From 8af0c336b815341189ebc1ceb480a99a050a0585 Mon Sep 17 00:00:00 2001
From: UnicornChance
Date: Fri, 9 Aug 2024 08:32:52 -0600
Subject: [PATCH 1/8] chore(deps): udpate keycloak v25.0.2
---
 src/keycloak/chart/templates/statefulset.yaml | 7 +++++--
 src/keycloak/chart/values.yaml | 4 ++--
 src/keycloak/common/zarf.yaml | 2 +-
 src/keycloak/values/registry1-values.yaml | 2 +-
 src/keycloak/values/unicorn-values.yaml | 2 +-
 src/keycloak/values/upstream-values.yaml | 2 +-
 src/keycloak/zarf.yaml | 6 +++---
 7 files changed, 14 insertions(+), 11 deletions(-)
diff --git a/src/keycloak/chart/templates/statefulset.yaml b/src/keycloak/chart/templates/statefulset.yaml
index c0dddf1c5..25f3515a0 100644
--- a/src/keycloak/chart/templates/statefulset.yaml
+++ b/src/keycloak/chart/templates/statefulset.yaml
@@ -195,10 +195,13 @@ spec:
 - name: tcp-fd
 containerPort: 57800
 protocol: TCP
+ - name: metrics
+ containerPort: 9000
+ protocol: TCP
 livenessProbe:
 httpGet:
 path: /health/live
- port: http
+ port: metrics
 scheme: HTTP
 failureThreshold: 15
 timeoutSeconds: 2
@@ -207,7 +210,7 @@ spec:
 readinessProbe:
 httpGet:
 path: /health/ready
- port: http
+ port: metrics
 scheme: HTTP
 failureThreshold: 15
 timeoutSeconds: 2
diff --git a/src/keycloak/chart/values.yaml b/src/keycloak/chart/values.yaml
index d9288badd..ddc6ea748 100644
--- a/src/keycloak/chart/values.yaml
+++ b/src/keycloak/chart/values.yaml
@@ -2,7 +2,7 @@ image:
 # The Keycloak image repository
 repository: quay.io/keycloak/keycloak
 # Overrides the Keycloak image tag whose default is the chart appVersion
- tag: "24.0.5"
+ tag: "25.0.2"
 # The Keycloak image pull policy
 pullPolicy: IfNotPresent
@@ -193,7 +193,7 @@ serviceMonitor:
 # The path at which metrics are served
 path: /metrics
 # The Service port at which metrics are served
- port: http
+ port: metrics
 # added by Big Bang to support Istio mTLS
 scheme: ""
 tlsConfig: {}
diff --git a/src/keycloak/common/zarf.yaml b/src/keycloak/common/zarf.yaml
index 2c9f443f2..e14b958f7 100644
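Review bot: The liveness and readiness probes now target the new `metrics` container port with `scheme: HTTP`, but as far as I recall from the 25.x management-interface docs, port 9000 serves HTTPS whenever the server itself has a TLS certificate configured (the chart's `KC_HTTPS_CLIENT_AUTH` env elsewhere in this series suggests it does), so both probes could fail at startup unless the management interface is explicitly kept on plain HTTP or the probe scheme changes; please confirm against a rendered pod. The port name also undersells what it exposes: it is the Keycloak 25 management interface carrying both `/health` and `/metrics`, so a comment such as `# Keycloak 25 management interface (health + metrics): keep it off the public Service and limit it to the monitoring namespace via network policy` above the new port block would help the next maintainer keep it unexposed. The second hunk (`@@ -207,7 +210,7 @@`) has the same scheme question.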
--- a/src/keycloak/common/zarf.yaml
+++ b/src/keycloak/common/zarf.yaml
@@ -10,7 +10,7 @@ components:
 - name: keycloak
 namespace: keycloak
 # renovate: datasource=docker depName=quay.io/keycloak/keycloak versioning=semver
- version: 24.0.5
+ version: 25.0.2
 localPath: ../chart
 actions:
 onDeploy:
diff --git a/src/keycloak/values/registry1-values.yaml b/src/keycloak/values/registry1-values.yaml
index dd9f5ad88..f1012634c 100644
--- a/src/keycloak/values/registry1-values.yaml
+++ b/src/keycloak/values/registry1-values.yaml
@@ -1,6 +1,6 @@
 image:
 repository: registry1.dso.mil/ironbank/opensource/keycloak/keycloak
- tag: "24.0.5"
+ tag: "25.0.2"
 podSecurityContext:
 fsGroup: 2000
 securityContext:
diff --git a/src/keycloak/values/unicorn-values.yaml b/src/keycloak/values/unicorn-values.yaml
index 571b6eba2..31b47fc44 100644
--- a/src/keycloak/values/unicorn-values.yaml
+++ b/src/keycloak/values/unicorn-values.yaml
@@ -1,3 +1,3 @@
 image:
 repository: cgr.dev/du-uds-defenseunicorns/keycloak
- tag: "24.0.5"
+ tag: "25.0.2"
diff --git a/src/keycloak/values/upstream-values.yaml b/src/keycloak/values/upstream-values.yaml
index 10aaf74cd..425bc3cfb 100644
--- a/src/keycloak/values/upstream-values.yaml
+++ b/src/keycloak/values/upstream-values.yaml
@@ -2,4 +2,4 @@ podSecurityContext:
 fsGroup: 1000
 image:
 repository: quay.io/keycloak/keycloak
- tag: "24.0.5"
+ tag: "25.0.2"
diff --git a/src/keycloak/zarf.yaml b/src/keycloak/zarf.yaml
index 99f051d46..cbdfa1af3 100644
--- a/src/keycloak/zarf.yaml
+++ b/src/keycloak/zarf.yaml
@@ -20,7 +20,7 @@ components:
 valuesFiles:
 - "values/upstream-values.yaml"
 images:
- - quay.io/keycloak/keycloak:24.0.5
+ - quay.io/keycloak/keycloak:25.0.2
 - ghcr.io/defenseunicorns/uds/identity-config:0.5.2
 - name: keycloak
@@ -36,7 +36,7 @@ components:
 valuesFiles:
 - "values/registry1-values.yaml"
 images:
- - registry1.dso.mil/ironbank/opensource/keycloak/keycloak:24.0.5
+ - registry1.dso.mil/ironbank/opensource/keycloak/keycloak:25.0.2
 - ghcr.io/defenseunicorns/uds/identity-config:0.5.2
 - name: keycloak
@@ -50,5 +50,5 @@ components:
 valuesFiles:
 - "values/unicorn-values.yaml"
 images:
- - cgr.dev/du-uds-defenseunicorns/keycloak:24.0.5 # todo: switch to FIPS image
+ - cgr.dev/du-uds-defenseunicorns/keycloak:25.0.2 # todo: switch to FIPS image
 - ghcr.io/defenseunicorns/uds/identity-config:0.5.2
From 6e0ae427bd7dd28b4413422b8e0ca47b56d4275c Mon Sep 17 00:00:00 2001
From: Rob Ferguson
Date: Tue, 27 Aug 2024 13:09:58 -0500
Subject: [PATCH 2/8] proxy headers
---
 src/keycloak/chart/templates/statefulset.yaml | 17 +++++------------
 src/keycloak/chart/templates/uds-package.yaml | 2 +-
 src/keycloak/chart/values.yaml | 5 +++--
 src/keycloak/common/zarf.yaml | 2 +-
 src/keycloak/values/registry1-values.yaml | 2 +-
 src/keycloak/values/unicorn-values.yaml | 2 +-
 src/keycloak/values/upstream-values.yaml | 2 +-
 src/keycloak/zarf.yaml | 9 ++++++---
 8 files changed, 19 insertions(+), 22 deletions(-)
diff --git a/src/keycloak/chart/templates/statefulset.yaml b/src/keycloak/chart/templates/statefulset.yaml
index 25f3515a0..a21f013cd 100644
--- a/src/keycloak/chart/templates/statefulset.yaml
+++ b/src/keycloak/chart/templates/statefulset.yaml
@@ -64,6 +64,9 @@ spec:
 - "--spi-theme-static-max-age=-1"
 - "--spi-theme-cache-themes=false"
 - "--spi-theme-cache-templates=false"
+ - "--proxy-headers=xforwarded"
+ - "--http-enabled=true"
+ - "--hostname-debug=true"
 {{- else }}
 - "start"
 # # Needed for nginx provider
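Review bot: `--hostname-debug=true` switches on Keycloak's hostname debug page, which reports the resolved hostname/proxy configuration and request details and is, as far as I know, reachable without authentication; even on the dev-mode branch it deserves a comment making the intent explicit, e.g. `# dev-only: enables the hostname-debug page, never add this to the "start" branch`. `--proxy-headers=xforwarded` makes Keycloak trust `X-Forwarded-*` from whatever reaches the pod, which is only safe because the Istio sidecar/gateway sits in front of it and rewrites those headers; that assumption is worth recording next to the flag. The `args` list this hunk edits begins before the hunk.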
@@ -91,18 +94,8 @@ spec:
 # Enable access log
 - name: QUARKUS_HTTP_ACCESS_LOG_ENABLED
- value: "true"
-
- # Hostname strict is not needed when used with Istio
- - name: KC_HOSTNAME_STRICT
- value: "false"
- - name: KC_HOSTNAME_STRICT_HTTPS
- value: "false"
-
- # Set the proxy type to edge to avoid weird Keycloak behavior
- - name: KC_PROXY
- value: edge
-
+ value: "true"
+
 # X509 configuration
 - name: KC_HTTPS_CLIENT_AUTH
 value: request
diff --git a/src/keycloak/chart/templates/uds-package.yaml b/src/keycloak/chart/templates/uds-package.yaml
index e5919fa04..4ef21c99b 100644
--- a/src/keycloak/chart/templates/uds-package.yaml
+++ b/src/keycloak/chart/templates/uds-package.yaml
@@ -95,7 +95,7 @@ spec:
 - name: redirect-metrics
 uri:
 prefix: /metrics
- rewrite:
+ redirect:
 uri: "/realms/{{ .Values.realm }}/account"
 headers:
 request:
diff --git a/src/keycloak/chart/values.yaml b/src/keycloak/chart/values.yaml
index ddc6ea748..527eb2210 100644
--- a/src/keycloak/chart/values.yaml
+++ b/src/keycloak/chart/values.yaml
@@ -2,12 +2,13 @@ image:
 # The Keycloak image repository
 repository: quay.io/keycloak/keycloak
 # Overrides the Keycloak image tag whose default is the chart appVersion
- tag: "25.0.2"
+ tag: "25.0.4"
 # The Keycloak image pull policy
 pullPolicy: IfNotPresent
 # renovate: datasource=github-tags depName=defenseunicorns/uds-identity-config versioning=semver
-configImage: ghcr.io/defenseunicorns/uds/identity-config:0.5.2
+# configImage: ghcr.io/defenseunicorns/uds/identity-config:0.5.2
+configImage: rjferguson21/uds-core-config:25
 # The public domain name of the Keycloak server
 domain: "###ZARF_VAR_DOMAIN###"
diff --git a/src/keycloak/common/zarf.yaml b/src/keycloak/common/zarf.yaml
index e14b958f7..1e669bfb2 100644
--- a/src/keycloak/common/zarf.yaml
+++ b/src/keycloak/common/zarf.yaml
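Review bot: Switching `rewrite:` to `redirect:` under `advancedHTTP` at this point in the series runs ahead of the operator: the Package CRD schema and `generateVirtualService` only learn about `redirect` in PATCH 6/8 (`virtualservice-v1beta1.ts`, `virtual-service.ts`), so the Package rendered by this commit would be rejected at admission or have the key dropped, depending on how unknown fields are handled, and PATCH 3/8 reverts it again. Squashing this line into the commit that adds the schema support keeps every intermediate commit deployable. The enclosing `redirect-metrics` rule begins before the hunk.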
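Review bot: `configImage` now points at `rjferguson21/uds-core-config:25`, a personal registry namespace with a mutable tag and no digest, while the org-owned, renovate-tracked `ghcr.io/defenseunicorns/uds/identity-config` line is left commented out; the same image is added to every `images:` list in `src/keycloak/zarf.yaml` in this commit. That is a supply-chain exposure for anything built from this revision, and the `# renovate:` annotation now sits above a comment rather than the live key, so the bot will stop tracking it. PATCH 8/8 restores the release image, so either squash the interim commits or, if a development image must remain for a while, pin it by digest and keep the `# renovate:` line directly above the active `configImage:`.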
@@ -10,7 +10,7 @@ components:
 - name: keycloak
 namespace: keycloak
 # renovate: datasource=docker depName=quay.io/keycloak/keycloak versioning=semver
- version: 25.0.2
+ version: 25.0.4
 localPath: ../chart
 actions:
 onDeploy:
diff --git a/src/keycloak/values/registry1-values.yaml b/src/keycloak/values/registry1-values.yaml
index f1012634c..30c921b92 100644
--- a/src/keycloak/values/registry1-values.yaml
+++ b/src/keycloak/values/registry1-values.yaml
@@ -1,6 +1,6 @@
 image:
 repository: registry1.dso.mil/ironbank/opensource/keycloak/keycloak
- tag: "25.0.2"
+ tag: "25.0.4"
 podSecurityContext:
 fsGroup: 2000
 securityContext:
diff --git a/src/keycloak/values/unicorn-values.yaml b/src/keycloak/values/unicorn-values.yaml
index 31b47fc44..57122c4d0 100644
--- a/src/keycloak/values/unicorn-values.yaml
+++ b/src/keycloak/values/unicorn-values.yaml
@@ -1,3 +1,3 @@
 image:
 repository: cgr.dev/du-uds-defenseunicorns/keycloak
- tag: "25.0.2"
+ tag: "25.0.4"
diff --git a/src/keycloak/values/upstream-values.yaml b/src/keycloak/values/upstream-values.yaml
index 425bc3cfb..97dd2e6c2 100644
--- a/src/keycloak/values/upstream-values.yaml
+++ b/src/keycloak/values/upstream-values.yaml
@@ -2,4 +2,4 @@ podSecurityContext:
 fsGroup: 1000
 image:
 repository: quay.io/keycloak/keycloak
- tag: "25.0.2"
+ tag: "25.0.4"
diff --git a/src/keycloak/zarf.yaml b/src/keycloak/zarf.yaml
index cbdfa1af3..ddc6afbd4 100644
--- a/src/keycloak/zarf.yaml
+++ b/src/keycloak/zarf.yaml
@@ -20,8 +20,9 @@ components:
 valuesFiles:
 - "values/upstream-values.yaml"
 images:
- - quay.io/keycloak/keycloak:25.0.2
+ - quay.io/keycloak/keycloak:25.0.4
 - ghcr.io/defenseunicorns/uds/identity-config:0.5.2
+ - rjferguson21/uds-core-config:25
 - name: keycloak
 required: true
@@ -36,8 +37,9 @@ components:
 valuesFiles:
 - "values/registry1-values.yaml"
 images:
- - registry1.dso.mil/ironbank/opensource/keycloak/keycloak:25.0.2
+ - registry1.dso.mil/ironbank/opensource/keycloak/keycloak:25.0.4
 - ghcr.io/defenseunicorns/uds/identity-config:0.5.2
+ - rjferguson21/uds-core-config:25
 - name: keycloak
 required: true
@@ -50,5 +52,6 @@ components:
 valuesFiles:
 - "values/unicorn-values.yaml"
 images:
- - cgr.dev/du-uds-defenseunicorns/keycloak:25.0.2 # todo: switch to FIPS image
+ - cgr.dev/du-uds-defenseunicorns/keycloak:25.0.4 # todo: switch to FIPS image
 - ghcr.io/defenseunicorns/uds/identity-config:0.5.2
+ - rjferguson21/uds-core-config:25
From bebea66544daedb1767beb68b8bce17624a88966 Mon Sep 17 00:00:00 2001
From: Rob Ferguson
Date: Tue, 27 Aug 2024 16:24:00 -0500
Subject: [PATCH 3/8] fix images
---
 src/keycloak/chart/templates/uds-package.yaml | 2 +-
 src/keycloak/zarf.yaml | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/keycloak/chart/templates/uds-package.yaml b/src/keycloak/chart/templates/uds-package.yaml
index 4ef21c99b..e5919fa04 100644
--- a/src/keycloak/chart/templates/uds-package.yaml
+++ b/src/keycloak/chart/templates/uds-package.yaml
@@ -95,7 +95,7 @@ spec:
 - name: redirect-metrics
 uri:
 prefix: /metrics
- redirect:
+ rewrite:
 uri: "/realms/{{ .Values.realm }}/account"
 headers:
 request:
diff --git a/src/keycloak/zarf.yaml b/src/keycloak/zarf.yaml
index 94a6c1c1e..18823ac52 100644
--- a/src/keycloak/zarf.yaml
+++ b/src/keycloak/zarf.yaml
@@ -20,7 +20,7 @@ components:
 valuesFiles:
 - "values/upstream-values.yaml"
 images:
- - quay.io/keycloak/keycloak:24.0.5
+ - quay.io/keycloak/keycloak:25.0.4
 - ghcr.io/defenseunicorns/uds/identity-config:0.6.0
 - rjferguson21/uds-core-config:25
@@ -37,7 +37,7 @@ components:
 valuesFiles:
 - "values/registry1-values.yaml"
 images:
- - registry1.dso.mil/ironbank/opensource/keycloak/keycloak:24.0.5
+ - registry1.dso.mil/ironbank/opensource/keycloak/keycloak:25.0.4
 - ghcr.io/defenseunicorns/uds/identity-config:0.6.0
 - rjferguson21/uds-core-config:25
@@ -52,6 +52,6 @@ components:
 valuesFiles:
 - "values/unicorn-values.yaml"
 images:
- - cgr.dev/du-uds-defenseunicorns/keycloak:24.0.5 # todo: switch to FIPS image
+ - cgr.dev/du-uds-defenseunicorns/keycloak:25.0.4 # todo: switch to FIPS image
 - ghcr.io/defenseunicorns/uds/identity-config:0.6.0
 - rjferguson21/uds-core-config:25
From 014fbf85d72260ea7e4eb93c4e31b6753819b204 Mon Sep 17 00:00:00 2001
From: Rob Ferguson
Date: Wed, 28 Aug 2024 15:00:25 -0500
Subject: [PATCH 4/8] ensure it works in ha mode
---
 src/keycloak/chart/templates/statefulset.yaml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/keycloak/chart/templates/statefulset.yaml b/src/keycloak/chart/templates/statefulset.yaml
index a21f013cd..d8ab04f27 100644
--- a/src/keycloak/chart/templates/statefulset.yaml
+++ b/src/keycloak/chart/templates/statefulset.yaml
@@ -64,8 +64,6 @@ spec:
 - "--spi-theme-static-max-age=-1"
 - "--spi-theme-cache-themes=false"
 - "--spi-theme-cache-templates=false"
- - "--proxy-headers=xforwarded"
- - "--http-enabled=true"
 - "--hostname-debug=true"
 {{- else }}
 - "start"
@@ -75,6 +73,9 @@ spec:
 # This will only import the realm if it does not exist
 - "--import-realm"
 - "--features=preview"
+ - "--proxy-headers=xforwarded"
+ - "--http-enabled=true"
+ - "--hostname-strict=false"
 {{- if .Values.jsonLogFormat }}
 - "--log-console-output=json"
 {{- end }}
From cb06312ef273ab4bd69dd740e18c4b849db23be2 Mon Sep 17 00:00:00 2001
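Review bot: `--hostname-strict=false` on the production `start` branch lets Keycloak derive its public hostname, and with it the token issuer, login and redirect URLs, from the incoming request, and with `--proxy-headers=xforwarded` that means from `X-Forwarded-Host`/`X-Forwarded-Proto`. That is acceptable only if the Istio ingress gateway always overwrites those headers rather than passing client-supplied values through (to my knowledge Envoy sets `X-Forwarded-Proto` but does not strip an incoming `X-Forwarded-Host` by default), so the trust assumption should be stated next to the flags, e.g. `# trusts X-Forwarded-* from the Istio gateway; issuer/redirect URLs follow the forwarded host`. Pinning `--hostname` explicitly, as PATCH 5/8 briefly does, removes the dependency on headers altogether; PATCH 6/8 returns to `--hostname-strict=false` and carries the same concern. The `args` list begins outside the hunk.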
From: Rob Ferguson
Date: Fri, 30 Aug 2024 14:20:26 -0500
Subject: [PATCH 5/8] wip hostname v2
---
 bundles/k3d-slim-dev/uds-bundle.yaml | 18 ++++++++++++++++++
 bundles/k3d-standard/uds-bundle.yaml | 18 ++++++++++++++++++
 bundles/k3d-standard/uds-ha-config.yaml | 8 ++++++++
 src/keycloak/chart/templates/statefulset.yaml | 5 ++++-
 tasks.yaml | 8 ++++++++
 tasks/deploy.yaml | 7 +++++++
 tasks/test.yaml | 8 ++++++++
 7 files changed, 71 insertions(+), 1 deletion(-)
 create mode 100644 bundles/k3d-standard/uds-ha-config.yaml
diff --git a/bundles/k3d-slim-dev/uds-bundle.yaml b/bundles/k3d-slim-dev/uds-bundle.yaml
index 9c1805c46..656ed1ff0 100644
--- a/bundles/k3d-slim-dev/uds-bundle.yaml
+++ b/bundles/k3d-slim-dev/uds-bundle.yaml
@@ -61,6 +61,24 @@ packages:
 - name: INSECURE_ADMIN_PASSWORD_GENERATION
 description: "Generate an insecure admin password for dev/test"
 path: insecureAdminPasswordGeneration.enabled
+ - name: KEYCLOAK_HA
+ description: "Enable Keycloak HA"
+ path: autoscaling.enabled
+ - name: KEYCLOAK_PG_USERNAME
+ description: "Keycloak Postgres username"
+ path: postgresql.username
+ - name: KEYCLOAK_PG_PASSWORD
+ description: "Keycloak Postgres password"
+ path: postgresql.password
+ - name: KEYCLOAK_PG_DATABASE
+ description: "Keycloak Postgres database"
+ path: postgresql.database
+ - name: KEYCLOAK_PG_HOST
+ description: "Keycloak Postgres host"
+ path: postgresql.host
+ - name: KEYCLOAK_DEVMODE
+ description: "Enables Keycloak dev mode"
+ path: devMode
 values:
 - path: realmInitEnv
 value:
diff --git a/bundles/k3d-standard/uds-bundle.yaml b/bundles/k3d-standard/uds-bundle.yaml
index 676fcd696..302b68f19 100644
--- a/bundles/k3d-standard/uds-bundle.yaml
+++ b/bundles/k3d-standard/uds-bundle.yaml
@@ -100,6 +100,24 @@ packages:
 - name: INSECURE_ADMIN_PASSWORD_GENERATION
 description: "Generate an insecure admin password for dev/test"
 path: insecureAdminPasswordGeneration.enabled
+ - name: KEYCLOAK_HA
+ description: "Enable Keycloak HA"
+ path: autoscaling.enabled
+ - name: KEYCLOAK_PG_USERNAME
+ description: "Keycloak Postgres username"
+ path: postgresql.username
+ - name: KEYCLOAK_PG_PASSWORD
+ description: "Keycloak Postgres password"
+ path: postgresql.password
+ - name: KEYCLOAK_PG_DATABASE
+ description: "Keycloak Postgres database"
+ path: postgresql.database
+ - name: KEYCLOAK_PG_HOST
+ description: "Keycloak Postgres host"
+ path: postgresql.host
+ - name: KEYCLOAK_DEVMODE
+ description: "Enables Keycloak dev mode"
+ path: devMode
 values:
 - path: realmInitEnv
 value:
diff --git a/bundles/k3d-standard/uds-ha-config.yaml b/bundles/k3d-standard/uds-ha-config.yaml
new file mode 100644
index 000000000..e5784f45c
--- /dev/null
+++ b/bundles/k3d-standard/uds-ha-config.yaml
@@ -0,0 +1,8 @@
+variables:
+ core:
+ keycloak_ha: true
+ keycloak_pg_username: keycloak
+ keycloak_pg_password: password
+ keycloak_pg_database: keycloak
+ keycloak_pg_host: host.k3d.internal
+ keycloak_devmode: false
\ No newline at end of file
diff --git a/src/keycloak/chart/templates/statefulset.yaml b/src/keycloak/chart/templates/statefulset.yaml
index d8ab04f27..ba9e2791f 100644
--- a/src/keycloak/chart/templates/statefulset.yaml
+++ b/src/keycloak/chart/templates/statefulset.yaml
@@ -75,7 +75,10 @@ spec:
 - "--features=preview"
 - "--proxy-headers=xforwarded"
 - "--http-enabled=true"
- - "--hostname-strict=false"
+ - --hostname-strict=true
+ - --hostname-debug=true
+ - "--hostname=https://sso.{{ .Values.domain }}"
+ - "--hostname-admin=https://keycloak.admin.{{ .Values.domain }}"
 {{- if .Values.jsonLogFormat }}
 - "--log-console-output=json"
 {{- end }}
diff --git a/tasks.yaml b/tasks.yaml
index 370d05bb1..0ee6c3e46 100644
--- a/tasks.yaml
+++ b/tasks.yaml
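Review bot: The new `uds-ha-config.yaml` commits a literal database password (`keycloak_pg_password: password`) that is duplicated in the `docker run` line of `tasks.yaml` in this same commit, with nothing in the file saying it is a throwaway value for the local k3d harness. A header comment would stop it being copied into a real overlay, e.g. `# dev/test only: throwaway credentials for the local k3d HA harness; must match the postgres container started by tasks.yaml`. The file also ends without a trailing newline (`\ No newline at end of file`), which PATCH 7/8 fixes.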
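Review bot: `--hostname-debug=true` is now on the non-dev `start` branch, so every production deployment would expose the hostname debug page; it should be dropped or gated on `.Values.devMode`. Two of the four new entries (`- --hostname-strict=true`, `- --hostname-debug=true`) are also unquoted while every neighbouring entry is double-quoted; write them as `- "--hostname-strict=true"` and `- "--hostname-debug=true"` for consistency. PATCH 6/8 removes this whole group again, so the point mostly matters if the series is not squashed. The `args` list begins outside the hunk.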
@@ -102,6 +102,14 @@ tasks:
 actions:
 - task: test:uds-core
+ - name: test-uds-core-ha
+ description: "Build and test UDS Core"
+ actions:
+ - cmd: docker stop my-postgres && docker rm my-postgres || true
+ - cmd: docker network create k3d-uds || true
+ - cmd: docker run -p 5432:5432 --network=k3d-uds --name my-postgres -e POSTGRES_DB=keycloak -e POSTGRES_USER=keycloak -e POSTGRES_PASSWORD=password -d postgres
+ - task: test:uds-core-ha
+
 - name: test-uds-core-upgrade
 description: "Test an upgrade from the latest released UDS Core package to current branch"
 actions:
diff --git a/tasks/deploy.yaml b/tasks/deploy.yaml
index 9ef7959d2..c841f2ceb 100644
--- a/tasks/deploy.yaml
+++ b/tasks/deploy.yaml
@@ -16,6 +16,13 @@ tasks:
 - description: "Deploy the UDS Core Standard Bundle"
 cmd: uds deploy bundles/k3d-standard/uds-bundle-k3d-core-demo-${UDS_ARCH}-${VERSION}.tar.zst --confirm --no-progress
+ - name: k3d-standard-bundle-ha
+ actions:
+ - description: "Deploy the UDS Core Standard Bundle"
+ cmd: uds deploy bundles/k3d-standard/uds-bundle-k3d-core-demo-${UDS_ARCH}-${VERSION}.tar.zst --confirm --no-progress
+ env:
+ - UDS_CONFIG=bundles/k3d-standard/uds-ha-config.yaml
+
 - name: k3d-slim-dev-bundle
 actions:
 - description: "Deploy the UDS Core Slim Dev Only Bundle"
diff --git a/tasks/test.yaml b/tasks/test.yaml
index d4d26cf60..d1a65f342 100644
--- a/tasks/test.yaml
+++ b/tasks/test.yaml
@@ -33,6 +33,14 @@ tasks:
 - task: deploy:k3d-standard-bundle
 - task: validate-packages
+ - name: uds-core-ha
+ description: "Build and test UDS Core"
+ actions:
+ - task: create:standard-package
+ - task: create:k3d-standard-bundle
+ - task: deploy:k3d-standard-bundle-ha
+ - task: validate-packages
+
 - name: uds-core-upgrade
 description: "Test an upgrade from the latest released UDS Core package to current branch"
 actions:
From f0d868f573f9c620e9bbf1305abb50335a37e212 Mon Sep 17 00:00:00 2001
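Review bot: The three new HA tasks reuse the descriptions of their non-HA counterparts verbatim: `description: "Build and test UDS Core"` on `test-uds-core-ha` (tasks.yaml) and `uds-core-ha` (tasks/test.yaml), and `description: "Deploy the UDS Core Standard Bundle"` on `k3d-standard-bundle-ha` (tasks/deploy.yaml), so a task listing cannot tell them apart. Say what differs, e.g. `description: "Build and test UDS Core with Keycloak in HA mode against a local Postgres container"` and `description: "Deploy the UDS Core Standard Bundle with the HA config (uds-ha-config.yaml)"`. The `docker run` line also hard-codes `POSTGRES_PASSWORD=password`, which `bundles/k3d-standard/uds-ha-config.yaml` repeats; a comment above it such as `# dev-only throwaway credentials; keep in sync with bundles/k3d-standard/uds-ha-config.yaml` would make the coupling visible.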
From: Rob Ferguson
Date: Tue, 3 Sep 2024 13:27:45 -0500
Subject: [PATCH 6/8] add redirect to advancedHTTP
---
 src/keycloak/chart/templates/statefulset.yaml | 6 +-
 src/keycloak/chart/templates/uds-package.yaml | 2 +-
 .../controllers/istio/virtual-service.spec.ts | 19 +++++-
 .../controllers/istio/virtual-service.ts | 2 +-
 .../crd/generated/package-v1alpha1.ts | 48 +++++++++++++++
 .../sources/istio/virtualservice-v1beta1.ts | 61 ++++++++++++++++++-
 6 files changed, 129 insertions(+), 9 deletions(-)
diff --git a/src/keycloak/chart/templates/statefulset.yaml b/src/keycloak/chart/templates/statefulset.yaml
index ba9e2791f..4e4521381 100644
--- a/src/keycloak/chart/templates/statefulset.yaml
+++ b/src/keycloak/chart/templates/statefulset.yaml
@@ -64,7 +64,6 @@ spec:
 - "--spi-theme-static-max-age=-1"
 - "--spi-theme-cache-themes=false"
 - "--spi-theme-cache-templates=false"
- - "--hostname-debug=true"
 {{- else }}
 - "start"
 # # Needed for nginx provider
@@ -75,10 +74,7 @@ spec:
 - "--features=preview"
 - "--proxy-headers=xforwarded"
 - "--http-enabled=true"
- - --hostname-strict=true
- - --hostname-debug=true
- - "--hostname=https://sso.{{ .Values.domain }}"
- - "--hostname-admin=https://keycloak.admin.{{ .Values.domain }}"
+ - "--hostname-strict=false"
 {{- if .Values.jsonLogFormat }}
 - "--log-console-output=json"
 {{- end }}
diff --git a/src/keycloak/chart/templates/uds-package.yaml b/src/keycloak/chart/templates/uds-package.yaml
index e5919fa04..4ef21c99b 100644
--- a/src/keycloak/chart/templates/uds-package.yaml
+++ b/src/keycloak/chart/templates/uds-package.yaml
@@ -95,7 +95,7 @@ spec:
 - name: redirect-metrics
 uri:
 prefix: /metrics
- rewrite:
+ redirect:
 uri: "/realms/{{ .Values.realm }}/account"
 headers:
 request:
diff --git a/src/pepr/operator/controllers/istio/virtual-service.spec.ts b/src/pepr/operator/controllers/istio/virtual-service.spec.ts
index 890d0c12b..f07f6fe17 100644
--- a/src/pepr/operator/controllers/istio/virtual-service.spec.ts
+++ b/src/pepr/operator/controllers/istio/virtual-service.spec.ts
@@ -1,7 +1,7 @@
 import { describe, expect, it } from "@jest/globals";
 import { UDSConfig } from "../../../config";
-import { generateVirtualService } from "./virtual-service";
 import { Expose, Gateway } from "../../crd";
+import { generateVirtualService } from "./virtual-service";
 describe("test generate virtual service", () => {
 const ownerRefs = [
@@ -109,4 +109,21 @@ describe("test generate virtual service", () => {
 );
 expect(payload.spec!.http![0].route![0].destination?.port?.number).toEqual(port);
 });
+
+ it.only("should create a redirect VirtualService object", () => {
+ const gateway = Gateway.Tenant;
+ const expose: Expose = {
+ gateway,
+ host,
+ port,
+ service,
+ advancedHTTP: { redirect: { uri: "https://example.com" } },
+ };
+
+ const payload = generateVirtualService(expose, namespace, pkgName, generation, ownerRefs);
+
+ expect(payload).toBeDefined();
+ expect(payload.spec!.http![0].route).toBeUndefined();
+ expect(payload.spec!.http![0].redirect?.uri).toEqual("https://example.com");
+ });
 });
diff --git a/src/pepr/operator/controllers/istio/virtual-service.ts b/src/pepr/operator/controllers/istio/virtual-service.ts
index 3fa892b39..983624975 100644
--- a/src/pepr/operator/controllers/istio/virtual-service.ts
+++ b/src/pepr/operator/controllers/istio/virtual-service.ts
@@ -40,7 +40,7 @@ export function generateVirtualService(
 },
 ];
- if (!advancedHTTP.directResponse) {
+ if (!advancedHTTP.directResponse && !advancedHTTP.redirect) {
 // Create the route to the service if not using advancedHTTP.directResponse
 http.route = route;
 }
diff --git a/src/pepr/operator/crd/generated/package-v1alpha1.ts b/src/pepr/operator/crd/generated/package-v1alpha1.ts
index cd0f7330c..1721ffe9b 100644
--- a/src/pepr/operator/crd/generated/package-v1alpha1.ts
+++ b/src/pepr/operator/crd/generated/package-v1alpha1.ts
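Review bot: `it.only(` in the new case disables every other test in `virtual-service.spec.ts` whenever the suite runs, so the existing coverage for routes, ports and gateways silently stops executing; change it to `it("should create a redirect VirtualService object", () => {`. In the `virtual-service.ts` hunk the comment on the guard still reads `// Create the route to the service if not using advancedHTTP.directResponse` although the condition now also excludes `redirect`; update it to `// Create the route to the service unless advancedHTTP.directResponse or advancedHTTP.redirect is set`. Both the `describe` block and `generateVirtualService` begin and end outside their hunks.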
@@ -250,6 +250,10 @@ export interface AdvancedHTTP {
 * passthrough gateway.
 */
 match?: AdvancedHTTPMatch[];
+ /**
+ * A HTTP rule can either return a direct_response, redirect or forward (default) traffic.
+ */
+ redirect?: Redirect;
 /**
 * Retry policy for HTTP requests.
 */
@@ -395,6 +399,50 @@ export interface PurpleURI {
 regex?: string;
 }
+/**
+ * A HTTP rule can either return a direct_response, redirect or forward (default) traffic.
+ */
+export interface Redirect {
+ /**
+ * On a redirect, overwrite the Authority/Host portion of the URL with this value.
+ */
+ authority?: string;
+ /**
+ * On a redirect, dynamically set the port: * FROM_PROTOCOL_DEFAULT: automatically set to 80
+ * for HTTP and 443 for HTTPS.
+ *
+ * Valid Options: FROM_PROTOCOL_DEFAULT, FROM_REQUEST_PORT
+ */
+ derivePort?: DerivePort;
+ /**
+ * On a redirect, overwrite the port portion of the URL with this value.
+ */
+ port?: number;
+ /**
+ * On a redirect, Specifies the HTTP status code to use in the redirect response.
+ */
+ redirectCode?: number;
+ /**
+ * On a redirect, overwrite the scheme portion of the URL with this value.
+ */
+ scheme?: string;
+ /**
+ * On a redirect, overwrite the Path portion of the URL with this value.
+ */
+ uri?: string;
+}
+
+/**
+ * On a redirect, dynamically set the port: * FROM_PROTOCOL_DEFAULT: automatically set to 80
+ * for HTTP and 443 for HTTPS.
+ *
+ * Valid Options: FROM_PROTOCOL_DEFAULT, FROM_REQUEST_PORT
+ */
+export enum DerivePort {
+ FromProtocolDefault = "FROM_PROTOCOL_DEFAULT",
+ FromRequestPort = "FROM_REQUEST_PORT",
+}
+
 /**
 * Retry policy for HTTP requests.
 */
diff --git a/src/pepr/operator/crd/sources/istio/virtualservice-v1beta1.ts b/src/pepr/operator/crd/sources/istio/virtualservice-v1beta1.ts
index 4e8fd69cc..5a30ff039 100644
--- a/src/pepr/operator/crd/sources/istio/virtualservice-v1beta1.ts
+++ b/src/pepr/operator/crd/sources/istio/virtualservice-v1beta1.ts
@@ -228,6 +228,65 @@ export const advancedHTTP: V1JSONSchemaProps = {
 },
 type: "object",
 },
+ redirect: {
+ description:
+ "A HTTP rule can either return a direct_response, redirect or forward (default) traffic.",
+ oneOf: [
+ {
+ not: {
+ anyOf: [
+ {
+ required: ["port"],
+ },
+ {
+ required: ["derivePort"],
+ },
+ ],
+ },
+ },
+ {
+ required: ["port"],
+ },
+ {
+ required: ["derivePort"],
+ },
+ ],
+ properties: {
+ authority: {
+ description:
+ "On a redirect, overwrite the Authority/Host portion of the URL with this value.",
+ type: "string",
+ },
+ port: {
+ description: "On a redirect, overwrite the port portion of the URL with this value.",
+ maximum: 4294967295,
+ minimum: 0,
+ type: "integer",
+ },
+ derivePort: {
+ description:
+ "On a redirect, dynamically set the port: * FROM_PROTOCOL_DEFAULT: automatically set to 80 for HTTP and 443 for HTTPS.\n\nValid Options: FROM_PROTOCOL_DEFAULT, FROM_REQUEST_PORT",
+ enum: ["FROM_PROTOCOL_DEFAULT", "FROM_REQUEST_PORT"],
+ type: "string",
+ },
+ redirectCode: {
+ description:
+ "On a redirect, Specifies the HTTP status code to use in the redirect response.",
+ maximum: 4294967295,
+ minimum: 0,
+ type: "integer",
+ },
+ scheme: {
+ description: "On a redirect, overwrite the scheme portion of the URL with this value.",
+ type: "string",
+ },
+ uri: {
+ description: "On a redirect, overwrite the Path portion of the URL with this value.",
+ type: "string",
+ },
+ },
+ type: "object",
+ },
 retries: {
 description: "Retry policy for HTTP requests.",
 properties: {
@@ -265,4 +324,4 @@ export const advancedHTTP: V1JSONSchemaProps = {
 },
 },
 type: "object",
-};
+} as V1JSONSchemaProps;
From b62c9512f4d4b0d2d9c58bc0e0dcb368b6c2bd63 Mon Sep 17 00:00:00 2001
From: Rob Ferguson
Date: Tue, 3 Sep 2024 13:30:14 -0500
Subject: [PATCH 7/8] fix yaml lint
---
 bundles/k3d-standard/uds-ha-config.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
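Review bot: The trailing `} as V1JSONSchemaProps;` is a type assertion on a value that is already annotated `export const advancedHTTP: V1JSONSchemaProps = {`; if it was added to get the new `redirect.oneOf` block (`not: { anyOf: [...] }`) past the compiler, it also switches off excess-property checking for the whole schema object, so a misspelt key anywhere in this file would no longer be caught. Prefer fixing the type of the one sub-object that fails (or narrowing a cast to that entry) and keeping the original `};`. Separately, the schema still allows `redirect` and `directResponse` on the same rule, which Istio rejects as far as I know; a `not: { required: ["directResponse", "redirect"] }` at the `advancedHTTP` level would surface that at Package admission rather than when the VirtualService is applied, worth confirming against the Istio API before adding. The `advancedHTTP` object begins before the first hunk.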
diff --git a/bundles/k3d-standard/uds-ha-config.yaml b/bundles/k3d-standard/uds-ha-config.yaml
index e5784f45c..24b0119cd 100644
--- a/bundles/k3d-standard/uds-ha-config.yaml
+++ b/bundles/k3d-standard/uds-ha-config.yaml
@@ -5,4 +5,4 @@ variables:
 keycloak_pg_password: password
 keycloak_pg_database: keycloak
 keycloak_pg_host: host.k3d.internal
- keycloak_devmode: false
\ No newline at end of file
+ keycloak_devmode: false
From 06009ab1681b121e8ae78c660652571d53903e20 Mon Sep 17 00:00:00 2001
From: Rob Ferguson
Date: Thu, 5 Sep 2024 12:20:41 -0500
Subject: [PATCH 8/8] use release identity config
---
 src/keycloak/chart/values.yaml | 3 +--
 src/keycloak/tasks.yaml | 2 +-
 src/keycloak/zarf.yaml | 9 +++------
 3 files changed, 5 insertions(+), 9 deletions(-)
diff --git a/src/keycloak/chart/values.yaml b/src/keycloak/chart/values.yaml
index d99251179..e5ee480c8 100644
--- a/src/keycloak/chart/values.yaml
+++ b/src/keycloak/chart/values.yaml
@@ -7,8 +7,7 @@ image:
 pullPolicy: IfNotPresent
 # renovate: datasource=github-tags depName=defenseunicorns/uds-identity-config versioning=semver
-# configImage: ghcr.io/defenseunicorns/uds/identity-config:0.6.0
-configImage: rjferguson21/uds-core-config:25
+configImage: ghcr.io/defenseunicorns/uds/identity-config:0.6.1
 # The public domain name of the Keycloak server
 domain: "###ZARF_VAR_DOMAIN###"
diff --git a/src/keycloak/tasks.yaml b/src/keycloak/tasks.yaml
index 67b146103..95fe48108 100644
--- a/src/keycloak/tasks.yaml
+++ b/src/keycloak/tasks.yaml
@@ -1,5 +1,5 @@
 includes:
- - config: https://raw.githubusercontent.com/defenseunicorns/uds-identity-config/v0.6.0/tasks.yaml
+ - config: https://raw.githubusercontent.com/defenseunicorns/uds-identity-config/v0.6.1/tasks.yaml
 tasks:
 - name: validate
diff --git a/src/keycloak/zarf.yaml b/src/keycloak/zarf.yaml
index 18823ac52..dd24b2eac 100644
--- a/src/keycloak/zarf.yaml
+++ b/src/keycloak/zarf.yaml
@@ -21,8 +21,7 @@ components:
 - "values/upstream-values.yaml"
 images:
 - quay.io/keycloak/keycloak:25.0.4
- - ghcr.io/defenseunicorns/uds/identity-config:0.6.0
- - rjferguson21/uds-core-config:25
+ - ghcr.io/defenseunicorns/uds/identity-config:0.6.1
 - name: keycloak
 required: true
@@ -38,8 +37,7 @@ components:
 - "values/registry1-values.yaml"
 images:
 - registry1.dso.mil/ironbank/opensource/keycloak/keycloak:25.0.4
- - ghcr.io/defenseunicorns/uds/identity-config:0.6.0
- - rjferguson21/uds-core-config:25
+ - ghcr.io/defenseunicorns/uds/identity-config:0.6.1
 - name: keycloak
 required: true
@@ -53,5 +51,4 @@ components:
 valuesFiles:
 - "values/unicorn-values.yaml"
 images:
 - cgr.dev/du-uds-defenseunicorns/keycloak:25.0.4 # todo: switch to FIPS image
- - ghcr.io/defenseunicorns/uds/identity-config:0.6.0
- - rjferguson21/uds-core-config:25
+ - ghcr.io/defenseunicorns/uds/identity-config:0.6.1