Fix serving cert annotation, port name

components/thanos-querier-cache.libsonnet

@@ -47,7 +47,7 @@ local k = import 'ksonnet/ksonnet.beta.4/k.libsonnet';
           'observatorium-cache',
           $.thanos.querierCache.deployment.metadata.labels,
           [
-            ports.newNamed('http', 9091, 9091),
+            ports.newNamed('cache', 9090, 9090),
           ],
         ) +
         service.mixin.metadata.withNamespace('observatorium') +

environments/kubernetes/manifests/thanos-querier-cache-service.yaml

@@ -7,8 +7,8 @@ metadata:
   namespace: observatorium
 spec:
   ports:
-  - name: http
-    port: 9091
-    targetPort: 9091
+  - name: cache
+    port: 9090
+    targetPort: 9090
   selector:
     app.kubernetes.io/name: observatorium-querier-cache

environments/openshift/kube-thanos.libsonnet

@@ -274,15 +274,24 @@ local list = import 'telemeter/lib/list.libsonnet';
     querierCache+: {
       // The proxy secret is there to encrypt session created by the oauth proxy.
       proxySecret:
-        secret.new('querier-proxy', {
+        secret.new('querier-cache-proxy', {
           session_secret: std.base64($.thanos.variables.proxyConfig.sessionSecret),
         }) +
         secret.mixin.metadata.withNamespace(namespace) +
         secret.mixin.metadata.withLabels({ 'app.kubernetes.io/name': 'thanos-querier' }),
       configmap+:
         configmap.mixin.metadata.withNamespace(namespace),
       service+:
-        service.mixin.metadata.withNamespace(namespace),
+        service.mixin.metadata.withNamespace(namespace) +
+        service.mixin.metadata.withAnnotations({
+          'service.alpha.openshift.io/serving-cert-secret-name': 'querier-tls',
+        }) + {
+          spec+: {
+            ports+: [
+              service.mixin.spec.portsType.newNamed('proxy', 9091, 'https'),
+            ],
+          },
+        },
       deployment+:
         {
           spec+: {
@@ -305,10 +314,10 @@ local list = import 'telemeter/lib/list.libsonnet';
                   container.new('proxy', $.thanos.variables.proxyImage) +
                   container.withArgs([
                     '-provider=openshift',
-                    '-https-address=:%d' % $.thanos.querier.service.spec.ports[2].port,
+                    '-https-address=:%d' % $.thanos.querierCache.service.spec.ports[1].port,
                     '-http-address=',
                     '-email-domain=*',
-                    '-upstream=http://localhost:%d' % $.thanos.querier.service.spec.ports[1].port,
+                    '-upstream=http://localhost:%d' % $.thanos.querierCache.service.spec.ports[0].port,
                     '-openshift-service-account=prometheus-telemeter',
                     '-openshift-sar={"resource": "namespaces", "verb": "get", "name": "${NAMESPACE}", "namespace": "${NAMESPACE}"}',
                     '-openshift-delegate-urls={"/": {"resource": "namespaces", "verb": "get", "name": "${NAMESPACE}", "namespace": "${NAMESPACE}"}}',

environments/openshift/manifests/observatorium-template.yaml

@@ -191,21 +191,26 @@ objects:
   metadata:
     labels:
       app.kubernetes.io/name: thanos-querier
-    name: querier-proxy
+    name: querier-cache-proxy
     namespace: ${NAMESPACE}
   type: Opaque
 - apiVersion: v1
   kind: Service
   metadata:
+    annotations:
+      service.alpha.openshift.io/serving-cert-secret-name: querier-tls
     labels:
       app.kubernetes.io/name: observatorium-querier-cache
     name: observatorium-cache
     namespace: ${NAMESPACE}
   spec:
     ports:
-    - name: http
+    - name: cache
+      port: 9090
+      targetPort: 9090
+    - name: proxy
       port: 9091
-      targetPort: 9091
+      targetPort: https
     selector:
       app.kubernetes.io/name: observatorium-querier-cache
 - apiVersion: apps/v1