[minor] gitops: automated configtool oidc registration #1437

Merged
merged 8 commits into from
Jan 16, 2025
Conversation

@tomklapiscak (Contributor) commented Jan 10, 2025

Description

These changes are part of the work to automate the registration of an OIDC client to support usage of the MAS Application Framework (MAF) configuration tool (https://jsw.ibm.com/browse/MASCORE-3763)

gitops-suite function changes

Accepts optional --oidc-config parameter: this is a YAML string for defining the OpenID clients (OIDC) that will be registered automatically after the suite is installed.

E.g. mas gitops-suite --oidc-config '{"configtool": {"trusted_uri_prefixes": ["https://example.com:443", "https://otherexample.com:8443"]}}'

is rendered into the generated ibm-mas-suite-.yaml config file as:

  oidc:
    configtool:
      trusted_uri_prefixes:
        - http://localhost:3000
        - http://localhost:3001
        - http://localhost:3006

This is used by the changes in ibm-mas/gitops#247 to render a Job to perform the OIDC registration step.

Gitops Tekton changes

Passes oidc configuration from mas-instance-params.yaml into the gitops-mas-suite Task as YAML. These changes are copied into saas-tekton here: https://github.ibm.com/maximoappsuite/saas-tekton/pull/89

Make configtool_oidc function suitable for use in automation

Some minor changes were required to the configtool_oidc function to make it suitable for use by a Job inside the cluster. This PR changes two things necessary for this to work properly. The changes are backwards compatible.

  1. Skip lookup of oauth admin creds from the k8s secret (and the related oc commands) if they are already provided as env vars. The cluster server/token params are not required in that case. This is because we will be obtaining these values by mounting the k8s secret to the file system instead (so we do not have to grant unnecessary secret retrieval permissions to the pod's service account).
  2. Exit with a non-zero status if something goes wrong. This is to ensure any failures will be detected / reported by automation.

Question to reviewer: Is there some good reason this tool was coded to exit with a 0 status code in most failure cases? If so, I won't be able to use this script for my purposes.

Testing (Fyre)

Configure configtool OIDC with default trusted_uri_prefixes:

mas-instance-params.yaml:

oidc:
  configtool: {}

gitops-mas-instance pipeline run

gitops-envs commit:

ibm-mas-suite.yaml:

  oidc:
    configtool:
      trusted_uri_prefixes:
        - http://localhost:3000
        - http://localhost:3001
        - http://localhost:3006

postsync job runs: (screenshot)

Local MAF instance running on localhost:3001: (screenshot)

Forwards to MAS for login: (screenshot)

MAF tool login successful: (screenshot)

Configure configtool OIDC with non-default trusted_uri_prefixes:

mas-instance-params.yaml:

oidc:
  configtool:
    trusted_uri_prefixes:
      - http://localhost:3001

gitops-mas-instance pipeline run

gitops-envs commit:

ibm-mas-suite.yaml:

  oidc:
    configtool:
      trusted_uri_prefixes:
        - http://localhost:3001

postsync job runs: (screenshot)

Local MAF instance running on localhost:3001: (screenshot)

Forwards to MAS for login: (screenshot)

MAF tool login successful: (screenshot)

Remove OIDC configtool configuration

No oidc element in mas-instance-params.yaml

gitops-mas-instance pipeline run

gitops-envs commit:

oidc element removed from ibm-mas-suite.yaml

postsync job runs: (screenshot)

Local MAF instance running on localhost:3001: (screenshot)

Login fails as expected: (screenshot)

Testing (ROSA / fvtsaas)
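Added example, not code from the mas CLI or from this PR: one way to express the two behaviours described for the configtool_oidc function (skip the secret lookup when the credentials are already in the environment, read them from a mounted Secret volume otherwise, and return non-zero instead of 0 when neither source supplies them). The variable names OAUTH_ADMIN_USERNAME / OAUTH_ADMIN_PASSWORD, the mount path and the key file names are assumptions, as is the ordering (env vars win over mounted files).

```shell
#!/bin/sh
# Added example (not the mas CLI's own code). Assumed names: the env vars
# OAUTH_ADMIN_USERNAME / OAUTH_ADMIN_PASSWORD and a Secret mounted at
# OAUTH_SECRET_DIR with one file per key ("username", "password").
set -eu

# Hypothetical default mount point for the oauth admin Secret inside the pod.
OAUTH_SECRET_DIR="${OAUTH_SECRET_DIR:-/etc/mas/oauth-admin}"

# Sets OAUTH_ADMIN_USERNAME / OAUTH_ADMIN_PASSWORD.
# Returns 0 on success, 1 if neither env vars nor mounted files supply them,
# so callers (and set -e) see the failure rather than a silent exit 0.
resolve_oauth_admin_creds() {
  # 1. Already provided as env vars: no cluster access or oc calls needed.
  if [ -n "${OAUTH_ADMIN_USERNAME:-}" ] && [ -n "${OAUTH_ADMIN_PASSWORD:-}" ]; then
    return 0
  fi

  # 2. Fall back to the Secret mounted as files; the pod's service account
  #    then needs no "get secrets" RBAC permission at all.
  user_file="$OAUTH_SECRET_DIR/username"
  pass_file="$OAUTH_SECRET_DIR/password"
  if [ -r "$user_file" ] && [ -r "$pass_file" ]; then
    OAUTH_ADMIN_USERNAME="$(cat "$user_file")"
    OAUTH_ADMIN_PASSWORD="$(cat "$pass_file")"
    if [ -n "$OAUTH_ADMIN_USERNAME" ] && [ -n "$OAUTH_ADMIN_PASSWORD" ]; then
      export OAUTH_ADMIN_USERNAME OAUTH_ADMIN_PASSWORD
      return 0
    fi
  fi

  # 3. Nothing usable: report and fail loudly so the Job is marked failed.
  echo "error: oauth admin credentials not found in env or $OAUTH_SECRET_DIR" >&2
  return 1
}

# Registration wrapper: a credential failure aborts the step with non-zero
# status instead of continuing and returning 0.
run_oidc_registration() {
  resolve_oauth_admin_creds || return 1
  echo "registering OIDC client as $OAUTH_ADMIN_USERNAME"
}
```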

…were not specified as environment variables.

This is to support usage of the tool from a job inside the cluster itself where these secret values are obtained via a volume mount.

https://jsw.ibm.com/browse/MASCORE-3763
This is to ensure that failures will be reported when this function is called from automation.

https://jsw.ibm.com/browse/MASCORE-3763
@tomklapiscak tomklapiscak changed the title [wip] [patch] Make configtool_oidc function suitable for use in automation [minor] gitops: automated configtool oidc registration Jan 15, 2025
@whitfiea (Contributor) left a comment

Looks good to me. I am not sure why it would be set to exit 0 originally, but I don't see why it shouldn't be set correctly.

@whitfiea whitfiea merged commit 42c4940 into master Jan 16, 2025
12 checks passed
@whitfiea whitfiea deleted the mascore3763 branch January 16, 2025 10:12