From 29efa52e94cd9d228762630cbeee07c518b2cb7f Mon Sep 17 00:00:00 2001
From: Kevin Fenzi
Date: Thu, 28 Jul 2022 12:33:11 -0700
Subject: [PATCH] koji_build: add identity to allowed list, add some comments
Signed-off-by: Kevin Fenzi
---
 .../templates/osbuildapi-update.sh | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)
diff --git a/roles/koji_builder/templates/osbuildapi-update.sh b/roles/koji_builder/templates/osbuildapi-update.sh
index 2190029e00..ff46b8ae37 100644
--- a/roles/koji_builder/templates/osbuildapi-update.sh
+++ b/roles/koji_builder/templates/osbuildapi-update.sh
@@ -1,18 +1,31 @@
 #!/bin/bash
+# Make sure the ipset is created.
 /usr/sbin/ipset create osbuildapi hash:ip >& /dev/null
+# in staging we need to allow api.stage and in prod api.
 {% if env == 'staging' %}
-RESOLVEQUERY=`resolvectl --cache=no --legend=no query api.stage.openshift.com 2> /dev/null`
+RESOLVEQUERY=`resolvectl --cache=no --legend=no query api.stage.openshift.com 2> /dev/null`
 {% else %}
-RESOLVEQUERY=`resolvectl --cache=no --legend=no query api.openshift.com 2> /dev/null`
+RESOLVEQUERY=`resolvectl --cache=no --legend=no query api.openshift.com 2> /dev/null`
 {% endif %}
 test $? -eq 0 || exit $?
-NEWIPS=`echo $RESOLVEQUERY | grep link | awk '{print $2 " " $6}' | sort -n`
+NEWIPS=`echo $RESOLVEQUERY | grep link | awk '{print $2 " " $6}' | sort -n`
 /usr/sbin/ipset flush osbuildapi
 for j in $NEWIPS
 do
 /usr/sbin/ipset add osbuildapi $j
 done
+
+# in both stg and prod apparently we use idenity.adpi.openshift.com for auth
+RESOLVEQUERY=`resolvectl --cache=no --legend=no query identity.api.openshift.com 2> /dev/null`
+test $? -eq 0 || exit $?
+
+NEWIDENTITYIPS=`echo $RESOLVEQUERY | grep link | awk '{print $2 " " $6}' | sort -n`
+
+for j in $NEWIDENTITYIPS
+do
+ /usr/sbin/ipset add osbuildapi $j
+done
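Review bot: The added identity.api.openshift.com lookup runs after `/usr/sbin/ipset flush osbuildapi`, so when it fails the `exit` leaves the set holding only the API addresses, and traffic to the identity host stays blocked until a later run succeeds. Resolving both names before the flush, and exiting before the set is touched, keeps the previous allow list in place on a DNS failure; filling a scratch set and exchanging it with `ipset swap` would additionally remove the window in which the set is empty. The copied `awk '{print $2 " " $6}'` on the unquoted `echo` reads a single collapsed line, so it appears to keep at most two addresses per name and a third record would be silently left out. The new comment misspells the host it documents and could read `# in both stg and prod we use identity.api.openshift.com for auth`.

```shell
# … unchanged: shebang, ipset create, staging/prod lookup, NEWIPS …

# Resolve the identity host before the set is touched, so a failed
# lookup leaves the previous allow list in place.
IDENTITYQUERY=`resolvectl --cache=no --legend=no query identity.api.openshift.com 2> /dev/null` || exit 1
NEWIDENTITYIPS=`echo $IDENTITYQUERY | grep link | awk '{print $2 " " $6}' | sort -n`

/usr/sbin/ipset flush osbuildapi

for j in $NEWIPS $NEWIDENTITYIPS
do
  /usr/sbin/ipset add osbuildapi $j
done
```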