wip: fix logic around templating

defenseunicorns · Dec 12, 2024 · d445aaa · d445aaa
1 parent f6b0b59
commit d445aaa
Show file tree

Hide file tree

Showing 8 changed files with 17 additions and 7 deletions.
diff --git a/docs/reference/configuration/ingress.md b/docs/reference/configuration/ingress.md
@@ -36,7 +36,7 @@ packages:
 
 ### Configure Domain Name and TLS for Istio Gateways
 
-By default, the UDS Core Istio Gateways are set up to use the `uds.dev` domain and have a valid TLS certificate packaged.  You will want to change the domain name for your environment and provide a valid TLS certificate for this domain.
+By default, the UDS Core Istio Gateways are set up to use the `uds.dev` (tenant/passthrough) and `admin.uds.dev` (admin) domains with valid TLS certificates.  You will need to change the domain name for your environment and provide a valid TLS certificate for your domain(s).
 
 You can set the TLS certs via overrides in a [UDS Bundle](https://uds.defenseunicorns.com/structure/bundles/) (see below). UDS Core Istio Gateways default to only supporting TLS v1.3, but this can also be overridden per gateway if clients use TLS 1.2 (as seen in the tenant gateway example `value` below).
 
@@ -81,11 +81,12 @@ You can then either use environment variables (`UDS_ADMIN_TLS_CERT`, `UDS_ADMIN_
 The `TLS_CERT` configuration values must include your specific domain certificate (e.g., `*.uds.dev`) **and** the full certificate chain leading up to a trusted root Certificate Authority (CA), concatenated together. Failing to include the full chain can result in unexpected behavior with certain applications, as some container images may not inherently trust intermediate certificates.
 :::
 
-Domain should be set via your [uds-config](https://uds.defenseunicorns.com/reference/cli/quickstart-and-usage/#variables-and-configuration) file using the shared key to override the Zarf Domain Variable (see example `uds-config.yaml` below).
+Domain should be set via your [uds-config](https://uds.defenseunicorns.com/reference/cli/quickstart-and-usage/#variables-and-configuration) file using the shared key to override the Zarf Domain Variable (see example `uds-config.yaml` below). By default the `admin_domain` will be set to `admin.<DOMAIN>` but can be overridden to host admin services on a different domain.
 
 ```yaml
 shared:
   domain: yourawesomedomain.com # shared across all packages in a bundle
+  admin_domain: youradmindomain.com # optional, defaults to admin.yourawesomedomain.com
 
 # TLS Certs/Keys if not provided via environment variables
 variables:

diff --git a/src/grafana/values/values.yaml b/src/grafana/values/values.yaml
@@ -17,13 +17,9 @@ extraSecretMounts:
     mountPath: /etc/secrets/auth_generic_oauth
     readOnly: true
 
-# These values are used to template the grafana.ini server value below
-domain: "###ZARF_VAR_DOMAIN###"
-adminDomain: "###ZARF_VAR_ADMIN_DOMAIN###"
-
 grafana.ini:
   server:
-    root_url: https://grafana.{{ $.Values.adminDomain | default (printf "admin.%s" $.Values.domain) }}
+    root_url: https://grafana.{{ "###ZARF_VAR_ADMIN_DOMAIN###" | default "admin.###ZARF_VAR_DOMAIN###" }}
   # Disable telemetry that doesn't function in the airgap
   analytics:
     reporting_enabled: false

diff --git a/src/istio/values/config-admin.yaml b/src/istio/values/config-admin.yaml
@@ -2,6 +2,7 @@
 # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial
 
 name: admin
+# Accommodate a specific admin domain or the default of `admin.DOMAIN`
 domain: '{{ "###ZARF_VAR_ADMIN_DOMAIN###" | default "admin.###ZARF_VAR_DOMAIN###" }}'
 tls:
   servers:

diff --git a/src/keycloak/chart/templates/statefulset.yaml b/src/keycloak/chart/templates/statefulset.yaml
@@ -88,6 +88,8 @@ spec:
             # Common configuration
             - name: UDS_DOMAIN
               value: "{{ .Values.domain }}"
+            - name: UDS_ADMIN_DOMAIN
+              value: "{{ tpl .Values.adminDomain . }}"
 
             # Enable health and metrics endpoints
             - name: KC_HEALTH_ENABLED

diff --git a/src/keycloak/chart/values.schema.json b/src/keycloak/chart/values.schema.json
@@ -130,6 +130,9 @@
     "domain": {
       "type": "string"
     },
+    "adminDomain": {
+      "type": "string"
+    },
     "enableServiceLinks": {
       "type": "boolean"
     },

diff --git a/src/keycloak/chart/values.yaml b/src/keycloak/chart/values.yaml
@@ -14,6 +14,8 @@ configImage: ghcr.io/defenseunicorns/uds/identity-config:0.8.0
 
 # The public domain name of the Keycloak server
 domain: "###ZARF_VAR_DOMAIN###"
+# The admin domain for hosts to trust clients on
+adminDomain: '{{ "###ZARF_VAR_ADMIN_DOMAIN###" | default "admin.###ZARF_VAR_DOMAIN###" }}'
 
 # Additional Istio Gateways that expose Keycloak, to allow for client cert usage
 # A prefix of `istio-` is required for namespaces to prevent accidental misconfiguration

diff --git a/src/keycloak/common/zarf.yaml b/src/keycloak/common/zarf.yaml
@@ -15,6 +15,8 @@ components:
         # renovate: datasource=docker depName=quay.io/keycloak/keycloak versioning=semver
         version: 26.0.7
         localPath: ../chart
+        valuesFiles:
+          - ../chart/values.yaml
     actions:
       onDeploy:
         before:

diff --git a/src/keycloak/zarf.yaml b/src/keycloak/zarf.yaml
@@ -11,6 +11,9 @@ variables:
     description: "Cluster domain"
     default: "uds.dev"
 
+  - name: ADMIN_DOMAIN
+    description: "Domain for admin services, defaults to `admin.DOMAIN`"
+
 components:
   - name: keycloak
     required: true