openunison.activemq_remote}}
+                    <networkConnector  uri="static:(ssl://{{ $host }})" >
+                        <dynamicallyIncludedDestinations>
+                            <queue physicalName="{{ index $remote_queues $remote_queue_num }}" />
+                            {{ $remote_queue_num := add1 $remote_queue_num }}
+                        </dynamicallyIncludedDestinations>
+                        <excludedDestinations>
+                            <queue physicalName="ActiveMQ.DLQ" />
+                        </excludedDestinations>
+                    </networkConnector>
+{{ end }}
+{{ end }}
+                </networkConnectors>
 
         </broker>
 

diff --git a/orchestra/templates/infrastructure/activemq-config-postgresql.yaml b/orchestra/templates/infrastructure/activemq-config-postgresql.yaml
@@ -147,7 +147,23 @@ data:
             <shutdownHooks>
                 <bean xmlns="http://www.springframework.org/schema/beans" class="org.apache.activemq.hooks.SpringContextHook" />
             </shutdownHooks>
-
+                <networkConnectors>
+{{ if .Values.openunison.activemq_remote }}
+{{ $remote_queue_num := 0 }}
+{{ $remote_queues := splitList "," .Values.openunison.non_secret_data.K8S_DR_QUEUES }}
+{{ range $host := .Values.openunison.activemq_remote}}
+                    <networkConnector  uri="static:(ssl://{{ $host }})" >
+                        <dynamicallyIncludedDestinations>
+                            <queue physicalName="{{ index $remote_queues $remote_queue_num }}" />
+                            {{ $remote_queue_num := add1 $remote_queue_num }}
+                        </dynamicallyIncludedDestinations>
+                        <excludedDestinations>
+                            <queue physicalName="ActiveMQ.DLQ" />
+                        </excludedDestinations>
+                    </networkConnector>
+{{ end }}
+{{ end }}
+                </networkConnectors>
         </broker>
 
         <!--

diff --git a/orchestra/templates/infrastructure/activemq-config-pvc.yaml b/orchestra/templates/infrastructure/activemq-config-pvc.yaml
@@ -141,6 +141,24 @@ data:
                     <bean xmlns="http://www.springframework.org/schema/beans" class="org.apache.activemq.hooks.SpringContextHook" />
                 </shutdownHooks>
 
+                <networkConnectors>
+{{ if .Values.openunison.activemq_remote }}
+{{ $remote_queue_num := 0 }}
+{{ $remote_queues := splitList "," .Values.openunison.non_secret_data.K8S_DR_QUEUES }}
+{{ range $host := .Values.openunison.activemq_remote}}
+                    <networkConnector  uri="static:(ssl://{{ $host }})" >
+                        <dynamicallyIncludedDestinations>
+                            <queue physicalName="{{ index $remote_queues $remote_queue_num }}" />
+                            {{ $remote_queue_num := add1 $remote_queue_num }}
+                        </dynamicallyIncludedDestinations>
+                        <excludedDestinations>
+                            <queue physicalName="ActiveMQ.DLQ" />
+                        </excludedDestinations>
+                    </networkConnector>
+{{ end }}
+{{ end }}
+                </networkConnectors>
+
             </broker>
 
             <!--
@@ -327,7 +345,7 @@ spec:
   storageClassName: {{ .Values.openunison.activemq_storageclass }}
   {{ end }}
   accessModes:
-    - ReadWriteOnce
+    - {{ .Values.openunison.activemq_accessmode | default "ReadWriteOnce" }}
   resources:
     requests:
       storage: {{ .Values.openunison.activemq_pvc_size | default "1G" }}

diff --git a/orchestra/templates/infrastructure/activemq-config-sqlserver.yaml b/orchestra/templates/infrastructure/activemq-config-sqlserver.yaml
@@ -148,7 +148,23 @@ data:
             <shutdownHooks>
                 <bean xmlns="http://www.springframework.org/schema/beans" class="org.apache.activemq.hooks.SpringContextHook" />
             </shutdownHooks>
-
+                <networkConnectors>
+{{ if .Values.openunison.activemq_remote }}
+{{ $remote_queue_num := 0 }}
+{{ $remote_queues := splitList "," .Values.openunison.non_secret_data.K8S_DR_QUEUES }}
+{{ range $host := .Values.openunison.activemq_remote}}
+                    <networkConnector  uri="static:(ssl://{{ $host }})" >
+                        <dynamicallyIncludedDestinations>
+                            <queue physicalName="{{ index $remote_queues $remote_queue_num }}" />
+                            {{ $remote_queue_num := add1 $remote_queue_num }}
+                        </dynamicallyIncludedDestinations>
+                        <excludedDestinations>
+                            <queue physicalName="ActiveMQ.DLQ" />
+                        </excludedDestinations>
+                    </networkConnector>
+{{ end }}
+{{ end }}
+                </networkConnectors>
         </broker>
 
         <!--