77 "github.com/ghodss/yaml"
88 "github.com/observatorium/observatorium/configuration_go/kubegen/openshift"
99 templatev1 "github.com/openshift/api/template/v1"
10+ "github.com/philipgough/mimic"
1011 "github.com/philipgough/mimic/encoding"
1112 monitoringv1 "github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1"
1213 cfgobservatorium "github.com/rhobs/configuration/configuration/observatorium"
@@ -29,11 +30,40 @@ const (
2930 routerService = "thanos-receive-router-rhobs"
3031)
3132
33+ type gatewayConfig struct {
34+ namespace string
35+ generator func (component string ) * mimic.Generator
36+ tenants * corev1.Secret
37+ amsURL string
38+ m TemplateMaps
39+ }
40+
3241// Gateway Generates the Observatorium API Gateway configuration for the stage environment.
3342func (s Stage ) Gateway () error {
34- gen := s .generator (gatewayName )
35- amsURL := "https://api.stage.openshift.com"
43+ conf := gatewayConfig {
44+ namespace : s .namespace (),
45+ generator : s .generator ,
46+ amsURL : "https://api.stage.openshift.com" ,
47+ m : StageMaps ,
48+ tenants : stageGatewayTenants (StageMaps , s .namespace ()),
49+ }
50+ return gateway (conf )
51+ }
3652
53+ // Gateway Generates the Observatorium API Gateway configuration for the production environment.
54+ func (p Production ) Gateway () error {
55+ conf := gatewayConfig {
56+ namespace : p .namespace (),
57+ generator : p .generator ,
58+ amsURL : "https://api.openshift.com" ,
59+ m : ProductionMaps ,
60+ tenants : prodGatewayTenants (ProductionMaps , p .namespace ()),
61+ }
62+ return gateway (conf )
63+ }
64+
65+ func gateway (c gatewayConfig ) error {
66+ ns := c .namespace
3767 b , err := json .Marshal (cfgobservatorium .GenerateRBAC ())
3868 if err != nil {
3969 return fmt .Errorf ("failed to marshal RBAC configuration: %w" , err )
@@ -44,12 +74,12 @@ func (s Stage) Gateway() error {
4474 }
4575
4676 objs := []runtime.Object {
47- gatewayRBAC (StageMaps , s . namespace () , string (rbacYAML )),
48- stageGatewayTenants (StageMaps , s . namespace () ),
49- gatewayDeployment (StageMaps , s . namespace (), amsURL ),
50- createGatewayService ( StageMaps , s . namespace ()) ,
77+ gatewayRBAC (StageMaps , ns , string (rbacYAML )),
78+ gatewayDeployment (StageMaps , ns , c . amsURL ),
79+ createGatewayService (StageMaps , ns ),
80+ c . tenants ,
5181 }
52-
82+ gen := c . generator ( gatewayName )
5383 template := openshift .WrapInTemplate (objs , metav1.ObjectMeta {
5484 Name : gatewayName ,
5585 }, gatewayTemplateParams )
@@ -58,9 +88,9 @@ func (s Stage) Gateway() error {
5888 gen .Generate ()
5989
6090 sms := []runtime.Object {
61- gatewayServiceMonitor (StageMaps , s . namespace () ),
91+ gatewayServiceMonitor (StageMaps , ns ),
6292 }
63- gen = s .generator (gatewayName )
93+ gen = c .generator (gatewayName )
6494 template = openshift .WrapInTemplate (sms , metav1.ObjectMeta {
6595 Name : gatewayName + "-service-monitor" ,
6696 }, nil )
@@ -601,6 +631,146 @@ func stageGatewayTenants(m TemplateMaps, namespace string) *corev1.Secret {
601631 }
602632}
603633
634+ func prodGatewayTenants (m TemplateMaps , namespace string ) * corev1.Secret {
635+ labels , _ := gatewayLabels (m )
636+ return & corev1.Secret {
637+ TypeMeta : metav1.TypeMeta {
638+ Kind : "Secret" ,
639+ APIVersion : "v1" ,
640+ },
641+ ObjectMeta : metav1.ObjectMeta {
642+ Name : gatewayName ,
643+ Namespace : namespace ,
644+ Labels : labels ,
645+ Annotations : map [string ]string {
646+ "qontract.recycle" : "true" ,
647+ },
648+ },
649+ StringData : map [string ]string {
650+ "client-id" : "${CLIENT_ID}" ,
651+ "client-secret" : "${CLIENT_SECRET}" ,
652+ "issuer-url" : "https://sso.redhat.com/auth/realms/redhat-external" ,
653+ "tenants.yaml" : `tenants:
654+ - id: 0fc2b00e-201b-4c17-b9f2-19d91adc4fd2
655+ name: rhobs
656+ oidc:
657+ clientID: ${CLIENT_ID}
658+ clientSecret: ${CLIENT_SECRET}
659+ issuerURL: https://sso.redhat.com/auth/realms/redhat-external
660+ redirectURL: https://observatorium.api.openshift.com/oidc/rhobs/callback
661+ usernameClaim: preferred_username
662+ groupClaim: email
663+ - id: 770c1124-6ae8-4324-a9d4-9ce08590094b
664+ name: osd
665+ oidc:
666+ clientID: ${CLIENT_ID}
667+ clientSecret: ${CLIENT_SECRET}
