dry run of gcp deploy with automated domain creation

.gcp.env

@@ -1,4 +1,4 @@
-SENTRIUS_VERSION=1.0.9
+SENTRIUS_VERSION=1.0.10
 SENTRIUS_SSH_VERSION=1.0.2
-SENTRIUS_KEYCLOAK_VERSION=1.0.2
-SENTRIUS_AGENT_VERSION=1.0.10
+SENTRIUS_KEYCLOAK_VERSION=1.0.3
+SENTRIUS_AGENT_VERSION=1.0.11

Dockerfile

@@ -15,4 +15,4 @@ RUN apt-get update && apt-get install -y curl
 
 
 # Command to run the app
-CMD ["java", "-jar", "/app/sentrius.jar", "--spring.config.location=/config/application.properties", "--dynamic.properties.path=/config/dynamic.properties"]
+CMD ["java", "-jar", "/app/sentrius.jar", "--spring.config.location=/config/api-application.properties", "--dynamic.properties.path=/config/dynamic.properties"]

docker/keycloak/realms/sentrius-realm.json

@@ -7,9 +7,9 @@
       "enabled": true,
       "clientAuthenticatorType": "client-secret",
       "secret": "nGkEukexSWTvDzYjSkDmeUlM0FJ5Jhh0",
-      "rootUrl": "http://sentrius-keycloak:30080/",
-      "baseUrl": "http://sentrius-keycloak:30080/",
-      "redirectUris": ["http://sentrius-keycloak:30080/*"],
+      "rootUrl": "${ROOT_URL}",
+      "baseUrl": "/",
+      "redirectUris": ["${REDIRECT_URIS}/*"],
       "protocol": "openid-connect"
     }
   ],

docker/sentrius-agent/Dockerfile

@@ -14,4 +14,4 @@ RUN apt-get update && apt-get install -y curl
 
 
 # Command to run the app
-CMD ["java", "-jar", "/app/agent.jar", "--spring.config.location=/config/application.properties"]
+CMD ["java", "-jar", "/app/agent.jar", "--spring.config.location=/config/agent-application.properties"]

ops-scripts/gcp/base.sh

@@ -1,4 +1,5 @@
 #!/bin/bash
 NAMESPACE=sentrius
 CLUSTER=sentrius-autopilot-cluster-1
-REGION=us-east1
+REGION=us-east1
+ZONE=sentrius-cloud

ops-scripts/gcp/create-subdomain.sh

@@ -0,0 +1,15 @@
+#!/bin/bash
+SCRIPT_DIR=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)
+
+
+source ${SCRIPT_DIR}/base.sh
+
+TENANT=$1
+
+gcloud dns record-sets transaction start --zone=${ZONE}
+gcloud dns record-sets transaction add --zone=${ZONE} \
+  --name=${TENANT}.sentrius.cloud. \
+  --type=CNAME \
+  --ttl=300 \
+  app-loadbalancer.region.cloud.goog &&
+gcloud dns record-sets transaction execute --zone=${ZONE}

ops-scripts/gcp/depoloy-helm.sh

@@ -6,7 +6,25 @@ SCRIPT_DIR=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)
 source ${SCRIPT_DIR}/base.sh
 source ${SCRIPT_DIR}/../../.gcp.env
 
