From 25be2e580b1ea1e836f1e56d172eba11b52c2d41 Mon Sep 17 00:00:00 2001
From: Joel McCoy
Date: Sat, 2 Nov 2024 19:42:09 -0500
Subject: [PATCH 1/9] feat: add virtual services / authservice for monitoring package
---
.../chart/templates/uds-package.yaml | 51 +++++++++++++++++++
src/prometheus-stack/chart/values.yaml | 13 +++++
2 files changed, 64 insertions(+)
diff --git a/src/prometheus-stack/chart/templates/uds-package.yaml b/src/prometheus-stack/chart/templates/uds-package.yaml
index fd049e994..007817950 100644
--- a/src/prometheus-stack/chart/templates/uds-package.yaml
+++ b/src/prometheus-stack/chart/templates/uds-package.yaml
@@ -7,7 +7,43 @@ metadata: name: prometheus-stack namespace: {{ .Release.Namespace }} spec: + {{- if .Values.sso.enabled }} + sso: + - name: uds-prometheus + clientId: uds-prometheus + redirectUris: + - "https://prom.admin.{{ .Values.domain }}/auth" + enableAuthserviceSelector: + app.kubernetes.io/name: prometheus + groups: + anyOf: + - /UDS Core/Admin + - /UDS Core/Auditor + - name: uds-alertmanager + clientId: uds-alertmanager + redirectUris: + - "https://alerts.admin.{{ .Values.domain }}/auth" + enableAuthserviceSelector: + app.kubernetes.io/name: alertmanager + groups: + anyOf: + - /UDS Core/Admin + - /UDS Core/Auditor + {{- end }} network: + expose: + - service: alertmanager-operated + selector: + app.kubernetes.io/name: alertmanager + host: alerts + gateway: admin + port: 9093 + - service: prometheus-operated + selector: + app: prometheus + host: prom + gateway: admin + port: 9090 allow: # Permit intra-namespace communication - direction: Ingress 
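Review bot: The `expose` entry for `prometheus-operated` selects pods with `app: prometheus`, while the `uds-prometheus` SSO client's `enableAuthserviceSelector` selects `app.kubernetes.io/name: prometheus`; the two selectors can match different pod sets, and a pod that is exposed on the admin gateway but not matched by the authservice selector would be reachable without the SSO redirect. Use the same label set in both places, as the alertmanager entry already does with `app.kubernetes.io/name: alertmanager`, e.g. change the expose selector to `app.kubernetes.io/name: prometheus`. The same mismatch is carried into the re-added block in patch 5 and into the `kube-prometheus-stack-prometheus` expose entry in patch 6. Whether the operator-managed Prometheus pods carry both labels cannot be confirmed from this diff.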
@@ -65,3 +101,18 @@ spec: port: 9090 description: "Grafana Metrics Queries" + # Custom rules for unanticipated scenarios + {{- range .Values.custom }} + - direction: {{ .direction }} + selector: + {{ .selector | toYaml | nindent 10 }} + {{- if not .remoteGenerated }} + remoteNamespace: {{ .remoteNamespace }} + remoteSelector: + {{ .remoteSelector | toYaml | nindent 10 }} + port: {{ .port }} + {{- else }} + remoteGenerated: {{ .remoteGenerated }} + {{- end }} + description: {{ .description }} + {{- end }}
diff --git a/src/prometheus-stack/chart/values.yaml b/src/prometheus-stack/chart/values.yaml
index 2067cc53d..a19f712be 100644
--- a/src/prometheus-stack/chart/values.yaml
+++ b/src/prometheus-stack/chart/values.yaml
@@ -1,2 +1,15 @@ # Copyright 2024 Defense Unicorns # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + +domain: "###ZARF_VAR_DOMAIN###" + +sso: + enabled: true + +custom: [] +# - direction: Egress +# selector: +# app.kubernetes.io/name: alertmanager +# remoteGenerated: Anywhere +# description: "Egress from alertmanager to anywhere" +# port: 443
From b68a2b04207f62513b89c094d8d53f982472bd1e Mon Sep 17 00:00:00 2001
From: Joel McCoy
Date: Sat, 2 Nov 2024 21:26:25 -0500
Subject: [PATCH 2/9] fix: reorder authservice
---
packages/standard/zarf.yaml | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/packages/standard/zarf.yaml b/packages/standard/zarf.yaml
index b8568b4c7..6dc231692 100644
--- a/packages/standard/zarf.yaml
+++ b/packages/standard/zarf.yaml
@@ -61,6 +61,12 @@ components: import: path: ../identity-authorization + # Authservice + - name: authservice + required: true + import: + path: ../identity-authorization + # Neuvector - name: neuvector required: true
@@ -91,12 +97,6 @@ components: import: path: ../monitoring - # Authservice - - name: authservice - required: true - import: - path: ../identity-authorization - # Velero - name: velero required: true 
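Review bot: In the `{{- range .Values.custom }}` block, `port: {{ .port }}` is rendered only inside the `{{- if not .remoteGenerated }}` branch, so a custom rule that sets `remoteGenerated` (exactly what the commented example in values.yaml in this same commit does, with `remoteGenerated: Anywhere` and `port: 443`) silently loses its port and renders as an all-ports rule. Move `port: {{ .port }}` out of the conditional, or guard it with `{{- if .port }}`, so a supplied port is honored in both branches. The templated scalars `direction`, `remoteNamespace` and `description` are emitted unquoted; `description: {{ .description | quote }}` avoids a broken render when the value contains `: ` or ` #`. Patch 8 later removes the `custom: []` default from values.yaml while this range stays in the template, which leaves the key supported but undocumented.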
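Review bot: The `authservice` component is moved ahead of `neuvector` and `monitoring`, but nothing in zarf.yaml records why the order matters; since the monitoring Package now declares `enableAuthserviceSelector` (patch 1), this reads as an install-order dependency that a later reorder could silently break. Suggest replacing the bare `# Authservice` comment with `# Authservice (deploy before packages that set enableAuthserviceSelector, e.g. monitoring)`. The dependency is inferred from the series rather than from anything in this file, so confirm it against the operator's actual requirement.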
From 8986de848ab24d33d45a99fcd3986474ccb9b35f Mon Sep 17 00:00:00 2001
From: Joel McCoy
Date: Sat, 2 Nov 2024 22:06:42 -0500
Subject: [PATCH 3/9] fix: remove authservice in front of prometheus
---
src/prometheus-stack/chart/templates/uds-package.yaml | 10 ----------
1 file changed, 10 deletions(-)
diff --git a/src/prometheus-stack/chart/templates/uds-package.yaml b/src/prometheus-stack/chart/templates/uds-package.yaml
index 007817950..2395a4996 100644
--- a/src/prometheus-stack/chart/templates/uds-package.yaml
+++ b/src/prometheus-stack/chart/templates/uds-package.yaml
@@ -9,16 +9,6 @@ metadata: spec: {{- if .Values.sso.enabled }} sso: - - name: uds-prometheus - clientId: uds-prometheus - redirectUris: - - "https://prom.admin.{{ .Values.domain }}/auth" - enableAuthserviceSelector: - app.kubernetes.io/name: prometheus - groups: - anyOf: - - /UDS Core/Admin - - /UDS Core/Auditor - name: uds-alertmanager clientId: uds-alertmanager redirectUris:
From bb2e47786935ba738f36d3c24d4988eb0b19e928 Mon Sep 17 00:00:00 2001
From: Joel McCoy
Date: Sat, 2 Nov 2024 22:19:22 -0500
Subject: [PATCH 4/9] chore: remove authservice
---
.../chart/templates/uds-package.yaml | 13 -------------
src/prometheus-stack/chart/values.yaml | 3 ---
2 files changed, 16 deletions(-)
diff --git a/src/prometheus-stack/chart/templates/uds-package.yaml b/src/prometheus-stack/chart/templates/uds-package.yaml
index 2395a4996..a50b3f90b 100644
--- a/src/prometheus-stack/chart/templates/uds-package.yaml
+++ b/src/prometheus-stack/chart/templates/uds-package.yaml
@@ -7,19 +7,6 @@ metadata: name: prometheus-stack namespace: {{ .Release.Namespace }} spec: - {{- if .Values.sso.enabled }} - sso: - - name: uds-alertmanager - clientId: uds-alertmanager - redirectUris: - - "https://alerts.admin.{{ .Values.domain }}/auth" - enableAuthserviceSelector: - app.kubernetes.io/name: alertmanager - groups: - anyOf: - - /UDS Core/Admin - - /UDS Core/Auditor - {{- end }} network: expose: - service: alertmanager-operated 
diff --git a/src/prometheus-stack/chart/values.yaml b/src/prometheus-stack/chart/values.yaml
index a19f712be..8a2f494c5 100644
--- a/src/prometheus-stack/chart/values.yaml
+++ b/src/prometheus-stack/chart/values.yaml
@@ -3,9 +3,6 @@ domain: "###ZARF_VAR_DOMAIN###" -sso: - enabled: true - custom: [] # - direction: Egress # selector:
From 10fa01b14e75ffa20b0de1877a09c915974ecdd0 Mon Sep 17 00:00:00 2001
From: Joel McCoy
Date: Sat, 9 Nov 2024 15:02:18 -0600
Subject: [PATCH 5/9] chore: add back in sso
---
.../chart/templates/uds-package.yaml | 27 +++++++++++++++++++++++++--
src/prometheus-stack/chart/values.yaml | 3 +++
2 files changed, 28 insertions(+), 2 deletions(-)
diff --git a/src/prometheus-stack/chart/templates/uds-package.yaml b/src/prometheus-stack/chart/templates/uds-package.yaml
index a50b3f90b..fb9a7247d 100644
--- a/src/prometheus-stack/chart/templates/uds-package.yaml
+++ b/src/prometheus-stack/chart/templates/uds-package.yaml
@@ -7,18 +7,41 @@ metadata: name: prometheus-stack namespace: {{ .Release.Namespace }} spec: + {{- if .Values.sso.enabled }} + sso: + - name: uds-prometheus + clientId: uds-prometheus + redirectUris: + - "https://prometheus.admin.{{ .Values.domain }}/auth" + enableAuthserviceSelector: + app.kubernetes.io/name: prometheus + groups: + anyOf: + - /UDS Core/Admin + - /UDS Core/Auditor + - name: uds-alertmanager + clientId: uds-alertmanager + redirectUris: + - "https://alertmanager.admin.{{ .Values.domain }}/auth" + enableAuthserviceSelector: + app.kubernetes.io/name: alertmanager + groups: + anyOf: + - /UDS Core/Admin + - /UDS Core/Auditor + {{- end }} network: expose: - service: alertmanager-operated selector: app.kubernetes.io/name: alertmanager - host: alerts + host: alertmanager gateway: admin port: 9093 - service: prometheus-operated selector: app: prometheus - host: prom + host: prometheus gateway: admin port: 9090 allow: 
diff --git a/src/prometheus-stack/chart/values.yaml b/src/prometheus-stack/chart/values.yaml
index 8a2f494c5..a19f712be 100644
--- a/src/prometheus-stack/chart/values.yaml
+++ b/src/prometheus-stack/chart/values.yaml
@@ -3,6 +3,9 @@ domain: "###ZARF_VAR_DOMAIN###" +sso: + enabled: true + custom: [] # - direction: Egress # selector:
From eb5f67f13fbd33ff16df6c8ebc36fd5724eb5d6a Mon Sep 17 00:00:00 2001
From: Joel McCoy
Date: Sat, 16 Nov 2024 15:12:13 -0600
Subject: [PATCH 6/9] feat: add authz policies and virtual services
---
.../templates/alertmanager-authz-policy.yaml | 22 +++++++++++++++++
.../templates/alertmanager-internal-vs.yaml | 19 +++++++++++++++
.../templates/prometheus-authz-policy.yaml | 24 +++++++++++++++++++
.../templates/prometheus-internal-vs.yaml | 19 +++++++++++++++
.../chart/templates/uds-package.yaml | 13 +++++-----
5 files changed, 91 insertions(+), 6 deletions(-)
create mode 100644 src/prometheus-stack/chart/templates/alertmanager-authz-policy.yaml
create mode 100644 src/prometheus-stack/chart/templates/alertmanager-internal-vs.yaml
create mode 100644 src/prometheus-stack/chart/templates/prometheus-authz-policy.yaml
create mode 100644 src/prometheus-stack/chart/templates/prometheus-internal-vs.yaml
diff --git a/src/prometheus-stack/chart/templates/alertmanager-authz-policy.yaml b/src/prometheus-stack/chart/templates/alertmanager-authz-policy.yaml
new file mode 100644
index 000000000..f786367f8
--- /dev/null
+++ b/src/prometheus-stack/chart/templates/alertmanager-authz-policy.yaml
@@ -0,0 +1,22 @@ +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: monitoring-alertmanager-authz-policy + namespace: monitoring +spec: + selector: + matchLabels: + app.kubernetes.io/name: alertmanager + action: ALLOW + rules: + - from: + - source: + namespaces: + - monitoring + to: + - operation: + methods: + - GET + - POST + paths: + - /* 
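Review bot: `metadata.namespace` is hard-coded to `monitoring` and the ALLOW rule repeats that literal in `source.namespaces`, while uds-package.yaml in the same chart uses `{{ .Release.Namespace }}`; if the release is ever installed elsewhere the policy lands in, or fails on, the wrong namespace. Use `namespace: {{ .Release.Namespace }}` for the metadata and `- {{ .Release.Namespace }}` in the rule; the same applies to prometheus-authz-policy.yaml and the two `*-internal-vs.yaml` files in this commit. Also worth a comment in the file: once an `action: ALLOW` policy selects a workload, Istio denies every request that no ALLOW rule matches, so traffic arriving through the admin gateway depends on some other policy (presumably the one generated for authservice) permitting it, and that assumption is not visible here. Suggest `# Explicit ALLOW for in-mesh callers; gateway traffic is expected to be governed by the authservice-generated policy` above `spec:`.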
diff --git a/src/prometheus-stack/chart/templates/alertmanager-internal-vs.yaml b/src/prometheus-stack/chart/templates/alertmanager-internal-vs.yaml
new file mode 100644
index 000000000..78ac72c67
--- /dev/null
+++ b/src/prometheus-stack/chart/templates/alertmanager-internal-vs.yaml
@@ -0,0 +1,19 @@ +apiVersion: networking.istio.io/v1 +kind: VirtualService +metadata: + name: alertmanager-internal + namespace: monitoring +spec: + hosts: + - kube-prometheus-stack-alertmanager.monitoring.svc.cluster.local + http: + - route: + - destination: + host: kube-prometheus-stack-alertmanager.monitoring.svc.cluster.local + port: + number: 9093 + headers: + request: + set: + authorization: "internal-traffic" +
diff --git a/src/prometheus-stack/chart/templates/prometheus-authz-policy.yaml b/src/prometheus-stack/chart/templates/prometheus-authz-policy.yaml
new file mode 100644
index 000000000..0c38db902
--- /dev/null
+++ b/src/prometheus-stack/chart/templates/prometheus-authz-policy.yaml
@@ -0,0 +1,24 @@ +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: monitoring-prometheus-authz-policy + namespace: monitoring +spec: + selector: + matchLabels: + app.kubernetes.io/name: prometheus + action: ALLOW + rules: + - from: + - source: + namespaces: + - monitoring + - grafana + to: + - operation: + methods: + - GET + - POST + paths: + - /* +
diff --git a/src/prometheus-stack/chart/templates/prometheus-internal-vs.yaml b/src/prometheus-stack/chart/templates/prometheus-internal-vs.yaml
new file mode 100644
index 000000000..7641274a1
--- /dev/null
+++ b/src/prometheus-stack/chart/templates/prometheus-internal-vs.yaml 
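Review bot: The VirtualService stamps a constant `authorization: "internal-traffic"` header onto every in-mesh request to alertmanager, and nothing in the file says what consumes it; a fixed header value is not a credential, so whatever policy keys on it must not treat its presence as proof of identity. The real gate for in-cluster callers is the namespace-based AuthorizationPolicy added in this commit, which rests on mTLS peer identity, and that division of responsibility should be recorded, e.g. `# Marks in-mesh traffic so it is not redirected to SSO; access is still enforced by monitoring-alertmanager-authz-policy` above `spec:`. The intended effect on the authservice integration is inferred, not visible in this diff, so confirm it before relying on the comment. The same applies to prometheus-internal-vs.yaml, and both files end with a trailing blank line (`+` on an empty line) that yamllint's empty-lines check will flag.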
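Review bot: The ALLOW rule grants every workload in the `grafana` and `monitoring` namespaces `GET` and `POST` on `paths: - /*`, i.e. the whole Prometheus HTTP surface rather than the query API a Grafana datasource needs; if the lifecycle or admin endpoints are enabled on this Prometheus (not visible here), they become reachable from any pod in those namespaces. Consider narrowing `paths` to the API prefix Grafana actually uses, or at least state that `/*` is deliberate, e.g. `# Grafana datasource queries use GET and POST under /api/v1/; /* is kept because (reason)`. Minor: this file uses `security.istio.io/v1beta1` while the VirtualServices in the same commit use `networking.istio.io/v1`; if the target Istio serves `security.istio.io/v1`, using it keeps the chart on one API generation.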
@@ -0,0 +1,19 @@ +apiVersion: networking.istio.io/v1 +kind: VirtualService +metadata: + name: prometheus-internal + namespace: monitoring +spec: + hosts: + - kube-prometheus-stack-prometheus.monitoring.svc.cluster.local + http: + - route: + - destination: + host: kube-prometheus-stack-prometheus.monitoring.svc.cluster.local + port: + number: 9090 + headers: + request: + set: + authorization: "internal-traffic" +
diff --git a/src/prometheus-stack/chart/templates/uds-package.yaml b/src/prometheus-stack/chart/templates/uds-package.yaml
index fb9a7247d..f125b4326 100644
--- a/src/prometheus-stack/chart/templates/uds-package.yaml
+++ b/src/prometheus-stack/chart/templates/uds-package.yaml
@@ -12,9 +12,10 @@ spec: - name: uds-prometheus clientId: uds-prometheus redirectUris: - - "https://prometheus.admin.{{ .Values.domain }}/auth" + - "https://metrics.admin.{{ .Values.domain }}/auth" enableAuthserviceSelector: app.kubernetes.io/name: prometheus + operator.prometheus.io/name: kube-prometheus-stack-prometheus groups: anyOf: - /UDS Core/Admin
@@ -22,7 +23,7 @@ spec: - name: uds-alertmanager clientId: uds-alertmanager redirectUris: - - "https://alertmanager.admin.{{ .Values.domain }}/auth" + - "https://alerts.admin.{{ .Values.domain }}/auth" enableAuthserviceSelector: app.kubernetes.io/name: alertmanager groups:
@@ -32,16 +33,16 @@ spec: {{- end }} network: expose: - - service: alertmanager-operated + - service: kube-prometheus-stack-alertmanager selector: app.kubernetes.io/name: alertmanager - host: alertmanager + host: alerts gateway: admin port: 9093 - - service: prometheus-operated + - service: kube-prometheus-stack-prometheus selector: app: prometheus - host: prometheus + host: metrics gateway: admin port: 9090 allow:
From 7ff5088fa1d84e864ae95dcab3279aa6e48198d9 Mon Sep 17 00:00:00 2001 
From: Joel McCoy
Date: Sat, 16 Nov 2024 15:16:56 -0600
Subject: [PATCH 7/9] chore: add license
---
.../chart/templates/alertmanager-authz-policy.yaml | 3 +++
.../chart/templates/alertmanager-internal-vs.yaml | 3 +++
.../chart/templates/prometheus-authz-policy.yaml | 3 +++
.../chart/templates/prometheus-internal-vs.yaml | 3 +++
4 files changed, 12 insertions(+)
diff --git a/src/prometheus-stack/chart/templates/alertmanager-authz-policy.yaml b/src/prometheus-stack/chart/templates/alertmanager-authz-policy.yaml
index f786367f8..08078f6d7 100644
--- a/src/prometheus-stack/chart/templates/alertmanager-authz-policy.yaml
+++ b/src/prometheus-stack/chart/templates/alertmanager-authz-policy.yaml
@@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata:
diff --git a/src/prometheus-stack/chart/templates/alertmanager-internal-vs.yaml b/src/prometheus-stack/chart/templates/alertmanager-internal-vs.yaml
index 78ac72c67..295381685 100644
--- a/src/prometheus-stack/chart/templates/alertmanager-internal-vs.yaml
+++ b/src/prometheus-stack/chart/templates/alertmanager-internal-vs.yaml
@@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + apiVersion: networking.istio.io/v1 kind: VirtualService metadata:
diff --git a/src/prometheus-stack/chart/templates/prometheus-authz-policy.yaml b/src/prometheus-stack/chart/templates/prometheus-authz-policy.yaml
index 0c38db902..e0578a9a1 100644
--- a/src/prometheus-stack/chart/templates/prometheus-authz-policy.yaml
+++ b/src/prometheus-stack/chart/templates/prometheus-authz-policy.yaml
@@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: 
diff --git a/src/prometheus-stack/chart/templates/prometheus-internal-vs.yaml b/src/prometheus-stack/chart/templates/prometheus-internal-vs.yaml
index 7641274a1..d576d97e5 100644
--- a/src/prometheus-stack/chart/templates/prometheus-internal-vs.yaml
+++ b/src/prometheus-stack/chart/templates/prometheus-internal-vs.yaml
@@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + apiVersion: networking.istio.io/v1 kind: VirtualService metadata:
From 9cacc6d16ffcf7dd68c919894a34e8fda05f770a Mon Sep 17 00:00:00 2001
From: Joel McCoy
Date: Sat, 16 Nov 2024 15:18:50 -0600
Subject: [PATCH 8/9] chore: remove custom
---
src/prometheus-stack/chart/values.yaml | 8 --------
1 file changed, 8 deletions(-)
diff --git a/src/prometheus-stack/chart/values.yaml b/src/prometheus-stack/chart/values.yaml
index a19f712be..cfa6753e4 100644
--- a/src/prometheus-stack/chart/values.yaml
+++ b/src/prometheus-stack/chart/values.yaml
@@ -5,11 +5,3 @@ domain: "###ZARF_VAR_DOMAIN###" sso: enabled: true - -custom: [] -# - direction: Egress -# selector: -# app.kubernetes.io/name: alertmanager -# remoteGenerated: Anywhere -# description: "Egress from alertmanager to anywhere" -# port: 443
From 3c2a1a181fd2f7bbc6db370158205240e388be34 Mon Sep 17 00:00:00 2001
From: Joel McCoy
Date: Sat, 16 Nov 2024 15:39:11 -0600
Subject: [PATCH 9/9] chore: cleanup custom
---
src/vector/chart/templates/uds-package.yaml | 16 ----------------
1 file changed, 16 deletions(-)
diff --git a/src/vector/chart/templates/uds-package.yaml b/src/vector/chart/templates/uds-package.yaml
index e4ac9d9c9..1ad9dd75d 100644
--- a/src/vector/chart/templates/uds-package.yaml
+++ b/src/vector/chart/templates/uds-package.yaml 
@@ -31,19 +31,3 @@ spec: app.kubernetes.io/name: loki port: 8080 description: "Write Logs to Loki" - - # Custom rules for additional networking access - {{- range .Values.additionalNetworkAllow }} - - direction: {{ .direction }} - selector: - {{ .selector | toYaml | nindent 10 }} - {{- if not .remoteGenerated }} - remoteNamespace: {{ .remoteNamespace }} - remoteSelector: - {{ .remoteSelector | toYaml | nindent 10 }} - port: {{ .port }} - {{- else }} - remoteGenerated: {{ .remoteGenerated }} - {{- end }} - description: {{ .description }} - {{- end }}