668+ issuerURL: https://sso.redhat.com/auth/realms/redhat-external
669+ redirectURL: https://observatorium-mst.api.openshift.com/oidc/osd/callback
670+ usernameClaim: preferred_username
671+ opa:
672+ url: http://127.0.0.1:8082/v1/data/observatorium/allow
673+ rateLimits:
674+ - endpoint: /api/metrics/v1/.+/api/v1/receive
675+ limit: 10000
676+ window: 30s
677+ - id: 1b9b6e43-9128-4bbf-bfff-3c120bbe6f11
678+ name: rhacs
679+ oidc:
680+ clientID: ${CLIENT_ID}
681+ clientSecret: ${CLIENT_SECRET}
682+ issuerURL: https://sso.redhat.com/auth/realms/redhat-external
683+ redirectURL: https://observatorium-mst.api.openshift.com/oidc/rhacs/callback
684+ usernameClaim: preferred_username
685+ - id: 9ca26972-4328-4fe3-92db-31302013d03f
686+ name: cnvqe
687+ oidc:
688+ clientID: ${CLIENT_ID}
689+ clientSecret: ${CLIENT_SECRET}
690+ issuerURL: https://sso.redhat.com/auth/realms/redhat-external
691+ redirectURL: https://observatorium-mst.api.openshift.com/oidc/cnvqe/callback
692+ usernameClaim: preferred_username
693+ - id: 37b8fd3f-56ff-4b64-8272-917c9b0d1623
694+ name: psiocp
695+ oidc:
696+ clientID: ${CLIENT_ID}
697+ clientSecret: ${CLIENT_SECRET}
698+ issuerURL: https://sso.redhat.com/auth/realms/redhat-external
699+ redirectURL: https://observatorium-mst.api.openshift.com/oidc/psiocp/callback
700+ usernameClaim: preferred_username
701+ - id: 8ace13a2-1c72-4559-b43d-ab43e32a255a
702+ name: rhods
703+ oidc:
704+ clientID: ${CLIENT_ID}
705+ clientSecret: ${CLIENT_SECRET}
706+ issuerURL: https://sso.redhat.com/auth/realms/redhat-external
707+ redirectURL: https://observatorium-mst.api.openshift.com/oidc/rhods/callback
708+ usernameClaim: preferred_username
709+ - id: 99c885bc-2d64-4c4d-b55e-8bf30d98c657
710+ name: odfms
711+ oidc:
712+ clientID: ${CLIENT_ID}
713+ clientSecret: ${CLIENT_SECRET}
714+ issuerURL: https://sso.redhat.com/auth/realms/redhat-external
715+ redirectURL: https://observatorium-mst.api.openshift.com/oidc/odfms/callback
716+ usernameClaim: preferred_username
717+ - id: d17ea8ce-d4c6-42ef-b259-7d10c9227e93
718+ name: reference-addon
719+ oidc:
720+ clientID: ${CLIENT_ID}
721+ clientSecret: ${CLIENT_SECRET}
722+ issuerURL: https://sso.redhat.com/auth/realms/redhat-external
723+ redirectURL: https://observatorium-mst.api.openshift.com/oidc/reference-addon/callback
724+ usernameClaim: preferred_username
725+ - id: AC879303-C60F-4D0D-A6D5-A485CFD638B8
726+ name: dptp
727+ oidc:
728+ clientID: ${CLIENT_ID}
729+ clientSecret: ${CLIENT_SECRET}
730+ issuerURL: https://sso.redhat.com/auth/realms/redhat-external
731+ redirectURL: https://observatorium-mst.api.openshift.com/oidc/dptp/callback
732+ usernameClaim: preferred_username
733+ - id: 3833951d-bede-4a53-85e5-f73f4913973f
734+ name: appsre
735+ oidc:
736+ clientID: ${CLIENT_ID}
737+ clientSecret: ${CLIENT_SECRET}
738+ issuerURL: https://sso.redhat.com/auth/realms/redhat-external
739+ redirectURL: https://observatorium-mst.api.openshift.com/oidc/appsre/callback
740+ usernameClaim: preferred_username
741+ - id: 0031e8d6-e50a-47ea-aecb-c7e0bd84b3f1
742+ name: rhtap
743+ oidc:
744+ clientID: ${CLIENT_ID}
745+ clientSecret: ${CLIENT_SECRET}
746+ issuerURL: https://sso.redhat.com/auth/realms/redhat-external
747+ redirectURL: https://observatorium-mst.api.openshift.com/oidc/rhtap/callback
748+ usernameClaim: preferred_username
749+ - id: 72e6f641-b2e2-47eb-bbc2-fee3c8fbda26
750+ name: rhel
751+ oidc:
752+ clientID: ${CLIENT_ID}
753+ clientSecret: ${CLIENT_SECRET}
754+ issuerURL: https://sso.redhat.com/auth/realms/redhat-external
755+ redirectURL: https://observatorium-mst.api.openshift.com/oidc/rhel/callback
756+ usernameClaim: preferred_username
757+ rateLimits:
758+ - endpoint: '/api/metrics/v1/rhel/api/v1/receive'
759+ limit: 10000
760+ window: 30s
761+ - id: FB870BF3-9F3A-44FF-9BF7-D7A047A52F43
762+ name: telemeter
763+ oidc:
764+ clientID: ${CLIENT_ID}
765+ clientSecret: ${CLIENT_SECRET}
766+ issuerURL: https://sso.redhat.com/auth/realms/redhat-external
767+ redirectURL: https://observatorium.api.openshift.com/oidc/telemeter/callback
768+ usernameClaim: preferred_username
769+ ` ,
770+ },
771+ }
772+ }
773+
604774var gatewayTemplateParams = []templatev1.Parameter {
605775 {
606776 Name : "OSD_ORGANIZATION_ID" ,
0 commit comments