diff --git a/go.mod b/go.mod
index 611d5e0677..5fbde421c5 100644
--- a/go.mod
+++ b/go.mod
@@ -85,4 +85,4 @@ require (
 )

 // Delete when https://github.com/observatorium/observatorium/pull/543 is merged to main branch
-replace github.com/observatorium/observatorium => github.com/thibaultmg/observatorium v0.0.0-20231220163412-1ab33d0d2970
+replace github.com/observatorium/observatorium => github.com/thibaultmg/observatorium v0.0.0-20240105161024-101d341092f9
diff --git a/go.sum b/go.sum
index 9d2467d885..89dc13431f 100644
--- a/go.sum
+++ b/go.sum
@@ -1259,8 +1259,8 @@ github.com/syndtr/gocapability v0.0.0-20170704070218-db04d3cc01c8/go.mod h1:hkRG
 github.com/syndtr/gocapability v0.0.0-20180916011248-d98352740cb2/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww=
 github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww=
 github.com/tchap/go-patricia v2.2.6+incompatible/go.mod h1:bmLyhP68RS6kStMGxByiQ23RP/odRBOTVjwp2cDyi6I=
-github.com/thibaultmg/observatorium v0.0.0-20231220163412-1ab33d0d2970 h1:s8EY8D5uaMn2WrxdLhM36XFDPveL39e6ufpO0X8RbXQ=
-github.com/thibaultmg/observatorium v0.0.0-20231220163412-1ab33d0d2970/go.mod h1:VFiHODMs9Mnd2DGCtYBr6qdKBZwj6gmwgxilTmnv4EE=
+github.com/thibaultmg/observatorium v0.0.0-20240105161024-101d341092f9 h1:A+TcmA/7KHIAvUce9049FRZK1jBdKDPYBCyq4j5ff18=
+github.com/thibaultmg/observatorium v0.0.0-20240105161024-101d341092f9/go.mod h1:VFiHODMs9Mnd2DGCtYBr6qdKBZwj6gmwgxilTmnv4EE=
 github.com/tidwall/pretty v1.0.0/go.mod h1:XNkn88O1ChpSDQmQeStsy+sBenx6DDtFZJxhVysOjyk=
 github.com/tinylib/msgp v1.0.2/go.mod h1:+d+yLhGm8mzTaHzB+wgMYrodPfmZrzkirds8fDWklFE=
 github.com/tinylib/msgp v1.1.0/go.mod h1:+d+yLhGm8mzTaHzB+wgMYrodPfmZrzkirds8fDWklFE=
diff --git a/resources/services/app-sre-stage-01/rhobs/observatorium-api-template.yaml b/resources/services/app-sre-stage-01/rhobs/observatorium-api-template.yaml
index 754259c421..2d0e701b0e 100755
--- a/resources/services/app-sre-stage-01/rhobs/observatorium-api-template.yaml +++ b/resources/services/app-sre-stage-01/rhobs/observatorium-api-template.yaml @@ -129,6 +129,22 @@ objects: app.kubernetes.io/instance: observatorium app.kubernetes.io/name: avalanche app.kubernetes.io/part-of: observatorium +- apiVersion: v1 + kind: Secret + metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: api + app.kubernetes.io/instance: observatorium + app.kubernetes.io/name: observatorium-api + app.kubernetes.io/part-of: observatorium + app.kubernetes.io/version: main-2023-12-06-62d7703 + name: observatorium-ams-oidc-client-secret + namespace: rhobs + stringData: + client-id: ${AMS_OIDC_CLIENT_ID} + client-secret: ${AMS_OIDC_CLIENT_SECRET} + issuer-url: ${AMS_OIDC_ISSUER_URL} - apiVersion: apps/v1 kind: Deployment metadata: @@ -459,17 +475,17 @@ objects: valueFrom: secretKeyRef: key: client-id - name: observatorium-api-oidc-client + name: observatorium-ams-oidc-client-secret - name: CLIENT_SECRET valueFrom: secretKeyRef: key: client-secret - name: observatorium-api-oidc-client + name: observatorium-ams-oidc-client-secret - name: ISSUER_URL valueFrom: secretKeyRef: key: issuer-url - name: observatorium-api-oidc-client + name: observatorium-ams-oidc-client-secret image: quay.io/observatorium/opa-ams:master-2022-11-03-222daab livenessProbe: failureThreshold: 10 @@ -511,9 +527,9 @@ objects: - configMap: name: observatorium-rbac name: rbac-config - - configMap: - name: observatorium-tenants - name: tenants + - name: tenants + secret: + secretName: observatorium-tenants - apiVersion: v1 kind: Service metadata: 
@@ -1502,46 +1518,57 @@ objects: name: observatorium-rbac namespace: rhobs - apiVersion: v1 - data: + kind: Secret + metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: api + app.kubernetes.io/instance: observatorium + app.kubernetes.io/name: observatorium-api + app.kubernetes.io/part-of: observatorium + app.kubernetes.io/version: main-2023-12-06-62d7703 + name: observatorium-tenants + namespace: rhobs + stringData: config.yaml: | tenants: - name: appsre id: 3833951d-bede-4a53-85e5-f73f4913973f oidc: - clientID: ${CLIENT_ID} - clientSecret: ${CLIENT_SECRET} + clientID: ${TENANT_OIDC_CLIENT_ID} + clientSecret: ${TENANT_OIDC_CLIENT_SECRET} issuerURL: https://sso.redhat.com/auth/realms/redhat-external redirectURL: https://observatorium-mst.api.stage.openshift.com/oidc/appsre/callback usernameClaim: preferred_username - name: cnvqe id: 9ca26972-4328-4fe3-92db-31302013d03f oidc: - clientID: ${CLIENT_ID} - clientSecret: ${CLIENT_SECRET} + clientID: ${TENANT_OIDC_CLIENT_ID} + clientSecret: ${TENANT_OIDC_CLIENT_SECRET} issuerURL: https://sso.redhat.com/auth/realms/redhat-external redirectURL: https://observatorium-mst.api.stage.openshift.com/oidc/cnvqe/callback usernameClaim: preferred_username - name: dptp id: AC879303-C60F-4D0D-A6D5-A485CFD638B8 oidc: - clientID: ${CLIENT_ID} - clientSecret: ${CLIENT_SECRET} + clientID: ${TENANT_OIDC_CLIENT_ID} + clientSecret: ${TENANT_OIDC_CLIENT_SECRET} issuerURL: https://sso.redhat.com/auth/realms/redhat-external redirectURL: https://observatorium-mst.api.stage.openshift.com/oidc/dptp/callback usernameClaim: preferred_username - name: odfms id: 99c885bc-2d64-4c4d-b55e-8bf30d98c657 oidc: - clientID: ${CLIENT_ID} - clientSecret: ${CLIENT_SECRET} + clientID: ${TENANT_OIDC_CLIENT_ID} + clientSecret: ${TENANT_OIDC_CLIENT_SECRET} issuerURL: https://sso.redhat.com/auth/realms/redhat-external redirectURL: https://observatorium-mst.api.stage.openshift.com/oidc/odfms/callback usernameClaim: preferred_username - name: 
osd id: 770c1124-6ae8-4324-a9d4-9ce08590094b oidc: - clientID: ${CLIENT_ID} - clientSecret: ${CLIENT_SECRET} + clientID: ${TENANT_OIDC_CLIENT_ID} + clientSecret: ${TENANT_OIDC_CLIENT_SECRET} issuerURL: https://sso.redhat.com/auth/realms/redhat-external redirectURL: https://observatorium-mst.api.stage.openshift.com/oidc/osd/callback usernameClaim: preferred_username @@ -1554,32 +1581,32 @@ objects: - name: psiocp id: 37b8fd3f-56ff-4b64-8272-917c9b0d1623 oidc: - clientID: ${CLIENT_ID} - clientSecret: ${CLIENT_SECRET} + clientID: ${TENANT_OIDC_CLIENT_ID} + clientSecret: ${TENANT_OIDC_CLIENT_SECRET} issuerURL: https://sso.redhat.com/auth/realms/redhat-external redirectURL: https://observatorium-mst.api.stage.openshift.com/oidc/psiocp/callback usernameClaim: preferred_username - name: reference-addon id: d17ea8ce-d4c6-42ef-b259-7d10c9227e93 oidc: - clientID: ${CLIENT_ID} - clientSecret: ${CLIENT_SECRET} + clientID: ${TENANT_OIDC_CLIENT_ID} + clientSecret: ${TENANT_OIDC_CLIENT_SECRET} issuerURL: https://sso.redhat.com/auth/realms/redhat-external redirectURL: https://observatorium-mst.api.stage.openshift.com/oidc/reference-addon/callback usernameClaim: preferred_username - name: rhacs id: 1b9b6e43-9128-4bbf-bfff-3c120bbe6f11 oidc: - clientID: ${CLIENT_ID} - clientSecret: ${CLIENT_SECRET} + clientID: ${TENANT_OIDC_CLIENT_ID} + clientSecret: ${TENANT_OIDC_CLIENT_SECRET} issuerURL: https://sso.redhat.com/auth/realms/redhat-external redirectURL: https://observatorium-mst.api.stage.openshift.com/oidc/rhacs/callback usernameClaim: preferred_username - name: rhel id: "" oidc: - clientID: ${CLIENT_ID} - clientSecret: ${CLIENT_SECRET} + clientID: ${TENANT_OIDC_CLIENT_ID} + clientSecret: ${TENANT_OIDC_CLIENT_SECRET} issuerURL: https://sso.redhat.com/auth/realms/redhat-external redirectURL: https://observatorium-mst.api.stage.openshift.com/oidc/rhel/callback usernameClaim: preferred_username 
@@ -1590,8 +1617,8 @@ objects: - name: rhobs id: 0fc2b00e-201b-4c17-b9f2-19d91adc4fd2 oidc: - clientID: ${CLIENT_ID} - clientSecret: ${CLIENT_SECRET} + clientID: ${TENANT_OIDC_CLIENT_ID} + clientSecret: ${TENANT_OIDC_CLIENT_SECRET} groupClaim: email issuerURL: https://sso.redhat.com/auth/realms/redhat-external redirectURL: https://observatorium-mst.api.stage.openshift.com/oidc/rhobs/callback @@ -1599,38 +1626,27 @@ objects: - name: rhods id: 8ace13a2-1c72-4559-b43d-ab43e32a255a oidc: - clientID: ${CLIENT_ID} - clientSecret: ${CLIENT_SECRET} + clientID: ${TENANT_OIDC_CLIENT_ID} + clientSecret: ${TENANT_OIDC_CLIENT_SECRET} issuerURL: https://sso.redhat.com/auth/realms/redhat-external redirectURL: https://observatorium-mst.api.stage.openshift.com/oidc/rhods/callback usernameClaim: preferred_username - name: rhtap id: 0031e8d6-e50a-47ea-aecb-c7e0bd84b3f1 oidc: - clientID: ${CLIENT_ID} - clientSecret: ${CLIENT_SECRET} + clientID: ${TENANT_OIDC_CLIENT_ID} + clientSecret: ${TENANT_OIDC_CLIENT_SECRET} issuerURL: https://sso.redhat.com/auth/realms/redhat-external redirectURL: https://observatorium-mst.api.stage.openshift.com/oidc/rhtap/callback usernameClaim: preferred_username - name: telemeter id: "" oidc: - clientID: ${CLIENT_ID} - clientSecret: ${CLIENT_SECRET} + clientID: ${TENANT_OIDC_CLIENT_ID} + clientSecret: ${TENANT_OIDC_CLIENT_SECRET} issuerURL: https://sso.redhat.com/auth/realms/redhat-external redirectURL: https://observatorium-mst.api.stage.openshift.com/oidc/telemeter/callback usernameClaim: preferred_username - kind: ConfigMap - metadata: - creationTimestamp: null - labels: - app.kubernetes.io/component: api - app.kubernetes.io/instance: observatorium - app.kubernetes.io/name: observatorium-api - app.kubernetes.io/part-of: observatorium - app.kubernetes.io/version: main-2023-12-06-62d7703 - name: observatorium-tenants - namespace: rhobs - apiVersion: v1 data: queries.yaml: | 
@@ -2141,6 +2157,9 @@ objects: app.kubernetes.io/name: memcached app.kubernetes.io/part-of: observatorium parameters: +- name: AMS_OIDC_CLIENT_ID +- name: AMS_OIDC_CLIENT_SECRET +- name: AMS_OIDC_ISSUER_URL - name: CACHE_CPU_REQUEST value: 500m - name: CACHE_MEMORY_LIMIT @@ -2159,3 +2178,5 @@ parameters: value: 1Gi - name: OBSAPI_REPLICAS value: "1" +- name: TENANT_OIDC_CLIENT_ID +- name: TENANT_OIDC_CLIENT_SECRET diff --git a/resources/services/app-sre-stage-01/rhobs/observatorium-metrics-alertmanager-template.yaml b/resources/services/app-sre-stage-01/rhobs/observatorium-metrics-alertmanager-template.yaml index 60f7ed3c5d..203206d6f3 100755 --- a/resources/services/app-sre-stage-01/rhobs/observatorium-metrics-alertmanager-template.yaml +++ b/resources/services/app-sre-stage-01/rhobs/observatorium-metrics-alertmanager-template.yaml @@ -147,7 +147,7 @@ objects: app.kubernetes.io/instance: observatorium app.kubernetes.io/name: alertmanager app.kubernetes.io/part-of: observatorium - serviceName: observatorium-alertmanager + serviceName: observatorium-alertmanager-cluster template: metadata: creationTimestamp: null diff --git a/resources/services/app-sre-stage-01/rhobs/observatorium-metrics-query-frontend-template.yaml b/resources/services/app-sre-stage-01/rhobs/observatorium-metrics-query-frontend-template.yaml index 986e5689c9..35f73ec413 100755 --- a/resources/services/app-sre-stage-01/rhobs/observatorium-metrics-query-frontend-template.yaml +++ b/resources/services/app-sre-stage-01/rhobs/observatorium-metrics-query-frontend-template.yaml @@ -211,9 +211,9 @@ objects: spec: ports: - name: http - port: 9090 + port: 10902 protocol: TCP - targetPort: 9090 + targetPort: 10902 - name: https port: 8443 protocol: TCP 
@@ -362,19 +362,19 @@ objects: failureThreshold: 8 httpGet: path: /-/healthy - port: 9090 + port: 10902 periodSeconds: 30 timeoutSeconds: 1 name: thanos ports: - - containerPort: 9090 + - containerPort: 10902 name: http protocol: TCP readinessProbe: failureThreshold: 20 httpGet: path: /-/ready - port: 9090 + port: 10902 periodSeconds: 5 resources: limits: diff --git a/resources/services/telemeter-prod-01/rhobs/observatorium-api-template.yaml b/resources/services/telemeter-prod-01/rhobs/observatorium-api-template.yaml index 089694f367..45a48bfaf4 100755 --- a/resources/services/telemeter-prod-01/rhobs/observatorium-api-template.yaml +++ b/resources/services/telemeter-prod-01/rhobs/observatorium-api-template.yaml @@ -124,6 +124,21 @@ objects: app.kubernetes.io/instance: observatorium app.kubernetes.io/name: avalanche app.kubernetes.io/part-of: observatorium +- apiVersion: v1 + kind: Secret + metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: api + app.kubernetes.io/instance: observatorium + app.kubernetes.io/name: observatorium-api + app.kubernetes.io/part-of: observatorium + app.kubernetes.io/version: main-2023-12-06-62d7703 + name: observatorium-ams-oidc-client-secret + stringData: + client-id: ${AMS_OIDC_CLIENT_ID} + client-secret: ${AMS_OIDC_CLIENT_SECRET} + issuer-url: ${AMS_OIDC_ISSUER_URL} - apiVersion: apps/v1 kind: Deployment metadata: @@ -443,14 +458,17 @@ objects: valueFrom: secretKeyRef: key: client-id + name: observatorium-ams-oidc-client-secret - name: CLIENT_SECRET valueFrom: secretKeyRef: key: client-secret + name: observatorium-ams-oidc-client-secret - name: ISSUER_URL valueFrom: secretKeyRef: key: issuer-url + name: observatorium-ams-oidc-client-secret image: quay.io/observatorium/opa-ams:master-2022-11-03-222daab livenessProbe: failureThreshold: 10 
@@ -489,9 +507,9 @@ objects: serviceAccountName: observatorium-api terminationGracePeriodSeconds: 120 volumes: - - configMap: - name: observatorium-tenants - name: tenants + - name: tenants + secret: + secretName: observatorium-tenants - apiVersion: v1 kind: Service metadata: @@ -970,10 +988,7 @@ objects: app.kubernetes.io/name: rules-obsctl-reloader app.kubernetes.io/part-of: observatorium - apiVersion: v1 - data: - config.yaml: | - tenants: [] - kind: ConfigMap + kind: Secret metadata: creationTimestamp: null labels: @@ -983,6 +998,9 @@ objects: app.kubernetes.io/part-of: observatorium app.kubernetes.io/version: main-2023-12-06-62d7703 name: observatorium-tenants + stringData: + config.yaml: | + tenants: [] - apiVersion: v1 data: queries.yaml: | @@ -1472,6 +1490,9 @@ objects: app.kubernetes.io/name: memcached app.kubernetes.io/part-of: observatorium parameters: +- name: AMS_OIDC_CLIENT_ID +- name: AMS_OIDC_CLIENT_SECRET +- name: AMS_OIDC_ISSUER_URL - name: CACHE_CPU_REQUEST value: 500m - name: CACHE_MEMORY_LIMIT diff --git a/resources/services/telemeter-prod-01/rhobs/observatorium-metrics-alertmanager-template.yaml b/resources/services/telemeter-prod-01/rhobs/observatorium-metrics-alertmanager-template.yaml index 60f7ed3c5d..203206d6f3 100755 --- a/resources/services/telemeter-prod-01/rhobs/observatorium-metrics-alertmanager-template.yaml +++ b/resources/services/telemeter-prod-01/rhobs/observatorium-metrics-alertmanager-template.yaml @@ -147,7 +147,7 @@ objects: app.kubernetes.io/instance: observatorium app.kubernetes.io/name: alertmanager app.kubernetes.io/part-of: observatorium - serviceName: observatorium-alertmanager + serviceName: observatorium-alertmanager-cluster template: metadata: creationTimestamp: null diff --git a/resources/services/telemeter-prod-01/rhobs/observatorium-metrics-query-frontend-template.yaml b/resources/services/telemeter-prod-01/rhobs/observatorium-metrics-query-frontend-template.yaml index 1aa7758675..d7297a6dc5 100755 
--- a/resources/services/telemeter-prod-01/rhobs/observatorium-metrics-query-frontend-template.yaml +++ b/resources/services/telemeter-prod-01/rhobs/observatorium-metrics-query-frontend-template.yaml @@ -211,9 +211,9 @@ objects: spec: ports: - name: http - port: 9090 + port: 10902 protocol: TCP - targetPort: 9090 + targetPort: 10902 - name: https port: 8443 protocol: TCP @@ -362,19 +362,19 @@ objects: failureThreshold: 8 httpGet: path: /-/healthy - port: 9090 + port: 10902 periodSeconds: 30 timeoutSeconds: 1 name: thanos ports: - - containerPort: 9090 + - containerPort: 10902 name: http protocol: TCP readinessProbe: failureThreshold: 20 httpGet: path: /-/ready - port: 9090 + port: 10902 periodSeconds: 5 resources: limits: diff --git a/services_go/instances/rhobs/rhobs.go b/services_go/instances/rhobs/rhobs.go index 6870b5842d..750fdb7f84 100644 --- a/services_go/instances/rhobs/rhobs.go +++ b/services_go/instances/rhobs/rhobs.go @@ -12,6 +12,7 @@ import ( "github.com/observatorium/observatorium/configuration_go/abstr/kubernetes/thanos/ruler" "github.com/observatorium/observatorium/configuration_go/abstr/kubernetes/thanos/store" "github.com/observatorium/observatorium/configuration_go/k8sutil" + templatev1 "github.com/openshift/api/template/v1" "github.com/prometheus/common/model" cfgobservatorium "github.com/rhobs/configuration/configuration/observatorium" "github.com/rhobs/configuration/services_go/observatorium" 
@@ -172,11 +173,14 @@ func stageConfig() observatorium.Observatorium {
 Namespace: "rhobs",
 RBAC: rbacConfig,
 AmsUrl: "https://api.stage.openshift.com",
-AmsClientSecretName: "observatorium-api-oidc-client",
 UpQueriesTenant: tenantsMapping[DefaultInstanceName][rhobsTenantName],
 ObsCtlReloaderManagedTenants: []string{string(rhobsTenantName), string(osdTenantName), string(appsreTenantName), string(rhtapTenantName)},
 Tenants: makeObsTenants(tenants),
 RuleObjStoreSecret: "rhobs-rules-objstore-stage-s3",
+ TemplateParams: []templatev1.Parameter{
+ {Name: "TENANT_OIDC_CLIENT_ID"},
+ {Name: "TENANT_OIDC_CLIENT_SECRET"},
+ },
 },
 MetricsInstances: observatorium.ObservatoriumMetrics{
 Namespace: "rhobs",
@@ -358,8 +362,8 @@ func buildMetricTenants(tenants map[tenantName]TenantConfig, instance InstanceNa

 func makeIODC(tenant tenantName, env string) *observatoriumapi.TenantOIDC {
 return &observatoriumapi.TenantOIDC{
-ClientID: "${CLIENT_ID}",
-ClientSecret: "${CLIENT_SECRET}",
+ClientID: "${TENANT_OIDC_CLIENT_ID}",
+ClientSecret: "${TENANT_OIDC_CLIENT_SECRET}",
 IssuerURL: "https://sso.redhat.com/auth/realms/redhat-external",
 RedirectURL: fmt.Sprintf("https://observatorium-mst.api.%s.openshift.com/oidc/%s/callback", env, tenant),
 UsernameClaim: "preferred_username",
diff --git a/services_go/observatorium/api.go b/services_go/observatorium/api.go
index 221ad6d0e3..dbeddb0b63 100644
--- a/services_go/observatorium/api.go
+++ b/services_go/observatorium/api.go
@@ -52,7 +52,6 @@ type ObservatoriumAPI struct {
 GubernatorPremanifestsHook func(*observatoriumapi.GubernatorDeployment)
 RBAC string
 AmsUrl string
-AmsClientSecretName string
 UpQueryFrontendOpts func(*observatoriumup.UpOptions)
 UpQueryFrontendDeploy func(*observatoriumup.UpDeployment)
 UpQueriesTenant string
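Review bot: The two parameters added to `TemplateParams` in stageConfig carry no `Required: true`, so processing the template without `TENANT_OIDC_CLIENT_SECRET` substitutes an empty string and the tenants Secret renders with empty OIDC credentials instead of failing; the makeIODC hunk below now references exactly these names, so one unset parameter propagates to every tenant's `clientSecret`. Suggest `{Name: "TENANT_OIDC_CLIENT_ID", Required: true},` and `{Name: "TENANT_OIDC_CLIENT_SECRET", Required: true},`. The same applies to the three `AMS_OIDC_*` parameters appended in makeAPI in the api.go hunk two physical lines below. stageConfig's body starts and ends outside this hunk.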
@@ -60,6 +59,7 @@ type ObservatoriumAPI struct {
 AvalancheDeploy func(*avalanche.AvalancheDeployment)
 ObsCtlReloaderManagedTenants []string
 RuleObjStoreSecret string
+ TemplateParams []templatev1.Parameter
 }

 func (o *ObservatoriumAPI) Manifests(generator *mimic.Generator) {
@@ -71,9 +71,12 @@ func (o *ObservatoriumAPI) Manifests(generator *mimic.Generator) {
 }

 func (o *ObservatoriumAPI) makeAPI() encoding.Encoder {
+ templateParams := []templatev1.Parameter{} // collects template params generated by subcomponents
+ templateParams = append(templateParams, o.TemplateParams...)
+
 // Observatorium api config
 gubernatorName := "observatorium-gubernator"
-tenantsConfig := observatoriumapi.Tenants{Tenants: o.Tenants}
+tenantsConfig := &observatoriumapi.Tenants{Tenants: o.Tenants}
 opts := &observatoriumapi.ObservatoriumAPIOptions{
 InternalTracingEndpoint: "localhost:6831",
 LogLevel: log.LogLevelWarn,
@@ -82,11 +85,11 @@ func (o *ObservatoriumAPI) makeAPI() encoding.Encoder {
 MetricsWriteEndpoint: fmt.Sprintf("http://%s.%s.svc.cluster.local:19291", receiveRouterName, o.Namespace),
 MetricsRulesEndpoint: fmt.Sprintf("http://%s.%s.svc.cluster.local:8080", rulesObjstoreName, o.Namespace),
 MetricsAlertmanagerEndpoint: fmt.Sprintf("http://%s.%s.svc.cluster.local:9093", alertManagerName, o.Namespace),
-TenantsConfig: observatoriumapi.NewTenantsConfig().WithValue(tenantsConfig),
+TenantsConfig: observatoriumapi.NewTenantsConfig(tenantsConfig).AsSecret(),
 }

 if o.RBAC != "" {
-opts.RbacConfig = observatoriumapi.NewRbacConfig().WithValue(o.RBAC)
+opts.RbacConfig = observatoriumapi.NewRbacConfig(&o.RBAC)
 }

 // K8s config
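Review bot: `templateParams := []templatev1.Parameter{}` followed immediately by `templateParams = append(templateParams, o.TemplateParams...)` at the top of makeAPI is two statements for one copy; `templateParams := append([]templatev1.Parameter{}, o.TemplateParams...) // own copy; subcomponents append to it` expresses the same in one line, keeps the slice non-nil, and makes explicit that the caller's slice is never mutated by the later appends. The trailing comment on the current first line describes the later appends rather than this statement, so moving it onto the copy line reads better. makeAPI continues past the end of this hunk.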
@@ -96,9 +99,23 @@ func (o *ObservatoriumAPI) makeAPI() encoding.Encoder {
 delete(obsapi.PodResources.Limits, corev1.ResourceCPU)
 opaAmsCache := "observatorium-api-cache-memcached"
 cacheURL := fmt.Sprintf("%s.%s.svc.cluster.local:11211", opaAmsCache, o.Namespace)
+
+ amsOidcClientSecretName := "observatorium-ams-oidc-client-secret"
+ amsSideCar := o.makeOpaAms(o.AmsUrl, cacheURL, amsOidcClientSecretName)
+ amsSideCar.Secrets = map[string]map[string][]byte{
+ amsOidcClientSecretName: {
+ "client-id": []byte("${AMS_OIDC_CLIENT_ID}"),
+ "client-secret": []byte("${AMS_OIDC_CLIENT_SECRET}"),
+ "issuer-url": []byte("${AMS_OIDC_ISSUER_URL}"),
+ },
+ }
+ templateParams = append(templateParams, templatev1.Parameter{Name: "AMS_OIDC_CLIENT_ID"})
+ templateParams = append(templateParams, templatev1.Parameter{Name: "AMS_OIDC_CLIENT_SECRET"})
+ templateParams = append(templateParams, templatev1.Parameter{Name: "AMS_OIDC_ISSUER_URL"})
+
 obsapi.Sidecars = []k8sutil.ContainerProvider{
 makeJaegerAgent("observatorium-tools"),
-o.makeOpaAms(o.AmsUrl, cacheURL, o.AmsClientSecretName),
+amsSideCar,
 }

 // Execute preManifestsHook
@@ -137,14 +154,13 @@ func (o *ObservatoriumAPI) makeAPI() encoding.Encoder {
 maps.Copy(manifests, o.makeAvalanche())

 // Set encoders and template params
-params := []templatev1.Parameter{}
 cacheEncoder := NewStdTemplateYAML(opaAmsCache, "CACHE")
-params = append(params, cacheEncoder.TemplateParams()...)
+templateParams = append(templateParams, cacheEncoder.TemplateParams()...)
 apiEncoder := NewStdTemplateYAML(obsapi.Name, "OBSAPI").WithLogLevel()
-params = append(params, apiEncoder.TemplateParams()...)
+templateParams = append(templateParams, apiEncoder.TemplateParams()...)
 template := openshift.WrapInTemplate("", manifests, metav1.ObjectMeta{
 Name: obsapi.Name,
-}, sortTemplateParams(params))
+}, sortTemplateParams(templateParams))
 return cacheEncoder.Wrap(apiEncoder.Wrap(encoding.GhodssYAML(template[""])))
 }

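Review bot: The secret keys `"client-id"`, `"client-secret"` and `"issuer-url"` in the new `amsSideCar.Secrets` literal must match the `secretKeyRef` keys that `makeOpaAms` (outside this hunk) wires into the sidecar's env — the regenerated templates in this commit show exactly those three keys under `name: observatorium-ams-oidc-client-secret` — but nothing in the code ties the two sides together, so a rename on either side only surfaces at deploy time as a failed OIDC login rather than at build time. Suggest hoisting them into package-level constants used by both the Secrets literal and makeOpaAms, e.g. `const amsSecretKeyClientID = "client-id"`, and likewise `amsSecretKeyClientSecret` and `amsSecretKeyIssuerURL`. The three `templateParams = append(...)` lines could also be one append with a slice literal for readability. makeAPI's body starts before this hunk and continues into the second hunk on this line.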
@@ -217,7 +233,7 @@ func (o *ObservatoriumAPI) makeUp(name, endpoint string) k8sutil.ObjectMap {
 opts.EndpointRead = fmt.Sprintf("http://observatorium-thanos-query-frontend.%s.svc.cluster.local:9090", o.Namespace)
 zeroDur := model.Duration(0)
 opts.Duration = &zeroDur
-opts.QueriesFile = observatoriumup.NewQueriesFileOption().WithValue(observatoriumup.QueriesFile{
+opts.QueriesFile = observatoriumup.NewQueriesFileOption(&observatoriumup.QueriesFile{
 Queries: []upoptions.QuerySpec{
 {
 Name: "query-path-sli-1M-samples",
diff --git a/services_go/observatorium/metrics.go b/services_go/observatorium/metrics.go
index f2d819eab5..fae64dcf32 100644
--- a/services_go/observatorium/metrics.go
+++ b/services_go/observatorium/metrics.go
@@ -130,7 +130,7 @@ func (o *ObservatoriumMetrics) Manifests(generator *mimic.Generator) {
 func (o *ObservatoriumMetrics) makeAlertManager() encoding.Encoder {
 // Alertmanager config
 opts := alertmanager.NewDefaultOptions()
-opts.ConfigFile = alertmanager.NewConfigFile().WithExistingResource("alertmanager-config", "alertmanager.yaml").AsSecret()
+opts.ConfigFile = alertmanager.NewConfigFile(nil).WithExistingResource("alertmanager-config", "alertmanager.yaml").AsSecret()
 opts.ClusterReconnectTimeout = model.Duration(5 * time.Minute)
 executeIfNotNil(o.AlertManagerOpts, opts)
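Review bot: The unchanged context line `opts.EndpointRead = fmt.Sprintf("http://observatorium-thanos-query-frontend.%s.svc.cluster.local:9090", o.Namespace)` in makeUp still targets port 9090, while the regenerated query-frontend templates in this same commit move the Service's `http` port and the container's `containerPort` from 9090 to 10902; if that Service no longer exposes 9090 (I cannot see the rest of it here), the `up` read probe will fail to connect after this deploys and the SLI queries it drives will silently stop reporting. Suggest aligning the endpoint with the new port, `...svc.cluster.local:10902`, or better deriving it from the same constant the query-frontend definition uses so the two cannot drift again. makeUp's body starts before and ends after this hunk.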