Merge branch 'feature/MK8S-140-Salt-deploy-oidc-proxy-resources' into q/133.0

Author: bert-e

buildchain/buildchain/salt_tree.py

@@ -407,6 +407,11 @@ def _download_ui_operator_crds() -> str:
     Path("salt/metalk8s/addons/prometheus-operator/deployed/service-configuration.sls"),
     Path("salt/metalk8s/addons/prometheus-operator/deployed/thanos-chart.sls"),
     Path("salt/metalk8s/addons/prometheus-operator/deployed/thanos-query-sd-files.sls"),
+    Path("salt/metalk8s/addons/prometheus-operator/deployed/oidc-proxy-rbac.sls"),
+    Path("salt/metalk8s/addons/prometheus-operator/deployed/oidc-proxy-prometheus.sls"),
+    Path(
+        "salt/metalk8s/addons/prometheus-operator/deployed/oidc-proxy-alertmanager.sls"
+    ),
     Path("salt/metalk8s/addons/ui/deployed/dependencies.sls"),
     Path("salt/metalk8s/addons/ui/deployed/ingress.sls"),
     Path("salt/metalk8s/addons/ui/deployed/init.sls"),

salt/metalk8s/addons/prometheus-operator/config/alertmanager.yaml

@@ -20,6 +20,9 @@ spec:
       audience: "" # Expected audience claim in the token
       groupsClaim: "" # JWT claim name that carries user groups/roles
       authorizedGroups: [] # Groups/roles allowed to access Alertmanager
+      caSecret:
+        namespace: "" # Namespace of the secret containing the CA certificate (must be labeled with metalk8s.scality.com/oidc-ca: "true")
+        name: "" # Name of the secret containing the CA certificate
   notification:
     config:
       global:

salt/metalk8s/addons/prometheus-operator/config/prometheus.yaml

@@ -17,6 +17,9 @@ spec:
       audience: "" # Expected audience claim in the token
       groupsClaim: "" # JWT claim name that carries user groups/roles
       authorizedGroups: [] # Groups/roles allowed to access Prometheus
+      caSecret:
+        namespace: "" # Namespace of the secret containing the CA certificate (must be labeled with metalk8s.scality.com/oidc-ca: "true")
+        name: "" # Name of the secret containing the CA certificate
     serviceMonitor:
       kubelet:
         scrapeTimeout: 10s

salt/metalk8s/addons/prometheus-operator/deployed/init.sls

@@ -10,3 +10,6 @@ include:
   - .kube-alerts-rules
   - .thanos-query-sd-files
   - .thanos-chart
+  - .oidc-proxy-rbac
+  - .oidc-proxy-prometheus
+  - .oidc-proxy-alertmanager

