feat: support authservice with redis, switch to pepr helm chart (defenseunicorns#658)

## Description
* Updates Pepr to 0.34.0
* Uses Pepr Helm Chart
* Adds support to configure redis as authservice memory store

## Related Issue

Fixes defenseunicorns#518

## Type of change

- [ ] Bug fix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds functionality)
- [ ] Other (security config, docs update, etc)

## Checklist before merging

- [ ] Test, docs, adr added or updated as needed
- [ ] [Contributor
Guide](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md)
followed

---------

Co-authored-by: Micah Nagel <micah.nagel@defenseunicorns.com>

Author: rjferguson21

.yamllint

@@ -9,6 +9,7 @@ ignore:
   - '**/chart/templates**'
   - 'node_modules/**'
   - 'dist/**'
+  - 'src/pepr/uds-operator-config/templates**'
 
 rules:
   anchors: enable

docs/configuration/uds-operator.md

@@ -152,6 +152,17 @@ The UDS Operator uses the first `redirectUris` to populate the `match.prefix` ho
 
 For a complete example, see [app-authservice-tenant.yaml](https://github.com/defenseunicorns/uds-core/blob/main/src/test/app-authservice-tenant.yaml)
 
+#### External Session Store
+If you wish to scale Authservice horiztonally, Authservice supports using an [external redis session store](https://docs.tetrate.io/istio-authservice/configuration/oidc#session-store-configuration) which can be configured by setting [UDS_AUTHSERVICE_REDIS_URI](https://github.com/defenseunicorns/uds-core/blob/main/src/pepr/zarf.yaml#L20-L22).
+
+You can also specify the `AUTHSERVICE_REDIS_URI` variable in your `uds-config.yaml`:
+
+```yaml
+variables:
+  core:
+    AUTHSERVICE_REDIS_URI: redis://redis.redis.svc.cluster.local:6379
+```
+
 #### Trusted Certificate Authority
 
 Authservice can be configured with additional trusted certificate bundle in cases where UDS Core ingress gateways are deployed with private PKI.

package-lock.json

@@ -23,20 +23,13 @@
         "zarf"
       ],
       "labels": []
-    },
-    "env": {
-      "UDS_DOMAIN": "###ZARF_VAR_DOMAIN###",
-      "UDS_CA_CERT": "###ZARF_VAR_CA_CERT###",
-      "UDS_ALLOW_ALL_NS_EXEMPTIONS": "###ZARF_VAR_ALLOW_ALL_NS_EXEMPTIONS###",
-      "UDS_SINGLE_TEST": "###ZARF_VAR_UDS_SINGLE_TEST###",
-      "UDS_LOG_LEVEL": "###ZARF_VAR_UDS_LOG_LEVEL###"
     }
   },
   "scripts": {
     "k3d-setup": "k3d cluster delete pepr-dev && k3d cluster create pepr-dev --k3s-arg '--debug@server:0'"
   },
   "dependencies": {
-    "pepr": "0.33.0"
+    "pepr": "0.34.0"
   },
   "devDependencies": {
     "@jest/globals": "29.7.0",

package.json

@@ -7,12 +7,12 @@ metadata:
   version: "0.25.2"
   # x-release-please-end
 
-variables:
-  - name: CA_CERT
-    description: "Base64 encoded CA cert that signed the domain wildcard certs used for Istio ingress"
-    default: ""
-
 components:
+  - name: uds-operator-config
+    required: true
+    import:
+      path: ../../src/pepr
+
   # CRDs
   - name: prometheus-operator-crds
     required: true
@@ -44,8 +44,7 @@ components:
   - name: pepr-uds-core
     required: true
     import:
-      path: ../../dist
-      name: module
+      path: ../../src/pepr
 