-helm upgrade --install sentrius ./sentrius-gcp-chart --namespace ${NAMESPACE} \
+TENANT=$1
+
+if [[ -z "$TENANT" ]]; then
+    echo "Must provide single argument for tenant name" 1>&2
+    exit 1
+fi
+
+# Check if namespace exists
+kubectl get namespace ${TENANT} >/dev/null 2>&1
+if [[ $? -ne 0 ]]; then
+    echo "Namespace ${TENANT} does not exist. Creating..."
+    kubectl create namespace ${TENANT} || { echo "Failed to create namespace ${TENANT}"; exit 1; }
+fi
+
+
+
+helm upgrade --install sentrius ./sentrius-gcp-chart --namespace ${TENANT} \
+    --set tenant=${TENANT} \
+    --set subdomain=${TENANT}.sentrius.cloud \
     --set sentrius.image.repository=us-central1-docker.pkg.dev/sentrius-project/sentrius-repo/sentrius \
     --set sentrius.image.tag=${SENTRIUS_VERSION} \
     --set ssh.image.repository=us-central1-docker.pkg.dev/sentrius-project/sentrius-repo/sentrius-ssh \
@@ -15,3 +33,51 @@ helm upgrade --install sentrius ./sentrius-gcp-chart --namespace ${NAMESPACE} \
     --set keycloak.image.tag=${SENTRIUS_KEYCLOAK_VERSION} \
     --set sentriusagent.image.repository=us-central1-docker.pkg.dev/sentrius-project/sentrius-repo/sentrius-agent \
     --set sentriusagent.image.tag=${SENTRIUS_AGENT_VERSION} || { echo "Failed to deploy Sentrius with Helm"; exit 1; }
+
+
+# Wait for LoadBalancer IPs to be ready
+echo "Waiting for LoadBalancer IPs to be assigned..."
+RETRIES=30
+SLEEP_INTERVAL=10
+
+for ((i=1; i<=RETRIES; i++)); do
+    # Retrieve LoadBalancer IP
+    # Retrieve LoadBalancer IP
+    INGRESS_IP=$(kubectl get ingress managed-cert-ingress-${TENANT} -n ${TENANT} -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
+
+
+    if [[ -n "INGRESS_IP" ]]; then
+        echo "INGRESS_IP IP: $INGRESS_IP"
+        break
+    fi
+
+    echo "Attempt $i: Waiting for IPs to be assigned..."
+    sleep $SLEEP_INTERVAL
+done
+
+if [[ -z "INGRESS_IP" ]]; then
+    echo "Failed to retrieve LoadBalancer IPs after $((RETRIES * SLEEP_INTERVAL)) seconds."
+    exit 1
+fi
+
+# Check if subdomain exists
+if gcloud dns record-sets list --zone=${ZONE} --name=${TENANT}.sentrius.cloud. | grep -q ${TENANT}.sentrius.cloud.; then
+    echo "Subdomain ${TENANT}.sentrius.cloud already exists. Skipping creation."
+else
+    echo "Creating subdomain ${TENANT}.sentrius.cloud..."
+    gcloud dns record-sets transaction start --zone=${ZONE}
+
+    gcloud dns record-sets transaction add --zone=${ZONE} \
+          --name=${TENANT}.sentrius.cloud. \
+          --type=A \
+          --ttl=300 \
+          $NGRESS_IP
+
+    gcloud dns record-sets transaction add --zone=${ZONE} \
+      --name=keycloak.${TENANT}.sentrius.cloud. \
+      --type=A \
+      --ttl=300 \
+      $INGRESS_IP
+
+    gcloud dns record-sets transaction execute --zone=${ZONE}
+fi

ops-scripts/gcp/remove-subdomain.sh

@@ -0,0 +1,12 @@
+#!/bin/bash
+SCRIPT_DIR=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)
+
+
+source ${SCRIPT_DIR}/base.sh
+
+DOMAIN=$1
+
+gcloud dns record-sets transaction start --zone=${ZONE}
+gcloud dns record-sets transaction remove --zone=${ZONE} \
+    --name=${DOMAIN}.sentrius.cloud --type=A --ttl=300
+gcloud dns record-sets transaction execute --zone=${ZONE}