salt/metalk8s/addons/prometheus-operator/deployed/oidc-proxy-alertmanager.sls

@@ -0,0 +1,151 @@
+{%- from "metalk8s/repo/macro.sls" import build_image_name with context %}
+{%- from "metalk8s/map.jinja" import coredns with context %}
+
+{%- set alertmanager_defaults = salt.slsutil.renderer(
+        'salt://metalk8s/addons/prometheus-operator/config/alertmanager.yaml',
+        saltenv=saltenv
+    )
+%}
+
+{%- set alertmanager = salt.metalk8s_service_configuration.get_service_conf(
+        'metalk8s-monitoring', 'metalk8s-alertmanager-config', alertmanager_defaults
+    )
+%}
+
+{%- set alertmanager_oidc_enabled = alertmanager.spec.get('config', {}).get('enable_oidc_authentication', False) %}
+{%- set alertmanager_oidc = alertmanager.spec.get('config', {}).get('oidc', {}) %}
+
+{%- set alertmanager_oidc_ca = alertmanager_oidc.get('caSecret', {}) %}
+{%- set ca_namespace = alertmanager_oidc_ca.get('namespace', 'metalk8s-ingress') %}
+{%- set ca_name = alertmanager_oidc_ca.get('name', 'ingress-control-plane-default-certificate') %}
+
+{%- set ca_file = 'namespace_' ~ ca_namespace ~ '.secret_' ~ ca_name ~ '.tls.crt' %}
+
+{%- if alertmanager_oidc_enabled %}
+
+Create oauth2-proxy-alertmanager Deployment:
+  metalk8s_kubernetes.object_present:
+    - manifest:
+        apiVersion: apps/v1
+        kind: Deployment
+        metadata:
+          name: oauth2-proxy-alertmanager
+          namespace: metalk8s-monitoring
+          labels:
+            app: oauth2-proxy-alertmanager
+        spec:
+          replicas: 1
+          selector:
+            matchLabels:
+              app: oauth2-proxy-alertmanager
+          template:
+            metadata:
+              labels:
+                app: oauth2-proxy-alertmanager
+            spec:
+              serviceAccountName: oidc-proxy-alertmanager
+              initContainers:
+              - name: k8s-sidecar
+                image: {{ build_image_name("k8s-sidecar") }}
+                imagePullPolicy: IfNotPresent
+                restartPolicy: Always
+                env:
+                - name: LABEL
+                  value: metalk8s.scality.com/oidc-ca
+                - name: FOLDER
+                  value: /tmp/secrets
+                - name: NAMESPACE
+                  value: {{ ca_namespace }}
+                - name: RESOURCE
+                  value: secret
+                - name: UNIQUE_FILENAMES
+                  value: "true"
+                volumeMounts:
+                - name: secrets-volume
+                  mountPath: /tmp/secrets
+              containers:
+              - name: oauth2-proxy
+                image: {{ build_image_name("oauth2-proxy") }}
+                args:
+                - --provider=oidc
+                - --oidc-issuer-url={{ alertmanager_oidc.get('issuer', '') }}
+                - --client-id={{ alertmanager_oidc.get('audience', '') }}
+                # cookie-secret is required by oauth2-proxy but never used since all
+                # authentication goes through JWT bearer tokens (--skip-jwt-bearer-tokens=true).
+                # Any valid base64-encoded 32-byte value works here.
+                - --cookie-secret=MDEyMzQ1Njc4OWFiY2RlZmdoaWprbG1ub3BxcnN0dXY=
+                - --client-secret=unused-but-required
+                - --skip-jwt-bearer-tokens=true
+                - --email-domain=*
+                - --upstream=http://prometheus-operator-alertmanager.metalk8s-monitoring.svc:9093
+                - --oidc-groups-claim={{ alertmanager_oidc.get('groupsClaim', 'roles') }}
+                {%- for group in alertmanager_oidc.get('authorizedGroups', []) %}
+                - --allowed-group={{ group }}
+                {%- endfor %}
+                - --provider-ca-file=/tmp/secrets/{{ ca_file }}
+                - --http-address=0.0.0.0:9093
+                ports:
+                - containerPort: 9093
+                volumeMounts:
+                - name: secrets-volume
+                  mountPath: /tmp/secrets
+                  readOnly: true
+              volumes:
+              - name: secrets-volume
+                emptyDir: {}
+
+Create oauth2-proxy-alertmanager Service:
+  metalk8s_kubernetes.object_present:
+    - manifest:
+        apiVersion: v1
+        kind: Service
+        metadata:
+          name: oauth2-proxy-alertmanager
+          namespace: metalk8s-monitoring
+          labels:
+            app: oauth2-proxy-alertmanager
+        spec:
+          selector:
+            app: oauth2-proxy-alertmanager
+          ports:
+          - port: 9093
+
+{%- else %}
+
+Ensure oauth2-proxy-alertmanager Deployment does not exist:
+  metalk8s_kubernetes.object_absent:
+    - name: oauth2-proxy-alertmanager
+    - namespace: metalk8s-monitoring
+    - kind: Deployment
+    - apiVersion: apps/v1
+
+Ensure oauth2-proxy-alertmanager Service does not exist:
+  metalk8s_kubernetes.object_absent:
+    - name: oauth2-proxy-alertmanager
+    - namespace: metalk8s-monitoring
+    - kind: Service
+    - apiVersion: v1
+
+{%- endif %}
+
+Create alertmanager-proxy Service:
+  metalk8s_kubernetes.object_present:
+    - manifest:
+        apiVersion: v1
+        kind: Service
+        metadata:
+          name: alertmanager-proxy
+          namespace: metalk8s-monitoring
+          labels:
+            app.kubernetes.io/managed-by: salt
+            app.kubernetes.io/part-of: metalk8s
+            heritage: metalk8s
+        spec:
+          type: ExternalName
+          {%- if alertmanager_oidc_enabled %}
+          externalName: oauth2-proxy-alertmanager.metalk8s-monitoring.svc.{{ coredns.cluster_domain }}
+          {%- else %}
+          externalName: prometheus-operator-alertmanager.metalk8s-monitoring.svc.{{ coredns.cluster_domain }}
+          {%- endif %}
+          ports:
+          - port: 9093

