From a9f0785b5c02c80c762efda0bc44729c83e3717c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Budai?=
Date: Wed, 28 Jun 2023 15:58:11 +0200
Subject: [PATCH] koji_builder: switch the koji-osbuild token URL to the unified SSO

identity.api.openshift.com was shut down several hours ago. The plugin now needs to use sso.redhat.com instead. This commit adjusts the token URL and the script that pokes holes in the firewall for selected domains.
---
 roles/koji_builder/templates/builder.conf | 2 +-
 roles/koji_builder/templates/builder.conf.stg | 2 +-
 roles/koji_builder/templates/osbuildapi-update.sh | 7 ++-----
 3 files changed, 4 insertions(+), 7 deletions(-)
diff --git a/roles/koji_builder/templates/builder.conf b/roles/koji_builder/templates/builder.conf
index 754ccaffb1..98a7e61f4c 100644
--- a/roles/koji_builder/templates/builder.conf
+++ b/roles/koji_builder/templates/builder.conf
@@ -4,7 +4,7 @@ server = https://api.openshift.com/
 [composer:oauth]
 client_id = {{koji_builder_client_id}}
 client_secret = {{koji_builder_client_secret}}
-token_url = https://identity.api.openshift.com/auth/realms/rhoas/protocol/openid-connect/token
+token_url = https://sso.redhat.com/auth/realms/redhat-external/protocol/openid-connect/token
 [koji]
 server = https://koji.fedoraproject.org/kojihub
diff --git a/roles/koji_builder/templates/builder.conf.stg b/roles/koji_builder/templates/builder.conf.stg
index d33ee8a07d..75eaed35f4 100644
--- a/roles/koji_builder/templates/builder.conf.stg
+++ b/roles/koji_builder/templates/builder.conf.stg
@@ -4,7 +4,7 @@ server = https://api.stage.openshift.com/
 [composer:oauth]
 client_id = {{koji_builder_client_id_stg}}
 client_secret = {{koji_builder_client_secret_stg}}
-token_url = https://identity.api.openshift.com/auth/realms/rhoas/protocol/openid-connect/token
+token_url = https://sso.redhat.com/auth/realms/redhat-external/protocol/openid-connect/token
 [koji]
 server = https://koji.stg.fedoraproject.org/kojihub
diff --git a/roles/koji_builder/templates/osbuildapi-update.sh b/roles/koji_builder/templates/osbuildapi-update.sh
index 45a854e754..e15cec371c 100644
--- a/roles/koji_builder/templates/osbuildapi-update.sh
+++ b/roles/koji_builder/templates/osbuildapi-update.sh
@@ -19,10 +19,8 @@ do
 /usr/sbin/ipset add osbuildapi $j
 done
-{% if env == 'staging' %}
-# in stg we need to add identity.api because we are using api.stage above.
-# in prod this is already the same as api.openshift.com, so skip it.
-RESOLVEQUERY=`resolvectl -4 --cache=no --legend=no query identity.api.openshift.com 2> /dev/null`
+# both stage and prod authenticate using sso.redhat.com
+RESOLVEQUERY=`resolvectl -4 --cache=no --legend=no query sso.redhat.com 2> /dev/null`
 test $? -eq 0 || exit $?
 NEWIDENTITYIPS=`echo "$RESOLVEQUERY" | grep link | sed -E 's/.* ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*/\1/g' | sort -n`
@@ -31,4 +29,3 @@ for j in $NEWIDENTITYIPS
 do
 /usr/sbin/ipset add osbuildapi $j
 done
-{% endif %}
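Review bot: The added `RESOLVEQUERY=` line in the first hunk discards resolvectl's stderr, and the unchanged `test $? -eq 0 || exit $?` that follows exits with the status of `test` (always 1) rather than resolvectl's, so a failed lookup of sso.redhat.com leaves no record of why the allowlist was not refreshed. With the `{% if env == 'staging' %}` guard removed this path now also runs on production builders, so I would keep the error and propagate the real status: `RESOLVEQUERY=$(resolvectl -4 --cache=no --legend=no query sso.redhat.com) || exit`. The `osbuildapi` set is filled from whatever addresses the resolver returns at run time, and nothing in the hunk shows earlier entries being removed; if sso.redhat.com is served from shared or rotating addresses, the set may keep stale entries and permit egress to other services on those addresses, which deserves a comment next to `# both stage and prod authenticate using sso.redhat.com`. The script's earlier part, including any flush of the set, lies outside the hunk.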