From cd7b2df0953f28a8b2ac4648c701cee2ed8b4a5c Mon Sep 17 00:00:00 2001
From: entlein
Date: Sun, 24 May 2026 18:34:43 +0200
Subject: [PATCH 1/5] Fix typo: cockpick-config -> cockpit-config
The kubeconfig path was misspelled in cloud_deps/provider.tf, causing the kubernetes and kustomization providers to look for the kubeconfig at ~/.kube/cockpick-config rather than ~/.kube/cockpit-config.
---
 terraform/kubernetes/cloud_deps/provider.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/terraform/kubernetes/cloud_deps/provider.tf b/terraform/kubernetes/cloud_deps/provider.tf
index 527cf2b4295..7be032f04d7 100644
--- a/terraform/kubernetes/cloud_deps/provider.tf
+++ b/terraform/kubernetes/cloud_deps/provider.tf
@@ -16,11 +16,11 @@ terraform {
 }
 provider "kubernetes" {
- config_path = "~/.kube/cockpick-config"
+ config_path = "~/.kube/cockpit-config"
 config_context = "default"
 }
 provider "kustomization" {
 context = "default"
- kubeconfig_path = "~/.kube/cockpick-config"
+ kubeconfig_path = "~/.kube/cockpit-config"
 }
From 76316d70bebbd18cdf1153e6264c5ab42fa9ac62 Mon Sep 17 00:00:00 2001
From: entlein
Date: Sun, 24 May 2026 19:34:14 +0200
Subject: [PATCH 2/5] cloud_deps: read auth0 client_id/secret from terraform_remote_state
Replace the sops_file-based lookup of auth0_config.yaml with a data.terraform_remote_state.auth0 reference so the cloud_deps state can consume the live values produced by the auth0 terraform run instead of relying on a separately-encrypted committed file.
- core_resource_deps.tf: data.sops_file.auth0 -> data.terraform_remote_state.auth0
- variables.tf: new auth0_state_* vars (backend config for the remote state)
- provider.tf: drop the sops provider (no longer referenced)
Outputs expected on the auth0 state: pixie_client_id, pixie_client_secret.
---
 .../cloud_deps/core_resource_deps.tf | 15 +++++++++++----
 terraform/kubernetes/cloud_deps/provider.tf | 4 ----
 terraform/kubernetes/cloud_deps/variables.tf | 18 ++++++++++++++++++
 3 files changed, 29 insertions(+), 8 deletions(-)
diff --git a/terraform/kubernetes/cloud_deps/core_resource_deps.tf b/terraform/kubernetes/cloud_deps/core_resource_deps.tf
index 1d82f493f28..f549ffd64d4 100644
--- a/terraform/kubernetes/cloud_deps/core_resource_deps.tf
+++ b/terraform/kubernetes/cloud_deps/core_resource_deps.tf
@@ -83,8 +83,15 @@ resource "kubernetes_secret_v1" "db_secrets" {
 wait_for_service_account_token = false
 }
-data "sops_file" "auth0" {
- source_file = "${path.module}/../../credentials/cockpit/auth0_config.yaml"
+data "terraform_remote_state" "auth0" {
+ backend = "azurerm"
+ config = {
+ resource_group_name = var.auth0_state_resource_group
+ storage_account_name = var.auth0_state_storage_account
+ container_name = var.auth0_state_container
+ key = var.auth0_state_key
+ use_azuread_auth = true
+ }
 }
 resource "kubernetes_secret_v1" "cloud_auth0" {
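Review bot: The new `data "terraform_remote_state" "auth0"` block makes the whole auth0 state blob readable by whatever identity runs cloud_deps, although only two outputs are consumed: Terraform exposes just root outputs through `outputs`, but the blob-reader role that `use_azuread_auth = true` relies on is granted on the container or account, so that identity can download the entire state, including anything else the auth0 run stored there. The sops file being removed was scoped to exactly those two values, so the access boundary has moved from a git-encrypted file to the RBAC on `var.auth0_state_container`, and that role should be scoped to this one state container rather than the storage account. `pixie_client_secret` will also be persisted in this workspace's own state via `kubernetes_secret_v1.cloud_auth0` (whose body continues past this hunk), so the cloud_deps state now needs the same protection as the auth0 one. I'd record that above the data block: `# Reads the auth0 state blob; limit the runner's RBAC to that container. This state now holds the client secret too.`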
@@ -94,8 +101,8 @@ resource "kubernetes_secret_v1" "cloud_auth0" {
 }
 data = {
- "auth0-client-id" = data.sops_file.auth0.data["stringData.auth0-client-id"]
- "auth0-client-secret" = data.sops_file.auth0.data["stringData.auth0-client-secret"]
+ "auth0-client-id" = data.terraform_remote_state.auth0.outputs.pixie_client_id
+ "auth0-client-secret" = data.terraform_remote_state.auth0.outputs.pixie_client_secret
 }
 type = "Opaque"
diff --git a/terraform/kubernetes/cloud_deps/provider.tf b/terraform/kubernetes/cloud_deps/provider.tf
index 7be032f04d7..0453dc57823 100644
--- a/terraform/kubernetes/cloud_deps/provider.tf
+++ b/terraform/kubernetes/cloud_deps/provider.tf
@@ -8,10 +8,6 @@ terraform {
 source = "kbst/kustomization"
 version = "0.9.7"
 }
- sops = {
- source = "carlpett/sops"
- version = "~> 1.0"
- }
 }
 }
diff --git a/terraform/kubernetes/cloud_deps/variables.tf b/terraform/kubernetes/cloud_deps/variables.tf
index 88b789f3ec0..f7349926ab7 100644
--- a/terraform/kubernetes/cloud_deps/variables.tf
+++ b/terraform/kubernetes/cloud_deps/variables.tf
@@ -39,3 +39,21 @@ variable "cluster_internal_issuer" {
 variable "public_issuer" {
 default = "letsencrypt-prod"
 }
+
+# Auth0 remote state lookup — reads pixie_client_id / pixie_client_secret
+# outputs from the auth0 terraform state. All four must be supplied by the
+# caller (pipeline passes them as -var).
+variable "auth0_state_resource_group" {
+ type = string
+}
+variable "auth0_state_storage_account" {
+ type = string
+}
+variable "auth0_state_container" {
+ type = string
+ default = "tfoscaas-0001"
+}
+variable "auth0_state_key" {
+ type = string
+ default = "auth0-ckp2.tfstate"
+}
From 66953b0fd50cb41192b1189f8ad824caf6565edd Mon Sep 17 00:00:00 2001
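Review bot: The comment on the new variables in variables.tf says `All four must be supplied by the caller`, but `auth0_state_container` and `auth0_state_key` carry defaults (`tfoscaas-0001`, `auth0-ckp2.tfstate`), so a pipeline that omits the `-var` flags silently reads the ckp2 state and injects that environment's Auth0 client secret into the cluster instead of failing. Either drop the two `default = ...` lines so the comment is true and every environment has to name its state explicitly, or correct the comment: `# resource_group/storage_account have no default and must be passed as -var; container/key default to the ckp2 state.` Because a wrong key here means the wrong credential reaches the cluster, I'd remove the defaults.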
From: Entlein
Date: Thu, 28 May 2026 21:55:03 +0200
Subject: [PATCH 3/5] cockpit: switch hostnames to test.* and add auth0 oauth_config
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Brings the cockpit overlay in line with the SovereignSOC ckp2 deploy:
- cloud_ingress / proxy_envoy / servers_transport / domain_config all swap pixie.austrianopencloudcommunity.org for test.austrianopencloudcommunity.org (matches the cloud_domain tfvar fed into cloud_deps cert-manager, so cert SAN ↔ ingress host stop conflicting).
- new oauth_config.yaml patches pl-oauth-config away from the hydra defaults inherited from k8s/cloud_deps/public/configs.yaml. PL_OAUTH_PROVIDER=auth0 and PL_AUTH_URI point at our auth0 tenant; the auth-server already has the matching client_id / client_secret via the cloud-auth0-secrets Secret created by cloud_deps from terraform_remote_state.
- kustomization.yaml: register the new oauth_config patch.
Co-Authored-By: Claude Opus 4.7 (1M context)
---
 private/cockpit/cloud_ingress.yaml | 10 +++++-----
 private/cockpit/domain_config.yaml | 2 +-
 private/cockpit/kustomization.yaml | 1 +
 private/cockpit/oauth_config.yaml | 10 ++++++++++
 private/cockpit/proxy_envoy.yaml | 2 +-
 private/cockpit/servers_transport.yaml | 2 +-
 6 files changed, 19 insertions(+), 8 deletions(-)
 create mode 100644 private/cockpit/oauth_config.yaml
diff --git a/private/cockpit/cloud_ingress.yaml b/private/cockpit/cloud_ingress.yaml
index f78447e56c0..f511b457f1d 100644
--- a/private/cockpit/cloud_ingress.yaml
+++ b/private/cockpit/cloud_ingress.yaml
@@ -5,16 +5,16 @@ metadata:
 name: cloud-ingress
 namespace: plc
 annotations:
- external-dns.alpha.kubernetes.io/hostname: pixie.austrianopencloudcommunity.org,work.pixie.austrianopencloudcommunity.org
+ external-dns.alpha.kubernetes.io/hostname: test.austrianopencloudcommunity.org,work.test.austrianopencloudcommunity.org
 cert-manager.io/cluster-issuer: "letsencrypt-prod"
 spec:
 tls:
 - hosts:
- - pixie.austrianopencloudcommunity.org
- - work.pixie.austrianopencloudcommunity.org
+ - test.austrianopencloudcommunity.org
+ - work.test.austrianopencloudcommunity.org
 secretName: cloud-proxy-tls-certs
 rules:
- - host: pixie.austrianopencloudcommunity.org
+ - host: test.austrianopencloudcommunity.org
 http:
 paths:
 - path: /px.services
@@ -45,7 +45,7 @@ spec:
 name: cloud-proxy-service
 port:
 number: 443
- - host: work.pixie.austrianopencloudcommunity.org
+ - host: work.test.austrianopencloudcommunity.org
 http:
 paths:
 - path: /px.services
diff --git a/private/cockpit/domain_config.yaml b/private/cockpit/domain_config.yaml
index ebc460f3abc..bffad38b03d 100644
--- a/private/cockpit/domain_config.yaml
+++ b/private/cockpit/domain_config.yaml
@@ -4,5 +4,5 @@ kind: ConfigMap
 metadata:
 name: pl-domain-config
 data:
- PL_DOMAIN_NAME: pixie.austrianopencloudcommunity.org
+ PL_DOMAIN_NAME: test.austrianopencloudcommunity.org
 PASSTHROUGH_PROXY_PORT: ""
diff --git a/private/cockpit/kustomization.yaml b/private/cockpit/kustomization.yaml
index ca3a5d234d1..ca015c5c36c 100644
--- a/private/cockpit/kustomization.yaml
+++ b/private/cockpit/kustomization.yaml
@@ -27,6 +27,7 @@ labels:
 pairs:
 app: pl-cloud
 patches:
+- path: oauth_config.yaml
 - path: artifact_config.yaml
 - path: auth_deployment.yaml
 - path: domain_config.yaml
diff --git a/private/cockpit/oauth_config.yaml b/private/cockpit/oauth_config.yaml
new file mode 100644
index 00000000000..55acfbaef00
--- /dev/null
+++ b/private/cockpit/oauth_config.yaml
@@ -0,0 +1,10 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: pl-oauth-config
+data:
+ PL_OAUTH_PROVIDER: auth0
+ PL_AUTH_URI: dev-ylinrwd1tckmhm03.us.auth0.com
+ PL_AUTH_CLIENT_ID: rDOrqnuIaTsXiya5I41b1FkNzXOQfWbW
+ PL_AUTH_EMAIL_PASSWORD_CONN: Username-Password-Authentication
diff --git a/private/cockpit/proxy_envoy.yaml b/private/cockpit/proxy_envoy.yaml
index 17e05ecc92a..f196c8af4a5 100644
--- a/private/cockpit/proxy_envoy.yaml
+++ b/private/cockpit/proxy_envoy.yaml
@@ -42,7 +42,7 @@ data:
 cluster: api_service
 cors:
 allow_origin_string_match:
- - suffix: "pixie.austrianopencloudcommunity.org"
+ - suffix: "test.austrianopencloudcommunity.org"
 allow_methods: GET, PUT, DELETE, POST, OPTIONS
 allow_headers: content-type,x-grpc-web,x-user-agent
 max_age: "1728000"
diff --git a/private/cockpit/servers_transport.yaml b/private/cockpit/servers_transport.yaml
index 5324809631e..50f86112c86 100644
--- a/private/cockpit/servers_transport.yaml
+++ b/private/cockpit/servers_transport.yaml
@@ -5,4 +5,4 @@ metadata:
 name: cloud-backend-transport
 namespace: plc
 spec:
- serverName: pixie.austrianopencloudcommunity.org
+ serverName: test.austrianopencloudcommunity.org
From 15cf8694557a53e6f806f6b3a974d613e799bbc5 Mon Sep 17 00:00:00 2001
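Review bot: `PL_AUTH_CLIENT_ID` is hard-coded in this new ConfigMap while, per the commit message, the same client id also reaches the auth-server through the `cloud-auth0-secrets` Secret that cloud_deps builds from `pixie_client_id` in the auth0 remote state, so there are now two independent sources for one value and a client rotation on the Terraform side will not update this file. The client id is not a credential, but `PL_AUTH_URI` pins a `dev-…us.auth0.com` tenant into an overlay that serves `test.austrianopencloudcommunity.org`, which deserves an explicit note above `data:`: `# Must match the client the auth0 terraform run exports as pixie_client_id (its secret is in cloud-auth0-secrets).` Longer term, have cloud_deps render this ConfigMap from the same remote-state output so there is a single source of truth. The object carries no `metadata.namespace`; I assume the kustomization sets one, but confirm it lands where the auth-server actually reads it.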
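Review bot: `- suffix: "test.austrianopencloudcommunity.org"` in the proxy_envoy CORS rule has no leading dot and no scheme, so Envoy also accepts origins such as `https://oldtest.austrianopencloudcommunity.org` (any sibling host in the zone whose name merely ends in that string, including a dangling record open to subdomain takeover) and `http://test.austrianopencloudcommunity.org`; the previous `pixie.` value had the same shape, but this hunk is where the value is set. Use an exact match for the apex origin plus a dotted suffix for subdomains: `- exact: "https://test.austrianopencloudcommunity.org"` and `- suffix: ".test.austrianopencloudcommunity.org"`. Whether `allow_credentials` is enabled is outside this hunk; if it is, a loose origin match lets a cross-origin page make credentialed grpc-web calls, so check that as well.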
From: Entlein
Date: Thu, 28 May 2026 22:40:05 +0200
Subject: [PATCH 4/5] cockpit: oauth_config is a resource, not a patch
kustomize patches: can only modify resources already in the build, but pl-oauth-config lives in k8s/cloud_deps/public/configs.yaml (deployed by terraform, not by cockpit). The previous commit registered it under patches: and kustomize rightly errored: error: no resource matches strategic merge patch "ConfigMap.v1.[noGrp]/pl-oauth-config.[noNs]" Move it to resources: so cockpit emits its own pl-oauth-config; the subsequent kubectl apply overwrites whatever the cloud_deps terraform state previously wrote.
Co-Authored-By: Claude Opus 4.7 (1M context)
---
 private/cockpit/kustomization.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/private/cockpit/kustomization.yaml b/private/cockpit/kustomization.yaml
index ca015c5c36c..2e1a93fdf5a 100644
--- a/private/cockpit/kustomization.yaml
+++ b/private/cockpit/kustomization.yaml
@@ -20,6 +20,7 @@ replicas:
 resources:
 - ../../k8s/cloud/base
 - plugin_db_updater_job.yaml
+- oauth_config.yaml
 components:
 - ../../k8s/cloud/overlays/exposed_services_traefik
 labels:
@@ -27,7 +28,6 @@ labels:
 pairs:
 app: pl-cloud
 patches:
-- path: oauth_config.yaml
 - path: artifact_config.yaml
 - path: auth_deployment.yaml
 - path: domain_config.yaml
From 1f6c3bcb612a9a83e61bb40ef395b95634d51e89 Mon Sep 17 00:00:00 2001
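Review bot: Registering `oauth_config.yaml` under `resources:` creates a second owner for the `pl-oauth-config` ConfigMap: the commit message says the same object is produced from `k8s/cloud_deps/public/configs.yaml` by the cloud_deps terraform run, so each `kubectl apply` of this overlay overwrites what Terraform last wrote and the next Terraform apply (or a plan showing drift) can put the hydra defaults back, silently breaking Auth0 login. Nothing in this kustomization enforces the "kubectl apply runs last" ordering the message relies on. Either remove `pl-oauth-config` from the Terraform-managed manifest so this overlay is the sole owner, or have cloud_deps ignore changes to that object, and record the decision next to the new line: `- oauth_config.yaml  # sole owner of pl-oauth-config; cloud_deps must not manage it`.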
From: Entlein
Date: Fri, 29 May 2026 10:41:58 +0200
Subject: [PATCH 5/5] cloud_deps: set issuerRef.kind=ClusterIssuer on cloud_proxy_tls_certs
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The Certificate's issuerRef previously specified only `name`, which makes cert-manager default to `kind: Issuer` (namespaced). For any deployment whose `public_issuer` is a ClusterIssuer — e.g. the `letsencrypt-prod` ClusterIssuer commonly used on Traefik-based clusters — the CertificateRequest then sits forever with: Referenced "Issuer" not found: issuer.cert-manager.io "letsencrypt-prod" not found while the (Cluster)Issuer is right there with Ready=True at the cluster scope. cloud-proxy and vzconn-server consequently can't mount the cloud-proxy-tls-certs Secret and hang in ContainerCreating. Pin the kind explicitly. Hardcoding ClusterIssuer here is fine because nothing else in this repo creates a namespaced public Issuer — the self-signed and pixie-cloud-ca Issuers below are intentionally namespaced and already specify their kinds via the default.
Co-Authored-By: Claude Opus 4.7 (1M context)
---
 terraform/kubernetes/cloud_deps/cert_manager.tf | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/terraform/kubernetes/cloud_deps/cert_manager.tf b/terraform/kubernetes/cloud_deps/cert_manager.tf
index 75dc1be563a..15d812950ef 100644
--- a/terraform/kubernetes/cloud_deps/cert_manager.tf
+++ b/terraform/kubernetes/cloud_deps/cert_manager.tf
@@ -83,6 +83,10 @@ resource "kubernetes_manifest" "cloud_proxy_tls_certs" {
 "work.${local.cert_subdomain}",
 ]
 "issuerRef" = {
+ # ClusterIssuer kind must be explicit — defaulting to Issuer makes
+ # cert-manager look for a namespaced Issuer with this name in the
+ # plc namespace, which doesn't exist for letsencrypt-prod.
+ "kind" = "ClusterIssuer"
 "name" = var.public_issuer
 }
 "secretName" = "cloud-proxy-tls-certs"
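Review bot: `"kind" = "ClusterIssuer"` is hard-coded next to `"name" = var.public_issuer`, so half of `issuerRef` is configurable and half is not; the commit message's justification (no namespaced public Issuer exists in the repo today) describes the current repo rather than a property of the variable, and anyone who later points `public_issuer` at a namespaced Issuer gets the same silent not-found stall this commit fixes. A `public_issuer_kind` variable with `default = "ClusterIssuer"` keeps both the fix and the flexibility: `"kind" = var.public_issuer_kind`. The added comment also asserts the lookup happens in the `plc` namespace, but the Certificate's `metadata.namespace` is outside this hunk (the resource starts before it), so keep that claim tied to the actual namespace value. Because the old failure mode was pods stuck in ContainerCreating rather than a failed apply, a `wait { condition { type = "Ready" status = "True" } }` block on this `kubernetes_manifest` would surface a bad issuerRef at apply time instead.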