From 8bd21754c217c818ff4023e4b13ed08eb0ae8a35 Mon Sep 17 00:00:00 2001
From: Yury Kovalev
Date: Fri, 28 Nov 2025 13:46:35 +0100
Subject: [PATCH 1/3] ROX-32050: Remove parameter store usages
---
 .../templates/emailsender-secret.yaml | 17 -----------------
 .../emailsender/templates/emailsender.yaml | 5 +----
 deploy/charts/emailsender/values.yaml | 2 +-
 3 files changed, 2 insertions(+), 22 deletions(-)
diff --git a/deploy/charts/emailsender/templates/emailsender-secret.yaml b/deploy/charts/emailsender/templates/emailsender-secret.yaml
index 6ceb5f3fb0..6df2d86a1c 100644
--- a/deploy/charts/emailsender/templates/emailsender-secret.yaml
+++ b/deploy/charts/emailsender/templates/emailsender-secret.yaml
@@ -32,21 +32,4 @@ spec:
 remoteRef:
 key: "cluster-{{ .Values.clusterName }}-emailsender-db"
 property: "port"
----
-apiVersion: external-secrets.io/v1beta1
-kind: ExternalSecret
-metadata:
- name: emailsender-ext-parameters
- namespace: {{ .Release.Namespace }}
-spec:
- secretStoreRef:
- name: {{ .Values.secretStore.aws.parameterStoreSecretStoreName }}
- kind: ClusterSecretStore
- target:
- name: emailsender-parameters
- creationPolicy: Owner
- data:
- - secretKey: aws-role-arn # pragma: allowlist secret
- remoteRef:
- key: "/emailsender/aws_role_arn"
 {{- end }}
diff --git a/deploy/charts/emailsender/templates/emailsender.yaml b/deploy/charts/emailsender/templates/emailsender.yaml
index 4e947c2069..4461990dbb 100644
--- a/deploy/charts/emailsender/templates/emailsender.yaml
+++ b/deploy/charts/emailsender/templates/emailsender.yaml
@@ -54,10 +54,7 @@ spec:
 - name: AWS_REGION
 value: {{ .Values.aws.region }}
 - name: AWS_ROLE_ARN
- valueFrom:
- secretKeyRef:
- name: emailsender-parameters
- key: "aws-role-arn"
+ value: {{ .Values.aws.roleArn }}
 - name: AWS_WEB_IDENTITY_TOKEN_FILE
 value: "/var/run/secrets/tokens/aws-token"
 ports:
diff --git a/deploy/charts/emailsender/values.yaml b/deploy/charts/emailsender/values.yaml
index d5358a5321..a7202abc8c 100644
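Review bot: The new `value: {{ .Values.aws.roleArn }}` line in the emailsender.yaml hunk is emitted unquoted, and the chart default added in the values.yaml hunk of this same patch is `roleArn: ""`, so a render with default values produces a bare `value:` (YAML null rather than an empty string) and the pod ends up with an empty AWS_ROLE_ARN beside a projected web-identity token file. Quoting the value and failing the render when it is missing would surface that at template time instead of at the first AWS call: `value: {{ required "aws.roleArn must be set" .Values.aws.roleArn | quote }}`; if rendering with the empty default must keep succeeding, `| quote` alone at least yields an explicit `""`. Since the role ARN is now an ordinary values-file setting instead of a value read from a store at reconcile time, the per-environment values files are where a wrong role binding would be introduced, which is worth noting in the chart's documentation. The AWS_REGION line above is context here but has the same unquoted form, and the container spec this belongs to starts and ends outside the hunk.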
--- a/deploy/charts/emailsender/values.yaml
+++ b/deploy/charts/emailsender/values.yaml
@@ -23,6 +23,7 @@ authConfigFromKubernetes: true
 # AWS configuration
 aws:
 region: "us-east-1"
+ roleArn: ""
 # Resource limits and requests
 resources:
 requests:
@@ -36,4 +37,3 @@ createExternalSecrets: true
 secretStore:
 aws:
 secretsManagerSecretStoreName: secrets-manager-secret-store # pragma: allowlist secret
- parameterStoreSecretStoreName: parameter-store-secret-store # pragma: allowlist secret
From 6477c3a97f12f59766ace0562fef830d4d353f61 Mon Sep 17 00:00:00 2001
From: Yury Kovalev
Date: Fri, 28 Nov 2025 15:59:34 +0100
Subject: [PATCH 2/3] Remove setup osd cluster idp
---
 docs/development/setup-osd-cluster-idp.md | 95 --------------------
 dp-terraform/osd-cluster-idp-setup.sh | 105 ----------------------
 2 files changed, 200 deletions(-)
 delete mode 100644 docs/development/setup-osd-cluster-idp.md
 delete mode 100644 dp-terraform/osd-cluster-idp-setup.sh
diff --git a/docs/development/setup-osd-cluster-idp.md b/docs/development/setup-osd-cluster-idp.md
deleted file mode 100644
index d1c3fc3e4a..0000000000
--- a/docs/development/setup-osd-cluster-idp.md
+++ /dev/null
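Review bot: The new `roleArn: ""` key in the first values.yaml hunk carries no comment, while this file annotates its sections (`# AWS configuration`, `# Resource limits and requests`), so a reader of the values file alone cannot tell that the empty default is not a usable setting or what the value feeds. A one-line comment above it would do: `# ARN of the IAM role exported to the emailsender pod as AWS_ROLE_ARN (used with AWS_WEB_IDENTITY_TOKEN_FILE); set per environment`. The key is also a good candidate for a `required` check in the template that consumes it, which I raised on the emailsender.yaml hunk.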
@@ -1,95 +0,0 @@ -# How-To setup OSD cluster Identity Provider (IdP) - -## Pre-reqs - -1. `ocm` installed -2. Secrets `oidc_client_id` and `oidc_client_secret` set in AWS secrets manager in `us-east-1`. -3. Parameter `oidc_user_list` set by [terraform](https://github.com/stackrox/acs-fleet-manager-aws-config) in `us-east-1`. - -Additionally, you will require access to the environment specific AWS account. - -## Creating the IdPs - -For each OSD cluster, you can create IdPs that will allow login to the OpenShift Console and map your user to a specific group within the cluster, providing i.e. administrative rights. - -The following IdPs will be created: -- OIDC IdP using auth.redhat.com as backend. - -Before executing the script that manages the IdP setup, you have to ensure you are logged in with OCM. -Based on the environment, you have to choose between `rhacs-managed-service-integration`, `rhacs-managed-service-stage` or `rhacs-managed-service-prod` account. - -Afterwards, you can call the script and adjust the parameters based on your needs: -```shell -AWS_REGION=us-east-1 AWS_SAML_ROLE=-poweruser ./dp-terraform/osd-cluster-idp-setup.sh "integration|stage|prod" "cluster-name" -``` - -The script will handle the following: -1. Fetch required parameters from AWS Parameter Store and credentials from AWS Secrets Manager. The first time it runs, it will ask for AWS credentials. -2. Create the OIDC IdP for the cluster. -3. Create the user <-> group mapping for cluster-admins. - -Afterwards, you should see the list of users and their group mapping within the console.openshift.com and when -logging in the OSD cluster you should see the option to login via `OIDC`. - -**Note: The sync from console.openshift.com and your OSD cluster may take some time for your IdP to show up when trying to log in.** - -The script also creates a robot service account and related resources, for use by continuous deployment. - -## Cleanup - -For the cleanup, there's currently no script offered. 
- -There's two options for deleting the user mappings from console.openshift.com: -- deleting manually within the UI -- calling the following command: `ocm delete user --group=cluster-admins ` - -Additionally, you will have to clear the users within the OSD cluster. - -You can do so by running the following: -```shell -# Login to the cluster. This will automatically set the correct context for oc. -ocm cluster login --token -oc login --token - -# List the identities that have been created. An identity will be created the first time -# a user logins via an IdP -oc get identity - -# Delete all identities -oc delete identity - -# Ensure the users are also cleaned up -oc get users - -# Delete existing users -oc delete users -``` - -## Troubleshooting - -### Authentication error - -In case you are receiving an "authentication error" when logging in, here are some steps to further investigate the issue: -```shell -ocm cluster login --token -oc login --token - -# Get the authentication operator pods -oc get pods -n openshift-authentication - -# Check the logs of the pods (should be 3 replicas) to find an issue -oc logs -n openshift-authentication -``` - -The following log statements have been observed and there's a remediation available: -**Please add additional findings, if you have them, in this list to help others!** - -`errorpage.go:28] AuthenticationError: users.user.openshift.io not found`: -Description: This error occurs when the user is deleted within openshift, but the identity is still existing. -Remediation: Delete the identity of the user. You can do this by running the following: -```shell -# Retrieve all identities -oc get identity -# Use the identity that is related to the user ID -oc delete identity -``` diff --git a/dp-terraform/osd-cluster-idp-setup.sh b/dp-terraform/osd-cluster-idp-setup.sh deleted file mode 100644 index 94c33e3998..0000000000 --- a/dp-terraform/osd-cluster-idp-setup.sh +++ /dev/null 
@@ -1,105 +0,0 @@ -#!/bin/bash -set -euo pipefail - -SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)" - -# shellcheck source=scripts/lib/external_config.sh -source "$SCRIPT_DIR/../scripts/lib/external_config.sh" - -if [[ $# -ne 2 ]]; then - echo "Usage: $0 [environment] [cluster]" >&2 - echo "Known environments: integration stage prod" - echo "Cluster typically looks like: acs-{env}-dp-01" - echo "Description: This script will create identity providers for the OSD cluster:" - echo "- OIDC provider using auth.redhat.com" - echo "See additional documentation in docs/development/setup-osd-cluster-idp.md" - echo - echo "Note: you need to be logged into OCM for your environment's administrator" - echo "Note: you need access to AWS account of the selected environment" - exit 2 -fi - -ENVIRONMENT=$1 -CLUSTER_NAME=$2 - -export AWS_AUTH_HELPER="${AWS_AUTH_HELPER:-aws-saml}" - -export_cluster_environment() { - init_chamber - load_external_config "osd" OSD_ -} - -setup_oidc_provider() { - if ! ocm list idps --cluster="${CLUSTER_NAME}" --columns name | grep -qE '^OpenID *$'; then - echo "Creating an OpenID IdP for the cluster." - ocm create idp --name=OpenID \ - --cluster="${CLUSTER_ID}" \ - --type=openid \ - --client-id="${OSD_OIDC_CLIENT_ID}" \ - --client-secret="${OSD_OIDC_CLIENT_SECRET}" \ - --issuer-url=https://auth.redhat.com/auth/realms/EmployeeIDP \ - --email-claims=email --name-claims=preferred_username --username-claims=preferred_username - else - echo "Skipping creating an OIDC IdP for the cluster, already exists." - fi -} - -case $ENVIRONMENT in - integration) - EXPECT_OCM_ID="2QVFzUvsbMGheHhoUDjtG0tpJ08" - ;; - - stage) - EXPECT_OCM_ID="2ECw6PIE06TzjScQXe6QxMMt3Sa" - ;; - - prod) - # TODO: Fetch OCM token and log in as appropriate user as part of script. 
- EXPECT_OCM_ID="2BBslbGSQs5PS2HCfJKqOPcCN4r" - ;; - - *) - echo "Unknown environment ${ENVIRONMENT}" - exit 2 - ;; -esac - -ACTUAL_OCM_ID=$(ocm whoami | jq -r '.id') -if [[ "${EXPECT_OCM_ID}" != "${ACTUAL_OCM_ID}" ]]; then - echo "Must be logged into rhacs-managed-service-$ENVIRONMENT account in OCM to get cluster ID" - exit 1 -fi -CLUSTER_ID=$(ocm list cluster "${CLUSTER_NAME}" --no-headers --columns="ID") - -export_cluster_environment -setup_oidc_provider - -# This set of commands modifies OIDC provider to include "groups" claim mapping. -CLUSTER_IDP_ID=$(ocm get /api/clusters_mgmt/v1/clusters/"$CLUSTER_ID"/identity_providers | jq -r '.items[0].id') -tmpfile=$(mktemp /tmp/dataplane-idp-setup-tmp-patch-body.XXXXXX) -cat <"$tmpfile" -{ - "type": "OpenIDIdentityProvider", - "open_id": { - "claims": { - "email": [ - "email" - ], - "groups": [ - "groups" - ], - "name": [ - "preferred_username" - ], - "preferred_username": [ - "preferred_username" - ] - }, - "client_id": "${OSD_OIDC_CLIENT_ID}", - "client_secret": "${OSD_OIDC_CLIENT_SECRET}", - "issuer": "https://auth.redhat.com/auth/realms/EmployeeIDP" - } -} -END -ocm patch /api/clusters_mgmt/v1/clusters/"$CLUSTER_ID"/identity_providers/"$CLUSTER_IDP_ID" --body="$tmpfile" -rm "$tmpfile" From 1aeada7033fb0069762a15893968aff3c2e1444a Mon Sep 17 00:00:00 2001 From: Yury Kovalev Date: Fri, 28 Nov 2025 16:04:47 +0100 Subject: [PATCH 3/3] Remove Parameter Store usages --- .../emailsender-db/emailsender-db.yaml | 7 ------- .../secretstore/01-clustersecretstore.yaml | 20 ------------------- dev/env/values/emailsender/values.yaml | 2 ++ fleetshard/README.md | 2 +- scripts/lib/external_config.sh | 14 ------------- 5 files changed, 3 insertions(+), 42 deletions(-) diff --git a/dev/env/manifests/emailsender-db/emailsender-db.yaml b/dev/env/manifests/emailsender-db/emailsender-db.yaml index 5b9ffddaec..dfc5206830 100644 --- a/dev/env/manifests/emailsender-db/emailsender-db.yaml 
+++ b/dev/env/manifests/emailsender-db/emailsender-db.yaml
@@ -57,10 +57,3 @@ metadata:
 name: emailsender-db
 stringData:
 db.host: "emailsender-db"
----
-apiVersion: v1
-kind: Secret
-metadata:
- name: emailsender-parameters
-stringData:
- aws-role-arn: "placeholder"
diff --git a/dev/env/manifests/external-secrets/secretstore/01-clustersecretstore.yaml b/dev/env/manifests/external-secrets/secretstore/01-clustersecretstore.yaml
index aeb3d32005..6d30daacba 100644
--- a/dev/env/manifests/external-secrets/secretstore/01-clustersecretstore.yaml
+++ b/dev/env/manifests/external-secrets/secretstore/01-clustersecretstore.yaml
@@ -18,23 +18,3 @@ spec:
 name: aws-access-keys
 key: secret-access-key
 namespace: rhacs
----
-apiVersion: external-secrets.io/v1beta1
-kind: ClusterSecretStore
-metadata:
- name: parameter-store-secret-store
-spec:
- provider:
- aws:
- service: ParameterStore
- region: us-east-1
- auth:
- secretRef:
- accessKeyIDSecretRef:
- name: aws-access-keys
- key: access-key-id
- namespace: rhacs
- secretAccessKeySecretRef:
- name: aws-access-keys
- key: secret-access-key
- namespace: rhacs
diff --git a/dev/env/values/emailsender/values.yaml b/dev/env/values/emailsender/values.yaml
index f873a5557e..d6fd98f1d7 100644
--- a/dev/env/values/emailsender/values.yaml
+++ b/dev/env/values/emailsender/values.yaml
@@ -10,3 +10,5 @@ db:
 image:
 repo: "quay.io/rhacs-eng/emailsender"
 createExternalSecrets: false
+aws:
+ roleArn: placeholder
diff --git a/fleetshard/README.md b/fleetshard/README.md
index a61fde7d95..20892d9f75 100644
--- a/fleetshard/README.md
+++ b/fleetshard/README.md
@@ -34,7 +34,7 @@ make fleetshard-sync ``` ## External configuration -To run Fleetshard-sync locally, you may need to download the development configuration from AWS Parameter Store: +To run Fleetshard-sync locally, you may need to download the development configuration from AWS Secrets Manager: ```shell export AWS_AUTH_HELPER=aws-saml source ./scripts/lib/external_config.sh
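Review bot: The added `roleArn: placeholder` in the dev values.yaml hunk is a bare scalar where the other string in this file section is quoted (`"quay.io/rhacs-eng/emailsender"`) and where the dev Secret it replaces, the `aws-role-arn: "placeholder"` removed from emailsender-db.yaml earlier in this patch, was quoted too; `roleArn: "placeholder"` keeps the convention and protects a later edit of the value from implicit retyping. The value is also not a role ARN, and the rendered pod will carry it as AWS_ROLE_ARN, so a comment stating that this is deliberate would save the next person debugging AWS calls from the dev environment some time: `# intentionally not a real role ARN; replaces the former emailsender-parameters dev Secret`.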
diff --git a/scripts/lib/external_config.sh b/scripts/lib/external_config.sh
index 30d56a64ff..896ed1dc2f 100644
--- a/scripts/lib/external_config.sh
+++ b/scripts/lib/external_config.sh
@@ -60,17 +60,3 @@ auth_init_error() {
 auth_helper_error() {
 die "Error: $1. Please refer to the troubleshooting section in docs/development/secret-management.md for a possible cause."
 }
-
-# Loads config from the external storage to the environment and applying a prefix to a variable name (if exists).
-load_external_config() {
- local service="$1"
- local prefix="${2:-}"
- local parameter_store_output
- local secrets_manager_output
- parameter_store_output=$(chamber env "$service" --backend ssm)
- # chamber fails for secretsmanager backend, but not for ssm (parameter store).
- # We suppress pipefail error for secretsmanager backend to get similar behaviour.
- secrets_manager_output=$(chamber env "$service" --backend secretsmanager) || true
- [[ -z "$parameter_store_output" && -z "$secrets_manager_output" ]] && echo "WARNING: no parameters found under '/$service' of this environment"
- eval "$(printf '%s\n%s' "$parameter_store_output" "$secrets_manager_output" | sed -E "s/(^export +)(.*)/readonly ${prefix}\2/")"
-}