feat: add monitoring virtualservices for alertmanager / prometheus

packages/standard/zarf.yaml

@@ -61,6 +61,12 @@ components:
     import:
       path: ../identity-authorization
 
+  # Authservice
+  - name: authservice
+    required: true
+    import:
+      path: ../identity-authorization
+
   # Neuvector
   - name: neuvector
     required: true
@@ -91,12 +97,6 @@ components:
     import:
       path: ../monitoring
 
-  # Authservice
-  - name: authservice
-    required: true
-    import:
-      path: ../identity-authorization
-
   # Velero
   - name: velero
     required: true

src/prometheus-stack/chart/templates/uds-package.yaml

@@ -7,7 +7,43 @@ metadata:
   name: prometheus-stack
   namespace: {{ .Release.Namespace }}
 spec:
+  {{- if .Values.sso.enabled }}
+  sso:
+    - name: uds-prometheus
+      clientId: uds-prometheus
+      redirectUris:
+        - "https://prom.admin.{{ .Values.domain }}/auth"
+      enableAuthserviceSelector:
+        app.kubernetes.io/name: prometheus
+      groups:
+        anyOf:
+          - /UDS Core/Admin
+          - /UDS Core/Auditor
+    - name: uds-alertmanager
+      clientId: uds-alertmanager
+      redirectUris:
+        - "https://alerts.admin.{{ .Values.domain }}/auth"
+      enableAuthserviceSelector:
+        app.kubernetes.io/name: alertmanager
+      groups:
+        anyOf:
+          - /UDS Core/Admin
+          - /UDS Core/Auditor
+  {{- end }}
   network:
+    expose:
+      - service: alertmanager-operated
+        selector:
+          app.kubernetes.io/name: alertmanager
+        host: alerts
+        gateway: admin
+        port: 9093
+      - service: prometheus-operated
+        selector:
+          app: prometheus
+        host: prom
+        gateway: admin
+        port: 9090
     allow:
       # Permit intra-namespace communication
       - direction: Ingress
@@ -65,3 +101,18 @@ spec:
         port: 9090
         description: "Grafana Metrics Queries"
 
+      # Custom rules for unanticipated scenarios
+      {{- range .Values.custom }}
+      - direction: {{ .direction }}
+        selector:
+          {{ .selector | toYaml | nindent 10 }}
+        {{- if not .remoteGenerated }}
+        remoteNamespace: {{ .remoteNamespace }}
+        remoteSelector:
+          {{ .remoteSelector | toYaml | nindent 10 }}
+        port: {{ .port }}
+        {{- else }}
+        remoteGenerated: {{ .remoteGenerated }}
+        {{- end }}
+        description: {{ .description }}
+      {{- end }}

src/prometheus-stack/chart/values.yaml

@@ -1,2 +1,15 @@
 # Copyright 2024 Defense Unicorns
 # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial
+
+domain: "###ZARF_VAR_DOMAIN###"
+
+sso:
+  enabled: true
+
+custom: []
+#   - direction: Egress
+#     selector:
+#       app.kubernetes.io/name: alertmanager
+#     remoteGenerated: Anywhere
+#     description: "Egress from alertmanager to anywhere"
+#     port: 443