Use pre-shared key in rhelemeter component (#611)

philipgough · web-flow · commit e10e35da2843 · 2023-09-29T10:54:55.000+01:00
* jb update telemeter

* Generate template for rhelemeter that uses client info file

* Update test for rhelemeter
diff --git a/jsonnetfile.json b/jsonnetfile.json
@@ -82,7 +82,7 @@
           "subdir": "jsonnet/lib"
         }
       },
-      "version": "master",
+      "version": "main",
       "name": "thanos-receive-controller"
     },
     {
@@ -92,7 +92,7 @@
           "subdir": "jsonnet/thanos-receive-controller-mixin"
         }
       },
-      "version": "master"
+      "version": "main"
     },
     {
       "source": {
diff --git a/jsonnetfile.lock.json b/jsonnetfile.lock.json
@@ -303,8 +303,8 @@
           "subdir": "jsonnet/telemeter"
         }
       },
-      "version": "36999a33bdeb42c6f25d099985c98f346f83c1f3",
-      "sum": "uXGo7tcHOkLNS53J0o64vhrNl+dc1SYY4hkrBoxitz8="
+      "version": "5923762c315758d64e0a3ebebb15943ebf0c2a80",
+      "sum": "C8wxoobehWU7ykPDhCMiCmSWTe/8jGjOJvcS+rxzp2U="
     },
     {
       "source": {
diff --git a/resources/services/rhelemeter-template.yaml b/resources/services/rhelemeter-template.yaml
@@ -3,6 +3,23 @@ kind: Template
 metadata:
   name: rhelemeter
 objects:
+- apiVersion: v1
+  kind: Secret
+  metadata:
+    labels:
+      k8s-app: rhelemeter-server
+    name: rhelemeter-server-client-info
+  stringData:
+    client-info.json: |-
+      {
+          "config": {
+              "common_name_header": "x-rh-certauth-cn",
+              "issuer_header": "x-rh-certauth-issuer",
+              "secret_header": "x-rh-rhelemeter-gateway-secret"
+          },
+          "secret": "${RHELEMETER_CLIENT_INFO_PSK}"
+      }
+  type: Opaque
 - apiVersion: apps/v1
   kind: Deployment
   metadata:
@@ -22,11 +39,11 @@ objects:
           - /usr/bin/rhelemeter-server
           - --listen=0.0.0.0:8443
           - --listen-internal=0.0.0.0:8081
-          - --tls-key=/etc/pki/external/tls.key
-          - --tls-crt=/etc/pki/external/tls.crt
-          - --tls-ca-crt=/etc/pki/external/ca.crt
+          - --tls-key=/etc/pki/service/tls.key
+          - --tls-crt=/etc/pki/service/tls.crt
           - --internal-tls-key=/etc/pki/service/tls.key
           - --internal-tls-crt=/etc/pki/service/tls.crt
+          - --client-info-data-file=/etc/external/client-info.json
           - --oidc-issuer=$(OIDC_ISSUER)
           - --client-id=$(CLIENT_ID)
           - --client-secret=$(CLIENT_SECRET)
@@ -78,8 +95,8 @@ objects:
           - mountPath: /etc/pki/service
             name: rhelemeter-server-tls
             readOnly: false
-          - mountPath: /etc/pki/external
-            name: rhelemeter-server-external-mtls
+          - mountPath: /etc/external
+            name: rhelemeter-server-client-info
             readOnly: false
         serviceAccountName: rhelemeter-server
         volumes:
@@ -89,20 +106,9 @@ objects:
         - name: rhelemeter-server-tls
           secret:
             secretName: rhelemeter-server-shared
-        - name: rhelemeter-server-external-mtls
