From ff9e6261bcf136bf7985d086701bb20325d4b791 Mon Sep 17 00:00:00 2001 From: Humair Khan Date: Wed, 16 Feb 2022 16:56:21 -0500 Subject: [PATCH] Enable trino programmatic access via dex auth service. --- .../osc/osc-cl2/cluster-management/das.yaml | 20 ++++++++ .../cluster-management/kustomization.yaml | 1 + das/base/configmap.yaml | 11 +++++ das/base/deployment.yaml | 47 +++++++++++++++++++ das/base/kustomization.yaml | 9 ++++ das/base/route.yaml | 14 ++++++ das/base/secret.yaml | 6 +++ das/base/service.yaml | 14 ++++++ das/overlays/osc-cl2/configmap.yaml | 11 +++++ das/overlays/osc-cl2/kustomization.yaml | 9 ++++ das/overlays/osc-cl2/secret-generator.yaml | 6 +++ das/overlays/osc-cl2/secret.enc.yaml | 39 +++++++++++++++ dex/overlays/osc/osc-cl2/dex-clients.enc.yaml | 5 +- 13 files changed, 190 insertions(+), 2 deletions(-) create mode 100644 argocd/overlays/moc-infra/applications/envs/osc/osc-cl2/cluster-management/das.yaml create mode 100644 das/base/configmap.yaml create mode 100644 das/base/deployment.yaml create mode 100644 das/base/kustomization.yaml create mode 100644 das/base/route.yaml create mode 100644 das/base/secret.yaml create mode 100644 das/base/service.yaml create mode 100644 das/overlays/osc-cl2/configmap.yaml create mode 100644 das/overlays/osc-cl2/kustomization.yaml create mode 100644 das/overlays/osc-cl2/secret-generator.yaml create mode 100644 das/overlays/osc-cl2/secret.enc.yaml diff --git a/argocd/overlays/moc-infra/applications/envs/osc/osc-cl2/cluster-management/das.yaml b/argocd/overlays/moc-infra/applications/envs/osc/osc-cl2/cluster-management/das.yaml new file mode 100644 index 000000000..834ea9f69 --- /dev/null +++ b/argocd/overlays/moc-infra/applications/envs/osc/osc-cl2/cluster-management/das.yaml 
@@ -0,0 +1,20 @@ +--- +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: das +spec: + destination: + name: osc-cl2 + namespace: odh-trino + project: cluster-management + source: + path: das/overlays/osc-cl2 + repoURL: https://github.com/operate-first/apps.git + targetRevision: HEAD + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - Validate=false diff --git a/argocd/overlays/moc-infra/applications/envs/osc/osc-cl2/cluster-management/kustomization.yaml b/argocd/overlays/moc-infra/applications/envs/osc/osc-cl2/cluster-management/kustomization.yaml index b23ee0fa6..0f8c22677 100644 --- a/argocd/overlays/moc-infra/applications/envs/osc/osc-cl2/cluster-management/kustomization.yaml +++ b/argocd/overlays/moc-infra/applications/envs/osc/osc-cl2/cluster-management/kustomization.yaml @@ -4,6 +4,7 @@ resources: - acme-operator.yaml - cloudbeaver.yaml - cluster-resources.yaml + - das.yaml - dex.yaml - kfdefs.yaml - odh-operator.yaml diff --git a/das/base/configmap.yaml b/das/base/configmap.yaml new file mode 100644 index 000000000..096d23f37 --- /dev/null +++ b/das/base/configmap.yaml @@ -0,0 +1,11 @@ +kind: ConfigMap +apiVersion: v1 +metadata: + name: das +data: + CLIENT_ID: "das" + REDIRECT_URI: "https://das-odh-trino.apps.odh-cl1.apps.os-climate.org/callback" + ISSUER_URL: "http://dex-dex.apps.odh-cl1.apps.os-climate.org" + LISTEN_ADDRESS: "http://0.0.0.0:5555" + DEBUG: "false" + SCOPES: "email,openid,profile" diff --git a/das/base/deployment.yaml b/das/base/deployment.yaml new file mode 100644 index 000000000..5e610e59a --- /dev/null +++ b/das/base/deployment.yaml 
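Review bot: `Validate=false` under `syncOptions` in `das.yaml` turns off manifest validation for everything this Application syncs, so a misspelled or misplaced field in the das manifests may be dropped silently instead of failing the sync. If the option was only carried over from the sibling applications, I would remove it for das, or add a comment naming the resource that needs it, e.g. `# Validate=false: needed for <resource>, see <reason>`. With `targetRevision: HEAD` and automated `prune`/`selfHeal`, a merge to the default branch reaches the cluster with no further gate, which makes that schema check more valuable.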
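Review bot: `ISSUER_URL` in `das/base/configmap.yaml` uses `http://`, so OIDC discovery, signing-key retrieval and the code-for-token exchange (which carries the client secret) would go to Dex in cleartext; the same scheme is repeated in `das/overlays/osc-cl2/configmap.yaml`. If Dex is served over TLS on that route, both should read `https://dex-dex.apps.<cluster>.apps.os-climate.org`. The value must match the `issuer` Dex itself is configured with, which this diff does not show, so that setting may need the same change. The base also hard-codes `odh-cl1` hostnames, so an overlay that forgets to patch the ConfigMap would point at another cluster's identity provider. `DEBUG` is defined here but not passed in the Deployment's `args`.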
@@ -0,0 +1,47 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: das
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: das
+ template:
+ metadata:
+ labels:
+ app: das
+ spec:
+ containers:
+ - name: das
+ image: quay.io/operate-first/das:v0.2.0
+ envFrom:
+ - configMapRef:
+ name: das
+ - secretRef:
+ name: das
+ ports:
+ - containerPort: 5555
+ name: web
+ command:
+ - "./das/das-exec"
+ args:
+ - "--client-id"
+ - "$(CLIENT_ID)"
+ - "--client-secret"
+ - "$(CLIENT_SECRET)"
+ - "--issuer"
+ - "$(ISSUER_URL)"
+ - "--listen"
+ - "$(LISTEN_ADDRESS)"
+ - "--redirect-uri"
+ - "$(REDIRECT_URI)"
+ - "--scopes"
+ - "$(SCOPES)"
+ resources:
+ limits:
+ cpu: 1
+ memory: 2Gi
+ requests:
+ cpu: 512m
+ memory: 500Mi
diff --git a/das/base/kustomization.yaml b/das/base/kustomization.yaml
new file mode 100644
index 000000000..70d18fdc6
--- /dev/null
+++ b/das/base/kustomization.yaml
@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: odh-trino
+resources:
+ - deployment.yaml
+ - configmap.yaml
+ - secret.yaml
+ - service.yaml
+ - route.yaml
diff --git a/das/base/route.yaml b/das/base/route.yaml
new file mode 100644
index 000000000..f91ff890d
--- /dev/null
+++ b/das/base/route.yaml
@@ -0,0 +1,14 @@
+kind: Route
+apiVersion: route.openshift.io/v1
+metadata:
+ name: das
+ annotations:
+ kubernetes.io/tls-acme: "true"
+ labels:
+ app: das
+spec:
+ to:
+ kind: Service
+ name: das
+ port:
+ targetPort: web
diff --git a/das/base/secret.yaml b/das/base/secret.yaml
new file mode 100644
index 000000000..42d5554e7
--- /dev/null
+++ b/das/base/secret.yaml
@@ -0,0 +1,6 @@
+kind: Secret
+apiVersion: v1
+metadata:
+ name: das
+stringData:
+ CLIENT_SECRET: "SECRET"
diff --git a/das/base/service.yaml b/das/base/service.yaml
new file mode 100644
index 000000000..d48ce9303
--- /dev/null
+++ b/das/base/service.yaml
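Review bot: The `args` list in `das/base/deployment.yaml` passes `$(CLIENT_SECRET)` on the command line, which puts the OIDC client secret into the process's argv, where it is readable through `/proc/<pid>/cmdline` and shows up in process listings and crash reports. `envFrom` already exposes `CLIENT_SECRET` in the environment, so if `das-exec` can read it from there or from a mounted file (not verifiable from this diff), the `--client-secret` pair should be dropped from `args`. The container also declares no `securityContext`; I would add `allowPrivilegeEscalation: false` and `runAsNonRoot: true` rather than rely on whatever the namespace's SCC happens to enforce. Pinning the image by digest instead of the `v0.2.0` tag would make the deployed binary reproducible.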
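Review bot: `das/base/route.yaml` has no `spec.tls` block, so as committed it is a plain-HTTP route that depends on the controller behind the `kubernetes.io/tls-acme` annotation to add TLS later. Until then, and afterwards unless that controller also sets a redirect policy, HTTP requests to the host are served rather than upgraded, and `/callback` is where the authorization code arrives. I would state the intent in the manifest with `tls:` / `termination: edge` / `insecureEdgeTerminationPolicy: Redirect` under `spec`, after confirming that this does not conflict with how the ACME controller manages the route.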
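Review bot: `das/base/secret.yaml` ships a Secret whose `CLIENT_SECRET` is the literal `"SECRET"`, so any overlay that pulls in `../../base` without a replacing generator deploys with a publicly known client secret and raises no error. The osc-cl2 overlay does replace it through ksops (`behavior: replace`), but that protection relies on every future overlay doing the same. Consider removing `secret.yaml` from the base `resources` so the pod fails on the missing `secretRef` instead, adjusting the overlay's behavior annotation to match. At minimum, add a comment above the value such as `# placeholder only: every overlay must replace this via its ksops secret`.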
@@ -0,0 +1,14 @@
+kind: Service
+apiVersion: v1
+metadata:
+ name: das
+ labels:
+ app: das
+spec:
+ ports:
+ - name: web
+ protocol: TCP
+ port: 80
+ targetPort: web
+ selector:
+ app: das
diff --git a/das/overlays/osc-cl2/configmap.yaml b/das/overlays/osc-cl2/configmap.yaml
new file mode 100644
index 000000000..ed20bb077
--- /dev/null
+++ b/das/overlays/osc-cl2/configmap.yaml
@@ -0,0 +1,11 @@
+kind: ConfigMap
+apiVersion: v1
+metadata:
+ name: das
+data:
+ CLIENT_ID: "das"
+ REDIRECT_URI: "https://das-odh-trino.apps.odh-cl2.apps.os-climate.org/callback"
+ ISSUER_URL: "http://dex-dex.apps.odh-cl2.apps.os-climate.org"
+ LISTEN_ADDRESS: "http://0.0.0.0:5555"
+ DEBUG: "false"
+ SCOPES: "email,openid,profile"
diff --git a/das/overlays/osc-cl2/kustomization.yaml b/das/overlays/osc-cl2/kustomization.yaml
new file mode 100644
index 000000000..a0f5c4aa2
--- /dev/null
+++ b/das/overlays/osc-cl2/kustomization.yaml
@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: odh-trino
+resources:
+ - ../../base
+patchesStrategicMerge:
+ - configmap.yaml
+generators:
+ - secret-generator.yaml
diff --git a/das/overlays/osc-cl2/secret-generator.yaml b/das/overlays/osc-cl2/secret-generator.yaml
new file mode 100644
index 000000000..cf02665cf
--- /dev/null
+++ b/das/overlays/osc-cl2/secret-generator.yaml
@@ -0,0 +1,6 @@
+apiVersion: viaduct.ai/v1
+kind: ksops
+metadata:
+ name: secret-generator
+files:
+ - secret.enc.yaml
diff --git a/das/overlays/osc-cl2/secret.enc.yaml b/das/overlays/osc-cl2/secret.enc.yaml
new file mode 100644
index 000000000..bf56fc866
--- /dev/null
+++ b/das/overlays/osc-cl2/secret.enc.yaml
@@ -0,0 +1,39 @@
+kind: Secret
+apiVersion: v1
+metadata:
+ name: das
+ annotations:
+ kustomize.config.k8s.io/behavior: replace
+stringData:
+ CLIENT_SECRET: ENC[AES256_GCM,data:FPZpjwti9X+xbiLSeuJsT17+jmHFf2QtKnO/Mq2IL93tYN/0,iv:ATW/CpvdtbE6NWKxuwt/rOZsjkjPaVTDpYVMuoSTbKE=,tag:3fvAE+MEIy0b93K32uHR1w==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ lastmodified: '2022-02-16T21:52:19Z'
+ mac: ENC[AES256_GCM,data:GkauogEb8QU/hs/fFYI0laSddotIoqqVigY2+LPDJP+y5FPSjTMgWaRHKXIAhww5StOleUZ+Rul5cLFtHIWZYbtA3SkYbIIJT7nM84qVPeCbDRyLBJwc7S10YSzDHqPtBg2EFnYjofCYddlNgcIABop1rjlKAMP3Faev+mNAXeA=,iv:pPbKQU5WfORZDzzYhKtwQYslKx9kVV9p0XTvFgh40vs=,tag:WQq5MpX3lxsozHRh+YkUTA==,type:str]
+ pgp:
+ - created_at: '2022-02-16T21:48:04Z'
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ wcFMA9aKBcudqifiARAAcf2Af4Uyb1kbsDhbAChT4s63yjXuvNS349dZaW5kPAC5
+ rlc5uLkCIrewESZg1x5bj9oHc1pCOpoItiHg85Hnd4iAcMLc2OX7mG9GHnwCrvMT
+ crlwLMfDJfuyefpHqO8uJibbegBNgmFLHglhfM78EIcDS2C8jVTFHiYk3/ZQWg47
+ ZvvrUQwgbh/G8zNL6uhBEWMf6nqCoUiIQPTOGgfwyHqBrblVo6GlU2alF+n4hNu5
+ aceZitZqSzvpnIoW5TZVWxp5bx9zWAKZTAnfVWHSzxdpMLtjTytRcCUwq7FbcPCM
+ 5iOq3F5wKEybye3FMluUv7a8HKv+i6byXG3AiEikToBYuaXN/QqwH2/NVs5fcMKb
+ rv1teT2enu96i3UC5hNux/94jFWbo9f+jBc5xShaEy3ztBbsyGcyMljH1okSliYp
+ 9ewiWFO2Hx5Toq0w3unXF13orxw8L3L63zMAB64SQtVC4+7anVMTROHi3I38AXDK
+ 27hRerz8z8VyZhmfzLFGyytWPiiMYY6zVCaxnO6U7mzvtFFmPGa7FI61YF8VOHiP
+ t5o60Cab6NwyKpWxaeHbok+Sm8gy+HcdNSQf5Tq2Hux/XjG2907QeYx9N5LrQ/Nm
+ vblWOyXGnlZGTJi6n9AmB+NVhRiDWksoO8KPUvIprEGgxp43+J/AYnmMETxpqr/S
+ 4AHkAq+Uz6YYxZpDB1ojhf05NOEf3eCD4GzhNUjg+OJQX1Kn4IzlSmkMK7JG+2AI
+ YYYjg7MdOmjxP61hSHuAkNtfcvSmuvLgfeQRcJtvQpIc2/MGORA83aU74i1s21Xh
+ djMA
+ =PDw2
+ -----END PGP MESSAGE-----
+ fp: 0508677DD04952D06A943D5B4DC4116D360E3276
+ encrypted_regex: ^(users|data|stringData)$
+ version: 3.6.1
diff --git a/dex/overlays/osc/osc-cl2/dex-clients.enc.yaml b/dex/overlays/osc/osc-cl2/dex-clients.enc.yaml
index 786857a52..054ccd47c 100644
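Review bot: Nothing in `das/overlays/osc-cl2/secret.enc.yaml` or its generator records that `CLIENT_SECRET` presumably has to equal the `DAS_SECRET` added to `dex/overlays/osc/osc-cl2/dex-clients.enc.yaml` in this same commit. The two values are encrypted separately, so a rotation that touches only one of them breaks login with nothing in the repo to explain why. A plaintext comment in `das/overlays/osc-cl2/secret-generator.yaml`, outside the sops-managed file, would cover it: `# CLIENT_SECRET must match DAS_SECRET in dex/overlays/osc/osc-cl2/dex-clients.enc.yaml; rotate both together`. The sops metadata also lists a single PGP recipient under `fp`, so decryption and rotation depend on that one key being available.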
--- a/dex/overlays/osc/osc-cl2/dex-clients.enc.yaml +++ b/dex/overlays/osc/osc-cl2/dex-clients.enc.yaml @@ -7,13 +7,14 @@ metadata: stringData: SUPERSET_SECRET: ENC[AES256_GCM,data:+SU1scRNu1rFHl+Y5RIjpCHhd+i1WG4/nTo6Aj+xTfQglKPE,iv:Q1N73L3T/fVjSEF3ZY3+wtBLDwH4gV6kCkyJ7pPWdgg=,tag:BQZdMCMTFqQnZoCNs9+Bnw==,type:str] TRINO_SECRET: ENC[AES256_GCM,data:RvMhbCU9Wt6gcKWBzjaaCtTx0w6VcA00QlqDYV6OUBHijRJq,iv:AUQKlOLc2fAi60xWgDh2kwdBOMsNoTVD12jqtszaTwk=,tag:tls8HVgC697OZqSZlP6RLQ==,type:str] + DAS_SECRET: ENC[AES256_GCM,data:/sPZPs1rBj8SGFB+ap/dkkhueY3WN1+tS3TfdzYY0mpiZn3L,iv:hJOrj0VCFojd4xJg5dNYZxUiAIgGlnJYYjR5KVAd93M=,tag:YmDFeqd1MYEY1ycC9s1DRA==,type:str] sops: kms: [] gcp_kms: [] azure_kv: [] hc_vault: [] - lastmodified: '2022-02-10T21:42:48Z' - mac: ENC[AES256_GCM,data:OnqUena9aass/Q1nmWMdZ23PypshOwOEpWmdwN0m/QAgxOrTuZ9SOCkXbw2pHMg/MeUWsG1AW+G5wy6NcVaJjUt0uMgIo0VQyHNNLL8dWb+tPqyNhikN1HNpBlrK9cVISkscpg7nYtif3BFcHMwLttnGojevJwDg1d/oh4uTeRc=,iv:KvQgTdZhOX3krmx/DoSO+eCN4lzdcLZtl7caQJDIvc0=,tag:SGHdbfuSv6w8+a23KBy1Ng==,type:str] + lastmodified: '2022-02-16T21:43:30Z' + mac: ENC[AES256_GCM,data:AFDo0r/IGCrcbntbPyhY3RIpiJjtXXxsK1mx2cf4XZCQtsJUIdSDWeLS8n46Y8avFgeubRze2lJeF50q7EU6ELSy4IW8O4oA/kdBLuvhFt76QHNN59GhBB4XVH4Yl+i42clZeT1lMRUtm+s0i10DqD9gL7fAaQYvtIkAWxmaC5I=,iv:HiIFM1kIGrzOcvJORZ9iQ93f2AGY38eLR/IzZPXqnFQ=,tag:yd1XQsV4tWoY+IfDIR/7qw==,type:str] pgp: - created_at: '2022-02-10T21:42:47Z' enc: |-