cloud_deps: read auth0 creds from terraform_remote_state#45
Open
entlein wants to merge 5 commits into
Open
Conversation
The kubeconfig path was misspelled in cloud_deps/provider.tf, causing the kubernetes and kustomization providers to look for the kubeconfig at ~/.kube/cockpick-config rather than ~/.kube/cockpit-config.
Replace the sops_file-based lookup of auth0_config.yaml with a data.terraform_remote_state.auth0 reference so the cloud_deps state can consume the live values produced by the auth0 terraform run instead of relying on a separately-encrypted committed file. - core_resource_deps.tf: data.sops_file.auth0 -> data.terraform_remote_state.auth0 - variables.tf: new auth0_state_* vars (backend config for the remote state) - provider.tf: drop the sops provider (no longer referenced) Outputs expected on the auth0 state: pixie_client_id, pixie_client_secret.
|
Important Review skippedAuto reviews are disabled on base/target branches other than the default branch. Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: Organization UI Review profile: ASSERTIVE Plan: Pro Plus Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
entlein
temporarily deployed
to
pr-actions-approval
GitHub Actions
Inactive
Brings the cockpit overlay in line with the SovereignSOC ckp2 deploy:
- cloud_ingress / proxy_envoy / servers_transport / domain_config
all swap pixie.austrianopencloudcommunity.org for
test.austrianopencloudcommunity.org (matches the cloud_domain
tfvar fed into cloud_deps cert-manager, so cert SAN ↔ ingress
host stop conflicting).
- new oauth_config.yaml patches pl-oauth-config away from the hydra
defaults inherited from k8s/cloud_deps/public/configs.yaml.
PL_OAUTH_PROVIDER=auth0 and PL_AUTH_URI point at our auth0
tenant; the auth-server already has the matching client_id /
client_secret via the cloud-auth0-secrets Secret created by
cloud_deps from terraform_remote_state.
- kustomization.yaml: register the new oauth_config patch.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
entlein
temporarily deployed
to
pr-actions-approval
GitHub Actions
Inactive
kustomize patches: can only modify resources already in the build, but pl-oauth-config lives in k8s/cloud_deps/public/configs.yaml (deployed by terraform, not by cockpit). The previous commit registered it under patches: and kustomize rightly errored: error: no resource matches strategic merge patch "ConfigMap.v1.[noGrp]/pl-oauth-config.[noNs]" Move it to resources: so cockpit emits its own pl-oauth-config; the subsequent kubectl apply overwrites whatever the cloud_deps terraform state previously wrote. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
entlein
temporarily deployed
to
pr-actions-approval
GitHub Actions
Inactive
The Certificate's issuerRef previously specified only `name`, which makes cert-manager default to `kind: Issuer` (namespaced). For any deployment whose `public_issuer` is a ClusterIssuer — e.g. the `letsencrypt-prod` ClusterIssuer commonly used on Traefik-based clusters — the CertificateRequest then sits forever with: Referenced "Issuer" not found: issuer.cert-manager.io "letsencrypt-prod" not found while the (Cluster)Issuer is right there with Ready=True at the cluster scope. cloud-proxy and vzconn-server consequently can't mount the cloud-proxy-tls-certs Secret and hang in ContainerCreating. Pin the kind explicitly. Hardcoding ClusterIssuer here is fine because nothing else in this repo creates a namespaced public Issuer — the self-signed and pixie-cloud-ca Issuers below are intentionally namespaced and already specify their kinds via the default. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
entlein
temporarily deployed
to
pr-actions-approval
GitHub Actions
Inactive
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Stacks on top of #44 (cockpit typo fix) which stacks on #41.
Replace the sops_file-based lookup of
terraform/credentials/cockpit/auth0_config.yamlwithdata.terraform_remote_state.auth0. Lets the cloud_deps state consume client_id/secret from the live auth0 terraform state instead of relying on a committed SOPS file (which only contains one specific tenant's values).Changes
core_resource_deps.tf—data.sops_file.auth0→data.terraform_remote_state.auth0;kubernetes_secret_v1.cloud_auth0readsoutputs.pixie_client_id/outputs.pixie_client_secret.variables.tf— newauth0_state_*vars to configure the remote state backend.provider.tf— drop thesopsprovider (no longer used).Required on the auth0 state
The remote state must expose:
output "pixie_client_id"output "pixie_client_secret"(sensitive)These wrap whichever
auth0_client/auth0_client_credentialsresource pair represents Pixie Cloud in the relevant tenant.