+        - name: rhelemeter-server-client-info
           secret:
-            secretName: rhelemeter-server-external-mtls
-- apiVersion: v1
-  kind: Secret
-  metadata:
-    labels:
-      k8s-app: rhelemeter-server
-    name: rhelemeter-server-external-mtls
-  stringData:
-    ca.crt: ${RHELEMETER_EXTERNAL_MTLS_CA}
-    tls.crt: ${RHELEMETER_EXTERNAL_MTLS_CRT}
-    tls.key: ${RHELEMETER_EXTERNAL_MTLS_KEY}
-  type: Opaque
+            secretName: rhelemeter-server-client-info
 - apiVersion: v1
   kind: Secret
   metadata:
@@ -163,7 +169,7 @@ parameters:
 - name: NAMESPACE
   value: rhelemeter
 - name: IMAGE_TAG
-  value: 82f71d3
+  value: "5923762"
 - name: IMAGE
   value: quay.io/app-sre/telemeter
 - name: REPLICAS
@@ -173,16 +179,12 @@ parameters:
 - name: RHELEMETER_FORWARD_URL
   value: ""
 - name: RHELEMETER_OIDC_ISSUER
-  value: ""
+  value: https://sso.redhat.com/auth/realms/redhat-external
 - name: RHELEMETER_CLIENT_ID
   value: ""
 - name: RHELEMETER_CLIENT_SECRET
   value: ""
-- name: RHELEMETER_EXTERNAL_MTLS_CA
-  value: ""
-- name: RHELEMETER_EXTERNAL_MTLS_CRT
-  value: ""
-- name: RHELEMETER_EXTERNAL_MTLS_KEY
+- name: RHELEMETER_CLIENT_INFO_PSK
   value: ""
 - name: RHELEMETER_LOG_LEVEL
   value: warn
diff --git a/services/rhelemeter-template.jsonnet b/services/rhelemeter-template.jsonnet
@@ -11,9 +11,7 @@ local rhelemeter = (import 'rhelemeter.libsonnet') {
       oidcIssuer: '${RHELEMETER_OIDC_ISSUER}',
       clientID: '${RHELEMETER_CLIENT_ID}',
       clientSecret: '${RHELEMETER_CLIENT_SECRET}',
-      externalMtlsCa: '${RHELEMETER_EXTERNAL_MTLS_CA}',
-      externalMtlsCrt: '${RHELEMETER_EXTERNAL_MTLS_CRT}',
-      externalMtlsKey: '${RHELEMETER_EXTERNAL_MTLS_KEY}',
+      clientInfoPSK: '${RHELEMETER_CLIENT_INFO_PSK}',
       resourceLimits:: {
         cpu: '${RHELEMETER_SERVER_CPU_LIMIT}',
         memory: '${RHELEMETER_SERVER_MEMORY_LIMIT}',
@@ -38,17 +36,15 @@ local rhelemeter = (import 'rhelemeter.libsonnet') {
   ],
   parameters: [
     { name: 'NAMESPACE', value: 'rhelemeter' },
-    { name: 'IMAGE_TAG', value: '82f71d3' },
+    { name: 'IMAGE_TAG', value: '5923762' },
     { name: 'IMAGE', value: 'quay.io/app-sre/telemeter' },
     { name: 'REPLICAS', value: '2' },
     { name: 'RHELEMETER_TENANT_ID', value: 'rhel' },
     { name: 'RHELEMETER_FORWARD_URL', value: '' },
-    { name: 'RHELEMETER_OIDC_ISSUER', value: '' },
+    { name: 'RHELEMETER_OIDC_ISSUER', value: 'https://sso.redhat.com/auth/realms/redhat-external' },
     { name: 'RHELEMETER_CLIENT_ID', value: '' },
     { name: 'RHELEMETER_CLIENT_SECRET', value: '' },
-    { name: 'RHELEMETER_EXTERNAL_MTLS_CA', value: '' },
-    { name: 'RHELEMETER_EXTERNAL_MTLS_CRT', value: '' },
-    { name: 'RHELEMETER_EXTERNAL_MTLS_KEY', value: '' },
+    { name: 'RHELEMETER_CLIENT_INFO_PSK', value: '' },
     { name: 'RHELEMETER_LOG_LEVEL', value: 'warn' },
     { name: 'RHELEMETER_SERVER_CPU_LIMIT', value: '1' },
     { name: 'RHELEMETER_SERVER_CPU_REQUEST', value: '100m' },
diff --git a/services/rhelemeter.libsonnet b/services/rhelemeter.libsonnet
@@ -5,17 +5,15 @@
     namespace: 'rhelemeter',
 