salt/metalk8s/addons/prometheus-operator/deployed/oidc-proxy-prometheus.sls

@@ -0,0 +1,150 @@
+{%- from "metalk8s/repo/macro.sls" import build_image_name with context %}
+{%- from "metalk8s/map.jinja" import coredns with context %}
+
+{%- set prometheus_defaults = salt.slsutil.renderer(
+        'salt://metalk8s/addons/prometheus-operator/config/prometheus.yaml',
+        saltenv=saltenv
+    )
+%}
+
+{%- set prometheus = salt.metalk8s_service_configuration.get_service_conf(
+        'metalk8s-monitoring', 'metalk8s-prometheus-config', prometheus_defaults
+    )
+%}
+
+{%- set prometheus_oidc_enabled = prometheus.spec.get('config', {}).get('enable_oidc_authentication', False) %}
+{%- set prometheus_oidc = prometheus.spec.get('config', {}).get('oidc', {}) %}
+
+{%- set prometheus_oidc_ca = prometheus_oidc.get('caSecret', {}) %}
+{%- set ca_namespace = prometheus_oidc_ca.get('namespace', 'metalk8s-ingress') %}
+{%- set ca_name = prometheus_oidc_ca.get('name', 'ingress-control-plane-default-certificate') %}
+{%- set ca_file = 'namespace_' ~ ca_namespace ~ '.secret_' ~ ca_name ~ '.tls.crt' %}
+
+{%- if prometheus_oidc_enabled %}
+
+Create oauth2-proxy-prometheus Deployment:
+  metalk8s_kubernetes.object_present:
+    - manifest:
+        apiVersion: apps/v1
+        kind: Deployment
+        metadata:
+          name: oauth2-proxy-prometheus
+          namespace: metalk8s-monitoring
+          labels:
+            app: oauth2-proxy-prometheus
+        spec:
+          replicas: 1
+          selector:
+            matchLabels:
+              app: oauth2-proxy-prometheus
+          template:
+            metadata:
+              labels:
+                app: oauth2-proxy-prometheus
+            spec:
+              serviceAccountName: oidc-proxy-prometheus
+              initContainers:
+              - name: k8s-sidecar
+                image: {{ build_image_name("k8s-sidecar") }}
+                imagePullPolicy: IfNotPresent
+                restartPolicy: Always
+                env:
+                - name: LABEL
+                  value: metalk8s.scality.com/oidc-ca
+                - name: FOLDER
+                  value: /tmp/secrets
+                - name: NAMESPACE
+                  value: {{ ca_namespace }}
+                - name: RESOURCE
+                  value: secret
+                - name: UNIQUE_FILENAMES
+                  value: "true"
+                volumeMounts:
+                - name: secrets-volume
+                  mountPath: /tmp/secrets
+              containers:
+              - name: oauth2-proxy
+                image: {{ build_image_name("oauth2-proxy") }}
+                args:
+                - --provider=oidc
+                - --oidc-issuer-url={{ prometheus_oidc.get('issuer', '') }}
+                - --client-id={{ prometheus_oidc.get('audience', '') }}
+                # cookie-secret is required by oauth2-proxy but never used since all
+                # authentication goes through JWT bearer tokens (--skip-jwt-bearer-tokens=true).
+                # Any valid base64-encoded 32-byte value works here.
+                - --cookie-secret=MDEyMzQ1Njc4OWFiY2RlZmdoaWprbG1ub3BxcnN0dXY=
+                - --client-secret=unused-but-required
+                - --skip-jwt-bearer-tokens=true
+                - --email-domain=*
+                - --upstream=http://thanos-query-http.metalk8s-monitoring.svc:10902
+                - --oidc-groups-claim={{ prometheus_oidc.get('groupsClaim', 'roles') }}
+                {%- for group in prometheus_oidc.get('authorizedGroups', []) %}
+                - --allowed-group={{ group }}
+                {%- endfor %}
+                - --provider-ca-file=/tmp/secrets/{{ ca_file }}
+                - --http-address=0.0.0.0:10902
+                ports:
+                - containerPort: 10902
+                volumeMounts:
+                - name: secrets-volume
+                  mountPath: /tmp/secrets
+                  readOnly: true
+              volumes:
+              - name: secrets-volume
+                emptyDir: {}
+
+Create oauth2-proxy-prometheus Service:
+  metalk8s_kubernetes.object_present:
+    - manifest:
+        apiVersion: v1
+        kind: Service
+        metadata:
+          name: oauth2-proxy-prometheus
+          namespace: metalk8s-monitoring
+          labels:
+            app: oauth2-proxy-prometheus
+        spec:
+          selector:
+            app: oauth2-proxy-prometheus
+          ports:
+          - port: 10902
+
+{%- else %}
+
+Ensure oauth2-proxy-prometheus Deployment does not exist:
+  metalk8s_kubernetes.object_absent:
+    - name: oauth2-proxy-prometheus
+    - namespace: metalk8s-monitoring
+    - kind: Deployment
+    - apiVersion: apps/v1
+
+Ensure oauth2-proxy-prometheus Service does not exist:
+  metalk8s_kubernetes.object_absent:
+    - name: oauth2-proxy-prometheus
+    - namespace: metalk8s-monitoring
+    - kind: Service
+    - apiVersion: v1
+
+{%- endif %}
+
+Create prometheus-proxy Service:
+  metalk8s_kubernetes.object_present:
+    - manifest:
+        apiVersion: v1
+        kind: Service
+        metadata:
+          name: prometheus-proxy
+          namespace: metalk8s-monitoring
+          labels:
+            app.kubernetes.io/managed-by: salt
+            app.kubernetes.io/part-of: metalk8s
+            heritage: metalk8s
+        spec:
+          type: ExternalName
+          {%- if prometheus_oidc_enabled %}
+          externalName: oauth2-proxy-prometheus.metalk8s-monitoring.svc.{{ coredns.cluster_domain }}
+          {%- else %}
+          externalName: thanos-query-http.metalk8s-monitoring.svc.{{ coredns.cluster_domain }}
+          {%- endif %}
+          ports:
+          - port: 10902