Add OSD to rules-obsctl-reloader (#329)

Signed-off-by: Saswata Mukherjee <[email protected]>

Signed-off-by: Saswata Mukherjee <[email protected]>

Makefile

@@ -22,7 +22,7 @@ $(JSONNET_VENDOR_DIR): $(JB) jsonnetfile.json jsonnetfile.lock.json
 
 .PHONY: update
 update: $(JB) jsonnetfile.json jsonnetfile.lock.json
-	@$(JB) update --jsonnetpkg-home="$(JSONNET_VENDOR_DIR)" https://github.com/saswatamcode/slo-libsonnet/slo-libsonnet@special-selector
+	@$(JB) update --jsonnetpkg-home="$(JSONNET_VENDOR_DIR)" https://github.com/rhobs/obsctl-reloader/jsonnet/lib@main
 
 .PHONY: format
 format: $(JSONNET_SRC) $(JSONNETFMT)

jsonnetfile.lock.json

@@ -316,8 +316,8 @@
           "subdir": "jsonnet/lib"
         }
       },
-      "version": "a6a0ff74be63dabac0a1562a364a3a1ccc8f985d",
-      "sum": "vdcovQefbNENJcAlNTojsUldmCF0QIBUB5zSwB7wF4s="
+      "version": "17c3d4f4da79c22a4caf752601010ab2ffcf6f35",
+      "sum": "oQRPgrGDsD1m3JDjrcUFuceXhDY8zmQ9rsvc7ECiHm8="
     },
     {
       "source": {

resources/services/observatorium-template.yaml

@@ -190,31 +190,39 @@ objects:
           app.kubernetes.io/version: ${OBSCTL_RELOADER_IMAGE_TAG}
       spec:
         containers:
-        - env:
+        - args:
+          - --sleep-duration-seconds=${SLEEP_DURATION_SECONDS}
+          - --observatorium-api-url=${OBSERVATORIUM_URL}
+          - --managed-tenants=${MANAGED_TENANTS}
+          - --issuer-url=${OIDC_ISSUER_URL}
+          - --audience=${OIDC_AUDIENCE}
+          env:
           - name: NAMESPACE_NAME
             valueFrom:
               fieldRef:
                 fieldPath: metadata.namespace
-          - name: OBSERVATORIUM_URL
-            value: ${OBSERVATORIUM_URL}
-          - name: OIDC_AUDIENCE
-            value: ${OIDC_AUDIENCE}
-          - name: OIDC_ISSUER_URL
-            value: ${OIDC_ISSUER_URL}
-          - name: SLEEP_DURATION_SECONDS
-            value: ${SLEEP_DURATION_SECONDS}
-          - name: MANAGED_TENANTS
-            value: ${MANAGED_TENANTS}
-          - name: OIDC_CLIENT_ID
+          - name: RHOBS_CLIENT_ID
             valueFrom:
               secretKeyRef:
                 key: client_id
-                name: ${OBSCTL_RELOADER_SECRET_NAME}
-          - name: OIDC_CLIENT_SECRET
+                name: ${RHOBS_RELOADER_SECRET_NAME}
+          - name: OSD_CLIENT_ID
+            valueFrom:
+              secretKeyRef:
+                key: client-id
+                name: ${OSD_RELOADER_SECRET_NAME}
+                optional: true
+          - name: RHOBS_CLIENT_SECRET
             valueFrom:
               secretKeyRef:
                 key: client_secret
-                name: ${OBSCTL_RELOADER_SECRET_NAME}
+                name: ${RHOBS_RELOADER_SECRET_NAME}
+          - name: OSD_CLIENT_SECRET
+            valueFrom:
+              secretKeyRef:
+                key: client-secret
+                name: ${OSD_RELOADER_SECRET_NAME}
+                optional: true
           image: ${OBSCTL_RELOADER_IMAGE}:${OBSCTL_RELOADER_IMAGE_TAG}
           imagePullPolicy: IfNotPresent
           name: obsctl-reloader
@@ -1571,13 +1579,15 @@ parameters:
 - name: SLEEP_DURATION_SECONDS
   value: "15"
 - name: MANAGED_TENANTS
-  value: rhobs
-- name: OBSCTL_RELOADER_SECRET_NAME
+  value: rhobs,osd
+- name: RHOBS_RELOADER_SECRET_NAME
   value: rhobs-tenant
+- name: OSD_RELOADER_SECRET_NAME
+  value: observatorium-observatorium-mst-api
 - name: OBSCTL_RELOADER_IMAGE
   value: quay.io/app-sre/obsctl-reloader
 - name: OBSCTL_RELOADER_IMAGE_TAG
-  value: a6a0ff7
+  value: 17c3d4f
 - name: METRICS_WRITE_SERVICE_NAME
   value: observatorium-thanos-receive
 - name: METRICS_WRITE_SERVICE_PORT

services/observatorium-template.jsonnet

@@ -89,10 +89,11 @@ local obs = import 'observatorium.libsonnet';
     { name: 'OIDC_AUDIENCE', value: 'observatorium' },
     { name: 'OIDC_ISSUER_URL', value: 'https://sso.redhat.com/auth/realms/redhat-external' },
     { name: 'SLEEP_DURATION_SECONDS', value: '15' },
-    { name: 'MANAGED_TENANTS', value: 'rhobs' },
-    { name: 'OBSCTL_RELOADER_SECRET_NAME', value: 'rhobs-tenant' },
+    { name: 'MANAGED_TENANTS', value: 'rhobs,osd' },
+    { name: 'RHOBS_RELOADER_SECRET_NAME', value: 'rhobs-tenant' },
+    { name: 'OSD_RELOADER_SECRET_NAME', value: 'observatorium-observatorium-mst-api' },
     { name: 'OBSCTL_RELOADER_IMAGE', value: 'quay.io/app-sre/obsctl-reloader' },
-    { name: 'OBSCTL_RELOADER_IMAGE_TAG', value: 'a6a0ff7' },
+    { name: 'OBSCTL_RELOADER_IMAGE_TAG', value: '17c3d4f' },
     { name: 'METRICS_WRITE_SERVICE_NAME', value: obs.thanos.receiversService.metadata.name },
     { name: 'METRICS_WRITE_SERVICE_PORT', value: std.toString(obs.thanos.receiversService.spec.ports[2].port) },
   ],

services/observatorium.libsonnet

@@ -166,8 +166,24 @@ local obsctlReloader = (import 'github.com/rhobs/obsctl-reloader/jsonnet/lib/obs
       oidcIssuerURL: '${OIDC_ISSUER_URL}',
       sleepDurationSeconds: '${SLEEP_DURATION_SECONDS}',
       managedTenants: '${MANAGED_TENANTS}',
-      obsctlReloaderSecret: '${OBSCTL_RELOADER_SECRET_NAME}',
     },
+    tenantSecretMap: [
+      {
+        tenant: 'RHOBS',
+        secret: '${RHOBS_RELOADER_SECRET_NAME}',
+        idKey: 'client_id',
+        secretKey: 'client_secret',
+      },
+      {
+        tenant: 'OSD',
+        secret: '${OSD_RELOADER_SECRET_NAME}',
+        idKey: 'client-id',
+        secretKey: 'client-secret',
+        // Marking as optional here, as OSD only exists on mst,
+        // so this should not block pod start.
+        optional: true,
+      },
+    ],
   }),
 
   rulesSLOPrometheusRule: {