     rhelemeterServer+:: {
-      image: 'quay.io/app-sre/telemeter:82f71d3',
+      image: 'quay.io/app-sre/telemeter:5923762',
       replicas: 3,
       logLevel: 'warn',
       oidcIssuer: error 'must provide telemeterForwardURL',
       clientID: error 'must provide clientID',
       clientSecret: error 'must provide clientSecret',
       rhelemeterForwardURL: error 'must provide telemeterForwardURL',
       rhelemeterTenantID: error 'must provide rhelemeterTenantID',
-      externalMtlsCa: error 'must provide externalMtlsCa',
-      externalMtlsKey: error 'must provide externalMtlsKey',
-      externalMtlsCrt: error 'must provide externalMtlsCrt',
+      clientInfoPSK: error 'must provide clientInfoPSK',
     },
 
   },
@@ -27,7 +25,7 @@
       },
     },
 
-    externalMtlsSecret+: {
+    clientInfoSecret+: {
       data+:: {
       },
     },
diff --git a/tests/ci/ci_test.sh b/tests/ci/ci_test.sh
@@ -82,8 +82,7 @@ telemeter() {
 
 rhelemeter() {
     oc wait --for=jsonpath='{.status.phase}=Active' namespace/rhelemeter --timeout=5s
-    oc process -f --param-file=env/rhelemeter.test.ci.env -p RHELEMETER_EXTERNAL_MTLS_CA="$(cat ../deploy/manifests/rhelemeter_certs/ca.crt)" \
-        RHELEMETER_EXTERNAL_MTLS_CRT="$(cat ../deploy/manifests/rhelemeter_certs/tls.crt)" RHELEMETER_EXTERNAL_MTLS_KEY="$(cat ../deploy/manifests/rhelemeter_certs/tls.key)" \
+    oc process -f --param-file=env/rhelemeter.test.ci.env -p RHELEMETER_CLIENT_INFO_PSK=ZXhhbXBsZS1hcHAtc2VjcmV0 \
         -f ../../resources/services/rhelemeter-template.yaml | oc apply --namespace rhelemeter -f -
 }
 
diff --git a/tests/ci/env/rhelemeter.test.ci.env b/tests/ci/env/rhelemeter.test.ci.env
@@ -7,3 +7,4 @@ RHELEMETER_OIDC_ISSUER=http://dex.dex.svc.cluster.local:5556/dex
 RHELEMETER_CLIENT_ID=test
 RHELEMETER_TENANT_ID=test
 RHELEMETER_CLIENT_SECRET=ZXhhbXBsZS1hcHAtc2VjcmV0
+RHELEMETER_CLIENT_INFO_PSK=ZXhhbXBsZS1hcHAtc2VjcmV0
diff --git a/tests/deploy/env/rhelemeter.test.env b/tests/deploy/env/rhelemeter.test.env
@@ -7,3 +7,4 @@ RHELEMETER_OIDC_ISSUER=http://dex.dex.svc.cluster.local:5556/dex
 RHELEMETER_CLIENT_ID=test
 RHELEMETER_TENANT_ID=test
 RHELEMETER_CLIENT_SECRET=ZXhhbXBsZS1hcHAtc2VjcmV0
+RHELEMETER_CLIENT_INFO_PSK=ZXhhbXBsZS1hcHAtc2VjcmV0
diff --git a/tests/deploy/launch.sh b/tests/deploy/launch.sh
@@ -78,8 +78,7 @@ telemeter() {
 
 rhelemeter() {
     oc create ns rhelemeter || true
-    oc process --param-file=env/rhelemeter.test.env -p RHELEMETER_EXTERNAL_MTLS_CA="$(cat manifests/rhelemeter_certs/ca.crt)" \
-        RHELEMETER_EXTERNAL_MTLS_CRT="$(cat manifests/rhelemeter_certs/tls.crt)" RHELEMETER_EXTERNAL_MTLS_KEY="$(cat manifests/rhelemeter_certs/tls.key)" \
+    oc process --param-file=env/rhelemeter.test.env -p RHELEMETER_CLIENT_INFO_PSK=super-secret \
         -f ../../resources/services/rhelemeter-template.yaml | oc apply --namespace rhelemeter -f -
 }
 
diff --git a/tests/deploy/testdata/client-info.json b/tests/deploy/testdata/client-info.json
@@ -0,0 +1,8 @@
+{
+  "secret": "super-secret",
+  "config": {
+    "secret_header": "x-secret",
+    "common_name_header": "x-common-name",
+    "issuer_header": "x-issuer"
+  }
+}