ops-scripts/gcp/test-helm.sh

@@ -0,0 +1,35 @@
+#!/bin/bash
+
+SCRIPT_DIR=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)
+
+
+source ${SCRIPT_DIR}/base.sh
+source ${SCRIPT_DIR}/../../.gcp.env
+
+TENANT=$1
+
+if [[ -z "$TENANT" ]]; then
+    echo "Must provide single argument for tenant name" 1>&2
+    exit 1
+fi
+
+# Check if namespace exists
+kubectl get namespace ${TENANT} >/dev/null 2>&1
+if [[ $? -ne 0 ]]; then
+    echo "Namespace ${TENANT} does not exist. Creating..."
+    kubectl create namespace ${TENANT} || { echo "Failed to create namespace ${TENANT}"; exit 1; }
+fi
+
+
+
+helm template ${TENANT} ./sentrius-gcp-chart/ --values sentrius-gcp-chart/values.yaml \
+    --set tenant=${TENANT} \
+    --set subdomain=${TENANT}.sentrius.cloud \
+    --set sentrius.image.repository=us-central1-docker.pkg.dev/sentrius-project/sentrius-repo/sentrius \
+    --set sentrius.image.tag=${SENTRIUS_VERSION} \
+    --set ssh.image.repository=us-central1-docker.pkg.dev/sentrius-project/sentrius-repo/sentrius-ssh \
+    --set ssh.image.tag=${SENTRIUS_SSH_VERSION} \
+    --set keycloak.image.repository=us-central1-docker.pkg.dev/sentrius-project/sentrius-repo/sentrius-keycloak \
+    --set keycloak.image.tag=${SENTRIUS_KEYCLOAK_VERSION} \
+    --set sentriusagent.image.repository=us-central1-docker.pkg.dev/sentrius-project/sentrius-repo/sentrius-agent \
+    --set sentriusagent.image.tag=${SENTRIUS_AGENT_VERSION} || { echo "Failed to deploy Sentrius with Helm"; exit 1; }

sentrius-gcp-chart/templates/agent-deployment.yaml

@@ -17,11 +17,7 @@ spec:
       initContainers:
         - name: wait-for-postgres
           image: busybox
-          command: [ 'sh', '-c', 'until nc -z {{ .Release.Name }}-postgres.{{ .Release.Namespace }}.svc.cluster.local 5432; do echo waiting for postgres; sleep 2; done;' ]
-        - name: wait-for-keycloak
-          image: busybox
-          command: [ 'sh', '-c', 'until nc -z {{ .Release.Name }}-keycloak.{{ .Release.Namespace }}.svc.cluster.local
-           30081; do echo waiting for postgres; sleep 2; done;' ]
+          command: [ 'sh', '-c', 'until nc -z {{ .Release.Name }}-postgres 5432; do echo waiting for postgres; sleep 2; done;' ]
       containers:
         - name: sentrius-agent
           image: "{{ .Values.sentriusagent.image.repository }}:{{ .Values.sentriusagent.image.tag }}"

