feat(CLOUDDST-30417): add component image-rbac-proxy

emilyzheng · emilyzheng · commit 27ee1ff1d252 · 2025-12-01T11:29:38.000+08:00
Signed-off-by: Emily Zheng &lt;yuzheng@redhat.com&gt;
diff --git a/argo-cd-apps/base/member/infra-deployments/image-rbac-proxy/image-rbac-proxy.yaml b/argo-cd-apps/base/member/infra-deployments/image-rbac-proxy/image-rbac-proxy.yaml
@@ -0,0 +1,45 @@
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+  name: image-rbac-proxy
+spec:
+  generators:
+    - merge:
+        mergeKeys:
+          - nameNormalized
+        generators:
+          - clusters:
+              values:
+                sourceRoot: components/image-rbac-proxy
+                environment: staging
+                clusterDir: base
+          - list:
+              elements:
+                - nameNormalized: stone-stage-p01
+                  values.clusterDir: stone-stage-p01
+                - nameNormalized: stone-stg-rh01
+                  values.clusterDir: stone-stg-rh01
+  template:
+    metadata:
+      name: image-rbac-proxy-{{nameNormalized}}
+    spec:
+      project: default
+      source:
+        path: '{{values.sourceRoot}}/{{values.environment}}/{{values.clusterDir}}'
+        repoURL: https://github.com/redhat-appstudio/infra-deployments.git
+        targetRevision: main
+      destination:
+        namespace: image-rbac-proxy
+        server: '{{server}}'
+      syncPolicy:
+        automated:
+          prune: true
+          selfHeal: true
+        syncOptions:
+        - CreateNamespace=true
+        retry:
+          limit: -1
+          backoff:
+            duration: 10s
+            factor: 2
+            maxDuration: 3m
diff --git a/argo-cd-apps/base/member/infra-deployments/image-rbac-proxy/kustomization.yaml b/argo-cd-apps/base/member/infra-deployments/image-rbac-proxy/kustomization.yaml
@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- image-rbac-proxy.yaml
+components:
+  - ../../../../k-components/deploy-to-member-cluster-merge-generator
diff --git a/argo-cd-apps/base/member/infra-deployments/kustomization.yaml b/argo-cd-apps/base/member/infra-deployments/kustomization.yaml
@@ -13,6 +13,7 @@ resources:
   - etcd-shield
   - internal-services
   - image-controller
+  - image-rbac-proxy
   - multi-platform-controller
   - perf-team-prometheus-reader
   - project-controller
diff --git a/components/cluster-secret-store/base/appsre-stonesoup-vault-secret-store.yaml b/components/cluster-secret-store/base/appsre-stonesoup-vault-secret-store.yaml
@@ -39,6 +39,7 @@ spec:
         - konflux-ci
         - konflux-ui
         - image-controller
+        - image-rbac-proxy
         - multi-platform-controller
         - openshift-logging
         - quality-dashboard
diff --git a/components/image-rbac-proxy/OWNERS b/components/image-rbac-proxy/OWNERS
@@ -0,0 +1,7 @@
+# See the OWNERS docs: https://go.k8s.io/owners
+
+approvers:
+- emilyzheng
+
+reviewers:
+- emilyzheng
diff --git a/components/image-rbac-proxy/README.md b/components/image-rbac-proxy/README.md
@@ -0,0 +1,14 @@
+---
+title: Image RBAC Proxy
+---
+
+Deployment of [image-rbac-proxy](https://github.com/konflux-ci/image-rbac-proxy)
+
+## Proxy secrets
+
+List of secrets:
+
+| Name          | Source       | Description                       |
+| ------------- | ------------ | ----------------------------------|
+| quay-username | appsre vault | Quay username for image pull |
+| quay-password | appsre vault | Quay password for image pull |
diff --git a/components/image-rbac-proxy/base/allow-argocd-to-manage.yaml b/components/image-rbac-proxy/base/allow-argocd-to-manage.yaml
@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: grant-argocd
+  namespace: image-rbac-proxy
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: admin
+subjects:
+- kind: ServiceAccount
+  name: openshift-gitops-argocd-application-controller
+  namespace: openshift-gitops
diff --git a/components/image-rbac-proxy/base/kustomization.yaml b/components/image-rbac-proxy/base/kustomization.yaml
@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: image-rbac-proxy
+resources:
+- allow-argocd-to-manage.yaml
+- quay-robot-account.yaml
+- route.yaml
diff --git a/components/image-rbac-proxy/base/quay-robot-account.yaml b/components/image-rbac-proxy/base/quay-robot-account.yaml
@@ -0,0 +1,24 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: quay-robot-account