   # Keycloak
   - name: keycloak

packages/slim-dev/zarf.yaml

@@ -7,12 +7,12 @@ metadata:
   version: "0.25.2"
   # x-release-please-end
 
-variables:
-  - name: CA_CERT
-    description: "Base64 encoded CA cert that signed the domain wildcard certs used for Istio ingress"
-    default: ""
-
 components:
+  - name: uds-operator-config
+    required: true
+    import:
+      path: ../../src/pepr
+
   # CRDs
   - name: prometheus-operator-crds
     required: true
@@ -44,8 +44,7 @@ components:
   - name: pepr-uds-core
     required: true
     import:
-      path: ../../dist
-      name: module
+      path: ../../src/pepr
 
   # Metrics Server
   - name: metrics-server

packages/standard/zarf.yaml

@@ -16,7 +16,7 @@ spec:
       # Egress must be allowed to the external facing Keycloak endpoint
       - direction: Egress
         remoteGenerated: Anywhere
-        description: "SSO Provider"
+        description: "SSO Provider & Redis Session Store"
 
       - direction: Ingress
         selector:

src/authservice/chart/templates/uds-package.yaml

@@ -21,3 +21,18 @@ spec:
   portLevelMtls:
     "3000":
       mode: PERMISSIVE
+---
+apiVersion: "security.istio.io/v1beta1"
+kind: PeerAuthentication
+metadata:
+  name: permissive-pepr-webhook-watcher
+  namespace: pepr-system
+spec:
+  selector:
+    matchLabels:
+      pepr.dev/controller: watcher
+  mtls:
+    mode: STRICT
+  portLevelMtls:
+    "3000":
+      mode: PERMISSIVE

src/istio/common/manifests/pepr-istio-config.yaml

@@ -2,6 +2,7 @@ import { Component, setupLogger } from "./logger";
 
 let domain = process.env.UDS_DOMAIN;
 let caCert = process.env.UDS_CA_CERT;
+let authserviceRedisUri = process.env.AUTHSERVICE_REDIS_URI;
 
 // We need to handle `npx pepr <>` commands that will not template the env vars
 if (!domain || domain === "###ZARF_VAR_DOMAIN###") {
@@ -10,6 +11,9 @@ if (!domain || domain === "###ZARF_VAR_DOMAIN###") {
 if (!caCert || caCert === "###ZARF_VAR_CA_CERT###") {
   caCert = "";
 }
+if (!authserviceRedisUri || authserviceRedisUri === "###ZARF_VAR_AUTHSERVICE_REDIS_URI###") {
+  authserviceRedisUri = "";
+}
 
 export const UDSConfig = {
   // Ignore the UDS_DOMAIN if not deployed by Zarf
@@ -20,6 +24,9 @@ export const UDSConfig = {
   isSingleTest: process.env.UDS_SINGLE_TEST === "true",
   // Allow UDS policy exemptions to be used in any namespace
   allowAllNSExemptions: process.env.UDS_ALLOW_ALL_NS_EXEMPTIONS === "true",
+
+  // Redis URI for Authservice
+  authserviceRedisUri,
 };
 
 // configure subproject logger

src/pepr/config.ts

@@ -43,7 +43,7 @@ export async function setupAuthserviceSecret() {
 
 // this initial secret is only a placeholder until the first chain is created
 function buildInitialSecret(): AuthserviceConfig {
-  return {
+  const config: AuthserviceConfig = {
     allow_unmatched_requests: false,
     listen_address: "0.0.0.0",
     listen_port: "10003",
@@ -84,6 +84,14 @@ function buildInitialSecret(): AuthserviceConfig {
       }),
     ],
   };
+
+  if (UDSConfig.authserviceRedisUri) {
+    config.default_oidc_config.redis_session_store_config = {
+      server_uri: UDSConfig.authserviceRedisUri!,
+    };
+  }
+
+  return config;
 }
 
 export async function getAuthserviceConfig() {

src/pepr/operator/controllers/keycloak/authservice/config.ts

@@ -37,6 +37,7 @@ interface OIDCConfig {
   absolute_session_timeout?: string;
   idle_session_timeout?: string;
   scopes: string[];
+  redis_session_store_config?: { server_uri: string };
 }
 
