Add script, templates and manifests to make RHOBS deployable on test …

…clusters (#112) * Adjust tenant and session secrets Signed-off-by: Matej Gera <[email protected]> * Update image names and tags Signed-off-by: Matej Gera <[email protected]> * Add Minio and Dex jsonnet templates Signed-off-by: Matej Gera <[email protected]> * Additional test secrets Signed-off-by: Matej Gera <[email protected]> * Add test service accounts and role bindings Signed-off-by: Matej Gera <[email protected]> * Add generated templates Signed-off-by: Matej Gera <[email protected]> * Add parameter override files Signed-off-by: Matej Gera <[email protected]> * Add launch script and README Signed-off-by: Matej Gera <[email protected]> * Cleanup Signed-off-by: Matej Gera <[email protected]> * Update tests/README.md Co-authored-by: Moad Zardab <[email protected]> Co-authored-by: Moad Zardab <[email protected]>
rhobs · Feb 2, 2022 · 9601c75 · 9601c75
1 parent 10b17be
commit 9601c75
Show file tree

Hide file tree

Showing 32 changed files with 752 additions and 72 deletions.
diff --git a/.gitleaks.toml b/.gitleaks.toml
@@ -0,0 +1,7 @@
+title = "gitleaks config"
+[allowlist]
+paths=[
+    '''dex-template.jsonnet''',
+    '''observatorium-template.yaml''',
+    '''dex-template.yaml''',
+]
diff --git a/Makefile b/Makefile
@@ -83,7 +83,7 @@ whitelisted_metrics: $(GOJSONTOYAML) $(GOJQ)
 
 .PHONY: manifests
 manifests: format $(VENDOR_DIR)
-manifests: resources/services/telemeter-template.yaml resources/services/jaeger-template.yaml resources/services/parca-template.yaml
+manifests: resources/services/telemeter-template.yaml resources/services/jaeger-template.yaml resources/services/parca-template.yaml tests/minio-template.yaml tests/dex-template.yaml
 manifests: resources/services/observatorium-template.yaml resources/services/observatorium-metrics-template.yaml resources/services/observatorium-logs-template.yaml
 manifests: resources/services/metric-federation-rule-template.yaml
 	$(MAKE) clean
@@ -97,6 +97,14 @@ resources/services/jaeger-template.yaml: $(wildcard services/jaeger-*) $(JSONNET
 	@echo ">>>>> Running jaeger-template"
 	$(JSONNET) -J vendor services/jaeger-template.jsonnet | $(GOJSONTOYAML) > $@
 
+tests/minio-template.yaml: $(JSONNET) $(GOJSONTOYAML) $(JSONNETFMT)
+	@echo ">>>>> Running minio-template"
+	$(JSONNET) -J vendor services/minio-template.jsonnet | $(GOJSONTOYAML) > $@
+
+tests/dex-template.yaml: $(JSONNET) $(GOJSONTOYAML) $(JSONNETFMT)
+	@echo ">>>>> Running dex-template"
+	$(JSONNET) -J vendor services/dex-template.jsonnet | $(GOJSONTOYAML) > $@
+
 resources/services/telemeter-template.yaml: $(wildcard services/telemeter-*) $(JSONNET) $(GOJSONTOYAML) $(JSONNETFMT)
 	@echo ">>>>> Running telemeter templates"
 	$(JSONNET) -J vendor services/telemeter-template.jsonnet | $(GOJSONTOYAML) > $@

