Mirrormanager: set OIDC secrets

Signed-off-by: Aurélien Bompard <aurelien@bompard.org>

playbooks/openshift-apps/mirrormanager.yml

@@ -67,6 +67,11 @@
       template: buildconfig.yml
       objectname: buildconfig.yml
 
+    - role: openshift/object
+      app: mirrormanager
+      template: secrets.yml
+      objectname: secrets.yml
+
     - role: openshift/object
       app: mirrormanager
       template: configmap.yml
@@ -81,8 +86,7 @@
     - role: openshift/route
       app: mirrormanager
       routename: frontend
-      # host: "mirrormanager{{ env_suffix }}.fedoraproject.org"
+      host: "{{ mirrormanager_hostname }}"
-      host: "mirrors.apps.ocp{{ env_suffix }}.fedoraproject.org"
       servicename: frontend
       serviceport: web
       annotations:

roles/openshift-apps/mirrormanager/files/deploymentconfig.yml

@@ -35,6 +35,9 @@ spec:
         - name: mm-config
           mountPath: "/etc/mirrormanager"
           readOnly: true
+        - name: mm-secrets
+          mountPath: "/etc/mirrormanager-secrets"
+          readOnly: true
         - name: statistics
           mountPath: /var/www/mirrormanager-statistics
         - name: wsgi-script
@@ -86,6 +89,9 @@ spec:
       - name: mm-config
         configMap:
           name: mirrormanager
+      - name: mm-secrets
+        secret:
+          secretName: secrets
       - name: statistics
         persistentVolumeClaim:
           claimName: statistics

roles/openshift-apps/mirrormanager/templates/client_secrets.json

@@ -0,0 +1,13 @@
+{
+    "web": {
+        "auth_uri": "https://id{{env_suffix}}.fedoraproject.org/openidc/Authorization",
+        "client_id": "{{ mirrormanager_oidc_client_id }}",
+        "client_secret": "{{ (env == 'production')|ternary(mirrormanager_prod_oidc_client_secret, mirrormanager_stg_oidc_client_secret) }}",
+        "issuer": "https://id{{env_suffix}}.fedoraproject.org/openidc/",
+        "redirect_uris": [
+            "https://{{ mirrormanager_hostname }}/authorize"
+        ],
+        "token_uri": "https://id{{env_suffix}}.fedoraproject.org/openidc/Token",
+        "userinfo_uri": "https://id{{env_suffix}}.fedoraproject.org/openidc/UserInfo"
+    }
+}

roles/openshift-apps/mirrormanager/templates/mm.cfg.py

@@ -2,7 +2,7 @@
 # This is the config file for MirrorManager as intended to be used in OpenShift
 #
 
-OIDC_CLIENT_SECRETS = '/etc/mirrormanager/client_secrets.json'
+OIDC_CLIENT_SECRETS = '/etc/mirrormanager-secrets/client_secrets.json'
 
 # This is the directory the code enabled by SHOW_STATISTICS will use
 # to locate the statistics files and display them.

roles/openshift-apps/mirrormanager/templates/secrets.yml

@@ -0,0 +1,11 @@
+{% macro load_file(filename) %}{% include filename %}{%- endmacro -%}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: secrets
+  labels:
+    app: mirrormanager
+stringData:
+  client_secrets.json: |-
+    {{ load_file('client_secrets.json') | indent }}

vars/apps/mirrormanager.yml

@@ -1,4 +1,6 @@
 ---
+mirrormanager_hostname: "mirrors.apps.ocp{{ env_suffix }}.fedoraproject.org"
 mirrormanager_db_host: "db01{{ env_suffix }}"
+mirrormanager_oidc_client_id: "mirrormanager"
 # Move that to an env var to target a specific deployment
 mm2_checkin: false