Enable trino programmatic access via dex auth service.

argocd/overlays/moc-infra/applications/envs/osc/osc-cl2/cluster-management/das.yaml

@@ -0,0 +1,20 @@
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: das
+spec:
+  destination:
+    name: osc-cl2
+    namespace: odh-trino
+  project: cluster-management
+  source:
+    path: das/overlays/osc-cl2
+    repoURL: https://github.com/operate-first/apps.git
+    targetRevision: HEAD
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - Validate=false

argocd/overlays/moc-infra/applications/envs/osc/osc-cl2/cluster-management/kustomization.yaml

@@ -4,6 +4,7 @@ resources:
   - acme-operator.yaml
   - cloudbeaver.yaml
   - cluster-resources.yaml
+  - das.yaml
   - dex.yaml
   - kfdefs.yaml
   - odh-operator.yaml

das/base/configmap.yaml

@@ -0,0 +1,11 @@
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: das
+data:
+  CLIENT_ID: "das"
+  REDIRECT_URI: "https://das-odh-trino.apps.odh-cl1.apps.os-climate.org/callback"
+  ISSUER_URL: "http://dex-dex.apps.odh-cl1.apps.os-climate.org"
+  LISTEN_ADDRESS: "http://0.0.0.0:5555"
+  DEBUG: "false"
+  SCOPES: "email,openid,profile"

das/base/deployment.yaml

@@ -0,0 +1,47 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: das
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: das
+  template:
+    metadata:
+      labels:
+        app: das
+    spec:
+      containers:
+        - name: das
+          image: quay.io/operate-first/das:v0.2.0
+          envFrom:
+            - configMapRef:
+                name: das
+            - secretRef:
+                name: das
+          ports:
+            - containerPort: 5555
+              name: web
+          command:
+            - "./das/das-exec"
+          args:
+            - "--client-id"
+            - "$(CLIENT_ID)"
+            - "--client-secret"
+            - "$(CLIENT_SECRET)"
+            - "--issuer"
+            - "$(ISSUER_URL)"
+            - "--listen"
+            - "$(LISTEN_ADDRESS)"
+            - "--redirect-uri"
+            - "$(REDIRECT_URI)"
+            - "--scopes"
+            - "$(SCOPES)"
+          resources:
+            limits:
+              cpu: 1
+              memory: 2Gi
+            requests:
+              cpu: 512m
+              memory: 500Mi

das/base/kustomization.yaml

@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: odh-trino
+resources:
+  - deployment.yaml
+  - configmap.yaml
+  - secret.yaml
+  - service.yaml
+  - route.yaml

das/base/route.yaml

@@ -0,0 +1,14 @@
+kind: Route
+apiVersion: route.openshift.io/v1
+metadata:
+  name: das
+  annotations:
+    kubernetes.io/tls-acme: "true"
+  labels:
+    app: das
+spec:
+  to:
+    kind: Service
+    name: das
+  port:
+    targetPort: web

das/base/secret.yaml

@@ -0,0 +1,6 @@
+kind: Secret
+apiVersion: v1
+metadata:
+  name: das
+stringData:
+  CLIENT_SECRET: "SECRET"

das/base/service.yaml

@@ -0,0 +1,14 @@
+kind: Service
+apiVersion: v1
+metadata:
+  name: das
+  labels:
+    app: das
+spec:
+  ports:
+    - name: web
+      protocol: TCP
+      port: 80
+      targetPort: web
+  selector:
+    app: das

das/overlays/osc-cl2/configmap.yaml

@@ -0,0 +1,11 @@
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: das
+data:
+  CLIENT_ID: "das"
+  REDIRECT_URI: "https://das-odh-trino.apps.odh-cl2.apps.os-climate.org/callback"
+  ISSUER_URL: "http://dex-dex.apps.odh-cl2.apps.os-climate.org"
+  LISTEN_ADDRESS: "http://0.0.0.0:5555"
+  DEBUG: "false"
+  SCOPES: "email,openid,profile"

das/overlays/osc-cl2/kustomization.yaml

@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: odh-trino
+resources:
+  - ../../base
+patchesStrategicMerge:
+  - configmap.yaml
+generators:
+  - secret-generator.yaml

das/overlays/osc-cl2/secret-generator.yaml

@@ -0,0 +1,6 @@
+apiVersion: viaduct.ai/v1
+kind: ksops
+metadata:
+  name: secret-generator
+files:
+  - secret.enc.yaml