diff --git a/configuration/observatorium/tenants.libsonnet b/configuration/observatorium/tenants.libsonnet
@@ -4,31 +4,20 @@
       name: 'rhobs',
       id: '770c1124-6ae8-4324-a9d4-9ce08590094b',
       oidc: {
-        clientID: 'id',
-        clientSecret: 'secret',
-        issuerURL: 'https://rhobs.tenants.observatorium.io',
-        usernameClaim: 'preferred_username',
-        groupClaim: 'groups',
+        clientID: 'test',
+        clientSecret: 'ZXhhbXBsZS1hcHAtc2VjcmV0',
+        issuerURL: 'http://dex.dex.svc.cluster.local:5556/dex',
+        usernameClaim: 'email',
       },
     },
     {
       name: 'telemeter',
       id: 'FB870BF3-9F3A-44FF-9BF7-D7A047A52F43',
       oidc: {
-        clientID: 'id',
-        clientSecret: 'secret',
-        issuerURL: 'https://sso.redhat.com/auth/realms/redhat-external',
-        usernameClaim: 'preferred_username',
-      },
-    },
-    {
-      name: 'dptp',
-      id: 'AC879303-C60F-4D0D-A6D5-A485CFD638B8',
-      oidc: {
-        clientID: 'id',
-        clientSecret: 'secret',
-        issuerURL: 'https://sso.redhat.com/auth/realms/redhat-external',
-        usernameClaim: 'preferred_username',
+        clientID: 'test',
+        clientSecret: 'ZXhhbXBsZS1hcHAtc2VjcmV0',
+        issuerURL: 'http://dex.dex.svc.cluster.local:5556/dex',
+        usernameClaim: 'email',
       },
     },
   ],

diff --git a/jsonnetfile.lock.json b/jsonnetfile.lock.json
@@ -100,8 +100,8 @@
           "subdir": "configuration"
         }
       },
-      "version": "60e0a925bc826358105ee805a85855bfb6a1100a",
-      "sum": "jSwDsOn7DcWgXxmW/IZHvvAycyAfoYXFE6clhPoRvpE="
+      "version": "2de7b74fb0ca1b62d2eeab8bc1eecfb8786cb282",
+      "sum": "dBeYY+hqNXb64b2x+HACcng7d6d6XyI1vVbTHKyN+GQ="
     },
     {
       "source": {

diff --git a/resources/services/jaeger-template.yaml b/resources/services/jaeger-template.yaml
@@ -243,7 +243,7 @@ objects:
           severity: warning
 - apiVersion: v1
   data:
-    session_secret: ""
+    session_secret: c2VjcmV0
   kind: Secret
   metadata:
     labels:

diff --git a/resources/services/metric-federation-rule-template.yaml b/resources/services/metric-federation-rule-template.yaml
@@ -290,7 +290,7 @@ parameters:
 - name: CONFIGMAP_RELOADER_IMAGE_TAG
   value: 4.5.0
 - name: JAEGER_AGENT_IMAGE_TAG
-  value: 1.15.0
+  value: 1.29.0
 - name: JAEGER_AGENT_IMAGE
   value: quay.io/app-sre/jaegertracing-jaeger-agent
 - name: JAEGER_COLLECTOR_NAMESPACE
@@ -302,7 +302,7 @@ parameters:
 - name: THANOS_CONFIG_SECRET
   value: thanos-objectstorage
 - name: THANOS_IMAGE_TAG
-  value: master-2020-08-12-70f89d83
+  value: v0.23.1
 - name: THANOS_IMAGE
   value: quay.io/thanos/thanos
 - name: THANOS_QUERIER_NAMESPACE

diff --git a/resources/services/observatorium-logs-template.yaml b/resources/services/observatorium-logs-template.yaml
@@ -1635,7 +1635,7 @@ parameters:
 - name: JAEGER_AGENT_IMAGE
   value: jaegertracing/jaeger-agent
 - name: JAEGER_AGENT_IMAGE_TAG
-  value: 1.22.0
+  value: 1.29.0
 - name: JAEGER_PROXY_CPU_REQUEST
   value: 100m
 - name: JAEGER_PROXY_MEMORY_REQUEST

