MK8S-140 - Set default ca namespace in oidc-proxy-rbac

Author: ChengYanJin

salt/metalk8s/addons/prometheus-operator/deployed/oidc-proxy-prometheus.sls

@@ -12,8 +12,8 @@
     )
 %}
 
-{%- set prometheus_oidc_enabled = prometheus.spec.config.get('enable_oidc_authentication', False) %}
-{%- set prometheus_oidc = prometheus.spec.config.get('oidc', {}) %}
+{%- set prometheus_oidc_enabled = prometheus.spec.get('config', {}).get('enable_oidc_authentication', False) %}
+{%- set prometheus_oidc = prometheus.spec.get('config', {}).get('oidc', {}) %}
 
 {%- set prometheus_oidc_ca = prometheus_oidc.get('caSecret', {}) %}
 {%- set ca_namespace = prometheus_oidc_ca.get('namespace', 'metalk8s-ingress') %}

salt/metalk8s/addons/prometheus-operator/deployed/oidc-proxy-rbac.sls

@@ -20,11 +20,11 @@
     )
 %}
 
-{%- set prometheus_oidc_enabled = prometheus.spec.config.get('enable_oidc_authentication', False) %}
+{%- set prometheus_oidc_enabled = prometheus.spec.get('config', {}).get('enable_oidc_authentication', False) %}
 {%- set alertmanager_oidc_enabled = alertmanager.spec.get('config', {}).get('enable_oidc_authentication', False) %}
 
-{%- set prometheus_ca_namespace = prometheus.spec.config.get('oidc', {}).get('caSecret', {}).get('namespace', '') %}
-{%- set alertmanager_ca_namespace = alertmanager.spec.get('config', {}).get('oidc', {}).get('caSecret', {}).get('namespace', '') %}
+{%- set prometheus_ca_namespace = prometheus.spec.get('config', {}).get('oidc', {}).get('caSecret', {}).get('namespace', 'metalk8s-ingress') %}
+{%- set alertmanager_ca_namespace = alertmanager.spec.get('config', {}).get('oidc', {}).get('caSecret', {}).get('namespace', 'metalk8s-ingress') %}
 
 {%- if prometheus_oidc_enabled %}
 
@@ -37,8 +37,6 @@ Create oidc-proxy-prometheus ServiceAccount:
           name: oidc-proxy-prometheus
           namespace: metalk8s-monitoring
 
-{%- if prometheus_ca_namespace %}
-
 Create oidc-proxy-prometheus-secret-reader Role in {{ prometheus_ca_namespace }}:
   metalk8s_kubernetes.object_present:
     - manifest:
@@ -69,8 +67,6 @@ Create oidc-proxy-prometheus-secret-reader-binding RoleBinding in {{ prometheus_
           name: oidc-proxy-prometheus-secret-reader
           apiGroup: rbac.authorization.k8s.io
 
-{%- endif %}
-
 {%- else %}
 
 Ensure oidc-proxy-prometheus ServiceAccount does not exist:
@@ -80,8 +76,6 @@ Ensure oidc-proxy-prometheus ServiceAccount does not exist:
     - kind: ServiceAccount
     - apiVersion: v1
 
-{%- if prometheus_ca_namespace %}
-
 Ensure oidc-proxy-prometheus-secret-reader Role does not exist in {{ prometheus_ca_namespace }}:
   metalk8s_kubernetes.object_absent:
     - name: oidc-proxy-prometheus-secret-reader
@@ -98,8 +92,6 @@ Ensure oidc-proxy-prometheus-secret-reader-binding RoleBinding does not exist in
 
 {%- endif %}
 
-{%- endif %}
-
 {%- if alertmanager_oidc_enabled %}
 
 Create oidc-proxy-alertmanager ServiceAccount:
@@ -111,8 +103,6 @@ Create oidc-proxy-alertmanager ServiceAccount:
           name: oidc-proxy-alertmanager
           namespace: metalk8s-monitoring
 
-{%- if alertmanager_ca_namespace %}
-
 Create oidc-proxy-alertmanager-secret-reader Role in {{ alertmanager_ca_namespace }}:
   metalk8s_kubernetes.object_present:
     - manifest:
@@ -143,8 +133,6 @@ Create oidc-proxy-alertmanager-secret-reader-binding RoleBinding in {{ alertmana
           name: oidc-proxy-alertmanager-secret-reader
           apiGroup: rbac.authorization.k8s.io
 
-{%- endif %}
-
 {%- else %}
 
 Ensure oidc-proxy-alertmanager ServiceAccount does not exist:
@@ -154,8 +142,6 @@ Ensure oidc-proxy-alertmanager ServiceAccount does not exist:
     - kind: ServiceAccount
     - apiVersion: v1
 
-{%- if alertmanager_ca_namespace %}
-
 Ensure oidc-proxy-alertmanager-secret-reader Role does not exist in {{ alertmanager_ca_namespace }}:
   metalk8s_kubernetes.object_absent:
     - name: oidc-proxy-alertmanager-secret-reader
@@ -171,5 +157,3 @@ Ensure oidc-proxy-alertmanager-secret-reader-binding RoleBinding does not exist
     - apiVersion: rbac.authorization.k8s.io/v1
 
 {%- endif %}
-
-{%- endif %}