(#86) ArgoCD

Using the Helm chart so we can inject the istio sidecar with a kustomize
patch and tweak the configs for OIDC integration.

Login works, istio sidecar is injected.  ArgoCD can only be configured
with one domain unfortunately, it's not accessible at argocd.ois.run,
only argocd.k2.ois.run (or whatever cluster it's installed into).

Ideally it would use the Host header but it does not.

RBAC is not implemented but the User Info endpoint does have group
membership so this shouldn't be a problem to implement.

docs/examples/authpolicy.cue

@@ -0,0 +1,37 @@
+package holos
+
+import ap "security.istio.io/authorizationpolicy/v1"
+
+// #AuthPolicyRules represents AuthorizationPolicy rules for hosts that need specialized treatment.  Entries in this struct are exclused from the blank ingressauth AuthorizationPolicy governing the ingressgateway and included in a spcialized policy
+#AuthPolicyRules: {
+	// AuthProxySpec represents the identity provider configuration
+	AuthProxySpec: #AuthProxySpec & #Platform.authproxy
+
+	// Hosts are hosts that need specialized treatment
+	hosts: {
+		[Name=_]: {
+			// name is the fully qualifed hostname, a Host: header value.
+			name: Name
+			// slug is the resource name prefix
+			slug: string
+			// Refer to https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule
+			spec: ap.#AuthorizationPolicySpec & {
+				action: "CUSTOM"
+				provider: name: AuthProxySpec.provider
+				selector: matchLabels: istio: "ingressgateway"
+			}
+		}
+	}
+
+	objects: #APIObjects & {
+		for Host in hosts {
+			apiObjects: {
+				AuthorizationPolicy: "\(Host.slug)-custom": {
+					metadata: namespace: "istio-ingress"
+					metadata: name:      "\(Host.slug)-custom"
+					spec: Host.spec
+				}
+			}
+		}
+	}
+}

docs/examples/cue.mod/gen/argoproj.io/appproject/v1alpha1/types_gen.cue

@@ -0,0 +1,189 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-platform-argocd/prod-platform-argocd.gen.yaml
+
+package v1alpha1
+
+import "strings"
+
+// AppProject provides a logical grouping of applications,
+// providing controls for: * where the apps may deploy to
+// (cluster whitelist) * what may be deployed (repository
+// whitelist, resource whitelist/blacklist) * who can access
+// these applications (roles, OIDC group claims bindings) * and
+// what they can do (RBAC policies) * automation access to these
+// roles (JWT tokens)
+#AppProject: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object. Servers should convert recognized schemas to the
+	// latest internal value, and may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "argoproj.io/v1alpha1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents. Servers may infer this from the endpoint
+	// the client submits requests to. Cannot be updated. In
+	// CamelCase. More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "AppProject"
+	metadata: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// AppProjectSpec is the specification of an AppProject
+	spec!: #AppProjectSpec
+}
+
+// AppProjectSpec is the specification of an AppProject
+#AppProjectSpec: {
+	// ClusterResourceBlacklist contains list of blacklisted cluster
+	// level resources
+	clusterResourceBlacklist?: [...{
+		group: string
+		kind:  string
+	}]
+
+	// ClusterResourceWhitelist contains list of whitelisted cluster
+	// level resources
+	clusterResourceWhitelist?: [...{
+		group: string
+		kind:  string
+	}]
+
+	// Description contains optional project description
+	description?: string
+
+	// Destinations contains list of destinations available for
+	// deployment
+	destinations?: [...{
+		// Name is an alternate way of specifying the target cluster by
+		// its symbolic name. This must be set if Server is not set.
+		name?: string
+
+		// Namespace specifies the target namespace for the application's
+		// resources. The namespace will only be set for namespace-scoped
+		// resources that have not set a value for .metadata.namespace
+		namespace?: string
+
+		// Server specifies the URL of the target cluster's Kubernetes
+		// control plane API. This must be set if Name is not set.
+		server?: string
+	}]
+
+	// NamespaceResourceBlacklist contains list of blacklisted
+	// namespace level resources
+	namespaceResourceBlacklist?: [...{
+		group: string
+		kind:  string
+	}]
+
+	// NamespaceResourceWhitelist contains list of whitelisted
+	// namespace level resources
+	namespaceResourceWhitelist?: [...{
+		group: string
+		kind:  string
+	}]
+
+	// OrphanedResources specifies if controller should monitor
+	// orphaned resources of apps in this project
+	orphanedResources?: {
+		// Ignore contains a list of resources that are to be excluded
+		// from orphaned resources monitoring
+		ignore?: [...{
+			group?: string
+			kind?:  string
+			name?:  string
+		}]
+
+		// Warn indicates if warning condition should be created for apps
+		// which have orphaned resources
+		warn?: bool
+	}
+
+	// PermitOnlyProjectScopedClusters determines whether destinations
+	// can only reference clusters which are project-scoped
+	permitOnlyProjectScopedClusters?: bool
+
+	// Roles are user defined RBAC roles associated with this project
+	roles?: [...{
+		// Description is a description of the role
+		description?: string
+
+		// Groups are a list of OIDC group claims bound to this role
+		groups?: [...string]
+
+		// JWTTokens are a list of generated JWT tokens bound to this role
+		jwtTokens?: [...{
+			exp?: int
+			iat:  int
+			id?:  string
+		}]
+
+		// Name is a name for this role
+		name: string
+
+		// Policies Stores a list of casbin formatted strings that define
+		// access policies for the role in the project
+		policies?: [...string]
+	}]
+
+	// SignatureKeys contains a list of PGP key IDs that commits in
+	// Git must be signed with in order to be allowed for sync
+	signatureKeys?: [...{
+		// The ID of the key in hexadecimal notation
+		keyID: string
+	}]
+
+	// SourceNamespaces defines the namespaces application resources
+	// are allowed to be created in
+	sourceNamespaces?: [...string]
+
+	// SourceRepos contains list of repository URLs which can be used
+	// for deployment
+	sourceRepos?: [...string]
+
+	// SyncWindows controls when syncs can be run for apps in this
+	// project
+	syncWindows?: [...{
+		// Applications contains a list of applications that the window
+		// will apply to
+		applications?: [...string]
+
+		// Clusters contains a list of clusters that the window will apply
+		// to
+		clusters?: [...string]
+
+		// Duration is the amount of time the sync window will be open
+		duration?: string
+
+		// Kind defines if the window allows or blocks syncs
+		kind?: string
+
+		// ManualSync enables manual syncs when they would otherwise be
+		// blocked
+		manualSync?: bool
+
+		// Namespaces contains a list of namespaces that the window will
+		// apply to
+		namespaces?: [...string]
+
+		// Schedule is the time the window will begin, specified in cron
+		// format
+		schedule?: string
+
+		// TimeZone of the sync that will be applied to the schedule
+		timeZone?: string
+	}]
+}