+  namespace: image-rbac-proxy
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+    argocd.argoproj.io/sync-wave: "-1"
+spec:
+  dataFrom:
+    - extract:
+        key: staging/image-rbac-proxy/quay-robot-account
+  refreshInterval: 5m
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: appsre-stonesoup-vault
+  target:
+    creationPolicy: Owner
+    deletionPolicy: Delete
+    name: quay-robot-account
+    template:
+      data:
+        quay-username: '{{ .quay-username }}'
+        quay-password: '{{ .quay-password }}'
diff --git a/components/image-rbac-proxy/base/route.yaml b/components/image-rbac-proxy/base/route.yaml
@@ -0,0 +1,27 @@
+---
+apiVersion: route.openshift.io/v1
+kind: Route
+metadata:
+  name: image-rbac-proxy
+  namespace: image-rbac-proxy
+spec:
+  to:
+    kind: Service
+    name: image-rbac-proxy
+  tls:
+    insecureEdgeTerminationPolicy: Redirect
+    termination: reencrypt
+---
+apiVersion: route.openshift.io/v1
+kind: Route
+metadata:
+  name: dex
+  namespace: image-rbac-proxy
+spec:
+  path: /idp
+  to:
+    kind: Service
+    name: dex
+  tls:
+    insecureEdgeTerminationPolicy: Redirect
+    termination: reencrypt
diff --git a/components/image-rbac-proxy/oauth/kustomization.yaml b/components/image-rbac-proxy/oauth/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: image-rbac-proxy
+resources:
+- oauth-secret.yaml
diff --git a/components/image-rbac-proxy/oauth/oauth-secret.yaml b/components/image-rbac-proxy/oauth/oauth-secret.yaml
@@ -0,0 +1,106 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: oauth-secret-generator
+  namespace: image-rbac-proxy
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: oauth-secret-generator
+  namespace: image-rbac-proxy
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - list
+  - create
+  - get
+  - update
+  - patch
+  - delete
+- apiGroups:
+  - apps
+  resources:
+  - deployments
+  verbs:
+  - get
+  - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: oauth-secret-generator
+  namespace: image-rbac-proxy
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: oauth-secret-generator
+subjects:
+- kind: ServiceAccount
+  name: oauth-secret-generator
+  namespace: image-rbac-proxy
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: oauth-secret-generator
+  namespace: image-rbac-proxy
+  annotations:
+    argocd.argoproj.io/sync-options: Force=true,Replace=true
+spec:
+  template:
+    spec:
+      containers:
+      - command:
+        - /bin/bash
+        - -c
+        - |
+          set -o errexit
+          set -o nounset
+          set -o pipefail
+
+          echo "Generating/updating image-proxy-client-secret"
+
+          random_pass=$(openssl rand -base64 20)
+          kubectl create secret generic image-proxy-client-secret \
+              --namespace image-rbac-proxy \
+              --from-literal="client-secret=${random_pass}" \
+              --dry-run=client \
+              -o yaml \
+              | kubectl apply -f -
+
+          echo "Restarting the proxy deployment"
+          if kubectl -n image-rbac-proxy get deployment/image-rbac-proxy; then
+            kubectl -n image-rbac-proxy rollout restart deployment/image-rbac-proxy
+          else
+            echo "skipping restart"
+          fi
+
+          echo "Restarting the dex deployment"
+          if kubectl -n image-rbac-proxy get deployment/dex; then
+            kubectl -n image-rbac-proxy rollout restart deployment/dex
+          else
+            echo "skipping dex restart"
+          fi
+
+        image: quay.io/konflux-ci/appstudio-utils:ab6b0b8e40e440158e7288c73aff1cf83a2cc8a9@sha256:24179f0efd06c65d16868c2d7eb82573cce8e43533de6cea14fec3b7446e0b14
+        imagePullPolicy: Always
+        name: oauth-secret-generator
+        resources:
+          limits:
+            cpu: 100m
+            memory: 250Mi
+          requests:
+            cpu: 10m
+            memory: 10Mi
+        securityContext:
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+      dnsPolicy: ClusterFirst
+      restartPolicy: Never
+      serviceAccountName: oauth-secret-generator
+      terminationGracePeriodSeconds: 30
diff --git a/components/image-rbac-proxy/staging/base/kustomization.yaml b/components/image-rbac-proxy/staging/base/kustomization.yaml
@@ -0,0 +1,11 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: image-rbac-proxy
