From c97dc64831049f759c63ba13f0a1ffa2fa518040 Mon Sep 17 00:00:00 2001 From: tomklapiscak <7372253+tomklapiscak@users.noreply.github.com> Date: Fri, 10 Jan 2025 17:01:31 +0000 Subject: [PATCH 1/7] [patch] configtool_oidc only calls oc login etc if oauth admin creds were not specified as environment variables. This is to support usage of the tool from a job inside the cluster itself where these secret values are obtained via a volume mount. https://jsw.ibm.com/browse/MASCORE-3763 --- image/cli/mascli/functions/configtool_oidc | 41 +++++++++++++++------- 1 file changed, 28 insertions(+), 13 deletions(-) diff --git a/image/cli/mascli/functions/configtool_oidc b/image/cli/mascli/functions/configtool_oidc index d3e6674bfa..cd5373cf1b 100644 --- a/image/cli/mascli/functions/configtool_oidc +++ b/image/cli/mascli/functions/configtool_oidc @@ -36,8 +36,11 @@ So far only trust ui prefix is supported to update. Same as register command. ${COLOR_YELLOW}### mas oidc [-h|--help]${TEXT_RESET} Show this help message -${COLOR_YELLOW}4. Options for command${TEXT_RESET} -Cluster Credentials (Required): +OAuth Admin Credentials (Optional) + ${COLOR_YELLOW}OAUTH_ADMIN_USERNAME${TEXT_RESET}. If not set, the script will attempt to retrieve this from the {INSTANCE_NAME}-credentials-oauth-admin secret in the mas core namespace + ${COLOR_YELLOW}OAUTH_ADMIN_PWD${TEXT_RESET}. If not set, the script will attempt to retrieve this from the {INSTANCE_NAME}-credentials-oauth-admin secret in the mas core namespace + +Cluster Credentials (Required unless both OAUTH_ADMIN_USERNAME and OAUTH_ADMIN_PWD env vars are set): -t, --token ${COLOR_YELLOW}CLUSTER_TOKEN${TEXT_RESET} Cluster's token -s, --server ${COLOR_YELLOW}CLUSTER_SERVER${TEXT_RESET} Cluster server 
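Review bot: The new `OAuth Admin Credentials (Optional)` heading lacks the trailing colon that the `Cluster Credentials (...)` heading directly below it carries, so the two groups render inconsistently; suggest `OAuth Admin Credentials (Optional):`. Deleting `${COLOR_YELLOW}4. Options for command${TEXT_RESET}` also removes a numbered section heading, and since the start of this help text is outside the hunk it is not visible whether sections 1–3 still use that numbering — if they do, keep the line above the two credential groups. The literal `{INSTANCE_NAME}` in the two added lines is fine as documentation, but a reader may take it for a shell expansion; `<instance-id>-credentials-oauth-admin` would make the placeholder unambiguous.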
@@ -81,9 +84,12 @@ function configtool_oidc_noninteractive() { esac done - # check all args have been set - [[ -z "$CLUSTER_TOKEN" ]] && configtool_oidc_help "CLUSTER_TOKEN is not set" - [[ -z "$CLUSTER_SERVER" ]] && configtool_oidc_help "CLUSTER_SERVER is not set" + + if [[ -z "$OAUTH_ADMIN_USERNAME" || -z "$OAUTH_ADMIN_PWD" ]]; then + [[ -z "$CLUSTER_TOKEN" ]] && configtool_oidc_help "CLUSTER_TOKEN must be set if either OAUTH_ADMIN_USERNAME or OAUTH_ADMIN_PWD env vars are not provided" + [[ -z "$CLUSTER_SERVER" ]] && configtool_oidc_help "CLUSTER_SERVER must be set if either OAUTH_ADMIN_USERNAME or OAUTH_ADMIN_PWD env vars are not provided" + fi + [[ -z "$MAS_HOME" ]] && configtool_oidc_help "MAS_HOME is not set" [[ -z "$TRUST_UI_PREFIX" ]] && configtool_oidc_help "TRUST_UI_PREFIX is not set" } @@ -145,10 +151,6 @@ function configtool_oidc() { export TRUST_UI_PREFIX export MAS_INSTANCE_ID - # login cluster - echo Login $CLUSTER_SERVER... - oc login --token=$CLUSTER_TOKEN --server=$CLUSTER_SERVER - # instance name and domain echo preparing for $MAS_HOME... if [[ -z $MAS_HOME ]]; then 
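Review bot: The comment `# check all args have been set` is replaced by a blank line, so the new conditional no longer says why the cluster credentials are only sometimes required; suggest `# CLUSTER_TOKEN/CLUSTER_SERVER are only needed to read the oauth-admin secret, so skip them when both OAUTH_ADMIN_* values were supplied via the environment`. The same `[[ -z "$OAUTH_ADMIN_USERNAME" || -z "$OAUTH_ADMIN_PWD" ]]` test is repeated in the `@@ -186` hunk of this patch; a small helper such as `oauth_admin_creds_provided()` would keep the two in step if the credential set ever grows. The enclosing `configtool_oidc_noninteractive` starts outside the hunk, and the `@@ -145` hunk below only moves the `oc login` block, which is reviewed where it lands.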
@@ -186,10 +188,23 @@ function configtool_oidc() { if [[ ! -z $MAS_INSTANCE_ID ]]; then INSTANCE_NAME=$MAS_INSTANCE_ID fi - echo "entering mas-${INSTANCE_NAME}-core project" - oc project mas-${INSTANCE_NAME}-core - OAUTH_ADMIN_USERNAME=`oc get secret ${INSTANCE_NAME}-credentials-oauth-admin -o jsonpath="{.data['oauth-admin-username']}" | base64 -d` - OAUTH_ADMIN_PWD=`oc get secret ${INSTANCE_NAME}-credentials-oauth-admin -o jsonpath="{.data['oauth-admin-password']}" | base64 -d` + + + # lookup oauth admin credentials from k8s secret if either were not specified as environment vars + if [[ -z "$OAUTH_ADMIN_USERNAME" || -z "$OAUTH_ADMIN_PWD" ]]; then + echo Login $CLUSTER_SERVER... + oc login --token=$CLUSTER_TOKEN --server=$CLUSTER_SERVER + echo "Entering mas-${INSTANCE_NAME}-core project" + oc project mas-${INSTANCE_NAME}-core + if [[ -z "${OAUTH_ADMIN_USERNAME}" ]]; then + echo "Lookup ${INSTANCE_NAME}-credentials-oauth-admin / oauth-admin-username" + OAUTH_ADMIN_USERNAME=`oc get secret ${INSTANCE_NAME}-credentials-oauth-admin -o jsonpath="{.data['oauth-admin-username']}" | base64 -d` + fi + if [[ -z "${OAUTH_ADMIN_PWD}" ]]; then + echo "Lookup ${INSTANCE_NAME}-credentials-oauth-admin / oauth-admin-password" + OAUTH_ADMIN_PWD=`oc get secret ${INSTANCE_NAME}-credentials-oauth-admin -o jsonpath="{.data['oauth-admin-password']}" | base64 -d` + fi + fi # unregister echo checking if $CLIENT_CONFIGTOOL existed From e6624abe248102f17cda69145cc006ce56542fc0 Mon Sep 17 00:00:00 2001 From: tomklapiscak <7372253+tomklapiscak@users.noreply.github.com> Date: Fri, 10 Jan 2025 17:41:19 +0000 Subject: [PATCH 2/7] make configtool_oidc return non-zero exit code if something goes wrong this is to ensure that failures will be reported when this function is called from automation https://jsw.ibm.com/browse/MASCORE-3763 --- image/cli/mascli/functions/configtool_oidc | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) 
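Review bot: None of the new `oc login`, `oc project` or `oc get secret … | base64 -d` calls is status-checked, so a bad token or a missing secret leaves `OAUTH_ADMIN_USERNAME` or `OAUTH_ADMIN_PWD` empty and the script carries on into the curl calls further down (outside this hunk) with empty credentials, producing an HTTP error instead of a clear failure. Suggest `oc login --token="$CLUSTER_TOKEN" --server="$CLUSTER_SERVER" || exit $?` and, after the two lookups, `[[ -z "$OAUTH_ADMIN_USERNAME" || -z "$OAUTH_ADMIN_PWD" ]] && { echo "${COLOR_RED}Unable to obtain oauth admin credentials from ${INSTANCE_NAME}-credentials-oauth-admin${TEXT_RESET}"; exit 1; }`, in line with the `exit 1` convention the next patch in this series introduces. Quoting `$CLUSTER_TOKEN` and `$CLUSTER_SERVER` also avoids word splitting should either ever contain whitespace. The enclosing `configtool_oidc` function starts and ends outside the hunk.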
diff --git a/image/cli/mascli/functions/configtool_oidc b/image/cli/mascli/functions/configtool_oidc index cd5373cf1b..491515e390 100644 --- a/image/cli/mascli/functions/configtool_oidc +++ b/image/cli/mascli/functions/configtool_oidc @@ -155,7 +155,7 @@ function configtool_oidc() { echo preparing for $MAS_HOME... if [[ -z $MAS_HOME ]]; then echo "${COLOR_RED}MAS_HOME must be provided and not empty. sample: export MAS_HOME=\"masdev.home.mobfound1.masdev.suite.maximo.com\"${TEXT_RESET}" - exit 0 + exit 1 fi MAS_PARTS=(`echo $MAS_HOME | tr "." " "`) DOT="." @@ -175,7 +175,7 @@ function configtool_oidc() { done if [[ $i -lt 4 ]]; then echo "${COLOR_RED}MAS_HOME is incorrect. sample: \"masdev.home.mobfound1.masdev.suite.maximo.com\"${TEXT_RESET}" - exit 0 + exit 1 fi # OAUTH information @@ -212,7 +212,9 @@ function configtool_oidc() { echo "status_code: $status_code" echo running $OIDC_OP if [[ "$status_code" -eq 200 ]] ; then - curl -k -w %{http_code} -s -o /dev/null -I --user $OAUTH_ADMIN_USERNAME:$OAUTH_ADMIN_PWD -H 'Content-Type: application/json' -X DELETE $OAUTH_URL_CONFIGTOOL + curl --fail -k --user $OAUTH_ADMIN_USERNAME:$OAUTH_ADMIN_PWDx \ + -H 'Content-Type: application/json' \ + -X DELETE $OAUTH_URL_CONFIGTOOL || exit $? echo "" if [[ "$OIDC_OP" == "unregister" ]]; then echo "$OIDC_OP" Client $CLIENT_CONFIGTOOL. 
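Review bot: The rewritten `curl --fail -k --user $OAUTH_ADMIN_USERNAME:$OAUTH_ADMIN_PWD …` in the `@@ -212` hunk keeps the admin password in the process arguments, where it is readable through `ps` or `/proc/<pid>/cmdline` by other processes on the same node for the duration of the request; the same applies to the POST at `@@ -260` in this patch and to the typo fix in `[PATCH 4/7]`. Since this series makes the tool runnable as an in-cluster job, consider passing the credential through a curl config read from stdin instead: `curl --fail -k -K - -H 'Content-Type: application/json' -X DELETE "$OAUTH_URL_CONFIGTOOL" <<EOF || exit $?` followed by the config line `user = "$OAUTH_ADMIN_USERNAME:$OAUTH_ADMIN_PWD"` and `EOF` (a double quote inside the password would need escaping for curl's config parser). Dropping `-s -o /dev/null` also means the DELETE response body is now written to stdout, so whatever the OIDC server returns for a deleted client ends up in job logs; keeping `-s -o /dev/null` preserves the previous behaviour. `-k` still disables certificate verification on a request carrying admin credentials; `--cacert` with the cluster CA would be the safer choice where that CA is available.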
@@ -225,19 +227,19 @@ function configtool_oidc() { fi else echo Some issue occurred in MAS OIDC server. Please try again later. - exit 0 + exit 1 fi # trust ui prefix echo TRUST_UI_PREFIX: $TRUST_UI_PREFIX if [[ -z $TRUST_UI_PREFIX ]]; then echo "${COLOR_RED}TRUST_UI_PREFIX must be provided and not empty. sample: export TRUST_UI_PREFIX=\"http://localhost:3000,http://localhost:3001\"${TEXT_RESET}" - exit 0 + exit 1 fi TRUST_UI_PARTS=(`echo $TRUST_UI_PREFIX | tr "," " "`) if [[ ${#TRUST_UI_PARTS[@]} -eq 0 ]]; then echo "${COLOR_RED}TRUST_UI_PREFIX is empty, at least define one URL. \"http://localhost:3000\"${TEXT_RESET}" - exit 0 + exit 1 fi CALLBACK="/auth/callback" TRUST_UIS="[" @@ -260,7 +262,7 @@ function configtool_oidc() { # register or update (the same as register) if [[ "$OIDC_OP" == "register" || "$OIDC_OP" == "update" ]]; then echo "$OIDC_OP" Client $CLIENT_CONFIGTOOL. - curl -k --user $OAUTH_ADMIN_USERNAME:$OAUTH_ADMIN_PWD \ + curl --fail -k --user $OAUTH_ADMIN_USERNAME:$OAUTH_ADMIN_PWD \ -H 'Accept: application/json' \ -H 'Content-type: application/json' \ -X POST $OAUTH_URL \ @@ -292,6 +294,6 @@ function configtool_oidc() { "redirect_uris": $REDIRECT_UIS } EOF -) +) || exit $? fi } \ No newline at end of file From 5439505c250c666921c4dda5174c8f73db7a88b4 Mon Sep 17 00:00:00 2001 From: tomklapiscak <7372253+tomklapiscak@users.noreply.github.com> Date: Fri, 10 Jan 2025 17:51:38 +0000 Subject: [PATCH 3/7] Update .secrets.baseline --- .secrets.baseline | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.secrets.baseline b/.secrets.baseline index 2b34361528..be06140da8 100644 --- a/.secrets.baseline +++ b/.secrets.baseline @@ -3,7 +3,7 @@ "files": "^.secrets.baseline$", "lines": null }, - "generated_at": "2024-12-17T09:42:21Z", + "generated_at": "2025-01-10T17:50:50Z", "plugins_used": [ { "name": "AWSKeyDetector" 
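Review bot: The new `) || exit $?` line in the `@@ -292` hunk is still followed by `\ No newline at end of file`, so the script keeps ending without a terminating newline; adding one avoids that marker showing up in every future diff of this file. `$?` after `||` is curl's own exit status, so the code propagated is the one `--fail` produces, which matches the intent of this patch; the opening of the command substitution that this `)` closes is outside the hunk, so its quoting could not be checked here.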
@@ -152,7 +152,7 @@ "hashed_secret": "b6f30c2855008e26d901927d33cfcb970c62fe00", "is_secret": false, "is_verified": false, - "line_number": 264, + "line_number": 281, "type": "Secret Keyword", "verified_result": null } From b2069776e76c2aea14cbb7db0fa47dba7b1809fa Mon Sep 17 00:00:00 2001 From: tomklapiscak <7372253+tomklapiscak@users.noreply.github.com> Date: Mon, 13 Jan 2025 12:38:32 +0000 Subject: [PATCH 4/7] fix typo --- image/cli/mascli/functions/configtool_oidc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/image/cli/mascli/functions/configtool_oidc b/image/cli/mascli/functions/configtool_oidc index 491515e390..3a7c1eafbf 100644 --- a/image/cli/mascli/functions/configtool_oidc +++ b/image/cli/mascli/functions/configtool_oidc @@ -212,7 +212,7 @@ function configtool_oidc() { echo "status_code: $status_code" echo running $OIDC_OP if [[ "$status_code" -eq 200 ]] ; then - curl --fail -k --user $OAUTH_ADMIN_USERNAME:$OAUTH_ADMIN_PWDx \ + curl --fail -k --user $OAUTH_ADMIN_USERNAME:$OAUTH_ADMIN_PWD \ -H 'Content-Type: application/json' \ -X DELETE $OAUTH_URL_CONFIGTOOL || exit $? echo "" From 4d7f065aeb30f07972b0ee923ab0f1dd16be28c6 Mon Sep 17 00:00:00 2001 From: tomklapiscak <7372253+tomklapiscak@users.noreply.github.com> Date: Tue, 14 Jan 2025 14:06:18 +0000 Subject: [PATCH 5/7] [minor] add --oidc-config param to gitops-suite CLI function --- .secrets.baseline | 4 +- image/cli/mascli/functions/gitops_suite | 52 +++++++++++++++++++ .../cluster/instance/ibm-mas-suite.yaml.j2 | 5 ++ 3 files changed, 59 insertions(+), 2 deletions(-) diff --git a/.secrets.baseline b/.secrets.baseline index be06140da8..c2d1a5f619 100644 --- a/.secrets.baseline +++ b/.secrets.baseline @@ -3,7 +3,7 @@ "files": "^.secrets.baseline$", "lines": null }, - "generated_at": "2025-01-10T17:50:50Z", + "generated_at": "2025-01-14T14:06:07Z", "plugins_used": [ { "name": "AWSKeyDetector" 
@@ -344,7 +344,7 @@ "hashed_secret": "b2817467154949a61f8e9ad31d1eeaf03221cbfa", "is_secret": false, "is_verified": false, - "line_number": 450, + "line_number": 502, "type": "Secret Keyword", "verified_result": null } diff --git a/image/cli/mascli/functions/gitops_suite b/image/cli/mascli/functions/gitops_suite index 05c82598e7..9daa86d7f7 100644 --- a/image/cli/mascli/functions/gitops_suite +++ b/image/cli/mascli/functions/gitops_suite @@ -76,6 +76,12 @@ IBM Maximo Application Suite: --mas-wipe-mongo-data ${COLOR_YELLOW}MAS_WIPE_MONGO_DATA${TEXT_RESET} Set to "true" to wipe all mongo data for this MAS instance on uninstall (optional, defaults to false) + --oidc-config ${COLOR_YELLOW}OIDC_CONFIG${TEXT_RESET} YAML string for defining the OpenID clients (OIDC) that will be registered automatically after the suite is installed. + Currently supported: + "configtool" client suitable to use by the Maximo Application Framework (MAF) configurator tool. Specify as follows: + --oidc-config '{"configtool": {"trusted_uri_prefixes": ["https://example.com:443", "https://otherexample.com:8443"]}}' + + "trusted_uri_prefixes" field is optional, if omitted ArgoCD will use the default ["http://localhost:3000", "http://localhost:3001", "http://localhost:3006"] Target Cluster (Optional): --cluster-url ${COLOR_YELLOW}CLUSTER_URL${TEXT_RESET} Set to target a remote Kubernetes cluster (defaults to 'https://kubernetes.default.svc') @@ -289,6 +295,11 @@ function gitops_suite_noninteractive() { export OVERRIDE_EDGE_CERTS=$1 && shift ;; + --oidc-config) + export OIDC_CONFIG=$1 && shift + ;; + + # Automatic GitHub Push -P|--github-push) export GITHUB_PUSH=true 
@@ -355,6 +366,46 @@ function gitops_suite_noninteractive() { [[ -z "$GIT_BRANCH" ]] && gitops_suite_help "GIT_BRANCH is not set" fi + if [[ -n "${OIDC_CONFIG}" ]]; then + + # Validate any OIDC_CONFIG passed in + export OIDC_CONFIG_YAML + OIDC_CONFIG_YAML=$(echo $OIDC_CONFIG | yq -P) || gitops_suite_help "OIDC_CONFIG is not valid YAML" + + # Check configtool is the only top-level key + # If we add more supported keys in future, add to the filter expression as such: filter(. != "configtool" and . != "otherkey") + echo "${OIDC_CONFIG_YAML}" | yq eval --exit-status=1 \ + 'keys | filter(. != "configtool" ) | length == 0' \ + 1> /dev/null 2>&1 \ + || gitops_suite_help "OIDC_CONFIG is invalid; only the 'configtool' key is supported at the top-level" + + # If configtool is specified, check that "trusted_uri_prefixes" is the only child key + # If we add more supported keys in future, add to the filter expression as such: filter(. != "trusted_uri_prefixes" and . != otherkey) + echo "${OIDC_CONFIG_YAML}" | yq eval --exit-status=1 \ + '(. | has("configtool")) == false or + (.configtool | keys | filter(. != "trusted_uri_prefixes") | length == 0)' \ + 1> /dev/null 2>&1 \ + || gitops_suite_help "OIDC_CONFIG is invalid,; only the 'trusted_uri_properties' key is supported under 'configtool'" + + # if specified, .configtool.trusted_uri_prefixes must be an array + echo "${OIDC_CONFIG_YAML}" | yq eval --exit-status=1 \ + '(. | has("configtool")) == false or + (.configtool | has("trusted_uri_prefixes")) == false or + (.configtool.trusted_uri_prefixes | type == "!!seq")' \ + 1> /dev/null 2>&1 \ + || gitops_suite_help "OIDC_CONFIG is invalid; if specified, the value of 'configtool.trusted_uri_properties' must be an array" + + # if specified, all elements of .configtool.trusted_uri_prefixes must be an array containing only strings + echo "${OIDC_CONFIG_YAML}" | yq eval --exit-status=1 \ + '(. 
| has("configtool")) == false or + (.configtool | has("trusted_uri_prefixes")) == false or + (.configtool.trusted_uri_prefixes | length == 0) or + (.configtool.trusted_uri_prefixes.[] | type == "!!str") as $item ireduce (true; . and $item)' \ + 1> /dev/null 2>&1 \ + || gitops_suite_help "OIDC_CONFIG is invalid; if specified, the value of 'configtool.trusted_uri_properties' must be an array containing only strings" + + fi + } function gitops_suite() { @@ -438,6 +489,7 @@ function gitops_suite() { echo_reset_dim "Cert Manager Namespace ......... ${COLOR_MAGENTA}${CERT_MANAGER_NAMESPACE}" echo_reset_dim "DNS Provider ................... ${COLOR_MAGENTA}${DNS_PROVIDER}" echo_reset_dim "Pod Template YAML File ........ ${COLOR_MAGENTA}${MAS_POD_TEMPLATE_YAML}" + echo_reset_dim "OIDC Config .................... ${COLOR_MAGENTA}${OIDC_CONFIG}" reset_colors if [[ -n "$DNS_PROVIDER" ]]; then diff --git a/image/cli/mascli/templates/gitops/appset-configs/cluster/instance/ibm-mas-suite.yaml.j2 b/image/cli/mascli/templates/gitops/appset-configs/cluster/instance/ibm-mas-suite.yaml.j2 index bf35f7786c..e3d36c1ad6 100644 --- a/image/cli/mascli/templates/gitops/appset-configs/cluster/instance/ibm-mas-suite.yaml.j2 +++ b/image/cli/mascli/templates/gitops/appset-configs/cluster/instance/ibm-mas-suite.yaml.j2 @@ -77,3 +77,8 @@ ibm_mas_suite: mas_pod_templates: {{ MAS_POD_TEMPLATE | indent(4) }} {% endif %} + +{% if OIDC_CONFIG_YAML is defined and OIDC_CONFIG_YAML !='' %} + oidc: + {{ OIDC_CONFIG_YAML | indent(4) }} +{% endif %} \ No newline at end of file From ad812fd9205e177c02d02ad3ef1154f53060b704 Mon Sep 17 00:00:00 2001 From: tomklapiscak <7372253+tomklapiscak@users.noreply.github.com> Date: Tue, 14 Jan 2025 17:01:49 +0000 Subject: [PATCH 6/7] gitops_suite applies default trusted_uri_prefixes if not specified --- .secrets.baseline | 4 ++-- image/cli/mascli/functions/gitops_suite | 10 +++++++++- 2 files changed, 11 insertions(+), 3 deletions(-) 
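Review bot: `OIDC_CONFIG_YAML=$(echo $OIDC_CONFIG | yq -P)` expands the user-supplied value unquoted, so the JSON is word-split (runs of whitespace inside string values are collapsed) and any `*`/`?` in a prefix is subject to pathname expansion against the current directory before yq parses it; use `OIDC_CONFIG_YAML=$(yq -P <<< "${OIDC_CONFIG}") || gitops_suite_help "OIDC_CONFIG is not valid YAML"`. The messages of the second, third and fourth checks name a `trusted_uri_properties` key, but the key being validated is `trusted_uri_prefixes`, and the second message has a stray `,;` — anyone reading the error will look for the wrong field. Because this block is what keeps arbitrary keys out of the YAML later spliced into `ibm-mas-suite.yaml.j2`, the two "add to the filter expression" comments are the right place to say so; a line such as `# NOTE: OIDC_CONFIG_YAML is inserted verbatim into the suite template, so every accepted key must be listed here` would make that dependency explicit. The enclosing `gitops_suite_noninteractive` starts outside the hunk.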
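Review bot: Jinja's `indent(4)` leaves the first line of its input unindented (its `first` argument defaults to false), so `{{ OIDC_CONFIG_YAML | indent(4) }}` only nests under `oidc:` if that template line itself starts with the same four spaces the continuation lines receive; the collapsed diff hides leading whitespace, so please confirm it mirrors the existing `{{ MAS_POD_TEMPLATE | indent(4) }}` line above it. `OIDC_CONFIG_YAML !=''` should read `OIDC_CONFIG_YAML != ''` to match the spacing of `is defined and`, and the file still ends without a newline (`\ No newline at end of file`). Since the value is spliced in verbatim, the rendered document's shape depends entirely on the key and type checks in `gitops_suite_noninteractive`; a comment above the block, e.g. `{# OIDC_CONFIG_YAML is pre-validated by gitops_suite_noninteractive: only configtool.trusted_uri_prefixes (list of strings) is accepted #}`, would keep the two in step.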
diff --git a/.secrets.baseline b/.secrets.baseline index c2d1a5f619..18ddbb0c2f 100644 --- a/.secrets.baseline +++ b/.secrets.baseline @@ -3,7 +3,7 @@ "files": "^.secrets.baseline$", "lines": null }, - "generated_at": "2025-01-14T14:06:07Z", + "generated_at": "2025-01-14T17:01:44Z", "plugins_used": [ { "name": "AWSKeyDetector" @@ -344,7 +344,7 @@ "hashed_secret": "b2817467154949a61f8e9ad31d1eeaf03221cbfa", "is_secret": false, "is_verified": false, - "line_number": 502, + "line_number": 510, "type": "Secret Keyword", "verified_result": null } diff --git a/image/cli/mascli/functions/gitops_suite b/image/cli/mascli/functions/gitops_suite index 9daa86d7f7..2f13c14bf2 100644 --- a/image/cli/mascli/functions/gitops_suite +++ b/image/cli/mascli/functions/gitops_suite @@ -81,7 +81,7 @@ IBM Maximo Application Suite: "configtool" client suitable to use by the Maximo Application Framework (MAF) configurator tool. Specify as follows: --oidc-config '{"configtool": {"trusted_uri_prefixes": ["https://example.com:443", "https://otherexample.com:8443"]}}' - "trusted_uri_prefixes" field is optional, if omitted ArgoCD will use the default ["http://localhost:3000", "http://localhost:3001", "http://localhost:3006"] + "trusted_uri_prefixes" field is optional, defaults to ["http://localhost:3000", "http://localhost:3001", "http://localhost:3006"] Target Cluster (Optional): --cluster-url ${COLOR_YELLOW}CLUSTER_URL${TEXT_RESET} Set to target a remote Kubernetes cluster (defaults to 'https://kubernetes.default.svc') 
@@ -404,6 +404,14 @@ function gitops_suite_noninteractive() { 1> /dev/null 2>&1 \ || gitops_suite_help "OIDC_CONFIG is invalid; if specified, the value of 'configtool.trusted_uri_properties' must be an array containing only strings" + # if no trusted_uri_prefixes field specified under configtool, set some defaults + if $(echo "${OIDC_CONFIG_YAML}" | yq eval --exit-status=1 \ + '(. | has("configtool")) == true and + (.configtool | has("trusted_uri_prefixes")) == false' \ + 1> /dev/null 2>&1); then + OIDC_CONFIG_YAML=$(echo "${OIDC_CONFIG_YAML}" | yq '.configtool.trusted_uri_prefixes = ["http://localhost:3000","http://localhost:3001","http://localhost:3006"]') + fi + fi } From cbc083e70921fabdbd9669c1fec1c621ee856e43 Mon Sep 17 00:00:00 2001 From: tomklapiscak <7372253+tomklapiscak@users.noreply.github.com> Date: Wed, 15 Jan 2025 11:06:48 +0000 Subject: [PATCH 7/7] pass oidc config into gitops-suite task --- tekton/src/pipelines/gitops/gitops-mas-instance.yml.j2 | 7 +++++++ tekton/src/tasks/gitops/gitops-suite.yml.j2 | 5 +++++ 2 files changed, 12 insertions(+) diff --git a/tekton/src/pipelines/gitops/gitops-mas-instance.yml.j2 b/tekton/src/pipelines/gitops/gitops-mas-instance.yml.j2 index d039d6f497..349d670bb2 100644 --- a/tekton/src/pipelines/gitops/gitops-mas-instance.yml.j2 +++ b/tekton/src/pipelines/gitops/gitops-mas-instance.yml.j2 @@ -194,6 +194,11 @@ spec: - name: sls_license_icn type: string + # oidc parameters + # ------------------------------------------------------------------------- + - name: oidc + type: string + tasks: # 0. Per-instance DB2U Operator @@ -382,6 +387,8 @@ spec: value: $(params.mas_pod_template_yaml) - name: mas_wipe_mongo_data value: $(params.mas_wipe_mongo_data) + - name: oidc + value: $(params.oidc) taskRef: kind: Task name: gitops-suite diff --git a/tekton/src/tasks/gitops/gitops-suite.yml.j2 b/tekton/src/tasks/gitops/gitops-suite.yml.j2 index 11468f319b..32aae39909 100644 --- a/tekton/src/tasks/gitops/gitops-suite.yml.j2 
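Review bot: `if $(echo "${OIDC_CONFIG_YAML}" | yq … 1> /dev/null 2>&1); then` relies on a corner of bash: because stdout is redirected the substitution expands to no words, and bash then uses the exit status of the last command substitution as the status of the empty command. It works, but it reads as though yq's output were being executed, and it would actually be executed if the redirect were ever removed. Write it as a plain pipeline: `if echo "${OIDC_CONFIG_YAML}" | yq eval --exit-status=1 \` … `1> /dev/null 2>&1; then`. The default list `["http://localhost:3000","http://localhost:3001","http://localhost:3006"]` now appears both here and in the help text changed at `@@ -81`; a single variable such as `OIDC_CONFIGTOOL_DEFAULT_TRUSTED_URI_PREFIXES` would stop the two from drifting.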
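Review bot: The new `oidc` pipeline parameter has no `default`, which makes it mandatory in Tekton, so any existing PipelineRun of this pipeline that does not pass `oidc` will fail parameter validation after this change. Add `default: ""` under `- name: oidc` here and in the matching task parameter added at `@@ -122` of `tekton/src/tasks/gitops/gitops-suite.yml.j2` in this patch, where the neighbouring `mas_wipe_mongo_data` already shows the pattern; an empty string is then ignored by the `[[ -n "${OIDC_CONFIG}" ]]` guard in `gitops_suite_noninteractive`. The `$(params.oidc)` wiring in the `@@ -382` hunk needs no change.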
+++ b/tekton/src/tasks/gitops/gitops-suite.yml.j2 @@ -122,6 +122,8 @@ spec: - name: mas_wipe_mongo_data type: string default: "false" + - name: oidc + type: string stepTemplate: name: gitops-suite env: @@ -217,6 +219,9 @@ spec: value: $(params.mas_pod_template_yaml) - name: MAS_WIPE_MONGO_DATA value: $(params.mas_wipe_mongo_data) + + - name: OIDC_CONFIG + value: $(params.oidc) envFrom: - configMapRef: name: environment-properties