docs/examples/platforms/reference/clusters/foundation/cloud/argocd/argocd.cue

@@ -0,0 +1,84 @@
+package holos
+
+import "encoding/yaml"
+
+let ArgoCD = "argocd"
+let Namespace = "prod-platform"
+
+spec: components: HelmChartList: [
+	#HelmChart & {
+		_dependsOn: "prod-secrets-stores": _
+		namespace: Namespace
+
+		metadata: name: "\(namespace)-\(ArgoCD)"
+
+		chart: {
+			name:    "argo-cd"
+			release: "argocd"
+			version: "6.7.8"
+			repository: {
+				name: "argocd"
+				url:  "https://argoproj.github.io/argo-helm"
+			}
+		}
+
+		_values: #ArgoCDValues & {
+			kubeVersionOverride: "1.29.0"
+			global: domain: "argocd.\(#ClusterName).\(#Platform.org.domain)"
+
+			configs: params: "server.insecure": true
+
+			configs: cm: {
+				"admin.enabled": false
+				"oidc.config":   yaml.Marshal(OIDCConfig)
+			}
+		}
+
+		// Holos overlay objects
+		apiObjectMap: OBJECTS.apiObjectMap
+	},
+]
+
+let OBJECTS = #APIObjects & {
+	apiObjects: {
+		// ExternalSecret: "deploy-key": _
+		VirtualService: (ArgoCD): {
+			metadata: name:      ArgoCD
+			metadata: namespace: Namespace
+			spec: hosts: [
+				ArgoCD + ".\(#Platform.org.domain)",
+				ArgoCD + ".\(#ClusterName).\(#Platform.org.domain)",
+			]
+			spec: gateways: ["istio-ingress/\(Namespace)"]
+			spec: http: [{route: [{destination: {
+				host: "argocd-server.\(Namespace).svc.cluster.local"
+				port: number: 80
+			}}]}]
+		}
+	}
+}
+let IstioInject = [{op: "add", path: "/spec/template/metadata/labels/sidecar.istio.io~1inject", value: "true"}]
+
+#Kustomize: _patches: {
+	mesh: {
+		target: {
+			group:   "apps"
+			version: "v1"
+			kind:    "Deployment"
+			name:    "argocd-server"
+		}
+		patch: yaml.Marshal(IstioInject)
+	}
+}
+
+// Probably shouldn't use the authproxy struct and should instead define an identity provider struct.
+let AuthProxySpec = #AuthProxySpec & #Platform.authproxy
+
+let OIDCConfig = {
+	name:     "Holos Platform"
+	issuer:   AuthProxySpec.issuer
+	clientID: #Platform.argocd.clientID
+	requestedIDTokenClaims: groups: essential: true
+	requestedScopes: ["openid", "profile", "email", "groups", "urn:zitadel:iam:org:domain:primary:\(AuthProxySpec.orgDomain)"]
+	enablePKCEAuthentication: true
+}

docs/examples/platforms/reference/clusters/foundation/cloud/mesh/istio/ingress/ingress.cue