sentrius-gcp-chart/templates/configmap.yaml

@@ -5,7 +5,126 @@ metadata:
   labels:
     {{- include "sentrius.labels" . | nindent 4 }}
 data:
-  application.properties: |
-    {{ .Values.sentrius.config.application | nindent 4 }}
+  agent-application.properties: |
+    keystore.file=sso.jceks
+    keystore.password=${KEYSTORE_PASSWORD}
+    keystore.alias=KEYBOX-ENCRYPTION_KEY
+    keystore.algorithm=AES
+    spring.main.web-application-type=servlet
+    spring.thymeleaf.enabled=true
+    spring.freemarker.enabled=false
+    #flyway configuration
+    spring.flyway.enabled=true
+    spring.datasource.url=jdbc:postgresql://sentrius-postgres:5432/sentrius
+    spring.datasource.username=${SPRING_DATASOURCE_USERNAME}
+    spring.datasource.password=${SPRING_DATASOURCE_PASSWORD}
+    spring.datasource.driver-class-name=org.postgresql.Driver
+    # Connection pool settings
+    spring.datasource.hikari.maximum-pool-size=10
+    spring.datasource.hikari.minimum-idle=5
+    spring.datasource.hikari.idle-timeout=30000
+    spring.datasource.hikari.max-lifetime=1800000
+    # Hibernate settings (optional, for JPA)
+    spring.jpa.database-platform=org.hibernate.dialect.PostgreSQLDialect
+    # Disable automatic schema generation in production
+    spring.jpa.hibernate.ddl-auto=none
+    # Ensure this path matches your project structure
+    #spring.flyway.locations=classpath:db/migration/
+    spring.flyway.baseline-on-migrate=true
+    # Thymeleaf settings
+    spring.thymeleaf.prefix=classpath:/templates/
+    spring.thymeleaf.suffix=.html
+    #spring.datasource.url=jdbc:h2:mem:testdb
+    logging.level.org.springframework.web=INFO
+    logging.level.org.springframework.security=INFO
+    logging.level.io.sentrius=DEBUG
+    logging.level.org.thymeleaf=INFO
+    spring.thymeleaf.servlet.produce-partial-output-while-processing=false
+    spring.servlet.multipart.enabled=true
+    spring.servlet.multipart.max-file-size=10MB
+    spring.servlet.multipart.max-request-size=10MB
+    server.error.whitelabel.enabled=false
+    dynamic.properties.path=/config/dynamic.properties
+    keycloak.realm=sentrius
+    # Keycloak configuration
+    spring.security.oauth2.client.registration.keycloak.client-id="{{ .Values.sentrius.oauth2.client_id }}"
+    spring.security.oauth2.client.registration.keycloak.client-secret="{{ .Values.sentrius.oauth2.client_secret }}"
+    spring.security.oauth2.client.registration.keycloak.authorization-grant-type="{{ .Values.sentrius.oauth2.authorization_grant_type }}"
+    spring.security.oauth2.client.registration.keycloak.redirect-uri=http://{{ .Values.subdomain }}/login/oauth2/code/keycloak
+    spring.security.oauth2.client.registration.keycloak.scope="{{ .Values.sentrius.oauth2.scope }}"
+    spring.security.oauth2.resourceserver.jwt.issuer-uri=http://keycloak.{{ .Values.subdomain }}/realms/sentrius
+    spring.security.oauth2.client.provider.keycloak.issuer-uri=http://keycloak.{{ .Values.tenant }}.sentrius.cloud/realms/sentrius
+    agents.session-analytics.enabled=true
+  api-application.properties: |
+    keystore.file=sso.jceks
+    keystore.password=${KEYSTORE_PASSWORD}
+    keystore.alias=KEYBOX-ENCRYPTION_KEY
+    keystore.algorithm=AES
+    spring.main.web-application-type=servlet
+    spring.thymeleaf.enabled=true
+    spring.freemarker.enabled=false
+    #flyway configuration
+    spring.flyway.enabled=true
+    spring.datasource.url=jdbc:postgresql://sentrius-postgres:5432/sentrius
+    spring.datasource.username=${SPRING_DATASOURCE_USERNAME}
+    spring.datasource.password=${SPRING_DATASOURCE_PASSWORD}
+    spring.datasource.driver-class-name=org.postgresql.Driver
+    # Connection pool settings
+    spring.datasource.hikari.maximum-pool-size=10
+    spring.datasource.hikari.minimum-idle=5
+    spring.datasource.hikari.idle-timeout=30000
+    spring.datasource.hikari.max-lifetime=1800000
+    # Hibernate settings (optional, for JPA)
+    spring.jpa.database-platform=org.hibernate.dialect.PostgreSQLDialect
+    # Disable automatic schema generation in production
+    spring.jpa.hibernate.ddl-auto=none
+    # Ensure this path matches your project structure
+    #spring.flyway.locations=classpath:db/migration/
+    spring.flyway.baseline-on-migrate=true
+    # Thymeleaf settings
+    spring.thymeleaf.prefix=classpath:/templates/
+    spring.thymeleaf.suffix=.html
+    #spring.datasource.url=jdbc:h2:mem:testdb
+    logging.level.org.springframework.web=INFO
+    logging.level.org.springframework.security=INFO
+    logging.level.io.sentrius=DEBUG
+    logging.level.org.thymeleaf=INFO
+    spring.thymeleaf.servlet.produce-partial-output-while-processing=false
+    spring.servlet.multipart.enabled=true
+    spring.servlet.multipart.max-file-size=10MB
+    spring.servlet.multipart.max-request-size=10MB
+    server.error.whitelabel.enabled=false
+    dynamic.properties.path=/config/dynamic.properties
+    keycloak.realm=sentrius
+    # Keycloak configuration
+    spring.security.oauth2.client.registration.keycloak.client-id={{ .Values.sentrius.oauth2.client_id }}
+    spring.security.oauth2.client.registration.keycloak.client-secret={{ .Values.sentrius.oauth2.client_secret }}
+    spring.security.oauth2.client.registration.keycloak.authorization-grant-type={{ .Values.sentrius.oauth2.authorization_grant_type }}
+    spring.security.oauth2.client.registration.keycloak.redirect-uri=http://{{ .Values.subdomain }}/login/oauth2/code/keycloak
+    spring.security.oauth2.client.registration.keycloak.scope={{ .Values.sentrius.oauth2.scope }}
+    spring.security.oauth2.resourceserver.jwt.issuer-uri=http://keycloak.{{ .Values.subdomain }}/realms/sentrius
+    spring.security.oauth2.client.provider.keycloak.issuer-uri=http://keycloak.{{ .Values.tenant }}.sentrius.cloud/realms/sentrius
   dynamic.properties: |
-    {{ .Values.sentrius.config.dynamic | nindent 4 }}
+    auditorClass=io.sentrius.sso.automation.auditing.AccessTokenAuditor
+    twopartyapproval.option.LOCKING_SYSTEMS=true
+    requireProfileForLogin=true
+    maxJitDurationMs=1440000
+    sshEnabled=true
+    systemLogoName=Sentrius
+    AccessTokenAuditor.rule.4=io.sentrius.sso.automation.auditing.rules.OpenAISessionRule;Malicious AI Monitoring
+    AccessTokenAuditor.rule.5=io.sentrius.sso.automation.auditing.rules.TwoPartyAIMonitor;AI Second Party Monitor
+    allowProxies=true
+    AccessTokenAuditor.rule.2=io.sentrius.sso.automation.auditing.rules.DeletePrevention;Delete Prevention
+    AccessTokenAuditor.rule.3=io.sentrius.sso.automation.auditing.rules.TwoPartySessionRule;Require Second Party Monitoring
+    AccessTokenAuditor.rule.0=io.sentrius.sso.automation.auditing.rules.CommandEvaluator;Restricted Commands
+    terminalsInNewTab=false
+    auditFlushIntervalMs=5000
+    AccessTokenAuditor.rule.1=io.sentrius.sso.automation.auditing.rules.AllowedCommandsRule;Approved Commands
+    knownHostsPath=/home/marc/.ssh/known_hosts
+    systemLogoPathLarge=/images/sentrius_large.jpg
+    maxJitUses=1
+    systemLogoPathSmall=/images/sentrius_small.png
+    enableInternalAudit=true
+    twopartyapproval.require.explanation.LOCKING_SYSTEMS=false
+    canApproveOwnJITs=false
+    yamlConfiguration=/app/exampleInstallWithTypes.yml

