Use secret observing helm chart with oidc-auth-apps

This commit adds the secret observing helm chart to oidc-auth-apps to detect changes in secrets and restart the oidc-client and dex pods when needed. Change-Id: I0559e75a2b80013e9d92d0bc7284bef4fea1294a Story: 2007361 Task: 42933 Depends-On: https://review.opendev.org/c/starlingx/helm-charts/+/804301 Signed-off-by: Jerry Sun <jerry.sun@windriver.com>
2021-08-11 16:15:08 -04:00 · 2021-08-11 16:15:08 -04:00 · d3ef6e81b6
commit d3ef6e81b6
parent cd0daf743e
6 changed files with 82 additions and 0 deletions
--- a/python-k8sapp-oidc/k8sapp_oidc/k8sapp_oidc/common/constants.py
+++ b/python-k8sapp-oidc/k8sapp_oidc/k8sapp_oidc/common/constants.py
@ -8,3 +8,5 @@
 # These values match the names in the chart package's Chart.yaml
 HELM_CHART_DEX = 'dex'
 HELM_CHART_OIDC_CLIENT = 'oidc-client'
+HELM_CHART_SECRET_OBSERVER = 'secret-observer'  # nosec
+# nosec to ignore bandit error of hard coded secret on previous line
--- a/python-k8sapp-oidc/k8sapp_oidc/k8sapp_oidc/helm/secret_observer.py
+++ b/python-k8sapp-oidc/k8sapp_oidc/k8sapp_oidc/helm/secret_observer.py
@ -0,0 +1,34 @@
+#
+# Copyright (c) 2021 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+from k8sapp_oidc.common import constants as app_constants
+from k8sapp_oidc.helm.dex_base import DexBaseHelm
+
+from sysinv.common import exception
+from sysinv.helm import common
+
+
+class SecretObserverHelm(DexBaseHelm):
+    """Class to encapsulate helm operations for the secret observer chart"""
+
+    CHART = app_constants.HELM_CHART_SECRET_OBSERVER
+    SERVICE_NAME = 'secret-observer'
+
+    def get_namespaces(self):
+        return self.SUPPORTED_NAMESPACES
+
+    def get_overrides(self, namespace=None):
+        overrides = {
+            common.HELM_NS_KUBE_SYSTEM: {}
+        }
+
+        if namespace in self.SUPPORTED_NAMESPACES:
+            return overrides[namespace]
+        elif namespace:
+            raise exception.InvalidHelmNamespace(chart=self.CHART,
+                                                 namespace=namespace)
+        else:
+            return overrides
--- a/python-k8sapp-oidc/k8sapp_oidc/setup.cfg
+++ b/python-k8sapp-oidc/k8sapp_oidc/setup.cfg
@ -35,6 +35,7 @@ systemconfig.helm_applications =
 systemconfig.helm_plugins.oidc_auth_apps =
    001_dex = k8sapp_oidc.helm.dex:Dex
    002_oidc-client = k8sapp_oidc.helm.oidc_client:OidcClientHelm
+    003_secret-observer = k8sapp_oidc.helm.secret_observer:SecretObserverHelm

 [wheel]
 universal = 1
--- a/stx-oidc-auth-helm/centos/build_srpm.data
+++ b/stx-oidc-auth-helm/centos/build_srpm.data
@ -4,3 +4,7 @@ SRC_DIR="stx-oidc-auth-helm"
 # as the plugin version
 TIS_BASE_SRCREV=860834c14ba54eb047ef02bde7a1f2407ce700ad
 TIS_PATCH_VER=GITREVCOUNT
+
+COPY_LIST_TO_TAR="\
+    $STX_BASE/helm-charts/secret-observer/secret-observer/helm-charts \
+"
--- a/stx-oidc-auth-helm/centos/stx-oidc-auth-helm.spec
+++ b/stx-oidc-auth-helm/centos/stx-oidc-auth-helm.spec
@ -39,6 +39,7 @@ The StarlingX K8S application for OIDC authorization
 # Make the charts. These produce a tgz file
 cd helm-charts
 make oidc-client
+make secret-observer
 cd -

 # Create a chart tarball compliant with sysinv kube-app.py
--- a/stx-oidc-auth-helm/stx-oidc-auth-helm/manifests/manifest.yaml
+++ b/stx-oidc-auth-helm/stx-oidc-auth-helm/manifests/manifest.yaml
@ -111,6 +111,45 @@ data:
    reference: master
  dependencies: []
 ---
+schema: armada/Chart/v1
+metadata:
+  schema: metadata/Document/v1
+  name: kube-system-secret-observer
+data:
+  chart_name: secret-observer
+  release: auth-secret-observer
+  namespace: kube-system
+  values:
+    namespace: "kube-system"
+    observedSecrets:
+      - secretName: "dex-client-secret"
+        filename: "dex-ca.pem"
+        deploymentToRestart: "stx-oidc-client"
+      - secretName: "local-dex.tls"
+        filename: "tls.crt"
+        deploymentToRestart: "stx-oidc-client"
+      - secretName: "local-dex.tls"
+        filename: "tls.crt"
+        deploymentToRestart: "oidc-dex"
+  source:
+    location: http://172.17.0.1:8080/helm_charts/stx-platform/secret-observer-0.1.0.tgz
+    subpath: secret-observer
+    type: tar
+    reference: master
+  upgrade:
+    no_hooks: false
+    pre:
+      delete:
+      - labels:
+          release_group: kube-system-secret-observer
+        type: job
+  wait:
+    labels:
+      release_group: kube-system-secret-observer
+    resources: []
+    timeout: 1800
+  dependencies: []
+---
 schema: armada/ChartGroup/v1
 metadata:
  schema: metadata/Document/v1
@ -121,6 +160,7 @@ data:
  chart_group:
  - kube-system-dex
  - kube-system-oidc-client
+  - kube-system-secret-observer
 ---
 schema: armada/Manifest/v1
 metadata: