Migrate to appsre unleash

.gitleaks.toml

@@ -0,0 +1,7 @@
+[allowlist]
+description = "Global Allowlist"
+
+regexes = [
+    # keycloak client secret used in local
+    '''ZYhToGucoRMwaWHxXyGKsjunXlXV6Uto''',
+]

controllers/cloud.redhat.com/providers/featureflags/localfeatureflags.go

@@ -2,7 +2,6 @@
 
 import (
 	"fmt"
-	"net/url"
 
 	crd "github.com/RedHatInsights/clowder/apis/cloud.redhat.com/v1alpha1"
 	"github.com/RedHatInsights/clowder/controllers/cloud.redhat.com/config"
@@ -11,6 +10,7 @@
 	"github.com/RedHatInsights/clowder/controllers/cloud.redhat.com/providers"
 	"github.com/RedHatInsights/clowder/controllers/cloud.redhat.com/providers/sizing"
 	provutils "github.com/RedHatInsights/clowder/controllers/cloud.redhat.com/providers/utils"
+	"github.com/RedHatInsights/clowder/controllers/cloud.redhat.com/providers/web"
 
 	apps "k8s.io/api/apps/v1"
 	core "k8s.io/api/core/v1"
@@ -108,19 +108,16 @@
 
 	username := utils.RandString(16)
 	hostname := fmt.Sprintf("%v.%v.svc", namespacedNameDb.Name, namespacedNameDb.Namespace)
-	passwordEncode := url.QueryEscape(password)
-	connectionURL := fmt.Sprintf("postgres://%s:%s@%s/%s", username, passwordEncode, hostname, "unleash")
 
 	dataInitDb := func() map[string]string {
 
 		return map[string]string{
-			"hostname":      hostname,
-			"port":          "5432",
-			"username":      username,
-			"password":      password,
-			"pgPass":        pgPassword,
-			"name":          "unleash",
-			"connectionURL": connectionURL,
+			"hostname": hostname,
+			"port":     "5432",
+			"username": username,
+			"password": password,
+			"pgPass":   pgPassword,
+			"name":     "unleash",
 		}
 	}
 
@@ -182,9 +179,12 @@
 }
 
 func createDefaultFFSecMap() map[string]string {
+
+	randString := utils.RandHexString(32)
+
 	return map[string]string{
-		"adminAccessToken":  "*:*." + utils.RandHexString(32),
-		"clientAccessToken": "default:development." + utils.RandHexString(32),
+		"adminAccessToken":  "*:*." + randString,
+		"clientAccessToken": "*:default." + randString + ",*:development." + randString + ",*:production." + randString,
 	}
 }
 
@@ -209,12 +209,11 @@
 	return nil
 }
 
-func makeLocalFeatureFlags(o obj.ClowdObject, objMap providers.ObjectMap, _ bool, nodePort bool) {
+func makeLocalFeatureFlags(cache *rc.ObjectCache, o obj.ClowdObject, objMap providers.ObjectMap, _ bool, nodePort bool) {
 	nn := providers.GetNamespacedName(o, "featureflags")
-
 	dd := objMap[LocalFFDeployment].(*apps.Deployment)
 	svc := objMap[LocalFFService].(*core.Service)
-
+	environment := o.(*crd.ClowdEnvironment)
 	labels := o.GetLabels()
 	labels["env-app"] = nn.Name
 	labels["service"] = "featureflags"
@@ -236,10 +235,42 @@
 			Name:  "DATABASE_SSL",
 			Value: "false",
 		},
+		{
+			Name:  "KC_HOST",
+			Value: web.GetAuthHostname(environment.Status.Hostname),
+		},
+		{
+			Name:  "KC_REALM",
+			Value: "unleash",
+		},
+		{
+			Name:  "KC_CLIENT_ID",
+			Value: "unleash",
+		},
+		{
+			Name:  "KC_ADMIN_ROLES",
+			Value: "admin",
+		},
+		{
+			Name:  "KC_EDITOR_ROLES",
+			Value: "editor",
+		},
+		{
+			Name:  "KC_VIEWER_ROLES",
+			Value: "viewer",
+		},
+		{
+			Name:  "KC_CLIENT_SECRET",
+			Value: "notsosecret",
+		},
 	}
 
 	envVars = provutils.AppendEnvVarsFromSecret(envVars, "featureflags-db",
-		provutils.NewSecretEnvVar("DATABASE_URL", "connectionURL"),
+		provutils.NewSecretEnvVar("DATABASE_HOST", "hostname"),
+		provutils.NewSecretEnvVar("DATABASE_PORT", "port"),
+		provutils.NewSecretEnvVar("DATABASE_USERNAME", "username"),
+		provutils.NewSecretEnvVar("DATABASE_PASSWORD", "password"),
+		provutils.NewSecretEnvVar("DATABASE_NAME", "name"),
 	)
 	envVars = provutils.AppendEnvVarsFromSecret(envVars, nn.Name,
 		provutils.NewSecretEnvVar("INIT_CLIENT_API_TOKENS", "clientAccessToken"),

controllers/cloud.redhat.com/providers/featureflags/provider.go

@@ -7,7 +7,9 @@ import (
 	p "github.com/RedHatInsights/clowder/controllers/cloud.redhat.com/providers"
 )
 
-var DefaultImageFeatureFlagsUnleash = "quay.io/cloudservices/unleash-docker:5.6.9"
+// AppSRE Unleash ver. 5.6.9
+// https://github.com/app-sre/unleash/tree/64de4f47c57e84b9838f8f1f932822212caf55fb
+var DefaultImageFeatureFlagsUnleash = "quay.io/app-sre/unleash:64de4f4"
 
 // ProvName identifies the featureflags provider.
 var ProvName = "featureflags"

controllers/cloud.redhat.com/providers/inmemorydb/redis.go

@@ -87,7 +87,7 @@
 	return providers.CachedMakeComponent(r.Provider.Cache, objList, app, "redis", makeLocalRedis, false, r.Env.IsNodePort())
 }
 
-func makeLocalRedis(o obj.ClowdObject, objMap providers.ObjectMap, _ bool, nodePort bool) {
+func makeLocalRedis(cache *rc.ObjectCache, o obj.ClowdObject, objMap providers.ObjectMap, _ bool, nodePort bool) {
 	nn := providers.GetNamespacedName(o, "redis")
 
 	dd := objMap[RedisDeployment].(*apps.Deployment)

controllers/cloud.redhat.com/providers/inmemorydb/redis_test.go

@@ -37,7 +37,7 @@ func TestLocalRedis(t *testing.T) {
 		RedisDeployment: &dd,
 		RedisService:    &svc,
 	}
-	makeLocalRedis(&env, objMap, true, false)
+	makeLocalRedis(nil, &env, objMap, true, false)
 
 	assert.Equal(t, "env-redis", dd.GetName(), "name was not set correctly")
 	assert.Len(t, svc.Spec.Ports, 1, "number of ports specified is wrong")

controllers/cloud.redhat.com/providers/objectstore/minio.go

@@ -279,7 +279,7 @@
 	return p.Cache.Update(MinioNetworkPolicy, np)
 }
 
-func makeLocalMinIO(o obj.ClowdObject, objMap providers.ObjectMap, usePVC bool, nodePort bool) {
+func makeLocalMinIO(cache *rc.ObjectCache, o obj.ClowdObject, objMap providers.ObjectMap, usePVC bool, nodePort bool) {
 	nn := providers.GetNamespacedName(o, "minio")
 
 	dd := objMap[MinioDeployment].(*apps.Deployment)

controllers/cloud.redhat.com/providers/providers.go

@@ -128,7 +128,7 @@ type ClowderProvider interface {
 	GetConfig() *config.AppConfig
 }
 