diff --git a/resources/services/observatorium-metrics-template.yaml b/resources/services/observatorium-metrics-template.yaml
@@ -5,7 +5,7 @@ metadata:
 objects:
 - apiVersion: v1
   data:
-    session_secret: ""
+    session_secret: c2VjcmV0
   kind: Secret
   metadata:
     labels:
@@ -744,7 +744,7 @@ objects:
             secretName: query-frontend-proxy
 - apiVersion: v1
   data:
-    session_secret: ""
+    session_secret: c2VjcmV0
   kind: Secret
   metadata:
     labels:
@@ -819,7 +819,7 @@ objects:
         app.kubernetes.io/part-of: observatorium
 - apiVersion: v1
   data:
-    session_secret: ""
+    session_secret: c2VjcmV0
   kind: Secret
   metadata:
     labels:
@@ -2758,7 +2758,7 @@ parameters:
 - name: NAMESPACES
   value: '["telemeter", "observatorium-metrics", "observatorium-mst-production"]'
 - name: JAEGER_AGENT_IMAGE_TAG
-  value: 1.15.0
+  value: 1.29.0
 - name: JAEGER_AGENT_IMAGE
   value: quay.io/app-sre/jaegertracing-jaeger-agent
 - name: JAEGER_COLLECTOR_NAMESPACE
@@ -2828,7 +2828,7 @@ parameters:
 - name: THANOS_CONFIG_SECRET
   value: thanos-objectstorage
 - name: THANOS_IMAGE_TAG
-  value: master-2020-08-12-70f89d83
+  value: v0.23.1
 - name: THANOS_IMAGE
   value: quay.io/thanos/thanos
 - name: THANOS_QUERIER_CPU_LIMIT

diff --git a/resources/services/observatorium-template.yaml b/resources/services/observatorium-template.yaml
@@ -282,30 +282,25 @@ objects:
       app.kubernetes.io/version: ${OBSERVATORIUM_API_IMAGE_TAG}
     name: ${OBSERVATORIUM_API_IDENTIFIER}
   stringData:
+    client-id: test
+    client-secret: ZXhhbXBsZS1hcHAtc2VjcmV0
+    issuer-url: http://dex.dex.svc.cluster.local:5556/dex
     tenants.yaml: |-
       "tenants":
       - "id": "770c1124-6ae8-4324-a9d4-9ce08590094b"
         "name": "rhobs"
         "oidc":
-          "clientID": "id"
-          "clientSecret": "secret"
-          "groupClaim": "groups"
-          "issuerURL": "https://rhobs.tenants.observatorium.io"
-          "usernameClaim": "preferred_username"
+          "clientID": "test"
+          "clientSecret": "ZXhhbXBsZS1hcHAtc2VjcmV0"
+          "issuerURL": "http://dex.dex.svc.cluster.local:5556/dex"
+          "usernameClaim": "email"
       - "id": "FB870BF3-9F3A-44FF-9BF7-D7A047A52F43"
         "name": "telemeter"
         "oidc":
-          "clientID": "id"
-          "clientSecret": "secret"
-          "issuerURL": "https://sso.redhat.com/auth/realms/redhat-external"
-          "usernameClaim": "preferred_username"
-      - "id": "AC879303-C60F-4D0D-A6D5-A485CFD638B8"
-        "name": "dptp"
-        "oidc":
-          "clientID": "id"
-          "clientSecret": "secret"
-          "issuerURL": "https://sso.redhat.com/auth/realms/redhat-external"
-          "usernameClaim": "preferred_username"
+          "clientID": "test"
+          "clientSecret": "ZXhhbXBsZS1hcHAtc2VjcmV0"
+          "issuerURL": "http://dex.dex.svc.cluster.local:5556/dex"
+          "usernameClaim": "email"
 - apiVersion: v1
   kind: Service
   metadata:
@@ -958,7 +953,7 @@ parameters:
 - name: GUBERNATOR_REPLICAS
   value: "2"
 - name: JAEGER_AGENT_IMAGE_TAG
-  value: 1.22.0
+  value: 1.29.0
 - name: JAEGER_AGENT_IMAGE
   value: jaegertracing/jaeger-agent
 - name: JAEGER_COLLECTOR_NAMESPACE
@@ -1012,7 +1007,7 @@ parameters:
 - name: OBSERVATORIUM_API_IDENTIFIER
   value: observatorium-observatorium-api
 - name: OBSERVATORIUM_API_IMAGE_TAG
-  value: master-2021-03-26-v0.1.1-200-gea0242a
+  value: main-2022-01-05-v0.1.2-108-gf8b0fbf
 - name: OBSERVATORIUM_API_IMAGE
   value: quay.io/observatorium/api
 - name: OBSERVATORIUM_API_MEMORY_LIMIT
@@ -1028,7 +1023,7 @@ parameters:
 - name: OPA_AMS_CPU_REQUEST
   value: 100m
 - name: OPA_AMS_IMAGE_TAG
-  value: master-2021-02-17-ed50046
+  value: master-2021-07-14-d517f70
 - name: OPA_AMS_IMAGE
   value: quay.io/observatorium/opa-ams
 - name: OPA_AMS_MEMCACHED_EXPIRE