@@ -56,6 +56,8 @@ spec: components: HelmChartList: [
 		apiObjectMap: _IngressAuthProxy.Deployment.apiObjectMap
 		// Auth Policy
 		apiObjectMap: _IngressAuthProxy.Policy.apiObjectMap
+		// Auth Policy Exclusions
+		apiObjectMap: _AuthPolicyRules.objects.apiObjectMap
 	},
 ]
 

docs/examples/platforms/reference/clusters/foundation/cloud/mesh/mesh.cue

@@ -262,20 +262,62 @@ _IngressAuthProxy: {
 				spec: selector: matchLabels: istio: "ingressgateway"
 			}
 			AuthorizationPolicy: "\(Name)-custom": {
+				_description: "Route all requests through the auth proxy by default"
+
 				metadata: Metadata & {name: "\(Name)-custom"}
 				spec: {
 					action: "CUSTOM"
 					provider: name: AuthProxySpec.provider
-					// bypass the external authorizer when the id token is already in the request.
-					// the RequestAuthentication rule will verify the token.
-					rules: [{when: [
-						{key: "request.headers[\(AuthProxySpec.idTokenHeader)]", notValues: ["*"]},
-						// TODO: Define a way for hosts to be excluded.
-						{key: "request.headers[host]", notValues: [AuthProxySpec.issuerHost]},
-					]}]
+					rules: [
+						{
+							to: [{
+								operation: notHosts: [
+									// Never send requests for the login service through the authorizer, would block login.
+									AuthProxySpec.issuerHost,
+									// Exclude hosts with specialized rules from the catch-all.
+									for x in _AuthPolicyRules.hosts {x.name},
+								]
+							}]
+							when: [
+								{
+									// bypass the external authorizer when the id token is already in the request.
+									// the RequestAuthentication rule will verify the token.
+									key: "request.headers[\(AuthProxySpec.idTokenHeader)]"
+									notValues: ["*"]
+								},
+							]
+						},
+					]
 					selector: matchLabels: istio: "ingressgateway"
 				}
 			}
 		}
 	}
 }
+
+_AuthPolicyRules: #AuthPolicyRules & {
+	hosts: {
+		let Vault = "vault.core.ois.run"
+		(Vault): {
+			slug: "vault"
+			// Rules for when to route requests through the auth proxy
+			spec: rules: [
+				{
+					to: [{
+						operation: hosts: [Vault]
+						operation: paths: ["/ui", "/ui/*"]
+					}]
+				},
+				{
+					to: [{
+						operation: hosts: [Vault]
+					}]
+					when: [{
+						key: "request.headers[x-vault-request]"
+						notValues: ["true"]
+					}]
+				},
+			]
+		}
+	}
+}

docs/examples/platforms/reference/clusters/projects.cue

@@ -2,14 +2,17 @@ package holos
 
 #Project: authProxyOrgDomain: "openinfrastructure.co"
 
+let ZitadelProjectID = 257713952794870157
+
 _Projects: #Projects & {
 	// The platform project is required and where platform services reside.  ArgoCD, Grafana, Prometheus, etc...
 	platform: {
-		resourceId: 257713952794870157
-		clusters: k1: _
+		resourceId: ZitadelProjectID
+		// platform level services typically run in the core cluster pair.
+		clusters: core1: _
+		clusters: core2: _
+		// for development, probably wouldn't run these services in the workload clusters.
 		clusters: k2: _
-		stages: dev: authProxyClientID:  "260887327029658738@holos_platform"
-		stages: prod: authProxyClientID: "260887404288738416@holos_platform"
 		// Services hosted in the platform project
 		hosts: argocd:     _
 		hosts: grafana:    _
@@ -17,11 +20,9 @@ _Projects: #Projects & {
 	}
 
 	holos: {
-		resourceId: 260446255245690199
+		resourceId: ZitadelProjectID
 		clusters: k1: _
 		clusters: k2: _
-		stages: dev: authProxyClientID:  "260505543108527218@holos"
-		stages: prod: authProxyClientID: "260506079325128023@holos"
 		environments: {
 			prod: stage: "prod"
 			dev: stage:  "dev"
@@ -32,13 +33,11 @@ _Projects: #Projects & {
 	}
 
 	iam: {
-		resourceId: 260582480954787159
+		resourceId: ZitadelProjectID
 		clusters: {
 			core1: _
 			core2: _
 		}
-		stages: dev: authProxyClientID:  "260582521186616432@iam"
-		stages: prod: authProxyClientID: "260582633862399090@iam"
 	}
 }
 

pkg/version/embedded/minor

@@ -1 +1 @@
-61
+62

pkg/version/embedded/patch

@@ -1 +1 @@
-7
+0