 interface JWKSFetcher {

src/pepr/operator/controllers/keycloak/authservice/types.ts

@@ -0,0 +1,18 @@
+apiVersion: v2
+name: uds-operator-config
+description: UDS Core configuration for UDS Operator
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0

src/pepr/uds-operator-config/Chart.yaml

@@ -0,0 +1,62 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "uds-operator-config.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "uds-operator-config.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "uds-operator-config.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "uds-operator-config.labels" -}}
+helm.sh/chart: {{ include "uds-operator-config.chart" . }}
+{{ include "uds-operator-config.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "uds-operator-config.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "uds-operator-config.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "uds-operator-config.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "uds-operator-config.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}

src/pepr/uds-operator-config/templates/_helpers.tpl

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: uds-operator-config
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "uds-operator-config.labels" . | nindent 4 }}
+type: Opaque
+data:
+{{- range $key, $value := .Values.operator }}
+  {{ $key }}: {{ $value | b64enc | quote }}
+{{- end }}

src/pepr/uds-operator-config/templates/secret.yaml

@@ -0,0 +1,7 @@
+operator:
+  UDS_DOMAIN: "###ZARF_VAR_DOMAIN###"
+  UDS_CA_CERT: "###ZARF_VAR_CA_CERT###"
+  UDS_ALLOW_ALL_NS_EXEMPTIONS: "###ZARF_VAR_ALLOW_ALL_NS_EXEMPTIONS###"
+  UDS_SINGLE_TEST: "###ZARF_VAR_UDS_SINGLE_TEST###"
+  UDS_LOG_LEVEL: "###ZARF_VAR_UDS_LOG_LEVEL###"
+  AUTHSERVICE_REDIS_URI: "###ZARF_VAR_AUTHSERVICE_REDIS_URI###"

src/pepr/uds-operator-config/values.yaml

@@ -0,0 +1,12 @@
+watcher:
+  serviceMonitor:
+    enabled: ###ZARF_VAR_PEPR_SERVICE_MONITORS###
+  envFrom:
+    - secretRef:
+        name: uds-operator-config
+admission:
+  serviceMonitor:
+    enabled: ###ZARF_VAR_PEPR_SERVICE_MONITORS###
+  envFrom:
+    - secretRef:
+        name: uds-operator-config

