diff --git a/charts/gloo-config/Chart.yaml b/charts/gloo-config/Chart.yaml
index 7fa635c..300b926 100644
--- a/charts/gloo-config/Chart.yaml
+++ b/charts/gloo-config/Chart.yaml
@@ -2,5 +2,5 @@ apiVersion: v2
 name: gloo-config
 description: A Helm chart for Gloo Configurations
 type: application
-version: 0.1.28
-appVersion: "0.1.28"
+version: 0.2.2
+appVersion: "0.2.2"
diff --git a/charts/gloo-config/templates/_functions.tpl b/charts/gloo-config/templates/_functions.tpl
index 7ab9a2b..a3041e0 100644
--- a/charts/gloo-config/templates/_functions.tpl
+++ b/charts/gloo-config/templates/_functions.tpl
@@ -1,47 +1,331 @@ -{{- /* Generate AuthConfig Name */}} -{{- define "getAuthConfigName" -}} - {{- $values := index . 0 -}} - {{- $ext := "no-headerextension" -}} - {{- if $values.headerextension -}} - {{- if eq true $values.headerextension -}} - {{- $ext = "with-headerextension" -}} +{{- /* Get Domain Informations + +### Description: + +Helper template function to return a specific domain information like tld or subdomain based on parameter + +### Parameters: + +- selector (string) +- global values (interface) + +### Return: + +Domain Name (string) + +### Example: + +{{ $var := (include "getDomainInfo" (list $getPrivateDomain $)) }} +{{ $var_subdomain := (include "getDomainInfo" (list $getPublicSubDomainInt $)) }} +{{ print $var }} +-> [.tld1.de .tld2.com] +{{ print $var_subdomain }} +-> [.public.prod] + +*/}} +{{- define "getDomainInfo" -}} + {{- $selector := index . 0 -}} + {{- $ := index . 1 -}} + + {{- $data := dict -}} + {{- $_ := set $data "private_domains" (default (list ".iteratec.de" ".iteratec.com") ($.Values.defaults.domains).private.topLevel) -}} + {{- $_ := set $data "public_domains" (default (list ".iteratec.io") ($.Values.defaults.domains).public.topLevel) -}} + {{- $_ := set $data "private_subdomain_prod" (default ".private.prod" ($.Values.defaults.domains).private.subDomain.production) -}} + {{- $_ := set $data "private_subdomain_int" (default ".private.int" ($.Values.defaults.domains).private.subDomain.integration) -}} + {{- $_ := set $data "private_subdomain_dev" (default ".private.dev" ($.Values.defaults.domains).private.subDomain.development) -}} + {{- $_ := set $data "public_subdomain_prod" (default ".prod" ($.Values.defaults.domains).public.subDomain.production) -}} + {{- $_ := set $data "public_subdomain_int" (default ".int" ($.Values.defaults.domains).public.subDomain.production) -}} + + {{- if eq "getPrivateDomains" $selector -}} + {{- range $data.private_domains -}} + {{- printf "%v " . 
-}} + {{- end -}} + {{- else if eq "getPublicDomains" $selector -}} + {{- range $data.public_domains -}} + {{- printf "%v " . -}} {{- end -}} + {{- else if eq "getPublicSubDomainProd" $selector -}} + {{- print $data.public_subdomain_prod -}} + {{- else if eq "getPublicSubDomainInt" $selector -}} + {{- print $data.public_subdomain_int -}} + {{- else if eq "getPrivateSubDomainProd" $selector -}} + {{- print $data.private_subdomain_prod -}} + {{- else if eq "getPrivateSubDomainInt" $selector -}} + {{- print $data.private_subdomain_int -}} + {{- else if eq "getPrivateSubDomainDev" $selector -}} + {{- print $data.private_subdomain_dev -}} {{- end -}} - {{- printf "%s-%s-%s" $values.svc $values.authenticationtype $ext }} {{- end -}} -{{- /* Generate VirtualService Name */}} + + +{{- /* Generate AuthConfig Name + +### Description: + +Create and return the name of AuthConfig resource based on Service name (svc), headerextentions authenticationType + +### Parameters: + +- values (dict) +- global values (interface) + +### Return: + +AuthConfigName (string) + +### Example: + +{{ $_ := set $dict "svc" "myserver" }} +{{ $var := (include "getAuthConfigName" (list $dict 0)) }} +{{ print $var }} +-> myservice-0 + +*/}} +{{- define "getAuthConfigName" -}} + {{- $values := index . 0 -}} + {{- $index := index . 1 -}} + {{- printf "%s-%d" $values.svc $index }} +{{- end -}} + +{{- /* Generate VirtualService Name + +### Description: + +Create and return the name of VirtualService resource based on Parameter one and Parameter two + +### Parameters: + +- param1 (string) +- param2 (int) + +### Return: + +value (string) + +### Example: + +{{ $var := (include "getVirtualServiceName" (list "svc" 1)) }} +{{ print $var }} +-> svc-1 + +*/}} {{- define "getVirtualServiceName" -}} {{- printf "%s-%d" (index . 0) (index . 
1) }} {{- end -}} -{{- /* Generate Upstream Name */}} + +{{- /* Generate Upstream Name + +### Description: + +Create and return the name of Upstream resource based on Parameters + +### Parameters: + +- param1 (string) +- param2 (string) +- param3 (string) +- param4 (int) + +### Return: + +value (string) + +### Example: + +{{ $var := (include "getUpStreamName" (list "backend" "upstream" "int" 2)) }} +{{ print $var }} +-> backend-upstream-svc-int-2 + +*/}} {{- define "getUpStreamName" -}} - {{- printf "%s-%s-svc-%v-%d" (index . 0) (index . 1) (index . 2) (index . 3) }} + {{- printf "%s-%s-svc-%v" (index . 0) (index . 1) (index . 2) }} {{- end -}} -{{- /* Generate Service DomainName URL */}} + +{{- /* Generate AuthConfig AppUrl + +### Description: + +Create and return the url for authconfig value oauth2.oidcAuthorizationCode.appUrl based on available service domains +The template function will always use first domain from service domain list if multiple domains are configured + +### Parameters: + +- values (dict) +- global values (interface) + +### Return: + +value (string) + +### Example: + +{{ $var := (include "getAppUrl" (list $dict $)) }} +{{ print $var }} +-> https:// + +*/}} {{- define "getAppUrl" -}} {{- $values := index . 0 -}} {{- $ := index . 1 -}} - {{- printf "https://%s.%s" $values.svc (first $.Values.defaults.domains) }} + {{- printf "https://%s" (first (regexSplit " " (include "getSvcDomain" (list $values $)) -1 )) }} {{- end -}} -{{- /* Generate Service Domain */}} + +{{- /* Generate Service Domain (FQDN) + +### Description: + +Helper template function to generate the fulled qualified domain name based on multiple values (env and internet) +The return string will contain a separator char as suffix (whitespace) ! +To handle the return string in loop iterations (range, ...), use regexSplit function (see Example). 
+ +### Parameters: + +- values (dict) +- global values (interface) + +### Return: + +value (string) + +### Example: + +{{ $_ := set $dict "svc" "myservice" }} +{{ $_ := set $dict "internet" true }} +{{ $_ := set $dict "env" "prod" }} +{{ $var := (regexSplit " " (include "getSvcDomain" (list $dict $)) -1) }} +{{ print $var }} +-> [myservice.private.prod.iteratec.com myservice.private.prod.iteratec.de myservice.private.prod.iteratec.io] + +*/}} {{- define "getSvcDomain" -}} {{- $values := index . 0 -}} {{- $ := index . 1 -}} - {{- printf "%s.%s" $values.svc (first $.Values.defaults.domains) }} + {{- $s := dict -}} + {{- if eq "prod" $.Values.defaults.env -}} + {{- if $values.internet -}} + {{- $_ := set $s "subdomain" (include "getDomainInfo" (list "getPublicSubDomainProd" $)) -}} + {{- else -}} + {{- $_ := set $s "subdomain" (include "getDomainInfo" (list "getPrivateSubDomainProd" $)) -}} + {{- end -}} + {{- else if eq "int" $.Values.defaults.env -}} + {{- if $values.internet -}} + {{- $_ := set $s "subdomain" (include "getDomainInfo" (list "getPublicSubDomainInt" $)) -}} + {{- else -}} + {{- $_ := set $s "subdomain" (include "getDomainInfo" (list "getPrivateSubDomainInt" $)) -}} + {{- end -}} + {{- else if eq "dev" $.Values.defaults.env -}} + {{- if $values.internet -}} + {{- $_ := set $s "subdomain" (include "getDomainInfo" (list "getPublicSubDomainDev" $)) -}} + {{- else -}} + {{- $_ := set $s "subdomain" (include "getDomainInfo" (list "getPrivateSubDomainDev" $)) -}} + {{- end -}} + {{- end -}} + + {{- $_ := set $s "publicdomains" (regexSplit " " (include "getDomainInfo" (list "getPublicDomains" $)) -1) -}} + {{- $_ := set $s "privatedomains" (regexSplit " " (include "getDomainInfo" (list "getPrivateDomains" $)) -1) -}} + + + {{- if $values.internet -}} + {{- range $s.publicdomains -}} + {{- if . -}} + {{- printf "%v%v%v " $values.svc (default "" $s.subdomain) . -}} + {{- end -}} + {{- end -}} + {{- else -}} + {{- range $s.privatedomains -}} + {{- if . 
-}} + {{- printf "%v%v%v " $values.svc (default "" $s.subdomain) . -}} + {{- end -}} + {{- end -}} + {{- end -}} {{- end -}} -{{- /* Create and return OpenID URL Name */}} + +{{- /* Generate OpenID URL + +### Description: + +Create and return OpenID URL Name + +### Parameters: + +- realm (string) +- global values (interface) + +### Return: + +value (string) + +### Example: + +[in values.yaml] +defaults: + issuerUrl: https://oidc.iteratec.com/realms/root/realms + openidConfigurationUrl: .well-known/openid-configuration + +{{ $var := (include "getOpenIDUrl" (list "myRealm" $)) }} +{{ print $var }} +-> https://oidc.iteratec.com/realms/root/realms/myRealm/.well-known/openid-configuration + +*/}} {{- define "getOpenIDUrl" -}} {{- $realm := index . 0 -}} {{- $ := index . 1 -}} {{- printf "%s/%s/%s" $.Values.defaults.issuerUrl $realm $.Values.defaults.openidConfigurationUrl -}} {{- end -}} -{{- /* Generate OpenID URL */}} + +{{- /* Generate Issuer URL + +### Description: + +Create and return Issuer URL Name + +### Parameters: + +- realm (string) +- global values (interface) + +### Return: + +value (string) + +### Example: + +[in values.yaml] +defaults: + issuerUrl: https://oidc.iteratec.com/realms/root/realms + +{{ $var := (include "getIssuerUrl" (list "myRealm" $)) }} +{{ print $var }} +-> https://oidc.iteratec.com/realms/root/realms/myRealm/ + +*/}} {{- define "getIssuerUrl" -}} {{- $realm := index . 0 -}} {{- $ := index . 1 -}} {{- printf "%s/%s/" $.Values.defaults.issuerUrl $realm -}} {{- end -}} -{{- /* Check AuthConfig */}} + +{{- /* Check AuthConfig + +### Description: + +Check parameter for existing authconfig name + +### Parameters: + +- authconfig type (string) + +### Return: + +value (string) + +### Example: + +{{ $var := (include "authExists" "backend") }} +{{ print $var }} +-> "true" + +*/}} {{- define "authExists" -}} {{- $allAuthTypes := list "ui" "ui-with-strongauth" "backend" "backend-with-strongauth" "m2m" "m2m-with-token" -}} {{- if (index . 0) -}} 
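Review bot: `public_subdomain_int` in `getDomainInfo` is filled from `($.Values.defaults.domains).public.subDomain.production`, so an integration environment with a configured public subdomain silently gets the production value; the lookup should read `.public.subDomain.integration`, matching the `private_subdomain_int` line directly above it. In the same hunk the `dev` branch of `getSvcDomain` asks for the selector `getPublicSubDomainDev`, but `getDomainInfo` has neither that branch nor a `public_subdomain_dev` entry, so internet-facing dev services get an empty subdomain (hidden by `default "" $s.subdomain`) and their FQDN collapses onto the bare public top-level domain. These names feed the session cookie `domain`, the certificate `dnsNames` and the VirtualService `sniDomains` elsewhere in this commit, so a wrong value ends up in TLS and cookie scoping rather than in a label. The sketch below mirrors the existing `.int`/`.prod` pattern; the `.dev` default and the `public.subDomain.development` key are placeholders to be aligned with values.yaml.
```gotmpl
  {{- /* … unchanged: private_* entries and public_subdomain_prod … */}}
  {{- $_ := set $data "public_subdomain_int" (default ".int" ($.Values.defaults.domains).public.subDomain.integration) -}}
  {{- $_ := set $data "public_subdomain_dev" (default ".dev" ($.Values.defaults.domains).public.subDomain.development) -}}
  {{- /* … unchanged: getPrivateDomains … getPrivateSubDomainDev selector branches … */}}
  {{- else if eq "getPublicSubDomainDev" $selector -}}
    {{- print $data.public_subdomain_dev -}}
  {{- end -}}
```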
@@ -52,8 +336,29 @@ {{- end -}} {{- end -}} {{- end -}} -{{- /* Generate Strongauth ACR Value */}} + +{{- /* Generate Strongauth ACR value + +### Description: + +Generate and return Strongauth ACR value + +### Parameters: + +- strongauthlevel (string) + +### Return: + +value (string) + +### Example: + +{{ $var := (include "getAcrValue" "2403") }} +{{ print $var }} +-> "strongAuth2403Service" + +*/}} {{- define "getAcrValue" -}} {{- $strongauthlevel := index . 0 -}} {{- printf "strongAuth%vService" $strongauthlevel -}} -{{- end -}} \ No newline at end of file +{{- end -}} diff --git a/charts/gloo-config/templates/auth_backend-with-strongauth.yaml b/charts/gloo-config/templates/auth_backend-with-strongauth.yaml index 48a7bf2..021b445 100644 --- a/charts/gloo-config/templates/auth_backend-with-strongauth.yaml +++ b/charts/gloo-config/templates/auth_backend-with-strongauth.yaml @@ -22,9 +22,9 @@ spec: address: {{ $.Values.defaults.passthru.grpcAddress.headerExtension }} config: openIdConfigurationUrl: {{ $values.openidurl }} - enableAccessTokenForwarding: {{ $.Values.defaults.passthru.enableAccessTokenForwarding }} - enableSubjectForwarding: {{ $.Values.defaults.passthru.enableSubjectForwarding }} - enableQAccountMatching: {{ $.Values.defaults.passthru.enableQAccountMatching }} + {{- range $key, $value := $values.passthru.config }} + {{ $key }}: {{ $value }} + {{- end }} {{- end }} {{ end -}} diff --git a/charts/gloo-config/templates/auth_backend.yaml b/charts/gloo-config/templates/auth_backend.yaml index 37a1ca8..0ffd43c 100644 --- a/charts/gloo-config/templates/auth_backend.yaml +++ b/charts/gloo-config/templates/auth_backend.yaml 
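Review bot: The example in the new `getAcrValue` doc block, `{{ $var := (include "getAcrValue" "2403") }}`, does not match the body, which does `index . 0` and therefore needs a list — `index` on a bare string is a template error — so the example should read `(include "getAcrValue" (list "2403"))`, and the rendered value carries no surrounding quotes. The first hunk of this file has the same drift: `authExists` is documented as `(include "authExists" "backend")` although virtualservice.tpl calls it with `(list $values.authenticationtype)`, the `getUpStreamName` example still passes four parameters and expects a `-2` suffix the new three-parameter `printf` no longer produces, and the `getAuthConfigName` example sets `svc` to `myserver` but prints `myservice-0`. These doc blocks are the only contract the helpers have, so keeping the examples copy-paste correct is worth a pass before merge.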
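Review bot: `{{- range $key, $value := $values.passthru.config }}` renders whatever the per-service `passthru.config` map contains as `{{ $key }}: {{ $value }}` with no quoting, so a string value holding `: `, `#` or a newline alters the YAML structure of the AuthConfig instead of arriving as a value; `{{ $key }}: {{ $value | toYaml }}` keeps it a scalar. `$values.passthru` is set in authconfig.tpl straight from the service entry's `.passthru`, which is nil for any entry that has none, and `$values.passthru.config` on nil aborts the render as far as I can tell, whereas `{{- range $key, $value := (($values.passthru).config) }}` iterates zero times; a `default $.Values.defaults.passthru.config` there would also restore the chart-wide flags this hunk removes, though the schema currently types that key as `null`. The same three lines appear in auth_backend.yaml, auth_m2m-with-token.yaml, auth_m2m.yaml, auth_ui-with-strongauth.yaml and auth_ui.yaml. The enclosing `if` and `range` of this block start outside the hunk.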
@@ -21,8 +21,8 @@ spec: address: {{ $.Values.defaults.passthru.grpcAddress.headerExtension }} config: openIdConfigurationUrl: {{ $values.openidurl }} - enableAccessTokenForwarding: {{ $.Values.defaults.passthru.enableAccessTokenForwarding }} - enableSubjectForwarding: {{ $.Values.defaults.passthru.enableSubjectForwarding }} - enableQAccountMatching: {{ $.Values.defaults.passthru.enableQAccountMatching }} + {{- range $key, $value := $values.passthru.config }} + {{ $key }}: {{ $value }} + {{- end }} {{- end }} {{ end -}} diff --git a/charts/gloo-config/templates/auth_m2m-with-token.yaml b/charts/gloo-config/templates/auth_m2m-with-token.yaml index 1868f4d..6043aec 100644 --- a/charts/gloo-config/templates/auth_m2m-with-token.yaml +++ b/charts/gloo-config/templates/auth_m2m-with-token.yaml @@ -32,9 +32,9 @@ spec: address: {{ $.Values.defaults.passthru.grpcAddress.headerExtension }} config: openIdConfigurationUrl: {{ $values.openidurl }} - enableAccessTokenForwarding: {{ $.Values.defaults.passthru.enableAccessTokenForwarding }} - enableSubjectForwarding: {{ $.Values.defaults.passthru.enableSubjectForwarding }} - enableQAccountMatching: {{ $.Values.defaults.passthru.enableQAccountMatching }} + {{- range $key, $value := $values.passthru.config }} + {{ $key }}: {{ $value }} + {{- end }} {{- end }} {{ end -}} diff --git a/charts/gloo-config/templates/auth_m2m.yaml b/charts/gloo-config/templates/auth_m2m.yaml index 338db9b..e6ea218 100644 --- a/charts/gloo-config/templates/auth_m2m.yaml +++ b/charts/gloo-config/templates/auth_m2m.yaml 
@@ -27,8 +27,8 @@ spec: address: {{ $.Values.defaults.passthru.grpcAddress.headerExtension }} config: openIdConfigurationUrl: {{ $values.openidurl }} - enableAccessTokenForwarding: {{ $.Values.defaults.passthru.enableAccessTokenForwarding }} - enableSubjectForwarding: {{ $.Values.defaults.passthru.enableSubjectForwarding }} - enableQAccountMatching: {{ $.Values.defaults.passthru.enableQAccountMatching }} + {{- range $key, $value := $values.passthru.config }} + {{ $key }}: {{ $value }} + {{- end }} {{- end }} {{ end -}} diff --git a/charts/gloo-config/templates/auth_ui-with-strongauth.yaml b/charts/gloo-config/templates/auth_ui-with-strongauth.yaml index ceb151a..46e6c98 100644 --- a/charts/gloo-config/templates/auth_ui-with-strongauth.yaml +++ b/charts/gloo-config/templates/auth_ui-with-strongauth.yaml @@ -29,10 +29,10 @@ spec: issuerUrl: {{ $values.issuerurl }} session: cookieOptions: - domain: {{ first $.Values.defaults.domains }} - maxAge: {{ $.Values.defaults.extauth.session.cookieTimeout }} + domain: {{ first $values.servicedomain }} + maxAge: {{ $values.cookietimeout }} redis: - cookieName: {{ $values.sessioncachename }} + cookieName: {{ $values.cachename }} options: host: {{ $.Values.defaults.redisUrl }} @@ -42,8 +42,8 @@ spec: address: {{ $.Values.defaults.passthru.grpcAddress.headerExtension }} config: openIdConfigurationUrl: {{ $values.openidurl }} - enableAccessTokenForwarding: {{ $.Values.defaults.passthru.enableAccessTokenForwarding }} - enableSubjectForwarding: {{ $.Values.defaults.passthru.enableSubjectForwarding }} - enableQAccountMatching: {{ $.Values.defaults.passthru.enableQAccountMatching }} + {{- range $key, $value := $values.passthru.config }} + {{ $key }}: {{ $value }} + {{- end }} {{- end }} {{ end -}} \ No newline at end of file diff --git a/charts/gloo-config/templates/auth_ui.yaml b/charts/gloo-config/templates/auth_ui.yaml index 2011c05..ab8ba0f 100644 --- a/charts/gloo-config/templates/auth_ui.yaml 
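Review bot: `domain: {{ first $values.servicedomain }}` scopes the ext-auth session cookie to the first generated FQDN only, while the VirtualService in this commit lists every entry of `servicedomain` under `domains` and `sniDomains`. With the `getDomainInfo` defaults a private service gets one FQDN per private top-level domain, so a user arriving on the second one would not carry the cookie, and `getAppUrl` likewise pins the OIDC app URL to the first FQDN; as far as I can tell the extra hosts are routable but cannot complete a login on their own name. If that is the intended design, a comment on the `domain:` line such as `# session is deliberately bound to the first service FQDN; secondary domains redirect through it` would save the next reader from chasing it; otherwise cookie domain and app URL need to follow the requested host. auth_ui.yaml carries the identical hunk.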
+++ b/charts/gloo-config/templates/auth_ui.yaml @@ -20,10 +20,10 @@ spec: issuerUrl: {{ $values.issuerurl }} session: cookieOptions: - domain: {{ first $.Values.defaults.domains }} - maxAge: {{ $.Values.defaults.extauth.session.cookieTimeout }} + domain: {{ first $values.servicedomain }} + maxAge: {{ $values.cookietimeout }} redis: - cookieName: {{ $values.sessioncachename }} + cookieName: {{ $values.cachename }} options: host: {{ $.Values.defaults.redisUrl }} @@ -33,8 +33,8 @@ spec: address: {{ $.Values.defaults.passthru.grpcAddress.headerExtension }} config: openIdConfigurationUrl: {{ $values.openidurl }} - enableAccessTokenForwarding: {{ $.Values.defaults.passthru.enableAccessTokenForwarding }} - enableSubjectForwarding: {{ $.Values.defaults.passthru.enableSubjectForwarding }} - enableQAccountMatching: {{ $.Values.defaults.passthru.enableQAccountMatching }} + {{- range $key, $value := $values.passthru.config }} + {{ $key }}: {{ $value }} + {{- end }} {{- end }} {{ end -}} \ No newline at end of file diff --git a/charts/gloo-config/templates/authconfig.tpl b/charts/gloo-config/templates/authconfig.tpl index 9b9379b..ed531e1 100644 --- a/charts/gloo-config/templates/authconfig.tpl +++ b/charts/gloo-config/templates/authconfig.tpl 
@@ -3,18 +3,21 @@ {{- $_ := set $values "svc" .svc -}} {{- $_ := set $values "internet" .internet -}} {{- $_ := set $values "strongauthlevel" .strongAuthLevel -}} + {{- $_ := set $values "passthru" .passthru -}} + {{- $_ := set $values "servicedomain" (regexSplit " " (include "getSvcDomain" (list $values $)) -1) -}} + {{- range $key, $val := .routes }} {{- $_ := set $values "prefix" $val.prefix -}} - {{- $_ := set $values "redirect" $val.redirect -}} {{- $_ := set $values "authenticationtype" $val.authenticationType -}} - {{- $_ := set $values "clientid" $val.clientId -}} - {{- $_ := set $values "callbackpath" (default $.Values.defaults.callbackPath $val.callbackPath) -}} - {{- $_ := set $values "clientsecret" $val.clientSecret -}} - {{- $_ := set $values "headerextension" $val.headerExtension -}} - {{- $_ := set $values "allowedclientids" $val.allowedClientIds -}} - {{- $_ := set $values "sessioncachename" (default $.Values.defaults.extauth.redis.cacheName $val.sessionCacheName) -}} - {{- $_ := set $values "authpluginmode" $val.authPluginMode -}} - {{- $_ := set $values "authconfigname" (include "getAuthConfigName" (list $values)) -}} + {{- $_ := set $values "clientid" ($val.authenticationConfig).clientId -}} + {{- $_ := set $values "callbackpath" (default $.Values.defaults.authenticationConfig.callbackPath ($val.authenticationConfig).callbackPath) -}} + {{- $_ := set $values "clientsecret" ($val.authenticationConfig).clientSecret -}} + {{- $_ := set $values "headerextension" ($val.authenticationConfig).headerExtension -}} + {{- $_ := set $values "allowedclientids" ($val.authenticationConfig).allowedClientIds -}} + {{- $_ := set $values "cachename" (default $.Values.defaults.authenticationConfig.redis.cacheName ((($val.authenticationConfig).redis).cacheName)) -}} + {{- $_ := set $values "cookietimeout" (default $.Values.defaults.authenticationConfig.session.cookieTimeout ((($val.authenticationConfig).session).cookieTimeout )) -}} + {{- $_ := set $values 
"authpluginmode" ($val.authenticationConfig).authPluginMode -}} + {{- $_ := set $values "authconfigname" (include "getAuthConfigName" (list $values $key)) -}} {{- $_ := set $values "appurl" (include "getAppUrl" (list $values $)) -}} {{- $_ := set $values "openidurl" (include "getOpenIDUrl" (list $.Values.defaults.realms.default $)) -}} {{- $_ := set $values "issuerurl" (include "getIssuerUrl" (list $.Values.defaults.realms.default $)) -}} diff --git a/charts/gloo-config/templates/certificate.tpl b/charts/gloo-config/templates/certificate.tpl new file mode 100644 index 0000000..9e7c070 --- /dev/null +++ b/charts/gloo-config/templates/certificate.tpl 
@@ -0,0 +1,44 @@ +{{ range $.Values.apigw -}} + {{- $values := dict -}} + {{- $_ := set $values "svc" .svc -}} + {{- $_ := set $values "internet" .internet -}} + {{- $_ := set $values "sslconfig" $.Values.defaults.sslConfig -}} + {{- $_ := set $values "servicedomain" (regexSplit " " (include "getSvcDomain" (list $values $)) -1) -}} + + {{- if and (not $values.internet) (not $values.sslconfig.useCustomIssuer) }} +--- +apiVersion: cert-manager.io/v1 +internet: {{ $values.internet }} +kind: Certificate +metadata: + name: {{ $values.svc }}-certificate-by-issuer +spec: + commonName: {{ first $values.servicedomain }} + secretName: {{ $values.svc }}-private-tls-by-issuer + issuerRef: + name: wadtfy-certificate-issuer + group: {{ $values.sslconfig.certificate.issuergroup }} + kind: Issuer + subject: + organizations: + - {{ $values.sslconfig.certificate.organization }} + countries: + - {{ $values.sslconfig.certificate.country }} + localities: + - {{ $values.sslconfig.certificate.location }} + provinces: + - {{ $values.sslconfig.certificate.province }} + organizationalUnits: + - {{ $values.sslconfig.certificate.organizationalUnit }} + dnsNames: + {{- range $values.servicedomain }} + {{- if . }} + - {{ . }} + {{- end }} + {{- end }} + emailAddresses: + {{- range $values.sslconfig.certificate.emailAddresses }} + - {{ . }} + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/gloo-config/templates/upstream.tpl b/charts/gloo-config/templates/upstream.tpl index f96cb5a..56a3c28 100644 --- a/charts/gloo-config/templates/upstream.tpl +++ b/charts/gloo-config/templates/upstream.tpl 
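Review bot: `group: {{ $values.sslconfig.certificate.issuergroup }}` reads a lower-case `issuergroup` key, but the schema added in this commit declares and requires `issuerGroup`, so with a schema-valid values file `issuerRef.group` renders empty; the line should be `group: {{ $values.sslconfig.certificate.issuerGroup }}`. The stray top-level `internet: {{ $values.internet }}` between `apiVersion` and `kind` is not a Certificate field and should be removed. The guard `and (not $values.internet) (not $values.sslconfig.useCustomIssuer)` emits the Certificate, and with it `secretName: <svc>-private-tls-by-issuer`, only when `useCustomIssuer` is false, whereas virtualservice.tpl in this commit references that very secret only when `useCustomIssuer` is true and falls back to `sslconfig.secretRef` otherwise, so under either setting the VirtualService and the Certificate disagree on who provides the private TLS secret and one of the two conditions is inverted. This template also takes `sslconfig` straight from `$.Values.defaults.sslConfig` while virtualservice.tpl honours a per-service override, so `{{- $_ := set $values "sslconfig" (default $.Values.defaults.sslConfig .sslConfig) -}}` would keep the two templates in step.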
@@ -3,10 +3,10 @@ {{- $_ := set $values "svc" $val.svc -}} {{- $_ := set $values "appname" $val.appName -}} {{- $_ := set $values "svcname" $val.svcName -}} - {{- $_ := set $values "usemtls" ($val.useMTLS | toString) -}} {{- $_ := set $values "serviceport" (default $.Values.defaults.service.port $val.servicePort) -}} - {{- $_ := set $values "upstreamname" (include "getUpStreamName" (list $.Release.Namespace $values.svc $values.serviceport $key)) -}} - {{- $_ := set $values "upstreamnamespace" $.Values.defaults.upstreamNamespace -}} +{{- /* {{- $_ := set $values "upstreamname" (include "getUpStreamName" (list $.Release.Namespace $values.svc $values.serviceport $key)) -}} */}} + {{- $_ := set $values "upstreamname" (include "getUpStreamName" (list $.Release.Namespace $values.svc $values.serviceport)) -}} + {{- $_ := set $values "upstreamnamespace" $.Release.Namespace -}} --- apiVersion: gloo.solo.io/v1 kind: Upstream @@ -20,7 +20,6 @@ spec: serviceName: {{ default (printf "%s-svc" $values.svc) $values.svcname }} serviceNamespace: {{ $.Release.Namespace }} servicePort: {{ $values.serviceport }} - {{- if or (eq $values.usemtls "true") (eq $values.usemtls "") }} sslConfig: alpnProtocols: - istio @@ -29,5 +28,4 @@ spec: clusterName: gateway_proxy_sds targetUri: 127.0.0.1:8234 validationContextName: istio_validation_context - {{- end }} {{ end -}} \ No newline at end of file diff --git a/charts/gloo-config/templates/virtualservice.tpl b/charts/gloo-config/templates/virtualservice.tpl index 211e69d..812e369 100644 --- a/charts/gloo-config/templates/virtualservice.tpl +++ b/charts/gloo-config/templates/virtualservice.tpl 
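Review bot: Dropping `$key` from the `getUpStreamName` call (and, in virtualservice.tpl's first hunk, setting `virtualservicename` to the bare `$values.svc`) means two `apigw` entries that share a `svc` now render Upstream and VirtualService objects with identical names, which Helm will reject or silently collapse; if one entry per `svc` is the rule, a comment on the `upstreamname` line such as `{{- /* one Upstream per svc: apigw entries must not share a svc name */}}` makes that assumption explicit. The previous call is kept as a template comment on the line above instead of being deleted, which leaves dead code in the template. Removing the `useMTLS` guard in the two later hunks makes the istio SDS `sslConfig` unconditional for every upstream; that is the stricter default, but it silently breaks any upstream outside the mesh, so a comment on `sslConfig:` stating that in-mesh mTLS is now mandatory belongs next to it. The `range` enclosing this block starts outside the hunk.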
@@ -2,14 +2,15 @@ {{- $values := dict -}} {{- $_ := set $values "svc" $val.svc -}} {{- $_ := set $values "internet" $val.internet -}} + {{- $_ := set $values "csrf" $val.csrf -}} {{- $_ := set $values "cors" $val.cors -}} {{- $_ := set $values "headermanipulation" $val.headerManipulation -}} {{- $_ := set $values "rootprefix" ($val.rootPrefix | toString) -}} {{- $_ := set $values "swaggerprefix" ($val.swaggerPrefix | toString) -}} {{- $_ := set $values "serviceport" (default $.Values.defaults.service.port $val.servicePort) -}} - {{- $_ := set $values "sslsecret" (default $.Values.defaults.sslConfig.secretRef $val.sslSecret) -}} - {{- $_ := set $values "virtualservicename" (include "getVirtualServiceName" (list $values.svc $key)) -}} - {{- $_ := set $values "servicedomain" (include "getSvcDomain" (list $values $) ) -}} + {{- $_ := set $values "sslconfig" (default $.Values.defaults.sslConfig $val.sslConfig) -}} + {{- $_ := set $values "virtualservicename" $values.svc -}} + {{- $_ := set $values "servicedomain" (regexSplit " " (include "getSvcDomain" (list $values $)) -1) -}} --- apiVersion: gateway.solo.io/v1 kind: VirtualService 
@@ -17,21 +18,39 @@ metadata: name: {{ $values.virtualservicename }} namespace: {{ $.Release.Namespace }} labels: - {{- if eq true $values.internet }} + {{- if $values.internet }} {{ $.Values.defaults.metadata.glooGateway }}: public {{- else }} {{ $.Values.defaults.metadata.glooGateway }}: private {{- end }} spec: sslConfig: + parameters: + minimumProtocolVersion: {{ $values.sslconfig.minTlsVersion }} secretRef: - name: {{ $values.sslsecret }} - namespace: {{ $.Release.Namespace }} + {{- if $values.sslconfig.useCustomIssuer }} + name: {{ $values.svc }}-private-tls-by-issuer + namespace: {{ $.Release.Namespace -}} + {{- else if $values.internet }} + name: gloo-public-tls + namespace: "gloo-system" + {{- else }} + name: {{ $values.sslconfig.secretRef }} + namespace: {{ $values.sslconfig.secretRefNamespace }} + {{- end }} sniDomains: - - {{ $values.servicedomain }} + {{- range $values.servicedomain }} + {{- if . }} + - {{ . }} + {{- end }} + {{- end }} virtualHost: - domains: - - {{ $values.servicedomain }} + domains: + {{- range $values.servicedomain }} + {{- if . }} + - {{ . }} + {{- end }} + {{- end }} options: {{- if $values.headermanipulation }} headerManipulation: @@ -42,6 +61,16 @@ spec: value: {{ $v.header.value }} {{- end }} {{- end }} + {{- if $values.csrf }} + csrf: + additionalOrigins: + {{- range $values.csrf.allowSubdomain }} + - suffix: {{ regexReplaceAll "^.*://" . "" }} + {{- end }} + filterEnabled: + defaultValue: + numerator: 100 + {{- end}} {{- if $values.cors }} cors: allowCredentials: {{ default $.Values.defaults.cors.allowCredentials $values.cors.allowCredentials }} 
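Review bot: `- suffix: {{ regexReplaceAll "^.*://" . "" }}` turns each `csrf.allowSubdomain` entry into a suffix matcher on the source origin, and as far as I can tell from Envoy's string matcher a plain suffix such as `example.com` (constructed example) also accepts an origin like `notexample.com`, because nothing anchors the match at a label boundary. If the intent is subdomains only, as the key name suggests, the template should guarantee a leading dot, e.g. `- suffix: {{ regexReplaceAll "^.*://" . "" | trimPrefix "." | printf ".%s" | quote }}`, or the `allowSubdomain` schema entry should document and pattern-check that entries start with a dot. The hard-coded `gloo-public-tls` / `"gloo-system"` secret in the `else if $values.internet` branch bypasses the `secretRef`/`secretRefNamespace` the new schema accepts, so those keys are only honoured for private services; a comment on that branch saying so would prevent operators from setting them for public services and wondering why nothing changes. The `spec:` block continues outside the hunk.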
@@ -78,26 +107,26 @@ spec: maxAge: {{ default $.Values.defaults.cors.maxAge $values.cors.maxAge }} {{- end }} routes: - {{- range .routes }} - {{- $_ := set $values "prefix" .prefix -}} - {{- $_ := set $values "redirect" .redirect -}} - {{- $_ := set $values "authenticationtype" .authenticationType -}} - {{- $_ := set $values "clientid" .clientId -}} - {{- $_ := set $values "callbackPath" (default $.Values.defaults.callbackPath .callbackPath) -}} - {{- $_ := set $values "headerextension" .headerExtension -}} - {{- $_ := set $values "upstream" .upstream -}} - {{- $_ := set $values "authconfigname" (include "getAuthConfigName" (list $values)) -}} + {{- range $key, $val := .routes }} + {{- $_ := set $values "prefix" $val.prefix -}} + {{- $_ := set $values "authenticationtype" $val.authenticationType -}} + {{- $_ := set $values "clientid" ($val.authenticationConfig).clientId -}} + {{- $_ := set $values "callbackPath" (default $.Values.defaults.authenticationConfig.callbackPath ($val.authenticationConfig).callbackPath) -}} + {{- $_ := set $values "headerextension" ($val.authenticationConfig).headerExtension -}} + {{- $_ := set $values "upstream" $val.upstream -}} + {{- $_ := set $values "timeout" (default $.Values.defaults.timeout $val.timeout) -}} + {{- $_ := set $values "authconfigname" (include "getAuthConfigName" (list $values $key)) -}} {{- if $values.upstream -}} {{- $_ := set $values "upstreamname" $values.upstream.name -}} {{- $_ := set $values "upstreamnamespace" $values.upstream.namespace -}} {{- else -}} - {{- $_ := set $values "upstreamname" (include "getUpStreamName" (list $.Release.Namespace $values.svc $values.serviceport $key)) -}} - {{- $_ := set $values "upstreamnamespace" $.Values.defaults.upstreamNamespace -}} + {{- $_ := set $values "upstreamname" (include "getUpStreamName" (list $.Release.Namespace $values.svc $values.serviceport)) -}} + {{- $_ := set $values "upstreamnamespace" $.Release.Namespace -}} {{- end -}} {{- /* Set swagger redirect rule 
for ui auth flows */}} - {{- if or (eq "ui" $values.authenticationtype) (eq "ui-with-strongauth" $values.authenticationtype) }} + {{- if or (eq "backend" $values.authenticationtype) (eq "backend-with-strongauth" $values.authenticationtype) (eq "m2m" $values.authenticationtype) (eq "m2m-with-token" $values.authenticationtype) }} {{- if and (not $values.swaggerpathredirect) (or (eq $values.swaggerprefix "true") (eq $values.swaggerprefix "")) }} - matchers: - prefix: /docs @@ -118,6 +147,7 @@ spec: namespace: {{ $values.upstreamnamespace }} {{- if $values.authenticationtype }} options: + timeout: {{ $values.timeout }} extauth: configRef: name: {{ $values.authconfigname }} @@ -136,6 +166,7 @@ spec: namespace: {{ $values.upstreamnamespace }} {{- if eq "true" (include "authExists" (list $values.authenticationtype)) }} options: + timeout: {{ $values.timeout }} extauth: configRef: name: {{ $values.authconfigname }} @@ -158,6 +189,7 @@ spec: namespace: {{ $values.upstreamnamespace }} {{- if $values.authenticationtype }} options: + timeout: {{ $values.timeout }} extauth: configRef: name: {{ $values.authconfigname }} diff --git a/charts/gloo-config/templates/virtualservice_http-to-https.tpl b/charts/gloo-config/templates/virtualservice_http-to-https.tpl deleted file mode 100644 index 0214a8b..0000000 --- a/charts/gloo-config/templates/virtualservice_http-to-https.tpl +++ /dev/null 
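Review bot: The condition right under the comment `{{- /* Set swagger redirect rule for ui auth flows */}}` now fires for `backend`, `backend-with-strongauth`, `m2m` and `m2m-with-token` and no longer for the two `ui` types, so the comment states the opposite of the code; it should say for which authentication types the `/docs` and swagger prefixes are redirected and why the ui flows are excluded now, e.g. `{{- /* Swagger redirect only for backend and m2m routes; ui flows serve docs through the main route */}}` if that is the reason. The `range` over `.routes` and the rest of the route block continue outside the hunk.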
@@ -1,68 +0,0 @@ -{{- /* Check if any redirects are defined */}} -{{- $redirects := dict -}} -{{ range $.Values.apigw -}} - {{- range .routes -}} - {{- if .httpsRedirect -}} - {{- $_ := set $redirects "found" true -}} - {{- end -}} - {{- end -}} -{{- end -}} - -{{- /* Only create virtualservice for http-to-https if at least one httpsRedirect defined */}} -{{- if $redirects.found -}} - {{- range $key, $val := $.Values.apigw -}} - {{- $values := dict -}} - {{- $_ := set $values "svc" $val.svc -}} - {{- $_ := set $values "internet" $val.internet -}} - {{- $_ := set $values "virtualservicename" (include "getVirtualServiceName" (list (printf "%s-%s" $values.svc "http-to-https") $key)) -}} - {{- $_ := set $values "servicedomain" (include "getSvcDomain" (list $values $) ) -}} ---- -apiVersion: gateway.solo.io/v1 -kind: VirtualService -metadata: - name: {{ $values.virtualservicename }} - namespace: {{ $.Release.Namespace }} - labels: - {{- if eq true $values.internet }} - {{ $.Values.defaults.metadata.glooGateway}}: public - {{- else }} - {{ $.Values.defaults.metadata.glooGateway}}: private - {{- end }} -spec: - virtualHost: - domains: - - {{ $values.servicedomain }} - routes: - {{- range .routes }} - {{- $_ := set $values "authenticationtype" .authenticationType -}} - {{- $_ := set $values "prefix" .prefix -}} - {{- $_ := set $values "httpsredirect" .httpsRedirect -}} - {{- if or (eq "ui" $values.authenticationtype) (eq "ui-with-strongauth" $values.authenticationtype) }} - {{- if not $values.swaggerpathredirect }} - - matchers: - - prefix: /swagger-ui.html - - prefix: /docs - redirectAction: - httpsRedirect: true - {{- $_ := set $values "swaggerpathredirect" true -}} - {{- end }} - {{- end }} - {{- if and ($values.httpsredirect) (not (eq "/docs" $values.prefix)) (not (eq "/swagger-ui.html" $values.prefix)) }} - - matchers: - - prefix: {{ $values.prefix }} - redirectAction: - httpsRedirect: true - {{- end }} - {{- if eq "/" $values.prefix -}} - {{- $_ := set $values 
"rootPathExist" "" -}} - {{- end -}} - {{- end -}} - {{- /* Set root prefix if not exist */}} - {{- if not (hasKey $values "rootPathExist") }} - - matchers: - - prefix: / - redirectAction: - httpsRedirect: true - {{- end }} - {{- end -}} -{{ end -}} diff --git a/charts/gloo-config/values.schema.json b/charts/gloo-config/values.schema.json index a6f9f16..b7c952c 100644 --- a/charts/gloo-config/values.schema.json +++ b/charts/gloo-config/values.schema.json @@ -5,9 +5,6 @@ "defaults": { "type": "object", "properties": { - "callbackPath": { - "type": "string" - }, "cors": { "type": "object", "properties": { @@ -20,20 +17,24 @@ }, "required": [ "allowCredentials", "maxAge" ] }, - "domains": { - "type": "array", - "items": { - "type": "string" - } + "env": { + "type": "string", + "enum": ["dev", "int", "prod"] + }, + "timeout": { + "type": "string" }, - "extauth": { + "authenticationConfig": { "type": "object", "properties": { "redis": { "type": "object", "properties": { "cacheName": { - "type": "string" + "type": "string", + "enum":[ + "-prod", "wadtfy-int", "wadtfy-test" + ] } }, "required": [ "cacheName" ] @@ -47,11 +48,11 @@ }, "required": [ "cookieTimeout" ] }, - "timeout": { - "type": "string" + "callbackPath": { + "$ref": "#/definitions/sanePrefix" } }, - "required": [ "redis", "session", "timeout" ] + "required": [ "redis", "session", "callbackPath" ] }, "issuerUrl": { "type": "string" @@ -70,15 +71,9 @@ }, "passthru": { "type": "object", - "properties": { - "enableAccessTokenForwarding": { - "type": "boolean" - }, - "enableQAccountMatching": { - "type": "boolean" - }, - "enableSubjectForwarding": { - "type": "boolean" + "properties": { + "config": { + "type": "null" }, "grpcAddress": { "type": "object", @@ -92,9 +87,15 @@ "tokenAuth": { "type": "string" } - } + }, + "required": [ + "headerExtension", "strongAuth", "tokenAuth" + ] } - } + }, + "required": [ + "grpcAddress" + ] }, "realms": { "type": "object", 
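Review bot: The new enum for `defaults.authenticationConfig.redis.cacheName` lists `"-prod"`, `"wadtfy-int"` and `"wadtfy-test"`; next to its two siblings and to the `"wadtfy-prod"` used in the removed route-level `sessionCacheName` enum, `"-prod"` looks like a truncated `"wadtfy-prod"` and would reject the production cache name while accepting a value presumably no Redis cache is configured under. `defaults.passthru.config` is typed `"null"`, so the defaults block can never carry passthru settings even though the `auth_*.yaml` templates in this commit moved those settings into a `passthru.config` map; if a per-service map with no chart default is the intent, a `"description"` saying so would stop the next maintainer from trying to set it.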
@@ -123,21 +124,74 @@ "sslConfig": { "type": "object", "properties": { + "minTlsVersion": { + "type": "string", + "enum": [ + "TLSv1_2", "TLSv1_3" + ] + }, + "useCustomIssuer": { + "type": "boolean" + }, "secretRef": { "type": "string" + }, + "secretRefNamespace": { + "type": "string" } }, - "required": [ "secretRef" ] - }, - "upstreamNamespace": { - "type": "string" + "required": [ "minTlsVersion" ], + "allOf": [ + { + "if": { + "properties": { "useCustomIssuer": { "const": false } }, + "required": ["useCustomIssuer"] + }, + "then": { + "properties": { + "certificate": { + "type": "object", + "properties": { + "issuerGroup": { + "type": "string" + }, + "organization": { + "type": "string" + }, + "country": { + "type": "string" + }, + "location": { + "type": "string" + }, + "province": { + "type": "string" + }, + "organizationalUnit": { + "type": "string" + }, + "emailAddresses": { + "type": "array", + "uniqueItems": true, + "items": { + "type": "string" + } + } + }, + "required": [ "issuerGroup", "organization", "country", "location", "province", "organizationalUnit" ] + } + }, + "required": ["certificate"] + } + } + ] } }, - "required": [ - "domains", "issuerUrl", "metadata", "realms", "openidConfigurationUrl", - "redisUrl", "extauth", "callbackPath", "service", - "sslConfig", "cors", "upstreamNamespace" - ] + "required": [ + "env", "issuerUrl", "metadata", "realms", "openidConfigurationUrl", + "redisUrl", "authenticationConfig", "service", + "sslConfig", "cors", "passthru", "timeout" + ] }, "apigw": { @@ -151,12 +205,6 @@ "internet": { "type": "boolean" }, - "useMTLS": { - "type": "boolean" - }, - "sslSecret": { - "type": "string" - }, "rootPrefix": { "type": "boolean" }, @@ -172,6 +220,18 @@ "servicePort": { "type": "integer" }, + "csrf": { + "type": "object", + "properties": { + "allowSubdomain": { + "type": "array", + "items": { + "type": "string" + } + } + }, + "required": ["allowSubdomain"] + }, "cors": { "type": "object", "properties": { 
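Review bot: In the `@@ -123,21 +124,74 @@` hunk `secretRef` drops out of `sslConfig.required`, but the new `allOf` only covers `useCustomIssuer: false` (requiring `certificate`); with `useCustomIssuer: true` or `useCustomIssuer` omitted a config with no `secretRef` at all now validates. Whether the template then renders an `sslConfig` with an empty secret reference I cannot tell from this diff, but the schema no longer catches it. A second branch makes the contract symmetric: `{ "if": { "properties": { "useCustomIssuer": { "const": true } }, "required": ["useCustomIssuer"] }, "then": { "required": ["secretRef"] } }`, and adding `"useCustomIssuer"` to the top-level `"required"` stops the omitted case from bypassing both branches. Requiring `minTlsVersion` with a `TLSv1_2`/`TLSv1_3` enum is a sound floor.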
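Review bot: `csrf.allowSubdomain` in the `@@ -172,6 +220,18 @@` hunk is required but accepts an empty array and any string, so a CSRF block with no allowed origin, or an entry carrying a stray scheme or path, passes lint. Consider `"minItems": 1, "uniqueItems": true` (the file already uses `uniqueItems` for `emailAddresses`) plus a `"description"` stating whether entries are bare domain suffixes or full origins, since that decides how the gateway matches them. How the template consumes the list is outside this diff.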
@@ -235,6 +295,26 @@ "strongAuthLevel": { "type": "integer" }, + "sslConfig": { + "type": "object", + "properties": { + "minTlsVersion": { + "type": "string", + "enum": [ + "TLSv1_2", "TLSv1_3" + ] + }, + "useCustomIssuer": { + "type": "boolean" + }, + "secretRef": { + "type": "string" + }, + "secretRefNamespace": { + "type": "string" + } + } + }, "routes": { "type": "array", "items": { @@ -249,36 +329,12 @@ "ui", "ui-with-strongauth", "backend", "backend-with-strongauth", "m2m", "m2m-with-token" ] }, - "clientId": { - "$ref": "#/definitions/saneClientID" - }, - "callbackPath": { - "$ref": "#/definitions/sanePrefix" - }, "clientSecret": { "type": "string" }, "redirectUrl": { "type": "string" }, - "headerExtension": { - "type": "boolean" - }, - "allowedClientIds": { - "type": "array", - "items": { - "type": "string" - } - }, - "httpsRedirect": { - "type": "boolean" - }, - "sessionCacheName": { - "type": "string", - "enum":[ - "auth0-session", "wadtfy-prod", "wadtfy-int", "wadtfy-test" - ] - }, "upstream": { "type": "object", "properties": { 
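Review bot: The per-service `sslConfig` added in the `@@ -235,6 +295,26 @@` hunk duplicates the four properties of `defaults.sslConfig` from the `@@ -123,21 +124,74 @@` hunk but carries neither the `useCustomIssuer`/`certificate` conditional nor any `required` list, so a service override with `useCustomIssuer: false` and no certificate block validates here while the same values are rejected at defaults level. If the template merges the override onto the defaults the gap may be harmless, but that is not visible in this diff. A `#/definitions/sslConfig` referenced from both places, in the way `sanePrefix` and `saneClientID` are already reused, would keep the two in step.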
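Review bot: The `@@ -249,36 +329,12 @@` hunk moves `clientId`, `callbackPath`, `headerExtension` and `allowedClientIds` into `authenticationConfig` but leaves `clientSecret` and `redirectUrl` as route-level properties, while the `then` branches in the `@@ -293,48 +349,149 @@` hunk require `clientSecret` inside `authenticationConfig`, where the base `authenticationConfig.properties` does not declare it. A route that keeps `clientSecret` at the old location therefore fails the new required check with a misleading message, and one that moves it has no base-level definition to validate against. Either drop the route-level `clientSecret`/`redirectUrl` and add `"clientSecret": { "type": "string" }` to the base `authenticationConfig.properties`, or point the conditionals at the route level; the two hunks should agree on one location.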
@@ -293,48 +349,149 @@ "name" ] }, - "authPluginMode": { - "type": "string", - "enum": [ - "VerifyAccessToken", "GatherCredentials" - ] + "authenticationConfig": { + "type": "object", + "properties": { + "allowedClientIds": { + "type": "array", + "items": { + "type": "string" + } + }, + "authPluginMode": { + "type": "string", + "enum": [ + "VerifyAccessToken", "GatherCredentials" + ] + }, + "callbackPath": { + "$ref": "#/definitions/sanePrefix" + }, + "clientId": { + "$ref": "#/definitions/saneClientID" + }, + "headerExtension": { + "type": "boolean" + }, + "redis": { + "type": "object", + "properties": { + "cacheName": { + "type": "string", + "enum":[ + "wadtfy-prod", "wadtfy-int", "wadtfy-test" + ] + } + } + }, + "session": { + "type": "object", + "properties": { + "cookieTimeout": { + "type": "integer" + } + } + } + } } }, "allOf": [ { "if": { - "properties": { "type": { "const": "ui" } }, - "required": ["type"] + "properties": { "authenticationType": { "const": "ui" } }, + "required": ["authenticationType"] }, "then": { - "required": ["clientId", "clientSecret"] + "properties": { + "authenticationConfig": { + "type": "object", + "properties": { + "clientId": { + "$ref": "#/definitions/saneClientID" + }, + "clientSecret": { + "type": "string" + } + }, + "required": ["clientId", "clientSecret"] + } + }, + "required": ["authenticationConfig"] } }, { "if": { - "properties": { "type": { "const": "ui-with-strongauth" } }, - "required": ["type"] + "properties": { "authenticationType": { "const": "ui-with-strongauth" } }, + "required": ["authenticationType"] }, "then": { - "required": ["clientId", "clientSecret"] + "properties": { + "authenticationConfig": { + "type": "object", + "properties": { + "clientId": { + "$ref": "#/definitions/saneClientID" + }, + "clientSecret": { + "type": "string" + } + }, + "required": ["clientId", "clientSecret"] + } + }, + "required": ["authenticationConfig"] } }, { "if": { - "properties": { "type": { "const": "m2m" } }, - "required": 
["type"] + "properties": { "authenticationType": { "const": "m2m" } }, + "required": ["authenticationType"] }, "then": { - "required": ["allowedClientIds"] + "properties": { + "authenticationConfig": { + "type": "object", + "properties": { + "allowedClientIds": { + "type": "array", + "items": { + "type": "string" + } + } + }, + "required": ["allowedClientIds"] + } + }, + "required": ["authenticationConfig"] } }, { "if": { - "properties": { "type": { "const": "m2m-with-token" } }, - "required": ["type"] + "properties": { "authenticationType": { "const": "m2m-with-token" } }, + "required": ["authenticationType"] }, "then": { - "required": ["clientId", "clientSecret"] + "properties": { + "authenticationConfig": { + "type": "object", + "properties": { + "clientId": { + "$ref": "#/definitions/saneClientID" + }, + "clientSecret": { + "type": "string" + }, + "authPluginMode": { + "type": "string", + "enum": [ + "VerifyAccessToken", "GatherCredentials" + ] + } + }, + "required": ["clientId", "clientSecret", "authPluginMode"] + } + }, + "required": ["authenticationConfig"] } } ],