feat: add monitoring virtualservices for alertmanager / prometheus #977

Draft. Wants to merge 10 commits into base: main.
12 changes: 6 additions & 6 deletions packages/standard/zarf.yaml
Expand Up @@ -61,6 +61,12 @@ components:
import:
path: ../identity-authorization

# Authservice
- name: authservice
required: true
import:
path: ../identity-authorization

# Neuvector
- name: neuvector
required: true
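Review bot: the new position of the `authservice` component encodes an ordering dependency (after Keycloak, before the monitoring components) that the file itself does not state; add a short comment above `- name: authservice` saying it must deploy after Keycloak and before the monitoring components that rely on `enableAuthserviceSelector`, otherwise the next reorder will reintroduce the failing tests described in the review thread.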
Expand Down Expand Up @@ -91,12 +97,6 @@ components:
import:
path: ../monitoring

# Authservice
Contributor Author

Moved this up the list in the standard bundle as it should be deployed after Keycloak, and tests were failing as monitoring gets deployed before authservice if left alone.

- name: authservice
required: true
import:
path: ../identity-authorization

# Velero
- name: velero
required: true
@@ -0,0 +1,25 @@
# Copyright 2024 Defense Unicorns
# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: monitoring-alertmanager-authz-policy
namespace: monitoring
spec:
selector:
matchLabels:
app.kubernetes.io/name: alertmanager
action: ALLOW
rules:
- from:
- source:
namespaces:
- monitoring
to:
- operation:
methods:
- GET
- POST
paths:
- /*
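Review bot: `source.namespaces` is matched from the client's mTLS peer identity, so this ALLOW rule admits only sidecar-injected workloads in `monitoring`; once an ALLOW policy selects the Alertmanager pods, any plaintext or non-mesh client in that namespace is denied. Confirm every in-cluster caller (Prometheus pushing to `/api/v2/alerts`, plus anything else that posts alerts or silences) runs with a sidecar, and consider tightening from a whole namespace to `principals` (the Prometheus service account) and from `/*` to the paths actually used, since POST on `/*` also covers the silence-management endpoints. Also, `security.istio.io/v1beta1` here versus `networking.istio.io/v1` in the VirtualServices: pick one API version across the new manifests.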
@@ -0,0 +1,22 @@
# Copyright 2024 Defense Unicorns
# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial

apiVersion: networking.istio.io/v1
kind: VirtualService
metadata:
name: alertmanager-internal
namespace: monitoring
spec:
hosts:
- kube-prometheus-stack-alertmanager.monitoring.svc.cluster.local
http:
- route:
- destination:
host: kube-prometheus-stack-alertmanager.monitoring.svc.cluster.local
port:
number: 9093
headers:
request:
set:
authorization: "internal-traffic"
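Review bot: nothing in the change explains what consumes the `authorization: "internal-traffic"` request header that this VirtualService stamps on every mesh call to `kube-prometheus-stack-alertmanager.monitoring.svc.cluster.local`; add a comment naming the policy that reads it. Because the value is a fixed string that a client outside the mesh (or one addressing the pod IP directly, where no VirtualService applies) can set itself, it cannot serve as evidence of origin, so the namespace-scoped AuthorizationPolicy, not this header, has to remain the control that gates in-cluster access. Note also that `headers.request.set` overwrites any `Authorization` header a caller already sends to this host, which matters if anything in `monitoring` is expected to reach Alertmanager with its own bearer token.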

@@ -0,0 +1,27 @@
# Copyright 2024 Defense Unicorns
# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: monitoring-prometheus-authz-policy
namespace: monitoring
spec:
selector:
matchLabels:
app.kubernetes.io/name: prometheus
action: ALLOW
rules:
- from:
- source:
namespaces:
- monitoring
- grafana
to:
- operation:
methods:
- GET
- POST
paths:
- /*
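Review bot: this rule grants every workload in `monitoring` and `grafana` GET and POST on `/*`, which is wider than the stated purpose ("Grafana Metrics Queries" in the package's network allow list). POST on `/*` includes the TSDB admin endpoints when Prometheus runs with `--web.enable-admin-api` and the reload/quit endpoints when `--web.enable-lifecycle` is set; scope `paths` to the query API (`/api/v1/*` covers what Grafana calls) and, for the Grafana side, prefer `principals` with the Grafana service account over the whole namespace. As with the Alertmanager policy, `namespaces` only matches mTLS peers, so plaintext clients in these namespaces will be denied once this policy is present.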

@@ -0,0 +1,22 @@
# Copyright 2024 Defense Unicorns
# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial

apiVersion: networking.istio.io/v1
kind: VirtualService
metadata:
name: prometheus-internal
namespace: monitoring
spec:
hosts:
- kube-prometheus-stack-prometheus.monitoring.svc.cluster.local
http:
- route:
- destination:
host: kube-prometheus-stack-prometheus.monitoring.svc.cluster.local
port:
number: 9090
headers:
request:
set:
authorization: "internal-traffic"
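Review bot: same observation as on the Alertmanager VirtualService: document what reads `authorization: "internal-traffic"` and do not rely on it as an origin check, since the value is constant and `set` overwrites any caller-supplied `Authorization` header. In addition, the two internal VirtualServices and the two AuthorizationPolicies hard-code `monitoring` in `metadata.namespace`, `hosts` and `destination.host`, while the chart's UDS Package uses `{{ .Release.Namespace }}`; if these manifests ship inside the chart they should be templated the same way, and if they are standalone manifests their location should be stated in the PR so the hard-coded namespace is a deliberate choice.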

52 changes: 52 additions & 0 deletions src/prometheus-stack/chart/templates/uds-package.yaml
Expand Up @@ -7,7 +7,44 @@ metadata:
name: prometheus-stack
namespace: {{ .Release.Namespace }}
spec:
{{- if .Values.sso.enabled }}
sso:
- name: uds-prometheus
clientId: uds-prometheus
redirectUris:
- "https://metrics.admin.{{ .Values.domain }}/auth"
enableAuthserviceSelector:
app.kubernetes.io/name: prometheus
operator.prometheus.io/name: kube-prometheus-stack-prometheus
groups:
anyOf:
- /UDS Core/Admin
- /UDS Core/Auditor
- name: uds-alertmanager
clientId: uds-alertmanager
redirectUris:
- "https://alerts.admin.{{ .Values.domain }}/auth"
enableAuthserviceSelector:
app.kubernetes.io/name: alertmanager
groups:
anyOf:
- /UDS Core/Admin
- /UDS Core/Auditor
{{- end }}
network:
expose:
- service: kube-prometheus-stack-alertmanager
selector:
app.kubernetes.io/name: alertmanager
host: alerts
gateway: admin
port: 9093
- service: kube-prometheus-stack-prometheus
selector:
app: prometheus
host: metrics
gateway: admin
port: 9090
allow:
# Permit intra-namespace communication
- direction: Ingress
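Review bot: the `expose` entries are unconditional while the `sso` block (and therefore `enableAuthserviceSelector`) is wrapped in `{{- if .Values.sso.enabled }}`; with `sso.enabled: false` both UIs are still published on the admin gateway at `metrics.` and `alerts.` with nothing in front of them, and neither Prometheus nor Alertmanager authenticates requests on its own by default. Either gate the two expose entries on the same flag or state in values.yaml that disabling SSO exposes them unauthenticated. Separately, the Prometheus expose selector uses `app: prometheus` while its authservice selector uses `app.kubernetes.io/name: prometheus` plus `operator.prometheus.io/name: kube-prometheus-stack-prometheus`; unless the pods carry both label sets, the gateway route and the authservice protection will target different pods, so use the same selector in both places (the Alertmanager entries already do).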
Expand Down Expand Up @@ -65,3 +102,18 @@ spec:
port: 9090
description: "Grafana Metrics Queries"

# Custom rules for unanticipated scenarios
{{- range .Values.custom }}
- direction: {{ .direction }}
selector:
{{ .selector | toYaml | nindent 10 }}
{{- if not .remoteGenerated }}
remoteNamespace: {{ .remoteNamespace }}
remoteSelector:
{{ .remoteSelector | toYaml | nindent 10 }}
port: {{ .port }}
{{- else }}
remoteGenerated: {{ .remoteGenerated }}
{{- end }}
description: {{ .description }}
{{- end }}
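Review bot: `description: {{ .description }}` emits the value unquoted, so a description containing `:` or `#` breaks the rendered YAML; use `{{ .description | quote }}`. The Vector chart called the same construct `additionalNetworkAllow` (and this PR deletes it there); if the goal is a shared convention for extra network rules, use one name in both charts and keep the block in Vector rather than removing it.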
5 changes: 5 additions & 0 deletions src/prometheus-stack/chart/values.yaml
@@ -1,2 +1,7 @@
# Copyright 2024 Defense Unicorns
# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial

domain: "###ZARF_VAR_DOMAIN###"

sso:
enabled: true
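Review bot: the template iterates `.Values.custom`, but this file only adds `domain` and `sso`, so the key is invisible to anyone reading the defaults; add `custom: []` with a comment describing the expected fields (`direction`, `selector`, `remoteNamespace`/`remoteSelector`/`port` or `remoteGenerated`, `description`). `sso.enabled: true` is the right default, and this is also the place to note what turning it off does to the exposed UIs.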
16 changes: 0 additions & 16 deletions src/vector/chart/templates/uds-package.yaml
Expand Up @@ -31,19 +31,3 @@ spec:
app.kubernetes.io/name: loki
port: 8080
description: "Write Logs to Loki"

# Custom rules for additional networking access
{{- range .Values.additionalNetworkAllow }}
- direction: {{ .direction }}
selector:
{{ .selector | toYaml | nindent 10 }}
{{- if not .remoteGenerated }}
remoteNamespace: {{ .remoteNamespace }}
remoteSelector:
{{ .remoteSelector | toYaml | nindent 10 }}
port: {{ .port }}
{{- else }}
remoteGenerated: {{ .remoteGenerated }}
{{- end }}
description: {{ .description }}
{{- end }}
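Review bot: deleting the `additionalNetworkAllow` range from the Vector package is a user-facing breaking change unrelated to the PR title (monitoring VirtualServices): any deployment that sets `additionalNetworkAllow` in the Vector chart values silently loses those network allow rules after upgrading, with no error, because Helm ignores unused values. If the removal is intentional, say so in the PR description and remove the key from the Vector values.yaml in the same change; if the intent is to replace it with the `custom` list introduced for prometheus-stack, add that to Vector rather than dropping the hook.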