diff --git a/packages/standard/zarf.yaml b/packages/standard/zarf.yaml
index ea15a9c02..ebbbc1a8c 100644
--- a/packages/standard/zarf.yaml
+++ b/packages/standard/zarf.yaml
@@ -8,6 +8,7 @@ metadata:
 # x-release-please-end
 components:
+ # CRDs
 - name: prometheus-operator-crds
 required: true
 import:
@@ -65,12 +66,20 @@ components:
 import:
 path: ../../src/prometheus-stack
+ # Promtail
 - name: promtail
 required: true
 import:
 path: ../../src/promtail
+ # Grafana
 - name: grafana
 required: true
 import:
 path: ../../src/grafana
+
+ # Authservice
+ - name: authservice
+ required: true
+ import:
+ path: ../../src/authservice
diff --git a/src/authservice/chart/Chart.yaml b/src/authservice/chart/Chart.yaml
new file mode 100644
index 000000000..b66be7037
--- /dev/null
+++ b/src/authservice/chart/Chart.yaml
@@ -0,0 +1,23 @@
+apiVersion: v2
+name: authservice
+description: A Helm chart for Istio Authservice
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.5.3
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+appVersion: 0.5.3
diff --git a/src/authservice/chart/templates/_helpers.tpl b/src/authservice/chart/templates/_helpers.tpl
new file mode 100644
index 000000000..c081b1d37
--- /dev/null
+++ b/src/authservice/chart/templates/_helpers.tpl
@@ -0,0 +1,58 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "authservice.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "authservice.fullname" -}}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "authservice.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "authservice.labels" -}}
+helm.sh/chart: {{ include "authservice.chart" . }}
+{{ include "authservice.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "authservice.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "authservice.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "authservice.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "authservice.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
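Review bot: `authservice.serviceAccountName` dereferences `.Values.serviceAccount.create` and `.Values.serviceAccount.name`, but values.yaml in this change declares no `serviceAccount` map, so any template that includes the helper will fail at render time with a nil-pointer error on the `create` lookup. Nothing in the diff includes it (deployment.yaml sets no `serviceAccountName`), so for now it is unused scaffold from `helm create`. Either delete the define, or add `serviceAccount: {create: true, name: ""}` to values.yaml and set `serviceAccountName: {{ include "authservice.serviceAccountName" . }}` in the Deployment so the pod runs under a dedicated account rather than the namespace default. The other helpers are the standard scaffold and read fine.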
diff --git a/src/authservice/chart/templates/authn.yaml b/src/authservice/chart/templates/authn.yaml
new file mode 100644
index 000000000..1c16c105c
--- /dev/null
+++ b/src/authservice/chart/templates/authn.yaml
@@ -0,0 +1,20 @@
+# Authservice is non-functional without Istio/RequestAuthentication but we wrap this in a conditional to handle standalone testing
+{{- if .Capabilities.APIVersions.Has "security.istio.io/v1beta1" }}
+apiVersion: security.istio.io/v1beta1
+kind: RequestAuthentication
+metadata:
+ name: jwt-authn
+ namespace: istio-system
+spec:
+ selector:
+ matchLabels:
+ {{ .Values.selector.key }}: {{ .Values.selector.value | quote }}
+ jwtRules:
+ - issuer: https://{{ .Values.global.oidc.host }}/auth/realms/{{ .Values.global.oidc.realm }}
+ {{- if .Values.global.jwks }}
+ jwks: {{ .Values.global.jwks | quote }}
+ {{- else }}
+ jwksUri: https://{{ .Values.global.oidc.host }}/auth/realms/{{ .Values.global.oidc.realm }}/protocol/openid-connect/certs
+ {{- end }}
+ forwardOriginalToken: true
+{{- end }}
diff --git a/src/authservice/chart/templates/authz.yaml b/src/authservice/chart/templates/authz.yaml
new file mode 100644
index 000000000..c428885f2
--- /dev/null
+++ b/src/authservice/chart/templates/authz.yaml
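Review bot: The issuer `https://{{ .Values.global.oidc.host }}/auth/realms/{{ .Values.global.oidc.realm }}` is assembled inline on the `issuer:` line, again in authz.yaml (`requestPrincipals`), and several more times in secret.yaml; a single `{{- define "authservice.oidcIssuer" -}}` in _helpers.tpl would keep the issuer RequestAuthentication validates, the principal prefix AuthorizationPolicy requires, and the endpoints in config.json from drifting apart, since any mismatch with the token's `iss` claim rejects every request. Worth a comment above `jwtRules` that the `/auth/realms/` layout is Keycloak-specific (values.yaml already says the URL construction assumes Keycloak). Because the resource lives in `istio-system`, the `matchLabels` selector applies to pods carrying the selector label in every namespace rather than one; a one-line comment stating that intent next to `namespace: istio-system` would help the next reader.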
@@ -0,0 +1,41 @@
+# Authservice is non-functional without Istio/AuthorizationPolicy but we wrap this in a conditional to handle standalone testing
+{{- if .Capabilities.APIVersions.Has "security.istio.io/v1beta1" }}
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+ name: authservice
+ namespace: istio-system
+spec:
+ selector:
+ matchLabels:
+ {{ .Values.selector.key }}: {{ .Values.selector.value | quote }}
+ action: CUSTOM
+ provider:
+ name: authservice
+ rules:
+ {{- if .Values.allow_unmatched_requests }}
+ - {}
+ {{- else if .Values.custom_authpolicy_rules }}
+{{ .Values.custom_authpolicy_rules | toYaml | indent 2 }}
+ {{- else }}
+ - to:
+ - operation:
+ hosts:
+ - "*.{{ .Values.domain }}"
+ {{- end }}
+---
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+ name: jwt-authz
+ namespace: istio-system
+spec:
+ selector:
+ matchLabels:
+ {{ .Values.selector.key }}: {{ .Values.selector.value | quote }}
+ rules:
+ - from:
+ - source:
+ requestPrincipals:
+ - "https://{{ .Values.global.oidc.host }}/auth/realms/{{ .Values.global.oidc.realm }}/*"
+{{- end }}
diff --git a/src/authservice/chart/templates/deployment.yaml b/src/authservice/chart/templates/deployment.yaml
new file mode 100644
index 000000000..2729985d8
--- /dev/null
+++ b/src/authservice/chart/templates/deployment.yaml
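Review bot: The final `{{- else }}` branch reads `.Values.domain`, which values.yaml in this change does not declare, so when both `allow_unmatched_requests` and `custom_authpolicy_rules` are empty the rule renders as `hosts: - "*."` and the CUSTOM action matches no real host. With the shipped defaults that branch is unreachable, because values.yaml gives `custom_authpolicy_rules` a non-empty default and `{{- else if .Values.custom_authpolicy_rules }}` wins first; a reader of this template would not guess that. Declare `domain: ""` in values.yaml with a doc comment and guard it, e.g. `{{- required "domain must be set when custom_authpolicy_rules is empty" .Values.domain }}`, or drop the branch. The deploy.yaml hunk sets `DOMAIN` on the pepr package, but nothing visible in this diff maps that into this chart, so the value presumably arrives from outside the change.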
@@ -0,0 +1,99 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "authservice.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "authservice.labels" . | nindent 4 }}
+spec:
+{{- if not .Values.autoscaling.enabled }}
+ replicas: {{ .Values.replicaCount }}
+{{- end }}
+ selector:
+ matchLabels:
+ {{- include "authservice.selectorLabels" . | nindent 6 }}
+ template:
+ metadata:
+ annotations:
+ checksum/config: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }}
+ {{- with .Values.podAnnotations }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ labels:
+ {{- include "authservice.selectorLabels" . | nindent 8 }}
+ spec:
+ securityContext:
+ {{- toYaml .Values.podSecurityContext | nindent 8 }}
+ containers:
+ - name: {{ .Chart.Name }}
+ securityContext:
+ {{- toYaml .Values.securityContext | nindent 12 }}
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ {{- if .Values.global.certificate_authority }}
+ env:
+ - name: SSL_CERT_FILE
+ value: /mnt/ca-bundle/ca-bundle.crt
+ {{- end}}
+ ports:
+ - name: http
+ containerPort: 10003
+ protocol: TCP
+ livenessProbe:
+ tcpSocket:
+ port: 10003
+ readinessProbe:
+ tcpSocket:
+ port: 10003
+ resources:
+ {{- toYaml .Values.resources | nindent 12 }}
+ volumeMounts:
+ - name: {{ include "authservice.name" . }}
+ mountPath: /etc/authservice
+ {{- if .Values.global.certificate_authority }}
+ - name: ca-bundle
+ mountPath: /mnt/ca-bundle
+ {{- end }}
+ {{- if .Values.global.certificate_authority }}
+ initContainers:
+ - name: update-ca-bundle
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+ securityContext:
+ {{- toYaml .Values.securityContext | nindent 12 }}
+ command:
+ - sh
+ - -c
+ - |
+ cat /etc/pki/tls/certs/* > /mnt/ca-bundle/ca-bundle.crt
+ volumeMounts:
+ - name: sso-tls-ca
+ mountPath: /etc/pki/tls/certs/oidc-ca.crt
+ subPath: oidc-ca.crt
+ readOnly: true
+ - name: ca-bundle
+ mountPath: /mnt/ca-bundle
+ {{- end }}
+ {{- with .Values.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ volumes:
+ - name: {{ include "authservice.name" . }}
+ secret:
+ secretName: {{ include "authservice.fullname" . }}
+ {{- if .Values.global.certificate_authority }}
+ - name: sso-tls-ca
+ secret:
+ secretName: {{ include "authservice.fullname" . }}-sso-tls-ca
+ - name: ca-bundle
+ emptyDir:
+ sizeLimit: 5Mi
+ {{- end}}
diff --git a/src/authservice/chart/templates/hpa.yaml b/src/authservice/chart/templates/hpa.yaml
new file mode 100644
index 000000000..e5a4cb8ea
--- /dev/null
+++ b/src/authservice/chart/templates/hpa.yaml
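Review bot: `image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"` (the main container and again the `update-ca-bundle` init container) renders an empty tag with the chart's own values.yaml, whose `tag: ""` comment promises a fallback to the chart appVersion that the template never implements; only the flavor values files supply a tag. Use `image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"` in both places so a plain `helm template` of the chart yields a pullable reference. Separately, `podSecurityContext` and `securityContext` default to `{}` in values.yaml; for a pod whose mounted Secret carries the OIDC client secrets, shipping `runAsNonRoot: true`, `readOnlyRootFilesystem: true` and `capabilities: {drop: [ALL]}` as defaults is worth it, and the init container only writes to the `ca-bundle` emptyDir so a read-only root filesystem does not break it.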
@@ -0,0 +1,33 @@
+{{- if .Values.autoscaling.enabled }}
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+ name: {{ include "authservice.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "authservice.labels" . | nindent 4 }}
+spec:
+ scaleTargetRef:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: {{ include "authservice.fullname" . }}
+ minReplicas: {{ .Values.autoscaling.minReplicas }}
+ maxReplicas: {{ .Values.autoscaling.maxReplicas }}
+ metrics:
+ {{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
+ - type: Resource
+ resource:
+ name: cpu
+ target:
+ type: Utilization
+ averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
+ {{- end }}
+ {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
+ - type: Resource
+ resource:
+ name: memory
+ target:
+ type: Utilization
+ averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
+ {{- end }}
+{{- end }}
diff --git a/src/authservice/chart/templates/secret-ca.yaml b/src/authservice/chart/templates/secret-ca.yaml
new file mode 100644
index 000000000..c62a57470
--- /dev/null
+++ b/src/authservice/chart/templates/secret-ca.yaml
@@ -0,0 +1,11 @@
+{{- if .Values.global.certificate_authority }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "authservice.fullname" . }}-sso-tls-ca
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "authservice.labels" . | nindent 4 }}
+stringData:
+ oidc-ca.crt: {{ .Values.global.certificate_authority | quote }}
+{{- end }}
\ No newline at end of file
diff --git a/src/authservice/chart/templates/secret.yaml b/src/authservice/chart/templates/secret.yaml
new file mode 100644
index 000000000..8df1a07bb
--- /dev/null
+++ b/src/authservice/chart/templates/secret.yaml
@@ -0,0 +1,139 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "authservice.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "authservice.labels" . | nindent 4 }}
+stringData:
+ config.json: |
+ {
+ "allow_unmatched_requests": {{ .Values.allow_unmatched_requests }},
+ "listen_address": "0.0.0.0",
+ "listen_port": "10003",
+ {{- if .Values.trigger_rules }}
+ "trigger_rules": {{ toJson .Values.trigger_rules }},
+ {{- end }}
+ "log_level": "{{ .Values.config.logLevel }}",
+ "default_oidc_config": {
+ "skip_verify_peer_cert": {{ $.Values.global.skip_verify_peer_cert }},
+ "authorization_uri": "https://{{ $.Values.global.oidc.host }}/auth/realms/{{ $.Values.global.oidc.realm }}/protocol/openid-connect/auth",
+ "token_uri": "https://{{ $.Values.global.oidc.host }}/auth/realms/{{ $.Values.global.oidc.realm }}/protocol/openid-connect/token",
+ {{- if $.Values.global.jwks }}
+ "jwks": {{ $.Values.global.jwks | quote }},
+ {{- else }}
+ "jwks_fetcher": {
+ "jwks_uri": "https://{{ $.Values.global.oidc.host }}/auth/realms/{{ $.Values.global.oidc.realm }}/protocol/openid-connect/certs",
+ "periodic_fetch_interval_sec": {{ $.Values.global.periodic_fetch_interval_sec }},
+ "skip_verify_peer_cert": "{{ $.Values.global.skip_verify_peer_cert }}"
+ },
+ {{- end }}
+ "client_id": "{{ $.Values.global.client_id }}",
+ "client_secret": "{{ $.Values.global.client_secret }}",
+ "id_token": {
+ "preamble": "Bearer",
+ "header": "Authorization"
+ },
+ "access_token": {
+ "header": "JWT"
+ },
+ {{- if contains "\\n" $.Values.global.certificate_authority }}
+ "trusted_certificate_authority": "{{ $.Values.global.certificate_authority }}",
+ {{- else }}
+ "trusted_certificate_authority": {{ $.Values.global.certificate_authority | quote }},
+ {{- end }}
+ "logout": {
+ "path": "{{ $.Values.global.logout_path }}"{{ if $.Values.global.logout_redirect_uri }},
+ "redirect_uri": "{{ $.Values.global.logout_redirect_uri }}"
+ {{- else if $.Values.global.oidc }},
+ "redirect_uri": "https://{{ $.Values.global.oidc.host }}/auth/realms/{{ $.Values.global.oidc.realm}}/protocol/openid-connect/token/logout"
+ {{- end }}
+ },
+ "absolute_session_timeout": "{{ $.Values.global.absolute_session_timeout }}",
+ "idle_session_timeout": "{{ $.Values.global.idle_session_timeout }}",
+ "scopes": []
+ },
+ "threads": 8,
+ "chains": [
+ {{- range $k, $v := $.Values.chains }}{{ if ne $k ( first (keys $.Values.chains | sortAlpha) ) }},{{ end }}
+ {
+ "name": "{{ $k }}",
+ "match": {
+ {{- if .match }}
+ "header": "{{ .match.header | default $.Values.global.match.header }}",
+ {{- if .match.prefix }}
+ "prefix": "{{ tpl .match.prefix $ }}"
+ {{- else if .match.equality }}
+ "equality": "{{ .match.equality }}"
+ {{- else }}
+ "prefix": "{{ $.Values.global.match.prefix }}"
+ {{- end }}
+ {{- else }}
+ "header": "{{ $.Values.global.match.header }}",
+ "prefix": "{{ $.Values.global.match.prefix }}"
+ {{- end }}
+ },
+ "filters": [
+ {
+ "oidc_override": {
+ "authorization_uri": "https://{{ (dig "oidc" "host" $.Values.global.oidc.host .) }}/auth/realms/{{ (dig "oidc" "realm" $.Values.global.oidc.realm .) }}/protocol/openid-connect/auth",
+ "token_uri": "https://{{ (dig "oidc" "host" $.Values.global.oidc.host .) }}/auth/realms/{{ (dig "oidc" "realm" $.Values.global.oidc.realm .) }}/protocol/openid-connect/token",
+ {{- if or .redis_server_uri $.Values.global.redis_server_uri }}
+ "redis_session_store_config": {
+ "server_uri": {{ .redis_server_uri | default $.Values.global.redis_server_uri | quote }}
+ },
+ {{- end }}
+ {{- if .callback_uri }}
+ "callback_uri": "{{ tpl .callback_uri $ | default $.Values.callback_uri }}",
+ {{- else }}
+ {{- fail "ERROR: Missing required field 'callback_uri' in one of the config chains" }}
+ {{ end }}
+ {{- if .jwks }}
+ "jwks": {{ .jwks | quote }},
+ {{- else if .jwks_uri }}
+ "jwks_fetcher": {
+ "jwks_uri": {{ .jwks_uri | quote }},
+ "periodic_fetch_interval_sec": {{ .periodic_fetch_interval_sec | default 60}},
+ "skip_verify_peer_cert": {{ .skip_verify_peer_cert | default $.Values.global.skip_verify_peer_cert }}
+ },
+ {{- end }}
+ {{- if .client_id }}
+ "client_id": "{{ .client_id }}",
+ {{- end }}
+ {{- if .client_secret }}
+ "client_secret": "{{ .client_secret }}",
+ {{- end }}
+ "cookie_name_prefix": "{{ default $k .cookie_name_prefix }}",
+ {{- if .certificate_authority }}
+ {{- if contains "\\n" .certificate_authority }}
+ "trusted_certificate_authority": "{{ .certificate_authority }}",
+ {{- else }}
+ "trusted_certificate_authority": {{ .certificate_authority | quote }},
+ {{- end }}
+ {{- end }}
+ "logout": {
+ {{- if .logout_path }}
+ "path": "{{ .logout_path | default $.Values.global.logout_path }}",
+ {{- end }}
+ {{- if .logout_redirect_uri }}
+ "redirect_uri": "{{ .logout_redirect_uri | default $.Values.global.logout_redirect_uri }}"
+ {{- else if .oidc }}
+ "redirect_uri": "https://{{ .oidc.host | default $.Values.global.oidc.host }}/auth/realms/{{ .oidc.realm | default $.Values.global.oidc.realm}}/protocol/openid-connect/token/logout"
+ {{- else }}
+ "redirect_uri": "https://{{ $.Values.global.oidc.host }}/auth/realms/{{ $.Values.global.oidc.realm }}/protocol/openid-connect/token/logout"
+ {{- end}}
+ },
+ {{- if .absolute_session_timeout }}
+ "absolute_session_timeout": "{{ .absolute_session_timeout }}",
+ {{- end }}
+ {{- if .idle_session_timeout }}
+ "idle_session_timeout": "{{ .idle_session_timeout }}",
+ {{- end }}
+ "scopes": {{ default list .scopes | toJson }}
+ }
+ }
+ ]
+ }
+ {{- end }}
+ ]
+ }
diff --git a/src/authservice/chart/templates/service.yaml b/src/authservice/chart/templates/service.yaml
new file mode 100644
index 000000000..978a7b9ef
--- /dev/null
+++ b/src/authservice/chart/templates/service.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "authservice.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "authservice.labels" . | nindent 4 }}
+spec:
+ type: ClusterIP
+ ports:
+ - port: 10003
+ targetPort: 10003
+ protocol: TCP
+ name: grpc
+ selector:
+ {{- include "authservice.selectorLabels" . | nindent 4 }}
diff --git a/src/authservice/chart/templates/uds-package.yaml b/src/authservice/chart/templates/uds-package.yaml
new file mode 100644
index 000000000..3884987bb
--- /dev/null
+++ b/src/authservice/chart/templates/uds-package.yaml
@@ -0,0 +1,28 @@
+apiVersion: uds.dev/v1alpha1
+kind: Package
+metadata:
+ name: authservice
+ namespace: {{ .Release.Namespace }}
+spec:
+ network:
+ allow:
+ # Permit intra-namespace communication for multi-replica setup
+ - direction: Ingress
+ remoteGenerated: IntraNamespace
+
+ - direction: Egress
+ remoteGenerated: IntraNamespace
+
+ # Egress must be allowed to the external facing Keycloak endpoint
+ - direction: Egress
+ remoteGenerated: Anywhere
+ description: "SSO Provider"
+
+ - direction: Ingress
+ podLabels:
+ app.kubernetes.io/name: authservice
+ remoteNamespace: "" # Any namespace could have a protected app
+ remotePodLabels:
+ {{ .Values.selector.key }}: {{ .Values.selector.value }}
+ port: 10003
+ description: "Protected Apps"
diff --git a/src/authservice/chart/values.yaml b/src/authservice/chart/values.yaml
new file mode 100644
index 000000000..c1cd139c3
--- /dev/null
+++ b/src/authservice/chart/values.yaml
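Review bot: `config.json` is built by interpolating values into a JSON string without escaping — `"client_secret": "{{ $.Values.global.client_secret }}"`, `"callback_uri": "{{ tpl .callback_uri $ | default $.Values.callback_uri }}"`, the `"prefix"`/`"equality"` match values — so a secret or URI containing `"` or `\` yields invalid JSON that only surfaces when the pod starts. Pipe every string value through `toJson` (or `quote`, which the `jwks` and `server_uri` lines already use), e.g. `"client_secret": {{ $.Values.global.client_secret | toJson }},`, so escaping is uniform. In the same hunk the top-level `jwks_fetcher` writes `"skip_verify_peer_cert": "{{ ... }}"` as a quoted string while `default_oidc_config` and the per-chain fetcher emit a bare boolean, so one of them hands the consumer the string `"false"` where the others hand `false`; pick the bare form everywhere. `default $.Values.callback_uri` refers to a value that values.yaml never defines, so that fallback is a no-op and can be dropped.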
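Review bot: The Service port is named `grpc` while the container port it targets is named `http` in deployment.yaml; Istio's protocol selection keys off the Service port name, so `grpc` is the one that matters here, but the two names should agree. Rename the container port to `grpc` and point `targetPort: grpc` at it so the pairing is explicit rather than relying on the duplicated number 10003.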
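Review bot: `{{ .Values.selector.key }}: {{ .Values.selector.value }}` under `remotePodLabels` leaves the label value unquoted, whereas authn.yaml and authz.yaml render the same pair with `| quote`; a value such as `true` or `1` would be typed as a boolean or integer here and either fail Package schema validation or silently differ from the AuthorizationPolicy selectors. Use `{{ .Values.selector.key }}: {{ .Values.selector.value | quote }}` for consistency. The `Egress` rule with `remoteGenerated: Anywhere` is broader than the single `global.oidc.host` its comment says it serves; if the Package CRD offers a narrower remote selector, note in the comment why it was not used.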
@@ -0,0 +1,133 @@
+# -- When setting this above 1, a redis configuration is required.
+replicaCount: 1
+
+image:
+ repository: ghcr.io/istio-ecosystem/authservice/authservice
+ pullPolicy: IfNotPresent
+ # -- Overrides the image tag whose default is the chart appVersion.
+ tag: ""
+
+# -- If true will allow the requests even no filter chain match is found
+allow_unmatched_requests: false
+
+# -- Extra Ruleset for AuthorizationPolicy CUSTOM action to forward to Authservice.
+# To enable `allow_unmatched_requests` must be `false`. These custom rules mean that only these requests
+# will be routed and will break default UDS Core setup for `prometheus/alertmanager/tempo` unless added.
+# Path specific Operations are not supported, it is recommended to use only hosts, notHosts, & method operations.
+# See reference: https://istio.io/latest/docs/reference/config/security/authorization-policy/
+custom_authpolicy_rules:
+ - when:
+ - key: request.headers[authorization]
+ notValues:
+ - "*"
+
+global:
+ # -- Default client_id to be used in each chain
+ client_id: "global_id"
+ # -- Default client_secret to be used in each chain
+ client_secret: "global_secret"
+ match:
+ # -- Header to match. The value ":authority" is used to match the requested hostname
+ header: ":authority"
+ # -- value matches the start of the header value defined above
+ prefix: "uds"
+ # -- Logout URL for the client
+ logout_path: "/globallogout"
+ # -- Logout Redirect URI for the client
+ logout_redirect_uri: ""
+ absolute_session_timeout: 0
+ idle_session_timeout: 0
+ # -- CA that signed the OIDC provider cert. Passed through as a Helm multi-line string.
+ certificate_authority: ""
+
+ # -- URI for Redis instance used for OIDC token storage/retrieval. This may also be specified per-chain, example: tcp://redis:6379/
+ redis_server_uri: ""
+
+ oidc:
+ # -- OpenID Connect hostname. Assumption of Keycloak based on URL construction
+ host: login.uds.dev
+ # -- Realm for OpenID Connect
+ realm: doug
+
+ # -- JWKS, a default jwks_uri is computed if not specified. Must be formatted as an escaped JSON string.
+ jwks: ""
+
+ # -- Request interval to check whether new JWKs are available.
+ periodic_fetch_interval_sec: 60
+
+ # -- If set to true, the verification of the destination certificate will be skipped when making a request to the JWKs URI and the token endpoint. This option is useful when you want to use a self-signed certificate for testing purposes, but basically should not be set to true in any other cases.
+ skip_verify_peer_cert: false
+
+# -- Individual chains. Must have a `name` value and a `callback_uri`, full example of all fields provided below.
+# NOTE: if using "match" can only specify `prefix` OR `equality`, not both
+chains:
+ # Default Filter to prevent errors on launch
+ local:
+ match:
+ header: ":local"
+ prefix: "localhost"
+ client_id: local_id
+ client_secret: local_secret
+ callback_uri: https://localhost/login
+ logout_path: "/local"
+ # example_chain:
+ # match:
+ # header: ":authority"
+ # prefix: "localhost"
+ # equality: "localhost.localdomain"
+ # client_id: my_uds_app
+ # client_secret: secret_value
+ # callback_uri: https://myapp.uds.dev/login
+ # cookie_name_prefix: differentThanFull # Override the cookie name prefix in case you need it to be something else (ex. two apps share the same cookie)
+ # logout:
+ # path: "/logout"
+ # absolute_session_timeout: timeout_value
+ # idle_session_timeout: timeout_value
+ # jwks_uri: https://myapp.uds.dev/jwks # Override if this client is on a different realm
+ # oidc:
+ # host: local_oidc_host
+ # realm: local_oidc_realm
+ # periodic_fetch_interval_sec: 60
+ # scopes:
+ # - additionalScope1
+ # - additionalScope2
+
+nameOverride: "authservice"
+
+podAnnotations: {}
+
+podSecurityContext: {}
+
+securityContext: {}
+
+resources: {}
+
+autoscaling:
+ enabled: false
+ minReplicas: 1
+ maxReplicas: 3
+ targetCPUUtilizationPercentage: 80
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}
+
+# -- Log level for the deployment
+config:
+ logLevel: trace
+
+# -- Label to determine what workloads (pods/deployments) should be protected by authservice.
+selector:
+ key: protect
+ value: keycloak
+
+# -- Values to bypass OIDC chains in favor or using istio authorizationpolicies.security.istio.io
+# and requestauthentications.security.istio.io for certain endpoints.
+trigger_rules: []
+# - excluded_paths:
+# - exact: /api/healthcheck
+# included_paths:
+# - prefix: /
+# See reference: https://github.com/istio-ecosystem/authservice/blob/master/docs/README.md
diff --git a/src/authservice/common/zarf.yaml b/src/authservice/common/zarf.yaml
new file mode 100644
index 000000000..18ad2d6ae
--- /dev/null
+++ b/src/authservice/common/zarf.yaml
@@ -0,0 +1,14 @@
+kind: ZarfPackageConfig
+metadata:
+ name: uds-core-authservice-common
+ description: "UDS Core Authservice Common"
+ url: https://github.com/istio-ecosystem/authservice
+
+components:
+ - name: authservice
+ required: true
+ charts:
+ - name: authservice
+ localPath: ../chart
+ version: 0.5.3
+ namespace: authservice
diff --git a/src/authservice/tasks.yaml b/src/authservice/tasks.yaml
index e3b314c9b..7fa53d5d2 100644
--- a/src/authservice/tasks.yaml
+++ b/src/authservice/tasks.yaml
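Review bot: `config.logLevel: trace` is the shipped default and secret.yaml copies it straight into `"log_level"`, so a component that sits in the authorization-code and token exchange path runs at its most verbose level unless every consumer remembers to override it; what it emits at trace is not visible here, but the safe default is `logLevel: info` with a `# -- Raise to trace only for local debugging` comment. The comment on `replicaCount` says Redis is required above 1, yet nothing enforces it; a render-time guard in deployment.yaml such as `{{- if and (gt (int .Values.replicaCount) 1) (not .Values.global.redis_server_uri) }}{{ fail "global.redis_server_uri is required when replicaCount > 1" }}{{- end }}` would catch the misconfiguration before rollout, and the same applies when `autoscaling.enabled` is true. The placeholder credentials (`global_secret`, `local_secret`) are clearly examples, but an empty default plus the existing `fail` pattern in secret.yaml extended to require `client_secret` per chain avoids a deployment silently running with a sample secret.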
@@ -1,7 +1,17 @@
 tasks:
 - name: validate
 actions:
- - description: Validate...
- cmd: "echo Replace Me"
- # wait:
- # cluster:
+ - description: Validate UDS Package Authservice is reconciled
+ wait:
+ cluster:
+ kind: Package
+ name: authservice
+ namespace: authservice
+ condition: "'{.status.phase}'=Ready"
+ - description: Validate authservice is up
+ wait:
+ cluster:
+ kind: Pod
+ name: "app.kubernetes.io/name=authservice"
+ namespace: authservice
+ condition: Ready
diff --git a/src/authservice/values/registry1-values.yaml b/src/authservice/values/registry1-values.yaml
new file mode 100644
index 000000000..97fb34ca0
--- /dev/null
+++ b/src/authservice/values/registry1-values.yaml
@@ -0,0 +1,3 @@
+image:
+ repository: registry1.dso.mil/ironbank/istio-ecosystem/authservice
+ tag: "0.5.3"
diff --git a/src/authservice/values/upstream-values.yaml b/src/authservice/values/upstream-values.yaml
new file mode 100644
index 000000000..1c01b5b26
--- /dev/null
+++ b/src/authservice/values/upstream-values.yaml
@@ -0,0 +1,3 @@
+image:
+ repository: ghcr.io/istio-ecosystem/authservice/authservice
+ tag: "0.5.3"
diff --git a/src/authservice/zarf.yaml b/src/authservice/zarf.yaml
index d75809a33..c87b7e7c6 100644
--- a/src/authservice/zarf.yaml
+++ b/src/authservice/zarf.yaml
@@ -1,11 +1,32 @@
 kind: ZarfPackageConfig
 metadata:
 name: uds-core-authservice
- description: "Example description"
+ description: "UDS Core Authservice"
+ url: https://github.com/istio-ecosystem/authservice
 components:
- - name: test
- actions:
- onCreate:
- after:
- - cmd: echo "What can Doug do for you?"
+ - name: authservice
+ required: true
+ only:
+ flavor: upstream
+ import:
+ path: common
+ charts:
+ - name: authservice
+ valuesFiles:
+ - values/upstream-values.yaml
+ images:
+ - ghcr.io/istio-ecosystem/authservice/authservice:0.5.3
+
+ - name: authservice
+ required: true
+ only:
+ flavor: registry1
+ import:
+ path: common
+ charts:
+ - name: authservice
+ valuesFiles:
+ - values/registry1-values.yaml
+ images:
+ - registry1.dso.mil/ironbank/istio-ecosystem/authservice:0.5.3
diff --git a/tasks/deploy.yaml b/tasks/deploy.yaml
index e7d991833..1b16a5dd1 100644
--- a/tasks/deploy.yaml
+++ b/tasks/deploy.yaml
@@ -24,7 +24,7 @@ tasks:
 cmd: |
 set -e
 PEPR_VERSION=$(npm pkg get version | tr -d '"')
- uds zarf package deploy build/zarf-package-pepr-uds-core-${UDS_ARCH}-${PEPR_VERSION}.tar.zst --confirm
+ uds zarf package deploy build/zarf-package-pepr-uds-core-${UDS_ARCH}-${PEPR_VERSION}.tar.zst --confirm --set DOMAIN="uds.dev"
 - description: "Deploy the requested Zarf Package (must set UDS_PKG environment variable)"
 cmd: uds zarf package deploy build/zarf-package-uds-core-${UDS_PKG}-${UDS_ARCH}.tar.zst --confirm
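Review bot: Both flavors list the image by mutable tag under `images:` (`ghcr.io/istio-ecosystem/authservice/authservice:0.5.3` and `registry1.dso.mil/ironbank/istio-ecosystem/authservice:0.5.3`), so what Zarf packs depends on whatever the registry serves for that tag at build time, and the tag in each flavor values file has to be kept in step by hand. Referencing `<repository>@sha256:<digest>` (placeholder; take the digest from the build you validated) in `images:` and mirroring it in `values/upstream-values.yaml` and `values/registry1-values.yaml` makes the package content reproducible and lets the pulled image be verified against the manifest. A short comment noting that the two components intentionally share the name `authservice` and are distinguished only by `only.flavor` would help readers who do not know the Zarf flavor mechanism.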
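Review bot: `--set DOMAIN="uds.dev"` hard-codes the domain in a task that otherwise parameterises everything through `${UDS_ARCH}` and `${PEPR_VERSION}`; reading it from the environment with a default, `--set DOMAIN="${DOMAIN:-uds.dev}"`, keeps the task usable against other environments without editing it. If the same domain is meant to reach the authservice chart's `.Values.domain`, that wiring is not visible in this diff and deserves a comment on this line saying where it happens.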