diff --git a/cluster/ci/config/prow/openshift/tracer.yaml b/cluster/ci/config/prow/openshift/tracer.yaml
index 0708622bccf92..139f0f0c97978 100644
--- a/cluster/ci/config/prow/openshift/tracer.yaml
+++ b/cluster/ci/config/prow/openshift/tracer.yaml
@@ -4,6 +4,10 @@ parameters:
 - description: The name of the component.
 name: NAME
 value: tracer
+- description: The session secret for the proxy
+ name: SESSION_SECRET
+ generate: expression
+ from: "[a-zA-Z0-9]{43}"
 objects:
 - apiVersion: v1
 kind: Route
@@ -13,8 +17,8 @@ objects:
 haproxy.router.openshift.io/timeout: 2m
 spec:
 tls:
+ termination: Reencrypt
 insecureEdgeTerminationPolicy: Redirect
- termination: edge
 to:
 kind: Service
 name: "${NAME}"
@@ -22,12 +26,14 @@ objects:
 kind: Service
 metadata:
 name: "${NAME}"
+ annotations:
+ service.alpha.openshift.io/serving-cert-secret-name: "${NAME}-tls"
 spec:
 selector:
 app: "${NAME}"
 ports:
- - port: 80
- targetPort: 8080
+ - port: 443
+ targetPort: 8443
 type: ClusterIP
 - apiVersion: apps.openshift.io/v1
 kind: DeploymentConfig
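Review bot: The new SESSION_SECRET parameter is generated but nothing in the template consumes it — the volumes added later in this diff mount `secretName: session-secret`, and no Secret object is created, so the pod cannot start unless that Secret is provisioned out of band, in which case the cookie secret is whatever was placed there by hand rather than this generated value. Add a Secret object under `objects` that carries the generated value under the key the proxy is told to read (`session_secret`, matching `-cookie-secret-file=/etc/proxy/secrets/session_secret`). Consider templating its name as `${NAME}-session-secret`, like the TLS secret, so two instances of the template in one namespace do not share a cookie key. The 43-character alphanumeric generator is the usual oauth-proxy pattern, but I have not checked v1.0.0's cookie-secret length validation, so confirm it accepts this value.
```yaml
objects:
- apiVersion: v1
  kind: Secret
  metadata:
    name: session-secret
  stringData:
    session_secret: "${SESSION_SECRET}"
# … unchanged: Route, Service, DeploymentConfig …
```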
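Review bot: Moving the Service to 443/8443 sends Route and Service traffic through the proxy, but the tracer container still declares `containerPort: 8080` (visible in a later hunk of this file) and, if it binds all interfaces, stays reachable unauthenticated at the pod IP from anywhere in the cluster — the sidecar only guards the Service and Route paths. If the tracer supports it, bind it to 127.0.0.1:8080 so only the co-located proxy's `-upstream=http://localhost:8080` can reach it; otherwise add a NetworkPolicy restricting ingress to this pod to port 8443. The tracer's listen flags are not visible in this diff, so confirm which option applies.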
@@ -42,6 +48,32 @@ objects:
 spec:
 serviceAccountName: "${NAME}"
 containers:
+ - name: oauth-proxy
+ image: openshift/oauth-proxy:v1.0.0
+ imagePullPolicy: IfNotPresent
+ ports:
+ - containerPort: 8443
+ name: web
+ args:
+ - -provider=openshift
+ - -https-address=:8443
+ - -http-address=
+ - -email-domain=*
+ - -upstream=http://localhost:8080
+ - -client-id=system:serviceaccount:ci:${NAME}
+ - -openshift-ca=/etc/pki/tls/cert.pem
+ - -openshift-ca=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+ - '-openshift-sar={"resource": "secrets", "verb": "update"}'
+ - '-openshift-delegate-urls={"/": {"resource": "secrets", "verb": "update"}}'
+ - -client-secret-file=/var/run/secrets/kubernetes.io/serviceaccount/token
+ - -cookie-secret-file=/etc/proxy/secrets/session_secret
+ - -tls-cert=/etc/tls/private/tls.crt
+ - -tls-key=/etc/tls/private/tls.key
+ volumeMounts:
+ - mountPath: /etc/tls/private
+ name: "${NAME}-tls"
+ - mountPath: /etc/proxy/secrets
+ name: session-secret
 - image: "${NAME}"
 name: "${NAME}"
 args:
@@ -49,6 +81,13 @@ objects:
 - --namespace=ci
 ports:
 - containerPort: 8080
+ volumes:
+ - name: session-secret
+ secret:
+ secretName: session-secret
+ - name: "${NAME}-tls"
+ secret:
+ secretName: "${NAME}-tls"
 triggers:
 - type: ConfigChange
 - imageChangeParams:
diff --git a/cluster/ci/config/prow/openshift/tracer_rbac.yaml b/cluster/ci/config/prow/openshift/tracer_rbac.yaml
index 625914be30dc2..fe802ee64721e 100644
--- a/cluster/ci/config/prow/openshift/tracer_rbac.yaml
+++ b/cluster/ci/config/prow/openshift/tracer_rbac.yaml
@@ -8,6 +8,8 @@ objects:
 - apiVersion: v1
 kind: ServiceAccount
 metadata:
+ annotations:
+ serviceaccounts.openshift.io/oauth-redirectreference.tracer: '{"kind":"OAuthRedirectReference","apiVersion":"v1","reference":{"kind":"Route","name":"tracer"}}'
 name: "${NAME}"
 - kind: Role
 apiVersion: rbac.authorization.k8s.io/v1beta1
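Review bot: The access checks `-openshift-sar={"resource": "secrets", "verb": "update"}` and the matching `-openshift-delegate-urls` entry name no namespace; how oauth-proxy scopes a namespace-less SubjectAccessReview (the proxy's own namespace versus cluster-wide) depends on the proxy version and I have not confirmed v1.0.0's defaulting, so state the intent explicitly: `'-openshift-sar={"namespace": "ci", "resource": "secrets", "verb": "update"}'` and the same in the delegate map. Separately, `image: openshift/oauth-proxy:v1.0.0` is pulled from the default public registry by a mutable tag with `imagePullPolicy: IfNotPresent`; an authentication gate is precisely the component to pin by digest or mirror into the cluster's registry. A short comment above `args` noting that the ServiceAccount token doubles as the OAuth client secret (`-client-secret-file` pointing at the SA token) would also help readers who have not seen this pattern.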
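Review bot: The OAuth redirect reference hard-codes the Route as `"name":"tracer"` while every other object in this file is parameterised on `${NAME}`; if the template is instantiated with a different NAME, the OAuth server will not accept the Route host as a redirect URI and browser logins through the new proxy will fail. Change the value to `"reference":{"kind":"Route","name":"${NAME}"}` — template substitution applies inside the quoted JSON string — and leave the annotation key suffix alone, since it is only a label. The `name: "${NAME}"` context line that follows confirms the ServiceAccount itself is already parameterised.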
@@ -37,3 +39,32 @@ objects:
 subjects:
 - kind: ServiceAccount
 name: "${NAME}"
+- kind: ClusterRole
+ apiVersion: rbac.authorization.k8s.io/v1beta1
+ metadata:
+ name: "${NAME}-oauth"
+ rules:
+ - apiGroups:
+ - authentication.k8s.io
+ resources:
+ - tokenreviews
+ verbs:
+ - create
+ - apiGroups:
+ - authorization.k8s.io
+ resources:
+ - subjectaccessreviews
+ verbs:
+ - create
+- kind: ClusterRoleBinding
+ apiVersion: rbac.authorization.k8s.io/v1beta1
+ metadata:
+ name: "${NAME}-oauth"
+ roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: "${NAME}-oauth"
+ subjects:
+ - kind: ServiceAccount
+ name: "${NAME}"
+ namespace: ci
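Review bot: The new ClusterRole and ClusterRoleBinding grant cluster-wide `create` on `tokenreviews` and `subjectaccessreviews`, which is the minimum oauth-proxy needs to honour bearer tokens via `-openshift-delegate-urls`, but nothing in the file records why, and the grant also lands on the tracer container, which runs under the same ServiceAccount and receives the same mounted token. Add a comment above the ClusterRole, e.g. `# Needed by the oauth-proxy sidecar: TokenReview/SubjectAccessReview are cluster-scoped and validate bearer tokens for -openshift-delegate-urls`. If the protected workload holding these permissions is not acceptable, the alternative is running the proxy in its own Deployment with its own ServiceAccount, which is a larger change than this diff. The hard-coded `namespace: ci` in the subject matches `-client-id=system:serviceaccount:ci:${NAME}` in the other file, so the two must be kept in step if either moves.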