koji_builder: switch the koji-osbuild token URL to the unified SSO

identity.api.openshift.com was shut down several hours ago. The plugin now
needs to use sso.redhat.com instead.

This commit adjusts the token URL and the script that pokes holes in the
firewall for selected domains.

roles/koji_builder/templates/builder.conf

@@ -4,7 +4,7 @@ server = https://api.openshift.com/
 [composer:oauth]
 client_id = {{koji_builder_client_id}}
 client_secret = {{koji_builder_client_secret}}
-token_url = https://identity.api.openshift.com/auth/realms/rhoas/protocol/openid-connect/token
+token_url = https://sso.redhat.com/auth/realms/redhat-external/protocol/openid-connect/token
 
 [koji]
 server = https://koji.fedoraproject.org/kojihub

roles/koji_builder/templates/builder.conf.stg

@@ -4,7 +4,7 @@ server = https://api.stage.openshift.com/
 [composer:oauth]
 client_id = {{koji_builder_client_id_stg}}
 client_secret = {{koji_builder_client_secret_stg}}
-token_url = https://identity.api.openshift.com/auth/realms/rhoas/protocol/openid-connect/token
+token_url = https://sso.redhat.com/auth/realms/redhat-external/protocol/openid-connect/token
 
 [koji]
 server = https://koji.stg.fedoraproject.org/kojihub

roles/koji_builder/templates/osbuildapi-update.sh

@@ -19,10 +19,8 @@ do
      /usr/sbin/ipset add osbuildapi $j
 done
 
-{% if env == 'staging' %}
-# in stg we need to add identity.api because we are using api.stage above. 
-# in prod this is already the same as api.openshift.com, so skip it.
-RESOLVEQUERY=`resolvectl -4 --cache=no --legend=no query identity.api.openshift.com 2> /dev/null`
+# both stage and prod authenticate using sso.redhat.com
+RESOLVEQUERY=`resolvectl -4 --cache=no --legend=no query sso.redhat.com 2> /dev/null`
 test $? -eq 0 || exit $?
 
 NEWIDENTITYIPS=`echo "$RESOLVEQUERY" | grep link | sed -E 's/.* ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*/\1/g' | sort -n`
@@ -31,4 +29,3 @@ for j in $NEWIDENTITYIPS
 do
      /usr/sbin/ipset add osbuildapi $j
 done
-{% endif %}