
Commit 9601c75

matej-gmoadz
andauthored
Add script, templates and manifests to make RHOBS deployable on test clusters (#112)
* Adjust tenant and session secrets Signed-off-by: Matej Gera <[email protected]> * Update image names and tags Signed-off-by: Matej Gera <[email protected]> * Add Minio and Dex jsonnet templates Signed-off-by: Matej Gera <[email protected]> * Additional test secrets Signed-off-by: Matej Gera <[email protected]> * Add test service accounts and role bindings Signed-off-by: Matej Gera <[email protected]> * Add generated templates Signed-off-by: Matej Gera <[email protected]> * Add parameter override files Signed-off-by: Matej Gera <[email protected]> * Add launch script and README Signed-off-by: Matej Gera <[email protected]> * Cleanup Signed-off-by: Matej Gera <[email protected]> * Update tests/README.md Co-authored-by: Moad Zardab <[email protected]> Co-authored-by: Moad Zardab <[email protected]>
1 parent 10b17be commit 9601c75

32 files changed

+752
-72
lines changed

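--- a/.gitleaks.toml
+++ b/.gitleaks.toml
@@ -0,0 +1,7 @@
+title = "gitleaks config"
+[allowlist]
+paths=[
+'''dex-template.jsonnet''',
+'''observatorium-template.yaml''',
+'''dex-template.yaml''',
+]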
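Review bot: The three `paths` entries are regular expressions matched against the file path and none of them is anchored, so `'''observatorium-template.yaml'''` switches secret scanning off for every path containing that name, including `resources/services/observatorium-template.yaml`, which is not under `tests/`. Allowlisting whole files also means a real credential added to one of them later would never be reported. I would anchor each entry to its full path with the dots escaped, e.g. `'''^tests/dex-template\.yaml$'''`, and add a comment line stating that the entries exist only for the fixed Dex test client secret and password hash. Allowlisting those specific values through the allowlist's `regexes` key instead of whole files would be narrower still.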

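--- a/Makefile
+++ b/Makefile
@@ -83,7 +83,7 @@ whitelisted_metrics: $(GOJSONTOYAML) $(GOJQ)
 
 .PHONY: manifests
 manifests: format $(VENDOR_DIR)
-manifests: resources/services/telemeter-template.yaml resources/services/jaeger-template.yaml resources/services/parca-template.yaml
+manifests: resources/services/telemeter-template.yaml resources/services/jaeger-template.yaml resources/services/parca-template.yaml tests/minio-template.yaml tests/dex-template.yaml
 manifests: resources/services/observatorium-template.yaml resources/services/observatorium-metrics-template.yaml resources/services/observatorium-logs-template.yaml
 manifests: resources/services/metric-federation-rule-template.yaml
 $(MAKE) clean
@@ -97,6 +97,14 @@ resources/services/jaeger-template.yaml: $(wildcard services/jaeger-*) $(JSONNET
 @echo ">>>>> Running jaeger-template"
 $(JSONNET) -J vendor services/jaeger-template.jsonnet | $(GOJSONTOYAML) > $@
 
+tests/minio-template.yaml: $(JSONNET) $(GOJSONTOYAML) $(JSONNETFMT)
+@echo ">>>>> Running minio-template"
+$(JSONNET) -J vendor services/minio-template.jsonnet | $(GOJSONTOYAML) > $@
+
+tests/dex-template.yaml: $(JSONNET) $(GOJSONTOYAML) $(JSONNETFMT)
+@echo ">>>>> Running dex-template"
+$(JSONNET) -J vendor services/dex-template.jsonnet | $(GOJSONTOYAML) > $@
+
 resources/services/telemeter-template.yaml: $(wildcard services/telemeter-*) $(JSONNET) $(GOJSONTOYAML) $(JSONNETFMT)
 @echo ">>>>> Running telemeter templates"
 $(JSONNET) -J vendor services/telemeter-template.jsonnet | $(GOJSONTOYAML) > $@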
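Review bot: The new `tests/minio-template.yaml` and `tests/dex-template.yaml` rules list only the tool binaries as prerequisites, so editing `services/dex-template.jsonnet` or `services/minio-template.jsonnet` does not mark the generated file out of date, unlike the neighbouring jaeger and telemeter rules, which depend on `$(wildcard services/jaeger-*)` and `$(wildcard services/telemeter-*)`. A stale `tests/dex-template.yaml` would keep deploying the previous client secret and issuer after the source has changed. I would add the source file to each rule, e.g. `tests/dex-template.yaml: services/dex-template.jsonnet $(JSONNET) $(GOJSONTOYAML) $(JSONNETFMT)`. The `manifests` recipe continues outside the first hunk, so what `$(MAKE) clean` removes is not visible here.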

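--- a/configuration/observatorium/tenants.libsonnet
+++ b/configuration/observatorium/tenants.libsonnet
@@ -4,31 +4,20 @@
 name: 'rhobs',
 id: '770c1124-6ae8-4324-a9d4-9ce08590094b',
 oidc: {
-clientID: 'id',
-clientSecret: 'secret',
-issuerURL: 'https://rhobs.tenants.observatorium.io',
-usernameClaim: 'preferred_username',
-groupClaim: 'groups',
+clientID: 'test',
+clientSecret: 'ZXhhbXBsZS1hcHAtc2VjcmV0',
+issuerURL: 'http://dex.dex.svc.cluster.local:5556/dex',
+usernameClaim: 'email',
 },
 },
 {
 name: 'telemeter',
 id: 'FB870BF3-9F3A-44FF-9BF7-D7A047A52F43',
 oidc: {
-clientID: 'id',
-clientSecret: 'secret',
-issuerURL: 'https://sso.redhat.com/auth/realms/redhat-external',
-usernameClaim: 'preferred_username',
-},
-},
-{
-name: 'dptp',
-id: 'AC879303-C60F-4D0D-A6D5-A485CFD638B8',
-oidc: {
-clientID: 'id',
-clientSecret: 'secret',
-issuerURL: 'https://sso.redhat.com/auth/realms/redhat-external',
-usernameClaim: 'preferred_username',
+clientID: 'test',
+clientSecret: 'ZXhhbXBsZS1hcHAtc2VjcmV0',
+issuerURL: 'http://dex.dex.svc.cluster.local:5556/dex',
+usernameClaim: 'email',
 },
 },
 ],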
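Review bot: The Dex test client (`clientSecret: 'ZXhhbXBsZS1hcHAtc2VjcmV0'`, which base64-decodes to `example-app-secret`) and the plain-HTTP `issuerURL` replace the previous issuers in the shared `configuration/observatorium/tenants.libsonnet`, and the same values show up in the regenerated `resources/services/observatorium-template.yaml`, so they are not confined to `tests/`. If that template is also applied outside test clusters, both tenants would authenticate with a publicly known secret against an unencrypted issuer, and the `dptp` tenant and the rhobs `groupClaim` are dropped as well. I would keep the previous tenant list as the default and supply the Dex values from a test-only override, or at least add a comment above the list such as `// Test-cluster defaults only: override clientSecret and issuerURL before deploying anywhere else.` Whether another mechanism replaces this secret at deploy time is not visible in this commit. The hunk starts and ends inside the tenants array.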

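--- a/jsonnetfile.lock.json
+++ b/jsonnetfile.lock.json
@@ -100,8 +100,8 @@
 "subdir": "configuration"
 }
 },
-"version": "60e0a925bc826358105ee805a85855bfb6a1100a",
-"sum": "jSwDsOn7DcWgXxmW/IZHvvAycyAfoYXFE6clhPoRvpE="
+"version": "2de7b74fb0ca1b62d2eeab8bc1eecfb8786cb282",
+"sum": "dBeYY+hqNXb64b2x+HACcng7d6d6XyI1vVbTHKyN+GQ="
 },
 {
 "source": {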

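--- a/resources/services/jaeger-template.yaml
+++ b/resources/services/jaeger-template.yaml
@@ -243,7 +243,7 @@ objects:
 severity: warning
 - apiVersion: v1
 data:
-session_secret: ""
+session_secret: c2VjcmV0
 kind: Secret
 metadata:
 labels: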

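--- a/resources/services/metric-federation-rule-template.yaml
+++ b/resources/services/metric-federation-rule-template.yaml
@@ -290,7 +290,7 @@ parameters:
 - name: CONFIGMAP_RELOADER_IMAGE_TAG
 value: 4.5.0
 - name: JAEGER_AGENT_IMAGE_TAG
-value: 1.15.0
+value: 1.29.0
 - name: JAEGER_AGENT_IMAGE
 value: quay.io/app-sre/jaegertracing-jaeger-agent
 - name: JAEGER_COLLECTOR_NAMESPACE
@@ -302,7 +302,7 @@ parameters:
 - name: THANOS_CONFIG_SECRET
 value: thanos-objectstorage
 - name: THANOS_IMAGE_TAG
-value: master-2020-08-12-70f89d83
+value: v0.23.1
 - name: THANOS_IMAGE
 value: quay.io/thanos/thanos
 - name: THANOS_QUERIER_NAMESPACE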

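--- a/resources/services/observatorium-logs-template.yaml
+++ b/resources/services/observatorium-logs-template.yaml
@@ -1635,7 +1635,7 @@ parameters:
 - name: JAEGER_AGENT_IMAGE
 value: jaegertracing/jaeger-agent
 - name: JAEGER_AGENT_IMAGE_TAG
-value: 1.22.0
+value: 1.29.0
 - name: JAEGER_PROXY_CPU_REQUEST
 value: 100m
 - name: JAEGER_PROXY_MEMORY_REQUEST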

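--- a/resources/services/observatorium-metrics-template.yaml
+++ b/resources/services/observatorium-metrics-template.yaml
@@ -5,7 +5,7 @@ metadata:
 objects:
 - apiVersion: v1
 data:
-session_secret: ""
+session_secret: c2VjcmV0
 kind: Secret
 metadata:
 labels:
@@ -744,7 +744,7 @@ objects:
 secretName: query-frontend-proxy
 - apiVersion: v1
 data:
-session_secret: ""
+session_secret: c2VjcmV0
 kind: Secret
 metadata:
 labels:
@@ -819,7 +819,7 @@ objects:
 app.kubernetes.io/part-of: observatorium
 - apiVersion: v1
 data:
-session_secret: ""
+session_secret: c2VjcmV0
 kind: Secret
 metadata:
 labels:
@@ -2758,7 +2758,7 @@ parameters:
 - name: NAMESPACES
 value: '["telemeter", "observatorium-metrics", "observatorium-mst-production"]'
 - name: JAEGER_AGENT_IMAGE_TAG
-value: 1.15.0
+value: 1.29.0
 - name: JAEGER_AGENT_IMAGE
 value: quay.io/app-sre/jaegertracing-jaeger-agent
 - name: JAEGER_COLLECTOR_NAMESPACE
@@ -2828,7 +2828,7 @@ parameters:
 - name: THANOS_CONFIG_SECRET
 value: thanos-objectstorage
 - name: THANOS_IMAGE_TAG
-value: master-2020-08-12-70f89d83
+value: v0.23.1
 - name: THANOS_IMAGE
 value: quay.io/thanos/thanos
 - name: THANOS_QUERIER_CPU_LIMIT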

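--- a/resources/services/observatorium-template.yaml
+++ b/resources/services/observatorium-template.yaml
@@ -282,30 +282,25 @@ objects:
 app.kubernetes.io/version: ${OBSERVATORIUM_API_IMAGE_TAG}
 name: ${OBSERVATORIUM_API_IDENTIFIER}
 stringData:
+client-id: test
+client-secret: ZXhhbXBsZS1hcHAtc2VjcmV0
+issuer-url: http://dex.dex.svc.cluster.local:5556/dex
 tenants.yaml: |-
 "tenants":
 - "id": "770c1124-6ae8-4324-a9d4-9ce08590094b"
 "name": "rhobs"
 "oidc":
-"clientID": "id"
-"clientSecret": "secret"
-"groupClaim": "groups"
-"issuerURL": "https://rhobs.tenants.observatorium.io"
-"usernameClaim": "preferred_username"
+"clientID": "test"
+"clientSecret": "ZXhhbXBsZS1hcHAtc2VjcmV0"
+"issuerURL": "http://dex.dex.svc.cluster.local:5556/dex"
+"usernameClaim": "email"
 - "id": "FB870BF3-9F3A-44FF-9BF7-D7A047A52F43"
 "name": "telemeter"
 "oidc":
-"clientID": "id"
-"clientSecret": "secret"
-"issuerURL": "https://sso.redhat.com/auth/realms/redhat-external"
-"usernameClaim": "preferred_username"
-- "id": "AC879303-C60F-4D0D-A6D5-A485CFD638B8"
-"name": "dptp"
-"oidc":
-"clientID": "id"
-"clientSecret": "secret"
-"issuerURL": "https://sso.redhat.com/auth/realms/redhat-external"
-"usernameClaim": "preferred_username"
+"clientID": "test"
+"clientSecret": "ZXhhbXBsZS1hcHAtc2VjcmV0"
+"issuerURL": "http://dex.dex.svc.cluster.local:5556/dex"
+"usernameClaim": "email"
 - apiVersion: v1
 kind: Service
 metadata:
@@ -958,7 +953,7 @@ parameters:
 - name: GUBERNATOR_REPLICAS
 value: "2"
 - name: JAEGER_AGENT_IMAGE_TAG
-value: 1.22.0
+value: 1.29.0
 - name: JAEGER_AGENT_IMAGE
 value: jaegertracing/jaeger-agent
 - name: JAEGER_COLLECTOR_NAMESPACE
@@ -1012,7 +1007,7 @@ parameters:
 - name: OBSERVATORIUM_API_IDENTIFIER
 value: observatorium-observatorium-api
 - name: OBSERVATORIUM_API_IMAGE_TAG
-value: master-2021-03-26-v0.1.1-200-gea0242a
+value: main-2022-01-05-v0.1.2-108-gf8b0fbf
 - name: OBSERVATORIUM_API_IMAGE
 value: quay.io/observatorium/api
 - name: OBSERVATORIUM_API_MEMORY_LIMIT
@@ -1028,7 +1023,7 @@ parameters:
 - name: OPA_AMS_CPU_REQUEST
 value: 100m
 - name: OPA_AMS_IMAGE_TAG
-value: master-2021-02-17-ed50046
+value: master-2021-07-14-d517f70
 - name: OPA_AMS_IMAGE
 value: quay.io/observatorium/opa-ams
 - name: OPA_AMS_MEMCACHED_EXPIRE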

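--- a/resources/services/telemeter-template.yaml
+++ b/resources/services/telemeter-template.yaml
@@ -5,10 +5,10 @@ metadata:
 objects:
 - apiVersion: v1
 data:
-authorize_url: ""
-client_id: ""
-client_secret: ""
-oidc_issuer: ""
+authorize_url: aHR0cHM6Ly9hcGkuc3RhZ2Uub3BlbnNoaWZ0LmNvbS9hcGkvYWNjb3VudHNfbWdtdC92MS9jbHVzdGVyX3JlZ2lzdHJhdGlvbnM=
+client_id: dGVzdA==
+client_secret: WlhoaGJYQnNaUzFoY0hBdGMyVmpjbVYw
+oidc_issuer: aHR0cDovL2RleC5kZXguc3ZjLmNsdXN0ZXIubG9jYWw6NTU1Ni9kZXg=
 kind: Secret
 metadata:
 labels:
@@ -748,7 +748,7 @@ objects:
 secretName: token-refresher-proxy
 - apiVersion: v1
 data:
-session_secret: ""
+session_secret: c2VjcmV0
 kind: Secret
 metadata:
 labels:
@@ -806,13 +806,13 @@ parameters:
 - name: NAMESPACE
 value: telemeter
 - name: IMAGE_CANARY_TAG
-value: v4.0
+value: 2c9c76e
 - name: IMAGE_CANARY
-value: quay.io/openshift/origin-telemeter
+value: quay.io/app-sre/telemeter
 - name: IMAGE_TAG
-value: v4.0
+value: 2c9c76e
 - name: IMAGE
-value: quay.io/openshift/origin-telemeter
+value: quay.io/app-sre/telemeter
 - name: MEMCACHED_CPU_LIMIT
 value: "3"
 - name: MEMCACHED_CPU_REQUEST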

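--- a/services/dex-template.jsonnet
+++ b/services/dex-template.jsonnet
@@ -0,0 +1,107 @@
+local dex = (import 'github.com/observatorium/observatorium/configuration/components/dex.libsonnet')({
+name:: 'dex',
+namespace:: '${NAMESPACE}',
+image:: '${IMAGE}:${IMAGE_TAG}',
+version:: '${IMAGE_TAG}',
+config:: {
+oauth2: {
+passwordConnector: 'local',
+},
+staticClients: [
+{
+id: 'test',
+name: 'test',
+secret: 'ZXhhbXBsZS1hcHAtc2VjcmV0',
+},
+],
+enablePasswordDB: true,
+staticPasswords: [
+{
+
+// bcrypt hash of the string "password"
+hash: '$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W',
+username: 'admin',
+userID: '08a8684b-db88-4b73-90a9-3cd1661f5466',
+},
+],
+issuer: 'http://${NAMESPACE}.${NAMESPACE}.svc.cluster.local:5556/dex',
+storage: {
+type: 'sqlite3',
+config: { file: '/storage/dex.db' },
+},
+web: {
+http: '0.0.0.0:5556',
+},
+logger: { level: 'debug' },
+},
+replicas: 1,
+}) + {
+deployment+: {
+spec+: {
+replicas: '${{REPLICAS}}', // additional parenthesis does matter, they convert argument to an int.
+template+: {
+spec+: {
+containers: [
+super.containers[0] {
+resources: {
+requests: {
+cpu: '${DEX_CPU_REQUEST}',
+memory: '${DEX_MEMORY_REQUEST}',
+},
+limits: {
+cpu: '${DEX_CPU_LIMITS}',
+memory: '${DEX_MEMORY_LIMITS}',
+},
+},
+volumeMounts: [
+{ name: 'config', mountPath: '/etc/dex/cfg' },
+{ name: 'storage', mountPath: '/storage', readOnly: false },
+],
+},
+],
+volumes: [
+{
+name: 'config',
+secret: {
+secretName: dex.config.name,
+items: [
+{ key: 'config.yaml', path: 'config.yaml' },
+],
+},
+},
+{
+name: 'storage',
+persistentVolumeClaim: { claimName: dex.config.name },
+},
+],
+},
+},
+},
+},
+};
+
+{
+apiVersion: 'v1',
+kind: 'Template',
+metadata: {
+name: 'dex',
+},
+objects: [
+dex[name] {
+metadata+: {
+namespace:: 'hidden',
+},
+}
+for name in std.objectFields(dex)
+],
+parameters: [
+{ name: 'NAMESPACE', value: 'dex' },
+{ name: 'IMAGE', value: 'dexidp/dex' },
+{ name: 'IMAGE_TAG', value: 'v2.30.0' },
+{ name: 'REPLICAS', value: '1' },
+{ name: 'DEX_CPU_REQUEST', value: '100m' },
+{ name: 'DEX_MEMORY_REQUEST', value: '200Mi' },
+{ name: 'DEX_CPU_LIMITS', value: '100m' },
+{ name: 'DEX_MEMORY_LIMITS', value: '200Mi' },
+],
+}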
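Review bot: Nothing in `services/dex-template.jsonnet` marks it as test-only, yet it defines an `admin` static user whose password is the string "password" (per the comment above `hash`), a fixed client `secret`, `enablePasswordDB: true`, a plain-HTTP `issuer` and `logger: { level: 'debug' }`, and it sits in `services/` beside the templates rendered into `resources/services/`. I would open the file with a comment such as `// TEST CLUSTERS ONLY: the static admin password and client secret below are public; never deploy outside tests.` Separately, `issuer` builds its host as `${NAMESPACE}.${NAMESPACE}.svc.cluster.local`, using the namespace parameter where the service name belongs; with any `NAMESPACE` other than `dex` it would presumably match neither the service named by `name:: 'dex'` nor the `dex.dex.svc.cluster.local` issuer hard-coded in the tenant configuration, so `'http://dex.${NAMESPACE}.svc.cluster.local:5556/dex'` looks like the intended form. The `IMAGE` default `dexidp/dex` also carries no registry host, unlike the `quay.io/...` images used elsewhere in this commit.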

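--- a/services/metric-federation-rule-template.jsonnet
+++ b/services/metric-federation-rule-template.jsonnet
@@ -15,13 +15,13 @@ local obs = import 'observatorium.libsonnet';
 { name: 'NAMESPACES', value: '["observatorium-metrics"]' },
 { name: 'CONFIGMAP_RELOADER_IMAGE', value: 'quay.io/openshift/origin-configmap-reloader' },
 { name: 'CONFIGMAP_RELOADER_IMAGE_TAG', value: '4.5.0' },
-{ name: 'JAEGER_AGENT_IMAGE_TAG', value: '1.15.0' },
+{ name: 'JAEGER_AGENT_IMAGE_TAG', value: '1.29.0' },
 { name: 'JAEGER_AGENT_IMAGE', value: 'quay.io/app-sre/jaegertracing-jaeger-agent' },
 { name: 'JAEGER_COLLECTOR_NAMESPACE', value: '$(NAMESPACE)' },
 { name: 'SERVICE_ACCOUNT_NAME', value: 'prometheus-telemeter' },
 { name: 'STORAGE_CLASS', value: 'gp2' },
 { name: 'THANOS_CONFIG_SECRET', value: 'thanos-objectstorage' },
-{ name: 'THANOS_IMAGE_TAG', value: 'master-2020-08-12-70f89d83' },
+{ name: 'THANOS_IMAGE_TAG', value: 'v0.23.1' },
 { name: 'THANOS_IMAGE', value: 'quay.io/thanos/thanos' },
 { name: 'THANOS_QUERIER_NAMESPACE', value: 'observatorium-mst' },
 { name: 'THANOS_RULER_CPU_LIMIT', value: '1' },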