diff --git a/resources/services/telemeter-template.yaml b/resources/services/telemeter-template.yaml
@@ -5,10 +5,10 @@ metadata:
 objects:
 - apiVersion: v1
   data:
-    authorize_url: ""
-    client_id: ""
-    client_secret: ""
-    oidc_issuer: ""
+    authorize_url: aHR0cHM6Ly9hcGkuc3RhZ2Uub3BlbnNoaWZ0LmNvbS9hcGkvYWNjb3VudHNfbWdtdC92MS9jbHVzdGVyX3JlZ2lzdHJhdGlvbnM=
+    client_id: dGVzdA==
+    client_secret: WlhoaGJYQnNaUzFoY0hBdGMyVmpjbVYw
+    oidc_issuer: aHR0cDovL2RleC5kZXguc3ZjLmNsdXN0ZXIubG9jYWw6NTU1Ni9kZXg=
   kind: Secret
   metadata:
     labels:
@@ -748,7 +748,7 @@ objects:
             secretName: token-refresher-proxy
 - apiVersion: v1
   data:
-    session_secret: ""
+    session_secret: c2VjcmV0
   kind: Secret
   metadata:
     labels:
@@ -806,13 +806,13 @@ parameters:
 - name: NAMESPACE
   value: telemeter
 - name: IMAGE_CANARY_TAG
-  value: v4.0
+  value: 2c9c76e
 - name: IMAGE_CANARY
-  value: quay.io/openshift/origin-telemeter
+  value: quay.io/app-sre/telemeter
 - name: IMAGE_TAG
-  value: v4.0
+  value: 2c9c76e
 - name: IMAGE
-  value: quay.io/openshift/origin-telemeter
+  value: quay.io/app-sre/telemeter
 - name: MEMCACHED_CPU_LIMIT
   value: "3"
 - name: MEMCACHED_CPU_REQUEST

