11# delve
22
33Deploys the [ Delve] ( https://github.com/McIndi/delve ) audit-search platform
4- (Django 5 + DRF) into the armory cluster. This is ** Phase 1** of the
5- [ Delve audit-search integration plan] ( ../../../doc/handoffs/delve-audit-integration-plan.md ) :
6- Delve running on Postgres at ` https://delve.armory.local ` , authenticating with a
7- local Django superuser. Keycloak SSO and machine ingestion land in later phases.
4+ (Django 5 + DRF) into the armory cluster, per the
5+ [ Delve audit-search integration plan] ( ../../../doc/handoffs/delve-audit-integration-plan.md ) .
6+ ** Phase 1** stood Delve up on Postgres at ` https://delve.armory.local ` with
7+ local Django auth; ** Phase 3** (this role's ` pki.yml ` + ` oidc_client.yml ` ) adds
8+ Keycloak human SSO and internal-TLS ingress re-encrypt. Machine ingestion lands
9+ in Phase 2.
810
911## What it does
1012
@@ -13,10 +15,23 @@ local Django superuser. Keycloak SSO and machine ingestion land in later phases.
1315 ` delve ` namespace as ` delve-db-secret ` , then provisions a single-replica
1416 Postgres StatefulSet (role-owned, ** not** in the chart) and waits for it to
1517 be Ready.
16- 2 . ` deploy.yml ` — provisions the external ingress TLS certificate, maps the
17- ingress host locally, renders the chart values, and releases the vendored
18- ` charts/delve ` Helm chart (` delve-web ` , ` delve-worker ` , and a pre-install
19- ` migrate ` hook).
18+ 2 . ` pki.yml ` * (Phase 3, gated on ` delve_oidc_enabled ` )* — issues the internal
19+ TLS cert (` delve-internal-tls ` , from ` openbao-pki-internal ` ) the web pod
20+ serves HTTPS from for ingress re-encrypt.
21+ 3 . ` oidc_client.yml ` * (Phase 3, gated on ` delve_oidc_enabled ` )* — creates/updates
22+ the confidential ` delve ` Keycloak client (redirect URI
23+ ` https://delve.armory.local/oidc/callback/ ` ), ensures a ` groups `
24+ group-membership mapper, persists the credentials to ` secret/delve/oidc ` , and
25+ VSO-syncs them into the ` delve ` namespace as ` delve-oidc ` ** before** the Helm
26+ release. Logins are the shared ` armory ` realm users; the Delve-side
27+ ` DelveOIDCBackend ` maps ` armory-admins ` →superuser, ` armory-operators ` →staff,
28+ ` armory-viewers ` →read.
29+ 4 . ` deploy.yml ` — provisions the external ingress TLS certificate, maps the
30+ ingress host locally, resolves the issuer host to the ingress IP (pod
31+ ` hostAlias ` ), renders the chart values (flipping ` oidc.enabled ` /` tls.enabled `
32+ and the ` backend-protocol: HTTPS ` annotation when SSO is on), and releases the
33+ vendored ` charts/delve ` Helm chart (` delve-web ` , ` delve-worker ` , and a
34+ pre-install ` migrate ` hook).
2035
2136## Cross-role wiring (not in this role)
2237
@@ -25,12 +40,12 @@ These live elsewhere because role defaults are invisible across roles
2540
2641- ** ` inventories/development/group_vars/all.yml ` ** — ` delve_namespace ` ,
2742 ` delve_vso_sa_name ` , ` delve_openbao_policy_name ` , ` delve_openbao_k8s_role ` ,
28- ` delve_openbao_db_path ` , ` delve_enabled ` , and ` delve ` in
29- ` trust_manager_internal_ca_target_namespaces ` .
43+ ` delve_openbao_db_path ` , ` delve_openbao_oidc_path ` , ` delve_enabled ` , and
44+ ` delve ` in ` trust_manager_internal_ca_target_namespaces ` .
3045- ** ` roles/openbao ` ** — ` delve ` is in ` openbao_provisioner_kv_prefixes `
3146 (defaults), and ` consumer_wiring.yml ` writes the ` delve-vso ` ACL policy and
3247 Kubernetes auth role that let VSO in the ` delve ` namespace read
33- ` secret/delve/db ` .
48+ ` secret/delve/db ` and ` secret/delve/oidc ` .
3449
3550## Deviation from the plan
3651
0 commit comments