das/overlays/osc-cl2/secret.enc.yaml

@@ -0,0 +1,39 @@
+kind: Secret
+apiVersion: v1
+metadata:
+    name: das
+    annotations:
+        kustomize.config.k8s.io/behavior: replace
+stringData:
+    CLIENT_SECRET: ENC[AES256_GCM,data:FPZpjwti9X+xbiLSeuJsT17+jmHFf2QtKnO/Mq2IL93tYN/0,iv:ATW/CpvdtbE6NWKxuwt/rOZsjkjPaVTDpYVMuoSTbKE=,tag:3fvAE+MEIy0b93K32uHR1w==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    lastmodified: '2022-02-16T21:52:19Z'
+    mac: ENC[AES256_GCM,data:GkauogEb8QU/hs/fFYI0laSddotIoqqVigY2+LPDJP+y5FPSjTMgWaRHKXIAhww5StOleUZ+Rul5cLFtHIWZYbtA3SkYbIIJT7nM84qVPeCbDRyLBJwc7S10YSzDHqPtBg2EFnYjofCYddlNgcIABop1rjlKAMP3Faev+mNAXeA=,iv:pPbKQU5WfORZDzzYhKtwQYslKx9kVV9p0XTvFgh40vs=,tag:WQq5MpX3lxsozHRh+YkUTA==,type:str]
+    pgp:
+    -   created_at: '2022-02-16T21:48:04Z'
+        enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            wcFMA9aKBcudqifiARAAcf2Af4Uyb1kbsDhbAChT4s63yjXuvNS349dZaW5kPAC5
+            rlc5uLkCIrewESZg1x5bj9oHc1pCOpoItiHg85Hnd4iAcMLc2OX7mG9GHnwCrvMT
+            crlwLMfDJfuyefpHqO8uJibbegBNgmFLHglhfM78EIcDS2C8jVTFHiYk3/ZQWg47
+            ZvvrUQwgbh/G8zNL6uhBEWMf6nqCoUiIQPTOGgfwyHqBrblVo6GlU2alF+n4hNu5
+            aceZitZqSzvpnIoW5TZVWxp5bx9zWAKZTAnfVWHSzxdpMLtjTytRcCUwq7FbcPCM
+            5iOq3F5wKEybye3FMluUv7a8HKv+i6byXG3AiEikToBYuaXN/QqwH2/NVs5fcMKb
+            rv1teT2enu96i3UC5hNux/94jFWbo9f+jBc5xShaEy3ztBbsyGcyMljH1okSliYp
+            9ewiWFO2Hx5Toq0w3unXF13orxw8L3L63zMAB64SQtVC4+7anVMTROHi3I38AXDK
+            27hRerz8z8VyZhmfzLFGyytWPiiMYY6zVCaxnO6U7mzvtFFmPGa7FI61YF8VOHiP
+            t5o60Cab6NwyKpWxaeHbok+Sm8gy+HcdNSQf5Tq2Hux/XjG2907QeYx9N5LrQ/Nm
+            vblWOyXGnlZGTJi6n9AmB+NVhRiDWksoO8KPUvIprEGgxp43+J/AYnmMETxpqr/S
+            4AHkAq+Uz6YYxZpDB1ojhf05NOEf3eCD4GzhNUjg+OJQX1Kn4IzlSmkMK7JG+2AI
+            YYYjg7MdOmjxP61hSHuAkNtfcvSmuvLgfeQRcJtvQpIc2/MGORA83aU74i1s21Xh
+            djMA
+            =PDw2
+            -----END PGP MESSAGE-----
+        fp: 0508677DD04952D06A943D5B4DC4116D360E3276
+    encrypted_regex: ^(users|data|stringData)$
+    version: 3.6.1

dex/overlays/osc/osc-cl2/dex-clients.enc.yaml

@@ -7,13 +7,14 @@ metadata:
 stringData:
     SUPERSET_SECRET: ENC[AES256_GCM,data:+SU1scRNu1rFHl+Y5RIjpCHhd+i1WG4/nTo6Aj+xTfQglKPE,iv:Q1N73L3T/fVjSEF3ZY3+wtBLDwH4gV6kCkyJ7pPWdgg=,tag:BQZdMCMTFqQnZoCNs9+Bnw==,type:str]
     TRINO_SECRET: ENC[AES256_GCM,data:RvMhbCU9Wt6gcKWBzjaaCtTx0w6VcA00QlqDYV6OUBHijRJq,iv:AUQKlOLc2fAi60xWgDh2kwdBOMsNoTVD12jqtszaTwk=,tag:tls8HVgC697OZqSZlP6RLQ==,type:str]
+    DAS_SECRET: ENC[AES256_GCM,data:/sPZPs1rBj8SGFB+ap/dkkhueY3WN1+tS3TfdzYY0mpiZn3L,iv:hJOrj0VCFojd4xJg5dNYZxUiAIgGlnJYYjR5KVAd93M=,tag:YmDFeqd1MYEY1ycC9s1DRA==,type:str]
 sops:
     kms: []
     gcp_kms: []
     azure_kv: []
     hc_vault: []
-    lastmodified: '2022-02-10T21:42:48Z'
-    mac: ENC[AES256_GCM,data:OnqUena9aass/Q1nmWMdZ23PypshOwOEpWmdwN0m/QAgxOrTuZ9SOCkXbw2pHMg/MeUWsG1AW+G5wy6NcVaJjUt0uMgIo0VQyHNNLL8dWb+tPqyNhikN1HNpBlrK9cVISkscpg7nYtif3BFcHMwLttnGojevJwDg1d/oh4uTeRc=,iv:KvQgTdZhOX3krmx/DoSO+eCN4lzdcLZtl7caQJDIvc0=,tag:SGHdbfuSv6w8+a23KBy1Ng==,type:str]
+    lastmodified: '2022-02-16T21:43:30Z'
+    mac: ENC[AES256_GCM,data:AFDo0r/IGCrcbntbPyhY3RIpiJjtXXxsK1mx2cf4XZCQtsJUIdSDWeLS8n46Y8avFgeubRze2lJeF50q7EU6ELSy4IW8O4oA/kdBLuvhFt76QHNN59GhBB4XVH4Yl+i42clZeT1lMRUtm+s0i10DqD9gL7fAaQYvtIkAWxmaC5I=,iv:HiIFM1kIGrzOcvJORZ9iQ93f2AGY38eLR/IzZPXqnFQ=,tag:yd1XQsV4tWoY+IfDIR/7qw==,type:str]
     pgp:
     -   created_at: '2022-02-10T21:42:47Z'
         enc: |-