diff --git a/docs/reference/configuration/ingress.md b/docs/reference/configuration/ingress.md
index 416469356..b1ab00cfd 100644
--- a/docs/reference/configuration/ingress.md
+++ b/docs/reference/configuration/ingress.md
@@ -36,7 +36,7 @@ packages:
 ### Configure Domain Name and TLS for Istio Gateways
-By default, the UDS Core Istio Gateways are set up to use the `uds.dev` domain and have a valid TLS certificate packaged. You will want to change the domain name for your environment and provide a valid TLS certificate for this domain.
+By default, the UDS Core Istio Gateways are set up to use the `uds.dev` (tenant/passthrough) and `admin.uds.dev` (admin) domains with valid TLS certificates. You will need to change the domain name for your environment and provide a valid TLS certificate for your domain(s).
 You can set the TLS certs via overrides in a [UDS Bundle](https://uds.defenseunicorns.com/structure/bundles/) (see below). UDS Core Istio Gateways default to only supporting TLS v1.3, but this can also be overridden per gateway if clients use TLS 1.2 (as seen in the tenant gateway example `value` below).
@@ -81,11 +81,12 @@ You can then either use environment variables (`UDS_ADMIN_TLS_CERT`, `UDS_ADMIN_
 The `TLS_CERT` configuration values must include your specific domain certificate (e.g., `*.uds.dev`) **and** the full certificate chain leading up to a trusted root Certificate Authority (CA), concatenated together. Failing to include the full chain can result in unexpected behavior with certain applications, as some container images may not inherently trust intermediate certificates.
 :::
-Domain should be set via your [uds-config](https://uds.defenseunicorns.com/reference/cli/quickstart-and-usage/#variables-and-configuration) file using the shared key to override the Zarf Domain Variable (see example `uds-config.yaml` below).
+Domain should be set via your [uds-config](https://uds.defenseunicorns.com/reference/cli/quickstart-and-usage/#variables-and-configuration) file using the shared key to override the Zarf Domain Variable (see example `uds-config.yaml` below). By default the `admin_domain` will be set to `admin.` but can be overridden to host admin services on a different domain.
 ```yaml
 shared:
 domain: yourawesomedomain.com # shared across all packages in a bundle
+ admin_domain: youradmindomain.com # optional, defaults to admin.yourawesomedomain.com
 # TLS Certs/Keys if not provided via environment variables
 variables:
diff --git a/src/grafana/values/values.yaml b/src/grafana/values/values.yaml
index 2ec64914a..bb60966ae 100644
--- a/src/grafana/values/values.yaml
+++ b/src/grafana/values/values.yaml
@@ -17,13 +17,9 @@ extraSecretMounts:
 mountPath: /etc/secrets/auth_generic_oauth
 readOnly: true
-# These values are used to template the grafana.ini server value below
-domain: "###ZARF_VAR_DOMAIN###"
-adminDomain: "###ZARF_VAR_ADMIN_DOMAIN###"
-
 grafana.ini:
 server:
- root_url: https://grafana.{{ $.Values.adminDomain | default (printf "admin.%s" $.Values.domain) }}
+ root_url: https://grafana.{{ "###ZARF_VAR_ADMIN_DOMAIN###" | default "admin.###ZARF_VAR_DOMAIN###" }}
 # Disable telemetry that doesn't function in the airgap
 analytics:
 reporting_enabled: false
diff --git a/src/istio/values/config-admin.yaml b/src/istio/values/config-admin.yaml
index c27b5085c..cde6e30aa 100644
--- a/src/istio/values/config-admin.yaml
+++ b/src/istio/values/config-admin.yaml
@@ -2,6 +2,7 @@
 # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial
 name: admin
+# Accommodate a specific admin domain or the default of `admin.DOMAIN`
 domain: '{{ "###ZARF_VAR_ADMIN_DOMAIN###" | default "admin.###ZARF_VAR_DOMAIN###" }}'
 tls:
 servers:
diff --git a/src/keycloak/chart/templates/statefulset.yaml b/src/keycloak/chart/templates/statefulset.yaml
index 6f3a9e570..ce351fa93 100644
--- a/src/keycloak/chart/templates/statefulset.yaml
+++ b/src/keycloak/chart/templates/statefulset.yaml
@@ -88,6 +88,8 @@ spec:
 # Common configuration
 - name: UDS_DOMAIN
 value: "{{ .Values.domain }}"
+ - name: UDS_ADMIN_DOMAIN
+ value: "{{ tpl .Values.adminDomain . }}"
 # Enable health and metrics endpoints
 - name: KC_HEALTH_ENABLED
diff --git a/src/keycloak/chart/values.schema.json b/src/keycloak/chart/values.schema.json
index f05bdc3a8..25a63d2f5 100644
--- a/src/keycloak/chart/values.schema.json
+++ b/src/keycloak/chart/values.schema.json
@@ -130,6 +130,9 @@
 "domain": {
 "type": "string"
 },
+ "adminDomain": {
+ "type": "string"
+ },
 "enableServiceLinks": {
 "type": "boolean"
 },
diff --git a/src/keycloak/chart/values.yaml b/src/keycloak/chart/values.yaml
index 7f61f9012..49518c4bd 100644
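Review bot: The new `root_url` line leaves a value that embeds double quotes and a pipe as a plain scalar, while the identical template expression is single-quoted in `src/istio/values/config-admin.yaml` and `src/keycloak/chart/values.yaml` in this same commit; quoting it the same way keeps the three files consistent and rules out the parse failure a plain scalar gets if it is ever edited to begin with `{{`: `root_url: 'https://grafana.{{ "###ZARF_VAR_ADMIN_DOMAIN###" | default "admin.###ZARF_VAR_DOMAIN###" }}'`. Since Grafana derives its OAuth callback URL from `root_url`, a mis-rendered admin domain shows up as a redirect-URI mismatch at login rather than at deploy time, so a rendered-output check in CI is worth more here than in most values files. The removed `domain` and `adminDomain` keys should be grepped for elsewhere in the chart's templates before merge, as any remaining `.Values.domain` reference now resolves to nothing. The `grafana.ini` mapping continues past the hunk.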
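Review bot: In the statefulset hunk, `UDS_ADMIN_DOMAIN` is rendered through `tpl` while `UDS_DOMAIN` two lines above uses `.Values.domain` verbatim, and nothing in the template explains the asymmetry; a comment saves the next reader a trip to values.yaml: `# adminDomain holds a Helm template ({{ ... | default ... }}) and must be rendered with tpl`. Note that `default` only fires when the Zarf variable renders to an empty string; if the chart is rendered without Zarf templating, the literal `###ZARF_VAR_ADMIN_DOMAIN###` placeholder is non-empty and lands in the env var unchanged, the same caveat that already applies to `UDS_DOMAIN`. The container spec this env list belongs to starts and ends outside the hunk.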
--- a/src/keycloak/chart/values.yaml
+++ b/src/keycloak/chart/values.yaml
@@ -14,6 +14,8 @@ configImage: ghcr.io/defenseunicorns/uds/identity-config:0.8.0
 # The public domain name of the Keycloak server
 domain: "###ZARF_VAR_DOMAIN###"
+# The admin domain for hosts to trust clients on
+adminDomain: '{{ "###ZARF_VAR_ADMIN_DOMAIN###" | default "admin.###ZARF_VAR_DOMAIN###" }}'
 # Additional Istio Gateways that expose Keycloak, to allow for client cert usage
 # A prefix of `istio-` is required for namespaces to prevent accidental misconfiguration
diff --git a/src/keycloak/common/zarf.yaml b/src/keycloak/common/zarf.yaml
index f8ff6726d..7df06d73f 100644
--- a/src/keycloak/common/zarf.yaml
+++ b/src/keycloak/common/zarf.yaml
@@ -15,6 +15,8 @@ components:
 # renovate: datasource=docker depName=quay.io/keycloak/keycloak versioning=semver
 version: 26.0.7
 localPath: ../chart
+ valuesFiles:
+ - ../chart/values.yaml
 actions:
 onDeploy:
 before:
diff --git a/src/keycloak/zarf.yaml b/src/keycloak/zarf.yaml
index 710f56ea0..3116d5a0c 100644
--- a/src/keycloak/zarf.yaml
+++ b/src/keycloak/zarf.yaml
@@ -11,6 +11,9 @@ variables:
 description: "Cluster domain"
 default: "uds.dev"
+ - name: ADMIN_DOMAIN
+ description: "Domain for admin services, defaults to `admin.DOMAIN`"
+
 components:
 - name: keycloak
 required: true
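Review bot: The comment added above `adminDomain` in `src/keycloak/chart/values.yaml`, "The admin domain for hosts to trust clients on", does not say what the value actually is — a Helm template string that every consumer must pass through `tpl`, as the statefulset in this commit does — nor when its fallback applies. Suggest: `# Domain the admin services are served from; a Helm template (render with tpl) that falls back to admin.<domain> when ADMIN_DOMAIN is empty`. Any template that reads `.Values.adminDomain` without `tpl` would emit the raw `{{ ... }}` string into the rendered manifest.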
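Review bot: The `valuesFiles` entry added in `src/keycloak/common/zarf.yaml` points at the chart's own default values file, which reads as a no-op to anyone who does not know that Zarf substitutes `###ZARF_VAR_*###` placeholders only in files listed there; an unexplained line like this invites a later "cleanup" that would silently leave `domain` and `adminDomain` as literal placeholders. If that is the reason for the entry, record it in place: `# listed explicitly so Zarf templates the ###ZARF_VAR_*### placeholders in the chart defaults`. The `charts` entry this belongs to starts outside the hunk.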
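Review bot: `ADMIN_DOMAIN` in `src/keycloak/zarf.yaml` is declared with a description but no `pattern`, yet its value is spliced into quoted Helm template expressions in `src/keycloak/chart/values.yaml`, `src/istio/values/config-admin.yaml` and `src/grafana/values/values.yaml` in this commit, so a value containing a double quote, whitespace or a scheme prefix would break those templates at render time instead of being rejected at deploy time. If the `DOMAIN` variable above it (its declaration starts outside the hunk) carries a `pattern`, mirror it here; otherwise something like `pattern: "^[A-Za-z0-9.-]*$"` (constructed) would do, and it must admit the empty string because no `default` is set and the charts supply `admin.DOMAIN` themselves. The description could say that explicitly too: `description: "Domain for admin services; leave empty to use admin.DOMAIN"`.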