+resources:
+- ../../base
+- https://github.com/konflux-ci/image-rbac-proxy/deploy/base?ref=5ff8c84750f5ec2b536d7c8e5ec1c38c16e794a5
+
+images:
+- name: quay.io/konflux-ci/image-rbac-proxy
+  newName: quay.io/konflux-ci/image-rbac-proxy
+  newTag: 5ff8c84750f5ec2b536d7c8e5ec1c38c16e794a5
diff --git a/components/image-rbac-proxy/staging/stone-stage-p01/configmap.yaml b/components/image-rbac-proxy/staging/stone-stage-p01/configmap.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: image-rbac-proxy
+  namespace: image-rbac-proxy
+data:
+  backend-namespace: redhat-user-workloads-stage
+  cluster-url: https://api.stone-stage-p01.hpmt.p1.openshiftapps.com:6443
+  proxy-url: https://image-rbac-proxy.apps.stone-stage-p01.hpmt.p1.openshiftapps.com
+  dex-url: https://image-rbac-proxy.apps.stone-stage-p01.hpmt.p1.openshiftapps.com/idp
diff --git a/components/image-rbac-proxy/staging/stone-stage-p01/dex-config.yaml b/components/image-rbac-proxy/staging/stone-stage-p01/dex-config.yaml
@@ -0,0 +1,30 @@
+issuer: https://image-rbac-proxy.apps.stone-stage-p01.hpmt.p1.openshiftapps.com/idp
+storage:
+  type: kubernetes
+  config:
+    inCluster: true
+web:
+  https: 0.0.0.0:9443
+  tlsCert: /etc/dex/tls/tls.crt
+  tlsKey: /etc/dex/tls/tls.key
+oauth2:
+  skipApprovalScreen: true
+staticClients:
+- id: image-rbac-proxy
+  redirectURIs:
+  - https://image-rbac-proxy.apps.stone-stage-p01.hpmt.p1.openshiftapps.com/oauth/callback
+  name: 'image-rbac-proxy'
+  secretEnv: 'OAUTH2_CLIENT_SECRET'
+
+telemetry:
+  http: 0.0.0.0:5558
+
+connectors:
+  - type: openshift
+    id: openshift
+    name: OpenShift
+    config:
+      issuer: https://api.stone-stage-p01.hpmt.p1.openshiftapps.com:6443
+      clientID: system:serviceaccount:image-rbac-proxy:dex-client
+      clientSecret: $OPENSHIFT_OAUTH_CLIENT_SECRET
+      redirectURI: https://image-rbac-proxy.apps.stone-stage-p01.hpmt.p1.openshiftapps.com/idp/callback
diff --git a/components/image-rbac-proxy/staging/stone-stage-p01/kustomization.yaml b/components/image-rbac-proxy/staging/stone-stage-p01/kustomization.yaml
@@ -0,0 +1,25 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: image-rbac-proxy
+resources:
+- ../base
+# Enable this to create/rotate oauth secret
+# - ../../oauth
+
+configMapGenerator:
+  - name: dex
+    files:
+      - dex-config.yaml
+
+patches:
+- path: configmap.yaml
+- path: route-patch.yaml
+  target:
+    kind: Route
+    group: route.openshift.io
+    version: v1
+- path: sa-patch.yaml
+  target:
+    kind: ServiceAccount
+    name: dex-client
+    version: v1
diff --git a/components/image-rbac-proxy/staging/stone-stage-p01/route-patch.yaml b/components/image-rbac-proxy/staging/stone-stage-p01/route-patch.yaml
@@ -0,0 +1,4 @@
+---
+- op: add
+  path: /spec/host
+  value: image-rbac-proxy.apps.stone-stage-p01.hpmt.p1.openshiftapps.com
diff --git a/components/image-rbac-proxy/staging/stone-stage-p01/sa-patch.yaml b/components/image-rbac-proxy/staging/stone-stage-p01/sa-patch.yaml
@@ -0,0 +1,4 @@
+---
+- op: add
+  path: /metadata/annotations/serviceaccounts.openshift.io~1oauth-redirecturi.konflux
+  value: https://image-rbac-proxy.apps.stone-stage-p01.hpmt.p1.openshiftapps.com/idp/callback
diff --git a/components/image-rbac-proxy/staging/stone-stg-rh01/configmap.yaml b/components/image-rbac-proxy/staging/stone-stg-rh01/configmap.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: image-rbac-proxy
+  namespace: image-rbac-proxy
+data:
+  backend-namespace: redhat-user-workloads-stage
+  cluster-url: https://api.stone-stg-rh01.l2vh.p1.openshiftapps.com:6443
+  proxy-url: https://image-rbac-proxy.apps.stone-stg-rh01.l2vh.p1.openshiftapps.com
+  dex-url: https://image-rbac-proxy.apps.stone-stg-rh01.l2vh.p1.openshiftapps.com/idp
diff --git a/components/image-rbac-proxy/staging/stone-stg-rh01/dex-config.yaml b/components/image-rbac-proxy/staging/stone-stg-rh01/dex-config.yaml
diff --git a/components/image-rbac-proxy/staging/stone-stg-rh01/kustomization.yaml b/components/image-rbac-proxy/staging/stone-stg-rh01/kustomization.yaml
diff --git a/components/image-rbac-proxy/staging/stone-stg-rh01/route-patch.yaml b/components/image-rbac-proxy/staging/stone-stg-rh01/route-patch.yaml
diff --git a/components/image-rbac-proxy/staging/stone-stg-rh01/sa-patch.yaml b/components/image-rbac-proxy/staging/stone-stg-rh01/sa-patch.yaml
