Merge branch 'main' into akurlov/update-local-setup-doc
kurlov authored Dec 2, 2024
2 parents d99e7c5 + 2f1f2c1 commit db1a452
Showing 61 changed files with 241 additions and 4,257 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/ci.yaml
@@ -105,7 +105,7 @@ jobs:
git diff --exit-code
- name: Setup tests secrets
run: |
make ocm/setup aws/setup redhatsso/setup centralcert/setup observatorium/setup secrets/touch
make ocm/setup aws/setup redhatsso/setup centralcert/setup secrets/touch
- name: Run Migration Script
run: make db/migrate
- name: Verify & Test
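Review bot: Dropping `observatorium/setup` from the "Setup tests secrets" step is consistent with the Makefile hunks in this merge, which remove that target and also take `secrets/observability-config-access.token` out of the `secrets/touch` list; worth checking that no later CI step or test fixture still reads that token file, because `secrets/touch` will no longer create an empty placeholder for it, so a remaining reader would now fail on a missing file rather than an empty one.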
2 changes: 1 addition & 1 deletion .pre-commit-config.yaml
@@ -8,7 +8,7 @@ repos:
require_serial: true
pass_filenames: true
stages: [pre-push, manual]
files: '(openapi/.*|pkg/workers/worker_interface.go|pkg/client/ocm/id.go|pkg/client/aws/client.go|pkg/client/ocm/client.go|pkg/client/iam/client.go|pkg/services/authorization/authorization.go|pkg/services/sso/iam_service.go|pkg/client/redhatsso/client.go|pkg/auth/auth_agent_service.go|internal/dinosaur/pkg/services/observatorium_service.go|internal/dinosaur/pkg/services/cluster_placement_strategy.go|internal/dinosaur/pkg/services/cloud_providers.go|internal/dinosaur/pkg/services/clusters.go|internal/dinosaur/pkg/services/quota.go|internal/dinosaur/pkg/services/fleetshard_operator_addon.go|internal/dinosaur/pkg/services/quota_service_factory.go|internal/dinosaur/pkg/clusters/cluster_builder.go|internal/dinosaur/pkg/clusters/provider.go|internal/dinosaur/pkg/services/dinosaur.go)'
files: '(openapi/.*|pkg/workers/worker_interface.go|pkg/client/ocm/id.go|pkg/client/aws/client.go|pkg/client/ocm/client.go|pkg/client/iam/client.go|pkg/services/authorization/authorization.go|pkg/services/sso/iam_service.go|pkg/client/redhatsso/client.go|pkg/auth/auth_agent_service.go|internal/dinosaur/pkg/services/cluster_placement_strategy.go|internal/dinosaur/pkg/services/cloud_providers.go|internal/dinosaur/pkg/services/clusters.go|internal/dinosaur/pkg/services/quota.go|internal/dinosaur/pkg/services/fleetshard_operator_addon.go|internal/dinosaur/pkg/services/quota_service_factory.go|internal/dinosaur/pkg/clusters/cluster_builder.go|internal/dinosaur/pkg/clusters/provider.go|internal/dinosaur/pkg/services/dinosaur.go)'
- repo: https://github.com/Yelp/detect-secrets
rev: v1.5.0
hooks:
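Review bot: The only change to the `files` pattern is the removal of `internal/dinosaur/pkg/services/observatorium_service.go`; that file's own diff is not expanded on this page, so confirm it is actually deleted in the merge rather than merely dropped from the hook's scope, otherwise the hook silently stops running on a file that still exists. The pattern is also a single several-hundred-character alternation in which such a removal is hard to review; pre-commit accepts a verbose regex (`files: (?x)^(...)$` in a YAML block scalar with one path per line), which would make future edits to this list diff cleanly.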
22 changes: 11 additions & 11 deletions .secrets.baseline
@@ -268,7 +268,7 @@
"filename": "internal/dinosaur/pkg/api/public/api/openapi.yaml",
"hashed_secret": "5b455797b93de5b6a19633ba22127c8a610f5c1b",
"is_verified": false,
"line_number": 1535
"line_number": 1343
}
],
"internal/dinosaur/pkg/presenters/managedcentral.go": [
@@ -330,63 +330,63 @@
"filename": "templates/service-template.yml",
"hashed_secret": "13032f402fed753c2248419ea4f69f99931f6dbc",
"is_verified": false,
"line_number": 524
"line_number": 471
},
{
"type": "Base64 High Entropy String",
"filename": "templates/service-template.yml",
"hashed_secret": "30025f80f6e22cdafb85db387d50f90ea884576a",
"is_verified": false,
"line_number": 524
"line_number": 471
},
{
"type": "Base64 High Entropy String",
"filename": "templates/service-template.yml",
"hashed_secret": "355f24fd038bcaf85617abdcaa64af51ed19bbcf",
"is_verified": false,
"line_number": 524
"line_number": 471
},
{
"type": "Base64 High Entropy String",
"filename": "templates/service-template.yml",
"hashed_secret": "3d8a1dcd2c3c765ce35c9a9552d23273cc4ddace",
"is_verified": false,
"line_number": 524
"line_number": 471
},
{
"type": "Base64 High Entropy String",
"filename": "templates/service-template.yml",
"hashed_secret": "4ac7b0522761eba972467942cd5cd7499dd2c361",
"is_verified": false,
"line_number": 524
"line_number": 471
},
{
"type": "Base64 High Entropy String",
"filename": "templates/service-template.yml",
"hashed_secret": "7639ab2a6bcf2ea30a055a99468c9cd844d4c22a",
"is_verified": false,
"line_number": 524
"line_number": 471
},
{
"type": "Base64 High Entropy String",
"filename": "templates/service-template.yml",
"hashed_secret": "b56360daf4793d2a74991a972b34d95bc00fb2da",
"is_verified": false,
"line_number": 524
"line_number": 471
},
{
"type": "Base64 High Entropy String",
"filename": "templates/service-template.yml",
"hashed_secret": "c9a73ef9ee8ce9f38437227801c70bcc6740d1a1",
"is_verified": false,
"line_number": 524
"line_number": 471
},
{
"type": "Secret Keyword",
"filename": "templates/service-template.yml",
"hashed_secret": "4e199b4a1c40b497a95fcd1cd896351733849949",
"is_verified": false,
"line_number": 707,
"line_number": 654,
"is_secret": false
}
],
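Review bot: All eight `Base64 High Entropy String` findings for `templates/service-template.yml` move from line 524 to 471 and the `Secret Keyword` finding from 707 to 654, a uniform 53-line shift that matches a block being deleted from that template (its diff is not expanded on this page). Every one of them stays `is_verified: false` and, apart from the last, carries no `is_secret` verdict; since the baseline is being regenerated anyway, running `detect-secrets audit .secrets.baseline` and recording a decision for each would turn these from perpetual carry-overs into reviewed entries, and eight distinct high-entropy strings on one line of a deploy template is exactly the kind of finding worth confirming as non-secret rather than re-baselining unread.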
@@ -416,5 +416,5 @@
}
]
},
"generated_at": "2024-10-17T08:34:41Z"
"generated_at": "2024-11-26T16:50:48Z"
}
5 changes: 3 additions & 2 deletions .tekton/acs-fleetshard-operator-push.yaml
@@ -6,8 +6,9 @@ metadata:
build.appstudio.redhat.com/commit_sha: '{{revision}}'
build.appstudio.redhat.com/target_branch: '{{target_branch}}'
pipelinesascode.tekton.dev/max-keep-runs: "3"
pipelinesascode.tekton.dev/on-cel-expression: event == "push" && target_branch
== "main"
pipelinesascode.tekton.dev/on-cel-expression: |
target_branch == "main"
&& (event == "push" || event == "pull_request")
creationTimestamp: null
labels:
appstudio.openshift.io/application: acscs-main
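Review bot: Widening `on-cel-expression` from `event == "push"` to `event == "push" || event == "pull_request"` turns what the file name describes as a push pipeline into one that also runs for pull requests targeting main. Two things to confirm before merging: that any image push or signing step in this pipeline is gated so a pull-request run cannot publish under the same tag as a main push, and that `max-keep-runs: "3"` is still adequate, since PR runs now compete with push runs for those three retained PipelineRuns and can evict the run that produced the image currently deployed from main.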
60 changes: 0 additions & 60 deletions Makefile
@@ -215,8 +215,6 @@ help:
@echo "make setup/git/hooks setup git hooks"
@echo "make secrets/touch touch all required secret files"
@echo "make centralcert/setup setup the central TLS certificate used for Managed Central Service"
@echo "make observatorium/setup setup observatorium secrets used by CI"
@echo "make observatorium/token-refresher/setup" setup a local observatorium token refresher
@echo "make docker/login/internal login to an openshift cluster image registry"
@echo "make image/push/internal push image to an openshift cluster image registry."
@echo "make deploy/project deploy the service via templates to an openshift cluster"
@@ -634,7 +632,6 @@ secrets/touch:
secrets/central-tls.crt \
secrets/central-tls.key \
secrets/central.idp-client-secret \
secrets/observability-config-access.token \
secrets/ocm-service.clientId \
secrets/ocm-service.clientSecret \
secrets/ocm-service.token \
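Review bot: `secrets/observability-config-access.token` leaves the `secrets/touch` list, but the `observatorium/setup` target removed further down in this file also wrote `secrets/rhsso-logs.clientId`, `secrets/rhsso-logs.clientSecret`, `secrets/rhsso-metrics.clientId` and `secrets/rhsso-metrics.clientSecret`; if those four appear in the non-expanded part of this list (or in `.gitignore`), they should be dropped in the same change so the set of placeholder files matches the targets that remain.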
@@ -675,31 +672,6 @@ centralcert/setup:
@echo -n "$(CENTRAL_TLS_KEY)" > secrets/central-tls.key
.PHONY:centralcert/setup

observatorium/setup:
@echo -n "$(OBSERVATORIUM_CONFIG_ACCESS_TOKEN)" > secrets/observability-config-access.token;
@echo -n "$(RHSSO_LOGS_CLIENT_ID)" > secrets/rhsso-logs.clientId;
@echo -n "$(RHSSO_LOGS_CLIENT_SECRET)" > secrets/rhsso-logs.clientSecret;
@echo -n "$(RHSSO_METRICS_CLIENT_ID)" > secrets/rhsso-metrics.clientId;
@echo -n "$(RHSSO_METRICS_CLIENT_SECRET)" > secrets/rhsso-metrics.clientSecret;
.PHONY:observatorium/setup

observatorium/token-refresher/setup: PORT ?= 8085
observatorium/token-refresher/setup: IMAGE_TAG ?= latest
observatorium/token-refresher/setup: ISSUER_URL ?= https://sso.redhat.com/auth/realms/redhat-external
observatorium/token-refresher/setup: OBSERVATORIUM_URL ?= https://observatorium-mst.api.stage.openshift.com/api/metrics/v1/manageddinosaur
observatorium/token-refresher/setup:
@$(DOCKER) run -d -p ${PORT}:${PORT} \
--restart always \
--name observatorium-token-refresher quay.io/rhoas/mk-token-refresher:${IMAGE_TAG} \
/bin/token-refresher \
--oidc.issuer-url="${ISSUER_URL}" \
--url="${OBSERVATORIUM_URL}" \
--oidc.client-id="${CLIENT_ID}" \
--oidc.client-secret="${CLIENT_SECRET}" \
--web.listen=":${PORT}"
@echo The Observatorium token refresher is now running on 'http://localhost:${PORT}'
.PHONY: observatorium/token-refresher/setup

# Setup dummy OCM_OFFLINE_TOKEN for integration testing
ocm/setup: OCM_OFFLINE_TOKEN ?= "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c" # pragma: allowlist secret
ocm/setup:
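Review bot: Removing `observatorium/token-refresher/setup` also retires a recipe that passed `--oidc.client-secret="${CLIENT_SECRET}"` on the `docker run` command line, where it was readable by any local user through the process list, so this deletion is a small hardening rather than just cleanup. Check that `${CLIENT_ID}`, `${CLIENT_SECRET}`, `OBSERVATORIUM_CONFIG_ACCESS_TOKEN`, `RHSSO_LOGS_CLIENT_*` and `RHSSO_METRICS_CLIENT_*` are no longer referenced by any remaining target or CI secret definition, since with the consuming targets gone they would only linger as unused credentials in the CI environment.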
@@ -743,13 +715,6 @@ deploy/secrets:
-p CENTRAL_IDP_CLIENT_SECRET="$(shell ([ -s './secrets/central.idp-client-secret' ] && [ -z '${CENTRAL_IDP_CLIENT_SECRET}' ]) && cat ./secrets/central.idp-client-secret || echo '${CENTRAL_IDP_CLIENT_SECRET}')" \
-p CENTRAL_TLS_CERT="$(shell ([ -s './secrets/central-tls.crt' ] && [ -z '${CENTRAL_TLS_CERT}' ]) && cat ./secrets/central-tls.crt || echo '${CENTRAL_TLS_CERT}')" \
-p CENTRAL_TLS_KEY="$(shell ([ -s './secrets/central-tls.key' ] && [ -z '${CENTRAL_TLS_KEY}' ]) && cat ./secrets/central-tls.key || echo '${CENTRAL_TLS_KEY}')" \
-p OBSERVABILITY_CONFIG_ACCESS_TOKEN="$(shell ([ -s './secrets/observability-config-access.token' ] && [ -z '${OBSERVABILITY_CONFIG_ACCESS_TOKEN}' ]) && cat ./secrets/observability-config-access.token || echo '${OBSERVABILITY_CONFIG_ACCESS_TOKEN}')" \
-p OBSERVABILITY_RHSSO_LOGS_CLIENT_ID="$(shell ([ -s './secrets/rhsso-logs.clientId' ] && [ -z '${OBSERVABILITY_RHSSO_LOGS_CLIENT_ID}' ]) && cat ./secrets/rhsso-logs.clientId || echo '${OBSERVABILITY_RHSSO_LOGS_CLIENT_ID}')" \
-p OBSERVABILITY_RHSSO_LOGS_SECRET="$(shell ([ -s './secrets/rhsso-logs.clientSecret' ] && [ -z '${OBSERVABILITY_RHSSO_LOGS_SECRET}' ]) && cat ./secrets/rhsso-logs.clientSecret || echo '${OBSERVABILITY_RHSSO_LOGS_SECRET}')" \
-p OBSERVABILITY_RHSSO_METRICS_CLIENT_ID="$(shell ([ -s './secrets/rhsso-metrics.clientId' ] && [ -z '${OBSERVABILITY_RHSSO_METRICS_CLIENT_ID}' ]) && cat ./secrets/rhsso-metrics.clientId || echo '${OBSERVABILITY_RHSSO_METRICS_CLIENT_ID}')" \
-p OBSERVABILITY_RHSSO_METRICS_SECRET="$(shell ([ -s './secrets/rhsso-metrics.clientSecret' ] && [ -z '${OBSERVABILITY_RHSSO_METRICS_SECRET}' ]) && cat ./secrets/rhsso-metrics.clientSecret || echo '${OBSERVABILITY_RHSSO_METRICS_SECRET}')" \
-p OBSERVABILITY_RHSSO_GRAFANA_CLIENT_ID="${OBSERVABILITY_RHSSO_GRAFANA_CLIENT_ID}" \
-p OBSERVABILITY_RHSSO_GRAFANA_CLIENT_SECRET="${OBSERVABILITY_RHSSO_GRAFANA_CLIENT_SECRET}" \
| oc apply -f - -n $(NAMESPACE)
.PHONY: deploy/secrets
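Review bot: The seven `-p OBSERVABILITY_*` parameters are dropped from this `oc process` invocation, but the template they were passed to (presumably `templates/secrets-template.yml`, which the `undeploy` target below processes) is not expanded on this page. If that template still declares any of these as parameters without a default, `oc process` will fail; if it declares them with a default, it will silently render a Secret containing the default value, so the template change should be reviewed together with this hunk.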

@@ -794,9 +759,6 @@ deploy/service: ENABLE_TERMS_ACCEPTANCE ?= "false"
deploy/service: ENABLE_DENY_LIST ?= "false"
deploy/service: ALLOW_EVALUATOR_INSTANCE ?= "true"
deploy/service: QUOTA_TYPE ?= "quota-management-list"
deploy/service: OBSERVABILITY_CONFIG_REPO ?= "https://api.github.com/repos/bf2fc6cc711aee1a0c2a/observability-resources-mk/contents"
deploy/service: OBSERVABILITY_CONFIG_CHANNEL ?= "resources"
deploy/service: OBSERVABILITY_CONFIG_TAG ?= "main"
deploy/service: DATAPLANE_CLUSTER_SCALING_TYPE ?= "manual"
deploy/service: CENTRAL_IDP_ISSUER ?= "https://sso.stage.redhat.com/auth/realms/redhat-external"
deploy/service: CENTRAL_IDP_CLIENT_ID ?= "rhacs-ms-dev"
@@ -830,13 +792,6 @@ endif
-p OCM_ADDON_SERVICE_URL="$(OCM_ADDON_SERVICE_URL)" \
-p AMS_URL="${AMS_URL}" \
-p SERVICE_PUBLIC_HOST_URL="https://$(shell oc get routes/fleet-manager -o jsonpath="{.spec.host}" -n $(NAMESPACE))" \
-p OBSERVATORIUM_RHSSO_GATEWAY="${OBSERVATORIUM_RHSSO_GATEWAY}" \
-p OBSERVATORIUM_RHSSO_REALM="${OBSERVATORIUM_RHSSO_REALM}" \
-p OBSERVATORIUM_RHSSO_TENANT="${OBSERVATORIUM_RHSSO_TENANT}" \
-p OBSERVATORIUM_RHSSO_AUTH_SERVER_URL="${OBSERVATORIUM_RHSSO_AUTH_SERVER_URL}" \
-p OBSERVATORIUM_TOKEN_REFRESHER_URL="http://token-refresher.$(NAMESPACE).svc.cluster.local" \
-p OBSERVABILITY_CONFIG_REPO="${OBSERVABILITY_CONFIG_REPO}" \
-p OBSERVABILITY_CONFIG_TAG="${OBSERVABILITY_CONFIG_TAG}" \
-p ENABLE_TERMS_ACCEPTANCE="${ENABLE_TERMS_ACCEPTANCE}" \
-p ALLOW_EVALUATOR_INSTANCE="${ALLOW_EVALUATOR_INSTANCE}" \
-p QUOTA_TYPE="${QUOTA_TYPE}" \
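Review bot: Same consistency check for `templates/service-template.yml`: the `-p OBSERVATORIUM_*` and `-p OBSERVABILITY_CONFIG_*` parameters are removed here, and the `.secrets.baseline` hunk in this merge shows that file's findings shifting up by 53 lines, which is consistent with the matching parameter block having been deleted from the template, but the template diff itself is not expanded on this page and should be checked for leftover parameter declarations. Note also that `OBSERVATORIUM_TOKEN_REFRESHER_URL` pointed the service at `http://token-refresher.$(NAMESPACE).svc.cluster.local` over plain HTTP; confirm no code path still defaults to that in-cluster URL now that nothing deploys the service behind it.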
@@ -861,7 +816,6 @@ endif
# remove service deployments from an OpenShift cluster
undeploy: FLEET_MANAGER_IMAGE ?= $(SHORT_IMAGE_REF)
undeploy:
@-oc process -f ./templates/observatorium-token-refresher.yml --local | oc delete -f - -n $(NAMESPACE)
@-oc process -f ./templates/db-template.yml --local | oc delete -f - -n $(NAMESPACE)
@-oc process -f ./templates/secrets-template.yml --local | oc delete -f - -n $(NAMESPACE)
@-oc process -f ./templates/route-template.yml --local | oc delete -f - -n $(NAMESPACE)
@@ -871,20 +825,6 @@ undeploy:
| oc delete -f - -n $(NAMESPACE)
.PHONY: undeploy
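Review bot: Dropping the `observatorium-token-refresher.yml` line from `undeploy` means a namespace deployed before this change keeps its token-refresher objects (the `token-refresher` Service referenced in `deploy/service` above, and the Deployment behind it) after `make undeploy`; because that workload was configured with an SSO client secret, leaving it running unmanaged is a stale-credential concern rather than just clutter. A one-time cleanup of existing environments, either with the pre-change template or by object name, belongs in the rollout notes for this merge.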

# Deploys an Observatorium token refresher on an OpenShift cluster
deploy/token-refresher: ISSUER_URL ?= "https://sso.redhat.com/auth/realms/redhat-external"
deploy/token-refresher: OBSERVATORIUM_TOKEN_REFRESHER_IMAGE ?= "quay.io/rhoas/mk-token-refresher"
deploy/token-refresher: OBSERVATORIUM_TOKEN_REFRESHER_IMAGE_TAG ?= "latest"
deploy/token-refresher: OBSERVATORIUM_URL ?= "https://observatorium-mst.api.stage.openshift.com/api/metrics/v1/manageddinosaur"
deploy/token-refresher:
@-oc process -f ./templates/observatorium-token-refresher.yml \
-p ISSUER_URL=${ISSUER_URL} \
-p OBSERVATORIUM_URL=${OBSERVATORIUM_URL} \
-p OBSERVATORIUM_TOKEN_REFRESHER_IMAGE=${OBSERVATORIUM_TOKEN_REFRESHER_IMAGE} \
-p OBSERVATORIUM_TOKEN_REFRESHER_IMAGE_TAG=${OBSERVATORIUM_TOKEN_REFRESHER_IMAGE_TAG} \
| oc apply -f - -n $(NAMESPACE)
.PHONY: deploy/token-refresher

# Deploys OpenShift ingress router on a k8s cluster
deploy/openshift-router:
./scripts/openshift-router.sh deploy
1 change: 0 additions & 1 deletion cmd/fleet-manager/main.go
@@ -49,7 +49,6 @@ func main() {
// Unsupported CLI commands. Eventually some of them can be removed.
// rootCmd.AddCommand(cluster.NewClusterCommand(env))
// rootCmd.AddCommand(cloudprovider.NewCloudProviderCommand(env))
// rootCmd.AddCommand(observatorium.NewRunObservatoriumCommand(env))
// rootCmd.AddCommand(errors.NewErrorsCommand(env))

if err := rootCmd.Execute(); err != nil {
1 change: 0 additions & 1 deletion dev/env/defaults/00-defaults.env
@@ -43,7 +43,6 @@ export OSD_IDP_SSO_CLIENT_ID_DEFAULT=""
export OSD_IDP_SSO_CLIENT_SECRET_DEFAULT=""
export ROUTE53_ACCESS_KEY_DEFAULT=""
export ROUTE53_SECRET_ACCESS_KEY_DEFAULT=""
export OBSERVABILITY_CONFIG_ACCESS_TOKEN_DEFAULT=""
export SPAWN_LOGGER_DEFAULT="false"
export DUMP_LOGS_DEFAULT="false"
export OPERATOR_SOURCE_DEFAULT=""
2 changes: 0 additions & 2 deletions dev/env/scripts/lib.sh
@@ -107,7 +107,6 @@ init() {
export OSD_IDP_SSO_CLIENT_SECRET=${OSD_IDP_SSO_CLIENT_SECRET:-$OSD_IDP_SSO_CLIENT_SECRET_DEFAULT}
export ROUTE53_ACCESS_KEY=${ROUTE53_ACCESS_KEY:-$ROUTE53_ACCESS_KEY_DEFAULT}
export ROUTE53_SECRET_ACCESS_KEY=${ROUTE53_SECRET_ACCESS_KEY:-$ROUTE53_SECRET_ACCESS_KEY_DEFAULT}
export OBSERVABILITY_CONFIG_ACCESS_TOKEN=${OBSERVABILITY_CONFIG_ACCESS_TOKEN:-$OBSERVABILITY_CONFIG_ACCESS_TOKEN_DEFAULT}
export INHERIT_IMAGEPULLSECRETS=${INHERIT_IMAGEPULLSECRETS:-$INHERIT_IMAGEPULLSECRETS_DEFAULT}
export SPAWN_LOGGER=${SPAWN_LOGGER:-$SPAWN_LOGGER_DEFAULT}
export DUMP_LOGS=${DUMP_LOGS:-$DUMP_LOGS_DEFAULT}
@@ -190,7 +189,6 @@ OSD_IDP_SSO_CLIENT_ID: ********
OSD_IDP_SSO_CLIENT_SECRET: ********
ROUTE53_ACCESS_KEY: ********
ROUTE53_SECRET_ACCESS_KEY: ********
OBSERVABILITY_CONFIG_ACCESS_TOKEN: ********
INHERIT_IMAGEPULLSECRETS: ${INHERIT_IMAGEPULLSECRETS}
SPAWN_LOGGER: ${SPAWN_LOGGER}
DUMP_LOGS: ${DUMP_LOGS}
8 changes: 0 additions & 8 deletions docs/development/populating-configuration.md
@@ -115,14 +115,6 @@ In the Data Plane cluster, the Central Operator and the FleetShard Deployments
might reference container images that are located in authenticated container
image registries.

## Setup the Observability stack secrets
See [Obsevability](./observability/README.md) to learn more about Observatorium and the observability stack.
The following command is used to setup the various secrets needed by the Observability stack.

```
make observatorium/setup
```

## Setup a custom TLS certificate for Central Host URLs

When Fleet Manager creates Central instances, it can be configured to
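Review bot: The removed section held the link to `./observability/README.md`; check whether that README (and any other page linking to it) is removed in the same merge, otherwise it becomes an orphaned document describing an `observatorium/setup` target that no longer exists.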
23 changes: 0 additions & 23 deletions docs/legacy/feature-flags.md
@@ -13,7 +13,6 @@ This lists the feature flags and their sub-configurations to enable/disable and
- [Central](#central)
- [IAM](#iam)
- [Metrics Server](#metrics-server)
- [Observability](#observability)
- [OpenShift Cluster Manager](#openshift-cluster-manager)
- [Dataplane Cluster Management](#dataplane-cluster-management)
- [Sentry](#sentry)
@@ -76,28 +75,6 @@ This lists the feature flags and their sub-configurations to enable/disable and
- `https-cert-file` [Required]: The path to the file containing the TLS certificate.
- `https-key-file` [Required]: The path to the file containing the TLS private key.

## Observability
- **enable-observatorium-mock**: Enables use of a mock Observatorium client.
- `observatorium-timeout` [Optional]: Timeout to be used for Observatorium requests (default: `240s`).
- **observatorium-debug**: Enables Observatorium debug logging.
- **observatorium-ignore-ssl**: Disables Observatorium TLS verification.

### Red Hat SSO Authentication
- The '[Required]' in the following denotes that these flags are required to use Red Hat SSO Authentication with the service.
- `observability-red-hat-sso-auth-server-url`[Required]: Red Hat SSO authentication server URL (default: `https://sso.redhat.com/auth`).
- `observability-red-hat-sso-realm`[Required]: Red Hat SSO realm (default: `redhat-external`).
- `observability-red-hat-sso-token-refresher-url`[Required]: Red Hat SSO token refresher URL (default: `www.test.com`).
- `observability-red-hat-sso-observatorium-gateway`[Required]: Red Hat SSO observatorium gateway (default: `https://observatorium-mst.api.stage.openshift.com`).
- `observability-red-hat-sso-tenant`[Required]: Red Hat SSO tenant (default: `managedCentral`).
- `observability-red-hat-sso-logs-client-id-file`[Required]: The path to the file containing the client
ID for the logs service account for use with Red Hat SSO.
- `observability-red-hat-sso-logs-secret-file`[Required]: The path to the file containing the client
secret for the logs service account for use with Red Hat SSO.
- `observability-red-hat-sso-metrics-client-id-file`[Required]: The path to the file containing the client
ID for the metrics service account for use with Red Hat SSO.
- `observability-red-hat-sso-metrics-secret-file`[Required]: The path to the file containing the client
secret for the metrics service account for use with Red Hat SSO.

## OpenShift Cluster Manager
- **enable-ocm-mock**: Enables use of a mock OCM client.
- `ocm-mock-mode` [Optional]: Sets the ocm client mock type (default: `stub-server`).
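Review bot: Deleting the Observability section documents the removal of `enable-observatorium-mock`, `observatorium-timeout`, `observatorium-debug`, `observatorium-ignore-ssl` and the `observability-red-hat-sso-*` flags; confirm the corresponding Go flag definitions are removed in this merge (their files are not expanded on this page), otherwise the flags remain accepted but undocumented. `observatorium-ignore-ssl` in particular disabled TLS verification, so if it survives in code it should be removed there as well rather than only from the docs.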