src/pepr/values.yaml

@@ -0,0 +1,68 @@
+kind: ZarfPackageConfig
+metadata:
+  name: pepr-uds-core
+  description: 'Pepr Module: A collection of capabilities for UDS Core'
+  url: https://github.com/defenseunicorns/pepr
+
+variables:
+  - name: DOMAIN
+    description: "Cluster domain"
+    default: "uds.dev"
+
+  - name: CA_CERT
+    description: "Base64 encoded CA cert that signed the domain wildcard certs used for Istio ingress"
+    default: ""
+
+  - name: UDS_LOG_LEVEL
+    description: "UDS Operator log level"
+    default: "debug"
+
+  - name: AUTHSERVICE_REDIS_URI
+    description: "UDS Authservice Redis URI"
+    default: ""
+
+  - name: UDS_SINGLE_TEST
+    description: "UDS Single package test"
+    default: ""
+
+  - name: PEPR_SERVICE_MONITORS
+    description: "Enables Service Monitors for Pepr services (watcher, admission)"
+    default: "true"
+
+components:
+  - name: uds-operator-config
+    required: true
+    charts:
+      - name: uds-operator-config
+        namespace: pepr-system
+        version: 0.1.0
+        localPath: uds-operator-config
+        valuesFiles:
+          - uds-operator-config/values.yaml
+
+  - name: pepr-uds-core
+    required: true
+    import:
+      name: module
+      path: ../../dist
+    charts:
+      - name: module
+        valuesFiles:
+          - values.yaml
+    actions:
+      onDeploy:
+        before:
+          - cmd: ./zarf tools kubectl annotate secret -n pepr-system pepr-uds-core-api-token meta.helm.sh/release-name=module --overwrite || true
+          - cmd: ./zarf tools kubectl annotate secret -n pepr-system pepr-uds-core-module meta.helm.sh/release-name=module --overwrite || true
+          - cmd: ./zarf tools kubectl annotate secret -n pepr-system pepr-uds-core-tls meta.helm.sh/release-name=module --overwrite || true
+          - cmd: ./zarf tools kubectl annotate serviceaccount -n pepr-system pepr-uds-core meta.helm.sh/release-name=module --overwrite || true
+          - cmd: ./zarf tools kubectl annotate clusterrolebinding pepr-uds-core meta.helm.sh/release-name=module --overwrite || true
+          - cmd: ./zarf tools kubectl annotate clusterrole pepr-uds-core meta.helm.sh/release-name=module --overwrite || true
+          - cmd: ./zarf tools kubectl annotate role -n pepr-system pepr-uds-core-store meta.helm.sh/release-name=module --overwrite || true
+          - cmd: ./zarf tools kubectl annotate rolebinding -n pepr-system pepr-uds-core-store meta.helm.sh/release-name=module --overwrite || true
+          - cmd: ./zarf tools kubectl annotate service -n pepr-system pepr-uds-core meta.helm.sh/release-name=module --overwrite || true
+          - cmd: ./zarf tools kubectl annotate service -n pepr-system pepr-uds-core-watcher meta.helm.sh/release-name=module --overwrite || true
+          - cmd: ./zarf tools kubectl annotate deployment -n pepr-system pepr-uds-core meta.helm.sh/release-name=module --overwrite || true
+          - cmd: ./zarf tools kubectl annotate deployment -n pepr-system pepr-uds-core-watcher meta.helm.sh/release-name=module --overwrite || true
+          - cmd: ./zarf tools kubectl annotate mutatingwebhookconfiguration -n pepr-system pepr-uds-core meta.helm.sh/release-name=module --overwrite || true
+          - cmd: ./zarf tools kubectl annotate validatingwebhookconfiguration -n pepr-system pepr-uds-core meta.helm.sh/release-name=module --overwrite || true

src/pepr/zarf.yaml

@@ -44,7 +44,7 @@ tasks:
       - task: pepr-build
 
       - description: "Create the Pepr Zarf Package, if it exists"
-        cmd: "uds zarf package create dist --confirm --no-progress"
+        cmd: "uds zarf package create src/pepr --confirm --no-progress"
 
       - description: "Create the requested Zarf Package (must set UDS_PKG environment variable)"
         cmd: "uds zarf package create src/${UDS_PKG} --confirm --no-progress --flavor ${FLAVOR}"
@@ -63,4 +63,4 @@ tasks:
           CUSTOM_PEPR_IMAGE=$( [ "${FLAVOR}" = "registry1" ] && echo "--custom-image ${REGISTRY1_PEPR_IMAGE}" ) || CUSTOM_PEPR_IMAGE=""
           rm -fr dist
           npm ci
-          npx pepr build $CUSTOM_PEPR_IMAGE
+          npx pepr build -z chart $CUSTOM_PEPR_IMAGE

tasks/create.yaml

@@ -30,8 +30,7 @@ tasks:
           fi
       - description: "Deploy the Pepr Module"
         cmd: |
-          PEPR_VERSION=$(npm pkg get version | tr -d '"')
-          uds zarf package deploy build/zarf-package-pepr-uds-core-${UDS_ARCH}-${PEPR_VERSION}.tar.zst --confirm --no-progress --set UDS_SINGLE_TEST=true
+          uds zarf package deploy build/zarf-package-pepr-uds-core-${UDS_ARCH}.tar.zst --confirm --no-progress --set UDS_SINGLE_TEST=true --set PEPR_SERVICE_MONITORS=false
       - description: "Deploy the requested Zarf Package (must set UDS_PKG environment variable)"
         cmd: uds zarf package deploy build/zarf-package-uds-core-${UDS_PKG}-${UDS_ARCH}.tar.zst --confirm --no-progress --components '*'