OCP-on-NERC · larsks · Nov 14, 2023 · Nov 7, 2023 · Nov 7, 2023 · Sep 29, 2023
diff --git a/cluster-scope/base/config.openshift.io/oauths/cluster/kustomization.yaml b/cluster-scope/base/config.openshift.io/oauths/cluster/kustomization.yaml
@@ -1,4 +1,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-    - oauth.yaml
+  - oauth.yaml
diff --git a/cluster-scope/base/config.openshift.io/oauths/cluster/oauth.yaml b/cluster-scope/base/config.openshift.io/oauths/cluster/oauth.yaml
@@ -1,11 +1,11 @@
 apiVersion: config.openshift.io/v1
 kind: OAuth
 metadata:
+  name: cluster
   annotations:
     include.release.openshift.io/ibm-cloud-managed: "true"
     include.release.openshift.io/self-managed-high-availability: "true"
     include.release.openshift.io/single-node-developer: "true"
     release.openshift.io/create-only: "true"
-  name: cluster
 spec:
   identityProviders: []
diff --git a/...externalsecrets/github-client-secret.yaml → .../github-client-secret/externalsecret.yaml b/...externalsecrets/github-client-secret.yaml → .../github-client-secret/externalsecret.yaml
@@ -18,7 +18,7 @@ spec:
       metadata:
         labels: {}
   data:
-  - secretKey: clientSecret
-    remoteRef:
-      key: nerc/nerc-ocp-prod/openshift-config/github-client-secret
-      property: clientSecret
+    - secretKey: clientSecret
+      remoteRef:
+        key: REPLACE_IN_OVERLAY
+        property: clientSecret
diff --git a/...er-scope/base/external-secrets.io/externalsecrets/github-client-secret/kustomization.yaml b/...er-scope/base/external-secrets.io/externalsecrets/github-client-secret/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+    - externalsecret.yaml
diff --git a/...rnalsecrets/oauths-clientsecret-nerc.yaml → ...ths-clientsecret-nerc/externalsecret.yaml b/...rnalsecrets/oauths-clientsecret-nerc.yaml → ...ths-clientsecret-nerc/externalsecret.yaml
@@ -20,5 +20,5 @@ spec:
   data:
     - secretKey: clientSecret
       remoteRef:
-        key: nerc/nerc-ocp-prod/openshift-config/oauths-clientsecret-nerc
+        key: REPLACE_IN_OVERLAY
         property: clientSecret
diff --git a/...cope/base/external-secrets.io/externalsecrets/oauths-clientsecret-nerc/kustomization.yaml b/...cope/base/external-secrets.io/externalsecrets/oauths-clientsecret-nerc/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+    - externalsecret.yaml
diff --git a/cluster-scope/components/nerc-oauth-github/kustomization.yaml b/cluster-scope/components/nerc-oauth-github/kustomization.yaml
@@ -0,0 +1,23 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+
+resources:
+  - ../../base/external-secrets.io/externalsecrets/github-client-secret
+
+patches:
+  - patch: |
+      apiVersion: config.openshift.io/v1
+      kind: OAuth
+      metadata:
+        name: cluster
+      spec:
+        identityProviders:
+          - name: github
+            mappingMethod: claim
+            type: GitHub
+            github:
+              clientID: REPLACE_IN_OVERLAY
+              clientSecret:
+                name: github-client-secret
+              teams:
+                - ocp-on-nerc/nerc-ops
diff --git a/cluster-scope/components/nerc-oauth-keycloak/kustomization.yaml b/cluster-scope/components/nerc-oauth-keycloak/kustomization.yaml
@@ -0,0 +1,30 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+
+resources:
+  - ../../base/external-secrets.io/externalsecrets/oauths-clientsecret-nerc
+
+patches:
+  - patch: |
+      apiVersion: config.openshift.io/v1
+      kind: OAuth
+      metadata:
+        name: cluster
+      spec:
+        identityProviders:
+          - mappingMethod: lookup
+            name: mss-keycloak
+            openID:
+              claims:
+                email:
+                  - email
+                name:
+                  - name
+                preferredUsername:
+                  - preferred_username
+              clientID: REPLACE_IN_OVERLAY
+              clientSecret:
+                name: oauths-clientsecret-nerc
+              extraScopes: []
+              issuer: https://keycloak.mss.mghpcc.org/auth/realms/mss
+            type: OpenID
diff --git a/cluster-scope/overlays/nerc-ocp-infra/externalsecrets/kustomization.yaml b/cluster-scope/overlays/nerc-ocp-infra/externalsecrets/kustomization.yaml
@@ -1,7 +1,6 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- github-client-secret.yaml
 - rook-ceph-external-cluster-details.yaml
 - default-ingress-certificate.yaml
 - default-api-certificate.yaml

diff --git a/cluster-scope/overlays/nerc-ocp-infra/kustomization.yaml b/cluster-scope/overlays/nerc-ocp-infra/kustomization.yaml
@@ -32,6 +32,9 @@ resources:
 - grafana-dashboards
 - persistentvolumeclaims
 
+components:
+  - ../../components/nerc-oauth-github
+
 generatorOptions:
   disableNameSuffixHash: true
 
