set oauth proxy secret as param

Signed-off-by: Thibault Mange <[email protected]>
rhobs · Sep 28, 2023 · a34478a · a34478a
1 parent 1276848
commit a34478a
Show file tree

Hide file tree

Showing 4 changed files with 22 additions and 3 deletions.
diff --git a/resources/services/app-sre-stage-01/rhobs/observatorium-metrics-compact-template.yaml b/resources/services/app-sre-stage-01/rhobs/observatorium-metrics-compact-template.yaml
@@ -216,6 +216,7 @@ objects:
           - -tls-cert=/etc/tls/private/tls.crt
           - -tls-key=/etc/tls/private/tls.key
           - -client-secret-file=/var/run/secrets/kubernetes.io/serviceaccount/token
+          - -cookie-secret=${OAUTH_PROXY_COOKIE_SECRET}
           - -cookie-secret-file=/etc/proxy/secrets/session_secret
           - -openshift-ca=/etc/pki/tls/cert.pem
           - -openshift-ca=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
@@ -273,3 +274,7 @@ objects:
             storage: 500Gi
         storageClassName: gp2
       status: {}
+parameters:
+- from: '[a-zA-Z0-9]{40}'
+  generate: expression
+  name: OAUTH_PROXY_COOKIE_SECRET
diff --git a/resources/services/telemeter-prod-01/rhobs/observatorium-metrics-compact-template.yaml b/resources/services/telemeter-prod-01/rhobs/observatorium-metrics-compact-template.yaml
@@ -216,6 +216,7 @@ objects:
           - -tls-cert=/etc/tls/private/tls.crt
           - -tls-key=/etc/tls/private/tls.key
           - -client-secret-file=/var/run/secrets/kubernetes.io/serviceaccount/token
+          - -cookie-secret=${OAUTH_PROXY_COOKIE_SECRET}
           - -cookie-secret-file=/etc/proxy/secrets/session_secret
           - -openshift-ca=/etc/pki/tls/cert.pem
           - -openshift-ca=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
@@ -273,3 +274,7 @@ objects:
             storage: 500Gi
         storageClassName: gp2
       status: {}
+parameters:
+- from: '[a-zA-Z0-9]{40}'
+  generate: expression
+  name: OAUTH_PROXY_COOKIE_SECRET
diff --git a/services_go/observatorium/observatorium.go b/services_go/observatorium/observatorium.go
@@ -61,20 +61,28 @@ func (o *Observatorium) Manifests(generator *mimic.Generator) {
 	components := []struct {
 		name    string
 		objects k8sutil.ObjectMap
+		params  []templatev1.Parameter
 	}{
-		{"observatorium-metrics-compact", makeCompactor(o.cfg.Namespace, o.cfg.PreManifestsHooks.Compactor)},
-		{"observatorium-metrics-store", makeStore(o.cfg.Namespace, o.cfg.PreManifestsHooks.ThanosStore)},
+		{"observatorium-metrics-compact", makeCompactor(o.cfg.Namespace, o.cfg.PreManifestsHooks.Compactor), []templatev1.Parameter{
+			{
+				Name:     "OAUTH_PROXY_COOKIE_SECRET",
+				Generate: "expression",
+				From:     "[a-zA-Z0-9]{40}",
+			},
+		}},
+		{"observatorium-metrics-store", makeStore(o.cfg.Namespace, o.cfg.PreManifestsHooks.ThanosStore), []templatev1.Parameter{}},
 	}
 
 	for _, component := range components {
 		template := openshift.WrapInTemplate("", component.objects, metav1.ObjectMeta{
 			Name: component.name,
-		}, []templatev1.Parameter{})
+		}, component.params)
 		generator.With(o.cfg.Cluster, o.cfg.Instance).Add(component.name+"-template.yaml", &customYAML{encoder: encoding.GhodssYAML(template[""])})
 	}
 }
 
 // customYAML is a YAML encoder wrapper that allows cleaning of the output.
+// Wihtout this, the manifests would contain a status section that is not needed.
 type customYAML struct {
 	encoder encoding.Encoder
 	reader  io.Reader

diff --git a/services_go/observatorium/sidecars.go b/services_go/observatorium/sidecars.go
@@ -27,6 +27,7 @@ func makeOauthProxy(upstreamPort int32, namespace, serviceAccount, tlsSecret str
 			"-tls-cert=/etc/tls/private/tls.crt",
 			"-tls-key=/etc/tls/private/tls.key",
 			"-client-secret-file=/var/run/secrets/kubernetes.io/serviceaccount/token",
+			"-cookie-secret=${OAUTH_PROXY_COOKIE_SECRET}", // replaced by openshift template parameter
 			"-cookie-secret-file=/etc/proxy/secrets/session_secret",
 			"-openshift-ca=/etc/pki/tls/cert.pem",
 			"-openshift-ca=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt",