Mirrormanager: set OIDC secrets

Signed-off-by: Aurélien Bompard <aurelien@bompard.org>
2024-01-16 17:02:45 +01:00 · 2024-01-16 17:02:45 +01:00 · dc1473572e
commit dc1473572e
parent 0bf8571d94
6 changed files with 39 additions and 3 deletions
--- a/playbooks/openshift-apps/mirrormanager.yml
+++ b/playbooks/openshift-apps/mirrormanager.yml
@ -67,6 +67,11 @@
      template: buildconfig.yml
      objectname: buildconfig.yml

+    - role: openshift/object
+      app: mirrormanager
+      template: secrets.yml
+      objectname: secrets.yml
+
    - role: openshift/object
      app: mirrormanager
      template: configmap.yml
@ -81,8 +86,7 @@
    - role: openshift/route
      app: mirrormanager
      routename: frontend
-      # host: "mirrormanager{{ env_suffix }}.fedoraproject.org"
-      host: "mirrors.apps.ocp{{ env_suffix }}.fedoraproject.org"
+      host: "{{ mirrormanager_hostname }}"
      servicename: frontend
      serviceport: web
      annotations:
--- a/roles/openshift-apps/mirrormanager/files/deploymentconfig.yml
+++ b/roles/openshift-apps/mirrormanager/files/deploymentconfig.yml
@ -35,6 +35,9 @@ spec:
        - name: mm-config
          mountPath: "/etc/mirrormanager"
          readOnly: true
+        - name: mm-secrets
+          mountPath: "/etc/mirrormanager-secrets"
+          readOnly: true
        - name: statistics
          mountPath: /var/www/mirrormanager-statistics
        - name: wsgi-script
@ -86,6 +89,9 @@ spec:
      - name: mm-config
        configMap:
          name: mirrormanager
+      - name: mm-secrets
+        secret:
+          secretName: secrets
      - name: statistics
        persistentVolumeClaim:
          claimName: statistics
--- a/roles/openshift-apps/mirrormanager/templates/client_secrets.json
+++ b/roles/openshift-apps/mirrormanager/templates/client_secrets.json
@ -0,0 +1,13 @@
+{
+    "web": {
+        "auth_uri": "https://id{{env_suffix}}.fedoraproject.org/openidc/Authorization",
+        "client_id": "{{ mirrormanager_oidc_client_id }}",
+        "client_secret": "{{ (env == 'production')|ternary(mirrormanager_prod_oidc_client_secret, mirrormanager_stg_oidc_client_secret) }}",
+        "issuer": "https://id{{env_suffix}}.fedoraproject.org/openidc/",
+        "redirect_uris": [
+            "https://{{ mirrormanager_hostname }}/authorize"
+        ],
+        "token_uri": "https://id{{env_suffix}}.fedoraproject.org/openidc/Token",
+        "userinfo_uri": "https://id{{env_suffix}}.fedoraproject.org/openidc/UserInfo"
+    }
+}
--- a/roles/openshift-apps/mirrormanager/templates/mm.cfg.py
+++ b/roles/openshift-apps/mirrormanager/templates/mm.cfg.py
@ -2,7 +2,7 @@
 # This is the config file for MirrorManager as intended to be used in OpenShift
 #

-OIDC_CLIENT_SECRETS = '/etc/mirrormanager/client_secrets.json'
+OIDC_CLIENT_SECRETS = '/etc/mirrormanager-secrets/client_secrets.json'

 # This is the directory the code enabled by SHOW_STATISTICS will use
 # to locate the statistics files and display them.
--- a/roles/openshift-apps/mirrormanager/templates/secrets.yml
+++ b/roles/openshift-apps/mirrormanager/templates/secrets.yml
@ -0,0 +1,11 @@
+{% macro load_file(filename) %}{% include filename %}{%- endmacro -%}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: secrets
+  labels:
+    app: mirrormanager
+stringData:
+  client_secrets.json: |-
+    {{ load_file('client_secrets.json') | indent }}
--- a/vars/apps/mirrormanager.yml
+++ b/vars/apps/mirrormanager.yml
@ -1,4 +1,6 @@
 ---
+mirrormanager_hostname: "mirrors.apps.ocp{{ env_suffix }}.fedoraproject.org"
 mirrormanager_db_host: "db01{{ env_suffix }}"
+mirrormanager_oidc_client_id: "mirrormanager"
 # Move that to an env var to target a specific deployment
 mm2_checkin: false