sentrius-gcp-chart/templates/deployment.yaml

@@ -17,11 +17,7 @@ spec:
       initContainers:
         - name: wait-for-postgres
           image: busybox
-          command: [ 'sh', '-c', 'until nc -z {{ .Release.Name }}-postgres.{{ .Release.Namespace }}.svc.cluster.local 5432; do echo waiting for postgres; sleep 2; done;' ]
-        - name: wait-for-keycloak
-          image: busybox
-          command: [ 'sh', '-c', 'until nc -z {{ .Release.Name }}-keycloak.{{ .Release.Namespace }}.svc.cluster.local
-           30081; do echo waiting for postgres; sleep 2; done;' ]
+          command: [ 'sh', '-c', 'until nc -z {{ .Release.Name }}-postgres 5432; do echo waiting for postgres; sleep 2; done;' ]
       containers:
         - name: sentrius
           image: "{{ .Values.sentrius.image.repository }}:{{ .Values.sentrius.image.tag }}"

sentrius-gcp-chart/templates/ingress.yaml

@@ -0,0 +1,31 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: managed-cert-ingress-canary
+  namespace: canary
+  annotations:
+    kubernetes.io/ingress.class: gce
+    kubernetes.io/ingress.allow-http: "false"
+    networking.gke.io/managed-certificates: wildcard-cert
+spec:
+  rules:
+    - host: keycloak.{{ .Values.tenant }}.sentrius.cloud
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: {{ .Release.Name }}-keycloak
+                port:
+                  number: 8081
+    - host: {{ .Values.tenant }}.sentrius.cloud
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: {{ .Release.Name }}-sentrius
+                port:
+                  number: 8080