-type makeFnCache func(o obj.ClowdObject, objMap ObjectMap, usePVC bool, nodePort bool)
+type makeFnCache func(cache *rc.ObjectCache, o obj.ClowdObject, objMap ObjectMap, usePVC bool, nodePort bool)
 
 func createResource(cache *rc.ObjectCache, resourceIdent rc.ResourceIdent, nn types.NamespacedName) (client.Object, error) {
 	gvks, nok, err := cache.GetScheme().ObjectKinds(resourceIdent.GetType())
@@ -200,7 +200,7 @@ func CachedMakeComponent(cache *rc.ObjectCache, objList []rc.ResourceIdent, o ob
 
 	}
 
-	fn(o, makeFnMap, usePVC, nodePort)
+	fn(cache, o, makeFnMap, usePVC, nodePort)
 
 	for k, v := range makeFnMap {
 		err := updateResource(cache, k, v)

controllers/cloud.redhat.com/providers/web/local.go

@@ -262,7 +262,7 @@ func setSecretVersion(cache *rc.ObjectCache, nn types.NamespacedName, desiredVer
 	return nil
 }
 
-func getAuthHostname(hostname string) string {
+func GetAuthHostname(hostname string) string {
 	hostComponents := strings.Split(hostname, ".")
 	hostComponents[0] += "-auth"
 	return strings.Join(hostComponents, ".")

controllers/cloud.redhat.com/providers/web/resources_caddygateway.go

@@ -317,7 +317,7 @@
 	return hash, p.Cache.Update(CoreCaddyConfigMap, cm)
 }
 
-func makeWebGatewayDeployment(o obj.ClowdObject, objMap providers.ObjectMap, _ bool, _ bool) {
+func makeWebGatewayDeployment(cache *rc.ObjectCache, o obj.ClowdObject, objMap providers.ObjectMap, _ bool, _ bool) {
 	nn := providers.GetNamespacedName(o, "caddy-gateway")
 
 	dd := objMap[WebGatewayDeployment].(*apps.Deployment)

controllers/cloud.redhat.com/providers/web/resources_keycloak.go

@@ -199,10 +199,10 @@
 }
 
 func makeKeycloakImportSecretRealm(cache *rc.ObjectCache, o obj.ClowdObject, password string) error {
-	userData := &core.Secret{}
+	importData := &core.Secret{}
 	userDataNN := providers.GetNamespacedName(o, "keycloak-realm-import")
 
-	if err := cache.Create(WebKeycloakImportSecret, userDataNN, userData); err != nil {
+	if err := cache.Create(WebKeycloakImportSecret, userDataNN, importData); err != nil {
 		return err
 	}
 
@@ -211,20 +211,32 @@
 
 	labeler := utils.MakeLabeler(userDataNN, labels, o)
 
-	labeler(userData)
+	labeler(importData)
 
-	userImportData, err := os.ReadFile("./jsons/redhat-external-realm.json")
+	readhatRealmData, err := os.ReadFile("./jsons/redhat-external-realm.json")
 	if err != nil {
 		return fmt.Errorf("could not read user data: %w", err)
 	}
 
-	userData.StringData = map[string]string{}
-	userImportDataString := string(userImportData)
-	userImportDataString = strings.Replace(userImportDataString, "########PASSWORD########", password, 1)
+	unleashRealmData, err := os.ReadFile("./jsons/unleash-realm.json")
+	if err != nil {
+		return fmt.Errorf("could not read unleash-realm data: %w", err)
+	}
+
+	unleashUsersData, err := os.ReadFile("./jsons/unleash-users-0.json")
+	if err != nil {
+		return fmt.Errorf("could not read unleash-users data: %w", err)
+	}
 
-	userData.StringData["redhat-external-realm.json"] = string(userImportDataString)
+	importData.StringData = map[string]string{}
+	redhatRealmDataString := string(readhatRealmData)
+	redhatRealmDataString = strings.Replace(redhatRealmDataString, "########PASSWORD########", password, 1)
 