Original file line number	Diff line number	Diff line change
`@@ -82,7 +82,7 @@`
`82`	`82`	`"subdir": "jsonnet/lib"`
`83`	`83`	`}`
`84`	`84`	`},`
`85`		`- "version": "master",`
	`85`	`+ "version": "main",`
`86`	`86`	`"name": "thanos-receive-controller"`
`87`	`87`	`},`
`88`	`88`	`{`
`@@ -92,7 +92,7 @@`
`92`	`92`	`"subdir": "jsonnet/thanos-receive-controller-mixin"`
`93`	`93`	`}`
`94`	`94`	`},`
`95`		`- "version": "master"`
	`95`	`+ "version": "main"`
`96`	`96`	`},`
`97`	`97`	`{`
`98`	`98`	`"source": {`
Original file line number	Diff line number	Diff line change
`@@ -303,8 +303,8 @@`
`303`	`303`	`"subdir": "jsonnet/telemeter"`
`304`	`304`	`}`
`305`	`305`	`},`
`306`		`- "version": "36999a33bdeb42c6f25d099985c98f346f83c1f3",`
`307`		`- "sum": "uXGo7tcHOkLNS53J0o64vhrNl+dc1SYY4hkrBoxitz8="`
	`306`	`+ "version": "5923762c315758d64e0a3ebebb15943ebf0c2a80",`
	`307`	`+ "sum": "C8wxoobehWU7ykPDhCMiCmSWTe/8jGjOJvcS+rxzp2U="`
`308`	`308`	`},`
`309`	`309`	`{`
`310`	`310`	`"source": {`
Original file line number	Diff line number	Diff line change
`@@ -82,8 +82,7 @@ telemeter() {`
`82`	`82`
`83`	`83`	`rhelemeter() {`
`84`	`84`	`oc wait --for=jsonpath='{.status.phase}=Active' namespace/rhelemeter --timeout=5s`
`85`		`- oc process -f --param-file=env/rhelemeter.test.ci.env -p RHELEMETER_EXTERNAL_MTLS_CA="$(cat ../deploy/manifests/rhelemeter_certs/ca.crt)" \`
`86`		`- RHELEMETER_EXTERNAL_MTLS_CRT="$(cat ../deploy/manifests/rhelemeter_certs/tls.crt)" RHELEMETER_EXTERNAL_MTLS_KEY="$(cat ../deploy/manifests/rhelemeter_certs/tls.key)" \`
	`85`	`+ oc process -f --param-file=env/rhelemeter.test.ci.env -p RHELEMETER_CLIENT_INFO_PSK=ZXhhbXBsZS1hcHAtc2VjcmV0 \`
`87`	`86`	`-f ../../resources/services/rhelemeter-template.yaml \| oc apply --namespace rhelemeter -f -`
`88`	`87`	`}`
`89`	`88`
Original file line number	Diff line number	Diff line change
`@@ -78,8 +78,7 @@ telemeter() {`
`78`	`78`
`79`	`79`	`rhelemeter() {`
`80`	`80`	`oc create ns rhelemeter \|\| true`
`81`		`- oc process --param-file=env/rhelemeter.test.env -p RHELEMETER_EXTERNAL_MTLS_CA="$(cat manifests/rhelemeter_certs/ca.crt)" \`
`82`		`- RHELEMETER_EXTERNAL_MTLS_CRT="$(cat manifests/rhelemeter_certs/tls.crt)" RHELEMETER_EXTERNAL_MTLS_KEY="$(cat manifests/rhelemeter_certs/tls.key)" \`
	`81`	`+ oc process --param-file=env/rhelemeter.test.env -p RHELEMETER_CLIENT_INFO_PSK=super-secret \`
`83`	`82`	`-f ../../resources/services/rhelemeter-template.yaml \| oc apply --namespace rhelemeter -f -`
`84`	`83`	`}`
`85`	`84`