From 27ee1ff1d2527d910268ed3afc76a5a1c28a25d6 Mon Sep 17 00:00:00 2001 From: Emily Zheng Date: Mon, 24 Nov 2025 21:56:28 +0800 Subject: [PATCH] feat(CLOUDDST-30417): add component image-rbac-proxy 
Signed-off-by: Emily Zheng --- .../image-rbac-proxy/image-rbac-proxy.yaml | 45 ++++++++ .../image-rbac-proxy/kustomization.yaml | 6 + .../infra-deployments/kustomization.yaml | 1 + .../appsre-stonesoup-vault-secret-store.yaml | 1 + components/image-rbac-proxy/OWNERS | 7 ++ components/image-rbac-proxy/README.md | 14 +++ .../base/allow-argocd-to-manage.yaml | 13 +++ .../image-rbac-proxy/base/kustomization.yaml | 7 ++ .../base/quay-robot-account.yaml | 24 ++++ components/image-rbac-proxy/base/route.yaml | 27 +++++ .../image-rbac-proxy/oauth/kustomization.yaml | 5 + .../image-rbac-proxy/oauth/oauth-secret.yaml | 106 ++++++++++++++++++ .../staging/base/kustomization.yaml | 11 ++ .../staging/stone-stage-p01/configmap.yaml | 10 ++ .../staging/stone-stage-p01/dex-config.yaml | 30 +++++ .../stone-stage-p01/kustomization.yaml | 25 +++++ .../staging/stone-stage-p01/route-patch.yaml | 4 + .../staging/stone-stage-p01/sa-patch.yaml | 4 + .../staging/stone-stg-rh01/configmap.yaml | 10 ++ .../staging/stone-stg-rh01/dex-config.yaml | 30 +++++ .../staging/stone-stg-rh01/kustomization.yaml | 25 +++++ .../staging/stone-stg-rh01/route-patch.yaml | 4 + .../staging/stone-stg-rh01/sa-patch.yaml | 4 + 23 files changed, 413 insertions(+) create mode 100644 argo-cd-apps/base/member/infra-deployments/image-rbac-proxy/image-rbac-proxy.yaml create mode 100644 argo-cd-apps/base/member/infra-deployments/image-rbac-proxy/kustomization.yaml create mode 100644 components/image-rbac-proxy/OWNERS create mode 100644 components/image-rbac-proxy/README.md create mode 100644 components/image-rbac-proxy/base/allow-argocd-to-manage.yaml create mode 100644 components/image-rbac-proxy/base/kustomization.yaml create mode 100644 components/image-rbac-proxy/base/quay-robot-account.yaml create mode 100644 components/image-rbac-proxy/base/route.yaml create mode 100644 components/image-rbac-proxy/oauth/kustomization.yaml create mode 100644 components/image-rbac-proxy/oauth/oauth-secret.yaml create mode 100644 
components/image-rbac-proxy/staging/base/kustomization.yaml create mode 100644 components/image-rbac-proxy/staging/stone-stage-p01/configmap.yaml create mode 100644 components/image-rbac-proxy/staging/stone-stage-p01/dex-config.yaml create mode 100644 components/image-rbac-proxy/staging/stone-stage-p01/kustomization.yaml create mode 100644 components/image-rbac-proxy/staging/stone-stage-p01/route-patch.yaml create mode 100644 components/image-rbac-proxy/staging/stone-stage-p01/sa-patch.yaml create mode 100644 components/image-rbac-proxy/staging/stone-stg-rh01/configmap.yaml create mode 100644 components/image-rbac-proxy/staging/stone-stg-rh01/dex-config.yaml create mode 100644 components/image-rbac-proxy/staging/stone-stg-rh01/kustomization.yaml create mode 100644 components/image-rbac-proxy/staging/stone-stg-rh01/route-patch.yaml create mode 100644 components/image-rbac-proxy/staging/stone-stg-rh01/sa-patch.yaml
diff --git a/argo-cd-apps/base/member/infra-deployments/image-rbac-proxy/image-rbac-proxy.yaml b/argo-cd-apps/base/member/infra-deployments/image-rbac-proxy/image-rbac-proxy.yaml
new file mode 100644
index 00000000000..a8e9df2187f
--- /dev/null
+++ b/argo-cd-apps/base/member/infra-deployments/image-rbac-proxy/image-rbac-proxy.yaml
@@ -0,0 +1,45 @@
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+ name: image-rbac-proxy
+spec:
+ generators:
+ - merge:
+ mergeKeys:
+ - nameNormalized
+ generators:
+ - clusters:
+ values:
+ sourceRoot: components/image-rbac-proxy
+ environment: staging
+ clusterDir: base
+ - list:
+ elements:
+ - nameNormalized: stone-stage-p01
+ values.clusterDir: stone-stage-p01
+ - nameNormalized: stone-stg-rh01
+ values.clusterDir: stone-stg-rh01
+ template:
+ metadata:
+ name: image-rbac-proxy-{{nameNormalized}}
+ spec:
+ project: default
+ source:
+ path: '{{values.sourceRoot}}/{{values.environment}}/{{values.clusterDir}}'
+ repoURL: https://github.com/redhat-appstudio/infra-deployments.git
+ targetRevision: main
+ destination:
+ namespace: image-rbac-proxy
+ server: '{{server}}'
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
+ retry:
+ limit: -1
+ backoff:
+ duration: 10s
+ factor: 2
+ maxDuration: 3m
diff --git a/argo-cd-apps/base/member/infra-deployments/image-rbac-proxy/kustomization.yaml b/argo-cd-apps/base/member/infra-deployments/image-rbac-proxy/kustomization.yaml
new file mode 100644
index 00000000000..ca458585f6c
--- /dev/null
+++ b/argo-cd-apps/base/member/infra-deployments/image-rbac-proxy/kustomization.yaml
@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- image-rbac-proxy.yaml
+components:
+ - ../../../../k-components/deploy-to-member-cluster-merge-generator
diff --git a/argo-cd-apps/base/member/infra-deployments/kustomization.yaml b/argo-cd-apps/base/member/infra-deployments/kustomization.yaml
index 06208a41a6c..2d669428166 100644
--- a/argo-cd-apps/base/member/infra-deployments/kustomization.yaml
+++ b/argo-cd-apps/base/member/infra-deployments/kustomization.yaml
@@ -13,6 +13,7 @@ resources:
 - etcd-shield
 - internal-services
 - image-controller
+ - image-rbac-proxy
 - multi-platform-controller
 - perf-team-prometheus-reader
 - project-controller
diff --git a/components/cluster-secret-store/base/appsre-stonesoup-vault-secret-store.yaml b/components/cluster-secret-store/base/appsre-stonesoup-vault-secret-store.yaml
index 74dca9fb8e7..a5132c6e0b5 100644
--- a/components/cluster-secret-store/base/appsre-stonesoup-vault-secret-store.yaml
+++ b/components/cluster-secret-store/base/appsre-stonesoup-vault-secret-store.yaml
@@ -39,6 +39,7 @@ spec:
 - konflux-ci
 - konflux-ui
 - image-controller
+ - image-rbac-proxy
 - multi-platform-controller
 - openshift-logging
 - quality-dashboard
diff --git a/components/image-rbac-proxy/OWNERS b/components/image-rbac-proxy/OWNERS
new file mode 100644
index 00000000000..7f34343260d
--- /dev/null
+++ b/components/image-rbac-proxy/OWNERS
@@ -0,0 +1,7 @@
+# See the OWNERS docs: https://go.k8s.io/owners
+
+approvers:
+- emilyzheng
+
+reviewers:
+- emilyzheng
diff --git a/components/image-rbac-proxy/README.md b/components/image-rbac-proxy/README.md
new file mode 100644
index 00000000000..3d73378121a
--- /dev/null
+++ b/components/image-rbac-proxy/README.md
@@ -0,0 +1,14 @@
+---
+title: Image RBAC Proxy
+---
+
+Deployment of [image-rbac-proxy](https://github.com/konflux-ci/image-rbac-proxy)
+
+## Proxy secrets
+
+List of secrets:
+
+| Name | Source | Description |
+| ------------- | ------------ | ----------------------------------|
+| quay-username | appsre vault | Quay username for image pull |
+| quay-password | appsre vault | Quay password for image pull |
diff --git a/components/image-rbac-proxy/base/allow-argocd-to-manage.yaml b/components/image-rbac-proxy/base/allow-argocd-to-manage.yaml
new file mode 100644
index 00000000000..f5692a73fd1
--- /dev/null
+++ b/components/image-rbac-proxy/base/allow-argocd-to-manage.yaml
@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: grant-argocd
+ namespace: image-rbac-proxy
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: admin
+subjects:
+- kind: ServiceAccount
+ name: openshift-gitops-argocd-application-controller
+ namespace: openshift-gitops
diff --git a/components/image-rbac-proxy/base/kustomization.yaml b/components/image-rbac-proxy/base/kustomization.yaml
new file mode 100644
index 00000000000..2e2d9d33903
--- /dev/null
+++ b/components/image-rbac-proxy/base/kustomization.yaml
@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: image-rbac-proxy
+resources:
+- allow-argocd-to-manage.yaml
+- quay-robot-account.yaml
+- route.yaml
diff --git a/components/image-rbac-proxy/base/quay-robot-account.yaml b/components/image-rbac-proxy/base/quay-robot-account.yaml
new file mode 100644
index 00000000000..922c91c189d
--- /dev/null
+++ b/components/image-rbac-proxy/base/quay-robot-account.yaml
@@ -0,0 +1,24 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: quay-robot-account
+ namespace: image-rbac-proxy
+ annotations:
+ argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+ argocd.argoproj.io/sync-wave: "-1"
+spec:
+ dataFrom:
+ - extract:
+ key: staging/image-rbac-proxy/quay-robot-account
+ refreshInterval: 5m
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: appsre-stonesoup-vault
+ target:
+ creationPolicy: Owner
+ deletionPolicy: Delete
+ name: quay-robot-account
+ template:
+ data:
+ quay-username: '{{ .quay-username }}'
+ quay-password: '{{ .quay-password }}'
diff --git a/components/image-rbac-proxy/base/route.yaml b/components/image-rbac-proxy/base/route.yaml
new file mode 100644
index 00000000000..40cefecd42e
--- /dev/null
+++ b/components/image-rbac-proxy/base/route.yaml
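Review bot: The `target.template.data` entries `{{ .quay-username }}` and `{{ .quay-password }}` use a field name containing `-`, which Go's text/template (the engine behind External Secrets' default v2 templating, as far as I can tell) rejects at parse time, so unless this cluster's ESO is configured with a different engine the `quay-robot-account` Secret will never be rendered and the proxy's image pulls will fail. The form ESO documents for keys with dashes is `quay-username: '{{ index . "quay-username" }}'` and `quay-password: '{{ index . "quay-password" }}'`. Separately, this file lives in `base/` but hard-codes the vault key `staging/image-rbac-proxy/quay-robot-account`; a later production overlay that reuses the base would silently pull staging credentials, so I would either move the `key` into `staging/base` as a patch or name it per environment from the overlay.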
@@ -0,0 +1,27 @@
+---
+apiVersion: route.openshift.io/v1
+kind: Route
+metadata:
+ name: image-rbac-proxy
+ namespace: image-rbac-proxy
+spec:
+ to:
+ kind: Service
+ name: image-rbac-proxy
+ tls:
+ insecureEdgeTerminationPolicy: Redirect
+ termination: reencrypt
+---
+apiVersion: route.openshift.io/v1
+kind: Route
+metadata:
+ name: dex
+ namespace: image-rbac-proxy
+spec:
+ path: /idp
+ to:
+ kind: Service
+ name: dex
+ tls:
+ insecureEdgeTerminationPolicy: Redirect
+ termination: reencrypt
diff --git a/components/image-rbac-proxy/oauth/kustomization.yaml b/components/image-rbac-proxy/oauth/kustomization.yaml
new file mode 100644
index 00000000000..779aff6b424
--- /dev/null
+++ b/components/image-rbac-proxy/oauth/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: image-rbac-proxy
+resources:
+- oauth-secret.yaml
diff --git a/components/image-rbac-proxy/oauth/oauth-secret.yaml b/components/image-rbac-proxy/oauth/oauth-secret.yaml
new file mode 100644
index 00000000000..0046c855058
--- /dev/null
+++ b/components/image-rbac-proxy/oauth/oauth-secret.yaml
@@ -0,0 +1,106 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: oauth-secret-generator
+ namespace: image-rbac-proxy
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: oauth-secret-generator
+ namespace: image-rbac-proxy
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - list
+ - create
+ - get
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - apps
+ resources:
+ - deployments
+ verbs:
+ - get
+ - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: oauth-secret-generator
+ namespace: image-rbac-proxy
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: oauth-secret-generator
+subjects:
+- kind: ServiceAccount
+ name: oauth-secret-generator
+ namespace: image-rbac-proxy
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: oauth-secret-generator
+ namespace: image-rbac-proxy
+ annotations:
+ argocd.argoproj.io/sync-options: Force=true,Replace=true
+spec:
+ template:
+ spec:
+ containers:
+ - command:
+ - /bin/bash
+ - -c
+ - |
+ set -o errexit
+ set -o nounset
+ set -o pipefail
+
+ echo "Generating/updating image-proxy-client-secret"
+
+ random_pass=$(openssl rand -base64 20)
+ kubectl create secret generic image-proxy-client-secret \
+ --namespace image-rbac-proxy \
+ --from-literal="client-secret=${random_pass}" \
+ --dry-run=client \
+ -o yaml \
+ | kubectl apply -f -
+
+ echo "Restarting the proxy deployment"
+ if kubectl -n image-rbac-proxy get deployment/image-rbac-proxy; then
+ kubectl -n image-rbac-proxy rollout restart deployment/image-rbac-proxy
+ else
+ echo "skipping restart"
+ fi
+
+ echo "Restarting the dex deployment"
+ if kubectl -n image-rbac-proxy get deployment/dex; then
+ kubectl -n image-rbac-proxy rollout restart deployment/dex
+ else
+ echo "skipping dex restart"
+ fi
+
+ image: quay.io/konflux-ci/appstudio-utils:ab6b0b8e40e440158e7288c73aff1cf83a2cc8a9@sha256:24179f0efd06c65d16868c2d7eb82573cce8e43533de6cea14fec3b7446e0b14
imagePullPolicy: Always
+ name: oauth-secret-generator
+ resources:
+ limits:
+ cpu: 100m
+ memory: 250Mi
+ requests:
+ cpu: 10m
+ memory: 10Mi
+ securityContext:
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ dnsPolicy: ClusterFirst
+ restartPolicy: Never
+ serviceAccountName: oauth-secret-generator
+ terminationGracePeriodSeconds: 30
diff --git a/components/image-rbac-proxy/staging/base/kustomization.yaml b/components/image-rbac-proxy/staging/base/kustomization.yaml
new file mode 100644
index 00000000000..19cfd14610e
--- /dev/null
+++ b/components/image-rbac-proxy/staging/base/kustomization.yaml
@@ -0,0 +1,11 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: image-rbac-proxy
+resources:
+- ../../base
+- https://github.com/konflux-ci/image-rbac-proxy/deploy/base?ref=5ff8c84750f5ec2b536d7c8e5ec1c38c16e794a5
+
+images:
+- name: quay.io/konflux-ci/image-rbac-proxy
+ newName: quay.io/konflux-ci/image-rbac-proxy
+ newTag: 5ff8c84750f5ec2b536d7c8e5ec1c38c16e794a5
diff --git a/components/image-rbac-proxy/staging/stone-stage-p01/configmap.yaml b/components/image-rbac-proxy/staging/stone-stage-p01/configmap.yaml
new file mode 100644
index 00000000000..6f85b561b7a
--- /dev/null
+++ b/components/image-rbac-proxy/staging/stone-stage-p01/configmap.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: image-rbac-proxy
+ namespace: image-rbac-proxy
+data:
+ backend-namespace: redhat-user-workloads-stage
+ cluster-url: https://api.stone-stage-p01.hpmt.p1.openshiftapps.com:6443
+ proxy-url: https://image-rbac-proxy.apps.stone-stage-p01.hpmt.p1.openshiftapps.com
+ dex-url: https://image-rbac-proxy.apps.stone-stage-p01.hpmt.p1.openshiftapps.com/idp
diff --git a/components/image-rbac-proxy/staging/stone-stage-p01/dex-config.yaml b/components/image-rbac-proxy/staging/stone-stage-p01/dex-config.yaml
new file mode 100644
index 00000000000..2b0b8a2aaa8
--- /dev/null
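Review bot: The `oauth-secret-generator` Role grants `list`, `get`, `update`, `patch` and `delete` on every Secret in the namespace, but the script only applies the single Secret `image-proxy-client-secret` and restarts two named Deployments; the same namespace also holds the Quay robot credentials (`quay-robot-account`) and whatever backs `OPENSHIFT_OAUTH_CLIENT_SECRET`, so a compromised Job image or service-account token reads more than it needs. `create` cannot be narrowed by `resourceNames`, but the remaining verbs can, and neither `kubectl apply` nor `rollout restart` needs `list` or `delete`, so I would split the rules as below and pin the Deployment rule to `image-rbac-proxy` and `dex`. While here, adding `allowPrivilegeEscalation: false` and `capabilities: {drop: [ALL]}` next to `runAsNonRoot: true` lets the Job pass the restricted pod-security profile.
```yaml
rules:
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - create
- apiGroups:
  - ""
  resources:
  - secrets
  resourceNames:
  - image-proxy-client-secret
  verbs:
  - get
  - update
  - patch
- apiGroups:
  - apps
  resources:
  - deployments
  resourceNames:
  - image-rbac-proxy
  - dex
  verbs:
  - get
  - patch
# … unchanged: RoleBinding and Job …
```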
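Review bot: In `staging/base/kustomization.yaml` the proxy image is pinned with `newTag: 5ff8c84750f5ec2b536d7c8e5ec1c38c16e794a5`, which is a tag, not an immutable reference; a tag in Quay can be re-pushed, so this is weaker than the `?ref=` commit pin used for the remote kustomize base one line above and than the `@sha256:` digest the `oauth-secret-generator` Job already uses for `appstudio-utils`. For a component that sits on an authentication boundary I would pin by digest, replacing `newTag: 5ff8c84750f5ec2b536d7c8e5ec1c38c16e794a5` with `digest: sha256:<digest of that build>`, which the kustomize `images` transformer supports. The `newName` line repeats `name` verbatim and can be dropped.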
+++ b/components/image-rbac-proxy/staging/stone-stage-p01/dex-config.yaml
@@ -0,0 +1,30 @@
+issuer: https://image-rbac-proxy.apps.stone-stage-p01.hpmt.p1.openshiftapps.com/idp
+storage:
+ type: kubernetes
+ config:
+ inCluster: true
+web:
+ https: 0.0.0.0:9443
+ tlsCert: /etc/dex/tls/tls.crt
+ tlsKey: /etc/dex/tls/tls.key
+oauth2:
+ skipApprovalScreen: true
+staticClients:
+- id: image-rbac-proxy
+ redirectURIs:
+ - https://image-rbac-proxy.apps.stone-stage-p01.hpmt.p1.openshiftapps.com/oauth/callback
+ name: 'image-rbac-proxy'
+ secretEnv: 'OAUTH2_CLIENT_SECRET'
+
+telemetry:
+ http: 0.0.0.0:5558
+
+connectors:
+ - type: openshift
+ id: openshift
+ name: OpenShift
+ config:
+ issuer: https://api.stone-stage-p01.hpmt.p1.openshiftapps.com:6443
+ clientID: system:serviceaccount:image-rbac-proxy:dex-client
+ clientSecret: $OPENSHIFT_OAUTH_CLIENT_SECRET
+ redirectURI: https://image-rbac-proxy.apps.stone-stage-p01.hpmt.p1.openshiftapps.com/idp/callback
diff --git a/components/image-rbac-proxy/staging/stone-stage-p01/kustomization.yaml b/components/image-rbac-proxy/staging/stone-stage-p01/kustomization.yaml
new file mode 100644
index 00000000000..ad02cd56a22
--- /dev/null
+++ b/components/image-rbac-proxy/staging/stone-stage-p01/kustomization.yaml
@@ -0,0 +1,25 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: image-rbac-proxy
+resources:
+- ../base
+# Enable this to create/rotate oauth secret
+# - ../../oauth
+
+configMapGenerator:
+ - name: dex
+ files:
+ - dex-config.yaml
+
+patches:
+- path: configmap.yaml
+- path: route-patch.yaml
+ target:
+ kind: Route
+ group: route.openshift.io
+ version: v1
+- path: sa-patch.yaml
+ target:
+ kind: ServiceAccount
+ name: dex-client
+ version: v1
diff --git a/components/image-rbac-proxy/staging/stone-stage-p01/route-patch.yaml b/components/image-rbac-proxy/staging/stone-stage-p01/route-patch.yaml
new file mode 100644
index 00000000000..e3027053810
--- /dev/null
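Review bot: The `openshift` connector in `dex-config.yaml` carries no `groups:` restriction, so any identity that can log in to the cluster OAuth server can complete the dex flow and obtain a token for the `image-rbac-proxy` client; with `skipApprovalScreen: true` the user is not even shown that grant. If authorization is meant to happen only in the proxy's own per-request RBAC check this is fine, but it should be said somewhere, e.g. a comment above `connectors:` such as `# No group filter on purpose: authorization is enforced by the proxy per request, not at login`; otherwise the connector's `groups:` list is the place to narrow who can authenticate. The same configuration is repeated for `stone-stg-rh01`.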
+++ b/components/image-rbac-proxy/staging/stone-stage-p01/route-patch.yaml
@@ -0,0 +1,4 @@
+---
+- op: add
+ path: /spec/host
+ value: image-rbac-proxy.apps.stone-stage-p01.hpmt.p1.openshiftapps.com
diff --git a/components/image-rbac-proxy/staging/stone-stage-p01/sa-patch.yaml b/components/image-rbac-proxy/staging/stone-stage-p01/sa-patch.yaml
new file mode 100644
index 00000000000..37f1f249a80
--- /dev/null
+++ b/components/image-rbac-proxy/staging/stone-stage-p01/sa-patch.yaml
@@ -0,0 +1,4 @@
+---
+- op: add
+ path: /metadata/annotations/serviceaccounts.openshift.io~1oauth-redirecturi.konflux
+ value: https://image-rbac-proxy.apps.stone-stage-p01.hpmt.p1.openshiftapps.com/idp/callback
diff --git a/components/image-rbac-proxy/staging/stone-stg-rh01/configmap.yaml b/components/image-rbac-proxy/staging/stone-stg-rh01/configmap.yaml
new file mode 100644
index 00000000000..6d523271032
--- /dev/null
+++ b/components/image-rbac-proxy/staging/stone-stg-rh01/configmap.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: image-rbac-proxy
+ namespace: image-rbac-proxy
+data:
+ backend-namespace: redhat-user-workloads-stage
+ cluster-url: https://api.stone-stg-rh01.l2vh.p1.openshiftapps.com:6443
+ proxy-url: https://image-rbac-proxy.apps.stone-stg-rh01.l2vh.p1.openshiftapps.com
+ dex-url: https://image-rbac-proxy.apps.stone-stg-rh01.l2vh.p1.openshiftapps.com/idp
diff --git a/components/image-rbac-proxy/staging/stone-stg-rh01/dex-config.yaml b/components/image-rbac-proxy/staging/stone-stg-rh01/dex-config.yaml
new file mode 100644
index 00000000000..17ce77b7162
--- /dev/null
+++ b/components/image-rbac-proxy/staging/stone-stg-rh01/dex-config.yaml
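Review bot: `sa-patch.yaml` is a JSON Patch whose single `add` op targets `/metadata/annotations/serviceaccounts.openshift.io~1oauth-redirecturi.konflux`; RFC 6902 `add` requires the parent container to exist, so if the `dex-client` ServiceAccount in the upstream `deploy/base` carries no `annotations` map the kustomize build fails with a "missing path" error instead of creating it. I cannot see the upstream ServiceAccount from this page, so this is only a risk if it is unannotated; a strategic-merge patch avoids the question entirely and also survives upstream adding its own annotations, and the same applies to `stone-stg-rh01/sa-patch.yaml`. The `route-patch.yaml` target selects every `Route` without a `name`, which is presumably deliberate since both routes share one host, but a one-line comment such as `# applies to both the proxy and the dex route; they share a host and differ only by path` would make that intent explicit.
```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: dex-client
  annotations:
    serviceaccounts.openshift.io/oauth-redirecturi.konflux: https://image-rbac-proxy.apps.stone-stage-p01.hpmt.p1.openshiftapps.com/idp/callback
```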
@@ -0,0 +1,30 @@
+issuer: https://image-rbac-proxy.apps.stone-stg-rh01.l2vh.p1.openshiftapps.com/idp
+storage:
+ type: kubernetes
+ config:
+ inCluster: true
+web:
+ https: 0.0.0.0:9443
+ tlsCert: /etc/dex/tls/tls.crt
+ tlsKey: /etc/dex/tls/tls.key
+oauth2:
+ skipApprovalScreen: true
+staticClients:
+- id: image-rbac-proxy
+ redirectURIs:
+ - https://image-rbac-proxy.apps.stone-stg-rh01.l2vh.p1.openshiftapps.com/oauth/callback
+ name: 'image-rbac-proxy'
+ secretEnv: 'OAUTH2_CLIENT_SECRET'
+
+telemetry:
+ http: 0.0.0.0:5558
+
+connectors:
+ - type: openshift
+ id: openshift
+ name: OpenShift
+ config:
+ issuer: https://api.stone-stg-rh01.l2vh.p1.openshiftapps.com:6443
+ clientID: system:serviceaccount:image-rbac-proxy:dex-client
+ clientSecret: $OPENSHIFT_OAUTH_CLIENT_SECRET
+ redirectURI: https://image-rbac-proxy.apps.stone-stg-rh01.l2vh.p1.openshiftapps.com/idp/callback
diff --git a/components/image-rbac-proxy/staging/stone-stg-rh01/kustomization.yaml b/components/image-rbac-proxy/staging/stone-stg-rh01/kustomization.yaml
new file mode 100644
index 00000000000..ad02cd56a22
--- /dev/null
+++ b/components/image-rbac-proxy/staging/stone-stg-rh01/kustomization.yaml
@@ -0,0 +1,25 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: image-rbac-proxy
+resources:
+- ../base
+# Enable this to create/rotate oauth secret
+# - ../../oauth
+
+configMapGenerator:
+ - name: dex
+ files:
+ - dex-config.yaml
+
+patches:
+- path: configmap.yaml
+- path: route-patch.yaml
+ target:
+ kind: Route
+ group: route.openshift.io
+ version: v1
+- path: sa-patch.yaml
+ target:
+ kind: ServiceAccount
+ name: dex-client
+ version: v1
diff --git a/components/image-rbac-proxy/staging/stone-stg-rh01/route-patch.yaml b/components/image-rbac-proxy/staging/stone-stg-rh01/route-patch.yaml
new file mode 100644
index 00000000000..51277f1a561
--- /dev/null
+++ b/components/image-rbac-proxy/staging/stone-stg-rh01/route-patch.yaml
@@ -0,0 +1,4 @@
+---
+- op: add
+ path: /spec/host
+ value: image-rbac-proxy.apps.stone-stg-rh01.l2vh.p1.openshiftapps.com
diff --git a/components/image-rbac-proxy/staging/stone-stg-rh01/sa-patch.yaml b/components/image-rbac-proxy/staging/stone-stg-rh01/sa-patch.yaml
new file mode 100644
index 00000000000..e26c2232f89
--- /dev/null
+++ b/components/image-rbac-proxy/staging/stone-stg-rh01/sa-patch.yaml
@@ -0,0 +1,4 @@
+---
+- op: add
+ path: /metadata/annotations/serviceaccounts.openshift.io~1oauth-redirecturi.konflux
+ value: https://image-rbac-proxy.apps.stone-stg-rh01.l2vh.p1.openshiftapps.com/idp/callback