@@ -0,0 +1,45 @@
apiVersion: argoproj.io/v1alpha1
kind: ApplicationSet
metadata:
name: image-rbac-proxy
spec:
generators:
- merge:
mergeKeys:
- nameNormalized
generators:
- clusters:
values:
sourceRoot: components/image-rbac-proxy
environment: staging
clusterDir: base
- list:
elements:
- nameNormalized: stone-stage-p01
values.clusterDir: stone-stage-p01
- nameNormalized: stone-stg-rh01
values.clusterDir: stone-stg-rh01
template:
metadata:
name: image-rbac-proxy-{{nameNormalized}}
spec:
project: default
source:
path: '{{values.sourceRoot}}/{{values.environment}}/{{values.clusterDir}}'
repoURL: https://github.com/redhat-appstudio/infra-deployments.git
targetRevision: main
destination:
namespace: image-rbac-proxy
server: '{{server}}'
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true
retry:
limit: -1
backoff:
duration: 10s
factor: 2
maxDuration: 3m
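Review bot: The generated Applications run under `project: default`, which in Argo CD places no bound on source repositories or destination clusters/namespaces, while `prune: true` and `selfHeal: true` let the controller apply whatever lands under `components/image-rbac-proxy/...` on `main` to every matched member cluster. If the other ApplicationSets in this repo use `default` too this is at least consistent, but a dedicated AppProject with `sourceRepos` limited to this repository and `destinations` limited to the `image-rbac-proxy` namespace would bound the blast radius of a bad merge. `retry.limit: -1` also means a permanently broken overlay is retried forever with a 3m cap on backoff; worth a comment such as `# limit: -1 retries indefinitely; failures surface only via Application health, not via retry exhaustion`.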
@@ -0,0 +1,6 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- image-rbac-proxy.yaml
components:
- ../../../../k-components/deploy-to-member-cluster-merge-generator
Expand Up @@ -13,6 +13,7 @@ resources:
- etcd-shield
- internal-services
- image-controller
- image-rbac-proxy
- multi-platform-controller
- perf-team-prometheus-reader
- project-controller
Expand Up @@ -39,6 +39,7 @@ spec:
- konflux-ci
- konflux-ui
- image-controller
- image-rbac-proxy
- multi-platform-controller
- openshift-logging
- quality-dashboard
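--- a/components/image-rbac-proxy/OWNERS
+++ b/components/image-rbac-proxy/OWNERS
@@ -0,0 +1,7 @@
+# See the OWNERS docs: https://go.k8s.io/owners
+
+approvers:
+- emilyzheng
+
+reviewers:
+- emilyzheng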
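--- a/components/image-rbac-proxy/README.md
+++ b/components/image-rbac-proxy/README.md
@@ -0,0 +1,14 @@
+---
+title: Image RBAC Proxy
+---
+
+Deployment of [image-rbac-proxy](https://github.com/konflux-ci/image-rbac-proxy)
+
+## Proxy secrets
+
+List of secrets:
+
+| Name | Source | Description |
+| ------------- | ------------ | ----------------------------------|
+| quay-username | appsre vault | Quay username for image pull |
+| quay-password | appsre vault | Quay password for image pull |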
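--- a/components/image-rbac-proxy/base/allow-argocd-to-manage.yaml
+++ b/components/image-rbac-proxy/base/allow-argocd-to-manage.yaml
@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+name: grant-argocd
+namespace: image-rbac-proxy
+roleRef:
+apiGroup: rbac.authorization.k8s.io
+kind: ClusterRole
+name: admin
+subjects:
+- kind: ServiceAccount
+name: openshift-gitops-argocd-application-controller
+namespace: openshift-gitops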
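--- a/components/image-rbac-proxy/base/kustomization.yaml
+++ b/components/image-rbac-proxy/base/kustomization.yaml
@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: image-rbac-proxy
+resources:
+- allow-argocd-to-manage.yaml
+- quay-robot-account.yaml
+- route.yaml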
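--- a/components/image-rbac-proxy/base/quay-robot-account.yaml
+++ b/components/image-rbac-proxy/base/quay-robot-account.yaml
@@ -0,0 +1,24 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+name: quay-robot-account
+namespace: image-rbac-proxy
+annotations:
+argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+argocd.argoproj.io/sync-wave: "-1"
+spec:
+dataFrom:
+- extract:
+key: staging/image-rbac-proxy/quay-robot-account
+refreshInterval: 5m
+secretStoreRef:
+kind: ClusterSecretStore
+name: appsre-stonesoup-vault
+target:
+creationPolicy: Owner
+deletionPolicy: Delete
+name: quay-robot-account
+template:
+data:
+quay-username: '{{ .quay-username }}'
+quay-password: '{{ .quay-password }}'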
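Review bot: The target template addresses hyphenated keys as Go template fields, `'{{ .quay-username }}'` and `'{{ .quay-password }}'`; Go's text/template does not allow `-` inside a field name, so unless the External Secrets templating engine rewrites these, rendering fails and no `quay-robot-account` Secret is created, which the proxy would only surface as an image-pull failure. The form that works for such keys is `quay-username: '{{ index . "quay-username" }}'` and `quay-password: '{{ index . "quay-password" }}'`. If the vault entry already stores the values under `quay-username`/`quay-password`, as the README's table suggests, `dataFrom.extract` alone copies them through under those names and the `template` block can be dropped entirely.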
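--- a/components/image-rbac-proxy/base/route.yaml
+++ b/components/image-rbac-proxy/base/route.yaml
@@ -0,0 +1,27 @@
+---
+apiVersion: route.openshift.io/v1
+kind: Route
+metadata:
+name: image-rbac-proxy
+namespace: image-rbac-proxy
+spec:
+to:
+kind: Service
+name: image-rbac-proxy
+tls:
+insecureEdgeTerminationPolicy: Redirect
+termination: reencrypt
+---
+apiVersion: route.openshift.io/v1
+kind: Route
+metadata:
+name: dex
+namespace: image-rbac-proxy
+spec:
+path: /idp
+to:
+kind: Service
+name: dex
+tls:
+insecureEdgeTerminationPolicy: Redirect
+termination: reencrypt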
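Review bot: Both routes use `termination: reencrypt` without a `destinationCACertificate`, so the router only trusts the backend when its serving certificate chains to the cluster's service-serving CA (the `service.beta.openshift.io/serving-cert-secret-name` mechanism); the `image-rbac-proxy` and `dex` Services and Deployments come from the remote `deploy/base` that is not visible in this PR, so confirm that is how both obtain the certs mounted at `/etc/dex/tls`. Neither route specifies `port`, which is only valid when the target Service publishes exactly one port; the dex config also opens a plaintext telemetry listener on 5558, so if the `dex` Service exposes that port too the route will need `port: targetPort: <https port name>`. A one-line comment such as `# reencrypt relies on service-ca-signed backend certs; no destinationCACertificate needed` would save the next reader the same investigation.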
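--- a/components/image-rbac-proxy/oauth/kustomization.yaml
+++ b/components/image-rbac-proxy/oauth/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: image-rbac-proxy
+resources:
+- oauth-secret.yaml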
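--- a/components/image-rbac-proxy/oauth/oauth-secret.yaml
+++ b/components/image-rbac-proxy/oauth/oauth-secret.yaml
@@ -0,0 +1,106 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+name: oauth-secret-generator
+namespace: image-rbac-proxy
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+name: oauth-secret-generator
+namespace: image-rbac-proxy
+rules:
+- apiGroups:
+- ""
+resources:
+- secrets
+verbs:
+- list
+- create
+- get
+- update
+- patch
+- delete
+- apiGroups:
+- apps
+resources:
+- deployments
+verbs:
+- get
+- patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+name: oauth-secret-generator
+namespace: image-rbac-proxy
+roleRef:
+apiGroup: rbac.authorization.k8s.io
+kind: Role
+name: oauth-secret-generator
+subjects:
+- kind: ServiceAccount
+name: oauth-secret-generator
+namespace: image-rbac-proxy
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+name: oauth-secret-generator
+namespace: image-rbac-proxy
+annotations:
+argocd.argoproj.io/sync-options: Force=true,Replace=true
+spec:
+template:
+spec:
+containers:
+- command:
+- /bin/bash
+- -c
+- |
+set -o errexit
+set -o nounset
+set -o pipefail
+
+echo "Generating/updating image-proxy-client-secret"
+
+random_pass=$(openssl rand -base64 20)
+kubectl create secret generic image-proxy-client-secret \
+--namespace image-rbac-proxy \
+--from-literal="client-secret=${random_pass}" \
+--dry-run=client \
+-o yaml \
+| kubectl apply -f -
+
+echo "Restarting the proxy deployment"
+if kubectl -n image-rbac-proxy get deployment/image-rbac-proxy; then
+kubectl -n image-rbac-proxy rollout restart deployment/image-rbac-proxy
+else
+echo "skipping restart"
+fi
+
+echo "Restarting the dex deployment"
+if kubectl -n image-rbac-proxy get deployment/dex; then
+kubectl -n image-rbac-proxy rollout restart deployment/dex
+else
+echo "skipping dex restart"
+fi
+
+image: quay.io/konflux-ci/appstudio-utils:ab6b0b8e40e440158e7288c73aff1cf83a2cc8a9@sha256:24179f0efd06c65d16868c2d7eb82573cce8e43533de6cea14fec3b7446e0b14
+imagePullPolicy: Always
+name: oauth-secret-generator
+resources:
+limits:
+cpu: 100m
+memory: 250Mi
+requests:
+cpu: 10m
+memory: 10Mi
+securityContext:
+readOnlyRootFilesystem: true
+runAsNonRoot: true
+dnsPolicy: ClusterFirst
+restartPolicy: Never
+serviceAccountName: oauth-secret-generator
+terminationGracePeriodSeconds: 30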
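Review bot: The `oauth-secret-generator` Role grants `list`, `delete`, `update`, `patch` and `get` on every Secret in the namespace, but the script only needs to `create` one Secret or `get`/`patch` it when it already exists; as written, a compromised job pod (or anyone who can exec into it) can also read `quay-robot-account`, the Quay robot credentials fetched by the ExternalSecret, and delete any Secret in the namespace. `create` cannot be narrowed by `resourceNames`, so keep it in its own rule and scope the read/modify verbs to `image-proxy-client-secret`, dropping `list` and `delete`. The container `securityContext` also lacks `allowPrivilegeEscalation: false`, `capabilities: {drop: ["ALL"]}` and `seccompProfile: {type: RuntimeDefault}`, which the restricted pod-security profile expects even for a short-lived Job. The rewritten rules below replace only the `secrets` rule; the `deployments` rule is unchanged.

```yaml
rules:
# create cannot be scoped by resourceNames, so it gets its own rule
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - create
- apiGroups:
  - ""
  resources:
  - secrets
  resourceNames:
  - image-proxy-client-secret
  verbs:
  - get
  - update
  - patch
# … unchanged: apps/deployments get+patch rule …
```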
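--- a/components/image-rbac-proxy/staging/base/kustomization.yaml
+++ b/components/image-rbac-proxy/staging/base/kustomization.yaml
@@ -0,0 +1,11 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: image-rbac-proxy
+resources:
+- ../../base
+- https://github.com/konflux-ci/image-rbac-proxy/deploy/base?ref=5ff8c84750f5ec2b536d7c8e5ec1c38c16e794a5
+
+images:
+- name: quay.io/konflux-ci/image-rbac-proxy
+newName: quay.io/konflux-ci/image-rbac-proxy
+newTag: 5ff8c84750f5ec2b536d7c8e5ec1c38c16e794a5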
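Review bot: The image is pinned with `newTag:` to the commit SHA, and a registry tag is mutable, so the image actually deployed can change without any change to this file, whereas the remote kustomize base on the line above is pinned to an immutable git ref. The `images` transformer accepts `digest: sha256:...` next to `newTag`, which makes the reference immutable and lets the tag stay as a human-readable label; the digest of that build is not visible here, so it has to be looked up rather than guessed. `newName` is identical to `name` and can be removed.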
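--- a/components/image-rbac-proxy/staging/stone-stage-p01/configmap.yaml
+++ b/components/image-rbac-proxy/staging/stone-stage-p01/configmap.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+name: image-rbac-proxy
+namespace: image-rbac-proxy
+data:
+backend-namespace: redhat-user-workloads-stage
+cluster-url: https://api.stone-stage-p01.hpmt.p1.openshiftapps.com:6443
+proxy-url: https://image-rbac-proxy.apps.stone-stage-p01.hpmt.p1.openshiftapps.com
+dex-url: https://image-rbac-proxy.apps.stone-stage-p01.hpmt.p1.openshiftapps.com/idp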
@@ -0,0 +1,30 @@
issuer: https://image-rbac-proxy.apps.stone-stage-p01.hpmt.p1.openshiftapps.com/idp
storage:
type: kubernetes
config:
inCluster: true
web:
https: 0.0.0.0:9443
tlsCert: /etc/dex/tls/tls.crt
tlsKey: /etc/dex/tls/tls.key
oauth2:
skipApprovalScreen: true
staticClients:
- id: image-rbac-proxy
redirectURIs:
- https://image-rbac-proxy.apps.stone-stage-p01.hpmt.p1.openshiftapps.com/oauth/callback
name: 'image-rbac-proxy'
secretEnv: 'OAUTH2_CLIENT_SECRET'

telemetry:
http: 0.0.0.0:5558

connectors:
- type: openshift
id: openshift
name: OpenShift
config:
issuer: https://api.stone-stage-p01.hpmt.p1.openshiftapps.com:6443
clientID: system:serviceaccount:image-rbac-proxy:dex-client
clientSecret: $OPENSHIFT_OAUTH_CLIENT_SECRET
redirectURI: https://image-rbac-proxy.apps.stone-stage-p01.hpmt.p1.openshiftapps.com/idp/callback
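Review bot: `telemetry.http: 0.0.0.0:5558` opens an unauthenticated plaintext listener on every interface; that is harmless only while the `dex` Service and the `dex` Route do not forward it, and the route in base/route.yaml selects the Service with no `port`, so either confirm the Service publishes 9443 alone or bind telemetry to `127.0.0.1:5558`. `clientSecret: $OPENSHIFT_OAUTH_CLIENT_SECRET` relies on dex expanding environment variables in its config, and for the OpenShift connector with `clientID: system:serviceaccount:image-rbac-proxy:dex-client` the secret is expected to be a token for that ServiceAccount; nothing in this PR shows where that token is minted or mounted, so a comment above `connectors:` such as `# OPENSHIFT_OAUTH_CLIENT_SECRET must hold a long-lived token for the dex-client SA; see <where it is created>` would document the dependency. Note also that the `issuer` and `redirectURI` hosts are repeated in configmap.yaml, route-patch.yaml and sa-patch.yaml; if `redirectURI` and the SA's `oauth-redirecturi` annotation ever diverge, OpenShift rejects the login, so keep them side by side when editing.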
@@ -0,0 +1,25 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: image-rbac-proxy
resources:
- ../base
# Enable this to create/rotate oauth secret
# - ../../oauth

configMapGenerator:
- name: dex
files:
- dex-config.yaml

patches:
- path: configmap.yaml
- path: route-patch.yaml
target:
kind: Route
group: route.openshift.io
version: v1
- path: sa-patch.yaml
target:
kind: ServiceAccount
name: dex-client
version: v1
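Review bot: The comment `# Enable this to create/rotate oauth secret` understates what uncommenting `- ../../oauth` does: the Job carries `Force=true,Replace=true`, so every Argo CD sync while the line is active regenerates `image-proxy-client-secret` and restarts both the proxy and dex deployments, invalidating sessions each time. Suggest `# Temporarily enable to (re)generate image-proxy-client-secret; each sync while enabled rotates the secret and restarts the proxy and dex, so comment it out again afterwards`. The `configMapGenerator` for `dex` produces a hash-suffixed name, which is only rewired into the upstream Deployment because the remote base is part of this same build; a short comment noting that dependency would help anyone who later moves the generator.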
@@ -0,0 +1,4 @@
---
- op: add
path: /spec/host
value: image-rbac-proxy.apps.stone-stage-p01.hpmt.p1.openshiftapps.com
@@ -0,0 +1,4 @@
---
- op: add
path: /metadata/annotations/serviceaccounts.openshift.io~1oauth-redirecturi.konflux
value: https://image-rbac-proxy.apps.stone-stage-p01.hpmt.p1.openshiftapps.com/idp/callback
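Review bot: The JSON6902 `op: add` at `/metadata/annotations/serviceaccounts.openshift.io~1oauth-redirecturi.konflux` only succeeds if the `annotations` map already exists on the `dex-client` ServiceAccount; the SA is defined in the remote `deploy/base` that this PR does not show, and if it carries no annotations kustomize fails the build with a missing-path error rather than creating the map. A strategic-merge patch for the same ServiceAccount avoids the question and merges with whatever annotations upstream already sets, while the existing `patches` entry in kustomization.yaml keeps working since kustomize detects the patch type from its content.

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: dex-client
  annotations:
    serviceaccounts.openshift.io/oauth-redirecturi.konflux: https://image-rbac-proxy.apps.stone-stage-p01.hpmt.p1.openshiftapps.com/idp/callback
```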
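--- a/components/image-rbac-proxy/staging/stone-stg-rh01/configmap.yaml
+++ b/components/image-rbac-proxy/staging/stone-stg-rh01/configmap.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+name: image-rbac-proxy
+namespace: image-rbac-proxy
+data:
+backend-namespace: redhat-user-workloads-stage
+cluster-url: https://api.stone-stg-rh01.l2vh.p1.openshiftapps.com:6443
+proxy-url: https://image-rbac-proxy.apps.stone-stg-rh01.l2vh.p1.openshiftapps.com
+dex-url: https://image-rbac-proxy.apps.stone-stg-rh01.l2vh.p1.openshiftapps.com/idp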