Use secret observing helm chart with oidc-auth-apps
This commit adds the secret observing helm chart to oidc-auth-apps to detect changes in secrets and restart the oidc-client and dex pods when needed. Change-Id: I0559e75a2b80013e9d92d0bc7284bef4fea1294a Story: 2007361 Task: 42933 Depends-On: https://review.opendev.org/c/starlingx/helm-charts/+/804301 Signed-off-by: Jerry Sun <jerry.sun@windriver.com>
parent
cd0daf743e
commit
d3ef6e81b6
@ -8,3 +8,5 @@
|
|||||||
# These values match the names in the chart package's Chart.yaml
|
# These values match the names in the chart package's Chart.yaml
|
||||||
HELM_CHART_DEX = 'dex'
|
HELM_CHART_DEX = 'dex'
|
||||||
HELM_CHART_OIDC_CLIENT = 'oidc-client'
|
HELM_CHART_OIDC_CLIENT = 'oidc-client'
|
||||||
|
HELM_CHART_SECRET_OBSERVER = 'secret-observer' # nosec
|
||||||
|
# nosec to ignore bandit error of hard coded secret on previous line
|
||||||
|
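Review bot: The rationale for the suppression is on the line after the constant (`# nosec to ignore bandit error of hard coded secret on previous line`), so a reader meets the bare `# nosec` first and the reason second; moving the comment above the assignment keeps marker and explanation together. Bandit only trips here because the constant's name contains "secret" (B105) while the value is a chart name rather than a credential, so the suppression itself is justified; if the project's bandit release accepts test-id qualified markers, `HELM_CHART_SECRET_OBSERVER = 'secret-observer'  # nosec B105` narrows it to that one check instead of silencing every plugin on the line. I would phrase the comment as `# nosec: bandit B105 trips on "secret" in the name; the value is a chart name, not a credential`.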
@ -0,0 +1,34 @@
|
|||||||
|
#
|
||||||
|
# Copyright (c) 2021 Wind River Systems, Inc.
|
||||||
|
#
|
||||||
|
# SPDX-License-Identifier: Apache-2.0
|
||||||
|
#
|
||||||
|
|
||||||
|
from k8sapp_oidc.common import constants as app_constants
|
||||||
|
from k8sapp_oidc.helm.dex_base import DexBaseHelm
|
||||||
|
|
||||||
|
from sysinv.common import exception
|
||||||
|
from sysinv.helm import common
|
||||||
|
|
||||||
|
|
||||||
|
class SecretObserverHelm(DexBaseHelm):
|
||||||
|
"""Class to encapsulate helm operations for the secret observer chart"""
|
||||||
|
|
||||||
|
CHART = app_constants.HELM_CHART_SECRET_OBSERVER
|
||||||
|
SERVICE_NAME = 'secret-observer'
|
||||||
|
|
||||||
|
def get_namespaces(self):
|
||||||
|
return self.SUPPORTED_NAMESPACES
|
||||||
|
|
||||||
|
def get_overrides(self, namespace=None):
|
||||||
|
overrides = {
|
||||||
|
common.HELM_NS_KUBE_SYSTEM: {}
|
||||||
|
}
|
||||||
|
|
||||||
|
if namespace in self.SUPPORTED_NAMESPACES:
|
||||||
|
return overrides[namespace]
|
||||||
|
elif namespace:
|
||||||
|
raise exception.InvalidHelmNamespace(chart=self.CHART,
|
||||||
|
namespace=namespace)
|
||||||
|
else:
|
||||||
|
return overrides
|
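Review bot: `get_overrides` indexes `overrides[namespace]` after checking `namespace in self.SUPPORTED_NAMESPACES`, but the dict only carries the `common.HELM_NS_KUBE_SYSTEM` key, so any further namespace that the inherited `SUPPORTED_NAMESPACES` (defined in DexBaseHelm, outside this diff) might list would raise KeyError instead of the intended InvalidHelmNamespace. Deriving the dict from the supported set keeps the two in step: `overrides = {ns: {} for ns in self.SUPPORTED_NAMESPACES}`. Both methods also lack docstrings; I would add `"""Return the namespaces this chart may be installed into."""` to get_namespaces, and on get_overrides a docstring stating that the chart currently takes no plugin overrides (its observedSecrets list is supplied by the armada manifest elsewhere in this commit) and that a non-empty unsupported namespace raises InvalidHelmNamespace.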
@ -35,6 +35,7 @@ systemconfig.helm_applications =
|
|||||||
systemconfig.helm_plugins.oidc_auth_apps =
|
systemconfig.helm_plugins.oidc_auth_apps =
|
||||||
001_dex = k8sapp_oidc.helm.dex:Dex
|
001_dex = k8sapp_oidc.helm.dex:Dex
|
||||||
002_oidc-client = k8sapp_oidc.helm.oidc_client:OidcClientHelm
|
002_oidc-client = k8sapp_oidc.helm.oidc_client:OidcClientHelm
|
||||||
|
003_secret-observer = k8sapp_oidc.helm.secret_observer:SecretObserverHelm
|
||||||
|
|
||||||
[wheel]
|
[wheel]
|
||||||
universal = 1
|
universal = 1
|
||||||
|
@ -4,3 +4,7 @@ SRC_DIR="stx-oidc-auth-helm"
|
|||||||
# as the plugin version
|
# as the plugin version
|
||||||
TIS_BASE_SRCREV=860834c14ba54eb047ef02bde7a1f2407ce700ad
|
TIS_BASE_SRCREV=860834c14ba54eb047ef02bde7a1f2407ce700ad
|
||||||
TIS_PATCH_VER=GITREVCOUNT
|
TIS_PATCH_VER=GITREVCOUNT
|
||||||
|
|
||||||
|
COPY_LIST_TO_TAR="\
|
||||||
|
$STX_BASE/helm-charts/secret-observer/secret-observer/helm-charts \
|
||||||
|
"
|
||||||
|
@ -39,6 +39,7 @@ The StarlingX K8S application for OIDC authorization
|
|||||||
# Make the charts. These produce a tgz file
|
# Make the charts. These produce a tgz file
|
||||||
cd helm-charts
|
cd helm-charts
|
||||||
make oidc-client
|
make oidc-client
|
||||||
|
make secret-observer
|
||||||
cd -
|
cd -
|
||||||
|
|
||||||
# Create a chart tarball compliant with sysinv kube-app.py
|
# Create a chart tarball compliant with sysinv kube-app.py
|
||||||
|
@ -111,6 +111,45 @@ data:
|
|||||||
reference: master
|
reference: master
|
||||||
dependencies: []
|
dependencies: []
|
||||||
---
|
---
|
||||||
|
schema: armada/Chart/v1
|
||||||
|
metadata:
|
||||||
|
schema: metadata/Document/v1
|
||||||
|
name: kube-system-secret-observer
|
||||||
|
data:
|
||||||
|
chart_name: secret-observer
|
||||||
|
release: auth-secret-observer
|
||||||
|
namespace: kube-system
|
||||||
|
values:
|
||||||
|
namespace: "kube-system"
|
||||||
|
observedSecrets:
|
||||||
|
- secretName: "dex-client-secret"
|
||||||
|
filename: "dex-ca.pem"
|
||||||
|
deploymentToRestart: "stx-oidc-client"
|
||||||
|
- secretName: "local-dex.tls"
|
||||||
|
filename: "tls.crt"
|
||||||
|
deploymentToRestart: "stx-oidc-client"
|
||||||
|
- secretName: "local-dex.tls"
|
||||||
|
filename: "tls.crt"
|
||||||
|
deploymentToRestart: "oidc-dex"
|
||||||
|
source:
|
||||||
|
location: http://172.17.0.1:8080/helm_charts/stx-platform/secret-observer-0.1.0.tgz
|
||||||
|
subpath: secret-observer
|
||||||
|
type: tar
|
||||||
|
reference: master
|
||||||
|
upgrade:
|
||||||
|
no_hooks: false
|
||||||
|
pre:
|
||||||
|
delete:
|
||||||
|
- labels:
|
||||||
|
release_group: kube-system-secret-observer
|
||||||
|
type: job
|
||||||
|
wait:
|
||||||
|
labels:
|
||||||
|
release_group: kube-system-secret-observer
|
||||||
|
resources: []
|
||||||
|
timeout: 1800
|
||||||
|
dependencies: []
|
||||||
|
---
|
||||||
schema: armada/ChartGroup/v1
|
schema: armada/ChartGroup/v1
|
||||||
metadata:
|
metadata:
|
||||||
schema: metadata/Document/v1
|
schema: metadata/Document/v1
|
||||||
@ -121,6 +160,7 @@ data:
|
|||||||
chart_group:
|
chart_group:
|
||||||
- kube-system-dex
|
- kube-system-dex
|
||||||
- kube-system-oidc-client
|
- kube-system-oidc-client
|
||||||
|
- kube-system-secret-observer
|
||||||
---
|
---
|
||||||
schema: armada/Manifest/v1
|
schema: armada/Manifest/v1
|
||||||
metadata:
|
metadata:
|
||||||
|
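Review bot: The `deploymentToRestart` values `stx-oidc-client` and `oidc-dex` under `observedSecrets` are literal strings that must equal the Deployment names produced by the oidc-client and dex charts, and nothing in the manifest records that coupling, so a rename in either chart would silently stop the restarts; I would add above the list `# deploymentToRestart must match the Deployment names created by the dex and oidc-client charts`. The two `local-dex.tls` entries watch only `tls.crt`, so, assuming the observer compares just the named file, a rotation that replaces `tls.key` without changing the certificate would not trigger a restart; likewise the `dex-client-secret` entry watches `dex-ca.pem`, so if that secret also holds the client credential a change to that value alone would go unnoticed — worth confirming against the observer chart's semantics in the Depends-On review or documenting in a comment. The chart_group hunk that follows only appends the new release and raises nothing.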