How to upgrade the Authservice Package chartπ
The Authservice chart is mostly custom, but a vague origin can be found here. That being said, updates to the chart resources are almost all custom, so the modifications to upstream section will be empty.
Most of the renovate work is going to be bumping the redis or authservice version in Chart.yaml
.
- Checkout the
renovate/ironbank
branch. - Find the latest redis chart version on harbor.
- Bump the version redis in
chart/Chart.yaml
at.dependencies["redis"].version
. Renovate may have done this for you. -
Run a helm dependency command to update the
chart/charts/*.tgz
archives and create a new Chart.lock file. You will commit the tar archives along with the Chart.lock that was generated.helm dependency update ./chart
- If you haven’t authorized helm to access the Harbor registry, you can do so with
helm registry login registry1.dso.mil
. - In
chart/Chart.yaml
updateannotations.'helm.sh/image'
entries to to the new versions. Renovate might have already done this for you. - Redis image on harbor.
- Authservice image on harbor.
-
Note the
.appversion
,.version
before the-bb.Y
, andannotations.'bigbang.dev/applicationVersions["Authservice"]'
should matchannotations.'helm.sh/image'["authservice"].image
after the ‘:’.version: X.X.X-bb.Y appVersion: X.X.X annotations: bigbang.dev/applicationVersions: | - Authservice: X.X.X helm.sh/images: | - name: authservice image: registry1.dso.mil/ironbank/istio-ecosystem/authservice:X.X.X - name: redis condition: redis.enabled image: registry1.dso.mil/ironbank/bitnami/redis:Z.Z.Z
-
In
chart/values.yaml
theimage
entry should match thechart/Chart.yaml
annotations.'helm.sh/image'["authservice"].image
.image: repository: registry1.dso.mil/ironbank/istio-ecosystem/authservice pullPolicy: IfNotPresent # -- Overrides the image tag whose default is the chart appVersion. tag: "X.X.X"
- If you haven’t authorized helm to access the Harbor registry, you can do so with
-
Update
CHANGELOG.md
with an entry for “upgrade authservice to redis version X.X.X chart version X.X.X-bb.Y”. Or, whatever description is appropriate. - Update the
/README.md
following the gluon library script. - Use a development environment to deploy and test Authservice. See more detailed testing instructions below. Also test an upgrade by deploying the old version first and then deploying the new version.
- Update the
/README.md
again if you have made any additional changes during the upgrade/testing process.
Testing new Authservice versionπ
Branch/Tag Configπ
If you’d like to install from a specific branch or tag, then the code block under authservice needs to be uncommented and used to target your changes.
For example, this would target the renovate/ironbank
branch.
addons:
authservice:
<other config/labels>
...
...
# Add git branch or tag information to test against a specific branch or tag instead of using `main`
# Must set the unused label to null
git:
tag: null
branch: "renovate/ironbank"
Cluster setupπ
β οΈ Always make sure your local bigbang repo is current before deploying.
-
Export your Ironbank/Harbor credentials (this can be done in your
~/.bashrc
or~/.zshrc
file if desired). These specific variables are expected by thek3d-dev.sh
script when deploying metallb (part of the-a
flag), and are referenced in other commands for consistency:export REGISTRY_USERNAME='<your_username>' export REGISTRY_PASSWORD='<your_password>'
-
Export the path to your local bigbang repo (without a trailing
/
):
β οΈ Note that wrapping your file path in quotes when exporting will break expansion of ~
.
```sh
export BIGBANG_REPO_DIR=<absolute_path_to_local_bigbang_repo>
```
e.g.
```sh
export BIGBANG_REPO_DIR=~/repos/bigbang
```
-
Run the k3d_dev.sh script to deploy a dev cluster (
-a
flag required if deploying a local Keycloak):For
login.dso.mil
Keycloak:"${BIGBANG_REPO_DIR}/docs/assets/scripts/developer/k3d-dev.sh"
For local
keycloak.dev.bigbang.mil
Keycloak (-a
deploys instance with a second public IP and metallb):"${BIGBANG_REPO_DIR}/docs/assets/scripts/developer/k3d-dev.sh -a"
-
Export your kubeconfig:
export KUBECONFIG=~/.kube/<your_kubeconfig_file>
e.g.
export KUBECONFIG=~/.kube/Christopher.Galloway-dev-config
-
"${BIGBANG_REPO_DIR}/scripts/install_flux.sh -u ${REGISTRY_USERNAME} -p ${REGISTRY_PASSWORD}"
Deploy Bigbangπ
β οΈ Note that testing against your local branch or tag is only possible if you edit the overrides file to point to your changes.
