diff --git a/playbooks/openshift-apps/mirrormanager.yml b/playbooks/openshift-apps/mirrormanager.yml
index 7471b18bb3..23525b42a8 100644
--- a/playbooks/openshift-apps/mirrormanager.yml
+++ b/playbooks/openshift-apps/mirrormanager.yml
@@ -67,6 +67,11 @@
 template: buildconfig.yml
 objectname: buildconfig.yml
+ - role: openshift/object
+ app: mirrormanager
+ template: secrets.yml
+ objectname: secrets.yml
+
 - role: openshift/object
 app: mirrormanager
 template: configmap.yml
@@ -81,8 +86,7 @@
 - role: openshift/route
 app: mirrormanager
 routename: frontend
- # host: "mirrormanager{{ env_suffix }}.fedoraproject.org"
- host: "mirrors.apps.ocp{{ env_suffix }}.fedoraproject.org"
+ host: "{{ mirrormanager_hostname }}"
 servicename: frontend
 serviceport: web
 annotations:
diff --git a/roles/openshift-apps/mirrormanager/files/deploymentconfig.yml b/roles/openshift-apps/mirrormanager/files/deploymentconfig.yml
index 6d7e66a624..b83b8516e0 100644
--- a/roles/openshift-apps/mirrormanager/files/deploymentconfig.yml
+++ b/roles/openshift-apps/mirrormanager/files/deploymentconfig.yml
@@ -35,6 +35,9 @@ spec:
 - name: mm-config
 mountPath: "/etc/mirrormanager"
 readOnly: true
+ - name: mm-secrets
+ mountPath: "/etc/mirrormanager-secrets"
+ readOnly: true
 - name: statistics
 mountPath: /var/www/mirrormanager-statistics
 - name: wsgi-script
@@ -86,6 +89,9 @@ spec:
 - name: mm-config
 configMap:
 name: mirrormanager
+ - name: mm-secrets
+ secret:
+ secretName: secrets
 - name: statistics
 persistentVolumeClaim:
 claimName: statistics
diff --git a/roles/openshift-apps/mirrormanager/templates/client_secrets.json b/roles/openshift-apps/mirrormanager/templates/client_secrets.json
new file mode 100644
index 0000000000..be19b11791
--- /dev/null
+++ b/roles/openshift-apps/mirrormanager/templates/client_secrets.json
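Review bot: The new volume in the second deploymentconfig hunk references a Secret named simply `secrets`, matching `name: secrets` in templates/secrets.yml; the sibling configMap volume (`name: mirrormanager`) and the mount itself (`mm-secrets`) both carry the app name, so the generic name is the odd one out and would clash with any other Secret called `secrets` created in the same project. I would rename it in both places, `secretName: mirrormanager-secrets` here and `name: mirrormanager-secrets` in secrets.yml, so the two manifests stay obviously paired. The enclosing `volumes:` list starts outside the hunk. Separately, mm.cfg.py now reads client_secrets.json from `/etc/mirrormanager-secrets`, so if configmap.yml (not visible here) still ships a `client_secrets.json` entry under `/etc/mirrormanager`, that copy is now dead and should be dropped in the same commit.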
@@ -0,0 +1,13 @@
+{
+ "web": {
+ "auth_uri": "https://id{{env_suffix}}.fedoraproject.org/openidc/Authorization",
+ "client_id": "{{ mirrormanager_oidc_client_id }}",
+ "client_secret": "{{ (env == 'production')|ternary(mirrormanager_prod_oidc_client_secret, mirrormanager_stg_oidc_client_secret) }}",
+ "issuer": "https://id{{env_suffix}}.fedoraproject.org/openidc/",
+ "redirect_uris": [
+ "https://{{ mirrormanager_hostname }}/authorize"
+ ],
+ "token_uri": "https://id{{env_suffix}}.fedoraproject.org/openidc/Token",
+ "userinfo_uri": "https://id{{env_suffix}}.fedoraproject.org/openidc/UserInfo"
+ }
+}
diff --git a/roles/openshift-apps/mirrormanager/templates/mm.cfg.py b/roles/openshift-apps/mirrormanager/templates/mm.cfg.py
index e8e375947f..d6adf781b7 100644
--- a/roles/openshift-apps/mirrormanager/templates/mm.cfg.py
+++ b/roles/openshift-apps/mirrormanager/templates/mm.cfg.py
@@ -2,7 +2,7 @@
 # This is the config file for MirrorManager as intended to be used in OpenShift
 #
-OIDC_CLIENT_SECRETS = '/etc/mirrormanager/client_secrets.json'
+OIDC_CLIENT_SECRETS = '/etc/mirrormanager-secrets/client_secrets.json'
 # This is the directory the code enabled by SHOW_STATISTICS will use
 # to locate the statistics files and display them.
diff --git a/roles/openshift-apps/mirrormanager/templates/secrets.yml b/roles/openshift-apps/mirrormanager/templates/secrets.yml
new file mode 100644
index 0000000000..593510aa7b
--- /dev/null
+++ b/roles/openshift-apps/mirrormanager/templates/secrets.yml
@@ -0,0 +1,11 @@
+{% macro load_file(filename) %}{% include filename %}{%- endmacro -%}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: secrets
+ labels:
+ app: mirrormanager
+stringData:
+ client_secrets.json: |-
+ {{ load_file('client_secrets.json') | indent }}
diff --git a/vars/apps/mirrormanager.yml b/vars/apps/mirrormanager.yml
index 52938299a8..3bb97637a3 100644
--- a/vars/apps/mirrormanager.yml
+++ b/vars/apps/mirrormanager.yml
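Review bot: `client_secret` on the fifth added line of client_secrets.json is interpolated inside hand-written JSON quotes, so a secret value containing `"` or `\` renders invalid JSON and MirrorManager will fail to load `OIDC_CLIENT_SECRETS` at startup; letting the filter emit the literal avoids that: `"client_secret": {{ (env == 'production')|ternary(mirrormanager_prod_oidc_client_secret, mirrormanager_stg_oidc_client_secret) | to_json }},`. The same `| to_json` treatment fits `client_id` and the redirect URI, although those values are far less likely to carry specials. As a point of style, `{{env_suffix}}` is written four times without the inner spaces that `{{ mirrormanager_hostname }}` and vars/apps/mirrormanager.yml use; `{{ env_suffix }}` would keep the template consistent.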
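Review bot: The bare `| indent` on the last line of secrets.yml is load-bearing but undocumented: it relies on Jinja's default width of 4 matching the four-space indentation of the block scalar under `client_secrets.json: |-`, and on the default of not indenting the first line, which the template already positions. A comment above `stringData:` such as `# indent default (4) must equal the block-scalar indent below; change both together` would stop the next editor from adjusting one without the other. The macro on line 1 is there because a bare `{% include %}` cannot be piped through a filter while a macro result can; a short Jinja comment stating that, kept whitespace-trimmed so no blank line lands before `---`, would make the construct self-explanatory.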
@@ -1,4 +1,6 @@
 ---
+mirrormanager_hostname: "mirrors.apps.ocp{{ env_suffix }}.fedoraproject.org"
 mirrormanager_db_host: "db01{{ env_suffix }}"
+mirrormanager_oidc_client_id: "mirrormanager"
 # Move that to an env var to target a specific deployment
 mm2_checkin: false