-	return cache.Update(WebKeycloakImportSecret, userData)
+	importData.StringData["redhat-external-realm.json"] = string(redhatRealmDataString)
+	importData.StringData["unleash-realm.json"] = string(unleashRealmData)
+	importData.StringData["unleash-users-0.json"] = string(unleashUsersData)
+
+	return cache.Update(WebKeycloakImportSecret, importData)
 }
 
 func baseProbeHandler(port int32, path string) core.ProbeHandler {
@@ -246,7 +258,35 @@
 	}
 }
 
-func makeKeycloak(o obj.ClowdObject, objMap providers.ObjectMap, _ bool, nodePort bool) {
+type secretEnvVar struct {
+	Name string
+	Key  string
+}
+
+func newSecretEnvVar(name, key string) secretEnvVar {
+	return secretEnvVar{Name: name, Key: key}
+}
+
+func mapEnvVarsToSecret(inputs []secretEnvVar, secName string) []core.EnvVar {
+	envVars := []core.EnvVar{}
+	for _, env := range inputs {
+		newVar := core.EnvVar{
+			Name: env.Name,
+			ValueFrom: &core.EnvVarSource{
+				SecretKeyRef: &core.SecretKeySelector{
+					LocalObjectReference: core.LocalObjectReference{
+						Name: secName,
+					},
+					Key: env.Key,
+				},
+			},
+		}
+		envVars = append(envVars, newVar)
+	}
+	return envVars
+}
+
+func makeKeycloak(cache *rc.ObjectCache, o obj.ClowdObject, objMap providers.ObjectMap, _ bool, nodePort bool) {
 	nn := providers.GetNamespacedName(o, "keycloak")
 
 	dd := objMap[WebKeycloakDeployment].(*apps.Deployment)
@@ -279,10 +319,6 @@
 			Name:  "PROXY_ADDRESS_FORWARDING",
 			Value: "true",
 		},
-		{
-			Name:  "KEYCLOAK_IMPORT",
-			Value: "/json/redhat-external-realm.json",
-		},
 	}
 
 	envVars = provutils.AppendEnvVarsFromSecret(envVars, "keycloak-db",
@@ -422,7 +458,7 @@
 		IngressClassName: &ingressClass,
 		Rules: []networking.IngressRule{
 			{
-				Host: getAuthHostname(p.Env.Status.Hostname),
+				Host: GetAuthHostname(p.Env.Status.Hostname),
 				IngressRuleValue: networking.IngressRuleValue{
 					HTTP: &networking.HTTPIngressRuleValue{
 						Paths: []networking.HTTPIngressPath{{

controllers/cloud.redhat.com/providers/web/resources_mbop.go

@@ -171,7 +171,7 @@
 	return p.Cache.Update(WebBOPIngress, netobj)
 }
 
-func makeBOP(o obj.ClowdObject, objMap providers.ObjectMap, _ bool, nodePort bool) {
+func makeBOP(cache *rc.ObjectCache, o obj.ClowdObject, objMap providers.ObjectMap, _ bool, nodePort bool) {
 	snn := providers.GetNamespacedName(o, "keycloak")
 	nn := providers.GetNamespacedName(o, "mbop")
 

controllers/cloud.redhat.com/providers/web/resources_mocktitlements.go

@@ -158,7 +158,7 @@
 	return p.Cache.Update(WebMocktitlementsIngress, netobj)
 }
 
-func makeMocktitlements(o obj.ClowdObject, objMap providers.ObjectMap, _ bool, nodePort bool) {
+func makeMocktitlements(cache *rc.ObjectCache, o obj.ClowdObject, objMap providers.ObjectMap, _ bool, nodePort bool) {
 	snn := providers.GetNamespacedName(o, "keycloak")
 	nn := providers.GetNamespacedName(o, "mocktitlements")