From the root of this repo, run one of the following deploy commands depending on which Keycloak you wish to reference:
For login.dso.mil
Keycloak:
helm upgrade -i bigbang ${BIGBANG_REPO_DIR}/chart/ -n bigbang --create-namespace \
--set registryCredentials.username=${REGISTRY_USERNAME} --set registryCredentials.password=${REGISTRY_PASSWORD} \
-f https://repo1.dso.mil/big-bang/bigbang/-/raw/master/tests/test-values.yaml \
-f https://repo1.dso.mil/big-bang/bigbang/-/raw/master/chart/ingress-certs.yaml \
-f https://repo1.dso.mil/big-bang/bigbang/-/raw/master/docs/assets/configs/example/dev-sso-values.yaml \
-f docs/dev-overrides/minimal.yaml \
-f docs/dev-overrides/authservice-testing.yaml
For local keycloak.dev.bigbang.mil
Keycloak:
helm upgrade -i bigbang ${BIGBANG_REPO_DIR}/chart/ -n bigbang --create-namespace \
--set registryCredentials.username=${REGISTRY_USERNAME} --set registryCredentials.password=${REGISTRY_PASSWORD} \
-f https://repo1.dso.mil/big-bang/bigbang/-/raw/master/tests/test-values.yaml \
-f https://repo1.dso.mil/big-bang/bigbang/-/raw/master/chart/ingress-certs.yaml \
-f docs/dev-overrides/minimal.yaml \
-f docs/dev-overrides/authservice-testing-local-keycloak.yaml
This will deploy the following apps for testing (while disabling non-essential apps):
- Istio, Istio operator and Authservice
- Jaeger and Monitoring (specifically, Prometheus), with SSO enabled
- Optionally Keycloak
Validation/Testing Stepsπ
-
If you deployed with local keycloak enabled, login to https://keycloak.dev.bigbang.mil/auth/admin/master/console/ as the default admin user and set up a user account that can log into monitoring. You can find basic keycloak admin instructions here. IMPORTANT: To perform the next testing step successfully you must:
-
Create this account in the baby-yoda realm, not in the master realm.
-
Add the user to the “Impact Level 2 Authorized” group.
-
Navigate to Jaeger and validate that you are prompted to login with SSO and that the login is successful. This verifies that Authservice is working as an Istio extension.
-
Navigate to Prometheus (also uses Authservice) and validate that you are prompted to login with SSO and that the login is successful.
-
If you deployed with local keycloak enabled, make sure it’s
keycloak.dev.bigbang.mil
and notlogin.dso.mil
.
Files That Require Integration Testingπ
- ./chart/templates/bigbang/authservice-clusterrolebinding-openshift-scc.yaml
- ./chart/templates/bigbang/istio/authorizationPolicies/allow-any-to-auth-authz-policy.yaml
- ./chart/templates/bigbang/istio/authorizationPolicies/allow-intranamespace.yaml
- ./chart/templates/bigbang/istio/authorizationPolicies/shared-kiali-authz-policy.yaml
- ./chart/templates/bigbang/istio/authorizationPolicies/template.yaml
- ./chart/templates/bigbang/istio/jwksEndpointServiceEntry.yaml
- ./chart/templates/bigbang/istio/oidcHostServiceEntry.yaml
- ./chart/templates/bigbang/istio/peerAuthentication.yaml
- ./chart/templates/bigbang/istio/serviceEntry.yaml
- ./chart/templates/bigbang/istio/sidecar.yaml
- ./chart/templates/bigbang/network-attachment-definition.yaml
- ./chart/templates/bigbang/networkpolicies/additional-networkpolicies.yaml
Instructions for Integration Testingπ
See the Big Bang Doc
automountServiceAccountTokenπ
The mutating Kyverno policy named update-automountserviceaccounttokens is leveraged to harden all ServiceAccounts in this package with automountServiceAccountToken: false
.
This policy revokes access to the K8s API for Pods utilizing said ServiceAccounts. If a Pod truly requires access to the K8s API (for app functionality), the Pod is added to the pods:
array of the same mutating policy. This grants the Pod access to the API, and creates a Kyverno PolicyException to prevent an alert.
Modifications made to upstream chartπ
This section has nothing in it because this chart is basically all custom.