diff --git a/services/dex-template.jsonnet b/services/dex-template.jsonnet
@@ -0,0 +1,107 @@
+local dex = (import 'github.com/observatorium/observatorium/configuration/components/dex.libsonnet')({
+  name:: 'dex',
+  namespace:: '${NAMESPACE}',
+  image:: '${IMAGE}:${IMAGE_TAG}',
+  version:: '${IMAGE_TAG}',
+  config:: {
+    oauth2: {
+      passwordConnector: 'local',
+    },
+    staticClients: [
+      {
+        id: 'test',
+        name: 'test',
+        secret: 'ZXhhbXBsZS1hcHAtc2VjcmV0',
+      },
+    ],
+    enablePasswordDB: true,
+    staticPasswords: [
+      {
+        email: '[email protected]',
+        // bcrypt hash of the string "password"
+        hash: '$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W',
+        username: 'admin',
+        userID: '08a8684b-db88-4b73-90a9-3cd1661f5466',
+      },
+    ],
+    issuer: 'http://${NAMESPACE}.${NAMESPACE}.svc.cluster.local:5556/dex',
+    storage: {
+      type: 'sqlite3',
+      config: { file: '/storage/dex.db' },
+    },
+    web: {
+      http: '0.0.0.0:5556',
+    },
+    logger: { level: 'debug' },
+  },
+  replicas: 1,
+}) + {
+  deployment+: {
+    spec+: {
+      replicas: '${{REPLICAS}}',  // additional parenthesis does matter, they convert argument to an int.
+      template+: {
+        spec+: {
+          containers: [
+            super.containers[0] {
+              resources: {
+                requests: {
+                  cpu: '${DEX_CPU_REQUEST}',
+                  memory: '${DEX_MEMORY_REQUEST}',
+                },
+                limits: {
+                  cpu: '${DEX_CPU_LIMITS}',
+                  memory: '${DEX_MEMORY_LIMITS}',
+                },
+              },
+              volumeMounts: [
+                { name: 'config', mountPath: '/etc/dex/cfg' },
+                { name: 'storage', mountPath: '/storage', readOnly: false },
+              ],
+            },
+          ],
+          volumes: [
+            {
+              name: 'config',
+              secret: {
+                secretName: dex.config.name,
+                items: [
+                  { key: 'config.yaml', path: 'config.yaml' },
+                ],
+              },
+            },
+            {
+              name: 'storage',
+              persistentVolumeClaim: { claimName: dex.config.name },
+            },
+          ],
+        },
+      },
+    },
+  },
+};
+
+{
+  apiVersion: 'v1',
+  kind: 'Template',
+  metadata: {
+    name: 'dex',
+  },
+  objects: [
+    dex[name] {
+      metadata+: {
+        namespace:: 'hidden',
+      },
+    }
+    for name in std.objectFields(dex)
+  ],
+  parameters: [
+    { name: 'NAMESPACE', value: 'dex' },
+    { name: 'IMAGE', value: 'dexidp/dex' },
+    { name: 'IMAGE_TAG', value: 'v2.30.0' },
+    { name: 'REPLICAS', value: '1' },
+    { name: 'DEX_CPU_REQUEST', value: '100m' },
+    { name: 'DEX_MEMORY_REQUEST', value: '200Mi' },
+    { name: 'DEX_CPU_LIMITS', value: '100m' },
+    { name: 'DEX_MEMORY_LIMITS', value: '200Mi' },
+  ],
+}
diff --git a/services/metric-federation-rule-template.jsonnet b/services/metric-federation-rule-template.jsonnet
@@ -15,13 +15,13 @@ local obs = import 'observatorium.libsonnet';
     { name: 'NAMESPACES', value: '["observatorium-metrics"]' },
     { name: 'CONFIGMAP_RELOADER_IMAGE', value: 'quay.io/openshift/origin-configmap-reloader' },
     { name: 'CONFIGMAP_RELOADER_IMAGE_TAG', value: '4.5.0' },
-    { name: 'JAEGER_AGENT_IMAGE_TAG', value: '1.15.0' },
+    { name: 'JAEGER_AGENT_IMAGE_TAG', value: '1.29.0' },
     { name: 'JAEGER_AGENT_IMAGE', value: 'quay.io/app-sre/jaegertracing-jaeger-agent' },
     { name: 'JAEGER_COLLECTOR_NAMESPACE', value: '$(NAMESPACE)' },
     { name: 'SERVICE_ACCOUNT_NAME', value: 'prometheus-telemeter' },
     { name: 'STORAGE_CLASS', value: 'gp2' },
     { name: 'THANOS_CONFIG_SECRET', value: 'thanos-objectstorage' },
-    { name: 'THANOS_IMAGE_TAG', value: 'master-2020-08-12-70f89d83' },
+    { name: 'THANOS_IMAGE_TAG', value: 'v0.23.1' },
     { name: 'THANOS_IMAGE', value: 'quay.io/thanos/thanos' },
     { name: 'THANOS_QUERIER_NAMESPACE', value: 'observatorium-mst' },
     { name: 'THANOS_RULER_CPU_LIMIT', value: '1' },