@@ -42,11 +45,38 @@ configMapGenerator:
   namespace: openshift-monitoring
 
 patches:
-- path: oauths/cluster_patch.yaml
 - path: consoles.operator.openshift.io/cluster_patch.yaml
 - path: storageclasses/ocs-external-storagecluster-ceph-rbd_patch.yaml
 - path: clustersecretstores/nerc-cluster-secrets_patch.yaml
 - path: ingresscontrollers/default_patch.yaml
 - path: machineconfigs/hostpath-provisioner-selinux_patch.yaml
 - path: externalsecrets/open-cluster-management-observability-multiclusterhub-operator-pull-secret_patch.yaml
 - path: externalsecrets/open-cluster-management-observability-thanos-object-storage_patch.yaml
+- patch: |
+    apiVersion: config.openshift.io/v1
+    kind: OAuth
+    metadata:
+      name: cluster
+    spec:
+      identityProviders:
+      - name: github
+        github:
+          clientID: 77915cd4cdb5c4df7723
+          teams:
+            - ocp-on-nerc/nerc-ops
+            - ocp-on-nerc/nerc-logs-metrics
+- target:
+    kind: ExternalSecret
+    name: github-client-secret
+  patch: |
+    - op: replace
+      path: /spec/data/0/remoteRef/key
+      value: nerc/nerc-ocp-infra/openshift-config/github-client-secret
+- target:
+    kind: ExternalSecret
+  patch: |
+    - op: replace
+      path: /spec/secretStoreRef
+      value:
+        kind: ClusterSecretStore
+        name: nerc-cluster-secrets
diff --git a/cluster-scope/overlays/nerc-ocp-infra/oauths/cluster_patch.yaml b/cluster-scope/overlays/nerc-ocp-infra/oauths/cluster_patch.yaml
diff --git a/cluster-scope/overlays/nerc-ocp-prod/externalsecrets/kustomization.yaml b/cluster-scope/overlays/nerc-ocp-prod/externalsecrets/kustomization.yaml
@@ -1,6 +1,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- oauths-clientsecret-nerc.yaml
-- github-client-secret.yaml
 - github-group-sync.yaml
diff --git a/cluster-scope/overlays/nerc-ocp-prod/kustomization.yaml b/cluster-scope/overlays/nerc-ocp-prod/kustomization.yaml
@@ -39,6 +39,11 @@ resources:
 - odhdashboardconfigs
 
 components:
+  - ../../components/nerc-oauth-keycloak
+  - ../../components/nerc-oauth-github
+
+  # this must come last in order to apply
+  # to all resources.
   - ../../components/argocd-skip-dryrun
 
 generatorOptions:
@@ -52,11 +57,44 @@ configMapGenerator:
 
 patches:
 - path: ingresscontrollers/default_patch.yaml
-- path: oauths/cluster_patch.yaml
 - path: kubeletconfigs/system-reserved-patch.yaml
 - target:
     kind: SecretStore
   patch: |
     - op: replace
       path: /spec/provider/vault/auth/kubernetes/mountPath
       value: kubernetes/nerc-ocp-prod
+- patch: |
+    apiVersion: config.openshift.io/v1
+    kind: OAuth
+    metadata:
+      name: cluster
+    spec:
+      identityProviders:
+      - name: mss-keycloak
+        openID:
+          clientID: ocp-prod
+- patch: |
+    apiVersion: config.openshift.io/v1
+    kind: OAuth
+    metadata:
+      name: cluster
+    spec:
+      identityProviders:
+      - name: github
+        github:
+          clientID: 771ea98004d436c6e529
+- target:
+    kind: ExternalSecret
+    name: oauths-clientsecret-nerc
+  patch: |
+    - op: replace
+      path: /spec/data/0/remoteRef/key
+      value: nerc/nerc-ocp-prod/openshift-config/oauths-clientsecret-nerc
+- target:
+    kind: ExternalSecret
+    name: github-client-secret
+  patch: |
+    - op: replace
+      path: /spec/data/0/remoteRef/key
+      value: nerc/nerc-ocp-prod/openshift-config/github-client-secret
diff --git a/cluster-scope/overlays/nerc-ocp-test/externalsecrets/kustomization.yaml b/cluster-scope/overlays/nerc-ocp-test/externalsecrets/kustomization.yaml
@@ -1,5 +1,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- github-client-secret.yaml
 - github-group-sync.yaml
diff --git a/cluster-scope/overlays/nerc-ocp-test/kustomization.yaml b/cluster-scope/overlays/nerc-ocp-test/kustomization.yaml
@@ -21,11 +21,34 @@ resources:
 - nodenetworkconfigurationpolicies/vlan-2175-nese.yaml
 - secretstores
 
+components:
+  - ../../components/nerc-oauth-github
+
 patches:
-- path: oauths/cluster_patch.yaml
 - target:
     kind: SecretStore
   patch: |
     - op: replace
       path: /spec/provider/vault/auth/kubernetes/mountPath
       value: kubernetes/nerc-ocp-test
+- patch: |
+    apiVersion: config.openshift.io/v1
+    kind: OAuth
+    metadata:
+      name: cluster
+    spec:
+      identityProviders:
+      - name: github
+        github:
+          clientID: e87d9a48533084f2aa5f
+          teams:
+            - ocp-on-nerc/nerc-ops
+            - ocp-on-nerc/nerc-logs-metrics
+            - ocp-on-nerc/nerc-rhods
+- target:
+    kind: ExternalSecret
+    name: github-client-secret
+  patch: |
+    - op: replace
+      path: /spec/data/0/remoteRef/key
+      value: nerc/nerc-ocp-test/openshift-config/github-client-secret
diff --git a/cluster-scope/overlays/nerc-ocp-test/oauths/cluster_patch.yaml b/cluster-scope/overlays/nerc-ocp-test/oauths/cluster_patch.yaml