Add oidc_cm.yml

Signed-off-by: Patrick Uiterwijk <patrick@puiterwijk.org>

files/communishift/objects/README.md

@@ -0,0 +1,7 @@
+Instructions
+------------
+
+The files in this directory are the configuration files for communishift to be applied.
+
+For OIDC auth, get the client secret for "communishift" from ansible-private/files/ipsilon/openidc.production.static, and run:
+oc create secret generic fedoraidp-clientsecret --from-literal=clientSecret=<client-secret> -n openshift-config

files/communishift/objects/machineconfigs/README.md

@@ -0,0 +1,12 @@
+MachineConfig files
+-------------------
+
+The files in this directory are used as machineconfig files for communishift.
+Note that they're template files: some changes will need to be made before "oc create -f".
+
+Specifically:
+- The templates have two "DOBOTH" replacements. You want to create the file twice,
+  once with both DOBOTH cases replaced with "master" and once replaced with "worker".
+- The mc_firewall.yml.template has a bit FILL_IN_HERE. Run "./to_data.sh firewall.sh",
+  and copy the output from that script into the FILL_IN_HERE bit in the MC.
+  Then run that MC twice as per the previous point (master and worker).

files/communishift/objects/machineconfigs/firewall.sh

@@ -0,0 +1,10 @@
+set -xe
+
+iptables -N fedora-block-ports
+iptables -A fedora-block-ports -p tcp --dport 111 -j REJECT
+iptables -A fedora-block-ports -p udp --dport 111 -j REJECT
+iptables -A fedora-block-ports -p tcp --dport 22623 --src 38.145.48.42 -j ACCEPT
+iptables -A fedora-block-ports -p tcp --dport 22623 --src 38.145.48.43 -j ACCEPT
+iptables -A fedora-block-ports -p tcp --dport 22623 -j REJECT
+
+iptables -I INPUT 1 -j fedora-block-ports

files/communishift/objects/machineconfigs/mc_chrony.yml.template

@@ -0,0 +1,19 @@
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+metadata:
+  generation: 1
+  name: 50-chrony-DOBOTH
+  labels:
+    machineconfiguration.openshift.io/role: DOBOTH
+spec:
+  config:
+    ignition:
+      version: "2.2.0"
+    storage:
+      files:
+      - contents:
+          source: "data:,server%20cloud-noc01.cloud.fedoraproject.org%20port%20124"
+          verification: {}
+        filesystem: root
+        mode: 0644
+        path: /etc/chrony.conf

files/communishift/objects/machineconfigs/mc_firewall.yml.template

@@ -0,0 +1,32 @@
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+metadata:
+  generation: 1
+  name: 40-firewall-DOBOTH
+  labels:
+    machineconfiguration.openshift.io/role: DOBOTH
+spec:
+  config:
+    ignition:
+      version: "2.2.0"
+    storage:
+      files:
+      - path: /etc/fedora_firewall.sh
+        mode: 0755
+        filesystem: root
+        contents:
+          source: "FILL_IN_HERE"
+    systemd:
+      units:
+      - name: "fedora_firewall.service"
+        enabled: true
+        contents: |-
+          [Unit]
+          Descrption=Block firewall ports for Fedora
+
+          [Service]
+          Type=oneshot
+          ExecStart=bash /etc/fedora_firewall.sh
+
+          [Install]
+          WantedBy=multi-user.target

files/communishift/objects/machineconfigs/to_data.sh

@@ -0,0 +1,4 @@
+#!/bin/bash
+echo -n "data:,"
+cat $1 | tr '\n' '*' | sed -e 's/*/%0A/g' | sed -e 's/ /%20/g'
+echo

files/communishift/objects/oidc_cm.yml

@@ -0,0 +1,26 @@
+apiVersion: config.openshift.io/v1
+kind: OAuth
+metadata:
+  name: cluster
+spec:
+  identityProviders:
+  - name: fedoraidp
+    login: true
+    challenge: false
+    mappingMethod: claim
+    type: OpenID
+    openID:
+      clientID: communishift
+      clientSecret:
+        name: fedoraidp-clientsecret
+      extraScopes:
+      - email
+      - profile
+      claims:
+        preferredUsername:
+        - nickname
+        name:
+        - name
+        email:
+        - email
+      issuer: https://id.fedoraproject.org